Open Directory Users can't add printers

Similar Messages

• Lock "Print & Fax" Sys Preference user can still add printers, why?

  lock "Print & Fax" Sys Preference user can still add printers, why?

  I should add that, I click the lock icon and it shows locked, but the + sign to add a printer is not greyed out and still allows printer drivers to be installed.  It then allows the printer driver to be deleted.  I have tried quiting System Preferences and rebooting the system and still have the same results.
  Pat

• Open Directory users can't access shares

  Greetings all.
  I apologize if this has been covered, but I couldn't find a search term that would locate the issue.
  I have a 10.5.8 Server running on a MDD dual 1Ghz G4. I have it set up as an OD Master and providing time services, DNS, file sharing, portable home directories and calendaring for a small workgroup of 7 computers. At least that's the idea when it's functional.
  It is behind a NAT and only serves the local network.
  Until I have the user's data all transferred from local directories to portable home directories, I need to make it so that the users can access the shares.
  In testing, when I try to access a share, I get an error message that the login failed because the username or password was invalid.
  However, when I go look at the Password Service log, the user was authenticated and in good standing.
  Any ideas?
  Thank you,
  John

  maybe some additional information or rephrasing might help.
  I have users and groups set up with ACLs on the shares that are set up with automount over NFS. The shares should also be available via appleshare, but not automount.
  The users are configured now with Portable Home Directories.
  The client computers are bound to the Open Directory Master on which the shares reside.
  The server runs network time services and the client computers use that for their time service.
  The server also runs DNS, and the client computers use that DNS.
  Users can log into their Portable Home Directories ok.
  Users can not log into shares via "connect to server" as it says that the username/password is invalid, even though the password service log says that the user was authenticated and in good standing.
  Users can see the NFS automount shares at /Network/Servers/Library (where it is supposed to be), but they cannot write, even though the ACL gives the user account permission to do so.
  For the permissions on the automount, I can't tell if the user is not being detected as the authenticated user, and is therefore being given "everyone" permissions, or if the ACL is not working on the mount and so the user is being given ""everyone" permissions.
  Anyone have any idea how I can find out?
  As to why a user can't log in via "connect to server" I'm clueless.
  Thank you,
  John

• My spooler won't stay running, I can't add printers.

  My spooler won't stay running, I can't add printers.
  Not able to figure out even after firewall on/off, network on/off and all setting to default...
  Regards
  Reddy

  find some possibility solution for spooler wont start here
  https://social.technet.microsoft.com/Forums/en-US/d875ab83-1b17-4a28-8738-e67249a2bdfd/cannot-print-after-update-to-81-printers-gone-print-spooler-keeps-stopping-cannot-add?forum=w8itprohardware
  I recommended this step
  1. do printer troubleshooting
  http://windows.microsoft.com/en-us/windows/printer-problems-in-windows-help#fix-printer-problems=windows-8&v1h=win8tab3&v2h=win7tab1&v3h=winvistatab1&v4h=winxptab1
  2. Uninstall antivirus using removal tools (Kapersky)
  3. Registry trick as
  JSB43211 suggested, backup your registry before perform this
  1. Open Regedit as Administrator 
  2. Find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\ key. 
  3. If you are on a 64-Bit machine, browse to the "Windows x64" sub-key (else "Windows NT x86") 
  4. Under the "Print Processors" sub-key DELETE ALL THE SUB-KEYS EXCEPT "winprint" key 
  5. Start the Print Spooler service. 
  6. Test to see if you can Add a printer. 

• Authentication Delays / Slow Authentication for Open Directory Users

  I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
  The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
  * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
  * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
  * On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
  * Connecting with AFP takes several seconds when using an Open Directory login
  * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
  * Connecting with SSH does NOT exhibit the behavior
  In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
  The history of the problem:
  Used Tiger Server for over a year = no problems
  Clean install of Leopard Server 10.5.0 back in October = no problems
  Update to Leopard Server 10.5.1 = no problems
  Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
  So in desperation I backed up and did a clean install today. Here's the process I used:
  0. Erase the disk
  1. Install Leopard Server 10.5.0 from the install DVD
  2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
  3. Reboot
  4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
  5. Reboot
  6. Configure DNS (see below for detailed configuration)
  7. Reboot
  8. Change role to Open Directory Master
  9. Reboot
  ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
  I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
  == Basic Configuration ==
  OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
  Services Enabled:
  DNS
  Open Directory
  (All other services are not yet enabled)
  == DNS Setup ==
  Primary Zone: mydomain.private.
  Allows zone transfer: no
  Nameservers: ns.mydomain.private.
  myserver (Machine) 10.0.22.201
  ns (Alias) myserver.mydomain.private.
  Reverse Zone: 22.0.10.in-addr.arpa.
  10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
  Accept recursive queries from the following networks:
  localnets
  Forwarder IP Addresses:
  208.67.222.222
  208.67.220.220
  == Open Directory Setup ==
  Role: Open Directory Master
  LDAP Search Base: dc=myserver,dc=mydomain,dc=private
  Kerberos Realm: myserver.mydomain.private
  == Network Configuration ==
  Configure: Manually
  IP Address: 10.0.22.201
  Subnet Mask: 255.255.255.0
  Router: 10.0.22.1
  DNS Server: 127.0.0.1
  Search Domains: mydomain.private
  == Other Stuff ==
  Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
  I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
  I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
  Hopefully one of the gurus out there will be able to help me out.
  Thanks,
  jeff

