Leopard Kerberos Configuration Mayhem
Editing the file /Library/Preferences/edu.mit.Kerberos might not always get you the expected result in Leopard. After editing my kerberos realm with kerberos.app, I didn’t see the expected changes. After sniffing on the network I realized the client was still trying to connect to the old kdc server. It took me quite some time to figure out why the change in the configuration file did not cause the client to use the new kdc.
It appears there is a record in the local DirectoryService that overrules the old configuration file. If you try to find it using dscl or Workgroup Manager you can find it at /Local/Default/config/Kerberos:EXAMPLE.COM. This record contains an XMLPlist object with the kerberos configuration. This is what the XMLPlist attribute should look like:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | |
Mac OS X Server has used this format before to distribute kerberos configuration to clients. On Tiger this record in the Open Directory server would be used to create the file /Library/Preferences/edu.mit.Kerberos. On Leopard this record is duplicated to the local directory and this record overrules the configuration in the edu.mit.Kerberos file. If you are changing your kerberos configuration by changing the edu.mit.Kerberos file and your changes do not seem to work, check your local directory for kerberos records. The easiest way to do this is by using Workgroup Manager.
You can also edit the directory service record directly. It is stored in a text file at /var/db/dslocal/nodes/Default/config/Kerberos\:HCODE.BE.plist. The record itself is also a plist file so all the xml entities should be encoded. This is what the file should look like:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | |