[Zeheeba]

I’m currently running a dual 2.8 quad intel xeon server with 306 connections, 206 of which are AFP. This count has been up into the 400s many times. The memory on the box is 4 gigs, and the main store it hosts is 5TB. As long as that 5TB doesn’t get to full, the server runs along fine. The processor load is always negligible.

Hope this helps.

Regards,
Daniel

[Zeheeba]

Thanks for writing back.

If I use the -R argument, it will set the permission on every file folder, but doesn’t do it as inherited from the top level down, they just go in as implicit ACL’s. It would still work the same, just not as clean. I’m probably going to have to go with that due to not wanting to touch 200 different folders with WGM. : )

Regards,
Daniel

[Zeheeba]

Just a follow up to this… I was able to change the user accounts to allow them to pull Kerb tickets after the domain rename and rebind.

To fix this go into netinfo manager, look at the attributes for a AD user account and change everything that references the old domain to the new one, including the super long SID strings under authentication authority. Dont worry about the big number strings, those SIDS wont change with the rename.

Change all those and everything works perfectly. I scripted all this and it worked pretty well. Applescripting Entourage 2k4 to change all its settings was a bit more sketchy, doable, but sketchy.

Hope this will help someone else someday.

Regards,
Daniel

[Zeheeba]

I can verify that this works. I reverted back to the 10.4.10 AD plugin because after updating to 10.4.11, none of my pc’s or macs could connect via SMB, weather the machine was domained or not. Once I rolled it back, everything worked like a charm.

One other note. I use a script to bind my servers. It seems the option that used to be “-SSO” is now “-enableSSO”.

Regards,
Daniel

[Zeheeba]

I’m running into this problem as well for the first time today.

Having to reboot is a shame. Has anyone found a solution to this since May?

Crossing my fingers. : )

Daniel

[Zeheeba]

Thank you Sir. The confirmation is appreciated.

Regards,
Z

[Zeheeba]

I seem to remember something about an entry missing in the /etc/hostconfig file that would make the sharing tab be greyed out.

Check and make sure that the “HOSTNAME=” entry is filled out. I can’t try this right now to test it. If it is there, post your /etc/hostconfig file remvoing company name, etc and I’ll cross reference it.

I know I’ve seen this before, I just hope I’m barking up the right tree.

Regards,
Z

[Zeheeba]

Hey There,

What are you using for Directory Services? Just curious.

Regards,
Z

[Zeheeba]

Howdy Michael,

I know of one way to make sure that the setting to inherit permissions is being saved when being selected in WGM. I used to have this problem on previous versions of OSX server and actually had to hard set it this way.

Open up the “NetInfo Manager” app in the Utilities folder.
Click on Config in middle pane>Then Sharepoints>WiebeTech RAID.

The look what the setting listed next to “afp_use_parent_privs”. If its set to 1 it should be set to inherit. If its set to 0 its not.

This may at least elimnate troubleshooting step by letting you know if the server is properly setting the inherit permission bit.

Good Luck!

Regards,
Z

[Zeheeba]

Double post, I apologize.

[Zeheeba]

Hello again. I’m afraid there is no way to rush the group population that I found.

As for the “Authentication Box” Problem, I believe that I had to set my authentication type to “Standard” in Server Admin/AFP/Settings/Access tab. Why this has to happen I’m not sure, but I think it does solve the problem.

Unfortunately I do not have a server to try it out on at the moment. If it doesn’t work, just change it back and get back to me. I will fidget with one of my servers tomorrow to reproduce the problem if its not solved. : )

Regards,
Z

[Zeheeba]

Hello Grundy.

Check out this thread and see if it helps you out…

here…

As for the groups, it can take a long time (like over 24 hours) to populate groups. Go home and get some sleep and check tomorrow. : )

Hope this helps, let us know.

Z

[Zeheeba]

This was taken care of. Due a rather complex DS structure in our environment at the moment, things are hard to diagnose, so it seemed like a much larger problem.

It turns out the client just hadn’t restarted their machine in about 3 weeks. Funny huh?

Z

[Zeheeba]

Its fixed, thanks for the response. I actually had those settings changed, but didn’t have the proper upload cache folder specified. Once I fixed that, things were golden.

Thanks again!

