The Adventures of Systems Boy!

Confessions of a Mac SysAdmin...

"Disable Clear Text Passwords" Breaks Randomly

Typically, when you set up a Mac client to bind to a Mac server using Directory Access, there is one lone entry in the Security settings that is checked by default, and that is the "Disable clear text passwords" setting. This seems like a prudent default, and I always leave it checked. What it actually does is stop the LDAPv3 plugin from doing a simple bind (which would put the password on the wire in the clear); with the box ticked the client must authenticate with one of the SASL mechanisms the server advertises, such as CRAM-MD5 or Kerberos (GSSAPI), and server and client are set up to negotiate that out of the box. Indeed, most of the time this does not present any sort of problem whatsoever.

But every now and then, for no reason I can pin down, Mac clients will suddenly and mysteriously be unable to authenticate to my Master Authentication Server. Seriously, nothing's changed. Just all of a sudden, Macs can't authenticate. The solution? Un-tick that "Disable clear text passwords" box under the LDAPv3 server configuration's Security tab. Next thing you know, everything's right as rain. Bear in mind, though, that this workaround gives up exactly what the box was protecting: with it un-ticked the client can fall back to a simple bind, so unless the LDAP session is over SSL the password can cross the network in the clear.
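Since the ticked box forces a SASL bind, the first thing to check when it breaks is what the server is actually advertising in its rootDSE. The script below is an added example and not part of the original post: it pulls supportedSASLMechanisms with the OpenLDAP tools that ship with Mac OS X, decides whether a non-clear-text bind is even possible, and ships with two constructed LDIF samples so it can be run with no server at all. The host name is whatever you pass on the command line (hypothetical); the mechanism names it looks for are the usual ones, not a list taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the OpenLDAP
# command-line tools (ldapsearch, ldapwhoami) shipped with Mac OS X.
# Usage: sh sasl_check.sh [ldap.server.hostname]

# Read a rootDSE LDIF dump on stdin and print the advertised SASL
# mechanisms, space separated, on one line (empty line if none).
sasl_mechs_from_ldif() {
    awk '/^supportedSASLMechanisms:/ {
             sub(/^supportedSASLMechanisms: */, "")
             m = m (m ? " " : "") $0
         }
         END { print m }'
}

# Exit 0 if the LDIF on stdin advertises a mechanism that keeps the
# password off the wire (CRAM-MD5, DIGEST-MD5, Kerberos via GSSAPI),
# which is what a client with "Disable clear text passwords" ticked
# needs; exit 1 if the only options would send the password in clear.
non_cleartext_bind_possible() {
    for mech in $(sasl_mechs_from_ldif); do
        case "$mech" in
            CRAM-MD5|DIGEST-MD5|GSSAPI) return 0 ;;
        esac
    done
    return 1
}

# Anonymous base-scope search of the rootDSE; no password is sent.
fetch_root_dse() {
    ldapsearch -x -LLL -H "ldap://$1" -b "" -s base supportedSASLMechanisms
}

# Constructed sample: what a healthy Open Directory master might return.
SAMPLE_HEALTHY='dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI'

# Constructed sample: a server advertising nothing usable. A client with
# the box ticked has no way to bind here except clear text, which it refuses.
SAMPLE_BROKEN='dn:
supportedSASLMechanisms: PLAIN'

if [ -n "$1" ]; then
    if fetch_root_dse "$1" | non_cleartext_bind_possible; then
        echo "$1: SASL bind possible; verify with: ldapwhoami -H ldap://$1 -Y CRAM-MD5 -U <shortname>"
    else
        echo "$1: no non-clear-text mechanism advertised; 'Disable clear text passwords' cannot work here"
    fi
else
    printf '%s\n' "$SAMPLE_HEALTHY" | non_cleartext_bind_possible \
        && echo "sample healthy server: SASL bind possible"
    printf '%s\n' "$SAMPLE_BROKEN" | non_cleartext_bind_possible \
        || echo "sample broken server: only clear text available"
fi
```

If the rootDSE looks fine but a GSSAPI bind is what the client picks, remember that Kerberos rejects tickets when client and server clocks drift beyond the default five-minute tolerance, so compare clocks before blaming the setting.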

Screenshot: Directory Access, LDAPv3 -> Select Configuration -> Edit, Security tab. Caption: "How in Hell Does this Break?"

Seriously, can anyone tell me what I'm doing wrong? 'Cause frankly, it's annoying.



3:28 PM

I've seen the same thing...quite weird indeed. No explanation here. I've also run into a [possibly] related issue where clients fail to unbind from a server (saying they can't contact the server) if you don't have "require clients to bind to directory" checked. Requiring clients to bind, I've never had an issue of a client unbinding from the directory.

*shrug*


-KM    



6:16 AM

We've seen the same issue with the clear text passwords setting. It was so bad and consistently not working here that we had to just default to disabling (unchecking) it.

Anybody who can suggest a solution to this will get a big box of donuts from me...



8:31 AM

Me three    



11:05 AM

Never seen the failure to unbind problem. And I'm near-positive we don't require binding, though we DO bind our clients.

Anyway, good to know I'm not alone on this. If I figure out what's going on or it gets fixed I'll do a follow-up.

Thanks, all!

-systemsboy    



10:47 AM

Exactly the same problem here, I'm looking after around 60 Mac clients and randomly they will just refuse to work. Went round them all and did what was suggested here and it all works fine!    



8:35 AM

Awesome! I mean, not that your computers stopped working properly, but that I was able to help you out. Looks like this is a fairly common bug. Thanks for letting me know.

-systemsboy    



12:09 AM

In the past I've had this problem and it happened when the clock on the client was too different from the clock on the server, so fixing the clock and waiting an hour (see your system.log LDAP error messages) made it work. Kerberos depends on matching clocks.

But, today, this is broken for me again and all the clocks are in sync. Booting the server off a disk image made a week ago when everything was happy doesn't help, so it must be on the client side...    



8:34 AM

familysysadmin,

Interesting... I did check the clock, though. All my machines sync to the same NTP server, so that shouldn't be the problem.

Good to know it's a client-side problem, though. That could be useful in hunting down the trigger.

I, for one, am miffed. Yes... Miffed...

Thanks for the info.

-systemsboy    


