Everybody Staze…

I finally got svn working. So the “Code” tab on the title bar now works.

This is mainly thanks to this article on Apple’s developer website. It doesn’t seem to have any wrong data, even though it’s for 10.5.

I’ve updated the few links on my site, as well as the InstallRRD script I posted yesterday to reflect the change in location for these files.

Now if I could just get a resume posted, all the above links work be “valid”. Maybe in a week or two.

Wanting to get some info on mail traffic on our mail server, I wanted to get mailgraph installed and functioning on our server. While there are a few sources of info on the web on getting RRDTool installed in 10.6, one of them only deals with RRDTool 1.2, and the other is in Japanese, though it does cover RRDTool 1.4.2.

While I thought I would take the time to write up an article on how to install RRDTool 1.4.2 on 10.6, I lost interest somewhat, so I’ve just made up a basic script to install it for you. The only requirement is to install Xcode 3.2.1, and you’ll want to `sudo su -` before running the script. It will make a src directory in whatever path you run it in, download all the source, and compile it. It will log all the output to a file “build.log” in your current directory. By default, it installs everything in /usr/local. If you want to change that, you’ll need to modify the first few lines in the script.

Feel free to use, and if you want to see what it’s doing, just take a look at the script.

RRDTool install script: here

Good luck!

Not sure if anyone knows, but previous to now, my server hosting this site was a Powerbook G4, 1.67ghz, with 2GB of ram, and an 80GB HD.

It ran 10.5 Server, and all and all, ran it pretty well. I was using Marc Liyanage’s PHP build (http://www.entropy.ch/software/macosx/PHP/), and that worked fairly well. Though, the 5.3.0 install was kinda odd. This computer also served as my weather station machine, file server, power monitor, etc.

Anyway, it worked, but it was rather slow to do any real crunching on (like elaborate SQL queries, etc). Or for that matter, running mod_deflate on my site. And while it’s power usage was pretty low, and it had a built-in UPS (it’s battery) it wasn’t as good as it could be. Also, had to add Cardbus USB card to add additional ports, and making any kind of timelapse movies from my webcam images was out of the question. So, it worked, but it was pretty loaded (load averaged about 20-40%).

So, all that in mind, Tara and I have been selling random crap on eBay the last few weeks, and managed to build up enough between that,

and me cashing out some vacation from work, to buy a brand new Mac Mini Server (also traded in my old personal powerbook for some store credit).

All and all, it’s sweet. It’s significantly faster, smaller, uses less power, and is more apt to be a server than an old powerbook. =) Sure, the picture to the left makes it look pretty messy (power supply, Keyspan USB-Serial adapter, serial cable from that to weather station), usb cable to webcam, usb cable to TED, firewire to Drobo), but I’m going to clean that up and put it all up on shelves above my desk. And yeah, the pictures in the background are of me as a kid.

Load average on the new system, about 2-4%. Not to mention, the RAM doubling in the new system (with the actual potential to go to 8GB at some point in the future. And being able to run 10.6 server, and I would imagine, 10.7 server as well (whenever it ships). It’s a speedy machine. I RAID1′d the two drives, so I’m not nearly as worried about a drive crashing at this point.

And since I never really talked about it, the Drobo is pretty nice as well. It’s not as fast as it could be, but that’s really not much of an issue. It’s mainly for storing media that we watch on the PS3, or laptops. So it’s doesn’t need to be a rocket, it just needs to work, and be reliable. Right now I’ve got two WD15EADS drives (1.5TB “Green” drives). They’re pretty nice, though I worry about the head parking overly aggressively. As you can see, it’s about 70% full, so I’ll probably buy another drive in the nearish future which will give me 3TB of storage. Not too bad given my homegrown only had 1TB. I’ll do more of a write up on the Drobo in the next week or two. I wanted to wait to write it up until I got the new server, as it acted kinda odd sometimes when it was hooked to the old Powerbook.

