Mount CIFS / Windows share with Kerberos ticket

Hi there!
Uhm, I am trying to mount a Windows Share with
mount -t cifs //SERVERNAME/SHARE /mnt -o krb5
(Before that, I have requested a kerberos ticket with kinit username@DOMAIN which worked fine).
I'm then asked to give a password, but I don't know which password it could be (tried my domain user password, also with "-o krb5,username=username", which didn't work).
One of the other employees said that there's a package needed which is called key-request, so the kerberos ticket is forwarded to the server where it has to be compared.
But I really didn't find the package.
My questions are now:
1. Do you know how to mount a Windows Share (Server 2008) with Kerberos tickets?
2. Is the statement about the ticket forwarding true, and if yes, how can I do this on Arch?
EDIT// The output I get after mount..
1. "Password:
Permission denied"
2. "mount error(5): input/output error"
3. Nothing happens
Greetings
Last edited by Kielo (2010-10-08 13:54:55)
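
Added example, not part of the original post: the "ticket forwarding" in question 2 corresponds to the kernel's request-key upcall, where request-key (keyutils) runs cifs.upcall (cifs-utils) to fetch the service ticket for a mount that uses the sec=krb5 option. This preflight script checks those pieces and the TGT; the file paths, variable names and function names are assumptions, and klist -s assumes MIT Kerberos.

```shell
#!/bin/sh
# Preflight for: mount -t cifs //SERVER/SHARE /mnt -o sec=krb5
# Paths and tool names are common defaults (assumptions); override via environment.
REQUEST_KEY_CONF=${REQUEST_KEY_CONF:-/etc/request-key.conf}
REQUEST_KEY_DIR=${REQUEST_KEY_DIR:-/etc/request-key.d}
CIFS_UPCALL=${CIFS_UPCALL:-cifs.upcall}    # shipped by cifs-utils
REQUEST_KEY=${REQUEST_KEY:-request-key}    # shipped by keyutils

# True when the named tool (bare name or absolute path) can be executed.
tool_present() { command -v "$1" >/dev/null 2>&1; }

# True when the current credential cache holds an unexpired ticket.
# Run this as the user who ran kinit, not through sudo.
tgt_present() { command -v klist >/dev/null 2>&1 && klist -s; }

# True when a non-comment line registers a handler for the cifs.spnego key
# type, e.g.:  create cifs.spnego * * /usr/sbin/cifs.upcall %k
# Without it the kernel cannot obtain the ticket and falls back to a password.
spnego_handler_registered() {
    for f in "$REQUEST_KEY_CONF" "$REQUEST_KEY_DIR"/*.conf; do
        [ -r "$f" ] || continue
        if awk '$1 == "create" && $2 == "cifs.spnego" && NF >= 5 { found = 1 }
                END { exit !found }' "$f"; then
            return 0
        fi
    done
    return 1
}

# Prints the mount command. cruid tells cifs.upcall whose credential cache
# to read, which matters when the mount itself is run through sudo.
krb5_mount_cmd() {
    echo "mount -t cifs //$1/$2 $3 -o sec=krb5,cruid=${SUDO_UID:-$(id -u)}"
}

# Prints one line per missing prerequisite; returns 0 only if all are met.
krb5_mount_preflight() {
    rc=0
    tgt_present || { echo "no valid TGT in the credential cache: run kinit"; rc=1; }
    tool_present "$CIFS_UPCALL" || { echo "cifs.upcall not found: install cifs-utils"; rc=1; }
    tool_present "$REQUEST_KEY" || { echo "request-key not found: install keyutils"; rc=1; }
    spnego_handler_registered || { echo "no cifs.spnego handler in request-key config"; rc=1; }
    return $rc
}
```

Run krb5_mount_preflight as the user who holds the ticket, then run the command printed by krb5_mount_cmd SERVERNAME SHARE /mnt as root.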

The Kerberos client code is unable to get a service ticket for your afp server & the afp client is trying to fall back and running out of options.
You will need to check a couple of things on the afp server:
1) check the principal name of the server: look in the file /Library/Preferences/com.apple.AppleFileServer.plist for the key "kerberosPrincipal"
it should look like "afpserver/fqdn@REALM"
2) run:
klist -k
and verify that the principal name of the afp server is in the list.
On the OD Master:
run (as root):
kadmin.local -q "listprincs"
and verify that the principal name of the afp server is in the list.
Hope that gets you started
- Leland

Similar Messages

  • Mounting CIFS on MAC with large file support

    Dear All,
    We are having issues copying large files ( > 3.5 GB) from MAC to a CIFS Share (smb mounted on MAC) whereby the copy fails if files are larger than 3.5 GB in size and hence I was wondering if there is any special way to mount CIFS Shares (special option in the mount_smbfs command perhaps ) to support large file transfer?
    Currently we mount the share using the command below
    mount_smbfs //user@server/<share> /destinationdir_onMAC

    If you haven't already, I would suggest trying an evaluation of DAVE from Thursby Software. The eval is free, fully functional, and supported.
    DAVE is able to handle large file transfer without interruption or data loss when connecting to Windows shared folders. If it turns out that it doesn't work as well as you like, you can easily remove it with the uninstaller.
    (And yes, I work for Thursby, and have supported DAVE since 1998)

  • Ticket isnt for us - Apache DS on Windows Server 2008 with Kerberos

    Hello there,
    I installed Apache DS 1.5.7 on Windows Server 2008 R2 with Kerberos enabled.
    I followed the instructions here http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html.
    I added my users like the example ldif file of the official instructions. Users got their krb keys.
    But when I try to authenticate with Apache Directory Studio using Kerberos authentication as told in the instructions, I get ERROR 35 "Ticket isn't for us".
    I tried googling this issue but I couldn't solve it on my own.
    Any help will be greatly appreciated.
    Here is the server log

    From AD end
    Create an OU
    Create a Group
    Create a User
    add user to group
    =============================
    From LDAP client you should point to Active directory , to be more precise
    LDAP base DN eg: dc=Microsoft , dc=com
    search at the specific scope :EG; full search / subtree search
    add the user in your application ( user is the one which you have created in AD )
    client will connect to LDAP server , binds and then searches under the specified scope

  • Initial Kerberos ticket only 10 minutes- how to fix?

    I have a 10.5.8 server with OD and AFP set up.
    I have an OD user account. I have two client machines, both bound to the OD server with Directory Utility.
    On client A (10.5.8), I have a local user account that is "Managed, Mobile" with the same username/password as my OD account, but I'm using my local home directory as my default and not syncing to my server home directory.
    On client B (also 10.5.8), which is a shared machine, I do not have a local account matching my OD account.
    On every startup of client A, I automatically get a Kerberos ticket for the server, as I'd expect, but it has a life of only 10 minutes and does not auto-renew. As long as the ticket is valid, I can connect to and mount sharepoints on the server (without new authentication). Once the ticket expires, I can't connect to the AFP server without manually renewing the ticket (I use the Kerberos client) or re-booting. (Otherwise, I get a login prompt but credentials are not accepted.) If I renew the ticket, it renews for 10 hours and then I can connect to the AFP server, but I have to do this manually. It doesn't appear to matter whether I've set client A to trusted binding. I've set Kerberos preferences on A to a minimum and maximum ticket life of 10 hours, but this doesn't help.
    On client B (also 10.5.8), with a similar setup in Directory Utility, I get a 10 hour ticket. (If I login at startup with my OD account, I get the Kerberos ticket immediately. If I login in with a local account, I'm prompted to authenticate when I attempt to connect to the AFP server and then can use my OD account to connect.) I've not waited to see if this ticket will auto-renew, but my Kerberos preferences (on both A and B) are set to a renewable life range of 7 days and I'm guessing that it will auto-renew on B.
    Client B behavior is what I expect. Client A behavior I don't understand. Can anyone help me figure out what's happening (keeping in mind that I'm an OD novice!), so that I can stop client A from creating a ticket with such a short life?
    Thanks in advance for any help.

    I am not really following what you have and what you want here.
    Each Sequence is unique, and has a Duration that is equal (or should be) to the total Duration of the Assets on that Sequence.
    It is not until one defines the output and delivery of those Sequences, that any concern needs to be made for the Duration, and then the TimeCode for that delivery will incorporate the Durations from all Sequences used.
    Let's take a DVD as an example. One edits in Sequences. Their Durations will be determined by Clips on each Sequence. While there are different workflows here, I am going to keep it very simple. I am also going to save typing, and just list the minutes of Duration for each Sequence.
    I have 4 Sequences, #1 thru #4. I Export each Sequence as an AV file (DV-AVI on PC, or MOV on a Mac). Sequence #1 is 20 mins. long. Sequence #2 is 10 mins. Sequence #3 is 10 mins. Sequence #4 is 20 mins. This will be a total of 60 mins., when Imported into Encore for authoring the DVD. I assemble my 4 Sequences, in whatever order I wish, or use a Playlist to navigate to each/all in whatever order I wish. The TimeCode in the Sequences (back in PrPro) make no difference. Each starts at 00;00;00;00, and only the total Duration of each really counts for anything in my authoring. I can choose to play any/all, and in any order that I wish.
    Now, if one wishes to Export to some other delivery scheme, say a MOV filed combined into one, you can Nest (in the manual, or Help file) all Sequences into a single additional Sequence, and in any order that you wish, say Sequence 4, Sequence 1, Sequence 3 and Sequence 2. Then, just Export that new, Nested Sequence as a MOV file. That Nested Sequence does not care what the starting TimeCode of each of the contributing Sequences was. Only the total Duration of all Sequences matters.
    Does that make sense? If not, can you articulate exactly what the problem with your Sequences is?
    Good luck,
    Hunt

  • Afpserver kerberos ticket

    10.6.8 server doesn't appear to give kerberos tickets for afp to clients that use 10.7.2.  Anyone else run into this problem or find a workaround?
    EDIT:  I want to add that SMB will give cifs tickets like it's supposed to.  So the kerberos seems to be working correctly with other services, just not AFP.

    From the 10.7 client, are you connecting with a fully qualified host name, such as afp://hostname.domain.tld?  Or are you referencing by the Bonjour or just hostname?  I've seen some situations in which the DHCP server does not hand out the proper search path, so even though a hostname alone will get you to the machine, kerb auth does not work because the fqdn and the kerb principals do not match.

  • Trying to resolve ntlmv errors mounting CIFS network shares via fstab

    Kernel: 3.4.2-2
    WM: Openbox
    About 6 months or so ago, which was after about a year on my current install with no issue, I began getting an ntlmv error when auto mounting samba shares at
    boot.  Everything still worked but I continued getting an error message.
    My fstab entry at that time looked like this:
    //<LAN_IP>/<share name>/ /mnt/Serverbox cifs credential=/path/to/file,file_mode=0777,dir_mode=0777 0 0
    The error I received looked like this:
    CIFS VFS: default security mechanism requested. The default security mechanism will be upgraded from ntlm to ntlmv2 in kernel release 3.3
    So I did what research I could on the error, found the "sec" option and discovered that adding the "sec=ntlmv2" option to my above noted fstab entry got
    rid of the error message and everything still worked perfectly; that is until this weekend.
    After upgrading both machines this weekend I noticed a new boot time error message and saw that my shares were no longer being mounted.
    relevant boot log:
    Mounting Network Filesystems [BUSY] mount error(22): Invalid argument
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
    relevant everything log:
    CIFS VFS: bad security option: ntlmv2
    /var/log/pacman from the weekend's upgrade:
    [2012-06-16 13:03] Running 'pacman -Syu'
    [2012-06-16 13:03] synchronizing package lists
    [2012-06-16 13:03] starting full system upgrade
    [2012-06-16 13:10] removed dbus-python (1.0.0-1)
    [2012-06-16 13:10] upgraded linux-api-headers (3.3.2-1 -> 3.3.8-1)
    [2012-06-16 13:10] Generating locales...
    [2012-06-16 13:10] en_US.UTF-8... done
    [2012-06-16 13:10] en_US.ISO-8859-1... done
    [2012-06-16 13:10] Generation complete.
    [2012-06-16 13:10] upgraded glibc (2.15-10 -> 2.15-11)
    [2012-06-16 13:10] upgraded bison (2.5-3 -> 2.5.1-1)
    [2012-06-16 13:10] upgraded libpng (1.5.10-1 -> 1.5.11-1)
    [2012-06-16 13:10] upgraded cairo (1.12.2-1 -> 1.12.2-2)
    [2012-06-16 13:10] upgraded libwbclient (3.6.5-2 -> 3.6.5-3)
    [2012-06-16 13:10] upgraded cifs-utils (5.4-1 -> 5.5-1)
    [2012-06-16 13:10] upgraded sqlite (3.7.12.1-1 -> 3.7.13-1)
    [2012-06-16 13:10] upgraded colord (0.1.21-1 -> 0.1.21-2)
    [2012-06-16 13:10] installed pambase (20120602-1)
    [2012-06-16 13:10] upgraded pam (1.1.5-3 -> 1.1.5-4)
    [2012-06-16 13:10] upgraded libcups (1.5.3-4 -> 1.5.3-5)
    [2012-06-16 13:10] upgraded cups (1.5.3-4 -> 1.5.3-5)
    [2012-06-16 13:10] installed python-dbus-common (1.1.0-2)
    [2012-06-16 13:10] installed python2-dbus (1.1.0-2)
    [2012-06-16 13:10] upgraded dconf (0.12.1-1 -> 0.12.1-2)
    [2012-06-16 13:10] upgraded desktop-file-utils (0.19-1 -> 0.20-1)
    [2012-06-16 13:10] upgraded firefox (13.0-2 -> 13.0.1-1)
    [2012-06-16 13:10] upgraded freetype2 (2.4.9-2 -> 2.4.10-1)
    [2012-06-16 13:10] upgraded initscripts (2012.05.1-3 -> 2012.06.1-1)
    [2012-06-16 13:10] upgraded jre7-openjdk-headless (7.u4_2.2-1 -> 7.u5_2.2.1-1)
    [2012-06-16 13:10] upgraded jre7-openjdk (7.u4_2.2-1 -> 7.u5_2.2.1-1)
    [2012-06-16 13:10] upgraded jdk7-openjdk (7.u4_2.2-1 -> 7.u5_2.2.1-1)
    [2012-06-16 13:10] upgraded kdelibs (4.8.4-1 -> 4.8.4-2)
    [2012-06-16 13:10] upgraded libdrm (2.4.33-1 -> 2.4.35-1)
    [2012-06-16 13:10] upgraded libglapi (8.0.3-2 -> 8.0.3-3)
    [2012-06-16 13:10] upgraded liblrdf (0.4.0-9 -> 0.5.0-1)
    [2012-06-16 13:10] upgraded libmysqlclient (5.5.24-1 -> 5.5.25-1)
    [2012-06-16 13:10] installed khrplatform-devel (8.0.3-3)
    [2012-06-16 13:10] installed libegl (8.0.3-3)
    [2012-06-16 13:10] upgraded nvidia-utils (295.53-1 -> 295.59-1)
    [2012-06-16 13:10] upgraded libva (1.0.15-1 -> 1.1.0-1)
    [2012-06-16 13:10] upgraded mkinitcpio (0.9.1-1 -> 0.9.2-2)
    [2012-06-16 13:10] >>> Updating module dependencies. Please wait ...
    [2012-06-16 13:10] >>> Generating initial ramdisk, using mkinitcpio. Please wait...
    [2012-06-16 13:10] ==> Building image from preset: 'default'
    [2012-06-16 13:10] -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
    [2012-06-16 13:10] ==> Starting build: 3.4.2-2-ARCH
    [2012-06-16 13:10] -> Running build hook: [base]
    [2012-06-16 13:10] -> Running build hook: [udev]
    [2012-06-16 13:10] -> Running build hook: [autodetect]
    [2012-06-16 13:10] -> Running build hook: [pata]
    [2012-06-16 13:10] -> Running build hook: [scsi]
    [2012-06-16 13:10] -> Running build hook: [sata]
    [2012-06-16 13:10] -> Running build hook: [filesystems]
    [2012-06-16 13:10] -> Running build hook: [usbinput]
    [2012-06-16 13:10] -> Running build hook: [fsck]
    [2012-06-16 13:10] ==> Generating module dependencies
    [2012-06-16 13:10] ==> Creating xz initcpio image: /boot/initramfs-linux.img
    [2012-06-16 13:10] ==> Image generation successful
    [2012-06-16 13:10] ==> Building image from preset: 'fallback'
    [2012-06-16 13:10] -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
    [2012-06-16 13:10] ==> Starting build: 3.4.2-2-ARCH
    [2012-06-16 13:10] -> Running build hook: [base]
    [2012-06-16 13:10] -> Running build hook: [udev]
    [2012-06-16 13:10] -> Running build hook: [pata]
    [2012-06-16 13:10] -> Running build hook: [scsi]
    [2012-06-16 13:10] -> Running build hook: [sata]
    [2012-06-16 13:10] -> Running build hook: [filesystems]
    [2012-06-16 13:10] -> Running build hook: [usbinput]
    [2012-06-16 13:10] -> Running build hook: [fsck]
    [2012-06-16 13:10] ==> Generating module dependencies
    [2012-06-16 13:10] ==> Creating xz initcpio image: /boot/initramfs-linux-fallback.img
    [2012-06-16 13:11] ==> Image generation successful
    [2012-06-16 13:11] upgraded linux (3.3.8-1 -> 3.4.2-2)
    [2012-06-16 13:11] upgraded lirc-utils (1:0.9.0-16 -> 1:0.9.0-18)
    [2012-06-16 13:11] upgraded mesa (8.0.3-2 -> 8.0.3-3)
    [2012-06-16 13:11] upgraded mysql-clients (5.5.24-1 -> 5.5.25-1)
    [2012-06-16 13:11] upgraded mysql (5.5.24-1 -> 5.5.25-1)
    [2012-06-16 13:11] upgraded nvidia (295.53-1 -> 295.59-1)
    [2012-06-16 13:11] upgraded opencl-nvidia (295.53-1 -> 295.59-1)
    [2012-06-16 13:11] upgraded pango (1.30.0-1 -> 1.30.1-1)
    [2012-06-16 13:11] upgraded pcmanfm (0.9.10-1 -> 0.9.10-2)
    [2012-06-16 13:11] upgraded psmisc (22.16-1 -> 22.17-1)
    [2012-06-16 13:11] upgraded smbclient (3.6.5-2 -> 3.6.5-3)
    [2012-06-16 13:11] upgraded thunderbird (13.0-1 -> 13.0.1-1)
    [2012-06-16 13:11] upgraded udisks2 (1.94.0-1 -> 1.94.0-2)
    [2012-06-16 13:11] upgraded unrar (4.2.3-1 -> 4.2.4-1)
    [2012-06-16 13:11] upgraded virtualbox-archlinux-modules (4.1.16-1 -> 4.1.16-2)
    [2012-06-16 13:11] In order to use the new version, reload all virtualbox modules manually.
    [2012-06-16 13:11] upgraded virtualbox-modules (4.1.16-1 -> 4.1.16-2)
    [2012-06-16 13:11] upgraded xine-ui (0.99.6-5 -> 0.99.7-1)
    [2012-06-16 13:11] Running 'pacman -Syy'
    [2012-06-16 13:11] synchronizing package lists
    [2012-06-16 13:12] Running 'pacman -Syu'
    [2012-06-16 13:12] synchronizing package lists
    [2012-06-16 13:12] starting full system upgrade
    [2012-06-16 13:13] upgraded lib32-freetype2 (2.4.9-1 -> 2.4.10-1)
    [2012-06-16 13:13] upgraded lib32-gnutls (3.0.19-1 -> 3.0.20-1)
    [2012-06-16 13:13] upgraded lib32-krb5 (1.10.1-2 -> 1.10.2-1)
    [2012-06-16 13:13] upgraded lib32-libpng (1.5.10-2 -> 1.5.11-1)
    [2012-06-16 13:13] upgraded lib32-libx11 (1.4.99.902-1 -> 1.5.0-1)
    [2012-06-16 13:13] upgraded lib32-nvidia-utils (295.53-1 -> 295.59-1)
    [2012-06-16 13:13] upgraded lib32-sqlite3 (3.7.11-1 -> 3.7.13-1)
    [2012-06-16 13:13] upgraded lib32-util-linux (2.21.1-1 -> 2.21.2-1)
    [2012-06-16 13:13] upgraded lib32-xcb-util (0.3.8-1 -> 0.3.9-1)
    [2012-06-16 13:13] upgraded wine (1.5.5-1 -> 1.5.6-1)
    Currently returning to the old fstab entry once again gives the initial error code about the security mechanism being upgraded in kernel release x.x (it always seemed to change with each kernel change) though the shares seem to mount just fine. I've looked through the wiki, man pages on die.net and googled everything I can think of and I find a lot of pages mentioning ntlmv errors with no solutions, many telling me that ntlmv and ntlmv2 are mount options, but nothing that gives me any indication on why I might be getting this error or how to go about looking for a solution.
    I've looked through the pacman logs on both my desktop and my file server that I'm connecting to in an effort to determine what might have changed and I found that:
    the smbclient had been upgraded on both machines so I tried downgrading back to version 3.6.5-2 but there was no change when rebooting.
    I also found cifs-utils had been upgraded on the file server.  So I downgraded that as well to the previous version (5.4-1), rebooted both machines and I'm still getting the same invalid argument error.
    I've now gone back and upgraded to the most recent versions of the downgraded packages on each machine but I'm at a loss as to what my next steps should be.  Where do I go from here to track this down and determine if this is a bug or configuration error?  Is there a cleaner way of mounting these shares that I should be using instead of fstab?
    Thank you.

    I had the same issue. After upgrading kernel to 3.4.5 today the cifs share mounted with original fstab settings. I believe it was caused by this bug:
    kernel changelog wrote:    The double delimiter check that allows a comma in the password parsing code is
        unconditional. We set "tmp_end" to the end of the string and we continue to
        check for double delimiter. In the case where the password doesn't contain a
        comma we end up setting tmp_end to NULL and eventually setting "options" to
        "end". This results in the premature termination of the options string and hence
        the values of UNCip and UNC are being set to NULL. This results in mount failure
        with "Connecting to DFS root not implemented yet" error.

  • How do I create a kerberos ticket using coldfusion

    I have 3 apps on our intra net that require authentication and would like to use kerberos to accomplish this. This is my set up.
    users log in to the network and authenticate via active directory (all windows based) , Our web apps are on a box running solaris 10, weblogic app server, cf 9 and oracle 11g.  A group of our web apps on this sever require users to authenticate through oracle (not the web / app server).
    I can authenticate with kerberos via a putty session on the server with no problems.
    USING COLDFUSION, how do I request a kerberos ticket and pass the necessary credentials to authenticate?
    Can this be done?
    I am looking for a CODE SAMPLE OF HOW TO DO THIS IN A UNIX environment  NOT WINDOWS.
    I apologize for the frustrated tone of this post. However, after a week of reading documentation til my eyes bleed, to end up chasing my tail with no truly helpful info............
    TIA
    JB

    This is something your web server should do, not CF. Configure your web server to participate in the Kerberos realm. If WebLogic is the web server (and not just the application server) configure that:
    http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/sso.html
    If you have WebLogic configured to use Apache as a web server, configure that:
    http://modauthkerb.sourceforge.net/
    http://support.microsoft.com/kb/555092
    Dave Watts, CTO, Fig Leaf Software
    http://www.figleaf.com/
    http://training.figleaf.com/

  • Mobile accounts are not being issued kerberos tickets

    Hi
    If I set mobile accounts to expire as soon as they log out, as soon as the user logs back into the same mac with the same account, it does not get issued another kerberos ticket at login.
    If I turn mobile accounts off, it works every time.
    running 10.6, 10.6 open directory server and the user accounts are AD accounts server 2003.
    I am pulling my hair out here. Is this something that is intentional?

    Other observations:
    *1. from /Library/Logs/DirectoryService/DirectoryService.error.log*
    2010-06-18 14:04:11 CEST - T[0xB0185000] - Misconfiguration detected in hash 'Global UID':
    2010-06-18 14:04:11 CEST - T[0xB0185000] - User 'user1' (/LDAPv3/macsrv1.disney.ch) - ID 1035 - UUID 80699B6C-A90E-4D2F-9B07-FB78F72E9709 - SID S-1-5-21-4063190502-2217233148-2094676766-3070
    *2. user IS showing up in the login window.*
    If I configure the login window to show all users (including network users), then user1 does indeed show up.
    *3. Logging into user1 via ssh works.*
    *4. dscl on macsrv1*
    dscl /LDAPv3/127.0.0.1 -list /Users
    does indeed show user1 (and any other user I create)
    So why can't I login/create user1 on the client mac without toggling the FULL PATH to /Network/Servers/macsrv1.disney.ch/users/user1 first? arghh!

  • Can login, but can't get Kerberos ticket

    Hi,
    This is on OS X Server 10.5.8, all up to date, and an OS X Client 10.6.4, all up to date.
    One user in particular can login, however they can't get a kerberos ticket (iChat and other apps fail to login). They can use the Ticket Viewer app to see that there is no ticket, but then add an identity manually and it all works fine.
    If I change the password via Workgroup Manager they can login with that new password. I also ticked "change password at next login", however the client didn't pick that up (although they logged in with the new password).
    Also, when trying to change the password via System Prefs, it says the old (current) password is incorrect, even though its the same as they logged on with.
    I'm pretty sure the problems are to do with the Kerberos login check failing (as seen in the log below) - but why would the user be able to login, yet fail the kerberos authentication check?
    Output from password server log:
    Nov 2 2010 10:24:52 RSAVALIDATE: success.
    Nov 2 2010 10:24:52 AUTH2: {0x46ac8ee739c0ff000000000e0000000e, nhankey} DHX authentication succeeded.
    Nov 2 2010 10:24:52 KERBEROS-LOGIN-CHECK: user {0x46ac8ee739c0ff000000000e0000000e, nhankey} authentication failed.
    Nov 2 2010 10:24:52 GETPOLICY: user {0x46ac8ee739c0ff000000000e0000000e, nhankey}.
    Nov 2 2010 10:24:52 GETPOLICY: user {0x46ac8ee739c0ff000000000e0000000e, nhankey}.
    Nov 2 2010 10:24:55 RSAVALIDATE: success.
    Nov 2 2010 10:24:55 AUTH2: {0x46ac8ee739c0ff000000000e0000000e, nhankey} DIGEST-MD5 authentication succeeded.
    Nov 2 2010 10:24:56 RSAVALIDATE: success.
    Nov 2 2010 10:24:56 AUTH2: {0x46ac8ee739c0ff000000000e0000000e, nhankey} DHX authentication succeeded.
    Nov 2 2010 10:24:56 KERBEROS-LOGIN-CHECK: user {0x46ac8ee739c0ff000000000e0000000e, nhankey} authentication failed.
    Nov 2 2010 10:24:56 RSAVALIDATE: success.
    Nov 2 2010 10:24:56 AUTH2: {0x46ac8ee739c0ff000000000e0000000e, nhankey} DHX authentication succeeded.
    Nov 2 2010 10:24:56 KERBEROS-LOGIN-CHECK: user {0x46ac8ee739c0ff000000000e0000000e, nhankey} authentication failed.
    Is there a way to see which tickets have been issued on the server?
    Thanks for any help.
    Regards,
    Steve

    ... bump ...

  • Trouble with Kerberos and SSH

    I'm working in a test environment to configure Solaris 10 hosts to authenticate against an Active Directory environment using LDAP and Kerberos. I have all of the hard parts done - I can login locally, ssh, telnet, ftp, etc to the Solaris 10 device using a username/password within the Active Directory.
    I am having trouble, however, getting SSH to forward Kerberos tickets for passwordless authentication. I can login locally to a Solaris box, run a klist to verify that I have a Kerberos ticket, and the ssh to another Solaris 10/Kerberos box, but I am still prompted for my password. Below is a snippet of SSH debug traffic:
    debug1: GSS-API error while calling GSS_Init_sec_context(): An invalid name was supplied
    service not available
    debug1: Skipping GSS-API mechanism kerberos_v5 (An invalid name was supplied
    service not available
    No amount of googling has been able to help me thus far. Perhaps you can.

    Apparently my initial problem was related to hostname resolution; I initially was accessing everything by IP address because it was easier than setting up a DNS server in my testing environment. I have resolved those issues within my testing environment, but I still can't seem to get SSH to pass the Kerberos ticket along, or maybe SSHD isn't accepting it. This is what I see now, after getting a Kerberos ticket with kinit and attempting to ssh to another host:
    debug1: Next authentication method: gssapi-with-mic
    debug1: ssh_gssapi_init_ctx(<xxxxxxxxxxxxxxxxxxxx>)
    debug3: ssh_gssapi_import_name: snprintf() returned 41, expected 42
    debug2: we sent a gssapi-with-mic packet, wait for reply
    But it moves on to the next method, never receiving a reply. What's up?

  • Shouldn't I be getting a Kerberos ticket when logging in to my Lion Server?

    I have a very small OS X network setup: one server, one client.  OD, DNS, etc. all working well.  One thing I noticed though is when I log into the server directly, I never have a Kerberos ticket and have to use kinit; when I log into the client, I always get a ticket automatically. 
    After logging in to the server (directly via console, not ssh), I open a terminal and klist shows:
    klist: krb5_cc_get_principal: No credentials cache file found
    I can 'kinit' at this point, provide my password and I will get a working ticket, but isn't this supposed to happen at login time the way it does on my client?
    I've made no modifications to /etc/pam.d/authorization:
    # authorization: auth account
    auth       optional       pam_krb5.so use_first_pass use_kcminit
    auth       optional       pam_ntlm.so use_first_pass
    auth       required       pam_opendirectory.so use_first_pass nullok
    account    required       pam_opendirectory.so
    What am I missing here?  Why wouldn't I be getting tickets at login on this system?
    Many thanks,
    -O

    @Strontium, not sure what the basis for your opinion is, the server login process *is* a client of  OpenDirectory and Kerberos and subject to the same PAM authorization process and thus the creation of a Kerberos ticket.
    After nearly two days of digging, I found the issue was caused by the existence of user records for some of my network users in the /Local/Default directory on the server which had  an AuthenticationAuthority value pointing to an old, no longer used, Kerberos domain.  As these were OpenLDAP users, I hadn't even thought of examining the local directory until I noticed that the expected Kerberos ticket behavior was working properly for one of my accounts which was not a 'mobile' account.  I then realized only my 'mobile' accounts (which were nearly all of them) were the only accounts showing this problem.
    I believe what happened is when I changed server's kerberos name at some point in the past (by backing up the OpenLDAP records, demoting the master, re-creating the master with the new Kerberos name, importing the records, and resetting passwords); I never thought to clean up any locally cached user records for my 'mobile' users.
    To fix: I used the Directory Utility to delete the users from the local cache.  On next login by a mobile user, a correct local user record was created reflecting the proper Kerberos authority and now I'm getting Kerberos tickets on login again. 

  • Mount error: ...not superuser and mount.cifs not installed SUID

    I'm trying to automount Samba shares but get this every time I try to mount the partition:
    mount error: permission denied or not superuser and mount.cifs not installed SUID
    I have this entry in the fstab:
    //192.168.2.1/Capsule /media/capsule cifs auto,noserverino,username=xxx,password=xxx,workgroup=WORKGROUP,iocharset=utf8,file_mode=0777,dir_mode=0777,suid,users 0 0
    I tried different options (suid,users or without them) same results.
    I also tried to chown like this:
    chmod u+s mount.cifs
    But still no luck
    Need help please.

    It seems that mount.cifs will only let you mount at a directory that you are the owner of.  I think this may be changeable with the UID option but I have not figured it out.

  • [SOLVED] mount.cifs failing to mount after update to 3.8.x

    When trying to mount a CIFS share in Arch with kernel 3.8.3-2-ARCH, I get this:
    mount error(22): Invalid argument
    dmesg shows this:
    FS-Cache: Loaded
    FS-Cache: Netfs 'cifs' registered for caching
    Key type cifs.spnego registered
    Key type cifs.idmap registered
    For clarity, I'm running this command (and have tried many others):
    sudo mount.cifs //desktop/mydata /mnt/mydata -o user=me
    Also, I am able to browse this share properly with smbclient, and I'm also able to mount it in distributions using older kernels.
    I tested this on Ubuntu 13.04 as well, and the same problem happens there (also has kernel 3.8.x, so it seems likely that this is a kernel issue). From what I understand, portions of the mount.cifs client code were moved into the kernel recently, and the argument parser was overhauled at the same time (I found similar bug reports for Fedora, Gentoo, etc). Any ideas?
    SOLVED:
    The fix is to add "sec=ntlm" to the -o flag:
    sudo mount.cifs //desktop/mydata /mnt/mydata -o user=me,sec=ntlm
    Last edited by willroberts (2013-03-22 03:32:46)

    While the "Permission denied" error seems completely different from an "Invalid argument" error, adding sec=ntlm to my -o flag fixed my issue as well.
    For the record, I did search for my error message via Google, and got this:
    https://www.google.com/search?q=site%3A … today&tbm=
    No results for my "invalid argument" problem, but maybe that thread hasn't been indexed by Google yet. I'll try the built-in search next time. Most sites have notoriously awful built-in search, so I didn't even try.
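
An added example, not part of any post above: a small Python audit of fstab-format text that flags the CIFS options seen in these threads that weaken a mount (an inline password= in a file that is normally world-readable, the NTLMv1 workaround sec=ntlm, 0777 modes, suid), plus a permission check for a credentials= file. The sample fstab is constructed from the entries quoted in the threads; the function names and finding labels are this example's own.

```python
"""Audit CIFS entries in fstab-format text for risky mount options."""
import os
import stat

# Constructed sample, modelled on the fstab entries and mount commands
# quoted in the threads; it is not taken from any real system.
SAMPLE_FSTAB = """\
# <fs_spec> <fs_file> <vfstype> <options> <freq> <passno>
//192.168.2.1/Capsule /media/capsule cifs auto,noserverino,username=xxx,password=xxx,workgroup=WORKGROUP,iocharset=utf8,file_mode=0777,dir_mode=0777,suid,users 0 0
//desktop/mydata /mnt/mydata cifs user=me,sec=ntlm,noauto 0 0
//server/zawart /home/zawart/media cifs credentials=/etc/conf.d/zawart.cifs,uid=1000,gid=100,nosuid,noexec,noauto 0 0
//SERVERNAME/SHARE /mnt cifs sec=krb5,noauto 0 0
/dev/sda1 / ext4 defaults 0 1
"""

# sec= values that select NTLMv1 or LANMAN challenge-response.
LEGACY_SEC = {"ntlm", "ntlmi", "lanman"}


def parse_options(field):
    """Split an fstab option field into a {key: value-or-None} dict."""
    opts = {}
    for item in field.split(","):
        if not item:
            continue
        key, sep, value = item.partition("=")
        opts[key.lower()] = value if sep else None
    return opts


def audit_options(opts):
    """Return a list of finding labels for one CIFS entry's options."""
    findings = []
    if "password" in opts or "pass" in opts:
        findings.append("inline-password")      # secret sits in fstab itself
    sec = opts.get("sec")
    if sec in LEGACY_SEC:
        findings.append("legacy-sec")           # NTLMv1/LANMAN requested
    elif sec == "none":
        findings.append("anonymous-sec")        # null-user connection
    for key in ("file_mode", "dir_mode"):
        value = opts.get(key)
        if value is None:
            continue
        try:
            mode = int(value, 8)
        except ValueError:
            findings.append("unparsable-" + key)
            continue
        if mode & 0o002:                        # writable by "other"
            findings.append("world-writable-" + key)
    if "suid" in opts:
        findings.append("suid")                 # setuid bits on the share requested
    return findings


def audit_fstab(text):
    """Map mount point -> findings for every cifs/smb3 line with a finding."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("cifs", "smb3"):
            continue
        findings = audit_options(parse_options(fields[3]))
        if findings:
            report[fields[1]] = findings
    return report


def credentials_file_exposed(path):
    """True if a credentials= file grants any access to group or other."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


if __name__ == "__main__":
    for mountpoint, findings in audit_fstab(SAMPLE_FSTAB).items():
        print(mountpoint, ", ".join(findings))
```

To audit a real system, pass the contents of /etc/fstab to audit_fstab() and the path from each credentials= option to credentials_file_exposed().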

  • Mount cifs as user

    Hi,
    I'm trying to mount cifs as normal user using mount.cifs via fstab
    Here is my fstab entry:
    //server/zawart    /home/zawart/media    cifs    credentials=/etc/conf.d/zawart.cifs,uid=1000,forceuid,gid=100,rw,perm=0600,noexec,nosuid,user,iocharset=utf8,directio,noauto    0    0
    Here is what I get when I type mount ~/media as user zawart with uid 1000.
    This mount.cifs program has been built with the ability to run as a setuid root program disabled.
    So I read the man 8 mount.cifs and there is a note
    'This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled.
    I set it chmod a+s /sbin/mount.cifs and now it still doesn't mount anything but shows different message:
    This mount.cifs program has been built with the ability to run as a setuid root program disabled.
    mount.cifs has not been well audited for security holes. Therefore the Samba team does not recommend installing it as a setuid root program.
    Mounting it as root works but not as normal user, if you could help please leave a post here
    Last edited by zawart (2010-06-04 16:13:35)

    This is a security restriction with mount commands, so that only root can mount volumes. By default mount.cifs does not come with setuid enabled; you can however compile it yourself from sources and enable setuid for it.

  • Is it possible to configure Safari to support Kerberos ticket forwarding?

    I work in an environment that authenticates with Kerberos.  I would like to be able to use Safari in this environment but I am forced to use other browsers that support ticket forwarding.  It seems that Safari does support Kerberos authentication according to this support article http://support.apple.com/kb/HT5385?viewlocale=en_US&locale=en_US.  However, it fails to explain how to enable ticket forwarding.

    rdar://6644527: Kerberos ticket forwarding doesn't work in Safari
    FirefoxAuth - User Guides Wiki
