Active Directory Single user login help

  • #368416
    Dsipp
    Participant

    I am a Windows 2003 Admin and have been tasked with integrating 3 Mac 10.4.8 servers into our network. I have read the white paper from this site and have made progress with the AD integration. My issue is that when I sit at my Windows XP workstation and use a UNC path to the Mac server, I still get a login prompt. Looking at the “Windows File Serve Log” on the Mac I see “odssam_getsampwnam:(get_sam_record_attributes dsRecTypeStandard:Users no account for ‘username”!

    In the Terminal on the Mac I can issue the Kinit command and receive a proper output. I type Kinit username and “Enter password for [email protected]” is returned. I enter the correct PW and the command completes with no errors. Klist shows a ticket in cache.

    Workgroup Manager is pulling the domain user and group lists from my AD.
    What have I missed?

    I am a complete newbie here so I am open to all input.

    Dsipp

    #368444
    velo2k77
    Participant

    It looks like your user authentication is working but your Kerberos isn’t fully configured. Did you join your Mac servers to the Kerberos domain? Did you create Kerberos trusts from your Windows 2003 server to your Mac servers?

    You may need to join your Mac servers to the Kerberos domain and create Kerberos trusts from your Win2k3 server to your Mac servers.

    If you bound your Mac clients to the AD domain then they’ll get a Kerberos ticket from the KDC (your Win2k3 server), which will allow them to access kerberized services on the Win2k3 server, but until the Mac servers are joined and trusted to the Kerberos domain the KDC won’t give out tickets to access services on the Mac servers.

    Mac OS will try a Kerberos connection first, then if that fails it will try a standard username/password connection. The same behavior will be exhibited by Windows clients until the Mac servers are trusted by the KDC. Joining the Kerberos and creating Kerberos trusts have to be done separately from just joining the domain for user authentication.

    I am assuming that you’ve given your AD users/groups access to needed network shares on the Mac servers.

    Thanks, Richard
