10.7.5 client shows open directory server not responding

Similar Messages

• Open Directory Server "not responding"

  This is strange, and I'm not sure what if anything is wrong...
  My server is an OD Master. LDAP, Password Server, and Kerberos all report running. AFP authentication is set to Kerberos (only). Authenticated directory binding is enabled. Client computers are bound to the directory server. They connect via AFP, a ticket is created (viewable in Ticket Viewer), everything works fine (apparently).
  However... in System Preferences/Accounts/Login Options, there's a red dot (not Leica) next to the directory server IP, and if I click on Edit it says "The server is not responding". This is the case for all client computers, not just one. Not sure when it started; when I set it up they were all green of course.
  So, what does this "server is not responding" mean? Given that clients can do everything they need to do, can/should I consider this a non-issue?

  Thanks Classic and Chris. Good questions.
  The server isn't behaving as expected. Following Classic's suggestion, I tried binding without SSL. I didn't expect it to work, I thought SSL was required. (Under OD Settings/Policies/Binding, "Encrypt all packets (requires SSL or Kerberos)" is checked.) But with SSL unchecked, I was prompted for diradmin username/password. I entered the correct credentials, but they were rejected. So I tried leaving the credentials blank. That bound the client to the directory successfully (green dot). But "Enable authenticated directory binding" is checked.
  With the green dot, I tried connecting to the server over AFP, but could not. Only when I manually copied in the Kerberos file was I able to successfully connect to AFP. (Shouldn't the Kerberos file be created automatically at some point?)
  So, clearly something is wrong with SSL, and also perhaps with my settings. (The server should only allow binding with authentication and over SSL, but it does not, and it does allow unauthenticated binding without SSL.)
  OD Overview confirms that Kerberos is running. Not connected to an AD domain (nor should be).
  Running the kadmin.local command gives me a very long list of items that look like e.g. service/[email protected] or service/LKDC:[email protected] One of the services listed is "afpserver". (There are also listings for a number of services that aren't run on the server.)
  AFP is restricted to two groups; the username I'm using for AFP connections is a member of one of those groups.

• Brand new Open Directory server not authenticating 10.9, 3.3.2

  I'm hoping somebody here has ran into this as it's driving me up a wall.
  I'm on a completely clean install of OS X Mavericks, with the installation from the App Store.
  On top of that, a completely clean install of Server.app 3.2.2 is installed.
  This server has a FQDN, and when I check to see if the hostname resolves in DNS, it totally does. DNS is not turned on as a service, but DNS server settings are correct and the server can hit the outside internet just fine.
  So my steps are as follows: Install Mavericks, clean onto a new partition. Update with all patches. Set Static IP. Install Server 3.2.2 which installs without error. Check hostname settings. All good there. Verify permissions. Create OD Master. I cannot get a single newly created with Server.app Local Network user to log in, even with home folders all 100% local to the client machine. I've unbound and rebound the client machine. I've restarted everything. Nothing.
  When attempting to log in, if I set it to reset password at next login, the prompt to reset the password will appear. I know at least initial auth is taking place, or I wouldn't be getting a password reset screen. After attempting to reset the password, neither the original temporary nor reset password will work. Users cannot log in.
  Here are the errors generated, with my info edited out:
  Jan 14 17:49:35 server slapd[111]: passwd_extop: (null) changed password for uid=test,cn=users,dc=controller,dc=domain,dc=edu
  Jan 14 17:49:35 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
  Jan 14 17:49:35 server slapd[111]: conn=1181 op=3: attribute "entryCSN" index delete failure
  Jan 14 17:49:41 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
  Jan 14 17:49:41 server slapd[111]: conn=1197 op=3: attribute "entryCSN" index delete failure
  I understand this is common for users upgrading from 10.6.8 but this is completely clean. I'm not usually administering an OS X server; I'm completely lost.
  Have tried: Recreating master, rekerberizing
  Using scutil and host to verify the DNS on the server works perfectly. Am I missing something small with DNS? We are a fairly large org with DNS not being provided by this server. If you think a different log file would help, please let me know which one.

  What do you get from this:
  sudo /usr/libexec/slapd -Tt
  Anything in /Library/Logs/slapconfig.log?
  Also, have you tried the suggestion here:
  Open Directory - Local Network User/Group - GONE

• Safari fails to open pages - "server not responding"

  Hello all. I just got my new MacBook a few days ago. This is my first Mac and I love it! Safari was working perfectly until yesterday. When I try to open any webpage, it says that Safari "failed to open page because the server stopped responding". Any ideas?
  Thanks in advance!

