Kerberos problem, user authenticates as "nobody" on subsequent mounts

Similar Messages

• Cisco ip phone and wired user authenticate form ISE

  Hi dears,
  I configurate wired users from Cisco ISE. The authentication protocol is Eap-fast, the external device is DC. The wired user authenticate from ISE normally. I use labminutes web sites for configuration video.
  Now the customer also want the cisco phone is authenticate from ISE. the physical connection is that: the cable connect to phone from switch. and one cable is connec from phone to pc.(standard physiacl connection.)
  I create new authentication policy and use mab, and  new authorization police.
  The problem is : the phone is authenticate is normally but the wired user want to authenticate but it can not authenticate.
  Can someone provide me a best practice configuration on ise and switch for phone and wired user authentication. or please say the source of problem.
  Thanks.

  interface GigabitEthernet1/0/48
   switchport access vlan 10
   switchport mode access
   switchport voice vlan 14
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action authorize vlan 20
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  do you need ISE configuration??

• I had a major problem with my PC yesterday, and subsequently lost Mozilla Foxfire. When I reloaded it onto my PC it opened up with "Welcome to AOL - Mozilla Foxfire". I don't want AOL attached or tagged to Foxfire. How I do prevent that? And hopefully I h

  I had a major problem with my PC yesterday, and subsequently had to reload Mozilla Foxfire. When reloaded, it opened with "Welcome to AOL - Mozilla Foxfire". I don't want AOL associated or tagged with Foxfire. I went in to "Programs and Files" and deleted everything with AOL, including Quicktime. Tried loading Foxfire again, but it still opened with AOL tagged. I do use AOL for emails and some browsing, but I want to use Foxfire soley for browsing and search engine. And yes, I did also reload AOL. Can't seem to figure out why AOL is tagging onto Foxfire. Hopefully I have not lost all of my Foxfire Bookmarks - that would really suck.
  == User Agent ==
  Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

  Hello Larry.
  Hopefully this support article is what you need:
  http://support.mozilla.com/en-US/kb/How+to+set+the+home+page

• When users authenticate to read-only replica [ Identity synchronization]

  Hello,
  I have 2 sites: F and L. each site has a AD and LDAP. AD are replicated. LDAP are also replicated. Each one is the slave of the other. Idsync is installed on each site too.
  All users servers are located in F. so when a user authenticates for the 1st time or after password change, he will challenge LDAP in F and this one is read-only (slave). The user will get invalid password
  Whereas if I do for example ldapsearch + authentication on LDAP in L (this can't be done for users), the windows password gets updated in LDAP in L then LDAP in F (since F is a slave).
  do you a solution for that?
  thx

  hi,
  the replication is working between master and consumer:
  If I change an attribute in ldap A for a user in site A, the attribute is replicated to ldap in site B.
  If I change an attribute in ldap B for a user in site B, the attribute is replicated to ldap in site A.
  If I change an attribute in ldap A for a user in site B, I get an error that this is a read-only replica. OK.
  If I change an attribute in ldap B for a user in site A, I get an error that this is a read-only replica. OK.
  The password is getting updated in the consumer following a password change on the master.
  Where is the problem then? When a user in site A wants to change his password, his password is updated only in AD. ldap in site A (and IdSync) will not be aware of this change since the user in site A will login to servers (ldap clients) in site B and those servers are configured with ldap in site B. the ldap in site B is a slave for the subtree of users in site A. It stores then the password that is in ldap site A i.e. an invalid password.
  I imagine a solution where servers (ldap clients) are configured with both ldap servers so that if a user from site A logins, the ldap client challenges the ldap server in site A. is this feasible?
  any other solution?
  thank you,

• Problem user

  I have a user with constant outlook issues. ie freezing and messages getting stuck in the outbox.
  We don't use roaming profiles, and this is the case on several freshly built devices.
  I've created a new mailbox - which hasn't made a difference so I'm thinking it could be an issue with the user account.
  What would be the best way to troubleshoot this? Or replace the user account?

  Hi,
  From your description, I recommend you check if OWA works well. If yes, the issue is related to Outlook side, please follow the steps below for troubleshooting:
  1. Please check if your mail server is offline.
  2. verify if it is a wrong or changed password.
  For more information, here is a kb for your reference.
  Email stuck in the Outbox in Outlook 2010 / 2013
  http://social.technet.microsoft.com/Forums/en-US/4f9f0630-9527-455d-a2d0-5ae682536c00/problem-user?forum=exchangesvrgeneral
  If the issue persists, please use Outlook safe mode to determine whether the problem is caused by add-ins.
  Hope it helps.
  Best regards,
  Amy Wang
  TechNet Community Support

• How to configure high availability and disaster recovery? And user authenticate

  We are in the process of rolling out our online help which was created using Robohelp.   In our initial rollout we will provide access to the files via our Client Portal which requires authentication.  We are also planning for our next version where we intend to implement Robohelp server functionality.
  Our IT team is looking at options on how to configure for High Availability and Disaster Recovery.  It seems that Robohelp doesn't have any built-in functionality in this area.  In addition we require that our users authenticate.  The options for the server version seem to be more internally focused and we would need to solution the authentication using a third party.
  Would anyone be willing to share their approach in these areas?  Would you be willing to participate in a conference call with our IT Professionals?