Here’s to a new week.

UPDATE: Monday after a scheduled outage, I demoted my OD replicas to standalone (safer this way, I think), then ran `mkpassdb -kerberize` on the OD Master. About 5 minutes later, I had gone from 3500 Kerberos Principals to about 9500 (about 1500 of those are really old entries that I’ll clear out over the summer). I then added the replicas back. At that point, `kinit username` for previously failing users. We shall see.

UPDATE 2: Two days after the above, we have not seen any users having problems logging in. I will be talking to my AppleCare Enterprise friend tomorrow and seeing if he can shed some light on why AFP is trying to use Kerberos even though it’s supposed to only do “Standard” auth. More to come…

UPDATE 3: Well, that was nice while it lasted. Starting this week, on Monday, we started getting 2-3 users per day that couldn’t log in. Restarting AFP is the only way to get them logging in again. So, I’ve been doing that at about 6:45am each morning. So, I’ve got an open case with Apple at this point seeing what they can figure out. So far, it’s completely stumped them. We’ll have to see.

Starting with 10.5.7, I would occasionally see users (a small subset of users) that when they tried to login from a managed client (loginwindow, 10.5.8 client), they would get an error stating “You cannot login at this time because an error occurred”. If you then went to a computer that was unmanaged, and attempted to do a “Go-Connect to Server” and connect to the server over AFP, you would be presented with their home directory, only blank. Trying to connect over SMB would work, and everything was there.

The only way to make AFP work again would be to restart the AFP process. Obviously, this was really annoying, but I never could figure out the cause. Over the course of the summer break, we upgraded to 10.6 server, and didn’t see any instances of it.

Queue Fall term. We started seeing this problem the first week of the term, though slightly different. First, the clients are still 10.5.8 since we have about 36 PPC machines still in use (all G5 iMacs). Affected users would still get “Unable to login at this time because an error occurred”. So, I email a buddy that works for AppleCare Enterprise and forward on some log entries when it happens. Only things he sees are some IPv6 related messages (which is odd, since IPv6 is disabled), and maybe a Kerberos message… which, I don’t think much about at the time. Trying to connect to the server from “Go->Connect to Server” from an unmanaged client over AFP would result in a message saying “You do not have permission for any shares on this server”. Over SMB would result in seeing the shares, but trying to mount them would give you a permission denied error.

So, I go over my notes from the 10.5.x server days, and because it seemed to make things better with 10.5 server, I change AFP’s Authorization from “Any” to “Standard”. No change in results.

I bang my head against this for several days, trying many different options, but really don’t hit upon anything until an unrelated issue, where I am playing with some ACLs, and notice that if I “Deny” “Full Control” on a folder to a certain group, the folder disappears for that group. Not just “No access”, but it full on disappears. Huh. So many the issue is some kind of permissions thing. But, as my friend at AppleCare Enterprise mentions, the Effective Permissions Inspector (http://docs.info.apple.com/article.html?path=ServerAdmin/10.5/en/c2fs28.html) shows the permissions are fine for the user’s home folder. Okay…

So, I dig around some more, and randomly try “kinit” for an affected user. “kinit: Unable to acquire credentials for ‘user@REALM.EXAMPLE.COM’: Client not found in Kerberos database”. Hmmm. so I try for another affected user… same thing. I try it for all the users I’ve got records for having seen this issue. All are missing kerberos records. Well shit. So, I use kadmin to add a record for one of the users that’s seeing the problem (`kadmin -p admin -q addprinc user@REALM.EXAMPLE.COM` then type in the admin password, and their password twice). It adds, and after propagating, I can kinit. But, AFP still doesn’t work. Few hours later, I try AFP again, and I am allowed to mount their home, but it’s blank. Holy crap! Back to the 10.5.8 symptom. So obviously I’m getting somewhere. Later that night, I restart AFP, and suddenly the user account works perfectly. Ah ha!

