Problems logging in to Snow Leopard domain after install OS X Lion

By Matthew Savage

TL;DR

Just installed Lion and can’t log in? Boot into recovery, open terminal, enter resetpassword, reset root password, reboot, login as root, rebind to Open Directory, reboot, profit :)

The Long Story

I received a phone call on Friday from someone who made the decision to update to OS X Lion, and ran into a huge problem – unable to log into the computer… at all. In normal circumstances this wouldn’t be an issue, I would just have the user log in with a local account, however as this was a system which was bound to an Open Directory server on an OS X Snow Leopard server, and during the setup a local-only account was not setup.

When I looked into the issue there was some errors popping up in the Open Directory password service, mainly:

'username' DIGEST-MD5 authentication failed, SASL error -13

Now, this to me normally indicates there’s an issue between the client computer and the server with the Kerberos authentication, i.e. possibly an issue with the shared secret or similar – especially considering that the users password hadn’t changed, and the user was able to log into another machine without any issues.

Now, the solution, was actually somewhat simple. OS X Lion now sets up a Recovery Partition which you can access by booting while holding Command + R, or holding down the Option key and choosing the Recovery HD from the options.

Once you have booted into the Recovery Partition there is a menu titled Utilities - click that and choose Terminal, which will bring up the lovely world of the OS X Terminal, and thankfully there is one single command you need to enter: resetpassword

Entering this magical command will bring up a dialog asking you to choose which account you want to reset the password for – choose the root account, and then enter a password of your choosing, then simply reboot your computer.

Once you have rebooted you can then login as the root user, by selecting ‘other user’ and typing in the username and password – now you are logged in as an administrator account which will allow for you to recovery your login (hint: rename your account, including the login, maybe back up your data, then kind of create a new account and move the data back).

If your issue relates to the binding with Open Directory the solution is quite straight forward – in System Preferences, under Users & Accounts/Login Options edit the Open Directory bindings and remove your current one, then re-join the directory (you may want to remove the machine account from the directory in between these two steps). Once done simply reboot and you should be able to log in to your account again – woo hoo!

Good luck!

Footnote: this probably doesn’t need to be said, but don’t forget to back up your system before installing Lion – it will save you a world of trouble and panic.

This entry was written by Matthew Savage, posted on July 24, 2011 at 9:20 pm, filed under Development, General, IT Consulting, User Experience and tagged , , , . Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.
  • Tuttle

    Thanks for the help! Here’s another hint for those poking around in Lion LDAP;

    If you were forcing local home directories by specifying “#/Users/$uid$” for the NFSHomeDirectory, this no longer seems to work with Lion clients authenticating to Snow Leopard Server. However, using the stock “From Server” settings and then creating a Mobile User still works and has the same end effect (of creating a local Home folder).