IChat Server - Open Directory trouble

Hello All!
I have exactly the same problem as stated in this thread: http://discussions.apple.com/thread.jspa?threadID=1373399&tstart=-1 -- I see that there is indeed a problem between OD and the jabber server running (check the source code, it's on Apple's OpenSource page: http://www.opensource.apple.com/darwinsource/Current/ChatServer-263.1/jabberod_auth/appleauthenticate.c)
The function in question is:
int odauth_check_servicemembership(const char* userName, const char* service)
which shouldn't return "No such file or directory".
regards,
P

The only way i got it working is :
    • using a second shortname (the first is not accepted; in my case it contained uppercase and login is done lowercase)
    • not using Kerberos
    • manually adding all colleague clients .. :S
    I did an advanced install.

Similar Messages

  • Mac OS Server Open Directory Will Not Turn On

    Yesterday I got the server application for Mac OS Mountain Lion.  This is my first time working with Apple server software and when I try to turn on Open Directory it says:
    An Error occured on the server while processing a command.
    The error occurred while processing a command of type 'setState' in plug-in 'servermgr_dirserv'.
    I am not sure what is causing this.  I am running the server on a 2010 iMac with Mountain Lion installed and I couldn't find any answers online.  Any help would be much appreciated.
    Edit:  I would be willing to reinstall the server software and reset settings for it if I have to.  (I just don't know how.)

    Thanks _Franck_!
    I had to do a few more steps than that and modify the recover command based on info from Case #2 - http://www.iredmail.org/forum/topic3694-iredmail-support-power-cut-ldap-dont-start.html
    1. check if this is the problem
    $ sudo /usr/libexec/slapd -Tt
    >> bdb_db_open: database "cn=authdata": db_open(/var/db/openldap/authdata/id2entry.bdb) failed: Invalid argument (22).
    2. Stop LDAP on OD Master
    $ sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
    3. Repair Permissions
    $ diskutil repairPermissions /
    4. backup openldap db
    $ sudo cp /var/db/openldap/authdata/id2entry.bdb /var/db/openldap/authdata/id2entry.bdb.backup
    5. repair
    $ sudo db_recover -cv -h /var/db/openldap/openldap-data/
    >> Recovery complete at Thu Jun  6 11:01:35 2013
    >> Maximum transaction ID 8000060e Recovery checkpoint [2][6589846]
    6. run repair again to check
    $ sudo db_recover -cv -h /var/db/openldap/openldap-data/
    >> Finding last valid log LSN: file: 2 offset 6589938
    >> Recovery starting from [1][28]
    >> Recovery complete at Thu Jun  6 11:02:32 2013
    >> Maximum transaction ID 8000060e Recovery checkpoint [2][6589938]
    7. double check if things were repaired correctly
    $ sudo /usr/libexec/slapd -Tt
    >> bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    config file testing succeeded
    8. restart the service
    $ sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist

  • Mac OS 10.8.3 Server Open Directory

    Hi.
    Sorry for my English.
    The problem is that when setting up an "OS X Server Account" on the client, in the email settings I cannot get an address that points to the account properties in Open Directory. For example:
    User - Mark Douglas
    Login - m.duglas
    email - [email protected]
    But whatever I did, I cannot get the client to automatically fill in the desired result for me, only "[email protected]"

  • OS X Server Open Directory Remote Login

    In short, I can't bind a remote machine to authenticate users at the remote location. I can get the machine to initially set up using RFC2307 search and mappings. Once I let that "marinate" for a bit, I can then go in, change the mappings to Open Directory, and all will work. However, that doesn't persist across reboots. The only thing that will persist across reboots is RFC2307 search and mappings. But with only RFC2307, I don't get home directory access. In the above scenario, when I switch it to Open Directory, I can get home directory access. But, again, not feasible if it doesn't persist across reboot.
    It works flawlessly in house / local LAN so far. Although this environment is being built from the ground up as we speak, so much testing has yet to be done. This is just one big hurdle that came along.
    I sincerely appreciate anyone's help or advice that could point me in the right direction to achieve this goal.
    I should note, I have checked all DNS records and connectivity, but am willing to try anything again.
    Thanks in advance!!!

    Describe for me your network.  When you say remote location, do you mean two physical locations separated by distance that are connected via a VPN tunnel?  Or do you mean that you punched some holes in a firewall to attempt to allow the clients to bind to the server?  I am hoping the first option.
    If you have a VPN tunnel between the two locations and DNS is available on both sides of the fence, you likely don't need to define the mappings.  I tend to leave the option set to "from server" and I've never run into any issues.
    When you are binding, are you using the simple bind via System Preferences or are you using Directory Utility?  Are you performing authenticated binds or unauthenticated binds?
    If you have two locations, Main office 10.0.0.0/24 and Remote office 10.0.10.0/24, make sure that the Remote side is using DNS that resolves to devices in Main.  For example, if the server is at 10.0.0.10 and it is the DNS server, then the clients on the 10.0.10.0/24 network should be hitting 10.0.0.10 for name resolution (unless you have replicated DNS to the 10.0.10.0/24 network).
    Since you are building this from scratch, you might want to consider using two OD servers, Master and Replica, placing a replica in the remote office and then using OD Locales to better direct your clients.
    Reid
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • Mavericks Server Open Directory Configure Network Wizard not displaying

    When setting up the Open Directory master in Mavericks Server I get an empty servers list and no drop down to create a new one.  Any ideas on how to force it to display the wizard?

    You might want to try and flush the configuration, reboot, and try again.  Try this command to remove all remnants of an OD master.  All data will be deleted.
    slapconfig -destroyldapserver
    If the wizard still does not display, make sure your DNS is working properly.  And as a final attempt, use slapconfig to create an OD Master.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • 10.6 Client and 10.7 Server Open Directory

    I've got a Mac Mini running Lion Server. It's configured as an Open Directory Server.
    And I've got some 10.6 Clients running on the same local network.
    All Clients have the Mini Server as DNS Server.
    And now I want to use Network Accounts from the 10.7 Server on the 10.6 Clients.
    I've connected the 10.6 Clients to the Server (without SSL) and all Clients say "Network Accounts available".
    But if I try to log in on the Client it just shakes the login window. I've tried it on all my Clients with different Accounts but nothing worked.
    It just won't work! But why? Can you please help me?
    What am I doing wrong? Or is the combination of 10.6 Clients and 10.7 Server not supported by Open Directory on 10.7 Server?
    Thank you !

    Check your authentication against the server from one of the clients using the following command:
    dscl /LDAPv3/<server name or IP> authonly <shortname of an account that cannot login>
         The server name should be the same name or IP you used when binding your 10.6 client to a 10.7 server.
    If you get the response "Failed to authenticate user <shortname> (tDirStatus: -14103)" you are having the same issue I was having. I found an answer to this, but you are not going to like it.
    Apparently Workgroup Manager and Server.app deal with accounts differently. If you are using Workgroup Manager to import a long list of accounts, don't. Server.app needs to write an additional setting that is not part of Workgroup Manager, or in Passenger it doesn't work correctly with accounts that have home folders that are not local. Here are the steps I used to resolve the issue:
    Export all your accounts and groups
    Using Server Admin, demote your OD to a standalone directory
    Once the demotion is complete, use Server.app to promote your server to an OD Master
    Update: I've not found it to make a difference if you use server.app or Server Admin to configure your Open Directory Master.
    Once the server is again an Open Directory Master, import the users that you exported using Server.app instead of Workgroup Manager.
    If you are importing groups, set the Home Directory by editing the account in Server.app before importing groups to avoid overwriting your group settings. Thankfully, you can select multiple accounts at a time.
    Import your groups using Server.app
    Verify group membership and test the logins
    If you test the login using the dscl command from above, you should get no error after entering the password, but as long as you have a bound client, you should be able to log in at this point.
    Hope this reaches you in time to help.

  • OSX server open directory users and logic

    Hi guys,
    Can anyone shed light on this issue? I can't be the first person to encounter it. We have a lab with 10 eMacs, plus an OSX Xserve, which is set up as an Open Directory Master; the students log in to the workstations through the Xserve.
    When they try and run Logic, we get a load of permission errors. I have tried changing the ownership and permissions to read/write for everyone, but it doesn't help. Has anyone got a fix for this problem?

    I am assuming you are not using network home directories here, purely using open directory for logging in right? Logic does not play well over a network, but using OSX server for managing users should NOT affect being able to run logic locally on a machine. If you are using network home directories for users then this WILL be a problem. For example, you will get permission errors when trying to record something.

  • OSX 10.6 server open directory authentication

    I was wondering if there are any issues with allowing one user account to authenticate (login) at the same time on several machines?

    This is perfectly ok to do but remember that it is possible to set an account in Workgroup Manager to only allow a single login at a time. Also, if you login to the same Network Home Directory (i.e. same account) from more than one machine at the same time then some applications do not allow or cope with two systems trying to access those files at the same time.

  • Creating Open Directory Replica fails with Server Admin Error Value 1127

    Hello,
    I have seen a lot of similar threads here and they were helpful up to a certain point, but in the end, they did not solve my problem.
    Currently, it comes down to this. The Server Admin Error message is really meaningless and I could not find a single hit for the error value on the whole wide web. As such, I switched to the command line versions of the tools involved to get more meaningful results. It worked. Specifically, creating a replica of an OpenLDAP master means using slapconfig.
    When executing
    slapconfig -createreplica master.ourdomain.com diradmin
    as root on the prospective replica machine, I get the following error message:
    ssh command failed with status 127
    That command is not allowed with the root account via public key authentication.
    That makes perfect sense to me, but how is it meant to work then?
    Executing slapconfig as admin tells me that this tool is to be executed as root. On the other hand, root login via ssh is not allowed in Mac OS X by default, which seems fine to me. I even changed /etc/sshd_config on the Open Directory Master machine to "PermitRootLogin yes". However, neither reloading ssh using launchctl nor restarting the whole server made this setting operational. Trying to log in from the command line as root still tells me:
    root login is not permitted to this machine via public key authentication.
    While this is the current state where I need help urgently, I changed some other things before. I tell about them to exclude these issues as possible reasons of failure. I got this message for quite a while:
    Replica Setup failed : This machine does not have a valid computer name
    I was sure this machine meant the target machine, the Open Directory master, because the domain had changed there once before I had taken over responsibility as an admin in this environment. And in fact, changeip disguised an issue there. The command proposed by changeip to fix the situation did not seem appropriate because this machine is multihomed with a public and a private IP address. Proper name resolution is available for both interfaces including reverse lookup. I don't like this setup, but it was the only way to get mail service running smoothly. Running changeip on the machine itself using these arguments
    changeip /LDAPv3/127.0.0.1 internalIP internalIP old.ours.com current.ours.com
    reported success in updating password server, Open Directory, both interfaces, hostconfig (which in fact did not change) and Samba. It reported an issue with kadmin which is related to Kerberos (we don't use Kerberos yet).
    Changing the hostname of the server using changeip did not solve the issue. I then found the hint to check with scutil. This showed that the HostName was not set on the prospective replica machine. (A question aside: in how many places is the hostname stored? The traditional /etc/hostname has gone, but seems to be replaced with several other configuration files and databases. I can't see this as an advantage.) Setting the hostname using scutil worked fine. However, it did not solve the problem either. At least, slapconfig now started to complain about not being able to log in as root instead of failing from the start.
    I also checked all log files on both machines that might have to do with OpenLDAP, as there are /var/log/slapd.log, /var/log/system.log and /Library/Log/slapconfig.log. I also checked the log of the layer on top of OpenLDAP which is /Library/Log/DirectoryService.server.log. None of them revealed anything noticeable beside a lot of entries that I have googled in the last few hours and which all don't seem to be associated with the problem in question.
    I will take a break now, but I have to fix this by tomorrow and I hope to get the ultimate hint from you, dear reader.
    Thanks and bye, Christian Völker

    ssh command failed with status 127
    That command is not allowed with the root account via public key authentication.
    Initial OD replication takes place via 'ssh'. If you have 'sshd' configured on the OD Master to authenticate with public keys then the OD replica will not be able to communicate with the OD Master via 'ssh'. You must configure the OD Master to use 'ssh' with password authentication and root login enabled.
    Demote the replica back to standalone. Stop any services that you may have running on the primary network interface. Then stop any services that you may have running on the secondary network interface. In the 'Network' System Prefpane remove the IP number from the secondary interface then deactivate the secondary network interface.
    Assign the private IP address and hostname that you wish to use for the replica to the primary network interface. Assign the 'public' IP number to the secondary interface. Check the DNS to see that the IP address and hostname for the primary network interface resolve both forward and reverse for the hostname of the replica that you have chosen. If it does not, fix your DNS before proceeding.
    In the 'Sharing' System Prefpane, change the name of the machine to the hostname (server.domain.tld) of the replica that you have chosen. Then use 'changeip -checkhostname' to see if the IP/hostname matches. Fix it if it doesn't.
    Then configure the /etc/sshd_config file on the OD master like this:
    # Authentication:
    PermitRootLogin yes
    PasswordAuthentication yes
    PubkeyAuthentication no
    and the /etc/ssh_config file on the OD replica like this:
    PasswordAuthentication yes
    PubkeyAuthentication no
    Then from the OD replica as the 'root' user issue:
    slapconfig -createreplica <ODMasterIPorFQDN> <diradmin user>
    Make sure that the 'diradmin' user's password contains only alphanumeric characters - no 'option-characters' or symbols; change it first if it does. Once the process completes, reactivate the secondary interface for the 'public' IP and check the configuration of services that will be using that IP, then start your other services. Secure the 'ssh' service on both machines to disable password authentication and 'root' logins.
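    The recipe above loosens three sshd_config settings for the duration of -createreplica and ends by telling you to secure ssh again on both machines. As an added example (not from the thread, and not an Apple tool), the POSIX shell audit below reads an sshd_config and reports whether PermitRootLogin, PasswordAuthentication and PubkeyAuthentication are back in the hardened state, so that last step can be verified rather than assumed; the two sample config files are constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the three
# settings the replica recipe temporarily loosens. Assumes plain
# "Keyword value" lines; Match blocks are not interpreted.

# Effective value of a keyword: sshd honours the first uncommented
# occurrence, so stop at the first match; keywords are case-insensitive.
sshd_setting() {
    # $1 = config file, $2 = keyword, $3 = value to report when absent
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Returns 0 when the file is in the hardened state the recipe ends with
# (no root login, no password auth, key auth enabled), 1 when any of the
# three is still loosened or left unset.
audit_sshd_config() {
    cfg="$1"
    rc=0
    root=$(sshd_setting "$cfg" PermitRootLogin unset)
    pass=$(sshd_setting "$cfg" PasswordAuthentication unset)
    pub=$(sshd_setting "$cfg" PubkeyAuthentication unset)
    [ "$root" = "no" ]  || rc=1
    [ "$pass" = "no" ]  || rc=1
    [ "$pub" = "yes" ]  || rc=1
    if [ "$rc" -eq 0 ]; then verdict=hardened; else verdict=WEAK; fi
    printf '%s: PermitRootLogin=%s PasswordAuthentication=%s PubkeyAuthentication=%s -> %s\n' \
        "$cfg" "$root" "$pass" "$pub" "$verdict"
    return "$rc"
}

# Constructed sample configs (not captured from a real server).
loosened=$(mktemp)   # the state the recipe puts the OD master in
cat > "$loosened" <<'EOF'
# Authentication:
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication no
EOF

hardened=$(mktemp)   # what it should look like once replication is done
cat > "$hardened" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

audit_sshd_config "$loosened" || true   # reports WEAK, exit status 1
audit_sshd_config "$hardened"           # reports hardened, exit status 0
rm -f "$loosened" "$hardened"
```

    Run it against /etc/sshd_config on the master and the replica after the replica is up; a WEAK verdict means the temporary settings were never reverted.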

  • Open directory in mavericks server.

    Setting up Mavericks Server - Open Directory displays the error "server was successfully configured as a directory server but an error occurred". I have tried everything. Can anyone help?

    Does the server show up in the Server list as (Master)?  If so, delete it, make absolutely sure your DNS is set up, and try again.
    Even though I have a fully qualified domain name, SERVER.DOMAIN.COM, and my reverse lookup set with my ISP (if I do a lookup for the IP of my server it returns server.domain.com), I found Open Directory was much happier if I used the DNS server on the Server itself.
    In Server DNS I created a Primary Zone for my domain, domain.com, then a Machine A Record for server.domain.com. It automatically made a nameserver record of server.domain.com and the Reverse Zone and server mapping for reverse lookup. Then I set it to perform lookups for this server only. Then I set 127.0.0.1 as the first DNS server in System Network Settings before any ISP DNS servers. Then for good measure I also entered my ISP's DNS servers as forwarding servers. Then I set up Open Directory with the correct domain with no errors.

  • DNS conflict when running Open Directory Master inside of Windows network.

    We installed Snow Leopard Server as an Open Directory Master in a building that already has a Windows Primary Domain Controller. The intent was to create a Mac network inside of the building with their own services. The Mac server does not pull LDAP/Kerberos/etc. from the Windows server and the Mac clients do not use the Windows server for any other services.
    Everything (Final Cut Server, Open Directory, DNS, File Sharing) worked fine for a day. The next day, all of the Windows machines were getting DNS conflict messages on their screens every 15 minutes. After shutting down the Snow Leopard Server, the Windows machines are back to normal.
    Ideas?
    Thanks!

    Hi
    Is it possible the Windows administrators have added your server as a DNS Server in their DHCP Service for some reason unknown to you? Or possibly you've chosen an IP address that is listed as a DNS Server in their DHCP Service?
    If you launch Terminal from a client Mac and issue the host command for the server's IP address, what's the result?
    "we understood the Mac server has to be hosting DNS in order for Open Directory to function"
    DNS does not have to be running on the Server itself for any of the Services in OSX Server to function. Just as long as it can resolve itself on both pointers is all that matters. If it was the only server on the network then yes configure the Service. If there already is an existing and mature DNS Service then it makes sense to use it.
    Tony

  • Synchronizing multiple Mac Mini Server Open Directories across branch offices

    Greetings from Central Asia -
    The non-profit that I work with has been undergoing a long-overdue IT upgrade and we recently purchased some Mac Mini Servers (still running Snow Leopard Server) to act as the core of our network across our 3 offices in 3 different cities.
    We have employees moving between offices regularly, so I'm hoping to find a way to synchronize our user database between our head office and our branch offices instead of creating separate databases in each location.  We use RADIUS and pfSense with a CaptivePortal for controlling who has internet access as well as have file shares, so keeping user database management to a minimum is an ideal.
    I come from a mostly Microsoft Domain background with regards to these things so I'm not entirely sure where to start.  Hopefully some helpful folks here will steer me in the right direction!
    I have a (mostly) unrelated question though - OS X Server seems to have two separate user databases - the "local" DB and the LDAP/OpenDirectory DB.  Is there a way to make these function together? When creating users and assigning them to groups, which is best practice to use? How do I give an LDAP/OD user login rights to the server?
    Thanks in advance,
    Tim

    I would prefer to keep the two databases separate, with the local database providing a few specific users with access when OD is inaccessible.
    The local database is basically a self-hosted LDAP server. 
    The local and OD databases do function with the appearance of one single user account presentation at login and for typical operations, too.
    Do keep all of the usernames unique; the local users, as well as the OD users.
    For your configuration, the usual pattern here is one or more open directory replicas in each lobe of the network.
    These replicas then coordinate with the master copy among themselves.  You'll have one distributed copy, but the lobes won't be tied to authentication across what may or may not be an entirely stable network; users authenticate off the local replica.
    There are also folks that use Microsoft Active Directory as the back-end for Mac OS X, as well; there are various means to this end, including what is known as the magic triangle configuration.
    As for learning more about OD, I'd read the Snow Leopard Server Open Directory administration documentation as a starting point.  The Lion Server documentation is thin.
    The Mac Enterprise Mailing List archives can also be enlightening; that's probably the most concentrated source of information on more complex management environments.

  • Initial setup of Open Directory

    I am very new to setting up a server (of any kind), and am trying to set up Snow Leopard server, so please bear with me. At this point I am simply trying to create the users and groups so I can have file sharing and permissions set up. I am sure that I am missing some small, but crucial elements to understand the software, at this point specifically how to create users and groups. My main instructions come from three books (one of which is a "dummies" book to breakdown what is said in the other ones), and I have come to the realization that I need help that doesn't come from a book.
    I paid a technician to help me install the server software, and in the process create the correct settings I needed from what services I told him that I wanted to use. Having a server where I can share files, and eventually applications, is the goal. However, when I try to follow the books on creating/configuring the OD master, I am completely lost, as I show that AFP and OD are already green and therefore setup?
    I did not touch anything in those settings. From what I can gather, I need to configure the Kerberos and LDAP names. Still, I am lost, as there is apparently already something set up from the instructions I received from the technician.
    If I haven't explained it enough, I'm in dire need of help and guidance. I am sure I am just overlooking a specific setting. But regardless, short of hiring someone (again), I can't move forward.
    Thank you in advance,
    Lisa

    Are you setting something up to use at home or in a business/school?
    There are some manuals here. I don't know if it will be more helpful to you than those books you have.
    http://support.apple.com/manuals/#serversandenterprisesoftware
    I would check out:
    -Getting Started
    -Installation and Setup
    -File Server
    -Open Directory
    -User Management

  • Authenticate windows users accessing os x client using open directory?

    I need to setup an OS X client machine (10.4.6) so that windows users (XP) can access folders based on their open directory credentials. (Using OS X server, open directory, windows PDC). If I turn on windows sharing in system preferences on the mac, it will only share local home folders to users with local accounts - not what I need. Any ideas? thanks.

    Thanks!  So now I see Open Directory, but it seems like it should be listed under the Server app with all the other services...
    Anyhow, I seem to remember a way to administer the users and groups.  This app shows me the status of the services, logs, settings.  The Server app, if I click on Add Users button, then click "connect to it" to supposedly connect to the directory server, it won't take my credentials.  I always get "Cannot authenticate to server.  Please authenticate by entering the name and password of a user account in this server's directory."
    Connect anonymously doesn't seem to do anything, it doesn't even dismiss the dialog.
    So what am I missing?

  • Using iChat Server with Windows clients in an integrated Active Directory/Open Directory environment

    A co-worker (Super Brent) and I were working on using iChat as an internal IM server after having used Openfire for a couple days. The reason for switching was basically that we had a Mac Mini Server that was available so we decided to take this on.
    First problem: Knowing whether or not Kerberos was needed for AD/OD integration. We spent a ton of time on this, not knowing a huge amount about AD and with our server administrator on courses, we just kept poking at it and removed Kerberos.
    For the AD/OD integration, we first bound the Mac Mini to our Active Directory server. We shut off LDAPv3 support as we only wanted to use the AD functionality. Additionally, we ensured that the search policy in Directory Utility only used Active Directory. Then we created an Open Directory master in the Open Directory service. We enabled a self-signed certificate and trusted it locally. After creating the iChat service, ensure that you use the self-signed SSL Certificate and set authentication to Standard. (no kerberos).
    Second problem: Once this was complete, we started to test clients out. We were unable to successfully login using our AD credentials using Spark IM and Pandium IM. After trying nearly 100 different variations of server configs, we decided to try a new client. I installed Miranda IM on my Windows XP machine and tried a few different setups. It turned out that the magic potion was to make sure that the "resource" field was set to "Home" and use SSL for encryption. This resource setting was the deal breaker for the other IM clients as many of them such as Spark and Pandium do not have this as a login option.
    We ended up using Pidgin IM as the Windows client of choice as it did have the resource variable and its interface was the best suited for our environment and users.
    I hope this helps someone out there as we spent days looking all over the internet trying to figure this out.
    Cheers,
    Frenchy and Super Brent

    Hi,
    iChat Server is not something that I know a great deal about.
    I tend to point people to the OS X Server Communities and to look out for posts by Tim Harris.
    Thanks for taking the time to post this.
    9:58 PM      Friday; February 10, 2012
    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
      iMac 2.5Ghz 5i 2011 (Lion 10.7.3)
     G4/1GhzDual MDD (Leopard 10.5.8)
     MacBookPro 2Gb (Snow Leopard 10.6.8)
     Mac OS X (10.6.8),
    "Limit the Logs to the Bits above Binary Images."  No, Seriously
