ChrisJenkins

Q: Since upgrade cannot reset OD user passwords nor create new users

I had an OS X Server 2.0 / OS X 10.8 setup which had been running fine for about a year. 12 days ago I upgraded it to Mavericks (10.9.1) and OS X Server 3.0.2. Pretty much everything is working okay except for one serious problem…

Since the upgrade I am no longer able to perform any operation that requires creation/modification of a password within OD. I can delete existing users, edit users (as long as I do not change their password) and so on but I cannot (a) reset a user's password or (b) create a new user (since this requires creation of their password). In fact if I try and create a new user it says it has failed but in fact the user gets created but without a valid password.

In each case the error reported is a variation on not authorised / not authenticated. I have tried with Server.app, Directory Utility and Workgroup Manager and all have the same issue. However, I *can* change the password for an existing user if I log into a Mac that is bound to the OD server and change the password there. That change then *does* take effect within OD.

I found the Apple support article regarding rekerberizing here: http://support.apple.com/kb/TS5289?viewlocale=en_US&locale=en_US

I tried this (several times) but it did not help.

I really need to be able to create users and modify passwords via the normal means.

Can anyone suggest what the issue may be or at least what to look for to try and figure out the cause?

Posted on Jan 14, 2014 6:08 AM


  • by ChrisJenkins, Jan 14, 2014 6:14 AM in response to ChrisJenkins
    Level 1 (21 points)

    I should mention that the server has been rebooted (a few times) since the upgrade too but the problem persists.

  • by ChrisJenkins, Solved answer, Jan 25, 2014 12:09 PM in response to ChrisJenkins
    Level 1 (21 points)

    Okay, I have solved this. I am posting details of the cause, and the resolution, in case it helps anyone else.

    The issue was that when I originally set up my server (Mountain Lion and Server 2.2) and created my Open Directory master the machine had a hostname of 'xyz.mydomain.com'. DNS was all set up perfectly for this with forward and reverse resolution working fine.

    Some time later, for good reason, I changed the host name to 'abc.mydomain.com'. DNS was also suitably modified. This didn't seem to cause any big issues at the time. Mountain Lion and Server 2.2 seemed quite happy and all the services that I use (most of them) were working fine.

    Then I upgraded to Mavericks and Server 3.0 and my problems began... As well as the problem I described earlier in this post I also had other issues:

    -   Network (OD) users could mount shares via SMB but not via AFP.
    -   Network users could not log in via SSH.

    The errors in the system log seemed to indicate some fundamental problem with Kerberos authentication. I tried re-kerberizing but it did not help. Looking in the OD database under 'Computers' I saw that my server's name was still listed as 'xyz.mydomain.com' instead of 'abc.mydomain.com'.

    So, as a last attempt before I destroyed and re-built my Open Directory master (a major job that I was not keen to undertake) I tried the following:

    1.    Shut down all services except DNS and DHCP
    2.    Adjusted DNS for the original server hostname (xyz.mydomain.com)
    3.    Changed the server's hostname (via Server Manager) back to its original name of 'xyz.mydomain.com'
    4.    Rebooted the server
    5.    Re-kerberized
    6.    Started all required services

    Now all is working perfectly! All the problems I had have disappeared and no more horrible Kerberos messages in the system log.

    It seems that Server 3.0 is much more pernickety about the hostname that was in use at the time OD was created compared to Server 2.2.
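The resolution above depends on three things naming the same host: the server's current hostname, forward and reverse DNS for it, and the Computer record held in Open Directory. The script below is an added example (not from the original post, and not an Apple tool) that checks exactly that before anyone resorts to rebuilding an OD master. The function names and the sample values (abc.mydomain.com, xyz.mydomain.com, 192.0.2.10) are assumptions constructed to mirror the mismatch described in the thread; run with `--live` on the OD master it gathers the real values with `scutil`, `dig` and `dscl`.

```shell
#!/bin/sh
# Added example: check that hostname, forward DNS, reverse DNS and the
# Open Directory Computer record all agree. Function names and the sample
# data below are assumptions for illustration, not part of the original post.

# forward_reverse_consistent HOST FORWARD_IP REVERSE_NAME
#   HOST          hostname the server currently uses
#   FORWARD_IP    address HOST resolves to (empty if no A record)
#   REVERSE_NAME  name FORWARD_IP resolves back to (dig adds a trailing dot)
# Returns 0 when the DNS round trip comes back to HOST, 1 otherwise.
forward_reverse_consistent() {
    host="$1"; fwd="$2"; rev="$3"
    [ -n "$fwd" ] || { echo "no A record for $host"; return 1; }
    rev="${rev%.}"   # strip the trailing dot dig prints on PTR targets
    if [ "$rev" != "$host" ]; then
        echo "reverse lookup of $fwd gives '$rev', expected '$host'"
        return 1
    fi
    return 0
}

# od_has_computer_record HOST RECORD_LIST
#   RECORD_LIST  newline-separated names as printed by
#                dscl /LDAPv3/127.0.0.1 -list /Computers
# Returns 0 when HOST is listed, 1 otherwise. This is the symptom the
# poster saw: OD still held the old name after the hostname change.
od_has_computer_record() {
    host="$1"; list="$2"
    printf '%s\n' "$list" | grep -qx "$host"
}

# check_all HOST FORWARD_IP REVERSE_NAME RECORD_LIST
# Runs both checks, prints what disagrees, returns 0 only if all agree.
check_all() {
    rc=0
    forward_reverse_consistent "$1" "$2" "$3" || rc=1
    od_has_computer_record "$1" "$4" || { echo "no OD Computer record named $1"; rc=1; }
    [ "$rc" -eq 0 ] && echo "hostname, DNS and OD all agree on $1"
    return $rc
}

# Constructed sample data: the server was renamed to abc.mydomain.com but
# reverse DNS and the OD Computer list still carry xyz.mydomain.com.
SAMPLE_HOST="abc.mydomain.com"
SAMPLE_FWD="192.0.2.10"
SAMPLE_REV="xyz.mydomain.com."
SAMPLE_OD_COMPUTERS="xyz.mydomain.com
someclient.mydomain.com"

# Live mode: gather the real values on the OD master (dscl may need sudo).
if [ "${1:-}" = "--live" ]; then
    live_host=$(scutil --get HostName)
    live_fwd=$(dig +short "$live_host" A | head -n1)
    live_rev=$(dig +short -x "$live_fwd" | head -n1)
    live_od=$(dscl /LDAPv3/127.0.0.1 -list /Computers)
    check_all "$live_host" "$live_fwd" "$live_rev" "$live_od"
fi
```

On the sample data `check_all` reports both a reverse-DNS mismatch and a missing OD Computer record, which is the state the poster found before reverting the hostname; after step 3 in the answer the same check passes for xyz.mydomain.com. In live mode, `scutil --get HostName` prints "HostName: not set" on machines where the primary hostname was never set explicitly, so confirm that value by eye before trusting the result.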