MartinCline

Q: Binding Mavericks Clients to Maverick Server fail diradmin authentication

I'm having a problem binding my clients to my OD server with authentication.

 

Factoids:

Clients OS: 10.9.4

Server OS: 10.9.4, Server 3.1.2

Server is also the DNS server; it is working and seems to check out.

I have confirmed that the diradmin's password is correct via a terminal login session.

I can bind clients to the OD anonymously.

 

Problem:

I can bind clients to the OD anonymously, but not when trying to authenticate using the diradmin's credentials. I get the error: "Authentication failed. Please check the name and password and try again."

 

It gets all the way to the "Binding..." phase before it fails:

[screenshot: trying.jpg]

Failed:

[screenshot: fail.jpg]

 

What am I doing wrong here...?

Results of dig -x 192.168.1.99:


; <<>> DiG 9.8.3-P1 <<>> -x 192.168.1.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32764
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;99.1.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
99.1.168.192.in-addr.arpa. 10800 IN PTR server1.***.local.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 10800 IN NS server1.***.local.

;; ADDITIONAL SECTION:
server1.***.local. 10800 IN A 192.168.1.99
server1.***.local. 10800 IN A 192.168.1.100

;; Query time: 3 msec
;; SERVER: 192.168.1.99#53(192.168.1.99)
;; WHEN: Thu Aug  7 15:39:23 2014
;; MSG SIZE  rcvd: 120

Posted on Aug 7, 2014 1:01 PM


  • by Grant Bennet-Alder, Solved answer
    Level 9 (61,170 points), Desktops
    Aug 7, 2014 3:06 PM in response to MartinCline

    .local is different than a real domain-name, and is not neutral. Your domain should not use a name that ends in .local, and it should not look up to something that ends in .local.
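Grant's .local warning and the dig -x output in the question boil down to two checks a practitioner can run from Terminal before binding clients; this is an added shell example, not code from the thread or from Apple, and it assumes only that `dig` is installed (the hostnames, domain and the 192.168.1.x addresses below are constructed placeholders mirroring the question).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the FQDN that an Open
# Directory server advertises, the way dig -x was used in the question.

# Reject names that collide with mDNS/Bonjour (.local) or are not FQDNs.
check_od_hostname() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  case "$name" in
    *.local)
      echo "REJECT: $name ends in .local, which mDNS/Bonjour reserves"; return 1 ;;
    *.*.*) ;;                    # host.domain.tld or deeper: acceptable
    *) echo "REJECT: $name is not a fully qualified name"; return 1 ;;
  esac
  echo "OK: $name is a usable FQDN"
}

# $1 = server IP, $2 = PTR target (as from: dig +short -x IP),
# $3 = space-separated A records of that target (as from: dig +short A NAME).
# Returns 0 for a clean one-to-one mapping, 1 on mismatch, 2 on ambiguity.
check_reverse_forward() {
  ip=$1; ptr=$(printf '%s' "$2" | sed 's/\.$//'); found=0; count=0
  for a in $3; do
    count=$((count + 1))
    [ "$a" = "$ip" ] && found=1
  done
  if [ "$found" -eq 0 ]; then
    echo "MISMATCH: $ip -> $ptr, but $ptr does not resolve back to $ip"; return 1
  elif [ "$count" -gt 1 ]; then
    echo "WARN: $ptr has $count A records ($3); reverse and forward should map one-to-one"; return 2
  fi
  echo "OK: $ip <-> $ptr"
}

# Live wrapper for a real server: resolve with dig and run both checks.
audit_server() {
  ptr=$(dig +short -x "$1" | head -n 1)
  [ -n "$ptr" ] || { echo "FAIL: no PTR record for $1"; return 1; }
  check_od_hostname "$ptr" || return 1
  check_reverse_forward "$1" "$ptr" "$(dig +short A "$ptr" | tr '\n' ' ')"
}

# Constructed data mirroring the question's dig output (domain is a placeholder):
# a .local name with two A records, so both checks fire.
check_od_hostname "server1.example.local." || true
check_reverse_forward 192.168.1.99 "server1.example.local." "192.168.1.99 192.168.1.100" || true
```

Against a live server, `audit_server 192.168.1.99` runs the same two checks on whatever the PTR actually returns.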

  • by MartinCline,
    Level 1 (0 points)
    Aug 7, 2014 4:21 PM in response to Grant Bennet-Alder

    Thanks Grant!  Now that you've pointed that out, I had to do some digging.  Quite frankly, I had to figure out what you meant by "not neutral"... :-/


    Ok, so it's been 13 years since I set up a directory, and back then it was AD on Windows Server 2000 and it was recommended by MS to use .local on private networks that would never see the internet.  As of 2 years ago it was still in use and didn't have any problems.

     

    Apparently that is not the case now... I just found this: Another reason, albeit a much smaller one, is that mDNS, otherwise known as Bonjour, uses .local to identify nodes on the local subnet without using a DNS lookup. According to Apple, this should only happen when there is a single label in front of .local, like server1.local. If your AD is called company.local – guess what – that's a single name in front of a .local. Not a good situation to be in.

     

    In my defense:  At one time, Microsoft at least suggested the use of .local as a pseudo-TLD for small private networks with internal DNS servers, via documents that (as of this writing) are still accessible. For example, support article 296250[2] included the following option:

    • Make the name a private domain name that is used for name resolution on the internal Small Business Server network. This name is usually configured with the first-level domain of .local. At the present time, the .local domain name is not registered on the Internet.

     

    Mea culpa.

     

    More info:

    It is only one server and 4 clients. This time next year, it may be upwards of 8 clients.

    I own the domain mydomain.com, but my website is hosted elsewhere and I can't ever see hosting it myself. Same with email.

    I can't foresee a day when this server would be on a public IP address.

     

    So, now that I have put in a good bit of time setting this up, what are the consequences of changing it?  And how would I change it?  What is commonly done these days with naming?  Should I do something like local.mydomain.com?  Maybe server1.mydomain.com? Actually, now that I think about it, shouldn't it be exactly server1.mydomain.com?

  • by MartinCline,
    Level 1 (0 points)
    Aug 7, 2014 4:24 PM in response to Grant Bennet-Alder

    Would it be as simple as:

     

    1. turn off DNS and delete it

    2. change the server name

    3. Re-setup DNS

     

    ??

  • by MartinCline,
    Level 1 (0 points)
    Aug 7, 2014 4:36 PM in response to Grant Bennet-Alder

  • by Grant Bennet-Alder,
    Level 9 (61,170 points), Desktops
    Aug 7, 2014 5:53 PM in response to MartinCline

    I use a very awkward made-up name with two sets of double letters and a hyphen that ends in .edu. I figure that will never be the name of a school.

     

    The only users to see that name and try to resolve it will be inside your local network, using your captive DNS. Users from the Internet at large may someday need a way to get inside your network, but that can be done with a similar name. So the name can be whatever you please, but it should not be something likely to collide with real names that you do not own.

     

    As you discovered, it should not be .local, that is already being used for something else.

     

    Just changing the hostname does not change the Kerberos realm (created when the Open Directory Master is created).

     

    I am not sure whether you need a new Server certificate, or whether it will make you a new one. It will automatically add an additional directory reference in Directory.app, and generally that does not improve things.