6 Replies Latest reply: Jun 9, 2014 11:10 AM by mspritch
jonathanfrom佐倉市 Level 1 Level 1 (0 points)

After upgrading from Lion Server to Mountain Lion with OS X Server, my users are unable to logon.


The user gets the following error displayed:


You are unable to login to the user account "abcdefg" at this time.
Logging in to the account failed because an error occurred.


Looking at the logs, Kerberos authenticates correctly, as does Password Service Server Log.

Users can also get mail via their iDevices, so authentication does work... only logon to Macs seems to be an issue.


Looking at Open Directory Log, I see the following (highlighted the problem areas - I think - in red):


2012-07-26 22:28:48.171731 JST - opendirectoryd (build 197.11.16) launched...

2012-07-26 22:28:54.575839 JST - Logging level limit changed to 'error'

2012-07-26 22:28:54.616629 JST - Initialize trigger support

2012-07-26 22:28:54.618039 JST - Registered node with name '/Active Directory' as hidden

2012-07-26 22:28:54.618248 JST - Registered node with name '/Configure' as hidden

2012-07-26 22:28:54.618466 JST - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'

2012-07-26 22:28:54.618473 JST - Registered node with name '/Contacts'

2012-07-26 22:28:54.618651 JST - Registered node with name '/LDAPv3' as hidden

2012-07-26 22:28:54.640168 JST - Registered node with name '/Local' as hidden

2012-07-26 22:28:54.640866 JST - Registered node with name '/NIS' as hidden

2012-07-26 22:28:54.641101 JST - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'

2012-07-26 22:28:54.641108 JST - Registered node with name '/Search'

2012-07-26 22:28:54.684561 JST - Discovered configuration for node name '/LDAPv3/127.0.0.1' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/127.0.0.1.plist'

2012-07-26 22:28:54.684603 JST - Registered subnode with name '/LDAPv3/127.0.0.1'

2012-07-26 22:28:54.728350 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'

2012-07-26 22:28:54.730495 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'

2012-07-26 22:28:55.733121 JST - '/Search' has registered, loading additional services

2012-07-26 22:28:55.733128 JST - Initialize augmentation support

2012-07-26 22:28:55.755096 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'

2012-07-26 22:28:55.759836 JST - Successfully registered for Kernel identity service requests

2012-07-26 22:28:55.759852 JST - Adjusting kernel ID cache (100 -> 250) and membership cache (100 -> 500)

2012-07-26 22:28:55.777863 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'

2012-07-26 22:28:55.816348 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'

2012-07-26 22:28:55.945915 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'

2012-07-26 22:28:55.946415 JST - Registered subnode with name '/Local/Default'

2012-07-26 22:28:55.954233 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'

2012-07-26 22:28:55.993617 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientLDAP.bundle'

2012-07-26 22:28:55.995550 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientPWS.bundle'

2012-07-26 22:28:56.832509 JST - 41.18 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:28:56.832509 JST - 41.18, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified

2012-07-26 22:28:56.832519 JST - 41.18 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:28:56.832519 JST - 41.18, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context

2012-07-26 22:29:01.008167 JST - 41.909 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:29:01.008167 JST - 41.909, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified

2012-07-26 22:29:01.008174 JST - 41.909 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:29:01.008174 JST - 41.909, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context

2012-07-26 22:29:06.009509 JST - 41.1011 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:29:06.009509 JST - 41.1011, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified

2012-07-26 22:29:06.009516 JST - 41.1011 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:29:06.009516 JST - 41.1011, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context

2012-07-26 22:30:27.507078 JST - 425.3430 - Client: Finder, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:30:27.507078 JST - 425.3430, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aeb00fd0' into hash 'Kerberos' as 'non-authoritative'

2012-07-26 22:31:31.381246 JST - 708.4663 - Client: local, UID: 0, EUID: 27, GID: 0, EGID: 27

2012-07-26 22:31:31.381246 JST - 708.4663, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aeb00fd0' into hash 'Kerberos' as 'non-authoritative'

2012-07-26 22:42:58.557202 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'

2012-07-26 22:42:58.598857 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/keychain.bundle'

2012-07-26 23:00:44.776740 JST - 714.8072 - Client: auth, UID: 214, EUID: 214, GID: 6, EGID: 6

2012-07-26 23:00:44.776740 JST - 714.8072, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aec019e0' into hash 'Kerberos' as 'non-authoritative'

2012-07-26 23:00:44.777807 JST - 714.8072 - Client: auth, UID: 214, EUID: 214, GID: 6, EGID: 6

2012-07-26 23:00:44.777807 JST - 714.8072, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aec019e0' into hash 'Kerberos' as 'non-authoritative'


Does anyone have a solution for this? I'm scratching my head here.


OS X Server, OS X Mountain Lion
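As an added example (not from the thread), a small Python parser for the opendirectoryd log format quoted above: it pairs each "Module:" error with the "Client:" line that shares its request id and counts the distinct failure signatures, which is the triage the original poster did by hand. The sample lines are a constructed subset copied from the post.

```python
import re
from collections import Counter

# opendirectoryd log lines, as they appear in the post, come in two shapes:
#   <date> <time> <tz> - <req.id> - Client: <name>, UID: <n>, EUID: <n>, GID: <n>, EGID: <n>
#   <date> <time> <tz> - <req.id>, Module: <module> - <message>
CLIENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ - (?P<req>[\d.]+) - Client: (?P<client>[^,]+), "
    r"UID: (?P<uid>\d+), EUID: (?P<euid>\d+)"
)
MODULE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ - (?P<req>[\d.]+), Module: (?P<module>\S+) - (?P<msg>.*)$"
)

# Constructed sample: a subset of the lines from the post above.
SAMPLE_LOG = """\
2012-07-26 22:28:56.832509 JST - 41.18 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
2012-07-26 22:28:56.832509 JST - 41.18, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified
2012-07-26 22:28:56.832519 JST - 41.18 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
2012-07-26 22:28:56.832519 JST - 41.18, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context
2012-07-26 22:30:27.507078 JST - 425.3430 - Client: Finder, UID: 0, EUID: 0, GID: 0, EGID: 0
2012-07-26 22:30:27.507078 JST - 425.3430, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aeb00fd0' into hash 'Kerberos' as 'non-authoritative'
2012-07-26 23:00:44.776740 JST - 714.8072 - Client: auth, UID: 214, EUID: 214, GID: 6, EGID: 6
2012-07-26 23:00:44.776740 JST - 714.8072, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aec019e0' into hash 'Kerberos' as 'non-authoritative'
"""


def parse(log_text):
    """Return one dict per module error, tagged with the client that issued that request id."""
    clients = {}  # request id -> client process name (from the most recent Client: line)
    events = []
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            clients[m["req"]] = m["client"]
            continue
        m = MODULE_RE.match(line)
        if m:
            events.append({"time": m["ts"], "req": m["req"], "module": m["module"],
                           "client": clients.get(m["req"], "?"), "msg": m["msg"]})
    return events


def summarize(events):
    """Count (module, first clause of message): the failure signature without per-entry noise."""
    return Counter((e["module"], e["msg"].split(" - ")[0]) for e in events)


if __name__ == "__main__":
    for (module, sig), n in summarize(parse(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {module}: {sig}")
```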
  • DenisF Level 2 Level 2 (150 points)

    I had the same error message.


    Even if you are probably more expert than me, have a look at my post:


    TIPS: OS X server installation lessons learnt (for non Guru)

  • jonathanfrom佐倉市 Level 1 Level 1 (0 points)

    Essentially, I realized DNS was at fault here. There were some other things involved as well, so I decided it was best to reinstall... ensure a perfect DNS and then go forward.


    That did the trick. One thing I also realized I forgot was to turn off SSL before the upgrade. That likely broke stuff too.

  • epoc1000 Level 1 Level 1 (10 points)

    I ran into the same problem. I had to revert back to the old 10.7, because Open Directory was completely broken. Does anyone have another solution than reinstalling?

  • Think Touch Level 1 Level 1 (0 points)

    You have to make sure that the Net Directory Folder where all the users have their home folders is reachable by the user that is logging in. In fact, it has to be reachable by all the users that have an account with their home folder on the server. Make sure the access for Everyone else is set to read only. If by any means Everyone else is set to No Access, users won't be able to log on.

  • mspritch Level 1 Level 1 (0 points)

    We just had a similar issue here.


    On the MacBook Pro, we needed a new user to log in. Existing MBP users were fine, new users no chance, although administrator accounts were OK. OSX 10.7.4, same issue with 10.7.5.


    What we did to fix it was this:-


    Ensure the Mac will create a local folder for new user accounts (top tick-box)

    In AD, turn off the Z: drive mapping to the home folder (or whatever drive you use) for that particular user

    On the Mac, log in and let it create the local home folder

    In AD, turn the drive mapping back on and respecify the home folder path


    The account should now continue to work as it's already created the local home folder.


    Admin accounts worked because we don't map the home folder for those. Originally we were mapping using a logon script, which is why we didn't have an issue when setting up the other users initially. What probably doesn't help is that we use DFS, and the Macs don't like talking to DFS (we have to map to the \\servername\share instead of \\domainname\dfs-share for those).


    Hope this helps. Many thanks to "Think Touch" above for providing the clues.

  • mspritch Level 1 Level 1 (0 points)

    Following on from my earlier post, I've just upgraded three Mac Pros and a MacBook Pro to 10.9.3.


    One of the Mac Pros is happy to let users log in first time and create a mobile profile, no need to meddle with the AD profile and delete home folder mappings.


    The other two Mac Pros and the MacBook are having none of it. Try it once and "an error has occurred". Try a second time and you're stuck with a pinwheel until you hold down the power button to force a shutdown.


    I've checked dsconfigad -show, the settings on both Mac Pros are IDENTICAL in all but Computer Account and are as follows (some bits ***'d out):-


    Active Directory Forest          = p***c.local

    Active Directory Domain          = p***c.local

    Computer Account                 = ck8*****1bj$


    Advanced Options - User Experience

      Create mobile account at login = Enabled

         Require confirmation        = Disabled

      Force home to startup disk     = Enabled

         Mount home as sharepoint    = Enabled

      Use Windows UNC path for home  = Enabled

         Network protocol to be used = smb

      Default user Shell             = /bin/ba*h


    Advanced Options - Mappings

      Mapping UID to attribute       = not set

      Mapping user GID to attribute  = not set

      Mapping group GID to attribute = not set

      Generate Kerberos authority    = Enabled


    Advanced Options - Administrative

      Preferred Domain controller    = llw-***-01.p***c.local

      Allowed admin groups           = domain admins,enterprise admins

      Authentication from any domain = Enabled

      Packet signing                 = allow

      Packet encryption              = allow

      Password change interval       = 14

      Restrict Dynamic DNS updates   = not set

      Namespace mode                 = domain


    As before, users with no home directory path specified in their AD profile can log in anyway. If it's specified then only one of the Mac Pros will let them in.


    DFS now seems to resolve properly in 10.9.3 (\\domainname.local\dfs-share works) so it shouldn't be that.


    Any suggestions? I suspect an OSX rather than AD issue, otherwise why would one of the machines work OK? Also, "Net Directory Folder" shouldn't come into it as there is no OSX Server involved here (we don't have one).