Mac OS X 10.3 and later: User cannot log into a workstation that is bound to Active Directory and Open Directory

  • Last Modified: September 09, 2008
  • Article: TS2250
  • Old Article: 300765

Symptoms

A user cannot log into a workstation that is bound to Active Directory (AD) and Open Directory (OD). This is true for:

  • Any Mac OS X 10.3 client with Directory Access bound to both 10.3 server (in OD Master Mode) and Active Directory, or
  • Any Mac OS X 10.3 server (in OD Master Mode) in combination with any LDAP directory that has the Apple schema and is pushing out a Kerberos config file.

Starting with Panther, Mac OS X clients will try to automatically generate Kerberos config information when bound to an LDAP server that contains the "KerberosClient" record (such as OD). The AD plug-in also attempts to automatically configure Kerberos when you bind to AD. These mechanisms write data to the file /Library/Preferences/edu.mit.Kerberos.

If you have client computers bound to AD for user authentication and OD for Mac OS X-managed client items, the client computers will try to automatically configure the Kerberos settings using the KerberosClient record in the OD server and the AD plug-in. Sometimes this works fine, and they get the correct information from both sources. Other times, the OD server responds with the information before the AD domain controller, and the client gets configured with only the information for OD. The client computer essentially "forgets" about the AD Kerberos, and the result is that users cannot log into the workstation. Since Mac OS X uses Kerberos for user authentication against AD, the Kerberos settings from the OD server are inconsequential.

To prevent the client from getting conflicting information from two sources (as described above), change the name of the KerberosClient record on the OD server. This way, the client will get Kerberos information only from AD, which will be the correct information for user login every time.

Products Affected

Mac OS X Server 10.4, Mac OS X Server 10.3

Resolution

To resolve this issue:


  1. Open Workgroup Manager.
  2. Connect to the relevant OD Master as a directory administrator.
  3. Go to Preferences, and select the "Show all records tab and inspector" checkbox (affirm the warning dialog).
  4. Click on the bullseye icon to enable the inspector.


  5. A pop-up menu will appear above the list on the left. This shows all of the attribute containers. Select the Config container.
  6. You will see a list of attributes appear in the Config container.
  7. Select the KerberosClient attribute from the list on the left.
  8. The inspector pane on the right will now show the raw directory data for this attribute.
  9. Select the "RecordName" key from the inspector panel on the right. It will have the corresponding value of KerberosClient.
  10. Click the Edit button below the inspector panel to edit this attribute's RecordName.
  11. The editor panel will appear. Change the text in the Text field from "KerberosClient" to something else (for example: "KerberosClient_DONOTUSE"), and click OK.

    Note: It doesn't matter what you change "KerberosClient" to, as long as you do change it. This helps because the client won't try to auto-configure Kerberos if it doesn't find "KerberosClient."


  12. You will be returned to the inspector panel for the attribute. You should see that the key RecordName has the value of whatever you entered in place of KerberosClient.
  13. Click Save. Because you renamed the KerberosClient attribute, clients will no longer get Kerberos auto-configuration info from OD. They will just get it from AD, which is what you want.

    Note: If you want to re-enable Kerberos auto-configuration from OD at a later time, just change "KerberosClient_DONOTUSE" (or whatever else you named it) back to "KerberosClient", and the Macintosh clients will pull configuration data from it again.
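The article explains that the client writes whatever Kerberos information it hears first into /Library/Preferences/edu.mit.Kerberos, so the quickest way to tell whether a workstation has hit this problem (before the rename) or is fixed (after it) is to read that file and see which realm is the default. The script below is an added diagnostic, not part of the Apple article: it parses the MIT-style [libdefaults] and [realms] sections of a config file and reports whether the AD realm is the default. The realm names, host names and the two sample config files are constructed for illustration, and the `od_has_kerberosclient` helper assumes the record is readable over dscl at /Config/KerberosClient on the OD master.

```shell
#!/bin/sh
# Added diagnostic for the Kerberos auto-configuration conflict described in
# the article. Not Apple's code. Realm and host names below are constructed.

# kerberos_default_realm FILE -> prints the default_realm from [libdefaults]
kerberos_default_realm() {
  awk -F= '
    /^\[/ { sect = $0 }
    sect == "[libdefaults]" && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
      gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
    }' "$1"
}

# kerberos_realms FILE -> prints one line per realm defined under [realms]
kerberos_realms() {
  awk '
    /^\[/ { sect = $0; next }
    sect == "[realms]" && $0 ~ /^[ \t]*[A-Za-z0-9._-]+[ \t]*=[ \t]*[{]/ { print $1 }
    ' "$1"
}

# check_ad_realm FILE AD_REALM -> 0 when the client would authenticate to AD,
# 1 when the file only describes another realm (the OD-only failure mode)
check_ad_realm() {
  file=$1; want=$2
  got=$(kerberos_default_realm "$file")
  if [ "$got" != "$want" ]; then
    echo "default_realm is '$got', expected '$want': client was auto-configured without AD"
    return 1
  fi
  if ! kerberos_realms "$file" | grep -qx "$want"; then
    echo "realm $want is the default but has no [realms] entry"
    return 1
  fi
  echo "default_realm $want with a matching [realms] entry: AD login should work"
  return 0
}

# od_has_kerberosclient OD_SERVER -> 0 if the OD master still publishes a
# KerberosClient record (assumed dscl path; only meaningful on a Mac)
od_has_kerberosclient() {
  command -v dscl >/dev/null 2>&1 || { echo "dscl not available here"; return 2; }
  dscl "/LDAPv3/$1" -read /Config/KerberosClient >/dev/null 2>&1
}

# Constructed sample 1: what the client writes when it only heard the OD
# KerberosClient record (the symptom in the article).
OD_ONLY=$(mktemp)
cat > "$OD_ONLY" <<'EOF'
[libdefaults]
    default_realm = OD.EXAMPLE.COM
[realms]
    OD.EXAMPLE.COM = {
        kdc = odmaster.example.com
        admin_server = odmaster.example.com
    }
EOF

# Constructed sample 2: both sources heard, AD realm as default (healthy).
AD_AND_OD=$(mktemp)
cat > "$AD_AND_OD" <<'EOF'
[libdefaults]
    default_realm = AD.EXAMPLE.COM
[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }
    OD.EXAMPLE.COM = {
        kdc = odmaster.example.com
    }
EOF

# Demonstration run; on a real client pass /Library/Preferences/edu.mit.Kerberos
check_ad_realm "$OD_ONLY" AD.EXAMPLE.COM || :
check_ad_realm "$AD_AND_OD" AD.EXAMPLE.COM || :
```

On a workstation showing the symptom, run `check_ad_realm /Library/Preferences/edu.mit.Kerberos YOUR.AD.REALM`; after renaming the record on the OD master and rebinding, `od_has_kerberosclient odmaster.example.com` should fail and the file should again default to the AD realm.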