  I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principles in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
  == kdc.log ==
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  == slapd.log ==
  Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
  Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
  == sudo klist -k ==
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]

• How do I unbind a local user from an Open Directory user?

  I have a couple MacBook Pros running Leopard that successfully bound a local account to a corresponding Open Directory account using Directory Utility.
  I had to re-install Leopard Server (using Standard configuration) and re-create Open Directory accounts. Now these laptops are unable to bind to the new Open Directory accounts. They receive an error that the Open Directory user ID and password provided is incorrect. In addition the local user can no longer reset or change their password. I'm thinking this is because their local accounts are still bound to the old Open Directory accounts that no longer exist. Is there are way to unbind a local account in Leopard that has been bound to an Open Directory account via the Directory Utility.

  What account are you using to bind the machine? When binding you must authenticate using the OD admin login which is usually setup as diradmin or as the current client you are logged into the machine with, but this client needs to exist on the OD server.

• Mountain Lion Open Directory Users PhotoShop Elements 6.0

  Under Mac 10.8.5 , Licensing works fine for local users, but it fail for Open Directory Users.
  specifically I'm trying to launch Adobe Photoshop Elements 6.
  none of my workstations are connected
  it worked just fine under Leopard and Snow Leopard.
  running disk utilities repair permissions did not help.
  running the License Repair tool from adobe did not help.
  deleting the FLEXnet Publisher
  and Preferences/FLEXnet Publisher
  and the
  Preferences/FLEXnet Publisher/FLEXnet did not help
  all of my open directory users are group 1028
  i have
  chgrp -R 1028 /Library/Application Support/Adobe/
  chgrp -R 1028 /Applications/Adobe*
  chmod 775 /Library/Application Support/Adobe/Elements Organizer/11.0/
  chmod 775 /Library/Application Support/Adobe/Adobe PCD/cache
  chmod 775 /Library/Application Support/Adobe/Adobe PCD
  chmod 775 /Library/Application Support/Adobe/SLStore/
  chmod 777 /Library/Application Support/Adobe/Premiere Elements/11.0/AMTInfo.txt
  many of the files in these directories have permissions 664.
  several of the files that are frequently accesses were already 664 before i looked at them.
  i have over 80 user workstations.
  Mountain Lion OSX 10.8.5
  MacPro workstations 2 3.06 GHz 6-core intel Xeon
  12 Gigs of Ram
  Note i also have Adobe Premiere 11.0 installed on the workstations.
  Adobe Premiere 11.0 works fine after all the ownership and permission issues are solved.

  Hi OpenDirectoryDude,
  Photoshop Elements 6 has not been tested and has compatibility issues with Mac 10.8.5

• Cannot find bookmarks - open directory user

  We have LDAP v3 at our school. A teacher logged on to a different computer and her bookmarks were missing. Since she is an open directory user, I believe her books should follow her. We were trying to figure out where on a Mac the bookmarks are stored...and we could not figure it out.
  We see the profile where an internet search told us the bookmarks were -- but we could not see them. What specific folder are they in and what is the name of the file/folder that contains the bookmarks?

  The name of the file is '''places.sqlite'''.

• Lion: All Open Directory users obliterated

  After a rough migration from SLS, I've been running Lion Server successfully for a couple of weeks now.  However, this morning I saw that the file sharing services were down.  When I brought the server up on the monitor, the Finder was frozen solid.  I had to do a hard restart, and once it came up, all the Open Directory users are gone.  Only local users remain.  When I attempt to open the LDAP directory in Workgroup Manager it throws up a -14006 error.
  I'm going to attempt to rebuild the machine from a backup last night, but I'm wondering if anyone has any (quicker) advice.
  I'm tempted to just try and copy /var/db/openldap from the backup image over to the server, but I'm afraid it'll simply explode.  Is there a better alternative?  I don't have a current backup archive of *just* the open directory stuff...

