Can't authenticate against LDAP
We currently have an OpenLDAP server set up which includes the Apple schema. This database uses MIT Kerberos for passwords and has worked for authentication purposes very well through OSX 10.4, 10.5, and 10.6. However, once I upgraded one of our 10.6 machines to 10.7 I can no longer authenticate. I can still browse our LDAP server through dscl on the client. I can view our LDAP server through the "Directory Editor" tab in Directory Utility. My LDAP users are also available as contacts... Just can't authenticate with this information. From the Terminal I can also use kinit to receive a Kerberos ticket in my name without any problems.
Initially in /var/log/secure.log I would see this message:
Mar 22 14:05:41 sysops-imac-2 SecurityAgent[1364]: User info context values set for jsmillie
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Got user: jsmillie
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Got ruser: (null)
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Got service: authorization
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in od_principal_for_user(): no authauth availale for user.
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in od_principal_for_user(): failed: 7
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Done cleanup3
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Kerberos 5 refuses you
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): OpenDirectory - The authtok is incorrect.
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: Failed to authenticate user <jsmillie> (error: 9).
Did some web research and found some info about possible changes needed to /Library/Preferences/edu.mit.kerberos as well as /etc/pam.d/authorization. Best info I think I could find was here:
With these changes in place I no longer receive the "Failed to determine Kerberos principal name" message, but I still can't log in. Per the log:
Mar 26 15:43:34 Sysops-iMac-2 SecurityAgent[933]: User info context values set for jsmillie
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Got user: jsmillie
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Got ruser: (null)
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Got service: authorization
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Context initialised
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: jsmillie
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): OpenDirectory - The authtok is incorrect.
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: Failed to authenticate user <jsmillie> (error: 9).
Login fails.
Last time I attended an Apple event I brought this issue up with the field service tech associated with our account. He said to change our LDAP mappings on the client to RFC2307 and try again, and that 10.7 should authenticate against anything using those mappings. Sadly it doesn't work. Same result. I have also tried to install OSX 10.7 fresh on a machine and reconfigure everything by hand. Same results in the end. For what it's worth, we also have an Open Directory server (OSX Server 10.6.8) which I can authenticate users against without any problems.
Any ideas or suggestions would be greatly appreciated. We've been working on this issue off and on since we received our 10.7 licenses without any real sense of urgency, but with new Macs now only coming with 10.7 installed we're getting closer to the wall. Thanks for reading.
Lots of PPC and Intel Macs...., Mac OS X (10.6.6)
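The two secure.log excerpts above differ in one important way: the first attempt fails before a Kerberos principal is even determined (od_principal_for_user fails, then "Kerberos 5 refuses you"), while the second gets past that step and is rejected only at the OpenDirectory "authtok is incorrect" stage. When comparing many login attempts it helps to pull that distinction out of the log mechanically. The following is an added example, not code from the original post or from Apple; it assumes only the syslog-style line layout shown in the excerpts (timestamp, host, process[pid], message) and embeds an abridged copy of those lines as constructed sample input.

```python
import re

# Constructed sample input: the authorizationhost lines from the two
# /var/log/secure.log excerpts quoted in the post, abridged.
SAMPLE_LOG = """\
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Got user: jsmillie
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in od_principal_for_user(): no authauth availale for user.
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in od_principal_for_user(): failed: 7
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Kerberos 5 refuses you
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): OpenDirectory - The authtok is incorrect.
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: Failed to authenticate user <jsmillie> (error: 9).
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Got user: jsmillie
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: jsmillie
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): OpenDirectory - The authtok is incorrect.
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: Failed to authenticate user <jsmillie> (error: 9).
"""

# syslog-style prefix as it appears in the excerpts: "Mon DD HH:MM:SS host proc[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[A-Za-z_.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# final verdict line written by authorizationhost
FINAL_RE = re.compile(
    r"Failed to authenticate user <(?P<user>[^>]+)> \(error: (?P<code>\d+)\)"
)
# per-stage trace lines of the form "in <function>(): <detail>"
STAGE_RE = re.compile(r"^in (?P<func>\w+)\(\): (?P<detail>.*)$")


def parse_lines(text):
    """Yield one dict per line that matches the secure.log layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_attempts(text):
    """Group authorizationhost lines by (host, pid), i.e. one login attempt,
    and record which PAM stages were traced and how the attempt ended."""
    attempts = {}
    for rec in parse_lines(text):
        if rec["proc"] != "authorizationhost":
            continue
        key = (rec["host"], rec["pid"])
        a = attempts.setdefault(key, {
            "host": rec["host"], "pid": int(rec["pid"]), "user": None,
            "stages": [], "principal_lookup_failed": False,
            "kerberos_refused": False, "authtok_incorrect": False,
            "error_code": None,
        })
        msg = rec["msg"]
        s = STAGE_RE.match(msg)
        if s:
            a["stages"].append(s.group("func"))
            detail = s.group("detail")
            if detail.startswith("Got user: "):
                a["user"] = detail[len("Got user: "):]
            elif detail.startswith("Failed to determine Kerberos principal"):
                a["principal_lookup_failed"] = True
            elif detail.startswith("Kerberos 5 refuses you"):
                a["kerberos_refused"] = True
            elif "authtok is incorrect" in detail:
                a["authtok_incorrect"] = True
            continue
        f = FINAL_RE.search(msg)
        if f:
            a["user"] = a["user"] or f.group("user")
            a["error_code"] = int(f.group("code"))
    return list(attempts.values())


def diagnose(attempt):
    """Plain-language reading of one attempt, based only on which messages appeared."""
    if attempt["error_code"] is None:
        return "no final verdict logged"
    if attempt["principal_lookup_failed"]:
        return ("no Kerberos principal could be derived for the user "
                "(od_principal_for_user failed), the Kerberos check refused, "
                "and the OpenDirectory password check rejected the token")
    if attempt["authtok_incorrect"]:
        return ("no principal-lookup failure was logged, yet the OpenDirectory "
                "password check still rejected the token")
    return "authentication failed for an unclassified reason"


if __name__ == "__main__":
    for a in summarize_attempts(SAMPLE_LOG):
        print(f"{a['host']} pid={a['pid']} user={a['user']} "
              f"error={a['error_code']}: {diagnose(a)}")
```

Run it against a real /var/log/secure.log by reading the file into `summarize_attempts` instead of `SAMPLE_LOG`; grouping by pid keeps the stages of one login attempt together even when several attempts interleave, and the two flags make it easy to see whether a configuration change moved the failure from the principal-lookup step to the password-check step, as happened in the post.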