Mac OS X 10.5: Duplicate computer name alert when binding to Open Directory
Symptoms
When attempting to bind a client to Open Directory, a client may receive an alert that the computer already exists. Looking up the computer in Open Directory may return a duplicate "LKDC:SHA1" entry.
This may occur when a system is installed from a NetInstall image created using a version of System Image Utility earlier than version 10.5.6.
Products Affected
Mac OS X 10.5
Resolution
Use the System Image Utility included in Server Admin Tools 10.5.6 or later, which is available from Apple Support Downloads (it is also included with Mac OS X Server version 10.5.6 Update, or later). This utility automatically removes the local KDC during image creation.
Note: If you were using an earlier version of System Image Utility, the image should be rebuilt using version 10.5.6 or later.
Important: You should not manually remove Mac OS X system files or security configuration items to try to resolve this issue.
Additional Information
With Mac OS X 10.5 and later, each client system maintains a local KDC (LKDC) for local computer security. During the installation of OS X, a computer-specific certificate named com.apple.kerberos.kdc is created, a SHA1 hash of the certificate is generated, and entries are added to the Kerberos keytab for each service that uses the LKDC. This SHA1 hash is part of the computer account created for clients when bound to Open Directory and must be unique for each client computer. Systems installed from an image that still contains a local KDC share the same hash, which produces the duplicate entry described under Symptoms.
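
The uniqueness requirement above can be checked across imaged clients before binding them. The following is an added example, not Apple's code: it audits a list of hostname and LKDC realm pairs for shared hashes. The inventory is constructed sample data, the realm form "LKDC:SHA1." followed by 40 hex digits is an assumption, and the name audit_lkdc is hypothetical.

```python
import re
from collections import defaultdict

# Assumed realm form: "LKDC:SHA1." followed by the 40 hex digits of a SHA-1 hash.
REALM_RE = re.compile(r"^LKDC:SHA1\.([0-9A-Fa-f]{40})$")

# Constructed sample inventory, one "<hostname> <LKDC realm>" pair per line.
SAMPLE_INVENTORY = """\
lab-01 LKDC:SHA1.3F2A9C0D11E4B7A6508812CDEF0193A4B5C6D7E8
lab-02 LKDC:SHA1.3f2a9c0d11e4b7a6508812cdef0193a4b5c6d7e8
lab-03 LKDC:SHA1.A1B2C3D4E5F60718293A4B5C6D7E8F9012345678
lab-04 LKDC:SHA1.3F2A9C0D11E4B7A6508812CDEF0193A4B5C6D7E8
lab-05 LKDC:SHA1.not-a-hash
"""


def audit_lkdc(inventory_text):
    """Return (duplicates, malformed).

    duplicates maps a normalised hash to the sorted hostnames that share it;
    malformed lists the lines that did not match "<hostname> <realm>".
    """
    by_hash = defaultdict(set)
    malformed = []
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        match = REALM_RE.match(parts[1]) if len(parts) == 2 else None
        if match is None:
            malformed.append(line)
            continue
        # Hex case differs between tools, so compare the upper-cased digest.
        by_hash[match.group(1).upper()].add(parts[0])
    duplicates = {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}
    return duplicates, malformed


if __name__ == "__main__":
    dups, bad = audit_lkdc(SAMPLE_INVENTORY)
    for digest, hosts in dups.items():
        print(f"shared LKDC hash {digest}: {', '.join(hosts)}")
    for line in bad:
        print(f"unparsed: {line}")
```

Hosts reported as sharing a hash were installed from an image that still contained a local KDC; the fix is the one given under Resolution, rebuilding the image with System Image Utility 10.5.6 or later.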