How to give a Mac OS X machine a new Kerberos identity

If you’re doing a quick-n-dirty deployment of a few Macs and, instead of building a real Standard Operating Environment (SOE), you just build one machine and image it to the others, you can easily end up in a situation where only one of those machines can be bound to Open Directory, because they all carry an identical Kerberos identity (the same local KDC database and certificate).

Fortunately it’s pretty easy to reinitialise the Kerberos database on a Mac – simply follow these steps:

  1. In the Utilities folder, open Keychain Access. In the System keychain, find and delete the three com.apple.kerberos.kdc entries – a certificate and the public/private key pair generated for that certificate.
  2. In Terminal, run `sudo rm -fr /var/db/krb5kdc` – this destroys the local KDC database.
  3. In Terminal, run `sudo /usr/libexec/configureLocalKDC` – this regenerates the local KDC database, including a new certificate and SHA1 hash.
  4. Bind the machine to OD.
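As an added example (not part of the original post), here is a small shell helper that spots the cloned-identity problem across a fleet before binding fails, and wraps the reset steps above in a guarded function. It assumes the macOS `security` command-line tool, the keychain item name com.apple.kerberos.kdc and the paths used in the steps; the keychain cleanup via `security delete-identity` is my substitute for the Keychain Access step, and the sample inventory is constructed.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes macOS `security` CLI and
# the paths named in the steps above.

# Print the SHA-1 fingerprint of this Mac's local KDC certificate (macOS only).
local_kdc_fingerprint() {
  security find-certificate -c com.apple.kerberos.kdc -Z \
    /Library/Keychains/System.keychain 2>/dev/null \
    | awk '/^SHA-1 hash:/ { print $3; exit }'
}

# Read "hostname fingerprint" lines on stdin (collected from each Mac with
# local_kdc_fingerprint) and print every fingerprint shared by more than one
# host, followed by those hosts. Any output means those machines were imaged
# with the same KDC identity and only one of them will bind to OD.
find_cloned_kdc_identities() {
  awk '{ hosts[$2] = hosts[$2] " " $1; n[$2]++ }
       END { for (f in n) if (n[f] > 1) print f ":" hosts[f] }' | sort
}

# The reset procedure from the post, only runnable as root with an explicit
# "yes". Assumption: `security delete-identity` removes the KDC certificate
# and its private key; check Keychain Access for a leftover public key.
reset_local_kdc() {
  [ "$1" = "yes" ] || { echo "usage: reset_local_kdc yes" >&2; return 2; }
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  security delete-identity -c com.apple.kerberos.kdc /Library/Keychains/System.keychain
  rm -fr /var/db/krb5kdc
  /usr/libexec/configureLocalKDC
}

# Constructed sample inventory: mac01 and mac03 were imaged from one master.
SAMPLE_INVENTORY='mac01 AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
mac02 BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
mac03 AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_INVENTORY" | find_cloned_kdc_identities
fi
```

Run with `--demo` to see the duplicate report for the sample inventory; on a real fleet, feed it one `hostname fingerprint` line per Mac instead.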
This article was posted by Kai Howells. If you liked this content and have any technical work in the Melbourne area, say hello via my contact form or give me a call on 0419 361 653 - I cover most of the greater Melbourne area and my rates are competitive.