K, so I get a list of all the kerberos principals on the server, ~3500. Hmm… given we have about 7600 users in the OD, that seems like a problem. But, after looking at most of the users that are seeing this, I find they’re all older user accounts. Meaning they were created when the OD Master was an older machine (G4 Xserve, or an old Quicksilver) running 10.3.9 or 10.4.x (depending on how old the accounts were). All the newer accounts seem to have Kerberos records. But, when we upgraded to 10.6 Server on the OD from 10.5, it seems ALL accounts got an attribute added that says “altSecurityIdentities: Kerberos:user@REALM.EXAMPLE.COM”. Hmm… I guess I could see this causing an issue.

So the question, other than “why do these users not have kerberos principals?” is “Why is AFP using Kerberos if it’s authorization is set to Standard?” This seems like a bug, or there’s something going on I’m not understanding. Obviously it seems the auth system in SMB changed a bit too between 10.5 and 10.6, since it used to behave differently.

Either way, I’ll be running “mkpassdb -kerberize” on the OD Master on Monday during our systems outage (there is a scheduled, 2 hour, power outage to test power resiliency on campus) (I already ran a test case on a test OD master, and it did add kerberos entries for all the users. So, that’s nice). This should hopefully resolve this issue permanently. I will update this post once I’ve kerberized all users, and things work, and I’ll update again later next week once I know whether or not it resolved the issue. I’m also expecting some info back from my friend about why this might be happening with AFP.

One thing I will say… this has really got me looking at Kerberos. Previous to this, I didn’t really use it at all on our systems. But since playing with it, it seems pretty damn cool. =)

Well, more in a few days.

UPDATE: So there was one more issue going on with this. After re-reading all the Xsan 2.2 documentation, it indicates that the primary MDC should be either a replica, or the Master OD server. In my setup, the backup MDC is the Master, but the Primary MDC is only “Connected”. Apparently this doesn’t work right. So, I made the Primary a replica, and everything now works. So, while the below is true, I’d make sure the above is also true if you’re running Xsan.

So, as I talked talked about earlier, we recently updated to 10.6 server, and along with that, Xsan 2.2.1. Since then, we’d been seeing odd ACEs (Access Control Entries) on folders that are on the Xsan, on the 10.6 Servers (the 10.5 Server saw everything just fine). But, the 10.6 Servers would see many of the ACEs as FFFFEEEE-DDDD-CCCC-BBBB-AAAA82xxxxxx (where xxxxxx is a hex equivalent of something (seemingly not the user/group id).

Removing and reapplying the ACLs wouldn’t help. Some of the ACLs would show fine, but some no matter what would show up as the above. So obviously there is an issue with the client looking up the user/group associated with that ACL (yet 10.5 works).

The solution came to me a few days ago. As I said previously, our Open Directory server has been around for a while. It started life as a 10.1 or 10.2 server, and has been upgraded since that point to 10.6 now. Any several of the groups/users have stayed the same on this system since then. Which relates to some issues I had a while back with iCal server not working for our older users. Accounts/Groups back in the 10.2 days didn’t have a UUID created and assigned to them. I fixed this for the user accounts about 10 months ago with a script that generates UUIDs and adds them to the user record. But at the time, I didn’t think of it about the groups. Now I wish I had. Once I added GeneratedUIDs to the groups that didn’t have them, and then removed and re-added the ACEs, everything seems to have worked. We still have a couple that don’t resolve right visually, but access to the files seems to work fine, so no clue why that’s happening.

All and all, kind of an annoying issue. Apple really should have their upgrade from 10.x to 10.x check for users/groups that don’t have GeneratedUIDs add them to the record, since some people have thousands of users, and have been upgrading since the days before LDAP (NetInfo is what used to hold directory info).

Ah well. So, anyone having a similar issue, check the inspector in WGM for a GeneratedUID for the group/user in question. My script linked above should easily be able to be modified to add GUIDs for groups as well.