During Apple Open Directory Master creation, scripts start the Kerberos Key Distribution Center (KDC) and create the necessary keys, or “principals”, for every service that can be Kerberized and used with single sign-on.
The KDC creation process is triggered automatically by “promoting” an OD server to the role of “Master” in the Open Directory section of the Server Admin application.
You can normally tell whether this scripted creation process completed successfully by:
Checking the Overview tab of the Open Directory section of Server Admin and confirming that Kerberos is shown as running (not “Stopped”).
The definitive way, however, is to check that the principals were actually created: first in the KDC database, and then in the binary keytab file /etc/krb5.keytab, where the local service keys are stored. You can do this by issuing the following:
$ sudo kadmin.local -q "listprincs"
$ sudo klist -kt
You should see principals for services such as afpserver, imap, pop, etc. The lowercase name after the service name (e.g. imap/xserve.company.com@XSERVE.COMPANY.COM) must match the fully qualified domain name, a.k.a. the DNS hostname, of the server's primary network interface. The uppercase part after the @ is the Kerberos realm; by default it is that same fully qualified domain name in capitals, though in advanced configurations it could have been changed (perhaps by you at promotion time in Server Admin, although normally there is no need).
If what you see does not match what is normal (as described above), you should attempt to repair the Kerberos configuration using the following procedures.
Before you do anything else, check DNS, and then check DNS again. Also, as a quick precaution, do not use a password containing a space for the diradmin user; doing so has known issues with Kerberos KDC creation.
The values that Server Admin automatically fills in for the Kerberos realm (KERBEROS.REALM) and the LDAP search base (dc=ldap,dc=search,dc=base) are derived from the system's hostname, i.e.:
hostname = mail.318.com
default Kerberos realm = MAIL.318.COM
default search base = dc=mail,dc=318,dc=com
So when you promote the server, the values that are automatically filled in give you a good indication of whether something is not configured correctly. The two most commonly seen incorrect values look like mail.local or secondnic.318.com, but in rare circumstances you may also see localhost. NOTE: in 10.3 these values were tied to the “Search Domains” section of System Preferences, but in 10.4 they come from the system's hostname.
The system's hostname is pulled from the following sources:
the DHCP-supplied hostname (the server is hopefully not using DHCP);
the reverse DNS (PTR) record for the primary network interface, i.e. the one at the top of the active list under “Network Port Configurations” in System Preferences, or the interface carrying the “default” route in the output of $ netstat -rn.
You can verify the PTR record by determining that IP address and running the host command on it:
$ host 192.168.55.8
which will show output such as (the reverse lookup name is the IP's octets reversed under in-addr.arpa):
8.55.168.192.in-addr.arpa domain name pointer mail.318.com.
The name returned should match the output of the hostname command (run with no arguments; passing a name to hostname as root would change it):
$ hostname
mail.318.com
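The checks above (keytab principals versus hostname and realm, and hostname versus forward and reverse DNS) can be scripted. The following is an added example, not part of the original article or of Apple's tools. It assumes a Mac OS X Server host where hostname, host, route, ifconfig and klist are available, that the interface carrying the default route is the primary one, and that the service list in check_keytab (host, afpserver, imap, pop) is what a healthy keytab contains; adjust it for the services you actually Kerberize. The pure string functions can also be run on saved output from another machine.

```shell
#!/bin/sh
# Added example (not from the original article): consistency checks for an
# Open Directory master's hostname, reverse DNS and Kerberos keytab.
# Assumptions: hostname/host/route/ifconfig/klist exist (Mac OS X Server),
# the default-route interface is the primary one, and the expected service
# list below is a guess at "normal"; edit it to match your server.

# 192.168.55.8 -> 8.55.168.192.in-addr.arpa (the name a PTR lookup really asks for)
ptr_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Default realm Server Admin derives from the hostname: mail.318.com -> MAIL.318.COM
default_realm() {
    echo "$1" | tr '[:lower:]' '[:upper:]'
}

# Default LDAP search base: mail.318.com -> dc=mail,dc=318,dc=com
default_searchbase() {
    echo "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# Extract principal names from "klist -kt" output: the field containing "@".
# This works for both the MIT and the Heimdal column layouts.
keytab_principals() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /@/) print $i }'
}

# check_keytab FQDN REALM "KLIST_OUTPUT" ["svc1 svc2 ..."]
# Returns 0 when every expected service principal exists for FQDN@REALM and
# no principal names a different host or realm (the classic symptom of
# promoting with a bad hostname such as mail.local). Otherwise prints what is
# wrong and returns 1.
check_keytab() {
    fqdn=$1; realm=$2; princs=$(keytab_principals "$3"); services=${4:-"host afpserver imap pop"}
    rc=0
    for svc in $services; do
        if ! printf '%s\n' "$princs" | grep -qxF "$svc/$fqdn@$realm"; then
            echo "MISSING    $svc/$fqdn@$realm"; rc=1
        fi
    done
    # Anything not ending in /FQDN@REALM was created against the wrong name.
    bad=$(printf '%s\n' "$princs" | grep -vF "/$fqdn@$realm" || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/UNEXPECTED /'; rc=1
    fi
    return $rc
}

# Live check on the server itself. Run as root so klist can read /etc/krb5.keytab.
live_check() {
    fqdn=$(hostname)
    realm=$(default_realm "$fqdn")
    echo "hostname        $fqdn"
    echo "expected realm  $realm"
    echo "expected base   $(default_searchbase "$fqdn")"

    # Primary interface = the one carrying the default route (assumption).
    iface=$(route -n get default | awk '/interface:/ { print $2 }')
    ip=$(ifconfig "$iface" | awk '/inet / { print $2; exit }')
    # Same query as "host $ip", but spelled out so the in-addr.arpa name is visible.
    ptr=$(host "$(ptr_name "$ip")" | awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }')
    fwd=$(host "$fqdn" | awk '/has address/ { print $NF; exit }')
    echo "primary ip      $ip ($iface)"
    echo "PTR record      ${ptr:-NONE}"
    echo "A record        ${fwd:-NONE}"
    [ "$ptr" = "$fqdn" ] || echo "PROBLEM: PTR for $ip is '${ptr:-NONE}', not '$fqdn'. Fix DNS before (re)promoting."
    [ "$fwd" = "$ip" ]   || echo "PROBLEM: $fqdn resolves to '${fwd:-NONE}', not $ip."

    if check_keytab "$fqdn" "$realm" "$(klist -kt 2>/dev/null)"; then
        echo "keytab OK"
    else
        echo "PROBLEM: keytab principals do not match $fqdn@$realm; the KDC was created with the wrong hostname."
    fi
}

# Only touch the live system when asked, so the helpers can be sourced and
# used on saved "klist -kt" output as well.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as root with --live on the OD master; any line starting with PROBLEM is the thing to fix before attempting a Kerberos repair, and DNS problems come first, exactly as the text says.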