Leopard Clients cannot search a Shared Volume

Clients are 10.5.1, connecting to a Leopard server 10.5.1.
When the clients try to search for a file by contents or name, nothing is ever returned; it does not seem to try (no delay or spinner).
The results are the same if they click into the server first (to get the shared point name in the top of the search window) or if they open any other Finder window.
Searches of the local volume work perfectly.
File sharing is working as intended on all clients; they have read and write on the files in question.
It's just that all searches return no results.
Any ideas?

Your server may be hanging while creating the Spotlight index for the share point. Look in the console.log file (open Console on the server from the Utilities folder). If one of the mdworker processes is having trouble, you'll see Spotlight error messages. Also look in Activity Monitor (also in Utilities) on the server to see if any process that starts with md (like mds, mdworker, etc.) is using a significant portion of CPU time (20% or more, sustained).
It's possible that waiting will alleviate the problem, as Spotlight finishes the index. Or you may want to try this:
1. Create a new share point (preferably on a different server volume, if possible), and set all permissions and turn on Spotlight search while the new share point is empty.
2. Copy a few folders from the troublesome share point to the new one, and attempt searching from a client.
3. If this works, continue copying or moving items from the old share to the new one. If you encounter problems, the last items moved or copied were probably troublesome. If you don't have trouble, then continue moving/copying items until the original share point is empty (or contains the same contents). Later you can delete the original share if you're happy about the status of the new one.
And for VPN access to the server behind a NAT/PAT device (such as a DSL gateway), your server's firewall needs to accept any PPTP or L2TP and IKE data from the "any" network; then forward those ports from your gateway to the server's local address via Port Address Translation (PAT):
* Most gateways ("routers", "cable modems", etc.) refer to PAT by one of these names: Port Forwarding, NAT Pinholes, or Port Address Translation. Some devices hide these settings in the Advanced, Security, or Firewall settings.
* Let's say that your public IP address is 17.30.31.7 and that your server behind the NAT device is at 192.168.1.3. You want to forward incoming requests from 17.30.31.7 to 192.168.1.3 for the following TCP and UDP ports:
UDP Port 500 (IKE)
UDP Port 1701 (L2TP over UDP)
TCP Port 1723 (PPTP)
UDP 4500 (IKE NAT Traversal)
--Gerrit

Similar Messages

  • Problems with Spotlight searching of shared volumes

    According to: http://www.apple.com/macosx/features/300.html#spotlight, I should be able to "...search any connected Mac with Personal File Sharing enabled or a file server that’s sharing its files."
    It doesn't specify what "file server", so I presume it means Spotlight should be able to search any mounted shared volume (assuming, of course, that indexing has been enabled).
    I have a NAS device that I want to be able to search with Spotlight. According to mdutil, the volume is enabled for indexing, but I don't see any results when I search under "Shared" in Finder via Cmd+F. (I checked, and there's no .Spotlight folders on the volume.)
    From what I recall, under Tiger you could manually specify a network volume to index, but if you dismounted the volume, you'd have to re-enable indexing on next mount. This worked for other file systems (such as Fat32 & NTFS), as well as for HFS+ drives.
    According to mdutil in Leopard, the volume is still enabled for indexing even across dismounts. The NAS drive is not HFS+ formatted, but uses XFS.
    I've tried deleting the index, to no avail.
    Has anyone successfully used Spotlight to search mounted volumes on volumes not shared via another Mac?
    Am I missing something?

    You have not missed anything.... Leopard promises but does NOT deliver.
    I use an AFP server with Bonjour enabled. And NO NO NO Spotlight search is possible on this network volume...
    This is outrageous and FALSE information....
    Oh and - that Leopard is Sporting 300 new features is false info too.... Not even the "What is New in Leopard" says anything about 300 features.. But it sounds great doesn't it....

  • Finder search on shared volumes: Works on 10.7, not on 10.8

    In our office, we have a Mac Mini acting as a local server running OS X 10.8.3 with an external hard drive connected.  Each person in our office connects to the Mac Mini through an individual user account, so that we can control each user's access to the folders on the external hard drive.  Some users are on OS X Lion and others are on OS X Mountain Lion.
    All of our Lion computers are able to connect to the Mac Mini and do a Finder search for any items in the shared volume.  So a filename search for ".doc" on the "Shared" scope returns all Word documents on our Mac Mini server which they have permission to access.
    That same feature is not working properly for users connecting through Mountain Lion.  When a Mountain Lion user does the same search - filename containing ".doc" - no results are returned initially, however if they toggle the search scope back and forth (like from "Shared" to "This Mac") a few times, eventually some results show up on the Shared search.
    But with this issue, we can't be confident that the results listed by any search are complete or not.  Our business generates a lot of documents and audio files each day and the search function is a crucial part of our daily workflow.
    The Mac Mini server has recently been upgraded from Lion to Mountain Lion 10.8.3, and Mountain Lion users have just upgraded from 10.8.2 to 10.8.3, however the issue is still the same: users connecting with Lion 10.7.5 can search shared volumes properly, but users connecting with Mountain Lion 10.8.3 cannot.
    Is there a solution to this that doesn't require a downgrade to Lion?

    It sounds like you are using Spotlight.
    Spotlight Alternatives
    EasyFind – Spotlight Replacement
    Find Any File
    Information.
    Spotlight – 5 things You Never Knew
    Spotlight Basics
    Spotlight – Create Good Queries
    Spotlight FAQ
    Spotlight – Narrow Search Results

  • Clients cannot search new content on 10.6 server

    10.6.6 server
    10.5+  & 10.6+ clients connect via AFP to sharepoints
    Clients complained that they cannot find files on server.
    I rebuilt all spotlight indexes on all clients macs and on all volumes on the server
    Clients were happy and were able to quickly search server....
    Approx. 4 days later clients complained again that they cannot find files on server.
    Asked manager for specifics and he found that only new files added to the server after the spotlight index rebuild cannot be found.
    Can someone help.
    Thank you.

    Yes - these permissions are needed for your share point (according to Apple Server Support):
    I hope this helps you..pgonzalez
    here are the recommended permissions for the new share at the root level of the volume:
    ACL:
    <Spotlight> Allow Custom (ghosted)
    <yourgroupname> Allow Read & Write
    <Everyone> Deny Read
    POSIX:
    root  Read & Write
    admin  Read & Write
    Others  Read only

  • Outlook 2003 clients cannot connect to shared diaries on Exchange 2010

    Having recently upgraded to Exchange 2010 from 2003, I am now receiving calls from users regarding the above.
    I am due to move to Office 2013 later this year but there are some third party app incompatibilities I need to get resolved first.
    So I came across the following article
    https://support.microsoft.com/en-us/kb/2299468?wa=wsignin1.0
    and have changed the default RCAMaxConcurrency from 20 to a very high value of 214783647 and have restarted the Throttling services.
    However, my Outlook 2003 users are still having issues when they have less than 16 calendars open.
    I have run Get-ThrottlingPolicy to confirm my changes, which are correct.
    As another approach, I have got users to run the /resetnavpane switch when launching Outlook to clear down any orphaned references.
    Can anyone suggest what else I could try?

    Hi,
    As per the information and details provided by you, to solve this issue, please follow these steps:
    To resolve this problem, create a custom throttling policy by using an increased value for RCAMaxConcurrency. Then, associate this custom throttling policy to the mailboxes that require Outlook 2003 clients to open multiple shared calendars.
    After you make this change, wait for the Active Directory replication to finish. By default, the throttling policy should be applied after 15 minutes. To apply it immediately, restart the Microsoft Exchange RPC Client Access service on the Client Access Server (CAS).
    Note: An RCAMaxConcurrency value of 100 is sufficient in typical cases in which Outlook 2003 has to open 29 shared calendars. This value may have to be increased, depending on which Outlook add-ins are installed.
    Important: The original release of Exchange Server 2010 allows a maximum parameter value for RCAMaxConcurrency of 100. Exchange Server 2010 Service Pack 1 increases the maximum value for RCAMaxConcurrency to 2147483647.
    I hope this information will be helpful for you.
    Thanks and regards
    Shweta@G 

  • Mac OS 9 client cannot find files using Sherlock on 10.4.9 Server

    Hi folks,
    the subject says everything. The client simply returns immediately with "Search produced no results". Any idea?

    Yup he's correct somewhere in 10.4 Server they broke it (Spotlight is way different than the old ways). If your clients can upgrade to OS X and use Classic 9.2.2 to run their OS 9 Application I highly recommend you do so. Apple support for Pure OS 9 clients is running thin as seen with the latest problems with AFP under 10.4.9. You can expect for things to get worse from here I suspect. They may cave to keeping some basic File sharing in place but search and other functions that the server provided to Pure OS 9 clients will be gone. I also would not be surprised if all Classic support dies out after 10.5. We have all had some time now to road map to OS X and I am keenly aware of the costs of upgrading. I have only one unit still running Pure OS 9 because of an old Application that needs an ADB dongle attached. Beyond that all other users use Classic 9.2.2 and can run the few applications still used.
    If you're feeling geeky you could write a simple Web page with a Search field that can search the shared volumes. You can host it on the OS X Server and provide for login for security or only allow IP range into the page. I was going to do this about 6 months ago to support the 2 other users I had on OS 9 but decided to bite the bullet and go to X with them.

  • Snow Leopard Finder's Get Info fails to show Owner and Group for some files or folders which reside on a Shared Volume, hosted by G5 Server w/ OS 10.4 - why?

    Frustrations with file permissions abound, as certain co workers are unable to manually determine their level of permission or who to ask to make changes to files and folders belonging to others. Users of Snow Leopard desktop OS get unhelpful feedback via Finder's Get Info, seeing only the permissions listed for "Everyone" and a statement that "You have custom access".  The custom message exists, presumably, because ACL's are employed on the shared volume in an attempt to give managerial control over these volumes to specific users, even if all users can create files and folders on those volumes.
    Shared volumes are partitions of an external RAID which are set up as sharepoints on a G5 tower running Server 10.4.  Other persons in the office, using machines that are running desktop OS 10.5, can correctly see the assigned Owner and Group permissions (although the "custom access" still shows).  This at least lets the 10.5 user know who created a given file or folder, so that they can resolve permissions-restricted issues if they come up (i.e. User A wants to delete file X, but as it was created by User B, A must contact B and have them delete it.  In 10.6 it appears that A cannot determine who B is).
    I know that ACL's are functioning (enabled on the drive) since we have been making use of ACL-granted write privileges for quite a while (and the custom access seems to be evidence too).
    An error I encountered, pertaining to this, is that I used a 10.6 machine to create a working folder, then generated and saved several files in this location.  Expected permissions thus would be Owner = me (i.e. the user I was logged in as), R/W, Group = staff, R only, Everyone = R only.  However, immediately the permissions shown in Finder / Get Info consisted only of Everyone = R only, with no entry for Owner or Group.  Moreover, clicking + to add either an Owner or a Group resulted in error message that I had entered an invalid user or group, even though I typed in correct info (such as trying to add "staff" as a group).

  • Searching for shared files over a server network using a client computer

    I think spotlight can only be used to search for files on a local computer. Is there a way to search for shared files on a server from a logged in client computer?

    It should work on shared HFS volumes. You would have to start the search from the Finder, not from the Spotlight menu.

  • Cannot login to network account (leopard client and server)

    Up until now, I have used local accounts on my leopard server. I want to start experimenting with OD prior to implementing. I created a new user account in the /LDAPv3/127.0.0.1 domain, and have bound my leopard client to the server using directory utility. On the login screen, "Network Accounts Available" has a green button to the left of it. When I try and login to the server account, the login window just shakes. At first, I could enter the password and then it would prompt me for a new password. Trying to enter a new password would not allow me to login. I went back to server admin and disabled the "require new password" setting, (as well as the other good security policies)...
    I have also reset the password in WGM, and made sure to disable all the security stuff there too...
    Lastly, I have deleted the server in directory utility, rebooted, then added it back in, and rebooted again...
    I still cannot login to the server account, the login screen just shakes
    Does anyone have an idea of what settings and or logs I can check to try and narrow down what is going on?
    Thanks in advance....

    to close out the thread, I have working dns on my network, but I did not have dns enabled on my server. I enabled the dns service and entered just the info for my server, then assigned my server and client to use the server's ip addy as the primary dns server. Next, I created the home directory.
    Once both steps were done, I was able to log in from my client to my server based account...
    FYI-I found a document on afp548.com called "leopard server: advanced setup, rsync backup and automated reporting" that walks you right thru the process...Here is the link, it's a very useful doc....
    http://www.afp548.com/filemgmt_data/files/Leopard%20Server%20Quickstart%20Guide.pdf
    thanks again boomboom_uk and woVi, your suggestions were spot on....

  • Why will spotlight only search my HD and not shared volumes?

    spotlight gives me the choice to search shared volumes but will not produce any find results.
    This is really causing us production issues.
    Thanks for any help

    You can keep Spotlight from indexing a volume altogether by placing the Volume in the Privacy section of the Spotlight system preference. You would do this for instance, for your Backup volume, because otherwise Spotlight would find duplicates of all your data. Is it possible this is the case?
    I have seen where the solution is to add the volume to privacy, to not index and then remove. This seems to make spotlight index the volume. If that does not work, here is an article that details how to manually have spotlight manually index an external drive:
    http://forum.multiplexapp.com/comments.php?DiscussionID=17
    Notice the caveat in the article
    There are some potential drawbacks to indexing network drives, especially those with large amounts of storage. First, if your drive holds tens or hundreds of thousands of files, indexing can be slow and tedious to the OS, and may affect your operating system's performance.
    Might be wise to index during off hours.
    Cheers
    Michael

  • Search shared Volumes by default???

    is it possible to include shared volumes in search by default instead of clicking it every time.
    or use shortcuts? cmdaltspace opens spotlight... then ??? to show shared volumes???
    thx

    Thanks once more BD. I seem to recall on my much mourned PB3400 having a wee app that suppressed Sherlock2—the Spotlight of its day—in OS8.5 and restored the old FindFile to Command-F. I kept reinstalling it all the way to 9.2. If only they had kept it up; it seems Apple's determination that the new and imperfect shall sweep away the old that 'just works' will perpetually provide development opportunities like this.
    I'll give Ukelele a bash, but I tend to tone-deafness.
    Message was edited by: Ed Hanna

  • Urgent: Cannot see shared volumes while installing Clusterware

    I have made 4 extended logical drives from EMC shared storage to be visible from my two nodes on 64bit windows 2003 server. During Clusterware installation while selecting the disks for OCR and Voting file, I cannot see the raw shared volumes.
    The following is the output of cluvfy utility for component shared storage accessibility,
    # runcluvfy.exe comp ssa -n node1,node2
    Verifying shared storage accessibility
    Checking shared storage accessibility...
    Shared storage check failed on nodes "node2,node1".
    Verification of shared storage accessibility was unsuccessful on all the nodes.
    I also get an "exectask.exe encountered a problem and needed to close" message as well.

    The issue is resolved. I formatted the shared disks with NTFS file system. Then deleted the partition and recreated extended logical volumes and now the shared storage is accessible from the clusterware installation for the selection of ocr and voting files.
    Thanks anyways.

  • Cannot connect to iChat Server from Leopard Client

    I just installed Leopard Server fresh and did all of the software updates. I let Directory Utility configure my Leopard client machine to setup all of the accounts. When I try to connect with iChat, I get the following prompt:
    *Please type your Kerberos password for patrick@LKDC:SHA1.48E73...0D0.*
    I enter my password on the server, and I then get:
    *Kerberos Login Failed:*
    Cannot resolve network address for KDC in requested realm.
    My co-worker has a similar problem, but it instead asks him to type in the Kerberos password for "[email protected]". It also fails for him.
    Keep in mind this is a freshly-installed Leopard Server set for basic usage. I'm literally shocked that it doesn't *just work*. I'm even more shocked that nothing I seem to try actually has any result on fixing it.
    What am I doing wrong? (Or rather, what is Leopard Server doing wrong, since all I did was follow the instructions to install this thing.)
    Thanks,
    Patrick

    Yes, the problem turned out to be that when I initially installed Leopard, the IP address I was using didn't have a reverse DNS entry. Leopard should really provide a WARNING when this is the case, as it causes so many problems across the board, and I've read so many other users having other problems because their DNS was not set up properly. Since there is no easy way to remedy this once it's installed, it's even more pertinent that an administrator be notified at the time of installation that this is the case. I fixed my DNS issue and reinstalled Leopard Server, and that solved the problem. (And yes, I will file a bug report with Apple.)

  • TS2570 Hi, MacBook Pro & Snow Leopard- startup probs. I have tried repairing with the disk utility, resetting PRAM, booting in safe mode, and finally trying to get to archive&install the o/s, but it cannot find the destination volume. IsAn erase the only

    (10.6.8 Intel core duo 2009)
    Hi,
    I have a grey screen and grey rotating wheel startup probs. I have tried repairing with the disk utility, resetting PRAM, booting in safe mode (which gave a subset of the errors that 'disk repair' did- namely- 'invalid sibling link,invalid record count, invalid node structure, invalid key length)  and finally trying to get to archive&install the o/s, but it cannot find the destination volume. Is an erase the only option? PS I have backed up most files individually, but my daughter did not back up any from her user account. Any help would be appreciated. J

    Gray, Blue or White screen at boot, w/spinner/progress bar
    Why is my computer slow?
    ..Step by Step to fix your Mac
    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

  • Leopard Clients take a Long Time to Login (roughly 1~2 minutes)

    Hello all,
    I've spent the last few weeks scouring these groups and the net and searching and searching for someone with a similar problem to my own, but have come up pretty much empty handed and so now turn to here to see if anyone else has had this issue or can at least point me where to look to resolve the problem.
    I've got a clean install of a XServe running Leopard server 10.5.2 with OD, AFP services and User home folders configured and fully working.
    The problem:
    Clean install of Tiger client logs into the server (OD binded) perfectly. Takes maybe 15 seconds tops for the client to log in and show all the AFP mounts and client settings and user's desktop and files, etc.
    However, a fresh Leopard client install (OD binded) takes roughly 1~2 minutes to do the exact same thing.
    I've gone through any log file I can find on server and client side, checked my DNS running on this xserve, created new users without "home" folders, and searched just about everywhere for an answer to this issue and am still empty handed.
    This is not a show stopper issue, but there is something definitely not normal about what is happening with Leopard client logins.
    I'm trying to explain this as best as I can without making a wall of text, but I'm sure I'll forget something, so please ask questions if you have them.
    Things I'm seeing in the logs during the time of the login happening are:
    Server-side Logs:
    - Kerberos Server Log -
    Apr 14 11:27:39 ns1.mydomain.com krb5kdc[167](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.9.14: ISSUE: authtime 1208190459, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/ns1.mydomain.com@NS1. MYDOMAIN.COM
    Apr 14 11:28:46 ns1.mydomain.com krb5kdc[167](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.1.205: NEEDED_PREAUTH: CRC0002$@NS1. MYDOMAIN.COM for krbtgt/NS1. MYDOMAIN.COM@NS1. MYDOMAIN.COM, Additional pre-authentication required
    - Password Service Server Log -
    Apr 14 2008 11:43:03 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} is in good standing.
    Apr 14 2008 11:43:03 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} authentication succeeded.
    Apr 14 2008 11:43:04 RSAVALIDATE: success.
    Apr 14 2008 11:43:04 AUTH2: {0x47c721234c9608250000000700000007, myusername} DIGEST-MD5 authentication succeeded.
    Apr 14 2008 11:43:04 RSAVALIDATE: success.
    Apr 14 2008 11:43:04 AUTH2: {0x47c721234c9608250000000700000007, myusername} DHX authentication succeeded.
    Apr 14 2008 11:43:04 KERBEROS-LOGIN-CHECK: user {0x47c721234c9608250000000700000007, myusername} is in good standing.
    Apr 14 2008 11:43:04 KERBEROS-LOGIN-CHECK: user {0x47c721234c9608250000000700000007, myusername} authentication succeeded.
    Apr 14 2008 11:43:05 RSAVALIDATE: success.
    Apr 14 2008 11:43:05 AUTH2: {0x47c721234c9608250000000700000007, myusername} DHX authentication succeeded.
    Apr 14 2008 11:43:06 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} is in good standing.
    Apr 14 2008 11:43:06 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} authentication succeeded.
    Apr 14 2008 11:43:06 KERBEROS-LOGIN-CHECK: user {0x47c721234c9608250000000700000007, myusername} is in good standing.
    Apr 14 2008 11:43:06 KERBEROS-LOGIN-CHECK: user {0x47c721234c9608250000000700000007, myusername} authentication succeeded.
    Apr 14 2008 11:45:26 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} is in good standing.
    Apr 14 2008 11:45:26 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} authentication succeeded.
    Client Side Logs:
    - All Messages -
    4/14/08 10:09:12 AM loginwindow[9868] Login Window Started Security Agent
    4/14/08 10:15:01 AM loginwindow[9868] Login Window - Returned from Security Agent
    - Console Messages -
    4/14/08 10:15:03 AM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[9880]) Exited: Terminated
    - SingleSignOnTools.log -
    kdcmond cannot retreive the computer's local Hostname , retrying ..
    Kerberos configuration is up to date
    Kerberos configuration is up to date
    Kerberos configuration is up to date
    Kerberos configuration is up to date
    .. and so on
    All other logs don't appear to show anything of importance in between the time frame of Login window started and login window exited.
    I'd like to know what exactly the client workstation is doing during this time with the server, but it looks like it just hangs and does nothing since nothing shows up in the logs that I can find during this time period where the client hangs. Maybe I can try an Ethereal trace to see what traffic is being sent back and forth during this timeframe. I don't know if this is a configuration issue on my part or a OD / AFP bug on Apple's part since Tiger clients connect perfectly.
    Logouts happen immediately, so no problems there on that end. And everything else with the system is working flawlessly (besides the OD Crashing issue which I'm sure everyone is well aware of right now with 10.5.2).
    Thank you to anyone that can assist in shedding some light on this issue and I apologize if I didn't provide enough information.
    -Jessee

    FOUND IT!!! Well for our install anyway. The culprit was AUTH2.
    In our case computers would (randomly) have the same ..SLOW.. symptoms as your original post described, and the 'Apple Password Server log' on our server showed the same log entries.
    It turned out that Single-Sign-On was being screwed up by two Authentication Authorities as applied in the LDAP (Computer and User) Attributes,
    and showed up in the log as competing authentications from KERBEROS-LOGIN-CHECK and AUTH2. as follows:
    Apr 30 2008 16:22:17 RSAVALIDATE: success.
    Apr 30 2008 16:22:17 AUTH2: {0x4818c423083a8ddd0000000a0000000a, user} DIGEST-MD5 authentication succeeded.
    Apr 30 2008 16:22:17 RSAVALIDATE: success.
    Apr 30 2008 16:22:17 AUTH2: {0x4818c423083a8ddd0000000a0000000a, user} DHX authentication succeeded.
    Apr 30 2008 16:22:17 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} is in good standing.
    Apr 30 2008 16:22:17 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} authentication succeeded.
    Apr 30 2008 16:22:18 RSAVALIDATE: success.
    Apr 30 2008 16:22:18 AUTH2: {0x4818c423083a8ddd0000000a0000000a, user} DHX authentication succeeded.
    Now, all the entries in our log (for remote logins) show:
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} is in good standing.
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} authentication succeeded.
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} is in good standing.
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} authentication succeeded.
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} is in good standing.
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} authentication succeeded.
    i.e...Single-Sign-On and they're FAST.
    no more AUTH2 entries overlapping with KERBEROS.
    (local Authentications still show AUTH2 when using WGM)
    The solution was pretty straightforward, but only applies if the system is using Single-Sign-On with AFP shared home folders and the Authentication for AFP is set to Kerberos.
    Delete ;ApplePasswordServer entries from all user/computer combinations that are having problems.
    I actually deleted it from all users and Computers. (Except the Server Computer and Directory Administrator that uses WGM. When I tested these, WGM would not authenticate Diradmin)
    It can be done in the GUI from the inspector tab in WGM
    find the attribute
    dsAttrTypeStandard:AuthenticationAuthority
    click to open
    If there are two entries: ApplePasswordServer and Kerberosv5 then:
    Edit the ApplePasswordServer entry. (You can copy the text into an editor and save it for future use if needed; all entries are the same for all computers and users, so you only need 1 copy, and you can paste it back into a new entry to put it back, if needed, maybe for older systems; mine are all Leopard.)
    Now delete, OK, and Save the changes
    After it's done, check the logs again to make sure that all remote logons now show
    KERBEROS-LOGIN-CHECK:
    and they should be FAST.
    Hope this helps
    Steve
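
The overlap described in the reply above, AUTH2 successes logged next to KERBEROS-LOGIN-CHECK successes for the same account, can be checked for across a whole Password Service log. This is an added example, not code from the thread: the sample lines, slot IDs and account names are constructed in the log format quoted above, and the 5-second window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the account-bearing lines of the Password Service log format quoted
# in the thread. RSAVALIDATE lines carry no account and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<source>AUTH2|KERBEROS-LOGIN-CHECK): (?:user )?"
    r"\{(?P<slot>0x[0-9a-fA-F]+), (?P<name>[^}]+)\} "
    r"(?P<msg>.*)$"
)

# Constructed sample input (slot IDs and names are made up for illustration).
SAMPLE_LOG = """\
Apr 30 2008 16:22:17 RSAVALIDATE: success.
Apr 30 2008 16:22:17 AUTH2: {0x00000000000000000000000000000a01, alice} DIGEST-MD5 authentication succeeded.
Apr 30 2008 16:22:17 RSAVALIDATE: success.
Apr 30 2008 16:22:17 AUTH2: {0x00000000000000000000000000000a01, alice} DHX authentication succeeded.
Apr 30 2008 16:22:17 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000a01, alice} is in good standing.
Apr 30 2008 16:22:17 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000a01, alice} authentication succeeded.
May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000b02, bob} is in good standing.
May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000b02, bob} authentication succeeded.
May 2 2008 10:35:40 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000c03, LAB01$} authentication succeeded.
May 2 2008 11:02:10 AUTH2: {0x00000000000000000000000000000d04, carol} DHX authentication succeeded.
May 2 2008 14:00:00 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000d04, carol} authentication succeeded.
"""


def parse_line(line):
    """Return (time, source, slot, name, message), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return ts, m["source"], m["slot"], m["name"], m["msg"]


def find_overlapping_auth(lines, window_seconds=5):
    """Report accounts whose AUTH2 success falls within window_seconds of a
    KERBEROS-LOGIN-CHECK success for the same slot ID."""
    window = timedelta(seconds=window_seconds)
    auth2 = defaultdict(list)     # slot -> [(time, mechanism)]
    kerberos = defaultdict(list)  # slot -> [time]
    names = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, source, slot, name, msg = parsed
        # "is in good standing." is a status line, not an authentication.
        if not msg.endswith("authentication succeeded."):
            continue
        names[slot] = name
        if source == "AUTH2":
            auth2[slot].append((ts, msg.split()[0]))  # e.g. DHX, DIGEST-MD5
        else:
            kerberos[slot].append(ts)

    findings = []
    for slot in sorted(auth2):
        hits = [
            (ts, mech)
            for ts, mech in auth2[slot]
            if any(abs(ts - k) <= window for k in kerberos.get(slot, []))
        ]
        if hits:
            findings.append({
                "slot": slot,
                "name": names[slot],
                "first_seen": min(ts for ts, _ in hits),
                "mechanisms": sorted({mech for _, mech in hits}),
            })
    return findings


if __name__ == "__main__":
    for f in find_overlapping_auth(SAMPLE_LOG.splitlines()):
        print(f"{f['name']} ({f['slot']}): AUTH2 via {', '.join(f['mechanisms'])} "
              f"overlaps Kerberos at {f['first_seen']}")
```

An account that shows AUTH2 alone, or AUTH2 hours apart from its Kerberos entries, is not reported, which matches the reply's note that local authentications through WGM still log AUTH2.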
