20 Replies. Latest reply: Oct 12, 2010 2:57 PM by Big Stu
Big Stu Level 1 (70 points)
Hi,

OpenDirectory crashed on our SLS the other day (which seems to be related to the Time Machine bug that isn't fixed in 10.6.4) and since then we've had no end of trouble with iChat Server.

Prior to the crash, all our Jabber accounts were set up with the format shortname@domain.com and everything worked absolutely fine.

However, now this won't work, and if a user tries to log in with that format for their Jabber account they get the error:

ODKVerifyClientRequestFixed: Unable to authenticate

which appears in the log.

I've searched these discussion forums and the command:

changeip -checkaddress

responds with no errors and DNS matches hostname

Reverse DNS is fine and hasn't changed.

Configuration hasn't changed.

The only way users can log in is if they put their account details in the format:

shortname@xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP address of the server.

Has anyone come across this before? Can anyone suggest a fix for this? I'm at my wit's end as I've tried absolutely everything I can think of, including a reboot. Nothing in Server Admin seems to fix it!

Cheers,

Stu

Mac Pro, Mac OS X (10.6.4)
  • Tim Harris Level 4 (1,460 points)
    I assume that the domain you are expecting to host is listed in the Server Admin - iChat?
    When the iChat server starts up, you will see an entry in the log jabber/c2s [domain] and then realm=. What does it say - your IP address?

    Chances are you can fix this by changing the domain name listed in Server Admin iChat settings to something else, save it, and then change it back again to what you need. This should clean up the settings.
  • Big Stu Level 1 (70 points)
    Hi Tim,

    Yeah, the domain we're expecting to host is there. Along with several variations, all with DNS records there.

    At the moment, I've got two domains in there. The machine name (correctly set up in DNS with reverse lookup working fine) and the domain we want to host i.e. ichat.domain.com. When jabber starts up, there are two jabber/c2s domains in there with realms that correspond to the domains we have.

    Since I posted the original request on here, I've now got it working with the machine's host name, which is somewhat comforting, but the domain we want to host doesn't.

    Thus far, I've rebuilt OD, DNS and iChat. Deploying the iChat settings to a 10.5 Server works fine. Bringing them back onto 10.6.4 server and they are all FUBAR!

    It's frustrating!

    Regards,

    Stu
  • Tim Harris Level 4 (1,460 points)
    Ok, so I'm unsure of what the issue is. I think you are saying that the domain that matches the hostname works but not the other domain. There is very little difference between 10.5 and 10.6. As you probably gathered, you need a SM service running for each domain. What error message do you get when you try to log in on the other domain?
  • Big Stu Level 1 (70 points)
    Hi Tim,

    Yeah, hostname.domain.com works fine now but ichat.domain.com doesn't. Ideally we'd like to just run domain.com as the main domain.

    SM service? I can see jabber/sm running but I only see entries for hostname.domain.com and I presumed this was the Push Notification service. You can't add SM services in Server Admin can you?

    Regards,

    Stu
  • Tim Harris Level 4 (1,460 points)
    Hi

    If you are just wanting to log in as shortname@domain.com then just have that domain listed in the iChat settings section of Server Admin and no other domains listed. If you still cannot log in after that then post the error code you see in the logs. Can you confirm this is how it used to work before OD crashed?
  • Big Stu Level 1 (70 points)
    Hi Tim,

    Yeah, this is exactly how it worked before the OD crash.

    If I remove the hostname.domain.com entry so I just have domain.com as the domains iChat looks after, I get the following in the log on a connection attempt:

    Oct 10 11:09:15 arthur jabberd/c2s[81197]: [8] [::ffff:128.17.0.241, port=50660] connect
    Oct 10 11:09:16 arthur jabberd/c2s[81197]: ODKVerifyClientRequestFixed: Unable to authenticate
    Oct 10 11:09:16 arthur jabberd/c2s[81197]: [8] [::ffff:128.17.0.241, port=50660] disconnect jid=unbound, packets: 0

    Resetting the domain back to hostname.domain.com in Server Admin and making the relevant changes in iChat on the client machine results in a flawless login.

    If I set the domain to ichat.domain.com the same thing happens.

    I've checked DNS and done a changeip -checkhostname and all is well. The serveradmin configuration dump also appears to be fine.

    Frankly, I'm a bit stumped by this one!
  • Tim Harris Level 4 (1,460 points)
    Easiest way to fix it is to stop the iChat server using *sudo launchctl unload /System/Library/LaunchDaemons/org.jabber.jabberd.plist* then edit the file /etc/jabberd/c2s.xml and comment out the line that looks like this <digest-md5/> so that it now looks like this <!-- <digest-md5/> -->. Then restart the iChat server *sudo launchctl load /System/Library/LaunchDaemons/org.jabber.jabberd.plist*. See if that works.
  • Big Stu Level 1 (70 points)
    Hi Tim,

    Yeah, I'd already tried that. There's a <digest/> line already commented out and I've commented out the <cram-md5/> line too.

    Same error message when you try to log into anything other than hostname.domain.com.

    Frustrating!!!

    Regards,

    Stu
  • Big Stu Level 1 (70 points)
    Hi Tim,

    Just to clarify on my last, you did mean the <digest-md5/> entry in the <sasl> section, didn't you? When that is uncommented, the error message changes to:

    Oct 10 19:34:47 arthur jabberd/c2s[91002]: [8] [::ffff:128.17.0.241, port=60300] connect
    Oct 10 19:34:47 arthur jabberd/c2s[91002]: Password verification failed
    Oct 10 19:34:47 arthur jabberd/c2s[91002]: [8] [::ffff:128.17.0.241, port=60300] disconnect jid=unbound, packets: 0

    when anything other than hostname.domain.com is used.

    I've also tried commenting stuff out in the section prior to the <sasl> section but the effect is much the same.

    Regards,

    Stuart
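
Added example (not part of the thread): the two failure messages quoted so far carry no connection id, so tying them to a client means pairing them with the surrounding connect/disconnect lines of the same c2s process. The sketch below does that for the log format shown in the posts above; connection 9 in the sample is a constructed successful session, and `failed_logins` is a name chosen here.

```python
import re
from collections import defaultdict

# Constructed sample: failure sessions are copied from the thread; the
# successful session (connection 9) is invented for contrast.
SAMPLE = """\
Oct 10 11:09:15 arthur jabberd/c2s[81197]: [8] [::ffff:128.17.0.241, port=50660] connect
Oct 10 11:09:16 arthur jabberd/c2s[81197]: ODKVerifyClientRequestFixed: Unable to authenticate
Oct 10 11:09:16 arthur jabberd/c2s[81197]: [8] [::ffff:128.17.0.241, port=50660] disconnect jid=unbound, packets: 0
Oct 10 11:12:01 arthur jabberd/c2s[81197]: [9] [::ffff:128.17.0.241, port=50671] connect
Oct 10 11:14:30 arthur jabberd/c2s[81197]: [9] [::ffff:128.17.0.241, port=50671] disconnect jid=testuser@hostname.domain.com/Mac, packets: 42
Oct 10 19:34:47 arthur jabberd/c2s[91002]: [8] [::ffff:128.17.0.241, port=60300] connect
Oct 10 19:34:47 arthur jabberd/c2s[91002]: Password verification failed
Oct 10 19:34:47 arthur jabberd/c2s[91002]: [8] [::ffff:128.17.0.241, port=60300] disconnect jid=unbound, packets: 0
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ jabberd/c2s\[(\d+)\]: (.*)$")
CONN = re.compile(r"^\[(\d+)\] \[([^,\]]+), port=(\d+)\] (connect|disconnect)(?: jid=([^,]+))?")
FAILURES = ("ODKVerifyClientRequestFixed: Unable to authenticate",
            "Password verification failed")

def failed_logins(text):
    """Return one record per session that closed without binding a JID."""
    open_conns = defaultdict(dict)          # pid -> {connection id: session}
    results = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                        # not a jabberd/c2s line
        when, pid, msg = m.groups()
        c = CONN.match(msg)
        if c:
            cid, addr, port, event, jid = c.groups()
            if event == "connect":
                # Strip the IPv4-mapped IPv6 prefix so sources group cleanly.
                src = addr[7:] if addr.startswith("::ffff:") else addr
                open_conns[pid][cid] = {"time": when, "pid": pid, "src": src,
                                        "port": int(port), "reason": None}
            else:
                sess = open_conns[pid].pop(cid, None)
                if sess and jid == "unbound":
                    results.append(sess)
        elif msg in FAILURES:
            # No connection id on failure lines: attribute only if unambiguous.
            live = list(open_conns[pid].values())
            for s in live:
                s["reason"] = msg if len(live) == 1 else s["reason"] or "ambiguous: " + msg
    return results
```

Calling `failed_logins(SAMPLE)` returns the two unbound sessions with their source address, port and failure reason; when several connections are open in the same process the reason is marked ambiguous rather than guessed.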
  • Tim Harris Level 4 (1,460 points)
    Um... that is really very strange.
    How did you rebuild the OD?

    Can you make a new user in OD and try and connect and see if you get the same results?
  • Big Stu Level 1 (70 points)
    Hi Tim,

    OD was rebuilt from a backup. I demoted it from Master to a stand alone and then changed it back to master again. Imported the backup file once it was a Master again.

    Users can be added with no problems and the symptoms are the same regardless. It's all very weird, this!

    Regards,

    Stu
  • Tim Harris Level 4 (1,460 points)
    I cannot understand why new users, with fresh passwords, would work on server.domain.com and not domain.com.

    Can only suggest you post the log file entries whilst the iChat server starts up, I'll see if there is anything odd there - but I somehow doubt it.

    Also, can you pick one client machine and delete the Keychain record for both domains, log onto the server and change the password for that one user and change the password.

    It seems more likely to be a problem with OD than anything else. Have you looked in the logs for authentication problems?
  • Big Stu Level 1 (70 points)
    Hi Tim,

    I must admit, I'm inclined to agree with you. There isn't anything unusual in the log when iChat server starts up - no error messages at all. All perfectly normal.

    This problem is apparent whether a user is connecting via VPN (VPN Tracker software on a MacBook with) or whether a user is in the office. Remote users have linked accounts or Mobile User accounts.

    The only other strange thing is that some users can't log on to client machines in the office. The GUI reports "You can't be logged on at this time because an error occurred". I'll post the logs from OD when I get a chance today.

    Cheers,

    Stu
  • Big Stu Level 1 (70 points)
    Hi Tim,

    OK, I monitored the OD logs and this is what the Password Service Error Log reports when anything other than hostname.domain.com is used:

    Oct 11 2010 17:27:32 Requested identity not authenticated identity
    Oct 11 2010 17:27:47 Requested identity not authenticated identity

    The Password Service Server Log reports this:

    Oct 11 2010 17:27:32 AUTH2: {0x4cafa44b39dee26c0000005a0000005a, testuser} WEBDAV-DIGEST authentication failed, SASL error -13 (password incorrect).
    Oct 11 2010 17:27:47 AUTH2: {0x4cafa44b39dee26c0000005a0000005a, testuser} WEBDAV-DIGEST authentication failed, SASL error -13 (password incorrect).

    I can't see anywhere in the iChat config that even mentions WEBDAV-DIGEST. Am I barking up the wrong tree?

    Regards,

    Stuart