Help us silence slapd with its GSSAPI errors

  • #368547
    mcnaugha
    Participant

    I haven’t tried 10.4.9 yet… but these errors are logging like mad across all our servers.

    I have frantically tried various keytab edits and principal removal and recreations to no avail. I’m stuck at slapd moaning about the decrypt check failing because I can’t sync the keys it wants me to. Various commands I’ve run (not in any particular order):

    kadmin.local -q 'ktrem ldap/FQDN'
    kadmin.local -q 'delprinc ldap/FQDN'
    kadmin.local -q 'ank -randkey ldap/FQDN'
    kadmin.local -q 'ktadd ldap/FQDN'

    sudo sso_util configure -r G4SERVER.CARDINALNEWMAN.N-LANARK.SCH.UK -x -v 1 all
    sudo sso_util configure -r G4SERVER.CARDINALNEWMAN.N-LANARK.SCH.UK -x -v 1 ldap

    sudo kadmin.local -r G4SERVER.CARDINALNEWMAN.N-LANARK.SCH.UK -q "addprinc -randkey kadmin/g4server.cardinalnewman.n-lanark.sch.uk@G4SERVER.CARDINALNEWMAN.N-LANARK.SCH.UK"

    sudo kadmin.local -r G4SERVER.CARDINALNEWMAN.N-LANARK.SCH.UK -q "addprinc -randkey host/g4server.cardinalnewman.n-lanark.sch.uk@G4SERVER.CARDINALNEWMAN.N-LANARK.SCH.UK"

    Need some slapd and Kerberos expert to help fix this. It should really be Apple’s problem.

    #368555
    mcnaugha
    Participant

    This is what we’re getting on the one I tried to fix:

    Mar 14 14:48:30 g4server slapd[29001]: SASL [conn=4190] Failure: GSSAPI Error: Miscellaneous failure (Decrypt integrity check failed)\n

    I know that means the keys are out of sync between the KDC and keytab. Cannot seem to fix.

    This is the initial message:

    Mar 14 16:32:00 g4server slapd[46]: SASL [conn=9731] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)\n

    Another message that appears is:

    Mar 14 16:32:00 g4server slapd[46]: SASL [conn=9731] Failure: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)\n

    Now we’re not talking about the odd log entry of this… we’re talking hundreds if not thousands! We’re seeing it on several High School Tiger Servers. They run as ODM and PDC. We’re also seeing major instability with these servers too. It’s very random though. As I’m not used to seeing slapd logging this much I can only think it is related to the instability.

    We are ironically unable to update to 10.4.9 because of another issue I have posted here.
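
Added example, not part of the original posts: a small triage script that tallies the three slapd GSSAPI failures quoted above by reason and by distinct connection, so you can see which keytab/KDC mismatch dominates before and after re-keying. The sample log lines and the host name "odm1" are constructed; the "keys out of sync" reading comes from the post, the other two hints are the usual Kerberos interpretation and are assumptions here.

```shell
#!/bin/sh
# Added example: summarise slapd SASL/GSSAPI failures by reason.

# Constructed sample in the syslog format quoted in the thread (host "odm1" is made up).
sample_log() {
cat <<'EOF'
Mar 14 16:32:00 odm1 slapd[46]: SASL [conn=9731] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)\n
Mar 14 16:32:00 odm1 slapd[46]: SASL [conn=9731] Failure: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)\n
Mar 14 16:32:05 odm1 slapd[46]: SASL [conn=9732] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)\n
Mar 14 16:40:11 odm1 slapd[46]: conn=9733 fd=21 ACCEPT from IP=10.0.0.5:49152 (IP=0.0.0.0:389)
Mar 14 16:48:30 odm1 slapd[901]: SASL [conn=12] Failure: GSSAPI Error: Miscellaneous failure (Decrypt integrity check failed)\n
Mar 14 16:48:31 odm1 slapd[901]: SASL [conn=12] Failure: GSSAPI Error: Miscellaneous failure (Decrypt integrity check failed)\n
EOF
}

# Read syslog lines on stdin; print one tab-separated line per failure reason:
#   count  distinct-connections  reason  likely state
# Most frequent reason first. Lines that are not GSSAPI failures are ignored.
gssapi_summary() {
    awk '
    /slapd\[[0-9]+\]: SASL \[conn=[0-9]+\] Failure: GSSAPI Error:/ {
        if (!match($0, /conn=[0-9]+/)) next
        conn = $5 substr($0, RSTART, RLENGTH)       # slapd pid + conn id
        if (!match($0, /\([^()]+\)/)) next
        reason = substr($0, RSTART + 1, RLENGTH - 2) # text inside the parentheses
        count[reason]++
        if (!((reason, conn) in seen)) { seen[reason, conn] = 1; conns[reason]++ }
    }
    END {
        hint["Decrypt integrity check failed"] = "keytab key differs from the key held by the KDC"
        hint["No principal in keytab matches desired name"] = "keytab has no entry for the requested service principal"
        hint["Server not found in Kerberos database"] = "KDC has no such service principal"
        for (r in count) {
            h = (r in hint) ? hint[r] : "unclassified"
            printf "%d\t%d\t%s\t%s\n", count[r], conns[r], r, h
        }
    }' | sort -rn
}

sample_log | gssapi_summary
```

To run it against a real log, pipe the file in instead of the sample: `gssapi_summary < /path/to/slapd.log` (path is a placeholder).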

    #368560
    mcnaugha
    Participant

    Actually it seems these commands do clear the problem… but you need to reboot afterwards for it to take effect:

    sudo kadmin.local -q 'ktrem ldap/FQDN'
    sudo kadmin.local -q 'delprinc ldap/FQDN'
    sudo kadmin.local -q 'ank -randkey ldap/FQDN'
    sudo kadmin.local -q 'ktadd ldap/FQDN'
