
od user cannot log in

Hi,


I am using a Mac server with OS X 10.9.4 and server 3.1.2 together with a Macbook Air (OS X 10.9.5). What I am trying to get working is that users created in Open Directory can log in locally on the Macbook. This is not working up to now. What I did:


On the server:

created a user that has access to filesharing, calendar, contacts, mail and messages


On the Macbook:

- added the IP of the server as DNS in network settings

- in Users and Groups, checked the option for network server (I have a German OS...) and it did correctly recognize the server's name. Strange was that it did not ask me for a user name to ask OD, it rather said that the server is not accepting SSL connections. But the light in this setting went green, so SSL is a second-step problem to me

- checked if the client knows accounts that are not created locally, but only in OD. Therefore, I used "id user1" in Terminal and it replied with information about the user.

- checked if login in Terminal with that user is possible: "su user1". The reply here was "su: Sorry". The password is correct, I am sure about that.


So somehow, login fails. Can somebody please help me to get this working?

Mac mini, OS X Mavericks (10.9.2), Mac OS X Server mail ldap

Posted on Sep 30, 2014 12:41 AM


Sep 30, 2014 4:53 AM in response to Khymon1

You need to enable Mobility on the user accounts. As is, the accounts on the server are just accounts with SACLs applied. You have not defined a policy to tell those accounts to function as mobile accounts.


You have two options to enable this. The first is the old way... MCX. While this will still work in Mavericks, MCX as a technology is deprecated so don't expect it all to work (it doesn't). To set MCX you need to download Workgroup Manager and then enable the Mobility settings on individual users, a group, or on a computer group.


The second option is to use Profile Manager. If you decide to go this route, you must have proper DNS, an Open Directory Master running, a third party signed SSL certificate helps but is not required, and you setup your accounts as Local Network Users. These accounts must have a valid NFSHomeFolder value. Then in addition to binding the workstations to the domain, you also must enroll them in to Profile Manager. At this point you can define policies and once again the one you want is the Mobility profile.


The accounts are not very smart. You must apply policy to those accounts to tell them how to behave in relation to the workstation.


Reid

Apple Consultants Network

Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

Sep 30, 2014 7:19 AM in response to Strontium90

Okay, I got it - I think I have to switch to the Profile Manager. I activated it and - now I am just overwhelmed with all the possibilities I have with it. What I simply want is that the OD users can log in on the MacBook. I was searching for an option that allows me to activate this, e.g. for user1, but I did not find anything. Is there any simple way to explain this?


What I do not want so far is to manage devices with the Profile Manager. In other words: I simply want the server to act as an LDAP server and the MacBook as an LDAP client. Is this possible?

Sep 30, 2014 10:24 AM in response to Khymon1

Yes. It is possible but you need to perform the integration. Turning Profile Manager on only sets up the database. It is useless until you configure it.


1: Enable Profile Manager.

2: Press the Configure button to enable Device Management

3: Once device management is enabled, enroll a device. Visit https://host.domain.tld/mydevices/ (replace host.domain.tld with your fully qualified host name) from the workstation.

4: Login and follow the prompts to enroll the device.

5: This will get you the base MDM policy

6: Now, go back to the server (or any machine) and go to https://host.domain.tld/profilemanager/

7: Log in as the server admin account

8: Select Devices - you should see the device you just enrolled

9: I urge (insist) that you create a device group. Add the device to the device group

10: With the device group selected, choose Settings

11: Edit the settings and add a Mobility profile to the device group

12: At minimum... Check the "Create mobile account when user logs in to network account" check box.

13: Make sure local home template is set.

14: Save the settings


Now, once you do, these should be pushed down to the enrolled device. Once the enrolled device has the Mobility payload, then you can log in with domain accounts, provided you have defined a proper home path.


Once this is done, then you can simply enforce additional policy and all enrolled devices will just get it. Yes the setup may be a bit cumbersome but the power and flexibility of the solution is evident.


As mentioned you can do this with MCX. The challenge is that MCX is dead and likely will not function beyond Mavericks (it already has some major issues). If you do not want to run Profile Manager, you can download Workgroup Manager for Mavericks. You can then select a group, choose Preferences tab, select Mobility, and complete the Mobility form by enforcing an Always enforce policy and setting create mobile account and local home template. I recommend you reboot the workstation before attempting to login as MCX under Mavericks tends to show up on startup.


Reid

Apple Consultants Network

Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

Oct 1, 2014 10:38 PM in response to Strontium90

I did what you wrote, created a device group, added the MacBook, went to settings and added the mobility option (with "create network account..." checked). Still, it doesn't work: I cannot log in with OD users. Perhaps another thing may be useful to find the cause: In the device group, I added the settings for login window and checked the option to show mobile users there - but the OD users do not show up here.


Still, when I open a terminal on the MacBook and type in "id user1", I get the correct information about that user in OD. So generally, the connection seems to work. Can you help me to find the cause?

Oct 3, 2014 11:54 PM in response to Strontium90

Hi,


unfortunately, I couldn't open the screenshot you attached, but I guess you meant something like this:


[Screenshot: user uploaded file]

The bash is correctly available, the path "/home/klaus" leads to a dir that is attached as an NFS share (as home dirs of users are located on another server). Does this dir have to be accessible? What I tried is to switch on SSH access to the server for user "klaus" and then did a logon with that user. This worked and I was in the correct dir. What I noticed is that the /home path is not accessible for any OD admin I have. Is this a prerequisite?

Oct 6, 2014 4:41 AM in response to Khymon1

I don't think Apple officially supports NFS home mounts. Apple supports AFP and SMB network home folders but in theory, provided the NFS mount is present during login window, this could work.


First, try changing the home path to /Users/klaus. Note the cap U in users. This is a known location and if you have all the other pieces in place, a home folder will be created there proving the foundation pieces are in place.


Now, once that is established, you can start working on getting the homes to work via an NFS mount. Again, you are in uncharted waters here. I would suggest extending what you have already started. Boot a machine. Log into it via SSH. Mount the NFS share so the path is visible to the workstation and you can traverse it. Next, you likely will need to create the home folder in advance. Network home folders on SMB shares will occasionally do the same thing (will not create the home on demand).


Confirm that you are using a permission model that is conducive to home folders on an NFS share. World access is likely not wise.


The reason for the shake off is that either the NFS mount is not setup at time of login or that the home folder simply is not present.

Oct 6, 2014 5:49 AM in response to Strontium90

Okay. So I changed the home dir to /Users/klaus, but nothing changed: I cannot log in on the MacBook with this user. At this point, I wanted to see if there is any possibility to view logs. First, I opened the logs on the server. Then, I tried to log in with user klaus on the MacBook (which didn't work). Strangely, there were no entries concerning this login attempt on the server - neither in the password server log nor in the password error log.


Do I have any chance to view logs on the MacBook to see if it tries to connect to the server at all? If yes: Where do I find these logs?


Generally, this seems to be an issue concerning user accounts. Other profile settings (such as limitations) seem to be pushed correctly onto the MacBook.
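The thread's symptom is that `id user1` resolves the record but `su` and the login window refuse it, and the last post asks how to see what the client is doing. The script below is an added client-side diagnostic, not something posted in the thread or shipped by Apple: it reads the user's record through the directory search path with `dscl`, classifies the home path (the thread's `/home/klaus` on an unmounted NFS share versus the known `/Users/klaus` location), checks whether the authentication authority points at a network source, and then asks the directory node itself to authenticate with `dscl /Search -authonly`, which separates "the record is visible" from "the password actually verifies against the server". The `dscl` output embedded in `SAMPLE_RECORD` is constructed for offline parsing; the live check only runs on macOS when a user name is given, and the user name and node are assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): client-side check for a directory user
# whose record resolves but who cannot log in. Usage: ./odcheck.sh klaus

# Pull one attribute out of `dscl -read` output. dscl prints "Key: value" for a
# single short value and "Key:" followed by indented lines for longer or
# multi-valued attributes; both shapes are handled and joined with spaces.
attr_value() {
    local key="$1"
    awk -v k="$key" '
        $0 ~ ("^" k ":") {
            sub("^" k ":[ ]*", "")
            if (length($0)) { print; exit }
            out = ""
            while ((getline line) > 0 && line ~ /^ /) {
                sub(/^ +/, "", line)
                out = out (out == "" ? "" : " ") line
            }
            print out; exit
        }'
}

# Classify the home path. /Users/<name> is the location Reid's reply calls
# "known"; a /home/<name> path only works if the NFS mount is already present
# at login window time.
home_path_status() {
    case "$1" in
        "")        echo "missing" ;;
        /Users/*)  echo "local-default" ;;
        /home/*)   echo "network-or-nfs" ;;
        *)         echo "other" ;;
    esac
}

# Tell a network account (password server / Kerberos authority) from a local
# one (shadow hash) by looking at AuthenticationAuthority.
auth_source() {
    case "$1" in
        *Kerberosv5*|*ApplePasswordServer*) echo "network" ;;
        *ShadowHash*)                       echo "local" ;;
        *)                                  echo "unknown" ;;
    esac
}

# Constructed sample shaped like `dscl /Search -read Users/klaus` output;
# the realm and authority data are placeholders, not values from the thread.
SAMPLE_RECORD='RecordName: klaus
UniqueID: 1025
PrimaryGroupID: 20
NFSHomeDirectory: /home/klaus
UserShell: /bin/bash
AuthenticationAuthority:
 ;ApplePasswordServer;0xPLACEHOLDER,1024 35 PLACEHOLDER
 ;Kerberosv5;;klaus@EXAMPLE.TLD;EXAMPLE.TLD;'

# Live check (macOS only). Reads the record via the search path, reports the
# home path and auth source, then verifies the password against the directory
# node. A failure here with a correct password points at the server side;
# success with a missing home points at the home/mobility setup instead.
check_user() {
    local user="$1" record home aa
    record=$(dscl /Search -read "Users/$user" 2>/dev/null) \
        || { echo "no record for $user in the search path"; return 1; }
    home=$(printf '%s\n' "$record" | attr_value NFSHomeDirectory)
    aa=$(printf '%s\n' "$record" | attr_value AuthenticationAuthority)
    echo "home: ${home:-<none>} ($(home_path_status "$home"))"
    echo "auth source: $(auth_source "$aa")"
    [ -d "$home" ] || echo "note: $home is not present on this client right now"
    if dscl /Search -authonly "$user"; then
        echo "directory authentication OK"
    else
        echo "directory authentication FAILED"
    fi
}

if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then
    check_user "$1"
fi
```

On Mavericks the client-side trail for these steps is in `/var/log/opendirectoryd.log` and `/var/log/system.log`; running the script and then reading those two files around the timestamp of a failed login shows whether the client contacted the server at all, which is the question the last post raises.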
