Can't Administer Lion Server

I have been having a problem with one of the Lion servers I support: I cannot use either of the GUI tools to administer it. This does not appear to be the problem others have had with Lion where the servermgrd process isn't running. For example:


acropolis:~ ladmin$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.servermgrd.plist

Password:

bind(): Address already in use

bind(): Address already in use

com.apple.servermgrd: Already loaded


Instead, this seems to be that the login information I supply to either the Server app or the Server Admin app is being applied against the wrong directory, so the user isn't being authenticated and the apps cannot connect. It is also possible I simply have this server misconfigured, but now I am stuck. Unless there is something I can do from the command line to fix it, I can't fix it. This is a mission-critical server, so any restarts etc. have had to wait for scheduled maintenance windows.


This machine is an Xserve running Lion 10.7.5. It hosts DHCP, DNS, AFP shares, as well as being an OD Master. However, it is importing users and groups from our old OD Master (running 10.6.8) for the time being. This arrangement worked OK for several months. I have been looking for a large window where everything could basically be disrupted while the old Snow Leopard server is decommissioned and the user accounts are set up on the Lion server. Kerberos is suspect here too since the realm is still tied to the old server (but I haven't seen any errors related to Kerberos). Below are some of the clues I think I've found.


It seems that when I try to connect either of the Server apps, it tries the "local LDAP node", which I thought would be /Local/Default, but instead I think it's trying to authenticate against /LDAPv3/127.0.0.1, which doesn't have any of the local users.


10/2/12 1:58:09.493 PM servermgrd: servermgr_accounts: got error 5000 trying to auth to local LDAP node


I see errors related to the GlobalGID as well as the GroupName. Is this because of the groups being imported from the old OD Master?


10/2/12 1:02:51.209 PM opendirectoryd: Misconfiguration detected in hash 'GlobalGID' - see /var/log/opendirectoryd.log for details

10/2/12 1:02:51.234 PM opendirectoryd: Misconfiguration detected in hash 'GlobalGID' - see /var/log/opendirectoryd.log for details


10/2/12 10:20:51.710 AM opendirectoryd: Misconfiguration detected in hash 'GroupName' - see /var/log/opendirectoryd.log for details

10/2/12 10:20:51.728 AM opendirectoryd: Misconfiguration detected in hash 'GroupName' - see /var/log/opendirectoryd.log for details


When I look through /var/log/opendirectoryd.log I find entries like this that repeat over and over:


2012-09-28 23:25:37.189 PDT - Module: SystemCache - Misconfiguration detected in hash 'GroupName':


So I am really stuck and any clues or guidance would be really helpful.


Message was edited by: atomicboy

Posted on Oct 2, 2012 3:07 PM

3 replies

Oct 3, 2012 8:40 PM in response to atomicboy

A few more relevant log entries from system.log.


10/3/12 8:34:47.926 PM Server Admin: Could not find image named 'Previous'.

10/3/12 8:36:33.355 PM Server Admin: doClickAltImage: <MyExtendedOutlineView: 0x7fc3e469dc40>

10/3/12 8:36:44.634 PM servermgrd: servermgr_accounts: got error 5000 trying to auth to local LDAP node

10/3/12 8:37:45.873 PM servermgrd: servermgr_accounts: got error 5000 trying to auth to local LDAP node

10/3/12 8:37:45.944 PM servermgrd: servermgr_ipfilter:ipfw config:Notice:Flushed IPv4 rules

10/3/12 8:37:46.026 PM servermgrd: servermgr_ipfilter:ipfw config:Notice:Flushed IPv6 rules

Oct 5, 2012 1:36 PM in response to JaimeMagiera

Thanks but your suggestion hasn't helped. I was able to successfully change the Directory Admin account password as a test using the DSCL method but I still cannot authenticate as the Local Admin or Directory Admin when using the Server or Server Admin apps. I cannot authenticate using the Directory Utility using the Directory Admin account.


Library/Logs/PasswordService/ApplePasswordServer.Server.log

Oct 5 2012 11:50:26 237754us CHANGEPASS: {, } changed password for user {0x21459blahblahblahblahblahblahblah, diradmin}



/Library/Logs/PasswordService/ApplePasswordServer.Server.log

Oct 5 2012 11:51:08 482612us GETPOLICY: user {0x21459blahblahblahblahblahblahblah, diradmin}.

Oct 5 2012 11:51:08 465197us GETPOLICY: user {0x21459blahblahblahblahblahblahblah, diradmin}.



/var/log/krb5kdc/kdc.log

2012-10-05T11:51:08 Failed to decrypt PA-DATA -- diradmin@MYLIONSERV.STAHANCYK.COM

2012-10-05T11:51:08 AS-REQ diradmin@MYLIONSERV.STAHANCYK.COM from 127.0.0.1:62912 for krbtgt/MYLIONSERV.STAHANCYK.COM@MYLIONSERV.STAHANCYK.COM

2012-10-05T11:51:08 AS-REQ diradmin@MYLIONSERV.STAHANCYK.COM from 127.0.0.1:62912 for krbtgt/MYLIONSERV.STAHANCYK.COM@MYLIONSERV.STAHANCYK.COM

2012-10-05T11:51:08 No preauth found, returning PREAUTH-REQUIRED -- diradmin@MYLIONSERV.STAHANCYK.COM

2012-10-05T11:51:08 AS-REQ diradmin@MYLIONSERV.STAHANCYK.COM from 127.0.0.1:51879 for krbtgt/MYLIONSERV.STAHANCYK.COM@MYLIONSERV.STAHANCYK.COM

2012-10-05T11:51:08 AS-REQ diradmin@MYLIONSERV.STAHANCYK.COM from 127.0.0.1:51879 for krbtgt/MYLIONSERV.STAHANCYK.COM@MYLIONSERV.STAHANCYK.COM
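For readers triaging kdc.log excerpts like the one in the post above, here is an added example (not part of the original thread) that separates the routine "PREAUTH-REQUIRED" first leg of an AS exchange from "Failed to decrypt PA-DATA", which means the KDC could not decrypt the client's pre-authentication data with the key it holds for that principal. The sample lines are constructed in the same format, and the realm and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the kdc.log format quoted in the thread (placeholder realm).
SAMPLE = """\
2012-10-05T11:51:08 AS-REQ diradmin@EXAMPLE.COM from 127.0.0.1:62912 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
2012-10-05T11:51:08 No preauth found, returning PREAUTH-REQUIRED -- diradmin@EXAMPLE.COM
2012-10-05T11:51:08 AS-REQ diradmin@EXAMPLE.COM from 127.0.0.1:51879 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
2012-10-05T11:51:08 Failed to decrypt PA-DATA -- diradmin@EXAMPLE.COM
2012-10-05T11:52:10 AS-REQ ladmin@EXAMPLE.COM from 127.0.0.1:51900 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
2012-10-05T11:52:10 No preauth found, returning PREAUTH-REQUIRED -- ladmin@EXAMPLE.COM
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<msg>.*)$")
AS_REQ = re.compile(r"^AS-REQ (?P<princ>\S+) from (?P<src>\S+) for (?P<svc>\S+)$")
RESULT = re.compile(r"^(?P<what>.+?) -- (?P<princ>\S+)$")


def summarize(text):
    """Count AS-REQs, PREAUTH-REQUIRED replies and PA-DATA decrypt failures per principal."""
    stats = defaultdict(lambda: {"as_req": 0, "preauth_required": 0,
                                 "decrypt_failed": 0, "sources": set()})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unparseable line
        msg = m["msg"]
        if (a := AS_REQ.match(msg)):
            entry = stats[a["princ"]]
            entry["as_req"] += 1
            entry["sources"].add(a["src"].rsplit(":", 1)[0])  # drop the client port
        elif (r := RESULT.match(msg)):
            entry = stats[r["princ"]]
            if "PREAUTH-REQUIRED" in r["what"]:
                entry["preauth_required"] += 1   # normal first leg, not an error
            elif r["what"].startswith("Failed to decrypt PA-DATA"):
                entry["decrypt_failed"] += 1     # client key does not match the KDC's key
    return dict(stats)


def failing_principals(text):
    """Principals with at least one pre-authentication decrypt failure."""
    return sorted(p for p, s in summarize(text).items() if s["decrypt_failed"])


if __name__ == "__main__":
    for princ, s in summarize(SAMPLE).items():
        print(princ, s)
    print("decrypt failures:", failing_principals(SAMPLE))
```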
