N Turner

Q: Local network users can't use the caldav server

Ever since upgrading the server to Yosemite, local network users have been unable to use iCloud as well as caldav server.

 

At first I assumed this was caused by upgrading rather than a complete clean install, so I did a wipe and clean install, recreated the Open Directory, and recreated the network users using the old network home folders. I reset the permissions recommended by Apple in a KB article, but the issue persisted, so then I assumed that the old network home folders' Libraries were probably the problem, so I recreated new local network users with fresh new Libraries, and then manually imported data from the old network home folders one-by-one (excluding Library). Same result.

 

What happens is that when I set up a local network I can log in no problem, set up the server calendar account, add data to it, refresh etc, but as soon as that user logs out, it's guaranteed that the next time they login and start up their calendar there will occur a never-ending 'enter password for user' loop.

 

I then called Apple support who confirmed to me that there was a current issue with local network users and setting up their iCloud accounts in their network home (BTW that seems to have been fixed with Server.app updates). I told the client who accepted this, but really wants the ability for network users to be able to use the server calendar server. They didn't believe there is an issue with local network users using the server calendar server.

 

I've since recreated the same issue back at our workshop with the latest 10.10.4 and latest Server.app - same problem.

 

Logs

 

Cal Error log

 

2015-08-26 17:51:20+0100 [-] [directoryproxy] 2015-08-26 17:51:20+0100 [txdav.dps.server.DirectoryProxyAMPFactory] DirectoryProxyAMPProtocol connection established (HOST:UNIXAddress('/var/run/caldavd/directory-proxy.sock') PEER:UNIXAddress(None))

2015-08-26 17:51:21+0100 [-] [directoryproxy] 2015-08-26 17:51:21+0100 [txdav.dps.server.DirectoryProxyAMPFactory] DirectoryProxyAMPProtocol connection established (HOST:UNIXAddress('/var/run/caldavd/directory-proxy.sock') PEER:UNIXAddress(None))

 

 

Cal access log

 

 

127.0.0.1 - - [26/Aug/2015:18:06:12 +0100] "PROPFIND /principals/__uids__/679D8D7D-2765-4274-AD21-AA7955F2A26E/ HTTP/1.1" 401 141 "-" "Mac+OS+X/10.10.4 (14E46) CalendarAgent/316.1" i=1 or=1 t=13.4 fwd=fe80::d69a:20ff:fefa:8d6e

 

127.0.0.1 - nick [26/Aug/2015:18:06:12 +0100] "PROPFIND /principals/__uids__/679D8D7D-2765-4274-AD21-AA7955F2A26E/ HTTP/1.1" 207 423 "-" "Mac+OS+X/10.10.4 (14E46) CalendarAgent/316.1" i=1 or=1 t=45.7 cached=1 fwd=fe80::d69a:20ff:fefa:8d6e

127.0.0.1 - - [26/Aug/2015:18:06:13 +0100] "PROPFIND /principals/__uids__/679D8D7D-2765-4274-AD21-AA7955F2A26E/ HTTP/1.1" 401 141 "-" "Mac+OS+X/10.10.4 (14E46) CalendarAgent/316.1" i=1 or=1 t=5.0 fwd=fe80::d69a:20ff:fefa:8d6e

127.0.0.1 - - [26/Aug/2015:18:06:13 +0100] "PROPFIND /principals/__uids__/679D8D7D-2765-4274-AD21-AA7955F2A26E/ HTTP/1.1" 401 141 "-" "Mac+OS+X/10.10.4 (14E46) CalendarAgent/316.1" i=1 or=1 t=4.9 fwd=fe80::d69a:20ff:fefa:8d6e

127.0.0.1 - - [26/Aug/2015:18:06:13 +0100] "PROPFIND /principals/__uids__/679D8D7D-2765-4274-AD21-AA7955F2A26E/ HTTP/1.1" 401 141 "-" "Mac+OS+X/10.10.4 (14E46) CalendarAgent/316.1" i=1 or=1 t=5.0 fwd=fe80::d69a:20ff:fefa:8d6e

127.0.0.1 - - [26/Aug/2015:18:06:13 +0100] "PROPFIND /principals/__uids__/679D8D7D-2765-4274-AD21-AA7955F2A26E/ HTTP/1.1" 401 141 "-" "Mac+OS+X/10.10.4 (14E46) CalendarAgent/316.1" i=1 or=1 t=5.3 fwd=fe80::d69a:20ff:fefa:8d6e

127.0.0.1 - - [26/Aug/2015:18:06:13 +0100] "PROPFIND /principals/ HTTP/1.1" 401 141 "-" "Mac+OS+X/10.10.4 (14E46) CalendarAgent/316.1" i=1 or=1 t=4.2 fwd=fe80::d69a:20ff:fefa:8d6e

127.0.0.1 - - [26/Aug/2015:18:06:13 +0100] "PROPFIND /principals/ HTTP/1.1" 401 141 "-" "Mac+OS+X/10.10.4 (14E46) CalendarAgent/316.1" i=1 or=1 t=4.2 fwd=fe80::d69a:20ff:fefa:8d6e

 

 

LDAP log

 

 

Aug 26 18:06:12 macmini-i5.local slapd[210]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)

 

Aug 26 18:06:12: --- last message repeated 1 time ---

Aug 26 18:06:12 macmini-i5.local slapd[210]: conn=14172 op=4: attribute "entryCSN" index delete failure

Aug 26 18:06:12 macmini-i5.local slapd[210]: conn=14172 op=3: attribute "entryCSN" index delete failure

 

 

Any help greatly appreciated!

Posted on Aug 26, 2015 12:25 PM
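
As an added illustration (not part of the original post and not Calendar Server code), the sketch below reads access-log lines in the layout quoted above and separates the normal challenge/response pair (a 401 followed by an authenticated request, as in the first two lines of the log) from a run of 401s that is never followed by a success, which is how the password loop shows up on the server side. The sample lines, the loop threshold and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the access-log lines quoted in the post;
# the UID, user names and fwd addresses are made up.
_UA = '"-" "Mac+OS+X/10.10.4 (14E46) CalendarAgent/316.1"'
_P = "/principals/__uids__/00000000-0000-0000-0000-000000000000/"
_TS = "[26/Aug/2015:18:06:12 +0100]"
SAMPLE = [
    f'127.0.0.1 - - {_TS} "PROPFIND {_P} HTTP/1.1" 401 141 {_UA} i=1 or=1 t=13.4 fwd=fe80::1',
    f'127.0.0.1 - alice {_TS} "PROPFIND {_P} HTTP/1.1" 207 423 {_UA} i=1 or=1 t=45.7 cached=1 fwd=fe80::1',
    *[f'127.0.0.1 - - {_TS} "PROPFIND {_P} HTTP/1.1" 401 141 {_UA} i=1 or=1 t=5.0 fwd=fe80::1'] * 3,
    f'127.0.0.1 - - {_TS} "PROPFIND /principals/ HTTP/1.1" 401 141 {_UA} i=1 or=1 t=4.2 fwd=fe80::1',
    f'127.0.0.1 - - {_TS} "PROPFIND {_P} HTTP/1.1" 401 141 {_UA} i=1 or=1 t=4.0 fwd=fe80::2',
    f'127.0.0.1 - bob {_TS} "PROPFIND {_P} HTTP/1.1" 207 423 {_UA} i=1 or=1 t=9.1 fwd=fe80::2',
    "not an access-log line",
]

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+) '
    r'"[^"]*" "(?P<agent>[^"]*)"(?P<extras>.*)$'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    # Trailing key=value fields (i=, or=, t=, cached=, fwd=) become a dict.
    rec["extras"] = dict(kv.split("=", 1) for kv in rec["extras"].split() if "=" in kv)
    return rec

def summarize(lines, loop_threshold=3):
    """Per client (fwd= address if present), count answered and unanswered 401s.

    A 401 is 'answered' once a later request from the same client carries an
    authenticated user; 401s still pending at the end of the log are
    'unanswered'. loop_threshold is an arbitrary cut-off for this example.
    """
    state = defaultdict(lambda: {"answered": 0, "pending": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = state[rec["extras"].get("fwd", rec["client"])]
        if rec["status"] == 401:
            s["pending"] += 1
        elif rec["user"]:
            s["answered"] += s["pending"]
            s["pending"] = 0
            s["users"].add(rec["user"])
    return {
        src: {"answered": s["answered"], "unanswered": s["pending"],
              "users": sorted(s["users"]), "loop": s["pending"] >= loop_threshold}
        for src, s in state.items()
    }

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

Requests that run in parallel can interleave in the log, so the per-client counts are a heuristic rather than an exact pairing of challenge and response.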

  • by N Turner,

    Aug 26, 2015 12:30 PM in response to N Turner

    I should add that the exact same setup worked fine under Mountain Lion server. I should also add that I've used the deprecated Workgroup Manager to tweak Login Screen options, in case that may be relevant.

  • by Grant Bennet-Alder,

    Aug 27, 2015 6:48 AM in response to N Turner

    fwd=fe80::d69a:20ff:fefa:8d6e

    Those are IPv6 addresses. Are you deliberately using IPv6?

  • by N Turner,

    Aug 27, 2015 9:32 AM in response to Grant Bennet-Alder

    Definitely not deliberately. I don't remember enabling IPv6 anywhere.

    Could that be relevant?

  • by Grant Bennet-Alder,

    Aug 27, 2015 9:39 AM in response to N Turner

    My mantra:

     

    "when you see something wrong while debugging, but can't find the fundamental problem, fixing what you saw that was wrong may change the symptoms (to something recognizable)."

     

    System Preferences > Network > Your Interface > IPv6: Link-local only

  • by N Turner,

    Aug 27, 2015 10:04 AM in response to Grant Bennet-Alder

    Thanks for that. Definitely good practice.

    However, I changed it to 'link-local only' and no change.

     

    I'll post the log from the client machine that the local network user is on when trying to get Calendar.app to open and refresh normally:

     

    27/08/2015 17:53:19.353 Calendar[5000]: [com.apple.calendarui.log.auth] [Authentication operation for account nick failed but not an auth error (Error Domain=NSURLErrorDomain Code=-1003 "A server with the specified hostname could not be found." UserInfo=0x6000002e8500 {NSLocalizedDescription=A server with the specified hostname could not be found., NSErrorFailingURLStringKey=https://nick@macmini-i5.local/principals/__uids__/679D8D7D-2765-4274-AD21-AA7955F2A26E/, NSErrorFailingURLKey=https://nick@macmini-i5.local/principals/__uids__/679D8D7D-2765-4274-AD21-AA7955F2A26E/, _kCFStreamErrorDomainKey=12, _kCFStreamErrorCodeKey=8, NSUnderlyingError=0x600000a55180 "A server with the specified hostname could not be found."})]

     

    27/08/2015 17:53:32.147 CalendarAgent[4948]: [com.apple.calendar.store.log.caldav.queue] [Account refresh failed with error: Error Domain=CoreDAVHTTPStatusErrorDomain Code=401 "The operation couldn’t be completed. (CoreDAVHTTPStatusErrorDomain error 401.)" UserInfo=0x7fc759b2a9f0 {AccountName=Macmini-I5, CalDAVErrFromRefresh=YES, CoreDAVHTTPHeaders=<CFBasicHash 0x7fc7587415b0 [0x7fff750efed0]>{type = immutable dict, count = 11,

    entries =>

      0 : Server = <CFString 0x7fc7585ef050 [0x7fff750efed0]>{contents = "Twisted/13.2.0 TwistedWeb/9.0.0"}

      1 : Content-Type = <CFString 0x7fc758550c10 [0x7fff750efed0]>{contents = "text/html;charset=utf-8"}

      2 : MS-Author-Via = DAV

      3 : Strict-Transport-Security = <CFString 0x7fc7585eba10 [0x7fff750efed0]>{contents = "max-age=604800"}

      4 : DAV = <CFString 0x7fc758595b00 [0x7fff750efed0]>{contents = "1, access-control, calendar-access, calendar-schedule, calendar-auto-schedule, calendar-availability, inbox-availability, calendar-proxy, calendarserver-private-events, calendarserver-private-comments, calendarserver-sharing, calendarserver-sharing-no-scheduling, calendar-query-extended, calendar-default-alarms, calendar-managed-attachments, calendarserver-partstat-changes, calendar-no-timezone, calendarserver-recurrence-split, extended-mkcol, calendarserver-principal-property-search, calendarserver-principal-search, calendarserver-home-sync"}

      5 : Connection = <CFString 0x7fc758706180 [0x7fff750efed0]>{contents = "Keep-Alive"}

      6 : Date = <CFString 0x7fc75876a6f0 [0x7fff750efed0]>{contents = "Thu, 27 Aug 2015 16:53:31 GMT"}

      9 : Www-Authenticate = <CFString 0x7fc759c2d570 [0x7fff750efed0]>{contents = "basic realm="macmini-i5.local", digest nonce="fb36954cff937bc0318d17e1", opaque="8cacd2b863ac371729a060178d8de9c7-ZmIzNjk1NGNmZjkzN2JjMDMxOGQxN2UxLDo6MSwxNDQwNjk0NDEx", algorithm="md5", realm="macmini-i5.local""}

      10 : Content-Length = 141

      11 : Keep-Alive = <CFString 0x7fc759c72e10 [0x7fff750efed0]>{contents = "timeout=15, max=99"}

      12 : Vary = <CFString 0x7fc75858fa40 [0x7fff750efed0]>{contents = "User-Agent"}

    }

    }]

     

    FWIW changeip reports no problems with the hostname:

     

    Last login: Thu Aug 27 16:39:39 on console

    macmini-i5:~ admin$ sudo changeip -checkhostname

     

    WARNING: Improper use of the sudo command could lead to data loss

    or the deletion of important system files. Please double-check your

    typing when using sudo. Type "man sudo" for more information.

     

    To proceed, enter your password, or type Ctrl-C to abort.

     

    Password:

    dirserv:success = "success"

    macmini-i5:~ admin$

  • by Grant Bennet-Alder,

    Aug 27, 2015 7:15 PM in response to N Turner

    You need a fully qualified domain name with three parts that does not end in .local.

     

    .local is now more tightly reserved for Bonjour.

  • by N Turner,

    Aug 30, 2015 6:44 AM in response to Grant Bennet-Alder

    I redid the whole setup with a fully-qualified domain name - server.xxxxxxxx.private, including new DNS and LDAP. No change.

     

    Out of curiosity, has anyone got working caldav access for local network users with Yosemite/Server.app?

  • by Grant Bennet-Alder,

    Aug 30, 2015 8:48 AM in response to N Turner

    I do.

     

    But I am not using .local or .private

     

    MrHoffman says in his tech note on DNS that .private, although not as troublesome as .local is also not allowed.

     

    DNS Tips: Establishing a DNS Server on Mac OS X Server 10.6 - 10.9

     


  • by N Turner,

    Aug 30, 2015 9:12 AM in response to Grant Bennet-Alder

    Thanks again for the reply. Much appreciated!

     

    I understand that, but this installation is to test the error/issue. The 'production' server is in a client's office, and it has a fully-qualified domain, server.xxxxxx.com, and the issue is identical.

     

    I'll post log entries from a client machine with a local network user logged in, trying to open Calendar.app (where always they are presented with a never-ending password request loop):

     

    30/08/2015 17:06:00.130 CalendarAgent[7528]: [com.apple.calendar.store.log.caldav.queue] [Account refresh failed with error: Error Domain=CoreDAVHTTPStatusErrorDomain Code=401 "The operation couldn’t be completed. (CoreDAVHTTPStatusErrorDomain error 401.)" UserInfo=0x7f9ecb01fc30 {AccountName=OS X Server, CalDAVErrFromRefresh=YES, CoreDAVHTTPHeaders=<CFBasicHash 0x7f9ec8e52770 [0x7fff7b83ded0]>{type = immutable dict, count = 12,

    entries =>

      0 : Content-Type = <CFString 0x7f9ec8e3f6c0 [0x7fff7b83ded0]>{contents = "text/html;charset=utf-8"}

      1 : Keep-Alive = <CFString 0x7f9ec8e06ef0 [0x7fff7b83ded0]>{contents = "timeout=15, max=99"}

      2 : Vary = <CFString 0x7f9ec8e49fc0 [0x7fff7b83ded0]>{contents = "User-Agent"}

      5 : DAV = <CFString 0x7f9ecb2650f0 [0x7fff7b83ded0]>{contents = "1, access-control, calendar-access, calendar-schedule, calendar-auto-schedule, calendar-availability, inbox-availability, calendar-proxy, calendarserver-private-events, calendarserver-private-comments, calendarserver-sharing, calendarserver-sharing-no-scheduling, calendar-query-extended, calendar-default-alarms, calendar-managed-attachments, calendarserver-partstat-changes, calendar-no-timezone, calendarserver-recurrence-split, addressbook, extended-mkcol, calendarserver-principal-property-search, calendarserver-principal-search, calendarserver-home-sync"}

      6 : Server = <CFString 0x7f9ecb25a8f0 [0x7fff7b83ded0]>{contents = "Twisted/13.2.0 TwistedWeb/9.0.0"}

      13 : MS-Author-Via = DAV

      14 : Date = <CFString 0x7f9ec8e32590 [0x7fff7b83ded0]>{contents = "Sun, 30 Aug 2015 16:05:59 GMT"}

      15 : Strict-Transport-Security = <CFString 0x7f9ecb2251a0 [0x7fff7b83ded0]>{contents = "max-age=604800"}

      16 : Content-Length = 141

      17 : Connection = <CFString 0x7f9ecb237e10 [0x7fff7b83ded0]>{contents = "Keep-Alive"}

      21 : X-Frame-Options = <CFString 0x7f9ecb22ac70 [0x7fff7b83ded0]>{contents = "SameOrigin"}

      22 : Www-Authenticate = <CFString 0x7f9ec8e46230 [0x7fff7b83ded0]>{contents = "digest nonce="b928fc1ea713d925ad4d21af", algorithm="md5", opaque="857e9f98020ed5828f6d91de405d349e-YjkyOGZjMWVhNzEzZDkyNWFkNGQyMWFmLDEyNy4wLjAuMSwxNDQwOTUwNzU5", realm="server.xxxxxxx.com", basic realm="server.xxxxxxx.com", negotiate"}

    }

    }]

     

     

    30/08/2015 17:06:00.333 CalendarAgent[7528]: [com.apple.calendar.store.log.caldav.queue] [Adding [<CalDAVAccountRefreshQueueableOperation: 0x7f9ecb1b5ba0; Sequence: 0>] to failed operations.]

  • by Grant Bennet-Alder,

    Aug 30, 2015 9:28 AM in response to N Turner

    That console log looks suspiciously like a failed Calendar and Contacts conversion.

     

    Fixing that problem in place is discussed in this thread:

     

    caldavd failing to start after upgrade to Server


    I had a similar problem, not with a failed conversion of the Calendar and Contacts database, but with NO conversion whatsoever when the Server was upgraded. A restore from the unconverted Calendar and Contacts files from a pre-upgrade version allowed Server to do the conversion correctly. That history is in this thread:


    Calendar Server error 504 and 'Server with secure communication unavailable'





  • by N Turner,

    Sep 24, 2015 6:27 AM in response to Grant Bennet-Alder

    Update:

     

    I started again after the Server.app 5.0.3 update.

     

    On the server:

    Wipe and install 10.10.5.

    Download Server.app 5.0.3.

    Set up the server for the Internet.

    Set hostname and computer name to server.xxxx.com (an existing and valid FQDN with DynDNS).

    Set up Open Directory Master and DNS.

    Restart.

    Ran 'sudo changeip -checkhostname' - success.

    Created share point 'NetUsers' for network home folders in /Users/Shared/.

    Created two Local Network Users with the location of their home folders in NetUsers.

    Turned on Calendar service.

    Checked DNS and search domain for server - DNS server is 127.0.0.1, search domain is server.xxxx.com

     

    On the client machine:

    Wipe and install 10.10.5.

    Create admin user.

    Set DNS server in Network Preferences to the local IP of server.xxxx.com, and search domain to server.xxxx.com.

    Restart.

    In Users and Groups preferences, 'Joined' the server - at this point a new dialogue appeared that I hadn't ever seen before giving the option to provide a Machine ID (self-propagated) and a username and password. The diradmin name and password of the server was accepted.

    Restart.

    Presented with 'Other' in login screen.

    Logged in with first local network user successfully.

    Logged out.

    Logged in with second local network user successfully.

    Logged out.

    Logged in as first local network user and set up caldav account and created test events. Refreshed successfully. Logged out.

    Ditto for second local network user.

    Logged in again as first network user and started up Calendar.app. Still working.

    Log in as second local network user, started up Calendar.app. Error. Password missing. Repetitive loop of requesting password that never accepts the correct password.

    Log out.

    Ditto with first local network user.

     

     

    I have now tested this in different environments, and out of frustration I repeated this with clean installations all round to rule stuff out as causes.

    The only notable log entry that I can find is this from the client machine:

     

    24/09/2015 14:21:24.605 CalendarAgent[889]: [com.apple.calendar.store.log.caldav.queue] [Account refresh failed with error: Error Domain=CoreDAVHTTPStatusErrorDomain Code=401 "The operation couldn’t be completed. (CoreDAVHTTPStatusErrorDomain error 401.)" UserInfo=0x7fcd1c0b4030 {AccountName=server.xxxx.com, CalDAVErrFromRefresh=YES, CoreDAVHTTPHeaders=<CFBasicHash 0x7fcd1ae72d00 [0x7fff74cc2ed0]>{type = immutable dict, count = 8,

    entries =>

      0 : Server = <CFString 0x7fcd1ac31a90 [0x7fff74cc2ed0]>{contents = "Twisted/15.2.1 TwistedWeb/9.0.0"}

      1 : Content-Type = <CFString 0x7fcd1acd1eb0 [0x7fff74cc2ed0]>{contents = "text/html;charset=utf-8"}

      3 : Strict-Transport-Security = <CFString 0x7fcd1aec93b0 [0x7fff74cc2ed0]>{contents = "max-age=604800"}

      6 : Date = <CFString 0x7fcd1ae99fe0 [0x7fff74cc2ed0]>{contents = "Thu, 24 Sep 2015 13:21:22 GMT"}

      9 : Www-Authenticate = <CFString 0x7fcd1aed2460 [0x7fff74cc2ed0]>{contents = "digest algorithm="md5", opaque="ae4f9e81e127b8b370faa3faf0864263-ZmI0ZDU0OTc2ZTkwMDAxYmQxZTBlOTc4LDAuMC4wLjAsMTQ0MzEwMDg4Mg==", realm="mildmay.dyndns.org", nonce="fb4d54976e90001bd1e0e978", basic realm="mildmay.dyndns.org", negotiate"}

      10 : Content-Length = 141

      11 : Keep-Alive = <CFString 0x7fcd1aecde00 [0x7fff74cc2ed0]>{contents = "timeout=5, max=95"}

      12 : Connection = <CFString 0x7fcd1ae4bb40 [0x7fff74cc2ed0]>{contents = "Keep-Alive"}

    }

    }]

     

    What am I doing wrong?

  • by N Turner,

    Sep 24, 2015 9:02 AM in response to Grant Bennet-Alder

    Seems as if there are some bugs in Apple's forum software (BTW I'm using the LATEST RELEASE OF SAFARI!)

    First my reply appears. I log out. Log back in a couple of hours later and my reply has disappeared. I try to repost and see that there is an 'auto-recovery' post that I recover and then post. Refresh and the previous post AND the new repost now BOTH appear.

     

    TBH this is the least of my worries, but am I the only person getting a bit worried about some of the more recent Apple software?

  • by Grant Bennet-Alder,

    Sep 24, 2015 9:46 AM in response to N Turner

    The forum software is a special build of Jive, a commercial product not made by Apple.

     

    It does not meet the Apple Interface guidelines to be an Apple product, but it appears to be the only software available that can handle the huge volume of traffic this site gets.

  • by Fredriksson,

    Jul 30, 2016 3:59 PM in response to N Turner

    Hi!

     

    I'm having exactly the same problem here, using Server 5.1.7 with OS X 10.11.6. I tried a lot of things, but nothing worked. How did you solve your problem?

     

    Thanks!