LDAP – Kerberos broken when upgrading Snow Leopard Server to Mountain Lion

Tags: kerberos, ldap, mac-osx-server, opendirectory

I work for a small company where there's no dedicated system admin. I was tasked with upgrading our file and calendar server to 10.8, which I did by upgrading the OS then installing the server tools from the app store (as recommended by Apple).

Kerberos is not working properly. The server has a bunch of network users stored in Open Directory. When I try to screen share the server, which uses Kerberos behind the scenes to authenticate, I get informed of an invalid password.

Initially it was failing at "Got a canonicalize request for a LKDC realm from local-ipc", and stating it could not find a LKDC realm. I followed these instructions to regenerate the LKDC on the server:

  • Repeat "sudo rm -rf /var/db/krb5kdc"
  • "sudo rm -rf /etc/krb5.keytab"
  • Open Keychain Access, search for 'kdc', then delete the 3 com.apple.kerberos.kdc items.
  • Run the command to reinstall the LKDC, "sudo /usr/libexec/configureLocalKDC"; this is non-destructive, so it can be rerun without upsetting anything.
  • Re-bind the client to the server.

After that, the system log states this when I try to log in to screen sharing from another Mac:

kdc[48]: AS-REQ amy@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA from fe80::cabc:c8ff:fec5:4b93%en0:53175 for krbtgt/LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA
kdc[48]: UNKNOWN -- amy@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA: no such entry found in hdb
screensharingd[582]: Authentication: FAILED :: User Name: amy :: Viewer Address: 192.168.1.44 :: Type: DH

The following is in the opendirectoryd log, which looks suspicious:

38.938 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
38.938, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified
38.938 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
38.938, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context

Also on startup in the system log, I'm getting

servermgrd[107]: servermgr_accounts: got error 5000 trying to auth to local LDAP node

If I call kinit in the terminal, it asks for my password and then validates it (it tells me if it is incorrect). At that point I get this log (I've replaced our company domain with OURCOMPANY, but it's getting it right):

kdc[48]: AS-REQ amy@OWL.OURCOMPANY.COM from 127.0.0.1:59175 for krbtgt/OWL.OURCOMPANY.COM@OWL.OURCOMPANY.COM
kernel[0]: Sandbox: kcm(690) deny mach-lookup com.apple.networkd
kdc[48]: UNKNOWN -- amy@OWL.OURCOMPANY.COM: no such entry found in hdb
kinit[693]: krb5_sendto_context is called on main thread, its a blocking api

Edit:

If I try kinit now I get:

kinit
amy@OWL.OURCOMPANY.COM's Password: 
kinit: krb5_get_init_creds: Client (amy@OWL.OURCOMPANY.COM) unknown

Can anyone suggest how I get Kerberos, Open Directory and LDAP all talking together again?
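A small diagnostic parser for the kdc and screensharingd lines quoted above, added here as an example; it is not part of the original question or answer. It assumes the Heimdal KDC log wording exactly as it appears on this page ("AS-REQ ... from ... for ..." followed by "UNKNOWN -- principal: reason"), treats any realm named LKDC:SHA1.<hex> as a Local KDC realm and everything else as a managed (Open Directory) realm, and correlates a later screensharingd failure with the most recent KDC failure for the same user. The sample log is constructed from the question's own lines; Finding, analyze and explain are illustrative names, not macOS tooling.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the kdc and screensharingd lines quoted in the question,
# with the LKDC realm hash and the OWL.OURCOMPANY.COM realm copied as shown there.
SAMPLE_LOG = """\
kdc[48]: AS-REQ amy@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA from fe80::cabc:c8ff:fec5:4b93%en0:53175 for krbtgt/LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA
kdc[48]: UNKNOWN -- amy@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA: no such entry found in hdb
screensharingd[582]: Authentication: FAILED :: User Name: amy :: Viewer Address: 192.168.1.44 :: Type: DH
kdc[48]: AS-REQ amy@OWL.OURCOMPANY.COM from 127.0.0.1:59175 for krbtgt/OWL.OURCOMPANY.COM@OWL.OURCOMPANY.COM
kdc[48]: UNKNOWN -- amy@OWL.OURCOMPANY.COM: no such entry found in hdb
"""

# Log shapes as they appear on the page (assumed stable for this example).
AS_REQ_RE = re.compile(r"kdc\[\d+\]: AS-REQ (?P<client>\S+) from (?P<source>\S+) for (?P<service>\S+)")
UNKNOWN_RE = re.compile(r"kdc\[\d+\]: UNKNOWN -- (?P<client>\S+): (?P<reason>.+?)\s*$")
SS_FAIL_RE = re.compile(r"screensharingd\[\d+\]: Authentication: FAILED :: User Name: (?P<user>\S+) :: Viewer Address: (?P<addr>\S+)")


@dataclass
class Finding:
    user: str
    realm: str
    realm_kind: str                         # "LKDC" or "managed"
    source: str                             # address:port the AS-REQ came from
    reason: str                             # the KDC's own failure text
    service_failure: Optional[str] = None   # later service-level failure for the same user


def split_principal(principal: str):
    """'amy@REALM' -> ('amy', 'REALM'). Realm names may contain ':' so split on the last '@'."""
    user, _, realm = principal.rpartition("@")
    return user, realm


def realm_kind(realm: str) -> str:
    # A Local KDC realm is named LKDC:SHA1.<hex>; anything else is treated as a managed realm.
    return "LKDC" if realm.startswith("LKDC:") else "managed"


def analyze(log_text: str) -> List[Finding]:
    """Pair each AS-REQ with the UNKNOWN line that follows it and attach service failures."""
    pending: Dict[str, str] = {}   # client principal -> source of its latest AS-REQ
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = AS_REQ_RE.search(line)
        if m:
            pending[m["client"]] = m["source"]
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            user, realm = split_principal(m["client"])
            findings.append(Finding(user, realm, realm_kind(realm),
                                    pending.pop(m["client"], "?"), m["reason"]))
            continue
        m = SS_FAIL_RE.search(line)
        if m:
            # Attach the screen-sharing failure to the most recent KDC finding for that user.
            for f in reversed(findings):
                if f.user == m["user"] and f.service_failure is None:
                    f.service_failure = f"screensharingd from {m['addr']}"
                    break
    return findings


def explain(f: Finding) -> str:
    """Turn a finding into the one sentence an admin needs: is it a password problem or a missing principal?"""
    if f.reason == "no such entry found in hdb":
        where = "the Local KDC database" if f.realm_kind == "LKDC" else f"the KDC database for {f.realm}"
        return (f"{f.user}@{f.realm}: no principal for this user exists in {where}; "
                f"the password was never checked, so clients see 'invalid password' or 'Client unknown'")
    return f"{f.user}@{f.realm}: {f.reason}"


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(explain(finding), f"(request from {finding.source}; service failure: {finding.service_failure})")
```

The point of the pairing is that "no such entry found in hdb" is a lookup failure, not a credential failure: the KDC never reached the password step, which is why the question's kinit output reports "Client ... unknown" rather than a bad password. Seeing that for both the LKDC realm and the managed realm indicates the principals are missing from both KDC databases, not that one user has a wrong password.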

Best Answer

Upgrading from Snow Leopard to Mountain Lion is tricky at best and catastrophic at worst. With the issues you've run into I'd recommend going with building a new ML from scratch and transferring services.

Restoring from a Time Machine backup on a server usually works great.
