I've seen this in other threads (at least on Apple's discussion board) and thought I had a temp fix, but it hit again today. When you add aliases to a user in Workgroup Manager, it can/has change the primary shortname for one of the aliases, thereby changing the short login name used for network logins, email login etc. It happened again today. I wasn't able to check my email because it wouldn't authenticate, I looked at WGM, and sure enough the primary (first in the list greyed out can't edit) shortname had been changed to one of the aliases I had added for email purposes, and my original shortname had been demoted to an alias.
Does anyone else know id Apple is aware of this? Does anyone had an actual fix?
Additional development. My original shortname has been deleted by the system. If I go to terminal and id origname it doesn't exist. Very weird. On hold with support now.
OK, was able to reproduce the behavior on the phone. It seems as soon as you add a 3rd alias (fourth total shortname) and quit/reopen WGM, it will reassign and possibly delete the original shortname I had setup.
Just for fun, I started adding more aliases to my test user, quitting WGM, reopening, looking at the user, and it was indeed reassigning and deleting shortnames.
There were times when it wouldn't remember more than three aliases (as in it would delete some). Right now it seems to be able to hang on to five.
Anyone else care to reproduce? BTW, they said this wasn't the first report of this, they are tracking the issue. But now that they have a reproducible workflow they should be able to get a grip on it.
They have had some calls reporting similar behaviors, but this might be the first time someone called able to reproduce the issue. Don't know if it's a WGM app issue or the underlying goodies going wonky. At any rate, I have an open case on it, I've submitted the logs and all from the server, they can not make it happen at will, hopefully an update or even a terminal script patch will become available soon.
I'm on the phone with Apple right now about this. I see in my logs the there is a "Misconfigurations detected in hash 'Kerberos':" and then goes on about the UUID of the broken user. Maybe this is a Kerberos issue and not WGM.
My problem is replicable with every user. Here's what I do...
1) Create and save a user
2) add a second shortname
--No problems after save
3) Add a third shortname and the first and second shortnames swap.
--Mail services break for all shortnames
--Users can be just shortnames or fully qualified domains or just shortnames
This is replicable every time I create a user.
Support guy says there are reports of similar issues, but it needs to go to engineering. I could probably live with the problem, except the edited user that is broken either 1) Is out of commission until fixed or 2) Delete user and recreate...which means he loses all email/documents/etc.
Given my ability to reproduce this consistently, I'm surprised there are not more reports.
This may or may not be germane to your issue, but I had all kinds of trouble when I initially set up OS X server, migrating from - among other things - a separate mailserver. This related to using periods in usernames and also from creating second usernames (with periods) in WGM. There seems to be an issue with anything other than letters and numbers in usernames.
For around 20 years, our email addresses had been in the form firstname.lastname@domain, so my first run at setting up snow leopard server used these existing usernames. I am no longer certain of the details, but depending on the method used (server preferences or workgroup manager, as I recall), the system would either accept or reject usernames containing periods. Since I was concerned that using our legacy firstname.lastname usernames might be a problem, I checked with apple enterprise support, and the person I spoke to could not identify a reason why the periods might cause a problem, so I went ahead.
I cannot recall the specific initial problems, but there were several and I ended up purging my firstname.lastname users and going with usernames that had no periods or other offending characters. This time, in order to continue receiving mail at our legacy addresses, each user had a second "firstname.lastname" username entered in WGM. Among the problems I recall arising at this juncture was WGM becoming semi-disabled (I was unable to add users, for instance) and, in some cases, and for no apparent reason, the firstname.lastname usernames swapped places with the "legal" usernames in WGM.
I ended up purging the users and groups again, using only the "legal" usernames and no second username in WGM, and manually editing the etc/postfix/aliases file, to deal with our legacy firstname.lastname usernames. Everything has been well behaved for several weeks now, and adding a couple of second names that had no (apparently) illegal characters has not caused any problem.
Scott - I've noticed that I can still login as the effected user using one the the existing aliases, if not the top most one in the WGM list. Not a fix, but it works for now.
nxwx - My experience and my conversation with support tell me that, at least for the issue I'm seeing, having a period in the name doesn't seem to effect anything. In other words, the problem is as persistent with a period in the name as without.
As I was on the phone I had the tech walk through creating a shortname with a period and was able to reproduce the issue with (in WGM) the first shortname not taking a period, but aliases would. This is contrary to the documentation and he said he would include that in the notes on this larger issue as possibly a WGM glitch, seeing as you can create the first shortname with a period in Server Prefs.
All that to say, periods shouldn't be a problem, in theory. If they are, it's up to Apple to fix it, or remove the feature, at least as it relates to the primary short/login name. Aliases shouldn't be a big deal.
Works for me, and I can login into mail with that new primary shortname. I've found that, so long as the shortname is showing in WGM, I can login with it via email, but not anything requiring Kerberos. Is your email set to use kerberos for auth?
Yeap...I can login to both mail and squirrel mail with the user. But, if I try to send that user an email, the server bounces back saying that the email address does exist. The reason I am creating the aliases is so that one person gets email from a few different addresses. After the WGM issue, the ability to send the user email is broken.
Hm. If the alias still shows in WGM it seems like it should still get the email. I'm kind of new at some of this and I don't know where you are, but try this. Open terminal and type in "id" followed by the short name you are trying to email, as in shortname@yourdomain.com, but just type "id shortname". If you get a bunch of stuff, it's still in the system. If you get something like "no such user" quit and reopen WGM to see if its still there.
This has just been a pain...but I fixed it through a stupid series of lucky guesses and hacks.
Using your suggestion and the link below, I was able to use a combination of deleting shortname entries in the WGM and renaming the UID enough times to get the original short name back as the first listing. The article even explains that this command swaps out the first listing....so my guess is the WGM uses this command to change and OD entry. Unfortunately, it's not supposed to break the user like it does when done through the GUI.
I'm not going to touch these users again until I hear back from Apple...but how can we expect to do any kind of large scale deployment when it's so easily possible to break a user account? (Me venting)
Thanks so much for your quick responses and suggestions! I would be completely out of luck otherwise!
