Just this last weekend, I upgraded our primary systems from 10.5.8 Server to 10.6.2 Server, and the Xsan to 2.2.1 from 2.1.1. All in all, everything went well, though there’s been an odd issue that arose.
Since the update, I’ve seen something like the following error every 2 hours on the 10.6 machines: “Dec 25 14:03:26 server DirectoryService[29]: Misconfiguration detected in hash ‘Global GID’ – see /Library/Logs/DirectoryService/DirectoryService.error.log for details”
You look in DirectoryService.error.log, and you find:
2009-12-25 14:03:26 PST - T[0x0000000104781000] - Group 'wheel' (/LDAPv3/od.example.com) - ID 0 - UUID 9E733C05-88DE-4F83-9E09-038A887F1327 - SID S-1-5-21-4096-2147483678-1391576524-1001
2009-12-25 14:03:26 PST - T[0x0000000104781000] - Group 'wheel' (/Local/Default) - ID 0 - UUID ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000 - SID S-1-5-21-4171259825-3059450906-1974363594-1001
This error is there for several system level groups: daemon, kmem, sys, wheel, etc. Basically, the OD clients are all complaining that there is a conflict between the local group “wheel”, and the “wheel” that exists in the directory. These accounts, seemingly, shouldn’t exist within the directory, as they’re local accounts that exist on all the OD clients.
So, at this point, I think I’m safe removing them from the directory. Looking at an ldif dump of the directory, it shows these groups were created in 2003, when I upgraded the directory server from 10.2 to 10.3 (Netinfo to LDAP).
All told, there are probably 15 of these groups. They all conflict with other groups on the local directories, or are antiquated and don’t need to exist on the directory.
UPDATE: I successfully removed all of these groups, and it seems to have resolved the error messages, and had no ill effects. So, if you’re getting a bunch of the above errors, check to make sure you don’t have some weird group sitting on your directory that’s conflicting with a local system group. In general, all the groups you create should start with UID 1000 or above. There are only a few that are supposed to exist on the directory (admin, staff, domainadmins, domaincomputers, domainusers… I think that’s it).
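One way to run that check against the error log, as an added example that is not part of the original post: it parses the group lines in the format quoted above and lists directory records whose GID collides with a local group under a different UUID. The function names and the third sample line (group 'labusers') are constructed for illustration.

```python
import re
from collections import defaultdict

# Per-group line format of DirectoryService.error.log, as quoted in the post.
LINE_RE = re.compile(
    r"Group '(?P<name>[^']+)' \((?P<node>[^)]+)\) - ID (?P<gid>-?\d+)"
    r" - UUID (?P<uuid>[0-9A-Fa-f-]+) - SID (?P<sid>S-[\d-]+)"
)

# First two lines are from the post; the 'labusers' line is constructed.
SAMPLE_LOG = """\
2009-12-25 14:03:26 PST - T[0x0000000104781000] - Group 'wheel' (/LDAPv3/od.example.com) - ID 0 - UUID 9E733C05-88DE-4F83-9E09-038A887F1327 - SID S-1-5-21-4096-2147483678-1391576524-1001
2009-12-25 14:03:26 PST - T[0x0000000104781000] - Group 'wheel' (/Local/Default) - ID 0 - UUID ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000 - SID S-1-5-21-4171259825-3059450906-1974363594-1001
2009-12-25 14:03:26 PST - T[0x0000000104781000] - Group 'labusers' (/LDAPv3/od.example.com) - ID 1025 - UUID 11111111-2222-3333-4444-555555555555 - SID S-1-5-21-4096-2147483678-1391576524-3051
"""

def parse_groups(text):
    """Return one dict per group record found in the log text."""
    return [m.groupdict() for m in LINE_RE.finditer(text)]

def find_conflicts(text):
    """Map GID -> records, for GIDs defined in a /Local node and in
    another node with a different UUID (the 'Global GID' conflict)."""
    by_gid = defaultdict(list)
    for rec in parse_groups(text):
        by_gid[int(rec["gid"])].append(rec)
    conflicts = {}
    for gid, recs in by_gid.items():
        nodes = {r["node"] for r in recs}
        uuids = {r["uuid"] for r in recs}
        has_local = any(n.startswith("/Local/") for n in nodes)
        if has_local and len(nodes) > 1 and len(uuids) > 1:
            conflicts[gid] = recs
    return conflicts

def directory_entries_to_review(text):
    """Non-local records in conflict: candidates to review in the directory."""
    out = []
    for gid, recs in sorted(find_conflicts(text).items()):
        out += [(r["name"], r["node"], gid)
                for r in recs if not r["node"].startswith("/Local/")]
    return out

if __name__ == "__main__":
    for name, node, gid in directory_entries_to_review(SAMPLE_LOG):
        print(f"group {name!r} (GID {gid}) in {node} shadows a local group")
```

Review each reported record against an LDIF dump before deleting it, since the script only reports what the log already flagged.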
Good luck, and hopefully I’ll post again shortly after the new year and students return from vacation.