Cannot Join Kerberos Realm Active Directory

Viewing 3 posts - 1 through 3 (of 3 total)
#367949
    at1
    Participant

Dear afp548 community,

Apologies in advance if I am missing something simple.
I have been trying to get our new Intel Xserve (10.4.8) to talk to our existing Win 2k native AD domain, built on a single domain controller, using the AD/OD integration white paper from this site, but I am failing over at the point where I have to join Kerberos.

The network consists of:
Win 2k server running as domain controller, running AD, DNS, DHCP and some file services
Intel Xserve running Tiger Server 10.4.8, connected to an Xserve RAID. This machine is acting as a DNS secondary for the AD domain and runs the web server, iChat server, and AFP and Windows file services
20+ Mac clients (10.4 and 10.3)
20+ Windows clients, 2k and XP

All servers and clients are set to use the AD domain controller as their primary DNS source.

I am trying to achieve single sign-on from the Mac and Windows clients. I don't really need mapped home directories; I just need all machines to be able to log in to the file shares on the XRAID using AD credentials.

I am able to bind the Xserve to the domain without problems and can verify that its machine account exists in Active Directory Users and Computers.
When I press the 'Join Kerberos' button, I am presented with the Join Kerberos Realm window, which only has a pull-down list with "REALM: (null)(default)" as the only available option, as well as boxes for username and password. When I enter my username and password (which is an AD domain admin) I receive this error:

Computer Record Not Available
The Open Directory Administrator has not used this computer's primary Ethernet address when adding this computer to a computer list

My slapconfig.log looks like this:
    2007-01-05 06:51:03 +0000 – slapconfig -sso_util
    2007-01-05 06:51:03 +0000 – command: /usr/sbin/sso_util useconfig -u -f . -a adadminuser -p **** -v 1
    2007-01-05 06:51:03 +0000 – sso_util command output:
    Contacting the directory server
    Obtaining the Computer record
    Unable to find the Computer record error = 2
    2007-01-05 06:51:03 +0000 – sso_util command failed with status 2
    2007-01-05 06:51:03 +0000 –

    errorValue
    2

This would indicate that sso_util can access the directory server but cannot find the machine account in AD (even though it's definitely there), so I am a bit stumped.

I have set up home directories for all users (pointing to a share on the domain controller for now).
I have checked forward and reverse DNS, and this seems to be fine to and from all servers on the network.
My AD domain name does NOT end in .local.

Any ideas or further troubleshooting steps would be greatly appreciated.

Thanks in advance,

    Alasdair
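An added example, not part of the original thread: a small Python check for the forward/reverse DNS round-trip the poster says he verified by hand, extended with a warning for a domain name ending in .local (Mac OS X treats .local as a Bonjour/mDNS domain rather than a unicast DNS zone). The host names and addresses in the sample tables are constructed for this example; when the tables are omitted, the same functions query the system resolver instead.

```python
"""Forward/reverse DNS consistency check for an AD/OD integration.

For every address a host name resolves to, the PTR record for that address
must resolve back to the same host name.  A stale or missing PTR is a common
reason a server that "binds fine" still cannot be matched to its computer record.
"""
import socket

# Constructed sample zone standing in for the AD domain controller's DNS.
# All names and addresses below are invented for this example.
SAMPLE_FORWARD = {
    "dc1.example.corp": ["192.0.2.10"],
    "xserve.example.corp": ["192.0.2.20"],
    "badhost.example.corp": ["192.0.2.30"],
}
SAMPLE_REVERSE = {
    "192.0.2.10": ["dc1.example.corp"],
    "192.0.2.20": ["xserve.example.corp"],
    "192.0.2.30": ["oldname.example.corp"],  # stale PTR: does not round-trip
}


def norm(name):
    """Canonical form for comparing DNS names: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def lookup_forward(fqdn, table=None):
    """Return the A records for fqdn from `table`, or from the system resolver."""
    if table is not None:
        return list(table.get(norm(fqdn), []))
    try:
        _, _, addrs = socket.gethostbyname_ex(fqdn)
        return addrs
    except socket.gaierror:
        return []


def lookup_reverse(ip, table=None):
    """Return the PTR names for ip from `table`, or from the system resolver."""
    if table is not None:
        return list(table.get(ip, []))
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def check_host(fqdn, forward=None, reverse=None):
    """Return a list of problem strings for fqdn; an empty list means DNS agrees."""
    problems = []
    fqdn_n = norm(fqdn)
    if fqdn_n.endswith(".local"):
        problems.append("domain ends in .local (Mac OS X reserves .local for Bonjour/mDNS)")
    addrs = lookup_forward(fqdn_n, forward)
    if not addrs:
        problems.append("no A record")
        return problems
    for ip in addrs:
        names = [norm(n) for n in lookup_reverse(ip, reverse)]
        if not names:
            problems.append("%s: no PTR record" % ip)
        elif fqdn_n not in names:
            problems.append("%s: PTR points to %s, not %s" % (ip, ", ".join(names), fqdn_n))
    return problems


def check_all(hosts, forward=None, reverse=None):
    """Check every host and return {fqdn: [problems]}."""
    return {h: check_host(h, forward, reverse) for h in hosts}


if __name__ == "__main__":
    sample_hosts = ["dc1.example.corp", "xserve.example.corp", "badhost.example.corp"]
    for host, probs in check_all(sample_hosts, SAMPLE_FORWARD, SAMPLE_REVERSE).items():
        print(host, "OK" if not probs else "; ".join(probs))
```

Run it with the tables omitted on each server, so the check goes through that machine's own resolver configuration; the reverse zone is the one most often missing or out of date, so it is worth running from the Xserve and from the domain controller.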

    #370054
    nikola
    Participant

I started having this error recently, after the server had been working fine for 2 years.
I had to unbind the server and rejoin AD, and after doing that I just could not kerberize, but my users could still authenticate with AD.
The only drawback is that after a while the authentication stops working, so I have to go through the whole process of unbinding and joining AD
once my users start screaming.
I have to:
Set Windows to Role: Domain Member
Go to Open Directory and bind to the domain, which does fine; once I go back to Open Directory setup I have the option to Join Kerberos but get the same error as you.

As a workaround I go back to Open Directory Access and under Authentication I make sure that the search path is Custom and includes /Active Directory/All Domains or /Active Directory/"your domain name".
This will make the OS X server check with the domain controller for authentication; at least that's how I see this.

Once I save this and go back to Open Directory I no longer have the option to Join Kerberos, though my users can now authenticate with AD.

If anyone knows what is going on, please help so I don't have to go through the pain again; not that I'm lazy, but I cannot stand annoying users screaming at my back.

    Thanks

    nik

    #370087
    Patrick Gallagher
    Participant

If I'm not mistaken, the "native" AD domain may be the problem. It's my understanding that native is to be used when all servers and clients are 2k3/XP/Vista, which basically beefs up all the security settings (digital signing and such) to a level that only 2k3/XP/Vista can use, and any legacy OSes would be left out. OS X would be considered a legacy OS since it does not support all the signing abilities of 2003 Server.
