
AD / OD Kerberos issues with Mavericks

Hello.


I want to post on here, as I've been fighting with Kerberos for the last two days. This has actually stopped me moving on with further development / testing of a project that will be deployed to a client site within the next 2 weeks. The lab is on an isolated port-based VLAN with a separate route out of the firewall.


So here is how my lab looks:


MACSVR 2013 Mac Mini Server - 16gb RAM - 256gb SSD / 12tb Thunderbolt Promise array, Running 10.9.4 and Server.app 3.1.2, fully updated.

WINSVR Genero-Dell Pro Workstation - 4gb RAM, 160gb HDD, Running Windows Server 2008 R2 Enterprise x64, fully patched.

MACCLI1 2010 Macbook Air - 2gb RAM - 80gb HDD, Running 10.6.8, fully updated.

MACCLI2 2013 Macbook Air - 8gb RAM - 256gb SSD, Running 10.9.4, fully updated.

WINCLI 2008 HP Laptop - 2.5gb RAM - 60gb HDD, Running Win7 Enterprise x86, fully patched.


My client's AD environment is .Local based (great eh?), so I have set this test lab with as many details as close as possible to what is on-site.


Here's what the domains/DNS looks like:


AD: testdomain.local

OD: ODM set up on macsvr.testdomain.local

WINSVR runs DHCP/DNS and has DNS/PTR records set up for the MACSVR


The MACSVR server is bound to AD on WINSVR for permissions/ACLs on AFP/SMBX file shares. This *works* (we all know SMBX on Mavericks is absolutely rubbish, but permissions work and this is all I really care about during this specific phase of testing).


MACCLI1/2 are bound to OD (for computer group managed preferences) and AD (for login and auth). They log in with AD credentials; this again works, and homesync and automounting of WINSVR at login are fine. Now, when I click MACSVR in the shared computers section of Finder, I can authenticate to MACSVR and see shares with WINSVR AD credentials; however, I would like Kerberos to deal with this, as I am after all logged in to the Mac with an AD account. I have a feeling this has something to do with the .local TLD.


WINCLI is bound to AD simply for login and auth; it can talk fine to MACSVR and WINSVR SMB sharepoints using NTLM/Kerberos/credential matching. The Windows machines are supposed to be more challenging!


So here is some output from MACSVR, Starting with changeip:


macsvr:~ ladmin$ sudo changeip -checkhostname

Password:


Primary address = 192.168.141.2


Current HostName = macsvr.testdomain.local

DNS HostName = macsvr.testdomain.local


The names match. There is nothing to change.

dirserv:success = "success"


And dsconfigad:

macsvr:~ ladmin$ dsconfigad -show

Active Directory Forest = testdomain.local

Active Directory Domain = testdomain.local

Computer Account = macsvr$


Advanced Options - User Experience

Create mobile account at login = Disabled

Require confirmation = Enabled

Force home to startup disk = Enabled

Mount home as sharepoint = Enabled

Use Windows UNC path for home = Enabled

Network protocol to be used = smb

Default user Shell = /bin/bash


Advanced Options - Mappings

Mapping UID to attribute = not set

Mapping user GID to attribute = not set

Mapping group GID to attribute = not set

Generate Kerberos authority = Enabled


Advanced Options - Administrative

Preferred Domain controller = not set

Allowed admin groups = not set

Authentication from any domain = Enabled

Packet signing = allow

Packet encryption = allow

Password change interval = 14

Restrict Dynamic DNS updates = not set

Namespace mode = domain


Here's some output from MACCLI2:


MacClient:~ testuser2$ klist

Credentials cache: API:F4FA68F0-EB7B-4872-B043-07BA4FC2CB0B

Principal: testuser2@TESTDOMAIN.LOCAL


Issued Expires Principal

Jul 10 16:46:51 2014 Jul 11 02:46:51 2014 krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL

Jul 10 16:47:01 2014 Jul 11 02:46:51 2014 cifs/winsvr@TESTDOMAIN.LOCAL

MacClient:~ testuser2$ klist -v

Credentials cache: API:F4FA68F0-EB7B-4872-B043-07BA4FC2CB0B

Principal: testuser2@TESTDOMAIN.LOCAL

Cache version: 0


Server: krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL

Client: testuser2@TESTDOMAIN.LOCAL

Ticket etype: aes256-cts-hmac-sha1-96, kvno 2

Ticket length: 1149

Auth time: Jul 10 16:46:51 2014

End time: Jul 11 02:46:51 2014

Renew till: Jul 17 16:46:51 2014

Ticket flags: pre-authent, initial, renewable, forwardable

Addresses: addressless


Server: cifs/winsvr@TESTDOMAIN.LOCAL

Client: testuser2@TESTDOMAIN.LOCAL

Ticket etype: aes256-cts-hmac-sha1-96, kvno 3

Ticket length: 1123

Auth time: Jul 10 16:46:51 2014

Start time: Jul 10 16:47:01 2014

End time: Jul 11 02:46:51 2014

Ticket flags: ok-as-delegate, pre-authent, forwardable

Addresses: addressless


So I'm kinda lost here. I've run the command sudo dsconfigad -enablesso on MACSVR and rebooted the server / clients, to see no difference. I still have to manually auth.


I've also been trying, and failing, to get the sso_util command to work to add another realm. If I'm still fighting with this I think I'm simply going to re-image this Mac Mini and start again.


Does anyone know how to get single sign on working in Mavericks bound to an AD domain?

Posted on Jul 10, 2014 9:14 AM

3 replies

Jul 16, 2014 3:03 AM in response to Hacktheuniverse

Hello, I have the same problem here.

While trying to find a solution, I discovered the main difference between an old 10.6.8 server, where AD users can access shares with SSO, and a Mavericks one, where AD users have to authenticate (MACSVR).

If I issue "sudo serveradmin settings dirserv", I can see that the line "dirserv:kerberizedRealmList:defaultRealm =" is different.

On the 10.6.8 server I have "dirserv:kerberizedRealmList:defaultRealm = MY.CORP.COMPANY.COM" (that's the AD domain/kerberos realm) while on the Mavericks server I have "dirserv:kerberizedRealmList:defaultRealm = MACSVR.MY.CORP.COMPANY.COM"

Unfortunately I have no idea how to change this.

Hope this helps in finding a solution

Cheers

Carlo
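Added diagnostic for both posts above; it is example code written for this page, not something either poster ran. It pulls together the prerequisites the thread touches on: the client must hold a TGT for the AD realm (visible in the klist output from MACCLI2), the KDC must be able to issue a cifs ticket for the server name the client asks for (the posted klist shows cifs/winsvr@TESTDOMAIN.LOCAL, so the assumption here is that the client asks for the short name and that cifs/macsvr must exist on the macsvr$ computer account), and the Server.app default realm must be the AD realm rather than the OD realm, which is the difference Carlo reported. The host and realm names are the lab's; the two sample strings are constructed from the thread so the script runs offline. Whether correcting defaultRealm alone restores SSO is not confirmed anywhere in the thread, so the script only reports the mismatch.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not from the original posts).
# Checks the three things that must line up before the Mac SMB client can use
# Kerberos for MACSVR instead of prompting: a TGT for the AD realm, a cifs SPN
# the client can ask the KDC for, and a server default realm equal to the AD realm.
# Host and realm names are the ones from the lab in the post.

AD_REALM="TESTDOMAIN.LOCAL"

# Constructed sample: the klist output posted from MACCLI2 (abridged).
SAMPLE_KLIST='Credentials cache: API:F4FA68F0-EB7B-4872-B043-07BA4FC2CB0B
Principal: testuser2@TESTDOMAIN.LOCAL

  Issued                Expires               Principal
Jul 10 16:46:51 2014  Jul 11 02:46:51 2014  krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
Jul 10 16:47:01 2014  Jul 11 02:46:51 2014  cifs/winsvr@TESTDOMAIN.LOCAL'

# Constructed sample: the defaultRealm line Carlo reported from the Mavericks server
# (serveradmin prints string values in double quotes; the parser accepts either form).
SAMPLE_DIRSERV='dirserv:kerberizedRealmList:defaultRealm = "MACSVR.TESTDOMAIN.LOCAL"'

# Realm of the TGT in a klist listing (empty when the cache holds no krbtgt ticket).
tgt_realm() {
    printf '%s\n' "$1" | sed -n 's|.*krbtgt/\([^@]*\)@.*|\1|p' | head -n 1
}

# Service principal the SMB client will request for the server name as typed in Finder.
# Assumption from the posted klist (cifs/winsvr@TESTDOMAIN.LOCAL): the short name is used,
# so the same SPN must exist on the file server's AD computer account (setspn -L macsvr$ on WINSVR).
expected_spn() {
    printf 'cifs/%s@%s\n' "$1" "$2"
}

# True when the cache already holds a service ticket for the given SPN.
has_service_ticket() {
    printf '%s\n' "$1" | grep -q -F "$2"
}

# Default Kerberos realm from `serveradmin settings dirserv` output, quotes stripped.
default_realm() {
    printf '%s\n' "$1" | sed -n 's/^dirserv:kerberizedRealmList:defaultRealm = *"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# Runs all checks; returns 0 when client and server agree on the AD realm.
# $1 = klist output, $2 = serveradmin dirserv output, $3 = server name as typed, $4 = AD realm
check_sso() {
    klist_out=$1; dirserv_out=$2; server=$3; realm=$4
    status=0

    r=$(tgt_realm "$klist_out")
    if [ "$r" = "$realm" ]; then
        echo "OK   client holds a TGT for $realm"
    else
        echo "FAIL no TGT for $realm in the cache (found '${r:-none}'); log in with an AD account or kinit"
        status=1
    fi

    spn=$(expected_spn "$server" "$realm")
    if has_service_ticket "$klist_out" "$spn"; then
        echo "OK   service ticket $spn already issued"
    else
        echo "INFO no ticket for $spn yet; the KDC can only issue one if that SPN is registered"
    fi

    d=$(default_realm "$dirserv_out")
    if [ "$d" = "$realm" ]; then
        echo "OK   server default realm is $realm"
    else
        echo "DIFF server default realm is '${d:-unset}', not $realm (the difference Carlo saw between 10.6.8 and Mavericks)"
        status=1
    fi
    return $status
}

# Offline demo on the constructed samples. For a live run on a bound client:
#   check_sso "$(klist)" "$(sudo serveradmin settings dirserv:kerberizedRealmList:defaultRealm)" macsvr TESTDOMAIN.LOCAL
# (run the serveradmin part on MACSVR and paste it in; serveradmin is not on clients)
check_sso "$SAMPLE_KLIST" "$SAMPLE_DIRSERV" macsvr "$AD_REALM" || echo "SSO prerequisites not met"
```

On the constructed samples the script reports the TGT as present, no cifs/macsvr ticket yet, and a default realm of MACSVR.TESTDOMAIN.LOCAL, so it exits non-zero. The SPN side is checked on WINSVR with the standard setspn tool: setspn -L macsvr$ lists what is registered on the computer account, and setspn -S cifs/macsvr macsvr$ adds the principal with a duplicate check if it is missing; the thread itself does not say whether that SPN was present in the lab.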
