Specifications

122 Chapter 8 Maintenance and Problem Solving
Solving Authentication Problems
You can solve some common problems with authentication services.
A User’s Password Can’t Be Modified
Before you can modify the password of a user whose password is authenticated by
Open Directory, you must be an administrator of the directory domain in which the
user's record resides. In addition, your user account must be configured for Open
Directory authentication.
A User Can’t Authenticate for VPN Service
Users whose accounts are stored on a server with Mac OS X Server version 10.2 can’t
authenticate for VPN service provided by Mac OS X Server version 10.3 or later. VPN
service requires the MS-CHAPv2 authentication method, which isn’t supported in
Mac OS X Server version 10.2. To enable the affected users to log in, you can move their
user accounts to a server with Mac OS X Server version 10.3 or later. Alternatively, you
can upgrade the older server to Mac OS X Server version 10.3 or later.
A User’s Password Type Can’t Be Changed to Open Directory
Before you can modify a user account to use Open Directory authentication, you must
be an administrator of the directory domain in which the user's record resides. In
addition, your user account must be configured for Open Directory authentication.
Kerberos Users Can’t Authenticate
When a user or service that uses Kerberos experiences authentication failures, try these
techniques:
Kerberos behavior is based on encrypted time stamps. If there's more than a five-minute
difference between the KDC, client, and service computers, authentication
may fail. Make sure that the clocks for all computers are synchronized using a
network time server.
If Kerberos is being used, make sure that Kerberos authentication is enabled for the
service in question.
If a Kerberos server used for password validation is not available, reset the user's
password to use a server that is available.
Make sure that the server providing the Kerberized service has access to directory
domains containing accounts for users who are authenticated using Kerberos. One
way to do this is to use a shared directory domain on the KDC server that hosts user
records that correspond to all the user principals.
Refer to the KDC log (kdc.log) for information that can help you solve problems.
Incorrect setup information such as wrong configuration file names can be detected
using the logs.
Make sure all your configuration files are complete and correct. For example, make
sure the keytab file on your server has the principals of interest in it.
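Two of the checks above (the five-minute clock tolerance and the keytab containing the expected principals) can be scripted as a pre-flight test. The following is an added example, not part of the original guide; the `klist -k` output it parses is a constructed sample, and the principal names and realm are assumptions.

```python
"""Kerberos pre-flight checks: clock skew and keytab contents.

Added example (not from the guide). The klist output below is constructed
to look like MIT-style `klist -k` output; principal names are assumptions.
"""
from datetime import datetime, timezone
import re

MAX_SKEW_SECONDS = 300  # the five-minute tolerance mentioned in the text


def clock_skew_ok(local_time: datetime, kdc_time: datetime,
                  max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """True if the client/service clock is within tolerance of the KDC clock."""
    return abs((local_time - kdc_time).total_seconds()) <= max_skew


# Constructed sample of `klist -k` output (KVNO column, then principal).
SAMPLE_KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------------
   3 afpserver/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM
"""


def keytab_principals(klist_output: str) -> set:
    """Extract principal names from `klist -k` style output."""
    found = set()
    for line in klist_output.splitlines():
        # A keytab entry line is: <kvno> <principal@REALM>
        m = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found


def missing_principals(klist_output: str, required: list) -> list:
    """Return the required service principals that are not in the keytab."""
    present = keytab_principals(klist_output)
    return sorted(p for p in required if p not in present)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("clock ok:", clock_skew_ok(now, now))
    print("missing:", missing_principals(
        SAMPLE_KLIST_OUTPUT,
        ["afpserver/server.example.com@EXAMPLE.COM",
         "vpn/server.example.com@EXAMPLE.COM"]))
```

In practice, feed `keytab_principals` the real output of `klist -k` on the server and compare the clock against the time server used by the KDC.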
LL2352.Book Page 122 Friday, August 22, 2003 3:12 PM