Forum Replies Created

Viewing 15 posts - 1 through 15 (of 20 total)
  • in reply to: LDAP Backup? #368215
    mkalien
    Participant

    Hopefully Joel has a solution for recreating the root user 😀

    But if not, did you ever make an archive using Server Admin (under Open Directory and then the Archive section)? That would obviously be the easiest way to restore your OD user & group information. Apart from that, you’d need to have a deeper understanding of openldap and password server.

    I think you could get your ldap database copied to a new install by setting up the new one the exact same way (i.e. same domain and same root user password). Then, for the openldap database, you can copy the contents of /var/db/openldap/openldap-data and then run “db_recover -c -h /var/db/openldap/openldap-data”. This took quite a long time for my database, but it got me up and running again. I’ve only tried this twice so I’m not sure if there are side effects to this process that I just haven’t seen yet.

    Ok, so even if that worked you wouldn’t have any passwords for your users (assuming you were using OD Passwords and not crypt). I have no idea how to backup the password server database without the use of the “mkpassdb -dump” command. I noticed that the man page for mkpassdb has “mkpassdb -backupdb path” under the synopsis but there’s no details on whether “path” means path to the database you want to backup or path to the location of where to save the backup.

    in reply to: LDAP command line tools #368214
    mkalien
    Participant

    Ditto.

    All of our nightly data dumps are handled via dsimport and ldapmodify. ldapmodify is very quick and easy to use once you understand ldif file syntax and your directory’s schema.

    in reply to: openldap-data log files #367981
    mkalien
    Participant

    I just love answering my own questions! 😉

    So I found out that Apple now packages standard bdb tools with OS X Server. I sort of knew this already but I didn’t know how to use them or what they did. Looking closer, there’s a command called db_archive that will tell you which log files are no longer active. You can use this to automatically delete log files that aren’t needed or you can get a list of which ones are required for catastrophic failures. There are several good options here. Considering I don’t use the archive feature in WGM (I just backup the password server db and rely on replicas for the ldap information) I may start taking snapshots of the bdb files and archiving the non-active log files to another volume so I can still use it for future db_recover commands as needed.

    If anyone has good references for OD backup and maintenance best practices I could probably use a good refresher. It must be scriptable though. Also, if anyone can point me to more information on what each of the files in /var/db/openldap/openldap-data are and how they are used, please post them. I wish Apple provided more documentation on bdb. Even the technician I got through one of my escalated incidents using the Server Software Support: Select agreement said he hadn’t ever used the bdb tools included with OSXS.

    in reply to: AFP and LDAP Authentication help #364221
    mkalien
    Participant

    1. If you don’t want them to have shell access at all, then change their default user shell for each user on the ldap server.
    — or —
    2. If you want the users to have some shell access but just not on the file server, use Server Admin to specify the service access for SSH on the file server. Obviously this will keep the users from using SFTP, but since you titled the post AFP and LDAP I’m hoping you weren’t counting on SFTP access and no shell access. You can do that, but not without some extra work.

    mkalien
    Participant

    I think I found some of the answers. I noticed there was a ~/Library/Mirrors directory. I think .Mac users are already aware of this directory because the only information I could find on it was from macosxhints.com. Anyway, I renamed the folder, forced a few more mobility preferences from WGM and restarted my powerbook. It’s syncing again.

    Anyone know of any documentation on the following files?
    ~/Library/Mirrors
    ~/Library/Preferences/com.apple.MirrorAgent.plist
    ~/Library/Preferences/com.apple.homeSync.plist
    ~/Library/Preferences/com.apple.syncservices.ConflictResolver.plist

    If I needed to fix some professor’s mobile user account, would trashing all the above preferences and restarting the machine clear out any damage he might have done?

    in reply to: Can’t create replica #363871
    mkalien
    Participant

    Is this what you’re talking about?

    2005-08-29 15:59:50 -0700 – NeST command failed with status 255
    2005-08-29 15:59:50 -0700 – Removing replica due to an error adding a Password Server replica.

    This is what I had happen once. I had to remove almost all of the replica-related files and then try adding the replica again.

    Here is what Apple told me. DO NOT FOLLOW THESE STEPS WITHOUT KNOWLEDGE OF WHAT THEY DO!! This advice was given to me based on my explanation of the problem and log files.

    ———-
    Steps to change the replicas back to Stand Alone and clean up the
    databases.

    If you never had any replicas, skip to “Steps to rebuild the PWS
    database on the master” below.

    1. Change the role of the replica back to Stand Alone
    2. Check in Workgroup Manager on the old replica and make sure there
    are no Local users with Open Directory password types. The admin may
    have been set to use OD passwords. Change any with OD passwords to
    use Shadow passwords.

    3. Make sure you have a directory admin that does not have the same
    short name or UID of the local admin. If you don’t, create a new
    admin in the Ldap domain to be used as the directory admin when
    creating replicas.

    3. Run these commands as root on the replica, ignore the messages “No
    such process – nothing found to load” after the NeST command

    NeST -stoppasswordserver
    mv /var/db/authserver /var/db/authserver.old
    mv /var/db/krb5kdc /var/db/krb5kdc.old
    mv /etc/krb5.keytab /etc/krb5.keytab.old
    mv /Library/Preferences/edu.mit.Kerberos /Library/Preferences/edu.mit.Kerberos.old

    4. On the master, use WGM inspector mode.
    Go to the Target, and select Config from the popup menu

    Remove any passwordserver_XXXXX records
    In the passwordserver record, remove any references to the replica in
    the PasswordServerList. Select the PasswordServerList, click Edit,
    remove the text (see below for text example), click Ok and Save.

    5. Go to Config / ldapreplicas -> LDAPReadReplicas if there is more
    than one, open it up, see if the replica’s IP address is listed. If it
    is select it and press “delete” on the keyboard (Don’t click the
    Delete Icon, this would delete the “ldapreplica” record). Click Save.

    6. Then remove the replica from the /var/db/authserver/
    authserverreplicas, the text is the same as above.

    A replica entry will look like this, find the entry with the
    IP address that matches your replica


    EntryModDate: 2005-08-15T21:15:52Z
    IDRangeBegin: 0x00000000000000000000000000000209
    IDRangeEnd: 0x000000000000000000000000000003fd
    IP: 192.192.255.227
    LastSyncFailedAttempt: 2005-08-15T21:15:03Z
    ReplicaName: Replica1
    ReplicaStatus: PermissionDenied
    SASLRealm: replicahostname
    SyncInterval: 86400

    If there are no remaining replicas you can remove this line too

    Replicas

    7. On the master Kill PasswordService so the replica remove takes effect

    # killall -9 PasswordService

    It will restart on its own

    8. Make sure the /var/db/authserver/authserverreplicas file is
    correct and not empty.

    # more /var/db/authserver/authserverreplicas

    If there is a problem use the /var/db/authserver.old/authserverreplicas
    file and make the correction again and killall -9 PasswordService
    again. Recheck.

    in reply to: Load Sharing #363560
    mkalien
    Participant

    Right…kerberos! grrr…

    OK, so if both fs1 and fs2 are connected to a Directory and I join them to the Kerberos REALM, they will have principals like afp/fs1.university.edu@MYREALM or SMB/fs2.university.edu@MYREALM right? That means a client asking for afp/fileserver.university.edu@MYREALM won’t match a principal and thus revert to using standard authentication methods?

    in reply to: Replication Issues #363459
    mkalien
    Participant

    So….any rumors on next OSXS update? My OD Master has been averaging 50% CPU usage for over a week.

    in reply to: LaunchD ProgramArguments #363318
    mkalien
    Participant

    So the obvious answer was no. Considering the attribute was called Program ARGUMENTS I should have known but I wasn’t sure. Has anyone run across any in depth tutorials on launchd plists?

    in reply to: Secure File Sharing Tips #363267
    mkalien
    Participant

    Someone also pointed me to rssh which is a restricted shell. It installed very easily (just make sure to specify the path to scp and sftp which I found in /usr/bin and edit the .conf file) and seems to work. It can restrict users to scp and/or sftp only. If they try to ssh into the box they get a message saying they are restricted to rssh and can’t do anything and then it logs them out. I like the idea, but perhaps combined with chroot I can restrict them to sftp and scp AND to only browse the Users directory.

    I haven’t made a final decision, but I’m liking rssh (with or without chroot) or using pureftpd over SSL.

    in reply to: Secure File Sharing Tips #363221
    mkalien
    Participant

    What about FTP using SSL (FTPS)? Does OS X Server support that? If it does, it seems like I could firewall the standard FTP port to force users into FTPS.

    in reply to: newbie: how to set up disc quota for each user a volume #363207
    mkalien
    Participant

    You need to enable quotas for the volume that stores your user data and then assign quotas to each of your users.

    To enable quotas for the volume, I find it easiest to use Workgroup Manager (WGM). Here are instructions taken from OSXS 10.4.2 but it should be very similar to previous versions:
    1. log in to your server as an administrator
    2. go to the “Sharing” section
    3. Click on “All” instead of “Share Points”
    4. Navigate to the root of your volume and click on it
    5. From the “General” tab on the right you should be able to select “Enable disk quotas on this volume” (don’t forget to save)

    To set your disk quotas for your users, go to the Accounts section of WGM. Select one or all of your users at once. Click on the “Home” tab, select a home directory location, add the disk quota value, and click save.

    I believe there’s some php code you can download from this site that will display the quota files created by the terminal command: repquota.

    in reply to: Unable to Create a Replica #362960
    mkalien
    Participant

    [QUOTE BY= MacTroll] /Library/Logs/slapconfig.log

    Or just use “slapconfig” from the CLI to create the replica.[/QUOTE]

    So I’m not able to create a replica to a 10.4.2 OD Master. I was trying from the Server Admin GUI, but had no luck. I changed my replica-to-be to stand alone, then to replica and it always ended up back at stand alone. I tried a fresh Tiger server install on another xserve but had the same problem. I saw your tip and tried running slapconfig -createreplica . I wasn’t sure if “no such process” was normal for the slapd and slurpd calls and it seems to revert itself after attempting to set password server replication.

    Any help? (Preferably other than frap and reinstall the master?) I will attempt to reinstall OS X Server on the replica again and try the command line.

    Here’s the output:

    Root Password For Master LDAP Server:
    diradmin’s Password:
    command: ssh root@10.6.2.11 /usr/sbin/slapconfig -checkmaster diradmin 0 3 3
    Warning: Permanently added ‘10.6.2.11’ (RSA) to the list of known hosts.
    diradmin’s Password:
    1 Destroying local LDAP server
    command: /usr/sbin/sso_util remove -k -d -s -c -n -v 1
    sso_util command output:
    shutting down kadmind
    kadmind shut down
    shutting down kdc
    No such process
    No such process
    kdc shut down
    removing kdc database files
    Stopping LDAP server (slapd)
    No such process
    nothing found to load
    Stopping LDAP replicator (slurpd)
    No such process
    nothing found to load
    Removed file at path /etc/openldap/slapd.conf.
    Copied file from /etc/openldap/slapd.conf.default to /etc/openldap/slapd.conf.
    command: /usr/sbin/NeST -pwsstandalone
    NeST command output:
    No such process
    nothing found to load

    nothing found to load
    2 Stopping master LDAP server
    command: ssh root@10.6.2.11 /usr/sbin/slapconfig -stopldapserver
    Warning: Permanently added ‘10.6.2.11’ (RSA) to the list of known hosts.
    Stopping LDAP server (slapd)
    nothing found to load
    Stopping LDAP replicator (slurpd)
    No such process
    nothing found to load
    3 Updating master configuration
    command: ssh root@10.6.2.11 /usr/sbin/slapconfig -addreplica 10.6.2.12
    command: ssh root@10.6.2.11 /usr/bin/db_recover -h /var/db/openldap/openldap-data
    command: ssh root@10.6.2.11 /usr/sbin/slapcat -l /var/db/openldap/openldap-data/backup.ldif
    4 Restarting master LDAP server
    command: ssh root@10.6.2.11 /usr/sbin/slapconfig -startldapserver
    Starting LDAP server (slapd)
    No such process
    5 Updating local replica configuration
    Copied file from /etc/openldap/slapd.conf to /etc/openldap/slapd.conf.backup.
    6 Copying master database to new replica
    Removed directory at path /var/db/openldap/openldap-data.
    command: scp root@10.6.2.11:/var/db/openldap/openldap-data/backup.ldif /var/db/openldap/openldap-data/
    command: scp root@10.6.2.11:/etc/openldap/schema /etc/openldap/
    command: /usr/sbin/slapadd -c -l /var/db/openldap/openldap-data/backup.ldif
    7 Starting new replica
    Starting LDAP server (slapd)
    No such process
    8 Starting replicator on master server
    command: ssh root@10.6.2.11 /usr/sbin/slapconfig -startreplicator
    Starting LDAP replicator (slurpd)
    No such process
    Configuring Kerberos server, realm is LDAP.BIOLA.EDU
    command: scp root@10.6.2.11:/var/db/krb5kdc/.k5.LDAP.BIOLA.EDU /var/db/krb5kdc/
    command: scp root@10.6.2.11:/var/db/krb5kdc/kadm5.acl /var/db/krb5kdc/
    command: scp root@10.6.2.11:/var/db/krb5kdc/kadm5.keytab /var/db/krb5kdc/
    command: scp root@10.6.2.11:/var/db/krb5kdc/kdc.conf /var/db/krb5kdc/
    command: ssh root@10.6.2.11 /usr/sbin/kdb5_util dump – K/M@LDAP.BIOLA.EDU
    command: /usr/sbin/kdb5_util load /var/db/krb5kdc/initial.dump
    Removed file at path /var/db/krb5kdc/initial.dump.
    9 Enabling password server replication
    command: /usr/sbin/NeST -setupreplica 10.6.2.11 diradmin ****
    NeST command output:
    GetReplicaSetup = -14103
    NeST command failed with status 255
    Removing replica due to an error adding a Password Server replica.
    command: ssh root@10.6.2.11 /usr/sbin/slapconfig -removereplica 10.6.2.12
    Stopping LDAP replicator (slurpd)
    nothing found to load
    Stopping LDAP server (slapd)
    nothing found to load
    Starting LDAP server (slapd)
    No such process
    Removed file at path /var/db/openldap/openldap-slurp/replication.log.
    Removed file at path /var/db/openldap/openldap-slurp/replication.log.lock.
    command: /usr/sbin/sso_util remove -k -d -s -c -n -v 1
    sso_util command output:
    shutting down kadmind
    kadmind shut down
    shutting down kdc
    No such process
    No such process
    kdc shut down
    removing kdc database files
    Stopping LDAP server (slapd)
    nothing found to load
    Stopping LDAP replicator (slurpd)
    No such process
    nothing found to load
    Removed file at path /var/db/openldap/openldap-data/__db.001.
    Removed file at path /var/db/openldap/openldap-data/__db.002.
    Removed file at path /var/db/openldap/openldap-data/__db.003.
    Removed file at path /var/db/openldap/openldap-data/__db.004.
    Removed file at path /var/db/openldap/openldap-data/__db.005.
    Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
    Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
    Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
    Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
    Removed file at path /var/db/openldap/openldap-data/cn.bdb.
    Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
    Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
    Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
    Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
    Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
    Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
    Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
    Removed file at path /var/db/openldap/openldap-data/ou.bdb.
    Removed file at path /var/db/openldap/openldap-data/sn.bdb.
    Removed file at path /var/db/openldap/openldap-data/uid.bdb.
    Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
    Removed file at path /etc/openldap/slapd_macosxserver.conf.
    Removed file at path /etc/openldap/slapd.conf.
    Copied file from /etc/openldap/slapd.conf.default to /etc/openldap/slapd.conf.
    command: /usr/sbin/NeST -pwsstandalone
    NeST command output:
    No such process
    nothing found to load

    nothing found to load
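
The transcript above is long and most of it is routine stop/start noise; the useful signal is the numbered step in which NeST failed and the GetReplicaSetup code it printed before slapconfig rolled the replica back. The following is an added example, not code from the post or from Apple: a small parser that walks a slapconfig -createreplica transcript and reports exactly that. The embedded sample transcript is constructed from the post’s output with the hosts moved to RFC 5737 documentation addresses.

```python
"""Scan a slapconfig -createreplica transcript for a Password Server failure
and report which numbered step it died in (added example, not the post's code)."""
import re

STEP_RE = re.compile(r"^(\d+) (.+)$")            # e.g. "9 Enabling password server replication"
NEST_STATUS_RE = re.compile(r"NeST command failed with status (\d+)")
REPLICA_SETUP_RE = re.compile(r"GetReplicaSetup = (-?\d+)")
ROLLBACK_MARKER = "Removing replica due to an error adding a Password Server replica."

# slapconfig's stop/start helpers print these whenever a daemon was not
# running; they are routine noise, not the cause of a failed replica.
BENIGN = {"No such process", "nothing found to load"}

# Constructed sample: trimmed from the post's transcript, hosts replaced.
SAMPLE = """\
1 Destroying local LDAP server
command: /usr/sbin/sso_util remove -k -d -s -c -n -v 1
No such process
Stopping LDAP server (slapd)
nothing found to load
8 Starting replicator on master server
command: ssh root@192.0.2.11 /usr/sbin/slapconfig -startreplicator
9 Enabling password server replication
command: /usr/sbin/NeST -setupreplica 192.0.2.11 diradmin ****
NeST command output:
GetReplicaSetup = -14103
NeST command failed with status 255
Removing replica due to an error adding a Password Server replica.
command: ssh root@192.0.2.11 /usr/sbin/slapconfig -removereplica 192.0.2.12
"""


def analyze(transcript):
    """Return details of the failing step, or None if the run shows no failure."""
    steps, current = {}, None
    info = {"failed_step": None, "nest_status": None,
            "replica_setup_code": None, "rolled_back": False}
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line or line in BENIGN:
            continue
        step = STEP_RE.match(line)
        if step:                                  # remember the step we are in
            current = int(step.group(1))
            steps[current] = step.group(2)
            continue
        failed = NEST_STATUS_RE.search(line)
        if failed:                                # NeST exit status ties the failure to a step
            info["nest_status"] = int(failed.group(1))
            info["failed_step"] = current
        code = REPLICA_SETUP_RE.search(line)
        if code:
            info["replica_setup_code"] = int(code.group(1))
        if line == ROLLBACK_MARKER:
            info["rolled_back"] = True
    if info["failed_step"] is None and not info["rolled_back"]:
        return None
    info["step_name"] = steps.get(info["failed_step"])
    return info


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Feed it the contents of /Library/Logs/slapconfig.log (mentioned earlier in the thread) to get the same summary for a real run.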

    in reply to: group membership? #362959
    mkalien
    Participant

    They are “smaller” applications. I could be wrong, but from everything I’ve looked at they only seem to map user attributes to the application for roles/permissions. So far, I’ve found Webhelpdesk, Blue socket (wireless authentication), and pgina seem to work this way.

    In a sense it doesn’t matter too much, when we move our PCs off of pgina and over to AD, this won’t be an issue. If we get Cisco’s ACS (I think that’s the name) up, we won’t need Blue Socket.

    I just wondered what best practice was.

    in reply to: 10.4 ASR Multicast Help #361693
    mkalien
    Participant

    [QUOTE BY= sphns]When a client is started, it just ‘jumps in’ wherever the stream is and starts restoring from that point, wrapping around until it gets all the blocks of the disk image file.[/QUOTE]

    Thanks. Did I just miss this information? I didn’t find it in the man pages. Where do you look for more asr documentation?
