Locked Out of Leopard Server: Fixing the Workgroup Manager Problem
I booted up my Leopard server yesterday to discover that my directory administrator account — that’s the one used to authenticate to /LDAP/127.0.0.1 in Workgroup Manager — appeared to be broken. It looked as if I was locked out, as if I had forgotten my password. I knew that I hadn’t forgotten my password, and I verified that by logging into the directory using ldapsearch. However, Workgroup Manager insisted, “login information not valid for this server”.
I worked on it for a while, sifting through log files and Googling for answers, but ran out of time for the evening: I was almost late for American Gangster. To my surprise, when I booted up Leopard server today, it worked. To confirm my sanity, I rebooted again: this time, no dice. So there was some kind of random failure happening. After some hunting around, I noticed a single entry in slapd.log:
slapd[40]: SASL [conn=9] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
Google found me the explanation, in the Kerberos FAQ:
In general, this means that the encryption key stored in a keytab doesn’t match the key stored in the KDC for a particular principal. As mentioned above, generating a new key will fix this problem.
I listed my keytab:
sudo klist -kt
I looked for entries that begin with “host/myserver…” and “ldap/myserver…”, where “myserver” is the fully qualified domain name (FQDN) of my OS X Server. I discovered that there were 6 entries in the keytab file for the host principal and 6 for the ldap principal; normally there are 3 of each (one entry for each of 3 different encryption types). So at least one of the entries for each principal matched the key in my KDC; sometimes it picked the right one, but usually it didn’t.
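As an added example (not from the original post), here is a small POSIX shell check that reads klist -kt output and reports any principal carrying more keytab entries than expected, along with the KVNOs involved. The sample klist output embedded in it is constructed: it reuses the post's principal names, but the timestamps and KVNOs are made up.

```shell
#!/bin/sh
# Added example, not from the original post: scan `klist -kt` output for service
# principals that have more keytab entries than expected. A healthy keytab here
# holds one entry per encryption type (3 in the post); extra entries are stale
# keys that no longer match the KDC and produce "Decrypt integrity check failed".

# Constructed sample klist -kt output (timestamps and KVNOs are made up):
# host/ carries 6 entries across two KVNOs, ldap/ the expected 3.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/20/08 10:00:00 host/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA
   2 01/20/08 10:00:00 host/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA
   2 01/20/08 10:00:00 host/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA
   3 01/22/08 09:30:00 host/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA
   3 01/22/08 09:30:00 host/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA
   3 01/22/08 09:30:00 host/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA
   3 01/22/08 09:30:00 ldap/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA
   3 01/22/08 09:30:00 ldap/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA
   3 01/22/08 09:30:00 ldap/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA'

# find_overloaded_principals EXPECTED < klist-output
# Prints "principal entries=N kvnos=a,b" for each principal with more than
# EXPECTED entries, sorted so the output is stable for scripting.
find_overloaded_principals() {
  awk -v expected="$1" '
    # Data rows start with a numeric KVNO; header and separator rows do not.
    $1 ~ /^[0-9]+$/ {
      p = $NF; count[p]++
      if (!((p, $1) in seen)) {
        seen[p, $1] = 1
        kvnos[p] = (kvnos[p] == "") ? $1 : kvnos[p] "," $1
      }
    }
    END {
      for (p in count)
        if (count[p] > expected)
          printf "%s entries=%d kvnos=%s\n", p, count[p], kvnos[p]
    }' | sort
}

# Stand-alone run against the constructed sample.
# On a real box: sudo klist -kt | find_overloaded_principals 3
printf '%s\n' "$SAMPLE_KLIST" | find_overloaded_principals 3
```

A principal that shows up with several KVNOs is the keytab equivalent of the symptom in the post: only the entries matching the KDC's current key can decrypt tickets, so which one slapd happens to use decides whether the login works.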
As the FAQ says, the solution is to generate new keytab keys. To do that, the old ones must be deleted, and new ones created, using kadmin.local:
[root:~]# kadmin.local
Authenticating as principal root/admin@LEOPARDSERVER.NETMOJO.CA with password.
kadmin.local: ktremove host/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA all
kadmin.local: ktremove ldap/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA all
kadmin.local: ktadd host/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA
kadmin.local: ktadd ldap/leopardserver.netmojo.ca@LEOPARDSERVER.NETMOJO.CA
Last but not least, destroy cached tickets with kdestroy:
kdestroy -a
After that, authentication automagically started working again, consistently.
Tags: Kerberos, Leopard-Server, Mac-OS-X, Sysadmin

January 23rd, 2008 at 1:05 pm
What fixed it for me was running the command “slaptest” as root and then restarting the service.