AFP548 Community (Open Mike): After applying 10.4.7 Server update, single sign-on stops working on OD Rep

Viewing 5 posts - 1 through 5 (of 5 total)
  • #366535
    emulator_mac
    Participant

    Hi All…

    Well, I’m fresh off the AFP won’t start bug in 10.4.6. Now that this bug is fixed in 10.4.7, we have a new problem. It appears that on our OD Replica, single sign-on doesn’t work for AFP mounts through the Apple-K method (user home directories work just fine). If a user wishes to mount an AFP share using Apple-K, he/she must re-authenticate a second time. What’s more, the user MUST use his/her SHORT name to authenticate, or else the server rejects the attempt.
    We tried demoting the OD Replica and then re-promoting it, but this did not solve the issue. The logon issue appears to affect 10.3 and 10.4 clients.

    I believe that this might be a problem with the kerberized AFP (that is, it’s not kerberized but should be). Any ideas on how to fix this?

    #366550
    Anonymous
    Guest

    I spent the weekend trying to troubleshoot this issue. I opened a case with AppleCare, and together, we found some interesting information. Kerberos/single sign-on/promotion to OD Master from Standalone server does NOT work under 10.4.7 Server if DNS is not set up and running on the 10.4.7 Server itself. For example, our DNS is running on a Windows Server platform. When pointing the OS X Server to the Windows servers for DNS, the Mac Kerberos services refused to work. When installing DNS on the Mac server and pointing it to itself for DNS resolution, things worked fine.

    On a side note, I had to completely re-set up two Mac servers from scratch after trying to promote either one to an OD Master/Kerberos/single sign-on. Something got VERY corrupted in there.

    We never saw this behavior under any other 10.4.x build or 10.3.x build. This appears to have started in 10.4.7.

    #366554
    rotofo
    Participant

    [QUOTE][u]Quote by: SOLUTION!!![/u]

    I opened a case with AppleCare, and together, we found some interesting information. Kerberos/single sign-on/promotion to OD Master from Standalone server does NOT work under 10.4.7 Server if DNS is not set up and running on the 10.4.7 Server itself.

    [/QUOTE]

    I can’t explain your case, but I had no problem with Kerberos/single sign-on/promotion to OD Master on a clean 10.4.7 server using a Windows 2003 server only for DNS. I tested SSO extensively with all the services. Obviously a key is having the server in whatever DNS is used before promotion, but I imagine you had considered that.

    #366880
    andrina
    Participant

    Did you try the following on your server when it was misbehaving?
    [code]mkpassdb -kerberize[/code]

    #367009
    nigelkersten
    Participant

    I’m not sure if this is related or not, but I found when deploying 10.4.7 Universal that I couldn’t just create a clean install on the same hardware and pull down the existing Kerberos service principals from the machine record.

    Services just wouldn’t work correctly, no matter how I joined the Kerberos domain, and I just had to trash the server machine records, generate new service principals and pull those new ones down to the freshly installed servers.

    As another data point, I’ve set up several Kerberos environments from scratch with 10.4.7 where the OD Master is not the DNS server. I’d be surprised to see such a specific bug… as a good DNS config is usually a good DNS config, no matter the platform it’s come from…
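Both rotofo and nigelkersten make the same point: Kerberos works with DNS on any platform as long as the server's records are right before promotion. The script below is an added example (not code from this thread or from Apple) of the pre-flight check a practitioner would run before promoting an OS X Server to an OD Master. The hostname, realm, addresses and zone records in it are constructed for illustration; the resolver callables are injectable so the check can be exercised offline against those constructed records, and with no arguments it uses the system resolver.

```python
"""Pre-flight DNS check before promoting an OS X Server to an OD Master.

Kerberos service principals are derived from the server's fully-qualified
hostname (for example afpserver/od1.example.com@EXAMPLE.COM), so the forward
record and the PTR record for every address must agree, whichever platform
serves the zone. Names, realm and addresses below are constructed examples.
"""
import socket

# Illustrative set of per-host service principals (assumption: afpserver/ and
# host/ are the ones Apple-K AFP mounts rely on; ldap/ is included for the OD
# master itself).
SERVICES = ("afpserver", "host", "ldap")


def system_forward(name):
    """IPv4 addresses the system resolver returns for name."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def system_reverse(ip):
    """PTR name the system resolver returns for ip (raises OSError if none)."""
    return socket.gethostbyaddr(ip)[0]


def check_kerberos_dns(fqdn, realm, forward=system_forward, reverse=system_reverse):
    """Return {'ok': bool, 'problems': [str], 'principals': [str]}.

    forward(name) -> list of IP strings; reverse(ip) -> hostname.
    Both may raise OSError on resolver failure.
    """
    problems = []
    name = fqdn.rstrip(".").lower()

    if "." not in name:
        problems.append(f"'{fqdn}' is not fully qualified; set the host name to its FQDN first")
    if realm != realm.upper():
        problems.append(f"realm '{realm}' is not upper-case; Kerberos realms are case-sensitive")

    try:
        addrs = forward(name)
    except OSError as exc:
        problems.append(f"forward lookup of {name} failed: {exc}")
        addrs = []
    else:
        if not addrs:
            problems.append(f"no A record for {name}")

    # Every address the name resolves to must map back to exactly that name.
    for ip in addrs:
        try:
            ptr = reverse(ip).rstrip(".").lower()
        except OSError:
            problems.append(f"no PTR record for {ip}")
            continue
        if ptr != name:
            problems.append(f"PTR for {ip} is '{ptr}', expected '{name}'")

    principals = [f"{svc}/{name}@{realm}" for svc in SERVICES]
    return {"ok": not problems, "problems": problems, "principals": principals}


if __name__ == "__main__":
    # Constructed zone data standing in for records held on a Windows DNS server.
    zone_a = {"od1.example.com": ["10.0.0.5"]}
    zone_ptr = {"10.0.0.5": "od1.example.com"}

    def fake_reverse(ip):
        try:
            return zone_ptr[ip]
        except KeyError:
            raise OSError(f"no PTR for {ip}")

    result = check_kerberos_dns("od1.example.com", "EXAMPLE.COM",
                                forward=lambda n: zone_a.get(n, []),
                                reverse=fake_reverse)
    print("OK" if result["ok"] else "PROBLEMS:")
    for p in result["problems"]:
        print("  -", p)
    for princ in result["principals"]:
        print("  principal:", princ)
```

Run it as-is to see the constructed good case, or call `check_kerberos_dns("<your fqdn>", "<YOUR.REALM>")` on the server to use the real resolver. If it reports a PTR mismatch, fix the zone (on whatever platform hosts it) before `slapconfig` promotion rather than after; once promoted, `klist -k` on the server should list an `afpserver/<fqdn>@<REALM>` entry, which is what a client's Apple-K mount needs to authenticate with its ticket instead of prompting again.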
