
Misconfiguration detected in hash Kerberos

schoysi
Nov 3, 2011 3:41 AM

Hi Guys,

 

I'm getting some errors in my Open Directory logfile and I really have no idea how to fix this.

The server is a Lion 10.7.2 Server with an Open Directory Master (no Replicas)

 

When I use dscl to list the users in the directory (list LDAPv3/127.0.0.1/Users/), every user is shown correctly in the list.

 

Connecting to a share on that server works but we get the following errors:

 

2011-11-03 11:16:24.493 CET - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':

          User 'user1.domain' (/LDAPv3/127.0.0.1) - ID 1053 - UUID B3189A5D-77EA-4A1C-91BB-DDD9CCF5A958 - SID S-1-5-21-2553502104-2799725507-638401443-3106

          User 'user2.domain' (/LDAPv3/127.0.0.1) - ID 1058 - UUID F7D98082-D682-446B-BF2C-840901B8E623 - SID S-1-5-21-2553502104-2799725507-638401443-3116

2011-11-03 11:20:16.750 CET - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':

          User 'user6.domain' (/LDAPv3/127.0.0.1) - ID 1025 - UUID 197D5942-72BA-4AC1-B11C-5154F0CC05C0 - SID S-1-5-21-2553502104-2799725507-638401443-3050

          User 'user2.domain' (/LDAPv3/127.0.0.1) - ID 1058 - UUID F7D98082-D682-446B-BF2C-840901B8E623 - SID S-1-5-21-2553502104-2799725507-638401443-3116

2011-11-03 11:22:43.093 CET - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':

          User 'user5.domainr' (/LDAPv3/127.0.0.1) - ID 1075 - UUID C3CBB296-1A6A-452D-BEB8-8AC7ABE52E44 - SID S-1-5-21-2553502104-2799725507-638401443-3150

          User 'user2.domain' (/LDAPv3/127.0.0.1) - ID 1058 - UUID F7D98082-D682-446B-BF2C-840901B8E623 - SID S-1-5-21-2553502104-2799725507-638401443-3116

2011-11-03 11:24:34.487 CET - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':

          User 'user4.domain' (/LDAPv3/127.0.0.1) - ID 1074 - UUID D5C3278F-9597-41F1-9B47-1E2865F01545 - SID S-1-5-21-2553502104-2799725507-638401443-3148

          User 'user2.domain' (/LDAPv3/127.0.0.1) - ID 1058 - UUID F7D98082-D682-446B-BF2C-840901B8E623 - SID S-1-5-21-2553502104-2799725507-638401443-3116

 

Thanks for every useful hint to get rid of these errors.

Patrick

Mac mini, Mac OS X (10.7.2)
  • S.T.Smith Level 1 (0 points)
    Dec 11, 2011 5:46 PM (in response to schoysi)

    +1 on freshly installed Lion Server 10.7.2, newly created network accounts, no migration whatsoever.

     

    Here's what dscl shows on the newly created network account 'fubar'. Note the funky Kerberos email id "untitled_1@HOST.DOMAIN.COM". Workgroup Manager always comes up with the default account name Untitled_1 before you edit anything. Does this persist? Is this the issue?

     

    $ sudo dscl

    Entering interactive mode... (type "help" for commands)

    > cd /LDAPv3/127.0.0.1/Users/fubar

    /LDAPv3/127.0.0.1/Users/fubar > ls

    /LDAPv3/127.0.0.1/Users/fubar > read

    dsAttrTypeNative:objectClass: person inetOrgPerson organizationalPerson posixAccount shadowAccount top extensibleObject apple-user

    AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM

    AppleMetaNodeLocation: /LDAPv3/127.0.0.1

    AppleMetaRecordName: uid=fubar,cn=users,dc=host,dc=domain,dc=com

    AuthenticationAuthority:

    ;ApplePasswordServer;0xf00 root@host.domain.com:10.0.1.2

    GeneratedUID: bar

    LastName: fubar

    MCXFlags:

    <?xml version="1.0" encoding="UTF-8"?>

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

    <plist version="1.0">

    <dict>

        <key>simultaneous_login_enabled</key>

        <true/>

    </dict>

    </plist>

     

    NFSHomeDirectory: 99

    Password: {CRYPT}*

    PrimaryGroupID: 20

    RealName: fubar

     

    RecordName: fubar

    RecordType: dsRecTypeStandard:Users

    UniqueID: 1027

    UserShell: /bin/bash

    Mac mini, Mac OS X (10.7.1), 8 GB
  • tagme10k Level 1 (10 points)
    Jan 17, 2012 1:34 PM (in response to S.T.Smith)

    After doing a fresh install of Server 10.7.2 and noticing that the property AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM on all network users created with Workgroup Manager was causing the error "Misconfiguration detected in hash 'Kerberos'" to be displayed in the Open Directory Log and System Log, I used Directory Utility (part of Server.app) to modify the AltSecurityIdentities property for those users.

     

    I will monitor if this fixes the error messages.

  • tagme10k Level 1 (10 points)
    Jan 17, 2012 3:05 PM (in response to schoysi)

    Looks like it fixed the problem.

  • S.T.Smith Level 1 (0 points)
    Jan 18, 2012 3:43 PM (in response to tagme10k)

    Thanks! Fixed it for me too -- I didn't know about the Directory Utility app. I filed a bug report.

  • arekdreyer Level 1 (10 points)
    Mar 1, 2012 3:54 PM (in response to schoysi)

    It's probably a good idea to use the Server app any time you can. If you create a user with Workgroup Manager, you'll notice that the user has the untitled_1@REALMNAME for the AltSecurityIdentities attribute.

     

    However, if you create a user with the Server app, the AltSecurityIdentities attribute will be just fine.

  • fight_or_flight Level 1 (10 points)
    Mar 4, 2012 8:12 AM (in response to arekdreyer)

    What exactly has to be changed in the AltSecurityIdentities attribute?

    Do I have to change the attribute on the server or the user machine?

  • im3ngs
    Mar 16, 2012 3:32 PM (in response to fight_or_flight)

    I changed the "untitled_1" part to reflect the short name of the user.

  • Lindsay Robertson1
    May 1, 2012 4:41 PM (in response to schoysi)

    Fixed my problem.

     

    The first symptom was users not being able to empty network-based trash folders.

    Console revealed the error.

     

    What a pain!

    Glad I've only got 30 users...

     

    l.

  • RoseValley Level 1 (10 points)
    Jun 12, 2012 10:57 AM (in response to im3ngs)

    I have noticed the same issue on my server. But only one of the users is getting the error line in the log, and yet all have the same untitled_1@server.domain.com in that line. Why one and not the others? Do I need to change this, since no one seems to notice any problems on their end, just me looking at the logs?

     

    Help,

    Kevin

  • guitarkid55
    Jul 10, 2012 6:58 AM (in response to schoysi)

    "After doing a fresh install of Server 10.7.2 and noticing that the property AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM on all network users created with Workgroup Manager was causing the error "Misconfiguration detected in hash 'Kerberos'" to be displayed in the Open Directory Log and System Log, I used Directory Utility (part of Server.app) to modify the AltSecurityIdentities property for those users."

     

     

    Could someone please give more info on where this setting is located in Directory Utility? I am new to OS X server and having this exact same issue. Thanks.
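
Added example, not part of the original thread and not Apple's code: the replies above trace the error to Workgroup Manager leaving the same Kerberos:untitled_1@REALM value in AltSecurityIdentities on every account it creates. The script below audits a dump of RecordName and AltSecurityIdentities attributes for that condition. The input layout (one "Key: value" pair per line, records separated by a "-" line, as dscl's -readall prints simple attributes), the function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed input: one "Key: value" pair
# per line, records separated by a line holding only "-".

# Constructed sample records; user1 and user2 carry the Workgroup Manager default.
sample_records() {
    cat <<'EOF'
RecordName: user1
AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM
-
RecordName: user2
AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM
-
RecordName: user3
AltSecurityIdentities: Kerberos:user3@HOST.DOMAIN.COM
EOF
}

# Reads records on stdin. Prints:
#   MISMATCH <short name> <principal>   principal does not start with the short name
#   DUPLICATE <principal> <users>       one principal is claimed by several users
audit_altsec() {
    awk '
    function flush_record(   short) {
        if (name != "" && princ != "") {
            short = princ
            sub(/@.*/, "", short)                 # drop the @REALM part
            if (short != name)
                printf "MISMATCH %s %s\n", name, princ
            if (princ in owners) owners[princ] = owners[princ] "," name
            else owners[princ] = name
            count[princ]++
        }
        name = ""; princ = ""
    }
    /^-[ \t]*$/    { flush_record(); next }
    /^RecordName:/ { name = $2 }                  # first value = short name
    /^AltSecurityIdentities:/ {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Kerberos:/) { princ = $i; sub(/^Kerberos:/, "", princ) }
    }
    END {
        flush_record()
        for (p in count)
            if (count[p] > 1) printf "DUPLICATE %s %s\n", p, owners[p]
    }'
}

sample_records | audit_altsec
```

On a server, the same function can read the output of dscl /LDAPv3/127.0.0.1 -readall /Users RecordName AltSecurityIdentities instead of the sample; attributes that dscl wraps onto a following line are not handled here.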
