OD user login failed - afp issue?
Hello,
we are running OS X 10.8.3 with Server 2.2.1. It works as an Open Directory Master. Users could log in, load their profile and use their file shares. But after two weeks the login didn't work anymore: "The user "xyz" can't be logged in at this time" or just a loading wheel forever. A server reboot solved that problem for about 4 days. Afterwards the problem recurred. I rebooted the server again, and so on. Today the server has to be rebooted every morning to enable the OD login.
Nothing is listed in the OD error log. In the OD server log the following entries can be found for every user who tries to log in:
Jul 17 2013 11:08:26 305407us AUTH2: {0xnnnn..., username} WEBDAV-DIGEST authentication succeeded.
Jul 17 2013 11:08:43 488599us int CAuthProtocol::DoAuth(int): second token: nnnnnnnnnnnnnnnn...
The OD authentication seems to be working for me. The afp error log shows the following errors:
Jul 16 10:49:56 xserve-neu.<domain> AppleFileServer[902] <Info>: Kerberos fail: gss_acquire_cred major status_value <458752> minor status_value <0>
Jul 16 10:49:56 xserve-neu.<domain> AppleFileServer[902] <Info>: major error <1>: No credentials were supplied, or the credentials were unavailable or inaccessible.
Jul 16 10:49:56 xserve-neu.<domain> AppleFileServer[902] <Info>: minor error <1>: unknown mech-code 0 for mech unknown
This seems to occur once when the server is booted, but after the server has started, the users can log in with their OD accounts for about a day (at the moment). So I'm not sure whether there is a relation.
While the user cannot log in, the afp access log shows entries like the following after the "normal" entries (reading files, creating files... for the authenticated user):
Jul 17 09:54:39 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Delete .afpDeleted4632129" 0 0 0
Jul 17 09:54:39 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout <username>" 0 0 0
Jul 17 09:54:39 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout <username>" 0 0 0
Jul 17 09:54:39 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Login <Guest>" 0 0 0
Jul 17 09:54:40 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout <Guest>" 0 0 0
Jul 17 09:54:40 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Login <Guest>" 0 0 0
Jul 17 09:54:40 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout <Guest>" 0 0 0
Jul 17 09:54:40 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Login <Guest>" 0 0 0
Jul 17 09:54:40 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout <Guest>" 0 0 0
Jul 17 09:54:40 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Login <Guest>" 0 0 0
Jul 17 09:54:40 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout <Guest>" 0 0 0
Jul 17 09:54:40 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Login <Guest>" 0 0 0
Jul 17 09:54:40 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout <Guest>" 0 0 0
Jul 17 09:56:37 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout " -5023 0 0
Jul 17 09:56:37 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout " -5023 0 0
Jul 17 09:59:42 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout " -5023 0 0
Jul 17 09:59:42 xserve-neu.<domain> AppleFileServer[902] <Info>: IP <client IP address> - - "Logout " -5023 0 0
I tried to restart the afp service using the Server.app while the problem occurred. The start of the service hangs at "file sharing informations are read".
I read about ktutil list to check the Kerberos connection. I get the following output on the server for every client related to afp:
1 aes256-cts-hmac-sha1-96 afpserver/<clientname>.local@XSERVE.<DOMAIN>
1 aes128-cts-hmac-sha1-96 afpserver/<clientname>.local@XSERVE.<DOMAIN>
1 des3-cbc-sha1 afpserver/<clientname>.local@XSERVE.<DOMAIN>
For me it looks as though AFP is the problem, but I haven't the faintest idea how to fix it. I hope you have.
Could mobile accounts be a workaround in the meantime?
Your help is greatly appreciated!
Kind regards,
ragob66
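Added example (not part of the original post or a reply): a small Python 3 script that scans an AppleFileServer access log in the line shape quoted above and flags the two symptoms the post describes, a burst of Guest Login/Logout pairs from one client IP and Logout entries with a non-zero result code. The sample log lines are constructed to mirror the excerpt in the post (hostname, IP and user name are made up); usernames may appear bare or inside angle brackets, since the post shows placeholders. The names for the -5022/-5023 result codes are an assumption taken from the AFP kFP* error table and should be checked against Apple's AFP reference before being relied on.

```python
"""Flag guest login churn and failed logouts in an AFP access log (added example)."""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Line shape as quoted in the post: <syslog ts> <host> AppleFileServer[pid] <Info>: IP <ip> - - "<cmd> <arg>" rc n1 n2
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) AppleFileServer\[(?P<pid>\d+)\] <(?P<level>\w+)>: '
    r'IP (?P<ip>\S+) - - "(?P<cmd>[^"]*)" (?P<rc>-?\d+) (?P<n1>\d+) (?P<n2>\d+)$'
)

# ASSUMPTION: names from the AFP kFP* result-code table; verify against Apple's AFP reference.
AFP_RESULT = {0: "ok", -5022: "kFPSessClosed", -5023: "kFPUserNotAuth"}

# Constructed sample mirroring the post's excerpt (hostname, IP, user are invented).
SAMPLE_LOG = """\
Jul 17 09:54:38 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Open Fork report.xls" 0 0 0
Jul 17 09:54:39 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Delete .afpDeleted4632129" 0 0 0
Jul 17 09:54:39 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Logout alice" 0 0 0
Jul 17 09:54:39 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Logout alice" 0 0 0
Jul 17 09:54:39 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Login Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Logout Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Login Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Logout Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Login Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Logout Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Login Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Logout Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Login Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Logout Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Login Guest" 0 0 0
Jul 17 09:54:40 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Logout Guest" 0 0 0
Jul 17 09:56:37 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Logout " -5023 0 0
Jul 17 09:56:37 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.5 - - "Logout " -5023 0 0
Jul 17 10:02:11 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.9 - - "Login <Guest>" 0 0 0
Jul 17 10:02:12 xserve-neu.example AppleFileServer[902] <Info>: IP 10.0.0.9 - - "Logout <Guest>" 0 0 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    cmd, _, arg = m.group("cmd").partition(" ")
    arg = arg.strip().strip("<>")  # tolerate the <user> placeholders shown in the post
    # syslog timestamps carry no year; only deltas between lines are used here
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {"ts": ts, "ip": m.group("ip"), "cmd": cmd, "arg": arg, "rc": int(m.group("rc"))}


def max_guest_burst(times, window_s):
    """Largest number of guest logins from one IP inside any window_s-second sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window_s=5, min_guest_cycles=3):
    """Per client IP: guest-login burst size, churn flag, failed logouts, and named-user logouts."""
    per_ip = defaultdict(lambda: {"guest_logins": [], "failed_logouts": [], "user_logouts": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rec = per_ip[ev["ip"]]
        if ev["cmd"] == "Login" and ev["arg"].lower() == "guest":
            rec["guest_logins"].append(ev["ts"])
        elif ev["cmd"] == "Logout":
            if ev["rc"] != 0:  # e.g. the "Logout " -5023 lines in the post
                rec["failed_logouts"].append((ev["ts"], ev["rc"], AFP_RESULT.get(ev["rc"], "unknown")))
            elif ev["arg"] and ev["arg"].lower() != "guest":
                rec["user_logouts"].append((ev["ts"], ev["arg"]))
    findings = {}
    for ip, rec in per_ip.items():
        burst = max_guest_burst(rec["guest_logins"], window_s)
        findings[ip] = {
            "guest_burst": burst,
            "guest_churn": burst >= min_guest_cycles,
            "failed_logouts": rec["failed_logouts"],
            "user_logouts": rec["user_logouts"],
        }
    return findings


def report(findings):
    """Human-readable summary, one line per client IP that shows either symptom."""
    out = []
    for ip, f in sorted(findings.items()):
        if f["guest_churn"] or f["failed_logouts"]:
            codes = ",".join(f"{rc}({name})" for _, rc, name in f["failed_logouts"]) or "none"
            users = ",".join(sorted({u for _, u in f["user_logouts"]})) or "none"
            out.append(f"{ip}: guest logins in {5}s window={f['guest_burst']} "
                       f"churn={f['guest_churn']} failed_logouts={codes} users_logged_out={users}")
    return out


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print("\n".join(report(analyze(src))) or "no findings")
```

Run it as `python3 afp_churn.py /Library/Logs/AppleFileService/AppleFileServiceAccess.log` (path is the 10.8 default as an assumption; adjust to wherever Server.app writes the access log) to see which clients fall back to repeated Guest sessions and which sessions end with a non-zero logout result, and correlate those timestamps with the gss_acquire_cred lines in the AFP error log.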