Network user login - can't create new user, probably related to home folder

Discussion in 'Mac OS X Server, Xserve, and Networking' started by JimboStormforce, Jul 9, 2012.

  1. macrumors newbie

    Joined:
    Jul 9, 2012
    #1
    I have a persistent problem with our Network Accounts at work. I took over here after the server was set up, so didn't build it from the ground up.

    The problem I have is that when I add a new network user, I can add them to a group, 'set' their home folder, enable login, do everything you would expect. They appear in the list of network users absolutely fine.

    However, every time they try to login, the box simply 'shakes' as though the password is incorrect. If I login to the server as them, that works fine, it's just on a network machine that it doesn't work.

    Previous research into this has suggested that it may have been a problem with the home folder creation - however I've checked both the ACL and Posix permissions, and they appear the same as for other users.

    Any advice on how to go about resolving this would be gratefully received - we have a new staff member who is limited on the work they can do while I resolve it! I'm not that clever on OSX (recent PC convert!) but learn quickly...
     
  2. thread starter macrumors newbie

    Joined:
    Jul 9, 2012
    #2
    So, some more web digging has led me to do a number of things.

    I've tried adding a new user (Test User 1) using server.app, and also tried adding a new user (Test User 2) using the Workgroup Manager. Again, both show up in the Network Users list on the client machines, but I can log in to neither.

    I don't know if this is a Kerberos issue, an LDAP issue, an Active Directory issue, or quite what, and I'm also not really sure how to investigate the logs etc to find out.

    I've also tried unbinding a client machine from the server, and then rebinding in Login Options, but still no joy.
     
  3. macrumors 65816

    Joined:
    Jan 1, 2008
    #3
    Make sure that you can see the network share from over the network. From one of your network machines try and share the problem user's home directory. If the remote directory can't be mounted, you can get the same bad password shake.

    A.
     
  4. thread starter macrumors newbie

    Joined:
    Jul 9, 2012
    #4
    Hi Alrescha,

    Thanks for your reply. I can access the home folders over the network no problem - I can see that they have all the relevant sub folders in them (Library, Documents, Desktop etc), and that they appear to be working. This is when I'm logged in as another user to one of the client machines.

    I had hoped the network login shake might have resolved itself overnight, but it was not to be.

    Kind Regards,

    Jimbo
     
  5. thread starter macrumors newbie

    Joined:
    Jul 9, 2012
    #5
    I'm no further along, but have discovered something else.

    If I try and access the file sharing service on the server, using 'connect as', then the new users created don't work - i.e. I can't authenticate as them. This suggests to me a Kerberos issue?
     
  6. MiloAppleby, Jul 14, 2012
    Last edited: Jul 14, 2012

    macrumors newbie

    Joined:
    Oct 13, 2011
    #6
    What location are you trying to use for the home folder? Local, Server or a volume mounted on the Server?

    To have a proper network user ensure that you have a working Directory Master with proper DNS records.

    Check LDAP using Server Admin App. Kerberos/LDAP/Password Server are all running.

    Check DNS by opening Network Utility and doing a lookup of first your server IP address (e.g. 192.168.1.10); this should resolve to (e.g. server.example.private) and the reverse should be true: server.example.private = 192.168.1.10

    Then go to Network in Sys Prefs on client machine and ensure that the DNS records point to your server (eg. 192.168.1.10)

    On your server they should point to 127.0.0.1 and your router, normally.

    Create a user using Server App. Ensure that you get the globe type icon confirming they are a network user and a member of Workgroup. Option click the user to edit them and confirm the location of the home folder is where you want it to be (Not local I guess but wotevs)

    NB Workgroup Manager is a bit of a pain. For simple setups just use the Server App.

    File sharing should be active and the user be enabled for this.

    Go to client machine Sys Prefs, Users and Groups in 10.7, click Network account Join, type server.example.private in Directory Utility and allow whirryness to take place after authenticating.

    Log out of the local account, click 'Others' and log in. First login always takes longer as it creates folders.

    Even money it's a DNS issue.

    If it's not a DNS issue and you're trying to locate the Home Folders on an external drive then it's a permissions issue for the volume. Change this in file sharing.
     
  7. thread starter macrumors newbie

    Joined:
    Jul 9, 2012
    #7
    It's a volume mounted on the server. We have about 12 network users who are fully working with it - this problem is only for new users.

    Can you elaborate on how I do this?

    Yep, kerberos/LDAP/Password server all running

    Ok, so if I lookup the server IP, I get this:
    Code:
    Lookup has started…
    
    
    ; <<>> DiG 9.6-ESV-R4-P3 <<>> -x 192.168.1.14 +multiline +nocomments +nocmd +noquestion +nostats +search
    ;; global options: +cmd
    14.1.168.192.in-addr.arpa. 10800 IN PTR	server1.stormforce.private.
    1.168.192.in-addr.arpa.	10800 IN NS server1.stormforce.private.
    server1.stormforce.private. 10800 IN A 192.168.1.14
    
    If I lookup server1.stormforce.private, I get this:
    Code:
    Lookup has started…
    
    
    ; <<>> DiG 9.6-ESV-R4-P3 <<>> server1.stormforce.private +multiline +nocomments +nocmd +noquestion +nostats +search
    ;; global options: +cmd
    server1.stormforce.private. 10800 IN A 192.168.1.14
    stormforce.private.	10800 IN NS server1.stormforce.private.
    Does that look as expected?

    Yes - on the client machine it's set up as 192.168.1.14. On the server, it's set to 192.168.1.1 (router). I would go in and check to see if 127.0.0.1 appears in the server, however, I now seem to have locked myself out. I can't login to the server with any user at the moment, which is a bit troubling!

    Yep, all done for Test User 1
    Still no joy. Just the 'shake' which prevents login.

    A DNS issue sounds likely. I've been through all the permissions for the home folder and volume etc - and as it works for other users, I can't see where I might be going wrong on permissions.
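
The forward/reverse comparison suggested in post #6, applied to the dig answers quoted in post #7, as an added example that is not part of the original thread. The function names are hypothetical and the sample text is constructed from the answer lines shown above.

```shell
#!/bin/sh
# Constructed sample input: the answer lines from the two dig lookups quoted in
# the thread (reverse lookup of 192.168.1.14, forward lookup of the server name).
REVERSE_ANSWER='14.1.168.192.in-addr.arpa. 10800 IN PTR server1.stormforce.private.
1.168.192.in-addr.arpa. 10800 IN NS server1.stormforce.private.
server1.stormforce.private. 10800 IN A 192.168.1.14'
FORWARD_ANSWER='server1.stormforce.private. 10800 IN A 192.168.1.14
stormforce.private. 10800 IN NS server1.stormforce.private.'

# 192.168.1.14 -> 14.1.168.192.in-addr.arpa. (owner name of the PTR record)
ip_to_arpa() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# records OWNER TYPE DIG_TEXT: print the data field of matching answer lines.
# Owner names are compared case-insensitively, as DNS does.
records() {
    printf '%s\n' "$3" | awk -v o="$1" -v t="$2" \
        'tolower($1) == tolower(o) && $3 == "IN" && $4 == t { print $5 }'
}

# check_fcrdns IP REVERSE_TEXT FORWARD_TEXT
# 0 = a PTR name maps back to IP, 1 = no PTR record, 2 = PTR exists but no
# A record for that name returns IP.
check_fcrdns() {
    ip=$1
    names=$(records "$(ip_to_arpa "$ip")" PTR "$2")
    if [ -z "$names" ]; then
        echo "FAIL: no PTR record for $ip"
        return 1
    fi
    for name in $names; do
        for addr in $(records "$name" A "$3"); do
            if [ "$addr" = "$ip" ]; then
                echo "OK: $ip <-> $name"
                return 0
            fi
        done
    done
    echo "FAIL: PTR for $ip is $names, but no A record points back to $ip"
    return 2
}

check_fcrdns 192.168.1.14 "$REVERSE_ANSWER" "$FORWARD_ANSWER"
```

On a live network the two text arguments can come from `dig +noall +answer -x <ip>` and `dig +noall +answer <name>`, run on both the server and a client so that each machine's own resolver is exercised.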
     
  8. macrumors newbie

    Joined:
    Jul 17, 2012
    #8
    DNS in System Preferences on the Server should only point to itself, 127.0.0.1.
    In Server Admin.app -> DNS -> Settings the Forwarder IP Address should point to your external DNS, probably your router.

    In Server Admin.app -> DNS -> Zones you need to have a primary zone and the corresponding reverse zone.

    Check your DNS by using Terminal.app:

    Code:
    sudo changeip -checkhostname
    This should result in:


    This unfortunately does not say that it is running correctly.

    And do not forget to review the log files in Server.app and/or Server Admin.app! They can be quite useful.
     
  9. thread starter macrumors newbie

    Joined:
    Jul 9, 2012
    #9
    Thanks modernlifeiswar - I'll try all of that, as soon as I've worked out why I can't login to the server!

    It's an odd problem, the Server is set on the login screen - if I type a correct username and password, the grey login screen briefly disappears, before returning... any thoughts?
     
  10. thread starter macrumors newbie

    Joined:
    Jul 9, 2012
    #10
    This is quite frustrating! As soon as I can get into the server I'm going to enable SSH, but for the now, I just can't get past that login screen...

    This means if I need to make any changes at any point, I'm nixed. Whoops.
     
  11. macrumors regular

    Joined:
    Jul 25, 2011
    #11
    I had a problem like this some time ago when the client was running OSX Lion server (as opposed to just OSX Lion).

    Essentially the home mount point wasn't being created and the user wasn't able to log on with these symptoms. There was an error in the log indicating this. What does your error log show?
     
  12. thread starter macrumors newbie

    Joined:
    Jul 9, 2012
    #12
    AtomicGrog, thanks for that - sounds like something I need to explore further. Unfortunately, I'm still unable to login to the server, which is proving frustrating! All I get is the login screen, and can't get any further.

    I'm working on it!
     
  13. thread starter macrumors newbie

    Joined:
    Jul 9, 2012
    #13
    OK, so, we're back up and running! In the end, the issues with the server reached such high levels, I did an over the top install of Lion.

    This seems to have been mostly successful - I had to reinstall Server Admin Tools, and we lost all of our users and settings, but I've been rebuilding them as we speak.

    So, new problem; the client machines show Network Accounts Available, but no longer show the list of users. I can get any user to login as before, as a network user, it's just that their name doesn't show up on the list of available users.

    Any suggestions here gratefully received, again!
     
