<div dir="ltr">Thanks for the suggestion. Unfortunately, it didn't work for me. I start with a tgt from the <a href="http://WIN.MIT.EDU" target="_blank">WIN.MIT.EDU</a> realm from just logging into my machine:<div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>$ klist</div></div><div><div>Credentials cache: API:0681E34F-FB62-4961-8A06-A62BAEF37491</div></div><div><div> Principal: <a href="mailto:mcneal@WIN.MIT.EDU" target="_blank">mcneal@WIN.MIT.EDU</a></div></div><div><div><br></div></div><div><div> Issued Expires Principal</div></div><div><div>Nov 20 08:57:10 2015 Nov 20 18:57:08 2015 krbtgt/<a href="mailto:WIN.MIT.EDU@WIN.MIT.EDU" target="_blank">WIN.MIT.EDU@WIN.MIT.EDU</a></div></div></blockquote><div><br></div><div>If I destroy that tgt and obtain one from <a href="http://ATHENA.MIT.EDU" target="_blank">ATHENA.MIT.EDU</a>…</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>$ kdestroy</div></div><div><div>$ kinit <a href="mailto:mcneal@ATHENA.MIT.EDU" target="_blank">mcneal@ATHENA.MIT.EDU</a></div></div><div><div><a href="mailto:mcneal@ATHENA.MIT.EDU" target="_blank">mcneal@ATHENA.MIT.EDU</a>'s password: </div></div><div><div>PALPC-145:~ mcneal$ klist</div></div><div><div>Credentials cache: API:B279F665-1256-4CDF-B0E2-F1A0C3C2FC5A</div><div> Principal: <a href="mailto:mcneal@ATHENA.MIT.EDU" target="_blank">mcneal@ATHENA.MIT.EDU</a></div><div><br></div><div> Issued Expires Principal</div><div>Nov 20 09:07:14 2015 Nov 20 19:07:11 2015 krbtgt/<a href="mailto:ATHENA.MIT.EDU@ATHENA.MIT.EDU" target="_blank">ATHENA.MIT.EDU@ATHENA.MIT.EDU</a></div></div></blockquote><div><br></div><div>…and try to connect to DFS, smb://<a href="http://win.mit.edu/dfs/Departmental/jpal" target="_blank">win.mit.edu/dfs/Departmental/jpal</a> via Finder, I'm prompted for a username and password:</div><div><img src="cid:ii_1512535056c62769" alt="Inline image 1" width="562" height="410"></div><div>Entering my kerb password, the DFS volume opens. Oddly, it appears I have the necessary tickets for it to just work:<br></div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>$ klist</div></div><div><div>Credentials cache: API:B279F665-1256-4CDF-B0E2-F1A0C3C2FC5A</div><div> Principal: <a href="mailto:mcneal@ATHENA.MIT.EDU" target="_blank">mcneal@ATHENA.MIT.EDU</a></div><div><br></div><div> Issued Expires Principal</div><div>Nov 20 09:07:14 2015 Nov 20 19:07:11 2015 krbtgt/<a href="mailto:ATHENA.MIT.EDU@ATHENA.MIT.EDU" target="_blank">ATHENA.MIT.EDU@ATHENA.MIT.EDU</a></div><div>Nov 20 09:07:47 2015 Nov 20 19:07:11 2015 krbtgt/<a href="mailto:WIN.MIT.EDU@ATHENA.MIT.EDU" target="_blank">WIN.MIT.EDU@ATHENA.MIT.EDU</a></div><div>Nov 20 09:07:47 2015 Nov 20 19:07:11 2015 cifs/<a href="mailto:w92dc2.win.mit.edu@WIN.MIT.EDU" target="_blank">w92dc2.win.mit.edu@WIN.MIT.EDU</a></div></div></blockquote><div><br></div>Just before the password prompt appears, I see this in the console:<div><br></div><div><div>11/20/15 9:12:02.559 AM secd[295]: SOSAccountThisDeviceCanSyncWithCircle sync with device failure: Error Domain=com.apple.security.sos.error Code=1035 "Account identity not set" UserInfo={NSDescription=Account identity not set}</div><div>11/20/15 9:12:05.364 AM NetAuthSysAgent[19703]: checkForDfsReferral: mounting dfs url failed, syserr = Authentication error</div><div>11/20/15 9:12:05.364 AM NetAuthSysAgent[19703]: smb_mount: mount failed to <a href="http://w92dc2.WIN.MIT.EDU/dfs">w92dc2.WIN.MIT.EDU/dfs</a>, syserr = Authentication error</div><div><br></div><div>Is anyone else binding their 10.11 machines to the win domain and using SAPgui?</div><div><br></div><div>—Patrick</div><div><br></div><div><br></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><br></div><div>IT Manager | <span style="border-collapse:collapse"><a href="http://povertyactionlab.org/" target="_blank">J-PAL</a> | <a href="http://mit.edu" target="_blank">MIT</a><a></a> </span>| +1 617-324-2721 | <a href="mailto:mcneal@mit.edu" target="_blank">mcneal@mit.edu</a><br></div></div></div></div>
