Directory Service Unavailable from dscl

Summary: Occasionally when running dscl from the command line, we are seeing "Authentication for node /Local/Default failed (-14487, eDSServiceUnavailable)" and we cannot trace why that occurs.

The most recent incident is running on an Apple M1, with Big Sur 11.6. However, we have also seen it on Intel systems, too.

DESCRIPTION OF PROBLEM

In our (JumpCloud) device agent (which runs on macOS computers), we use dscl to verify passwords. We have a customer whose computer is reporting Directory Service Unavailable. It looks like the specific error is: "Authentication for node /Local/Default failed. (-14487, eDSServiceUnavailable)". It looks like at the same time, we're also seeing 'account temporarily locked for user '.

What condition(s) would cause the Directory Service to be unavailable, and what steps can we take when this happens? Perhaps related, what would cause an account to be temporarily locked?

STEPS TO REPRODUCE

Exact steps are unknown. This occurs very infrequently.

However, the command we're running is: /usr/bin/dscl . -authonly (the code then waits for the password prompt, and provides the password when prompted)

There are two parts to this. First, you wrote:

In our (JumpCloud) device agent (which runs on macOS computers), we use dscl to verify passwords.

This isn’t an approach I’d recommend. Rather, you should do this by calling the Open Directory framework directly. This will simplify your code and eliminate a huge swath of layers between you and the OD infrastructure.

Second, I fully expect that this error is coming from the underlying OD infrastructure and thus the OD framework will hit the same problem. My advice on that front is:

  • Update your code to monitor for this error.

  • When you see it, ask the user to check whether they see the same problem when running dscl from Terminal.

  • If they do, they should trigger a sysdiagnose log.

If dscl shows the same problem, you know that your code isn’t at fault. At that point the user should discuss this issue with Apple Support.

For more information about sysdiagnose logs, see our Bug Reporting > Profiles and Logs page.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
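
One way to act on the "monitor for this error" advice in the reply above, as an added example that is not part of the original thread or of JumpCloud's agent code. It classifies the exit status and text captured from `dscl . -authonly` so that eDSServiceUnavailable is never recorded as a wrong password. The function names, the action labels, the assumption that dscl exits 0 on success, and the -14090 eDSAuthFailed sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: nothing here calls dscl. The caller passes in the exit
# status and the text it captured from `dscl . -authonly`.

# classify_dscl_result STATUS OUTPUT
# Prints: verified | rejected | unavailable | unknown
classify_dscl_result() {
    status=$1
    output=$2
    if [ "$status" -eq 0 ]; then      # assumption: exit 0 means the password verified
        echo verified
        return 0
    fi
    # Extract "(code, eDSName)" from a line such as
    # "Authentication for node /Local/Default failed. (-14487, eDSServiceUnavailable)"
    pair=$(printf '%s\n' "$output" |
        sed -n 's/.*(\(-*[0-9][0-9]*\), *\(eDS[A-Za-z]*\)).*/\1 \2/p' | head -n 1)
    code=${pair%% *}
    case "$code" in
        -14487) echo unavailable ;;   # eDSServiceUnavailable, the error from this thread
        -14090) echo rejected ;;      # eDSAuthFailed (constructed sample, not from the thread)
        *)      echo unknown ;;       # unparsed or unexpected: keep the raw text for review
    esac
}

# next_step CLASS
# Maps a class to an agent action. Only "verified" accepts, so every error
# path fails closed, and only "rejected" counts as a bad password attempt.
next_step() {
    case "$1" in
        verified)    echo accept ;;
        rejected)    echo deny-count-attempt ;;
        unavailable) echo deny-no-count-log-and-request-sysdiagnose ;;
        *)           echo deny-no-count-log-raw-output ;;
    esac
}

# Demo over constructed inputs (the first message is quoted from the thread).
demo() {
    for sample in \
        '1|Authentication for node /Local/Default failed. (-14487, eDSServiceUnavailable)' \
        '1|Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)' \
        '0|'
    do
        class=$(classify_dscl_result "${sample%%|*}" "${sample#*|}")
        echo "$class -> $(next_step "$class")"
    done
}
demo
```
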
