Amicuk Programming Answers

Unable to authenticate with diradmin in Workgroup Manager

2015-10-11   Views:1


This has happened before, and I have no idea how it got fixed - too many independent variables...
Anyway, I cannot authenticate the OD with diradmin even while using Workgroup Manager directly on the server.
The setup:
SLS 10.6.8
Split-brained DNS
     Both public and private FQDNs are the same (myserver.mydomain.com). External DNS maps machine record to my static public IP address. Using an AirPort Extreme router, port forwarding services that I want open to the server. The router provides DHCP via NAT to the local network, with a fixed private IP assigned to the server. The server is running DNS with the same zones, machine records, services and aliases that the public IP DNS has, except mapped to the fixed private IP. DNS checks out with changeip, etc.
     The server is an OD master. Yesterday I exported it, demoted it, and restored it. All services (mail, web, etc.) seem to work fine (although I admit to not using Kerberos on AFP due to another issue).
     I have a wildcard certificate that is generated by GoDaddy (*.<mydomain>.com) which seems to work fine with the hosted websites.
This is what the password service error log says when I try to log in with diradmin in Workgroup Manager:
Jan 10 2012 14:01:32    AUTH2: {0x4bbe71ca6b8b45670000000200000002, diradmin} DHX authentication succeeded.
Jan 10 2012 14:01:32    KERBEROS-LOGIN-CHECK: user {0x4bbe71ca6b8b45670000000200000002, diradmin} is in good standing.
Jan 10 2012 14:01:32    KERBEROS-LOGIN-CHECK: user {0x4bbe71ca6b8b45670000000200000002, diradmin} authentication succeeded.
Looks good to me. But I still get the "Information Not Valid for This Server" followed by stuff about invalid login ID or password.
I did notice in the LDAP log:
Jan 10 14:13:12 <myserver> slapd[52283]: SASL [conn=18] Failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)
And at the last bootup in the directory service error log:
2012-01-10 08:52:03 EST - T[0x00007FFF7027ACC0] - DNSServiceProcessResult returned -65563
The other thing I notice is that when I log into the library in Workgroup Manager FROM THE SERVER, even if I use the FQDN <myserver>.<mydomain>.com, Workgroup Manager says (in the title bar of the window) <myserver>.local.
I have googled the various errors and messages, and I get folks with all sorts of variations ("change the binding options", etc.) none of which either applied or worked.
Help?

The reply
Continuing on my quest... I found this Technical note from Apple about re-kerberizing:
http://support.apple.com/kb/HT3655
Interestingly, in step 3 where it says to remove realm information from kdc.conf, there wasn't any of my realm information. Argh!
So I completed all of the steps and executed the slapconfig command. This resulted in:
bash-3.2# slapconfig -kerberize -f --allow_local_realm diradmin <MYREALM>
diradmin's Password:
Could not resolve hostname <MYDOMAIN>
Skipping Kerberos configuration
Sounds like a dreaded DNS problem. It had been working correctly, but changeip -checkhostname confirmed a problem. Turns out that there were EXTERNAL DNS servers in the Network preferences in System Preferences as well as on the router. With my Split-brained DNS this caused problems (thank you again MrHoffman). So I changed them both to my DNS server INTERNAL IP address and added the external ones to the Forwarder IP Address in DNS. Now checkhostname -changeip returns a favorable result.
So after rebooting I ran the slapconfig command again and got the same result. Argh. Cleared DNS caches. Still nothing.
So I tried nslookup.
nslookup <mydomain>
Server:                    10.0.8.2
Address:          10.0.8.2#53
** server can't find <mydomain>: SERVFAIL
Where 10.0.8.2 is the fixed INTERNAL IP address.
However, nslookup using the fixed IP address yields:
bash-3.2# nslookup 10.0.8.2
Server:                    10.0.8.2
Address:          10.0.8.2#53
2.8.0.10.in-addr.arpa          name = <mydomain>.
Scratching head here... changeip -checkhostname works, nslookup on the IP address works, but nslookup on the host name fails.
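
The asymmetry described in the reply above (the reverse lookup answers, the forward lookup returns SERVFAIL) can be checked mechanically before re-running slapconfig. This is an added example, not part of the original post: the function names classify_lookup and check_host_dns are hypothetical, myserver.example.com is a placeholder, and the nslookup outputs are constructed to match the shape shown above.

```sh
# Added example (not from the original post). Sample nslookup outputs are
# constructed; myserver.example.com is a placeholder for the server's FQDN.

# Reads nslookup output on stdin; prints "A <ip>", "PTR <name>",
# "FAIL <rcode>" or "UNKNOWN".
classify_lookup() {
    awk '
        /server can.t find/     { sub(/.*: */, ""); print "FAIL " $0; hit = 1; exit }
        /name = /               { n = $NF; sub(/\.$/, "", n); print "PTR " n; hit = 1; exit }
        /^Name:/                { named = 1; next }
        named && /^Address/     { print "A " $2; hit = 1; exit }
        END                     { if (!hit) print "UNKNOWN" }
    '
}

# Returns 0 only when name -> ip and ip -> name both hold.
# Live use: check_host_dns "$h" "$ip" "$(nslookup "$h")" "$(nslookup "$ip")"
check_host_dns() {
    name=$1; ip=$2
    fwd=$(printf '%s\n' "$3" | classify_lookup)
    rev=$(printf '%s\n' "$4" | classify_lookup)
    if [ "$fwd" != "A $ip" ]; then
        echo "forward lookup of $name: expected 'A $ip', got '$fwd'"; return 1
    fi
    if [ "$rev" != "PTR $name" ]; then
        echo "reverse lookup of $ip: expected 'PTR $name', got '$rev'"; return 1
    fi
    echo "forward and reverse records agree for $name"
}

# Constructed outputs: the failing forward lookup and working reverse lookup
# have the shape shown in the answer; FWD_OK is what a healthy zone returns.
FWD_FAIL="Server:   10.0.8.2
Address:  10.0.8.2#53

** server can't find myserver.example.com: SERVFAIL"
REV_OK="Server:   10.0.8.2
Address:  10.0.8.2#53

2.8.0.10.in-addr.arpa   name = myserver.example.com."
FWD_OK="Server:   10.0.8.2
Address:  10.0.8.2#53

Name:     myserver.example.com
Address:  10.0.8.2"

check_host_dns myserver.example.com 10.0.8.2 "$FWD_FAIL" "$REV_OK" || true
check_host_dns myserver.example.com 10.0.8.2 "$FWD_OK" "$REV_OK"
```

A "FAIL SERVFAIL" on the forward side with a valid PTR on the reverse side points at the forward zone on the internal DNS server rather than at the client's resolver settings.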
