Network user login on one computer broken, others work?
This topic has 8 replies, 2 voices, and was last updated 17 years, 8 months ago by smithsm.
smithsm (Participant), August 10, 2007 at 10:45 pm, #369687

I have one computer that all of a sudden stopped allowing any logins from network users.
Everything has been working fine for months. No changes to the server except a power cycle.
Local users are fine. Network users get no logins. The login window shakes.
Portable home directory users can log in only if not connected to the network.
I have tried everything I could find to fix it short of wiping the hard drive and reinstalling.
I remember having this problem once before, and deleting the DirectoryService prefs and redoing the LDAPv3 server setup in Directory Access fixed it then, but not now. I would appreciate some advice on where to look to find out why this machine is so recalcitrant.
Other machines on the network do not have the problem; network users can log in just fine.

Client: OS X 10.4.10, Mac PB G4 17
Server: OS X 10.4.10 Server, OD Master
Network users show up in the login window.

What I tried:
Deleted contents of /library/preferences/DirectoryService
Deleted contents of /library/managed preferences
Removed LDAPv3 server entry in /Applications/Utilities/Directory Access
Using /applications/utilities/NetInfo Manager:
Deleted /mcx_cache
Deleted /config/mcx_cache
sudo /system/library/coreservices/mcxd.app/contents/resources/mcxcacher -F
Password:
DirtyCache(1) == -14136
sudo rm /Library/Caches/com.apple.LaunchServices*.csstore
Deleted /Library/Preferences/com.apple.MCX.plist
Restarted
No network users show up in the login window
Set up LDAPv3 server in Directory Access with blank binding
Restarted
Now network users show up in the login window but still can't log in.

I think it's a Kerberos problem but nothing looks wrong. The edu.mit.Kerberos file on the bad computer looks OK.
I deleted it and it was recreated.
I did a kadmin listprincs on the server and all the users show up. Since I can log in from other computers I suspect something wrong with the bad computer, not the server setup. No changes were made; the server just had a power cycle while the client was connected. The next time it tried to authenticate, it failed.

smithsm (Participant), August 11, 2007 at 3:51 pm, #369699

I looked at the Password Server log and KDC log and there is something odd going on.
For computers where network login works I get the following in the Password Server log each time a user authenticates:

Aug 11 2007 09:22:04 RSAVALIDATE: success.
Aug 11 2007 09:22:04 AUTH2: {0x442c2aba5be330330000000d0000000d, alison} DIGEST-MD5 authentication succeeded.
Aug 11 2007 09:22:04 QUIT: {0x442c2aba5be330330000000d0000000d, alison} disconnected.
Aug 11 2007 09:24:37 RSAVALIDATE: success.

I also get the following in the KDC log, but not every time:

Aug 10 16:56:33 server.private krb5kdc[178](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Aug 10 16:56:33 server.private krb5kdc[178](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: CHECK_PWS_ACCT: [email protected] for krbtgt/[email protected], Connection refused

So it appears that Kerberos is not working but network users can still log in. However, Kerberos was working very recently, as there are expired tickets saved in preferences.

FOR THE COMPUTER WHERE NETWORK LOGIN does not work I do not get any entries in either the Password Server or KDC log for failed attempts to log in. So it appears that it is not accessing the password server correctly.
How do I debug this or fix it?

smithsm (Participant), August 14, 2007 at 3:53 pm, #369729
Yes, one client machine that isn't allowing network logins. More interesting, one user with a portable home directory can log in when disconnected from the network. Then when logging out while connected, the logout sync works and an entry shows up in the Password Server log on the server. So somehow the password server was broken for logins but not logouts.

I finally gave up and did a clean install on the client machine (took all weekend) because it was a development machine with all kinds of applications on it. This fixed the problem with network user login but not the Kerberos problem.
There is an app note "Kerberos authentication services may not successfully start" that says to use slapconfig and sso_util to get Kerberos running. Will this resync the Kerberos password database with Open Directory?

Question: why, once a client network user is logged in, does every admin authorization access the server? Every time a network user with a portable home directory and admin privileges makes a configuration change, it hits the password server on the server instead of using local authorization. Seems unnecessary and fragile?

smithsm (Participant), August 16, 2007 at 4:49 pm, #369753
> I'm not quite sure what Kerberos issue you're still seeing? Do you have an actual Kerberos failure, or are you just looking at noise in the logs?

When I use the Kerberos utility on a client machine to try to create a new ticket for a network user I get "Kerberos login failed: Generic Error (see e-text)". The KDC log on the server produces the following entry as a result:

Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: CHECK_PWS_ACCT: [email protected] for krbtgt/[email protected], Connection refused

I get the same error whenever a network user logs in.
The only tickets in /library/preferences, such as edu.mit.Kerberos.1HEenXabeZGsK0LVFUVcl, are old (dating from when Kerberos used to work). Is there some other way to verify that it's not working?

My Server Admin AFP->Access setting for authentication is Any Method, and I have Enable Guest Access, Enable secure connections and Enable administrator to masquerade..., all checked. So I believe this allows network users to log in even if Kerberos is not working.

In Server Admin Open Directory->Overview, lookupd is running, NetInfod is local only, slapd is running, password server is running, Kerberos is running.

The edu.mit.Kerberos file looks fine to me:
# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : /LDAPv3/server.private
# generation_id : 1855478373
[libdefaults]
default_realm = SERVER.PRIVATE
[realms]
SERVER.PRIVATE = {
kdc = server.private
admin_server = server.private
}
[domain_realm]
private = SERVER.PRIVATE
.private = SERVER.PRIVATE

When I listprincs on the server it looks fine to me.
server:admin$ sudo kadmin.local
Password:
Authenticating as principal root/[email protected] with password.
kadmin.local: listprincs
HTTP/[email protected]
K/[email protected]
XMPP/[email protected]
[email protected]
afpserver/[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
ftp/[email protected]
[email protected]
host/[email protected]
http/[email protected]
imap/[email protected]
ipp/[email protected]
[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
ldap/[email protected]
[email protected]
pop/[email protected]
[email protected]
[email protected]
[email protected]
smtp/[email protected]
vpn/[email protected]
[email protected]
xgrid/[email protected]

server:admin$ sudo klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 03/30/06 08:34:39 xgrid/[email protected]
3 03/30/06 08:34:39 xgrid/[email protected]
3 03/30/06 08:34:39 xgrid/[email protected]
3 03/30/06 08:34:39 vpn/[email protected]
3 03/30/06 08:34:39 vpn/[email protected]
3 03/30/06 08:34:39 vpn/[email protected]
3 03/30/06 08:34:39 ipp/[email protected]
3 03/30/06 08:34:39 ipp/[email protected]
3 03/30/06 08:34:39 ipp/[email protected]
3 03/30/06 08:34:39 XMPP/[email protected]
3 03/30/06 08:34:39 XMPP/[email protected]
3 03/30/06 08:34:39 XMPP/[email protected]
3 03/30/06 08:34:39 host/[email protected]
3 03/30/06 08:34:39 host/[email protected]
3 03/30/06 08:34:39 host/[email protected]
3 03/30/06 08:34:39 smtp/[email protected]
3 03/30/06 08:34:39 smtp/[email protected]
3 03/30/06 08:34:39 smtp/[email protected]
3 03/30/06 08:34:39 http/[email protected]
3 03/30/06 08:34:39 http/[email protected]
3 03/30/06 08:34:39 http/[email protected]
3 03/30/06 08:34:39 HTTP/[email protected]
3 03/30/06 08:34:39 HTTP/[email protected]
3 03/30/06 08:34:39 HTTP/[email protected]
3 03/30/06 08:34:39 pop/[email protected]
3 03/30/06 08:34:39 pop/[email protected]
3 03/30/06 08:34:39 pop/[email protected]
3 03/30/06 08:34:39 imap/[email protected]
3 03/30/06 08:34:39 imap/[email protected]
3 03/30/06 08:34:39 imap/[email protected]
3 03/30/06 08:34:39 ftp/[email protected]
3 03/30/06 08:34:39 ftp/[email protected]
3 03/30/06 08:34:39 ftp/[email protected]
3 03/30/06 08:34:39 afpserver/[email protected]
3 03/30/06 08:34:39 afpserver/[email protected]
3 03/30/06 08:34:39 afpserver/[email protected]
3 03/30/06 08:34:40 ldap/[email protected]
3 03/30/06 08:34:40 ldap/[email protected]
3 03/30/06 08:34:40 ldap/[email protected]
3 03/30/06 09:53:40 xgrid/[email protected]
3 03/30/06 09:53:40 xgrid/[email protected]
3 03/30/06 09:53:40 xgrid/[email protected]
3 03/30/06 09:53:40 vpn/[email protected]
3 03/30/06 09:53:40 vpn/[email protected]
3 03/30/06 09:53:40 vpn/[email protected]
3 03/30/06 09:53:40 ipp/[email protected]
3 03/30/06 09:53:40 ipp/[email protected]
3 03/30/06 09:53:40 ipp/[email protected]
3 03/30/06 09:53:40 XMPP/[email protected]
3 03/30/06 09:53:40 XMPP/[email protected]
3 03/30/06 09:53:40 XMPP/[email protected]
3 03/30/06 09:53:40 host/[email protected]
3 03/30/06 09:53:40 host/[email protected]
3 03/30/06 09:53:40 host/[email protected]
3 03/30/06 09:53:40 smtp/[email protected]
3 03/30/06 09:53:40 smtp/[email protected]
3 03/30/06 09:53:40 smtp/[email protected]
3 03/30/06 09:53:40 http/[email protected]
3 03/30/06 09:53:40 http/[email protected]
3 03/30/06 09:53:40 http/[email protected]
3 03/30/06 09:53:40 HTTP/[email protected]
3 03/30/06 09:53:40 HTTP/[email protected]
3 03/30/06 09:53:40 HTTP/[email protected]
3 03/30/06 09:53:40 pop/[email protected]
3 03/30/06 09:53:40 pop/[email protected]
3 03/30/06 09:53:40 pop/[email protected]
3 03/30/06 09:53:40 imap/[email protected]
3 03/30/06 09:53:40 imap/[email protected]
3 03/30/06 09:53:40 imap/[email protected]
3 03/30/06 09:53:40 ftp/[email protected]
3 03/30/06 09:53:40 ftp/[email protected]
3 03/30/06 09:53:40 ftp/[email protected]
3 03/30/06 09:53:40 afpserver/[email protected]
3 03/30/06 09:53:40 afpserver/[email protected]
3 03/30/06 09:53:40 afpserver/[email protected]
3 03/30/06 09:53:41 ldap/[email protected]
3 03/30/06 09:53:41 ldap/[email protected]
3 03/30/06 09:53:41 ldap/[email protected]

smithsm (Participant), August 17, 2007 at 7:56 pm, #369776
> So... Kerberos is failing for all network users? Is it working for anyone? Does it fail a kinit done from the server itself?

It fails for all users, including kinit done from the server.
So is there supposed to be a CHECK_PWS_ACCT in the list of principals?
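The KDC log entries quoted earlier in the thread are the only server-side trace of this failure, so here is an added example (not code from the thread, from Apple, or from any project) that parses lines in that layout and classifies each client's AS_REQ sequence, treating a CHECK_PWS_ACCT entry that ends in "Connection refused" as the KDC failing to reach the password server after pre-authentication. The sample lines are constructed on the thread's layout: the principal alison@SERVER.PRIVATE is assumed (the page's principals are obfuscated), and the ISSUE line for a working client follows MIT krb5's log form as I know it, which is also an assumption.

```python
import re
from collections import defaultdict

# Tiger's krb5kdc log line, in the layout quoted in this thread:
#   <Mon DD HH:MM:SS> <host> krb5kdc[<pid>](info): AS_REQ (<etypes>) <client-ip>: <STATUS>: <rest>
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" somewhere in the rest of the line.
PRINCIPALS = re.compile(r"(?P<client>\S+@\S+) for (?P<server>\S+?@[A-Z0-9.-]+)")


def parse_kdc_line(line):
    """Return a dict for one krb5kdc AS_REQ/TGS_REQ line, or None for anything else."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS.search(rec["rest"])
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    # Whatever follows the principals is the KDC's message ("Connection refused", ...).
    rec["msg"] = rec["rest"][p.end():].lstrip(", ") if p else rec["rest"]
    return rec


def classify(records):
    """Classify one client's request sequence from its parsed log records."""
    statuses = [(r["status"], r["msg"]) for r in records]
    if any(s == "CHECK_PWS_ACCT" and "Connection refused" in m for s, m in statuses):
        # Pre-auth succeeded, but the KDC could not open a connection to the
        # password server to check the account: the signature seen in this thread.
        return "password-server-unreachable"
    if any(s == "ISSUE" for s, _ in statuses):
        return "ticket-issued"
    if all(s == "NEEDED_PREAUTH" for s, _ in statuses):
        return "preauth-only"  # the client never came back with pre-auth data
    return "other"


def diagnose(lines):
    """Map (client-ip, client principal) to a classification over a batch of log lines."""
    grouped = defaultdict(list)
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["client"]:
            grouped[(rec["ip"], rec["client"])].append(rec)
    return {key: classify(recs) for key, recs in grouped.items()}


# Constructed sample in the thread's layout (principal and ISSUE line are assumed).
SAMPLE_KDC_LOG = """\
Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: NEEDED_PREAUTH: alison@SERVER.PRIVATE for krbtgt/SERVER.PRIVATE@SERVER.PRIVATE, Additional pre-authentication required
Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: CHECK_PWS_ACCT: alison@SERVER.PRIVATE for krbtgt/SERVER.PRIVATE@SERVER.PRIVATE, Connection refused
Aug 16 10:12:01 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.131: NEEDED_PREAUTH: alison@SERVER.PRIVATE for krbtgt/SERVER.PRIVATE@SERVER.PRIVATE, Additional pre-authentication required
Aug 16 10:12:01 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.131: ISSUE: authtime 1187287921, etypes {rep=16 tkt=16 ses=16}, alison@SERVER.PRIVATE for krbtgt/SERVER.PRIVATE@SERVER.PRIVATE
Aug 16 10:13:40 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: NEEDED_PREAUTH: alison@SERVER.PRIVATE for krbtgt/SERVER.PRIVATE@SERVER.PRIVATE, Additional pre-authentication required
""".splitlines()

if __name__ == "__main__":
    for (ip, client), verdict in sorted(diagnose(SAMPLE_KDC_LOG).items()):
        print(f"{ip:<12} {client:<28} {verdict}")
```

Run against a real file with `diagnose(open("/var/log/krb5kdc/kdc.log").readlines())`; a verdict of "password-server-unreachable" for every client is the symptom this thread ends up tracing to the password server's listening ports rather than to any one client.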
smithsm (Participant), August 18, 2007 at 12:47 am, #369780

I got it working!
Your comment about the KDC not being able to talk back to the password server gave me a clue as to what might be the problem.

I use EIMS for the mail server, and EIMS also defaults to using port 106 for its password server. Tiger Server lists two different ports for its password server in its preferences file, 3659 and 106.
The EIMS docs say to remove the conflict by disabling port 106 for Tiger Server by deleting its entry from /library/preferences/com.apple.passwordserver.plist. It says that this does no harm as Tiger Server uses the other port.
Apparently this changed with one of the recent updates to Tiger Server.
When I re-enabled port 106 and rebooted, Kerberos started working.
In the past Kerberos worked with port 106 disabled. So it appears that Kerberos on Tiger Server uses port 106 to talk to the password server while everything else uses the standard port 3659.

I will notify the EIMS developer to fix his documentation.
I just had to set EIMS's password server to use a different port.
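The fix in this post came down to another daemon holding one of the two password server ports, so here is an added example (not from the thread, and not Apple's or EIMS's code) that reads `lsof -i -P -n` style output and reports, for ports 3659 and 106, whether the password server owns the socket, another process does, or nothing is listening. The lsof lines are constructed, and the daemon's command name PasswordS (lsof's nine-character truncation of PasswordService) is an assumption.

```python
import re
import subprocess

# Ports Tiger Server's password server listens on, per this thread: 3659 is the
# standard port and 106 is the one the KDC turned out to need.
PASSWORD_SERVER_PORTS = (3659, 106)
# Command name the daemon shows under in lsof (assumed: lsof truncates COMMAND
# to nine characters, so "PasswordService" would appear as "PasswordS").
PASSWORD_SERVER_COMMAND = "PasswordS"

# One LISTEN line of `lsof -i -P -n`: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
LISTEN_LINE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<type>IPv[46])\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)$"
)


def parse_listeners(lsof_output):
    """Return {port: set of command names} for every TCP LISTEN line in lsof output."""
    listeners = {}
    for line in lsof_output.splitlines():
        m = LISTEN_LINE.match(line.strip())
        if m:
            listeners.setdefault(int(m.group("port")), set()).add(m.group("command"))
    return listeners


def check_password_server_ports(listeners, ports=PASSWORD_SERVER_PORTS,
                                expected=PASSWORD_SERVER_COMMAND):
    """Per expected port: "ok", "conflict:<other commands>", or "not-listening"."""
    report = {}
    for port in ports:
        owners = listeners.get(port, set())
        if owners == {expected}:
            report[port] = "ok"
        elif owners:
            # Another daemon (EIMS in this thread) has taken the port, so the
            # KDC's connection to the password server on it is refused or misrouted.
            report[port] = "conflict:" + ",".join(sorted(owners - {expected}))
        else:
            report[port] = "not-listening"
    return report


def live_listeners():
    """Collect the real listener table; needs root to see other users' sockets."""
    out = subprocess.run(["lsof", "-i", "-P", "-n"], capture_output=True, text=True, check=False)
    return parse_listeners(out.stdout)


# Constructed lsof output for the broken state described in the thread:
# EIMS has port 106 and the password server only has 3659.
SAMPLE_LSOF_CONFLICT = """\
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
PasswordS   145 root    6u  IPv4 0x2a1b3c      0t0  TCP *:3659 (LISTEN)
EIMS        312 root    9u  IPv4 0x2a1b3d      0t0  TCP *:106 (LISTEN)
krb5kdc     178 root    4u  IPv4 0x2a1b3e      0t0  UDP *:88
slapd       160 root    7u  IPv4 0x2a1b3f      0t0  TCP *:389 (LISTEN)
"""

# Constructed lsof output after the fix: EIMS moved to another port (107 is
# only a placeholder) and the password server re-enabled 106.
SAMPLE_LSOF_FIXED = """\
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
PasswordS   145 root    6u  IPv4 0x2a1b3c      0t0  TCP *:3659 (LISTEN)
PasswordS   145 root    7u  IPv4 0x2a1b40      0t0  TCP *:106 (LISTEN)
EIMS        312 root    9u  IPv4 0x2a1b3d      0t0  TCP *:107 (LISTEN)
slapd       160 root    7u  IPv4 0x2a1b3f      0t0  TCP *:389 (LISTEN)
"""

if __name__ == "__main__":
    print("before:", check_password_server_ports(parse_listeners(SAMPLE_LSOF_CONFLICT)))
    print("after: ", check_password_server_ports(parse_listeners(SAMPLE_LSOF_FIXED)))
```

A "conflict:" result on 106 is the state this thread describes; "not-listening" on 106 is the state the EIMS documentation recommended, which the KDC also cannot use. Either result is worth checking before touching the client, since the symptom surfaced there first.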