Users not able to log in after recreating ldap in Mavericks

larspetter's picture

After recreating ldap in 10.9.2 (fresh setup, importing users/groups) and rebinding the 10.6.8 Fcsvr installation to new ldap, users are unable to log in.

Any ideas?

Users are able to log in on the server, so the binding in the OS is working.

Debugging fcsvr gives this:

dsAttrTypeStandard:RecordName lpo lpo

} 21:33:04.503661 0xb0103000       DEBUG2 findNodeForRecord node.C:165 [DS] using node /LDAPv3/ldapserver.xxx.xx for auth
21:33:04.503681 0xb0103000       DEBUG2 runThread PmsAuthUser.C:115 [PxModelStore] found node for user:lpo
21:33:04.503703 0xb0103000       { auth::auth auth.C:33 [DS] this=0xb0102d6c
21:33:04.503716 0xb0103000       } auth::auth auth.C:33 [DS] this=0xb0102d6c
21:33:04.503729 0xb0103000       DEBUG3 runThread PmsAuthUser.C:131 [PxModelStore] waiting on sem
21:33:04.503744 0xb0103000       DEBUG3 runThread PmsAuthUser.C:133 [PxModelStore] finished waiting on sem
21:33:04.503761 0xb0103000       DEBUG2 runThread PmsAuthUser.C:143 [PxModelStore] authenticating with token: username=bHBv
21:33:04.503777 0xb0103000       { saslStart auth.C:432 [DS] this=0xb0102d6c PPS, username=bHBv
21:33:04.516185 0xb0103000       } saslStart auth.C:432 [DS] this=0xb0102d6c
21:33:04.516224 0xb0103000       DEBUG1 doAuthStep auth.C:152 [DS] auth failed with result -24
21:33:04.516249 0xb0103000       DEBUG2 runThread PmsAuthUser.C:147 [PxModelStore] auth status: -14483
21:33:04.516265 0xb0103000       DEBUG2 runThread PmsAuthUser.C:192 [PxModelStore] unsuccessful auth
21:33:04.516364 0xb0103000       { auth::~auth auth.C:39 [DS] this=0xb0102d6c
21:33:04.516470 0xb0103000       } auth::~auth auth.C:39 [DS] this=0xb0102d6c
21:33:04.516476 0xa0c54540       { readCB KsSlaveThread.C:108 [KsStream] this=0x357ce90
21:33:04.516495 0xb0103000         DEBUG3 ~node node.C:40 [DS] closing node
21:33:04.516593 0xa0c54540         DEBUG2 acceptEvent KsNode.C:148 [KsStream] accepting event [ evt { SLAVE_REPLY_VALUE = { CODE = E_LOGIN, DESC = Please re-enter the username and password or contact the server administrator.Please note that the username and password are case-sensitive., SRC_FILE = PmsAuthUser.C, SRC_LINE = 206, OPEN_DIRECTORY_ERROR = -14483 } } ] on node ["PmsTask_UserLogin" 0x3568e80, ref=4, wref=3] lockToken=1536 holding locks:(335cffd7-6133-4910-af40-0b0154e123af WR token=1536)
taskState=0 dbqueue=0x2805944 needTrans<

larspetter's picture

Follow up:

Of course, familiar things like this are in system.log of the fcserver:

WARNING: couldn't determine AUTH_TYPE, defaulting to PPS

And interestingly on the 10.9.2 ldap server:

RSAVALIDATE: success.

Mar 18 2014 13:13:52 857268us    AUTH: {0x2d880098a77f11e3906770cd604c4c1e, lpo} requested mechanism PPS is not available.

I have tried to switch between auth methods 1 and 3...without any difference in behaviour or logs..

larspetter's picture

More...

Logging in from the fcsvr terminal with the same ldap user - shows as md5-digest auth in the ldap server log...that works..

But how to get fcsvr to use md5-digest? Or maybe easier - get the 10.9.2 ldap to accept pps?

addihetja's picture

I don't have FCSrv to play around with anymore and maybe you've already covered this, but what is the output of serveradmin settings dirserv:MacOSXODPolicy:Configured Security Level:No ClearText Authentications ?

addihetja's picture

Other things to check are whether the user has SACL access. Again, don't know if FCSrv will show up but you could check Server.app -> Users -> [user] -> Edit access to services and also whether the user can authenticate via AFP (to rule out user must change password on next login).

Sirsloth's picture

I am about to do the same thing, upgrade a client's Xsan to 3.1 and use OD from the new Mavericks Server, although reading this maybe I should create an OD on the final cut server server (10.6.8) and have this as the primary OD, the FCSvr then resolves to this OD (bound) and have replication to the new server running Mavericks as a fallback perhaps...