
10.4.11 client cannot authenticate to 10.5 OD replica-Add'l Info



I've tried to post this before, but I haven't seen it post.

I'm continuing my struggles with 10.4 client authentication to a 10.5
replica. I've done more testing which I'm hoping may lead to a solution.

I'm setting up an AD-OD replica. I'm testing OD user login with a master-down
scenario.
Server: 10.5.2. Clients: 10.4.11, 10.5.2. These are fresh installs.
Replication looks to have gone just fine.
Both master and replica are bound to AD. The replica is bound to the OD
master. The edu.mit.kerberos preference on the master and replica points to
the AD realm.

With the master up I can log in both AD and OD users without a problem on
both 10.5 and 10.4. With the master down, only the 10.5 machines will
authenticate OD users with the replica.

What I do know:
- nslookup forward and reverse lookups are working fine for both the master
and replica
- changeip -checkhostname reports nothing to change
- The DNS replica list is listed properly in DSLDAPv3PlugInConfig.plist
- dscl /Search -read /Config/ldapreplicas lists both the OD master and
replica. (The AppleMetaNodeLocation lists /LDAPv3/127.0.0.1. Should it be an
FQDN?)
- Password server is running on both master and replica. slurpd, slapd and
password server logs look OK


On the replica with the master down, I performed the following login tests:

On the server:
a) id a non-admin user in the shared domain: works fine
b) /usr/libexec/chkpasswd a non-admin user in the shared domain: tested
"oduser" and password works fine
c) kinit a non-admin user in the shared domain: AD user test works fine, OD
not so (is this expected?)


On the client:
a) id a non-admin user in the shared domain: works
b) /usr/libexec/chkpasswd a non-admin user in the shared domain: fails with
test user "oduser"
c) kinit a non-admin user in the shared domain: fails for the OD user, works
with AD.
d) dscl /LDAPv3/x.x.x.replicaip -read /
Under 10.4:
This may be interesting. Record type entries are only returned for the OD
server to which I'm bound, be it the master or replica, and only via DNS name
lookup (dscl /LDAPv3/odmaster -read /). Lookups by IP return no record type
results.

Results of dscl /LDAPv3/x.x.x.x lookup via DNS name:
cas-m-mis-radmi:~ userx$ dscl /LDAPv3/odmaster -read /
TrustInformation: Anonymous
AuthMethod: dsAuthCrypt
AccountName: No Account Name
NodePath: LDAPv3 servername
ReadOnlyNode: ReadWrite
RecordType: AutoServerSetup Mounts Locations PresetComputerLists Groups
PresetComputerGroups OLCFrontEndConfig AccessControls ComputerGroups
PresetUsers AutomountMap PresetComputers Places Machines Printers
OLCOverlayDynamicID Resources Neighborhoods OLCBDBConfig Computers
OLCSchemaConfig Automount OLCGlobalConfig PresetGroups
CertificateAuthorities ComputerLists Config Maps FileMakerServers People
Users Augments
RealName: od_m_mis_odmaster

I ran Wireshark on the clients as I did the above tests. The client tries to
communicate with both master and replica. I'm not a big packet reader, but
running the dscl command and watching the results in Wireshark shows the
bound OD server responding very quickly with just a couple of packets when
queried via DNS name. The IP lookup entries are numerous. The terminal
returns its near-empty results, but the dscl lookup continues sending
numerous packets and it looks like some LDAP is being returned.

Under 10.5:
dscl /LDAPv3/servername -read / can only run against the bound server name.
IP substitution yields an invalid LDAP server error.



When the master is up:
dscl /LDAPv3/ with either the master or the replica returns much more
information:
dscl /LDAPv3/servername -read /
AccountName:
 No Account Name
AuthMethod: dsAuthMethodStandard:dsAuthCrypt
dsAuthMethodStandard:dsAuthClearText
dsAuthMethodStandard:dsAuthNodeNativeCanUseClearText
dsAuthMethodStandard:dsAuthNodeNativeCannotUseClearText
dsAuthMethodStandard:dsAuthKerberosTickets
LDAPSearchBaseSuffix: cn=config,dc=snaggle,dc=calacademy,dc=org
NodePath: LDAPv3 servername
ReadOnlyNode: ReadWrite
RealName: x_x_x_x
RecordType: dsRecTypeStandard:OLCFrontEndConfig
dsRecTypeStandard:AccessControls dsRecTypeStandard:Users
dsRecTypeStandard:PresetComputerLists dsRecTypeStandard:Groups
dsRecTypeStandard:AutoServerSetup dsRecTypeStandard:AutomountMap
dsRecTypeStandard:OLCOverlayDynamicID dsRecTypeStandard:Config
dsRecTypeStandard:Neighborhoods dsRecTypeStandard:OLCGlobalConfig
dsRecTypeStandard:Automount dsRecTypeStandard:PresetGroups
dsRecTypeStandard:Mounts dsRecTypeStandard:OLCSchemaConfig
dsRecTypeStandard:Machines dsRecTypeStandard:PresetComputers
dsRecTypeStandard:Augments dsRecTypeStandard:OLCBDBConfig
dsRecTypeStandard:CertificateAuthorities dsRecTypeStandard:Computers
dsRecTypeStandard:ComputerGroups dsRecTypeStandard:Resources
dsRecTypeStandard:PresetUsers dsRecTypeStandard:Maps
dsRecTypeStandard:FileMakerServers dsRecTypeStandard:PresetComputerGroups
dsRecTypeStandard:Places dsRecTypeStandard:Printers
dsRecTypeStandard:ComputerLists dsRecTypeStandard:Locations
dsRecTypeStandard:People
ServerConnection: x.x.x.x
TrustInformation: Anonymous


With the master down, running DirectoryService on the 10.4 machines in
debug mode and logging in as an OD user returns:

2008-04-03 10:58:16 PDT - PasswordServer PlugIn: Attempting use of authentication method dsAuthMethodStandard:dsAuthNodeNativeCanUseClearText
2008-04-03 10:58:16 PDT - GetAuthMethodConstant siResult=0, uiAuthMethod=1228, mech=
2008-04-03 10:58:16 PDT - hexHash=0E80B63AFDC8ACAB2AF9BF2E152C29D0
2008-04-03 10:58:16 PDT - HandleFirstContact
2008-04-03 10:58:40 PDT - CLDAPNode: Status Node: moof -- Server: 10.1.10.135 - Time: 30 sec -- Idle
2008-04-03 10:58:46 PDT - CPSPlugIn::DoAuthentication returning -14102
2008-04-03 10:58:46 PDT - Internal Dispatch, API: dsDoDirNodeAuth(), PasswordServer Used : DAR : Node Ref = 16778123 : Result code = -14102
2008-04-03 10:58:46 PDT - Plug-in call "dsDoDirNodeAuth()" failed with error = -14102.
2008-04-03 10:58:46 PDT - Port: 0 Call: dsDoDirNodeAuth() == -14102
2008-04-03 10:58:46 PDT - Client: chkpasswd, PID: 488, API: dsDoDirNodeAuth(), LDAPv3 Used : DAR : Node Ref = 16778121 : Result code = -14102
2008-04-03 10:58:46 PDT - Plug-in call "dsDoDirNodeAuth()" failed with error = -14102.
2008-04-03 10:58:46 PDT - Port: 0 Call: dsDoDirNodeAuth() == -14102
2008-04-03 10:58:46 PDT - Internal Dispatch, API: dsCloseDirNode(), NetInfo Used : DAC : Node Ref = 16778118
 
All that said, I just want to make sure 10.4 clients  Can anyone guide me in
the right direction? Is this a password server issue or LDAP?


Thanks,
Jaime

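The debug log quoted in the post is the most concrete evidence in it, so here is a small parser for that excerpt. This is an added example, not code from the original post or from Apple: it reads DirectoryService debug lines of the shape shown above and reports, for each dsDoDirNodeAuth() call, which plug-in handled it, the result code it returned, and how many seconds elapsed since HandleFirstContact, alongside any CLDAPNode status lines. The LOG text is copied from the post (the hexHash line omitted); the SLOW_SECONDS threshold and the findings() wording are assumptions made for this example. Run on the post's lines it shows both the PasswordServer and LDAPv3 plug-ins returning -14102 thirty seconds after first contact, the same 30 seconds the LDAP node for 10.1.10.135 reports as idle; the numeric code itself should be looked up in the DirServicesTypes.h header of DirectoryService.framework rather than guessed.

```python
"""Summarise a DirectoryService debug-log excerpt from a failed OD login.

Added example; it is not code from the original post. It reads the debug
lines the 10.4.11 client logged during the chkpasswd test and reports, per
dsDoDirNodeAuth() call, which plug-in handled it, the result code, and how
many seconds passed since HandleFirstContact. LOG is copied from the post;
SLOW_SECONDS is an assumption made for this example.
"""
import re
from datetime import datetime

LOG = """\
2008-04-03 10:58:16 PDT - PasswordServer PlugIn: Attempting use of authentication method dsAuthMethodStandard:dsAuthNodeNativeCanUseClearText
2008-04-03 10:58:16 PDT - GetAuthMethodConstant siResult=0, uiAuthMethod=1228, mech=
2008-04-03 10:58:16 PDT - HandleFirstContact
2008-04-03 10:58:40 PDT - CLDAPNode: Status Node: moof -- Server: 10.1.10.135 - Time: 30 sec -- Idle
2008-04-03 10:58:46 PDT - CPSPlugIn::DoAuthentication returning -14102
2008-04-03 10:58:46 PDT - Internal Dispatch, API: dsDoDirNodeAuth(), PasswordServer Used : DAR : Node Ref = 16778123 : Result code = -14102
2008-04-03 10:58:46 PDT - Plug-in call "dsDoDirNodeAuth()" failed with error = -14102.
2008-04-03 10:58:46 PDT - Port: 0 Call: dsDoDirNodeAuth() == -14102
2008-04-03 10:58:46 PDT - Client: chkpasswd, PID: 488, API: dsDoDirNodeAuth(), LDAPv3 Used : DAR : Node Ref = 16778121 : Result code = -14102
2008-04-03 10:58:46 PDT - Plug-in call "dsDoDirNodeAuth()" failed with error = -14102.
2008-04-03 10:58:46 PDT - Port: 0 Call: dsDoDirNodeAuth() == -14102
2008-04-03 10:58:46 PDT - Internal Dispatch, API: dsCloseDirNode(), NetInfo Used : DAC : Node Ref = 16778118
"""

# One log entry: "<date> <time> <tz> - <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ - (.*)$")
# Dispatch record of an auth call: plug-in name, node ref and result code
AUTH_RE = re.compile(
    r"API: dsDoDirNodeAuth\(\), (\w+) Used : \w+ : Node Ref = (\d+) : Result code = (-?\d+)"
)
# LDAP node status line: node name, server address, idle time and state
STATUS_RE = re.compile(
    r"CLDAPNode: Status Node: (\S+) -- Server: (\S+) - Time: (\d+) sec -- (\w+)"
)
CLIENT_RE = re.compile(r"Client: (\w+), PID: (\d+)")

SLOW_SECONDS = 20  # assumption: an auth taking this long deserves a closer look


def parse(log):
    """Return [(timestamp, message)] for every well-formed line in log."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def summarize(log):
    """Collect the auth calls, LDAP node status lines and the calling client."""
    events = parse(log)
    first_contact = next((ts for ts, msg in events if msg == "HandleFirstContact"), None)
    client, auth_calls, ldap_nodes = None, [], []
    for ts, msg in events:
        c = CLIENT_RE.search(msg)
        if c:
            client = (c.group(1), int(c.group(2)))
        a = AUTH_RE.search(msg)
        if a:
            elapsed = (ts - first_contact).total_seconds() if first_contact else None
            auth_calls.append({"plugin": a.group(1), "node_ref": int(a.group(2)),
                               "result": int(a.group(3)), "elapsed": elapsed})
        s = STATUS_RE.search(msg)
        if s:
            ldap_nodes.append({"node": s.group(1), "server": s.group(2),
                               "idle_seconds": int(s.group(3)), "state": s.group(4)})
    return {
        "client": client,
        "auth_calls": auth_calls,
        "ldap_nodes": ldap_nodes,
        "failed": [a for a in auth_calls if a["result"] != 0],
        "slow": [a for a in auth_calls
                 if a["elapsed"] is not None and a["elapsed"] >= SLOW_SECONDS],
    }


def findings(summary):
    """Turn the summary into the one-line observations a troubleshooter wants."""
    out = []
    if summary["client"]:
        out.append("caller: %s (pid %d)" % summary["client"])
    for a in summary["auth_calls"]:
        out.append("%s plug-in: dsDoDirNodeAuth() -> %d after %ss"
                   % (a["plugin"], a["result"], a["elapsed"]))
    for n in summary["ldap_nodes"]:
        out.append("LDAP node %s (%s): %s for %ds"
                   % (n["node"], n["server"], n["state"], n["idle_seconds"]))
    codes = sorted({a["result"] for a in summary["failed"]})
    if codes:
        out.append("look up result code(s) %s in DirServicesTypes.h"
                   % ", ".join(str(c) for c in codes))
    return out


if __name__ == "__main__":
    for line in findings(summarize(LOG)):
        print(line)
```

Point it at a longer capture (DirectoryService debug output with the same line format) to compare a 10.4 client against a 10.5 client, or the same client with the master up and down: the interesting differences are which plug-in answers first, whether the elapsed time tracks a node's idle timer, and whether the result code changes.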

Macos-x-server mailing list      (email@hidden)