Open Directory fails to migrate with Lion Server upgrade

Since experiencing that OD problem, I restored my server to 10.6.8 from a Time Machine backup. Then, I shut down all client Macs, hooked up a screen, keyboard and mouse to my server and tried the upgrade again. This time OD upgraded without hickups and 10.7 is working just fine.

Apple is indeed on the case. Bryan contacted me as well asking for a log from the failed installation. I'm very impressed with Apple that they do read these forums and work on diagnosing these problems.

Just upgraded today, unfortunately time machine never worked on 10.6 server for me so I am stuck with the OD migration fault until the engineers at apple come up with a fix, hopefully soon. I guess my log is intact if anyone wants to contact me for the upgrade failure log for OD. Other than that the upgrade seems to have gone ok.

I was taking the tack of installing a clean copy Lion Server on an external drive on my MacBook Pro, while leaving Snow Leopard Server on my Xserve alone. I was then going to copy the settings of all services on the Xserve over to the MacBook Pro. Then I was going to clone the external drive to the OS drive on the Xserve.

I just successfully migrated the DNS settings using the Server Admin 10.7 utility. I had it connect to both the Xserve and the MacBook Pro running Lion Server. I exported the Xserve DNS settings (Server->Export-Service Settings...) to a file on the local desktop and then imported the resulting PList file in the same manner.

This approach has never worked with an Open Directory database. Instead, when I have had to do this sort of thing before, I created an Open Directory Replica on the target server and then promoted it to an Open Directory Master. This preserved all user information in the Open Directory Database.

In the case of my attempted Snow Leopard Server to Lion Server this failed. The Open Directory Setup Assistant running on Lion Server rejects the credentials of the Directory Administrator on the Xserve running Snow Leopard Server.

I subsequently tried archiving the Open Directory database on the Xserve and restoring it from the resulting archive on the Lion Server. This procedure concludes without transferring any users into the Lion Server Open Directory database.

Same here. We have worked all weekend and still no luck. We found that we cannot Log into the "Worgroup Manager" It is refusing to accept our password. Checking it in the Keychain Access List - all is there and the password is correct. Deleted the Keychain and recreated another one - still no luck. Anybody has got any idea. Apple could not help so far...

Is there any fix to this migration issue, I have tried both upgrades and fresh installs of Lion Sever. Everytime my OD is dead after completion and no users are imported.

Fix migration? Not really. Maybe wait for v10.7.1?

Workaround? Sorta.

I had to use the old Server Admin interface and restore the orignal OD stuff from a backup. Now, all the information is in there, and accessible from the old Workgroup Manager tool, but don't expect the users or groups show up in the new Server application on the server (except for a split second when you first open it).

I tried your workaround, all my info appears to be there in the open directory however it is not perfect. Shortnames do not work, I must use the full name for any connection. This is not a very viable solution for me, as I have several accounts that are used in cron jobs, and this would require me to edit all my scripts.

hrm... Bummer.

Short names work for me for some reason - but I couldn't even start to explain why they do or do not (as in your case).

I was hoping the 10.7.1 update would solve some of these issues... alas, it did not.

Any solution yet? I have the same problems.

To those that have been contacted by apple about this Open Directory issue, did they offer any incite to a work around or eta for a fix?

Today, I decided to give a fresh install of 10.7.1 with migration and an upgrade from 10.6.8 to 10.7.1, however both failed in similar fashion. Even worse using the upgrade process this time completely killed my DNS and wouldn't even let me try and set up an Open Directory Master.

Looks like 10.7.2 has work done in the following areas:

Directory integration and OpenLDAPConfig

Hopefully this will address the problem.

when I go in and setup the Directory Admininstrator to generate a password.. I get this.

"This computer's host name is invalid.

The host name does not resolve to any configured address of this computer. Please ensure the host name is correct."

It's already May 2012...and the directory issue still is happening. I'm having Profile Management configuration issues. When I click Configure..it stalls while Reading the settings...wheel just spins while "Reading settings" It won't accept a self signed certificate AND when I try to create a replica directory...the spinning wheel spins and never finishes in the "verifying" state. Wheel just keeps splinning.

Hi!

Just wanted to chip in on this subject, thougt don't get your hopes up, cause I don't have a solution.

We're now on 10.7.4 and still the same issue! I've heard that this actually has worked for some 🙂. But I'm stuck too. some input:

When restoring an OD backup using the GUI, no errors are shown. you end up with a diradmin account you can't log in to even though you know the password is correct, since you have used it on your old server for years. exporting from old server and restoring to new server, this password is no more.... No OD users show up in Server.app or just momentarily then open ing the app. Same thing with groups.

In WGM, all users are visible and manageable too, provided you BEFORE exporting the OD db assigned another account FULL rights on the Directory. Then this user can be used to manage users and groups in WGM, because the password remain the same?!?!

Still no users in Server.app though 😟. haven't tried Profile Manager or if accounts and groups show up there...

When restoring the OD db using slapconfig -restoredb <path-to-db> you see more what's happening. Every time the same event happens:

2012-07-03 11:44:18 +0000 Configuring Kerberos server, realm is DIRECTORY.DOMAIN.COM

2012-07-03 11:44:18 +0000 command: /usr/sbin/kdcsetup -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -w -a directory.pool.se$ -p **** -v 1 DIRECTORY.DOMAIN.COM

2012-07-03 11:44:19 +0000 Contacting the Directory Server

Authenticating to the Directory Server

Creating Kerberos directory

Creating KDC Config File

Creating Kerberos Database

Creating new random master key

createInitialPrincipal: Changing password failed: 10001CreateKDCDatabase: error creating initial princ for krbtgt: 10001

Could not create KDC Database: 78Failed to configure error = 78

_createKerberosMaster: kdcsetup failed with code 78

2012-07-03 11:44:19 +0000 Error creating KDC

I think this is the reason for it all, the botched credentials that seemingly cannot be changed anywhere, which Server.app uses to see the directory users and groups. Remember, when creating the OD master, you put in credentials for diradmin, and it get overwritten on restore, but with what a heck what, and how do we change it?

As I said before, I managed to administer directory users through WGM and another user with full privs on the directory, but still I cannot change the diradmin user's password giving an error about permissions. Deleting the account, recreating it wiht the same user id, 1000, and old password doesn't change a thing unfortunately.....I suspect the GUID of the account is different.

Anyhow, maybe this sum up of my findings might point some of you in the right direction to solve this issue for us?

Hope I made some sense in my ramblings since I'm not a native English speaker....

Looking forward to your take on this!

/Hasse