freefall722

Q: unable to get network users working in server 3

After upgrading to Mavericks and OS X server 3 I've been unable to log into my network accounts from any of my client machines (all also upgraded to Mavericks). The Network Account Server is showing as green on the clients and I don't get any warnings at the login screen but trying to log into any accounts results in the failed attempt "shake" of the password box.

 

I'm now on a fresh install of Mavericks on the server with some test accounts set up and I'm still not able to log in from any of my clients. I can however access any share points I set up. Not really sure what I'm doing wrong here.

Posted on Oct 23, 2013 12:11 AM


Page 9 of 12
  • by CCSchool, Level 1 (4 points), Servers Enterprise
    Jan 8, 2014 11:27 AM in response to clcerda

    Sorry about your trouble...I've always been under the impression that if you are going to have a server as the domain controller, it should also serve DNS and forward its DNS queries to the router (the AirPort Extreme in your case).  I didn't see your previous description of what you have, but my understanding is just as you listed above.  You have a client, a mini server, and an AirPort Extreme.  Are you binding the client (which is ML or Mavericks?) to the mini server (running OD I assume)?  You could try manually setting the DNS on the client to the mini server and see if it helps.  If it does, great; if not, sorry - but it's an easy enough try.  I hope it helps.  As you can see, lots of folks are having lots of issues with the new server and Mavericks clients.  My issue (still) is that I can't log one person in, log out, and then log in with another user without first rebooting the machine.  Frustrating!

     

    At any rate, what I described above is what I'm using in a network with 25 machines or so, and having the clients point to the server for DNS is required in MS Active Directory.  I hope this is somewhat helpful, or at least an easy something to try!

  • by lesliefromstockton-on-tees, Level 1 (25 points)
    Jan 8, 2014 11:41 AM in response to CCSchool

    All

     

    See today's update; Apple lists that it cures the login problems. Installing now.

     

    I have the same setup and issue: AirPort Extreme, mini server, FQDN, DHCP by AirPort, DNS by server. Tried all combinations but no login and admin-only access.

     

    Les

  • by clcerda, Level 1 (0 points)
    Jan 8, 2014 11:52 AM in response to CCSchool

    Thanks CCSchool. I am as frustrated as you are with Mavericks Server (or clients). It used to be kind of "it just works" and now "it just doesn't". I tried DNS by server, but same results: can't connect to server from any client.

     

    I'm running the latest Server version (3.0.2), installed today. No difference.

  • by jwestveer, Level 1 (0 points), iTunes
    Jan 8, 2014 12:01 PM in response to clcerda

    Tried today's update (3.02) and I CANNOT do a network login to accounts that worked just fine with ML.

    Wondering if they test these updates before they are released.....

  • by CCSchool, Level 1 (4 points), Servers Enterprise
    Jan 8, 2014 12:13 PM in response to clcerda

    Can you ping the server?  Did you unbind and rebind to the server?  The server you are bound to shows up green?  Try creating a new account on your server and try logging in with that.  I had a handful of accounts that simply would not work once I upgraded to Mavericks.  I deleted and recreated them and they worked.  I only found this out by creating a new "test" account and logging in with it.

     

    I'm fairly certain that the server side of login/logout, file sharing, etc. is OK.  I believe it's the client side.  I could log in/log out, switch users, access files, etc. no problem with an ML client, but not a Mavericks client connecting to the same server with the same settings, etc.  Wild.

  • by lesliefromstockton-on-tees, Level 1 (25 points)
    Jan 8, 2014 12:48 PM in response to CCSchool

    No change for me, actually worse.  Trying to create a new user is now blocked, error message reporting "not allowed"!?

     

    This is rubbish, Apple. Going back to Mountain Lion I think, as it did Just Work.

  • by clcerda, Level 1 (0 points)
    Jan 8, 2014 12:49 PM in response to CCSchool

    CCS, I've done most of it:

    1) pings OK

    2) server shows green

    3) Bound and unbound several times. HOWEVER, it only binds anonymously

    4) I did create new network accounts which log in OK on ML but don't log in on Mavericks

    5) scutil --get HostName gives the correct server name. FQDN and reverse resolve OK

    Very frustrating

  • by jwestveer, Level 1 (0 points), iTunes
    Jan 8, 2014 1:00 PM in response to lesliefromstockton-on-tees

    All, don't forget to "rate this application" on the App Store.

  • by lesliefromstockton-on-tees, Level 1 (25 points)
    Jan 8, 2014 1:58 PM in response to jwestveer

    Can you give negative numbers?

  • by bkpippert, Level 1 (15 points)
    Jan 8, 2014 8:23 PM in response to CCSchool

    During my Mavericks server trials and errors I have discovered (unfortunately) that you can bind to your Mavericks server via its local hostname (i.e. Bonjour name [e.g. server.local]) and you will get the green dot of joy. Unfortunately, if the server's Fully Qualified Domain Name (FQDN) (i.e. server.example.com) does not match the local hostname (i.e. server.local), none of your network users will be able to log on. To enable network users to log on you must bind to Open Directory using the Mavericks server's FQDN, which means DNS has to be configured correctly on both the server and the client device. Below are some commands you can run to confirm your DNS is configured correctly.

     

    On the Mavericks server open Terminal and enter the text in black. If DNS is correctly configured on the Mavericks server, text similar to the green text provided below will be displayed after hitting the return key.

     

    server:~ admin$ sudo changeip -checkhostname

     

    Primary address     = 192.168.0.2

     

    Current HostName    = server.example.com

    DNS HostName        = server.example.com

     

    The names match. There is nothing to change.

    dirserv:success = "success"

    server:~ admin$ dig -x server.example.com

     

    ; <<>> DiG 9.8.3-P1 <<>> -x server.example.com

    ;; global options: +cmd

    ;; Got answer:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3757

    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

     

    ;; QUESTION SECTION:

    ;com.example.server.in-addr.arpa. IN          PTR

     

    ;; AUTHORITY SECTION:

    in-addr.arpa.                    3553          IN          SOA          b.in-addr-servers.arpa. nstld.iana.org. 2011030302 1800 900 604800 3600

     

    ;; Query time: 37 msec

    ;; SERVER: 192.168.0.2#53(192.168.0.2)

    ;; WHEN: Wed Jan  8 22:24:54 2014

    ;; MSG SIZE  rcvd: 118

     

    server:~ admin$ dig -x 192.168.0.2

     

    ; <<>> DiG 9.8.3-P1 <<>> -x 192.168.0.2

    ;; global options: +cmd

    ;; Got answer:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24902

    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

     

    ;; QUESTION SECTION:

    ;2.0.168.192.in-addr.arpa.          IN          PTR

     

    ;; ANSWER SECTION:

    2.0.168.192.in-addr.arpa. 10800 IN          PTR          server.example.com.

     

    ;; AUTHORITY SECTION:

    0.168.192.in-addr.arpa.          10800          IN          NS          server.example.com.

     

    ;; ADDITIONAL SECTION:

    server.example.com.          10800          IN          A          192.168.0.2

     

    ;; Query time: 36 msec

    ;; SERVER: 192.168.0.2#53(192.168.0.2)

    ;; WHEN: Wed Jan  8 22:25:01 2014

    ;; MSG SIZE  rcvd: 106

     

    If you did not receive text similar to the green text above, the DNS configuration of your Mavericks server needs to be modified. I recommend reading Mr. Hoffman's DNS tips for Mavericks servers at http://labs.hoffmanlabs.com/node/1436

     

    On the Mavericks client(s) open Terminal and enter the text in black. If DNS is correctly configured on the Mavericks client, text similar to the green text provided below will be displayed after hitting the return key; press Control-C to stop the ping command.

     

    client4:~ admin$ ping server.example.com

    PING server.example.com (192.168.0.2): 56 data bytes

    64 bytes from 192.168.0.2: icmp_seq=0 ttl=64 time=0.425 ms

    64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.482 ms

    64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.464 ms

    64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=0.446 ms

    64 bytes from 192.168.0.2: icmp_seq=4 ttl=64 time=0.475 ms

    64 bytes from 192.168.0.2: icmp_seq=5 ttl=64 time=0.436 ms

    64 bytes from 192.168.0.2: icmp_seq=6 ttl=64 time=0.467 ms

    64 bytes from 192.168.0.2: icmp_seq=7 ttl=64 time=0.454 ms

    ^C

    --- server.example.com ping statistics ---

    8 packets transmitted, 8 packets received, 0.0% packet loss

    round-trip min/avg/max/stddev = 0.425/0.456/0.482/0.018 ms

     

    If you did not receive text similar to the green text above, the DNS configuration of your Mavericks client needs to be modified. On the client machines under System Preferences - Network - Advanced… - DNS tab, remove all DNS IPs but the Open Directory server (which is running DNS); if the Open Directory IP is not listed, add it.
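    An added check, not code from the thread, that automates the comparison bkpippert's changeip and dig output is meant to show: the name's A record and the address's PTR record must point back at each other, on whichever resolver the machine is actually using. It assumes dig(1) is installed; the pure comparison is kept separate from the lookups so it can be exercised with constructed values, and the live wrapper passes `dig -x` an address, since -x expects an address rather than a name (which is why the first dig query above came back NXDOMAIN for com.example.server.in-addr.arpa).

```shell
#!/bin/sh
# Added example (not from the thread): verify that a server's FQDN, its
# forward (A) record and its reverse (PTR) record agree, the same condition
# `changeip -checkhostname` and the dig queries above are confirming.

# dns_consistent FQDN EXPECTED_IP FORWARD_IP REVERSE_NAME
# Pure comparison: returns 0 when FORWARD_IP (what FQDN resolved to) equals
# EXPECTED_IP and REVERSE_NAME (the PTR for EXPECTED_IP) is FQDN again.
# DNS names are case-insensitive and PTR answers carry a trailing dot, so
# both sides are lower-cased and the dot is stripped before comparing.
dns_consistent() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    expected_ip=$2
    forward_ip=$3
    reverse_name=$(printf '%s' "$4" | sed 's/\.$//' | tr 'A-Z' 'a-z')

    [ -n "$forward_ip" ] || { echo "no A record for $fqdn"; return 1; }
    [ "$forward_ip" = "$expected_ip" ] || {
        echo "$fqdn resolves to $forward_ip, expected $expected_ip"; return 1; }
    [ -n "$reverse_name" ] || { echo "no PTR record for $expected_ip"; return 1; }
    [ "$reverse_name" = "$fqdn" ] || {
        echo "PTR for $expected_ip is $reverse_name, not $fqdn"; return 1; }
    echo "forward and reverse DNS agree for $fqdn ($expected_ip)"
}

# Live check against the resolver in use on this machine (on the clients
# in the thread that should be the Open Directory server running DNS).
# Usage: check_server_dns server.example.com 192.168.0.2
check_server_dns() {
    fwd=$(dig +short "$1" A | head -n 1)
    rev=$(dig +short -x "$2" PTR | head -n 1)   # -x takes an address, not a name
    dns_consistent "$1" "$2" "$fwd" "$rev" || return 1
    # On OS X also compare the configured HostName, as changeip does.
    if command -v scutil >/dev/null 2>&1; then
        host=$(scutil --get HostName 2>/dev/null)
        [ "$host" = "$1" ] || { echo "HostName is '$host', not '$1'"; return 1; }
    fi
}
```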

  • by Ofir Gal, Level 1 (135 points)
    Jan 8, 2014 8:42 PM in response to bkpippert

    Yes, this is how all my 15 or so servers are set up and always have been; DNS and RDNS match up, etc. I still have problems with logins and I am not able to create new users or change existing users' passwords on the server.

  • by clcerda, Level 1 (0 points)
    Jan 10, 2014 10:04 AM in response to clcerda

    Ok, after all this trying and failing, I decided to give this a last chance and now it's finally working. I'll describe what I did and found, with details intended for mom and dad. I'm sorry to bother most of you (the experts) with the amount of info I'll post.

     

    THE SETUP

    Home environment: AirPort Extreme DHCP, mini server 10.9.1 and Server 3.0.2, MacBook Pro 10.9.1 and Mac Pro old beast 10.7.5

     

    WHAT I HAD

    Before upgrading to Mavericks I had a fully working setup with AirPort handling DHCP and DNS (I never turned on DNS on the server, nor did I change the DNS server in the clients' network preferences); mini server with ML and Server 2.2 as Open Directory master, file, contact and calendar server; MBP with ML and Mac Pro with Lion. 5 mobile accounts. I installed ML server with clicks and nexts and it just worked. Server name was server.local!! and it DID WORK (sure, it also works with a real FQDN like xxxx.com). I had been having this setup since Leopard server with no issues except the annoying Server app, every time with less functionality.

     

    After upgrading to Mavericks, all the issues with network accounts that you all know, making Server 3 useless. I couldn't even connect to shared folders.

     

    WHAT I DID

    Yesterday I did a clean install of Mavericks on the server and MacBook Pro. I don't think you really need to do this, but after all this deleting and reinstalling the Server app and accounts and trying everything described in this post, I decided to go for the full monty. My Mac Pro Lion machine kept the mobile accounts with their local copies of everything.

     

    So, after installing Server 3.0.2, I created the network accounts again through the Server app with the same user ID numbers (1025, 1026, etc.) and the same user names. The way to do it is obviously creating them with the same usernames in the same order as their user ID number. As you'll see later, all accounts on the Mac Pro Lion synced perfectly with the server and now I have my usual setup working with the same mobile users all syncing as expected.

     

    WHAT HAPPENED

    It DID NOT work with just clicks and next, which didn't surprise me. Mavericks Server is not the "it just works" mom and dad home server it used to be until ML. What was curious, though, was that now there was no vibrating username and password on the login screen at clients. Now you get a clear message saying that my accounts were denied access, which I had never seen before. This encouraged me to continue.

     

    2 As almost everybody on this post mentioned, you have to have the DNS server turned on, and Server 3 REQUIRES my mini to be the DNS server. The AirPort DNS service (which appears as a service when you click on the AirPort option in the menu on the left) was installed and I don't know what it really does. Of course when you configure Server after installing, it doesn't ask you anything and it doesn't configure primary zones, machine records and reverse resolving (again, this is not install and click for mom and dad).

     

    You know, it's pretty easy to configure: just start the DNS server, add your primary zone (local in my case), add a machine record and give a hostname and fixed IP, and that's it. In my case I tried server.local (IT DOES WORK) and 10.0.1.2 fixed local IP. Please beware to name it server instead of Server (no capital S), as it did show differently while you check all is OK, as correctly described by bkpippert in his post. Resolve for some clients was checked (first 2 options ticked OK) and forwarded to my 10.0.1.1 AirPort.

     

    Remember to change the DNS server to your server in Network -> Advanced in System Preferences on all clients (in my case 10.0.1.2). By default they were pointing to my AirPort (10.0.1.1), as expected.

     

    3 At first, before and after starting the DNS server on my server.local, I could only bind anonymously when I was binding my machines to the server in the Users preference pane on the clients. I kept receiving that access denied message on the login screen. This used to be my previous setup in ML server: I never bound with diradmin and password and I never saw any of my machines in the Workgroup Manager computers list, and it all worked. But now it wasn't!!

     

    All of this with my Mavericks Server app on my MBP connecting perfectly to my server.local.

     

    4 After several tries, what worked was to bind my mini to the server.local first. So I joined server.local anonymously through the Users preference pane in System Preferences, trusting my self-signed certificates, and THEN continued to open Directory Utility. Select your server, CHECK SSL and then click bind and use your diradmin and password. Now it does bind! Then, the same process on the MBP with Mavericks, and again it did bind. I checked in Workgroup Manager and both machines appeared on the computers list.

     

    5 Logged in on the MBP and it finally worked! All my five users recognized, able to log in and syncing with their new accounts on the server.

     

    6 Logged in on the Mac Pro with Lion and now accounts started to sync with the server, automatically copying everything back to server.local (accounts ranging from 200MB to 30GB of user data). Now I'm in the process of restoring my shared iTunes, photos and movies folders (1.8 TB) which I backed up before the server clean install.

     

    Again, sorry for all the wording, I sincerely hope this helps.

  • by jwestveer, Level 1 (0 points), iTunes
    Jan 10, 2014 12:08 PM in response to clcerda

    It did help.  Thanks.

     

    I also have a small network at home.  But I work with larger networks at customer sites, and if I can't get something to work on my small network, I surely will not try it at a site with tens or hundreds of users.  To that end I have tried to get the network login working WITHOUT FORMATTING MY DISK AND STARTING OVER.  That to me is a new install, not an upgrade.

     

    After reading your post I noticed the one thing I had not tried was setting up DNS with the names server.local and workstation.local.  To my surprise it worked.  Where before you could not get Bonjour to do a reverse lookup, now one could.  Cool.  I had previously tried 'real' DNS names with no success.  Probably because the Open Directory LDAP/Kerberos was set up with "server.local" originally, but that is just a guess.

     

    After making the DNS change, booting the server, and deleting and re-entering the Network Account Server under System Preferences > Users, I booted the workstation machine and tried to log in as a network user (not a local user).

     

    ****.....it worked!!!!!

     

    In all fairness, I have tried many, many things over the past few months to get Network Users to be able to log in.  The DNS changes may not be the only changes that made it function again.

     

    I am still extremely dissatisfied that the Mavericks and Mavericks Server upgrade has caused me months of agony, especially in front of customers.  By the way, if you make a poor rating for Mavericks Server in the App Store, Apple will email you and offer assistance.

  • by kristin119, Level 1 (15 points)
    Jan 10, 2014 1:43 PM in response to freefall722

    Finally got around to upgrading after the holidays. Based on excellent posts at the beginning of this discussion, I began with my client machines and everything worked fine with my old ML Server and network users.

     

    With trepidation, I upgraded the server machine to Mavericks and Server 3. The only glitches I saw along the way were that the client machines had to be re-enrolled in Profile Manager and the Network Users had to be re-added to the profile that served out the loginwindow preferences (mine are called out individually, rather than "all"; don't ask).

     

    That was it. Everything works, very little pain.

     

    Thank-you to everyone who followed the error leads in the early weeks of the release; it made my job so much easier.

     

    For everyone still having troubles, I will repeat: DNS, DNS, DNS. I spent most of last year following down my DNS errors in ML and it paid off in the ease of this upgrade. The steps followed by Ali Kaylan on Nov 13 most closely resemble the steps I took in ML.

     

    Good Luck.

  • by Masterofnonsense, Level 1 (10 points)
    Jan 10, 2014 3:07 PM in response to Ofir Gal

    I made a little headway yesterday on getting Server 3.0 and Open Directory to actually work after upgrading from 10.8.

     

    The server is in use as the main accounts server for a small business. DNS is properly configured with forward and reverse lookups and I am using a standard TLD.

     

    I experienced the same issues of being unable to change a user's password or create a new user. Also, accounts which had been granted access to administer the server were unable to log in. However, external clients were able to authenticate. This led me to believe something was not working properly with the local connection to OD.

     

    I compared against a fresh install of OD and noticed that there was not any Security Policy (this is different from the password policy) defined on the fresh OD install.  Using the serveradmin command line settings I changed the following items from a yes to a no:

     

     

    dirserv:MacOSXODPolicy:Configured Security Level:Binding Required = no
    dirserv:MacOSXODPolicy:Configured Security Level:Advisory Client Caching = no
    dirserv:MacOSXODPolicy:Configured Security Level:Man In The Middle = no
    dirserv:MacOSXODPolicy:Configured Security Level:Packet Signing = no
    dirserv:MacOSXODPolicy:Configured Security Level:No ClearText Authentications = no
    dirserv:MacOSXODPolicy:Configured Security Level:Packet Encryption = no
    
    

     

    The only item left on was:

     

    dirserv:MacOSXODPolicy:Directory Binding = yes
    

     

    I then went to System Preferences -> Users and Groups -> Login Options. The Network Account Server was listed as the local server and the indicator was green. Despite this I chose Edit and opened up Directory Utility. Under Services I edited the LDAPv3 entry. This brought up the list of configurations and again I edited the 127.0.0.1 entry. On the Security tab I noticed that all the items under Security Policy were checked. I unchecked all of the items and OK'd my way out of the windows. Then I restarted the machine.

     

    I was now able to log in to the server with a network account, add network users, and change user passwords.

     

    My guess is the upgrade process reads the OD security policy and then puts those flags into Directory Utility during the migration. Unfortunately this causes the server to be unable to communicate with OD locally even though the indicator shows it's working.

     

    The only remaining issue I ran into was not being able to bind a machine to Open Directory. It gave me an OD error 5101 using both the Directory Administrator account as well as another admin account I tried. After this I tried to rekerberize and broke the system. I have since rolled back to 10.8.5.  I will try the upgrade again when I can get some time and report my findings.

     

    Maybe this might help someone.
