AD multiple domain logon and problems with Kerberos File Server authorization using SMB
Harvey
hkramer at maximsoft.com.ar
Fri Jan 9 13:07:14 EST 2004
Hi all,
I have configured the AD plug-in with the corresponding Forest, Domain
to accept multiple domain authentication. The authentication option in
Directory Access does have the root domain added as a custom path (the
edu.Mit.Kerberos file has all domains configured, and each domain has 2
entries that are “kdc” and “admin_server”).
A user belonging to the same configured Domain can log in successfully,
however when a user from another domain tries to log in, the login
window shakes and as a result the user cannot enter his session. Has
anyone got this multiple domain authentication to work?
When a user belongs to the configured domain and logs in, he
automatically gets a Kerberos ticket. Depending on the file server the
user connects to, two different scenarios take place. In the first
scenario, the user connects to the FS and is authenticated by the Kerberos
protocol as it should normally be. In the second scenario, the user
connects to another file server in the same domain as the user, and an
SMB/CIFS authentication window appears asking for user, password and
domain. If, in this window, user, password and domain are left blank
and the OK button is clicked, then surprisingly the user is also
authenticated by the Kerberos protocol. By doing some network sniffing,
apparently the Kerberos protocol gets the correct name of the file server
and in consequence obtains a ticket for it only after SAMBA has figured
out the correct file server name. Is it possible to resolve this issue
so that the SMB/CIFS authentication window does not appear?
Additionally, it is not possible for any Mac to authenticate correctly
using Kerberos to any file server in any other domain. No error
entries in console.log or system.log have been found.
How should Windows Clusters of two physical PCs and N logical servers
be configured to accept Kerberos authentication from the Mac? The
problem is that the virtual server name is not in the Kerberos
database, but the machine account is. However nobody enters a web page
by typing the machine account, they all are aliases.
These tests were performed with 5 different Macs, some having Mac OS X
v10.3.1 and others having 10.3.2, but the same results have been seen on
either one.
Thanks in advance
Harvey
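As an added illustration (not part of Harvey's post), here is a constructed edu.mit.Kerberos fragment (krb5.conf format) showing the layout the post describes: one [realms] block per AD domain with its kdc and admin_server entries, plus a [domain_realm] section mapping the host names a client actually uses, including a cluster's virtual name, to the realm that holds them. Realm names, host names and the cluster alias are placeholders, not values from the post.

```ini
# Constructed example of /Library/Preferences/edu.mit.Kerberos (krb5.conf syntax).
# All realm and host names below are placeholders, not values from the post.
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = yes

[realms]
    # Forest root domain: the realm the logging-in user is authenticated against
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
        admin_server = dc1.corp.example.com
    }
    # Child domain of the forest: each domain needs its own realm block,
    # otherwise a logon from that domain has no KDC to talk to
    SALES.CORP.EXAMPLE.COM = {
        kdc = dc1.sales.corp.example.com
        admin_server = dc1.sales.corp.example.com
    }

[domain_realm]
    # DNS suffix to realm mapping, used to pick the realm for a file server's
    # service principal (e.g. cifs/host) from the host name the client uses
    .sales.corp.example.com = SALES.CORP.EXAMPLE.COM
    sales.corp.example.com = SALES.CORP.EXAMPLE.COM
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
    # A cluster virtual name outside the domain's DNS suffix gets an explicit
    # entry; the KDC must also hold a service principal for that alias
    fileshare.example.net = SALES.CORP.EXAMPLE.COM
```

The client requests a service ticket for the name it connected with, so a file server or cluster alias that neither maps to a realm here nor has a matching service principal on the KDC falls back to the non-Kerberos SMB/CIFS prompt.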