Mac thread: Magic Triangle Permissions (forum section: Technical)
  #1 by danselvey (Nottingham)

    Magic Triangle Permissions

    Hi, I'm a bit new to Macs in an AD environment, so I followed a reasonably good-looking tutorial:
    jordaneunson.com » Blog Archive » Apple Magic Triangle Setup with Windows File Server backed Portable Home Directories.

    I've got issues now that I have completed it. I suspect it may be a Kerberos SSO issue, but I'm not sure how to go about rectifying it.

    My AD users log on to the Mac client fine, it receives preferences from the Mac server, and I can browse the AD domain controller/file server. However, I can't browse any other machine, or even the Mac server, from the Mac client. Nor can I browse the Mac server from a PC client or server.

    If anyone has any suggestions/tests to do, it would be appreciated!

    I notice that when I create a folder on the AD domain controller/file server share from a Mac client, I have no permission to modify or enter the folder for a couple of minutes; then all of a sudden I get access.

    TIA

  #2 by a member in Vancouver (joined Mar 2011)

    Quote Originally Posted by danselvey:
        Hi, I'm a bit new to Macs in an AD environment, so I followed a reasonably good-looking tutorial:
        jordaneunson.com » Blog Archive » Apple Magic Triangle Setup with Windows File Server backed Portable Home Directories.
    Thanks, I try. :P

    Quote Originally Posted by danselvey:
        I've got issues now that I have completed it. I suspect it may be a Kerberos SSO issue, but I'm not sure how to go about rectifying it.

        My AD users log on to the Mac client fine, it receives preferences from the Mac server, and I can browse the AD domain controller/file server. However, I can't browse any other machine, or even the Mac server, from the Mac client. Nor can I browse the Mac server from a PC client or server.

        TIA
    What do you mean you can't browse any other machine? What are you trying to browse? Do you mean that they are not showing up in the sidebar as available servers, or do you mean that you cannot browse their file shares? If so, what are the file shares? I need a few more details than this.

    You can verify what Kerberos tickets you have by typing 'klist' on the command line. It will show you which tickets you currently have. To kerberize your OD server, all you need to do is type 'sudo dsconfigad -enablesso' on the Mac server. Then create file shares on the Mac server and assign AD users and groups access rights via Server Admin.

    Let me know what happens. If you want, take this to the comments section for this blog post here: jordaneunson.com » Blog Archive » Apple Magic Triangle Setup with Windows File Server backed Portable Home Directories.

  #3 by danselvey (Nottingham)

    I think it's an SSO issue; it doesn't look like I'm getting any tickets. On a PC client I go to \\macserver, it asks for credentials, I type in an AD account and it fails. On a Mac client I try to browse the Mac server; it also asks me for credentials, and AD accounts do not work. The Macs cannot browse shares on the DC without supplying credentials.

    If I type klist on the Mac server I get "no credentials cache found while getting the ccache principal"; I also get this on a client logged into an AD account.

    I have used sudo dsconfigad -enablesso multiple times and rebuilt the Mac server, trying different approaches.

    Does there have to be anything configured at the AD end? Or anything that could be misconfigured?

    Thanks!

  #4 by a member in Vancouver (joined Mar 2011)

    I'm going to assume a few things here. First, that you're trying to authenticate to the Mac server so that you can mount a file share. My primary question would be: have you given restricted access rights to AFP or SMB services?

    Next, in terms of the SSO, go to the command line and type kinit <username> to see if you can check out a TGT. If you cannot check out a TGT then there's something wrong with your AD server and I can't help you. To check out a TGT you do not need the Mac to be kerberized. If you can successfully check the TGT out, then see if you can log in to the Mac server as an AD account. Do this from the login screen and not remotely; upon successful login, run the klist command again to see if you got a TGT assigned.

    Next, repeat this on a Mac client that is bound to both AD and OD. Log in as an AD user and see if you get a TGT. If you do, then try to authenticate to the AFP server and check afterwards. You should see some extra tickets.

  #5 by danselvey (Nottingham)

    I realise the test account had DES encryption enabled, from some earlier tests for something else. I have logged into the client with a new test account and can now browse all the DCs and file servers. But I still cannot access the Mac server.

    I tried logging on to the Mac server and it hung on logon; I had to reboot it.

    I typed kinit <testaccount> on the Mac server and it gets a ticket.

    PC and Mac clients still can't browse file shares on the Mac server (Invalid Password). I have added the user with full control to a couple of the shares in Server Manager.

    SMB log reads: PAM account restriction prevents user login.

  #6 by a member in Vancouver (joined Mar 2011)

    Hi Dan,

    It sounds like you have something really misconfigured. When you try to auth to the OD server does your AD log the authentication attempt?

  #7 by Marci (Wakefield, West Yorkshire)

    I always ask this in every thread on AD-OD issues, but you do have ALL machines syncing to the same time source, don't you...?

  #8 by a member in Vancouver (joined Mar 2011)

    Awesome question! I think he does considering he can check out the TGT. If the time is out by more than 5 mins the KDC won't allow the client to check out a TGT.

  #9 by Marci (Wakefield, West Yorkshire)

    Good point!

    The OP's issue was ringing bells of recognition in my head... and thus it all sounds similar to problems I suffered from a while ago. A quick ratch produced this: Sharepoints and OD/AD

    My solution is in the penultimate post of the thread, and it would be good to rule out (as you'll see from the post dates, it took quite a while to get to the bottom of it!)
    Last edited by Marci; 23rd March 2011 at 09:24 PM.

  #10 by danselvey (Nottingham)

    I rebound the Mac client following jordaneunson's tutorial and all is well with the client: it can browse the whole network and the network can browse its files. However, I am still stuck with the same problem with the Mac server. Nothing can browse it using AD credentials.

    Marci, the file you edited in your Sharepoints and OD/AD thread is vastly different to mine (Leopard > Snow Leopard thing?). As for the other part of that post, I've checked the permissions of the sharepoints, but I can't even get authorised to view the list of sharepoints.

    As for the clocks, they are perfectly in sync.

  #11 by Marci (Wakefield, West Yorkshire)

    Just checked the same file on our 10.6 server, and it's the same as on the 10.5 server... you may have to convert it first, however, for it to be viewable, as by default it's a binary file.

    Code:
    sudo plutil -convert xml1 /Library/Preferences/com.apple.AppleFileServer.plist
    sudo pico /Library/Preferences/com.apple.AppleFileServer.plist
    Then scroll through it and find the <key>kerberosPrincipal</key> line. The next line should be <string>afpserver/LKDC:SHA1.[big-long-hash]@LKDC:SHA1.[big-long-hash]</string>.
    Amend everything between the <string></string> tags to afpserver/fqdn@DN as per my post in that thread. Save, and then restart the AFP service.
    Last edited by Marci; 24th March 2011 at 09:42 AM.
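An added diagnostic, written for this page and not taken from the thread or from Apple, that automates the two checks the posters walk through: the kinit/klist test for an AD TGT in posts #4 and #8, and post #11's check that the AFP server's kerberosPrincipal is afpserver/<fqdn>@<REALM> rather than the local-KDC (LKDC) form. The plist and klist text are constructed samples; macserver.example.local, EXAMPLE.LOCAL and the hash are placeholders.

```python
import plistlib
import re

# Constructed sample of com.apple.AppleFileServer.plist after `plutil -convert xml1`,
# showing the local-KDC (LKDC) principal that post #11 says must be replaced.
# The hash value is a placeholder, not a real one.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>kerberosPrincipal</key>
    <string>afpserver/LKDC:SHA1.PLACEHOLDERHASH@LKDC:SHA1.PLACEHOLDERHASH</string>
</dict>
</plist>
"""

# Constructed klist output (MIT krb5 layout) for an AD user logged in on a client;
# EXAMPLE.LOCAL and macserver.example.local are placeholder names.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_501
Default principal: testaccount@EXAMPLE.LOCAL

Valid starting     Expires            Service principal
03/24/11 09:00:00  03/24/11 19:00:00  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
03/24/11 09:01:12  03/24/11 19:00:00  afpserver/macserver.example.local@EXAMPLE.LOCAL
"""

# A ticket line is: <start date> <start time>  <expiry date> <expiry time>  <principal>
TICKET_LINE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)$")


def check_afp_principal(plist_bytes, fqdn, realm):
    """Return (ok, principal, reason) for the AFP service's Kerberos principal."""
    principal = plistlib.loads(plist_bytes).get("kerberosPrincipal", "")
    expected = f"afpserver/{fqdn}@{realm}"
    if principal == expected:
        return True, principal, "principal is registered in the AD realm"
    if "LKDC:" in principal:
        return False, principal, "still the local KDC principal; AD ticket holders cannot authenticate"
    return False, principal, f"expected {expected}"


def service_principals(klist_output):
    """Service principals of every ticket line in klist output, in order."""
    matches = (TICKET_LINE.match(line.strip()) for line in klist_output.splitlines())
    return [m.group(1) for m in matches if m]


def has_tgt(klist_output, realm):
    """True when the cache holds a TGT for the AD realm (post #4's kinit/klist test)."""
    return f"krbtgt/{realm}@{realm}" in service_principals(klist_output)
```

On a real server, feed check_afp_principal the XML produced by post #11's plutil command and has_tgt the output of klist from the session under test.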

  #12 by danselvey (Nottingham)

    The line has no SHA hash in it; it is already in the format you suggest.

  #13 by danselvey (Nottingham)

    It's also worth noting that the Mac server cannot access file shares on other machines, such as the domain controller, without supplying a username/password.

  #14 by Marci (Wakefield, West Yorkshire)

    K - now, re: the sharepoints... on the server, open Terminal again.
    Take the path of one of the folders you've shared... so for instance I have shared /Volumes/Server Raid/Music/Students to all students...

    Code:
    sudo chown root:admin "/Volumes/Server Raid/Music/Students"
    (The path contains a space, so it must be quoted or the shell will treat it as two arguments.)
    Repeat this for each shared folder, then head to the Server Admin app, hit File Sharing > Share Points, and from there set permissions for each sharepoint based on OS X groups or whatever...
    In Workgroup Manager, ensure that you've got the relevant AD groups mapped to the relevant OS X groups...

  #15 by danselvey (Nottingham)

    Nope, none of that worked, although just to clarify, what do you mean by mapping the groups?

    I'm still getting "PAM account restrictions prevent user login" in the log when I try to access the server with SMB, and nothing when I try to access via AFP (apart from invalid username/password on the client).
