Berylium

Q: iChat Server, Can login with Adium but not with iChat

Since being able to login with Adium was not mentioned in the "iChat, login does not work" thread I started a new one.

I'm transitioning from a 10.5 server to a 10.6 server. On 10.5.8 my iChat server runs without hiccup but the 10.6.2 iChat server, with the same configuration, has problems. DNS is set up correctly with reverse lookup working as it should. I'll outline my results trying to connect to the server with iChat (client) and Adium from both inside and outside the server's private network with no firewall running.

Inside the network:
- iChat on 10.5.8
- When trying to log in, I'm told that my screen name or password is incorrect and asked to re-enter, which continues to fail. I am using the login id: username@server.domain.tld.
- The iChat server log reads:

Jan 13 20:55:33 sl jabberd/c2s[4357]: [7] [::ffff:192.168.1.173, port=55927] connect
Jan 13 20:55:33 sl jabberd/c2s[4357]: ODKVerifyClientRequestFixed: Unable to authenticate
Jan 13 20:55:33 sl jabberd/c2s[4357]: [7] [::ffff:192.168.1.173, port=55927] disconnect jid=unbound, packets: 0

- Adium
- With the same setup as iChat (client), when I try to connect I'm told "[the server] requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?" If I click "yes" I can connect to the server.
- The iChat server log reads:

Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: checking user "berylium" access for service "chat"
Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: mbrcheck_servicemembership returned 2
Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: no access restrictions found
Jan 13 21:02:28 sl jabberd/c2s[4357]: [7] SASL authentication succeeded: mechanism=PLAIN; authzid=john@sl.enco.re
Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: checking user "berylium" access for service "chat"
Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: mbrcheck_servicemembership returned 2
Jan 13 21:02:28 sl jabberd/c2s[4357]: odauth_check_servicemembership: no access restrictions found
Jan 13 21:02:28 sl jabberd/c2s[4357]: [7] bound: jid=berylium@[server.domain.tld]
Jan 13 21:02:28 sl jabberd/sm[4356]: session started: jid=berylium@[server.domain.tld]


Outside the network:
- iChat on 10.6.2
- iChat (client) acts exactly the same whether inside or outside the network

- Adium
- Adium asks me to type out my Kerberos identity; if I cancel that dialog I'm asked the same question as before about allowing plaintext authentication. And, again, if I allow plaintext authentication I can connect.

Since it was asked for in a similar post for iChat Server 10.5, here's the output from 'sudo serveradmin settings jabber' run from the server:

jabber:enableSavedChats = yes
jabber:authLevel = "ANYMETHOD"
jabber:jabberdDatabasePath = "/private/var/jabberd/sqlite/jabberd2.db"
jabber:sslCAFile = ""
jabber:hosts:arrayindex:0 = "sl.enco.re"
jabber:savedChatsLocation = "/var/jabberd/message_archives"
jabber:savedChatsArchiveInterval = 7
jabber:initialized = yes
jabber:dataLocation = ""
jabber:enableXMPP = no
jabber:eventLogArchiveInterval = 7
jabber:serviceMode = "ALL"
jabber:enableAutoBuddy = no
jabber:s2sRestrictDomains = no
jabber:logLevel = "ALL"
jabber:sslKeyFile = ""
jabber:requireSecureS2S = no
jabber:s2sAllowedDomains = emptyarray

It's so odd that Adium can connect but iChat cannot. Any help on this would be greatly appreciated!

thanks,

Berylium

2.66x4 Mac Pro, 2.8x8 Mac Pro, Mac OS X (10.6.2)

Posted on Jan 13, 2010 7:19 PM

  • by Tim Harris,

    Tim Harris Jan 15, 2010 4:30 PM in response to Berylium
    Level 4 (1,460 points)
    ;243.172.15.69.in-addr.arpa. IN PTR


    That is part of the problem you have. The reverse record is missing. You need a reverse record to point back to your server name.
  • by Berylium,

    Berylium Jan 15, 2010 4:41 PM in response to Tim Harris
    Level 1 (5 points)
    Weird, I thought the DNS was set up properly.

    Here's how it looks in Server Admin: http://gallery.me.com/berylium/100070/Screen%20shot%202010-01-15%20at%206.33.48%20PM/web.png?ver=12636022290001

    The following commands along with an external ping of sl.enco.re to the correct address made me think DNS was correct:

    sl:~ berylium$ hostname
    sl.enco.re

    sl:~ berylium$ host sl.enco.re
    sl.enco.re has address 192.168.1.231
    sl.enco.re mail is handled by 10 sl.enco.re.

    sl:~ berylium$ host 192.168.1.231
    231.1.168.192.in-addr.arpa domain name pointer sl.enco.re.

    So I definitely need to remove the mail1 server from DNS but is that the whole problem? I guess I don't see how, if it's a DNS problem, Adium can connect but iChat can't?

    -John
  • by Tim Harris,

    Tim Harris Jan 15, 2010 5:12 PM in response to Berylium
    Level 4 (1,460 points)
    Sorry, getting late. Ignore me. I forgot you were behind a NAT. Settings look good.

    Best to chat online soon, it will be quicker. Email me an IM address - anyone will do. tim at bumfodder.com.
  • by garyn,

    garyn Jan 19, 2010 12:15 PM in response to Tim Harris
    Level 1 (0 points)
    In other words, can you get down into your system and do the grunt work that you've already paid Apple to do with their overpriced, never performing server software?
  • by DMacKay,

    DMacKay Jan 21, 2010 10:32 AM in response to Berylium
    Level 1 (0 points)
    John,
    Have you had any success with this so far? We're doing the same thing here on an xServe and have the same Adium success/iChat failure.
  • by Berylium,

    Berylium Jan 21, 2010 11:50 AM in response to DMacKay
    Level 1 (5 points)
    DMacKay,

    Not yet, however, Tim and I are going to hammer on it this coming Monday the 25th (if schedules stay the same) and I'll definitely post the results.

    -John
  • by Tim Harris, Solved answer

    Tim Harris Jan 22, 2010 1:21 PM in response to Berylium
    Level 4 (1,460 points)
    So, the two of us looked at this offline. The problem was fixed by doing the following:

    Stop the iChat Server: sudo launchctl unload /System/Library/LaunchDaemons/org.jabber.jabberd.plist

    Edit the file /etc/jabberd/c2s.xml with a text editor and remove the <digest-md5/> option by commenting it out, thus: <!-- <digest-md5/> -->

    Restart the iChat server: sudo launchctl load /System/Library/LaunchDaemons/org.jabber.jabberd.plist

    This stops the iChat server from offering this mode of authentication, which is very sensitive to DNS settings, which in a test system are not always easy to have the way you want them.
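
Added example, not part of the thread and not Apple's or jabberd's code: once DIGEST-MD5 is no longer offered, the c2s log shows which SASL mechanism each login used and whether TLS was negotiated, so logins that sent the password with PLAIN over an unencrypted connection can be listed. The log lines below are constructed, modelled on the format quoted in this thread; the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines in the jabberd/c2s format quoted in this thread.
SAMPLE_LOG = """\
Jan 13 21:02:28 sl jabberd/c2s[4357]: [7] [::ffff:192.168.1.173, port=55927] connect
Jan 13 21:02:28 sl jabberd/c2s[4357]: [7] SASL authentication succeeded: mechanism=PLAIN; authzid=alice@chat.example.test
Jan 13 21:05:10 sl jabberd/c2s[4357]: [8] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=bob@chat.example.test, TLS negotiated
Jan 13 21:06:44 sl jabberd/c2s[4357]: [9] SASL authentication succeeded: mechanism=PLAIN; authzid=carol@chat.example.test, TLS negotiated
Jan 13 21:07:01 sl jabberd/c2s[4357]: ODKVerifyClientRequestFixed: Unable to authenticate
"""

AUTH_RE = re.compile(
    r"jabberd/c2s\[\d+\]: \[(?P<conn>\d+)\] SASL authentication succeeded: "
    r"mechanism=(?P<mech>[A-Z0-9-]+); authzid=(?P<authzid>[^,\s]+)"
    r"(?P<tls>, TLS negotiated)?"
)


def parse_auth_events(log_text):
    """Return one dict per successful SASL login found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append({
                "conn": int(m["conn"]),
                "mechanism": m["mech"],
                "authzid": m["authzid"],
                "tls": m["tls"] is not None,  # suffix present only when TLS was used
            })
    return events


def cleartext_logins(events):
    """Logins where PLAIN was used and no TLS was negotiated."""
    return [e for e in events if e["mechanism"] == "PLAIN" and not e["tls"]]


def mechanism_summary(events):
    """Count logins per (mechanism, tls) pair."""
    return Counter((e["mechanism"], e["tls"]) for e in events)


if __name__ == "__main__":
    events = parse_auth_events(SAMPLE_LOG)
    for (mech, tls), n in sorted(mechanism_summary(events).items()):
        print(f"{mech:12} tls={tls!s:5} logins={n}")
    for e in cleartext_logins(events):
        print(f"cleartext password login: {e['authzid']} (connection {e['conn']})")
```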
  • by daveinitiv,

    daveinitiv Feb 20, 2010 4:19 PM in response to Tim Harris
    Level 1 (0 points)
    Thanks. This fixed the login problem in iChat. Embarrassing that their own chat client won't work out of the box with their jabber server.
  • by davidh,

    davidh Feb 20, 2010 6:06 PM in response to daveinitiv
    Level 4 (1,890 points)
    Actually, it sounds like it was necessary to hack iChat in order to forgive (work-around) what is potentially a DNS and/or network configuration issue.

    http://www.faqs.org/rfcs/rfc2831.html

    On a client that was having the problem, what does

    $ cat /etc/resolv.conf

    show,
    and for the server, the same command ?

    and then on the client,

    $ dig your-server's.fqdn.com
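
Added example, not part of the thread: the RFC 2831 response calculation linked above, showing that the realm and the host name in digest-uri are inputs to the hash, which is why client and server have to agree on the server's name. The `server_verify` and `client_fields` helpers and the example.test / example.lan names are hypothetical; the thread does not establish which check failed on the poster's server.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce,
                        digest_uri, nc="00000001", qop="auth"):
    """Client response value from RFC 2831 section 2.1.2.1 (qop=auth, no authzid)."""
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd_input = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2).hex()}"
    return _h(kd_input.encode()).hex()


def client_fields(username, password, challenge_realm, host, nonce, cnonce):
    """Fields a client sends; `host` is the server name as the client resolved it."""
    uri = f"xmpp/{host}"
    return {"username": username, "realm": challenge_realm, "nonce": nonce,
            "cnonce": cnonce, "digest_uri": uri,
            "response": digest_md5_response(username, challenge_realm, password,
                                            nonce, cnonce, uri)}


def server_verify(fields, password, server_realm, server_host, service="xmpp"):
    """Hypothetical server-side check: compare the names first, then the hash."""
    if fields["realm"] != server_realm:
        return "reject: realm is not the one this server offered"
    if fields["digest_uri"] != f"{service}/{server_host}":
        return "reject: digest-uri names a different host"
    expected = digest_md5_response(fields["username"], fields["realm"], password,
                                   fields["nonce"], fields["cnonce"],
                                   fields["digest_uri"])
    ok = hmac.compare_digest(expected, fields["response"])
    return "accept" if ok else "reject: response mismatch"


if __name__ == "__main__":
    # Constructed values: the client reached the server as chat.example.test.
    f = client_fields("alice", "s3cret", "chat.example.test",
                      "chat.example.test", "n0nce", "cn0nce")
    print(server_verify(f, "s3cret", "chat.example.test", "chat.example.test"))
    # Same client, but the server believes its own name is chat.example.lan.
    print(server_verify(f, "s3cret", "chat.example.test", "chat.example.lan"))
```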
  • by davidh,

    davidh Feb 20, 2010 6:39 PM in response to davidh
    Level 4 (1,890 points)
    A stock setup of 10.6.2 server and 10.6.2 client with my home testing server, and this works just fine.

    I have correctly configured the server to answer for itself via DNS, and set up my client machine to use it as well, to ensure proper lookups via DNS.

    I'm also using a self-signed SSL cert exported and set as trusted on the client machine, but if so,
    that would be a critical component of a correctly configured setup. It can be done, it's a matter of understanding NAT & port-forwarding where one or both are involved, as well as appropriate external-facing DNS for the server's FQDN to match an existing publicly-available static IP.

    In my case, it's behind a firewall (and NAT) and using an RFC1918 address with a fake "TLD"
    but this is for testing purposes and no external access is required or intended.

    Please do take note: "SASL authentication succeeded: mechanism=DIGEST-MD5"


    Feb 20 21:26:20 staging jabberd/c2s[1087]: [8] [::ffff:172.16.2.4, port=57059] connect
    Feb 20 21:26:21 staging jabberd/c2s[1087]: [8] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=david@staging.slserverint.lan, TLS negotiated
    Feb 20 21:26:21 staging jabberd/c2s[1087]: odauth_check_servicemembership: checking user "david" access for service "chat"
    Feb 20 21:26:21 staging jabberd/c2s[1087]: odauth_check_servicemembership: mbrcheck_servicemembership returned 2
    Feb 20 21:26:21 staging jabberd/c2s[1087]: odauth_check_servicemembership: no access restrictions found
    Feb 20 21:26:21 staging jabberd/c2s[1087]: [8] bound: jid=david@staging.slserverint.lan/slserverD-MBP
    Feb 20 21:26:21 staging jabberd/sm[1085]: created user: jid=david@staging.slserverint.lan
    Feb 20 21:26:21 staging jabberd/sm[1085]: session started: jid=david@staging.slserverint.lan/slserverD-MBP
  • by daveinitiv,

    daveinitiv Feb 22, 2010 9:20 AM in response to davidh
    Level 1 (0 points)
    client:

    domain mydomain.com
    search maydomaint.com
    nameserver 10.75.6.11

    server:

    nameserver 127.0.0.1

    and dig:

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> salomo.mydomain.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18906
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;salomo.mydomain.com. IN A

    ;; ANSWER SECTION:
    salomo.mydomain.com. 10800 IN A 10.75.6.11

    ;; AUTHORITY SECTION:
    mydomain.com. 10800 IN NS salomo.mydomain.com.

    ;; Query time: 9 msec
    ;; SERVER: 10.75.6.11#53(10.75.6.11)
    ;; WHEN: Mon Feb 22 18:17:26 2010
    ;; MSG SIZE rcvd: 72

    I don't see any problems lying there, but maybe you can lighten us up.
  • by Kr3st,

    Kr3st May 16, 2010 2:09 PM in response to Tim Harris
    Level 1 (0 points)
    This fix also worked for me. Thanks again Tim. This isn't the first time you've helped / saved me.