AD / OD Kerberos issues with Mavericks
Hello.
I want to post on here, as I've been fighting with Kerberos for the last two days. This has actually stopped me moving on with further development / testing of a project that will be deployed to a client site within the next 2 weeks. The lab is on an isolated port-based VLAN with a separate route out of the firewall.
So here is how my lab looks:
MACSVR 2013 Mac Mini Server - 16 GB RAM - 256 GB SSD / 12 TB Thunderbolt Promise array, running 10.9.4 and Server.app 3.1.2, fully updated.
WINSVR Genero-Dell Pro Workstation - 4 GB RAM, 160 GB HDD, running Windows Server 2008 R2 Enterprise x64, fully patched.
MACCLI1 2010 MacBook Air - 2 GB RAM - 80 GB HDD, running 10.6.8, fully updated.
MACCLI2 2013 MacBook Air - 8 GB RAM - 256 GB SSD, running 10.9.4, fully updated.
WINCLI 2008 HP Laptop - 2.5 GB RAM - 60 GB HDD, running Win7 Enterprise x86, fully patched.
My client's AD environment is .Local based (great eh?), so I have set this test lab with as many details as close as possible to what is on-site.
Here's what the domains/DNS looks like:
AD: testdomain.local
OD: ODM set up on macsvr.testdomain.local
WINSVR runs DHCP/DNS and has DNS/PTR records set up for the MACSVR
The MACSVR server is bound to AD on WINSVR for permissions/ACLs on AFP/SMBX file shares. This *works* (we all know SMBX on Mavericks is absolutely rubbish - but permissions work and this is all I really care about during this specific phase of testing).
MACCLI1/2 are bound to OD (for computer group managed preferences) and AD (for login and auth). They log in with AD credentials and this, again, works; homesync and automounting of WINSVR at login are fine. Now, when I click MACSVR in the shared computers section of Finder, I can authenticate to MACSVR and see shares with WINSVR AD credentials. However, I would like Kerberos to deal with this, as I am after all logged in to the Mac with an AD account. I have a feeling this has something to do with the .local TLD.
WINCLI is bound to AD simply for the login and auth; it can talk fine to MACSVR and WINSVR SMB sharepoints using NTLM/Kerberos/Credential Matching. The Windows machines are supposed to be more challenging!
So here is some output from MACSVR, starting with changeip:
macsvr:~ ladmin$ sudo changeip -checkhostname
Password:
Primary address = 192.168.141.2
Current HostName = macsvr.testdomain.local
DNS HostName = macsvr.testdomain.local
The names match. There is nothing to change.
dirserv:success = "success"
And dsconfigad:
macsvr:~ ladmin$ dsconfigad -show
Active Directory Forest = testdomain.local
Active Directory Domain = testdomain.local
Computer Account = macsvr$
Advanced Options - User Experience
Create mobile account at login = Disabled
Require confirmation = Enabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = /bin/bash
Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled
Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = not set
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain
Here's some output from MACCLI2:
MacClient:~ testuser2$ klist
Credentials cache: API:F4FA68F0-EB7B-4872-B043-07BA4FC2CB0B
Principal: testuser2@TESTDOMAIN.LOCAL
Issued Expires Principal
Jul 10 16:46:51 2014 Jul 11 02:46:51 2014 krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
Jul 10 16:47:01 2014 Jul 11 02:46:51 2014 cifs/winsvr@TESTDOMAIN.LOCAL
MacClient:~ testuser2$ klist -v
Credentials cache: API:F4FA68F0-EB7B-4872-B043-07BA4FC2CB0B
Principal: testuser2@TESTDOMAIN.LOCAL
Cache version: 0
Server: krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
Client: testuser2@TESTDOMAIN.LOCAL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 1149
Auth time: Jul 10 16:46:51 2014
End time: Jul 11 02:46:51 2014
Renew till: Jul 17 16:46:51 2014
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
Server: cifs/winsvr@TESTDOMAIN.LOCAL
Client: testuser2@TESTDOMAIN.LOCAL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Ticket length: 1123
Auth time: Jul 10 16:46:51 2014
Start time: Jul 10 16:47:01 2014
End time: Jul 11 02:46:51 2014
Ticket flags: ok-as-delegate, pre-authent, forwardable
Addresses: addressless
So I'm kinda lost here. I've run the command sudo dsconfigad -enablesso on MACSVR and rebooted the server / clients and see no difference. I still have to manually auth.
I've also been trying and failing to get the sso_util command to work to add another realm. If I'm still fighting with this, I think I'm simply going to re-image this Mac Mini and start again.
Does anyone know how to get single sign on working in Mavericks bound to an AD domain?
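The klist -v output above is the evidence to read when SSO is not happening: the user has a valid TGT and a service ticket for cifs/winsvr, but no cifs ticket for MACSVR. The following added example (written for this page, not code from the poster or from Apple) parses that Heimdal-style klist -v text into ticket records and reports whether a TGT is still valid, whether a service ticket exists for a given service/host, and whether any ticket uses a non-AES encryption type. The sample input is constructed from the post's output; the key names (Server, Client, Ticket etype, End time, Ticket flags) and the English month names in timestamps are assumptions about the klist format, and the short-name/FQDN leniency in host matching is a diagnostic convenience, not Kerberos semantics.

```python
"""Parse Heimdal-style `klist -v` output and check which Kerberos tickets are present."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Assumption: klist prints times with English month names, as in the post.
KLIST_TIME_FORMAT = "%b %d %H:%M:%S %Y"
STRONG_ETYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# Constructed sample, modelled on the klist -v output quoted in the post.
SAMPLE_KLIST_V = """\
Credentials cache: API:F4FA68F0-EB7B-4872-B043-07BA4FC2CB0B
Principal: testuser2@TESTDOMAIN.LOCAL
Cache version: 0
Server: krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
Client: testuser2@TESTDOMAIN.LOCAL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 1149
Auth time: Jul 10 16:46:51 2014
End time: Jul 11 02:46:51 2014
Renew till: Jul 17 16:46:51 2014
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
Server: cifs/winsvr@TESTDOMAIN.LOCAL
Client: testuser2@TESTDOMAIN.LOCAL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Ticket length: 1123
Auth time: Jul 10 16:46:51 2014
Start time: Jul 10 16:47:01 2014
End time: Jul 11 02:46:51 2014
Ticket flags: ok-as-delegate, pre-authent, forwardable
Addresses: addressless
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


@dataclass
class Ticket:
    server: str                      # full service principal, e.g. cifs/winsvr@REALM
    client: str = ""
    etype: str = ""
    kvno: Optional[int] = None
    end_time: Optional[datetime] = None
    flags: frozenset = frozenset()

    @property
    def service(self) -> str:        # "cifs" from cifs/winsvr@REALM
        return self.server.split("@", 1)[0].split("/", 1)[0]

    @property
    def host(self) -> str:           # "winsvr" from cifs/winsvr@REALM ("" if no instance)
        name = self.server.split("@", 1)[0]
        return name.split("/", 1)[1] if "/" in name else ""

    def is_tgt(self) -> bool:
        return self.service == "krbtgt"


def parse_klist_verbose(text: str) -> List[Ticket]:
    """Each 'Server:' line starts a new ticket; the following key/value lines fill it in."""
    tickets: List[Ticket] = []
    current: Optional[Ticket] = None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Server":
            current = Ticket(server=value)
            tickets.append(current)
        elif current is None:
            continue  # cache header lines (Credentials cache, Principal, Cache version)
        elif key == "Client":
            current.client = value
        elif key == "Ticket etype":
            etype, _, kvno = value.partition(", kvno ")
            current.etype = etype.strip()
            current.kvno = int(kvno) if kvno.strip().isdigit() else None
        elif key == "End time":
            current.end_time = datetime.strptime(value, KLIST_TIME_FORMAT)
        elif key == "Ticket flags":
            current.flags = frozenset(f.strip() for f in value.split(",") if f.strip())
    return tickets


def _host_matches(a: str, b: str) -> bool:
    # Diagnostic leniency only: principal names are case-sensitive in Kerberos, and a
    # short name and an FQDN are different SPNs; here we just want to find the ticket.
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.split(".")[0] == b.split(".")[0]


def find_service_ticket(tickets: List[Ticket], service: str, host: str) -> Optional[Ticket]:
    return next((t for t in tickets if t.service == service and _host_matches(t.host, host)), None)


def weak_etype_tickets(tickets: List[Ticket]) -> List[str]:
    """Service principals whose ticket was issued with a non-AES encryption type."""
    return [t.server for t in tickets if t.etype and t.etype not in STRONG_ETYPES]


def diagnose(klist_text: str, service: str, host: str, now: datetime) -> dict:
    tickets = parse_klist_verbose(klist_text)
    tgt = next((t for t in tickets if t.is_tgt()), None)
    svc = find_service_ticket(tickets, service, host)
    return {
        "ticket_count": len(tickets),
        "has_tgt": tgt is not None,
        "tgt_valid": tgt is not None and tgt.end_time is not None and tgt.end_time > now,
        "service_ticket": svc.server if svc else None,
        "weak_etypes": weak_etype_tickets(tickets),
    }


if __name__ == "__main__":
    now = datetime(2014, 7, 10, 17, 0, 0)  # constructed "now", inside the sample ticket lifetime
    for host in ("winsvr", "macsvr"):
        print(host, diagnose(SAMPLE_KLIST_V, "cifs", host, now))
```

Run against the post's cache, the report for winsvr shows a service ticket and for macsvr shows none, which is the same fact the user is describing but stated as a checkable result; feeding it the output of `klist -v` on the client after a connection attempt tells you whether the Finder mount ever requested a cifs ticket for the Mac server at all.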