DFS and Kerberos

do you have a proventia network appliance?

DFS shares are working with kerberos for me. The only time I get prompted for username/password is if the client mac doesn't have a valid kerberos ticket, I've never seen it fall back to NTLM otherwise. need me to check anything for you so you can compare?

Shouldn't need to type user name and password to get a valid certificate. You can configure to get one at login:

http://support.apple.com/kb/HT4100

that links dead?

sorry.. no its not... damn safari!!

After doing some Wireshark captures I have a bit more info:

The first connection made is to the namespace server (to get the DFS referrals). The client tries to use Kerberos but it fails because there is no Service Principal Name for "host/domain.school.edu". It falls back to NTLM authentication. In my environment you still get the DFS referrals. BUT.... When the client tries to connect to the actual file server (from the referral) it never tries to use Kerberos! It goes straight to NTLM and fails.

If I use a specific DC (smb://DCname.domain.school.edu/share$) that server DOES have a valid SPN and kerberos authentication is successful with the namespace server. The dfs referral points to the file server. This time when the client goes to the file server it uses kerberos and everything works fine!.

Problem seems to be that once Lion client fails a kerberos authentication with the DFS namespace server it doesn't try to use kerberos when authenticating to the file server.

Please let me know if i'm wrong or how to resolve this.

I think that this issue has been resolved after installing the 10.7.3 update. I haven't had time to 100% confirm it though.

Have you got this sorted Greg?

We have the same issue with 10.7.3 as well. Kerberos for DFS works fine at the very first login and will not work after logoff and log back in.

We use mobile accounts.

Yeah it seems to be working now with 10.7.3.

Are you trying to use the mountNetworkShare.sh script from the resource kit? If so, are you trying to map to a hidden share (ending with a "$")? I'm seeing an issue with that script at the moment....

Perhaps I was a bit too hasty in my response... It seems to work fine if you just logoff/logon but a reboot results in the user being prompted for a password.

My head is spinning right now so maybe it's something simple.

open a terminal and type kinit, to make sure you get a kerberos ticket

Ok... I think i'm mixing 2 different issues here.

1. The original issue is resolved with 10.7.3. DFS shares can be mapped.
2. The 'new' issues are related to users logging in multiple times and/or rebooting in between those logins.

I'm trying to use the mountNetworkShare.sh script from the resource kit.

a) I noticed that if the share was hidden (ending with a $) the part of the script that unloads the launch agent of shares that already exist failed. The "$" messed with the grep.

b) I noticed that with mobile accounts, you get prompted for a password if you rebooted your machine between logins. I don't have all the bugs worked out of this one yet. It seems like a Kerberos ticket is not being pulled at logon for mobile accounts even though you are connected to the domain (no red light).

If I DON'T use mobile accounts, the mountNetworkShare.sh script from the resource kit does not find the path to the users home directory stored in their Active Directory account. I seem to be stuck.

For the mobile account users to get kerberos tickets at login with Lion, try the following edit to /etc/pam.d/authorization

http://kb.mit.edu/confluence/pages/viewpage.action?pageId=55738387