Authentication errors in Magic Triangle setup
Hi All,
I have recently integrated an SL server into AD to provide MCXs to Mac workstations as well as network homes, Time Machine server, etc.
Everything is working fine and there aren't any major problems - clients can log into AFP homes and the majority of MCXs are working well. One thing I have noticed though is that exactly every 2 hours I get an error in Windows event viewer complaining of a Kerberos authentication error (Event ID 4768). The account name specified in the event log is the computer record for the OD master.
I did a bit of digging through the logs and can see the successful logging in of the Mac server computer account to the Password server. In the password server service log, I get this:
RSAVALIDATE: success.
Apr 8 2012 14:10:12 USER: {0x4f7e1ea56b8b4567000000040000000, server.domain.com$} is the current user.
Apr 8 2012 14:10:12 AUTH2: {0x4f7e1ea56b8b4567000000040000000, server.domain.com$} CRAM-MD5 authentication succeeded.
The computer account 'server.domain.com$' is listed when you go into WGM and go to 'show system records' and is the computer account for the Mac server that is the OD master.
I believe that the server is trying to authenticate to the Windows DC, receiving an error (and generating the 4768 error code) and then successfully authenticating to OD.
I have changed the search policy on the server to authenticate against OD first and then AD, but I am still getting this error. I don't know whether Directory Utility is buggy and incorrectly shows LDAP before AD as I cannot find the dscl command to list search policies anywhere, only to add, delete and amend search policies.
Questions:
1) Why is the server authenticating to itself every 2 hours?
2) Does anyone know how to list the search policy order in dscl, so I can verify that the server is actually authing against OD first?
3) If the search policy is OK, and I suspect it is, why is the server trying to auth against AD?
4) Has anyone else seen this error and, if so, how did you resolve it?
Coincidentally, I also get this error when I log into WGM using the directory admin username/password.
TIA
MacBook Pro, Mac OS X (10.6.8)