Open Directory: users enter accounts very slow

We have Mac OS X Server Snow Leopard 10.6.8 with OpenDirectory and some iMacs with Mac OS X Snow Leopard 10.6.8. After adding Network Account Server in iMacs (System Preferences->Accounts->Login Options->Network Account Server Edit) all works great and users login and anter thir accounts for 5-10 seconds. But some days or weeks later the time for logging and entering their accounts takes for about 5 minutes. If I re-add Network Account Server, then all works greatly again. What's the matter? How to avoid this re-adding?

What do you get when you try to logon?
Does the screen just shake at you?
Can you logon as the diradmin?

Similar Messages

  • Authentication Delays / Slow Authentication for Open Directory Users

    I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
    The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
    * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
    * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
    * On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
    * Connecting with AFP takes several seconds when using an Open Directory login
    * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
    * Connecting with SSH does NOT exhibit the behavior
    In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
    The history of the problem:
    Used Tiger Server for over a year = no problems
    Clean install of Leopard Server 10.5.0 back in October = no problems
    Update to Leopard Server 10.5.1 = no problems
    Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
    So in desperation I backed up and did a clean install today. Here's the process I used:
    0. Erase the disk
    1. Install Leopard Server 10.5.0 from the install DVD
    2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
    3. Reboot
    4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
    5. Reboot
    6. Configure DNS (see below for detailed configuration)
    7. Reboot
    8. Change role to Open Directory Master
    9. Reboot
    ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
    I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
    == Basic Configuration ==
    OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
    Services Enabled:
    DNS
    Open Directory
    (All other services are not yet enabled)
    == DNS Setup ==
    Primary Zone: mydomain.private.
    Allows zone transfer: no
    Nameservers: ns.mydomain.private.
    myserver (Machine) 10.0.22.201
    ns (Alias) myserver.mydomain.private.
    Reverse Zone: 22.0.10.in-addr.arpa.
    10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
    Accept recursive queries from the following networks:
    localnets
    Forwarder IP Addresses:
    208.67.222.222
    208.67.220.220
    == Open Directory Setup ==
    Role: Open Directory Master
    LDAP Search Base: dc=myserver,dc=mydomain,dc=private
    Kerberos Realm: myserver.mydomain.private
    == Network Configuration ==
    Configure: Manually
    IP Address: 10.0.22.201
    Subnet Mask: 255.255.255.0
    Router: 10.0.22.1
    DNS Server: 127.0.0.1
    Search Domains: mydomain.private
    == Other Stuff ==
    Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
    I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
    I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
    Hopefully one of the gurus out there will be able to help me out.
    Thanks,
    jeff

    I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principles in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
    == kdc.log ==
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    == slapd.log ==
    Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
    Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
    == sudo klist -k ==
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]

  • How do I unbind a local user from an Open Directory user?

    I have a couple MacBook Pros running Leopard that successfully bound a local account to a corresponding Open Directory account using Directory Utility.
    I had to re-install Leopard Server (using Standard configuration) and re-create Open Directory accounts. Now these laptops are unable to bind to the new Open Directory accounts. They receive an error that the Open Directory user ID and password provided is incorrect. In addition the local user can no longer reset or change their password. I'm thinking this is because their local accounts are still bound to the old Open Directory accounts that no longer exist. Is there are way to unbind a local account in Leopard that has been bound to an Open Directory account via the Directory Utility.

    What account are you using to bind the machine? When binding you must authenticate using the OD admin login which is usually setup as diradmin or as the current client you are logged into the machine with, but this client needs to exist on the OD server.

  • Mountain Lion Open Directory Users PhotoShop Elements 6.0

    Under Mac 10.8.5 , Licensing works fine for local users, but it fail for Open Directory Users.
    specifically I'm trying to launch Adobe Photoshop Elements 6.
    none of my workstations are connected
    it worked just fine under Leopard and Snow Leopard.
    running disk utilities repair permissions did not help.
    running the License Repair tool from adobe did not help.
    deleting the FLEXnet Publisher
    and Preferences/FLEXnet Publisher
    and the
    Preferences/FLEXnet Publisher/FLEXnet did not help
    all of my open directory users are group 1028
    i have
    chgrp -R 1028 /Library/Application Support/Adobe/
    chgrp -R 1028 /Applications/Adobe*
    chmod 775 /Library/Application Support/Adobe/Elements Organizer/11.0/
    chmod 775 /Library/Application Support/Adobe/Adobe PCD/cache
    chmod 775 /Library/Application Support/Adobe/Adobe PCD
    chmod 775 /Library/Application Support/Adobe/SLStore/
    chmod 777 /Library/Application Support/Adobe/Premiere Elements/11.0/AMTInfo.txt
    many of the files in these directories have permissions 664.
    several of the files that are frequently accesses were already 664 before i looked at them.
    i have over 80 user workstations.
    Mountain Lion OSX 10.8.5
    MacPro workstations 2 3.06 GHz 6-core intel Xeon
    12 Gigs of Ram
    Note i also have Adobe Premiere 11.0 installed on the workstations.
    Adobe Premiere 11.0 works fine after all the ownership and permission issues are solved.

