10.6.8 to Mavericks Server Upgrade loses Open Directory Users

Similar Messages

• Mavericks server upgrade

  I have just bought this mac mini server, with OSX 10.8.5 and server app ver 2.0.23 pre-installed. Made the recommendede upgrades, but maveriks is not listed.
  So, I can't find how to upgrade the server to a mavericks server. Or is it that I have to upgrade to a standard mavericks in the mini, then pay a $20 to upgrade the server app 3.01?

  First you need to upgrade to OS X Mavericks, and then you have to purchase OS X Server in the Mac App Store. You cannot upgrade to OS X Mavericks directly.
  Before doing anything, make a backup of your files with Time Machine and check that your apps are compatible > http://www.roaringapps.com

• Open Directory users prompted to change password after 10.8 to 10.9 server upgrade

  I just upgraded our 10.8.5 server to 10.9.3. I also upgraded Server.app to the most recent version (3.1.2). I made a complete backup first as a precaution.
  Existing non-admin users are being prompted to change their password when logging in. I've narrowed the problem down to a checkbox in the "Global Password Policy" settings in Server.app, specifically this checkbox: "Passwords must: be reset on first user login". I had that box checked in 10.8 so that new users would be prompted to create a password the first time they logged into a bound computer. It worked great and I'd like to continue using this feature in 10.9.
  If I uncheck this box in Server.app in 10.9.3, existing users can log in just fine with their existing passwords. If I re-check the box, non-admin users are suddenly prompted to change their password when logging in, even though they've logged in countless times in the past.
  Here are some things I've tried:
  * stopping and restarting the Open Directory service in Server.app
  * restarting the server
  * disabling and re-enabling an existing user account
  * inspecting user records in Directory Utility for any peculiar attributes
  * I used the mkpassdb -dump command to verify that the correct "last login time" is present for a particular user, but I'm not enough of an Open Directory expert to know if this is the attribute that the Global Password Policy relies on.
  Does anyone have any other ideas or suggestions?

  UPDATE: It looks like this issue applies to new (post-upgrade) accounts, too, suggesting that this has nothing to do with the upgrade process. Can anyone confirm this behavior? It's easy to test:
  1) Make sure the "Passwords must: be reset on first user login" box is unchecked.
  2) Create a new user in Open Directory.
  3) Log in once. No problem.
  4) Now check the "Passwords must: be reset on first user login" box.
  5) Try to log in again. Were you prompted to change your password? Logically, you shouldn't have been prompted, but users on my server are being prompted.

• Mavericks Server – Populate OD with AD Users & Groups?

  Setting up 'Golden Triangle' (or trying to). Mac server and clients bound to both AD and the Mac server, and we've managed to set up some device profiles which have been successfully pushed to the clients.  We can see the AD Users & Groups in the main Mavericks Server window, but have no real clue how to populate OD with them. At the moment Profile Manager by default can only see existing AD Policy groupings, rather than the actual AD Group structure. With well over a thousand AD users, do we have to add them all ONE AT A TIME to become bona fide OD users and groups?

  After re-registring the device, deleting adding user againt from/to group com.apple.access_devicemanagement did the job. No error any more.

