Forum Replies Created
-
AuthorPosts
-
gw1500se
Participant
Perhaps I am misunderstanding but I don’t see what Keychain Minder does that is any different than Apple’s keychain access and the change password function.
The crux of the problem is that every time users change their login password all the applications that are autostarted can’t access the keychain and half the user’s dock is bouncing, throwing up password and error windows, creating a mess for the user.
Whether Apple wants to spend the resources making their single sign-on feature really work is one thing. However, arguments about not implementing a solution for security reasons are another. It seems to me every argument in that area presented here should be up to the systems admin as an option rather than being decided by a one-size-fits-all disinterested opinion, even that of Apple.
As such an admin the security concerns expressed are not applicable in my environment. The risks of users not changing passwords are much greater than the risks associated with sync’ing keychains, in my opinion. Indeed, there is no risk in this environment. If I want a user’s password I just ask or change it myself. If the din continues about this much longer with no relief in sight, I doubt I can continue to convince management we need to keep changing passwords.
gw1500se
Participant
Never mind. This is apparently a problem with the application itself. There is some incompatibility with afp from a 10.4 server. If I serve it out as an smb share, it works.
gw1500se
Participant
Thanks but no joy. It still shows as a Classic Application. Another discovery is that it shows up correctly and works (even with 644) for the user that copied it onto the share. Even after a ‘chown admin’ is done.
gw1500se
Participant
Thanks. Server.
gw1500se
Participant
Thanks for the reference. The only thing I found was mention of changing the ownership of the mysql/data directory. That was already done in my case. Were you thinking of something else or was that it?
gw1500se
Participant
You’re having the same problem as me. Except we have yet to get it to work on 10.4. See: https://www.afp548.com/eBBS/viewtopic.php?forum=39&showtopic=9267
I have an open issue with Apple on this. If you have a test client, try doing an erase install and see if that fixes it. If it does then it is a good bet we have the same problem but for different reasons.
gw1500se
Participant
Kerberos should be built automagically. If not then it is most likely a DNS problem. Make sure your DNS is working properly then demote the replica to a standalone server (restart to be safe) then promote it to a replica again. As far as I can tell trying to manually build the slave KDC on OS X is an exercise in futility.
gw1500se
Participant
I got it figured out. The answer is yes, the Kerberosv5 keys need to be changed as well. Also omitted from the article is that the kerberos realm needed to be edited. The trick is that the ldif format is such that the keys are separated by new line characters into fixed 78 character lines. Unfortunately, there is no easy way to find/replace them because the breaks depend on the length of the user’s name. I had to brute force edit each user’s entry to get the new keys in it.
Once that was done the imported files and kerberizing worked fine.
gw1500se
Participant
Thanks. That was basically where I am headed but rather than mounting a RAID I will be mounting a SAN, which is on an XRAID. However, I have another problem with XSAN. It seems it takes 20 minutes or more to mount the volume after a restart. I’m calling Apple on this one.
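For the earlier post about Kerberos keys broken across fixed 78-character lines in an LDIF export, here is an added example (not code from the thread or from Apple) that unfolds the lines, replaces a value, and folds them again. It assumes the export uses RFC 2849 folding, where a continuation line begins with a single space; the attribute name `exampleKey`, the realm, the user names and the key strings are constructed placeholders.

```python
# Added example: edit values in a line-folded LDIF export.
# Assumption: RFC 2849 folding, where a continuation line starts with one space.
FOLD_WIDTH = 78            # physical line length reported in the post
OLD_KEY = "A" * 90         # constructed placeholder for an old key string
NEW_KEY = "B" * 90         # constructed placeholder for its replacement


def unfold(text):
    """Join continuation lines onto the logical line they belong to."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def fold(line, width=FOLD_WIDTH):
    """Split one logical line into physical lines of at most `width` chars."""
    parts, rest = [line[:width]], line[width:]
    step = width - 1  # continuation lines spend one column on the space
    while rest:
        parts.append(" " + rest[:step])
        rest = rest[step:]
    return parts


def replace_value(text, old, new, width=FOLD_WIDTH):
    """Replace `old` with `new` wherever the export happened to break it."""
    out, count = [], 0
    for line in unfold(text):
        count += line.count(old)
        out.extend(fold(line.replace(old, new), width))
    return "\n".join(out) + "\n", count


def build_sample():
    """Constructed export: names of different length shift the break points."""
    physical = []
    for uid in ("al", "bartholomew"):
        physical += fold("dn: uid=%s,cn=users,dc=example,dc=com" % uid)
        physical += fold("exampleKey: %s@EXAMPLE.COM;%s" % (uid, OLD_KEY))
        physical.append("")  # blank line separates entries
    return "\n".join(physical)


if __name__ == "__main__":
    fixed, n = replace_value(build_sample(), OLD_KEY, NEW_KEY)
    print("replaced %d value(s)" % n)
    print(fixed)
```

A plain text search for the old key finds nothing in the folded file, which is why the replacement has to run on the unfolded logical lines.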
gw1500se
Participant
Thanks. That was the info I was looking for. Not supporting something and it actually not working are not quite the same thing. Thanks for the advisory and we will be doing lots (with crossed fingers) of extra testing to make sure it works. Unfortunately, we don’t have the machines to let the backup server sit idle. It does need to be on the network. The plan is to just change the IP address on the backup server. However, unless both machines have access to the same mail database users will be missing mail as the server is switched back and forth (thus the reason we hope to use our SAN). Our business depends heavily on email.
gw1500se
Participant
Got it! The Xraid logical volume must be partitioned using Disk Utility ‘Free Space’ rather than the default ‘OS Mac Journaled (Extended)’.
gw1500se
Participant
Even with the switch in, the host sees, and has mounted, the Xraid. It is Xsan admin that does not see the LUNs.
gw1500se
Participant
Thanks for the reply. It is difficult to diagnose this type of thing when one doesn’t know what to expect. In any case your suggestion did not seem to help (I could find nothing in any of the documentation about it, how do you find this stuff out?). Is there something else I should be setting on the Emulex (355) other than the Smartports to what you said? What about the zone stuff? I’m pretty much clueless here with just the Apple and Emulex documentation.
gw1500se
Participant
That was not what I wanted to hear but thanks. It seems it is just as useless with Tiger as Panther.
gw1500se
Participant
Thanks for the reply. It looks to me like that is mostly for Wi-Fi and overkill for what I need.
I found something called Radiator which looks a little closer. Does anyone have any experience with that?