  1. #1
    HMCTech

    OS X Server Kerberos stopped not sure if that's okay or not

    I have set up an OS X server as per the many guides that are around here so that it is an OD master bound to AD. Clients are bound to both the AD server & OD. Users can log in and the preferences are working okay. But in Server Admin Kerberos is 'stopped'. I go to Core Services > Kerberos and New Ticket. I enter in my username and password and I receive a ticket. Does that mean that Kerberos is okay and working? Even though it is stopped in Server Admin?

  2. #2
    richardp
    Hi, as far as I can remember this is how the setup is supposed to work when the OD is bound to the AD.

    On your OSX server the overview page for the open directory service should have LDAP Server as "running", the Password Server as "running" and the Kerberos "stopped". The reason for this is that the OD should be bound into the AD Kerberos Realm and not one of its own.

    Hope this sheds some light

    Richard

  3. #3

    mac_shinobi
    Originally posted by richardp:
    Hi, as far as I can remember this is how the setup is supposed to work when the OD is bound to the AD.

    On your OSX server the overview page for the open directory service should have LDAP Server as "running", the Password Server as "running" and the Kerberos "stopped". The reason for this is that the OD should be bound into the AD Kerberos Realm and not one of its own.

    Hope this sheds some light

    Richard
    Agreed, because Kerberos is dealt with by your Windows server(s).

  4. #4
    ahuxham
    And the fact you are getting a KRB ticket back means your AD servers are acknowledging the service, and all is working.

  5. #5
    HMCTech
    If kerberos is all working, should I still get log in prompts for Safari, Printing, just about anything that requires authentication? At the moment I can log in as a user using domain credentials, but when I open up safari I have to re-enter them again to authenticate.

  6. #6

    Originally posted by AlexPilot:
    If kerberos is all working, should I still get log in prompts for Safari, Printing, just about anything that requires authentication? At the moment I can log in as a user using domain credentials, but when I open up safari I have to re-enter them again to authenticate.
    If Kerberos weren't working you wouldn't be able to authenticate at all. I'd say you need to look elsewhere to find out why credentials aren't being stored sensibly.

  7. #7
    HMCTech
    Just to be clear in my mind. In a fully working AD-OD network where everything is perfect I shouldn't have to enter credentials once I'm logged in? Or should I just have to enter them once and save them to the keychain?

  8. #8
    richardp
    Hi, are you using a proxy server such as a cachepilot for safari? If so this has something to do with the authentication method used I think. I believe it can handle only one way of doing it so when we login here on a windows computer the cachepilot can read the AD info and not prompt for authentication. However if the same user logs into a mac and runs safari they are prompted for username and password. I am not sure how to resolve this at the moment as it is not top of my list.

    On a somewhat related note I would look at using a different browser on your macs, safari is ok however it has a bug in it (even in V4 !!) that prevents it from accessing https pages through a proxy. Have a look at camino or firefox etc...

    Richard

  9. #9

    As far as I know Safari only uses NTLM authentication, not Kerberos. You can see if Kerberos is working by simply logging in and looking at the Kerberos app (or by typing kinit at the command line). Navigate to a share on either the AD/OD. If you go to an AD server in the sidebar in Finder you should see all of the shares that you have access to mounted without needing to authenticate.

    You will also see a ticket handed in your Kerberos app for the service used, e.g. afpserver/servername.fqdn.com.

    If you are unsure about your Kerberos domain on the OD, run sudo klist -kt. This will list all of the kerberised services and also what realm they are kerberised with. They all should be the AD realm apart from one afp service and vnc, I think.
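
    The keytab check suggested in post #9, as an added example that is not part of any poster's reply: a small shell function that reads `sudo klist -kt` output and marks each service principal as belonging to the expected AD realm or to another realm. It assumes the MIT-style listing layout shown in the constructed sample; the realm names, host name and function names are placeholders.

```shell
#!/bin/sh
# Added example: report which realm each keytab principal is kerberised with.
# Real use (on the OD server): sudo klist -kt | keytab_realm_report YOUR.AD.REALM

# Constructed sample in MIT-style `klist -kt` layout. Host and realm names are
# placeholders, not values from the thread. One entry is repeated on purpose,
# as happens when a principal has several keys.
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------
   3 04/01/09 10:15:02 afpserver/osx.example.com@AD.EXAMPLE.COM
   3 04/01/09 10:15:02 afpserver/osx.example.com@AD.EXAMPLE.COM
   3 04/01/09 10:15:02 cifs/osx.example.com@AD.EXAMPLE.COM
   3 04/01/09 10:15:02 host/osx.example.com@AD.EXAMPLE.COM
   1 03/28/09 09:02:41 afpserver/osx.example.com@OSX.EXAMPLE.COM
   1 03/28/09 09:02:41 vnc/osx.example.com@OSX.EXAMPLE.COM
EOF
}

# keytab_realm_report EXPECTED_REALM   (listing on stdin)
# Prints "match <principal>" or "other <principal>" once per distinct principal.
# Exit status: 0 all principals in EXPECTED_REALM, 1 some differ, 2 none found.
keytab_realm_report() {
    awk -v want="$1" '
        {
            p = $NF                          # principal is the last column
            at = index(p, "@")               # service/host@REALM
            if (at == 0 || (p in seen)) next # skip headers and repeated keys
            seen[p] = 1
            n++
            if (substr(p, at + 1) == want) {
                print "match " p
            } else {
                print "other " p
                bad = 1
            }
        }
        END {
            if (n == 0) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Demo on the constructed sample; "|| true" because status 1 is expected here.
sample_keytab_listing | keytab_realm_report AD.EXAMPLE.COM || true
```

    Lines marked "other" are the services still kerberised with a realm other than the one passed in, which is the exception the post says to expect for one afp service and vnc.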

  10. #10
    HMCTech
    Okay, thanks for everyone's help. Having never seen an AD-OD network before I had to make one I am never sure if it's working as it should or just cobbled together.
