Q: Can someone explain the difference between these two Kerberos AFP listings
I have been doing quite a bit of digging to solve a widespread AFP idle disconnect issue, and while comparing settings among multiple servers, I noticed a Kerberos record variation that I don't understand.
Most of the servers under the AFP settings list a record like this:
afp:kerberosPrincipal = "afpserver/server.FQDN.com@SERVER.FQDN.COM"
One in particular lists a record like this that is completely different from the other servers:
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.F4848D1138AE9704A1A67C3F2F25AE98465D6465@LKDC:SHA1.F4848D1138AE9704A1A67C3F2F25AE98465D6465"
Can anyone explain to me why the difference and what it means?
OS X Server
Posted on Mar 27, 2014 6:29 PM
Basically it's the Local Key Distribution Centre ostensibly used for peer to peer file sharing and Access Control Lists etc as compared to SSO in a Networked Directory environment such as OD, AD, eDirectory, OpenLDAP etc. Wikipedia explains it fairly well if you're interested?
https://dreness.com/wikimedia/index.php?title=LKDC
In practical terms I have seen it cause confusion sometimes when authenticating file shares. It usually happens when File Sharing has been started prior to configuring DNS Services properly and starting PM and/or OD. The AFP server preference file appears to be 'locked' with the LKDC info instead of the server one, and networked users fail to authenticate when accessing a share. It's a rare-ish occurrence (I've seen it happen a few times) but can take a while to troubleshoot because defining shares and applying ACLs in the GUI shows no problems.
However this may not be the case with whatever problems you may be having? It's easy to 'fix' though, simply unshare whatever you've shared, stop the service, remove the preference file, reboot the server, restart the service. Check the information in the preference file is what it should be.
Posted on Mar 28, 2014 3:32 AM
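The check the answer above ends with ("check the information in the preference file is what it should be") can be scripted. The following is an added example, not code from either poster or from Apple: it parses the `afp:kerberosPrincipal` line in the form `serveradmin settings afp` prints it, reports whether the principal is bound to the Local KDC (the `LKDC:SHA1.…` form from the question) or to a directory realm, and, for the realm case, compares the realm against the server's own FQDN in upper case, which is what the healthy listing in the question shows. The sample settings text is constructed here; the only principals in it are the two from the question. That a correctly configured networked server's realm equals its upper-cased FQDN is an assumption taken from the question's first listing, not something the thread states as a rule.

```shell
#!/bin/sh
# Added example (not from the original thread): classify the AFP Kerberos
# principal reported by `serveradmin settings afp` so a server whose AFP
# service has been "locked" to the Local KDC can be spotted from a script.
#
# Assumptions (mine, not stated on the page):
#   - the settings line has the form   afp:kerberosPrincipal = "service/host@REALM"
#   - a healthy networked server's realm is its own FQDN in upper case
#     (as in afpserver/server.FQDN.com@SERVER.FQDN.COM)

# afp_principal_kind SETTINGS_TEXT EXPECTED_FQDN
# Prints exactly one of: lkdc, realm-ok, realm-mismatch, missing
# Exit status is 0 only for realm-ok.
afp_principal_kind() {
    settings="$1"
    expected_fqdn="$2"

    # Pull the quoted principal out of the afp:kerberosPrincipal line only;
    # other afp:* keys in the same dump are ignored.
    principal=$(printf '%s\n' "$settings" \
        | sed -n 's/^afp:kerberosPrincipal *= *"\(.*\)"$/\1/p')
    [ -n "$principal" ] || { echo missing; return 1; }

    host_part=${principal#*/}     # strip "afpserver/"
    host_part=${host_part%@*}     # strip "@REALM"
    realm=${principal##*@}        # everything after the last "@"

    # The LKDC form names no host at all, only the local KDC's SHA1 identity.
    case "$host_part" in
        LKDC:*) echo lkdc; return 1 ;;
    esac

    expected_realm=$(printf '%s' "$expected_fqdn" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" = "$expected_realm" ]; then
        echo realm-ok
        return 0
    fi
    echo realm-mismatch
    return 1
}

# Constructed sample dumps (the guestAccess/maxConnections lines are filler
# to show that only the kerberosPrincipal line is consulted).
GOOD_SETTINGS='afp:guestAccess = yes
afp:kerberosPrincipal = "afpserver/server.FQDN.com@SERVER.FQDN.COM"
afp:maxConnections = -1'

LKDC_SETTINGS='afp:guestAccess = yes
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.F4848D1138AE9704A1A67C3F2F25AE98465D6465@LKDC:SHA1.F4848D1138AE9704A1A67C3F2F25AE98465D6465"
afp:maxConnections = -1'

# Stand-alone run: show the verdict for both constructed dumps.
afp_principal_kind "$GOOD_SETTINGS" server.FQDN.com   # realm-ok
afp_principal_kind "$LKDC_SETTINGS" server.FQDN.com   # lkdc

# On an actual OS X Server box (not run here), the live check would be:
#   afp_principal_kind "$(sudo serveradmin settings afp)" "$(hostname -f)"
```

A result of `lkdc` is the situation the answer describes: the AFP preference file was written while only the Local KDC existed, and networked users will fail Kerberos authentication against it until the service is stopped, the preference file removed and the service restarted after DNS and OD are in place. `realm-mismatch` is worth a second look too, since it usually means the host's DNS name changed after AFP was first configured.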