
Network user can't access AFP anymore

gnaegi Level 1 (10 points)
Oct 29, 2013 6:08 AM

I did update from Lion to Mavericks and installed Server.app 3. On Lion AFP, SMB and other things worked well.

 

After the update (skipping Mountain Lion) Calendar was broken. One of the steps I did trying to solve the issue was running "Repair Permissions". Eventually I gave up on the Calendar issue and tried to get at least the AFP volumes working again. However, this is now broken as well.

 

- Access for local admin user via AFP works

- Access for all other users (local network users created with Server.app) is denied (shaky login window)

- Time Machine Backup is also broken

- SMB access works for all users, local and local network

- Network users can use other services, so passwords are ok

- All users are in the AFT-ACL group

I tried all kinds of things, nothing helped. I don't know if it is related to the repair permission thing.

 

 

In AppleFileServiceAccess.log I have stuff like this:

 

Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0

Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0

Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout myusername" -5023 0 0

Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0

Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0

Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout myusername" -5023 0 0

Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0

Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0

Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout myusername" -5023 0 0

 

In AppleFileServiceError.log I have stuff like this:

 

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: Kerberos fail: gss_acquire_cred major status_value <458752>  minor status_value <0>

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>:       major error <1>:  No credentials were supplied, or the credentials were unavailable or inaccessible.

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>:       minor error <1>: unknown mech-code 0 for mech unknown

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: Kerberos fail: gss_acquire_cred major status_value <458752>  minor status_value <0>

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>:       major error <1>:  No credentials were supplied, or the credentials were unavailable or inaccessible.

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>:       minor error <1>: unknown mech-code 0 for mech unknown

 

Note that the times do not all correspond, so maybe the log entries are not related at all. E.g. for 11.35 I have no error in the file.

 

 

How can I get AFP working again for all users? We really need the Time Machine backup, which apparently does not work over SMB...

 

Thanks

Florian
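
Added example, not part of the original post: a Python script that lines up failed AFP logins from AppleFileServiceAccess.log with Kerberos failures from AppleFileServiceError.log by timestamp, and decodes the GSS-API major status (458752 is 0x70000, routine error 7, GSS_S_NO_CRED in RFC 2744). The sample lines are constructed from those quoted above; the year, the 5-second window and the reading of the first number after the quoted action as the AFP result code are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the log lines quoted in the post.
ACCESS_LOG = """\
Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0
Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0
Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout myusername" -5023 0 0
"""
ERROR_LOG = """\
Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: Kerberos fail: gss_acquire_cred major status_value <458752>  minor status_value <0>
Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>:       major error <1>:  No credentials were supplied, or the credentials were unavailable or inaccessible.
"""
YEAR = 2013  # assumption: the syslog-style stamps carry no year; taken from the post date
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ AppleFileServer\[\d+\] <\w+>: +(.*)$")
ACCESS = re.compile(r'IP (\S+) - - "(\w+) ([^"]*)" (-?\d+)')
GSS = re.compile(r"Kerberos fail: (\w+) major status_value <(\d+)>")
# Routine-error names from RFC 2744 (subset).
GSS_ROUTINE = {7: "GSS_S_NO_CRED", 11: "GSS_S_CREDENTIALS_EXPIRED", 13: "GSS_S_FAILURE"}

def records(text):
    """Yield (timestamp, message) for each AppleFileServer line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(f"{YEAR} {m[1]}", "%Y %b %d %H:%M:%S"), m[2]

def decode_gss_major(status):
    """Split a GSS-API major status into calling error, routine error, supplementary bits."""
    routine = (status >> 16) & 0xFF
    return (status >> 24) & 0xFF, GSS_ROUTINE.get(routine, f"routine {routine}"), status & 0xFFFF

def failed_logins(text):
    """Login lines whose first numeric field (assumed AFP result code) is non-zero."""
    hits = ((ts, ACCESS.search(msg)) for ts, msg in records(text))
    return [(ts, m[1], m[3], int(m[4])) for ts, m in hits
            if m and m[2] == "Login" and int(m[4]) != 0]

def kerberos_failures(text):
    """(timestamp, failing GSS call, decoded routine error) for each 'Kerberos fail' line."""
    hits = ((ts, GSS.search(msg)) for ts, msg in records(text))
    return [(ts, m[1], decode_gss_major(int(m[2]))[1]) for ts, m in hits if m]

def correlate(access_text, error_text, window=timedelta(seconds=5)):
    """Attach to each failed login the Kerberos failures logged within `window` of it."""
    krb = kerberos_failures(error_text)
    return [(ts.strftime("%H:%M:%S"), ip, user, code,
             sorted({f"{call}:{name}" for kts, call, name in krb if abs(ts - kts) <= window}))
            for ts, ip, user, code in failed_logins(access_text)]

if __name__ == "__main__":
    for row in correlate(ACCESS_LOG, ERROR_LOG):
        print(row)
```

A failed login with an empty last field has no Kerberos failure logged near it, which is the mismatch in times the post points out.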

  • Yann@Paris Level 1 (0 points)
    Nov 6, 2013 5:32 AM (in response to gnaegi)

    Hi,

     

    I've got the same problem with one of my users (all others are fine)

     

    AFP doesn't work but SMB does

     

    Yann

     

    Gnaegi, I don't really help, but you are not alone ;-)

  • theFerret Level 1 (0 points)
    Nov 8, 2013 2:21 PM (in response to gnaegi)

    Similar here with a clean install of 10.9.0 and Server 3.0; SMB works, Time Machine and AFP only work for the original admin account created at install.

  • Michael Priestley
    Nov 14, 2013 7:04 AM (in response to gnaegi)

    This is worth a try as mentioned in the KB. http://support.apple.com/kb/TS2938

     

    I had the problem where the log in access was denied for users and this fixed it. Replace the REALM_NAME with the domain name of your server in capitals, i.e. ANYSERVER.CO.UK

    Lion Server: AFP users unable to authenticate with Kerberos after upgrading

    Symptoms

    After upgrading to Lion Server, AFP clients may no longer be able to authenticate via Kerberos. The AFP service may be referencing the LKDC.

    Resolution

    1. On the AFP server, execute the following command in Terminal using the correct Kerberos REALM_NAME and a user account authorized to make changes in the Kerberos database:

      sudo sso_util configure -r REALM_NAME -a diradmin afp

      Note:  You will be prompted for two passwords. First, for the current user's password, and then for the directory administrator's password.
    2. Restart the server.
  • Yann@Paris Level 1 (0 points)
    Nov 15, 2013 12:16 PM (in response to Michael Priestley)

    Hi Mickael

     

    Thanks for your help, but your solution did not work for me.

     

    Yann

  • aaron192
    Apr 3, 2014 12:56 AM (in response to gnaegi)

    I just went from 10.8.5 to 10.9.2 and have this same problem. I first noticed in DNS 127.0.0.1 was removed during install and not put back. From there I got everything working except afp.

     

    Error message is:

     

    Kerberos fail: gss_acquire_cred major status_value <458752>  minor status_value <0>

           major error <1>:  No credentials were supplied, or the credentials were unavailable or inaccessible.

           minor error <1>: unknown mech-code 0 for mech unknown

     

     

    Trying:

     

    sudo sso_util configure -r REALM_NAME -a diradmin afp

     

    /Local/Default

    /LDAPv3/127.0.0.1

    Creating the service list

    Creating the service principals

    OSStatus CreateKerberosPrincipals(CFStringRef, CFStringRef, const char *, CFMutableDictionaryRef, Boolean): unable to find admin record: -1

    Creating the keytab file

    Configuring services

     

    Any solutions out there? This is pretty critical for TM backups around the office.

  • aaron192 Level 1 (0 points)
    Apr 6, 2014 11:55 PM (in response to gnaegi)

    I tried removing the server app, then reinstalling it. This was all the very latest version of the app. Same exact problem. The kicker was I let Time Machine go a few times. I tried restoring to 10.8.5 and it only selects the Latest backup, so it copied over a bunch of 10.9 stuff, not good. I tried to relink the Latest folder in the Backups.db but it wouldn't let me even as root. It seems every step I took to protect myself led to a disaster later. I'm at a loss.
