AFP doesn't play nice with Kerberos...

I'd prefer any open ideas before blowing away the OD master and redoing all the accounts....
If I leave the AFP Authentication type to "Any", network accounts can log in to any computer (and with network or portable home directories). If set to Kerberos, we get the "User account is located on a AFP/SMB share...."
If logged in, when attempting to connect by AFP, the "Standard" authentication appears. At this point, if I set the AFP access type back to "Kerberos" (which prevents users from logging in), they will get a -35 error as stated before (one or more required items cannot be found...blah blah). Interestingly, if we use the standalone Kerberos app (System/Library/Core Services/Kerberos) to get a Kerberos TGT, we can then connect to AFP shares using Kerberos authentication. So, it seems as if Kerberos is having problems getting connections started.
So, for now, it seems as if I have to rely on AFP access via the non-kerberized ("Standard") method, which definitely reduces our security. But, at least people can login to network machines.
So, in the end, Kerberos doesn't really know what is going on...it seems like it's pretty confused.
kdc.log
Jul 01 09:07:56 myserver.mydomain.com krb5kdc[268](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.10.147: UNKNOWN_SERVER: authtime 1151759266, [email protected] for krbtgt/[email protected], Server not found in Kerberos database
Jul 01 09:07:56 myserver.mydomain.com krb5kdc[268](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.10.147: UNKNOWN_SERVER: authtime 1151759266, [email protected] for krbtgt/[email protected], Server not found in Kerberos database
ldap log
Jul 1 09:06:04 myserver slapd[90]: <= bdbequalitycandidates: (apple-computers) index_param failed (18)\n
Jul 1 09:06:35 myserver slapd[90]: SASL [conn=137] Failure: no user in database\n
system.log
Jul 1 09:05:50 myserver servermgrd: AFPDefines Start AFP Server request\n
Jul 1 09:05:50 myserver configd[92]: executing /usr/sbin/AppleFileServer
Jul 1 09:07:40 myserver /usr/sbin/PasswordService: client response doesn't match what we generated
Many different systems...   Mac OS X (10.4.7)  

Yes, you're on track with the quickest way to solve this problem: Recreate your Open Directory Master. However, you can save all of the data stored in the database, except for user passwords, if you use Workgroup Manager's File > Export command to save your users, groups, and computer lists. Even MCX records for same are preserved.
(Exporting from Workgroup Manager is not the same as doing a directory backup and restore via Server Admin. Doing a restore would likely not solve your problem.)
On to the specifics: I'm guessing that you created the Open Directory Master when your server was using Mac OS X Server 10.4.5 or earlier. Before version 10.4.6, Kerberization was a hit-and-miss procedure: sometimes it would work and sometimes it would not, even when the server's hostname was properly set and a DNS record existed for that name. The problem resides in a hostname resolution issue, but it's one that is most easily fixed by updating to Mac OS X Server 10.4.6 or 10.4.7 and recreating your Open Directory Master. In Mac OS X Server 10.4.6, Apple introduced a better way for the server's hostname to be set.
In versions 10.4 through 10.4.5, you'd have to make the following changes before promoting your server to Open Directory Master: edit /etc/hostconfig and change HOSTNAME=-AUTOMATIC- to the server's host name, ensure that the server had a valid DNS record for its hostname (via the server's DNS service or existing DNS service), and run the hostname (or equivalent) command to ensure that the hostname was really set. All of this was required to circumvent a system that Apple had put into place but that wasn't effectively working. With the HOSTNAME=-AUTOMATIC- entry in /etc/hostconfig, the server was supposed to set its hostname choosing the first of these that was true: doing a DHCP client ID search, doing a reverse DNS search from the primary Ethernet interface's IPv4 address, setting the hostname to the Bonjour name, then setting it to "localhost." Unfortunately, what always happened, unless the initial boot returned a different result, was the Bonjour name was returned as the hostname. (Some Apple literature calls the Bonjour name, which is a mDNS name, the "local hostname.") Thus, running hostname would always return the Bonjour name, which prevented Kerberos from starting, as Kerberos needs a valid DNS name for the server's hostname.
Starting with Mac OS X Server 10.4.6, Apple introduced a better way to do a reverse DNS lookup and set the hostname automatically at startup time. Thus, for 10.4.6 and later, /etc/hostconfig needs to have HOSTNAME=-AUTOMATIC-, and you need to ensure that the server is providing DNS services or that your existing DNS services have an entry for the server already.
You may find this article helpful: http://docs.info.apple.com/article.html?artnum=302044
It offers an additional suggestion of adding an entry for the server to /etc/hosts, should some problem with DNS arise. It also uses scutil --set to set the hostname; this command performs the equivalent of using the hostname command as I've suggested. In my testing since 10.4.6, I have had to recreate some Open Directory databases in order to get Kerberos working (or working again); however, usually the hostname is set properly after a restart automatically.
Just for reference, the "Standard" authentication for AFP uses Diffie-Hellman Exchange (DHX), which is an encrypted password transport.
--Gerrit
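
The hostname conditions described in the answer above, written as a check to run before promoting a server to Open Directory Master. This is an added example, not part of the original thread or of Apple's tooling; the function names and the `--live` switch are hypothetical, and the host names and address in the comments are constructed.

```shell
#!/bin/sh
# Added example: hostname sanity check before creating an Open Directory Master.
# Kerberos service principals are derived from the server's DNS name, so the
# name the host reports must be a real DNS name that reverse DNS agrees with.

# Normalise a name: lower-case it and drop a trailing root dot.
norm_name() {
    n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s' "${n%.}"
}

# Classify a hostname by the failure modes the answer lists.
# Prints one of: empty | localhost | bonjour | short | fqdn
classify_hostname() {
    name=$(norm_name "$1")
    case "$name" in
        '')                    echo empty ;;
        localhost|localhost.*) echo localhost ;;
        *.local)               echo bonjour ;;   # mDNS "local hostname"
        *.*)                   echo fqdn ;;
        *)                     echo short ;;
    esac
}

# Read /etc/hostconfig-style text on stdin and print the HOSTNAME= value.
# On 10.4.6 and later the answer expects this to be -AUTOMATIC-.
hostconfig_hostname() {
    sed -n 's/^HOSTNAME=//p' | head -n 1
}

# Compare the host's own name with the PTR name returned for its address.
# Prints a one-line verdict; returns 0 if usable for Kerberos, 1 otherwise.
kerberos_hostname_ok() {
    host_name=$1
    ptr_name=$2
    kind=$(classify_hostname "$host_name")
    if [ "$kind" != fqdn ]; then
        echo "FAIL: hostname '$host_name' is $kind, not a DNS name"
        return 1
    fi
    a=$(norm_name "$host_name")
    b=$(norm_name "$ptr_name")
    if [ -z "$b" ]; then
        echo "FAIL: no reverse DNS (PTR) record for the server's address"
        return 1
    fi
    if [ "$a" != "$b" ]; then
        echo "FAIL: hostname '$a' does not match reverse DNS '$b'"
        return 1
    fi
    echo "OK: '$a' agrees with reverse DNS"
}

# Live run on the server itself, e.g.:  sh check.sh --live 192.168.10.5
# (the address is the server's primary IPv4 address, supplied by the operator)
if [ "${1:-}" = "--live" ]; then
    ip=${2:-}
    ptr=$(host "$ip" 2>/dev/null |
          sed -n 's/.*domain name pointer //p' | head -n 1)
    echo "hostconfig HOSTNAME=$(hostconfig_hostname < /etc/hostconfig)"
    kerberos_hostname_ok "$(hostname)" "$ptr"
fi
```

A `bonjour` or `localhost` verdict corresponds to the pre-10.4.6 behaviour the answer describes, where `hostname` returned the Bonjour name.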
