Single Sign on help

1805 Views 9 Replies Latest reply: Nov 14, 2011 11:23 AM by gbsales
VinylBassist
Nov 5, 2011 8:20 AM

Hello, I am trying to get single sign-on working for a Mac OS X Lion server and a few OS X Lion clients. My problem is that when the clients log into network accounts on the Open Directory, they have to authenticate again to access network resources. This hinders the proper functioning of services such as Time Machine server, which cannot access the backup directory located on the server until the user goes into Finder, clicks on the server, and enters their credentials. What I would like is for the Lion clients to automatically connect to and authenticate with the server's resources on login. So far I have tried looking in Server Admin for Kerberos settings, as I thought this might be the key, but all I have found so far is a message in Overview telling me the Kerberos server is running, with no options to configure it.

If anyone could help me solve my problem it would be greatly appreciated.

Thanks.

Mac mini, Mac OS X (10.7.2), Server
  • TeenTitan Level 4 (2,410 points)
    Nov 6, 2011 12:58 AM (in response to VinylBassist)

    Are you using the fully qualified DNS name when you're trying to connect to the server?

  • John.Kitzmiller Level 3 (870 points)
    Nov 7, 2011 11:25 AM (in response to VinylBassist)

    Log on to a network account on one of the clients and run this command in terminal:

        klist

    Copy/paste the output.

    Xserve, Mac OS X (10.6.8), Server
  • gbsales
    Nov 10, 2011 6:37 AM (in response to John.Kitzmiller)

    This is what I got.

        klist: krb5_cc_get_principal: No credentials cache file found
        (machine name):~ (my log in name)$

    What should I get?

    To get single sign on once this is set up correctly, do I change the login to show user name and password then enter domain\user then password to make single sign on work?

    gbs

  • John.Kitzmiller Level 3 (870 points)
    Nov 10, 2011 7:41 AM (in response to gbsales)

    That means that your clients aren't receiving kerberos tickets.

    Next try this command in terminal, from a client logged in to a network account:

        kinit user@server.domain.com

    Substitute user for the short name of the user you're currently logged in as, and substitute server.domain.com for whatever your kerberos realm is. Copy/paste the output.

    Additionally, run this command in terminal on the server:

        sudo changeip -checkhostname

    Copy/paste the output.

    Xserve, Mac OS X (10.6.8), Server
  • gbsales Level 1 (0 points)
    Nov 10, 2011 2:44 PM (in response to John.Kitzmiller)

    On my laptop I got the info I sent you above. On an iMac I got the following.

        (machine name):~ (user name)$ klist
        Credentials cache: API:501:3
                Principal: (user name)@AUSTIN.LOCAL

          Issued           Expires          Principal
        Nov 10 10:49:19  Nov 10 20:49:19  krbtgt/(domain name)@(domain name)
        Nov 10 10:49:27  Nov 10 20:49:19  cifs/(server)@(domain name)
        (Machine name):~ (user name)$ kinit (user name)@(domain name)
        (user name)@austin.local's Password:
        kinit: Password incorrect
        (Machine name):~ (user name)$


    I'm working on Windows servers so I'm not sure if I can do that second step.

  • John.Kitzmiller Level 3 (870 points)
    Nov 11, 2011 6:12 AM (in response to gbsales)

    A couple things:

    In your original post you mentioned using Lion server, but now you're mentioning Windows servers. Could you provide a little more insight into your network configuration?

    It looks like you're using a .local domain, which is generally not considered a best practice. The .local domain is reserved for Bonjour, and should be avoided here. You should purchase your own .com (or .net, .org, etc.) domain name and use that here.

    If you are in fact using a Lion server in this configuration, run the changeip command on it and copy/paste the results without obfuscating the domain name or IP address.

  • gbsales Level 1 (0 points)
    Nov 14, 2011 7:22 AM (in response to John.Kitzmiller)

    Hello John, I am not the original poster. That person never responded. I'm just tagging on.

    I have a network of about 100 PCs, 12 Windows servers, 6 Macs and four locations. I would like to set up single sign-on for the Macs. We do have a public domain name but use the .local for our private network.

    Hope this helps.

    gbs

  • John.Kitzmiller Level 3 (870 points)
    Nov 14, 2011 11:17 AM (in response to gbsales)

    My apologies, I never noticed that.

    If you're using the .local domain on your private network, you might not be able to get Kerberos working on the Macs. There may be a workaround, but I've never had any success using the .local domain. I'm also completely useless when it comes to Windows servers, so I'm afraid I won't be much help from here.

    I will say this much:

        (machine name):~ (user name)$ klist
        Credentials cache: API:501:3
                Principal: (user name)@AUSTIN.LOCAL

          Issued           Expires          Principal
        Nov 10 10:49:19  Nov 10 20:49:19  krbtgt/(domain name)@(domain name)
        Nov 10 10:49:27  Nov 10 20:49:19  cifs/(server)@(domain name)

    That means that the client you ran the klist command on is successfully getting kerberos tickets. You're on the right track, at least with this client.

    My advice would be to start a new topic.
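As an added example (not code from anyone in this thread), the shell helper below applies the checks John walks through to saved klist output: is there a credential cache at all, does it hold a krbtgt, has a service ticket (the cifs/ entry that SMB single sign-on needs) been issued, and is the realm a .local name. The sample output is the thread's klist listing with the placeholders filled in by hand; the user "jdoe" and server "fs01" are assumed, and AUSTIN.LOCAL is the realm the thread shows.

```shell
#!/bin/sh
# Constructed sample: the klist output quoted in the thread, placeholders
# filled in by hand (assumed user "jdoe" and server "fs01").
SAMPLE_KLIST='Credentials cache: API:501:3
        Principal: jdoe@AUSTIN.LOCAL

  Issued           Expires          Principal
Nov 10 10:49:19  Nov 10 20:49:19  krbtgt/AUSTIN.LOCAL@AUSTIN.LOCAL
Nov 10 10:49:27  Nov 10 20:49:19  cifs/fs01.austin.local@AUSTIN.LOCAL'

# What the laptop in the thread printed: no ticket cache at all.
SAMPLE_NO_CACHE='klist: krb5_cc_get_principal: No credentials cache file found'

# klist_status: read klist output on stdin and print one word:
#   no-cache     no Kerberos login happened at all
#   no-tgt       a cache exists but holds no krbtgt, so SSO cannot work
#   tgt-only     TGT present, but no service (e.g. cifs/) ticket yet
#   tgt+service  TGT and at least one service ticket: SSO is working
klist_status() {
  out=$(cat)
  case "$out" in
    *"No credentials cache"*) echo no-cache; return 1 ;;
  esac
  tgt=$(printf '%s\n' "$out" | awk '$NF ~ /^krbtgt\// {n++} END {print n+0}')
  svc=$(printf '%s\n' "$out" |
        awk '$NF ~ /\/.*@/ && $NF !~ /^krbtgt\// {n++} END {print n+0}')
  if [ "$tgt" -eq 0 ]; then echo no-tgt; return 1; fi
  if [ "$svc" -gt 0 ]; then echo tgt+service; else echo tgt-only; fi
}

# realm_of: print the realm from the "Principal:" line of klist output.
realm_of() {
  awk '$1 == "Principal:" { sub(/.*@/, "", $2); print $2; exit }'
}

# realm_is_local: true when the realm ends in .local (any case), the setup
# the thread warns about because Bonjour/mDNS owns that suffix.
realm_is_local() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in *.local) return 0 ;; esac
  return 1
}

# Stand-alone run over the constructed samples.
for s in "$SAMPLE_KLIST" "$SAMPLE_NO_CACHE"; do
  status=$(printf '%s\n' "$s" | klist_status || true)
  realm=$(printf '%s\n' "$s" | realm_of)
  echo "status=$status realm=${realm:-none}"
  if [ -n "$realm" ] && realm_is_local "$realm"; then
    echo "warning: realm $realm is a .local name"
  fi
done
```

On a real client, pipe the live output in with `klist | klist_status` instead of the constructed samples.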

  • gbsales Level 1 (0 points)
    Nov 14, 2011 11:23 AM (in response to John.Kitzmiller)

    Thanks John. I'll do that.
