tekwerx IT

Q: Can someone explain the difference between these two Kerberos AFP listings

I have been doing quite a bit of digging to solve a widespread AFP idle disconnect issue, and while comparing settings among multiple servers, I noticed a Kerberos record variation that I don't understand.

Most of the servers under the AFP settings list a record like this:

afp:kerberosPrincipal = "afpserver/server.FQDN.com@SERVER.FQDN.COM"

One in particular lists a record like this that is completely different from the other servers:

afp:kerberosPrincipal = "afpserver/LKDC:SHA1.F4848D1138AE9704A1A67C3F2F25AE98465D6465@LKDC:SHA1.F4848D1138AE9704A1A67C3F2F25AE98465D6465"

Can anyone explain to me why the difference and what it means?

OS X Server

Posted on Mar 27, 2014 6:29 PM

  • by Antonio Rocco, Mar 28, 2014 3:32 AM in response to tekwerx IT (Solved answer)

    Basically it's the Local Key Distribution Centre, ostensibly used for peer-to-peer file sharing and Access Control Lists etc., as compared to SSO in a networked directory environment such as OD, AD, eDirectory, OpenLDAP etc. Wikipedia explains it fairly well if you're interested?

    https://dreness.com/wikimedia/index.php?title=LKDC

    In practical terms I have seen it cause confusion sometimes when authenticating file shares. It usually happens when File Sharing has been started prior to configuring DNS Services properly and starting PM and/or OD. The AFP server preference file appears to be 'locked' with the LKDC info instead of the server one, and networked users fail to authenticate when accessing a share. It's a rare-ish occurrence (I've seen it happen a few times) but can take a while to troubleshoot because defining shares and applying ACLs in the GUI shows no problems.

    However, this may not be the case with whatever problems you may be having? It's easy to 'fix' though: simply unshare whatever you've shared, stop the service, remove the preference file, reboot the server and restart the service. Check that the information in the preference file is what it should be.

  • by tekwerx IT, Mar 30, 2014 5:48 PM in response to Antonio Rocco

    Thanks for all that info. What a wealth of information. I am having some issues with users not being able to sleep or go idle properly on the server that has the LKDC entry and not the FQDN. I am going to fix this and see if it works.

    One more question: do you know the location of the preference file?

  • by Antonio Rocco, Mar 31, 2014 2:35 AM in response to tekwerx IT

    /Library/Preferences. Note this is not the top level Library folder and nothing to do with the System or Users' Library folders. The file is called com.apple.AppleFileServer.plist. You can use Property List Editor to view/edit the file. I prefer to use Pref Setter:

    http://www.nightproductions.net/prefsetter.html

    Look for the kerberosPrincipal key.

  • by Antonio Rocco, Mar 31, 2014 5:52 AM in response to tekwerx IT

    "This is not the top level Library folder . . ." is a typo as it is the top level Library folder.

  • by tekwerx IT, Mar 31, 2014 6:10 AM in response to Antonio Rocco

    Thanks,

    I was thinking that was the preference, but wasn't sure which one you were referring to. I did try to remove shares, remove the pref file, reboot, then reconfigure AFP, but the server didn't regenerate the pref file. I ended up putting the pref file back.

    What I did instead was just change the entry in the AFP pref file itself by typing the following (substituting "yourserver" with the FQDN of the server):

    serveradmin settings afp:kerberosPrincipal=afpserver/server.yourserver.com@SERVER.YOURSERVER.COM

    Thanks.
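As an added example that is not part of the thread or of Apple's tooling: a small POSIX shell script that parses the afp:kerberosPrincipal line in the form serveradmin settings prints it, tells an LKDC-bound principal (the afpserver/LKDC:SHA1.<hash>@LKDC:SHA1.<hash> form from the question) apart from a normal afpserver/<fqdn>@<REALM> principal, derives the value the thread expects from the server's FQDN, and shows the serveradmin settings fix posted above. The two sample lines are constructed from the listings in the question; the calls that would touch a live OS X Server (serveradmin, hostname -f, defaults) are left commented out.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether the AFP service's
# Kerberos principal is bound to the Local KDC (LKDC) instead of the
# server's directory realm, and shows the serveradmin command that
# would correct it. Only the commented-out calls at the bottom touch a
# real OS X Server; the functions work on plain strings.

# Build the principal the thread expects for a given FQDN:
# afpserver/<fqdn>@<FQDN uppercased>   (the realm is the uppercased FQDN)
expected_principal() {
    fqdn="$1"
    realm=$(printf '%s\n' "$fqdn" | tr '[:lower:]' '[:upper:]')
    printf 'afpserver/%s@%s' "$fqdn" "$realm"
}

# Extract the quoted value from a line such as
#   afp:kerberosPrincipal = "afpserver/host@REALM"
principal_value() {
    printf '%s\n' "$1" | sed -n 's/^afp:kerberosPrincipal = "\(.*\)"$/\1/p'
}

# Classify a principal string: "lkdc" when both the host part and the
# realm are LKDC:SHA1.<hash> identifiers, "realm" for a normal
# afpserver/host@REALM principal, "unknown" otherwise.
classify_principal() {
    case "$1" in
        afpserver/LKDC:SHA1.*@LKDC:SHA1.*) echo lkdc ;;
        afpserver/*@*)                     echo realm ;;
        *)                                 echo unknown ;;
    esac
}

# Return 0 when the configured principal matches what the FQDN implies,
# 1 otherwise; a one-line verdict goes to stdout either way.
check_principal() {
    line="$1"; fqdn="$2"
    actual=$(principal_value "$line")
    want=$(expected_principal "$fqdn")
    if [ "$actual" = "$want" ]; then
        echo "OK: $actual"
        return 0
    fi
    echo "MISMATCH ($(classify_principal "$actual")): have '$actual', want '$want'"
    return 1
}

# Constructed sample lines modelled on the two listings in the question.
GOOD='afp:kerberosPrincipal = "afpserver/server.FQDN.com@SERVER.FQDN.COM"'
BAD='afp:kerberosPrincipal = "afpserver/LKDC:SHA1.F4848D1138AE9704A1A67C3F2F25AE98465D6465@LKDC:SHA1.F4848D1138AE9704A1A67C3F2F25AE98465D6465"'

check_principal "$GOOD" server.FQDN.com
check_principal "$BAD"  server.FQDN.com || true

# On a real server (run as root) the live value comes from serveradmin,
# or from the plist Antonio names, then the fix from the thread is applied
# only when the check fails. Uncomment to use:
#   line=$(serveradmin settings afp:kerberosPrincipal)
#   defaults read /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal
#   check_principal "$line" "$(hostname -f)" || \
#       serveradmin settings "afp:kerberosPrincipal=$(expected_principal "$(hostname -f)")"
```

The classification is deliberately strict: a principal is only reported as LKDC when both the host part and the realm carry the LKDC:SHA1 identifier, which is the shape seen in the question; anything else that still looks like afpserver/host@REALM is treated as a directory-realm principal and compared against the uppercased FQDN.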

  • by Antonio Rocco, Mar 31, 2014 6:39 AM in response to tekwerx IT

    Yes that will do it. It's what I did some years back to fix the problem I mentioned in my first reply. You're welcome.

  • by LTOguy, Apr 15, 2015 10:34 AM in response to Antonio Rocco

    Thank you both for posting. This article and the linked ones were really helpful. Having the same issues with a couple of file servers after migrating from XSAN 3 to 4.

    Cheers,

    Ernesto