Can't login to open directory accounts unless using server machine
I cannot login to any network accounts from my macbook on my local network i have tried bindind the machine to the open directory with local ip, local address and domain and all appear to be working but i cant login to any of the accounts although the passwords are correct.
Hi Salda,
I'm currently experiencing a similar problem to yours.
My situation is that I have just created a new user account which is part of our media users group.
This group is in the list of allowed users for our mac pro client host, but when I attempt to login using their credentials I get the same error you had, namely that their home directory is located on a afp or smb server (which is of course the case).
I hope you can tell me a resolution that doesn't require a re-installation of the OS.
Thanks for your help.
Rich
Similar Messages
-
Some Open Directory accounts will not log in
At the school where I work, the Open Directory master is running 10.6.8 Server and the clients are running 10.7.4. I am preparing images to update all the clients to 10.8.3, and I've run into a curious issue.
In our setup, we have a single Open Directory account for each classroom. They are set up for simultaneous login, and their home folders are created in /Users rather than on a network share. We have 20 or so unique room accounts, and the text boxes I'm working with now can log into almost all of them. However, there are a few that simply refuse.
When I attempt to log into one of those accounts, the login window immediately shakes as if I've put in the wrong password. However, I've confirmed that the password is correct. I've also checked through the settings of those accounts to make sure they're in line with all the rest of them. I know that they work because our lab Macs, which are currently running 10.7.4 are able to log into them just fine.
I've tried unbinding and rebinding the clients to the OD server, as well as manually creating a home folder in /Users, neither of which works. I have found a little bit of voodoo that seems to work sometimes. I have to bind to the OD server, then check "Allow Network Users at Login Window", then select "Only These Users", then add all of the available network users to the list. Then, I delete them all, restart the computer, and sometimes that works. Not always though.
Has anybody run into this before?As far as I can tell, the server isn't logging much with regard to the passwords being refused. I have tried attempting to log in to the accounts that don't work and then checking the Open Directory logs within Server Admin, but I don't see anything either relating to that user or with a timestamp that's close to the time to log in.
On the client side, the log entry I see that relates to that user trying to log in is:
5/30/13 10:03:28.001 AM SecurityAgent[147]: User info context values set for r364epson
Which log in the Server Admin app would errors like this be likely to be logged in? -
Help needed to log into an Open Directory account which has the same username as the local account
Hello,
I have successfully setup a Mac OS X Lion Server and it is an Open Directory Master. On the server Ihave created an account with the name 'Connor'. I have numerous Macs (allrunning OS X 10.7 Lion) connected to this server but on one of the Macs thereis a local account with the name 'Connor' too (the local and networked accountshave different passwords). I want to log into the Open Directory account onthat mac. So, I have done an authenticated bind to the server, but when I go tolog in the password box shakes. I think the computer thinks I am trying to loginto the local account and not the Open Directory account. On Windows, I canlog into either the local accounts or the networked accounts by typing\LOCAL-COMPUTER-NAME\Connor. So, I was wondering if there was a similar commandto do this on Mac.
I don't think I haveworded this very well, so if someone doesn't understand please ask me somequestion about the problem and I will try and explain it better.
Any help would be greatlyappreciated,
ConnorMaybe I didn't make myself clear. I have used directory utility to do an authenticated bind to my server. I also have no problem logging into other accounts in the Open Directory. But, I just can't log into the account which has the same name both in the Open Directory and locally.
Was there something I missed in Directory Utility? Could you please help me if this is so.
Thanks for replying so quickly -
I can not login to a certain account due to an error stating cookie not enabled, however my 3rd party cookies are enabled. How do I correct this?
COOKIE_DOMAIN=.hackers
I think this is the problem. .hackers is no valid cookie domain. You have to use something like:
.xy.ab
(two points)
I fear it is not possible to correct this easiely. First change the hostname to something allowed e.g. hackers.com
Then open an ldap browser and edit ou=iplanetamplatformservice,ou=services,dc=hackers
There is an entry with an xml. Copy the xml to an editor, search for .hackers, change it to a valid domainname.
Im not sure if a restart of the webserver is necessary here.
Another idea: You could also try to set the cookie domain to solnce.hackers, maybe this is accepted, even if it is not a cookie domain. But I dont know if this works...
hth
Chris -
Possible to convert ordinary accounts to Open Directory accounts?
This might be a naive question. But I need to set up accounts for users on this Mac Pro configured with Leopard Server and they may need to be Open Directory accounts, i.e. we may decide to create portable accounts for the whole cluster and have them hosted on this server. I won't know for sure until we have fully discussed the intended uses of the machine, which could take some time. So I am wondering if I can just give users ordinary accounts using System Preferences and then convert them at a later date to Open Directory accounts. I tried to do this with the first account I created for myself on the system and found that the name spaces of the two kinds of accounts conflict, and it's especially hard/dangerous to change a short name (is this really true??)
