Everybody Staze...

Nobody leavz...

  • Home
  • About Me
    • LinkedIn
    • Lab
  • Contact
  • Links
  • Reviews
  • Sitemap
  • Weather
You are here: Home / Archives for AFP

AFP, Kerberos, and 10.6

2010/01/16 By staze

UPDATE: Monday after a scheduled outage, I demoted my OD replicas to standalone (safer this way, I think), then ran `mkpassdb -kerberize` on the OD Master. About 5 minutes later, I had gone from 3500 Kerberos Principals to about 9500 (about 1500 of those are really old entries that I’ll clear out over the summer). I then added the replicas back. At that point, `kinit username` for previously failing users. We shall see.

UPDATE 2: Two days after the above, we have not seen any users having problems logging in. I will be talking to my AppleCare Enterprise friend tomorrow and seeing if he can shed some light on why AFP is trying to use Kerberos even though it’s supposed to only do “Standard” auth. More to come…

UPDATE 3: Well, that was nice while it lasted. Starting this week, on Monday, we started getting 2-3 users per day that couldn’t log in. Restarting AFP is the only way to get them logging in again. So, I’ve been doing that at about 6:45am each morning. So, I’ve got an open case with Apple at this point seeing what they can figure out. So far, it’s completely stumped them. We’ll have to see.

Starting with 10.5.7, I would occasionally see users (a small subset of users) that when they tried to login from a managed client (loginwindow, 10.5.8 client), they would get an error stating “You cannot login at this time because an error occurred”. If you then went to a computer that was unmanaged, and attempted to do a “Go-Connect to Server” and connect to the server over AFP, you would be presented with their home directory, only blank. Trying to connect over SMB would work, and everything was there.

The only way to make AFP work again would be to restart the AFP process. Obviously, this was really annoying, but I never could figure out the cause. Over the course of the summer break, we upgraded to 10.6 server, and didn’t see any instances of it.

Queue Fall term. We started seeing this problem the first week of the term, though slightly different. First, the clients are still 10.5.8 since we have about 36 PPC machines still in use (all G5 iMacs). Affected users would still get “Unable to login at this time because an error occurred”. So, I email a buddy that works for AppleCare Enterprise and forward on some log entries when it happens. Only things he sees are some IPv6 related messages (which is odd, since IPv6 is disabled), and maybe a Kerberos message… which, I don’t think much about at the time. Trying to connect to the server from “Go->Connect to Server” from an unmanaged client over AFP would result in a message saying “You do not have permission for any shares on this server”. Over SMB would result in seeing the shares, but trying to mount them would give you a permission denied error.

So, I go over my notes from the 10.5.x server days, and because it seemed to make things better with 10.5 server, I change AFP’s Authorization from “Any” to “Standard”. No change in results.

I bang my head against this for several days, trying many different options, but really don’t hit upon anything until an unrelated issue, where I am playing with some ACLs, and notice that if I “Deny” “Full Control” on a folder to a certain group, the folder disappears for that group. Not just “No access”, but it full on disappears. Huh. So many the issue is some kind of permissions thing. But, as my friend at AppleCare Enterprise mentions, the Effective Permissions Inspector (http://docs.info.apple.com/article.html?path=ServerAdmin/10.5/en/c2fs28.html) shows the permissions are fine for the user’s home folder. Okay…

So, I dig around some more, and randomly try “kinit” for an affected user. “kinit: Unable to acquire credentials for ‘[email protected]’: Client not found in Kerberos database”. Hmmm. so I try for another affected user… same thing. I try it for all the users I’ve got records for having seen this issue. All are missing kerberos records. Well shit. So, I use kadmin to add a record for one of the users that’s seeing the problem (`kadmin -p admin -q addprinc [email protected]` then type in the admin password, and their password twice). It adds, and after propagating, I can kinit. But, AFP still doesn’t work. Few hours later, I try AFP again, and I am allowed to mount their home, but it’s blank. Holy crap! Back to the 10.5.8 symptom. So obviously I’m getting somewhere. Later that night, I restart AFP, and suddenly the user account works perfectly. Ah ha!

