Picoscope

Q: GSSAPI miscellaneous error - server not found?

In my effort to eliminate frequent "rainbow beachball of doom" for my users since upgrading to 10.8.5, I've been tracking down and eliminating several config errors on my server. I'm down to just a couple now and here's one I haven't been able to get to the source of that appears to be causing a few hangs (Note that in all places where my server is mentioned, I've substituted "fqdn.myserver" for the actual fqdn):

GSSAPI Error:  Miscellaneous failure (see text (Server (ldap/<fqdn.myserver.lowercase@FQDN.MYSERVER.UPPERCASE) unknown while looking up 'ldap/fqdn.myserver.lowercase@FQDN.MYSERVER.UPPERCASE' (cached result, timeout in 1200 sec) (negative cache))

Possibly related: check out the results of nslookup from a client machine:

pauls-laptop:~ paul$ nslookup fqdn.myserver.net
Server:        10.23.0.7
Address:    10.23.0.7#53

Name:    fqdn.myserver.net
Address: 10.23.0.7

pauls-laptop:~ paul$ nslookup -type=NS fqdn.myserver.net
Server:        10.23.0.7
Address:    10.23.0.7#53

*** Can't find fqdn.myserver.net: No answer

Two things: first, I note that the IP address of my server is being returned as the server name. Also, even though my server correctly handles DNS queries both forward and reverse, and I've created NS records for my name server AND

sudo changeip -checkhostname

returns correct results at the server, nslookup still can't find the NS record... Perhaps I'm misusing nslookup though - I don't have much experience with that tool.

Thoughts anyone?

MAC MINI SERVER (LATE 2012), OS X Server, 10.8.5

Posted on Aug 5, 2014 1:48 PM

  • Linc Davis, Level 10 (207,963 points), Aug 5, 2014 6:23 PM, in response to Picoscope (marked Helpful)

    Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

    1. The OD master must have a static IP address on the local network, not a dynamic address.

    2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

    3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

    4. Follow these instructions to rebuild the Kerberos configuration on the master.

    5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.

    6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

    7. Reboot the master and the clients.

    8. Don't log in to the server with a network user's account.

    9. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.
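A small consistency check for steps 2 and 3 above, added here as an example (it is not code from the thread or from Apple's changeip tool): it applies the three-label rule, the .local rule, and verifies that the forward and reverse DNS records for the master agree. The lookup functions are injectable, so the constructed records at the bottom (the thread's redacted fqdn.myserver.net / 10.23.0.7 plus an invented mini.local / 10.23.0.8) let it run offline; with the defaults it queries the system resolver.

```python
import socket


def default_forward(name):
    """IPv4 addresses the system resolver returns for name (empty set if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def default_reverse(ip):
    """PTR name for ip, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_hostname(hostname, server_ip, forward=default_forward, reverse=default_reverse):
    """Return a list of problems; an empty list means the names match."""
    problems = []
    name = hostname.rstrip(".").lower()  # tolerate a trailing dot and mixed case
    labels = name.split(".")
    if len(labels) < 3:
        problems.append("hostname needs at least three labels, e.g. server.yourdomain.com")
    if labels[-1] == "local":
        problems.append(".local is reserved for Bonjour")
    addrs = forward(name)
    if not addrs:
        problems.append("no A record for %s" % name)
    elif server_ip not in addrs:
        problems.append("A record(s) %s do not include %s" % (sorted(addrs), server_ip))
    ptr = reverse(server_ip)
    if ptr is None:
        problems.append("no PTR record for %s" % server_ip)
    elif ptr.rstrip(".").lower() != name:
        problems.append("PTR for %s is %s, not %s" % (server_ip, ptr, name))
    return problems


# Constructed sample records: the thread's redacted name/address plus an invented .local host.
SAMPLE_A = {"fqdn.myserver.net": {"10.23.0.7"}, "mini.local": {"10.23.0.8"}}
SAMPLE_PTR = {"10.23.0.7": "fqdn.myserver.net", "10.23.0.8": "mini.local"}


def sample_forward(name):
    return SAMPLE_A.get(name, set())


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)
```

Run `check_hostname(socket.getfqdn(), "<server ip>")` on the master itself to use the live resolver; each returned string is one thing to fix before moving on to the Kerberos step.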

  • Picoscope, Level 1 (14 points), Aug 6, 2014 10:29 AM, in response to Linc Davis (marked as the solved answer)

    Linc to the rescue, again. Thanks much. I'll check these out in order over the next few days and let you know what I find. Here's what I know so far:

    1. OD Master does have a unique static IP.

    2. NB I'm using Server 2.2.1 (169) managing a 10.8.5 server (incorrect listing on my account, which I corrected after this post), so the available screens and options are somewhat different from what you've described. Any idea where in this version I would access the "Accessing your Server" sheet?

    For what it's worth, changeip -checkhostname returns:

    The names match. There is nothing to change.

    dirserv:success = "success"

    3. I set the primary DNS server for the server itself to 127.0.0.1 via the network connections prefs in System Preferences. Previously it had been set to the primary static address. Most of our clients are assigned statically and bound to the OD. We have been using a secondary local server as a backup local DNS service (forwarders only) so clients can still access external sites when we take our main down for maintenance. Consequently we've populated the DNS settings of those clients with both addresses. I'll work on cleaning those up over the next couple of days.

    4. This step looks highly likely to be the magic bullet. In the last year we've both upgraded from 10.6.8 to 10.7 to 10.8.5 and migrated from an XServe to a mini. It seems likely to me that our Kerberos records need to be updated. I plan to run this step tonight after I do a little more research to make sure I know exactly what those commands are going to do.

    5. Another likely culprit. We are using a wildcard cert that covers our whole domain; likely we'll need to replace this with one that's specific to this server. I'll check into this if step 4 doesn't clear things up.

    6. Probably not needed, as we used the FQDN in all of our binds anyway - but if need be we can redo this.

    7. Never a bad idea.

    8. We never do this.

    9. Long ago and far away (in my 10.3 days) I've had to do this. Glad that's a last resort and hope it doesn't come to that.

    Thanks again, Linc.

    -Paul

    PS - A little tidbit for you: one of the many errors I've run down in the last week was:

    collabpp[88328]: CFPreferences: user home directory for user kCFPreferencesCurrentUser at /var/teamsserver is unavailable. User domains will be volatile.

    As some posters have noted, this directory technically does not exist (at least not as of 10.8.5) - but admins who actually look in /var will find a directory that *looks* like it's supposed to be the teamsserver home directory - but it's misspelled: teamserver (note the single "s"). This buggered me for quite a while trying to fix it with -chown and Workgroup Manager - until I took a good look at the directory. Easy to see how Apple developers might have overlooked that one.

    Cheers!

  • Picoscope, Level 1 (14 points), Aug 6, 2014 12:15 PM, in response to Picoscope

    Whoops - correction: I just found out from my partner-in-crime that he actually set up full replication for our second DNS server - so not just forwarders after all.

  • Picoscope, Level 1 (14 points), Aug 8, 2014 10:53 AM, in response to Linc Davis

    Hey Linc,

    Well done and thanks a ton! Re-kerberizing and adding a specific cert for our server last night appears to have done the trick. As near as I can tell, the GSSAPI errors have vanished, though I'll keep an eye out today.

    On a related note - I'm also trying to resolve what I think is a related error (was happening before we took the above steps and is still happening now):

    Aug  6 09:38:50 fqdn.myserver.net servermgrd[127]: servermgr_accounts: got error 5000 trying to auth to local LDAP node

    Trying to resolve, I attempted to change the password for the diradmin account using the instructions here: OS X Server: How to reset the Open Directory administrator password in Mavericks

    And got the following:

    Result: Strong(er) authentication required (8)

    Additional info: only authenticated users may change passwords

    Any thoughts?

  • Picoscope, Level 1 (14 points), Aug 8, 2014 11:32 PM, in response to Picoscope (marked Helpful)

    Ah! I think I found the solution to the error 5000 message here:

    Re: Server.app Users add button is disabled

    (See the post by Peter Jurg2)

    I'm getting close to an error-free server :-).