HardySch

Q: Yosemite Server: After upgrade, OD is read-only

Hello,

yesterday, I upgraded my server installation to Yosemite and Server 4.0. Although it seemed that everything went fine, a severe problem turned up.

 

Symptoms:

  • I cannot log in to network accounts from other machines, although Directory Services show the right content for each user. Assumption: Kerberos authentication fails for an unknown reason.
  • Then, I discovered that OD on the Yosemite Server shows all Users and Groups, but I cannot edit any of them; any "change password" or similar context menu options are grayed out.
  • I ran "fix permissions" and rebooted, but without any effect.

As it seems, the /Library/Server path content is treated as read-only for the Server app; this impression is supported by the RADIUS service: when running "radiusd -X", this is the result:

Starting - reading configuration files ...
including configuration file /Library/Server/radius/raddb/radiusd.conf
Unable to open file "/Library/Server/radius/raddb/radiusd.conf": Permission denied
Errors reading or parsing /Library/Server/radius/raddb/radiusd.conf

Any idea how to fix this? I'm not a hardcore sysadmin, so I'd appreciate any kind of help...

Thanks a lot in advance!

Best regards,

Hardy

Posted on Oct 17, 2014 10:06 PM


  • by HardySch, Oct 17, 2014 10:53 PM in response to HardySch
    Level 1 (0 points)

    Addition: I just found out that a login request from a client to the read-only OD leads to these system protocol entries:

    Oct 18 07:41:49 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57714 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld
    Oct 18 07:41:52 --- last message repeated 1 time ---
    Oct 18 07:41:52 odserver.domain.tld kdc[69]: UNKNOWN -- krbtgt/odserveralias.domain.tld@odserveralias.domain.tld: no such entry found in hdb
    Oct 18 07:41:52 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57875 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld
    Oct 18 07:41:52 odserver kdc[69]: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9
    Oct 18 07:41:52 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57875 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld
    Oct 18 07:41:52 odserver.domain.tld kdc[69]: UNKNOWN -- krbtgt/odserveralias.domain.tld@odserveralias.domain.tld: no such entry found in hdb
    Oct 18 07:41:52 odserver.domain.tld sandboxd[328] ([69]): kdc(69) deny file-read-data /private/etc/krb5.conf
    Oct 18 07:41:57 odserver kernel[0]: Sandbox: Python(5581) System Policy: deny file-write-unlink /Library/Server/Wiki/PostgresSocket/.xpg_ctl.pid
    Oct 18 07:42:08 odserver.domain.tld collabpp[5578]: Failed to obtain sandbox extension for path=/dev/null/Library/Caches/collabpp. Errno:20
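As an added illustration (not part of the thread), the kdc and sandboxd entries quoted above can be parsed to separate records that were run together onto one line and to summarise what the KDC reported: which client principals asked for tickets, which krbtgt principals the KDC could not find in its database, and which file reads the sandbox denied. The sample log is a constructed copy of those lines, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the kdc/sandboxd lines quoted in the post above
# (the thread's placeholder hostnames and addresses, not real systems).
SAMPLE_LOG = """\
Oct 18 07:41:49 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57714 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld
Oct 18 07:41:52 --- last message repeated 1 time ---
Oct 18 07:41:52 odserver.domain.tld kdc[69]: UNKNOWN -- krbtgt/odserveralias.domain.tld@odserveralias.domain.tld: no such entry found in hdbOct 18 07:41:52 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57875 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld
Oct 18 07:41:52 odserver.domain.tld kdc[69]: UNKNOWN -- krbtgt/odserveralias.domain.tld@odserveralias.domain.tld: no such entry found in hdbOct 18 07:41:52 odserver.domain.tld sandboxd[328] ([69]): kdc(69) deny file-read-data /private/etc/krb5.conf
"""

# A syslog record begins with "Mon DD HH:MM:SS "; a lookahead on that pattern
# lets re.split cut records apart even where the newline between them was lost.
RECORD_START = re.compile(
    r"(?=(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +\d{1,2} \d{2}:\d{2}:\d{2} )")
AS_REQ = re.compile(r"kdc\[\d+\]: AS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<service>\S+)")
NO_ENTRY = re.compile(r"kdc\[\d+\]: UNKNOWN -- (?P<principal>\S+): no such entry found in hdb")
SANDBOX_DENY = re.compile(r"sandboxd\[\d+\].*?: (?P<proc>\S+) deny (?P<op>\S+) (?P<path>\S+)")

def split_records(text):
    """Return individual syslog records, splitting fused ones on the timestamp boundary."""
    records = []
    for line in text.splitlines():
        records.extend(r for r in RECORD_START.split(line) if r.strip())
    return records

def analyse(text):
    """Collect AS-REQs, principals the KDC could not find, and sandbox denials."""
    summary = {"as_req": [], "missing_principals": Counter(), "sandbox_denials": []}
    for rec in split_records(text):
        if m := AS_REQ.search(rec):
            summary["as_req"].append((m["client"], m["src"], m["service"]))
        elif m := NO_ENTRY.search(rec):
            summary["missing_principals"][m["principal"]] += 1
        elif m := SANDBOX_DENY.search(rec):
            summary["sandbox_denials"].append((m["proc"], m["op"], m["path"]))
    return summary

def unknown_krbtgt_realms(summary):
    """Realms whose ticket-granting principal the KDC reports as absent from its hdb."""
    return sorted({p.split("@")[-1] for p in summary["missing_principals"]
                   if p.startswith("krbtgt/")})

if __name__ == "__main__":
    s = analyse(SAMPLE_LOG)
    print(len(s["as_req"]), "AS-REQ; krbtgt unknown for realms:", unknown_krbtgt_realms(s),
          "; sandbox denials:", s["sandbox_denials"])
```

A realm listed by unknown_krbtgt_realms is one the clients are asking for but the KDC does not serve, which is the first thing to compare against the realm the server itself was set up with.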

  • by JLModer2, Oct 18, 2014 5:24 AM in response to HardySch
    Level 1 (0 points)

    HardySch

    I am not having Kerberos failures, but I also cannot edit certain items in my Users and Groups pane.

    All the options on all Network Users are grayed out to change password.

    I also cannot change items such as global password policies nor disable login, etc.

    I can add a new user, but as soon as the user is added, the options are grayed out to change password, etc.

     

    Any assistance greatly appreciated!

  • by Simon Lane, Oct 18, 2014 5:54 AM in response to JLModer2
    Level 1 (20 points)

    Thought I had the same issue until I noticed that Server.app v4 now has a lock icon at the bottom left of the Accounts > Users pane. Click the lock icon and enter your Directory Admin username and password when prompted.

    Hope this helps!

  • by JLModer2, Oct 18, 2014 6:09 AM in response to Simon Lane
    Level 1 (0 points)

    Thanks for the quick response Simon.

    Umm, I must be blind. I am seeing no lock in Server.app under Accounts > Users.

  • by toop68, Helpful, Oct 18, 2014 6:44 AM in response to JLModer2
    Level 1 (27 points)

    You only see the lock if you select the network users or network group at the top.

  • by JLModer2, Oct 18, 2014 7:04 AM in response to toop68
    Level 1 (0 points)

    Looks like the automated moderator got me...

    Thank you toop68. You are correct, and I can now edit/update network users, but you do need to limit the view to network user/group and auth with diradmin.

    Thanks!

    John

  • by Remail, Oct 21, 2014 6:22 AM in response to HardySch
    Level 1 (10 points)

    I've just updated my test server and I can't add or change network users.

    When I log in with my diradmin account to unlock, the window refuses my login (but it works; I can connect to the Server.app with this account).

    Does someone else have this issue?

  • by Remail, Solved answer, Oct 21, 2014 7:52 AM in response to Remail
    Level 1 (10 points)

    I followed this procedure 2 times: http://apple.stackexchange.com/a/88395 and it works.

  • by ndsvfx, Oct 21, 2014 10:40 PM in response to HardySch
    Level 1 (15 points)

    I had to reset the diradmin password using this:

    OS X Server: How to reset the Open Directory administrator password in Mavericks

    Then I was able to unlock the lock using the diradmin login. After that all was good.

    Definitely easier than doing it the Stack Exchange method, which is based on pre-OS X 10.7 authentication.

  • by psw, Nov 12, 2014 1:03 AM in response to Simon Lane
    Level 1 (0 points)

    Thanks, that was the easy solution

  • by Nuclear Apple, Dec 18, 2014 9:18 AM in response to toop68
    Level 1 (0 points)

    My exact rendition of this process (summarized from this forum):

    Still logged in as Macintosh Administrator.

    Clicked on Server app and clicked on "Manage" on the top bar.

    "Connect to server"

    Choose the server, then continue.

    The Credentials box pops up and I trade the Macintosh Administrator username for the Directory Administrator username.

    I use the Directory Administrator password and remember in keychain.

    Server App starts up/reconnects.

    I click on "Users" under Accounts in the left column.

    At the top right I click the dropdown arrows to select "Local Network Users".

    The Lock Icon now shows up at the bottom.

    I unlock, supply the Directory Administrator Credentials, and now I can make changes to user accounts.

    Previous to this, after the server v.4.0 update, I had read-only privilege in Open Directory and could only create a local user account.

    The option to create a local network account wasn't even there, and attempts to add a user to a network group were met with the

    "The operation couldn't be completed..(com.apple.Server.Accounts error 2.)" message.

    All set now, so thank you for everyone's input. I just summarized what you all said for some of my co-workers and figured I'd share.

  • by trilogy1000, Jan 5, 2015 6:42 PM in response to Simon Lane
    Level 1 (45 points)

    Thanks Simon, we had the same issue but hadn't seen the padlock due to having 'All Users' selected. Changed to Network accounts, unlocked with Directory Admin credentials and all is well again.