OS X 10.6.x Clients and Kerberos Certificates with Windows 2003 AD/DC

  • #378213
    mattai
    Participant

    Howdy!

    Last week I wrote the OS X client management list regarding a problem I was having with Kerberos certificates not being received from a Windows 2003 DC on OS X 10.6.x clients. I later determined that the Kerberos Certificate does get received upon the second sequential login for every user (user logs in, no cert, user logs off, logs in again, cert is in ticket viewer).

    I didn’t think this would be a problem until I was moving forward with deployments and configuration options. We would like to have mobility enabled to sync their local Documents/Settings with their remote network home folders (hosted by windows shares/defined by AD home folder attribute). Additionally, they would like their network home folder icon to appear in their dock.

    This obviously becomes a problem during their initial login where it cannot resolve their network home folder because the client isn’t receiving the Kerberos certificate upon the first login, and therefore cannot use SSO to mount the network home folder (so the OS X client just throws an error “cannot access /Users/” at the login window and doesn’t allow them to log in).

    I’ve gotten one response back from the OS X Client management list from someone who is experiencing my same problem. Does anyone have any ideas why it’s taking two sequential logins to receive the Kerberos Certificate from the Windows DC? Has anyone else seen this behavior?

    Thanks for any information you have!

    #378815
    mac1980
    Participant

    I was experiencing the same issue on our domain. After speaking with Apple Engineering, it seems that this is a known issue with no current fix (other than the two logins). We were not given any ETA, but we should be expecting this to be resolved in an OS update.

    I was also driving myself crazy trying to figure out what the issue was! If I hear anything back I will post the solution.

    Thanks,

    #378847
    mac1980
    Participant

    I don't remember anything out of the ordinary in the logs, but we did send them down to Apple for review. Client network connections are fiber. Maybe take a look at article HT4100 on Apple's support page. I had to also make this update to our 10.6 images. Hope that helps.

    #380617
    bango
    Participant

    Are people still having this issue?... 'cause it's still happening in our environment.
    – need to log in twice before the ticket is generated, and this is causing issues with new users logging in and having the initial home sync fail on them.
    info:
    authenticating to Windows AD / DC
    the client is running 10.6.7

    thanks

    #380618
    bango
    Participant

    I should also mention I have tweaked the /etc/authorization file, following the steps from http://www.techrepublic.com/blog/mac/configure-os-x-for-kerberos-single-sign-on-authentication/208
    and still no go.

    #380619
    bango
    Participant

    OK, I re-tweaked that file, following Apple's KB article: http://support.apple.com/kb/ht4100

    After a reboot, the initial home sync issue I was experiencing went away, but now... the account gets locked out and the user can't perform a logout sync. I then have to unlock the account in AD.
    This is really weird...
    Whilst logged in, the account must be hitting/clogging the DC or something... to cause a "lock out" issue.
    Console logs don't really state anything helpful – as always.

    Anyone????

    #380620
    mattai
    Participant

    [QUOTE][u]Quote by: bango[/u][p]OK, I re-tweaked that file, following Apple's KB article: http://support.apple.com/kb/ht4100

    After a reboot, the initial home sync issue I was experiencing went away, but now... the account gets locked out and the user can't perform a logout sync. I then have to unlock the account in AD.
    This is really weird...
    Whilst logged in, the account must be hitting/clogging the DC or something... to cause a "lock out" issue.
    Console logs don't really state anything helpful – as always.

    Anyone????
    [/p][/QUOTE]

    You’re not using OCS / Microsoft Messenger are you?

    #380635
    bango
    Participant

    No... I don't use OCS/Messenger.
    I believe the org I work for uses these tools.
    Why?

    #380637
    mattai
    Participant

    [QUOTE][u]Quote by: bango[/u][p]No... I don't use OCS/Messenger.
    I believe the org I work for uses these tools.
    Why?

    [/p][/QUOTE]

    I believe your problem is OCS/Messenger then. There is a known problem with it causing lockouts. http://www.ms-news.net/f2330/microsoft-messenger-7-0-2-ad-accountimmediately-locked-out-when-using-kerberos-8894446.html

    I had the same thing happen. Don’t launch messenger, and try the login/logout again…

    #380643
    bango
    Participant

    I don't use OCS/Messenger – these apps aren't open at all.
    My problem still exists whereby I need to log in a second time for the login sync to be successful.
    Really weird.

    #380644
    mattai
    Participant

    [QUOTE][u]Quote by: bango[/u][p]I don't use OCS/Messenger – these apps aren't open at all.
    My problem still exists whereby I need to log in a second time for the login sync to be successful.
    Really weird.

    [/p][/QUOTE]

    Your responses are neurotic. On one hand you’re saying you fixed the issue by tweaking a file, but your accounts are getting locked out. On the other hand you say your original problem is still occurring. I’m not sure what to tell you other than if you could provide more complete concise information we could probably better help you.

    #380651
    bango
    Participant

    OK...
    When I tweaked that file in the /etc dir – that's when I had the account lockout issue.
    I then reimaged the Mac...
    Modified the file (so it generates a KDC ticket straight away), but I get the home sync issue and no lockout issue anymore? Weird.
    The msg I get is:

    Home sync failed. Continue without a synced home?
    If you continue, sync your home as soon as possible.
    If you cancel, your home will not be created

    Note: I’ve enabled Mobility for all network accounts.

    I can click [Continue] and perform a manual sync and logout (does another sync), and then when I log back in, the syncing works from that point on. The problem is the initial login. In WGM – Home sync, I've set "Suppress Initial Sync Errors" to True, but this doesn't take effect.

    I’ve checked the Console logs and it shows the following 2 errors that stand out:

    Sender[PID]: /System/Library/CoreServices/ManagedClient.app/Contents/Resources/HomeSync.app/Contents/MacOS/HomeSync
    Message: smb_mount: mount failed to server.test.com.au/userdata$ ” syserr = Authentication error

    Sender[PID]: HomeSync
    Message: HomeSync.doHomeSyncLoginLogout: Unable to mount server URL at ‘smb://server.test.com/userdata$’ (80). No sync will occur.

    I hope you can assist?

    thanks

    #380818
    seawolfe
    Participant

    OK, this is how you can test for and fix this issue.

    1. When you are logged into a computer for the first time as a user, open Terminal and run the [b]klist[/b] command. If you have not received Kerberos credentials from the server, this will return "No credentials cache found while getting the ccache principal". If that is the case, then go to step 2 below. If you receive a different response, then this issue isn't your problem.

    2. To ensure the Kerberos problem isn’t with the server, run the [b]kinit[/b] command and enter the user password to obtain a TGT. Run klist again and you should see the proper Kerberos credentials. If you don’t see this, then you have issues either with the user account or the server.

    3. To confirm (and reproduce) this behaviour, you can run the [b]kdestroy -a[/b] command, log out and back in, and you should find that the user has no Kerberos credentials cached when you run [b]klist[/b].

    4. To fix this issue, you will need to edit the /etc/authorization file. However, this should be done with care and only after a backup of the file has been made, or you could cause yourself a lot of grief. Apple has an article detailing this issue, as someone else noted (see http://support.apple.com/kb/HT4100 for more information). However, this is a way to make the changes at the command line using PlistBuddy (note that this only works for 10.5 and 10.6). You will need to reboot after making this change.

    [b]/bin/cp /etc/authorization /etc/authorization.save
    # entry 4 of the mechanisms array in the poster's file; confirm what sits there with -c "Print rights:system.login.console:mechanisms" before overwriting it
    /usr/libexec/PlistBuddy -c "Set rights:system.login.console:mechanisms:4 builtin:krb5authnoverify,privileged" /etc/authorization[/b]

    If you have problems with accounts getting locked out after doing this, then you have another problem, probably with the AD server.
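    An added example (not code from this thread or from Apple's article) that scripts the check and fix above: it recognises the step-1 klist message, and it places the Kerberos mechanism in /etc/authorization immediately after the builtin:authenticate,privileged entry, located by name and with a backup taken first, rather than overwriting whichever entry happens to sit at index 4 as the PlistBuddy one-liner does. The sample plist, the anchor entry and the mechanism string are assumptions; since the last post asks which of the two mechanism names is right, the name is a parameter.

```python
import copy
import plistlib
from pathlib import Path

# Constructed sample: a trimmed stand-in for the 10.6-era /etc/authorization;
# the real file carries many more rights, only this mechanisms array matters.
SAMPLE_AUTHORIZATION = {"rights": {"system.login.console": {
    "class": "evaluate-mechanisms",
    "mechanisms": [
        "builtin:smartcard-sniffer,privileged",
        "loginwindow:login",
        "builtin:reset-password,privileged",
        "builtin:auto-login,privileged",
        "builtin:authenticate,privileged",
        "HomeDirMechanism:login,privileged",
        "MCXMechanism:login",
        "loginwindow:done",
    ],
}}}

# Anchor and mechanism names are assumptions taken from the thread; which of the
# two mechanism strings is the right one is the question the last post raises.
ANCHOR = "builtin:authenticate,privileged"
KRB_MECHANISM = "builtin:krb5authnoverify,privileged"  # or builtin:krb5store,privileged

def no_ccache(klist_output):
    """True when klist reports the message step 1 of the post describes."""
    return "No credentials cache found" in klist_output

def place_mechanism(auth, mechanism=KRB_MECHANISM, anchor=ANCHOR):
    """Copy of the plist dict with `mechanism` right after `anchor`. Idempotent;
    raises ValueError if the anchor is missing, so nothing is written blindly."""
    new = copy.deepcopy(auth)
    mechs = new["rights"]["system.login.console"]["mechanisms"]
    if mechanism in mechs:
        return new, mechs.index(mechanism)
    idx = mechs.index(anchor) + 1
    mechs.insert(idx, mechanism)
    return new, idx

def patch_file(path, mechanism=KRB_MECHANISM):
    """Back up the original bytes to `<path>.save`, then write the patched XML plist."""
    path = Path(path)
    raw = path.read_bytes()
    new, idx = place_mechanism(plistlib.loads(raw), mechanism)
    path.with_name(path.name + ".save").write_bytes(raw)
    path.write_bytes(plistlib.dumps(new, fmt=plistlib.FMT_XML))
    return idx
```

    Run patch_file("/etc/authorization") as root on a 10.6 client and reboot, as step 4 says; the backup is byte-for-byte the original, so restoring it is a plain copy back.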

    #380886
    Rmaider
    Participant

    Is there any difference between builtin:krb5store,privileged (from HT4100) and builtin:krb5authnoverify,privileged (from http://www.techrepublic.com/blog/mac/configure-os-x-for-kerberos-single-sign-on-authentication/208 )?
