Forum Replies Created

Viewing 15 posts - 1 through 15 (of 19 total)
  • in reply to: enabling new domain breaks entire web server #377851
    alternapop
    Participant

    there was a “too many open files” error.

    googling “launchctl limit maxfiles” provided the solution.

    running either of these two commands shows the default limit of 256:

    ulimit -a
    launchctl limit

    i created a new file (/etc/launchd.conf) with only this line within it:

    limit maxfiles 4096 unlimited

    then ran:

    launchctl limit maxfiles 4096 unlimited

    the 4096 number is just a starting point for me. it could possibly be smaller or higher but i haven’t tested any performance improvements/issues yet.
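An added check, not part of the post above, that parses `launchctl limit`-style output (soft limit in the second column, hard limit in the third, which is the format assumed here) and flags a maxfiles soft limit below a chosen floor such as the 4096 used in the post; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: detect the 256 default maxfiles limit that starved Apache of
# file descriptors in the post above. Not code from the original post.

# Constructed sample of `launchctl limit` output before and after the fix.
# Assumed column order: name, soft limit, hard limit.
SAMPLE_BEFORE='	cpu         unlimited      unlimited
	filesize    unlimited      unlimited
	maxfiles    256            unlimited
	maxproc     266            532'

SAMPLE_AFTER='	maxfiles    4096           unlimited'

# maxfiles_soft TEXT -> prints the soft maxfiles value found in TEXT
maxfiles_soft() {
    printf '%s\n' "$1" | awk '$1 == "maxfiles" { print $2; exit }'
}

# maxfiles_ok TEXT FLOOR -> 0 if the soft limit is unlimited or >= FLOOR,
# 1 if it is lower, 2 if no maxfiles line was found at all
maxfiles_ok() {
    soft=$(maxfiles_soft "$1")
    [ -n "$soft" ] || return 2
    [ "$soft" = "unlimited" ] && return 0
    [ "$soft" -ge "$2" ]
}

# On a Mac, check the live limits; elsewhere only the functions are defined.
if command -v launchctl >/dev/null 2>&1; then
    live=$(launchctl limit 2>/dev/null)
    if maxfiles_ok "$live" 4096; then
        echo "maxfiles OK: $(maxfiles_soft "$live")"
    else
        echo "maxfiles too low: $(maxfiles_soft "$live")"
    fi
fi
```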

    in reply to: enabling new domain breaks entire web server #377845
    alternapop
    Participant

    [QUOTE][u]Quote by: premiermac[/u][p]What’s in the logs? Generally apache is pretty good about pinpointing the problem if you read the logs.[/p][/QUOTE]

    the logs haven’t been helpful yet.

    it’s acting like there is some sort of hard limit of 34 enabled domains. if i disable a currently working domain and enable the new (35th) one that isn’t working, it starts working. once i enable a 35th domain, it stops working.

    in reply to: MCX login ‘access control list’ question… #377336
    alternapop
    Participant

    [QUOTE][u]Quote by: alternapop[/u][p]
    WorkGroup Manager > Preferences > Login > Access > Always > Access Control List

    [/p][/QUOTE]

    If I add the AD group to the Access Control List section here it works… but not if I add the AD group to the OD group, and add the OD group.

    Is this just the way it works or might I have something else configured incorrectly?

    I thought that this was supposed to work based on reading the AD/OD documentation from Bombich.

    alternapop
    Participant

    it looks like this does work but i had to reboot the machine for it to show up in the Directory Utility gui.

    what command can i use to flush this without rebooting?

    thanks!

    in reply to: change “current HostName” with changeip #374708
    alternapop
    Participant

    sudo hostname server1.example.edu

    alternapop
    Participant

    After posting on numerous message boards, and no one having an exact answer, but several making plenty of great suggestions, I think I’ve finally figured out the cause of this issue or at least part of the cause.

    Within ‘Server Admin’, select “Open Directory”,
    under: Settings > Policy > Binding

    there are six check boxes under “Security”… for testing kerberos, I have been checking the first four boxes, which are:

    1. disable clear text passwords
    2. digitally sign all packets (requires Kerberos)
    3. encrypt all packets (requires ssl or kerberos)
    4. block man-in-the-middle attacks (requires kerberos)

    through troubleshooting this myself, and doing each change, followed by a server reboot, then immediately attempting to authenticate to /LDAPv3/127.0.0.1/, it seems that enabling some, or some combination of these Security settings triggers WorkGroup Manager to not accept the diradmin password.

    referring to the numbers above (1 through 4)…
    2 or 4 by themselves fails
    1 and 3 together fails

    I haven’t gone beyond that for testing and don’t know what other combinations work or fail.

    I don’t know if there is something beyond this that is specific to my configuration or environment that plays a part in this failing. All I know is that turning off all Security checkboxes in this section fixes the problem.

    I wonder if anyone who has never seen this problem can try this on their 10.5.2 Server and see if they are still able to authenticate as their diradmin to WGM. Regardless, it seems that this is a WGM bug to me, right?

    alternapop
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]The PWS database is where your diradmin’s password is actually stored. So it’s good that a hash exists there.

    You could use mkpassdb to reset that password, just to see if that’s the issue.

    Although this is really beginning to smell like you have something deeper going on.[/p][/QUOTE]

    there are other posts regarding this problem on the apple forums. no apparent fix that i know of. i just wonder what exactly is causing this for some users and not for others. procedure error? environment?

    alternapop
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]Ahhhh, that makes so much more sense.

    I had at first thought you had just pulled any random user out of LDAP, and not the directory admin. 😀

    mkpassdb -dump | grep diradmin

    swapping in your local diradmin account.

    That’s the password hash that authenticates the diradmin user. So… you’re looking to make sure that this lines up with the first bit of the authAuthority. Then you can use mkpassdb to actually reset that particular hash.[/p][/QUOTE]

    the two hashes are identical.
    i’ve never used mkpassdb before. what exactly am i doing with this?
    thanks!

    alternapop
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]You used a different shortname than diradmin?

    So were you able to get the diradmin user record back?[/p][/QUOTE]

    yes, i didn’t use “diradmin”, i used something like “abcdiradmin” so it’s not easy to guess. i believe one of the speakers at macworld this year suggested not using diradmin for security reasons.

    i’m pretty sure i used “diradmin” specifically last month when testing OD and it too failed to authenticate after a certain time frame…. so i don’t think that alone is the issue.

    running your previous terminal command and replacing “diradmin” with “abcdiradmin” returned the previous data from my last post.

    alternapop
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]dscl localhost read /Search/Users/diradmin[/p][/QUOTE]

    ——————
    it returns the following text. nothing stands out to me as an obvious problem.
    i used a different shortname other than diradmin but i’ve changed it, along with any other revealing info in the following text.

    thanks

    ——————
    clsopendirectory:~ isunit$ dscl localhost read /Search/Users/diradmin
    dsAttrTypeNative:apple-generateduid: CD0BE9F1-B5B6-4FD4-AAEF-5B25BB158170
    dsAttrTypeNative:authAuthority:
    ;ApplePasswordServer;0x47b1dde46b8b45670000000200000002,1024 35 13471747669994901427990051441621928930464366334988402441847486241250835528716529262188416797369764989724490493898419832705432105738330330415602044633490619874379403336254328581640475796657113805006318536936308859604069390925387441253557232949048000133953793586198583526155106002373353676643849697222856271 [email protected]:169.123.123.123
    dsAttrTypeNative:cn:
    Directory Administrator
    dsAttrTypeNative:gidNumber: 20
    dsAttrTypeNative:givenName: Directory
    dsAttrTypeNative:homeDirectory: /Users/diradmin
    dsAttrTypeNative:loginShell: /bin/bash
    dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount apple-user extensibleObject organizationalPerson top person
    dsAttrTypeNative:sn: Administrator
    dsAttrTypeNative:uid: diradmin
    dsAttrTypeNative:uidNumber: 1000
    dsAttrTypeNative:userPassword: ********
    AppleMetaNodeLocation: /LDAPv3/127.0.0.1
    AuthenticationAuthority:
    ;ApplePasswordServer;0x47b1dde46b8b45670000000200000002,1024 35 13471747669994901427990051441621928930464366334988402441847486241250835528716529262188416797369764989724490493898419832705432105738330330415602044633490619874379403336254328581640475796657113805006318536936308859604069390925387441253557232949048000133953793586198583526155106002373353676643849697222856271 [email protected]:169.123.123.123
    FirstName: Directory
    GeneratedUID: CD0BE9F1-B5B6-4FD4-AAEF-5B25BB158170
    LastName: Administrator
    NFSHomeDirectory: /Users/diradmin
    Password: ********
    PrimaryGroupID: 20
    RealName:
    Directory Administrator
    RecordName:
    diradmin
    Directory Administrator
    RecordType: dsRecTypeStandard:Users
    UniqueID: 1000
    UserShell: /bin/bash

    alternapop
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]Are you able to login to other services as this user?

    What do the logs say?[/p][/QUOTE]

    i can successfully change the diradmin account’s password via the Terminal with “passwd diradmin” and it accepts the “old password”. going back to WGM, it still won’t accept the password.

    via System Preferences, clicking on the lock to authenticate, it accepts the diradmin acct and password.

    i can’t find any entries in any logs pertaining to this but it’s possible i’m not looking in the right log file.

    this shows up every 30 seconds in system.log but i don’t know that it’s related:

    “Feb 14 14:07:52 xxxopendirectory servermgrd[45]: –Module servermgr_xserve’s response has retain count of 1.”

    via the Terminal, is there a command where i can add a new user and have that user be a new diradmin account (named differently of course) to see if WGM accepts that acct?

    thanks!

    in reply to: macworld directory services slides (and plutil and afp) #371243
    alternapop
    Participant

    [QUOTE][u]Quote by: macshome[/u][p]Not sure about the slides since that wasn’t one of our sessions.

    plutil is for plist validation and format transformation.[/p][/QUOTE]

    thanks for your reply. i thought the speaker mentioned that the slides would be available on afp548.

    i may have misunderstood the speaker, but my understanding was that he said “there is a problem with afp file sharing with leopard server and you have to run this plutil command for it to work”. if this is true, i’m looking for the exact command with the details.
    thanks!

    in reply to: SSO with AD/OD and fileshares #371226
    alternapop
    Participant

    This is partially solved. I reinstalled the OS on the server. Binding to AD from the server is working now. Thanks to a fellow colleague for help with figuring out that even though Directory Utility showed that the server was bound to AD, it wasn’t a valid bind. I think it was either due to maybe letting the server initialize with a dynamic ip when I installed the OS the first time or a discrepancy with the names in AD and NETBIOS.

    —————-
    opendirectory:~ admin$ sudo klist -ke
    Password:
    klist: No Kerberos 5 tickets in credentials cache
    opendirectory:~ admin$ sudo net ads info
    LDAP server: xx.xx.xx.xx
    LDAP server name: xx.xx.xx.xxx.xxx
    Realm: xx.xx.xxx.xxx
    Bind Path: dc=xxx,dc=xx,dc=xxx,dc=xxx
    LDAP port: 389
    Server time: Wed, 23 Jan 2008 10:23:31 PST
    KDC server: xx.xx.xx.xx
    Server time offset: 0
    opendirectory:~ admin$ sudo net ads testjoin
    Join is OK
    —————-

    now, if i force AFP to use Kerberos, it fails. i believe they mentioned something about running the command, ‘plutil’ at macworld. what exactly is this command’s syntax? and what does it do?

    thanks!

    in reply to: SSO with AD/OD and fileshares #371160
    alternapop
    Participant

    this still isn’t working for me. i attended the macworld Directory Services 1, 2 and 3 classes.

    within my leopard server, everyone has access to all services

    there is a line for afp within krb5.keytab on the server with my server’s dns name… the krb5.keytab on the client shows as a bunch of seemingly random numbers, “afpserver2LKDC:SHA1.xxxx…”

    i tried running “sudo dsconfigad -enableSSO” on the server

    the lecturers mentioned a ‘plutil’ command but i don’t remember when this is necessary or how to run it.

    would greatly appreciate any assistance!
    thanks,
    chris

    in reply to: SSO with AD/OD and fileshares #371139
    alternapop
    Participant

    my edu.mit.Kerberos file lists the appropriate domains/realms and contains about 10 of them for our campus.

    if i run “sudo sso_util info -g”, on the client, it returns “UDPxxxxxxUDS.xxxx.EDU”

    running “host UDPxxxxxxUDS.xxxx.EDU” on that domain name returns the IP of the client i’m running these commands on.

    is that right?
