Saturday, December 18, 2010

Bound Leopard Server not allowing SMB or AFP connections

Problem: A 10.5.8 server was not allowing SMB or AFP connections. The server was bound to AD, but "id" lookups of domain accounts were failing intermittently.

Looking at the logs, I saw that they were filled with launchd errors:

 com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 10

The constant respawning caused very poor performance and all but stopped Directory Services from answering lookups; that in turn prevented any logins.

The first thing I attempted was to unbind the server, but as it couldn't connect to the domain I did a Force Unbind, deleted the edu.mit.kerberos file and the Directory Services folder, and restarted. I then re-bound the server and immediately unbound it; a clean unbind ensures that the server's computer account is removed from AD.

From the unbound server I took these actions:
  • Changed the Windows role to Standalone server
  • Stopped the SMB services
  • Opened Terminal and ran "sudo -s /usr/libexec/slapd -Tt"
This returned:

could not stat config file "/etc/openldap/slapd.conf": No such file or directory (2)
slaptest: bad configuration file!
I then viewed the contents of the directory: "cd /etc/openldap" followed by "ls".

There was no slapd.conf file present, but there was a slapd.conf.default file, so I copied it into place: "cp slapd.conf.default slapd.conf"
I then re-ran the slapd command, "/usr/libexec/slapd -Tt", and it returned:

bdb_db_open: Warning - No DB_CONFIG file found in directory /private/var/db/openldap/openldap-data: (2)
Expect poor performance for suffix dc=my-domain,dc=com.
config file testing succeeded

Since LDAPv3 is turned off in Directory Services, the missing DB_CONFIG file shouldn't be a problem. The remaining steps were:
  • Reboot 
  • Launch Server Manager
  • Change the Windows role to Domain Member
  • Start the SMB service
AFP and SMB log-ins now worked.

These steps and more info can be found here:  http://discussions.apple.com/message.jspa?messageID=10613310
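The diagnosis above as a script, added here as an example (it is not code from the original post or from Apple): count_throttle tallies launchd's respawn-throttle lines for a launchd label, ensure_slapd_conf restores slapd.conf from slapd.conf.default when it is missing (the cause found above), and check_config runs "slapd -Tt" (slaptest) on the result. LOG, CONF and SLAPD are hypothetical knobs preset to the Leopard Server paths from the post; the script only changes something on disk when slapd.conf is absent and the .default file exists.

```shell
#!/bin/sh
# Added example, not part of the original post: triage for the
# "Throttling respawn" slapd loop described above.
# LOG, CONF and SLAPD are hypothetical knobs, preset to the Leopard paths.
LOG=${LOG:-/var/log/system.log}
CONF=${CONF:-/etc/openldap}
SLAPD=${SLAPD:-/usr/libexec/slapd}

# Number of "Throttling respawn" lines launchd logged for label $2 in file $1
# (0 when the file is unreadable). A steadily growing count is the symptom.
count_throttle() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 when the count is 0 but still prints "0".
    { grep -cF "launchd[1] ($2): Throttling respawn" "$1"; } || true
}

# Make sure $1/slapd.conf exists, copying slapd.conf.default into place if
# needed (the fix from the post). Prints present|restored|missing and
# returns 1 only for missing.
ensure_slapd_conf() {
    if [ -f "$1/slapd.conf" ]; then
        echo present
        return 0
    fi
    if [ -f "$1/slapd.conf.default" ]; then
        cp -p "$1/slapd.conf.default" "$1/slapd.conf" && { echo restored; return 0; }
    fi
    echo missing
    return 1
}

# slaptest: parse the config without starting the daemon. Returns slaptest's
# exit status, or 2 when there is no slapd binary at $SLAPD.
check_config() {
    [ -x "$SLAPD" ] || return 2
    "$SLAPD" -Tt -f "$1/slapd.conf"
}

main() {
    echo "slapd respawn throttles in $LOG: $(count_throttle "$LOG" org.openldap.slapd)"
    echo "slapd.conf in $CONF: $(ensure_slapd_conf "$CONF")"
    if check_config "$CONF"; then
        echo "config file testing succeeded"
    else
        echo "slaptest failed (exit $?)" >&2
    fi
}

# Only produce the report when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with --run on the affected server; on a healthy box the throttle count is 0 and the config state is "present". A non-zero slaptest status after the restore means the default config itself needs attention, not launchd.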

Thursday, December 9, 2010

Cannot log in to a bound Mac using an AD account

Symptom 
A Mac that has been bound to AD will not allow a particular AD user to log in. Other AD accounts are able to log into the bound Mac, and the user can log into other computers.

This is generally a symptom of a corrupt local copy of the account on the computer. You have several options to remedy the situation.

Solutions

Scenario One: You are migrating a local account to a domain account. You have bound the computer and are attempting to log in for the first time using the user's AD account, and you get a shaking login window or the error "you are unable to log into the user's account". Follow these steps to create a new local account, migrate the user's data to that account, then log in with the AD account (which creates its home folder) and migrate the data into it. The steps assume the root account is enabled; disable it again when you are done.

  • Log in as root
  • Unbind the computer, then delete the entire /Library/Preferences/DirectoryService folder and the edu.mit.kerberos file
  • Restart the computer
  • Log in as root
  • Go to System Preferences/Accounts
  • Create a new local account for the user
    • Do not use the same name as the user's AD account
    • Do not use the same name as the existing account
  • Go to /Users and locate the user's old home folder
  • Select all the folders in the old home folder and drag them into the new home folder for the account you just created. When it prompts you, select Replace All
  • Go back to the Finder and press Shift-Apple-U (Shift-Command-U) to open the Utilities folder
  • Launch Terminal
  • Type cd /Users
  • Type chown -R [user name]:staff /Users/[user name]. For example: chown -R tsmith:staff /Users/tsmith
    • Remember, you are running the above command on the newly created home folder, the one you copied all the data into
    • Use the newly created account name for "user name", both as the owner and in the path
  • Re-bind the computer
  • Log out and then back in with the user's AD account
    • This will create a new, blank home folder for the AD account
  • Log out and back in as root
  • Go to /Users and locate the local home folder you created in a previous step (the one you moved all the data into and ran "chown" on)
  • Select all the folders in that folder and drag them into the newly created home folder (it will have the user's AD name). When it prompts you, select Replace All
  • Go back to the Finder and press Shift-Apple-U (Shift-Command-U) to open the Utilities folder
  • Launch Terminal
  • Type cd /Users
  • Type chown -R [user name]:staff /Users/[user name], this time with the AD account name. For example: chown -R tom.smith:staff /Users/tom.smith
  • Log out and back in using the user's AD account credentials
  • Their desktop icons should appear
  • Go to /Users/[user name]/Library/Keychains and rename login.keychain to login.keychain.old. The copied keychain is protected by the old local password, so setting it aside lets the next login create a fresh keychain that matches the AD password
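The two copy-and-chown passes of Scenario One as a single shell function, added here as an example (it is not code from the original post): migrate_home copies the contents of one home folder into another, replacing what is there, gives everything the new owner, and sets the copied login keychain aside so the next login creates one under the current password. The paths and the user:group argument are supplied by the caller; the names in the usage comment (mlewis, tsmith, tom.smith) are the post's own placeholders, not real accounts. Run it as root, first from the old home into the staging local account's home, then from the staging home into the home the first AD login created.

```shell
#!/bin/sh
# Added example, not part of the original post: the "drag everything, Replace
# All, chown -R, rename login.keychain" sequence of Scenario One as a function.
#
# Usage (as root), using the post's placeholder names:
#   sh migrate_home.sh /Users/mlewis  /Users/tsmith    tsmith:staff     # pass 1
#   sh migrate_home.sh /Users/tsmith  /Users/tom.smith tom.smith:staff  # pass 2

# migrate_home SRC DST OWNER
#   Copy the contents of SRC into DST (existing files are replaced, as with
#   "Replace All"), make OWNER (user:group) the owner of everything in DST,
#   and move DST/Library/Keychains/login.keychain to login.keychain.old.
#   The copied keychain is encrypted with the old local password; renaming it
#   lets the next login create a fresh keychain that matches the new password.
#   Returns 1 when SRC does not exist or a copy/chown step fails.
migrate_home() {
    src=$1
    dst=$2
    owner=$3
    if [ ! -d "$src" ]; then
        echo "migrate_home: no such source folder: $src" >&2
        return 1
    fi
    mkdir -p "$dst" || return 1
    # "$src/." copies dotfiles (.ssh, .bash_profile, ...) as well, which
    # dragging the visible folders in the Finder misses.
    cp -Rp "$src/." "$dst/" || return 1
    chown -R "$owner" "$dst" || return 1
    kc="$dst/Library/Keychains/login.keychain"
    if [ -f "$kc" ]; then
        mv -f "$kc" "$kc.old" || return 1
    fi
    return 0
}

# Run only when all three arguments are given, so the file can also be sourced.
if [ $# -eq 3 ]; then
    migrate_home "$1" "$2" "$3"
fi
```

cp -Rp keeps modification times and permissions within the home; the chown -R afterwards is what changes ownership, so any file the old account could not read stays unreadable to the copying shell and is reported by cp, which is why the function stops on a failed copy instead of continuing with a partial home.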
 
Scenario Two: Sometimes having a UNC path to a home folder in AD prevents a user from logging in. In this case the user cannot log into any Mac, but logging into a PC works.

Open the user's account in AD (Active Directory Users and Computers) and go to the Profile tab. If the home folder field contains a UNC path, remove it. Wait for replication and attempt to log in again.

Scenario Three: You have bound the computer and are attempting to log in for the first time using the user's AD account, and you get a shaking login window or the error "you are unable to log into the user's account".

Other users can log in using their AD accounts. Checking System Preferences/Users DOES NOT show an account for the user that is unable to log in.

It is possible that the local record for the AD user was only partially created and the process failed somewhere along the way. First check whether a record exists on the computer even though it is not shown in "Users":
  • Open a Terminal window
  • Type "dscl localhost"
  • Type "cd /Local/Default/Users"
  • Type "ls"
  • If the problem user's account is displayed, you must remove it
To remove the account with Workgroup Manager you first need to download and install the Apple Server Admin Tools on the client computer. The 10.6.4 admin tools can be found here:
http://support.apple.com/kb/DL1071

After you have installed the Admin Tools, follow these steps to remove the problem account:
  • Go to Applications/Server
  • Launch Workgroup Manager (WGM)
  • At the connection screen enter an address of "localhost" and the user name and password of the local machine administrator
  • In WGM click on the "Accounts" icon
  • Make sure you are authenticated to /Local/Default
  • Click on the single-user icon above the search menu
  • Find the problem account in the list and click on the "Delete" icon
  • Exit WGM and attempt to log into the machine again with the user's AD account
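The checks behind Scenario Three (and the "id" check from the Leopard Server post above) collected into one non-interactive report, added here as an example and not code from the original post: has_local_record runs the same dscl listing of /Local/Default/Users the steps above do interactively, resolves_in_directory asks "id" whether the bound directory knows the user at all, and triage prints one finding per line. DSCL and ID are hypothetical knobs that default to the real tools, so the script can be exercised with stand-ins on a machine that has no dscl; the reported actions point back to the Workgroup Manager steps above rather than deleting anything themselves.

```shell
#!/bin/sh
# Added example, not part of the original post: triage for an AD user who
# cannot log in to a bound Mac. Reports findings; it changes nothing.
# DSCL and ID are hypothetical knobs, preset to the real macOS tools.
DSCL=${DSCL:-/usr/bin/dscl}
ID=${ID:-/usr/bin/id}

# True when the local node still holds a record named $1: the same check as
# "dscl localhost", "cd /Local/Default/Users", "ls" in the steps above.
has_local_record() {
    "$DSCL" localhost -list /Local/Default/Users 2>/dev/null | grep -qx -- "$1"
}

# True when the bound directory resolves $1 at all (the "id" test from the
# Leopard Server post). A failure here is a binding problem, not an account one.
resolves_in_directory() {
    "$ID" -u "$1" >/dev/null 2>&1
}

# triage USER [HOME]
#   Print one finding per line. An empty report means nothing on this Mac
#   explains the failure and the account itself (Scenario Two) is the next
#   place to look. HOME defaults to /Users/USER.
triage() {
    user=$1
    home=${2:-/Users/$user}
    if ! resolves_in_directory "$user"; then
        echo "unresolved: '$user' does not resolve via id; check the AD binding before anything else"
    fi
    if has_local_record "$user"; then
        echo "stale-local-record: /Local/Default/Users/$user exists; remove it (Workgroup Manager, as above) and retry"
    fi
    if [ -d "$home" ]; then
        echo "home-exists: $home is already present; check its ownership matches the AD account before retrying"
    fi
    return 0
}

# Report when given a user name, so the functions can also be sourced.
if [ $# -ge 1 ]; then
    triage "$@"
fi
```

Run it as "sh triage.sh tom.smith" on the affected Mac before installing anything: a "stale-local-record" line confirms the Scenario Three case and the Workgroup Manager removal above is the next step; an "unresolved" line means the Mac's binding, not the user's record, is broken.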

Monday, December 6, 2010

Check GPOs applied in Win7

This will export the results of the "gpresult" command to an HTML file. Run it from an elevated prompt; otherwise the computer-scope settings are omitted from the report:

Gpresult /H c:\temp\[machine name].html

E.g. Gpresult /H c:\temp\FRAMBW-DXP1234.html