Hi, I am fairly new to Open Directory, though I am somewhat familiar
with OpenLDAP and quite familiar with *nix.
Tonight (or more accurately, last night) I tried doing something I
thought was simple, and ended up taking down our entire network.
I promoted an existing OS X Server (10.4.11 G5 xserve) machine to be
an LDAP replica. Doing this caused the Master (10.4.10 intel xserve)
to cease authenticating users (as well as the replica).
Both forward and reverse DNS are set up correctly (I get the FQDN).
On the replica under Open Directory, everything appears fine
(lookupd, netinfod (local only), slapd, Passwd Server and Kerberos
are all running). Same on the master.
I have tried demoting the replica to stand alone (and back), and
have rebooted both machines multiple times (you never know).
In the logs I see various things...
/var/log/slapd.log:
<datestamp, hostname> slapd[pid]: SASL [conn=XXXX] Failure: no user
in database\n
This is repeated many times.
/Library/Logs/PasswordService/ApplePasswordServer.Server.log
Jul 23 2008 05:13:00 QUIT: {0x47e674c46fbb3a88000001bd0000020d,
admin} disconnected.
Jul 23 2008 05:13:19 AUTH2: {0x47e6ef413f43d7cf000001be000001b9,
user2} password change required.
Jul 23 2008 05:13:19 KERBEROS-LOGIN-CHECK: policy violation (-7) for
user {0x47e6ef413f43d7cf000001be000001b9, user2}
Jul 23 2008 05:13:19 QUIT: {no user} disconnected.
Jul 23 2008 05:13:20 KERBEROS-LOGIN-CHECK: user
{0x47e6ef413f43d7cf000001be000001b9, user2} authentication failed.
Jul 23 2008 05:13:20 QUIT: {no user} disconnected.
Jul 23 2008 05:13:20 RSAVALIDATE: success.
Jul 23 2008 05:13:20 USER: {0x47e6ef413f43d7cf000001be000001b9,
user2} is the current user.
Jul 23 2008 05:13:20 AUTH2: {0x47e6ef413f43d7cf000001be000001b9,
user2} password change required.
Jul 23 2008 05:13:20 QUIT: {0x47e6ef413f43d7cf000001be000001b9,
user2} disconnected.
Jul 23 2008 05:13:32 RSAVALIDATE: success.
Jul 23 2008 05:13:32 USER: {0x45dbc06315f4d71c0000009a0000009a,
user1} is the current user.
Jul 23 2008 05:13:32 AUTH2: {0x45dbc06315f4d71c0000009a0000009a,
user1} CRAM-MD5 authentication succeeded.
Jul 23 2008 05:13:32 QUIT: {0x45dbc06315f4d71c0000009a0000009a,
user1} disconnected.
Jul 23 2008 05:13:47 KERBEROS-LOGIN-CHECK: no principal (host1@FQDN)
Jul 23 2008 05:13:47 QUIT: {no user} disconnected.
Jul 23 2008 05:14:02 AUTH2: {0x46cb3be4038c62130000015500000155,
host2} password change required.
Jul 23 2008 05:14:02 KERBEROS-LOGIN-CHECK: policy violation (-7) for
user {0x46cb3be4038c62130000015500000155, host2}
Jul 23 2008 05:14:02 QUIT: {no user} disconnected.
Jul 23 2008 05:14:03 KERBEROS-LOGIN-CHECK: user
{0x46cb3be4038c62130000015500000155, host2} authentication failed.
Jul 23 2008 05:14:03 QUIT: {no user} disconnected.
Jul 23 2008 05:14:03 RSAVALIDATE: success.
Jul 23 2008 05:14:03 USER: {0x46cb3be4038c62130000015500000155,
host2} is the current user.
Jul 23 2008 05:14:03 AUTH2: {0x46cb3be4038c62130000015500000155,
host2} password change required.
Jul 23 2008 05:14:03 QUIT: {0x46cb3be4038c62130000015500000155,
host2} disconnected.
/var/log/krb5kdc/kadmin.log
Jul 23 01:55:34 FQDN kadmin.local[4060](info): No dictionary file
specified, continuing without one.
Jul 23 01:55:40 FQDN kadmin.local[4068](info): No dictionary file
specified, continuing without one.
Jul 23 01:55:53 FQDN kadmin.local[4081](info): No dictionary file
specified, continuing without one.
Jul 23 01:55:59 FQDN kadmin.local[4088](info): No dictionary file
specified, continuing without one.
Jul 23 03:13:40 FQDN kadmin.local[6054](info): No dictionary file
specified, continuing without one.
Jul 23 03:48:48 FQDN kadmin.local[8694](info): No dictionary file
specified, continuing without one.
/var/log/krb5kdc/kdc.log
Jul 23 05:13:19 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.240.11: NEEDED_PREAUTH: host3@FQDN for krbtgt/
FQDN@FQDN, Additional pre-authentication required
Jul 23 05:13:20 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.240.11: CHECK_PWS_ACCT: host3@FQDN for krbtgt/
FQDN@FQDN, Cannot allocate memory
Jul 23 05:13:47 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.204.111: CLIENT_NOT_FOUND: host1@FQDN for krbtgt/
FQDN@FQDN, Client not found in Kerberos database
Jul 23 05:14:02 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.204.108: NEEDED_PREAUTH: host2@FQDN for krbtgt/
FQDN@FQDN, Additional pre-authentication required
Jul 23 05:14:03 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.204.108: CHECK_PWS_ACCT: host2@FQDN for krbtgt/
FQDN@FQDN, Cannot allocate memory
Jul 23 05:15:28 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.240.200: NEEDED_PREAUTH: host3@FQDN for krbtgt/
FQDN@FQDN, Additional pre-authentication required
Jul 23 05:15:29 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.240.200: CHECK_PWS_ACCT: host3@FQDN for krbtgt/
FQDN@FQDN, Cannot allocate memory
Jul 23 05:15:29 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.240.7: NEEDED_PREAUTH: admin@FQDN for krbtgt/
FQDN@FQDN, Additional pre-authentication required
Jul 23 05:15:29 FQDN krb5kdc[231](info): preauth (timestamp) verify
failure: Decrypt integrity check failed
Jul 23 05:15:30 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.240.7: PREAUTH_FAILED: admin@FQDN for krbtgt/
FQDN@FQDN, Decrypt integrity check failed
Jul 23 05:15:30 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.240.7: NEEDED_PREAUTH: admin@FQDN for krbtgt/
FQDN@FQDN, Additional pre-authentication required
Jul 23 05:15:30 FQDN krb5kdc[231](info): preauth (timestamp) verify
failure: Decrypt integrity check failed
Jul 23 05:15:30 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.240.7: PREAUTH_FAILED: admin@FQDN for krbtgt/
FQDN@FQDN, Decrypt integrity check failed
Jul 23 05:15:49 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.240.11: NEEDED_PREAUTH: host3@FQDN for krbtgt/
FQDN@FQDN, Additional pre-authentication required
Jul 23 05:15:49 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 192.168.240.11: CHECK_PWS_ACCT: host3@FQDN for krbtgt/
FQDN@FQDN, Cannot allocate memory
/Library/Logs/PasswordService/ApplePasswordServer.Replication.log
Jul 23 2008 05:15:42 Connecting to 192.168.240.7, synchronizing all
records since 07/23/2008 05:15:36 AM
Jul 23 2008 05:15:42 The remote replica list has 1 parent and 1
replica.
Jul 23 2008 05:15:42 Updating the list of replicas. There is 1
parent and 1 replica in the list.
Jul 23 2008 05:15:42 syncfile: /var/db/authserver/
apsSyncFi1216815342.627308
Jul 23 2008 05:15:42 sent 6 records, accepted 0, superceded 0
Jul 23 2008 05:15:42 No Kerberos records to update
Jul 23 2008 05:15:42 DoSync: the next replication will occur on
07/23/2008 at 05:20:00 AM
Jul 23 2008 05:15:48 No Kerberos records to update
Jul 23 2008 05:15:48 Updated 0 records, rejected 6 from Replica1
I have tried Google (going on 8 hrs now). Specifically these
threads...
http://discussions.apple.com/thread.jspa?messageID=1817763
http://www.afp548.com/forum/viewtopic.php?forum=18&showtopic=16012
http://www.afp548.com/forum/viewtopic.php?forum=39&showtopic=11116
http://www.afp548.com/forum/viewtopic.php?forum=39&showtopic=11693
And I think I have read 3/4 of the Open_Directory_v10.4 PDF.
If anyone has any suggestions, I would love to hear them.
thanks
shawn
Macos-x-server mailing list (email@hidden)
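A small triage script for the two log formats quoted in the post above, added here as an example; it is not code from the original message or from Apple's Open Directory tools. The sample records are constructed from the post's own kdc.log and ApplePasswordServer.Server.log entries with the mail wrapping undone (one record per line) and the post's placeholders (FQDN, host1..host3, user1/user2, admin) kept as-is. It groups the KDC's AS_REQ outcomes per client principal and labels the three patterns the post shows (CLIENT_NOT_FOUND, NEEDED_PREAUTH followed by CHECK_PWS_ACCT with "Cannot allocate memory", and PREAUTH_FAILED with "Decrypt integrity check failed"), and separately lists Password Server users who were both told "password change required" and then rejected with a policy violation. The labels ("pws-check-failed" and so on) are this script's own names for those patterns, not KDC terminology.

```python
import re
from collections import defaultdict

# Constructed samples mirroring the formats quoted in the post, with each
# wrapped record put back on a single line. FQDN, host1..host3, user1/user2
# and the 192.168.x.x addresses are the post's placeholders, not real systems.
KDC_LOG = """\
Jul 23 05:13:19 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.11: NEEDED_PREAUTH: host3@FQDN for krbtgt/FQDN@FQDN, Additional pre-authentication required
Jul 23 05:13:20 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.11: CHECK_PWS_ACCT: host3@FQDN for krbtgt/FQDN@FQDN, Cannot allocate memory
Jul 23 05:13:47 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.204.111: CLIENT_NOT_FOUND: host1@FQDN for krbtgt/FQDN@FQDN, Client not found in Kerberos database
Jul 23 05:15:29 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.7: NEEDED_PREAUTH: admin@FQDN for krbtgt/FQDN@FQDN, Additional pre-authentication required
Jul 23 05:15:29 FQDN krb5kdc[231](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 23 05:15:30 FQDN krb5kdc[231](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.240.7: PREAUTH_FAILED: admin@FQDN for krbtgt/FQDN@FQDN, Decrypt integrity check failed
"""

PWS_LOG = """\
Jul 23 2008 05:13:19 AUTH2: {0x47e6ef413f43d7cf000001be000001b9, user2} password change required.
Jul 23 2008 05:13:19 KERBEROS-LOGIN-CHECK: policy violation (-7) for user {0x47e6ef413f43d7cf000001be000001b9, user2}
Jul 23 2008 05:13:19 QUIT: {no user} disconnected.
Jul 23 2008 05:13:20 KERBEROS-LOGIN-CHECK: user {0x47e6ef413f43d7cf000001be000001b9, user2} authentication failed.
Jul 23 2008 05:13:32 AUTH2: {0x45dbc06315f4d71c0000009a0000009a, user1} CRAM-MD5 authentication succeeded.
Jul 23 2008 05:13:47 KERBEROS-LOGIN-CHECK: no principal (host1@FQDN)
"""

# One AS_REQ record: timestamp, logging host, client IP, status code,
# client principal, service principal, free-text reason.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \([^)]*\) (?P<ip>\d+\.\d+\.\d+\.\d+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>\S+), (?P<msg>.*)$"
)
# One Password Server record: timestamp, event tag, remainder.
PWS_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z0-9-]+): (?P<rest>.*)$"
)
# "{0x<slot id>, <shortname>}" as Password Server prints users; "{no user}" has no id.
PWS_USER_RE = re.compile(r"\{0x[0-9a-fA-F]+, (?P<user>[^}]+)\}")


def parse_kdc(text):
    """Return one dict per AS_REQ line. Lines that are not AS_REQ records
    (e.g. the bare 'preauth (timestamp) verify failure') are skipped."""
    return [m.groupdict() for m in map(AS_REQ_RE.match, text.splitlines()) if m]


def triage_kdc(records):
    """Label each client principal from the sequence of AS_REQ outcomes."""
    seq = defaultdict(list)
    for r in records:
        seq[r["client"]].append((r["status"], r["msg"]))
    findings = {}
    for client, outcomes in seq.items():
        statuses = [s for s, _ in outcomes]
        msgs = [m for _, m in outcomes]
        if "CLIENT_NOT_FOUND" in statuses:
            findings[client] = "principal-missing"      # not in the KDC database
        elif "CHECK_PWS_ACCT" in statuses and any("Cannot allocate memory" in m for m in msgs):
            # Preauth was requested, then the KDC's Password Server account
            # check failed instead of a ticket being issued.
            findings[client] = "pws-check-failed"
        elif "PREAUTH_FAILED" in statuses:
            findings[client] = "preauth-key-mismatch"   # Decrypt integrity check failed
        else:
            findings[client] = "ok-or-pending"
    return findings


def parse_pws(text):
    """Return one dict per Password Server line; 'user' is None when the
    record carries no '{0x..., name}' token."""
    recs = []
    for m in map(PWS_RE.match, text.splitlines()):
        if not m:
            continue
        u = PWS_USER_RE.search(m["rest"])
        recs.append({"ts": m["ts"], "event": m["event"],
                     "user": u["user"] if u else None, "rest": m["rest"]})
    return recs


def users_blocked_by_policy(records):
    """Users who were told 'password change required' and then had the
    Kerberos login rejected as a policy violation, in sorted order."""
    flags = defaultdict(set)
    for r in records:
        if r["user"] is None:
            continue
        if "password change required" in r["rest"]:
            flags[r["user"]].add("change-required")
        if "policy violation" in r["rest"]:
            flags[r["user"]].add("policy-violation")
    return sorted(u for u, f in flags.items() if f == {"change-required", "policy-violation"})


if __name__ == "__main__":
    for client, finding in sorted(triage_kdc(parse_kdc(KDC_LOG)).items()):
        print(f"{client:<14} {finding}")
    print("blocked by password policy:", users_blocked_by_policy(parse_pws(PWS_LOG)))
```

Run against the real files on the master and on the replica, the per-principal labels make it quick to see whether the same principals fail the same way on both servers (pointing at the shared Password Server/KDC data) or only on one of them; the script only summarizes what the logs already say and does not diagnose the cause.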