This topic has 5 replies, 4 voices, and was last updated 14 years ago by popak.
April 19, 2010 at 1:58 am #378406
sunnyape (Participant)

We have a 10.6 OD master that is not replicating to another 10.6 Server. Master OD Server was built as a self-contained Kerberos realm. Only other ‘gotcha’ is that Master is also using AD plug-in to get user info from AD Domain.
Whole process seemed to go OK, and all replication logs look normal, but changes to the master’s LDAP database are not being passed down to the replica. Another person on this list had a similar issue [url]https://www.afp548.com/forum/viewtopic.php?forum=39&showtopic=25286&highlight=kerberos[/url].
When I look at the LDAP logs of the Replica, I see:
[code]Apr 19 11:24:00 zubat slapd[4627]: SASL [conn=64] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information
(Wrong principal in request (found ldap/[email protected], wanted ldap/[email protected]))
Apr 19 11:24:05 replica slapd[4627]: <= bdb_substring_candidates: (apple-mcxflags) not indexed
Apr 19 11:24:16 replica slapd[4627]: slap_client_connect: URI=ldap://master.domain:389 ldap_sasl_interactive_bind_s failed (80)
Apr 19 11:24:16 replica slapd[4627]: do_syncrepl: rid=580 retrying[/code]
I dumped the Kerberos database, recreated and re-kerberized [url]http://www.makemacwork.com/manually-restart-kerberos.htm[/url] but after demoting replica and re-instating, still persists. On both Master, Password Service Error logs show lots of:
[code]Apr 19 2010 11:46:14 ValidateReplicaIDRanges: cannot retrieve database header.
Apr 19 2010 11:47:13 Registration is finished error: (10, -72000).
Apr 19 2010 11:52:11 incorrect digest response[/code]
Process of turning second OS X server from standalone to replica goes without any error messages and local KDC server starts with same realm as master. Both Replica and Master have correct DNS and all else seems to be OK. Clients can get LDAP data from either server without issue. Any advice on Kerberos / OD Replication issues with 10.6 server?

August 23, 2010 at 2:48 pm #379308
sramdeen (Participant)

Just come across a similar problem. Think I’ve fixed it.
Could you check your opendirectory master and check to see if you have an _ldap_replicator user? You may have to enable the ‘show system users and groups’ in WGM.
Check their record using the inspector. What’s the contents of their ‘AuthenticationAuthority’?
Stu
August 24, 2010 at 5:49 am #379313
aread (Participant)

I’m having the same problem, and it seems related to sramdeen’s solution. Our replica works fine when it’s created and then never updates. Our directory server logs contain the following message, repeated every minute or so:
[code]Aug 24 11:44:01 directoryserver slapd[2800]: SASL [conn=1371] Failure: no user in database _ldap_replicator[/code]
On the replica, we get the following logged every minute:
[code]Aug 24 11:46:01 replica slapd[43394]: slap_client_connect: URI=ldap://directoryserver:389 ldap_sasl_interactive_bind_s failed (49)
Aug 24 11:46:01 replica slapd[43394]: do_syncrepl: rid=119 retrying[/code]
It looks like we need a _ldap_replicator user, and I have no idea where to create it or what privileges it would need.
Anyone with a working replication care to post the _ldap_replicator user’s details?
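The slapd and Password Service lines quoted by sunnyape at the top of the thread and by aread in this post (plus the "password change required" message that turns up later in the thread) each point at a different link in the replica's bind chain: the Kerberos principal, the existence of the replicator entry in the Password Server, and the credentials themselves. The script below is an added example, not code from any poster or from Apple. It runs over constructed sample lines modelled on those excerpts (host names, PIDs, principals and the slot ID are placeholders), classifies each line by symptom, and maps the symptom to the cause that the fixes in this thread point at. The result names for LDAP codes 49 and 80 are the standard LDAP ones.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample lines modelled on the excerpts quoted in this thread.
# Host names, PIDs, principals and the slot ID are placeholders, not real values.
SAMPLE_LOG = """\
Apr 19 11:24:00 replica slapd[4627]: SASL [conn=64] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request (found ldap/replica.example.com@EXAMPLE.COM, wanted ldap/master.example.com@EXAMPLE.COM))
Apr 19 11:24:05 replica slapd[4627]: <= bdb_substring_candidates: (apple-mcxflags) not indexed
Apr 19 11:24:16 replica slapd[4627]: slap_client_connect: URI=ldap://master.example.com:389 ldap_sasl_interactive_bind_s failed (80)
Apr 19 11:24:16 replica slapd[4627]: do_syncrepl: rid=580 retrying
Aug 24 11:44:01 master slapd[2800]: SASL [conn=1371] Failure: no user in database _ldap_replicator
Aug 24 11:46:01 replica slapd[43394]: slap_client_connect: URI=ldap://master.example.com:389 ldap_sasl_interactive_bind_s failed (49)
Aug 24 11:46:01 replica slapd[43394]: do_syncrepl: rid=119 retrying
Mar 28 2011 09:22:34 AUTH2: {0x0000000000000000000000000000000a, _ldap_replicator} password change required.
"""

# Patterns for the symptoms seen in the thread. Order matters below: the GSSAPI
# line also contains "Failure:", so the more specific patterns are tried first.
WRONG_PRINCIPAL = re.compile(r"Wrong principal in request \(found (\S+), wanted (\S+)\)")
NO_USER = re.compile(r"Failure: no user in database (\S+)")
PW_CHANGE = re.compile(r"\{0x[0-9a-f]+, (\S+)\} password change required")
BIND_FAIL = re.compile(r"ldap_sasl_interactive_bind_s failed \((\d+)\)")
RETRY = re.compile(r"do_syncrepl: rid=(\d+) retrying")

# Standard LDAP result codes that the syncrepl bind reports in this thread.
LDAP_RESULT_NAMES = {49: "invalidCredentials", 80: "other"}

# What each symptom usually means for OD replication, based on the fixes in this thread.
HINTS = {
    "kerberos_wrong_principal": "Kerberos: the LDAP service principal offered does not match the one expected; compare the host names in 'found' and 'wanted'.",
    "pws_user_missing": "The master's Password Server has no entry for the replicator user, so the replica's SASL bind can never succeed.",
    "pws_password_change_required": "The Password Server flags the replicator entry as needing a password change; the bind cannot complete until it is reset.",
    "bind_failed_49": "LDAP result 49 (invalidCredentials): the credentials= value in the replica's /etc/openldap/slapd_macosxserver.conf does not match the master's Password Server entry.",
    "bind_failed_80": "LDAP result 80 (other): the SASL exchange itself failed (GSSAPI or Password Server), so read the SASL Failure lines on both hosts rather than checking the password first.",
}


def classify(line: str) -> Optional[Tuple[str, Dict[str, object]]]:
    """Return (symptom, details) for a known replication symptom, else None."""
    m = WRONG_PRINCIPAL.search(line)
    if m:
        return "kerberos_wrong_principal", {"found": m.group(1), "wanted": m.group(2)}
    m = NO_USER.search(line)
    if m:
        return "pws_user_missing", {"user": m.group(1)}
    m = PW_CHANGE.search(line)
    if m:
        return "pws_password_change_required", {"user": m.group(1)}
    m = BIND_FAIL.search(line)
    if m:
        code = int(m.group(1))
        return "bind_failed_%d" % code, {"code": code, "result": LDAP_RESULT_NAMES.get(code, "unknown")}
    m = RETRY.search(line)
    if m:
        return "syncrepl_retrying", {"rid": int(m.group(1))}
    return None


def triage(lines):
    """Count each symptom, keep the first example of each, and collect the matching hints."""
    counts = Counter()
    first_seen = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        symptom, details = hit
        counts[symptom] += 1
        first_seen.setdefault(symptom, details)
    hints = [HINTS[s] for s in counts if s in HINTS]
    return {"counts": dict(counts), "first_seen": first_seen, "hints": hints}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for symptom, n in report["counts"].items():
        print("%-30s %d  %s" % (symptom, n, report["first_seen"][symptom]))
    for hint in report["hints"]:
        print("-", hint)
```

Run it against the real files (slapd.log on both hosts and the Password Service log on the master) by feeding the lines to `triage()`; the first symptom in the output is the one to chase, since a missing or mis-flagged Password Server entry explains the later bind failures on the replica.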
August 24, 2010 at 12:25 pm #379314
sramdeen (Participant)

I created an _ldap_replicator entry in the passwordserver using mkpassdb: (I already had an _ldap_replicator user in my directory, but no entry in the PWS. If you don’t have either it’ll probably be easier to simply create the user using WGM)
[code]mkpassdb -b -u _ldap_replicator -p[/code]
Set the password to the string after ‘credentials=’ in the syncrepl section of the file /etc/openldap/slapd_macosxserver.conf on the replica, e.g. credentials=[b]updater374325646[/b]
Find the slot ID of the new user:
[code]mkpassdb -dump[/code]
e.g. slot 0030: 0x4ac623546b8b4567000000230000001e _ldap_replicator 08/24/2010 01:17:09 PM
Take the slot ID and the public key of the PWS (obtained by mkpassdb -key) and create the authenticationauthority string:
[code];ApplePasswordServer;0x4ac623546b8b4567000000230000001e,1024 35 14245715240610150832540168980040182894339917265000192246154933708567030813276226897752766650691756598860902321907564695824527912007153587565048650628852265148944512550427329967391154478653613168995376976846848073369002239852084735401004839070884056381871429171016664293436816766198911725516858805538988640974 3 [email protected]:192.168.2.254[/code]
Pop that into the AuthenticationAuthority section using the inspector in WGM
[code]slapconfig -stopldapserver
slapconfig -startldapserver[/code]
on both the master and replica, and then monitor the slapd.log on both to see if the error persists. Check replication by creating a new user on the master, deleting a user on the master and editing a user on the master. All actions should immediately propagate to the replica(s)
Stu
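To turn the pieces Stu lists (the slot ID from mkpassdb -dump, the key from mkpassdb -key and the Password Server's address) into the AuthenticationAuthority value, and to check an existing value against the PWS before bouncing slapd, here is an added example; it is not code from the thread or from Apple. It assumes the dump-line and key-line formats shown in this post, namely "slot NNNN: 0x<32 hex digits> <user> <date>" and "<bits> <exponent> <modulus> root@<host>"; the slot IDs, modulus, host name and IP below are constructed placeholders, and the helper names (find_slot, build_authentication_authority, authority_matches) are mine.

```python
import re
from typing import Dict

# Constructed sample output modelled on the mkpassdb -dump and mkpassdb -key
# excerpts in this thread. Slot IDs, modulus, host and IP are placeholders.
SAMPLE_DUMP = """\
slot 0001: 0x00000000000000000000000000000001 diradmin 08/20/2010 10:00:00 AM
slot 0030: 0x0000000000000000000000000000001e _ldap_replicator 08/24/2010 01:17:09 PM
"""
SAMPLE_KEY = "1024 35 12345678901234567890123456789 root@master.example.com"
SAMPLE_PWS_IP = "192.0.2.10"

# Line shapes assumed from the thread: dump line, key line, and the final authority string.
SLOT_LINE = re.compile(r"^slot (\d+): (0x[0-9a-f]{32}) (\S+) (.*)$")
KEY_LINE = re.compile(r"^(\d+) (\d+) (\d+) (\S+@[^\s:]+)$")
AA_STRING = re.compile(
    r"^;ApplePasswordServer;(0x[0-9a-f]{32}),(\d+ \d+ \d+ \S+@[^\s:]+):(\d{1,3}(?:\.\d{1,3}){3})$"
)


def find_slot(dump_text: str, user: str) -> str:
    """Return the 32-hex-digit slot ID for `user` from mkpassdb -dump output."""
    for line in dump_text.splitlines():
        m = SLOT_LINE.match(line.strip())
        if m and m.group(3) == user:
            return m.group(2)
    raise LookupError("no Password Server slot for %s" % user)


def parse_pws_key(key_text: str) -> Dict[str, str]:
    """Split mkpassdb -key output into its 'bits exponent modulus root@host' fields."""
    m = KEY_LINE.match(key_text.strip())
    if not m:
        raise ValueError("unexpected key format: %r" % key_text)
    return {"bits": m.group(1), "exponent": m.group(2), "modulus": m.group(3), "owner": m.group(4)}


def build_authentication_authority(slot_id: str, key_text: str, pws_ip: str) -> str:
    """Assemble ';ApplePasswordServer;<slot>,<key>:<ip>' in the shape the thread shows."""
    if not re.fullmatch(r"0x[0-9a-f]{32}", slot_id):
        raise ValueError("slot ID must be 0x followed by 32 hex digits")
    parse_pws_key(key_text)  # validate the key line before splicing it in
    return ";ApplePasswordServer;%s,%s:%s" % (slot_id, key_text.strip(), pws_ip)


def parse_authentication_authority(aa: str) -> Dict[str, str]:
    """Take an existing AuthenticationAuthority value apart so it can be checked."""
    m = AA_STRING.match(aa)
    if not m:
        raise ValueError("not an ApplePasswordServer authority: %r" % aa)
    return {"slot_id": m.group(1), "key": m.group(2), "ip": m.group(3)}


def authority_matches(aa: str, dump_text: str, user: str, key_text: str) -> bool:
    """True when the record's authority names the slot and key the Password Server really has."""
    parts = parse_authentication_authority(aa)
    return parts["slot_id"] == find_slot(dump_text, user) and parts["key"] == key_text.strip()


if __name__ == "__main__":
    slot = find_slot(SAMPLE_DUMP, "_ldap_replicator")
    aa = build_authentication_authority(slot, SAMPLE_KEY, SAMPLE_PWS_IP)
    print(aa)
    print("matches PWS:", authority_matches(aa, SAMPLE_DUMP, "_ldap_replicator", SAMPLE_KEY))
```

`authority_matches()` is the check to run against the value WGM's inspector already shows for _ldap_replicator: a slot ID that does not appear in the dump, or a key that differs from the current mkpassdb -key output, is enough on its own to produce the bind failures described earlier in the thread.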
August 26, 2010 at 4:20 am #379334
aread (Participant)

Thanks very much for the response. Your directions were almost correct for us. Instead of making the _ldap_replicator user on the master and then copying the password to the slapd config file, I had to set up the replica and then use the password from the config file to create the user. Doing it the way Stu suggested resulted in the _ldap_replicator user not authenticating.
Thanks for the help,
Adam
March 28, 2011 at 4:29 pm #380580
popak (Participant)

Hi,
I start having a kind of similar problem with the _ldap_replicator user. I have this user in OD master with the same entry for it in the passwordserver in the replica:
On replica I get this error message in the ldap.log:
[code]Mar 28 09:16:34 slapd[7362]: slap_client_connect: URI=ldap://server.example.com:389 ldap_sasl_interactive_bind_s failed (80)
Mar 28 09:16:34 slapd[7362]: do_syncrepl: rid=179 retrying[/code]
and on the OD master I get this one:
[code]slapd[2354]: SASL [conn=9730] Failure: response error = 2[/code]
When I look at the password service server log, this is the problem:
[code]USER: {0x4c37670f6b8b45670000001a0000001a, _ldap_replicator} is the current user.
Mar 28 2011 09:22:34 AUTH2: {0x4c37670f6b8b45670000001a0000001a, _ldap_replicator} password change required.[/code]
So how can I change the password for the _ldap_replicator user? And why does it ask me to do that? Any help would be appreciated.