
User's Password stops working in Yosemite 10.10. [Open directory 10.9]

We use network accounts on a Mavericks 10.9 server. We have a primary controller and 2 replicas. All the workstations bind to the primary.


Recently our users have been upgrading to Yosemite. These users sometimes cannot login to their computers. If they reboot, they can login - (filevault?) , but if the screensaver password comes up, nothing, including a password change, will allow them to login to their computer. This intermittent problem affects most of our users that have upgraded to Yosemite.


I find this problem, regardless of its cause, to be utterly ridiculous. Users are suddenly locked out of their workstation with no option other than to reboot. It makes a strong case for us to use local accounts.

Posted on Dec 1, 2014 3:15 AM

3 replies

Dec 1, 2014 1:00 PM in response to d_prio

In my experience such symptoms almost always boil down to DNS issues or password sync issues between Open Directory and the mobile account's local PW cache on the machine.


The client machine must be able to do a forward and reverse DNS lookup on the server providing OD service or network accounts won't be available. I've seen issues where a machine goes over to a secondary DNS and that secondary DNS isn't reporting the right info hence making network accounts stop working.


An alternative thing to consider (somewhat related to the above) is if the local PW and network PW have somehow gotten out of sync. Sometimes when a machine first comes online it takes a moment for the network account to become available. If a mobile user logs in during this period the system will default back to its local password cache. If the passwords are in sync the user can log in just fine and they don't notice that this failover occurred. If this cache is out of sync with the network account (and what the user thinks their password is) they will get a little shaky no no.


We had an issue earlier this year where, on new machines, the user changed their initial temporary password which changed in the network account but not the local cache. When users tried to log in they sometimes experienced the symptoms you describe. The root cause here was a difference in password policies between Open Directory and the local machine password policy. Some users had entered passwords that 'passed' the OD password test but 'failed' the local test. System behavior was that the network PW would update but the local cache update would fail silently leading to an out-of-sync situation and frustrated users calling about not being able to log in.
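The reply above makes forward and reverse DNS resolution of the OD master a precondition for network accounts. The script below is an added example, not code from the thread or from Apple: run on a client, it resolves the master's name, resolves each address back, and reports any mismatch (including the "client drifted to a secondary DNS server with stale data" case). It assumes `dig` is installed, which it is on OS X; the lookup commands are parameters so the logic can be exercised with canned resolvers, and `od.example.com` is a placeholder, not a real server.

```shell
#!/bin/sh
# Added example (not from the thread): from a client, verify that the OD
# master resolves forward (A) and in reverse (PTR) and that both agree.
# Default lookups use dig; FORWARD_CMD/REVERSE_CMD may be replaced with
# canned resolvers to exercise the logic off the network.
# "od.example.com" is a placeholder hostname.

# forward_lookup NAME -> A record addresses, one per line
forward_lookup() { dig +short A "$1"; }

# reverse_lookup IP -> PTR name(s), trailing dot stripped
reverse_lookup() { dig +short -x "$1" | sed 's/\.$//'; }

# check_od_dns NAME [FORWARD_CMD] [REVERSE_CMD]
# Returns 0 only if NAME has at least one address and every address
# resolves back to NAME. Each failure is reported on stderr.
check_od_dns() {
    name=$1
    fwd=${2:-forward_lookup}
    rev=${3:-reverse_lookup}
    addrs=$("$fwd" "$name")
    if [ -z "$addrs" ]; then
        echo "FAIL: no A record for $name; network accounts will be unavailable" >&2
        return 1
    fi
    status=0
    for ip in $addrs; do
        ptr=$("$rev" "$ip")
        if [ -z "$ptr" ]; then
            echo "FAIL: no PTR record for $ip" >&2
            status=1
        # A reverse zone may return several names; NAME must be one of them.
        elif ! printf '%s\n' "$ptr" | grep -Fqx "$name"; then
            echo "FAIL: $ip reverses to '$ptr', not '$name' (check which DNS server the client is using)" >&2
            status=1
        else
            echo "OK: $name -> $ip -> $name"
        fi
    done
    return $status
}

# Live check only when a hostname is given on the command line, e.g.
#   sh od_dns_check.sh od.example.com
if [ $# -gt 0 ]; then
    check_od_dns "$1"
fi
```

Run it against the resolver the client currently has (the one handed out by DHCP) rather than a known-good one; the point is to see what the workstation itself sees at the moment logins fail.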

Dec 1, 2014 1:52 PM in response to d_prio

Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

1. The OD master must have a static IP address on the local network, not a dynamic address.

2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

3. The primary DNS server used by the server must be itself, unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

4. Follow these instructions to rebuild the Kerberos configuration on the master.

5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.

6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

7. Reboot the master and the clients.

8. Don't log in to the server with a network user's account.

9. Disable any internal firewalls in use, including third-party "security" software.

10. If you've created any replica servers, delete them.

11. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.

If you get this far without solving the problem, then you'll need to examine the logs in the Open Directory section of the log list in the Server app, and also the system log on the clients.
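Step 2 of the list above gives concrete rules for the master's hostname (at least three levels, not under `.local`, matching what the server reports). The following is an added example, not from the thread or from Apple, that encodes those rules as a check you can run on the server; it assumes `scutil --get HostName` is the way to read the configured hostname (it is on OS X), and `server.yourdomain.com` is the placeholder from the reply.

```shell
#!/bin/sh
# Added example (not from the thread): check an Open Directory master's
# hostname against the rules in step 2 above. Names used here are placeholders.

# validate_od_hostname NAME -> 0 if NAME is an acceptable OD master hostname.
# Rules: at least three DNS labels, and not in the .local domain.
validate_od_hostname() {
    name=$1
    case $name in
        *.local|*.local.)
            echo "FAIL: '$name' is in the .local domain, which is reserved for Bonjour" >&2
            return 1 ;;
    esac
    # Two or more "label." groups followed by a final label = three or more levels.
    # Labels may contain letters, digits and hyphens only; empty labels are rejected.
    if ! printf '%s\n' "$name" | grep -Eq '^([A-Za-z0-9-]+\.){2,}[A-Za-z0-9-]+$'; then
        echo "FAIL: '$name' is not a fully-qualified name of at least three levels (e.g. server.yourdomain.com)" >&2
        return 1
    fi
    echo "OK: '$name' is an acceptable OD master hostname"
    return 0
}

# check_server_hostname EXPECTED_FQDN [ACTUAL]
# Validates EXPECTED_FQDN and compares it with the hostname the server
# reports (scutil --get HostName). Passing ACTUAL explicitly lets the
# comparison run on a machine without scutil.
check_server_hostname() {
    expected=$1
    actual=${2:-$(scutil --get HostName 2>/dev/null)}
    validate_od_hostname "$expected" || return 1
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: server reports HostName '$actual', expected '$expected'; fix it on the Host Name line in Server.app" >&2
        return 1
    fi
    echo "OK: HostName matches $expected"
    return 0
}

# Usage on the master:  sh od_hostname_check.sh server.yourdomain.com
if [ $# -gt 0 ]; then
    check_server_hostname "$1"
fi
```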

Apr 15, 2015 6:01 PM in response to skinet1776

I think you're on the money skinet1776. I VPN to work all the time and if I forget to disconnect my VPN before leaving my computer and then my mac goes to sleep (disconnects from the wifi and vpn) and then I bring up the login screen, I can pretty much guarantee that I'll have no option but to hard reset the mac.


One painful option to get around this seems to be to turn off wifi/network before you let your mac go to sleep.


Notes about the bug I get...

I enter my password but the password text in the box just stays or shakes. Hitting return or clicking cancel etc does nothing after that failed first attempt. The mouse and keyboard work so the machine isn't frozen, just not accepting passwords. Can't even switch user which used to be an option around this. It's very annoying and I'd bet it's related to my account being an OD one and the network connectivity changing. Nonetheless, it should fall back to validating against the local cached password - which it doesn't.


I'd suggest to use the console app and check out your /var/log/asl logs on the client side just before you had to reboot. In mine I see all sorts of unhappiness with heaps of utun0 errors (likely my CISCO VPN client dropped while the mac was sleeping).


Also I suspect the weird "not accepting the password text" bug that seems to happen after the first attempt to unlock fails (silently) is related to this odd error:


Apr 16 09:48:03 LACY-PH loginwindow[96] <Error>: ERROR | -[LWBuiltInScreenLockAuthLion askForPasswordBuiltIn:] | Attempted to add an observer when already observing


------- here's a small snippet from one of the /var/log/asl logs ------

.

.

Apr 16 09:46:51 LACY-PH acvpnagent[51] <Warning>: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun0". Check profile PPPExclusion (set to Automatic?) or contact your administrator.

Apr 16 09:46:51 LACY-PH acvpnagent[51] <Error>: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.

Apr 16 09:46:51 LACY-PH acvpnagent[51] <Error>: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Apr 16 09:46:51 LACY-PH acvpnagent[51] <Warning>: Function: updatePotentialPublicAddresses File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1914 Invoked Function: CHostConfigMgr::determinePublicAddrCandidateFromDefRoute Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Apr 16 09:46:52 LACY-PH acvpnagent[51] <Notice>: Function: logProbeFailure File: ../../vpn/Agent/NetEnvironment.cpp Line: 1418 The HTTPS probe to 150.229.84.115 resulted in a redirect.

Apr 16 09:46:54 LACY-PH discoveryd[79] <Notice>: Basic DNSResolver UDNSServer:: PowerState is FullWake

Apr 16 09:47:14 LACY-PH watchdogd[300] <Notice>: [watchdog_daemon] @( pm_callback) - ref=0x0 msg_type=0xe0000300 msg=0x0

Apr 16 09:47:14 LACY-PH coreaudiod[664] <Notice>: 2015-04-16 09:47:14.256699 AM [AirPlay] Power: SystemHasPoweredOn

Apr 16 09:47:14 LACY-PH coreaudiod[664] <Notice>: 2015-04-16 09:47:14.257618 AM [AirPlay] BTLE client starting to browse for AirPlay Solo Target Presence.

Apr 16 09:47:14 LACY-PH coreaudiod[664] <Notice>: 2015-04-16 09:47:14.258974 AM [AirPlay] BTLE client stopping to browse for AirPlay Solo Target Presence.

Apr 16 09:47:14 LACY-PH coreaudiod[664] <Notice>: 2015-04-16 09:47:14.259175 AM [AirPlay] BTLE client starting to browse for AirPlay Solo Target Presence.

Apr 16 09:47:14 LACY-PH coreaudiod[664] <Notice>: 2015-04-16 09:47:14.259482 AM [AirPlay] BTLE client stopped to browse for AirPlay Solo Target Presence.

Apr 16 09:47:14 LACY-PH coreaudiod[664] <Notice>: 2015-04-16 09:47:14.259764 AM [AirPlay] BTLE client started to browse for AirPlay Solo Target Presence.

Apr 16 09:47:19 LACY-PH UserEventAgent[44] <Error>: assertion failed: 14D131: com.apple.cts + 6509 [A35312EF-AC04-3BB6-83B0-4A251232C766]: 0xffffffffe00002f0

Apr 16 09:47:20 LACY-PH periodic-wrapper[10646] <Notice>: Running weekly periodic task.

Apr 16 09:47:24 LACY-PH UserEventAgent[598] <Error>: assertion failed: 14D131: com.apple.cts + 6509 [A35312EF-AC04-3BB6-83B0-4A251232C766]: 0xffffffffe00002f0

Apr 16 09:47:35 LACY-PH discoveryd[79] <Notice>: Basic DNSResolver UDNSServer:: PowerState is FullWake

Apr 16 09:47:35 LACY-PH mapspushd[859] <Notice>: 2015-04-16 09:47:35.949, 859, a5258d0, [MapsAnnouncements]: server returned error: 404 for URL http://gspe21.ls.apple.com/config/announcements?hardware=MacBookPro11,3&lang=en& os=osx&os_build=14D131&os_version=10.10.3

Apr 16 09:47:35 LACY-PH mapspushd[859] <Notice>: 2015-04-16 09:47:35.949, 859, a5258d0, [MapsAnnouncements]: Failed to load announcements document: Error Domain=GEOErrorDomain Code=-601 "The operation couldn’t be completed. (GEOErrorDomain error -601.)" UserInfo=0x7f850c111290 {NSErrorFailingURLStringKey=http://gspe21.ls.apple.com/config/announcements?hardware=MacBookPro11,3&lang=en& os=osx&os_build=14D131&os_version=10.10.3, HTTP Status Code=404}

Apr 16 09:47:47 LACY-PH discoveryd[79] <Notice>: Basic DNSResolver Error 9 on socket - this might be a closed socket

Apr 16 09:48:03 LACY-PH loginwindow[96] <Error>: ERROR | -[LWBuiltInScreenLockAuthLion askForPasswordBuiltIn:] | Attempted to add an observer when already observing

Apr 16 09:48:03 LACY-PH WindowServer[154] <Warning>: CGError post_notification(const CGSNotificationType, void *const, const size_t, const bool, const CGSRealTimeDelta, const int, const CGSConnectionID *const, const pid_t): Timed out 1.000 second wait for reply from "owncloud" for synchronous notification type 102 (kCGSDisplayWillSleep) (CID 0x26703, PID 863)

Apr 16 09:48:03 LACY-PH WindowServer[154] <Warning>: device_generate_desktop_screenshot: authw 0x7f81106e76c0(2004), shield 0x7f81194282b0(2001)

Apr 16 09:48:04 LACY-PH WindowServer[154] <Warning>: device_generate_lock_screen_screenshot: authw 0x7f81106e76c0(2004)[0, 0, 1920, 1200] shield 0x7f81194282b0(2001), dev [1920,1200]

Apr 16 09:48:04 LACY-PH WindowServer[154] <Warning>: CGXDisplayDidWakeNotification [98963896177292]: posting kCGSDisplayDidWake

Apr 16 09:48:04 LACY-PH WindowServer[154] <Warning>: handle_will_sleep_auth_and_shield_windows: Deferring.

Apr 16 09:48:35 localhost syslogd[44] <Notice>: Configuration Notice:

ASL Module "com.apple.AccountPolicyHelper" claims selected messages.

Those messages may not appear in standard system log files or in the ASL database.

Apr 16 09:48:35 localhost syslogd[44] <Notice>: Configuration Notice:

ASL Module "com.apple.authd" sharing output destination "/var/log/asl" with ASL Module "com.apple.asl".

Output parameters from ASL Module "com.apple.asl" override any specified in ASL Module "com.apple.authd".

Apr 16 09:48:35 localhost syslogd[44] <Notice>: Configuration Notice:

ASL Module "com.apple.authd" sharing output destination "/var/log/system.log" with ASL Module "com.apple.asl".

Output parameters from ASL Module "com.apple.asl" override any specified in ASL Module "com.apple.authd".

Apr 16 09:48:35 localhost syslogd[44] <Notice>: Configuration Notice:

ASL Module "com.apple.authd" claims selected messages.

Those messages may not appear in standard system log files or in the ASL database.

Apr 16 09:48:35 localhost syslogd[44] <Notice>: Configuration Notice:

ASL Module "com.apple.awdd" claims selected messages.

Those messages may not appear in standard system log files or in the ASL database.

Apr 16 09:48:35 localhost syslogd[44] <Notice>: Configuration Notice:

ASL Module "com.apple.callhistory.asl.conf" claims selected messages.

Those messages may not appear in standard system log files or in the ASL database.

Apr 16 09:48:35 localhost syslogd[44] <Notice>: Configuration Notice:

ASL Module "com.apple.cloudd" claims selected messages.

Those messages may not appear in standard system log files or in the ASL database.

Apr 16 09:48:35 localhost syslogd[44] <Notice>: Configuration Notice:

ASL Module "com.apple.clouddocs" claims selected messages.

.

.

these errors continue for some time
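The reply above suggests reading the client's ASL log around the time of the lockout and points at two things: the `acvpnagent`/`utun0` noise and the `loginwindow` "Attempted to add an observer" error. The script below is an added example, not from the thread or from Apple, that does that triage over a text export of the log in the line format shown above (as Console.app displays it): it counts lines logged at `<Error>` level per process, using the level field rather than the word "Error" in a message, and reports when the loginwindow marker appears and how many VPN agent lines came before it. The sample lines are a subset copied from the snippet posted above; the temp file and script name are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): triage a text export of the client's
# ASL log. The sample is a subset of the lines posted in the reply above.

SAMPLE_LOG='Apr 16 09:46:51 LACY-PH acvpnagent[51] <Warning>: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun0". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Apr 16 09:46:51 LACY-PH acvpnagent[51] <Error>: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.
Apr 16 09:46:51 LACY-PH acvpnagent[51] <Error>: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED
Apr 16 09:46:54 LACY-PH discoveryd[79] <Notice>: Basic DNSResolver UDNSServer:: PowerState is FullWake
Apr 16 09:47:19 LACY-PH UserEventAgent[44] <Error>: assertion failed: 14D131: com.apple.cts + 6509 [A35312EF-AC04-3BB6-83B0-4A251232C766]: 0xffffffffe00002f0
Apr 16 09:47:47 LACY-PH discoveryd[79] <Notice>: Basic DNSResolver Error 9 on socket - this might be a closed socket
Apr 16 09:48:03 LACY-PH loginwindow[96] <Error>: ERROR | -[LWBuiltInScreenLockAuthLion askForPasswordBuiltIn:] | Attempted to add an observer when already observing
Apr 16 09:48:04 LACY-PH WindowServer[154] <Warning>: handle_will_sleep_auth_and_shield_windows: Deferring.'

# error_count_by_process FILE -> "process count" for each process that logged
# at <Error> level. Field 5 is "process[pid]", field 6 is the level.
# The discoveryd "Error 9" line is a <Notice> and is correctly not counted.
error_count_by_process() {
    awk '$6 == "<Error>:" { p = $5; sub(/\[[0-9]+\]$/, "", p); n[p]++ }
         END { for (p in n) print p, n[p] }' "$1" | sort
}

# find_lockout_marker FILE -> prints the time of the loginwindow
# "Attempted to add an observer" error and how many acvpnagent lines
# preceded it. Returns 1 when the marker is absent.
find_lockout_marker() {
    awk '
        BEGIN { vpn = 0; found = 0 }
        !found && $5 ~ /^acvpnagent\[/ { vpn++ }
        !found && $5 ~ /^loginwindow\[/ && $6 == "<Error>:" \
            && /Attempted to add an observer when already observing/ { found = 1; t = $3 }
        END {
            if (found) { print "lockout marker at " t " (" vpn " acvpnagent lines before it)"; exit 0 }
            print "no lockout marker found"
            exit 1
        }' "$1"
}

# Write the constructed sample to a temp file and run both passes over it.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

echo "== <Error> lines per process =="
error_count_by_process "$SAMPLE_FILE"
echo "== lockout marker =="
find_lockout_marker "$SAMPLE_FILE" || true
```

Point both functions at an export of the real log instead of the sample to see the same summary for the minutes before a reboot was needed; the per-process counts make it obvious whether the VPN client or the login window is the noisy party, and the marker line gives the timestamp to line up against the wake event.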
