Mail Service ACL problems – users intermittently cannot authenticate to mail
This topic has 3 replies, 3 voices, and was last updated 17 years, 9 months ago by jdyck.
July 4, 2007 at 9:13 pm #369434
jdyck (Participant)
Hey all,
I’m really hoping someone out there can offer me some advice or direction to look into…
As per instructions in both the AD-OD Integration guide on AFP548 and I believe the AD-OD guide on Mike Bombich’s site, I have set up a new OS X Mail server, bound to AD and using the Service ACLs to define which AD groups get access to email. For the most part it is working very well, but I’m getting failures to authenticate from the client email programs, and when I check the logs I’m getting a note that the service ACL is not enabled for the user. If you try again in a few minutes it’s fine, so I think this is something to do with the server…
Logs look like:
Jul 4 12:55:56 mail imaps[13951]: badlogin from: [IPAddress]. plaintext user: username. service ACL is not enabled for this user
Jul 4 12:55:59 mail imaps[13951]: badlogin from: [IPAddress]. plaintext user: username. service ACL is not enabled for this user
Jul 4 12:56:06 mail imaps[14542]: badlogin from: [IPAddress]. plaintext user: username. service ACL is not enabled for this user
Jul 4 12:56:13 mail imaps[11942]: badlogin from: [IPAddress]. plaintext user: username. service ACL is not enabled for this user
Jul 4 12:56:45 mail imaps[14542]: badlogin from: bda150.bis.na.blackberry.com [216.9.249.150]. plaintext user: username. service ACL is not enabled for this user
Jul 4 12:56:52 mail imaps[11942]: badlogin from: [IPAddress]. plaintext user: username. service ACL is not enabled for this user
Jul 4 12:57:02 mail imaps[11942]: badlogin from: [IPAddress]. plaintext user: username. service ACL is not enabled for this user
Jul 4 12:57:07 mail imaps[11942]: badlogin from: [IPAddress]. plaintext user: username. service ACL is not enabled for this user
More details of my setup:
Intel X-Serve with X-Serve RAID for data storage. The machine is bound to Active Directory, forward and reverse DNS all look good and test fine if I do one of the changeip -checkhostname commands.
In the local NetInfo DB on the server I have defined a group called EMAIL, to which I have added all the Active Directory groups I wish to have email accounts on this server.
I am running OS X Server 10.4.10, although this was also happening with 10.4.9 before I updated.
Thanks in advance for any assistance anyone can offer.
Jeff
July 9, 2007 at 6:53 pm #369465
jdyck (Participant)
OK, I have tried a few more things without much luck (I’m perhaps seeing a few fewer errors, but hard to tell for sure since a lot of our users are now away for summer vacation)…
• I updated to 10.4.10 server.
• I bypassed the OD group of nested AD groups and added the AD groups directly to the Service ACL.
• I have also got a GB switch on order, which will be used to connect all our higher throughput servers, so when this is installed the OS X Mail server should have GB communication to the AD server it authenticates against.
I’ve tried doing the memberd cache thing, but have to confess that I’m not sure how to read the results of this command to give me any information about the problems I’m seeing… When I run the memberd -l command and check the memberd_dump.log I get a big list with tonnes of entries like:
2007-07-09 11:45:17 PDT Group ‘mhofstrand’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mhofstrand’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mhofstrand’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mhofstrand’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mhofstrand’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mhofstrand’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mhofstrand’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mhofstrand’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mmiller’ not found by name (result added to cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
2007-07-09 11:45:17 PDT Group ‘mscheck’ not found by name (result is from cache)
I have been watching my logs a lot and searching for the problem, and do notice that it always seems to happen in batches – i.e. for a few minutes here and there several times throughout the day. Can’t see any rhyme or reason as to the times though, but the fact that it happens intermittently but in batches might mean something to somebody…
I’m going to leave this open for a bit longer to see if anyone has any further information or ideas, but I think if I can’t get this working more reliably I’m going to have to move us to an Exchange server (just kidding) – I’ll probably have to modify the AD schema to include the AppleMailAttribute and populate that. I’d rather stick with Service ACLs though as they seem a lot simpler to implement and maintain.
Thanks again for anything offered.
Jeff
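As an added example (not code from the thread or from Apple): a small Python script that parses the imaps badlogin lines quoted above and groups the "service ACL is not enabled" failures into bursts, so their start times can be lined up against memberd cache activity or AD lookups. The hosts, users and the final reason text in the sample log are constructed, and the year 2007 is assumed because syslog timestamps omit it.

```python
import re
from datetime import datetime
# Matches the Cyrus badlogin lines quoted in the thread. Syslog omits the year,
# so we assume 2007 (the year of the post); set ASSUMED_YEAR for other logs.
ASSUMED_YEAR = 2007
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>\w+)\[(?P<pid>\d+)\]: "
    r"badlogin from: (?P<src>.*?)\. plaintext user: (?P<user>\S+)\. (?P<reason>.*)$"
)

# Constructed sample (hosts, users and the last reason text are made up): two bursts of ACL failures plus one unrelated failure.
SAMPLE_LOG = """\
Jul 4 12:55:56 mail imaps[13951]: badlogin from: [10.0.0.5]. plaintext user: jsmith. service ACL is not enabled for this user
Jul 4 12:55:59 mail imaps[13951]: badlogin from: [10.0.0.5]. plaintext user: jsmith. service ACL is not enabled for this user
Jul 4 12:56:45 mail imaps[14542]: badlogin from: host.example.net [10.0.0.9]. plaintext user: jsmith. service ACL is not enabled for this user
Jul 4 12:57:07 mail imaps[11942]: badlogin from: [10.0.0.5]. plaintext user: mmiller. service ACL is not enabled for this user
Jul 4 15:30:02 mail imaps[11942]: badlogin from: [10.0.0.7]. plaintext user: mscheck. service ACL is not enabled for this user
Jul 4 15:30:40 mail pop3s[20001]: badlogin from: [10.0.0.8]. plaintext user: jsmith. password mismatch (constructed reason)
"""

def parse_badlogins(text):
    """Return one dict per badlogin line, in log order; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "service": m["svc"], "pid": int(m["pid"]),
                       "src": m["src"], "user": m["user"], "reason": m["reason"]})
    return events

def batch_events(events, gap_seconds=120):
    """Split time-sorted events into bursts separated by quiet gaps longer than gap_seconds."""
    batches = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if batches and (ev["time"] - batches[-1][-1]["time"]).total_seconds() <= gap_seconds:
            batches[-1].append(ev)
        else:
            batches.append([ev])
    return batches

def summarize(text, reason_prefix="service ACL", gap_seconds=120):
    """Per burst of ACL failures: start, length in seconds, count, distinct users and imapd pids."""
    acl = [e for e in parse_badlogins(text) if e["reason"].startswith(reason_prefix)]
    return [{"start": b[0]["time"].strftime("%b %d %H:%M:%S"),
             "seconds": int((b[-1]["time"] - b[0]["time"]).total_seconds()),
             "count": len(b), "users": sorted({e["user"] for e in b}),
             "pids": sorted({e["pid"] for e in b})} for b in batch_events(acl, gap_seconds)]
```

Run `summarize(open("/var/log/mail.log").read())` on the real log; bursts that span several imapd pids and several users point at a shared lookup (group resolution or the directory connection) rather than at one client.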