Unable to create open directory replica after Yosemite Upgrade

Hi all,


After updating both our OD server and replica servers to Yosemite and Server 4 (which worked great under 10.9), I'm unable to add the replica server. Both machines are running 10.10.1 and Server 4, and DNS appears to be set up properly on the OD server (which is serving DNS to the machine intended as a replica). I simply get the message below when I try to add the machine as a replica from the "replica machine":


Checking the slapconfig.log file I get the following (example has been substituted for our actual domain name):

2015-01-06 17:20:54 +0000 slapconfig -createreplica

2015-01-06 17:20:55 +0000 Warning: An error occurred while disabling GSSAPI binding.

2015-01-06 17:20:55 +0000 1 Creating computer record for replica

2015-01-06 17:21:00 +0000 command: /usr/sbin/slapconfig -delkeychain /LDAPv3/127.0.0.1 fm-server.example.com$

2015-01-06 17:21:00 +0000 slapconfig -delkeychain

2015-01-06 17:21:00 +0000 Added computer password to keychain

2015-01-06 17:21:00 +0000 Adding ldap and host service principals

2015-01-06 17:21:01 +0000 2 Creating ldap replicator user

2015-01-06 17:21:01 +0000 _ldap_replicator exists from previous replica - migrating

2015-01-06 17:21:01 +0000 NSString *_getReplicatorPasswordWithNode(ODNode *): no syncrepl attribute found in results

2015-01-06 17:21:01 +0000 Unable to get replicator password, recreating replicator

2015-01-06 17:21:01 +0000 int _createReplicatorWithNode(ODNode *, NSDictionary *): changePassword: changePassword: 5402 (Password change failed because password does not meet minimum quality requirements.)

2015-01-06 17:21:01 +0000 Unable to create replicator user

2015-01-06 17:21:01 +0000 Unable to create replicator user (error = 69)

2015-01-06 17:21:01 +0000 CopyReplicaArray: ldap_search_ext_s failed

2015-01-06 17:21:01 +0000 Error retrieving replica array

2015-01-06 17:21:01 +0000 Deleting Cert Authority related data

2015-01-06 17:21:01 +0000 OPENDIRECTORY_ROOT_CA_IDENTITY not found, unable to determine rootCA name from OPENDIRECTORY_ROOT_CA_CERTIFICATE, defaulting to configured value of (null)

2015-01-06 17:21:01 +0000 No intCAIdentity, not removing int CA from keychain

2015-01-06 17:21:01 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist

2015-01-06 17:21:01 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist

2015-01-06 17:21:01 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist

2015-01-06 17:21:01 +0000 Stopping LDAP server (slapd)

2015-01-06 17:21:01 +0000 Stopping password server

2015-01-06 17:21:01 +0000 Removed all service principals from keytab for realm FM-SERVER.EXAMPLE.COM

2015-01-06 17:21:04 +0000 Stopping password server

2015-01-06 17:21:04 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

We are using a standard Go Daddy SSL certificate on the OD server.


If I try to add the replica from the OD server itself, I get the following message (172.16.2.100 is the internal IP of the intended replica server):



I've blown away the Server App and the server folder on the replica unit, as well as run the slapconfig -destroyldapserver command on the replica.


Anyone have any suggestions? Appreciate the help! Thanks!

Mac mini, OS X Yosemite (10.10.1)

Posted on Jan 6, 2015 10:01 AM

10 replies
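As an added triage example (not from the thread or from Apple's tooling), this Python parses a slapconfig.log of the shape quoted in the post: it records the numbered step that was reached, every "Unable to ..." failure together with the diagnostic line printed just before it, the final error code, and whether slapconfig tore the replica configuration back down. The sample log is constructed from the lines quoted above.

```python
"""Triage a slapconfig -createreplica log (added example, not Apple code)."""
import re

# Constructed sample: the key lines from the slapconfig.log quoted in the post.
SAMPLE_LOG = """\
2015-01-06 17:20:54 +0000 slapconfig -createreplica
2015-01-06 17:20:55 +0000 Warning: An error occurred while disabling GSSAPI binding.
2015-01-06 17:20:55 +0000 1 Creating computer record for replica
2015-01-06 17:21:01 +0000 2 Creating ldap replicator user
2015-01-06 17:21:01 +0000 _ldap_replicator exists from previous replica - migrating
2015-01-06 17:21:01 +0000 NSString *_getReplicatorPasswordWithNode(ODNode *): no syncrepl attribute found in results
2015-01-06 17:21:01 +0000 Unable to get replicator password, recreating replicator
2015-01-06 17:21:01 +0000 int _createReplicatorWithNode(ODNode *, NSDictionary *): changePassword: changePassword: 5402 (Password change failed because password does not meet minimum quality requirements.)
2015-01-06 17:21:01 +0000 Unable to create replicator user
2015-01-06 17:21:01 +0000 Unable to create replicator user (error = 69)
2015-01-06 17:21:01 +0000 Deleting Cert Authority related data
2015-01-06 17:21:01 +0000 Stopping LDAP server (slapd)
2015-01-06 17:21:04 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.
"""

LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4} (.*)$")  # strip timestamp
STEP_RE = re.compile(r"^(\d+) (.+)$")        # e.g. "2 Creating ldap replicator user"
ERRNO_RE = re.compile(r"\(error = (\d+)\)")  # e.g. "(error = 69)"


def triage(log_text: str) -> dict:
    """Walk the log top to bottom and summarise where and why it failed."""
    result = {"command": None, "last_step": None, "warnings": [],
              "failures": [], "errno": None, "rolled_back": False}
    prev_msg = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a slapconfig log line
        msg = m.group(1)
        if result["command"] is None and msg.startswith("slapconfig -"):
            result["command"] = msg
        elif msg.startswith("Warning:"):
            result["warnings"].append(msg)
        elif STEP_RE.match(msg):
            result["last_step"] = STEP_RE.match(msg).group(2)
        elif msg.startswith("Unable to"):
            # Pair the failure with the diagnostic printed immediately before it.
            result["failures"].append((prev_msg, msg))
            e = ERRNO_RE.search(msg)
            if e:
                result["errno"] = int(e.group(1))
        elif msg.endswith("com.apple.openldap.plist."):
            result["rolled_back"] = True  # slapconfig removed the LDAP config again
        prev_msg = msg
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For the posted log this shows the run died in step 2 (creating the replicator user), with the first failure being the missing syncrepl attribute from the previous replica and the fatal one the 5402 password-quality rejection, followed by a full rollback.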

Jan 6, 2015 7:41 PM in response to fkick1

You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

Check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.

Jan 7, 2015 9:49 AM in response to Linc Davis

Hi Linc,


Thanks for the feedback, unfortunately DNS checks out and so does the certificate. I'm still unable to generate the replica. All was working perfectly until the Yosemite update. I also ran the server update from last night on both machines hoping for a fix, and no luck. Any other suggestions aside from wiping the whole system and attempting to start from scratch?


Thanks!

Jan 7, 2015 2:12 PM in response to fkick1

Hi Linc,


The replica has a functioning self-signed certificate and the master is using an SSL certificate from Go Daddy.


I had a few minutes so I decided to wipe the replica again and set it up as a temporary master. I then installed server on another Yosemite machine to see if I could set it to replicate the temporary master. I get the same issues that I had with the original replica going to the original master. Has anyone had success with getting yosemite to create a replica?

Jan 7, 2015 4:48 PM in response to Linc Davis

Unfortunately, even setting the Open Directory SSL to "none" in the Server app doesn't seem to resolve the issue. It's still looking for an OPENDIRECTORY_ROOT_CA_IDENTITY that it doesn't seem to be finding.


2015-01-08 00:26:06 +0000 slapconfig -createreplica

2015-01-08 00:26:06 +0000 Warning: An error occurred while disabling GSSAPI binding.

2015-01-08 00:26:06 +0000 1 Creating computer record for replica

2015-01-08 00:26:12 +0000 command: /usr/sbin/slapconfig -delkeychain /LDAPv3/127.0.0.1 fmserver.example.com$

2015-01-08 00:26:12 +0000 slapconfig -delkeychain

2015-01-08 00:26:12 +0000 Added computer password to keychain

2015-01-08 00:26:12 +0000 Adding ldap and host service principals

2015-01-08 00:26:12 +0000 2 Creating ldap replicator user

2015-01-08 00:26:12 +0000 _ldap_replicator exists from previous replica - migrating

2015-01-08 00:26:12 +0000 NSString *_getReplicatorPasswordWithNode(ODNode *): no syncrepl attribute found in results

2015-01-08 00:26:12 +0000 Unable to get replicator password, recreating replicator

2015-01-08 00:26:12 +0000 int _createReplicatorWithNode(ODNode *, NSDictionary *): changePassword: changePassword: 5402 (Password change failed because password does not meet minimum quality requirements.)

2015-01-08 00:26:12 +0000 Unable to create replicator user

2015-01-08 00:26:12 +0000 Unable to create replicator user (error = 69)

2015-01-08 00:26:12 +0000 CopyReplicaArray: ldap_search_ext_s failed

2015-01-08 00:26:12 +0000 Error retrieving replica array

2015-01-08 00:26:12 +0000 Deleting Cert Authority related data

2015-01-08 00:26:12 +0000 OPENDIRECTORY_ROOT_CA_IDENTITY not found, unable to determine rootCA name from OPENDIRECTORY_ROOT_CA_CERTIFICATE, defaulting to configured value of (null)

2015-01-08 00:26:12 +0000 No intCAIdentity, not removing int CA from keychain

2015-01-08 00:26:12 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist

2015-01-08 00:26:12 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist

2015-01-08 00:26:12 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist

2015-01-08 00:26:12 +0000 Stopping LDAP server (slapd)

2015-01-08 00:26:12 +0000 Stopping password server

2015-01-08 00:26:12 +0000 Removed all service principals from keytab for realm FMSERVER.TGROUPMAIL.COM

2015-01-08 00:26:15 +0000 Stopping password server

2015-01-08 00:26:15 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.


Also, SSL is not enabled in Directory Utility.



Should there be another place I need to check to disable SSL? Both machines are on the internal network, so it's not needed.

Jan 9, 2015 6:39 AM in response to fkick1

So it turns out that our two problems may not have been identical although the message "The certificate for this server is invalid" was the same.


I could resolve the problem as follows:

1) Use Server.app to open a remote administration session from master to replica.

2) Server will complain that it doesn't trust the self-signed certificate "com.apple.servermgrd" of the replica. Now change the security policy on the master to trust this certificate.

3) Disconnect the remote administration session.

4) Retry creating the replica from the master. This will now succeed.
