Mac Thread: Sharepoints and OD/AD (Technical forum)
  1. #1 Marci

    Sharepoints and OD/AD

    OK, we've got our luverly Mac network running here, nicely integrated with AD.

    I'm trying to set up a new sharepoint on the x-server that everyone can access, which I've done. Problem is, it won't mount. Any attempt to do so using AD credentials fails. If I use one of the local XServer accounts, however, it mounts fine.

    Where am I going wrong?

  2. #2
    Are you using AFP and smb service? What protocols are you using for these shares?
    Also is kerberos set up for authentication type?

    Run sudo klist -kt and see if the services have been kerberised by the AD kerberos realm. If not then running dsconfigad -enableSSO should do it for you.

  3. #3 Marci
    Are you using AFP and smb service? What protocols are you using for these shares?
    Yep, using AFP & SMB... shares are set for all but ftp & nfs.

    Also is kerberos set up for authentication type?
    How do I check?

    see if the services have been kerberised by the AD kerberos realm
    Here's the output:

    Code:
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       3 08/12/08 14:00:43 afpserver/LKDC:SHA1.849912A5AE5425B5F38E13EC3F54C34F18146D36@LKDC:SHA1.849912A5AE5425B5F38E13EC3F54C34F18146D36
       3 08/12/08 14:00:44 afpserver/LKDC:SHA1.849912A5AE5425B5F38E13EC3F54C34F18146D36@LKDC:SHA1.849912A5AE5425B5F38E13EC3F54C34F18146D36
       3 08/12/08 14:00:44 afpserver/LKDC:SHA1.849912A5AE5425B5F38E13EC3F54C34F18146D36@LKDC:SHA1.849912A5AE5425B5F38E13EC3F54C34F18146D36
    *snip*
       7 01/19/09 10:32:20 afpserver/appleserver.horbury.internal@HORBURY.INTERNAL
       7 01/19/09 10:32:20 afpserver/appleserver.horbury.internal@HORBURY.INTERNAL
       7 01/19/09 10:32:20 afpserver/appleserver.horbury.internal@HORBURY.INTERNAL
    *snip*
       7 01/19/09 10:32:20 nfs/appleserver.horbury.internal@HORBURY.INTERNAL
       7 01/19/09 10:32:20 nfs/appleserver.horbury.internal@HORBURY.INTERNAL
       7 01/19/09 10:32:20 nfs/appleserver.horbury.internal@HORBURY.INTERNAL
    *snip*
       7 01/19/09 10:32:20 ldap/appleserver.horbury.internal@HORBURY.INTERNAL
       7 01/19/09 10:32:20 ldap/appleserver.horbury.internal@HORBURY.INTERNAL
       7 01/19/09 10:32:20 ldap/appleserver.horbury.internal@HORBURY.INTERNAL
    *snip*
    No mention of smb in the output though...

    If I just run 'sudo klist', I get:
    Code:
    klist: No Kerberos 5 tickets in credentials cache
    Last edited by Marci; 12th February 2009 at 08:43 AM.

  4. #4
    If HORBURY.INTERNAL is the same as your AD kerberos realm then the services have been kerberised. The AFP service is a funny one, as it still utilises the local KDC realm of the OS X Server.

    You can check that authentication is set to kerberos by using Server admin.

    For AFP go to the AFP service and then go to the access tab. Under here should be authentication. Now if this is set to any method, the client "should" try to use kerberos first. If set to standard, you will have to auth using a dialog box.

    For SMB go to the SMB service, go to settings and then access. NTLMv2 and kerberos should be ticked.

    You could also try and use the kerberos.app found in /system/library/coreservices/kerberos.app

    Open this app and try and mount the share. See if you automatically get a kerberos ticket for the server on which the share is located.

    Running dsconfigad -enableSSO should try and kerberise all running services, but after checking my server smb isn't listed either.

    Remember to also check the time, and also have the console open when trying to mount the share. This may give a little more insight into what is happening. Also you may wish to have the server logs available when mounting the share.
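    As an added diagnostic (not from the thread), a shell function that applies the check from this post to a `klist -kt` listing: for each required service it reports whether a principal exists in the AD realm, only in the LKDC realm, or not at all. The sample listing is constructed from the output posted in #3; `cifs` is assumed to be the SMB service principal name (the ticket name that appears later in the thread).

```shell
#!/bin/sh
# Added example, not from the thread: report which services in a `klist -kt`
# listing hold a principal in the expected AD realm, and which are missing or
# only have a local-KDC (LKDC) principal. The listing is read from stdin.

check_keytab() {
  # $1 = expected realm (e.g. HORBURY.INTERNAL)
  # $2 = space-separated services that must be kerberised (e.g. "afpserver cifs")
  realm="$1"
  wanted="$2"
  # Entry lines start with a numeric KVNO; the 4th field is the principal.
  # Header, separator and "*snip*" lines are dropped; duplicates collapsed.
  principals=$(awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u)
  rc=0
  for svc in $wanted; do
    # Dots in the realm act as regex wildcards here, which is acceptable for this check.
    if printf '%s\n' "$principals" | grep -q "^${svc}/[^@]*@${realm}\$"; then
      printf 'ok      %s (principal in %s)\n' "$svc" "$realm"
    elif printf '%s\n' "$principals" | grep -q "^${svc}/LKDC:"; then
      printf 'missing %s (only LKDC principal; not kerberised to %s)\n' "$svc" "$realm"
      rc=1
    else
      printf 'missing %s (no principal at all)\n' "$svc"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample, abridged from the keytab listing posted above.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/12/08 14:00:43 afpserver/LKDC:SHA1.ABCD@LKDC:SHA1.ABCD
   7 01/19/09 10:32:20 afpserver/appleserver.horbury.internal@HORBURY.INTERNAL
   7 01/19/09 10:32:20 nfs/appleserver.horbury.internal@HORBURY.INTERNAL
   7 01/19/09 10:32:20 ldap/appleserver.horbury.internal@HORBURY.INTERNAL
*snip*'

# On a real server: sudo klist -kt | check_keytab HORBURY.INTERNAL "afpserver cifs"
printf '%s\n' "$SAMPLE_KEYTAB" | check_keytab HORBURY.INTERNAL "afpserver cifs ldap" \
  || echo "one or more services are not kerberised to the AD realm"
```

Run against the constructed sample, afpserver and ldap report ok while cifs is reported missing, which matches the "no mention of smb" observation in #3.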

  5. #5 Marci
    Yep, Horbury.Internal is the AD Domain...
    AFP is set to "any", have set it to "kerberos". SMB is set to "NTLMv2 & Kerberos".
    Have run "dsconfigad -enableSSO"
    Kerberos.app on my client shows that I have a ticket in the ticket cache and that I'm the active user etc.

    When I head to Go > Network > Appleserver it presents with finder window "Connected as: guest" unless I hit "Connect As". When I do, it prompts me for user and pass, which I provide, and then get the response "Sorry, you entered an invalid username or password, please try again."

    Time is sync'd to the AD PDC...

    Console shows nothing for times when I attempt to mount the share, however, there are earlier entries for com.apple.KerberosAutoConfig stating "Couldn't find KerberosClient config record"

  6. #6 Marci
    edu.mit.Kerberos content (same on both client and server):

    Code:
    [libdefaults]
    dns_fallback = no
    default_realm = HORBURY.INTERNAL
    [domain_realm]
    .horbury.internal = HORBURY.INTERNAL
    [logging]
    admin_server = FILE:/var/log/krb5kdc/kadmin.log
    kdc = FILE:/var/log/krb5dc/kdc.log

  7. #7
    Try mounting by using Finder > Go > Connect to Server (⌘K)

    I have found issues when trying to use the Finder window to do this, especially if you try and create a mounting share on login in this way. It seems to mess up the UNC path by sticking in TCP% stuff.

  8. #8 Marci
    Same response - Invalid Username or Password...

  9. #9 Marci
    OK, this is bizarre. I THINK we're just authenticating using LDAP effectively... I don't think Kerberos is functioning between the X-Serve and the Windows domain.

  10. #10
    What permissions do you have set on the share in server admin?

  11. #11 Marci
    User groups in AD > OD Group that the AD Group is a member of:
    HOR Student > Student
    HOR Teacher > Teacher
    HOR ITTechTeam > SystemAdmin

    Permissions:
    Student > Read
    Teacher > Full Control
    SystemAdmin > Full Control

    Now, my AD Username and Password work fine to log on to any Mac with. The Mac automounts my network home folder from the Windows AD Controller, and also automounts various shares from the Windows Server without prompting for further username and password (this has been done via WGM using Login Preferences for the Mac-based usergroup that my AD-based group is a member of; all the Windows shares are mounted via smb).
    It's only sharepoints on the X-Server that fail to mount and always respond with "Invalid Username or Password".

  12. #12
    Kerberos must be working since you have been granted a ticket. To test, use a machine that is bound to the Xserve and authenticating using AD. Log on as an AD user. Open the Kerberos client .app.

    Now try to open the share. This should then give you a ticket for the service used to open the share.

    By the way what service is being used to mount the share? AFP or SMB?

    Is guest access turned on for the shares? If so try removing guest access.

  13. #13
    This is how I have one of mine set up:

    AFP Service: ticked
    AFP Guest Access: unticked
    SMB Service: ticked
    SMB Guest access: unticked
    enable oplocks: ticked
    enable strict locking: ticked
    inherit permissions from parent selected.

    FTP and NFS disabled.

    Enable automount: unticked
    spotlight: ticked
    time backup: unticked

    Permissions:
    ACLs

    AD Staff users group read and write
    AD Pupils group read only

    Posix
    AD administrator: read and write
    staff none
    others: none

  14. #14
    My AFP service is set up as follows

    General tab
    Enable Bonjour: ticked
    Encoding: Roman
    Login greeting: whatever you want

    Access
    Authentication: Any method (when the AD users are created after the share-points, I have found that the users fail to log in when the auth type is set to kerberos only)

    enable masquerade: ticked
    unlimited client connections selected

    Now also don't forget the SACLs.

    If you have set up SACLs on the service, make sure that the users you are trying to connect with have access to the services.

  15. #15 Marci
    Yep, my permissions are more or less the same, other than spotlight disabled.

    The share on the X-Serve that won't mount is set to use either AFP or SMB... both are enabled. Guest access is disabled for both afp and smb.

    Kerberos.app is showing:

    Ticketcache...
    mcoyles@HORBURY.INTERNAL

    Tickets...
    krbtgt/HORBURY.INTERNAL@HORBURY.INTERNAL

    Nothing else appears when I access the SMB shares on the windows servers etc, and nothing else appears when I TRY to access the X-Server.

    If I disable guest access, then head to connect to server and try to connect via SMB to the x-server, I get a cifs ticket for appleserver.horbury.internal@HORBURY.INTERNAL.
    If I try to connect to server via AFP, I get prompted for username etc - give it mine, I get "connection failed, check servername or IP Address and try again"

    If I give it an account local to the x-server, then it goes straight in fine, and a kerberos ticket appears for that account.
