Mac OS X Server 10.4: Kerberos authentication services may not successfully start

Network delays or DNS configuration issues may prevent Mac OS X Server 10.4 or later from starting Kerberos authentication services. If the services don't start, Kerberos authentication won't work.

Tip: To find out whether Kerberos has started successfully, check the Overview pane in Server Admin (Server Admin > Open Directory > Overview).

To resolve this issue, follow the steps below for your situation. Note that in the following sets of instructions, we refer to the server that delivers Kerberos authentication services as the Key Distribution Center, or "KDC."

Mac OS X Server 10.4 is installed

If you're running Mac OS X Server 10.4 or later but Kerberos authentication services won't start, follow these steps:

  1. Configure DNS Services to resolve your KDC's IP address to a fully qualified domain name (FQDN, such as "www.example.com"). For instructions on how to configure DNS Services, see Network Services Administration.

    Optional: To ensure consistent Kerberos services, you can configure the hosts file to resolve the server's hostname to its IP address. Note that the hosts file is not updated by the "changeip" command, so you must update it manually if you change the IP address or hostname of the server.

    Use a text editor to open the /etc/hosts file, then add the following entry to the end of the file:

    IP address FQDN

    ... where IP address is the IP address of the KDC, and FQDN is the fully qualified domain name that you specified on your DNS server.

    For example: 123.456.78.910 www.example.com
     
  2. In Terminal (/Applications/Utilities), execute the following command:
    sudo scutil --set HostName <FQDN>
    ... where FQDN is the fully qualified domain name of this server that was configured on your DNS server.
     
  3. In Terminal (/Applications/Utilities), execute the following three commands:
    slapconfig -kerberize diradmin REALM_NAME
    sso_util configure -r REALM_NAME -f /LDAPv3/127.0.0.1 -a diradmin -p diradmin_password -v 1 all
    sso_util configure -r REALM_NAME -f /LDAPv3/127.0.0.1 -a diradmin -p diradmin_password -v 1 ldap

    (where diradmin is the directory administrator's short name, diradmin_password is the directory administrator's password, and REALM_NAME is the name of your Kerberos realm, which is usually your search domain in all uppercase characters; FQDN_of_KDC is the FQDN to which your KDC's IP address resolves).

  4. Reboot the KDC.

If Mac OS X Server 10.4 is not installed

If you haven't yet installed Mac OS X Server 10.4 but want to ensure that Kerberos authentication services will be active once you do install and configure it, do the following:

  1. Install Mac OS X Server 10.4 on the KDC.
  2. Once the installation completes, you will be prompted to configure the KDC in the Setup Assistant. Do not configure the server. Instead, hold the server's power button for 5 or more seconds, then start it again.
  3. Start up the server in Single-User mode.
  4. At the prompt, type: fsck -yf
  5. If the computer indicates that the filesystem was modified, repeat the fsck -yf command until you get a message that states the filesystem is OK.
  6. Once you get the "OK" message, type: reboot
  7. Start up in Single-User mode again.
  8. At the prompt, type: mount -uw /
  9. Type: sh /etc/rc
  10. Type: sudo scutil --set HostName <FQDN>

    ... where FQDN is the fully qualified domain name of this server that will be configured on your DNS server.
     
  11. Use a text editor to open the /etc/hosts file, then add the following entry to the end of the file:

    IP address FQDN

    For example, 123.456.78.910 www.example.com.

    (where IP address is the IP address of the KDC, and FQDN is the FQDN that you specified in step 10).
     
  12. To exit Single-User mode, at the prompt, type:

    $ exit

    After the unit starts up, go through the Setup Assistant.
     
  13. Complete the Server Setup Assistant.
  14. Configure DNS Services to resolve your KDC's IP address to a FQDN. For instructions on how to configure DNS Services, see Network Services Administration.
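Both procedures above depend on the same three things agreeing before the KDC starts: the HostName set with scutil, the DNS forward and reverse records for the server, and any /etc/hosts entry. The pre-flight check below is an added example, not part of Apple's article; it assumes `scutil --get HostName` and the `host` command are available on the server, and the sample hosts file in the comments is constructed.

```shell
# Added pre-flight check for the name settings the article asks for; not Apple's code.
# The checks take their inputs as arguments so they can run offline; kdc_preflight
# feeds them live values from scutil and host (assumed present on the server).

# is_fqdn NAME: succeed if NAME has at least two dot-separated labels and no junk.
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|*' '*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# hosts_ip_for NAME HOSTS_TEXT: print the address HOSTS_TEXT maps NAME to, fail if none.
# Example HOSTS_TEXT (constructed): "10.0.1.5 kdc.example.com kdc"
hosts_ip_for() {
    printf '%s\n' "$2" | awk -v n="$1" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# check_names NAME FWD_IP REV_NAME WANT_IP HOSTS_TEXT: report every mismatch, fail on any.
check_names() {
    name=$1; fwd=$2; rev=${3%.}; want=$4; rc=0
    is_fqdn "$name" || { echo "HostName '$name' is not a FQDN; set it with: scutil --set HostName <FQDN>"; rc=1; }
    [ "$fwd" = "$want" ] || { echo "DNS resolves $name to '${fwd:-nothing}', expected $want"; rc=1; }
    [ "$rev" = "$name" ] || { echo "reverse DNS for $want gives '${rev:-nothing}', expected $name"; rc=1; }
    if hip=$(hosts_ip_for "$name" "$5"); then
        # A stale entry is worse than none: changeip never rewrites /etc/hosts.
        [ "$hip" = "$want" ] || { echo "/etc/hosts maps $name to $hip, expected $want (stale after changeip?)"; rc=1; }
    else
        echo "note: /etc/hosts has no entry for $name (optional, but it keeps the name resolvable if DNS is slow)"
    fi
    return $rc
}

# kdc_preflight WANT_IP: live wrapper to run on the KDC itself before step 3 or the Setup Assistant.
kdc_preflight() {
    name=$(scutil --get HostName 2>/dev/null)
    fwd=$(host "$name" 2>/dev/null | awk '/has address/ { print $NF; exit }')
    rev=$(host "$1" 2>/dev/null | awk '/domain name pointer/ { print $NF; exit }')
    check_names "$name" "$fwd" "$rev" "$1" "$(cat /etc/hosts)"
}
```

Run `kdc_preflight <IP of the KDC>`; an exit status of 0 with no output other than the optional hosts note means the names agree.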

Published Date: Feb 20, 2012