K, so I get a list of all the kerberos principals on the server, ~3500. Hmm… given we have about 7600 users in the OD, that seems like a problem. But, after looking at most of the users that are seeing this, I find they’re all older user accounts. Meaning they were created when the OD Master was an older machine (G4 Xserve, or an old Quicksilver) running 10.3.9 or 10.4.x (depending on how old the accounts were). All the newer accounts seem to have Kerberos records. But, when we upgraded to 10.6 Server on the OD from 10.5, it seems ALL accounts got an attribute added that says “altSecurityIdentities: Kerberos:[email protected]”. Hmm… I guess I could see this causing an issue.

So the question, other than “why do these users not have kerberos principals?” is “Why is AFP using Kerberos if it’s authorization is set to Standard?” This seems like a bug, or there’s something going on I’m not understanding. Obviously it seems the auth system in SMB changed a bit too between 10.5 and 10.6, since it used to behave differently.

Either way, I’ll be running “mkpassdb -kerberize” on the OD Master on Monday during our systems outage (there is a scheduled, 2 hour, power outage to test power resiliency on campus) (I already ran a test case on a test OD master, and it did add kerberos entries for all the users. So, that’s nice). This should hopefully resolve this issue permanently. I will update this post once I’ve kerberized all users, and things work, and I’ll update again later next week once I know whether or not it resolved the issue. I’m also expecting some info back from my friend about why this might be happening with AFP.

One thing I will say… this has really got me looking at Kerberos. Previous to this, I didn’t really use it at all on our systems. But since playing with it, it seems pretty damn cool. =)

Well, more in a few days.

Filed Under: Sys Admin Tagged With: 10.6, AFP, Kerberos, mkpassdb, Open Directory

Monday’s update

2009/07/06 By staze

So, been a few days, lots to update on.

We got the replacement drive a day late, but luckily, there were no problems. Put the new drive in, and it got marked as a spare. Kinda wish the Xserve RAID behaved like the Promises, in that the new drive would be rebuilt and the original spare would go back to being a spare, but, no big deal.

We ordered some hardware late last week. Mainly a new power supply for one server, and a new Xserve. Should be a lot of fun to play with. The Xserve has a Geforce GT120 in it, so stuff that uses OpenCL or CUDA should be able to take advantage of it. I’m looking forward to running BOINC on it when it comes in. =)

Thursday was a short day, as I got off early and headed to Walla Walla, WA for the long weekend of the 4th. We were there until Sunday. Long, hot, weekend with Tara’s family. Was nice, though kinda missed a couple of her cousins not showing up. The drive is really frickin’ long (about 350 miles), but it’s pretty. The Columbia River Gorge is, I think, one of the most beautiful places on earth. And although a lot of people seem to dislike the Windmills, I love them. They’re really “other worldly”, and graceful. Plus, they’re not polluting. There’s a coal plant out on that end of the state, and I really would love to see it removed/shutdown once there are windmills there to replace it.

Overall, good weekend.

Back at work today, it’s been fairly boring. Summer is rather slow this year. But, it’s letting us get some stuff done. I really am needed to code up some more stuff, and I’m slowly working myself out of a coders block. I just imported my car gas log into MySQL so I can update the average mileage on my site, as well as do some more nifty google API graphing. But, that’s a bit down the road. I’m really hoping I can make a nifty page for adding fuel tanks via my iPhone while I’m on the road. We’ll have to see. It’s been a long time since I’ve done any real MySQL work, but I’m relearning, and picking up new stuff this time. Hopefully there’ll be something on the sidebar pretty soon (probably tomorrow).

For work coding, I need to get quotas going… but that means I need to get something setup to email all the over quota people telling them they need to get stuff off the system. All and all, about 210 people (out of 1600) use about 50% of the space on our system (enforcing quotas for those users would free up 3TB of storage. About 6TB total is used right now).

