
Network user can't access AFP anymore

I did update from Lion to Mavericks and installed Server.app 3. On Lion AFP, SMB and other things worked well.


After the update (skipping Mountain Lion) Calendar was broken. One of the steps I did trying to solve the issue was running "Repair Permissions". Eventually I gave up on the Calendar issue and tried to get at least the AFP volumes working again. However, this is now broken as well.


- Access for local admin user via AFP works

- Access for all other users (local network users created with Server.app) is denied (shaky login window)

- Time Machine Backup is also broken

- SMB access works for all users, local and local network

- Network users can use other services, so passwords are ok

- All users are in the AFT-ACL group


I tried all kinds of things, nothing helped. I don't know if it is related to the repair permission thing.



In AppleFileServiceAccess.log I have stuff like this:


Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0

Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0

Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout myusername" -5023 0 0

Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0

Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0

Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout myusername" -5023 0 0

Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0

Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0

Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout myusername" -5023 0 0


In AppleFileServiceError.log I have stuff like this:


Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: Kerberos fail: gss_acquire_cred major status_value <458752> minor status_value <0>

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: major error <1>: No credentials were supplied, or the credentials were unavailable or inaccessible.

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: minor error <1>: unknown mech-code 0 for mech unknown

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: Kerberos fail: gss_acquire_cred major status_value <458752> minor status_value <0>

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: major error <1>: No credentials were supplied, or the credentials were unavailable or inaccessible.

Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: minor error <1>: unknown mech-code 0 for mech unknown


Note that the times do not all correspond, so maybe the log entries are not related at all. E.g. for 11.35 I have no error in the file.



How can I make AFP work again for all users? We really need the Time Machine backup which apparently does not work over SMB...


Thanks

Florian

Posted on Oct 29, 2013 6:08 AM
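
An added example, not part of the original post: a small parser for the two log formats quoted above that counts rejected AFP logins per client and user and decodes the `gss_acquire_cred` major status. It assumes that -5023 is `afpUserNotAuth` (Apple's MacErrors.h) and that the major status uses the RFC 2744 bit layout; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the logs quoted in the post.
ACCESS_LOG = [
    'Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Logout " -5023 0 0',
    'Oct 28 11:34:45 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0',
    'Oct 28 11:34:59 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0',
    'Oct 28 11:35:03 my.domain.com AppleFileServer[35234] <Info>: IP 192.168.1.153 - - "Login myusername" -5023 0 0',
]
ERROR_LOG = [
    "Oct 28 11:34:42 my.domain.com AppleFileServer[35234] <Info>: Kerberos fail: "
    "gss_acquire_cred major status_value <458752> minor status_value <0>",
]

AFP_USER_NOT_AUTH = -5023  # assumption: afpUserNotAuth in Apple's MacErrors.h
# Routine errors from RFC 2744; they occupy bits 16-23 of the major status.
GSS_ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 7: "GSS_S_NO_CRED",
    8: "GSS_S_NO_CONTEXT", 11: "GSS_S_CREDENTIALS_EXPIRED", 13: "GSS_S_FAILURE",
}
ACCESS_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ AppleFileServer\[\d+\] <\w+>: '
    r'IP (?P<ip>\S+) - - "(?P<op>\w+) (?P<user>[^"]*)" (?P<code>-?\d+) ')
GSS_RE = re.compile(r'gss_acquire_cred major status_value <(\d+)>')

def decode_gss_major(status):
    """Split a GSS-API major status into (calling error, routine error name, supplementary bits)."""
    routine = (status >> 16) & 0xFF
    name = GSS_ROUTINE_ERRORS.get(routine, f"routine error {routine}")
    return (status >> 24) & 0xFF, name, status & 0xFFFF

def failed_logins(lines):
    """Count Login records rejected with afpUserNotAuth, keyed by (client ip, user)."""
    hits = Counter()
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["op"] == "Login" and int(m["code"]) == AFP_USER_NOT_AUTH:
            hits[(m["ip"], m["user"])] += 1
    return hits

def gss_failures(lines):
    """Return the decoded major status of every gss_acquire_cred failure line."""
    found = (GSS_RE.search(line) for line in lines)
    return [decode_gss_major(int(m.group(1))) for m in found if m]

if __name__ == "__main__":
    print(dict(failed_logins(ACCESS_LOG)))
    print(gss_failures(ERROR_LOG))
```

458752 is 7 << 16, which decodes to GSS_S_NO_CRED and matches the "No credentials were supplied" text logged on the next line: the failure is on the server's side of acquiring its own service credentials, not a wrong user password.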


Nov 5, 2013 6:18 AM in response to gnaegi

Still have the issue: network users are broken after Mavericks/Server 3 update.


E.g. when I try to remote login via SSH I get the following:


05.11.13 15:02:01.033 opendirectoryd[28]: GSSAPI Error:

Miscellaneous failure (see text (Server (ldap/my.domain.com@SERVERNAME.DOMAIN:COM) unknown while looking up 'ldap/my.domain.com@SERVERNAME.DOMAIN:COM' (cached result, timeout in 1200 sec) (negative cache))

05.11.13 15:02:01.064 sshd[69837]: error: PAM: authentication error for myusername from 192.168.1.153 via 192.168.1.102


Kerberos or LDAP or something like this is broken. It's a big mess.


When I turn on SMB on all shares, users can connect. As soon as I turn on Time Machine, users can't log in anymore because Time Machine automatically turns on AFP (although "serveradmin settings timemachine" lets you think it should also work with SMB).


So: File sharing or Time Machine - great choice!


Can anybody explain to me how authentication for AFP with network users works and which tool I have to use to fix this? I already added all kinds of things with "ktutil lis" and "ktutil -p xxx ...", but nothing worked.


Absolutely lost, any help is appreciated!

Nov 14, 2013 7:04 AM in response to gnaegi

This is worth a try as mentioned in the KB. http://support.apple.com/kb/TS2938


I had the problem where the login access was denied for users and this fixed it. Replace the REALM_NAME with the domain name of your server in capitals

i.e. ANYSERVER.CO.UK

Lion Server: AFP users unable to authenticate with Kerberos after upgrading

Symptoms

After upgrading to Lion Server, AFP clients may no longer be able to authenticate via Kerberos. The AFP service may be referencing the LKDC.

Resolution

  1. On the AFP server, execute the following command in Terminal using the correct Kerberos REALM_NAME and a user account authorized to make changes in the Kerberos database:

    sudo sso_util configure -r REALM_NAME -a diradmin afp

    Note: You will be prompted for two passwords. First, for the current user's password, and then for the directory administrator's password.
  2. Restart the server.

Nov 19, 2013 7:29 AM in response to gnaegi

Hallelujah, after installing server app version 3.0.1 the problem is gone - local network users can use AFP again.


Note: I almost killed the update process because it took forever and I thought it was hanging. In the console I had many messages telling me that postgres could not be started or whatever. BUT: don't give up on the update too quickly! After quite some time the update process finished, so it actually did something useful during that time. Restart and boom - it worked 😀


What do I learn: never update again.


Apr 3, 2014 12:56 AM in response to gnaegi

I just went from 10.8.5 to 10.9.2 and have this same problem. I first noticed in DNS 127.0.0.1 was removed during install and not put back. From there I got everything working except AFP.


Error message is:


Kerberos fail: gss_acquire_cred major status_value <458752> minor status_value <0>

major error <1>: No credentials were supplied, or the credentials were unavailable or inaccessible.

minor error <1>: unknown mech-code 0 for mech unknown



Trying:


sudo sso_util configure -r REALM_NAME -a diradmin afp


/Local/Default

/LDAPv3/127.0.0.1

Creating the service list

Creating the service principals

OSStatus CreateKerberosPrincipals(CFStringRef, CFStringRef, const char *, CFMutableDictionaryRef, Boolean): unable to find admin record: -1

Creating the keytab file

Configuring services


Any solutions out there? This is pretty critical for TM backups around the office.

Apr 6, 2014 11:55 PM in response to gnaegi

I tried removing the server app, then reinstalling it. This was all the very latest version of the app. Same exact problem. The kicker was I let Time Machine go a few times. I tried restoring to 10.8.5 and it only selects the Latest backup, so it copied over a bunch of 10.9 stuff, not good. I tried to relink the Latest folder in the Backups.db but it wouldn't let me even as root. It seems every step I took to protect myself led to a disaster later. I'm at a loss.
