
Network accounts can't login to Server.

It was working at the beginning of the year. Now it isn't working. I tried updating to 10.9.1 and 10.9 Server, but that did not fix it.


When I attempt to log in a teacher account, it just does the truffle shuffle and doesn't log in. Console on the server reads:


2/5/14 12:18:12.274 PM kdc[51]: AS-REQ teacher@SERVER.EGAN from 10.4.180.245:58581 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:18:12.278 PM kdc[51]: AS-REQ teacher@SERVER.EGAN from 10.4.180.245:58581 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:18:12.279 PM kdc[51]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

2/5/14 12:18:12.317 PM kdc[51]: AS-REQ teacher@SERVER.EGAN from 10.4.180.245:51043 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:18:12.321 PM kdc[51]: AS-REQ teacher@SERVER.EGAN from 10.4.180.245:51043 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:18:12.322 PM kdc[51]: Client sent patypes: ENC-TS

2/5/14 12:18:12.322 PM kdc[51]: ENC-TS pre-authentication succeeded -- teacher@SERVER.EGAN

2/5/14 12:18:12.322 PM kdc[51]: Client (teacher@SERVER.EGAN) has invalid bit set


When I attempt to log in a student account, it actually gives a not helpful error dialog:


You are unable to log in the user account "%account" at this time

Logging in to the account failed because an error occurred.


The server console reads:


2/5/14 12:08:46.226 PM kdc[51]: AS-REQ student@SERVER.EGAN from 10.4.180.245:57832 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:08:46.247 PM kdc[51]: AS-REQ student@SERVER.EGAN from 10.4.180.245:57832 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:08:46.248 PM kdc[51]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

2/5/14 12:08:46.285 PM kdc[51]: AS-REQ student@SERVER.EGAN from 10.4.180.245:60009 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:08:46.289 PM kdc[51]: AS-REQ student@SERVER.EGAN from 10.4.180.245:60009 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:08:46.290 PM kdc[51]: Client sent patypes: ENC-TS

2/5/14 12:08:46.290 PM kdc[51]: ENC-TS pre-authentication succeeded -- student@SERVER.EGAN

2/5/14 12:08:46.290 PM kdc[51]: Client (student@SERVER.EGAN) has invalid bit set

2/5/14 12:08:47.059 PM kdc[51]: AS-REQ student@SERVER.EGAN from 127.0.0.1:55043 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:08:47.063 PM kdc[51]: AS-REQ student@SERVER.EGAN from 127.0.0.1:55043 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:08:47.064 PM kdc[51]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

2/5/14 12:08:47.067 PM kdc[51]: AS-REQ student@SERVER.EGAN from 127.0.0.1:54644 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:08:47.071 PM kdc[51]: AS-REQ student@SERVER.EGAN from 127.0.0.1:54644 for krbtgt/SERVER.EGAN@SERVER.EGAN

2/5/14 12:08:47.072 PM kdc[51]: Client sent patypes: ENC-TS

2/5/14 12:08:47.072 PM kdc[51]: ENC-TS pre-authentication succeeded -- student@SERVER.EGAN

2/5/14 12:08:47.072 PM kdc[51]: Client (student@SERVER.EGAN) has invalid bit set

2/5/14 12:08:47.075 PM AppleFileServer[1092]: _Assert: /SourceCache/afpserver/afpserver-643/afpserver/FPSession.cpp, 700

2/5/14 12:08:47.075 PM AppleFileServer[1092]: Logged out 0x7fac5283d000



I could really use some help because this seems so completely random, and I need to get it working before the next semester. In the past I just threw up my hands and did a fresh install, but it's not an option right now since we're mid-semester.

Mac mini, OS X Server, 10.9.1 OS X Server

Posted on Feb 5, 2014 12:25 PM

8 replies
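As an added example that is not part of the original post, here is a Python triage of kdc[51] lines like the ones quoted above. It separates a wrong password (ENC-TS pre-authentication would not succeed) from the "invalid bit set" case, where the timestamp decrypts fine, so the password is right, and the KDC then refuses the principal because of a flag on its directory record. The admin@SERVER.EGAN lines in the sample are constructed to show a principal that gets through.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's log; the admin@ lines are invented to show a
# principal that passes pre-authentication without the "invalid bit" rejection.
SAMPLE_LOG = """\
2/5/14 12:18:12.274 PM kdc[51]: AS-REQ teacher@SERVER.EGAN from 10.4.180.245:58581 for krbtgt/SERVER.EGAN@SERVER.EGAN
2/5/14 12:18:12.279 PM kdc[51]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2/5/14 12:18:12.321 PM kdc[51]: AS-REQ teacher@SERVER.EGAN from 10.4.180.245:51043 for krbtgt/SERVER.EGAN@SERVER.EGAN
2/5/14 12:18:12.322 PM kdc[51]: Client sent patypes: ENC-TS
2/5/14 12:18:12.322 PM kdc[51]: ENC-TS pre-authentication succeeded -- teacher@SERVER.EGAN
2/5/14 12:18:12.322 PM kdc[51]: Client (teacher@SERVER.EGAN) has invalid bit set
2/5/14 12:30:01.100 PM kdc[51]: AS-REQ admin@SERVER.EGAN from 127.0.0.1:50001 for krbtgt/SERVER.EGAN@SERVER.EGAN
2/5/14 12:30:01.105 PM kdc[51]: ENC-TS pre-authentication succeeded -- admin@SERVER.EGAN
"""

AS_REQ = re.compile(r"AS-REQ (\S+) from (\d+\.\d+\.\d+\.\d+):\d+ for \S+")
PREAUTH_OK = re.compile(r"ENC-TS pre-authentication succeeded -- (\S+)")
INVALID_BIT = re.compile(r"Client \((\S+)\) has invalid bit set")


def triage_kdc_log(text):
    """Return {principal: summary} for every client principal that sent an AS-REQ."""
    seen = defaultdict(lambda: {"as_req": 0, "sources": set(),
                                "preauth_ok": False, "invalid_bit": False})
    for line in text.splitlines():
        if m := AS_REQ.search(line):
            # Two AS-REQs per login are normal: the first carries no pre-auth data, the KDC
            # answers "Need to use PA-ENC-TIMESTAMP", and the client retries with ENC-TS.
            seen[m.group(1)]["as_req"] += 1
            seen[m.group(1)]["sources"].add(m.group(2))
        elif m := PREAUTH_OK.search(line):
            seen[m.group(1)]["preauth_ok"] = True
        elif m := INVALID_BIT.search(line):
            seen[m.group(1)]["invalid_bit"] = True
    for entry in seen.values():
        if entry["invalid_bit"]:
            # ENC-TS succeeded, so the password decrypted the timestamp; the KDC then refused
            # the principal because of a flag on its directory record, not the credentials.
            entry["verdict"] = "password accepted, principal rejected by KDC flags"
        elif entry["preauth_ok"]:
            entry["verdict"] = "pre-authentication succeeded"
        else:
            entry["verdict"] = "no successful pre-authentication seen"
    return dict(seen)


def flagged_principals(summary):
    """Principals showing the post's pattern: correct password, then 'invalid bit set'."""
    return sorted(p for p, e in summary.items() if e["invalid_bit"])
```

Run over a copy of the server's Console output, a non-empty `flagged_principals` result points at the account records in Open Directory rather than at passwords, DNS or binding.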

Feb 6, 2014 11:00 AM in response to Linc Davis

Short of creating a fresh new OD database, I followed what steps I could. Network accounts still can't log in, and now in Workgroup Manager, it says I'm not authorized to do many tasks (such as delete users.)


Somehow it's gotten worse. I've found several unresolved questions regarding the Not Authorized problem, so I've hit a dead end with that.


Looks like I'll just have to come in during the weekend and rebuild the server. For probably the 3rd time this year alone. I don't have any other choice.


I work 5 minutes from Cupertino. If I could just have ONE day with one of their engineers who could just sit down and fix the %#&^@! thing. I'm tired of wasting my time with this crap.


I love their desktop OS, and I thought I'd never say this, but I've NEVER had this much trouble with Active Directory. Microsoft seems to have their ducks in a row, despite it being obscenely expensive. And at least they'll occasionally send out an engineer.

Feb 18, 2014 4:24 PM in response to olePigeon

This is totally awesome. Here I'm in on my day off and not only have I installed 10.9 from scratch with a brand new OD database, but after a FRESH install, it tells me I can't set open directory passwords for users because the directory administrator account doesn't have an Open Directory password.


In the Advanced tab, it tells me it's an open directory password. This pull down menu is grayed out. I can't change it. It is, by default, an Open Directory password because it is the directory administrator.


Now I need to waste another entire day coming in reinstalling 10.8, because 10.9 doesn't work out of the god **** box.

Feb 24, 2014 11:56 AM in response to olePigeon

OK, after talking to Apple Enterprise (which I didn't realize was even an option with my little server), we got it working again.


Here're the steps we took, but please be VERY careful. I don't want anyone to run away and destroy their server.


WARNING: This will destroy your OD master.


1. Export your users, groups, computers, computer groups, etc. via Workgroup Manager. Make sure you have all your settings copied down. You will be creating a new OD master.

2. Open terminal, and run the following commands:

sudo slapconfig -destroyldapserver

sudo slapconfig -setstandalone

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh


3. Restart server.

4. Open Server app, create a new OD database.

5. Re-import everything.

6. Verify that the users and/or groups have correct server access settings (can access File Sharing.)

7. Verify that the users' home directory is correct, that it has the correct path (I had to change this for my users as it lost the home directory path after re-importing the users.)

8. Verify on both the server and the client machine that DNS is correct: use the host command via terminal.

9. On the client machines, bind to the server via drop-down menu in the Users & Groups system preferences pane, not by adding via IP address through the Directory Utility (which is how I did it.)


Users were now able to log in via the network.


I'm not sure how this differs from destroying the OD database from the Server app versus doing it via these three commands, but doing it via these commands actually fixes it. When I make a new OD database by deleting OD via Server app, it makes a new OD database with all the same problems.

Feb 25, 2014 1:21 PM in response to olePigeon

Talked to a senior Apple engineer. At some point during the import of users, slapd is crashing, and generating a ton of errors, for various reasons unknown. It completely hoses Open Directory and messes up the credentials for the directory admin.


My users started at UUID 15001 and up, and also used their email address as their username (so it matched their Google accounts.) So what I'm doing is re-exporting the users starting at UUID 1001, as that would be the default, moving their username to the email section of their info, and just using their first and last name as their username. So nothing special.


It's a possibility there's a conflict in the UUID with something on the system, or that the special characters (such as @ or . ) could be causing a conflict somewhere.



So the proposed solution is rather tedious, but hopefully it'll work. I'll do a clean, fresh install of OS X and Server. Do the above changes to my user database, then import them into Server. Set their home directories. Now I export the users again and back up the export, this time (hopefully) Open Directory fixed any anomalies.


Do yet another wipe/install of OS X and Server. Set it back up, then import the clean export of the users.


Hopefully this will resolve any errors generated by the initial import.


I'll post here again when it's done.

Feb 27, 2014 11:41 AM in response to olePigeon

Been a long few days, but I think it's finally working. Server has been running for a little over a day. All accounts have been successfully imported. File Shares have been created and home directories assigned and created.


I'm now setting up managed computer groups, printers, settings, etc. After all of this setting up, thankfully, I can still create and delete users, change passwords, and have them use their network accounts once again.


Things appear to finally be working.


Probably jinxed myself.


Anyway, a rundown of the steps:


1. Export your users, but make sure not to export your Directory Admin account.

2. Import them into an application such as Passenger, then export them again with new UIDs starting at 1001, and no special characters. You can generate new passwords, or use the imported passwords.

3. Back up any important data and settings.

4. Erase your server, reinstall OS.

5. Set up the server minimally, with DNS and a new Open Directory.

6. Import your users.

7. Wait a few minutes. Might even want to check Console in the ldap log to make sure the errors have stopped or resolved.

8. Export your users again.

9. Erase your server, reinstall OS.

10. Set up server again, and reimport your accounts.


This seems to have been what solved it for me. I would have to guess I had a corrupted user, perhaps, or the special characters were causing issues. I'm uncertain. In any event, these are the steps that worked for me.


I'm afraid that if you have any fancy directory structure, you'll have to set everything up again. You'll also have to rebind all the client machines, which can take a while if you have 500+ computers and laptops and you're the only one. 😝
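As an added example, not the poster's procedure and not the Workgroup Manager or Passenger export format (the input CSV and its column names are constructed), this Python script does what step 2 of the rundown describes: renumber UIDs from 1001 in the original order, replace e-mail-style usernames with plain first+last names containing no special characters, keep the old address as an e-mail attribute, and make sure two users with the same name do not collide.

```python
import csv
import io
import re

# Constructed input, not the poster's export: accounts that used an e-mail address as the
# username and UIDs from 15001 upward, as the post describes.
RAW_EXPORT = """\
uid,username,first,last
15001,jane.doe@example.edu,Jane,Doe
15002,john.smith@example.edu,John,Smith
15003,jane.doe2@example.edu,Jane,Doe
"""

# Anything outside lowercase letters and digits is stripped from the generated username.
UNSAFE = re.compile(r"[^a-z0-9]")


def normalize_users(raw_csv, first_uid=1001):
    """Renumber UIDs from first_uid in original order and replace e-mail usernames with
    plain first+last names; the old address is kept as an e-mail attribute."""
    rows = sorted(csv.DictReader(io.StringIO(raw_csv)), key=lambda r: int(r["uid"]))
    taken, users = set(), []
    for offset, row in enumerate(rows):
        base = UNSAFE.sub("", (row["first"] + row["last"]).lower()) or "user"
        name, n = base, 1
        while name in taken:           # two "Jane Doe"s must not get the same username
            n += 1
            name = f"{base}{n}"
        taken.add(name)
        users.append({
            "uid": str(first_uid + offset),
            "username": name,
            "email": row["username"] if "@" in row["username"] else "",
            "first": row["first"],
            "last": row["last"],
            "old_uid": row["uid"],     # kept so home directories can be mapped back
        })
    return users


def to_csv(users):
    """Serialise the cleaned records for re-import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["uid", "username", "email", "first", "last", "old_uid"])
    writer.writeheader()
    writer.writerows(users)
    return buf.getvalue()
```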
