The short answer is that the Join Kerberos button in Server Admin/Open Directory runs the following command:
dsconfigad -enablesso
This configures the various Kerberized services of Mac OS X Server to use the KDC provided by the Active Directory plugin via the Directory Services framework. It performs the equivalent function of running the sso_util to configure Kerberized services to use a locally-hosted KDC, such as one that is created when you configure your server as an Open Directory Master.
Some things to keep in mind here:
1. Most directory services have more than one supporting authentication backend. An Open Directory LDAPv3 domain has Kerberos 5 and Apple Password Server. Password Server is a SASL "hash manager," which stores shadow hashes in /var/db/authserver that you designate as OK. Many of these hashes were designed to support a particular service. NetInfo domains support a limited set of shadow hash mechanisms as well, stored in /var/db/shadow/hash. Active Directory domains typically use Kerberos and a limited set of hashes, usually NTLM or NTLMv2.
However, the directory stores the password, but it is the service that is responsible for encrypting that password's transport and accepting the encrypted hash. Not all services accept all hashes. AFP uses DHX2, but not NTLM.
2. PAM-based services usually are easy to Kerberize. PAM is the pluggable authentication mechanism that many services use for shadow-hash methods. If a service is PAM-compatible, then it is usually pretty easy to Kerberize because it's already been designed to work with separate authentication modules. AFP and FTP are two good examples here.
3. Samba employs its own authentication module, SAM. In a standard Samba build, Samba is responsible for not only File and Print services, but low-level authentication and high-level service discovery and name resolution. In Mac OS X and Server, Apple has modified Samba to use Open Directory's Password Server or Kerberos (look in /usr/lib/samba/auth). The modifications are part of the Darwin source. Thus, Samba isn't PAM-based in Mac OS X, and it doesn't support Kerberos unless it's configured to be a domain member.
With this in mind, I would check the following:
1. Is your Mac OS X Server's SMB (Windows) service configured as a Domain Member in Server Admin? It has to be a Domain Member or PDC/BDC (using the Server's Open Directory Kerberos realm) for this to work.
2. If your server also hosts a shared LDAPv3 domain - that is, it's bound to Active Directory but also acting as an Open Directory Master or Replica - you need to destroy the Kerberos realm and KDC that was created for the Open Directory (LDAPv3) domain and configure services to use the KDC and Kerberos realm provided by Active Directory. The general outline for setting up a new system in this way is to perform the following steps:
a. Configure Mac OS X Server as a Standalone Server via Server Assistant.
b. Get a DNS entry for the server's primary IP address, and use scutil or hostname to set the server's hostname to that DNS entry.
c. Promote the server to Open Directory Master using Server Admin.
d. Destroy the Open Directory KDC and remove the configuration for the server's processes.
e. Bind the server to Active Directory via Directory Access.
f. Join Kerberos to configure the server's processes to use the KDC provided by Active Directory.
g. Test.
Mike Bombich has step-by-step directions on how to accomplish this on his website, www.bombich.com.
Hope this helps!
--Gerrit
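As an added check for the state Gerrit describes in point 2 (this is example code, not part of his reply or of Apple's tools): after "Join Kerberos" the server's default Kerberos realm should be the Active Directory domain, not the realm of the Open Directory master's own KDC. The script parses `dsconfigad -show` output and the `default_realm` line of the krb5-style config (`/Library/Preferences/edu.mit.Kerberos` on that generation of Mac OS X Server); both formats are assumed, and the sample text below is constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Formats of `dsconfigad -show`
# and of the Kerberos config are assumptions; sample text is constructed.

# Print the AD domain from `dsconfigad -show` output read on stdin.
ad_domain_from_dsconfigad() {
    awk -F'= ' '/Active Directory Domain/ {print $2; exit}'
}

# Print default_realm from a krb5-style config read on stdin.
default_realm_from_krb5() {
    awk -F'= ' '/default_realm/ {gsub(/[ \t]/, "", $2); print $2; exit}'
}

# Returns 0 when the default realm is the AD domain (uppercased),
#         1 when the server is not bound to Active Directory at all,
#         2 when some other realm (e.g. the OD master's own) is still default.
check_sso_realm() {
    ds_out="$1"; krb_out="$2"
    domain=$(printf '%s\n' "$ds_out" | ad_domain_from_dsconfigad)
    [ -n "$domain" ] || return 1
    realm=$(printf '%s\n' "$krb_out" | default_realm_from_krb5)
    expected=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$expected" ] && return 0
    return 2
}

# Constructed sample output (not captured from a real server).
SAMPLE_DS='Active Directory Forest          = example.com
Active Directory Domain          = ad.example.com
Computer Account                 = xserve01$'
SAMPLE_KRB_OK='[libdefaults]
    default_realm = AD.EXAMPLE.COM'
SAMPLE_KRB_OD='[libdefaults]
    default_realm = XSERVE01.EXAMPLE.COM'

# Live use on the server itself would be:
#   check_sso_realm "$(dsconfigad -show)" \
#                   "$(cat /Library/Preferences/edu.mit.Kerberos)"
```

A return code of 2 means services are still pointed at the local Open Directory KDC, which is the situation step d above (destroying the OD KDC) is meant to clear before binding and joining.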