Michael Newbery

Q: How to rekerberize in Yosemite?

It appears the mechanism for rekerberizing has changed in Yosemite, or been removed. As per this thread of mine (Can't create Local Network Users in Yosemite) which refers to this Apple tip for Mavericks (OS X Server (Mavericks): After upgrading or migrating, network user cannot be created).

On Yosemite:

$ uname -v
Darwin Kernel Version 14.0.0: Fri Sep 19 00:26:44 PDT 2014; root:xnu-2782.1.97~2/RELEASE_X86_64
$ strings /usr/sbin/PasswordService|grep -i kerber
KERBEROS_V4
libkerberos4.la
%s: Could not add Kerberos principal for %s: %d %s
KERBEROS-LOGIN-CHECK
%s: Unable to create Kerberos principal data for name %s.  HeimODCreatePrincipalData returned %d, CFError was %d
$

On Mavericks:

% uname -v
Darwin Kernel Version 13.3.0: Tue Jun  3 21:27:35 PDT 2014; root:xnu-2422.110.17~1/RELEASE_X86_64
% strings /usr/sbin/PasswordService | grep -i kerb
KERBEROS_V4
libkerberos4.la
Importing MIT Kerberos principals
/var/db/openldap/migration/.rekerberize
Rekerberizing users
-kerberize
Error: command: mkpassdb -kerberize, exitcode = %d.
%s: Could not add Kerberos principal for %s: %d %s
GETKERBPRINC: no realm
%s: Could not add Kerberos principal for %s: %d
SETPOLICY: could not find user record to update kerberos administrator status for user: %s
SETPOLICY: error setting kerberos acl for user %s: %d %s
SETPOLICY: error clearing kerberos acl for user %s: %d %s
%s: Could not remove old Kerberos principal for %s: %d
KERBEROS-LOGIN-CHECK
KERBEROS-LOGIN-CHECK: rejected request from remote client, offending IP address is %s.
KERBEROS-LOGIN-CHECK: bad parameter list
KERBEROS-LOGIN-CHECK: %s
KERBEROS-LOGIN-CHECK: no principal (%s)
KERBEROS-LOGIN-CHECK: user %s is in good standing.
KERBEROS-LOGIN-CHECK: policy violation (%d) for user %s
DoKerberosLoginCheck: user record changed, writing out slot
KERBEROS-LOGIN-CHECK: user %s authentication succeeded.
KERBEROS-LOGIN-CHECK: setting disable reason to %d
KERBEROS-LOGIN-CHECK: user %s authentication failed.
KERBEROS-LOGIN-CHECK: password changed for principal %s
GETKERBPRINC
_Bool UpdateKerbAA(ODNodeRef, ODRecordRef, PWFileEntry *)
Kerberosv5
;Kerberosv5;
%s: Unable to create Kerberos principal data for name %s.  HeimODCreatePrincipalData returned %d, CFError was %d
%

Notice the (highlighted) .rekerberize check which is missing from Yosemite.

So, does anyone know how to rekerberize on Yosemite?

Note that

$ sudo mkpassdb -kerberize

does not seem to do the job (or at least, I still can't create network users).

Server 4.0, OS X Yosemite (10.10)

Posted on Oct 26, 2014 9:11 PM
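The comparison the poster did by eye (dumping `strings` from two builds of PasswordService and looking for the rekerberize markers) can be scripted so the check is repeatable after an OS upgrade. The script below is an added example, not code from the original post or from Apple; the two "dumps" are constructed inline from the lines quoted above rather than captured from a live system, and the helper names (`kerb_strings`, `missing_in`, `has_marker`, `count_missing`) are this example's own.

```shell
#!/bin/sh
# Added example: report which Kerberos-related strings present in one
# PasswordService binary are absent from another. Useful as a post-upgrade
# sanity check that a code path (here the .rekerberize / -kerberize
# migration path) still exists before relying on it.
LC_ALL=C
export LC_ALL

# Constructed sample dumps, reduced to the lines quoted in the post.
# On a real host replace these with: strings /usr/sbin/PasswordService > FILE
MAVERICKS_DUMP=$(mktemp)
YOSEMITE_DUMP=$(mktemp)
trap 'rm -f "$MAVERICKS_DUMP" "$YOSEMITE_DUMP"' EXIT

cat > "$MAVERICKS_DUMP" <<'EOF'
KERBEROS_V4
libkerberos4.la
Importing MIT Kerberos principals
/var/db/openldap/migration/.rekerberize
Rekerberizing users
-kerberize
Error: command: mkpassdb -kerberize, exitcode = %d.
KERBEROS-LOGIN-CHECK
EOF

cat > "$YOSEMITE_DUMP" <<'EOF'
KERBEROS_V4
libkerberos4.la
%s: Could not add Kerberos principal for %s: %d %s
KERBEROS-LOGIN-CHECK
EOF

# kerb_strings FILE: the Kerberos-related lines of a strings dump, sorted and
# de-duplicated (same filter as `strings ... | grep -i kerb` in the post).
kerb_strings() {
    grep -i kerb "$1" | sort -u
}

# missing_in NEW OLD: Kerberos-related lines found in OLD but not in NEW,
# one per line. comm(1) needs sorted input, which kerb_strings provides.
missing_in() {
    new_tmp=$(mktemp)
    old_tmp=$(mktemp)
    kerb_strings "$1" > "$new_tmp"
    kerb_strings "$2" > "$old_tmp"
    comm -13 "$new_tmp" "$old_tmp"
    rm -f "$new_tmp" "$old_tmp"
}

# has_marker FILE MARKER: exit 0 if the literal MARKER occurs in FILE.
has_marker() {
    grep -qF -- "$2" "$1"
}

# count_missing NEW OLD: number of Kerberos-related lines dropped in NEW.
count_missing() {
    missing_in "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: list what the newer build lost.
echo "Kerberos strings present in Mavericks dump but not in Yosemite dump:"
missing_in "$YOSEMITE_DUMP" "$MAVERICKS_DUMP"
if has_marker "$YOSEMITE_DUMP" ".rekerberize"; then
    echo "rekerberize marker present in newer build"
else
    echo "rekerberize marker ABSENT from newer build"
fi
```

On a real machine the two heredocs would be replaced by `strings` output saved from the old and new `/usr/sbin/PasswordService`; the same functions then tell you, without reading the whole dump, whether the `.rekerberize` trigger file path and the `mkpassdb -kerberize` invocation are still compiled in.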