Public Domain Open Directory Help

We are trying to bind network computers to our OS X Server (3.1.2) open directory and it works correctly when we type in server.local (it also automatically fills in server.local). However, we are looking to be able to bind computers when they aren't in the local network and use a full public domain. When we try to bind to the public domain, it gives us the error,
"Connection failed to the directory server.
(2100)"
Any help would be appreciated.

Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
1. The OD master must have a static IP address on the local network, not a dynamic address.
2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
4. Follow these instructions to rebuild the Kerberos configuration on the master.
5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.
6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
7. Reboot the master and the clients.
8. Don't log in to the server with a network user's account.
9. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.

Similar Messages

  • When I integrate a Mac client into the domain's Open Directory, it doesn't ask me for the DirAdmin account. Why?

    When I integrate a Mac client into the domain's Open Directory, it doesn't ask me for the DirAdmin account. Why?
    I don't want everybody to be able to integrate a Mac client into the Open Directory without authentication.
    I want it to ask me for the diradmin account when integrating a Mac OS X client into the Open Directory domain of Lion Server.
    I have made a magic triangle.
    Thanks

    Malik-O wrote:
    When I integrate a Mac client into the domain's Open Directory, it doesn't ask me for the DirAdmin account. Why?
    I don't want everybody to be able to integrate a Mac client into the Open Directory without authentication.
    1) I want it to ask me for the diradmin account when integrating a Mac OS X client into the Open Directory domain of Lion Server.
    Authentication (with Open Directory admin username & password) is off by default. In Mountain Lion there is no longer a GUI to manage that and some of the other binding options. In Lion, I think you could use Server Admin (or was it Workgroup Manager) -- I can't remember, but there were little checkboxes.
    To make authentication mandatory in Mountain Lion, you can use this on the Server:
    sudo slapconfig -setmacosxodpolicy -binding required
    Use the following to check the binding policies:
    slapconfig -getmacosxodpolicy
    You might want to check the slapconfig man page; you'll find some of the other options that were in Server Admin in Lion, e.g. disable cleartext, block man-in-the-middle, etc.
    Edit: I just saw you're still using Lion Server, not Mountain Lion. I'm pretty sure the above commands will work on Lion Server as well.

  • Sims 2 - Crashes when iMac part of an open directory domain

    Having a weird issue with running The Sims 2 on my kids' machines.
    Some background: we have an aluminum Intel iMac and an Intel Mac Mini, both running Leopard 10.5.6, which are connected to an old G4 DP800 running Leopard Server 10.5.6. When I installed The Sims 2 on the iMac or the Mac Mini it crashes almost immediately when you try to run it. Got onto Aspyr, went back and forward with them and they couldn't replicate the issue.
    Eventually I tried installing a fresh copy of Leopard 10.5.6 on an external USB drive and booting off that. It worked.
    Now for the fun part. Having been able to run The Sims 2 successfully from this vanilla USB install of 10.5.6, I then tried adding this back into the Open Directory domain, still running from the USB drive. All I did was add the machine back into the Open Directory domain; I didn't reboot, I didn't log out and back in again. All I did was open Directory Utility, add the machine to the Open Directory domain and then re-run The Sims 2, and, you guessed it, it was crashing again.
    Just in case I did anything wrong, I repeated the whole process, and found this is repeatable: as soon as I add the machine back into the Open Directory, The Sims 2 crashes.
    The attitude from Aspyr when I related all of this to them was that I had a "non standard" setup.
    It's a real pain having to keep a vanilla 10.5.6 install and having to reboot each time to run this game. Does anyone have any ideas or suggestions on this?
    TIA
    Dave

    So I finally got it to work.
    The Mavericks set up DNS assistant seems to add your local domain into the FQDN so you end up getting 'macsvr.domain.domain.com'
    I uninstalled server, removed the /Library/Server folder also Server.app and two files in /Library/Preferences. Serverd.plist and servermgrd.plist.
    I restarted server and let it do a first run, I set up my host name asking to set up DNS.
    I then went into DNS, deactivated it and edited the domain. I then added NS and machine records, reverse lookups and finally made sure the FQDN was in the correct zone. I repeated this for the intended replica and created my OD replica on first run.
    Check everything is good by using terminal, using the cmd: nslookup <ip address> for both master and replica, then: nslookup <FQDN> then: host <ip address>
    This should resolve both OD master and OD replica IP and hostname
    Hope this helps anyone else stuck on the set up. 
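The naming rules from the nine-step checklist at the top of the page (a hostname of at least three labels, never in the Bonjour-only .local domain) and the nslookup/host round trip this reply recommends are the checks that fail most often before a bind or replica attempt. The POSIX shell script below is an added example, not code from either reply; it encodes the naming rule as a pure function, derives the in-addr.arpa name a reverse zone must contain, and runs the forward and reverse lookups and compares them. The hostnames and addresses in the usage line are placeholders.

```shell
#!/bin/sh
# od_dns_preflight.sh (added example, not from the thread)
# Checks the naming rules an Open Directory master or replica must satisfy
# before binding: a hostname with at least three labels that is not under
# the Bonjour-only ".local" TLD, and forward/reverse DNS that agree.

# od_fqdn_ok FQDN -> exit 0 if the name is acceptable for an OD master
od_fqdn_ok() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    name=${name%.}                      # tolerate a trailing dot
    case "$name" in
        ''|.*|*..*) return 1 ;;         # empty or malformed
        *.local)    return 1 ;;         # Bonjour/mDNS only, never for OD
    esac
    labels=$(printf '%s' "$name" | awk -F. '{ print NF }')
    [ "$labels" -ge 3 ]                 # e.g. server.yourdomain.com
}

# ptr_name IPv4 -> the in-addr.arpa name the reverse zone must contain
ptr_name() {
    printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# check_pair FQDN IPv4 -> runs the forward and reverse lookups the reply
# recommends (host FQDN / host IP) and fails unless they round-trip.
# Needs a resolver, so it is not exercised offline.
check_pair() {
    fqdn=$1; ip=$2
    od_fqdn_ok "$fqdn" || { echo "BAD NAME: $fqdn"; return 1; }
    command -v host >/dev/null 2>&1 || { echo "host(1) not found"; return 2; }
    fwd=$(host "$fqdn" 2>/dev/null | awk '/has address/ { print $NF; exit }')
    rev=$(host "$ip" 2>/dev/null | awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }')
    [ "$fwd" = "$ip" ] || { echo "FORWARD MISMATCH: $fqdn -> '$fwd' (want $ip)"; return 1; }
    [ "$rev" = "$fqdn" ] || { echo "REVERSE MISMATCH: $(ptr_name "$ip") -> '$rev' (want $fqdn)"; return 1; }
    echo "OK: $fqdn <-> $ip"
}

# Usage (placeholder names/addresses):
#   ./od_dns_preflight.sh master.example.com 192.168.1.170 replica.example.com 192.168.1.171
# Run it on a client as well as on the server itself, so the resolver the
# clients actually use (the one handed out by DHCP) is what gets tested.
if [ "$#" -ge 2 ]; then
    rc=0
    while [ "$#" -ge 2 ]; do
        check_pair "$1" "$2" || rc=1
        shift 2
    done
    exit "$rc"
fi
```

Running the script from a client rather than only from the server is the point: the checklist says the only DNS server on the clients should be the internal one, and a lookup that works on the master with 127.0.0.1 as its resolver can still fail on a client that received a different resolver from DHCP.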

  • Migrate existing users from local domains to Open Directory.

    Here is the environment I'm working with:
    Small local environment (8-10) users. Everyone is on their own laptop, everyone is authenticating to their local directories. Network files are stored on a server, with everyone using a single shared user ID to authenticate and access the files.
    I have just installed a Xserve, and it is now serving DNS, DHCP, NTP, WWW. I want to setup Open Directory in Master mode, create user IDs for everyone, and then assign permissions to the shared files area.
    The one part that I'm not sure how to approach is the local laptops. If user "John Doe" has a local ID "jdoe" that he has been using on his local laptop, how does he migrate over to being "jdoe" in the OD domain, while retaining his "local" home directory and files? The problem I think I'll have is that when I create "jdoe" on the domain, he will have a UID of (say) 10001, but his local UID is 501 (as is the UID of all the other employees, since they are all the first user on each of their respective laptops), so when he logs back into his laptop after it has been attached to the OD domain, I assume that the laptop will see "jdoe" from the OD domain as a new user and create a new home for him (with the UID 10001), so now John cannot see any of his old files and such.
    Also, as a side question: I've worked with Windows ID before, and I know once you join a windows computer to a domain and then login to it, it creates a new user and caches the authentication info, so that when the laptop is not connected to the corporate network, the user can still login and work. Does Open Directory do the same on the laptops?
    Thanks for any help.

    Retaining password is a manual process of asking the user what his or her password is and then creating it in OD.
    As for migration of account, it is rather simple, provided the short name of the user remains consistent across directory systems. For example, if you have a user named Joe User and his short name is juser with a home folder in /Users/juser. And you create the same account in OD. You can do these few short actions.
    1: Bind system to the domain
    2: From the Admin account, and using Terminal from root, navigate to /var/db/dslocal/nodes/Default/users and find the plist file for the user (in our example, juser.plist).
    3: Delete the file using rm
    4: Restart the machine or restart Open Directory
    5: Log in as the admin user and change ownership of the user's home folder. Recall that when the user is in the local domain, the UID was likely 502, 503, etc. (you do have a standard local admin at 501, right?) Now that the user is in OD, the UID will be 4 digits, something like 1027. So understanding that user attributes and user data are independent, you now have a folder in /Users titled juser and owned by uid 50x. You need to make it owned by juser from the OD domain. Use this:
    sudo chown -R juser /Users/juser
    6: Log out of the admin account
    7: Log in as the user after choosing Other at login window.
    Assuming you have your OD account set up properly, you will likely be asked to confirm the caching of the user's credentials. This will path you right back into the user's home folder and all will be right with the world.
    This is simple and quick. If the shortnames are different, throw an mv into the mix to rename the home folder to match the domain shortname. If you have no local admin, then you will need to reset DSLocal and start again.
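The step that goes wrong in this procedure is step 5: if the local plist is still present or Directory Services has not been restarted, `juser` still resolves to the old three-digit UID and the chown silently keeps the home on the local account. The shell script below is an added example, not the poster's own commands; it verifies which UID the directory now returns for the short name, refuses to proceed while that is still a local UID (the threshold of 1000 is an assumption taken from the 1001+ range recommended earlier on this page), and only then performs the ownership change. `migrate_home` is a hypothetical function name.

```shell
#!/bin/sh
# reown_home.sh (added example, not from the thread)
# Implements the home-folder half of the migration above: confirm the
# account now resolves from the directory, confirm the home is still owned
# by the old local UID, then chown it to the network user.

# owner_uid PATH -> numeric owner; BSD stat on macOS, GNU stat elsewhere
owner_uid() {
    case $(uname -s) in
        Darwin) stat -f %u "$1" ;;
        *)      stat -c %u "$1" ;;
    esac
}

# needs_reown PATH UID -> true when PATH is not owned by UID
needs_reown() {
    [ "$(owner_uid "$1")" != "$2" ]
}

# directory_uid SHORTNAME -> UID the directory (local node or OD) returns
# now; empty output and non-zero status if the name does not resolve
directory_uid() {
    id -u "$1" 2>/dev/null
}

# migrate_home SHORTNAME [HOME]: step 5 of the procedure, run from the
# local admin account. Assumed threshold: OD users live at UID >= 1000.
migrate_home() {
    user=$1
    home=${2:-/Users/$user}
    new_uid=$(directory_uid "$user")
    [ -n "$new_uid" ] || { echo "$user does not resolve; is the Mac bound?"; return 1; }
    [ -d "$home" ] || { echo "$home missing; rename the old home with mv first"; return 1; }
    # A 3-digit UID still owning the name means the local plist is still
    # there (step 2) or Directory Services has not been restarted (step 4).
    if [ "$new_uid" -lt 1000 ]; then
        echo "$user still resolves to local UID $new_uid;"
        echo "remove /var/db/dslocal/nodes/Default/users/$user.plist and restart first"
        return 1
    fi
    if needs_reown "$home" "$new_uid"; then
        echo "chown $home: $(owner_uid "$home") -> $new_uid"
        sudo chown -R "$new_uid" "$home"
    else
        echo "$home already owned by $new_uid, nothing to do"
    fi
}

# Usage: ./reown_home.sh juser            (home defaults to /Users/juser)
[ "$#" -ge 1 ] && migrate_home "$@"
```

Passing the numeric UID to chown rather than the name is deliberate: chown resolves a name through the same directory lookup that just produced `new_uid`, so using the number makes the log line and the actual change agree even if the lookup answer changes between the two calls.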

  • Can i add a windows 2008 domain controller in a open directory  ?

    I want to add a Windows 2008 R2 domain controller to an Open Directory.
    Is this possible, and can all users be replicated to Active Directory?

    Yes. You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.
    Also you can refer below link
    http://technet.microsoft.com/en-us/library/gg670909%28v=ocs.14%29.aspx
    Mai Ali | My blog: Technical

  • Error creating new Open Directory domain

    The wizard for creating a new Open Directory domain in Server.app on Mountain Lion responds with the following error message:
         "An error occurred while configuring My Server as a directory server.  Please check your network configuration and try again."
    Not very helpful. How do I find out what the actual error is?
    Thanks.

    Can anyone translate these log messages?
    Aug 12 05:22:26 myhost.mydomain.com kdc[60240]: label: default
    Aug 12 05:22:26 myhost.mydomain.com kdc[60240]:         dbname: od:/Local/Default
    Aug 12 05:22:26 myhost.mydomain.com kdc[60240]:         mkey_file: /var/db/krb5kdc/m-key
    Aug 12 05:22:26 myhost.mydomain.com kdc[60240]:         acl_file: /var/db/krb5kdc/kadmind.acl
    Aug 12 05:22:26 myhost com.apple.launchd[1] (com.apple.Kerberos.kpasswdd[60241]): Exited: Killed: 9
    Aug 12 05:22:26 myhost com.apple.launchd[1] (com.apple.Kerberos.kpasswdd): Throttling respawn: Will start in 10 seconds
    Aug 12 05:22:26 myhost com.apple.launchd[1] (com.apple.Kerberos.kadmind[60242]): Exited: Killed: 9
    Aug 12 05:22:26 myhost com.apple.launchd[1] (com.apple.Kerberos.kadmind): Throttling respawn: Will start in 10 seconds
    Aug 12 05:22:26 myhost.mydomain.com kdc[60240]: WARNING Found KDC certificate (O=System Identity,CN=com.apple.kerberos.kdc)is missing the PK-INIT KDC EKU, this is bad for interoperability.
    Aug 12 05:22:26 myhost.mydomain.com kdc[60240]: KDC started
    Aug 12 05:22:26 myhost.mydomain.com Server[46707]: An error occurred while configuring My Mac Mini Server as a directory server:
            Error Domain=XSActionErrorDomain Code=-1 "A child action failed" UserInfo=0x7fb854a2ad90 {XSActionErrorActionsKey=(
                "Creating Open Directory master"
            ), NSLocalizedDescription=A child action failed}

  • Help needed to log into an Open Directory account which has the same username as the local account

    Hello,
    I have successfully set up a Mac OS X Lion Server and it is an Open Directory Master. On the server I have created an account with the name 'Connor'. I have numerous Macs (all running OS X 10.7 Lion) connected to this server but on one of the Macs there is a local account with the name 'Connor' too (the local and networked accounts have different passwords). I want to log into the Open Directory account on that Mac. So, I have done an authenticated bind to the server, but when I go to log in the password box shakes. I think the computer thinks I am trying to log into the local account and not the Open Directory account. On Windows, I can log into either the local accounts or the networked accounts by typing \LOCAL-COMPUTER-NAME\Connor. So, I was wondering if there was a similar command to do this on a Mac.
    I don't think I have worded this very well, so if someone doesn't understand please ask me some question about the problem and I will try and explain it better.
    Any help would be greatly appreciated,
    Connor

    Maybe I didn't make myself clear. I have used directory utility to do an authenticated bind to my server. I also have no problem logging into other accounts in the Open Directory. But, I just can't log into the account which has the same name both in the Open Directory and locally.
    Was there something I missed in Directory Utility? Could you please help me if this is so.
    Thanks for replying so quickly

  • Can't create Open Directory domain

    Using Server 3 I can't get Open Directory to work. I keep getting an error
    "xxx was successfully configured as a directory server, but an error occurred."
    Any ideas as to what's going on?  I checked my DNS settings and they seem fine.

    Hello, To whom may be concerned about this problem.
    I had the same problem with my Mac mini. So what I did to fix it: I deleted the Server app with AppCleaner (google it), then I turned off my computer and re-installed the operating system over my existing OS (this way I repair whatever was broken within the file system; you would NOT lose any data because you are just re-installing), and then I downloaded the app again, and it works.
    Also you may contact Apple Server Support in the Application there is a link ! 
    Hope this will help somebody.

  • OS X Server 3 with Mavericks: it will not load the assistant for Open Directory and will not allow me to use the old Open Directory. It was not a clean install, just an upgrade. Any help or advice appreciated, as I really need the server.

    OS X Server 3 with Mavericks: it will not load the assistant for Open Directory and will not allow me to use the old Open Directory. It was not a clean install, just an upgrade. Any help or advice appreciated, as I really need the server.

    I wonder if the disk being referred to is actually your iPod which is not plugged in. Maybe something has stuck thinking the iPod should be there.
    Try completely removing all the iTunes related programs according to this method.
    http://support.apple.com/kb/HT1923
    Restart your PC and see if startup improves.
    If it doesn't improve you need to consider the possibility that there is something else going on.
    If The problem goes away, hopefully a fresh install will be OK.

  • Help with mail users and setup 10.6 mail server bound to 10.8 Open Directory

    We have a 10.7 Open Directory server which was upgraded from 10.6.  We have had some Open Directory issues since the upgrade.  I am manually creating a 10.8 server as a replacement for the 10.7 server.  All settings for services are running as expected and we are ready to turn over to the new server except for a problem with the ability to receive email.
    Setup in both the original and the replacement has the OD server with DNS running with a correct MX record pointing to our 10.6 mail server.
    In the replacement OD server the mail users were created as network users, with no userhome, with access to the mail service, and email addresses given. 
    The mail server was unbound from the original OD server, bound to the replacement OD server without SSL exactly as with the original, and restarted.
    Initially the mail service said that mail clients had the wrong name or password.  Opened WGM 10.6 on the MAIL server and checked the OD records.  They showed the mail users not having the checkbox saying they were set up to receive mail selected.  Selected the checkbox to receive mail.
    Now the mail client seems to connect to the server correctly but does not show the emails in the system for the users.  It is as though there is no email and the account is brand new.
    Unbind the mail server from the replacement OD server, rebind it to the original OD server, and restart.
    Mail clients connect and receive the mail in the accounts as expected.
    Any ideas?
    Thanks

    I figured out what the mail server is doing.  It has created new email stores for each of the new users.  If we bind to the original OD it uses the original set of email stores.  If we bind to the replacement OD it uses the new set of email stores.
    I have tried to make sure that the userIDs match in each OD but that did not help.
    The server is working for each OD.  Does anyone know if I can tell the 10.6 mail server to use the old emails in the mailstore for the new user in the new OD?
    If nothing else I can solve the problem by archiving the emails and copying them into the new user when running the new OD.

  • Open Directory Replica Over VPN

    Hey All,
    I've got two servers, one in the office running as our Open Directory Master and one that I've placed in a remote data centre as our new web/e-mail box that I'm hoping to make a OD Replica before I move these services out to it.
    After a lot of blood/sweat/tears/coffee I was able to get it connected back to the office over site-to-site VPN with our Linksys RV082 in the office and using raccoon on the remote Tiger Server with the help of s2svpnadmin.
    I've got DNS configured on both and can ping back and forth, resolve back and forth, the VPN tunnel is running quite beautifully as if they were right beside each other on the same switch.
    The remote is on the 192.168.4.x subnet and our internal is on the local 192.168.1.x subnet. Really works well.
    But...
    When I try to make the remote box a replica of our OD Master things seem to go well, but shortly after it's done the initial 'replication' the remote box reverts back into standalone mode and I can't login to it using any directory users. (The local OD Master stays humming along just fine)
    I've found this post that mentions a very similar situation:
    http://discussions.apple.com/thread.jspa?threadID=1173913&tstart=221
    Basically it appears that the Directory Service doesn't like to talk over Tiger Server's own VPN implementation.
    I tried replicating the issue on a remote client's Tiger xServe connecting to their SonicWall and I was able to replicate over to them just fine and it sticks, so it makes me think it's definitely something about the VPN service on Tiger Server.
    This remote box is in a data centre so I want to avoid having to buy and install a dedicated hardware device to solve this problem if I can (not even sure if they'd let me). It seems silly that they wouldn't have tested this configuration as I have to expect that it would be a common one.
    Any help or insight you could offer would be invaluable! Thanks!

    Hey Leif,
    The remote box has a public IP and then I've created an internal duplicate running at 192.168.4.1 with itself as the 'router/gateway'. This seems to work.
    I can ping 'to' the remote box from the office side over the VPN tunnel by pinging '192.168.4.1'.
    And from the remote box I can ping back to the office but only after I add a route:
    route add -net 192.168.1.0/24 192.168.4.1
    ...on the remote machine.
    After that I can get traffic back and forth. It seems to work perfectly.
    I can connect using just about any service I want over the VPN, ex. AFP and things work as if the box was in the office, it's nice.
    My OD Master on the local side is also my Primary DNS Server, the remote box doubles as a Secondary DNS Slave.
    I use views in my DNS to handle both private and public traffic (we're a small business so getting the most out of our gear is important), I can ask both boxes about themselves in both public and private views and they respond correctly.
    Box A: (In The Office)
    (Internal)
    boxa.domain.com has address 192.168.1.170
    170.1.168.192.in-addr.arpa domain name pointer boxa.domain.com.
    (External)
    boxa.domain.com has address 215.25.xx.xx
    xx.xx.25.215.in-addr.arpa domain name pointer boxa.domain.com.
    (Testing Localhost)
    localhost has address 127.0.0.1
    1.0.0.127.in-addr.arpa domain name pointer localhost.
    Box B: (In The Datacentre)
    (Internal)
    boxb.domain.com has address 192.168.4.1
    1.4.168.192.in-addr.arpa domain name pointer boxb.domain.com.
    (External)
    boxb.domain.com has address 216.46.xx.xx
    xx.xx.46.216.in-addr.arpa domain name pointer boxb.domain.com.
    (Testing Localhost)
    localhost has address 127.0.0.1
    1.0.0.127.in-addr.arpa domain name pointer localhost.
    I'm convinced it's something on the remote box as I can get the replication to work reliably when trying another box whose VPN is handled by a dedicated device. I've seen posts like this one:
    http://blog.aaronmarks.com/?p=31
    That seem to discuss similar issues.

  • Creating Open Directory Replica fails with Server Admin Error Value 1127

    Hallo,
    I have seen a lot of similar threads here and they were helpful up to a certain point, but in the end, they did not solve my problem.
    Currently, it comes down to this. The Server Admin error message is really meaningless and I could not find a single reference to the error value on the whole wide web. As such, I switched to the command line versions of the tools involved to get more meaningful results. It worked. Specifically, creating a replica of an OpenLDAP master means using slapconfig.
    When executing
    slapconfig -createreplica master.ourdomain.com diradmin
    as root on the prospective replica machine, I get the following error message:
    ssh command failed with status 127
    That command is not allowed with the root account via public key authentication.
    That makes perfect sense to me, but how is it meant to work then?
    Executing slapconfig as admin tells me that this tool is to be executed as root. On the other hand, root login via ssh is not allowed in Mac OS X by default, which seems fine to me. I even changed /etc/sshd_config on the Open Directory Master machine to "PermitRootLogin yes". However, neither reloading ssh using launchctl nor restarting the whole server made this setting operational. Trying to login from command line as root still tells me:
    root login is not permitted to this machine via public key authentication.
    While this is the current state where I need help urgently, I changed some other things before. I describe them to exclude these issues as possible reasons of failure. I got this message for quite a while:
    Replica Setup failed : This machine does not have a valid computer name
    I was sure this machine meant the target machine, the Open Directory master, because the domain had changed there once before I had taken over responsibility as an admin in this environment. And in fact, changeip disguised an issue there. The command proposed by changeip to fix the situation did not seem appropriate because this machine is multihomed with a public and a private IP address. Proper name resolution is available for both interfaces including reverse lookup. I don't like this setup, but it was the only way to get mail service running smoothly. Running changeip on the machine itself using these arguments
    changeip /LDAPv3/127.0.0.1 internalIP internalIP old.ours.com current.ours.com
    reported success in updating password server, Open Directory, both interfaces, hostconfig (which in fact did not change) and Samba. It reported an issue with kadmin which is related to Kerberos (we don't use Kerberos yet).
    Changing the hostname of the server using changeip did not solve the issue. I then found the hint to check with scutil. This showed that the HostName was not set on the prospective replica machine. (A question aside: in how many places is the hostname stored? The traditional /etc/hostname has gone, but seems to be replaced with several other configuration files and databases. I can't see this as an advantage.) Setting the hostname using scutil worked fine. However, it did not solve the problem either. At least, slapconfig now started to complain about not being able to log in as root instead of failing from the start.
    I also checked all log files on both machines that might have to do with OpenLDAP, such as /var/log/slapd.log, /var/log/system.log and /Library/Log/slapconfig.log. I also checked the log of the layer on top of OpenLDAP, which is /Library/Log/DirectoryService.server.log. None of them revealed anything noticeable besides a lot of entries that I have googled in the last few hours and which all don't seem to be associated with the problem in question.
    I will take a break now, but I have to fix this until tomorrow and I hope to get the ultimate hint from you, dear reader.
    Thanks and bye, Christian Völker

    ssh command failed with status 127
    That command is not allowed with the root account via public key authentication.
    Initial OD replication takes place via 'ssh'. If you have 'sshd' configured on the OD Master to authenticate with public keys then the OD replica will not be able to communicate with the OD Master via 'ssh'. You must configure the OD Master to use 'ssh' with password authentication and root login enabled.
    Demote the replica back to standalone. Stop any services that you may have running on the primary network interface. Then stop any services that you may have running on the secondary network interface. In the 'Network' System Prefpane remove the IP number from the secondary interface then deactivate the secondary network interface.
    Assign the private IP address and hostname that you wish to use for the replica to the primary network interface. Assign the 'public' IP number to the secondary interface. Check the DNS to see that the IP address and hostname for the primary network interface resolve both forward and reverse for the hostname of the replica that you have chosen. If it does not, fix your DNS before proceeding.
    In the 'Sharing' System Prefpane, change the name of the machine to the hostname (server.domain.tld) of the replica that you have chosen. Then use 'changeip -checkhostname' to see if the IP/hostname matches. Fix it if it doesn't.
    Then configure the /etc/sshd_config file on the OD master like this:
    # Authentication:
    PermitRootLogin yes
    PasswordAuthentication yes
    PubkeyAuthentication no
    and the /etc/ssh_config file on the OD replica like this:
    PasswordAuthentication yes
    PubkeyAuthentication no
    Then from the OD replica as the 'root' user issue:
    slapconfig -createreplica <ODMasterIPorFQDN> <diradmin user>
    Make sure that the 'diradmin' user's password contains only alphanumeric characters, no 'option-characters' or symbols; change it first if it does. Once the process completes, reactivate the secondary interface for the 'public' IP and check the configuration of services that will be using that IP, then start your other services. Secure the 'ssh' service on both machines to disable password authentication and 'root' logins.
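The reply above temporarily opens root password login over ssh on the OD master for the duration of the replica build and then closes it again, so it helps to be able to read the effective sshd settings before the attempt and confirm the hardened state afterwards. The shell script below is an added example, not the reply's own commands. It reads a setting the way sshd does (first occurrence wins; a `PermitRootLogin yes` added below an earlier `PermitRootLogin no` changes nothing, one common reason an edit like the one described in the question has no visible effect), reports whether the config is in the temporary "replica window" state or the hardened state, and applies the alphanumeric-only rule for the diradmin password. `Match` blocks are not evaluated; that is a stated limitation of the helper, and the function names are hypothetical.

```shell
#!/bin/sh
# sshd_replica_window.sh (added example, not from the thread)
# Inspects the sshd_config settings that slapconfig -createreplica depends
# on, so the temporary state can be confirmed before the run and the
# hardened state confirmed after it.

# sshd_setting FILE KEY -> effective value. sshd_config uses the FIRST
# occurrence of a keyword, so this prints the first match and stops.
# Keywords are case-insensitive; comments and blank lines are skipped.
# Limitation: settings inside "Match" blocks are read like any other line.
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        NF < 2               { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# replica_window_open FILE -> true when the master would accept a root
# password login, which is what the initial replication over ssh needs
replica_window_open() {
    [ "$(sshd_setting "$1" PermitRootLogin)" = yes ] &&
    [ "$(sshd_setting "$1" PasswordAuthentication)" = yes ]
}

# hardened FILE -> true only when both are explicitly switched off again,
# the end state the reply asks for on master and replica alike
hardened() {
    [ "$(sshd_setting "$1" PermitRootLogin)" = no ] &&
    [ "$(sshd_setting "$1" PasswordAuthentication)" = no ]
}

# alnum_only STRING -> true when the diradmin password has no symbols or
# option-characters (the rule given for slapconfig -createreplica)
alnum_only() {
    case "$1" in
        '')               return 1 ;;
        *[!A-Za-z0-9]*)   return 1 ;;
    esac
    return 0
}

# report FILE -> one line describing the state of a config file
report() {
    if replica_window_open "$1"; then
        echo "$1: replica window OPEN (root + password login allowed); close it after slapconfig finishes"
    elif hardened "$1"; then
        echo "$1: hardened (PermitRootLogin no, PasswordAuthentication no)"
    else
        echo "$1: mixed: PermitRootLogin=$(sshd_setting "$1" PermitRootLogin) PasswordAuthentication=$(sshd_setting "$1" PasswordAuthentication) PubkeyAuthentication=$(sshd_setting "$1" PubkeyAuthentication)"
    fi
}

# Usage: ./sshd_replica_window.sh /etc/sshd_config
[ "$#" -ge 1 ] && report "$1"
```

Because the first occurrence wins, the reliable way to apply the temporary settings is to put them at the top of the file (or edit the existing lines in place), reload sshd, and then run `report` on the file; if it still prints "mixed", an earlier line is overriding the edit.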

  • Initial setup and Open Directory problem

    Hi,
    I'm new to the Mac OS X Server system and trying to get one up and running on a G5.
    Unfortunately I can't get the configuration up and running, and I have the feeling it already goes wrong during the initial setup. I was hoping you guys could help me out.
    The purpose of the server is providing network user accounts (DNS + Open Dir.) and providing sharepoints.
    I go through the following steps while installing from scratch:
    - Install Mac OS X and run the Server install package from the OS X Server DVD (as you know, OS X Server isn't installing directly on the G5)
    - Choose keyboard layout, enter license and create an account "admin"
    - Define static IP "192.168.1.1", add this IP as the first in the list of DNS Servers, add "company.local" in the search domain
    - Install as a standalone server (so I can configure dns & other network services after basic setup)
    - Check "network time server" (so time will be synced for Kerberos)
    - Proceed, install and reboot
    OSX Server seems to be installed fine and I can login with "admin". Next step I take is configuring DNS.
    - create a zone "companyname.local.", use my IP as server address (192.168.1.1) and use "server" as the server name.
    - add a machine record for DNS-testing (called "gateway", with the IP of "192.168.1.254")
    Start the DNS service and reboot
    - perform an nslookup with a second Mac with 192.168.1.1 as the nameserver and verify that DNS is resolving correctly.
    DNS seems to be working fine, now I would like to get the Open Directory service to work:
    - change "Standalone" to "Open directory master" in the server configuration panel
    - provide a password for the directory admin
    - use "SERVER.COMPANYNAME.LOCAL" as kerberos realm, and "dc=server,dc=companyname,dc=local" as the search base
    - Save & start the service and perform a reboot to be sure all the new settings are in use
    Unfortunately after this install open directory doesn't seem to work fine and also Kerberos doesn't start.
    Concerning Kerberos: I get following output in the "Slapconfig log" Open Directory log file:
    Starting LDAP server (slapd)
    command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=maggie,dc=interesourcegroup,dc=local -w **
    Hostname server.companyname.local is from Rendezvous
    Skipping Kerberos configuration
    Sorry to bother you with the entire walkthrough of the installation, but I have the feeling that I'm missing something while performing the basic install or DNS setup .. ?
    Regards,
    Seppe
    G5 Mac OS X (10.4.6) /

    We currently have a static IP and a public DNS hosted by MediaTemple, so I think I can create a subdomain on MediaTemple and link it to our fixed IP address ("private.companyname.com" >> static IP) instead of using DynDNS .. ?
    Of course.
    I suppose I can then use "private.companyname.com" as the zone name on my G5 server and use "server.private.companyname.com" for my local DNS?
    Sounds reasonable.
    If using this DNS, what will be the Kerberos REALM and Search Base? And do I still need to specify private.companyname.com as the Search Base in the Network Settings of the clients and server?
    Well, REALM and LDAP Search Base can be set to whatever you like. On the other hand I've seen tools contacting Kerberos servers break when the REALM is not part of the Kerberos server FQDN.
    So I'd stick with the usual recommendations and set the Kerberos REALM to your domain name (if there is no other Kerberos server already running and using this).
    For the LDAP search domain I'd also follow the road of using the domain name space as search base.
    When DNS is finally set up properly, these settings will be autopopulated for you in the GUI. So test, test, test your DNS with
    host $ip and host $fqdn and then go on promoting "Standalone Server" to "Open Directory Master".
    HTH
    -Ralph

  • Open Directory and AFP

    Hello, I have been having some problems setting up Tiger Server to have the clients' home directories hosted on the server. When a client tries to log in, it gives them an error saying they are unable to log on at this time because of AFP. If anyone could help or point me to a guide it would be appreciated.
    -Bobby

    Hi
    For 10.4 Server you should really post in the 10.4 OD Forum here:
    http://discussions.apple.com/forum.jspa?forumID=713
    However it does not really matter. You may find what follows useful:
    A Simplified Method for Deploying Open Directory Services
    A centralized authentication and authorization service providing automounting home folders for network users and control for service administrators using managed preferences. Ideal for Schools, Colleges, Libraries, Universities and in some cases, Private Companies
    These instructions are for the GUI only with no manual configuration and hardly any recourse for the command line. These instructions also assume that this will be the only server on the network.
    Substitute appropriately the examples given for your situation. The example used is for a pretend school called ‘High School’.
    Assuming you have installed the Server Software and on restart the Server Setup Assistant has launched. We’ll use Administrator as the long name and admin as the short name with admin as the password for the default Server Administrator account (UID 501). We’ll assign a fixed IP address of 172.16.16.254, a subnet mask of 255.255.255.0 and the router/gateway IP address offering access to the internet as 172.16.16.1. Key in any ISP supplied DNS Server IP addresses in the DNS Servers field in the Network Preferences Control Panel. The server name will be server. You will see the server name in the Sharing Preferences Pane (server.local) as well as Server Admin > Computers & Services. The Server can be reached either using this name, its IP address, its loopback address and later on, after the DNS Service has been configured, its Fully Qualified Domain Name (FQDN). Don’t start any services apart from Remote Desktop, save the configuration as a text file and restart the Server. After the restart log in using the newly created System Administrator account details. Now would be a good time to test internet connectivity as well as running Software Update and installing all the updates relevant for the server.
    Start simple file services first: AFP and if necessary Windows. If there is more than one PC already on the network switch off Workgroup Master Browser and Domain Master Browser found in Server Admin > Windows > Advanced > Services. Create a test user in the local server directory (NetInfo) and test using a client computer to access the default share points: Users, Groups, Public. Don’t be tempted to delete these folders as the server will complain. If you don’t want to use these you can simply unshare the share points and create new ones. You could for example create share points on a connected XServe RAID and share these instead. Save any changes made.
    The instructions that follow are for simple DNS Settings which will do to successfully deploy an Open Directory Master.
    Click on DNS Service Settings > Zones > click the + icon > General. The Server IP address will already be there, key in the Fully Qualified Domain Name (FQDN). This can either be a real world domain name or a pretend domain name. As long as it resembles fully qualified domain names it will do, avoid using .local.
    In this example we will use server.highschool.sch.org.
    Save the changes
    Now click Start Service. You will have to click Start Service twice as Server Admin does not start the service the first time as that is when the config files are written. These are kept in two locations: /etc/host.config and /var/named. The second time you click Start Service you will get the green light. Now set the Logging level to Debug and save the changes again. Launch System Preferences > Network > Configure > TCP/IP > key in the Server’s own IP address 172.16.16.254 in the DNS Servers field and remove any other IP address. Apply and save changes. Launch a web browser and see if you can get on the internet. Inspect the DNS logs in Server Admin and you will see entries starting with createfetch as well as received control command channel status: ready. By this time you should be on the internet using the server’s own IP address instead of ones supplied by your ISP or Router. Test and qualify the DNS Service by launching terminal and issuing the host command:
    host server.highschool.sch.org
    server.highschool.sch.org has address 172.16.16.254
    host 172.16.16.254
    254.16.16.172.in-addr.arpa domain name pointer host172-16-16-254.in-addr.server.highschool.sch.org
    This qualifies the forward and reverse pointers for the DNS Service.
    Remember that a properly configured and qualified DNS service is crucial to the more advanced technologies available on OSX Server. Apple themselves recommend using DNS even if the Server is providing simple file services such as AFP.
    If you want the Server to issue IP addresses then consider using the DHCP Service. If your router is already doing this then there is no need to bother just yet. Once you get comfortable and familiar with the Server you could look at this later on.
    Back to Server Admin
    Click on Open Directory > Settings > Select Standalone and now select Open Directory Master. As soon as you do this you will be prompted to create the Directory Administrator account, by default diradmin. You can’t use the standard administrator account. You don’t have to use diradmin as the name; you can use another name, but don’t be tempted to use admin. For this example we will leave it as it is, as well as defining the password as diradmin. If DNS Services are correctly configured you will see the Kerberos Realm field already filled in for you and it will look like this: SERVER.HIGHSCHOOL.SCH.ORG. As you can see it will be the FQDN but in capitalized form. The search base will be automatically filled in also and it will look like this: dc=server,dc=highschool,dc=sch,dc=org.
    Save changes.
    Launch Directory Access /Applications/Utilities and click on LDAPv3, authenticate if required to do so. Inspect the configuration setting there and you should see the Server’s loopback address 127.0.0.1 has been entered as a New Configuration. This is normal and gets added upon promotion. Now launch Workgroup Manager and select the appropriate Directory Node LDAPv3/127.0.0.1. Authenticate using the newly created Directory Administrator account: diradmin. If everything has gone well you will see the Directory Administrator user (UID 1000) already there. Create a new user called Andrew Barton, short name: andybarton, UID 1025, password andyb, click Save. Select Sharing and make sure that the default Users folder is set to share, now click on Network Mount and click the lock, authenticate using the diradmin account and set the Users home folder to automount Home Directories. Click Save. Click Accounts, select Andy Barton, click Home, verify that the Home Folder path says afp://server.highschool.sch.org/Users, select this and click Create Home Now followed by Save. Navigate to the Finder, double click the Server hard drive, double click the Users folder and verify that the folder andybarton has been created. Double clicking on this folder will show the usual set of home folders with no entry signs on all of them apart from public and sites. Carry on populating the LDAP Directory Node with desired users. Once you have finished click on the Groups tab and create a group and call it Music Class, populate this group with desired users. We will look at Managed Preferences (MCX) for this group later on.
    In this example Music Class has 30 iMacs. Use the first iMac as a model for all the others. Create an administrator account on the first iMac with a strong password. Avoid using Administrator and admin as these could conflict with the Server admin account. Don’t use a User Account already created on the Server. I will use MC Administrator as the long name and mcadmin as the short name, switch off auto log-in. Install all relevant site license software on this mac. Set the iMac’s name in the Sharing Preferences Pane to iMac01, the .local part will be automatically filled in for you, save all changes. Run all software updates available for the mac, restart the mac. You can now use this mac as the ‘Golden Mac’ – a template for all the other iMacs. You can target disk mode this first mac to the second mac and after cloning change the name of the second mac to iMac02. Or you could image iMac01 to an external firewire drive, connect the drive to the server and use Apple Remote Desktop (ARD) to push out the image to all the other macs. You could also use System Image Utility, PackageMaker and NetInstall. As you can see there are numerous ways of doing this.
    Back to iMac01
    Log in using the mcadmin account, launch Directory Access (Applications/Utilities), click on the lock and authenticate, select LDAPv3, click Configure, deselect ‘Add DHCP-supplied LDAP servers to automatic search policies’, click New and key in either the IP address 172.16.16.254 or better still its FQDN. If you are going to use the Server’s FQDN then make sure the Server’s IP address is in the client's DNS Servers field. Server discovery should be fairly quick, you will see iMac01.local’s computer in the first field and you will be prompted for a network user name and password, don’t bother with this just click OK and then continue, you will then see the Server Configuration in the Services window, click OK. Click on Authentication and verify that Custom Path is displayed, you should see /LDAPv3/172.16.16.254 or the server FQDN as the second Directory Domain displayed (the first one will be the local NetInfo node and will be grayed out). Do the same for the Contacts tab, click OK and quit Directory Access, select log out from the Apple menu and you should now see a log in window displaying the local mcadmin account as well as ‘Other’. Click Other, key in andybarton as the name and andyb as the password, you should now be logged into the Home Folder for that user on the server. Launch TextEdit, type a few words and save the Untitled document to the Documents folder, now log out. Go to Workgroup Manager, select Sharing, select Users, select andybarton, select Documents and you should see the Untitled document grayed out.
    Managed Preferences or MCX
    Select the Music Class Group, click on Preferences > Finder > Views > Always > Default View and select the smallest setting for the dock size, click Done, go back to the client and log in again as andybarton and see if the dock size has changed. The order in which managed preferences take precedence are:
    User
    Computer
    Group
    If a setting is defined in Group and also defined differently in Users, the Users setting will take precedence. Managed Preferences can be accumulative also. What can be managed for Users and Groups are the same. Computer Lists are the same with the addition of Energy Saver. Play with these settings as seems appropriate to you. If you decide to manage clients using Computer Lists then create your own (by type and location), try not to use the default lists. The same advice applies to Network Views.
    As time goes by and you become more familiar and comfortable you can start integrating the Software Update Service, NetBoot/NetInstall, Mail Services, Print Services and any other Service that seems appropriate to you.
    Hope this helps, Tony
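
    Ralph's advice above to test `host $ip` and `host $fqdn` before promoting, and Tony's walkthrough of the Kerberos realm and search base that Server Admin fills in from the FQDN, can be checked with the following script. It is an added example, not code from either post or from Apple; the `host` output it parses is constructed, and its consistency check expects the PTR record to return the server's FQDN itself.

```python
"""Pre-promotion DNS checks for an Open Directory master (added example).

Not code from the thread. It derives the Kerberos realm and LDAP search
base that Server Admin auto-populates from the FQDN, rejects names that
make slapconfig skip Kerberos ("Hostname ... is from Rendezvous"), and
checks that forward and reverse `host` output agree. The output is constructed.
"""
import re

# Constructed sample output in the format of the `host` checks above.
SAMPLE_FORWARD = "server.highschool.sch.org has address 172.16.16.254"
SAMPLE_REVERSE = ("254.16.16.172.in-addr.arpa domain name pointer "
                  "server.highschool.sch.org.")


def validate_fqdn(fqdn):
    """Return the reasons an FQDN is unsuitable for an OD master (empty = OK)."""
    problems = []
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 3:
        problems.append("needs at least three labels (host.domain.tld)")
    if labels[-1].lower() == "local":
        # .local is Bonjour/Rendezvous; slapconfig skips Kerberos for it.
        problems.append(".local is reserved for Bonjour")
    if any(not re.fullmatch(r"[A-Za-z0-9-]+", label) for label in labels):
        problems.append("labels may only contain letters, digits and hyphens")
    return problems


def kerberos_realm(fqdn):
    """Server Admin fills the realm with the upper-cased FQDN."""
    return fqdn.rstrip(".").upper()


def ldap_search_base(fqdn):
    """Server Admin fills the search base with one dc= per DNS label."""
    return ",".join("dc=" + label for label in fqdn.rstrip(".").split("."))


def parse_forward(line):
    """'name has address a.b.c.d' -> (name, ip), or None if unrecognised."""
    m = re.fullmatch(r"(\S+?)\.? has address (\d+\.\d+\.\d+\.\d+)", line.strip())
    return (m.group(1), m.group(2)) if m else None


def parse_reverse(line):
    """'d.c.b.a.in-addr.arpa domain name pointer name.' -> (ip, name)."""
    m = re.fullmatch(r"(\S+)\.in-addr\.arpa domain name pointer (\S+)",
                     line.strip())
    if not m:
        return None
    ip = ".".join(reversed(m.group(1).split(".")))
    return (ip, m.group(2).rstrip("."))


def dns_is_consistent(fqdn, forward, reverse):
    """True only when the A record and the PTR agree on name and address."""
    fwd, rev = parse_forward(forward), parse_reverse(reverse)
    if fwd is None or rev is None:
        return False
    return fwd[0] == fqdn and rev[0] == fwd[1] and rev[1] == fqdn
```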

  • Recently created Open Directory user accounts not able to log in.

    Hello Everyone,
    I recently updated our company's Mavericks server to version 3.2.1 and now some of my users are unable to log in to our Open Directory server. Our server is currently running OS X 10.9.5 Build 13F34. The server log output is the following when a user attempts to log in to Open Directory.
    12/8/14 11:35:46.995 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:59274 for krbtgt/[email protected]
    12/8/14 11:35:47.003 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:59274 for krbtgt/[email protected]
    12/8/14 11:35:47.004 AM kdc[3049]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
    12/8/14 11:35:47.011 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:50783 for krbtgt/[email protected]
    12/8/14 11:35:47.016 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:50783 for krbtgt/[email protected]
    12/8/14 11:35:47.017 AM kdc[3049]: Client sent patypes: ENC-TS
    12/8/14 11:35:47.017 AM kdc[3049]: ENC-TS pre-authentication succeeded -- [email protected]
    12/8/14 11:35:47.019 AM kdc[3049]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
    12/8/14 11:35:47.019 AM kdc[3049]: Requested flags: forwardable
    12/8/14 11:35:47.282 AM kdc[3049]: TGS-REQ [email protected] from 192.168.15.95:50911 for host/[email protected] [canonicalize, forwardable]
    12/8/14 11:35:47.283 AM kdc[3049]: Searching referral for mbpe-0c4de9abba49.local
    12/8/14 11:35:47.284 AM kdc[3049]: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
    12/8/14 11:35:47.285 AM kdc[3049]: Failed building TGS-REP to 192.168.15.95:50911
    12/8/14 11:35:47.289 AM kdc[3049]: TGS-REQ [email protected] from 192.168.15.95:64376 for krbtgt/[email protected] [forwardable]
    12/8/14 11:35:47.290 AM kdc[3049]: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
    12/8/14 11:35:47.290 AM kdc[3049]: Failed building TGS-REP to 192.168.15.95:64376
    Note: I have rebuilt Open Directory and still see the message above when users attempt to log in. Also, I have not changed the name of the server, all server certificates are valid, and for some reason Time Machine restores are not working. I have tried to restore the server back to June and it made the issue worse.
    Any help would be appreciated.

    Thank you for your reply Linc. Unfortunately I tried this already and it did not fix my issue. I checked the Open Directory startup log and found a possible issue with the domain name in the startup file and the signing certificate. The domain name has a $ and it can find the signing certificate with a public key. Please take a look below and let me know what you think?
    12/8/14 11:02:42.961 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:63580 for krbtgt/[email protected]
    12/8/14 11:02:42.975 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:43.082 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:52257 for krbtgt/[email protected]
    12/8/14 11:02:43.093 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:43.621 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:64357 for krbtgt/[email protected]
    12/8/14 11:02:43.633 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:43.893 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:64619 for krbtgt/[email protected]
    12/8/14 11:02:43.904 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:44.191 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:61095 for krbtgt/[email protected]
    12/8/14 11:02:44.210 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:44.560 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:52115 for krbtgt/[email protected]
    12/8/14 11:02:44.576 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:45.016 PM UserEventAgent[18]: Registered Workstation service - wdpmosx [68:5b:35:ca:f7:4b]._workstation._tcp.
    12/8/14 11:02:45.193 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:54745 for krbtgt/[email protected]
    12/8/14 11:02:45.208 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:45.554 PM kdc[13723]: label: WDPMOSX.XYZ.ORG
    12/8/14 11:02:45.554 PM kdc[13723]: dbname: od:/LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi
    12/8/14 11:02:45.554 PM kdc[13723]: mkey_file: /var/db/krb5kdc/m_key.WDPMOSX.XYZ.ORG
    12/8/14 11:02:45.555 PM kdc[13723]: acl_file: /var/db/krb5kdc/acl_file.WDPMOSX.XYZ.ORG
    12/8/14 11:02:45.568 PM kdc[13723]: PKINIT: failed to find a signing certifiate with a public key
    12/8/14 11:02:45.618 PM kdc[13723]: KDC started
    Thanks again.
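
    Added example (not code from the thread) that sorts lines like the KDC excerpts above into the conditions discussed: the .local client hostname pulling a referral, the krbtgt entry missing from the hdb, unknown principals, and the PKINIT certificate warning. The log it runs over is constructed; EXAMPLE.ORG, the user jdoe and the referral realm LOCAL are placeholders, since the posts redact the real principals.

```python
"""Triage of OS X Server KDC log lines (added example, not from the thread).

The log below is constructed in the layout of the excerpts above; the realm
EXAMPLE.ORG, the user jdoe and the referral realm LOCAL are placeholders.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
12/8/14 11:35:47.017 AM kdc[3049]: ENC-TS pre-authentication succeeded -- jdoe@EXAMPLE.ORG
12/8/14 11:35:47.282 AM kdc[3049]: TGS-REQ jdoe@EXAMPLE.ORG from 192.168.15.95:50911 for host/mbpe-0c4de9abba49.local@EXAMPLE.ORG [canonicalize, forwardable]
12/8/14 11:35:47.283 AM kdc[3049]: Searching referral for mbpe-0c4de9abba49.local
12/8/14 11:35:47.284 AM kdc[3049]: Server not found in database: krbtgt/LOCAL@EXAMPLE.ORG: no such entry found in hdb
12/8/14 11:35:47.285 AM kdc[3049]: Failed building TGS-REP to 192.168.15.95:50911
12/8/14 11:02:45.016 PM UserEventAgent[18]: Registered Workstation service - wdpmosx
12/8/14 11:02:45.568 PM kdc[13723]: PKINIT: failed to find a signing certifiate with a public key
"""

# "<date> <time> <AM|PM> <process>[<pid>]: <message>", as in the excerpts.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PRINCIPAL_RE = re.compile(r"(\S+@\S+?):")


def parse_kdc_line(line):
    """Split one syslog-style line; None for non-kdc or malformed lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m and m.group("proc") == "kdc" else None


def classify(msg):
    """Map a kdc message to a triage category; None for routine traffic."""
    if msg.startswith("Searching referral for ") and msg.endswith(".local"):
        return "local_hostname_referral"   # Bonjour name, not a real realm
    if msg.startswith("Server not found in database: krbtgt/"):
        return "missing_krbtgt"            # realm has no TGT principal in hdb
    if msg.startswith("UNKNOWN -- ") and "no such entry found in hdb" in msg:
        return "unknown_principal"
    if msg.startswith("Failed building TGS-REP"):
        return "tgs_rep_failed"
    if msg.startswith("PKINIT: failed to find a signing certif"):
        return "pkinit_cert_missing"
    return None


def triage(log_text):
    """Count categories and collect the names behind each finding."""
    summary = {"counts": Counter(), "local_hosts": [], "missing_principals": []}
    for raw in log_text.splitlines():
        rec = parse_kdc_line(raw)
        cat = classify(rec["msg"]) if rec else None
        if cat is None:
            continue
        summary["counts"][cat] += 1
        if cat == "local_hostname_referral":
            summary["local_hosts"].append(rec["msg"].split()[-1])
        elif cat in ("missing_krbtgt", "unknown_principal"):
            m = PRINCIPAL_RE.search(rec["msg"])
            if m:
                summary["missing_principals"].append(m.group(1))
    return summary
```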
