There are some known issues connecting to Windows shares using Finder. If you log in as a domain user, Authentication Services obtains Kerberos credentials for your login session. Finder should use these credentials to automatically authenticate when connecting to Windows shares. Instead, Finder promptd you for your password. The two possible causes for these issues are explained in the following topics:
When connecting to SMB shares on a domain controller, settings on the default domain controller policy can force a Mac OS X client to Digitally Sign all traffic. Since Mac OS X clients do not support digitally signing SMB traffic, this can lead to a failure when attempting to mount an SMB share.
This issue is related to two settings in the Default Domain Controllers Policy.
To disable the policies and allow Mac OS X machines to connect to SMB shares
Note: If you are using MS Server 2008, there is an additional menu item, Policies, added between Computer Configuration and Windows Settings in the following sequence.
If these group policies are not currently defined, you can leave them unconfigured. If either policy is enabled and linked to the domain, however, the Mac OS X computer is not be able to use SMB connections to mount the Windows file shares.
A network trace reveals if a Kerberos TGS request for the CIFS service ticket was sent to a domain controller. If a MAC never attempts to get a CIFS service ticket for SSO, it is usually a problem where the machine is not able to connect the host name you are contacting with a Kerberos realm. When this happens Finder, or any other mounting application, assumes that the host is not a part of any Kerberos domain for which you have credentials and prompts you for a user name and password.
This can easily happen if your DNS domain name is not the same as your Kerberos realm (often referred to as a disjoint DNS name space). It might also happen if you were trying to connect to the server using a short-name or some other alias.
Add a domain to realm mapping for your DNS domain, short-name, or alias under the "[domain_realm]" section of the /Library/Preferences/edu.mit.kerberos file.
Authentication Services automatically adds a mapping similar to the following at join time:
[domain_realm] .example.com = EXAMPLE.COM
This maps any DNS names ending in .example.com to the KRB5 realm EXAMPLE.COM. You must always specify the destination domain realm in upper case. And, when attempting to connect to the share, you must specify the source exactly as the DNS name is specified.
If you are connecting to a share using an alias that does not have a domain suffix, you can explicitly map that name to a KRB5 realm using a domain realm:
[domain_realm] shortname = EXAMPLE.COM
When you Unix-enable an Active Directory user with Authentication Services, the default configuration for that user is that he or she will use a local home directory. The home directory path is populated with a Unix path (/home/<username>).
On Mac OS X systems, /home is replaced with /Users, aligning with the Mac OS X standard location for local home directories. Authentication Services supports the automatic mounting of network shares (SMB or AFP) using Active Directory credentials, but you must specify a server path. You can store this server path in the directory on each user as a UNC path, or as a per machine setting.
You can configure your home folder strategy globally for the entire domain using Group Policy extensions for Unix, or you can configure it on a per machine basis at the time you join your Mac OS X machine to the domain.