Wednesday, October 29, 2008

User can't log into a bound Mac (cont...)

On a problem Mac, check whether the edu.mit.kerberos file has been reverted to the default. We’ve been seeing machines overwrite our custom file and replace it with a default one. If the file has been changed, try this:

In the default file, look for the line that says [libdefaults]. Chances are the only thing under it will be “dns_fallback = no”, or it could give you a realm list. Either way, cut and paste everything under the [libdefaults] line from your modified edu.mit.kerberos file. Don’t replace the Kerberos file this time: cut and paste into it.

After you have done this, go to /System/Library/CoreServices/Kerberos.app and delete any Kerberos tickets you find.

Restart and try to log in again.
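
One way to check a machine for the overwrite described above, as an added example that is not from the original post: it compares the [libdefaults] section of the live Kerberos file with a saved known-good copy. The function names, file paths and sample contents (including default_realm = EXAMPLE.EDU) are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift in the [libdefaults] section of a Kerberos
# config by comparing it with a known-good copy. Paths come from the caller.

# Print the normalised body of [libdefaults] in file $1: comments and blank
# lines dropped, whitespace trimmed, spacing around the first "=" unified.
libdefaults_body() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        in_sec && !/^[ \t]*[#;]/ && !/^[ \t]*$/ {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            sub(/[ \t]*=[ \t]*/, " = ")
            print
        }
    ' "$1" | sort
}

# Return 0 if the sections match, 1 if they differ. Differences are printed
# in diff format: "<" lines exist only in the known-good copy.
check_libdefaults() {
    good=$1 live=$2
    tmp_good=$(mktemp) && tmp_live=$(mktemp) || return 2
    libdefaults_body "$good" > "$tmp_good"
    libdefaults_body "$live" > "$tmp_live"
    if diff "$tmp_good" "$tmp_live"; then rc=0; else rc=1; fi
    rm -f "$tmp_good" "$tmp_live"
    return $rc
}

# Constructed sample files (not taken from a real machine).
demo=$(mktemp -d)
cat > "$demo/good" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.EDU
    dns_fallback = no
[realms]
    EXAMPLE.EDU = { kdc = dc1.example.edu }
EOF
printf '[libdefaults]\n\tdns_fallback = no\n' > "$demo/reverted"

if check_libdefaults "$demo/good" "$demo/reverted"; then
    echo "libdefaults unchanged"
else
    echo "libdefaults drifted: re-paste the section from the known-good copy"
fi
```
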

On a problem Mac you could also try stopping and restarting directory services:

sudo killall DirectoryService

The service will start again automatically.

Then check that AD is in the search path:

dscl /Search -read / CSPSearchPath SearchPolicy

It should return:

/Local/Default
/BSD/local
/Active Directory/All Domains

Lastly, if you are still having problems, turn on Directory Services logging at startup:

sudo killall -USR1 DirectoryService
sudo touch /Library/Preferences/DirectoryService/.DSLogDebugAtStart

After the restart the logs can be found in:

/Library/Logs/DirectoryService/DirectoryService.debug.log
