
OD Master Kerberos is stopped

Just upgraded from 10.6.8 to 10.7.2. Was going well until I accidentally used Directory Utility to bind to OD (got confused about where things were and what I was actually clicking on, quite embarrassing really).


Now, as per the title, I'm unable to open the OD node on my OD Master in Workgroup Manager (The node /LDAPv3/127.0.0.1 couldn’t be opened because an unexpected error of type -14006 occurred.), or indeed log on using any accounts stored in OD.


In Server Admin\Open Directory, Kerberos marked as stopped.


In the Kerberos Server Logs I see the following:


2011-11-26T10:01:28 label: OSXSERVER.PRIVATE

2011-11-26T10:01:36 dbname: od:/LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi

2011-11-26T10:01:43 mkey_file: /var/db/krb5kdc/m_key.OSXSERVER.PRIVATE

2011-11-26T10:01:43 acl_file: /var/db/krb5kdc/acl_file.OSXSERVER.PRIVATE

2011-11-26T10:01:46 label: LKDC:SHA1.4AFF64EDFC760474C4AF1B5E024CD5C384C40DD5

2011-11-26T10:01:46 dbname: od:/Local/Default

2011-11-26T10:01:46 mkey_file: /var/db/krb5kdc/m-key

2011-11-26T10:01:46 acl_file: /var/db/krb5kdc/kadmind.acl

2011-11-26T10:01:46 WARNING Found KDC certificate (O=System Identity,CN=com.apple.kerberos.kdc)is missing the PK-INIT KDC EKU, this is bad for interoperability.

2011-11-26T10:01:46 listening on IPv6::: port 88/udp

2011-11-26T10:01:46 FAILED listening on IPv4:0.0.0.0 port 88/udp

2011-11-26T10:01:46 listening on IPv6::: port 88/tcp

2011-11-26T10:01:46 FAILED listening on IPv4:0.0.0.0 port 88/tcp

2011-11-26T10:01:46 FAILED listening on IPv6::: port 88/udp

2011-11-26T10:01:46 listening on IPv4:0.0.0.0 port 88/udp

2011-11-26T10:01:47 FAILED listening on IPv6::: port 88/tcp

2011-11-26T10:01:47 listening on IPv4:0.0.0.0 port 88/tcp

2011-11-26T10:01:47 KDC started

2011-11-26T10:02:10 label: default

2011-11-26T10:02:10 dbname: od:/Local/Default

2011-11-26T10:02:11 mkey_file: /var/db/krb5kdc/m-key

2011-11-26T10:02:11 acl_file: /var/db/krb5kdc/kadmind.acl

...


2011-11-26T10:02:23 Server not found in database: host/osxserver.private@OSXSERVER.PRIVATE: no such entry found in hdb



I have wikis and blogs that are linked to OD accounts, so this is quite a problem.

I'm guessing that what I need to do (other than roll the whole thing back to 10.6) is to completely reset the Kerberization of the OD Master. However I understand that the kerberos implementation has completely changed since 10.6 making most of the existing guidance obsolete.


Any help would be greatly appreciated!

Nick

Mac OS X (10.7.2)

Posted on Nov 26, 2011 3:14 AM

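Added example (my own code, not from the original post, Apple, or Heimdal): a small Python triage of the KDC log quoted above. It groups the "listening"/"FAILED listening" lines per socket so that a bind failure followed by a successful bind on the same port is reported as transient rather than as a dead listener, and it extracts the "Server not found in database" principal, which is the actual fault visible in the post: the KDC serves realm OSXSERVER.PRIVATE but has no host/osxserver.private entry in that realm's database. The sample log embedded below is constructed from the lines in the post (the elided part omitted); the "own host principal" rule assumes the default seen in this thread, where the realm is the master's FQDN uppercased.

```python
"""Triage of a Heimdal-style KDC log (added example, not Apple's code)."""
import re
from collections import defaultdict

# Constructed sample: the KDC log lines quoted in the post, elided part omitted.
SAMPLE_LOG = """\
2011-11-26T10:01:28 label: OSXSERVER.PRIVATE
2011-11-26T10:01:36 dbname: od:/LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi
2011-11-26T10:01:43 mkey_file: /var/db/krb5kdc/m_key.OSXSERVER.PRIVATE
2011-11-26T10:01:43 acl_file: /var/db/krb5kdc/acl_file.OSXSERVER.PRIVATE
2011-11-26T10:01:46 label: LKDC:SHA1.4AFF64EDFC760474C4AF1B5E024CD5C384C40DD5
2011-11-26T10:01:46 dbname: od:/Local/Default
2011-11-26T10:01:46 mkey_file: /var/db/krb5kdc/m-key
2011-11-26T10:01:46 acl_file: /var/db/krb5kdc/kadmind.acl
2011-11-26T10:01:46 WARNING Found KDC certificate (O=System Identity,CN=com.apple.kerberos.kdc)is missing the PK-INIT KDC EKU, this is bad for interoperability.
2011-11-26T10:01:46 listening on IPv6::: port 88/udp
2011-11-26T10:01:46 FAILED listening on IPv4:0.0.0.0 port 88/udp
2011-11-26T10:01:46 listening on IPv6::: port 88/tcp
2011-11-26T10:01:46 FAILED listening on IPv4:0.0.0.0 port 88/tcp
2011-11-26T10:01:46 FAILED listening on IPv6::: port 88/udp
2011-11-26T10:01:46 listening on IPv4:0.0.0.0 port 88/udp
2011-11-26T10:01:47 FAILED listening on IPv6::: port 88/tcp
2011-11-26T10:01:47 listening on IPv4:0.0.0.0 port 88/tcp
2011-11-26T10:01:47 KDC started
2011-11-26T10:02:10 label: default
2011-11-26T10:02:10 dbname: od:/Local/Default
2011-11-26T10:02:23 Server not found in database: host/osxserver.private@OSXSERVER.PRIVATE: no such entry found in hdb
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<msg>.*)$")
LISTEN_RE = re.compile(
    r"^(?P<failed>FAILED )?listening on (?P<family>IPv[46]):(?P<addr>\S+) "
    r"port (?P<port>\d+)/(?P<proto>udp|tcp)$"
)
NOTFOUND_RE = re.compile(
    r"^Server not found in database: (?P<principal>\S+?)@(?P<realm>[^:\s]+):"
)


def triage_kdc_log(text):
    """Parse KDC log text; return structured facts plus a list of findings."""
    realms = []                 # 'label:' values, in order of appearance
    warnings = []
    listen = defaultdict(set)   # (family, port, proto) -> subset of {"ok", "failed"}
    missing = []                # (principal, realm) from failed hdb lookups
    started = False

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("label: "):
            realms.append(msg[len("label: "):])
        elif msg.startswith("WARNING"):
            warnings.append(msg)
        elif msg == "KDC started":
            started = True
        elif (lm := LISTEN_RE.match(msg)):
            key = (lm.group("family"), int(lm.group("port")), lm.group("proto"))
            listen[key].add("failed" if lm.group("failed") else "ok")
        elif (nm := NOTFOUND_RE.match(msg)):
            missing.append((nm.group("principal"), nm.group("realm")))

    never_bound = sorted(k for k, v in listen.items() if "ok" not in v)
    transient = sorted(k for k, v in listen.items() if v == {"ok", "failed"})

    findings = []
    if not started:
        findings.append("no 'KDC started' line: the KDC process did not come up")
    for key in never_bound:
        findings.append("socket %s:%d/%s never bound" % key)
    if transient and not never_bound:
        findings.append("bind failures were transient; every port 88 socket eventually bound")
    for principal, realm in missing:
        service, _, host = principal.partition("/")
        # Assumption: realm == master FQDN uppercased (the default seen in this thread).
        if service == "host" and host.upper() == realm:
            findings.append(
                "the KDC's own host principal %s@%s is missing from the hdb of a realm it "
                "serves: the realm's Kerberos records are gone or inconsistent" % (principal, realm))
        elif realm in realms:
            findings.append("principal %s missing from served realm %s" % (principal, realm))
        else:
            findings.append("lookup for %s@%s hit a realm this KDC does not serve" % (principal, realm))
    for w in warnings:
        if "PK-INIT KDC EKU" in w:
            findings.append("KDC certificate lacks the PK-INIT KDC EKU (logged as an "
                            "interoperability warning; the KDC started afterwards)")

    return {
        "realms": realms,
        "started": started,
        "missing_principals": missing,
        "never_bound": never_bound,
        "transient_bind_failures": transient,
        "warnings": warnings,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage_kdc_log(SAMPLE_LOG)["findings"]:
        print("-", line)
```

On a real 10.7 server you would feed it the Kerberos server log shown in Server Admin instead of SAMPLE_LOG; the point of the per-socket grouping is that the four FAILED lines in the post are noise, and the one line that matters is the missing host principal.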

Dec 1, 2011 5:36 AM in response to nbt_11

Kerberos requires your DNS setup to be fully working. The messages you posted imply that you have set up an internal DNS zone of 'private'.


While technically not illegal, a single-level domain name of 'private' is unusual; more typically a domain name would have two or three levels, e.g. example.private, example.com, example.co.uk.


Could you first confirm whether you did choose to use a domain name of 'private'? If you did not, then your server has lost contact with its DNS setup and we will look into that. If you did choose 'private', can I recommend you switch to a more traditional type of domain name.


It is not compulsory, but a lot of people choose to use the same domain name internally as they do externally. This has advantages and disadvantages, but for most sites it works out easiest in the long run.

Dec 1, 2011 11:31 PM in response to John Lockwood

Hi John,


The domain name is indeed single label. Not sure why I did that. It was a while ago.


DNS seems to be fine:


osxserver:~ ladmin$ dig osxserver.private


; <<>> DiG 9.7.3-P3 <<>> osxserver.private

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21633

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0



;; QUESTION SECTION:

;osxserver.private. IN A



;; ANSWER SECTION:

osxserver.private. 10800 IN A 192.168.0.101



;; AUTHORITY SECTION:

private. 10800 IN NS osxserver.private.



;; Query time: 2 msec

;; SERVER: 192.168.0.101#53(192.168.0.101)

;; WHEN: Fri Dec 2 07:16:31 2011

;; MSG SIZE rcvd: 65


192.168.0.101 is my server's ip address.

Forwarders are set up in Server Admin-DNS-Settings.


I'm happy to change the domain name, though I'm not sure how, or what effect this will have on OD and Kerberos in their current not-working state. I'm not a fan of using the same namespace as the external domain, but a second level to private, or perhaps moving to .internal (which appears in much MS documentation), would be best.

Dec 2, 2011 2:35 AM in response to nbt_11

Have you tested your DNS setup by doing the following on the server? I also presume you tried rebooting.


sudo changeip -checkhostname


While it is less likely to occur to a previously working setup, another common mistake is to have the OD server itself looking to the wrong DNS server. It needs to look at your internal DNS server, which in your case is handling the private domain; if the OD server is the DNS server, this means you should use 127.0.0.1 as the DNS server address in System Preferences on the server.


Your clients on the network should use the real IP address of your internal DNS server, not your ISP or other DNS server.


If I was upgrading a server to 10.7 I would 'archive' the OD databases using Server Admin. I would then do the upgrade which might well result in effectively a 'new' server. I would then restore and specifically merge (not replace) the OD backup.
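Added example (my own code, not Apple's `changeip` and not its logic): a Python check of the things the reply above says Kerberos depends on, namely that the server's name is fully qualified and not a single-label or .local domain, that the forward lookup of the hostname returns the primary address, and that the reverse lookup of that address returns the hostname. Resolution is injected as two callables so the check runs offline against a constructed zone; `live_resolvers()` returns adapters over the standard `socket` module for running it on a real server. The `default_realm` helper encodes the naming seen in this thread (realm = FQDN uppercased), which is an assumption, not a rule.

```python
"""Kerberos-readiness check of an OD master's DNS name (added example)."""
import ipaddress
import socket


def check_kerberos_dns(hostname, primary_ip, resolve_a, resolve_ptr):
    """Return a list of problems; an empty list means the name is Kerberos-ready.

    resolve_a(name) -> list of address strings (empty on NXDOMAIN)
    resolve_ptr(ip) -> list of hostnames (empty when there is no PTR)
    """
    problems = []
    name = hostname.rstrip(".").lower()
    labels = name.split(".")
    ip = ipaddress.ip_address(primary_ip)

    if len(labels) < 2:
        problems.append("hostname %r is not fully qualified" % hostname)
    else:
        domain = ".".join(labels[1:])
        if len(labels) == 2:
            problems.append("single-label domain %r: unusual, prefer e.g. example.private" % domain)
        if labels[-1] == "local":
            problems.append("domain ends in .local, which is reserved for Bonjour/mDNS (RFC 6762)")
    if ip.is_loopback or ip.is_link_local:
        problems.append("primary address %s is loopback or link-local" % ip)

    forward = [a.lower() for a in resolve_a(name)]
    if not forward:
        problems.append("no A/AAAA record for %s" % name)
    elif str(ip) not in forward:
        problems.append("forward lookup of %s gives %s, not primary address %s"
                        % (name, forward, ip))

    reverse = [n.rstrip(".").lower() for n in resolve_ptr(str(ip))]
    if not reverse:
        problems.append("no PTR record for %s" % ip)
    elif name not in reverse:
        problems.append("PTR for %s is %s, not %s (changeip -checkhostname would report "
                        "a name mismatch)" % (ip, reverse, name))
    return problems


def default_realm(hostname):
    """Assumption from this thread: the OD master's realm is its FQDN uppercased."""
    return hostname.rstrip(".").upper()


def live_resolvers():
    """Adapters over the real resolver, for use on an actual server."""
    def resolve_a(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            return []

    def resolve_ptr(ip):
        try:
            host, aliases, _ = socket.gethostbyaddr(ip)
            return [host] + aliases
        except (socket.herror, socket.gaierror):
            return []

    return resolve_a, resolve_ptr


# Constructed zone mirroring the dig output in the thread; not a live lookup.
FAKE_A = {"osxserver.private": ["192.168.0.101"],
          "osxserver.example.private": ["192.168.0.101"]}
FAKE_PTR = {"192.168.0.101": ["osxserver.private"]}


def fake_a(name):
    return FAKE_A.get(name, [])


def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])


if __name__ == "__main__":
    for p in check_kerberos_dns("osxserver.private", "192.168.0.101", fake_a, fake_ptr):
        print("PROBLEM:", p)
    print("realm would be", default_realm("osxserver.private"))
```

Against the constructed zone the only finding for osxserver.private is the single-label domain; renaming to osxserver.example.private without also updating the PTR record produces a reverse-lookup mismatch, which is the case worth testing before touching OD, since the realm name and host principal follow the hostname.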

Dec 3, 2011 2:14 AM in response to John Lockwood

Hi John,


Yes, I've tried rebooting the server 🙂



osxserver:~ ladmin$ sudo changeip -checkhostname


Primary address = 192.168.0.101


Current HostName = osxserver.private

DNS HostName = osxserver.private


The names match. There is nothing to change.

dirserv:success = "success"



DNS servers in System Preferences currently point to 192.168.0.101 (which is the server's own IP). I've generally never had a problem with this arrangement, but I can change it to 127.0.0.1 if that might eliminate potential issues that could trip this up.


osxserver:~ ladmin$ scutil --dns

DNS configuration


resolver #1

nameserver[0] : 192.168.0.101


resolver #2

domain : {myMobileMeAccountname}.members.mac.com

options : pdns

timeout : 5

order : 150000


resolver #3

domain : local

options : mdns

timeout : 5

order : 300000


resolver #4

domain : 254.169.in-addr.arpa

options : mdns

timeout : 5

order : 300200


resolver #5

domain : 8.e.f.ip6.arpa

options : mdns

timeout : 5

order : 300400


resolver #6

domain : 9.e.f.ip6.arpa

options : mdns

timeout : 5

order : 300600


resolver #7

domain : a.e.f.ip6.arpa

options : mdns

timeout : 5

order : 300800


resolver #8

domain : b.e.f.ip6.arpa

options : mdns

timeout : 5

order : 301000


DNS configuration (for scoped queries)


resolver #1

nameserver[0] : 192.168.0.101

if_index : 4 (en0)

flags : Scoped



In the context of what I was trying and how the server is being used, I took a Carbon Copy Cloner clone of the machine, from which I should be able to roll back to 10.6. However, as the upgrade was a success and OD was working, I'm keen to learn how to fix the system from the position it is in now. I have noticed that there is a promising-looking set of folders in the root '/Previous System/var/'.


I should also mention this is a private test and development server; I'm a lot more careful with production systems. But it would be good to be able to get OD/Kerberos working again without a full rebuild, as moving wiki server data can be painful.

Dec 5, 2011 2:10 AM in response to nbt_11

As you have a previous clone and as this is a test system, if I was in the same position what I would be doing next is -


  • Making a new empty 10.7 OD system, you can do this in-situ by converting to standalone and then making a new master
  • Making sure that works including Kerberos
  • Then using an OD archive of the 10.6 system and restoring it in to the new 10.7 OD and telling it to merge


If you don't currently have an up-to-date archive of the 10.6 OD, you can boot the clone and make one.
