Mac OS X Server: Authentication issues with DIGEST-MD5, "SASL error -13"

Sometimes the SASLRealm will be set to different values on an Open Directory master and its replicas. This can happen when a master doesn't have the correct hostname; it's not an issue in the absence of replicas. The symptoms you see are:

• A user can't log in to some systems
• The /Library/Logs/PasswordService/ApplePasswordServer.Server.log on the relevant password server contains this message:
  
  Dec 5 2005 14:28:26 AUTH2: {0x4322345c67952fc40000016800000685, user1} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).

When you create or set users passwords, the SASLRealm for that password server is used to create the DIGEST-MD5 hashes. This password will work on all password servers that also have the same SASLRealm setting. They will not work on password servers with a different SASLRealm setting. Note: other authentication methods will work.

Applications that use DIGEST-MD5 are LoginWindow, and SSH when Kerberos is not used.

To resolve the issue:

1. Using your text editor of choice, set the SASLRealm in the file /Library/Preferences/com.apple.passwordserver.plist to be the same on each of the master and replicas. Normally you should use the fully qualified domain name (FQDN) of the master in place of "example.apple.com":
   

       <key>SASLRealm</key>    <string>example.apple.com</string>

   If the file does not have an SASLRealm entry add one before the </dict>.
   
   
2. Restart the PasswordService using this command:
   
   

   killall PasswordService

3. Reset the all the passwords that don't work.

Methods for testing passwords

You should test an affected user account with both of these commands. Run them on the master and the replicas.

To test for DIGEST-MD5 authentication:

dirt -u <username> -p <password>

If this works, the last line will be "Success". To test another method, SMB-NT:

dirt -a nt --u <username> -p <password>

If this works, the last line will be "Good".

If the first test says the password is incorrect and the second one works, then the user needs a password reset.

Setting passwords

You can use Workgroup Manager or this command to set the passwords. This command will work even if the domain admin is having issues and Workgroup Manager can't:

pwpolicy -a diradmin -p <diradmin's password> -u  <user account> -setpassword <password>