Friday, June 03, 2011

Archiving/Backing up Snow Leopard Server's Open Directory fails silently

Technical post ahead

Six hours of my life. That's about how much time I spent chasing this solution.


My Goal

Automatically back up my OS X 10.6 Snow Leopard Server's Open Directory database weekly, using launchd.


The Problem

I found an excellent script that does exactly what I needed. But when I ran it and looked at the backup folder it created, I noticed the OD archive didn't exist. At first I thought this was a Leopard vs Snow Leopard issue (the directions were a couple years old), but then after I tried archiving through the Server Admin GUI, I found the archive still wasn't created (even though no error gets presented to the user).


Problem-Solving

Googling somehow lead me to this command line:

sudo slapconfig -backupdb /path/to/backup

which as far as I can tell, is what the Server Admin.app GUI (and also serveradmin CLI used in the awesome script) call under the hood.

Well that still failed with this error (which also appears in the /Library/Logs/slapconfig.log file)

Error in backing up keychain -25300
Error: Unable to create archive image as keychain could not be read


It was another clue to the puzzle, but not a solution.

I found this page: http://armagons-isles.blogspot.com/2009/03/od-archive-fails-due-to-keychain-25300.html and tried some of the steps he suggested. My com.apple.opendirectory keychain item wasn't missing, though, so instead I tried renaming it, creating a new one with identical settings, no-go.

Found this page, built a test server (twice!) exactly like my production server, tried copying the keychain item over but couldn't get the system keychain unlocked.

Finally went back to Armagon's Isles site and re-read some of the comments, remembering there were other ideas there I hadn't fully tried. A combination of these two solved the problem for me:


MAY 17, 2010 7:39 AM
Anonymous said...
Same issue, finally resolved. In 10.6.3 I got the same problem as listed above. All efforts to use the above directions failed. After much mind bending, I realized that the server was referring to itself as "blankety-blank.local" in the Server Admin and "blankety-blank.blah.com" in the LDAP reference. Poking into the com.apple.opendirectory keychain showed that it was pointed to the blah.com$ name in Account Name, not the .local$. I changed the Account Name to point to .local$, allowed all programs access, fired it up, and BAM, worked as expected. Yay.

MAY 18, 2010 1:47 PM
Thomas Orona said...
My server already had the keychain entry and was already set to allow all programs.
I ran hostname and compared entries. In my case the case was wrong in the keychain entry.
hostname: SERVERone.company.com
keychain: serverone.company.com
Once i changed the keychain to SERVERone.company.com everything worked.


The Solution

In Terminal I ran hostname and confirmed my server is named with a capital letter, so I needed to rename the keychain item's Account from servername.domain.com$ to Servername.local$. Then I ran the sudo slapconfig -backupdb /path/to/backup line and IT WORKED!!! Now I'm documenting it all in case this can help anyone else.

Of course, it'll probably all change when Lion lands. Now to go pack for WWDC :)

2 comments:

Anonymous said...

I just experienced this issue except with the GUI backup under Server Admin. The solution you found totally worked. Thanks very much for documenting it :)

Unknown said...

This worked for me but only fixed the GUI method, not command line. Thanks!