Peter Borbonus

Q: Unable to change user password (OD-Master)

Hi!

Running an Xserve with 10.9.5 as an OD-Master with more than 1000 users, I realized that I cannot change their passwords anymore.

I'm using Workgroup Manager and get the following message:

"In order to set the password of a user with an Open Directory Password, your own password type must be Open Directory. Administrators with other password types cannot set the password of a user with an Open Directory password."

In Server.app I cannot change the password either, without any error message. The dialog just does not disappear.

Any ideas?

Thank you,

Peter

Xserve, OS X Mavericks (10.9.5), 12 GB RAM, 1TB RAID (mirror)

Posted on Apr 17, 2015 12:45 AM

  • by Peter Borbonus,

    Peter Borbonus, Apr 18, 2015 5:05 AM, in response to Peter Borbonus
    Level 1 (140 points)
    Servers Enterprise

    I realized that this happened after the last security update this month.

    If I destroy the OD-Master and reactivate it from an old archive, I cannot change the password either. So the OD-Master seems to be okay?!?

    If I start from a backup without the last security update installed and the same OD-Master, everything works fine.

    So the only workaround at this moment is to reinstall the server from a backup and not install the update.

    Any other suggestions?

    Thanx,

    Peter

  • by jepping, Helpful

    jepping, Apr 18, 2015 7:36 AM, in response to Peter Borbonus
    Level 2 (430 points)

    Hi Peter,

    This might help:

    OS X Server: How to reset the Open Directory administrator password - Apple Support

    If it doesn't, you might get a padlock in the bottom of the Server.app application when you go to Users/Groups and select Groups. Then select the local network group and a padlock could appear.

    I have seen this behaviour a couple of times and after authentication you should be able to change passwords and such.

    On one server after the security update OpenDirectory seemed read-only and only a destroy and restore from an ODmaster before that upgrade worked.

    Good luck

    Jeffrey

  • by Peter Borbonus,

    Peter Borbonus, Apr 18, 2015 7:43 AM, in response to jepping
    Level 1 (140 points)
    Servers Enterprise

    Hi Jeffrey,

    Thanks for your answer.

    I'm going to try this soon... Until now it is working so far.

    In the next days I will go and install the security update after making a fresh full backup. :-)

    "On one server after the security update OpenDirectory seemed read-only and only a destroy and restore from an ODmaster before that upgrade worked."

    I did this today; this does not work for me. :-(

    Have a nice weekend,

    Peter.

  • by Peter Borbonus,

    Peter Borbonus, Apr 24, 2015 10:08 PM, in response to jepping
    Level 1 (140 points)
    Servers Enterprise

    Hi Jeffrey,

    I did reset the password of the diradmin; it didn't help.

    I got no padlock at the local network group in Server.app. :-(

    So I have to set up the Open Directory master from scratch, because destroying and restoring from a working backup doesn't work either.

    And the problem is really just appearing after installing the security update. :-(

    Before that, everything is working fine!

    Thank you,

    Peter.

  • by jepping, Helpful

    jepping, Apr 24, 2015 11:40 PM, in response to Peter Borbonus
    Level 2 (430 points)

    Hi Peter,

    Do you have a backup of the OpenDirectory available before you installed the security update?

    I have had the same issue after installing the security update as well. Nothing worked as far as quick fixes go.

    So I chose a specific backup of the ODmaster before I applied the update. I was able to destroy and restore the ODmaster from that backup version and everything was editable once more.

    Do you have that backup available? That might work, before starting over.

    Good luck

    Jeffrey

  • by Peter Borbonus,

    Peter Borbonus, Apr 24, 2015 11:43 PM, in response to jepping
    Level 1 (140 points)
    Servers Enterprise

    Hi Jeffrey,

    Yes, I did it like you; the backup was from before the update. But I could not edit users' passwords or create new users (with working password). Everything else worked (user was created, just the password is not working).

    Thank you,

    Peter

  • by jepping,

    jepping, Apr 25, 2015 1:38 AM, in response to Peter Borbonus
    Level 2 (430 points)

    Hi Peter,

    What happens if you rekerberize OD? Or try to change the diradmin password once more?

    If a network user can't be created after you upgrade or migrate to OS X Server - Apple Support

    If that fails, well, then there seems to be only one thing left to do at this time... quite a lot of work, I guess. Is there a working older bootable version still available perhaps? Otherwise export users and groups, make screendumps where applicable, like mail aliases and other special entries.

