Open Directory Users cannot connect to iCal Server

  • #379187
    danomatic
    Participant

    Situation: 10.6.4 Server (with recent Wiki Server Updates installed), running its own DNS zone, Web, AFP, Open Directory Master, iCal Server. Any Mac 10.6.x client.
    Currently when I try to connect from iCal using an Open Directory account I get the error “iCal found the CalDAV Server berney.hiero, but couldn’t login with the user name “daanhermans”. Make sure the user name and password you entered are correct, then try again.”

    Steps that I have figured out from both client and server side:
    – The server appears to agree with its naming settings (i.o.w. correct DNS setup a.f.a.i.k.), when running changeip -checkhostname, all says to be fine. More about this later.
    – OpenDir claims to be running fine, all parts (LDAP Server, Password Server, Kerberos) are green in the overview. Added to this, when I bind a laptop to the server, and login (Login Window) with an OpenDir account, with AFP network homedir, it’s all fine. This indicates to me that OpenDir is running, Kerberos is indeed fine (it gets a ticket). Opening an AFP connection then also works, without password, since it’s Kerberised.
    – iCal connection doesn’t work with the OpenDir account, as described above.
    – When opening a web browser to https://berney.hiero:8443/ I am able to connect, and see the CalDAV data. If I then click on the calendars folder, it wants me to authenticate. Using the OpenDir account info, I get:
    “The user name or password you entered for area “/Search” on berney.hiero:8443 was incorrect. Make sure you’re entering them correctly, and then try again.”
    Using the local admin account creds does get me through, which let me test:
    – Connecting from iCal (from another Mac) using the local admin account on the server does work, and gives me a proper workable experience.
    – I’m also running Web on this, but had disabled the WebDAV on the default site. Enabling this doesn’t make a difference in logging in, but does in checking things on the server. I’m running ‘sudo opensnoop -v’ on the server to check which process is accessing which files.
    When WebDAV is disabled, output is:
    [code]2010 Jul 27 17:34:24 70 36131 httpd -1 /var/run/proxy/e@/J0/Oj/AVGqdRIbQWS6qAkQ.header
    2010 Jul 27 17:34:24 70 36131 httpd 13 /usr/share/httpd/error/HTTP_METHOD_NOT_ALLOWED.html.var
    2010 Jul 27 17:34:24 70 36131 httpd -1 /var/run/proxy/hB/6A/8W/cRg58E@@sPBl9CRA.header
    2010 Jul 27 17:34:24 70 36131 httpd 14 /usr/share/httpd/error/include/top.html
    2010 Jul 27 17:34:24 70 36131 httpd -1 /var/run/proxy/vM/BU/g@/E1rwSWAIP1B_zTGg.header
    2010 Jul 27 17:34:24 70 36131 httpd 15 /usr/share/httpd/error/include/bottom.html
    2010 Jul 27 17:34:24 70 36131 httpd -1 /var/run/proxy/fb/oD/8t/s7KyemYP96qZLdXw.header
    2010 Jul 27 17:34:24 70 36131 httpd 16 /usr/share/httpd/error/contact.html.var
    2010 Jul 27 17:34:25 0 29 DirectoryServic 25 /var/db/authserver/authserverreplicas.local [/code]

    When WebDAV is enabled, output is:
    [code]2010 Jul 27 17:26:46 70 18542 httpd -1 /Library/WebServer/DaanHermansNL/.DAV/.state_for_dir.dir
    2010 Jul 27 17:26:46 70 18545 httpd 13 /Library/WebServer/DaanHermansNL/
    2010 Jul 27 17:26:46 70 18545 httpd -1 /var/run/proxy/n4/jD/tB/[email protected]
    2010 Jul 27 17:26:46 70 18545 httpd 13 /Library/WebServer/DaanHermansNL/error.html
    2010 Jul 27 17:26:46 0 29 DirectoryServic 25 /var/db/authserver/authserverreplicas.local [/code]

    – As a bit of history / sidenote: this server was clean installed with 10.6.0, and updated since. When installed I had been messing with DNS and names, so ran ‘sudo changeip …’ to change names. All services that matter (OpenDir, iCal, Web) were configured later than the changeip, and all config info I can currently look into, claim to have the current name.
    Only currently did I find the “don’t use changeip, use scutil since 10.6” documentation (which I believe should be shouted at you when running changeip in the first place…), so ‘something’ being wrong in the names is my biggest suspect, but I’m a bit lost in what to check next.

    Anybody else seen any of these behaviours? Any tips on where to check next?

    All pointers are highly appreciated, since besides this one server, I am now getting similar behaviour on a second one I installed last week.

    #379190
    danomatic
    Participant

    Ok, sorry, answering your own post a couple of hours later, sort of shows I should have waited posting, but possibly for historic reasons then:
    – From the Password Service Server Log I found
    [code]Jul 28 2010 02:46:49 AUTH: {0x4af864941ef9a0ab0000000600000006, daanhermans} requested mechanism WEBDAV-DIGEST is not available.
    [/code]
    I had previously switched to Digest only in the iCal Server Authentication method, to exclude Kerberos problems. I’d also switched off the WebDAV Digest as auth methods in the Open Directory -> Settings -> Policies -> Authentication in Server Admin.

    Once I switched that back on, and reset the password from WGM (to have it regenerated as WebDAV version I suppose), login worked…
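
Added example, not part of the original posts: a small Python parser that pulls "requested mechanism … is not available" entries out of Password Service log text and groups them by mechanism and user, so a disabled authentication method can be told apart from a genuinely wrong password. The sample log is constructed: its first line is the entry quoted above, the remaining lines (user `exampleuser`, its slot ID, the CRAM-MD5 entry, the unrelated line) are invented for illustration, and the regular expression assumes every such entry has the same shape as the quoted one.

```python
import re
from datetime import datetime

# Shape of the Password Service line quoted in the post above (assumed stable).
UNAVAILABLE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) AUTH: "
    r"\{(?P<slot>0x[0-9a-fA-F]+), (?P<user>[^}]+)\} "
    r"requested mechanism (?P<mech>\S+) is not available\.\s*$"
)

# Constructed sample input. Line 1 is the entry from the post; the rest are
# invented for illustration (hypothetical user, slot ID and second mechanism).
SAMPLE_LOG = """\
Jul 28 2010 02:46:49 AUTH: {0x4af864941ef9a0ab0000000600000006, daanhermans} requested mechanism WEBDAV-DIGEST is not available.
Jul 28 2010 02:47:02 AUTH: {0x4af864941ef9a0ab0000000600000006, daanhermans} requested mechanism WEBDAV-DIGEST is not available.
Jul 28 2010 02:47:30 AUTH: {0x00000000000000000000000000000001, exampleuser} requested mechanism CRAM-MD5 is not available.
Jul 28 2010 02:48:00 constructed unrelated line that the parser ignores
"""

def parse_unavailable(lines):
    """Return one dict per 'mechanism is not available' entry."""
    events = []
    for line in lines:
        m = UNAVAILABLE.match(line.strip())
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                "user": m["user"].strip(),
                "mechanism": m["mech"],
            })
    return events

def summarize(events):
    """Group by (mechanism, user): count plus first and last time seen."""
    summary = {}
    for e in events:
        key = (e["mechanism"], e["user"])
        s = summary.setdefault(key, {"count": 0, "first": e["time"], "last": e["time"]})
        s["count"] += 1
        s["first"] = min(s["first"], e["time"])
        s["last"] = max(s["last"], e["time"])
    return summary

def mechanisms_to_review(summary):
    """Mechanisms clients asked for that the server policy does not offer."""
    return sorted({mech for mech, _user in summary})

if __name__ == "__main__":
    for (mech, user), s in sorted(summarize(parse_unavailable(SAMPLE_LOG.splitlines())).items()):
        print(f"{mech:15} {user:15} x{s['count']}  {s['first']} .. {s['last']}")
```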
