
Authentication errors in Magic Triangle set up

Hi All,


I have recently integrated an SL server into AD to provide MCXs to Mac workstations as well as network homes, Time Machine server etc.


Everything is working fine and there aren't any major problems - clients can log into AFP homes and the majority of MCXs are working well. One thing I have noticed though is that exactly every 2 hours I get an error in Windows event viewer complaining of a Kerberos authentication error (Event ID 4768). The account name specified in the event log is the computer record for the OD master.


I did a bit of digging through the logs and can see the successful logging in of the Mac server computer account to the Password server. In the password server service log, I get this:


RSAVALIDATE: success.

Apr 8 2012 14:10:12 USER: {0x4f7e1ea56b8b4567000000040000000, server.domain.com$} is the current user.

Apr 8 2012 14:10:12 AUTH2: {0x4f7e1ea56b8b4567000000040000000, server.domain.com$} CRAM-MD5 authentication succeeded.


The computer account 'server.domain.com$' is listed when you go into WGM and go to 'show system records' and is the computer account for the mac server that is the OD master.


I believe that the server is trying to authenticate to the Windows DC, receiving an error (and generating the 4768 error code) and then successfully authenticating to OD.


I have changed the search policy on the server to authenticate against OD first and then AD, but I am still getting this error. I don't know whether Directory Utility is buggy and incorrectly shows LDAP before AD as I cannot find the dscl command to list search policies anywhere, only to add, delete and amend search policies.


Questions:


1) Why is the server authenticating to itself every 2 hours?

2) Does anyone know how to list the search policy order in dscl, so I can verify that the server is actually authing against OD first?

3) If the search policy is OK, and I suspect it is, why is the server trying to auth against AD?

4) Has anyone else seen this error and, if so, how did you resolve?


Coincidentally, I also get this error when I log into WGM using the directory admin username/password.


TIA

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 8, 2012 11:16 AM

1 reply
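The dscl query the poster asks for in question 2, as an added example that is not part of the original thread. On Mac OS X 10.6 the search policy order can be read with "dscl /Search -read / CSPSearchPath" (the custom search path that Directory Utility edits; "dscl /Search -read / SearchPolicy" shows which policy is in force). The script below shows that command and, so that it can be run and checked anywhere offline, parses a constructed sample of its output rather than the live server. The node names in the sample (/LDAPv3/127.0.0.1, /Active Directory/All Domains) are assumptions and are not taken from the post.

```shell
#!/bin/sh
# Added example: list the directory search policy order and check whether the
# Open Directory (LDAPv3) node is consulted before the Active Directory node.
#
# On the server itself the live command is:
#   dscl /Search -read / CSPSearchPath
# The constructed sample below stands in for that output; its node names are
# assumptions, not values from the original post.
SAMPLE_DSCL_OUTPUT='CSPSearchPath:
 /Local/Default
 /BSD/local
 /LDAPv3/127.0.0.1
 /Active Directory/All Domains'

# Read the live search path on a Mac server; falls back to the sample when
# dscl is not available (e.g. when this script is run on a non-Mac host).
read_search_path() {
    if command -v dscl >/dev/null 2>&1; then
        dscl /Search -read / CSPSearchPath
    else
        printf '%s\n' "$SAMPLE_DSCL_OUTPUT"
    fi
}

# Print the search nodes in order, one per line, stripping the leading space
# that dscl puts in front of each multi-valued attribute entry.
search_nodes() {
    printf '%s\n' "$1" | sed -n 's/^ //p'
}

# 1-based position of the first node matching the grep pattern in $2, or 0
# if no node matches.
node_position() {
    pos=$(search_nodes "$1" | grep -n "$2" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# Return 0 if the first network node (ignoring /Local and /BSD) is an
# LDAPv3 node, i.e. OD is queried before AD; return 1 otherwise.
od_before_ad() {
    first_remote=$(search_nodes "$1" | grep -v '^/Local/' | grep -v '^/BSD/' | head -n 1)
    case "$first_remote" in
        /LDAPv3/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: show the order and the verdict.
current=$(read_search_path)
echo "Search policy order:"
search_nodes "$current"
if od_before_ad "$current"; then
    echo "OK: Open Directory (LDAPv3) is searched before Active Directory"
else
    echo "WARNING: Active Directory is searched before Open Directory"
fi
```

Run it on the OD master to confirm what Directory Utility shows; if the AD node is listed first, "dscl /Search -create / CSPSearchPath ..." with the nodes in the desired order is the edit-side counterpart of the read above.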

Apr 10, 2012 10:10 PM in response to James Spong

Hi James,


Received wisdom for Magic Triangle is to bind the Mac server to AD and ensure that Kerberos is disabled on the Mac server. It sounds like you may not have done it that way?


This reference may help:

http://www.afp548.com/netboot/mactips/activedir.html


Just a guess - but perhaps the re-authentication every 2 hours is due to Kerberos ticket expiration?


Best
