Cannot successfully preflight OD replica

Question

Level 1

51 points

Cannot successfully preflight OD replica

Happy Friday!

Environment: Two 2010 MacMini servers running OS X 10.9.1 and Server 3.0.1. Server1 is set up as OD Master which seems to be working fine. I'm trying to set up server2 as a replica. Before I do so, I want to make sure it passes preflight. However, sudo /usr/sbin/slapconfig -preflightreplica xx.xx.xx.2 <directoryadminuser> from the intended replica consistently returns the often-mentioned messages:

2014-01-03 19:40:13 +0000 NSMutableDictionary *_getRootDSE(const char *): rootDSE not found
2014-01-03 19:40:13 +0000 Error: Unable to determine the master's software version.

Both servers are set to allow remote login via ssh for administrators, and based on what I've read, I tried adding the directory administrator to the authorized list on the ODM. No change.

slaconfig -ver output on server1 is:

LDAP Setup Tool (slapconfig), Apple, Inc.,  Version 1.3

No errors are reported. rootDSE.ldif is present in /etc/openldap.

Other links I've read suggest editing sshd_config to set PubkeyAuthentication to no, and PasswordAuthentication to yes, on both machines. I've done this as well as set PermitRootLogin to yes.

I've watched syslog on both machines while executing the preflight. Nothing useful is printed.

Any suggestions on what I should try next?

Thanks,

Tim

Mac mini, OS X Server

Posted on Jan 3, 2014 12:06 PM

Reply

Answer 1

simonpie

Level 1

43 points

Feb 2, 2017 7:00 PM in response to tim_r_66

I had the same problem between two El Capitan servers. A mac mini trying to connect to my domain master would generate the same message. In the end, I discovered that the firewall was blocking World access to port 625 (Server Admin). I modified pf.conf to allow access from the mac mini and voilà !

Reply

Answer 2

Jan 3, 2014 2:31 PM in response to tim_r_66

Hi

A key component of getting an OD Master and Replica working correctly is . . . time. Make sure all servers in the environment are using the same ntp server. What I usually do is 'point' the OD Master to an internet based service or, if available, a Windows server and define the OD Master as the NTP server for the proposed replica.

HTH?

Tony

Reply

Answer 3

tim_r_66 Author

Level 1

51 points

Jan 4, 2014 3:41 PM in response to Antonio Rocco

Thanks Tony,

I checked the time and they were initially off by 3 mins even though they were both pointing to an external time server. When I started adjusting settings on ODR, and pointed it to ODM, I confimed they times matched. Same result when I run the preflight: rootDSE not found and cannot determin ODM's software version.

Tim

Reply

Answer 4

Jan 15, 2014 11:58 AM in response to tim_r_66

Has anyone seen a proper resoultion to this problem? I have been trying to fix this issue for weeks. I even performed a clean install of 10.9 on both servers and created open directory from scratch and can still not replicate.

-DNS is perfect (Forward and Reverse resolves fine across both)

-NTP on both are connected to the same server and exactly the same time

-Can ssh into and from each server (with root and local administrator account)

Command:

sudo slapconfig -preflightreplica X.X.X.X diradmin
Result:

2014-01-15 19:55:16 +0000 NSMutableDictionary *_getRootDSE(const char *): rootDSE not found

2014-01-15 19:55:16 +0000 Error: Unable to determine the master's software version.

Command:

slapconfig -createreplica HOSTNAME diradmin

Result:
2014-01-15 19:56:18 +0000 slapconfig -createreplica

diradmin's Password:

2014-01-15 19:56:32 +0000 Error Unable to authenticate to HOSTNAME: Session can't be opened because daemon refused the connection. (error = 77)

2014-01-15 19:56:32 +0000 Not creating replica due to preflight failure.

2014-01-15 19:56:32 +0000 Not creating replica due to preflight failure. (error = 77)

Reply

Answer 5

Jan 15, 2014 11:16 PM in response to Knightworks

Yes I have exactly same issue. Verifed DNS, NTP, and SSH and I'm having the same preflight error.

Reply

Answer 6

xelphor

Level 1

14 points

Jan 31, 2014 12:35 PM in response to tim_r_66

Tim, I see you've been messing around with Kerboros recently. Have you figured this out yet? In the same boat after updating 4 servers to Mavericks. Did all the same stuff you did, getting the same preflight errors. Contacted Apple Enterprise today and they had no ideas at all. Thx.

Reply

Answer 7

tim_r_66 Author

Level 1

51 points

Jan 31, 2014 2:18 PM in response to xelphor

xelphor,

My breakthrough today has enabled me to use Kerberos for mail/notes which is a big change. I accomplished this by switching to authenticated vice anonymous binding. This did not solve my problem with preflighting but I have not gone back yet to try the ideas from krypted.com. I'll probably test that later tonight or tomorrow.

Tim

Reply

Answer 8

tim_r_66 Author

Level 1

51 points

Jan 31, 2014 3:51 PM in response to tim_r_66

xelphor,

Sorry, I posted the incorrect link. The steps I had found somewhere (I cannot find the right link now) are to edit the /etc/sshd_conf on both the ODM and the intended replica:

Master:

Authentication: 
PermitRootLogin yes 

PasswordAuthentication yes 
PubkeyAuthentication no

Replica:

PasswordAuthentication yes 
PubkeyAuthentication no

I recall someone also wrote you may need to add Directory Admin to the list of authorized ssh users.

Unfortunately, I thought there was another step too.

I just tried this on my system and it did not work. However, I currently have server2 bound to server1 which may be the reason. However, the errors were the same.

Tim

Reply

Answer 9

Feb 20, 2014 5:57 AM in response to Knightworks

Ok fixed my issue using the following steps:

On both the master and replica (back to basics here):
sudo slapconfig -destroyldapserver
sudo slapconifg -setstandalone

Now we use the magic triangle with active directory so in order for it to work well with active directory we had to first join the master and replica to the active directory domain and kerberize services from active directory realm first using the following command on the master:

sudo /usr/sbin/dsconfigad -enablesso -localuser localadminuser

Than I recreated the Master and added the replica from the master using FQDN and everything seems to be working. Fingers crossed!

Reply

Answer 10

xelphor

Level 1

14 points

Feb 20, 2014 7:59 AM in response to Knightworks

Thanks guys. I've been pinging back and forth with Apple Enterprise for the past month with absolutely no luck. OSX 10.9 Mavericks completely broke a functional OD environment with 3 replicas and a master. Unfortunately (as it always seems) I'm going to have to take matters into my own hands and try and fix it myself. Going to utilize this info and will report back. I have a hunch I may need to issue a complete destroy and start all over from scratch. Thanks Apple!

Reply

Answer 11

tim_r_66 Author

Level 1

51 points

Feb 20, 2014 2:20 PM in response to xelphor

I'll be looking to hear your results. I've destroyed and recreated the ODM too many times to count and probably won't do it again unless I'm extremely confident it will solve the problem. Probably would take Apple pushing an update that says they fixed problems with OD.

While I haven't come up with anything that makes me 100% certain it is a bug, I've done enough rebuilds to be confident it isn't something obvious I am doing, so doing it again would fall into the category of insanity. :-~

I have seen a couple people who have said they fixed the problem but I believe both of them were fixed with magic triangle configurations.

Tim

Reply