    Hi OpenDirectoryDude,
    Photoshop Elements 6 has not been tested and has compatibility issues with Mac 10.8.5

  • OAM Identity Server user search is very slow after upgrading to 10.1.4.2

    We recently upgraded Identity-Server from 7.0.4 to 10.1.4.2 + BP10. The new webpass (version 10.1.4.2) is on iPlanet webserver, which does not have any bundled patch available. After this upgrade, we found the user search is very slow. It is taking double the time compare to version 7.0.4. The search performance for NetPoint admin users is fine.
    The new version is connecting to the same LDAP (Sun 5.2) as the old one. The 7.0.4 version was well tuned (like Ldap connections, caching, etc) for the performance. The migration suppose to carryover those performance configuration to the new version. Is there any new parameter (related to performance) I should look for in version 10 ? Anybody have faced these issues after migration and found a fix for it ?
    Thanks!
    Kabi

    More in this thread - Re: OAM- "You do not have sufficient access rights" message with Master Adm
    -Vinod

  • Cannot find bookmarks - open directory user

    We have LDAP v3 at our school. A teacher logged on to a different computer and her bookmarks were missing. Since she is an open directory user, I believe her books should follow her. We were trying to figure out where on a Mac the bookmarks are stored...and we could not figure it out.
    We see the profile where an internet search told us the bookmarks were -- but we could not see them. What specific folder are they in and what is the name of the file/folder that contains the bookmarks?

    The name of the file is '''places.sqlite'''.

  • Lion: All Open Directory users obliterated

    After a rough migration from SLS, I've been running Lion Server successfully for a couple of weeks now.  However, this morning I saw that the file sharing services were down.  When I brought the server up on the monitor, the Finder was frozen solid.  I had to do a hard restart, and once it came up, all the Open Directory users are gone.  Only local users remain.  When I attempt to open the LDAP directory in Workgroup Manager it throws up a -14006 error.
    I'm going to attempt to rebuild the machine from a backup last night, but I'm wondering if anyone has any (quicker) advice.
    I'm tempted to just try and copy /var/db/openldap from the backup image over to the server, but I'm afraid it'll simply explode.  Is there a better alternative?  I don't have a current backup archive of *just* the open directory stuff...

    Restoring from a backup image "fixed" it of course, but I'm still curious how to restore the open directory database from a mirrored partition (i.e. without the use of an explicite restore from an open directory backup)

  • Cisco Unity Connection 8.0 / access to the user configuration is very slow

    Hello!!
    The access to the user configuration is very slow. When you click on an user it need about 2-3 minutes until the configuration sidewill be loaded.
    What could be the reason?
    How is it possible to load the user configuration a little bit faster?
    A restart of the Cisco Unity Connection was done.
    The user will be imported from the CallManager.
    Cisco Unity Connection 8.0.2.40000-12
    WebBrowser: Internet Explorer 8.0
    Same result with Mozilla Firefox 3.6
    Any ideas?
    Thank you!!!
    Joerg K.

    Hello Joerg,
    could it be possible that you have some problems with the AXL integration for example wrong /dead server IP:
    CSCth86004 Import page takes long time to load if AXL integration is broken
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth86004
    Kind regards,
    Marcel Ammann
    P.S.: Please rate helpful post's

  • Cd tray opening on boot up and very slow boot up, 5 mins plus

    Hello, very new to Macs, only had this a few days. G4 800 mzh 1.5 gb ram running os 10.4. Cd tray opens on boot up and very slow boot up. Tried resetting pram and fsck. No joy with either.
    Any help and advice much appreciated
    Thanks
    Jon

    A warm welcome to Macdom & Apple's forums!
    You may need to reinstall some things, or maybe even the whole OS.
    How much free space is on the HD of what size?
    At this point I think you should get Applejack...
    http://www.versiontracker.com/dyn/moreinfo/macosx/19596
    After installing, reboot holding down CMD+s, then when the prompt shows, type in...
    applejack AUTO
    Then let it do all 5 of it's things.
    At least it'll eliminate some questions if it doesn't fix it.
    The 5 things it does are...
    Correct any Disk problems.
    Repair Permissions.
    Clear out Cache Files.
    Repair/check several plist files.
    Dump the VM files for a fresh start.
    Sometimes 2 or 3 restarts will be required for full benefit... my guess is files relying upon other files relying upon other files!

