Open Directory accounts log in fine if their homes are on one box but NOT if their homes are on another box.

  • #375417
    glen.page
    Participant

    I rebuilt our 3 XServes over the Christmas break to bring them to 10.5.x server.
    Long story short, I wound up blowing away the entire LDAP data and having to use Passenger to rebuild all accounts.
    Here is the planned basic setup.
    Thetkey.thet.net – authentication – OD Master, properly kerberized.
    TAhome.thet.net – home directories for TA staff and students
    tehome.thet.net – home directories for TE staff and students
    All resolve forward and backwards in DNS.

    Ran into the following issue.
    I can get all accounts who have homes on TAhome.thet.net to work properly.
    I originally couldn’t get ANY accounts to work if their home was on tehome.thet.net.
    I think this was due to having too many sharepoints and/or sharepoint names that were too long on TAhome.thet.net.

    To get back in business after Christmas break I put ALL homes on TAhome.thet.net and got all accounts working. This is not a great solution, as having 700+ accounts hammering one server’s HD makes things a bit slower than we would like.

    We are on break this week and I came in to see if I could fix it.
    Here is what I have done so far.
    1. Unshared all shares on tahome.thet.net with the exception of TATeachers, TETeachers and Users (I originally had shares for each year of graduation: 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018).
    2. Shared out the Students folder that houses all the year-of-graduation folders.
    3. Cleared all shares off of tehome.thet.net except Users.
    4. Created a new share on tehome.thet.net called TEFaculty and set it to automount for homes.
    5. Created a new account teteach2 and set it to have its home in TEFaculty share created in step 4.
    6. I used the “Create Home” now option in WGM to create the home (from thetkey) and then checked to see that the folder was created properly.
    7. Tried to log in to a client (10.4) machine as teteach2 – I get “The home folder for user teteach2 is not located in the usual place or cannot be accessed.”
    8. I checked in the /Network/Servers folder and both tahome.thet.net and tehome.thet.net are there but clicking on tehome.thet.net shows it to be a broken alias.

    I noticed that tehome.thet.net – in server admin – open directory – settings – does not have a “Join Kerberos” button but that tahome.thet.net does have one.

    I decided to look at the server logs on thetkey to see if anything jumped out at me. I found the following of interest:
    Feb 16 10:26:52 thetkey.thet.net krb5kdc[381](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.5.3.255: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required

    Feb 16 09:31:44 thetkey slapd[440]: Entry (uid=untitled_1,cn=users,dc=thetkey,dc=thet,dc=net): object class ‘posixAccount’ requires attribute ‘homeDirectory’
    Feb 16 09:31:44 thetkey slapd[440]: entry failed schema check: object class ‘posixAccount’ requires attribute ‘homeDirectory’
    Feb 16 09:31:59 thetkey slapd[440]: Entry (uid=teteacher2,cn=users,dc=thetkey,dc=thet,dc=net): object class ‘posixAccount’ requires attribute ‘homeDirectory’
    Feb 16 09:31:59 thetkey slapd[440]: entry failed schema check: object class ‘posixAccount’ requires attribute ‘homeDirectory’

    I am hoping that someone on here can help me out.

    TIA,

    Glen

    #375429
    glen.page
    Participant

    Quote by MacTroll:
    > The pre-auth error is normal.
    >
    > The ‘homeDirectory’ errors are much much nastier. What’s the full dscl output for teteacher2?

    I am at home now but planning to stop by the office for a little while around noon today. If you can tell me how and where to find the dscl output for teteacher2 I will gladly send it. Is it on the client machine or one of the servers and where and how do I access it?

    Thanks for the help.

    #375435
    tlarkin
    Participant

    I had the same problem and it was DNS related with mapping home directories with FQDN. Just to make sure: if you run changeip -checkhostname, does everything resolve right?

    Also, if you blew away your old LDAP and did fresh imports, you may also have to reapply new ownerships, since the users probably have different UIDs if you did not copy them from an export. Which is easy to do with Passenger.
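The two checks raised in this thread (the slapd “posixAccount requires attribute homeDirectory” errors in the first post, and tlarkin’s point that re-imported accounts may have new numeric UIDs, so the files in the old homes need re-owning) can both be made against an LDIF dump of the directory before anything is imported. The script below is an added example, not code from the thread or from Apple; it assumes you have exported the old and rebuilt directories to LDIF (for instance with slapcat or ldapsearch -LLL), and the two LDIF samples inside it are constructed for illustration, with made-up UIDs and home paths.

```python
"""Pre-import sanity checks on an Open Directory LDIF export.

Added example for the thread above (not original code). The LDIF samples
are constructed; names, UIDs and home paths are invented for illustration.
"""
import base64
import re
from collections import defaultdict

# RFC 2307 posixAccount MUST attributes. slapd rejects entries missing any of
# them with "entry failed schema check", exactly as seen in the first post.
POSIX_ACCOUNT_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Parse LDIF text into a list of entries (dict attr -> [values]).

    Unfolds continuation lines (leading space), skips comments, and decodes
    base64 values written as "attr:: ...". Entries are separated by blank lines.
    """
    entries, current = [], None
    unfolded = re.sub(r"\n ", "", text)          # join folded lines
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if current is None:
            current = defaultdict(list)
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def schema_problems(entries):
    """Return (dn, missing_attribute) for every posixAccount entry that slapd
    would refuse, in the order the entries appear in the export."""
    problems = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "posixaccount" not in classes:
            continue
        dn = e.get("dn", ["?"])[0]
        for attr in POSIX_ACCOUNT_REQUIRED:
            if not e.get(attr):
                problems.append((dn, attr))
    return problems


def uid_changes(old_entries, new_entries):
    """Map short name -> (old uidNumber, new uidNumber) for accounts whose
    numeric UID differs between the old export and the rebuilt directory.
    Files in those users' homes are still owned by the old number."""
    def by_name(entries):
        return {e["uid"][0]: int(e["uidNumber"][0])
                for e in entries if e.get("uid") and e.get("uidNumber")}
    old, new = by_name(old_entries), by_name(new_entries)
    return {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}


def chown_commands(changes, home_root):
    """Build (not run) the find/chown lines that re-own files still held by
    the old numeric UID; run them as root on the home server."""
    return [f"find {home_root} -user {old} -exec chown -h {new} {{}} +"
            for _, (old, new) in sorted(changes.items())]


# Constructed sample: the directory as it was before the rebuild.
OLD_EXPORT = """\
dn: uid=teteacher2,cn=users,dc=thetkey,dc=thet,dc=net
objectClass: posixAccount
cn: TE Teacher 2
uid: teteacher2
uidNumber: 1025
gidNumber: 20
homeDirectory: /Network/Servers/tehome.thet.net/Volumes/Data/TEFaculty
 /teteacher2

dn: uid=glen,cn=users,dc=thetkey,dc=thet,dc=net
objectClass: posixAccount
cn: Glen
uid: glen
uidNumber: 1026
gidNumber: 20
homeDirectory: /Network/Servers/tahome.thet.net/Users/glen
"""

# Constructed sample: the rebuilt directory, with the two half-created
# accounts from the log and glen re-imported under a different uidNumber.
NEW_EXPORT = """\
dn: uid=untitled_1,cn=users,dc=thetkey,dc=thet,dc=net
objectClass: posixAccount
cn: untitled_1
uid: untitled_1
uidNumber: 1100
gidNumber: 20

dn: uid=teteacher2,cn=users,dc=thetkey,dc=thet,dc=net
objectClass: posixAccount
cn: TE Teacher 2
uid: teteacher2
uidNumber: 1025
gidNumber: 20

dn: uid=glen,cn=users,dc=thetkey,dc=thet,dc=net
objectClass: posixAccount
cn: Glen
uid: glen
uidNumber: 1101
gidNumber: 20
homeDirectory: /Network/Servers/tahome.thet.net/Users/glen
"""

if __name__ == "__main__":
    old, new = parse_ldif(OLD_EXPORT), parse_ldif(NEW_EXPORT)
    for dn, attr in schema_problems(new):
        print(f"SCHEMA: {dn} is missing {attr}")
    changes = uid_changes(old, new)
    for cmd in chown_commands(changes, "/Volumes/Data/Users"):
        print(cmd)
```

Run it against real exports by replacing the two sample strings with the contents of your LDIF files; anything reported by schema_problems will fail in slapd on import, and the find/chown lines are printed rather than executed so you can review them before running them as root on the home server.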
