[Macpartners] Using SAPgui on WIN domain bound Macs?
Patrick McNeal
mcneal at mit.edu
Fri Nov 20 09:15:31 EST 2015
Thanks for the suggestion. Unfortunately, it didn't work for me. I start
with a tgt from the WIN.MIT.EDU realm from just logging into my machine:
$ klist
Credentials cache: API:0681E34F-FB62-4961-8A06-A62BAEF37491
        Principal: mcneal@WIN.MIT.EDU

  Issued                Expires               Principal
Nov 20 08:57:10 2015  Nov 20 18:57:08 2015  krbtgt/WIN.MIT.EDU@WIN.MIT.EDU
If I destroy that tgt and obtain one from ATHENA.MIT.EDU…
$ kdestroy
$ kinit mcneal@ATHENA.MIT.EDU
mcneal@ATHENA.MIT.EDU's password:
PALPC-145:~ mcneal$ klist
Credentials cache: API:B279F665-1256-4CDF-B0E2-F1A0C3C2FC5A
        Principal: mcneal@ATHENA.MIT.EDU

  Issued                Expires               Principal
Nov 20 09:07:14 2015  Nov 20 19:07:11 2015  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
…and try to connect to DFS, smb://win.mit.edu/dfs/Departmental/jpal via
Finder, I'm prompted for a username and password:
[image: Inline image 1]
Entering my kerb password, the DFS volume opens. Oddly, it appears I have
the necessary tickets for it to just work:
$ klist
Credentials cache: API:B279F665-1256-4CDF-B0E2-F1A0C3C2FC5A
        Principal: mcneal@ATHENA.MIT.EDU

  Issued                Expires               Principal
Nov 20 09:07:14 2015  Nov 20 19:07:11 2015  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
Nov 20 09:07:47 2015  Nov 20 19:07:11 2015  krbtgt/WIN.MIT.EDU@ATHENA.MIT.EDU
Nov 20 09:07:47 2015  Nov 20 19:07:11 2015  cifs/w92dc2.win.mit.edu@WIN.MIT.EDU
Just before the password prompt appears, I see this in the console:
11/20/15 9:12:02.559 AM secd[295]: SOSAccountThisDeviceCanSyncWithCircle sync with device failure: Error Domain=com.apple.security.sos.error Code=1035 "Account identity not set" UserInfo={NSDescription=Account identity not set}
11/20/15 9:12:05.364 AM NetAuthSysAgent[19703]: checkForDfsReferral: mounting dfs url failed, syserr = Authentication error
11/20/15 9:12:05.364 AM NetAuthSysAgent[19703]: smb_mount: mount failed to w92dc2.WIN.MIT.EDU/dfs, syserr = Authentication error
Is anyone else binding their 10.11 machines to the win domain and using
SAPgui?
—Patrick
IT Manager | J-PAL <http://povertyactionlab.org/> | MIT <http://mit.edu> |
+1 617-324-2721 | mcneal at mit.edu
On Thu, Nov 19, 2015 at 10:02 PM, Teddy Thomas <tthoma24 at mit.edu> wrote:
> [resending from my MIT email]
>
> Hi Patrick-
>
> I believe the changes you’ll want to make to your krb5 config are under
> [domain_realm]; just add win.mit.edu = WIN.MIT.EDU and
> .win.mit.edu = WIN.MIT.EDU. I put my
> edu.mit.Kerberos file in /mit/tthoma24/Public so you can see what I did
> (note I made other edits which you may not want).
>
> I’m not a Kerberos expert, but I think the issue here is Kerberos cross
> realm doesn’t exist from the WIN realm to ATHENA realm, but DOES exist
> going the other way, meaning you can authenticate to WIN with an ATHENA
> ticket, but not the other way. Installing Kerberos extras and getting an
> Athena ticket was the first piece, but I don’t think the krb5 conf in
> Kerberos Extras for Mac defines the WIN realm, which is likely necessary to
> get the krbtgt/WIN.MIT.EDU@ATHENA.MIT.EDU so you can authenticate to WIN
> services with an ATHENA ticket.
>
> Hope this helps. Good luck.
>
> -Teddy
>
> On Nov 19, 2015, at 2:38 PM, Patrick McNeal <mcneal at mit.edu> wrote:
>
> Has anyone been able to get the latest SAPgui
> <https://ist.mit.edu/sapr3/sapgui/740/mac> to work on a Mac OS X 10.11
> machine that is bound to the WIN domain? We're using the WIN domain for
> authentication and authorization, but it appears the SAPgui doesn't work
> with kerberos tickets from the WIN.MIT.EDU realm.
>
> Installing Kerberos Extras for Mac
> <http://ist.mit.edu/kerberos/extras/mac> works if I destroy my WIN.MIT.EDU
> tickets and then obtain a TGT for the ATHENA.MIT.EDU realm, but then I'm
> unable to access DFS or other WIN.MIT.EDU resources.
>
> For what it's worth, here is my /Library/Preferences/edu.mit.Kerberos:
>
> [libdefaults]
>     default_realm = ATHENA.MIT.EDU
>     forwardable = TRUE
>     proxiable = TRUE
>     noaddresses = TRUE
>     allow_weak_crypto = TRUE
>
> [realms]
>     ATHENA.MIT.EDU = {
>         kdc = kerberos.mit.edu.:88
>         kdc = kerberos-1.mit.edu.:88
>         kdc = kerberos-2.mit.edu.:88
>         admin_server = kerberos.mit.edu.
>         default_domain = mit.edu
>     }
>
> [domain_realm]
>     .mit.edu = ATHENA.MIT.EDU
>     mit.edu = ATHENA.MIT.EDU
>
> [v4 realms]
>     ATHENA.MIT.EDU = {
>         kdc = kerberos.mit.edu.
>         kdc = kerberos-1.mit.edu.
>         kdc = kerberos-2.mit.edu.
>         admin_server = kerberos.mit.edu.
>         default_domain = mit.edu
>         string_to_key_type = mit_string_to_key
>     }
>
> [v4 domain_realm]
>     .mit.edu = ATHENA.MIT.EDU
>     mit.edu = ATHENA.MIT.EDU
>
> Thanks,
>
> —Patrick
>
>
> IT Manager | J-PAL <http://povertyactionlab.org/> | MIT <http://mit.edu/> |
> +1 617-324-2721 | mcneal at mit.edu
> _______________________________________________
> Macpartners mailing list
> Macpartners at mit.edu
> http://mailman.mit.edu/mailman/listinfo/macpartners
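As an added illustration of why the [domain_realm] entries Teddy recommends matter (this is not code from anyone in the thread or from MIT krb5), the following Python models the host-to-realm lookup a Kerberos client performs from that section: with only the .mit.edu entries from Patrick's posted config, a host such as w92dc2.win.mit.edu is mapped to ATHENA.MIT.EDU, whereas adding .win.mit.edu = WIN.MIT.EDU maps it to WIN.MIT.EDU, which is what tells the client to go after the krbtgt/WIN.MIT.EDU@ATHENA.MIT.EDU cross-realm ticket. The parser, the sample configs and the default_realm fallback are constructed for the example.

```python
# Added illustration of the [domain_realm] host-to-realm lookup; not code from
# this thread or from MIT krb5. Only flat `key = value` lines are parsed.
import re
from typing import Dict, Optional
# Constructed: Patrick's [domain_realm] as posted, and the same section with
# the two entries Teddy recommends appended.
ORIGINAL_CONF = """
[libdefaults]
    default_realm = ATHENA.MIT.EDU
[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
"""
FIXED_CONF = ORIGINAL_CONF + """
    .win.mit.edu = WIN.MIT.EDU
    win.mit.edu = WIN.MIT.EDU
"""
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(\S+)\s*$")

def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the key -> REALM mapping of the [domain_realm] section."""
    mapping, in_section = {}, False
    for line in conf.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            in_section = sec.group(1) == "domain_realm"
            continue
        entry = ENTRY_RE.match(line)
        if in_section and entry:
            mapping[entry.group(1).lower()] = entry.group(2)
    return mapping

def host_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Most specific match wins: the exact host, then each parent domain.
    An undotted key matches only that host; a dotted key matches hosts under it."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None  # unmapped: a real client would try DNS or default_realm

def service_principal(service: str, hostname: str, conf: str,
                      default_realm: str = "ATHENA.MIT.EDU") -> str:
    """Principal the client asks the KDC for, e.g. cifs/host@REALM."""
    realm = host_realm(hostname, parse_domain_realm(conf)) or default_realm
    return f"{service}/{hostname}@{realm}"
```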