Author: Balkhy02 (Just started; joined Tue Feb 17, 2009 1:26 pm; posts: 5)
Post subject: Single sign on
Posted: Wed Feb 18, 2009 10:02 am

I have joined several 10.5 computers to the AD successfully. I am trying to get a fully single sign-on environment. I have configured Entourage 2008 to use Kerberos and managed to get it working.
However, when mounting an AFP volume the user is prompted for a username and password when it should go straight through.
Has anyone faced a similar issue? Thanks.

Author: Dominic (joined Wed May 18, 2005 3:53 pm; posts: 293; location: UK)
Post subject: Re: Single sign on
Posted: Wed Feb 18, 2009 1:55 pm

Hello
It sounds like it might be a couple of things....
The client is not set up correctly, or the server is not set up correctly...
When you try to establish the AFP connection, is it creating the afpserver/domain/realm entry in the Kerberos app?
Have you checked using klist -ke?
Also have a look at sso_util for the client setup...
How have you set up the server? 10.4 or 5?

Author: Balkhy02 (Just started; joined Tue Feb 17, 2009 1:26 pm; posts: 5)
Post subject: Re: Single sign on
Posted: Wed Feb 18, 2009 2:37 pm

Hi, thanks for the quick answer.
a) When trying to mount the volume, or even after entering the credentials to mount the volume, the Kerberos app does not show the new afpserver/domain/realm entry after the volume is mounted.
b) The result of klist -ke nevertheless shows the name of the AFP server:
   3 host/madfls03.emea.corp.ipgnetwork.com@LKDC:SHA1.FA29F559C1AD283BDE35C8A3282AE1B5ABA0ED20 (Triple DES cbc mode with HMAC/sha1)
   3 host/madfls03.emea.corp.ipgnetwork.com@LKDC:SHA1.FA29F559C1AD283BDE35C8A3282AE1B5ABA0ED20 (ArcFour with HMAC/md5)
   3 host/madfls03.emea.corp.ipgnetwork.com@LKDC:SHA1.FA29F559C1AD283BDE35C8A3282AE1B5ABA0ED20 (DES cbc mode with CRC-32)
c) The server is a Windows 2003 and it is running ExtremeZIP to serve AFP shares.
d) I do not know how to set up sso_util....
Thanks.

Author: Dominic (joined Wed May 18, 2005 3:53 pm; posts: 293; location: UK)
Post subject: Re: Single sign on
Posted: Wed Feb 18, 2009 3:35 pm

A quick test with ExtremeZIP on a Windows 2003 server, using Connect to Server... afp://server/share. My Kerberos.app shows afpserver/server@realm, and klist -ke returns the afpserver connection as well... How have you added your Mac to the AD... LDAP or its own plugin?

Author: Balkhy02 (Just started; joined Tue Feb 17, 2009 1:26 pm; posts: 5)
Post subject: Re: Single sign on
Posted: Wed Feb 18, 2009 5:47 pm

We bound the Mac to the AD using the Active Directory plugin, not the LDAP plugin.
I just tried from 2 other bound Macs instead of mine. I am afraid mine must have something corrupted or wrong.
From those bound Macs, when connecting to the share, there is a new entry in the Kerberos app. But they are prompted for a username and password anyway. Once they are validated to the domain, the volume is mounted. Afterwards, when connecting to a second share on the same server, the connection goes straight through.
I hope this gives you a more specific description of what is happening. Thanks in advance.

Author: Dominic (joined Wed May 18, 2005 3:53 pm; posts: 293; location: UK)
Post subject: Re: Single sign on
Posted: Wed Feb 18, 2009 8:44 pm

try this....
open the kerberos app...
unmount any shares
delete all entries in the "ticket cache"...
Click on "new"
enter your domain password
try the share...

Author: Balkhy02 (Just started; joined Tue Feb 17, 2009 1:26 pm; posts: 5)
Post subject: Re: Single sign on
Posted: Thu Feb 19, 2009 12:29 pm

I tried that and I am getting the same.
Any other ideas? Maybe the edu.mit.kerberos file? Thanks.

Author: Dominic (joined Wed May 18, 2005 3:53 pm; posts: 293; location: UK)
Post subject: Re: Single sign on
Posted: Thu Feb 19, 2009 1:18 pm

When you connect to a Windows domain share, are you prompted for your username etc...?

Author: Balkhy02 (Just started; joined Tue Feb 17, 2009 1:26 pm; posts: 5)
Post subject: Re: Single sign on
Posted: Thu Feb 19, 2009 1:49 pm

Let's see. Once the user has successfully logged on to the Mac with the AD credentials we face these situations:
a) For SMB share connections we are never prompted for a username and password.
b) For AFP share connections we are prompted for a username and password the first time we connect to the AFP server. Once the volume is mounted you can mount another volume from the same server without being prompted for credentials.
c) The Kerberos app shows the new tickets afpserver/servername@realm for AFP connections and cifs/servername@realm for SMB connections.
d) After unmounting all shared volumes, even while keeping a valid ticket for the AFP connection in the Kerberos app, we are prompted for a username and password when trying to mount a new AFP share from the same server that the ticket covers.
I am a little bit desperate, as all the documentation I have read indicates that AFP connections to a Windows domain AFP server should behave as SSO on computers bound to the domain.

Author: Dominic (joined Wed May 18, 2005 3:53 pm; posts: 293; location: UK)
Post subject: Re: Single sign on
Posted: Thu Feb 19, 2009 4:29 pm

Balkhy02 wrote: I am a little bit desperate, as all the documentation I have read indicates that AFP connections to a Windows domain AFP server should behave as SSO on computers bound to the domain.

There does not appear to be anything in the plugin for ExtremeZIP... works fine for me... I have also set up Kerberos on my 10.4/5 servers and that works as it should.... Is the time in sync? Create a share via SMB on the Windows box that hosts your AFP shares... do you still get prompted? It sounds like you have a valid ticket but the credentials are not being recognized... until it recreates the ticket... very odd.
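Three of the checks raised in this thread can be scripted: Dominic's klist -ke suggestion (answered above with a keytab listing whose only realm is the machine's LKDC:SHA1.… Local KDC realm), Balkhy02's description of which afpserver/ and cifs/ tickets the Kerberos app shows, and the clock question in the last reply. The block below is an added shell example, not code from the thread, from Apple or from the ExtremeZIP vendor. It parses a klist -ke (keytab) listing and a klist (credential cache) listing and reports the client-side SSO state for one AFP server. The two listings are constructed samples in the shape the thread shows; the user principal jdoe and the upper-cased realm EMEA.CORP.IPGNETWORK.COM are assumptions derived from the server name in the post, not values the thread gives. The one point of caution the code encodes: klist -ke lists keys this Mac holds in its own keytab (what it could accept as a Kerberos server), while only klist against the ticket cache shows which service tickets this client actually obtained, which is the question when an AFP mount prompts for a password.

```shell
#!/bin/sh
# Added example (not from the thread): triage Kerberos SSO for an AFP server on a
# Mac bound to AD, from `klist -ke` (keytab) and `klist` (ticket cache) listings.
# Everything below runs offline against constructed sample listings.

# Constructed sample in the shape of the `klist -ke` output posted in the thread.
# Only the machine's Local KDC realm (LKDC:SHA1.<hash>) appears: these are keys the
# Mac can accept as a *server*, not tickets it has obtained as a client.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/madfls03.emea.corp.ipgnetwork.com@LKDC:SHA1.FA29F559C1AD283BDE35C8A3282AE1B5ABA0ED20 (Triple DES cbc mode with HMAC/sha1)
   3 host/madfls03.emea.corp.ipgnetwork.com@LKDC:SHA1.FA29F559C1AD283BDE35C8A3282AE1B5ABA0ED20 (ArcFour with HMAC/md5)
   3 host/madfls03.emea.corp.ipgnetwork.com@LKDC:SHA1.FA29F559C1AD283BDE35C8A3282AE1B5ABA0ED20 (DES cbc mode with CRC-32)'

# Constructed `klist` (credential cache) sample after login and one SMB mount.
# The user jdoe and the upper-cased realm are assumptions, not values from the thread.
AD_REALM=EMEA.CORP.IPGNETWORK.COM
AFP_HOST=madfls03.emea.corp.ipgnetwork.com
SAMPLE_CACHE="Kerberos 5 ticket cache: API:Initial default ccache
Default principal: jdoe@$AD_REALM

Valid Starting     Expires            Service Principal
02/19/09 09:01:12  02/19/09 19:01:12  krbtgt/$AD_REALM@$AD_REALM
02/19/09 09:02:40  02/19/09 19:01:12  cifs/$AFP_HOST@$AD_REALM"

# The same cache after the AFP volume was mounted (the entry Balkhy02 sees appear).
SAMPLE_CACHE_AFP="$SAMPLE_CACHE
02/19/09 09:05:03  02/19/09 19:01:12  afpserver/$AFP_HOST@$AD_REALM"

# keytab_realms LISTING: distinct realms of the principals in a `klist -ke` listing.
keytab_realms() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ /{ p = $2; sub(/^[^@]*@/, "", p); print p }' | sort -u
}

# keytab_has_realm LISTING REALM: succeed if some keytab entry belongs to REALM.
keytab_has_realm() {
    keytab_realms "$1" | grep -qxF -- "$2"
}

# cache_has_service LISTING SERVICE HOST REALM: succeed if the ticket cache holds
# the service ticket SERVICE/HOST@REALM (the principal is the last field of a row).
cache_has_service() {
    printf '%s\n' "$1" | awk -v want="$2/$3@$4" '$NF == want { found = 1 } END { exit found ? 0 : 1 }'
}

# afp_sso_state CACHE_LISTING HOST REALM: classify what the client side has done.
afp_sso_state() {
    if ! cache_has_service "$1" krbtgt "$3" "$3"; then
        echo no-tgt               # no TGT: nothing to request service tickets with; kinit first
    elif cache_has_service "$1" afpserver "$2" "$3"; then
        echo afp-ticket-present   # the KDC issued the AFP ticket; a prompt now is not a ticket-issuance problem
    elif cache_has_service "$1" cifs "$2" "$3"; then
        echo cifs-only            # SMB SSO works for this host, but no afpserver/ ticket was ever requested
    else
        echo no-service-ticket    # TGT only: no service ticket for this host at all
    fi
}

# clock_skew_ok CLIENT_EPOCH KDC_EPOCH [MAX]: Kerberos rejects tickets when clocks
# differ by more than the configured clockskew; MIT's default is 300 seconds.
clock_skew_ok() {
    max=${3:-300}
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$max" ]
}

# Stand-alone run against the constructed samples.
echo "keytab realms:      $(keytab_realms "$SAMPLE_KEYTAB")"
echo "AD realm in keytab: $(keytab_has_realm "$SAMPLE_KEYTAB" "$AD_REALM" && echo yes || echo no)"
echo "before AFP mount:   $(afp_sso_state "$SAMPLE_CACHE" "$AFP_HOST" "$AD_REALM")"
echo "after AFP mount:    $(afp_sso_state "$SAMPLE_CACHE_AFP" "$AFP_HOST" "$AD_REALM")"
```

On a real client the same functions take live output, for example afp_sso_state "$(klist)" madfls03.emea.corp.ipgnetwork.com EMEA.CORP.IPGNETWORK.COM, run once before and once after the mount attempt. Dominic's clear-the-cache-and-get-a-new-ticket steps in the Kerberos app correspond to kdestroy followed by kinit at the command line; running the state check between those two and the mount attempt separates "no ticket was ever requested" from "a ticket was issued but the AFP client still prompted", which is the distinction the thread never quite pins down.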