10 Replies Latest reply: Oct 9, 2012 9:42 PM by osgjl
Puddletown*Jim Level 1

I am having difficulty troubleshooting this error.  I have attached a section of the /var/log/opendirectoryd.log file while in debug mode.  This is a 10.7.3 Open Directory master with no replicas.  I put logging into debug mode to try to get to the root of this problem but I am not finding an answer to this issue.  I am getting this same error message with multiple users, but they can all log in and function just fine.  We are doing Radius auth to OD from our Cisco ASA for VPN connectivity and that works fine as well.

 

Any help would be greatly appreciated.  Thanks!

 

 

2012-03-12 11:30:09.119 PDT - Multiple names for non-user record 'wleler' - will be cache miss for others

2012-03-12 11:30:09.119 PDT - Module: SystemCache - Attaching Kerberos id 'wleler@OSXSERVER01.UTIL.PDX.OFFICE' to record 'wleler'
2012-03-12 11:30:09.119 PDT - Setting item 'wleler' with expiration 406137
2012-03-12 11:30:09.119 PDT - Adding item 'wleler' with expiration 406137
2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - GlobalGUID - adding entry wleler (0x43E09310) - node 0x45903830
2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - GlobalUID - adding entry wleler (0x43E09310) - node 0x45903B30
2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - UserName - adding entry wleler (0x43E09310) - node 0x45903C60
2012-03-12 11:30:09.119 PDT - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
    User 'wleler' (/LDAPv3/127.0.0.1) - ID 1043 - UUID C66E0823-A91D-4C27-9A37-4BA25090F3AC - SID S-1-5-21-2682738804-2853610044-371931698-3086
     User 'cvaraghur' (/LDAPv3/127.0.0.1) - ID 1055 - UUID 062DA3EC-8197-460A-94DA-8F94008B4B0F - SID S-1-5-21-2682738804-2853610044-371931698-3110
2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - GlobalSID - adding entry wleler (0x43E09310) - node 0x45903DE0
2012-03-12 11:30:09.119 PDT - Module: SystemCache - Merged record 'wleler' (0x459033E0) into 0x43E09310 - new authority 'Name'
2012-03-12 11:30:09.120 PDT - Finalizing request 6369 object 0x7fb445d3b860
2012-03-12 11:30:09.120 PDT - Finalizing request 6366 object 0x7fb445902f30
2012-03-12 11:30:09.130 PDT - 1458.6370 - Client: AppleFileServer, UID: 0, EUID: 0, GID: 0, EGID: 0
2012-03-12 11:30:09.130 PDT - 1458.6370 - Adding to global request list - new count 1
2012-03-12 11:30:09.130 PDT - 1458.6370 - ODQueryCreateWithNode request, NodeID: 425F4A0A-25C3-4E46-8A8E-EC4C2DD3465B, RecordType(s): dsRecTypeStandard:AFPUserAliases, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseExact, Value(s): wleler, Requested Attributes: dsAttributesAll, Max Results: 1


Mac mini, Mac OS X (10.7.3), Mini server
Solved by Brettermeier on Mar 13, 2012 8:03 AM

Hi,

 

Your log tells me that the users wleler and cvaraghur have the same values in "AltSecurityIdentities" -> something like "kerberos:untitled_1@OSXSERVER01.UTIL.PDX".

 

Go to: System settings -> Users & Groups -> Login options (the little house symbol).

Then click the edit button beside the network account server entry. In the newly opened window, click the open directory service button. Choose the right tree (Users) - (/LDAPv3/127.0.0.1) and authenticate yourself with the diradmin user. Check every single user's entry "AltSecurityIdentities" and change untitled_1 to the user's short name.

 

Example: change "kerberos:untitled_1@OSXSERVER01.UTIL.PDX" to "kerberos:wleler@OSXSERVER01.UTIL.PDX" for your user wleler and

"kerberos:cvaraghur@OSXSERVER01.UTIL.PDX" for user cvaraghur.

 

That's it.
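Added example (not part of the original thread or written by any poster): a small Python parser for the "Misconfiguration detected in hash" blocks shown in the log excerpt above, reporting which accounts opendirectoryd says collide so you know whose AltSecurityIdentities to check. The first block in the sample is the one from the post; the second is a constructed repeat, and the line layout is assumed to match the excerpt.

```python
import re
from collections import Counter

HEADER = re.compile(
    r"Module: SystemCache - Misconfiguration detected in hash '([^']+)':")
MEMBER = re.compile(r"^\s+User '([^']+)' \(([^)]+)\) - ID \d+")

def find_conflicts(lines):
    """Count each distinct (hash, nodes, users) conflict reported in the log."""
    conflicts = Counter()
    hash_name, members = None, set()
    for line in list(lines) + [""]:        # empty sentinel closes a trailing block
        member = MEMBER.match(line) if hash_name else None
        if member:                         # indented "User ..." line inside a block
            members.add((member.group(1), member.group(2)))
            continue
        # Any other line ends the open block; record it if 2+ users collide.
        users = tuple(sorted({u for u, _ in members}))
        if hash_name and len(users) > 1:
            nodes = tuple(sorted({n for _, n in members}))
            conflicts[(hash_name, nodes, users)] += 1
        header = HEADER.search(line)
        hash_name, members = (header.group(1) if header else None), set()
    return conflicts

SAMPLE_LOG = [
    # Lines taken from the log excerpt in the question.
    "2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - UserName - adding entry wleler (0x43E09310) - node 0x45903C60",
    "2012-03-12 11:30:09.119 PDT - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':",
    "    User 'wleler' (/LDAPv3/127.0.0.1) - ID 1043 - UUID C66E0823-A91D-4C27-9A37-4BA25090F3AC - SID S-1-5-21-2682738804-2853610044-371931698-3086",
    "     User 'cvaraghur' (/LDAPv3/127.0.0.1) - ID 1055 - UUID 062DA3EC-8197-460A-94DA-8F94008B4B0F - SID S-1-5-21-2682738804-2853610044-371931698-3110",
    "2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - GlobalSID - adding entry wleler (0x43E09310) - node 0x45903DE0",
    # Constructed repeat of the same block (timestamp invented, IDs only).
    "2012-03-12 11:42:00.000 PDT - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':",
    "    User 'wleler' (/LDAPv3/127.0.0.1) - ID 1043",
    "     User 'cvaraghur' (/LDAPv3/127.0.0.1) - ID 1055",
]

if __name__ == "__main__":
    for (hash_name, nodes, users), count in find_conflicts(SAMPLE_LOG).items():
        print(f"{hash_name} conflict x{count} on {', '.join(nodes)}: "
              f"{', '.join(users)}")
```

To run it against a real log, pass the open file object for /var/log/opendirectoryd.log to `find_conflicts` instead of `SAMPLE_LOG`.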

 

 

 


  • Newbie-2-macs Level 1

    I may be wrong as it's a bit over my head but it looks as though the already cached username does not match the new username being cached. It then seems to use the new cached username. This may be due to as it states multiple short names being available?

     

    Sorry I can't help more than state the obvious



  • Puddletown*Jim Level 1

    Thanks Brettermeier!  That was exactly the problem.  The strange thing is that I had created all those users using Workgroup Manager, and they all had the same problem.  The users that got created with the server app did not have this issue. 

  • Brettermeier Level 1

    It seems that Apple don't want us to use the good "old" Server-Admin Tools and Workgroup Manager anymore.

     

    ... I don't like the server.app... 

  • Puddletown*Jim Level 1

    Hah.  Server.app is failing me with group memberships.  The members of groups are not showing up in Server.app and I can't add users to groups with the Server.app.  The groups are working fine, and WGM works just fine for managing the groups... but I think I might have a hard time remembering what functionality works (or doesn't work) where.  :-/

     

    Other than that, I am very happy with the OS X server.  There is just a little 'weirdness' here that makes me a bit uncomfortable.

  • stumcgregor Level 1

    Thanks Brettermeier, fixed my issue too.

  • Julien vander Straeten Level 1

    Same here.

    Thank you very much!

  • Philip Woods Level 1

    Thanks for this help Brettermeier.  We had about a dozen misconfigured AltSecurityIdentities.  Our 10.7.4 iCal server was getting so concerned about it that the caldav responses to clients had slowed down to a crawl and often gave errors saying that the server could not be found.

     

    Saved me a lot of headscratching.  Much appreciated.

  • craigfromco Level 1

    Thanks for the insight Brettermeier, saved me a ton of poking around the directory

  • osgjl Level 1

    Thanks for this tidbit, great stuff. I think the users that had this issue (including me) were the ones created with WGM and not the Server App. They've forever been second class citizens on our OD, as they always have issues trying to use shortnames for access to services.

     

    If it's gonna do a h-a job of creating the users in WGM, I'd rather not be able to do it there at all!