  Hello again
  I see my good friend Peter replied to your LInkedIn post where you cross-posted the same question. For those here that have no clue what Peter stated, here it is:
  What are you seeking to recover? Your projects? Your outputs? This sounds like a question more appropriate to Disaster Recovery consultants and far wider reaching than RoboHelp. To me it seems like a question your IT people should be asking direct to such consultants who would expect a fee for their advice.
  I would agree with Peter's reply.
  I'll also go further and ask what exactly is being done in this realm for the application? Help files generally are there to support an application on the server. So whatever you are doing for the applciation should also be able to be used for the WebHelp, FlashHelp or web based AIR Help files, no?
  Cheers... Rick
  Helpful and Handy Links
  RoboHelp Wish Form/Bug Reporting Form
  Begin learning RoboHelp HTML 7, 8 or 9 within the day!
  Adobe Certified RoboHelp HTML Training
  SorcerStone Blog
  RoboHelp eBooks

• Enable Exchange 2013 server users authenticate by certificate.

  Hello guys!
  I need to implement secure Exchange authentication through OWA and Outlook (optional). I have PKI in my environment, so I want my users to authenticate in OWA using smart card certificate (or other user certificate) if they outside my organization. Is it
  possible? If so, I can setup auto enrollment policy in my domain and make my users authenticate automatically using their personal certificates. Microsoft Lync uses similar authentication mechanism. May be I can setup it in Exchange 2013? General aim of all
  this it is to avoid brute force or other potential authentication attacks to my Exchange outside the organization. Of course I can use VPN and not public my Exchange outside at all, but it is not as sophisticated 8-) Please, help, if you have any ideas.

  I've found the solution! I used this article http://blogs.technet.com/b/exchange/archive/2008/11/12/3406481.aspx It is usefull for Exchange 2013 too. 
  - Setup IIS Client Certificate Mapping Authentication
  - IIS console - server name - Authentication - Active Directory Client Cetrificate Authentication - Enabled
  - IIS console - Defaul Web Site - ecp - SSL Settings - Require SSL - Require
  - IIS console - Defaul Web Site - owa - SSL Settings - Require SSL - Require
  - Microsoft Exchange Management Shell:
  cd c:\windows\system32\inetsrv
  .\appcmd unlock config /section:clientCertificateMappingAuthentication
  .\appcmd set config "Default Web Site/OWA" -section:clientCertificateMappingAuthentication /enabled:true
  .\appcmd set config "Default Web Site/ecp" -section:clientCertificateMappingAuthentication /enabled:true
  set-owavirtualdirectory -identity "Servername\owa (Default Web Site)" -BasicAuthentication:$false -FormsAuthentication:$false
  set-ecpvirtualdirectory -identity "Servername\ecp (Default Web Site)" -BasicAuthentication:$false -FormsAuthentication:$false

• User Passwords Rejected on AFP share mounts?

  User Passwords Rejected on AFP share mounts?
  (OK, my last post got buried, and perhaps too long), try again. Very brief
  Issue:
  After so many days, a User's AFP share password is rejected? What gives.
  If you reset it, several days later, same thing, rejected.
  Is Netinfo Database corrupted, what can / should be done?
  - Stand Alone server (with AFP and FTP services running, all other services off, not running.
  Summary Info for user having issue:
  Location: 192.168.0.50/NetInfo/DefualtLocalNode
  Home: No Home Directory
  Primary Group: Users (20)
  Password: Shadow Password
  I have deleted that troublesome user name and created a new name (for that user), just in case, in the re-creation of the same user name (after deletion) some corruption gets inherited.
  thanks,
  macguitarman
  Power Mac G5 Dual 2.0   Mac OS X (10.4.7)  

  Using Tiger Server, I have found that enabling ACLs, or Access Control Lists on the volume, and then specifying users and/or groups into the specific ACLs for the share point has been very helpful. Also note that 10.4.10 server seems to work better than 10.4.11, so if you haven't upgraded, don't go beyond 10.4.10. .11 seems to have some permissions issues and other problems.
  I assume you are connecting to the server via AFS (i.e. Go > Connect to Server > ip address) and not SMB? SMB sometimes is more problematic about ownership. But either way, Mac or PC clients, it seems ACLs are the way to go.
  Crazy as it seems, on my server, even if the owner is, say, admin, and the group with r/w permissions is, say, Prepress, it helps to specifically add the Prepress group to the ACL for that share. Then be sure to propagate the permissions down (unless you don't want to, for some reason). To do this, click the little gear icon and propagate all the permissions -- owner, group, acl, etc. down. This will take a bit of time depending on how much stuff you have. I also find that a server reboot can be helpful.
  [[ All this said, 10.5.1 seems to do some crazy things, and I hope 10.5.2 addresses them. I have one machine (not user ID) that always creates a folder on a share with no permissions for anyone. Only from that Mac; the same login on another works just fine. Go figure]]

• Change user password , when DB is in mount state

  Hello,
  1. How to check user status , when database is in MOUNT stage. ? (Locked/Expired)
  2. Is it possible to change the password of the user SYSTEM , while database is in mount state.?
  If DB is open , we can query DBA_USERS table and can get the details of users (username, account_status,lock_date,expiry_date, etc...)
  But , is it possible to query these data, when the DB is in MOUNT state.
  3. Im having SYS authority. I want to change the password of SYSTEM user, and make SYSTEM unlock in the Standby Database. (Which is in mount state).
  How can i do this?
  regards,
  Zerandib

