Mailing Lists: Apple Mailing Lists

Big OD Problems



Hi, I am fairly new to Open Directory, though I am somewhat familiar with OpenLDAP and quite familiar with *nix.

Tonight (or more accurately, last night) I tried doing something I thought was simple, and ended up taking down our entire network.

I promoted an existing OS X Server (10.4.11 G5 xserve) machine to be an LDAP replica. Doing this caused the Master (10.4.10 intel xserve) to cease authenticating users (as well as the replica).

Both forward and reverse DNS are set up correctly (I get the FQDN). On the replica under Open Directory, everything appears fine (lookupd, netinfod (local only), slapd, Passwd Server and Kerberos are all running). Same on the master.

I have tried demoting the replica to stand alone (and back), and have rebooted both machines multiple times (you never know).

In the logs I see various things...

/var/log/slapd.log:

<datestamp, hostname> slapd[pid]: SASL [conn=XXXX] Failure: no user in database\n

This is repeated many times.


/Library/Logs/PasswordService/ApplePasswordServer.Server.log

Jul 23 2008 05:13:00 QUIT: {0x47e674c46fbb3a88000001bd0000020d, admin} disconnected.
Jul 23 2008 05:13:19 AUTH2: {0x47e6ef413f43d7cf000001be000001b9, user2} password change required.
Jul 23 2008 05:13:19 KERBEROS-LOGIN-CHECK: policy violation (-7) for user {0x47e6ef413f43d7cf000001be000001b9, user2}
Jul 23 2008 05:13:19 QUIT: {no user} disconnected.
Jul 23 2008 05:13:20 KERBEROS-LOGIN-CHECK: user {0x47e6ef413f43d7cf000001be000001b9, user2} authentication failed.
Jul 23 2008 05:13:20 QUIT: {no user} disconnected.
Jul 23 2008 05:13:20 RSAVALIDATE: success.
Jul 23 2008 05:13:20 USER: {0x47e6ef413f43d7cf000001be000001b9, user2} is the current user.
Jul 23 2008 05:13:20 AUTH2: {0x47e6ef413f43d7cf000001be000001b9, user2} password change required.
Jul 23 2008 05:13:20 QUIT: {0x47e6ef413f43d7cf000001be000001b9, user2} disconnected.
Jul 23 2008 05:13:32 RSAVALIDATE: success.
Jul 23 2008 05:13:32 USER: {0x45dbc06315f4d71c0000009a0000009a, user1} is the current user.
Jul 23 2008 05:13:32 AUTH2: {0x45dbc06315f4d71c0000009a0000009a, user1} CRAM-MD5 authentication succeeded.
Jul 23 2008 05:13:32 QUIT: {0x45dbc06315f4d71c0000009a0000009a, user1} disconnected.
Jul 23 2008 05:13:47 KERBEROS-LOGIN-CHECK: no principal (host1@FQDN)
Jul 23 2008 05:13:47 QUIT: {no user} disconnected.
Jul 23 2008 05:14:02 AUTH2: {0x46cb3be4038c62130000015500000155, host2} password change required.
Jul 23 2008 05:14:02 KERBEROS-LOGIN-CHECK: policy violation (-7) for user {0x46cb3be4038c62130000015500000155, host2}
Jul 23 2008 05:14:02 QUIT: {no user} disconnected.
Jul 23 2008 05:14:03 KERBEROS-LOGIN-CHECK: user {0x46cb3be4038c62130000015500000155, host2} authentication failed.
Jul 23 2008 05:14:03 QUIT: {no user} disconnected.
Jul 23 2008 05:14:03 RSAVALIDATE: success.
Jul 23 2008 05:14:03 USER: {0x46cb3be4038c62130000015500000155, host2} is the current user.
Jul 23 2008 05:14:03 AUTH2: {0x46cb3be4038c62130000015500000155, host2} password change required.
Jul 23 2008 05:14:03 QUIT: {0x46cb3be4038c62130000015500000155, host2} disconnected.



/var/log/krb5kdc/kadmin.log

Jul 23 01:55:34 FQDN kadmin.local[4060](info): No dictionary file specified, continuing without one.
Jul 23 01:55:40 FQDN kadmin.local[4068](info): No dictionary file specified, continuing without one.
Jul 23 01:55:53 FQDN kadmin.local[4081](info): No dictionary file specified, continuing without one.
Jul 23 01:55:59 FQDN kadmin.local[4088](info): No dictionary file specified, continuing without one.
Jul 23 03:13:40 FQDN kadmin.local[6054](info): No dictionary file specified, continuing without one.
Jul 23 03:48:48 FQDN kadmin.local[8694](info): No dictionary file specified, continuing without one.


/var/log/krb5kdc/kdc.log

Jul 23 05:13:19 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.11: NEEDED_PREAUTH: host3@FQDN for krbtgt/FQDN@FQDN, Additional pre-authentication required
Jul 23 05:13:20 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.11: CHECK_PWS_ACCT: host3@FQDN for krbtgt/FQDN@FQDN, Cannot allocate memory
Jul 23 05:13:47 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.204.111: CLIENT_NOT_FOUND: host1@FQDN for krbtgt/FQDN@FQDN, Client not found in Kerberos database
Jul 23 05:14:02 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.204.108: NEEDED_PREAUTH: host2@FQDN for krbtgt/FQDN@FQDN, Additional pre-authentication required
Jul 23 05:14:03 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.204.108: CHECK_PWS_ACCT: host2@FQDN for krbtgt/FQDN@FQDN, Cannot allocate memory
Jul 23 05:15:28 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.200: NEEDED_PREAUTH: host3@FQDN for krbtgt/FQDN@FQDN, Additional pre-authentication required
Jul 23 05:15:29 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.200: CHECK_PWS_ACCT: host3@FQDN for krbtgt/FQDN@FQDN, Cannot allocate memory
Jul 23 05:15:29 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.7: NEEDED_PREAUTH: admin@FQDN for krbtgt/FQDN@FQDN, Additional pre-authentication required
Jul 23 05:15:29 FQDN krb5kdc[231](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 23 05:15:30 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.7: PREAUTH_FAILED: admin@FQDN for krbtgt/FQDN@FQDN, Decrypt integrity check failed
Jul 23 05:15:30 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.7: NEEDED_PREAUTH: admin@FQDN for krbtgt/FQDN@FQDN, Additional pre-authentication required
Jul 23 05:15:30 FQDN krb5kdc[231](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 23 05:15:30 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.7: PREAUTH_FAILED: admin@FQDN for krbtgt/FQDN@FQDN, Decrypt integrity check failed
Jul 23 05:15:49 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.11: NEEDED_PREAUTH: host3@FQDN for krbtgt/FQDN@FQDN, Additional pre-authentication required
Jul 23 05:15:49 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.11: CHECK_PWS_ACCT: host3@FQDN for krbtgt/FQDN@FQDN, Cannot allocate memory


/Library/Logs/PasswordService/ApplePasswordServer.Replication.log

Jul 23 2008 05:15:42 Connecting to 192.168.240.7, synchronizing all records since 07/23/2008 05:15:36 AM
Jul 23 2008 05:15:42 The remote replica list has 1 parent and 1 replica.
Jul 23 2008 05:15:42 Updating the list of replicas. There is 1 parent and 1 replica in the list.
Jul 23 2008 05:15:42 syncfile: /var/db/authserver/apsSyncFi1216815342.627308
Jul 23 2008 05:15:42 sent 6 records, accepted 0, superceded 0
Jul 23 2008 05:15:42 No Kerberos records to update
Jul 23 2008 05:15:42 DoSync: the next replication will occur on 07/23/2008 at 05:20:00 AM
Jul 23 2008 05:15:48 No Kerberos records to update
Jul 23 2008 05:15:48 Updated 0 records, rejected 6 from Replica1



I have tried Google (going on 8 hrs now). Specifically these threads...

http://discussions.apple.com/thread.jspa?messageID=1817763

http://www.afp548.com/forum/viewtopic.php?forum=18&showtopic=16012

http://www.afp548.com/forum/viewtopic.php?forum=39&showtopic=11116

http://www.afp548.com/forum/viewtopic.php?forum=39&showtopic=11693

And I think I have read 3/4 of the Open_Directory_v10.4 PDF.

If anyone has any suggestions, I would love to hear them.

thanks
shawn
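As an added triage aid (not part of the post or of Apple's tooling), the script below parses AS_REQ lines in the `/var/log/krb5kdc/kdc.log` format quoted above and groups outcomes per client principal, flagging the pattern the post shows for host2 and host3: a NEEDED_PREAUTH answered not by a preauth verdict but by CHECK_PWS_ACCT / "Cannot allocate memory", which points at the KDC's Password Server account lookup rather than at a wrong password. The sample lines are copied from the excerpt above with the FQDN placeholder kept; the regex and the `BACKEND_STATUSES` grouping are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the AS_REQ lines as they appear in the post's kdc.log excerpt
# (no year in the timestamp; the etypes list sits inside the parentheses).
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \((?P<etypes>[^)]*)\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?P<client>\S+) for (?P<server>\S+), (?P<msg>.*)$"
)

# Assumption: these statuses come from the directory / Password Server side,
# not from the client supplying a bad password.
BACKEND_STATUSES = {"CHECK_PWS_ACCT", "CLIENT_NOT_FOUND"}

def parse_as_req(line):
    """Return the fields of an AS_REQ line, or None for any other KDC line."""
    m = AS_REQ_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Count AS_REQ outcomes per principal and flag backend failures that
    arrive as the retry after NEEDED_PREAUTH from the same client IP."""
    by_client = defaultdict(Counter)
    backend = defaultdict(list)   # principal -> [(ts, ip, status, msg)]
    followups = []                # (principal, ip) whose preauth retry hit the backend
    last_needed = {}              # (principal, ip) -> ts of last NEEDED_PREAUTH
    for line in lines:
        rec = parse_as_req(line)
        if rec is None:
            continue
        key = (rec["client"], rec["ip"])
        by_client[rec["client"]][rec["status"]] += 1
        if rec["status"] == "NEEDED_PREAUTH":
            last_needed[key] = rec["ts"]
        elif rec["status"] in BACKEND_STATUSES:
            backend[rec["client"]].append((rec["ts"], rec["ip"], rec["status"], rec["msg"]))
            if key in last_needed:
                followups.append(key)
    return {"by_client": {k: dict(v) for k, v in by_client.items()},
            "backend": dict(backend), "followups": followups}

# Sample input: lines from the post's kdc.log excerpt, FQDN placeholder kept.
SAMPLE_LOG = """Jul 23 05:13:19 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.11: NEEDED_PREAUTH: host3@FQDN for krbtgt/FQDN@FQDN, Additional pre-authentication required
Jul 23 05:13:20 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.11: CHECK_PWS_ACCT: host3@FQDN for krbtgt/FQDN@FQDN, Cannot allocate memory
Jul 23 05:13:47 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.204.111: CLIENT_NOT_FOUND: host1@FQDN for krbtgt/FQDN@FQDN, Client not found in Kerberos database
Jul 23 05:15:29 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.7: NEEDED_PREAUTH: admin@FQDN for krbtgt/FQDN@FQDN, Additional pre-authentication required
Jul 23 05:15:29 FQDN krb5kdc[231](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 23 05:15:30 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.7: PREAUTH_FAILED: admin@FQDN for krbtgt/FQDN@FQDN, Decrypt integrity check failed
"""
```

Principals listed under `followups` failed in the Password Server check after the KDC asked for preauth, while `admin` shows a plain PREAUTH_FAILED, i.e. a credential mismatch, so the two can be separated before touching either server.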
_______________________________________________
Macos-x-server mailing list      (email@hidden)