Kerberos-only Active Directory environment

  • #366707
    ascii021
    Participant

    Has anyone been using Mac OS X clients and applications in a Kerberos-only Active Directory environment, where other types of password authentication (including NTLMv2) have been disabled?
    What are your experiences, regarding what works and doesn’t work? TIA.

    #366733
    thibbs
    Participant

    OK, here’s a question. I have my 10.4.7 Xserve connected through Active Directory as a Domain Member. We only use Kerberos & NTLMv2 to authenticate (we actually just use Kerberos, but the option in the Windows section of Server Admin says "NTLMv2 & Kerberos"). However, MANY times I have Windows users try to connect to the Xserve and it asks them for their username/password. The second that happens I know the connection has failed. Most of the time they can get on with NO interaction required. Once they get that message though, the only solution is to have them log off and log back on. Then it will work. They go to their shortcut which our IT group has set up, click on the drive and have access to what they need.

    When I go and check the Windows log in Server Admin, I see this repeatedly:

    When there’s an error:

    [2006/08/01 18:29:16, 2] auth_ods.c:opendirectory_opendirectory_ntlm_password_check(553)
    opendirectory_ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user psmith
    [2006/08/01 18:29:16, 2] /SourceCache/samba/samba-92.19/samba/source/auth/auth.c:check_ntlm_password(367)
    check_ntlm_password: Authentication for user [psmith] -> [psmith] FAILED with error NT_STATUS_WRONG_PASSWORD

    When it succeeds:
    [2006/08/01 18:43:34, 2] /SourceCache/samba/samba-92.19/samba/source/lib/module.c:do_smb_load_module(63)
    Module ‘/usr/lib/samba/vfs/darwin_acls.so’ loaded
    [2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/service.c:make_connection_snum(648)
    172.16.4.123 (172.16.4.123) connect to service 02 Literature initially as user psmith (uid=1093395257, gid=1233023604) (pid 15183)
    [2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(261)
    Username AD.OURCOMPANY.COM\NO-PSMITH-DT$ is invalid on this system
    [2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(265)
    Lookup trust account via passdb (AD.OURCOMPANY.COM\NO-PSMITH-DT$)
    [2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(271)
    trust account found via passdb fullname(NO-PSMITH-DT)
    [2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(333)
    reply_spnego_kerberos: check_sacl(AD.OURCOMPANY.COM\NO-PSMITH-DT$, smb) failed
    [2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/service.c:make_connection_snum(648)
    172.16.4.123 (172.16.4.123) connect to service 03 Photography initially as user psmith (uid=1093395257, gid=1233023604) (pid 15183)
    [2006/08/01 18:43:35, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(261)
    Username AD.OURCOMPANY.COM\NO-PSMITH-DT$ is invalid on this system
    [2006/08/01 18:43:35, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(265)
    Lookup trust account via passdb (AD.OURCOMPANY.COM\NO-PSMITH-DT$)
    [2006/08/01 18:43:35, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(271)
    trust account found via passdb fullname(NO-PSMITH-DT)

    Okay, so here’s my question: Why does the Xserve think it is being sent NTLMv1 passwords? And why, when it DOES work, does the Windows machine trying to connect send its machine name (no-psmith-dt$ or the longer variant)? Is this our Windows peeps’ problem? Or have I misconfigured something?

    Thoughts? Head scratch? Land in Montana?
    A very irritated graphic designer posing as a mac server admin.
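As an added example (not from this post or from Apple’s Samba), a small Python parser for the two-line smbd log format quoted above: it pairs each header line with its message and counts, per principal, NTLMv1 rejections, NT_STATUS failures, SACL failures on the Kerberos path and successful connects. The sample log is constructed from the entries shown in the post.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^\[([\d/ :]+), (\d+)\] \S+:(\w+)\(\d+\)$")

# Constructed sample in the same two-line format as the log quoted above.
SAMPLE_LOG = r"""
[2006/08/01 18:29:16, 2] auth_ods.c:opendirectory_opendirectory_ntlm_password_check(553)
opendirectory_ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user psmith
[2006/08/01 18:29:16, 2] /SourceCache/samba/samba-92.19/samba/source/auth/auth.c:check_ntlm_password(367)
check_ntlm_password: Authentication for user [psmith] -> [psmith] FAILED with error NT_STATUS_WRONG_PASSWORD
[2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(333)
reply_spnego_kerberos: check_sacl(AD.OURCOMPANY.COM\NO-PSMITH-DT$, smb) failed
[2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/service.c:make_connection_snum(648)
172.16.4.123 (172.16.4.123) connect to service 02 Literature initially as user psmith (uid=1093395257, gid=1233023604) (pid 15183)
"""

# Message patterns mapped to an event name; group 1 is always the principal.
PATTERNS = [
    ("ntlmv1_rejected", re.compile(r"NTLMv1 passwords NOT PERMITTED for user (\S+)")),
    ("auth_failed", re.compile(r"Authentication for user \[(\S+)\] -> \[\S+\] FAILED with error (\S+)")),
    ("sacl_failed", re.compile(r"check_sacl\(([^,]+), smb\) failed")),
    ("connected", re.compile(r"connect to service .+? initially as user (\S+)")),
]

def parse_entries(text):
    """Pair each "[date time, level] source:function(line)" header with the message
    line after it -> [(function, message)]."""
    lines = [l for l in text.splitlines() if l.strip()]
    return [(HEADER.match(lines[i]).group(3), lines[i + 1])
            for i in range(len(lines) - 1)
            if HEADER.match(lines[i]) and not HEADER.match(lines[i + 1])]

def classify(msg):
    """Return (event, principal) for a recognised message, else None."""
    for event, pat in PATTERNS:
        m = pat.search(msg)
        if m:
            if event == "auth_failed":
                event += ":" + m.group(2)   # keep the NT_STATUS code the client saw
            return (event, m.group(1))
    return None

def summarize(text):
    """Per-principal event counts; ntlmv1_rejected means the client never
    presented a Kerberos ticket to this server and fell back to NTLM."""
    counts = defaultdict(lambda: defaultdict(int))
    for _func, msg in parse_entries(text):
        ev = classify(msg)
        if ev:
            counts[ev[1]][ev[0]] += 1
    return {user: dict(evs) for user, evs in counts.items()}
```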

    #366748
    thibbs
    Participant

    Thanks, you two. I’ll get my IT guy involved and see if we can’t figure that out (he’s off until Tuesday next week). I’ll post back then.

    Cheers!

    #366843
    Anonymous
    Guest

    Something new in solving this problem?

    I have the exact same situation here and find nothing that really helps me out …

    //hups

    #366845
    cenaq
    Participant

    Try this after binding your XS to AD:
    sudo dsconfigad -enableSSO
    This changes some stuff in your /etc/smb.conf.

    I hope this helps.

    Cheerio 😮

    //SHU

    #366889
    jaharmi
    Participant

    Well, my thread was hijacked, but thanks for the response.

    If anyone is actually running in an Active Directory that has had other auth types disabled and had experiences with their Macs in that environment (good/bad) I’d like to hear it. I totally understand that the ADPlugin is doing Kerberos, but I’m concerned about the fringe cases.

    #366979
    Anonymous
    Guest

    Nope, Steven.

    sudo dsconfigad -enableSSO did not change the situation.

    The Win2000 ADS doesn’t let me in – is it necessary to implement a principal rule in the Mac OS X 10.4.7 keytab file, generated on the WIN2K SP4 ADS with ktpass, to get the authentication to work?

    Joining the ADS in the Open Directory service was no problem at all – I generated a new user on the WIN2K ADS which I used to bind the Mac OS X as Domain Member without a problem.

    Also the Kerberos join wasn’t the clue, but the authentication at the KDC always failed if a
    WinXP or Win2K client tries to connect to the Mac OS X over SMB.

    The only solution to get on the Mac OS X server is with a local user or guest account activated 🙁 – not really cool.

    The event viewer on the WIN2K ADS always reports a failure that the host macserver does not have the correct key to generate a Kerberos ticket.

    Does anyone know a solution for this problem, or is anyone else stuck in the same trap?

    I’m very thankful for any hint or help you guys can give me.
    If someone needs exact info, please ask what you want to know; I will answer quickly.

    Thanks
    //hups

    #366980
    Anonymous
    Guest

    Additional info
    >>> Manually, with kinit *ADuser*, it is no problem to get a correct Kerberos ticket. I have proved that with klist and also with a test connection to an SMB share on the ADS server.

    The way that a Win client gets an SMB connection to the OS X Samba share didn’t work 🙁
    As I already posted >>> Event Viewer shows a KDC failure with ID 8 and log.samba reports NT_STATUS failures like “failed tcon_X with NT_STATUS_ACCESS_DENIED”

    Hope that info will help – by the way, perhaps it’s only a setting in the ADS but I don’t get it.

    Thanks for any help
    //hups

    #367048
    Anonymous
    Guest

    I too am having the same problem at my university. It’s really trying my patience, especially since it was working when I brought the server up.

    I have unbound from AD, deleted the AD plist file and removed the computer object in AD. Rejoined the server; kinit and klist show authentication to AD works.

    #367068
    Anonymous
    Guest

    Verify that your default_realm in the /Library/Preferences/edu.mit.kerberos file is the same as your AD directory. Mine was set to the local machine.

    How I blew out the AD settings and anything related:

    delete everything in /Library/Preferences/DirectoryService/
    delete or mv Library/Preferences/edu.mit.Kerberos
    cp /etc/smb.conf.template /etc/smb.conf
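One way to check the realm setting the post above describes, as an added example rather than anything from the thread or from Apple: a Python parser for the krb5.conf-style edu.mit.Kerberos file (that format, and the XSERVE.LOCAL and AD.EXAMPLE.COM names, are assumptions) that compares default_realm with the AD realm and confirms the realm has a kdc entry, with the wrong setting shown beside the corrected one.

```python
import re

# Constructed edu.mit.Kerberos text (krb5.conf-style format assumed): default_realm left at the local machine.
BEFORE = """
[libdefaults]
    default_realm = XSERVE.LOCAL
[realms]
    XSERVE.LOCAL = {
        kdc = xserve.local
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }
"""
# Corrected version: default_realm names the AD realm the server is bound to.
AFTER = BEFORE.replace("default_realm = XSERVE.LOCAL", "default_realm = AD.EXAMPLE.COM")

def parse_krb5(text):
    """Minimal parser: {section: {key: value}} with realm stanzas under [realms]
    kept as nested dicts ({"realms": {"AD.EXAMPLE.COM": {"kdc": ...}}})."""
    sections, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                   # new [section]
            section = m.group(1)
            sections.setdefault(section, {})
        elif re.match(r"\S+\s*=\s*\{$", line):  # "REALM = {" opens a stanza
            stanza = line.split("=")[0].strip()
            sections[section][stanza] = {}
        elif line == "}":
            stanza = None
        else:
            key, _, value = line.partition("=")
            target = sections[section][stanza] if stanza else sections[section]
            target[key.strip()] = value.strip()
    return sections

def check_default_realm(text, ad_realm):
    """Return findings; an empty list means the file agrees with the AD realm."""
    cfg = parse_krb5(text)
    findings = []
    default = cfg.get("libdefaults", {}).get("default_realm")
    if default != ad_realm:   # realm names are case-sensitive and AD realms are upper case
        findings.append(f"default_realm is {default!r}, expected {ad_realm!r}")
    if "kdc" not in cfg.get("realms", {}).get(ad_realm, {}):
        findings.append(f"no kdc defined for {ad_realm} under [realms]")
    return findings
```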
