10.9 OD - diradmin login

Hi All,
After upgrading to Mavericks, I can't log in with the diradmin account to manage the workgroup.
The login information is not valid for this server.
The server failed to accept the login information you provided.  Check the Name and Password and try to log in again or contact your network administrator.
All other accounts are working.
I already had this issue on 10.8; there I did a reset with the mkpassdb tool. Now it seems the -setpassword switch is no longer active.
usage: [-u username][-m weakmech][-a][-b][-e count][-n replica-name][-o][-p][-q]
          -dump [slot-ID]
          -header
          -getglobalpolicy
          -kerberize
          -key
          -list
          -mergedb filepath
          -mergeparent filepath omit-file
          -rekeydb [key-size-in-bits]
          -setadmin slot-ID [admin-class (0-7)]
          -setglobalpolicy policies
          -setkeyagent slot-ID
          -setcomputeraccount slot-ID [off]
Any ideas?
Thanks

I have now deleted the OD Master and restored a new one from the backup archive.
Now I'm able to log in with diradmin in Workgroup Manager.
If I try to change the password of an OD user, I always get an error message:
In order to set the password of a user with an Open Directory Password, your own password type must be Open Directory. Administrators with other password types cannot set the password of a user with an Open Directory password.
Connecting to an AFP share with an OD user still does not work.

Similar Messages

  • Lion Server network accounts not working on some computers.

    Hello all -
    I'm currently having an issue with network accounts working on some Macs but not others. I have a Mac Mini and a MacBook Pro. The Mac Mini works fine and I can log in and sync my network account with the server just fine. However, I cannot connect to it from my MBP.
    When I try and connect I get an error that says "You are unable to log in to the user account "xxxx" at this time. Logging in to the account failed because an error occurred."
    If I login through console (by typing in ">console" in the username field) I get an error that says the user does not have a home directory...
    I have searched numerous other forums but I have not found a solution that seems to solve this problem. I have unbound and re-bound my client to the Open Directory and I have restarted file sharing. Neither has solved the problem. I have a feeling the issue originates somewhere on the MBP since I can log in to the Mac Mini without any problems.
    Any more suggestions?

    Thanks for your suggestion, SolidWood. Unfortunately it didn't help.
    After a 90 minute phone call with AppleCare, this issue has finally been resolved. Here is what the solution was. Turns out it was pretty simple but it took a while to find it.
    First we created a test user and left the home folder set to Local Only in the Server App. I was successfully able to login with the test user on both clients but since there were no mobility preferences set, it was pretty basic.
    Then, we removed the Users sharepoint from file sharing, turned off file sharing to disconnect any users, and restarted the server. Then we created a new folder on the Server HD with a random name. We chose Darron. We created a new sharepoint in file sharing (with it still turned off), and shared the new folder called Darron. Double click on the sharepoint and scroll to the bottom and check the box that says "Make available for home directories over AFP". Then we restarted file sharing.
    Then we opened Workgroup Manager, clicked on the problem user in the left sidebar, clicked on the Home option at the top, and there were three things listed:
         (None)
         afp://servername.com/Users
         afp://servername.com/Darron
    Then we removed the Darron sharepoint from file sharing, and found that it was still listed as a home directory under the problem user.
    This was the root of the problem. The system didn't know which path to use as the home directory.
    Sooooo...
    In the server app, we opened the Directory Utility (Tools in the menubar, Directory Utility). Clicked on Directory Editor. Authenticate to the directory using the diradmin login. Changed view settings to match this below:
    In the left column, there were two paths listed for home mounts. We deleted both of them, saved changes, and closed directory editor.
    Then, we restarted Workgroup Manager and both paths had been deleted from the users' home listings. This was beginning to solve the problem.
    In the Server App, we recreated the users sharepoint, made it available for home directories, and restarted file sharing and workgroup manager. Now only one path is listed for the home folder for all the users.
    This solved my problem of not being able to log in on the MBP. The system synced the home folder and all was well. On the Mac Mini, I had to delete the problem account, un-bind from the network server, re-bind, and recreate the account. Now both clients are syncing perfectly and all is well.
    Thank God I bought AppleCare! Thanks to everyone else for their help and suggestions.
    As a recap, the problem of not being able to login to the MacBook Pro was caused by having multiple paths to the multiple home folders. These rogue paths were added somewhere in the troubleshooting process to try and recreate the home directories before I called AppleCare. To solve this, we had to remove the directory listings from accounts using Directory Editor, remove and recreate the users sharepoint in file sharing. The syncing problem on the Mac Mini was also created when multiple paths were introduced. The system didn't know which files to use.
    Taylor

  • SMB PDC setup-authentication

    Hello, in a testing environment with a non-networked server (eth0 is on and all other settings and management are working correctly e.g. workgroup manager and server admin) I am interested in practicing setting OS X as a PDC. However, each time I try and establish this setting (SMB), I enter my domain and then attempt to authenticate as my DirAdmin only to receive a could not authenticate message and my settings reverted to previous.
    I think I might just be confused on the domain entry - I don't have enough room in the input box for server17.pretendco.com and pretendco.com doesn't work (what I've been using for everything else). Apple Knowledge Base says: "Domain: Enter the name of the Windows domain that the server will host. The domain name cannot exceed 15 characters and cannot be “workgroup.”"
    Any direction or sources please?
    I've been following the Apple Training Series Server Essentials 10.6 book up to this point, but this configuration is skipped over in the exercises... kind of important to know I feel.

    Just type PRETENDCO; it doesn't want any .coms etc.
    I believe it must be in CAPS as well; although I don't use this facility, it is what I seem to recall it should be.
    Windows 7 is not supported, I believe, and Vista may need some tweaking in the security policy.
    Also log in as diradmin before you try to modify anything, as this will prove it is not an account issue with the diradmin login.
    When you say non-networked server, is a switch or router at least plugged in to your (eth0)? As I have found that an OS X server with no network connection of any kind is not a friendly beast.

  • Unable to authenticate with diradmin in Workgroup Manager

    This has happened before, and I have no idea how it got fixed - too many independent variables...
    Anyway, I cannot authenticate the OD with diradmin even while using Workgroup Manager directly on the server.
    The setup:
    SLS 10.6.8
    Split-brained DNS
         Both public and private FQDNs are the same (myserver.mydomain.com). External DNS maps the machine record to my static public IP address. Using an AirPort Extreme router, port forwarding the services that I want open to the server. The router provides DHCP via NAT to the local network, with a fixed private IP assigned to the server. The server is running DNS with the same zones, machine records, services and aliases that the public IP DNS has, except mapped to the fixed private IP. DNS checks out with changeip, etc.
         The server is an OD master. Yesterday I exported it, demoted it, and restored it. All services (mail, web, etc.) seem to work fine (although I admit to not using Kerberos on AFP due to another issue).
         I have a wildcard certificate that is generated by GoDaddy (*.<mydomain>.com) which seems to work fine with the hosted websites.
    This is what the password service error log says when I try to log in with diradmin in Workgroup Manager:
    Jan 10 2012 14:01:32    AUTH2: {0x4bbe71ca6b8b45670000000200000002, diradmin} DHX authentication succeeded.
    Jan 10 2012 14:01:32    KERBEROS-LOGIN-CHECK: user {0x4bbe71ca6b8b45670000000200000002, diradmin} is in good standing.
    Jan 10 2012 14:01:32    KERBEROS-LOGIN-CHECK: user {0x4bbe71ca6b8b45670000000200000002, diradmin} authentication succeeded.
    Looks good to me. But I still get the "Information Not Valid for This Server" followed by stuff about invalid login ID or password.
    I did notice in the LDAP log:
    Jan 10 14:13:12 <myserver> slapd[52283]: SASL [conn=18] Failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)
    And at the last bootup in the directory service error log:
    2012-01-10 08:52:03 EST - T[0x00007FFF7027ACC0] - DNSServiceProcessResult returned -65563
    The other thing I notice when I log into the library in Workgroup Manager FROM THE SERVER, even if I use the FQDN <myserver>.<mydomain>.com that Workgroup Manager says (in the title bar of the window) <myserver>.local.
    I have googled the various errors and messages, and I get folks with all sorts of variations ("change the binding options", etc.) none of which either applied or worked.
    Help?

    Continuing on my quest... I found this Technical note from Apple about re-kerberizing:
    http://support.apple.com/kb/HT3655
    Interestingly, in step 3 where it says to remove realm information from kdc.conf, there wasn't any of my realm information. Argh!
    So I completed all of the steps and executed the slapconfig command. This resulted in:
    bash-3.2# slapconfig -kerberize -f --allow_local_realm diradmin <MYREALM>
    diradmin's Password:
    Could not resolve hostname <MYDOMAIN>
    Skipping Kerberos configuration
    Sounds like a dreaded DNS problem. It had been working correctly, but changeip -checkhostname confirmed a problem. Turns out that there were EXTERNAL DNS servers in the Network preferences in System Preferences as well as on the router. With my split-brained DNS this caused problems (thank you again MrHoffman). So I changed them both to my DNS server's INTERNAL IP address and added the external ones to the Forwarder IP Address in DNS. Now changeip -checkhostname returns a favorable result.
    So after rebooting ran the slapconfig command again and got the same result. Argh. Cleared DNS caches. Still nothing.
    So I tried nslookup.
    nslookup <mydomain>
    Server:                    10.0.8.2
    Address:          10.0.8.2#53
    ** server can't find <mydomain>: SERVFAIL
    Where 10.0.8.2 is the fixed INTERNAL IP address.
    However, nslookup on using the fixed IP address yields:
    bash-3.2# nslookup 10.0.8.2
    Server:                    10.0.8.2
    Address:          10.0.8.2#53
    2.8.0.10.in-addr.arpa          name = <mydomain>.
    Scratching head here... changeip -checkhostname works, nslookup on the IP address works, but nslookup on the host name fails.
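The post above ends with forward and reverse lookups that disagree: the address resolves back to a name, but the name itself returns SERVFAIL, which is exactly the condition changeip -checkhostname is built to catch before slapconfig -kerberize will run. The script below is an added example by the editor (not Apple's changeip) of that two-way check. The dig invocations are standard; the canned zone answers, host names and addresses are constructed for the example so it runs offline, and LOOKUP=live switches it to real queries.

```sh
#!/bin/sh
# Forward/reverse agreement check for a server's host name: NAME must resolve to
# ADDR and ADDR must resolve back to NAME. Editor's example, not Apple's changeip.
# Lookups go through dig when LOOKUP=live; by default they use the canned
# split-brain data below so the script runs offline.

LOOKUP=${LOOKUP:-canned}

# Canned "internal view" of a zone, modelled on the thread (constructed data):
# one clean pair, one whose PTR points at a stale name, and an apex name with
# no A record, like the nslookup SERVFAIL in the post.
canned_forward() {
  case "$1" in
    myserver.mydomain.com) echo 10.0.8.2 ;;
    mail.mydomain.com)     echo 10.0.8.9 ;;
  esac
}
canned_reverse() {
  case "$1" in
    10.0.8.2) echo "myserver.mydomain.com." ;;
    10.0.8.9) echo "oldmail.mydomain.com." ;;
  esac
}

forward_lookup() { if [ "$LOOKUP" = live ]; then dig +short "$1" A; else canned_forward "$1"; fi; }
reverse_lookup() { if [ "$LOOKUP" = live ]; then dig +short -x "$1"; else canned_reverse "$1"; fi; }

# check_host NAME ADDR -> ok | no-forward | forward-mismatch | no-reverse | reverse-mismatch
# Exit status is 0 only for "ok".
check_host() {
  name=$1; addr=$2
  fwd=$(forward_lookup "$name")
  [ -n "$fwd" ] || { echo no-forward; return 1; }
  printf '%s\n' "$fwd" | grep -qxF "$addr" || { echo forward-mismatch; return 1; }
  rev=$(reverse_lookup "$addr" | sed 's/\.$//')     # drop the trailing dot of a PTR answer
  [ -n "$rev" ] || { echo no-reverse; return 1; }
  printf '%s\n' "$rev" | grep -qixF "$name" || { echo reverse-mismatch; return 1; }
  echo ok
}

if [ $# -eq 2 ]; then
  check_host "$1" "$2"      # e.g. LOOKUP=live sh check_host.sh myserver.mydomain.com 10.0.8.2
else
  for pair in "myserver.mydomain.com 10.0.8.2" "mail.mydomain.com 10.0.8.9" "mydomain.com 10.0.8.2"; do
    set -- $pair
    printf '%-24s %-10s %s\n' "$1" "$2" "$(check_host "$1" "$2")"
  done
fi
```

Run it with LOOKUP=live and the server's own name and fixed internal address from each resolver the server might use (the one in Network preferences and the one the router hands out); with split-brain DNS every one of them has to answer "ok" or Kerberos setup will keep skipping.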

  • Leopard Clients take a Long Time to Login (roughly 1~2 minutes)

    Hello all,
    I've spent the last few weeks scouring these groups and then net and searching and searching for someone with a similar problem to my own, but have come up pretty much empty handed and so now turn to here to see if any else has had this issue or can at least point me where to look to resolve the problem.
    I've got a clean install of an Xserve running Leopard Server 10.5.2 with OD, AFP services and user home folders configured and fully working.
    The problem:
    A clean install of a Tiger client logs into the server (OD bound) perfectly. It takes maybe 15 seconds tops for the client to log in and show all the AFP mounts and client settings and the user's desktop and files, etc.
    However, a fresh Leopard client install (OD bound) takes roughly 1~2 minutes to do the exact same thing.
    I've gone through any log file I can find on server and client side, checked my DNS running on this xserve, created new users without "home" folders, and searched just about everywhere for an answer to this issue and am still empty handed.
    This is not a show stopper issue, but there is something definitely not normal about what is happening with Leopard client logins.
    I'm trying to explain this as best as I can without making a wall of text, but I'm sure I'll forget something, so please ask questions if you have them.
    Things I'm seeing in the logs during the time of the login happening are:
    Server-side Logs:
    - Kerberos Server Log -
    Apr 14 11:27:39 ns1.mydomain.com krb5kdc[167](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.9.14: ISSUE: authtime 1208190459, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/ns1.mydomain.com@NS1.MYDOMAIN.COM
    Apr 14 11:28:46 ns1.mydomain.com krb5kdc[167](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.1.205: NEEDED_PREAUTH: CRC0002$@NS1.MYDOMAIN.COM for krbtgt/NS1.MYDOMAIN.COM@NS1.MYDOMAIN.COM, Additional pre-authentication required
    - Password Service Server Log -
    Apr 14 2008 11:43:03 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} is in good standing.
    Apr 14 2008 11:43:03 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} authentication succeeded.
    Apr 14 2008 11:43:04 RSAVALIDATE: success.
    Apr 14 2008 11:43:04 AUTH2: {0x47c721234c9608250000000700000007, myusername} DIGEST-MD5 authentication succeeded.
    Apr 14 2008 11:43:04 RSAVALIDATE: success.
    Apr 14 2008 11:43:04 AUTH2: {0x47c721234c9608250000000700000007, myusername} DHX authentication succeeded.
    Apr 14 2008 11:43:04 KERBEROS-LOGIN-CHECK: user {0x47c721234c9608250000000700000007, myusername} is in good standing.
    Apr 14 2008 11:43:04 KERBEROS-LOGIN-CHECK: user {0x47c721234c9608250000000700000007, myusername} authentication succeeded.
    Apr 14 2008 11:43:05 RSAVALIDATE: success.
    Apr 14 2008 11:43:05 AUTH2: {0x47c721234c9608250000000700000007, myusername} DHX authentication succeeded.
    Apr 14 2008 11:43:06 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} is in good standing.
    Apr 14 2008 11:43:06 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} authentication succeeded.
    Apr 14 2008 11:43:06 KERBEROS-LOGIN-CHECK: user {0x47c721234c9608250000000700000007, myusername} is in good standing.
    Apr 14 2008 11:43:06 KERBEROS-LOGIN-CHECK: user {0x47c721234c9608250000000700000007, myusername} authentication succeeded.
    Apr 14 2008 11:45:26 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} is in good standing.
    Apr 14 2008 11:45:26 KERBEROS-LOGIN-CHECK: user {0x47f3ab5903c4b01c0000002a0000002a, CRC0005$} authentication succeeded.
    Client Side Logs:
    - All Messages -
    4/14/08 10:09:12 AM loginwindow[9868] Login Window Started Security Agent
    4/14/08 10:15:01 AM loginwindow[9868] Login Window - Returned from Security Agent
    - Console Messages -
    4/14/08 10:15:03 AM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[9880]) Exited: Terminated
    - SingleSignOnTools.log -
    kdcmond cannot retreive the computer's local Hostname , retrying ..
    Kerberos configuration is up to date
    Kerberos configuration is up to date
    Kerberos configuration is up to date
    Kerberos configuration is up to date
    .. and so on
    All other logs don't appear to show anything of importance in between the time frame of Login window started and login window exited.
    I'd like to know what exactly the client workstation is doing during this time with the server, but it looks like it just hangs and does nothing since nothing shows up in the logs that I can find during this time period where the client hangs. Maybe I can try an Ethereal trace to see what traffic is being sent back and forth during this timeframe. I don't know if this is a configuration issue on my part or a OD / AFP bug on Apple's part since Tiger clients connect perfectly.
    Logouts happen immediately, so no problems there on that end. And everything else with the system is working flawlessly (besides the OD Crashing issue which I'm sure everyone is well aware of right now with 10.5.2).
    Thank you to anyone that can assist in shedding some light on this issue and I apologize if I didn't provide enough information.
    -Jessee
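Jessee's Password Service excerpt above has AUTH2 entries (DIGEST-MD5, DHX) and KERBEROS-LOGIN-CHECK entries for the same user within the same second; Steve's reply below traces that overlap to records carrying two authentication authorities and reports that a clean single sign-on login logs only KERBEROS-LOGIN-CHECK. The script below is an added example by the editor, not something from the thread or from Apple, that runs that detection over log lines in the layout quoted above. The sample lines embedded in it are constructed after the thread's, with made-up user names and slot IDs.

```sh
#!/bin/sh
# Detect "competing authentications" in Apple Password Server log lines: a user
# whose AUTH2 entry (Password Server: DIGEST-MD5, DHX, CRAM-MD5) and
# KERBEROS-LOGIN-CHECK entry carry the same timestamp. Editor's example, not
# Apple's; line layout assumed from the excerpts in the thread:
#   Mon DD YYYY HH:MM:SS TYPE: [user] {0x<slot-id>, <name>} <message>

# flag_mixed_auth < logfile -> "<user>\t<seconds in which both kinds appeared>", sorted
flag_mixed_auth() {
  awk '
    {
      ts = $1 " " $2 " " $3 " " $4                 # "Apr 30 2008 16:22:17"
      kind = $5; sub(/:$/, "", kind)               # AUTH2, KERBEROS-LOGIN-CHECK, RSAVALIDATE, ...
      if (kind != "AUTH2" && kind != "KERBEROS-LOGIN-CHECK") next
      if (!match($0, /[{]0x[0-9a-f]+, [^}]+[}]/)) next
      user = substr($0, RSTART, RLENGTH)           # "{0x..., name}"
      sub(/^[{]0x[0-9a-f]+, /, "", user); sub(/[}]$/, "", user)
      seen[user SUBSEP ts SUBSEP kind] = 1
      slot[user SUBSEP ts] = 1
    }
    END {
      for (k in slot) {
        split(k, f, SUBSEP)
        if ((f[1] SUBSEP f[2] SUBSEP "AUTH2") in seen &&
            (f[1] SUBSEP f[2] SUBSEP "KERBEROS-LOGIN-CHECK") in seen)
          mixed[f[1]]++
      }
      for (u in mixed) printf "%s\t%d\n", u, mixed[u]
    }' | sort
}

# Constructed sample modelled on the thread's excerpts (names and slot IDs made up):
# alice authenticates via Password Server and Kerberos in the same second,
# bob via Kerberos only.
SAMPLE_LOG='Apr 30 2008 16:22:17 RSAVALIDATE: success.
Apr 30 2008 16:22:17 AUTH2: {0x4818c423083a8ddd0000000a0000000a, alice} DIGEST-MD5 authentication succeeded.
Apr 30 2008 16:22:17 RSAVALIDATE: success.
Apr 30 2008 16:22:17 AUTH2: {0x4818c423083a8ddd0000000a0000000a, alice} DHX authentication succeeded.
Apr 30 2008 16:22:17 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, alice} is in good standing.
Apr 30 2008 16:22:17 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, alice} authentication succeeded.
Apr 30 2008 16:22:18 RSAVALIDATE: success.
Apr 30 2008 16:22:18 AUTH2: {0x4818c423083a8ddd0000000a0000000a, alice} DHX authentication succeeded.
May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000b0000000b, bob} is in good standing.
May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000b0000000b, bob} authentication succeeded.'

# Demo: prints "alice<TAB>1"; bob never mixes the two paths and is not listed.
printf '%s\n' "$SAMPLE_LOG" | flag_mixed_auth
```

Feed it the Password Service server log from the server; after the fix Steve describes, remote logins should produce no output at all, while logins through Workgroup Manager on the server itself still legitimately show AUTH2 alone.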

    FOUND IT!!! Well for our install anyway. The culprit was AUTH2.
    In our case computers would (randomly) have the same ..SLOW.. symptoms as your original post described, and the 'Apple Password Server log' on our server showed the same log entries.
    It turned out that Single-Sign-On was being screwed up by two Authentication Authorities as applied in the LDAP (Computer and User) Attributes,
    and showed up in the log as competing authentications from KERBEROS-LOGIN-CHECK and AUTH2. as follows:
    Apr 30 2008 16:22:17 RSAVALIDATE: success.
    Apr 30 2008 16:22:17 AUTH2: {0x4818c423083a8ddd0000000a0000000a, user} DIGEST-MD5 authentication succeeded.
    Apr 30 2008 16:22:17 RSAVALIDATE: success.
    Apr 30 2008 16:22:17 AUTH2: {0x4818c423083a8ddd0000000a0000000a, user} DHX authentication succeeded.
    Apr 30 2008 16:22:17 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} is in good standing.
    Apr 30 2008 16:22:17 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} authentication succeeded.
    Apr 30 2008 16:22:18 RSAVALIDATE: success.
    Apr 30 2008 16:22:18 AUTH2: {0x4818c423083a8ddd0000000a0000000a, user} DHX authentication succeeded.
    Now, all the entries in our log (for remote logins) show:
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} is in good standing.
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} authentication succeeded.
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} is in good standing.
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} authentication succeeded.
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} is in good standing.
    May 2 2008 10:35:39 KERBEROS-LOGIN-CHECK: user {0x4818c423083a8ddd0000000a0000000a, user} authentication succeeded.
    i.e...Single-Sign-On and they're FAST.
    no more AUTH2 entries overlapping with KERBEROS.
    (local Authentications still show AUTH2 when using WGM)
    The solution was pretty straightforward, but only applies if the system is using Single Sign-On with AFP shared home folders and the authentication for AFP is set to Kerberos.
    Delete ;ApplePasswordServer entries from all user/computer combinations that are having problems.
    I actually deleted it from all users and Computers. (Except the Server Computer and Directory Administrator that uses WGM. When I tested these, WGM would not authenticate Diradmin)
    It can be done in the GUI from the inspector tab in WGM
    find the attribute
    dsAttrTypeStandard:AuthenticationAuthority
    click to open
    If there are two entries: ApplePasswordServer and Kerberosv5 then:
    Edit the ApplePasswordServer entry (you can copy the text into an editor and save it for future use if needed; all entries are the same for all computers and users, so you only need one copy, and you can paste it back into a new entry to put it back, if needed, maybe for older systems; mine are all Leopard).
    Now delete, OK, and save the changes.
    After its done, check the logs again to make sure that all remote logons now show
    KERBEROS-LOGIN-CHECK:
    and they should be FAST.
    Hope this helps
    Steve
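Both the password-type error in the first thread ("your own password type must be Open Directory") and Steve's fix above come down to which authorities a record's AuthenticationAuthority attribute carries: a ;ApplePasswordServer; value is what Workgroup Manager calls an Open Directory password, a ;Kerberosv5; value is the Kerberos principal, and Steve's observation that WGM stopped authenticating diradmin once its Password Server entry was removed is the same symptom the first thread reports. The script below is an added example by the editor (not Apple's tooling and not from the thread) that reads the attribute in the layout dscl -read prints and classifies the record, so diradmin can be checked before anything is edited in WGM. The dscl output layout it assumes (attribute name on one line, one indented line per value, or an inline value when it contains no spaces) and the sample records with their slot IDs, keys and host names are the editor's assumptions.

```sh
#!/bin/sh
# Classify an Open Directory record's password type from its AuthenticationAuthority
# attribute as printed by:
#   dscl /LDAPv3/127.0.0.1 -read /Users/<name> AuthenticationAuthority
# Editor's example. Assumed tag meanings: ";ApplePasswordServer;" = Password Server
# (the "Open Directory" password type in WGM), ";Kerberosv5;" = Kerberos principal,
# ";ShadowHash;" = local shadow hash.

# auth_tags RECORD -> the tag of every AuthenticationAuthority value, one per line
auth_tags() {
  printf '%s\n' "$1" | awk '
    function emit(v) { sub(/^;/, "", v); sub(/;.*/, "", v); print v }
    /^[^ ]/ {                                   # "Attr:" or "Attr: value" line
      attr = $0; sub(/:.*/, "", attr)
      rest = ""; i = index($0, ": "); if (i > 0) rest = substr($0, i + 2)
      if (attr == "AuthenticationAuthority" && rest ~ /^;/) emit(rest)
      next
    }
    attr == "AuthenticationAuthority" && /^ +;/ {   # indented value line
      v = $0; sub(/^ +/, "", v); emit(v)
    }'
}

has_tag() { auth_tags "$1" | grep -qx "$2"; }

# password_type RECORD -> od+kerberos | od | kerberos | shadowhash | other
password_type() {
  if has_tag "$1" ApplePasswordServer && has_tag "$1" Kerberosv5; then echo od+kerberos
  elif has_tag "$1" ApplePasswordServer; then echo od
  elif has_tag "$1" Kerberosv5; then echo kerberos
  elif has_tag "$1" ShadowHash; then echo shadowhash
  else echo other; fi
}

# Constructed records in dscl -read layout (slot IDs, key material and hosts made up).
SAMPLE_ADMIN='RecordName: diradmin
AuthenticationAuthority:
 ;ApplePasswordServer;0x4a1f2c3d4e5f60710000000200000002,1024 35 1234567 root@od.example.com:10.0.8.2
 ;Kerberosv5;;diradmin@EXAMPLE.COM;EXAMPLE.COM;1024 35 1234567 root@od.example.com:10.0.8.2'
SAMPLE_USER='RecordName: alice
AuthenticationAuthority:
 ;Kerberosv5;;alice@EXAMPLE.COM;EXAMPLE.COM;1024 35 1234567 root@od.example.com:10.0.8.2'
SAMPLE_LOCAL='RecordName: localadmin
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512>'

# Demo: diradmin keeps both authorities (what WGM needs), alice is Kerberos-only
# after Steve's edit, and a local admin has no Open Directory password at all.
for rec in "$SAMPLE_ADMIN" "$SAMPLE_USER" "$SAMPLE_LOCAL"; do
  name=$(printf '%s\n' "$rec" | awk -F': ' '$1 == "RecordName" { print $2 }')
  printf '%-12s %s\n' "$name" "$(password_type "$rec")"
done
```

An administrator whose record classifies as anything other than od or od+kerberos will hit the "your own password type must be Open Directory" error when setting another user's OD password; a user classified as od+kerberos is the case Steve's procedure trims to Kerberos-only.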

  • Open Directory - Unable to login Workgroup Manager

    I am unable to login to Workgroup Manager with my diradmin account.
    I know the password is correct.
    This is on Mac OS X Lion 10.7.2
    Everything was working fine last night, but then it stopped functioning.  I am able to see all the users, but they are greyed out.  When I try to login, I get "The login information is not valid for this server" 
    The LDAP log shows a bunch of the same errors that it did not show before.
    slapd[76]: SASL Failure: GSSAPI Error: Miscellaneous failure.
    Please advise.  Thank you.
    Samson

    Try logging in to Workgroup Manager using the local admin account not the diradmin account. If this works, then try accessing the /LDAPv3/127.0.0.1 choice using the diradmin account.

  • AFP login via Kerberos from 10.5 clients to 10.4 server broken

    I don't know if this is connected to the problem laid out by William W. Higgins in "Open Directory or LDAP Problem with 10.5 Client and 10.4 Server" (http://discussions.apple.com/thread.jspa?threadID=2163645&tstart=0). The symptoms are... somewhat different, so I'll start a new thread.
    We've got a small office with a bunch of 10.5.8 clients, a couple of 10.6 clients, one lone Windows 2000 client, and a number of remote users. I've had my OS X Server 10.4.11 machine (a PowerMac G5 single 1.8GHz, fwiw) working happily as an OD Master for the past few weeks. It's mostly a file server and a back DNS server for our public web site—we have web service turned on, but it's mostly to allow remote users to download files (or upload via WebDAV). The server has a secondary NIC that's hooked up to the cable modem in the DMZ. Everything else is behind the modem's NAT.
    We've had some things show up on the logs that are making us want to tighten security, both in the LAN and over the internet. We've gone to HTTPS for the web server and are using TLS/SSL for the PureFTPd server. We closed the SMB ports on the external firewall—something we should have done years ago, probably.
    I wanted to switch the AFP service over to Kerberos authentication only. However, when I make that change in Admin Server>AFP>Settings>Access, none of the clients can log on; they get an error reading:
    Connection Failed
    There was an error connecting to the server. Check the server name or IP address and try again.
    If you are unable to resolve the problem, contact your network administrator.
    Then, after you click on OK, you get the following:
    Sorry, the operation could not be completed because an unknown error occurred.
    (Error code -5002)
    That code seems to indicate a Kerberos problem.
    And when I try to log on as a network user from one of the clients, I get this message:
    You are unable to log in to the user account "user" at this time
    Logging in failed because an error occurred.
    Gee, that's helpful!
    Server Admin shows OD and Kerberos as up and running. The Password Service log has the following entry:
    Jan 21 2010 09:18:21 AUTH2: {0x4b4df87638fa1ec80000003400000034, bound-client-machine$} CRAM-MD5 authentication succeeded.
    So the log-on didn't go through Kerberos, for some reason, though it's been working fine that way for weeks.
    I tried using sso_util configure -r KERBEROS.REALM -a diradmin afp to make sure that single sign-on was running for AFP. No change.
    I can use dscl -u username -p localhost read /LDAPv3/Users/username and read the information on the user's home directory.
    I can use /System/Library/CoreServices/Kerberos (or Ticket Agent) to request and receive a ticket. (Side note: does Kerberos really not allow login by secondary short names??? That's a pain! If I add principals for the secondary short names, will it authenticate correctly to the proper account???)
    FTP is working. Web authentication is working. If I turn Kerberos authentication off for AFP, everything else seems to return to normal... but then the passwords are passed as cleartext, which isn't acceptable.
    So... Is this a bug? Is this a conflict with PureFTPd? Am I doing something wrong?
    Message was edited by: David Kudler

    Post-reboot:
    Well, the good news is that the kdc now shows up in the kadmin log as starting up:
    Jan 26 11:43:02 localhost kadmind[98](info): Seeding random number generator
    Jan 26 11:43:03 localhost kadmind[98](info): No dictionary file specified, continuing without one.
    Jan 26 11:43:04 localhost kadmind[98](info): starting
    The lack of dictionary file I believe is a minor error, right?
    The bad news is that a) clients are no longer able to receive tickets (Kerberos Error: Configuration does not specify default realm) and b) clients can't log on at all, not even via the Finder > Go > Connect to Server... command. Not even when you use the static IP address of the server rather than the DNS name.
    DNS still seems to be working. I can get reverse lookup:
    cerberus:~ root# dig -x 10.1.10.2
    ; <<>> DiG 9.3.6-APPLE-P2 <<>> -x 10.1.10.2
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45389
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
    ;; QUESTION SECTION:
    ;2.10.1.10.in-addr.arpa. IN PTR
    ;; ANSWER SECTION:
    2.10.1.10.in-addr.arpa. 3600 IN PTR cerberus.limbo.jcf.org.
    ;; AUTHORITY SECTION:
    10.1.10.in-addr.arpa. 3600 IN NS ns1.jcf.org.
    10.1.10.in-addr.arpa. 3600 IN NS cerberus.limbo.jcf.org.
    10.1.10.in-addr.arpa. 3600 IN NS 10.1.10.1.
    ;; ADDITIONAL SECTION:
    ns1.jcf.org. 86400 IN A 207.58.140.213
    cerberus.limbo.jcf.org. 3600 IN A 10.1.10.2
    ;; Query time: 2 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Jan 26 11:50:51 2010
    ;; MSG SIZE rcvd: 163
    cerberus:~ root# dig cerberus.hades.jcf.org
    ; <<>> DiG 9.3.6-APPLE-P2 <<>> cerberus.hades.jcf.org
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36453
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;cerberus.hades.jcf.org. IN A
    ;; ANSWER SECTION:
    cerberus.hades.jcf.org. 86400 IN A 10.0.1.2
    ;; AUTHORITY SECTION:
    hades.jcf.org. 86400 IN NS cerberus.hades.jcf.org.
    hades.jcf.org. 86400 IN NS 10.1.10.1.
    ;; Query time: 4 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Jan 26 11:51:46 2010
    ;; MSG SIZE rcvd: 93
    cerberus:~ root# changeip -checkhostname
    Primary address = 10.1.10.2
    Current HostName = cerberus.limbo.jcf.org
    DNS HostName = cerberus.limbo.jcf.org
    The names match. There is nothing to change.
    (The DNS also checks out from the clients.)
    But.... fubar.
    When I run kadmin.local listprincs, it lists all of the users and computers I've added, plus a couple that I don't recognize but that seem to be the products of bound computers (the names are along these lines, rather than the actual computer names for the clients: LKDC:SHA1.59B886209B027XXXXXXXXXXXXXXXXXXXXXXXXXXX$@CERBERUS.LIMBO.JCF.ORG). But when I run kadmin.local list_policies *, it just pops down to the next prompt. There don't seem to be any policies defined. That can't be right, can it????
    Further weirdness: I tried rebinding the client that I'm working from (an iMac running 10.6.2), also using the IP address. It goes through the binding process, but no dice—when I try to run System/Library/CoreServices/Kerberos.app, I still can't get a ticket. And the weird bit is, there doesn't seem to be a /Library/Preferences/edu.mit.Kerberos plist file on the client. Well, no wonder the client's Kerberos app can't authenticate the realm—there's no local file in which the data is stored!
    I should note that when I rebooted this morning, I first booted to the backup drive and ran Disk Utility; I repaired permissions—more than once—and repaired the disk directory as well. Perhaps I have confused the **** out of it. Though how the permissions got fouled in the first place is beyond me.
    I have other things to do (as it says in my profile, I'm the local IT guy by default)—though everyone where I work needs this problem solved.
    At this point my options seem to be:
    1.) Back up, demote, promote and reload the OD server.
    2) Reinstall from scratch.
    If anyone has any suggestions in the next hour or so, I'd love to hear them!
    Message was edited by: David Kudler
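Two symptoms on this page point at the same thing to verify first: the split-brain thread's slapd error "GSSAPI Error ... (Key table entry not found)" is the MIT Kerberos message for a principal missing from the keytab, and David's AFP login above falling back to CRAM-MD5 when Kerberos is required is consistent with the AFP service principal being absent too. The script below is an added example by the editor (not Apple's sso_util or klist) that takes a keytab listing on stdin and reports which expected service principals are missing. The listing embedded in it is constructed in MIT `klist -k` layout, but only the service/host@REALM tokens are used, so any listing that prints principals in that form parses the same way; host name, realm and the set of services to expect are arguments you supply.

```sh
#!/bin/sh
# Check a keytab listing for the service principals an OD master's services need.
# Editor's example, not Apple's tooling. Input: the output of `klist -k` (or any
# listing containing service/host@REALM tokens) on stdin.

# keytab_principals < listing -> the service/host@REALM principals, de-duplicated
keytab_principals() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[a-zA-Z_-]+\/[^@ ]+@[^ ]+$/) print $i }' | sort -u
}

# missing_principals HOST REALM SERVICE... < listing
#   prints each SERVICE/HOST@REALM absent from the listing; exit 0 only if none is missing
missing_principals() {
  host=$1; realm=$2; shift 2
  have=$(keytab_principals)
  rc=0
  for svc in "$@"; do
    p="$svc/$host@$realm"
    printf '%s\n' "$have" | grep -qxF "$p" || { echo "$p"; rc=1; }
  done
  return $rc
}

# Constructed listing in MIT klist -k layout: LDAP, host and SMB principals are
# present, the AFP principal (afpserver/) is not, and one entry is duplicated.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/myserver.mydomain.com@MYDOMAIN.COM
   3 host/myserver.mydomain.com@MYDOMAIN.COM
   3 ldap/myserver.mydomain.com@MYDOMAIN.COM
   3 cifs/myserver.mydomain.com@MYDOMAIN.COM'

# Demo: lists afpserver/myserver.mydomain.com@MYDOMAIN.COM as missing.
if printf '%s\n' "$SAMPLE_KEYTAB" | missing_principals myserver.mydomain.com MYDOMAIN.COM ldap afpserver cifs host; then
  echo "all expected service principals present"
else
  echo "missing principals listed above; Kerberos-only logins to those services cannot succeed"
fi
```

On a server, run `klist -k | sh this_script.sh` style checks with the server's FQDN and realm; a missing entry is the case the re-kerberize steps in the split-brain thread (slapconfig -kerberize) exist for, and that rebuild needs the DNS forward/reverse check to pass first.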

  • OS X Server 10.4.11 - OS X Server 10.5.5 - PDC - No Windows login

    Hey there,
    we just upgraded a 10.4.11 Server to 10.5.5. Some little issues occurred afterwards which we were able to solve, but one big problem remained.
    Before upgrading the server, Windows XP Clients and a Windows 2003 Server could use our OD user accounts for a domain login.
    Now the clients prompt that there is no domaincontroller available or the machine account couldn't be found.
    Rejoining the domain works but doesn't solve the problem. The message keeps the same.
    The OS X Server is PDC and OD Master.
    Some relevant information:
    /etc/smb.conf:
    xserve:Users sadmin$ more /etc/smb.conf
    ; Configuration file for the Samba software suite.
    ; ============================================================================
    ; For the format of this file and comprehensive descriptions of all the
    ; configuration option, please refer to the man page for smb.conf(5).
    ; The following configuration should suit most systems for basic usage and
    ; initial testing. It gives all clients access to their home directories and
    ; allows access to all printers specified in /etc/printcap.
    ; BEGIN required configuration
    ; Parameters inside the required configuration block should not be altered.
    ; They may be changed at any time by upgrades or other automated processes.
    ; Site-specific customizations will only be preserved if they are done
    ; outside this block. If you choose to make customizations, it is your
    ; own responsibility to verify that they work correctly with the supported
    ; configuration tools.
    [global]
    debug pid = yes
    log level = 1
    server string = Mac OS X
    printcap name = cups
    printing = cups
    encrypt passwords = yes
    use spnego = yes
    passdb backend = odsam
    idmap domains = default
    idmap config default: default = yes
    idmap config default: backend = odsam
    idmap alloc backend = odsam
    idmap negative cache time = 5
    map to guest = Bad User
    guest account = nobody
    unix charset = UTF-8-MAC
    display charset = UTF-8-MAC
    dos charset = 437
    vfs objects = darwinacl,darwin_streams
    ; Don't become a master browser unless absolutely necessary.
    os level = 2
    domain master = no
    ; For performance reasons, set the transmit buffer size
    ; to the maximum and enable sendfile support.
    max xmit = 131072
    use sendfile = yes
    ; The darwin_streams module gives us named streams support.
    stream support = yes
    ea support = yes
    ; Enable locking coherency with AFP.
    darwin_streams:brlm = yes
    ; Core files are invariably disabled system-wide, but attempting to
    ; dump core will trigger a crash report, so we still want to try.
    enable core files = yes
    ; Configure usershares for use by the synchronize-shares tool.
    usershare max shares = 1000
    usershare path = /var/samba/shares
    usershare owner only = no
    usershare allow guests = yes
    usershare allow full config = yes
    ; Filter inaccessible shares from the browse list.
    com.apple:filter shares by access = yes
    ; Check in with PAM to enforce SACL access policy.
    obey pam restrictions = yes
    ; Don't be trying to enforce ACLs in userspace.
    acl check permissions = no
    ; Make sure that we resolve unqualified names as NetBIOS before DNS.
    name resolve order = lmhosts wins bcast host
    ; Pull in system-wide preference settings. These are managed by
    ; synchronize-preferences tool.
    include = /var/db/smb.conf
    [printers]
    comment = All Printers
    path = /tmp
    printable = yes
    guest ok = no
    create mode = 0700
    writeable = no
    browseable = no
    ; Site-specific parameters can be added below this comment.
    ; END required configuration.
    /var/db/smb.conf:
    xserve:Users sadmin$ more /var/db/smb.conf
    # Configuration options for smbd(8), nmbd(8) and winbindd(8).
    # This file is automatically generated, DO NOT EDIT!
    # Defaults signature: 0cff3e2e008004ba46f9cd36000048ff36880000
    # Preferences signature: e0080ddc1594905ae70000000000574
    # Configuration rules: $Id: rules.cpp 32909 2007-08-17 23:07:40Z jpeach $
    # Server role: PrimaryDomainController
    # Guest access: never
    # NetBIOS browsing: domain master browser
    # Services required: org.samba.smbd org.samba.nmbd
    [global]
    security = USER
    add machine script = /usr/bin/opendirectorypdbconfig -c createcomputeraccount -r %u -n /LDAPv3/127.0.0.1
    add user script = /usr/bin/opendirectorypdbconfig -c createuseraccount -r %u -n /LDAPv3/127.0.0.1
    domain logons = yes
    logon drive = H:
    logon path = \\%N\profiles\%u
    auth methods = odsam
    netbios name = xserve
    workgroup = OUR-WINDOWS-DOMAIN
    dos charset = 437
    server string = xserve
    ntlm auth = yes
    lanman auth = yes
    max smbd processes = 40
    log level = 1
    map to guest = Never
    wins server = 192.168.1.1
    domain master = yes
    preferred master = yes
    os level = 65
    enable disk services = yes
    enable print services = yes
    wins support = no
    [netlogon]
    path = /etc/netlogon
    browseable = no
    write list = @admin
    oplocks = yes
    strict locking = no
    [profiles]
    path = /Users/Profiles
    browseable = no
    read only = no
    oplocks = yes
    strict locking = no
    [homes]
    root preexec = /usr/sbin/inituser %U
    comment = User Home Directories
    browseable = no
    read only = no
    create mode = 0750
    guest ok = no
    com.apple: show admin all volumes = no
    [global]
    Error messages in the smb log:
    [2008/10/23 13:21:18, 0, pid=554] /SourceCache/samba/samba-187.8/samba/source/passdb/pdbodsam.c:odssamgetsampwnam(1571)
    opendirectorysamsearchname gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Computers record for account 'LAZ-IMAC-20-ZOL$'
    [2008/10/23 13:21:18, 0, pid=554] /SourceCache/samba/samba-187.8/samba/source/passdb/pdbodsam.c:odssamgetgrnam(2040)
    odssam_getgrnam gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Groups record for 'LAZ-IMAC-20-ZOL$'!
    [2008/10/23 13:21:18, 0, pid=554] /SourceCache/samba/samba-187.8/samba/source/passdb/pdbodsam.c:odssamgetsampwnam(1571)
    opendirectorysamsearchname gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Computers record for account 'LAZ-IMAC-20-ZOL$'
    kDSStdAuthNewUser was successful for account "laz-imac-20-zol$"
    kDSStdAuthNewUser accountid len(392)"0x49005e2f415db9d900000ece00000600,1024 35 13124479059748188392506410671246240786741935722833957219510989297046381959860008944504249596590147264020481450929886533055945735978363855606054033179354725683165029408229332782950618643350234312676119758402631217135211741939109616183977743676102960518847129627316883777682024663398040345322360723569607627711 1 [email protected]"
    <CFArray 0x129cd0 [0xa06fb174]>{type = mutable-small, count = 1, values = (
    0 : <CFDictionary 0x113180 [0xa06fb174]>{type = mutable, count = 3, capacity = 3, pairs = (
    0 : <CFString 0x129800 [0xa06fb174]>{contents = "dsAttrTypeStandard:RecordName"} = <CFArray 0x129710 [0xa06fb174]>{type = mutable-small, count = 1, values = (
    0 : <CFString 0x128140 [0xa06fb174]>{contents = "passwordserver"}
    1 : <CFString 0x12ca80 [0xa06fb174]>{contents = "dsAttrTypeStandard:PasswordServerLocation"} = <CFArray 0x129100 [0xa06fb174]>{type = mutable-small, count = 1, values = (
    0 : <CFString 0x129f50 [0xa06fb174]>{contents = "192.168.64.55"}
    3 : <CFString 0x10ca00 [0xa06fb174]>{contents = "dsAttrTypeStandard:AppleMetaNodeLocation"} = <CFArray 0x12a450 [0xa06fb174]>{type = mutable-small, count = 1, values = (
    0 : <CFString 0x12b140 [0xa06fb174]>{contents = "/LDAPv3/127.0.0.1"}
    [2008/10/23 13:21:19, 0, pid=554] /SourceCache/samba/samba-187.8/samba/source/passdb/pdbget_set.c:pdb_get_groupsid(211)
    pdbget_groupsid: Failed to find Unix account for laz-imac-20-zol$
    [2008/10/23 13:21:19, 0, pid=554] /SourceCache/samba/samba-187.8/samba/source/passdb/pdbget_set.c:pdb_get_groupsid(211)
    pdbget_groupsid: Failed to find Unix account for laz-imac-20-zol$
    testparm /etc/smb.conf
    Load smb config files from /etc/smb.conf
    Processing section "[netlogon]"
    Processing section "[profiles]"
    Processing section "[homes]"
    Processing section "[printers]"
    Loaded services file OK.
    Server role: ROLEDOMAINPDC
    testparm /var/db/smb.conf
    Load smb config files from /var/db/smb.conf
    Processing section "[netlogon]"
    Processing section "[profiles]"
    Processing section "[homes]"
    Loaded services file OK.
    Server role: ROLEDOMAINPDC
    Is it possible to try the following?
    /usr/bin/opendirectorypdbconfig -c createuseraccount -r %u -n /LDAPv3/127.0.0.1
    create user account(%u)
    no credentials available
    opendirectorypdbconfig error(-14200)
    Or that?
    /usr/bin/opendirectorypdbconfig -c createcomputeraccount -r %u -n /LDAPv3/127.0.0.1
    create computer account(%u)
    no credentials available
    opendirectorypdbconfig error(-14200)
    Or must that lead into those error messages?
    Error message in the nmbd log:
    [2008/10/29 10:20:03, 0, pid=74896] /SourceCache/samba/samba-187.8/samba/source/libsmb/nmblib.c:send_udp(791)
    Packet send failed to 169.254.255.255(138) ERRNO=Host is down
    [2008/10/29 10:20:05, 0, pid=74896] /SourceCache/samba/samba-187.8/samba/source/libsmb/nmblib.c:send_udp(791)
    Packet send failed to 169.254.255.255(138) ERRNO=Host is down
    It would be awesome if some of you guys could help us back into the communication between OS X Server and Windows!
    Thanks a lot!
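    The two smb.conf dumps above have to be read as one file. smbd processes the `include = /var/db/smb.conf` line in place, and a parameter set later overrides one set earlier, so the generated file's `map to guest = Never` is the value actually in effect (not the `Bad User` from /etc/smb.conf), and so are its `lanman auth = yes` and `ntlm auth = yes`. The script below is an added example, not code from the original post or from Apple or the Samba project. It parses a constructed pair of files abridged from the dumps, resolves the include with smbd's last-value-wins semantics, and reports the authentication settings a reviewer would flag. It only judges parameters that are set explicitly, because Samba's defaults for these have changed across releases.

```python
"""Audit a Samba smb.conf for weak authentication settings (added example)."""
import re
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, str]]  # section -> {normalised parameter -> value}

# Constructed sample "filesystem", abridged from the two dumps in the thread:
# path -> contents. For real files, load them with open(path).read() instead.
SAMPLE_FILES: Dict[str, str] = {
    "/etc/smb.conf": """
; BEGIN required configuration
[global]
encrypt passwords = yes
map to guest = Bad User
guest account = nobody
usershare allow guests = yes
include = /var/db/smb.conf
[printers]
path = /tmp
guest ok = no
""",
    "/var/db/smb.conf": """
# This file is automatically generated, DO NOT EDIT!
[global]
security = USER
ntlm auth = yes
lanman auth = yes
map to guest = Never
[homes]
guest ok = no
""",
}


def _norm(name: str) -> str:
    """smbd matches parameter names ignoring case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def _parse_into(path: str, files: Dict[str, str], cfg: Config, section: str) -> str:
    """Parse one file into cfg; return the section in effect when it ends."""
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            cfg.setdefault(section, {})
            continue
        if "=" not in line:
            continue  # smbd warns about such lines; ignored here
        key, value = (part.strip() for part in line.split("=", 1))
        key = _norm(key)
        if key == "include":
            # Processed in place: the included file's assignments override
            # earlier ones, and parsing resumes in whatever section it ended
            # in. (%-substitutions in the include path are not expanded here.)
            section = _parse_into(value, files, cfg, section)
            continue
        cfg.setdefault(section, {})[key] = value
    return section


def parse_smb_conf(path: str, files: Dict[str, str]) -> Config:
    """Effective configuration with includes resolved; the last value wins."""
    cfg: Config = {}
    _parse_into(path, files, cfg, "global")
    return cfg


def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit(cfg: Config) -> List[Tuple[str, str]]:
    """Flag weak authentication settings among explicitly set values.
    Unset parameters are not judged; `testparm -v` shows the live defaults."""
    g = cfg.get("global", {})
    findings: List[Tuple[str, str]] = []
    if _is_yes(g.get("lanmanauth", "no")):
        findings.append(("lanman auth", "LM hashes accepted; trivially cracked offline"))
    if _is_yes(g.get("ntlmauth", "no")):
        findings.append(("ntlm auth", "NTLMv1 accepted; NTLMv2-only is the safer setting"))
    if not _is_yes(g.get("encryptpasswords", "yes")):
        findings.append(("encrypt passwords", "cleartext SMB passwords allowed"))
    map_to_guest = g.get("maptoguest", "Never")
    if map_to_guest.lower() != "never":
        findings.append(("map to guest", f"unknown users mapped to guest ({map_to_guest})"))
    if _is_yes(g.get("usershareallowguests", "no")):
        findings.append(("usershare allow guests", "user-created shares may permit guest access"))
    for name, params in cfg.items():
        if name != "global" and _is_yes(params.get("guestok", "no")):
            findings.append((f"[{name}] guest ok", "share allows unauthenticated access"))
    return findings


if __name__ == "__main__":
    effective = parse_smb_conf("/etc/smb.conf", SAMPLE_FILES)
    print("effective map to guest:", effective["global"]["maptoguest"])
    for param, why in audit(effective):
        print(f"WEAK  {param:<24} {why}")
```

    On the sample the audit reports `lanman auth`, `ntlm auth` and `usershare allow guests`, and nothing for `map to guest`, which is the point of resolving the include first. The generated file's header says not to edit it by hand, and the /etc/smb.conf comments say it is managed by the synchronize-preferences tool, so any change to those two auth settings on this kind of server belongs in the management tooling, not in the file.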

    I had some issues when I initially setup Windows Services on our 10.4 server.
    Some things that may help:
    1) Check the WINS server box in Server Admin. Make sure your Windows clients have the IP address on your WINS server in their TCP/IP configuration
    2) Reset your SID on the server. More info @ http://www.radiotope.com/node/61
    3) If the diradmin password has changed, you will have to demote the PDC and recreate it to get the link between OD and samba working again, unless Apple fixed that in Leopard. Of course, you'll have to add all your machines back to the domain after this.
    I'm looking at a problem now where just one machine cannot download a roaming profile after I had to restore OD from archive. I'm thinking it is a problem with the SID, but so far, no love...
    -Jon
    Jon Auman
    Systems Administrator
    National Evolutionary Synthesis Center
    Duke University
    http:www.nescent.org
    ------------------------------------------------------

  • Xserver Will not allow me to login As Admin or Root locally

    Hi all,
    I am a regular reader of this wonderful forum but tend to shy away from discussions as I think a lot of you out there are a lot more Unix knowledgeable than I. I tend to do as much as I can in the GUI only.
    After working on many cust. Xservers.
    I have recently decided to upgrade our own little office Xserver from a PM G4 to a Mac Mini Intel running 10.4.10 Xserver.
    We use this machine as our live lab learning unit to ensure we don't stuff up our client
    I normally follow the usual method of setup for a small office Xserver to be used for Web, Mail & File services:-
    1. I install OS X Server - no services running
    2. Then update to 10.4.10, latest updates etc.
    3. Configured DNS correctly for the registered domain & tested fwd & rev lookup working OK.
    4. Setup DHCP OK. Tested DNS working OK from a DHCP-bound client.
    5. Promoted server to Open Directory Master OK. Kerberos running OK.
    6. In this instance I restored the Open Directory master from a previous working 10.4.10 Xserve PM G4 Open Dir Archive, restarted server.
    Now it gets to the login screen but the login screen is frozen for about 10-15 minutes & won't let me type anything in.
    Logged back in as admin, get the spinning wheel of death indefinitely.
    Force Restart the Xserver
    Wait 10-15minutes
    Login as root.
    Noticed kerberos not running anymore.
    Demote to standalone then back to Open directory master but problem still occurs after every restart.
    Can any one please tell me what I have done incorrectly & how to fix without reinstalling from scratch?
    Thank you
    Macbook   Mac OS X (10.4.10)  

    Hi Tony,
    I tried without network cable before posting, this did not help. Also tried on test network router.
    However. I think I have fixed part of the problem.
    I deselected the Enable SSL in the SA OD LDAP protocol area (not sure why this was on or whether it is the default setting when you promote to OD master).
    Restarted the server.
    It now boots quickly & allows me to log in OK.
    I then Reset all the LDAP users passwords for OD OK in WGM. Just to make sure.
    Restarted the server. Tested All services OK. Ie. Web, Mail, AFP etc.
    Wa Hoo!
    Came back to add additional user in WGM & now get error:-
    "Error of type eDSAuthFailed (-14090) on line 1922 of /SourceCache/ServerManagerUserGeneral/ServerManagerUserGeneral-193.3.2/"
    Doh! One step fwd three back.
    I do have familiarity with Terminal but tend to avoid using it to try & keep the server as close to Apple out of the box STD as possible to avoid headaches when they update their software.
    All services are still running in OD.
    In regards to your Questions.
    Yes. Kerberos realm automatically appeared when I promoted to OD master. As I understand it this tells you your DNS is functioning correctly.
    Yes. The diradmin user appears in WGM under ldap.
    Yes It is the only server on network.
    I normally setup a server on a lab test router /ADSL setup away from anything else to ensure I am not chasing my tail when configuring a new setup.
    PS I am slowly getting better at the terminal but because I don't use it that often I keep forgetting the cmds. This is what happens when you run Macs. They hardly ever screw up.
    Hoping you can help with the above error as I would really like to learn to repair these issues instead of reinstalling every time I screw up.
    Thank you for your help
    Charles

  • The login information is not valid for this server

    Hello,
    I've recently set up Open Directory for 30 Macs running 10.5 and 10.6.
    It works sort of fine.
    Having a few errors with mobility though, that's for another thread.
    My problem is that the first time I set up OD, the next day while logging into WGM I had an error and couldn't log in with the directory administrator username.
    I've tried the following to resolve it:
    tried resetting the password according to an Apple support document
    disabled SSL (advice on some non-Apple forum)
    rebooted the server
    tried logging in locally from the server itself
    checked that LDAP authentication is the first to be checked while authenticating with the server.
    None of the above worked, so I had to wipe my OD, by choosing standalone from Server Admin, and then doing it all over again.
    Today, and for the second time, I had the same issue.
    I've managed to take screenshots of the errors I'm receiving. You can find them attached.
    The below errors are ones which appeared while I had my WGM already authenticated and tried to work on it:
    I appreciate any help with this matter.
    Thanks,

    To be sure, the server field says your server "name"
    you are trying to log in as diradmin
    and you are using your password from when you set up the server? This password is also the same local admin password that you setup.

  • Can't login to ML server network user from a client

    Hi,
    The computer name on my customer's ML server was changed post OD installation. Now I can't login with network user credentials from a MacBook.
    I also see the old server/hostname displayed in workgroup manager under "location" (see attached).
    I've tried destroying OD by deleting it in Server app then re-adding it again but it still shows the old name in WGM as shown in the screenshot above.
    I suspect this is related to authentication problems. Should I be running a utility like changeDirData.pl to update the old values? If so, what is the syntax?
    Old name was: server1.stmarys.lan
    New name is: server1.local
    I ran the following: sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/changeDirData.pl -i -s 192.168.2.2 -u diradmin -o server1.stmarys.lan -n server1.local
    But got an error: cant contact ldap server to get config info

    After contacting Apple server support, I was told there were two issues:
    1- ".local" cannot be used in a hostname due to conflict with Bonjour
    2- Hostnames must have three parts like "server.company.lan" & "server.lan" cannot be used
    I wish Apple would inform users with a pop-up about these rules before they waste a lot of time having to re-do everything from scratch. I was lucky enough to have an export of all users.
    If these rules are followed from the beginning, DNS would auto-configure itself with the appropriate forward & reverse records.

  • Leopard (10.5.5) client not login on Tiger (10.4.11) Server

    Subj.
    New iMac with 10.5.5 does not log in on the server. Just the message:
    "You are unable to log in to the user account "name" at this time.
    Logging in to the account failed because an error occurred."
    On this iMac I can log on as a local user or diradmin. But after login as diradmin I see this message:
    "The home folder for user "diradmin" is not located in the usual place or cannot be accessed.
    The home or User folder may have been moved or deleted. If the home folder is located on the network, the server may be unavailable temporarily. If you continue to have problems, see your system administrator."
    Home folder for users created on Mac OS X Server:
    afp://serverIP/Users
    Path:
    username
    Home:
    /Volumes/Users/username
    WT??
    Tiger clients log in properly.
    I've searched the whole forum and not found an answer..
    Please, help me or point me on related topic!

    John-
    Just realized I didn't answer your question.
    For the /Users directory, I have no ACLs set.
    However, for an individual user directory, I did the following:
    - select the user directory in the left pane under Share Points
    - click the Users/Groups button (bottom center of WGM window) to expose a slide-out window containing available users.
    - dragged the owner of the user directory to the ACL window
    - set "Allow" and "Full Control" permissions for that user
    - then propagated the permissions (drop-down from the little gear in the bottom right corner).
    I now have no issues logging in from Leopard clients. Hopefully this is helpful and more completely answers your question.

  • Unable to authenticate as diradmin in WGM

    Just installed the security Update 2011-002 for OS 10.6.7 Server. After the reboot I was able to login as diradmin into WGM but all settings were grayed out. I could not authenticate to /LDAPv3/127.0.0.1 any longer, using the lock in the top right corner.
    /var/log/slapd.log showed a massive amount of errors like these after the update:
    Failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)
    /Library/Logs/PasswordService/ApplePasswordServer.Error.log showed the following:
    Registration is finished error: (10, -72000).
    Not sure if this is related to the update, but turning off and on SSL as suggested by user "xjrguy" in this past discussion worked for me:
    https://discussions.apple.com/message/10553322?messageID=10553322
    Mind however, that this procedure has to be carried out after every update. Does anyone have a permanent "cure" for this issue?

  • Diradmin Password Failures

    Since 10.5.x, the diradmin user has been wonky. In WGM it sometimes fails to allow me to login. Logging in, it turns out, is quite useful. I like being able to edit all the nice accounts on my system.
    Now that I'm running 10.6.3, the diradmin user is unable to authenticate using WGM at all. I'm sure I've got the password right. It just refuses to cooperate. Here are the methods for reset I've tried thus far:
    passwd - No success.
    mkpassdb - This slot-ID nonsense didn't help at all. Although I did notice that the slot-ID was almost entirely a bunch of zeros.
    dscl - Well, I would try this, but I'm unclear what the complete path is for the diradmin user so that I can actually use this.
    Of course, it could be that it's not a password problem at all. Open Directory has the following checkboxes checked in its settings:
    -Enable authenticated directory binding
    -Disable clear text passwords
    -Encrypt all packets
    There something I'm missing here?

    I don't know if this helps:
    http://serverfault.com/questions/56830/what-commands-will-change-open-directory-passwords
    "apropos password gives me these interesting results:
    kpasswd(1) - change a user's Kerberos password
    ldappasswd(1) - change the password of an LDAP entry
    lppasswd(1) - add, change, or delete digest passwords
    passwd(1) - modify a user's password
    pwpolicy(8) - gets and sets password policies
    saslpasswd2(8) - set a user's sasl password
    slappasswd(8) - OpenLDAP password utility"
    What does logs say when you try to login using diradmin/root in OD?

  • It hangs when I login DB

    It has no response when I try to log in to the database. I cancel the login since I don't have any choice.
    SQL> connect apps/apps
    ^CERROR:
    ORA-00604: error occurred at recursive SQL level 1
    ORA-01013: user requested cancel of current operation
    But it is ok if I login as dba role like"/ as sysdba"
    Please advise,
    Amy

    When did it last work for application users?
    What changed?
    Identify the faulty trigger & either fix or DROP it.
    SQL> desc dba_objects
    Name                 Null?    Type
    OWNER                         VARCHAR2(30)
    OBJECT_NAME                   VARCHAR2(128)
    SUBOBJECT_NAME                VARCHAR2(30)
    OBJECT_ID                     NUMBER
    DATA_OBJECT_ID                NUMBER
    OBJECT_TYPE                   VARCHAR2(19)
    CREATED                       DATE
    LAST_DDL_TIME                 DATE
    TIMESTAMP                     VARCHAR2(19)
    STATUS                        VARCHAR2(7)
    TEMPORARY                     VARCHAR2(1)
    GENERATED                     VARCHAR2(1)
    SECONDARY                     VARCHAR2(1)
    SELECT .... WHERE OBJECT_TYPE = 'TRIGGER' ....
