dsconfigldap – Failures during bind to OD

[sunnyape]

When trying to bind a Mac to an OD server using dsconfigldap, the bind process seems to start, then fails with the message that the computer already exists.

If I delete the computer record from the OD server, regenerate the KDC on the client Mac and try the bind again, it still fails. If I try to do a manual bind via the Directory Utility, I get an error that the record exists and if I try to overwrite, I get an “Unexpected error while attempting to bind. Operation cancelled”.

Each attempt causes a Computer account to be created in the OD server.

It seems that dsconfigldap is successfully adding the Computer record to OD, then going to do a secondary task and that task is discovering the just created record and producing a fail.

Client Macs are 10.6.2, OD master server is 10.6.2 (and replica is 10.6.2 also).

Anyone seem the same problem? This never used to happen with the same script when clients and server were 10.5.

[sunnyape]

I think I’ve worked it out.

When I prep the image, prior to deployment, I use a cleanup script that also regenerates the KDC. This has always been fine for 10.5 and 10.5 server.

With 10.6, you need to delete and re-generate the system keychain as well as the KDC before making an image for deployment.

For those with similar issues, do this in your image prep script and your binds should be OK.

[code]# Delete and re-generate the System keychain
rm -rf /Library/Keychains/System.keychain
/usr/sbin/systemkeychain -C

# Delete and re-generate the KDC database
rm -rf /var/db/krb5kdc
/usr/libexec/configureLocalKDC
[/code]

[Author]

Posts