  How to check user status , when database is in MOUNT stage. ? (Locked/Expired)You cannot check the user status when the database is in mount stage. You need to have the database is open mode to check the status of the users.
  Is it possible to change the password of the user SYSTEM , while database is in mount state.?It is not possible to change the password of any user when the database is in mount state. Open the database and then change the password.
  If DB is open , we can query DBA_USERS table and can get the details of users (username, account_status,lock_date,expiry_date, etc...)
  But , is it possible to query these data, when the DB is in MOUNT state.No. Not possible.
  3. Im having SYS authority. I want to change the password of SYSTEM user, and make SYSTEM unlock in the Standby >Database. (Which is in mount state).
  How can i do this?Answer to this question was given in your previous thread created nearly 12 hours back. It makes no sense to change the password on the standby database. It a mirrored copy of your primary database.
  Change the password of the user in primary database and perform a log switch. The password would be changed on the standby as soon as the log is applied on the standby database.
  Whenever you try to change the password of a user in mount stage,you get an error message saying "shutdown is in progress". So change it only when the database is open

• Mail and Kerberos problem

  Mail client: 10.7.4
  Mail server: 10.6.8
  Mail protocol: imap
  Authentication: Kerberos V5
  The problem: when I login on my client, a TGT is acquired normally, klist shows it, and if I launch Mail, mail get a imap service ticket and all works fine.
  When my TGT expires, I cannot get a new TGT otherwise than a kinit, which is unacceptable for my users. Before, whith Snow Leopard or Leopard mail client, if no TGT was present on client, mail poped up a specific kerberos dialog box to ask the password and then get a new TGT and imap service ticket. It is anyway the actual behavior with others services as AFP for example.
  I have try to create an user Launch Agent which make a kinit periodically, but when the Mac client get out of long sleep state, the TGT is expired and I have no way to launch my script at this moment.
  To reproduce the problem with no ticket at sequence start:
  foo-mac1:~ foo$ klist
  klist: krb5_cc_get_principal: No credentials cache file found
  foo-mac1:~ foo$ kinit  kinit [email protected]
  foo-mac1:~ foo$ klist
  Credentials cache: API:501:12
          Principal: [email protected]
    Issued           Expires          Principal
  Jul  5 10:41:50  Jul  5 20:41:50  krbtgt/[email protected]
  A this point, I launch Mail, a service ticket is created, my account is connected and well working.
  foo-mac1:~ foo$ klist
  Credentials cache: API:501:12
          Principal: foo@XSERVER1. MYDOMAIN.NET
    Issued           Expires          Principal
  Jul  5 10:41:50  Jul  5 20:41:50  krbtgt/XSERVER1. MYDOMAIN.NET@XSERVER1. MYDOMAIN.NET
  Jul  5 11:01:22  Jul  5 20:41:50  imap/xserver3.mydomain.net@XSERVER1. MYDOMAIN.NET
  I quit mail and delete my TGT.
  foo-mac1:~ foo$ kdestroy
  foo-mac1:~ foo$ klist
  klist: krb5_cc_get_principal: No credentials cache file found
  If I launch Mail, my account cannot connect and does not propose password dialog as precedent versions so I cannot re-create TGT and imap service ticket otherwise than kinit.
  moreover, Mail log a logic entry:
  03/07/12 17:04:52,838 Mail: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found (negative cache))
  03/07/12 17:04:52,838 Mail: [<_LibSasl2SASLClient: 0x7f951dd4f080> mechanism: GSSAPI security layer: no] Failed to start the SASL connection
  SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found (negative cache))
  Do you have an idea to make Mail propose an user friendly dialog box when TGT expires or do you have an idea to launch a script when a Mac get out of sleep?

  No solution at this point. Now we are seeing the same problem trying to authenticate radius users. Extremely frustrating!
  /var/log/system.log:
  Sep 19 11:22:58 hostname /usr/sbin/PasswordService[54]: wrong-sized secret 32
  Sep 19 11:22:58 hostname /usr/sbin/PasswordService[54]: Unexpected State Reached in MS-CHAPv2 plugin
  Sep 19 11:24:05 hostname /usr/sbin/PasswordService[54]: wrong-sized secret 32
  Sep 19 11:24:05 hostname /usr/sbin/PasswordService[54]: Unexpected State Reached in MS-CHAPv2 plugin
  Sep 19 11:26:27 hostname /usr/sbin/PasswordService[54]: wrong-sized secret 32
  Sep 19 11:26:27 hostname /usr/sbin/PasswordService[54]: Unexpected State Reached in MS-CHAPv2 plugin
  /var/log/radius/radius.log:
  Fri Sep 19 14:21:56 2008 : Error: rlm_mschap: authentication failed -14090
  Fri Sep 19 14:28:31 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
  Fri Sep 19 14:28:31 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
  Fri Sep 19 14:28:31 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
  Fri Sep 19 14:28:48 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
  I'm wondering if it's trying to use the wrong auth mech at first. I see the user come in with a successful DIGEST-MD5 during the problem, then successful MS-CHAPv2 following the password reset. Resetting the user's password "fixes" the issue. Until it happens again at an unspecified time.

