4 Replies Latest reply: Sep 24, 2012 6:16 PM by Cowan Pettigrew
flowirin Level 1 (10 points)

i've a pretty busy server, fully configured with correct DNS.


running 10.6.8, up to date. i've stopped the ical service, and removed it from the server settings.

then i created a folder on my RAID /volumes/raid/ical, set its ownership to _calendar:_calendar (uid 93), rwx,rx,-

then added the iCal service back, and set the data store to this new folder.

authentication is set to digest (to reduce potential kerberos errors), with SSL on.

i then started the service


an existing user CANNOT connect to the caldav server. i get the error: ical "authentication failed. your username and password were rejected by the server".


if i create a NEW user, that user can correctly connect to the Caldav server. On first joining, an entry is created in the __uids__ folder and the calendar works.




this is 10.6, so i do not have an option in WGM to 'enable calendaring'. i've used the inspector to check for differences, but i can't see any.


help. please. and no comments about DNS. the fact i can get a new user to function means that is excluded. no comments about SSL. ditto. no comments about kerberos, it's turned off. thanks.

2x xserve, 30x MacBook, 3x MacBook Pro, 10x iMac, 20x eMac, 30x PC, Mac OS X (10.6.6), mix intel/PPC
  • flowirin Level 1 (10 points)

    and yes, i've tried giving existing users new passwords...

  • gracoat Level 3 (660 points)

    I often think of things in terms of time it takes to figure out the solution to the problem vs time it takes to nuke and pave.

    Dare I ask...  How many users would you have to remake? 


    150 users would probably take 2 hours to recreate?


    ...Have you spent 2 hours on this problem yet?  How about 4 or 6?

    Perhaps you could have typed up 450 remade users so far!


    I have a great idea as to how to change ownership of home folders to users after they're created.



    Thoughts on the problem... (but don't spend too much time on it!)

    What about crypt vs open directory password?

    In WGM, select the user, click the advanced tab, and ensure that your users have OD based passwords? 

    ...sometimes that pull-down menu displays OD, but it's not really.  Try selecting OD, retype the password there, and save.

    See if it works.


    What about in server admin....  Select the server in question, click the access button at the top.

    Ensure that your services are allowed for all users to use the iCal service.


    In the iCal service in Server Admin...

    Host name setting?  It's a stretch as new users seem to work.  Ensure it's correct?


    For the sake of argument...  Change authentication type to Any Method...  If you're running OD on the server, Kerberos is running.  I know that certain services require it even though you have the option.  Perhaps iCal is being finicky without it?


    I apologize if you've tried all these, but as a user forum, you'll typically get users that don't believe that you've tried the basics.  It's honestly the best place to start.  Seeing as we don't know what you've done, it's the best advice you'll get.



  • flowirin Level 1 (10 points)

    spent about 6 hours so far.


    recreating the users would be a PITA. we've lots of groups and every user has a different set of groups, and i've about 350 users. i'd rather understand the issue and fix it rather than sidestep it and get caught by it again.


    i'm using OD passwords (crypt are not an option, as i have kerberos running for all other authentication)

    i've tried recreating the password explicitly, to no avail, via WGM and dscl.
    access is controlled via groups, and the users belong to groups granted access. i have explicitly allowed access to users, to no avail.


    i've rebuilt the iCal service as much as i can (apple doesn't document the actual file states, so it's hard to guess, my next step will be to reinstall my spare server, image it, add ical, image it and run a difference check - how i wish apple documented stuff). the host name is correct and resolves forwards and backwards correctly.


    i've tried 'any method' as well as 'digest' and 'kerberos'. again, the fact that a new user can access and an old one can't, whilst the kerberos system is functioning elsewhere implies this is not the source of the problem. i've tried turning off the 'require md5' option in the plist file - so authentication is as simple as it can get. It is likely, i guess, that this is the cause of the problem - a failure to authenticate?


    i'm trying to understand what the old 10.5 WGM's "enable calendaring" button DID. i feel this might have something to do with things?

  • Cowan Pettigrew Level 1 (0 points)

    Hi guys,


    Did you find the answer to this? I've got just about the exact same setup except this problem is occurring with mail not ical.