• After Updating to Server 4.1 Open directory and LPAD gone

  Hello,
  two days ago I discovered that Open directory was not working on our Server (Mac Mini 2012). I suspect it stopped working after updating to 10.10.3 and OS-X Server 4.1. When I try to start Open directory in the Server App the Server App prompts: Unable to load Replica List. When I try to recreate my Open directory Server I Get: OD Server already exists.
  I get the following log entries:
  LDAP Log
  Apr 11 22:03:02 server.seju.eu slapd[925]: @(#) $OpenLDAP: slapd 2.4.28 (Feb 24 2015 21:45:59) $
    [email protected]:/BinaryCache/OpenLDAP/OpenLDAP-499.32.4~1/Objects/servers/slapd
  Apr 11 22:03:02 server.seju.eu slapd[925]: daemon: SLAP_SOCK_INIT: dtblsize=8192
  Apr 11 22:03:02 server.seju.eu slapd[925]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:server.seju.eu"
  Apr 11 22:03:02 server.seju.eu slapd[925]: slap_add_listener: opened additional listener 'ldaps:///'
  Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): unable to allocate memory for mutex; resize mutex region
  Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_open: database "dc=server,dc=seju,dc=eu" cannot be opened, err 12. Restore from backup!
  Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): txn_checkpoint interface requires an environment configured for the transaction subsystem
  Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": txn_checkpoint failed: Invalid argument (22).
  Apr 11 22:03:02 server.seju.eu slapd[925]: backend_startup_one (type=bdb, suffix="dc=server,dc=seju,dc=eu"): bi_db_open failed! (12)
  Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": alock_close failed
  Apr 11 22:03:02 server.seju.eu slapd[925]: slapd stopped.
  Open Directory Log
  2015-04-11 21:57:10.624284 CEST - AID: 0x0000000000000000 - opendirectoryd (build 382.20.2) launched...
  2015-04-11 21:57:10.752590 CEST - AID: 0x0000000000000000 - Logging level limit changed to 'error'
  2015-04-11 21:57:10.916732 CEST - AID: 0x0000000000000000 - Initialize trigger support
  2015-04-11 21:57:10.951833 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'
  2015-04-11 21:57:10.958469 CEST - AID: 0x0000000000000000 - Module: SystemCache - failed to load persistent state - Input/output error
  2015-04-11 21:57:10.962533 CEST - AID: 0x0000000000000000 - Registered node with name '/Active Directory' as hidden
  2015-04-11 21:57:10.962833 CEST - AID: 0x0000000000000000 - Registered node with name '/Configure' as hidden
  2015-04-11 21:57:10.963182 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'
  2015-04-11 21:57:10.963194 CEST - AID: 0x0000000000000000 - Registered node with name '/Contacts'
  2015-04-11 21:57:10.963438 CEST - AID: 0x0000000000000000 - Registered node with name '/LDAPv3' as hidden
  2015-04-11 21:57:10.966901 CEST - AID: 0x0000000000000000 - Registered node with name '/Local' as hidden
  2015-04-11 21:57:10.968600 CEST - AID: 0x0000000000000000 - Registered node with name '/NIS' as hidden
  2015-04-11 21:57:11.031990 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'
  2015-04-11 21:57:11.032007 CEST - AID: 0x0000000000000000 - Registered node with name '/Search'
  2015-04-11 21:57:12.343838 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/LDAPv3/127.0.0.1' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/127.0.0.1.plist'
  2015-04-11 21:57:12.343888 CEST - AID: 0x0000000000000000 - Registered subnode with name '/LDAPv3/127.0.0.1'
  2015-04-11 21:57:13.549377 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'
  2015-04-11 21:57:13.551131 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'
  2015-04-11 21:57:13.554053 CEST - AID: 0x0000000000000000 - '/Search' has registered, loading additional services
  2015-04-11 21:57:13.554064 CEST - AID: 0x0000000000000000 - Initialize augmentation support
  2015-04-11 21:57:13.557920 CEST - AID: 0x0000000000000000 - Successfully registered for Kernel identity service requests
  2015-04-11 21:57:13.557940 CEST - AID: 0x0000000000000000 - Adjusting kernel ID cache (100 -> 250) and membership cache (100 -> 500)
  2015-04-11 21:57:13.575235 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'
  2015-04-11 21:57:13.578418 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'
  2015-04-11 21:57:13.583810 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleID.bundle'
  2015-04-11 21:57:13.615788 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'
  2015-04-11 21:57:13.619666 CEST - AID: 0x0000000000000000 - Registered subnode with name '/Local/Default'
  2015-04-11 21:57:13.632498 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
  2015-04-11 21:57:13.845588 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientLDAP.bundle'
  2015-04-11 21:57:13.849664 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientPWS.bundle'

