Leopard client login problem (Tiger server)... why can't I authenticate?

I look after a number of Macs and PCs at my company. Most Macs are running the latest version of Tiger but the newest machine came with Leopard. All users log into network accounts on our Xserve, running OSX Server (Tiger). However, the Leopard client machine refuses to log in to any network account, including the one I set up specifically for the machine's user, shaking its login window at me.
Users connect using Open Directory Master on the server and none of the Tiger clients have ever had problems logging in.
On the troublesome client machine, I have bound to the server correctly in Directory Utility which declares that the server is responding normally. At the login screen I get a green light and "Network Accounts Available" when I click through the options above the user name field so I know the machine can see the server.
I can successfully log in to a local account and subsequently mount the server volumes using the new name and password I've set up for the user.
What have I missed?
So far, in my attempts to resolve this I have done the following:
Removed the password from the new account;
Unbound from the server, changed the short name of the computer, re-bound to the server;
Tried logging in to other accounts known to be working;
In WGM checked that the NFSHomeDirectory entry shows the complete path for the user's home directory;
Trawled through endless forums for clues.
Kerberos is not running. Does it need to be for authenticating Leopard users?
Is there an issue with clear text passwords in Leopard? Seemingly eliminated through a no-password test account.
I'm sure that I logged in successfully once after setting up the machine but, after installing Leopard updates, logging in has consistently failed.
Anyone else having similar problems? Better yet, anyone have any answers?

No need to apologize. I learned the same way you are...
I think you may end up re-binding the 10.4 clients if you kerberize the server.
You may want to go to the server forum for folks with more definitive answers.
http://discussions.apple.com/category.jspa?categoryID=96
In any case, make sure you have a reliable backup before you do anything.
Jeff

Similar Messages

  • Panther and leopard clients on a tiger server...expected problems...

    I wanted to share a scenario that is happening in the school district I work for and see if anyone has had any similar experiences and can offer some advice before I blindly proceed.
    One of the schools I work in uses a single 10.4x server, and all the users in the school have a network account where they can log into managed work groups.
    The computers are all running 10.3x and I have had no problems at all. Users are able to log in, see their network home folders, launch all the allowed applications.
    The school is purchasing 76 new Imac computers with the new 10.5 OS on them and I was wondering what kind of problems users might experience when logging into these new workstations if they are bound to the existing server.
    I was able to bind a 10.5 mac to the 10.4 server and was able to log in using a network account, see the items that were in my network home folder, launch applications I was permitted to launch and was denied applications denied in the applications preference in workgroup manager for the workgroup I was logged in to.
    This is very preliminary testing and I was wondering what some of you who are in similar situations have experienced.
    Another concern is best described by painting a scenario.
    A user logs onto a 10.3 computer and launches an application like imovie, an older version of imovie, and does some work on a project. He then saves it and moves to one of the new imacs with 10.5 on it and a newer version of imovie.
    Will the newer version of the application run with the older preference files for it?
    Will the preference files be rewritten and if so will the old version of imovie be able to read those or will it try and rewrite them?
    Will the project created with the old version of imovie be readable by the new version?
    Will the new version of imovie update the project file and if so will the old version of imovie still be able to open it?
    I seem to remember reading something about how panther wrote preference files for applications completely differently than tiger did, and if so then can I expect the same for leopard client written pref files.
    As you can see I have lots of questions and if I can learn from other people's experiences then I can go into this knowing a little bit about what I can expect and hopefully this won't be a big disaster.
    Mark
    SD34

    Will the newer version of the application run with the older preference files for it?
    While I don't know this for certain, I do know that when I did an archive and install (which copies the old preferences for applications as well as the apps themselves to the new system folder) things have worked fine. I think the preference-writing scheme depends on the individual program version, and minor updates to the program (i.e. Safari 3.0.3b vs 3.0.4) shouldn't change this.
    Will the preference files be rewritten and if so will the old version of imovie be able to read those or will it try and rewrite them?
    When you modify any preferences the files will be rewritten. If the programs have similar versions then they should be fine. All preferences are written to the same directory (~/Library/Preferences/) so if the program versions are the same then the preferences will be written similarly.
    Will the project created with the old version of imovie be readable by the new version?
    I'm assuming you mean going from iMovie HD to iMovie '08. I've not done this personally, but as far as I know the files will import, but the transitions and other special effects that are only available in the older version of iMovie will be removed. The media files and sequences should be preserved.
    Will the new version of imovie update the project file and if so will the old version of imovie still be able to open it?
    I don't know about the old version of iMovie being able to import the new version's projects, but the new version will update the projects when you save it.
    I seem to remember reading something about how panther wrote preference files for applications completely differently than tiger did, and if so then can I expect the same for leopard client written pref files.
    I believe the writing of preference files usually depends on the individual application, not the system.

  • Local KDC (LKDC) relating to Leopard clients logging into Tiger Server

    This is a follow-up to my posting on this thread:
    http://discussions.apple.com/message.jspa?messageID=5982070#5982070
    Pursuing the problem I had when I upgraded to Leopard, I found it odd that trusted binding to Tiger OD from a Leopard client created a funny computer entry in the Workgroup Manager (WGM). Previously when using trusted binding from a Tiger machine to a Tiger server, one entry would be created. And logging in as an OD user worked every time for me. However, it appears that under 10.5.1 Kerberos has changed significantly in that it is now being used extensively through the Leopard OS for Peer-to-Peer applications. This may account for the screwed up Computer account entries in WGM when a 10.5.1 client binds to 10.4.11 Server using trusted binding. The giveaway clue to this is the LKDC:SHA1 entry created in the WGM computer record (usually 3 separate records for 10.5.1 instead of the normal single record with a Tiger client). My question is this:
    Are there any changes that can be performed via command line on the 10.5.1 client to mimic the old 10.4 client Kerberos configuration without pervasive Peer-to-Peer use of Kerberos? Is it a config setting for the mit.kerberos file? Could it be as simple as flipping a switch to get the older more compatible Kerberos config of a 10.4 Tiger client? Can I dump the Local KDC present in Leopard, and get back to the good old days of non-local KDC under Tiger?
    http://www.afp548.com/article.php?story=LeopardServerReview-LocalDirectory
    "The Local KDC
    Yes, you read that right, the local KDC. All Leopard client systems will now create a Local KDC for use with peer to peer file sharing.
    While this isn't even as close to as scary as it seems, it is a topic worthy of at least a separate article, if not a whole series. I put on my thinking toque and sat in my thinking corner for a while on this, and I've not yet been able to come up with a reason for why having a KDC on every machine is less secure than how 10.4 did things. Having said that, though, I fully understand how this can seriously freak out your network security team as they don't quite grasp all the ins and the outs of this. Combine this with Back to My Mac, another article that's forthcoming, and you have a very interesting collection of some "sleeper" features in Leopard.
    So, in a nutshell, a Local KDC, the LKDC, is created when 10.5 is installed. Local users will get LKDC authentication authorities allowing them to get Kerberos tickets and use that for single sign on to all the services hosted on that client system. Kerberos is supposed to be only used when you use Bonjour to discover the other machine. So primarily in peer to peer on the same LAN cases.
    It works, you can see this for yourself. Screen share to another machine as a local user by picking the machine out of the sidebar in the Finder. You'll have to enter in your password the first time, but after that you can close out of that screen sharing session and restart it without having to re-enter your password. You can also see the ticket in the Kerberos.app, still buried in /System/Library/CoreServices."

    Eric,
    Thanks so much for your thoroughness and assistance. I think we have decided, for now, to forgo the 10.5 clients attaching to the 10.4 server because of too many intermittent issues. Similar machines on 10.5 gave different results. And at this point, our client is very skittish about the process working at all. I think we need more testing and that is the direction we'll take for now.
    Here are some of our results:
    I did find information on afp548 regarding the 10.5 preference. It was specifically referenced in this article:
    http://www.afp548.com/forum/viewtopic.php?forum=18&showtopic=16064
    Clearing the check box on the 10.4 server under OD > Settings > Security "Require password change on new user login" did solve the memory issue that kerberos was having. After clearing the setting, I:
    * Deleted all binding references at the server (WGM > Accounts > Lists > All Computers)
    * Deleted the bindings at the client and the LDAP server references in Directory Access
    * Restarted the machine
    * Reconnected the LDAP server, Rebind the machine
    * Check the LDAP search by issuing id <username> in Terminal
    * Open System Preferences > Accounts > Login Items, the preference is there!
    * Yeehah
    Oh, but the user still can't login in that machine. Uhm, why? I have no idea. I take a new machine, 10.5.1, no login accounts except a local admin, and no that user still cannot login. Other users, no problem, but not that user.
    Take a new system, 10.4.11, set up the binding, the LDAP server, try to log in that same user: works every time. Ugh.
    So of course, I think there is something up with that user, but nothing in logs gives an indication of what is going on. That I can find. This is after 10 hours of testing and trying. Needless to state, the client is frustrated, and so am I.
    You know, we do have one 10.5.1 client laptop that did work. After lots of binding and rebinding, it just somehow started working as expected. But, the reason that we're sticking with 10.4 clients for now is that machine will not respond to password change mandates. I select that user in the WGM, check the "require password change on next login" and nothing happens on their end. They are not an admin, I have reset their account more times than I can count, and so I expect there are more non-working items with 10.5.1 clients and 10.4 server that will get me. It needs more testing for now.
    So, back to your message, I haven't tried the SSL certificate, but I will give that a try.
    In general, for your network, how are your laptop users configured? As mobile users? Network homes? Or Local homes?
    Thanks again for your help. I really appreciate it.

  • 10.4.7 Server- Client login problem - missing the obvious?

    used a similar setup on Xserve G4 and G5 without problems ...
    Client: 10.4.7 MacBook/ G4 PowerBook
    Server - dome G4 iMac - 10.4 retail - upgraded to 10.4.7
    - Kerberos running
    - DNS resolves to FQDN on server and client including reverse lookup
    - User home share is mounted on client under Network
    - from Finder -> Connect to Server you can access the home share
    - authentication and login works for a user Without a home folder on the server
    - when logging in as a user with home folder on the server you don't get an error message on the client, but login screen stays
    - on the server it shows AFP connection for the user
    - you can SSH into the client
    - clearing caches etc on the client does not make a difference
    - IP manually configured on server and client
    - network eliminated by using cross-over lead
    - client Bind successful
    - client displays network users
    On the server you can login as an account with home folder on AFP share and get access to the homefolder
    - kept path to homefolder short
    - same happens with homefolder on the default Users share
    Any suggestions?
    TIA,
    Wouter

    Try removing ACLs controlling the drive that the homefolders are on.

  • Tiger Server: I can´t install on second HD

    Hello,
    I have a PM G5 with two internal HD, one with leopard client and other one empty.
    I can´t install Tiger Server on second HD because tiger server can´t startup on this hd.
    Can anybody help me?
    thanks.

    You may need to reformat the hard drive using the Apple Partition Map (APM) partition format.
    PowerPC-based servers can only boot from APM disks (not GPT-based disks as used in Intel machines).
    In addition to the partition format, the disk will need to be formatted as HFS+ (Extended), and optionally journaled.

  • Why do we need a portal server, why can't an application server do the same job?

    what is the need of a portal server?
    why can't the same work be done by an application server alone?
    what are the features of portal server which make it more attractive rather than an application server?

    What Portal provides is
    authentication
    authorization,
    user management,
    security ( SRAP),
    content presentation frame work ( URL Scraper provider, RSS provider and JSP provider )
    dynamic vpn ( through netlets you can integrate any tcp based network application )
    Wireless portal :-),
    and a variety of other features ..
    I don't believe app server provides all these features. Requirements of these features necessitates a portal market which the portal server addresses.

  • SAP Client login problem

    Hi All,
    Whenever I am trying to connect to SQL server 2005 from SAP Client machine getting the following error :
    Connection failed:
    SQLState: '08001'
    SQL Server Error: 1326
    [Microsoft][SQL Native Client]Named Pipes Provider: Could not open a connection to SQL Server [1326].
    Connection failed:
    SQL State: 'HYT00'
    SQL Server Error: 0
    [Microsoft][SQL Native Client]Login timeout expired
    Connection failed:
    SQLState:'08001'
    SQL Server Error: 1326
    [Microsoft][SQL Native Client]An error has occurred while establishing a connection to the server.
    When connecting to SQL Server 2005, this failure may be caused by the fact that under default settings SQL Server does not allow remote connections.
    Regards,
    Rupa Sarkar

    What is the remote program you are using? Is it VPN, Citrix or Terminal Service?
    SAP B1 supports only citrix or terminal service.
    you may also try the solution from this link:
    http://blogs.msdn.com/b/sql_protocols/archive/2005/09/28/474698.aspx
    JimM

  • TCP/IP problem: closes on client side, not on server side, can't reconnect!

    Hey folks. I have a Java servlet that establishes a TCP/IP connection (via the Socket class) to a credit card processing company. Sometimes (usually early in the morning), for some reason the servlet starts timing out when using the socket (read timeouts), and the servlet responds by attempting to close() the socket, then re-open. The reopen doesn't work (no route to host).
    The credit card processing company put a sniffer on their end, and they don't see anything when our reads time out or when we subsequently do a close(). Thus, they assume the connection is still established. When we try to open a new connection, our SYN packets do get through to them just fine, but they reply with RST packets because they think the prior connection is still established (thus they reject the new connection attempt)... but for us, that connection had gone dead.
    They recommend we send FIN packets to them etc., i.e. that we do a proper TCP/IP close.... but if the connection suddenly goes dead to us, we can't do that... our close() attempts send absolutely nothing to them (no FIN packets, nothing at all).
    Any ideas? Our servlet runs in Java 1.2 under BEA Weblogic 4.5.1 on an HP/UX box. I'm thinking that, after a long time (hours) with no data transferred, our socket times out somehow on our end only (the card company appears to have no such idle-timeout policy), and thus our read/write/close attempts send nothing to them (because the socket is now invalid), but of course the subsequent open attempt sends SYN's just fine. A search of the "weblogic.properties" file produces no apparent TCP/IP socket idle-timeout values to increase or eliminate.
    Please help if you can... right now, the connection can be down for hours because of this (with many fruitless incidents of our open-attempt SYN's responded to with RST's), and we have to call the credit card processing company to have them reset the port, which allows our next open attempt to work.
    Thanks!

    Strange... You say:
    Thus, they assume the connection is still established. When we try to open a new connection, our SYN packets do get through to them just fine, but they reply with RST packets because they think the prior connection is still established (thus they reject the new connection attempt)... but for us, that connection had gone dead.
    According to me, normal TCP behavior shouldn't behave like that.
    A connection is identified by the two ends. Each end is a pair of <IP><Port>... This pair is likely to be the same all the time on the server, but will change on the client. The first time you issue a connection to the server, you will have a TCP connection identified by <ClientIp><FreeLocalPort1>-<ServerIp><ServerListeningPort>. The second time you connect, another free local port will be used. The previous cannot be reused - either because still in use, or because of a kind of 'grace' period during which this port number cannot be reused (this is to prevent mis-interpretation of packets that might be delayed on the network - connection is in the state TIME_WAIT).
    Therefore, I don't understand why the server replies with RST when your client tries to reconnect.
    Unless it has nothing to do with the TCP layer itself... You will see the same RST packet if the server application itself (not the TCP layer) refuses the connection because of some logic that says 'only one connection per client host'. If the server didn't notice your first connection was dead, it is likely to refuse your second attempt. See what I mean?
    Remember a TCP connection can be half-closed. This means that if your client closes the connection, the server won't be able to send you anything but can still read what you send. In this case, if the server sits waiting for your data, it will never detect the connection lost... This is why most tcp daemons start a timer when reading incoming data. After a predefined period of inactivity, they decide the connection is dead and will close their side of the pipe - the connection is now fully closed.
    Hope it was clear (despite my poor English and the very late hour in the night ;-)
    Can point you to more accurate TCP doc if needed.
    -Bertrand
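
The idle timer Bertrand describes, as an added example that is not part of the original thread: a minimal Python echo server on loopback that drops a connection after a period without incoming data, run once against a peer that closes properly and once against a peer that simply goes silent. The half-second timeout, the loopback port and the message bytes are assumptions made for the demo.

```python
import socket
import threading
import time

IDLE_TIMEOUT = 0.5  # seconds; demo value (assumption), real daemons use minutes


def serve_one(listener, idle_timeout, events):
    """Accept one connection, echo what arrives, and close our side if the
    peer stays silent for idle_timeout seconds."""
    conn, _ = listener.accept()
    conn.settimeout(idle_timeout)        # the read timer from the post above
    try:
        while True:
            try:
                data = conn.recv(1024)
            except socket.timeout:
                events.append("idle-timeout")   # no FIN ever arrived
                break
            if not data:
                events.append("peer-closed")    # FIN received: orderly close
                break
            events.append("data")
            conn.sendall(data)
    finally:
        conn.close()                     # releases the server-side state


def run_scenario(client_closes, idle_timeout=IDLE_TIMEOUT):
    """Run one client against the server and report what the server observed."""
    events = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # any free loopback port
    listener.listen(1)
    worker = threading.Thread(
        target=serve_one, args=(listener, idle_timeout, events))
    worker.start()

    client = socket.create_connection(listener.getsockname(), timeout=5)
    client.sendall(b"PING 0001")         # constructed sample message
    client.recv(1024)                    # wait for the echo
    started = time.monotonic()
    if client_closes:
        client.close()                   # sends FIN, server notices at once
    worker.join(timeout=5)               # silent peer: returns after the timer
    waited = time.monotonic() - started

    client_saw_eof = None
    if not client_closes:
        # The server gave up and closed; the silent client now reads EOF.
        client_saw_eof = client.recv(1024) == b""
        client.close()
    listener.close()
    return {"events": events, "waited": waited,
            "client_saw_eof": client_saw_eof}


if __name__ == "__main__":
    for closes in (True, False):
        result = run_scenario(closes)
        label = "client closes" if closes else "client goes silent"
        print(f"{label}: {result['events']} after {result['waited']:.2f}s")
```

Without the `settimeout` call the silent-peer case would block in `recv` indefinitely, which is the stale server-side connection the thread is about.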

  • Configure PHP Server: Why Can't I Create a Folder in the Web Root?

    Hi,
    I'm trying to create a new Flex 3 app with PHP as the application server type. I'm running: Flex 3.2, MAMP, Zend, PHP on an iMac with OS X 10.5.8.
    Unfortunately, Flex won't let me validate my configuration.
    a) I created a folder in htdocs called house.
    b) I filled in Flex's Web root as: /Applications/MAMP/htdocs/house
    c) Root URL: http://localhost
    When I try to validate, it fails.
    If I remove the folder house and try to validate as:
    Flex's Web root: /Applications/MAMP/htdocs
    Root URL: http://localhost
    it works.
    Why won't it let me create a folder in the web root? I've got a lot of other stuff in my htdocs folder and I'd like to keep things organized. Any suggestions on how to solve this problem?
    Thank you.
    -Laxmidi

    Before anyone can help, they need information to work with. Basic stuff:
    - What version of iPhoto.
    - What version of the Operating System.
    - Details. What were you doing when the problem arose?
    - Did it ever work properly?
    - Are there error messages?
    - What steps have you tried already to solve the issue.
    Anything else you can think of that might allow someone else to understand your issue.

  • New client login problem

    I have just created a new client in Solution Manager 4.0 and I can't login with:
    u/name: sap*
    p/word: pass
    Please help, thankyou.

    Hi,
    Go to RZ10 -> Select Instance Profile --> Choose 'Extended Maintenance' from Edit Profile Tab -> Click on Change.
    Click Create Parameter (4th icon), specify the Parameter Name and Value in the respective fields, click 'Copy', click the back button, click the Copy button again, click the back button again. Click the save option and click yes.
    You have to restart the application server to make these changes happen.
    Regards,
    Cherry

  • Crm client login problem

    I have installed CRM 2005 (IDES version) on Windows 2003. After installation I got 3 default clients (000, 001, 800). I can log in to 000 and 001 but I can't log in to the 800 client using sap*. I have tried logging in with the password pass and the password which I specified when installing; both passwords are not correct. Can anyone help in this regard?

    Hi Jan,
    That's because it uses a different user logon not CRM logon.
    You need to create an employee business partner.  Then in the admin console create the username and password for that employee.  Then create a subscription for that user (publication user) and assign it to your site.  Download data to mobile and logon to it.
    Cheers
    Andrew

  • Leopard initial login problem!

    I just upgraded to Leopard from Tiger and everything went well in the installation, but I got to the login screen and tried to log in but every time it says, "your file-vault protected home folder did not open and needs to be repaired". So I tell it to repair it and to continue logging in, but then it says "logging into user account failed". PLEASE HELP ME!! I have a school project on that computer that I need by Monday!

    This worked for me....Good Luck!
    found this on the internet. I'm going to try it now.
    This might make more sense than the Apple Support Document.
    Insert Your Leopard DVD.
    Shutdown and restart holding down C
    pick your language
    from the menu go to Utilities
    Pick reset Password
    Pick your hard drive (mine's Macintosh HD)
    From the users list select system Administrator
    Enter a password and re-enter it and select reset
    Quit password reset
    Then quit OS x installer
    Click the restart button
    When your system restarts go to system preferences
    Accounts and click the unlock button (the padlock in the bottom left hand corner)
    It will ask for user name and password
    For user name use the name Roots and the password you entered in the password reset.
    This should unlock all the greyed out menus.
    Check the Allow changes box to give you back Admin status.
    Restart your computer.
    This worked for me without another install. Hope it helps.

  • I have Snow Leopard and my Dad has Lion, why can my computer read things that his can't?

    My Dad just got a new Mac Book Pro that has Lion installed, I have the same computer but it's one year older and has Snow Leopard. He is moving all of his stuff to his new computer and burned a DVD with pictures on from his old Toshiba. My computer can read the DVD just fine and I can take the pictures and put it on my computer, but when the DVD is inserted into his computer it says the disk is blank. The pictures are saved on the old computer in JPEG form. Is there any way we can get his computer to read the disk/why isn't his computer reading the disk? Or do we just have to move the pictures a different way?

    Perhaps you have some additional software to read whatever that Toshiba is writing. Regardless, it would probably be easier and faster to use a USB flash disk or share files from one of the machines to the other.

  • R12 Client Login Problem

    I have successfully installed EBS r12 in a Windows 2003 Server and I can directly login on Vision in the Windows 2003 server by sysadmin username & password via
    http://tpcl.tpclnh.local:8008/OA_HTML/AppsLogin
    The IP address of my Windows 2003 is 10.130.128.220
    Then I tried logging in the Application through some workstations on the LAN through http://10.130.128.220:8008
    A page shown
    The E-Bussiness Home Page is located at http://tpcl.tpclnh.local:8008/OA_HTML/AppsLogin
    The browser automatically redirects the page to http://tpcl.tpclnh.local:8008/OA_HTML/AppsLogin
    But Internet Explorer cannot display the webpage.
    What can I do to make the workstation log in to the system?

    Add an entry on the LAN workstation's c:\windows\system32\drivers\etc\hosts
    10.130.128.220 tpcl.tpclnh.local tpcl
    Or register the server in your company's DNS.
    Then use the http://tpcl.tpclnh.local:8008/OA_HTML/AppsLogin URL.

  • Problems with actions - why can´t I record my changes on adjustment layers

    I use Photoshop CC 2014 on OSX 10.7.5.
    Today I started to record an action. I added some adjustment layers and did some adjustments. But the action only recorded the adding of the adjustment layers, but not the adjustments or the changes I did on those layers.
    What happened? The last time I recorded actions it all worked out...
    Please help

    Do you have photoshop cc 2014.2.0?
    In photoshop under Help>System Info, the version should be the top line.
    I'd reset the photoshop cc 2014 preferences and see if that makes a difference.
    Press and hold the Shift+Command+Option keys while starting photoshop
    Keep holding the keys down until you get a dialog asking if you want to delete the adobe photoshop settings file
    Press Yes because you do
