
KB-2917: Refreshing User GPs reports "Can not invoke GP for [username]: Kerberos credentials not found for current user."

Centrify Identity Service, Mac Edition

12 April,16 at 11:07 AM

Applies to: All versions of Centrify DirectControl on all versions of Mac OS X.

Question:

When updating group policies on a Mac system, either via the Diagnostic Tool or via the Terminal command:
 
adgpupdate

The User Policy section fails with the following example output:
 
Refreshing Computer Policy...
Success
Refreshing User Policy...
Can not invoke GP for username: Kerberos credentials not found for current user.

The current user is logged in with a network (AD) account rather than a local account, and the problem occurs intermittently when the Mac is connected via Wi-Fi.

The issue is normally fixed by connecting the Mac to the network via an Ethernet cable and then logging out and back in.

What could be happening?


Answer:

The GP processor depends on the user's file-based Kerberos credential cache, which is stored in the /tmp/ folder of the machine (krb5cc_<UID>).

If that cache file is deleted or cleared for any reason, user GP updates produce the message shown above.

The message can also appear if the credentials have expired and were not renewed. This is less likely on Mac systems, because infinite renewal of the Kerberos credentials is enabled by default. The setting can be double-checked by running the Terminal command:
 
adinfo -c | grep infinite 


While the user policy updates are still failing with the above message, check whether the cache is present and whether it has expired with the commands:
 
klist
ls -l /tmp/ | grep krb5cc

klist shows the current status of the Kerberos cache for that user, and the ls -l /tmp/ command should return a file that looks like:
 
-rw-------  1 username         wheel  2423 Mar 13 00:35 krb5cc_[UID_of_current_user]

If either the file or the valid tickets inside it is missing, the User Policy refresh will fail.
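The two checks above, scripted, as an added example (not code from the Centrify article). It assumes the cache layout the article describes (/tmp/krb5cc_<UID>) and an MIT or Heimdal klist, both of which accept -c <cache> to name the cache and -s to return only an exit status. Naming the cache explicitly matters: klist otherwise reports on whatever cache KRB5CCNAME selects, which on macOS may be a different, non-file cache than the one the GP processor reads. It also checks that the file is owned by the user and is mode 0600, since a cache with wider permissions exposes the user's TGT to other local accounts.

```shell
#!/bin/sh
# Added example, not part of the Centrify KB article: verify the file-based
# Kerberos cache that the User Policy refresh depends on. Assumes the
# /tmp/krb5cc_<UID> layout from the article and an MIT or Heimdal klist.

# Path of the file-based cache for a numeric UID (assumed layout).
ccache_path() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# check_ccache_file FILE USER
# 0 = present, owned by USER, mode -rw------- (nobody else can read the TGT)
# 1 = missing   2 = wrong owner   3 = permissions wider than 0600
check_ccache_file() {
    file="$1"; user="$2"
    [ -f "$file" ] || return 1
    line=$(ls -ld "$file")                     # same first columns on macOS and Linux
    set -- $line                               # $1 = mode string, $3 = owner
    mode=$(printf '%s' "$1" | cut -c1-10)      # drop a trailing @ or + (xattrs/ACLs)
    owner=$3
    [ "$owner" = "$user" ] || return 2
    [ "$mode" = "-rw-------" ] || return 3
    return 0
}

# ccache_tickets_valid FILE
# 0 if klist finds unexpired tickets in FILE, 127 if klist is not installed,
# otherwise klist's own nonzero status (no cache, empty, or expired tickets).
ccache_tickets_valid() {
    command -v klist >/dev/null 2>&1 || return 127
    klist -s -c "FILE:$1" >/dev/null 2>&1
}

# report [UID] [USER]: the two checks the article asks for, with the reason a
# refresh would fail spelled out. Returns 1 when a refresh would fail.
report() {
    uid="${1:-$(id -u)}"; user="${2:-$(id -un)}"; rc=0
    file=$(ccache_path "$uid")
    check_ccache_file "$file" "$user" || rc=$?
    case $rc in
        0) echo "OK:   $file present, owned by $user, mode 0600" ;;
        1) echo "FAIL: $file missing; User Policy refresh will fail"; return 1 ;;
        2) echo "FAIL: $file is not owned by $user"; return 1 ;;
        3) echo "WARN: $file is readable by others; expected -rw-------" ;;
    esac
    rc=0
    ccache_tickets_valid "$file" || rc=$?
    case $rc in
        0)   echo "OK:   klist reports valid tickets in $file" ;;
        127) echo "SKIP: klist not found; run klist -c FILE:$file by hand" ;;
        *)   echo "FAIL: no valid tickets in $file (expired or empty)"; return 1 ;;
    esac
}

# Run the checks only when invoked as: sh check_krb5cc.sh check
if [ "${1:-}" = "check" ]; then
    report
fi
```

Run it as the affected network user (sh check_krb5cc.sh check) before and after applying one of the restore options below; a FAIL on either check corresponds to the "Kerberos credentials not found" message, and the script's exit status makes it usable from a remote management job.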


To restore the file-based Kerberos cache there are two options; both require the Mac to be currently connected to the domain.


Option 1: 
  1. Set up a screensaver password in:
    • System Preferences > Security > General > Require password [...] after sleep or screensaver begins [Enabled]
  2. Then either let the system go to screensaver naturally, or configure a Hot Corner to invoke it manually:
    • System Preferences > Desktop & Screen Saver > Screen Saver > Hot Corners... > (Pick a corner) > Start Screen Saver > OK
  3. When the user re-enters their credentials to return to the desktop from the screensaver, the AD cache is recreated in the correct locations.

Note:

The screensaver password can also be configured via group policy:
  • User Configuration / Centrify Settings / Mac OS X Settings / Security & Privacy / "Require password to wake this computer from sleep or screen saver"


Option 2: 
  1. Open the Terminal and run the command:
    • login ad_username
    • (Where ad_username is the username of the AD user.)
  2. The AD cache will be recreated once the command-line login completes.
 