    Then... start over.

    Good luck

    Jeffrey

  • by Peter Borbonus,

    Peter Borbonus, Apr 25, 2015 4:16 AM, in response to jepping
    Level 1 (140 points)
    Servers Enterprise

    Hi Jeffrey,

    I can test rekerberizing the server next week, not earlier (yes, it was a migrated/upgraded server one year ago from 10.6.8 (clean install with import of the OD-Master from an archive)).

    My DNS is working fine and as expected.

    I have a bootable backup of the server. I used a copy of it to try the security update again: problems still persist. :-(

    Now the server is running with a new backup of the state before the security update.

    I also exported users, groups, computers and computer groups (just in case...) :-)

    I will tell you if the rekerberizing solved the problem.

    Thank you again,

    Peter.

  • by Peter Borbonus,

    Peter Borbonus, Apr 25, 2015 10:23 PM, in response to jepping
    Level 1 (140 points)
    Servers Enterprise

    Hi again,

    I did what you suggested. The problem doesn't disappear. Right now I am restoring a backup, and in a few weeks I have to make a clean install and import users, groups... in WGM, I guess. I will lose all passwords, but I hope everything will work after this.

    I thank you for your assistance,

    Peter.

  • by cdhw,

    cdhw, Apr 26, 2015 8:27 AM, in response to Peter Borbonus
    Level 4 (2,653 points)
    Servers Enterprise

    I think the obstacle may be that there are limits to what you can do to the account that you have used to authenticate as a directory administrator. You can't, for example, delete it and you can't, based on a quick experiment, change its password type.

    I believe that the solution, which seems to work on OS X 10.6.8, is to create a new user in Workgroup Manager, say diradmin2, check the 'administer this server' on the Basic settings and give them 'FULL' under the Privileges tab. Then log out from WM as diradmin and reauthenticate as diradmin2. You can then change the diradmin password type to Open Directory and reset it. Then log out and re-authenticate as diradmin and delete diradmin2.

    I'm not sure what the OS X 10.10 GUI equivalent steps are, but I think that something equivalent to the above approach is worth trying. Use the command line if necessary.

    HTH

    C.

  • by Peter Borbonus,

    Peter Borbonus, Apr 26, 2015 11:43 PM, in response to cdhw
    Level 1 (140 points)
    Servers Enterprise

    Hi!

    Thank you for your thoughts.

    I will give it a try next weekend because in the week it's difficult to work on the server...

    WGM is working under 10.9.5 also.

    I realized that in the OpenDirectory-Admin-Group root is listed two times. I deleted them both.

    I'm going to tell you!

    Peter.

  • by gilcel,

    gilcel, Apr 27, 2015 5:39 AM, in response to Peter Borbonus
    Level 1 (0 points)

    Well, I had exactly the same problem here with OS X 10.9.5 Mavericks Server and Security Update 2015-004 applied.

    I tried several things (rekerberize my server, reset my Open Dir Admin password) but finally what worked for me:

    I renewed my Certificate with Server.app > Certificates > double click on your certificate > a new window opens with the certificate > click "Renew..." > then "OK"

    After that I could create a new user with a password with "Server.app" without trashing my whole OD-Master :-)

    Also what could help: In "Workgroup Manager.app" > try to login with a local admin credential > then click on the right "Lock" icon > and authenticate with the "OpenDir-Admin" credential so that you will see "Authenticated as myopendiradmin to directory; /LDAPv3/127.0.0.1"

    Hope this helps

    Gilles

  • by Peter Borbonus,

    Peter Borbonus, Apr 27, 2015 10:17 AM, in response to gilcel
    Level 1 (140 points)
    Servers Enterprise

    Hi!

    My Open Directory is running without a certificate. The "Server Fallback SSL Certificate" is renewed and running for other services!

    The problem is still the same. :-(

    Your second hint is how I connect to the WGM each time.

    Thank you for your help,

    Peter.

  • by Peter Borbonus,

    Peter Borbonus, Apr 27, 2015 11:07 AM, in response to cdhw
    Level 1 (140 points)
    Servers Enterprise

    Hi!

    I did what you suggested this evening but it doesn't work for me.

    Now I will do a night shift and restore my working backup... :-)

    Thanks for your idea,

    Peter.
