Mac OS X 10.5: Duplicate computer name alert when binding to Open Directory
Symptoms
When attempting to bind a client to Open Directory, the client may receive an alert that the computer already exists. Looking up the computer in Open Directory may return a duplicate "LKDC:SHA1" entry.
Products Affected
Mac OS X Server 10.5, Mac OS X 10.5 Leopard
Resolution
In certain circumstances, the local KDC on a Mac OS X 10.5 client may need to be reset so that a new com.apple.kerberos.kdc certificate can be created, and a new SHA1 hash of that certificate generated.
Deleting and re-creating the certificate and associated key pair from Keychain Access will affect services that have already authenticated based on the old certificate, such as saved passwords in Screen Sharing or registration with Back to My Mac, and those services will have to be re-configured to function properly with the new identity.
To reset the local KDC
Important: These steps include use of the "rm" command. Be sure to type the commands exactly. Misuse of the rm command may result in accidental data loss.
- Using Keychain Access, locate the com.apple.kerberos.kdc certificate and key pair in the System keychain. Delete all three entries.
- Using Terminal, execute this command to remove the local KDC:
sudo rm -fr /var/db/krb5kdc
- Using Terminal, execute this command to re-generate the local KDC root certificate and key pair:
sudo /usr/libexec/configureLocalKDC
Additional Information
This usually occurs when a system is installed from a NetInstall image that was captured after the point in the Mac OS X installation at which the com.apple.kerberos.kdc certificate had already been created, so every system imaged from it carries the same certificate and the same LKDC:SHA1 hash.
Starting with Mac OS X 10.5, each client system maintains a local KDC (LKDC) for local machine security. A machine-specific certificate named com.apple.kerberos.kdc is created during the installation of Mac OS X, a SHA1 hash of the certificate is generated, and entries are added to the Kerberos keytab for each service that uses the LKDC. This SHA1 hash uniquely identifies the computer on the network and in Open Directory.
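Because the SHA1 hash of the com.apple.kerberos.kdc certificate is what identifies a computer, an administrator can catch an imaging problem before any client tries to bind by collecting that fingerprint from each machine and checking for repeats. The script below is an added example, not part of Apple's article: lkdc_fingerprint reads the certificate from the System keychain with the security and openssl tools that ship with Mac OS X (the certificate name and keychain path are from this article; the exact output format of the openssl fingerprint line is an assumption), and find_duplicate_fingerprints takes an inventory of "hostname fingerprint" lines, gathered however you normally run commands across your fleet, and reports any fingerprint shared by more than one host. The inventory embedded in the script is constructed sample data with made-up fingerprints.

```shell
#!/bin/sh
# Added example (not from Apple's article): detect Mac OS X 10.5 clients that
# share the same local KDC certificate, which is the condition that produces
# the duplicate LKDC:SHA1 entry in Open Directory.

# Run on a Mac OS X 10.5 client: print the SHA1 fingerprint of the
# com.apple.kerberos.kdc certificate stored in the System keychain, as 40
# uppercase hex characters. Assumes `security find-certificate -c <name> -p`
# emits the certificate in PEM form and `openssl x509 -fingerprint` prints
# a line of the form "SHA1 Fingerprint=AB:CD:...".
lkdc_fingerprint() {
    security find-certificate -c com.apple.kerberos.kdc -p /Library/Keychains/System.keychain \
        | openssl x509 -noout -fingerprint -sha1 \
        | sed -e 's/^SHA1 Fingerprint=//' -e 's/://g'
}

# Read "<hostname> <fingerprint>" lines on stdin and print, for every
# fingerprint seen more than once, the fingerprint followed by the hosts
# that share it. Machines listed together were imaged from the same source
# after the LKDC certificate had already been generated.
find_duplicate_fingerprints() {
    awk '{ count[$2]++; hosts[$2] = hosts[$2] " " $1 }
         END { for (fp in count) if (count[fp] > 1) print fp ":" hosts[fp] }' \
        | sort
}

# Constructed sample inventory: fingerprints are placeholders, not real hashes.
# lab-01, lab-02 and lab-04 were imaged from the same NetInstall image.
SAMPLE_INVENTORY='lab-01 0123456789ABCDEF0123456789ABCDEF01234567
lab-02 0123456789ABCDEF0123456789ABCDEF01234567
lab-03 89ABCDEF0123456789ABCDEF0123456789ABCDEF
lab-04 0123456789ABCDEF0123456789ABCDEF01234567'

if [ "${1:-}" = "--local" ]; then
    # Print this machine's own LKDC fingerprint (Mac OS X only).
    lkdc_fingerprint
else
    # Report duplicates in the sample inventory.
    printf '%s\n' "$SAMPLE_INVENTORY" | find_duplicate_fingerprints
fi
```

Run with --local on each client to collect its fingerprint, then feed the combined "hostname fingerprint" list into find_duplicate_fingerprints; any host group it prints needs the local KDC reset described in the Resolution section before it will bind cleanly.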
This document will be updated as more information becomes available.