morgant's questions

I've got an SMTP relay server that I recently replaced with OS X 10.10 Yosemite running Server.app. It is running as an SMTP-only relay allowing only hosts from the LAN to relay out through it. We do this so that all mail from our subnet is correctly sent from a verified host for our domain for Sender Policy Framework (SPF) and such.

Configuring to relay out was pretty easy. Following Apple's documentation for Disabling Mail services on OS X Server, I did the following:

sudo serveradmin settings mail:global:skip_enable_service_check = yes
sudo serveradmin settings mail:imap:enable_imap = no
sudo serveradmin settings mail:imap:enable_pop = no
sudo serveradmin settings mail:imap:enable_sieve = no
sudo serveradmin stop mail
sudo serveradmin start mail

That ensured that only SMTP is running and remains the case after rebooting or restarting the Mail service. Since the SMTP relay server's hostname is subdomain in the domain it's relaying for, I also had to modify /Library/Server/Mail/Config/postfix/main.cf to remove $myhostname & $mydomain from "mydestination", the resulting line is as follows:

mydestination = localhost.$mydomain, localhost

That also worked, Server.app recognized and retains the change (as verified by running sudo serveradmin settings mail:postfix). The same holds true for tweaks to the mynetworks line to limit which subnets relaying was accepted from.

The problem I'm experiencing is that modifications to the smtpd_pw_server_security_options line (specifically, to remove the LOGIN & PLAIN authentication types) will not stick and revert to the default (which includes the unwanted plaintext auth types) upon starting the Mail service. Apple's documentation on Apple-specific postfix options in Mac OS X Server imply that skipping the LOGIN & PLAIN options should be valid.

I have tried:

1. the aforementioned modifications to smtpd_pw_server_security_options in /Library/Server/Mail/Config/postfix/main.cf
2. As mentioned in the Apple-specific postfix options documentation, running sudo serveradmin settings mail:postfix:smtpd_use_pw_server = no (mail:postfix:smtpd_use_pw_server seems to be an empty dictionary under Yosemite)
3. Running sudo serveradmin settings postfix:smtp_sasl_auth_enable = yes (it defaults to 'no' under Yosemite, so I assume Apple just swapped this option's functionality from the above mail:postfix:smtpd_use_pw_server option)
4. Using serveradmin to delete the login & plain elements from the mail:postfix:smtpd_pw_server_security_options array (e.g. sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:2 = delete), but as Charles Edge mentions in his kyrpted blog post about Removing 'serveradmin settings' Entries in OS X Server, that functionality seems to be broken. And, no these settings aren't mirrored in /Library/Server/Mail/Config/MailServicesOther.plist or any other .plist, so manually modifying those doesn't appear to be an option.

I have gotten plaintext auth disabled temporarily using Server.app by toggling the plaintext authentication setting from a partially selected checkbox (presumably because IMAP is disabled) to a fully deselected checkbox, but it's inconsistent and doesn't stick after restarting the Mail service.

Any suggestions or solutions would be greatly appreciated, with the exception of advising not to use Server.app on OS X. This is for an all-Apple shop which must dog food Apple's products for reasons which I cannot get into here. Naturally, leaving plaintext auth enabled is also not an option for obvious security & PCI DSS compliance reasons.

I've used Mac OS X Server's serveradmin command line interface for Server Admin.app & now Server.app for starting & stopping services, viewing status & settings, and occasionally running what few commands I can find documented on random blogs. There's a lot more that I'd like to do with it, but I can't seem to find a good reference for available commands (e.g. serveradmin command <service>:command = <...>).

The manpage has only a couple examples and, as previously mentioned, I've found a few on various Mac admin blogs, but nothing comprehensive and no mention of how to discover more. Is there a command that will list commands? Are people decompiling the binary and looking for command strings? Or, are people just using what precious few commands have been mentioned by Apple support & engineers?

