Michael Newbery

Q: Can't create Local Network Users in Yosemite

I can't create Local Network Users (or change passwords).

Logged on to /LDAPv3/127.0.0.1 as directory administrator.

When I try to create a new user (press the [+], fill in the form), it brings up the message:

existing connection is not authenticated or secure: password change denied

I suspect this is emblematic of other issues. I can authenticate for Mail and SMB, but not for AFP or Xcode.

Server 4.0, OS X Yosemite (10.10)

Posted on Oct 25, 2014 10:09 PM

  • by Michael Newbery, Level 4 (2,424 points), Oct 26, 2014 5:08 PM in response to Michael Newbery

    After some digging, this appears to be related to

    OS X Server (Mavericks): After upgrading or migrating, network user cannot be created

    However, I've done that:

    1. Quit Server.app.
    2. On the Open Directory Server, execute these Terminal commands:

      sudo mkdir /var/db/openldap/migration/
      sudo touch /var/db/openldap/migration/.rekerberize
      sudo killall PasswordService

    3. Open Server.app.

    to no avail. Furthermore, when that made no difference, I removed Server.app, did step 2, and reinstalled Server.

    Server is now running, as before, and supports Mail, but I can't create network users (or change their passwords), or log in via AFP, and now I can't do remote administration using another Server!

    Interestingly enough, I can mount SMB volumes (by explicitly "Connect to Server..." in Finder at smb://XXXX._smb._tcp.local).

  • by Don Hayes, Level 1 (25 points), Oct 30, 2014 2:21 AM in response to Michael Newbery

    You're not alone with this issue. I have been to see a client who upgraded to Yosemite for external reasons, and then found he needed to upgrade his server install to v4. Since then, he cannot log in to any user account, except as server admin.

    Not quite true - the only pre-existing account that works as it did before is from a PC. All Mac accounts cannot connect.

    Further too, he also has the problem where logging in as diradmin on the server does not allow him to change passwords for users, or add a new user. The new user can be created, but the account cannot be accessed by the user.

    All since the upgrade to Yosemite + Mac OS X Server 4.0.

    Any suggestions? (We tried deleting the 'setupdone' file and renewing the server setup, but no go.)

  • by jbaudry, Level 1 (0 points), Oct 30, 2014 2:39 PM in response to Don Hayes

    Hello everyone:

    I just got off the phone with Apple tech support. This issue results from a security enhancement to the new Server 4.0. You need to authenticate the second time with your diradmin account for open directory as opposed to your local server manager account. I.e. diradmin and the password you set for it. Was fortunate to get a great Apple engineer on the line who had the right answer on the spot.

    Cheers,

    Jean-Jerome

  • by Dario Pompei, Level 1 (5 points), Oct 30, 2014 3:41 PM in response to jbaudry

    Thanks Jean-Jerome...

    How do you authenticate "the second time"? I tried going under "Connect to Server" under the server App menu named "Manage" and put in my diradmin info, but this info just gets ignored. If I quit server app and try opening it with the diradmin credentials, it won't let me in. Only my server manager log-in lets me get past this point. I also tried logging into directory utility with my diradmin log-in and although it authenticates, it does not resolve the problem of not being able to create user accounts in the server app.

  • by jbaudry, Level 1 (0 points), Oct 30, 2014 4:06 PM in response to Dario Pompei

    Hi Dario:

    You login normally to server manager with your normal credentials. Then you try to add the local network users, there will be the little lock symbol. You click to unlock and then it will ask you for the directory administrator name and password and you will have an option to enter that and add it to the keychain for future.

    Worked one short for me. During the original install I had left the directory administrator username to the default of diradmin and then just entered the password I selected during the original open directory/server manager install.

    Hope that helps.

    Cheers,

  • by Dario Pompei, Level 1 (5 points), Oct 30, 2014 4:22 PM in response to jbaudry

    Thanks again Jean-Jerome.

    I found the lock you directed me to and mine was already unlocked. So I tried locking and then unlocking it again to see if that would work. The correct diradmin credentials were already pre-filled from keychain and it unlocked as you stated. However, it did not resolve the issue for me. I can fill everything out about a new user but as soon as I hit the "create" button I get the message "existing connection is not authenticated or secure: password change denied". I guess I will just have to stick with Mavericks server until I can get this resolved.

  • by Steve Maser, Level 1 (10 points), Oct 31, 2014 7:13 AM in response to Dario Pompei

    So I had this problem last night as well when I upgraded my 10.9.5 OD master to 10.10.

    Two obvious problems after that upgrade:

    1) Could not add a new Local Network User

    2) Existing users could not connect via AFP (but could via SMB)

    Through a series of trial and error (and with two Apple Support people...), we found that the following actions seemed to help fix some (but not all) of the problems:

    Problem #2 seemed to initially be fixed by archiving the OD Master, destroying the OD Master and then reimporting from the archive. I archived from the upgraded 10.10, but should probably have tried restoring my 10.9.5 archive (which may end up being why I still have some problems...)

    Problem #1 seemed to be solved when I used WorkGroup Manager to reset the password on the Directory Administrator account I use (I also blew out all references to that account from the Keychain, so everything reprompted me to add that password).

     

    However, we think the root cause of this might have been that in /var/db/openldap/migration, the following "dot" files were still present after the upgrade:

      fs:migration root# ls -la
      total 6308816
      drwx------  10 root  wheel         340 Oct 30 18:59 .
      drwxr-xr-x   6 root  wheel         204 Oct 30 18:57 ..
      -rw-------   1 root  wheel           0 Oct 30 18:59 .autossl
      -rw-------   1 root  wheel           0 Oct 30 18:59 .enableODProxyd
      -rw-------   1 root  wheel           0 Oct 30 18:59 .rekerberize
      -rw-------   1 root  wheel           0 Oct 30 18:59 .updateLocales
      -rw-r--r--   1 root  wheel      333436 Oct 30 18:57 authbackup.ldif
      -rw-r--r--@  1 root  wheel      617453 Oct 30 18:57 backup.ldif
      -rw-r--r--   1 root  wheel      617453 Oct 30 18:57 backup.ldif.backup
      -rw-r--r--   1 root  wheel  3228537344 Oct 30 18:59 oldsystem.tar

    Those 4 .dot files were *not* present in that directory on the two other test OD Master servers that I upgraded without issue.

    So we removed them and after having done all the above as well -- I can now add users to the server. The OD engineer I talked to thought that the presence of those .dot files may have been triggering something to rerun every time PasswordService launched.

    When all was said and done, I was then able to "kinit <mydiradminaccount>" correctly and get a "klist" without issue.

    ALL THAT SAID: As of this morning, *some* (most? I don't know yet) of my existing OD user accounts are able to successfully log into the server. A couple of them (so far) are reporting that their account is "disabled" (which is different from the "shaking"/can't-log-in behavior) -- but they can still log in via SMB -- so I think there was still a problem migrating OD accounts in the upgrade process.

    AND -- I noticed that -- in Server 4.0 -- "change password" is greyed out, so I have to use WorkGroup Manager to change server account passwords.

    Whee...

  • by Dizzy810, Level 1 (0 points), Oct 31, 2014 8:01 AM in response to Michael Newbery

    I seem to be having this same issue. Definitely frustrated. It seems every year when I upgrade it breaks something. Hopefully they figure it out soon.

  • by Dario Pompei, Level 1 (5 points), Oct 31, 2014 9:19 AM in response to Steve Maser

    Thanks Steve,

    I deleted and recreated my Master Directory and everything seems to be working fine now.

    Thanks again everyone,

  • by Steve Maser, Level 1 (10 points), Oct 31, 2014 10:23 AM in response to Dario Pompei

    Working with somebody from Apple as I type this. ;-)

    It seems that one of the likely problems is a poor importing of the ldap database during the upgrade. In my case, "kinit" shows this when an account is functional:

      bash-3.2# kinit mmaynard
      mmaynard@(MYSERVERFQDN)'s Password:
      kinit: Password incorrect

    and this when it is not:

      bash-3.2# kinit ljohn
      ljohn@F(MYSERVERFQDN)'s Password:
      kinit: krb5_get_init_creds: Client (ljohn@(MYSERVERFQDN) unknown

    In the latter case, the user must reset their password -- which resets the kerberos credentials. This *may* be a bigger problem for users that haven't changed their OD password in years (in my case before 2011, I think, but I haven't isolated that yet...)

    But then this also ended up being a certificate problem where authentication is supposed to bounce down to SSL if Kerberos fails, but the certificate was not configured correctly prior to the upgrade (apparently). Once the certificate was fixed (and other sundry commands ran), then the fact that Kerberos wasn't working for some accounts didn't matter.

    But it all needs a big cleanup...
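
The two diagnostics Steve Maser describes above (checking /var/db/openldap/migration for the four lingering "dot" files, and reading kinit's output to tell a principal the KDC does not know from a merely wrong password) as a small POSIX shell script. This is an added example, not code from the thread or from Apple. The paths, file names and kinit message texts come from the posts above; the function names, the temp-directory demonstration and the probe wrapper are this example's own, and the wrapper assumes the Heimdal kinit shipped with OS X, which writes its password prompt to the terminal rather than into the captured output.

```shell
#!/bin/sh
# Added example (not from the thread): two checks drawn from the posts above.
#   1. Are the stale migration flag files still present after an upgrade?
#   2. Does kinit's output say "Password incorrect" (principal exists) or
#      "Client ... unknown" (principal missing, user must reset password)?

# Directory named in the thread; override with MIGRATION_DIR=... for testing.
MIGRATION_DIR="${MIGRATION_DIR:-/var/db/openldap/migration}"

# The four "dot" files reported as lingering after the 10.9.5 -> 10.10 upgrade.
STALE_FLAGS=".autossl .enableODProxyd .rekerberize .updateLocales"

# Print, one per line, which of the stale flag files exist in directory $1.
stale_migration_flags() {
    _dir="$1"
    for _f in $STALE_FLAGS; do
        if [ -e "$_dir/$_f" ]; then
            echo "$_f"
        fi
    done
    return 0
}

# Exit status 0 when no stale flag file is present in $1, 1 otherwise.
migration_dir_clean() {
    [ -z "$(stale_migration_flags "$1")" ]
}

# Classify the text kinit printed for one principal (hypothetical labels):
#   ok                 - kinit printed nothing, a ticket was obtained
#   principal-present  - "Password incorrect": the KDC knows the principal
#   principal-missing  - "Client ... unknown": Kerberos credentials are gone,
#                        the user has to reset their OD password to recreate them
#   other              - anything else (network/KDC errors, wrong realm, ...)
classify_kinit_output() {
    case "$1" in
        "")                       echo "ok" ;;
        *"Password incorrect"*)   echo "principal-present" ;;
        *Client*unknown*)         echo "principal-missing" ;;
        *)                        echo "other" ;;
    esac
}

# Live probe: read principal names from stdin, one per line, run kinit for each
# and print "<principal><TAB><classification>". kinit prompts on the terminal;
# any password will do for this distinction, because "Client unknown" comes back
# from the KDC regardless of what was typed. Assumes Heimdal kinit as on OS X.
probe_principals() {
    while read -r _p; do
        [ -n "$_p" ] || continue
        _out=$(kinit "$_p" 2>&1) || true
        printf '%s\t%s\n' "$_p" "$(classify_kinit_output "$_out")"
    done
}

# --- Demonstration on constructed input (safe to run on any machine) ---------
demo_dir=$(mktemp -d)
touch "$demo_dir/.rekerberize" "$demo_dir/.autossl" "$demo_dir/backup.ldif"
echo "Stale flags in constructed dir: $(stale_migration_flags "$demo_dir" | tr '\n' ' ')"
if migration_dir_clean "$demo_dir"; then echo "clean"; else echo "needs cleanup"; fi
rm -rf "$demo_dir"

# Constructed kinit transcripts, modelled on the ones quoted in the thread.
classify_kinit_output "kinit: Password incorrect"
classify_kinit_output "kinit: krb5_get_init_creds: Client (ljohn@(MYSERVERFQDN) unknown"

# The real check, only if this host actually has the migration directory.
if [ -d "$MIGRATION_DIR" ]; then
    if migration_dir_clean "$MIGRATION_DIR"; then
        echo "$MIGRATION_DIR: no stale flag files"
    else
        echo "$MIGRATION_DIR still contains: $(stale_migration_flags "$MIGRATION_DIR" | tr '\n' ' ')"
    fi
fi
```

On an OD master the live probe is run as root with the account list piped in, for example `printf 'mmaynard\nljohn\n' | probe_principals`; each name then shows up as principal-present or principal-missing, which is exactly the split between accounts that work and accounts whose password must be reset.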

  • by Michael Newbery, Level 4 (2,424 points), Oct 31, 2014 3:37 PM in response to jbaudry

    Thanks, but that didn't help. I am authenticated with the Directory Administrator (having connected to the server as a Server Administrator). I still get the "existing connection is not authenticated or secure: password change denied" message.

  • by Michael Newbery, Level 4 (2,424 points), Oct 31, 2014 4:38 PM in response to Steve Maser

    Thanks for your assistance, but still no joy.

    As you summarize:

    1) Could not add a new Local Network User

    2) Existing users could not connect via AFP (but could via SMB)

    I've tried reverting to an archived OD master, both pre-upgrade and post-upgrade. Neither fixes the problem for me.

    Workgroup manager won't let me change the diradmin password. It tells me that I have to be using an OpenDirectory password before I can change an OpenDirectory password. Needless to say, I am logged on using an administrator account that has an OD password. And I've tried this with a couple of such accounts.

    The /var/db/openldap/migration folder looked much as you show, but I've cleaned it out, to no avail. The problems persist. I'm deeply suspicious that this may be close to the answer, but as of Server 4.0, things seem to have changed in that area. See How to rekerberize in Yosemite?

    I have tried kinit <user> and they all seem to be OK. None of the users I have defined show up as Client unknown, and if I type the right password, I get a ticket as shown by klist.

    Right now, mail works, and that is the most important thing for me. I could try blowing the OD database away, and reimporting the exported users, although that would require everyone to reset their passwords. However, I'm extremely reluctant to do that lest I also lose access to mail in the process.

  • by ADSC, Level 1 (0 points), Nov 4, 2014 4:28 PM in response to Michael Newbery

    I have the same problem: not able to create network users, and also not able to set up an OD replication.

    All of the steps above did not work; the .rekerberize thing did not make any change either.

    Is there a chance that someone has another solution?

  • by ndsvfx, Level 1 (15 points), Nov 6, 2014 7:39 PM in response to ADSC

    I fixed it on mine by simply resetting the diradmin password.

    Mac OS X Server: How to reset the Open Directory administrator password - Apple Support