Panther Server’s Open Directory forgot how to authenticate me

So I was sitting at my desk this morning, more or less happily working away. I needed to ssh to the Xserve a couple of times for some reason or other. The last time I did it this morning, I was unable to authenticate. It asked for my password, strange enough in itself since I use ssh’s public key authentication for logging in to that server.

I had some problems a couple of months ago with my admin users losing the ability to authenticate changes on the directory, so we couldn’t do things like change users’ passwords when they forgot them. After searching far and wide on the web and finding nothing, as well as asking AppleCare Premium Support for a fix, they suggested I export all the Open Directory user entries, demote the server to standalone, re-promote it to OD master, and then import all the users. Of course you can’t export the passwords since they’re all encrypted at rest, so I had to generate new passwords for the 20-odd users we have. It was slightly painful, I wouldn’t want to do it again, but not the end of the world.

I’ve always suspected I had those original authentication problems because at one point I had problems logging in as a user, so I changed them from using an Open Directory password to using a crypt password, then back again. I got the impression that was a bad idea, so I didn’t want to try it again in this case.

I figured since my user couldn’t log in and changing the password didn’t help matters, I’d just delete the user and then re-create it with the same user id and attributes. When I did that, I was surprised to see Workgroup Manager complain there was already a user with that name!

A few more go-rounds with AppleCare Premium Support led me to discover the user also had a stub of an entry in the NetInfo database on that server. When I deleted that entry stub, I was able to use Workgroup Manager to re-create the user’s entry, and now everything seems back to normal.

Except, of course, the three hours it took to go through this process, which I would like back. I’m beginning to think Apple isn’t too good at enterprise-level service and support, and that we should have bought a nice Linux box and a support contract from IBM or something.

I’ve entered a number of bugs against Mac OS X Server, and the response I typically get is that engineering is investigating the issue, and it usually seems to result in them advising me to upgrade to OS X Server 10.4. However, after reading all the discussion boards on Apple’s support site, I’m frankly terrified of 10.4 Server, since it seems like people have more problems with it than they did with 10.3!
