DFS and Kerberos

Mbentley777
Contributor

Continuing on my thread of posting about Kerberos - has anyone out there had their authentication fall back to NTLM when they attempt to connect to a DFS share?


jwojda
Valued Contributor II

Do you have a Proventia network appliance?

nkalister
Valued Contributor

DFS shares are working with Kerberos for me. The only time I get prompted for username/password is if the client Mac doesn't have a valid Kerberos ticket; I've never seen it fall back to NTLM otherwise. Need me to check anything for you so you can compare?

sean
Valued Contributor

Shouldn't need to type user name and password to get a valid certificate. You can configure to get one at login:

http://support.apple.com/kb/HT4100

frozenarse
Contributor II

I'm seeing this on a Lion 10.7.2 client. It is joined to an Active Directory Domain which has domain based DFS.

Connecting to SMB://domain.school.edu/share$ results in Kerberos failure because there is no Service Principal Name for "domain.school.edu". The authentication falls to NTLM. If I use SMB://DCname.domain.school.edu/share$ everything works fine.

Jak
New Contributor III

That link's dead?

Sorry... no, it's not... damn Safari!!

frozenarse
Contributor II

After doing some Wireshark captures I have a bit more info:

The first connection made is to the namespace server (to get the DFS referrals). The client tries to use Kerberos but it fails because there is no Service Principal Name for "host/domain.school.edu". It falls back to NTLM authentication. In my environment you still get the DFS referrals. BUT.... When the client tries to connect to the actual file server (from the referral) it never tries to use Kerberos! It goes straight to NTLM and fails.

If I use a specific DC (smb://DCname.domain.school.edu/share$) that server DOES have a valid SPN and Kerberos authentication is successful with the namespace server. The DFS referral points to the file server. This time when the client goes to the file server it uses Kerberos and everything works fine!

The problem seems to be that once the Lion client fails a Kerberos authentication with the DFS namespace server, it doesn't try to use Kerberos when authenticating to the file server.

Please let me know if I'm wrong or how to resolve this.

frozenarse
Contributor II

I think that this issue has been resolved after installing the 10.7.3 update. I haven't had time to 100% confirm it though.

Kumarasinghe
Valued Contributor

Have you got this sorted Greg?

We have the same issue with 10.7.3 as well. Kerberos for DFS works fine at the very first login and will not work after logoff and log back in.

We use mobile accounts.

frozenarse
Contributor II

Yeah it seems to be working now with 10.7.3.

Are you trying to use the mountNetworkShare.sh script from the resource kit? If so, are you trying to map to a hidden share (ending with a "$")? I'm seeing an issue with that script at the moment....

frozenarse
Contributor II

Perhaps I was a bit too hasty in my response... It seems to work fine if you just logoff/logon but a reboot results in the user being prompted for a password.

My head is spinning right now so maybe it's something simple.

nessts
Valued Contributor II

Open a terminal and type kinit to make sure you get a Kerberos ticket.

frozenarse
Contributor II

Ok... I think I'm mixing 2 different issues here.

  1. The original issue is resolved with 10.7.3. DFS shares can be mapped.
  2. The 'new' issues are related to users logging in multiple times and/or rebooting in between those logins.

I'm trying to use the mountNetworkShare.sh script from the resource kit.

a) I noticed that if the share was hidden (ending with a $) the part of the script that unloads the launch agent of shares that already exist failed. The "$" messed with the grep.

b) I noticed that with mobile accounts, you get prompted for a password if you rebooted your machine between logins. I don't have all the bugs worked out of this one yet. It seems like a Kerberos ticket is not being pulled at logon for mobile accounts even though you are connected to the domain (no red light).

If I DON'T use mobile accounts, the mountNetworkShare.sh script from the resource kit does not find the path to the user's home directory stored in their Active Directory account. I seem to be stuck.
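An added example (not from this thread or the resource kit) that turns the two findings above into a preflight check: it derives the SPN the SMB client will request from an smb:// URL and asks the KDC for a service ticket before mounting, so an NTLM fallback like the one seen in the Wireshark captures is caught up front, and it matches a hidden share name with a fixed-string grep so a trailing "$" is not treated as an end-of-line anchor. It assumes the Heimdal klist and kvno tools shipped with macOS and that the client requests cifs/<host>; the URL and share name are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes macOS Heimdal klist/kvno and
# that the SMB client requests the SPN cifs/<host> (an assumption).

# Host part of smb://host/share  ->  host
smb_host() {
    printf '%s\n' "$1" | sed -e 's#^[sS][mM][bB]://##' -e 's#/.*$##'
}

# Share part of smb://host/share$  ->  share$ (the "$" is kept literally)
smb_share() {
    printf '%s\n' "$1" | sed -e 's#^[sS][mM][bB]://##' -e 's#^[^/]*/##' -e 's#/.*$##'
}

# SPN the SMB client will ask the KDC for
smb_spn() {
    printf 'cifs/%s\n' "$(smb_host "$1")"
}

# Fixed-string, whole-line match of a share name against a list on stdin.
# With a regex grep, "share$" means "share at end of line" and never matches
# the literal hidden-share name; -F makes the "$" an ordinary character.
share_listed() {
    grep -F -x -q -- "$1"
}

# Exit status: 0 = Kerberos service ticket obtained for the URL's host,
#              1 = no ticket for that SPN (expect NTLM fallback),
#              2 = no TGT in the credentials cache (run kinit first)
kerberos_preflight() {
    url=$1
    klist >/dev/null 2>&1 || return 2
    kvno "$(smb_spn "$url")" >/dev/null 2>&1 || return 1
    return 0
}

# Usage: kerberos_preflight 'smb://domain.school.edu/share$'; echo "status $?"
```

Run the preflight against both the namespace name and a specific DC name; a status of 1 for the former and 0 for the latter reproduces the missing-SPN symptom described above without a packet capture.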

lisacherie
Contributor II

For the mobile account users to get Kerberos tickets at login with Lion, try the following edit to /etc/pam.d/authorization:

http://kb.mit.edu/confluence/pages/viewpage.action?pageId=55738387