AD multiple domain logon and problems with Kerberos File Server authorization using SMB

Harvey hkramer at maximsoft.com.ar
Fri Jan 9 13:07:14 EST 2004


Hi all,

I have configured the AD plug-in with the corresponding Forest, Domain 
to accept multiple domain authentication. The authentication option in 
Directory Access does have the root domain added as a custom path (the 
edu.mit.Kerberos file has all domains configured, and each domain has 2 
entries that are "kdc" and "admin_server").

A user belonging to the same configured Domain can log in successfully; 
however, when a user from another domain tries to log in, the login 
window shakes and as a result the user cannot enter his session. Has 
anyone got this multiple domain authentication to work?

When a user belongs to the configured domain and logs in, he 
automatically gets a Kerberos ticket. Depending on the file server the 
user connects to, two different scenarios take place. In the first 
scenario, the user connects to the FS and is authenticated by the 
Kerberos protocol as it normally should be. In the second scenario, the 
user connects to another file server in the same domain as the user, 
and an SMB/CIFS authentication window appears asking for user, password 
and domain. If, in this window, user, password and domain are left 
blank and the OK button is clicked, then surprisingly the user is also 
authenticated by the Kerberos protocol. By doing some network sniffing, 
apparently the Kerberos protocol gets the correct name of the file 
server, and in consequence obtains a ticket for it, only after SAMBA 
has figured out the correct file server name. Is it possible to resolve 
this issue so that the SMB/CIFS authentication window does not appear?

Additionally, it is not possible for any Mac to authenticate correctly 
using Kerberos to any file server in any other domain. No error 
entries in the console.log or System.log have been found.

How should Windows Clusters of two physical PCs and N logical servers 
be configured to accept Kerberos authentication from the Mac? The 
problem is that the virtual server name is not in the Kerberos 
database, but the machine account is. However, nobody enters a web 
page by typing the machine account; they are all aliases.

These tests were performed with 5 different Macs, some having Mac OS X 
v10.3.1 and others having 10.3.2, but the same results have been seen 
on either one.

Thanks in advance
Harvey
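The symptoms above (a ticket obtained only after SMB works out the server's "real" name, and no ticket at all for file servers in other domains) usually come down to how the client maps a host name to a realm and to whether the name the user typed has a registered service principal. The script below is an added example, not code from the original post or from Apple's or MIT's tooling. It parses a krb5.conf-style file (the format used by edu.mit.Kerberos on Mac OS X), reports realms that lack a kdc or admin_server line, and resolves the realm and cifs/ service principal the client would ask for when given a file server name. The file contents and every realm and host name (EXAMPLE.COM, CHILD.EXAMPLE.COM, fs1.child.example.com and so on) are constructed placeholders; the realm lookup is a simplified form of the MIT [domain_realm] rules (exact host first, then parent domains with a leading dot).

```python
"""Sanity-check a krb5.conf-style file for multi-realm SMB/Kerberos use.

Added example (not from the mailing-list post). The configuration below
is constructed: realm names, KDC host names and file server names are
placeholders, not real systems.
"""

# Constructed krb5.conf / edu.mit.Kerberos contents. Note two deliberate
# gaps: OTHER.EXAMPLE.COM has no admin_server line, and [domain_realm]
# has no entry for .other.example.com, so hosts in that domain fall
# through to the parent mapping (.example.com -> EXAMPLE.COM).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = CHILD.EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }
    CHILD.EXAMPLE.COM = {
        kdc = dc1.child.example.com
        admin_server = dc1.child.example.com
    }
    OTHER.EXAMPLE.COM = {
        kdc = dc1.other.example.com
    }

[domain_realm]
    .child.example.com = CHILD.EXAMPLE.COM
    child.example.com = CHILD.EXAMPLE.COM
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""


def parse_krb5(text):
    """Parse [section] / key = value / REALM = { ... } blocks into dicts.

    Every value is stored as a list because keys such as kdc may repeat.
    Only one level of brace nesting is handled, which covers [realms].
    """
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, {})
            block = None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = sections[section].setdefault(key, {})
            continue
        target = block if block is not None else sections[section]
        target.setdefault(key, []).append(value)
    return sections


def missing_realm_entries(cfg):
    """Return {realm: [missing keys]} for realms lacking kdc/admin_server."""
    problems = {}
    for realm, entries in cfg.get("realms", {}).items():
        missing = [k for k in ("kdc", "admin_server") if k not in entries]
        if missing:
            problems[realm] = missing
    return problems


def realm_for_host(host, cfg):
    """Map a host name to a realm via [domain_realm], else default_realm.

    Simplified MIT lookup: exact host, then each parent domain with a
    leading dot (longest match first).
    """
    mapping = {k.lower(): v[0] for k, v in cfg.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return cfg["libdefaults"]["default_realm"][0]


def service_principal(host, cfg, service="cifs"):
    """The principal the client requests a ticket for when connecting.

    It is built from the name the user typed (a cluster alias included),
    so that exact name must have a principal registered in the KDC.
    """
    return f"{service}/{host.lower()}@{realm_for_host(host, cfg)}"


if __name__ == "__main__":
    cfg = parse_krb5(SAMPLE_KRB5_CONF)
    print("realms with missing entries:", missing_realm_entries(cfg))
    for name in ("fs1.child.example.com", "fs2.other.example.com",
                 "fsalias.child.example.com"):
        print(name, "->", service_principal(name, cfg))
```

Run against the constructed file, the report flags OTHER.EXAMPLE.COM as lacking admin_server and shows fs2.other.example.com resolving to EXAMPLE.COM rather than OTHER.EXAMPLE.COM, which is the kind of mapping gap that leaves a Mac unable to obtain a ticket for a file server in another domain. The last line also makes the cluster point concrete: the principal requested is cifs/fsalias.child.example.com, not the node's machine account name, so the alias itself needs a matching service principal.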


More information about the Kerberos mailing list