AFP/Kerberos connection generates Error 32
March 4, 2006 at 4:41 am #365551
iwill
Participant
I’ve configured an OD master for managing groups and computers and have also bound this computer to Active Directory for User accounts. All the directory service pieces seem to work (can look up and log in using accounts in both OD and AD). When users try to connect to the server via AFP, after a longer than normal wait, an Error 32 is generated. I know this has to do with Kerberos because if I change the authentication method in Server Admin to just Standard rather than Any or Kerberos, the user is presented with a normal login window that works. Users are logged into the computer using AD accounts, and I verified that they have a valid ticket and that time is synced appropriately. Additionally, SSO for Windows users works correctly (e.g. they can connect to the server and aren’t prompted to authenticate). Does anybody know how to fix this?
April 4, 2006 at 1:16 pm #365888
boardski
Participant
I’ve just noticed the same thing on one of my OS X Servers that is bound to AD.
The server is not running OD at all and there is no OD on the network; it’s simply bound to Active Directory. I also get no problems with SMB or if I set authentication to standard.
Running the id command from terminal gives out the correct AD user information and the open directory button in Server Admin shows the machine bound to the AD.
The machine is running 10.4.5
May 1, 2006 at 6:39 pm #366078
jramos
Participant
I have the same issue and have already issued a dsconfigad -enablesso, but it still fails on AFP.
May 10, 2006 at 6:21 pm #366143
Anonymous
Guest
I’m having the exact same problem. I am getting a Connection Failed 32 when Kerberos is selected for the authentication of AFP on the server.
May 17, 2006 at 5:08 pm #366204
Anonymous
Guest
I too am having the same problem, but it is not with all the AD users; a few work OK.
July 14, 2006 at 7:51 am #366611
thirdpig
Participant
I “solved” this at a client site recently. It’s an OS X 10.4.6 server bound to an AD domain, with access to shares managed by ACLs (one AD group has full control access; no Open Directory accounts). It’s a very simple setup for 10 designers in a PC corporate environment.
The problem was only with a few users. I compared the security groups in AD that these users were members of to users in AD that did not get this error and found one security group was the problem. Luckily they didn’t need to be a member of the group, so their accounts could be removed from it. SSO worked fine for these users. The Windows admin doesn’t understand why this particular group is causing problems, and only for AFP access to the OS X server.
Not sure if it’s the OS X server that is to blame or not. In any case, one thing I’ve noticed is that on the OS X Server, running “kinit (user_name)” always prompts me for a password, which Mactroll’s guide says should NOT happen.
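The group comparison described in the post above, as an added example that is not part of the original thread: it ranks AD groups that no working user belongs to by how many Error 32 users hold them. All user names, group names and memberships are constructed sample data, and the function names are hypothetical; real memberships would have to be exported from AD separately.

```python
"""Added example: isolate AD groups that only Error 32 users belong to."""

# Constructed sample data: user -> AD security groups (all names hypothetical).
MEMBERSHIPS = {
    "alice": {"Domain Users", "Designers", "Legacy Apps"},
    "bob": {"Domain Users", "Designers", "Legacy Apps", "VPN Users"},
    "carol": {"Domain Users", "Designers"},
    "dave": {"Domain Users", "Designers", "Print Ops"},
}
FAILING = ["alice", "bob"]   # get Error 32 over AFP with Kerberos enabled
WORKING = ["carol", "dave"]  # connect normally with Kerberos enabled


def suspect_groups(memberships, failing, working):
    """Rank groups held by no working user by how many failing users hold them."""
    if not failing:
        raise ValueError("need at least one failing user")
    missing = [u for u in list(failing) + list(working) if u not in memberships]
    if missing:
        raise KeyError("no membership data for: " + ", ".join(missing))
    # Any group a working user holds cannot by itself explain the failure.
    cleared = set().union(*(memberships[u] for u in working))
    counts = {}
    for user in failing:
        for group in memberships[user] - cleared:
            counts[group] = counts.get(group, 0) + 1
    # Most widely shared among failing users first, then alphabetical.
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def common_suspects(memberships, failing, working):
    """Groups held by every failing user and by no working user."""
    ranked = suspect_groups(memberships, failing, working)
    return [group for group, hits in ranked if hits == len(failing)]


if __name__ == "__main__":
    for group, hits in suspect_groups(MEMBERSHIPS, FAILING, WORKING):
        print(f"{group}: held by {hits} of {len(FAILING)} failing users")
    print("Held by all failing users:",
          common_suspects(MEMBERSHIPS, FAILING, WORKING))
```

A group that tops this list is only a candidate; removing one affected user from it and retesting AFP, as the poster did, is what confirms it.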
February 19, 2007 at 4:56 pm #368346
zero
Participant
So what are the characteristics of the accounts with the bad security group? What should I be looking for in AD that would distinguish these problem security groups?
Server appears to have bound properly and I can get Kerb tickets locally.
I can AFP to the server without a Kerb ticket but get the error 32 with a ticket. I can SSH to the server. I can’t use SMB from the Mac with or without a Kerb ticket and can’t connect from a Windows machine, bound to AD.
Marc
May 2, 2007 at 2:09 pm #368904
xsquared_uk
Participant
Hmm, we’re having this issue too after a server rebuild. Users can login and connect fine, then after they’ve been working for a while, accessing the network shares with no problems, all of a sudden it’ll beachball when they try to save and it’ll say ‘Connection Failed 32’ or words of that nature. If I look in AFP, often they have multiple connections listed, and they all say ‘Disabled/Asleep’. If I disconnect those, it kicks them off the share and if they try to reconnect it just hangs. If I do nothing, it just hangs. I could turn off Kerberos, but then of course we lose the benefits of it. Anyone got any ideas?
August 30, 2008 at 10:32 pm #373952
chiplab
Participant
I’m having a similar problem, except changing the AFP authentication settings offers no solution. The problem just cropped up yesterday.
I’m running Server 10.4.11.
Briefly, the symptoms I’m seeing are:
Error 32 when attempting to log onto AFP
Users who attempt to connect to AFP can be seen as disabled/asleep in the connections window, with multiple connections listed per user
Has anyone made any headway with solving this?