Workgroup password incorrect issue

Question

Workgroup password incorrect issue

I have over 100 users on my server able to connect via afp and some vnc. Also all can access a blog and wiki online, but this new problem has arrised every time i create a new user their password is never correct when they try to connect via afp but they all can connect to the blogs and wikis. Whats goin on here? did i turn something off that i shouldnt have because this only happens to new users. I am only 16 and i manage this server for people to grab their files off the server and i have a school with over 2200 kids so i need a little bit of help here.

Xserve, Mac OS X (10.6.7), 2.66 Quad Intel 6GB RAM 2.5TB

Posted on Aug 25, 2011 5:40 AM

Reply

Answer 1

Best reply

John.Kitzmiller

Level 3

881 points

Aug 25, 2011 10:09 AM in response to Community User

This could be directory corruption. The first thing I would try is to autorize a user using dscl from the command line.

Open Terminal on your server (or ssh into it) and issue the following command:

dscl

You should then see:

Entering interactive mode... (type "help" for commands)

Now, type this command and press enter:

cd LDAPv3/127.0.0.1/Users/

Then:

ls

This should show you a list of users. Pick one of the users that is affected by the password problem, and run this command:

authonly <user>

It will prompt you for that user's password. If you enter the password and everything is good, it will return to the prompt with no feedback. If you see something like this:

Authentication for node /LDAPv3/127.0.0.1 failed. (-14090, eDSAuthFailed) <dscl_cmd> DS Error: -14090 (eDSAuthFailed)

Then something is wrong.

Try this on a sample of affected users and report back with the results.

Reply

Answer 2

Aug 25, 2011 11:56 AM in response to John.Kitzmiller

I got the error you suspected if something is wrong so now how do i fix it thank you for getting me this far

Reply

Answer 3

Aug 25, 2011 1:25 PM in response to Community User

Did you see that error on just one user, or on all users affected by the issue?

What about users who are not affected by the issue? Do they authenticate properly via this method?

Reply

Answer 4

Aug 25, 2011 1:31 PM in response to Community User

Another question: what result do you see when running the following command in Terminal?

sudo changeip -checkhostname

Reply

Answer 5

Aug 25, 2011 1:52 PM in response to John.Kitzmiller

The issue seems to have taken a turn for the worst now all my users are unable to connect because their "password is incorrect". When I went back into workgroup manager today all my users had been deleted so I imported my backup. And now yes i have gotten the same error message for all users. after using the last sudo command you told me to use i got this:

dscl (v10.6.0)

usage: dscl [options] [<datasource> [<command>]]

datasource:

localhost (default) or

localonly (activates a DirectoryService daemon process

with Local node only - daemon quits after use

<hostname> (requires DS proxy support, >= DS-158) or

<nodename> (Directory Service style node name) or

<domainname> (NetInfo style domain name)

And a bunch of options i can use...

Reply

Answer 6

Aug 25, 2011 1:56 PM in response to Community User

Whoops, that changeip command should be issued outside of dscl.

Reply

Answer 7

Aug 26, 2011 8:32 AM in response to Community User

Have you tried running

sudo changeip -checkhostname

in a new Terminal window (without entering dscl)? What were the results?

Reply

Answer 8

Aug 26, 2011 8:42 AM in response to John.Kitzmiller

These are my new results:

Primary address = 10.15.121.7

Current HostName = xserve.private

The DNS hostname is not available, please repair DNS and re-run this tool.

dirserv:success = "success"

Reply

Answer 9

Aug 26, 2011 9:06 AM in response to Community User

I think we've found the route of the problem. OS X server REQUIRES proper DNS, otherwise things can get weird really fast. Setting up Open Directory without proper DNS in place can lead to corruption, which is what I believe you're dealing with.

So before we can fix your OD, we need to fix DNS. Mr. Hoffman has a great writeup here: http://labs.hoffmanlabs.com/node/1436

A few questions for you:

What is providing DNS services on your LAN?

Are you able to use a FQDN (Fully Qualified Domain Name) instead of the xserve.private address?

Is this server (or does it need to be) reachable from the internet?

Reply

Answer 10

Aug 26, 2011 10:10 AM in response to John.Kitzmiller

Unfortunately I can not get a FQDN, it previously was viewable on the internet through its outside ip address but since these problems have begun I can no longer get to it. Now the DNS service I'm not exactly sure but I think we just have some default Comcast Servers we run off of, I'm honestly not sure if thats correct.

Reply

Answer 11

Aug 26, 2011 10:12 AM in response to Community User

The only thing I really need to be working right now is afp because if we can't backup our files on this server it is gonna be really hard to go through this school year

Reply

Answer 12

Aug 26, 2011 1:50 PM in response to Community User

So is this server part of your school's network? Or is it on your network at home?

I need a little more information about the network this server is connected to before I can advise you on how to proceed.

Reply

Answer 13

Aug 31, 2011 1:54 PM in response to John.Kitzmiller

we are having an outside service help us thank you for your time

Reply