10.4.2 Server authentication woes


Hello -

I was recently put in charge of a Mac Server at work, in order to have my own machine to host the internal web site I created. I am by no means either a Mac or a networking expert, but with the help of some of our staff who sometimes wear IT hats, we have been able to get somewhere close to a workable solution. All users at our company log in to an Active Directory domain on a Win 2003 Server when they boot to Windows. We have the Mac server set to "Connected to a Directory System" under Open Directory, and have configured the AD plugin and bound to the AD server. So, in theory, if I understand correctly, when a user on one of our Windows machines clicks the icon of the server in Network Neighborhood, the Mac server should authenticate the user automagically, since he/she already logged into the AD domain at Windows startup. However, most of the time it pops a UN/PW dialog and says that the supplied credentials are invalid.

Any ideas on the correct setup? All we really need this thing to do is to run a website (which it doesn't seem to have any problems doing) and to correctly run Windows file sharing, so that I and a select few others can add files to the web folder(s).


Are you sure that the users do have permission to read/write on the shares on the Mac? I think you can do it using the Workgroup Manager. There, besides the Users options (where the Domain Users should appear), there should be a Sharing option where all the shares of the Mac should appear. When selecting one of the shares you should check the ACL (which is the list of permissions for that share) and add every user and/or group you want to be able to access it. Don't forget that you must log on to the Workgroup Manager using a domain account (maybe a domain admin?).

Hope this may be of any help or give you any ideas...

Marcelo Myara
Rio de Janeiro/Brazil

So, to get Kerberos authentication to work from an existing Active Directory, you need to have a few things set up.

First, what version of Mac OS X Server is this? Panther (10.3.x) or Tiger (10.4.x)? Having that final version number is very important as well.

Do you have a proper DNS set up? That'll be integral to AD integration with Mac OS X.

That's a good place to start.

We're running Tiger. We had Panther installed on this machine, did an erase and install with the stock Tiger DVD (10.4.0) and then I got the 10.4.2 update from the Software Update service. So, 10.4.2 is what we're at now, until Apple releases 10.4.3... hopefully soon. :)

We have DNS set up and working. The Mac server can see the list of domain users, and I have ACLs set up on the shared directory. When you browse to the Mac server from Windows, it complains about user credentials, but the user is already authenticated to the domain. Looking at the Windows File Service log in Server Admin on the Mac shows:

[2005/10/17 08:14:54, 1] auth_ods.c:opendirectory_auth_user(212)
  User "jeffb" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14987) :(
[2005/10/17 08:14:54, 1] auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(427)

...and it fills the whole log (or at least the visible buffer) with this. It just repeats over and over, all with the same timestamp, meaning it retries about a bazillion times a second.

Does that provide any clues?

Thanks again,
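The log excerpt above is the kind of thing an administrator ends up eyeballing, so here is a small added example (not code from this thread or from Apple) that parses that two-line Windows File Service pattern and reports how many failures a given account racks up within one second. The header and failure regexes are modelled only on the lines quoted in the thread; the sample log is constructed, and the second account "alice" is made up to show that a single failure at a different time does not trip the threshold.

```python
"""Summarise failed authentications in an OS X Server Windows File Service (auth_ods) log.

Added example, not from the thread. Assumes the two-line format quoted above:
a bracketed timestamp/level header naming the source, followed by a 'User "x"
failed to authenticate with "method" (code)' line.
"""
import re
from collections import Counter, defaultdict

HEADER_RE = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$')
FAILURE_RE = re.compile(r'^\s*User "([^"]+)" failed to authenticate with "([^"]+)" \((-?\d+)\)')

# Constructed sample log, modelled on the excerpt in the thread; "alice" is invented.
SAMPLE_LOG = """\
[2005/10/17 08:14:54, 1] auth_ods.c:opendirectory_auth_user(212)
  User "jeffb" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14987) :(
[2005/10/17 08:14:54, 1] auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(427)
[2005/10/17 08:14:54, 1] auth_ods.c:opendirectory_auth_user(212)
  User "jeffb" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14987) :(
[2005/10/17 08:14:54, 1] auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(427)
[2005/10/17 08:14:54, 1] auth_ods.c:opendirectory_auth_user(212)
  User "jeffb" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14987) :(
[2005/10/17 08:14:54, 1] auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(427)
[2005/10/17 08:14:55, 1] auth_ods.c:opendirectory_auth_user(212)
  User "jeffb" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14987) :(
[2005/10/17 08:14:55, 1] auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(427)
[2005/10/17 08:15:10, 1] auth_ods.c:opendirectory_auth_user(212)
  User "alice" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14987) :(
[2005/10/17 08:15:10, 1] auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(427)
"""


def parse_failures(text):
    """Return one dict per failed authentication: timestamp, level, source, user, method, code.

    A header line is remembered until the next line; if that line is a failure
    message the two are joined into one event, otherwise the header is dropped
    (the ntlmv1 check line in the sample has no detail line and is ignored).
    """
    events = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"timestamp": m.group(1), "level": int(m.group(2)), "source": m.group(3)}
            continue
        m = FAILURE_RE.match(line)
        if m and current is not None:
            events.append({**current, "user": m.group(1), "method": m.group(2), "code": int(m.group(3))})
            current = None
    return events


def failures_per_second(events):
    """Count failures keyed by (user, timestamp); the log is timestamped to the second."""
    return Counter((e["user"], e["timestamp"]) for e in events)


def find_bursts(events, threshold=3):
    """Return sorted (user, timestamp, count) for every second with at least `threshold` failures."""
    return sorted((u, t, n) for (u, t), n in failures_per_second(events).items() if n >= threshold)


def codes_by_user(events):
    """Map each user to a Counter of (method, code) pairs.

    One account failing the same method with the same code over and over, as
    in the thread, reads like a client/server negotiation problem; many accounts
    or many distinct codes would be the thing to look at more closely.
    """
    out = defaultdict(Counter)
    for e in events:
        out[e["user"]][(e["method"], e["code"])] += 1
    return out


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for user, ts, n in find_bursts(evs):
        print(f"{ts}: {n} failures for {user!r}")
    for user, counter in codes_by_user(evs).items():
        print(user, dict(counter))
```

Point it at a saved copy of the Server Admin log (read the file into `parse_failures`) and raise or lower the threshold to taste; three identical failures in the same second for the same account is already enough to separate the retry storm described in the thread from a user simply mistyping a password.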