Q: Misconfiguration detected in hash Kerberos

+1 on freshly installed Lion Server 10.7.2, newly created network accounts, no migration whatsoever.

Here's what dscl shows on the newly created network account 'fubar'. Note the funky Kerberos email id "untitled_1@HOST.DOMAIN.COM". Workgroup Manager always comes up with the default account name Untitled_1 before you edit anything. Does this persist? Is this the issue?

$ sudo dscl

Entering interactive mode... (type "help" for commands)

> cd /LDAPv3/127.0.0.1/Users/fubar

/LDAPv3/127.0.0.1/Users/fubar > ls

/LDAPv3/127.0.0.1/Users/fubar > read

dsAttrTypeNative:objectClass: person inetOrgPerson organizationalPerson posixAccount shadowAccount top extensibleObject apple-user

AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM

AppleMetaNodeLocation: /LDAPv3/127.0.0.1

AppleMetaRecordName: uid=fubar,cn=users,dc=host,dc=domain,dc=com

AuthenticationAuthority:

;ApplePasswordServer;0xf00 root@host.domain.com:10.0.1.2

GeneratedUID: bar

LastName: fubar

MCXFlags:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

    <key>simultaneous_login_enabled</key>

    <true/>

</dict>

</plist>

NFSHomeDirectory: 99

Password: {CRYPT}*

PrimaryGroupID: 20

RealName: fubar

RecordName: fubar

RecordType: dsRecTypeStandard:Users

UniqueID: 1027

UserShell: /bin/bash

After doing a fresh install of Server 10.7.2 and noticing the property

AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM on all network users created with Workgroup Manager were causing the error: Misconfiguration detected in hash 'Kerberos', to be displayed in the Open Directory Log and System Log, I used Directory Utility (part of Server.app) to modify the AltSecurityIdentities property for those users.

I will monitor if this fixes the error messages.

Looks like it fixed the problem.

Thanks! Fixed it for me too -- I didn't know about the Directory Utility app. I filed a bug report.

It's probably a good idea to use the Server app any time you can. If you create a user with Workgroup Manager, you'll notice that the user has the untitled_1@REALMNAME for the AltSecurityIdentities attribute.

However, if you create a user with the Server app, the AltSecurityIdentities attribute will be just fine.

What exactly has to be changed in the AltSecurityIdentities attribute?

Do i have to change the attribute on the server or the user machine?

I changed the "untitled_1" part to reflect the short name of the user.

Fixed my problem.

the first symptom was users not being able to empty network based trash folders.

Console revealed the error.

What a pain!

Glad i've only got 30 users...

l.

I have noticed the same issue on my server. But only one of the users is getting the error line in the log and yet all have the same untitles_1@server.domain.com in that line. Why one and not the others? Do I need to change this since no one seems to notice any problems on their end, just me looking at the logs.

Help,

Kevin

"After doing a fresh install of Server 10.7.2 and noticing the property

AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM on all network users created with Workgroup Manager were causing the error: Misconfiguration detected in hash 'Kerberos', to be displayed in the Open Directory Log and System Log, I used Directory Utility (part of Server.app) to modify the AltSecurityIdentities property for those users."

Could someone please give more info on where this setting is located in Directory Utility? I am new to OS X server and having this exact same issue. Thanks.

Note that a script to fix all users with this error has been posted by Eric Dryer here:

https://github.com/arekdreyer/Lion-Server/blob/master/FixAltSecurityIdentities.s h