Harvey
2004-Jan-09 18:06 UTC
[Samba] AD multiple domain logon and problems with Kerberos File Server authorization using SMB
Hi all,

I have configured the AD plug-in with the corresponding Forest and Domain to accept multiple domain authentication. The authentication option in Directory Access does have the root domain added as a custom path (the edu.Mit.Kerberos file has all domains configured, and each domain has 2 entries that are "kdc" and "admin_server"). A user belonging to the same configured Domain can log in successfully; however, when a user from another domain tries to log in, the login window shakes and as a result the user cannot enter his session. Has anyone got this multiple domain authentication to work?

When a user belongs to the configured domain and logs in, he automatically gets a Kerberos ticket. Depending on the file server the user connects to, two different scenarios take place. In the first scenario, the user connects to the FS and is authenticated by the Kerberos protocol as it should normally. In the second scenario, the user connects to another file server in the same domain as the user, and an SMB/CIFS authentication window appears asking for user, password and domain. If, in this window, user, password and domain are left blank and the OK button is clicked, then surprisingly the user is also authenticated by the Kerberos protocol. By doing some network sniffing, apparently the Kerberos protocol gets the correct name of the file server, and in consequence obtains a ticket for it, only after SAMBA has figured out the correct file server name. Is it possible to resolve this issue so that the SMB/CIFS authentication window does not appear?

Additionally, it is not possible for any Mac to authenticate correctly using Kerberos to any file server in any other domains. No error entries in the console.log or System.log have been found.

How should Windows Clusters of two physical PCs and N logical servers be configured to accept Kerberos authentication from the Mac? The problem is that the virtual server name is not in the Kerberos database, but the machine account is. However, nobody enters a web page by typing the machine account; they all are aliases.

These tests were performed with 5 different Macs, some having Mac OS X v10.3.1 and others having 10.3.2, but the same results have been seen in either one.

Thanks in advance,
Harvey