  Hello BlueOrca,
  Have you tried Safari in an other user account if not do so please.
  System pref. ->Accounts -> Login Options [+] to create one. Log out of yours & into that one. This help to pinpoint if this issue is systemic or user specific
  Which ISP do you use ?
  Which Router do you USE, Does it have a Firewall ?
  Can you find it here ? Do you know how to configure, do check the settings.
  http://www.portforward.com/english/routers/port_triggering/routerindex.htm
  In -> System Preferences -> Network -> Show: Wireless->
  • TCP/IP tab:
  Do you have DNS # Values entered in the DNS # Field Box ?
  If not enter them. Find your server here and the DNS # to enter
  http://www.portforward.com/networking/dns.htm
  Configure IPv4: Do you use Using DHCP Lease ?
  IPv6 address do you see one there? If not try setting
  Configure IPv6: Is that set on Automatically, if not try that
  • Proxy tab:
  Do you have Proxies checked ? if you do try Deselecting it.
  If AOL is a browser does it have settings that over ride Safaris ability to connect nI know nada about AOL, perhaps you could check its settings.
  Let us know how you fare, okay?
  edited by: Eme

• TS1398 my father gifted me ipad2 unfortunately i could not connect to internet .  wifi is connected but webpage cannot be opened says server not responding plz help

  help to connect to internet wifi is conncted

  It is me again. I have just noticed a more like this item that matched mine and one of the replies there has sorted my problen out. A big thanks to Spyglass Sally for that.

• Open directory server crashing every 30 days / clients unable to connect to calendar, contacts server

  Hello everyone,
  I am running an up to date Mavericks Server which serves exclusively as a calendar and contacts server for about two dozens devices. The server is reachable via DynDNS, however, the public IP hardly ever changes (only once or twice a year maybe). Tried setting the OS X DNS Server to serve "all clients" and "some clients".
  For about 6 months (i.e. also under Mountain Lion), I am having a very strange problem. Roughly every 20-30 days, clients will not be able to connect to the server, instead getting a "wrong password" dialog. Restarting the open directory server will help for the next 30 days.
  I have tried repairing the database as detailed here, however, the issue persists.
  Any help would be highly appreciated!
  I would have tried setting up a clean server installation, migrating calendars/contacts manually and re-adding all users by hand, however, I am not aware of an easy way to do so. The terminal command for calendar backup is broken under mavericks (might work with this workaround) and re-adding users manually would apparently involve correcting user UUIDs afterwards in order to match the migrated calendar data. Do you know of a better approach?
  Thanks a lot!
  DPSG-Scout

  Hi Linc,
  This looks the most relevant to me:
  opendirectory.log
  2014-03-11 11:13:09.460675 CET - 333.2628758.2628759 - Client: Python, UID: 93, EUID: 93, GID: 93, EGID: 93
  2014-03-11 11:13:09.460675 CET - 333.2628758.2628759, Node: /Local/Default, Module: PlistFile - predicates with 'AND' are not supported
  2014-03-11 12:09:00.296514 CET - State information (some requests have been active for extended period):
            Sessions: {
                28 -- opendirectoryd:
                            Session ID: 7BFBA6FE-A968-4399-A129-E3A5945E2A81
                            Refs: singleton
                            Type: Default
                            Target: localhost
            Nodes: {
                43 -- authd:
                            Node ID: 6D0E236D-6DBD-4E8C-BC01-B3F50C2C2D8E
                            Nodename: /LDAPv3/127.0.0.1
                            Session ID: <Default>
                            Refs: 1
                            Internal Use: X
  an many more similar ones…
  Thanks for your effort!

• 10.3.9 clients not working with 10.4.9 open directory server

  I have a 10.4.9 server running open directory and managing about 20 10.4.9 clients. I am trying to have it manage our remaining 10.3.9 clients, but for whatever reason, I cannot seem to get the 10.3 clients to "attach" to the server.
  I have the 10.3 clients set up in a computer list on the server, and in directory access I have it set to "get ldap mappings from server". At one point, it was suggested to me that I have the clients "get ldap mappings from open directory server". I tried this, and manually set the search base suffix. My search base suffix was "dc=example,dc=local". I even tried doing "cn=config,dc=example,dc=local" (where in both cases example.local was replaced with my real DNS name). Any suggestions on what else I could try to get this to work?

