How to remove authenticated Open Directory binding to itself

mojaveopen-directoryserver.app

In attempts to solve my file sharing issues I have at some point on macOS Mojave + Server, using Directory Utility, bound the Open Directory server to itself using Directory Utility (I was quite desperate). Now, with all the changes I made I was able to get the client machine use authenticated binding to the server machine and now SMB file sharing works. So far so good, but I cannot change the passwords of users anymore. When I try, I get the following error:

existing connection is not authenticated and the old password is not present: password change denied

DNS is ok. What I can find is that in the past one could 'rekerberize' the server but that information is old (Mavericks) so I don't want to try.

I was looking at removing the local authenticated binding on macOS Mojave Server. But in Directory Utility that is greyed out. And I do not dare to remove/recreate the LDAP server with Directory Utility on a production server yet (very scared).

Best Answer

While trying to get this done I accidentally found a way to do this:

On the server, in Directory Utility, in Services/LDAPv3 I tried to add another copy of the local server (127.0.0.1). The same name was not accepted so I went manual, created it with the name localhost This was created, but then it turned out that it had overwritten the previous OD. All my users, everything was gone. Panic.
I stopped OD in Server.app
Ran "sudo slapconfig -destroyldapserver" in Terminal
Ran "sudo slapconfig -restoredb 20200112-albus-odbackup.sparseimage" (I did make a backup before I went mucking about)

My OD is now up and running again, the users are back it took Server.app a while to sync with reality) and the authenticated binding between the server and itself is gone. /LDAPv3/127.0.0.1 only shows one computer, so I'll need to reauthenticate the client machine.

Probably not the way to do it and certainly not for the faint of heart.

Related Solutions

Open directory rebound, profiles not working

Okay I've managed a solution. Note this only works if the open directory hasn't been corrupted like ours was, you'll need to chown the home directory again after a rebind. Here's the steps:

Login to the machine as the network user
Go to https://your.server.com/mydevices and un-enroll
Log out
Log in as local admin user, not network user
Delete all keychain entries for old Open Directory server and MDM
Open Users & Groups
Delete network user, keep home directory
Delete /library/configuration profiles/username (network user)
Reboot
Log in as network user
Create mobile account
Go to profile manager/my devices and enroll the machine
Reboot
Log back in as network user
1. Transfer old documents/etc from /users/old user (deleted)/ to new user.

Why can’t I access File Sharing when Open Directory is enabled in macOS Mojave

The issue is the ACLs are not set up in the local directory for SMB and AFP. These used to be created in the older Server apps that had File Sharing in them. I've written an AppleScript that takes care of all this. It creates the appropriate ACL groups in the directory (/Local/Default/Groups/com.apple.access_smb and com.apple.access_afp), then adds all the users to it. The script is below. I threw it together today trying to solve this very issue. Hopefully it will help others.

-- Script to sort out ACLs for file sharing
set savedDelimiters to AppleScript's text item delimiters

display alert "Setup File Sharing ACLs" message "This script will set up the appropriate ACLs in the local directory to allow users to connect to file sharing on a macOS 10.14 server with OpenDirectory.

WARNING: Changes will be made to your local directory. Administrator privileges are required (you will be prompted for a password).

USE AT YOUR OWN RISK!

Set for all users, or only a single user?" buttons {"Cancel", "All Users", "Single User"} default button "Single User" cancel button "Cancel"

if button returned of result = "All Users" then
    set progress description to "Loading User List..."
    -- Load all directory users from the server
    -- (identified by UserShell value of '/bin/bash'; most likely to be normal users)
    -- The delimiter is horrible, but it's the only way to do it
    set delimiter to tab & tab & "UserShell = (" & return & "    \"/bin/bash\"" & return & ")"
    set AppleScript's text item delimiters to {delimiter & return, delimiter}
    set users to every text item of (do shell script "dscl /LDAPv3/127.0.0.1 search /Users UserShell \"/bin/bash\"")
else if button returned of result = "Single User" then
    repeat
        set username to the text returned of (display dialog "Enter Username:" default answer "" with icon note)
        if username is "" then
            display alert "Please enter username, or click cancel to end"
        else
            exit repeat
        end if
    end repeat
    -- Add blank element to end, as this happens with output from dscl above
    set users to {username, ""}
end if