<br><div class="gmail_quote">On Thu, Nov 19, 2015 at 10:02 PM, Teddy Thomas <span dir="ltr"><<a href="mailto:tthoma24@mit.edu" target="_blank">tthoma24@mit.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">[resending from my MIT email]<span class=""><div><br></div><div><span style="font-family:HelveticaNeue">Hi Patrick-</span><br style="font-family:HelveticaNeue"><br style="font-family:HelveticaNeue"><span style="font-family:HelveticaNeue">I believe the changes you’ll want to your krb5 config are under [domain_realm]; just add </span><a href="http://win.mit.edu" style="font-family:HelveticaNeue" target="_blank">win.mit.edu</a><span style="font-family:HelveticaNeue"> = </span><a href="http://win.mit.edu" style="font-family:HelveticaNeue" target="_blank">WIN.MIT.EDU</a><span style="font-family:HelveticaNeue"> and .</span><a href="http://win.mit.edu" style="font-family:HelveticaNeue" target="_blank">win.mit.edu</a><span style="font-family:HelveticaNeue"> = </span><a href="http://win.mit.edu" style="font-family:HelveticaNeue" target="_blank">WIN.MIT.EDU</a><span style="font-family:HelveticaNeue">. I put my edu.mit.Kerberos file in /mit/tthoma24/Public so you can see what I did (note I made other edits which you may not want).</span><br style="font-family:HelveticaNeue"><br style="font-family:HelveticaNeue"><span style="font-family:HelveticaNeue">I’m not a Kerberos expert, but I think the issue here is Kerberos cross realm doesn’t exist from the WIN realm to ATHENA realm, but DOES exist going the other way, meaning you can authenticate to WIN with an ATHENA ticket, but not the other way. Installing Kerberos extras and getting an Athena ticket was the first piece, but I don’t think the krb5 conf in Kerberos Extras for Mac defines the WIN realm, which is likely necessary to get the </span><a href="mailto:krbtgt/WIN.MIT.EDU@athena.mit.edu" style="font-family:HelveticaNeue" target="_blank">krbtgt/WIN.MIT.EDU@ATHENA.MIT.EDU</a><span style="font-family:HelveticaNeue"> so you can authenticate to WIN services with an ATHENA ticket.</span><br style="font-family:HelveticaNeue"><br style="font-family:HelveticaNeue"><span style="font-family:HelveticaNeue">Hope this helps. Good luck.</span><br style="font-family:HelveticaNeue"><br style="font-family:HelveticaNeue"><span style="font-family:HelveticaNeue">-Teddy</span></div></span><div><font face="HelveticaNeue"><br></font><div><blockquote type="cite"><span class=""><div>On Nov 19, 2015, at 2:38 PM, Patrick McNeal <<a href="mailto:mcneal@mit.edu" target="_blank">mcneal@mit.edu</a>> wrote:</div><br></span><div><div><div class="h5"><div dir="ltr">Has anyone been able to get the <a href="https://ist.mit.edu/sapr3/sapgui/740/mac" target="_blank">latest SAPgui</a> to work on a Mac OS X 10.11 machine that is bound to the WIN domain? We're using the WIN domain for authentication and authorization, but it appears the SAPgui doesn't work with kerberos tickets from the <a href="http://win.mit.edu/" target="_blank">WIN.MIT.EDU</a> realm.<div><br></div><div>Installing <a href="http://ist.mit.edu/kerberos/extras/mac" target="_blank">Kerberos Extras for Mac</a> works if I destroy my <a href="http://win.mit.edu/" target="_blank">WIN.MIT.EDU</a> tickets and then obtain a TGT for the <a href="http://athena.mit.edu/" target="_blank">ATHENA.MIT.EDU</a> realm, but then I'm unable to access DFS or other <a href="http://win.mit.edu/" target="_blank">WIN.MIT.EDU</a> resources.</div><div><br></div><div>For what it's worth, here is my /Library/Preferences/edu.mit.Kerberos:</div>
