Tips May 28, 2008 at 8:46 pm

10.5.3 Server: Did they fix it yet?

Today marks the release of 10.5.3 Client and Server. There have been a few nasty bugs in Leopard Server that have given us a headache or two. The primary being being the Directory Services issue with AFP connections. The other one I wrote about awhile ago was in Server Admin and creating DNS records. According to the release notes these bugs and more are eradicated. As well as AD binding issues, DHCP, Software Update Server, Password changes and augment directory records. You can read about it in detail here and download the combo updater to boot:

 Please post comments back to see if you 10.5 Server annoyances are gone. I know I have quite a few things to test this week.

(Ed. Note. One of our favorite additions in 10.5.3 is the ability to create augment records in WGM now. So all you advanced server config users rejoice!)

No Comments

  • Fixed my CoreServices bug. It seems to have fixed my slowness with authentications on the client (I have OD, not AD.) It fixed some DNS/Server Admin annoyances. We’ll see what else it fixed tomorrow.

    It apparently broke mailman/Server Admin. I can manually start it, though.

  • Still can’t authenticate across child domains. Had to do a bit of begging (actually surprisingly little begging) with the windows admins to bind into the top level domain. I’m completely lost why Apple’s not been more aggressive with this bug.

  • I upgraded my Mini server at home this morning and it broke my mail config such that services wouldn’t start automatically after reboot. In the log it was complaining about incorrect permissions on /var/spool/postfix/pid/ so i removed that but still no dice. In the end I got it going by using launchctl to manually start clam & amavisd and restarting postfix – but now it appears that the connection with the local directory service is broken as all mail is rejected with ‘user unknown’ – so it looks like i have more work to do this evening when i get home. Not a seamless upgrade to the mail service then. (my config is nothing weird either, very basic just about out-of-the-box setup)

    As it’s just my home server for my own use i’m not too concerned – but i worry about my work Xserve and the hundreds of users i have screaming at me to get our friend the AppleFileServer bug fixed – i’m not sure whether to upgrade now (it couldn’t be any worse, could it?) or wait and see… hmmmm…

    • Update: looks like changes to postfix config is what did it.. specifically the addition of reject_unknown_recipient_domain to the smtpd_recipient_restrictions parameter. Removed that and the mail is accepted again.. I’m going to do a bit more digging to try and find out why – i’m not using virtual domain hosting (yet) but i had already tried putting a fully-qualified email address into my record in WGM which i thought would’ve meant the mail was accepted. ah don’t you love working it out as you go along.

      (I’ve only just got Leopard mail services running in the last couple of weeks on my home server and at a client.. I’m working on an article about my experiences coming from years of Linux/sendmail experience to being an OSX/Postfix newbie 🙂

  • Just did the updates on my Leopard test server and client with Mobile Homedirectory. Syncing goes not good….it went back in time…..

  • YES !!! AFP works now as expected from AFP. This is a huge improvement. At least !

  • As usual, however, Apple broke my PHP installation, which is nothing more than PHP+GD. Preserve your sanity and backup your php goodies:

    sudo cp /usr/libexec/apache2/ /usr/libexec/apache2/
    sudo cp /usr/bin/php /usr/bin/php.old

    so you can restore them.

    What torques me off the worst is that the release notes mention nothing about screwing around with the PHP installation. Anybody know if it’s 5.2.6 that gets installed or not? (I didn’t bother to check. I was seeing red at the time and just needed to get it back up and running.)

  • Preliminary testing with client indicates that AD integration took a step backward from 10.5.2. While I can bind/create machine account in specified OU, Directory Utilty indicates AD directory node not responding. Both dscl and id commands confirm lack of AD integration. I’m thinking my testing with server will be similar. I’m really hoping for feedback that will demonstrate a configuration error on my end. Not getting good vibes from 10.5.3.

    • I can confirm this as I had a bug report in with the seeds for this same issue here. Glad to hear it wasn’t just me.

      I’ve done tonnes of troubleshooting and log reading and I’m seeing something about kerberosClient configurations missing. The strange thing is I can usually do a kinit or user the to get kerberos tickets, and can often even use id to identify an AD user, but I can’t use DSCL and I can’t login as an AD user. It’s intermittent though – some machines work fine, others don’t. Sometimes an unbind/rebind will do the trick. And sometimes a machine will work to start with, but then stop working. I’m also seeing errors about an inability to preauthenticate the computer.

      Hopefully this can get resolved soon (although I for one am starting to lose faith – this is serious stuff to be broken).

