Michael Newbery

Q: Can't create Local Network Users in Yosemite

I can't create Local Network Users (or change passwords).

Logged on to /LDAPv3/127.0.0.1 as directory administrator.

When I try to create a new user (press the [+], fill in the form), it brings up the message:

existing connection is not authenticated or secure: password change denied

I suspect this is emblematic of other issues. I can authenticate for Mail and SMB, but not for AFP or Xcode.

Server 4.0, OS X Yosemite (10.10)

Posted on Oct 25, 2014 10:09 PM

Page 2 of 4
  • by Michael Newbery, Level 4 (2,424 points), Servers Enterprise
    Nov 7, 2014 1:15 AM in response to ndsvfx

    Thanks for the pointer to resetting the diradmin password. I tried doing that, and it certainly let me change the password. However, for me, it made no difference to any of the other problems. I still can't add users (or change their passwords), nor can any users connect via AFP.

  • by ADSC, Level 1 (0 points)
    Nov 7, 2014 4:40 AM in response to Michael Newbery

    Hi

    I am also able to change the diradmin password, and I can also log in with the diradmin password to Workgroup Manager, but every time I try to change a password I get the message:

    existing connection is not authenticated or secure: password change denied

  • by Steve Maser, Level 1 (10 points)
    Nov 7, 2014 6:10 AM in response to ADSC

    So you get that same error when you try to change the password using WGM?

    Looking back at (just about) exactly what I did here (and there were a lot of things -- including having somebody from Apple assist), I might suggest trying the following:

    1) Use Server.app to archive your existing OD master, then destroy the master and reimport that archive. (I did not attempt importing my 10.9.5 OD archive again...)

    2) Change the password for your Directory Admin account again using WGM. Delete *only* the "dot" files in /var/db/openldap/migration if they exist.

    (this is where my memory gets tricky -- I don't remember *exactly* when we deleted those "dot" files in that directory...)

    3) See if you can add new users with Server.app at that point (I could do that because the diradmin account was functional at that point.)

    I ended up having *some* of my users be able to connect via AFP (most of them), but about 20% could not after that. The 20% that could not were accounts that had really old passwords. I used "kinit <account>" (without having to know their password -- just hit return twice) to see which accounts needed passwords changed.

    One thing the Apple guy helped me with -- in theory, if there's a Kerberos problem, AFP authentication is supposed to default to SSL authentication. So, if your server has a valid certificate, set up Open Directory to use the certificate (and there's a GUI bug in Server.app where it will look like this doesn't stick, but it does).

    This allowed my problematic AFP users to be able to authenticate to the server -- because it bounced down to SSL authentication -- until I had them reset their passwords.

    YMMV, of course, but this is what ended up working for me.

  • by Michael Newbery, Level 4 (2,424 points), Servers Enterprise
    Nov 7, 2014 3:23 PM in response to Steve Maser

    Thanks Steve. I'll have another go today to see what happens, but before that I thought I'd respond to some of your suggestions:

    > So you get that same error when you try to change the password using WGM?

    I could not change the diradmin password with WGM.

    > Looking back at (just about) exactly what I did here (and there were a lot of things -- including having somebody from Apple assist), I might suggest trying the following:
    >
    > 1) Use Server.app to archive your existing OD master, then destroy the master and reimport that archive. (I did not attempt importing my 10.9.5 OD archive again...)

    I've done that a couple of times. I shall try again...

    > 2) Change the password for your Directory Admin account again using WGM. Delete *only* the "dot" files in /var/db/openldap/migration if they exist.

    I've removed all the migration files, to no avail. The .kerberize file doesn't seem to be functional in Yosemite though, anyway.

    > (this is where my memory gets tricky -- I don't remember *exactly* when we deleted those "dot" files in that directory...)
    >
    > 3) See if you can add new users with Server.app at that point (I could do that because the diradmin account was functional at that point.)
    >
    > I ended up having *some* of my users be able to connect via AFP (most of them), but about 20% could not after that. The 20% that could not were accounts that had really old passwords. I used "kinit <account>" (without having to know their password -- just hit return twice) to see which accounts needed passwords changed.
    >
    > One thing the Apple guy helped me with -- in theory, if there's a Kerberos problem, AFP authentication is supposed to default to SSL authentication. So, if your server has a valid certificate, set up Open Directory to use the certificate (and there's a GUI bug in Server.app where it will look like this doesn't stick, but it does).

    I have a valid certificate, which is assigned. AFP still does not work. I have fallen back to a self-signed certificate with no change, and to no certificate, with no change.

    > This allowed my problematic AFP users to be able to authenticate to the server -- because it bounced down to SSL authentication -- until I had them reset their passwords.

  • by Michael Newbery, Level 4 (2,424 points), Servers Enterprise
    Nov 7, 2014 6:05 PM in response to Steve Maser

    OK, this is what I tried:

    1. Use Server App to export OD Master

    2. Destroy Master

    3. Re-import master (restore from the just created archive)

    • This is a lot slower than making the archive
    • Existing services, such as Mail and File server, were NOT stopped.
    • Local Network Users now (again) exist
    • Can’t change user password

    existing connection is not authenticated or secure: password change denied

    • Can’t log on to AFP

    4. Change the password using WGM

    • Can’t do this. Get the message

    The password could not be set

    In order to set the password of a a user with an Open Directory Password, your own password type must be Open Directory. Administrators with other password types cannot set the password of a user with an Open Directory password.

    5. Change the password using sudo ldappasswd -x -H ldapi://%2Fvar%2Frun%2Fldapi -S uid=diradmin,cn=users,dc=etc

    6. Delete /var/db/openldap/migration dot files

    7. Try to create new users with Server App (authenticated with the new diradmin password)

    existing connection is not authenticated or secure: password change denied

    8. Tried to change diradmin password from WGM

    Failed as before

    In summary: status quo.

    • Can’t create new users
    • Can’t change user passwords
    • Can’t log on to AFP
    • Can’t remotely administer server

    I also tried some games with certificates

    1. Changed Cert to self-signed

    2. de-auth and re-auth diradmin

    Can’t change password

    3. Show all certificates

    4. Delete three code signing certificates homed off public CA Cert

    5. de-auth and re-auth diradmin

    6. Try to change password

    Nope

    7. Delete self signed xxx.yyy.private cert

    8. Create new private cert (self-signed root, SSL server)

    Server crashed (Server Quit Unexpectedly)

    Cert apparently not created

    9. Tried to change password.

    Nope

    10. Try to create new cert, again.

    Succeeded

    11. Change to use new private cert

    12. de-auth and re-auth diradmin

    13. Try to change password

    Nope

    14. Try to AFP

    Nope. And does not ask for permission to use cert

    Mail DOES try to use new cert

    15. Back to normal cert

    Mail uses old cert and is happy

  • by ADSC, Level 1 (0 points)
    Nov 8, 2014 1:03 PM in response to Michael Newbery

    Here more or less the same.

    Any other ideas?

    Is that something that works for you?

    reset diradmin password

    Mac OS X Server: How to reset the Open Directory administrator password - Apple Support

    and authenticate and all should be good again.

  • by Michael Newbery, Level 4 (2,424 points), Servers Enterprise
    Nov 8, 2014 5:11 PM in response to ADSC

    No, that's step 5 in my list of things I tried.

    Change the password using sudo ldappasswd -x -H ldapi://%2Fvar%2Frun%2Fldapi -S uid=diradmin,cn=users,dc=etc

    While it seems to help some people, it has not worked for others, including me.

  • by Don Hayes, Level 1 (25 points)
    Nov 8, 2014 11:06 PM in response to Michael Newbery

    Agreed. There is no "one-size-fits-all" solution to this problem; regardless of all the try-this-try-that, still can't log in Mac users or create users/change passwords, since the server 3 -> 4 upgrade.

    Some bits work for some folk, other bits for others; as a comprehensive answer to the upgrade problem nothing so far has had a definitive answer.

    I think maybe we need Apple engineers who've been well alerted to the issues to come forward now - there are businesses who rely on Apple server and clients suffering here!

  • by ADSC, Level 1 (0 points)
    Nov 10, 2014 4:02 AM in response to Don Hayes

    Hi

    I am also able to do that:

    Change the password using sudo ldappasswd -x -H ldapi://%2Fvar%2Frun%2Fldapi -S uid=diradmin,cn=users,dc=etc

    I can then change the password and also log in with that password to Workgroup Manager and so on, but still the same: I have no rights to change passwords ...

    Any news on that?


  • by ADSC, Level 1 (0 points)
    Nov 10, 2014 4:48 AM in response to ADSC

    What is your output from:

    cat /etc/openldap/rootDSE.ldif

  • by ADSC, Level 1 (0 points)
    Nov 10, 2014 4:48 AM in response to ADSC

    What is the output of:

    cat  /etc/openldap/rootDSE.ldif

  • by Michael Newbery, Level 4 (2,424 points), Servers Enterprise
    Nov 10, 2014 10:42 AM in response to ADSC

    $ cat  /etc/openldap/rootDSE.ldif
    dn:
    dnsHostName: 5ld.4ld.3ld.2ld.tld
    saslRealm: 5LD.4LD.3LD.2LD.TLD

    Allowing for suitable anonymisation.

  • by ADSC, Level 1 (0 points)
    Nov 10, 2014 1:20 PM in response to Michael Newbery

    Apple told me today that I also need this:

    krbName: ldap/5ld.4ld.3ld.2ld.tld@5LD.4LD.3LD.2LD.TLD

    in that file, but it does not work for me. Strange is that I can remotely log in to my LDAP with Apache LDAP Studio or some other LDAP software...

  • by Michael Newbery, Level 4 (2,424 points), Servers Enterprise
    Nov 11, 2014 2:58 AM in response to ADSC

    Thanks. I tried adding krbName: ldap/5ld.4ld.3ld.2ld.tld@5LD.4LD.3LD.2LD.TLD as well, but it has made no change.

    Oh well.
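The rootDSE.ldif attributes compared in the last few posts (dnsHostName, saslRealm, and the krbName line ADSC reports Apple asked for) can be cross-checked against each other before anyone edits the file by hand. The script below is an added example, not code from the thread, from Apple or from OS X Server; it assumes that saslRealm should be the upper-cased dnsHostName and that the LDAP service's krbName should read ldap/<dnsHostName>@<saslRealm>, which matches the values posted above but is an assumption about the file's intended layout, not a documented rule. The two sample files are constructed with the thread's anonymised names.

```shell
#!/bin/sh
# Added example: cross-check the Kerberos-related attributes in an OD master's
# /etc/openldap/rootDSE.ldif. Assumption (not documented on the page):
# saslRealm == upper-cased dnsHostName, and krbName == ldap/<host>@<REALM>.

# Print the value of the first "<attr>: value" line in an LDIF file.
ldif_attr() {
    # $1 = file, $2 = attribute name
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# Derive the krbName the LDAP service is expected to carry from the
# dnsHostName and saslRealm found in the same file.
expected_krbname() {
    ek_host=$(ldif_attr "$1" dnsHostName)
    ek_realm=$(ldif_attr "$1" saslRealm)
    printf 'ldap/%s@%s\n' "$ek_host" "$ek_realm"
}

# Return 0 when the file is self-consistent, 1 otherwise; each finding is
# printed so an admin can see exactly which attribute disagrees.
check_rootdse() {
    f=$1
    host=$(ldif_attr "$f" dnsHostName)
    realm=$(ldif_attr "$f" saslRealm)
    krb=$(ldif_attr "$f" krbName)
    rc=0
    if [ -z "$host" ]; then echo "missing dnsHostName"; rc=1; fi
    if [ -z "$realm" ]; then echo "missing saslRealm"; rc=1; fi
    if [ -n "$host" ] && [ -n "$realm" ] && \
       [ "$realm" != "$(printf '%s' "$host" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "saslRealm '$realm' is not the upper-cased dnsHostName '$host'"; rc=1
    fi
    if [ -z "$krb" ]; then
        echo "missing krbName (expected: $(expected_krbname "$f"))"; rc=1
    elif [ "$krb" != "$(expected_krbname "$f")" ]; then
        echo "krbName '$krb' differs from expected '$(expected_krbname "$f")'"; rc=1
    fi
    return $rc
}

# Constructed sample files using the thread's anonymised names (not real hosts).
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
dn:
dnsHostName: 5ld.4ld.3ld.2ld.tld
saslRealm: 5LD.4LD.3LD.2LD.TLD
krbName: ldap/5ld.4ld.3ld.2ld.tld@5LD.4LD.3LD.2LD.TLD
EOF

SAMPLE_NOKRB=$(mktemp)
cat > "$SAMPLE_NOKRB" <<'EOF'
dn:
dnsHostName: 5ld.4ld.3ld.2ld.tld
saslRealm: 5LD.4LD.3LD.2LD.TLD
EOF

# On a real server: check_rootdse /etc/openldap/rootDSE.ldif
check_rootdse "$SAMPLE_OK" && echo "sample with krbName: consistent"
check_rootdse "$SAMPLE_NOKRB" || echo "sample without krbName: inconsistent"
```

The check is read-only; it reports what the file would need rather than writing to it, so it can be run on a server whose OD master is already in the broken state described above without making anything worse.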

  • by ADSC, Level 1 (0 points)
    Nov 11, 2014 8:26 AM in response to Michael Newbery

    Just wondering

    I also have a Profile Manager setup on the same server, and I see now on Yosemite that it no longer depends on Open Directory. Could this be?

    Before, on Mavericks, I was not able to enable Profile Manager without a running Open Directory; now I can do that.

    Is this true? Or did I leave something out?