  I had a similar problem. A couple days after upgrading, I encountered OD's "Unable to load replica" problem and had my server's certificate deleted from my system keychain!
  Server.app + OD + LDAP are all extremely fragile and I just don't trust them during transitions, so I always keep an independent bootable backup with Carbon Copy Cloner and this preflight script. I'll post my notes for recovering OD below, but in my case, nothing worked this time, and I couldn't start OD robustly across reboots. Fortunately for me, my 12 hour old bootable backup was working, so I just used CCC to copy my bootable backup back. Not sure what I would have done had that not worked short of rebuilding everything from scratch.
  Pre-steps:
  0. Bootable backups, Time Machine backups, and dirserv backups of everything.
  1. Disk Utility: Fix disk permissions, Fix disk
  2. PRAM reset, Command-Option-P-R at boot
  3. DiskWarrior to rebuild the disk directory
  Possible steps to fix OD:
  # Fix Open Directory "Unable to load replica"
  # Try this first:
  # https://support.apple.com/en-us/HT200018
  # Quit Server.app
  sudo mkdir /var/db/openldap/migration/
  sudo touch /var/db/openldap/migration/.rekerberize
  sudo killall PasswordService
  # Open Server.app
  # Try this second:
  # http://apple.stackexchange.com/questions/79141/how-to-fix-failing-open-directory -database-cn-authdata-cannot-be-opened-err
  sudo serveradmin stop dirserv
  sudo launchctl unload -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
  sudo db_recover -h /var/db/openldap/authdata/
  sudo /usr/libexec/slapd -Tt
  sudo launchctl load -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
  sudo serveradmin start dirserv
  # Try this third:
  # https://discussions.apple.com/thread/6018956
  sudo serveradmin stop dirserv
  sudo slapconfig -restoredb /private/var/backups/ServerBackup_OpenDirectoryMaster.sparseimage
  sudo serveradmin start dirserv
  # Try this fourth (assuming ccc_preflight od backup):
  # https://discussions.apple.com/thread/6018956
  sudo serveradmin stop dirserv
  sudo slapconfig -restoredb /private/var/backups/odbackup/od_2015-04-11.sparseimage
  sudo serveradmin start dirserv
  # Try this last:
  sudo rsync -va /your-backup-drive-possibly-TM/private/var/db/openldap/authdata/ /private/var/db/openldap/authdata/
  If your server cert gets deleted from the System keychain, you'll need to boot into the bootable backup and export the certificate+key that looks like hostname.domainname.tld, signed by IntermediateCA_HOSTNAME.DOMAINNAME.TLD_1, copy this to the server drive, import back into the System keychain. The cert should then appear within Server.app again. See here for how to do this if all you have is the System keychain file.
  If anyone has reliable advice how to fix a corrupt OD that would be a huge help.

• Windows 2008 Server - Cannot run Active Directory Users and Computers

  Hi,
  I am running Windows 2008 Server with latest windows updates installed. Directory Services Role also.
  I attempt to open Active Directory Users and Computers tool and I get a;
  Microsoft Visual C++ Runtime Library error;
  "The Application has requested the runtime to terminate it in a unusual way. Please contact the application's support team for more information"
  I click ok, then get the following debug info;
  Problem signature:
  Problem Event Name: APPCRASH
  Application Name: mmc.exe
  Application Version: 6.0.6001.18000
  Application Timestamp: 47919524
  Fault Module Name: msvcrt.dll
  Fault Module Version: 7.0.6001.18000
  Fault Module Timestamp: 4791ad6b
  Exception Code: 40000015
  Exception Offset: 0000000000029b06
  OS Version: 6.0.6001.2.1.0.272.7
  Locale ID: 3081
  Additional Information 1: 43aa
  Additional Information 2: cf3a46656318492c1997480001b6b0e0
  Additional Information 3: 3837
  Additional Information 4: 92f72e0d0589ff77cef51e0a413aeff6
  Read our privacy statement:
  http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
  If someone could please assist, it would be very much appreciated.
  Regards
  B

   
  Hi,
  To solidly troubleshoot this kind of issue, we need to debug dump file. A suggestion would be to contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
  To obtain the phone numbers for specific technology request please take a look at the web site listed below:
  http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
  However, I am also glad to share my research.
  Some third party applications may lead to this error. Please check if you install other third party applications on Windows server 2008?
  Also, please follow the article below to perform necessary steps to see how it's going?
  FIX: You receive an "invalid page fault in module MSVCRT.DLL" error message after you install the run-time libraries from Visual C++ 6.0
  http://support.microsoft.com/kb/190536/en-us
  Hope this helps.
  Best wishes
  Morgan Che

• OS X Server 10.6 bound to Active directory, serve that as Open Directory

  I have a OS X server 10.6 bound to an Active directory. I can log in to the afp file server with a AD account.
  Now, I like the clients to be connected to Open Directory from the OS X Server and authenticate to the AD.
  Is this possible?
  I like to be able to use network homefolders etc that resides on the OS X server.

