
Safeguard Authentication Services 4.2 - Mac OS X/macOS Administration Guide


Troubleshooting connections to Windows SMB shares

There are some known issues connecting to Windows shares using Finder. If you log in as a domain user, Authentication Services obtains Kerberos credentials for your login session. Finder should use these credentials to authenticate automatically when connecting to Windows shares; instead, Finder prompts you for your password. The two possible causes for these issues are explained in the following topics:

Connecting to SMB shares on domain controllers

When connecting to SMB shares on a domain controller, settings on the default domain controller policy can force a Mac OS X client to Digitally Sign all traffic. Since Mac OS X clients do not support digitally signing SMB traffic, this can lead to a failure when attempting to mount an SMB share.

This issue is related to two settings in the Default Domain Controllers Policy.

To disable the policies and allow Mac OS X machines to connect to SMB shares

  1. Open Active Directory Users and Computers, select the domain, right-click, and select Properties.
  2. Click the Group Policy tab.

    Note: If you are using MS Server 2008, there is an additional menu item, Policies, added between Computer Configuration and Windows Settings in the following sequence.

    1. If the Default Domain Controllers Policy is linked to this domain, navigate to Edit | Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options, then double-click and disable the following two policies:
      • Microsoft network server: Digitally sign communications (always)
      • Microsoft network server: Digitally sign communications (if client agrees)
    2. If the Default Domain Policy is linked to this domain, navigate to Edit | Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options, then double-click and disable the following two policies:
      • Microsoft network server: Digitally sign communications (always)
      • Microsoft network server: Digitally sign communications (if client agrees)

      If these group policies are not currently defined, you can leave them unconfigured. If either policy is enabled and linked to the domain, however, the Mac OS X computer is not able to use SMB connections to mount the Windows file shares.

  3. If you change these policies on the domain controller, run the gpupdate command to refresh the group policies before logging on to Mac OS X computers.

The DNS domain name differs from the Kerberos realm

Problem:

A network trace reveals whether a Kerberos TGS request for the CIFS service ticket was sent to a domain controller. If a Mac never attempts to get a CIFS service ticket for SSO, the machine is usually unable to map the host name you are contacting to a Kerberos realm. When this happens, Finder (or any other mounting application) assumes that the host is not part of any Kerberos domain for which you have credentials and prompts you for a user name and password.

This can easily happen if your DNS domain name is not the same as your Kerberos realm (often referred to as a disjoint DNS namespace). It might also happen if you are trying to connect to the server using a short name or some other alias.

Workaround:

Add a domain to realm mapping for your DNS domain, short-name, or alias under the "[domain_realm]" section of the /Library/Preferences/edu.mit.kerberos file.

Authentication Services automatically adds a mapping similar to the following at join time:

[domain_realm]
.example.com = EXAMPLE.COM

This maps any DNS name ending in .example.com to the KRB5 realm EXAMPLE.COM. You must always specify the destination realm in upper case. And, when attempting to connect to the share, you must specify the host name exactly as the DNS name appears in the mapping.

If you are connecting to a share using an alias that does not have a domain suffix, you can explicitly map that name to a KRB5 realm with a domain_realm entry:

[domain_realm]
shortname = EXAMPLE.COM
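To see why a host name that is not covered by the [domain_realm] section ends in a password prompt, the following added example (not part of the guide or of Authentication Services) parses a constructed edu.mit.kerberos fragment containing both mappings above and applies a simplified version of the MIT krb5 lookup rule (exact host name first, then each parent domain written with a leading dot); the exact matching order of the real library is an assumption here, as are the sample host names.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the mapping Authentication Services writes at join time
# plus the explicit short-name entry from the workaround above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    shortname = EXAMPLE.COM
"""


def parse_domain_realm(conf_text: str) -> Dict[str, str]:
    """Return the name -> realm pairs found in the [domain_realm] section."""
    mapping: Dict[str, str] = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            in_section = header.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm  # host names compare case-insensitively
    return mapping


def realm_for_host(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Simplified krb5 lookup (assumption): exact host name first, then each
    parent domain with a leading dot, longest suffix first. None means the
    client cannot pick a realm, never requests a cifs/ ticket, and prompts."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def lowercase_realms(mapping: Dict[str, str]) -> List[str]:
    """Entries whose realm is not upper case; the guide requires upper case."""
    return [name for name, realm in mapping.items() if realm != realm.upper()]
```

A host in a disjoint namespace such as fs1.corp.local, or an alias other than the one explicitly mapped, returns None and corresponds to the prompt described above; adding the matching entry is the fix.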

Automatically mount network home folders

When you Unix-enable an Active Directory user with Authentication Services, the default configuration for that user is a local home directory. The home directory path is populated with a Unix path (/home/<username>).

On Mac OS X systems, /home is replaced with /Users, aligning with the Mac OS X standard location for local home directories. Authentication Services supports the automatic mounting of network shares (SMB or AFP) using Active Directory credentials, but you must specify a server path. You can store this server path in the directory on each user as a UNC path, or as a per-machine setting.

You can configure your home folder strategy globally for the entire domain using Group Policy extensions for Unix, or you can configure it on a per machine basis at the time you join your Mac OS X machine to the domain.