• Kerberos problem on Mac OS X Server

  Hi,
  Our corporate using Mac OS X 10.6.x server on Xserve, users can login server daily using OD with Kerberos enabled, they can also access files from the file server with no any problem, but if I run kinit <userid> and then type the password, it displays password is incorrect ! I am not trying all existing userid, but at least 3 existing userid have such problem, but if I create a new userid and password, running kinit, no problem found, can somebody tell me what is going on! Thanks.
  patrick

  Ok. I've did a bit more debugging. Console shows the following when you launch Pages.
  2007-06-03 16:57:15.388 Pages[21515] invalid pixel format
  2007-06-03 16:57:15.388 Pages[21515] invalid context
  2007-06-03 16:57:15.626 Pages[21515] invalid pixel format
  2007-06-03 16:57:15.627 Pages[21515] invalid context
  2007-06-03 16:57:15.682 Pages[21515] invalid pixel format
  2007-06-03 16:57:15.682 Pages[21515] invalid context
  2007-06-03 16:57:15.683 Pages[21515] invalid pixel format
  2007-06-03 16:57:15.684 Pages[21515] invalid context
  2007-06-03 16:57:15.688 Pages[21515] invalid pixel format
  2007-06-03 16:57:15.688 Pages[21515] invalid context
  2007-06-03 16:57:15.689 Pages[21515] invalid pixel format
  2007-06-03 16:57:15.690 Pages[21515] invalid context
  2007-06-03 16:57:15.796 Pages[21515] invalid pixel format
  2007-06-03 16:57:15.796 Pages[21515] invalid context
  2007-06-03 16:57:15.797 Pages[21515] invalid pixel format
  2007-06-03 16:57:15.798 Pages[21515] invalid context
  2007-06-03 16:57:15.811 Pages[21515] Exception raised during posting of notification. Ignored. exception: * +[NSString stringWithCString:]: NULL cString
  The Pages main document window does not show automatically. It seems to have problems raising it. Any clicks into the pages window or attempts to use it just show repeats of the above logs. From those messages I guess I will have to assume that the Server version of Mac OS X does not have some of the libraries needed by Mac OS X. Boooo!!!
  Now I don't have any non-server Mac OS X machines here. Any know any apps that can convert Pages or Keynote files to Word or NeoOffice readable formats?

• Hostname is .local and Kerberos problems

  Hi
  Having problems with our new xserve. The computername as set in server admin is 'serverx' which is giving a local hostname of serverx.local. I have DNS running with one zone of <domainname>.org.uk, servername of serverx giving a FQSN or serverx.<domainname>.org.uk
  However i had an email out from the mailman mailing list asking for permission to allow a post to a mailing list and it had the link to click on as http://Serverx.local/mailman/.....
  Obviously i'd like this to be http://serverx.<domainname>.org.uk
  This also extends to the server's searchbase, which on the old server we migrated from was dc=<hostname>,dc=org,dc=uk which now is showing as dc=serverx,dc=local under opendirectory - settings - protocals
  The Open directory pane shows everything running apart from Kerberos which is stopped. If i try and kerberize the server using the realm name of <DOMAINNAME>.ORG.UK it whirrs away before returning me to the 'kerberize the open directory master' dialogue. Looking at the slapconfig log i get the errors...
  The KDC is not running error = 3
  failed to configure error = 3
  Is there a way to change this so that the domain name and seachbase are correct and how do i get the KDC to run so i can kerberize the server.
  Hope some of that makes sense...
  Thanks
  Quad 2GHz Intel Xserve   Mac OS X (10.4.9)   2GB ram

  I had similar issues with .local and trying to migrate away. I decided to manually massage a backup into the non-.local domain. It worked for me, but I will stress that you should make a copy of your backup to do this on.
  First, decide what new domain you want to use. If you're building on a private network, you can use a non-valid domain, like '.int' . Setup your DNS.
  Use Server Admin to make a backup of your OD Domain. Make a copy. Burn it to CD. We don't want the original to change.
  Kerberize to the new domain. Make a new backup and burn it to CD as well.
  Open a modifiable copy of the backup. In it are many files, most of them are straight text files of one flavor or another. Time to get dirty...
  Backup.ldif is the big file to work with. You must go in and change all of the olddomain.locals to newdomain.tla (this is pseudocode, please use your own domains where you see these two.) You must also change all of the dc=olddomain,dc=local to dc=newdomain,dc=tla . The fun about this file is that Apple wraps it manually, which makes search and replace tedious, as there will be some of these things at the end of lines. The good news is that they are far from random, so you can search for parts of the name (local is a good search) and find the next iteration. Here are a couple examples...
  ...dc=ol
  ddomain,dc=local
  ...dc
  =olddomain,dc=local
  ...dc=olddoma
  in,dc=local
  The key is to search and replace the whole thing at once. I used textedit and pasted the entire offending text into the find box, then replaced with the proper new dc= values. You need not worry about wrapping, the importer doesn't care. The key is to make sure that you get it all.
  Now do the same with all of the other files. I didn't touch authservermain, which already had the new Kerberos domain in it. I did modify these files...
  Backup.ldif
  authserverreplicas
  authserveroverflow.x
  DSLDAPv3PluginConfig.plist
  slapd_macosxserver.conf
  local.dump
  local.krb5realm
  Make sure to check the other files, as different configurations will yield info in different files.
  Once you are done with this, it's time to turn your nice pretty domain into a standalone. It appears that the archive and restore tools are much better in 10.4.x that older versions, so it actually works to restore things. There was one caveat. My standalone seemed to ignore the /etc/krb5adm.keytab, which then caused the conversion to Master domain to hang. Move to krb5adm.keytab.old it in case you need to restore.
  Make your server a Master again, this time with the new FQDN and search string.
  Import your modified backup. Your users should now be in place, although I lost my domain admins in the process.
  Finally, backup your domain, revert to standalone, toss the .keytab, convert to Master, and restore. This last step converts the bdb back into text, then back to the bdb. I was having a little strangeness until I did this step, which I believe clears up some cruft.
  Here are the benefits that I've seen in this process...
  - Passwords translate
  - migration is complete to new domain
  - easily restorable and/or recoverable
  Of course, your mileage may vary.

