nick-without-a-name

Q: After upgrade server 5.1.5 network user login impossible from most workstations

Hello all,



 

Intro


I upgraded one of my customer's Xserves from 10.6.8 server to El Capitan / Server app 5.1.5.


The server is set up with network homefolders and mobile homefolders. Also we use MCX. The 10.6.8 configuration has run perfectly fine and still does. But now it's time to move on.



 

The upgrade process was relatively smooth. I had to configure the network interface again, next check DNS (forward / reverse), and I also had to set up the sharepoints again, including the network homes sharepoint (using AFP).



 

Problem:

Next, I started testing login as network users from the client computers. I found that it was not possible to login from most client computers. 


After entering the credentials, login was denied right away, as would be the case when entering incorrect credentials.

On the client computers nothing was changed.


Client computers are running Yosemite 10.10.5 and some are running 10.6.8


 

As soon as I reboot the Xserve from its original 10.6.8 everything is back to normal.


 

What does work:

The ones that would login worked fine:


    •    Mobile sync (on computers not affected)


    •    Log in as network home user (on computers not affected)


    •    MCX worked fine. New settings were deployed correctly. On all computers.


    •    Automatically mount certain shares worked fine on all computers. There is a local admin on the client computers. When logging in to the account, network shares are mounted using MCX.


    •    DNS resolving from all client computers


    •    DHCP is working OK


    •    Client computers running 10.6.8 seem to be not affected.



 

At one point one of the affected workstations that didn't work, started to work.



 

What I tried and did not resolve the problem:

    •    Renew DHCP on client


    •    Removed OD binding and set it up again


    •    Trashed Managed Preferences folders (these were correctly recreated)




 

Ideas on possible causes:


The most logical causes for this behaviour could be:

1) Client machine cannot find the OD master.


2) Negotiating the credentials fails.


 

Since the OD binding works, MCX works etc, the client machine does find the OD Master.

The latter seems the more likely cause. Ticketviewer doesn't show any tickets. Manually requesting a TGT from Ticketviewer using the credentials of an OD user works fine.



 

Any advice is appreciated.



 

Regards,


 

Nico

Mac mini, OS X Server, CentOS Linux

Posted on May 30, 2016 3:07 AM


  • by Peter Borbonus,

    May 30, 2016 6:06 AM in response to nick-without-a-name

    Hi Nico,

    Maybe the problem is related to AFP. Did you try to disable AFP in System Preferences and remove all shares? After this, restart AFP and try to add the shares again. Have a look at the access privileges. It is urgent to remove and add the share of the user folders on the server again.

    Good luck,

    Peter.

  • by nick-without-a-name,

    May 30, 2016 7:31 AM in response to Peter Borbonus

    Hello Peter,

     

    Thanks for your reply, however this problem doesn't have to do with AFP at all.

    After some more digging, this time in a testing environment on clones of the server and a client machine, I discovered that the problem has to do with Kerberos.

    It looks like Kerberos did not survive the migration.

    These easy steps are looking very promising:

    1. On El Capitan server destroy the OD.
    2. On SL server make backup of OD
    3. Import the backup into El Capitan server

     

    This resolves the situation on my test server. For some unknown reason even the user passwords are resolved. No reason to reset these.

     

    I'll try this ASAP on the production server and post my findings.

  • by Peter Borbonus, Solved answer

    May 30, 2016 9:22 AM in response to nick-without-a-name

    Hi Nico,

    thx for these infos. Nice to hear the problem is solved. Nice also to hear that the import of the OD-Database from MacOS 10.6.8 to 10.11.5 (Server 5.1.5) is no problem. I didn't expect this!

     

    Regards,

    Peter.

  • by nick-without-a-name,

    Jun 6, 2016 9:16 AM in response to Peter Borbonus

    Hello,

     

    The server is in production for a few days now, users are happy. So we can conclude this is the final solution:

     

    1. Check, recheck and double check DNS (what else is new...)
    2. Export OD from old server, import on Server 5 --> forget the OD that was the result of the upgrade to Server 5.
    3. On clients log in as local admin, if using MCX trash /Library/Managed Preferences
    4. Check TicketViewer for any existing tickets. Delete them.

    That should do the trick!
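
Step 1 of the final solution above (forward and reverse DNS for the server), as an added shell example that is not part of the original posts: it checks that every A record of a hostname has a PTR record pointing back to the same name. The hostname is supplied by the caller; `fwd`, `rev` and `check_dns` are names introduced here, and the two lookups wrap the standard `host` utility.

```shell
#!/bin/sh
# Added example: forward/reverse DNS consistency check for a server hostname.
# Run it on the server and on a client; both should print only OK lines.

fwd() {  # hostname -> IPv4 addresses, one per line
    host -t A "$1" 2>/dev/null | awk '/ has address / {print $NF}'
}

rev() {  # IP address -> PTR names, one per line, trailing dot stripped
    host "$1" 2>/dev/null |
        awk '/ domain name pointer / {sub(/\.$/, "", $NF); print $NF}'
}

# Prints one line per address; returns 0 only if every A record
# resolves back to the name that was asked for (case-insensitive).
check_dns() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}                      # accept a fully qualified trailing dot
    ips=$(fwd "$name")
    if [ -z "$ips" ]; then
        echo "FAIL: no A record for $name"
        return 1
    fi
    rc=0
    for ip in $ips; do
        ptrs=$(rev "$ip" | tr 'A-Z' 'a-z')
        if [ -z "$ptrs" ]; then
            echo "FAIL: $ip has no PTR record"
            rc=1
        elif ! printf '%s\n' "$ptrs" | grep -qxF "$name"; then
            echo "FAIL: $ip points back to $(echo $ptrs), not $name"
            rc=1
        else
            echo "OK: $name <-> $ip"
        fi
    done
    return $rc
}

# Usage: sh check_dns.sh <server-hostname>
if [ "$#" -gt 0 ]; then
    check_dns "$1"
fi
```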

  • by Peter Borbonus,

    Jun 7, 2016 7:38 PM in response to nick-without-a-name

    Hi Nico,

     

    thank you for posting your solution to the community. Nice to hear you got the problem solved.

    Greetings,

    Peter.