OS X Server clients can't login after IP renumber and domain Name change

Question

Level 1

8 points

OS X Server clients can't login after IP renumber and domain Name change

I can not seem to get the logins working again on my OS X server (10.9.4 w/ server 3.1.2 on a 1 yr old. MacMini) after I needed to renumber the IP and change the domain name. I destroyed the Open Directory server, recreated it and created one test account. If I log in to the client with a local account I can connect to the server (Go>Connect To Server) from the client using my newly created account, but when I try to login to the server using the same network account login I get the "shaking head" response immediately. I have rebound the server to this client and it says that network accounts are available, but seem to be at a loss to understand why it won't let me login...

The only error message I see in any of the logs is the following:

(AFP Error Log:) Sep 15 20:21:47 isis.mydomain.com AppleFileServer[3032] <Info>: major error <1>: No credentials were supplied, or the credentials were unavailable or inaccessible.

I'm not sure what credentials it is referring to. I created a self signed certificate that I am using with OD, could that be the one?

Posted on Sep 17, 2014 6:42 PM

Reply

Answer 1

Linc Davis

Level 10

209,535 points

Sep 17, 2014 8:21 PM in response to DragonFired

Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

1. The OD master must have a static IP address on the local network, not a dynamic address.

2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

4. Follow these instructions to rebuild the Kerberos configuration on the master.

5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.

6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

7. Reboot the master and the clients.

8. Don't log in to the server with a network user's account.

9. Disable any internal firewalls in use, including third-party "security" software.

10. If you've created any replica servers, delete them.

11. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UID's are in the 1001+ range.

Reply

Answer 2

DragonFired Author

Level 1

8 points

Sep 18, 2014 11:24 AM in response to Linc Davis

Linc,

Thanks for the fast and though response. The only one on the list that I haven't done already is the DNS reverse, I am STILL waiting for my IT department to contact their ISP and request that change that I requested a week ago! I will have to wait until then before I can say anything definitive about whether or not this is working or not...

Arana

Reply

Answer 3

DragonFired Author

Level 1

8 points

Sep 29, 2014 4:13 PM in response to DragonFired

Well, I finally got the DNS straightened out. Then I noticed that OD wouldn't let me delete the master. So I wiped the hard drive and rebuild the server from the ground up. The problem is STILL the same, I have gone through all of the steps listed about (btw, nice list!) to no avail!

I can mount the user's home folder using connect to server, but can't login as that user. I am assuming that there is some problem with mounting the user home folder share, but I find no errors in tang of the log files that are enlightening. One strange thing I DO find is that when editing the user record in Server, no matter how many times I change the location of the user's home folder, it ALWAYS gets changed back to CUSTOM. I haven't ever seen this behavior before.

Reply

Answer 4

DragonFired Author

Level 1

8 points

Oct 7, 2014 12:18 PM in response to DragonFired

Solved! New INTERNIC policy on domain registrations, you now must verify your whois contact or the domain name gets shut off! Since I hadn't noticed the email in all the difficulties that were occurring the domain name that WAS FQDN was no no longer a FQDN...

As always FQDN first, then everything else works!

Reply