KB-1760: Unable to connect to Mac OS X Server share using SMB (AFP works)

Centrify Identity Service, Mac Edition

12 April,16 at 11:07 AM

Applies to: All versions of Centrify DirectControl on Mac OS X Server.

Question:

Centrify users are unable to connect to a Mac OS X share using SMB (AFP works fine). 

The native Apple AD Plugin works fine for both AFP and SMB protocols.


Answer:

A few configuration changes need to be made on the OS X Server to allow single sign-on (SSO) for SMB connections.

On the Mac OS X Server:
  1. Log into the OS X Server and download the attached ssosmb.plist (at the end of this KB) to the Desktop.
    • Alternatively, create the plist manually using the template below and save the file as ssosmb.plist:

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
        <key>Services</key>
        <array>
        <dict>
            <key>servicePrincipal</key>
            <string>cifs/server.acme.com@ACME.COM</string>
            <key>serviceType</key>
            <string>cifs</string>
        </dict>
        </array>
        <key>configOnly</key>
        <true/>
        </dict>
        </plist>

    • (NOTE: Line 2 begins with "<!DOCTYPE ..." and Line 3 is: <plist version="1.0"> )
  2. Edit the cifs/... entry in the plist (server.acme.com@ACME.COM) to match the server FQDN and domain of the OS X Server.
    • For example:
    • <string>cifs/filesserver.mydomain.local@MYDOMAIN.LOCAL</string>
  3. Save the file to the Desktop.
     
  4. Open Terminal and run:
    • sudo krbservicesetup -f ~/Desktop/ssosmb.plist
  5. Reboot the Mac OS X Server.
     
  6. Connect to the Mac OS X Server using its FQDN (not IP) from a client machine over SMB.
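
Steps 1 to 3 can be scripted. The following is an added example, not part of the original KB and not Centrify or Apple code: it fills in the KB's plist template from the server FQDN and AD domain, and refuses an IP address or short host name, since the cifs principal must name the FQDN. The function names cifs_spn and make_ssosmb_plist and their arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not Centrify's or Apple's code): generate ssosmb.plist
# from the KB template. Function names and arguments are hypothetical.

# Print cifs/<fqdn>@<REALM> for the given server FQDN ($1) and AD domain ($2).
cifs_spn() {
    spn_host=$1
    # The KB's examples write the realm (AD domain) in upper case.
    spn_realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case $spn_host in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*)
            echo "invalid host name: $spn_host" >&2; return 1 ;;
    esac
    case $spn_host in
        *.*) ;;
        *) echo "not fully qualified: $spn_host" >&2; return 1 ;;
    esac
    case $spn_host in
        *[!0-9.]*) ;;   # contains something other than digits and dots
        *) echo "IP address given, FQDN required: $spn_host" >&2; return 1 ;;
    esac
    case $spn_realm in
        ''|*[!A-Z0-9.-]*) echo "invalid domain: $2" >&2; return 1 ;;
    esac
    printf 'cifs/%s@%s\n' "$spn_host" "$spn_realm"
}

# Write the plist from the KB template to the file named in $3.
make_ssosmb_plist() {
    plist_spn=$(cifs_spn "$1" "$2") || return 1
    cat > "$3" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Services</key>
<array>
<dict>
    <key>servicePrincipal</key>
    <string>$plist_spn</string>
    <key>serviceType</key>
    <string>cifs</string>
</dict>
</array>
<key>configOnly</key>
<true/>
</dict>
</plist>
EOF
}
```

For example, after sourcing the file, `make_ssosmb_plist filesserver.mydomain.local mydomain.local ~/Desktop/ssosmb.plist` writes the file used in step 4.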


Note: 
  • For more information on the krbservicesetup command, see the following Apple documentation: (Provided as a courtesy)
  • If the above steps do not work, please provide the following files to Centrify Support:
    • Mac Client Side
      1. As Local Admin, run the command:
        • sudo klist -k > /tmp/client_klist_k.log
      2. Login as an AD user and run:
        • klist -A > /tmp/client_klist_A.log
      3. Send in the following files:
        • /tmp/client_klist_k.log
        • /tmp/client_klist_A.log
    • OS X Server Side
      1. As Local Admin, run the command:
        • sudo klist -k > /tmp/server_klist_k.log
      2. Send in the following files: (Note: Some files may not be present on later versions of OS X)
        • /Library/Preferences/edu.mit.Kerberos
        • /Library/Preferences/SystemConfiguration/preferences.plist
        • /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
        • /etc/krb5.conf
        • /etc/smb.conf
        • /var/db/smb.conf
        • /var/db/krb5kdc/kdc.conf
        • /tmp/server_klist_k.log
        • The modified ssosmb.plist that was used in Steps 1-4
      3. Enable Centrify debugging and capture a network trace while running:
        • sudo krbservicesetup -f ~/Desktop/ssosmb.plist

 
Attachments:
