Login to OS X Server User Account from Local Computer

0

1

I have OS X Server installed on a Mac mini. I've created several user accounts, one of which is:

Account Name: Bob

Password: abc123

From the Mac mini's login screen I can choose "Server" (main account), "Bob" (Bob's account) and "Other..." for OS X Server accounts. From "Other...", if I input Bob's credentials it will log me in.

I also have a MacBook Air. I would like to be able to select "Other..." from the login screen, input Bob's credentials and have it log in to Bob's account, or any other user account for that matter.

My server is set up as private with the server address: server.network.private

Following some googled instructions as well as Apple's very own instructions, I have:

Set up an Open Directory with Username: diradmin Password: abc123

Then on the MacBook Air gone into

System Preferences > Users & Groups > Login Options

and clicked Join next to Network Account Server, input my server (server.network.private) with diradmin credentials and it's connected. Great.

I've also ticked Allow Network Users to Login and Login Window and selected All Users.

I was assuming this would allow my MacBook Air to log in to the "Bob" account by selecting "Other..." from the login window, although there is no "Other..." option.

I then set up a VPN, basic credentials, logged into it on the MacBook Air and still not much has changed. I am able to share screens with the "Bob" account from my MacBook Air by logging in by clicking Share Screen... from the Finder under Shared > Network Server and then clicking Login In, but this obviously requires the MacBook Air to already be logged into an account before it can share screens, which is not suitable.

Is there any way to simply log in to the OS X Server user account from the MacBook Air's login screen via "Other...", like it does on the Mac mini's login screen?

Thanks in advance.

Operating System: OS X 10.9 Mavericks

OS X Server: Version 3

Brod Wilkinson

Posted 2013-11-03T03:30:55.580

Reputation: 1

Answers

2

If the server and client time is out of sync by 5 minutes or more, the client will not be able to sign in. If this is the case, change the time on the client machine to match the server's time.

Makk

Posted 2013-11-03T03:30:55.580

Reputation: 21

1

I can't give you a solution, but I can give you some troubleshooting steps to help narrow down where the problem's coming from. First, I'm assuming the client & server are both on the same private network, right? Otherwise, this is going to be a lot more complicated. Anyway, here are the standard steps I'd follow in a situation like this:

  1. On the server, is Bob's account listed as a Local Account, or a Local Network Account? Only network accounts will be available on other computers.
  2. Still on the server, open the Terminal utility, and run the command `host server.network.private`; it should give the server's IP address. If it doesn't, your server's DNS is messed up.
  3. Still on the server, run the command `host` on the server's IP address (e.g. `host 192.168.1.5`); it should give the server's name ("server.network.private"). Again, if it doesn't, DNS is messed up.
  4. On the client, open System Preferences -> Users & Groups pane -> Login Options -> click the Network Account Server: ... Edit button. Check the status indicator; if it's anything other than green, there should be a message to the right with an indication of what's wrong.
  5. Repeat steps 2 and 3 on the client; if either one doesn't give the right result (but it worked on the server), your client is not using your server's DNS.
  6. If all of the above worked, run the command `id bob` (or whatever bob's account name is) on the client. It should give a bunch of id numbers and group names. If it says "id: bob: no such user", your client is failing to look up users on the server (for some reason other than DNS), probably something to do with the LDAP protocol connection to the server.
  7. On the client, run the command `su bob`, and enter Bob's password. If it works, it'll switch you into Bob's account (you'll have a different terminal prompt), and you should immediately switch back with the command `exit`. If it doesn't work (but step 6 did), there's some problem with the password service. Take a look in the Password Service Server Log on the server for more information.
  8. (Optional, if you're using Kerberos) On the client, run the command `kinit bob`, and enter Bob's password (note that it's critical to use the correct account name, not Bob's "Full Name" or an alias; the `id` command in step 6 will have printed the account name). If this succeeds, it won't print anything; if it fails, it'll print some sort of error message.

    OS X Server's Open Directory service actually provides two mostly-independent authentication services, the password server and the Kerberos server (called the KDC). You might or might not need Kerberos, and it doesn't always get set up. If it's not running, it's not really necessary, but if it is running and failing it'll cause trouble, which makes interpreting Kerberos failures tricky.

    BTW, on the server side, the Kerberos KDC doesn't have its own log. If you want to see what it's doing, you have to look at the System log, and filter for entries that contain "kdc".

Gordon Davisson

Posted 2013-11-03T03:30:55.580

Reputation: 28 538

I had the same problem, and everything works besides step 7. But after reading this page, https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration, I found out with kinit that the client machine was using the wrong hostname. After a reboot of the server and the client, it worked again.

– Jesper Grann Laursen – 2013-11-08T10:45:06.593

@Lauer: Interesting; I'm not sure why a Kerberos problem would interfere with password-server-based authentication... I'll add a Kerberos check step just in case. – Gordon Davisson – 2013-11-08T15:53:48.250
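
Steps 2, 3, 5 and 6 of the checklist above can be scripted so the same check runs identically on the server and on each client. This is an added example, not part of the original answers; the `sample_host` records, the script name `dircheck.sh` and the 192.168.1.x addresses are constructed assumptions, and `LOOKUP=sample_host` runs it offline.

```sh
#!/bin/sh
# Steps 2, 3 and 5 as one forward-confirmed reverse DNS check, plus the step 6 lookup.
# LOOKUP names the resolver command (default: host); set LOOKUP=sample_host to run
# against the constructed records below without touching the network.
LOOKUP=${LOOKUP:-host}

# Constructed sample output in the format `host` prints (assumed addresses).
sample_host() {
    case $1 in
        server.network.private) echo "$1 has address 192.168.1.5" ;;
        192.168.1.5) echo "5.1.168.192.in-addr.arpa domain name pointer server.network.private." ;;
        broken.network.private) echo "$1 has address 192.168.1.9" ;;
        *) echo "Host $1 not found: 3(NXDOMAIN)"; return 1 ;;
    esac
}

# Print the first IPv4 address reported for a name, or nothing.
forward_ip() {
    $LOOKUP "$1" 2>/dev/null | awk '/ has address /{print $NF; exit}'
}

# Print the first PTR name reported for an address, trailing dot removed.
reverse_name() {
    $LOOKUP "$1" 2>/dev/null |
        awk '/ domain name pointer /{sub(/\.$/, "", $NF); print $NF; exit}'
}

# Return 0 if name -> IP -> name round-trips, 1 if forward fails, 2 if reverse fails.
check_dns() {
    ip=$(forward_ip "$1")
    [ -n "$ip" ] || { echo "FAIL forward: $1 does not resolve"; return 1; }
    back=$(reverse_name "$ip")
    # DNS names are case-insensitive, so compare lowercased.
    want=$(printf %s "$1" | tr 'A-Z' 'a-z')
    got=$(printf %s "$back" | tr 'A-Z' 'a-z')
    [ "$want" = "$got" ] || { echo "FAIL reverse: $ip maps to '${back:-nothing}', not $1"; return 2; }
    echo "OK dns: $1 <-> $ip"
}

# Step 6: can this machine look the account up in the directory?
check_user() {
    id "$1" >/dev/null 2>&1 || { echo "FAIL user: $1 not found"; return 1; }
    echo "OK user: $1"
}

# Real run (hypothetical script name): ./dircheck.sh server.network.private bob
if [ $# -gt 0 ]; then
    check_dns "$1" && check_user "${2:-bob}"
fi
```

A return code of 1 or 2 on the client when the server returns 0 corresponds to the step 5 conclusion: the client is not using the server's DNS.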