Forum Replies Created

Viewing 11 posts - 1 through 11 (of 11 total)
  • in reply to: change “current HostName” with changeip #377174
    MDLarson
    Participant

    Just want to say… thanks for that reply. I am not good with the command line but that saved me. 🙂

    MDLarson
    Participant

    I figured it out!

    After poking around some, I found the offending settings here:
    Server Admin > (select the server on the left) > Settings > Access > Services

    For some unknown reason my services were set up as follows:
    AFP “Allow only users and groups below:” 533997AA-89C4-4CD9-AB2B-06603B00D5D4
    Blog “Allow all users and groups”
    FTP “Allow all users and groups”
    iCal “Allow only users and groups below:” 533997AA-89C4-4CD9-AB2B-06603B00D5D4
    iChat “Allow only users and groups below:” 533997AA-89C4-4CD9-AB2B-06603B00D5D4
    Login Window “Allow all users and groups”
    Mail “Allow only users and groups below:” (area was blank)
    Podcast Producer “Allow all users and groups”
    QuickTime Streaming “Allow all users and groups”
    RADIUS “Allow all users and groups”
    SMB “Allow only users and groups below:” 533997AA-89C4-4CD9-AB2B-06603B00D5D4
    SSH “Allow all users and groups”
    VPN “Allow only users and groups below:” (area was blank)
    Xgrid “Allow all users and groups”

    I switched AFP to “Allow all users and groups” and now I can log in via username / password flawlessly.

    Dragging users into that list displays the real user name, so the big long code listed above looks out of place and buggy to me. I did switch the server from the simple setup to the advanced setup along my journey, so perhaps something got messed up there? I don’t know but now things are working right and I am happy again.

    MDLarson
    Participant

    Hello and thanks for the tips; you’re right in looking at the logs first!

    I couldn’t find a “kdc” log, but here are the results of a login I just attempted where I am positive I’m entering in the correct password…

    AFP > Access Log
    “The selected log file does not exist”

    Open Directory > Kerberos Server Log
    Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
    Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
    Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](debug): handling authdata
    Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](debug): handling authdata
    Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](debug): .. .. ok
    Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](debug): .. .. ok
    Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, [email protected] for afpserver/[email protected]
    Oct 23 09:08:55 smpl-xserve.private krb5kdc[110](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, [email protected] for afpserver/[email protected]

    Open Directory > Password Service Server Log
    Oct 23 2008 09:08:55 KERBEROS-LOGIN-CHECK: user {0x48c83b7837f326720000000600000006, mdlarson} is in good standing.
    Oct 23 2008 09:08:55 KERBEROS-LOGIN-CHECK: user {0x48c83b7837f326720000000600000006, mdlarson} authentication succeeded.
    Oct 23 2008 09:08:57 AUTH2: {0x48c83b7873f236720000000600000006, mdlarson} DIGEST-MD5 authentication succeeded.

    Open Directory > LDAP Log
    Oct 23 09:08:55 smpl-xserve slapd[40]: <= bdb_substring_candidates: (authAuthority) index_param failed (18)

    The only thing that looks suspicious to me is that the AFP log doesn't exist. 😛

    -Matt
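
A way to read the KDC lines in the post above, as an added example that is not part of the original post: NEEDED_PREAUTH is the normal first leg of a login, and a TGS_REQ that ends in ISSUE for the afpserver principal means authentication succeeded, so a refusal after that point lies with the service's access list. The log lines, principals and realm below are constructed placeholders in the same format, and the function names are hypothetical.

```python
import re

# Constructed sample lines in the krb5kdc format shown in the post;
# the principals and realm are placeholders, not values from the page.
SAMPLE_LOG = """\
Oct 23 09:08:55 host.example krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: NEEDED_PREAUTH: alice@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE, Additional pre-authentication required
Oct 23 09:08:55 host.example krb5kdc[110](debug): handling authdata
Oct 23 09:08:55 host.example krb5kdc[110](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE
Oct 23 09:08:55 host.example krb5kdc[110](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.172: ISSUE: authtime 1224770935, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.PRIVATE for afpserver/host.example@EXAMPLE.PRIVATE
"""

# request type, client address, status, then "<client> for <service>"
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:.*, )?(?P<client>\S+) for (?P<service>[^\s,]+)"
)

def summarize(log_text):
    """Map each client to whether a TGT was issued and which services got tickets."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["status"] != "ISSUE":
            continue  # NEEDED_PREAUTH is the expected first leg, not a failure
        entry = result.setdefault(m["client"], {"tgt": False, "services": []})
        if m["req"] == "AS_REQ":
            entry["tgt"] = True
        elif m["service"] not in entry["services"]:  # logs may repeat lines
            entry["services"].append(m["service"])
    return result

def diagnose(log_text, client, service_prefix):
    """Say whether a failed login looks like an authentication or authorization problem."""
    entry = summarize(log_text).get(client)
    if entry is None or not entry["tgt"]:
        return "authentication: no TGT issued"
    if any(s.startswith(service_prefix + "/") for s in entry["services"]):
        return "authorization: ticket issued, check the service's access list"
    return "no service ticket requested or issued"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "alice@EXAMPLE.PRIVATE", "afpserver"))
```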

    in reply to: How do I uninstall Server Admin Tools? #361458
    MDLarson
    Participant

    Problem solved. I actually called up Apple tech support, and it turns out I need to delete some things called receipts in my Library folder. I did that, and I was able to successfully reinstall the Admin Tools again. I had to delete the “ServerAdministrationSoftware.pkg” to reinstall the Admin Tools, and also delete the “AdminToolsUpdate10.3.5.pkg” to apply the software update again.

    in reply to: Windows XP VPN connection times out (IPSec) #361433
    MDLarson
    Participant

    OK, so as far as this thread is concerned, it’s done. I couldn’t make the L2TP / IPSec connection work on the PC. I switched to PPTP for the PC and it’s working half-way. Connecting to the VPN breaks the internet, mail and AIM connections, so there is obviously something wrong there.

    I’ll probably start a new thread on that issue if I can’t figure it out… hopefully I can get more help with that…

    in reply to: Windows XP VPN connection times out (IPSec) #361430
    MDLarson
    Participant

    Firewall, firewall, firewall!

    I told you I was brand new to all of this! The very port that this site is named after, the Apple File Service, was turned off in the Mac OS X Server firewall. I also turned on the LDAP Service in the firewall.

    After turning this port on, I can connect from my remote iMac G5 via L2TP and mount a local share, whereas before I could not. Furthermore, I turned on the “PPTP VPN” port and I can now connect from the same iMac via PPTP whereas before I could not.

    After worrying about having to configure etc/host files, once again I am pleasantly surprised by an easily overlooked firewall option.

    Now I will need to get my Windows XP Home PC running…

    in reply to: Windows XP VPN connection times out (IPSec) #361407
    MDLarson
    Participant

    Argghh… I’m still not up and running. I checked the Mac OS X client Network settings, which can be seen here:
    Mac OS X Client / System Preferences / VPN (L2TP)
    Where’s the subnet mask???

    in reply to: Windows XP VPN connection times out (IPSec) #361385
    MDLarson
    Participant

    I turned on the AFP service, and tested it out from My Desk, in the Main Location. Using the Connect to Server… command in the Finder and typing “10.0.0.1” times out, but typing “Xserve.local” establishes a connection where I can log on and view the Groups, Public and Users volumes. (And yes, I know it was incredibly creative of me to name the Xserve “Xserve”)

    From the VPN connection, I can log in to the VPN service, but doing the same procedure as above (Connect to Server) results in timeouts for both methods. In addition, the timeouts seem to be rather premature and do not last the full 120 second tickdown.

    I really appreciate your help, MacTroll.

    in reply to: Windows XP VPN connection times out (IPSec) #361379
    MDLarson
    Participant

    OK, I changed my Secondary Location’s subnet from 10.0.0.XXX to 10.0.1.XXX, and also updated my diagram to reflect the change.

    I can now ping LAN IP addresses (10.0.0.XXX) in the Main Location, when before I could not. Great!

    However, I still cannot mount a share on the File Server (10.0.0.102) or hit the FileMaker Server (10.0.0.104) via remote FM client or establish a VNC connection on my computer (10.0.0.70). Functionally, I can still establish the VPN, but I can’t do anything with it.

    The Windows XP (Home) client still cannot connect. I get the exact same behavior (same error message, same log entries on the VPN server).

    By the way, the “mood” thing is cool, and I really like the ability to do true HTML in my messages.

    in reply to: Windows XP VPN connection times out (IPSec) #361377
    MDLarson
    Participant

    [QUOTE BY= MacTroll] Aiiiieeee!

    You have the same subnet on either side of the network. Can’t do that with these types of VPNs. Change one side or the other to a different naming scheme 10.0.1.x for example.[/QUOTE]

    Ha! That’s what I was looking for. The basic piece of information that I just couldn’t figure out. It’s been tough just figuring out the basics… thanks! I’ll switch it up today and see if that solves my issues.

    in reply to: Windows XP VPN connection times out (IPSec) #361363
    MDLarson
    Participant