HT200018: If a network user can't be created after you upgrade or migrate to OS X Server

David Green4

Q: How do I rekerberize in Yosemite?

I can no longer create a Local Network User in Yosemite (Server 4.0.3). After some research, I found this solution, which describes the problem I'm having and the fix, but for Mavericks only. OS X Server (Mavericks): After upgrading or migrating, network user cannot be created - Apple Support

It says "Do not use these commands if you are using Yosemite." But I can't find a similar process for Yosemite!

Does anyone know the correct process, please?

Thank you,

David

MacBook Pro with Retina display, OS X Mavericks (10.9), 2.6GHz i7, 16 GB RAM, 750GB HD

Posted on Jan 13, 2015 4:11 PM


  • by Linc Davis,

    Jan 13, 2015 4:34 PM in response to David Green4

    There is no correct process that anyone has documented. What do you get in the logs?

  • by David Green4,

    Jan 13, 2015 5:04 PM in response to Linc Davis

    Hi Linc,

    Thanks once again for your speedy help, and for all the help you give this community.

    I had not looked at the logs, so I went to try and recreate the problem to generate a log, and now the option to create a Local Network User is not displayed at all in the Create User screen! (It was there just an hour ago.) I quit and restarted the Server app, but no change.

    This may be diagnostic: When I click on the gear popup at the bottom of the screen, the bottom 4 options are all grayed out. (Change Password, Create Template from User, Edit Template, and Change Password Policy.) I have tried logging in using different Admin accounts, one local and one network, with no difference. I cannot reset any passwords any more. (It almost seems as though my Admin account does not have full privileges any more.)

    Related to this problem, I can no longer delete Network Users either. They are marked with "Not Allowed" in gray, but the user still appears.

    I tried browsing the system.log to get an answer to your question, but it is pretty large. Is there anywhere else I could look that might help you find what you are looking for?

    Thanks,

    David

  • by Linc Davis, Helpful

    Jan 13, 2015 5:53 PM in response to David Green4

    Search the System keychain on the server for application passwords with the name "/LDAPv3/127.0.0.1" and delete any you find. Sign out of the Server app and sign back in using the FQDN of the server, not "localhost" or "127.0.0.1".

    Credit for this observation to ASC member Peter Jurg2. See also this discussion.

  • by David Green4,

    Jan 13, 2015 6:10 PM in response to Linc Davis

    Hi Linc,

    I tried that (deleted two), and it did not seem to change anything. Note that I am working on the server directly, not running the app on a remote computer, so it does not seem to give me the opportunity to use the FQDN. (The Host Name or IP Address is displayed as non-editable text above the fields for Administrator Name and Password.)

    I am going to a meeting for a few hours, so I won't be able to try anything else until later this evening.

    Thanks so much again.

    David

  • by David Green4,

    Jan 13, 2015 6:21 PM in response to Linc Davis

    P.S. I also referred to the article you linked to, and may have gotten myself into some trouble. My server's Internet IP address is XX.YYY.UUU.ZZZ. I followed the article and recreated a Directory entry for 127.0.0.1, but after reading (mis-reading), I thought maybe I also need to add one for XX.YYY.UUU.ZZZ. I did, and the Server took a long time to start up when I restarted it. I panicked a little, and immediately opened the Directory Utility, and now I cannot access the new entry in the utility to delete it. The server became slow and unresponsive. After a few minutes, the Services panel opened, and I was able to delete the entry.

    I've really got to be more careful when playing with this stuff. We have 8 people working on a deadline right now, and they would kill me if I crashed the server!

    Cheers,

    David

  • by Linc Davis,

    Jan 13, 2015 8:19 PM in response to David Green4

    If you can't resolve the DNS name of the server on itself, then either your DNS isn't set up properly or the server is not a DNS client of itself.
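
An added example, not part of any reply in this thread: one way to test the two conditions named in the reply above, checking that the server's FQDN resolves to a non-loopback address, that the PTR record maps back to it, and that the server queries its own DNS service. The function names, the `nameservers` argument (supplied by the caller) and the sample records are assumptions constructed for illustration; the check is IPv4-only.

```python
import ipaddress
import socket

def resolve_a(name):  # IPv4 addresses the system resolver returns for name
    return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}

def resolve_ptr(addr):  # PTR name the system resolver returns for addr
    return socket.gethostbyaddr(addr)[0]

def check_self_resolution(fqdn, nameservers, forward=resolve_a, reverse=resolve_ptr):
    """Return findings; an empty list means the server resolves itself cleanly."""
    try:
        addrs = set(forward(fqdn))
    except OSError:
        return [f"forward lookup for {fqdn} failed"]
    findings = []
    routable = {a for a in addrs if not ipaddress.ip_address(a).is_loopback}
    if not routable:
        findings.append(f"{fqdn} resolves only to loopback")
    for addr in sorted(routable):
        try:
            ptr = reverse(addr)
        except OSError:
            findings.append(f"no PTR record for {addr}")
            continue
        if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
            findings.append(f"PTR for {addr} is {ptr}, not {fqdn}")
    # Assumption: the server hosts its own DNS, so it should query itself.
    if not any(ns in routable | {"127.0.0.1"} for ns in nameservers):
        findings.append("server is not a DNS client of itself")
    return findings

# Constructed sample records (documentation address ranges), not from the thread.
SAMPLE_A = {"server.example.com": {"192.0.2.10"}}
SAMPLE_PTR = {"192.0.2.10": "server.example.com."}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise OSError("no such host")
    return SAMPLE_A[name]

def sample_reverse(addr):
    if addr not in SAMPLE_PTR:
        raise OSError("no PTR")
    return SAMPLE_PTR[addr]

if __name__ == "__main__":
    print(check_self_resolution("server.example.com", ["198.51.100.53"],
                                sample_forward, sample_reverse))
```

Called without the last two arguments, the function uses the system resolver on the machine it runs on.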

  • by David Green4,

    Jan 13, 2015 9:40 PM in response to Linc Davis

    Thanks Linc. Either one of those is possible. Although, it has worked solidly over several years, through multiple OS updates until now. I will admit to not keeping up as much as I perhaps should have, but it seems that some changes wrought by Yosemite have broken what was a working configuration.

    Thanks again.

    David