some 10.4.x-Clients won´t log in to new or changed OD-accounts on 10.3.9-Server

[svenc]

Hi,

strange problem here
Server: Xserve with 10.3.9 Server, OD-Master with Kerberos, homedirectories located on this server
Clients 35 Clients with 10.3.9 (only a few) and 10.4.9-10.4.11

All clients work fine, only two clients (PPC G5) have a problem to login to new or changed accounts (e. g. password was changed).
There was nothing changed on these machines, the error occured the first time, after we changed a password of a OD-User and added a new one

I checked everything, what is mentioned in the many discussions here.

These two clients with 10.4.11 (error also happend on 10.4.9 and 10.4.10) can´t log in these new/changed accounts.
The accounts work on every other machine here, so the accounts are ok.

I also can log in to the server from these clients (with these changed/new accounts), when logged in via a local admin-account (Kerberos-authentication to the server is working fine).
Conclusion: The Kerberos-entries are ok, too.

I deleted and created new entries in DirectoryServices on the clients -> no change
I deleted the /Library/Preferences/DirectoryService-folder on the clients -> no change
I deleted all Cache-Folder (System/Library/Caches and Library/Caches) -> no change
I checked all Network-Preferences -> ok
I checked DNS-responds from the clients -> ok
I also tried the setting to use the LDAP-server distributed by the DHCP-Server (which is working on other clients I also tried this setting on) -> no change

All other clients work in the same setup (LDAP-manuall or automatically), all other clients accept new passwords and accounts instantly (no reboot required). The accounts are ok, the Kerberos-entries are ok.

These two mentioned clients have only one local administration-account, which is the same account all clients have.

the passwords are “keyboard-layout-independent” (we have had some problems here some time ago, with clients using US-layout, even though the layout was set to German-layout at the LoginWindow (we are located in Germany).

Does anyone have an idea, what else to check?

an additional discovery I made:

I tried one account, which is functioning on these two “problem-clients”. I change the password from “123456” to “abcdef”.
I try to log in this account with one of these two Macs… -> does NOT work
I try to log in this account with another Client (w/o problems) -> does work

I change the password back to “123456”
I try to log in this account with one of these two Macs -> does work

I deleted the accounts and created new ones. The accounts work fine on every Mac despite these two machines.

It looks like these two clients are not updating the directoryservice information. This would be consequent after the tests I made…

BUT:
I tried to get a look, which information is readable at the client machines (which are making the trouble):

lookupd -d
lookupd version 369.5 (root 2006.12.02 12:00:25 UTC)
Enter command name, “help”, or “quit” to exit
userWithName: test
Dictionary: “DS: user test”
_lookup_agent: DSAgent
_lookup_validation: 1195423412
gid: 1025
home: /Network/Servers/xserve/Volumes/DATA/HomeDir/test
name: test testuser Test User
passwd: ******** ********
realname: Test User
shell: /bin/bash
uid: 1026
+ Category: user
+ Time to live: 43200
+ Age: 0 (expires in 43200 seconds)
+ Negative: No
+ Cache hits: 0
+ Retain count: 7

I gathered this information on the client, which can NOT log into this account. I can try all new or changed accounts, all are visible to the client….

Does anybody here unterstand this?

• the used accounts are all ok (working on 33 of 35 clients)
• the Kerberos-entries are all ok (working on all clients)
• other accounts work fine on this two machines (40 other accounts)
• the problem only occurs on changed or new accounts.
• reverting the changed accounts to the old state: the accounts work again
• new accounts only work on 33 of 35 machines, only these two Macs can not use these accounts…

any ideas to solve this?

Many thanks in advance

Regards

svenc

P.S.:

another thing I checked:

I tried to login to these two clients from the server via ssh.
Login via one of the changed/new accounts does NOT work.
Login via another (unchanged/old) account DOES work…

😕

[Author]

Posts