tjbu

Q: Can't authenticate diradmin - how to debug?

I've got a Mac mini running ML 10.8 and Server.app 2.2.1 and for several months I've had no problems. Yesterday, I wanted to change a user password and found that I can't seem to authenticate as diradmin anymore. A simple reboot doesn't fix the problem. I suspect this might have broken with the 2.2.1 Server.app update but I don't know for sure.

 

I've googled high and low and have verified all the easy stuff - DNS is correct, I verified using dscl that the diradmin password is correct; I've actually tried changing the diradmin password but that didn't help.

 

The only relevant log file entries seem to be these:

 

servermgr_accounts: got error 5000 trying to auth to local LDAP node

 

and

 

opendirectoryd[40]: GSSAPI Error:  Miscellaneous failure (see text (Message stream modified)

 

I've googled those errors and read all the relevant discussions but nothing seems to help me. Any ideas on how to debug this?

 

Thanks in advance.

Mac mini, OS X Mountain Lion (10.8.3)

Posted on Mar 21, 2013 6:20 AM

  • by AJ 2010,

    AJ 2010, May 14, 2016 9:18 AM in response to tjbu
    Level 1 (4 points)

    I was able to fix this by doing what was suggested in the marked helpful reply with one extra step required. I had to enter my directory admin user name and password after removing the existing LDAPv3 entry and rebinding. If you don't enter a directory admin user, you'll bind but still be unable to edit anything even with the directory utility. This was on a 10.8.5 server.

     

    Update: It looks like it's only temporary. I went to the Kerberos ticket viewer application and removed the ticket and now I'm back to not being able to make any changes to the Open Directory server. Going through the process of removing the binding and authenticating again fixes it but I think it will be broken when the ticket expires again.

     

    The error that brought me here was "servermgrd[185]: servermgr_accounts: got error 5000 trying to auth to local LDAP node", which was coming up after my OD master suddenly disappeared entirely and I performed a restore from an OD archive.

  • by AJ 2010,

    AJ 2010, May 15, 2016 8:40 AM in response to AJ 2010
    Level 1 (4 points)

    I was able to keep it fixed by removing the OD master from the server admin app first and then doing the archive restore from the server admin app as well. Originally I just did the restore from the command line without nuking the OD master first.