Okay, I just finished resolving a jumbo frames issue between a few Xserves, a Netgear GSM7224, and a Drobo B800i. It turned out that the Xserves (Mac OS X 10.6.8 Server) and the Drobo B800i accept the MTU in bytes as normally expected (1500-9000), but the Netgear seems to have wanted it including the various ethernet headers/footers(trailers) and I ultimately ended up with the Xserves & Drobo configured with an MTU of 9000 and the Netgear ports set to an MTU of 9216.

I've used the following commands for testing & verifying the MTU between the two Xserves over the Netgear (Note: these are the Mac OS X commands, the Windows & Linux ones differ):

ping -D -s <mtu> <ip_address>

traceroute -F <ip_address> <mtu>

The former's usage is noted in the man page as, "Specify the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data." In testing, I found that to ping -D 1472 <ip_address> was the equivalent of MTU 1500 due to the 8 bytes of ICMP header data plus 20 bytes IP headers (see this and this). That all makes sense.

Now, why is the equivalent command for a 9000 MTU ping -D -s 8164 <ip_address>? I've verified this is the limit before I star getting "sendto: Message too long" errors, but also that 9000 MTU is working correctly as traceroute -F <ip_address> 9000 works and traceroute -F <ip_address> 9001 does not. So, why 8164? I would've expected 8972 (MTU - 28 bytes, just like for 1500 MTU).

Also, why 9216 MTU for the Netgear? I counted 42 bytes for the MAC & ethernet headers (inc. CRC), plus 20 for IP headers (which should eat into the MTU).

I'm really rusty on this math and know I'm just missing something.

I've got a couple of Mac OS X 10.6.8 Server web servers that run a custom AMP255 (Apache 2.x, MySQL 5.x, and PHP 5.x) stack installed using MacPorts. We've got a lot of Mac OS X Server servers and generally install SSL certs via Server Admin and they "just work" in the built-in services, however, these web servers have always had SSL certs installed in a non-standard location and used only for Apache.

Long story short, we're trying to standardize this part of our administration and install certs via Server Admin, but have run into the following issue: when the certs are installed via Server Admin and referenced in our Apache conf files, Apache then prompts for a password upon trying to start. It does not seem to be any password we know, certainly not the admin or keychain passwords! We've added the _www user to the certusers (mainly just to ensure they have the proper access to the private key in /etc/certificates/).

So, with the custom installed certs we have the following files (basically just pasted in from the company we purchase our certs from):

-rw-r--r--   1 root  admin  1395 Apr 10 11:22 *.domain.tld.ca
-rw-r--r--   1 root  admin  1656 Apr 10 11:21 *.domain.tld.cert
-rw-r--r--   1 root  admin  1680 Apr 10 11:22 *.domain.tld.key

And the following in the VirtualHost in /opt/local/apache2/conf/extra/httpd-ssl.conf:

SSLCertificateFile /path/to/certs/*.domain.tld.cert
SSLCertificateKeyFile /path/to/certs/*.domain.tld.key
SSLCACertificateFile /path/to/certs/*.domain.tld.ca

This setup functions normally.

If we use the certs installed via Server Admin, which both Server Admin & Keychain Assistant show as valid, they're installed in /etc/certificates/ as follows:

-rw-r--r--    1 root  wheel      1655 Apr  9 13:44 *.domain.tld.SOMELONGHASH.cert.pem
-rw-r--r--    1 root  wheel      4266 Apr  9 13:44 *.domain.tld.SOMELONGHASH.chain.pem
-rw-r-----    1 root  certusers  3406 Apr  9 13:44 *.domain.tld.SOMELONGHASH.concat.pem
-rw-r-----    1 root  certusers  1751 Apr  9 13:44 *.domain.tld.SOMELONGHASH.key.pem

And if we replace the aforementioned lines in our httpd-ssl.conf with the following:

SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCertificateChainFile /etc/certificates/*.domain.tld.SOMELONGHASH.chain.pem

This prompts for the unknown password. I have also tried httpd-ssl.conf configured as follows:

SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCertificateChainFile /etc/certificates/*.domain.tld.SOMELONGHASH.concat.pem

And as:

SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCACertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.chain.pem

We've verified that the certificate is configured to allow all applications access it (in Keychain Assistant). A diff of the /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem & *.domain.tld.key files shows the former is encrypted and the latter is not, so we're assuming that Server Admin/Keychain Assistant is encrypting them for some reason.

