Specifications

If Users Can’t Change Their Passwords
Users whose accounts reside in an LDAP directory not hosted by Mac OS X Server and
who have a password type of crypt password cannot change their passwords after
logging in from a client computer with Mac OS X v10.3.
These users can change their passwords if you use Workgroup Manager’s Advanced
pane to change their accounts’ User Password Type setting to Open Directory.
When you make this change, you must also enter a new password. Then instruct
users to log in using this new password and change it in the Accounts pane of
System Preferences.
If You Can’t Join a Server to an Open Directory Kerberos Realm
If a user with delegated Kerberos authority can’t join a server to an Open Directory
master’s Kerberos realm, the server’s computer record might be incorrectly configured
in the Open Directory master’s LDAP directory.
The server’s address in the computer group account must be the server’s primary
Ethernet address. The primary Ethernet address is the Ethernet ID of the first Ethernet
port in the list of network port configurations shown in the server’s Network
preferences pane.
To reconfigure a server’s computer record for joining a Kerberos realm:
1 Delete the server from the computer group account in the LDAP directory.
For more information about this and the next step, see User Management.
2 Add the server to the computer group again.
3 Delegate authority again for joining the server to the Open Directory master’s
Kerberos realm.
Skip this step if you can use a Kerberos administrator account (LDAP directory
administrator account) to rejoin the server to the Kerberos realm.
For more information, see “Delegating Authority to Join an Open Directory Kerberos
Realm” on page 100.
4 Rejoin the server to the Open Directory Kerberos realm.
For more information, see “Joining a Server to a Kerberos Realm” on page 102.