SSO with AD/OD and fileshares

    #371128
    alternapop
    Participant

    I have a client and server both on 10.5. both are bound to AD. the server is an OD Master.
    I’ve created a group on the server and added one user from AD to this group.
    I created a fileshare and made this group the owner.

    from the client, i can login (authenticating via AD) and the client applies MCX rules from OD.

    if i try to mount the fileshare, using the url of the OD server, it prompts me to authenticate.
    why is it doing this? why aren’t my credentials from AD being automatically passed to OD?

    if i do enter my AD username and password, it fails on the client with an invalid password error, yet AFP Access Log shows this (hiding IP and name):

    IP x.x.x.x - - [16/Jan/2008:10:16:29 -0800] "Login LastName, FirstName" -5023 0 0
    IP x.x.x.x - - [16/Jan/2008:10:16:29 -0800] "Logout LastName, FirstName" -5023 0 0

    what could i be doing wrong or what am i misunderstanding?

    thanks!
    chris
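    As an added example (not code from the thread), a small Python parser for the AFP access log format quoted above that flags Login events whose result code is not 0; the line layout and the two trailing counters are assumptions drawn from the two quoted lines, and the result-code names are the standard AFP ones (-5023 is kFPUserNotAuth, the server rejecting the credentials, which matches the "invalid password" the client reported).

```python
import re
from collections import Counter

# Assumed layout of an AFP access log line, modelled on the two lines in the post:
#   IP <addr> - - [<timestamp>] "<Event> <user>" <result> <n1> <n2>
# The meaning of the two trailing counters is not given on the page, so they are
# captured but not interpreted.
AFP_LINE = re.compile(
    r'^IP (?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<event>\w+)(?: (?P<user>.*?))?" (?P<result>-?\d+) (?P<n1>\d+) (?P<n2>\d+)$'
)

# Standard AFP result codes that matter for authentication problems.
AFP_RESULT = {
    0: "kFPNoErr",
    -5000: "kFPAccessDenied",
    -5002: "kFPBadUAM",
    -5022: "kFPSessClosed",
    -5023: "kFPUserNotAuth",
}

def parse_afp_line(line):
    """Return a dict for one log line, or None if the line does not match the layout."""
    m = AFP_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["result"] = int(rec["result"])
    rec["result_name"] = AFP_RESULT.get(rec["result"], "unknown")
    return rec

def failed_logins(lines):
    """(user, ip, result_name) for every Login event whose result is not kFPNoErr."""
    out = []
    for line in lines:
        rec = parse_afp_line(line)
        if rec and rec["event"] == "Login" and rec["result"] != 0:
            out.append((rec["user"], rec["ip"], rec["result_name"]))
    return out

def repeated_failures(lines, threshold=3):
    """Users with at least `threshold` failed logins: a misconfigured SSO client
    (or a password-guessing attempt) shows up here rather than as single entries."""
    counts = Counter(user for user, _ip, _name in failed_logins(lines))
    return {user: n for user, n in counts.items() if n >= threshold}

SAMPLE_LOG = [  # constructed sample, modelled on the post's two lines
    'IP 10.0.0.5 - - [16/Jan/2008:10:16:29 -0800] "Login LastName, FirstName" -5023 0 0',
    'IP 10.0.0.5 - - [16/Jan/2008:10:16:29 -0800] "Logout LastName, FirstName" -5023 0 0',
    'IP 10.0.0.7 - - [16/Jan/2008:10:20:02 -0800] "Login admin" 0 0 0',
    'IP 10.0.0.5 - - [16/Jan/2008:10:21:10 -0800] "Login LastName, FirstName" -5023 0 0',
    'IP 10.0.0.5 - - [16/Jan/2008:10:21:40 -0800] "Login LastName, FirstName" -5023 0 0',
    'IP 10.0.0.9 - - [16/Jan/2008:10:25:00 -0800] "Login guest" -5000 0 0',
    'this line is not an AFP access log entry',
]
```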

    #371129
    CostasPPC1
    Participant

    Is Kerberos working on the SSO?

    #371132
    alternapop
    Participant

    Quote by CostasPPC1: "Is Kerberos working on the SSO?"

    there are two tickets showing up if i run klist -e
    both of these appear in the Kerberos application too
    so as far as i can tell, yes

    #371139
    alternapop
    Participant

    my edu.mit.Kerberos file lists the appropriate domains/realms and contains about 10 of them for our campus.

    if i run “sudo sso_util info -g”, on the client, it returns “UDPxxxxxxUDS.xxxx.EDU”

    running “host UDPxxxxxxUDS.xxxx.EDU” on that domain name returns the IP of the client i’m running these commands on.

    is that right?

    #371160
    alternapop
    Participant

    this still isn’t working for me. i attended the macworld Directory Services 1, 2 and 3 classes.

    within my leopard server, everyone has access to all services

    there is a line for afp within krb5.keytab on the server with my server’s dns name… the krb5.keytab on the client shows as a bunch of seemingly random numbers, “afpserver2LKDC:SHA1.xxxx…”

    i tried running “sudo dsconfigad -enableSSO” on the server

    the lecturers mentioned a ‘plutil’ command but i don’t remember when this is necessary or how to run it.

    would greatly appreciate any assistance!
    thanks,
    chris

    #371226
    alternapop
    Participant

    This is partially solved. I reinstalled the OS on the server. Binding to AD from the server is working now. Thanks to a fellow colleague for help with figuring out that even though Directory Utility showed that the server was bound to AD, it wasn’t a valid bind. I think it was either due to maybe letting the server initialize with a dynamic ip when I installed the OS the first time or a discrepancy with the names in AD and NETBIOS.

    —————-
    opendirectory:~ admin$ sudo klist -ke
    Password:
    klist: No Kerberos 5 tickets in credentials cache
    opendirectory:~ admin$ sudo net ads info
    LDAP server: xx.xx.xx.xx
    LDAP server name: xx.xx.xx.xxx.xxx
    Realm: xx.xx.xxx.xxx
    Bind Path: dc=xxx,dc=xx,dc=xxx,dc=xxx
    LDAP port: 389
    Server time: Wed, 23 Jan 2008 10:23:31 PST
    KDC server: xx.xx.xx.xx
    Server time offset: 0
    opendirectory:~ admin$ sudo net ads testjoin
    Join is OK
    —————-

    now, if i force AFP to use Kerberos, it fails. i believe they mentioned something about running the command, ‘plutil’ at macworld. what exactly is this command’s syntax? and what does it do?

    thanks!
