3rd August 2009, 03:25 PM #1
OS X Server Kerberos stopped, not sure if that's okay or not
I have set up an OS X server as per the many guides that are around here so that it is an OD master bound to AD. Clients are bound to both the AD server & OD. Users can log in and the preferences are working okay. But in Server Admin Kerberos is 'stopped'. I go to Core Services > Kerberos and New Ticket. I enter my username and password and I receive a ticket. Does that mean that Kerberos is okay and working, even though it is stopped in Server Admin?
3rd August 2009, 03:37 PM #2
Hi, as far as I can remember this is how the setup is supposed to work when the OD is bound to the AD.
On your OSX server the overview page for the open directory service should have LDAP Server as "running", the Password Server as "running" and the Kerberos "stopped". The reason for this is that the OD should be bound into the AD Kerberos Realm and not one of its own.
Hope this sheds some light
3rd August 2009, 03:40 PM #3
Agreed, because Kerberos is dealt with by your Windows server(s).
3rd August 2009, 03:53 PM #4
And the fact you are getting a KRB ticket back means your AD servers are acknowledging the service, and all is working.
4th August 2009, 11:28 AM #5
If Kerberos is all working, should I still get login prompts for Safari, printing, just about anything that requires authentication? At the moment I can log in as a user using domain credentials, but when I open up Safari I have to re-enter them to authenticate.
4th August 2009, 11:44 AM #6
If Kerberos weren't working you wouldn't be able to authenticate at all. I'd say you need to look elsewhere to find out why credentials aren't being stored sensibly.
4th August 2009, 11:53 AM #7
Just to be clear in my mind: in a fully working AD-OD network where everything is perfect, I shouldn't have to enter credentials once I'm logged in? Or should I just have to enter them once and save them to the keychain?
4th August 2009, 01:11 PM #8
Hi, are you using a proxy server such as a cachepilot for safari? If so this has something to do with the authentication method used I think. I believe it can handle only one way of doing it so when we login here on a windows computer the cachepilot can read the AD info and not prompt for authentication. However if the same user logs into a mac and runs safari they are prompted for username and password. I am not sure how to resolve this at the moment as it is not top of my list.
On a somewhat related note I would look at using a different browser on your macs, safari is ok however it has a bug in it (even in V4 !!) that prevents it from accessing https pages through a proxy. Have a look at camino or firefox etc...
4th August 2009, 09:34 PM #9
As far as I know Safari only uses NTLM authentication, not Kerberos. You can see if Kerberos is working by simply logging in and looking at the Kerberos app (or by typing kinit at the command line). Navigate to a share on either the AD/OD. If you go to an AD server in the sidebar in Finder you should see all of the shares that you have access to mounted without needing to authenticate.
You will also see a ticket handed out in your Kerberos app for the service used, e.g. afpserver/servername.fqdn.com.
If you are unsure about your Kerberos domain on the OD, run sudo klist -kt. This will list all of the kerberised services and also what realm they are kerberised with. They all should be the AD realm apart from one afp service and vnc, I think.
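Added example, not part of the post above: a shell helper that reads klist -kt output and marks each keytab principal as belonging to the expected AD realm or to some other realm. The realm AD.EXAMPLE.COM, the host name and the sample listing are constructed, and the "KVNO Timestamp Principal" column layout is an assumption about the klist output format.

```shell
#!/bin/sh
# Added example (not from the thread): group keytab principals by realm.
# Reads `klist -kt` output on stdin; $1 is the realm you expect (the AD realm).
keytab_realms() {
    awk -v want="$1" '
        # Principal rows end in name@REALM; header and ruler rows have no "@".
        $NF ~ /@/ {
            n = split($NF, parts, "@")
            realm = parts[n]
            princ = substr($NF, 1, length($NF) - length(realm) - 1)
            # A keytab holds one row per key type; report each principal once.
            if (seen[$NF]++) next
            status = (realm == want) ? "OK" : "OTHER"
            printf "%s %s %s\n", status, realm, princ
        }'
}

# Constructed sample listing (assumed layout, made-up host and realms).
sample_klist_output() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------
   3 08/03/09 15:25:01 afpserver/odserver.example.com@AD.EXAMPLE.COM
   3 08/03/09 15:25:01 afpserver/odserver.example.com@AD.EXAMPLE.COM
   3 08/03/09 15:25:01 cifs/odserver.example.com@AD.EXAMPLE.COM
   3 08/03/09 15:25:01 host/odserver.example.com@AD.EXAMPLE.COM
   1 08/03/09 15:20:44 vnc/odserver.example.com@ODSERVER.EXAMPLE.COM
EOF
}

# Demo on the constructed sample; on a real server use:
#   sudo klist -kt | keytab_realms YOUR.AD.REALM
sample_klist_output | keytab_realms AD.EXAMPLE.COM
```

Rows marked OTHER are the ones to compare against what you expect to be kerberised outside the AD realm.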
6th August 2009, 08:07 AM #10
Okay, thanks for everyone's help. Having never seen an AD-OD network before I had to make one, I am never sure if it's working as it should or just cobbled together.