It would be confusing for users and a headache for me if everyone has two distinct and unrelated accounts. Thanks in advance for any help.Hi Liz
+I do get a warning if I launch Server Preferences: it says "Server Preferences can't be used with advanced configurations of Mac OS X Server." Doesn't that confirm that I chose Advanced?+
I guess it does?
I'm thinking you might be getting System Preferences and Server Preferences confused? Your original post was about converting ordinary accounts to Open Directory ones? Provided you've configured the Server as an Open Directory Master with all that that entails then you can install a clean OS on your clients. Provided the DHCP Server is handing out the correct information then after the OS has been installed and at the point the Setup Assistant asks you to create the initial account you should be given a choice to either create one locally or use one that is from Open Directory. If you choose the latter option then a generic local admin account gets created anyway. This is how its supposed to work. However you could forego all of this and simply create a secure local admin account. Join the client to the ODM using the well established method. The same result is achieved.
If you had chosen Standard instead of Advanced a lot of the auto-discovery bit comes into play. To be honest I don't really know although judging by the documentation and what some have posted here this is what happens.
You might find this useful?
http://discussions.apple.com/message.jspa?messageID=8940512#8940512
Tony -
Scripts for adding/deleting/modifying Open Directory accounts?
I think I have searched high and low for an answer to this question, but if I missed it please point me in the right direction. Where can I find information on scripts for adding/deleting/modifying open directory accounts? At the very least, a command line utility with some syntax guidelines! Any help would be greatly appreciated.
Hi
I personally don't know if any scripts although you can use the command line to do pretty much anything you want with the Open Directory. Consult the manual: man dscl. If you launch terminal and issue dscl you should see something like this:
my-Laptop:~ me$ dscl
dscl (v20.4)
usage: dscl [options] [<datasource> [<command>]]
datasource:
localhost (default) or
<hostname> (requires DS proxy support, >= DS-158) or
<nodename> (Directory Service style node name) or
<domainname> (NetInfo style domain name)
options:
-u <user> authenticate as user (required when using DS Proxy)
-P <password> authentication password
-p prompt for password
-raw don't strip off prefix from DS constants
-url print record attribute values in URL-style encoding
-q quiet - no interactive prompt
commands:
-read <path> [<key>...]
-create <record path> [<key> [<val>...]]
-delete <path> [<key> [<val>...]]
-list <path> [<key>]
-append <record path> <key> <val>...
-merge <record path> <key> <val>...
-change <record path> <key> <old value> <new value>
-changei <record path> <key> <value index> <new value>
-search <path> <key> <val>
-auth [<user> [<password>]]
-authonly [<user> [<password>]]
-passwd <user path> [<new password> | <old password> <new password>]
Entering interactive mode...
The above is for 10.4 and should server equally as well for 10.5.
Hope this helps, Tony -
If i create a new alias in my iCloud account, and forgot the password and I can´t actually have open the account in any of the devices, how can I recover my password?
Welcome to the Apple Community.
iForgot.com -
Can't turn on open directory in the server app
hi, i can't turn on open directory in the server app, I am running the new version of Mavericks (10.9.2)
please help meIf DNS services aren't properly configured and operating correctly, then various other parts of the OS X Server environment tends to be somewhere between flaky and unstable.
To verify DNS is working correctly, launch Terminal.app from Applications > Utilities and issue the following harmless diagnostic command:
sudo changeip -checkhostname
You'll need to enter an administrative password for the sudo, might see a one-time message about the use of sudo, then see some configuration information, and then an indication that no changes are required, or that there are issues with the network or with local DNS services. This tool will spot most local DNS and network errors, but will not spot an erronous configuration using the .local top-level domain; don't do that.
If you do not have another DNS server on your local network — the screen shot shows DNS isn't running locally, but it's possible there's another DNS server in use. If you do not have a local DNS server (and you're on a NAT'd network) here's how to set up DNS on a NAT'd network — DNS is essential for proper operations of OS X Server, and on a private NAT'd network, that's only possible with your own DNS services. You cannot successfully reference off-network DNS servers here (not the DNS servers at your ISP, nor at Google, and not via a low-end firewall that might have a DNS resolver, etc), as these off-NAT'd network DNS servers do not return the necessary IP-address-to-domain-name translations necessary for your hosts. These name-to-address and address-to-name DNS translations are part of distributed authentication and network encryption. -
Open directory crashed after a Time Machine restore
Hi,
My name is Benoît and I own a PowerMac G5 on which Mac OSX 10.5.6 Leopard server is running since 1,5 years. Last friday, the main hard drive crashed and I had to restore the whole disk using Time Machine (the last complet backup was 3 days old).
