Mac OS X Server v10.6: Kerberos KDC location specified in krb5.conf is not respected

Products Affected

Mac OS X Server 10.6

Symptoms

In Mac OS X v10.6, the man page for krb5.conf states that the order of precedence for Kerberos configuration files is as follows:

~/Library/Preferences/edu.mit.Kerberos
/Library/Preferences/edu.mit.Kerberos
/etc/krb5.conf 

When certain preferences related to using DNS to locate Kerberos servers are set, Kerberos may not respect this order of precedence when locating Kerberos servers.

Resolution

Remove the /System/Library/KerberosPlugins/KerberosFrameworkPlugins/ODLocate.bundle file to revert Kerberos behavior to that described in the krb5.conf man page.

If the ODLocate bundle is left in place, the order of precedence is actually this:

DirectoryService/Kerberos integration via ODLocate (using DNS)
~/Library/Preferences/edu.mit.Kerberos
/Library/Preferences/edu.mit.Kerberos
/etc/krb5.conf
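
To see which of these sources exist on a given host, and so which one is consulted first, the order above can be checked with a few shell functions. This is an added example, not Apple's code; the function names and the ROOT and HOME_DIR arguments are assumptions of the example, included so the check can also run against a mounted volume.

```shell
#!/bin/sh
# Added example: list the Kerberos configuration sources present on a
# Mac OS X Server 10.6 volume, highest precedence first, following the
# order given in this article. Paths are the ones named in the article.

ODLOCATE_REL="System/Library/KerberosPlugins/KerberosFrameworkPlugins/ODLocate.bundle"

# odlocate_overrides ROOT
# Exit status 0 when the ODLocate bundle is present under ROOT, meaning
# DNS-based location via DirectoryService precedes the three files.
odlocate_overrides() {
    [ -e "${1%/}/$ODLOCATE_REL" ]   # -e: matches a file or a directory
}

# kdc_source_order ROOT HOME_DIR
# Prints one line per source that exists, in the order it is consulted.
kdc_source_order() {
    root="${1%/}"
    home_dir="${2%/}"

    if odlocate_overrides "$root"; then
        echo "ODLocate (DirectoryService, DNS): $root/$ODLOCATE_REL"
    fi
    for f in \
        "$home_dir/Library/Preferences/edu.mit.Kerberos" \
        "$root/Library/Preferences/edu.mit.Kerberos" \
        "$root/etc/krb5.conf"
    do
        if [ -f "$f" ]; then echo "file: $f"; fi
    done
}

# kdc_first_source ROOT HOME_DIR
# Prints only the source that is consulted first.
kdc_first_source() {
    kdc_source_order "$1" "$2" | head -n 1
}

# Report for the running system and the current user.
kdc_source_order / "$HOME"
```

If the first line of output names ODLocate, the KDC location in /etc/krb5.conf is not the first source consulted on that host.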

 

Additional Information

Mac OS X achieves Kerberos integration as part of DirectoryService.
