Apple have detailed the fix in http://support.apple.com/kb/HT4100. A fix is also listed at http://www.afp548.com/forum/viewtopic.php?showtopic=26509.

Follow the steps below to force the creation of the Kerberos TGT on initial login. The is taken from the Apple Knowledgebase:-

1. Make a backup copy of the authorization file with this Terminal command:

   sudo cp /etc/authorization /etc/authorization.bak

2. Open the /etc/authorization file in a text editor or plist editing application.
3. Locate this key:

   <key>system.login.console</key>

4. Under mechanisms, add the string:

   <string>builtin:krb5store,privileged</string>

5. Save the file to /etc

Basically, I needed it to allow Active Directory domain users to logon via the Podcast Producer website or logon directly to Mac OS X Server running the Podcast Composer.

The following steps are taken from http://podcastproducer.org/article.php/20100429001851465.

Step 1 - Install your Mac OS X 10.6 Server for the install DVD
Setup your IP and use your active directory domain as your search base, i.e myorganization.org.
DO NOT setup either a bind to Active Directory  or to setup Open Directory as a master server.
Click custom setup and uncheck binding to Active Directory  or setting up an Open Directory master server. Instead, just select “Manually Setup Users and Groups”. Finally, run Software Update and apply all available patches.

Step 2 - Make sure you have the DNS record is correct by running

sudo changeip -checkhostname 

You should see something similar to the following:

podcast (192.168.1.2)

Primary address = 192.168.1.2

Current HostName = podcast.myorganization.org

DNS HostName = podcast.myorganization.org

The names match. There is nothing to change.
dirserv:success = "success"

Fix any errors before proceeding.

Step 3 - Bind to AD.
Next, in the Terminal run following command to enable sign-sign on.

sudo dsconfigad -enablesso

Next, run the command to allows clear text authentication to Active Directory . This is done because of a limitation in the authentication of Podcast Producer 2 to Active Directory (It’s a good idea to login to the server with your an Active Directory account)

serveradmin settings teams:enableClearTextAuth = yes

Step 4 - Enable the require server services.
You will need NFS, Open Directory, Podcast Producer 2 and XGrid.

Step 5 - Setup Open Directory.
Set it up as a Open Directory master while connected to Active Directory
Set your LDAP admin name to be the same as your local Admin account.
The LDAP search base is the AD record of the machine i.e. – dc=podcast,dc=myorganization, dc=edu
Once setup, ensure that Kerberos is not running. It shouldn’t be running because it is using Active Directory Kerberos realm.

Step 6 - Setup NFS
Share Library/PodcastProducer - (This directory does not exist until you click on the podcast producer service, then click configure. Doing this will create the directory. Do not do anything more than merely start the config process to invoke the creation of the directory)
- Hit share
- Enable Automount
- Use LDAP domain
- Share over NFS
- Map to Shared Library folder (use the LDAP admin account to bind)
- Protocol options – Make sure afp, smb and ftp are off.
- NFS on: Select Export this item to a virtual interface/NIC
- Export to a particular subnet that what to have access.
- Map root to root
Start NFS

Step 7 - Configure XGrid
Run setup assistant
Host a grid
Bind with an AD account. This should be a regular domain account with no special privileges.

Step 8 - Setup the Podcast Producer service.
DO NOT click Configure Podcast Producer . Instead, click on Settings and change Podcast Library to /Library/PodcastProducer/Shared
Use the Standard Domain user as the Xgrid username. This should be the same as the one used in the XGrid section of this document.
Change Admin shortname to the short name of your admin account
Start the Podcast Producer Service

Trouble Shooting - Podcast Producer 2 is highly dependent on XGrid. XGrid seems to be the Achilles Heel of Podcast Producer. If you are submitting jobs successfully and find that that XGrid is failing, you can try deleting the following file and then restarting the Podcast Producer server.

/var/pcast/serve/krb_cc

The Exchange improvements are well overdue as the current Entourage is a disaster with slow synchronisation, corrupting databases, inability to save custom distribution group, etc… Bringing back Visual Basic for Applications will also resolve the headache of not being able to use macro enabled Excel spreadsheets in a mixed Mac/PC workgroup.

As a network administrator, I welcome this but it may have repercussions. For example, you have a bunch of Quark files without extension names on an SMB share in the AppleDouble format created by a 10.4 client. By default a 10.6 client wouldn’t be able to read the Quark files because it doesn’t read the AppleDouble dot underscore file and there are no extension names. Therefore, Apple have made it easy to re-enable the feature. This is possible be editing the nsmb.conf file.

To disable named streams as a default for your Mac OS X client user account

Execute these two commands in Terminal:

echo "[default]" >>  ~/Library/Preferences/nsmb.conf
echo "streams=no" >> ~/Library/Preferences/nsmb.conf

To disable named streams as a default for all Mac OS X client user accounts on a Mac

Log in to Mac OS X with an admin user account if you aren’t already logged in as an admin, then execute these two commands in Terminal:

echo "[default]" | sudo tee -a /etc/nsmb.conf
echo "streams=no" | sudo tee -a /etc/nsmb.conf

See the man page on nsmb.conf for more details about how to configure it.

To re-enable streams on 10.6 or to enable it on 10.5 change streams=no to streams=yes

To disable support for ADS for all shares in a cluster, edit the file /etc/mcp/override/smbd.xml and add the following text to the file immediately after any line that begins </add-tag>:

This has to be done via the command line so you will need to SSH into the isilon cluster. Once you have made this change, wait 60 seconds for it to propagate to all nodes in your cluster, then run following command to restart all SMB connections to the cluster, in order to take advantage of this change:

If the change made to the global smbd.xml file doesn’t work, edit the file /etc/mcp/override/smbd_shares.xml and add the following entry <field name=”ignore named streams” value=”yes”></field> into the individual share. See the example below: -

Once again when you have made this change, wait 60 seconds for it to propagate to all nodes in your cluster, then run following command to restart all SMB connections to the cluster, in order to take advantage of this change:

Please DO NOT atempt this if you are not familar with the command line environment.

See http://www.mozilla.org/projects/netlib/integrated-auth.html for the specifics on how it works.

Launch Firefox.  In the URL Field type about:config

Look for the following three preference names:

• network.automatic-ntlm-auth.trusted-uris
• network.negotiate-auth.delegation-uris
• network.negotiate-auth.trusted-uris.

Double click on each preference name and add ‘http://yourwebsite-1, http://yourwebsite-2, yourActiveDirectoryDomainName’ to its value field. You can add more sites as required.

Close the about:config windows and the following entries will be written into your prefs.js file which resides in the the Firefox User Profile directory:

• user_pref(“network.automatic-ntlm-auth.trusted-uris”, “http://yourwebsite-1, http://yourwebsite-2, yourADdomain”);
• user_pref(“network.negotiate-auth.delegation-uris”, “http://yourwebsite-1, http://yourwebsite-2, yourADdomain.com”);
• user_pref(“network.negotiate-auth.trusted-uris”, “http://yourwebsite-1, http://yourwebsite-2, yourADdomain.com”

You have now configured Firefox to use Integrated Authentication on your network.