Michael Newbery

Q: Can't create Local Network Users in Yosemite

I can't create Local Network Users (or change passwords)

 

Logged on to /LDAPv3/127.0.0.1 as directory administrator

 

When I try to create a new user (press the [+], fill in the form), it brings up the message:

 

existing connection is not authenticated or secure: password change denied

 

I suspect this is emblematic of other issues. I can authenticate for Mail and SMB, but not for AFP or Xcode.

Server 4.0, OS X Yosemite (10.10)

Posted on Oct 25, 2014 10:09 PM


first Previous Page 3 of 4 last Next
  • by Michael Newbery, Nov 11, 2014 10:29 AM in response to ADSC
    Level 4 (2,424 points), Servers Enterprise

    I don't know, I don't run Profile Manager.

  • by gracoat, Nov 11, 2014 10:41 AM in response to Michael Newbery
    Level 3 (660 points)

    Had the same problem here. Successfully fixed it.

     

    After upgrading to Server 4.0, I couldn't change passwords, my bound client computers couldn't log in unless I unbound and rebound them, and AFP and SMB were behaving VERY strangely. Sometimes I could log in and sometimes not. Weird Open Directory password errors when trying to change passwords using both Server.app and WGM.

     

    First things first. Ensure that you have your certificates WORKING. I know a lot of people were having trouble getting OD to use their certificates. There could be a million reasons why yours don't work, but I wanted to share that mine are working fine. All services are able to use my certificate.

    Additionally, if you don't have DNS configured, go back to square one, say to yourself, "I need to figure this DNS thing out..." Then do so.

    Once those two things are accounted for and are correct...

     

    Here's the steps I took.

     

    Archive the OD Master.  I saved mine to my desktop with a good password.

    Stop the open directory service using the Server.app off switch.

    Destroy the Master.

    (I'm not sure if this part makes a difference, but I'll post ALL the steps that I took)

    I figured I'd create a new master with a new blank directory, then import my users from the sparseimage. Not thinking straight, that's the step I took. This isn't how the sparse image contents work. When I realized that that wasn't going to work, I stopped the service again.

    Destroyed the new one.

    With the service now stopped, I clicked the 'on' switch and it brought me to my options of Create a new master, Restore from Archive, or Create a Replica.

    I chose Restore.  I have about 260 users and 200 computers in my directory, so it only took about 30 to 40 seconds to bring everything in.

     

    I quit server.app.

     

    I opened server.app and selected Users.  All users were there. 

    I clicked Local Network Users.

    I chose a trivial user (one that I created that I know won't be logging in, but is still a valid user) and right clicked on him.

    I chose reset password, did so, and Voila!  It worked!

     

    I AM THE MASTER OF ALL THINGS OS X SERVER 4.0!

     

    Okay, maybe not, but this all seemed to work for me pretty well.

     

    I have a feeling that the act of creating a new blank directory with nothing in it is what did the trick.  After destroying the first directory, had I just restored back to the way it was, perhaps some remnants would have prevented things from working as others have noted previously here.

    Creating the new blank directory that I then destroyed reset things so that the imported Archive could come in cleanly.

     

    Hope this solution works for someone else.

    -Graham

  • by Steve Maser, Nov 11, 2014 10:45 AM in response to gracoat
    Level 1 (10 points)

    Yeah, I'm fairly confident that archiving/destroying/reimporting the OD master was what got me in the first right step.

     

    It pointed out other problems (such as accounts with really old passwords), but nothing was working until I destroyed the OD master and reimported.

  • by Michael Newbery, Nov 12, 2014 1:14 AM in response to gracoat
    Level 4 (2,424 points), Servers Enterprise

    Alas, it looked so hopeful, but made no difference.

     

    1. Use Server App to export OD Master
    2. Destroy Master
    3. $ cat /etc/openldap/rootDSE.ldif
       cat: /etc/openldap/rootDSE.ldif: No such file or directory

    4. Create New OD Domain
    5. $ cat /etc/openldap/rootDSE.ldif
       dn:
       dnsHostName: 5ld.4ld.3ld.2ld.tld
       saslRealm: 5LD.4LD.3LD.2LD.TLD
       krbName: ldap/5ld.4ld.3ld.2ld.tld@5LD.4LD.3LD.2LD.TLD

    6. Destroy master
    7. $ cat /etc/openldap/rootDSE.ldif
       cat: /etc/openldap/rootDSE.ldif: No such file or directory

    8. Restore from archive
    9. $ cat /etc/openldap/rootDSE.ldif
       dn:
       dnsHostName: 5ld.4ld.3ld.2ld.tld
       saslRealm: 5LD.4LD.3LD.2LD.TLD

    10. Stop OD
    11. Edit /etc/openldap/rootDSE.ldif
    12. $ cat /etc/openldap/rootDSE.ldif
        dn:
        dnsHostName: 5ld.4ld.3ld.2ld.tld
        saslRealm: 5LD.4LD.3LD.2LD.TLD
        krbName: ldap/5ld.4ld.3ld.2ld.tld@5LD.4LD.3LD.2LD.TLD

    13. Start OD
    14. No change. Can't create users, change passwords or connect via AFP.

     

    Sigh. But thanks for the suggestion.
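The check that Michael Newbery performs by hand in steps 3 to 12 above, scripted, as an added example that is not part of the thread and not Apple's code. Only the path /etc/openldap/rootDSE.ldif and the three attribute names (dnsHostName, saslRealm, krbName) come from his listings; the consistency rules (krbName must equal ldap/<dnsHostName>@<saslRealm>, saslRealm is the upper-cased host name) are inferred from those listings, the sample files are constructed, and the add_krbname helper only repeats his step 11 edit. As his post shows, putting krbName back did not cure his symptom, so treat this as a way to see what state the file is in after a restore, not as a fix.

```shell
#!/bin/sh
# Added example: inspect an Open Directory rootDSE.ldif the way the thread
# does by hand. Not Apple's code; everything except the file path and the
# three attribute names is an assumption for illustration.

# Value of the first ATTR line in an LDIF file (empty string if absent).
ldif_attr() {   # ldif_attr FILE ATTR
    awk -v a="$2:" '$1 == a { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# Report a missing or inconsistent Kerberos binding. Returns 0 only when
# dnsHostName, saslRealm and krbName are all present and agree.
check_rootdse() {   # check_rootdse FILE
    f=$1
    [ -r "$f" ] || { echo "MISSING $f (no OD master on this host?)"; return 2; }
    host=$(ldif_attr "$f" dnsHostName)
    realm=$(ldif_attr "$f" saslRealm)
    krb=$(ldif_attr "$f" krbName)
    rc=0
    [ -n "$host" ]  || { echo "MISSING dnsHostName"; rc=1; }
    [ -n "$realm" ] || { echo "MISSING saslRealm";   rc=1; }
    want="ldap/${host}@${realm}"
    if [ -z "$krb" ]; then
        echo "MISSING krbName (expected $want)"; rc=1
    elif [ "$krb" != "$want" ]; then
        echo "MISMATCH krbName=$krb expected $want"; rc=1
    fi
    # Every listing in the thread shows saslRealm as the upper-cased host name.
    up=$(printf '%s' "$host" | tr '[:lower:]' '[:upper:]')
    if [ -n "$host" ] && [ "$realm" != "$up" ]; then
        echo "MISMATCH saslRealm=$realm expected $up"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $f"
    return "$rc"
}

# Append the krbName line the poster added by hand (his step 11). Only do
# this with Open Directory stopped; a .bak copy of the file is kept.
add_krbname() {   # add_krbname FILE
    f=$1
    [ -z "$(ldif_attr "$f" krbName)" ] || return 0      # already present
    host=$(ldif_attr "$f" dnsHostName)
    realm=$(ldif_attr "$f" saslRealm)
    [ -n "$host" ] && [ -n "$realm" ] || return 1
    cp "$f" "$f.bak" && printf 'krbName: ldap/%s@%s\n' "$host" "$realm" >> "$f"
}

# Constructed samples mirroring the thread's two listings: a freshly created
# master (krbName present) and a master restored from archive (krbName
# absent). 5ld.4ld.3ld.2ld.tld is the placeholder host name the poster used.
SAMPLES=$(mktemp -d "${TMPDIR:-/tmp}/rootdse.XXXXXX")
NEW_MASTER=$SAMPLES/new.ldif
RESTORED=$SAMPLES/restored.ldif
cat > "$NEW_MASTER" <<'EOF'
dn:
dnsHostName: 5ld.4ld.3ld.2ld.tld
saslRealm: 5LD.4LD.3LD.2LD.TLD
krbName: ldap/5ld.4ld.3ld.2ld.tld@5LD.4LD.3LD.2LD.TLD
EOF
cat > "$RESTORED" <<'EOF'
dn:
dnsHostName: 5ld.4ld.3ld.2ld.tld
saslRealm: 5LD.4LD.3LD.2LD.TLD
EOF

if [ "${1:-}" = "--live" ]; then
    check_rootdse /etc/openldap/rootDSE.ldif      # the real file on a server
else
    check_rootdse "$NEW_MASTER"
    check_rootdse "$RESTORED" || {
        add_krbname "$RESTORED" && check_rootdse "$RESTORED"
    }
fi
```

Run it with no arguments to see the two sample cases, or with --live (as root) on a server to inspect the real file. Because ldif_attr only reads the first occurrence of each attribute and does not decode base64 ("::") values, it is adequate for this four-line file but not a general LDIF parser.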

  • by ndsvfx, Nov 14, 2014 12:09 PM in response to ndsvfx
    Level 1 (15 points)

    I want to say that mine is no longer working; maybe a reboot reset something, since diradmin is fine but I can't change user passwords or add new users. Have tried every suggestion out there. The rekerberize trick does not seem to work in 10.10, so not sure if there is a new way. I think if I could get that to work then it might solve the issue for me.

  • by ndsvfx, Nov 19, 2014 10:54 AM in response to ndsvfx (Solved answer)
    Level 1 (15 points)

    So I fixed it for myself, but it is not a pretty solution.

     

    Archiving and Restoring was putting me in a loop where the issue was not getting fixed.

     

    The Directory Administrator account was working and authenticated but still could not create new users or change users' passwords.

     

    I traced it to issues with SASL from the upgrade.

     

    1. So, downloaded Workgroup Admin and installed it (thankfully it still works in 10.10).

    2. From Workgroup Admin I exported the users and then the groups.

    3. Opened Server.app and turned off Open Directory, then quit Server.app.

    4. Opened Terminal and destroyed the directory:

    sudo slapconfig -destroyldapserver

    5. Opened Server.app and set up a NEW Open Directory server.

    6. Added a test user and tried changing the password to verify it is all working.

    7. If it works, then blow away that user.

    8. Select Manage > Import Accounts from File and import your users, and verify they all come in.

    9. Do the same, but this time select your groups file.

    10. Unfortunately this does NOT preserve passwords, so you can either set a temp password and have users change it at login, or if you know them you can re-enter them.

     

    At this point you should have a clean, functional OpenDirectory server with full control over users again.

  • by Michael Newbery, Nov 19, 2014 1:39 PM in response to ndsvfx
    Level 4 (2,424 points), Servers Enterprise

    @ndsvfx, I was contemplating this. However, I just want to confirm:

     

    1. All the user directories remain (I'm not expecting the files to be removed, rather, that the ownership remains unchanged)
    2. All the user mail remains

     

    Can you confirm both of these?

  • by ndsvfx, Nov 19, 2014 2:20 PM in response to Michael Newbery
    Level 1 (15 points)

    No issues there, you do not even have to turn off any other services, like Mail, Wiki, Calendar, Contacts that use the directory. When you import the users and groups back in they keep their original user ID and group ID so they will be tied to the data with same permissions as when you exported them.

     

    The only thing lost are passwords. So if you want the least hassle possible, get the passwords from all your users if you don't already have them and then re-enter them for them when you get to step 10. That way when you give them the OK to start using Mail and such again it will work with no effort on their part.
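The rebuild ndsvfx describes (export users and groups, destroy the LDAP server, create a new master, import) depends on the two facts stated in the last two posts: the import keeps each account's UID and GID, and it does not carry passwords. The script below is an added example, not from the thread and not Apple's code, for auditing the exported users file before step 8 and for having a list to compare against the live directory afterwards. It assumes the standard dsimport header layout (four hex delimiters, record type, attribute count, attribute names, with records using the 0x3A field separator and 0x2C value separator); the sample file, the account names and the placeholder password column are constructed.

```shell
#!/bin/sh
# Added example: audit a dsimport-style account export (the format Workgroup
# Manager writes) before re-importing it into a rebuilt Open Directory
# master. Not Apple's code; the header layout is the assumed standard one and
# the sample data below is constructed.

# Print "name uid gid" for every user record, locating the columns from the
# header line rather than assuming a fixed order.
export_uids() {   # export_uids FILE
    awk '
    NR == 1 {
        # header: 0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users N attr1 ... attrN
        if ($5 != "dsRecTypeStandard:Users" || $3 != "0x3A" || $4 != "0x2C") {
            print "unsupported header: " $0 > "/dev/stderr"; exit 2
        }
        n = $6 + 0
        for (i = 1; i <= n; i++) {
            a = $(6 + i)
            if (a == "dsAttrTypeStandard:RecordName")     name = i
            if (a == "dsAttrTypeStandard:UniqueID")       uid  = i
            if (a == "dsAttrTypeStandard:PrimaryGroupID") gid  = i
        }
        if (!name || !uid || !gid) {
            print "header lacks RecordName/UniqueID/PrimaryGroupID" > "/dev/stderr"; exit 2
        }
        FS = ":"          # the 0x3A field separator applies from the next record on
        next
    }
    NF == 0 { next }
    {
        split($name, v, ",")      # 0x2C separates multiple values; the first is the short name
        print v[1], $uid, $gid
    }' "$1"
}

# UIDs that occur more than once in the export. Two accounts sharing a UID
# would end up owning each other's files and mail after the import.
dup_uids() {   # dup_uids FILE
    export_uids "$1" | awk '{ c[$2]++ } END { for (u in c) if (c[u] > 1) print u }' | sort
}

# What the export actually carries in its Password column for the first
# record, or "none" if there is no such column. The thread reports that
# passwords do not survive export/import; this shows why (a placeholder).
password_column() {   # password_column FILE
    awk 'NR == 1 { n = $6 + 0; for (i = 1; i <= n; i++) if ($(6+i) == "dsAttrTypeStandard:Password") pw = i; FS = ":"; next }
         NF && pw { print $pw; exit }
         END { if (!pw) print "none" }' "$1"
}

# Constructed sample: three users, two of them (wrongly) sharing UID 1026.
SAMPLE=$(mktemp "${TMPDIR:-/tmp}/users.XXXXXX")
cat > "$SAMPLE" <<'EOF'
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 5 dsAttrTypeStandard:RecordName dsAttrTypeStandard:Password dsAttrTypeStandard:UniqueID dsAttrTypeStandard:PrimaryGroupID dsAttrTypeStandard:RealName
alice,Alice Liddell:********:1025:20:Alice Liddell
bob:********:1026:20:Bob Example
carol:********:1026:20:Carol Example
EOF

echo "name uid gid"
export_uids "$SAMPLE"
d=$(dup_uids "$SAMPLE")
[ -z "$d" ] || echo "duplicate UID(s): $d"
echo "Password column carries: $(password_column "$SAMPLE") (no hashes; reset passwords after import)"
```

After the import, the same "name uid gid" list can be checked against the live directory one account at a time with dscl (for example `dscl /LDAPv3/127.0.0.1 -read /Users/alice UniqueID PrimaryGroupID`); the parser does not handle values containing an escaped (0x5C) separator, which is fine for an audit of names and numeric IDs.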

  • by Michael Newbery, Nov 20, 2014 12:05 AM in response to ndsvfx
    Level 4 (2,424 points), Servers Enterprise

    THANKS!

     

    That has worked.

    It's a pain to have to reset all the passwords, but worth it in the end.

  • by superded, Nov 24, 2014 7:19 AM in response to ndsvfx
    Level 1 (0 points)

    OMG

     

    Thanks for the help!  You just saved my bacon!

  • by ndsvfx, Nov 24, 2014 10:13 AM in response to superded
    Level 1 (15 points)

    Glad it worked for you guys too. Unfortunately rebuilding directories has to happen far too often with OS X Server. Now off to figure out why 10.10 clients won't HomeSync at login and the login keychain is a mess.

  • by mysoros, Nov 24, 2014 10:28 PM in response to ndsvfx
    Level 1 (12 points), Mac OS X

    The Profile Manager still does not work after this method... What can I do? I am really frustrated with Apple about OS X Server. I nearly suffer every time I upgrade OS X Server.

    Thanks.

  • by ndsvfx, Nov 25, 2014 2:31 PM in response to mysoros
    Level 1 (15 points)

    Working for me, what issues are you having? With this you should have a fresh and clean directory so if you are having Profile Manager issues it could be something else with your setup.

  • by mysoros, Nov 25, 2014 6:46 PM in response to ndsvfx
    Level 1 (12 points), Mac OS X

    After upgrading to Server 4, Profile Manager works (my iOS device can communicate with the Server 4 Profile Manager) only with existing users, and I cannot modify or add new users in the Directory. After using the method you suggest (export, destroy LDAP, create LDAP and import the users) I can add / modify users in the Directory, and Profile Manager can see the users, but my iOS device cannot communicate with Profile Manager in Server 4 anymore. I tried to delete the profile on the device and register it again, but then the device just prompts that the Profile could not be installed.

    Anything wrong with my steps?  Thanks for your comments.

  • by ndsvfx, Nov 25, 2014 6:59 PM in response to mysoros
    Level 1 (15 points)

    Sorry I don't use it with mobile devices.

     

    I am assuming you tried rebooting the phone first. If that didn't work...

     

    What I would do is log in to Profile Manager, go to your device list and remove the device.

    On the phone remove the MDM profile and trust profile. restart

    Make sure the device is no longer in your devices or device groups.

    from the phone re-download the trust profile and re-add the device.

    When the device shows up in your devices list, re-add it to your device group with your MDM settings

    watch and make sure the settings push to the phone

    try another restart and see if you are all good after that.

     

    This is how I deal with issues on computers; I have not tried it with mobile devices.