      ACSA, ACTC and Hardware Certs

    • For whatever it’s worth, if anyone wants to reference the open bug I have, it’s bug # 5931934

      ACSA, ACTC and Hardware Certs

    • I was able to do a bit of testing on my simple test AD domain at home (virtualized W2K3 on Mac mini). I was able to bind and verify successful status using id and dscl. I did not experience the consistent problem I see at work (both client and server).

      Differences? Work domain is one very large domain, many DC’s (W2K3/W2K mix). Home domain is one tiny W2K3 DC/Domain. Time skew, DNS look great both at home and work. Account used to join is a Domain Admin at both locations, security on OU looks similar. Looking into Domain Security differences, if any.

      Thoughts? I’m trying to work with support (somewhat different case), but really not feeling the love. I wish there was a legit place to discuss seed releases (AppleSeed?), as I’m not sure that engineering is listening. Sorry to rant a bit.

      • Just a brief status update. On the (large) work domain, I was able to update two 10.5.2 AD bound Macs (1 client, 1 server) to 10.5.3 and they maintained their integration with AD. I’ll be interested in their behavior over time. Haven’t tested unbinding/rebinding at this time (worried about this).

        So, one of the primary issues that I am experiencing on the work domain is the the inability to successfully bind fresh 10.5.3 installs, both client and server. I have tried what I believe to be most/all variations of tick boxes, processes (i.e. cli dsconfigad, pre-staging machine account, etc). Only machines previously bound appear to maintain their successfully integrated state.

        Here’s one other issue that we have been experiencing that I haven’t been able to test yet with 10.5.3. Server is in magic/golden triangle configuration, works well for awhile, then AFP becomes dysfunctional in relation to AD accounts (local and OD Master accounts continue to work). SMB continues to work with AD accounts during this period of AFP/AD depression. I have been successful with the following work-arounds: stop/starting AFP, killall Directory Service, rebooting the server, and also on occasion needing to unbind/rebind to AD. Again, this has been with 10.5.2.


        • I wanted to make a quick comment relating to the issue with binding 10.5.3 and my work domain. I have had assistance in determining that disabling packet signing and encryption (dsconfigad -) prior to binding resolves this issue. Evidently some changes were made in 10.5.3 around the area of packet signing and/or encryption. Were still at the early stages regarding this discovery so I don’t have much more information. That said, this will allow me to test the 10.5.3 server update in relation to the AD/AFP issue we have been experiencing with 10.5.2 server.


  • Since I’m quick to complain when Apple breaks something or doesn’t fix a bug, I should also note that they DID fix the issue with the AD plugin not cacheing group members – that now works, so I don’t lose all my MCX settings when I take a computer off the network. At least to a point – it caches members of an AD group, but not members of a group within a group, but at least it’s useable now, which it wasn’t in 10.5.2.

    ACSA, ACTC and Hardware Certs

  • Applying the ComboUpdate to a very young and clean (not yet deployed) dual xeon server had it froze during the reboot(s).

    Even the LOM interface was not responding (and the server saw in a remote location:(
    – It had the spinning (grey) wheel of death.

    Still looking forward to the testresults of AFP+OD master combo…

  • Leopard server must be the worst version ever released. I dont think this OS will be ready before 10.5.6. NOTHING works properly. Tiger Server is a breeze compared to the Leopard catastrophe!

  • Well I don’t see where you can augment records in WGM with 10.5.3… updated it don’t see how you can do it. I did see they fixed augmented records with Server Preferences so you can have it auto augment users from an AD group. It runs like every 30min or so and delete users deleted from the AD group, so it cleans up after it self… not sure what process it is or what it uses.

    I see the release notes… but I don’t see how to do it… anyone else?


  • Augment record import is super sweet. Just wish they had put a gui section to edit the home directory attribute. We cannot edit the UNC path for our users and I was looking forward to an easy way to use augment records to bridge this gap.


  • I completely agree with the poster that said this is the worst Apple OS release ever. 10.4 had its fair share of bugs, but at least it didn’t pretend to be something it wasn’t (except for with regards to AD support which broke continuously). 10.5 makes so many false promises that I honestly consider it to be more of an Alpha release than even Beta. I don’t know how many people here are WDC members that tested 10.5 when it was in development, but what they were calling Beta was more of a pre-testing product (huge chunks of programs were missing up until the final months before release).

    • You forgot about 10.0, the release so bad that they gave 10.1 away for free.
      You also forgot about System 7.5.x- the releases would crash on a more frequent than daily basis. Not just a process, but the whole machine.

