Chapter 10 Solving Open Directory Problems 215
• For information that can help you solve problems, see the KDC log. Also see
“Viewing Open Directory Status and Logs” on page 181.
• If Kerberos was not running when user records were created, imported, or updated from
an earlier Mac OS X version, they might not be enabled for Kerberos authentication:
  • A record isn’t enabled for Kerberos if its authentication authority attribute lacks
  the ;Kerberosv5; value. Use the Inspector in Workgroup Manager to see the values
  of a user record’s authentication authority attribute. For more information, see
  “Showing the Directory Inspector” on page 182.
  • Enable Kerberos for a user record by changing its password type. First set
  the password type to Crypt Password, then set it back to Open Directory. For more
  information, see “Changing the Password Type to Crypt Password” on page 109
  and “Changing the Password Type to Open Directory” on page 107.
• If users can’t authenticate using single sign-on or Kerberos for services provided by
a server that is joined to an Open Directory master’s Kerberos realm, the server’s
computer record might be incorrectly configured in the Open Directory master’s
LDAP directory. The server’s name in the computer group account must be the
server’s fully qualified DNS name, not just the server’s host name. For example, the
name could be server2.example.com but not just server2.
To reconfigure a server’s computer record for single sign-on Kerberos authentication:
1 Delete the server from the computer group account in the LDAP directory.
For more information about this and the next step, see User Management.
2 Add the server to the computer group again.
3 Delegate authority again for joining the server to the Open Directory master’s
Kerberos realm.
For more information, see “Delegating Authority to Join an Open Directory Kerberos
Realm” on page 100.
4 Rejoin the server to the Open Directory Kerberos realm.
For more information, see “Joining a Server to a Kerberos Realm” on page 102.
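The two conditions described above (a user record missing the ;Kerberosv5; authentication authority value, and a computer record named with a bare host name instead of a fully qualified DNS name) can be checked from the command line as well as in Workgroup Manager’s Inspector. The script below is an added example and is not part of the Apple guide. It runs against constructed dscl-style output embedded in the script so it works offline; the node path /LDAPv3/127.0.0.1, the user alice, the computer server2, the realm EXAMPLE.COM, the host od.example.com and every key and ID value are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the Apple guide. Two checks for the conditions the
# troubleshooting text describes, run here against constructed dscl-style
# output so the script works offline. On an Open Directory master you would
# feed in real output, for example (node path and record names are assumptions):
#   dscl /LDAPv3/127.0.0.1 -read /Users/alice AuthenticationAuthority
#   dscl /LDAPv3/127.0.0.1 -read /Computers/server2 RecordName

# Constructed sample: a user record with only a Password Server authority,
# as you would see if Kerberos was not running when the record was created.
USER_NO_KRB='AuthenticationAuthority:
 ;ApplePasswordServer;0x4a0b1c2d3e4f5a6b0000000000000001,1024 35 1234567890 root@od.example.com:10.0.0.5'

# Constructed sample: the same record after the Crypt Password -> Open
# Directory password-type change, now carrying a ;Kerberosv5; value.
USER_KRB='AuthenticationAuthority:
 ;ApplePasswordServer;0x4a0b1c2d3e4f5a6b0000000000000001,1024 35 1234567890 root@od.example.com:10.0.0.5
 ;Kerberosv5;;alice@EXAMPLE.COM;EXAMPLE.COM;1024 35 9876543210 root@od.example.com:10.0.0.5'

# kerberos_enabled ATTRIBUTE_OUTPUT
# Exit 0 if any authentication authority value carries the ;Kerberosv5; tag,
# 1 otherwise. The semicolons are part of the match, so the tag must appear
# as a whole field, not merely the word "Kerberos" somewhere in a value.
kerberos_enabled() {
    printf '%s\n' "$1" | grep -q ';Kerberosv5;'
}

# is_fqdn NAME
# Exit 0 if NAME is a fully qualified DNS name: two or more labels separated
# by single dots, each label made of letters, digits and hyphens and not
# starting or ending with a hyphen. A bare host name such as "server2" fails.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# check LABEL COMMAND [ARGS...]
# Run a check and print a PASS/FAIL line; the if-condition keeps a failing
# check from aborting the script when it is run under set -e.
check() {
    label=$1
    shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# Demonstration on the constructed data.
check "user record before password-type change has ;Kerberosv5;" kerberos_enabled "$USER_NO_KRB"
check "user record after password-type change has ;Kerberosv5;"  kerberos_enabled "$USER_KRB"
check "computer record name 'server2' is fully qualified"          is_fqdn "server2"
check "computer record name 'server2.example.com' is fully qualified" is_fqdn "server2.example.com"
```

On a real master, pipe the output of the dscl commands shown in the comments into kerberos_enabled and is_fqdn in place of the constructed strings; a FAIL from the first check points at the password-type change described above, and a FAIL from the second at the computer-record procedure.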