On Mar 30, 2011, at 2:08 PM, Mike Reed wrote:
> On Mar 30, 2011, at 12:41 PM, Andrew Tomlinson wrote:
>
>> SMB settings on server show correct realm (the AD domain), access allowed only by NTLM NTLMv2&Kerberos.
>
> Note that there are two settings, not three. I know you didn't say this, but often people understand. This is setting either NTLM ONLY, or GSSAPI, which includes NTLMv2 AND KERBEROS.
>
> It works like this:
> 1) Attempt to authenticate via GSSAPI. GSSAPI will negotiate, and will likely try Kerberos. Assume Kerberos auth fails. There's no "okay, now try NTLMv2" option. GSS auth failed. Period. So, we do:
> 2) Attempt to authenticate via NTLM.
>
> It's that point where people are confused. The order is not Kerberos-->NTLMv2-->NTLM, it's Kerberos-->NTLM, and 99.999% of the time, OS X and DirectoryService will be set up to/attempt to use Kerberos, meaning NTLMv2 *never* gets tried.
>
> Keep reading...
>
>> On WinXP clients, all works well. User logs onto workstation, maps drive to the MOSXS fileshare without prompts for authentication.
>
> Which either means Kerberos is working, or that they've saved their password for this share and aren't prompted for authentication because it's saved. It'd be interesting to see, after connecting, if these XP boxes have smb/cifs tickets for the OS X server. Google KerbTray if you need a utility on XP to do this (it's part of the ResKits for Windows).
>
>> On new Windows 7 clients, they are prompted for credentials and theirs fail. Lowering LmCompatibilityLevel at HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the client fixes this and authentication succeeds, but is this really necessary? On our Windows XP boxes, this setting is 4 and there are no issues.
>
> If Kerberos isn't working/is failing, then yes, this is necessary. See this article for more information on this commonly misunderstood setting and what it really does/how it really works: http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx
>
>>
>> I would be grateful for a kick (well, you can just point) in the right direction.
>
> My guess? For some reason on Windows 7, Kerberos is failing. KerbTray works there, too. My next guess for why is DNS - either server-side (disjointed?) or client-side. Does the computer account for the OS X server in AD have an SPN for smb/cifs that matches, exactly, its DNS name as listed in the AD computer account?
>
> You can look at this with SetSPN on Windows, or 'sudo net ads info' on the OS X server. They're at the end. If your server is server.foo.com, but the AD domain is ad.foo.com, it's likely that AD registered the SPNs as server.ad.foo.com, and Kerberos is failing (disjointed). That's the most common problem I see. Other problems could be proper reverse DNS for server and/or client. DanS has posted good info in the past (use the search function) about DNS, and Apple has good KBase articles about it as well.
>
> -- Mike
What a wealth of helpful information and analysis! Thank you very much, Mike.
I'm sure you're right that Kerberos is failing. Kerbtray does not show tickets for the OSX server.
With SetSPN I'm out of my league and probably using it incorrectly, but here's what I ran and got on a client WinXP box:
> setspn -L whs4
FindDomainForAccount: DsGetDcNameWithAccountW failed!
Cannot find account whs4
I've asked a Domain admin to check on this for me.
What I don't get is why things are working on the XP boxes. I can log onto one of those with an account that has never before been used on that computer, map a drive from the OSX Server, and get no authentication requests. The share mounts with correct access privileges. The output of log.smbd on the server for this event is not reassuring, though:
[2011/03/31 07:11:13, 0, pid=43504] /SourceCache/samba/samba-235.5/samba/source/lib/opendirectory.c:get_opendirectory_authenticator(247)
failed to read DomainAdmin credentials, err=67 fd=26 errno=2
[2011/03/31 07:11:13, 1, pid=43504] /SourceCache/samba/samba-235.5/samba/source/smbd/service.c:make_connection_snum(1092)
lpt407a0407-51 (10.2.27.217) connect to service docs initially as user atomlinson (uid=910890813, gid=568050938) (pid 43504)
And also, if I log onto a MOSX 10.6.6 client and connect to server, it works without prompts and here is the output of klist, showing the cifs ticket for server whs4, no?:
106iMac04:~ atomlinson$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: email@hidden
Valid Starting     Expires            Service Principal
03/31/11 07:25:34  03/31/11 17:25:34  krbtgt/email@hidden
        renew until 04/01/11 07:25:34
03/31/11 07:26:10  03/31/11 17:25:34  krbtgt/email@hidden
        renew until 04/01/11 07:25:34
03/31/11 07:26:10  03/31/11 17:25:34  krbtgt/email@hidden
        renew until 04/01/11 07:25:34
03/31/11 07:26:11  03/31/11 17:25:34  doms41001$@STUDENTS.BCPS.K12.MD.US
        renew until 04/01/11 07:25:34
03/31/11 07:27:14  03/31/11 17:25:34  cifs/email@hidden
        renew until 04/01/11 07:25:34
DNS looks clean to me:
106iMac04:~ atomlinson$ dig whs4.students.bcps.k12.md.us
; <<>> DiG 9.6.0-APPLE-P2 <<>> whs4.students.bcps.k12.md.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5529
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;whs4.students.bcps.k12.md.us. IN A
;; ANSWER SECTION:
whs4.students.bcps.k12.md.us. 3600 IN A 10.2.17.254
;; Query time: 3 msec
;; SERVER: 10.32.17.100#53(10.32.17.100)
;; WHEN: Thu Mar 31 08:31:08 2011
;; MSG SIZE rcvd: 62
. . . and:
106iMac04:~ atomlinson$ dig -x 10.2.17.254
; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 10.2.17.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1553
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;254.17.2.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
254.17.2.10.in-addr.arpa. 3600 IN PTR whs4.students.bcps.k12.md.us.
;; Query time: 8 msec
;; SERVER: 10.32.17.100#53(10.32.17.100)
;; WHEN: Thu Mar 31 08:31:48 2011
;; MSG SIZE rcvd: 84
My grasp of all of this is slight, I know. I really appreciate the help!
Andrew
--
Andrew Tomlinson
Western High School, http://westernhighschool.org
--
Andrew Tomlinson, Staff Associate
Western High School, Baltimore, MD http://westernhighschool.org
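The three things Mike asks Andrew to check (does reverse DNS for the server agree with its forward name, is the server's DNS domain disjoint from the AD realm, and does the client actually hold a cifs/ service ticket after the share mounts) can be scripted on the client. The script below is an added example, not code from this thread, from Apple or from Samba. It assumes `dig` and `klist` are on the client's path and that the SMB service principal has the form cifs/<fqdn>@<REALM>; the klist text it parses offline is constructed for illustration, with the server name and realm taken from Andrew's dig and klist output.

```shell
#!/bin/sh
# Added example (not from the thread): client-side checks for the three
# failure modes discussed above. Assumes `dig` and `klist` are on the
# client and that the SMB service principal is cifs/<fqdn>@<REALM>.

# Normalise a DNS name: lowercase, trailing dot removed.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# 0 when the PTR name returned for the server's address matches its FQDN,
# i.e. forward and reverse DNS agree.  Args: fqdn ptr_name
dns_roundtrip_ok() {
    [ "$(norm_name "$1")" = "$(norm_name "$2")" ]
}

# 0 when the host's DNS domain equals the Kerberos realm.  A mismatch is the
# "disjoint namespace" case (server.foo.com in realm AD.FOO.COM), where AD
# may have registered the SPN under a name the client never asks for.
# Args: fqdn realm
namespace_joined() {
    host_domain=$(norm_name "$1" | sed 's/^[^.]*\.//')
    [ "$host_domain" = "$(norm_name "$2")" ]
}

# 0 when klist output contains a cifs/ service ticket for the server.  If the
# share mounted without one, the session authenticated with NTLM, not Kerberos.
# Args: klist_text fqdn
has_cifs_ticket() {
    printf '%s\n' "$1" | grep -qiF "cifs/$(norm_name "$2")@"
}

# Live check, run on a client that has already mounted the share.
# Args: fqdn realm
check_server() {
    fqdn=$1; realm=$2; rc=0
    addr=$(dig +short "$fqdn" | grep -E '^[0-9.]+$' | head -n 1)
    if [ -z "$addr" ]; then
        echo "FAIL: $fqdn has no A record"; rc=1
    else
        ptr=$(dig +short -x "$addr" | head -n 1)
        if dns_roundtrip_ok "$fqdn" "$ptr"; then
            echo "ok:   $fqdn -> $addr -> $ptr"
        else
            echo "FAIL: reverse lookup of $addr gives '$ptr', not $fqdn"; rc=1
        fi
    fi
    if namespace_joined "$fqdn" "$realm"; then
        echo "ok:   DNS domain of $fqdn matches realm $realm"
    else
        echo "WARN: DNS domain of $fqdn is not $realm (disjoint namespace?)"
        echo "      compare the SPNs: 'setspn -L <account>' or 'sudo net ads info'"; rc=1
    fi
    if has_cifs_ticket "$(klist 2>/dev/null)" "$fqdn"; then
        echo "ok:   client holds a cifs/$fqdn ticket"
    else
        echo "FAIL: no cifs/$fqdn ticket; the mount used NTLM or Kerberos failed"; rc=1
    fi
    return $rc
}

# Constructed sample (not real klist output) so the parsers can be exercised
# offline; the realm and server name are the ones from the thread.
SAMPLE_KLIST="Default principal: atomlinson@STUDENTS.BCPS.K12.MD.US
03/31/11 07:25:34  03/31/11 17:25:34  krbtgt/STUDENTS.BCPS.K12.MD.US@STUDENTS.BCPS.K12.MD.US
03/31/11 07:27:14  03/31/11 17:25:34  cifs/whs4.students.bcps.k12.md.us@STUDENTS.BCPS.K12.MD.US"

# Usage: sh smbkrb-check.sh whs4.students.bcps.k12.md.us STUDENTS.BCPS.K12.MD.US
# With no arguments it only runs the offline demo against the sample text.
if [ "$#" -ge 2 ]; then
    check_server "$1" "$2"
else
    if has_cifs_ticket "$SAMPLE_KLIST" whs4.students.bcps.k12.md.us; then
        echo "sample: cifs ticket for whs4 present"
    else
        echo "sample: no cifs ticket for whs4"
    fi
fi
```

A mount that succeeds while `has_cifs_ticket` reports nothing is exactly the XP situation described in the thread: the client fell through to NTLM, so lowering LmCompatibilityLevel on Windows 7 only papers over a Kerberos failure that the SPN and DNS checks should explain.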
Macos-x-server mailing list (email@hidden)