September 13th, 2005, 11:24 AM #1
OpenDirectory authentication no longer works for users
Briefly - I have an Xserve cluster (16 nodes) - The current method for authentication across the cluster is LDAPv3 (head node is an OpenDirectory master).
I've been running 10.3.4 for a while, because of incompatibilities with some of the cluster software I'm running, although these issues are now resolved - during some recent cluster downtime (the head node decided it was no longer able to fork(), which was... problematic) I applied the upgrade to 10.3.9.
After the reboot, and some fiddling with /etc/hosts to get Sun Grid Engine back up and running on the cluster nodes (and fixing some permissions issues on the head node), I announced to my users that they could start using the cluster again.
Unfortunately for them - they can't log in. I can log in on the console and via ssh as admin (I assume this is because it's stored in the NetInfo database), but all my LDAPv3 users are stuffed - in fact the system no longer even believes they exist:
biocluster:~ admin$ su dswan
biocluster:~ admin$ sudo sh
sh-2.05b# su -
biocluster:~ root# su dswan
su: unknown login: dswan
As you can see - this is suboptimal.
All the user directories are there, although they're no longer chowned to the usernames, just the user IDs:
drwxrwxrwt 4 root wheel 136 13 Sep 2003 Shared
drwxrwx--- 38 admin staff 1292 13 Sep 14:31 admin
drwxr-xr-x 2 1035 admin 68 20 Jul 15:51 alina
drwxr-xr-x 3 1036 admin 102 20 Jul 15:55 cessie
drwxr-xr-x 2 1033 admin 68 20 Jul 15:45 christophe
drwxr-xr-x 17 1031 admin 578 8 Sep 16:36 cymon
If I go into Workgroup Manager, all the user accounts are there; resetting people's passwords has no effect, and if I add new users to OpenDirectory they are similarly broken (the user can't log in, etc.).
I'm a Linux guy, and this OS X server business is still stumping me - but apart from the 10.3.9 upgrade I swear I haven't fiddled with the auth setup.
If anyone has a clue, I'd love to hear from you.
September 13th, 2005, 05:20 PM #2
So, Apple changed the LDAP schema when moving to 10.3.9. If you jumped from 10.3.4 -> 10.3.9, that may be what bit ya.
Use the directory service command line utility (dscl) to read the actual LDAP info out of your OD master to see what's up.
Any pertinent logs?
September 14th, 2005, 04:26 AM #3
OK, this is how I resolved this issue. Simpler than I thought.
Opened up the Directory Access application.
Noted that Authentication was searching a Local path for Directory Node /Netinfo/root.
Changed this to a custom path, and added a directory node /LDAPv3/127.0.0.1
Problem solved. I wish I knew more about Mac OS X - every problem I hit takes me 2 days to solve due to my inherent unfamiliarity
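The command-line equivalent of what #2 suggests (reading the directory service state with dscl) and what #3 did in Directory Access (switching the authentication search path from local-only to custom and adding the /LDAPv3/127.0.0.1 node), as an added example that is not part of the thread. The dscl paths used here (/Search, SearchPolicy, CSPSearchPath, dsAttrTypeStandard:CSPSearchPath) are the ones Apple documents for later 10.x releases and are assumed to apply to 10.3.9; the sample dscl output embedded in the check function is constructed, and the user name dswan is taken from post #1.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Check that the Directory Services authentication search path on an
# Open Directory master includes the local LDAPv3 node, and repair it
# the way post #3 did (custom search path + /LDAPv3/127.0.0.1).
# Assumption: dscl on this release accepts the same /Search record and
# attribute names that later Mac OS X Server releases document.

LDAP_NODE="/LDAPv3/127.0.0.1"

# Reads a "dscl localhost -read /Search" dump on stdin.
# Returns 0 only if SearchPolicy is the custom policy AND the node is listed
# in CSPSearchPath (either on the same line or as an indented value line).
# Taking stdin rather than calling dscl lets it be checked against canned
# output on a machine without dscl.
search_path_has_node() {
    node="$1"
    awk -v node="$node" '
        /^SearchPolicy:/  { policy = $2 }
        /^CSPSearchPath:/ { inpath = 1
                            for (i = 2; i <= NF; i++) if ($i == node) found = 1
                            next }
        inpath && /^[^ ]/ { inpath = 0 }
        inpath            { sub(/^ +/, ""); if ($0 == node) found = 1 }
        END { if (policy == "dsAttrTypeStandard:CSPSearchPath" && found) exit 0
              exit 1 }
    '
}

# Switch the authentication search policy to "custom" and append the LDAP node.
# Assumption: these dscl invocations match the later-documented syntax.
set_custom_search_path() {
    dscl localhost -create /Search SearchPolicy dsAttrTypeStandard:CSPSearchPath &&
    dscl localhost -append /Search CSPSearchPath "$LDAP_NODE"
}

# A user is only usable for login if the system resolves the name at all
# (this is exactly what "su: unknown login" in post #1 was failing on).
user_resolves() {
    id "$1" >/dev/null 2>&1
}

main() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found: run this on the OD master (Mac OS X Server)" >&2
        return 0
    fi
    user="${1:-dswan}"   # dswan is the user from post #1; override via $1

    if dscl localhost -read /Search | search_path_has_node "$LDAP_NODE"; then
        echo "search path already includes $LDAP_NODE"
    else
        echo "search path is missing $LDAP_NODE; switching to custom path"
        set_custom_search_path || { echo "dscl update failed" >&2; return 1; }
    fi

    # Confirm the LDAP record is readable directly from the node, then that
    # the system as a whole now resolves the user through the search path.
    dscl "$LDAP_NODE" -read "/Users/$user" RecordName >/dev/null 2>&1 ||
        echo "warning: $user not found in $LDAP_NODE itself" >&2
    if user_resolves "$user"; then
        echo "$user resolves: $(id "$user")"
    else
        echo "$user still does not resolve; lookupd may need restarting" >&2
        return 1
    fi
}

main "$@"
```

Run it as root on the head node (sudo sh check-od-search.sh dswan). The first branch is the read-only diagnostic #2 asked for; the write happens only when the LDAP node is absent from the custom path, so it is safe to re-run after every reboot or upgrade as a pre-flight check before telling users the cluster is back.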