Anonymous: Commander Keen
Thursday, December 15 2005 @ 08:40 am MST (Read 3586 times)

Hello,
I'm currently running into some LDAP-related troubles; I was hoping maybe you could help me out...
I'm getting this strange error while trying to create a replica for my LDAP server. When looking in the slapconfig log on the "wannabe" replica, it seems like there's an error occurring while trying to replicate the OD Password Server (in advance: starting up the replica itself, and Kerberos, seems to go fine).
Full log:

nothing found to load
2005-12-14 10:40:47 +0100 - slapconfig -setstandalone
2005-12-14 10:40:48 +0100 - slapconfig -setmacosxodpolicy
2005-12-14 10:41:22 +0100 - slapconfig -createreplica
2005-12-14 10:41:22 +0100 - command: ssh root@ldap.idewe.be /usr/sbin/slapconfig -checkmaster diradmin 0 3 3
2005-12-14 10:41:22 +0100 - slapconfig -setmacosxodpolicy
2005-12-14 10:41:41 +0100 - command: /usr/sbin/sso_util remove -k -d -s -c -n -v 1
2005-12-14 10:41:51 +0100 - sso_util command output: shutting down kadmind kadmind shut down shutting down kdc No such process No such process kdc shut down removing kdc database files
2005-12-14 10:41:51 +0100 - Stopping LDAP server (slapd)
2005-12-14 10:41:51 +0100 - Stopping LDAP replicator (slurpd)
2005-12-14 10:41:51 +0100 - Removed file at path /etc/openldap/slapd.conf.
2005-12-14 10:41:51 +0100 - Copied file from /etc/openldap/slapd.conf.default to /etc/openldap/slapd.conf.
2005-12-14 10:41:51 +0100 - command: /usr/sbin/NeST -pwsstandalone
2005-12-14 10:41:56 +0100 - NeST command output: No such process nothing found to load
nothing found to load
2005-12-14 10:41:56 +0100 - 2 Stopping master LDAP server
2005-12-14 10:41:56 +0100 - command: ssh root@ldap.idewe.be /usr/sbin/slapconfig -stopldapserver
2005-12-14 10:41:59 +0100 - 3 Updating master configuration
2005-12-14 10:41:59 +0100 - command: ssh root@ldap.idewe.be /usr/sbin/slapconfig -addreplica 10.0.0.229
2005-12-14 10:42:01 +0100 - command: ssh root@ldap.idewe.be /usr/bin/db_recover -h /var/db/openldap/openldap-data
2005-12-14 10:42:03 +0100 - command: ssh root@ldap.idewe.be /usr/sbin/slapcat -l /var/db/openldap/openldap-data/backup.ldif
2005-12-14 10:42:06 +0100 - 4 Restarting master LDAP server
2005-12-14 10:42:06 +0100 - command: ssh root@ldap.idewe.be /usr/sbin/slapconfig -startldapserver
2005-12-14 10:42:09 +0100 - 5 Updating local replica configuration
2005-12-14 10:42:09 +0100 - Copied file from /etc/openldap/slapd.conf to /etc/openldap/slapd.conf.backup.
2005-12-14 10:42:09 +0100 - 6 Copying master database to new replica
2005-12-14 10:42:09 +0100 - Removed directory at path /var/db/openldap/openldap-data.
2005-12-14 10:42:09 +0100 - command: scp root@ldap.idewe.be:/var/db/openldap/openldap-data/backup.ldif /var/db/openldap/openldap-data/
2005-12-14 10:42:41 +0100 - command: scp root@ldap.idewe.be:/etc/openldap/schema /etc/openldap/
2005-12-14 10:42:49 +0100 - command: /usr/sbin/slapadd -c -l /var/db/openldap/openldap-data/backup.ldif
2005-12-14 10:42:51 +0100 - 7 Starting new replica
2005-12-14 10:42:52 +0100 - Starting LDAP server (slapd)
2005-12-14 10:42:53 +0100 - 8 Starting replicator on master server
2005-12-14 10:42:53 +0100 - command: ssh root@ldap.idewe.be /usr/sbin/slapconfig -startreplicator
2005-12-14 10:42:56 +0100 - Configuring Kerberos server, realm is LDAP.IDEWE.BE
2005-12-14 10:42:56 +0100 - command: scp root@ldap.idewe.be:/var/db/krb5kdc/.k5.LDAP.IDEWE.BE /var/db/krb5kdc/
2005-12-14 10:42:58 +0100 - command: scp root@ldap.idewe.be:/var/db/krb5kdc/kadm5.acl /var/db/krb5kdc/
2005-12-14 10:43:00 +0100 - command: scp root@ldap.idewe.be:/var/db/krb5kdc/kadm5.keytab /var/db/krb5kdc/
2005-12-14 10:43:02 +0100 - command: scp root@ldap.idewe.be:/var/db/krb5kdc/kdc.conf /var/db/krb5kdc/
2005-12-14 10:43:04 +0100 - command: ssh root@ldap.idewe.be /usr/sbin/kdb5_util dump - K/M@LDAP.IDEWE.BE
2005-12-14 10:43:06 +0100 - command: /usr/sbin/kdb5_util load /var/db/krb5kdc/initial.dump
2005-12-14 10:43:06 +0100 - Removed file at path /var/db/krb5kdc/initial.dump.
2005-12-14 10:43:06 +0100 - 9 Enabling password server replication
2005-12-14 10:43:06 +0100 - command: /usr/sbin/NeST -setupreplica ldap.idewe.be diradmin ****
2005-12-14 10:43:07 +0100 - NeST command output: GetReplicaSetup = -14103
2005-12-14 10:43:07 +0100 - NeST command failed with status 255
2005-12-14 10:43:07 +0100 - Removing replica due to an error adding a Password Server replica.
2005-12-14 10:43:07 +0100 - command: ssh root@ldap.idewe.be /usr/sbin/slapconfig -removereplica 10.0.0.229
2005-12-14 10:43:09 +0100 - command: /usr/sbin/sso_util remove -k -d -s -c -n -v 1
2005-12-14 10:43:19 +0100 - sso_util command output: shutting down kadmind kadmind shut down shutting down kdc No such process No such process kdc shut down removing kdc database files
2005-12-14 10:43:20 +0100 - Stopping LDAP server (slapd)
2005-12-14 10:43:21 +0100 - Stopping LDAP replicator (slurpd)
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/__db.001.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/__db.002.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/__db.003.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/__db.004.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/__db.005.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2005-12-14 10:43:21 +0100 - Removed file at path /etc/openldap/slapd_macosxserver.conf.
2005-12-14 10:43:21 +0100 - Removed file at path /etc/openldap/slapd.conf.
2005-12-14 10:43:21 +0100 - Copied file from /etc/openldap/slapd.conf.default to /etc/openldap/slapd.conf.
2005-12-14 10:43:21 +0100 - command: /usr/sbin/NeST -pwsstandalone
2005-12-14 10:43:24 +0100 - NeST command output: No such process nothing found to load
nothing found to load
Looking at the master, I've found an ApplePasswordServer.Error.log file (in /Library/Logs/Passwordservice), only containing the following line: Date/time Listener exception error:-1.
That doesn't quite clear things up, does it :-) Can't figure out what exactly seems to be the problem.
Do you guys have any idea what might do the trick? It happens on several machines, clean install, DNS correctly working...all on 10.4.3
Thanks in advance
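The slapconfig log above is easier to read once its entries are split back into one line each and the step, command and failure lines are tied together. The following parser is an added example and not part of the original post or of Apple's tools; it assumes only the line shape visible in the log ("<date> <time> <tz> - <message>", with numbered steps, "command:" entries, "<tool> command output:" entries and "<tool> command failed with status N"). Run over the tail of the posted log, it reports which command failed, in which step, with what output, and whether slapconfig rolled the replica back afterwards.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# slapconfig logs one entry per line as "<date> <time> <tz> - <message>";
# anything that does not fit that shape is raw tool output spilled into the log.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) - (.*)$")
STEP_RE = re.compile(r"^\d+ \S.*$")                      # "9 Enabling password server replication"
COMMAND_RE = re.compile(r"^command: (.+)$")              # "command: /usr/sbin/NeST -setupreplica ..."
OUTPUT_RE = re.compile(r"^(\S+) command output: (.*)$")  # "NeST command output: GetReplicaSetup = -14103"
FAILED_RE = re.compile(r"^(\S+) command failed with status (\d+)$")


@dataclass
class Failure:
    step: Optional[str]        # numbered slapconfig step in progress when the failure occurred
    command: Optional[str]     # last "command:" entry before the failure
    tool: str                  # tool named in "<tool> command failed"
    status: int                # exit status slapconfig reported
    output: List[str]          # output that command produced before failing
    rolled_back: bool = False  # slapconfig tore the new replica down again afterwards


def parse_entries(text):
    """Yield (timestamp, message) pairs; raw output lines carry timestamp None."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        yield (m.group(1), m.group(2)) if m else (None, line)


def find_first_failure(text):
    """Return the first command failure in a slapconfig log, or None if every command succeeded."""
    step = last_command = None
    output = []
    failure = None
    for ts, msg in parse_entries(text):
        if failure is not None:
            # Past the failure: only watch for slapconfig's automatic rollback.
            if msg.startswith("Removing replica due to an error"):
                failure.rolled_back = True
            continue
        if ts is None:
            output.append(msg)
        elif STEP_RE.match(msg):
            step = msg
        elif COMMAND_RE.match(msg):
            last_command = COMMAND_RE.match(msg).group(1)
            output = []                      # output belongs to the newest command
        elif OUTPUT_RE.match(msg):
            output.append(OUTPUT_RE.match(msg).group(2))
        elif FAILED_RE.match(msg):
            m = FAILED_RE.match(msg)
            failure = Failure(step, last_command, m.group(1), int(m.group(2)), list(output))
    return failure


# Excerpt of the slapconfig log posted above: the password server step and the rollback.
SAMPLE_LOG = """\
2005-12-14 10:43:06 +0100 - command: /usr/sbin/kdb5_util load /var/db/krb5kdc/initial.dump
2005-12-14 10:43:06 +0100 - Removed file at path /var/db/krb5kdc/initial.dump.
2005-12-14 10:43:06 +0100 - 9 Enabling password server replication
2005-12-14 10:43:06 +0100 - command: /usr/sbin/NeST -setupreplica ldap.idewe.be diradmin ****
2005-12-14 10:43:07 +0100 - NeST command output: GetReplicaSetup = -14103
2005-12-14 10:43:07 +0100 - NeST command failed with status 255
2005-12-14 10:43:07 +0100 - Removing replica due to an error adding a Password Server replica.
2005-12-14 10:43:07 +0100 - command: ssh root@ldap.idewe.be /usr/sbin/slapconfig -removereplica 10.0.0.229
2005-12-14 10:43:24 +0100 - NeST command output: No such process nothing found to load
nothing found to load
"""

if __name__ == "__main__":
    f = find_first_failure(SAMPLE_LOG)
    if f is None:
        print("no command failure found")
    else:
        print("step    :", f.step)
        print("command :", f.command)
        print("status  :", f.tool, f.status)
        print("output  :", " | ".join(f.output))
        print("rollback:", f.rolled_back)
```

Reading a log this way separates the real failure (NeST -setupreplica exiting 255 with GetReplicaSetup = -14103 on the master) from the long tail of "Removed file" lines, which are just slapconfig cleaning up after itself and not further errors.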

Olivier DUCROT
Friday, December 16 2005 @ 11:35 am MST

We had the same issue a few days ago while trying to repair an odd Kerberos issue.
We noticed that the file /var/db/authserver/authserverreplicas had a size of 0 on the master.
--------------------------------------------------------------------------------
Assuming:
FQDN  : foo.bar.com
IP    : 192.168.1.250
REALM : FOO.BAR.COM
--------------------------------------------------------------------------------
The solution applied was to remove every kind of Kerberos information on the master with:

sudo rm -f /var/db/krb5kdc/*
sudo rm -f /var/db/krb5kdc/.k5.FOO.BAR.COM
sudo rm -f /Library/Preferences/edu.mit.Kerberos
sudo rm -f /etc/krb5.keytab
sudo scutil --set HostName foo.bar.com
dscl localhost
> cd /LDAPv3/127.0.0.1/Config/
/LDAPv3/127.0.0.1/Config > auth
Password:
/LDAPv3/127.0.0.1/Config> delete KerberosClient
/LDAPv3/127.0.0.1/Config> delete KerberosKDC
sudo reboot

Then, kerberize the server again with:

kerberosautoconfig -r FOO.BAR.COM -m foo.bar.com
kdcsetup -f /LDAPv3/127.0.0.1 -w -a admin -p ***** FOO.BAR.COM
sso_util configure -r FOO.BAR.COM -a admin -p ***** all
sso_util configure -r FOO.BAR.COM -a admin -p ***** ldap
mkpassdb -kerberize
--------------------------------------------------------------------------------
Verify your job:

cat /Library/Preferences/edu.mit.Kerberos
# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : Self Generated
# generation_id : 0
[libdefaults]
	default_realm = FOO.BAR.COM
[realms]
	FOO.BAR.COM = {
		kdc = foo.bar.com
		admin_server = foo.bar.com
	}
[domain_realm]
	.bar.com = FOO.BAR.COM
	bar.com = FOO.BAR.COM

ktutil
ktutil: rkt /var/db/krb5kdc/kadm5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 kadmin/admin@FOO.BAR.COM
   2    3 kadmin/admin@FOO.BAR.COM
   3    3 kadmin/admin@FOO.BAR.COM
   4    3 kadmin/changepw@FOO.BAR.COM
   5    3 kadmin/changepw@FOO.BAR.COM
   6    3 kadmin/changepw@FOO.BAR.COM

klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 xgrid/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 xgrid/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 xgrid/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 vpn/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 vpn/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 vpn/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 ipp/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 ipp/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 ipp/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 XMPP/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 XMPP/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 XMPP/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 host/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 host/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 smtp/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 smtp/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 smtp/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 http/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 http/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 http/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 HTTP/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 HTTP/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 HTTP/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 pop/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 pop/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 pop/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 imap/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 imap/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 imap/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 ftp/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 ftp/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 ftp/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 afpserver/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 afpserver/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 afpserver/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)

kinit admin
Please enter the password for admin@FOO.BAR.COM:
klist -5
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: admin@FOO.BAR.COM

Valid Starting     Expires            Service Principal
11/21/05 21:29:28  11/22/05 07:29:28  krbtgt/FOO.BAR.COM@FOO.BAR.COM
	renew until 11/28/05 21:29:28
--------------------------------------------------------------------------------
Verify your job:
Make a new replica with SA; it should work.
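The "verify your job" step in the post above is done by eye over the klist -ke listing. As an added example (my code, not Olivier's and not part of Mac OS X Server), this script parses that listing and checks the things a re-kerberization should leave consistent: every principal in the expected realm and for the expected FQDN, a single KVNO across the keytab (a mix means keys from an earlier kerberization survived the cleanup), the required service principals present, and, as a caveat the posted output makes visible, single-DES and ArcFour/RC4 keys flagged because those enctypes are deprecated (RFC 6649 and RFC 8429). It assumes only the "<kvno> <principal>@<REALM> (<enctype>)" line shape shown in the post; the sample is a short excerpt of the posted output.

```python
import re
from collections import defaultdict

# One keytab entry per line in "klist -ke" output: "<kvno> <service>/<host>@<REALM> (<enctype>)".
KLIST_LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((.+)\)\s*$")


def parse_klist_ke(text):
    """Return [(kvno, principal, realm, enctype)] from klist -ke output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def is_deprecated_enctype(enctype):
    # Single DES (RFC 6649) and ArcFour/RC4 (RFC 8429) are deprecated. Triple DES
    # lines start with "Triple DES", so the "DES " prefix test does not catch them.
    return enctype.startswith("DES ") or enctype.startswith("ArcFour")


def check_keytab(entries, realm, fqdn, required=("host",)):
    """Return a list of findings; an empty list means the keytab looks consistent."""
    if not entries:
        return ["no keytab entries parsed"]
    findings = []
    kvnos = sorted({e[0] for e in entries})
    if len(kvnos) > 1:
        findings.append("mixed KVNOs %s: keys from more than one kerberization" % kvnos)
    seen = defaultdict(set)            # service -> enctypes present for it
    for kvno, principal, prealm, enctype in entries:
        service, _, host = principal.partition("/")
        if prealm != realm:
            findings.append("%s@%s: expected realm %s" % (principal, prealm, realm))
        if host != fqdn:
            findings.append("%s: host part is not %s" % (principal, fqdn))
        if is_deprecated_enctype(enctype):
            findings.append("%s: deprecated enctype %s" % (principal, enctype))
        seen[service].add(enctype)
    for service in required:
        if service not in seen:
            findings.append("missing %s/%s@%s principal" % (service, fqdn, realm))
    return findings


# Excerpt of the klist -ke output posted above (two of the twelve services).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 host/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
   3 afpserver/foo.bar.com@FOO.BAR.COM (Triple DES cbc mode with HMAC/sha1)
   3 afpserver/foo.bar.com@FOO.BAR.COM (ArcFour with HMAC/md5)
   3 afpserver/foo.bar.com@FOO.BAR.COM (DES cbc mode with CRC-32)
"""

if __name__ == "__main__":
    entries = parse_klist_ke(SAMPLE_KLIST)
    print("%d keytab entries" % len(entries))
    for finding in check_keytab(entries, "FOO.BAR.COM", "foo.bar.com"):
        print("-", finding)
```

On the posted output the only findings are the deprecated enctypes; realm, host and KVNO all agree, which is what a successful run of the kerberization commands should produce. To check a live server, feed it the real output with `klist -ke` piped into the script instead of SAMPLE_KLIST.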

nigelkersten
Monday, December 19 2005 @ 12:38 pm MST

I'm running into this same problem at the moment, and the fix above doesn't work.
I'm not sure why it would anyway, destroying and creating the Kerb config won't touch the authserver config.
I don't have authserverreplicas at all as a file, and I can't seem to construct it by hand either...

nigelkersten
Monday, December 19 2005 @ 01:09 pm MST

OK, after chatting to mactroll, he's given me a solution.
If you don't have any existing replicas, this will work fine. I imagine that if you do have existing replicas, you'd probably want to tear them down first.
trash the authserverreplica* files in /var/db/authserver (well really, you should probably back them up first)
kill -9 the PasswordService process.
It will start up again, and create the authserverreplica file, just listing the primary PWS itself as a replica.
Then I was able to create replicas happily enough.

Anonymous: psantiago
Wednesday, December 21 2005 @ 03:18 pm MST

During the summer our school district installed 4 10.4 servers, one as an OD master and 3 as replicas; the servers were divided between two schools. The school where the replicas resided started having issues with user logons and computers freezing. This past week the school got so bad in WGM that we had to reinstall 10.4.3 on 2 servers. We divided up the schools so that each has its own OD master; it is a hassle to manage 2 databases. Then we upgraded one server to a master, but the other server will not become a replica. The replication process seems to go through, then the server reverts back to a standalone; the logs state the replica is denied and there is a password service error. This is on new clean installs. We tried the fix of killing the password service and deleting the authreplicas file, but that did not work. We are still working on fixing this mess.
If anyone has any other suggestions it would be appreciated. It would be nice if the OS worked like it should.

psantiago610
Wednesday, December 21 2005 @ 03:23 pm MST

If anyone has a reply for psantiago email me to psantiago@rih.org. Thanks

Anonymous: Robert Frank
Thursday, December 29 2005 @ 04:26 am MST

Running into the same problem ...
I've deleted the replicas (I have only one replication server) and tried again. Now I'm getting a different error number (78) for the NeST command. The password server error log claims not to be able to reach the client. This is surprising, as I can ping, ssh, scp, run Server Admin, etc., and netstat on the server shows that the route is properly set up. Can it be that the replicator software has problems when both NICs are in use?
I have one (the built in one) set up as connected to the internet (the default gateway is there), the other connected to an intranet, which is served by the server via NAT. The client also has two connections, one to the internet, the other to the same intranet. Hmm, maybe I have to use the internet connections?
Robert (robert.frank@unibas.ch)

macshome
Thursday, December 29 2005 @ 07:20 am MST

Quote by Robert Frank: I have one (the built in one) set up as connected to the internet (the default gateway is there), the other connected to an intranet, which is served by the server via NAT. The client also has two connections, one to the internet, the other to the same intranet. Hmm, maybe I have to use the internet connections?

Which is the default interface? That's the one that OD will assume you want to use.
Breaking my server to save yours.
Josh Wisenbaker
www.afp548.com