I often think of things in terms of time it takes to figure out the solution to the problem vs time it takes to nuke and pave.
Dare I ask... How many users would you have to remake?
150 users would probably take 2 hours to recreate?
...Have you spent 2 hours on this problem yet? How about 4 or 6?
Perhaps you could have typed up 450 remade users so far!
I have a great idea as to how to change ownership of home folders to users after they're created.
Thoughts on the problem... (but don't spend too much time on it!)
What about crypt vs open directory password?
In WGM, select the user, click the advanced tab, and ensure that your users have OD based passwords?
...sometimes that pull-down menu displays OD, but it's not really. Try selecting OD, retype the password there, and save.
See if it works.
What about in server admin.... Select the server in question, click the access button at the top.
Ensure that your services are allowed for all users to use the iCal service.
In the iCal service in Server Admin...
Host name setting? It's a stretch as new users seem to work. Ensure it's correct?
For the sake of argument... Change authentication type to Any Method... If you're running OD on the server, Kerberos is running. I know that certain services require it even though you have the option. Perhaps iCal is being finiky without it?
I apologize if you've tried all these, but as a user forum, you'll typically get users that don't believe that you've tried the basics. It's honestly the best place to start. Seeing as we don't know what you've done, it's the best advice you'll get.
spent about 6 hours so far.
recreating the users would be a pITA. we've lots of groups and every user has a different set of groups.and i've about 350 users. i'd rather understand the issue and fix it rather than sidestep it and get caught by it again.
i'm using OD passwords (crypt are not an option, as i have kerberos running for all other authentication)
i've tried recreating the password eplicitly, no no avail, via WGM and dcsl.
access is controlled via groups, and the users belong to groups granted access. i have explicitly allowed access to users, to no avail.
i've rebuilt the iCal service as much as i can (apple doesn't document the actual file states, so its hard to guess, my next step will be to reinstall my spare server, image it, add ical, image it and run a difference check - how i wish apple documented stuff). the host name is correct and resolves forwards and backwards correctly.
i've tried 'any method' as well as 'digest' and 'kerberos'. again, the fact that a new user can access and an old one can't, whilst the kerberos system is functioning elsewhere implies this is not the source of the problem. i've tried turning off the 'require md5' option in the plist file - so authentication is a simple as it can get. It is likely, i guess, that this is the cause of the problem - a failure to authenticate?
i'm trying to understand what the old 10.5 WGM's "enable calendaring" button DID. i feel this might have something to do with things?