I think I'm having the same problem that was discussed in this thread, but I need a real solution that tells me what's going wrong, not a workaround using .local. I think my setup may be a bit different:
I'm testing 10.4.2 Server. At the moment it's set up as a NAT gateway (2 Ethernet ports). It's running DNS, but mostly as a forwarder to our real LAN's DNS server. I did, however, add a non-existent zone (test.bed) just so I could experiment. The server's FQDN for the internal-side IP is main.test.bed (the external IP also has an FQDN, but in a different domain).
When I created the Open Directory, I set the Kerberos realm to MAIN.TEST.BED and the search base to dc=test,dc=bed. This was not the default (those used the FQDN for the external IP). I am able to bind a client computer using Directory Access, but when I reboot the client it can't actually connect to the directory. I get this message in the client's system.log:
DirectoryService[35]: DSLDAPv3PlugIn: Required Policies not Supported: No ClearText. LDAP connection for Node main.test.bed denied.
On the server, ApplePasswordServer.Server.log contains these for every time I booted the client:
Aug 2 2005 14:32:41 KERBEROS-LOGIN-CHECK: no principal (@MAIN.TEST.BED)
Aug 2 2005 14:32:41 QUIT: {no user} disconnected.
slapd.log contains:
Aug 2 14:32:41 tiger slapd[348]: SASL [conn=84] Failure: no user in database
I have this vague idea that the problem is I'm trying to "attach" an Open Directory to an IP and FQDN that is not the server's primary network interface. I searched the Apple docs for "kerberos principal" and found out to try this:
tiger:/var/db/krb5kdc root# kadmin.local -q list_principals
kadmin.local: Improper format of Kerberos configuration file while initializing krb5 library
So now it seems like something is messing up when the server initializes the Open Directory and Kerberos systems. Any ideas for a fix? I've set up the server basically from scratch several times now (I set up the server as standalone, configured NAT, Firewall, DNS, etc., and made a disk image which I keep starting over from) and this happens every time.