AFP548

Tiger and Kerberos at login

Hi all,

Because the new batch of iBooks we received refuse to boot Panther properly, I'm currently attempting to create a deployment image of Tiger for our Mac environment, which is a mix of local OD authentication servers and campus wide AD servers. I seem to have hit a major snag when it comes to the login process.

Under Panther we had kerberos logins enabled at the login window with edu.mit.Kerberos pointed at our campus AD servers - which allowed us to have accounts in OD secured with a default password and users could use their AD password to login. This also meant they had their AD kerberos tickets after login, and all network shares were part of the "Golden Triangle" configuration ideal - so no passwords for connecting to anything. Loverly.

Then Tiger reared its fierce feline head. With this fearsome beastie I can't seem to get my Kerberos tickets the way I used to. If I use AD authentication I get the right tickets, but no MCX configuration from the OD servers. If I use OD authentication I get useless OD tickets, and users don't know their OD passwords anyhow. Basically:

I've modified edu.mit.Kerberos to point to the AD servers and can get tickets using the GUI and command line apps.
I've modified /etc/authorization using the correct Tiger "krb5authnoverify,privileged" syntax.
Login against OD - no tickets.

For some reason it seems that Tiger will only get the Kerberos tickets defined in edu.mit.Kerberos if the domain defined is also the domain used by the authentication servers. Previously, if you placed AD at the top of the authentication list in Directory Access with OD servers below it, then the login would occur through AD, and the OD servers would be consulted for MCX information. This process, which would fix my Kerberos issues, also seems to no longer work in Tiger. Has anyone got any brilliant ideas as to how to tame this rotten cat?
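An added diagnostic for the symptom described in the post (not code from the original post): after a login, does the realm of the ticket that klist reports match the default_realm in edu.mit.Kerberos? It assumes the MIT krb5.conf layout for /Library/Preferences/edu.mit.Kerberos and the "Default principal:" line of klist output; the realm names and both sample inputs are constructed.

```shell
# Assumed: /Library/Preferences/edu.mit.Kerberos uses the MIT krb5.conf
# layout ([libdefaults] default_realm = ...) and klist prints a line
# "Default principal: user@REALM". Sample inputs below are constructed.

# Print default_realm from a krb5.conf-style file read on stdin.
default_realm() {
  awk '/^[[:space:]]*\[libdefaults\]/ { inlib = 1; next }
       /^[[:space:]]*\[/            { inlib = 0 }
       inlib && $1 == "default_realm" { print $NF; exit }'
}

# Print the realm of the default principal from klist output read on stdin.
ticket_realm() {
  awk -F'[@ ]' '/^Default principal:/ { print $NF; exit }'
}

# Compare config realm against ticket realm: 0 = match, 1 = mismatch,
# 2 = no ticket at all (the "login against OD - no tickets" case).
check_realm() {
  conf_realm=$(printf '%s\n' "$1" | default_realm)
  tkt_realm=$(printf '%s\n' "$2" | ticket_realm)
  if [ -z "$tkt_realm" ]; then
    echo "NO TICKET (expected realm $conf_realm)"; return 2
  elif [ "$conf_realm" = "$tkt_realm" ]; then
    echo "OK: ticket realm $tkt_realm matches edu.mit.Kerberos"; return 0
  else
    echo "MISMATCH: edu.mit.Kerberos says $conf_realm, ticket is for $tkt_realm"; return 1
  fi
}

# Constructed edu.mit.Kerberos pointing at the campus AD realm.
SAMPLE_CONF='[libdefaults]
	default_realm = AD.EXAMPLE.EDU
[realms]
	AD.EXAMPLE.EDU = {
		kdc = dc1.ad.example.edu
	}'

# Constructed klist output for the failure in the post: login went through
# OD, so the ticket is for the OD realm rather than the AD realm.
SAMPLE_KLIST_OD='Kerberos 5 ticket cache: API:Initial default ccache
Default principal: jdoe@OD.EXAMPLE.EDU'

# Constructed klist output for the working (AD-authenticated) case.
SAMPLE_KLIST_AD='Default principal: jdoe@AD.EXAMPLE.EDU'

# Real use on a client after login:
# check_realm "$(cat /Library/Preferences/edu.mit.Kerberos)" "$(klist 2>/dev/null)"
```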