Time Machine Server & Active Directory Authentication

We had some issues with our corporate Time Machine Server lately, and we may have found a fix for some of them. As the troubles arose, we soon scheduled a maintenance downtime and applied all pending software updates.

All updates went through and we were running a fully patched Mac OS X Server 10.9.2 with OS X Server.app 3.1.1. Unfortunately, when the system came back, authentication was somehow broken and we were greeted with the following messages in Console.app on the client side:

com.apple.backupd[1916]: Starting manual backup
com.apple.backupd[1916]: Attempting to mount network destination URL: afp://user@server/volume
com.apple.backupd[1916]: NAConnectToServerSync failed with error: 80 for url: afp://user@server/volume
com.apple.backupd[1916]: Authentication error (80) - the correct user or password info may not exist in the System.keychain or the server may no longer allow access for this user.
com.apple.backupd[1916]: Authentication error (80) - the correct user or password info may not exist in the System.keychain or the server may no longer allow access for this user.
com.apple.backupd[1916]: Backup failed with error 29: There was a problem authenticating with the destination.

After doing some research, we found that this problem came from a combination of the com.apple.access groups (the service access control lists, SACLs) and Active Directory groups. Our TM server is simply bound to the corporate AD domain, and the privilege to use the backup service came from three AD group memberships.

Figure 1

The error message above states that Time Machine tried to connect via the AFP protocol and got an authentication error. So we tried to do the same from the Finder, and it worked flawlessly. Hmm, strange... Let's try Time Machine once again! What should I say: it worked on the second try. Obviously, something happened while authenticating from the Finder.

This misbehaviour was reproducible.

Then I remembered a comment by Rich Trouton on ##osx-server:

[13:09:26 UTC] rtrouton: hjlinde: Another fix is to keep the SACL, create a local group that you add to the SACL's list and then stick an AD group with the users you want into that local group.

What Rich recommends is shown in Figure 2:

Figure 2
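The workaround Rich describes, as an added shell example that is not part of the original post: a local group is created, the AD group is nested into it, and the local group is added to the Time Machine SACL group, which stays enabled. The group names (tm_users, EXAMPLE\Backup Users) and the SACL group name com.apple.access_backup are assumptions; DRY_RUN=1 prints the dseditgroup commands instead of running them, so the steps can be reviewed on any machine.

```shell
#!/bin/bash
# Added example, not from the post. Run as root on the OS X Server when DRY_RUN is unset.
# Assumed names (adjust to your environment):
LOCAL_GROUP="${LOCAL_GROUP:-tm_users}"                 # local group placed in the SACL
AD_GROUP="${AD_GROUP:-EXAMPLE\\Backup Users}"          # placeholder DOMAIN\group from AD
SACL_GROUP="${SACL_GROUP:-com.apple.access_backup}"    # assumed Time Machine SACL group

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: create the local group in the local directory node.
create_local_group() {
    run dseditgroup -o create -n /Local/Default -r "Time Machine users" "$LOCAL_GROUP"
}

# Step 2: nest the AD group inside the local group (membership resolves through AD).
nest_ad_group() {
    run dseditgroup -o edit -n /Local/Default -a "$AD_GROUP" -t group "$LOCAL_GROUP"
}

# Step 3: add the local group to the SACL group; the SACL itself is kept, not disabled.
add_to_sacl() {
    run dseditgroup -o edit -n /Local/Default -a "$LOCAL_GROUP" -t group "$SACL_GROUP"
}

# Check: does a given user resolve as a member of the SACL group through the nesting?
check_user() {
    run dseditgroup -o checkmember -m "$1" "$SACL_GROUP"
}

# Apply all three steps in order; stops at the first failing command.
apply_workaround() {
    create_local_group && nest_ad_group && add_to_sacl
}
```

After applying the steps, check_user against an AD user that is only a member of the AD group should report membership in the SACL group.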

We implemented this method and tested Time Machine on different clients without any errors. Now, we only need to find a reason for this strange behaviour! Please use the comments if you have a clue.
