Jamf Nation Community

Priya98 · yesterday

Hi,

After updating macOS to 15.2.0, not able to sign in to Kerberos Extension. Showing Network credential not available. When trying to sign in getting error as "Your organization is not available". I tried command like kinit, kdestroy.

Any other suggestions? Would Appreciate any help.

Thanks.

AJPinto · yesterday

Are you on a network that is able to see your domain?

Priya98 · yesterday

It's the same when i am connected to office network or home wifi.

AJPinto · yesterday

I would not expect it to work from home unless you have a VPN in place that is tunneling traffic back to your on prem network for this.

Can you ping the FQDN from the device?

Jason33 · yesterday

You may want to update/redeploy the /etc/krb5.conf file. Chance it may have gotten corrupt on that device.

Priya98 · yesterday

I have re-added the device to the conf profile jamf pro. Is there any other way I can try?

Shyamsundar · yesterday

Did this issue in only one device or multiple devices affect with this, if its multiple devices i would check the connectivity, whether the AD is reachable from the Mac

Priya98 · yesterday

2 devices as of now where 1 got fixed with just a restart but other one is not getting fixed. I ran kdestroy, kinit as well but no success.

obi-k · yesterday

When you open Terminal, enter this:

dsconfigad -show

Do you get information returned? Maybe try to force unbind, then rebind.

Priya98 · yesterday

When I run dsconfigad -show, gives information which is correct. When running klist, it is giving error as "Cache not found" and kinit showing as "unable to reach any KDC in realm"

mainelysteve · 7 hours ago

So just to confirm as others have asked and it's been danced around, are you able to ping the FQDN of the directory server(s)? You mention you re-added the configuration profile to the client. What did that entail? Typically removing a kerberos SSO extension config profile from a client requires a restart after the fact, at least in my past experiences. Are you binding to AD or another directory service or are you using the SSO extension with a local account?

Priya98 · 7 hours ago

Using SSO extension with local account. There is a config profile running in jamf pro and re-added the device and restarted.

obi-k · 9 hours ago

When you click the Kerberos Key in the menu bar, is the user signed in? Able to sign them out?

Priya98 · 7 hours ago

No, normally it shows Sign out, Change Password and Reconnect. But for the user it is just showing up Sign in as the only option. And also in the Kerberos Key it is showing "Network Credentials not available", when trying to sign in it showing the error in the screenshot attached.

mainelysteve · 2 hours ago

So I'm looking through this thread and what I'm gleaming from it is this;

1. You have an endpoint running the Kerberos SSO extension with local accounts.

2. We still don't know if this endpoint has connectivity problems since you don't confirm or answer if you checked that. Pretty simple fire up terminal and ping mydirectoryserver. Even if the client still has internet accessibility that doesn't mean that someone could have changed the dns address to 8.8.8.8 for example and if your directory service is on-premise that would cause the problem you're seeing here.

3. Circling back to #1: @obi-k Asked if you could run dsconfigad -show and see if it showed any results. You said: " gives information which is correct" but dsconfigad -show should really only show results if the Mac is bound to a directory service. If it's a Mac with a local account(s) and the extension nothing should show so I'm confused.

Just trying to get a clearer picture to better help you out.

Jamf Nation Community

Kerberos Extension Issue