Forum Replies Created
February 22, 2008 at 1:13 am in reply to: OD Master fails to authenticate diradmin, won’t accept correct password #371639
Macchick (Participant)
Yeaaaaaahhhhh! It is unlocked!!!!!! Victory!
I actually tried to remove all the Kerberos settings (because I read it had worked for somebody on the macos-x-server list), but I didn’t reboot after that, I just re-launched OD! I guess Kerberos or something else has to be re-launched too.
Chris,
you saved me big-time! Now, let’s see if that is going to hold stable for more than 2 days :-))))))
–Yasmina
February 21, 2008 at 11:27 pm in reply to: OD Master fails to authenticate diradmin, won’t accept correct password #371634
Macchick (Participant)
This is not a passwd problem. I have been having the same issue. This is a WorkGroupManager problem, but I don’t know how to fix it. If you have any idea of what I’m doing wrong, I’d appreciate it. It’s supposed to be in production phase next month, and it seems that I could just use something else to connect to the LDAP, but frankly, WGM is nice. I see a few other persons that have the same problem on the mac-os-x-server mailing list. I’ve posted there too, but no answer so far.
It never happened when I played with it in 10.4. Yet, I had never set it up fully to have my Apache server connecting to it. It started happening after I upgraded to 10.5. It did it with 10.5.1 and is still doing it. The first time, I downgraded/upgraded the OD so many times that it would fail to be a master after that; I had to run the command to erase the LDAP server manually. I tried to change the passwd with mkpasswd and it successfully did it (so the logs were saying), but still no unlocking from WGM.
My system: Intel Xserve, 10.5.2. Everything is original on the Xserve. I did a full install from scratch of Leopard Server.
No DNS server on it (we do automatic DHCP and DNS). The only service running is the OD. I’ve set the OD up as follows:
OD Master no replica (the first time it happened, it had a replica on an identical xserve)
No policy on passwd
Binding policy:
enable auth directory binding (required between directory and clients)
disable clear text passwd (I’ve tried after it locked without this – no change)
digitally sign all packets
block man-in-the-middle
disable client-side caching
The DNS gives us a name as Name.PRETENDCO.COM, so that’s how I’ve set the base, but in the log I sometimes see the full name in uppercase as NAME.PRETENDCO.COM. The alias in the logs is “Name” and the server knows itself as Name.PRETENDCO.COM.
Here is what I know (it is reproducible, at least twice):
At first it works:
I set the diradmin password.
I log in to the OD server through the local WGM AND from a remote one. I saved the passwd in the keychain of the remote one.
I get in directly remotely (because it can read the passwd saved in the keychain) and I have to type the passwd locally.
I can lock, unlock as much as I want.
I can connect to the OD though my apache server on another machine.
Everything works fine.
I see in the log which user is authenticated, whether it authenticated through apache or through the WGM.
I did that 2 (maybe it was 3) days in a row, no problems.
Then, I wait a few days (I’m not sure how many, let’s say a week), letting Apache authenticate my users. It works, no worry.
Then I want to add a user in the OD, I launch the WGM and that’s when it breaks.
Either locally or remotely, the WGM gives me the same error (remember that remotely the passwd is saved in my keychain).
I got the following error “The login information is not valid for this server”
Now I know this is not a passwd problem, because the logs tell me I successfully authenticated as diradmin.
My apache server is also still happy to negotiate the binding and the authentication with the OD (everything asks for passwd)
Only the WGM is refusing to unlock.
I bought the Xserve only to be able to use the WGM. I could put an LDAP server on any of the Debian machines we have. I don’t know what to do.
Here are the logs I can find:
Here is the Directory Services server logs when I last restarted it:
2008-02-19 15:49:43 PST – T[0xB029A000] – Plugin “PasswordServer”, Version “4.0.2”, loaded on demand successfully.
2008-02-19 15:49:43 PST – T[0xB029A000] – Plug-in PasswordServer state is now active.
No error in the DS error log.
It seems like this is what happens just before, in the Kerberos Admin log:
Feb 19 15:47:28 kadmind[40](info): No dictionary file specified, continuing without one.
Feb 19 15:47:28 kadmind[40](info): No dictionary file specified, continuing without one.
Feb 19 15:47:29 kadmind[40](info): Seeding random number generator
Feb 19 15:47:29 kadmind[40](info): Seeding random number generator
Feb 19 15:47:29 kadmind[40](info): starting
Feb 19 15:47:29 kadmind[40](info): starting
I guess that is just now, when I tried to unlock the WGM (from the Kerberos server log):
Feb 21 14:27:07 krb5kdc[87](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) : ISSUE: authtime 1203632827, etypes {rep=16 tkt=16 ses=16}, diradmin@ for ldap/ @
I keep getting these in the LDAP log:
Feb 21 14:27:07: — last message repeated 1 time —
Feb 21 14:27:07 slapd[37]: <= bdb_substring_candidates: (authAuthority) index_param failed (18)
Feb 21 14:27:07 slapd[37]: SASL [conn=727] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
And that is the Password Service Server log, the one that tells me that the passwd is fine:
— Start: Server rolled log on: Feb 21 2008 14:25:55 —
Feb 21 2008 14:25:55 AUTH2: {ID, diradmin} DHX authentication succeeded.
Feb 21 2008 14:25:55 KERBEROS-LOGIN-CHECK: user {ID, diradmin} is in good standing.
Feb 21 2008 14:25:55 KERBEROS-LOGIN-CHECK: user {ID, diradmin} authentication succeeded.
Feb 21 2008 14:25:55 GETDISABLEDUSERS
Feb 21 2008 14:25:55 GETDISABLEDUSERS
Feb 21 2008 14:25:58 AUTH2: {ID, diradmin} DHX authentication succeeded.
Feb 21 2008 14:25:58 KERBEROS-LOGIN-CHECK: user {ID, diradmin} is in good standing.
Feb 21 2008 14:25:58 KERBEROS-LOGIN-CHECK: user {ID, diradmin} authentication succeeded.
Feb 21 2008 14:27:07 AUTH2: {ID, diradmin} DHX authentication succeeded.
Feb 21 2008 14:27:07 KERBEROS-LOGIN-CHECK: user {ID, diradmin} is in good standing.
Feb 21 2008 14:27:07 KERBEROS-LOGIN-CHECK: user {ID, diradmin} authentication succeeded.
I have errors in the passwd service error log:
— Start: Server rolled log on: Feb 19 2008 15:24:40 —
Feb 19 2008 15:24:40 Registration is finished error: (10, -72000).
Feb 19 2008 15:44:41 Registration is finished error: (10, -72000).
Feb 19 2008 15:44:41 Registration is finished error: (10, -72000).
Help Help Help!!!
–Yasmina
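The post above shows the pattern that makes this failure confusing: the Password Server log reports a successful diradmin authentication while slapd reports a GSSAPI keytab mismatch on the same second. As an added triage example (not part of the original post, and not an Apple tool), the script below correlates constructed lines modelled on the quoted Password Server and slapd logs and reports whether the symptom points at the password or at the Kerberos keytab; the log formats and the verdict labels are assumptions for illustration.

```python
import re

# Constructed sample lines modelled on the logs quoted in the post.
PASSWORD_SERVER_LOG = """\
Feb 21 2008 14:27:07 AUTH2: {ID, diradmin} DHX authentication succeeded.
Feb 21 2008 14:27:07 KERBEROS-LOGIN-CHECK: user {ID, diradmin} authentication succeeded.
"""
SLAPD_LOG = """\
Feb 21 14:27:07 slapd[37]: <= bdb_substring_candidates: (authAuthority) index_param failed (18)
Feb 21 14:27:07 slapd[37]: SASL [conn=727] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
"""

# Password Server: a DHX/other mechanism succeeded for a given user.
AUTH_OK = re.compile(r"AUTH2: \{ID, (?P<user>[^}]+)\} \w+ authentication succeeded")
# slapd: a SASL bind failed inside GSSAPI; capture the minor-code text in parentheses.
GSS_FAIL = re.compile(
    r"SASL \[conn=(?P<conn>\d+)\] Failure: GSSAPI Error: .*\((?P<minor>[^)]+)\)"
)


def triage(pw_log: str, slapd_log: str) -> dict:
    """Correlate Password Server successes with slapd GSSAPI failures.

    Returns the users whose password check succeeded, the GSSAPI failures
    seen by slapd, and a verdict: 'password' when nobody authenticated,
    'kerberos-keytab' when the password was fine but the LDAP bind died on a
    keytab/principal mismatch, otherwise 'unknown'.
    """
    ok_users = {m.group("user") for line in pw_log.splitlines()
                if (m := AUTH_OK.search(line))}
    gss = [m.groupdict() for line in slapd_log.splitlines()
           if (m := GSS_FAIL.search(line))]
    if not ok_users:
        verdict = "password"
    elif any("keytab" in f["minor"] for f in gss):
        verdict = "kerberos-keytab"
    else:
        verdict = "unknown"
    return {"authenticated": sorted(ok_users), "gss_failures": gss, "verdict": verdict}


if __name__ == "__main__":
    result = triage(PASSWORD_SERVER_LOG, SLAPD_LOG)
    print(result["verdict"], result["authenticated"], result["gss_failures"])
```

A 'kerberos-keytab' verdict means the LDAP SASL/GSSAPI bind, not the password, is what WGM is tripping over, which is consistent with the fix reported in the later reply (re-creating the Kerberos configuration and rebooting).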