2 weeks ago
Hi,
After updating macOS to 15.2.0, I am not able to sign in to the Kerberos extension. It shows "Network credential not available". When trying to sign in, I get the error "Your organization is not available". I tried commands like kinit and kdestroy.
Any other suggestions? Would appreciate any help.
Thanks.
2 weeks ago
Are you on a network that is able to see your domain?
2 weeks ago
It's the same when I am connected to the office network or home Wi-Fi.
2 weeks ago
I would not expect it to work from home unless you have a VPN in place that is tunneling traffic back to your on-prem network for this.
Can you ping the FQDN from the device?
2 weeks ago
You may want to update/redeploy the /etc/krb5.conf file. Chance it may have gotten corrupt on that device.
2 weeks ago
I have re-added the device to the config profile in Jamf Pro. Is there any other way I can try?
2 weeks ago
Is this issue on only one device, or are multiple devices affected? If it's multiple devices, I would check the connectivity, i.e. whether the AD is reachable from the Mac.
2 weeks ago
2 devices as of now, where 1 got fixed with just a restart but the other one is not getting fixed. I ran kdestroy and kinit as well, but no success.
2 weeks ago
When you open Terminal, enter this:
dsconfigad -show
Do you get information returned? Maybe try to force unbind, then rebind.
2 weeks ago
When I run dsconfigad -show, it gives information which is correct. When running klist, it gives the error "Cache not found", and kinit shows "unable to reach any KDC in realm".
2 weeks ago
So just to confirm, as others have asked and it's been danced around: are you able to ping the FQDN of the directory server(s)? You mention you re-added the configuration profile to the client. What did that entail? Typically removing a Kerberos SSO extension config profile from a client requires a restart after the fact, at least in my past experiences. Are you binding to AD or another directory service, or are you using the SSO extension with a local account?
2 weeks ago
Using the SSO extension with a local account. There is a config profile running in Jamf Pro, and I re-added the device and restarted.
2 weeks ago - last edited 2 weeks ago
When you click the Kerberos Key in the menu bar, is the user signed in? Able to sign them out?
2 weeks ago
No, normally it shows Sign out, Change Password and Reconnect. But for the user it is just showing Sign in as the only option. Also, the Kerberos Key is showing "Network Credentials not available", and when trying to sign in it shows the error in the screenshot attached.
2 weeks ago
So I'm looking through this thread and what I'm gleaning from it is this:
1. You have an endpoint running the Kerberos SSO extension with local accounts.
2. We still don't know if this endpoint has connectivity problems since you don't confirm or answer if you checked that. Pretty simple: fire up Terminal and ping mydirectoryserver. Even if the client still has internet accessibility that doesn't mean that someone could have changed the DNS address to 8.8.8.8 for example, and if your directory service is on-premise that would cause the problem you're seeing here.
3. Circling back to #1: @obi-k asked if you could run dsconfigad -show and see if it showed any results. You said: "gives information which is correct", but dsconfigad -show should really only show results if the Mac is bound to a directory service. If it's a Mac with local account(s) and the extension, nothing should show, so I'm confused.
Just trying to get a clearer picture to better help you out.
2 weeks ago
1. It's correct.
2. I didn't check that yet. I will check that ping here.
3. dsconfigad -show - this does run and provides all details, which are correct. Running klist gives this message: "Cache not found". Also, kinit gives this message: krb5_get_init_creds: unable to reach any KDC in realm.
I even checked Network Account Server from Users & Groups, and that shows the correct realm.
I checked for the Kerberos certificate in Keychain, and that is also present.
2 weeks ago
I tried the ping. The request is timing out: "Request timeout for icmp_seq 0"
a week ago
Well, that narrows things down quite a bit. Are the client and server on the same network? To rule out DNS issues, can you ping the IP address of the server?
a week ago
One more thing: when the device is connected to the office network, the ping works fine.
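
An added example, not part of the thread or any poster's own code: a shell triage for the kinit error quoted above ("unable to reach any KDC in realm") that separates DNS discovery of the KDCs from network reachability, which a single ping cannot do. It assumes the realm publishes `_kerberos._tcp` SRV records and uses the placeholder realm CORP.EXAMPLE.COM; the function names `kdc_srv_name`, `parse_srv`, `classify` and `check_realm` are made up for this example.

```shell
#!/bin/sh
# Added example: triage for kinit's "unable to reach any KDC in realm".
# Assumption: the realm publishes _kerberos._tcp SRV records.

# SRV name a Kerberos client queries to locate KDCs for a realm.
kdc_srv_name() {
    printf '_kerberos._tcp.%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Turn `dig +short SRV` lines ("prio weight port target.") into "host port".
# Resolver error lines do not have four fields and are dropped.
parse_srv() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4, $3 }'
}

# Map (SRV targets found, targets accepting TCP) to the layer to look at.
classify() {
    if [ "$1" -eq 0 ]; then
        echo "dns: no KDC SRV records from this resolver (check DNS servers / VPN)"
    elif [ "$2" -eq 0 ]; then
        echo "network: KDCs resolve but none accept TCP (check routing / firewall)"
    else
        echo "ok: $2 of $1 KDCs reachable"
    fi
}

check_realm() {
    targets=$(dig +short +time=3 +tries=1 SRV "$(kdc_srv_name "$1")" 2>/dev/null | parse_srv)
    total=0
    up=0
    while read -r host port; do
        [ -n "$host" ] || continue
        total=$((total + 1))
        # TCP connect to the Kerberos port; ICMP ping may be filtered either way.
        if nc -z -w 3 "$host" "$port" </dev/null >/dev/null 2>&1; then
            up=$((up + 1))
            echo "reachable:   $host:$port"
        else
            echo "unreachable: $host:$port"
        fi
    done <<EOF
$targets
EOF
    classify "$total" "$up"
}

# Usage: sh kdc_check.sh CORP.EXAMPLE.COM   (placeholder realm)
if [ "$#" -gt 0 ]; then
    check_realm "$1"
fi
```

`dig` reads the resolvers in /etc/resolv.conf, which on macOS can differ from the per-interface resolvers listed by `scutil --dns`, so compare the two when a VPN is involved.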