  That's the odd thing though. I've done this with 10.4 no problem. Settings always worked. For some reason though, even though the clients are able to login using a network user, none of the preference settings sync.
  For example - I always put a loginwindow message on as a sort of "test" to see if preferences are being set. If that works, then I rarely have a problem. No matter what I do, though, I cannot get the loginwindow message to display on the 10.3 clients. It works really well on 10.4, but not at all on 10.3. I've tried this on multiple 10.3 machines, as well, (and they're both based on different system images) but it still doesn't work. When I get back to work on Friday, I'll have to see if preferences will work for network users; that's the one thing I haven't tried.
  Other than dumping the directoryaccess preferences, is there another preference setting that could be dumped on the client that may make it grab prefs from the server?

• Ubuntu Karmic authentication against Snow leopard open directory server

  Hi,
  I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` show all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directry users fails with the following messages in the /var/log/auth.log:-
  Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
  Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
  (I've changed the hostname and ldap url)
  /etc/ldap.conf has:-
  base dc=server,dc=domain,dc=com
  ldap_version 3
  rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
  bind_policy soft
  pam_password md5
  /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
  /etc/pam.d/common-passwd :-
  password sufficient pam_ldap.so md5
  password required pam_unix.so nullok obscure md5
  password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
  /etc/pam.d/common-auth:-
  auth [success=2 default=ignore] pam_unix.so nullok_secure
  auth [success=1 default=ignore] pam_ldap.so usefirstpass
  auth requisite pam_deny.so
  auth required pam_permit.so
  /etc/pam.d/common-account:-
  account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
  account [success=1 default=ignore] pam_ldap.so
  account requisite pam_deny.so
  account required pam_permit.so
  /etc/pam.d/common-session
  session [default=1] pam_permit.so
  session requisite pam_deny.so
  session required pam_permit.so
  session required pam_unix.so
  session optional pam_ldap.so
  session optional pamckconnector.so nox11
  Does anyone have any ideas where to go from here?
  Message was edited by: zebardy

  Hi
  It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
  You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
  An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
  Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
  http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
  Page 55 onwards.
  From Page 64:
  "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
  If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
  HTH?
  Tony

• Changing the Name of an Open Directory Server while preserving users, etc.

  Hi Everyone,
  Not an emergency - but I have been wrestling with this dilemma for almost a year now.
  The good news is nothing has to be done right away. But I will ultimately need a solution.
  We have inherited a server system at a traditional elementary school from a previous IT person who was immature to say the least.
  When he set up the server system, he named the open directory server something that, while innocuous is inappropriate for a school setting.  I am sure he thought it was clever and cheeky at the time. But a few years later it is simply unprofessional. And we are being expected to ultimately be able to change it so something like "XXXdirectory.domainname.edu" The more it hangs around - the longer it looks like we did this and it makes us look unprofessional.
  So here is my dilemma. 
  This is an OD Master with iCal and network homes attached to it. It also runs DNS.
  I would like to set up a new server and name it "xxxdirectory.schooldomainname.edu"
  Setting up the new server is easy and getting all the client machines to bind to it - no problem.
  The problem is how to migrate all the users to the new server.  It seems a restore wont work because if the new server is named differently, the restore will fail. I also can't do a server migration because the stupid name migrates to the new server.
  My old server is 10.5.8 Server.  The new one is 10.7.1 Server . But could be 10.6.8 Server if need be. 
  The main problem is how do I get all the accounts onto a new server with a new OD master name?
  I don't mind command line stuff. So throw whatever you got at me.
  Thanks in advance for your help everyone.  Don't worry - I won't be a pain in the butt or argue.  I just need some good solid guidance, even if it is a "Not possible" answer - at least I have something to tell the administration when they want to know why we can't change the OD Master name from mcnugget.schoolname.edu.
  Please let me know if you need more details.  I am happy to provide.
  Thanks again.
  Tony

  If you don't mind resetting everybodies password then you can export the users and groups and wipe the server for a clean install or turn it into a standalone server then back into od master  then import the users and groups.

• How do you bind Vista / XP clients to Open Directory?