• Kerberos problems: "Failed to find KerberosKDC node"

  I'm running 10.7.1 on a Macbook. Something's wrong with my Kerberos installation. My Console is filled with messages like:
  Sep 23 09:56:13 macbook digest-service[658]:krb5_kdc_set_dbinfo: Failed to find KerberosKDC node
  Sep 23 09:56:13 macbook com.apple.launchd[1] (com.apple.Kerberos.digest-service[658]): Exited with code: 1
  Sep 23 09:56:13 macbook com.apple.launchd[1] (com.apple.Kerberos.digest-service): Throttling respawn: Will start in 10 seconds
  I know almost nothing about Kerberos and am having trouble finding clear explanations of its configuration. Any suggestions on how to fix this?

  Hi
  Kerberos is used extensively in Single Sign On (SSO) environments. This would typically be medium-to-large Coporate or Educational institutions running instances of Windows Active Directory and possibly Apple's Open Directory or even a mixture of the two. There are other manufacturers that offer their own bespoke offering such as Novell but I'm seeing less and less of this now-a-days. Regardless, all of these technologies have one thing in common; they are based on Open Source OpenLDAP:
  http://www.openldap.org/
  http://www.openldap.org/project/
  At its simplest LDAP (Lightweight Directory Access Protocol) is a database (or series of databases) that can 'contain' information about all sorts of things which can be easily distributed or shared.
  If you're not in any of these types of environments and your laptop has not been bound and/or joined to a networked domain and essentially you're in a single user, residential home environment I would ignore it.
  FWIW I see this 'error' also even in 10.6 and like a lot of things that are logged by the OS it does not necessarily mean there's anything wrong. For some things Console can be overly verbose and may 'frighten' the unwary into thinking there's something wrong when actually there isn't.
  Having said all that and apart from what is being logged, are you actually having any problems?
  HTH?
  Tony

• Solaris 10 Kerberos problem

  I have a problem with a kerberos installation on Solaris 10.
  I modiefied the krb5.conf and pam.conf file, if I do a kinit or klist kerberos is working fine.
  If I try to login with ssh I get this error:
  [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: No such file or directory
  What does this mean ?
  Regards,
  Ar_min

  my first guess is you are missing your keytab (/etc/krb5/krb5.keytab). ssh uses a host/FQDN@<KRB5 REALM> entry in the keytab for auth. other kerbirized services may use the same entry or ftp/FQDN@<KRB5 REALM>, ldap/FQDN@<KRB5 REALM> (openldap for example).
  if you created that host entry on your kdc (or in AD, and then used ktpass to export it), and you imported it ok, run sshd in debug mode to see more: /usr/lib/ssh/sshd -ddd -p 220 (-p 220 is the port to connect to)

• Sharepoint 2013 Problem - User Personal site never created. Clicking Skydrive/Newsfeed/or Follow

