Why is my OSX client having so much trouble connecting to our SMB server?


You contact realm LOCAL instead of the real realm because you haven't configured your local Kerberos client. You have to create a configuration file in /Library/Preferences/edu.mit.Kerberos and write the realm, etc. there. See the manual here.
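
A triage sketch for the diagnosis in this answer, added here and not part of the original answer: it scans log lines like those quoted in the question for the Kerberos KDC-unreachable error, compares the realm the client tried with the realm expected from the host's DNS domain, and renders a krb5.conf-style stanza for the file named above. Assumptions: the Active Directory realm is the client's DNS domain in upper case, the function names are illustrative, and `<kdc-hostname>` is a placeholder.

```python
import re

KRB5_KDC_UNREACH = -1765328228  # krb5 error table: cannot contact any KDC for realm
# Two lines copied from the log excerpt in the question on this page.
SAMPLE_LOG = """\
Apr  9 15:14:37 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: smb_mount: mount failed to teradici.local/data, syserr = Permission denied
Apr  9 15:14:39 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: NAHSelectionAcquireCredential The operation couldn’t be completed. (com.apple.NetworkAuthenticationHelper error -1765328228 - acquire_kerberos failed tmiddleton@LOCAL: -1765328228 - unable to reach any KDC in realm LOCAL, tried 0 KDCs)
"""

FAILURE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\sNetAuthSysAgent\[\d+\]:.*"
    r"acquire_kerberos failed (?P<user>[^@\s]+)@(?P<realm>[^:\s]+): (?P<code>-?\d+)"
    r".*tried (?P<tried>\d+) KDCs"
)


def find_realm_failures(log_text):
    """Return one finding per KDC-unreachable line in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m or int(m["code"]) != KRB5_KDC_UNREACH:
            continue
        # Assumption: the AD realm is the client's DNS domain in upper case.
        domain = m["host"].split(".", 1)[1] if "." in m["host"] else ""
        findings.append({
            "principal": f'{m["user"]}@{m["realm"]}',
            "attempted_realm": m["realm"],
            "expected_realm": domain.upper(),
            "kdcs_tried": int(m["tried"]),
            "realm_mismatch": bool(domain) and m["realm"] != domain.upper(),
        })
    return findings


def suggest_config(finding, kdc="<kdc-hostname>"):
    """Render a krb5.conf-style stanza for the expected realm; kdc is a placeholder."""
    realm = finding["expected_realm"]
    return (
        f"[libdefaults]\n    default_realm = {realm}\n"
        f"[realms]\n    {realm} = {{\n        kdc = {kdc}\n    }}\n"
        f"[domain_realm]\n    .{realm.lower()} = {realm}\n"
    )


if __name__ == "__main__":
    for f in find_realm_failures(SAMPLE_LOG):
        print(f, suggest_config(f), sep="\n")
```

A finding with `realm_mismatch` set and `kdcs_tried` equal to 0 means the client had no KDC to try for the realm it chose, which matches the missing-configuration diagnosis in the answer.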


Author: Ted Middleton

Updated on September 18, 2022

Comments

  • Ted Middleton
    Ted Middleton almost 2 years

    I'm asking this here because I think I'm more likely to find SMB/Kerberos experts here than in Ask Different, which seems to be mostly related to OSX client issues.

    When I first connect to our SMB share, the Finder seems to lock up for a good 30 seconds while it fetches the root folder of the share. Navigating the share is extremely slow at first as well - it takes about 30 seconds to open each folder. In the system log, I see this message repeated many times:

    Apr  9 15:14:37 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: smb_mount: mount failed to teradici.local/data, syserr = Permission denied
    Apr  9 15:14:39 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: NAHSelectionAcquireCredential The operation couldn’t be completed. (com.apple.NetworkAuthenticationHelper error -1765328228 - acquire_kerberos failed tmiddleton@LOCAL: -1765328228 - unable to reach any KDC in realm LOCAL, tried 0 KDCs)
    Apr  9 15:15:11 --- last message repeated 5 times ---
    Apr  9 15:15:11 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: smb_mount: mount failed to teradici.local/data, syserr = Permission denied
    Apr  9 15:15:13 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: NAHSelectionAcquireCredential The operation couldn’t be completed. (com.apple.NetworkAuthenticationHelper error -1765328228 - acquire_kerberos failed tmiddleton@LOCAL: -1765328228 - unable to reach any KDC in realm LOCAL, tried 0 KDCs)
    Apr  9 15:15:16 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: smb_mount: mount failed to teradici.local/data, syserr = Permission denied
    

    Eventually the delay in opening folders goes away and I can successfully navigate the SMB share. When the SMB share is responsive, no new messages like these show up in the system log, so I'm inferring that they're related to the problem I'm seeing.

    I'm using a local account on my Mac - I don't know whether it's possible to log into a Mac with LDAP or Active Directory, but I'm not doing either of those. I do, however, have an Active Directory account here at work, and I can use that to access network resources at work (indeed, that's how I'm logging into the SMB share).

    Any ideas what might be going wrong here? Is it an OSX/client issue? Could it be an issue with the SMB server? Active Directory?

    • EEAA
      EEAA about 10 years
      How are you having your client connect to the smb share?
    • Ted Middleton
      Ted Middleton about 10 years
      Cmd-K in Finder and then typing in smb://server/share. Sometimes I also type in cifs://server/share, which I'm told prefers SMB1 negotiation if it's available. Both result in this behavior.
    • Michael Hampton
      Michael Hampton about 10 years
      What do you see in the server's logs? And why on earth is your computer trying to contact a Kerberos realm named LOCAL?
    • Ted Middleton
      Ted Middleton about 10 years
      1. I don't have access to the server logs. I'm a developer at a medium-sized company and our IT dept doesn't have the time for this - they consider the wait to be an acceptable workaround.
    • Ted Middleton
      Ted Middleton about 10 years
      2. I have no idea why I'm accessing a Kerberos realm named LOCAL. As far as I know this is an out-of-the-box OSX configuration. My user account is local and therefore isn't being validated with LDAP or any other directory service, but I am more-or-less able to sign into network resources with my LDAP account username and password when I enter them explicitly.
    • Ted Middleton
      Ted Middleton about 10 years
      3. At this point, being neither an expert in Kerberos nor SMBX, I'm really looking for information on what to investigate next.