Newly created OD users not working

Question

Newly created OD users not working

Hi all,

Hoping one or more of you have come across this problem and can help.

2 Snow Leopard Servers, one OD Master one OD Replica

master is running following services:

OD, DNS, Mail, iCal, DHCP, Web, Webmail, Wiki, VPN,

Replica mac

running

OD, DNS, AFP, SMB

No, Network Home folders enabled, all are working from local accounts

Up until now pretty much all has been well.

Roughly around 20 users on the network.

Any new users I create are NOT able to login, AFP SMB iCal, Mail and any other services don't work .

Creating a new user on the master seems to occur without issue and the user is synched with replica.

DNS seems to be fine on both servers.

Following errors occur on the master.

ApplePassword Server.server.log

_ldap_replicator} CRAM-MD5 authentication failed, SASL error -13 (password incorrect).

slapd.log

_ldap_replicator} CRAM-MD5 authentication failed, SASL error -13 (password incorrect).

Password Service Repliation Log

Jan 28 2013 00:00:56 Replica1:Connecting to 192.168.10.10, synchronizing all records since 01/27/2013 01:00:15 PM GMT

Jan 28 2013 00:00:56 Replica1:The remote replica list has 1 parent and 1 replica.

Jan 28 2013 00:00:56 Replica1:sending 1 record from tid 1816434

Jan 28 2013 00:00:56 Replica1:sent 1 record, 52 kerberos principals

Jan 28 2013 00:00:56 DoSync: the next scheduled replication will occur on 01/29/2013 at 12:00:00 AM

Following errors on the replica.

Directory Service Error log

DNSServiceProcessResult returned -65563

slapd.log

slapd[7682]: SASL [conn=2950] Failure: incorrect digest response

Password Service Server Log

_ldap_replicator} CRAM-MD5 authentication failed, SASL error -13 (password incorrect).

Creating a new user on replica brings up this error however the user is created fine and it syncs with the master fine.

Error of type eDSAuthFailed (-14090) on line 3912 of /SourceCache/WorkgroupManager/WorkgroupManager-361.3.1/Plugins/UserAccounts/Use rAdvancedPluginView.mm

Any help would be appreciated.

Posted on Jan 28, 2013 3:27 AM

Reply

Answer 1

Don Roedl

Level 2

211 points

Jan 29, 2013 4:28 AM in response to Robert Talevski1

Hello - Can you give more detail about what you are seeing on the client machine during a login attempt? Is it just the shaking login window or is there some other event? Also, If you log in to the workstation as the workstation administrator, can you connect with the users name and password via AFP?

Reply

Answer 2

Jan 29, 2013 3:36 PM in response to Don Roedl

Hi Don,

Not using network home folders, so can't test that.

No, any new users that are created are unable to connect to AFP or any other services.

All current users are able to connect to all services without a problem, only new users seem to be locked out.

I guess it may be Password Server problem but I don;t understand the authentication mechanism (Kerberos Digest etc) enought to know where to go from here.

I checked Service Access Control and verified that users are not restricted.

Thanks for your reply

Reply

Answer 3

Don Roedl

Level 2

211 points

Jan 29, 2013 5:36 PM in response to Robert Talevski1

I see. So essentially what you are seeing in the finder is a shaking window indicating invalid login credentials when you attempt to connect to a share via AFP, for instance?

Reply

Answer 4

Jan 29, 2013 5:52 PM in response to Don Roedl

Yes that is correct.

Reply

Answer 5

Don Roedl

Level 2

211 points

Jan 29, 2013 6:01 PM in response to Robert Talevski1

Hard to say without seeing your setup. This is generally a straight forward process. All things being equal in a proper setup, I would be looking at the possibility of a corrupt ldap database, and therfore remedy by saving all settings and data and rebuilding either the ldap database or the entire OD server.

Reply

Answer 6

Jan 29, 2013 6:18 PM in response to Don Roedl

I agree, ldap is def. corrupt. I will be rebuilding the directory this weekend. Not looking forward to it.

Reply