Viewing 3 posts - 1 through 3 (of 3 total)
  • #362880
    plite
    Participant

    Hi all,

    Because the new batch of iBooks we received refuse to boot Panther properly, I’m currently attempting to create a deployment image of Tiger for our Mac environment, which is a mix of local OD authentication servers and campus wide AD servers. I seem to have hit a major snag when it comes to the login process.

    Under Panther we had kerberos logins enabled at the login window with edu.mit.Kerberos pointed at our campus AD servers – which allowed us to have accounts in OD secured with a default password and users could use their AD password to login. This also meant they had their AD kerberos tickets after login, and all network shares were part of the “Golden Triangle” configuration ideal – so no passwords for connecting to anything. Loverly.

    Then Tiger reared its fierce feline head. With this fearsome beastie I can’t seem to get my Kerberos tickets the way I used to. If I use AD authentication I get the right tickets, but no MCX configuration from the OD servers. If I use OD authentication I get useless OD tickets, and users don’t know their OD passwords anyhow. Basically:

    I’ve modified edu.mit.Kerberos to point to the AD servers and can get tickets using the gui and command line apps.
    I’ve modified /etc/authorization using the Tiger correct “krb5authnoverify,privileged” syntax.
    Login against OD – no tickets.

    For some reason it seems that Tiger will only get the kerberos tickets defined in edu.mit.Kerberos if the domain defined is also the domain used by the authentication servers. Previously if you placed AD at the top of the authentication list in Directory Access with OD servers below it then the login would occur through AD, and the OD servers would be consulted for MCX information. This process, which would fix my Kerberos issues also seems to no longer work in Tiger. Has anyone got any brilliant ideas as to how to tame this rotten cat?

    #362882
    AMSR
    Participant

    Instead of manually editing the edu.mit.Kerberos file and using /etc/authorization to enable TGT on login, you should probably be binding your clients to AD using the AD plugin. You can then bind them to OD as well to get your MCX settings. Just make sure the OD server is listed after the AD server in the authentication path. You should also disable the kerberos auto config by OD by following the instructions in this article:

    http://docs.info.apple.com/article.html?artnum=300765

    If you don’t you will get conflicting OD and AD KDC info in your edu.mit.Kerberos file.

    FWIW, I have not seen anyone able to get the /etc/authorization trick to work on 10.4.
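
    Two things in the reply above can be checked on a client without touching the directory: that the AD node really does sit ahead of the OD (LDAPv3) node in the authentication search path, and that edu.mit.Kerberos no longer carries a second, OD-autoconfigured realm alongside the AD one. The script below is an added example and is not from this thread or from Apple; it works on constructed sample text rather than a live machine. The realm names (AD.EXAMPLE.EDU, OD.EXAMPLE.EDU), the host names, and the one-node-per-line layout of the `dscl /Search -read / CSPSearchPath` output are all assumptions; on a real client you would feed it `$(dscl /Search -read / CSPSearchPath)` and `$(cat /Library/Preferences/edu.mit.Kerberos)` instead of the samples.

```shell
#!/bin/sh
# Added example, not from the forum thread: offline checks for the two
# failure modes described in the reply (OD ahead of AD in the search path,
# and conflicting OD/AD realm definitions in edu.mit.Kerberos).

# Constructed sample of `dscl /Search -read / CSPSearchPath` output with the
# OD node *before* the AD node (the wrong order). Format is an assumption.
SAMPLE_SEARCHPATH='CSPSearchPath:
 /NetInfo/DefaultLocalNode
 /BSD/local
 /LDAPv3/od.example.edu
 /Active Directory/All Domains'

# Same sample with the AD node listed first (the recommended order).
SAMPLE_SEARCHPATH_FIXED='CSPSearchPath:
 /NetInfo/DefaultLocalNode
 /BSD/local
 /Active Directory/All Domains
 /LDAPv3/od.example.edu'

# Constructed edu.mit.Kerberos that still carries an OD-autoconfigured realm
# next to the AD realm, and defaults to the OD one. Names are assumptions.
SAMPLE_KRB='[libdefaults]
        default_realm = OD.EXAMPLE.EDU

[realms]
        AD.EXAMPLE.EDU = {
                kdc = dc1.ad.example.edu
                admin_server = dc1.ad.example.edu
        }
        OD.EXAMPLE.EDU = {
                kdc = od.example.edu
                admin_server = od.example.edu
        }

[domain_realm]
        .ad.example.edu = AD.EXAMPLE.EDU
        .od.example.edu = OD.EXAMPLE.EDU'

# The same file after OD Kerberos autoconfig is disabled: AD realm only.
SAMPLE_KRB_FIXED='[libdefaults]
        default_realm = AD.EXAMPLE.EDU

[realms]
        AD.EXAMPLE.EDU = {
                kdc = dc1.ad.example.edu
                admin_server = dc1.ad.example.edu
        }

[domain_realm]
        .ad.example.edu = AD.EXAMPLE.EDU'

# search_order_ok <searchpath text>
# Returns 0 when the first "Active Directory" node precedes the first
# LDAPv3 node; 1 if the order is reversed or either node is missing.
search_order_ok() {
    printf '%s\n' "$1" | awk '
        /^ *\/Active Directory\// && ad == 0 { ad = NR }
        /^ *\/LDAPv3\//           && od == 0 { od = NR }
        END { if (ad > 0 && od > 0 && ad < od) exit 0; exit 1 }'
}

# realm_count <krb5 text>: prints how many realms the [realms] section defines.
realm_count() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_realms = ($1 == "[realms]"); next }
        in_realms && /^[ \t]*[A-Za-z0-9.-]+[ \t]*=[ \t]*[{]/ { n++ }
        END { print n + 0 }'
}

# default_realm <krb5 text>: prints default_realm from [libdefaults].
default_realm() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_lib = ($1 == "[libdefaults]"); next }
        in_lib && /default_realm/ { sub(/.*=[ \t]*/, ""); print; exit }'
}

# krb_conflict_free <krb5 text> <expected AD realm>
# Returns 0 only when exactly one realm is defined and it is the AD realm
# that is also the default; anything else is the "conflicting KDC info" case.
krb_conflict_free() {
    [ "$(realm_count "$1")" -eq 1 ] && [ "$(default_realm "$1")" = "$2" ]
}

# Stand-alone report over the constructed samples.
for sp in "$SAMPLE_SEARCHPATH" "$SAMPLE_SEARCHPATH_FIXED"; do
    search_order_ok "$sp" && echo "search path: AD before OD (ok)" \
                          || echo "search path: OD before AD (MCX lookup will not work as intended)"
done
for kc in "$SAMPLE_KRB" "$SAMPLE_KRB_FIXED"; do
    krb_conflict_free "$kc" AD.EXAMPLE.EDU \
        && echo "edu.mit.Kerberos: single AD realm, default $(default_realm "$kc") (ok)" \
        || echo "edu.mit.Kerberos: $(realm_count "$kc") realms, default $(default_realm "$kc") (conflict)"
done
```

The realm check is deliberately strict: a client bound to both directories should have exactly one realm in edu.mit.Kerberos after OD autoconfig is turned off, and that realm should be the default, otherwise the login-window TGT will be issued against whichever realm the file defaults to.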

    #362884
    plite
    Participant

    That would be an ideal solution, and it worked fine for me in Panther but it doesn’t work under 10.4.2. My client machine binds to both directory services correctly, and can authenticate against either of them – but when they’re both in the Authenticate list with the AD/All Domains at the top the OD servers are never consulted for MCX information. Argh!

    My OD servers do indeed have KerberosClient “munged” correctly, as per the KB document. Still no AD tickets when logging in through LDAP, no MCX when logging in through AD.

    Perhaps it could be possible to use the -staticMappings parameter of dsconfigad to manually set the MCX lookup location. Does anyone know how I could do this?