  • Recently cerated Open Directory user accounts not able to login.

    Hello Everyone,
    I recently updated our companies Maverick server to version 3.2.1 and now some of my users are unable to login to our Open Directory server. Our server is currently running OS X 10.9.5 Build 13F34. The server log out put is the following when a user attempts to login to Open Directory.
    12/8/14 11:35:46.995 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:59274 for krbtgt/[email protected]
    12/8/14 11:35:47.003 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:59274 for krbtgt/[email protected]
    12/8/14 11:35:47.004 AM kdc[3049]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
    12/8/14 11:35:47.011 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:50783 for krbtgt/[email protected]
    12/8/14 11:35:47.016 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:50783 for krbtgt/[email protected]
    12/8/14 11:35:47.017 AM kdc[3049]: Client sent patypes: ENC-TS
    12/8/14 11:35:47.017 AM kdc[3049]: ENC-TS pre-authentication succeeded -- [email protected]
    12/8/14 11:35:47.019 AM kdc[3049]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
    12/8/14 11:35:47.019 AM kdc[3049]: Requested flags: forwardable
    12/8/14 11:35:47.282 AM kdc[3049]: TGS-REQ [email protected] from 192.168.15.95:50911 for host/[email protected] [canonicalize, forwardable]
    12/8/14 11:35:47.283 AM kdc[3049]: Searching referral for mbpe-0c4de9abba49.local
    12/8/14 11:35:47.284 AM kdc[3049]: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
    12/8/14 11:35:47.285 AM kdc[3049]: Failed building TGS-REP to 192.168.15.95:50911
    12/8/14 11:35:47.289 AM kdc[3049]: TGS-REQ [email protected] from 192.168.15.95:64376 for krbtgt/[email protected] [forwardable]
    12/8/14 11:35:47.290 AM kdc[3049]: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
    12/8/14 11:35:47.290 AM kdc[3049]: Failed building TGS-REP to 192.168.15.95:64376
    Note: I have rebuild Open Directory and still see the message above when users attempt to login. Also, I have not changed the name of the server, all server certificates are valid and for some reason time machine restores is not working. I have tried to restore the server back to June and it made the issue worse.
    Any help would be appreciated.

    Thank you for you reply Linc. Unfortunately I tried this already and it did not fix my issue. I checked the Open directory startup log and found a possible issue with the domain name in the startup file and the signing certificate. The domain name has a $ and it can find the signing certifiate with a public key. Please take a look below and let me know what you think?
    12/8/14 11:02:42.961 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:63580 for krbtgt/[email protected]
    12/8/14 11:02:42.975 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:43.082 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:52257 for krbtgt/[email protected]
    12/8/14 11:02:43.093 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:43.621 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:64357 for krbtgt/[email protected]
    12/8/14 11:02:43.633 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:43.893 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:64619 for krbtgt/[email protected]
    12/8/14 11:02:43.904 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:44.191 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:61095 for krbtgt/[email protected]
    12/8/14 11:02:44.210 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:44.560 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:52115 for krbtgt/[email protected]
    12/8/14 11:02:44.576 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:45.016 PM UserEventAgent[18]: Registered Workstation service - wdpmosx [68:5b:35:ca:f7:4b]._workstation._tcp.
    12/8/14 11:02:45.193 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:54745 for krbtgt/[email protected]
    12/8/14 11:02:45.208 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:45.554 PM kdc[13723]: label: WDPMOSX.XYZ.ORG
    12/8/14 11:02:45.554 PM kdc[13723]: dbname: od:/LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi
    12/8/14 11:02:45.554 PM kdc[13723]: mkey_file: /var/db/krb5kdc/m_key.WDPMOSX.XYZ.ORG
    12/8/14 11:02:45.555 PM kdc[13723]: acl_file: /var/db/krb5kdc/acl_file.WDPMOSX.XYZ.ORG
    12/8/14 11:02:45.568 PM kdc[13723]: PKINIT: failed to find a signing certifiate with a public key
    12/8/14 11:02:45.618 PM kdc[13723]: KDC started
    Thanks again.

