Problem

OSX systems joined to an Active Directory domain periodically exhibit behavior where access to one or multiple mounted SMB shares disappears.

It is not uncommon to see a Ticket Granting Ticket (TGT), a required component of the authentication mechanism between Active Directory and all OSX clients, expire and not be renewed by the system.

In OSX's Kerberos implementation, auto-renewal of an expired Ticket Granting Ticket (TGT) does not happen by default. Since in many organizations users do not actually log out of their desktops at the end of the day, and may not do so for several days, it is common for an OSX system with default settings to let a user's TGT expire, not renew it, and not prompt the user to refresh it. The result is that users are presented with password prompts when attempting to access various resources. A few options exist for dealing with this, if it is a problem in your environment.

In these instances one might observe something along the following lines. We normally expect to see at least the TGT when we issue the klist command in the Terminal utility. Note how the second time the command is run, which happened after the ticket expired, klist lists no tickets.

At times one might observe that there is a ticket, but it is expired and does not renew. Do not assume that having a ticket means everything is normal; be sure to confirm that the expiry timestamp is later than the current time.

klist
lab:~ labusr$ klist
Credentials cache: API:3C31635C-78FB-41EA-AB31-9957F0E0F02A
        Principal: labusr@RACKTOPLABS.COM
  Issued                Expires               Principal
May  9 08:17:09 2016  May  9 18:17:06 2016  krbtgt/RACKTOPLABS.COM@RACKTOPLABS.COM
May  9 08:17:42 2016  May  9 18:17:06 2016  cifs/bsr-3572c1aa.racktoplabs.com@RACKTOPLABS.COM

### Same command issued again, moments later, and nothing listed for user. ###
lab:~ labusr$ klist
klist: krb5_cc_get_principal: No credentials cache file found

When the above situation occurs, the user should expect to see login prompts and failures when saving files to, or accessing files from, connected SMB shares.
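The expiry check described above can be scripted. The following is an added example, not part of the original article: the function names tgt_state and sample_klist and the "now" timestamps are assumptions made for illustration, and it assumes klist prints English month names in local time, as in the output shown above.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the macOS (Heimdal)
# klist layout shown above: English month names, local time.

# tgt_state NOW: read klist output on stdin, print valid|expired|missing.
# NOW is local time as YYYYMMDDHHMMSS, e.g. "$(date +%Y%m%d%H%M%S)".
tgt_state() {
    awk -v now="$1" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = i
        state = "missing"
    }
    $NF ~ /^krbtgt\// {
        # Only the home-realm TGT (krbtgt/REALM@REALM), not cross-realm ones.
        split($NF, p, "[/@]")
        if (p[2] != p[3]) next
        # Heimdal klist prints this marker in place of a lapsed expiry time.
        if (index($0, ">>>Expired<<<")) { state = "expired"; next }
        # Fields: issued (mon day time year), expires (same), principal.
        if (NF != 9 || !($5 in mon)) next
        split($7, t, ":")
        expiry = sprintf("%04d%02d%02d%02d%02d%02d",
                         $8, mon[$5], $6, t[1], t[2], t[3])
        state = (expiry + 0 > now + 0) ? "valid" : "expired"
    }
    END { print state }'
}

# The klist output from the page, embedded so the demo runs offline.
sample_klist() {
    cat <<'EOF'
Credentials cache: API:3C31635C-78FB-41EA-AB31-9957F0E0F02A
        Principal: labusr@RACKTOPLABS.COM
  Issued                Expires               Principal
May  9 08:17:09 2016  May  9 18:17:06 2016  krbtgt/RACKTOPLABS.COM@RACKTOPLABS.COM
May  9 08:17:42 2016  May  9 18:17:06 2016  cifs/bsr-3572c1aa.racktoplabs.com@RACKTOPLABS.COM
EOF
}

# Constructed "now" values on either side of the 18:17:06 expiry above.
sample_klist | tgt_state 20160509120000   # prints: valid
sample_klist | tgt_state 20160509190000   # prints: expired
# On a live Mac: klist 2>/dev/null | tgt_state "$(date +%Y%m%d%H%M%S)"
```

A result of expired or missing corresponds to the two failure cases described above, and either one calls for re-acquiring the TGT.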

Solution

Method 1

Open Terminal and use the kinit command. This will prompt you for your user password, then use this credential to request a new TGT. Once the TGT is re-acquired, the user should no longer be prompted for their password, at least not until the TGT expires again.

Method 2

It is possible to achieve the same result as the first method via the Ticket Viewer utility, which we can start from Terminal by running this command: /System/Library/CoreServices/Ticket\ Viewer.app/Contents/MacOS/Ticket\ Viewer & . Alternatively, we can use Finder's Go to Folder option and locate the Ticket Viewer utility by navigating to /System/Library/CoreServices .

Method 3

This may be a more user-friendly alternative which eliminates the need for the former methods, but it does require that the computer have a password-protected screen saver, or that a login prompt is forced after the display wakes from sleep. In System Preferences -> Security & Privacy -> General, set the option Require password after sleep or screen saver begins to immediately. When you wake your computer from sleep, activate the screen saver with a hot corner, or return to the computer after the screen saver has activated, the system will prompt you for your credentials. Once you authenticate, the system will use the credentials to renew your TGT if it recently expired.