10.4.8 Server, AD, wrong or non existing Kerberos principals

  • #367576
    s_groening
    Participant

    Hi,

    I have an Xserve G5 OD Master with an Xserve RAID that serves home directories to our Mac users.

    Also I have an AD domain running DHCP, DNS and Kerberos for both Macs and PCs.

    Every Mac is correctly bound to the AD and SSO works from the clients to the Windows W2K3 Servers via SMB and to the Xserve via AFP, but incoming SMB for the Xserve does not work at all… The Xserve is an AD member server using Kerberos for login. All of this has been trivial until this autumn. Prior to that, everything worked like a charm on 10.3.9.

    I have no log files to back this up, but I’m pretty sure the Kerberos principals for the Xserve are screwed on the W2K3 Server, since the afpserver/[email protected] is working correctly whereas SMB connections receive a ticket named like this: [email protected] which looks very much like a ticket for a machine account and not as much like a service principal ticket (unlike AFP).

    Now, has anyone had this kind of behavior with a similar setup? dsconfigad -enablesso does not fix anything… My best guess is that I’ll need to recreate Kerberos principals on the W2K3 Server for the SMB service on the Xserve and export a new Kerberos keytab to the Xserve and see if that works…

    Perhaps anyone has some insight to share 🙂

    Best regards,

    Søren Grønning

    #367677
    jdyck
    Participant

    Just browsing by trying to find an answer to a problem I have, but figured I’d offer you one tidbit I’ve found has helped me…

    Have you tried forcing the SSO config… Go into terminal on your OS X Server and enter:

    sudo dsconfigad -enablesso

    Hope it helps.

    Jeff

    #367800
    s_groening
    Participant

    Yes I do run 10.4.8 and yes I did the ‘dsconfigad -enablesso’ bit as root before Kerberized SSO started working and I DID place the AD domain at the top of the list in Directory Access’ ‘Authentication’ tab.

    I have bound and unbound the server from the AD and set up SSO repeatedly with the same results every time…

    The service principals seem screwed up somehow…

    I fear that I’ll have to manually create users and principals on the AD server for my Mac OS X servers (we do have the exact same problem with two servers), collect and combine those to new keytabs, the problem being that I have no administrative rights over the AD servers…

    //Søren
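    A quick way to test the suspicion raised in the first and third posts (that the SMB service principal for the Xserve is missing from the keytab while the AFP one is fine) is to list the keytab and check for the expected principals. This is an added example, not code from the thread; `check_keytab_principals`, the host `xserve.example.com`, the realm `EXAMPLE.COM` and the sample listing are all constructed here, and it assumes SMB SSO needs a `cifs/` (or `host/`) principal for the server’s FQDN alongside the `afpserver/` one the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread): check a keytab listing for the
# service principals an AD-bound Mac OS X Server needs for AFP and SMB SSO.
# Usage on a live server (assumed): sudo klist -k -t /etc/krb5.keytab | check_keytab_principals "$(hostname)" REALM

# check_keytab_principals FQDN REALM  (keytab listing on stdin)
# Prints any missing principals; returns 0 if all present, 1 otherwise.
check_keytab_principals() {
    fqdn="$1"; realm="$2"
    listing=$(cat)
    missing=""
    # afpserver/ is what the thread shows working; cifs/ and host/ are the
    # names SMB clients look up (assumption, see lead-in).
    for svc in afpserver cifs host; do
        want="$svc/$fqdn@$realm"
        if ! printf '%s\n' "$listing" | grep -q -F "$want"; then
            missing="$missing $want"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing principals:$missing"
        return 1
    fi
    echo "all service principals present for $fqdn@$realm"
    return 0
}

# Constructed sample keytab listing: afpserver/ and host/ are present, the
# machine account key is there, but cifs/ is deliberately absent.
SAMPLE_KEYTAB=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------
   3 11/21/06 10:12:03 afpserver/xserve.example.com@EXAMPLE.COM
   3 11/21/06 10:12:03 host/xserve.example.com@EXAMPLE.COM
   3 11/21/06 10:12:03 XSERVE$@EXAMPLE.COM
EOF
)

# Demo against the constructed sample; reports the missing cifs/ principal.
printf '%s\n' "$SAMPLE_KEYTAB" | check_keytab_principals xserve.example.com EXAMPLE.COM || :
```

If `cifs/` is reported missing on a real server, that matches the symptom in the thread: the client falls back to a ticket that is not the SMB service principal, so the server cannot validate it.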

    #368359
    Tarny
    Participant

    Well, I just visited a customer today and I’m seeing symptoms as described above. There are some things that I didn’t set up myself such as the “Connected To” server and the Active Directory server in our scheme was set up before I arrived. The OpenDirectory Master I did set up.

    Same symptoms:
    1) Mac OS X Clients allow users in the AD to log in at the login window
    a) correctly receive the Kerberos TGT
    b) home folders are fine with AFP (automount records are in the OpenDirectory Master, the Connected To server is operating just fine as a Kerberized AFP file server using the AD KDC)
    2) From a Mac OS X Client we can “Connect to Server” to one of the AD file servers and it works seamlessly as a SSO environment.
    a) I did forget to Set “Microsoft Network Server: Digitally sign communications (always):” to DISABLED at first, but quickly remembered it.
    b) The ticket I receive from the AD file server is similar to the [email protected]
    3) From a Mac OS X Client we can also “Connect to Server” to the “Connected To” AFP file server to other share points seamlessly.
    4) When trying to connect from either a Mac OS X Client or Windows XP client to the “Connected To” SMB file server (same server as the AFP file server) we receive a ticket as in 2b above but the user isn’t authenticated. We are seeing error messages in the Windows smb log that sort of indicate a bad password. (Sorry I can’t post the log messages from here, I don’t have access to the logs at this minute.)

    I feel I’ve overlooked something basic.

    T.

    #368362
    Tarny
    Participant

    Yep, I WAS overlooking something obvious. When using SMB/CIFS protocols, the ONLY type of KDC Mac OS X supports for single sign on is an Active Directory KDC. Doh! I feel silly for forgetting that.

    When I tested with Windows XP clients at first there were connection problems. A simple unbinding of the Mac OS X “connected to” server and a careful removal of the following files:
    /etc/krb5.keytab
    /Library/Preferences/edu.mit.kerberos
    /Library/Preferences/DirectoryService/*

    Then rebind into AD. After that I had to leave the customer site, but the customer tested the XP clients and says that SSO to the OS X Server “Connected To” server is working as expected. I’ll be checking up on them on Friday.

    The moral of the story is that one should test with the appropriate systems.

    😳

    T.
