As I’ve written before, Open Directory on Mac OS X doesn’t like it when DNS is messed up. It requires forward and reverse DNS to point to the same place. Our Open Directory server was running fine, but today we moved DNS to a different machine.
I was unable to authenticate using LDAP and saw an error in the LDAP log:
Miscellaneous failure No principal in keytab matches desired name.
After a little searching, I came across a blog entry mentioning this and talking about DNS. While it wasn’t exactly what I had, it made me do a little poking at my system. Turns out that I created 3 A records for the LDAP server, which created a reverse DNS entry for the server. The problem is that the forward DNS entry didn’t match the reverse DNS entry. I changed 2 of the A records to CNAME records, restarted the LDAP server and the problem went away.
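The forward/reverse check that would have caught this, as an added example that is not part of the original post: it models the broken zone (three A records for one address, one PTR) and the fixed zone (two of them turned into CNAMEs) as constructed dictionaries, follows CNAMEs to the canonical name and requires the PTR to point back at exactly that name. The names and the 192.0.2.10 address are made up for illustration; `live_zone` builds the same structure from the system resolver and needs network access.

```python
import socket
# Constructed sample zones (not from the post). BEFORE mirrors the broken
# state: three A records for one address, so the one PTR matches only one name.
BEFORE = {
    "A": {"ldap.example.com": "192.0.2.10", "od.example.com": "192.0.2.10",
          "files.example.com": "192.0.2.10"},
    "CNAME": {},
    "PTR": {"192.0.2.10": "od.example.com"},
}
# AFTER mirrors the fix: two names become CNAMEs of the name the PTR returns.
AFTER = {
    "A": {"od.example.com": "192.0.2.10"},
    "CNAME": {"ldap.example.com": "od.example.com", "files.example.com": "od.example.com"},
    "PTR": {"192.0.2.10": "od.example.com"},
}
def canonical(zone, name, max_hops=8):
    """Follow CNAMEs to the canonical name; that is what the PTR must equal."""
    hops = 0
    while name in zone["CNAME"]:
        name = zone["CNAME"][name]
        hops += 1
        if hops > max_hops:
            raise ValueError("CNAME loop at %s" % name)
    return name
def check(zone, name):
    """Forward-resolve name, reverse-resolve the address, compare the two."""
    cname = canonical(zone, name)
    ip = zone["A"].get(cname)
    if ip is None:
        return False, "%s: no A record for %s" % (name, cname)
    ptr = zone["PTR"].get(ip)
    if ptr is None:
        return False, "%s: no PTR record for %s" % (name, ip)
    if ptr != cname:
        return False, "%s: %s reverses to %s, not %s" % (name, ip, ptr, cname)
    return True, "%s -> %s -> %s -> %s" % (name, cname, ip, ptr)
def audit(zone):
    """Map every name in the zone to whether its forward and reverse agree."""
    return {n: check(zone, n)[0] for n in list(zone["A"]) + list(zone["CNAME"])}
def live_zone(hostname):
    """Same zone shape from the system resolver (needs network; first address only)."""
    cname, _aliases, ips = socket.gethostbyname_ex(hostname)
    zone = {"A": {cname: ips[0]}, "CNAME": {}, "PTR": {}}
    if cname != hostname:
        zone["CNAME"][hostname] = cname
    for ip in ips:
        zone["PTR"][ip] = socket.gethostbyaddr(ip)[0]
    return zone
```

Running `audit(BEFORE)` flags the two names whose address reverses to a different name, which is the mismatch the post describes; `audit(AFTER)` passes for all three, and `audit(live_zone("your.server.name"))` applies the same test to a real host.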
I wonder if there is another cause for this problem or if the authors of the software just didn’t bother to put in a useful error message. It’s easy to ignore putting in useful error messages when writing code, but when Apple decides to use open source software and slap a GUI on it, they should try to make the error messages more useful. Again, I’m complaining about slapping a GUI on command line applications. If I wasn’t persistent and didn’t know how to troubleshoot UNIX, I’d never be able to run a Mac OS X server.