I JUST can’t get it to work (file sharing through Open Directory)
October 6, 2008 at 4:41 pm #374380
MDLarson
Participant
Here’s the specs:
Mac OS X Server 10.5.5
Running Services: AFP, DNS, iCal, iChat, Open Directory, SMB, Web
I believe my DNS is set up correctly; the server is acting as an Open Directory Master, and the domain name is smpl-xserve.private. Kerberos realm is SMPL-XSERVE.PRIVATE. I’ve even successfully added the server’s IP address to a client’s DNS Server field in the Network preference pane, and added smpl-xserve.private in the Directory Utility app (also on the client).
But, even though I am sure I have the usernames and passwords correct, I simply cannot authenticate to the server. The guest access does work, which proves that the share is being hosted correctly, but I am tempted to ditch the Open Directory approach and just use local user accounts to authenticate (we are just a small business so it wouldn’t be that bad… I am just trying to do things the right way).
Any tips would be much appreciated!
October 17, 2008 at 11:44 am #374475
gw1500se
Participant
The first thing to do is start looking at logs. What shows up in the kdc and password server logs when you try to authenticate? Are there any errors showing up in the password server error log?
October 23, 2008 at 2:22 pm #374533
MDLarson
Participant
Hello and thanks for the tips; you’re right in looking at the logs first!
I couldn’t find a “kdc” log, but here’s the results of a login I just attempted where I am positive I’m entering in the correct password…
AFP > Access Log
“The selected log file does not exist”
Open Directory > Kerberos Server Log
Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](debug): handling authdata
Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](debug): handling authdata
Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](debug): .. .. ok
Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](debug): .. .. ok
Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, [email protected] for afpserver/[email protected]
Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, [email protected] for afpserver/[email protected]
Open Directory > Password Service Server Log
Oct 23 2008 09:08:55 KERBEROS-LOGIN-CHECK: user {0x48c83b7837f326720000000600000006, mdlarson} is in good standing.
Oct 23 2008 09:08:55 KERBEROS-LOGIN-CHECK: user {0x48c83b7837f326720000000600000006, mdlarson} authentication succeeded.
Oct 23 2008 09:08:57 AUTH2: {0x48c83b7873f236720000000600000006, mdlarson} DIGEST-MD5 authentication succeeded.
Open Directory > LDAP Log
Oct 23 09:08:55 smpl-xserve slapd[40]: <= bdb_substring_candidates: (authAuthority) index_param failed (18)
The only thing that looks suspicious to me is that the AFP log doesn't exist. 😛
-Matt
November 25, 2008 at 6:04 pm #374868
MDLarson
Participant
I figured it out!
After poking around some, I found the offending settings here:
Server Admin > (select the server on the left) > Settings > Access > Services
For some unknown reason my services were set up as follows:
AFP “Allow only users and groups below:” 533997AA-89C4-4CD9-AB2B-06603B00D5D4
Blog “Allow all users and groups”
FTP “Allow all users and groups”
iCal “Allow only users and groups below:” 533997AA-89C4-4CD9-AB2B-06603B00D5D4
iChat “Allow only users and groups below:” 533997AA-89C4-4CD9-AB2B-06603B00D5D4
Login Window “Allow all users and groups”
Mail “Allow only users and groups below:” (area was blank)
Podcast Producer “Allow all users and groups”
QuickTime Streaming “Allow all users and groups”
RADIUS “Allow all users and groups”
SMB “Allow only users and groups below:” 533997AA-89C4-4CD9-AB2B-06603B00D5D4
SSH “Allow all users and groups”
VPN “Allow only users and groups below:” (area was blank)
Xgrid “Allow all users and groups”
I switched AFP to “Allow all users and groups” and now I can log in via username / password flawlessly.
Dragging users into that list displays the real user name, so the big long code listed above looks out of place and buggy to me. I did switch the server from the simple setup to the advanced setup along my journey, so perhaps something got messed up there? I don’t know but now things are working right and I am happy again.
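
The thread's logs show tickets being issued while the login was still refused, which points at authorization (the service access list) rather than authentication. The sketch below is an added example, not code from any poster or from Apple; it triages krb5kdc lines in the format quoted above, and the sample log, principals and addresses are constructed placeholders.

```python
import re

# Constructed sample lines in the krb5kdc format quoted in the thread.
# Host, addresses and principals are placeholders, not values from the thread.
SAMPLE_KDC_LOG = """\
Oct 23 09:08:55 server.example.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.50: NEEDED_PREAUTH: alice@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE, Additional pre-authentication required
Oct 23 09:08:55 server.example.private krb5kdc[110](debug): handling authdata
Oct 23 09:08:55 server.example.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.50: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE
Oct 23 09:08:55 server.example.private krb5kdc[110](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.50: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.PRIVATE for afpserver/server.example.private@EXAMPLE.PRIVATE
Oct 23 09:08:55 server.example.private krb5kdc[110](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.50: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.PRIVATE for afpserver/server.example.private@EXAMPLE.PRIVATE
Oct 23 09:09:10 server.example.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.51: NEEDED_PREAUTH: bob@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE, Additional pre-authentication required
Oct 23 09:09:10 server.example.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.51: PREAUTH_FAILED: bob@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE, Decrypt integrity check failed
"""

LINE = re.compile(
    r"(AS_REQ|TGS_REQ) \(.*?\) (\S+): (\w+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(\S+) for (\S+?)(?:,|$)"
)

def triage(log_text):
    """Return {client: {"verdict": str, "services": [ticketed service principals]}}."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # debug lines such as "handling authdata"
        req, _addr, status, client, service = m.groups()
        rec = seen.setdefault(client, {"tgt": False, "failed": False, "services": []})
        if status == "ISSUE" and req == "AS_REQ":
            rec["tgt"] = True  # password accepted, TGT granted
        elif status == "ISSUE" and service not in rec["services"]:
            rec["services"].append(service)  # service ticket granted (deduplicated)
        elif status == "PREAUTH_FAILED":
            rec["failed"] = True
        # NEEDED_PREAUTH is the normal first leg of a login, not an error.
    result = {}
    for client, rec in seen.items():
        if rec["services"]:
            verdict = "authenticated; check service access settings"
        elif rec["tgt"]:
            verdict = "authenticated; no service ticket requested"
        elif rec["failed"]:
            verdict = "authentication failed"
        else:
            verdict = "incomplete exchange"
        result[client] = {"verdict": verdict, "services": rec["services"]}
    return result

print(triage(SAMPLE_KDC_LOG))
```

A client that holds an afpserver ticket but still cannot mount the share is the case resolved above under Server Admin > Settings > Access > Services.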