Kerberos at Login Kills all Software Policy installs

bwiessner
Contributor II

We have RADIUS Wi-Fi and we turned on the "Use as a Login Window configuration" option.
The user uses their AD credentials at the login window; at the same time it authenticates them on the network, and their credentials are then handed off as well to mount their home and shared drives. Once we did this, Kerberos takes effect, where it logs their user's credentials. Since we changed this, any time the user runs a Self Service software policy, or even policies on a trigger, they fail out with a user authentication error that the SMB share cannot mount. But if I delete the Kerberos ticket in Ticket Viewer it works just fine. I have turned off "Do not require Kerberos pre-authentication" in AD for casperinstall and casperadmin - no luck. Created local accounts on the SMB share server - no luck.

Any ideas would be awesome - Thanks in advance.


alexjdale
Valued Contributor III

I'm having a little trouble understanding the details, which change did you make that started these issues? Was it the Wifi configuration or the mounting of home/shared drives?

Our users receive a Kerberos TGT at login, but we are not using a Login Window configuration for Wifi nor are we mounting drives at login time. We don't have any issues with the user's TGT interfering with the mounting of Casper's SMB shares using AD service accounts.

bwiessner
Contributor II

We changed our Wi-Fi profile to "Use as a Login Window configuration" because the RADIUS configuration requires an AD user name and password for auth. We also have mobile accounts, and if they are not on the network at time of login we get "network accounts unavailable" and drives do not mount at login.

Thanks,

Blake

alexjdale
Valued Contributor III

Yeah, that's really weird, when you run a "klist -l" do you see any additional ticket caches for accounts besides the user? If so, which one has the asterisk next to it?

bwiessner
Contributor II

Just me -

  Name                 Cache name                                 Expires
  bwiessne@ISD720.COM  FILE:/tmp/krb5cc_1103169761                Feb  3 20:23:39 2015
* bwiessne@ISD720.COM  API:B855B913-98F6-46CA-B35F-EA20BB995253   Feb  3 20:23:39 2015
  bwiessne@ISD720.COM  API:1103169761                             >>> Expired <<<

alexjdale
Valued Contributor III

Hmmm, I don't know what's up with that FILE one but it's not your default so I guess it shouldn't be causing issues.

I would play around with running a kdestroy after login to see if that kills that FILE /tmp/ TGT. Maybe that cache is created as part of the Login Window auth process and is interfering? At the very least, kdestroy until you have no caches left, then do testing from there with and without a kinit to get a fresh TGT and see if that solves the policy issues.
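
A small diagnostic to go with the procedure above, added here as an example and not code from the thread or from Jamf: it parses `klist -l` output of the shape posted earlier (the sample below is constructed from that listing), reports which cache is the default (the one GSSAPI/SMB will actually use), which caches are expired or extra, and prints the `kdestroy` commands that would clear the extras before re-testing with and without `kinit`. The `kdestroy -c <cache>` and `kdestroy -A` invocations are Heimdal syntax as shipped on OS X and are an assumption about the target machine; nothing here runs them.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the `klist -l` listing posted in this thread:
# one principal, three caches, asterisk marks the default cache.
SAMPLE_KLIST = """\
  Name                 Cache name                                 Expires
  bwiessne@ISD720.COM  FILE:/tmp/krb5cc_1103169761                Feb  3 20:23:39 2015
* bwiessne@ISD720.COM  API:B855B913-98F6-46CA-B35F-EA20BB995253   Feb  3 20:23:39 2015
  bwiessne@ISD720.COM  API:1103169761                             >>> Expired <<<
"""

# optional leading '*', principal, cache name, then the rest is the expiry column
LINE_RE = re.compile(r"^(\*?)\s*(\S+)\s+(\S+)\s+(.*?)\s*$")


def parse_klist(text):
    """Turn `klist -l` output into a list of dicts, one per credential cache."""
    caches = []
    for line in text.splitlines():
        if not line.strip() or line.split()[0] == "Name":   # skip header/blank
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        star, principal, cache, expires = m.groups()
        expired = "Expired" in expires
        when = None
        if not expired:
            # klist pads the day with spaces ("Feb  3"); collapse before parsing
            when = datetime.strptime(" ".join(expires.split()), "%b %d %H:%M:%S %Y")
        caches.append({
            "principal": principal,
            "cache": cache,
            "default": star == "*",
            "expires": when,
            "expired": expired,
        })
    return caches


def diagnose(caches, now=None):
    """Summarise which cache SMB/GSSAPI will use and which ones are noise.

    `now` may be a datetime or an ISO-8601 string; defaults to the current time.
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    default = next((c for c in caches if c["default"]), None)
    stale = [c["cache"] for c in caches
             if c["expired"] or (c["expires"] is not None and c["expires"] < now)]
    extra = [c["cache"] for c in caches if not c["default"]]
    return {
        "default_cache": default["cache"] if default else None,
        "default_usable": default is not None and default["cache"] not in stale,
        "extra_caches": extra,
        "stale_caches": stale,
        "principals": sorted({c["principal"] for c in caches}),
        # Heimdal kdestroy syntax (assumed): clear each extra cache, or all of them
        "cleanup": ["kdestroy -c %s" % c for c in extra] + ["kdestroy -A"],
    }


if __name__ == "__main__":
    # Replace SAMPLE_KLIST with subprocess.check_output(["klist", "-l"], text=True)
    # on a real Mac; the sample keeps this runnable offline.
    report = diagnose(parse_klist(SAMPLE_KLIST))
    for key, value in report.items():
        print("%-15s %s" % (key + ":", value))
```

Run it after login and again after the policy fails; if the only change between a working and a failing run is an extra non-default cache (the FILE:/tmp one created at the login window, for instance), that is the cache to destroy first.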

bwiessner
Contributor II

A few updates. I took away the RADIUS Wi-Fi config and went back to a PSK network, and the issue still persists.

I deleted a user's Kerberos ticket in Ticket Viewer and tried Self Service; no go. The only difference is that when I delete the ticket I can mount the drive with Cmd-K and it now prompts for user name and password, whereas before it would just say you do not have permission.

bentoms
Release Candidate Programs Tester

@bwiessne, have you tried HTTP/S?

Also, are your DPs bound to the domain too? If so you may need to give DOMAIN USERS read access to the Casper DPs, as the issue is that the DPs are being mounted (or attempting to be mounted) using the user's creds.

bwiessner
Contributor II

We are looking into DFS and HTTP but we have not gone live with it yet.

Our DPs are most likely bound, but the weird thing is nothing has changed that we know of; this was working until last week.

bwiessner
Contributor II

Added DOMAIN USERS with read but no luck.

bwiessner
Contributor II

Created a new SMB share with casperinstall and casperadmin permissions (AD users) for both sharing and security. Updated this in the JSS and rebooted Tomcat, opened Casper Admin and the DP mounted just fine. Tested by adding a package to it.

However, Self Service and software policies still do not work. Same issue - AuthError:

C02N95V3G3QH Self Service[529]: [ERROR] -[InstallerQueueProcessBinder finishProcess] (line:190) --> Policy Adobe Flash Player v.16 failed with: Error Domain=JAMFSoftware/SelfService Code=30 "The operation couldn’t be completed. (JAMFSoftware/SelfService error 30.)"

Also, running a policy in Terminal (sudo jamf policy -id 148 -verbose) shows:

Mounting DFS-1/DP2 to /volumes/DP2..
verbose: result of mount attempt: mount_smbfs: server connection failed: Authentication error.

bentoms
Release Candidate Programs Tester

@bwiessne, I'd put a call in with support. As the error says, there is still an issue with authentication, so they should be able to sort it out over a WebEx.

bwiessner
Contributor II

Update **

This seems to be only affecting some users, not all, and these users are in different AD groups as well as the same groups.

Random...

davidacland
Honored Contributor II

Just to throw my thoughts in...

The Kerberos pre-auth wouldn't stop Kerberos authentication. It's just an early step in the overall Kerberos authentication process that is used to add extra security, so the user would still end up with a TGT either way.

Self Service should be using the Casper read-only account to authenticate, but I would expect a Kerberos TGT to get there first, in which case normal file and folder permissions would take effect.

I would try mounting the share manually while logged in as one of the affected users. If that fails, or you can't read the contents, then it will just be a permissions issue (probably unlikely based on what you've done so far, but worth a look).

Regarding DFS, not sure what your plans are here. I was still under the impression you couldn't use a DFS share as a distribution point.