Cannot force password changes

I'm using Open Directory in Server 4.0 (on OS X 10.10.3) to administer users/groups permissions for file sharing. I'm not binding clients to the domain. This server was upgraded from Mavericks after shutting down all Server.app services besides DNS (first upgrading OS X, then downloading the new Server.app from the App Store).


Currently I am unable to reset passwords and force password changes for network users. I can reset passwords successfully in Server.app, but checking the "Require password change at next login" option does not result in the user being prompted to change their password when they connect to a file share with their set credentials on the client side (in either Mavericks or Yosemite). No error is thrown; they're just never prompted. I'm not sure what I should be looking for, or in which logs, to help diagnose this issue, but it's a big problem. I want people to be able to set their own passwords that IT does not know, and when I reset a forgotten password I want to force users to create new ones. I'd prefer not to have to completely destroy our OD users/groups, as we already have a huge share of 15TB of files with gids/uids, and an OD problem a month and a half ago forced us to recreate the directory once.


Any ideas?

Mac mini, OS X Yosemite (10.10.3), 2.3GHz i7, 8GB RAM, Server 4.1

Posted on May 19, 2015 7:23 AM
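Editor's added example, not part of either post: before chasing the client side, confirm what the server actually stored. The per-user policy that Server.app's "Require password change at next login" checkbox toggles is the flag pwpolicy reports as newPasswordRequired, and pwpolicy can read and set it directly against the OD node. If it reads 0 after the box was ticked, the fault is on the server; if it reads 1, the server is fine and the file-sharing client simply is not presenting a change-password prompt. The admin name diradmin, the user jdoe and the node /LDAPv3/127.0.0.1 are assumed placeholders, and the sample policy line is constructed.

```shell
#!/bin/sh
# Editor's added example, not from the thread. Reads and sets the
# "password change required at next login" flag for an Open Directory
# network user with pwpolicy. Placeholders (assumed): diradmin, jdoe,
# and the local OD node /LDAPv3/127.0.0.1.
NODE="${NODE:-/LDAPv3/127.0.0.1}"
DIRADMIN="${DIRADMIN:-diradmin}"

# Constructed sample of the policy line pwpolicy -getpolicy prints
# (a "Getting policy for ..." line comes first; the key=value line follows).
SAMPLE_POLICY='isDisabled=0 isAdminUser=0 newPasswordRequired=1 usingHistory=0 canModifyPasswordforSelf=1'

# Pure text check, usable offline: 0 if the line carries newPasswordRequired=1.
# Padding with spaces makes the match exact at either end of the line.
requires_new_password() {
    case " $1 " in
        *" newPasswordRequired=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live commands: need the OD master and the diradmin password (prompted).
get_policy() {          # $1 = user; prints the policy key=value line
    pwpolicy -n "$NODE" -a "$DIRADMIN" -u "$1" -getpolicy | tail -n 1
}
force_change() {        # $1 = user; same effect as the Server.app checkbox
    pwpolicy -n "$NODE" -a "$DIRADMIN" -u "$1" -setpolicy "newPasswordRequired=1"
}
verify_flag() {         # $1 = user; exit 0 only if the server stored the flag
    line=$(get_policy "$1")
    if requires_new_password "$line"; then
        echo "$1: server requires a new password at next login"
    else
        echo "$1: flag NOT set on the server; policy line was: $line" >&2
        return 1
    fi
}

# Usage on the OD master (uncomment to run):
# force_change jdoe && verify_flag jdoe
```

Run verify_flag after ticking the box in Server.app as well; that tells you whether the GUI wrote the policy at all, which is the first thing to rule out when no client ever prompts.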

Top-ranking reply

Posted on May 20, 2015 4:46 PM in response to killmoms

I had a similar issue (upgrading from Mavericks to Yosemite, started on Saturday) and resolved it today by:

  • exporting users and groups into a text file (you can do this from within Server),
  • destroying the OD master,
  • deleting all the certs,
  • restarting,
  • creating a new master,
  • importing users from the text file,
  • importing groups.

With this method, users will have to reset their passwords, but you have all user ids, etc. preserved.


The issue stems from the way OD relies on certificates for authentication. When you create the new master, the relevant certificates are created to support OD. Just archiving and restoring the OD master didn't help. I have to say, though, that I had tampered with some of the certificates, and this made resetting passwords and, in the end, even creating new users impossible. The above method solved it.


There are plenty of other posts covering this subject. In the end, I went for the clean slate approach and am happy about it. Everything works flawlessly.


Hope this helps


LL
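Editor's added example, not the reply's own commands: the same export / destroy / recreate / import sequence done with the OS X command-line tools instead of Server.app, with a before-and-after snapshot of the uid/gid mapping so you can prove the IDs the 15TB share depends on came back unchanged before anyone reconnects to it. Assumed placeholders: node /LDAPv3/127.0.0.1, admin diradmin, work directory /var/root/od-rebuild. The argument forms for slapconfig, dsexport and dsimport are as I remember them from the 10.10 man pages; confirm them on the host before running anything destructive.

```shell
#!/bin/sh
# Editor's added example, not the reply's own commands: the rebuild sequence
# from the reply using OS X CLI tools, plus a before/after check that the
# uid/gid mapping survived. Assumed placeholders: node /LDAPv3/127.0.0.1,
# admin "diradmin", work dir /var/root/od-rebuild. Argument forms for
# slapconfig, dsexport and dsimport are from memory of the 10.10 man pages.
NODE="${NODE:-/LDAPv3/127.0.0.1}"
DIRADMIN="${DIRADMIN:-diradmin}"
WORK="${WORK:-/var/root/od-rebuild}"

# Snapshot "name uid" and "name gid" pairs, sorted so two snapshots diff cleanly.
snapshot_ids() {                        # $1 = output file
    mkdir -p "$(dirname "$1")"
    { dscl "$NODE" -list /Users UniqueID
      dscl "$NODE" -list /Groups PrimaryGroupID; } | sort > "$1"
}

# Pure comparison, usable offline: exit 0 if both snapshots hold the same
# mapping, otherwise print the differences. A uid that moved is exactly what
# must be caught before files on the share end up owned by the wrong account.
ids_match() {                           # $1 = before, $2 = after
    diff -u "$1" "$2"
}

# Step 1: export users and groups (the same records Server.app exports).
# Password Server data is not part of this export, hence the resets afterwards.
export_records() {
    dsexport "$WORK/users.txt"  "$NODE" dsRecTypeStandard:Users
    dsexport "$WORK/groups.txt" "$NODE" dsRecTypeStandard:Groups
}

# Step 2: destroy the master. This removes the OD configuration; the reply
# also deletes the OD certificates by hand and reboots before continuing.
destroy_master() {
    sudo slapconfig -destroyldapserver
}

# Step 3 (after the reboot): new master, which mints fresh OD certificates.
# Positional args: admin short name, full name, uid (assumed form).
create_master() {
    sudo slapconfig -createldapmasterandadmin "$DIRADMIN" "Directory Administrator" 1000
}

# Step 4: import with conflict mode O (overwrite) so a re-run is harmless;
# dsimport prompts for the diradmin password.
import_records() {
    dsimport "$WORK/users.txt"  "$NODE" O -u "$DIRADMIN"
    dsimport "$WORK/groups.txt" "$NODE" O -u "$DIRADMIN"
}

# Phase A, before the reboot:
#   snapshot_ids "$WORK/ids-before.txt"; export_records; destroy_master
# Phase B, after the reboot:
#   create_master; import_records; snapshot_ids "$WORK/ids-after.txt"
#   ids_match "$WORK/ids-before.txt" "$WORK/ids-after.txt"
```

Keep ids-before.txt off the server being rebuilt (it is the only record of the old mapping once the master is gone), and treat any non-empty diff as a stop: fix the record in the import file and re-import with O rather than letting a shifted uid touch the share.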

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
