[dptech]

Okay, I figured something out. Not sure of the cause, but aformentioned error message happens when the ssl certs don’t match up. Somehow they get changed on my setup from DEFAULT to CUSTOM. The OD master doesn’t like this and spits out the ssh error.

The SSL cert info is found in the Open Directory/Protocols portion of the Server Admin gui.

[dptech]

I’m sorry it’s taken me so long to get back to this. School just started and things have been hectic around here. We’re running a single OD master and 9 replicas to handle about 3500 logins. Fortunately for us, I think we only have about 2000 computers so not everyone will ever be logged in at once.

We had the problem everyone else was having and I made several changes at once, (i know bad sys admin practice, but I was desperate and under a deadline) so I have no idea what fixed the issue. I did the following:
1. Verified that all of my ODR’s had valid dns entries (one didn’t)
2. Generated a new SID and copy pasted the new SID in the CIFSServer plist file.
3. I ensured that the ssl cert was correct on the master and all the replicas (again one case where a replica had changed from default to custom or some such thing)
4. Verified that I could login as diradmin via ssh to all the ODR’s (in one case the known_hosts file was wrong)
5. I REBOOTED everything. Our apple engineer told us that it takes around 300 seconds for the ODR’s to catch up with the master. I’ve found this to be only somewhat true, I come from a linux background and the idea of rebooting servers irks me to no end, but it seems to help with Xserve. (no idea why)

I hope this helps, I’d like to work this thread until we get documentation on exactly what will fix the broken replica issue. Apple told me I was running the wrong software versions (they were all the same)

[dptech]

I just solved this the other day, unfortunately, i don’t remember what i did. I would be happy to show you our ODM configuration if you think it would help you. We have one ODM and 8 replicas, they worked fine all summer and then one failed, when I tried to make it a replica I got the errors mentioned in previous posts and our apple rep was zero help.

Please let me know if config files etc would be helpful and i will post them here.

[dptech]

Has anyone made progress on this yet?
My ODM / PDC was working and I was able to attach windows boxes using the diradmin account and then this: check_ntlm_password: authentication for user [diradmin] -> [diradmin] -> [diradmin] succeeded
[2007/08/23 14:08:17, 2] /SourceCache/samba/samba-100.9/samba/source/lib/module.c:do_smb_load_module(63)
Module ‘/usr/lib/samba/vfs/darwin_acls.so’ loaded
[2007/08/23 14:08:17, 2] /SourceCache/samba/samba-100.9/samba/source/rpc_server/srv_samr_nt.c:_samr_lookup_domain(2531)
Returning domain sid for domain SSD -> S-1-5-21-1372755496-2984317980-2510722169
[2007/08/23 14:08:17, 0] pdb_ods.c:odssam_getsampwnam(2329)
odssam_getsampwnam: [0]get_sam_record_attributes dsRecTypeStandard:Computers no account for ‘rm111-27$’!
kDSStdAuthNewUser FAILED for account “computer-name” (-14090) 🙁
[-14090]AuthNewUser
[0]dsDeleteRecord
[2007/08/23 14:08:17, 0] pdb_ods.c:odssam_getsampwnam(2329)
odssam_getsampwnam: [0]get_sam_record_attributes dsRecTypeStandard:Computers no account for ‘computer-name$’!

Was hoping this was a simple SID issue, but it would appear that it’s not. I’m also getting

[2007/08/23 14:07:57, 0] /SourceCache/samba/samba-100.9/samba/source/rpc_server/srv_samr.c:api_samr_set_userinfo(786)
api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.
[2007/08/23 14:07:57, 0] /SourceCache/samba/samba-100.9/samba/source/libsmb/smbencrypt.c:decode_pw_buffer(539)
decode_pw_buffer: incorrect password length (-1997745557).
[2007/08/23 14:07:57, 0] /SourceCache/samba/samba-100.9/samba/source/libsmb/smbencrypt.c:decode_pw_buffer(540)
decode_pw_buffer: check that ‘encrypt passwords = yes’

Does anyone know anything further on this?

TIA,
dave

[Author]

Posts