Forum Replies Created

Viewing 15 posts - 1 through 15 (of 18 total)
  • in reply to: Upgrading php to 5.2.11 to fix 5.2.10 date bug #377343
    smithsm
    Participant

    I was able to put together a set of instructions that work for
    upgrading to php 5.2.11 on OS X Server 10.5.8 v1.1

    Here they are

    I used a combination of the following:
    Alexandrides (alex) Athanasios topic desk
    os x server instructions (for php 5.2.10)
    “Updating_PHP5_on_OS_X_Server_10_5_Leopard.rtf”
    with 5.2.11 specific instructions here
    http://www.malisphoto.com/tips/php-on-os-x.html
    along with some help from here
    http://www.bill.eccles.net/bills_words/2008/12/libiconv-madness.html

    ————–
    some directory to put sources in

    $ mkdir -p /install/source
    $ cd /install/source

    ——– MySQL client
    to see manual download go to http://www.opensource.apple.com/release/mac-os-x-1058/
    search for mysql

    $ curl -O http://www.opensource.apple.com/other/MySQL-45.binaries.tar.gz

    $ tar xzpf MySQL-45.binaries.tar.gz
    $ cd MySQL-45.binaries

    I think the MySQL-45 contains both mysql 4 and mysql 5 not mysql 4.5

    $ tar xzf MySQL-45.root.tar.gz

    make sure /usr/include and /usr/lib exist if not then create them with
    sudo mkdir -p /usr/include

    sudo mkdir -p /usr/lib

    $ sudo cp -r usr/include/mysql /usr/include/
    $ sudo cp -r usr/lib/mysql /usr/lib/
    $ sudo cp -r usr/bin/mysql_config /usr/bin/mysql_config

    —– add libiconv in /usr/local/lib but leave Apple’s in /usr/lib

    download
    http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.1.tar.gz
    copy to
    /install/source

    $ cd /usr/local

    $ pwd
    /usr/local
    $ ls
    bin

    $ sudo mkdir -p src
    $ sudo mkdir -p lib
    $ ls
    bin lib src
    $ cd /usr/local/src

    $ sudo tar -xvzpf /install/source/libiconv-1.13.1.tar.gz
    $ cd /usr/local/src/libiconv-1.13.1

    $ sudo -s

    MACOSX_DEPLOYMENT_TARGET=10.5 \
    CFLAGS="-arch ppc -arch ppc64 -arch i386 -arch x86_64 -g -Os -pipe -no-cpp-precomp" \
    CCFLAGS="-arch ppc -arch ppc64 -arch i386 -arch x86_64 -g -Os -pipe" \
    CXXFLAGS="-arch ppc -arch ppc64 -arch i386 -arch x86_64 -g -Os -pipe" \
    LDFLAGS="-arch ppc -arch ppc64 -arch i386 -arch x86_64 -bind_at_load" \
    ./configure

    # exit
    $ sudo make

    $ sudo make install

    ————— php

    $ curl -O http://us2.php.net/distributions/php-5.2.11.tar.gz

    $ tar xzpf php-5.2.11.tar.gz

    $ cd /install/source/php-5.2.11

    $ sh

    $ CFLAGS=-DBIND_8_COMPAT
    $ export CFLAGS

    What is that for
    http://php.net/manual/en/install.macosx.php
    The -DBIND_8_COMPAT=1 gets you over a problem in the DNS files because MacOS X has definitions for Bind9 and PHP expects Bind8 definitions. -DEAPI is needed if you build it for Apache 1.3.31. -O3 enables the gcc optimizer.

    But that is for an old version of PHP so maybe no longer needed but will keep it

    MACOSX_DEPLOYMENT_TARGET=10.5 \
    CFLAGS="-arch ppc -arch ppc64 -arch i386 -arch x86_64 -g -Os -pipe -no-cpp-precomp" \
    CCFLAGS="-arch ppc -arch ppc64 -arch i386 -arch x86_64 -g -Os -pipe" \
    CXXFLAGS="-arch ppc -arch ppc64 -arch i386 -arch x86_64 -g -Os -pipe" \
    LDFLAGS="-arch ppc -arch ppc64 -arch i386 -arch x86_64 -bind_at_load" \
    ./configure \
    --prefix=/usr \
    --mandir=/usr/share/man \
    --infodir=/usr/share/info \
    --with-apxs2=/usr/sbin/apxs \
    --with-ldap=/usr \
    --with-kerberos=/usr \
    --enable-cli \
    --with-zlib-dir=/usr \
    --enable-exif \
    --enable-ftp \
    --enable-mbstring \
    --enable-mbregex \
    --enable-sockets \
    --with-iodbc=/usr \
    --with-curl=/usr \
    --with-config-file-path=/etc \
    --sysconfdir=/private/etc \
    --with-mysql-sock=/var/mysql \
    --with-mysqli=/usr/bin/mysql_config \
    --with-mysql=/usr \
    --with-openssl \
    --with-xmlrpc \
    --with-xsl=/usr \
    --without-pear

    —————–
    Now have to patch makefile

    http://www.malisphoto.com/tips/php-on-os-x.html

    # Patch the make file per http://bugs.php.net/bug.php?id=48195
    # Need to do this only on 64-bit builds
    nano Makefile
    # Change the line ….
    $(CC) $(MH_BUNDLE_FLAGS) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) $(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so
    # to …
    $(CC) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) $(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) $(MH_BUNDLE_FLAGS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so

    ————

    $ make

    $ make test

    $ sudo make install

    $ sudo apachectl graceful

    $ exit

    $ /usr/bin/php -v
    PHP 5.2.11 (cli) (built: Oct 14 2009 15:19:32)
    Copyright (c) 1997-2009 The PHP Group
    Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

    $ /usr/bin/php -i

    Create a file called info.php with the following contents:

    in reply to: 10.5.7 10.5.8 combo updaters won’t update apple apps #377231
    smithsm
    Participant

    I used an application to delete system caches and this allowed the update to work. (Can’t give the name of the application as it thinks this post is spam if I do.)

    Usually do this but overlooked it this time.

    in reply to: 10.5.7 10.5.8 combo updaters won’t update apple apps #377214
    smithsm
    Participant

    I checked the install.log and it’s diverting mail.app to /var/run/donotinstall
    So for some reason it thinks it’s not supposed to install it.

    Any idea how to fix it or force it to install?

    in reply to: Default Owner New File #372271
    smithsm
    Participant

    Looks like a cron or launchd script is the only way that works since ACLs are not inherited by GUI applications. ACLs are only inherited by shell apps and the Finder. Which means that I can get any kind of ownership and permissions inside the shared folder.

    I set up a local directory to test out the ACL approach

    $ chmod +a "group:admin allow read,write,delete,append,execute,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" test

    I made admin the owner and group for the test directory

    drwxrwxr-x+ 15 admin admin 510 Apr 15 15:35 test

    my bash shell umask is 002
    I removed the umask from /etc/launchd.conf so the default system umask for gui apps is 022 which means group has no write permissions

    Anything (file or directory) I create inside test using a shell command has group of admin and inherits the ACL from test so admin has write permissions

    Folders created by finder inherit the ACL. So far so good. Files drag and dropped into the directory by Finder will at least inherit group from the directory
    but won’t inherit the ACL (expected).

    What surprised me is that files created by some Apple GUI apps do not necessarily inherit the ACL. The Apple GUI apps Text Edit and Preview for example. Not only do they not inherit the ACL, they don’t even inherit the group from the directory’s group.

    So for example if I am logged in under my personal account samuel with primary group staff but samuel is also an admin user (so is a member of group admin)
    Any files I create in the test directory with Apple Text Edit or Preview (using save as) have permissions rwxr-xr-x and the owner:group is samuel:admin despite the fact that the group for the directory is admin and despite the ACL. This means that other admins cannot edit the file without explicitly sudoing or changing the permissions.

    If I set the global umask in launchd.conf then at least the file has group write permissions set but the group is staff not admin.

    Safari Downloads do inherit both the ACL and the group from the directory. BBEdit files created by save as also inherit the group and ACL.

    Because some Apple GUI apps don’t inherit ACLs, there is no elegant way to ensure that files created in a shared directory amongst users in the admin group can be writable by admin using only ACLs without the global umask.

    If the ~/.launchd.conf wasn’t broken in Leopard then at least one could set umask for gui apps on a user by user basis instead of globally.

    Did I miss something?
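
The post concludes that a cron or launchd script is the only approach that works. A sketch of such a repair pass, added here as an example and not part of the original post; the function names and the demo tree are assumptions, and it repairs POSIX group and mode bits only, not the ACL:

```shell
#!/bin/sh
# Added example: periodic repair pass for a shared directory, intended to
# be called from cron or launchd. Function names are hypothetical.

# Print every non-symlink entry under directory $1 that is not in group $2
# or that lacks group write permission (the two symptoms the post reports
# for files saved by some GUI apps).
audit_share() {
    find "$1" ! -type l \( ! -group "$2" -o ! -perm -020 \) -print
}

# Put those entries back into group $2 and add group write.
# Symlinks are skipped because chgrp and chmod would act on the link
# target, which may lie outside the share.
repair_share() {
    find "$1" ! -type l \( ! -group "$2" -o ! -perm -020 \) \
        -exec chgrp "$2" {} + -exec chmod g+w {} +
}

# Build a constructed test tree that mimics the post: one file saved under
# the 022 umask the GUI apps received, one under the 002 shell umask.
# Prints the path of the new directory.
make_demo_share() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/share.XXXXXX") || return 1
    ( umask 022; : > "$d/from_gui_app.txt" )
    ( umask 002; : > "$d/from_shell.txt" )
    chmod 775 "$d"
    printf '%s\n' "$d"
}
```

Run `audit_share` first to see what a pass would touch; the account running `repair_share` must own the files or be root for chgrp and chmod to succeed.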

    in reply to: Default Owner New File #372263
    smithsm
    Participant

    The problem with rsync is that it only copies one way, it doesn’t do 2 way synchronization.

    I will try the ACL for admin to do everything.

    I guess the answer to my last question is that there is no way to set a default owner in Leopard only the group can be defaulted?

    in reply to: Default Owner New File #372219
    smithsm
    Participant

    I have a shared directory with a local copy on my machine and another copy on an AFP server. The problem arises when I synchronize the directory with a copy on an AFP Server. The synchronize program runs as root and so whenever it creates files on the local copy it gets owner of root. Which means I can’t change them unless I sudo or manually chown. If the owner defaulted to admin I wouldn’t have to give default write permissions to group.

    I finally figured out that in Leopard I can set default write permission using the global umask of 002 using launchd.conf (since NSUmask no longer works) so that new directories and files have group write permissions by default. I can therefore give admin default write privileges to the directory but I am concerned about loosening up permissions on everything in my system to group write using launchd.conf. If I could force owner to be admin then I wouldn’t have to allow group write permissions everywhere.

    I suppose using ACLs with inheritance that I can give default group write permissions to new files in a given set of directories only, so that would be an alternative. Which means I wouldn’t need to default ownership, but it would be nice to know, nonetheless, if only for the sake of curiosity. I couldn’t find any hints anywhere that showed how to do it for Leopard so I figured if anyone knew how to do it this forum would.

    Also this does not help when moving in files created somewhere else. I suppose there is no way to automagically default change the owner or even group of a file moved into a directory.

    in reply to: Network user login one one computer broken others work? #369780
    smithsm
    Participant

    I got it working!
    Your comment about the KDC not being able to talk back to the password server gave me a clue as to what
    might be the problem.

    I use EIMS for the mail server and EIMS also defaults to using port 106 for its password server. Tiger server lists two different
    ports for its password server in its preferences file, 3659 and 106.
    The EIMS docs say to remove the conflict by disabling port 106 for tiger server by deleting its entry from /library/preferences/com.apple.passwordserver.plist . It says that this does no harm as tiger server uses the other port.
    Apparently this changed with one of the recent updates to Tiger server.
    When I reenabled port 106 and rebooted, kerberos started working.
    In the past Kerberos worked with port 106 disabled.

    So it appears that Kerberos on tiger server uses port 106 to talk to the password server while everything else uses the standard
    port 3659.

    I will notify EIMS developer to fix his documentation.
    I just had to set EIMS’s password server to use a different port.

    in reply to: Network user login one one computer broken others work? #369776
    smithsm
    Participant

    >>>So… Kerberos is failing for all network users? Is it working for anyone? Does it fail a kinit done from the server itself?

    it fails for all users including kinit done from the server.

    So there is supposed to be a CHECK_PWS_ACCT in the list of principals?

    in reply to: How to repair Kerberos? #369758
    smithsm
    Participant

    kinit [email protected]
    Please enter the password for [email protected]:
    Kerberos Login Failed: Generic error (see e-text)

    This topic should be combined with my other one on network users can’t login.

    in reply to: Network user login one one computer broken others work? #369753
    smithsm
    Participant

    >>- I’m not quite sure what Kerberos issue you’re still seeing? Do you have an actual Kerberos failure, or are you just looking at noise in the logs?

    When I use the Kerberos utility on a client machine to try to create a new ticket for a network user I get
    “Kerberos login failed: Generic Error (see e-text)”

    The kdc log on the server produces the following entry as a result.

    Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
    Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: CHECK_PWS_ACCT: [email protected] for krbtgt/[email protected], Connection refused

    I get same error whenever a network user logs in.
    The only tickets in /library/preferences such as edu.mit.Kerberos.1HEenXabeZGsK0LVFUVcl are old (dating from when kerberos used to work)

    Is there some other way to verify that it’s not working?

    My ServerAdmin AFP->Access setting for authentication is Any Method and I have Enable Guest Access, Enable secure connections and Enabled administrator to masquerade…, all checked. So I believe this allows network users to log in even if
    kerberos is not working.

    In ServerAdmin OpenDirectory->Overview Lookupd is running, Netinfod is local only, slapd is running, password server is running, Kerberos is running.

    the edu.mit.Kerberos file looks fine to me
    # WARNING This file is automatically created, if you wish to make changes
    # delete the next two lines
    # autogenerated from : /LDAPv3/server.private
    # generation_id : 1855478373
    [libdefaults]
    default_realm = SERVER.PRIVATE
    [realms]
    SERVER.PRIVATE = {
    kdc = server.private
    admin_server = server.private
    }
    [domain_realm]
    private = SERVER.PRIVATE
    .private = SERVER.PRIVATE

    When I listprincs on the server it looks fine to me.

    server:admin$ sudo kadmin.local
    Password:
    Authenticating as principal root/[email protected] with password.
    kadmin.local: listprincs

    server:admin$ sudo klist -kt
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp Principal
    —- —————– ——————————————————–

    in reply to: Network user login one one computer broken others work? #369729
    smithsm
    Participant

    Yes one client machine that isn’t allowing network logins. More interesting, one user with portable home directory can login when
    disconnected from network. Then when logging out while connected the logout sync works and an entry shows up in the password server log on the server. So somehow password server was broken for logins but not logouts.

    I finally gave up and did a clean install on the client machine (took all weekend) because it was a development machine with all kinds of applications on it. This fixed the problem with network user login but not the kerberos problem.

    There is an app note “Kerberos authentication services may not successfully start” that says to use slapconfig and sso_util to get kerberos running. Will this resync the kerberos password database with the opendirectory?

    Question: why, once a client network user is logged in, does every admin authorization access the server? Every time
    a network user with portable home directory and admin privileges makes a configuration change, it hits the password server
    on the server instead of using local authorization. Seems unnecessary and fragile?

    in reply to: Network user login one one computer broken others work? #369699
    smithsm
    Participant

    I looked at the Password Server Log and KDC log and there is something odd going on.
    For computers where network login works I get the following in the Password Server Log each time a user authenticates

    Aug 11 2007 09:22:04 RSAVALIDATE: success.
    Aug 11 2007 09:22:04 AUTH2: {0x442c2aba5be330330000000d0000000d, alison} DIGEST-MD5 authentication succeeded.
    Aug 11 2007 09:22:04 QUIT: {0x442c2aba5be330330000000d0000000d, alison} disconnected.
    Aug 11 2007 09:24:37 RSAVALIDATE: success.

    I also get the following in the KDC log but not every time

    Aug 10 16:56:33 server.private krb5kdc[178](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
    Aug 10 16:56:33 server.private krb5kdc[178](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: CHECK_PWS_ACCT: [email protected] for krbtgt/[email protected], Connection refused

    So it appears that Kerberos is not working but network users can still log in. However Kerberos was working very recently as there
    are expired tickets saved in preferences

    FOR THE COMPUTER WHERE NETWORK Login does not work I do not get any entries in either the password server or kdc log
    for failed attempts to login. So it appears that it is not accessing the password server correctly.
    How do I debug this or fix it?
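
One way to separate the real failure in the KDC log quoted above from normal pre-authentication chatter, added here as an example and not part of the original post. The sample lines are constructed in the same layout with placeholder principals, and the function names are assumptions:

```shell
#!/bin/sh
# Added example: summarise krb5kdc AS_REQ/TGS_REQ failures from a KDC log.

# Constructed sample lines in the layout of the entries quoted in the post.
# Principals and realm are placeholders, not values from the page.
sample_kdc_log() {
cat <<'EOF'
Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: NEEDED_PREAUTH: user1@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE, Additional pre-authentication required
Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: CHECK_PWS_ACCT: user1@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE, Connection refused
Aug 16 10:12:01 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: NEEDED_PREAUTH: user2@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE, Additional pre-authentication required
Aug 16 10:12:01 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: CHECK_PWS_ACCT: user2@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE, Connection refused
Aug 16 10:15:40 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: CHECK_PWS_ACCT: user1@EXAMPLE.PRIVATE for krbtgt/EXAMPLE.PRIVATE@EXAMPLE.PRIVATE, Connection refused
EOF
}

# Read a KDC log on stdin and print one line per distinct failure as
#   count|status|reason|client-ip
# Fields in each entry are separated by ": ":
#   $2 = request type, etypes and client address
#   $3 = status keyword
#   last field = "client for server, reason"
# ISSUE (ticket granted) and NEEDED_PREAUTH (normal first leg of a
# pre-authenticated request) are skipped; anything else is counted.
kdc_failures() {
    awk -F': ' '
        $2 ~ /^(AS_REQ|TGS_REQ) / {
            status = $3
            if (status == "ISSUE" || status == "NEEDED_PREAUTH") next
            n = split($2, parts, " ")
            ip = parts[n]                 # client address ends field 2
            reason = $NF
            sub(/^.*, /, "", reason)      # keep only the text after the last ", "
            count[status "|" reason "|" ip]++
        }
        END { for (k in count) print count[k] "|" k }
    ' | sort
}
```

On the sample, every remaining line is `CHECK_PWS_ACCT` with `Connection refused`, which points at the KDC's connection to the password server rather than at the user's credentials.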

    in reply to: 10.4.3 breaks debian gcc on nfs mounts #364155
    smithsm
    Participant

    After some trial and error I was able to find a work around.
    Disabling attribute caching worked. This is done using the “noac” nfs option.

    #These two worked on tiger 10.4.3
    exec -c "console=ttyAM0,115200 ip=10.0.2.155:10.0.2.150:10.0.2.1:255.255.255.0:ts7250 nfsroot=10.0.2.150:/Data/nfsroot,noac"

    #fstab entry
    10.0.2.150:/Data/nfsroot/ / nfs noac,noauto 0 0

    Noteworthy is the fact that if I disable attribute caching and enable sync and dirsync that it doesn’t work, that is, if I use noac,sync,dirsync then it does not work. Seems that 10.4.3 nfs is fragile.

    in reply to: 10.4.3 breaks debian gcc on nfs mounts #364134
    smithsm
    Participant

    I couldn’t really grok what information tcpdump gave me so I tried ethereal.

    In ethereal, when a.out ends up with execute permissions, there is a SETATTR call and Reply that enables owner execute permissions. When it doesn’t work there is no SETATTR that I can see. It occurs about 6 packets after a.out is written. In every case it appears that a.out is written correctly. The file size is the same. I also did a dump with 10.3.9.
    Interestingly the process of gcc foo.c takes about 800 nfs packets in 10.4.3 and only about 500 in 10.3.9. The SETATTR is there in 10.3.9

    So why is the SETATTR not always occurring in 10.4.3?

    in reply to: 10.4.3 breaks debian gcc on nfs mounts #364108
    smithsm
    Participant

    How do I determine if chmod is being called when running gcc?
    I don’t know how to even observe what is going on.