  Restoring from a backup image "fixed" it of course, but I'm still curious how to restore the open directory database from a mirrored partition (i.e. without the use of an explicite restore from an open directory backup)

• Can't create new open directory user

  hi.
  If I use the workgroupmanager to create a new user it automatically creates one with a "crypt" password.
  first it is shown as open directory, but then if I re-load, it says "crypt" password.
  If I try to change it to open directory the system tells me that I am not authorized to do so.
  it does not matter if I try the workgroupmanager locally or via my macbook remotely.
  if I create them via the server preferences it works fine.
  since I am a newbie here, maybe I am doing something wrong... ideas? please.
  thanks.
  martindavid

  Check out this tread, you are not alone but there doesn't seem to be a single solution...
  http://discussions.info.apple.com/thread.jspa?threadID=2262981
  I had this code and MY solution came from the fact that I had turned OFF DNS because I couldn't see that "I" was using it. turning it back on and ensuring that it was correctly configured solved it for me!

• OS X Server Primary Domain Controller - Win XP clients can't add printers

  Hello all,
  I have a Xserve set up as a PDC with Open Directory / File / Print services running. I have set up a test client, a Windows XP box, with a test user, and it authenticates fine, logs in, directories are mapped, life is good
  When I browse to the Printers on that server and go to "Connect" on any print queue I get the following:
  "A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator."
  The print queues were set up in Server Admin as IPP / SMB / LPR + Bonjour shares. We don't really care who prints to what printer on our network, so access rights aren't a big deal.
  Ultimately I would like a user to login and these printers just be setup automatically via a login script, but I can't even do that until this is sorted out. Any ideas?
  Thanks for your time and assistance
  Joe Jenkins
  Network Engineer
  Davis Tool
  ...Someday I'll be an expert at this Mac Server + Win Client stuff, just not today

  I do not have guest access on, because I want to monitor who is printing, but also have no file shares either - I want to keep separation between file and print servers.
  Finally found an (the?) answer.
  1. Set up a standard TCP/IP port pointing to the IP address.
  2. When the "Additional port info required" message turns up, choose 'Custom'.
  3. Set to LPR (and tick 'LPR Byte Counting Enabled" - optional?)
  4. Continue...
  Strangely, this didn't appear to work will SMB was enabled in the print queue but it did when the queue was LPR only (maybe I just imagined that).
  Not the best solution but it works for my situation.

• Make Open Directory Users/Groups Administrators on Mac clients

  I have setup a OS X 10.8 server with Open Directory and have 2 mac os x mountain lion clients.  I would like for the user accounts I have created in the Open Directory to have admin access to the 2 mac client machines.  How can I do this?  I am new to OS X server.  Is there a Group Policy type equivalent like in Windows? 

  Ah! Thanks! No wonder I cannot do this...
  Unfortunately, the printers are all USB shared printers connected to computers on the network. Is there anyway to preset these printers? They don't show up in the Print manage settings at all.

• Open Directory users prompted to change password after 10.8 to 10.9 server upgrade

  I just upgraded our 10.8.5 server to 10.9.3. I also upgraded Server.app to the most recent version (3.1.2). I made a complete backup first as a precaution.
  Existing non-admin users are being prompted to change their password when logging in. I've narrowed the problem down to a checkbox in the "Global Password Policy" settings in Server.app, specifically this checkbox: "Passwords must: be reset on first user login". I had that box checked in 10.8 so that new users would be prompted to create a password the first time they logged into a bound computer. It worked great and I'd like to continue using this feature in 10.9.
  If I uncheck this box in Server.app in 10.9.3, existing users can log in just fine with their existing passwords. If I re-check the box, non-admin users are suddenly prompted to change their password when logging in, even though they've logged in countless times in the past.
  Here are some things I've tried:
  * stopping and restarting the Open Directory service in Server.app
  * restarting the server
  * disabling and re-enabling an existing user account
  * inspecting user records in Directory Utility for any peculiar attributes
  * I used the mkpassdb -dump command to verify that the correct "last login time" is present for a particular user, but I'm not enough of an Open Directory expert to know if this is the attribute that the Global Password Policy relies on.
  Does anyone have any other ideas or suggestions?