Z

[Zeheeba]

Alrighty, its update time. I have been doing a lot of logging and research into this. Here is the standard important stuff on a bind that comes out in the DS debug log:

 ADPlugin:    Doing CheckServerRecords......
 ADPlugin:       company.com - Start checking servers for site "any"
 ADPlugin:          Total Servers "any" LDAP - 3, Kerberos - 3, kPasswd - 3
 ADPlugin:             Server #1 picked - "dc02.company.com"
 ADPlugin:             Server #2 picked - "dc03.company.com"
 ADPlugin:       Got rootDSE for server dc03.company.com to determine forest
 ADPlugin:       Determined Forest of company.com from Domain Controller dc03.company.com
 ADPlugin:       Found Default Domain company.com
 ADPlugin:       Global Catalogs - Start checking servers for site "any"
 ADPlugin:          Total Servers "any" LDAP - 2, Kerberos - 3, kPasswd - 3
 ADPlugin:             Server #1 picked - "dc03.company.com"
 ADPlugin:             Server #2 picked - "dc01.company.com"
 ADPlugin:       Found Forest Domain GC company.com
 ADPlugin:    Something wrong, unable to determine domain information from Config container......
 ADPlugin:    Finished CheckServerRecords......
 ADPlugin:       Created KerberosClient record Generation ID 158597214
 ADPlugin:    Rebuilt Kerberos File
 ADPlugin: Calling CloseDirNode
 ADPlugin: Calling OpenDirNode
 ADPlugin: Calling CustomCall
 ADPlugin:    Doing CheckServerRecords......
 ADPlugin:          Good credentials for [email protected]
 ADPlugin:          No existing connection in connection mgr for user@[email protected]:389
 ADPlugin:          Secure BIND Session with server dc02.company.com:389
 ADPlugin:          Read Context information from server for configurationNamingContext of CN=Configuration,DC=company,DC=com
 ADPlugin:      Processing Site Search with found IP
 ADPlugin:         Site found of - Main-site
 ADPlugin:          Returning connection to pool for domain company.com with dsStatus 0.
 ADPlugin:       company.com - Start checking servers for site "Main-site"
 ADPlugin:          Total Servers "Main-site" LDAP - 3, Kerberos - 3, kPasswd - 3
 ADPlugin:             Server #1 picked - "dc02.company.com"
 ADPlugin:             Server #2 picked - "dc01.company.com"
 ADPlugin:       Got rootDSE for server dc01.company.com to determine forest
 ADPlugin:       Determined Forest of company.com from Domain Controller dc01.company.com
 ADPlugin:       Found Default Domain company.com
 ADPlugin:       Global Catalogs - Start checking servers for site "Main-site"
 ADPlugin:          Total Servers "Main-site" LDAP - 2, Kerberos - 3, kPasswd - 3
 ADPlugin:             Server #1 picked - "dc01.company.com"
 ADPlugin:             Server #2 picked - "dc03.company.com"
 ADPlugin:       Found Forest Domain GC company.com
 ADPlugin:          Good credentials for [email protected]
 ADPlugin:          Retrieved existing connection from connection mgr [email protected]@company.com:389
 ADPlugin:          Read Context information from server for configurationNamingContext of CN=Configuration,DC=company,DC=com
 ADPlugin:          Returning connection to pool for domain company.com with dsStatus 0.
 ADPlugin:    Finished CheckServerRecords......

You can see during this binding portion that it looks for the defined servers for the “any” site and the “Main-site” site. The selected servers for the “any” domain have dc03 included a lot, but the “Main-site” shows the correct servers with dc03 only included as a GC. We are assuming this is happening becasue the plugin is looking for 2 GC’s, and there are only 2 available, one of them being dc03.

These results change often for the “any” section when repeating the bind process, but remain reliable for the “Main-site” section. This would mean to me that the ADPlugin indeed can read the information on sites and interpret it correctly.

Since the server information for the “Main-site” site is correct but logins are still failing randomly beecasue the server is looking at dc03 would at least make it appear that when it comes time for authentication, the sites are not being respected.

There is the one issue of the line that reads “Something wrong, unable to determine domain information from Config container……”. I have no idea what this error means. Any idea MacTroll?

I will let you know if I come up with anything else.

PS- Is there a way to keep DirectoryService Debug on through restart?

[Author]

Posts