Apple have detailed the fix in http://support.apple.com/kb/HT4100. A fix is also listed at http://www.afp548.com/forum/viewtopic.php?showtopic=26509.

Follow the steps below to force the creation of the Kerberos TGT on initial login. The is taken from the Apple Knowledgebase:-

1. Make a backup copy of the authorization file with this Terminal command:

   sudo cp /etc/authorization /etc/authorization.bak

2. Open the /etc/authorization file in a text editor or plist editing application.
3. Locate this key:

   <key>system.login.console</key>

4. Under mechanisms, add the string:

   <string>builtin:krb5store,privileged</string>

5. Save the file to /etc

Basically, I needed it to allow Active Directory domain users to logon via the Podcast Producer website or logon directly to Mac OS X Server running the Podcast Composer.

The following steps are taken from http://podcastproducer.org/article.php/20100429001851465.

Step 1 - Install your Mac OS X 10.6 Server for the install DVD
Setup your IP and use your active directory domain as your search base, i.e myorganization.org.
DO NOT setup either a bind to Active Directory  or to setup Open Directory as a master server.
Click custom setup and uncheck binding to Active Directory  or setting up an Open Directory master server. Instead, just select “Manually Setup Users and Groups”. Finally, run Software Update and apply all available patches.

Step 2 - Make sure you have the DNS record is correct by running

sudo changeip -checkhostname 

You should see something similar to the following:

podcast (192.168.1.2)

Primary address = 192.168.1.2

Current HostName = podcast.myorganization.org

DNS HostName = podcast.myorganization.org

The names match. There is nothing to change.
dirserv:success = "success"

Fix any errors before proceeding.

Step 3 - Bind to AD.
Next, in the Terminal run following command to enable sign-sign on.

sudo dsconfigad -enablesso

Next, run the command to allows clear text authentication to Active Directory . This is done because of a limitation in the authentication of Podcast Producer 2 to Active Directory (It’s a good idea to login to the server with your an Active Directory account)

serveradmin settings teams:enableClearTextAuth = yes

Step 4 - Enable the require server services.
You will need NFS, Open Directory, Podcast Producer 2 and XGrid.

Step 5 - Setup Open Directory.
Set it up as a Open Directory master while connected to Active Directory
Set your LDAP admin name to be the same as your local Admin account.
The LDAP search base is the AD record of the machine i.e. – dc=podcast,dc=myorganization, dc=edu
Once setup, ensure that Kerberos is not running. It shouldn’t be running because it is using Active Directory Kerberos realm.

Step 6 - Setup NFS
Share Library/PodcastProducer - (This directory does not exist until you click on the podcast producer service, then click configure. Doing this will create the directory. Do not do anything more than merely start the config process to invoke the creation of the directory)
- Hit share
- Enable Automount
- Use LDAP domain
- Share over NFS
- Map to Shared Library folder (use the LDAP admin account to bind)
- Protocol options – Make sure afp, smb and ftp are off.
- NFS on: Select Export this item to a virtual interface/NIC
- Export to a particular subnet that what to have access.
- Map root to root
Start NFS

Step 7 - Configure XGrid
Run setup assistant
Host a grid
Bind with an AD account. This should be a regular domain account with no special privileges.

Step 8 - Setup the Podcast Producer service.
DO NOT click Configure Podcast Producer . Instead, click on Settings and change Podcast Library to /Library/PodcastProducer/Shared
Use the Standard Domain user as the Xgrid username. This should be the same as the one used in the XGrid section of this document.
Change Admin shortname to the short name of your admin account
Start the Podcast Producer Service

Trouble Shooting - Podcast Producer 2 is highly dependent on XGrid. XGrid seems to be the Achilles Heel of Podcast Producer. If you are submitting jobs successfully and find that that XGrid is failing, you can try deleting the following file and then restarting the Podcast Producer server.

/var/pcast/serve/krb_cc

See http://www.mozilla.org/projects/netlib/integrated-auth.html for the specifics on how it works.

Launch Firefox.  In the URL Field type about:config

Look for the following three preference names:

• network.automatic-ntlm-auth.trusted-uris
• network.negotiate-auth.delegation-uris
• network.negotiate-auth.trusted-uris.

Double click on each preference name and add ‘http://yourwebsite-1, http://yourwebsite-2, yourActiveDirectoryDomainName’ to its value field. You can add more sites as required.

Close the about:config windows and the following entries will be written into your prefs.js file which resides in the the Firefox User Profile directory:

• user_pref(“network.automatic-ntlm-auth.trusted-uris”, “http://yourwebsite-1, http://yourwebsite-2, yourADdomain”);
• user_pref(“network.negotiate-auth.delegation-uris”, “http://yourwebsite-1, http://yourwebsite-2, yourADdomain.com”);
• user_pref(“network.negotiate-auth.trusted-uris”, “http://yourwebsite-1, http://yourwebsite-2, yourADdomain.com”

You have now configured Firefox to use Integrated Authentication on your network.