Latest reply: Jun 26, 2006 8:13 PM by davidh
Hi, Tony, welcome to the club.
I've been unable to change passwords on my 10.4 server since last autumn. There have been a couple of threads on the subject in these forums but to my knowledge no solutions have come up. Fortunately this server is just used by the family but if this were a business critical application then I would be sunk.
Just for info I'm using Netinfo, not Open Directory, so this does not seem to be an issue.
Does anyone at Apple have a guilty conscience about an OS upgrade or security patch released towards the end of last year?
Jun 16, 2006 7:02 AM (in response to Gordon Maynard)
I need the server for business, have 15 new staff waiting for passwords, 2 more waiting for password resets, and have been dealing with AppleCare for ages and provided them with lots and lots of requested info.
Just to check and make sure, when you're running Workgroup Manager,
does it say at the top (beside the blue globe at the left-hand edge underneath "Admin, Sharing, Network, etc." :
(all one line)
Authenticated as <youropendirectoryadmin_name> to directory: /LDAPv3/127.0.0.1
On the server, open the Terminal, and enter:
sudo killall -USR1 DirectoryService
This will start verbose logging from DirectoryService.
(The password expected will be of the original admin account used when setting up the server).
Then try authenticating to/in Workgroup Manager,
and then either use Console.app to open the log, or in a Terminal window enter:
tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log
And see what that tells you.
Be sure to once again issue:
sudo killall -USR1 DirectoryService
to shut off the verbose logging when done.
Thanks for the reply, David,
Is this what you were looking for?
2006-06-17 18:17:16 BST - Internal Dispatch, API: dsDoAttributeValueSearchWithData(), NetInfo Used : DAR : Node Ref = 16777238 : Number of Found Records = 1 : Continue Data = 0 : Result code = 0
2006-06-17 18:17:16 BST - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
2006-06-17 18:17:16 BST - Unable to determine fPluginPtr from node table
2006-06-17 18:17:16 BST - Determined plugin ptr for call
2006-06-17 18:17:16 BST - Internal Dispatch, API: dsOpenDirNode(), NetInfo Used : DAC : Dir Ref = 16777218 : Node Name = /NetInfo/..
2006-06-17 18:17:16 BST - Determined plugin ptr used and returns result -14002
2006-06-17 18:17:16 BST - Internal Dispatch, API: dsOpenDirNode(), NetInfo Used : DAR : Dir Ref = 16777218 : Node Ref = 16958746 : Result code = -14002
2006-06-17 18:17:16 BST - * Error NULL plug-in pointer. Returning error = -14900.
2006-06-17 18:17:16 BST - Plug-in call "dsOpenDirNode()" failed with error = -14008.
2006-06-17 18:17:16 BST - Port: 0 Call: dsOpenDirNode() == -14008
2006-06-17 18:17:16 BST - Client: memberd, PID: 54, API: dsDoAttributeValueSearchWithData(), Search Used : DAR : Node Ref = 16777225 : Number of Found Records = 1 : Continue Data = 0 : Result code = 0
2006-06-17 18:17:16 BST - Client: memberd, PID: 54, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777217
2006-06-17 18:17:16 BST - Client: memberd, PID: 54, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777217 : Result code = 0
2006-06-17 18:17:16 BST - Client: memberd, PID: 54, API: dsDoAttributeValueSearchWithData(), Search Used : DAC : 1 : Node Ref = 16777225 : Requested Attr Type = dsAttrTypeStandard:PrimaryGroupID : Attr Match String = 20 : Attr Pattern Match:8193 = eDSExact : Requested Rec Types = dsRecTypeStandard:Groups
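A small triage script for the verbose DirectoryService.debug.log that the killall -USR1 procedure above produces, as an added example that is not part of this thread or of Apple's tooling: it parses lines in the shape Gordon posted, flags every call whose result code is non-zero, and annotates the three codes davidh explains in the thread (-14090, -14900, -14008); -14002 is left as "not described in thread" because the thread never explains it. The sample lines are constructed from the excerpt above, and the regular expressions are assumptions about the log format based only on those lines.

```python
import re
from collections import Counter

# Constructed sample: lines copied in the shape of the DirectoryService.debug.log
# excerpt posted in the thread (timestamps and reference numbers as posted there).
SAMPLE_LOG = """\
2006-06-17 18:17:16 BST - Internal Dispatch, API: dsDoAttributeValueSearchWithData(), NetInfo Used : DAR : Node Ref = 16777238 : Number of Found Records = 1 : Continue Data = 0 : Result code = 0
2006-06-17 18:17:16 BST - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
2006-06-17 18:17:16 BST - Internal Dispatch, API: dsOpenDirNode(), NetInfo Used : DAC : Dir Ref = 16777218 : Node Name = /NetInfo/..
2006-06-17 18:17:16 BST - Internal Dispatch, API: dsOpenDirNode(), NetInfo Used : DAR : Dir Ref = 16777218 : Node Ref = 16958746 : Result code = -14002
2006-06-17 18:17:16 BST - * Error NULL plug-in pointer. Returning error = -14900.
2006-06-17 18:17:16 BST - Plug-in call "dsOpenDirNode()" failed with error = -14008.
2006-06-17 18:17:16 BST - Port: 0 Call: dsOpenDirNode() == -14008
2006-06-17 18:17:16 BST - Client: memberd, PID: 54, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777217 : Result code = 0
"""

# Meanings quoted in this thread; any other code is reported as "not described in thread".
KNOWN_CODES = {
    -14090: "authentication failed",
    -14900: "Open Directory experienced a memory error",
    -14008: "specified node could not be found",
}

# Assumed line layout: "<date> <time> <tz> - <message>" (assumption from the excerpt).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+) - (?P<msg>.*)$")
# The API name appears after "API: ", "Call: " or 'call "' in the posted lines.
API_RE = re.compile(r'(?:API: |Call: |call ")(?P<api>ds\w+)\(\)')
# Result codes appear as "Result code = N", "error = N" or "== N".
CODE_RE = re.compile(r"(?:Result code = |error = |== )(?P<code>-?\d+)")


def parse_line(line):
    """Return a dict with timestamp, API name, result code and message, or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m.group("msg")
    api = API_RE.search(msg)
    code = CODE_RE.search(msg)
    return {
        "ts": m.group("ts"),
        "api": api.group("api") if api else None,
        "code": int(code.group("code")) if code else None,
        "msg": msg,
    }


def failed_calls(text):
    """Every parsed line carrying a non-zero result code, annotated with its meaning."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["code"] is not None and rec["code"] != 0:
            rec["meaning"] = KNOWN_CODES.get(rec["code"], "not described in thread")
            out.append(rec)
    return out


def summarize(text):
    """Count how often each non-zero result code appears, for a quick overview."""
    return Counter(rec["code"] for rec in failed_calls(text))


if __name__ == "__main__":
    for rec in failed_calls(SAMPLE_LOG):
        print(f'{rec["ts"]}  {rec["api"] or "-":<36} {rec["code"]:>7}  {rec["meaning"]}')
    print("counts:", dict(summarize(SAMPLE_LOG)))
```

Run it against a captured log with `python3 triage.py < /dev/null` after replacing SAMPLE_LOG with the file contents, or import `failed_calls` and feed it the output of the `tail -f` above; the point is to reduce a very chatty debug log to the handful of calls that actually failed and the node they failed on.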
Jun 17, 2006 1:55 PM (in response to Gordon Maynard)
Did you have any error messages of any kind when you originally promoted your server to Open Directory Master?
I wonder about that entry in the log posting referring to NetInfo.
When you're authenticating against OpenDirectory, it should be doing an LDAP lookup.
Did you check the little globe I mentioned in Workgroup Manager? It shows that you're authenticating to /LDAPv3/127.0.0.1, right?
Your original error number (-14090) means authentication failed, which we know already, of course.
-14900 is said to be a "memory error" which is a bit non-descript:
"Open Directory experienced a memory error"
However, the next error, -14008 is more interesting:
"Specified node could not be found"
(click on "Result Codes" in the left-hand frame).
Please launch /Applications/Utilities/Directory Access
Click on the tab for Authentication.
Ensure that you see
Search: Custom Path
with /LDAPv3/127.0.0.1 listed below
Also, check /Library/Logs/slapconfig.log
for error messages.
The only one you can safely ignore is regarding KDC, and "no policy specified"
Finally, as a worst-case scenario, you may need to demote the server to Standalone, and then re-promote it to OD Master. You'll lose any user accounts (and passwords) set up in OpenDirectory, as well as Sharepoints, but it might be necessary as the last available option.
Prior to re-promoting, be sure to verify forward and reverse DNS for your server of course.
Be sure not to edit /etc/hostconfig as some have mistakenly suggested elsewhere. If anything - if you must - add an entry in /etc/hosts for your server's fqdn and IP address.
Hi, David, thanks for your reply,
I perhaps should have been clearer that my server is using NetInfo, not Open Directory. Tony Mc, who started this particular thread, is using LDAP and it is interesting, and possibly significant, that we seem to be experiencing similar problems.
For completeness, my server is set up in the role of NetInfo Master. In answer to your question about authentication on WGM, the text by the small globe is "Authenticated as gordon to directory: /NetInfo/root"
Please let me know if you think there's anything else worth trying or checking.
If I export all user accounts from Workgroup Manager, do a demote and re-promote and re-import, will I only lose users' passwords or will I lose share points etc.?
Also, I have an LDAP backup from Feb, but there have been changes since then; which would be the better option?
NetInfo is deprecated for network user accounts and authentication.
I'd recommend against using it, vs. a proper Open Directory master for non-local user accounts (i.e. for anyone other than the original admin account created when first setting up the server).
If you can't authenticate to Open Directory, then you did not properly promote your server. When you do so (successfully), 10.4 Server Admin requires you to create a new Open Directory admin account & associated password.
One good suggestion is to add "od" (without quotes of course) to the beginning or end of your existing admin account-name, to be your OD admin account-name.
You can re-import your users, but passwords will be lost. Well, there's a way to export them and reimport them (see afp548.com), but I'd strongly recommend against that path.
You risk simply re-introducing problems. But this is really all much too vague for my comfort. How many users are you talking about ?
Launch /Applications/Utilities/NetInfo Manager, and look in
config > SharePoints
If you see them listed there, they should remain when demoted to Standalone, which destroys the existing OD LDAP config.
Of course, I can't emphasize enough the importance of a known-good backup before proceeding. That's just totally standard practice for real server management.
Thanks for your reply.
I agree with your views on Netinfo, on this network we authenticate on the local machines, the server authentication is just used for shares, mail and iChat.
That said, we do still have an issue about changing passwords which seems to affect both Open Directory and Netinfo servers which, IMHO if it is widespread, makes OSX Server not fit for purpose.
Jun 24, 2006 10:18 PM (in response to Gordon Maynard)
Gordon, your issue is not that OS X Server won't support what you want to do, but that something is wrong/damaged/corrupted/misconfigured.
I have a server I assist with, supporting more than your 57 users, running 10.4.x, and it's using NetInfo still. I'll be migrating the users to OpenDirectory as time allows, but the point being that I can still change user passwords without incident.
One thing that it could be Gordon:
run Server Admin, authenticate as your NetInfo admin (first/original admin account you setup), and click on Open Directory, then choose Settings (at the right-hand bottom), then Protocols (right hand top).
Is "Use SSL" selected ?
See if your SSL is expired or is believed to be.
You can shut off "Use SSL", although it's greatly preferable (of course).
You can generate another self-signed cert via Server Admin, but there are some very good tutorials on this as well at
Thanks for your two replies. I'm not sure what the issue is in the first reply, I know that NetInfo can support many users I was agreeing with the point I thought you were making that it is better to move forward to Open Directory. However, like the example you give, I just have not got round to it and given the current uncertainty over passwords I am worried that I might hit problems during the migration. It is also my assumption that something is wrong/damaged/corrupted/misconfigured, I've been posting here to try to find a solution.
The suggestion in your second post is very interesting, in fact the certificates on the server had all expired but in May 2006 so this postdates the start of this problem. The 'Use SSL' checkbox you describe is actually greyed out (unselected) in Server Admin.
Jun 26, 2006 8:13 PM (in response to Gordon Maynard)
You should probably generate a new certificate, at least for use for LDAP,
search for "ssl" at afp548.com
There's an article about using 10.4's Certificate Assistant, as well as one using the Terminal and openssl.