
I'm asking this here because I think I'm more likely to find SMB/Kerberos experts here than in Ask Different, which seems to be mostly related to OSX client issues.

When I first connect to our SMB share, the Finder seems to lock up for a good 30 seconds while it fetches the root folder of the share. Navigating the share is extremely slow at first as well - it takes about 30 seconds to open each folder. In the system log, I see this message repeated many times:

Apr  9 15:14:37 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: smb_mount: mount failed to teradici.local/data, syserr = Permission denied
Apr  9 15:14:39 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: NAHSelectionAcquireCredential The operation couldn’t be completed. (com.apple.NetworkAuthenticationHelper error -1765328228 - acquire_kerberos failed tmiddleton@LOCAL: -1765328228 - unable to reach any KDC in realm LOCAL, tried 0 KDCs)
Apr  9 15:15:11 --- last message repeated 5 times ---
Apr  9 15:15:11 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: smb_mount: mount failed to teradici.local/data, syserr = Permission denied
Apr  9 15:15:13 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: NAHSelectionAcquireCredential The operation couldn’t be completed. (com.apple.NetworkAuthenticationHelper error -1765328228 - acquire_kerberos failed tmiddleton@LOCAL: -1765328228 - unable to reach any KDC in realm LOCAL, tried 0 KDCs)
Apr  9 15:15:16 teds-mac-mini.teradici.local NetAuthSysAgent[2139]: smb_mount: mount failed to teradici.local/data, syserr = Permission denied

Eventually the delay in opening folders goes away and I can successfully navigate the SMB share. When the SMB share is responsive, no new messages like these show up in the system log, so I'm inferring that they're related to the problem I'm seeing.

I'm using a local account on my Mac - I don't know whether it's possible to log into a Mac with LDAP or Active Directory, but I'm not doing either of those. I do, however, have an Active Directory account here at work, and I can use that to access network resources at work (indeed, that's how I'm logging into the SMB share).

Any ideas what might be going wrong here? Is it an OSX/client issue? Could it be an issue with the SMB server? Active directory?

Ted Middleton
  • How are you having your client connect to the smb share? – EEAA Apr 10 '14 at 00:12
  • Cmd-K in Finder and then typing in smb://server/share. Sometimes I also type in cifs://server/share, which I'm told prefers smb1 negotiation if it's available. Both result in this behavior. – Ted Middleton Apr 10 '14 at 00:25
  • What do you see in the server's logs? And why on earth is your computer trying to contact a Kerberos realm named LOCAL? – Michael Hampton Apr 10 '14 at 04:01
  • 1. I don't have access to the server logs. I'm a developer at a medium-sized company and our IT dept doesn't have the time for this - they consider the wait to be an acceptable workaround. – Ted Middleton Apr 10 '14 at 19:57
  • 2. I have no idea why I'm accessing a kerberos realm named LOCAL. As far as I know this is an out-of-the-box OSX configuration. My user account is local and therefore isn't being validated with LDAP or any other directory service, but I am more-or-less able to sign into network resources with my LDAP account username and password when I enter them explicitly. – Ted Middleton Apr 10 '14 at 19:59
  • 3. At this point, being neither an expert in kerberos nor SMBX, I'm really looking for information on what to investigate next. – Ted Middleton Apr 10 '14 at 20:00

1 Answer


You contact realm LOCAL instead of the real realm because you haven't configured your local Kerberos client. You have to create a configuration file in /Library/Preferences/edu.mit.Kerberos and write the realm, etc. there. See the manual here.

chicks
Reni
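
A sketch of the kind of client configuration the answer describes, for /Library/Preferences/edu.mit.Kerberos (krb5.conf syntax). It is an added example, not part of the original answer. The realm name TERADICI.LOCAL is an assumption inferred from the share's DNS domain in the log, and the KDC hostname is a placeholder; confirm both with whoever runs the directory.

```ini
# /Library/Preferences/edu.mit.Kerberos
# Added example. Realm and KDC values below are assumptions, not from the page.

[libdefaults]
    # Without a default realm the client in the log fell back to "LOCAL"
    # and reported "tried 0 KDCs".
    default_realm = TERADICI.LOCAL
    # Let the client find domain controllers through DNS SRV records
    # (_kerberos._tcp.<realm>) when no kdc entry answers.
    dns_lookup_kdc = true
    # Do not trust unauthenticated DNS TXT records to choose the realm.
    dns_lookup_realm = false

[realms]
    TERADICI.LOCAL = {
        # Placeholder hostname: replace with a real domain controller.
        kdc = dc01.teradici.local
    }

[domain_realm]
    # Map hosts in the DNS domain seen in the log (teradici.local/data)
    # to the realm, so service tickets are requested from the right KDC.
    .teradici.local = TERADICI.LOCAL
    teradici.local = TERADICI.LOCAL
```

After saving the file, running `kinit tmiddleton@TERADICI.LOCAL` followed by `klist` shows whether a ticket can be obtained from that realm before retrying the mount.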