10 Replies Latest reply: Oct 22, 2014 12:25 PM by School80303
gnaegi Level 1 (10 points)

I did update from Lion to Mavericks and installed Server.app 3. On Lion AFP, SMB and other things worked well.

 

After the update (skipping Mountain Lion) Calendar was broken. One of the steps I did trying to solve the issue was running "Repair Permissions". Eventually I gave up on the Calendar issue and tried to get at least the AFP volumes working again. However, this is now broken as well.

 

- Access for local admin user via AFP works

- Access for all other users (local network users created with Server.app) is denied (shaky login window)

- Time Machine Backup is also broken

- SMB access works for all users, local and local network

- Network users can use other services, so passwords are ok

- All users are in the AFT-ACL group

 

I tried all kinds of things, nothing helped. I don't know if it is related to the repair permission thing.

 

 

In AppleFileServiceAccess.log I have stuff like this:

 

Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0

Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0

Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout myusername" -5023 0 0

Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0

Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0

Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout myusername" -5023 0 0

Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0

Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0

Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout myusername" -5023 0 0

 

In AppleFileServiceError.log I have stuff like this:

 

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: Kerberos fail: gss_acquire_cred major status_value <458752>  minor status_value <0>

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>:       major error <1>:  No credentials were supplied, or the credentials were unavailable or inaccessible.

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>:       minor error <1>: unknown mech-code 0 for mech unknown

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: Kerberos fail: gss_acquire_cred major status_value <458752>  minor status_value <0>

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>:       major error <1>:  No credentials were supplied, or the credentials were unavailable or inaccessible.

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>:       minor error <1>: unknown mech-code 0 for mech unknown

 

Note that the times do not all correspond, so maybe the log entries are not related at all. E.g. for 11.35 I have no error in the file.

 

 

How can I get AFP working again for all users? We really need the Time Machine backup, which apparently does not work over SMB...

 

Thanks

Florian
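
The poster notes that the timestamps in the two logs do not all line up. The following sketch is an added example, not part of the original post: it parses both AppleFileServer logs and flags which failed logins have a Kerberos failure within a few seconds. It assumes that a non-zero result field after the quoted action means the request failed, and that the year is 2013 (the syslog timestamps carry none).

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the two log excerpts in the post above.
ACCESS_LOG = '''\
Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0
Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0
Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0
Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0
'''.splitlines()
ERROR_LOG = '''\
Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: Kerberos fail: gss_acquire_cred major status_value <458752>  minor status_value <0>
Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>:       major error <1>:  No credentials were supplied, or the credentials were unavailable or inaccessible.
'''.splitlines()

LINE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ AppleFileServer\[\d+\] <\w+>: (.*)$')
ACCESS = re.compile(r'^IP (\S+) - - "(\w+) ?([^"]*)" (-?\d+) ')

def parse(lines, year):
    """Yield (datetime, message); syslog stamps have no year, so one is supplied."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), m[2]

def failed_logins(lines, year=2013):
    """Login requests whose result field is non-zero (assumed to mean failure)."""
    out = []
    for ts, msg in parse(lines, year):
        a = ACCESS.match(msg)
        if a and a[2] == "Login" and int(a[4]) != 0:
            out.append({"time": ts, "ip": a[1], "user": a[3], "code": int(a[4])})
    return out

def kerberos_failures(lines, year=2013):
    """Distinct timestamps of 'Kerberos fail:' header lines in the error log."""
    return sorted({ts for ts, msg in parse(lines, year) if msg.startswith("Kerberos fail:")})

def correlate(access, errors, window=5, year=2013):
    """Flag each failed login that has a Kerberos failure within `window` seconds."""
    kfails = kerberos_failures(errors, year)
    return [dict(ev, kerberos_nearby=any(
                abs((ev["time"] - k).total_seconds()) <= window for k in kfails))
            for ev in failed_logins(access, year)]

if __name__ == "__main__":
    for ev in correlate(ACCESS_LOG, ERROR_LOG):
        print(ev["time"].time(), ev["user"], ev["ip"], ev["code"], ev["kerberos_nearby"])
```

With the excerpts above and a 5-second window, only the 11:34:45 login sits next to a Kerberos failure; the 11:34:59 and 11:35:03 attempts have no matching error entry.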

  • gnaegi Level 1 (10 points)

    Still have the issue: network users are broken after Mavericks/Server 3 update.

     

    E.g. when I try to remote login via SSH I get the following:

     

    05.11.13 15:02:01.033 opendirectoryd[28]: GSSAPI Error: 

    Miscellaneous failure (see text (Server (ldap/my.domain.com@SERVERNAME.DOMAIN:COM) unknown while looking up 'ldap/my.domain.com@SERVERNAME.DOMAIN:COM' (cached result, timeout in 1200 sec) (negative cache))

    05.11.13 15:02:01.064 sshd[69837]: error: PAM: authentication error for myusername from 192.168.1.153 via 192.168.1.102

     

    Kerberos or LDAP or something like this is broken. It's a big mess.

     

    When I turn on SMB on all shares, users can connect. As soon as I turn on Time Machine, users can't log in anymore because Time Machine automatically turns on AFP (although "serveradmin settings timemachine" lets you think it should also work with SMB).

     

    So: File sharing or Time Machine - great choice!

     

    Can anybody explain to me how authentication for AFP with network users works and which tool I have to use to fix this? I already added all kinds of things with "ktutil lis" and "ktutil -p xxx ...", but nothing worked.

     

    Absolutely lost, any help is appreciated!

  • Yann@Paris Level 1 (0 points)

    Hi,

     

    I've got the same problem with one of my users (all others are fine)

     

    AFP doesn't work but SMB does

     

    Yann

     

    Gnaegi, I don't really help, but you are not alone ;-)

  • theFerret Level 1 (0 points)

    Similar here with a clean install of 10.9.0 and Server 3.0; SMB works, Time Machine and AFP only work for the original admin account created at install.

  • Michael Priestley Level 1 (35 points)

    This is worth a try as mentioned in the KB. http://support.apple.com/kb/TS2938

     

    I had the problem where the login access was denied for users and this fixed it. Replace the REALM_NAME with the domain name of your server in capitals

    i.e. ANYSERVER.CO.UK

    Lion Server: AFP users unable to authenticate with Kerberos after upgrading

    Symptoms

    After upgrading to Lion Server, AFP clients may no longer be able to authenticate via Kerberos. The AFP service may be referencing the LKDC.

    Resolution

    1. On the AFP server, execute the following command in Terminal using the correct Kerberos REALM_NAME and a user account authorized to make changes in the Kerberos database:

      sudo sso_util configure -r REALM_NAME -a diradmin afp

      Note:  You will be prompted for two passwords. First, for the current user's password, and then for the directory administrator's password.
    2. Restart the server.
  • Yann@Paris Level 1 (0 points)

    Hi Michael

     

    Thanks for your help, but your solution did not work for me.

     

    Yann

  • gnaegi Level 1 (10 points)

    Hallelujah, after installing server app version 3.0.1 the problem is gone - local network users can use AFP again.

     

    Note: I almost killed the update process because it took forever and I thought it was hanging. In the console I had many messages telling me that postgres could not be started or whatever. BUT: don't give up on the update too quickly! After quite some time the update process finished, so it actually did something useful during that time. Restart and boom - it worked

     

    What do I learn: never update again.

     

  • aaron192 Level 1 (0 points)

    I just went from 10.8.5 to 10.9.2 and have this same problem. I first noticed in DNS 127.0.0.1 was removed during install and not put back. From there I got everything working except AFP.

     

    Error message is:

     

    Kerberos fail: gss_acquire_cred major status_value <458752>  minor status_value <0>

           major error <1>:  No credentials were supplied, or the credentials were unavailable or inaccessible.

           minor error <1>: unknown mech-code 0 for mech unknown

     

     

    Trying:

     

    sudo sso_util configure -r REALM_NAME -a diradmin afp

     

    /Local/Default

    /LDAPv3/127.0.0.1

    Creating the service list

    Creating the service principals

    OSStatus CreateKerberosPrincipals(CFStringRef, CFStringRef, const char *, CFMutableDictionaryRef, Boolean): unable to find admin record: -1

    Creating the keytab file

    Configuring services

     

    Any solutions out there? This is pretty critical for TM backups around the office.

  • gnaegi Level 1 (10 points)

    @aaron192: did you update to the newest server app? Current version is 3.1.1. You might have to buy and install it again. I came from 10.7, I had to rebuy...

  • aaron192 Level 1 (0 points)

    I tried removing the server app, then reinstalling it. This was all the very latest version of the app. Same exact problem. The kicker was I let Time Machine go a few times. I tried restoring to 10.8.5 and it only selects the Latest backup, so it copied over a bunch of 10.9 stuff, not good. I tried to relink the Latest folder in the Backups.db but it wouldn't let me even as root. It seems every step I took to protect myself led to a disaster later. I'm at a loss.

  • School80303 Level 1 (0 points)

    I just ran into this issue upgrading to Server 3.2.2 on Mavericks. SMB login works fine, but AFP does not except for the local admin on the server. VPN has also stopped functioning.

     

    It didn't work, but I tried:

     

    sudo sso_util configure -r REALM_NAME -a diradmin afp



    Any other solutions people know of?