If You Can’t Log In as an Active Directory User
After configuring a connection to an Active Directory domain in the Service pane of
Directory Utility (located in Accounts preferences) and adding it to a custom search
policy in the Authentication pane, wait 10 or 15 seconds for the change to take effect.
Attempts to log in immediately with an Active Directory account will be unsuccessful.
If Users Can’t Authenticate Using Single Sign-On Kerberos
When a user or service that uses Kerberos experiences authentication failures, try
these remedies:
• Kerberos authentication is based on encrypted time stamps. If there’s more than a
  5-minute difference between the KDC, client, and service computers, authentication
  may fail.
  Make sure the clocks for all computers are synchronized using the Network Time
  Protocol (NTP) service of Mac OS X Server or another network time server. For
  information about the NTP service of Mac OS X Server, see Network Services
  Administration.
• Make sure Kerberos is running on the Open Directory master and replicas. See “If
  Kerberos Is Stopped on an Open Directory Master or Replica” on page 210.
• If a Kerberos server used for password validation is not available, reset the user’s
  password to use a server that is available.
• Make sure the server providing the Kerberized service has access to the Kerberos
  server’s directory domain, and make sure this directory domain contains the
  accounts for users who are trying to authenticate using Kerberos. For information
  about configuring access to directory domains, see Chapter 7, “Managing Directory
  Clients Using Accounts Preferences.”
• For an Open Directory server’s Kerberos realm, make sure the client computer is
  configured to access the Open Directory server’s LDAP directory using the correct
  search base suffix.
  The client’s LDAPv3 search base suffix setting must match the LDAP directory’s search
  base setting. The client’s LDAPv3 search base suffix can be blank if it gets its LDAP
  mappings from the server. If so, the client uses the LDAP directory’s default search
  base suffix.
  • To check the client’s search base suffix setting, open Directory Utility (located in
    Accounts preferences), show the list of LDAPv3 configurations, and choose the
    item from the LDAP Mappings pop-up menu that’s already selected in the menu.
    For more information, see “Changing a Configuration for Accessing an LDAP
    Directory” on page 140.
  • To check the LDAP directory’s search base setting, open Server Admin and look in
    the Protocols pane of the Settings pane for Open Directory service.
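
For the clock check in the first remedy above, this added example (not part of the original guide) measures each machine's clock offset with a single SNTP query and lists the pairs that differ by more than 5 minutes. It assumes the KDC and service hosts answer NTP on UDP port 123; the function names and the host name in the comment are illustrative, and the replies used in the demo are constructed.

```python
import socket, struct, time

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_SKEW = 300           # the 5-minute difference named in the text

def ntp_ts(pkt, off):
    """Decode the 64-bit NTP timestamp at byte offset off into Unix seconds."""
    sec, frac = struct.unpack("!II", pkt[off:off + 8])
    return sec - NTP_DELTA + frac / 2**32

def sntp_offset(reply, t1, t4):
    """Offset of the remote clock from the local one, in seconds.
    t1/t4 are local send/receive times; the reply carries t2 and t3."""
    if len(reply) < 48 or reply[0] & 0x7 != 4 or reply[1] == 0:
        raise ValueError("not a usable NTP server reply")
    t2, t3 = ntp_ts(reply, 32), ntp_ts(reply, 40)
    return ((t2 - t1) + (t3 - t4)) / 2

def query_offset(host, timeout=3.0):
    """Send one SNTP client request (UDP 123) and return the host's offset."""
    request = b"\x23" + 47 * b"\0"          # LI=0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return sntp_offset(reply, t1, t4)

def skewed_pairs(offsets, max_skew=MAX_SKEW):
    """Return (a, b, seconds) for every pair of machines too far apart."""
    names = sorted(offsets)
    return [(a, b, round(abs(offsets[a] - offsets[b]), 1))
            for i, a in enumerate(names) for b in names[i + 1:]
            if abs(offsets[a] - offsets[b]) > max_skew]

def constructed_reply(unix_time):
    """Constructed sample: a minimal stratum-2 server reply stamped unix_time."""
    sec, frac = int(unix_time) + NTP_DELTA, int(unix_time % 1 * 2**32)
    return bytes([0x24, 2]) + 30 * b"\0" + struct.pack("!II", sec, frac) * 2

if __name__ == "__main__":
    # Offline demo with constructed replies; on a real network use
    # query_offset("kdc.example.com") (placeholder host name) instead.
    now = time.time()
    offsets = {"client": 0.0,
               "kdc": sntp_offset(constructed_reply(now + 400), now, now),
               "service": sntp_offset(constructed_reply(now - 20), now, now)}
    print(skewed_pairs(offsets))
```

Offsets are measured from the machine running the script, so that machine is entered with offset 0; any pair reported needs its clocks corrected before Kerberos authentication is retried.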
214 Chapter 10 Solving Open Directory Problems