alexisd78

Q: OpenDirectory replication

We have a legacy Mountain Lion Server and I'm trying to create a replica of the OpenDirectory for authentication purposes.

I tried to create the replica using the Server App, and it fails, complaining about a network error. So I opted to try creating the replica using the CLI in order to get better visibility, and this is what happens:


silvermoon:~ sysadmin$ sudo slapconfig -createreplica ***HOSTNAME*** adelgado

2014-09-08 22:47:07 +0000 slapconfig -createreplica

adelgado's Password:

2014-09-08 22:47:11 +0000 command: /usr/sbin/sso_util info -r /LDAPv3/ldap://***HOSTNAME*** -p

2014-09-08 22:47:12 +0000 1 Creating computer record for replica

2014-09-08 22:47:18 +0000 command: /usr/sbin/slapconfig -delkeychain /LDAPv3/127.0.0.1 ***HOSTNAME***$

2014-09-08 22:47:18 +0000 Added computer password to keychain

2014-09-08 22:47:18 +0000 2 Creating ldap replicator user

2014-09-08 22:47:18 +0000 _ldap_replicator exists from previous replica - migrating

2014-09-08 22:47:18 +0000 NSString *_getReplicatorPasswordWithNode(ODNode *): no syncrepl attribute found in results

2014-09-08 22:47:18 +0000 Unable to get replicator password, recreating replicator

2014-09-08 22:47:29 +0000 ServerID for this replica 19

2014-09-08 22:47:30 +0000 command: /usr/bin/sntp -s time.apple.com.

2014-09-08 22:47:30 +0000 3 Updating local replica configuration

2014-09-08 22:47:30 +0000 4 Gathering replication data from the master

2014-09-08 22:47:30 +0000 5 Copying master database to new replica

2014-09-08 22:47:30 +0000 Removed directory at path /var/db/openldap/openldap-data.

2014-09-08 22:47:31 +0000 Starting LDAP server (slapd)

2014-09-08 22:47:31 +0000 Waiting for slapd to start

2014-09-08 22:47:33 +0000 slapd started

2014-09-08 22:47:33 +0000 Stopping LDAP server (slapd)

2014-09-08 22:47:37 +0000 command: /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

2014-09-08 22:47:38 +0000 command: /usr/sbin/slapadd -c -w -l /var/db/openldap/openldap-data/backup.ldif

2014-09-08 22:47:38 +0000 command: /usr/sbin/slapadd -c -w -b cn=authdata -l /var/db/openldap/authdata/authdata.ldif

2014-09-08 22:47:39 +0000

2014-09-08 22:47:39 +0000 540e320a slapd is running in import mode - only use if importing large data

  540e320a bdb_monitor_db_open: monitoring disabled; configure monitor database to enable

2014-09-08 22:47:39 +0000 6 Starting new replica

2014-09-08 22:47:39 +0000 Starting LDAP server (slapd)

2014-09-08 22:47:39 +0000 Waiting for slapd to start

2014-09-08 22:47:39 +0000 slapd started

2014-09-08 22:47:39 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2014-09-08 22:47:39 +0000 command: /usr/bin/ldapsearch -x -LLL -H ldapi://%2Fvar%2Frun%2Fldapi -b cn=config -s base olcServerID

2014-09-08 22:47:39 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2014-09-08 22:47:39 +0000 Starting password server

2014-09-08 22:47:40 +0000 7 Enabling local Kerberos server

2014-09-08 22:47:40 +0000 Configuring Kerberos server, realm is ***HOSTNAME***

2014-09-08 22:47:40 +0000 command: /usr/sbin/sso_util configure -x -k -r ***HOSTNAME*** -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -a adelgado -p **** -v 1 all

2014-09-08 22:47:40 +0000 int32_t _createLDAPReplica(const char *, const char *, const char *, const char *): sso_util configure failed 1.  stdout = {  } stderr = { Creating the service list

  Creating the keytab file

  }

2014-09-08 22:47:40 +0000 No ldap principal found, skipping rootDSE population

2014-09-08 22:47:41 +0000 8 Enabling syncprov overlay on the replica

2014-09-08 22:47:41 +0000 command: /usr/bin/ldapsearch -x -LLL -H ldapi://%2Fvar%2Frun%2Fldapi -b cn=config objectClass=olcSyncProvConfig dn

2014-09-08 22:47:41 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2014-09-08 22:47:41 +0000 adding new entry "olcOverlay=syncprov,olcDatabase={1}bdb,cn=config"

2014-09-08 22:47:41 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2014-09-08 22:47:41 +0000 adding new entry "olcOverlay=syncprov,olcDatabase={2}bdb,cn=config"

2014-09-08 22:47:41 +0000 9 Adding replica to master

2014-09-08 22:47:41 +0000 int _addLDAPReplicaWithNode(ODNode *, NSDictionary *, const char *, const char *, const char *): Cannot retrieve parent ServerID for (chuckanut.intra.peaksystems.com), exiting

2014-09-08 22:47:41 +0000 Unable to add Replica to parent/master

2014-09-08 22:47:41 +0000 Unable to add Replica to parent/master (error = 73)

2014-09-08 22:47:41 +0000 Deleting Cert Authority related data

2014-09-08 22:47:41 +0000 No intCAIdentity, not removing int CA from keychain

2014-09-08 22:47:41 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist

2014-09-08 22:47:41 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist

2014-09-08 22:47:41 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist

2014-09-08 22:47:41 +0000 Updating ldapreplicas on primary master

2014-09-08 22:47:42 +0000 Removing self from the database

2014-09-08 22:47:43 +0000 Warning: An error occurred while re-enabling GSSAPI.

2014-09-08 22:47:44 +0000 Stopping LDAP server (slapd)

2014-09-08 22:47:48 +0000 Stopping password server

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/apple-company.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/apple-computers.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/apple-realname.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/c.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/departmentNumber.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/l.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/mobile.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/postalCode.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/st.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/street.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/telephoneNumber.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/__db.001.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/__db.002.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/__db.003.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/__db.004.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/__db.005.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/__db.006.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/alock.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/authdata.ldif.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.

2014-09-08 22:47:48 +0000 Removed directory at path /var/db/openldap/authdata.

2014-09-08 22:47:48 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.

2014-09-08 22:47:48 +0000 Removed file at path /etc/openldap/slapd.conf.

2014-09-08 22:47:48 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.

2014-09-08 22:47:48 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.

2014-09-08 22:47:48 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.

2014-09-08 22:47:48 +0000 Removed directory at path /etc/openldap/slapd.d.

2014-09-08 22:47:48 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.

2014-09-08 22:47:48 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.

2014-09-08 22:47:48 +0000 Removed directory at path /etc/openldap/slapd.d.backup.

2014-09-08 22:47:48 +0000 Stopping password server

2014-09-08 22:47:48 +0000 Removed file at path /etc/ntp_opendirectory.conf.

2014-09-08 22:47:48 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

Mac mini, OS X Mountain Lion (10.8.5)

Posted on Sep 8, 2014 4:06 PM


  • by Linc Davis, Level 10 (207,995 points), Sep 8, 2014 6:41 PM in response to alexisd78
  • by alexisd78, Level 1 (0 points), Sep 8, 2014 6:54 PM in response to Linc Davis

    As stated in the original post, both servers are Mountain Lion, not Mavericks. And I tried the CLI solution because replication failed using the Server app.

  • by Linc Davis, Level 10 (207,995 points), Sep 8, 2014 7:08 PM in response to alexisd78

    Have you enabled remote administration on the replica candidate?

  • by alexisd78, Level 1 (0 points), Sep 8, 2014 7:48 PM in response to Linc Davis

    Yup, it's enabled on both the replica and the master.


    I'm thinking the problem has to do with Kerberos because of this:


    2014-09-08 22:47:40 +0000 command: /usr/sbin/sso_util configure -x -k -r ***HOSTNAME*** -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -a adelgado -p **** -v 1 all

    2014-09-08 22:47:40 +0000 int32_t _createLDAPReplica(const char *, const char *, const char *, const char *): sso_util configure failed 1.  stdout = {  } stderr = { Creating the service list

      Creating the keytab file

      }

    2014-09-08 22:47:40 +0000 No ldap principal found, skipping rootDSE population

  • by Linc Davis, Level 10 (207,995 points), Sep 8, 2014 8:27 PM in response to alexisd78

    Follow these instructions to rebuild the Kerberos configuration on the master.

  • by alexisd78, Level 1 (0 points), Sep 11, 2014 10:03 AM in response to Linc Davis

    Tried that, also tried running the Kerberos config again and tried again, and it's still not working :S


    [hostname]:certificates admin$ kdcsetup -v 2  -a diradmin -p ****** [HOSTNAME]

    Must be root to run kdcsetup

    [hostname]:certificates admin$ sudo !!

    sudo kdcsetup -v 2  -a diradmin -p ****** [HOSTNAME]

    Password:

    Opening ldapi connection to the LDAP user data

    Opening ldapi connection to the LDAP auth data

    Creating KDC for OD Master

    Creating Kerberos directory

    Creating KDC Config File

    Creating Kerberos ACL file

    Adding KDC config data to the KerberosKDC config record

    Adding KDC config data to the KerberosClient config record

    Creating KDC database

    Creating new random master key

    Creating Kerberos principal for 'diradmin'

    Creating Kerberos auth authority for 'diradmin'

    Adding kerberos auth authority to user diradmin

    Creating Kerberos alt security identity for 'diradmin'

    Adding kerberos alt security identity to user diradmin

    Successfully created KDC for OD Master

  • by Linc Davis, Level 10 (207,995 points), Sep 12, 2014 9:12 PM in response to alexisd78

    Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

    1. The OD master must have a static IP address on the local network, not a dynamic address.

    2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

    3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

    4. Follow these instructions to rebuild the Kerberos configuration on the master.

    5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.

    6. Disable any internal firewalls in use, including third-party "security" software.

    7. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.
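A pre-flight script that encodes the hostname, DNS and certificate rules from the checklist above (steps 2, 3 and 5), as an added example that is not part of this thread or of Apple's tooling. It assumes /etc/resolv.conf lists the resolvers in use and that openssl is installed for the certificate check; the script file name od_preflight.sh is a placeholder.

```shell
#!/bin/sh
# Pre-flight checks for an Open Directory master or replica candidate,
# encoding the hostname, DNS and certificate rules from the checklist above.
# Added example, not Apple's tooling. Assumes /etc/resolv.conf lists the
# resolvers and that openssl is installed for the certificate check.

# Hostname rule: at least three labels (server.yourdomain.com), no empty
# labels, and not in the .local domain, which is reserved for Bonjour.
valid_od_hostname() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$name" in
    ''|*..*|.*|*.|*.local) return 1 ;;
  esac
  [ "$(printf '%s\n' "$name" | awk -F. '{ print NF }')" -ge 3 ]
}

# DNS rule: the first nameserver must be 127.0.0.1 (the server itself) unless
# another internal DNS server is in use; pass its IP as $2 in that case.
primary_dns_ok() {
  file="${1:-/etc/resolv.conf}"
  expected="${2:-127.0.0.1}"
  first=$(awk '$1 == "nameserver" { print $2; exit }' "$file")
  [ "$first" = "$expected" ]
}

# Certificate rule: the CN in an "openssl x509 -subject" line must equal the
# hostname. Handles both "CN = a.b.c, O = x" and "/CN=a.b.c/O=x" layouts.
cert_cn_matches() {
  cn=$(printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//')
  [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Run every check against the live host; $1 is the server certificate (PEM).
run_checks() {
  h=$(hostname)
  if valid_od_hostname "$h"; then echo "PASS hostname $h"; else echo "FAIL hostname $h"; fi
  if primary_dns_ok; then echo "PASS primary DNS"; else echo "FAIL primary DNS"; fi
  subj=$(openssl x509 -noout -subject -in "$1" 2>/dev/null)
  if cert_cn_matches "$subj" "$h"; then echo "PASS cert CN"; else echo "FAIL cert CN"; fi
}

# Usage: sudo sh od_preflight.sh --run /path/to/server.pem
if [ "${1:-}" = "--run" ]; then run_checks "$2"; fi
```

Run it on both the master and the replica candidate; a FAIL on the hostname or DNS line on either box is the first thing to fix before retrying slapconfig -createreplica.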