  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 870

Snow Leopard Server Single Sign-On Not Working

First, a disclaimer:  I don't know Macs very well but I need to set up a Mac Mini Server for a small Mac network.  I've set up dozens of Windows servers and most times, the setup goes well but setting up this Mac server has been quite a challenge.  So please be patient with me if I give you "dumb" responses to your suggestions.

With the disclaimer in place, on to the problem...

Server is a Mac Mini Server running Snow Leopard Server.  DHCP installed and working.  DNS installed and working.  Configured to be Open Directory Master.  Client machine being used for testing is a MacBook Pro running Leopard.

I added the MacBook to the directory using Directory Utility and was able to log on to the MacBook as a directory user, but as soon as I try to browse to the server in Finder, I get asked for credentials.

It's my understanding that when you configure the server to be an Open Directory Master and have users configured, the server automatically becomes a KDC and should look after the authentication request in the background so I shouldn't have been prompted for credentials.

Am I understanding this correctly?  Is there something else that I need to configure?

Any help would be great.
0
Asked: Sabbec
2 Solutions
 
robertcerny Commented:
/System/Library/CoreServices/KerberosAgent

After a successful login, check if you got a ticket. Also, the machine must be bound to OD (System Preferences -> Accounts -> Login options -> Network join -> Open Directory Utility).

Click your server, Edit ->Security
0
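One way to act on "check if you got a ticket" from Terminal, as an added example that is not part of the original answer: it classifies `klist` output into three states. The sample output, the realm and host names, and the `afpserver` service name for AFP file sharing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `klist` output to see how far Kerberos SSO got.
# Usage on a client:  klist 2>&1 | sso_ticket_state afpserver
#   no-tgt   : login produced no ticket-granting ticket
#   tgt-only : TGT present, but no ticket for the file service was issued
#   sso-ok   : TGT and a service ticket are both in the cache
# Ticket expiry is not evaluated; only the presence of entries is checked.
sso_ticket_state() {
    service="${1:-afpserver}"   # assumed service name for AFP file sharing
    awk -v svc="$service" '
        # Ticket rows end with a principal such as name/instance@REALM.
        $NF ~ /^krbtgt\/[^@]+@/                 { tgt = 1 }
        index($NF, svc "/") == 1 && $NF ~ /@/   { st = 1 }
        END {
            if (!tgt)     print "no-tgt"
            else if (!st) print "tgt-only"
            else          print "sso-ok"
        }'
}

# Constructed sample: the user logged in and holds only a TGT.
SAMPLE_TGT_ONLY="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: testuser@MACSERVER.EXAMPLE.COM

Valid Starting     Expires            Service Principal
05/02/11 15:40:01  05/03/11 01:40:01  krbtgt/MACSERVER.EXAMPLE.COM@MACSERVER.EXAMPLE.COM"

# Constructed sample: the same cache after the file server issued a ticket.
SAMPLE_SSO_OK="$SAMPLE_TGT_ONLY
05/02/11 15:41:12  05/03/11 01:40:01  afpserver/macserver.example.com@MACSERVER.EXAMPLE.COM"

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_TGT_ONLY" | sso_ticket_state
printf '%s\n' "$SAMPLE_SSO_OK"   | sso_ticket_state
```

A `no-tgt` result right after a directory login points at the binding or the KDC, while `tgt-only` after a prompt in Finder points at the request for the file service ticket.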
 
Sabbec (Author) Commented:
My apologies but here is the first of my dumb responses.

I forgot to mention that not only are Macs fairly new to me but I've also never used Unix (10 years of Windows networking but no Linux or Unix).

I opened a Terminal window and changed to /System/Library/CoreServices and found KerberosAgent.app but I can't seem to do anything with it.  I tried opening it using Finder but it doesn't show me anything.

Also, in System preferences->Accounts->Login options there isn't a Network join option (see screen shot).  As I mentioned in the original post, the client is running Leopard and it is my understanding that adding a server using Directory Utility found in Applications/Utilities performs the binding.  Do I have this wrong?

[Screenshot: Login options]
0
 
nxnw Commented:
Click the options button.
0
 
Sabbec (Author) Commented:
I tried that before my last post but it only provides the ability to select what directory users can log on to the client:

[Screenshot: Options]
0
 
robertcerny Commented:
Aha,
your client isn't running on Snow Leopard, right? This part of networking is a little bit different in 10.5... Anyway, you should have an Open Directory Utility in /Applications/Utilities. Navigate there, open LDAP and bind the client to the server.
0
 
Sabbec (Author) Commented:
Sorry for the confusion.  I mentioned in the original post that the client is running Leopard (but I didn't clarify that it was 10.5) and that I already added the server using Directory Utility - that's why I can log on to the client as a network user.  It's after logon that the problem starts.

[Screenshot: Directory utility]
0
 
nxnw Commented:
You need to bind the client to OD using Directory Utility.
0
 
Sabbec (Author) Commented:
I thought binding took place when I added the OD server to the client as shown in the screen shot.  Am I misunderstanding this?
0
 
robertcerny Commented:
You need to click Services, LDAPv3 and enter auth details there.
0
 
Sabbec (Author) Commented:
Here's a screen shot of Services and a screen shot of what shows up when I open LDAP.  I haven't changed anything here - it was configured automatically when I added the OD server.

Again, please forgive my ignorance - what do I need to change?

[Screenshots: DU Services, DU LDAP Config]
0
 
robertcerny Commented:
Hello,
select MacServer in Picture-5 and click Edit. A window will pop up, and the third tab is authenticated binding.
[Attachment: Screen-shot-2011-05-02-at-15.42..png]
0
 
Sabbec (Author) Commented:
Is this a one-time configuration that applies to all users or does it need to be configured for each directory user?  If it's a one-time thing, I assume I should use an administrative username & password.

Also, is there a way to make this happen automatically to save a few steps on each client when the server gets deployed?
0
 
robertcerny Commented:
This should be done on each client, just once. There are basically three ways to do it:
  • use remote desktop to each client and authenticate via admin password
  • give your users rights to add their computer to the domain
  • use one of the deployment tools to prepare an image with authentication
It depends on the number of computers you need to add to the domain. I would probably use the command line
dsconfigldap

and distribute it using ARD (Apple Remote Desktop).
0
 
nxnw Commented:
I am afraid you are going to spin your wheels unless you have a look at the OS X Server manuals. They are online at apple.com.
0
 
Sabbec (Author) Commented:
I thought setting it up would be pretty straightforward (given that I'm very comfortable with Active Directory) and that I could avoid reading 500 pages of manuals.

Thanks for your help.
0
 
robertcerny Commented:
Actually, Mac OS X Server is a UNIX-based server with additional features to ease administration of OS X clients. It's not a click-and-forget solution, even though Apple's PR dept is trying hard to change it :)

IIRC 500 pages is just one manual, and there are more than 13 of them :)
0
 
nxnw Commented:
You may not have to read 500 pages of manuals, but you sure should have a look at them, at least. One can't even avoid referring to the manual for a new TV or washing machine.
0
