Ask Different (Apple)
Q&A for power users of Apple hardware and software
Latest Questions
0 votes · 1 answer · 39 views
MacOS + Kerberos PKINIT: What is the option to find certificates? kinit fails
Does anyone know the options for MacOS's customized `kinit` to find certificates?

I have PKINIT working in a Unix environment, however testing on MacOS I'm finding problems locating the certs when invoking `pkinit`. I tried adding a `.p12` to a custom keychain for the user's account, but `pkinit` fails, unable to find a matching cert. I know the OID is correct for `kinit` in Unix because I've tested it after following the PKINIT instructions on the MIT website.
Here are some log messages from MacOS:
```
env KRB5_TRACE=/dev/stdout kinit --kdc-hostname=XXX -C XX@REALM.ORG XX@REALM.ORG
set-error: 569873: Failed finding certificate with PKINIT EKU OID: Certificate not found
Failed finding certificate with PKINIT EKU OID: Certificate not found: 569873
set-error: 569873: Failed finding certificate with MS EKU OID: Certificate not found
Failed finding certificate with MS EKU OID: Certificate not found: 569873
set-error: 569873: Failed finding certificate with any (or no) OID: Certificate not found
Failed finding certificate with any (or no) OID: Certificate not found: 569873
Adding PA mech: PKINIT(IETF)
set-error: -1765328359: Error from KDC: NEEDED_PREAUTH
krb5_get_init_creds: KRB-ERROR -1765328359/Error from KDC: NEEDED_PREAUTH
set-error: -1980176575: PKINIT: No user certificate given
PA type PKINIT(IETF) returned -1980176575: PKINIT: No user certificate given
```
In Unix, I pass the certs as follows:
```
kinit -X509_user_identity="FILE:/client.pem,FILE:/clientkey.epm" -p XX
```
atod (77 rep) · Jul 29, 2025, 04:08 AM · Last activity: Jul 30, 2025, 01:18 PM
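The trace above shows three successive certificate lookups: one for a certificate carrying the PKINIT client EKU, then one for the Microsoft smart-card-logon EKU, then any certificate at all. Before looking for a keychain option, it is worth confirming which of those lookups the certificate can actually satisfy. The script below is an added example, not code from the original post or from Heimdal: it DER-encodes and decodes an `ExtendedKeyUsage` extension value with the standard library only and reports which lookup tier the EKU list would match. The OID constants are the standard ones (RFC 4556, RFC 5280, Microsoft); the sample EKU bytes are constructed here, not taken from any real certificate.

```python
"""Which PKINIT certificate-lookup tier does an EKU list satisfy?

Added example (not from the original post or from Heimdal). The OIDs below are
the standard ones; the EKU byte strings are constructed by the encoder here.
"""

PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"         # id-pkinit-KPClientAuth (RFC 4556)
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon
TLS_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"          # id-kp-clientAuth (RFC 5280)


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(n: int) -> bytes:
    """Base-128 sub-identifier encoding used inside OBJECT IDENTIFIER values."""
    out = bytearray([n & 0x7F])
    n >>= 7
    while n:
        out.insert(0, 0x80 | (n & 0x7F))
        n >>= 7
    return bytes(out)


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]   # first two arcs share one sub-id
    body = b"".join(_base128(s) for s in subids)
    return b"\x06" + _encode_len(len(body)) + body


def encode_eku(oids) -> bytes:
    """DER-encode ExtendedKeyUsage ::= SEQUENCE OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents back into dotted notation."""
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def parse_eku(der: bytes):
    """Return the dotted OIDs inside a DER ExtendedKeyUsage value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(val))
    return oids


def pkinit_lookup_tier(oids) -> str:
    """Mirror the three lookups in the trace: PKINIT EKU, then MS EKU, then any cert."""
    if PKINIT_CLIENT_AUTH in oids:
        return "pkinit-eku"
    if MS_SMARTCARD_LOGON in oids:
        return "ms-eku"
    return "any"


if __name__ == "__main__":
    for label, oids in [("pkinit", [TLS_CLIENT_AUTH, PKINIT_CLIENT_AUTH]),
                        ("smartcard", [MS_SMARTCARD_LOGON]),
                        ("tls-only", [TLS_CLIENT_AUTH])]:
        der = encode_eku(oids)
        print(label, der.hex(), parse_eku(der), pkinit_lookup_tier(parse_eku(der)))
```

For a real certificate the same check is `openssl x509 -in client.pem -noout -text`, reading the `X509v3 Extended Key Usage` block; a certificate stored in a keychain can be dumped to PEM with `security find-certificate -p` first. A certificate that only lands in the "any" tier is the one the trace would report as not found by the first two lookups.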
1 vote · 0 answers · 18 views
Kerberos + NFSv4 : file ownership nobody:nobody after mount?
Does anyone know why files are showing nobody:nobody ownership using Kerberos and secure NFSv4 with MacOS?

```
kinit user
mount -t nfs -o vers=4,sec=krb5 IP:/export/nfs-test /Volumes/export/mnt
```

I note that, if I create a file on the mount, on MacOS it is owned by `nobody`, but when I check on the NFSv4 server, it has the correct ownership `user`.

I'm not sure if this is some relationship between `idmapd`, the MacOS NFSv4 implementation or perhaps some infrastructure misconfiguration. I have a DNS server, however LDAP isn't configured. Perhaps there needs to be some GID/UID mapping on MacOS available via LDAP?
atod (77 rep) · Jul 29, 2025, 10:50 PM
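NFSv4 carries ownership on the wire as strings of the form `user@nfsv4domain` (RFC 7530), not as numeric UIDs, and each side maps those strings to local IDs independently. A string the client cannot map, either because the domain part is not the client's own NFSv4 domain or because the name is not a local account, falls back to `nobody`, while the server still resolves its own owner string correctly. That is exactly the asymmetry the question describes. The model below is an added example, not code from the original post or from any NFS implementation: the account table, domains and the mapping rules are constructed to show where `nobody` comes from.

```python
"""Model of NFSv4 owner-string mapping, to show where nobody:nobody comes from.

Added example, not from the original post. The passwd table, the domain names
and the simplified mapping rules are constructed for illustration.
"""

# macOS's nobody is uid -2, which as an unsigned uid_t is 4294967294; Linux uses 65534.
NOBODY_UID = 4294967294

# Constructed client-side account table (what the client's getpwnam() would answer).
CLIENT_PASSWD = {"user": 501, "admin": 502}


def nfs4_string_to_uid(owner: str, local_domain: str, passwd=CLIENT_PASSWD,
                       allow_numeric: bool = True) -> int:
    """Map an NFSv4 owner string to a local UID the way an idmapper would.

    Simplified rules: a purely numeric string is accepted as a raw UID when the
    client allows it; "name@domain" maps only when domain equals the client's
    configured NFSv4 domain (case-insensitive) and name is a local account;
    anything else becomes nobody.
    """
    if allow_numeric and owner.isdigit():
        return int(owner)
    name, sep, domain = owner.partition("@")
    if not sep or domain.lower() != local_domain.lower():
        return NOBODY_UID
    return passwd.get(name, NOBODY_UID)


def uid_to_nfs4_string(uid: int, local_domain: str, passwd=CLIENT_PASSWD) -> str:
    """Reverse direction: the owner string a client sends when it creates a file."""
    for name, local_uid in passwd.items():
        if local_uid == uid:
            return f"{name}@{local_domain}"
    return str(uid)            # unknown uid: fall back to a numeric string


def diagnose(owner: str, local_domain: str) -> str:
    """Explain a mapping result in the terms an admin would check."""
    uid = nfs4_string_to_uid(owner, local_domain)
    if uid != NOBODY_UID:
        return f"{owner} -> uid {uid}"
    name, _, domain = owner.partition("@")
    if domain and domain.lower() != local_domain.lower():
        return (f"{owner} -> nobody (client NFSv4 domain is '{local_domain}', "
                f"server sent '{domain}')")
    return f"{owner} -> nobody (no local account '{name}')"


if __name__ == "__main__":
    # Server sends user@example.org and the client is configured with that domain.
    print(diagnose("user@example.org", "example.org"))
    # Client's NFSv4 domain is something else: the classic nobody symptom.
    print(diagnose("user@example.org", "localdomain"))
    # Domain matches, but the account does not exist on the client.
    print(diagnose("atod@example.org", "example.org"))
```

Two checks follow from the model. `ls -ln` on the macOS mount shows whether the client is receiving a numeric owner it cannot resolve or has already fallen back to `nobody` (uid -2). The domain strings on both ends must agree: on a Linux server that is `Domain =` in `/etc/idmapd.conf`; on the macOS client the NFSv4 domain is configured in `/etc/nfs.conf` (see nfs.conf(5) on the version in use for the exact key; I am assuming it is settable there rather than asserting the key name). LDAP only matters insofar as the client must be able to resolve the name part to a local account.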
1 vote · 1 answer · 421 views
samba.org install on Monterey serving files with Active Directory binding
My basic requirement is to use a macOS Monterey machine as a server (without running macOS Server, which is deprecated) to host SMB shares while using Active Directory as my network accounts source (an Ubuntu server running Samba4 AD DC), and have users on other macOS machines log in using the Kerberos SSO Extension (in other words, without having to enter credentials for the shares). Seemed simple enough :)

For the server, I initially explored the built-in SMB setup in Monterey (ie: enabling "File Sharing") with the machine bound (authenticated bind) to the AD DC, but when trying to log in via SMB from the client machines (click on the server on the left of a Finder window), "Network Users" cannot see shares created by a local admin user (though the Kerberos SSO Extension handled passing the SSO credentials flawlessly). If I logged into the macOS Monterey server machine with an Active Directory account, it created a local home folder and then I could auto-log-in with the Kerberos SSO Extension for that same user as expected from a client machine (but could only see the home folder for that network user as a share - still couldn't see the ones that the local admin account created). Searched for a long time, tried lots of suggestions, but gave up on that option.
Figured I'd try installing samba from samba.org so I did a `brew install samba` on the Monterey server machine. I set it up similar to another SMB file server I have running on Ubuntu (eg: `security = ads`, configured `realm = AD.DOMAIN.COM`, etc.) but I seem to be unable to get it to talk to the AD DC server to validate user accounts. I get a lot of "`NT_STATUS_NO_LOGON_SERVERS`" in the debug log along with "`winbindd not running`" (which of course, doesn't appear to be available for macOS these days unless I've missed it). So - samba.org's implementation doesn't seem to pick up the methods Apple has used to get the Kerberos authentication and domain binding working despite having done that AD authenticated bind on the server machine and seeing proper output from `sudo ktutil list` (even when configuring the smb.conf to include `password server = dc.ad.domain.com`), and I don't seem to be able to figure out what those underlying components are without spending significantly more time here. (I did notice that Homebrew's formula code for samba compiled it by default using `--without-ads`, which was problem #7 or #8 I stumbled upon - which told me that the formula trimmed samba down to the basics to get it to compile on a Mac.)

I've spent quite a bit of time searching for others who may have documented this same setup (host SMB shares on a Mac using AD as the source for network accounts and the Kerberos SSO Extension as the macOS client's authentication method (though I'd settle for simply entering a username/password and saving that to the keychain)) to no avail. Searching for macOS and samba brings up a lot of stuff all the way back to 2004 (making it harder to sift through, as some of the older items are no longer relevant).
**Question:**
Rather than troubleshooting my setup, config files, etc. (which might take a while), I'm wondering if anyone can point me to a documented setup like this that they've seen that someone has managed to get working? I've just about exhausted the ways in which I can search for this setup. (I realize this looks like an ask to do my searching for me, but I'm really just looking to see if someone already has this running and can share a few tricks they used to get it going that I may not have run across yet - if my pain sounds familiar).
Failing that, perhaps I'll start a new post with lots of detail on my two approaches here (including what I've already tried over the last few weeks) to see if I've missed something. I know - trying to get a mac to host a robust samba file server is probably not the best idea (but I'll cling to that requirement for a while longer before I elect to go with another option).
Thank you in advance!
64questions (11 rep) · Feb 12, 2023, 04:24 AM · Last activity: Jul 2, 2025, 05:04 AM
0 votes · 0 answers · 1073 views
How do I restart Kerberos
What OS process can I kill or force quit to terminate Kerberos? It's gotten into some bad state where choosing `Sign in` only brings up an empty white box (missing the normal prompts inside).

I use Kerberos with a SmartCard on a regular basis. My IT coordinator informed me that my PIV certificate was expiring soon. To check the exact date, I did a `Sign out`, and then clicked `Sign in` - so far, so good - in the expected pop-up window, I clicked my certificate and clicked `inspect`, finding that its end date is not until the end of October.

But after the certificate inspection and closing that window, I can't log in to Kerberos; I just get the blank pop-up window. I don't see a clear way to restart the process, either from the icon dropdown on the menu bar, or from Activity Monitor (I can restart my Mac, I just prefer not to). It must be a running process, but none of the names jump out at me as being for Kerberos. I'm running Ventura 13.5.
Randall (137 rep) · Sep 14, 2023, 02:17 PM
6 votes · 2 answers · 1640 views
SMB and AFP work for guest and Administrator but not other users
I'm having a problem getting file sharing to work between my MBPr and Mac Mini, here's a history of what I've tried:
I have a MacBook Pro (Retina, 15-inch, Late 2013) running El Cap 10.11.1 (15B42) and recently acquired a Mac mini Server (Mid 2011) from my Aunty that was running an ancient version of OSX (and Server) that I upgraded to El Cap 10.11.1 (15B42). (probably irrelevant: The server came with an administrator account for my Aunty in her name that I haven't gotten rid of)
After upgrading I created a new account for myself (Derwent) from the administrator account with (Admin access, local authentication) and signed in with my Apple ID, then enabled SMB and AFP File Sharing for all accounts, ensuring my account, Derwent had access to a folder called Movies.
I could access this share remotely using SMB and AFP with the guest account, and with the administrator account, using terminal and Finder but no matter what I did, I couldn't access it using Derwent. I could also access my MBPr from my mini using Guest, Administrator and local authentication just fine.
I created a new standard account `test` with the password `test`, so that I was sure that I was getting the password correct (this account was not signed in to any Apple ID), and still it wouldn't work.
Here are some dumps of my console with different access methods.
**Browsing to the share in Finder directly, and using "Connect as"**
Get error message:
Access to your account on the server “minimac” has been denied.
Console dump on server end:
Dec 1 00:24:53 minimac kdc: Got a canonicalize request for a LKDC realm from local-ipc
Dec 1 00:24:53 minimac kdc: LKDC referral to the real LKDC realm name
Dec 1 00:24:53 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:24:53 --- last message repeated 1 time ---
Dec 1 00:24:53 minimac kdc: Client sent patypes: REQ-ENC-PA-REP
Dec 1 00:24:53 minimac kdc: SRP announcing message of size 52
Dec 1 00:24:53 minimac kdc: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Dec 1 00:24:53 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:24:53 --- last message repeated 1 time ---
Dec 1 00:24:53 minimac kdc: Client sent patypes: SRP, REQ-ENC-PA-REP, FX-COOKIE
Dec 1 00:24:53 minimac kdc: SRP step 1
Dec 1 00:24:53 minimac kdc: ccsrp server start for user: test
Dec 1 00:24:53 minimac kdc: FAST factor needs more preauth data, feed it
Dec 1 00:24:53 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:24:53 --- last message repeated 1 time ---
Dec 1 00:24:53 minimac kdc: Client sent patypes: SRP, REQ-ENC-PA-REP, FX-COOKIE
Dec 1 00:24:53 minimac kdc: SRP step 2
Dec 1 00:24:53 minimac kdc: SRP pre-authentication succeeded -- test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:24:53 minimac kdc: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Dec 1 00:24:53 minimac kdc: Requested flags: canonicalize
Dec 1 00:24:53 minimac kdc: Client uses FAST
Dec 1 00:24:53 minimac kdc: FAST strengthen reply key with strengthen-key
Dec 1 00:24:53 minimac kdc: TGS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for cifs/localhost@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D [canonicalize]
Dec 1 00:24:53 minimac kdc: FAST armor protection
Dec 1 00:24:53 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
Dec 1 00:24:53 minimac digest-service: label: default
Dec 1 00:24:53 minimac digest-service: dbname: od:/Local/Default
Dec 1 00:24:53 minimac digest-service: mkey_file: /var/db/krb5kdc/m-key
Dec 1 00:24:53 minimac digest-service: acl_file: /var/db/krb5kdc/kadmind.acl
Dec 1 00:24:53 minimac digest-service: digest-request: uid=0
Dec 1 00:24:53 minimac digest-service: digest-request: netr probe 0
Dec 1 00:24:53 minimac digest-service: digest-request: init request
Dec 1 00:24:53 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:24:53 minimac digest-service: digest-request: uid=0
Dec 1 00:24:53 minimac digest-service: digest-request: init request
Dec 1 00:24:53 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:24:53 minimac digest-service: digest-request: uid=0
Dec 1 00:24:53 minimac digest-service: digest-request: od failed with -1561745588 proto=ntlmv2
Dec 1 00:24:53 minimac digest-service: digest-request: user=MINIMAC\test
Dec 1 00:24:53 minimac digest-service: digest-request kdc: ok user=MINIMAC\test proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
Dec 1 00:24:53 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
Dec 1 00:24:53 minimac digest-service: digest-request: uid=0
Dec 1 00:24:53 minimac digest-service: digest-request: init request
Dec 1 00:24:53 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:24:53 minimac digest-service: digest-request: uid=0
Dec 1 00:24:53 minimac digest-service: digest-request: init request
Dec 1 00:24:53 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:24:53 minimac digest-service: digest-request: uid=0
Dec 1 00:24:53 minimac digest-service: digest-request: od failed with -1561745588 proto=ntlmv2
Dec 1 00:24:53 minimac digest-service: digest-request: user=MINIMAC\test
Dec 1 00:24:53 minimac digest-service: digest-request kdc: ok user=MINIMAC\test proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
Dec 1 00:24:53 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
**using Finder, afp://test:test@minimac.local/Movies**
Dec 1 00:12:15 minimac kdc: Got a canonicalize request for a LKDC realm from local-ipc
Dec 1 00:12:15 minimac kdc: LKDC referral to the real LKDC realm name
Dec 1 00:12:15 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:12:15 --- last message repeated 1 time ---
Dec 1 00:12:15 minimac kdc: Client sent patypes: REQ-ENC-PA-REP
Dec 1 00:12:15 minimac kdc: SRP announcing message of size 52
Dec 1 00:12:15 minimac kdc: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Dec 1 00:12:15 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:12:15 --- last message repeated 1 time ---
Dec 1 00:12:15 minimac kdc: Client sent patypes: SRP, REQ-ENC-PA-REP, FX-COOKIE
Dec 1 00:12:15 minimac kdc: SRP step 1
Dec 1 00:12:15 minimac kdc: ccsrp server start for user: test
Dec 1 00:12:15 minimac kdc: FAST factor needs more preauth data, feed it
Dec 1 00:12:15 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:12:15 --- last message repeated 1 time ---
Dec 1 00:12:15 minimac kdc: Client sent patypes: SRP, REQ-ENC-PA-REP, FX-COOKIE
Dec 1 00:12:15 minimac kdc: SRP step 2
Dec 1 00:12:15 minimac kdc: SRP pre-authentication succeeded -- test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:12:15 minimac kdc: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Dec 1 00:12:15 minimac kdc: Requested flags: canonicalize
Dec 1 00:12:15 minimac kdc: Client uses FAST
Dec 1 00:12:15 minimac kdc: FAST strengthen reply key with strengthen-key
Dec 1 00:12:15 minimac kdc: TGS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for afpserver/localhost@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D [canonicalize]
Dec 1 00:12:15 minimac kdc: FAST armor protection
Dec 1 00:12:19 minimac WindowServer: send_datagram_available_ping: pid 534 failed to act on a ping it dequeued before timing out.
**Using Finder, smb://test:test@minimac.local/Movies**
Dec 1 00:18:05 minimac digest-service: label: default
Dec 1 00:18:05 minimac digest-service: dbname: od:/Local/Default
Dec 1 00:18:05 minimac digest-service: mkey_file: /var/db/krb5kdc/m-key
Dec 1 00:18:05 minimac digest-service: acl_file: /var/db/krb5kdc/kadmind.acl
Dec 1 00:18:05 minimac digest-service: digest-request: uid=0
Dec 1 00:18:05 minimac digest-service: digest-request: netr probe 0
Dec 1 00:18:05 minimac digest-service: digest-request: init request
Dec 1 00:18:05 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:18:05 minimac digest-service: digest-request: uid=0
Dec 1 00:18:05 minimac digest-service: digest-request: init request
Dec 1 00:18:05 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:18:05 minimac kdc: Got a canonicalize request for a LKDC realm from local-ipc
Dec 1 00:18:05 minimac kdc: LKDC referral to the real LKDC realm name
Dec 1 00:18:05 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:18:05 --- last message repeated 1 time ---
Dec 1 00:18:05 minimac kdc: Client sent patypes: REQ-ENC-PA-REP
Dec 1 00:18:05 minimac kdc: SRP announcing message of size 52
Dec 1 00:18:05 minimac kdc: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Dec 1 00:18:05 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:18:05 --- last message repeated 1 time ---
Dec 1 00:18:05 minimac kdc: Client sent patypes: SRP, REQ-ENC-PA-REP, FX-COOKIE
Dec 1 00:18:05 minimac kdc: SRP step 1
Dec 1 00:18:05 minimac kdc: ccsrp server start for user: test
Dec 1 00:18:05 minimac kdc: FAST factor needs more preauth data, feed it
Dec 1 00:18:05 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:18:05 --- last message repeated 1 time ---
Dec 1 00:18:05 minimac kdc: Client sent patypes: SRP, REQ-ENC-PA-REP, FX-COOKIE
Dec 1 00:18:05 minimac kdc: SRP step 2
Dec 1 00:18:05 minimac kdc: SRP pre-authentication succeeded -- test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:18:05 minimac kdc: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Dec 1 00:18:05 minimac kdc: Requested flags: canonicalize
Dec 1 00:18:05 minimac kdc: Client uses FAST
Dec 1 00:18:05 minimac kdc: FAST strengthen reply key with strengthen-key
Dec 1 00:18:05 minimac kdc: TGS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for cifs/localhost@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D [canonicalize]
Dec 1 00:18:05 minimac kdc: FAST armor protection
Dec 1 00:18:05 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
Dec 1 00:18:05 minimac digest-service: digest-request: uid=0
Dec 1 00:18:05 minimac digest-service: digest-request: init request
Dec 1 00:18:05 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:18:05 minimac digest-service: digest-request: uid=0
Dec 1 00:18:05 minimac digest-service: digest-request: init request
Dec 1 00:18:05 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:18:05 minimac digest-service: digest-request: uid=0
Dec 1 00:18:05 minimac digest-service: digest-request: od failed with -1561745588 proto=ntlmv2
Dec 1 00:18:05 minimac digest-service: digest-request: user=MINIMAC\test
Dec 1 00:18:05 minimac digest-service: digest-request kdc: ok user=MINIMAC\test proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
Dec 1 00:18:05 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
Dec 1 00:18:05 minimac digest-service: digest-request: uid=0
Dec 1 00:18:05 minimac digest-service: digest-request: init request
Dec 1 00:18:05 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:18:05 minimac digest-service: digest-request: uid=0
Dec 1 00:18:05 minimac digest-service: digest-request: init request
Dec 1 00:18:05 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:18:05 minimac digest-service: digest-request: uid=0
Dec 1 00:18:05 minimac digest-service: digest-request: od failed with -1561745588 proto=ntlmv2
Dec 1 00:18:05 minimac digest-service: digest-request: user=MINIMAC\test
Dec 1 00:18:05 minimac digest-service: digest-request kdc: ok user=MINIMAC\test proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
Dec 1 00:18:05 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
Dec 1 00:18:08 minimac WindowServer: send_datagram_available_ping: pid 534 failed to act on a ping it dequeued before timing out.
**Using Finder, cifs://test:test@minimac.local/Movies**
Dec 1 00:31:20 minimac kdc: Got a canonicalize request for a LKDC realm from local-ipc
Dec 1 00:31:20 minimac kdc: LKDC referral to the real LKDC realm name
Dec 1 00:31:20 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:31:20 --- last message repeated 1 time ---
Dec 1 00:31:20 minimac kdc: Client sent patypes: REQ-ENC-PA-REP
Dec 1 00:31:20 minimac kdc: SRP announcing message of size 52
Dec 1 00:31:20 minimac kdc: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Dec 1 00:31:20 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:31:20 --- last message repeated 1 time ---
Dec 1 00:31:20 minimac kdc: Client sent patypes: SRP, REQ-ENC-PA-REP, FX-COOKIE
Dec 1 00:31:20 minimac kdc: SRP step 1
Dec 1 00:31:20 minimac kdc: ccsrp server start for user: test
Dec 1 00:31:21 minimac kdc: FAST factor needs more preauth data, feed it
Dec 1 00:31:21 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:31:21 --- last message repeated 1 time ---
Dec 1 00:31:21 minimac kdc: Client sent patypes: SRP, REQ-ENC-PA-REP, FX-COOKIE
Dec 1 00:31:21 minimac kdc: SRP step 2
Dec 1 00:31:21 minimac kdc: SRP pre-authentication succeeded -- test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:31:21 minimac kdc: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Dec 1 00:31:21 minimac kdc: Requested flags: canonicalize
Dec 1 00:31:21 minimac kdc: Client uses FAST
Dec 1 00:31:21 minimac kdc: FAST strengthen reply key with strengthen-key
Dec 1 00:31:21 minimac kdc: TGS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for cifs/localhost@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D [canonicalize]
Dec 1 00:31:21 minimac kdc: FAST armor protection
Dec 1 00:31:21 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
Dec 1 00:31:21 minimac digest-service: label: default
Dec 1 00:31:21 minimac digest-service: dbname: od:/Local/Default
Dec 1 00:31:21 minimac digest-service: mkey_file: /var/db/krb5kdc/m-key
Dec 1 00:31:21 minimac digest-service: acl_file: /var/db/krb5kdc/kadmind.acl
Dec 1 00:31:21 minimac digest-service: digest-request: uid=0
Dec 1 00:31:21 minimac digest-service: digest-request: netr probe 0
Dec 1 00:31:21 minimac digest-service: digest-request: init request
Dec 1 00:31:21 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:31:21 minimac digest-service: digest-request: uid=0
Dec 1 00:31:21 minimac digest-service: digest-request: init request
Dec 1 00:31:21 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:31:21 minimac digest-service: digest-request: uid=0
Dec 1 00:31:21 minimac digest-service: digest-request: od failed with -1561745588 proto=ntlmv2
Dec 1 00:31:21 minimac digest-service: digest-request: user=MINIMAC\test
Dec 1 00:31:21 minimac digest-service: digest-request kdc: ok user=MINIMAC\test proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
Dec 1 00:31:21 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
Dec 1 00:31:21 minimac digest-service: digest-request: uid=0
Dec 1 00:31:21 minimac digest-service: digest-request: init request
Dec 1 00:31:21 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:31:21 minimac digest-service: digest-request: uid=0
Dec 1 00:31:21 minimac digest-service: digest-request: init request
Dec 1 00:31:21 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:31:21 minimac digest-service: digest-request: uid=0
Dec 1 00:31:21 minimac digest-service: digest-request: od failed with -1561745588 proto=ntlmv2
Dec 1 00:31:21 minimac digest-service: digest-request: user=MINIMAC\test
Dec 1 00:31:21 minimac digest-service: digest-request kdc: ok user=MINIMAC\test proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
Dec 1 00:31:21 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
Dec 1 00:31:49 minimac kdc: Got a canonicalize request for a LKDC realm from local-ipc
Dec 1 00:31:49 minimac kdc: LKDC referral to the real LKDC realm name
Dec 1 00:31:49 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:31:49 --- last message repeated 1 time ---
Dec 1 00:31:49 minimac kdc: Client sent patypes: REQ-ENC-PA-REP
Dec 1 00:31:49 minimac kdc: SRP announcing message of size 52
Dec 1 00:31:49 minimac kdc: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Dec 1 00:31:49 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:31:49 --- last message repeated 1 time ---
Dec 1 00:31:49 minimac kdc: Client sent patypes: SRP, REQ-ENC-PA-REP, FX-COOKIE
Dec 1 00:31:49 minimac kdc: SRP step 1
Dec 1 00:31:49 minimac kdc: ccsrp server start for user: test
Dec 1 00:31:49 minimac kdc: FAST factor needs more preauth data, feed it
Dec 1 00:31:49 minimac kdc: AS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for krbtgt/LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:31:49 --- last message repeated 1 time ---
Dec 1 00:31:49 minimac kdc: Client sent patypes: SRP, REQ-ENC-PA-REP, FX-COOKIE
Dec 1 00:31:49 minimac kdc: SRP step 2
Dec 1 00:31:49 minimac kdc: SRP pre-authentication succeeded -- test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D
Dec 1 00:31:49 minimac kdc: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Dec 1 00:31:49 minimac kdc: Requested flags: canonicalize
Dec 1 00:31:49 minimac kdc: Client uses FAST
Dec 1 00:31:49 minimac kdc: FAST strengthen reply key with strengthen-key
Dec 1 00:31:49 minimac kdc: TGS-REQ test@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D from local-ipc for cifs/localhost@LKDC:SHA1.861AE3F013165CCB522112A9BD16DAE8ED59CC1D [canonicalize]
Dec 1 00:31:49 minimac kdc: FAST armor protection
Dec 1 00:31:49 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
Dec 1 00:31:49 minimac digest-service: digest-request: uid=0
Dec 1 00:31:49 minimac digest-service: digest-request: init request
Dec 1 00:31:49 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:31:49 minimac digest-service: digest-request: uid=0
Dec 1 00:31:49 minimac digest-service: digest-request: init request
Dec 1 00:31:49 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:31:49 minimac digest-service: digest-request: uid=0
Dec 1 00:31:49 minimac digest-service: digest-request: od failed with -1561745588 proto=ntlmv2
Dec 1 00:31:49 minimac digest-service: digest-request: user=MINIMAC\test
Dec 1 00:31:49 minimac digest-service: digest-request kdc: ok user=MINIMAC\test proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
Dec 1 00:31:49 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
Dec 1 00:31:49 minimac digest-service: digest-request: uid=0
Dec 1 00:31:49 minimac digest-service: digest-request: init request
Dec 1 00:31:49 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:31:49 minimac digest-service: digest-request: uid=0
Dec 1 00:31:49 minimac digest-service: digest-request: init request
Dec 1 00:31:49 minimac digest-service: digest-request: init return domain: MINIMAC server: MINIMAC indomain was:
Dec 1 00:31:49 minimac digest-service: digest-request: uid=0
Dec 1 00:31:49 minimac digest-service: digest-request: od failed with -1561745588 proto=ntlmv2
Dec 1 00:31:49 minimac digest-service: digest-request: user=MINIMAC\test
Dec 1 00:31:49 minimac digest-service: digest-request kdc: ok user=MINIMAC\test proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
Dec 1 00:31:50 minimac smbd: check_account - :[permission denied] pam_acct_mgmt
I don't really understand these messages but hopefully someone with more experience will.
**Edit for clarification:**
| account name | privileges | appleID | machine |
|---|---|---|---|
| derwent | Admin | derwent | minimac |
| administrator | Admin | - | minimac |
| test | Standard | - | minimac |
| jacq (deleted) | Admin | jacq | minimac |
| derwent | Admin | derwent | ich |

| machine | share | user | access |
|---|---|---|---|
| minimac | Movies | derwent | read & write |
| minimac | Movies | test | read only |
| minimac | Movies | Everyone | read only |
Derwent
(189 rep)
Nov 30, 2015, 04:40 PM
• Last activity: May 18, 2022, 04:08 PM
0 votes, 1 answer, 39 views
Kerberos and macOS: kinit unable to reach any KDC in realm AD.DOMAIN.COM, tried 10 KDCs
In our organization, we have 25 Active Directory Domain Controllers.
For our big sites, we have 2 DC per site.
We have about 50 MacBooks, with the rest being Windows laptops that don't have the same issue at all.
Users sometimes move from one site to another one so we can't just force one or two DC.
In our organization, LDAP and Kerberos protocols are blocked by firewall except to the site Domain Controller.
I'm trying to configure **Kerberos SSO Extension** through Airwatch but unfortunately I can't log in with my credentials. So I tested manually with kinit and I saw this:
me@MAC ~ % kinit me@SUB.AD.DOMAIN
me@SUB.AD.DOMAIN's password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm SUB.AD.DOMAIN, tried 10 KDCs
I checked on our firewall and I saw that it tried to connect to 10 different DCs but not the right one, and since it says "tried 10 KDCs" I can only conclude that it didn't try the one I want it to use.
MacBooks aren't bound to the AD and are used with local accounts.
My question is, is there a way to make Kerberos try ALL the KDCs in the realm and not just 10? If so, is there a way to set it in the Airwatch profile I made?
Or is there a way for macOS to understand which site they're located in and connect to the right Domain Controller instead of trying 10 bad DCs on the list and then giving up?
Of course the easiest option would be to just open the firewall and let all LDAP / Kerberos packets pass through. I tried that and it worked, but we don't want to do that for security reasons.
Considering how specific this question is I don't have a lot of hope but hey ... never try never knows.
Xavier
(1 rep)
Mar 9, 2022, 12:33 PM
• Last activity: Mar 9, 2022, 01:57 PM
0 votes, 0 answers, 2660 views
Error when creating Kerberos ticket: "unable to reach any KDC"
Do you know why I have this message when I use `kinit`?
kinit: krb5_get_init_creds: unable to reach any KDC in realm LOCAL, tried 0 KDCs
Thanks.
Itsme
(1 rep)
Oct 17, 2021, 03:55 PM
• Last activity: Oct 17, 2021, 04:03 PM
0 votes, 0 answers, 3162 views
Cannot change admin account password on company-provided laptop
I have a macbook pro running macOS Big Sur 11.1 that was given to me by my former employer. They allowed me to keep the laptop after I left the company. When I try changing my password, I get this error:
![enter image description here](https://i.sstatic.net/zvsjM.png)
I understand that my company's network administration setup still has its tentacles in my machine. This is the output from `klist`:
Credentials cache: API:9F3BD780-2620-4574-A37D-C745AC9FBCA5
Principal: my.username@company.domain.name
Issued Expires Principal
How do I change my password?
Zane Bradley
(1 rep)
Dec 24, 2020, 12:49 AM
0 votes, 1 answer, 294 views
How to kerberize services on Mac bound to Kerberos KDC on Linux?
I'm trying to kerberize services on an iMac that is bound to an external Kerberos KDC on a Linux computer.
I assume that I have to use `sso_util` and do it like this:
sso_util configure -v 7 -r EXAMPLE.COM -f /LDAPv3/kdc.example.com -a diradmin/admin all
where EXAMPLE.COM is the name of the realm and kdc.example.com is the Linux computer which hosts LDAP and Kerberos.
I get the following error message:
GetRealmFromDir: looking up the realm name in the KerberosKDC config record in node
/LDAPv3/ldap.keps.de
GetRealmFromDir: Couldn't get attributes of kerberoskdc record
GetRealmFromDir: didn't find a KerberosKDC record, looking in the KerberosClient record
GetConfigFromDir: failed to find the KerberosClient config record in the directory error = 4101
GetRealmFromDir: didn't find a KerberosClient record either, returning NULL
GetRealmFromDir: realm is :(null)
Invalid Realm Name
It looks like I must put some configuration data in the LDAP database but what data according to what schema?
blaschep
(1 rep)
Jun 7, 2020, 07:54 PM
• Last activity: Nov 4, 2020, 09:00 PM
9 votes, 1 answer, 35495 views
kinit: krb5_get_init_creds: unable to reach any KDC in realm LOCAL
How am I supposed to configure Kerberos on OS X 10.8? I heard that this should work by default, just by calling `kinit` once.
Still, I am on the corporate network (not joined to any domain) and run `kinit`.
All I got was `kinit: krb5_get_init_creds: unable to reach any KDC in realm LOCAL`
Note: I do want to make it work without having to join the Windows domain.
`/var/log/opendirectory.log` shows:
2012-09-05 14:05:16.600904 BST - 81.144675 - Client: mds, UID: 0, EUID: 0, GID: 0, EGID: 0 2012-09-05 14:05:16.600904 BST - 81.144675, Module: SystemCache - Misconfiguration detected - Failed to insert key 'ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000037' for entry '0x7fbf0fa01140' into hash 'UUID' as 'non-authoritative'
sorin
(31160 rep)
Sep 5, 2012, 02:02 PM
• Last activity: Oct 21, 2019, 06:26 PM
1 vote, 2 answers, 1314 views
Windows authentication to sql server
I need to connect to sql server using Windows authentication on a mac.
I want to use `kinit` but I have a problem with generating the DC name.
On Windows I ran the command: `nltest /dsgetdc:xx.xx.com`
And the output is:
GETTING DS NAME FAILED: STATUS = 1355 0X54B ERROR_NO_SUCH_DOMAIN.
I can log into this server on windows using SQL Server Management Studio so I know the account I want to use is working for the level of access I want to grant.
How can I connect with this server to get kerberos tickets / use an AD account in general with Finder to mount shares?
CezarySzulc
(111 rep)
Sep 20, 2018, 10:54 AM
• Last activity: Sep 20, 2018, 06:46 PM
5 votes, 3 answers, 4889 views
macOS Sierra broke SSH Kerberos authentication
I have used Kerberos GSSAPI authentication together with SSH to connect from my Mac to work servers. However, ever since the macOS Sierra upgrade, I'm forced to enter passwords again.
My `~/.ssh/config` looks like this:
Host MYSERVER
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
I originally had `GSSAPITrustDns yes` there as well, but after the Sierra upgrade, SSH refused to start up saying that it could not parse the config. Removing the line fixed that.
Is there any way to get this working again?
Petr Mánek
(151 rep)
Oct 12, 2016, 09:38 AM
• Last activity: Oct 4, 2017, 06:20 PM
0 votes, 1 answer, 1246 views
Mount password protected Samba share with Kerberos ticket
My iMac is connected to the Active Directory server, with no additional GID and UID setup, I can login to the OS X using AD user credentials, but I also need to mount the Desktops and probably other shares.
The problem is that I use Linux hosted Samba servers, and I need to push the Desktop's share path to the OS X clients somehow. I can mount that using OS X's Samba client, but I need to do that automatically. As I'm already authenticated against AD, there must be a way to use my Kerberos ticket to access the share without a password, isn't there?
Some guys say that it is possible with passwords stored in the keychain, but I don't quite get it: when are passwords stored in the keychain? Should I add it once, and will that work forever?
Edik Mkoyan
(113 rep)
Dec 13, 2016, 01:32 PM
• Last activity: May 5, 2017, 03:10 PM
1 vote, 0 answers, 252 views
How do I configure Google Chrome to auto-reload refreshed kerberos tickets?
Current behaviour of Chrome on macOS is that you have to restart the entire browser if your Kerberos ticket expired and was renewed.
It seems that Chrome is using the Kerberos ticket that existed at the moment Chrome started, but if in the meantime that ticket expired and was renewed, you have to restart the browser.
sorin
(31160 rep)
Dec 7, 2016, 08:50 AM
• Last activity: Dec 7, 2016, 08:56 AM
0 votes, 1 answer, 920 views
Kerberos password
First of all, I have no idea how Kerberos ended up on my Mac. I have tried to reset its password but I don't even know what ID to use. So, please, how do I reset the Kerberos password when I have no clue which server it is connecting to?
I am running El Capitan 10.11.3 on MacBook Pro.
No. I don't know Kerberos password. :(
pie
(39 rep)
Mar 2, 2016, 11:29 PM
• Last activity: Mar 3, 2016, 10:48 PM
0 votes, 1 answer, 1944 views
How to implement SSO on Mac and IPAD
We have a web application that uses SSO to authenticate users. On Windows everything works well. Now the question is how to make it work on OSX and IPAD? Is this possible in principle? I don't have much experience with OSX. Any help would be useful.
larinje
(3 rep)
Jan 19, 2016, 02:13 PM
• Last activity: Jan 19, 2016, 02:36 PM
0 votes, 2 answers, 2298 views
com.apple.quicklook.satellite problem with CoreData on Networked Home Directories
I have a fully controllable test network set up to work this issue I've had each time I set up my SOHO network. The network now consists of a 2010 MacMini server, using RAID0, running 10.9.4 and Server 3.1.2. I have recreated this server several times without improvement to the problems. I've made the configuration very simple. The server is currently providing DNS, DHCP, FileSharing of Users' home directories, and OD. The OD only has two test users added, no other mods have been made except global password policies.
The workstation I am testing from is a 2012 MacMini that I have imaged with Mavericks 10.9.4. This workstation is connected with Cat 6 cable to the server through a DLink Router; the wi-fi is disabled. The problem also exists when using a Linksys router with wi-fi turned on.
Both computers have hardwired keyboards and mice. Bluetooth has been turned off.
The workstation has been bound to the server using both name and ip address, and with and without authentication and SSL.
The problem is that each time a networked user allows a vCard to be processed by Quicklook, the system goes ugly immediately, mostly with com.apple.quicklook.satellite errors. Sample of the log:
8/7/14 8:10:04.523 AM com.apple.quicklook.satellite: CoreData: error: (3) access permission denied
8/7/14 8:10:04.527 AM com.apple.quicklook.satellite: Unknown error reading database file, will attempt reimporting: Error Domain=NSCocoaErrorDomain Code=256 "The file couldn’t be opened." UserInfo=0x7fc7d3c493c0 {NSSQLiteErrorDomain=3, NSUnderlyingException=error during execution of SQL string 'pragma journal_mode=wal' : access permission denied} {
NSSQLiteErrorDomain = 3;
NSUnderlyingException = "error during execution of SQL string 'pragma journal_mode=wal' : access permission denied";
}
8/7/14 8:10:04.528 AM com.apple.quicklook.satellite: Move Address Book store at /Network/Servers/server.sub.domain.net/Users/testuser/Library/Application Support/AddressBook/AddressBook-v22.abcddb to /Network/Servers/server.sub.domain.net/Users/testuser/Library/Application Support/AddressBook/AddressBook-v22.abcddb.3496356E-319C-4176-BFB9-19D8BB7D9900.unknown
8/7/14 8:10:04.581 AM com.apple.quicklook.satellite: Could not replace store at file:///Network/Servers/server.sub.domain.net/Users/testuser/Library/Application%20Support/AddressBook/AddressBook-v22.abcddb.3496356E-319C-4176-BFB9-19D8BB7D9900.unknown from file:///Network/Servers/server.sub.domain.net/Users/testuser/Library/Application%20Support/AddressBook/AddressBook-v22.abcddb: Error Domain=NSSQLiteErrorDomain Code=3 "The operation couldn’t be completed. (NSSQLiteErrorDomain error 3.)" UserInfo=0x7fc7d3f00620 {NSFilePath=/Network/Servers/server.sub.domain.net/Users/testuser/Library/Application Support/AddressBook/AddressBook-v22.abcddb.3496356E-319C-4176-BFB9-19D8BB7D9900.unknown, reason=Failed to replace destination database} {
NSFilePath = "/Network/Servers/server.sub.domain.net/Users/testuser/Library/Application Support/AddressBook/AddressBook-v22.abcddb.3496356E-319C-4176-BFB9-19D8BB7D9900.unknown";
reason = "Failed to replace destination database";
}
8/7/14 8:10:04.654 AM com.apple.quicklook.satellite: CoreData: error: (3) access permission denied
8/7/14 8:10:04.657 AM com.apple.quicklook.satellite: 0x7fc7d3c278b0: ManagedObjectContext (ABAddressBook) could not create the store at path: - creation error: Error Domain=NSCocoaErrorDomain Code=256 "The file couldn’t be opened." UserInfo=0x7fc7d3f0e830 {NSSQLiteErrorDomain=3, NSUnderlyingException=error during prepareSQL for SQL string 'pragma auto_vacuum=2' : access permission denied} {
NSSQLiteErrorDomain = 3;
NSUnderlyingException = "error during prepareSQL for SQL string 'pragma auto_vacuum=2' : access permission denied";
}
8/7/14 8:10:04.659 AM com.apple.quicklook.satellite: *** attempt to post distributed notification 'ABWillRestoreFromMetadataPriv' thwarted by sandboxing.
Date/Time: Thu Aug 7 08:10:04 2014
OS Version: 13E28
Application: com.apple.quicklook.satellite
Backtrace:
0 CoreFoundation 0x00007fff914af312 __CFGenerateReport + 242
1 CoreFoundation 0x00007fff91322052 _CFXNotificationPost + 882
2 Foundation 0x00007fff8dfc4804 -[NSDistributedNotificationCenter postNotificationName:object:userInfo:options:] + 73
3 AddressBook 0x00007fff8bbe090f -[ABAddressBook nts_RestoreFromMetaDataIfNeededAndTriggerSync:] + 209
4 AddressBook 0x00007fff8bb4aca9 -[ABAddressBook nts_RestoreFromMetaDataIfNeeded] + 22
5 AddressBook 0x00007fff8bb4ac39 -[ABAddressBook nts_DoInitialImports] + 157
6 AddressBook 0x00007fff8bb4713f ABRunWithLock + 166
7 AddressBook 0x00007fff8bb44994 +[ABAddressBook nts_SharedAddressBook] + 129
8 AddressBook 0x00007fff8bb4486e +[ABAddressBook nts_CreateSharedAddressBook] + 49
9 AddressBook 0x00007fff8bb446e1 +[ABAddressBook sharedAddressBook] + 69
10 AddressBook 0x00007fff8bb445f7 +[ABAddressBook addressBookWithDatabaseDirectory:options:] + 56
11 AddressBook 0x00007fff8bbb436a +[ABAddressBook(ABAddressBookHackery) emptyMemoryBackedAddressBookWithOptions:] + 39
12 AddressBook 0x00007fff8bc4c0fe +[ABAddressBook(ABAddressBookHackery) provisionalMemoryBackedAddressBook] + 106
13 AddressBook 0x00007fff8bc14106 -[ABVCardParser people] + 41
14 Contact 0x00000001045eb69c Contact + 9884
15 QuickLook 0x00007fff92fbee23 _QLThumbnailRequestCallGenerator + 585
16 QuickLookSatellite 0x000000010445d249 main + 6233
17 QuickLookSatellite 0x000000010445e6aa _QLUUIDForRequest + 150
18 QuickLookSatellite 0x000000010445cfa4 main + 5556
19 QuickLook 0x00007fff92fef181 _Z18QLTryCatchAndCrashU13block_pointerFvvE + 17
20 libdispatch.dylib 0x00007fff8deb21bb _dispatch_call_block_and_release + 12
21 libdispatch.dylib 0x00007fff8deaf28d _dispatch_client_callout + 8
22 libdispatch.dylib 0x00007fff8deb1673 _dispatch_queue_drain + 451
23 libdispatch.dylib 0x00007fff8deb29c1 _dispatch_queue_invoke + 110
24 libdispatch.dylib 0x00007fff8deb0f87 _dispatch_root_queue_drain + 75
25 libdispatch.dylib 0x00007fff8deb2177 _dispatch_worker_thread2 + 40
26 libsystem_pthread.dylib 0x00007fff92e8aef8 _pthread_wqthread + 314
27 libsystem_pthread.dylib 0x00007fff92e8dfb9 start_wqthread + 13
8/7/14 8:10:04.715 AM com.apple.quicklook.satellite: Restoring DB from MetaData
8/7/14 8:10:04.737 AM com.apple.quicklook.satellite: Error obtaining permanent ID: Error Domain=NSCocoaErrorDomain Code=134020 "The model configuration used to open the store is incompatible with the one that was used to create the store." UserInfo=0x7fc7d3d23360 {NSUnderlyingException=Can't resolve how to assign objects to stores; Coordinator does not have any stores}
8/7/14 8:10:04.737 AM com.apple.quicklook.satellite: Error obtaining permanent ID: Error Domain=NSCocoaErrorDomain Code=134020 "The model configuration used to open the store is incompatible with the one that was used to create the store." UserInfo=0x7fc7d3c2e830 {NSUnderlyingException=Can't resolve how to assign objects to stores; Coordinator does not have any stores}
8/7/14 8:10:04.740 AM com.apple.quicklook.satellite: Error obtaining permanent ID: Error Domain=NSCocoaErrorDomain Code=134020 "The model configuration used to open the store is incompatible with the one that was used to create the store." UserInfo=0x7fc7d3c164a0 {NSUnderlyingException=Can't resolve how to assign objects to stores; Coordinator does not have any stores}
8/7/14 8:10:04.740 AM com.apple.quicklook.satellite: Error obtaining permanent ID: Error Domain=NSCocoaErrorDomain Code=134020 "The model configuration used to open the store is incompatible with the one that was used to create the store." UserInfo=0x7fc7d3c63fd0 {NSUnderlyingException=Can't resolve how to assign objects to stores; Coordinator does not have any stores}
8/7/14 8:10:04.744 AM com.apple.quicklook.satellite: Error obtaining permanent ID: Error Domain=NSCocoaErrorDomain Code=134020 "The model configuration used to open the store is incompatible with the one that was used to create the store." UserInfo=0x7fc7d3c5de60 {NSUnderlyingException=Can't resolve how to assign objects to stores; Coordinator does not have any stores}
8/7/14 8:10:04.744 AM com.apple.quicklook.satellite: Error obtaining permanent ID: Error Domain=NSCocoaErrorDomain Code=134020 "The model configuration used to open the store is incompatible with the one that was used to create the store." UserInfo=0x7fc7d3c5e000 {NSUnderlyingException=Can't resolve how to assign objects to stores; Coordinator does not have any stores}
After several minutes, the vCard may be displayed properly, but the users' address book files have been deleted and all records are lost.
I've had this situation using two different 2010 MacMini servers. I've tried with both external hard drives for data and using the internal drives. The drives pass all tests I have including S.M.A.R.T monitoring.
To be clear, if local home folders are used, the problem does not occur. If the networked user is logged in on the server, the problem does not occur. The problem only seems to occur when the user's home directory is served over either SMB or AFP. If I use a local (or Guest) user on the workstation to view a vCard on a networked drive, it seems to work fine.
Because of this, I'm leaning towards something with binding, kerberos or OD. Something where the default configurations are not satisfactory.
I'm at a loss of what to try next. I've Googled extensively and have not been able to find a solution, or even evidence that other people are experiencing this issue. I find this odd.
Has anyone seen this issue and have you resolved it?
Thanks.
tim.rohrer
(646 rep)
Aug 7, 2014, 02:18 PM
• Last activity: Oct 28, 2015, 01:47 PM
2 votes, 0 answers, 1709 views
How to disable Kerberos authentication attempts from my client?
Every time I try to connect to a simple file share set up on Mac client - started with Mavericks, is still an issue with Yosemite (not server version), I get a long delay. There are lots of references to this problem... like:
https://apple.stackexchange.com/questions/127180/why-is-my-osx-client-having-so-much-trouble-connecting-to-our-smb-server/127195#127195
and
https://discussions.apple.com/thread/6764545
The issue is that it tries to authenticate using a kerberos method and fails.
Here's an example from my console (I edited the domains):
> 5/15/15 10:39:38.144 AM NetAuthSysAgent:
> NAHSelectionAcquireCredential The operation couldn’t be completed.
> (com.apple.NetworkAuthenticationHelper error -1765328228 -
> acquire_kerberos failed user-name@SOME.INVALID.KERBEROS.REALM:
> -1765328228 - unable to reach any KDC in realm SOME.INVALID.KERBEROS.REALM, tried 2 KDCs)
Once it fails, it finally pops up with the user/password prompt or allows me to select the share (if the pw is stored).
Aside from blocking netAuthSysAgent as suggested in one of the linked articles, is there a way to not have it attempt to use Kerberos?
brett_x
(176 rep)
May 15, 2015, 03:07 PM
5 votes, 1 answer, 7095 views
Disable Kerberos / Single Sign-on
We have a Mac mini running OS X 10.7 Server which has a number of shared folders/drives using AFP. We have a user account called fcp setup as sharing only which coworkers use to access the shared files. Whenever a coworker clicks on the machine in finder we get prompted for a Kerberos password: 
OrangeBox
(1780 rep)
Mar 21, 2012, 04:26 AM
• Last activity: Jun 8, 2014, 03:01 PM
0 votes, 2 answers, 5221 views
Why is my OSX client having so much trouble connecting to our SMB server?
I've already asked this question on ServerFault, but I'm beginning to think that this might be an issue more with my OSX client machine than our SMB server.
I'm using 10.9, but this problem happened when I was on 10.8 as well. When I first connect to our SMB share (hosted by some recent-ish windows server, not linux or osx server), the Finder seems to lock up for a good 30 seconds while it fetches the root folder of the share. Navigating the share is extremely slow at first as well - it takes about 30 seconds to open each folder. In the system log, I see this message repeated many times:
Apr 9 15:14:37 teds-mac-mini.teradici.local NetAuthSysAgent: smb_mount: mount failed to teradici.local/data, syserr = Permission denied
Apr 9 15:14:39 teds-mac-mini.teradici.local NetAuthSysAgent: NAHSelectionAcquireCredential The operation couldn’t be completed. (com.apple.NetworkAuthenticationHelper error -1765328228 - acquire_kerberos failed tmiddleton@LOCAL: -1765328228 - unable to reach any KDC in realm LOCAL, tried 0 KDCs)
Apr 9 15:15:11 --- last message repeated 5 times ---
Apr 9 15:15:11 teds-mac-mini.teradici.local NetAuthSysAgent: smb_mount: mount failed to teradici.local/data, syserr = Permission denied
Apr 9 15:15:13 teds-mac-mini.teradici.local NetAuthSysAgent: NAHSelectionAcquireCredential The operation couldn’t be completed. (com.apple.NetworkAuthenticationHelper error -1765328228 - acquire_kerberos failed tmiddleton@LOCAL: -1765328228 - unable to reach any KDC in realm LOCAL, tried 0 KDCs)
Apr 9 15:15:16 teds-mac-mini.teradici.local NetAuthSysAgent: smb_mount: mount failed to teradici.local/data, syserr = Permission denied
Eventually the delay in opening folders goes away and I can successfully navigate the SMB share. When the SMB share is responsive, no new messages like these show up in the system log, so I'm inferring that they're related to the problem I'm seeing.
I'm using a local account on my mac - I don't know whether it's possible to log into a mac with LDAP or Active Directory, but I'm not doing either of those. I do, however, have an Active Directory account here at work, and I can use that to access network resources at work (indeed, that's how I'm logging into the SMB share).
Any ideas what might be going wrong here? Is it an OSX/client issue? Could it be an issue with the SMB server? Active directory?
Ted Middleton
(121 rep)
Apr 10, 2014, 10:59 PM
• Last activity: Jun 4, 2014, 04:43 PM