  • Open Directory users prompted to change password after 10.8 to 10.9 server upgrade

    I just upgraded our 10.8.5 server to 10.9.3. I also upgraded Server.app to the most recent version (3.1.2). I made a complete backup first as a precaution.
    Existing non-admin users are being prompted to change their password when logging in. I've narrowed the problem down to a checkbox in the "Global Password Policy" settings in Server.app, specifically this checkbox: "Passwords must: be reset on first user login". I had that box checked in 10.8 so that new users would be prompted to create a password the first time they logged into a bound computer. It worked great and I'd like to continue using this feature in 10.9.
    If I uncheck this box in Server.app in 10.9.3, existing users can log in just fine with their existing passwords. If I re-check the box, non-admin users are suddenly prompted to change their password when logging in, even though they've logged in countless times in the past.
    Here are some things I've tried:
    * stopping and restarting the Open Directory service in Server.app
    * restarting the server
    * disabling and re-enabling an existing user account
    * inspecting user records in Directory Utility for any peculiar attributes
    * I used the mkpassdb -dump command to verify that the correct "last login time" is present for a particular user, but I'm not enough of an Open Directory expert to know if this is the attribute that the Global Password Policy relies on.
    Does anyone have any other ideas or suggestions?

    UPDATE: It looks like this issue applies to new (post-upgrade) accounts, too, suggesting that this has nothing to do with the upgrade process. Can anyone confirm this behavior? It's easy to test:
    1) Make sure the "Passwords must: be reset on first user login" box is unchecked.
    2) Create a new user in Open Directory.
    3) Log in once. No problem.
    4) Now check the "Passwords must: be reset on first user login" box.
    5) Try to log in again. Were you prompted to change your password? Logically, you shouldn't have been prompted, but users on my server are being prompted.

  • IChat not working with Open Directory users

    I have a Mac Mini running Snow Leopard Server 10.6.1. It provides services like Address Book, iCal, iChat, Mobile Access, MySQL, Web, SMB, Push, etc... I named the server 'Alpha' with the hostname 'alpha.markhadjar.com'
    I use DynDNS to help update my dynamic IP address with my ISP. They host my domain markhadjar.com. I created an 'A' record for markhadjar.com using my current IP. The DynDNS software client sends my current dynamic IP address and updates the record. I also created an alias for 'www'.
    Airport Extreme port forwards the correct ports to the requested server providing those services.
    All my users are listed in the Open Directory. My trouble is I can't seem to get iChat to work for the OD users. I get a connection error.
    The jabber account i'm using is the [email protected] I use the server 'ichat.markhadjar.com' with port 5222 without SSL as I do not have a SSL certificate.
    In the ichat settings of Server Admin, I specified ichat.markhadjar.com as the server name. I also created an alias in DynDNS for ichat.markhadjar.com - not sure if that was needed.
    I cannot connect using iChat to the server. I even changed the server in the iChat preferences (client side) to just markhadjar.com with no luck.
    Any help is greatly appreciated!
    Thanks.

    Mark, you mention that this server 'alpha' is running many things including Mobile Access Server. Do you also run Open Directory on the server? I am trying to figure out if Open Directory is required to be running on the server that runs Mobile Access for it to work in authenticating users and granting them appropriate access. I am hoping it is not required, because I'm having problems getting it to replicate from the Master OD server. It would be easier if it doesn't need to run OD at all. But then if it doesn't run OD, what do I need to do to "bind" it to the other internal origin server? I have read all the MObile Access doc's 50 times, and this is not clear to me. Just wondering how you are using Mobile Access. thanks man!

