Posts Tagged ‘Open Directory’

Re-building the kerberos database on OS X 10.6 server.

May 12th, 2010

I had a problem with a testing server earlier today where the kerberos database had become corrupt. For any users on my Open Directory Master the kerberos passwords were flagged as incorrect, and changing them from work group manager had no effect. Changing them from the command line was not an option as this relies on knowing the users original password – which was corrupt.

The kerberos service can be restarted by greping the output of the ‘ps aux’ command for the kerberos process, (usually named ‘krd5kdc’) and then issuing a kill command against its PID. The service will then automatically restart.

ps aux | grep krd
kill kerberos_PID

This slightly improved the problem as it allowed newly created users to use kerberos with their correct password.

Re-building the kerberos database is done with the following command:

slapconfig -kerberize -f diradmin

This needs to be run as root, either directly of via sudo. The -f flag forces the current set up to be over written.
I would recommend taking a full backup of your users and groups, as well as an archive of your Open Directory server from server admin. Stopping any services that rely on kerberos would also be a good idea.

Re-building the kerberos database from scratch.

If neither of the above options worked then it is possible to rebuild your kerberos database from scratch – nuking your old database. This would also be necessary if you are changing the the Kerberos Domain, however don’t forget that if doing this you would also have to change the search path in all your LDAM and Password Server databases.

To completely rebuild kerberos.

1) Stop the OD Service.
2) Log into a shell as root and run the following command:

sso_util remove -k 0a diradmin -p your_diradmin_password -r your_kerberos_realm

3) Remove the following files and directories from your system:

/var/db/krb5kdv/
/Library/Preferences/edu.mit.Kerberos
/etc/krb5.keytab

4) Run the following set of commands as root:

dscl 127.0.0.1
cd /LDAPv3/127.0.0.1/Config/
auth diradmin (and enter your diradmin password)
delete KerberosKDC
delete KerberosClient
quit

5) find and kerberos process (krb5kdc) and kadmind processed and kill them, (as shown above).
6) Re-build your kerberos database:

slapconfig -kerberize diradmin

Testing Kerberos:

You can check if the users’ passwords are now being accepted using the ‘kpasswd’ command. The ‘kinit’ command can also be used to test creating a kerberos ticket.

14 comments »

Posted in ICT, OS X Server, sysadmin

Tags: