I have read quite a lot about the new LKDC feature of Mac OS X 10.5, and to be fair, I have also spent quite some time trying to circumvent this feature in regard to a setup that involves a Linux server running Netatalk for AFP 3.1 file services and Mac OS X 10.5 clients.
My problem is that because of Apple’s decision to let Kerberos favor the local LKDC over the primary domain realm hosted on the Linux server, I get different results depending on how I connect to the server.
Servers listed in the ‘Shared’ section of Finder’s Sidebar are connected to over Bonjour using the local LKDC, whereas the ancient ‘Connect to server’ command connects using the appropriate domain realm of the Linux Server.
According to Apple’s documentation this is how it’s supposed to work:
[quote]Between 10.5 clients, this Kerberos exchange is only attempted if you connect using Bonjour. For example, if you navigate to the Mac in Finder, or use Finder’s Go menu to connect to server “my-machine.local”.[/quote]
([url]http://docs.info.apple.com/article.html?artnum=306723[/url])
… However, I can use my Kerberos ticket from my primary domain realm while connecting to the server using the above-mentioned ‘Connect to server’ dialog, but unlike what Apple suggests, this works for both Bonjour-advertised shares and regular DNS-resolved, fully qualified domain name connections to the same server!
This, at least to me, means that somehow Apple’s Bonjour implementation is capable of allowing connections through the use of a domain realm in the form EXAMPLE.COM and not simply through the use of the LKDC… But how come this behavior is unsupported from Finder’s Sidebar?
Has anyone had any luck getting that piece of the puzzle to work?
Best regards,
Søren G.