  New 2013 setup.  I created 1 test site.   I'm able to load the site, but If the user clicks on 'Follow', 'Skydrive', or 'Newsfeeds', the user is taken to the personal page that reads:
  We're almost ready!
  While we set things up, feel free to changeyour
  photo, adjustyour
  personal settings, and fill
  ininformation about yourself.
  It could take us a while, but once we're done, here's what you'll get:
  Newsfeedis your social hub where you'll see updates from the people, documents, sites, and tags you're following, with quick access to the apps you've added.
  SkyDrive Prois your personal hard drive in the cloud, the place you can store, share, and sync your work files.
  Sitesgives you easy access to the places you'll want to go.
  There seems to be some sort of user init that never completes. 
  In the log files taken from "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions" I found the following related to an attempt 
  12/05/2012 16:02:26.55     w3wp.exe (0x1AB0)                           0x2324    SharePoint Portal
  Server          User Profiles                     ajxt4    Unexpected    Microsoft.Office.Server.Social.SPSocialFeedManager.GetFeedFor:
  Microsoft.Office.Server.Microfeed.MicrofeedException: WarningPersonalSiteNotFoundCanCreateError :  : Correlation ID:d4f0e79b-2e8c-9054-08c5-674e84005449 : Date and Time : 12/5/2012 1:02:26 PM     at Microsoft.Office.Server.Microfeed.SPMicrofeedManager.CommonPubFeedGetter(SPMicrofeedRetrievalOptions
  feedOptions, MicrofeedPublishedFeedType feedType, Boolean publicView)     at Microsoft.Office.Server.Microfeed.SPMicrofeedManager.GetPublishedFeed(String feedOwner, SPMicrofeedRetrievalOptions feedOptions, MicrofeedPublishedFeedType typeOfPubFeed)    
  at Microsoft.Office.Server.Social.SPSocialFeedManager.Microsoft.Office.Server.Social.ISocialFeedManagerProxy.ProxyGetFeedFor(String actorId, SPSocialFeedOptions options)     at Microsof...    d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:26.55*    w3wp.exe (0x1AB0)                           0x2324    SharePoint Portal Server    
       User Profiles                     ajxt4    Unexpected    ...t.Office.Server.Social.SPSocialFeedManager.<>c__DisplayClass4b`1.<S2SInvoke>b__4a()    
  at Microsoft.Office.Server.Social.SPSocialUtil.InvokeWithExceptionTranslation[T](ISocialOperationManager target, String name, Func`1 func)    d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:26.55     w3wp.exe (0x1AB0)                           0x2324    SharePoint Portal Server    
       User Profiles                     ajxt4    Unexpected    Microsoft.Office.Server.Social.SPSocialFeedManager.GetFeedFor:
  Microsoft.Office.Server.Social.SPSocialException: No personal site exists for the current user, and a previous attempt to create one failed. Internal type name: Microsoft.Office.Server.Microfeed.MicrofeedException. Internal error code: 80.    
  at Microsoft.Office.Server.Social.SPSocialUtil.TryTranslateExceptionAndThrow(Exception exception)     at Microsoft.Office.Server.Social.SPSocialUtil.InvokeWithExceptionTranslation[T](ISocialOperationManager target, String name, Func`1 func)    
  at Microsoft.Office.Server.Social.SPSocialFeedManager.<>c__DisplayClass48`1.<S2SInvoke>b__47()     at Microsoft.Office.Server.Social.SPSocialUtil.InvokeWithExceptionTranslation[T](ISocialOperationManager target, String name,
  Func`1 func)    d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:26.55     w3wp.exe (0x1AB0)                           0x2324    SharePoint Portal Server    
       User Profiles                     ajxt4    Unexpected    Microsoft.Office.Server.Social.SPSocialFeedManager.GetFeedFor:
  Microsoft.Office.Server.Social.SPSocialException: No personal site exists for the current user, and a previous attempt to create one failed. Internal type name: Microsoft.Office.Server.Microfeed.MicrofeedException. Internal error code: 80.    
  at Microsoft.Office.Server.Social.SPSocialUtil.TryTranslateExceptionAndThrow(Exception exception)     at Microsoft.Office.Server.Social.SPSocialUtil.InvokeWithExceptionTranslation[T](ISocialOperationManager target, String name, Func`1 func)    
  at Microsoft.Office.Server.Social.SPSocialFeedManager.<>c__DisplayClass48`1.<S2SInvoke>b__47()     at Microsoft.Office.Server.Social.SPSocialUtil.InvokeWithExceptionTranslation[T](ISocialOperationManager target, String name,
  Func`1 func)     at Mic...    d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:26.55*    w3wp.exe (0x1AB0)                           0x2324    SharePoint Portal Server    
       User Profiles                     ajxt4    Unexpected    ...rosoft.Office.Server.Social.SPSocialFeedManager.<>c__DisplayClass2f.<GetFeedFor>b__2d()    
  at Microsoft.Office.Server.Social.SPSocialUtil.InvokeWithExceptionTranslation[T](ISocialOperationManager target, String name, Func`1 func)    d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:26.57     w3wp.exe (0x1AB0)                           0x2324    SharePoint Foundation       
       Monitoring                        nasq    Medium      Entering monitored scope (Render
  Ribbon.). Parent SharePointForm Control Render    d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:26.58     w3wp.exe (0x1AB0)                           0x2324    SharePoint Foundation       
       Monitoring                        b4ly    Medium      Leaving Monitored Scope (Render
  Ribbon.). Execution Time=3.16897818018771    d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:26.58     w3wp.exe (0x1AB0)                           0x2324    SharePoint Server Search    
       Query                             dn4s    High        FetchDataFromURL
  start at(outside if): 1 param: start    d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:26.58     w3wp.exe (0x1AB0)                           0x2324    SharePoint Portal Server    
       User Profiles                     aiokq    High        User profile property 'EduUserRole'
  not found from from MySitePersonalSiteUpgradeOnNavigationWebPart::GetUserRoleFromProfile(). This should indicate that the current user is not an edudation user. [SPWeb Url=http://share2/my/Person.aspx?accountname=mycompany\username]    d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:26.58     w3wp.exe (0x1AB0)                           0x2324    SharePoint Portal Server    
