Key-based SSH Authentication and AFP Home Directories

I'm setting up some users with AFP home directories (hosted on an Xserve, with a couple of G5 towers as Open Directory clients). When logging in on the console on a G5 tower, the home directories work fine. The users can SSH into the Xserve using SSH key authentication. However, the users cannot SSH into the G5 towers using SSH key authentication, and are instead asked for passwords - presumably because the AFP home directory is mounted with guest access (and thus the keys are unreadable) before the password is entered.
Is there a known workaround for this? A different way of setting up the home directory mounting? I don't particularly want to go the mobile home directory route, because (among other things), as far as I know, mobile home directories only sync when a user logs into the GUI. If that's not the case (that is, if they will sync when a user logs into the machine with SSH), then I guess that would be a reasonable solution.
Thanks in advance for any suggestions!

That was just speculation on my part; I'm not sure exactly what's happening. I do know that until the user authenticates, the entire automount is mounted with guest access... and that the user can't authenticate until the key file can be read. It may be the case that I was just encountering some transient failure or the like, however.
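
One workaround for the situation described above, added here as an example and not something suggested in the thread: point sshd at a root-owned copy of each user's public keys on the local disk of the G5, so the key file can be read before the AFP home is authenticated. The directory /etc/ssh/authorized_keys and the per-user file layout are assumed.

```sshd_config
# /etc/ssh/sshd_config on each G5 (added example; assumed path layout)
# Keys live on the local disk, so sshd can read them while the network home is
# still mounted with guest access. Populate /etc/ssh/authorized_keys/<user> from
# the user's ~/.ssh/authorized_keys, owned by root, mode 0644, and keep the
# directory root-owned and not group/world writable so StrictModes accepts it.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
PubkeyAuthentication yes
StrictModes yes
```

This only fixes reading the keys: a session that never supplied a password also never hands the AFP automounter credentials, so whether the home directory itself becomes usable after a key-based login depends on how the mount is authenticated, which the thread does not resolve.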

Similar Messages

  • IPhoto '11 and network home directories

    Hi,
    We are using iPhoto '11 and network home directories which live on a SMB file server. When a user attempts to run iPhoto they get the following error: "Warning. The library could not be opened because the file system of the library's volume is unsupported."
    iPhoto '09 works fine in our environment, and if the library is relocated to the Macintosh HD > Users > Shared directory it can be loaded. This appears to be a new bug in iPhoto '11. Am I correct?

    iPhoto was never designed for a network environment. It's a low-end user application. If you want an image management application that is designed for networks and multiple users you'll need a DAM (digital asset management) application like Media Expression.
    You can learn about EM and other DAM apps at The DAM Forum where those applications are discussed and evaluated by professional photographers.
    You can request adding a new feature to iPhoto via http://www.apple.com/feedback/iphoto.html.
    OT

  • Multiple simultaneously logged in users accessing AFP home directories?

    Hi,
    Many of our problems are described in this guy's blog:
    http://alblue.blogspot.com/2006/08/rantmac-migrating-from-afp-to-nfs.html
    The basic capability we want is to have multiple simultaneously logged in users to have access to their AFP mounted home directory, which is configured in a sane, out-of-the box setup using WGM and Server Admin.
    Multiple user access could take the form of FUS (fast user switching), or simply allowing a user to SSH into a machine that another user is already logged into and expect to be able to manipulate the contents of her home directory.
    From my extensive searches, I have no reason to believe this is currently possible with 10.4 Server and AFP.
    (here's the official word from apple: http://docs.info.apple.com/article.html?artnum=25581)
    I've read that using NFS home directories will work, though.
    I want to believe that Apple has a solution for this by now (it's been almost a year since we first had difficulty), or at least a sanctioned workaround. If Apple doesn't have one, maybe someone else has come up with something clever. I find it hard to believe that more people haven't wanted this capability! (not being able to easily search the discussion boards doesn't help, though...)
    Thanks for your help!
    Adam

    Parallels Issue. Track at http://forum.parallels.com/showthread.php?p=135585

  • OpenSSH, SFTP and Chroot home directories

    Morning all,
    I'm wanting to set up SFTP in a chroot, which is simple enough to do and I already have it working; however I also want it so that when they connect via SFTP it goes directly to their home directory. Currently I have the following in "/etc/ssh/sshd_config":
    Subsystem sftp internal-sftp
    Match Group sftp-users
        ChrootDirectory /home
        AllowTCPForwarding no
        ForceCommand internal-sftp
    Which works perfectly fine; however when they connect they are shown the contents of the "/home" directory, from which they then have to "cd username" to get to their home directory. This I do not like, and it confuses our clients who connect, saying they can see "random folders that aren't mine", or some that think they've "hacked" the server.
    I really need it so upon connection they go to the "username" directory. I can do this by using:
    usermod -d /username username
    Which changes the user's home directory to "/username", and then upon connection it works just fine, they are taken directly to their home directory. However, I really really do not like the fact that "/etc/passwd" shows a different home directory to their real home directory, i.e. it states "/username" when actually it is "/home/username".
    I've spent the entire day looking at different ways of doing it, and I can't come up with anything.
    Any help?

    I think I have the same problem.  I think it is because of your user's home directory and your chroot.  When you chroot you can no longer redirect people to their home directories because they are outside the chroot (to a program running inside the chroot)...clearly I'm bad at explaining stuff so I'll try an example:
    home dir = /home/bob
    chroot = /home
    When the user gets chrooted (into /home) the /home becomes /
    Then ssh tries to send them to their home in /home/bob (or to the un-chrooted /home/home/bob).  This file doesn't exist so it leaves them in / (/home to the un-chrooted).
    Unfortunately, I have not found a way to have my cake and eat it too.  If you change their home dir you will mess up the local but fix the sftp, if you leave the local you will still have the messed up sftp.
    If they are not logging on locally this isn't a problem.  Just change their home in /etc/passwd to /$user.  NOTE: you will not be able to change the home dir's through the normal user account modifying tools because they won't let you change it to a non-existent dir.
    Hope this makes sense! (and helps!)
    Last edited by threetwoone (2010-08-16 19:28:05)
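
    Two ways to land users in their own directory while keeping /etc/passwd honest, added here as an example and not taken from the thread: chroot each user into their own home with the %u token, or keep the single /home chroot and tell the in-process SFTP server where to start (the -d option needs OpenSSH 6.2 or later, newer than this 2010 thread). The group name and the 'upload' subdirectory are assumed.

```sshd_config
Subsystem sftp internal-sftp

# Option A: one chroot per user, so the chroot root *is* the home directory and
# the passwd entry can stay /home/<user>. sshd only accepts a chroot whose
# directory and all of its parents are owned by root and not group/world
# writable, so /home/<user> itself must become root-owned (mode 0755); give the
# user a writable subdirectory inside it, e.g. /home/<user>/upload.
Match Group sftp-users
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# Option B (OpenSSH 6.2 or later): keep the shared /home chroot, which leaves
# /home/<user> user-owned for local logins, and start each session in the
# user's directory as seen from inside the chroot (/home/bob becomes /bob).
# Only one of the two Match blocks should be active for the group.
#Match Group sftp-users
#    ChrootDirectory /home
#    ForceCommand internal-sftp -d /%u
#    AllowTcpForwarding no
#    X11Forwarding no
```

    Option A is the "change the local to fix the sftp" trade-off described above, made explicit; option B avoids it at the cost of requiring a newer OpenSSH.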

  • Update from 10.5.6 to 10.5.8 and lost all users and their home directories

    My server has been working flawlessly for many months. I did the upgrade to 10.5.6 and everything has been fine. I decided to do the software update to 10.5.8. When it was finished I could not log in as admin or anyone else. I finally got in as root...then it gave me an error in Workgroup Manager. Said I was not logged in and there was an error of -14008.
    All my users are gone and so are their home directories....I hate to say it but this is ridiculous...doing a simple update and losing all the users? I expect this from Windows but not my xSERVER.
    Does anyone have a fix to correct this? I really hate having to tell all the users tomorrow morning a simple update wiped all their data.
    Carl

    Hi
    I saw your issue and I feel your pain. I did the same upgrade path to 10.6 and found that I had no users! This is not your typical Apple upgrade, the same as all other 10-X from day one. I cheated and used a new drive as I feel that upgrades may cause issues, and I also used that as an opportunity to upgrade to a larger hard drive. After booting up on the new system with the upgraded drive I found the same issue to be true. I used the original drive, modified all my users to allow my new admin account to have rights to a user that I called 'move' on the old system. I booted up the old system, modified all the users to allow user 'move', then I copied them to the new directory I set up that I called 'move' on the old drive. The next step: I set up a new user 'move' on the new system drive and copied all the data from the old system drive 'move' to the new system drive 'move'. I created all of my users on the new system drive. I set up all of my user accounts with a simple password 123456 on the new system and I copied the users to their new directory. You could restore your backup on a spare drive or an external drive with the old OS loaded. Post-its on all the users' monitors for Monday morning and... grumbling users with all of the data from Friday; get Krispy Kremes and leave them by the coffee pot [this step I forgot]. The users will talk about how nice it was that you brought doughnuts and not how their login is messed up [ha ha....]
    I know that this is not an elegant or a quick solution but it worked for me and my 36 user accounts. If you know Unix script or Python or Apple script the procedures would be faster as you could batch the whole mess.
    Hope this helps and good luck.

  • Why can't files be locked in AFP home directories?

    Hello!
    Our setup: Lion Server on Mac Pro with 30 Lion clients.
    Several applications, notably Eclipse and R Studio, are crashing on start and complaining about not being able to lock files in their working directories. This only happens on network accounts whose home directories are on the server, not local accounts on the clients.
    These apps worked fine under Snow Leopard.
    I have three questions:
    1. I assume this is a more low-level type of locking than the "Locked" checkbox in Get Info: am I right?
    2. Could apps running on clients (logged into network accounts) get locks in Snow Leopard?
    3. If so, what's changed in Lion, and how can I re-enable locking?
    Thanks
    Louise
    Example error from R Studio:
    12 Jun 2012 18:24:23 [rsession-fintannagle] ERROR system error 45 (Operation not supported) [lock-file=/Network/Servers/xgrid.complex.ucl.ac.uk/Volumes/Users/fintannagle/.rstudio-desktop/sdb/s-333EABAB/lock_file]; OCCURRED AT: core::Error core::FileLock::acquire(const core::FilePath&) /Users/rstudio/rstudio/src/cpp/core/FileLock.cpp:117; LOGGED FROM: bool session::source_database::supervisor::<unnamed>::reclaimOrphanedSession(const std::vector<core::FilePath, std::allocator<core::FilePath> >&, core::FilePath*) /Users/rstudio/rstudio/src/cpp/session/SessionSourceDatabaseSupervisor.cpp:249
    12 Jun 2012 18:24:23 [rsession-fintannagle] ERROR system error 45 (Operation not supported) [lock-file=/Network/Servers/xgrid.complex.ucl.ac.uk/Volumes/Users/fintannagle/.rstudio-desktop/sdb/s-505698E8/lock_file]; OCCURRED AT: static bool core::FileLock::isLocked(const core::FilePath&) /Users/rstudio/rstudio/src/cpp/core/FileLock.cpp:61; LOGGED FROM: static bool core::FileLock::isLocked(const core::FilePath&) /Users/rstudio/rstudio/src/cpp/core/FileLock.cpp:63
    12 Jun 2012 18:24:23 [rsession-fintannagle] ERROR system error 45 (Operation not supported) [lock-file=/Network/Servers/xgrid.complex.ucl.ac.uk/Volumes/Users/fintannagle/.rstudio-desktop/sdb/s-505698E8/lock_file]; OCCURRED AT: core::Error core::FileLock::acquire(const core::FilePath&) /Users/rstudio/rstudio/src/cpp/core/FileLock.cpp:117; LOGGED FROM: bool session::source_database::supervisor::<unnamed>::reclaimOrphanedSession(const std::vector<core::FilePath, std::allocator<core::FilePath> >&, core::FilePath*) /Users/rstudio/rstudio/src/cpp/session/SessionSourceDatabaseSupervisor.cpp:249

    User presets and templates will only be placed within the catalog folder after the 'Store presets with catalog' is activated. Existing user presets and templates will remain in their original location. I appreciate that this is a tad confusing, but it's the way Lr works. To get all of your existing presets and templates into the catalog folder it's probably quicker and easier to just copy the entire 'Lightroom Settings' folder from the default location to the Lightroom catalog folder.

  • Create RSA keys based on p and q

    Is there a way to create a KeyPair based on p and q (BigIntegers or byte[])?
    The reason I need this is because I need to encrypt files that need to be decrypted in a C# program (and vice versa). The encryption needs to be RSA (so no DES or....), although I know that there is not really a need for asymmetric encryption.
    The problem is I can generate a keypair in Java but then I cannot get the data for that keypair in C# (and vice versa).
    In C# I can create an equivalent of a KeyPair based on p and q, so if there were a way to get the p and the q of a generated keypair that would also help (or all the other parameters: d, n, e, phi, ....).
    Thanks

    You can generate PKCS8 private key bytes and X509 public key bytes using something like
        import java.security.KeyPair;
        import java.security.KeyPairGenerator;

        final KeyPairGenerator rsaKeyPairGenerator = KeyPairGenerator.getInstance("RSA");
        rsaKeyPairGenerator.initialize(2048); // or whatever size you want
        final KeyPair rsaKeyPair = rsaKeyPairGenerator.generateKeyPair();
        // The private key as PKCS8 bytes
        final byte[] privateKeyAsBytes = rsaKeyPair.getPrivate().getEncoded();
        // The public key as X509 bytes
        final byte[] publicKeyAsBytes = rsaKeyPair.getPublic().getEncoded();
    then you can import the X509 into C# (C# must have a way of importing an X509).
    OR
    do a similar thing in C# and export the X509 public key and import it into Java.
    The private key should only be used by either the C# or Java application (not both) and I would expect whichever needs the private key should generate the key pair.
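
    A way to do what the question asks, added here as an example and not code from the thread: build the Java KeyPair from p, q and e through RSAPrivateCrtKeySpec, and expose the same eight numbers a C# RSAParameters structure carries. The class and method names are my own, and the OAEP parameters are chosen to match C#'s RSAEncryptionPadding.OaepSHA256.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class RsaFromPrimes {

    /**
     * Builds a full RSA key pair (CRT form) from the primes p and q and the public
     * exponent e. The eight values computed here (n, e, d, p, q, dP, dQ, qInv) are
     * exactly the fields of C#'s RSAParameters (Modulus, Exponent, D, P, Q, DP, DQ,
     * InverseQ), so the same numbers load on the C# side with RSA.ImportParameters.
     */
    public static KeyPair keyPairFromPrimes(BigInteger p, BigInteger q, BigInteger e)
            throws Exception {
        BigInteger one = BigInteger.ONE;
        BigInteger n = p.multiply(q);
        // phi(n) = (p-1)(q-1) as in PKCS#1; a generator that used lcm(p-1, q-1)
        // instead produces a different but equally valid d for the same key.
        BigInteger phi = p.subtract(one).multiply(q.subtract(one));
        if (!e.gcd(phi).equals(one)) {
            throw new IllegalArgumentException("e must be coprime to (p-1)(q-1)");
        }
        BigInteger d = e.modInverse(phi);        // private exponent
        BigInteger dP = d.mod(p.subtract(one));  // d mod (p-1)
        BigInteger dQ = d.mod(q.subtract(one));  // d mod (q-1)
        BigInteger qInv = q.modInverse(p);       // q^-1 mod p (PKCS#1 CRT coefficient)

        KeyFactory kf = KeyFactory.getInstance("RSA");
        PrivateKey priv = kf.generatePrivate(
                new RSAPrivateCrtKeySpec(n, e, d, p, q, dP, dQ, qInv));
        PublicKey pub = kf.generatePublic(new RSAPublicKeySpec(n, e));
        return new KeyPair(pub, priv);
    }

    /**
     * Unsigned big-endian bytes, the form RSAParameters expects. BigInteger.toByteArray()
     * may prepend a 0x00 sign byte, which would make C# see a modulus one byte too long.
     */
    public static byte[] toUnsignedBytes(BigInteger x) {
        byte[] b = x.toByteArray();
        return (b.length > 1 && b[0] == 0) ? Arrays.copyOfRange(b, 1, b.length) : b;
    }

    // OAEP with SHA-256 for both the label hash and MGF1. Java's bare
    // "OAEPWithSHA-256AndMGF1Padding" keeps SHA-1 inside MGF1 unless this spec is
    // passed, and that default does not interoperate with C#'s OaepSHA256.
    private static Cipher oaepCipher(int mode, Key key) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(mode, key, new OAEPParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: generate a key, pull p and q out of it, rebuild the pair
        // from those primes, and check the rebuilt key decrypts what the original encrypts.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair original = gen.generateKeyPair();
        RSAPrivateCrtKey crt = (RSAPrivateCrtKey) original.getPrivate();

        KeyPair rebuilt = keyPairFromPrimes(
                crt.getPrimeP(), crt.getPrimeQ(), crt.getPublicExponent());

        byte[] msg = "shared between Java and C#".getBytes(StandardCharsets.UTF_8);
        byte[] ct = oaepCipher(Cipher.ENCRYPT_MODE, original.getPublic()).doFinal(msg);
        byte[] pt = oaepCipher(Cipher.DECRYPT_MODE, rebuilt.getPrivate()).doFinal(ct);
        System.out.println("round trip ok: " + Arrays.equals(msg, pt));

        // What the C# side would be handed for RSAParameters.Modulus
        System.out.println("modulus length in bytes: " + toUnsignedBytes(crt.getModulus()).length);
    }
}
```

    The getters on RSAPrivateCrtKey (getPrimeP, getPrimeQ, getPrimeExponentP, getPrimeExponentQ, getCrtCoefficient, getPrivateExponent) give the remaining numbers for a key that Java generated, which answers the "get the p and the q of a generated keypair" half of the question.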

  • AppleTV sync and Network home directories

    I am unable to see the AppleTV device in more than one location, using the same login account.
    I have an Xserve that contains user accounts in Open Directory. This Xserve also manages user home directories. This allows me to log on to any machine with the same account and get to my home folder. Do not confuse this with what I believe is called Mobile accounts where the home directory is copied locally to each machine and is kept in sync with the server. Once I log out, nothing remains on the client machine.
    So, turned on my AppleTV, logged into my Xserve since it was not being used. This account is also not "local" to the Xserve, i.e. not under /Users/. Launched iTunes, saw the AppleTV, typed in the 5 digit code, and watch the AppleTV sync. OK, no issues. Logged off the Xserve. Logged onto the desktop using the same account I just used on the Xserve. Launched iTunes, no AppleTV listed. Not cool!
    Is AppleTV restricted to syncing to one computer, one account, one ip address, or one MAC address? If it is one computer how does it know the different machines?

    Thanks folks for the comments but I don't believe I am coming across correctly.
    Patience, this is a bit complicated
    Infrastructure:
    1. Xserve1 running Open Directory, managing multiple client computers and users to include user home directory location via Workgroup Manager.
    2. Xserve2 handling 7 terabytes of home directory storage. Repeat, 7 terabytes of home directory storage.
    3. Many Mac desktops running 10.4.10. Only one local account, we'll call him local-admin on any of these machines which is the local admin account for that machine. Absolutely no other information for users resides on these machines.
    When User1 logs onto Desktop1, Desktop1 makes a query for information from Xserve1. Xserve1 responds saying the login is correct and that User1's home directory is located on Xserve2. User1 is now logged into Desktop1. Open a Finder window and if you did not know any better you would think User1 was a local user to Desktop1 because you see in Finder on the left column you have the standard items appear such as a "Home" icon next to the username, Desktop, Documents, Movies, Music, etc display. Click on any one of them and you are in the proper place. User1 logs off of Desktop1.
    User1 now logs onto Desktop2 for whatever reason. Maybe Desktop1 was being used by User34. Desktop2 repeats what Desktop1 did. Makes the call to Xserve1, mounts the home from Xserve2. If you were to go back to Desktop1 you would find no trace of User1 except maybe in log files. The only user listed in Macintosh HD -> Users or in Unix terms /Users would be local-admin. So User1 is the only user and the iTunes library located in User1's home directory is the only library being dealt with.
    On to AppleTV:
    User1 logs into Desktop1. Types in code to lock Desktop1 as the syncing source for User1's library. What was not initially understood was AppleTV also is locking Desktop1 as the streaming source for User1's library. You will see in a moment how I found this out. User1 selects the Photos to sync, turns off Movie syncing, selects Music etc. Sync finishes. AppleTV can play content, can switch to streaming source and play the videos. User1 logs off Desktop1 and AppleTV acknowledges this by greying out User1's library as a streaming source.
    User1 logs into Desktop2. User1 notices AppleTV still shows User1's library is greyed out as a streaming source. Shouldn't that no longer be greyed out since it is the same library? OK, let's add Desktop2 as a New Additional Streaming source. Types in the code that AppleTV displays on User1's library on Desktop2. The Sources screen on AppleTV now changes slightly. The new streaming source is added below a white line. The AppleTV source is still white letters and the original streaming source above the line is still greyed out. The new streaming source is selected and content is viewable. User1 logs off of Desktop2. The new streaming source greys out as expected.
    User1 logs back into Desktop1 to sync some more photos to the AppleTV. Desktop1 is used since that is the original syncing computer. iTunes is launched. User1 waits, and waits, and waits. The AppleTV device never appears back in iTunes. Checking the AppleTV, all content is gone. User1 logs back onto Desktop2 to see if streaming still works. Nope, streaming no longer works.
    Spent almost 2 hours on the phone with Apple support. Nice bunch of folks. Spoke with multiple tiers of AppleTV support and even had a gentleman on from the Enterprise Division on the phone. They are elevating this up higher and promise to get back with me. Hoping.
    Complicated, yes.
    My thoughts on how to solve this, don't lock the device to a computer, lock the device to an account for syncing. Also, don't automatically lock a streaming source when locking a syncing source.

  • JAXWS EJB3.0 Based WebService Authentication and Authorization - Weblogic

    Hi Experts,
    I need to Create an EJB3.0 WS where this Service has static Authentication and Authorization. How can I achieve it? Any pointers?
    TIA

    The below sample is for basic authentication and authorization.
    Web service
    ========
    import javax.ejb.Stateless;
    import javax.ejb.TransactionAttribute;
    import javax.ejb.Remote;
    import javax.jws.WebMethod;
    import javax.jws.WebService;
    import javax.annotation.security.RolesAllowed;

    @Stateless(mappedName="com.slsbBean")
    @Remote( { com.bea.Service.class})
    @WebService(name="TransactionPortType", serviceName="TransactionService",
                targetNamespace="http://example.org")
    public class ServiceBean implements Service {
        @WebMethod()
        @RolesAllowed( {"Admin","Manager"})  // the container rejects callers outside these roles
        public void testMethod(String s) {
            System.out.println("inside ejb method");
            // WebLogic-specific: print the principal of the authenticated caller
            System.out.println("username : " + weblogic.security.SubjectUtils.getUserPrincipal(weblogic.security.Security.getCurrentSubject()));
        }
    }
    Client
    ====
    import java.util.Map;
    import javax.xml.ws.BindingProvider;

    public class Test {
        public static void main(String[] args) {
            // TransactionService and TransactionPortType are the stubs generated from the service WSDL
            TransactionService simple = new TransactionService();
            TransactionPortType port = simple.getTransactionPortTypePort();
            BindingProvider bindingProvider = (BindingProvider) port;
            Map<String, Object> reqContext = bindingProvider.getRequestContext();
            // HTTP basic-auth credentials attached to every call made through this port
            reqContext.put(BindingProvider.USERNAME_PROPERTY, "XXXXXX");
            reqContext.put(BindingProvider.PASSWORD_PROPERTY, "XXXXXX");
            port.testMethod("hello");
        }
    }
    Regards,
    Sunil P

  • AFP Home Directories Working - Except for...

    Hello. I have a test model for a network environment I am preparing to deploy. AFP is working - for the most part - properly and as expected in providing a network home for open directory users.
    However I have three issues I have run into and still can't find the reasoning.
    1) When creating a new home folder in the workgroup manager I get the error below. However it still creates the home and functions - for the most part - properly. This could be connected to either of the two issues below.
    Error of type Not a known DirStatus (-1) on line 2112 of /SourceCache/WorkgroupManager/WorkgroupManager-319.2.2/Plugins/UserAccounts/UserAdvancedPluginView.mm
    2) When viewing the home folder in the finder it doesn't appear that home folder disc quotas are applying correctly. In the guest machine home folder it shows "9 items 26GB Available" at the bottom while the quota is set for 5GB per user.
    3) Write and read (saving files) is working for all applications except for iWeb. About half way through a publish to a folder in iWeb it fails the publish with a "this disk is unwritable" error. However it gets many of the files published before it finally fails. Sometimes, but not all times, the AFP connection will drop completely and it will come up with an OS "server disconnected" dialogue box.
    Looking at the AFP access log it shows the following hundreds and hundreds of times - probably about 700 or so times repeated. The error log shows no errors. It seems like it is just overloading the server somehow?
    IP fe80::21c:42ff:fe7d:1638 - - [22/Nov/2008:20:02:52 -0500] "Reconnected User: testuser7" 501 0 0
    <Connection> - - [22/Nov/2008:20:02:52 -0500] "Saved for Reconnect User: testuser7" 1227390615 503 0
    IP fe80::21c:42ff:fe7d:1638 - - [22/Nov/2008:20:02:52 -0500] "Login testuser7" 0 0 0
    ** - - [22/Nov/2008:20:02:52 -0500] "<D> testuser7" 89 503 0
    IP fe80::21c:42ff:fe7d:1638 - - [22/Nov/2008:20:02:52 -0500] "Reconnected User: testuser7" 503 0 0
    <Connection> - - [22/Nov/2008:20:02:53 -0500] "Saved for Reconnect User: testuser7" 1227390615 505 0
    IP fe80::21c:42ff:fe7d:1638 - - [22/Nov/2008:20:02:53 -0500] "Login testuser7" 0 0 0
    ** - - [22/Nov/2008:20:02:53 -0500] "<D> testuser7" 89 505 0
    IP fe80::21c:42ff:fe7d:1638 - - [22/Nov/2008:20:02:53 -0500] "Reconnected User: testuser7" 505 0 0
    <Connection> - - [22/Nov/2008:20:02:53 -0500] "Saved for Reconnect User: testuser7" 1227390615 507 0
    IP fe80::21c:42ff:fe7d:1638 - - [22/Nov/2008:20:02:53 -0500] "Login testuser7" 0 0 0
    ** - - [22/Nov/2008:20:02:53 -0500] "<D> testuser7" 89 507 0
    IP fe80::21c:42ff:fe7d:1638 - - [22/Nov/2008:20:02:53 -0500] "Reconnected User: testuser7" 507 0 0
    <Connection> - - [22/Nov/2008:20:02:53 -0500] "Saved for Reconnect User: testuser7" 1227390615 509 0
    Thanks so incredibly much for any suggestions or ideas.
    ~ Ben


  • Users and Remote Home Directories

    I have a lab of brand new 24" iMacs running 10.5.4 set up to authenticate to our 10.5.4 Server which is running Open Directory. When I log in as myself, the iMac logs in fine, I get my Home Directory from the server. Everything is happy. If I log in as a Student, the computer hangs on the login screen. I either have to use ARD to Restart the computer or I have to pull the plug. Here's where it gets weird. If I log in as myself, then log off and log in as a student, it works. The student gets their Home Directory from the Server and everything is happy again. It only seems to hang if the Student is the first one to log into the computer.
    The only difference I've been able to find is that my Home Directory lives under /Users on the server, where a Student's home directory would be under the folder for their class. For example a Senior would have a Home Directory in /Users/2009. Each class folder is set to share out with the same permissions as Users, and they all show up in Workgroup Manager as being options on the Home tab. Is there something I need to know about enabling Automount on multiple shares? Or can anyone else out there think of something else to explain this behavior.
    Thanks in advance.

    As far as I know, it's buggy software. If your school has an Apple tech support contract, you might try calling or emailing Apple to ask about this problem.

  • My arrow keys do not work and the Home, pgup and pgdn keys do not work. The arrow keys seem to be the home key and pgup key. almost like they switched? They do work on IE browser.

    I do not know what else to relate to you other than what i posted.

    Joao suggested already the best way to test this.
    I will only add a link to a previous post with a keyboard test program:
    http://forums.computers.toshiba-europe.com/forums/thread.jspa?threadID=19971&messageID=73525
    I believe the thin film of your keyboard connector got loose and needs to be reseated. Either have this sorted out through the authorized service (especially if your notebook is still under warranty) or find somebody who is confident in following some easy guides (picture 5,6 and 7) from this link:
    http://www.irisvista.com/tech/laptops/ToshibaM2/tecra_M2_disassembly_1.htm
    Good luck
    electrochain

  • Spotlight and network home directories

    I've run into a recurring problem in which Spotlight stops working--entirely or in part--for my network user accounts.
    Often, I'll notice that the Mail.app search feature no longer works. Interestingly, the most recent failure was that the "entire message" option would produce no results while "subject", "to", and "from" would search my mail successfully.
    This has occurred on other user accounts hosted by the same machine. Some users have found that their entire Spotlight system (menu bar search, etc) fails to function.
    Last time I just went into the server and chown/chgrp all the user accounts. For some reason, this forced spotlight to re-index and the spotlight issues went away for about a month. Now they are beginning to return.
    I'm a bit confused by this. Any suggestions?


  • Irregular failure to authenticate OpenDirectory users via password-based ssh

    TL;DR - my Yosemite Open Directory server irregularly fails to properly authenticate users (via password-based ssh).
    I recently moved an Open Directory server from an Xserve running 10.6 to a new Mini running 10.10.  I archived the OD config on the Xserve and then took it offline.  Then I brought the Mini online using the same hostname/IP address and created a new OD master using the archived configuration.  Everything seemed to work well; however, sometimes the server will not authenticate users via password when logging in with ssh/sftp/scp.  This is also true of a few OS X machines that bind to the OD server (i.e. they usually authenticate users properly, but sometimes fail for no discernible reason).
    The failures are only for password authentication using ssh.  Other mechanisms do not exhibit the auth failures.  For instance, AFP and SMB user auth never fails (with proper credentials).  Nor do users to a FileMaker Server machine that authenticate via the OD server have problems.  Public key based ssh authentication never fails.  Local accounts (non-OD, aka "Local Network Accounts") also do not fail using password-based authentication.
    The failures are irregular.  The only pattern that I can find at all is that sometimes when the failures start happening, they keep happening continuously until...at some point they work properly again.  That is, they may fail from 11:15 am to 2:01 pm, and if so, then all of them fail in that time range.  Sometimes that time range lasts seconds, sometimes it lasts hours.
    The time range failure pattern is host specific.  For instance, if password authentication is failing on the main OD server, authentication may be fine on the other bound machines.  If authentication is failing on one of the bound machines, then it may be fine on all others and fine on the OD server itself.
    The failure pattern does not seem to correlate to any other events or activity on the server (even remotely).  CPU utilization never gets above about 15%.  Memory utilization is similarly very low.  Network traffic is occasionally high, but it does not seem in any way related to the auth failures.  There are no other log messages that occur before or after the failures with any consistency.
    I've been monitoring the auth failures by attempting to login to the OD server and two other bound hosts once per minute so that I can tell when the auth is failing (before getting calls from the users). 
    The adaptive firewall is not running on the OD server.  Nor is any other firewall.
    Below is a comparison of the system.log entries for a failed and a successful auth (I've stripped out those lines that are identical in both instances).  The log entries have been sanitized as described.
    Rebooting the OD server does not affect the bound clients' authentication.  Rebooting the OD server is problematic, and I cannot do it often.  When I do, sometimes failures start soon after reboot, and sometimes they don't come back for many hours - again, no discernible pattern.
    If anyone has any ideas what I can do to discover the source of this problem and come up with a solution, I'd very much appreciate it.  Note that I'm aware that I can export all users and groups and reconstruct a new, clean OD master, but without the ability to save the passwords, this becomes a large logistical problem, and I'm saving it as a last resort (particularly since if it doesn't solve my problem, I will have inconvenienced many users and be right back in the same place).
    Thanks for reading.
    First failure:
        Feb 11 00:00:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:65373 for host/[email protected] [canonicalize, forwardable]
        Feb 11 00:00:20 odserver.myorg.gov opendirectoryd[67268]: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm ODSERVER.MYORG.GOV, tried 2 KDCs (negative cache))
        Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
        Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: Connection closed by 10.50.50.99 [preauth]
    Now successful auth:
        Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:63978 for host/[email protected] [canonicalize, forwardable]
        Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:62346 for ldap/[email protected] [canonicalize, forwardable]
        Feb 11 01:03:20 odserver.myorg.gov sshd[73786]: Accepted keyboard-interactive/pam for myusername from 10.50.50.99 port 53361 ssh2
        Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: GetStatus: connecting to self not allowed
        Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: ERROR: AFP_GetServerInfo - connect failed 62
    I've sanitized the entries as follows, replacing...
    My username by myusername
    The ssh source host IP address by 10.50.50.99
    The ssh source hostname by clienthost.myorg.gov
    The server hostname by odserver.myorg.gov
    The server hostname (in caps) by ODSERVER.MYORG.GOV
    The server IP address by 10.50.50.50
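    As an added example (not from the original post), a small Python script that parses the sanitized syslog lines above and tags each sshd accept/reject with whether a KDC-unreachable ("negative cache") error was logged within a few seconds of it; run over a full day's log it shows whether the intermittent failures line up with the KDC errors. The sample lines are copied from the post; the five-second window is an assumption.

```python
import re
from datetime import datetime

# Sample log constructed from the sanitized entries quoted in the post above.
SAMPLE_LOG = """\
Feb 11 00:00:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:65373 for host/[email protected] [canonicalize, forwardable]
Feb 11 00:00:20 odserver.myorg.gov opendirectoryd[67268]: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm ODSERVER.MYORG.GOV, tried 2 KDCs (negative cache))
Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: Connection closed by 10.50.50.99 [preauth]
Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:63978 for host/[email protected] [canonicalize, forwardable]
Feb 11 01:03:20 odserver.myorg.gov sshd[73786]: Accepted keyboard-interactive/pam for myusername from 10.50.50.99 port 53361 ssh2
"""

# BSD syslog layout: "Mon DD HH:MM:SS host process[pid]: message" (no year field).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
KDC_DOWN = "unable to reach any KDC"

def parse_line(line):
    """Return a dict of syslog fields, or None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog omits the year; a fixed one keeps ordering within a single log file.
    rec["time"] = datetime.strptime("2000 " + rec["ts"], "%Y %b %d %H:%M:%S")
    return rec

def correlate(log_text, window_seconds=5):
    """Tag each sshd accept/reject with whether a KDC-unreachable error preceded it (assumed window)."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    kdc_down_at = [r["time"] for r in events if KDC_DOWN in r["msg"]]
    results = []
    for r in events:
        if r["proc"] != "sshd":
            continue
        if r["msg"].startswith("Accepted "):
            outcome = "accepted"
        elif "authentication error" in r["msg"]:
            outcome = "failed"
        else:
            continue  # "Connection closed" lines carry no authentication decision
        delta = [(r["time"] - t).total_seconds() for t in kdc_down_at]
        kdc_unreachable = any(0 <= d <= window_seconds for d in delta)
        results.append({"ts": r["ts"], "pid": r["pid"], "outcome": outcome,
                        "kdc_unreachable": kdc_unreachable})
    return results
```

    Feeding it the whole of /var/log/system.log (or secure.log) and grouping the results by hour would make a time-of-day pattern, if there is one, visible.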

    Hello James,
    I have not had a chance to look for the router configuration document; however, for one of my certificate exams I did configure Authentication Proxy on an IOS router. The config for that lab was:
    ! AAA: TACACS+ first, local users as fallback
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization auth-proxy default group tacacs+ local
    aaa session-id common
    !
    ! Auth-proxy rule that intercepts HTTP and expires idle sessions after 60 minutes
    ip auth-proxy name AUTHPROXY http inactivity-time 60
    !
    interface FastEthernet0/0
     ip address 192.168.250.19 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 192.168.200.120 255.255.255.0
     ip access-group 110 in
     ip nat inside
     ip virtual-reassembly
     ip auth-proxy AUTHPROXY
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 192.168.250.1
    !
    ! The HTTP server must be enabled and use AAA for the auth-proxy login page
    ip http server
    ip http authentication aaa
    no ip http secure-server
    !
    ip nat inside source list nat interface FastEthernet0/0 overload
    ip access-list extended nat
     permit ip 192.168.200.0 0.0.0.255 any
    access-list 110 permit ip any any
    !
    tacacs-server host 192.168.250.20
    tacacs-server key cisco123
    end
    Please check if the commands are supported on your router as well.
    If this was helpful please rate.
    Regards.

  • Stumped on AFP network home directories.

    Heyo,
    I've been RTFMing File Services, User Management and Open Directory. Also looked in www.AFP548.com but didn't find anything helpful.
    We have a mixed environment and Windows users aren't having any problem with network domain logins or using SMB shares. Mac clients can mount the network shares with AFP but network homes are a no go.
    Made the changes needed for the firewall and tried it with the firewall off just to be sure.
    The /Home share is automounted (not using the default /Users).
    Guest access is on in Sharing and AFP.
    Network Mount for /Home is set to Enable network mounting, AFP and User Home Directories.
    SMB Windows Homes are in the same directory and run without problems.
    Directory Access on the Client saw the server and looks ok.
    Only ref. I can find for the login attempt is under Open Directory Password Service Server Log:
    Apr 23 2006 16:42:31 RSAVALIDATE: success.
    Apr 23 2006 16:42:31 USER: {0x00000000000000000000000000000001, netadmin} is the current user.
    Apr 23 2006 16:42:31 AUTH2: {0x00000000000000000000000000000001, netadmin} CRAM-MD5 authentication succeeded.
    Apr 23 2006 16:42:31 QUIT: {0x00000000000000000000000000000001, netadmin} disconnected.
    and OD LDAP log:
    Apr 23 16:42:31 ci slapd[81]: bind: invalid dn (netadmin)\n
    Nothing in the AFP log.
    Any thoughts on what I should try or something obscure I may have missed when setting up MacOS client network home directories with AFP?
    Thanks
    Mitch
    Server: 10.4.6
    Workstations: 10.4.6

    Getting closer.
    Kerberos wasn't running and the ODM wouldn't Kerberize.
    This thread sorted out the issue:
    http://discussions.apple.com/thread.jspa?messageID=2186542&#2186542
    Kerberos is running now but still canna login for Mac clients.
    hostname and sso_util info -g both resolve properly.
    But when I run "slapconfig -kerberize diradmin REALM_NAME"
    all looks good until the command (with the proper substitutions)
    "sso_util configure -r REALM_NAME -f /LDAPv3/127.0.0.1 -a diradmin -p diradmin_password -v 1 all"
    automatically runs and I get a list of:
    SendInteractiveCommand: failed to get pattern.
    SendInteractiveCommand: failed to get pattern.
    SendInteractiveCommand: failed to get pattern.
    and "sso_util command fialed with status 2"
    the sso_util command by itself spits out
    Contacting the directory server
    Creating the service list
    Creating the service principals
    kadmin: Incorrect password while initalizing kadmin interface
    SendInteractiveCommand: failed to get pattern.
    kadmin: Incorrect password while initalizing kadmin interface
    SendInteractiveCommand: failed to get pattern.
    kadmin: Incorrect password while initalizing kadmin interface
    SendInteractiveCommand: failed to get pattern.
    etc...
    even though the login/pass are good.
    Any thoughts on what I should check or where I should go next?
    Thanks
    Mitch
    iMac G5   Mac OS X (10.4.6)  
