Mac OS X kerberos : kerberized SMB, but no access to AD Server

Søren Grønning sgi at dskd.dk
Wed Dec 15 08:09:04 EST 2004


Hi,

I am having a problem accessing my W2K3 server in an SSO environment,
consisting of a Mac OS X 10.3.6 Server and two W2K3 Servers.

SSO-wise, everything is supposedly set up correctly; my smb.conf has been
edited to contain the following lines required for SSO:

Security = ads
Encrypt password = yes //samba default
Workgroup = FOO
Realm = FOO.BAR.COM
Use spnego = yes
Client use spnego = yes
Domain logons = yes
Client use ntlmv2 auth = yes

...and everything works like a charm on the Windows side of the fence.... The
majority of our clients run Mac OS X, however, and from these machines I
cannot get in contact with the W2K3 servers when using Kerberos. Using
Apple's standard setup is no problem...

...I even have SSO for AFP (Apple File Protocol) working with customised
Kerberos principals on the W2K3 servers...

...The only bit missing is the re-acceptance of the once granted (Active
Directory) Kerberos TGT for SSO use with Mac OS X.... This ticket is
encrypted with Arcfour HMAC-MD5 and this seems to be valid enough, since the
exact same type of ticket gives us SSO from W2K client -> Mac OS X 10.3.6
server....

Does anyone have a clue as to what might be skewing things up,
kerberos-wise?

Best regards,

Søren Grønning


