Active Directory Single Sign on to Domain not working

  • #375460
    the_yeti
    Participant

    I have an OS X 10.5.6 client and it has been successfully bound to the domain. The account shows up and I can log in using any domain user and password. However, when I try to “mount” or browse a share (I press the apple key + k) and I type in SMB://server/fileshare it prompts me for a user name and password.

    I can type in my user name and password and successfully access the shared resource.

    I want to just be able to browse / mount shares without having to enter the user name and password. Am I missing something here? Isn’t that the point of single sign on? I have NOT extended my schema, is that why?

    Just verified as well using Kerberos.app that I have a valid ticket that will expire in 9:58. Still being prompted for a user/pass when trying to connect to a share.

    I used a utility to disable the Bonjour Service
    I have set dsconfigad -namespace forest
    I have added my domain to authentication search accounts
    I have added my domain to search policy / contacts

    This is what I have done, what am I missing?

    This is a laptop, I have tried with different user accounts, and I have tried using a mobile account and a non-mobile account.

    Please help, and thanks.

    #375556
    the_rug
    Participant

    Hi Yeti,

    I had the same problem and it took me ages to work it out.

    Turns out, it has to do with the default Kerberos settings on OSX:

    Edit the file: “Macintosh HD/Library/Preferences/edu.mit.kerberos”

    Under the section “libdefaults” add:
    forwardable = yes
    proxiable = yes

    I believe it is the ‘proxiable’ portion that is the key here.

    I’m not sure, but I think you also have to do the following:
    i. Open a terminal on the reference workstation
    ii. Type in ‘sudo pico /etc/authorization’
    iii. Authenticate with the root password
    iv. Press ‘Control’ & ‘W’ to start a search
    v. Type in “authenticate,privileged” in the search prompt
    vi. Change the text to “krb5authnoverify,privileged”. I.e. it should look like “builtin:krb5authnoverify,privileged”
    vii. Press ‘Control’ & ‘X’ to exit
    viii. Restart the system for the changes to apply

    This tells OSX to invoke a Kerberos request when the user logs in.

    Once I finally got Kerberos to work, I found a lot of accounts were being locked because of the way OSX uses the Kerberos tickets. Specifically, I was getting KRB_PRE_AUTH errors logged on the AD servers. If this is the case, let me know and I’ll post the solution to that problem as well 😀

    Cheers,
    The_Rug
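
An added check, not part of either poster's reply, that reads a krb5-style config such as the edu.mit.kerberos file named above and reports whether forwardable and proxiable are set under [libdefaults]. Only that section counts; the same keys under [realms] are ignored, which is the mistake the reply's "under the section libdefaults" wording guards against. The sample files, the EXAMPLE.COM realm and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the forum thread): verify the ticket flags that the
# reply says must sit under [libdefaults] in a krb5-style config file, e.g.
# /Library/Preferences/edu.mit.kerberos on OS X 10.5.

# krb5_libdefault FILE KEY
#   Prints the value of KEY from the [libdefaults] section only (first match),
#   or nothing when the key is absent there.
krb5_libdefault() {
    awk -v key="$2" '
        # A line starting with "[" opens a new section; remember whether it is [libdefaults]
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")   # drop "key ="
            sub(/[ \t]*$/, "")         # drop trailing whitespace
            print
            exit
        }
    ' "$1"
}

# sso_ticket_flags_ok FILE
#   Returns 0 when both forwardable and proxiable are enabled in [libdefaults],
#   1 otherwise (missing key, "no", or key placed in the wrong section).
sso_ticket_flags_ok() {
    f=$(krb5_libdefault "$1" forwardable)
    p=$(krb5_libdefault "$1" proxiable)
    case "$f" in yes|true) ;; *) return 1 ;; esac
    case "$p" in yes|true) ;; *) return 1 ;; esac
    return 0
}

# --- constructed samples: a stock file without the flags, and the edited one ---
stock=$(mktemp "${TMPDIR:-/tmp}/krb5check.XXXXXX")
edited=$(mktemp "${TMPDIR:-/tmp}/krb5check.XXXXXX")
printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\tdns_fallback = yes\n' > "$stock"
printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\tdns_fallback = yes\n\tforwardable = yes\n\tproxiable = yes\n\n[domain_realm]\n\t.example.com = EXAMPLE.COM\n' > "$edited"

for cfg in "$stock" "$edited"; do
    if sso_ticket_flags_ok "$cfg"; then
        echo "$cfg: forwardable and proxiable are set in [libdefaults]"
    else
        echo "$cfg: missing forwardable/proxiable in [libdefaults]"
    fi
done
rm -f "$stock" "$edited"
```

Run it against the real file with `sso_ticket_flags_ok /Library/Preferences/edu.mit.kerberos && echo ok` before assuming the edit took; a key that was pasted below a later section header will fail the check even though it is present in the file.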
