OS X Server :: Establishing Kerberos Authentication At Login?
Feb 9, 2008
I'm trying to get my leopard client to access sharepoints on my leopard server using kerberos authentication established at login. I'll list what I have done already bellow:
- OD set up with a username (short and long) and password that is the same as that being used on the client laptop.
- Client laptop is bound to the OD
- modified /etc/authorization: <string>builtin:authenticate,privileged</string> to <string>builtin:krb5authnoverify,privileged</string>
When I log in it accepts my password and allows me into the laptop. The OD logs show that authentication to the server took place (I believe) (username and domain intentionally masked): Code: Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: NEEDED_PREAUTH: user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: NEEDED_PREAUTH: user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): handling authdata
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): handling authdata
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): .. .. ok
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): .. .. ok
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV When I try to connect to an AFP sharepoint it again asks my to authenticate. If I authenticate once then I can access any other sharepoints with no problems, however, I'd like to be able to use the kerberos ticket I believe I have from the system login to do this AFP authentication.
When a user logs in, or tries to, it brings up Kerberos Agent and asks for a password. Anything you enter results in taking you back to the login screen? How do I disable this - all macs are running off of a Panther Server for login options.
on setting up an OD master to accept kerberos from a AD domain and I can't get AFP to work.
What I've done:
1. Bind OD Master to AD 2. Destroyed the OD Kerberos realm 3. Ran sudo dsconfigad -enableSSO
When I log into a client that is bond to both AD and OD and try to access a SMB share on the AD side it works. When I try to access a SMB share on the OD master it work. When I try to access a AFP share on the OD Master it fails with the error " The user Authentication Method required by this server can't be found". Now I think this error is because I'm forcing Kerberos authentication, if I change AFP setting to any method authentication I get promoted with the AFP login window, I enter my AD account information and I'm able to mount the share.
I am having difficulty troubleshooting this error. I have attached a section of the /var/log/opendirectoryd.log file while in debug mode. This is a 10.7.3 Open Directory master with no replicas. I put logging into debug mode to try to get to the root of this problem but I am not finding an answer to this issue. I am getting this same error message with multiple users, but they can all log in and function just fine. We are doing Radius auth to OD from our Cisco ASA for VPN connectivity and that works fine as well.Â
2012-03-12 11:30:09.119 PDT - Multiple names for non-user record 'wleler' - will be cache miss for others 2012-03-12 11:30:09.119 PDT - Module: SystemCache - Attaching Kerberos id 'wleler@OSXSERVER01.UTIL.PDX.OFFICE' to record 'wleler' 2012-03-12 11:30:09.119 PDT - Setting item 'wleler' with expiration 4061372012-03-12 11:30:09.119 PDT - Adding item 'wleler' with expiration 4061372012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - GlobalGUID - adding entry wleler (0x43E09310) -
Im having all kinds of 'not found' issues with lion server but i think alot of them may stem from not being able to stop kerberos from running on Open Directory.Therefore currently im running two Kerberos realms OD and Active directory.. When I try and stop it in terminal it errors see below...Â
shutting down kadmind kadmind shut down shutting down kdc
[code]....
then on server admin it shows kereberos for OD as "running".. still so i know it hasn't worked?
when I press "Command+Control+D" when i hover over a word to look up its meaning in Dictionary it doesn't do anything... and when I Control-Click it and select "Look up in Dictionary" it doesnt do anything either... and I tried doing both things when I had Dictionary running in the background and when it was closed and nothing.... so, what can I do?
since i got my macbook i used to always close the lid to put it to sleep between classes and every time I open it, it asks me for authentication and password... now, it's not doing that! and if I close it, and perhaps, go to the bathroom or something, anybody can open and it logs in w/o password.... maybe I changed something in Settings w/o realizing but can't remember...
[EDIT] I just remembered! in iTunes, I want to disable the little link button to iTunes Store next to each song/artist/etc... I know if I disable iTunes Store from Parental Controls, it'll do it.... but if I do, I won't be able to download Apps! How can I turn them off??
