Problems with Kerberos/AD authentication

greenbirdweb

Hello -

I have a 10.4 Server that I wish to integrate into an existing Windows domain. The Active Directory server is Windows 2003. All clients are either Win2K or XP machines. I want the clients to be able to browse shared folders from the Mac server through Network Places.

I have followed the instructions in Apple's Windows Services Administration Guide. The server is set up as "Connected to a Directory System" and has joined the Kerberos realm. However, it doesn't seem to be functioning properly (the Windows services and authentication) and there are a couple of things I find strange.

First, once the Kerberos realm has been joined, all mention of it disappears from the Settings->General area of the Open Directory service. Is that normal? I was expecting it to say something like, "Connected to Directory System" with "Joined to Kerberos Realm" or something similar below it.

Also, under the Windows service Settings->Access tab, I have to keep NTLM (v1) checked in order for the share points to be accessible to the Windows clients. If I deselect it (the service should be using v2 and Kerberos anyway, right?) then the client is given a UN/PW prompt and a message saying, "Incorrect password or unknown username". The user authenticates to the Active Directory domain when they log in to Windows, so the Mac isn't getting the correct information from Kerberos somehow. Strange, though, that the share is accessible if NTLM(v1) is enabled. It appears to me that the Mac is only using NTLM to authenticate, and not Kerberos. Also, entering the user's AD UN/PW if the prompt appears does not allow access.

Any ideas on what the problem might be? The AD admin said it looks as if the Mac server authenticates to Kerberos correctly, so I can't figure out what the problem is!

Thanks,

Jeff
 
The Kerberos button does 'go away'. That's normal behavior after you've joined a third party Kerberos server.

Try running kinit on the Tiger Server to query your AD for a Kerberos ticket. Then use klist to see if the tgt is properly returned. Also, check your forward and reverse DNS records from the Xserve. AD integration is highly reliant on a working DNS. Also, you do have the AD authentication node listed in the Directory Access application, correct?

Michael
 
Hmmm....

Well, according to the Win2k3 server guy, he says the Mac server is authenticating okay. However, doing as you prescribed, I get the following:

>kinit
Please enter password for admin@COMPANYAD.COMPANY.COM
Kerberos Login Failed: Client not found in Kerberos database

>klist
klist: No Kerberos 5 tickets in credentials cache
klist: No Kerberos 4 tickets in credentials cache

In Directory Access, companyad.company.com is listed for both the Active Directory Forest and the Active Directory Domain. The server guy says those got filled in automagically.

DNS lookup seems to work correctly in both directions.

Do you think the problem lies more in the way things are set up, or in something being "broken" in 10.4.2 that will hopefully be fixed in 10.4.3, whenever that happens to appear?

Thanks again,

Jeff
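The forward/reverse DNS round trip that Michael asks for above, and the question of which service principals the Xserve should hold in the realm that Jeff's kinit prompt shows (COMPANYAD.COMPANY.COM), can be checked with a small script. The following is an added example, not code from either poster or from Apple; the host name xserve.companyad.company.com, the address 192.0.2.10 and the lookup tables are constructed sample data, and the resolver functions can be left at their defaults to query the real DNS instead.

```python
import socket

# Constructed sample data standing in for the real server: a forward (A)
# table and a reverse (PTR) table that agree with each other.
SAMPLE_FORWARD = {"xserve.companyad.company.com": "192.0.2.10"}
SAMPLE_REVERSE = {"192.0.2.10": "xserve.companyad.company.com"}


def expected_service_principals(fqdn, realm):
    """Service principals a Kerberos-joined file server is expected to hold.

    Hypothetical minimal list: the host principal plus the CIFS (SMB)
    service principal that Windows clients request when they browse a
    share with Kerberos. Realm names are upper-cased, as Kerberos expects
    (compare the lower-case DNS domain name shown in Directory Access).
    """
    realm = realm.upper()
    return [f"host/{fqdn}@{realm}", f"cifs/{fqdn}@{realm}"]


def check_dns_round_trip(fqdn, forward=None, reverse=None):
    """Verify fqdn -> address -> name comes back to the same fqdn.

    forward(name) returns an address and reverse(address) returns a name.
    Both default to the system resolver; injecting table lookups (as the
    sample below does) allows the logic to be exercised offline.
    """
    forward = forward or socket.gethostbyname
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    problems = []
    try:
        addr = forward(fqdn)
    except (socket.gaierror, KeyError) as exc:
        return {"ok": False, "problems": [f"no A record for {fqdn}: {exc!r}"]}
    try:
        name = reverse(addr)
    except (socket.herror, KeyError) as exc:
        return {"ok": False, "address": addr,
                "problems": [f"no PTR record for {addr}: {exc!r}"]}
    # Compare case-insensitively and ignore a trailing dot on either side.
    if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
        problems.append(f"PTR for {addr} is {name!r}, expected {fqdn!r}")
    return {"ok": not problems, "address": addr,
            "reverse_name": name, "problems": problems}


def run_sample_check():
    """Run the round-trip check against the constructed sample tables."""
    return check_dns_round_trip(
        "xserve.companyad.company.com",
        forward=SAMPLE_FORWARD.__getitem__,
        reverse=SAMPLE_REVERSE.__getitem__,
    )


if __name__ == "__main__":
    result = run_sample_check()
    print("DNS round trip:", "OK" if result["ok"] else result["problems"])
    for spn in expected_service_principals("xserve.companyad.company.com",
                                           "companyad.company.com"):
        print("expected principal:", spn)
```

A mismatch between the PTR name and the host's own name is reported in the returned "problems" list rather than raising, so the check can be run across several hosts and the findings collected; with the defaults it resolves through the system resolver exactly as nslookup or host would.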
 