Problems with Kerberos and Mobile accounts in a magic triangle setup.

Viewing 3 posts - 1 through 3 (of 3 total)


    I’m currently testing out a magic triangle setup to migrate Mac user authentication off the ODM we use just for our department and onto the AD that provides services for the wider campus. Through a magic triangle setup I can have AD user accounts authenticate and log on to a Mac client and through the magic of augmented records they have Mac server hosted home folders as network users. Using MCX on the group to specify a synchronisation URL I’ve also been able to create PHDs that sync back to the same home folders. All this has been tested with a 10.6 client and a 10.6 server and so far, so good, but now there are a few issues with the setup.

    First, Kerberos seems to be broken. From a Windows client I can access kerberised services on both the Mac server and the wider AD with single sign on. However from Mac clients I am asked for credentials every time. I appear to get a TGT krbtgt/[email protected] for default principal [email protected]. The problem appears to be that most services are on servers with addresses server.domain.com; if I access a service from a server with an address server.ad.domain.com then I get a ticket and the service works. I’m guessing that either the wrong information is being pulled from the AD or the Mac clients are misinterpreting it, but I lack sufficient understanding of how Kerberos is configured to fix it.

    The second issue I’m having is that when the test client is disconnected from the network I still get the option for “Other…” logins and mobile accounts that I have created cannot log on. I assume this is because the system still thinks that it should be able to contact either the AD servers or the ODM despite the fact that it isn’t connected to the network and in fact cannot.

    Any advice and/or assistance with these issues would be appreciated.
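The realm-mapping check an admin would make for the symptom described above (TGT for AD.DOMAIN.COM, but no service tickets for hosts under domain.com) and for the negative-cache entries mentioned in the follow-up post, added here as an example and not taken from the thread: hosts under domain.com sit outside the DNS domain of the AD realm, so without an explicit [domain_realm] entry the client cannot tell which realm's KDC to ask for their service tickets. The realm and hostnames come from the thread; the KDC name dc1.ad.domain.com and the config file path are assumptions.

```ini
# krb5.conf-style Kerberos client configuration (assumed to live in
# /Library/Preferences/edu.mit.Kerberos or /etc/krb5.conf on the 10.6 client)
[libdefaults]
    default_realm = AD.DOMAIN.COM
    # Fall back to DNS (_kerberos.<domain> TXT and SRV records) for hosts not listed below
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    AD.DOMAIN.COM = {
        kdc = dc1.ad.domain.com            # assumed KDC (domain controller) hostname
        admin_server = dc1.ad.domain.com
    }

[domain_realm]
    # Hosts inside the AD DNS domain already resolve to the realm by convention,
    # which is why server.ad.domain.com works in the thread
    .ad.domain.com = AD.DOMAIN.COM
    ad.domain.com = AD.DOMAIN.COM
    # The missing piece for the symptom above: services on server.domain.com are
    # registered in AD (Windows SSO works) but live in the parent DNS domain,
    # so the client must be told explicitly which realm owns them
    .domain.com = AD.DOMAIN.COM
    domain.com = AD.DOMAIN.COM
```

After changing the mapping, run `kdestroy` and `kinit` again so the cached negative-cache entries are discarded, then check with `klist` that a service ticket such as HTTP/server.domain.com@AD.DOMAIN.COM is issued.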


    Well I seem to have partially solved the problem by copying the 10.5 Kerberos utility across and using it to destroy the existing TGT and get a new one. Why that has kind of worked I don’t know, I just wanted to use it to get more info on what tickets I had. Only problem is that it’s hit and miss, some services work and some don’t. For those that don’t I appear to get a malformed ticket dated to 1970 of the form “krb5_ccache_conf_data/negative-cache/http/server.domain.com@@X-CACHECONF”. Strangely this doesn’t happen if I access kerberised services from the ODM, they all work fine and I get the correct tickets, only the test client. A Google search didn’t turn up anything useful on this unfortunately.

    Using the PHDs offline still doesn’t seem to work though :/


    I seem to be having a similar issue https://www.afp548.com/forum/viewtopic.php?showtopic=29082

    Was wondering if you were able to figure out your bad tickets problem?
