AD Kerberos working–SSO to AFP not working
This topic has 3 replies, 3 voices, and was last updated 16 years, 7 months ago by Timothy Perfitt.
August 8, 2008 at 7:30 pm #373691
carneym (Participant)

I am administering an XServe running OS X Server 10.4.11, bound to our Active Directory domain, and I am trying to get Kerberos single sign-on working against its AFP and SMB services. SSO was working when I inherited the system, but I turned off Kerberos authentication at Apple support’s request while trying to fix major authentication problems caused by the 10.4.11 upgrade and have not been able to get SSO working since. Users can log into the AFP service when authentication is set to Standard, but not when it is set to Kerberos.
What puzzles me is that Kerberos authentication to our Active Directory server seems to be working. I can issue kinit someaduser from a test user Mac and get the appropriate password request, and the Kerberos app shows that the AD user has been granted a krbtgt ticket.
Apple support suggested that there may be duplicate keys in the keytab file and suggested I try the procedure outlined in support # 107702. The output from my ktutil is:

ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ----------------------------------------------------------
1 2 afpserver/[email protected]
2 2 afpserver/[email protected]
3 2 afpserver/[email protected]
4 2 ftp/[email protected]
5 2 ftp/[email protected]
6 2 ftp/[email protected]
7 2 imap/[email protected]
8 2 imap/[email protected]
9 2 imap/[email protected]
10 2 pop/[email protected]
11 2 pop/[email protected]
12 2 pop/[email protected]
13 2 HTTP/[email protected]
14 2 HTTP/[email protected]
15 2 HTTP/[email protected]
16 2 http/[email protected]
17 2 http/[email protected]
18 2 http/[email protected]
19 2 smtp/[email protected]
20 2 smtp/[email protected]
21 2 smtp/[email protected]
22 2 host/[email protected]
23 2 host/[email protected]
24 2 host/[email protected]
25 2 cifs/[email protected]
26 2 cifs/[email protected]
27 2 cifs/[email protected]
28 2 xmpp/[email protected]
29 2 xmpp/[email protected]
30 2 xmpp/[email protected]
31 2 ipp/[email protected]
32 2 ipp/[email protected]
33 2 ipp/[email protected]
34 2 vpn/[email protected]
35 2 vpn/[email protected]
36 2 vpn/[email protected]
37 2 xgrid/[email protected]
38 2 xgrid/[email protected]
39 2 xgrid/[email protected]
40 2 [email protected]
41 2 [email protected]
42 2 [email protected]
ktutil:

So it looks like I do have duplicates. Should I recreate the keytab file as directed, supplying my realm, ldap-admin and password, or are there other troubleshooting steps I should try first?

Many thanks for your help,
–Carney Mimms
August 11, 2008 at 2:31 pm #373702
carneym (Participant)

Thanks for clearing that up. My instinct was that the ktutil entries were fine, but I didn’t know why.

My real question, though, is what are my troubleshooting steps to determine why Kerberos isn’t working for AFP? Where do I start?

Thanks,
–Carney
August 29, 2008 at 6:26 am #373941
Timothy Perfitt (Member)

Check your clock skew, time zone, and DNS forward and reverse for xserve02.nourison.com.
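Timothy's three checks (clock skew against the KDC, forward and reverse DNS for the file server, and the matching afpserver principal in the keytab) scripted as an added example; this is a constructed helper written for this thread, not code from any of the posters or from Apple. It assumes MIT-style "slot KVNO Principal" ktutil output like the listing above, that ntpdate and dig are installed, and that the server FQDN, realm and KDC hostname are passed as arguments.

```shell
#!/bin/sh
# Added example: checks for Kerberos SSO to AFP (clock skew, DNS forward/reverse,
# afpserver principal in the keytab). Pure functions take captured values so they
# can be tested offline; run_checks gathers live values with ntpdate, dig and ktutil.
# Assumptions: MIT-style "slot KVNO Principal" ktutil output, ntpdate -q and dig present.

MAX_SKEW=300   # Kerberos default clockskew is 5 minutes

# Lower-case a DNS name and drop the trailing dot that dig prints.
norm_name() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# skew_ok OFFSET_SECONDS -> 0 when |offset| <= MAX_SKEW (fractional offsets allowed).
skew_ok() {
  awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

# dns_consistent NAME FORWARD_IP PTR_NAME -> 0 when the A record exists and the
# PTR for that address names NAME. A mismatch makes clients ask the KDC for a
# ticket for a service principal the server's keytab does not hold.
dns_consistent() {
  [ -n "$2" ] || return 1
  [ "$(norm_name "$1")" = "$(norm_name "$3")" ]
}

# keytab_has_afp LISTING NAME REALM -> 0 when afpserver/NAME@REALM is listed.
# Several rows per principal with the same KVNO are normal (one per encryption
# type); `list -e` in ktutil shows the type if true duplicates are suspected.
keytab_has_afp() {
  printf '%s\n' "$1" |
    awk -v p="afpserver/$2@$3" '$3 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# run_checks FQDN REALM KDC: collect live values and report each check.
run_checks() {
  fqdn=$1; realm=$2; kdc=$3
  offset=$(ntpdate -q "$kdc" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -1)
  if [ -z "$offset" ]; then echo "clock: could not query $kdc"
  elif skew_ok "$offset"; then echo "clock: offset ${offset}s OK"
  else echo "clock: offset ${offset}s exceeds ${MAX_SKEW}s"; fi
  ip=$(dig +short "$fqdn" A | head -1)
  ptr=$(dig +short -x "$ip" 2>/dev/null | head -1)
  if dns_consistent "$fqdn" "$ip" "$ptr"; then echo "dns: $fqdn -> $ip -> $ptr OK"
  else echo "dns: forward/reverse mismatch ($fqdn -> $ip -> $ptr)"; fi
  listing=$(printf 'read_kt /etc/krb5.keytab\nlist\n' | ktutil)
  if keytab_has_afp "$listing" "$fqdn" "$realm"; then echo "keytab: afpserver/$fqdn@$realm present"
  else echo "keytab: afpserver/$fqdn@$realm missing"; fi
}

if [ "$#" -ge 3 ]; then run_checks "$@"; fi
```

Run it on the server as root (ktutil needs to read /etc/krb5.keytab), e.g. `sh sso_check.sh xserve02.nourison.com YOUR.REALM your-kdc.hostname`; the realm and KDC are placeholders to fill in.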