Mac OS X Server 10.3 or later: Kerberos authentication may not work after changing to LDAP master or replica, or Kerberizing a particular service

If you change your server's LDAP directory configuration to Master or Replica, or if you re-Kerberize a service, duplicate keys may be written to the keytab file, which can cause Kerberos authentication to stop working in some cases. Deleting the old keytab file and recreating it resolves the issue.
Symptom

Kerberos authentication no longer works.

Products Affected

Solution

There are normally three keys within the keytab file per kerberized service. If there are duplicate sets of keys, execute the following commands in Terminal. Commands are preceded by the number sign (#).

To examine the keytab file:

# sudo ktutil

At the ktutil prompt:

ktutil: read_kt /etc/krb5.keytab
ktutil: list
ktutil: exit

If duplicate keys exist or Kerberos authentication is no longer working, remove the keytab file with this command:

# sudo rm /etc/krb5.keytab

Then recreate the keytab file with this command:

# sudo sso_util configure -r KERB-REALM -a LDAP-ADMIN -p LDAP-ADMIN-PASSWORD all

The new keytab file should allow kerberized services to authenticate correctly.

Note: The "LDAP-ADMIN" mentioned above represents the user (or administrator) created on the master LDAP server in Server Assistant during initial server setup. This step may fail if the root user is used.
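As an added example (not part of the Apple article), the following shell script checks a `ktutil` listing for principals that carry more than one key for the same encryption type, which is the duplicate condition the steps above describe. It assumes the MIT `ktutil` `list -e` output format (slot, KVNO, principal, enctype in parentheses) and works on a constructed listing embedded in the script.

```shell
#!/bin/sh
# Added example, not from the Apple article. Detects duplicate keys in a
# "ktutil: list -e" listing. Assumes MIT ktutil output format:
#   slot KVNO Principal (enctype)
# The listing below is constructed: afpserver was re-Kerberized, so its
# three keys appear twice (KVNO 3 and KVNO 4); smtp has the normal three.
SAMPLE_LISTING='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 afpserver/server.example.com@EXAMPLE.COM (des-cbc-crc)
   2    3 afpserver/server.example.com@EXAMPLE.COM (des-cbc-md5)
   3    3 afpserver/server.example.com@EXAMPLE.COM (des3-cbc-sha1)
   4    4 afpserver/server.example.com@EXAMPLE.COM (des-cbc-crc)
   5    4 afpserver/server.example.com@EXAMPLE.COM (des-cbc-md5)
   6    4 afpserver/server.example.com@EXAMPLE.COM (des3-cbc-sha1)
   7    2 smtp/server.example.com@EXAMPLE.COM (des-cbc-crc)
   8    2 smtp/server.example.com@EXAMPLE.COM (des-cbc-md5)
   9    2 smtp/server.example.com@EXAMPLE.COM (des3-cbc-sha1)'

# Read a ktutil listing on stdin; print "principal (enctype) count" for
# every principal/enctype pair that occurs more than once. The two header
# lines (column names and dashes) are skipped; lines with fewer than four
# fields (stray prompts, blank lines) are ignored.
duplicate_keys() {
    awk 'NR > 2 && NF >= 4 {
            key = $3 " " $4
            count[key]++
         }
         END {
            for (k in count) if (count[k] > 1) print k, count[k]
         }' | LC_ALL=C sort
}

# Convenience wrapper: number of duplicated principal/enctype pairs in a
# listing passed as a string. A non-zero result means the keytab should be
# removed and recreated as described above.
count_duplicates() {
    printf '%s\n' "$1" | duplicate_keys | wc -l | tr -d ' '
}

echo "Duplicated principal/enctype pairs: $(count_duplicates "$SAMPLE_LISTING")"
printf '%s\n' "$SAMPLE_LISTING" | duplicate_keys
```

To check a real server, save the output of `list -e` from `sudo ktutil` (after `read_kt /etc/krb5.keytab`) to a file and pipe that file through `duplicate_keys`.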
Published Date: Oct 7, 2016