
OSX 10.6.5 Server AFP and Kerberos Auth Issue - is TS2938 applicable?

Hello,


Regarding TS2938: Lion Server: AFP users unable to authenticate with Kerberos after upgrading.


Is this tech note also applicable to OSX 10.6.5 Server? We are having Kerberos auth issues with some (but not all) AFP users, and running the klist -kt command on the ODM returns the following (the Kerberos realm should be XSERVE4.PDC.DEPT):


xserve4:~ sadmin$ sudo klist -kt

Password:

Keytab name: WRFILE:/etc/krb5.keytab

KVNO Timestamp Principal

---- ----------------- --------------------------------------------------------

3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4

3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4

3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4

3 02/13/12 11:34:15 vnc/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4

3 02/13/12 11:34:15 vnc/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4

3 02/13/12 11:34:15 vnc/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4

3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4

3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4

3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4


-----


Testing the user accounts using dscl /Search -authonly username all return OK.


kinit username returns either "krb5_get_init_creds: CLIENT_NOT_FOUND" or "Password incorrect" (depending on user).

Deleting a user account in the ODM and recreating it (with same UID, etc) has no effect/improvement (clients are OSX 10.6.8 iMacs doing mobile accounts).


Is the following possibly related (or useful)?


http://alexkaloostian.livejournal.com/21876.html


or is it time to do the following?


Mac OS X Server v10.5 or later: Rebuilding the KDC while maintaining LDAP and PasswordServer databases


-----

Last - we actually have two separate parallel ODMs running in house - one OSX 10.4.11 server (as OD master to an offsite FTP server/OD replica, and a FileMaker 7 server) and the OSX 10.6.5 ODM (xserve4.pdc.dept) in support of the iMacs doing mobile accounts. Our desktops are all joined to xserve4.pdc.dept, but at least some of the Desktop Macs have somehow ended up in the wrong Kerberos realm (XSERVE2.PDC.DEPT) over time, possibly through user (keychain)


What is the best way to force these OSX 10.6.8 client iMacs back to the proper Kerberos realm? Unbinding and rebinding doesn't accomplish this, so possibly part of the problem is user keychain-related?


Thanks for any ideas...

brian

OSX Server-OTHER, OS X Server, Kerberos, LKDC, OSX Server 10.6.5

Posted on Aug 30, 2012 2:06 PM
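The klist -kt output in the post lists every service principal under an LKDC:SHA1... realm rather than XSERVE4.PDC.DEPT, the realm the poster expects. The following is an added example, not part of the original post: a shell check that reads klist -kt text and flags each principal whose realm differs from the expected one. The function names, the sample keytab listing, the EXAMPLEFINGERPRINT realm suffix and the host/ entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag keytab principals that are not in the expected realm.

# check_keytab_realm EXPECTED_REALM  (reads `klist -kt` text on stdin)
# Prints one line per distinct principal: "OK|MISMATCH kvno=<n> <principal>".
# Exit status: 0 = all in EXPECTED_REALM, 1 = at least one mismatch,
#              2 = no keytab entries could be parsed.
check_keytab_realm() {
    awk -v want="$1" '
        # Entry lines: numeric KVNO, date, time, principal.
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            princ = $4
            if (seen[princ]++) next      # same principal can be listed several times
            n = split(princ, parts, "@") # realm is whatever follows the last "@"
            realm = (n > 1) ? parts[n] : ""
            status = (realm == want) ? "OK" : "MISMATCH"
            if (status == "MISMATCH") bad++
            total++
            printf "%s kvno=%s %s\n", status, $1, princ
        }
        END {
            if (total == 0) exit 2
            if (bad > 0) exit 1
            exit 0
        }
    '
}

# Constructed sample shaped like the output in the post; the realm suffix
# is a placeholder and the host/ entry is added for contrast.
sample_klist_output() {
    cat <<'EOF'
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
   3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.EXAMPLEFINGERPRINT
   3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.EXAMPLEFINGERPRINT
   3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.EXAMPLEFINGERPRINT
   1 02/13/12 11:34:15 host/xserve4.pdc.dept@XSERVE4.PDC.DEPT
EOF
}

# Demo on the constructed sample. On a server the input would come from:
#   sudo klist -kt | check_keytab_realm XSERVE4.PDC.DEPT
sample_klist_output | check_keytab_realm XSERVE4.PDC.DEPT || echo "exit status: $?"
```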
