Open Directory server on two Private IP addresses - acting slow

We have an OS X Open Directory server that has two non-routable IP addresses.
Primary - 10.0.0.x (LAN) with 10.0.0.x gateway
Secondary - 172.16.0.x (SAN) with no gateway
When it is plugged in to both networks, Server Admin responds very slowly. If the server is just on the primary interface, Server Admin responds normally.
We also have a replica that is on the two private networks.
Primary - 10.0.0.x (LAN) with 10.0.0.x gateway
Secondary - 172.16.0.x (SAN) with no gateway
When we launch Server Admin on the replica, Server Admin says there's no server found at this address, even when it is looking for server.local, as opposed to server.domain.com.
Again, if you put this server on the primary 10. network, it works fine.
What's going on?

For anyone else interested, I eventually decided that a fully-qualified domain name seems to be necessary for some services, and that OS X Server doesn't seem to know exactly when that is the cause of problems, and the documentation doesn't really specify exactly what it is necessary for. So I had my organization set up a FQDN for the server, even though it's only meant to be used internally, and that seems to fix things.
Greg

Similar Messages

  • Open directory server crashing every 30 days / clients unable to connect to calendar, contacts server

    Hello everyone,
    I am running an up-to-date Mavericks Server which serves exclusively as a calendar and contacts server for about two dozen devices. The server is reachable via DynDNS, however, the public IP hardly ever changes (only once or twice a year maybe). Tried setting the OS X DNS Server to serve "all clients" and "some clients".
    For about 6 months (i.e. also under Mountain Lion), I am having a very strange problem. Roughly every 20-30 days, clients will not be able to connect to the server, instead getting a "wrong password" dialog. Restarting the open directory server will help for the next 30 days.
    I have tried repairing the database as detailed here, however, the issue persists.
    Any help would be highly appreciated!
    I would have tried setting up a clean server installation, migrating calendars/contacts manually and re-adding all users by hand, however, I am not aware of an easy way to do so. The terminal command for calendar backup is broken under mavericks (might work with this workaround) and re-adding users manually would apparently involve correcting user UUIDs afterwards in order to match the migrated calendar data. Do you know of a better approach?
    Thanks a lot!
    DPSG-Scout

    Hi Linc,
    This looks the most relevant to me:
    opendirectory.log
    2014-03-11 11:13:09.460675 CET - 333.2628758.2628759 - Client: Python, UID: 93, EUID: 93, GID: 93, EGID: 93
    2014-03-11 11:13:09.460675 CET - 333.2628758.2628759, Node: /Local/Default, Module: PlistFile - predicates with 'AND' are not supported
    2014-03-11 12:09:00.296514 CET - State information (some requests have been active for extended period):
              Sessions: {
                  28 -- opendirectoryd:
                              Session ID: 7BFBA6FE-A968-4399-A129-E3A5945E2A81
                              Refs: singleton
                              Type: Default
                              Target: localhost
              Nodes: {
                  43 -- authd:
                              Node ID: 6D0E236D-6DBD-4E8C-BC01-B3F50C2C2D8E
                              Nodename: /LDAPv3/127.0.0.1
                              Session ID: <Default>
                              Refs: 1
                              Internal Use: X
    and many more similar ones…
    Thanks for your effort!

  • Ubuntu Karmic authentication against Snow leopard open directory server

    Hi,
    I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an OS X Snow Leopard server. Currently `getent passwd` shows all users including those from the open directory server when running the command as both root and a normal user. However, authentication against the open directory users fails with the following messages in /var/log/auth.log:-
    Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
    Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
    (I've changed the hostname and ldap url)
    /etc/ldap.conf has:-
    base dc=server,dc=domain,dc=com
    ldap_version 3
    rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
    bind_policy soft
    pam_password md5
    /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
    /etc/pam.d/common-passwd :-
    password sufficient pam_ldap.so md5
    password required pam_unix.so nullok obscure md5
    password optional pam_smbpass.so nullok use_authtok try_first_pass missingok
    /etc/pam.d/common-auth:-
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_ldap.so use_first_pass
    auth requisite pam_deny.so
    auth required pam_permit.so
    /etc/pam.d/common-account:-
    account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
    /etc/pam.d/common-session
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pam_ck_connector.so nox11
    Does anyone have any ideas where to go from here?
    Message was edited by: zebardy
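The configuration posted above is what a Linux box typically carries to use an Open Directory master as its account source, and the auth.log lines show it binding to ldap://server.domain.com, i.e. without TLS. Before chasing the bind failure it is worth running the posted files through a linter for the usual weaknesses: a simple bind over plain ldap:// (the directory administrator's password crosses the wire in clear), nss_ldap bound as a directory administrator rather than a read-only lookup account, `pam_password md5` (pam_ldap writes a crypt-MD5 hash straight into userPassword instead of letting the server handle the change via `exop`), `bind_policy soft` (a failed bind looks like "no such user"), and `nullok` on pam_unix. The Python below is an added example, not code from the thread; the `uri` line in the sample is reconstructed from the auth.log entries and the file mode is passed in rather than read, so it runs offline. On an Open Directory master the directory administrator normally lives at uid=diradmin,cn=users,<base>; the linter does not check DNs, so a wrong rootbinddn still has to be verified by hand with `ldapsearch`.

```python
"""Lint an nss_ldap/pam_ldap style /etc/ldap.conf and a PAM stack for the
weaknesses a security reviewer flags before pointing a Linux host at an
Open Directory server. Added example; samples below are constructed."""
import stat

# Constructed sample mirroring the ldap.conf posted in the thread; the uri
# line is an assumption reconstructed from the auth.log lines (ldap://).
SAMPLE_LDAP_CONF = """\
uri ldap://server.domain.com
base dc=server,dc=domain,dc=com
ldap_version 3
rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
bind_policy soft
pam_password md5
"""

# Constructed sample of the auth and password lines from the same post.
SAMPLE_PAM = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
password sufficient pam_ldap.so md5
password required pam_unix.so nullok obscure md5
"""


def parse_ldap_conf(text):
    """Return the key/value pairs of an nss_ldap-style ldap.conf (last wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_ldap_conf(conf, secret_mode=None):
    """Return findings for a parsed ldap.conf.

    secret_mode is the st_mode of /etc/ldap.secret (only relevant when
    rootbinddn is set); it is injected so the check needs no real file.
    """
    findings = []
    uri = conf.get("uri", "")
    ssl = conf.get("ssl", "off").lower()
    if "ldap://" in uri and ssl not in ("on", "start_tls"):
        findings.append("cleartext bind: ldap:// without 'ssl start_tls' sends every "
                        "bind password (including rootbinddn's) unencrypted")
    if ssl in ("on", "start_tls") and conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is not "
                        "validated, so the bind can be intercepted")
    if "rootbinddn" in conf:
        findings.append("rootbinddn binds every lookup as a directory administrator; "
                        "use a read-only lookup account instead")
        # Anything beyond 0600 exposes the admin password to local users.
        if secret_mode is not None and stat.S_IMODE(secret_mode) & 0o077:
            findings.append("/etc/ldap.secret is readable by group or others")
    if conf.get("pam_password", "").lower() == "md5":
        findings.append("pam_password md5 writes a crypt-MD5 hash straight into "
                        "userPassword, bypassing the server's password policy; use 'exop'")
    if conf.get("bind_policy", "hard").lower() == "soft":
        findings.append("bind_policy soft makes a failed bind look like 'no such user' "
                        "instead of an error, hiding outages like the one in auth.log")
    return findings


def lint_pam(text):
    """Flag empty-password and double-prompt patterns in auth/password lines."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        facility = fields[0]
        # The control field may contain spaces ([success=2 default=ignore]),
        # so locate the module by its .so suffix instead of by position.
        module = next((f for f in fields if f.endswith(".so")), "")
        if facility in ("auth", "password") and module == "pam_unix.so" and "nullok" in fields:
            findings.append("%s: pam_unix.so nullok accepts empty passwords" % facility)
        if (facility == "auth" and module == "pam_ldap.so"
                and "use_first_pass" not in fields and "try_first_pass" not in fields):
            findings.append("auth: pam_ldap.so without use_first_pass prompts twice")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF), 0o100600):
        print("ldap.conf:", finding)
    for finding in lint_pam(SAMPLE_PAM):
        print("pam:", finding)
```

Run against the posted configuration the linter reports the cleartext bind, the admin-level rootbinddn, the md5 password method and the soft bind policy; the only PAM finding is `nullok` on the password pam_unix line. A hardened file (`ssl start_tls`, `tls_checkpeer yes`, a plain `binddn` for a lookup-only account, `pam_password exop`) comes back clean.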

    Hi
    It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
    You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
    An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
    Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
    http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
    Page 55 onwards.
    From Page 64:
    "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
    If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
    HTH?
    Tony

  • Changing the Name of an Open Directory Server while preserving users, etc.

    Hi Everyone,
    Not an emergency - but I have been wrestling with this dilemma for almost a year now.
    The good news is nothing has to be done right away. But I will ultimately need a solution.
    We have inherited a server system at a traditional elementary school from a previous IT person who was immature to say the least.
    When he set up the server system, he named the open directory server something that, while innocuous, is inappropriate for a school setting.  I am sure he thought it was clever and cheeky at the time. But a few years later it is simply unprofessional. And we are being expected to ultimately be able to change it to something like "XXXdirectory.domainname.edu". The longer it hangs around, the more it looks like we did this and it makes us look unprofessional.
    So here is my dilemma. 
    This is an OD Master with iCal and network homes attached to it. It also runs DNS.
    I would like to set up a new server and name it "xxxdirectory.schooldomainname.edu"
    Setting up the new server is easy and getting all the client machines to bind to it - no problem.
    The problem is how to migrate all the users to the new server.  It seems a restore won't work because if the new server is named differently, the restore will fail. I also can't do a server migration because the stupid name migrates to the new server.
    My old server is 10.5.8 Server.  The new one is 10.7.1 Server . But could be 10.6.8 Server if need be. 
    The main problem is how do I get all the accounts onto a new server with a new OD master name?
    I don't mind command line stuff. So throw whatever you got at me.
    Thanks in advance for your help everyone.  Don't worry - I won't be a pain in the butt or argue.  I just need some good solid guidance, even if it is a "Not possible" answer - at least I have something to tell the administration when they want to know why we can't change the OD Master name from mcnugget.schoolname.edu.
    Please let me know if you need more details.  I am happy to provide.
    Thanks again.
    Tony

    If you don't mind resetting everybody's password then you can export the users and groups and wipe the server for a clean install, or turn it into a standalone server and then back into an OD master, then import the users and groups.

  • Wrong UID from open directory server

    I have a problem with a mac OSX server
    I have an open directory server A, that shares all users to every other server i have.
    I then have 2 Mac OS X servers B and C, that are set up to allow network users. I can easily log in with an Open Directory user on both servers, but I have a problem. On server B it says the user's user ID is 1050, which is correct. On server C it says that the same user's user ID is 1000, which is wrong. Both server setups are identical, as far as I know. On the Open Directory server A the user's ID for the user is also 1050, in case that is relevant.
    I have checked if server C has a local user with the same name, but that is not the case.
    Any idea what might have caused this problem?

    bump

  • 10.3.9 clients not working with 10.4.9 open directory server

    I have a 10.4.9 server running open directory and managing about 20 10.4.9 clients. I am trying to have it manage our remaining 10.3.9 clients, but for whatever reason, I cannot seem to get the 10.3 clients to "attach" to the server.
    I have the 10.3 clients set up in a computer list on the server, and in directory access I have it set to "get ldap mappings from server". At one point, it was suggested to me that I have the clients "get ldap mappings from open directory server". I tried this, and manually set the search base suffix. My search base suffix was "dc=example,dc=local". I even tried doing "cn=config,dc=example,dc=local" (where in both cases example.local was replaced with my real DNS name). Any suggestions on what else I could try to get this to work?

    That's the odd thing though. I've done this with 10.4 no problem. Settings always worked. For some reason though, even though the clients are able to login using a network user, none of the preference settings sync.
    For example - I always put a loginwindow message on as a sort of "test" to see if preferences are being set. If that works, then I rarely have a problem. No matter what I do, though, I cannot get the loginwindow message to display on the 10.3 clients. It works really well on 10.4, but not at all on 10.3. I've tried this on multiple 10.3 machines, as well, (and they're both based on different system images) but it still doesn't work. When I get back to work on Friday, I'll have to see if preferences will work for network users; that's the one thing I haven't tried.
    Other than dumping the directoryaccess preferences, is there another preference setting that could be dumped on the client that may make it grab prefs from the server?

  • How to promote my OSX10.6.8 replica server to Open Directory server

    My Open Directory Server crashed and I would like to promote my replica server to Open Directory master. Can you tell me how to do this?

    Hello Dave,
    Check out the steps quoted below to promote your replica to the Open Directory master.
    Provide Open Directory service
    https://help.apple.com/advancedserveradmin/mac/3.1/#apdD1F7D8CA-CF07-40CE-B2D4-8E3ACF4BCA40
    Promote a replica to Open Directory master
    If an Open Directory master fails and you can’t recover it from a backup, you can promote a replica to be a master. The new master (promoted replica) uses the directory and authentication databases of the replica.
    Select Open Directory in the sidebar.
    Click Servers.
    Select a replica to promote, then choose Promote Replica to Master from the Action pop-up menu (looks like a gear).
    Enter the directory administrator name and password.
    If you archived Open Directory data with certificate authority keys, you can restore them by entering the Open Directory archive location or clicking choose to locate the archive.
    Click Next.
    Enter the user name and password for the replica that’s being promoted, then click Connect.
    Regards,
    -Norm G.

  • Command-Line Remove Open Directory Server

    What is the terminal command to remove an Open Directory server?

    On LDAP server open the Terminal and run this:
    sudo slapconfig -destroyldapserver
    man slapconfig will give you more interesting options

  • Three new groups in Open Directory Server

    I noticed that my Open Directory server has three new groups in WGM: OD Users, OD Administrators and com.apple.limited_admin. Should I treat these as I treated the other groups by assigning them members and group folders? I also noticed that now I have a System Administrator and a Directory Administrator; does that sound right? Should I keep both? Thanks

    Ok, thanks, I had forgotten the "show system records" trick.
    For the guest user, I don't see it in dscl.
    So I suppose it's not a user, just an "anonymous" authentication option in the sharing preferences.
    It's a bit like "others" in the posix rights permissions : User, group, other. User and group are existing and named, other are not named, it's just anybody that is not the named user and not a member of the named group.
    To keep things understandable, you should use another name if you wish to configure a "guest user".
    You can manage the "enable guest account" option from WGM if you select a computergroup, in the preferences pane / login / options.
    Hope it helps
    Nicolas

  • 10.7.5 client shows open directory server not responding

    Hello,
    I am just starting to learn to use OS X Server.  I have created an Open Directory Master and want to connect the various Macs around the home to it.  My iMac is currently running 10.7.5 client and I have tried to add the server as a Network Account Server (re: below), but it shows it is not responding.
    As I am a real novice, have I missed something and how do I get this to work?
    Thanks,
    Nick

    You are likely having issues because you are not using DNS correctly.  The name "CowShed.local" is a bonjour name.  In order to properly use Open Directory you need DNS set up internally.  The reason is that the Kerberos component of Open Directory is very dependent on DNS.
    Generally, I would discourage the use of bogus top level domain.  However, since you say this is for home use, you can likely get away with the use of one (mac.leedern.int, mac.leederm.private, etc).  However, if you do, then you will not be able to use hosted services (mail, calendar, contacts, etc) transparently between the home and external networks (names will not route).
    If you own a domain name, you can use it internally and set up your DNS on the server.  Then distribute the server's LAN IP address to all clients as the first DNS server.  This way, all your client devices can resolve the server's host name while on the LAN.
    Your journey starts at DNS.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • Open Directory Server appears as /LDAPv3/127.0.0.1, not as /LDAPv3/FQDN

    I am running Mac OS X Server 10.4.7 and when I set up my Open Directory Master it shows in Directory Access Utility and Workgroup Manager as /LDAPv3/127.0.0.1.
    This does not make sense since an nslookup answers correctly for IP address and hostname. So, I think it should show as /LDAPv3/FQDN.
    If I change the field "Server Name or IP Address" in the LDAPv3 section of Directory Access Utility to the FQDN, Workgroup Manager shows /LDAPv3/FQDN and works perfectly, but if I try to create an Open Directory Replica on another server, I receive a message "Unable to Authenticate on Server as Directory Admin".

    Thanks for your answer Ralph!
    Actually I did get my other server promoted to an OD Replica while my OD Master appears as /LDAPv3/127.0.0.1, but I was in doubt about this when I went to the Replica's WGM Sharing pane to set the Users folder as an Automount Point in the /LDAPv3 Directory, because it shows as /LDAPv3/127.0.0.1.
    Maybe I am wrong, but on the Replica server this will point to the localhost directory. Is this assumption correct?

  • Unable to replicate Open Directory server

    I have a Master OD server that is currently being replicated to an offsite OD.
    But I'm looking to run a dedicated Mini for the offsite, and I cannot get the new Mini to replicate.
    The slapconfig log says the credentials are invalid, and it exits with error code=69.
    I have reset the directory admin password, made sure the network settings were all correct and that the hostname and DNS name are correct.
    the OS and server versions are identical between the 2 servers.
    Anyone have any thoughts???

    Can't Create Replica in Open Directory
    Failed to setup Open Directory Replica.
    Still not possible to create OD Replic under Lion Server

  • Leopard and panther open directory server hate each other

    So I got Leopard the first day but didn't install it till a week later 'coz I was working on a Final Cut project. When I was ready to install I saw all these problems people are having and decided to backup all my user files before I do it which I've never done before (what can you say, I trust Apple engineers!) Anyway, after an upgrade install I found that my PowerMac Dual 2.7GHz G5 with 3.5GB of RAM was slow, very slow, crawling slow. Every button I pressed, every app I tried to open, every response seemed it'd take at least 5 mins and Activity Monitor showed that those apps I was trying to interact with were not responding but if I was patient enough to wait, most of them would eventually come around.
    After a whole night searching the Apple forum and googling, I couldn't find any solution. So I decided to wipe the hard disk clean and do a clean installation. Amazingly everything worked just as they should and installation only took like 15 mins or so. After I finished installing all my usual apps back into my PowerMac I was, again, busy working on another Final Cut project. And finally that project was concluded so I can look at my new Leopard installation and see if I've missed anything after the clean installation. I found out that I forgot to add my office LDAP server information into the Directory Access and I went ahead and added it.
    I was distracted by something else after I added the LDAP info and an hour or so later when I restarted my PowerMac, it started to act weird and crawling slow again, just like when I first did the upgrade installation. I totally forgot what I did to make it slow and I was super worried. After like 2 hours of ghost hunting in my PowerMac, I decided to let it sleep for the night and try to figure it out in the morning. On my way home I finally remembered what I did to make it slow! It's the LDAP info!!!! That's the only system related thing I added since before I did the last Final Cut project.
    I searched the Apple forum again last night to see if anyone has the same or related problem but I couldn't find anything close. I came to work this morning and decided to test my finding. The PowerMac was still super slow and I figured if it's directory access related, then if I unplug the network cable, my Mac should be smart enough to understand that there is no point in searching for a directory and simply gives up. I unplug the cable and my Mac is up and running smoothly again. I opened the Directory Access app and delete the LDAP entry, restart the Mac, plug the network cable back in and everything is fine now!
    I believe the problem is more on my Panther (10.3.9) server (ok fine! we are cheap, we didn't think a Tiger server was worth it! was I wrong!) than on the Leopard itself and that's why I couldn't find anything related on the forum. Is the Panther server LDAP module faulty to begin with that caused the problem? I don't know. I just know that Leopard does not play well with Panther's Open Directory service.

    I've convinced myself that all the problems which I'm experiencing with failures to mount, disappearing CD/DVD drives are nothing to do with Windows XP because all my problems are occurring under Windows 2000 (on different computers). Looks like Apple have taken a leaf out of Microsoft's rule book (put the product out in the market before it's ready and let the punters do all the hard work finding and fixing the bugs).

  • Brand new Open Directory server not authenticating 10.9, 3.3.2

    I'm hoping somebody here has run into this as it's driving me up a wall.
    I'm on a completely clean install of OS X Mavericks, with the installation from the App Store.
    On top of that, a completely clean install of Server.app 3.2.2 is installed.
    This server has a FQDN, and when I check to see if the hostname resolves in DNS, it totally does. DNS is not turned on as a service, but DNS server settings are correct and the server can hit the outside internet just fine.
    So my steps are as follows: Install Mavericks, clean onto a new partition. Update with all patches. Set Static IP. Install Server 3.2.2 which installs without error. Check hostname settings. All good there. Verify permissions. Create OD Master. I cannot get a single Local Network user newly created with Server.app to log in, even with home folders all 100% local to the client machine. I've unbound and rebound the client machine. I've restarted everything. Nothing.
    When attempting to log in, if I set it to reset the password at next login, the prompt to reset the password will appear. I know at least initial auth is taking place, or I wouldn't be getting a password reset screen. After attempting to reset the password, neither the original temporary nor the reset password will work. Users cannot log in.
    Here are the errors generated, with my info edited out:
    Jan 14 17:49:35 server slapd[111]: passwd_extop: (null) changed password for uid=test,cn=users,dc=controller,dc=domain,dc=edu
    Jan 14 17:49:35 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Jan 14 17:49:35 server slapd[111]: conn=1181 op=3: attribute "entryCSN" index delete failure
    Jan 14 17:49:41 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Jan 14 17:49:41 server slapd[111]: conn=1197 op=3: attribute "entryCSN" index delete failure
    I understand this is common for users upgrading from 10.6.8 but this is completely clean. I'm not usually administering an OS X server; I'm completely lost.
    Have tried: Recreating master, rekerberizing
    Using scutil and host to verify the DNS on the server works perfectly. Am I missing something small with DNS? We are a fairly large org with DNS not being provided by this server. If you think a different log file would help, please let me know which one.

    What do you get from this:
    sudo /usr/libexec/slapd -Tt
    Anything in /Library/Logs/slapconfig.log?
    Also, have you tried the suggestion here:
    Open Directory - Local Network User/Group - GONE

  • Open Directory: After enabling of SSL encryption the Open Directory server is not reachable anymore! What's wrong?

    After enabling SSL encryption on LDAP I can't connect to the LDAP anymore. I think Lion Server now supports SSL encryption for Open Directory.

    .....
