
Unable to change user password (OD-Master)

Hi!

Running an Xserve with 10.9.5 as an OD-Master with more than 1000 users, I realized that I cannot change their passwords anymore.

I'm using WorkgroupManager, and get the following message:

"In order to set the password of a a user with an Open Directory Password, your own password type must be Open Directory. Administrators with other password types cannot set the password of a user with an Open Directory password."


In Server.app I cannot change the password either, without any error message. The dialog just does not disappear.


Any ideas?


Thank you,

Peter

Xserve, OS X Mavericks (10.9.5), 12 GB RAM, 1TB RAID (mirror)

Posted on Apr 17, 2015 12:45 AM


Apr 18, 2015 5:05 AM in response to Peter Borbonus

I realized that this happened after the last security update this month.

If I destroy the OD-Master and reactivate it from an old archive, I cannot change the password either. So the OD-Master seems to be okay?!?

If I start from a backup without the last security update installed and the same OD-Master, everything works fine.


So the only workaround at this moment is to reinstall the server from a backup and not install the update.

Any other suggestions?


Thanx,

Peter

Apr 18, 2015 7:36 AM in response to Peter Borbonus

Hi Peter,


This might help:

OS X Server: How to reset the Open Directory administrator password - Apple Support

If it doesn't, you might get a padlock at the bottom of the Server.app application when you go to Users/Groups and select Groups. Then select the local network group and a padlock could appear.

I have seen this behaviour a couple of times and after authentication you should be able to change passwords and such.

On one server, after the security update, OpenDirectory seemed read-only, and only a destroy and restore from an ODmaster before that upgrade worked.

Good luck


Jeffrey

Apr 18, 2015 7:43 AM in response to jepping

Hi Jeffrey,


thx for your answer.

I'm gonna try this soon... Until now it is working so far.

In the next days I will go and install the security update after making a fresh full backup. :-)


"On one server, after the security update, OpenDirectory seemed read-only, and only a destroy and restore from an ODmaster before that upgrade worked."

I did this today, this does not work for me. :-(


Have a nice weekend,

Peter.

Apr 24, 2015 10:08 PM in response to jepping

Hi Jeffrey,

I did reset the password of the diradmin, it didn't help.

I got no padlock at the local network group in the server.app. :-(

So I have to set up the Open Directory Master from scratch, because destroying and restoring from a working backup doesn't work either.


And the problem is really just appearing after installing the security update. :-(

Before that everything is working fine!


Thank you,

Peter.

Apr 24, 2015 11:40 PM in response to Peter Borbonus

Hi Peter,


Do you have a backup of the OpenDirectory available before you installed the security update?

I have had the same issue after installing the security update as well. Nothing worked as far as quick fixes go.

So I chose a specific backup of the ODmaster from before I applied the update. I was able to destroy and restore the ODmaster from that backup version and everything was editable once more.

Do you have that backup available? That might work, before starting over.

Good luck


Jeffrey

Apr 25, 2015 1:38 AM in response to Peter Borbonus

Hi Peter,


What happens if you rekerberize OD? Or try to change the diradmin password once more?

If a network user can't be created after you upgrade or migrate to OS X Server - Apple Support


If that fails, well, then there seems to be only one thing left to do at this time... quite a lot of work, I guess. Is there a working older bootable version still available perhaps? Otherwise export users and groups, and make screendumps where applicable, like mail aliases and other special entries.

Then... start over.

Good luck


Jeffrey

Apr 25, 2015 4:16 AM in response to jepping

Hi Jeffrey,


I can test rekerberizing the server next week, not earlier (yes, it was a migrated/upgraded server one year ago from 10.6.8 (clean install with import of the OD-Master from an archive)).

My DNS is working fine and as expected.


I have a bootable backup of the server. I used a copy of it to try the security-update again: Problems still persist. :-(


Now the server is running with a new backup of the state before security-update.

I also exported users, groups, computers and computer groups (just in case...) :-)


I will tell you if rekerberizing solved the problem.


Thank you again,

Peter.

Apr 26, 2015 8:27 AM in response to Peter Borbonus

I think the obstacle may be that there are limits to what you can do to the account that you have used to authenticate as a directory administrator. You can't, for example, delete it and you can't, based on a quick experiment, change its password type.


I believe that the solution, which seems to work on OS X 10.6.8, is to create a new user in Workgroup Manager, say diradmin2, check 'administer this server' in the Basic settings and give them 'FULL' under the Privileges tab. Then log out from WM as diradmin and reauthenticate as diradmin2. You can then change the diradmin password type to Open Directory and reset it. Then log out and re-authenticate as diradmin and delete diradmin2.


I'm not sure what the OS X 10.10 GUI equivalent steps are, but I think that something equivalent to the above approach is worth trying. Use the command line if necessary.


HTH


C.
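
The Workgroup Manager message quoted in the first post depends on each account's password type, which can be read on the command line from the account's AuthenticationAuthority attribute. The following is an added example, not code from any poster in this thread: it classifies that attribute and applies the rule from the message. The sample records are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify an account's password type from the text printed by
#   dscl <node> -read /Users/<name> AuthenticationAuthority
# and apply the rule quoted in the Workgroup Manager message.

# Reads dscl output on stdin, prints OpenDirectory, Shadow, Crypt or Unknown.
password_type() {
    aa=$(cat)
    case "$aa" in
        *";ApplePasswordServer;"*) echo "OpenDirectory" ;;  # Password Server slot
        *";ShadowHash;"*)          echo "Shadow" ;;         # local shadow hash
        *";basic;"*)               echo "Crypt" ;;          # crypt password
        *)                         echo "Unknown" ;;
    esac
}

# can_set_password ADMIN_TEXT TARGET_TEXT
# Returns 0 unless the target is Open Directory and the admin is not.
can_set_password() {
    admin=$(printf '%s\n' "$1" | password_type)
    target=$(printf '%s\n' "$2" | password_type)
    if [ "$target" = "OpenDirectory" ] && [ "$admin" != "OpenDirectory" ]; then
        echo "blocked: admin is $admin, target is $target"
        return 1
    fi
    echo "allowed: admin is $admin, target is $target"
}

# Constructed sample records (placeholder slot IDs, key material and realm).
OD_ADMIN='AuthenticationAuthority: ;ApplePasswordServer;0xSLOTID,1024 35 KEY root@server.example.com:192.0.2.10 ;Kerberosv5;;diradmin@SERVER.EXAMPLE.COM;SERVER.EXAMPLE.COM;'
LOCAL_ADMIN='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
OD_USER='AuthenticationAuthority: ;ApplePasswordServer;0xSLOTID2,1024 35 KEY root@server.example.com:192.0.2.10'

can_set_password "$LOCAL_ADMIN" "$OD_USER" || true
can_set_password "$OD_ADMIN" "$OD_USER"

# On the server itself (node and account names as used in the thread):
#   dscl /LDAPv3/127.0.0.1 -read /Users/diradmin AuthenticationAuthority | password_type
```
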

Apr 27, 2015 5:39 AM in response to Peter Borbonus

Well I had exactly the same problem here with OS X 10.9.5 Mavericks Server and Security Update 2015-004 applied.


I tried several things (rekerberize my server, reset my Open Dir Admin password) but finally what worked for me:

I renewed my Certificate with Server.app > Certificates > double click on your certificate > a new window opens with the certificate > click "Renew..." > then "OK"


After that I could create a new user with a password with "Server.app" without trashing my whole OD-Master :-)


Also what could help: In "Workgroup Manager.app" > try to log in with a local admin credential > then click on the right "Lock" icon > and authenticate with the "OpenDir-Admin" credential so that you will see "Authenticated as myopendiradmin to directory; /LDAPv3/127.0.0.1"


hope this helps


Gilles

Oct 24, 2015 12:02 PM in response to Peter Borbonus

Hi guys


In case this helps someone.

I ran into this problem with our 900 user OD database. At first, I assumed that the OD got corrupted, but since all existing users were able to login and did not notice any problems, I successfully tried this:


  1. Create an OD master archive on the no longer working server through the GUI or CLI (this should still work flawlessly).
  2. Restore the server to a working state from a backup (TimeMachine or whatever method you have implemented). From my experience, the OD database from the Time Machine backup is not up-to-date, even if you choose the latest backup.
  3. Destroy the OD Master, then create a new one with the previously created OD sparseimage. All your users and passwords will be restored and can be changed again.


The LDAP database or the server services themselves don't seem to be the problem. Somehow, the connection from the OS to the Server breaks which eventually leads to a password read only database. I (and all my Google-foo) was not able to fix this problem but the above procedure helped to get the system back online within 30 minutes. No user reimport or password reset necessary.


Nevertheless, we've now had it with Apple's toy server. They went from a stable and solid server OS to a useless piece of buggy app-crap. For serious work, we need a reliable and proven LDAP implementation and will therefore switch to AD.


My heartfelt sympathy to all sysadmin night-shifts this obvious bug has created 😐


Kevin