After the restore, all the services were up and running except the Open Directory which says LDAP server, password server and Kerberos server are down. The error log file says:
2008-06-19 17:08:19 CEST - T[0xF0103000] - Attempt #1 to initialize plug-in PasswordServer failed.
Will retry initialization at most 100 times every 1 second.
2008-07-02 15:41:06 CEST - T[0xA0B95074] - Improper shutdown detected
2008-07-02 15:48:25 CEST - T[0xA0B95074] - Improper shutdown detected
2008-07-02 15:56:42 CEST - T[0xA0B95074] - Improper shutdown detected
2008-07-02 16:47:36 CEST - T[0xA0B95074] - Improper shutdown detected
2008-07-24 09:44:56 CEST - T[0xA0B95074] - Improper shutdown detected
2008-09-30 16:51:48 CEST - T[0xA0AF9074] - Improper shutdown detected
2008-12-26 17:32:11 CET - T[0xA03E3074] - Improper shutdown detected
2009-02-27 15:57:33 CET - T[0xA01AE830] - Improper shutdown detected
2009-03-28 13:11:20 CET - T[0xA01AE830] - Improper shutdown detected
2009-03-28 14:00:16 CET - T[0xF0103000] - dsDoReleaseContinueData - PID 0 error -14071 while checking if reference <16787390> is a node
2009-04-19 17:03:40 CEST - T[0x00A16830] - Improper shutdown detected
2009-04-19 17:12:19 CEST - T[0xA01F3830] - Improper shutdown detected
2009-04-19 17:18:34 CEST - T[0xA01F3830] - Improper shutdown detected
I tried to repair the authorisations on the disk and start again the computer with no effect. Oh, for the record, the PowerMac G5 acts as a standalone Open Directory server.
I don't know what to do so if someone can help me, that would be great!
Thanks a lot,
Ben.How did you do the "restore?" Did you restore the library from the pictures folder?
Barry -
How can we access the file/directory system in the server
Hi friends,
I have made a text editor attached with an audio player for my project.
Both text editor and audio player are implemented in applet and put in to a
jsp page using jsp:plugin. Text editor and player are separate applets running
in the same page and from same server.A client who is using this editor may
want to save the edited text files to the server as well as hear audio files from
directories in the server.
My question is how can we access the file/directory system in the server
like we do in the local machine.When the user cliks save or openfromserver button
in the editor, folder/files in the server must be displayed as we do with FileChooser.
I am using Apache Tomcat 5,wiindows 2000 server, jdk1.5.
manuYou can't access it directly. But your applet can make net connections to the server, and the server can provide that kind of functionality. Generally this is easiest by making HTTP connections and having the server provide the functionality via the web server. (So in your case, JSPs or servlets on the server would list/deliver/create/modify/delete files, and the applets would invoke those JSPs and servlets.
-
Can i get in my itunes account without using my ipod as it is broken
can i get in my itunes account without using my ipod as it is broken
You can re-download music from the store using iTunes on your computer. Music from other sources should already be on your computer in the iTunes library.
As for photos, you will have to restore the last backup you made to another iOS device to get back what was in the camera roll. -
Can't back up MBA on Time Capsule using Time Machine Via Wifi
Hi,
I can't back up MBA on time capsule using Time Machine via wifi. I bought the time capsule new Dec 2014. I was able to backup for the 1st 3 days. In less than a week time, a message came up every time I tried to back up: "Time Machine couldn’t complete the backup to AirPort Time Capsule. The backup disk could not be found. Make sure the backup disk is connected or select a different backup disk". So, there's been no backup at all for almost 3 weeks. Wifi connectivity under Airport Utility is fine. Green light on the time capsule is on etc.
Please kindly advice what is going on with this time capsule wifi backup. Do I have to connect the time capsule with MBA with a physical cable to perform this job?
Many thanks in advance,
On KiThe warranty entitles you to complimentary phone support for the first 90 days of ownership.
-
Can I restore to Snow Leopard from Lion using time machine?
Can I restore to Snow Leopard from Lion using time machine? I did not make a new partition on my external HD. My reason for doing this is to import data from Quicken 2007 to Quicken Essentials and then upgrade back to Lion. Can I restart and hold down the "OPTION" key upon start up that will take me to Apple Recovery HD and recover from time machine? I'm a noob at these sort of things. I appreciate your comments and suggestions.
