Solved

Unable to sign into network users

Posted on 2010-08-18
Last Modified: 2013-12-21
Basically, when I try to log into a network user account the login window shakes as if the password is wrong... which is not the case. I know it also shakes when there is an authorization error...but let me list what I know thus far:

- on the login screen from a client computer, it says "Network Accounts" available
- you can sign in on the server itself using a network user account
- users have been made in the /LDAPv3/127.0.0.1 directory and have had their home folders created in an automount share point using AFP on /Users (I clicked the "Create Home Now" button to make sure)
- AFP is enabled and the service is set to be used by anyone
- I checked ACL/POSIX permission on the share points, and network users have access to them... double checked with the effective permissions viewer.
- From a client Mac computer, I can log into a local account and access the server through the network with a network account (no problems here, can access the network user's home folder normally after mounting)
- Users are set to log in using Open Directory in the Advanced tab of Workgroup Manager

For a while I was having a DNS issue (checked with doing the whole "changeip -checkhostname") but I resolved that. While I was having the DNS issue though, I still couldn't sign on to the network user account, and I was getting a different error, it was very generic... it just said an error had occurred (no code, no clues).

SO, I'm a little bit at a loss of what to do. This isn't for anyone just yet; I'm just practicing on a personal Mac mini running OS X Server 10.6, it's set as an OD Master.

Any help would be greatly appreciated

Question by:djadambomb

21 Comments

Expert Comment

by:nappy_d
The problem is that you most likely have the home directory set as "/" for the user.

This is why you can log on to the server as a user and not from a workstation.

What you need to do is to specify the full UNC path to where their network home folder is to be created.

Author Comment

by:djadambomb
You check for that in Workgroup Manager under the Home tab for each user? I don't currently have access to the server, but I know that the full path name for the home folders is listed as something like /Network/Volumes/Server HD/Users.. or something like that

Author Comment

by:djadambomb
Yea, just checked, its full network path is listed as /Network/Servers/server.fqdn.com/Users/

Expert Comment

by:nappy_d
Does it look like this?
Look at the settings.

homefoldersettings.png

Author Comment

by:djadambomb
This is what I have. I tried several different automounts, different POSIX permissions on each, none worked.

This is the error I get in Console in system.log:

"home directory mount failed in creating directory path: status = Operation not supported"

Screen-shot-2010-08-18-at-6.52.3.png

Expert Comment

by:nappy_d
Let's review some basics for a moment:
- OD is running and your domainName is displayed in uppercase letters?
- is this server your DNS server?
- is DNS properly configured for this host? From the terminal, if you type "changeip -checkhostname", no errors?
- are your clients also using the same DNS server for name resolution?
- can you manually mount the home directory share from a client computer?

Author Comment

by:djadambomb
Sorry for the delayed response!

As per your points:
1 - OD is running, (Kerberos?) domain name is not displayed in uppercase. I actually switched to stand alone and then back to OD master to wipe out my users/workgroups to try to re-do them in an attempt to fix my problem. When I was switching it back to OD master, it said that Kerberos couldn't be configured due to an issue with the DNS. And I checked changeip -checkhostnames at the server and indeed I was getting an error. But since then I *think* I solved the issue since -checkhostname says my current hostname and DNS hostname match.

2- I have it listed in the DNS server list and the domain name in the search domains field (in addition to the ones provided by my isp) in the network preferences of the client Mac. I also have the same values on the server's network preferences (it's set to Using DHCP with Manual IP); it was the only way I could fix the -checkhostname issue (DHCP and NAT services aren't running on the server).

3 - I think really this is where the issue is, but I have no idea where I've gone wrong. -checkhostname works, but I've read that you could still have issues. In the DNS services pane, it looks like everything is set properly in terms of primary and reverse zones (see picture). I can ping, traceroute and lookup (forward and reverse) from the client Mac no problem.

4- Yes, 2 provided by the ISP and 1 is the server

5- Yes, using either the bonjour, IP or dns; they all work.

This is all the messages I get starting from the time the login window appears:

Aug 19 13:58:50 Macbook /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[3828]: Login Window Application Started
Aug 19 13:58:51 Macbook loginwindow[3828]: Login Window Started Security Agent
Aug 19 13:59:01 Macbook SecurityAgent[3838]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...
Aug 19 13:59:04 Macbook authorizationhost[3837]: afp home directory mount failed in creating directory path: status = Operation not supported
Aug 19 13:59:12 Macbook loginwindow[3828]: Login Window - Returned from Security Agent
Aug 19 13:59:12 Macbook SystemUIServer[529]: Apple80211GetInfoCopy returned error: -3900
Aug 19 13:59:12 Macbook SecurityAgent[3838]: HIToolbox: received notification of WindowServer event port death.
Aug 19 13:59:12 Macbook SecurityAgent[3838]: port matched the WindowServer port created in BindCGSToRunLoop

Phew. I know it's a lot to read, but I very much appreciate your help.

-Louis

Author Comment

by:djadambomb
Forgot a pic of the DNS settings
Screen-shot-2010-08-19-at-1.56.4.png

Expert Comment

by:nappy_d
When things get this messed up, the Mac server is a pain to get going again.

Here is my suggestion to you. If this is a lab or you don't mind, we have to start from scratch, as in delete and reinstall.


Can you do this and if so, I will take you thru the steps.

Author Comment

by:djadambomb
A clean installation is fine

Author Comment

by:djadambomb
Finished the installation, and ready to be configured. Let me know what I should do from here.

thanks!
-Louis

Expert Comment

by:nappy_d
OK, so now we need to determine some things:

- Is this server to become your sole DNS box on your network?

Author Comment

by:djadambomb
No, it's more of a testing tool. I'm practicing for the Mac server exam.

My test client Mac will still be getting its DNS info from the two servers provided by the ISP.. in addition to the Mac server I guess.

Expert Comment

by:nappy_d
NEVER EVER in real life let your client machines point to any other DNS but your internal DNS servers.  Also, it is not recommended that you make your Private internal DNS publicly accessible.

Accepted Solution

by:nappy_d
Now I suggest you give your server a static IP and when you create your DNS record, you create it as domain.com.private as it is an internal private usage.

Do not configure any other services when you start up JUST DNS.

After that and the desktop appears, open the command line and do:
- changeip -checkhostname
- next do ping of the computer's FQDN

Let me know how that goes

Expert Comment

by:nappy_d
Hi, how's it going? Anything more you need info on?

Author Comment

by:djadambomb
K thanks. I will try this on Monday when I have access to the server again. I'll let you know how it goes. Have a great weekend!

Author Comment

by:djadambomb
OK, did the setup, only started DNS and ended the address with .private.

Tried changeip -checkhostname and was getting errors until I added the server's IP to the list of DNS servers (it only has itself listed now), and added the server's IP to the client Mac's list of DNS servers (only the server is listed). Then I tried changeip again and it was working fine.

I actually went ahead and continued setting up... enabled share point, set up automount, create a network user, enable AFP service.. and lo and behold, NETWORK ACCOUNTS WORKS.

No idea what I did differently on the previous setup, but I'm glad it's working now.

Now my question is, in a real-life setting, I know you said that the client Mac should never point to anything other than the server for DNS service. But I guess the server itself should point to the DNS servers assigned to it by the ISP?

Author Closing Comment

by:djadambomb
Extremely helpful user, nappy_d, walked me through what I needed to know.

Author Comment

by:djadambomb
Oh, and thanks again for all your help! I went ahead and assigned you the points.

-Louis

Expert Comment

by:nappy_d
If the OS X server is the internal DNS server, it should use itself for resolution.

The bottom line, when you have an infrastructure such as OD, no other DNS is to be used but your internal. Just disregard what your ISP has provided to you.
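
The forward/reverse agreement this thread keeps coming back to, as an added example (not posted by either participant, and not how changeip is implemented): the check passes only when the server's name resolves to an address whose PTR record points back to the same name. The host name, addresses and per-resolver answer tables are constructed to show why a client that also lists public resolvers can fail on a .private name.

```python
import socket

def norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower()

def system_forward(name):
    return socket.gethostbyname_ex(name)[2]      # IPv4 addresses from the OS resolver
def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]           # primary PTR name from the OS resolver

def check_hostname(fqdn, forward=system_forward, reverse=system_reverse):
    """Return (ok, reason); ok only if fqdn -> address -> PTR leads back to fqdn."""
    try:
        addrs = forward(fqdn)
    except (OSError, KeyError) as exc:
        return False, "forward lookup failed: %s" % exc
    if not addrs:
        return False, "forward lookup returned no address"
    for ip in addrs:
        try:
            ptr = reverse(ip)
        except (OSError, KeyError) as exc:
            return False, "no PTR for %s: %s" % (ip, exc)
        if norm(ptr) != norm(fqdn):
            return False, "PTR for %s is %s, expected %s" % (ip, ptr, fqdn)
    return True, "forward and reverse match"

def table_resolver(a_records, ptr_records):
    # Lookup functions backed by constructed tables; stands in for one DNS server.
    return (lambda name: a_records[norm(name)]), (lambda ip: ptr_records[ip])

# Constructed sample data (not from the thread): the answers each server in a
# client's DNS list would give for the directory server's name.
FQDN = "server.example.private"
VIEWS = {
    "internal": table_resolver({FQDN: ["10.0.1.2"]},
                               {"10.0.1.2": "Server.Example.Private."}),
    "isp": table_resolver({}, {}),               # public resolver, no private zone
    "stale-ptr": table_resolver({FQDN: ["10.0.1.2"]},
                                {"10.0.1.2": "macmini.local"}),
}

def audit(fqdn, views):
    return {label: check_hostname(fqdn, f, r) for label, (f, r) in views.items()}

if __name__ == "__main__":
    for label, (ok, reason) in audit(FQDN, VIEWS).items():
        print("%-10s %-4s %s" % (label, "OK" if ok else "FAIL", reason))
```

Calling check_hostname() with only a host name runs the same comparison against whatever resolver the machine is currently configured to use.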