
OD Setup Error

After many months of enduring OD issues, I finally decided to bite the bullet and do a fresh install of both Mavericks and Server. After the fresh install, I attempted to re-establish the Open Directory Master from an archived version of OD and it failed. I then tried to install a new Open Directory Master and it repeatedly comes up with an error and the following system log messages.


3/29/14 4:45:09.091 PM Console[93563]: Marker - Mar 29, 2014, 4:45:09 PM

3/29/14 4:45:43.388 PM ntpd[98370]: proto: precision = 1.000 usec

3/29/14 4:45:43.389 PM ntpd[98370]: getconfig: Couldn't open </private/etc/ntp_opendirectory.conf>

3/29/14 4:45:51.427 PM slapconfig[98368]: CopyReplicaArray: ldap_search_ext_s in user container for syncrepl returned -1: Can't contact LDAP server

3/29/14 4:45:51.660 PM kdc[98395]: label: SERVER.PRETENDCO.COM

3/29/14 4:45:51.660 PM kdc[98395]: dbname: od:/LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi

3/29/14 4:45:51.660 PM kdc[98395]: mkey_file: /var/db/krb5kdc/m_key.SERVER.PRETENDCO.COM

3/29/14 4:45:51.660 PM kdc[98395]: acl_file: /var/db/krb5kdc/acl_file.SERVER.PRETENDCO.COM

3/29/14 4:45:51.669 PM kdc[98395]: label: LKDC:SHA1.35BE45344C90C502740C392599ABDE21445D8961

3/29/14 4:45:51.669 PM kdc[98395]: dbname: od:/Local/Default

3/29/14 4:45:51.669 PM kdc[98395]: mkey_file: /var/db/krb5kdc/m-key

3/29/14 4:45:51.669 PM kdc[98395]: acl_file: /var/db/krb5kdc/kadmind.acl

3/29/14 4:45:51.684 PM kdc[98395]: WARNING Found KDC certificate (O=System Identity,CN=com.apple.kerberos.kdc)is missing the PK-INIT KDC EKU, this is bad for interoperability.

3/29/14 4:45:51.739 PM com.apple.launchd[1]: (com.apple.Kerberos.kpasswdd[98396]) Exited: Killed: 9

3/29/14 4:45:51.740 PM com.apple.launchd[1]: (com.apple.Kerberos.kadmind[98397]) Exited: Killed: 9

3/29/14 4:45:51.787 PM kdc[98395]: KDC started

3/29/14 4:45:51.827 PM Server[92071]: An error occurred while configuring PretendCo Server as a directory server:

Error Domain=XSActionErrorDomain Code=78 "Server returned a non-zero status code" UserInfo=0x608001461240 {NSLocalizedDescription=Server returned a non-zero status code}


I thought the issue might be the server certificate, so I deleted and reestablished a self-signed server certificate. Still no joy. Any suggestions as to what I should do next would be greatly appreciated.

Mac mini, OS X Mavericks (10.9.2), OS X Server 3.1.1

Posted on Mar 29, 2014 5:09 PM


Mar 29, 2014 6:46 PM in response to sysx

Many, if not most, OD problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

1. The OD master must have a static IP address on the local network, not a dynamic address.

2. You must have a working DNS service. Verify that the master's hostname matches its domain name by running the shell command

sudo changeip -checkhostname

The name must not be in the ".local" top-level domain, which is reserved for Bonjour.

3. The primary DNS server used by the master must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

4. Follow these instructions to rebuild the Kerberos configuration on the master.

5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.

6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

7. Reboot the master and the clients.

8. Don't log in to the server with a network user's account.

9. Export all OD users, delete them, turn off OD, turn it back on, and import. Ensure that the UIDs are in the 1001+ range.
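As an added example (not from this thread and not Apple's tooling), a small POSIX shell preflight that scripts items 2 and 3 of the checklist: it rejects short or ".local" hostnames, checks that the forward (A) and reverse (PTR) DNS records agree, and checks that the first resolver is 127.0.0.1. The script name od_preflight.sh, the LAN interface en0, and the use of dig and ipconfig are assumptions; the pure functions take their inputs as arguments so they can be exercised without a live directory.

```shell
#!/bin/sh
# od_preflight.sh: added illustration of the DNS/hostname items in the checklist
# above (not Apple's tooling; complements `sudo changeip -checkhostname`).
# The pure functions take their inputs as arguments so they can be exercised
# offline; main() gathers live values and assumes the LAN interface is en0.

# Item 2: the name must be fully qualified and must not sit in the
# Bonjour-reserved .local top-level domain.
hostname_is_acceptable() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        *.local) return 1 ;;   # reserved for Bonjour/mDNS
        *.*)     return 0 ;;   # contains a dot: looks fully qualified
        *)       return 1 ;;   # short name only
    esac
}

# Forward/reverse agreement: the A record of the FQDN must be the server's
# address and the PTR for that address must give back the same FQDN
# (compared case-insensitively, ignoring a trailing dot).
# Args: fqdn expected_ip forward_lookup_result reverse_lookup_result
dns_round_trip_ok() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    got=$(printf '%s' "$4" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$2" ] && [ "$3" = "$2" ] && [ "$got" = "$want" ]
}

# Item 3: the first nameserver on stdin (resolv.conf format) should be the
# master itself, unless another internal DNS server is deliberately used.
resolver_is_self() {
    awk '/^nameserver/ { print $2; exit }' | grep -qx '127.0.0.1'
}

# Live checks against this host; run with:  sh od_preflight.sh run
main() {
    fqdn=$(hostname -f 2>/dev/null || hostname)
    addr=$(ipconfig getifaddr en0 2>/dev/null)          # assumption: LAN is en0
    fwd=$(dig +short "$fqdn" A 2>/dev/null | head -n 1)
    rev=$(dig +short -x "$addr" 2>/dev/null | head -n 1)
    hostname_is_acceptable "$fqdn" && echo "ok   hostname: $fqdn" \
        || echo "FAIL hostname '$fqdn' is short or in .local"
    dns_round_trip_ok "$fqdn" "$addr" "$fwd" "$rev" && echo "ok   DNS: $fqdn <-> $addr" \
        || echo "FAIL DNS: A=$fwd PTR=$rev, expected $addr / $fqdn"
    resolver_is_self < /etc/resolv.conf && echo "ok   first resolver is 127.0.0.1" \
        || echo "WARN first nameserver is not 127.0.0.1 (fine only with another internal DNS)"
}

if [ "${1:-}" = "run" ]; then main; fi
```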

Mar 30, 2014 3:28 PM in response to Linc Davis

Thanks for your ideas on this issue.


I tried/verified the following steps:

1. The OD Master Server has a static LAN address (192.168.0.X) - Check

2. The OD Master Server has a working DNS (server.pretendco.com) - Check

3. The OD Master Server DNS server is 127.0.0.1 (only) with a search domain of pretendco.com (DHCP is supplied by LAN router.) - Check

4. Rebuild of Kerberos configuration is a question mark. The link leads me to "OS X Server (Mavericks): After upgrading or migrating, network user cannot be created" and I am not sure if this accomplished what you wanted.

5. The server certificate matches both the common hostname and domain name. It is a self-signed certificate. All office client computers are not using any bindings at the moment. They all were "binded" prior to my upgrade to Mavericks and Server.

6. To be accomplished once I get an OD Master.

7. I have tried rebooting the OD Master Server a number of times.

8. Only one administrator user and no groups on OD Master Server at this time. Server Manager on same machine.

9. Maybe what I did initially could be the issue, as I used an OD Master Archive when I did a fresh install of Server and Mavericks. I have since deleted the OD Master from the Archive and have attempted to start an OD Master from scratch. Starting from scratch (again) could be the only viable option at this point, as I have less than 10 users on the LAN.


Any further thoughts would be greatly appreciated.

Mar 31, 2014 7:24 AM in response to Linc Davis

I did step 4 and no OD Master was installed.


I cannot do step 9 until I have an OD Master. I have one administrative user & no groups on this server, and none of the local clients are "binded" to the server.


Please note the following log and the marker indicating this log has a 6 hour time difference to real time. Is that not an issue for Kerberos?


Marker - Mar 30, 2014, 5:18:35 PM

2014-03-31 00:19:11 +0000 Success. Master creation is possible.

2014-03-31 00:19:12 +0000 Success. Master creation is possible.

2014-03-31 00:19:13 +0000 slapconfig -createldapmasterandadmin

2014-03-31 00:19:14 +0000 command: /usr/bin/sntp -s time.apple.com.

2014-03-31 00:19:14 +0000 Success. Master creation is possible.

2014-03-31 00:19:14 +0000 Starting LDAP server (slapd)

2014-03-31 00:19:14 +0000 slapd started

2014-03-31 00:19:14 +0000 command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2014-03-31 00:19:16 +0000 command: /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

2014-03-31 00:19:16 +0000 Stopping LDAP server (slapd)

2014-03-31 00:19:20 +0000 Starting LDAP server (slapd)

2014-03-31 00:19:20 +0000 slapd started

2014-03-31 00:19:20 +0000 Save of LDAP configuration failed with error 10000

2014-03-31 00:19:20 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2014-03-31 00:19:20 +0000 adding new entry "olcOverlay=unique,olcDatabase=bdb,cn=config"

adding new entry "olcOverlay=dynid,olcDatabase=bdb,cn=config"

adding new entry "olcOverlay=dynid,olcDatabase=bdb,cn=config"

adding new entry "olcOverlay=nestedgroup,olcDatabase=bdb,cn=config"

adding new entry "olcOverlay=odusers,olcDatabase={-1}frontend,cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase=bdb,cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase=bdb,cn=config"

2014-03-31 00:19:20 +0000 command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2014-03-31 00:19:20 +0000 adding new entry "cn=customSchema,cn=schema,cn=config"

2014-03-31 00:19:20 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2014-03-31 00:19:20 +0000 command: /usr/bin/ldapsearch -x -LLL -H ldapi://%2Fvar%2Frun%2Fldapi -b cn=config -s base olcServerID

2014-03-31 00:19:20 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

2014-03-31 00:19:20 +0000 Configuring Kerberos server, realm is SERVER.PRETENDCO.COM

2014-03-31 00:19:20 +0000 command: /usr/sbin/kdcsetup -a diradmin -v 1 SERVER.PRETENDCO.COM

2014-03-31 00:19:20 +0000 Opening ldapi connection to the LDAP user data

Opening ldapi connection to the LDAP auth data

Creating KDC for OD Master

Creating Kerberos directory

Creating KDC Config File

_writeKDCConfigFile: Unable to write KDC config file: Operation not permitted (1)

Failed to create KDC on OD master

2014-03-31 00:19:20 +0000 int32_t _createKerberosMaster(NSString *, NSString *, const char *, BOOL, BOOL, NSString *): kdcsetup failed with code 255

2014-03-31 00:19:20 +0000 int32_t _createLDAPMaster(const char *, const char *, const char *, BOOL, const char *, const char *, BOOL, const char *, const char *, const char *, const char *): Unable to configure KDC: 255

2014-03-31 00:19:20 +0000 Logging slapd container data to /var/run/slapconfig_error_1396225160

2014-03-31 00:19:20 +0000 Stopping LDAP server (slapd)

2014-03-31 00:19:21 +0000 command: /usr/sbin/slapcat -l /var/run/slapconfig_error_1396225160/user.ldif

2014-03-31 00:19:21 +0000 command: /usr/sbin/slapcat -b cn=authdata -l /var/run/slapconfig_error_1396225160/authdata.ldif

Apr 1, 2014 3:32 PM in response to Linc Davis

Still no OD. Got following in the System Log:


4/1/14 3:21:26.863 PM kdc[52597]: WARNING Found KDC certificate (O=System Identity,CN=com.apple.kerberos.kdc)is missing the PK-INIT KDC EKU, this is bad for interoperability.

4/1/14 3:21:26.904 PM com.apple.launchd[1]: (com.apple.Kerberos.kpasswdd[52598]) Exited: Killed: 9

4/1/14 3:21:26.904 PM com.apple.launchd[1]: (com.apple.Kerberos.kpasswdd) Throttling respawn: Will start in 10 seconds

4/1/14 3:21:26.904 PM com.apple.launchd[1]: (com.apple.Kerberos.kadmind[52599]) Exited: Killed: 9

4/1/14 3:21:26.989 PM Server[52468]: An error occurred while configuring PretendCo Server as a directory server:

Error Domain=XSActionErrorDomain Code=78 "Server returned a non-zero status code" UserInfo=0x600000a671c0 {NSLocalizedDescription=Server returned a non-zero status code}

Apr 1, 2014 3:55 PM in response to sysx

I find it hard to understand how you could be having all these weird problems with a freshly installed system. If you are having them, then everybody should be, and that's not the case. There's some missing information here, and I don't know what it is. You may need to have someone qualified come to your site and set this up for you.

Apr 1, 2014 4:08 PM in response to Linc Davis

Thanks Linc,


I have an ACTC 10.8 certification, but not a lot of experience with a deployed server. I am going to try a fresh install from ground zero, as these issues have been growing since I first upgraded from Snow Leopard Server. I do appreciate your help. I think one of the issues may have been, I tried to use an OD archive out of the box rather than going totally fresh install. Thanks again.

Apr 4, 2014 5:23 PM in response to Linc Davis

Linc,


I just completed a new(er) fresh install of Mavericks (10.9.2) and the Server (3.1.1) and completed a setup for Open Directory on the first try. The only thing I did not do was attempt to restore Open Directory from an archived version. The version I originally archived must have been corrupted in some way and causing all my prior issues. Thanks for all the help and I gave you credit for solving my problem.

Apr 16, 2015 6:16 AM in response to Linc Davis

I want to reply that I found this thread because I have the EXACT same errors.


Even down to this test:

sudo /usr/libexec/slapd -Tt

gives me:

552fb53f could not stat config file "/etc/openldap/slapd.conf": No such file or directory (2)

slaptest: bad configuration file!


I also have the log entry complaining about KDC key missing being bad for interoperability.

WARNING Found KDC certificate (O=System Identity,CN=com.apple.kerberos.kdc)is missing the PK-INIT KDC EKU, this is bad for interoperability


Apparently, this issue isn't weird, or there are a number of us that got this bug during updates.
