
Error "kdc: Server not found in database" on attempted connections using Network User Credentials

I am rebuilding my system after a recent debacle with Time Machine, which resulted in a complete wiping of my Open Directory contents. At this point, users can log into various computers on the network, when the hosts have been reconnected to the newly formed Open Directory and the trust certificate has been authorized. However, when users attempt to connect to any file share, the Network User Account credentials fail to gain access.


I am running Mac OS X 10.9.4 on all systems. Two Mac minis are running OS X Server 3.1.2. One of these servers (mavericks1.pediatricheartcenter.org) is the Open Directory. While testing the system, I am using the console on "Mavericks1," so the following discussion involves communication between the two server hosts only.


From Mavericks1, I open the console and attempt to connect to my file server, named fileserver.pediatricheartcenter.org. I clear the console just prior to sending a "registered user" request to "FileServer" to gain access. Careful examination of the console records shows the following:


1. The Network User is authorized with a message "ENC-TS pre-authentication succeeded".

2. Mavericks1 lists a console message that reads "kdc: Server not found in database: krbtgt/LOCAL@MAVERICKS1.PEDIATRICHEARTCENTER.ORG:no such entry found in hdb"

3. Mavericks1 lists a console message that reads "kdc: Server not found in database: cifs/FileStorage.local@MAVERICKS1.PEDIATRICHEARTCENTER.ORG: no such entry found in hdb"

4. The process registers what appears to be a final failure before trying again with "kdc: Failed building TGS-REP to 127.0.0.1:64390"


FileStorage.local does not exist in the DNS, nor does it exist on FileStorage.pediatricheartcenter.org. That (local) host name was removed when the domain host name for filestorage.pediatricheartcenter.org was created.


1. Why does the kerberos process reference a host name that does not exist?

2. What might be causing the failed authentication exchange?

3. What can be done to remedy the issue?

Posted on Jul 10, 2014 2:52 PM

8 replies

Jul 11, 2014 9:57 AM in response to Jared Clemence

I changed FileStorage.local to fileserver.pediatricheartcenter.org. I verified the DNS entries. There were two A records for 192.168.76.22; I removed them both and recreated a pointer to the mavericks1 server, which was renamed od.pediatricheartcenter.org to better match its primary function. After making these changes, I opened consoles on three machines: a random laptop within the clinic, one on fileserver.pediatricheartcenter.org, one on od.pediatricheartcenter.org. I opened Finder and began a "Connect as..." connection entering a valid user name and password, and just prior to sending the connection request cleared the three consoles. This is what was displayed:


Connecting Laptop:

[screenshot]


fileserver.pediatricheartcenter.org:

[screenshot]


od.pediatricheartcenter.org (shows no relevant traffic):

[screenshot]


I'm not sure if this extra information is helpful. It is a transaction that was not seen before. Because of the lack of information in the consoles and the fact that the od.pediatricheartcenter.org system does not even appear to interact in this transaction, I performed again the first connection where I am attempting to use "Connect as..." via Finder on od.pediatricheartcenter.org to access files on fileserver.pediatricheartcenter.org


This time, we see again the interaction that was described in the original post:


od.pediatricheartcenter.org (source of connection and source of Open Directory for fileserver.pediatricheartcenter.org):

[screenshot]


fileserver.pediatricheartcenter.org:

[screenshot]


To verify the settings, I check the server settings again after performing these tests and share screen shots below from od.pediatricheartcenter.org (first) and then from fileserver.pediatricheartcenter.org (second).


[three screenshots]


fileserver.pediatricheartcenter.org:

[screenshot]

[screenshot]


Note: each of these systems has been upgraded to OS X 10.9.4 within the past 24 hours (after the problems started) and had server upgraded to 3.1.2 (after the problems started).

Jul 11, 2014 11:45 AM in response to Jared Clemence

Because the error seems to stem around the existence of computer identity records in the LDAP directory, I have opened the Directory Utility and taken screen shots of the listed computers. I am interested to see that the LDAP entry for od.pediatricheartcenter.org still reflects the name of mavericks1.pediatricheartcenter.org. The current host name appears to be signified by a "$" after the name as in: od.pediatricheartcenter.org$.


[screenshot]

The fileserver.pediatricheartcenter.org host appears to be represented by the entry filestorage$, but this entry does not reference either of the host names seen in the network during the previous experiments: FileStorage.local or fileserver.pediatricheartcenter.org.


[screenshot]

If the error that is causing the user authentication to fail is related to the host not being listed in the LDAP directory, then the question becomes: how does one add hosts to this listing without directly inserting them? By what process does the record filestorage$ become created, and can fileserver.pediatricheartcenter.org be created by that same process? Would this solve the issue?

Jul 11, 2014 4:02 PM in response to Jared Clemence

1. The OD master must have a static IP address on the local network, not a dynamic address.

2. You must have a working DNS service, and the master's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

3. The primary DNS server used by the master must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

4. Follow these instructions to rebuild the Kerberos configuration on the master.
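
As an added example (not from this thread, and not Apple's tooling), a small POSIX shell script that checks items 2 and 3 of the checklist above: the master's host name must have at least three labels, must not be in ".local", and its forward and reverse DNS must agree, with exactly one A record (the original poster found two). The host names used in the comments are constructed; the DNS check needs dig and network access and is skipped otherwise.

```shell
#!/bin/sh
# check_od_hostname NAME
#   Returns 0 when NAME is usable as an Open Directory master host name:
#   three or more labels (e.g. server.yourdomain.com) and not *.local,
#   which is reserved for Bonjour.
check_od_hostname() {
  name=$1
  case "$name" in
    *.local|*.local.)
      echo "FAIL: $name is in .local (reserved for Bonjour)"; return 1 ;;
  esac
  # Count non-empty dot-separated labels (a trailing dot adds an empty one).
  labels=$(printf '%s' "$name" | awk -F. '{n=0; for (i=1;i<=NF;i++) if ($i!="") n++; print n}')
  if [ "$labels" -lt 3 ]; then
    echo "FAIL: $name has $labels label(s); need at least three"; return 1
  fi
  echo "OK: $name is a three-level, non-.local name"
  return 0
}

# check_od_dns NAME
#   Resolves NAME with the system resolver (which, per the checklist, should
#   be the internal DNS server), requires exactly one A record, and requires
#   the PTR for that address to map back to NAME.
check_od_dns() {
  name=$1
  command -v dig >/dev/null 2>&1 || { echo "SKIP: dig not installed"; return 0; }
  addrs=$(dig +short A "$name")
  [ -n "$addrs" ] || { echo "FAIL: no A record for $name"; return 1; }
  n=$(printf '%s\n' "$addrs" | wc -l | tr -d ' ')
  [ "$n" -eq 1 ] || { echo "FAIL: $name has $n A records; expected one"; return 1; }
  ptr=$(dig +short -x "$addrs" | sed 's/\.$//')
  if [ "$ptr" != "$name" ]; then
    echo "FAIL: PTR for $addrs is '$ptr', not $name"; return 1
  fi
  echo "OK: $name <-> $addrs forward and reverse match"
  return 0
}

# Usage (constructed name): run both checks against the OD master's FQDN.
# check_od_hostname od.example.org && check_od_dns od.example.org
```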

Jul 14, 2014 4:30 PM in response to Jared Clemence

I spent some time on the phone with Apple Support on Friday. Thank you to Linc Davis for providing some insights into the issues.


As a result of the conversation with Apple Support we learned the following, which I will report here for those who might find this page again:


First, OpenDirectories are extremely fragile. Once you have turned on your OpenDirectory, do not do any of the following:

  • Do NOT change the host name.
  • Do NOT change the IP address.


If you are going to attempt either of these things, you should make a clone of your drive (not just a TimeMachine backup, a fully bootable clone, just in case).


Performing these activities (particularly the changing of the host name) will "break" your open directory, and the only way to rebuild the open directory is first to fully destroy the original. Several services are also destroyed when OpenDirectory is broken, the most notable being Profile Manager.


DESTROYING OPEN DIRECTORY


Fully destroying OpenDirectory is more complex than simply turning off the OpenDirectory and turning it back on again. Perform the following steps:

  1. Install WorkGroup Manager (it is deprecated, but Apple still has a version available for use with OS X Mavericks to handle functions that the Server App does not perform, like exporting users and groups).
  2. Sign into WorkGroup Manager as the directory administrator (user name defaults to "diradmin" the password is defined on OpenDirectory creation).
  3. Export the Users, Groups, Computers and Computer Groups to the Desktop or another safe location.
  4. Close WorkGroup Manager.
  5. Turn off the OpenDirectory in Server App.
  6. Delete the Server App from the Applications folder and put it in the Trash. (This will disable any active services that are marking various files as being currently in use. Don't worry, we will restore it from the Trash when we are done).
  7. In the terminal, run the following command: sudo slapconfig -destroyldapserver
  8. Make a backup of all website files (just in case)
  9. Navigate to the folder /Library/Server and delete the ProfileManager folder. (If you are willing to do so, delete the whole Server folder).
  10. After deleting various folders in the /Library/Server directory, restore the Server.app from the Trash.
  11. Run the Server App.
  12. Set the computer's network connection and host name.
  13. Create a new OpenDirectory.
  14. Use WorkGroup Manager to import any exported files from Step 3.
  15. If you deleted the entire Server directory, use the website backup to retrieve the files that comprise your web site(s) and use the Server App to link the file directories to the Web site's domain name(s).


Personal Note: These instructions got me farther than any other tips I had received previously. After following these instructions, I was able to rebuild my Open Directory. During the process of copying files from the old user home folders into the new user home folders, the computer froze and when it rebooted, all the users and groups I had created during the day had disappeared. Rather than trouble-shooting it again, I decided to do a fresh installation.


A NOTE ON HOME FOLDERS


PER APPLE SUPPORT: Do NOT use the default /Users directory for Network users. Apple Support wanted me to rebuild the home directory, but they noted I was not able to do this, because I had used /Users. This folder ("/Users") is a critical component of the OS X system, and will cause additional problems if the folder is destroyed and rebuilt. The directory id and permissions must remain unchanged from the original installation.


For this reason, Server administrators (like yourself) should use File Sharing in the Server App to create a new anchor point for home directories. Create a shared folder. Ensure that it is shared over the protocols that you will be using (AFP, SMB, WebDAV), and then after selecting these values, check the box that allows the folder to be used as a home directory at the bottom of this list. This box will be greyed out if the system is not already bound to an OpenDirectory. If you have activated OpenDirectory on the same machine, the machine will operate as if bound to itself, and this field will be active. If the FileShare server is NOT an OpenDirectory master or replica, then bind the machine to an OpenDirectory via "System Preferences > Users & Groups > Login Options".


If the local area network has FileShares that are enabled for home directory use, the folders will appear in the User Profile editor under the Home Folder list (See image)


[screenshot]

In the screenshot above, I have selected a shared directory named "HomeFolders". By using a specially defined home folder directory, the server administrator has the option of deleting and modifying the home folder if necessary. Creating a home folder directory in a location other than "/Users" is the recommended best practice by Apple Support.


If you are inserting files into the home folders, you will need to change the owner and the group to the new owners' names. I copied files from the old user directories into the new user directories so that the users would have access to their old files. When my OpenDirectory crashed, and all the users were recreated, they were recreated with different system-level user IDs. The system therefore maintains a memory that the file was owned by the original owner, even though the system administrator has put it in the new user profile's folder. To fix this, do the following:


1. Prior to making the copy, run "ls -al" from the terminal on the new home directory root. You are looking for the default folder owner and default folder group. On my system it was the user name and a group named "staff".

2. When making the copy, do not replace the user folder. Copy the files into the file folder, not over it.

3. After you have moved files into the user's folders, you can use "sudo chown -R [owner]:[group] [homeFolderPath]/*" and "sudo chmod -R 700 [homeFolderPath]/*" (replace the [owner] and [group] portions of these commands with the owners and groups identified by the command in step 1, and replace [homeFolderPath] with a path to the user directory created for the specific user).


For example:


For the user johnnybgood, we might see the following:


1. We run "ls -al" on the newly created home folder and find that the folder /Volumes/HomeFolders/johnnybgood is owned by johnnybgood and the group "staff".

2. We copy or move files from the old locations using commands similar to the following:

sudo mv /OldFolderLocation/johnnybgood/Documents/* /Volumes/HomeFolders/johnnybgood/Documents

sudo mv /OldFolderLocation/johnnybgood/Desktop/* /Volumes/HomeFolders/johnnybgood/Desktop

sudo mv /OldFolderLocation/johnnybgood/Music/* /Volumes/HomeFolders/johnnybgood/Music

....etc....

(notice how we are not just moving the old johnnybgood folder to the new location.)

3. Next, we change the ownership and file permissions:

sudo chown -R johnnybgood:staff /Volumes/HomeFolders/johnnybgood/Documents

sudo chown -R johnnybgood:staff /Volumes/HomeFolders/johnnybgood/Desktop

sudo chown -R johnnybgood:staff /Volumes/HomeFolders/johnnybgood/Music

...etc...

sudo chmod -R 700 /Volumes/HomeFolders/johnnybgood/Documents

sudo chmod -R 700 /Volumes/HomeFolders/johnnybgood/Desktop

sudo chmod -R 700 /Volumes/HomeFolders/johnnybgood/Music

...etc...

4. Let the user log in and use the system normally.
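
As an added example (not from this thread), the per-folder mv/chown/chmod sequence above generalised into one POSIX shell function: it reads the new home's owner and group the way step 1 does with "ls -l", moves the contents of each top-level folder into the same-named folder on the new home without replacing that folder, and then applies the ownership and 700 mode. The paths in the usage comment are constructed; run it with sudo, as the post does, when the files belong to other users.

```shell
#!/bin/sh
# migrate_home_contents OLD_HOME NEW_HOME
#   Moves the contents of every top-level folder in OLD_HOME (Documents,
#   Desktop, Music, ...) into the matching folder under NEW_HOME, creating
#   the folder if needed but never overwriting it, then sets owner:group to
#   whatever already owns NEW_HOME and mode 700 on the moved contents.
migrate_home_contents() {
  old=$1
  new=$2
  [ -d "$old" ] && [ -d "$new" ] || { echo "both home folders must exist" >&2; return 1; }

  # Same information step 1 gets from "ls -al": field 3 is the owner and
  # field 4 the group of the new home root (word-splitting is intended).
  set -- $(ls -ld "$new")
  owner=$3
  group=$4

  for src in "$old"/*/; do
    [ -d "$src" ] || continue
    sub=$(basename "$src")
    dst="$new/$sub"
    mkdir -p "$dst"                     # create the folder, never replace it
    for f in "$src"* "$src".[!.]*; do   # regular and dot entries, not . or ..
      [ -e "$f" ] || continue           # skip unmatched glob patterns
      mv "$f" "$dst/"
    done
    chown -R "$owner:$group" "$dst"
    chmod -R 700 "$dst"
  done
}

# Usage (constructed paths, matching the johnnybgood example above):
# sudo sh -c '. ./migrate_home.sh; migrate_home_contents /OldFolderLocation/johnnybgood /Volumes/HomeFolders/johnnybgood'
```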
