Kerberos and Share issues - JAMF Connect

NewCollegeWorce
New Contributor

Hello all. Just for some context, I'm Alex, and I work at a school in the UK. We are currently in the process of setting up JAMF Pro and JAMF Connect, and we are running into trouble around DFS shares and Kerberos. Our AD domain is school.local, and our Azure AD is school.co.uk, and we are currently not getting Kerberos tickets. In the JAMF Connect logs, I get a Kerberos authentication error, OffDomain. So I am wondering if this has anything to do with the domain names not matching, and wondering if anyone else has had similar issues and how you've gotten around them. Just to clarify, I can ping the domain from my test Mac, and kinit gives a manual Kerberos ticket.

Also, the next question... We have DFS shares for our home folders in AD, and all our other shares are DFS. I'm desperately looking for some way of mounting these shares based on user groups etc.: if a certain user is in a particular group, mount this share for them, etc., while also having home folders mounted over DFS. I know this isn't officially supported by JAMF Connect, but changing our AD to try and not use DFS is a route that I don't think my boss will be too happy to go down... I've looked into the JAMF Nation mount network shares script on GitHub, but I am thinking that may run into issues, as I'm not sure how JAMF Connect pulls AD groups so we can attempt to modify that script.

And the best thing overall: I somehow have to try and fix all this by the end of the week to integrate our Macs into JAMF Connect. I've contacted JAMF support, and I have a case in progress. Also, for some context, I'm pretty new to the JAMF Mac admin stuff, but have been doing Windows administration for a few years now. Thank you all for any help, and sorry for the long post...
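The group-based mount the post above asks for, as an added example that is not part of the original thread or of the JAMF Nation script it mentions. Because a Jamf Connect Mac is not AD-bound, the script does not use dscl; it uses the user's existing Kerberos ticket (the one klist and Ticket Viewer show) to do a GSSAPI-authenticated ldapsearch for memberOf, maps the group CNs to share URLs, and hands the URLs to Finder. Assumptions, all hypothetical: the domain controller name dc01.school.local, the file server fs01.school.local, the group names and share paths in the table, that the local short name matches the AD sAMAccountName, and that the macOS ldapsearch build has GSSAPI SASL support. The LDIF sample embedded for offline testing is constructed, including one line wrapped the way LDIF wraps long values.

```bash
#!/bin/bash
# Added example, not from the thread: map a user's AD group membership to DFS
# shares and mount them, using only the user's existing Kerberos ticket rather
# than an AD bind.  HYPOTHETICAL: dc01.school.local, fs01.school.local, the
# group names and the share paths below.

# Group CN -> share URL table (hypothetical).  Whitespace separated, one per line.
GROUP_SHARES='
Staff     smb://fs01.school.local/staff
Students  smb://fs01.school.local/students
Finance   smb://fs01.school.local/finance
'

# Constructed sample of what ldapsearch -LLL returns for one user, used for
# offline testing.  The second memberOf value is wrapped across two lines the
# way LDIF wraps values longer than 76 characters (continuation = leading space).
SAMPLE_LDIF='dn: CN=Alex,OU=Users,DC=school,DC=local
memberOf: CN=Staff,OU=Groups,DC=school,DC=local
memberOf: CN=Finance,OU=Groups,OU=Some Long Organisational Unit Name,DC=sch
 ool,DC=local
'

# stdin: LDIF; stdout: one group CN per line.
# Step 1 joins LDIF continuation lines, step 2 pulls the CN out of each memberOf DN.
# (Values AD returns base64-encoded, written as "memberOf::", are not handled.)
groups_from_ldif() {
    awk '/^ / { line = line substr($0, 2); next }
         { if (line != "") print line; line = $0 }
         END { if (line != "") print line }' |
    sed -n 's/^memberOf: CN=\([^,]*\),.*/\1/p'
}

# args: group CNs; stdout: the share URL for each group that has one, in argument order.
shares_for_groups() {
    for g in "$@"; do
        printf '%s\n' "$GROUP_SHARES" | awk -v g="$g" '$1 == g { print $2 }'
    done
}

# Live lookup.  klist -s (Heimdal's --test) exits non-zero when there is no
# valid TGT, so we fail early instead of letting ldapsearch prompt.  -Y GSSAPI
# authenticates the LDAP bind with the ticket; no password is sent.
lookup_user_groups() {
    klist -s || { echo "no valid Kerberos ticket; run kinit or reconnect" >&2; return 1; }
    ldapsearch -LLL -Y GSSAPI -H ldap://dc01.school.local \
        -b 'DC=school,DC=local' "(sAMAccountName=$USER)" memberOf | groups_from_ldif
}

# Mount via Finder so the connection goes through the same SMB/Kerberos path
# a user double-clicking the share would take.
mount_shares() {
    for url in "$@"; do
        open "$url"
    done
}

# Only do the live work when invoked with --run; sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
    groups=$(lookup_user_groups) || exit 1
    # shellcheck disable=SC2086
    mount_shares $(shares_for_groups $groups)
fi
```

Run it as the logged-in user (for example from a Jamf policy or a LaunchAgent, not as root) with `--run` after Jamf Connect or the Kerberos SSO extension has obtained a ticket; with no ticket it exits 1 and prints why. Home folders that are only expressed as a DFS path can be added to the table the same way, since Finder follows the DFS referral to the real server, which is also why the Kerberos SSO extension's Hosts list has to cover the referral targets, not just the namespace root.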


SCCM
Contributor III

I don't think your Kerberos ticket from Azure will work with your on-prem shares. You could add a Kerberos single sign-on extension:
https://learn.jamf.com/bundle/jamf-school-documentation/page/Configuring_Kerberos_Single_Sign-on.htm....

Put the realm as school.local, and under host put the extension for your DFS share. If it detects the network it will prompt the user for their creds, and should sync a token from your on-prem domain controllers.

NewCollegeWorce
New Contributor

Hi and thanks for your reply.

When implementing this, I get prompted for my domain creds, and when running klist and accessing Ticket Viewer, I have a valid ticket.

However, the Finder still prompts for domain creds when attempting to mount the DFS share. For the profile I have the SSO payload configured, with Kerberos selected, and have SCHOOL.LOCAL as the realm, and for host I've tried smb://school.local, both upper and lower case, and also just school.local, both upper and lower case. No other settings configured. Any ideas? 😊 Thanks, Alex.
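The Kerberos SSO extension payload the reply above describes, written out as an added example rather than anything taken from the thread or from Jamf's documentation page. It uses Apple's documented com.apple.extensiblesso payload keys: Realm is the uppercase Kerberos realm, and Hosts is an array of host or domain names, not URLs; an entry with a leading period (.school.local) is a domain-suffix match, which matters for DFS because Finder is redirected from the namespace root to whichever file server the referral names, and the extension only supplies a ticket for hosts in this list. The PayloadIdentifier, PayloadUUID and the realm/domain values are placeholders. Kerberos over SMB also needs the Mac to reach the server by a hostname that has a matching cifs/ SPN in AD; connecting by IP address will fall back to a password prompt regardless of this payload.

```xml
<!-- Added example: one payload dict inside a .mobileconfig PayloadContent array.
     Hypothetical identifiers and realm; Apple's documented key names. -->
<dict>
  <key>PayloadType</key>
  <string>com.apple.extensiblesso</string>
  <key>PayloadIdentifier</key>
  <string>com.example.kerberos-sso</string>
  <key>PayloadUUID</key>
  <string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Kerberos SSO (SCHOOL.LOCAL)</string>

  <!-- Apple's built-in Kerberos SSO extension -->
  <key>ExtensionIdentifier</key>
  <string>com.apple.AppSSOKerberos.KerberosExtension</string>
  <key>TeamIdentifier</key>
  <string>apple</string>
  <key>Type</key>
  <string>Credential</string>

  <!-- Kerberos realm, uppercase -->
  <key>Realm</key>
  <string>SCHOOL.LOCAL</string>

  <!-- Hosts the extension hands tickets to.  Leading period = any host under
       school.local, which covers the DFS root and every referral target.
       Plain hostnames, never smb:// URLs. -->
  <key>Hosts</key>
  <array>
    <string>.school.local</string>
  </array>

  <key>ExtensionData</key>
  <dict>
    <!-- Make this realm the default so unqualified lookups go to it -->
    <key>isDefaultRealm</key>
    <true/>
    <!-- Warn the user this many days before AD password expiry -->
    <key>pwNotificationDays</key>
    <integer>15</integer>
  </dict>
</dict>
```

To check the result after the profile is installed, connect with Finder to a share by hostname under school.local and then run klist: a working SSO path shows a service ticket for cifs/fileserver.school.local@SCHOOL.LOCAL next to the krbtgt entry, and no password prompt. If the krbtgt ticket is present but no cifs/ ticket appears and Finder prompts, the host being connected to is either outside the Hosts list or has no SPN, which narrows the problem to the payload or to AD rather than to Jamf Connect.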

mfletch
New Contributor III

@NewCollegeWorce I am seeing "Kerberos authentication failed with error: OffDomain" in the logs for a small number of my users after upgrading to Jamf Connect. I'm curious if you were ever able to find a solution to this? What the user sees is: after Jamf Connect is pushed to them and they reboot, they log back in, choose SSO, log in and connect their account to their Entra account, and it takes them to the desktop and all is seemingly well. But when they open Office apps it asks them to authenticate and use 2FA as usual, which works, but then immediately asks them to authenticate again and just stays in that loop seemingly endlessly. Their Office apps were working fine until they rebooted and logged back in with Jamf Connect.