AFP Connections Server 4.1

[keerf]

Hi Everyone,

I upgraded our company file server over the weekend to a brand new machine running 10.10. It is a machine that sits in an OD replication setup as a slave. I went through the server process, made sure to setup file sharing etc properly.

I have SMB and AFP both turned on (and all the users are local network users). For some odd reason, AFP connections no longer work. IT is a mixed mac os environment as well. Some machines are using 10.10 (like my laptop) and most are on 10.9.5. When I try to connect with my account, I get my access has been denied, yet SMB connections work flawlessly.

I've tried with several other peoples usernames and passwords with AFP, and pretty much the same result. AFP doesn't work, and SMB does.

Is there a setting I am missing somewhere? Or is AFP just broken in Yosemite/Server 4.1.

Thanks!

 

[chrfr]

When I try to connect with my account, I get my access has been denied, yet SMB connections work flawlessly.

Do you have the AFP ports open in the firewall and on your network? What appears in the server's logs when a user tries to connect via AFP?

 

[keerf]

Do you have the AFP ports open in the firewall and on your network? What appears in the server's logs when a user tries to connect via AFP?

Hey there!

AFP ports are open, they haven't been touched. AFP worked on our 10.9 server without issue. So this seems to be a new issue.

As for the AFP logs, best I can do is this:

Jun 28 14:19:21 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout " -5023 0 0
Jun 28 14:19:21 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Login closser" -5023 0 0
Jun 28 14:19:21 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout closser" -5023 0 0
Jun 28 14:19:48 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout " -5023 0 0
Jun 28 14:19:48 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Login aclayton" -5023 0 0
Jun 28 14:19:48 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout aclayton" -5023 0 0
Jun 28 14:23:53 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Logout " -5023 0 0
Jun 28 14:23:54 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Logout " -5023 0 0
Jun 28 14:23:54 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Login aclayton" -5023 0 0
Jun 28 14:23:54 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Logout aclayton" -5023 0 0
Jun 28 14:28:02 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout " -5023 0 0
Jun 28 14:28:02 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Login twarner" -5000 0 0
Jun 28 14:28:02 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout twarner" -5023 0 0
Jun 28 14:28:09 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout " -5023 0 0
Jun 28 14:28:09 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Login twarner" -5000 0 0
Jun 28 14:28:09 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout twarner" -5023 0 0
Jun 28 14:33:35 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Logout " -5023 0 0
Jun 28 14:33:35 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Login twarner" -5000 0 0
Jun 28 14:33:35 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Logout twarner" -5023 0 0
Jun 28 14:36:38 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout " -5023 0 0
Jun 28 14:36:38 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Login twarner" -5000 0 0
Jun 28 14:36:38 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout twarner" -5023 0 0

Terry

 

[chrfr]

Jun 28 14:19:21 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Login closser" -5023 0 0
Jun 28 14:19:21 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout closser" -5023 0 0
Jun 28 14:19:48 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout " -5023 0 0
Jun 28 14:19:48 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Login aclayton" -5023 0 0
Jun 28 14:19:48 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout aclayton" -5023 0 0
Jun 28 14:23:53 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Logout " -5023 0 0
Jun 28 14:23:54 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Logout " -5023 0 0
Jun 28 14:23:54 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Login aclayton" -5023 0 0
Jun 28 14:23:54 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Logout aclayton" -5023 0 0
Jun 28 14:28:02 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout " -5023 0 0
Jun 28 14:28:02 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Login twarner" -5000 0 0
Jun 28 14:28:02 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout twarner" -5023 0 0
Jun 28 14:28:09 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout " -5023 0 0
Jun 28 14:28:09 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Login twarner" -5000 0 0
Jun 28 14:28:09 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout twarner" -5023 0 0
Jun 28 14:33:35 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Logout " -5023 0 0
Jun 28 14:33:35 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Login twarner" -5000 0 0
Jun 28 14:33:35 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.154 - - "Logout twarner" -5023 0 0
Jun 28 14:36:38 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout " -5023 0 0
Jun 28 14:36:38 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Login twarner" -5000 0 0
Jun 28 14:36:38 MKG-SV-008.local AppleFileServer[1079] <Info>: IP 192.168.4.146 - - "Logout twarner" -5023 0 0

Terry

What about in the main system log? Keep Console open and watch the main log when you attempt to connect. The "-5023" is indicative of an authentication error. It may also be that the users don't have permissions to any volumes over AFP (you set this in the File Sharing section of server by making sure AFP is enabled in the "Share Over" field.) Perhaps the users also don't have access to the services.
If SMB works, there's no good reason not to use it; in most cases it's faster than AFP now.

