0 Replies Latest reply: Aug 30, 2012 2:06 PM by KN4R
KN4R Level 1 (0 points)

Hello,

 

Regarding TS2938: Lion Server: AFP users unable to authenticate with Kerberos after upgrading.

 

Is this tech note also applicable to OSX 10.6.5 Server? We are having Kerberos auth issues with some (but not all) AFP users, and running the klist -kt command on the ODM returns the following (the Kerberos realm should be XSERVE4.PDC.DEPT):

 

xserve4:~ sadmin$ sudo klist -kt
Password:
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
   3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
   3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
   3 02/13/12 11:34:15 vnc/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
   3 02/13/12 11:34:15 vnc/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
   3 02/13/12 11:34:15 vnc/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
   3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
   3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4
   3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.5823538DEBF942E1638AEA73E98E49F2D98E77D4

 

-----

 

Testing the user accounts using dscl /Search -authonly username all return OK.

 

kinit username either returns "krb5_get_init_creds:  CLIENT_NOT_FOUND", or "Password incorrect" (depending on user)


Deleting a user account in the ODM and recreating it (with same UID, etc) has no effect/improvement (clients are OSX 10.6.8 iMacs doing mobile accounts).

 

Is the following possibly related (or useful)?

 

http://alexkaloostian.livejournal.com/21876.html

 

or is it time to do the following?

 

Mac OS X Server v10.5 or later: Rebuilding the KDC while maintaining LDAP and PasswordServer databases

 

-----

Last - we actually have two separate parallel ODMs running in house - one OSX 10.4.11 server (as OD master to an offsite FTP server/OD replica, and a FileMaker 7 server) and the OSX 10.6.5 ODM (xserve4.pdc.dept) in support of the iMacs doing mobile accounts.  Our desktops are all joined to xserve4.pdc.dept, but at least some of the Desktop Macs have somehow ended up in the wrong Kerberos realm (XSERVE2.PDC.DEPT) over time, possibly through user (keychain)

 

What is the best way to force these OSX 10.6.8 client iMacs back to the proper Kerberos realm? Unbinding and rebinding doesn't accomplish this, so possibly part of the problem is user keychain-related?

 

Thanks for any ideas...

brian


OSX Server, OS X Server, Kerberos, LKDC,OSX Server 10.6.5
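
A check for the symptom described in the post, as an added example (not part of the original post and not Apple's tooling): it reads `klist -kt` output in the layout shown above and flags service principals whose realm is not the expected one. The function names and the sample hash are constructed, and it assumes the principal is the fourth whitespace-separated field of each entry row.

```shell
# Added example: summarise realms in `klist -kt` output and flag mismatches.
# Constructed sample in the layout shown in the post (the hash is made up).
sample_klist() {
cat <<'EOF'
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567
   3 02/13/12 11:34:15 afpserver/xserve4.pdc.dept@LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567
   3 02/13/12 11:34:15 cifs/xserve4.pdc.dept@LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567
   4 02/14/12 09:00:00 host/xserve4.pdc.dept@XSERVE4.PDC.DEPT
EOF
}

# check_keytab_realms EXPECTED_REALM   (klist -kt output on stdin)
# Prints one line per unique principal: STATUS SERVICE/HOST REALM xENTRIES
# Exit status: 0 = all in EXPECTED_REALM, 1 = mismatch found, 2 = no entries.
check_keytab_realms() {
    awk -v want="$1" '
        # Entry rows start with a numeric KVNO; header and rule lines do not.
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            p = $4; at = 0
            # Realm follows the last "@" (LKDC realms contain ":" and ".").
            for (i = 1; i <= length(p); i++) if (substr(p, i, 1) == "@") at = i
            if (at == 0) next
            if (!(p in count)) {
                order[++n] = p
                svc[p] = substr(p, 1, at - 1)
                realm[p] = substr(p, at + 1)
            }
            count[p]++
        }
        END {
            if (n == 0) exit 2
            for (k = 1; k <= n; k++) {
                p = order[k]; status = "OK"
                if (realm[p] != want) {
                    bad = 1
                    status = (substr(realm[p], 1, 5) == "LKDC:") ? "LKDC" : "WRONG_REALM"
                }
                printf "%-12s %s %s x%d\n", status, svc[p], realm[p], count[p]
            }
            exit (bad ? 1 : 0)
        }
    '
}
# Usage on the server: sudo klist -kt | check_keytab_realms XSERVE4.PDC.DEPT
```
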