Another client bind failure

    #378128
    martinh
    Participant

    (My binding problem seems different enough from the one just posted, that I’ve posted as a new topic.)

    I have one 10.6.2 client that was once bound to our 10.6.2 OD master. After unbinding it following a re-build from scratch of the OD master (one of many in a very frustrating series of learning experiments!), I can no longer bind it. Whether using Directory Utility or dsconfigldap, I get “Invalid credentials supplied for binding to the server”, even though I am using the correct diradmin username/password, which works on other clients.

    I have rebuilt my client’s local Kerberos, using the following steps:

    Delete 3 Kerberos items in Keychain Access.
    [code]# remove the client's local KDC database, then recreate it
    sudo rm -rf /var/db/krb5kdc
    sudo /usr/libexec/configureLocalKDC[/code]

    No help.

    I have even done a clean install of 10.6 client on an external drive and booted from that drive. It gets the same invalid credentials error when attempting to bind to OD master during OS installation, and, after applying all patches to 10.6.2, when attempting the bind through Directory Utility or dsconfigldap.

    Server Admin on OD master shows no computers with my client’s name, so there does not appear to be a name conflict.

    I am at my wit’s end. Can anyone help?

    ———-
    Here is the output from dsconfigldap:

    [code]MyClient:~ user$ sudo dsconfigldap -f -a mymaster.fqdn.com -c MyClient -u myODadmin -p myODadminpassword -v

    dsconfigldap verbose mode
    Options selected by user:
    Force authenticated (un)binding option selected
    Add server option selected
    Server name provided as
    Computer ID provided as
    Network username provided as
    Network user password provided as
    Local username determined to be

    Step 1 – Server Information Discovery
    Status: Success – Server Responded.

    Step 2 – Validating Record/Attribute Mapping
    Status: Success – Valid Record/Attribute Mapping

    Step 3 – Detecting Required Security Levels and Binding requirements
    Status: Success

    WARNING: No Security Levels configured by Administrator!

    Your LDAP server supports Secure authentication.

    Directory Binding is ENABLED and REQUIRED.

    Step 4 – Attempting to bind computer as MyClient
    Status: Failed – Invalid credentials.

    Invalid credentials supplied for binding to the server[/code]
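
The transcript above is easier to triage once it is split into its numbered steps: steps 1 to 3 succeeding means the server answered and the mappings were valid, so the "Invalid credentials" failure belongs to the authenticated bind in step 4, which is exactly what the binding policies on the master control. The following Python helper is an added example, not code from the original post or from Apple; it parses `dsconfigldap -v` output and runs on a constructed sample modelled on the transcript (MyClient is a placeholder name).

```python
import re

# Constructed sample of `dsconfigldap -v` output, modelled on the post above.
SAMPLE_OUTPUT = """\
dsconfigldap verbose mode
Step 1 - Server Information Discovery
Status: Success - Server Responded.
Step 2 - Validating Record/Attribute Mapping
Status: Success - Valid Record/Attribute Mapping
Step 3 - Detecting Required Security Levels and Binding requirements
Status: Success
WARNING: No Security Levels configured by Administrator!
Directory Binding is ENABLED and REQUIRED.
Step 4 - Attempting to bind computer as MyClient
Status: Failed - Invalid credentials.
"""

# The tool prints the separator as an en dash; a plain hyphen is accepted too.
STEP_RE = re.compile(r"^Step (\d+) [-\u2013] (.+)$")
STATUS_RE = re.compile(r"^Status: (Success|Failed)(?: [-\u2013] (.*))?$")


def parse_dsconfigldap(text):
    """Split verbose output into numbered steps, warnings and policy flags."""
    result = {"steps": [], "warnings": [], "binding_required": False}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STEP_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "name": m.group(2),
                       "status": None, "detail": ""}
            result["steps"].append(current)
            continue
        m = STATUS_RE.match(line)
        if m and current is not None:
            current["status"] = m.group(1)
            current["detail"] = (m.group(2) or "").rstrip(".")
        elif line.startswith("WARNING:"):
            result["warnings"].append(line[len("WARNING:"):].strip())
        elif line == "Directory Binding is ENABLED and REQUIRED.":
            result["binding_required"] = True
    # The first failed step tells you how far the bind got: a failure at
    # step 4 after steps 1-3 succeeded means the server was reachable and the
    # mappings were valid, so the problem is the authenticated bind itself.
    result["first_failure"] = next(
        (s["number"] for s in result["steps"] if s["status"] == "Failed"), None)
    return result
```

Feed it the captured output of your own `sudo dsconfigldap ... -v` run (stdout and stderr together) in place of the sample.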

    #378130
    sunnyape
    Participant

    It looks like your issue is to do with the configuration of your OD server.

    In the Settings / Policies / Binding, check you have ‘Enable authenticated directory binding’ turned on and you don’t have the ‘Disable clear text passwords’ turned on. Using the ‘Require authenticated binding between directories and clients’ is optional, but leave it off while you are testing.

    #378131
    martinh
    Participant

    I appear to have solved my own problem.

    I encountered what appeared to be an unrelated problem after posting this morning:
    Workgroup Manager on the OD master suddenly stopped accepting the diradmin authentication and I couldn’t edit user or group records.

    I followed suggestions I found at http://discussions.apple.com/thread.jspa?messageID=6664275 to resolve this problem. Specifically, in Server Admin/Open Directory/Settings/Policies/Binding, I unchecked 3 of the 4 security settings I’d turned on (leaving only Disable clear text passwords checked) and then re-booted the OD Master. This allowed me to again authenticate to WGM as diradmin.

    I then re-booted the client that had not been able to bind (I did first do a Disk Utility – Repair permissions, but don’t know if that helped), and, lo and behold, I was now able to bind to the OD master.

    I don’t like not really understanding exactly what’s going on here, and I’m uneasy about turning off some of those security settings, but at least I’m back in business.

    And, thanks sunnyape. I think you were posting just as I was.
