
Open Directory fails to migrate with Lion Server upgrade

5852 Views 29 Replies Latest reply: Jul 3, 2012 4:56 AM by Driver28
  • kbacon

    I started out having a strange issue where the App Store in Snow Leopard Server said that I already had Lion installed. I then went to purchase and download Lion Server which told me I also needed Lion client? I purchased and it then began downloading but gave me an error that the file (Lion Server) could not be downloaded. When I went to check on the purchased tab it showed that Lion client was downloading. It downloaded, rebooted and attempted to upgrade services but then . . .

     

    I had the same issue with Lion Server installation where I was told that some services had failed to be configured (yellow warning triangle). When I booted into Lion for the first time it had none of my wikis and none of my users!

     

    After a nightmare upgrade from Leopard Server to Snow Leopard Server where my wikis were actually destroyed and I had to manually extract data and rebuild them I took better precautions this time. I had two exact clones of my Server HD on two different drives! I rebooted from one of my cloned drives and I am back in business on Snow Leopard Server.

     

    I will not be upgrading to Lion Server until some resolution of these issues is achieved in later releases. I am afraid this is typical of Server upgrades with Apple for me. Perhaps there is some issue with my installation but all was (and is) working fine under Snow Leopard.

  • jeke

    Since experiencing that OD problem, I restored my server to 10.6.8 from a Time Machine backup. Then, I shut down all client Macs, hooked up a screen, keyboard and mouse to my server and tried the upgrade again.  This time OD upgraded without hiccups and 10.7 is working just fine.

     

    Apple is indeed on the case.  Bryan contacted me as well asking for a log from the failed installation.  I'm very impressed with Apple that they do read these forums and work on diagnosing these problems.

  • Dr_AST

    Just upgraded today, unfortunately Time Machine never worked on 10.6 server for me so I am stuck with the OD migration fault until the engineers at Apple come up with a fix, hopefully soon. I guess my log is intact if anyone wants to contact me for the upgrade failure log for OD. Other than that the upgrade seems to have gone ok.

  • D. Hoffmann

    I was taking the tack of installing a clean copy of Lion Server on an external drive on my MacBook Pro, while leaving Snow Leopard Server on my Xserve alone. I was then going to copy the settings of all services on the Xserve over to the MacBook Pro. Then I was going to clone the external drive to the OS drive on the Xserve.

     

    I just successfully migrated the DNS settings using the Server Admin 10.7 utility. I had it connect to both the Xserve and the MacBook Pro running Lion Server. I exported the Xserve DNS settings (Server->Export-Service Settings...) to a file on the local desktop and then imported the resulting PList file in the same manner.

     

    This approach has never worked with an Open Directory database. Instead, when I have had to do this sort of thing before, I created an Open Directory Replica on the target server and then promoted it to an Open Directory Master. This preserved all user information in the Open Directory Database.

     

    In the case of my attempted Snow Leopard Server to Lion Server this failed. The Open Directory Setup Assistant running on Lion Server rejects the credentials of the Directory Administrator on the Xserve running Snow Leopard Server.

     

    I subsequently tried archiving the Open Directory database on the Xserve and restoring it from the resulting archive on the Lion Server. This procedure concludes without transferring any users into the Lion Server Open Directory database.

  • 4uIT

    Same here. We have worked all weekend and still no luck. We found that we cannot log into the "Workgroup Manager". It is refusing to accept our password. Checking it in the Keychain Access List - all is there and the password is correct. Deleted the Keychain and recreated another one - still no luck. Has anybody got any idea? Apple could not help so far...

  • thepod7

    Is there any fix to this migration issue? I have tried both upgrades and fresh installs of Lion Server.  Every time my OD is dead after completion and no users are imported.

  • the_case Level 1 (10 points)

    Fix migration?  Not really.  Maybe wait for v10.7.1?

     

     

    Workaround?  Sorta.

     

    I had to use the old Server Admin interface and restore the original OD stuff from a backup.  Now, all the information is in there, and accessible from the old Workgroup Manager tool, but don't expect the users or groups to show up in the new Server application on the server (except for a split second when you first open it).

  • thepod7 Level 1 (0 points)

    I tried your workaround, all my info appears to be there in the open directory however it is not perfect.  Shortnames do not work, I must use the full name for any connection.  This is not a very viable solution for me, as I have several accounts that are used in cron jobs, and this would require me to edit all my scripts.

  • the_case Level 1 (10 points)

    hrm... Bummer.

     

    Short names work for me for some reason - but I couldn't even start to explain why they do or do not (as in your case).

     

    I was hoping the 10.7.1 update would solve some of these issues... alas, it did not.

  • thb14

    Any solution yet? I have the same problems.

  • thepod7 Level 1 (0 points)

    To those that have been contacted by Apple about this Open Directory issue, did they offer any insight into a workaround or ETA for a fix?

     

    Today, I decided to give a fresh install of 10.7.1 with migration and an upgrade from 10.6.8 to 10.7.1, however both failed in similar fashion.  Even worse using the upgrade process this time completely killed my DNS and wouldn't even let me try and set up an Open Directory Master.

  • Dr_AST Level 1 (10 points)

    Looks like 10.7.2 has work done in the following areas:

    Directory integration and OpenLDAPConfig

     

    Hopefully this will address the problem.

  • Kimbakat

    When I go in and set up the Directory Administrator to generate a password.. I get this.

     

    "This computer's host name is invalid.

     

    The host name does not resolve to any configured address of this computer. Please ensure the host name is correct."

  • Kimbakat Level 1 (65 points)

    It's already May 2012...and the directory issue still is happening. I'm having Profile Management configuration issues. When I click Configure..it stalls while Reading the settings...wheel just spins while "Reading settings". It won't accept a self signed certificate AND when I try to create a replica directory...the spinning wheel spins and never finishes in the "verifying" state. Wheel just keeps spinning.

  • Driver28

    Hi!

    Just wanted to chip in on this subject, though don't get your hopes up, 'cause I don't have a solution.

     

    We're now on 10.7.4 and still the same issue! I've heard that this actually has worked for some. But I'm stuck too. Some input:

     

    When restoring an OD backup using the GUI, no errors are shown. You end up with a diradmin account you can't log in to even though you know the password is correct, since you have used it on your old server for years. Exporting from old server and restoring to new server, this password is no more.... No OD users show up in Server.app or just momentarily when opening the app. Same thing with groups.

     

    In WGM, all users are visible and manageable too, provided you BEFORE exporting the OD db assigned another account FULL rights on the Directory. Then this user can be used to manage users and groups in WGM, because the password remains the same?!?!

     

     

    Still no users in Server.app though. Haven't tried Profile Manager or if accounts and groups show up there...

     

    When restoring the OD db using slapconfig -restoredb <path-to-db> you see more what's happening. Every time the same event happens:

    2012-07-03 11:44:18 +0000 Configuring Kerberos server, realm is DIRECTORY.DOMAIN.COM

    2012-07-03 11:44:18 +0000 command: /usr/sbin/kdcsetup -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -w -a directory.pool.se$ -p **** -v 1 DIRECTORY.DOMAIN.COM

    2012-07-03 11:44:19 +0000 Contacting the Directory Server

    Authenticating to the Directory Server

    Creating Kerberos directory

    Creating KDC Config File

    Creating Kerberos Database

    Creating new random master key

    createInitialPrincipal: Changing password failed: 10001CreateKDCDatabase: error creating initial princ for krbtgt: 10001

    Could not create KDC Database: 78Failed to configure error = 78

    _createKerberosMaster: kdcsetup failed with code 78

    2012-07-03 11:44:19 +0000 Error creating KDC

     

    I think this is the reason for it all, the botched credentials that seemingly cannot be changed anywhere, which Server.app uses to see the directory users and groups. Remember, when creating the OD master, you put in credentials for diradmin, and it gets overwritten on restore, but with what a heck what, and how do we change it?

     

    As I said before, I managed to administer directory users through WGM and another user with full privs on the directory, but still I cannot change the diradmin user's password giving an error about permissions. Deleting the account, recreating it with the same user id, 1000, and old password doesn't change a thing unfortunately.....I suspect the GUID of the account is different.

     

    Anyhow, maybe this sum up of my findings might point some of you in the right direction to solve this issue for us?

     

    Hope I made some sense in my ramblings since I'm not a native English speaker....

     

    Looking forward to your take on this!

     

    /Hasse
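
Added example (not part of the original thread and not Apple's code): a small Python parser for the `slapconfig -restoredb` transcript quoted in the post above. It splits the lines where two messages were printed without a newline between them, then reports the last step that completed and the error codes that followed; the name `parse_restore_log` and the report fields are assumptions of this example.

```python
import re

# Transcript copied from the slapconfig -restoredb output quoted in the post above.
SAMPLE_LOG = """\
2012-07-03 11:44:18 +0000 Configuring Kerberos server, realm is DIRECTORY.DOMAIN.COM
2012-07-03 11:44:18 +0000 command: /usr/sbin/kdcsetup -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -w -a directory.pool.se$ -p **** -v 1 DIRECTORY.DOMAIN.COM
2012-07-03 11:44:19 +0000 Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config File
Creating Kerberos Database
Creating new random master key
createInitialPrincipal: Changing password failed: 10001CreateKDCDatabase: error creating initial princ for krbtgt: 10001
Could not create KDC Database: 78Failed to configure error = 78
_createKerberosMaster: kdcsetup failed with code 78
2012-07-03 11:44:19 +0000 Error creating KDC
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4} ")
REALM = re.compile(r"realm is (\S+)")
# Some error codes are printed without a trailing newline, so the next message
# starts right after the digits ("...failed: 10001CreateKDCDatabase: ...").
UNFUSE = re.compile(r"(\d)(?=[A-Za-z_])")
ERROR = re.compile(r"^(?P<msg>.*?)[\s:=]*(?P<code>\d+)$")


def parse_restore_log(text):
    """Summarise the Kerberos phase of a slapconfig -restoredb transcript."""
    report = {"realm": None, "last_step": None, "errors": [], "kdc_failed": False}
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if not line or line.startswith("command:"):
            continue  # the command line holds URL escapes such as %2Fvar; skip it
        realm = REALM.search(line)
        if realm:
            report["realm"] = realm.group(1)
            continue
        if line == "Error creating KDC":
            report["kdc_failed"] = True
            continue
        for msg in UNFUSE.sub(r"\1\n", line).split("\n"):
            err = ERROR.match(msg)
            if err:
                report["errors"].append((err.group("msg"), int(err.group("code"))))
            elif not report["errors"]:
                report["last_step"] = msg  # progress line before the first error
    return report
```

On the transcript above, the report shows that every step through "Creating new random master key" completed and that the first error is the password change in `createInitialPrincipal`, with the later code 78 lines following from it.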
