Kerberos local DC problem when using screen sharing

Hi,
this is a brand new Mac Mini server with preinstalled ML and Server.app 2.2.1.
I started the following services: DNS (automatic), OpenDirectory, Sharing, Web and Mail. One additional user and that was it.
After this configuration session, Kerberos seems to be in a non-operable state. See the information below. I can log in locally, can access a share (similar LKDC related error message as below), mail and screen share. But screen share takes ages to start and gives some nasty error messages.
I have almost no knowledge of Kerberos and could use any help to fix up the Kerberos configuration, preferably without reinstalling.
If there is anything else you need to see about the server configuration, please ask.
Turning OD off and on again did not change anything. Keeping it off removes the error (obviously) but I think this will not be good for server operations.
Regards, Andreas
Problem statement: accessing the server from a ML client gives the following KDC error sequence before the authentication succeeds. This can take 20-30 seconds.
26.02.13 15:31:21,001 kdc[2321]: Got a canonicalize request for a LKDC realm from 192.168.178.32:59299
26.02.13 15:31:21,001 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:21,001 kdc[2321]: Got a canonicalize request for a LKDC realm from fe80::426c:8fff:fe37:6b28%en0:59300
26.02.13 15:31:21,001 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:21,021 kdc[2321]: Got a canonicalize request for a LKDC realm from 192.168.178.32:59301
26.02.13 15:31:21,021 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:21,021 kdc[2321]: Got a canonicalize request for a LKDC realm from fe80::426c:8fff:fe37:6b28%en0:59302
26.02.13 15:31:21,021 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:32,079 kdc[2321]: Got a canonicalize request for a LKDC realm from 192.168.178.32:59306
26.02.13 15:31:32,079 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:32,080 kdc[2321]: Got a canonicalize request for a LKDC realm from fe80::426c:8fff:fe37:6b28%en0:59307
26.02.13 15:31:32,080 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:32,214 screensharingd[83904]: Authentication: SUCCEEDED :: User Name: Administrator :: Viewer Address: 192.168.178.32 :: Type: DH
Apparently there is something seriously wrong with the Kerberos local data cache:
sudo ./checkLocalKDC
krbtgt/LKDC:SHA1.F0454A755D0C818D04161E8547E9D485D004F224@LKDC:SHA1.F0454A755D0C818D04161E8547E9D485D004F224 doesn't exist, are you sure LKDC:SHA1.F0454A755D0C818D04161E8547E9D485D004F224 is a realm in your database
The kadmin check failed.
configureLocalKDC did not fix this. There are Kerberos config files but I cannot determine if they were created before or after starting any of the services.
sudo ls -l krb5kdc/
total 48
-rw-------  1 root  wheel    61 21 Feb 19:33 acl_file.MARVIN.DOMAIN.DE
-rw-r--r--@ 1 root  wheel   330 26 Feb 20:17 kdc.conf
-rw-------  1 root  wheel  4555 20 Feb 19:24 log
-rw-------  1 root  wheel   111 20 Feb 19:24 m-key
-rw-------  1 root  wheel    78 21 Feb 19:33 m_key.MARVIN.DOMAIN.DE
sudo ktutil list (limited to vnc)
  1  aes256-cts-hmac-sha1-96  vnc/LKDC:SHA1.F0454A755D0C818D04161E8547E9D485D004F224@LKDC:SHA1.F0454A755D0C818D04161E8547E9D485D004F224
  1  aes128-cts-hmac-sha1-96  vnc/LKDC:SHA1.F0454A755D0C818D04161E8547E9D485D004F224@LKDC:SHA1.F0454A755D0C818D04161E8547E9D485D004F224
  1  des3-cbc-sha1            vnc/LKDC:SHA1.F0454A755D0C818D04161E8547E9D485D004F224@LKDC:SHA1.F0454A755D0C818D04161E8547E9D485D004F224
  1  aes256-cts-hmac-sha1-96  vnc/[email protected]
  1  aes128-cts-hmac-sha1-96  vnc/[email protected]
  1  des3-cbc-sha1            vnc/[email protected]
The Kerberos part of the server open directory settings:
dirserv:kerberizedRealmList:availableRealms:_array_index:0:dirNodePath = "/LDAPv3/127.0.0.1"
dirserv:kerberizedRealmList:availableRealms:_array_index:0:realmName = "MARVIN.DOMAIN.DE"
dirserv:kerberizedRealmList:defaultRealm = "MARVIN.DOMAIN.DE"
So far all fits AFAIK and the domain is also correct.

After a night of experimentation, I found a workaround but do not know if this simply avoids Kerberos authentication or what is going on.
It can be a domain problem except for the checkLocalKDC error that needs to be fixed anyway.
Above I used the server occurrence in a Finder window, which I presume takes as a name marvin.local.
Then I used a Go to Server vnc://marvin which worked without a Kerberos error. Also marvin.fritz.box (router) works fine.
marvin.local looks up the machine via Bonjour, right? Can this be the reason for the difference in authentication?
My domain setup is likely illegal at the moment:
local DSL router does the DNS/DHCP for local devices
server marvin has its own dns for marvin.domain.de (reason below) alone and otherwise uses the router dns
domain.de is a registered domain (mine) with fixed ip and server behind
Reason: the domain.de server will be replaced by a DynDNS provider forwarding any request to my DSL router, which acts as a firewall and port forwarder.
So my reasoning was that the new server marvin should be in domain.de as from the point of view of the internet, it is the machine at domain.de. Except that during setup and tests, it is not.
The client accessing marvin however has no idea about marvin.domain.de! It uses the router as the dns.
If anyone has done a similar setup (server behind router-ISP-DynDNS), I would appreciate examples of how you set up the DNS such that the server acts properly from the outside world's point of view.
And yes, there is an MX at domain.de and SMTP requests will be forwarded to marvin also.
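As an added example (not part of the original post and not code from OS X Server), the KDC excerpt quoted above can be checked mechanically rather than by eye. The Python below parses the kdc and screensharingd lines, counts the LKDC canonicalize requests that were answered "there is none", lists the client addresses involved, and measures how long the client waited between its first LKDC request and the successful screen-sharing login (logged with Type: DH, i.e. not a Kerberos ticket). The function names, the summary fields and the "fallback" heuristic are this example's own assumptions; the sample lines are the ones quoted in the post.

```python
"""Parse OS X Server kdc/screensharingd syslog lines and measure the delay a
client sees while the Local KDC (LKDC) realm is missing.

Added example, not from the original post. The log format and the sample
lines come from the thread; function names and summary fields are assumed.
"""
import re
from datetime import datetime

# Sample input: the lines quoted in the post (same format as Console.app shows).
SAMPLE_LOG = """\
26.02.13 15:31:21,001 kdc[2321]: Got a canonicalize request for a LKDC realm from 192.168.178.32:59299
26.02.13 15:31:21,001 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:21,001 kdc[2321]: Got a canonicalize request for a LKDC realm from fe80::426c:8fff:fe37:6b28%en0:59300
26.02.13 15:31:21,001 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:21,021 kdc[2321]: Got a canonicalize request for a LKDC realm from 192.168.178.32:59301
26.02.13 15:31:21,021 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:21,021 kdc[2321]: Got a canonicalize request for a LKDC realm from fe80::426c:8fff:fe37:6b28%en0:59302
26.02.13 15:31:21,021 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:32,079 kdc[2321]: Got a canonicalize request for a LKDC realm from 192.168.178.32:59306
26.02.13 15:31:32,079 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:32,080 kdc[2321]: Got a canonicalize request for a LKDC realm from fe80::426c:8fff:fe37:6b28%en0:59307
26.02.13 15:31:32,080 kdc[2321]: Asked for LKDC, but there is none
26.02.13 15:31:32,214 screensharingd[83904]: Authentication: SUCCEEDED :: User Name: Administrator :: Viewer Address: 192.168.178.32 :: Type: DH
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CANON_RE = re.compile(r"canonicalize request for a LKDC realm from (?P<peer>\S+)$")
SUCCESS_RE = re.compile(r"Authentication: SUCCEEDED .*Type: (?P<type>\w+)$")
LKDC_MISSING = "Asked for LKDC, but there is none"


def parse_line(line):
    """Return {ts, proc, pid, msg} for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # German-locale timestamp: day.month.year and a comma before the milliseconds.
    ts = datetime.strptime(m.group("ts"), "%d.%m.%y %H:%M:%S,%f")
    return {"ts": ts, "proc": m.group("proc"), "pid": int(m.group("pid")), "msg": m.group("msg")}


def peer_host(peer):
    """Strip the trailing :port from '192.168.178.32:59299' or 'fe80::...%en0:59300'."""
    host, _sep, _port = peer.rpartition(":")
    return host


def summarize_kdc_log(text):
    """Count LKDC canonicalize requests/failures and the time until the login succeeded."""
    summary = {
        "lkdc_requests": 0,        # canonicalize requests naming an LKDC realm
        "lkdc_missing": 0,         # KDC replies that no LKDC exists
        "clients": set(),          # client addresses that asked for the LKDC
        "auth_type": None,         # Type: field of the SUCCEEDED line
        "auth_delay_seconds": None,  # first LKDC request -> SUCCEEDED
    }
    first_request = None
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["proc"] == "kdc":
            m = CANON_RE.search(msg)
            if m:
                summary["lkdc_requests"] += 1
                summary["clients"].add(peer_host(m.group("peer")))
                first_request = first_request or rec["ts"]
            elif msg == LKDC_MISSING:
                summary["lkdc_missing"] += 1
        elif rec["proc"] == "screensharingd":
            m = SUCCESS_RE.search(msg)
            if m and summary["auth_type"] is None:
                summary["auth_type"] = m.group("type")
                if first_request is not None:
                    summary["auth_delay_seconds"] = (rec["ts"] - first_request).total_seconds()
    return summary


def lkdc_fallback_detected(summary):
    """True when every LKDC lookup failed and a login still succeeded afterwards,
    i.e. the client gave up on Kerberos and fell back to another method."""
    return (
        summary["lkdc_requests"] > 0
        and summary["lkdc_missing"] >= summary["lkdc_requests"]
        and summary["auth_type"] is not None
    )


if __name__ == "__main__":
    result = summarize_kdc_log(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
    print("fallback to non-Kerberos auth:", lkdc_fallback_detected(result))
```

Run as a script it reports the embedded sample (6 LKDC requests, 6 "none" replies, 2 client addresses, 11.213 s until the DH login); to check a live server, paste the matching kdc and screensharingd lines from Console.app or the system log into `summarize_kdc_log`. A non-zero `lkdc_missing` together with a successful non-Kerberos login is the pattern the post describes: the wait is the client exhausting its Kerberos attempts before falling back.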

Similar Messages

  • Launchd cancels logout/restart and kills app when using screen sharing

    I have an app I want to always run so I created a LaunchDaemon to keep it going:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>Label</key>
    <string>com.sns.sentinel.air</string>
    <key>KeepAlive</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
    <string>sh</string>
    <string>/Applications/oc4j/restartSentinel.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    </dict>
    </plist>
    And restartSentinel.sh is very simple:
    #!/bin/sh
    echo Process Sentinel.app is being restarted...
    open -W /Applications/oc4j/j2ee/home/applications/Sentinel/Sentinel.app
    Everything seems to be fine but I have to access this machine via screen sharing. Then when I log in, the app gets shut down and only restarted a few minutes later. Also, when another user logs in, they are not able to log off. Launchd seems to cancel the restart.
    I do also have two other plist files running other things but they seem to work okay (they don't crash, but the one which needs to be kept alive (code is almost the same as above) also seems to be preventing log out for users other than me).
    So how can I get launchd to let people use screen sharing without killing the app and how can I get it to stop canceling logout/restart?

    Try the Unix forum (not thread) under OS X Technologies.

  • Password "wrong" or irretrievable when using Screen Sharing

    Strangely, I tried using Screen Sharing on the finder to access my iMac from my Macbook today and was asked to enter my password. I presume that this is my system password that I use to log in to my computer. It is the same for both. However, no dice...
    Furthermore, I can't find this password in Keychain...also to no avail. I have no idea how to get things right so that I can access Screen Sharing.
    Thanks in advance for any ideas you may have.

    Start with Finder->Help->Mac Help->search for *Screen Sharing* and peruse the many hits.

  • HT1549 permission problem when using a sharing only account

    I'm using Mavericks 10.9.1
    After setting up a sharing-only account, when using the account to log in and copy files to a remote shared folder, the remote shared folder's owner does not have permission to read it. Only the sharing account has permission.
    what's wrong?
    I need them have permission to read and write too.
    anyone know how to fix it?
    Thanks

    Try using Get Info (command - I) to set the permissions in  to read/write for 'everyone'.

  • TS2755 Hi all, I bought one iphone and 3 ipads, i set up all on one apple ID. Now i have a problem when using messages: when sending message from one device it appears again on screen from the other 3 devices. I need help of how to set up messages on each

    Hi all, I bought one iphone and 3 ipads, i set up all on one apple ID. Now i have a problem when using messages: when sending message from one device it appears again on screen from the other 3 devices. I need help on how to set up messages on each device separately and to start using messages app on each device independently. Thanks

    search google for "iphone remove picture from contact"

  • Coercion problem when using Shared Variable

    I have a curious coercion problem when using Shared Variables.  I want to share the state of a State Machine, which is an enum saved as a control (typedef) called TYPE State (see attached).  I create a shared variable called State and define it as a Custom Control, using the just-mentioned typedef.  So far, so good.  I've attached three simple VIs -- the first one, Init State, simply wires a constant to the input of the Shared Variable to initialize it -- the wired constant is, of course, defined by the typedef.  However, the Get State and Set State, meant to wire an indicator (for reading the state) or control (for setting it), develop coercion dots when wired into the Shared Variable.  Why?  How do I get rid of the dot?  [I suppose I could abandon my typedef and custom control, but the beauty of typedefs and custom controls is that it "enforces" rules, lets you use enums for clarity, keeps the code "honest", etc. -- I'd hate to give that up just to get rid of a dot!].
    On a related note, the code seems to work.  This is much too simplistic to do anything, but if you open Set State and Get State, set the state to anything, run it (it immediately stops, of course), then run Get State, you'll see the chosen state appear in the indicator.  So it does appear to work.  The "error" (coercion dot) may, I suppose, be a "bug" in LabVIEW because it can't figure out the mapping of the (very simple!) Custom Control, but if so, I hope it gets fixed quickly!
    Bob Schor
    Attachments:
    Coercion Problem1.zip 38 KB

    Hello Bob,
    I am also seeing this behavior, I will escalate this question to our LabVIEW developers and post again here no later than next Tuesday, November 27th as National Instruments will be closed for the remainder of this week.
    If this issue does turn into a product suggestion, I would suspect the workaround would be to live with the coercion dot for the time being.
    Enjoy the holiday
    Regards,
    Erik J.
    Applications Engineer
    National Instruments

  • I want to be able to monitor my teen daughter's computer from home using screen sharing.  Anyone know how to set up screen sharing when my daughter's school has her computer set up for Apple Remote Desktop?

    I want to be able to monitor my teen daughter's computer from home using screen sharing.  Anyone know how to set up screen sharing when my daughter's school has her computer set up for Apple Remote Desktop? 

    ARD won't be as smooth as you think over the Internet and will be a security risk for your daughter.
    Your best bet would be to install nannyware, then when she's asleep you can review the logs.
    This is the best and Mac friendly
    http://www.internetsafety.com/

  • Can I display EyeTV's live TV over HDMI-out and be able to see my desktop using screen-sharing on a headless mac-mini used as a media-box?

    Hi,
    I'm thinking of buying a new mac-mini to replace my current one which acts as an iTunes server and records TV programs using eyeTV. I connect using screen-sharing/VNC to be able to do stuff on it (like handbrake etc.)
    I have eyeTV with a satellite receiver and I want to change the setup so that:
    - the new mac-mini continues to work as an iTunes server (and handbrake workhorse)
    - I can use the HDMI output (inc. audio) to show eyeTV's live TV full-screen app
    - I can connect using screen-sharing/VNC to the mac-mini and see my normal desktop to be able to maintain it etc. but this is a headless display (no screen is connected to the display-port).
    - recorded media I'd play through the appleTV2 still + rentals etc. unless anyone knows if eyeTV software can offer up iTunes content? I don't like the eyeTV recordings in general as it seems very slow to me for access when there are lots of recordings and wouldn't be available in other AppleTVs in the house AFAIK.
    The main benefit that this gives me is that I'd no longer need a separate satellite box to watch live TV and can add more eyeTV hardware to get additional TV channels all through the same HUD on the TV for ease of access.
    Does this seem possible in theory & practice (ie are there any gotcha's to consider?)
    - can I force the HDMI output resolution to 1080i as I go via an amp to the TV and the appleTV2 drops to low-res in this configuration so I have had to find a workaround for that.
    - does the mac-mini have IR input that can be programmed?
    - Does eyeTV software remain stable for long periods?
    - Does the HDMI out have any handshake issues that would need a reset of the display (somehow)?
    thanks in advance for any thoughts/contributions
    Lee

    I think the easiest way to do this is to have the EyeTV app running in one user account and sent via HDMI to the TV, and use a separate user account for Screen Sharing. Both logins can be active at the same time and with Lion you can connect via screen sharing to which ever login you need.
    With regards to the Mac video resolution changing when it is not the current input on your AV receiver: this is 'normal', if the Mac sees no signal it drops down to a lower level. What you need is to buy a HDMI Detective Plus, which tricks the Mac into always seeing a signal and hence it will not drop down the resolution. See http://www.gefen.com/kvm/dproduct.jsp?prod_id=8005
    The Mac mini does have an IR receiver. This can be used with the EyeTV app, iTunes, and similar. Yes, I believe EyeTV would run for prolonged periods quite happily; it has been around for a long time and had most of the rough edges polished off. However one issue you will have to deal with is that it does not automatically update its program guide data. For this you might have to write or modify an AppleScript. Elgato support or their user forums will be a lot of help.
    You can set EyeTV to convert recordings to an iTunes (Apple TV) compatible format and then delete them from EyeTV.
    The HDMI Detective should solve your handshaking problems.

  • Fix for anyone unable to use screen sharing

    Hi guys
    Not so much a question as a fix for anyone who has been unable to use screen sharing since yesterday.
    Apple have started to turn off parts of MobileMe however one of the issues is if you still have MobileMe signed in on your Snow Leopard install Screen Sharing will stop working to any computer.
    To get things working again go into System Preferences -> MobileMe -> Sign Out.
    It should now be fixed.
    Hope this helps someone out.

    @Jay Gamel specifically, but to anyone who is having problems with Screen Sharing and thinks that since they don't use MobileMe that it must be something else ..
    I have never used MobileMe, not even the free trial.
    When I saw this post, I looked at the Mobile Me pref pane and since I had never logged in, there was no way to sign out, so I kept looking elsewhere.
    Hours later, I read this email again and saw how timely it was, so I went back and looked again.
    Even though I had never signed in, my AppleID was pre-populated in the Member Name field.
    As soon as I cleared out this field, Screen Sharing started working again.
    So, not only should you make sure you are signed out, but you should wipe out any information in either the Member Name or Password field.
    I also noticed that, even after I solved it, as I continued to look at the issue, at some point the Member Name re-populated and sharing stopped working until I cleared it out again.

  • Install Mac OS using Screen Sharing or VNC - is it possible?

    I've always wondered how to do this: Is it possible to remote install a Mac OS (in this case Leopard and up) using screen sharing or a VNC connection, when once the remote machine restarts and boots from the installation volume, you no longer have those sharing capabilities?
    Essentially I want to know how do you control a remote mac installation without having the ability to activate screen or vnc sharing options?
    In our office setting, what I'd like to be able to do is make an image of our installation disc and save it on our server, an remotely install it on other computers in the office.

    how would a remote machine be controlled without screen sharing or vnc control if it's booting from a disc or networked volume?
    The normal way to mass deploy an upgrade across many macs on a local network is to setup snow leopard server then you create an install image using a copy of a snow leopard disk. You can fully customise the install image with all your 3rd party applications etc. Then you just netboot each mac and the installation is automated.
    see Create a Leopard to Snow Leopard Upgrade NetInstall Image
    You would set up the server first. Then you would have to set up DNS correctly, then your users and groups, then your sharepoints. Then when you build your image you customise it to suit your new network settings.

  • Is it possible to use screen sharing between lion and mountain lion

    I could always use screen sharing between my 2010 macbook and my 2007 macmini, both with lion. But now since I upgraded the macbook to mountain lion it doesn't work. The macmini did at first show up on the macbook finder sidebar under sharing like it always had done but as soon as I tried to connect the sharing option disappeared and won't come back. The macmini can still see the macbook however, it's on the finder there. But when I try to connect from the mini to the macbook I get an error message that says something like "server error" and contact administrator (that's me!). I can't upgrade the mini to mountain lion as it's too old. So is this an incompatibility between the two operating systems or is it something else?
    I also tried to do it with Back To My Mac, enabled through icloud on both computers but no luck, not even showing the Back to my Mac icon on either Finder sidebar like it's supposed to. When I did it through system preferences-icloud, it said this was successfully enabled but it just doesn't work at all.
    Cross about this since I always use the macbook to control the macmini which is plugged into a flat screen tv and it's much easier than fiddling around with a mouse and keyboard.

    I can screen share my wife's Lion iMac using Mountain Lion and the reverse is true. If the computer is not showing up to be selected under shared on the left column of the finder it is probably a connection issue. I would check my home network, restart the macs and toggle the shared settings and energy saving settings like wake for network activity. Be sure and set up iCloud on both your macs and turn on UPnP if you have a router for your home network serving up NAT IP Numbers. UPnP will make the port forwarding entries in your router to allow your macs to connect behind the firewall created by nat addressing.
    I am currently having a problem with back to my mac. Screen shares great to the Lion iMac but Mountain Lion to Mountain on one computer will not connect if the computer is sleeping. It lights the screen on the sleeping computer but never shows on the computer requesting to share. File share always works. If I wake the computer before I attempt the connection, screen share works as it should. If I try to screen share while the second computer is sleeping, it will never work again until I restart the iMac.

  • NLS support problems when using AL32UTF8 in dads.conf

    Hello,
    Following a post by Joel Kallman, in one of the forum threads, about the mandatory use of AL32UTF8 in dads.conf, when running HTML DB v2.0, I changed my PlsqlNLSLanguage parameter accordingly.
    Prior to the change, I experienced some problems when using non-English characters – some application items appeared as gibberish when contained non-English characters, and the LIKE operator didn't perform as expected. After the change, it all seems to work OK, but now I have a different problem.
    All the non-English characters in my HTML page source code appear as gibberish. On screen, at run time, everything displays correctly, but the source code seems to be corrupted. It is very difficult, and very annoying to debug the pages that way. Is there a way to enjoy both worlds – using AL32UTF8 in the dads.conf, as required, and still getting a coherent HTML source code, containing non-English characters?
    Thanks,
    Arie.

    Joel,
    I use the following settings and they work fine for me:
    Operating system:
    LANG=de_DE
    LANGVAR=de_DE.UTF-8
    NLS_LANG=AMERICAN_AMERICA.WE8ISO8859P1
    daust:oracle[o1020]> uname -a
    Linux daust.opal-consulting.de 2.4.21-37.EL #1 Wed Sep 7 13:35:21 EDT 2005 i686 i686 i386 GNU/Linux
    daust:oracle[o1020]> cat /etc/redhat-release
    Red Hat Enterprise Linux ES release 3 (Taroon Update 6)
    daust:oracle[o1020]>
    marvel.conf:
    <Location /pls/htmldb>
        Order deny,allow
        PlsqlDocumentPath docs
        AllowOverride None
        PlsqlDocumentProcedure wwv_flow_file_manager.process_download
        PlsqlDatabaseConnectString localhost:1521:o1020
        PlsqlNLSLanguage AMERICAN_AMERICA.WE8ISO8859P1
        PlsqlAuthenticationMode Basic
        SetHandler pls_handler
        PlsqlDocumentTablename wwv_flow_file_objects$
        PlsqlDatabaseUsername HTMLDB_PUBLIC_USER
        PlsqlDefaultPage htmldb
        PlsqlDatabasePassword @BZvJYqadreElOqj5poCB5gE=
        Allow from all
    </Location>
    Database:
    daust:oracle[o1020]> sqlplus "/ as sysdba"
    SQL> select * from nls_database_parameters;
    PARAMETER                      VALUE
    NLS_LANGUAGE                   AMERICAN
    NLS_TERRITORY                  AMERICA
    NLS_CURRENCY                   $
    NLS_ISO_CURRENCY               AMERICA
    NLS_NUMERIC_CHARACTERS         .,
    NLS_CHARACTERSET               WE8ISO8859P1
    NLS_CALENDAR                   GREGORIAN
    NLS_DATE_FORMAT                DD-MON-RR
    NLS_DATE_LANGUAGE              AMERICAN
    NLS_SORT                       BINARY
    NLS_TIME_FORMAT                HH.MI.SSXFF AM
    PARAMETER                      VALUE
    NLS_TIMESTAMP_FORMAT           DD-MON-RR HH.MI.SSXFF AM
    NLS_TIME_TZ_FORMAT             HH.MI.SSXFF AM TZR
    NLS_TIMESTAMP_TZ_FORMAT        DD-MON-RR HH.MI.SSXFF AM TZR
    NLS_DUAL_CURRENCY              $
    NLS_COMP                       BINARY
    NLS_LENGTH_SEMANTICS           BYTE
    NLS_NCHAR_CONV_EXCP            FALSE
    NLS_NCHAR_CHARACTERSET         AL16UTF16
    NLS_RDBMS_VERSION              10.2.0.1.0
    Using AL32UTF8 resulted in the same problem as described ( and fixed ) here: Re: Strange - HTML not written correctly
    So, what is the proper configuration of the DAD, perhaps there are different ones for Unicode instances and non-Unicode instances.
    ~Dietmar.

  • Cannot email pdf using Acrobat Reader XI v11.0.3 in Windows 8. No problem when using in ms vista. ge

    Cannot email pdf using Acrobat Reader XI v11.0.3 in Windows 8. No problem when using in ms vista. get "authentication error". Sometimes will get a very quick dialogue box showing the gmail login screen but then disappears. I use firefox and IE

    Hi Rodney
    Welcome to Apple Discussions
    This sounds like one of those "oddities", contributed to by a few sources.
    I can clear the Safari cache files as a temporary solution, but I encounter the same difficulties with the “problematic” files once they have been opened again.
    Wondering if you disabled the Safari Cache would the refresh function work correctly? As a test you can disable the Safari Cache by Emptying the Cache first via the Safari menu, then Quit Safari. Now go to the Finder>Your User Library>Caches>Safari. Single click on the Safari folder, then Apple Key + I to open Info panel. There, check the "locked" box. This prevents further additions to the cache. The downside, you lose your ability to upload images etc. within Safari (my cache is disabled, so I use Firefox for the uploads).
    Then restart Safari. Try the PDF from within Safari.
    Post back

  • My entire TV show library does not appear when using home sharing to ipad

    I've tried everything to get my entire library to show when using home sharing on the ipad but it only displays the shows under letter A to the beginning of F.  Is there a limit on the seasons that can be displayed? I'm streaming from itunes on a PC.

    I figured out my own problem. Thanks dmule you're a genius. All I had to do was turn off home sharing on my iPad and then turn it back on. Now all the video art work matches their proper movies.

  • Error Using Screen Sharing (Not iChat)

    I have a PowerBook and a G4 tower, both 10.5.6 and when I am using screen sharing I get an error: "Connection Failed to "********" Please make sure that Screen Sharing (in the Sharing Preferences section of System Preferences) is enabled on the computer you're connecting to...). This worked at one time. Sharing is enabled on both computers, the firewall has been turned off. Still it will not connect. Anyone have any ideas?

    If you see: Apple Remote Desktop in the Services list in the the Sharing pane, select it. Also, you might need to assign permissions.
    Setting permissions for screen sharing
    Use the Sharing pane of System Preferences on the computer you want to share to set up screen sharing accounts and assign permissions to them.
    To set up screen sharing accounts and permissions:
    On the computer you want to control, choose Apple > System Preferences, and then click Sharing.
    Select the Screen Sharing checkbox.
    Select “All users” or “Only these users,” depending on who will be allowed to share this computer.
    If you select “Only these users,” click Add + and select Sharing Users, Network Users, or Address Book from the list, and then choose a user. Or click New Person and assign a name and password to create a new sharing user.
    Click Computer Settings and select to allow anyone to request permission to control the screen of this computer, or to allow Virtual Network Computing (VNC) users to access the screen after entering a password.
    Carolyn
    Message was edited by: Carolyn Samit
