Kerberos keytab error when trying to join Kerberos…
This topic has 5 replies, 3 voices, and was last updated 15 years, 11 months ago by s_bennett.
March 30, 2009 at 3:13 pm #375839
theboyk (Participant)

Hello.
I have one Xserve running as an OD Master, running 10.5.6 Server.
I have a second Xserve, also running 10.5.6 Server set up with OD role “Connected to a Directory System” (with Directory System being the first Xserve). But, when, on the second Xserve, I try and “Join Kerberos…” and I fill in the following info:
REALM: xserve001.domain.com
Administrator Name: shortname of directory admin
Password: password of directory admin
When I click “OK”, I get the following error:
Kerberos keytab error
Error while creating the Kerberos keytab file for this server.
Does anyone know what I’m doing wrong?
This second Xserve USED to be a replica of the OD Master, but it was demoted to Stand Alone, then set to “Connected to a Directory System” — could this have anything to do with the error?
Thanks,
Kristin.

May 7, 2009 at 5:24 pm #376133
s_bennett (Participant)

I’m having the exact same problem (same OS revision also). Does anyone have other ideas? Moving the /etc/krb5.keytab file did not seem to help.
On the OD Master side, I’m also getting an error when I attempt to delegate authority to join a kerberos domain.
From server admin, I go to the OD Master -> Open Directory -> General pane and click on add kerberos record…in the pop up window I enter:
directory admin / pw for Administrator name and password,
OD computer record name for “Configuration Record Name”
user shortname for “delegated administrators”
This returns:
“Unable to create Kerberos service principals for the Kerberos configuration record.”
I’ve checked and double checked DNS: forward and reverse lookups work for both OD Master and the member server I want to join.
Also the configuration record name in OD matches DNS (in the form “hostname$” which I think is normal for OD).
I get this chunk of information in the kerberos server log when I attempt to add a record:
May 07 10:12:05 my.odmaster.server krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xxx.xxx.xxx: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
May 07 10:12:05 my.odmaster.server krb5kdc[13728](debug): handling authdata
May 07 10:12:05 my.odmaster.server krb5kdc[13728](debug): handling authdata
May 07 10:12:05 my.odmaster.server krb5kdc[13728](debug): .. .. ok
May 07 10:12:05 my.odmaster.server krb5kdc[13728](debug): .. .. ok
May 07 10:12:05 my.odmaster.server krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xxx.xxx.xxx: ISSUE: authtime 1241716325, etypes {rep=16 tkt=16 ses=16}, [email protected] for kadmin/[email protected]
May 07 10:12:05 my.odmaster.server krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xxx.xxx.xxx: ISSUE: authtime 1241716325, etypes {rep=16 tkt=16 ses=16}, [email protected] for kadmin/[email protected]
I’m not exactly sure if the two problems are related but getting my member servers to join the existing kerberos realm would be really nice…
UPDATE:
running this command on the xserve I want to join to the kerberos realm:
command: sso_util configure -r MY.KERBEROS.REALM -a odadmin -p ***** all
results in this:
Contacting the directory server
Creating the service list
Creating the service principals
kadmin: Communication failure with server while initializing kadmin interface
2009-05-07 11:29:37 -0700 – sso_util command failed with status 2
so I check the OD master and while kadmin.local works, I can’t access kadmin from the command line.
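The krb5kdc excerpt above is worth reading closely: an AS_REQ that first returns NEEDED_PREAUTH and then ISSUE for the same client and the kadmin service is the normal two-step password login, so the KDC accepted the admin’s password and handed out a ticket for kadmin; the failure happens afterwards, when talking to the kadmin server itself. The script below is an added example, not something posted in this thread: it summarises krb5kdc AS_REQ lines into “client service outcome” and answers whether a given client actually got a ticket for a service. The sample log, realm, principals and addresses are constructed placeholders in the same shape as the thread’s excerpt.

```shell
#!/bin/sh
# Added example, not from the thread. Triage krb5kdc log lines: for every AS_REQ
# entry print "client service outcome", so it is obvious whether the admin
# principal actually received a ticket for the kadmin service.

kdc_as_req_summary() {
  awk '
    # MIT krb5kdc AS_REQ lines carry "CLIENT for SERVICE" after the outcome keyword.
    /AS_REQ/ && match($0, /[^ ,]+ for [^ ,]+/) {
      pair = substr($0, RSTART, RLENGTH)
      split(pair, p, " for ")
      if      ($0 ~ /NEEDED_PREAUTH/)   outcome = "NEEDED_PREAUTH"   # first leg of a password login
      else if ($0 ~ /ISSUE:/)           outcome = "ISSUE"            # ticket granted
      else if ($0 ~ /PREAUTH_FAILED/)   outcome = "PREAUTH_FAILED"   # wrong password or key
      else if ($0 ~ /CLIENT_NOT_FOUND/) outcome = "CLIENT_NOT_FOUND" # principal missing from the KDC
      else                              outcome = "OTHER"
      print p[1], p[2], outcome
    }
  ' "$@"
}

# Exit 0 if LOGFILE shows at least one successful AS_REQ (ISSUE) for CLIENT -> SERVICE.
# Usage: kdc_issued_for LOGFILE CLIENT SERVICE
kdc_issued_for() {
  kdc_as_req_summary "$1" |
    awk -v c="$2" -v s="$3" '$1 == c && $2 == s && $3 == "ISSUE" { found = 1 } END { exit !found }'
}

# Constructed sample log mirroring the thread's krb5kdc excerpt; hostname, realm,
# principals and addresses are placeholders, not real values.
SAMPLE_KDC_LOG=$(mktemp)
cat > "$SAMPLE_KDC_LOG" <<'EOF'
May 07 10:12:05 odmaster.example.com krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: diradmin@EXAMPLE.REALM for kadmin/admin@EXAMPLE.REALM, Additional pre-authentication required
May 07 10:12:05 odmaster.example.com krb5kdc[13728](debug): handling authdata
May 07 10:12:05 odmaster.example.com krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1241716325, etypes {rep=16 tkt=16 ses=16}, diradmin@EXAMPLE.REALM for kadmin/admin@EXAMPLE.REALM
May 07 10:12:06 odmaster.example.com krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: CLIENT_NOT_FOUND: nobody@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM, Client not found in Kerberos database
EOF

kdc_as_req_summary "$SAMPLE_KDC_LOG"
if kdc_issued_for "$SAMPLE_KDC_LOG" diradmin@EXAMPLE.REALM kadmin/admin@EXAMPLE.REALM; then
  echo "KDC issued a kadmin ticket to diradmin: the password is fine, look at the kadmin side next"
fi
```

Run it against the real file with `kdc_as_req_summary /var/log/krb5kdc/kdc.log` (path as an assumption; use wherever the KDC writes on your server). A client that reaches ISSUE for kadmin/admin has authenticated; if that client then gets “Communication failure with server” from kadmin, the KDC is not the component to keep debugging.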
May 8, 2009 at 4:23 pm #376140
s_bennett (Participant)

here’s what I get when listing running processes:
44 ?? 0:00.90 /usr/sbin/kadmind -passwordserver -nofork
and invoking kadmin from the command line results in this:
Authenticating as principal “mydirectoryadmin”/[email protected] with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
From the kadmin log:
“No dictionary file specified, continuing without one.”
- only entry listed but I think this is just a notification
I’m learning more than I ever wanted to know about kerberos. I’m not sure what the “client not found” message means.
The admin principal does exist in the kerberos database….
Thanks for reading.
May 12, 2009 at 12:19 am #376154
s_bennett (Participant)

Update:
got kadmin running. There were a couple of issues, the primary one being that the config file that OS X spits out when creating the OD master (/Library/Preferences/edu.mit.Kerberos) was not correct: it had one of the OD replicas I’d configured as the “admin” server. I wish Apple’s docs would point out more clearly that realms can be edited via the Kerberos utility app. I found this article to be very useful if anyone else is new to this and having trouble: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences-osx.html#config
After tweaking the config settings, executing sudo kadmin -p "directoryadmin" gets me to the kadmin prompt successfully.
Now, in the server admin app I can “add a kerberos record” on the OD -> settings main pane.
However, attempting to join a server to the kerberos realm still fails after I’ve added a kerberos record on the OD Master to delegate join authority for an admin.
It returns an invalid username or password error (despite the fact that the user principal does exist and can get tickets issued from the KDC).
On the member server attempting the join there are no new kadmin or krb5kdc log entries generated after this action.
Hope that all made sense, thanks for reading.
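The fix s_bennett found (the generated edu.mit.Kerberos file named an OD replica rather than the OD master as the admin server) is easy to verify before opening the Kerberos utility. The script below is an added example, not from the thread or from Apple’s tooling: it reads the [realms] stanza of an MIT-style Kerberos config (the format used by /Library/Preferences/edu.mit.Kerberos and /etc/krb5.conf), prints the kdc and admin_server entries for a realm, and flags an admin_server whose host is not the one you expect. The sample config, realm and hostnames are constructed placeholders; the admin_server line deliberately points at a replica to reproduce the thread’s situation.

```shell
#!/bin/sh
# Added example, not from the thread. Report which hosts a krb5-style config names
# as kdc and admin_server for a realm, and flag an admin_server that is not the
# expected host. kadmin (and the GUI "Join Kerberos..." that drives it) talks to
# admin_server, so a config that names a replica there fails even though the KDC
# happily issues tickets.

# Print every value of KEY inside the [realms] stanza for REALM.
# Usage: realm_setting CONFIG_FILE REALM KEY
realm_setting() {
  awk -v realm="$2" -v key="$3" '
    /^\[/ { in_realms = ($0 == "[realms]"); in_realm = 0; next }  # section header
    in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_realm = 1; next }
    in_realm && $1 == "}" { in_realm = 0; next }                  # end of this realm
    in_realm && $1 == key && $2 == "=" { print $3 }
  ' "$1"
}

# Exit 0 when the admin_server host (port stripped) for REALM equals EXPECTED_HOST.
# Usage: check_admin_server CONFIG_FILE REALM EXPECTED_HOST
check_admin_server() {
  actual=$(realm_setting "$1" "$2" admin_server | head -n 1)
  host=${actual%%:*}
  if [ -n "$host" ] && [ "$host" = "$3" ]; then
    echo "ok: admin_server for $2 is $actual"
    return 0
  fi
  echo "mismatch: admin_server for $2 is '${actual:-unset}', expected host $3"
  return 1
}

# Constructed sample config in the MIT [realms] layout; realm and hostnames are
# placeholders. admin_server points at the replica on purpose.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.REALM

[realms]
    EXAMPLE.REALM = {
        kdc = odmaster.example.com:88
        kdc = odreplica.example.com:88
        admin_server = odreplica.example.com:749
    }

[domain_realm]
    .example.com = EXAMPLE.REALM
EOF

echo "kdc entries for EXAMPLE.REALM:"
realm_setting "$SAMPLE_CONF" EXAMPLE.REALM kdc
check_admin_server "$SAMPLE_CONF" EXAMPLE.REALM odmaster.example.com || true
```

On a real server run `check_admin_server /Library/Preferences/edu.mit.Kerberos YOUR.REALM your-od-master-hostname` (realm and hostname as assumptions for your site). A mismatch here explains a kadmin “Communication failure with server” while kinit and kadmin.local keep working, and is fixed by editing the realm in the Kerberos utility app as described above.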