10.4.6 Server & Active Directory – losing connection

  • #366120
    corpo
    Participant

    I’m attempting to integrate a brand new Xserve g5 into a 100% windows server environment. This is not my network – so I have very limited access to an admin password for Active Directory. I’ve seen several descriptions of people with this problem on this forum, but none of the answers have helped me. My setup is as follows:

    The only two services running on the machine are AFP and SMB – we want to configure the machine to do all of its authentication via Active Directory – I have Open Directory set to “Connected to a Directory System” and the windows role is “Domain Member”. As far as I can tell, Directory Access is configured properly; immediately after we bind to active directory – users on both Macs and PCs can connect and authenticate happily (we are not using Kerberos for client authentication). After about a day, nobody can authenticate with AD usernames (the one local account works fine) – the logs do not indicate any failure anywhere (I’ve looked at them all), except that all of a sudden, the authentication starts failing with NT_STATUS_NO_SUCH_USER. (I posted the relevant section from the log at the bottom).

    Now, as I understand it, the process of binding to Active Directory involves some flavor of Kerberos authentication between the xserve and the AD server. As I understand it, Kerberos can be sensitive to system time discrepancies between two machines. So, once I learned this, I found that the clock on the server was not set to sync with a network time server, and that it was, in fact about 6 minutes off; I set the clock to sync with Apple’s servers. I did this today, a Saturday, and therefore cannot rebind the machine to AD until Monday (we were not given even temporary admin access to get this working, hence, every time we need the password, we have to ask someone to type it in for us). The catch is – if it unbinds itself again after we leave on Monday – we stand a fair chance of losing them as a client, and sucking up the cost of the brand new xserve we sold them (we’ve been struggling with this for a while now). That’s a little dramatic, we may end up switching them over to local auth on the box – but it’s got to support about 40 users – so it would be a pain to maintain.

    My question is, would a time discrepancy cause this random unbinding? Where else can I look? I have enabled debug mode on the DirectoryService process – so that if it does unbind itself again after we bind it, I can get a better idea of what’s going on. At the moment, it’s periodically attempting to connect to the AD server and returning a “No connectivity …..” message, but that doesn’t really tell me anything. Any light you can shed on this topic would be greatly appreciated.

    excerpt from log.smbd:

    sesssetup.c:reply_sesssetup_and_X_spnego(620)
      NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
    [2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/libsmb/ntlmssp.c:ntlmssp_server_auth(615)
      Got user=[jsmith] domain=[ADDOM] workstation=[PC4090] len1=24 len2=24
    [2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/auth/auth.c:check_ntlm_password(266)
      check_ntlm_password:  Checking password for unmapped user [ADDOM]\[jsmith]@[PC4090] with the new password interface
    [2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/auth/auth.c:check_ntlm_password(269)
      check_ntlm_password:  mapped user is: [ADDOM]\[jsmith]@[PC4090]
    [2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/libsmb/namequery_dc.c:rpc_dc_name(145)
      rpc_dc_name: Returning DC TAN (10.1.1.32) for domain ADDOM
    [2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/libsmb/cliconnect.c:cli_start_connection(1382)
      Connecting to host=TAN
    [2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/lib/util_sock.c:open_socket_out(768)
      Connecting to 10.1.1.32 at port 445
    [2006/05/05 08:47:23, 3] /SourceCache/samba/samba-92.19/samba/source/auth/auth_util.c:make_server_info_info3(1131)
      User sschwart does not exist, trying to add it
    [2006/05/05 08:47:24, 0] /SourceCache/samba/samba-92.19/samba/source/auth/auth_util.c:make_server_info_info3(1138)
      make_server_info_info3: pdb_init_sam failed!
    [2006/05/05 08:47:24, 2] /SourceCache/samba/samba-92.19/samba/source/auth/auth.c:check_ntlm_password(367)
      check_ntlm_password:  Authentication for user [jsmith] -> [jsmith] FAILED with error NT_STATUS_NO_SUCH_USER
    
    #366195
    corpo
    Participant

    Further investigation leads me to believe that the trust relationship between the XServe and the AD controller does not rely on Kerberos, but rather some proprietary Microsoft credential system. The problem with the Xserve losing its binding with AD seems to be caused by the fact that the AD controller requires a periodic password change for the machine accounts – which is not supported by the ADPlugin in Tiger. Does anyone know if there’s a way to use Kerberos for this trust mechanism, rather than the Microsoft trust credential system?

    #366202
    corpo
    Participant

    When it’s bound to AD, there are no Kerberos credentials/tickets according to klist or the Kerberos app in /System/Library/CoreServices – which is what caused me to make that assumption. Presumably, if there were a Kerberos trust relationship, wouldn’t I be able to see the ticket with those utilities?

    #366206
    corpo
    Participant

    Ah, well, that explains it then – is there any way to get information on the DirectoryService credentials?

    Thanks.

    #366208
    AMSR
    Participant

    When you bind your Mac to AD, it requires the time to be in sync with the AD server, not only that it’s the right time. So you might try putting in the address of the domain controller (usually the one hosting the GC) and their DNS root as the NTP server. Typically people run NTP on their DNS servers, but only they can give you this info. I mention this because if time.apple.com is not what they are syncing their AD domain to, you may still have problems.

    The AD plugin uses Kerberos to bind, even if your file sharing users aren’t intended to use Kerberos to connect. When you initiate a bind, AD creates a shared secret between the domain and your server called a “principal” and this is a Kerberos thing. This shared secret between your server and the domain is secured with a “machine password” just as user accounts are secured with a “user password”. If this shared secret gets broken (such as the machine password is changed), your server will be unable to talk to AD anymore. AD requires all computers that talk to it to have a valid machine account (thus valid machine passwords).

    On a more practical note, I’d try to see if they can put your server’s computer object in an OU that doesn’t have a policy applied to it to change the machine password on a periodic basis. Your other alternative is to have your client use the ADmitmac AD plugin, which will get you this functionality.
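As an added illustration (not code from the thread, Apple, or ADmitmac), the two checks this answer describes can be scripted: spotting the log.smbd signature of a lost binding, where the DC still answers but the domain user can no longer be mapped locally, and testing whether the server/DC clock offset is inside the 5-minute tolerance Kerberos applies by default. The sample log is constructed in the format quoted above; user and host names are placeholders.

```python
import re

# log.smbd layout as quoted in the thread: a header line
# "[YYYY/MM/DD HH:MM:SS, level] source-path:function(line)" followed by an indented message.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
FAIL_RE = re.compile(r"Authentication for user \[([^\]]+)\] -> \[[^\]]+\] FAILED with error (NT_STATUS_\w+)")
MISSING_RE = re.compile(r"User (\S+) does not exist, trying to add it")
PDB_FAIL = "pdb_init_sam failed"

# Kerberos default maximum tolerated clock difference is 5 minutes (MIT clockskew and the
# Windows domain default are both 300 s); the 6-minute offset in the thread exceeds it.
MAX_CLOCK_SKEW_SECONDS = 300

# Constructed sample log in the quoted format (placeholder names, not real data).
SAMPLE_LOG = """\
[2006/05/05 08:47:23, 3] /SourceCache/samba/samba-92.19/samba/source/auth/auth_util.c:make_server_info_info3(1131)
  User jsmith does not exist, trying to add it
[2006/05/05 08:47:24, 0] /SourceCache/samba/samba-92.19/samba/source/auth/auth_util.c:make_server_info_info3(1138)
  make_server_info_info3: pdb_init_sam failed!
[2006/05/05 08:47:24, 2] /SourceCache/samba/samba-92.19/samba/source/auth/auth.c:check_ntlm_password(367)
  check_ntlm_password:  Authentication for user [jsmith] -> [jsmith] FAILED with error NT_STATUS_NO_SUCH_USER
"""

def parse_smbd_log(text):
    """Yield (timestamp, level, location, message) tuples, pairing each header with its message."""
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            header = (m.group(1), int(m.group(2)), m.group(3))
        elif header and line.strip():
            yield (*header, line.strip())
            header = None

def find_lost_bind_symptoms(text):
    """Flag NO_SUCH_USER failures preceded by the 'does not exist' + 'pdb_init_sam failed' pair,
    i.e. the DC was reached but the server could not map the domain user (broken machine binding)."""
    symptoms, missing_user, pdb_failed = [], None, False
    for ts, _level, _loc, msg in parse_smbd_log(text):
        if (mm := MISSING_RE.search(msg)):
            missing_user = mm.group(1)
        elif PDB_FAIL in msg:
            pdb_failed = True
        elif (fm := FAIL_RE.search(msg)):
            symptoms.append({"time": ts, "user": fm.group(1), "status": fm.group(2),
                             "lookup_failed": missing_user == fm.group(1) and pdb_failed})
            missing_user, pdb_failed = None, False
    return symptoms

def clock_skew_ok(offset_seconds):
    """True when the server/DC clock offset is within what Kerberos tolerates by default."""
    return abs(offset_seconds) <= MAX_CLOCK_SKEW_SECONDS
```

Run it over a real log.smbd and compare the first flagged timestamp with when the binding was last known good; a gap of roughly the domain's machine-password rotation interval supports the OU-policy explanation above.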
