Archived - Mac OS X Server v10.5 or later: Rebuilding the KDC while maintaining LDAP and PasswordServer databases

In certain cases, it may be desirable to rebuild the Kerberos Key Distribution Center (KDC) on a Mac OS X Server v10.5 or later server in a manner that retains the existing databases for LDAP and PasswordServer.  The steps outlined in this article will accomplish this.

Note: You must have at least one of the "Recoverable Authentication Methods" (WebDAV-Digest and/or APOP) checked in the Policy tab under Settings for the Open Directory service in Server Admin, otherwise passwords will not be recreated properly.
 
Important: You should back up the files mentioned in the steps below prior to editing or deleting them.

This article has been archived and is no longer updated by Apple.
  1. If a KDC is currently running on the server, stop the process by entering the following commands in Terminal:

    Mac OS X Server v10.5 commands:

    sudo -s
    launchctl unload /System/Library/LaunchDaemons/com.apple.kdcmond.plist 2>/dev/null
    launchctl unload /System/Library/LaunchDaemons/edu.mit.kadmind.plist 2>/dev/null
    
  2. Mac OS X Server v10.6 commands: 

         sudo -s
         launchctl unload /System/Library/LaunchDaemons/edu.mit.Kerberos.krb5kdc.plist 2>/dev/null
         launchctl unload /System/Library/LaunchDaemons/edu.mit.Kerberos.kadmind.plist 2>/dev/null 

     

  3. In Terminal, navigate to the /var/db/krb5kdc/ directory and remove Kerberos principal files:
    # cd /var/db/krb5kdc

    Remove all files prefixed with principal.<REALMNAME> (for example, principal.SERVER1.APPLE.COM).  Do NOT remove the files prefixed with principal.LKDC.

    # rm principal.<REALMNAME>*

  4. While still in the /var/db/krb5kdc/ folder, edit the kdc.conf file using a command-line text editor (such as VI or nano) and remove the server realm information from the file.  For example, a file that looks like this:
    ## This file autogenerated by KDCSetup from (null) ##
    [libdefaults]
            default_realm = SERVER1.APPLE.COM
    
    [kdcdefaults]
            kdc_ports = 88
            kdc_tcp_ports = 88
    
    [realms]
            SERVER1.APPLE.COM = {
                    kadmind_port = 749
                    max_life = 10h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    master_key_type = des3-hmac-sha1
                    supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
                    acl_file = /var/db/krb5kdc/kadm5.acl
                    admin_keytab = /var/db/krb5kdc/kadm5.keytab
                    database_name = /var/db/krb5kdc/principal.SERVER1.APPLE.COM
                    key_stash_file = /var/db/krb5kdc/.k5.SERVER1.APPLE.COM
            }
            LKDC:SHA1.D9778E7719119E1359ABC67ACDDE16DDA1E3378C = {
                    kadmind_port = 749
                    max_life = 10h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    master_key_type = des3-hmac-sha1
                    supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
                    acl_file = /var/db/krb5kdc/kadm5.acl
                    admin_keytab = /var/db/krb5kdc/kadm5.keytab
                    database_name = /var/db/krb5kdc/principal.LKDC:SHA1.D9778E7719119E1359ABC67ACDDE16DDA1E3378C
                    key_stash_file = /var/db/krb5kdc/.k5.LKDC:SHA1.D9778E7719119E1359ABC67ACDDE16DDA1E3378C
            }
    [logging]
            kdc = FILE:/var/log/krb5kdc/kdc.log
            admin_server = FILE:/var/log/krb5kdc/kadmin.log
    

    should be edited to look like this:

    ## This file autogenerated by KDCSetup from (null) ##
    [libdefaults]
            default_realm =
    
    [kdcdefaults]
            kdc_ports = 88
            kdc_tcp_ports = 88
    
    [realms]
            LKDC:SHA1.D9778E7719119E1359ABC67ACDDE16DDA1E3378C = {
                    kadmind_port = 749
                    max_life = 10h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    master_key_type = des3-hmac-sha1
                    supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
                    acl_file = /var/db/krb5kdc/kadm5.acl
                    admin_keytab = /var/db/krb5kdc/kadm5.keytab
                    database_name = /var/db/krb5kdc/principal.LKDC:SHA1.D9778E7719119E1359ABC67ACDDE16DDA1E3378C
                    key_stash_file = /var/db/krb5kdc/.k5.LKDC:SHA1.D9778E7719119E1359ABC67ACDDE16DDA1E3378C
            }
    [logging]
            kdc = FILE:/var/log/krb5kdc/kdc.log
            admin_server = FILE:/var/log/krb5kdc/kadmin.log
    

  5. Remove the KerberosClient and KerberosKDC records from the LDAP node.  Substitute the name of your OD directory administrator for USERNAME:
    dscl -u USERNAME /LDAPv3/127.0.0.1 rm /Config/KerberosClient
    dscl -u USERNAME /LDAPv3/127.0.0.1 rm /Config/KerberosKDC
    

  6. Restart the KDC:

    Mac OS X Server v10.5 commands: 

    launchctl load /System/Library/LaunchDaemons/com.apple.kdcmond.plist
    launchctl load /System/Library/LaunchDaemons/edu.mit.kadmind.plist
    
  7. Mac OS X Server v10.6 commands: 

    launchctl load /System/Library/LaunchDaemons/edu.mit.Kerberos.krb5kdc.plist
    launchctl load /System/Library/LaunchDaemons/edu.mit.Kerberos.kadmind.plist
    
    
  8. Type the following command to re-Kerberize the server.  Substitute the name of your OD directory administrator for USERNAME and the name of your realm (for example, SERVER1.APPLE.COM) for REALMNAME: 
    # slapconfig -kerberize -f --allow_local_realm USERNAME REALMNAME

    Note: This final command outputs its progress to the terminal.  If you see lines such as the following, you can disregard them:

    WARNING: no policy specified for server1.apple.com@SERVER1.APPLE.COM; defaulting to no policy
    add_principal: Principal or policy already exists while creating "server1.apple.com$@SERVER1.APPLE.COM".
    WARNING: no policy specified for root@SERVER1.APPLE.COM; defaulting to no policy
    add_principal: Principal or policy already exists while creating "root@SERVER1.APPLE.COM".
    
Last Modified: Aug 2, 2013
Helpful?
Yes
No
  • Last Modified: Aug 2, 2013
  • Article: HT3655
  • Views:

    11024
  • Rating:
    • 20.0

    (1 Responses)

Additional Product Support Information

Start a Discussion
in Apple Support Communities
See all questions on this article See all questions I have asked