I recently set up a Mac OS X 10.6 Server, and to my surprise, out of the blue, encountered my old friend the Workgroup Manager lockout problem. Only, it wasn’t the same problem. The notable error message was in /var/log/slapd.log:
Aug 28 17:10:01 newserver slapd: SASL [conn=177] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request (found ldap/oldserver.netmojo.ca@NEWSERVER.NETMOJO.CA, wanted ldap/newserver.netmojo.ca@NEWSERVER.NETMOJO.CA))
The problem stemmed from an earlier (misguided) attempt to set up this new 10.6 Server (“newserver”), as an OD replica of a 10.5 Server (“oldserver”). It turns out that when you select “Setup an open directory replica” in Server Admin, it alters this file:
This file is used by OpenLDAP to determine which server the current server is a replica of. When I changed the Open Directory role back to Master, Server Admin failed to update the rootDSE file to reflect the fact that it is no longer a replica (actually, it never quite was). Replacing “oldserver” with “newserver” — adding the proper local server name and Kerberos realm to this file — and then rebooting the server, fixed the problem.
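A quick way to spot this stale-principal condition before digging through config files is to pull the "found" and "wanted" principals out of the slapd log and compare their host parts. This is an added shell example, not from the original post; it embeds the log line quoted above as constructed sample input and assumes the principal format `service/host@REALM` shown in that message.

```shell
#!/bin/sh
# Constructed sample input: the slapd.log line quoted in the post, embedded so this runs offline.
SAMPLE_LOG='Aug 28 17:10:01 newserver slapd: SASL [conn=177] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request (found ldap/oldserver.netmojo.ca@NEWSERVER.NETMOJO.CA, wanted ldap/newserver.netmojo.ca@NEWSERVER.NETMOJO.CA))'

# Read slapd log lines on stdin; for every "Wrong principal in request" failure
# print "<found principal> <wanted principal>" on one line.
principal_pairs() {
  sed -n 's/.*Wrong principal in request (found \([^,]*\), wanted \([^)]*\)).*/\1 \2/p'
}

# Compare the host parts of a found/wanted principal pair (service/host@REALM).
# Prints "stalehost -> expectedhost" and returns 1 when they differ, 0 when they match.
stale_host() {
  found_host=${1#*/};  found_host=${found_host%@*}
  wanted_host=${2#*/}; wanted_host=${wanted_host%@*}
  if [ "$found_host" != "$wanted_host" ]; then
    printf '%s -> %s\n' "$found_host" "$wanted_host"
    return 1
  fi
  return 0
}

# Read a slapd log on stdin and report each distinct stale host name once.
# Returns 1 if any mismatch was found, 0 if the log is clean.
report_stale_hosts() {
  out=$(principal_pairs | sort -u |
        while read -r found wanted; do stale_host "$found" "$wanted" || true; done)
  [ -n "$out" ] && printf '%s\n' "$out" && return 1
  return 0
}

# Demo against the embedded sample; on a live server run: report_stale_hosts < /var/log/slapd.log
printf '%s\n' "$SAMPLE_LOG" | report_stale_hosts
```

A non-zero exit means the server is still presenting a principal for a host name other than its own, which is exactly the symptom the rootDSE edit above corrects.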