OS X Server 10.9.x Client will not bind to LDAP/OD Server 10.9.x

I've done multiple server updates, installs etc. with no luck.


I cannot get OS X Mavericks 10.9.x clients to bind to an OS X Server Mavericks 10.9.x Open Directory LDAP. I've tried client & server installs of 10.9.1, .2, & .3 with no luck. When I go to bind I get the message seen below. I know it's connecting because if I purposely put in a wrong password for the "diradmin" user it tells me that the credentials are wrong. If I put in the correct password I get this message.


The funny thing is that I still have set up two test servers with 10.7 & 10.8 Server, and clients of all versions bind like they should. The issue is only with Mavericks Server 10.9.x.


With searching around in Apple Discussions I've seen articles that talk about changing DNS to the Mac Server, which has not helped me, plus we have a DNS server in our network already so I do not wish to add more.


Anyone else having this issue?


Thank you!


Posted on May 29, 2014 8:25 AM


Jun 28, 2017 6:40 PM in response to carter.x

I'm not certain that this is the same issue, but I've been running into something very similar setting up a Sierra server to replace our current Mountain Lion install (we are not early adopters over here :-) ). I pulled some ML clients off the network to use as test cases against the new server build and found that I could neither bind nor authenticate the 10.8.6 clients to the 10.12.4 server. When trying to bind, I get the exact error you report above - also the same log entry. I had created a test OD with a couple of users, verified that all was well in the records via Directory Utility and then could not get the 10.8.6 machine to recognize their credentials after adding the server via System Preferences/Users and Groups/Log In Options. However, test clients running 10.11.6 bind and authenticate test users just fine.


I can report limited success in finding a fix, with a caveat.


What I discovered is that there are key differences in the implementation of SSH that are preventing bind and authentication from working. I pulled up the ssh_config and sshd_config files from my current ML server and my Sierra server and noted a few items either commented out or missing altogether from the newer config files. When I copied these over (or commented out/in as appropriate to match the older settings) then voilà, the 10.8.6 clients were able to bind without a hitch and I was able to log in to them using my test user accounts on the Sierra server.


Now, the caveat:

My syslog on the Sierra Server is currently filling up with this message every second:


kernel SandboxViolation: sdmd(295) deny(1) system-package-check


Likely I'll need to back the changes out and start over again to figure out which of them actually made the critical difference.


I believe this may be related to another issue I've been experiencing, where 10.9 clients cannot authenticate to shared calendars on the 10.8.6 ML server.


Let me know if you'd like more detail about exactly what I've changed in the SSH conf files.


Cheers and good luck!

Paul

May 29, 2014 10:03 AM in response to carter.x

Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

1. The OD master must have a static IP address on the local network, not a dynamic address.

2. You must have a working DNS service, and the master's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. On the Accessing your Server sheet, change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

3. The primary DNS server used by the master must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

4. Follow these instructions to rebuild the Kerberos configuration on the master.

5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.

6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

7. Reboot the master and the clients.

8. Don't log in to the server with a network user's account.

9. Export all OD users, delete them, turn off OD, turn it back on, and import. Ensure that the UIDs are in the 1001+ range.

Aug 8, 2014 1:35 PM in response to carter.x

I use the golden triangle for my labs. After I updated servers and clients to Mavericks, I am unable to bind Mavericks clients to Open Directory. Mountain Lion and prior OSes' clients will bind to my Mavericks OD server via authenticated bind.


I found that if I don't do an authenticated bind, Mavericks clients will connect.


This is like 10.5 vs 10.6 and 10.7 vs 10.8. Apple seems to be releasing a crappy OS full of poorly implemented features, followed by a solid OS. I am beginning to wonder if Yosemite will solve the Mavericks OS issues.

Aug 15, 2014 2:08 PM in response to patiofurn

Hi all,


I'm new to the forum, so apologies if I'm repeating anything. I had the same issue, where the Mavericks client bound without authentication. However, after adding the server IP address in System Preferences > Network > Advanced, then clicking DNS. Under DNS address, add the server's IP at the top of the list, and make sure it's the same on the server. Simply did a restart of client and server and binding worked when adding the server in Users and Groups and entering the diradmin password.


Hope this helps.

Sep 18, 2014 11:59 PM in response to Linc Davis

I have the same problem here, but I am using real, static IPs. Following Linc Davis's suggestions:


1. The server has a static IP all right, a real one.

2. Both server name and computer name show the fully qualified domain name of the server, let's say family.myorg.org.

3. The DNS server is correctly set in both the clients and the server, and it is also a real IP address. When doing dig and dig -x for the server, returned information is correct.

4. I rebuilt the Kerberos configuration, as the instructions show.

5. I am using a real Certificate, in which the computer name matches my server name.

6. I am not sure what that means. In System Preferences, in the User and Groups pane, on the server, I see only the admin user (local user) and the local groups, not the network users or groups. Can you please elaborate on this?

7. Rebooted countless times.

8. I can't log in to the server with a network user account, only with admin, a local user.

9. I have no idea how to do that. Care to elaborate, please?


I've also created a new network user, from Server.app, still the same behavior.


Many thanks for any help you can provide.

Feb 6, 2015 8:38 AM in response to carter.x

This ship has probably sailed already. But one thing that was not mentioned is that the clients' time needs to be in sync with the Open Directory server. Kerberos requires no more than a 5-minute deviation. The easiest way to fix this is to point the Server to a well-known time server (time.apple.com) and point all the clients to use the server's fully qualified domain name (or IP address) for their time server. Hope that helps someone.
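As an added example that is not part of any reply above, the following POSIX shell pre-check encodes the rules from Linc Davis's checklist (hostname with at least three labels and not in .local, forward and reverse DNS agreeing, certificate CN equal to the FQDN) together with the 5-minute Kerberos clock-skew limit from the reply above. The function names, the OD_SERVER and OD_SERVER_EPOCH variables and the sample subject strings are assumptions made here, not anything from the thread.

```shell
#!/bin/sh
# Pre-bind sanity checks for an Open Directory master (constructed example).

# Rule 2: at least three labels and not in the Bonjour-reserved .local domain.
od_hostname_ok() {
    case "$1" in
        *.local|*.local.|*..*|.*|*.) return 1 ;;
    esac
    labels=$(printf '%s' "$1" | awk -F. '{ print NF }')
    [ "$labels" -ge 3 ]
}

# Kerberos tolerates at most 300 s of skew; both arguments are epoch seconds.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le 300 ]
}

# Rule 5: the CN in an "openssl x509 -noout -subject" line must equal the FQDN.
# Handles both "subject= /C=US/CN=host" and "subject=C = US, CN = host" styles.
cert_cn_matches() {
    cn=$(printf '%s' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Live checks against a real master; only runs when OD_SERVER is set, e.g.
#   OD_SERVER=server.myorg.org OD_SERVER_EPOCH=$(ssh server.myorg.org date +%s) sh od_check.sh
run_od_checks() {
    server=$1
    od_hostname_ok "$server" || echo "FAIL: '$server' is not a usable OD master name"
    # Rule 3: forward and reverse DNS (dig / dig -x) must agree.
    ip=$(dig +short "$server" | head -n 1)
    ptr=$(dig +short -x "$ip" | sed 's/\.$//')
    [ "$ptr" = "$server" ] || echo "FAIL: reverse DNS for $ip is '$ptr', expected $server"
    # Rule 5: fetch the LDAP-over-TLS certificate and compare its CN to the FQDN.
    subj=$(printf '' | openssl s_client -connect "$server:636" 2>/dev/null \
           | openssl x509 -noout -subject 2>/dev/null)
    cert_cn_matches "$subj" "$server" || echo "FAIL: cert subject '$subj' != $server"
    # Clock skew: OD_SERVER_EPOCH is the master's "date +%s", captured by the admin.
    if [ -n "${OD_SERVER_EPOCH:-}" ]; then
        clock_skew_ok "$(date +%s)" "$OD_SERVER_EPOCH" || echo "FAIL: clock skew > 5 min"
    fi
}

if [ -n "${OD_SERVER:-}" ]; then
    run_od_checks "$OD_SERVER"
fi
```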
