Login Problems – Help – I’ve got the shakes.
December 29, 2006 at 6:16 am #367916
D-ma
Participant
I have a brand new Xserve but I can’t log in?
Yesterday I installed 10.4.8 Server on our new Xserve (intel quad xeon).
I haven’t done anything fancy, the only thing out of the ordinary is that I’ve set up DHCP and DNS as in the article: https://www.afp548.com/article.php?story=20060529143335323&query=combining%2BDHCP%2Band%2BDNS
DNS and DHCP appear to be working. Both forward and reverse lookups work, and workstations are getting IP fine.
AFP and Open Directory are running and look happy.
But when I go to log in on a workstation all I get is a shaking login screen.
I have bound the workstation to the server.
I thought that it may be to do with the binding and when I go to remove the server binding it says
‘can’t connect to the server’ so I have to forcibly remove it, and rebinding doesn’t work.
I have tried several different workstations – all 10.4 machines, and several different users,
and for some reason one workstation works fine and all the rest don’t??
I haven’t done anything different to this workstation.
lookupd, slapd, Password Server and Kerberos all report as running in Server Admin.
I have tried changing Authentication under AFP to Standard but it made no difference.
I am lost for what to do next – I’m not even sure which log file to post.
Here are some of the Open Directory logs:

kdc Log
Dec 29 18:39:15 kermit.dac.ac.nz krb5kdc[235](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.238: ISSUE: authtime 1167370755, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
Dec 29 18:39:21 kermit.dac.ac.nz krb5kdc[235](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.238: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Dec 29 18:39:21 kermit.dac.ac.nz krb5kdc[235](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.238: ISSUE: authtime 1167370761, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
Dec 29 18:39:21 kermit.dac.ac.nz krb5kdc[235](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.238: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Dec 29 18:39:21 kermit.dac.ac.nz krb5kdc[235](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.238: CHECK_PWS_ACCT: [email protected] for krbtgt/[email protected], Cannot allocate memory
Dec 29 18:39:21 kermit.dac.ac.nz krb5kdc[235](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.220: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Dec 29 18:39:21 kermit.dac.ac.nz krb5kdc[235](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.220: CHECK_PWS_ACCT: [email protected] for krbtgt/[email protected], Cannot allocate memory
Dec 29 18:39:23 kermit.dac.ac.nz krb5kdc[235](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.238: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Dec 29 18:39:23 kermit.dac.ac.nz krb5kdc[235](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.238: CHECK_PWS_ACCT: [email protected] for krbtgt/[email protected], Cannot allocate memory
Dec 29 18:39:33 kermit.dac.ac.nz krb5kdc[235](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.221: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Dec 29 18:39:33 kermit.dac.ac.nz krb5kdc[235](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.221: CHECK_PWS_ACCT: [email protected] for krbtgt/[email protected], Cannot allocate memory

LDAP Log
Dec 29 18:32:08 kermit slapd[77]: SASL [conn=861] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)\n
Dec 29 18:32:08 kermit slapd[77]: Entry (uid=untitled_1,cn=users,dc=kermit,dc=dac,dc=ac,dc=nz): object class ‘posixAccount’ requires attribute ‘homeDirectory’\n
Dec 29 18:32:08 kermit slapd[77]: entry failed schema check: object class ‘posixAccount’ requires attribute ‘homeDirectory’\n
Dec 29 18:32:40 kermit slapd[77]: SASL [conn=863] Failure: no user in database\n
Dec 29 18:34:21 kermit slapd[77]: SASL [conn=866] Failure: no user in database\n
Dec 29 18:34:33 kermit slapd[77]: SASL [conn=868] Failure: no user in database\n
Dec 29 18:34:44 kermit slapd[77]: SASL [conn=871] Failure: no user in database\n
Dec 29 18:34:44 kermit slapd[77]: SASL [conn=871] Failure: no user in database\n
Dec 29 18:35:10 kermit slapd[77]: SASL [conn=873] Failure: no user in database\n
Dec 29 18:36:51 kermit slapd[77]: SASL [conn=884] Failure: no user in database\n
Dec 29 18:37:03 kermit slapd[77]: SASL [conn=886] Failure: no user in database\n
Dec 29 18:37:40 kermit slapd[77]: SASL [conn=888] Failure: no user in database\n
Dec 29 18:39:15 kermit slapd[77]: SASL [conn=915] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)\n
Dec 29 18:39:21 kermit slapd[77]: SASL [conn=927] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)\n
Dec 29 18:39:21 kermit slapd[77]: SASL [conn=929] Failure: no user in database\n
Dec 29 18:39:23 kermit slapd[77]: SASL [conn=932] Failure: no user in database\n
Dec 29 18:39:33 kermit slapd[77]: SASL [conn=934] Failure: no user in database\n
Dec 29 18:40:10 kermit slapd[77]: SASL [conn=936] Failure: no user in database\n
Dec 29 18:40:41 kermit slapd[77]: SASL [conn=938] Failure: no user in database\n
Dec 29 18:40:58 kermit slapd[77]: SASL [conn=940] Failure: no user in database\n
Dec 29 18:40:58 kermit slapd[77]: SASL [conn=940] Failure: no user in database\n
Dec 29 18:41:51 kermit slapd[77]: SASL [conn=942] Failure: no user in database\n

Password Service Server Log
Dec 29 2006 18:43:12 KERBEROS-LOGIN-CHECK: policy violation (-7) for user {0x4594556f5f0dfb4f0000000a0000000a, test}
Dec 29 2006 18:43:12 QUIT: {no user} disconnected.
Dec 29 2006 18:43:12 KERBEROS-LOGIN-CHECK: user {0x4594556f5f0dfb4f0000000a0000000a, test} authentication failed.
Dec 29 2006 18:43:12 QUIT: {no user} disconnected.
Dec 29 2006 18:43:12 RSAVALIDATE: success.
Dec 29 2006 18:43:12 USER: {0x4594556f5f0dfb4f0000000a0000000a, test} is the current user.
Dec 29 2006 18:43:12 AUTH2: {0x4594556f5f0dfb4f0000000a0000000a, test} password change required.
Dec 29 2006 18:43:12 QUIT: {0x4594556f5f0dfb4f0000000a0000000a, test} disconnected.
Dec 29 2006 18:43:14 AUTH2: {0x4594556f5f0dfb4f0000000a0000000a, test} password change required.
Dec 29 2006 18:43:14 KERBEROS-LOGIN-CHECK: policy violation (-7) for user {0x4594556f5f0dfb4f0000000a0000000a, test}
Dec 29 2006 18:43:14 QUIT: {no user} disconnected.
Dec 29 2006 18:43:14 KERBEROS-LOGIN-CHECK: user {0x4594556f5f0dfb4f0000000a0000000a, test} authentication failed.
Dec 29 2006 18:43:14 QUIT: {no user} disconnected.
Dec 29 2006 18:43:14 RSAVALIDATE: success.
Dec 29 2006 18:43:14 USER: {0x4594556f5f0dfb4f0000000a0000000a, test} is the current user.
Dec 29 2006 18:43:14 AUTH2: {0x4594556f5f0dfb4f0000000a0000000a, test} password change required.
Dec 29 2006 18:43:14 QUIT: {0x4594556f5f0dfb4f0000000a0000000a, test} disconnected.
Dec 29 2006 18:43:14 AUTH2: {0x4594556f5f0dfb4f0000000a0000000a, test} password change required.
Dec 29 2006 18:43:14 KERBEROS-LOGIN-CHECK: policy violation (-7) for user {0x4594556f5f0dfb4f0000000a0000000a, test}
Dec 29 2006 18:43:14 QUIT: {no user} disconnected.
Dec 29 2006 18:43:14 KERBEROS-LOGIN-CHECK: user {0x4594556f5f0dfb4f0000000a0000000a, test} authentication failed.
Dec 29 2006 18:43:14 QUIT: {no user} disconnected.
Dec 29 2006 18:43:14 RSAVALIDATE: success.
Dec 29 2006 18:43:14 USER: {0x4594556f5f0dfb4f0000000a0000000a, test} is the current user.
Dec 29 2006 18:43:14 AUTH2: {0x4594556f5f0dfb4f0000000a0000000a, test} password change required.
Dec 29 2006 18:43:14 QUIT: {0x4594556f5f0dfb4f0000000a0000000a, test} disconnected.

Password Service Replication Log
Dec 29 2006 09:45:43 DoSync: This password server does not have replicas.
Dec 29 2006 10:01:17 DoSyncKerberosDeferrals: This password server does not have replicas.
Dec 29 2006 10:01:17 DoSync: This password server does not have replicas.
Dec 29 2006 11:13:00 DoSyncKerberosDeferrals: This password server does not have replicas.
Dec 29 2006 11:13:00 DoSync: This password server does not have replicas.
Dec 29 2006 12:30:06 DoSyncKerberosDeferrals: This password server does not have replicas.
Dec 29 2006 12:30:06 DoSync: This password server does not have replicas.
Dec 29 2006 12:50:06 DoSync: This password server does not have replicas.
Dec 29 2006 13:02:56 DoSync: This password server does not have replicas.
Dec 29 2006 18:31:52 DoSync: This password server does not have replicas.

slapconfig Log
2006-12-28 15:13:43 +1300 – command: /usr/sbin/sso_util configure -x -r KERMIT.DAC.AC.NZ -f /LDAPv3/127.0.0.1 -a dan -p **** -v 1 ldap
2006-12-28 15:13:43 +1300 – sso_util command output:
Contacting the directory server
Creating the service list
Creating the service principals
WARNING: no policy specified for ldap/[email protected]; defaulting to no policy
Creating the keytab file
kadmin.local: No entry for principal ldap/[email protected] exists in keytab WRFILE:/etc/krb5.keytab
Configuring services
WriteSetupFile: setup file path = /temp.Nc57/setup

Any help would be very much appreciated.
Thanks.
December 30, 2006 at 7:26 am #367921
D-ma
Participant
Hi Guys
I have been working hard to try and figure out this problem of mine,
and I’ve made an interesting discovery.
When configuring LDAPv3 Directory Access on a workstation:
If I add the Directory Administrator’s name and password into the Directory Binding it is accepted but I have the login problem described earlier.
Whereas, if I don’t add the Directory Administrator’s details and simply click ‘Continue’ I can log in fine.
Can anyone shed some more light on why this is occurring?
Thanks.
January 10, 2007 at 2:44 am #367968
fherbert
Participant
You may need to check that your security policies on the client and server match. Most likely, your client will have a setup which (since you have used binding) has disabled clear text passwords. If your OD server setup has clear text passwords enabled, then you will see the symptoms you are experiencing. You should see some error messages to this effect on the client machine in /var/log/system.log.
The solution then would be to match up the security policies between the client and server so that they either both allow or not allow clear text passwords.
January 11, 2007 at 12:47 am #367974
D-ma
Participant
As an update I have reinstalled the server and it now seems to behave a lot better now.
Although I have had a machine lose its binding and I had to rename it before I could rebind.
Thanks fherbert – Unfortunately this wasn’t the problem.
I have noticed that clear text passwords are disabled by default on the client
and enabled by default on the server.
So I have been making this policy the same since I first installed the server.
March 12, 2007 at 4:10 am #368529
citibob
Participant
I had this problem too. Rebuilding my server was not an option. After trying many things I found the solution to the problem.
The problem is caused by an option in
Server Admin -> Open Directory -> Settings -> Policy -> Passwords
The option is “Password must be reset on first user login”.
When this option is checked, it interferes badly with the part of Open Directory required to add a new computer to the network. Apparently, when you add a new computer of name XXX, it creates a new “user” in Open Directory of name XXX. When the new computer tries to bind to Open Directory on the server, it is denied access because it is “supposed” to change its password. The clues of all this can be seen in the “Password Service Server Log” above.
Solution (work-around):
1. Un-check the option in question.
2. Delete the non-working binding from client and server.
3. Re-name your client machine and re-do the binding under the new name; reboot the client just before binding to be sure. Using a new name is necessary; the old name is stuck forever in a “need” to change its password on first login, even though you have un-checked the option in question.
March 13, 2007 at 1:53 am #368535
D-ma
Participant
Well Done citibob
You’re dead right – thanks very much.
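The pattern citibob points to in the Password Service Server Log can be picked out mechanically. The following is an added example, not code from any poster in this thread: it assumes the line format of the log quoted in the first post, uses constructed account names and slot IDs, and the function names `summarize` and `stuck_accounts` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the Password Service Server Log
# quoted in the thread (slot IDs and account names are made up).
SAMPLE_LOG = """\
Dec 29 2006 18:43:12 KERBEROS-LOGIN-CHECK: policy violation (-7) for user {0x00000000000000000000000000000001, lab-mac-01}
Dec 29 2006 18:43:12 QUIT: {no user} disconnected.
Dec 29 2006 18:43:12 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000001, lab-mac-01} authentication failed.
Dec 29 2006 18:43:12 RSAVALIDATE: success.
Dec 29 2006 18:43:12 USER: {0x00000000000000000000000000000001, lab-mac-01} is the current user.
Dec 29 2006 18:43:12 AUTH2: {0x00000000000000000000000000000001, lab-mac-01} password change required.
Dec 29 2006 18:43:20 USER: {0x00000000000000000000000000000002, alice} is the current user.
Dec 29 2006 18:43:21 QUIT: {0x00000000000000000000000000000002, alice} disconnected.
Dec 29 2006 18:43:30 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000003, bob} authentication failed.
"""

LINE = re.compile(r"^(\w{3} +\d+ \d{4} [\d:]+) ([A-Z0-9-]+): (.*)$")
ACCOUNT = re.compile(r"\{(0x[0-9a-f]+), ([^}]+)\}")
EVENTS = {
    "password change required": "change_required",
    "policy violation": "policy_violation",
    "authentication failed": "auth_failed",
}

def summarize(log_text):
    """Count the events of interest per (slot id, name) account."""
    counts = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        acct = ACCOUNT.search(m.group(3)) if m else None
        if not acct:
            continue  # unparseable line or a "{no user}" entry
        for needle, label in EVENTS.items():
            if needle in m.group(3):
                counts[acct.groups()][label] += 1
    return counts

def stuck_accounts(log_text):
    """Accounts that are told to change password and also rejected by policy."""
    return sorted(name for (_, name), c in summarize(log_text).items()
                  if c["change_required"] and c["policy_violation"])

if __name__ == "__main__":
    for name in stuck_accounts(SAMPLE_LOG):
        print("forced password change is blocking:", name)
```

An account name that matches a computer record in this output is a candidate for the rename-and-rebind work-around described above.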
April 25, 2011 at 4:04 pm #380684
charleslcso
Participant
Is there any way to erase the bad record/entry in the Open Directory server? It seems that too many of these errors will cause the server to auto-restart, without even leaving a trace of kernel panic or whatsoever! It is happening to our 10.5.8v11 PowerMac G4 used only for hosting OD. No logs/signs of the cause of the restarts.