Hi everyone and thanks for making the place a reference for mac os x server

  • #367025
    IINDIE
    Participant

    As of late I acquired a nice MacPro with Mac OS X Server 10.4.7 Universal binary….
    Everything checked out fine until port 626 and serialnumberd reared their respective ugly heads.

    1) I have 2 machines running: one running the classic server install with its own serial number, the other machine running Mac OS X client. Both have Server Admin installed in the same version.

    2) On startup and on server warmup serialnumberd does not seem to have a problem, then all of a sudden it mentions it fails because of the firewall I set up … Let me remind you that serialnumberd opens port 626 on UDP, looking to see if you have another machine with the same serial number mucking around… that is not the case here … however I have set up address ranges to keep kiddies off my ssh's back. My home range is allowed all types of traffic as stated in the Server Admin GUI. All other channels are authorized case by case as needed …

    My question would be: since serialnumberd creates its own 00001 firewall rule allowing UDP 626 to be opened, there shall be no more need to have a 12307 rule allowing that port to be opened, right? Plus, since we are running free on a local basis, a Server Admin application within the network range would not meet any firewall problems, correct?

    Then I am getting that log entry in system.log.
    Sep 13 00:03:57 mox servermgrd: servermgr_info: [71] SNCheck(“server serial number”) failed with 5

    ipfw show returns the following

    00001 0 0 allow udp from any 626 to any dst-port 626
    00010 13554 4217091 divert 8668 ip from any to any via en0
    01000 71082 12141714 allow ip from any to any via lo0
    01010 0 0 deny ip from any to 127.0.0.0/8
    01020 0 0 deny ip from 224.0.0.0/4 to any in
    01030 0 0 deny tcp from any to 224.0.0.0/4 in
    12300 11880 4017707 allow tcp from any to any established
    12301 7 420 allow tcp from any to any out
    12302 1786 217833 allow udp from any to any out keep-state
    12303 0 0 allow udp from any to any in frag
    12304 69 4140 allow tcp from any to any dst-port 311
    12305 0 0 allow tcp from any to any dst-port 625
    12306 48 3312 allow icmp from any to any icmptypes 8
    12307 48 3312 allow icmp from any to any icmptypes 0
    12308 0 0 allow igmp from any to any
    12309 6 336 allow icmp from any to any icmptypes 3,4,11,12
    12310 0 0 allow tcp from any to any dst-port 407
    12310 0 0 allow udp from any to any dst-port 407
    12311 0 0 allow tcp from any to any dst-port 427
    12311 4 308 allow udp from any to any dst-port 427
    12312 0 0 allow tcp from any to any dst-port 443
    12313 0 0 allow gre from any to any
    12314 0 0 allow esp from any to any
    12315 0 0 allow tcp from any to any dst-port 53
    12315 57 3596 allow udp from any to any dst-port 53
    12316 0 0 allow tcp from any to any dst-port 53 out keep-state
    12316 0 0 allow udp from any to any dst-port 53 out keep-state
    12317 0 0 allow tcp from any to any dst-port 88
    12317 0 0 allow udp from any to any dst-port 88
    12318 0 0 allow tcp from any to any dst-port 106,3659
    12318 0 0 allow udp from any to any dst-port 106,3659
    12319 0 0 allow tcp from any to any dst-port 110
    12319 0 0 allow udp from any to any dst-port 110
    12320 0 0 allow tcp from any to any dst-port 113
    12321 0 0 allow tcp from any to any dst-port 115
    12322 0 0 allow tcp from any to any dst-port 143
    12323 0 0 allow udp from any to any dst-port 192
    12324 0 0 allow tcp from any to any dst-port 201-208
    12325 0 0 allow tcp from any to any dst-port 993
    12326 0 0 allow tcp from any to any dst-port 995
    12326 0 0 allow udp from any to any dst-port 995
    12327 0 0 allow tcp from any to any dst-port 5222
    12328 0 0 allow tcp from any to any dst-port 5223
    12329 0 0 allow tcp from any to any dst-port 5269
    12330 0 0 allow tcp from any to any dst-port 5190
    12330 0 0 allow udp from any to any dst-port 5190
    12331 156 18563 allow udp from any to any dst-port 5353
    12332 0 0 allow tcp from any to any dst-port 8000-8999
    12333 0 0 allow tcp from any to any dst-port 8080
    12334 0 0 allow tcp from any to any dst-port 9006,8080,8443
    12335 0 0 allow tcp from any to any dst-port 20-21
    12336 0 0 allow udp from any to any dst-port 161
    12337 0 0 allow tcp from any to any dst-port 389
    12338 0 0 allow tcp from any to any dst-port 687
    12339 0 0 allow tcp from any to any dst-port 660
    12340 0 0 allow tcp from any to any dst-port 1085
    12340 0 0 allow udp from any to any dst-port 1085
    12341 0 0 allow icmp from any to any
    12342 0 0 allow tcp from any to any dst-port 80
    12343 0 0 allow tcp from any to any dst-port 123
    12343 0 0 allow udp from any to any dst-port 123
    12344 0 0 allow udp from any to any dst-port 513
    12345 3 315 allow ip from myiprange/28 to any

    And I found this in /Library/Logs/SerialNumberSupport.log

    Wed Sep 13 01:36:12 2006: LOGERR: The local firewall has more than one rule #1! Assuming (UDP 626) blocked.
    Wed Sep 13 01:40:18 2006: LOGERR: Local firewall NO LONGER has our port (UDP 626) blocked.

    Great news ….. daemon, I did not put that rule in, thanks, you did.
    Merry Xmas, no other rule on port 626 is being applied either.

    Is there any way to make the poor thing see reason and have it not assume the port is being blocked when it is wide open? My guess would be that the daemon, seeing there might be something related to its port somewhere, ends up sawing off the branch on which it sits.

    Any enlightenment would be more than welcome on the subject ….

    #367093
    Anonymous
    Guest

    I just received a call from Apple; it seems that is a MacPro problem.

    #367099
    Anonymous
    Guest

    I think it may be more of a MacIntel problem. I just had the same problem with OS X Server 10.4.7 on a new Mac Mini.

    My firewall config has port 626 UDP open on all locations. If I turn the FW on, Server Admin stops working.

    Sep 23 23:21:54 server servermgrd: servermgr_ipfilter:ipfw config:Notice:Disabled firewall
    Sep 23 23:21:55 server servermgrd: servermgr_ipfilter:ipfw config:Notice:Flushed rules
    Sep 23 23:21:56 server servermgrd: servermgr_ipfilter:ipfw config:Notice:Enabled firewall
    Sep 23 23:24:09 server servermgrd: servermgr_info: [49] SNCheck(“SERAIL NUMBER DELETED…”) failed with 5 (: )\n

    Seems like the serial number checking part slipped past the QA team. The entire serial number is echoed into syslog (which is world-readable), and the developer didn't even hide his "new line" escape…

    This problem goes away when I turn off the FW altogether. I hope Apple can post a patch promptly…

    #367100
    Anonymous
    Guest

    To follow up, seems like the programmer in charge of the verification process may have struggled more than we imagined…

    Sun Sep 24 00:06:08 2006: LOGERR: The local firewall has more than one rule #1! Assuming (UDP 626) blocked.

    server:/var/log root# ipfw list |grep 001
    00001 allow udp from any 626 to any dst-port 626
    server:/var/log root#

    Hmm, seems like there is only one rule #1?
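
The checks the posts above do by eye (is there exactly one rule #1, which rule numbers repeat, and which rule covers UDP 626), as an added shell example. It is not part of the thread and is not serialnumberd's own logic; the function names and the shortened sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a few lines shortened from the `ipfw show` listing in the first post.
sample_rules() {
cat <<'EOF'
00001 0 0 allow udp from any 626 to any dst-port 626
00010 13554 4217091 divert 8668 ip from any to any via en0
01000 71082 12141714 allow ip from any to any via lo0
12310 0 0 allow tcp from any to any dst-port 407
12310 0 0 allow udp from any to any dst-port 407
12324 0 0 allow tcp from any to any dst-port 201-208
12334 0 0 allow tcp from any to any dst-port 9006,8080,8443
EOF
}

# count_rule NUM: number of rules whose rule-number field equals NUM exactly.
# (A substring search for "001" would also hit rule 00010 in this ruleset.)
count_rule() {
    awk -v n="$1" '$1 ~ /^[0-9]+$/ && $1 + 0 == n + 0 { c++ } END { print c + 0 }'
}

# duplicate_numbers: rule numbers that occur more than once.
duplicate_numbers() {
    awk '$1 ~ /^[0-9]+$/ && ++seen[$1] == 2 { print $1 }'
}

# rules_for_port PROTO PORT: "number action" for each rule with an explicit
# dst-port entry (single port, comma list or lo-hi range) covering PORT for
# PROTO. Accepts `ipfw show` lines (with counters) and `ipfw list` lines.
rules_for_port() {
    awk -v proto="$1" -v port="$2" '
    $1 ~ /^[0-9]+$/ {
        a = ($2 ~ /^[0-9]+$/) ? 4 : 2      # skip packet/byte counters if present
        if ($(a + 1) != proto) next
        for (i = a + 2; i < NF; i++) if ($i == "dst-port") {
            n = split($(i + 1), parts, ",")
            for (j = 1; j <= n; j++) {
                m = split(parts[j], r, "-")
                lo = r[1] + 0; hi = (m == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1, $a; next }
            }
        }
    }'
}

sample_rules | rules_for_port udp 626
```

On a live system the same functions take `ipfw show` or `ipfw list` on standard input in place of `sample_rules`.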

    #367119
    Anonymous
    Guest

    Apple is working on a patch for the intel version of serialnumberd…

    #367142
    Anonymous
    Guest

    Not a silver bullet but it seems to work ok so far.

    http://forums.macosxhints.com/showthread.php?t=60499

    It is only a temporary fix, but I would advise waiting for the upcoming update, which shall be due anytime soon.

    Best regards,
    Mischief Managed ,
    IINDIE

    #367158
    IINDIE
    Participant

    ❗ Well 10.4.8 does not seem to solve the problem …

    I am making a fresh new install to check though … more news incoming after install and tests, but the note coming with the update did not show a thing about serialnumberd being corrected …

    #367159
    IINDIE
    Participant

    😯
    Can we say confusing??? OK, full workaround found, though I don't think you will like it any better than I do … I stated of course some DMZ (demilitarized zone) (IP ranges of people I know and fully trust, my main site, etc.) … and serialnumberd acted back up after the update to 10.4.8.

    Being a stubborn fellow (not to mention sleepless) … I decided to create a dummy DMZ with every port open to my server, taking the time to get each port open… nothing bad happened and serialnumberd did not react. Now I modified that same zone, asking my server to accept all connections whatsoever to this zone, and it acted back up again …

    So if you need some IP zones being allowed to accept everything, I would still suggest using my little workaround mentioned above (yep, that's crazy). I shall be giving a call to Apple support Euroside to mention we are not done yet with serialnumberd.

    Have a nice weekend everyone.
    IINDIE

    #367310
    IINDIE
    Participant

    Issue solved with Mac OS X Server 10.4.8 update …. at long last.

    #367572
    vcoleman
    Participant

    I’m a 2-week-old OS X Server convert from the Linux world. I’ve been trying to get around the “626 serverAdmin konks out” problem. I’ve tried all the suggestions above and others floating around but have been unable to make it go away. After spending so much time on this problem I’m ready to give up on serverAdmin and just monkey with files directly….

    Any thoughts on when this will be fixed, or novel workarounds?

    #367573
    vcoleman
    Participant

    Just talked to Apple. They gave me a different serial number that “doesn’t check” but expires on Feb-28. They expect to have the problem resolved before then with an update…