I have been reading through the Lion Server pages for Active Directory and came across the following question. Does the procedure listed in the URL below allow the users whose Macs are joined to the OS X server, to login with Active Directory credentials. Pass-through auth. for lack of a better term. [URL]...The procedure reads as if it is just joining the server to the domain and not configuring authentication.Â
I've recently joined/binded to our domain. All appears to be working as expected. Although one message keeps popping up in the finder at random moments. Doesn't seem related to anything that is being done at the time. It says Proxy authenication required. Authentication for HTTP proxy my.proxy.name  and has username and password to be filled in.Â
Where/what logs can be viewed to determine what program is wanting to get thru the proxy? I'm guessing it is an auto-update of something but I've turned everything off that I can find and it still is popping up. Hoping a log somewhere will tell me what is trying to gain access so I can turn off the attempt.Â
i have a domain controller and active directory based policy win 2003, one xserve running mac os x server 10.6.8 and alot of macs workstations. How can i push login script on all macs without adding it in login items? The script i want to store on smb or afp share disk, and will be edited from time to time. I've tried to add it on xserve from WGM, but it threw an error that current directory schema doesn't store desktop settings.So how can i solve this?
on a windows platform, you have Server 2003 running Active Directory on a domain. and XP SP2 clients login to the domain connected to the server.is it possible to run the same situation but run OSX Server instead of a windows 2003 server? I'm just thinkin for a small office and reliability of using mac platform instead of pc with potential viruses and stuff, I want to use my office osx server machine and use windows pc's up front to log into the server.
I have installed Leopard 10.5 server and have created users and everything. I can remotely access it to administrate it. This may be a stupid question, but how do I login as a user on the server? I tried to connect to server through the go menu. I couldn't. The IP would not work, although in other parts the ip is recognized.
I installed the 10.7.3 Server Combo update today, and now when I try to use Server.app to administer my server, it just shakes to tell me they are invalid (even though I'm logged in to the server with that username/password).
Info: Mac mini, Mac OS X (10.7.2), Server | 2.53 ghz | 4GB | (2) 500GB
After updating to osx Lion I've been having trouble with a dialog box wanting me to enter my Kerberos user name and password. I have no idea why this happens and what user name / password it is asking for, I just hit cancel and everything else seems to work fine. But the dialog box keeps popping up again and again, it is pretty annoying. Can anyone tell me how to turn it off?
I run an OS X server with associated Sun workstations running GNOME desktop 2.6. When I create user accounts on the server, I can't log in from the Suns. When I ssh from one of the accounts on the server to one of the suns I get a message saying it could not chdir to the home directory. Any ideas on how I can properly create user accounts to allow for login on Sun workstations?
I have a MacBook Air that I set up to connect to a shared drive on our university's network. I'm able to connect to it manually just fine after I've logged in, but I keep getting the following error every time I login: "Connection Failed: The server may not exist or it is not operational at this time. Check the server name or IP address and your network connection and try again."
Along with this comes a "?" in my dock, indicating the "share" drive cannot be found. I'm assuming I've pointed Leopard to an incorrect alias or something while I was figuring out how to connect to the share drive. How do I remove this instruction so the error message will just leave me alone?
I have recently had a problem with one of our servers (running OsX 10.4.8 Server). Normally I connect remotely via Chicken of the VNC, as it doesn't have a graphics card and is in another room. Connecting works fine and the display is perfect (see [URL] until that is, I try to log in. Once logged in (doesn't matter as what user, even tried a completely new one) the display instantly becomes illegible, with each row seemingly shifted 10 or so pixels to the right as you go down the display (see [URL] All directory, file and web services function correctly and the remote VNC connection is responsive (for example if you can guess where the logout button is, it will return to the perfectly displayed login screen...), but I am at a loss as to what is causing this and/or how to fix it, short of a clean install, but since it is a heavily used production server, I am loath to take it offline for that long. Any advice, tips or even solutions would be fantastic, I have been googling around for a week or so and comparing System and Library directories file by file with one of our other servers to see if there's something obvious, but to no avail.
We are running 10.5 server and 10.4 client machines. 4 servers with accounts 2 work and 2 do not. Everything seems to be set up the same on all. The error we get is "The home folder for the user account is located on an AFP or SMB server.
I have a Mac Mini Lion Server which is running open directory. I have several users which I created a while ago and they are able to login to the server from both Lion and SL clients. I created a new user account today and for some reason I am unable to login using the new user account from a SL computer. I've been able to login using a lion client, but SL, no dice. Â
Here again dealing with how OS X deals with .local domains I think.Was previously bound and all was working fine. Have just updated to 10.7.4 When trying to login using the "Other User" the button stays red and says Network accounts unavailable. I can ping domain server by name and IP.Permissions have been rebuilt.
