Time Machine Access Denied

December 16, 2009

Okay, so we had one computer exhibiting the horrid -5023 error when performing Time Machine backups in a network environment. We finally resolved it.

First, here is our setup. We have an Open Directory database in place that identifies which machines are supposed to perform Time Machine backups and where they back up to. Our OD setup does not require (nor allow) client computers to authenticate, as that always caused us nothing but problems. For the most part, they work fine. Occasionally we run into problems. Until this one machine, simply resetting a client's TM settings would get it working again. This time, we got the -5023 error and were stuck.

IP 10.0.2.82 – – [11/Dec/2009:17:51:13 0100] “Login daniel” -5023 0 0
IP 10.0.2.82 – – [11/Dec/2009:17:51:13 0100] “Logout daniel” -5023 0 0
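To see which clients and users are hitting this error across a whole log, lines in the format quoted above can be scanned and grouped. This is an added example, not part of the original post; it assumes the number right after the quoted action is the result code (as in the two lines above), and the sample log and the names `parse_line` and `failed_logins` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two lines from the post plus invented lines
# (a successful login, a typographically mangled copy, and junk).
SAMPLE_LOG = """\
IP 10.0.2.82 - - [11/Dec/2009:17:51:13 0100] "Login daniel" -5023 0 0
IP 10.0.2.82 - - [11/Dec/2009:17:51:13 0100] "Logout daniel" -5023 0 0
IP 10.0.2.90 - - [11/Dec/2009:17:52:40 0100] "Login maria" 0 0 0
IP 10.0.2.82 – – [11/Dec/2009:18:51:13 0100] “Login daniel” -5023 0 0
not a log line
"""

# Accepts both straight and curly quotes, since pasted logs often get
# "smart" punctuation applied by blog or mail software.
LINE_RE = re.compile(
    r'^IP\s+(?P<ip>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<ts>[^\]]+)\]\s+'
    r'["“](?P<action>\w+)(?:\s+(?P<user>[^"”]+))?["”]\s+'
    r'(?P<code>-?\d+)\s+-?\d+\s+-?\d+\s*$'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    return rec

def failed_logins(text, code=-5023):
    """Count Login entries with the given result code per (ip, user)."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Login" and rec["code"] == code:
            hits[(rec["ip"], rec["user"])] += 1
    return hits

if __name__ == "__main__":
    for (ip, user), n in failed_logins(SAMPLE_LOG).most_common():
        print(f"{ip} {user}: {n} login(s) with result -5023")
```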

Here is what we finally did to resolve it.

First stage: Unbind the client from Open Directory. From Workgroup Manager, also delete the client computer record. Then reboot the client computer. Set up TM manually to point somewhere; it doesn't really matter where. Then turn TM back off so it un-configures itself.

Second stage: Reboot the client again and change the local user's password to anything else (say "password1"). Change the directory password as well to "password1". Open up Keychain Access and delete any Time Machine passwords or other passwords referencing your TM backup server. Now go to the TM backup server and delete the old backup image.

Third stage: Reboot the client again and re-join the domain. You must do this as the user who is to be backed up (i.e. the primary user). From Workgroup Manager, put the computer back in and re-add it to the TM backup group. Reboot again to pick up the Managed Client settings. Log in again as the primary user and attempt to start a TM backup. It should work at this point. Cancel the backup.

Fourth stage: Perform the first 3 stages again, only this time change the password back to the original password and don't cancel the backup. Everything should work. It may work to change the password back to the original immediately after changing it to "password1", but I can't be sure. Feel free to try it.