<HTML>
<HEAD>
<TITLE>Solving corruption of Kerberos config</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:10pt'>We recently ran into a problem where our Macs kept “falling out” of our Active Directory domain and wouldn’t authenticate, even if they had previously been working. We had support staff unbinding and rebinding multiple machines every day to get them working again.<BR>
<BR>
The problem was eventually tracked down to this: <a href="http://support.apple.com/kb/TS2691">http://support.apple.com/kb/TS2691</a><BR>
<BR>
Essentially, the Kerberos configuration files in DSLocal were invalid/corrupt/empty (zero bytes), which seems to be an issue with Mac OS X 10.5.6. This is obviously more of a problem on lab machines where multiple users log in every day, than on staff machines where the same user logs in all the time and is cached. The machine hasn’t actually dropped off the domain – it just doesn’t have the right credentials to talk to the domain, is unable to authenticate users, and therefore appears to have “fallen out”.<BR>
<BR>
To resolve this, one of the things we did was to implement the following custom command-line as a Startup policy in Casper, scoped to all machines to intervene in a no-touch manner and fix the issue before anyone notices, even if the corruption keeps recurring.<BR>
<BR>
</SPAN></FONT><FONT SIZE="2"><FONT FACE="Lucida Grande"><SPAN STYLE='font-size:8.5pt'><CODE>if [ ! -s /var/db/dslocal/nodes/Default/config/Kerberos\:DU.DEAKIN.EDU.AU.plist ]; then rm /var/db/dslocal/nodes/Default/config/Kerberos\:DU.DEAKIN.EDU.AU.plist; killall DirectoryService; fi</CODE><BR>
<BR>
The “if” statement first checks whether the affected file is zero-length (the <CODE>-s</CODE> test is false for an empty file, and also for a missing one) and does nothing if it is non-zero. Otherwise, if the file is empty, the command performs Apple’s recommended work-around, which is to remove the corrupted file and respawn DirectoryService, thus regenerating the affected file and restoring the workstation’s credentials. No re-bind necessary.<BR>
<BR>
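As an added example, not the script from the original post: a more defensive version of the same work-around in plain sh. It treats a missing file like an empty one, walks every Kerberos:*.plist in the DSLocal config directory rather than only the DU.DEAKIN.EDU.AU realm file, logs what it removes, and restarts DirectoryService only once. The DSLOCAL_CONFIG_DIR and RESTART_CMD overrides and the --run flag are assumptions added so the logic can be exercised on a scratch directory before being deployed as a policy.<BR>

```sh
#!/bin/sh
# Added example (not the original poster's one-liner): repair empty or missing
# Kerberos:*.plist files under the DSLocal config directory and restart
# DirectoryService once so that it regenerates them.
# Assumption: DSLOCAL_CONFIG_DIR and RESTART_CMD can be overridden so the
# functions can be tested against a scratch directory on any machine.

DSLOCAL_CONFIG_DIR="${DSLOCAL_CONFIG_DIR:-/var/db/dslocal/nodes/Default/config}"
RESTART_CMD="${RESTART_CMD:-killall DirectoryService}"

# Returns 0 (true) when the given plist is empty or does not exist, i.e. when
# Apple's work-around (delete it and let DirectoryService regenerate it) applies.
needs_repair() {
    [ ! -s "$1" ]
}

# Removes every empty Kerberos:*.plist in the given directory, restarts
# DirectoryService once if anything was removed, and prints the number of
# files removed on stdout (progress messages go to stderr).
repair_kerberos_config() {
    dir="$1"
    removed=0
    for plist in "$dir"/Kerberos:*.plist; do
        # An unmatched glob is returned literally; skip that case.
        [ -e "$plist" ] || continue
        if needs_repair "$plist"; then
            echo "repair: removing empty Kerberos config $plist" >&2
            rm -f "$plist"
            removed=$((removed + 1))
        fi
    done
    if [ "$removed" -gt 0 ]; then
        echo "repair: restarting DirectoryService to regenerate $removed file(s)" >&2
        $RESTART_CMD
    fi
    echo "$removed"
}

# Only act on the real directory when invoked explicitly, e.g. from a
# Casper Startup or Once Per Day policy: sh repair_kerberos.sh --run
if [ "${1:-}" = "--run" ]; then
    repair_kerberos_config "$DSLOCAL_CONFIG_DIR"
fi
```
<BR>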
It was also implemented in a Once Per Day policy, in case someone doesn’t restart very often.<BR>
<BR>
Instances of “falling out of the domain” have now dropped completely off. We’re now moving forward with preparing 10.5.8 for release, which is said to resolve the issue once and for all. </SPAN></FONT></FONT><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:10pt'>We had previously held off on updating existing machines to Mac OS X 10.5.7 and 10.5.8, except on new hardware out of necessity, as the versions of Safari bundled into those updates are not supported by a couple of our key corporate applications, so much of our fleet was (and is) still running 10.5.6.<BR>
</SPAN></FONT><FONT SIZE="2"><FONT FACE="Lucida Grande"><SPAN STYLE='font-size:8.5pt'><BR>
Hope this might help someone.<BR>
<BR>
<BR>
</SPAN></FONT></FONT><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:10pt'>Cheers,<BR>
David.<BR>
<BR>
David Whiteley<BR>
Senior Desktop Infrastructure Engineer, Information Technology Services Division<BR>
<BR>
Deakin University Geelong Victoria 3217 Australia<BR>
Phone: 03 5227 8914 International: +61 3 5227 8914<BR>
Fax: 03 5227 8866 International: +61 3 5227 8866<BR>
E-mail: <a href="mailto:deej@deakin.edu.au">deej@deakin.edu.au</a><BR>
Website: <a href="http://www.deakin.edu.au">http://www.deakin.edu.au</a><BR>
<BR>
Deakin University CRICOS Provider Code 00113B<BR>
<BR>
<BR>
</SPAN></FONT>
</BODY>
</HTML>