       Personal Site Instantiation       af1lc    High        Skipping creation of personal site from MySitePersonalSiteUpgradeOnNavigationWebPart::CreatePersonalSite()
  because one or more of the creation criteria has not been met. [SPWeb Url=http://share2/my/Person.aspx?accountname=mycompany\username]  http://share2/my/Person.aspx?accountname=mycompany\username]Self-Service Site Creation == False  Can Create Personal
  Site == True  Is user licensed == True  Storage&Social UPA Permission == True  Site or Page or Web Part is in design mode == False      d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:26.59     w3wp.exe (0x1AB0)                           0x2324    SharePoint Foundation       
       Monitoring                        b4ly    Medium      Leaving Monitored Scope (Request
  (GET:http://share2:80/my/Person.aspx?accountname=mycompany%5Cusername&AjaxDelta=1)). Execution Time=94.5348500996635    d4f0e79b-2e8c-9054-08c5-674e84005449
  12/05/2012 16:02:27.17     w3wp.exe (0x1AB0)                           0x23A0    SharePoint Foundation       
       Monitoring                        nasq    Medium      Entering monitored scope (Request
  (POST:http://share2:80/my/_vti_bin/client.svc/ProcessQuery)). Parent No    
  12/05/2012 16:02:27.17     w3wp.exe (0x1AB0)                           0x23A0    SharePoint Foundation       
       Logging Correlation Data          xmnv    Medium      Name=Request (POST:http://share2:80/my/_vti_bin/client.svc/ProcessQuery)    d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.17     w3wp.exe (0x1AB0)                           0x23A0    SharePoint Foundation       
       Authentication Authorization      agb9s    Medium      Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|mycompany\username, ClaimsCount=57    d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.17     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Foundation       
       CSOM                              agw10    Medium      Begin
  CSOM Request ManagedThreadId=54, NativeThreadId=2504    d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.18     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Foundation       
       Logging Correlation Data          xmnv    Medium      Site=/my    d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.18     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Portal Server    
       Microfeeds                        aizmk    High        serviceHost_RequestExecuting  
   d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.20     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Portal Server    
       User Profiles                     ajk39    Medium      UserProfileDBCache_WCFLogging::Begin ProfileDBCacheServiceClient.GetUserData.ExecuteOnChannel  
   d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.20     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Portal Server    
       User Profiles                     ajk35    Medium      MossClientBase_WCFLogging::Begin MossClientBase.ExecuteOnChannel  
   d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.20     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Portal Server    
       User Profiles                     ajk36    Medium      MossClientBase_WCFLogging:: MossClientBase.ExecuteOnChannel
  -  Executing codeblock on channel    d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.21     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Foundation       
       Topology                          e5mc    Medium      WcfSendRequest: RemoteAddress:
  'http://share2:32843/1c9a1642f4d9456c94ae0dbbd9b25a41/ProfileDBCacheService.svc' Channel: 'Microsoft.Office.Server.UserProfiles.IProfileDBCacheService' Action: 'http://Microsoft.Office.Server.UserProfiles/GetUserData' MessageId: 'urn:uuid:24af6007-0615-428e-ad0a-1265f47f0b33'  
   d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.22     w3wp.exe (0x1B78)                           0x1BA0    SharePoint Foundation       
       Monitoring                        nasq    Medium      Entering monitored scope (ExecuteWcfServerOperation).
  Parent No    
  12/05/2012 16:02:27.22     w3wp.exe (0x1B78)                           0x1BA0    SharePoint Foundation       
       Topology                          e5mb    Medium      WcfReceiveRequest: LocalAddress:
  'http://share2.mycompany.com:32843/1c9a1642f4d9456c94ae0dbbd9b25a41/ProfileDBCacheService.svc' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://Microsoft.Office.Server.UserProfiles/GetUserData' MessageId: 'urn:uuid:24af6007-0615-428e-ad0a-1265f47f0b33'  
   d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.22     w3wp.exe (0x1B78)                           0x1BA0    SharePoint Foundation       
       Monitoring                        b4ly    Medium      Leaving Monitored Scope (ExecuteWcfServerOperation).
  Execution Time=0.647079447248184    d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.22     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Portal Server    
       User Profiles                     ajk37    Medium      MossClientBase_WCFLogging:: MossClientBase.ExecuteOnChannel
  -  Executed codeblock on channel    d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.22     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Portal Server    
       User Profiles                     ajk4a    Medium      UserProfileDBCache_WCFLogging::End ProfileDBCacheServiceClient.GetUserData.ExecuteOnChannel  
   d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.22     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Portal Server    
       User Profiles                     ajp2i    Medium      GetMySiteLinks: user has a profile but no personal
  site; not returning personal site links    d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.23     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Portal Server    
       Microfeeds                        aizmj    High        serviceHost_RequestExecuted  
   d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.23     w3wp.exe (0x1AB0)                           0x09C8    SharePoint Foundation       
       CSOM                              agw11    Medium      End
