Tuesday, December 27, 2011

10.7 clients unable to connect to legacy NAS and AFP devices

In Lion, Apple disabled older, less secure AFP authentication methods (UAMs) such as DHCAST128. This has caused problems with older NAS devices running AFP and with some Novell servers.

Most manufacturers have released updates that resolve this problem, but the method can also be re-enabled from the command line.

Here are the instructions from Apple's KB:

Lion maintains a list of authentication methods that are not allowed. These are the older, less secure authentication methods. You may need to enable one or more of these methods to support legacy devices or protocols.

1. Open Terminal.
2. Execute the following commands:

sudo chmod o+w /Library/Preferences
sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_host_prefs_version -int 1

3. Make an AFP connection to another system so that the AFP Client preference file will be filled in with the default set of values. Note: You must connect as a registered user, not as a guest.
4. Execute the following command to see a list of the disabled User Authentication Methods (UAMs):

defaults read /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams

By default the disabled UAMs are "Cleartxt Passwrd", "MS2.0", "2-Way Randnum exchange", and "DHCAST128". Note: if you don't see a list, restart your computer and repeat step 3.

5. To enable one of these UAMs, remove it from the list of disabled UAMs. For example, this command enables DHCAST128 by removing it from the list of disabled authentication methods:

sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array "Cleartxt Passwrd" "MS2.0" "2-Way Randnum exchange"

6. After the desired changes have been made, restore the permissions on the Preferences folder with this command:

sudo chmod o-w /Library/Preferences

Additional Information

If you want to undo the changes described above, you can either delete the /Library/Preferences/com.apple.AppleShareClient file or use the following command to re-disable the default set of older UAMs:

sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array "Cleartxt Passwrd" "MS2.0" "2-Way Randnum exchange" "DHCAST128"

The full article can be found here:  http://support.apple.com/kb/HT4700
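Before loosening anything and again after putting the permissions back, I like to know exactly which of the four legacy UAMs are off the disabled list. Here is a small audit script of my own (not from Apple's article) that parses the array `defaults read` prints and reports any legacy UAM that is enabled; the preference path and UAM names come from the KB text above, and the sample `defaults read` output embedded in it is constructed so it also runs on a non-Mac box.

```shell
#!/bin/sh
# Added audit script (not from Apple's KB): report which legacy AFP UAMs are
# enabled on a 10.7 client. Path and UAM names are the ones in the article.
PREF=/Library/Preferences/com.apple.AppleShareClient

# Constructed sample of what `defaults read $PREF afp_disabled_uams` prints
# with the secure default list (plain alphanumeric strings print unquoted).
DEFAULT_OUTPUT='(
    "Cleartxt Passwrd",
    "MS2.0",
    "2-Way Randnum exchange",
    DHCAST128
)'

# stdin: raw `defaults read` array text; stdout: one bare UAM name per line.
parse_uams() {
    sed -e '/^[[:space:]]*[()]/d' \
        -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//' \
        -e 's/^"\(.*\)"$/\1/'
}

# $1: raw array text. Prints each legacy UAM that is NOT on the disabled list.
enabled_legacy_uams() {
    parsed=$(printf '%s\n' "$1" | parse_uams)
    for uam in "Cleartxt Passwrd" "MS2.0" "2-Way Randnum exchange" "DHCAST128"; do
        printf '%s\n' "$parsed" | grep -qxF -- "$uam" || printf '%s\n' "$uam"
    done
}

# Exit status: 0 = secure default, 1 = at least one legacy UAM enabled,
# 2 = no list present yet. Uses the constructed sample when not on macOS.
audit_afp_client() {
    if command -v defaults >/dev/null 2>&1; then
        raw=$(defaults read "$PREF" afp_disabled_uams 2>/dev/null) || raw=''
    else
        raw=$DEFAULT_OUTPUT
    fi
    if [ -z "$raw" ]; then
        echo "no afp_disabled_uams list yet: make an AFP connection first (step 3 above)"
        return 2
    fi
    enabled=$(enabled_legacy_uams "$raw")
    if [ -z "$enabled" ]; then
        echo "OK: all four legacy UAMs are disabled"
        return 0
    fi
    printf '%s\n' "$enabled" | sed 's/^/WARNING: legacy UAM enabled: /'
    return 1
}
audit_afp_client
```

Run it once after step 4 and once after step 6; a non-zero exit from the second run means the weaker method is still switched on.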

Friday, December 23, 2011

Lion clients unable to connect to Snow Leopard server

If you are attempting to connect from a bound Lion client to a bound Snow Leopard server, you must use the server's FQDN.

For example:  myserver.test.network.com

If you do not, you may receive an error that says "The version of the server you are trying to connect to is not supported. Please contact your system administrator to resolve the problem."

Also check which authentication method the server is using:
  • Open Server Manager
  • Highlight "AFP"
  • Click on the "Access" tab
  • Change "Authentication" to "Any Method"
Then attempt to connect from a Lion client using the FQDN of the server.

Note: changing the authentication to Any Method can break single sign-on for Snow Leopard clients. If this happens, change the authentication to "Kerberos"; Lion clients should still be able to access the server.

Sunday, December 18, 2011

Shaking login with console error: Could not get a user record for [username] from Directory Services

Symptom

After binding a Mac to AD, account log-ins fail (the login window shakes). Console logs report the following:

SecurityAgent[735] Could not get user record for 'username' from Directory Services
SecurityAgent[735] User infor context values set for username
SecurityAgent[735] unknown-user (username) login attempt PASSED for auditing
SecurityAgent[735] Could not get the user record for 'username' from Directory Services

kinit [username] generates a Kerberos ticket.

id [username] produces the LDAP info for the AD account.

login [username] fails.


Solution

If you see the Console log errors described above, it generally means that the computer is not able to create a mobile account at log-in. Try creating the mobile account from Terminal first:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
sudo createhomedir -c -u username

Log out and back in with the user's AD credentials.