tjbu

Q: Can't authenticate diradmin - how to debug?

I've got a Mac mini running ML 10.8 and Server.app 2.2.1 and for several months I've had no problems. Yesterday, I wanted to change a user password and found that I can't seem to authenticate as diradmin anymore. A simple reboot doesn't fix the problem. I suspect this might have broke with the 2.2.1 Server.app update but I don't know for sure.

 

I've googled high and low and have verified all the easy stuff - DNS is correct, I verified using dscl that the diradmin password is correct; I've actually tried changing the diradmin password but that didn't help.

 

The only relevant log file entries seem to be these:

 

servermgr_accounts: got error 5000 trying to auth to local LDAP node

 

and

 

opendirectoryd[40]: GSSAPI Error:  Miscellaneous failure (see text (Message stream modified)

 

I've googled those errors and read all the revelant discussions but nothing seems to help me. Any ideas on how to debug this?

 

Thanks in advance.

Mac mini, OS X Mountain Lion (10.8.3)

Posted on Mar 21, 2013 6:20 AM

Close

Q: Can't authenticate diradmin - how to debug?

  • All replies
  • Helpful answers

Page 1 Next
  • by UptimeJeff,Helpful

    UptimeJeff UptimeJeff Mar 21, 2013 6:58 AM in response to tjbu
    Level 4 (3,477 points)
    Mar 21, 2013 6:58 AM in response to tjbu

    In the Server app, under Tools, open Directory Utility

    Click the lock to unlock

     

    In Services, double-click LDAPv3

    Delete the 127.0.0.1 entry

    Then click New to re-bind

         Server Name or IP:  127.0.0.1

         Accept all defaults.

         No need to enter Directory Admnistrator/Password

    Quit Directory Utility

    See if that fixes it.

     

    If not fixed, follow the steps here to reset the diradmin PW

    http://support.apple.com/kb/HT1194

  • by tjbu,

    tjbu tjbu Mar 21, 2013 7:55 AM in response to UptimeJeff
    Level 1 (0 points)
    Mar 21, 2013 7:55 AM in response to UptimeJeff

    That seems to have fixed it to some degree. I can now authenticate as diradmin from Directory Utility and Workgroup Manager but Server.app cannot add or remove users nor can it Reset Password on any users. I can reset the user password through Workgroup Manager though.

     

    The previous Services entry in Directory Utility was using SSL while this one defaults to not. I compared it to another Server instance where everything is working and it was set up with SSL and custom port set to 389. I tried that and it continues to work but it doesn't fix the Server.app problem.

     

    There don't appear to be any useful error messages in regards to Server.app not working either. Any ideas there?

     

    Thanks.

  • by UptimeJeff,

    UptimeJeff UptimeJeff Mar 21, 2013 7:59 AM in response to tjbu
    Level 4 (3,477 points)
    Mar 21, 2013 7:59 AM in response to tjbu

    See if this helps...

     

    In Server app, hit command-n to make a new server connection.

    Choose Other Mac, and enter:  127.0.0.1 along with your diradmin user/pw

  • by tjbu,

    tjbu tjbu Mar 21, 2013 8:21 AM in response to UptimeJeff
    Level 1 (0 points)
    Mar 21, 2013 8:21 AM in response to UptimeJeff

    No improvement. The new instance behaves the same as the old. I am seeing this error though:

     

    3/21/13 11:18:57.201 AM servermgrd[122]: servermgr_accounts: Couldn't find keychain entry for local computer record

  • by UptimeJeff,

    UptimeJeff UptimeJeff Mar 21, 2013 8:42 AM in response to tjbu
    Level 4 (3,477 points)
    Mar 21, 2013 8:42 AM in response to tjbu

    quit server app and delete its prefs

    rm ~/Library/Preferences/com.apple.Server.v2.plist

     

    Also delete any keychain entries for "Mac OS X Server Administration"

  • by tjbu,

    tjbu tjbu Mar 21, 2013 8:57 AM in response to UptimeJeff
    Level 1 (0 points)
    Mar 21, 2013 8:57 AM in response to UptimeJeff

    Sorry, that didn't help. Logging in as either an administrator user or as diradmin still does not allow adding users. I just re-verified that using Workgroup Manager does still work and I can still authenticate as diradmin there.

  • by UptimeJeff,

    UptimeJeff UptimeJeff Mar 21, 2013 9:19 AM in response to tjbu
    Level 4 (3,477 points)
    Mar 21, 2013 9:19 AM in response to tjbu

    Do you have server app set to show All Users, Local Network Users or Local Users ?

    Try switching it from one of those to another and see if any of them work.

     

    if not, your logs must have a clue... please check.

  • by tjbu,

    tjbu tjbu Mar 21, 2013 11:06 AM in response to UptimeJeff
    Level 1 (0 points)
    Mar 21, 2013 11:06 AM in response to UptimeJeff

    In Server.app, switching from All, Local, or Local Network Users doesn't improve things. In each case, I can't add or remove users (+ and - disabled). For Local Users, if one is selected, all options in the Gear pulldown are available. For Local Network Users, only the top three Gear options are available (User, Access, Mail).

