k_knowles

Q: dscl returns eDSInvalidSession

I am trying to set up Open Directory so the Macs on the network can authenticate centrally. It was working for a while, but now it doesn't.

When I run the dscl command with the authonly flag it returns "Authentication for the node failed. DS Error: -14477 (eDSInvalidSession)".

Here's the command:

dscl /LDAPv3/(nodename) -authonly diradmin

The error message is:

Authentication for node /LDAPv3/(nodename) failed. (-14477, eDSInvalidSession)

<dscl_cmd> DS Error: -14477  (eDSInvalidSession)

I have searched for a solution on the Internet, but have not found anything relating to this.

Any ideas?

-Ken

Mac mini, OS X Mavericks (10.9.2)

Posted on Apr 15, 2014 7:34 AM


  • by k_knowles, Level 1 (0 points)
    Apr 16, 2014 4:17 PM in response to k_knowles

    I have some further symptoms. On a client machine, if I use dscl to query the directory, I always get eDSAuthFailed except for when I use diradmin as the user. If I put in the correct password, it gives me the eDSAuthFailed. With an incorrect password, it gives me eDSInvalidSession.

  • by k_knowles, Level 1 (0 points)
    Apr 17, 2014 10:29 AM in response to k_knowles

    Using kinit, I can verify the passwords are correct.

  • by Linc Davis (Solved answer), Level 10 (207,995 points)
    Apr 17, 2014 11:14 AM in response to k_knowles

    Many, if not most, Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

    1. The OD master must have a static IP address on the local network, not a dynamic address.

    2. You must have a working DNS service, and the master's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. On the Accessing your Server sheet, change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

    3. The primary DNS server used by the master must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

    4. Follow these instructions to rebuild the Kerberos configuration on the master.

    5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.

    6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

    7. Reboot the master and the clients.

    8. Don't log in to the server with a network user's account.

    9. Export all OD users, delete them, turn off OD, turn it back on, and import. Ensure that the UIDs are in the 1001+ range.
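
A preflight script for steps 2, 3 and 5 of the checklist above, added here as an example and not taken from the thread or from Apple. The string checks are portable; od_preflight assumes the macOS tools scutil, dig and openssl are present and that the OD master serves LDAP over TLS on port 636.

```shell
#!/bin/sh
# Preflight for OD steps 2, 3 and 5 (added example). The pure string checks run
# anywhere; od_preflight assumes macOS scutil, dig and openssl and assumes the
# master answers LDAP over TLS on 636.

# Step 2: hostname needs at least three labels, no empty labels, and must not
# end in .local (reserved for Bonjour).
fqdn_ok() {
    case "$1" in
        ''|.*|*.|*..*|*.local) return 1 ;;
        *.*.*)                  return 0 ;;
        *)                      return 1 ;;
    esac
}

# Step 3: the master's primary resolver should be itself (127.0.0.1) or an
# internal (RFC 1918) server, never a public resolver.
dns_internal() {
    case "$1" in
        127.0.0.1|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 5: pull the CN out of an "openssl x509 -noout -subject" line, in either
# the "C = US, CN = host" or the "/C=US/CN=host" layout.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Run the checks against the live system; prints one FAIL line per violation.
od_preflight() {
    host=$(scutil --get HostName 2>/dev/null || hostname -f)
    fqdn_ok "$host" || echo "FAIL step 2: '$host' must have 3+ labels and not be .local"
    ip=$(dig +short "$host" A | head -n 1)
    rev=$(dig +short -x "$ip" | sed 's/\.$//')
    [ "$rev" = "$host" ] || echo "FAIL step 2: reverse DNS for '$ip' is '$rev', not '$host'"
    ns=$(scutil --dns | awk '/nameserver\[0\]/ {print $3; exit}')
    dns_internal "$ns" || echo "FAIL step 3: primary resolver '$ns' is not loopback/internal"
    subj=$(openssl s_client -connect "$host:636" </dev/null 2>/dev/null |
           openssl x509 -noout -subject 2>/dev/null)
    cn=$(subject_cn "$subj")
    [ "$cn" = "$host" ] || echo "FAIL step 5: certificate CN '$cn' does not match '$host'"
}

# Only touch the live system when invoked with --run.
case "${1:-}" in --run) od_preflight ;; esac
```

Run it on the master with `sh od_preflight.sh --run` after each checklist step; silence means the three rules it can verify are satisfied.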

  • by k_knowles, Level 1 (0 points)
    Apr 21, 2014 9:28 AM in response to k_knowles

    Thanks for your reply.

    It looks like my main problem is the TLD is .local. Is there an easy way to change this? Or does it require rebuilding OD?

  • by Linc Davis, Level 10 (207,995 points)
    Apr 21, 2014 11:16 PM in response to k_knowles

    See Step 2 above.

  • by k_knowles, Level 1 (0 points)
    Apr 22, 2014 12:51 PM in response to Linc Davis

    I did that but it didn't change it throughout the system. I ended up going through all the steps and creating new certificates (self-signed).

    Thanks for your help.

  • by Linc Davis, Level 10 (207,995 points)
    Apr 22, 2014 3:01 PM in response to k_knowles

    That was Step 5.

  • by k_knowles, Level 1 (0 points)
    Apr 23, 2014 10:26 AM in response to Linc Davis

    OK, thanks.

    It seems to be working for the most part. I'm monitoring the logs and there are some errors in there, but the users are authenticating correctly now and the e-mail is working.