Mac OS X v10.5 and 10.6: Duplicate computer name alert when binding to Open Directory

When attempting to bind a NetInstall or NetRestore client to Open Directory, a client may receive an alert that the computer already exists. Looking up the computer in Open Directory may return a duplicate "LKDC:SHA1" entry.

This article has been archived and is no longer updated by Apple.

For Mac OS X v10.6 systems, use the System Image Utility included in Mac OS X Server v10.6.3 or later, and create the NetInstall or NetRestore image from a 10.6.3 or later system.

For Mac OS X v10.5 systems, create a new image using the System Image Utility included in Server Admin Tools 10.5.6 or later, which is available from Apple Support Downloads (it is also included with Mac OS X Server version 10.5.6 Update, or later). This utility automatically removes the local KDC during image creation.

Important: You should not manually remove Mac OS X system files or security configuration items to try to resolve this issue.

With Mac OS X 10.5 and later, each client system maintains a local KDC (LKDC) for local computer security. A computer-specific certificate named is created during the installation of OS X, a SHA1 hash of the certificate is generated, and entries are added to the Kerberos keytab for each service that uses the LKDC. This SHA1 hash is part of the computer account created for clients when bound to Open Directory and must be unique for each client computer.
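Because clients restored from one image inherit the same certificate hash, an inventory of LKDC realms can be audited for collisions before binding. The following is an added example, not Apple's code: the function name `audit_lkdc`, the "hostname realm" inventory layout, and the realm form `LKDC:SHA1.` followed by 40 hex digits are assumptions, and the sample hosts and hashes are constructed.

```python
import re
from collections import defaultdict

# Assumed realm layout: the "LKDC:SHA1" prefix from the article, a dot, then
# the 40 hex digits of the certificate's SHA1 hash.
REALM_RE = re.compile(r"^LKDC:SHA1\.([0-9A-Fa-f]{40})$")

# Constructed inventory, one "hostname realm" pair per line. lab-02 and lab-03
# stand for two clients restored from the same image (same hash, different case).
SAMPLE_INVENTORY = """\
# hostname  LKDC realm
lab-01  LKDC:SHA1.3F2A9C0D1E4B5A6978877665544332211000ABCD
lab-02  LKDC:SHA1.9B1D4E7F2A3C5D6E8F90A1B2C3D4E5F60718293A
lab-03  LKDC:SHA1.9b1d4e7f2a3c5d6e8f90a1b2c3d4e5f60718293a
lab-04  LKDC:SHA1.1234
"""


def audit_lkdc(inventory):
    """Return (duplicates, malformed) for an inventory of hostname/realm pairs.

    duplicates maps each shared hash (upper case) to the sorted hosts using it;
    malformed lists (line number, raw line) for entries that do not parse.
    """
    hosts_by_hash = defaultdict(list)
    malformed = []
    for lineno, raw in enumerate(inventory.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        fields = line.split()
        match = REALM_RE.match(fields[1]) if len(fields) == 2 else None
        if match is None:
            malformed.append((lineno, raw))
            continue
        # Hex case is not significant, so normalise before grouping.
        hosts_by_hash[match.group(1).upper()].append(fields[0])
    duplicates = {h: sorted(v) for h, v in hosts_by_hash.items() if len(v) > 1}
    return duplicates, malformed


if __name__ == "__main__":
    duplicates, malformed = audit_lkdc(SAMPLE_INVENTORY)
    for sha1, hosts in duplicates.items():
        print(f"shared LKDC hash {sha1}: {', '.join(hosts)}")
    for lineno, raw in malformed:
        print(f"line {lineno}: cannot parse {raw!r}")
```

Hosts reported as sharing a hash came from an image that still contained the local KDC; the fix remains rebuilding the image with the updated System Image Utility described above.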
