Linc: thanks for your inquiry.
Here are more steps I've taken to solve this problem:
1) From a Time Machine backup to a test partition, I restored the server from before the failure of the base station and found that the login problems were present then.
2) On yet another test partition, I created from scratch a new OS X Server. I added a local administrator and a network administrator, and discovered the same problem: network administrators cannot screen share, although in this case, they are simply unauthorized.
Using dscl, things look OK: there is a /Local/Default/Groups/com.apple.access_screensharing that lists only the admin group, and the admin group contains networkAdmin.
Furthermore, I can log in as the networkadmin from the login window, as "Other".
Furthermore, I can ssh into the server using the networkadmin credential.
I used odutil to boost the OpenDirectory logging level. The logs are very verbose, but to my eyes, it looks like OD recognizes the networkUser, but screensharingd fails to authorize. See logs below.
Can someone confirm that screen sharing from network admin accounts works at all? Is there a way to elevate screensharingd logging to find out more about why it rejects network admins?
TIA
/var/log/opendirectoryd.log
.
.
.
4643.65273.65277, Module: search - ODQueryCreateWithNode request, NodeID: 3D4241C6-FAFF-4816-8F7C-B3E0ED6F56A6, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): networkadmin, Requested Attributes: dsAttributesStandardAll, Max Results: 1
4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: search - queuing request to connection - '/LDAPv3/127.0.0.1:ldap:406935A6-9ADB-413A-A82B-7F30F4E9E5A1'
4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - adding 'dsAttrTypeStandard:RecordName' for ambiguous name query
4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - adding 'dsAttrTypeStandard:RealName' for ambiguous name query
4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - query with filter - '(&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))(|(uid=networkadmin)(cn=networkadmin)))', baseDN - 'cn=users, dc=testserver,dc=local'
4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - found result - 'uid=networkadmin,cn=users,dc=testserver,dc=local'
4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - ODQueryCreateWithNode completed, delivered 1 result
4643.65273, Node: /Search, Module: search - ODQueryCreateWithNode completed, delivered 1 result
4643.65278 - Client: screensharingd, UID: 0, EUID: 0, GID: 0, EGID: 0
4643.65278 - ODNodeRelease request, NodeID: 184CFA31-1EB8-4384-B9CA-D04A93736CB1
4643.65278, Node: /Search - ODNodeRelease completed
clearing all node authentication connections
/var/log/system.log:
screensharingd[4665]: Authentication: FAILED :: User Name: networkadmin :: Viewer Address: 10.0.1.6 :: Type: DH
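
Added example, not part of the original post: a small Python triage script that correlates the two log excerpts above, separating "the directory never returned the user" from "the directory returned the user but screensharingd still rejected the session". The function names, the `ghost` user and the "delivered 0 results" wording are assumptions made for illustration.

```python
import re

# The networkadmin lines follow the post's excerpts; the "ghost" lines are
# constructed, and the "delivered 0 results" wording is an assumption.
OD_LOG = """\
4643.65273.65277, Module: search - ODQueryCreateWithNode request, NodeID: 3D4241C6-FAFF-4816-8F7C-B3E0ED6F56A6, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): networkadmin, Requested Attributes: dsAttributesStandardAll, Max Results: 1
4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - ODQueryCreateWithNode completed, delivered 1 result
4700.1.2, Module: search - ODQueryCreateWithNode request, NodeID: 00000000-0000-0000-0000-000000000000, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, Value(s): ghost, Max Results: 1
4700.1.2, Node: /LDAPv3/127.0.0.1, Module: ldap - ODQueryCreateWithNode completed, delivered 0 results
"""
SYS_LOG = """\
screensharingd[4665]: Authentication: FAILED :: User Name: networkadmin :: Viewer Address: 10.0.1.6 :: Type: DH
screensharingd[4670]: Authentication: FAILED :: User Name: ghost :: Viewer Address: 10.0.1.6 :: Type: DH
"""

REQ = re.compile(r"^(\S+), .*ODQueryCreateWithNode request.*"
                 r"RecordType\(s\): dsRecTypeStandard:Users.*Value\(s\): ([^,]+),")
DONE = re.compile(r"^(\S+), .*ODQueryCreateWithNode completed, delivered (\d+) result")
FAIL = re.compile(r"screensharingd\[\d+\]: Authentication: FAILED :: "
                  r"User Name: (.+?) :: Viewer Address: (\S+) :: Type: (\S+)")

def od_lookups(od_log):
    """Map user name -> number of records the directory delivered for it."""
    pending, found = {}, {}
    for line in od_log.splitlines():
        if m := REQ.match(line):
            pending[m.group(1)] = m.group(2).strip()   # request id -> user
        elif (m := DONE.match(line)) and m.group(1) in pending:
            user = pending[m.group(1)]
            found[user] = max(found.get(user, 0), int(m.group(2)))
    return found

def screenshare_failures(sys_log):
    """Return (user, viewer address, auth type) for each FAILED line."""
    return [m.groups() for m in FAIL.finditer(sys_log)]

def triage(od_log, sys_log):
    """Classify each failed screen sharing login by what the directory did."""
    found = od_lookups(od_log)
    verdicts = {}
    for user, _addr, _kind in screenshare_failures(sys_log):
        if found.get(user, 0) > 0:
            verdicts[user] = "record found; rejected by screensharingd"
        elif user in found:
            verdicts[user] = "directory returned no record"
        else:
            verdicts[user] = "no directory query logged"
    return verdicts

if __name__ == "__main__":
    for user, verdict in triage(OD_LOG, SYS_LOG).items():
        print(f"{user}: {verdict}")
```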