
Two AFP problems

Two problems I can't figure out:

1.) If AFP uses Kerberos authentication, in clients I can click in the sidebar and connect. But after the Kerberos certificate expires, clicking in the Finder sidebar fails to log in and manually entering the password still fails. It looks like the Kerberos ticket on the client never gets renewed. The only solution on the client seems to be to manually renew the ticket or destroy it and get a new one. It's not supposed to work like this, is it? This is an incredible pain. Changing the AFP authentication method to standard works like I expect and clients can log in all the time. One reason this is important is I have a drive shared for Time Machine backups. With Kerberos, after the first 10 hours the backups stop since the ticket expires.

2.) I have "standard" logins for users except for mine, which has full permissions. When I click in the Finder sidebar on any client machine I get the expected sharepoints. But when I log in as any "standard" user I get the sharepoints I expect but also get one called "empty". Looking at the logs on the client, it appears it thinks it's mounting a sharepoint named "" (no characters). But on the server I don't have any empty or unnamed sharepoints in either Server Preferences or Server Admin. Looking at the logs I also can't see any sharepoint mounted as empty or "". How do I get rid of this? I'm stumped why this is showing up.

MacBook Pro 2.4GHz 17" HD, Mac OS X (10.5), 4GB RAM, 200GB 7200rpm HD

Posted on Nov 13, 2007 11:23 PM

Question marked as Best reply

Posted on Nov 14, 2007 11:02 AM

Solution to "Empty" share point.

Open Workgroup Manager.
Click on each user. Click on the home tab. Make sure you erase the default share point home
and set it to "none". The empty share point will no longer be an issue.
10 replies

Nov 15, 2007 7:03 AM in response to Brian Caslis

I've run into the same issue with Kerberos and AFP and confirmed it overnight. Yesterday afternoon my Kerberos ticket was in place and I was able to access my AFP share points (as well as other Kerberized services). This morning I was unable to access my shares until I opened Directory.app and edited my entry (thus forcing the creation of a ticket to my OD server, which also houses my AFP service). After the ticket was created I was able to access my shares.

Seems like the Finder or whatever service is responsible for creating the Kerberos ticket for AFP isn't. Has anyone found a solution that doesn't involve turning off Kerberos authentication for AFP?

Nov 20, 2007 8:26 AM in response to Brian Caslis

+If AFP uses Kerberos authentication, in clients I can click in the sidebar and connect.+

Yes, AFP +can use+ Kerberos authentication, but it doesn't have to. The authentication methods used by AFP 3 are typically Kerberos 5 or DHX (which Apple calls "Standard"). One, the other, or both can be enabled, as per the authenticationMode key in the com.apple.AppleFileServer.plist file in /Library/Preferences.

You can check and change which authentication methods AFP uses with Server Admin or the command-line version, serveradmin.

+But after the Kerberos certificate expires .... manually entering the password still fails.+

I'm guessing that's the standard AFP connection panel that's failing. Your AFP service is probably configured to only use Kerberos as its authentication method. You can change that back to "Standard and Kerberos" if you want in Server Admin.

+It looks like the Kerberos ticket on the client never gets renewed.+

There are two ways to overcome this:

1. Ask your users to keep their Kerberos application open. (You can add it to their login items via Managed Preferences.) The application is located in /System/Library/CoreServices/Kerberos.app. The default behavior, as defined in the application's preferences, is to automatically renew tickets while it is open. This should work for up to 7 days (the default configuration for the KDC on an Open Directory Master).

2. Adjust your ticket lifetime on the server end. To do so, you must edit the /var/db/krb5kdc/kdc.conf file. For example: *sudo nano /var/db/krb5kdc/kdc.conf*

Look for the max_life variable for your realm under realms. Change that value to whatever you like. The default value is: max_life = 10h 0m 0s.

If you change that, you may also want to change the max_renewable_life variable, too.

Reboot your server.

This post may also be helpful: http://www.afp548.com/forum/viewtopic.php?showtopic=16609

--Gerrit

Message was edited by: Gerrit DeWitt
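The two server-side settings Gerrit points at (the realm's max_life and max_renewable_life in /var/db/krb5kdc/kdc.conf) can be read back and sanity-checked before rebooting. The script below is an added example, not from this thread or from Apple; it parses a constructed kdc.conf (realm name EXAMPLE.PRIVATE is made up) and flags a ticket lifetime too short to cover an unattended backup window such as the 10-hour Time Machine problem the original poster describes.

```shell
#!/bin/sh
# Added example: report a realm's max_life / max_renewable_life from a kdc.conf
# and warn if tickets expire before a backup window passes.
# Point KDC_CONF at /var/db/krb5kdc/kdc.conf on a real Open Directory master.

sample_kdc_conf() {  # writes a constructed kdc.conf for the demo, prints its path
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
[kdcdefaults]
    kdc_ports = 88
[realms]
    EXAMPLE.PRIVATE = {
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
EOF
  echo "$f"
}

kdc_value() {  # usage: kdc_value REALM KEY FILE  -> prints the value, e.g. "10h 0m 0s"
  awk -v realm="$1" -v key="$2" '
    $1 == realm && $2 == "=" && $3 == "{" { inside = 1; next }   # enter REALM = { ... }
    inside && $1 == "}"                   { inside = 0 }         # leave the stanza
    inside && $1 == key && $2 == "="      { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$3"
}

to_seconds() {  # converts krb5 duration syntax ("7d 0h 0m 0s") to seconds
  total=0
  for tok in $1; do
    n=${tok%?}; u=${tok#"$n"}            # split "10h" into n=10, u=h
    case $u in
      d) total=$((total + n * 86400)) ;;
      h) total=$((total + n * 3600)) ;;
      m) total=$((total + n * 60)) ;;
      s) total=$((total + n)) ;;
      *) echo "unrecognised duration token: $tok" >&2; return 1 ;;
    esac
  done
  echo "$total"
}

CONF=${KDC_CONF:-$(sample_kdc_conf)}
REALM=${KDC_REALM:-EXAMPLE.PRIVATE}
BACKUP_WINDOW=$((24 * 3600))             # tickets must survive a full unattended day
life=$(to_seconds "$(kdc_value "$REALM" max_life "$CONF")")
renew=$(to_seconds "$(kdc_value "$REALM" max_renewable_life "$CONF")")
echo "$REALM: max_life=${life}s max_renewable_life=${renew}s"
if [ "$life" -lt "$BACKUP_WINDOW" ]; then
  echo "WARNING: tickets expire before ${BACKUP_WINDOW}s; raise max_life or keep Kerberos.app renewing"
fi
```

With the constructed config the script prints the warning, since 10h is shorter than the 24h window; raising max_life (or relying on renewal within max_renewable_life) clears it.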

Nov 23, 2007 6:49 PM in response to Jeff Miller2

Yeah, I think we do.

http://discussions.apple.com/thread.jspa?threadID=1244959

I searched and searched to find something to save me from reinstalling Tiger on 3 Leopard machines.

System Prefs>Security>Firewall
Set to "Set access for specific services and applications"
Then to "advanced". Enable stealth mode.

This has taken all the AFP bugs away from our network. So far.....

Jan 16, 2008 7:33 AM in response to Gerrit DeWitt

Hi Gerrit,

Thanks for your post. We have been battling the same issue with Leopard clients on Leopard server. It looks like we can just avoid any issues by selecting standard auth. What is the downside of this (selecting standard only)?

Also, we are having an issue of AFP disabling/asleep on systems when they go to sleep. Then they can't reconnect. Similar to the issue discussed above. The workaround at that point was to simply disable sleep on all systems, then log out and shut down at night.
