I recently moved a few Open Directory Servers from 10.5.8 to Snow Leopard, and am running into a puzzling problem. For the OD Master, I did a clean erase and install. Set up DNS (forward and reverse FQDN verified) and promoted the machine to an OD Master. I then did a restore in Server Admin from a dmg archive made from my 10.5.8 system. In short order the machine was up and running, and no problems were present.
The issue came when I set up an OD Replica. The replica creation went smoothly, and the resulting server had the LDAP, Password Server, and Kerberos running. Checked the logs, and all looked good. Being a little OCD, I shut down the Master to verify that clients could still authenticate via the replica, and no dice.
Did some digging. Verified all the obvious things. DNS is working from the replica and all clients while the master is offline (the replica hosts a slave zone). Used tcpdump to watch and make sure that clients were actually talking to the replica while the master was down, and knew where to go, and they were. They just won’t authenticate to mail, web, login window, etc. You can, however, get a Kerberos ticket with the master offline.
I traced it down to an error in the slapd.log. Apparently the replica is mixed up about its principal in requests:
Sep 14 21:09:50 replica slapd[1082]: SASL [conn=388] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request (found ldap/[email protected], wanted ldap/[email protected]))
I’m sure I can fix this problem by simply creating a fresh Directory and importing records in Workgroup Manager, but I’d really like to know what the problem is for my own understanding… unless it’s just a “corrupt db”… who knows kind of thing.
Thanks guys.
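The slapd.log error quoted above is the kind of thing worth catching automatically rather than by eye, since a replica that silently fails SASL/GSSAPI binds looks healthy until the master goes away. The following is an added example, not code from the post or from Apple: it parses slapd.log for "Wrong principal in request" failures, extracts the found and wanted principals, and reports whether the two name different hosts. The log lines, hostnames and realm are constructed placeholders (the principals in the original post are redacted).

```python
import re
from collections import Counter

# Constructed sample slapd.log excerpt. Hostnames and realm are placeholders,
# not the values from the original post.
SAMPLE_LOG = """\
Sep 14 21:09:50 replica slapd[1082]: SASL [conn=388] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request (found ldap/replica.example.test@EXAMPLE.TEST, wanted ldap/master.example.test@EXAMPLE.TEST))
Sep 14 21:09:51 replica slapd[1082]: conn=389 fd=21 ACCEPT from IP=10.0.0.5:49152 (IP=0.0.0.0:389)
Sep 14 21:09:52 replica slapd[1082]: SASL [conn=390] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request (found ldap/replica.example.test@EXAMPLE.TEST, wanted ldap/master.example.test@EXAMPLE.TEST))
"""

# Matches the GSSAPI principal-mismatch failure that slapd logs for a SASL bind.
WRONG_PRINCIPAL = re.compile(
    r"SASL \[conn=(?P<conn>\d+)\] Failure: GSSAPI Error: .*?"
    r"Wrong principal in request \(found (?P<found>[^,\s]+), wanted (?P<wanted>[^)\s]+)\)"
)


def parse_wrong_principal(line):
    """Return {'conn', 'found', 'wanted'} for a mismatch line, else None."""
    m = WRONG_PRINCIPAL.search(line)
    if not m:
        return None
    return {"conn": int(m.group("conn")),
            "found": m.group("found"),
            "wanted": m.group("wanted")}


def host_of(principal):
    """ldap/host.example@REALM -> host.example (service and realm stripped)."""
    _service, _, rest = principal.partition("/")
    host, _, _realm = rest.partition("@")
    return host


def diagnose(log_text):
    """Group mismatches by (found, wanted) pair and flag host-level mismatches.

    A host mismatch means the replica's LDAP service is presenting one
    principal while the client request was built for another host, which is
    exactly what breaks SASL/GSSAPI binds to the replica once the master is down.
    """
    pairs = Counter()
    for line in log_text.splitlines():
        rec = parse_wrong_principal(line)
        if rec:
            pairs[(rec["found"], rec["wanted"])] += 1
    return [{"count": n, "found_host": host_of(f), "wanted_host": host_of(w),
             "host_mismatch": host_of(f) != host_of(w)}
            for (f, w), n in pairs.items()]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run it against the real /var/log/slapd.log on the replica (read the file into `diagnose`) to see how many binds are failing and which host each side of the mismatch names.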