10.6 OD, DNS checks out OK but Kerberos has stopped

  • #381127
    BradHowe
    Participant

    Hi
    I have an OS X.6 server on which I’m running Open Directory. In Server Admin, under Overview, Kerberos is showing as stopped.
    I can see the Kerberize button, but it doesn’t seem to accept the credentials I’m feeding it. In the Configuration log I see:

    2011-08-28 00:00:16 +0100 – slapconfig -kerberize
    2011-08-28 00:00:16 +0100 – Error: Incorrect username or password. You must enter a directory domain administrator username and password.

    The Kerberos server log includes these two entries:
    Aug 24 17:27:45 odmaster.gp.lan krb5kdc[45](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.17.28.2: ISSUE: authtime 1314203265, etypes {rep=18 tkt=16 ses=18}, [email protected] for krbtgt/[email protected]
    Aug 24 17:27:52 odmaster.gp.lan krb5kdc[45](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.17.28.2: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required

    In WorkGroup Manager, I can’t authenticate as diradmin when I try and connect, but after authenticating with the server admin account I can unlock the directory with the diradmin credentials.

    changeip -checkhostname checks out OK.
    host gives me the expected result whether I feed it the IP or the FQDN.

    If I demote to a standalone server and promote back to an OD Master, everything seems to be in working order. Then I import the archive I did before demotion and then Kerberos stops again.
    Same result if I reinstall the OS from scratch.

    I guess, then, that something that ends up in the archive is tripping me up. Any idea how to troubleshoot/figure out which bit?
    Or, is there a way to export Users and Groups with passwords intact in a way that I can re-import them after the Standalone-Master shuffle?
