As of late I acquired a nice Mac Pro with Mac OS X Server 10.4.7 Universal binary…
Everything checked out fine until port 626 and serialnumberd reared their respective ugly heads.
1) I have 2 machines running: one running the classic server install with its own serial number, the other running Mac OS X client. Both have Server Admin installed in the same version.
2) On startup and on server warmup serialnumberd does not seem to have a problem, then all of a sudden it mentions it fails because of the firewall I set up… Let me remind you that serialnumberd opens port 626 on UDP, looking for another machine with the same serial number mucking around; that is not the case here. However, I have set up address ranges to keep kiddies off my ssh's back. My home range is allowed all types of traffic, as stated in the Server Admin GUI. All other channels are authorized case by case as needed…
My question would be: since serialnumberd creates its own 00001 firewall rule allowing UDP 626 to be opened, there should be no more need to have a 12307 rule allowing that port to be opened, right? Plus, since we are running free on a local basis, a Server Admin application within the network range would not meet any firewall problems, correct?
Then I am getting this log entry in system.log:
Sep 13 00:03:57 mox servermgrd: servermgr_info: [71] SNCheck(“server serial number”) failed with 5
ipfw show returns the following:
00001 0 0 allow udp from any 626 to any dst-port 626
00010 13554 4217091 divert 8668 ip from any to any via en0
01000 71082 12141714 allow ip from any to any via lo0
01010 0 0 deny ip from any to 127.0.0.0/8
01020 0 0 deny ip from 224.0.0.0/4 to any in
01030 0 0 deny tcp from any to 224.0.0.0/4 in
12300 11880 4017707 allow tcp from any to any established
12301 7 420 allow tcp from any to any out
12302 1786 217833 allow udp from any to any out keep-state
12303 0 0 allow udp from any to any in frag
12304 69 4140 allow tcp from any to any dst-port 311
12305 0 0 allow tcp from any to any dst-port 625
12306 48 3312 allow icmp from any to any icmptypes 8
12307 48 3312 allow icmp from any to any icmptypes 0
12308 0 0 allow igmp from any to any
12309 6 336 allow icmp from any to any icmptypes 3,4,11,12
12310 0 0 allow tcp from any to any dst-port 407
12310 0 0 allow udp from any to any dst-port 407
12311 0 0 allow tcp from any to any dst-port 427
12311 4 308 allow udp from any to any dst-port 427
12312 0 0 allow tcp from any to any dst-port 443
12313 0 0 allow gre from any to any
12314 0 0 allow esp from any to any
12315 0 0 allow tcp from any to any dst-port 53
12315 57 3596 allow udp from any to any dst-port 53
12316 0 0 allow tcp from any to any dst-port 53 out keep-state
12316 0 0 allow udp from any to any dst-port 53 out keep-state
12317 0 0 allow tcp from any to any dst-port 88
12317 0 0 allow udp from any to any dst-port 88
12318 0 0 allow tcp from any to any dst-port 106,3659
12318 0 0 allow udp from any to any dst-port 106,3659
12319 0 0 allow tcp from any to any dst-port 110
12319 0 0 allow udp from any to any dst-port 110
12320 0 0 allow tcp from any to any dst-port 113
12321 0 0 allow tcp from any to any dst-port 115
12322 0 0 allow tcp from any to any dst-port 143
12323 0 0 allow udp from any to any dst-port 192
12324 0 0 allow tcp from any to any dst-port 201-208
12325 0 0 allow tcp from any to any dst-port 993
12326 0 0 allow tcp from any to any dst-port 995
12326 0 0 allow udp from any to any dst-port 995
12327 0 0 allow tcp from any to any dst-port 5222
12328 0 0 allow tcp from any to any dst-port 5223
12329 0 0 allow tcp from any to any dst-port 5269
12330 0 0 allow tcp from any to any dst-port 5190
12330 0 0 allow udp from any to any dst-port 5190
12331 156 18563 allow udp from any to any dst-port 5353
12332 0 0 allow tcp from any to any dst-port 8000-8999
12333 0 0 allow tcp from any to any dst-port 8080
12334 0 0 allow tcp from any to any dst-port 9006,8080,8443
12335 0 0 allow tcp from any to any dst-port 20-21
12336 0 0 allow udp from any to any dst-port 161
12337 0 0 allow tcp from any to any dst-port 389
12338 0 0 allow tcp from any to any dst-port 687
12339 0 0 allow tcp from any to any dst-port 660
12340 0 0 allow tcp from any to any dst-port 1085
12340 0 0 allow udp from any to any dst-port 1085
12341 0 0 allow icmp from any to any
12342 0 0 allow tcp from any to any dst-port 80
12343 0 0 allow tcp from any to any dst-port 123
12343 0 0 allow udp from any to any dst-port 123
12344 0 0 allow udp from any to any dst-port 513
12345 3 315 allow ip from myiprange/28 to any
And I found this in /Library/Logs/SerialNumberSupport.log:
Wed Sep 13 01:36:12 2006: LOGERR: The local firewall has more than one rule #1! Assuming (UDP 626) blocked.
Wed Sep 13 01:40:18 2006: LOGERR: Local firewall NO LONGER has our port (UDP 626) blocked.
Great news… daemon, I did not put that rule in, thanks, you did.
Merry Xmas, no other rule on port 626 is being applied either.
Is there any way to make the poor thing see reason and have it not assume the port is being blocked when it is wide open? My guess would be that the daemon, seeing there might be something related to its port somewhere, ends up sawing off the branch on which it sits.
Any enlightenment would be more than welcome on the subject…
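The two things the post above is really asking are (a) what the ipfw chain actually does to a UDP datagram aimed at port 626, and (b) what serialnumberd's own check is keyed on, which per the SerialNumberSupport.log line is simply "how many rules are numbered 1". The following is an added example, not code from the original post or from Apple: a small first-match evaluator for `ipfw show` output, fed with a constructed excerpt of the listing above. The `myiprange/28` network is redacted in the post, so a documentation range (192.0.2.16/28) stands in for it; the default action for packets that reach the end of the chain is an assumption (deny is used here, as a parameter); `divert`, `keep-state` and `icmptypes` are deliberately simplified, as noted in the comments.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt of the `ipfw show` output quoted in the post. Only the
# lines that matter for UDP 626 are kept; 192.0.2.16/28 is an assumed
# stand-in for the poster's redacted "myiprange/28".
SAMPLE_IPFW_SHOW = """\
00001 0 0 allow udp from any 626 to any dst-port 626
00010 13554 4217091 divert 8668 ip from any to any via en0
01000 71082 12141714 allow ip from any to any via lo0
01010 0 0 deny ip from any to 127.0.0.0/8
12300 11880 4017707 allow tcp from any to any established
12302 1786 217833 allow udp from any to any out keep-state
12303 0 0 allow udp from any to any in frag
12304 69 4140 allow tcp from any to any dst-port 311
12305 0 0 allow tcp from any to any dst-port 625
12315 57 3596 allow udp from any to any dst-port 53
12345 3 315 allow ip from 192.0.2.16/28 to any
"""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    direction: str = "in"      # "in" or "out"
    iface: str = "en0"
    established: bool = False  # TCP flag, only meaningful for tcp
    frag: bool = False         # non-first IP fragment


@dataclass
class Rule:
    number: int
    action: str                 # allow | deny | divert
    proto: str                  # ip matches everything
    src: str                    # "any" or CIDR
    sport: Optional[int]        # ipfw puts a bare source port right after the source
    dst: str
    dports: List[Tuple[int, int]]  # from "dst-port a,b-c"
    via: Optional[str]
    opts: List[str]             # in / out / established / frag / keep-state ...


LINE_RE = re.compile(
    r"^(\d+)\s+\d+\s+\d+\s+(allow|deny|divert\s+\d+)\s+(\S+)\s+from\s+(\S+)"
    r"(?:\s+(\d+))?\s+to\s+(\S+)(.*)$"
)


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out


def parse_rule(line: str) -> Rule:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ipfw line: " + line)
    number, action, proto, src, sport, dst, rest = m.groups()
    tokens, dports, via, opts, i = rest.split(), [], None, [], 0
    while i < len(tokens):
        if tokens[i] == "dst-port":
            dports = parse_ports(tokens[i + 1]); i += 2
        elif tokens[i] == "via":
            via = tokens[i + 1]; i += 2
        elif tokens[i] == "icmptypes":   # type list ignored: no ICMP rules in the sample
            i += 2
        else:
            opts.append(tokens[i]); i += 1
    return Rule(int(number), action.split()[0], proto, src,
                int(sport) if sport else None, dst, dports, via, opts)


def parse_ipfw_show(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dports and not any(lo <= pkt.dport <= hi for lo, hi in rule.dports):
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if "in" in rule.opts and pkt.direction != "in":
        return False
    if "out" in rule.opts and pkt.direction != "out":
        return False
    if "established" in rule.opts and not pkt.established:
        return False
    if "frag" in rule.opts and not pkt.frag:
        return False
    return True   # keep-state is treated as a plain match (no state table modelled)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, int]:
    """First match wins, as in ipfw. A divert rule hands the packet to natd and it
    re-enters the chain, so it is treated as non-terminating here. The default
    action for the implicit rule 65535 is an assumption, hence the parameter."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.action != "divert" and rule_matches(rule, pkt):
            return rule.action, rule.number
    return default, 65535


def rule_one_count(rules: List[Rule]) -> int:
    return sum(1 for r in rules if r.number == 1)


def serialnumberd_assumes_blocked(rules: List[Rule]) -> bool:
    """The heuristic the SerialNumberSupport.log message spells out: more than one
    rule numbered 1 means 'assume UDP 626 blocked', whatever the rules say."""
    return rule_one_count(rules) > 1
```

Running the constructed chain shows what the listing already hints at: rule 00001 only matches datagrams that come *from* port 626 as well as to it (the daemon's own peer probe), so a Server Admin client connecting from an ephemeral port is not covered by it at all and only gets through via the poster's 12345 "allow ip from myiprange/28" rule or an explicit per-port rule. It also shows the disconnect the poster complains about: duplicating rule 1 (which ipfw happily accepts, exactly as it accepts the duplicate 12310/12311/12315 numbers in the listing) flips the daemon's "assumed blocked" verdict while actual evaluation still allows the probe.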
I think it may be more of a MacIntel problem. I just had the same problem with OS X Server 10.4.7 on a new Mac Mini.
My firewall config has port 626 UDP open on all locations. If I turn the FW on, Server Admin stops working.
Sep 23 23:21:54 server servermgrd: servermgr_ipfilter:ipfw config:Notice:Disabled firewall
Sep 23 23:21:55 server servermgrd: servermgr_ipfilter:ipfw config:Notice:Flushed rules
Sep 23 23:21:56 server servermgrd: servermgr_ipfilter:ipfw config:Notice:Enabled firewall
Sep 23 23:24:09 server servermgrd: servermgr_info: [49] SNCheck(“SERIAL NUMBER DELETED…”) failed with 5 (: )\n
Seems like the serial number checking part slipped past the QA team. The entire serial number is echoed into syslog (which is world readable), and the developer didn't even hide his “new line” escape…
This problem goes away when I turn off the FW altogether. I hope Apple can post a patch promptly…
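The leak the previous comment points at is easy to confirm and to scrub. What follows is an added example, not code from the original thread or from Apple: a small filter that pulls the `SNCheck("...")` argument out of syslog lines, reports it, and returns a redacted copy. The log lines are constructed to match the shape of the ones quoted above; the serial number in them is an invented placeholder. Both straight and curly quotes are accepted, because the lines as pasted into this page carry curly quotes while a real system.log carries straight ones.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the two servermgrd lines quoted in this thread.
# "XSVR-000-000-X-XXX-XXX" is an invented placeholder, not a real serial.
SAMPLE_SYSLOG = [
    'Sep 23 23:21:56 server servermgrd: servermgr_ipfilter:ipfw config:Notice:Enabled firewall',
    'Sep 23 23:24:09 server servermgrd: servermgr_info: [49] '
    'SNCheck("XSVR-000-000-X-XXX-XXX") failed with 5 (: )\\n',
]

# Accept "..." as written by syslog and “...” as it appears after web extraction.
SNCHECK_RE = re.compile(r'SNCheck\(["“]([^"”]*)["”]\)')


def find_leaked_serials(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, serial) for every SNCheck() argument found in the log.
    Anything returned here is readable by every local user if the log is 0644."""
    found = []
    for i, line in enumerate(lines):
        m = SNCHECK_RE.search(line)
        if m:
            found.append((i, m.group(1)))
    return found


def redact(line: str) -> str:
    """Replace the serial with a fixed marker so the line can be shared safely."""
    return SNCHECK_RE.sub('SNCheck("[REDACTED]")', line)


def has_literal_newline_escape(line: str) -> bool:
    """True when the message ends in the two characters backslash and 'n',
    i.e. the escape was logged as text instead of producing a line break."""
    return line.endswith("\\n")
```

On the box itself the equivalent one-off check is to grep system.log for `SNCheck(` and look at the file's mode; the function above is the same test written so it can be run over a saved copy of the log.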
❗ Well, 10.4.8 does not seem to solve the problem…
I am making a fresh new install to check though… more news incoming after install and tests, but the note coming with the update did not show a thing about serialnumberd being corrected…
😯 Can we say confusing??? OK, full workaround found, though I don't think you will like it any better than I do… I set up, of course, some DMZ (demilitarized zone) (people I know and fully trust, IP ranges, my main site etc.)… and serialnumberd acted up again after the update to 10.4.8.
Being a stubborn fellow (not to mention sleepless)… I decided to create a dummy DMZ with every port open to my server; I took the time to open each port… nothing bad happened and serialnumberd did not react. Now I modified that same zone, asking my server to accept all connections whatsoever from this zone, and it acted up again…
So if you need some IP zones to be allowed to accept everything, I would still suggest using my little workaround mentioned above (yep, that's crazy). I shall be giving a call to Apple support Euroside to mention we are not done yet with serialnumberd.
I'm a 2-week-old OS X Server convert from the Linux world. I've been trying to get around the “626 serverAdmin konks out” problem. I've tried all the suggestions above and others floating around but have been unable to make it go away. After spending so much time on this problem I'm ready to give up on serverAdmin and just monkey with files directly…
Any thoughts on when this will be fixed or novel workarounds?
Just talked to Apple. They gave me a different serial number that “doesn't check” but expires on Feb 28. They expect to have the problem resolved before then with an update…