Alex Kaloostian

Apple Certified Master Trainer | Systems Integrator | Video Editor | Motion Graphics Artist

Archiving OD in 10.6 breaks Kerberos.


Here’s how to fix it.

Last year we discovered that OS X Server 10.6 has a teensy tiny issue where it corrupts the Kerberos passwords for all users when restoring an OpenDirectory archive. Yikes. I posted a script that will fix the issue, basically deleting all the Kerberos AuthenticationAuthority attributes for all users above a designated user ID and replacing them with a new password.

I have been shown a much simpler fix: If you have restored from an OD archive and your users can no longer authenticate with Kerberos, type the following in the terminal on your server:

sudo slapconfig -kerberize -f diradmin

Where “diradmin” is your directory admin name. Then authenticate with your sudo password and your diradmin password. This will generate a NEW Kerberos AuthenticationAuthority attribute for every user with their existing password. That’s it, no step 2. The only catch is, it also keeps the old, broken AuthenticationAuthority attribute; you’ll see both if you dscl. But it has been working beautifully for us so far.
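To see which accounts carry both the old and the new Kerberos attribute after running the command, you can count the `;Kerberosv5;` values per user in a dscl dump. This is an added example, not part of the original post; the function names, the sample records and the assumed `-readall` text layout (records separated by a line holding `-`) are illustrative assumptions.

```shell
#!/bin/sh
# Added example: count Kerberosv5 AuthenticationAuthority values per user.
# Assumed input layout (dscl -readall style): "Key: value" lines, one
# indented line per value of a multi-valued attribute, and a line holding
# only "-" between records.
# On a real server the input would come from something like (node path assumed):
#   dscl /LDAPv3/127.0.0.1 -readall /Users RecordName AuthenticationAuthority | krb_count

krb_count() {
    awk '
        # Print "shortname count" for the record just finished, then reset.
        function emit() { if (name != "") print name, n; name = ""; n = 0 }
        /^-$/          { emit(); next }                      # record separator
        /^RecordName:/ { name = $2 }                         # first short name
                       { n += gsub(/;Kerberosv5;/, "&") }    # count, leave line unchanged
        END            { emit() }                            # last record has no separator
    '
}

# Constructed sample data: alice has two Kerberos values (old and new),
# bob has one, carol has only a password server entry.
sample_dump() {
    cat <<'EOF'
AuthenticationAuthority:
 ;ApplePasswordServer;0xCONSTRUCTED01,1024 35 1234 root@server.example.com:192.0.2.10
 ;Kerberosv5;0xCONSTRUCTED01;alice@SERVER.EXAMPLE.COM;SERVER.EXAMPLE.COM;1024 35 1234 root@server.example.com
 ;Kerberosv5;0xCONSTRUCTED02;alice@SERVER.EXAMPLE.COM;SERVER.EXAMPLE.COM;1024 35 1234 root@server.example.com
RecordName: alice
-
AuthenticationAuthority:
 ;ApplePasswordServer;0xCONSTRUCTED03,1024 35 1234 root@server.example.com:192.0.2.10
 ;Kerberosv5;0xCONSTRUCTED03;bob@SERVER.EXAMPLE.COM;SERVER.EXAMPLE.COM;1024 35 1234 root@server.example.com
RecordName: bob
-
AuthenticationAuthority:
 ;ApplePasswordServer;0xCONSTRUCTED04,1024 35 1234 root@server.example.com:192.0.2.10
RecordName: carol
EOF
}

sample_dump | krb_count
```

Users reported with a count of 2 are the ones showing both attributes; comparing the list before and after the command shows which accounts it touched.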

Author: alexkaloostian

I'm a video editor, motion graphics designer and Mac IT consultant in the Boston area.
