OD archive failing to create archive
October 27, 2008 at 7:30 pm #374569
maximumjack
hi,
I have an OS X 10.5.5 Xserve G5 that is set up in a Magic Triangle configuration. The OD database is almost entirely made up of computer records for MCX management. The server is working well and doing its job with the exception of one thing (to my knowledge):
When I try to archive my OD database, it fails to create the archive.
As I watch the slapconfig logs I see it go through 5 out of the 6 steps that a working archive goes through (1 – Backing up LDAP database, 2 – backing up password server database, 3 – Backing up Kerberos database, 4 – Backing up configuration files, 5 – Backing up local directory database, 6 – Creating archive), however it errors out at the end of step 5 with the following error message:
Error in backing up keychain -25300
Any ideas on how I go about fixing this or what I should start investigating first? I have run Keychain First Aid verification on the diradmin account as well as my account and they both pass.
thanks in advance
paul
October 27, 2008 at 8:14 pm #374570
warrens
I have the same problem with the same error. What I’ve found so far:
Using a test server I recreated the error. On the test server the system keychain had a password entry for com.apple.opendirectory with an account name of servername.local$ and a password not used on the machine for the diradmin or root account. The production server has no such entry. Deleting the keychain item from the test server reproduces the error. Note, the test server was set up in the .local domain.
Looking at a successful archive from the test server there is a file at the top level of the sparse image called keychain, inside the file is a string consisting of the password from com.apple.opendirectory only.
It would seem that recreating the keychain entry would solve the problem, but the password in the keychain item (on both the test and production) is not one that’s been used on the server. We’ve discussed using the one in the last successful production server OD archive, but we are not inclined to live test on our OD master. Pending any explanation of how the keychain entry is created and specifically what for, I’ll image the server and test in the off hours later this week.
Information on the error was found on Apple’s Developer site:
errSecItemNotFound –25300
The item cannot be found.
Available in Mac OS X v10.2 and later.
October 30, 2008 at 6:44 pm #374611
warrens
Attempted to recreate the keychain item last night, using a password string from a previous archive. The archive process again failed, but this time with –25308 (Interaction with the Security Server is not allowed.) I tried the full DNS name and the .local name, both producing the same error.
From the error I am guessing that the string is wrong, or, since our diradmin password changed around the time of the last successful archive creation, that the two are linked: the keychain item may relate to the diradmin password. I was too tired to realize this at the time, but I will be testing this.
November 3, 2008 at 5:38 pm #374629
warrens
Attempted to force a change in the Open Directory keychain item on a test server:
Changed passwords for diradmin and root. No modification of keychain.
Deleted the default cert, created a new cert, configured it for use in LDAP. This created a keychain item for the cert’s pass-phrase, but no modification of the OD keychain item occurred.
Would very much like to know under what circumstances the OD keychain item is created or modified.
April 2, 2009 at 8:50 pm #375903
warrens
I’ve had some luck restoring archive functionality, though I have yet to get a full understanding of the keychain item and the circumstances of its creation:
1. Built a test server of the OD master: same IP, name, version.
2. Pulled an archive previous to the occurrence of the problem.
3. Restored the archive to the test master.
4. Opened Keychain Access, exported the system keychain after confirming the existence of the com.apple.opendirectory entry.
5. Moved the exported keychain to the OD master, imported it under a unique name.
6. Copied the com.apple.opendirectory entry and pasted it into the system keychain.
Archives now complete successfully.
Currently working under the assumption that the keychain item is machine related, perhaps to the OD master’s machine record’s passwordplus field.
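A pre-flight check for the keychain item warrens describes, added here as an example and not code from the thread. It assumes the macOS `security` tool and that the item's account name is the host name followed by `$`, as in the test-server entry above; the attribute dump format is that of `security find-generic-password`.

```shell
#!/bin/sh
# Added example, not from the thread: check the System keychain for the
# com.apple.opendirectory item before running an OD archive, and name the two
# OSStatus codes the thread reports. Assumes macOS `security`.

SERVICE="com.apple.opendirectory"
SYSKC="/Library/Keychains/System.keychain"

# Name the Security framework result codes quoted in the thread.
secerr_name() {
  case "$1" in
    -25300) echo "errSecItemNotFound (the item cannot be found)" ;;
    -25308) echo "errSecInteractionNotAllowed (interaction with the Security Server is not allowed)" ;;
    *)      echo "OSStatus $1" ;;
  esac
}

# Extract the "acct" attribute from a `security find-generic-password`
# attribute dump read on stdin (line looks like: "acct"<blob>="host.local$").
acct_from_dump() {
  sed -n 's/^ *"acct"<blob>="\(.*\)"$/\1/p'
}

# Verdict on whether an archive is likely to fail, given the dump and the
# account name this host expects. Returns 0 only when the item looks right.
check_od_item() {
  dump="$1"; expected="$2"
  acct=$(printf '%s\n' "$dump" | acct_from_dump)
  if [ -z "$acct" ]; then
    echo "missing: no $SERVICE item; archive will stop with $(secerr_name -25300)"
    return 1
  elif [ "$acct" != "$expected" ]; then
    echo "mismatch: item account is '$acct', expected '$expected'"
    return 2
  fi
  echo "ok: $SERVICE item present for $acct"
}

# Live run on a server; skipped where `security` is not available (off-box).
# Expected account "<hostname>$" is an assumption taken from the thread.
if command -v security >/dev/null 2>&1; then
  dump=$(security find-generic-password -s "$SERVICE" "$SYSKC" 2>/dev/null)
  check_od_item "$dump" "$(hostname)\$"
fi
```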
April 3, 2009 at 3:10 pm #375913
Armagon
We had a similar issue, and I figured out a couple of things about it and put up a blog post.
I’d throw you a link, but the bulletin board thinks I am spamming. (Sigh). Do a search for “Armagon’s Isles Keychain Error”