<div><br></div><div><div>[libdefaults]</div><div> default_realm = <a href="http://athena.mit.edu/" target="_blank">ATHENA.MIT.EDU</a></div><div> forwardable = TRUE</div><div> proxiable = TRUE</div><div> noaddresses = TRUE</div><div> allow_weak_crypto = TRUE</div><div><br></div><div>[realms]</div><div> <a href="http://athena.mit.edu/" target="_blank">ATHENA.MIT.EDU</a> = {</div><div> kdc = <a href="http://kerberos.mit.edu" target="_blank">kerberos.mit.edu</a>.:88</div><div> kdc = <a href="http://kerberos-1.mit.edu" target="_blank">kerberos-1.mit.edu</a>.:88</div><div> kdc = <a href="http://kerberos-2.mit.edu" target="_blank">kerberos-2.mit.edu</a>.:88</div><div> admin_server = <a href="http://kerberos.mit.edu/" target="_blank">kerberos.mit.edu</a>.</div><div> default_domain = <a href="http://mit.edu/" target="_blank">mit.edu</a></div><div> }</div><div><br></div><div>[domain_realm]</div><div> .<a href="http://mit.edu/" target="_blank">mit.edu</a> = <a href="http://athena.mit.edu/" target="_blank">ATHENA.MIT.EDU</a></div><div> <a href="http://mit.edu/" target="_blank">mit.edu</a> = <a href="http://athena.mit.edu/" target="_blank">ATHENA.MIT.EDU</a></div><div><br></div><div>[v4 realms]</div><div> <a href="http://athena.mit.edu/" target="_blank">ATHENA.MIT.EDU</a> = {</div><div> kdc = <a href="http://kerberos.mit.edu/" target="_blank">kerberos.mit.edu</a>.</div><div> kdc = <a href="http://kerberos-1.mit.edu/" target="_blank">kerberos-1.mit.edu</a>.</div><div> kdc = <a href="http://kerberos-2.mit.edu/" target="_blank">kerberos-2.mit.edu</a>.</div><div> admin_server = <a href="http://kerberos.mit.edu/" target="_blank">kerberos.mit.edu</a>.</div><div> default_domain = <a href="http://mit.edu/" target="_blank">mit.edu</a></div><div> string_to_key_type = mit_string_to_key</div><div> }</div><div><br></div><div>[v4 domain_realm]</div><div> .<a href="http://mit.edu/" target="_blank">mit.edu</a> = <a href="http://athena.mit.edu/" target="_blank">ATHENA.MIT.EDU</a></div><div> <a href="http://mit.edu/" target="_blank">mit.edu</a> = <a href="http://athena.mit.edu/" target="_blank">ATHENA.MIT.EDU</a></div><div><br></div><div><div>Thanks,</div><div><br></div><div>—Patrick</div><div><br clear="all"><div><div><div dir="ltr"><div><br></div><div>IT Manager | <span style="border-collapse:collapse"><a href="http://povertyactionlab.org/" target="_blank">J-PAL</a> | <a href="http://mit.edu/" target="_blank">MIT</a><a></a> </span>| <a href="tel:%2B1%20617-324-2721" value="+16173242721" target="_blank">+1 617-324-2721</a> | <a href="mailto:mcneal@mit.edu" target="_blank">mcneal@mit.edu</a><br></div></div></div></div>
</div></div></div></div></div></div><span class="">
_______________________________________________<br>Macpartners mailing list<br><a href="mailto:Macpartners@mit.edu" target="_blank">Macpartners@mit.edu</a><br><a href="http://mailman.mit.edu/mailman/listinfo/macpartners" target="_blank">http://mailman.mit.edu/mailman/listinfo/macpartners</a><br></span></div></blockquote></div><br></div></div></blockquote></div><br></div>