iChat Server (jabberd) troubles

Hi,

OpenDirectory crashed on our SLS the other day (which seems to be related to the Time Machine bug that isn't fixed in 10.6.4) and since then we've had no end of trouble with iChat Server.

Prior to the crash, all our Jabber accounts were set up with the format shortname@domain.com and everything worked absolutely fine.

However, now this won't work and if a user tries to log in with that format for their jabber account they get the error:

ODKVerifyClientRequestFixed: Unable to authenticate

which appears in the log.

I've searched these discussion forums and the command:

changeip -checkaddress

responds with no errors and DNS matches hostname

Reverse DNS is fine and hasn't changed.

Configuration hasn't changed.

The only way users can log in is if they put their account details in the format:

shortname@xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP address of the server.

Has anyone come across this before? Can anyone suggest a fix for this? I'm at my wit's end as I've tried absolutely everything I can think of, including a reboot. Nothing in Server Admin seems to fix it!

Cheers,

Stu

Mac Pro, Mac OS X (10.6.4)

Posted on Oct 8, 2010 2:18 PM


Oct 9, 2010 2:17 PM in response to Big Stu

I assume that the domain you are expecting to host is listed in the Server Admin - iChat?
When the iChat server starts up, you will see an entry in the log jabber/c2s [domain] and then realm=. What does it say - your IP address?

Chances are you can fix this by changing the domain name listed in Server Admin iChat settings to something else, save it, and then change it back again to what you need. This should clean up the settings.

Oct 9, 2010 2:45 PM in response to Tim Harris

Hi Tim,

Yeah, the domain we're expecting to host is there. Along with several variations, all with DNS records there.

At the moment, I've got two domains in there. The machine name (correctly set up in DNS with reverse lookup working fine) and the domain we want to host i.e. ichat.domain.com. When jabber starts up, there are two jabber/c2s domains in there with realms that correspond to the domains we have.

Since I posted the original request on here, I've now got it working with the machine's host name, which is somewhat comforting, but the domain we want to host doesn't.

Thus far, I've rebuilt OD, DNS and iChat. Deploying the iChat settings to a 10.5 Server works fine. Bringing them back onto 10.6.4 server and they are all FUBAR!

It's frustrating!

Regards,

Stu

Oct 9, 2010 3:24 PM in response to Big Stu

Ok, so I'm unsure of what the issue is. I think you are saying that the domain that matches the hostname works but not the other domain. There is very little difference between 10.5 and 10.6. As you probably gathered you need a SM service running for each domain. What error message do you get when you try to log in on the other domain?

Oct 9, 2010 3:31 PM in response to Tim Harris

Hi Tim,

Yeah, hostname.domain.com works fine now but ichat.domain.com doesn't. Ideally we'd like to just run domain.com as the main domain.

SM service? I can see jabber/sm running but I only see entries for hostname.domain.com and I presumed this was the Push Notification service. You can't add SM services in Server Admin can you?

Regards,

Stu

Oct 10, 2010 3:15 AM in response to Tim Harris

Hi Tim,

Yeah, this is exactly how it worked before the OD crash.

If I remove the hostname.domain.com entry so I just have domain.com as the domains iChat looks after, I get the following in the log on a connection attempt:

Oct 10 11:09:15 arthur jabberd/c2s[81197]: [8] [::ffff:128.17.0.241, port=50660] connect
Oct 10 11:09:16 arthur jabberd/c2s[81197]: ODKVerifyClientRequestFixed: Unable to authenticate
Oct 10 11:09:16 arthur jabberd/c2s[81197]: [8] [::ffff:128.17.0.241, port=50660] disconnect jid=unbound, packets: 0

Resetting the domain back to hostname.domain.com in Server Admin and making the relevant changes in iChat on the client machine results in a flawless login.

If I set the domain to ichat.domain.com the same thing happens.

I've checked DNS and done a changeip -checkhostname and all is well. The serveradmin configuration dump also appears to be fine.

Frankly, I'm a bit stumped by this one!

Oct 10, 2010 11:21 AM in response to Big Stu

Easiest way to fix it is to stop the iChat server using

sudo launchctl unload /System/Library/LaunchDaemons/org.jabber.jabberd.plist

then edit the file /etc/jabberd/c2s.xml and comment out the line that looks like this so that it now looks like this . Then restart the iChat server

sudo launchctl load /System/Library/LaunchDaemons/org.jabber.jabberd.plist

See if that works.

Oct 10, 2010 11:50 AM in response to Tim Harris

Hi Tim,

Just to clarify on my last, you did mean the <digest-md5/> entry in the <sasl> section, didn't you? When that is uncommented, the error message changes to:

Oct 10 19:34:47 arthur jabberd/c2s[91002]: [8] [::ffff:128.17.0.241, port=60300] connect
Oct 10 19:34:47 arthur jabberd/c2s[91002]: Password verification failed
Oct 10 19:34:47 arthur jabberd/c2s[91002]: [8] [::ffff:128.17.0.241, port=60300] disconnect jid=unbound, packets: 0

when anything other than hostname.domain.com is used.

I've also tried commenting stuff out in the section prior to the <sasl> section but the effect is much the same.

Regards,

Stuart

Oct 11, 2010 12:19 AM in response to Big Stu

I cannot understand why new users, with fresh passwords would work on server.domain.com and not domain.com.

Can only suggest you post the log file entries whilst the iChat server starts up, I'll see if there is anything odd there - but I somehow doubt it.

Also, can you pick one client machine and delete the Keychain record for both domains, log onto the server and change the password for that one user and change the password.

It seems more likely to be a problem with OD than anything else. Have you looked in the logs for authentication problems?

Oct 11, 2010 12:36 AM in response to Tim Harris

Hi Tim,

I must admit, I'm inclined to agree with you. There isn't anything unusual in the log when iChat server starts up - no error messages at all. All perfectly normal.

This problem is apparent whether a user is connecting via VPN (VPN Tracker software on a MacBook with) or whether a user is in the office. Remote users have linked accounts or Mobile User accounts.

The only other strange thing is that some users can't log on to client machines in the office. The GUI reports "You can't be logged on at this time because an error occurred". I'll post the logs from OD when I get a chance today.

Cheers,

Stu

Oct 11, 2010 9:32 AM in response to Tim Harris

Hi Tim,

OK, I monitored the OD logs and this is what the Password Service Error Log reports when anything other than hostname.domain.com is used:

Oct 11 2010 17:27:32 Requested identity not authenticated identity
Oct 11 2010 17:27:47 Requested identity not authenticated identity

The Password Service Server Log reports this:

Oct 11 2010 17:27:32 AUTH2: {0x4cafa44b39dee26c0000005a0000005a, testuser} WEBDAV-DIGEST authentication failed, SASL error -13 (password incorrect).
Oct 11 2010 17:27:47 AUTH2: {0x4cafa44b39dee26c0000005a0000005a, testuser} WEBDAV-DIGEST authentication failed, SASL error -13 (password incorrect).

I can't see anywhere in the iChat config that even mentions WEBDAV-DIGEST. Am I barking up the wrong tree?

Regards,

Stuart
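
An added example, not part of the thread and not jabberd's own tooling: a small Python triage script for the jabberd/c2s log lines quoted in the posts above. It pairs each connect with its disconnect and lists the sessions that ended with jid=unbound, together with the error logged in between. The first six sample lines are the ones quoted in the thread; the last two (a successful login) are constructed, and the function names are this example's own.

```python
import re
from collections import Counter
# First six lines are quoted from the thread; the last two are constructed
# (a successful login) so the script has a non-failing session to skip.
SAMPLE = """\
Oct 10 11:09:15 arthur jabberd/c2s[81197]: [8] [::ffff:128.17.0.241, port=50660] connect
Oct 10 11:09:16 arthur jabberd/c2s[81197]: ODKVerifyClientRequestFixed: Unable to authenticate
Oct 10 11:09:16 arthur jabberd/c2s[81197]: [8] [::ffff:128.17.0.241, port=50660] disconnect jid=unbound, packets: 0
Oct 10 19:34:47 arthur jabberd/c2s[91002]: [8] [::ffff:128.17.0.241, port=60300] connect
Oct 10 19:34:47 arthur jabberd/c2s[91002]: Password verification failed
Oct 10 19:34:47 arthur jabberd/c2s[91002]: [8] [::ffff:128.17.0.241, port=60300] disconnect jid=unbound, packets: 0
Oct 10 19:40:02 arthur jabberd/c2s[91002]: [9] [::ffff:128.17.0.241, port=60311] connect
Oct 10 19:40:09 arthur jabberd/c2s[91002]: [9] [::ffff:128.17.0.241, port=60311] disconnect jid=testuser@hostname.domain.com/Mac, packets: 12
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ jabberd/c2s\[(\d+)\]: (.*)$")
SESS = re.compile(r"^\[(\d+)\] \[([^,\]]+), port=(\d+)\] (connect|disconnect)(?: jid=(\S+?),)?")

def failed_sessions(text):
    """Return one dict per session that disconnected with jid=unbound."""
    open_by_pid, failures = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        sessions = open_by_pid.setdefault(pid, {})  # insertion-ordered by connect time
        s = SESS.match(msg)
        if s is None:
            # Error lines carry no [id]; attribute them to the newest open session of
            # this pid (a heuristic that can misattribute under concurrent logins).
            if sessions:
                sessions[next(reversed(sessions))]["errors"].append(msg)
            continue
        conn, peer, port, event, jid = s.groups()
        if event == "connect":
            sessions[conn] = {"start": stamp, "peer": peer, "port": int(port), "errors": []}
        elif conn in sessions:
            rec = sessions.pop(conn)
            if jid == "unbound":
                failures.append({**rec, "pid": pid, "end": stamp})
    return failures

def summarize(text):
    """Count failures per (peer address, first error message)."""
    return Counter((f["peer"], f["errors"][0] if f["errors"] else "no error logged")
                   for f in failed_sessions(text))

if __name__ == "__main__":
    for (peer, reason), n in summarize(SAMPLE).items():
        print(f"{n}x {peer}: {reason}")
```

Grouping by error text separates the two failure messages seen in the thread, so a change in the message after a configuration edit shows up as a new bucket rather than being lost in the log.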
