  • #368253
    kraytech
    Participant

    I am getting a lot of errors in the LDAP logs, and I can’t seem to figure out why. I am new to the server stuff, and learning a system that was pieced together. Can anybody shed some light on these errors?

    Feb 8 12:00:38 server slapd[46]: SASL [conn=86077] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:00:39 server slapd[46]: <= bdb_equality_candidates: (sambaSID) index_param failed (18)
    Feb 8 12:00:39 server slapd[46]: <= bdb_equality_candidates: (sambaSID) index_param failed (18)
    Feb 8 12:00:56 server slapd[46]: SASL [conn=86083] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:00:57 server slapd[46]: SASL [conn=86087] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:00:58 server slapd[46]: SASL [conn=86091] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:01:01 server slapd[46]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
    Feb 8 12:01:01 server slapd[46]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
    Feb 8 12:01:01 server slapd[46]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
    Feb 8 12:01:01 server slapd[46]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
    Feb 8 12:01:01 server slapd[46]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
    Feb 8 12:01:01 server slapd[46]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
    Feb 8 12:03:48 server slapd[46]: SASL [conn=86106] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:08:18 server slapd[46]: SASL [conn=86131] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:08:19 server slapd[46]: SASL [conn=86135] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:08:19 server slapd[46]: SASL [conn=86139] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:08:20 server slapd[46]: SASL [conn=86143] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:08:32 server slapd[46]: <= bdb_equality_candidates: (apple-computers) index_param failed (18)
    Feb 8 12:08:32 server slapd[46]: <= bdb_equality_candidates: (apple-computers) index_param failed (18)
    Feb 8 12:08:53 server slapd[46]: SASL [conn=86150] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:08:54 server slapd[46]: SASL [conn=86154] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:08:54 server slapd[46]: SASL [conn=86156] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:11:38 server slapd[46]: SASL [conn=86175] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:11:39 server slapd[46]: SASL [conn=86179] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:13:08 server slapd[46]: connection_read(22): no connection!
    Feb 8 12:15:32 server slapd[46]: connection_read(28): no connection!
    Feb 8 12:23:32 server slapd[46]: SASL [conn=86249] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:23:33 server slapd[46]: SASL [conn=86253] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:23:35 server slapd[46]: SASL [conn=86257] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    Feb 8 12:30:37 server slapd[46]: connection_read(28): no connection!

    #368263
    eb0vine
    Participant

    Funny that I came across your post just now. I think that I fixed this problem < 7 minutes ago. As it says, some principal is not present in the Kerberos keyfile. Unfortunately I couldn't find the right debug flags that actually told me what it was looking for. Run the following and ensure that you have principals named "ldap" and any other service that may run.

    $ sudo kinit
    $ sudo kadmin.local -q listprincs

    I had the necessary princs listed, and the only svc that was actively ‘pinging’ my krb instance was Workgroup Manager (which was in read-only mode, for some reason). I disabled and reenabled the ‘Enable SSL’ and that cleared up the problem. This makes very little sense to me, as the Workgroup Manager would not have been able to complete a connection if there were SSL problems… much less cause slapd to dump that GSSAPI error.

    I’ve noticed that many, many issues stem from invalid or expired certs.. it’s just never easy to tell that they are the problem.

    If anyone has more info on this issue, I’d be ecstatic to hear about it. I was fairly methodical in changing one variable at a time, however my conclusion isn’t quite clear.

    – eb
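
An added example, not part of the original posts: a small Python triage of the slapd log format quoted in this thread, separating the GSSAPI keytab failures from the `index_param failed (18)` lines (which OpenLDAP emits when a search filters on an attribute that has no equality index) and from dropped connections. The sample lines are constructed in the thread's format, and the function names and the burst threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the slapd lines quoted in the thread;
# the last line keeps the literal "\n" that the forum paste carried.
SAMPLE_LOG = r"""
Feb 8 12:00:38 server slapd[46]: SASL [conn=86077] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
Feb 8 12:00:39 server slapd[46]: <= bdb_equality_candidates: (sambaSID) index_param failed (18)
Feb 8 12:00:39 server slapd[46]: <= bdb_equality_candidates: (sambaSID) index_param failed (18)
Feb 8 12:00:56 server slapd[46]: SASL [conn=86083] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
Feb 8 12:01:01 server slapd[46]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Feb 8 12:08:18 server slapd[46]: SASL [conn=86131] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
Feb 8 12:08:19 server slapd[46]: SASL [conn=86135] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
Feb 8 12:08:20 server slapd[46]: SASL [conn=86143] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
Feb 8 12:13:08 server slapd[46]: connection_read(22): no connection!\n
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+\S+\s+slapd\[\d+\]:\s+(.*)$")
GSSAPI = re.compile(r"SASL \[conn=(\d+)\] Failure: GSSAPI Error: (.+?) \((.+)\)$")
INDEX = re.compile(r"bdb_equality_candidates: \((\S+)\) index_param failed \(\d+\)$")
DROPPED = re.compile(r"connection_read\(\d+\): no connection!$")

def triage(text):
    """Bucket slapd lines into auth failures, index notices and dropped connections."""
    report = {"auth_by_minute": Counter(), "auth_reasons": Counter(),
              "unindexed": Counter(), "dropped": 0, "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip().removesuffix("\\n").rstrip()  # drop pasted literal "\n"
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            report["unparsed"].append(line)
            continue
        minute, msg = m.groups()
        if g := GSSAPI.search(msg):
            report["auth_by_minute"][minute] += 1   # key: "Feb 8 12:08"
            report["auth_reasons"][g.group(3)] += 1  # text inside the parentheses
        elif i := INDEX.search(msg):
            report["unindexed"][i.group(1)] += 1     # attribute lacking an eq index
        elif DROPPED.search(msg):
            report["dropped"] += 1
        else:
            report["unparsed"].append(line)
    return report

def auth_bursts(report, threshold=3):
    """Minutes with at least `threshold` GSSAPI failures, to correlate with client activity."""
    return sorted(m for m, n in report["auth_by_minute"].items() if n >= threshold)
```

The minutes returned by `auth_bursts` can be compared with when a particular client or admin tool was connected, which is how the reply above narrowed the failures down to Workgroup Manager.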

    #368284
    kraytech
    Participant

    Most things are working OK. However, we are having issues with the shares on that machine, and the fact that the server no longer shows up on the network. If you try and access the clients share on that server using afp://clients sometimes it will work, the rest of the time you get an error about the wrong username or password. Using kdestroy fixes it on some computers temporarily, but the problem usually persists later.
    Same with our FTP, you can usually log in the first time, but after that, you get a password error and I end up having to delete and restore the account to get it working again.

    Because of the password errors, and the kdestroy semi-fix, I fully believe this is a Kerberos issue on that machine. It is also our email server, but we have had no login problems to it, which is a very good thing (though I am investigating an issue where one person’s emails are not getting delivered sometimes to the system).

    I am just learning the server side of everything here, so I am not sure about some things. I am working on it though hehe.

    Thanks for the info on these particular errors. I will see if this remedies some of that as well.

    #368439
    mcnaugha
    Participant

    I’m seeing this all over the place in a large education district where every server has over 1000 users. Should we be concerned, Joel? Anything we can do to rectify?

    These schools have around 200 Macs and sometimes as many as 200 PCs hanging off the Mac server.

    Multiple servers are falling over several times a week or day. One school seems to have stabilised when we switched from Dual 1.25GHz G4s to Mac Pro hardware. Are these old G4s being tasked too much?

    Thanks!
    A.
