Single Sign on help

Are you using the fully qualified DNS name when your trying to connect to the server?

Log on to a network account on one of the clients and run this command in terminal

klist

Copy/paste the output.

This is what I got.

klist: krb5_cc_get_principal: No credentials cache file found

(machine name):~ (my log in name)$

What should I get?

To get single sign on once this is set up correctly, do I change the login to show user name and password then enter domain\user then password to make single sign on work?

gbs

That means that your clients aren't receiving kerberos tickets.

Next try this command in terminal, from a client logged in to a network account:

kinit user@server.domain.com

Substitute user for the short name of the user you're currently logged in as, and substitute server.domain.com for whatever your kerberos realm is. Copy/paste the output.

Additionally, run this command in terminal on the server:

sudo changeip -checkhostname

Copy/paste the output.

On my laptop I got the info I sent you above. On an iMac I got the followowing.

(machine name):~ (user name)$ klist

Credentials cache: API:501:3

Principal: (user name)@AUSTIN.LOCAL

Issued Expires Principal

Nov 10 10:49:19 Nov 10 20:49:19 krbtgt/(domain name)@(domain name)

Nov 10 10:49:27 Nov 10 20:49:19 cifs/(server)@(domain name)

(Machine name):~ (user name)$ kinit (user name)@(domain name)

(user name)@austin.local's Password:

kinit: Password incorrect

(Machine name):~ (user name)$

I'm working on Windows servers so I'm not sure if I can do that second step.

A couple things:

In your original post you mentioned using Lion server, but now you're mentioning Windows servers. Could you provide a little more insight into your network configuration?

It looks like you're using a .local domain, which is generally not considered a best practice. The .local domain is reserved for bonjour, and should be avoided here. You should purchase your own .com (or .net, .org, etc.) domain name and use that here.

If you are in fact using a Lion server in this configuration, run the changeip command on it and copy/paste the results without obfuscating the domain name or IP address.

Hello John, I am not the original poster. That person never responded. I'm just tagging on.

I have a network of about 100 PC's, 12 Windows servers, 6 Mac's and four locations. I would like to setup single sign-on for the Mac's. We do have a public domain name but use the .local for our private network.

Hope this helps.

gbs

My apolgies, I never noticed that.

If you're using the .local domain on your private network, you might not be able to get Kerberos working on the Macs. The may be a workaround, but I've never had any success using the .local domain. I'm also completely useless when it comes to Windows servers, so I'm afraid I won't be much help from here.

I will say this much:

(machine name):~ (user name)$ klist

Credentials cache: API:501:3

Principal: (user name)@AUSTIN.LOCAL

Issued Expires Principal

Nov 10 10:49:19 Nov 10 20:49:19 krbtgt/(domain name)@(domain name)

Nov 10 10:49:27 Nov 10 20:49:19 cifs/(server)@(domain name)

That means that the client you ran the klist command on is successfully getting kerberos tickets. You're on the right track, at least with this client.

My advice would be to start a new topic.

Thanks John. I'll do that.