Forum Replies Created

Arte (Participant)
I have solved the problem. The Windows Administrator has produced new keytab entries for my Mac OS X Server. I have replaced the old /etc/krb5.keytab with the new entries, and since then it's working again.
As I said before, we have two servers where one can act as a backup system. However, the one where the first round of keytabs was produced crashed so badly it had to be replaced. It looks like the authentication entries don't propagate to the other server.
Arte (Participant)
I should mention that the Kerberos auth server is a Windows 2k3 server. It spits out some errors regarding double host/server.fqdn/DOMAIN errors and not-authorized errors.
The server part is split into a main server and one backup. It all happened after one of them died and they had to re-set up that one. Maybe I have to go through the process again and delete old Kerberos entries on the server.
Leo.
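The condition described in the two posts above (a server rebuilt and re-joined, with the old host entries still alongside the new ones) shows up directly in the keytab: the same principal appears under more than one KVNO, and the KDC will only accept the current one. The following is an added example and not from the original thread; the `klist -kt` listing is constructed, and the hostname and realm are placeholders.

```shell
#!/bin/sh
# Constructed sample of `klist -kt /etc/krb5.keytab` output (placeholder host/realm).
# The KVNO 3 lines are left over from before the server was rebuilt; KVNO 5 is
# the keytab the AD administrator generated afterwards.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/10/06 10:22:11 host/odserver.example.com@EXAMPLE.COM
   3 02/10/06 10:22:11 afpserver/odserver.example.com@EXAMPLE.COM
   5 02/22/06 15:40:02 host/odserver.example.com@EXAMPLE.COM
   5 02/22/06 15:40:02 afpserver/odserver.example.com@EXAMPLE.COM
   5 02/22/06 15:40:02 cifs/odserver.example.com@EXAMPLE.COM'

# Read klist -kt output on stdin; print "principal kvno" for every entry line.
# Entry lines are the ones whose first field is a number (the KVNO).
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { print $NF, $1 }'
}

# Principals present under more than one KVNO: stale entries from an earlier
# join that should be removed (or the whole keytab replaced, as in the post).
keytab_stale_principals() {
    keytab_entries | sort -u |
        awk '{ n[$1]++ } END { for (p in n) if (n[p] > 1) print p }' | sort
}

# Highest KVNO in the keytab. The KDC's current key version for the host
# account must match it, otherwise tickets for this service cannot be decrypted.
keytab_max_kvno() {
    keytab_entries | awk 'BEGIN { m = 0 } $2 + 0 > m { m = $2 + 0 } END { print m }'
}

# Exit 0 if the given principal (e.g. afpserver/fqdn@REALM, needed for AFP
# single sign-on) is present in the keytab, 1 otherwise.
keytab_has() {
    keytab_entries | awk -v want="$1" '$1 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone usage: run the checks against the constructed sample.
# On a real server replace the sample with: klist -kt /etc/krb5.keytab | ...
printf '%s\n' "$SAMPLE_KLIST" | keytab_stale_principals
printf '%s\n' "$SAMPLE_KLIST" | keytab_max_kvno
printf '%s\n' "$SAMPLE_KLIST" | keytab_has cifs/odserver.example.com@EXAMPLE.COM && echo "cifs principal present"
```

On a live server pipe `klist -kt /etc/krb5.keytab` into the functions instead of the sample. An empty result from `keytab_stale_principals` and a `keytab_max_kvno` equal to the key version the KDC currently issues for the host (MIT Kerberos, as shipped with Mac OS X of that era, reports it with `kvno host/fqdn` after a `kinit`) means the keytab is consistent with AD; duplicates with different KVNOs are the case the poster fixed by installing a freshly generated keytab.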
Arte (Participant)
All of a sudden I have a strange problem with my mobile clients. Whenever the screen locks, or they reboot, or they try to unlock a pref pane, it takes ages to unlock or even shows wrong password.
This happens whenever the clients are not in our normal environment (like at home or somewhere else). I have entered the OD server as an IP address and have short timeouts. I have not been able to find out where exactly it hangs. Any hints?
Arte (Participant)
I just did something similar. The steps are as follows:
1. Make the OS X Server an Open Directory Master
2. Bind the OS X Server to your AD domain to get the users
3. Create a group on the OS X Server in OD (i.e. Mac Users)
4. With WGM put the Mac users from AD into that group
5. With WGM manage preferences for that group
6. In addition to AD, bind your Mac clients to OD by adding your OD as an LDAPv3 server
For step 2 use Directory Service and bind the server like you did with the clients.
For step 3 you need to switch to /Active Directory/All Domains in WGM.
Now the client gets the auth info from AD but will also query OD for information and find that it's in the Mac Users group, which is managed.
Arte.
February 23, 2006 at 7:10 pm in reply to: How do I setup Kerberos authentication to AD server with OD users? #365434
Arte (Participant)
Nice idea, but that's not an option here. I am sort of an appendix to the rest of our infrastructure, trying to integrate the Macs better.
While playing around with my test Mac I found that after reboot the user logging in does not get his Kerberos ticket and thus the AFP mount fails. It may have to do with me playing with edu.mit.Kerberos, so I will replace it with the default (is re-binding the client with AD enough?).
This is not a big issue, as the user with a mobile home can mount the home dir and then the home synchronization works just fine. It would just add to the happiness of the users (esp. my boss :-).
February 23, 2006 at 2:46 pm in reply to: How do I setup Kerberos authentication to AD server with OD users? #365426
Arte (Participant)
A long fight, but now I know the pitfalls …
The main problem all along was that the home directories were not seen and mounted. The important part is to put all Mac computer accounts in AD into the Pre-Windows 2000 Authentication group so that the AD plugin can read all user attributes. After that is done it works like a charm.
The Kerberos stuff above is then a nice side thing, to be able to host the home directories on an AFP volume on an Xserve with single sign-on.
February 22, 2006 at 7:49 pm in reply to: How do I setup Kerberos authentication to AD server with OD users? #365424
Arte (Participant)
I did a few more tests. I am sure the Kerberos stuff works. After I have logged in, klist displays a TGT and, as described, Cmd-K mounting works flawlessly. However, looking up users with lookupd -d and userWithName: leo shows home: /Users/leo, which indicates that the home directory somehow gets lost in the process.
With WGM on the Xserve I do see smb://server/Users/leo as the home. This is very strange. Is the home directory in AD on Windows Server 2003 in some different attribute? I found it in SMBHome and something like (I don't have access at the moment) dsAttribute:HomeDirectory.
Leo.
February 22, 2006 at 5:55 pm in reply to: How do I setup Kerberos authentication to AD server with OD users? #365421
Arte (Participant)
Quote from dthompson:
> Have you seen this link here? It sounds to me like you are looking to create cross realm authentication. http://www.4am-media.com/sso/#unix
That was a great hint I had not dared to try before … Anyway, I have set up the Kerberos cross auth and now I can log in a user with his AD password. Using Cmd-K in Finder and trying to mount afp://server/Users/username will promptly mount the directory. However, it looks like the user does not get a ticket upon login, as /Network/Servers/server/Users is mounted as guest, as I can see from Server Admin. I tried setting up /etc/authorization as explained in some tutorials, but with no positive results.
Any more hints?