Can't Login With Network Account After Upgrade To Yosemite Server 4

Yes, I forgot to mention that I suspected it's a certificate issue. There were a few instances in my troubleshooting, where I would add the OD using the Join button from Users and Groups preferences, then use the Directory Utility and uncheck the SSL option. This sort of worked, and let me login, but still didn't seem to add a binding on the server. When I went back to Directory Utility, it had made a duplicate entry with SSL enabled. So I now had one with SSL and one without. Let me also stress, that it adds the server using the IP address, even though I entered the FQDN in the Join dialog window. And, unlike adding an LDAP connection directly with Directory Utility, it would not let me change the server name, and also doesn't enable the "Use for authentication" or "Use for contacts" check boxes (even though those features worked intermittently). To me, that would be the cause of certificate errors and rejection of logins, no?

All in all, it's obviously a major bug, as everything worked as expected in the Mavericks iteration of the client and server software packages.

Hey Robison,

I think I have it working, as I'm typing to you from my network admin account on my MacBook Pro. It's a bit strange to get going but, like I said, it's working and BINDed to the server.

I updated to Server 4.0.3 that was released a couple of days ago, hoping this would help...it did not. But I started troubleshooting agin anyway. This is what I did, and it was not started through the Join button in the User and Groups preferences:

- Open the Directory Utility (Spotlight search for Directory)

- Unlock the dialog window by clicking the lock icon and entering your credentials

- Double-click the LDAPv3 service

- Click the "New..." button

- Enter your OS X's FQDN in the "Server Name or IP Address:" box

- Check all three items (Encrypt..., Use for auth..., and Use for contacts)

- Click the "Continue" button

- After it begins processing, it will ask for Directory Admin credentials

- Enter your Directory Administrator's credentials.

* If you have been using your own, self created network user for administration, before you upgraded to Server 4, you'll likely need to add that user to the Directory Administrators group, first, using the built-in diradmin account credentials in Server.app. You can also just use the diradmin account for the BINDing credentials.

- Once it completes, you see the one entry, likely using the servers IP address as the server name.

- Click OK; you can leave it open, if you want to check how it looks after this is done, otherwise close the Directory Utility

- Now go into Login Options, under the Users and Groups settings in System Preferences

- Unlock the dialog box with the Lock button again

- The "Network Account Server:" value should state "Multiple"

- Click the "Edit..." button, at the bottom

- You should see two servers, one that is marked with a green dot (likely utilizing your server's FQDN), and one that is not communicating (likely using your server's IP address).

- Click the one that is not communicating, and then click the minus button ( – )

- Choose to stop using that server

- Now you'll need to Allow network users to log in at the login window

* I would allow all users, for now, just to test, then you can go back and change it

- Log out, and try logging in with a network user

I'm throwing these instructions out after banging my head against a wall, so I have no idea if they'll work for you or not. Plus, this has only been working for about 10 minute´s, so who knows if it'll stick. Let me know if you have any success.

-- Mike

This fails to work after reboot...back to the drawing board.

So anyone have any luck at all with this, or do we just have to wait for the next update? I can't believe I can't have network users logging in anymore, this is crazy! 10.10.2 did nothing to help...

Okay, gotacha'. I did start a bug report, that has now escalated into a full on email exchange. The Apple Enterprise team has me running scripts, sending results, etc...the works. I hope the articles about Apple changing focus to bug fixes is true, this is making my head spin.

Okay, I've finally resolved the issue, thanks to the Apple Enterprise tech support team. I'm thinking they wouldn't mind if I share this information, but I can't guarantee that this will work on your system or, worse yet, degrade your system further. However, that's fairly unlikely, just make sure you have plenty of backups before you begin any troubleshooting session.

So I was told to perform the following instructions, which I did, line for line. The part about closing Server.app seems a given, but I'm not sure why they want you to open Server.app at the the end (maybe taken out of context from some other instructions?). I did it anyway, but you should be able to begin testing, on a client workstation, right after rekerberizing is complete. I did, however, need to reboot my client, login as local admin, and then binding would proceed, and network users are able to login again. The engineer also let me know to expect an error, something like the following: "2015-03-11 21:58:38 +0000 Error synchronizing removal of attribute draft-krbPrincipalACL from record 72519e4c-7ac7-15e4-bd42-10adb1944cbc: 77013 result: 16 No such attribute" - this is apparently normal, and did in fact happen in my experience.

So here's the fix:

- Quit Server.app (don’t just close the window)

- On the Open Directory Server, execute these Terminal commands:

- sudo mkdir /var/db/openldap/migration/

- sudo touch /var/db/openldap/migration/.rekerberize

- sudo slapconfig -firstboot

- Open Server.app

And that's it. I did nothing else on my OD server, just logged out. Immediately tried binding on my MacBook client, it failed, I rebooted, tried again, it worked quickly, and I'm able to login with network user accounts again.