AD Realm Kerberos Failure

Senator Jack

Hi,

My first post here, and of course it would have to deal with Windows AD integration.

I've spoken with an Apple engineer about this issue, but it seems to me they're not sure of how it's supposed to work either. From what I learned through three days of research, and the AD-OD paper at AFP 938, the correct way to integrate is:

1) Under Open Directory choose 'Connected to a Directory System'
2) Bind the Xserve to the Domain
3) Click the Join Kerberos button

And here's where it goes haywire.

In the Realm box I'm only seeing Null (default). The domain realm does not appear, nor can I get it to appear. If I then click Save without joining the realm, the Join Kerberos button disappears and I cannot attempt to join the realm again unless I unbind and rebind the server. The engineer claims I have DNS issues, but I proved to him that that is not the case. My DNS is clean and all the forward and reverse records are there. I can even get a Kerberos ticket through the Kerberos GUI, so what would prevent the Realm from appearing in the box?

I've found another thread with the same issue, but unfortunately there was no solution in it.

Any ideas, would be helpful.

Thanks and kind regards,

Jack
 
Well, 99% of the time it is actually Kerberos. Remember, just because you can get a ticket doesn't always mean it's a valid ticket. :)

This is on Tiger Server I'm gathering?

What version of AD are you running? 2000? 2003? Are you using anything like DFS, SMB Signing, etc?

Joel's AD-OD white paper at AFP548 is fairly exhaustive. Just because you can forward and reverse resolve the DNS of your Xserve, doesn't necessarily mean that the DNS is properly setup. For the AD plugin to work, Mac OS X needs to be able to also get the service records resolved from DNS, such as resolving things like the global catalog. Do you see any logs on your server when binding that might indicate what's going on?

Also, are you familiar with directory service debug mode? I'd suggest starting debug mode (killall -USR1 DirectoryService) and grabbing out the pertinent AD plugin calls from the debug log. Make sure to issue the USR1 call again to stop debug mode, or you will slowly fill up your server! :)
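The point above about SRV records is the one practitioners most often miss. As an added example, not part of the thread and not Apple's or Joel's code, here is a small POSIX shell helper that lists the SRV names an AD client looks up for a domain (site-less lookups only), flags which are absent from a `dig` answer section, wraps the live `dig` query, and toggles the DirectoryService debug mode described in the post. The domain `example.com`, the host `dc1.example.com`, and the debug log path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that the DNS SRV records an AD
# client needs are present, and toggles DirectoryService debug mode.
# Domain/host names and the debug log path are assumed placeholders.

# Print the SRV names the AD plugin resolves for domain $1, one per line.
ad_srv_names() {
    domain="$1"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$domain" \
        "_kerberos._tcp.dc._msdcs.$domain" \
        "_gc._tcp.$domain" \
        "_kerberos._tcp.$domain" \
        "_kpasswd._tcp.$domain"
}

# Given domain $1 and dig answer-section text $2 (records like
# "_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com."),
# print the SRV names that have no answer. Works offline on captured output.
missing_srv() {
    domain="$1"
    answers="$2"
    for name in $(ad_srv_names "$domain"); do
        printf '%s\n' "$answers" \
            | grep -q "^$name\.[[:space:]].*[[:space:]]SRV[[:space:]]" \
            || printf '%s\n' "$name"
    done
}

# Live check (needs network and dig): collect answers for every SRV name,
# then report what is missing. Exit status 1 if anything is missing.
check_ad_dns() {
    domain="$1"
    answers=""
    for name in $(ad_srv_names "$domain"); do
        answers="$answers
$(dig +noall +answer SRV "$name")"
    done
    missing=$(missing_srv "$domain" "$answers")
    if [ -n "$missing" ]; then
        printf 'Missing SRV records:\n%s\n' "$missing"
        return 1
    fi
    echo "All AD SRV records present for $domain"
}

# Toggle DirectoryService debug mode for $1 seconds (as described in the post),
# then pull the AD plugin lines out of the debug log. The log path below is
# an assumption, not something the thread states.
ad_debug_capture() {
    seconds="${1:-60}"
    log="/Library/Logs/DirectoryService/DirectoryService.debug.log"
    killall -USR1 DirectoryService      # start debug mode
    sleep "$seconds"
    killall -USR1 DirectoryService      # stop it again, or the log grows forever
    grep -i 'active directory' "$log" | tail -n 50
}

# Usage (live):  check_ad_dns example.com; ad_debug_capture 60
```

Run `check_ad_dns` against the AD domain name (not the realm) from the Xserve itself, so it exercises the same resolver the AD plugin uses. An absent `_gc._tcp` or `_kerberos._tcp.dc._msdcs` record is exactly the kind of gap that lets forward and reverse lookups of the server succeed while binding and realm discovery still fail.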
 
Michael,

I have an out of the box Tiger server trying to connect to a 2000 SBS AD. I can bind. I can see users in WGM. I get no errors in my 2000 event log. I did get the Xserve to see the realm ONCE, but being that I still couldn't get the AD to correctly connect, I tried unbinding and rebinding and then I lost the realm again. There must be a certain sequence that has to be followed to get it to work. I did it once, but it happened to be by luck and I couldn't replicate it.

I'm a Windows/Novell consultant that's been thrust into the Mac world by a new client who begged me to work on their Macs after I got their network solid. (I guess the guys before me weren't very good.) I don't know how to work the debug mode, so if you can point me to an article that would be great. I suppose I just need to see a specific error - why it's not seeing the realm - rather than the generic 'keytab file' error that the Mac gives. (This sort of error reporting leaves much to be desired on the Mac.)

I have gone through that AD-OD paper, and while fairly exhaustive, it unfortunately doesn't help if I can't get past the first page. From what I'm reading 'No Realm' means 'No Integration.'

Reading through a few other posts, I see others are having the same problem. The full Kerberos login (asking for DNS) sometimes appears, and sometimes it's the three-field form with the Null (default) realm. To me this is an inconsistency that indicates a bug. Any other thoughts?

Thanks and kind regards,

Jack
 
Take a look back at my post as it does tell you how to run debug mode. :)

I can't really speak to a bug. I've deployed this solution on Tiger a plethora of times. Sometimes it takes some tweaking and some good under the hood knowledge, but I haven't had a situation that couldn't be rectified.
 