Earlier this week I upgraded my server and bumped into the fact that I couldn’t add users in Server.app but COULD do so in Workgroup Manager (the old way). Another silly thing I noticed was that my OD Replica DOES allow user management from Server.app, but I wrote that off as “old data” from before the replica setup.

Turns out that while the OD Master seems to work fine, it is bugged anyway. I’m not sure how, though. But if you create users in Workgroup Manager, the Kerberos HASH is set wrong for every user. This is not a glaring issue, as most things work fine, but it’s a problem nonetheless. Servers mustn’t have issues like that.

I found out about this in the logs while looking for something else.
This message had been spammed into the log every 10 seconds, for each user, for the past 5 days:

2012-05-13 07:33:17.133 CEST - Module: SystemCache - Misconfiguration detected in hash 'GlobalGUID':
User 'arnan' (/LDAPv3/ - ID 1025 - UUID 60AE8831-FEE8-4977-B705-D703C98619D6 - SID S-1-5-21-3113767512-2292254219-2485520413-3050

Changing the HASH manually for every user is the only solution here. And guess what? After you do so, I can suddenly add and manage users from Server.app too!!
I’m guessing that is because this showed up in the log:

2012-05-18 15:21:59.827 CEST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ActiveDirectory.bundle'
2012-05-18 15:22:15.816 CEST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/nis.bundle'

This, silly enough, suggests that after 5 days of trying, the server *finally* finished loading modules.
<sarcasm>So nice of Apple to make a notification of sorts telling me that things aren’t 100% </sarcasm>

So what actually happens?
When you make users with Workgroup Manager, *every* user gets the default HASH of Untitled_1@HOST.DOMAIN.TLD (where host.domain.tld is your own domain name).
Changing Untitled_1 to that user’s shortname/loginname, for every user, makes it work instantly and allows LDAP to finish loading its modules.

How to fix this:
This explanation only applies to Lion Server as far as I know. The solution should work on most OS X Server versions, but Directory Utility looks different on every system, and menus and such might differ. Use at your own risk!

First determine whether the problem exists at all. Don’t just rely on greyed-out controls in Server.app. Go to the log!
1. Open the Console app from Utilities and look for “opendirectoryd.log” in /var/log/.
2. Check whether you see messages similar to the ones quoted above.
3. Open Server.app and go to Directory Utility via the Tools menu.
4. Navigate to the Directory Editor and, in the little drop-down, select the /LDAPv3/ database.
5. Select “Users” and authenticate as your diradmin if you haven’t done so already.
On the left you’ll see all users and some extra items. Ignore anything that is not an actual person and select one user.
6. Find the “AltSecurityIdentities” attribute and look at its Value. It should look like “Kerberos:Untitled_1@HOST.DOMAIN.TLD”.
7. Change “Untitled_1” to the shortname/loginname of that user. Check the spelling and press Save.
Repeat steps 6 and 7 for every user!
8. Once done, check the logs and you should see it finish loading modules.
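The log check and the per-user rewrite from the steps above (and the Untitled_1-to-shortname rule from “So what actually happens?”) as a script, so you do not have to click through Directory Editor once per user. This is an added example and not part of the original post or Apple’s tooling. The value the post calls the HASH is the Kerberos principal name stored in AltSecurityIdentities, and the script rewrites only values that still carry the Untitled_1 default, so running it twice is harmless. Assumptions: the real opendirectoryd.log uses straight quotes around the user name (the blog rendering shows curly ones), the OD master node is reachable as /LDAPv3/127.0.0.1, the directory administrator is called diradmin, and dscl’s standard -read and -change verbs are used; the sample log lines embedded in the script are constructed from the post’s messages.

```shell
#!/bin/sh
# Added example (not from the original post). Scans opendirectoryd.log text
# for the "Misconfiguration detected" message, reports the affected users,
# and rewrites the Workgroup Manager default "Kerberos:Untitled_1@REALM" in
# AltSecurityIdentities to "Kerberos:<shortname>@REALM" via dscl.
NODE="${NODE:-/LDAPv3/127.0.0.1}"   # assumed OD master node; adjust for your server
DIRADMIN="${DIRADMIN:-diradmin}"    # assumed directory administrator name

# Print, once each, the short names of users the log reports as
# misconfigured. Reads log text on stdin; the user name sits on the line
# that follows the "Misconfiguration detected" line.
affected_users_from_log() {
    awk -v q="'" '
        /Misconfiguration detected in hash/ { pending = 1; next }
        pending && /User / { split($0, parts, q); print parts[2] }
        { pending = 0 }
    ' | sort -u
}

# Given a short name and the current AltSecurityIdentities value, print the
# corrected value, or nothing when the value is not the Untitled_1 default.
corrected_identity() {
    user="$1"; current="$2"
    case "$current" in
        "Kerberos:Untitled_1@"*)
            realm="${current#Kerberos:Untitled_1@}"
            printf 'Kerberos:%s@%s\n' "$user" "$realm" ;;
        *) ;;   # already a per-user principal (or another format): leave it alone
    esac
}

# Read the attribute with dscl and rewrite it. Writes only when APPLY=1.
# dscl prompts for the diradmin password, so it never sits in the process
# list. dscl -change requires the old value to match exactly, which is the
# same "check the spelling" care step 7 asks for.
fix_user() {
    user="$1"
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not available on this system; nothing done for $user"; return 0
    fi
    current=$(dscl "$NODE" -read "/Users/$user" AltSecurityIdentities 2>/dev/null |
              sed -n 's/^AltSecurityIdentities: *//p' | head -n 1)
    new=$(corrected_identity "$user" "$current")
    if [ -z "$new" ]; then
        echo "$user: no change needed ($current)"; return 0
    fi
    if [ "$APPLY" = 1 ]; then
        dscl -u "$DIRADMIN" "$NODE" -change "/Users/$user" AltSecurityIdentities "$current" "$new"
        echo "$user: changed to $new"
    else
        echo "$user: would change '$current' to '$new' (run with APPLY=1 to write)"
    fi
}

# Constructed sample in the shape of the post's log lines (straight quotes
# assumed), so the scanner can be exercised without a server. The second
# user and its IDs are placeholders.
demo_affected_users() {
    affected_users_from_log <<'EOF'
2012-05-13 07:33:17.133 CEST - Module: SystemCache - Misconfiguration detected in hash 'GlobalGUID':
User 'arnan' (/LDAPv3/ - ID 1025 - UUID 60AE8831-FEE8-4977-B705-D703C98619D6 - SID S-1-5-21-3113767512-2292254219-2485520413-3050
2012-05-13 07:33:17.140 CEST - Module: SystemCache - Misconfiguration detected in hash 'GlobalGUID':
User 'bob' (/LDAPv3/ - ID 1026 - UUID 00000000-0000-0000-0000-000000000000 - SID S-1-5-21-0-0-0-0
2012-05-13 07:33:27.133 CEST - Module: SystemCache - Misconfiguration detected in hash 'GlobalGUID':
User 'arnan' (/LDAPv3/ - ID 1025 - UUID 60AE8831-FEE8-4977-B705-D703C98619D6 - SID S-1-5-21-3113767512-2292254219-2485520413-3050
2012-05-18 15:21:59.827 CEST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ActiveDirectory.bundle'
EOF
}

case "${1:-}" in
    --scan) affected_users_from_log ;;                       # --scan < /var/log/opendirectoryd.log
    "")     echo "Users reported as misconfigured in the sample log:"; demo_affected_users ;;
    *)      for u in "$@"; do fix_user "$u"; done ;;          # dry run unless APPLY=1
esac
```

Run it without arguments to see the scanner work on the embedded sample; `sh fix_altsec.sh --scan < /var/log/opendirectoryd.log | xargs sh fix_altsec.sh` lists what would change on your server, and the same pipeline with `APPLY=1` in front writes the corrected principals (after which step 8 still applies: watch the log for the modules finishing loading).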

So what do we learn from this? Don’t trust Apple with server… After 12 years they still can’t get it right.
And: check the logs more often for errors, especially when you think it works.