This discussion is archived

eDSAuthFailed 14090

6623 Views 14 Replies Latest reply: Jun 26, 2006 8:13 PM by davidh RSS
Tony Mc Level 1 (0 points)
Jun 9, 2006 8:05 AM
When I'm in Workgroup Manager and I try to create a new user or modify a user using Open Directory I get eDSAuthFailed -14090. I did a search and found that other people had a similar problem, but is there a solution?
Several, Mac OS X (10.4)
  • Gordon Maynard Level 1 (55 points)
    Jun 15, 2006 12:56 PM (in response to Tony Mc)
    Hi, Tony, welcome to the club
    I've been unable to change passwords on my 10.4 server since last autumn. There have been a couple of threads on the subject in these forums but to my knowledge no solutions have come up. Fortunately this server is just used by the family but if this were a business critical application then I would be sunk.
    Just for info I'm using Netinfo, not Open Directory, so this does not seem to be an issue.
    Does anyone at Apple have a guilty conscience about an OS upgrade or security patch released towards the end of last year?
  • davidh Level 4 (1,890 points)
    Jun 16, 2006 2:36 PM (in response to Tony Mc)
    Just to check and make sure, when you're running Workgroup Manager,
    does it say at the top (beside the blue globe at the left-hand edge underneath "Admin, Sharing, Network, etc."):

    (all one line)

    Authenticated as <youropendirectoryadmin_name> to directory: /LDAPv3/127.0.0.1

    ?

    On the server, open the Terminal, and enter:

    sudo killall -USR1 DirectoryService

    This will start verbose logging from DirectoryService.
    (The password expected will be of the original admin account used when setting up the server).


    Then try authenticating to/in Workgroup Manager,
    and then use the Console.app to open
    /Library/Logs/DirectoryService/DirectoryService.debug.log
    or,

    in a Terminal window, enter:

    tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log

    And see what that tells you.

    Be sure to once again issue:

    sudo killall -USR1 DirectoryService

    to shut off the verbose logging when done.
  • Gordon Maynard Level 1 (55 points)
    Jun 17, 2006 10:21 AM (in response to davidh)
    Thanks for the reply, David,
    Is this what you were looking for?
    2006-06-17 18:17:16 BST - Internal Dispatch, API: dsDoAttributeValueSearchWithData(), NetInfo Used : DAR : Node Ref = 16777238 : Number of Found Records = 1 : Continue Data = 0 : Result code = 0
    2006-06-17 18:17:16 BST - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
    2006-06-17 18:17:16 BST - Unable to determine fPluginPtr from node table
    2006-06-17 18:17:16 BST - Determined plugin ptr for call
    2006-06-17 18:17:16 BST - Internal Dispatch, API: dsOpenDirNode(), NetInfo Used : DAC : Dir Ref = 16777218 : Node Name = /NetInfo/..
    2006-06-17 18:17:16 BST - Determined plugin ptr used and returns result -14002
    2006-06-17 18:17:16 BST - Internal Dispatch, API: dsOpenDirNode(), NetInfo Used : DAR : Dir Ref = 16777218 : Node Ref = 16958746 : Result code = -14002
    2006-06-17 18:17:16 BST - * Error NULL plug-in pointer. Returning error = -14900.
    2006-06-17 18:17:16 BST - Plug-in call "dsOpenDirNode()" failed with error = -14008.
    2006-06-17 18:17:16 BST - Port: 0 Call: dsOpenDirNode() == -14008
    2006-06-17 18:17:16 BST - Client: memberd, PID: 54, API: dsDoAttributeValueSearchWithData(), Search Used : DAR : Node Ref = 16777225 : Number of Found Records = 1 : Continue Data = 0 : Result code = 0
    2006-06-17 18:17:16 BST - Client: memberd, PID: 54, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777217
    2006-06-17 18:17:16 BST - Client: memberd, PID: 54, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777217 : Result code = 0
    2006-06-17 18:17:16 BST - Client: memberd, PID: 54, API: dsDoAttributeValueSearchWithData(), Search Used : DAC : 1 : Node Ref = 16777225 : Requested Attr Type = dsAttrTypeStandard:PrimaryGroupID : Attr Match String = 20 : Attr Pattern Match:8193 = eDSExact : Requested Rec Types = dsRecTypeStandard:Groups

    Gordon.
  • davidh Level 4 (1,890 points)
    Jun 17, 2006 1:55 PM (in response to Gordon Maynard)
    Did you have any error messages of any kind when you originally promoted your server to Open Directory Master ?

    I wonder about that entry in the log posting referring to NetInfo.
    When you're authenticating against OpenDirectory, it should be doing an LDAP lookup.

    Did you check the little globe I mentioned in Workgroup Manager? It shows that you're authenticating to /LDAPv3/127.0.0.1, right?

    Your original error number (-14090) means authentication failed. Which we know already of course.

    -14900 is said to be a "memory error" which is a bit non-descript:
    "Open Directory experienced a memory error"

    However, the next error, -14008 is more interesting:
    "Specified node could not be found"

    http://developer.apple.com/documentation/Networking/Reference/OpenDirectory_Ref/index.html?http://developer.apple.com/documentation/Networking/Reference/Open_DirectoryRef/Reference/reference.html

    (click on "Result Codes" in the left-hand frame).



    Please launch /Applications/Utilities/Directory Access

    Click on the tab for Authentication.
    Ensure that you see
    Search: Custom Path
    with /LDAPv3/127.0.0.1 listed below

    Also, check /Library/Logs/slapconfig.log

    for error messages.
    The only one you can safely ignore is regarding KDC, and "no policy specified"


    Finally, as a worst-case scenario, you may need to demote the server to Standalone, and then re-promote it to OD Master. You'll lose any user accounts (and passwords) setup in OpenDirectory, as well as Sharepoints, but it might be necessary as the last available option.

    Prior to re-promoting, be sure to verify forward and reverse DNS for your server of course.
    Be sure not to edit /etc/hostconfig as some have mistakenly suggested elsewhere. If anything - if you must - add an entry in /etc/hosts for your server's fqdn and IP address.
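
Added example, not part of the original thread: a small shell helper that tallies the failing result codes in a DirectoryService debug log and labels them with the meanings given in the reply above. The function names (ds_code_meaning, ds_failures, ds_sample_log) are hypothetical, and the sample input is excerpted from the log posted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): tally the non-zero DirectoryService
# result codes in a debug log captured while verbose logging was on.

# Meanings exactly as given in the thread; other codes stay unlabelled.
ds_code_meaning() {
    case "$1" in
        -14090) echo "authentication failed" ;;
        -14900) echo "Open Directory experienced a memory error" ;;
        -14008) echo "Specified node could not be found" ;;
        *)      echo "not explained in this thread" ;;
    esac
}

# ds_failures FILE -> one line per code: "<code> x<count>  <meaning>"
ds_failures() {
    # The log spells a result four ways; only negative (failing) codes match.
    sed -n -E 's/.*(Result code = |error = |returns result |== )(-[0-9]+).*/\2/p' "$1" |
    sort | uniq -c | sort -rn |
    while read -r count code; do
        printf '%s x%s  %s\n' "$code" "$count" "$(ds_code_meaning "$code")"
    done
}

# Sample input: lines excerpted from the log posted earlier in the thread.
ds_sample_log() {
    cat <<'EOF'
2006-06-17 18:17:16 BST - Determined plugin ptr used and returns result -14002
2006-06-17 18:17:16 BST - Internal Dispatch, API: dsOpenDirNode(), NetInfo Used : DAR : Dir Ref = 16777218 : Node Ref = 16958746 : Result code = -14002
2006-06-17 18:17:16 BST - * Error NULL plug-in pointer. Returning error = -14900.
2006-06-17 18:17:16 BST - Plug-in call "dsOpenDirNode()" failed with error = -14008.
2006-06-17 18:17:16 BST - Port: 0 Call: dsOpenDirNode() == -14008
2006-06-17 18:17:16 BST - Client: memberd, PID: 54, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777217 : Result code = 0
EOF
}

tmp=$(mktemp) && ds_sample_log > "$tmp" && ds_failures "$tmp"
rm -f "$tmp"
```

On the server itself, pass /Library/Logs/DirectoryService/DirectoryService.debug.log to ds_failures after reproducing the failure, then send USR1 again to turn verbose logging back off.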
  • Gordon Maynard Level 1 (55 points)
    Jun 18, 2006 1:22 PM (in response to davidh)
    Hi, David, thanks for your reply,
    I perhaps should have been clearer that my server is using NetInfo, not Open Directory. Tony Mc, who started this particular thread, is using LDAP and it is interesting, and possibly significant, that we seem to be experiencing similar problems.
    For completeness, my server is set up in the role of NetInfo Master. In answer to your question about authentication on WGM, the text by the small globe is "Authenticated as gordon to directory: /NetInfo/root"
    Please let me know if you think there's anything else worth trying or checking.
    Regards,
    Gordon.
  • davidh Level 4 (1,890 points)
    Jun 19, 2006 7:55 PM (in response to Tony Mc)
    To Gordon:

    NetInfo is deprecated for network user accounts and authentication.
    I'd recommend against using it, vs. a proper Open Directory master for non-local user accounts (ie: for anyone other than original admin account created when first setting up the server).

    If you can't authenticate to Open Directory, then you did not properly promote your server. When you do so (successfully), 10.4 Server Admin requires you to create a new Open Directory admin account & associated password.
    One good suggestion is to add "od" (without quotes of course) to the beginning or end of your existing admin account-name, to be your OD admin account-name.

    To TonyMC:

    You can re-import your users, but passwords will be lost. Well, there's a way to export them and reimport them (see afp548.com), but I'd strongly recommend against that path.

    You risk simply re-introducing problems. But this is really all much too vague for my comfort. How many users are you talking about ?

    Launch /Applications/Utilities/NetInfo Manager, and look in
    config > SharePoints

    If you see them listed there, they should remain when demoted to Standalone, which destroys the existing OD LDAP config.

    Of course, I can't emphasize enough the importance of a known-good backup before proceeding. That's just totally standard practice for real server management.
  • Gordon Maynard Level 1 (55 points)
    Jun 23, 2006 3:33 PM (in response to davidh)
    David,
    Thanks for your reply.
    I agree with your views on NetInfo; on this network we authenticate on the local machines, and the server authentication is just used for shares, mail and iChat.
    That said, we do still have an issue about changing passwords which seems to affect both Open Directory and NetInfo servers, which, IMHO, if it is widespread, makes OS X Server not fit for purpose.
    Gordon.
  • davidh Level 4 (1,890 points)
    Jun 24, 2006 10:18 PM (in response to Gordon Maynard)
    Gordon, your issue is not that OS X Server won't support what you want to do, but that something is wrong/damaged/corrupted/misconfigured.

    I have a server I assist with, supporting more than your 57 users, running 10.4.x, and it's using NetInfo still. I'll be migrating the users to OpenDirectory as time allows, but the point being that I can still change user passwords without incident.
  • davidh Level 4 (1,890 points)
    Jun 25, 2006 7:49 PM (in response to davidh)
    One thing that it could be Gordon:

    run Server Admin, authenticate as your NetInfo admin (first/original admin account you setup), and click on Open Directory, then choose Settings (at the right-hand bottom), then Protocols (right hand top).

    Is "Use SSL" selected ?

    See if your SSL is expired or is believed to be.

    You can shut off "Use SSL" although it's greatly preferable (of course).
    You can generate another self-signed cert via Server Admin, but there are some very good tutorials on this as well at
    afp548.com
  • Gordon Maynard Level 1 (55 points)
    Jun 26, 2006 8:43 AM (in response to davidh)
    Hi, David,
    Thanks for your two replies. I'm not sure what the issue is in the first reply; I know that NetInfo can support many users; I was agreeing with the point I thought you were making that it is better to move forward to Open Directory. However, like the example you give, I just have not got round to it and given the current uncertainty over passwords I am worried that I might hit problems during the migration. It is also my assumption that something is wrong/damaged/corrupted/misconfigured; I've been posting here to try to find a solution.
    The suggestion in your second post is very interesting; in fact the certificates on the server had all expired, but in May 2006, so this postdates the start of this problem. The 'Use SSL' checkbox you describe is actually greyed out (unselected) in Server Admin.
  • davidh Level 4 (1,890 points)
    Jun 26, 2006 8:13 PM (in response to Gordon Maynard)
    You should probably generate a new certificate, at least for use for LDAP,

    search for "ssl" at afp548.com

    There's an article about using 10.4's Certificate Assistant, as well as one using the Terminal and openssl.