Have rebound. Had a problem at first unbinding inside the Open Directory Utility as it said it could not connect with the domain and an unused account would be left if a forced unbind was done. Tried again by using the minus button instead of the Unbind button and it worked without any message.
So then binded to the domain and all looked good. Green button next to Network Account Server in the Users and Groups.
Info:iMac (27-inch Mid 2011), Mac OS X (10.7.3), VM Ware with XP Pro
I'm trying to diagnose our new intel servers and VNC.They're of varying configurations in terms of memory, disks, etc, but all are the new xserve model.
Here's what happens.
When connecting to VNC either through ARD's built in software or chicken of the vnc we can see the login screen perfectly, but as soon as we login it suddenly "scrambles." The second a monitor is plugged in the remote display "clears" and again becomes usable.
Here's what's been done so far; Rebooted the server (VNC broken) Ran software update (VNC broken) Booted the server with a monitor attached (VNC works) Unplug the monitor after reboot + login + monitor plugged in. (VNC continues to work.)
Here's the problem. When I reboot the server I don't need to go through a song and dance to login remotely after a reboot.
I'm not sure - but for some reason I am no longer able to login to my wikiserver via Safari. I can with firefox, chrome, IE, etc but not in Safari. Username doesn't matter. (either total admin or just a user).
I have 3 servers in my office. I have plan to configure these three together in my office. My plan is one server just only for login purpose and other two to keep the home folders and shared folders.the function is when one network user log in to one client machine, it just login(by using first server)and disconnect from first server and connect to the either two (means direct to the homefolder i created either of two server). Means first server as login server and other two are file servers.
I have a brand new iMac running 10.7.4 bound to AD with mobile accounts to be created at login. We've had dozens of users log into this Mac with their AD credentials with no problems. Login proceeds as expected, home folders are created, etc. One user cannot log in. The login window will freeze (spinning beach ball) after he enters his credentials and the computer has to be manually shut down. After a restart you can see that his home directory has been created, with proper permissions, but he still cannot log in (spinning beach ball). However, he CAN log onto other AD bound Macs, just not this one. And he CAN log onto a bound Windows machine, so apparently there's nothing wrong with his account. There is no OD server in the mix. The computer is bound to our AD domain only. The system log shows the proper UID but indicates that the user name can't be found. But then the user folder (with the correct name) is created anyway. Later there is an entrry that the UID can't be found.
I have a problem with Network Users defined on my Lion Server accessing the server through VPN or Profile Manager (via Safari) ... I keep on getting authentication errors. Is this because they are network users or am I missing something else?
This works: when I logon to my Lion Server with either local or network users everything seems to be OK including home directory synchronisation.
I tried the following for VPN:my local server account can logon to the server (ie my secret key, user account/password combination are OK ("chap peer authentication succeeded for ...")when I try the same with two of my network accounts I keep on getting authentication errors (VPN) but I'm sure I use the same userid/password combinations as above ("chap peer authentication failed for ...")
I get similar results when I access the Profile Manager (url..)my local server account can logon on to the Profile Manager and sees as all the informationwhen I try this with one of my network accounts (which has devices assigned) I keep on getting 'incorrect user name or password
Is there a way to disable or hide the sleep button at the login screen? I am trying to send updates and/or commands from ARD.... But the end users are putting the computers to sleep by pressing the sleep button. This is causing the ARD updates/commands to fail. The computers and severs are all Lion OSX. If I can disable the sleep button at login then I can send the updates/commands. I normally only do the updates/commands when there is no user logged in.So I am not concerned with the case where the user is already logged in and puts the computer to sleep. I have already setup an MCX in WGM for the Energy Saver.
I have an OSX Lion 10.7.4 Server set up with Profile Manager and it is joined to AD.Â
I am able to see AD groups in the Profile Manager groups section. I can also see and add AD users and groups using the server app.Â
I have enabled the "Can Enable Remote Management" check box for Domain Users through Profile Manager. I have also added Domain Admins to the Workgroup group in the Server app. I'm not sure that I want or need either of these options, but they were suggestions to try. I am not able to log on to the Profile Manager or My Devices pages with AD logins.Â
I found these directions about nested groups in Workgroup Manager [URL] but I don't have a [URL] local group or any groups like are shown in the picture.Â
