Kerberos rejects password

  • #369588
    jacobpearson
    Participant

    Hi everyone, my apologies if this is in the wrong location,

    I’m having a fun Kerberos issue that is driving me mad. We have an AD domain, all our users are hosted on Win2003 AD – we don’t do any fancy AD and OD integration. We have an xServe and xRaid, running 10.4.9. The xServe is bound to the domain, and the OD tab in Server Admin says it’s connected to a directory system. We also have another SAN, which is served by Win2003 as well.

    My problem happens like this:
    - User logs into their Mac, using their AD user name and password, all OK.
    - User can connect to a Windows-based file server using single sign-on, without problem.
    - When a user tries to connect to the Mac file server, it doesn’t ask for a user name or password, it just says the password was incorrect.

    This doesn’t happen to everyone – it only starts to affect one person at a time. Recently it’s started happening to one user, Randall, but it’s stung myself and at least two other people. We have had no solution but to recreate the user’s AD account.

    There is nothing in the AFP or Windows access or error logs on the xServe, with the exception of in the afp access log:
    [code]IP 10.0.3.232 - - [18/Jul/2007:09:57:59 1200] "Login randall.inch" -5023 0 0
    IP 10.0.3.232 - - [18/Jul/2007:09:57:59 1200] "Logout randall.inch" -5023 0 0[/code]

    On the local machine there is one entry in the samba log:
    [code]mount_smbfs: session setup failed (extended security lookup2): syserr = Permission denied
    mount_smbfs: cound not login to server FILE03: syserr = Permission denied[/code]

    My understanding of Kerberos is that either the ticket request the client sends to the xServe is corrupt or wrong, or the ticket granting ticket the client receives from the xServe is corrupt or wrong, meaning that the client doesn’t decode the data properly and just gives the error message.

    I have tried three different logins on this particular machine and had the same problem. I have re-imaged the machine and it persists. The problem does not happen when the user uses a different machine. Problems only happen when connecting to the xServe, not any Windows-based servers. I have unbound and rebound the client, and on the xServe I have unbound and gone through the binding/Kerberos process, again with no luck.

    Curiously, when I disabled Kerberos (and thusly lost SSO) it worked fine.

    help! 😥

    #369591
    jacobpearson
    Participant

    Not really a lot of groups, no more than we’ve had running in this school, and in the last one I was in. This particular user is a member of five groups including Domain Users and Staff.

    It just seems at random it will pick a staff member once every four months, and they’ll lose access to the xServe. Having said that, only about 10 staff members need access to the xServe, and it could be messing with the 250 or so Windows users that don’t go near the xServe.
