"Join Kerberos"

Hi, I am trying to Join Kerberos in Open Directory in Server Admin. On this machine (Xserve running 10.4.11 Server), I went to Server Admin, Open Directory, entered the information to "bind now" to Active Directory, and all 5 of the steps were successful. Then it suggests (or just gives me info on how to) Join Kerberos in the Open Directory window in Server Admin. There is a button in the Open Directory window that says Join Kerberos. I can't seem to get this to work properly; I'm not sure what info to put in the boxes that appear. I am assuming that you enter the local admin username, the local admin password, for realm example.domain.com, and for the last field the Active Directory machine name. I have bound and unbound the machine many times to get the Join Kerberos button to re-appear -- the button disappears! The main problem is what is happening in Workgroup Manager.
When I go to Workgroup Manager I see my Active Directory users just fine...sometimes. Sometimes it shows that it is local only. I close Workgroup Manager and go back in, and it pulls the users up in Active Directory. In Workgroup Manager, it shows "not authenticated" always, even when I can see the Active Directory users!
Any idea where I can find a concise document or list of instructions? It's a very simple setup really. I just want to have Mac and Windows clients connect to the Mac shares with their Active Directory usernames and passwords.

Hi
You use the account details used in joining the Server to the Active Directory with the Active Directory plug-in in Directory Access. This would be an account name and password that has authority for the AD Domain. Typically the AD admin account. When you click the Join Kerberos button use those account details. OSX Server's system admin account and diradmin account will have no authority over a Kerberos Realm that is elsewhere.
What is useful - sometimes - is before you do any of this create a diradmin account on the AD Server itself and give it the same privileges as the default AD admin account. This way when you join OD to AD, promote to OD Master and Kerberize the server the same account information is consistently used.
Once all this happens you can use the same account information to toggle between the two LDAP nodes. The /Active Directory/All Domains node and the /LDAPv3/127.0.0.1 node. From a personal point of view I prefer to use WGM and SA on a client machine and have two WGM windows open, one for each node.
As the last post has already said, DNS is absolutely vital to all of this working correctly. By DNS I mean what is configured on the AD. Too often - sadly - I find an AD environment where the system admin swears 'nothing wrong with my AD mate' only to find (a) the AD can't resolve its name to its IP address OR - and you will like this - no Reverse Zone has been configured. It's kind of interesting watching the play of emotions come across the admin's face when the built-in nslookup on the AD proves how wrong it all is. If it's not DNS then it will be sloppily organized OUs.
Microsoft make available a really good paper that MS Certified administrators should be reading when having to accommodate Macintosh clients into AD:
http://blogs.msdn.com/sbsdocsteam/archive/2004/11/24/269407.aspx
Hope this helps, Tony

Similar Messages

  • Connect a 10.6 Server to 10.5 Server OD Master? Can't "Join Kerberos..."

    Hello.
    I'm adding a 10.6 Server into a mix of 10.5 Servers. One of the 10.5 Servers is the OD Master. When I first set up the 10.6 Server, when I got to the "Users and Groups" screen, I chose "Connect to another server" and specified the 10.5 OD Master. The next screen, "Directory Service", I choose to NOT set up the machine as an OD Master (since the 10.5 machine is the OD Master).
    Is this correct?
    Once I've booted in to the 10.6 Server and use Server Admin to look at the OD settings, I've set it as "Connected to another directory" and then used Open Directory Utility to connect to the 10.5 OD Master. Then, I click the "Join Kerberos..." button, but can't get past there? When I click the "Join Kerberos..." button, it asks for the following information, which I've entered as follows...
    Administrator Name: <directory admin name of the OD Master>
    Password: <directory admin password for the OD Master>
    Realm Name: xserve001.mydomain.com
    DNS/Bonjour Name of KDC: xserve001
    Is this correct?
    When I click "OK", it quickly flashes "Joining Kerberos", but nothing happens and my only options are "OK" and "Cancel". It doesn't give any errors, etc.
    Any advice would be much appreciated!
    Thanks,
    Kristin.

    Since nobody else has answered, I'll take a stab at this. Server Admin isn't very good about reporting what happens in some processes like this, so check the logs. Specifically, check slapconfig.log (Server Admin -> Open Directory -> Logs -> Configuration Log).
    If you see something like:
       slapconfig -kerberize
       command: /user/sbin/sso_util info -r /DALPv3/127.0.0.1 -p
       Warning: Kerberos is already configured on this server, use -f to override current settings.
    ... you're probably all set to go, and Server Admin is just failing to remove the Join Kerberos button for some reason. You can double-check this by running the command "sudo klist -ke" on the server; it should list a bunch of service principals like "afpserver/[email protected]" (with a variety of services besides "afpserver") (it'll also list some like "afpserver/LKDC:SHA1.gibberish@LKDC:SHA1.gibberish", but you can ignore these).
    If there's something else in the slapconfig log, or the XSERVE001.MYDOMAIN.COM principals are missing, report back and we'll see what we can figure out.
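    A scripted form of the check in the reply above, added here as an example and not part of the original thread: it parses `klist -ke` output, reports which service principals exist in the expected realm while ignoring the LKDC entries, and combines that with the slapconfig.log warning to reach the same verdict the reply describes. The sample keytab listing and log excerpt are constructed, and the host name xserve001.mydomain.com used as the principal instance is an assumption.

```python
import re

# Constructed sample of "sudo klist -ke" output from a server kerberized into
# the XSERVE001.MYDOMAIN.COM realm. The host name used as the principal
# instance is an assumption and the LKDC:SHA1.* hash is made up. LKDC entries
# belong to the server's own local KDC and exist whether or not the join
# succeeded, so they must not count as evidence of a join.
SAMPLE_KLIST_KE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afpserver/LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567@LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567 (aes256-cts-hmac-sha1-96)
   3 cifs/LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567@LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567 (aes256-cts-hmac-sha1-96)
   2 afpserver/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 afpserver/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (des3-cbc-sha1)
   2 cifs/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 host/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 ldap/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed slapconfig.log excerpt modelled on the lines quoted in the reply.
SAMPLE_SLAPCONFIG_LOG = """\
slapconfig -kerberize
command: /usr/sbin/sso_util info -r /LDAPv3/127.0.0.1 -p
Warning: Kerberos is already configured on this server, use -f to override current settings.
"""

# One keytab entry: KVNO, service/instance@REALM, optional "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s*(?:\(([^)]*)\))?\s*$")


def parse_klist_ke(output):
    """Parse klist -ke output into dicts (kvno, service, instance, realm, enctype).
    The 'Keytab name' header and the column separator do not match and are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kvno, principal, realm, enctype = m.groups()
        # Service principals are service/instance; a bare user name has no instance.
        service, _, instance = principal.partition("/")
        entries.append({"kvno": int(kvno), "service": service,
                        "instance": instance or None, "realm": realm,
                        "enctype": enctype})
    return entries


def is_lkdc_realm(realm):
    """The local KDC realm is named LKDC:SHA1.<hash>; it is never the joined realm."""
    return realm.upper().startswith("LKDC:")


def service_principals_for_realm(output, realm):
    """Sorted, de-duplicated service names holding keys in `realm`.
    Realm names compare case-insensitively; LKDC entries are ignored."""
    wanted = realm.upper()
    services = {e["service"] for e in parse_klist_ke(output)
                if not is_lkdc_realm(e["realm"]) and e["realm"].upper() == wanted}
    return sorted(services)


# Services one would expect kerberized on a file server; this list is an
# assumption, adjust it to the services actually enabled on the machine.
EXPECTED_SERVICES = ("afpserver", "cifs", "host", "ldap")


def already_kerberized(slapconfig_log):
    """True when slapconfig reports that Kerberos is already configured."""
    return "Kerberos is already configured on this server" in slapconfig_log


def diagnose(klist_output, slapconfig_log, realm, expected=EXPECTED_SERVICES):
    """Apply the reply's reasoning: the server is joined when the log says
    'already configured' and non-LKDC service principals exist in the realm.
    Returns (verdict, expected services that have no key in the realm)."""
    present = service_principals_for_realm(klist_output, realm)
    missing = [s for s in expected if s not in present]
    if present and already_kerberized(slapconfig_log):
        verdict = "joined; the Join Kerberos button is stale"
    elif present:
        verdict = "principals present; check slapconfig.log for a different error"
    else:
        verdict = "not joined; no service principals in the realm"
    return verdict, missing


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST_KE, SAMPLE_SLAPCONFIG_LOG, "xserve001.mydomain.com"))
```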

  • Joining Kerberos Realm from a distance

    Hi,
    I have a computer that is remote from the KDC (10.4.6).
    It connects by VPN (MS-CHAP Authentication).
    I entered the realm in the edu-mit-kerberos file by hand and managed to get a ticket.
    However every time I try to access a Group folder, I get a kernel panic.
    Any ideas why? Is there another file to modify?
    Ludo

    Error stopped appearing after Mac OS X Update...

  • How do you use an external MIT Kerberos realm for authentication in 10.4?

    Does anyone have experience with OS X Server 10.4.x Open Directory and using "third-party" KDCs for authentication?
    I have four 10.4.5 Xserves that form a SAN (Xsan). I am using a common Open Directory domain that consists of about 100 users to manage access to the SAN file space. I have one of the servers set up as OD master and a second as a failover.
    My university has a Kerberos realm that includes all university staff and students. I would like to use that KDC for authentication, not create my own KDC on the OD Master.
    The SAN is only being used to support network file services, not as work stations. The users are going to mount file space on their local machines through AFP, Samba, or via ssh at the command line.
    All of the users' short names are identical to their principal names in the University Kerberos realm.
    All of the Apple documentation assumes that the OD Master will be the KDC for the OD, and part of the setup involves starting up the Kerberos KDC on the OD master system. There is mention of using any MIT Kerberos KDC, but I cannot for the life of me find where that is documented.
    I have tried using the Server Admin interface and the "Join Kerberos . . . " tool, but when I enter the principal and password, the realm name and the DNS of the KDC, it always fails with "error creating the keytab file."
    I have also tried just putting a valid edu.mit.kerberos file in /Library/Preferences and creating a keytab file in the realm I want to join, and putting that at /etc/krb5.keytab in each of the servers in the OD domain, but that doesn't seem to work, either.
    Has anyone else been successful doing this with OS X Server 10.4.x?

    Leland,
    Thanks for your suggestions. I need a little more guidance though. Can you explain how to do step one?
    1) on your OD Master, using workgroup manager edit the KerberosClient record and add the correct kdc info to the XMLPlist attribute.
    Is this done on the "Inspector" tab of the Work Group manager for the user record for the principal that is in the KDC? Exactly which key value pair do I need to edit?
    No, use the "Inspector" tab to look at config records, you will find the KerberosClient & KerberosKDC records in that list.
    Select the XMLPlist attribute and edit it.
    Look for the realms dictionary and either replace the existing entry with the correct realm info or add a new entry for the realm.
    The important keys are KADM_List & KDC_List.
    You should also look at the domain_realm dictionary and make sure that also has the correct info.
    Look at the kerberos admin guide at
    <http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.3/doc/krb5-admin/krb5.conf.html#krb5.conf>
    for an idea of what the sections mean.
    2) from the command line on a server run (as root):
    sso_util configure -r FOO.EDU -a kdcadmin -p kdcadmin_pw -v 4 all
    I would do this on each server in the OD, correct?
    yes, this step creates the service principals for the servers in the kdc, exports the info to the local keytab, and configures the services to use kerberos (so that they know their service principals)
    you might need to modify the AuthenticationAuthority entry for each user to point at the proper realm.
    Is this also done in the "Inspector" tab for each user's record in Work Group Manager?
    yes
    Thanks again for the suggestions.
    Glad to be able to help
    - Leland
    DP G4   Mac OS X (10.4.2)  

  • Can't Ad Kerberos Record

    Hi,
    I have installed a new Xserve Intel that must act as Open Directory Master.
    That is set up.
    Now I want to add a file server to Kerberos so I get single sign-on.
    I made a computer list with the file server in it, using the FQDN.
    When I want to add a Kerberos Record I fill in:
    Administrator Name: diradmin = Directory Administrator of my Open Directory
    Administrator Password: password of diradmin
    Configuration Record Name: the file server I want to add, with its FQDN
    Delegated Administrators: KerberosAdmin (admin user in LDAP), but I also tried the Server Admin name. But I keep getting the error:
    "Invalid Name
    Sorry, one of the delegated administrators you entered is not a valid name or it could not be used to encrypt the Kerberos configuration record."
    I set up the previous server without any glitch but that was over a year ago...
    Need help, asap, because otherwise we can't work anymore...
    Thanks
    Patrick

    Hi, when I read this:
    2. Member server
    There are two ways to join a member OS X Server to an Open Directory Kerberos domain.
    The first is entirely GUI-based, and is the official Apple method for doing this. On 10.3 it was more than a little backward, rather involved and sometimes problematic. However, starting with 10.4 the entire process has been condensed into a single button.
    Once your server has been joined into Open Directory all you need to do is use the "Join Kerberos" button in the Open Directory module of Server Admin. You'll be prompted for an admin user name and password, and you're kerberized.
    I should only need to fill in my OD admin and password, but it is asking me for the REALM and DNS name of the KDC server...
    I fill it in, but still I get the error "user unknown" when I try to connect through AFP; the Kerberos utility shows the ticket but it is not working.
    What is it I miss..?
    Greetings
    Patrick

  • Missing Join Kerberos Button...

    Just in case this happens to you...
    Binding Mac OS X Server 10.4.x to Active Directory or Open Directory
    (for the purposes of joining an AD or OD Kerberos Realm)
    If you go through the steps and get to the point where you've chosen "connected to a directory system" and you have no "join kerberos" button...
    1. Demote to standalone, save, quit Server Admin
    2. Remove, re-add LDAP or AD configurations in Directory Access.
    3. Obviously make sure your DNS is set to that which is able to resolve the necessary servers, including the one you're on.
    4. Set up Server (server admin) as connected-to (in the case of AD) or OD Master (in the case of OD, quickly follow this with "connected-to" once the change is complete).
    5. Click "change" when prompted for changing the role. Do NOT click save.
    6. Click Join kerberos. You should get your kerberos realm filled in the drop-down. Use your delegate admin (provided from the OD or AD KDC) to authenticate.
    The computer will still have the join kerberos button available in the meantime. Don't click it. You should be joined. Check your /Library/Preferences/edu.mit.Kerberos file to examine your realms.
    *If you now bind a client to your new service principal, you should be able to log in, or request any other kerberized service. Examine your kerberos tickets using klist or /System/Library/CoreServices/Kerberos to make sure they are there.
    And..when in doubt, use sso_util to join. The GUI just gets weirded out sometimes..have fun.

    John,
    As mentioned yesterday, I deleted and re-installed Elements 8 on my computer. It went very smoothly, no problem whatsoever. Then I tried everything you mentioned in your emails. Nothing helped. The "Advanced" option did not show up at all in the Preferences box, nor on the Downloader box. I can't think of anything else to try other than call the Tech support of Adobe, unless you or someone else can suggest something else to try. I am willing to try anything. Thanks a lot for everyone's help.
    Regards, DukeF5
    Date: Mon, 8 Feb 2010 11:47:39 -0700
    From: [email protected]
    To: [email protected]
    Subject: missing Advanced Dialog button
    Does "'Show APD Dialog (Advanced)" appear as an option in that drop-down list, as shown here:
    http://forums.adobe.com/servlet/JiveServlet/showImage/19683/capture.png
    If it doesn't, then that's an additional indication that your PSE is getting confused about the display height.  (When the height is less than 768, PSE won't show the Advanced option in the drop-down box.)  Whether that's a bug in PSE or a problem on your computer, who knows.
    Did you try steps 2-4 from my previous message?

  • Help on MAC OS 10.4 Server, I'm a newbie...

    I've read the documentation and have managed to get it working to a certain extent. Please excuse my lack of terminology and wording on some of these issues. What I'm trying to accomplish is we are a Windows / Mac environment. I've set up a Mac OS 10.4 Server so it can help better manage our Mac users trying to authenticate to the Windows Active Directory. I'm able to bind the Mac clients to AD. I've been able to add the 10.4 OS Server to AD and can pull the domain accounts in Workgroup Manager. The OS 10.4 server is set in Open Directory as "Connected to a Directory System" according to the Apple documentation. Joined Kerberos also with the local admin account. Can't seem to find documentation or figure out how to get the clients to utilize the OS 10.4 server for authentication instead of AD. Any help would be appreciated, thanks.

    www.afp548.com is your friend. They have a bunch of articles, tips about OD & Active Directory integration.
    HTH
    - Leland
    DP G4   Mac OS X (10.4.5)  

  • Can't connect to a directory system

    I'm working on upgrading all of our OSX Servers from Tiger to Leopard.
    Before this happens, I always test new server setups in my test lab.
    I'm having a problem in this lab that I cannot figure out. All that I'm trying to do is connect a Leopard server (10.5.2) using 'Connect to a Directory System' to another Leopard server (10.5.2) that is an Open Directory Master.
    I can do both forward and reverse lookups on both the servers.
    LDAP server, Password Server and Kerberos are all running on the ODM.
    I've added the server that I want to connect to the ODM into the computer list of the ODM's Workgroup Manager.
    I've created a group of Kerberized Servers with that added computer in WGM.
    I've added a Kerberos Record to the ODM which contains:
    diradmin for the administrator name
    diradmin's password for the administrator password
    The fully qualified domain name of the Leopard server that is going to connect to a Directory system
    diradmin as the Delegated Administrator.
    I don't get an error message and the window disappears after I click add so I'm assuming the record is added.
    On the server that is going to connect to the ODM, I open Open Directory Utility and I am able to bind this server to the ODM.
    I next click on the Join Kerberos button.
    The realm that first appears is LKDC:SHA1.763D1DFF494B476438C
    I click on this and choose the Kerberos Realm that I created when I set up the ODM which is marked as (default)
    I enter the username of diradmin
    I enter diradmin's password for the password.
    It tells me I have either an invalid username or password.
    I'm pretty sure that the username is correct because if I use another username I get a delegation error that says this administrator has no delegated Kerberos Join authority. But if I go back to the diradmin username it gives me the invalid user name/password error.
    Looking at the Password Service Server Log I get an error such as this when I try to join the Kerberos realm:
    RSAVALIDATE: success.
    AUTH2: {0x47b35e1c6b8b4570000000200000002, diradmin} DHX authentication failed, SASL error -13 (password incorrect).
    I've tried destroying the ODM multiple times. Rebooted both servers. Changed the diradmin password. Nothing works.
    I'm at a loss for what to do next.

    Hi Tony,
    Let me tell you what I did.
    1. I created a dns record for the odm and member server on the odm
    2. Started up dns on odm
    3. I made sure both machines resolved correctly on both the member and odm using nslookup
    4. Started afp on the odm
    5. Configured Open Directory Master on ODM with the administrator diradmin
    6. Configured Directory Utility on the member server to bind to odm
    7. Made sure odm was the first one in list for authentication/contacts (it was the only one)
    8. Added a machine record for the member server on the odm. (Double checked that the MAC address was correct.)
    9. Added Kerberos record with the member server's FQDN with diradmin as the admin
    10. Went to Connect to the Directory System on the member system. It was already selected.
    11. Went into terminal on member server and ran the kadmin.local -q list_principals
    It gave me the following output:
    Authenticating as principal root/admin@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E with password.
    K/M@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    afpserver/LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    cifs/LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    kadmin/admin@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    kadmin/changepw@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    kadmin/history@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    kadmin/mail.lgusd.k12.ca.us@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    krbtgt/LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    lgadmin@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    root@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    vnc/LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
    12. Went into terminal on the odm and ran the kadmin.local -q list_principals
    It gave me the following output:
    Obviously not the same
    13. So I clicked on the Join Kerberos button. Changed realm from the LKDC one to ODM.LGUSD.K12.CA.US. Entered diradmin's credentials. It once again says my password is invalid. So I'm back to where I started.
    Conclusion:
    I hate OS 10.5.2 Server

  • Active Directory - Open Directory Magic Triangle

    I have a 10.5.5 server that I am trying to bind to our AD so I can provide SSO to our Mac users.
    I start from a Standalone installation and Bind to AD through the Directory Utility without issue. The server's computer record is created in AD. However I am unable to join a Kerberos realm because the "Join Kerberos" button never appears in the Open Directory settings in Server Admin.
    I thought this part should be straight forward, but I am unable to get the button to appear. Am I missing something here?
    Any help would be greatly appreciated.

    Hi
    If you can verify the edu.mit.Kerberos file has been created in /Library/Preferences then you have received your ticket and in that sense you are already 'joined'.
    For lack of any definitive documentation I think the 10.5.4 Combo Update has made AD binding much simpler and easier. Because of this the button is no longer there because its no longer required? I've not had time to do any extensive testing but I think this is the case? If your Server Install Disk is 10.5 or 10.5.2 and you leave it as it is rather than updating I think you do see the button?
    Tony

  • Can Kerio and Postfix Play Together?

    I'm thinking of switching my small office from postfix to Kerio. We host three websites with mail accounts on all three. A couple questions for anyone who might know:
    1. Can Kerio run on the same server as Postfix? And can email users for one domain be served by Kerio and the others by Postfix? I want to know because I want to try out Kerio before buying, and I plan on trying it on the least used domain. If I like it I'll switch the main domain to Kerio, too.
    2. Is there a way to migrate mail from postfix to Kerio? All accounts are IMAP, and I'm wondering if I can just drag the old spool's contents to the new Kerio spool folder.
    Thanks!

    This is from Kerio's site:
    "Configure Kerberos on the Kerio MailServer Machine to authenticate against OpenDirectory
    The directions in this step assume that you are using a Mac OS X machine to run Kerio MailServer. As far as we are aware, this step is only necessary on Mac OS X Server.
    To correctly configure Kerberos, you must:
    Open the Mac OS Server Admin tool on the Kerio MailServer machine.
    In the OpenDirectory section, go to the "Settings" section and select "Connected to a Directory System"
    After this, you must go through the necessary steps to be able to join your machine to Kerberos using the "Join Kerberos..." button. For details, see Apple documentation.
    If you have any difficulty with this last step, unfortunately Kerio Technical Support will not be able to help. Apple's Support Team would be glad to assist you, though. You can tell them that you need to "configure Kerberos to point to your OpenDirectory Master."
    Once this is working, you should be able to log into Kerio MailServer using the credentials of any activated OpenDirectory user."
    This CAN'T be right. If the OD master is changed, the whole hosted database is trashed, right?

  • Connected to a Directory System

    I am not able to properly set up my Open Directory Access. I have bound the Mac server to the Windows server and joined Kerberos. I was able to authenticate to both OD and Kerberos successfully. When launching Workgroup Manager I type in the local IP address of the Mac server and it says "you are working in a directory node that is not visible to the network". I then quit Workgroup Manager and attempted to log into the IP of the Windows server and used a domain admin account on the Windows server and it said "host unreachable the address you entered is not reachable. Please check your network connections" and I know it is not a network issue. I found an article on Apple's support page that showed me how to set up LDAP manually and I did that and I am still receiving the same errors. All I am wanting my Mac server to do is pull the information from AD on the Windows server so I can push updates to all my Macs, create custom install images for new systems, and run NetBoot. I may be missing something or setting the Mac server up incorrectly. What should I do to have my Mac server authenticate with the Windows server and push updates to my Macs?

    Hi Saatchi, you say that when you login using the local IP address it gives you the "you are working in a directory node that is not visible to the network" message, are you clicking the globe icon on the top left under the Server Admin icon?
    It should list all the directory systems available.

  • "No Virtual Host Found for iCal Service" help?

    I have Leopard Server installed.
    When I try to "Start iCal" in Server Admin, "No Virtual Host Found for iCal Service" pops up.
    Also, I can't configure the server in the Directory Utility. Utility claims the ip address is incorrect, even though I know it is.
    HELP!!!

    I just solved this problem by creating a Kerberos record for the iCal server in my Open Directory server's Kerberos realm. The iCal server can join your Open Directory's Kerberos realm through its Open Directory pane's 'Join Kerberos' button. (I think this could be presented better.)
    If you're not using Kerberos, then you'd probably solve the problem by selecting 'Digest' as the 'Authentication' method.

  • Using Xserve w/ XRAID, Binding to AD for Windows Filesharing. Issues.

    Hi all, first time post. I'm hoping that you guys can lead me in the right direction with the issue that I'm having. Seems like I have tried everything.
    I installed an Xserve with a backend Xraid. My goal is to use the Server as a Windows file sharing passthrough for the storage on the Xraid. So I went ahead and bound the xsrv to AD, everything went fine. At that point Directory Services asked me to go into Server Admin and click the "Join Kerberos" button. I went there and did that, no errors. I went into Workgroup Manager, and I am authenticating to AD since I see AD groups and users etc. I create a share... I then try to connect to the share, or even just browse the machine with SMB. For example: (on Windows) START->RUN->\\xsrv\ <ENTER>
    At this point I am challenged for a username and password, so it seems that AD integration is not working. I have looked over the logs, and I know the issue is with Kerberos... I see this:
    [2006/12/17 09:28:58, 1]
    /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:replyspnegokerberos(184)
    Failed to verify incoming ticket!
    If I look into my Kerberos application I see that I DO NOT have a ticket either. I'm almost sure this is the root cause of the issues..
    Here is another odd thing, I can't tell you how many times I have joined and unjoined the AD domain. Here is the odd thing, after the first time joining, I no longer have the "Join Kerberos" button in Server Admin. It's just not there.
    Anyone that can help, it would be much appreciated.
    Xserver Xeon   Mac OS X (10.4.8)  

    What services were running on this machine prior to binding it to AD?
    If you have OD (master) set up you probably will get Kerberos/LDAP problems.
    Does the server have its IP/name set up in DNS (A and reverse PTR records; an AD DNS machine does not always have a reverse zone configured on a smaller network)?
    What does /Library/Preferences/edu.mit.kerberos look like?
    What does changeip -checkhostname give?
    I believe Tiger OS X Server automatically adds spnego=yes and security=ads to /etc/smb.conf when you bind to AD; older versions (Panther) do not.

  • Profile Manager, Push, Kerberos and other oddities

    Hey all,
    First time setting up a Mac Server on our network, thought we'd give Lion a try since we're seeing more and more Macs make their way into our ranks. I'm having issues with the following areas, hopefully someone could shed some light.
    Push
    I can't for the life of me get push to work behind our Firewall. I opened up TCP Port 5223 as outlined in the Apple Docs but that doesn't get me anywhere. Do I need to NAT that port to the lion server? I thought that push sent notifications down to individual machines and then they went and grabbed the new config from the server? How does a firewall with NAT know what machine to send the notification to? Any help would be appreciated.
    Also, what are you supposed to manage users with, the Work Group Manager or the Profile Manager. It seems like apple is moving away from the WGM style of management, although you can't do everything in PM, like setting up home folders etc. Very confusing to a novice.
    Email Addresses in Profile Manager configurations and Webmail.
    I might be missing something really simple here, but no matter what I do the Profile Manager spits out a default payload for email with our FQDN as the email address for the user ([email protected]). I have set the local alias and checked the checkbox to allow our example.com domain to work. Manually setting the email address to [email protected] works just fine. I'm a bit bothered that every time I push a configuration out to a device I'll have to go back in and manually change the email address. Has anyone figured out how to change that?
    In webmail it always lists the email address as [email protected] instead of [email protected]. You can go in and edit the identity and all is right with the world, but that's sort of a pain? Seems like common sense that you could set that as the default.
    Kerberos
    I was excited to get a Single Sign On solution going for our users since it would come in handy, however, straight out of the box it just doesn't work. I'm also not sure what to look for in the logs to make sure that things are working smoothly. I'm joining the client machines to the server by going into Users and clicking Join, selecting the server from the drop down and hitting Submit. Do I have to set up a search order and all that jazz or is that set up automatically then? I can see that I'm getting tickets with the Ticket Viewer but I'm still getting prompted for passwords in Mail, iChat, AFP etc. Close to giving up on that front.
    Any help or general words of encouragement appreciated. 

    Push
    You've opened the secure iChat port to have push notifications working? Take a look here for the right ports:
    http://help.apple.com/advancedserveradmin/mac/10.7/#apdCA9A73CE-5F0C-4BDC-93E8-2952C362FA3E.
    On that page are all port numbers you need to forward to your server.
    Email
    The addresses being displayed as [email protected] are a bug in Lion Server, in my opinion; you can file a bug report at apple.com/feedback.
    Kerberos
    Kerberos is as poorly documented as it is invisible in OS X Lion Server. Single Sign-On is a great tool for making services more user-friendly; it should be top of mind at Apple. You can file an enhancement request at apple.com/feedback.
    Regards,
    Mark

  • I am getting a Changing Password Failed error when I try to join an active directory

    I had a working AD configuration under Snow Leopard. When I upgraded to Mountain Lion, my account was no longer in sync with the domain. I got the red dot on the login screen and my domain password was out of sync. I unhooked from the domain at that point. This was several months ago.
    However, over the last few weeks, I keep finding myself locked out of the domain. I suspect it's something on my Mac that is trying to use my old credentials. I was hoping to rejoin the domain and see if I could get my account back in sync. When I get a domain admin to enter his password on the Directory Utility join screen, it first notes that the computer account already exists in the domain. I tell it to continue, but I can't get past this point:
    2013-06-24 14:21:20.729935 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - Computer account either already exists or DC is already Read/Write
    2013-06-24 14:21:20.732774 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - existing record found 'CN=MYMACHINE,OU=Default,OU=Workstations,OU=MyCity,OU=North America,DC=GLOBAL,DC=OURCORP,DC=NET'
    2013-06-24 14:21:20.732822 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x7faef36ed770'
    2013-06-24 14:21:20.733141 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service kdc for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.734196 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.734221 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741380 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741416 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.741619 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password
    2013-06-24 14:21:20.741637 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password using: MS set password in realm GLOBAL.OURCORP.NET
    2013-06-24 14:21:20.741648 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - using TCP since the ticket is large: 1560
    2013-06-24 14:21:20.741665 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service change_password for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.742867 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.742908 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745231 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745250 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.745398 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - set password using MS set password returned: 0 result_code 3
    2013-06-24 14:21:20.745417 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for '[email protected]' with error '' (3)
    2013-06-24 14:21:20.745426 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - setting Computer Password FAILED for existing record - 5103
    2013-06-24 14:21:20.745818 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential operation failed' (5103)

    Reggierror,
    Had the same issue and discovered that I made my AD object name too long (16 instead of 15 characters, which is the limit). You might want to try making the computer object name shorter if you can.
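The failure in the log above and the explanation in this reply, as an added example that is not part of the original thread: a small Python checker that reads lines in the opendirectoryd format quoted above, pulls out the existing computer record, the kpasswd result code and the final Open Directory error, and flags the two things a defender would look at first: whether the computer name exceeds the 15-character NetBIOS limit the reply mentions, and what the kpasswd result code means. The sample log lines are constructed here after the thread's format (with a 16-character computer name); the result-code names are the standard values from RFC 3244.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows caps a computer account's NetBIOS name (sAMAccountName without the
# trailing '$') at 15 characters. A longer local hostname can therefore map
# to a different account name than the one already in the directory.
NETBIOS_NAME_MAX = 15

# Result codes of the Kerberos change/set password protocol (RFC 3244).
KPASSWD_RESULT = {
    0: "success",
    1: "malformed request",
    2: "server error",
    3: "authentication error",
    4: "password rejected (soft error)",
    5: "access denied",
    6: "bad protocol version",
    7: "initial flag needed",
}

# Constructed sample, modelled on the opendirectoryd lines quoted in the thread.
SAMPLE_LOG = """\
2013-06-24 14:21:20.732774 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - existing record found 'CN=MYMACHINELAPTOP1,OU=Default,OU=Workstations,DC=GLOBAL,DC=OURCORP,DC=NET'
2013-06-24 14:21:20.745398 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - set password using MS set password returned: 0 result_code 3
2013-06-24 14:21:20.745426 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - setting Computer Password FAILED for existing record - 5103
2013-06-24 14:21:20.745818 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential operation failed' (5103)
"""

RECORD_RE = re.compile(r"existing record found '(?P<dn>CN=(?P<cn>[^,']+)[^']*)'")
RESULT_RE = re.compile(r"result_code (?P<code>\d+)")
FAILED_RE = re.compile(r"setting Computer Password FAILED")
ERROR_RE = re.compile(r"failed with error '(?P<msg>[^']*)' \((?P<num>\d+)\)")


@dataclass
class JoinDiagnosis:
    record_dn: Optional[str] = None        # DN of the pre-existing computer object
    computer_name: Optional[str] = None    # its CN (the name the join tried to reuse)
    kpasswd_code: Optional[int] = None     # RFC 3244 result code, if one was logged
    od_error: Optional[int] = None         # final ODNodeCustomCall error number
    password_set_failed: bool = False
    hints: List[str] = field(default_factory=list)


def check_netbios_name(name: str) -> List[str]:
    """Return the reasons a proposed computer name is not a valid NetBIOS name."""
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > NETBIOS_NAME_MAX:
        problems.append(
            f"{name!r} is {len(name)} characters; NetBIOS names are limited to {NETBIOS_NAME_MAX}")
    if re.search(r'[\\/:*?"<>|.\s]', name):
        problems.append(f"{name!r} contains characters not allowed in a NetBIOS name")
    return problems


def parse_join_log(text: str) -> JoinDiagnosis:
    """Scan opendirectoryd join output and summarise why the join failed."""
    d = JoinDiagnosis()
    for line in text.splitlines():
        if m := RECORD_RE.search(line):
            d.record_dn = m.group("dn")
            d.computer_name = m.group("cn")
        elif m := RESULT_RE.search(line):
            d.kpasswd_code = int(m.group("code"))
        elif FAILED_RE.search(line):
            d.password_set_failed = True
        elif m := ERROR_RE.search(line):
            d.od_error = int(m.group("num"))

    if d.computer_name:
        d.hints.extend(check_netbios_name(d.computer_name))
    if d.kpasswd_code not in (None, 0):
        meaning = KPASSWD_RESULT.get(d.kpasswd_code, "unknown")
        d.hints.append(f"kpasswd returned {d.kpasswd_code} ({meaning})")
    if d.password_set_failed:
        d.hints.append("the join found an existing computer object but could not reset its "
                       "password; shorten the name or have an AD admin remove the stale object")
    return d


if __name__ == "__main__":
    diag = parse_join_log(SAMPLE_LOG)
    print("record:", diag.record_dn)
    for hint in diag.hints:
        print("-", hint)
```

Run it against a saved copy of the join log (for example by reading the file into `parse_join_log`); the name check is independent and can be run on a proposed hostname before the join is attempted, which is cheaper than unbinding and rebinding to find out.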
