This article has been archived and is no longer updated by Apple.

DNS service principal may not be added to Kerberos keytab when restoring Mac OS X v10.6 Open Directory Archive to OS X Lion Open Directory Master

When you restore an Open Directory archive from a Mac OS X v10.6 Open Directory Master to an OS X Lion Open Directory Master, the DNS service principal may not be added to the Kerberos keytab on the new server.

First verify that your system is affected by this issue by executing this command in Terminal:

sudo ktutil list | grep DNS

If no results are returned, manually re-create the principal by executing this command in Terminal:

sudo sso_util configure -r (realm) -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -a (diradmin username) -p (diradmin password) DNS

  • (realm) is the Kerberos realm of the server, such as servername.com

  • (diradmin username) is the short name of the primary directory administrator user

  • (diradmin password) is the password for that user

Learn more

After you run the command above, you can verify that a DNS service principal exists by re-running this command in Terminal:

sudo ktutil list | grep DNS

Note that multiple results may be returned; this is expected behavior.
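As an added example that is not part of the Apple article, the following shell check parses `ktutil list` output and counts only entries whose principal is `DNS/<host>@<realm>`; a plain `grep DNS` would also match any other line that merely contains those letters. The keytab listings, the host server.example.com and the realm SERVER.EXAMPLE.COM are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the Apple article). On a real server run:
#   sudo ktutil list | count_dns_principals "SERVER.EXAMPLE.COM"
# Heimdal ktutil prints one line per key version and encryption type, so
# several matches for one principal are expected, as the article notes.

# Count keytab entries whose principal is DNS/<host>@<realm>.
# Reads ktutil output on stdin; prints the count and returns 0 if any found.
count_dns_principals() {
    realm="$1"
    # Field 3 of each entry line is the principal; anchor on "DNS/" so a
    # principal that merely contains the letters DNS elsewhere is not counted.
    n=$(awk -v realm="$realm" '
        $3 ~ /^DNS\// && $3 ~ ("@" realm "$") { c++ }
        END { print c + 0 }')
    echo "$n"
    [ "$n" -gt 0 ]
}

# Constructed sample: keytab that has the DNS principal (one entry per enctype).
SAMPLE_WITH_DNS='FILE:/etc/krb5.keytab

Vno  Type                     Principal                                          Aliases
  3  aes256-cts-hmac-sha1-96  host/server.example.com@SERVER.EXAMPLE.COM
  3  aes256-cts-hmac-sha1-96  DNS/server.example.com@SERVER.EXAMPLE.COM
  3  aes128-cts-hmac-sha1-96  DNS/server.example.com@SERVER.EXAMPLE.COM
  3  des3-cbc-sha1            DNS/server.example.com@SERVER.EXAMPLE.COM'

# Constructed sample: keytab as left by the affected restore (no DNS principal).
SAMPLE_WITHOUT_DNS='FILE:/etc/krb5.keytab

Vno  Type                     Principal                                          Aliases
  3  aes256-cts-hmac-sha1-96  host/server.example.com@SERVER.EXAMPLE.COM
  3  aes256-cts-hmac-sha1-96  afpserver/server.example.com@SERVER.EXAMPLE.COM'

# Feed a sample listing to the check: $1 is the listing text, $2 the realm.
check_keytab_sample() {
    printf '%s\n' "$1" | count_dns_principals "$2"
}

if check_keytab_sample "$SAMPLE_WITH_DNS" "SERVER.EXAMPLE.COM" >/dev/null; then
    echo "DNS principal present"
else
    echo "DNS principal missing: re-create it with sso_util as described above"
fi
```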