  Yes.
  You are working in the right order. Now that you are bound to AD, simply promote the Mac server to OD Master. This will enable the LDAP server. You will likely note that the Kerberos KDC will not be running. This is proper, because the AD server is the KDC.
  Once this is done, you know can create OD groups and add AD users or groups so that you can manage those groups.
  Now, the trick is, you will need to go back to all the workstations and bind them to OS X as well as AD. This will allow the Mac clients to use AD for user authentication and authorization but then use OD for group management policy.
  Hope this helps

• OSX Server 4 missing open directory

  Hi,
  Recently updated my Mac Mini to Yosemite then subsequently updated the Server app to 4.0.
  After a quick reboot I realized that the Open Directory was disable.
  When i tried to enable the OD, it wants me to create a new OD. No error message was shown.
  Any ideas what happen to the existing OD? I have about 50+ users.
  Let me know what kinda info is needed. Thanks!
  Alwyn

  Hi,
  Recently updated my Mac Mini to Yosemite then subsequently updated the Server app to 4.0.
  After a quick reboot I realized that the Open Directory was disable.
  When i tried to enable the OD, it wants me to create a new OD. No error message was shown.
  Any ideas what happen to the existing OD? I have about 50+ users.
  Let me know what kinda info is needed. Thanks!
  Alwyn

• OSX server open directory users and logic

  Hi guys,
  Can anyone shed light on this issue, I can't be the 1st person to encounter it. We have a lab with 10 emacs, plus a OSX Xserve, which is set up as a Open Directory Master, the students log in to the workstations through the xserve.
  When they try and run logic, we get a load of permission errors, I have tried changing the ownership and permissions to read write everyone, but it doesn't help, has anyone got a fix for this problem

  I am assuming you are not using network home directories here, purely using open directory for logging in right? Logic does not play well over a network, but using OSX server for managing users should NOT affect being able to run logic locally on a machine. If you are using network home directories for users then this WILL be a problem. For example, you will get permission errors when trying to record something.

• OS Lion Server to OS Mavericks Server Upgrade Advice Needed

  a) Has anyone successfully done this on a corporate, AD bound, production, 10.7.5 Lion Server server with active Profile Manager accounts, 3rd party certificates, file sharing etc?  I'd like to assess probabilities of getting this done without having to rebuild a machine and re-enroll all of my profile manager clients.
  b) Can anyone provide high level steps towards achieving this goal - or - is the following general upgrade path correct?
  1) Upgrade OS Lion (which is running OS Lion Server) to OS Mavericks - THEN:
  2) Upgrade OS Lion Server to OS Maverics Server
  c) Is anyone running OS Lion Server successfuly in a corporate or professional arena and supporting the items above in red?  If so, what are some of the "gotcha's" you ran across?
  Q: Why am I wanting to upgrade from OS Lion Server to OS Mavericks?
  A: Just discovered that OS Lion Server Software Update Service (SUS - now "caching server?) doesn't support Mavericks clients.
  Note: I do keep an updated SuperDuper image of the system/startup drive.
  Thanks.

  Same issue with me. I am a new mac user, actually Mac Minii server is my first mac. I am not interested inthe server aspect but rather the pure Lion as I also plan to install bootcamp with windows 7. (Sorry but I am not ready for a full pc to mac migatrion). Being the only user of the mac mini does ot make sense to have the full server installed.
  Please help !!! Idiot (yours trully) proof guide will be highly appreciated. Thanks

• After Mavericks Server upgrade: cannot start DNS

  Hi,
  the upgrade to Mavericks went smooth on my Mac Mini, and also the upgrade of the Server App except on issue. I switched off DHCP an DNS before upgrading, but I cannot turn on DNS again. It will turn off instantly. I deleted the records and reentered all them with no success. I also tried "sudo rm /var/db/.ServerSetupDone" which will run the Server App like the first time, but all settings and my DNS error remain. What can I do? How can I reset DNS settings or all Server App settings?
  Thank you
  Peter

  Same problem here on my test server -> DNS turn on and instantly turned off
  Solution from raimattern solved the problem
  Got this from another list here and that was the solution:
  The plist that you need to edit (as root) is /var/db/launchd.db/com.apple.launchd/overrides.plist
  There will be a value in there for org.isc.named.
  Set that Disabled value to False.

• Server admin not seeing directory users from workgroup manager

  I am setting up a new Xserve with Snow Leopard (get 'em while we can). We have eight other XServes running Leopard or Snow Leopard server. On those machines we have set up file sharing over AFP. The machines are connected to our Active Directory server and our users authenticate using their domain passwords. All of our other servers were setup in Leopard and were upgraded to Snow Leopard. We have not had any issues authenticating to those boxes.
  This is the first one that we have actually setup new-out-of-the-box in Snow Leopard. I can set Workgroup Manager up to connect to our AD, and can see and search my domain users and groups in Workgroup Manager. When I try to set up my File Shares in Server Admin, none of my domain users show up-only local accounts.
  What have I missed? In Leopard, when I connected to the domain, the users immediately became available in Server Admin. Not so in SL, at least on this box.
  Help?

