Q: Can't create Local Network Users in Yosemite

You're not alone with this issue. I have been to see a client who upgraded to Yosemite for external reasons, and then found he needed to upgrade his server install to v4. Since then, he cannot login to any user account, except as server admin.

Not quite true - the only pre-existing account that works as it did before is from a PC. All Mac accounts cannot connect.

Further too, he also has the problem where logging in as diradmin on the server does not allow him to change passwords for users, or add a new user. The new user can be created, but the account cannot be accessed by the user.

All since upgrade to Yosemite + Mac OS X Server 4.0

Any suggestions (we tried the delete the 'setupdone' file and renew server setup), but no go.

Hello everyone:

I just got off the phone with Apple tech support. This issue results from a security enhancement to the new Server 4.0. You need to authenticate the second time with your diradmin account for open directory as opposed to your local server manager account. I.e. diradmin and the password you set for it. Was fortunate to get a great Apple engineer on the line who had the right answer on the spot.

Cheers,

Jean-Jerome

Thanks Jean-Jerome...

How do you authenticate "the second time"?   I tried going under "Connect to Server" under the server App menu named "Manage" and put in my diradmin info but this info just gets ignored.   If I quit server app and try opening it with the diradmin credentials, it won't let me in.  Only my server manager log-in lets me get past this point.  I also tried logging into directory utility with my diradmin log-in and although in authenticates, it does not resolve the problem of not being able to create user accounts in the server app.

Hi Dario:

You login normally to server manager with you normal credentials. Then you try to add the local network users, there will be the little lock symbol. You click to unlock and then it will ask you for the directory administrator name and password and you will have an option to enter that and add it to the keychain for future.

Worked one short for me. During the original install I had left the direct administrator username to the default of diradmin and then just entered the password I selected during the original open directory/server manager install.

Hope that helps.

Cheers,

Thanks again Jean-Jerome

I found the lock you directed me to and mine was already unlocked.  So I tried locking and then unlocking it again to see if that would work.   The correct diradmin credentials were already pre-filled from keychain and it unlocked as you stated.  However, it did not resolve the issue for me.  I can fill everything out about a new user but as soon as I hit the "create" button I get the message "existing connection is not authenticated or secure: password change denied".  I guess I will just have to stick with Mavericks server until I can get this resolved.

So I had this problem last night as well when I upgraded my 10.9.5 OD master to 10.10.

Two obvious problems after that upgrade:

1)  Could not add a new Local Network User

2)  Existing users could not connect via AFP (but could via SMB)

Through a series of trial and error (and with two Apple Support people...), we found that the following actions seemed to help fix some (but not all) of the problems.:

Problem #2 seemed to initially be fixed by archiving the OD Master, destroying the OD Master and then reimporting from the archive.  I archived from the upgraded 10.10, but should probably have tried restoring my 10.9.5 archive (which may end up being why I still have some problems...)

Problem #1 seemed to be solved when I used WorkGroup Manager to reset the password on the Directory Administrator account I use  (I also blew out all references to that account from the Keychain, so everything reprompted me to add that password

However, we think the root cause of this might have been that in /var/db/openldap/migration, the following "dot" files were still present after the upgrade

fs:migration root# ls -la

total 6308816

drwx------  10 root  wheel         340 Oct 30 18:59 .

drwxr-xr-x   6 root  wheel         204 Oct 30 18:57 ..

-rw-------   1 root  wheel           0 Oct 30 18:59 .autossl

-rw-------   1 root  wheel           0 Oct 30 18:59 .enableODProxyd

-rw-------   1 root  wheel           0 Oct 30 18:59 .rekerberize

-rw-------   1 root  wheel           0 Oct 30 18:59 .updateLocales

-rw-r--r--   1 root  wheel      333436 Oct 30 18:57 authbackup.ldif

-rw-r--r--@  1 root  wheel      617453 Oct 30 18:57 backup.ldif

-rw-r--r--   1 root  wheel      617453 Oct 30 18:57 backup.ldif.backup

-rw-r--r--   1 root  wheel  3228537344 Oct 30 18:59 oldsystem.tar

Those 4 .dot files were *not* present in that directory on the two other test OD Master servers that I upgraded without issue.

So we removed them and after having done all the above as well -- I can now add users to the server.   The OD engineer I talked to thought that the presence of those .dot files may have been triggering something to rerun every time PasswordService launched.

When all was said and done, I was then able to "kinit <mydiradminaccount>" correctly and get a "klist" without issue.

ALL THAT SAID:  As of this morning, *some* (most?  I don't know yet) of my existing OD user accounts are able to successfully log into the server.   A couple of them (so far) are reporting that their account is "disabled" (which is different from the "shaking"/can't-log-in behavior) -- but they can still log in via SMB -- so I think there was still a problem migrating OD accounts in the upgrade process.

AND -- I noticed that -- in Server 4.0 -- "change password" is greyed out, so I have to use WorkGroup Manager to change server account passwords. 

Whee...

I seem to be having this same issue. Definitely frustrated. It seems every year when I upgrade it breaks something. Hopefully they figure it out soon.

Thanks Steve,

I deleted and recreated my Master Directory and everything seems to be working fine now.

Thanks again everyone,

Working with somebody from Apple as I type this.  ;-)

It seems that one of the likely problems is a poor importing of the ldap database during the upgrade.  In my case, "kinit" shows this when an account is functional:

bash-3.2# kinit mmaynard

mmaynard@(MYSERVERFQDN)'s Password:

kinit: Password incorrect

and this when it is not:

bash-3.2# kinit ljohn

ljohn@F(MYSERVERFQDN)'s Password:

kinit: krb5_get_init_creds: Client (ljohn@(MYSERVERFQDN) unknown

In the latter case, the user must reset their password -- which resets the kerberos credentials.    This *may* be a bigger problem for users that haven't changed their OD password in years (in my case before 2011, I think, but I haven't isolated that yet...)

But then this also ended up being a certificate problem where authentication is supposed to bounce down to SSL if Kerberos fails, but the certificate was not configured correctly prior to the upgrade (apparently).  Once the certificate was fixed (and other sundry commands ran), then the fact that Kerberos wasn't working for some accounts didn't matter.

But it all needs a big cleanup...

I have the same problem, not able to create network users, and also not able to set up a OD replication

all of this steps above did not work, also the .rekerberize  thing did not do any change.

is there a chance thet some one have a other sollution?

I fixed it on mine by simply resetting the diradmin password

Mac OS X Server: How to reset the Open Directory administrator password - Apple Support