  • AFP Directory Listings via VPN very slow in Finder

    Hello all!
    I recently exchanged my existing Apple iMac Core2Duo (with Mac OS X 10.6.8) to a brand new iMac 27" i7 (10.9.4). Besinde to this new iMac I´m using a MacBook Pro 15" (with 10.6.8). WLAN/Airport is turned off; only Ethernet / LAN is used.
    My problem right now is: since the upgrade to OS X Mavericks we are experiencing server problems, browsing AFP shares on remote servers (VPN). The Directory Listing is very slow an can take up to 30 minutes for large listings. I can't browse network folders with Finder because it's too slow. It takes forever just list all the subfolders. If I try to transfer or open a file, everything is fine and I can do it at the right speed.
    Here's the setup
    2 networks are connected thanks to a VPN connection.
    All clients, in all connected networks can communicate to a common fileserver (MacPro with OS X 10.6.8 SnowLeopard Server) in Network A
    Firewall is not an issue between those networks
    The clients authenticate via OpenDirectory and Kerberos to the fileserver
    So the problems occur if i want to connect a client on network B to the server on network A. Connection, authentication, ... all good. Even the performance over the VPN, to tranfer files is OK. But browsing subfolders is catastrophic. I used AFP , results are the same. I also made tests on older clients, to see if the fileserver is the problem. 10.6 and 10.8 clients can browse normally, speed is OK.
    So my question: What can I do to accelerate the browsing of my AFP/SMB shares for all my Mavericks clients? What can I do to speed up the Directory Listing? And yes: i know about solutions like PathFinder, TotalFinder, .... but i'm more interested in a native solution to this problem.
    Thx!!
    OS X Mavericks (10.9.4), 10.6.8 Server

    This has been a major issue in Mavericks all along.   SMB has been a total disaster for anyone who works with MACs on a corporate network, causing admins night terrors, anxiety disorders, and general sadness.    10.9.4 + some server side fixes (smbcreditsmax and smbcreditsmin)  fixed many of the issues, but the slow finder listings over VPN connections is still unusable.  the only workarounds i know of are:
    - switch to windows
    - downgrade to mountian lion
    - use FTP or webDav protocols
    - use a 3rd party finder replacement:  mucommander     (clunky additional app but works!) 
    I will be testing Yosemite beta this weekend, i have heard reports that some of this nonsense is fixed. 

  • Make Open Directory Users/Groups Administrators on Mac clients

    I have setup a OS X 10.8 server with Open Directory and have 2 mac os x mountain lion clients.  I would like for the user accounts I have created in the Open Directory to have admin access to the 2 mac client machines.  How can I do this?  I am new to OS X server.  Is there a Group Policy type equivalent like in Windows? 

    Ah! Thanks! No wonder I cannot do this...
    Unfortunately, the printers are all USB shared printers connected to computers on the network. Is there anyway to preset these printers? They don't show up in the Print manage settings at all.

  • Lightroom Catalog and Apple Open Directory Users

    We are attempting to run Lightroom in our photo journalism classes and we are unable to setup the application because it will not create the Catalog file. 
    All of the users in Open Directory have their OSX 10.8 home folder stored on our Apple Server. This enabled them to log into any one of the computers in the lab and have access to their data/documents.
    Lightroom refuses to create the Catalog file because it treats the home folder as a network folder.
    My predecessor found some way around this in the past but he didn't document it and I can't find any evidence of it either.
    Can anyone help me out here?  Surely there are other people out there trying to use Adobe Products who also utilize Apple's "Open Directory" (its like apple's version of Active Directory).
    The only help online I've found was to try and create symbolic links but even after making symbolic links from the local HD to the Network user Home folder lightroom still refused to create the catalog file.

    its been almost a year and we still don't have any good answers to this issue.
    Lightroom is not usable for any domain/directory enabled accounts because their home directories are stored on the network. 
    Is there anything else we can do?  We do not want them to "share" their catalogs but we really need them to be able to store their catalog on their network home because they do not always use the same computer and policy disallows saving documents or files to the local hard drives for students.

Maybe you are looking for

  • IPod synch - not updating iCal events

    Several people have posted that their calendars are not synching to their iPods/iPhones/&c. at all. When I synch my iPod(s) (80GB video), the iCal calendars show up, but using an older database. That's to say that I change and add and delete events o

  • Mail no longer working properly after update

    Since the recent mail update, my work email (which is run by google) has been a disaster (believe me, that's not hyperbole). Deleted emails, emails with a different person indicated in the inbox but when you open it it's a completely different email

  • Is snow lepoard 10.6.8 compatiable with aol desktop for mac?

    I updated my aol desktop for mac to the 1.7.763 version and Im running snow leopard 10.6.8 on my imac.Im now haveing all kinds of issues useing the aol desktop for mac.Mail wont open and sometimes it does, web pages dont load, freeze ups in the mail

  • Update 2 tables in 1 mapping fails when using DB link

    Hi, We use OWB10 R2. We have a mapping which should update 2 target tables. 1 table is part of the target schema of the mapping, the other table is located on a different database and is updated through a database link. What we encounter is that only

  • Display not working after using external monitor

    I was using my Macbook Air last night to watch via my external monitor displayed to a tv.  After I was done, I put my macbook Air in "Sleep" mode via the external display.  This morning when I startup my Macbook, I have a blank screen.  My suspicians