AD Kerberos working – SSO to AFP not working
I am administering an XServe running OS X Server 10.4.11, bound to our Active Directory domain, and I am trying to get Kerberos single sign-on working against its AFP and SMB services. SSO was working when I inherited the system, but I turned off Kerberos authentication at Apple support’s request while trying to fix major authentication problems caused by the 10.4.11 upgrade and have not been able to get SSO working since. Users can log into the AFP service when authentication is set to Standard, but not when it is set to Kerberos.
What puzzles me is that Kerberos authentication to our Active Directory server seems to be working. I can issue kinit someaduser from a test user Mac and get the appropriate password request, and the Kerberos app shows that the AD user has been granted a krbtgt ticket.
Apple support suggested that there may be duplicate keys in the keytab file and suggested I try the procedure outlined in support #107702. The output from my ktutil is:
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 afpserver/xserve02.nourison.com@NOURISON.COM
2 2 afpserver/xserve02.nourison.com@NOURISON.COM
3 2 afpserver/xserve02.nourison.com@NOURISON.COM
4 2 ftp/xserve02.nourison.com@NOURISON.COM
5 2 ftp/xserve02.nourison.com@NOURISON.COM
6 2 ftp/xserve02.nourison.com@NOURISON.COM
7 2 imap/xserve02.nourison.com@NOURISON.COM
8 2 imap/xserve02.nourison.com@NOURISON.COM
9 2 imap/xserve02.nourison.com@NOURISON.COM
10 2 pop/xserve02.nourison.com@NOURISON.COM
11 2 pop/xserve02.nourison.com@NOURISON.COM
12 2 pop/xserve02.nourison.com@NOURISON.COM
13 2 HTTP/xserve02.nourison.com@NOURISON.COM
14 2 HTTP/xserve02.nourison.com@NOURISON.COM
15 2 HTTP/xserve02.nourison.com@NOURISON.COM
16 2 http/xserve02.nourison.com@NOURISON.COM
17 2 http/xserve02.nourison.com@NOURISON.COM
18 2 http/xserve02.nourison.com@NOURISON.COM
19 2 smtp/xserve02.nourison.com@NOURISON.COM
20 2 smtp/xserve02.nourison.com@NOURISON.COM
21 2 smtp/xserve02.nourison.com@NOURISON.COM
22 2 host/xserve02.nourison.com@NOURISON.COM
23 2 host/xserve02.nourison.com@NOURISON.COM
24 2 host/xserve02.nourison.com@NOURISON.COM
25 2 cifs/xserve02.nourison.com@NOURISON.COM
26 2 cifs/xserve02.nourison.com@NOURISON.COM
27 2 cifs/xserve02.nourison.com@NOURISON.COM
28 2 xmpp/xserve02.nourison.com@NOURISON.COM
29 2 xmpp/xserve02.nourison.com@NOURISON.COM
30 2 xmpp/xserve02.nourison.com@NOURISON.COM
31 2 ipp/xserve02.nourison.com@NOURISON.COM
32 2 ipp/xserve02.nourison.com@NOURISON.COM
33 2 ipp/xserve02.nourison.com@NOURISON.COM
34 2 vpn/xserve02.nourison.com@NOURISON.COM
35 2 vpn/xserve02.nourison.com@NOURISON.COM
36 2 vpn/xserve02.nourison.com@NOURISON.COM
37 2 xgrid/xserve02.nourison.com@NOURISON.COM
38 2 xgrid/xserve02.nourison.com@NOURISON.COM
39 2 xgrid/xserve02.nourison.com@NOURISON.COM
40 2 xserve02$@NOURISON.COM
41 2 xserve02$@NOURISON.COM
42 2 xserve02$@NOURISON.COM
ktutil:
————
So it looks like I do have duplicates. Should I recreate the keytab file as directed, supplying my realm, ldap-admin and password, or are there other troubleshooting steps I should try first?
Many thanks for your help,
–Carney Mimms
Thanks for clearing that up. My instinct was that the ktutil entries were fine, but I didn’t know why.
My real question, though, is what are my troubleshooting steps to determine why Kerberos isn’t working for AFP? Where do I start?
Thanks,
–Carney
Check your clock skew, time zone, and DNS forward and reverse for xserve02.nourison.com.
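Added example, not from the thread or from Apple: a small Python script that parses `ktutil list` output like the listing in the first post and distinguishes the normal case (the same principal and KVNO repeated once per encryption type, which is what three entries per principal usually are) from a real duplicate (same principal, KVNO and enctype twice) or stale key versions (several KVNOs for one principal). The sample listing and its enctype names are constructed; they assume MIT ktutil's `list -e` format.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's listing, plus the enctype
# column that `ktutil list -e` adds (MIT ktutil); enctype names are assumed.
SAMPLE = """\
slot KVNO Principal
---- ---- -----------------------------------------------------------------
   1    2 afpserver/xserve02.nourison.com@NOURISON.COM (DES cbc mode with CRC-32)
   2    2 afpserver/xserve02.nourison.com@NOURISON.COM (DES cbc mode with RSA-MD5)
   3    2 afpserver/xserve02.nourison.com@NOURISON.COM (ArcFour with HMAC/md5)
   4    2 cifs/xserve02.nourison.com@NOURISON.COM (ArcFour with HMAC/md5)
   5    2 cifs/xserve02.nourison.com@NOURISON.COM (ArcFour with HMAC/md5)
   6    1 host/xserve02.nourison.com@NOURISON.COM (ArcFour with HMAC/md5)
   7    2 host/xserve02.nourison.com@NOURISON.COM (ArcFour with HMAC/md5)
"""

# slot, KVNO, principal, then an optional "(enctype)" column from `list -e`
ENTRY = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)(?:\s+\((.+)\))?\s*$")

def parse_ktutil(text):
    """Return (slot, kvno, principal, enctype_or_None) tuples, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m[1]), int(m[2]), m[3], m[4]))
    return entries

def classify(entries):
    """Per principal, say whether repeated slots are normal, stale, or duplicates."""
    by_principal = defaultdict(list)
    for _slot, kvno, principal, enctype in entries:
        by_principal[principal].append((kvno, enctype))
    report = {}
    for principal, keys in by_principal.items():
        findings = []
        if len(keys) > 1 and any(enc is None for _, enc in keys):
            findings.append("ambiguous: rerun `ktutil list -e` to see enctypes")
        elif len(keys) != len(set(keys)):
            findings.append("duplicate: same KVNO and enctype twice")
        if len({kvno for kvno, _ in keys}) > 1:
            findings.append("multiple KVNOs: older key versions left from a key rotation")
        report[principal] = findings or ["ok: one key per enctype"]
    return report

if __name__ == "__main__":
    for principal, findings in classify(parse_ktutil(SAMPLE)).items():
        print(principal, "->", "; ".join(findings))
```

Run against the thread's own listing (no enctype column) every repeated principal comes back as ambiguous, which is the cue to re-list with `-e` before deciding anything is a duplicate.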