      10.5 has more warts than 10.4, that’s for sure. However, it is by no means Apple’s worst OS to date. And I am _very_ happy with 10.5.3 client and server, despite the couple of bug reports I have submitted.

  • Updated Thursday night to 10.5.3, on a clean, freshly installed copy of Leopard Server. Downloaded fine, then clicked Install. However wouldn;t accept my administrative username and password. Tried 3 times, then it started installing and optimising etc. Upon reboot, loss of consciousness. Dead, no repsonse. No network, No SSH, No VNC, No Server Admin, or Server Tools. Had to drive to datacentre to manually reboot. LOM seems to be fine now, still looking at logs though. Dodgey as update.

  • I was able to get the auto update to work in WorkGroup mode and System Preferences but not in Advanced Mode. Still trying to find the process that runs every hour or so to update the records….


  • Server Admin running on client systems had a bug in which SUS updates would show the wrong description if the list was re-sorted. This is now fixed in 10.5.3.

    I can now log in locally to a 10.5 server with an AD account, it was grabbing the wrong DC’s before. I can also now auth via AFP as an AD user (probably related my previous problem).

    Patrick Gallagher
    ACSA, RHCT, A+, Network+

  • Fixed: 10.5.3 Server upgrade seems to have fixed kerberos sso SMB volume mounting for 10.5 servers that are bound to AD.

    Did not fix: Netboot service light in Server Admin turns silver upon booting netboot clients. This has been a problem since 10.4, 10.3. was fine – go figure. Have to still resort to cli for netboot administration.

  • While the WGM Augment Record creator is an improvement, many things are still broken. It seems like large AD groups still cause it grief (issues with Ranged results maybe?) If I search by name I cannot find my id in AD (60,000 users), but if I search by UID it finds it. (‘id’ and ‘dscl’ find it okay). Trying to add augments for a large group does nothing — though this seems to happen even for medium sized groups (i.e. not ranged —
    I had one server which hung during the upgrade, it rebooted into an odd state, but was able to complete the upgrade and appears to be okay.

  • After my update to 10.5.3 (server), I’ve experienced a number of annoying new issues.

    First my user (open dir) will no longer authenticate, other users will auth so it is very curious.

    And I’m getting PRNG not seeded error for all users outbound ssh attempts, and no inbound ssh attempts work either.

    It feels like my Open directory db has been fouled, but also my local root passwd was also fouled and set to the same as local admin user.

    trying reinstall now. fingers crossed.

  • when any windows user try to connect to file server (mac os 10.5.2) it doesn’t authenticate.
    at first i thought they’ve forget or badly enter their password, when i asked users to come and change password (that meet the password policy), it gives the same result, authentication refused.
    to solve it, i ought to put a simple password “abc” or “123” then asked user to put the old password… the surprise that it now works… it was fun to ask everybody to pass by to see old co-workers 🙂

    • it might work in other case may be, but not with me. I applied these commands, and unfortunately all windows users can’t log again.. I should ask them to pass again to retype their password or, simply restoring the last backup tape..
      I’ve chosen the last, am not free for receiving guest that day

      thanks any way.. 🙂

  • I’m having trouble with my printers not getting properly distributed via MCX.
    Apparently a lot of people are.
    Old printers not getting deleted, new printers not appearing, changes not getting updated, etc.

    It might be time to blow it away and try a fresh install again. I’m getting pretty sick of doing that though.

  • There was a bug that prevented Podcast Producer from posting to Wiki Server blogs if you were using AD accounts. This was fixed. In all, 10.5.3 is the first usable version of Leopard Server for us.

  • I’m having a huge headache with inherited POSIX permissions for share points (AFP and SMB!). Setting inherited POSIX permissions seems to be totally ignored by the server, regardless how they were set (vie GUI with Server Admin 10.5.2, or via CLI with sharing).

    Talking to a Apple Tech on the hotline cleared this problem up a little:

    In OS X Server 10.5.3 ACLs are activated by default. What’s worse: they cannot be turned of – at least not with Server Admin 10.5.3, in which this option has been deactivated! The Apple Tech claimed that Server Admin 10.5.2 still provides the option, and that it should still work. However, support for inherited POSIX permissions will be faded out and not return in subsequent versions of OS X server. Given that ACLs seem to be buggy for SMB users (as reported in an earlier post) this is not good news for simple collaborative file sharing setups.

  • Hhhhhmmm…. I’m not sure but this may help explain some of the ACL / SMB problems:

    “The smb.conf file is updated to include the line “acl check permissions = no” in order to provide expected permissions behavior for Windows clients connecting to the SMB service.”

    quoted from

Leave a reply

You must be logged in to post a comment.