OSX Server 4 missing open directory

Hi,
Recently updated my Mac Mini to Yosemite then subsequently updated the Server app to 4.0.
After a quick reboot I realized that the Open Directory was disabled.
When I tried to enable the OD, it wants me to create a new OD. No error message was shown.
Any ideas what happened to the existing OD? I have about 50+ users.
Let me know what kinda info is needed. Thanks!
Alwyn


Similar Messages

  • 10.6.8 to Mavericks Server Upgrade loses Open Directory Users

    Hi,
    I have an OpenDirectory Master running OSX Server 10.6.8. An upgrade to Mavericks 10.9 has just failed.
    The server has about 50 OD users and passwords need to be retained across the upgrade. Apart from OD, the only other active service is AFP file sharing.
    DNS is good forward and back as per this article: OS X Server: Steps to take before upgrading or migrating the Open Directory database
    I followed these Apple guidelines for server migration: OS X Server: Upgrade and migration from Lion Server or Snow Leopard Server.
    I cloned the boot drive, booted from the clone, upgraded to Mavericks, then installed the Mavericks Server app.
    On opening the Mavericks Server app, "Configuring services" showed for 5 minutes, but then an error message appeared. I did not record it exactly, but it was something like, "There was an error configuring the server. Certificate not valid!".
    I was able to continue through the error but on opening Server app there were no OD (local/network) users showing. Authentication was not happening.
    I had underestimated the time to get the installation done and I had used up the window of downtime I had booked - I did not have much time to troubleshoot. So, I cut back to the original hard drive and the server is back to 10.6.8 again.
    Can anyone point me in the right direction to find out what may have gone wrong? How can I get my users into 10.9 Server?
    Many thanks,
    b.

    Linc Davis's advice is spot-on, as usual.
    There seem to be dozens of sub-databases in the LDAP database. A problem in any of them seems to derail the entire conversion process. I tried a straight conversion and was also disappointed that there were unresolved issues, and it meant that the conversion failed.
    So I did the export route using Workgroup Manager, and exported four sets:
    Users
    Groups
    Computers
    Computer groups
    Go to the appropriate pane (e.g., Users) and Select All, then choose Export, and give it a name (probably with an embedded date in case you need to do it again later).
    Then use 10.9 Workgroup Manager (available as a separate download) to Import.
    When re-imported, everything worked just fine (except the passwords, which cannot be carried forward using this method). I did have to manually enable at least one service, such as File Sharing service in Server [admin], or users showed up as "not allowed" [to log in].
    This entire process of getting Server 3 to work is fraught with peril, and everything converges on ONE diagnostic, "Network users can't log in". Which means you blew it, but provides no additional information about WHERE you blew it.
    There do not appear to be any magic bullets. It is just a tough slog. Users who reported success after failing the first time reported they returned to fundamental principles and did all the steps over, in order, to attain success.

  • After Updating to Server 4.1 Open directory and LPAD gone

    Hello,
    Two days ago I discovered that Open Directory was not working on our server (Mac Mini 2012). I suspect it stopped working after updating to 10.10.3 and OS X Server 4.1. When I try to start Open Directory in the Server app, the Server app prompts: Unable to load Replica List. When I try to recreate my Open Directory server I get: OD Server already exists.
    I get the following log entries:
    LDAP Log
    Apr 11 22:03:02 server.seju.eu slapd[925]: @(#) $OpenLDAP: slapd 2.4.28 (Feb 24 2015 21:45:59) $
      [email protected]:/BinaryCache/OpenLDAP/OpenLDAP-499.32.4~1/Objects/servers/slapd
    Apr 11 22:03:02 server.seju.eu slapd[925]: daemon: SLAP_SOCK_INIT: dtblsize=8192
    Apr 11 22:03:02 server.seju.eu slapd[925]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:server.seju.eu"
    Apr 11 22:03:02 server.seju.eu slapd[925]: slap_add_listener: opened additional listener 'ldaps:///'
    Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): unable to allocate memory for mutex; resize mutex region
    Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_open: database "dc=server,dc=seju,dc=eu" cannot be opened, err 12. Restore from backup!
    Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): txn_checkpoint interface requires an environment configured for the transaction subsystem
    Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": txn_checkpoint failed: Invalid argument (22).
    Apr 11 22:03:02 server.seju.eu slapd[925]: backend_startup_one (type=bdb, suffix="dc=server,dc=seju,dc=eu"): bi_db_open failed! (12)
    Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": alock_close failed
    Apr 11 22:03:02 server.seju.eu slapd[925]: slapd stopped.
    Open Directory Log
    2015-04-11 21:57:10.624284 CEST - AID: 0x0000000000000000 - opendirectoryd (build 382.20.2) launched...
    2015-04-11 21:57:10.752590 CEST - AID: 0x0000000000000000 - Logging level limit changed to 'error'
    2015-04-11 21:57:10.916732 CEST - AID: 0x0000000000000000 - Initialize trigger support
    2015-04-11 21:57:10.951833 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'
    2015-04-11 21:57:10.958469 CEST - AID: 0x0000000000000000 - Module: SystemCache - failed to load persistent state - Input/output error
    2015-04-11 21:57:10.962533 CEST - AID: 0x0000000000000000 - Registered node with name '/Active Directory' as hidden
    2015-04-11 21:57:10.962833 CEST - AID: 0x0000000000000000 - Registered node with name '/Configure' as hidden
    2015-04-11 21:57:10.963182 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'
    2015-04-11 21:57:10.963194 CEST - AID: 0x0000000000000000 - Registered node with name '/Contacts'
    2015-04-11 21:57:10.963438 CEST - AID: 0x0000000000000000 - Registered node with name '/LDAPv3' as hidden
    2015-04-11 21:57:10.966901 CEST - AID: 0x0000000000000000 - Registered node with name '/Local' as hidden
    2015-04-11 21:57:10.968600 CEST - AID: 0x0000000000000000 - Registered node with name '/NIS' as hidden
    2015-04-11 21:57:11.031990 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'
    2015-04-11 21:57:11.032007 CEST - AID: 0x0000000000000000 - Registered node with name '/Search'
    2015-04-11 21:57:12.343838 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/LDAPv3/127.0.0.1' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/127.0.0.1.plist'
    2015-04-11 21:57:12.343888 CEST - AID: 0x0000000000000000 - Registered subnode with name '/LDAPv3/127.0.0.1'
    2015-04-11 21:57:13.549377 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'
    2015-04-11 21:57:13.551131 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'
    2015-04-11 21:57:13.554053 CEST - AID: 0x0000000000000000 - '/Search' has registered, loading additional services
    2015-04-11 21:57:13.554064 CEST - AID: 0x0000000000000000 - Initialize augmentation support
    2015-04-11 21:57:13.557920 CEST - AID: 0x0000000000000000 - Successfully registered for Kernel identity service requests
    2015-04-11 21:57:13.557940 CEST - AID: 0x0000000000000000 - Adjusting kernel ID cache (100 -> 250) and membership cache (100 -> 500)
    2015-04-11 21:57:13.575235 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'
    2015-04-11 21:57:13.578418 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'
    2015-04-11 21:57:13.583810 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleID.bundle'
    2015-04-11 21:57:13.615788 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'
    2015-04-11 21:57:13.619666 CEST - AID: 0x0000000000000000 - Registered subnode with name '/Local/Default'
    2015-04-11 21:57:13.632498 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
    2015-04-11 21:57:13.845588 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientLDAP.bundle'
    2015-04-11 21:57:13.849664 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientPWS.bundle'

    I had a similar problem. A couple days after upgrading, I encountered OD's "Unable to load replica" problem and had my server's certificate deleted from my system keychain!
    Server.app + OD + LDAP are all extremely fragile and I just don't trust them during transitions, so I always keep an independent bootable backup with Carbon Copy Cloner and this preflight script. I'll post my notes for recovering OD below, but in my case, nothing worked this time, and I couldn't start OD robustly across reboots. Fortunately for me, my 12 hour old bootable backup was working, so I just used CCC to copy my bootable backup back. Not sure what I would have done had that not worked short of rebuilding everything from scratch.
    Pre-steps:
    0. Bootable backups, Time Machine backups, and dirserv backups of everything.
    1. Disk Utility: Fix disk permissions, Fix disk
    2. PRAM reset, Command-Option-P-R at boot
    3. DiskWarrior to rebuild the disk directory
    Possible steps to fix OD:
    # Fix Open Directory "Unable to load replica"
    # Try this first:
    # https://support.apple.com/en-us/HT200018
    # Quit Server.app
    sudo mkdir /var/db/openldap/migration/
    sudo touch /var/db/openldap/migration/.rekerberize
    sudo killall PasswordService
    # Open Server.app
    # Try this second:
    # http://apple.stackexchange.com/questions/79141/how-to-fix-failing-open-directory-database-cn-authdata-cannot-be-opened-err
    sudo serveradmin stop dirserv
    sudo launchctl unload -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
    sudo db_recover -h /var/db/openldap/authdata/
    sudo /usr/libexec/slapd -Tt
    sudo launchctl load -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
    sudo serveradmin start dirserv
    # Try this third:
    # https://discussions.apple.com/thread/6018956
    sudo serveradmin stop dirserv
    sudo slapconfig -restoredb /private/var/backups/ServerBackup_OpenDirectoryMaster.sparseimage
    sudo serveradmin start dirserv
    # Try this fourth (assuming ccc_preflight od backup):
    # https://discussions.apple.com/thread/6018956
    sudo serveradmin stop dirserv
    sudo slapconfig -restoredb /private/var/backups/odbackup/od_2015-04-11.sparseimage
    sudo serveradmin start dirserv
    # Try this last:
    sudo rsync -va /your-backup-drive-possibly-TM/private/var/db/openldap/authdata/ /private/var/db/openldap/authdata/
    If your server cert gets deleted from the System keychain, you'll need to boot into the bootable backup and export the certificate+key that looks like hostname.domainname.tld, signed by IntermediateCA_HOSTNAME.DOMAINNAME.TLD_1, copy this to the server drive, import back into the System keychain. The cert should then appear within Server.app again. See here for how to do this if all you have is the System keychain file.
    If anyone has reliable advice how to fix a corrupt OD that would be a huge help.
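    A log-triage helper, added here as an example and not code from either post, that parses slapd and opendirectoryd lines like the ones quoted above, matches them against the failure signatures this thread shows, and names the recovery step the thread applied for the most urgent one. The sample lines are copied from the post's logs plus one constructed Server.app alert; the signature table, priorities and advice strings are my assumptions.

```python
"""Triage slapd / opendirectoryd log lines for the Open Directory startup
failures seen in this thread. Added example; the signature table is an
assumption that maps each failure to the step the thread used for it."""
import re

# "Apr 11 22:03:02 server.seju.eu slapd[925]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "2015-04-11 21:57:10.958469 CEST - AID: 0x0000000000000000 - <message>"
OD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<tz>\S+) - AID: "
    r"(?P<aid>0x[0-9a-fA-F]+) - (?P<msg>.*)$")

# (name, priority, pattern, advice); priority 1 is the most urgent.
SIGNATURES = [
    ("bdb_open_failed", 1,
     re.compile(r'bdb_db_open: database "(?P<suffix>[^"]+)" cannot be opened, err (?P<err>\d+)'),
     "BDB back end will not open: run db_recover on the database directory and "
     "slapd -Tt, or restore the last Open Directory backup image with slapconfig -restoredb"),
    ("bdb_mutex_region", 2,
     re.compile(r"unable to allocate memory for mutex; resize mutex region"),
     "BDB environment is inconsistent: run db_recover before restarting slapd"),
    ("replica_list", 3,
     re.compile(r"Unable to load [Rr]eplica"),
     "Server.app cannot read the replica list: create the .rekerberize marker, "
     "then killall PasswordService and reopen Server.app"),
    ("systemcache_state", 4,
     re.compile(r"Module: SystemCache - failed to load persistent state - (?P<reason>.+)$"),
     "opendirectoryd cache state is unreadable: check the disk before touching the LDAP database"),
    ("slapd_stopped", 5,
     re.compile(r"^slapd stopped\.$"),
     "slapd exited during startup: look at the back-end error logged just before it"),
]


def parse_line(line):
    """Return (source, fields) for a slapd syslog line, an opendirectoryd
    line, or any other text (treated as a free-form message)."""
    m = SYSLOG_RE.match(line)
    if m:
        return "slapd", m.groupdict()
    m = OD_RE.match(line)
    if m:
        return "opendirectoryd", m.groupdict()
    return "other", {"ts": None, "msg": line}


def triage(lines):
    """Match every line against SIGNATURES; return one finding per matched line."""
    findings = []
    for raw in lines:
        source, fields = parse_line(raw.strip())
        for name, priority, pattern, advice in SIGNATURES:
            m = pattern.search(fields["msg"])
            if m:
                findings.append({"source": source, "timestamp": fields["ts"],
                                 "signature": name, "priority": priority,
                                 "details": m.groupdict(), "advice": advice})
                break  # first (most specific) signature wins for a line
    return findings


def recommended_action(findings):
    """Advice for the highest-priority finding, or None when nothing matched."""
    if not findings:
        return None
    return min(findings, key=lambda f: f["priority"])["advice"]


# Constructed sample: lines copied from the post's LDAP and OD logs, plus
# the Server.app alert the poster quoted, as it would appear in a note.
SAMPLE_LOG = [
    "Apr 11 22:03:02 server.seju.eu slapd[925]: @(#) $OpenLDAP: slapd 2.4.28 (Feb 24 2015 21:45:59) $",
    "Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): unable to allocate memory for mutex; resize mutex region",
    'Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_open: database "dc=server,dc=seju,dc=eu" cannot be opened, err 12. Restore from backup!',
    "Apr 11 22:03:02 server.seju.eu slapd[925]: slapd stopped.",
    "2015-04-11 21:57:10.958469 CEST - AID: 0x0000000000000000 - Module: SystemCache - failed to load persistent state - Input/output error",
    "2015-04-11 21:57:10.963194 CEST - AID: 0x0000000000000000 - Registered node with name '/Contacts'",
    "Server.app: Unable to load Replica List",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['priority']}] {f['source']:<15} {f['signature']:<18} {f['details']}")
    print("Recommended first step:", recommended_action(triage(SAMPLE_LOG)))
```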

  • OS X Server 10.6 bound to Active directory, serve that as Open Directory

    I have an OS X Server 10.6 bound to an Active Directory. I can log in to the AFP file server with an AD account.
    Now, I'd like the clients to be connected to Open Directory from the OS X Server and authenticate to the AD.
    Is this possible?
    I'd like to be able to use network home folders etc. that reside on the OS X Server.

    Yes.
    You are working in the right order. Now that you are bound to AD, simply promote the Mac server to OD Master. This will enable the LDAP server. You will likely note that the Kerberos KDC will not be running. This is proper, because the AD server is the KDC.
    Once this is done, you can now create OD groups and add AD users or groups so that you can manage those groups.
    Now, the trick is, you will need to go back to all the workstations and bind them to OS X as well as AD. This will allow the Mac clients to use AD for user authentication and authorization but then use OD for group management policy.
    Hope this helps

  • How to turn off Open Directory in OS X Server 10.8.2

    I am configuring a MacPro with ML Server 10.8.2 for internal-only use.  I have DNS working on it (with the annoyance that it goes out of its way to break wildcard host names, and it doesn't know how to properly create the zone files to allow a secondary DNS server to do reverse-name-lookups properly).  I have only 2 users (admin and Time Machine), Time Machine is working for client Macs using the Time Machine user account, and File Sharing is working (using either account), sharing a RAID of internal drives and a pair of USB-attached external drives.
    I briefly turned on Open Directory, just to see if I wanted or needed to go that route.  I entered an Open Directory admin (diradmin) with a password.  Looked around the options and decided I did NOT need to use Open Directory just to get the Time Machine stuff working, and I was right.
    However, now the Server App shows Open Directory is "On."  When I go to that tab, I get a message stating that there was an error reading the settings file for Open Directory services.  I click it "Off" but it refuses to turn off.  When I come back to the tab, I get a pop-up window with a message about an error reading the settings and the Off/On switch moves back to "On" and the green light never goes off next to Open Directory in the list of services.
    I've rebooted the machine and after the reboot, sometimes, it appears as if I can add/delete/modify Users and Groups.  Other times, after the reboot, the +/- buttons are greyed out and I cannot add/edit/modify Users and Groups.  I have not yet tried to add/delete/modify users yet because I'm leery of trusting the server with this error message.
    Can anyone help me to remove anything and everything related to Open Directory so that it is "off" as if I never ever turned it on?  Or any suggestions on how to fix this short of a reinstall?
    Can I download and install the Server app on a different machine and then just copy the Server app over to this machine?  Will that zero out the Open Directory stuff that I'm trying to get rid of?
    Thanks in advance.

    I think I solved my problem by running the following command:
    sudo slapconfig -destroyldapserver diradmin
    diradmin is the name of the Open Directory admin account I created.
    The Open Directory Service now appears "off" and no longer has the green dot next to it in the list of services.
    Obviously, NOT a good solution to someone who was actively using Open Directory as this appears to have deleted all the data associated with Open Directory.
    Users and Groups now allow me to add/delete/modify.
    Sad to see an Apple product have such issues.

  • Unable to set Open Directory master on brand new server

    I have a brand new Mac Mini server running 10.6.2 which I am unable to set as an OD master, receiving the error "There was a configuration error when configuring your server as an Open Directory Master. See the Configuration Log for more information about the failure."
    The log reads as follows...
    2010-01-10 10:34:31 +1100 - slapconfig -createldapmasterandadmin
    2010-01-10 10:34:31 +1100 - Creating password server slot
    2010-01-10 10:34:31 +1100 - command: /usr/sbin/mkpassdb -a -u diradmin -p -q
    2010-01-10 10:34:32 +1100 - command: /usr/sbin/mkpassdb -a -u root -p -q
    2010-01-10 10:34:32 +1100 - command: /usr/sbin/mkpassdb -a -u paisleypark.local$ -p -q
    2010-01-10 10:34:32 +1100 - command: /usr/sbin/mkpassdb -setcomputeraccount 0x4b4912886b8b45670000001b0000001b
    2010-01-10 10:34:32 +1100 - Setting SASL realm to <OpenDirectory.pIxrV9>
    2010-01-10 10:34:32 +1100 - command: /usr/sbin/mkpassdb -setrealm OpenDirectory.pIxrV9
    2010-01-10 10:34:32 +1100 - Copied file from /etc/openldap/slapd.conf to /etc/openldap/slapd.conf.backup.
    2010-01-10 10:34:34 +1100 - command: /usr/bin/net getlocalsid
    2010-01-10 10:34:34 +1100 - Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
    2010-01-10 10:34:34 +1100 - Starting LDAP server (slapd)
    2010-01-10 10:34:54 +1100 - Error: The slapd process did not start.
    2010-01-10 10:34:54 +1100 - Stopping LDAP server (slapd)
    2010-01-10 10:34:54 +1100 - Removed file at path /var/run/slapconfig.lock.
    ... but I am unable to locate any reference to the specific error in these forums or via my friendly neighbourhood Google.
    Any ideas greatly appreciated.

    Well, like I mentioned, if DNS is not properly configured, all bets are off. And again, if you start services before making it an OD master, you could be asking for trouble. You may be able to fix the installation, but I'd seriously consider starting over.
    You might be able to fix what you have well enough to make it work, but what happens in 6 months when it gets flaky about something? You may end up wondering if there was something wrong to begin with.
    So yes, I'd start over.

  • Please advise: Mac server and OS X Server for Open Directory?

    I have plans to create an Open Directory server. Please advise what kind of computer I can use for Mac OS X Server,
    and which Mac OS X Server version number to use?

    Technically, any Mac model capable of running Mavericks (10.9.x) can be used as a Mac OS X Server system running Open Directory. That's the least of your problems, but there's not enough data in your post to tell if that's enough.
    There's a world of difference between running a home server with half a dozen accounts and a 10,000 user enterprise with network accounts, network home directories, etc., etc.
    You may or may not need to consider availability (e.g. run multiple Open Directory servers to manage load/failure, etc.) - a small home network might not care, and enterprise would.

  • DNS conflict when running Open Directory Master inside of Windows network

    We installed Snow Leopard Server as an Open Directory Master in a building that already has a Windows Primary Domain Controller. The intent was to create a Mac network inside of the building with their own services. The Mac server does not pull LDAP/Kerberos/etc. from the Windows server and the Mac clients do not use the Windows server for any other services.
    Everything (Final Cut Server, Open Directory, DNS, File Sharing) worked fine for a day. The next day, all of the windows machines were getting DNS conflict messages on their screens every 15 minutes. After shutting down the Snow Leopard Server, the Windows machines are back to normal.
    Ideas?
    Thanks!

    Hi
    Is it possible the Windows administrators have added your server as a DNS server in their DHCP service for some reason unknown to you? Or possibly you've chosen an IP address that is listed as a DNS server in their DHCP service?
    If you launch Terminal from a client Mac and issue the host command for the server's IP address, what's the result?
    "we understood the Mac server has to be hosting DNS in order for Open Directory to function"
    DNS does not have to be running on the Server itself for any of the Services in OSX Server to function. Just as long as it can resolve itself on both pointers is all that matters. If it was the only server on the network then yes configure the Service. If there already is an existing and mature DNS Service then it makes sense to use it.
    Tony

  • How to transfer user accounts from Active Directory to Open Directory

    Please help me, I want to transfer user accounts from Active Directory (Windows Server 2012) to Open Directory (OS X Server 10..2.9).

    Hi,
    Go to the advanced administration for the OSX Server:
    https://help.apple.com/advancedserveradmin/mac/3.1/#apd6D7FE39D-32AA-400C-91E1-50ABC15655C8
    This pretty easy way of connecting your server to the Windows server should give AD users access to OD services. That will be a good start.
    Read up on this as well:
    http://support.apple.com/kb/PH15469
    Do you want to import them all or just the Mac users?
    Good luck!
    Jeffrey

  • OSX server "sharing" problem

    G4   Mac OS X (10.4.6)   OS x 10.4.6 server with network of 9 clients
    Since upgrading to Server 10.4.6, I cannot get any access to "sharing" in Workgroup Manager. The sharing icon is greyed out all the time. Am I missing something obvious? Or is this a bug in the system?
    Also in server admin, the open directory page now shows "Not Available" for System version, Server version, Computer name, Local hostname etc. It used to give all that info every time I opened the Server Admin window.
    Any ideas? Thanks

    If you are trying to solve a server question, you should post your question under the "Server" discussions forum. This is the iMac G5 forum

  • Exception in servermgr_accounts when creating open directory master...

    Just to give you some background, I'm new to Mac OS X Server. And I'm trying to get a mail/iCal/web server with "Open Directory" set up. The server is placed in a remote location, behind a NAT firewall.
    I thought I had everything set up; it took a while to figure out the DNS configs. But I managed to get everything working, and apply the server through a Network Account Server on a client.
    When I wanted to set up some e-mail aliases for my e-mail accounts, I remembered I had seen that in "Server Preferences".
    But when opening "Server Preferences" I got the following message:
    "Multiple errors occurred on the server while processing commands. Use the Console application to view the error messages." I could access everything except Users and Groups; when clicking these it tried to create a new Open Directory.
    The Console App shows this Message:
    2/4/11 1:15:31 AM servermgrd[3725] servermgr_accounts: noteDirectoryNodeAdded (reopening nodes)
    2/4/11 1:15:31 AM servermgrd[3725] * Terminating app due to uncaught exception 'NSUnknownKeyException', reason: '[<NSCFDictionary 0x102021680> valueForUndefinedKey:]: this class is not key value coding-compliant for the key VR.'
    * Call stack at first throw:
    0 CoreFoundation 0x00007fff878fc7b4 __exceptionPreprocess + 180
    1 libobjc.A.dylib 0x00007fff890ce0f3 objcexceptionthrow + 45
    2 CoreFoundation 0x00007fff87954969 -[NSException raise] + 9
    3 Foundation 0x00007fff87e61c92 -[NSObject(NSKeyValueCoding) valueForUndefinedKey:] + 245
    4 Foundation 0x00007fff87d915a8 -[NSObject(NSKeyValueCoding) valueForKey:] + 420
    5 Foundation 0x00007fff87d8d0f6 -[NSDictionary(NSKeyValueCoding) valueForKey:] + 173
    6 servermgr_accounts 0x00000001005799c1 scDynamicStoreNotificationCallback + 25876
    7 servermgr_accounts 0x0000000100579948 scDynamicStoreNotificationCallback + 25755
    8 servermgr_accounts 0x0000000100577648 scDynamicStoreNotificationCallback + 16795
    9 servermgr_accounts 0x0000000100573521 scDynamicStoreNotificationCallback + 116
    10 SystemConfiguration 0x00007fff82273dad rlsPerform + 115
    11 CoreFoundation 0x00007fff87899401 __CFRunLoopDoSources0 + 1361
    12 CoreFoundation 0x00007fff878975f9 __CFRunLoopRun + 873
    13 CoreFoundation 0x00007fff87896dbf CFRunLoopRunSpecific + 575
    14 Foundation 0x00007fff87dc08e4 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 270
    15 Foundation 0x00007fff87dc07c3 -[NSRunLoop(NSRunLoop) run] + 77
    16 servermgrd 0x0000000100003f13 0x0 + 4294983443
    17 servermgrd 0x0000000100001388 0x0 + 4294972296
    18 ??? 0x0000000000000002 0x0 + 2
    2/4/11 1:15:31 AM com.apple.launchd[1] (com.apple.servermgrd[3725]) Job appears to have crashed: Abort trap
    2/4/11 1:15:31 AM com.apple.ReportCrash.Root[3831] 2011-02-04 01:15:31.997 ReportCrash[3831:2a03] Saved crash report for servermgrd[3725] version ??? (???) to /Library/Logs/DiagnosticReports/servermgrd2011-02-04-011531localhost.crash
    2/4/11 1:15:32 AM edu.mit.Kerberos.kadmind[3848] kadmind: starting...
    2/4/11 1:15:33 AM Server Admin[1931] Error '-1' when applying directory role change
    2/4/11 1:15:34 AM com.apple.launchd[1] (edu.mit.Kerberos.kadmind[3848]) Exited with exit code: 2
    2/4/11 1:15:34 AM com.apple.launchd[1] (edu.mit.Kerberos.kadmind) Throttling respawn: Will start in 9 seconds
    2/4/11 1:15:34 AM com.apple.launchd[1] (edu.mit.Kerberos.krb5kdc) Throttling respawn: Will start in 9 seconds
    2/4/11 1:15:43 AM edu.mit.Kerberos.kadmind[3951] kadmind: starting...
    2/4/11 1:15:51 AM com.apple.launchd[1] (com.apple.suhelperd[4009]) Exited with exit code: 2
    I tried resetting the "Open Directory Service" in "Server Admin", by setting it to "standalone directory".
    It did stop the "Open Directory", but the console was again showing the message above.
    With the server in stand-alone mode, I could access "Server Preferences" again, but as soon as I create an "Open Directory" again, it fails with the above error, and I can't access the Open Directory from Server Preferences.
    To summarize, the message shows when:
    1. Creating an Open Directory Master.
    2. Removing an Open Directory Master.
    3. Entering Server Preferences with Open Directory Master running.
    A weird thing is that the "Open Directory" seems to be fine. I can manage it in "Workgroup Manager", log in to webmail, calendars, VPN etc. I just can't manage it from "Server Preferences".
    I did make some mistakes in the beginning (primarily not setting a proper host name before creating the first "Open Directory", and also having a local user with the same short name as a user in the "Open Directory"). But that should all be solved now.
    Any ideas on what could be wrong?
    Where else can I set e-mail aliases for my "Open Directory" users? Is it possible for them to administer aliases themselves?
    Thanks in advance!
    PS. Anyone have any tips on mail forwarding to multiple external accounts? Do I really need to edit this manually in /etc/postfix/aliases? Is there any way I can let my users administer forwarding?

    If anyone else has similar issues, I didn't find a solution. Re-installed the server from scratch...

  • Authentication Delays / Slow Authentication for Open Directory Users

    I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
    The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
    * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
    * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
    * On a remote computer, sharing the screen using an Open Directory user takes several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
    * Connecting with AFP takes several seconds when using an Open Directory login
    * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
    * Connecting with SSH does NOT exhibit the behavior
    In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
    The history of the problem:
    Used Tiger Server for over a year = no problems
    Clean install of Leopard Server 10.5.0 back in October = no problems
    Update to Leopard Server 10.5.1 = no problems
    Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
    So in desperation I backed up and did a clean install today. Here's the process I used:
    0. Erase the disk
    1. Install Leopard Server 10.5.0 from the install DVD
    2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
    3. Reboot
    4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
    5. Reboot
    6. Configure DNS (see below for detailed configuration)
    7. Reboot
    8. Change role to Open Directory Master
    9. Reboot
    ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
    I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
    == Basic Configuration ==
    OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
    Services Enabled:
    DNS
    Open Directory
    (All other services are not yet enabled)
    == DNS Setup ==
    Primary Zone: mydomain.private.
    Allows zone transfer: no
    Nameservers: ns.mydomain.private.
    myserver (Machine) 10.0.22.201
    ns (Alias) myserver.mydomain.private.
    Reverse Zone: 22.0.10.in-addr.arpa.
    10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
    Accept recursive queries from the following networks:
    localnets
    Forwarder IP Addresses:
    208.67.222.222
    208.67.220.220
    == Open Directory Setup ==
    Role: Open Directory Master
    LDAP Search Base: dc=myserver,dc=mydomain,dc=private
    Kerberos Realm: myserver.mydomain.private
    == Network Configuration ==
    Configure: Manually
    IP Address: 10.0.22.201
    Subnet Mask: 255.255.255.0
    Router: 10.0.22.1
    DNS Server: 127.0.0.1
    Search Domains: mydomain.private
    == Other Stuff ==
    Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
    I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
    I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
    Hopefully one of the gurus out there will be able to help me out.
    Thanks,
    jeff

    I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below), but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principals in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
    == kdc.log ==
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    == slapd.log ==
    Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
    Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
    == sudo klist -k ==
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]

  • When I join a Mac client to the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?

    When I join a Mac client to the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?
    I don't want everyone to be able to join a Mac client to the Open Directory without authentication.
    I want it to ask me for the diradmin account when joining a Mac OS X client to the Open Directory domain of Lion Server.
    I have set up a magic triangle.
    Thanks

    Malik-O wrote:
    When I join a Mac client to the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?
    I don't want everyone to be able to join a Mac client to the Open Directory without authentication.
    1 ) I want it to ask me for the diradmin account when joining a Mac OS X client to the Open Directory domain of Lion Server.
    Authentication (with open directory admin username & password) is off by default. In Mountain Lion there is no longer a GUI to manage that and some of the other binding options. In Lion, I think you could use Server Admin (or was it Workgroup Manager) -- I can't remember, but there were little checkboxes.
    To make authentication mandatory in Mountain Lion, you can use this on the Server:
    sudo slapconfig -setmacosxodpolicy -binding required
    Use the following to check the binding policies:
    slapconfig -getmacosxodpolicy
    You might want to check the slapconfig man page, you'll find some of the other options that were in Server Admin in Lion, e.g. disable cleartext, block man-in-middle, etc.
    Edit: I just saw you're still using Lion Server, not Mountain Lion. I'm pretty sure the above commands will work on Lion Server as well.

  • Unable to set up Kerberos when creating Open Directory Master-beginner!

    I'm trying to promote a standalone server to an Open Directory master.
    In the Kerberos section I am typing my FQDN into the Realm field
    which is studioserver.example.com.
    However the searchbase is already filled with dc=studioserver,dc=local
    I've tried every different permutation but when I save the settings, the overview shows that Kerberos is stopped and therefore no KDC is created.
    I've used Lookup to confirm that DNS is ok...could this still be the problem?
    Any help much appreciated.

    Hi
    If DNS is configured correctly then the Kerberos Realm and search base fields will both be filled in automatically. The only difficult thing you have to do is decide on the Directory Administrator name and password and click OK.
    The only way out of this is to demote back to Standalone. This will trash the LDAP configuration and database effectively allowing you to start again. Export any users and groups first. Home folders (if you have created any) will not be affected.
    Go back and stop the DNS Service and delete the configuration you have in there, stop any other service you have running as well as deleting any configuration that depends on DNS. If you have configured DHCP, stop this and delete the configuration. Restart the server. Start simple file services first, AFP etc and then move onto DNS. Make sure this is resolving correctly. Avoid .local.
    Follow the instructions given in the first thread.
    You could also download the Open Directory Administration Manual from here:
    http://www.apple.com/support/manuals/macosxserver/
    Tony
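A pre-flight check for the advice in this reply, as an added example (not code from the thread or from Apple): it models the forward and reverse zones from the earlier post as in-memory records (constructed) and verifies the things a promotion to Open Directory master depends on, namely that the server's FQDN resolves forward and reverse to itself and is not a `.local` name. It also shows how the Kerberos realm and LDAP search base the GUI pre-fills relate to that FQDN; that derivation (realm = FQDN upper-cased, search base = one `dc=` per label) is an assumption drawn from the values quoted in the thread, not Apple's documented algorithm.

```python
"""Pre-flight DNS check before promoting a server to Open Directory master.

Added example, not code from the thread. The zone data is constructed from
the configuration posted earlier; the realm/search-base derivation is an
assumption based on the values quoted in the thread.
"""
import ipaddress

# Constructed forward zone: name -> (type, value). Names are absolute.
FORWARD = {
    "myserver.mydomain.private.": ("A", "10.0.22.201"),
    "ns.mydomain.private.": ("CNAME", "myserver.mydomain.private."),
}
# Constructed reverse zone: PTR owner name -> target FQDN.
REVERSE = {
    "201.22.0.10.in-addr.arpa.": "myserver.mydomain.private.",
}


def _absolute(name):
    return name if name.endswith(".") else name + "."


def ptr_name(ip):
    """Owner name of the PTR record for ip, e.g. 201.22.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def resolve(forward, name, depth=0):
    """Follow CNAME chains to an address; None if the name does not resolve."""
    if depth > 8:  # guard against CNAME loops
        return None
    record = forward.get(_absolute(name))
    if record is None:
        return None
    rtype, value = record
    if rtype == "CNAME":
        return resolve(forward, value, depth + 1)
    return value


def check_host_dns(forward, reverse, fqdn, ip):
    """Return a list of problems; an empty list means the host is promotable."""
    problems = []
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2:
        problems.append("hostname is not fully qualified")
    if labels[-1].lower() == "local":
        problems.append("hostname ends in .local (mDNS/Bonjour); use a real DNS domain")
    if resolve(forward, fqdn) != ip:
        problems.append(f"forward lookup of {fqdn} does not return {ip}")
    target = reverse.get(ptr_name(ip))
    if target is None or target.rstrip(".").lower() != fqdn.rstrip(".").lower():
        problems.append(f"reverse lookup of {ip} does not return {fqdn}")
    return problems


def derive_realm(fqdn):
    """Kerberos realm as the GUI pre-fills it (assumed: FQDN upper-cased)."""
    return fqdn.rstrip(".").upper()


def derive_search_base(fqdn):
    """LDAP search base as the GUI pre-fills it (assumed: one dc= per label)."""
    return ",".join("dc=" + label for label in fqdn.rstrip(".").split("."))


if __name__ == "__main__":
    for host in ("myserver.mydomain.private", "studioserver.local"):
        print(host, "->", check_host_dns(FORWARD, REVERSE, host, "10.0.22.201") or "ok")
    print(derive_realm("studioserver.example.com"), derive_search_base("studioserver.example.com"))
```

With live DNS the same checks are what `changeip -checkhostname` and `host <name>` / `host <ip>` on a client give you; the point of the script is that all three (forward, reverse, and the name the server calls itself) have to agree before the realm and search base the promotion wizard fills in will be usable.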

  • Possible to convert ordinary accounts to Open Directory accounts?

    This might be a naive question. But I need to set up accounts for users on this Mac Pro configured with Leopard Server and they may need to be Open Directory accounts, i.e. we may decide to create portable accounts for the whole cluster and have them hosted on this server. I won't know for sure until we have fully discussed the intended uses of the machine, which could take some time. So I am wondering if I can just give users ordinary accounts using System Preferences and then convert them at a later date to Open Directory accounts. I tried to do this with the first account I created for myself on the system and found that the name spaces of the two kinds of accounts conflict, and it's especially hard/dangerous to change a short name (is this really true??)
    It would be confusing for users and a headache for me if everyone has two distinct and unrelated accounts. Thanks in advance for any help.

    Hi Liz
    +I do get a warning if I launch Server Preferences: it says "Server Preferences can't be used with advanced configurations of Mac OS X Server." Doesn't that confirm that I chose Advanced?+
    I guess it does?
    I'm thinking you might be getting System Preferences and Server Preferences confused? Your original post was about converting ordinary accounts to Open Directory ones? Provided you've configured the Server as an Open Directory Master, with all that that entails, then you can install a clean OS on your clients. Provided the DHCP Server is handing out the correct information, then after the OS has been installed, at the point the Setup Assistant asks you to create the initial account, you should be given a choice to either create one locally or use one that is from Open Directory. If you choose the latter option then a generic local admin account gets created anyway. This is how it's supposed to work. However you could forego all of this and simply create a secure local admin account. Join the client to the ODM using the well established method. The same result is achieved.
    If you had chosen Standard instead of Advanced a lot of the auto-discovery bit comes into play. To be honest I don't really know although judging by the documentation and what some have posted here this is what happens.
    You might find this useful?
    http://discussions.apple.com/message.jspa?messageID=8940512#8940512
    Tony
