
Yosemite Server: After upgrade, OD is read-only

Hello,


Yesterday, I upgraded my server installation to Yosemite and Server 4.0. Although it seemed that everything went fine, a severe problem turned up.


Symptoms:

  • I cannot log in to network accounts from other machines, although Directory Services show the right content for each user. Assumption: Kerberos authentication fails for an unknown reason.
  • Then I discovered that OD on the Yosemite Server shows all Users and Groups, but I cannot edit any of them; any "change password" or similar context menu options are grayed out.
  • I ran "fix permissions" and rebooted, but without any effect.


It seems that the content of /Library/Server is treated as read-only by the Server app; this impression is supported by the RADIUS service: running "radiusd -X" gives this result:

Starting - reading configuration files ...

including configuration file /Library/Server/radius/raddb/radiusd.conf

Unable to open file "/Library/Server/radius/raddb/radiusd.conf": Permission denied

Errors reading or parsing /Library/Server/radius/raddb/radiusd.conf


Any idea how to fix this? I'm not a hardcore sysadmin, so I'd appreciate any kind of help...


Thanks a lot in advance!


Best regards,

Hardy

Posted on Oct 17, 2014 10:06 PM

12 replies

Oct 17, 2014 10:53 PM in response to HardySch

Addition: I just found out that a login request from a client to the read-only OD leads to these system log entries:


Oct 18 07:41:49 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57714 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld

Oct 18 07:41:52 --- last message repeated 1 time ---

Oct 18 07:41:52 odserver.domain.tld kdc[69]: UNKNOWN -- krbtgt/odserveralias.domain.tld@odserveralias.domain.tld: no such entry found in hdb

Oct 18 07:41:52 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57875 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld

Oct 18 07:41:52 odserver kdc[69]: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9

Oct 18 07:41:52 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57875 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld

Oct 18 07:41:52 odserver.domain.tld kdc[69]: UNKNOWN -- krbtgt/odserveralias.domain.tld@odserveralias.domain.tld: no such entry found in hdb

Oct 18 07:41:52 odserver.domain.tld sandboxd[328] ([69]): kdc(69) deny file-read-data /private/etc/krb5.conf

Oct 18 07:41:57 odserver kernel[0]: Sandbox: Python(5581) System Policy: deny file-write-unlink /Library/Server/Wiki/PostgresSocket/.xpg_ctl.pid

Oct 18 07:42:08 odserver.domain.tld collabpp[5578]: Failed to obtain sandbox extension for path=/dev/null/Library/Caches/collabpp. Errno:20
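The kdc, sandboxd and kernel lines quoted in the post, triaged by an added example script (not code from the original post or from Apple). The sample input is the post's own excerpt, one entry per line; the regular expressions are assumptions about the Heimdal kdc and sandboxd message formats shown there and may need adjusting for other releases. The script reports which realm the clients asked a TGT for, which krbtgt principal the KDC says is absent from its HDB, and which file accesses the sandbox refused; it does not diagnose a cause.

```python
"""Triage of kdc / sandboxd / kernel syslog lines from an OS X Server box.

Added example, not code from the original post or from Apple. The regexes
below are assumptions about the message formats seen in the post.
"""
import re
from collections import Counter

# Constructed sample: the entries quoted in the post, one per line.
SAMPLE_LOG = """\
Oct 18 07:41:49 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57714 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld
Oct 18 07:41:52 --- last message repeated 1 time ---
Oct 18 07:41:52 odserver.domain.tld kdc[69]: UNKNOWN -- krbtgt/odserveralias.domain.tld@odserveralias.domain.tld: no such entry found in hdb
Oct 18 07:41:52 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57875 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld
Oct 18 07:41:52 odserver kdc[69]: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9
Oct 18 07:41:52 odserver.domain.tld kdc[69]: AS-REQ user@odserveralias.domain.tld from 10.0.10.55:57875 for krbtgt/odserveralias.domain.tld@odserveralias.domain.tld
Oct 18 07:41:52 odserver.domain.tld kdc[69]: UNKNOWN -- krbtgt/odserveralias.domain.tld@odserveralias.domain.tld: no such entry found in hdb
Oct 18 07:41:52 odserver.domain.tld sandboxd[328] ([69]): kdc(69) deny file-read-data /private/etc/krb5.conf
Oct 18 07:41:57 odserver kernel[0]: Sandbox: Python(5581) System Policy: deny file-write-unlink /Library/Server/Wiki/PostgresSocket/.xpg_ctl.pid
Oct 18 07:42:08 odserver.domain.tld collabpp[5578]: Failed to obtain sandbox extension for path=/dev/null/Library/Caches/collabpp. Errno:20
"""

# "<ts> <host> <proc>[<pid>]( ([<pid>]))?: <msg>"  (assumed syslog layout)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[]+)\[(?P<pid>\d+)\](?: \(\[\d+\]\))?: (?P<msg>.*)$")
AS_REQ_RE = re.compile(r"^AS-REQ (?P<client>\S+) from (?P<src>[\d.]+):\d+ for (?P<service>\S+)$")
UNKNOWN_RE = re.compile(r"^UNKNOWN -- (?P<principal>\S+): no such entry found in hdb$")
# sandboxd: "kdc(69) deny <op> <path>"; kernel: "Python(5581) System Policy: deny <op> <path>"
DENY_RE = re.compile(r"(?P<proc>\w+)\(\d+\) (?:System Policy: )?deny (?P<op>[\w-]+) (?P<path>/\S+)")
EXT_RE = re.compile(r"Failed to obtain sandbox extension for path=(?P<path>\S+)\. Errno:(?P<errno>\d+)")


def parse_entries(text):
    """Yield one dict per parseable line; '--- last message repeated ---' markers are skipped."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(text):
    """Summarise what the KDC was asked for, what it lacked, and what the sandbox refused."""
    report = {
        "kdc_hosts": set(),           # hostnames under which kdc[pid] logged
        "as_req_count": 0,            # initial (TGT) requests seen
        "requested_realms": Counter(),
        "clients": set(),             # source addresses of the AS-REQs
        "missing_principals": set(),  # principals the KDC could not find in its HDB
        "sandbox_denials": [],        # (process, operation, path)
        "extension_failures": [],     # (process, path, errno); errno 20 is ENOTDIR on macOS
    }
    for e in parse_entries(text):
        msg = e["msg"]
        if e["proc"] == "kdc":
            report["kdc_hosts"].add(e["host"])
            if (m := AS_REQ_RE.match(msg)):
                report["as_req_count"] += 1
                report["requested_realms"][m["service"].rsplit("@", 1)[1]] += 1
                report["clients"].add(m["src"])
            elif (m := UNKNOWN_RE.match(msg)):
                report["missing_principals"].add(m["principal"])
        if (m := DENY_RE.search(msg)):
            report["sandbox_denials"].append((m["proc"], m["op"], m["path"]))
        elif (m := EXT_RE.search(msg)):
            report["extension_failures"].append((e["proc"], m["path"], int(m["errno"])))
    # A realm clients asked for whose ticket-granting principal the KDC reports missing:
    # no AS-REQ for that realm can succeed, whatever the user's password is.
    report["realms_without_tgt"] = sorted(
        r for r in report["requested_realms"]
        if f"krbtgt/{r}@{r}" in report["missing_principals"])
    return report


def findings(text):
    """One actionable line per finding, derived from triage()."""
    r = triage(text)
    out = []
    for realm in r["realms_without_tgt"]:
        out.append(f"{r['requested_realms'][realm]} AS-REQ(s) for realm {realm} from "
                   f"{', '.join(sorted(r['clients']))}: KDC on {', '.join(sorted(r['kdc_hosts']))} "
                   f"has no krbtgt/{realm}@{realm} in its HDB")
    for proc, op, path in r["sandbox_denials"]:
        out.append(f"sandbox denied {op} on {path} to {proc}")
    for proc, path, err in r["extension_failures"]:
        out.append(f"{proc} could not obtain a sandbox extension for {path} (errno {err})")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Feed it `sudo log`/`/var/log/system.log` output filtered for `kdc`, `sandboxd` and `Sandbox:` to get the same summary for a live box; the realm named in the AS-REQ is whatever the client was configured with, so a realm listed under "has no krbtgt" is worth comparing against what `klist`/`kinit` on the server itself reports as its own realm.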

Oct 18, 2014 5:24 AM in response to HardySch

HardySch

I am not having Kerberos failures, but I also cannot edit certain items in my Users and Groups pane.


All the options on all Network Users are grayed out to change password.


I also cannot change items such as global password policies nor disable login, etc.


I can Add a new user, but as soon as the user is added, the options are grayed out to change password, etc.


Any assistance greatly appreciated!

Dec 18, 2014 9:18 AM in response to toop68

My exact rendition of this process (summarized from this forum):

Still logged in as Macintosh Administrator

Clicked on Server app and clicked on "manage" on the top bar

"Connect to server"



Choose the server then continue

The Credentials box pops up and I trade the Macintosh Administrator username for the Directory Administrator username

I use the Directory Administrator password and remember in keychain

Server App Starts up/reconnects

I click on "Users" under Accounts on the left column



At the top right I click the dropdown arrows to select "Local Network Users"


The Lock Icon now shows up at the bottom

I unlock, supply the Directory Administrator Credentials, and now I can make changes to user accounts




Prior to this, after the Server 4.0 update, I had read-only privilege in Open Directory and could only create a local user account.

The option to create a local network account wasn't even there, and attempts to add a user to a network group were met with the "The operation couldn't be completed..(com.apple.Server.Accounts error 2.)" message.

All set now, so thanks for everyone's input. I just summarized what you all said for some of my co-workers and figured I'd share.