Probably not. See Kappy's going back to SL from Lion guide.
-
Cannot login with Active Directory Account
Hello,
I am testing SnowLeopard (10.6.1) for deployment in my labs for the Spring 2010 semester. We use local home directories. This is a brand new fresh install of SL, on a freshly formatted Hard Drive.
When bound to Active Directory I can get any AD account that I've tested (5 different accounts) to authenticate except one, which happens to be my own personal AD account.
The secure.log shows these entries when I attempt to login:
Oct 9 14:18:29 mac-0017f20fc40 SecurityAgent[209]: User info context values set for ctarbox
Oct 9 14:18:29 mac-0017f20fc40 authorizationhost[208]: Failed to authenticate user <ctarbox> (tDirStatus: -14090).
Considering that I could log in with other accounts, and after resetting my AD password then still not being able to authenticate, I came to the conclusion that I had a corrupt OU in Active Directory.
I contacted one of our AD admins and had him delete both of my AD accounts: ctarbox and ctarbox1 then recreate both accounts. I still cannot login to AD with my ctarbox account.
I can still login to my current lab machines anywhere on campus running 10.5.8 with ctarbox.
I am baffled by this. I have been authenticating to Active Directory since 10.1 and have never seen anything like this.
Any idea, anyone?
Cheryl Tarbox
Macintosh Support Specialist
Binghamton UniversityI have found the solution to my problem. I have accounts in two different domains in our AD tree. I'll called these domains Domain A and Domain B.
Domain A is the primary domain for authentication to our public computing labs.
Domain B is a secondary domain for authentication to shared resources for faculty/staff.
Both accounts have the same user ID, but different passwords. In my Directory Utility>Advanced>Administrative window I have the option "Allow authentication from any domain in the forest' checked.
With this option checked Directory Utility in 10.6.1 will allow me to authenticate Domain B, but not Domain A.
With this option checked in Directory Utility in 10.5.8 just the opposite is taking place, I can authenticate to Domain A, but not Domain B.
It seems that somewhere in the upgrade to 10.6.1 the search policy for Active Directory has changed. My workaround is to uncheck this option and specifically choose Domain A in the search policy. -
New open directory account doesn't create mail account
Hi All
I have a Mac Mini with lion server, Fresh out of the box i messed with it a few times to learn and then i did a clean (internet) install and started with the settings i wanted (hostname, etc) with no mistakes. (It seems Lion doesn't like applhying most changes)
When i set it up i created one local admin user that won't be in the open directory.
Anyway, I've set up the following :
* Address Book
* File Sharing
* iCal
* Mail
* Profile Manager
* and VPN
The first open directory user i added was myself and that user managed to get assigned an email account.
Susiquent users i've added have not been registered with the mail subsystem.
I've checked this using the "Server Admin" additional download management tool. (Mail service on the left, Maintenance up the top and then accounts uder that)
There is only one mail account and thats the first one i've added.
I havn't played with the settings so other than switching things on it should "just work" but it doesn't.
I've prevously setup vmail servers using mysql to store the accounts with postfix and courioer imap but that was in some ways simpler as nothing was under the covers. I havn't dug too much into the dovecot config files, etc as i believe there is an all knowing server configuration engine at work here that isn't doing its job (which i havn't dug into)
Has anyone had this issue of the mail accounts not being created?
Or can anyone point me to a fix?It seems to have something to do with profile manager.
I get stack traces in the "system messages" logs for the "Server" application, grrrr.
I'll get that info and attempt to submit a but report tonight.
Maybe you are looking for
-
4 iDevices, 2 iTunes accounts, 1 Mac, 1 CD collection. (& backups!)
Hi I appreciate there are a lot of these questions asked; I've been reading a lot on here and in general but am struggling to see the wood for the trees! Apologies for such a laboured description; wanted to provide as much info as possible to get acc
-
My signal downstairs is pretty weak even though I can see it as part of my WDS, I have access to a hard wired internet connection downstairs should I plug in my secondary airport extreme direct to improve my wireless downstairs?
-
Do Applescript / Automator work with Final Cut Express?
Hey list, I'm a nubie in all things Applescript / Automator related. Does Final Cut Express support commands from these? For example, can I tell it to go pick up a batch of photos I created, put them in a seqeunce, and export them as an MOV? If so, i
-
I need a suggestion on a Photo Editor APP, that will allow me to write captions on the photos... Any suggestions?
-
I'm using a session bean ProcessBean and an entity bean AlarmBean.... where one of functions processor() of ProcessDataBean is like...... processor() println(.a..); println(..b.); correlate(); println(.c..); And correlator() is like:- correlator() pr