
Network user's home folder can't be accessed on El Capitan but it's OK on Yosemite

Hi everyone,

Here is my problem:


I have a Mac mini server running OS X 10.10.5 with an Open Directory and some local network users. Home folders are stored on the server:

User uploaded file




There are no problems when I log in a user on a 10.10.5 client; I can access my files:

User uploaded file


But if I try with the same user on a 10.11.1 client, I can log in but this message shows up:

User uploaded file


I tried to rebuild Kerberos but nothing changed.

Do you have any idea how to fix this?


Regards

Posted on Oct 26, 2015 9:25 AM


Oct 27, 2015 1:09 AM in response to Linc Davis

First of all, thanks for your interest.


I forgot to say that I only use SMB:

User uploaded file



Usually I prefer to wait a few versions before upgrading my servers; it sometimes prevents bugs. And to be honest, 10.10.5 with Server 4 is pretty stable and that's all that I ask.

Are you sure that upgrading to El Capitan can fix my problem or is it just a guess?

Nov 2, 2015 6:01 AM in response to itspw

I managed to have a new result.

Until now, I created my sharepoint on an external drive (Pegasus R6). I tried on the Mac mini server's internal hard drive with this conf:


and here is the result:

I get the same error message BUT I can browse my home folder and read/write on it.

User uploaded file


Any ideas why this pop-up still appears?

By the way, I tried with:
- the sharepoint owned by the user
- SMB
- AFP


And it's always the same.


I also had this one; I don't know if it's related:

User uploaded file

Nov 2, 2015 7:27 AM in response to itspw

I've got OS X 10.10.5 and OS X 10.11.1 clients accessing network homes (AFP) hosted on a 10.10.5 with Server 5.0.15 just fine.


You seem to have tried a lot of combinations of System and Server versions without affecting the symptoms. You've also tried creating a new network user, which rules out a lot of possibilities.

Is this just one OS X 10.11.1 client? If so, perhaps the problem is not on the server, but something is stopping it creating the mount point. I'd take a careful look at the logs and mounts on the client myself. Make sure the paths are traditional, i.e. short, simple ASCII characters, no spaces or punctuation, etc. Have a look at any automounts, login items, etc.


C.

Nov 3, 2015 1:35 AM in response to cdhw

I tried with 2 different El Capitan clients and the result is still the same.


Right now here is my server's config:

- OS X 10.11.1 (15B42)

- Server 5.0.15 (15S4033)


The client runs OS X 10.11.1 (15B42)




Here are some logs from when I logged in:



SERVER:

Nov 3 10:18:41 server digest-service[12952]: label: default

Nov 3 10:18:41 server digest-service[12952]: dbname: od:/Local/Default

Nov 3 10:18:41 server digest-service[12952]: mkey_file: /var/db/krb5kdc/m-key

Nov 3 10:18:41 server digest-service[12952]: acl_file: /var/db/krb5kdc/kadmind.acl

Nov 3 10:18:41 server digest-service[12952]: digest-request: uid=0

Nov 3 10:18:41 server digest-service[12952]: digest-request: netr probe 0

Nov 3 10:18:41 server digest-service[12952]: digest-request: init request

Nov 3 10:18:41 server kdc[147]: AS-REQ dodos@SERVER.TOTO.PRIVATE from 10.80.100.100:58390 for krbtgt/SERVER.TOTO.PRIVATE@SERVER.TOTO.PRIVATE

Nov 3 10:18:41 server sandboxd[244] ([147]): kdc(147) deny file-read-data /private/etc/krb5.conf

Nov 3 10:18:41 server kdc[147]: AS-REQ dodos@SERVER.TOTO.PRIVATE from 10.80.100.100:58390 for krbtgt/SERVER.TOTO.PRIVATE@SERVER.TOTO.PRIVATE

Nov 3 10:18:41 server kdc[147]: Client sent patypes: REQ-ENC-PA-REP

Nov 3 10:18:41 server kdc[147]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

Nov 3 10:18:41 server digest-service[12952]: digest-request: init return domain: SERVER server: SERVER indomain was: <NULL>

Nov 3 10:18:41 server digest-service[12952]: digest-request: uid=0

Nov 3 10:18:41 server digest-service[12952]: digest-request: init request

Nov 3 10:18:41 server kdc[147]: AS-REQ dodos@SERVER.TOTO.PRIVATE from 10.80.100.100:56313 for krbtgt/SERVER.TOTO.PRIVATE@SERVER.TOTO.PRIVATE

Nov 3 10:18:41 --- last message repeated 1 time ---

Nov 3 10:18:41 server kdc[147]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP

Nov 3 10:18:41 server kdc[147]: ENC-TS pre-authentication succeeded -- dodos@SERVER.TOTO.PRIVATE

Nov 3 10:18:41 server digest-service[12952]: digest-request: init return domain: SERVER server: SERVER indomain was: <NULL>

Nov 3 10:18:41 server kdc[147]: DSUpdateLoginStatus: Unable to synchronize login time for dodos: 77009

Nov 3 10:18:41 server kdc[147]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96

Nov 3 10:18:41 server kdc[147]: Requested flags: renewable, forwardable

Nov 3 10:18:42 server kdc[147]: Got a canonicalize request for a LKDC realm from local-ipc

Nov 3 10:18:42 server kdc[147]: Asked for LKDC, but there is none

Nov 3 10:18:42 server sandboxd[244] ([147]): kdc(147) deny file-read-data /private/etc/krb5.conf

Nov 3 10:18:42 server kdc[147]: TGS-REQ dodos@SERVER.TOTO.PRIVATE from 10.80.100.100:50900 for cifs/server.toto.private@SERVER.TOTO.PRIVATE [canonicalize, forwardable]

Nov 3 10:18:42 server kdc[147]: TGS-REQ dodos@SERVER.TOTO.PRIVATE from 10.80.100.100:62847 for cifs/server.toto.private@SERVER.TOTO.PRIVATE [forwardable]



CLIENT:

03/11/15 10:18:07,666 lsd[919]: LaunchServices: Scheme mapping file does not exist, creating file.

03/11/15 10:18:08,022 sharingd[935]: 10:18:08.020 : Starting Up...

03/11/15 10:18:08,028 sharingd[935]: 10:18:08.028 : Device Capabilities (Handoff:NO, Instant Hotspot:NO, AirDrop:NO, Legacy AirDrop:YES, Remote Disc:NO)

03/11/15 10:18:08,096 Spotlight[929]: spot: agent checkin

03/11/15 10:18:08,183 SpotlightNetHelper[939]: ### Failed to load Addressbook class CNContactNameFormatter

03/11/15 10:18:08,214 SpotlightNetHelper[939]: Failed to obtain sandbox extension for path=/var/folders/zd/nfs4yhs925zbcrbznsmcgvcc000102/C/com.apple.metadata.SpotlightNetHelper. Errno:1

03/11/15 10:18:08,342 PowerChime[957]: PowerChime: chime enabled by hardware: 0

03/11/15 10:18:08,342 PowerChime[957]: PowerChime disabled - ChimeOnNoHardware default: 0

03/11/15 10:18:08,605 fmfd[977]: ### Failed to load Addressbook class CNContactNameFormatter

03/11/15 10:18:08,613 fmfd[977]: Initialized sandbox

03/11/15 10:18:08,879 NotificationCenter[949]: Dock connection invalid!

03/11/15 10:18:08,906 SpotlightNetHelper[939]: Connection error while checking Apple Internalness. Error: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.CrashReporterSupportHelper was invalidated." UserInfo={NSDebugDescription=The connection to service named com.apple.CrashReporterSupportHelper was invalidated.}

03/11/15 10:18:08,918 pkd[474]: enabling pid=925 for plug-in com.adobe.accmac.ACCFinderSync(1.4.2.105) DF1D453C-51D6-4A8A-A7E5-AF5D40A37A49 /Applications/Utilities/Adobe Creative Cloud/CoreSync/Core Sync.app/Contents/PlugIns/ACCFinderSync.appex

03/11/15 10:18:09,080 sharingd[935]: 10:18:09.079 : No delegate parameters from account, account exists = NO

03/11/15 10:18:09,080 sharingd[935]: 10:18:09.080 : Tethering: Identifier needs fixing

03/11/15 10:18:09,091 sharingd[935]: 10:18:09.091 : No delegate parameters from account, account exists = NO

03/11/15 10:18:09,112 sharingd[935]: 10:18:09.111 : No delegate parameters from account, account exists = NO

03/11/15 10:18:09,154 nsurlsessiond[982]: No directory for bundleID: com.apple.cloudd

03/11/15 10:18:09,259 pkd[474]: client 949 plug-in com.apple.ncplugin.calculator election := (null)

03/11/15 10:18:09,260 pkd[474]: client 949 plug-in com.apple.ncplugin.WorldClock election := (null)

03/11/15 10:18:09,261 pkd[474]: client 949 plug-in com.apple.share.SocialWidget election := (null)

03/11/15 10:18:09,262 pkd[474]: client 949 plug-in com.apple.ncplugin.FindMyFriends election := (null)

03/11/15 10:18:09,307 ACCFinderSync[980]: Failed to connect (colorGridView) outlet from (NSApplication) to (NSColorPickerGridView): missing setter or instance variable

03/11/15 10:18:09,307 ACCFinderSync[980]: Failed to connect (view) outlet from (NSApplication) to (NSColorPickerGridView): missing setter or instance variable

03/11/15 10:18:09,606 syncdefaultsd[941]: accountsd has been removed from syncing apps.

03/11/15 10:18:09,720 ACCFinderSync[980]: building singleton CFMessage dispatcher

03/11/15 10:18:09,720 ACCFinderSync[980]: Dispatcher: no remote port found for com.adobe.accmac.explinder.coresync

03/11/15 10:18:09,721 ACCFinderSync[980]: Dispatcher: no remote port found for com.adobe.accmac.explinder.coresync

03/11/15 10:18:09,721 ACCFinderSync[980]: Dispatcher: no remote port found for com.adobe.accmac.explinder.coresync

03/11/15 10:18:10,034 identityservicesd[951]: <IMMacNotificationCenterManager: 0x7f83b3d008f0>: Configuring notification center for identifier: com.apple.iChat topics: (

)

03/11/15 10:18:10,069 identityservicesd[951]: <IMMacNotificationCenterManager: 0x7f83b3d008f0>: NC Disabled: NO

03/11/15 10:18:10,079 identityservicesd[951]: <IMMacNotificationCenterManager: 0x7f83b3d008f0>: DND Enabled: NO

03/11/15 10:18:10,079 identityservicesd[951]: <IMMacNotificationCenterManager: 0x7f83b3d008f0>: Updating enabled: YES (Topics: (

))

03/11/15 10:18:10,122 imagent[960]: ### Failed to load Addressbook class CNContactNameFormatter

03/11/15 10:18:10,219 Spotlight[929]: [com.apple.calendar.store.log] [Couldn't update cached me card from CalendarAgent]

03/11/15 10:18:10,898 pkd[474]: enabling pid=949 for plug-in com.apple.ncplugin.weather(1.0) 8ED66DC9-510E-46C7-BD9A-43100A9F1926 /System/Library/CoreServices/Weather.app/Contents/PlugIns/com.apple.ncplugin.weather.appex

03/11/15 10:18:10,899 pkd[474]: enabling pid=949 for plug-in com.apple.iCal.CalendarNC(1.0) 4896484D-A5B8-4254-ABE1-8014CD7C3C17 /Applications/Calendar.app/Contents/PlugIns/com.apple.iCal.CalendarNC.appex

03/11/15 10:18:10,901 pkd[474]: enabling pid=949 for plug-in com.apple.ncplugin.stocks(1.0) C8939234-B40D-4C85-8CFC-B85A16A90A8B /System/Library/CoreServices/Stocks.app/Contents/PlugIns/com.apple.ncplugin.stocks.appex

03/11/15 10:18:10,972 com.apple.ncplugin.weather[1000]: ### Failed to load Addressbook class CNContactNameFormatter

03/11/15 10:18:11,225 com.apple.iCal.CalendarNC[1001]: [com.apple.calendar.store.log] [Couldn't update cached me card from CalendarAgent]

03/11/15 10:18:11,329 NotificationCenter[949]: plugin com.apple.iCal.CalendarNC invalidated

03/11/15 10:18:11,329 com.apple.iCal.CalendarNC[1001]: host connection <NSXPCConnection: 0x7fbae2f27ed0> connection from pid 949 invalidated

03/11/15 10:18:11,335 NotificationCenter[949]: plugin com.apple.ncplugin.weather invalidated

03/11/15 10:18:11,335 com.apple.ncplugin.weather[1000]: host connection <NSXPCConnection: 0x7f9772d1f9c0> connection from pid 949 invalidated

03/11/15 10:18:11,336 CoreLocationAgent[1003]: locationRequest for pid=1000 message=0

03/11/15 10:18:11,388 NotificationCenter[949]: plugin com.apple.ncplugin.stocks invalidated

03/11/15 10:18:11,388 com.apple.ncplugin.stocks[1002]: host connection <NSXPCConnection: 0x7f83a1f1bb20> connection from pid 949 invalidated

03/11/15 10:18:11,414 storeaccountd[972]: Failed to obtain sandbox extension for path=/var/folders/zd/nfs4yhs925zbcrbznsmcgvcc000102/C//storeaccountd. Errno:1

03/11/15 10:18:11,417 storeaccountd[972]: Failed to obtain sandbox extension for path=/var/folders/zd/nfs4yhs925zbcrbznsmcgvcc000102/C//storeaccountd. Errno:1

03/11/15 10:18:12,567 cloudpaird[961]: DEBUG cloudpaird: system does not support Continuity

03/11/15 10:18:14,338 diagnostics_agent[966]: AutoSubmitPreference is 1

03/11/15 10:18:14,351 diagnostics_agent[966]: AutoSubmitPreference is 1

03/11/15 10:18:14,361 diagnostics_agent[966]: AutoSubmitPreference is 1

03/11/15 10:18:15,021 MRT[970]: Agent finished.

03/11/15 10:18:15,022 MRT[970]: Finished MRT run

03/11/15 10:18:15,229 WiFiAgent[965]: [NO client logger] <Sep 13 2015 16:24:54> WIFICLOUDSYNC WiFiCloudSyncEngineCreate: created...

03/11/15 10:18:15,229 WiFiAgent[965]: [NO client logger] <Sep 13 2015 16:24:54> WIFICLOUDSYNC WiFiCloudSyncEngineRegisterCallbacks: WiFiCloudSyncEngineCallbacks version - 0, bundle id - com.apple.wifi.WiFiAgent

03/11/15 10:18:15,579 Keychain Circle Notification[947]: Posted at launch: (

)

03/11/15 10:18:15,590 Keychain Circle Notification[947]: rawStatus -1, #applicants 0, #peers 0, err=Error Domain=com.apple.security.sos.error Code=2 "Public Key not available - failed to register before call" UserInfo={NSDescription=Public Key not available - failed to register before call}

03/11/15 10:18:15,590 Keychain Circle Notification[947]: {ChangeCallback}

03/11/15 10:18:15,876 Keychain Circle Notification[947]: {ChangeCallback} scheduleActivity 4001-01-01 00:00:00 +0000

03/11/15 10:18:15,876 Keychain Circle Notification[947]: {ChangeCallback} Applicants

03/11/15 10:18:15,878 Keychain Circle Notification[947]: Checking validity of 0 notes

03/11/15 10:18:15,879 Keychain Circle Notification[947]: writeToStorage plist={

absentCircleWithNoReason = 0;

applicationDate = "0000-12-30 00:00:00 +0000";

lastCircleStatus = "-1";

lastWritten = "2015-11-03 09:18:15 +0000";

pendingApplicationReminder = "4001-01-01 00:00:00 +0000";

pendingApplicationReminderInterval = 86400;

}

03/11/15 10:18:15,922 cloudphotosd[989]: +[CSLogger preferencesChanged:] reconfiguring logging

03/11/15 10:18:26,027 SpotlightNetHelper[939]: [SLSUGGESTIONS] Location managed failed with error Error Domain=kCLErrorDomain Code=0 "(null)"

03/11/15 10:18:26,417 Spotlight[929]: applications query - started

03/11/15 10:18:26,547 SpotlightNetHelper[939]: CFPasteboardRef CFPasteboardCreate(CFAllocatorRef, CFStringRef) : failed to create global data

03/11/15 10:18:26,549 SpotlightNetHelper[939]: CFPasteboardRef CFPasteboardCreate(CFAllocatorRef, CFStringRef) : failed to create global data

03/11/15 10:18:26,549 SpotlightNetHelper[939]: CFPasteboardRef CFPasteboardCreate(CFAllocatorRef, CFStringRef) : failed to create global data

03/11/15 10:18:26,549 SpotlightNetHelper[939]: CFPasteboardRef CFPasteboardCreate(CFAllocatorRef, CFStringRef) : failed to create global data

03/11/15 10:18:27,911 Spotlight[929]: applications query - finished in 1.5 seconds

03/11/15 10:18:29,225 quicklookd[1028]: [QL] Could not open the Quick Look cloud thumbnails database: Error Domain=SqliteErrorDomain Code=2 "cannot set journal_mode to WAL" UserInfo={NSDescription=cannot set journal_mode to WAL, SqliteExtendedCode=2}

03/11/15 10:18:29,485 Console[1033]: Failed to connect (_consoleX) outlet from (NSApplication) to (ConsoleX): missing setter or instance variable

03/11/15 10:18:37,689 lsd[919]: LaunchServices: Currently 0 installed placeholders: (

)

03/11/15 10:18:37,859 Bluetooth Setup Assistant[1034]: initiateDeviceSetup

03/11/15 10:18:38,015 Bluetooth Setup Assistant[1034]: readHIDEmulationDevice: HID emulation device found: Clavier de test

03/11/15 10:18:38,015 Bluetooth Setup Assistant[1034]: readHIDEmulationDevice: HID emulation device found: 7c-c3-a1-8e-4b-3b

03/11/15 10:18:38,015 Bluetooth Setup Assistant[1034]: readHIDEmulationDevicesComplete: error: 0


This is becoming very frustrating; anyway, thanks for your help, guys!
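Added example (not part of the original post): a shell/awk filter that condenses the kdc lines of a server log like the one above into one line per principal, showing whether ENC-TS pre-authentication succeeded and which service tickets were then requested. The names kdc_summary and sample_log and the two testuser lines are constructed for illustration; the field positions assume the syslog layout shown in the post.

```shell
#!/bin/sh
# Added example: per-principal summary of KDC lines in an OS X Server system log.
# Assumes the layout seen in the thread: "Mon D HH:MM:SS host proc[pid]: message".

kdc_summary() {
  awk '
    $5 ~ /^kdc\[/ && $6 == "AS-REQ" { who[$7] = 1; asreq[$7]++; last = $7; next }
    # This reply names no principal; attribute it to the latest AS-REQ (heuristic).
    $5 ~ /^kdc\[/ && $6 == "Need" && $8 == "use" { if (last != "") need[last]++; next }
    $5 ~ /^kdc\[/ && $6 == "ENC-TS" && $8 == "succeeded" { who[$10] = 1; ok[$10]++; next }
    $5 ~ /^kdc\[/ && $6 == "TGS-REQ" {
      who[$7] = 1
      if (!(($7, $11) in dup)) {            # list each requested service once
        dup[$7, $11] = 1
        sep = (svc[$7] == "") ? "" : ","
        svc[$7] = svc[$7] sep $11
      }
      next
    }
    # Sandbox denials against the kdc process, such as reads of krb5.conf.
    $5 ~ /^sandboxd\[/ && $7 ~ /^kdc\(/ && $8 == "deny" { deny[$10]++ }
    END {
      for (p in who) {
        t = (svc[p] == "") ? "-" : svc[p]
        printf "principal=%s as_req=%d preauth_required=%d preauth_ok=%d tgs=%s\n", p, asreq[p], need[p], ok[p], t
      }
      for (f in deny) printf "sandbox_deny=%s count=%d\n", f, deny[f]
    }
  ' | sort
}

# Sample input: lines excerpted from the server log in the post, plus two
# constructed "testuser" lines showing a login that never completes pre-auth.
sample_log() {
  cat <<'EOF'
Nov 3 10:18:41 server kdc[147]: AS-REQ dodos@SERVER.TOTO.PRIVATE from 10.80.100.100:58390 for krbtgt/SERVER.TOTO.PRIVATE@SERVER.TOTO.PRIVATE
Nov 3 10:18:41 server sandboxd[244] ([147]): kdc(147) deny file-read-data /private/etc/krb5.conf
Nov 3 10:18:41 server kdc[147]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Nov 3 10:18:41 server kdc[147]: AS-REQ dodos@SERVER.TOTO.PRIVATE from 10.80.100.100:56313 for krbtgt/SERVER.TOTO.PRIVATE@SERVER.TOTO.PRIVATE
Nov 3 10:18:41 server kdc[147]: ENC-TS pre-authentication succeeded -- dodos@SERVER.TOTO.PRIVATE
Nov 3 10:18:42 server kdc[147]: TGS-REQ dodos@SERVER.TOTO.PRIVATE from 10.80.100.100:50900 for cifs/server.toto.private@SERVER.TOTO.PRIVATE [canonicalize, forwardable]
Nov 3 10:18:42 server kdc[147]: TGS-REQ dodos@SERVER.TOTO.PRIVATE from 10.80.100.100:62847 for cifs/server.toto.private@SERVER.TOTO.PRIVATE [forwardable]
Nov 3 10:19:05 server kdc[147]: AS-REQ testuser@SERVER.TOTO.PRIVATE from 10.80.100.101:51000 for krbtgt/SERVER.TOTO.PRIVATE@SERVER.TOTO.PRIVATE
Nov 3 10:19:05 server kdc[147]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
EOF
}

sample_log | kdc_summary
```

On the server the same filter can read the live log, for example `grep -E 'kdc|sandboxd' /var/log/system.log | kdc_summary`; a principal with preauth_required above zero but preauth_ok=0 asked for a ticket and never presented a valid encrypted timestamp.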

Nov 3, 2015 5:14 AM in response to itspw

Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

1. The OD master must have a static IP address on the local network, not a dynamic address. It must not be connected to the same network with more than one interface; e.g., Ethernet and Wi-Fi.

2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

3. The primary DNS server used by the server must be itself, unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

4. If you have accounts with network home directories, make sure the URLs are correct in the user settings. A return status of 45 from the authorizationhost daemon in the log may mean that the URL for mounting the home directory was not updated after a change in the hostname or in the file-sharing protocol (from AFP to SMB or vice versa). If the server and clients are all running OS X 10.10 or later, directories should be shared with SMB rather than AFP.

5. Follow these instructions to rebuild the Kerberos configuration on the server.

6. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.

In the case of a self-signed certificate, create a trust profile in Profile Manager and deploy it on the clients. On the server, you may need to create the folder

/etc/openldap/certs

and put a copy of the server's certificate in it; for example:

/etc/openldap/certs/server-name

Also add a directive to the file

/etc/openldap/ldap.conf

of the form

TLS_CACERT /etc/openldap/certs/server-name

7. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

8. Reboot the master and the clients.

9. Don't log in to the server with a network user's account.

10. Disable any internal firewalls in use, including third-party "security" software.

11. If you've created any replica servers, delete them.

12. If OD has only recently stopped working when it was working before, you may be able to restore it from the automatic backup in /var/db/backups, or from a Time Machine snapshot of that backup.

13. If there are slapd errors in the log, try the following steps.

Turn off Open Directory in the Server app.

Enter in a shell:

cd /var/db/openldap

sudo -s

db_recover -c -h authdata

db_recover -c -h openldap-data

Turn Open Directory back on.

14. Reset the password policy database:

sudo pwpolicy -clearaccountpolicies

15. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. In some cases, you may have to use the shell to delete the server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.

Nov 27, 2015 8:48 AM in response to itspw

Have you resolved this issue? I'm having a similar problem in that I cannot map a user to a network home directory. When I log on to the client with a valid network path, I get the beachball of doom. I'm running 10.11 on both client and server. I have tried network directories on the 10.11 server as well as a NAS - same result with each.
