Single Sign-on stops working after updating to 10.4.7

Well, I'm fresh off the AFP won't start bug in 10.4.6. Now that this bug is fixed in 10.4.7, we have a new problem. It appears that on our OD Replica, single sign-on doesn't work for AFP mounts through the Apple-K method (user home directories work just fine). If a user wishes to mount an AFP share using Apple-K, he/she must re-authenticate a second time. What's more, the user MUST use his/her SHORT name to authenticate, or else the server rejects the attempt.

We tried demoting the OD Replica and then re-promoting it, but this did not solve the issue. The logon issue appears to affect 10.3 and 10.4 clients.



I believe that this might be a problem with the kerberized AFP (that is, it's not kerberized but should be). Any ideas on how to fix this?

Dual 2Ghz G5 10.4.7 Server

Posted on Jun 30, 2006 5:24 AM


Jul 3, 2006 12:59 PM in response to Marc Hoffman1

Spent the weekend trying to troubleshoot this issue. I opened a case with AppleCare, and together, we found some interesting information. Kerberos/single sign-on/promotion to OD Master from Standalone server does NOT work under 10.4.7 Server if DNS is not set up and running on the 10.4.7 Server itself. For example, our DNS is running on a Windows Server platform. When pointing the OS X Server to the Windows servers for DNS, the Mac Kerberos services refused to work. When installing DNS on the Mac server and pointing it to itself for DNS resolution, things worked fine.



On a side note, I had to completely re-set up two Mac servers from scratch after trying to promote either one to an OD Master/Kerberos/single sign-on. Something got VERY corrupted in there.



We never saw this behavior under any other 10.4.x build or 10.3.x build. This appears to have started in 10.4.7.

Jul 25, 2006 6:13 AM in response to Marc Hoffman1

Hi Marc,

I'm running the same environment as you - which means an OD master for user authentication and a second server as OD Replica for other file services and a Debian Linux DNS server.

Because of some really bad AFP problems with the home directories on the OD master I have to update to 10.4.7 - so maybe I run into the same problem as you did. Good to know what to do, I'll let you know about my findings!

MacSEK

Jul 26, 2006 7:19 PM in response to Marc Hoffman1

> Kerberos/single sign-on/promotion to OD Master from Standalone server does NOT work under 10.4.7 Server if DNS is not set up and running on the 10.4.7 Server itself.



This is NOT true. It is not helpful to make these sorts of broad statements without thorough testing.

I have multiple 10.4.7 AD/integrated Single-Sign On environments using Windows 2003 supplied DNS with Master/Replicas/SSO working perfectly.

While DNS running on the Master can be beneficial to eliminate variables or areas outside the control of the Mac admin, it is far from necessary based on the multiple installs, both new and upgraded, that I have done since 10.4.7 came out. A functional DNS, with both FW and Rev. lookups for all involved servers is the critical piece.

Mac OS X (10.4.7)
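
The forward and reverse lookup requirement named in the last reply can be checked per server before promoting or re-binding anything. The script below is an added example, not code from any post in this thread; the host names, addresses and the `SAMPLE_*` tables are constructed sample data, and the default resolvers use whatever DNS the machine running it is configured for.

```python
import socket

def _forward(name):
    # IPv4 addresses for name, via the system resolver
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def _reverse(addr):
    # Primary name the PTR lookup returns for addr
    return socket.gethostbyaddr(addr)[0]

def check_host(fqdn, forward=_forward, reverse=_reverse):
    """Return a list of problems; an empty list means forward and reverse agree."""
    try:
        addrs = forward(fqdn)
    except OSError as exc:  # gaierror and herror are OSError subclasses
        return [f"{fqdn}: forward lookup failed ({exc})"]
    if not addrs:
        return [f"{fqdn}: forward lookup returned no addresses"]
    problems = []
    for addr in addrs:
        try:
            ptr = reverse(addr)
        except OSError as exc:
            problems.append(f"{fqdn}: no reverse record for {addr} ({exc})")
            continue
        # Compare case-insensitively and ignore a trailing root dot
        if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append(f"{fqdn}: {addr} reverses to {ptr}")
    return problems

def audit(hosts, forward=_forward, reverse=_reverse):
    return {h: check_host(h, forward, reverse) for h in hosts}

# Constructed sample zone data standing in for a real DNS server
SAMPLE_A = {"odmaster.example.com": ["10.0.0.10"],
            "odreplica.example.com": ["10.0.0.11"],
            "files.example.com": ["10.0.0.12"]}
SAMPLE_PTR = {"10.0.0.10": "odmaster.example.com.",
              "10.0.0.11": "replica.example.com"}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise OSError("NXDOMAIN")
    return SAMPLE_A[name]

def sample_reverse(addr):
    if addr not in SAMPLE_PTR:
        raise OSError("no PTR")
    return SAMPLE_PTR[addr]

if __name__ == "__main__":
    for host, problems in audit(SAMPLE_A, sample_forward, sample_reverse).items():
        print(host, "OK" if not problems else problems)
```

Calling `audit([...])` with only a host list uses the live resolver, so it should be run on each server and on a client to confirm they all see the same answers.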
