You can’t assign server administrator privileges, Users can’t access their home directories, Kerberos users can’t authenticate – Apple Mac OS X Server (Administrator’s Guide) User Manual
• If an AFP client prior to version 3.8.3 fails to authenticate, use AFP 2-Way Random
authentication in Password Server for these older clients.
You Can’t Assign Server Administrator Privileges
In order to assign server administrator privileges to a user for a particular server, first log in
to that server in Workgroup Manager.
Users Can’t Access Their Home Directories
Make sure that users have access to the share point in which their home directories are
located and to their home directories. Users need Read access to the share point and Read &
Write access to their home directories.
Mac OS X User in Shared NetInfo Domain Can’t Log In
This problem occurs when a user tries to log in to a Mac OS X computer using an account in
a shared NetInfo domain, but the server hosting the domain isn’t accessible. The user can log
in to the Mac OS X computer by using the local user account created automatically when he
or she set up the computer to use a NetInfo account. The user name is “administrator”
(short name is “admin”) and the password is the NetInfo password.
Kerberos Users Can’t Authenticate
When a user or service that uses Kerberos experiences authentication failures, try these
techniques:
• Kerberos behavior is based on encrypted timestamps. If there’s more than 5 minutes
difference between the KDC, client, and service computers, authentication may fail. Make
sure that the clocks for all computers are synchronized using a network time server.
• If Kerberos is being used, make sure that Kerberos authentication is enabled for the
service in question.
• If a Kerberos server used for password validation is not available, reset the user’s
password to use a server that is available.
• Make sure that the server providing the Kerberized service has access to directory
domains containing accounts for users who are authenticated using Kerberos. One way to
do this is to use a shared directory domain on the KDC server that hosts user records that
correspond to all the user principals.
• Refer to the KDC log (kdc.log) for information that can help you solve problems.
Incorrect setup information such as wrong configuration file names can be detected using
the logs.
• Make sure all your configuration files are complete and correct. For example, make sure
the keytab file on your server has the principals of interest in it.