Once I get them under control, I might even be able to do some type of backups of user data *shock*. Really not sure about that though.

On the AFP front, I’ll say that the current attempt to address the issue seems to be working. AFP has been running successfully for over 5 days now, and today we had about 45 users logged in (which is, I think, the highest usage this summer). I’m going to see if we can get a few users using Mail.app tomorrow to increase the load on the system, and see if that tickles any bugs.

I hope to add more plants to my list in the next few days. So far I’ve only added the one that I remember specifically where I got, etc.

Alright, that’s it for tonight. More later this week.

Filed Under: Sys Admin, Travel, Work Tagged With: 4th of July, AFP, BOINC, MySQL, quotas, Xserve, Xserve RAID

Goings on

2009/06/07 By staze

This weekend has been pretty good, and pleasantly (un)eventful. Got the yards mowed, pruned front tree (we call it “the ugly tree” because it leafs out late, drops leaves early, and has little leaflets that don’t rake up because they’re too small), a Gleditsia triacanthos inermis, or Thornless Honey Locust. The interesting thing is, this year is the first time the tree has flowered since we’ve lived here. So, it must be healthier than it has been. We’ll see if it sets any fruit. =/

I also planted some Glycine Max, or Edamame (variety Misono Green) in a raised bed. I planted 6 plants, hopefully I’ll get some nice Edamame out of it. =) I’d love to try making Tofu. Here’s some info on growing beans in the Valley: OSU Extension.

Work has wound down at this point. At the J-School, most projects are due dead week, and there are few finals. So, most students will be gone next week. Which means I should be able to start on my summer projects. I’ll probably start building a new image from scratch starting tomorrow.

Progress with AppleCare has kinda stalled. I ran some software they wanted, and got them more info. At this point, sounds like a 10.5 fix is unlikely. Hopefully we’ll see a fix in 10.6, but they can’t tell me one way or the other given Apple’s rather over zealous policies given unreleased products. We’ll see what happens. At this point, I’m looking at implementing NFS home directories as a short term “stop gap”. We’ll see how that goes… right now, I can’t get it to work at all.

Tomorrow is the WWDC keynote. My boss is betting we’ll see the new iPhone, the 3.0 iPhone OS, and possibly even 10.6 (or rather, a release date for 10.6). The rumor sites are saying a new beta build will be released to attendees… perhaps the last before GM. Who knows… I’d love to update to a new phone, since mine has been really laggy the past few weeks… but, I’m hoping 3.0 will help with that. I think the 2.x OS could use some help with memory reclamation after exiting an App. =/

The weather here is supposed to be fairly mild the next week. I’m hoping to get a bunch of yard work done before it warms up again. I’ve been trying to the last 2 years to remove the Morning Glory (Convolvulus sepium) from the yard. From reading online, it sounds like it’s nearly impossible. You just have to continually remove it. Unfortunately, it sounds like it’s pretty efficient at food storage, so just a few leaves can replenish food stores.

This is a pretty good PDF on Invasive Plants in the Willamette Valley: Remove Invasive Plants.

More later… maybe once I have some progress on NFS Home directories at work I’ll post again.

Filed Under: Gardening, Home Ownership, Work Tagged With: 10.6, AFP, AppleCare, Convolvulus sepium, Edamame, Gleditsia triacanthos inermis, Glycine Max, iPhone, Morning Glory, NFS, Snow Leopard, Thornless Honey Locust, Tofu, WWDC

Next Page »

Weather

Categories / Archives

  • Apple
  • Coding
  • Electronics
  • Energy
  • Home Ownership
  • Miscellany
  • Politics
  • Prius
  • Sys Admin
  • Travel
  • Uncategorized
  • Work
  • June 2026
  • April 2026
  • August 2025
  • April 2025
  • January 2024
  • February 2021
  • July 2020
  • January 2020
  • April 2019
  • March 2018
  • February 2018
  • June 2017

Copyright © 2026 · Staze On Genesis Framework · WordPress · Log in