unable to get network users working in server 3

After upgrading to Mavericks and OS X server 3 I've been unable to log into my network accounts from any of my client machines (all also upgraded to Mavericks). The Network Account Server is showing as green on the clients and I don't get any warnings at the login screen but trying to log into any accounts results in the failed attempt "shake" of the password box.


I'm now on a fresh install of Mavericks on the server with some test accounts set up and I'm still not able to log in from any of my clients. I can however access any share points I set up. Not really sure what I'm doing wrong here.

Posted on Oct 23, 2013 12:00 AM

173 replies

Jan 22, 2014 5:31 PM in response to freefall722

Having a very tough time with this one as well... here's my background


First up.. and I don't say this for any superiority person but I've been in IT for 10 years and have managed DNS, LDAP, AD, blah blah for very large organizations. With all modern directory services I completely agree, if your DNS isn't correct you'll end up with funky issues.


I'm currently a sysadmin at a ~200 person company that is primarily AD based. I'm putting in a Mini with Mavericks servers to manage a Mini that is in each of 7 conference rooms. Lock down some prefs, push some software, things of that nature.


This is a somewhat interim deployment as I have an AD migration coming later this year so I decided to just eschew anything Golden, Schema, MCX, LDAP, AD etc. One mac mini with Mav server, 7 mac mini's with Mav client.


I created a static DNS entry for the Mav Server on our central DNS as well as the appropriate PTR/reverse entry. The client can resolve in both directions, the server can resolve in both directions. scutil and changeip all are happy.


1000% fresh, from ESD install of both server and client. Created two users in server.app, can login to the server itself with those accounts (network local not local local accounts). Binding to the _FQDN_ from the client things are green. If I select the option to limit what accounts can login I see my two users. When I try to login, all shaky shaky.


I've seen on here recommending that you use the Mav server as your DNS for network login clients. I am really loath to do that for a variety of reasons. With AD this is much more of a "requirement" (yes, there are ways around it) because it is just easier to allow MSFT DNS to handle the dynamic SRV records and such. From what I can see here tho I am putting a "unicast" FQDN into the bind, there are no SRV records and everything resolves so I don't see why I would have to do that.


I've read through this entire thread, despite this being frustrating it is oddly comforting to know that others are having the same issue.


Has anyone gotten network accounts to work when using a non OS X DNS server when everything is resolving correctly? This is incredibly frustrating as this was to be a 2-3 days project and now has turned into a head banging exercise. Since there is no SSL involved at the moment (going to buy a real cert tomorrow just for poops and grins) I may do packet captures yet to see what it's speaking under the hood but I'm about at the end of my patience.

Jan 22, 2014 7:50 PM in response to Ryan Dorman

And right after I post this I got things working. I was totally in agreement with the DNS DNS DNS mantra in this thread but couldn't figure out why when everything looks correct it wasn't working.


I knew that .local just wasn't correct for me. For starters, I'm in a multi-subnet environment so mDNS isn't going to be particularly helpful (no, I'm not routing multicast at the moment or setting up Rendezvous beacons) and .local just isn't used anywhere in our network so I didn't want it around. Just about every place you see that (in particular the Sharing pref pane) it's gray/unchangeable/uneditable.


I had set the "host name" in Server.app to the FQDN, I left "Computer Name" alone. That's where the issue was. I went in and changed the COMPUTERNAME to not just be the shortname but also the entire FQDN. I may have misunderstood people when they said this earlier in the thread but the text in the box is very misleading. Now, Sharing still shows .local but when I look at the main page in server.app BOTH the hostname and the computer name display as the FQDN and things worked.


The "tell" for me was that when I bound to the FQDN in Mav client it only did the first warning, not the second one about SSL.


My experience may be one of several issues out there but perhaps it can help someone.

Jan 23, 2014 12:50 AM in response to Ryan Dorman

Ryan, you are obviously very experienced, I run a very simple network setup using mavericks server and clients and still have the login issue you describe. Just to be clear, if the server name is say SERVER and the FQDN is EXAMPLE.COM, you changed the computer name to be SERVER.EXAMPLE.COM and the host name to SERVER.EXAMPLE.COM.


Just to be clear!


Thanks Ryan!


Les

Jan 23, 2014 1:20 AM in response to Ryan Dorman

Hi Ryan. Just to say to you and others, I use the main core DNS for reverse lookup etc at our college and have never used the OSX DNS server capability in all the time since 10.2, so I don't think this was the cause of your problems.

Our system is now working very well on Mavericks (dare I say it!) servers with 1500 users and 500 mac desktops. Our main issue was time syncing after we had a log in problem after the Mavericks upgrades on the clients, once the whole network was in time synchronisation with each other again on both servers and clients our log in works very quickly.

We still have the issue of Server app 3.02 not having the edit functions like add and remove users or change passwords so I still rely heavily on Workgroup Manager for accounts admin and password changes. The DHCP, file sharing and netinstall all work ok reliably through Server.app. Glad you sorted your problem in the way you did but I have my server's computer names set to "College Arts Server" etc and everything works like that but I'll remember this if I should get any future issues.

Jan 23, 2014 9:42 AM in response to lesliefromstockton-on-tees

Bingo! lesliefromstockton-on-tees that's exactly what I did. I had to make sure that both hostname and computer name were set to the FQDN


Had to make sure that an nslookup on the IP address (not the name, the IP address) came back to the name


Also had to make sure that the FQDN (the one you have now put in both fields) resolved in both directions from the client.


Now I'm trying to wrestle with how this beast does network homes, whether to use MCX despite being deprecated because Server.app is the new black but is sorely lacking in advanced features... learning plists and how to distribute them....


I never thought I'd say this but I'm actually yearning for NIS after all this crap.

Feb 3, 2014 2:50 PM in response to freefall722

After many attempts I have finally got my system working using Maverick Server and clients. In case it's of any help I have summarised what I did below.


I had all the normal problems post upgrade from ML, network users not being able to login, unable to change passwords, open directory issues etc.


The solution as others have said is DNS DNS DNS DNS!!!


I bought a copy of OS X Server Essentials 10.9, the one that's used on the three day Apple course and started from page 1; I also watched Todd Olthoff on Youtube, thanks Todd! The rest is as follows:


Setup AirPort Extreme with DHCP, IP range 10.0.0.x, DNS on the internet tab set to service provider external DNS servers (or Google etc)


Clean install of Mavericks on the server followed by updates


Turn wifi off on server and hardwire to AirPort Extreme


Create Local Admin account give admin privileges and set time zone


Rename the startup volume as ‘Server’


Turn on remote management


Change the Computer Name in sharing to ‘server’


On the server, in System Preferences, Network, change DHCP to manual, IP 10.0.0.2 subnet 255.255.255.0 Router 10.0.0.1 Advanced DNS tab, delete all and enter 10.0.0.1 ie the Airport Extreme. Search Domains to your domain, ie example.com and click apply.


Install server from the App store


When complete open Server Admin and change the Computer name to ‘server’ and host Name to server.example.com also click edit and ensure the network settings have been retained. Say yes to setup DNS.


Open system prefs and network, go advanced and DNS. Change the DNS from 10.0.0.1 to 127.0.0.1 and make sure the Search Domain is still example.com.


Open network utility and Lookup 10.0.0.2 and you should get server.example.com and do it the other way round to get 10.0.0.2


Turn on file sharing and websites and open directory to create the master with ‘diradmin’ and password.


Create network user accounts


Start mail, entering example.com in the provide mail box


On the client computer, clean install Mavericks


On client manually change the network settings to a fixed IP 10.0.0.100 and set the DNS to the server only, 10.0.0.2.


I then tried to bind a client to the server and great it worked but importantly binding server.example.com not .local


Log out and then back in, and super all users are logging in via the client computer.


To avoid manually configuring each client, back onto the airport extreme and change under Internet the first DNS to the server, 10.0.0.2 and the second to google, 8.8.8.8


back onto the client and change networks back to DHCP deleting any fixed dns entries.


Logout, login still ok, all good.


Big however, on the client away from the home network, all great, inside the network, ie at home, although access to the internet worked, login worked, no access to mail, the server website etc. Checked using Lookup and the client was unable to find www.example.com or mail.example.com, error returned, not 10.0.0.2 even though everything was good with external dns - remember it works outside the home network but was unable to resolve using when dns from the client is provided by the server, ie 10.0.0.2


Solution, go into Server admin, DNS and under your primary zone add machine record for www.example.com, mail.example.com with the host set to 10.0.0.2 Retain all other entries created by Mavericks.


Try again and bingo! All users logging in and out with no issues, mail running great, website up, file sharing great VPN great, the lot all working inside and outside the network.


Never an issue with ML Server but there is clearly an issue out of the box with Mavericks server as it doesn't work. Split DNS issue?


Hope this helps, but it took me with my limited knowledge of Macs a few months, at least I know a bit more now!



Les
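
The two-way lookup that Ryan Dorman's and Les's posts above both rely on (address back to name, name back to address), together with the internal `www`/`mail` records from Les's last step, written out as an added Python example that is not from the thread. The zone tables are constructed from the post's example values, and the function names are this example's own.

```python
import socket

def norm(name):
    return name.rstrip(".").lower()

def system_forward(name):
    """A lookup via the system resolver; [] when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []

def system_reverse(ip):
    """PTR lookup via the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_host(fqdn, forward=system_forward, reverse=system_reverse):
    """Name -> address -> name must come back to the same FQDN."""
    ips = forward(fqdn)
    problems = [] if ips else [f"{fqdn}: no A record"]
    for ip in ips:
        back = reverse(ip)
        if back is None:
            problems.append(f"{ip}: no PTR record")
        elif norm(back) != norm(fqdn):
            problems.append(f"{ip}: PTR is {norm(back)}, expected {norm(fqdn)}")
    return problems

def check_services(names, server_ip, forward=system_forward):
    """Service names only need an A record that points at the server."""
    return [f"{n}: got {forward(n)}, expected {server_ip}"
            for n in names if server_ip not in forward(n)]

# Constructed zone data using the post's example values: the internal zone
# as first created, before the www and mail machine records were added.
A = {"server.example.com": ["10.0.0.2"]}
PTR = {"10.0.0.2": "server.example.com."}

def zone_forward(name):
    return A.get(norm(name), [])

def zone_reverse(ip):
    return PTR.get(ip)

if __name__ == "__main__":
    print(check_host("server.example.com", zone_forward, zone_reverse))
    print(check_services(["www.example.com", "mail.example.com"], "10.0.0.2", zone_forward))
```

Calling `check_host(fqdn)` without the resolver arguments uses the machine's configured DNS, so running it on the server and on a client compares what each side actually resolves.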

Feb 16, 2014 12:21 AM in response to freefall722

Mac Server 3 drives me crazy ... 😢


I have a brand new MacMini here with Maverick on board, and two brand new Macbook Air and 3 27" iMac that I want to set up as small office. The MacMini should act as Server (with two thunderbolt harddisks connected) for the rest. So far the theory, meanwhile I'm in the reality of Server 3 ...


Having years of experience with "normal network" solutions like filesharing etc. I had a look at Server 3 and thought it couldn't be that complicated to set it up - but meanwhile I'm disillusioned.

I've now completely reinstalled the MacMini and the Server the third time, connected directly to the Airport Extreme, started filesharing and started the Server app. afterwards. Then I just


- opened the settings of the server, set up a local network (xxx.local)

- activated push-notification and got a certificate

- started the profile manager

- started open directory

- started the DNS server

- started file sharing (creating a new folder on the MacMini, offering user folders via SMB or AFP (tested both))

- started the other services (calendar, contacts, etc.)

- opened ports for the public services on the AirportExtreme

- set up a testuser (network user), giving access to all services

- gave the test user access to the network folder created


On the Macbook Air I used for testing I registered the network account server (getting a green light afterwards), put the hook at "allow network users to sign on" (I even could see the test users name there).


But after switching to the login I only got normal users on the MacBook Air. Switching the "allow network users to sign on" sometimes resulted in a third user "other" where I could enter the Username and password - but : no result - just as explained several times in this thread ... :-( :-(


The last three days I tried several setups, switch and renamed, issued certificates, tried out the profile manager and registered the MBA, set up the user folder via AFP and SMB, ...


But : no access to the network user granted ... 😠


Just read the last lines of the log after my last attempts and could read "connection invalid" and "connection denied" several times in it ... does anyone have an idea what's going wrong here ?!?!??!




I really need to set up this server a.s.a. possible and am really frustrated about this really not Apple-like behaviour of this software *eyesroll* ...


Any help appreciated !

Feb 16, 2014 3:50 AM in response to rolandgoetz

See my post just above yours, get the apple book and go through it exactly and it does work. Very different from other versions, yes, but, if you follow it, all is good. I have only just got my setup working after months of hassle. It's still working ok now, but yes Apple, if you are reading this, this hassle is not acceptable. It just doesn't work anymore, it needs a lot of hard work, perhaps it should have been called Microsoft Mavericks Server?

Mar 11, 2014 5:12 PM in response to freefall722

Here's what worked for me. I think.


Restart server from recovery partition.


Repair permissions on server hd.


Something called System/dev/aliases or something - can't find the logs, it must be logged in the recovery partition.


Tried to log in several users while the server was shut off. They logged in using their local home folders and didn't sync to the server.


From then on, everything worked - restarted the server, logged into several machines. Weeha!

Mar 12, 2014 7:25 PM in response to flick harrison

Gah! It failed again when creating a new user, or logging in to a computer on which that user never logged in.


Ryan Dorman's solution fixed it.


Add server.local as the host name, instead of just server.


Then I had to re-add the server to the client a couple times (to be safe), make sure the server was first choice as DNS (I have a fallback in case my server is asleep or off) and then restart the client.


Didn't have to reinstall server or osx from scratch.

Mar 26, 2014 5:34 PM in response to flick harrison

Hey Flick,

are you still experiencing issues?


I have two schools with AD that are bound to our Mac Server and we are using to distribute user accounts etc. Both were working perfectly up until around a week ago. Now both are broken. Both are .local domains (which I can't change unless I am going to redo the whole domain, it's just simply not feasible at the moment).

Currently no AD account can log into the network. I have managed to get one school working, yet the other I still can't figure out what is wrong.



When I run the dig command with -x I get the following response:

shcolac-odm:~ macserveradmin$ dig -x shcolac-odm.od.shcolac.local

; <<>> DiG 9.8.3-P1 <<>> -x shcolac-odm.od.shcolac.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21787
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;local.shcolac.od.shcolac-odm.in-addr.arpa. IN PTR

;; Query time: 5424 msec
;; SERVER: 10.130.12.32#53(10.130.12.32)
;; WHEN: Thu Mar 27 11:21:15 2014
;; MSG SIZE rcvd: 59


The DNS is the AD domain controller, and if I run changeip -checkhostname it is successful.


Any help / tips on DNS or whatever could be causing this would be appreciated.
, which is different to my original issue. It's like the clients are not getting the access list for users allowed to log in...


*On client with Mavericks, I am getting Some network accounts are unavailable
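
An added example, not part of the thread: a Python sketch that reads dig output like that quoted in the post above and checks whether the PTR question that was sent encodes an IPv4 address at all, since `dig -x` expects an address rather than a name. Only IPv4 (`in-addr.arpa`) is handled; the function names and result labels are this example's own.

```python
import ipaddress
import re

# dig output as quoted in the post above (some lines and blank lines dropped)
DIG_OUTPUT = """\
; <<>> DiG 9.8.3-P1 <<>> -x shcolac-odm.od.shcolac.local
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21787
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;local.shcolac.od.shcolac-odm.in-addr.arpa. IN PTR
;; SERVER: 10.130.12.32#53(10.130.12.32)
"""

def parse_dig(text):
    """Extract status, answer count and the question (name, type) from dig's text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    # The question line starts with a single ';' directly followed by the name.
    question = re.search(r"^;(\S+)[ \t]+IN[ \t]+(\w+)[ \t]*$", text, re.M)
    return status, answers, question.group(1), question.group(2)

def ptr_address(qname):
    """Return the IPv4 address a reverse (in-addr.arpa) name encodes, or None."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ipaddress.AddressValueError:
        return None

def diagnose(text):
    status, answers, qname, qtype = parse_dig(text)
    if qtype == "PTR" and ptr_address(qname) is None:
        # -x was handed a hostname: the result says nothing about the real PTR record
        return "not-a-reverse-lookup"
    if status != "NOERROR":
        return "resolver-error:" + status
    return "ok" if answers else "no-record"

if __name__ == "__main__":
    print(diagnose(DIG_OUTPUT))
```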