  UPDATE: It looks like this issue applies to new (post-upgrade) accounts, too, suggesting that this has nothing to do with the upgrade process. Can anyone confirm this behavior? It's easy to test:
  1) Make sure the "Passwords must: be reset on first user login" box is unchecked.
  2) Create a new user in Open Directory.
  3) Log in once. No problem.
  4) Now check the "Passwords must: be reset on first user login" box.
  5) Try to log in again. Were you prompted to change your password? Logically, you shouldn't have been prompted, but users on my server are being prompted.

• IChat not working with Open Directory users

  I have a Mac Mini running Snow Leopard Server 10.6.1. It provides services like Address Book, iCal, iChat, Mobile Access, MySQL, Web, SMB, Push, etc... I named the server 'Alpha' with the hostname 'alpha.markhadjar.com'
  I use DynDNS to help update my dynamic IP address with my ISP. They host my domain markhadjar.com. I created an 'A' record for markhadjar.com using my current IP. The DynDNS software client sends my current dynamic IP address and updates the record. I also created an alias for 'www'.
  Airport Extreme port forwards the correct ports to the requested server providing those services.
  All my users are listed in the Open Directory. My trouble is I can't seem to get iChat to work for the OD users. I get a connection error.
  The jabber account i'm using is the [email protected] I use the server 'ichat.markhadjar.com' with port 5222 without SSL as I do not have a SSL certificate.
  In the ichat settings of Server Admin, I specified ichat.markhadjar.com as the server name. I also created an alias in DynDNS for ichat.markhadjar.com - not sure if that was needed.
  I cannot connect using iChat to the server. I even changed the server in the iChat preferences (client side) to just markhadjar.com with no luck.
  Any help is greatly appreciated!
  Thanks.

  Mark, you mention that this server 'alpha' is running many things including Mobile Access Server. Do you also run Open Directory on the server? I am trying to figure out if Open Directory is required to be running on the server that runs Mobile Access for it to work in authenticating users and granting them appropriate access. I am hoping it is not required, because I'm having problems getting it to replicate from the Master OD server. It would be easier if it doesn't need to run OD at all. But then if it doesn't run OD, what do I need to do to "bind" it to the other internal origin server? I have read all the MObile Access doc's 50 times, and this is not clear to me. Just wondering how you are using Mobile Access. thanks man!

• 10.6.8 to Mavericks Server Upgrade loses Open Directory Users

  Hi,
  I have an OpenDirectory Master running OSX Server 10.6.8. An upgrade to Mavericks 10.9 has just failed.
  The server has about 50 OD users and passwords need to be retained across the upgrade. Apart from OD, the only other active service is AFP file sharing.
  DNS is good forward and back as per this article: OS X Server: Steps to take before upgrading or migrating the Open Directory database
  I followed these Apple guidelines for server migration: OS X Server: Upgrade and migration from Lion Server or Snow Leopard Server.
  I cloned the boot drive, booted from the clone, upgraded to Mavericks, then installed the Mavericks Server app.
  On opening the Mavericks Server app "Configuring services' showed for 5 minutes, but then an error message appeared. I did not record it exactly, but it was something like, "There was an error configuring the server. Certificate not valid!".
  I was able to continue through the error but on opening Server app there were no OD (local/network) users showing. Authentication was not happening.
  I had underestimated the time to get the installation done and I had used up the window of downtime I had booked - I did not have much time to troubleshoot. So, I cut back to the original hard drive and the server is back to 10.6.8 again.
  Can anyone point me in the right direction to find out what may have gone wrong? How can I get my users into 10.9 Server?
  Many thanks,
  b.

  Linc Davis advice is spot-on, as usual.
  There seem to be dozens of sub-databases in the LDAP database. A problem in any of them seems to derail the entire conversion process. I tried a straight conversion and was also disappointed that there were unresolved issues, and it meant that the conversion failed.
  So I did the export route using WorkGroup Manager, and exported four sets:
  Users
  Groups
  Computers
  Computer groups
  go to the appropriate pane (e.g., Users) and Select All, then choose Export, and give it a name (probably with an embedded date in case you need to do it again later)
  Then use 10.9 WorkGroup Manager (available as a separate download) to Import.
  When re-imported, everything worked just fine (except the passwords, which cannot be carried forward using this method). I did have to manually enable at least one service, such as File Sharing service in Server [admin], or users showed up as "not allowed" [to log in].
  This entire process of getting Server 3 to work is fraught with peril, and everything converges on ONE diagnostic, "Network users can't log in". Which means you blew it, but provides no additional information about WHERE you blew it.
  There do not appear to be any magic bullets. It is just a tough slog. Users who reported success after failing the first time reported they returned to fundamental principles and did all the steps over, in order, to attain success.