  1. #1
    Lion Server AD-OD setup

    Hello,

    Just a heads up really. I ran into a slight issue when trying to configure Lion Server as a home directory server for my Windows users. I eventually sorted this out (which is another thread). Whilst trying to resolve this issue, though, I came across something that I think is slightly different in Lion Server from 10.6.

    The order in which you list the directory bindings does seem to have an effect on things, most importantly the Kerberos realm. While the OD server was listed first, the realm being used was ODSERVER.REALM.COM rather than the AD's REALM.COM. When running the kinit command, the server had no cached credentials for AD users (I had no OD users to test). When changing the order to AD first, the server then cached the credentials as expected for AD users and also used the AD's REALM.COM. It seems that which server is first in the list directly impacts which Kerberos realm is going to be used. It can change on the fly too, without any reboots or terminal commands.

    I don't think this was the case in 10.6.

  2. #2
    Rozzer
    I remember that with versions prior to 10.7 it was always suggested that you disable Kerberos. When setting up integration in the correct steps it does this for you. But because Lion uses a different version of Kerberos, it does not need to be done now.

    Ross

  3. #3
    Yes, you are right. Lion uses Heimdal as opposed to MIT Kerberos. However, the point I probably managed to hide in my post is that Lion Server will kerberise depending on the Directory Services list order. Take for example an OD realm of OD.EXAMPLE.COM and an AD realm of EXAMPLE.COM.

    If the AD is first in the list, then the realm used would be EXAMPLE.COM. But if the OD server was first in the list, the realm used would be OD.EXAMPLE.COM.

    Try it and see if you get the same results. Switch the list order around, then run kinit with an AD username and see the results. If the OD server is first, the cache would be empty and the realm would be the OD one.
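The test described in the two posts above (check the search path order, run kinit, see which realm the ticket cache ends up in) can be scripted so that an admin notices when the realm silently flips. The script below is an added example and is not code from either poster. It assumes the Heimdal `klist` output layout on Lion (a `Principal: user@REALM` line under the cache header) and the `CSPSearchPath:` listing that `dscl /Search -read / CSPSearchPath` prints; both sample texts are constructed here rather than captured from a real server, so adjust the patterns if your output differs.

```shell
#!/bin/sh
# Constructed sample of Heimdal `klist` output after `kinit jsmith` (not a real capture).
SAMPLE_KLIST='Credentials cache: API:501:0
        Principal: jsmith@EXAMPLE.COM

  Issued                Expires               Principal
Jul 20 09:00:00 2012  Jul 20 19:00:00 2012  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed sample of `dscl /Search -read / CSPSearchPath` with AD listed before OD.
SAMPLE_SEARCHPATH='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE/All Domains
 /LDAPv3/od.example.com'

# Print the realm of the default principal from klist output read on stdin.
# Strips everything up to and including the "@" on the first "Principal:" line.
realm_from_klist() {
  sed -n 's/^[[:space:]]*Principal:[[:space:]]*[^@]*@//p' | head -n 1
}

# Print the first non-local node of a CSPSearchPath listing read on stdin.
# Node lines are indented by one space; the "CSPSearchPath:" header is not.
first_remote_node() {
  sed -n 's/^[[:space:]]\{1,\}//p' | grep -v '^/Local/' | head -n 1
}

# Given the first remote node, print which realm the posts say to expect:
# an AD node first means the AD realm, an LDAPv3 (OD) node first means the OD realm.
# Realms are passed in as arguments so nothing is hard-coded.
expected_realm_for_node() {
  node="$1"; ad_realm="$2"; od_realm="$3"
  case "$node" in
    "/Active Directory/"*) printf '%s\n' "$ad_realm" ;;
    /LDAPv3/*)             printf '%s\n' "$od_realm" ;;
    *)                     printf 'unknown\n' ;;
  esac
}

# Return 0 when the realm in the klist text matches the expected realm, 1 otherwise.
check_realm() {
  expected="$1"; klist_text="$2"
  actual=$(printf '%s\n' "$klist_text" | realm_from_klist)
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Stand-alone run over the constructed samples. On a live server replace the two
# variables with `klist` and `dscl /Search -read / CSPSearchPath` output.
node=$(printf '%s\n' "$SAMPLE_SEARCHPATH" | first_remote_node)
want=$(expected_realm_for_node "$node" EXAMPLE.COM OD.EXAMPLE.COM)
if check_realm "$want" "$SAMPLE_KLIST"; then
  echo "OK: first node '$node' and ticket realm agree on $want"
else
  echo "WARNING: first node '$node' suggests $want but klist shows a different realm"
fi
```

The useful part for a defender is the mismatch branch: if the search path says AD comes first but the cache realm is the OD one (or the cache is empty and `realm_from_klist` prints nothing), the binding order or Kerberos configuration has changed under you and Windows users will not authenticate against the realm you intended.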
