CKMTech

Q: Network Acct Login Fails "no common enctypes"

On a brand new install of both OS X Server 3.1.2 and a Mavericks client laptop I'm unable to log in on the laptop using a network account. The server has a FQDN and the laptop is also using the server's DNS service.


After reviewing the logs and incoming network traffic I can see the laptop reaching out to the server on the LDAP port although it quickly fails. The system logs say:


8/14/14 5:19:18.771 PM kdc[57161]: AS-REQ xxxxuser@xxxx.CO from 192.168.xx.xx:51041 for krbtgt/xxxxuser@xxxx.CO
8/14/14 5:19:18.777 PM kdc[57161]: AS-REQ xxxxuser@xxxx.CO from 192.168.xx.xxx:51041 for krbtgt/xxxxuser@xxxx.CO
8/14/14 5:19:18.778 PM kdc[57161]: Client (xxxxuser@xxxx.CO) from 192.168.xx.xxx:51041 has no common enctypes with KDC to use for the session key


Any idea?


Thanks!

Mac mini, OS X Mavericks (10.9.4)

Posted on Aug 14, 2014 2:30 PM


  • by Linc Davis, Solved answer

    Linc Davis, Aug 14, 2014 4:55 PM in response to CKMTech
    Level 10 (207,995 points)
    Applications

    Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

    1. The OD master must have a static IP address on the local network, not a dynamic address.

    2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

    3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

    4. Follow these instructions to rebuild the Kerberos configuration on the master.

    5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.

    6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

    7. Reboot the master and the clients.

    8. Don't log in to the server with a network user's account.

    9. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.
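
    A script to sanity-check the naming requirements in steps 2 and 3 (three-level hostname, not under ".local", hostname equal to the DNS FQDN, forward and reverse lookups agreeing). This is an added example, not code from the thread or from Apple; the two check functions take pre-resolved values so they run offline, and the resolve_and_check wrapper assumes dig and hostname are available on the server.

```shell
#!/bin/sh
# Added example (not from the thread): check an OD master's name against
# the requirements in steps 2 and 3 above.

# Returns 0 when NAME has at least three labels and is not under .local
# (e.g. "server.yourdomain.com" passes; "server.local" and "server.com" fail).
check_name_shape() {
    name="$1"
    case "$name" in
        *.local|*.local.) return 1 ;;
        *.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the configured hostname equals the FQDN, the forward
# lookup produced an address, and the reverse lookup of that address
# points back at the same FQDN. Arguments are pre-resolved values so the
# check can be exercised with constructed data.
check_dns_consistency() {
    hostname_set="$1"; fqdn="$2"; forward_ip="$3"; reverse_name="$4"
    # dig -x prints PTR answers with a trailing dot; strip it before comparing.
    reverse_name="${reverse_name%.}"
    [ "$hostname_set" = "$fqdn" ] || return 1
    [ -n "$forward_ip" ] || return 1
    [ "$reverse_name" = "$fqdn" ] || return 1
    return 0
}

# Live wrapper for a real server: the FQDN and the static IP it should
# resolve to are given as arguments (assumed values, supplied by the admin).
resolve_and_check() {
    fqdn="$1"; expected_ip="$2"
    check_name_shape "$fqdn" || { echo "bad name shape: $fqdn"; return 1; }
    fwd=$(dig +short "$fqdn" A | head -n1)
    [ "$fwd" = "$expected_ip" ] || { echo "forward lookup gave '$fwd', expected $expected_ip"; return 1; }
    rev=$(dig +short -x "$fwd" | head -n1)
    check_dns_consistency "$(hostname -f)" "$fqdn" "$fwd" "$rev" \
        || { echo "hostname/DNS mismatch: hostname=$(hostname -f) reverse=$rev"; return 1; }
    echo "ok: $fqdn <-> $fwd"
}
```

    Run it on the master as `resolve_and_check server.yourdomain.com 192.168.1.10` (constructed values) before rebinding clients; any failure points at the DNS or hostname mismatch the steps above describe.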

  • by Grant Bennet-Alder

    Grant Bennet-Alder, Aug 14, 2014 6:48 PM in response to CKMTech
    Level 9 (61,073 points)
    Desktops

    First, follow the steps Linc Davis supplied on this thread:


    Open Directory not working on select macs.

  • by CKMTech

    CKMTech, Aug 14, 2014 7:19 PM in response to Linc Davis
    Level 1 (0 points)

    Thanks.


    I believe it was the fact that the FQDN was not accurately reflected in the DNS records. After reconfiguring, Profile Manager and OD connections are now working.