Forum Replies Created
zero
Participant
We are seeing similar issues.
Some helpful info for basic Kerb auth was found at http://linsec.ca/blog/2011/07/26/kerberos-on-os-x-10-7-lion/
However, third party LDAP does not seem to work right.
We played with the /etc/pam.d/authorization setting “auth optional pam_krb5.so use_first_pass default_principal”.
From logs it looks like the user is getting a TGT but then it ends with “OpenDirectory – The authtok is incorrect”.
Command line kinit works.

zero
Participant
So what are the characteristics of the accounts with the bad security group? What should I be looking for in AD that would distinguish these problem security groups?
Server appears to have bound properly and I can get Kerb tickets locally.
I can AFP to the server without a Kerb ticket but get the error 32 with a ticket. I can SSH to the server. I can’t use SMB from the Mac with or without a Kerb ticket and can’t connect from a Windows machine bound to AD.
Marc
zero
Participant
As far as I know it isn’t possible for a Mac to make a GUI SMB connection to a Windows server or even another Mac that is only doing SMB on port 445. I’ve reported this as a bug to Apple but they don’t seem to think it’s a bug. Even the command line SMB tools that you might use on any other UNIX to make a mount seem to be crippled by Apple.
But at the command line you can use ‘smbclient’ to connect to port 445 like an FTP connection, but it doesn’t seem to be able to create a mount.
If you have SSH on the Windows server you can tunnel the connection. Rutgers has a nice set of directions.
http://www.nbcs.rutgers.edu/newdocs/samba/macosx/port_for.php
Haven’t tried installing the SMB from source or binary to see if it fixes anything but it might give you command line access. If you get that you can make a mount point in the file system then use the GUI to access it.