  CSOM Request. Duration=53 milliseconds.    d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.23     w3wp.exe (0x1AB0)                           0x1604    SharePoint Foundation       
       Monitoring                        b4ly    Medium      Leaving Monitored Scope (Request
  (POST:http://share2:80/my/_vti_bin/client.svc/ProcessQuery)). Execution Time=62.5798809625246    d4f0e79b-3eb6-9054-08c5-61e70b316688
  12/05/2012 16:02:27.44     w3wp.exe (0x1B78)                           0x1178    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: SessionManager.PerformOngoingRequestDepartures    6b6b4445-152d-0002-8ef6-85991723bb2d
  12/05/2012 16:02:27.51     w3wp.exe (0x1B78)                           0x1934    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: Disk Manager.PerformCleanup    11c5f189-7512-0002-bee0-df766138e919
  12/05/2012 16:02:27.51     w3wp.exe (0x1B78)                           0x1934    Excel Services Application  
       Excel Calculation Services        8jg2    Medium      ResourceManager.PerformCleanup: Disk Manager: CurrentSize=57369.    11c5f189-7512-0002-bee0-df766138e919
  12/05/2012 16:02:28.45     w3wp.exe (0x1B78)                           0x1178    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: SessionManager.PerformOngoingRequestDepartures    6b6b4445-152d-0002-8ef6-85991723bb2d
  12/05/2012 16:02:28.92     w3wp.exe (0x1B78)                           0x18C8    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: SessionManager.PerformSessionTimeouts    8854a25e-6740-0002-b513-28f8778da25e
  12/05/2012 16:02:28.92     w3wp.exe (0x1B78)                           0x23E0    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: Memory Manager.PerformCleanup    53fed7f1-2e29-0002-a910-5150db6281e2
  12/05/2012 16:02:28.92     w3wp.exe (0x1B78)                           0x23E0    Excel Services Application  
       Excel Calculation Services        8jg2    Medium      ResourceManager.PerformCleanup: Memory Manager: CurrentSize=730533888.    53fed7f1-2e29-0002-a910-5150db6281e2
  12/05/2012 16:02:29.40     w3wp.exe (0x1B78)                           0x19B4    SharePoint Portal Server    
       User Profiles                     ahqt1    Medium      UserProfileDBCache.GetChangedDBItemsPrimaryKeys:
  m_AllPropertyIDs = 1;3;9;2;5009;7;23;13;14;22;5065;5061;5062;5040;5042;5091;5092;5093;    19a3e79b-2ee3-9054-08c5-6a281115d989
  12/05/2012 16:02:29.45     w3wp.exe (0x1B78)                           0x1178    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: SessionManager.PerformOngoingRequestDepartures    6b6b4445-152d-0002-8ef6-85991723bb2d
  12/05/2012 16:02:29.54     OWSTIMER.EXE (0x26C4)                       0x1964    SharePoint Foundation       
       Monitoring                        aeh57    Medium      Sql Ring buffer status eventsPerSec
  = 0,processingTime=0,totalEventsProcessed=0,eventCount=0,droppedCount=0,memoryUsed=0    
  12/05/2012 16:02:30.10     w3wp.exe (0x1B78)                           0x0FAC    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: HealthPerfCounter    633d7a5d-1310-0002-8342-391ed51888b4
  12/05/2012 16:02:30.45     w3wp.exe (0x1B78)                           0x1178    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: SessionManager.PerformOngoingRequestDepartures    6b6b4445-152d-0002-8ef6-85991723bb2d
  12/05/2012 16:02:30.61     w3wp.exe (0x1B78)                           0x19A4    SharePoint Server Search    
       Query                             ac3iq    High        Ims::EndPoints:
  old: net.tcp://share2/C5A0AC/QueryProcessingComponent1/ImsQueryInternal;, new: net.tcp://share2/C5A0AC/QueryProcessingComponent1/ImsQueryInternal;    19a3e79b-2ee3-9054-08c5-6a281115d989
  12/05/2012 16:02:30.67     w3wp.exe (0x1B78)                           0x1EE4    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: RequestManager.RequestTimeoutCleanup    5baea2ed-01b0-0002-9183-bc6ae11d23eb
  12/05/2012 16:02:30.67     w3wp.exe (0x1B78)                           0x1EE4    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: ExcelServerThreadPool.QueueConsiderate    5baea2ed-01b0-0002-9183-bc6ae11d23eb
  12/05/2012 16:02:30.67     w3wp.exe (0x1B78)                           0x1EE4    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: SessionManager.PerformAutoSave    5baea2ed-01b0-0002-9183-bc6ae11d23eb
  12/05/2012 16:02:31.45     w3wp.exe (0x1B78)                           0x1178    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: SessionManager.PerformOngoingRequestDepartures    6b6b4445-152d-0002-8ef6-85991723bb2d
  12/05/2012 16:02:32.45     w3wp.exe (0x1B78)                           0x1178    SharePoint Server           
       Logging Correlation Data          xmnv    Medium      Name=Task: SessionManager.PerformOngoingRequestDepartures    6b6b4445-152d-0002-8ef6-85991723bb2d
  12/05/2012 16:02:32.65     OWSTIMER.EXE (0x26C4)                       0x197C    SharePoint Foundation       
       Monitoring                        nasq    Medium      Entering monitored scope (Timer
  Job EducationBulkOperationJob). Parent No    9d183f64-33f3-4bb8-83b3-f401e3150f7e
  Any thoughts on this?   troubleshooting tips? 

  In my case, here is what happened and how I fixed it.
  Situation:
  Mysite is a new web application. We have two one-way trusts in place since the domain of the farm is different than the two other domains where users reside. So I ran the 
  STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "Forest1,Domain1\account,password;
  Forest2,Domain2\account,password"
  -url https://mysitesURL
  This allowed the user policy of the new Mysites web application to search through the two domains where AD users reside. Once I added them I was good, no more errors. 
  One thing to note, I have two web apps using the same wildcard cert and running off port 443 SSL. 
  I wanted to make the user picture come from AD so I changed that user property (Picture) in User Profile Service options, and this seems to have broken initial MySite creation, but once the user adds a picture
  to their profile settings, the site starts working. I need to remove the property I added for "Picture" in user profile properties.
  This is the process I took that caused my problem:
  http://richardstk.wordpress.com/2013/04/12/import-user-photos-from-active-directory-into-sharepoint-2013/