odx

Q: Cannot create users in Server 3.0.1

When I try to add users in Server 3.0.1, I am continuing to experience this error:

"Existing connection is not authenticated: password change denied"

I tried fixing it by:

http://support.apple.com/kb/TS5289?viewlocale=en_US&locale=en_US

But this did not help.

Any hints what's wrong here?

Mac mini, OS X Server

Posted on Nov 19, 2013 12:00 AM


  • by Lunchbox LP,

    Level 1 (0 points)
    Nov 20, 2013 4:56 PM in response to odx

    Here's what I discovered just a few hours ago.

    I had created a new Mavericks Server install, done the migration wizard from 10.6.8 and got the same errors. "Existing connection is not authenticated. Password change denied". Performed sudo touch /var/db/openldap/migration/.rekerberize, yada yada.

    http://support.apple.com/kb/TS5289

    Then I ran through the whole gamut of troubleshooting and narrowed it down to this:

    Before starting, make an archive of your previous OD (SL or Lion). After doing the migration your users may not be there and you have to reimport the LDAP again, sometimes after step 2 below.

    1. Double check your DNS service on the server you're building. Make sure any test DNS names and real DNS names have correct corresponding IP addresses. I used two so I could switch back and forth between names and IPs. Set your local DNS in the Network control panel to 127.0.0.1 so it's referencing itself while you build.

    2. Double check your host name under 'fileserver' and correct any errors. The local and domain names have to match. Example: fileserver.local, fileserver.my.domain.com. Verify all hostnames and IP addresses and make sure they match in the DNS service. Use the changeip command in Terminal if you wish, but under 'Fileserver' in the Server.app menu it works fine. After this you may need to re-import from your original server's LDAP archive.

    3. Run the "touch" commands listed above.

    4. Reboot.

    5. Archive your directory again and name it for reference. Save it to a flash drive so you can use it again if you need to rebuild later (you probably won't).

    6. (here's the kicker) Turn off OD and look at your certificates in Server.app. Generate a new self-signed certificate and assign everything to that. You might need to stop OD to change its cert. Delete any expired or unused certificates. Rerun the touch commands and reboot (to be sure).

    7. Reimport from the LDAP archive you just saved.

    8. Go through your users and edit server access. (Trick: hold down the Option key to turn them all on per user with a single click.) I was able to add users, edit users and connect on AFP and SMB.

    After I did this it all worked, even adding users. I even did a fresh build of Mavericks server and was able to just import from the new LDAP archive with no issues.

    (Note: If you end up making any changes to the hostname, IP address, etc., it appears you have to destroy Open Directory and redo it, creating a new certificate first, then import the archive again.)

    Hope that helps.
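
An added example, not code from this thread or from Apple: a POSIX shell script that automates the checks behind steps 1 and 2 above (forward and reverse DNS agree with the server's host name and IP, and the first label of the host name matches the computer name) so they can be run before destroying or re-importing the directory. It assumes dig(1) is installed; the scutil calls in the usage comment are macOS commands for reading the configured names, and the IP address and names used in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the hostname/DNS
# consistency that the Open Directory rebuild steps rely on.
# Assumes dig(1); scutil(1) in the usage comment is macOS-specific.

# normalize NAME: lowercase and strip the trailing dot dig puts on answers
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# dns_records_consistent FQDN IP FORWARD_ANSWER REVERSE_ANSWER
# Pure check on already-gathered answers: the forward A record must be IP
# and the reverse PTR must be FQDN. Returns 0 when both hold and prints
# each mismatch otherwise, so it can be tested without a resolver.
dns_records_consistent() {
    fqdn=$(normalize "$1"); ip=$2
    fwd=$(normalize "$3"); rev=$(normalize "$4")
    ok=0
    if [ "$fwd" != "$ip" ]; then
        echo "forward mismatch: $fqdn -> '$fwd' (expected $ip)"; ok=1
    fi
    if [ "$rev" != "$fqdn" ]; then
        echo "reverse mismatch: $ip -> '$rev' (expected $fqdn)"; ok=1
    fi
    return $ok
}

# labels_match FQDN LOCALNAME
# Step 2: the first label of the host name must equal the computer name
# (fileserver.my.domain.com vs fileserver.local).
labels_match() {
    [ "$(normalize "${1%%.*}")" = "$(normalize "${2%%.*}")" ]
}

# check_live FQDN IP LOCALNAME: gather live answers with dig, then run
# both checks. Exit status is that of the DNS record check.
check_live() {
    fwd=$(dig +short A "$1" | head -n 1)
    rev=$(dig +short -x "$2" | head -n 1)
    labels_match "$1" "$3" || echo "computer name '$3' does not match host name '$1'"
    dns_records_consistent "$1" "$2" "$fwd" "$rev"
}

# Usage on the server itself (macOS; 192.0.2.10 is a placeholder address):
#   check_live "$(scutil --get HostName)" 192.0.2.10 "$(scutil --get LocalHostName)"
```

Run it with the server's own DNS (127.0.0.1, as step 1 sets) as the resolver, since that is the view Open Directory and Kerberos will get; a clean run before step 3 avoids rebuilding against a name that later has to change.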

  • by gooberk,

    Level 1 (14 points)
    Nov 27, 2013 7:27 AM in response to odx

    I had this problem too. Ran this fix and it worked. The part this doesn't say is you have to have Server.app running as you run the sudo in Terminal. Then RESTART Server.app.

    http://support.apple.com/kb/TS5289

    worked like a charm.

  • by odx,

    Level 1 (5 points)
    Nov 27, 2013 11:32 PM in response to gooberk

    Hi,

    I am still stuck with this issue. Unfortunately I do not have a backup of my pre-Mavericks LDAP data.

    Thanks for your input anyways...

  • by MacTurtleInRome,

    Level 1 (4 points)
    Nov 29, 2013 6:14 AM in response to odx

    Hi, tonight I found the solution without reinstalling OS X Mavericks.

    After the upgrade, I could not create users in network server 3.0.1.

    I solved it.

    In my case, I realized that after destroying the OD from the configuration panel in Server app, it was still visible in Directory Utility and in the Users & Groups pane of System Preferences (check Login Options: the green light should be on next to Server network account, even after destroying the OD in Server.app).

    I pressed the Edit button next to Server network account and I found Server.local still turned on as Open Directory Service.

    I suggest doing the following; it worked for me:

    DESTROY THE OPEN DIRECTORY IN SERVER.APP (YOU CAN ARCHIVE, BUT YOU WILL HAVE TO CREATE A FULLY NEW OPEN DIRECTORY ANYWAY).

    TURN OFF THE OPEN DIRECTORY SERVICE.

    DELETE ALL DNS RECORDS: ALL RECORDS AND ALL ZONES! DO NOT TURN OFF THE SERVICE!

    OPEN DIRECTORY UTILITY (IN SYSTEM PREFERENCES OR DIRECTLY FROM SERVER.APP).

    TO EDIT, LOG IN AS ADMINISTRATOR BY PRESSING THE USUAL PADLOCK ON BOTTOM LEFT CORNER OF THE PANEL AND CLICK TWICE ON LDAPv3.

    YOU SHOULD FIND THE DIRECTORY STILL IN THE LIST! (SHOULD BE 127.0.0.1 AS DEFAULT) IS IT SO? SELECT AND DESTROY!!!

    GO BACK TO SERVER.APP AND CREATE A NEW DOMAIN. FOR EXAMPLE :

    COMPUTER NAME: SERVER.LOCAL

    HOST NAME: SERVER.MYDOMAIN.PRIVATE

    I HAVE A VPN. TO BE SURE, I MATCHED COMPUTER NAME AND HOST NAME.

    IN MY CASE: "SERVER", AND I LEFT THE SAME IP THAT I HAD BEFORE.

    FOLLOW ALL THE STEPS FOR THE CREATION OF THE NEW DOMAIN AS SUGGESTED BY SERVER.APP, INCLUDING THE UPDATE OF DNS SERVICE.

    AFTER THIS STEP, AS USUAL, SERVER.APP GENERATES A NEW ALERT.

    CHECK THE ALERT SERVICE IN THE SIDEBAR: “THE HOST NAME IS CHANGED”.

    DOUBLE CLICK ON ALERT AND CLICK THE "RECOVERY" BUTTON.

    THE GREEN CONTROL SIGN SHOULD APPEAR, AFTER SERVICES UPDATING.

    CHECK THE DNS: SERVER.APP CREATED THE PRIMARY AND SECONDARY ZONES WITH THE NEW NAME SERVER AND THE COMPUTER, EVEN IN THE REVERSE ZONE.

    NOW ACTIVATE OPEN DIRECTORY SERVICE.

    IT SHOULD START FROM SCRATCH AND FULLY FUNCTIONAL.

    YOU CAN CREATE A NEW ADMINISTRATOR ACCOUNT AND EVERYTHING GOES.

    PLEASE, LET ME KNOW IF IT WORKS FOR SOMEBODY ELSE.

    THANK YOU

  • by coqenstock,

    Level 1 (0 points)
    Jan 6, 2014 2:35 PM in response to Lunchbox LP

    This worked fine, thanks for the workaround

  • by odx,

    Level 1 (5 points)
    Jan 6, 2014 10:41 PM in response to MacTurtleInRome

    ATTENTION

    This has been proved to break your previous group names at least for the wiki server.

    The wiki copies the groups along with their UUIDs into the collab PostgreSQL database. When you recreate the groups with identical names, the wiki server does not update the group IDs in the DB.

  • by odx,

    Level 1 (5 points)
    Jan 7, 2014 11:18 PM in response to odx

    Please refer to https://discussions.apple.com/message/24077593#24077593 on how to fix the Group IDs after recreating the groups in the Open Directory.

  • by Will Pekelharing,

    Level 1 (0 points)
    May 13, 2014 7:52 AM in response to odx

    Just reinstalling the Open Directory did the trick for me.

  • by RHartman,

    Level 1 (90 points)
    May 13, 2014 2:11 PM in response to Will Pekelharing

    Did you have to remake all of your users, etc?

  • by MacTurtleInRome,

    Level 1 (4 points)
    May 13, 2014 3:04 PM in response to RHartman

    I did.