10.5: A possible fix for Active Directory integration issues

Aug 13, '08 07:30:00AM

Contributed by: rootryan

I may have found a culprit in the OS X 10.5 Active Directory integration problem (see the comments on this post at AFP548.com for more info on the problem). I noticed that after a 10.5 machine is bound, it mostly freezes up when it's trying to authenticate. I started looking around and noticed interesting things in the /Library/Preferences/edu.mit.Kerberos file.

Before being bound, the file looked like this:

[libdefaults]
    dns_fallback = "no"

I then bound the machine. It was unusably sluggish, as expected. After binding, the file looked like this:

# WARNING This file is automatically created by Active Directory
# do not make changes to this file;
# autogenerated from : /Active Directory/DOMAIN.DOMAIN.LOCAL
# generation_id : 0
[libdefaults]
    dns_fallback = no

They are pretty much the same. I changed the file to look like this (if you check the file on a 10.4 machine that has been bound, you will see this file properly populated):

# WARNING This file is automatically created by Active Directory
# do not make changes to this file;
# autogenerated from : /Active Directory/DOMAIN.DOMAIN.LOCAL
# generation_id : 0
[libdefaults]
    default_realm = DOMAIN.DOMAIN.LOCAL
    noaddresses = TRUE
    dns_fallback = "no"

[realms]
    DOMAIN.DOMAIN.LOCAL = {
        kdc = kerberosserver.domain.domain.local.:88
        admin_server = kerberosserver.domain.domain.local.
        default_domain = domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.DOMAIN.LOCAL

You will have to add [v4_realms] and [v4_domain_realm] if you are using an older version of Kerberos.

The machine was delayed creating the account initially, but after that, it was performing perfectly. After restarts and trying various things, I had a working 10.5 machine bound to Active Directory. I hope some of you have the resources to test this out; I'd like to hear any successes or failures.
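
A check for the unpopulated file described above, as an added example that is not part of the original hint: it parses a krb5-style file and reports a missing default_realm, a realm with no kdc, or a [domain_realm] mapping to a realm that is not defined. The function names and the sample string are made up for this example.

```python
import re
import sys

# Constructed sample: the file as the hint shows it just after binding on 10.5.
UNPOPULATED = "[libdefaults]\n    dns_fallback = no\n"

def parse_krb5(text):
    """Parse krb5.conf-style text into {section: {key: value or sub-dict}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)
            else:
                section[key] = value.strip('"')
    return conf

def check_krb5(text):
    """Return a list of gaps in the realm configuration (empty list = none found)."""
    conf = parse_krb5(text)
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    problems = []
    if not default:
        problems.append("no default_realm in [libdefaults]")
    elif default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry")
    for name, body in realms.items():
        if not isinstance(body, dict) or not body.get("kdc"):
            problems.append(f"realm {name} lists no kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:  # realm names are case-sensitive
            problems.append(f"[domain_realm] {domain} maps to undefined realm {realm}")
    return problems

if __name__ == "__main__":
    # With no argument, check the constructed sample; otherwise the given file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNPOPULATED
    print("\n".join(check_krb5(text)) or "realm configuration looks populated")
```

Run it with the path to edu.mit.Kerberos as the only argument to check a bound machine.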


Mac OS X Hints
http://hints.macworld.com/article.php?story=20080808143211248