Unable to sign into network users

Basically, when I try to log into a network user account, the login window shakes as if the password is wrong... which is not the case. I know it also shakes when there is an authorization error... but let me list what I know thus far:

- on the login screen from a client computer, it says "Network Accounts" available
- you can sign in on the server itself using a network user account
- users have been made in the /LDAPv3/127.0.0.1 directory and have had their home folders created in an automount share point using AFP on /Users (I clicked the "Create Home Now" button to make sure)
- AFP is enabled and the service is set to be used by anyone
- I checked ACL/POSIX permission on the share points, and network users have access to them... double checked with the effective permissions viewer.
- From a client Mac computer, I can log into a local account and access the server through the network with a network account (no problems here, can access the network user's home folder normally after mounting)
- Users are set to log in using Open Directory in the Advanced tab of Workgroup Manager

For a while I was having a DNS issue (checked by doing the whole "changeip -checkhostname") but I resolved that. While I was having the DNS issue, though, I still couldn't sign on to the network user account, and I was getting a different error; it was very generic... it just said an error had occurred (no code, no clues).

So, I'm a little at a loss as to what to do. This isn't for anyone just yet; I'm just practicing on a personal Mac mini running OS X Server 10.6, set up as an OD Master.

Any help would be greatly appreciated.

djadambomb asked:
 
nappy_d commented:
Now I suggest you give your server a static IP, and when you create your DNS record, create it as domain.com.private, as it is for internal private usage.

Do not configure any other services when you start up, JUST DNS.

After that, once the desktop appears, open the command line and do:
- changeip -checkhostname
- next, ping the computer's FQDN

Let me know how that goes.
0
 
nappy_d commented:
The problem is that you most likely have the home directory set as "/" for the user.

This is why you can log on to the server as a user and not from a workstation.

What you need to do is specify the full UNC path to where their network home folder is to be created.
0
 
djadambomb (author) commented:
You check for that in Workgroup Manager under the Home tab for each user? I don't currently have access to the server, but I know that the full path name for the home folders is listed as something like /Network/Volumes/Server HD/Users... or something like that.
0
 
djadambomb (author) commented:
Yeah, just checked; its full network path is listed as /Network/Servers/server.fqdn.com/Users/
0
 
nappy_d commented:
Does it look like this?
Look at the settings.

(attached screenshot: homefoldersettings.png)
0
 
djadambomb (author) commented:
This is what I have. I tried several different automounts, with different POSIX permissions on each; none worked.

This is the error I get in Console in system.log:

"home directory mount failed in creating directory path: status = Operation not supported"

(attached screenshot: Screen-shot-2010-08-18-at-6.52.3.png)
0
 
nappy_d commented:
Let's review some basics for a moment:
- OD is running and your domain name is displayed in uppercase letters?
- Is this server your DNS server?
- Is DNS properly configured for this host? From the terminal, if you type "changeip -checkhostname", no errors?
- Are your clients also using the same DNS server for name resolution?
- Can you manually mount the home directory share from a client computer?
0
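The checklist above boils down to one consistency test that "changeip -checkhostname" performs: the server's FQDN must resolve to its address, and that address must resolve back to the same FQDN. The following is an added example, not code from the thread or from Apple; it implements that test with pluggable resolvers so it can run offline against constructed records (the server.example.private name and 192.168.1.10 address are made up), and it includes live lookups for use on a real host.

```python
import socket
from typing import Callable, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed forward (A) and reverse (PTR) records standing in for the
# server's own DNS zones; the .private domain follows the advice in the thread.
FORWARD = {"server.example.private": "192.168.1.10"}
REVERSE = {"192.168.1.10": "server.example.private"}


def check_hostname(hostname: str, forward: Resolver, reverse: Resolver) -> List[str]:
    """Return a list of problems (empty means forward and reverse DNS agree).
    The name must be fully qualified, must have an A record, and the PTR
    record for that address must point back at the same name."""
    problems: List[str] = []
    fqdn = hostname.rstrip(".").lower()
    if "." not in fqdn:
        problems.append(f"{hostname!r} is not a fully qualified name")
        return problems
    ip = forward(fqdn)
    if ip is None:
        problems.append(f"no A record for {fqdn}")
        return problems
    ptr = reverse(ip)
    if ptr is None:
        problems.append(f"no PTR record for {ip}")
    elif ptr.rstrip(".").lower() != fqdn:
        problems.append(f"PTR for {ip} is {ptr}, expected {fqdn}")
    return problems


def live_forward(name: str) -> Optional[str]:
    """Forward lookup through the host's configured DNS servers."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """Reverse lookup through the host's configured DNS servers."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    # Offline run against the constructed records; on a real server use
    # check_hostname(socket.getfqdn(), live_forward, live_reverse) instead.
    for name in ("server.example.private", "server"):
        print(name, check_hostname(name, FORWARD.get, REVERSE.get) or "OK")
```

Run it on both the server and a client: a client whose DNS list still contains the ISP's resolvers can pass on the server and fail on the client, which matches the thread's symptom of local logins working while network logins shake.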
 
djadambomb (author) commented:
Sorry for the delayed response!

As per your points:
1 - OD is running; the (Kerberos?) domain name is not displayed in uppercase. I actually switched to standalone and then back to OD master to wipe out my users/workgroups, to try to redo them in an attempt to fix my problem. When I was switching it back to OD master, it said that Kerberos couldn't be configured due to an issue with the DNS. And I checked changeip -checkhostname at the server and indeed I was getting an error. But since then I *think* I solved the issue, since -checkhostname says my current hostname and DNS hostname match.

2 - I have it listed in the DNS server list and the domain name in the search domains field (in addition to the ones provided by my ISP) in the network preferences of the client Mac. I also have the same values in the server's network preferences (it's set to Using DHCP with Manual IP); it was the only way I could fix the -checkhostname issue (DHCP and NAT services aren't running on the server).

3 - I think this is really where the issue is, but I have no idea where I've gone wrong. -checkhostname works, but I've read that you could still have issues. In the DNS services pane, it looks like everything is set properly in terms of primary and reverse zones (see picture). I can ping, traceroute and lookup (forward and reverse) from the client Mac, no problem.

4 - Yes, 2 provided by the ISP and 1 is the server.

5 - Yes, using either Bonjour, IP or DNS; they all work.

These are all the messages I get, starting from the time the login window appears:

Aug 19 13:58:50 Macbook /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[3828]: Login Window Application Started
Aug 19 13:58:51 Macbook loginwindow[3828]: Login Window Started Security Agent
Aug 19 13:59:01 Macbook SecurityAgent[3838]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...
Aug 19 13:59:04 Macbook authorizationhost[3837]: afp home directory mount failed in creating directory path: status = Operation not supported
Aug 19 13:59:12 Macbook loginwindow[3828]: Login Window - Returned from Security Agent
Aug 19 13:59:12 Macbook SystemUIServer[529]: Apple80211GetInfoCopy returned error: -3900
Aug 19 13:59:12 Macbook SecurityAgent[3838]: HIToolbox: received notification of WindowServer event port death.
Aug 19 13:59:12 Macbook SecurityAgent[3838]: port matched the WindowServer port created in BindCGSToRunLoop

Phew. I know it's a lot to read, but I very much appreciate your help.

-Louis
0
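The line that matters in the excerpt above comes from authorizationhost, not from the password check, which is why the login window shakes without any authentication error. As an added example (not code from the thread or from Apple), here is a small parser that runs over those same system.log lines and flags the home-folder mount failure; the hint text attached to each match is this example's own wording.

```python
import re
from typing import Dict, List, Optional

# Lines copied from the system.log excerpt posted in the thread (client Mac, OS X 10.6).
SAMPLE_LOG = """\
Aug 19 13:58:50 Macbook /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[3828]: Login Window Application Started
Aug 19 13:58:51 Macbook loginwindow[3828]: Login Window Started Security Agent
Aug 19 13:59:04 Macbook authorizationhost[3837]: afp home directory mount failed in creating directory path: status = Operation not supported
Aug 19 13:59:12 Macbook loginwindow[3828]: Login Window - Returned from Security Agent
"""

# BSD syslog layout: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message fragments that mean "home folder problem", not "wrong password".
HOME_MOUNT_PATTERNS = {
    "home directory mount failed": "network home could not be mounted on the client; "
    "check the automount share point, the AFP service and DNS before suspecting the password",
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proc"] = rec["proc"].rsplit("/", 1)[-1]  # drop the bundle path, keep the binary name
    return rec


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per authorizationhost line that matches a known home-mount failure."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"] != "authorizationhost":
            continue
        for needle, hint in HOME_MOUNT_PATTERNS.items():
            if needle in rec["msg"]:
                findings.append({"ts": rec["ts"], "pid": rec["pid"], "msg": rec["msg"], "hint": hint})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} authorizationhost[{f['pid']}]: {f['msg']}\n  -> {f['hint']}")
```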
 
djadambomb (author) commented:
Forgot a pic of the DNS settings.
(attached screenshot: Screen-shot-2010-08-19-at-1.56.4.png)
0
 
nappy_d commented:
When things get this messed up, the Mac server is a pain to get going again.

Here is my suggestion to you. If this is a lab or you don't mind, we have to start from scratch, as in delete and reinstall.

Can you do this? If so, I will take you through the steps.
0
 
djadambomb (author) commented:
A clean installation is fine.
0
 
djadambomb (author) commented:
Finished the installation, and ready to be configured. Let me know what I should do from here.

Thanks!
-Louis
0
 
nappy_d commented:
OK, so now we need to determine some things:

- Is this server to become your sole DNS box on your network?
0
 
djadambomb (author) commented:
No, it's more of a testing tool. I'm practicing for the Mac server exam.

My test client Mac will still be getting its DNS info from the two servers provided by the ISP... in addition to the Mac server, I guess.
0
 
nappy_d commented:
NEVER EVER in real life let your client machines point to any other DNS but your internal DNS servers. Also, it is not recommended that you make your private internal DNS publicly accessible.
0
 
nappy_d commented:
Hi, how's it going? Anything more you need info on?
0
 
djadambomb (author) commented:
OK, thanks. I will try this on Monday when I have access to the server again. I'll let you know how it goes. Have a great weekend!
0
 
djadambomb (author) commented:
OK, did the setup, only started DNS and ended the address with .private.

Tried changeip -checkhostname and was getting errors until I added the server's IP to the list of DNS servers (it only has itself listed now), and added the server's IP to the client Mac's list of DNS servers (only the server is listed). Then I tried changeip again and it was working fine.

I actually went ahead and continued setting up... enabled a share point, set up the automount, created a network user, enabled the AFP service... and lo and behold, NETWORK ACCOUNTS WORK.

No idea what I did differently on the previous setup, but I'm glad it's working now.

Now my question is: in a real-life setting, I know you said that the client Mac should never point to anything other than the server for DNS service. But I guess the server itself should point to the DNS servers assigned to it by the ISP?
0
 
djadambomb (author) commented:
Extremely helpful user, nappy_d, walked me through what I needed to know.
0
 
djadambomb (author) commented:
Oh, and thanks again for all your help! I went ahead and assigned you the points.

-Louis
0
 
nappy_d commented:
If the OS X server is the internal DNS server, it should use itself for resolution.

The bottom line: when you have an infrastructure such as OD, no other DNS is to be used but your internal one. Just disregard what your ISP has provided to you.
0