× Welcome to the Centrify Community! We are rolling out product name changes — click here to learn more.

Centrify is in connected mode but users are unable to login.

Showing results for 
Search instead for 
Do you mean 
Reply
Centrify Guru I
Posts: 1,790
Registered: ‎07-26-2012
#11 of 15 3,308

Re: Centrify is in connected mode but users are unable to login.

It looks like sandboxd is disagreeing with something related to smbd.  The referenced folder that has our variable data.

 

I wish I had more expertise on that topic and from what I read here, the process of troubleshooting does not seem to be very trivial.  I did check our internal knowledgebase and there were 4 cases referencing sandboxd but none combined with smbd or related to any open Centrify bugs.

 

Perhaps anyone else with more experience than me can chime-in.

 

Did you find a chance to update your agent to 5.2.4?

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Follow Centrify:
Centrify Advisor III
Posts: 73
Registered: ‎02-18-2015
#12 of 15 3,276

Re: Centrify is in connected mode but users are unable to login.

Hi OG,

 

The message you received: 

 

Dec 11 08:13:40 xserve.DOMAIN.local sandboxd[449] ([549]): smbd(549) deny network-outbound /private/var/centrifydc/daemon2

 

It looks like the sandboxd restricting the smb access through our agent's socket.

 

Normally, Centrify agent will do a couple of tasks using smb, e.g. pulling certificates, registries, printing etc.

 

Do you know the time when you saw the message, is there anything happened on SMBD? Did it crash? Did any port blocking smbd service?

 

For us to better understand the issue, could you upload the full system log?

 

For your information about sandboxd:

 

https://developer.apple.com/library/mac/documentation/Security/Conceptual/AppSandboxDesignGuide/Abou...

 

https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf

 

Hope this helps.

 

Regards,

Albert

Participant III
Posts: 8
Registered: ‎12-03-2015
#13 of 15 3,257

Re: Centrify is in connected mode but users are unable to login.

Hi,

 

Thanks for your reply.

 

I will send you the full server log, tomorrow.

 

 

When the SMB crashes and when a user tries to login it display the below message on the serve log.

 

13/12/15 5:14:36.273 PM digest-service[22471]: digest-request: uid=0
13/12/15 5:14:36.274 PM digest-service[22471]: digest-request: od failed with 2 proto=ntlmv2
613/12/15 5:14:36.274 PM digest-service[22471]: digest-request: DOMAIN\\user
13/12/15 5:14:36.277 PM digest-service[22471]: digest-request: kdc failed with -1561745659 proto=ntlmv2

 

SMB crashes everyday three or four times. Sometime it crashes when that Sandbox message appears on the server log.

 

Today, when the SMB crashed and when I checked the console logs on the client Mac. It was showing a lot of different types of error message as below.

 

On the console log  it showed up the following message "11:36:14 Kernal: Sandbox: fmfd(1894)  deny file-read-metadata /SMB" it was repeated continously maybe like 10 times

 

"11:36:15 kernel: Sandbox: cloudpaird(1878) deny file-read-metadata /SMB (This message was repeated more than 20times."

 

There was another error message on the log as follows "11:45:47 kernel: smb2_sm_parse_change_notify: smb_rq_reply failed 60" this message was repeated may be like 30 times on the same time 11:45:47 the message kept on appearing. Somewhere in the middle of the this repeated message it showed up another message which is as follows "11:45:47 kernel: process_svrmsg_items: disabling  svrms notify, error: 60.

 

"ReportCrash: File creation failed /SMB/xserve.DOMAIN.local/Homes/user/Library/Logs/DiagnosticReports/CalanerAent_2015-12-14-120800_MAC-2.crash - uid: 301991036 gid: 20, euid:301991036 egid: 20 - error 24: Too many openfiles" This message was repeated 5 times with differetn file location and some error message ended with No such file or directory instead of Too many open files.

 

Thanks.

Centrify Advisor III
Posts: 73
Registered: ‎02-18-2015
#14 of 15 3,243

Re: Centrify is in connected mode but users are unable to login.

Hi OG,

 

Thanks for coming back to us.

 

Regarding the first few messages you saw:

 

=====

13/12/15 5:14:36.273 PM digest-service[22471]: digest-request: uid=0
13/12/15 5:14:36.274 PM digest-service[22471]: digest-request: od failed with 2 proto=ntlmv2
613/12/15 5:14:36.274 PM digest-service[22471]: digest-request: DOMAIN\\user
13/12/15 5:14:36.277 PM digest-service[22471]: digest-request: kdc failed with -1561745659 proto=ntlmv2

=====

 

It is complaining the authentication going through the Open Directory is failed with method NTLMV2 for user. It is the Mac's Open Directory's issue and the way that the Mac deal with the shares(ntlmv1 or ntlmv2). Are you trying to connect windows shares from Mac or are you using windows network home?

 

Following are some reference links found online which Mac users have similar problem:

 

https://lists.samba.org/archive/samba/2015-January/188323.html

 

http://apple.stackexchange.com/questions/152900/share-mac-files-yosemite-with-windows

 

You could follow steps in the below link to configure both NTLMV1 and NTLMv2 to see if it will help to get rid of these messages.

 

https://discussions.apple.com/thread/6754792?start=0&tstart=0

 

Secondly, regarding the messages from sandboxd and smb crashes. I am afraid these are the things that belong to Apple as Centrify is one of the victim from the smb crashes which it is blocking our agent's socket from sending/receiving anything.

 

=====

Dec 11 08:13:40 xserve.DOMAIN.local sandboxd[449] ([549]): smbd(549) deny network-outbound /private/var/centrifydc/daemon2

=====

 

Hope this helps.


Regards,
Albert

Participant III
Posts: 8
Registered: ‎12-03-2015
#15 of 15 3,232

Re: Centrify is in connected mode but users are unable to login.

I got the below message when a client tried to login after the SMB crashes and then it display the ptoto=ntlmv2 message with the Domain and username.

 

=========

13/12/15 5:14:36.273 PM digest-service[22471]: digest-request: uid=0
13/12/15 5:14:36.274 PM digest-service[22471]: digest-request: od failed with 2 proto=ntlmv2
613/12/15 5:14:36.274 PM digest-service[22471]: digest-request: DOMAIN\\user
13/12/15 5:14:36.277 PM digest-service[22471]: digest-request: kdc failed with -1561745659 proto=ntlmv2

=========

 

Thanks for your help. I will chcek out the links you have provided and I will let you know if fixes the problem.