LothianScykle

Q: Kerberos Realm mismatch

First a little background. When we first set up this Mini server on 10.8, we used an old domain name. We set up services and Open Directory, and life was good. We then had a need to change the domain name associated with the installation. We changed the domain name in DNS, mail, etc. NSLookups on the new domain match the reverse pointer, and the changeip -checkhostname reports everything matches up using new domain name. Bought SSL certs for the new domain name and secured all services using the new cert. Everything works as expected including File Sharing, Mail, VPN, etc.

Yesterday, we upgraded to OS X Server 10.9 and Server 3.0.3. Now, most services appear to continue to work (Mail being the primary), but "some" Local Network Users cannot access file shares on the server. My (Administrative) account can, but other users cannot. Also, we cannot change user passwords - even from within the Server app, and I cannot create new users. When attempting to change passwords, I see the "processing" circle, then back to the password dialog. When creating new users, I receive "existing connection is not authenticated: password change denied". The user is created, but is marked as "Not Allowed".

Any time I try to make a change to the user passwords, I receive the following in the system.log:

Mar  7 12:27:52 newhost.newdomain.com kdc[77]: UNKNOWN -- oldhost.olddomain.com$@OLDHOST.OLDDOMAIN.COM: no such entry found in hdb

Mar  7 12:27:52 newhost.newdomain.com kdc[77]: AS-REQ oldhost.olddomain.com$@OLDHOST.OLDDOMAIN.COM from 127.0.0.1:53553 for krbtgt/OLDHOST.OLDDOMAIN.COM@OLDHOST.OLDDOMAIN.COM

I have attempted to follow the instructions here (OS X Server (Mavericks): After upgrading or migrating, network user cannot be created) with no change, even after rebooting.

I found instructions for sudo sso_util configure..., but when I process this with the NEWHOST.NEWDOMAIN.COM, I get the following:

/Local/Default

/LDAPv3/127.0.0.1

Invalid Realm Name

When I run sudo sso_util info -g I get:

Default Realm Name: NEWHOST.NEWDOMAIN.COM

Any ideas on what I can do to fix this? If the answer is to delete the Open Directory and re-create it, will my users remain? I'm not so concerned about re-creating the users if I have to - there are not that many - but I am concerned with losing their mail.

Many thanks in advance

Mac mini, OS X Mavericks (10.9.2), Server 3.0.3

Posted on Mar 7, 2014 9:46 AM
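The kdc log lines in the post are the clearest evidence of the problem: the KDC on the new host is still receiving AS-REQs for a principal in the old realm (OLDHOST.OLDDOMAIN.COM), which no longer exists in its database (hdb), while sso_util reports the default realm as NEWHOST.NEWDOMAIN.COM. The following Python script is an added example, not code from the poster or from Apple; it reads sso_util-style output for the expected realm, then scans kdc log lines and flags any that reference a different realm, recording the requesting address and whether the KDC reported an hdb miss. It assumes the placeholder hostnames and realms used in the post, plus one constructed "healthy" log line for contrast, and the log format shown in the post.

```python
import re

# Constructed sample: the two kdc lines from the post plus one constructed
# healthy line (jdoe, 192.0.2.10) in the new realm for contrast.
SAMPLE_LOG = """\
Mar  7 12:27:52 newhost.newdomain.com kdc[77]: UNKNOWN -- oldhost.olddomain.com$@OLDHOST.OLDDOMAIN.COM: no such entry found in hdb
Mar  7 12:27:52 newhost.newdomain.com kdc[77]: AS-REQ oldhost.olddomain.com$@OLDHOST.OLDDOMAIN.COM from 127.0.0.1:53553 for krbtgt/OLDHOST.OLDDOMAIN.COM@OLDHOST.OLDDOMAIN.COM
Mar  7 12:30:01 newhost.newdomain.com kdc[77]: AS-REQ jdoe@NEWHOST.NEWDOMAIN.COM from 192.0.2.10:50001 for krbtgt/NEWHOST.NEWDOMAIN.COM@NEWHOST.NEWDOMAIN.COM
"""

# Constructed sample of the relevant line from `sudo sso_util info -g`, as quoted in the post.
SAMPLE_SSO_INFO = """\
Default Realm Name: NEWHOST.NEWDOMAIN.COM
"""

# A Kerberos principal as it appears in the log: name[/instance]@REALM.
# The trailing '$' on machine accounts (oldhost.olddomain.com$) is allowed in the name part.
PRINCIPAL_RE = re.compile(r"([A-Za-z0-9._$/-]+)@([A-Z0-9.-]+)")
# Source address of an AS-REQ: " from 127.0.0.1:53553 "
SOURCE_RE = re.compile(r" from (\d+\.\d+\.\d+\.\d+):\d+ ")


def default_realm_from_sso_info(output):
    """Extract the 'Default Realm Name' value from sso_util info output, or None."""
    for line in output.splitlines():
        if line.startswith("Default Realm Name:"):
            return line.split(":", 1)[1].strip()
    return None


def parse_principals(line):
    """Return every (principal, realm) pair mentioned in one kdc log line."""
    return PRINCIPAL_RE.findall(line)


def find_realm_mismatches(log_text, expected_realm):
    """Flag kdc log lines that mention any realm other than expected_realm.

    Each finding records the 1-based line number, the unexpected realms,
    the requesting address (if the line is an AS-REQ), and whether the KDC
    reported the principal as missing from its database (hdb).
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if "kdc[" not in line:
            continue  # only KDC messages are of interest here
        foreign = {realm for _, realm in parse_principals(line) if realm != expected_realm}
        if not foreign:
            continue
        src = SOURCE_RE.search(line)
        findings.append({
            "line": lineno,
            "realms": sorted(foreign),
            "source": src.group(1) if src else None,
            "hdb_miss": "no such entry found in hdb" in line,
        })
    return findings


if __name__ == "__main__":
    realm = default_realm_from_sso_info(SAMPLE_SSO_INFO)
    print(f"expected realm: {realm}")
    for f in find_realm_mismatches(SAMPLE_LOG, realm):
        print(f"line {f['line']}: realm(s) {f['realms']} from {f['source']} "
              f"(hdb miss: {f['hdb_miss']})")
```

On the post's sample, the script reports lines 1 and 2 as referencing OLDHOST.OLDDOMAIN.COM, with line 2 coming from 127.0.0.1 (the server itself), which points at a locally stored credential or configuration still bound to the old realm rather than at a remote client. On a real system the same check can be run against /var/log/system.log (or the output of log show) with the realm taken from sso_util info -g.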