
OS X - new users in ldap database - client not found in Kerberos database

I implemented OD about 6 months ago. The migration went fine and everything was working well including Kerberos. My environment is this: I have a single MAC OS X 10.4.11 XServe in each of 4 offices. The OD Master is at the headquarters, with each remote office -connected with site to site VPN - configured as OD Replica. We've enjoyed single user sign on and afp access to the file servers since the migration. The clients are all Macs running OS X 10.4.x - no other services besides afp are kerberized at this point.

A couple of days ago, one user reported that she was getting a Kerberos password prompt and that each time she entered her password, it failed with a bad password error. She eventually canceled the Kerberos prompt and entered her password in the afp prompt and gained server access.

I confirmed that the same password was used and that it indeed would not allow access via Kerberos. I destroyed the existing Kerberos ticket and tried again to no avail. I logged in as other users on this machine and Kerberos worked fine. I logged onto other machines as this user with the same failure. I then deleted the ldap user and recreated her account. Since that time, I get the following error when trying to authenticate to Kerberos: "Client not found in Kerberos database".

I then created a new, never before used username in the ldap db and get the same error with that new account. So it would seem that existing users are all still working fine, but new users created are not.

I've looked at the user accounts using dscl and the inspector in Workgroup manager and in both places, it shows that Kerberos v5 is an authentication authority. I've compared the accounts with working ones - I see no differences.

I don't see anything in the kdc logs that looks out of place... any suggestions as to what might be going on?

Thanks,
Elly
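One check a practitioner could run on the OD master to see whether a user's LDAP record names a Kerberosv5 principal that the KDC actually holds, as an added example that is not from this thread. It assumes a 10.4 Server master where `dscl` and MIT `kadmin.local` are available; the dscl and listprincs outputs, realm, hashes and key material below are constructed placeholders so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Live input on the OD master would be:
#   dscl /LDAPv3/127.0.0.1 -read /Users/alice AuthenticationAuthority
#   sudo kadmin.local -q listprincs
# Constructed sample dscl output for two records; realm and hex ids are placeholders.
DSCL_ALICE='AuthenticationAuthority: ;ApplePasswordServer;0x0123,1024 35 ... ;Kerberosv5;0x0123;alice@EXAMPLE.COM;EXAMPLE.COM;1024 35 ...'
DSCL_NEWUSER='AuthenticationAuthority: ;ApplePasswordServer;0x0456,1024 35 ... ;Kerberosv5;0x0456;newuser@EXAMPLE.COM;EXAMPLE.COM;1024 35 ...'

# Constructed sample of a listprincs listing: newuser is absent, which is
# exactly the "Client not found in Kerberos database" situation.
KDC_PRINCS='Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
afpserver/server.example.com@EXAMPLE.COM
alice@EXAMPLE.COM'

# Extract user@REALM from the ;Kerberosv5;<id>;<principal>;<realm>;... entry.
kerberos_principal_from_authority() {
    printf '%s\n' "$1" | sed -n 's/.*;Kerberosv5;[^;]*;\([^;]*\);.*/\1/p'
}

# True when the KDC listing contains the principal as a whole line.
principal_in_kdc() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# Diagnose one record against the KDC listing.
# Returns 0 when consistent, 1 when the record names a Kerberosv5 principal the
# KDC does not have, 2 when the record carries no Kerberosv5 authority at all.
check_user() {
    princ=$(kerberos_principal_from_authority "$1")
    if [ -z "$princ" ]; then
        echo "record has no Kerberosv5 authentication authority"
        return 2
    fi
    if principal_in_kdc "$princ" "$2"; then
        echo "$princ: in LDAP record and in KDC"
        return 0
    fi
    echo "$princ: LDAP record claims Kerberosv5 but KDC has no such principal"
    return 1
}

# A non-zero status is the finding, not a script error, so do not abort on it.
for rec in "$DSCL_ALICE" "$DSCL_NEWUSER"; do
    check_user "$rec" "$KDC_PRINCS" || true
done
```

A record that reports 1 is the case this thread describes: the directory side looks right in Workgroup Manager and dscl, but the KDC never received the principal.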
1 Solution
wyliecoyoteuk commented:
I am not an OD expert by any means, especially on MAC, but it sounds like a ticket renewal failure.
This link looks promising.

http://lists.apple.com/archives/macos-x-server/2008/Jan/msg00530.html

I have also heard of problems with large numbers of users (100 plus).
You could eliminate that as an issue by deleting any dormant or unused accounts, but it is anecdotal.

Hope that helps

EllysP (Author) commented:
I read the doc that you linked to - thanks...all existing users are getting and renewing tickets OK. When I create a new user - that user never gets a ticket - I immediately get the error that they are not in the Kerberos database.

A couple more bits of info - we are not using any mobile accounts and we only have about 80 users in the database.

EllysP (Author) commented:
I haven't gotten any good leads on this problem - will close this question next week - I am going to demote the servers to stand alone and then recreate the Master and replicas. I'll post if I learn anything helpful along the way before I close.

EllysP (Author) commented:
Well - I've demoted to stand alone and re-promoted the server to Replica. Last night everything worked OK. I tested all of the clients and no errors. This morning - however - a user logs in - no problem, connects to server - gets a Kerberos ticket, but none of the shares show up. If I destroy the Kerberos ticket and log on to the server via the afp dialog, shares appear... any ideas?

I ran updates on the server last night also - am kicking myself this morning for adding that to the mix.

EllysP (Author) commented:
Apple has been unable to help with this problem...I am able to boot from a cloned drive that I created a while ago - and after a demotion and recreation of the replica - and without running the updates, it works as expected. I guess I will have to rebuild the server to resolve the issue....