Keychain Error on Open Directory Backup

Hello,

I have an XServe running Open Directory among other things. We recently suffered Kerberos corruption on our main server and so promoted the replica database on this XServe to be the Open Directory master. No problems there, everything works great. We wanted to back up the Open Directory config and tried to do so with Server Admin's GUI. The progress bar progresses like everything is fine but no disk image is created. I ran slapconfig -backupdb from the command line to have some output and received the following (notice second to last line).

od1:/ gfiumara$ sudo slapconfig -backupdb /ODBACKUP/odbackup06082008.dmg
Password:
Enter archive password:
1 Backing up LDAP database
popen: /usr/sbin/slapcat -l /tmp/slapconfig backupstage87412HI47Wm/backup.ldif, "r"
popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig backup_stage87412HI47Wm/DBCONFIG, "r"
popen: /bin/cp -r /etc/openldap /tmp/slapconfig backupstage87412HI47Wm/, "r"
2 Backing up password server database
popen: /usr/sbin/mkpassdb -backupdb /tmp/slapconfig backup_stage87412HI47Wm/passwordserverbackup/ > /dev/null, "r"
cp: /var/db/authserver/additional-data: No such file or directory
popen: /bin/cp -r /Library/Preferences/com.apple.passwordserver.plist /tmp/slapconfig backupstage87412HI47Wm/, "r"
popen: /usr/sbin/mkpassdb -list > /tmp/slapconfig backupstage87412HI47Wm/sasl-plugin-list, "r"
popen: /bin/hostname > /tmp/slapconfig backupstage87412HI47Wm/hostname, "r"
3 Backing up Kerberos database
popen: /usr/sbin/kdb5_util -r LKDC:SHA1.E7F44F7D6663E798C6F17DE2C0AD6FE9261BFCD0 dump > /tmp/slapconfig backupstage87412HI47Wm/kdb5dump.LKDC:SHA1.E7F44F7D6663E798C6F17DE2C0AD6FE9261BFCD0.bak , "r"
popen: /usr/sbin/kdb5_util -r RETRIEVERWEEKLY.COM dump > /tmp/slapconfig backupstage87412HI47Wm/kdb5dump.RETRIEVERWEEKLY.COM.bak, "r"
popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig backup_stage87412HI47Wm/localodkrb5realm, "r"
popen: /usr/sbin/sso_util info -pr /Local/Default > /tmp/slapconfig backup_stage87412HI47Wm/localkrb5realm, "r"
popen: /usr/bin/tar czpf /tmp/slapconfig backupstage87412HI47Wm/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/kadm5.acl /var/db/krb5kdc/kadm5.keytab /var/db/krb5kdc/.k5.* /Library/Preferences/edu.mit.Kerberos /etc/krb5.keytab , "r"
/usr/bin/tar: Removing leading `/' from member names
popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig backupstage87412HI47Wm/KerberosKDC.plist, "r"
4 Backing up configuration files
popen: /bin/cp /System/Library/LaunchDaemons/com.apple.PasswordService.plist /tmp/slapconfig backupstage87412HI47Wm/LaunchDaemons/, "r"
popen: /bin/cp /System/Library/LaunchDaemons/org.openldap.slapd.plist /tmp/slapconfig backupstage87412HI47Wm/LaunchDaemons/, "r"
popen: /bin/cp /System/Library/LaunchDaemons/org.openldap.slurpd.plist /tmp/slapconfig backupstage87412HI47Wm/LaunchDaemons/, "r"
popen: /bin/cp /System/Library/LaunchDaemons/com.apple.kdcmond.plist /tmp/slapconfig backupstage87412HI47Wm/LaunchDaemons/, "r"
popen: /bin/cp /System/Library/LaunchDaemons/edu.mit.kadmind.plist /tmp/slapconfig backupstage87412HI47Wm/LaunchDaemons/, "r"
popen: /bin/cp /System/Library/LaunchDaemons/smbd.plist /tmp/slapconfig backupstage87412HI47Wm/LaunchDaemons/, "r"
popen: /bin/cp -r /Library/Preferences/DirectoryService /tmp/slapconfig backupstage87412HI47Wm/, "r"
5 Backing up local directory database
popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig backupstage87412HI47Wm/, "r"
popen: /usr/bin/sw_vers > /tmp/slapconfig backupstage87412HI47Wm/version.txt, "r"
popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig backupstage87412HI47Wm/, "r"
popen: /usr/bin/tar czpf /tmp/slapconfig backupstage87412HI47Wm/shadowbackup.tar.gz /var/db/shadow, "r"
/usr/bin/tar: Removing leading `/' from member names
popen: /usr/bin/tar czpf /tmp/slapconfig backupstage87412HI47Wm/sambabackup.tar.gz /var/db/samba /etc/smb.conf, "r"
/usr/bin/tar: Removing leading `/' from member names
Error in backing up keychain -25300
Removed directory at path /tmp/slapconfig backupstage87412HI47Wm.

Everything appears to be fine until "Error in backing up keychain -25300" where the backup process aborts and cleans up after itself.

Any ideas what this error means and/or how to resolve it? Thank you!

MacBook Pro 15", Mac OS X (10.5.3)

Posted on Jun 8, 2008 12:57 PM

Aug 30, 2008 5:12 PM in response to Greg Fiumara

Hi

It looks like whatever caused the Kerberos corruption has been pretty thorough.

As I see it slapcat is backing up the LDAP database OK but can't find the associated KDC password database and is resorting to backing up the Local Key Distribution Center's (LKDC) password database instead:

popen: /usr/sbin/kdb5_util -r LKDC:SHA1.E7F44F7D6663E798C6F17DE2C0AD6FE9261BFCD0 dump

I could be wrong but it seems to me it's going to fail because they don't and can't ever match. If you've managed to save your users and groups then at least that's something. Passwords can always be reinstated later on using a password policy or girding yourself to type them all in again.

Even if you managed to restore a damaged password database you may be in for a rough ride. This would also be true for a damaged LDAP database and Password Policy. It pays to make frequent backups of the LDAP database as well as exporting users and groups.

Hope this helps, Tony

Oct 19, 2008 7:12 AM in response to Antonio Rocco

Thanks for the information. As you have probably guessed, we have had several other OD problems but nothing that we couldn't overcome. This server had been moved back and forth from a master to a replica with different host names/IPs over the past several years. Finally getting fed up with the way things were going, I exported the user list and made all users reset their passwords on a fresh 10.5 install.

I do believe your post is correct though, with the two KDC DBs being mixed up, which probably resulted from an unnoticed problem during a master/replica or IP switch.

Nov 18, 2008 6:56 AM in response to Greg Fiumara

Wow, thread started in 2005 and still no solutions!

I'm also having this problem after migrating the Open Directory master to a new machine by setting up a replication agreement, then promoting the new machine replica to opendir master.

Now I can't archive opendir, I also get 'Error in backing up keychain -25300'. Can someone help troubleshoot?

Here's the full log:
2008-11-18 09:55:08 -0500 - slapconfig -backupdb
2008-11-18 09:55:08 -0500 - 1 Backing up LDAP database
2008-11-18 09:55:08 -0500 - popen: /usr/sbin/slapcat -l /tmp/slapconfig backupstage24846OdnA2a/backup.ldif, "r"
2008-11-18 09:55:12 -0500 - popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig backup_stage24846OdnA2a/DBCONFIG, "r"
2008-11-18 09:55:12 -0500 - popen: /bin/cp -r /etc/openldap /tmp/slapconfig backupstage24846OdnA2a/, "r"
2008-11-18 09:55:12 -0500 - 2 Backing up password server database
2008-11-18 09:55:12 -0500 - popen: /usr/sbin/mkpassdb -backupdb /tmp/slapconfig backup_stage24846OdnA2a/passwordserverbackup/ > /dev/null, "r"
2008-11-18 09:55:13 -0500 - popen: /bin/cp -r /Library/Preferences/com.apple.passwordserver.plist /tmp/slapconfig backupstage24846OdnA2a/, "r"
2008-11-18 09:55:13 -0500 - popen: /usr/sbin/mkpassdb -list > /tmp/slapconfig backupstage24846OdnA2a/sasl-plugin-list, "r"
2008-11-18 09:55:13 -0500 - popen: /bin/hostname > /tmp/slapconfig backupstage24846OdnA2a/hostname, "r"
2008-11-18 09:55:14 -0500 - 3 Backing up Kerberos database
2008-11-18 09:55:14 -0500 - popen: /usr/sbin/kdb5_util -r LKDC:SHA1.CBB1F0104C4DA5510E1E4033BA7A42927CE634E1 dump > /tmp/slapconfig backupstage24846OdnA2a/kdb5dump.LKDC:SHA1.CBB1F0104C4DA5510E1E4033BA7A42927CE634E1.bak , "r"
2008-11-18 09:55:14 -0500 - popen: /usr/sbin/kdb5_util -r MAC.SHERIDANC.CA dump > /tmp/slapconfig backupstage24846OdnA2a/kdb5dump.MAC.SHERIDANC.CA.bak, "r"
2008-11-18 09:55:15 -0500 - popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig backup_stage24846OdnA2a/localodkrb5realm, "r"
2008-11-18 09:55:15 -0500 - popen: /usr/sbin/sso_util info -pr /Local/Default > /tmp/slapconfig backup_stage24846OdnA2a/localkrb5realm, "r"
2008-11-18 09:55:15 -0500 - popen: /usr/bin/tar czpf /tmp/slapconfig backupstage24846OdnA2a/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/kadm5.acl /var/db/krb5kdc/kadm5.keytab /var/db/krb5kdc/.k5.* /Library/Preferences/edu.mit.Kerberos /etc/krb5.keytab , "r"
2008-11-18 09:55:15 -0500 - popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig backupstage24846OdnA2a/KerberosKDC.plist, "r"
2008-11-18 09:55:15 -0500 - 4 Backing up configuration files
2008-11-18 09:55:15 -0500 - popen: /bin/cp /System/Library/LaunchDaemons/com.apple.PasswordService.plist /tmp/slapconfig backupstage24846OdnA2a/LaunchDaemons/, "r"
2008-11-18 09:55:15 -0500 - popen: /bin/cp /System/Library/LaunchDaemons/org.openldap.slapd.plist /tmp/slapconfig backupstage24846OdnA2a/LaunchDaemons/, "r"
2008-11-18 09:55:15 -0500 - popen: /bin/cp /System/Library/LaunchDaemons/org.openldap.slurpd.plist /tmp/slapconfig backupstage24846OdnA2a/LaunchDaemons/, "r"
2008-11-18 09:55:15 -0500 - popen: /bin/cp /System/Library/LaunchDaemons/com.apple.kdcmond.plist /tmp/slapconfig backupstage24846OdnA2a/LaunchDaemons/, "r"
2008-11-18 09:55:15 -0500 - popen: /bin/cp /System/Library/LaunchDaemons/edu.mit.kadmind.plist /tmp/slapconfig backupstage24846OdnA2a/LaunchDaemons/, "r"
2008-11-18 09:55:15 -0500 - popen: /bin/cp /System/Library/LaunchDaemons/smbd.plist /tmp/slapconfig backupstage24846OdnA2a/LaunchDaemons/, "r"
2008-11-18 09:55:15 -0500 - popen: /bin/cp -r /Library/Preferences/DirectoryService /tmp/slapconfig backupstage24846OdnA2a/, "r"
2008-11-18 09:55:15 -0500 - 5 Backing up local directory database
2008-11-18 09:55:15 -0500 - popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig backupstage24846OdnA2a/, "r"
2008-11-18 09:55:15 -0500 - popen: /usr/bin/sw_vers > /tmp/slapconfig backupstage24846OdnA2a/version.txt, "r"
2008-11-18 09:55:15 -0500 - popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig backupstage24846OdnA2a/, "r"
2008-11-18 09:55:15 -0500 - popen: /usr/bin/tar czpf /tmp/slapconfig backupstage24846OdnA2a/shadowbackup.tar.gz /var/db/shadow, "r"
2008-11-18 09:55:15 -0500 - popen: /usr/bin/tar czpf /tmp/slapconfig backupstage24846OdnA2a/sambabackup.tar.gz /var/db/samba /etc/smb.conf, "r"
2008-11-18 09:55:15 -0500 - Error in backing up keychain -25300
2008-11-18 09:55:15 -0500 - Removed directory at path /tmp/slapconfig backupstage24846OdnA2a.
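
An added example, not part of any post in this thread and not Apple's tooling: a shell filter that summarises a `slapconfig -backupdb` log in either format shown above (terminal output or timestamped log), separating non-fatal warnings from the error that aborts the run and listing the Kerberos realms that were dumped. The sample log is constructed, the realm names and `/tmp/stage` path are placeholders, and the function names are hypothetical; -25300 is the Security framework's `errSecItemNotFound` (keychain item not found).

```shell
#!/bin/sh
# Added example (not from the thread): summarise a slapconfig -backupdb log.

# Constructed sample in the timestamped slapconfig.log format; the realm names
# and the /tmp/stage path are placeholders, not values from a real server.
sample_log() {
cat <<'EOF'
2008-11-18 09:55:12 -0500 - 2 Backing up password server database
2008-11-18 09:55:12 -0500 - cp: /var/db/authserver/additional-data: No such file or directory
2008-11-18 09:55:14 -0500 - 3 Backing up Kerberos database
2008-11-18 09:55:14 -0500 - popen: /usr/sbin/kdb5_util -r LKDC:SHA1.CONSTRUCTED dump > /tmp/stage/lkdc.bak , "r"
2008-11-18 09:55:14 -0500 - popen: /usr/sbin/kdb5_util -r EXAMPLE.COM dump > /tmp/stage/realm.bak, "r"
2008-11-18 09:55:15 -0500 - 5 Backing up local directory database
2008-11-18 09:55:15 -0500 - popen: /usr/bin/tar czpf /tmp/stage/sambabackup.tar.gz /var/db/samba /etc/smb.conf, "r"
2008-11-18 09:55:15 -0500 - Error in backing up keychain -25300
2008-11-18 09:55:15 -0500 - Removed directory at path /tmp/stage.
EOF
}

# Reads a log on stdin (with or without the timestamp prefix) and prints
# key=value lines: realms dumped, non-fatal warnings, and the fatal error.
summarise_backup_log() {
  sed -E 's/^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9:]{8} [-+][0-9]{4} - //' |
  awk '
    /^[0-9]+ Backing up / { stage = $0; next }      # numbered stage header
    /kdb5_util -r / {                               # one dump per Kerberos realm
      for (i = 1; i < NF; i++) if ($i == "-r") print "realm=" $(i + 1)
      next
    }
    /^[^ ]+: .*No such file or directory$/ {        # backup carried on: warning
      print "warning=stage " (stage + 0) ": " $0; next
    }
    /^Error / && !fatal {                           # first error aborts the run
      fatal = 1
      print "fatal_stage=" stage
      print "fatal_error=" $0
      # -25300 is errSecItemNotFound in the Security framework
      if ($NF == "-25300") print "meaning=errSecItemNotFound"
      next
    }
    /^Removed directory at path / && fatal { print "staging_removed=yes" }
    END { if (!fatal) print "result=completed" }
  '
}

sample_log | summarise_backup_log
```

Run against the logs from a working and a failing server, the `realm=` and `warning=` lines give a quick side-by-side of what each backup touched before the keychain step.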

Dec 1, 2008 6:29 AM in response to Greg Fiumara

Hi,

I have been experiencing the same issue.
I have a 10.5.5 Xserve that is bound to Active Directory and is an Open Directory Master (Golden Triangle setup). When trying to archive the OD database I am also seeing it fail on step 5 (Error in backing up keychain -25300).
I have set up a second server with the same sort of config (golden triangle) and can run the archive from Server Admin GUI successfully. When looking at the slapconfig.log on both machines they look pretty much identical apart from where the first one fails.
Does anyone know which keychain is being backed up as part of the archive process? When I look at the keychain file from the successful archive sparseimage it does not give any hint as to which user account it came from (in fact the entire contents of the keychain file are "QCVNBL:VI@a6715" where "a6715" is the name of the server).
I'd really not like to demote the server and promote it if at all necessary, so any more hints/guidance would be greatly appreciated.