-- Create the SMB & AFP ACL groups if necessary (this may be the first user)
createACLGroup("afp", 250)
createACLGroup("smb", 110)
-- Go through all the users now
set total to (length of users) - 1
set progress total steps to total
set progress description to "Adding Users to ACLs..."
set current to 0
repeat with idx from 1 to total
    -- Need to use indexed repeat because of issue with missing username in list from dscl
    set username to item idx of users
    try
        set progress completed steps to current
        set progress additional description to "User " & (current + 1) & " of " & total & " (" & username & ")"
        -- Now, check to see if the user is already in the file sharing lists
        set AppleScript's text item delimiters to {" "} -- Split words, not letters!
        set currList to every text item of (do shell script "dscl /Local/Default read Groups/com.apple.access_smb GroupMembership")
        if username is in currList and length of users is 1 then
            -- Only alert if in single user mode
            display alert "Username already set up"
        else
            -- Go ahead and set it up
            -- Firstly, get the user's GeneratedUID from the LDAP directory
            set isError to false
            try
                set guid to second item of (every text item of (do shell script "dscl /LDAPv3/127.0.0.1 read Users/" & username & " GeneratedUID"))
            on error
                display alert "Error" message "User " & username & " is not a directory user"
                set isError to true
            end try
            if not isError then
                -- Add the user to the group
                addUserToACL("afp", username, guid)
                addUserToACL("smb", username, guid)
            end if
        end if
        set current to current + 1
    on error
        -- Likely an empty username from the delimiters tokenising the list from dscl
    end try
end repeat
set current to total
display alert "Process completed!"

set AppleScript's text item delimiters to savedDelimiters

on createACLGroup(acltype, groupid)
    try
        do shell script "dscl /Local/Default read Groups/com.apple.access_smb"
    on error
        -- Doesn't exist, so we need to create it!
        do shell script "dscl /Local/Default create Groups/com.apple.access_" & acltype with administrator privileges
        do shell script "dscl /Local/Default create Groups/com.apple.access_" & acltype & " RealName \"" & changeCaseOfText(acltype, "upper") & " ACL\"" with administrator privileges
        do shell script "dscl /Local/Default create Groups/com.apple.access_" & acltype & " PrimaryGroupID " & groupid with administrator privileges
    end try
end createACLGroup

on addUserToACL(acltype, username, guid)
    do shell script "dscl /Local/Default append Groups/com.apple.access_" & acltype & "  GroupMembership " & username with administrator privileges
    do shell script "dscl /Local/Default append Groups/com.apple.access_" & acltype & " GroupMembers " & guid with administrator privileges
end addUserToACL

on changeCaseOfText(theText, theCaseToSwitchTo)
    if theCaseToSwitchTo contains "lower" then
        set theComparisonCharacters to "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        set theSourceCharacters to "abcdefghijklmnopqrstuvwxyz"
    else if theCaseToSwitchTo contains "upper" then
        set theComparisonCharacters to "abcdefghijklmnopqrstuvwxyz"
        set theSourceCharacters to "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    else
        return theText
    end if
    set theAlteredText to ""
    repeat with aCharacter in theText
        set theOffset to offset of aCharacter in theComparisonCharacters
        if theOffset is not 0 then
            set theAlteredText to (theAlteredText & character theOffset of theSourceCharacters) as string
        else
            set theAlteredText to (theAlteredText & aCharacter) as string
        end if
    end repeat
    return theAlteredText
end changeCaseOfText

Best Answer

Related Solutions

Open directory rebound, profiles not working

Why can’t I access File Sharing when Open Directory is enabled in macOS Mojave

Related Question