You Unix-enable a user by entering the Unix attributes on the Unix Account tab in Active Directory Users and Computers (ADUC) MMC Snapin.
To Unix-enable a user
Select the Unix-enabled check box.
Default values are generated for the user.
There are some known issues connecting to Windows shares using Finder. If you log in as a domain user, Authentication Services obtains Kerberos credentials for your login session. Finder should use these credentials to automatically authenticate when connecting to Windows shares. Instead, Finder promptd you for your password. The two possible causes for these issues are explained in the following topics:
When connecting to SMB shares on a domain controller, settings on the default domain controller policy can force a Mac OS X client to Digitally Sign all traffic. Since Mac OS X clients do not support digitally signing SMB traffic, this can lead to a failure when attempting to mount an SMB share.
This issue is related to two settings in the Default Domain Controllers Policy.
To disable the policies and allow Mac OS X machines to connect to SMB shares
|
Note: If you are using MS Server 2008, there is an additional menu item, Policies, added between Computer Configuration and Windows Settings in the following sequence. |
If these group policies are not currently defined, you can leave them unconfigured. If either policy is enabled and linked to the domain, however, the Mac OS X computer is not be able to use SMB connections to mount the Windows file shares.
A network trace reveals if a Kerberos TGS request for the CIFS service ticket was sent to a domain controller. If a MAC never attempts to get a CIFS service ticket for SSO, it is usually a problem where the machine is not able to connect the host name you are contacting with a Kerberos realm. When this happens Finder, or any other mounting application, assumes that the host is not a part of any Kerberos domain for which you have credentials and prompts you for a user name and password.
This can easily happen if your DNS domain name is not the same as your Kerberos realm (often referred to as a disjoint DNS name space). It might also happen if you were trying to connect to the server using a short-name or some other alias.
Add a domain to realm mapping for your DNS domain, short-name, or alias under the "[domain_realm]" section of the /Library/Preferences/edu.mit.kerberos file.
Authentication Services automatically adds a mapping similar to the following at join time:
[domain_realm] .example.com = EXAMPLE.COM
This maps any DNS names ending in .example.com to the KRB5 realm EXAMPLE.COM. You must always specify the destination domain realm in upper case. And, when attempting to connect to the share, you must specify the source exactly as the DNS name is specified.
If you are connecting to a share using an alias that does not have a domain suffix, you can explicitly map that name to a KRB5 realm using a domain realm:
[domain_realm] shortname = EXAMPLE.COM
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy