This discussion is locked
Berylium

Q: iChat Server, Can login with Adium but not with iChat

Since being able to log in with Adium was not mentioned in the "iChat, login does not work" thread I started a new one.

I'm transitioning from a 10.5 server to a 10.6 server. On 10.5.8 my iChat server runs without hiccup but the 10.6.2 iChat server, with the same configuration, has problems. DNS is set up correctly with reverse lookup working as it should. I'll outline my results trying to connect to the server with iChat (client) and Adium from both inside and outside the server's private network with no firewall running.

Inside the network:
- iChat on 10.5.8
- When trying to log in I'm told that my screen name or password is incorrect and asked to re-enter, which continues to fail. I am using the login id: username@server.domain.tld.
- The iChat server log reads:

Jan 13 20:55:33 sl jabberd/c2s[4357]: [7] [::ffff:192.168.1.173, port=55927] connect
Jan 13 20:55:33 sl jabberd/c2s[4357]: ODKVerifyClientRequestFixed: Unable to authenticate
Jan 13 20:55:33 sl jabberd/c2s[4357]: [7] [::ffff:192.168.1.173, port=55927] disconnect jid=unbound, packets: 0

- Adium
- With the same setup as iChat (client), when I try to connect I'm told "[the server] requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?" If I click "yes" I can connect to the server.
- The iChat server log reads:

Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: checking user "berylium" access for service "chat"
Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: mbrcheck_servicemembership returned 2
Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: no access restrictions found
Jan 13 21:02:28 sl jabberd/c2s[4357]: [7] SASL authentication succeeded: mechanism=PLAIN; authzid=john@sl.enco.re
Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: checking user "berylium" access for service "chat"
Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: mbrcheck_servicemembership returned 2
Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: no access restrictions found
Jan 13 21:02:28 sl jabberd/c2s[4357]: [7] bound: jid=berylium@[server.domain.tld]
Jan 13 21:02:28 sl jabberd/sm[4356]: session started: jid=berylium@[server.domain.tld]


Outside the network:
- iChat on 10.6.2
- iChat (client) acts exactly the same whether inside or outside the network

- Adium
- Adium asks me to type out my Kerberos identity; if I cancel that dialog I'm asked the same question as before about allowing plaintext authentication. And, again, if I allow plaintext authentication I can connect.

Since it was asked for in a similar post for iChat Server 10.5, here's the output from 'sudo serveradmin settings jabber' run from the server:

jabber:enableSavedChats = yes
jabber:authLevel = "ANYMETHOD"
jabber:jabberdDatabasePath = "/private/var/jabberd/sqlite/jabberd2.db"
jabber:sslCAFile = ""
jabber:hosts:arrayindex:0 = "sl.enco.re"
jabber:savedChatsLocation = "/var/jabberd/message_archives"
jabber:savedChatsArchiveInterval = 7
jabber:initialized = yes
jabber:dataLocation = ""
jabber:enableXMPP = no
jabber:eventLogArchiveInterval = 7
jabber:serviceMode = "ALL"
jabber:enableAutoBuddy = no
jabber:s2sRestrictDomains = no
jabber:logLevel = "ALL"
jabber:sslKeyFile = ""
jabber:requireSecureS2S = no
jabber:s2sAllowedDomains = emptyarray

It's so odd that Adium can connect but iChat cannot. Any help on this would be greatly appreciated!

thanks,

Berylium

2.66x4 Mac Pro, 2.8x8 Mac Pro, Mac OS X (10.6.2)

Posted on Jan 13, 2010 7:19 PM
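
An added example (not part of the original post, and not Apple's or jabberd's code): the log and settings excerpts above can be checked mechanically for the condition Adium warned about, a PLAIN login while no TLS key is configured. The function names are hypothetical, and treating an empty `jabber:sslKeyFile` as "no TLS on client connections" is an assumption.

```python
import re

# Constructed sample: log and settings lines copied from the post above.
SAMPLE_LOG = """\
Jan 13 20:55:33 sl jabberd/c2s[4357]: [7] [::ffff:192.168.1.173, port=55927] connect
Jan 13 20:55:33 sl jabberd/c2s[4357]: ODKVerifyClientRequestFixed: Unable to authenticate
Jan 13 20:55:33 sl jabberd/c2s[4357]: [7] [::ffff:192.168.1.173, port=55927] disconnect jid=unbound, packets: 0
Jan 13 21:02:28 sl jabberd/c2s[4357]: [7] SASL authentication succeeded: mechanism=PLAIN; authzid=john@sl.enco.re
"""
SAMPLE_SETTINGS = 'jabber:authLevel = "ANYMETHOD"\njabber:sslKeyFile = ""\n'

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ jabberd/c2s\[\d+\]: (.*)$")
CONN = re.compile(r"^\[(\d+)\] \[(\S+), port=\d+\] (connect|disconnect)(.*)$")
SASL = re.compile(r"^\[(\d+)\] SASL authentication succeeded: mechanism=([\w-]+); authzid=(\S+)$")

def scan_log(text):
    """Return (time, event, peer, detail) tuples for sessions worth reviewing."""
    peers, events = {}, []          # peers: connection number -> client address
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, msg = m.groups()
        if c := CONN.match(msg):
            fd, peer, action, rest = c.groups()
            if action == "connect":
                peers[fd] = peer
            else:
                peers.pop(fd, None)
                if "jid=unbound" in rest:   # closed before any JID was bound
                    events.append((when, "closed-unauthenticated", peer, ""))
        elif s := SASL.match(msg):
            fd, mech, authzid = s.groups()
            if mech == "PLAIN":             # password sent as-is inside SASL
                events.append((when, "plain-auth", peers.get(fd), authzid))
    return events

def parse_settings(text):
    """Parse the 'key = value' lines printed by serveradmin settings."""
    pairs = (line.partition(" = ") for line in text.splitlines())
    return {k.strip(): v.strip().strip('"') for k, sep, v in pairs if sep}

def cleartext_password_logins(cfg, events):
    """PLAIN logins to flag; assumes an empty sslKeyFile means no TLS on c2s."""
    if cfg.get("jabber:sslKeyFile", ""):
        return []
    return [e for e in events if e[1] == "plain-auth"]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for event in found:
        print(event)
    print(cleartext_password_logins(parse_settings(SAMPLE_SETTINGS), found))
```

The peer address for the PLAIN login is reported as unknown here because the posted Adium excerpt does not include that session's connect line.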

  • by Tim Harris,

    Tim Harris Jan 14, 2010 10:01 AM in response to Berylium
    Level 4 (1,460 points)
    Hi,

    Can you post the output from *sudo changeip -checkhostname*

    Is the server behind a NAT?

    tim
  • by Berylium,

    Berylium Jan 14, 2010 10:12 AM in response to Tim Harris
    Level 1 (5 points)
    Absolutely, Tim, and thank you for your help. The output from sudo changeip -checkhostname is:

    Primary address = 192.168.1.231

    Current HostName = server.domain.tld
    DNS HostName = server.domain.tld

    The names match. There is nothing to change.
    dirserv:success = "success"


    Obviously, above I changed the FQDN (which was correct) to server.domain.tld.

    -Berylium
  • by Tim Harris,

    Tim Harris Jan 14, 2010 10:47 AM in response to Berylium
    Level 4 (1,460 points)
    On your iChat client

    jabber id = username@server.domain.tld
    server = server.domain.tld
    port 5222
    no ssl
    all others unchecked
  • by Berylium,

    Berylium Jan 14, 2010 3:15 PM in response to Tim Harris
    Level 1 (5 points)
    Yes, Tim, those are my settings on the iChat client.

    -Berylium
  • by Tim Harris,

    Tim Harris Jan 14, 2010 3:32 PM in response to Berylium
    Level 4 (1,460 points)
    The log file entry you posted at the start shows your server with an IP address of 192.168.1.173 and the output of the changeip shows a Primary address = 192.168.1.231. Why two different IPs?

    Do you have two LAN ports on this Server?
  • by Berylium,

    Berylium Jan 14, 2010 3:45 PM in response to Tim Harris
    Level 1 (5 points)
    Tim,

    That log entry was showing my iChat client inside the network trying to connect to the iChat server. The 192.168.1.173 address is the address of the client machine. 192.168.1.231 is the internal IP address of the server.

    -Berylium
  • by Tim Harris,

    Tim Harris Jan 15, 2010 12:07 AM in response to Berylium
    Level 4 (1,460 points)
    Am I right to assume that you have tried more than one iChat client and that they all exhibit the same problem?
  • by Berylium,

    Berylium Jan 15, 2010 8:00 AM in response to Tim Harris
    Level 1 (5 points)
    Tim,

    Yes, I've tried iChat on a 10.5.8 machine inside the network and iChat on a 10.6.2 machine outside the network and both exhibited the same behavior. Adium, too, exhibited similar behavior on both machines (the difference is outlined in my original post).

    As I look at it there are only four possible sources of the problem: Open Directory, iChat server, DNS, or the firewall. I've been testing with the firewall turned off so it shouldn't be an issue and DNS resolves without issue so it's out. Adium works and iChat doesn't for authenticating to the iChat server so I would think OD isn't the problem. Which leaves iChat server. Am I overlooking something?

    -Berylium
  • by Tim Harris,

    Tim Harris Jan 15, 2010 10:08 AM in response to Berylium
    Level 4 (1,460 points)
    The problem is that the jabber ID as managed by the client and iChat server is not being allowed access due to SASL policies. This kind of suggests possible corruption of data on the server or something is stripping information on the jabber stream.

    There are lots of things we can try to dig deeper into the problem or we can make some config changes to isolate the issue. Equally, there are lots of questions I could ask, e.g. are there upper-case characters anywhere in server names or user names, can we disable cram-md5 in c2s.xml, that sort of thing.

    If you are happy to take this offline and have a working iChat client we can share some ideas. Alternatively, I'm happy to suggest things here if you are not in a hurry. If you set up a test account on your server I could also try logging in via a telnet session, which can help me see the problems.
  • by Berylium,

    Berylium Jan 15, 2010 12:36 PM in response to Tim Harris
    Level 1 (5 points)
    Tim,

    My company is running fine on my 10.5.8 server at the moment and while I would like to move to 10.6 as soon as possible I'm in no specific rush. In other words, I'm open for any suggestions on how to remedy the problem. I'd definitely like to pursue further remedies with you whether in this forum or in a private IM session (I can do AIM, GTalk, or give you an account on my working iChat server) — whatever is most convenient for you. If you'd like, contact me at jsf (at) encoreresidential (dot) net.

    As to the two questions you ask: there are no uppercase characters in the server name or user names and I'd be willing to disable cram-md5 in c2s.xml (so long as it didn't affect mail using cram-md5).

    -Berylium

    Message was edited by: Berylium
  • by Tim Harris,

    Tim Harris Jan 15, 2010 4:01 PM in response to Berylium
    Level 4 (1,460 points)
    From a terminal session on *your server* can you please post the unedited response to *dig -x sl.enco.re*


    thanks
  • by Berylium,

    Berylium Jan 15, 2010 4:11 PM in response to Tim Harris
    Level 1 (5 points)
    Tim, here is the response:

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> -x sl.enco.re
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22748
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;re.enco.sl.in-addr.arpa. IN PTR

    ;; AUTHORITY SECTION:
    in-addr.arpa. 10800 IN SOA a.root-servers.net. dns-ops.arin.net. 2010011516 1800 900 691200 10800

    ;; Query time: 74 msec
    ;; SERVER: 192.168.1.231#53(192.168.1.231)
    ;; WHEN: Fri Jan 15 18:09:22 2010
    ;; MSG SIZE rcvd: 108
  • by Tim Harris,

    Tim Harris Jan 15, 2010 4:14 PM in response to Berylium
    Level 4 (1,460 points)
    Sorry, I'm a jerk. Should have asked for *dig -x 69.15.172.243*
  • by Berylium,

    Berylium Jan 15, 2010 4:24 PM in response to Tim Harris
    Level 1 (5 points)
    No problem at all, here are the new results:

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 69.15.172.243
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15616
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;243.172.15.69.in-addr.arpa. IN PTR

    ;; AUTHORITY SECTION:
    172.15.69.in-addr.arpa. 3600 IN SOA mail1.rresford.com. hostmaster.rresford.com. 2 900 600 86400 3600

    ;; Query time: 5 msec
    ;; SERVER: 192.168.1.231#53(192.168.1.231)
    ;; WHEN: Fri Jan 15 18:22:02 2010
    ;; MSG SIZE rcvd: 109



    Seeing "mail1.rresford.com" in there is disconcerting; that's an old Exchange server that's still running on the network and may at one time have had the same external IP as the SL server.

    -Berylium