Mickael O2I

Q: FCS 1.5.x with AD authentication on Mac and PC

Hi,

I've just finalized a Final Cut Server and Xsan integration.

Now I have to set up the AD auth. I've followed all the steps (I have 2 OD servers, master and replica, bound to the AD; FCS is installed on the master).

My issue is that all users can successfully authenticate on Mac workstations. My admins are in an OD group with AD users and my "normal users" are directly in an AD group. Everything is going well on Mac workstations, but on Windows workstations the authentication just doesn't work.

  • My Macs are on 10.6.x
  • My PCs are on XP, Vista and 7
  • My OD servers are on 10.6.x
  • My AD is a multi-domain 2003 AD (but my 2 OD servers and all the users and workstations involved in the architecture are in the same domain).

Just one thing: Kerberos is stopped in my OD. Should the OD really be kerberized?

Anyone had the same issue?

Thanx

Final Cut Server, Mac OS X (10.6)

Posted on Jun 24, 2011 4:18 AM


  • by OMFguy, Helpful

    OMFguy Jun 24, 2011 12:48 PM in response to Mickael O2I
    Level 1 (5 points)

    When you bind FCServer to AD you can only use AD authentication.

    You can not use nested AD groups, only primary group members.

    All your computers must be in a primary AD list, not a nested or sub group list.

    If you do all this AD will work.

    You need to RTFM:

    http://support.apple.com/kb/HT3818

    Final Cut Server 1.5: Active Directory bound Windows clients require a custom Kerberos configuration file for authentication

    • Last Modified: August 06, 2009
    • Article: HT3688

    Summary

    In order for Active Directory bound Windows Final Cut Server client systems to successfully authenticate to Final Cut Server, you must create a custom Kerberos configuration file on the Windows client system.

    Products Affected

    Final Cut Server 1.x

    Use the template below to create the custom Kerberos configuration file, ensuring that the syntax and case are preserved. Replace the ".example.com" and "EXAMPLE.COM" with your Active Directory realm, domain, and kdc information.

    -----COPY BELOW THIS LINE-----

    [libdefaults]
    default_realm = EXAMPLE.COM
    default_checksum = rsa-md5
    [realms]
    EXAMPLE.COM = {
        kdc = ad.example.com
    }
    [domain_realm]
    .example.com = EXAMPLE.COM

    -----COPY ABOVE THIS LINE-----

    The file should be named "krb5.ini" and placed in the Windows root directory, usually: C:\WINDOWS\krb5.ini

    Additional Information

    Note: Complex Active Directory/Kerberos environments may need additional modification to the template provided.

    For more information on using Windows Active Directory, Final Cut Server administrators should see the "Final Cut Server Setup Guide," available on the Final Cut Server 1.5 Install Disc or at http://documentation.apple.com/en/finalcutserver/
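The krb5.ini template quoted above is easy to get wrong in realm case or in the domain-to-realm mapping, so here is an added example (not Apple's code and not from this thread) that parses the `[section]` / `key = value` / `NAME = { ... }` subset of the krb5 format the template uses and checks it against the article's own rules: upper-case realm, a fully qualified kdc inside a lower-case `.domain` that maps to that realm. It also returns the template's `rsa-md5` checksum, and any DES setting, as a warning, since those algorithms are retired in Kerberos (RFC 6649 for DES). The sample file is constructed from the template with its placeholder realm left in.

```python
# Constructed sample: the HT3688 template with its placeholder realm left in.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_checksum = rsa-md5
[realms]
EXAMPLE.COM = {
kdc = ad.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
"""
LEGACY_ALGS = {"rsa-md5", "des-cbc-crc", "des-cbc-md5", "des"}  # retired (RFC 6649 for DES)

def parse_krb5(text):
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":  # closes the current realm block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                conf[section][key], block = {}, key
            else:
                (conf[section][block] if block else conf[section])[key] = value
    return conf

def check_krb5(text):
    """Return (errors, warnings): errors break authentication, warnings note legacy crypto."""
    conf, errors, warnings = parse_krb5(text), [], []
    realm = conf.get("libdefaults", {}).get("default_realm", "")
    if not realm or realm != realm.upper():
        errors.append(f"default_realm {realm!r} must be upper case (realm names are case sensitive)")
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc", "").split(":")[0]
    if "." not in kdc:
        errors.append(f"realm {realm!r} needs a fully qualified kdc, got {kdc!r}")
    domains = conf.get("domain_realm", {})
    if not any(d == d.lower() and r == realm for d, r in domains.items()):
        errors.append("domain_realm needs a lower-case '.domain = REALM' line for default_realm")
    elif not any(kdc.endswith(d) for d in domains):
        errors.append(f"kdc {kdc!r} is outside every domain_realm mapping")
    if conf.get("libdefaults", {}).get("default_checksum", "").lower() in LEGACY_ALGS:
        warnings.append("default_checksum is a retired algorithm (the template's default)")
    return errors, warnings
```

Run `check_krb5` over the contents of the client's C:\WINDOWS\krb5.ini before troubleshooting the AD side; an empty error list means the file matches the template's rules, and the warning list records what to raise with the directory team.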

  • by Mickael O2I,

    Mickael O2I Jun 27, 2011 2:38 AM in response to OMFguy
    Level 1 (0 points)

    Hi,

    I had already done all those steps and everything is going well on my Macs (even with my admins in OD groups, but AD users, and my users in AD groups).

    Saying:

    "You can not use nested AD groups, only primary group members.

    All your computers must be in a primary AD list, not a nested or sub group list."

    Do you mean that AD auth can't work in a multi-domain configuration (that's my case), even if all my users and computers (and servers) are in the same sub-domain?

  • by OMFguy,

    OMFguy Jun 27, 2011 11:42 AM in response to Mickael O2I
    Level 1 (5 points)

    The FCServer can be bound in a multi-domain environment but to a particular server. I did this at several TV stations. You need to bind to a particular AD server. You need to use Fully Qualified Domain Names (FQDN, with reverse DNS) for everything. The TV stations use PCs in the newsroom and FCServer AD authentication.

    When you bind to AD your local and OD users can not authenticate to FCServer, only users and groups in AD. Make sure your users are using their AD user names and passwords. Make sure that your AD users' groups have permissions set in FCServer.

    Then it works.

    As a review, you need to do this on your FCServer server:

    Macintosh clients authenticating via Active Directory need to be running Mac OS X v10.5.8 or later.

    Products Affected

    Final Cut Server 1.5, Windows Active Directory

    To modify the Final Cut Server settings preference file to allow access to Windows Active Directory users and groups:

    1. Log in as the root user.
    2. In the Terminal application, run the following command:

    defaults write /Library/Preferences/com.apple.FinalCutServer.settings "AUTH_TYPE" -int 1

    3. Stop and Start Final Cut Server services in Final Cut Server System Preferences.

    To add the Final Cut Server system to the Kerberos realm on Mac OS X Leopard, Mac OS X Leopard Server, and Mac OS X Snow Leopard systems:

    1. Log in as the root user.
    2. In Terminal, run the following command (entered as a single line in Terminal):

    cd /Library/Application\ Support/Final\ Cut\ Server/Final\ Cut\ Server.bundle/Contents/Resources/sbin

    3. After the command in step 2 is complete, run the following command (entered as a single line in Terminal):

    ./adprincadd.pl -dc <fully qualified hostname of AD server> fcsvr/<fully qualified hostname of FCSVR machine>

    Example: For a setup where the Domain is example.com, the Active Directory hostname is ad.example.com, and the Final Cut Server hostname is finalcutserver.example.com, the syntax would be:

    ./adprincadd.pl -dc ad.example.com fcsvr/finalcutserver.example.com

    Did you run the adprincadd.pl on the FCServer server?  Did you set the AUTH_TYPE to 1?

  • by Mickael O2I,

    Mickael O2I Jul 5, 2011 12:29 PM in response to OMFguy
    Level 1 (0 points)

    I've followed all the steps...

    I think the matter comes from the AD. One of the admins told me it wasn't the first time they had faced that kind of issue (with other applications).

    They are doing some troubleshooting on the AD to try to find out what happens with FCS.

    Thanx for your answer. I was wondering if I had made a mistake in my configuration, but since I've followed all the steps, everything is going well on my Macs, and you said you have it working in nearly the same environment, I feel more confident in what I've done.

  • by OMFguy,

    OMFguy Jul 5, 2011 12:49 PM in response to Mickael O2I
    Level 1 (5 points)

    Use DSCL to check your AD members and computers.

    Secret: in Active Directory Account Options check "Use DES encryption for this account".