I'm going to start this post as sbit did above me, "After applying many of the fixes stated here and elsewhere this is what worked for me."
I had a few Macs on a small, isolated network that worked fine while bound to AD as 10.4.x systems. I successfully upgraded one to 10.5.2 and watched. After 2 weeks of normal use by our staff with no significant problems, I upgraded the 2nd, then the 3rd a week after that. Everything was fine for another 2 weeks or so after that until one lost the ability to authenticate to AD.
This symptom was a major reason for upgrading to Leopard for me. As Tiger systems, I would have to walk around each morning and click several times on each login window to see if the colored gumdrop for "Network Accounts Available " was either red or green. While running Tiger, if the gumdrop was red, the fix was easy enough. Log in, fire up Directory Utility, unbind, and rebind. Tedious and unnecessary, but at least it worked.
When the first Leopard system lost the ability to authenticate, I tried the same Directory Service resolution. No luck. I was greeted by an error stating "Invalid user name and password combination," and was presented with the option to "Force Unbind." I chose the force unbind. From then on, I was no longer able to bind the system to AD again.
I tried all the common troubleshooting methods outlined here and elsewhere:
• check the time
• made sure forward and reverse DNS was clean for client and server
• verified DNS responded with correct LDAP/AD information with the cool "dig -t SRV
ldap.tcp.domain.com" command
• removed the edu.mit.Kerberos file and DirectoryService directory in /Library/Preferences and rebooted
• tried deleting the machine account in AD
• tried manually adding the machine account in AD
• checked and unchecked the "Allow authentication from any domain in the forest" option
• I specified one particular domain controller
• I tried using the dsconfigad tool to bind from the command line
• I parsed through gobs of data from the "sudo killall -USR1 DirectoryService" command in /Library/Logs/DirectoryService/DirectoryService.debug.log
• If I tried the Services Tab in Directory Utility, I received an error "Invalid user name and password combination"
• If I tried using the "+" sign in the Directory Servers Tab of Directory Utility, I received the "eDSPermissionError -14120 Unable to add the domain" error
• another related symptom- if I tried to get a Kerberos ticket through the GUI or kinit, I was given the entertaining, but not helpful error message "KDC reply did not match expectations."
I'm sure there was more that I tried, but I was nearly at wit's end when I asked a more Linux-savvy colleague to take a look. We attacked it from a Linux perspective and had success! Here's what fixed it for us.
We reviewed the man page for krb5.conf and the Files section at the end states:
Changes made in the Kerberos application are saved to >~/Library/Preferences/edu.mit.Kerberos.KerberosApp.plist,
and take precedence over the Kerberos configuration files. The order of precedence (with highest precedence first)
of the Kerberos configuration files is as as follows:
~/Library/Preferences/edu.mit.Kerberos
/Library/Preferences/edu.mit.Kerberos
/etc/krb5.conf
We copied a krb5.conf file from a working SuSE EL 10.2 system to /etc on the Mac and attempted to bind using the following:
dsconfigad -a ThisComputer -u "adminname" -ou "CN=Computers,DC=INITECH,DC=ORG" -domain initech.org
At this point, I was also able to manually request a kerberos ticket with kinit, although I suspect I probably could have done so at any time after the kerb5.conf file was in place. We were prompted for our domain password (which was
FINALLY accepted), asked if we wanted to join the existing account, and all was well.
Well sorta.
We tried an id command on a network user who had not previously logged onto the Mac (so it wouldn't use cached credentials) and was told there was no such user. So I had to log on locally to the Mac, open Directory Utility, and add the domain to the authentication search path. I'm sure there was a way to do this from the command line, but at that point I was ready, even eager just to get it done.
OK- so you've made it this far, and I haven't even posted the working krb5.conf file. I hear your concerns, and here it is. I'm sure your see the parts that need to be tailored to your specific site:
[libdefaults]
default_realm = INITECH.ORG
clockskew = 300
[domain_realm]
.initech.org = INITECH.ORG
[realms]
INITECH.ORG = {
kdc = 172.16.0.50:88
default_domain = INITECH.ORG:749
kpasswd_server = 172.16.0.50:88
admin_server = 172.16.0.50:88
}
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
debug = false
retain
afterclose = false
minimum_uid = 0
try
firstpass = true
}
I hope this helps someone else out there.