I have an OD setup which consists of 2 XServes running 10.3.5. Both servers act as file servers, serving both AFP and SMB shares. One is the OD master and the other an OD replica. The goal is to have a single sign-on environment for the handful of OS X clients (all currently at 10.3.5 also) in the shop. I've been able to achieve this goal, for the most part, and have been running this setup for several months now.
Getting to this point wasn't a plug-and-play matter though. The first several weeks were spent talking to Apple techs, destroying/rebuilding the OD, demoting/promoting the OD replica, etc. As a result, my current take on OD is that it's cumbersome and buggy (especially compared to Active Directory in a Win environment).
With all that said, I'm wondering if anyone has some insight into my latest problem.
I added a new user (mac05) to the OD the other day, logged into an OS X client machine with the username, and then tried to connect to an AFP share on the OD replica server. All I get is:
(on the client)
Connection Failed
An AppleShare system error occurred
(on the server)
IP 192.168.10.106 - - [03/May/2005:17:28:55 -0800] "Logout mac05" -5023 0 0
and I cannot access any shares on the replica server. However, I can access shares on the master server.
I get the same behavior when connecting to SMB shares on the replica
(on the client)
could not connect to server because the name or password is incorrect
(on the server)
[2005/05/03 17:48:42, 0] pdb_ods.c
odssam_getsampwnam: [0]get_sam_record_attributes dsRecTypeStandard:Users no account for 'mac05'!
As a test I destroyed all Kerberos tickets and then attempted to reconnect via AFP. With no active tickets, I get prompted to enter the Kerberos auth info. I cancelled out of this dialog box, which in turn makes the client revert to the standard AppleShare auth dialog box. I typed in the user's password and clicked connect. No luck.
(on the client)
Login Failed
Sorry the password you entered is incorrect. Please try again.
(on the server)
IP 192.168.10.106 - - [03/May/2005:17:53:11 -0800] "Logout mac05" -5023 0 0
I tried restarting DirectoryServices on both servers, I restarted the AFP service on the replica server, I forced a replication from the master server, and I rebooted the replica server. None of which have made a difference. On top of that, another user account that used to be able to connect to shares on the replica server no longer can (they can still connect to the master though). And, there are several other accounts that are not affected at all, i.e. they can connect to shares on either server with no problems.
If I connect to the replica server with WGM, the new user in question is there. So basically, everything appears to be in working order, it's just that my replica server refuses to authenticate certain users while allowing others.
I haven't tried demoting the replica to standalone and then promoting it back to replica yet. I have a feeling that this may do the trick but I want to get to the root of the problem instead of just band-aid fixing it. I mean what good is all of this if you must manually drop and rebuild the OD constantly.
Is there anyone on here who's been through similar issues and may have some helpful hints? All are appreciated.
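The post above works out by hand which users fail on the replica but still authenticate on the master. The script below does that correlation over the two log formats quoted in the post (the AppleFileServer access log and the Samba pdb_ods message). It is an added example, not code from the original post or from Apple; the log samples are constructed to mirror the quoted lines, and the rule that a non-zero trailing result code in the AFP access log marks a failed request is an assumption of the script, not something the post states.

```python
import re
from collections import defaultdict

# Added example, not from the original post. The regexes model the two log
# lines quoted there. The sample logs further down are constructed, and the
# rule "non-zero AFP result code == failed request" is an assumption here.

# AppleFileServer access log, e.g.
#   IP 192.168.10.106 - - [03/May/2005:17:28:55 -0800] "Logout mac05" -5023 0 0
AFP_LINE = re.compile(
    r'^IP (?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<op>\w+) (?P<user>\S+)" (?P<result>-?\d+) \d+ \d+$'
)

# Samba pdb_ods message: a header line, then the message on the next line, e.g.
#   [2005/05/03 17:48:42, 0] pdb_ods.c
#   odssam_getsampwnam: [0]get_sam_record_attributes dsRecTypeStandard:Users no account for 'mac05'!
SMB_HEADER = re.compile(r'^\[(?P<ts>[^\]]+), (?P<level>\d+)\] (?P<src>\S+)$')
SMB_NO_ACCOUNT = re.compile(r"no account for '(?P<user>[^']+)'")


def parse_afp(lines, server):
    """Return (server, 'afp', user, ok, detail) tuples for AFP access-log lines."""
    events = []
    for line in lines:
        m = AFP_LINE.match(line.strip())
        if not m:
            continue  # not an access-log line; skip silently
        code = int(m.group('result'))
        events.append((server, 'afp', m.group('user'), code == 0,
                       '%s %d' % (m.group('op'), code)))
    return events


def parse_smb(lines, server):
    """Return events for Samba 'no account for' lookup failures.

    Samba writes a header line followed by the message, so the pair is kept
    together; only the directory lookup failure matters for this check.
    """
    events = []
    header = None
    for line in lines:
        line = line.strip()
        if SMB_HEADER.match(line):
            header = line
            continue
        m = SMB_NO_ACCOUNT.search(line)
        if m:
            events.append((server, 'smb', m.group('user'), False,
                           'lookup failed (%s)' % (header or 'no header')))
        header = None
    return events


def summarize(events):
    """Build user -> server -> {'ok': n, 'fail': n, 'detail': [...]}."""
    summary = defaultdict(
        lambda: defaultdict(lambda: {'ok': 0, 'fail': 0, 'detail': []}))
    for server, proto, user, ok, detail in events:
        bucket = summary[user][server]
        bucket['ok' if ok else 'fail'] += 1
        if not ok:
            bucket['detail'].append('%s: %s' % (proto, detail))
    return summary


def users_failing_only_on(summary, bad_server, good_server):
    """Users who fail on bad_server yet only ever succeed on good_server."""
    out = set()
    for user, per_server in summary.items():
        bad = per_server.get(bad_server)
        good = per_server.get(good_server)
        if bad and bad['fail'] and good and good['ok'] and not good['fail']:
            out.add(user)
    return out


# Constructed sample logs modelled on the lines in the post (not real captures).
MASTER_AFP = """\
IP 192.168.10.106 - - [03/May/2005:17:20:01 -0800] "Login mac05" 0 0 0
IP 192.168.10.106 - - [03/May/2005:17:21:10 -0800] "Logout mac05" 0 0 0
IP 192.168.10.107 - - [03/May/2005:17:22:05 -0800] "Login mac02" 0 0 0
IP 192.168.10.108 - - [03/May/2005:17:22:40 -0800] "Login mac03" 0 0 0
""".splitlines()

REPLICA_AFP = """\
IP 192.168.10.106 - - [03/May/2005:17:28:55 -0800] "Logout mac05" -5023 0 0
IP 192.168.10.107 - - [03/May/2005:17:30:12 -0800] "Login mac02" 0 0 0
IP 192.168.10.108 - - [03/May/2005:17:31:03 -0800] "Logout mac03" -5023 0 0
""".splitlines()

REPLICA_SMB = """\
[2005/05/03 17:48:42, 0] pdb_ods.c
  odssam_getsampwnam: [0]get_sam_record_attributes dsRecTypeStandard:Users no account for 'mac05'!
""".splitlines()


def sample_summary():
    events = (parse_afp(MASTER_AFP, 'master')
              + parse_afp(REPLICA_AFP, 'replica')
              + parse_smb(REPLICA_SMB, 'replica'))
    return summarize(events)


if __name__ == '__main__':
    s = sample_summary()
    for user in sorted(users_failing_only_on(s, 'replica', 'master')):
        print(user, s[user]['replica']['detail'])
```

Pointing the two parsers at the real access logs from both servers gives the affected-user set directly, which is the list worth comparing against what WGM shows on the replica before deciding whether a demote/promote is warranted.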