Amicuk Programming Answers

Unable to authenticate with diradmin in Workgroup Manager

2015-10-11   Views:1

This has happened before, and I have no idea how it got fixed - too many independent variables...
Anyway, I cannot authenticate the OD with diradmin even while using Workgroup Manager directly on the server.
The setup:
SLS 10.6.8
Split-brained DNS
     Both public and private FQDNs are the same (myserver.mydomain.com). External DNS maps machine record to my static public IP address. Using an AirPort Extreme router, port forwarding services that I want open to the server. The router provides DHCP via NAT to the local network, with a fixed private IP assigned to the server. The server is running DNS with the same zones, machine records, services and aliases that the public IP DNS has, except mapped to the fixed private IP. DNS checks out with changeip, etc.
     The server is an OD master. Yesterday I exported it, demoted it, and restored it. All services (mail, web, etc.) seem to work fine (although I admit to not using Kerberos on AFP due to another issue).
     I have a wildcard certificate that is generated by GoDaddy (*.<mydomain>.com) which seems to work fine with the hosted websites.
This is what the password service error log says when I try to log in with diradmin in Workgroup Manager:
Jan 10 2012 14:01:32    AUTH2: {0x4bbe71ca6b8b45670000000200000002, diradmin} DHX authentication succeeded.
Jan 10 2012 14:01:32    KERBEROS-LOGIN-CHECK: user {0x4bbe71ca6b8b45670000000200000002, diradmin} is in good standing.
Jan 10 2012 14:01:32    KERBEROS-LOGIN-CHECK: user {0x4bbe71ca6b8b45670000000200000002, diradmin} authentication succeeded.
Looks good to me. But I still get the "Information Not Valid for This Server" followed by stuff about invalid login ID or password.
I did notice in the LDAP log:
Jan 10 14:13:12 <myserver> slapd[52283]: SASL [conn=18] Failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)
And at the last bootup in the directory service error log:
2012-01-10 08:52:03 EST - T[0x00007FFF7027ACC0] - DNSServiceProcessResult returned -65563
The other thing I notice: when I log into the library in Workgroup Manager FROM THE SERVER, even if I use the FQDN <myserver>.<mydomain>.com, Workgroup Manager says (in the title bar of the window) <myserver>.local.
I have googled the various errors and messages, and I get folks with all sorts of variations ("change the binding options", etc.) none of which either applied or worked.
Help?

The reply
Continuing on my quest... I found this Technical note from Apple about re-kerberizing:
http://support.apple.com/kb/HT3655
Interestingly, in step 3 where it says to remove realm information from kdc.conf, there wasn't any of my realm information. Argh!
So I completed all of the steps and executed the slapconfig command. This resulted in:
bash-3.2# slapconfig -kerberize -f --allow_local_realm diradmin <MYREALM>
diradmin's Password:
Could not resolve hostname <MYDOMAIN>
Skipping Kerberos configuration
Sounds like a dreaded DNS problem. It had been working correctly, but changeip -checkhostname confirmed a problem. Turns out that there were EXTERNAL DNS servers in the Network preferences in System Preferences as well as on the router. With my Split-brained DNS this caused problems (thank you again MrHoffman). So I changed them both to my DNS server INTERNAL IP address and added the external ones to the Forwarder IP Address in DNS. Now checkhostname -changeip returns a favorable result.
So after rebooting I ran the slapconfig command again and got the same result. Argh. Cleared DNS caches. Still nothing.
So I tried nslookup.
nslookup <mydomain>
Server:                    10.0.8.2
Address:          10.0.8.2#53
** server can't find <mydomain>: SERVFAIL
Where 10.0.8.2 is the fixed INTERNAL IP address.
However, nslookup using the fixed IP address yields:
bash-3.2# nslookup 10.0.8.2
Server:                    10.0.8.2
Address:          10.0.8.2#53
2.8.0.10.in-addr.arpa          name = <mydomain>.
Scratching head here... changeip -checkhostname works, nslookup on the IP address works, but nslookup on the host name fails.
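
Added example, not part of the original post: a small shell check for the condition the reply ends on, where the reverse (PTR) lookup answers but the forward lookup returns SERVFAIL. Kerberos service principals are tied to the host's name, so both directions have to agree before re-kerberizing can succeed. The function names, the script name dnscheck.sh and the host myserver.example.com are assumptions, and the sample output is constructed in the shape of the nslookup output quoted above.

```bash
#!/bin/bash
# Added example (not from the original post). Sample output below is constructed.

# Forward lookup result: prints the answer address, or FAIL:<reason>.
forward_addr() {   # $1 = text printed by `nslookup <name>`
  printf '%s\n' "$1" | awk '
    /^\*\* server can.t find/ { print "FAIL:" $NF; hit = 1; exit }
    /^Name:/                  { seen = 1; next }
    seen && /^Address/        { print $2; hit = 1; exit }
    END { if (!hit) print "FAIL:NOANSWER" }'
}

# Reverse lookup result: prints the PTR name (lower case, no trailing dot).
reverse_name() {   # $1 = text printed by `nslookup <address>`
  printf '%s\n' "$1" | awk '
    /name = / { sub(/\.$/, "", $NF); print tolower($NF); hit = 1; exit }
    END { if (!hit) print "FAIL:NOPTR" }'
}

# Compare both directions for one host; returns non-zero on any inconsistency.
classify() {       # $1 = FQDN, $2 = forward output, $3 = reverse output
  c_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  c_addr=$(forward_addr "$2")
  c_name=$(reverse_name "$3")
  case "$c_addr" in FAIL:*) echo "forward-broken ($c_addr)"; return 1 ;; esac
  case "$c_name" in FAIL:*) echo "reverse-broken ($c_name)"; return 1 ;; esac
  if [ "$c_name" != "$c_host" ]; then
    echo "mismatch ($c_host -> $c_addr -> $c_name)"; return 1
  fi
  echo "ok ($c_host <-> $c_addr)"
}

# Constructed samples in the shape of the output quoted in the post.
SAMPLE_FWD_FAIL="Server:  10.0.8.2
Address: 10.0.8.2#53

** server can't find example.com: SERVFAIL"
SAMPLE_FWD_OK="Server:  10.0.8.2
Address: 10.0.8.2#53

Name:    myserver.example.com
Address: 10.0.8.2"
SAMPLE_REV="2.8.0.10.in-addr.arpa  name = myserver.example.com."

# Live use (hypothetical script name): ./dnscheck.sh <fqdn> <dns-server>
if [ "$#" -ge 2 ]; then
  fwd=$(nslookup "$1" "$2" 2>&1)
  rev=$(nslookup "$(forward_addr "$fwd")" "$2" 2>&1)
  classify "$1" "$fwd" "$rev"
fi
```

Run against the internal DNS server, a "forward-broken" result with a working PTR reproduces the state described in the reply and points at the forward zone rather than at the reverse zone or the resolver settings.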
