Workgroup Manager Problem (omnigroup)
Lance Westerhoff
lance at mac.com
Tue Oct 2 20:40:46 PDT 2007
Hello All-
Sorry if you receive this twice...I haven't had any luck fixing the
problem and I am trying to widen my search radius!
I'm having a problem with Workgroup Manager (LDAP) on OS X Server
(10.4) and I'm hoping for some insights. I looked around the
archives and I saw others with similar problems, but answers to those
problems did not seem to address mine.
Anyway, within WM, I can successfully authenticate as diradmin (and
root and my admin account), but I can't add any more users.
Basically, I can connect to the server just fine in Workgroup
Manager, but the "New User" button is grayed out as is most of the
information for each account. I'm not sure what could be going on
here as everything else with the Server tools (Server admin et al)
and Sharing seems to work fine and as expected. After looking
around the following manual, I noticed that my problem was most
likely associated with Kerberos as noted on page 83:
http://images.apple.com/server/docs/Open_Directory_v10.4.pdf
Since we just changed ISPs, it appears that the kerberos domain has
changed. Therefore, after getting Open Directory "Kerberized",
everything should have worked...but unfortunately it did not....even
after a good ol' fashioned restart. Below are the log entries we get.
The "Server not found in Kerberos database" in system.log is of
obvious concern. It only happens once as repeated attempts to
authenticate only result in the "Required Policies not supported...."
error. Since we only have one OS X Server box that is itself both
the DNS and the OpenDirectory server, I don't know why this
"server not found in kerberos db" error would occur. I'm new to
kerberos, but this seems strange. Is there a way to rebuild this
database based upon this new realm? The forward/reverse lookup seems
to work fine using both nslookup and dig (aka the Network Utility),
so I don't think the problem rests within our DNS.
In the ApplePasswordServer log, the AUTH2 line is successful while
the KERBEROS-LOGIN-CHECK line is not, again suggesting a problem with
Kerberos...but Kerberos is running just fine (according to the
OpenDirectory overview)...
/var/log/system.log:
Oct 2 10:15:47 HOST DirectoryService[70]: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
...
Oct 2 10:17:28 mail DirectoryService[70]: DSLDAPv3PlugIn: Required Policies not Supported: No ClearText, Man-In-The-Middle, Packet Signing, Packet Encryption. LDAP Connection for Node 127.0.0.1 denied.

/Library/Logs/PasswordService/ApplePasswordServer.Server.log:
Oct 2 2007 10:17:13 RSAVALIDATE: success.
Oct 2 2007 10:17:13 AUTH2: {0x469b8ee7034e9ad00000000200000002, root} DHX authentication succeeded.
Oct 2 2007 10:17:28 KERBEROS-LOGIN-CHECK: user {0x469b8ee7034e9ad00000000200000002, root} authentication failed.
Oct 2 2007 10:17:28 QUIT: {no user} disconnected.
Thank you for any insights!
-Lance
____________________
Lance M. Westerhoff, Ph.D.
General Manager
QuantumBio Inc.
WWW: http://www.quantumbioinc.com
Email: lance at quantumbioinc.com
Phone: 814-235-6908
Fax: 814-235-6909
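
The pattern described in the message above (AUTH2 succeeds, then KERBEROS-LOGIN-CHECK fails for the same user) can be pulled out of the Password Server log mechanically. This is an added example, not part of the original post and not Apple's tooling; it assumes the entry format shown in the post's excerpt, and the function names and the 60-second window are hypothetical choices.

```python
import re
from datetime import datetime

# Entry format assumed from the excerpt in the post, one entry per line.
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>[A-Z0-9-]+):\s+(?P<rest>.*)$")
PRINCIPAL = re.compile(r"\{(?P<slot>0x[0-9a-fA-F]+),\s*(?P<user>[^}]+)\}")

# Log lines from the post, with wrapped entries rejoined.
SAMPLE_LOG = """\
Oct 2 2007 10:17:13 RSAVALIDATE: success.
Oct 2 2007 10:17:13 AUTH2: {0x469b8ee7034e9ad00000000200000002, root} DHX authentication succeeded.
Oct 2 2007 10:17:28 KERBEROS-LOGIN-CHECK: user {0x469b8ee7034e9ad00000000200000002, root} authentication failed.
Oct 2 2007 10:17:28 QUIT: {no user} disconnected.
"""

def parse(log_text):
    """Yield (timestamp, event, slot, user, outcome) for entries naming a user."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        p = PRINCIPAL.search(m["rest"]) if m else None
        if not p:
            continue  # not an entry, or no {slot, user} pair (e.g. "{no user}")
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S")
        rest = m["rest"]
        outcome = "ok" if "succeeded" in rest else "fail" if "failed" in rest else None
        yield ts, m["event"], p["slot"], p["user"].strip(), outcome

def password_ok_kerberos_failed(log_text, window_s=60):
    """Return (user, slot, seconds) where a Kerberos check failed within
    window_s seconds after a successful AUTH2 for the same slot ID."""
    last_ok, hits = {}, []
    for ts, event, slot, user, outcome in parse(log_text):
        if event == "AUTH2" and outcome == "ok":
            last_ok[slot] = ts
        elif event == "KERBEROS-LOGIN-CHECK" and outcome == "fail" and slot in last_ok:
            delta = (ts - last_ok[slot]).total_seconds()
            if 0 <= delta <= window_s:
                hits.append((user, slot, int(delta)))
    return hits

if __name__ == "__main__":
    for user, slot, delta in password_ok_kerberos_failed(SAMPLE_LOG):
        print(f"{user} ({slot}): password auth OK, Kerberos check failed {delta}s later")
```

A hit means the stored password verified but the Kerberos side rejected the same account, which separates a realm or principal problem from a wrong password.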
More information about the MacOSX-admin
mailing list