
Sketchy SMB connectivity for network users- Yosemite Server 4.1.5

Ever since we upgraded my school to Yosemite, we've been having connectivity issues accessing directories via the File Sharing service. I've noticed the shift to using SMB3 as the default sharing protocol. Connecting to server.domain.com now connects as smb://server.domain.com. When we authenticate as a local user on a machine, we can see available shares for that user. However, all users on our campus are network users, and their best attempts to connect now most often result in them getting an error message that there is a problem connecting to the server. Worst case, they attempt to connect but they don't even get as far as the authentication window before the server rejects the SMB connection.



My initial thought was that, duh, we didn't have any directories being shared over the SMB protocol but no, when we checked the Server app all shared directories were being shared over both AFP and SMB. System Preferences>Sharing also indicated that SMB was online and well. Befuddled, I tried forcing the connection over AFP by connecting to the server as afp://server.domain.com. Success. All file shares are available with the correct access settings for all users, both local and network.


Oddly enough, even when the above window pops up, saying that the connection to the server failed, the server still registers the user as having an active connection over the SMB protocol.



So far, my attempts to sleuth out the cause of this issue have produced limited results. We'd like to take advantage of the speed gain available to us over SMB3, but so far we haven't even been able to maintain a basic connection over the SMB protocol. What might be the cause of this issue between Yosemite's SMB3 protocol and our network users? All computers, both servers and clients, in this scenario are running Mac OS X Yosemite 10.10.5 and have a reliable network connection via ethernet.


Thanks for the consideration!

Chris

iMac, OS X Yosemite (10.10.5)

Posted on Aug 29, 2015 11:18 AM

2 replies

Nov 25, 2015 2:40 PM in response to DATech

We've also seen this issue. Network accounts (LDAPv3) will get to the password entry screen, but behave as though the password is incorrect.

When I use an account that is local to the server, I can log in fine. (Or when we use AFP, it works fine.)

This is from 10.10.5 clients to 10.10.5 server with Server.app 4.1.5, as in the original post.


I've tried:

sudo kill -SIGHUP <pid_of_smbd>

No change.

sudo kill -SIGTERM <pid_of_smbd>

No change.

sudo serveradmin stop smb && sudo serveradmin start smb

No change.


Here's what the server spews to log when we try a network user login:

11/25/15 2:19:25.676 PM digest-service[96515]: label: default

11/25/15 2:19:25.676 PM digest-service[96515]: dbname: od:/Local/Default

11/25/15 2:19:25.676 PM digest-service[96515]: mkey_file: /var/db/krb5kdc/m-key

11/25/15 2:19:25.676 PM digest-service[96515]: acl_file: /var/db/krb5kdc/kadmind.acl

11/25/15 2:19:25.678 PM digest-service[96515]: digest-request: uid=0

11/25/15 2:19:25.680 PM digest-service[96515]: digest-request: netr probe 0

11/25/15 2:19:25.681 PM digest-service[96515]: digest-request: init request

11/25/15 2:19:25.712 PM digest-service[96515]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>

11/25/15 2:19:25.713 PM digest-service[96515]: digest-request: uid=0

11/25/15 2:19:25.713 PM digest-service[96515]: digest-request: init request

11/25/15 2:19:25.744 PM digest-service[96515]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>

11/25/15 2:19:26.227 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc

11/25/15 2:19:26.227 PM kdc[108]: Asked for LKDC, but there is none

11/25/15 2:19:26.236 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf

11/25/15 2:19:41.261 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc

11/25/15 2:19:41.262 PM kdc[108]: Asked for LKDC, but there is none

11/25/15 2:19:41.271 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf

11/25/15 2:19:41.272 PM digest-service[96515]: digest-request: uid=0

11/25/15 2:19:41.272 PM digest-service[96515]: digest-request: init request

11/25/15 2:19:41.304 PM digest-service[96515]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>

11/25/15 2:19:41.314 PM digest-service[96515]: digest-request: uid=0

11/25/15 2:19:41.314 PM digest-service[96515]: digest-request: init request

11/25/15 2:19:41.345 PM digest-service[96515]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>

11/25/15 2:19:41.348 PM digest-service[96515]: digest-request: uid=0

11/25/15 2:19:41.403 PM digest-service[96515]: digest-request od: ok user=PIP\david proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE

[the previous 8 lines repeat]



Here's the same spew for a local user:

11/25/15 2:22:19.239 PM digest-service[96566]: label: default

11/25/15 2:22:19.240 PM digest-service[96566]: dbname: od:/Local/Default

11/25/15 2:22:19.240 PM digest-service[96566]: mkey_file: /var/db/krb5kdc/m-key

11/25/15 2:22:19.240 PM digest-service[96566]: acl_file: /var/db/krb5kdc/kadmind.acl

11/25/15 2:22:19.242 PM digest-service[96566]: digest-request: uid=0

11/25/15 2:22:19.244 PM digest-service[96566]: digest-request: netr probe 0

11/25/15 2:22:19.245 PM digest-service[96566]: digest-request: init request

11/25/15 2:22:19.278 PM digest-service[96566]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>

11/25/15 2:22:19.288 PM digest-service[96566]: digest-request: uid=0

11/25/15 2:22:19.288 PM digest-service[96566]: digest-request: init request

11/25/15 2:22:19.319 PM digest-service[96566]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>

11/25/15 2:22:19.728 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc

11/25/15 2:22:19.728 PM kdc[108]: Asked for LKDC, but there is none

11/25/15 2:22:19.737 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf

11/25/15 2:22:32.481 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc

11/25/15 2:22:32.481 PM kdc[108]: Asked for LKDC, but there is none

11/25/15 2:22:32.488 PM digest-service[96566]: digest-request: uid=0

11/25/15 2:22:32.488 PM digest-service[96566]: digest-request: init request

11/25/15 2:22:32.490 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf

11/25/15 2:22:32.520 PM digest-service[96566]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>

11/25/15 2:22:32.529 PM digest-service[96566]: digest-request: uid=0

11/25/15 2:22:32.529 PM digest-service[96566]: digest-request: init request

11/25/15 2:22:32.560 PM digest-service[96566]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>

11/25/15 2:22:32.563 PM digest-service[96566]: digest-request: uid=0

11/25/15 2:22:32.565 PM digest-service[96566]: digest-request: od failed with 2 proto=ntlmv2

11/25/15 2:22:32.565 PM digest-service[96566]: digest-request: user=PIP\metroeastserver

11/25/15 2:22:32.572 PM digest-service[96566]: digest-request kdc: ok user=PIP\metroeastserver proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE



Here's AFP, which works:

11/25/15 2:37:20.779 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc

11/25/15 2:37:20.779 PM kdc[108]: Asked for LKDC, but there is none

11/25/15 2:37:20.787 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf

11/25/15 2:37:38.802 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc

11/25/15 2:37:38.802 PM kdc[108]: Asked for LKDC, but there is none

11/25/15 2:37:38.811 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf

11/25/15 2:37:38.833 PM kdc[108]: AS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:62096 for krbtgt/LES.METROEAST.ORG@LES.METROEAST.ORG

11/25/15 2:37:38.836 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf

11/25/15 2:37:38.843 PM kdc[108]: AS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:62096 for krbtgt/LES.METROEAST.ORG@LES.METROEAST.ORG

11/25/15 2:37:38.844 PM kdc[108]: Client sent patypes: REQ-ENC-PA-REP

11/25/15 2:37:38.844 PM kdc[108]: user has no SRP keys

11/25/15 2:37:38.844 PM kdc[108]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

11/25/15 2:37:38.848 PM kdc[108]: AS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:56638 for krbtgt/LES.METROEAST.ORG@LES.METROEAST.ORG

11/25/15 2:37:38.857 PM kdc[108]: AS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:56638 for krbtgt/LES.METROEAST.ORG@LES.METROEAST.ORG

11/25/15 2:37:38.858 PM kdc[108]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP

11/25/15 2:37:38.858 PM kdc[108]: ENC-TS pre-authentication succeeded -- davidelkinbram@LES.METROEAST.ORG

11/25/15 2:37:38.916 PM kdc[108]: DSUpdateLoginStatus: Unable to synchronize login time for davidelkinbram: 77009

11/25/15 2:37:38.928 PM kdc[108]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96

11/25/15 2:37:38.928 PM kdc[108]: Requested flags: forwardable

11/25/15 2:37:38.937 PM kdc[108]: TGS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:54529 for host/pip.metroeast.org@LES.METROEAST.ORG [canonicalize, forwardable]

11/25/15 2:37:38.959 PM kdc[108]: TGS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:60502 for host/pip.metroeast.org@LES.METROEAST.ORG [forwardable]

11/25/15 2:37:38.980 PM kdc[108]: TGS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:51550 for ldap/pip.metroeast.org@LES.METROEAST.ORG [canonicalize, forwardable]

11/25/15 2:37:39.000 PM kdc[108]: TGS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:60575 for ldap/pip.metroeast.org@LES.METROEAST.ORG [forwardable]
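
Added example, not part of the thread or of any Apple tooling: a small Python parser for the `digest-service` and `kdc` lines quoted in the reply above, so the three captures can be compared per user. It pairs each `failed with N` line with the `user=` line that follows it from the same process; the sample lines are copied from the captures, and the function names are this sketch's own.

```python
import re
from collections import defaultdict

# Lines copied from the three captures quoted in the thread (one per outcome).
SAMPLE = r"""
11/25/15 2:19:41.403 PM digest-service[96515]: digest-request od: ok user=PIP\david proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
11/25/15 2:22:32.565 PM digest-service[96566]: digest-request: od failed with 2 proto=ntlmv2
11/25/15 2:22:32.565 PM digest-service[96566]: digest-request: user=PIP\metroeastserver
11/25/15 2:22:32.572 PM digest-service[96566]: digest-request kdc: ok user=PIP\metroeastserver proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
11/25/15 2:37:38.858 PM kdc[108]: ENC-TS pre-authentication succeeded -- davidelkinbram@LES.METROEAST.ORG
"""

PREFIX = re.compile(r"^\S+ \S+ [AP]M (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OK = re.compile(r"digest-request (?P<backend>od|kdc): ok user=(?P<user>\S+) proto=(?P<proto>\S+)")
FAIL = re.compile(r"digest-request: (?P<backend>od|kdc) failed with (?P<code>\d+) proto=(?P<proto>\S+)")
FAIL_USER = re.compile(r"digest-request: user=(?P<user>\S+)")
KRB_OK = re.compile(r"ENC-TS pre-authentication succeeded -- (?P<user>\S+)")


def auth_events(text):
    """Return one dict per authentication outcome found in the log text."""
    events, pending = [], {}  # pending: pid -> failure still waiting for its user= line
    for line in text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (ok := OK.search(msg)):
            events.append({"user": ok["user"], "path": f"{ok['proto']}/{ok['backend']}", "result": "ok"})
        elif (fail := FAIL.search(msg)):
            pending[pid] = fail  # the failure line itself carries no user name
        elif (who := FAIL_USER.search(msg)) and pid in pending:
            fail = pending.pop(pid)
            events.append({"user": who["user"], "path": f"{fail['proto']}/{fail['backend']}",
                           "result": f"failed({fail['code']})"})
        elif (krb := KRB_OK.search(msg)):
            events.append({"user": krb["user"], "path": "kerberos/enc-ts", "result": "ok"})
    return events


def summarize(events):
    """Group outcomes by user, preserving log order."""
    out = defaultdict(list)
    for e in events:
        out[e["user"]].append((e["path"], e["result"]))
    return dict(out)


if __name__ == "__main__":
    for user, steps in summarize(auth_events(SAMPLE)).items():
        print(user, steps)
```
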
