13 Replies Latest reply: Dec 8, 2015 11:56 AM by Picoscope
schoysi Level 1 (0 points)

Hi Guys,

 

I'm getting some errors in my Open Directory log file and I really have no idea how to fix this.

The server is a Lion 10.7.2 Server with an Open Directory Master (no Replicas)

 

When I use dscl to list the users in the directory (list LDAPv3/127.0.0.1/Users/) every user is shown correctly in the list.

 

Connecting to a share on that server works but we get the following errors:

 

2011-11-03 11:16:24.493 CET - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':

          User 'user1.domain' (/LDAPv3/127.0.0.1) - ID 1053 - UUID B3189A5D-77EA-4A1C-91BB-DDD9CCF5A958 - SID S-1-5-21-2553502104-2799725507-638401443-3106

          User 'user2.domain' (/LDAPv3/127.0.0.1) - ID 1058 - UUID F7D98082-D682-446B-BF2C-840901B8E623 - SID S-1-5-21-2553502104-2799725507-638401443-3116

2011-11-03 11:20:16.750 CET - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':

          User 'user6.domain' (/LDAPv3/127.0.0.1) - ID 1025 - UUID 197D5942-72BA-4AC1-B11C-5154F0CC05C0 - SID S-1-5-21-2553502104-2799725507-638401443-3050

          User 'user2.domain' (/LDAPv3/127.0.0.1) - ID 1058 - UUID F7D98082-D682-446B-BF2C-840901B8E623 - SID S-1-5-21-2553502104-2799725507-638401443-3116

2011-11-03 11:22:43.093 CET - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':

          User 'user5.domainr' (/LDAPv3/127.0.0.1) - ID 1075 - UUID C3CBB296-1A6A-452D-BEB8-8AC7ABE52E44 - SID S-1-5-21-2553502104-2799725507-638401443-3150

          User 'user2.domain' (/LDAPv3/127.0.0.1) - ID 1058 - UUID F7D98082-D682-446B-BF2C-840901B8E623 - SID S-1-5-21-2553502104-2799725507-638401443-3116

2011-11-03 11:24:34.487 CET - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':

          User 'user4.domain' (/LDAPv3/127.0.0.1) - ID 1074 - UUID D5C3278F-9597-41F1-9B47-1E2865F01545 - SID S-1-5-21-2553502104-2799725507-638401443-3148

          User 'user2.domain' (/LDAPv3/127.0.0.1) - ID 1058 - UUID F7D98082-D682-446B-BF2C-840901B8E623 - SID S-1-5-21-2553502104-2799725507-638401443-3116

 

Thanks for every useful hint to get rid of these errors.

Patrick


Mac mini, Mac OS X (10.7.2)
  • realzcubed Level 1 (0 points)

    +1 on freshly installed Lion Server 10.7.2, newly created network accounts, no migration whatsoever.

     

    Here's what dscl shows on the newly created network account 'fubar'. Note the funky Kerberos email id "untitled_1@HOST.DOMAIN.COM". Workgroup Manager always comes up with the default account name Untitled_1 before you edit anything. Does this persist? Is this the issue?

     

    $ sudo dscl

    Entering interactive mode... (type "help" for commands)

    > cd /LDAPv3/127.0.0.1/Users/fubar

    /LDAPv3/127.0.0.1/Users/fubar > ls

    /LDAPv3/127.0.0.1/Users/fubar > read

    dsAttrTypeNative:objectClass: person inetOrgPerson organizationalPerson posixAccount shadowAccount top extensibleObject apple-user

    AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM

    AppleMetaNodeLocation: /LDAPv3/127.0.0.1

    AppleMetaRecordName: uid=fubar,cn=users,dc=host,dc=domain,dc=com

    AuthenticationAuthority:

    ;ApplePasswordServer;0xf00 root@host.domain.com:10.0.1.2

    GeneratedUID: bar

    LastName: fubar

    MCXFlags:

    <?xml version="1.0" encoding="UTF-8"?>

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

    <plist version="1.0">

    <dict>

        <key>simultaneous_login_enabled</key>

        <true/>

    </dict>

    </plist>

     

    NFSHomeDirectory: 99

    Password: {CRYPT}*

    PrimaryGroupID: 20

    RealName: fubar

     

    RecordName: fubar

    RecordType: dsRecTypeStandard:Users

    UniqueID: 1027

    UserShell: /bin/bash

  • tagme10k Level 1 (10 points)

    After doing a fresh install of Server 10.7.2 and noticing the property

    AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM on all network users created with Workgroup Manager were causing the error: Misconfiguration detected in hash 'Kerberos', to be displayed in the Open Directory Log and System Log, I used Directory Utility (part of Server.app) to modify the AltSecurityIdentities property for those users.

     

    I will monitor if this fixes the error messages.

  • tagme10k Level 1 (10 points)

    Looks like it fixed the problem.

  • realzcubed Level 1 (0 points)

    Thanks! Fixed it for me too -- I didn't know about the Directory Utility app. I filed a bug report.

  • schoysi Level 1 (0 points)

    Thanks a lot, this fixed the problem!!!

  • arekdreyer Level 1 (10 points)

    It's probably a good idea to use the Server app any time you can. If you create a user with Workgroup Manager, you'll notice that the user has the untitled_1@REALMNAME for the AltSecurityIdentities attribute.

     

    However, if you create a user with the Server app, the AltSecurityIdentities attribute will be just fine.

  • fight_or_flight Level 1 (10 points)

    What exactly has to be changed in the AltSecurityIdentities attribute?

    Do I have to change the attribute on the server or the user machine?

  • im3ngs Level 1 (15 points)

    I changed the "untitled_1" part to reflect the short name of the user.

  • Lindsay Robertson1 Level 1 (5 points)

    Fixed my problem.

     

    The first symptom was users not being able to empty network based trash folders.

    Console revealed the error.

     

    What a pain!

    Glad I've only got 30 users...

     

    l.

  • RoseValley Level 1 (10 points)

    I have noticed the same issue on my server. But only one of the users is getting the error line in the log and yet all have the same untitles_1@server.domain.com in that line. Why one and not the others? Do I need to change this since no one seems to notice any problems on their end, just me looking at the logs?

     

    Help,

    Kevin

  • guitarkid55 Level 1 (0 points)

    "After doing a fresh install of Server 10.7.2 and noticing the property

    AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM on all network users created with Workgroup Manager were causing the error: Misconfiguration detected in hash 'Kerberos', to be displayed in the Open Directory Log and System Log, I used Directory Utility (part of Server.app) to modify the AltSecurityIdentities property for those users."

     

     

    Could someone please give more info on where this setting is located in Directory Utility? I am new to OS X server and having this exact same issue. Thanks.

  • schoysi Level 1 (0 points)

    Hi guitarkid55,

     

    First you have to authenticate in Directory Utility with your directory credentials (diradmin).

     

    Then switch to Users (Viewing) and select the user with the problem.

    On the right side you can select the "AltSecurityIdentities" and edit this setting. And click "save".

     

    Hope this helps solving your problem.

     

    Greetings

    schoysi

  • Picoscope Level 1 (5 points)

    Note that a script to fix all users with this error has been posted by Eric Dryer here:

    https://github.com/arekdreyer/Lion-Server/blob/master/FixAltSecurityIdentities.sh
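
An added example, not part of the thread and not the script linked above: a read-only audit that lists accounts whose AltSecurityIdentities Kerberos principal does not begin with the account's short name, the condition the posters above corrected by hand in Directory Utility. It assumes records in the `Key: value` layout shown in the dscl output earlier in the thread, separated by a line containing only `-`; the function name and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag records whose Kerberos principal does not match RecordName.
# Reads record dumps on stdin and prints "<RecordName> <principal>" per mismatch.
# Assumption: one "Key: value" pair per line, records separated by a "-" line.
find_mismatched_principals() {
    awk '
        # Compare the part of the principal before "@" with the short name.
        function emit_record(   local_part) {
            if (name != "" && princ != "") {
                local_part = princ
                sub(/@.*/, "", local_part)
                if (local_part != name)
                    print name, princ
            }
            name = ""; princ = ""
        }
        /^-$/ { emit_record(); next }          # record separator
        /^RecordName:/ { name = $2 }           # first value is the short name
        /^AltSecurityIdentities:/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Kerberos:/)
                    princ = substr($i, 10)     # drop the "Kerberos:" prefix
        }
        END { emit_record() }
    '
}

# Constructed sample input (not real accounts): two records carry the
# Workgroup Manager default principal, one is correct.
SAMPLE_RECORDS='RecordName: fubar
AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM
-
RecordName: alice
AltSecurityIdentities: Kerberos:alice@HOST.DOMAIN.COM
-
RecordName: bob
AltSecurityIdentities: Kerberos:untitled_1@HOST.DOMAIN.COM'

printf '%s\n' "$SAMPLE_RECORDS" | find_mismatched_principals

# On the Open Directory master the input would come from dscl instead:
#   dscl /LDAPv3/127.0.0.1 -readall /Users RecordName AltSecurityIdentities \
#       | find_mismatched_principals
```

The audit changes nothing in the directory; each line it prints is an account whose attribute still needs editing.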