OSX 10.6.5 Server AFP and Kerberos Auth Issue - is TS2938 applicable?
Hello,
Regarding TS2938: Lion Server: AFP users unable to authenticate with Kerberos after upgrading.
Is this tech note also applicable to OSX 10.6.5 Server? We are having Kerberos auth issues with some (but not all) AFP users, and running the klist -kt command on the ODM returns the following (the Kerberos realm should be XSERVE4.PDC.DEPT):
xserve4:~ sadmin$ sudo klist -kt
Password:
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
3 02/13/12 11:34:15 vnc/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
3 02/13/12 11:34:15 vnc/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
3 02/13/12 11:34:15 vnc/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
-----
Testing the user accounts using dscl /Search -authonly username returns OK for all of them.
kinit username returns either "krb5_get_init_creds: CLIENT_NOT_FOUND" or "Password incorrect" (depending on the user).
Deleting a user account in the ODM and recreating it (with same UID, etc) has no effect/improvement (clients are OSX 10.6.8 iMacs doing mobile accounts).
Is the following possibly related (or useful)?
http://alexkaloostian.livejournal.com/21876.html
or is it time to do the following?
-----
Last - we actually have two separate parallel ODMs running in house - one OSX 10.4.11 server (as OD master to an offsite FTP server/OD replica, and a FileMaker 7 server) and the OSX 10.6.5 ODM (xserve4.pdc.dept) in support of the iMacs doing mobile accounts. Our desktops are all joined to xserve4.pdc.dept, but at least some of the Desktop Macs have somehow ended up in the wrong Kerberos realm (XSERVE2.PDC.DEPT) over time, possibly through user (keychain)
What is the best way to force these OSX 10.6.8 client iMacs back to the proper Kerberos realm? Unbinding and rebinding doesn't accomplish this, so possibly part of the problem is user keychain-related?
Thanks for any ideas...
brian
OSX Server-OTHER, OS X Server, Kerberos, LKDC,OSX Server 10.6.5
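
An added example, not part of the original post: a shell check that reads `klist -kt` output and lists the service principals whose realm is not the expected one, which is the symptom visible in the keytab listing above. The sample rows, the LKDC hash placeholder and the function names are constructed for illustration; the expected realm XSERVE4.PDC.DEPT is the one named in the post.

```shell
#!/bin/sh
# Added example: flag keytab entries that sit in an unexpected Kerberos realm.

# Reads `klist -kt` output on stdin; $1 is the realm the keytab should use.
# Prints each offending principal once (klist repeats a principal once per
# encryption type, which is why the listing shows every entry three times).
wrong_realm_principals() {
    awk -v realm="$1" '
        # Data rows start with a numeric KVNO; header and rule lines do not.
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            principal = $NF
            at = index(principal, "@")
            if (at == 0) next                 # no realm part, nothing to compare
            if (substr(principal, at + 1) != realm && !seen[principal]++)
                print principal
        }
    '
}

# Reads the same input and prints "count realm" for every realm in the keytab,
# so a keytab split between an LKDC realm and the managed realm is obvious.
realm_summary() {
    awk '
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            at = index($NF, "@")
            if (at > 0) n[substr($NF, at + 1)]++
        }
        END { for (r in n) print n[r], r }
    ' | sort -k2
}

# Constructed sample in the layout of the listing in the post. The hash is a
# placeholder and the host/ row in the expected realm is invented for contrast.
sample_klist() {
    cat <<'EOF'
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.CONSTRUCTED
   3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.CONSTRUCTED
   3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.CONSTRUCTED
   4 02/13/12 11:40:02 host/xserve4.pdc.dept@XSERVE4.PDC.DEPT
EOF
}

sample_klist | wrong_realm_principals XSERVE4.PDC.DEPT
```

On a live server the input would come from `sudo klist -kt` piped into `wrong_realm_principals` with the realm the directory is supposed to serve.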