
Unable to log in using LDAP at login screen, but kinit works?

Hi Guys,


Running into an issue that I was hopeful to get some help with.


Server: 10.6, Open Directory configured


Client: 10.7.3


Steps to reproduce:

a. Fire up the Lion client
b. Wait a few seconds for the login screen to show "Other"
c. Attempt to log in with a user that exists in the server-side directory (user, and associated pass)
d. Login screen fails.



Console on client reveals:

Mar 15 00:49:00 user123 loginwindow[4139]: Login Window Started Security Agent
Mar 15 00:49:00 user123 SecurityAgent[4149]: Echo enabled
Mar 15 00:49:16 user123 SecurityAgent[4149]: User info context values set for dquinlan
Mar 15 00:49:16 user123 authorizationhost[4159]: in pam_sm_authenticate(): Got user: user123
Mar 15 00:49:16 user123 authorizationhost[4159]: in pam_sm_authenticate(): Got ruser: (null)
Mar 15 00:49:16 user123 authorizationhost[4159]: in pam_sm_authenticate(): Got service: authorization
Mar 15 00:49:16 user123 authorizationhost[4159]: in od_principal_for_user(): No authentication authority returned
Mar 15 00:49:16 user123 authorizationhost[4159]: in od_principal_for_user(): failed: 7
Mar 15 00:49:16 user123 authorizationhost[4159]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Mar 15 00:49:16 user123 authorizationhost[4159]: in pam_sm_authenticate(): Done cleanup3
Mar 15 00:49:16 user123 authorizationhost[4159]: in pam_sm_authenticate(): Kerberos 5 refuses you
Mar 15 00:49:16 user123 authorizationhost[4159]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
Mar 15 00:49:16 user123 authorizationhost[4159]: in pam_sm_authenticate(): OpenDirectory - The authtok is incorrect.




Logging into a local account on the same machine and checking the console, I can run kinit successfully, and then klist. This reveals:




bash-3.2$ klist
Credentials cache: API:502:2
        Principal: user123@SERVER.OURCOMPANY.COM

  Issued           Expires          Principal
Mar 15 00:57:08  Mar 15 10:57:03  krbtgt/SERVER.OURCOMPANY.COM@SERVER.OURCOMPANY.COM




Any ideas what the issue might be?


Thanks!

Alex

Mac OS X (10.6.8), Server

Posted on Mar 14, 2012 10:12 PM
