
Trouble setting up OD Replica

Hi there,

I've enabled ssh on both my OD master and intended replica; both are running the same version of the operating system, 10.5.7.

When I try to create the replica I get the message:

"This server has not been configured as an Open Directory Replica. Error has Occurred! Error value = 1077"


The server logs on the OD master say:

7/27/09 2:56:23 PM com.apple.SecurityServer[37] checkpw() returned -2; failed to authenticate user root (uid 0).
7/27/09 2:56:23 PM com.apple.SecurityServer[37] Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
7/27/09 2:56:23 PM sshd[1406] error: PAM: Authentication failure for root from myreplicaserver
7/27/09 2:56:26 PM emond[75] Host at myreplicaserver will be blocked for at least 15.00 minutes
7/27/09 2:58:37 PM com.apple.launchd[1] (0x10d920.sshd[1511]) Could not setup Mach task special port 9: (os/kern) no access


Any help would be much appreciated.

Thanks!

Mac OS X (10.5.6)

Posted on Jul 27, 2009 7:45 AM

9 replies
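Added example, not from the original post and not an Apple tool: a small Python script that parses the master's log lines quoted above and correlates them. It pulls out the sshd/PAM rejection of root, the SecurityServer checkpw() failure behind it, and the emond adaptive-firewall block, and it computes when that block lapses. The sample lines are the ones posted (with "myreplicaserver" as the poster's placeholder); the 60-second correlation window and the log line format "M/D/YY h:MM:SS AM process[pid] message" are assumptions.

```python
"""Correlate the master's log lines from the post above.

Added example; not from the original post and not an Apple tool. Parses
Mac OS X 10.5 server log lines of the form
"M/D/YY h:MM:SS AM process[pid] message" (assumed format), pulls out the
sshd/PAM rejection, the SecurityServer checkpw() failure and the emond
adaptive-firewall block, then computes when the block lapses.
"""
import re
from datetime import datetime, timedelta

# The lines as posted in the thread; 'myreplicaserver' is the poster's placeholder.
SAMPLE_LOG = """\
7/27/09 2:56:23 PM com.apple.SecurityServer[37] checkpw() returned -2; failed to authenticate user root (uid 0).
7/27/09 2:56:23 PM com.apple.SecurityServer[37] Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
7/27/09 2:56:23 PM sshd[1406] error: PAM: Authentication failure for root from myreplicaserver
7/27/09 2:56:26 PM emond[75] Host at myreplicaserver will be blocked for at least 15.00 minutes
7/27/09 2:58:37 PM com.apple.launchd[1] (0x10d920.sshd[1511]) Could not setup Mach task special port 9: (os/kern) no access
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<proc>\S+?)\[(?P<pid>\d+)\] (?P<msg>.*)$")
PAM_RE = re.compile(r"PAM: Authentication failure for (?P<user>\S+) from (?P<host>\S+)")
CHECKPW_RE = re.compile(r"checkpw\(\) returned (?P<rc>-?\d+); failed to authenticate user (?P<user>\S+)")
BLOCK_RE = re.compile(r"Host at (?P<host>\S+) will be blocked for at least (?P<minutes>[\d.]+) minutes")


def parse_line(line):
    """Split one log line into timestamp, process, pid and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%m/%d/%y %I:%M:%S %p"),
            "proc": m["proc"], "pid": int(m["pid"]), "msg": m["msg"]}


def analyze(log_text, correlation_window=timedelta(seconds=60)):
    """Collect ssh rejections, checkpw failures and firewall blocks, and add a
    note for every block that follows an ssh rejection from the same host
    within correlation_window (60 s is an assumed value)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    report = {"ssh_rejections": [], "checkpw_failures": [], "blocks": [], "notes": []}
    for e in events:
        if e["proc"] == "sshd" and (m := PAM_RE.search(e["msg"])):
            report["ssh_rejections"].append({"ts": e["ts"], "user": m["user"], "host": m["host"]})
        elif e["proc"] == "com.apple.SecurityServer" and (m := CHECKPW_RE.search(e["msg"])):
            report["checkpw_failures"].append({"ts": e["ts"], "user": m["user"], "rc": int(m["rc"])})
        elif e["proc"] == "emond" and (m := BLOCK_RE.search(e["msg"])):
            minutes = float(m["minutes"])
            report["blocks"].append({"ts": e["ts"], "host": m["host"], "minutes": minutes,
                                     "expires": e["ts"] + timedelta(minutes=minutes)})
    for b in report["blocks"]:
        prior = [r for r in report["ssh_rejections"]
                 if r["host"] == b["host"] and timedelta(0) <= b["ts"] - r["ts"] <= correlation_window]
        if prior:
            r = prior[-1]
            report["notes"].append(
                f"{b['host']}: ssh login as {r['user']} rejected at {r['ts']:%H:%M:%S}; "
                f"emond blocks the host until {b['expires']:%Y-%m-%d %H:%M:%S}. "
                "Fix the credential (or the ssh SACL) first; retries before then fail regardless.")
    return report


def is_blocked(report, host, when):
    """True if `when` falls inside a block emond announced for `host`."""
    return any(b["host"] == host and b["ts"] <= when < b["expires"] for b in report["blocks"])


if __name__ == "__main__":
    for note in analyze(SAMPLE_LOG)["notes"]:
        print(note)
```

Run against the posted lines it reports that root's ssh login from the replica was rejected at 14:56:23 and that the replica is blocked until 15:11:26, so re-running the replica wizard inside that quarter hour fails even if the root credential has since been corrected.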

Jul 27, 2009 11:01 AM in response to rkovelman

Hmm, ok

The FQDN on the master is ok "no change is necessary" but the server I've been attempting to use as a replica has a different hostname to the DNS name.

However, I've attempted to use another server as the replica, same OS (10.5.7), but the server is PPC (the OD master is Intel). I get exactly the same failure error (1077).

Firewalls are disabled on all.

I have another server arriving soon that I will configure as the OD master and I'm hoping to use the present master as the replica. Just testing things out.

I'm in an AD integrated environment and the servers aren't using their own DNS, would that make a difference?

Thanks muchly!

Jul 27, 2009 2:58 PM in response to Fridgemagnet

Hi

+"I'm in an AD integrated environment"+

If this is a 'classic' AD-OD Integrated environment, I'm guessing this means Kerberos is stopped on the OD Master? I can't see how you can set up a Replica when it can't read the information it needs for the Realm. This is because the Realm is not with your OD, it's with the AD.

You would not use the same hostnames for Replicas and Masters. That would be confusing and could potentially cause problems.

It does not matter where DNS is. As long as it's somewhere on the same network and configured and working correctly for both pointers, that's all that's required.

It should not matter what architecture the servers are. As long as they are exactly the same version, that's all that's required, along with ssh and a fully functioning Kerberos Realm that the OD Master is the KDC of, and of course fully working DNS. If any of these four things are not quite right, things will struggle.

Tony

Jul 27, 2009 9:31 PM in response to Antonio Rocco

I see, yes you're correct, Kerberos is stopped. So you can't use replicas when you're in a 'golden triangle' situation? Is that true? I wasn't able to find any information stating that this wasn't possible in the server documentation.

If this is so, how do institutions that need AD integration deal with server redundancy issues?

Thanks!

Jul 27, 2009 10:52 PM in response to Fridgemagnet

Hi

+"So you can't use replicas when you're in a 'golden triangle' situation? Is that true?"+

I'm not saying this. Successful Replica Promotion will stall or struggle if the Replicated Server is not an OD Master. According to the documentation an OD Master means a fully functioning LDAP Database, Password Service and Kerberos. Just as with the other requirements (I forgot to mention time synchronization), if any of those three initial things are not happening then I can't see how successful Replica Promotion can take place?

+"I wasn't able to find any information stating that this wasn't possible in the server documentation"+

It all depends on how you look at it? I see the documentation stating what is possible. Open Directory Admin Manual 3rd Edition page 60 onwards.

+"If this is so, how do institutions that need AD integration deal with server redundancy issues?"+

Hardware redundancy can be easily achieved depending on budget. Mirrored Drives, UPS etc. I have not personally tried this but have you tried simply binding/joining the second server to the shared directories? It should be able to read both nodes OK either simultaneously or separately. If the Master fails simply promote the second server accordingly. Export Groups/Computer Lists from the LDAP node once these have been configured. These can be easily re-imported elsewhere. MCX Settings should be retained using this method.

However, the above could have nothing to do with the problem you're seeing. Your initial post shows log entries for sshd. Double-check and make sure you've not changed this in any way, or whether you've applied a SACL for ssh.

Tony
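Added example, not from the replies above and not Apple's tooling: a Python pre-flight script for the prerequisites Tony lists across his two replies (same version on both servers, working DNS for both names, and time synchronization; ssh and the Kerberos realm are left to manual checks). It verifies that each server's FQDN resolves forward and back to itself, that the local hostname equals its DNS name (the case the poster's first replica failed), that the version strings match exactly, and that the clocks agree within a tolerance. The resolver functions are parameters so the logic can be exercised with constructed answers; the 300-second skew tolerance, the example hostnames and addresses, and the dict layout of the server descriptions are assumptions.

```python
"""Pre-flight checks for Open Directory replica prerequisites.

Added example; not from the original posts and not Apple's tooling.
Checks the items the replies say must line up before promotion:
DNS forward/reverse for each FQDN, hostname == DNS name, identical
version strings, and clock agreement. Kerberos and ssh are not checked
here. Resolvers are injectable; the defaults use the system resolver.
"""
import socket
import time

SKEW_TOLERANCE_SECONDS = 300   # assumed tolerance (the usual Kerberos limit)


def _norm(name):
    """Case-fold and drop a trailing dot so DNS answers compare cleanly."""
    return name.strip().rstrip(".").lower()


def dns_roundtrip(fqdn, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """fqdn -> address -> PTR must come back to fqdn. Returns (ok, detail).
    LookupError is caught alongside OSError so dict-based stand-in resolvers work."""
    try:
        addr = forward(fqdn)
    except (OSError, LookupError) as exc:
        return False, f"forward lookup of {fqdn} failed: {exc}"
    try:
        ptr = reverse(addr)[0]          # gethostbyaddr returns (name, aliases, addrs)
    except (OSError, LookupError) as exc:
        return False, f"reverse lookup of {addr} failed: {exc}"
    if _norm(ptr) != _norm(fqdn):
        return False, f"{fqdn} -> {addr} -> {ptr}: reverse record does not match"
    return True, f"{fqdn} -> {addr} -> {ptr}"


def hostname_matches_dns(expected_fqdn, local_fqdn=None):
    """Compare the machine's own FQDN with the name DNS is expected to hold for it.
    local_fqdn defaults to the running host's socket.getfqdn()."""
    local = local_fqdn if local_fqdn is not None else socket.getfqdn()
    return _norm(local) == _norm(expected_fqdn)


def versions_match(master_version, replica_version):
    """Exactly the same version string; architecture is deliberately not compared."""
    return master_version.strip() == replica_version.strip()


def clock_skew_ok(skew_seconds, tolerance=SKEW_TOLERANCE_SECONDS):
    return abs(skew_seconds) <= tolerance


def preflight(master, replica, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """master/replica are dicts {"fqdn", "hostname", "version", "time"} (time in
    epoch seconds). Returns {check: (ok, detail)}; promote only when all are ok."""
    results = {}
    for role, srv in (("master", master), ("replica", replica)):
        results[f"dns_{role}"] = dns_roundtrip(srv["fqdn"], forward, reverse)
        ok = hostname_matches_dns(srv["fqdn"], srv["hostname"])
        results[f"hostname_{role}"] = (ok, f"hostname {srv['hostname']} vs DNS {srv['fqdn']}")
    results["version"] = (versions_match(master["version"], replica["version"]),
                          f"{master['version']} vs {replica['version']}")
    skew = master["time"] - replica["time"]
    results["clock"] = (clock_skew_ok(skew), f"skew {skew:+.0f}s")
    return results


def all_ok(results):
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    # Self-check of the running host against itself; version string is a placeholder.
    me = {"fqdn": socket.getfqdn(), "hostname": socket.getfqdn(),
          "version": "10.5.7", "time": time.time()}
    for check, (ok, detail) in preflight(me, me).items():
        print(f"{'ok  ' if ok else 'FAIL'} {check}: {detail}")
```

The hostname and DNS comparison is the same thing Mac OS X Server's `changeip -checkhostname` does for the local machine; the script only makes the logic explicit so it can be run for both names from one place and extended with the version and clock checks the thread also asks for.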

Jul 28, 2009 12:02 AM in response to Antonio Rocco

Yes I see your point, the documentation doesn't say that you 'can' do it either. I'd just assumed it would work simply because I'd assumed large institutions would need such a thing if they were to use AD authentication.

So are you saying I should set up the secondary server to be "connected to a Directory System"? I already physically mirror the startup drive of the existing OD master, I'm looking for a way to provide redundancy without downtime in the event of a failure on the master.

If it's not possible to do such a thing what is the best way to use the second server?

Thanks for your help.

Jul 28, 2009 9:56 AM in response to Fridgemagnet

Hi

+"So are you saying I should set up the secondary server to be "connected to a Directory System?"+

You could do this if you wanted to?

I have not tried this but you could treat the secondary server the same as the first? Yes, I mean bind to AD, Promote to OD Master (no Kerberos) and replicate what's on the first master manually. Just don't enable anything. If the first Master dies simply enable what you need. Join Mac clients to both servers making sure the secondary server is the last in the list.

You could forget the AD completely to begin with and build the OD Master/Replica pair normally. Once you're happy you could use sso_util destroy (man sso_util) from the command line to remove Kerberos on both. Bind them both to your DC afterward. I really have no idea whether this will work as all the AD-OD integrations I've done (and I've done hundreds) have never required or needed a secondary mac server.

+". . . what is the best way to use the second server?"+

Good question. Apart from enforcing Mac-style GPOs what else is the other server doing/providing? If there are not more than a handful of services then perhaps you have a redundant server on your hands doing nothing. Unless you can think of another use for it?

I'm not telling you what to do but IMHO it really is not safe to make assumptions regarding not only Servers etc but pretty much anything else. Just some friendly advice that's all.

Tony
