Network user login - can't create new user, probably related to home folder

JimboStormforce
Jul 9, 2012, 05:44 AM
I have a persistent problem with our Network Accounts at work. I took over here after the server was set up, so didn't build it from the ground up.

The problem I have is that when I add a new network user, I can add them to a group, 'set' their home folder, enable login, do everything you would expect. They appear in the list of network users absolutely fine.

However, every time they try to login, the box simply 'shakes' as though the password is incorrect. If I login to the server as them, that works fine, it's just on a network machine that it doesn't work.

Previous research into this has suggested that it may have been a problem with the home folder creation - however I've checked both the ACL and Posix permissions, and they appear the same as for other users.

Any advice on how to go about resolving this would be gratefully received - we have a new staff member who is limited on the work they can do while I resolve it! I'm not that clever on OSX (recent PC convert!) but learn quickly...



JimboStormforce
Jul 9, 2012, 08:32 AM
So, some more web digging has led me to do a number of things.

I've tried adding a new user (Test User 1) using server.app, and also tried adding a new user (Test User 2) using the Workgroup Manager. Again, both show up in the Network Users list on the client machines, but I can log in to neither.

I don't know if this is a Kerberos issue, an LDAP issue, an Active Directory issue, or quite what, and I'm also not really sure how to investigate the logs etc. to find out.

I've also tried unbinding a client machine from the server, and then rebinding in Login Options, but still no joy.

Alrescha
Jul 9, 2012, 09:16 AM
Make sure that you can see the network share from over the network. From one of your network machines try and share the problem user's home directory. If the remote directory can't be mounted, you can get the same bad password shake.

A.

JimboStormforce
Jul 10, 2012, 02:36 AM
Hi Alrescha,

Thanks for your reply. I can access the home folders over the network no problem - I can see that they have all the relevant sub folders in them (Library, Documents, Desktop etc), and that they appear to be working. This is when I'm logged in as another user to one of the client machines.

I had hoped the network login shake might have resolved itself overnight, but it was not to be.

Kind Regards,

Jimbo

JimboStormforce
Jul 12, 2012, 07:51 AM
I'm no further along, but have discovered something else.

If I try and access the file sharing service on the server, using 'connect as', then the new users created don't work - i.e. I can't authenticate as them. This suggests to me a Kerberos issue?

MiloAppleby
Jul 14, 2012, 03:02 AM
What location are you trying to use for the home folder? Local, Server or a volume mounted on the Server?

To have a proper network user ensure that you have a working Directory Master with proper DNS records.

Check LDAP using Server Admin App. Kerberos/LDAP/Password Server are all running.

Check DNS by opening Network Utility and doing a lookup of first your server IP address (e.g. 192.168.1.10); this should resolve to (e.g.) server.example.private, and the reverse should be true: server.example.private = 192.168.1.10

Then go to Network in Sys Prefs on the client machine and ensure that the DNS records point to your server (e.g. 192.168.1.10)

On your server they should point to 127.0.0.1 and your router, normally.

Create a user using Server App. Ensure that you get the globe type icon confirming they are a network user and a member of Workgroup. Option click the user to edit then and confirm the location of the home folder is where you want it to be (Not local I guess but wotevs)

NB Workgroup Manager is a bit of a pain. For simple setups just use the Server App.

File sharing should be active and the user be enabled for this.

Go to client machine Sys Prefs, Users and Groups in 10.7 click Network account Join type server.example.private in Directory Utility and allow whirryness to take place after authenticating.

Log out of the local account, click 'Others' and log in. First login always takes longer as it creates folders.

Even money it's a DNS issue.

If it's not a DNS issue and you're trying to locate the Home Folders on an external drive then it's a permissions issue for the volume. Change this in file sharing.

JimboStormforce
Jul 17, 2012, 06:08 AM
What location are you trying to use for the home folder? Local, Server or a volume mounted on the Server?

It's a volume mounted on the server. We have about 12 network users who are fully working with it - this problem is only for new users.

To have a proper network user ensure that you have a working Directory Master with proper DNS records.
Can you elaborate on how I do this?

Check LDAP using Server Admin App. Kerberos/LDAP/Password Server are all running.
Yep, kerberos/LDAP/Password server all running

Check DNS by opening Network Utility and doing a lookup of first your server IP address (e.g. 192.168.1.10); this should resolve to (e.g.) server.example.private, and the reverse should be true: server.example.private = 192.168.1.10

Ok, so if I lookup the server IP, I get this:

Lookup has started…

; <<>> DiG 9.6-ESV-R4-P3 <<>> -x 192.168.1.14 +multiline +nocomments +nocmd +noquestion +nostats +search
;; global options: +cmd
14.1.168.192.in-addr.arpa. 10800 IN PTR server1.stormforce.private.
1.168.192.in-addr.arpa. 10800 IN NS server1.stormforce.private.
server1.stormforce.private. 10800 IN A 192.168.1.14

If I lookup server1.stormforce.private, I get this:

Lookup has started…

; <<>> DiG 9.6-ESV-R4-P3 <<>> server1.stormforce.private +multiline +nocomments +nocmd +noquestion +nostats +search
;; global options: +cmd
server1.stormforce.private. 10800 IN A 192.168.1.14
stormforce.private. 10800 IN NS server1.stormforce.private.

Does that look as expected?

Then go to Network in Sys Prefs on the client machine and ensure that the DNS records point to your server (e.g. 192.168.1.10)

On your server they should point to 127.0.0.1 and your router, normally.
Yes - on the client machine it's set up as 192.168.1.14. On the server, it's set to 192.168.1.1 (router). I would go in and check to see if 127.0.0.1 appears in the server, however, I now seem to have locked myself out. I can't login to the server with any user at the moment, which is a bit troubling!

Create a user using Server App. Ensure that you get the globe type icon confirming they are a network user and a member of Workgroup. Option click the user to edit then and confirm the location of the home folder is where you want it to be (Not local I guess but wotevs)

NB Workgroup Manager is a bit of a pain. For simple setups just use the Server App.

File sharing should be active and the user be enabled for this.
Yep, all done for Test User 1

Go to client machine Sys Prefs, Users and Groups in 10.7 click Network account Join type server.example.private in Directory Utility and allow whirryness to take place after authenticating.

Log out of the local account, click 'Others' and log in. First login always takes longer as it creates folders.

Still no joy. Just the 'shake' which prevents login.

Even money it's a DNS issue.

If it's not a DNS issue and you're trying to locate the Home Folders on an external drive then it's a permissions issue for the volume. Change this in file sharing.

A DNS issue sounds likely. I've been through all the permissions for the home folder and volume etc - and as it works for other users, I can't see where I might be going wrong on permissions.

modernlifeiswar
Jul 17, 2012, 05:35 PM
DNS in System Preferences on the Server should only point to itself, 127.0.0.1.
In Server Admin.app -> DNS -> Settings the Forwarder IP Address should point to your external DNS, probably your router.

In Server Admin.app -> DNS -> Zones you need to have a primary zone and the corresponding reverse zone.

Check your DNS by using Terminal.app:

sudo changeip -checkhostname

This should result in:

Primary address = 192.168.1.14

Current HostName = server1.stormforce.private
DNS HostName = server1.stormforce.private

The names match. There is nothing to change.
dirserv:success = "success"


Yep, kerberos/LDAP/Password server all running

This unfortunately does not say that it is running correctly.

And do not forget to review the log files Server.app and/or Server Admin.app! They can be quite useful.
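The DNS sanity check MiloAppleby describes (the forward lookup of the server name and the reverse lookup of its IP must agree) and the `changeip -checkhostname` output modernlifeiswar shows can both be verified mechanically instead of by eye. The script below is an added example, not code from this thread or from Apple: it parses the dig answer lines and the changeip output copied from the posts above, and the function names `check_dns_consistency`, `parse_changeip` and `changeip_names_match` are my own. On a real server you would paste in fresh `dig` and `changeip` output rather than the constants embedded here.

```python
import re
from typing import Dict, List, Tuple

# dig answer lines as posted in the thread: reverse lookup of the server IP,
# then forward lookup of the server hostname (copied from Jimbo's post).
REVERSE_DIG = """\
; <<>> DiG 9.6-ESV-R4-P3 <<>> -x 192.168.1.14 +multiline +nocomments +nocmd +noquestion +nostats +search
;; global options: +cmd
14.1.168.192.in-addr.arpa. 10800 IN PTR server1.stormforce.private.
1.168.192.in-addr.arpa. 10800 IN NS server1.stormforce.private.
server1.stormforce.private. 10800 IN A 192.168.1.14
"""

FORWARD_DIG = """\
; <<>> DiG 9.6-ESV-R4-P3 <<>> server1.stormforce.private +multiline +nocomments +nocmd +noquestion +nostats +search
;; global options: +cmd
server1.stormforce.private. 10800 IN A 192.168.1.14
stormforce.private. 10800 IN NS server1.stormforce.private.
"""

# Expected output of `sudo changeip -checkhostname` (copied from modernlifeiswar's post).
CHANGEIP_OUTPUT = """\
Primary address = 192.168.1.14

Current HostName = server1.stormforce.private
DNS HostName = server1.stormforce.private

The names match. There is nothing to change.
dirserv:success = "success"
"""

# One resource record line: owner, TTL, class IN, type, rdata. Only A and PTR matter here.
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|PTR)\s+(\S+)\s*$")


def parse_records(dig_output: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) for every A/PTR line; ';' comment lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            # Normalise: strip the trailing dot and compare case-insensitively.
            records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records


def reverse_name(ip: str) -> str:
    """IPv4 reverse-zone owner name, e.g. 192.168.1.14 -> 14.1.168.192.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def check_dns_consistency(ip: str, hostname: str,
                          forward_dig: str, reverse_dig: str) -> List[str]:
    """Return a list of problems; an empty list means forward and reverse agree."""
    problems = []
    host = hostname.rstrip(".").lower()

    fwd = [r for r in parse_records(forward_dig) if r[1] == "A" and r[0] == host]
    if not fwd:
        problems.append(f"no A record for {host} in forward lookup")
    elif not any(r[2] == ip for r in fwd):
        problems.append(f"{host} resolves to {[r[2] for r in fwd]}, expected {ip}")

    rev = [r for r in parse_records(reverse_dig) if r[1] == "PTR" and r[0] == reverse_name(ip)]
    if not rev:
        problems.append(f"no PTR record for {ip} in reverse lookup")
    elif not any(r[2] == host for r in rev):
        problems.append(f"{ip} reverse-resolves to {[r[2] for r in rev]}, expected {host}")
    return problems


def parse_changeip(output: str) -> Dict[str, str]:
    """Turn the 'key = value' lines of changeip -checkhostname into a dict."""
    fields = {}
    for line in output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return fields


def changeip_names_match(output: str) -> bool:
    """True when the configured hostname and the DNS hostname are both present and equal."""
    fields = parse_changeip(output)
    current = fields.get("Current HostName", "").lower()
    dns = fields.get("DNS HostName", "").lower()
    return bool(current) and current == dns


if __name__ == "__main__":
    issues = check_dns_consistency("192.168.1.14", "server1.stormforce.private",
                                   FORWARD_DIG, REVERSE_DIG)
    print("DNS consistent" if not issues else "\n".join(issues))
    print("changeip names match:", changeip_names_match(CHANGEIP_OUTPUT))
```

For the records Jimbo posted the check reports no problems, which agrees with modernlifeiswar's "The names match" output; a mismatch between the PTR target and the A record owner (or a missing reverse zone) is exactly the kind of DNS fault that makes Open Directory and Kerberos misbehave while the LDAP user still looks fine in Server.app.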

JimboStormforce
Jul 18, 2012, 03:27 AM
Thanks modernlifeiswar - I'll try all of that, as soon as I've worked out why I can't login to the server!

It's an odd problem, the Server is set on the login screen - if I type a correct username and password, the grey login screen briefly disappears, before returning... any thoughts?

JimboStormforce
Jul 25, 2012, 02:46 AM
This is quite frustrating! As soon as I can get into the server I'm going to enable SSH, but for the now, I just can't get past that login screen...

This means if I need to make any changes at any point, I'm nixed. Whoops.

AtomicGrog
Jul 25, 2012, 09:52 PM
I had a problem like this some time ago when the client was running OSX Lion server (as opposed to just OSX Lion).

Essentially the home mount point wasn't being created and the user wasn't able to log on with these symptoms. There was an error in the log indicating this, what does your error log show?

JimboStormforce
Jul 30, 2012, 03:38 AM
I had a problem like this some time ago when the client was running OSX Lion server (as opposed to just OSX Lion).

Essentially the home mount point wasn't being created and the user wasn't able to log on with these symptoms. There was an error in the log indicating this, what does your error log show?

AtomicGrog, thanks for that - sounds like something I need to explore further. Unfortunately, I'm still unable to login to the server, which is proving frustrating! All I get is the login screen, and can't get any further.

I'm working on it!

JimboStormforce
Aug 27, 2012, 06:58 AM
OK, so, we're back up and running! In the end, the issues with the server reached such high levels, I did an over-the-top install of Lion.

This seems to have been mostly successful - I had to reinstall Server Admin Tools, and we lost all of our users and settings, but I've been rebuilding them as we speak.

So, new problem; the client machines show Network Accounts Available, but no longer show the list of users. I can get any user to login as before, as a network user, it's just that their name doesn't show up on the list of available users.

Any suggestions here gratefully received, again!