Kerberized services only work on AD DNS subdomain

Viewing 7 posts - 1 through 7 (of 7 total)
  • #378159
    peet1
    Participant

    Hello all,

    I’m experiencing an issue with Kerberos authentication that doesn’t seem quite right. My servers are bound in a Cylinder of Destiny to our OD and AD with a grip of augment records for our users.

    My servers are configured with two DNS domains. *.jour.umt.edu has been our legacy connection since … well as long as we’ve had DNS. Our machines are bound into an AD @ gs.umt.edu. Consequently our server’s primary DNS has been jsrv06.jour.umt.edu but we also get jsrv06.gs.umt.edu by virtue of being bound to the domain.

    Our OD is correctly configured to not have the KDC running. My servers are bound and kerberized correctly and I can make a successful Kerberos auth and connections via AFP/SMB as long as I connect to the AD DNS name of the server, i.e. jsrv06.gs.umt.edu. Connections to jsrv06.jour.umt.edu fall back to standard authentication.

    My krb5.keytab has principals for both domains:

    [code]27 afpserver/[email protected] (ArcFour with HMAC/md5)
    27 afpserver/[email protected] (DES cbc mode with CRC-32)
    27 afpserver/[email protected] (DES cbc mode with RSA-MD5)
    27 afpserver/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    27 afpserver/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    [/code]
    [code]27 afpserver/[email protected] (ArcFour with HMAC/md5)
    27 afpserver/[email protected] (DES cbc mode with CRC-32)
    27 afpserver/[email protected] (DES cbc mode with RSA-MD5)
    27 afpserver/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    27 afpserver/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    [/code]

    I’ve even tried to change the kerberosPrincipal in the com.apple.AppleFileServer.plist, but that makes Kerberos authentication fail when connecting to *.jour.umt.edu [i]and[/i] *.gs.umt.edu

    Now I feel like a bit of an idiot here, but is this the expected behavior? I feel like there was a time when I could connect with Kerberos auth to our *.jour.umt.edu domain from a bound client. It’s possible that I have this memory from using an OD user when we had a JOUR.UMT.EDU Kerberos domain. If this is expected behavior why are there [email protected] principals?

    thanks for taking the time to read this and as always, any help is appreciated.

    Thanks.
    Peet
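As an added diagnostic (not code from this thread), a small Python check that parses a keytab listing in the layout shown above and reports, for every DNS name clients use to reach the server, which afpserver or cifs principals the keytab lacks; a missing entry is exactly the condition under which a client falls back to non-Kerberos auth. The host names, realm and the cifs service name for SMB in the sample are assumptions.

```python
import re

# Constructed sample in the layout of the thread's keytab listing; the host
# names and realm are assumed, since the forum post shows them obfuscated.
SAMPLE_KEYTAB_LISTING = """\
27 afpserver/jsrv06.gs.umt.edu@GS.UMT.EDU (ArcFour with HMAC/md5)
27 afpserver/jsrv06.gs.umt.edu@GS.UMT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
27 afpserver/jsrv06.jour.umt.edu@GS.UMT.EDU (ArcFour with HMAC/md5)
27 cifs/jsrv06.gs.umt.edu@GS.UMT.EDU (ArcFour with HMAC/md5)
27 host/jsrv06.gs.umt.edu@GS.UMT.EDU (ArcFour with HMAC/md5)
"""

# kvno, service, host, realm, enctype (one keytab entry per line)
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s*\((.+)\)\s*$")


def parse_keytab_listing(text):
    """Map (service, host) -> {realm, kvno, enctypes} from a klist-style listing."""
    entries = {}
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if not m:
            continue  # header or blank line
        kvno, service, host, realm, enctype = m.groups()
        entry = entries.setdefault((service.lower(), host.lower()),
                                   {"realm": realm, "kvno": int(kvno), "enctypes": set()})
        entry["enctypes"].add(enctype)
    return entries


def missing_principals(entries, hostnames, services=("afpserver", "cifs")):
    """(service, host) pairs a client may ask a ticket for that the keytab cannot
    decrypt; for those names the client falls back to non-Kerberos auth."""
    return [(svc, h.lower()) for h in hostnames for svc in services
            if (svc, h.lower()) not in entries]


def aes_less_principals(entries):
    """Principals whose keytab keys are all DES or RC4, i.e. no AES key at all."""
    return sorted(key for key, e in entries.items()
                  if not any("AES" in t for t in e["enctypes"]))


if __name__ == "__main__":
    keytab = parse_keytab_listing(SAMPLE_KEYTAB_LISTING)
    names = ["jsrv06.gs.umt.edu", "jsrv06.jour.umt.edu"]  # every DNS name clients use
    for svc, host in missing_principals(keytab, names):
        print(f"no keytab entry for {svc}/{host}: Kerberos will fail for that name")
    for svc, host in aes_less_principals(keytab):
        print(f"{svc}/{host} has only DES/RC4 keys")
```

On a real server, feed it the output of `sudo klist -kt` (after stripping the timestamp column) instead of the constructed sample.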

    #378175
    OmniBlade
    Participant

    I was never able to fix this since I don’t have sufficient access to the AD side of our network for the solutions I found, however my research led me to articles discussing this as being similar to a “Split Horizon DNS” configuration so you may wish to start your investigations there.

    #378184
    arekdreyer
    Member

    Maybe this article will help: http://support.apple.com/kb/HT3795

    Mac OS X Server v10.6: Configuring service principals in Active Directory when using a disjoint namespace

    #378186
    peet1
    Participant

    Wow, big thanks … Feel dumb for missing it.

    thanks again.

    #378195
    peet1
    Participant

    Thanks again. Just some follow-up info and a question. The KB article fails to mention that you also need to edit com.apple.AppleFileServer.plist to include the correct kerberosPrincipal. Once you edit your .plist with the right principal, you’re in business for AFP.

    The issue that I have now is that AFP is kerberized correctly, but SMB fails any kerberized connection. I’ve checked the smb.conf’s but there’s no mention of which principal it’s using.

    Any help?

    Thanks.
    Peet

    #378465
    Mike Boylan
    Participant

    Thanks for this thread. I was having this issue as well, and sure enough, that article was exactly what I needed.

    Also, peet, you were correct about AFP. I also needed to edit the AppleFileServer plist file to point it to the right kerberosPrincipal.

    For SMB, though, re-adding and restarting the service seemed to force it to use the correct principal. I did reboot the server after making the change on the AD controller but before doing this, though. Not sure if that had any effect or not.

    Also, Arek, big thanks to you on the excellent Directory Services book for 10.6. I’m learning more than my brain can take in. :p

    Thanks,
    Mike Boylan
    RMU IT :: Mac OS X

    #379109
    sgstuart
    Participant

    Hi all,
    I am hoping people will see this. This is exactly what is happening with all of my OS X clients. So whatever the resolution is, I will have to do it many times. However, it is better than not working.

    My question is how do I change the AppleFileServer plist to the right kerberosPrincipal. It looks like it is hashed at least in mine. It has one entry which is afpserver://LKDC:SHA1.(long string here)@LKDC:SHA1.(same long string here).

    How would I get this?

    I had found the ADSIedit.msc tool before and have changed the DSNName, but after I do that it has not let me authenticate at all back to AD.

    Thanks,
    Steven Stuart
