
Recently created Open Directory user accounts not able to log in.

Hello Everyone,


I recently updated our company's Mavericks server to version 3.2.1 and now some of my users are unable to log in to our Open Directory server. Our server is currently running OS X 10.9.5 Build 13F34. The server log output is the following when a user attempts to log in to Open Directory.


12/8/14 11:35:46.995 AM kdc[3049]: AS-REQ jdoe@WDPMOSX.XYZ.ORG from 192.168.15.95:59274 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG

12/8/14 11:35:47.003 AM kdc[3049]: AS-REQ jdoe@WDPMOSX.XYZ.ORG from 192.168.15.95:59274 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG

12/8/14 11:35:47.004 AM kdc[3049]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

12/8/14 11:35:47.011 AM kdc[3049]: AS-REQ jwein@WDPMOSX.XYZ.ORG from 192.168.15.95:50783 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG

12/8/14 11:35:47.016 AM kdc[3049]: AS-REQ jdoe@WDPMOSX.XYZ.ORG from 192.168.15.95:50783 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG

12/8/14 11:35:47.017 AM kdc[3049]: Client sent patypes: ENC-TS

12/8/14 11:35:47.017 AM kdc[3049]: ENC-TS pre-authentication succeeded -- jdoe@WDPMOSX.XYZ.ORG

12/8/14 11:35:47.019 AM kdc[3049]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96

12/8/14 11:35:47.019 AM kdc[3049]: Requested flags: forwardable

12/8/14 11:35:47.282 AM kdc[3049]: TGS-REQ jdoe@WDPMOSX.XYZ.ORG from 192.168.15.95:50911 for host/mbpe-0c4de9abba49.local@WDPMOSX.XYZ.ORG [canonicalize, forwardable]

12/8/14 11:35:47.283 AM kdc[3049]: Searching referral for mbpe-0c4de9abba49.local

12/8/14 11:35:47.284 AM kdc[3049]: Server not found in database: krbtgt/LOCAL@WDPMOSX.XYZ.ORG: no such entry found in hdb

12/8/14 11:35:47.285 AM kdc[3049]: Failed building TGS-REP to 192.168.15.95:50911

12/8/14 11:35:47.289 AM kdc[3049]: TGS-REQ jwein@WDPMOSX.PALCS.ORG from 192.168.15.95:64376 for krbtgt/LOCAL@WDPMOSX.XYZ.ORG [forwardable]

12/8/14 11:35:47.290 AM kdc[3049]: Server not found in database: krbtgt/LOCAL@WDPMOSX.XYZ.ORG: no such entry found in hdb

12/8/14 11:35:47.290 AM kdc[3049]: Failed building TGS-REP to 192.168.15.95:64376


Note: I have rebuilt Open Directory and still see the messages above when users attempt to log in. Also, I have not changed the name of the server, all server certificates are valid, and for some reason Time Machine restores are not working. I have tried to restore the server back to June and it made the issue worse.

Any help would be appreciated.😕

Open Directory-OTHER, OS X Mavericks (10.9.5), Server version 3.2.1

Posted on Dec 8, 2014 11:08 AM

3 replies

Dec 8, 2014 2:10 PM in response to Server_guy

Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

1. The OD master must have a static IP address on the local network, not a dynamic address.

2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

3. The primary DNS server used by the server must be itself, unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

4. Follow these instructions to rebuild the Kerberos configuration on the master.

5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.

6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

7. Reboot the master and the clients.

8. Don't log in to the server with a network user's account.

9. Disable any internal firewalls in use, including third-party "security" software.

10. If you've created any replica servers, delete them.

11. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.

If you get this far without solving the problem, then you'll need to examine the logs in the Open Directory section of the log list in the Server app, and also the system log on the clients.
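The hostname and DNS conditions in steps 1 to 3 of the checklist above can be checked mechanically before anything is rebuilt. The script below is an added example, not code from this thread or from Apple: the function names and the short problem codes are my own, the pure check takes already-resolved data so it can be exercised offline, and the live collector uses only the Python standard library plus /etc/resolv.conf for the configured resolvers. It does not try to tell a static address from a DHCP lease (step 1), which the script cannot see.

```python
"""Preflight for an Open Directory master: hostname form, forward/reverse DNS, resolver.
Added example; function names and problem codes are assumptions, not Apple's."""
import socket


def hostname_form_ok(name):
    """At least three labels (server.yourdomain.com) and not in .local, which Bonjour owns."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 3 and all(labels) and labels[-1] != "local"


def check_od_master(hostname, forward_ips, reverse_names, resolvers, local_ips):
    """Pure check over already-resolved data, so it runs offline in a test.

    hostname       what the server calls itself (scutil --get HostName)
    forward_ips    A records returned for hostname
    reverse_names  PTR names returned for the server's own addresses
    resolvers      DNS servers the server itself uses, in order
    local_ips      addresses bound on the server's interfaces
    Returns a list of short problem codes; an empty list means the DNS side looks right.
    """
    problems = []
    host = hostname.rstrip(".").lower()
    if not hostname_form_ok(host):
        problems.append("hostname_form")
    if not forward_ips:
        problems.append("no_forward_record")
    elif not set(forward_ips) & set(local_ips):
        problems.append("forward_not_local")     # the name resolves, but to some other machine
    if host not in {n.rstrip(".").lower() for n in reverse_names}:
        problems.append("reverse_mismatch")      # PTR must give back the FQDN the server uses
    if not resolvers:
        problems.append("no_resolver")
    elif resolvers[0] not in set(local_ips) | {"127.0.0.1", "::1"}:
        problems.append("resolver_not_local")    # acceptable only if another internal DNS server is used
    return problems


def gather_live():
    """Collect the inputs from the running host (best effort; needs working DNS)."""
    hostname = socket.getfqdn()
    try:
        forward_ips = socket.gethostbyname_ex(hostname)[2]
    except socket.gaierror:
        forward_ips = []
    try:
        local_ips = socket.gethostbyname_ex(socket.gethostname())[2]
    except socket.gaierror:
        local_ips = []
    reverse_names = []
    for ip in forward_ips or local_ips:
        try:
            reverse_names.append(socket.gethostbyaddr(ip)[0])
        except (socket.herror, socket.gaierror):
            pass
    resolvers = []
    try:
        with open("/etc/resolv.conf") as fh:
            for line in fh:
                parts = line.split()
                if len(parts) >= 2 and parts[0] == "nameserver":
                    resolvers.append(parts[1])
    except OSError:
        pass
    return hostname, forward_ips, reverse_names, resolvers, local_ips


if __name__ == "__main__":
    inputs = gather_live()
    print("hostname:", inputs[0])
    for code in check_od_master(*inputs) or ["ok"]:
        print(code)
```

Run it on the master itself; every code it prints maps to one of steps 1 to 3, and "resolver_not_local" is only a warning when another internal DNS server is deliberately in use.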

Dec 8, 2014 8:17 PM in response to Linc Davis

Thank you for your reply, Linc. Unfortunately I tried this already and it did not fix my issue. I checked the Open Directory startup log and found a possible issue with the domain name in the startup file and the signing certificate. The domain name has a $ and it can find the signing certificate with a public key. Please take a look below and let me know what you think.


12/8/14 11:02:42.961 PM kdc[13708]: AS-REQ wdpmosx.palcs.org$@WDPMOSX.XYZ.ORG from 127.0.0.1:63580 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG

12/8/14 11:02:42.975 PM kdc[13708]: UNKNOWN -- wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG: no such entry found in hdb

12/8/14 11:02:43.082 PM kdc[13708]: AS-REQ wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG from 127.0.0.1:52257 for krbtgt/WDPMOSX.PALCS.ORG@WDPMOSX.PALCS.ORG

12/8/14 11:02:43.093 PM kdc[13708]: UNKNOWN -- wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG: no such entry found in hdb

12/8/14 11:02:43.621 PM kdc[13708]: AS-REQ wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG from 127.0.0.1:64357 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG

12/8/14 11:02:43.633 PM kdc[13708]: UNKNOWN -- wdpmosx.xyz.org$@WDPMOSX.xyz.ORG: no such entry found in hdb

12/8/14 11:02:43.893 PM kdc[13708]: AS-REQ wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG from 127.0.0.1:64619 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG

12/8/14 11:02:43.904 PM kdc[13708]: UNKNOWN -- wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG: no such entry found in hdb

12/8/14 11:02:44.191 PM kdc[13708]: AS-REQ wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG from 127.0.0.1:61095 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG

12/8/14 11:02:44.210 PM kdc[13708]: UNKNOWN -- wdpmosx.XYZ.org$@WDPMOSX.XYZ.ORG: no such entry found in hdb

12/8/14 11:02:44.560 PM kdc[13708]: AS-REQ wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG from 127.0.0.1:52115 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG

12/8/14 11:02:44.576 PM kdc[13708]: UNKNOWN -- wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG: no such entry found in hdb

12/8/14 11:02:45.016 PM UserEventAgent[18]: Registered Workstation service - wdpmosx [68:5b:35:ca:f7:4b]._workstation._tcp.

12/8/14 11:02:45.193 PM kdc[13708]: AS-REQ wdpmosx.palcs.org$@WDPMOSX.PALCS.ORG from 127.0.0.1:54745 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG

12/8/14 11:02:45.208 PM kdc[13708]: UNKNOWN -- wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG: no such entry found in hdb

12/8/14 11:02:45.554 PM kdc[13723]: label: WDPMOSX.XYZ.ORG

12/8/14 11:02:45.554 PM kdc[13723]: dbname: od:/LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi

12/8/14 11:02:45.554 PM kdc[13723]: mkey_file: /var/db/krb5kdc/m_key.WDPMOSX.XYZ.ORG

12/8/14 11:02:45.555 PM kdc[13723]: acl_file: /var/db/krb5kdc/acl_file.WDPMOSX.XYZ.ORG

12/8/14 11:02:45.568 PM kdc[13723]: PKINIT: failed to find a signing certifiate with a public key

12/8/14 11:02:45.618 PM kdc[13723]: KDC started


Thanks again.
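Read together, the two log excerpts in this thread show two different failures. In the first post, jdoe's password pre-authentication succeeds (ENC-TS), but the following TGS-REQ asks for host/mbpe-0c4de9abba49.local; the KDC tries a referral for the .local name and looks for krbtgt/LOCAL, which is not in the database, so no TGS-REP is built. In the second post, the server's own computer record (wdpmosx.xyz.org$) is unknown to the KDC, and the PKINIT line at startup says no certificate is configured for certificate-based pre-authentication, which by itself does not stop password logins. The triage script below is an added example, not code from this thread or from Apple: the finding names are my own, and the constructed sample is a subset of the lines posted above, in their original order.

```python
"""Triage Heimdal KDC log lines from an OS X Server Open Directory master.
Added example, not from the thread or from Apple; the finding names are assumptions."""
import re

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PREAUTH_OK_RE = re.compile(r"^ENC-TS pre-authentication succeeded -- (?P<client>\S+)$")
TGS_REQ_RE = re.compile(r"^TGS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<server>\S+)")
NOT_FOUND_RE = re.compile(r"^Server not found in database: (?P<server>\S+): no such entry found in hdb$")
UNKNOWN_RE = re.compile(r"^UNKNOWN -- (?P<client>\S+): no such entry found in hdb$")
PKINIT_MARK = "PKINIT: failed to find a signing certif"  # prefix of Heimdal's own (misspelled) message

# Constructed sample: a subset of the lines posted in this thread, in their original order.
SAMPLE_LOG = """\
12/8/14 11:35:47.017 AM kdc[3049]: ENC-TS pre-authentication succeeded -- jdoe@WDPMOSX.XYZ.ORG
12/8/14 11:35:47.282 AM kdc[3049]: TGS-REQ jdoe@WDPMOSX.XYZ.ORG from 192.168.15.95:50911 for host/mbpe-0c4de9abba49.local@WDPMOSX.XYZ.ORG [canonicalize, forwardable]
12/8/14 11:35:47.283 AM kdc[3049]: Searching referral for mbpe-0c4de9abba49.local
12/8/14 11:35:47.284 AM kdc[3049]: Server not found in database: krbtgt/LOCAL@WDPMOSX.XYZ.ORG: no such entry found in hdb
12/8/14 11:35:47.285 AM kdc[3049]: Failed building TGS-REP to 192.168.15.95:50911
12/8/14 11:02:42.961 PM kdc[13708]: AS-REQ wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG from 127.0.0.1:63580 for krbtgt/WDPMOSX.XYZ.ORG@WDPMOSX.XYZ.ORG
12/8/14 11:02:42.975 PM kdc[13708]: UNKNOWN -- wdpmosx.xyz.org$@WDPMOSX.XYZ.ORG: no such entry found in hdb
12/8/14 11:02:45.568 PM kdc[13723]: PKINIT: failed to find a signing certifiate with a public key
"""


def service_host(principal):
    """'host/name@REALM' -> 'name'; None for a principal with no service part."""
    name = principal.split("@", 1)[0]
    return name.split("/", 1)[1] if "/" in name else None


def triage(log_text):
    """Walk the log once and return a list of findings (dicts), oldest first.

    The KDC logs a request and its outcome on separate lines from the same
    process, so the last TGS-REQ per pid is kept to attribute the 'Server not
    found' line that follows it.
    """
    findings = []
    preauth_ok = set()   # clients whose password (ENC-TS) pre-authentication succeeded
    last_tgs = {}        # kdc pid -> (client, requested server principal, source address)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["proc"] != "kdc":
            continue
        pid, msg = m["pid"], m["msg"]
        if (p := PREAUTH_OK_RE.match(msg)):
            preauth_ok.add(p["client"])
        elif (t := TGS_REQ_RE.match(msg)):
            last_tgs[pid] = (t["client"], t["server"], t["src"])
        elif (n := NOT_FOUND_RE.match(msg)):
            client, wanted, src = last_tgs.get(pid, (None, None, None))
            host = service_host(wanted) if wanted else None
            if host and host.lower().endswith(".local") and n["server"].startswith("krbtgt/LOCAL@"):
                findings.append({
                    "kind": "bonjour_service_principal",
                    "principal": wanted, "client": client, "source": src,
                    "note": "client identifies itself by a Bonjour (.local) name; the KDC tried a "
                            "referral to realm LOCAL, which does not exist. Give the client a DNS "
                            "name with forward and reverse records (rule 2 in the checklist above)."})
            else:
                findings.append({
                    "kind": "service_principal_missing",
                    "principal": n["server"], "client": client, "source": src,
                    "note": "requested service principal is not in the KDC database"})
        elif (u := UNKNOWN_RE.match(msg)):
            findings.append({
                "kind": "client_principal_missing",
                "principal": u["client"], "client": u["client"], "source": None,
                "note": "AS-REQ for a principal the KDC does not know; a trailing $ is the "
                        "computer-record convention, so the server's own record is missing "
                        "from, or out of sync with, the KDC database"})
        elif PKINIT_MARK in msg:
            findings.append({
                "kind": "pkinit_no_signing_cert",
                "principal": None, "client": None, "source": None,
                "note": "no certificate configured for PKINIT pre-authentication; informational "
                        "unless certificate or smart-card logins are expected"})
    for f in findings:
        f["password_ok"] = f["client"] in preauth_ok
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:28} {f['principal'] or '-':48} password_ok={f['password_ok']}")
        print("   ", f["note"])
```

Feed it the Open Directory log from Server.app (or `log` output filtered to kdc lines) instead of the sample; a "bonjour_service_principal" finding with password_ok set is the signature of the first post, and "client_principal_missing" for a $-suffixed principal the signature of the second.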
