Posted on 01-13-2012 07:23 AM
Continuing on my thread of posting about Kerberos - has anyone out there had their authentication fall back to NTLM when they attempt to connect to a DFS share?
Posted on 01-13-2012 08:23 AM
Do you have a Proventia network appliance?
Posted on 01-13-2012 03:10 PM
DFS shares are working with Kerberos for me. The only time I get prompted for username/password is if the client Mac doesn't have a valid Kerberos ticket; I've never seen it fall back to NTLM otherwise. Need me to check anything for you so you can compare?
Posted on 01-17-2012 04:10 AM
Shouldn't need to type username and password to get a valid certificate. You can configure it to get one at login:
http://support.apple.com/kb/HT4100
Posted on 01-25-2012 10:05 AM
I'm seeing this on a Lion 10.7.2 client. It is joined to an Active Directory Domain which has domain based DFS.
Connecting to SMB://domain.school.edu/share$ results in a Kerberos failure because there is no Service Principal Name for "domain.school.edu". The authentication falls back to NTLM. If I use SMB://DCname.domain.school.edu/share$ everything works fine.
Posted on 01-26-2012 06:01 AM
That link's dead?
Sorry... no, it's not... damn Safari!!
Posted on 01-26-2012 07:31 AM
After doing some Wireshark captures I have a bit more info:
The first connection made is to the namespace server (to get the DFS referrals). The client tries to use Kerberos but it fails because there is no Service Principal Name for "host/domain.school.edu". It falls back to NTLM authentication. In my environment you still get the DFS referrals. BUT.... when the client tries to connect to the actual file server (from the referral) it never tries to use Kerberos! It goes straight to NTLM and fails.
If I use a specific DC (smb://DCname.domain.school.edu/share$), that server DOES have a valid SPN and Kerberos authentication is successful with the namespace server. The DFS referral points to the file server. This time, when the client goes to the file server, it uses Kerberos and everything works fine!
The problem seems to be that once the Lion client fails a Kerberos authentication with the DFS namespace server, it doesn't try to use Kerberos when authenticating to the file server.
Please let me know if I'm wrong or how to resolve this.
Posted on 02-09-2012 07:55 AM
I think that this issue has been resolved after installing the 10.7.3 update. I haven't had time to 100% confirm it though.
Posted on 04-17-2012 05:27 PM
Have you got this sorted Greg?
We have the same issue with 10.7.3 as well. Kerberos for DFS works fine at the very first login and will not work after logging off and logging back in.
We use mobile accounts.
Posted on 04-23-2012 08:18 AM
Yeah it seems to be working now with 10.7.3.
Are you trying to use the mountNetworkShare.sh script from the resource kit? If so, are you trying to map to a hidden share (ending with a "$")? I'm seeing an issue with that script at the moment....
Posted on 05-02-2012 02:14 PM
Perhaps I was a bit too hasty in my response... It seems to work fine if you just logoff/logon but a reboot results in the user being prompted for a password.
My head is spinning right now so maybe it's something simple.
Posted on 05-02-2012 02:24 PM
Open a terminal and type kinit to make sure you get a Kerberos ticket.
Posted on 05-03-2012 01:06 PM
OK... I think I'm mixing two different issues here.
I'm trying to use the mountNetworkShare.sh script from the resource kit.
a) I noticed that if the share was hidden (ending with a $) the part of the script that unloads the launch agent of shares that already exist failed. The "$" messed with the grep.
b) I noticed that with mobile accounts, you get prompted for a password if you rebooted your machine between logins. I don't have all the bugs worked out of this one yet. It seems like a Kerberos ticket is not being pulled at logon for mobile accounts even though you are connected to the domain (no red light).
If I DON'T use mobile accounts, the mountNetworkShare.sh script from the resource kit does not find the path to the user's home directory stored in their Active Directory account. I seem to be stuck.
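As an added illustration of point (a), not code from the resource kit script: a hidden share name ending in "$" is an end-of-line anchor to grep unless the pattern is passed as a fixed string, so the lookup for an already-loaded agent silently matches the wrong entry. The agent list and function names below are constructed for this example.

```shell
#!/bin/sh
# Constructed stand-in for the list of launch agent labels the script greps
# through to decide which existing share mounts to unload.
AGENT_LIST='com.example.mount.share$
com.example.mount.share
com.example.mount.other$'

# Buggy form: the share name is used as a regular expression. For the hidden
# share "share$", the trailing "$" anchors the match to end-of-line, so the
# non-hidden "share" entry matches and the hidden one is never found.
find_agent_buggy() {
    printf '%s\n' "$AGENT_LIST" | grep -- "$1"
}

# Fixed form: -F treats the share name as a literal string, so "$" is matched
# as a character. "--" stops option parsing in case a share name starts with "-".
find_agent_fixed() {
    printf '%s\n' "$AGENT_LIST" | grep -F -- "$1"
}

# Convenience check used by the calling script: succeeds only when an agent
# for exactly this (possibly hidden) share already exists.
agent_exists() {
    find_agent_fixed "$1" >/dev/null 2>&1
}
```

Running the two lookups for the hidden share side by side shows the buggy form returning the plain "share" agent while the fixed form returns the "share$" one.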
Posted on 05-04-2012 10:11 AM
For the mobile account users to get Kerberos tickets at login with Lion, try the following edit to /etc/pam.d/authorization:
http://kb.mit.edu/confluence/pages/viewpage.action?pageId=55738387