« Why is checking up on things that hard? | Main | R.I.P. Steve »

So, some things i've found recently in my adventures with Lion.

• If you have a brand new Lion server, that is, not upgraded from Mac OS X 10.6 Server, and when you go through the binding process to attach it to a Mac OS X 10.6 Server Open Directory, it seems to not work after a reboot, (i.e., you reboot, and you can't troll through the LDAP directory via dscl), try copying an edu.mit.kerberos file from a Mac OS X 10.6 machine to the Lion server as /etc/krb5.conf. (make sure you remove the two autogen lines.) I did this, and a Lion server that just would not have a functional binding is now working correctly.
• Heimdall uses UDP more than TCP for Kerb connections. In addition to causing you fits with Active Directory, it's also going to cause you problems with kadmin. Trying to use kadmin from a OS X 10.7 Mac against an Mac OS X 10.6 Server Open Directory is probably going to fail. I get kadm5_init_with_password: init_sec_context failed with 851968/-1765328189 errors when I try it. The reason is shown in the Kerberos5 page of the FreeBSD handbook:

  The major difference between the MIT and Heimdal installs relates to the kadmin program which has a different (but equivalent) set of commands and uses a different protocol. This has a large implications if your KDC is MIT as you will not be able to use the Heimdal kadmin program to administer your KDC remotely (or vice versa, for that matter).

Fun times. Maybe Apple will get around to documenting this. Maybe not, but at least we have a start.

Comments