  Hi
  The first thing to check is if you've bound the Server to the AD Domain. The second thing is if the /Active Directory/All Domains is in the Search Policy. If you don't do either of these WorkGroup Manager won't display anything coming from the AD Schema.
  In 10.6 Apple moved the Directory Utility from where it used to be in /Applications/Utilities and made it part of the Accounts Preferences Pane. Perhaps it's this change that's confusing you? I would not advise doing this but it's also possible you used the Server Setup Assistant to do most of the configuration? If you did maybe something went wrong at that stage (won't be the first time) and you need to manually bind the Server instead?
  As ever make sure this server is using the same NTP Server as the others.
  Tony

• Server 2012 Essentials Active Directory users

  I am in the process of setting up a small business with 40 users and 12 workstations, most of the users will be working in a client site on they workstation and some will have access to anywhere access. I'm aware of essentials limited to 25 users, my question
  is can I only create 25 AD accounts or can I create 40, as all 40 users will not require concurrent access at sny given time?

  Hi,
  à
  when you say Essentials role experience is included, does this include Remote Anywhere feature in Essentials?
  The Windows Server Essentials Experience role is available in Windows Server 2012 R2 Standard and Windows Server
  2012 R2 Datacenter. When you install the Windows Server Essentials Experience role, you can take advantage of all the features that are available to you in Windows Server 2012 R2 Essentials without the locks and limits enforced in it. Windows Server Essentials
  Experience role enables you to
  use the Anywhere Access functionalities on the server (such as Remote Web Access and virtual private networks) to access your server, network computers, and data from remote locations in a highly secure manner. For more details, please refer to following article.
  Windows Server Essentials Experience Overview
  For configuring Anywhere Access functionalities in Windows Server Essentials, please refer to following article
  and check if can help you.
  Manage Anywhere Access in Windows Server
  Essentials
  By the way, if only have Windows Server 2012 Essentials, there are two scenarios in which Windows Server 2012
  Essentials can be used in environments with more than 25 users. For more details, please refer to following article.
  Using
  Windows Server 2012 Essentials with more than 25 users
  However, as Cliff and diramoh suggested,
  Windows Server 2012 R2 Standard with the Windows Server Essentials Experience role installed will be a better option.
  If anything I misunderstand or any update, please don’t hesitate to let us know.
  Hope this helps.
  Best regards,
  Justin Gu

• Messed up 10.3.9 to 10.4 upgrade on Open Directory Master.

  I am experiencing the issue described in
  http://docs.info.apple.com/article.html?artnum=301909
  I have tried to follow the instructions in the Article but I still have issues.
  I cannot modify the users list under anything but root and the diradmin logon does not work at all. If I disable Open Directory and Re-enable that will it fix the issue and how can I do this and still keep the Users and Groups straight? The passwords do not matter I was going to reassign them anyway.
  Help!!!

  Hi
  You could also try target disk moding the XServe to another mac that has a DVD drive and try from there. Make sure you have a fallback position before trying this as Daddy has already suggested if the disk is bad you might get it installed but subsequently have boot problems with your Xserve.
  Tony

• Binding Snow Leopard server OD to Mavericks server OD

  Does anyone know if it's possible to setup a Snow Leopard server to bind Open Directory to a new server running Macvericks server?
  I have 2 new mac minis running 10.9.4 with server 3.1.2 on them, one as an OD master and the other as a replica. We have a couple of older Xserves still running Snow Leopard server and must keep them that way because of some other software that can't be upgraded.
  What we need is those 2 servers to be able to bind (not as a replica as it's not possible) to the master OD mac mini for authentication?  I've been able to get the OD process on them to be set to "connect to another directory" then use Directory Utility to try and bind LDAPv3 to the master mini but it says invalid credentials supplied when I type in the proper OD username and password.
  Any thoughts?

  To work as Master and Replicas, all must be the same version of Server.
  You cannot bind as Open Directory Servers (as in combining Open Directories), but you can run Mac OS X 10.6.8 workstations [running 10.6.8 or 10.6.8 Server] off a Mavericks plus Server 3 Open Directory Server. You can have Home Directories on an older Server. You may be able to provide some services off the older Servers. But you cannot keep them as Open Directory Servers on the same Network.
  I think you just shut off Open Directory on the 10.6.8 Servers, then use Directory Utility to Bind to the Mac Mini or Replica Server as if they were Workstations.