Unable to sign into network users

Basically, when I try to log into a network user account, the login window shakes as if the password is wrong... which is not the case. I know it also shakes when there is an authorization error... but let me list what I know thus far:

- on the login screen from a client computer, it says "Network Accounts" available
- you can sign in on the server itself using a network user account
- users have been made in the /LDAPv3/127.0.0.1 directory and have had their home folders created in an automount share point using AFP on /Users (I clicked the "Create Home Now" button to make sure)
- AFP is enabled and the service is set to be used by anyone
- I checked ACL/POSIX permission on the share points, and network users have access to them... double checked with the effective permissions viewer.
- From a client Mac computer, I can log into a local account and access the server through the network with a network account (no problems here, can access the network user's home folder normally after mounting)
- Users are set to log in using Open Directory in the Advanced tab of Workgroup Manager

For a while I was having a DNS issue (checked by doing the whole "changeip -checkhostname" routine), but I resolved that. While I was having the DNS issue, though, I still couldn't sign on to the network user account, and I was getting a different error; it was very generic... it just said an error had occurred (no code, no clues).

So, I'm a little bit at a loss as to what to do. This isn't for anyone just yet; I'm just practicing on a personal Mac mini running OS X Server 10.6, set up as an OD master.

Any help would be greatly appreciated

Asked by djadambomb
nappy_d commented:
The problem is that you most likely have the home directory set as "/" for the user.

This is why you can log on to the server as a user and not from a workstation.

What you need to do is specify the full UNC path to where their network home folder is to be created.
djadambomb (Author) commented:
You check for that in Workgroup Manager under the Home tab for each user? I don't currently have access to the server, but I know that the full path name for the home folders is listed as something like /Network/Volumes/Server HD/Users... or something like that
djadambomb (Author) commented:
Yeah, just checked; its full network path is listed as /Network/Servers/server.fqdn.com/Users/
nappy_d commented:
Does it look like this?
Look at the settings.

(attached screenshot: homefoldersettings.png)
djadambomb (Author) commented:
This is what I have. I tried several different automounts, different POSIX permissions on each; none worked.

This is the error I get in Console, in system.log:

"home directory mount failed in creating directory path: status = Operation not supported"

(attached screenshot: Screen-shot-2010-08-18-at-6.52.3.png)
nappy_d commented:
Let's review some basics for a moment:
- OD is running, and your domain name is displayed in uppercase letters?
- Is this server your DNS server?
- Is DNS properly configured for this host? From the Terminal, if you type "changeip -checkhostname", no errors?
- Are your clients also using the same DNS server for name resolution?
- Can you manually mount the home directory share from a client computer?
djadambomb (Author) commented:
Sorry for the delayed response!

As per your points:
1 - OD is running; the (Kerberos?) domain name is not displayed in uppercase. I actually switched to standalone and then back to OD master to wipe out my users/workgroups, to try to redo them in an attempt to fix my problem. When I was switching it back to OD master, it said that Kerberos couldn't be configured due to an issue with the DNS. And I checked changeip -checkhostname at the server, and indeed I was getting an error. But since then I *think* I solved the issue, since -checkhostname says my current hostname and DNS hostname match.

2 - I have it listed in the DNS server list, and the domain name in the Search Domains field (in addition to the ones provided by my ISP), in the Network preferences of the client Mac. I also have the same values in the server's Network preferences (it's set to Using DHCP with Manual IP); it was the only way I could fix the -checkhostname issue (DHCP and NAT services aren't running on the server).

3 - I think this is really where the issue is, but I have no idea where I've gone wrong. -checkhostname works, but I've read that you could still have issues. In the DNS service pane, it looks like everything is set properly in terms of primary and reverse zones (see picture). I can ping, traceroute and lookup (forward and reverse) from the client Mac no problem.

4 - Yes, two provided by the ISP and one is the server

5 - Yes, using either Bonjour, IP or DNS; they all work.

These are all the messages I get, starting from the time the login window appears:

Aug 19 13:58:50 Macbook /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[3828]: Login Window Application Started
Aug 19 13:58:51 Macbook loginwindow[3828]: Login Window Started Security Agent
Aug 19 13:59:01 Macbook SecurityAgent[3838]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...
Aug 19 13:59:04 Macbook authorizationhost[3837]: afp home directory mount failed in creating directory path: status = Operation not supported
Aug 19 13:59:12 Macbook loginwindow[3828]: Login Window - Returned from Security Agent
Aug 19 13:59:12 Macbook SystemUIServer[529]: Apple80211GetInfoCopy returned error: -3900
Aug 19 13:59:12 Macbook SecurityAgent[3838]: HIToolbox: received notification of WindowServer event port death.
Aug 19 13:59:12 Macbook SecurityAgent[3838]: port matched the WindowServer port created in BindCGSToRunLoop

Phew. I know it's a lot to read, but I very much appreciate your help.

-Louis
djadambomb (Author) commented:
Forgot a pic of the DNS settings
(attached screenshot: Screen-shot-2010-08-19-at-1.56.4.png)
nappy_d commented:
When things get this messed up, the Mac server is a pain to get going again.

Here is my suggestion to you. If this is a lab or you don't mind, we have to start from scratch, as in delete and reinstall.

Can you do this? If so, I will take you through the steps.

djadambomb (Author) commented:
A clean installation is fine
djadambomb (Author) commented:
Finished the installation, and ready to be configured. Let me know what I should do from here.

thanks!
-Louis
nappy_d commented:
OK, so now we need to determine some things:

- Is this server to become your sole DNS box on your network?
djadambomb (Author) commented:
No, it's more of a testing tool. I'm practicing for the Mac server exam.

My test client Mac will still be getting its DNS info from the two servers provided by the ISP... in addition to the Mac server, I guess.
nappy_d commented:
NEVER EVER in real life let your client machines point to any DNS but your internal DNS servers. Also, it is not recommended that you make your private internal DNS publicly accessible.
nappy_d commented:
Now I suggest you give your server a static IP, and when you create your DNS record, create it as domain.com.private, as it is for internal private usage.

Do not configure any other services when you start up; JUST DNS.

After that, when the desktop appears, open the command line and do:
- changeip -checkhostname
- next, do a ping of the computer's FQDN

Let me know how that goes
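The checklist a few replies up (is this server the DNS server, do the clients use it, does "changeip -checkhostname" pass) and the rebuild procedure above both come down to one question: does the server's primary address have a PTR record that names the host exactly as the host names itself, and does that name resolve back to the same address. The script below is an added example, not part of the original thread or of Apple's tooling; it reimplements that comparison in Python so the individual checks are visible, using a pluggable resolver. The zone data (server.example.private, 192.168.1.10) is constructed for the demonstration; swap in LiveResolver to test a real machine against whatever resolver it is actually configured to use, which is also how you reproduce the situation from the thread where a client pointed at the ISP's resolvers could not see the .private zone at all.

```python
"""Forward/reverse DNS consistency check for an OD master's hostname.

Added example (not from the original thread). It mirrors what
`changeip -checkhostname` compares on OS X Server: the hostname the
server believes it has against the DNS name of its primary address,
plus the forward lookup that clients, the automounter and the Kerberos
setup seen failing in the thread all depend on.
"""
import socket
from dataclasses import dataclass


@dataclass
class StaticResolver:
    """Offline resolver backed by constructed zone data (demonstration only)."""
    forward: dict   # name -> list of IPv4 addresses
    reverse: dict   # address -> PTR name; a missing key means no PTR

    def a_records(self, name):
        return list(self.forward.get(name.lower().rstrip("."), []))

    def ptr(self, ip):
        return self.reverse.get(ip)


class LiveResolver:
    """Resolver that asks whatever DNS servers this machine is configured with."""

    def a_records(self, name):
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
        except socket.gaierror:
            return []
        return sorted({info[4][0] for info in infos})

    def ptr(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None


def check_hostname(current_hostname, primary_ip, resolver):
    """Return (ok, findings); ok is True only when every check passes."""
    findings = []
    name = current_hostname.lower().rstrip(".")

    if "." not in name:
        findings.append(f"Current HostName {current_hostname!r} is not fully qualified")

    # Reverse: the primary IP needs a PTR, and it must name this host.
    dns_name = resolver.ptr(primary_ip)
    if dns_name is None:
        findings.append(f"no PTR record for {primary_ip}: reverse zone missing, "
                        "or the resolver queried does not serve it")
    else:
        dns_name = dns_name.lower().rstrip(".")
        if dns_name != name:
            findings.append(f"DNS HostName {dns_name!r} != Current HostName {name!r}")
            # Stale PTR: does the name it points at even resolve to this IP?
            if primary_ip not in resolver.a_records(dns_name):
                findings.append(f"PTR name {dns_name!r} does not resolve back to {primary_ip}")

    # Forward: the hostname must have an A record that includes the primary IP.
    addrs = resolver.a_records(name)
    if not addrs:
        findings.append(f"{name!r} has no A record")
    elif primary_ip not in addrs:
        findings.append(f"{name!r} resolves to {addrs}, not {primary_ip}")

    return (not findings, findings)


# Constructed sample zones (hypothetical hosts, not from the thread).
GOOD = StaticResolver(                       # the working .private setup
    forward={"server.example.private": ["192.168.1.10"]},
    reverse={"192.168.1.10": "server.example.private"},
)
BROKEN = StaticResolver(                     # reverse zone absent, or wrong resolver asked
    forward={"server.example.private": ["192.168.1.10"]},
    reverse={},
)
STALE_PTR = StaticResolver(                  # PTR left over from a previous hostname
    forward={"server.example.private": ["192.168.1.10"]},
    reverse={"192.168.1.10": "oldname.example.private"},
)

if __name__ == "__main__":
    for label, resolver in (("good", GOOD), ("broken", BROKEN), ("stale", STALE_PTR)):
        ok, why = check_hostname("server.example.private", "192.168.1.10", resolver)
        print(label, "OK" if ok else "FAIL", why)
    # On a real server: check_hostname(socket.getfqdn(), "<primary ip>", LiveResolver())
```

Run it on the server itself and on a client: if the server passes with LiveResolver but the client fails with "no PTR record", the client is asking a resolver that does not carry the internal zone, which is the configuration nappy_d warns against.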

nappy_d commented:
Hi, how's it going? Anything more you need info on?
djadambomb (Author) commented:
OK, thanks. I will try this on Monday when I have access to the server again. I'll let you know how it goes. Have a great weekend!
djadambomb (Author) commented:
OK, did the setup, only started DNS and ended the address with .private.

Tried changeip -checkhostname and was getting errors until I added the server's IP to the list of DNS servers (it only has itself listed now), and added the server's IP to the client Mac's list of DNS servers (only the server is listed). Then I tried changeip again and it was working fine.

I actually went ahead and continued setting up... enabled share point, set up automount, created a network user, enabled AFP service... and lo and behold, NETWORK ACCOUNTS WORKS.

No idea what I did differently on the previous setup, but I'm glad it's working now.

Now my question is, in a real-life setting, I know you said that the client Mac should never point to anything other than the server for DNS service. But I guess the server itself should point to the DNS servers assigned to it by the ISP?
djadambomb (Author) commented:
Extremely helpful user, nappy_d, walked me through what I needed to know.
djadambomb (Author) commented:
Oh, and thanks again for all your help! I went ahead and assigned you the points.

-Louis
nappy_d commented:
If the OS X server is the internal DNS server, it should use itself for resolution.

The bottom line: when you have an infrastructure such as OD, no other DNS is to be used but your internal one. Just disregard what your ISP has provided to you.