 

[keerf]

What about in the main system log? Keep Console open and watch the main log when you attempt to connect. The "-5023" is indicative of an authentication error. It may also be that the users don't have permissions to any volumes over AFP (you set this in the File Sharing section of server by making sure AFP is enabled in the "Share Over" field.) Perhaps the users also don't have access to the services.
If SMB works, there's no good reason not to use it; in most cases it's faster than AFP now.

Ok, so it looks like watching the console logs a little more closely might of yielded some results.

I tried logging in to the file server on a share that has AFP enabled (turned it mostly off for testing) and I got this message:

6/29/15 3:28:14.384 PM kdc[92]: UNKNOWN -- user@servername: no such entry found in hdb (I edited out my info)


Also, I noticed in my Server main Windows I have the server defined as a .local. I will change that tonight, but would that specifically cause issues?

Thanks

 

[chrfr]

6/29/15 3:28:14.384 PM kdc[92]: UNKNOWN -- user@servername: no such entry found in hdb (I edited out my info)


Also, I noticed in my Server main Windows I have the server defined as a .local. I will change that tonight, but would that specifically cause issues?

It looks like you have Open Directory issues. A likely cause is misconfigured DNS. What's the output of

sudo changeip -checkhostname

Edit: Also, do you see any kdc errors in the console?

 

[keerf]

It looks like you have Open Directory issues. A likely cause is misconfigured DNS. What's the output of

sudo changeip -checkhostname

Edit: Also, do you see any kdc errors in the console?

Ok doing that, I just get :

dirserv:success = "success"


As for kdc:

6/29/15 3:44:45.970 PM kdc[92]: Server not found in database: krbtgt/LOCAL@masterserver: no such entry found in hdb

Is one that is coming up.

 

[chrfr]

As for kdc:

6/29/15 3:44:45.970 PM kdc[92]: Server not found in database: krbtgt/LOCAL@masterserver: no such entry found in hdb

Is one that is coming up.

Yeah, you have OD problems, but still probably due to DNS issues. Is the server assigned a FQDN on the network? Do you have DNS running on the server itself? It's tough to try and figure things out from here without knowing the name of the server aside from MKG-SV-008.local.

 

[keerf]

Yeah, you have OD problems, but still probably due to DNS issues. Is the server assigned a FQDN on the network? Do you have DNS running on the server itself? It's tough to try and figure things out from here without knowing the name of the server aside from MKG-SV-008.local.

I can lay out what I did this weekend, just so it sheds any light on any of my steps.

We have 4 servers total in a replica chain. Three servers in NYC, and one in LA. I upgraded all the servers to Yosemite this weekend. When I upgraded server on the main master, it looks as though it wiped out all my users. So I restored from a backup I had made.

Then on each of the upgraded servers (the new one included). I joined the OD as a replica. They connected and then sat at creating a replica for ages. The server app wasn't frozen, but I quit it, and re-opened it, and everything was there (OD wise, and User wise). I had to do that on each server. Not sure if I was just impatient.

I ran into a weird issue after doing that, where I couldn't authenticate as anyone. Then after rebooting each server, I was able to log in without issue (via SMB).

Tonight, I can change the .local hostname to the full server name. I mean I can do it now, so long as it won't disrupt anyone (I assume).

Hopefully that sheds a little more light on my steps (thank you for all the replies so far).

 

[chrfr]

Tonight, I can change the .local hostname to the full server name.

This will probably take care of it. I assume your master and all replicas are all on the same versions of Server and OS X.

 

[keerf]

This will probably take care of it. I assume your master and all replicas are all on the same versions of Server and OS X.

Yes they are, all of them are on 4.1, and all of them are on 10.10.3

 

[keerf]

Thanks once again for the help!

Quick question, would changing the .local affect anything badly right now? Or is it better to do it when not many people are using the file server.

 

[chrfr]

Thanks once again for the help!

Quick question, would changing the .local affect anything badly right now? Or is it better to do it when not many people are using the file server.

It's not something I'd do while it's live. It would probably interrupt connectivity anyway.

 

[keerf]

Well, the DNS change didn't help.

So this morning, I destroyed the open directory master, and rebuilt from scratch. That amazingly fixed everything.

 

[chrfr]

Well, the DNS change didn't help.

So this morning, I destroyed the open directory master, and rebuilt from scratch. That amazingly fixed everything.

That isn't too surprising. I've also had situations where destroying the master and restoring it from an archive revived it too.