s_groening (Participant)
Your DNS config certainly looks ‘sane’ to me.

However, are you sure that you are a ‘Domain Admin’ on the W2K/W2K3 AD server?
I believe a user with lesser group privileges than ‘Domain Admins’ can add a Windows client to the AD if he or she has ‘sufficient’ rights, that being ‘Account Operators’. This works for Windows clients, but I am less than sure about Mac OS X...
Best regards
Søren Grønning
s_groening (Participant)
Do you have a sane DNS configuration with A host records for each server, Mac and Windows, and corresponding reverse PTR records? If your DNS is located on the AD server, then add this as the only DNS server for the Mac OS X Server. That ought to do the trick.
regards,
Søren Grønning
s_groening (Participant)
Try reading this document that I have posted here earlier...
Mac OS X single sign-on with Active Directory
It should give you a pretty straightforward way of getting this to work properly (single sign-on) for both Mac and Windows users.
Regards,
Søren Grønning
s_groening (Participant)
Have you tried making the suggested changes to the AD domain group policies?
I got the ‘invalid user name or password’ error right until that point. I am running 10.3.7 as well — both server and client.
s_groening (Participant)
Hmmm, having read your post once again, it strikes me that you have entered your realm as your workgroup... This is not the way to do it properly, at least not if you are working on a subnet... Enter the NT name for your domain/workgroup in uppercase, e.g. for my domain, liederbrau.de, I would enter ‘workgroup = LIEDERBRAU’ and enter my ‘realm = LIEDERBRAU.DE’ separately, which is supposed to be the sane method.
By the way, in my last post I think I might have answered a completely different question than the one I now think you are really asking...
I have had no problems doing SSO from a Windows client to my Mac OS X Server with the common smb.conf modifications done as described in Michael Bartosh’s excellent slide handouts from the Macosxlabs.org web cast last year.
security = ADS
realm = FOO.BAR.COM
workgroup = FOO
use spnego = yes
Best regards,
Søren Grønning Iversen
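The post above describes the classic mix-up of entering the Kerberos realm as the NT workgroup, and lists the four smb.conf settings an AD member needs. The following is an added example, not from the thread or from Samba itself: a small checker that parses the [global] section of an smb.conf and reports that mix-up, a missing or lower-case realm, an explicit "use spnego = no", and mistyped parameter names (which Samba ignores apart from a log message). The two sample configurations at the bottom are constructed; the list of known parameter names is a short subset chosen for this example.

```python
"""Check an smb.conf [global] section for the AD-member settings the post above
lists (security = ADS, realm, workgroup, use spnego) and for the workgroup/realm
mix-up it describes. Added example, not from the original thread; the two sample
configs below are constructed."""
import difflib
import re
from typing import Dict, List

# Parameter names compared the way Samba does: case and whitespace removed.
# A short subset chosen for this example, not Samba's full list.
KNOWN_PARAMS = (
    "security", "realm", "workgroup", "usespnego", "netbiosname",
    "passwordserver", "encryptpasswords", "kerberosmethod",
)


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters, keys normalised the way Samba compares them."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment lines
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def check_smb_conf(text: str) -> List[str]:
    """Return a list of problems; an empty list means the AD settings look sane."""
    g = parse_global(text)
    problems: List[str] = []
    realm = g.get("realm", "")
    workgroup = g.get("workgroup", "")

    if g.get("security", "").lower() != "ads":
        problems.append("security must be ADS for a Kerberos (SSO) domain member")
    if not realm:
        problems.append("realm is missing")
    else:
        if "." not in realm:
            problems.append("realm should be the DNS domain name, e.g. FOO.BAR.COM")
        if realm != realm.upper():
            problems.append("realm should be upper-case; Kerberos realm names are case-sensitive")
    if not workgroup:
        problems.append("workgroup is missing")
    else:
        if "." in workgroup:
            problems.append("workgroup looks like a realm; use the short NT domain name, e.g. FOO")
        if workgroup != workgroup.upper():
            problems.append("workgroup should be upper-case")
    if realm and workgroup and workgroup.upper() == realm.upper():
        problems.append("workgroup equals realm; the NT name and the DNS realm are separate settings")
    # 'use spnego' defaults to yes, so only an explicit 'no' is a problem.
    if g.get("usespnego", "yes").lower() in ("no", "false", "0"):
        problems.append("use spnego must be yes for Kerberos negotiation")
    # A misspelt parameter name is ignored by Samba apart from a log message,
    # so flag anything that is close to a known name.
    for key in g:
        if key not in KNOWN_PARAMS:
            near = difflib.get_close_matches(key, KNOWN_PARAMS, n=1, cutoff=0.8)
            if near:
                problems.append(f"unknown parameter '{key}', did you mean '{near[0]}'?")
    return problems


# Constructed samples: the realm wrongly entered as the workgroup, and the sane form.
SAMPLE_BAD = """[global]
security = ADS
realm = FOO.BAR.COM
workgroup = FOO.BAR.COM
use spnego = yes
"""

SAMPLE_GOOD = """[global]
security = ADS
realm = FOO.BAR.COM
workgroup = FOO
use spnego = yes
"""

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_smb_conf(cfg) or "OK")
```

Run it against a real smb.conf by passing the file's contents to check_smb_conf(); the checks are deliberately conservative, so an empty result means only that these particular settings are consistent, not that the join itself will succeed.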
s_groening (Participant)
This is probably due to faulty settings in your W2K3 Server’s domain controller group policy.
Make sure the following options are enabled/disabled:
Domain Member: Digitally encrypt or sign secure channel data (always) = disabled
Domain Member: Digitally encrypt secure channel data (when available) = enabled
Domain Member: Digitally sign secure channel data (when available) = enabled
Microsoft network server: Digitally sign communications (always) = disabled
Microsoft network server: Digitally sign communications (if client agrees) = enabled
Microsoft network client: Digitally sign communications (always) = disabled
Microsoft network client: Digitally sign communications (if server agrees) = enabled
Microsoft network client: Send unencrypted password to third-party SMB servers = disabled
This helped me reach SMB SSO within my domain... Samba takes care of the win2mac part of it just nicely; however, the Mac OS X SMB client works in a different manner than smbclient, which by the way works without the above-mentioned changes... oddly enough...
Best regards
Søren Grønning Iversen
s_groening (Participant)
Have you tried to set up Kerberos principals in the way described by Michael Bartosh at http://4am-media.com/SSO/ ?
This has helped my AFP SSO situation tremendously — actually that is what made it work.

With a correctly populated krb5.keytab file you might have better chances at making it work.
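The post above points at a correctly populated krb5.keytab as the thing that made AFP SSO work, so the first check is to list what the keytab actually contains and confirm that a principal exists for every service that is supposed to accept Kerberos tickets. The following is an added example, not from the thread, Apple or MIT: a parser for the version-2 keytab format shared by MIT Kerberos and Heimdal, plus a helper that reports missing service names. The keytab it reads is constructed in the block with build_keytab() so the example runs offline, and the required service list (host, cifs, afpserver) is an assumption for illustration; confirm which service principals your server really uses. On a live system `klist -kt` gives the same listing.

```python
"""List the principals in a krb5.keytab and report which service principals are
absent. Added example, not from the thread. The keytab here is constructed with
build_keytab() so it runs offline; on a real system 'klist -kt' gives the same view."""
import struct
from typing import Iterable, List, NamedTuple, Tuple


class KeytabEntry(NamedTuple):
    principal: str   # e.g. cifs/server.foo.bar.com@FOO.BAR.COM
    kvno: int
    enctype: int     # RFC 3961 encryption type number (23 = rc4-hmac)
    timestamp: int


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit length-prefixed byte string; return (data, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse the version-2 (0x0502) keytab format used by MIT Kerberos and Heimdal."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # a negative size marks a deleted slot
            off += -size
            continue
        if size == 0:
            raise ValueError("zero-length keytab entry")
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _counted(data, off)  # the key itself is not needed for a listing
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno follows the key
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, timestamp))
        off = end
    return entries


def missing_services(entries: Iterable[KeytabEntry], required: Iterable[str]) -> List[str]:
    """Service names (the part before '/') that have no principal in the keytab."""
    present = {e.principal.split("/", 1)[0] for e in entries if "/" in e.principal}
    return [s for s in required if s not in present]


def build_keytab(entries: Iterable[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a version-2 keytab.
    Only used to construct sample data; real keytabs come from ktutil or the DC."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: host/ and cifs/ keys present, afpserver/ missing.
SAMPLE_KEYTAB = build_keytab([
    ("host/server.foo.bar.com@FOO.BAR.COM", 3, 23, b"\x11" * 16),
    ("cifs/server.foo.bar.com@FOO.BAR.COM", 3, 23, b"\x22" * 16),
])
# Service names assumed here for illustration; confirm which ones your server needs.
REQUIRED_SERVICES = ("host", "cifs", "afpserver")

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"kvno {e.kvno:2d} enctype {e.enctype:3d} {e.principal}")
    print("missing:", missing_services(parse_keytab(SAMPLE_KEYTAB), REQUIRED_SERVICES))
```

To inspect a real file, read it in binary mode and pass the bytes to parse_keytab(); a principal that is present but whose kvno no longer matches the account's key version on the domain controller will still fail authentication, so compare the listed kvno against the DC as well.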