9 Replies Latest reply: Jun 20, 2013 9:05 AM by YUZA-Tom
forappie Level 1 (25 points)

I have a problem with Network Users defined on my Lion Server accessing the server through VPN or Profile Manager (via Safari) ... I keep on getting authentication errors. Is this because they are network users or am I missing something else?


This works: when I log on to my Lion Server with either local or network users everything seems to be OK, including home directory synchronisation.


I tried the following for VPN:

  • my local server account can log on to the server (i.e. my secret key and user account/password combination are OK: "chap peer authentication succeeded for ...")
  • when I try the same with two of my network accounts I keep on getting authentication errors (VPN), but I'm sure I use the same user ID/password combinations as above ("chap peer authentication failed for ...")


I get similar results when I access the Profile Manager (https://myserver/profilemanager/)

  • my local server account can log on to the Profile Manager and sees all the information
  • when I try this with one of my network accounts (which has devices assigned) I keep on getting 'incorrect user name or password'


Thanks in advance for the help provided.

Mac mini, Mac OS X (10.7.3), (Server)
  • forappie Level 1 (25 points)

    Does anyone have any suggestions?


    In simpler terms my problem is: Mobile Accounts cannot log on to the Profile Manager, nor can they be used for VPN access (I am getting authentication errors in both cases). This problem does not occur for local accounts or accounts with the home directory on the server.

  • Jonathan Melville Level 2 (450 points)

    Are the Mobile Accounts part of the SACL for VPN?

  • forappie Level 1 (25 points)

    The users I tested are listed under VPN in the Server Admin Access pane (I didn't make any changes myself in the access pane).


    I also studied my logfile again and compared successful and unsuccessful events. I found the following in the case of a successful connection:

    15-04-12 08:13:00,993 pppd: L2TP connection established.
    15-04-12 08:13:00,995 pppd: Connect: ppp0 <--> socket[34:18]
    15-04-12 08:13:01,070 pppd: DSAuth plugin: Could not authenticate key agent for encryption key retrieval, err -14136
    15-04-12 08:13:01,070 pppd: CHAP peer authentication succeeded for testuser2
    15-04-12 08:13:01,074 pppd: DSAccessControl plugin: User 'testuser2' authorized for access


    but in an unsuccessful attempt I saw that Open Directory crashed:

    14-04-12 18:36:29,654 pppd: L2TP connection established.
    14-04-12 18:36:29,655 pppd: Connect: ppp0 <--> socket[34:18]
    14-04-12 18:36:29,881 com.apple.opendirectoryd: Assertion failed: (request->node == NULL), function _odrequest_api_validate, file /SourceCache/opendirectoryd/opendirectoryd-172.10/src/api_requests.c, line 2230.
    14-04-12 18:36:30,773 com.apple.launchd: (com.apple.opendirectoryd[15948]) Job appears to have crashed: Abort trap: 6
    14-04-12 18:36:30,784 pppd: CHAP peer authentication failed for testuser4
    14-04-12 18:36:30,789 pppd: Connection terminated.


    About a minute later Open Directory crashes again and then continues to work normally.


    Can this information help to get my problem resolved?

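One way to check whether every failed VPN logon in a log follows an Open Directory crash, rather than eyeballing two excerpts: the POSIX shell/awk script below is an added example, not code from this thread or from Apple, and it assumes the log format quoted above ("DD-MM-YY HH:MM:SS,mmm process: message"). The sample log is constructed from lines modelled on the ones posted, with one extra CHAP failure (a hypothetical testuser5) that has no preceding crash, so the two cases can be told apart. For each "CHAP peer authentication failed for" line it reports whether an opendirectoryd assertion or crash was logged within the preceding window (default 5 seconds), lists successful CHAP logons, and counts the "Could not authenticate key agent" (err -14136) lines that show up even on successful connections.

```shell
#!/bin/sh
# Added example (not part of the original thread). Correlates pppd CHAP
# failures with opendirectoryd crashes in an OS X Server log.
# Assumed log line format: "DD-MM-YY HH:MM:SS,mmm process: message".

# Constructed sample log, modelled on the lines quoted in the thread.
# testuser5 is a hypothetical account added to show a failure with no crash.
sample_log() {
cat <<'EOF'
14-04-12 18:36:29,654 pppd: L2TP connection established.
14-04-12 18:36:29,655 pppd: Connect: ppp0 <--> socket[34:18]
14-04-12 18:36:29,881 com.apple.opendirectoryd: Assertion failed: (request->node == NULL), function _odrequest_api_validate, file /SourceCache/opendirectoryd/opendirectoryd-172.10/src/api_requests.c, line 2230.
14-04-12 18:36:30,773 com.apple.launchd: (com.apple.opendirectoryd[15948]) Job appears to have crashed: Abort trap: 6
14-04-12 18:36:30,784 pppd: CHAP peer authentication failed for testuser4
14-04-12 18:36:30,789 pppd: Connection terminated.
15-04-12 08:13:00,993 pppd: L2TP connection established.
15-04-12 08:13:00,995 pppd: Connect: ppp0 <--> socket[34:18]
15-04-12 08:13:01,070 pppd: DSAuth plugin: Could not authenticate key agent for encryption key retrieval, err -14136
15-04-12 08:13:01,070 pppd: CHAP peer authentication succeeded for testuser2
15-04-12 08:13:01,074 pppd: DSAccessControl plugin: User 'testuser2' authorized for access
15-04-12 09:00:05,100 pppd: CHAP peer authentication failed for testuser5
EOF
}

# correlate [window_seconds]  -- reads log lines on stdin, writes one line per
# CHAP result plus a summary. "od-crash" means an opendirectoryd assertion or
# launchd crash report was logged no more than window_seconds earlier.
correlate() {
    awk -v window="${1:-5}" '
    # Fold "DD-MM-YY" and "HH:MM:SS,mmm" into a monotonic second count
    # (months are folded as 31 days; only differences are used).
    function ts(d, t,   dd, tt) {
        split(d, dd, "-"); split(t, tt, "[:,]")
        return ((dd[3] * 12 + dd[2]) * 31 + dd[1]) * 86400 + tt[1] * 3600 + tt[2] * 60 + tt[3]
    }
    /opendirectoryd/ && /(Assertion failed|appears to have crashed)/ { last_crash = ts($1, $2) }
    /CHAP peer authentication failed for/ {
        user = $NF; now = ts($1, $2); fails++
        if (last_crash && now - last_crash <= window) print "FAIL " user " od-crash"
        else print "FAIL " user " no-crash"
    }
    /CHAP peer authentication succeeded for/ { print "OK " $NF; oks++ }
    /Could not authenticate key agent/ { keyagent++ }
    END { printf "summary ok=%d fail=%d keyagent_errors=%d\n", oks + 0, fails + 0, keyagent + 0 }
    '
}

# Stand-alone run: correlate the constructed sample with a 5 second window.
# On a real server: correlate 5 < /var/log/ppp.log (path is an assumption;
# use whatever file the pppd and opendirectoryd lines are written to).
sample_log | correlate 5
```

A CHAP failure tagged "od-crash" points at the directory service dying mid-request (the account's credentials never got checked), whereas "no-crash" means the credentials themselves, the SACL, or the password policy rejected the user; the two need different fixes.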
  • forappie Level 1 (25 points)

    I decided to experiment a bit further and take some more drastic measures (I did not have critical data or userids on my server yet).


    1. Follow the instructions on the following thread: https://discussions.apple.com/thread/3704295?start=0&tstart=0
      Unfortunately my problem was different and Apple's KB article http://support.apple.com/kb/HT4748 didn't solve it for me.
    2. I had read about rebuilding my OD master but was somewhat reluctant to do so. I found some 'crypted' instructions on krypted.com (http://krypted.com/mac-os-x-server/server-app-and-open-directory-rebuilds/) which I decided to follow:
      1. take a backup of my OD master (Server Admin.app)
      2. Destroy my OD master: slapconfig -destroyldapserver
      3. restart
      4. delete all my network userids in Server.app (which I had expected to disappear when deleting my OD master)
      5. restart (not sure whether this restart is required)
      6. promote my OD to a OD Master (Server Admin.app)
      7. enable SSL again for the OD master (ditto)
      8. restart (not sure whether this restart is required)
      9. create a network test user account and log in/log out remotely ...
      10. test VPN and remote profile manager access ... lo and behold, I could suddenly access my account remotely
      11. restore my OD backup from step 1 above
      12. no joy ... the network accounts still don't work remotely through VPN or profile manager


    At least I now know I have to recreate my OD and subsequently all my network user accounts. I hope I can still link them to the existing home folders on the server.

  • SnakeDog Level 1 (0 points)

    This is marked as having 'solved' the problem? It seems like you said that it didn't work.


    Was a resolution ever discovered?


    Oh, and I also can't seem to push profiles from the profile manager to the computers that have mobile accounts setup.


  • forappie Level 1 (25 points)

    Hi SnakeDog. Apologies for the delayed response. I did not use VPN for some time and agree with you that my response is somewhat cryptic when I look at it again today.


    I wanted to use it again today and see I still have the same problems (I have moved to 10.8.2 in the meantime):

    1. My existing local network users can't get access through VPN ("chap peer authentication failed" is the message in the server log for pppd)
    2. A new local network user does have access through VPN
    3. An existing local user also has access through VPN


    So the conclusion that I have to recreate the "old" local network user accounts is still valid. In the meantime my local network users can use profile manager ... they have to provide their credentials twice for it to work.


    Let me know if you have found a solution in the meantime.



  • SnakeDog Level 1 (0 points)

    It sounds like the settings on your old network accounts got changed to not allow vpn. You are probably right that the easiest would be to recreate the accounts.


    Otherwise you'll have to troubleshoot and see what was changed in the old accounts. Perhaps the VPN service was restricted, or perhaps the short name or something like that got changed.

  • UptimeJeff Level 4 (3,455 points)

    Your VPN log should reveal clues.


    Do you see MPPE errors? If so, then you may find solutions here by searching for that term or for vpnaddkeyagentuser.

  • YUZA-Tom Level 1 (0 points)

    I believe the problem is the password policy; my fix is here: https://discussions.apple.com/thread/5117337