Log in

Previous Entry | Next Entry

Fixing OpenDirectory archives take 2

Last year we discovered that OS X Server 10.6 has a teensy tiny issue where it corrupts the Kerberos passwords for all users when restoring an OpenDirectory archive. Yikes. I posted a script that will fix the issue, basically deleting all the Kerberos AuthenticationAuthority attributes for all users above a designated user ID and replacing them with a new password.

I have been shown a much simpler fix: If you have restored from an OD archive and your users can no longer authenticate with Kerberos, type the following in the terminal on your server:

sudo slapconfig -kerberize -f diradmin

Where "diradmin" is your directory admin name. Then authenticate with your sudo password and your diradmin password. This will generate a NEW Kerberos AuthenticationAuthority attribute for every user with their existing password. Thats it, no step 2. The only catch is, it also keeps the old, broken AuthenticationAuthority attribute; you'll see both if you dscl. But it has been working beautifully for us so far.