OSX 10.6 server open directory authentication

I was wondering if there are any issues with allowing one user account to authenticate (log in) at the same time on several machines?

This is perfectly OK to do, but remember that it is possible to set an account in Workgroup Manager to only allow a single login at a time. Also, if you log in to the same Network Home Directory (i.e. same account) from more than one machine at the same time, some applications do not allow or cope with two systems trying to access those files at the same time.

Similar Messages

  • OSX server open directory users and logic

    Hi guys,
    Can anyone shed light on this issue? I can't be the first person to encounter it. We have a lab with 10 eMacs, plus an OS X Xserve, which is set up as an Open Directory Master; the students log in to the workstations through the Xserve.
    When they try and run Logic, we get a load of permission errors. I have tried changing the ownership and permissions to read/write for everyone, but it doesn't help. Has anyone got a fix for this problem?

    I am assuming you are not using network home directories here, purely using open directory for logging in right? Logic does not play well over a network, but using OSX server for managing users should NOT affect being able to run logic locally on a machine. If you are using network home directories for users then this WILL be a problem. For example, you will get permission errors when trying to record something.

  • Open Directory authentication question

    I have 2 Apple servers.  One is running 10.6 (server), the other is running 10.5 (server).  I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication.  What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory.  Any ideas?

    mickey13 wrote:
    I have 2 Apple servers.  One is running 10.6 (server), the other is running 10.5 (server).  I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication.  What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory.  Any ideas?
    This should work the same way as normal.
    Define the user accounts in Open Directory as normal via Workgroup Manager
    On the 10.5 Server, set up a share point, usually AFP is used as the protocol, this is done in Server Admin
    On the 10.5 Server, set up that share point to be an Automounted share for user home directories. This will register that share in Open Directory, assuming you have already successfully connected the 10.5 Server to the Open Directory system. This is also done in Server Admin.
    Go back to Workgroup Manager select a user account you want to store on the 10.5 server, click on the Home tab, you should now see the 10.5 share point listed as an available choice for storing home directories.
    Click on the 10.5 share point and save the user account.
    I normally now click on create Home directory, although this happens automatically when a user logs in for the first time.
    It is perfectly ok to mix 10.5 and 10.6 servers in this manner. The client machines can also be a different version e.g. 10.4
    What you are doing above even though you are mixing 10.5 and 10.6 servers, is the same as you would do to spread the workload of user home directories across multiple servers. While handling user home directories does not cause a massive amount of CPU activity (or memory use) it does cause a significant amount of disk activity and therefore at a certain level spreading user accounts across multiple servers is recommended.

  • OS X Server Open Directory Remote Login

    In short, I can't bind a remote machine to authenticate users at the remote location. I can get the machine to initially set up using RFC2307 search and mappings. Once I let that "marinate" for a bit, I can then go in, change the mappings to Open Directory, and all will work. However, that doesn't persist across reboots. The only thing that will persist across reboots is RFC2307 search and mappings. But with only RFC2307, I don't get home directory access. In the above scenario, when I switch it to Open Directory, I can get home directory access. But, again, not feasible if it doesn't persist across reboot.
    It works flawlessly in house / local LAN so far. Although this environment is being built from ground up as we speak. So much testing has yet to be done. This is just one big hurdle that came along.
    I sincerely appreciate any one's help or advice that could point me in the right direction to achieve this goal.
    I should note, I have checked all DNS records and connectivity, but am willing to try anything again.
    Thanks in advance!!!

    Describe for me your network.  When you say remote location, do you mean two physical locations separated by distance that are connected via a VPN tunnel?  or do you mean that you punched some holes in a firewall to attempt to allow the clients to bind to the server?  I am hoping the first option.
    If you have a VPN tunnel between the two locations and DNS is available on both sides of the fence, you likely don't need to define the mappings.  I tend to leave the option set to "from server" and I've never run into any issues. 
    When you are binding, are you using the simple bind via System Preferences or are you using Directory Utility?  Are you performing authenticated binds or unauthenticated binds?
    If you have two locations, Main office 10.0.0.0/24 and Remote office 10.0.10.0/24, make sure that the Remote side is using DNS that resolves to devices in Main. For example, if the server is at 10.0.0.10 and it is the DNS server, then the clients on the 10.0.10.0/24 network should be hitting 10.0.0.10 for name resolution (unless you have replicated DNS to the 10.0.10.0/24 network).
    Since you are building this from scratch, you might want to consider using two OD servers, Master and Replica, placing a replica in the remote office and then using OD Locales to better direct your clients.
    Reid
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • 10.6 Client and 10.7 Server Open Directory

    I've got a Mac Mini running Lion Server. It's configured as an Open Directory Server.
    And I've got some 10.6 Clients running on the same local network.
    All Clients have the Mini Server as DNS Server.
    And now I want to use Network Accounts from the 10.7 Server on the 10.6 Clients.
    I've connected the 10.6 Clients to the Server (without SSL) and all Clients say "Network Accounts available".
    But if I try to log in on the Client it just shakes the login window. I've tried it on all my Clients with different Accounts but nothing worked.
    It just won't work! But why? Can you please help me?
    What am I doing wrong? Or is the combination of 10.6 Clients and 10.7 Server not supported by Open Directory on 10.7 Server?
    Thank you !

    Check your authentication against the server from one of the clients using the following command:
    dscl /LDAPv3/<server name or IP> authonly <shortname of an account that cannot login>
         The server name should be the same name or IP you used when binding your 10.6 client to a 10.7 server.
    If you get the response "Failed to authenticate user <shortname> (tDirStatus: -14103)" you are having the same issue I was having. I found an answer to this, but you are not going to like it.
    Apparently Workgroup Manager and Server.app deal with accounts differently. If you are using Workgroup Manager to import a long list of accounts, don't. Server.app needs to write an additional setting that is not part of Workgroup Manager, or in Passenger it doesn't work correctly with accounts that have home folders that are not local. Here are the steps I used to resolve the issue:
    Export all your accounts and groups
    Using Server Admin, demote your OD to a standalone directory
    Once the demotion is complete, use Server.app to promote your server to an OD Master
    Update: I've not found it to make a difference if you use server.app or Server Admin to configure your Open Directory Master.
    Once the server is again an Open Directory Master, import the users that you exported using Server.app instead of Workgroup Manager.
    If you are importing groups, set the Home Directory by editing the account in Server.app before importing groups to avoid overwriting your group settings. Thankfully, you can select multiple accounts at a time.
    Import your groups using Server.app
    Verify group membership and test the logins. If you test the login using the dscl command from above, you should get no error after entering the password, but as long as you have a bound client, you should be able to log in at this point.
    Hope this reaches you in time to help.

  • Mac OS Server Open Directory Will Not Turn On

    Yesterday I got the server application for Mac OS Mountain Lion.  This is my first time working with apple server software and when I try to turn on Open Directory it says:
    An Error occured on the server while processing a command.
    The error occurred while processing a command of type 'setState' in plug-in 'servermgr_dirserv'.
    I am not sure what is causing this.  I am running the server on a 2010 iMac with Mountain Lion installed and I couldn't find any answers online.  Any help would be much appriciated.
    Edit:  I would be willing to reinstall the server software and reset settings for it if I have to.  (I just don't know how)

    Thanks _Franck_!
    I had to do a few more steps than that and modify the recover command based on info from Case #2 - http://www.iredmail.org/forum/topic3694-iredmail-support-power-cut-ldap-dont-start.html
    1. check if this is the problem
    $ sudo /usr/libexec/slapd -Tt
    >> bdb_db_open: database "cn=authdata": db_open(/var/db/openldap/authdata/id2entry.bdb) failed: Invalid argument (22).
    2. Stop LDAP on OD Master
    $ sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
    3. Repair Permissions
    $ diskutil repairPermissions /
    4. backup openldap db
    $ sudo cp /var/db/openldap/authdata/id2entry.bdb /var/db/openldap/authdata/id2entry.bdb.backup
    5. repair
    $ sudo db_recover -cv -h /var/db/openldap/openldap-data/
    >> Recovery complete at Thu Jun  6 11:01:35 2013
    >> Maximum transaction ID 8000060e Recovery checkpoint [2][6589846]
    6. run repair again to check
    $ sudo db_recover -cv -h /var/db/openldap/openldap-data/
    >> Finding last valid log LSN: file: 2 offset 6589938
    >> Recovery starting from [1][28]
    >> Recovery complete at Thu Jun  6 11:02:32 2013
    >> Maximum transaction ID 8000060e Recovery checkpoint [2][6589938]
    7. double check if things were repaired correctly
    $ sudo /usr/libexec/slapd -Tt
    >> bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    >> config file testing succeeded
    8. restart the service
    $ sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist
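    The check / stop / back up / db_recover / verify / restart sequence above, wrapped in guarded functions as an added example (this is not code from the original post). It only touches the databases when `slapd -Tt` really reports a bdb_db_open failure, and it copies the whole BerkeleyDB environment directory (data files plus its log.* files) rather than a single .bdb file before running db_recover. Assumptions: the paths shown on the page (/var/db/openldap and the org.openldap.slapd launchd job), and that the environment handed to db_recover is the directory named in the slapd -Tt error (the post recovered openldap-data although the error named authdata), so read that line before running.

```shell
#!/bin/sh
# Added example: guarded version of the OD BerkeleyDB recovery procedure.
# Assumed paths: /var/db/openldap and the org.openldap.slapd launchd job, as on the page.

OD_DB_ROOT="${OD_DB_ROOT:-/var/db/openldap}"
SLAPD_PLIST="${SLAPD_PLIST:-/System/Library/LaunchDaemons/org.openldap.slapd.plist}"

# 0 when the given `slapd -Tt` output contains a BerkeleyDB open failure, 1 otherwise.
# The output is passed in as $1 so the check can be exercised without slapd installed.
needs_bdb_recovery() {
    printf '%s\n' "$1" | grep -q 'bdb_db_open: .*db_open(.*) failed:'
}

# Extracts the environment directory from the failing db_open(...) path, e.g.
# 'db_open(/var/db/openldap/authdata/id2entry.bdb) failed' -> /var/db/openldap/authdata
failed_bdb_dir() {
    printf '%s\n' "$1" | sed -n 's/.*db_open(\([^)]*\)\/[^/)]*) failed.*/\1/p' | head -n 1
}

# Copies a BDB environment directory next to itself with a timestamp and prints the copy's path.
backup_bdb_dir() {
    _dest="$1.backup-$(date +%Y%m%d%H%M%S)"
    cp -Rp "$1" "$_dest" && printf '%s\n' "$_dest"
}

# db_recover is run twice, as in the post: the first run repairs, the second must come back clean.
recover_bdb_env() {
    db_recover -cv -h "$1" && db_recover -cv -h "$1"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo 'run as root' >&2; return 1; }
    out=$(/usr/libexec/slapd -Tt 2>&1)
    if ! needs_bdb_recovery "$out"; then
        printf '%s\n' "$out"
        echo 'no bdb_db_open failure reported; not touching the databases' >&2
        return 1
    fi
    envdir=$(failed_bdb_dir "$out")
    [ -d "$envdir" ] || { echo "cannot find the environment directory in: $out" >&2; return 1; }
    launchctl unload "$SLAPD_PLIST"
    backup_bdb_dir "$envdir" || return 1
    recover_bdb_env "$envdir" || { echo 'db_recover failed; slapd left stopped, restore from the backup' >&2; return 1; }
    /usr/libexec/slapd -Tt || { echo 'slapd -Tt still fails; slapd left stopped' >&2; return 1; }
    launchctl load "$SLAPD_PLIST"
}

# Only the explicit "run" argument performs the recovery; sourcing the file just defines the functions.
case "${1:-}" in run) main ;; esac
```

Run it as `sudo sh od_bdb_recover.sh run` on the OD master. If `slapd -Tt` prints anything other than a bdb_db_open failure, the script stops without unloading slapd or touching the databases, which is the case where you want to read the error rather than recover.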

  • Mac OS 10.8.3 Server Open Directory

    Hi.
    Sorry for my English.
    The problem is that when I set up an "OS X Server Account" on the client, in the email settings I cannot get an address that points to the account's Open Directory properties. For example:
    User - Mark Douglas
    Login - m.duglas
    email - [email protected]
    But whatever I did, I cannot get the client to automatically adjust to the desired result, only "[email protected]"


  • OS X Server + Active Directory Authentication Issue with Wikis

    Hello,
    I recently purchased an Apple XServe with Snow Leopard installed. The purpose of this server is to enable students and teachers to create Wikis and Blogs.
    The majority of my environment is MS, with Active Directory as our LDAP provider.
    I have joined the server to my domain and can add domain accounts to the Wiki creation access list without issue, but whenever I try to log in to the server's web interface with one of those accounts the login screen shakes and prompts for another set of credentials.
    What am I doing wrong? Open Directory seems to be set up properly and has been Kerberized as it requested when I joined the box to the domain.
    Thank you all for your help,
    David
    Message was edited by: DHeath_WJCC

    please ask in the Snow leopard server forum
    http://discussions.apple.com/category.jspa?categoryID=96

  • Mavericks Server Open Directory Configure Network Wizard not displaying

    When setting up the Open Directory master in Mavericks Server I get an empty server list and no drop-down to create a new one. Any ideas on how to force it to display the wizard?

    You might want to try and flush the configuration, reboot, and try again.  Try this command to remove all remnants of an OD master.  All data will be deleted.
    slapconfig -destroyldapserver
    If the wizard still does not display, make sure your DNS is working properly. And as a final attempt, use slapconfig to create an OD Master.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • Initial Open Directory Authentication

    So weird! Have new 10.3 server installed, configured with Open Directory Master. Put in
    custom path based on server IP. Now, can't authenticate to my domain. Instead
    of bringing over the Administrator name & password, getting error messages of
    invalid login info. Stopped in my tracks! Can only access NetInfo domain.
    Have already tried installing the software again, no luck. Help!!!

    If you haven't already reinstalled, here are some things to check:
    • Are all of the OD services running? Check in Server Admin -> Open Directory service in the sidebar -> Overview in the toolbar.
    • Is there anything suspicious in any of the server logs (Server Admin -> Open Directory -> Logs in the toolbar -> choose various logs from the View menu near the bottom of the window)?
    • Are you using Time Machine to back up the server? It apparently shuts down OD services to get a clean backup, and has sometimes had trouble restarting them afterward (although this is supposed to be better in 10.6.5)...

  • Final Cut Server & Active Directory authentication

    Hi all,
    This is an older question that was not answered in the past.
    I have an Xserve with Mac OS X Server 10.5.6, running Final Cut Server 1.1.1 and a Windows 2003 AD server with hundreds of users.
    The issue is FCS is not authenticating against AD even though clients can do it, being bound with Directory Utility without trouble.
    Could somebody tell me if this is a known issue?
    Did somebody make it work?
    Thanks

    Same problem here. We couldn't make it work, that is login to FCS using AD users.
    Don't remember where but I was reading about it in a forum, somebody said that they talk to someone in Apple and they told him this is a problem and that they were going to fix it in the next FCS update/release.
    Hope they do
    PS: Where are you from, nono??

  • IChat Server - Open Directory trouble

    Hello All!
    I have exactly the same problem as stated in this thread: http://discussions.apple.com/thread.jspa?threadID=1373399&tstart=-1 -- I see that there is indeed a problem between OD and the jabber server running (check the source code, it's on Apple's OpenSource page: http://www.opensource.apple.com/darwinsource/Current/ChatServer-263.1/jabberod_auth/appleauthenticate.c)
    The function in question is:
    int odauth_check_servicemembership(const char* userName, const char* service)
    which shouldn't return "No such file or directory".
    regards,
    P

    The only way i got it working is :
    • using a second shortname (the first is not accepted; in my case it contained uppercase and login is done lowercase)
    • not using Kerberos
    • manually adding all colleague clients .. :S
    I did an advanced install.
    Message was edited by: Patrick Savelberg (Private)

  • Open Directory authentication error

    Hi,
    I am trying to create a replica with 10.8 server.
    Steps:
    Create OD on server 1.
    Create Replica on server 2. All works fine
    Restore OD. Replica stops working. I get an error message saying that I cannot authenticate against diradmin on the main OD.
    What is the step to either merge the database or create a new diradmin password? This is driving me nuts!
    Tks

    Get a working master with all your users first.
    Make sure DNS (forward and reverse) is correct from both locations.
    Then add the replica.
    There's a good chance the OD you are restoring has references to an older hostname or IP, this can break your setup.
    Depending on the size of your setup.. it may be less painful not to bother restoring your old OD and just create from users/groups scratch (leaving behind the possibility of bringing in issues related to your previous OD config).
    It's a hassle.. but looking for a needle in a haystack is also.

  • Creating Open Directory Replica fails with Server Admin Error Value 1127

    Hallo,
    I have seen a lot of similar threads here and they were helpful up to a certain point, but in the end, they did not solve my problem.
    Currently, it comes down to this. The Server Admin error message is really meaningless and I could not find a single hit for the error value on the whole wide web. As such, I switched to the command line versions of the tools involved to get more meaningful results. It worked. Specifically, creating a replica of an OpenLDAP master means using slapconfig.
    When executing
    slapconfig -createreplica master.ourdomain.com diradmin
    as root on the prospective replica machine, I get the following error message:
    ssh command failed with status 127
    That command is not allowed with the root account via public key authentication.
    That makes perfect sense to me, but how is it meant to work then?
    Executing slapconfig as admin tells me that this tool is to be executed as root. On the other hand, root login via ssh is not allowed in Mac OS X by default, which seems fine to me. I even changed /etc/sshd_config on the Open Directory Master machine to "PermitRootLogin yes". However, neither reloading ssh using launchctl nor restarting the whole server made this setting operational. Trying to log in from the command line as root still tells me:
    root login is not permitted to this machine via public key authentication.
    While this is the current state where I need help urgently, I changed some other things before. I tell about them to exclude these issues as a possible reason for the failure. I got this message for quite a while:
    Replica Setup failed : This machine does not have a valid computer name
    I was sure this machine meant the target machine, the Open Directory master, because the domain had changed there once before I had taken over responsibility as an admin in this environment. And in fact, changeip disguised an issue there. The command proposed by changeip to fix the situation did not seem appropriate because this machine is multihomed with a public and a private IP address. Proper name resolution is available for both interfaces including reverse lookup. I don't like this setup, but it was the only way to get the mail service running smoothly. Running changeip on the machine itself using these arguments
    changeip /LDAPv3/127.0.0.1 internalIP internalIP old.ours.com current.ours.com
    reported success in updating password server, open directory, both interfaces, hostconfig (which in fact did not change) and samba. It reported an issue with kadmin which is related to Kerberos (we dont use Kerberos yet).
    Changing the hostname of the server using changeip did not solve the issue. I then found the hint to check with scutil. This showed that the HostName was not set on the prospective replica machine. (A question aside: in how many places is the hostname stored? The traditional /etc/hostname has gone, but seems to be replaced with several other configuration files and databases. I can't see this as an advantage.) Setting the hostname using scutil worked fine. However, it did not solve the problem either. At least, slapconfig now started to complain about not being able to log in as root instead of failing from the start.
    I also checked all log files on both machines that might have to do with OpenLDAP, as there are /var/log/slapd.log, /var/log/system.log and /Library/Logs/slapconfig.log. I also checked the log of the layer on top of OpenLDAP which is /Library/Logs/DirectoryService.server.log. None of them revealed anything noticeable besides a lot of entries that I have googled in the last few hours and which all don't seem to be associated with the problem in question.
    I will take a break now, but I have to fix this until tomorrow and I hope to get the ultimate hint from you, dear reader.
    Thanks and bye, Christian Völker

    ssh command failed with status 127
    That command is not allowed with the root account via public key authentication.
    Initial OD replication takes place via 'ssh'. If you have 'sshd' configured on the OD Master to authenticate with public keys then the OD replica will not be able to communicate with the OD Master via 'ssh'. You must configure the OD Master to use 'ssh' with password authentication and root login enabled.
    Demote the replica back to standalone. Stop any services that you may have running on the primary network interface. Then stop any services that you may have running on the secondary network interface. In the 'Network' System Prefpane remove the IP number from the secondary interface then deactivate the secondary network interface.
    Assign the private IP address and hostname that you wish to use for the replica to the primary network interface. Assign the 'public' IP number to the secondary interface. Check the DNS to see that the IP address and hostname for the primary network interface resolve both forward and reverse for the hostname of the replica that you have chosen. If it does not, fix your DNS before proceeding.
    In the 'Sharing' System Prefpane, change the name of the machine to the hostname (server.domain.tld) of the replica that you have chosen. Then use 'changeip -checkhostname' to see if the IP/hostname matches. Fix it if it doesn't.
    Then configure the /etc/sshd_config file on the OD master like this:
    # Authentication:
    PermitRootLogin yes
    PasswordAuthentication yes
    PubkeyAuthentication no
    and the /etc/ssh_config file on the OD replica like this:
    PasswordAuthentication yes
    PubkeyAuthentication no
    Then from the OD replica as the 'root' user issue:
    slapconfig -createreplica <ODMasterIPorFQDN> <diradmin user>
    Make sure that the 'diradmin' user's password contains only alpha-numeric characters -no 'option-characters' or symbols, change it first if it does. Once the process completes, reactivate the secondary interface for the 'public' IP and check the configuration of services that will be using that IP, then start your other services. Secure the 'ssh' service on both machines to disable password authentication and 'root' logins.
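    The answer above ends with the step that matters most for security: the master is left with root login and password authentication enabled over ssh until you revert them. The following added example (not code from the original thread) audits the master's sshd_config after the replica exists and reports whether the temporary "PermitRootLogin yes / PasswordAuthentication yes / PubkeyAuthentication no" state has actually been undone. Assumptions: the file lives at /etc/sshd_config as on the page's OS X Server (override with SSHD_CONFIG); effective values follow sshd_config(5), where the first obtained value for a keyword wins and the global section ends at the first Match block; Match blocks are only reported, not evaluated; an unset keyword is treated as weak, because the OpenSSH shipped with those servers defaulted PermitRootLogin and PasswordAuthentication to yes.

```shell
#!/bin/sh
# Added example: post-replication sshd_config audit for the OD master.
# Assumed location of the file is /etc/sshd_config (OS X Server of that era).

SSHD_CONFIG="${SSHD_CONFIG:-/etc/sshd_config}"

# Print the first global value of keyword $2 in file $1 (nothing if unset).
# Keywords are case-insensitive; "Key value" and "Key=value" are both accepted.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            line = $0; gsub(/=/, " ", line); split(line, f)
            k = tolower(f[1]); v = f[2]
        }
        k == "match" { exit }                          # global section ends at the first Match
        k == key     { print v; exit }                 # first obtained value wins, per sshd_config(5)
    ' "$1"
}

# 0 when root logins and every form of password authentication are off; 1 otherwise.
# ChallengeResponseAuthentication is included because keyboard-interactive through PAM
# still accepts the account password even when PasswordAuthentication is no.
sshd_is_hardened() {
    _root=$(sshd_effective "$1" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    _pass=$(sshd_effective "$1" PasswordAuthentication | tr '[:upper:]' '[:lower:]')
    _cra=$(sshd_effective "$1" ChallengeResponseAuthentication | tr '[:upper:]' '[:lower:]')
    case "$_root" in no|prohibit-password|without-password) ;; *) return 1 ;; esac
    [ "$_pass" = no ] && [ "$_cra" = no ]
}

# Human-readable report for file $1; exit status mirrors sshd_is_hardened.
sshd_audit() {
    for kw in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication PubkeyAuthentication; do
        v=$(sshd_effective "$1" "$kw")
        printf '%-32s %s\n' "$kw" "${v:-(unset: OpenSSH default applies)}"
    done
    grep -iq '^[[:space:]]*match[[:space:]]' "$1" &&
        echo 'note: Match blocks present; their values override the global ones for matching clients'
    if sshd_is_hardened "$1"; then
        echo 'RESULT: hardened (no root login, no password auth)'
    else
        echo 'RESULT: NOT hardened; revert the replica-setup settings' >&2
        return 1
    fi
}

# Only the explicit "audit" argument runs the report; sourcing the file just defines the functions.
case "${1:-}" in audit) sshd_audit "$SSHD_CONFIG" ;; esac
```

Run `sh sshd_audit.sh audit` on the master (and on the replica, whose ssh_config was also loosened) once slapconfig -createreplica has finished; a non-zero exit means the window opened for replication is still open. Restarting sshd after the revert is still needed, since the audit only reads the file.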

  • Open directory in mavericks server.

    Setting up mavericks server - open directory displays error " server was successfully configured as a directory server but an error occurred" I have tried everything. Can anyone help ?

    Does the server show up in the Server list as (Master)? If so, delete it, make absolutely sure your DNS is set up, and try again.
    Even though I have a fully qualified domain name, SERVER.DOMAIN.COM, and my reverse lookup set with my ISP (if I do a lookup for the IP of my server it returns server.domain.com), I found Open Directory was much happier if I used the DNS server on the Server itself.
    In Server DNS I created a Primary Zone for my domain, domain.com. Then a Machine A Record for server.domain.com. It automatically made a nameserver record of server.domain.com and the Reverse Zone and server mapping for reverse lookup. Then set it to perform lookups for this server only. Then set 127.0.0.1 as the first DNS server in System Network Settings before any ISP DNS servers. Then for good measure also entered my ISP's DNS servers as forwarding servers. Then set up Open Directory with the correct domain with no errors.