     

    There is this error but I don't have Messages enabled in Server.app:

     

    Error reading data store for Messages service

     

    and still this one though I didn't notice the middle line before because Console.app is not showing it while the raw system.log is!:

     

    servermgrd[122]: servermgr_accounts: Couldn't find keychain entry for local computer record

    servermgrd[122]: -[AccountsRequestHandler(AccountsOpenDirectoryHelpers) authLocalLDAP]: Local LDAP node authentication credentials could not be found

    servermgrd[122]: servermgr_accounts: Couldn't find keychain entry for local computer record

  • by aliveonearth,

    aliveonearth aliveonearth Jul 29, 2013 4:33 AM in response to tjbu
    Level 1 (0 points)
    Jul 29, 2013 4:33 AM in response to tjbu

    Im having an identical problem again now.

    Its been an ongoing nightmare to get this runnig certainly no worth the time I have put into it.

     

    Im considering either disabling open directly completly and just given every one a local account

    or tryign to upgrade to 10.8

     

    any ideas on how painfull the 10.7 to 10.8 upgrade is. ?

     

    My understandign is that they have done away with server Admin in 10.8 and now added open directory  into server.app, This intergration should have fixed some of these issues.

  • by aliveonearth,

    aliveonearth aliveonearth Jul 29, 2013 5:03 AM in response to aliveonearth
    Level 1 (0 points)
    Jul 29, 2013 5:03 AM in response to aliveonearth

    Ok .. he we go again .

     

    What appear to have happend is mac ports has added a new user.

    The result of that on my system is instant death see pervious posts

     

    Kerbrose server stops .... system fails..

  • by Michael Priestley,

    Michael Priestley Michael Priestley Nov 15, 2013 1:06 AM in response to tjbu
    Level 1 (35 points)
    Nov 15, 2013 1:06 AM in response to tjbu

    I have the same experience with an upgrade to 10.9 where all my 1500 network users/groups in Server v3.01 are not editable and not addable and password reset is not showing. WGM works as usual and adds users and changes passwords etc which just as well or we would be totally out of action. I had this happen with the last upgrades to Lion and Mountain Lion and I fear I'm going to have to repeat the procedure that fixed it before. Make a clone of your drive as a back up to this if it goes wrong.

        First of all export all the services and lists you can possibly do in WGM, select all users apart from your diradmin and all the other groups computer lists and such like. You can also at this stage export the archive of your existing OD master if you want but I found that in my case importing the OD archive back into a newly created OD master just brought back the original problems.

         Delete your Open directory and recreate  a new master one with a new Directory Admin short name other than diradmin i.e. mladmin(just so you know that everything is new etc). Go to Server app and see if you can add or edit users by adding a test account(I found it was functioning as expected).

         Check you can log into WGM using your new directory admin name. If all is well and test user can log/in/out import all your users/computer lists and other data from your WGM exports back into WGM. You will have to reset all the passwords for the network users but this is easy enough to do. All the new imported users should appear in server App accounts and they will be editable and all settings working. Its a bit of a task to do all this but it did restore the functionality of server app. Good luck!

  • by ozialien,

    ozialien ozialien Jul 20, 2014 2:34 AM in response to Michael Priestley
    Level 1 (0 points)
    Jul 20, 2014 2:34 AM in response to Michael Priestley

    Hope this helps somebody:

     

    I found its "NONE OF THE ABOVE".

     

    In my case its cased by the client not setting the relm correctly.  It was using diradmin@127.0.0.1 instead of diradmin@<my dns server name>.

     

    1. Grabbing a Kerberos Ticket via GSAPI interface required diradmin@<my dns server name> and it would fail to get credentials from diradmin@127.0.0.1
    2. Ticket is send to the LDAP server which then checks the ticket signature and allows access.

     

    For Simple Authentication <username>/<password>   clients seem to be forbidden by internal setting.  Which kinda explains the older versions mentioned above switching off those settings.

     

    For OSX Server 3.x.x it seems to be one you have moved passed simple and enable the others restoring the database puts you in the deadlock state of not knowing kerberos will be highly fussy about the realm <dns server name> instead of what the client software defaults to when using simple authentication.

     

    So restoring the proper realm as a client you can go backwards enabling simple authentication again, without restarting restoring databases etc.....

  • by Picoscope,

    Picoscope Picoscope Nov 6, 2014 1:35 PM in response to tjbu
    Level 1 (14 points)
    Servers Enterprise
    Nov 6, 2014 1:35 PM in response to tjbu

    Tjbu, did you ever find the complete solution for this issue? I'm wrestling with the same issue, have tried everything other than the drastic measures suggested by Michael Priestley above and would rather avoid that if possible.

     

    Thanks!

     

    Paul

  • by ndsvfx,

    ndsvfx ndsvfx Nov 6, 2014 7:23 PM in response to Picoscope
    Level 1 (15 points)
    Nov 6, 2014 7:23 PM in response to Picoscope

    After doing a 10.10 plus server 4.0 update I had to reset diradmin password.

     

    Mac OS X Server: How to reset the Open Directory administrator password - Apple Support

Page 1 Next