Our thinking


How to give a Mac OS X machine a new Kerberos identity

If you’re doing a quick-n-dirty deployment of a few Macs, and instead of building a real SOE, you just build one machine and image it to the others, you can easily end up in a situation where you can only bind one of these machines to Open Directory, as they all have an identical Kerberos identity.

Fortunately it’s pretty easy to reinitialise the Kerberos database on a Mac – simply follow these steps:

In the Utilities folder, open Keychain Access. In the System keychain, find and delete the three com.apple.kerberos.kdc entries – a certificate and a public/private key pair generated from that certificate.

  1. In Terminal, run ‘sudo rm -fr /var/db/krb5kdc’ – this will destroy the local KDC database.
  2. In Terminal, run ‘sudo /usr/libexec/configureLocalKDC’ – this will regenerate the local KDC database, including a new certificate and SHA1 hash.
  3. Bind the machine to OD.

Leave a Reply

Your email address will not be published. Required fields are marked *