  I have an OSX Server OD Master set up in 10.5.6.
  My OSX Clients can bind to it just fine using Directory Utility.
  How do you bind Vista / XP clients to Open Directory masters?
  Thanks

  @ jakelh:
  Make sure Kerberos is working on your server. Without it, PC logins will probably fail at least for Vista clients. Otherwise you'd have to downgrade a client-side setting on the Vista clients,
  http://www.builderau.com.au/blogs/codemonkeybusiness/viewblogpost.htm?p=33927074 6
  DNS is critical here, but Vista can have a problem with things that are correctly configured.
  IE: Vista defaults to a TCP/IP setting that can make it incompatible with existing network hardware
  http://www.tech-recipes.com/rx/1744/vistatcp_cannot_communicate_primary_dnsserve

• Three new groups in Open Directory Server

  I noticed that my Open Directory server has three new groups in WGM,OD Users, OD Administators and com.apple.limited_admin. Should I treat these as I treated the other groups by assigning them members and group folders? I also noticed that now I have a System Administrator and a Directory Adminstrator, does that sound right? Should I keep both? Thanks

  Ok, thanks, I had forgoten the "show system records" trick.
  For the guest user, I don't see it in dscl.
  So I suppose it's not a user, just an "anonymous" authentication option in the sharing preferences.
  It's a bit like "others" in the posix rights permissions : User, group, other. User and group are existing and named, other are not named, it's just anybody that is not the named user and not a member of the named group.
  To keep things understandable, you should use an other name if you wish to configure a "guest user"
  You can manage the "enable guest account" option from WGM if you select a computergroup, in the preferences pane / login / options.
  Hope it helps
  Nicolas

• Wrong UID from open directory server

  I have a problem with a mac OSX server
  I have an open directory server A, that shares all users to every other server i have.
  I then have 2 mac OSX servers B and C, that it set up to allow network users. I can easily login with a open directory user, on both servers, but I have a problem. on server B it says the users user id is 1050, which is correct. On server C it says that the same users user id is 1000, which is wrong. Both server set ups are identical, as far as I know. On the Open Directory server A the users id for the user is also 1050, in case that is relevant.
  I have checked if server C has a local user with the same name, but htat is not the case.
  Any idea what might have caused this problem?

  bump

• Directory Utility wont connect to Open Directory Server on Xserv 10.5.1

  I am trying to set up the ical service on the xserve, I have the server set up as the OD master when I went into the directory utility app it would not located the server until I changed the search policy to custom which included LDAPv3. Once I did that the server popped up in the directory utility list but it says "server is not responding"
  Any one else having this issue or know what might be the solution?

  Have you tried adding the server to the client using 'servername.local' instead of its DNS name? I have had flaky problems adding clients to the directory server using the DNS name and found using 'servername.local' to be much more reliable.

• Open Directory server on two Private IP addresses - acting slow

  We have an OS X Open Directory server that has two non-routable IP addresses.
  Primary - 10.0.0.x (LAN) with 10.0.0.x gateway
  Secondary - 172.16.0.x (SAN) with no gateway
  When it is plugged in to both networks, Server Admin responds very slowly. If the server is just on the primary interface, Server Admin responds normally.
  We also have a replica that is on the two private networks.
  Primary - 10.0.0.x (LAN) with 10.0.0.x gateway
  Secondary - 172.16.0.x (SAN) with no gateway
  When we launch Server Admin on the replica, Server Admin says there's no server found at this address, even when it is looking for server.local, as opposed to server.domain.com.
  Again, if you put this server on the primary 10. network, it works fine.
  What's going on?

  For anyone else interested, I eventually decided that a fully-qualified domain name seems to be necessary for some services, and that OS X Server doesn't seem to know exactly when that is the cause of problems, and the documentation doesn't really specify exactly what it is necessary for. So I had my organization set up a FQDN for the server, even though it's only meant to be used internally, and that seems to fix things.
  Greg

• How to promote my OSX10.6.8 replica server to Open Directory server

  My Open Directory Server crash and i would like to promote my replica Server to Open Directory.  can you tell me how to do this.

  Hello Dave,
  Check out the steps quoted below to promote your replica to the Open Directory master.
  Provide Open Directory service
  https://help.apple.com/advancedserveradmin/mac/3.1/#apdD1F7D8CA-CF07-40CE-B2D4-8 E3ACF4BCA40
  Promote a replica to Open Directory master
  If an Open Directory master fails and you can’t recover it from a backup, you can promote a replica to be a master. The new master (promoted replica) uses the directory and authentication databases of the replica.
  Select Open Directory in the sidebar.
  Click Servers.
  Select a replica to promote, then choose Promote Replica to Master from the Action pop-up menu (looks like a gear).
  Enter the directory administrator name and password.
  If you archived Open Directory data with certificate authority keys, you can restore them by entering the Open Directory archive location or clicking choose to locate the archive.
  Click Next.
  Enter the user name and password for the replica that’s being promoted, then click Connect.
  Regards,
  -Norm G.