Restoring Open Directory from Time Machine on Mountain Lion
Erik, posted on Thursday, June 20, 2013 at 8:00PM

I just ran across an ugly situation where my Open Directory account went bad and was refusing to log in to any services.
I was seeing these repeated errors in the System log:
Jun 20 18:40:51 www.infrageeks.com PasswordService[168]: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: no entries found for d24bd7b0-d8a7-11e1-ad93-000c29b10837
Jun 20 18:40:51 www.infrageeks.com log[3195]: auth: Error: od(erik,192.168.2.222): Credential operation failed because an invalid parameter was provided.
Jun 20 18:40:51 www.infrageeks.com log[3195]: auth: Error: od(erik,192.168.2.222): authentication failed for user=erik, method=CRAM-MD5
And the Password Service log was full of:
Jun 20 2013 16:25:24 74348us USER: {0xd24bd7b0d8a711e1ad93000c29b10837} bad ID.
These were all of my various devices trying to catch up on mail.
So the obvious thing to do is restore Open Directory from an archive. But I know that I had made a number of changes since the last archive operation (yes, bad me), so I needed another way to get this back up and running quickly.
I do back up the server using Time Machine, SuperDuper and zfs snapshots, so I could easily do a full rollback to a previous point in time, but I would also lose whatever mail had arrived in the meantime. And the problem is so specific that I should be able to fix it by restoring just the Open Directory data.
So here’s how to restore your Open Directory from a Time Machine backup. Some steps can be accomplished in different ways, but this is probably the easiest way overall.
- On the server, go to the Time Machine menu item and select Enter Time Machine. This will mount your Time Machine disk image automatically.
- On another machine, open up an ssh session to the server as an administrator (or you can mount the Time Machine backup image manually and do this locally).
- Run sudo bash to get a root shell (the Open Directory files are not accessible to a regular admin account).
- Stop the Open Directory service with “serveradmin stop dirserv”.
- cd to /Volumes/Time Machine Backups/Backups.backupdb/servername
- Here you will find a list of directories, one per Time Machine backup session. Find one that is from just before OD started going south, cd into it and descend to:
- /Volumes/Time Machine Backups/Backups.backupdb/servername/date/servername/private/var/db
- Then sync the data from the backup onto the live disk with:
- rsync -av openldap/ /private/var/db/openldap/
- Start the Open Directory service with “serveradmin start dirserv”.
You should be back in business.
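The same procedure as a script, added here as an example and not part of the original post. It picks the Time Machine session named just before the time OD went bad, copies that session's private/var/db/openldap over the live one with rsync (falling back to cp where rsync is absent), and keeps the broken copy next to it so the change can be undone. It assumes the session directory names that Time Machine uses (YYYY-MM-DD-HHMMSS) and the Backups.backupdb/servername/session/servername/private/var/db/openldap layout from the post; the backup tree that build_demo_tree creates is constructed sample data so the script can be exercised without a real Time Machine volume. On the real server it has to run as root with the directory service stopped, exactly as in the steps above.

```shell
#!/bin/sh
# Added example, not code from the original post. Scripts the manual restore:
# choose the Time Machine session just before the breakage and copy its
# private/var/db/openldap over the live one.
# Assumed layout (matches the post): Backups.backupdb/<servername>/<YYYY-MM-DD-HHMMSS>/<servername>/private/var/db/openldap
set -eu

# Print the newest session directory whose name sorts before CUTOFF (YYYY-MM-DD-HHMMSS).
# Only real session names are considered, so Time Machine's "Latest" symlink is ignored.
pick_session() {
    ls "$1" | awk -v cutoff="$2" '
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]$/ \
            && $0 < cutoff && $0 > best { best = $0 }
        END { if (best == "") exit 1; print best }'
}

# Restore openldap from the chosen session into TARGET (normally /private/var/db/openldap).
# Usage: restore_openldap HOST_BACKUPS SERVERNAME CUTOFF TARGET
# Run as root with Open Directory stopped ("serveradmin stop dirserv"). Prints the session used.
restore_openldap() {
    _host_backups=$1; _server=$2; _cutoff=$3; _target=$4
    _session=$(pick_session "$_host_backups" "$_cutoff") \
        || { echo "no Time Machine session before $_cutoff" >&2; return 1; }
    _src="$_host_backups/$_session/$_server/private/var/db/openldap"
    [ -d "$_src" ] || { echo "no openldap directory in session $_session" >&2; return 1; }
    # Keep the broken copy aside so the restore can be undone.
    if [ -d "$_target" ]; then
        [ ! -e "$_target.pre-restore" ] || { echo "$_target.pre-restore already exists" >&2; return 1; }
        cp -Rp "$_target" "$_target.pre-restore"
    fi
    mkdir -p "$_target"
    if command -v rsync >/dev/null 2>&1; then
        rsync -a "$_src/" "$_target/"       # the post's rsync -av, without the file listing
    else
        cp -Rp "$_src/." "$_target/"        # fallback for hosts without rsync
    fi
    echo "$_session"
}

# Build a constructed backup tree (sample data, not a real Time Machine volume) under DIR.
# Two sessions predate the breakage and hold a good database; the last one is already bad.
build_demo_tree() {
    _root="$1/Backups.backupdb/srv"
    for _s in 2013-06-18-020000 2013-06-19-200000 2013-06-20-190000; do
        _db="$_root/$_s/srv/private/var/db/openldap/openldap-data"
        mkdir -p "$_db"
        case $_s in
            2013-06-20-*) echo corrupt > "$_db/id2entry.bdb" ;;
            *)            echo "good $_s" > "$_db/id2entry.bdb" ;;
        esac
    done
    ln -s 2013-06-20-190000 "$_root/Latest"   # Time Machine's usual symlink; must be skipped
    # The live (broken) copy, with one file that exists only there.
    mkdir -p "$1/live/openldap/openldap-data"
    echo corrupt > "$1/live/openldap/openldap-data/id2entry.bdb"
    echo stale > "$1/live/openldap/openldap-data/extra.bdb"
    echo "$_root"
}

# Stand-alone run: the errors in the post start at 18:40 on June 20, so cut off there.
DEMO=$(mktemp -d)
ROOT=$(build_demo_tree "$DEMO")
restore_openldap "$ROOT" srv 2013-06-20-184000 "$DEMO/live/openldap"
cat "$DEMO/live/openldap/openldap-data/id2entry.bdb"
rm -rf "$DEMO"
```

Two details worth knowing before running this for real: rsync without --delete (the post's invocation, kept here) leaves files that exist only in the live copy in place, which the extra.bdb file in the demo shows, and the cutoff must be the time the log errors began, not the time you noticed them, or the script will happily restore a session that already contains the bad database.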


Reader Comments (6)
Followed this process when OD was throwing
unable to open the requested node 14006
Worked great.
Thanks!
Life saver. Thanks for the write-up. I knew the openldap archive was somewhere, just didn't know where in the TM backup!
You saved my tail. Thank you very much for posting this.
Works on 10.10 too.
Many thanks...
You saved my life. It worked perfectly and saved me oh so much work. I owe you a root beer if we ever meet :)
Thanks for posting. I was having this error:
PasswordService: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: no entries found for ...
I was unable to stop the Open Directory Service with “serveradmin stop dirserv”. Luckily I did make a backup in 10.7's "Server Admin.app".