
I work for a small company where there's no dedicated system admin. I was tasked with upgrading our file and calendar server to 10.8, which I did by upgrading the OS then installing the server tools from the app store (as recommended by Apple).

Kerberos is not working properly. The server has a bunch of network users stored in Open Directory. When I try to screen share the server, which uses Kerberos behind the scenes to authenticate, I get informed of an invalid password.

Initially it was failing at "Got a canonicalize request for a LKDC realm from local-ipc", and stating it could not find a LKDC realm. I followed these instructions to regenerate the LKDC on the server:

  • Repeat sudo rm -rf /var/db/krb5kdc
  • sudo rm -rf /etc/krb5.keytab
  • Open Keychain Access and search for 'kdc', then delete the 3 com.apple.kerberos.kdc items.
  • Run the command to reinstall the LKDC, sudo /usr/libexec/configureLocalKDC; this is non-destructive so it can be rerun without upsetting anything.
  • Re-bind the client to the server.

After that, the system log states this when I try and log in to screen sharing from another Mac:

kdc[48]: AS-REQ amy@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA from fe80::cabc:c8ff:fec5:4b93%en0:53175 for krbtgt/LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA
kdc[48]: UNKNOWN -- amy@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA: no such entry found in hdb
screensharingd[582]: Authentication: FAILED :: User Name: amy :: Viewer Address: 192.168.1.44 :: Type: DH

The following is in the opendirectoryd log, which looks suspicious:

38.938 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
38.938, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified
38.938 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
38.938, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context

Also on startup in the system log, I'm getting

servermgrd[107]: servermgr_accounts: got error 5000 trying to auth to local LDAP node

If I call kinit in the terminal, it asks for my password and then validates it (it tells me if it is incorrect). At that point I get this log (I've replaced our company domain with OURCOMPANY, but it's getting it right):

kdc[48]: AS-REQ amy@OWL.OURCOMPANY.COM from 127.0.0.1:59175 for krbtgt/OWL.OURCOMPANY.COM@OWL.OURCOMPANY.COM
kernel[0]: Sandbox: kcm(690) deny mach-lookup com.apple.networkd
kdc[48]: UNKNOWN -- amy@OWL.OURCOMPANY.COM: no such entry found in hdb
kinit[693]: krb5_sendto_context is called on main thread, its a blocking api

Edit:

If I try kinit now I get:

kinit
amy@OWL.OURCOMPANY.COM's Password: 
kinit: krb5_get_init_creds: Client (amy@OWL.OURCOMPANY.COM) unknown

Can anyone suggest how I get Kerberos, Open Directory and LDAP all talking together again?

Amy Worrall
    Hopefully someone has a good answer, but I've found that with all the changes to server, I've had much better luck setting up 10.8 on a temporary machine (used mini or one to resell later) and slowly moving one service over at a time. Not only are the bumps less, but you can attack them with a backup in place (the old server). – bmike Nov 29 '12 at 13:40
  • I'm currently leaning strongly towards restoring from Time Machine backup to how it was before I attempted any of this. Of course, I've never done a full disk Time Machine restore either… who knows how many things that could mess up? – Amy Worrall Nov 29 '12 at 14:39
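The log lines quoted in the question can be triaged mechanically. The script below is an added example, not part of the question or of any answer: it parses the kdc AS-REQ / "no such entry found in hdb" pairs and the screensharingd failure line, groups them by realm, and distinguishes an LKDC-only failure (the case the configureLocalKDC steps address) from a failure in both the local KDC realm and the directory realm, which is what the question's logs show. The sample lines are copied from the post (realm hash, addresses and hostnames as shown there); the verdict codes and the realm_kind/triage helpers are this example's own.

```python
"""Triage of Heimdal kdc / screensharingd lines from an OS X Server system.log.

The sample lines are the ones quoted in the question; everything else here
(the regexes, realm_kind(), triage() and the verdict codes) is illustrative.
"""
import re
from collections import Counter

# Sample input copied from the question (not constructed).
SAMPLE_LOG = """\
kdc[48]: AS-REQ amy@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA from fe80::cabc:c8ff:fec5:4b93%en0:53175 for krbtgt/LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA
kdc[48]: UNKNOWN -- amy@LKDC:SHA1.3489A33F133BAF273138432326E52616444378EA: no such entry found in hdb
screensharingd[582]: Authentication: FAILED :: User Name: amy :: Viewer Address: 192.168.1.44 :: Type: DH
kdc[48]: AS-REQ amy@OWL.OURCOMPANY.COM from 127.0.0.1:59175 for krbtgt/OWL.OURCOMPANY.COM@OWL.OURCOMPANY.COM
kdc[48]: UNKNOWN -- amy@OWL.OURCOMPANY.COM: no such entry found in hdb
"""

# AS-REQ: the client principal, its realm, the requesting address and the service.
AS_REQ = re.compile(
    r"kdc\[\d+\]: AS-REQ (?P<client>[^@\s]+)@(?P<realm>\S+) from (?P<src>\S+) for (?P<service>\S+)"
)
# The KDC could not find the principal in its database; LKDC realms contain a
# colon, so the realm is matched non-greedily up to the fixed error text.
UNKNOWN = re.compile(
    r"kdc\[\d+\]: UNKNOWN -- (?P<client>[^@\s]+)@(?P<realm>.+?): no such entry found in hdb"
)
SS_FAIL = re.compile(
    r"screensharingd\[\d+\]: Authentication: FAILED :: User Name: (?P<user>\S+) "
    r":: Viewer Address: (?P<addr>\S+)"
)

EXPLANATION = {
    "ok": "no AS-REQ was answered with an hdb miss",
    "lkdc-only": "only the LKDC realm reports the principal missing; the local KDC "
                 "database is the thing to regenerate (the configureLocalKDC steps)",
    "directory-only": "only the directory realm reports the principal missing; the KDC "
                      "cannot see the Open Directory users",
    "all-realms": "both the LKDC realm and the directory realm report the principal "
                  "missing before any password check; consistent with the opendirectoryd "
                  "'unable to create LDAP connection context - no server specified' errors, "
                  "so the directory side, not the password, is what to inspect",
}


def realm_kind(realm):
    """LKDC realms are named LKDC:SHA1.<hash>; anything else is a directory realm."""
    return "lkdc" if realm.startswith("LKDC:") else "directory"


def triage(log_text):
    """Return per-(client, realm) counts, screen-sharing failures and a verdict code."""
    requests = Counter()   # (client, realm) -> number of AS-REQs
    unknown = Counter()    # (client, realm) -> number of 'no such entry found in hdb'
    failed_logins = []
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            requests[(m["client"], m["realm"])] += 1
            continue
        m = UNKNOWN.search(line)
        if m:
            unknown[(m["client"], m["realm"])] += 1
            continue
        m = SS_FAIL.search(line)
        if m:
            failed_logins.append((m["user"], m["addr"]))

    # A realm kind is "broken" when every AS-REQ seen for it ended in an hdb miss.
    broken_kinds = set()
    for key, n in requests.items():
        if unknown[key] >= n:
            broken_kinds.add(realm_kind(key[1]))

    if not broken_kinds:
        verdict = "ok"
    elif broken_kinds == {"lkdc", "directory"}:
        verdict = "all-realms"
    elif broken_kinds == {"lkdc"}:
        verdict = "lkdc-only"
    else:
        verdict = "directory-only"

    return {
        "requests": dict(requests),
        "unknown": dict(unknown),
        "failed_logins": failed_logins,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['verdict']}: {EXPLANATION[result['verdict']]}")
    for (client, realm), n in result["unknown"].items():
        total = result["requests"].get((client, realm), 0)
        print(f"  {client}@{realm}: {n} hdb miss(es) out of {total} AS-REQ(s)")
    for user, addr in result["failed_logins"]:
        print(f"  screen sharing FAILED for {user} from {addr}")
```

Run against the quoted lines it reports all-realms: the password was never evaluated, the KDC simply has no record of the principal in either realm, which matches the later `kinit: krb5_get_init_creds: Client (amy@OWL.OURCOMPANY.COM) unknown`. Pointing the same function at a fresh `grep kdc /var/log/system.log` after each repair step shows whether the LKDC realm has recovered independently of the directory realm.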

1 Answer

Upgrading from Snow Leopard to Mountain Lion is tricky at best and catastrophic at worst. With the issues you've run into I'd recommend going with building a new ML from scratch and transferring services.

Restoring from a Time Machine backup on a server usually works great.