Client can't log to Open Directory master

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Umbre, Aug 14, 2008.

  1. Umbre macrumors newbie

    Jul 29, 2008

    I'm setting up a new network and followed the doc to do so, as I'm not a specialist.

    What I have and which (apparently) works is:

    an internal DNS service - verified with changeip
    a DHCP service

    Open Directory master - with Kerberos running, authenticated binding not activated
    afp - share point shared with automount and group authorisation given

    afp - share point shared with automount and group authorisation given

    In WGM I created two test users,
    "U1" member of "grouptest" with home folders located on server2
    "U2" member of "grouptest2" with home folders located on server3

    I manually created the groups' folders. First thing to note: the users' home folders did not get created after I clicked the "create start" button in WGM. I suspect it is because I miswrote the path for the home folder in WGM, although I tried to copy the example given. E.g. I wrote: afp://FQDN/Hard disk name/folder name.

    Client configuration
    Regarding client config, I entered server2's FQDN in Directory Utility; it states the server responds normally. I was not able to bind, however, and I don't know if it's necessary.

    The problem
    When I try to log in using the client's login window, neither test user (u1, u2) succeeds. I get an error message I cannot enter for the moment because an error occurred.
    On server2, the Kerberos app shows it does not give any tickets.

    I'd be grateful for any thoughts as I am not seeing which direction to follow.
  2. crackpip macrumors regular

    Jul 23, 2002
    I am not an expert at this, but I've been testing it out on a small network at home, including OpenDirectory authentication across multiple machines with networked home directories and portable home directories.

    The first thing is that when setting up the automount, you need to make sure it is enabled for guest access.

    If you use a different drive or partition for home directories under Leopard, the share point URL will be afp://FQDN/Users, but the full path will be in the /Network/Servers directory under the path: '/Network/Servers/FQDN/Volumes/Drive-Name/path-to-users'.

    When creating users, of course, make sure they are being added to the LDAP directory, not the local database.

    Using, you need to at least have the clients set up to look at the server for authentication. If I remember correctly, you should be able to log on and see your home directory from the client at this point. For Kerberos to work, I think you have to bind the clients to the server. Then create a computer group with the clients and server in it. Finally, you need to add user records to the Kerberos database in OpenDirectory using Server Admin.

    I just moved and haven't had time to reset all of the clients, so the last part is a bit fuzzy. I did have most of this working, however.

  3. Umbre thread starter macrumors newbie

    Jul 29, 2008
    First, thank you for your useful input.
    Yes, I found this out yesterday by trying random attempts.

    Up to that point it's ok.

    Would you care to specify what to use for those two points? For the second one you mentioned Server Admin but I don't see where we can add user records. Are you referring to the share points' authorisations?

    I am now able to log in perfectly with users whose home directory is located on the OD master, but when logging in with a user whose home directory is located on another afp server, it enters but says the home directory is unreachable or has been moved. I did enter the paths the same way as I did for the main server. I'll double-check everything.
  4. Umbre thread starter macrumors newbie

    Jul 29, 2008
    OK, every test user works now. I simply unshared the share points and reshared them.

    To sum up, the problem was solved by writing the paths for home directories correctly and by adding the other afp servers to the Kerberos realm.

    Amazing how we get better answers here than on the Apple forums ;)

    Thank you and greetings!