I know I can create an unencrypted key file as follows:

sudo openssl rsa -in /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem -out /etc/certificates/*.domain.tld.SOMELONGHASH.key.no_password.pem

But, I can't do that without entering the password. I thought maybe I could export an unencrypted copy of the key from Keychain Admin, but I'm not seeing such an option (not to mention that the .pem options are greyed out in all export options).

Any assistance would be greatly appreciated.

I've got a server running CentOS 5.3 (Final; kernel version 2.6.18) which I need to add a 2nd NIC to, initially temporarily, but eventually permanently. I'm not familiar with installing drivers under Linux and have only used system-config-network-tui and editing config files (we have no version of X installed) to configure the built-in ethernet adapter.

I found a few notes stating that the Apple USB Ethernet adapter works well under Linux. We're an Apple shop, so we have plenty and that'll do for the short term while we track down a better PCI-X ethernet adapter for this server. So, I downloaded & installed (make and make install) the appropriate version of the recommended AX88178 driver (Linux 2.6.38; for "Android 1.x/2.x/3.0, Linux kernel 2.6.14 and later"). After plugging in the Apple USB Ethernet adapter, it does show in the results of lsusb, but does not show in the options when I run system-config-network-tui.

The .ko file that was compiled & installed was "asix.ko" and if I run lsmod | grep asix, I get the following:

asix                   82176  0 
mii                    38849  1 asix

So, does that the kernel module is correctly installed & loaded? Do I need to alias "eth2" ("eth0" is the built-in ethernet and "eth1" is listed in system-config-network-tui as "skge", but is definitely not what I just plugged in) to "asix" in /etc/modules.conf as noted here? What other steps might I be missing?

Of note: I do now see a "dev23116" network interface when I run ifconfig -a that wasn't there before I installed the drivers. Is that the USB ethernet adapter? If so, do I alias that or use that as the interface's device in system-config-network-tui?

Some idiot (one guess as to who) installed a Cisco/Linksys SRW2024P in a 2nd location and forgot to change the IP before doing so. Now it's on a new subnet and I need to control it via console port.

I'm used to controlling Cisco gear through the console port from my Mac using screen or ZTerm and a Tripp Lite (née Keyspan) USB-to-Serial adapter, but have the benefit of being up to my neck in Cisco's blue DB9-to-RJ45 console cables. This Cisco/Linksys switch has a DB-9 male console port and I dug out a female-to-female DB9 serial cable, but I have no idea whether it's a null modem cable or not and it doesn't seem to work using the official serial port settings for the SRW2024P:

Bits per second: 38400
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

I must admit that I'm usually lucky and what cables I have tend to work, but not this time. Unfortunately, the former admin ditched the box & cables. So, should I need a null modem cable like the Tripp Lite P450-006 Null Modem Gold Cable DB9F/F - 6ft or something else?

I can get all crazy if I have to, but that's a lot of effort for something I could just buy a cable for, esp. since I'd like to keep the correct cable with this switch from now on. Any other ways to get into this that I'm not thinking of?

UPDATE:

I have tried a random serial cable and the aforementioned Tripp Lite null modem cable with my Keyspan USB-to-Serial adapter (both ZTerm and screen), and get nothing, no matter how many times I tap enter/return (okay, I haven't tested all the possibilities there). This is with using the aforementioned serial settings as well as the following (I found both in official documentation):

Bits per second: 115200
Data bits: 8 
Parity: none 
Stop bits: 1
Flow control: none

By connecting directly to the switch via ethernet and changing my IP to the same subnet as the original IP of the switch I can connect via the web interface, but do not have the password. And, no, it's not the default! So, my only option is serial (to perform a password reset, but that doesn't seem to be working in the slightest.

Any further suggestions would be greatly appreciated!

I'm transitioning away from an old tool that initiates an rsync (copying from a local path to a remote path w/SSH hostkeys) via a web form (completely behind a firewall w/multiple authentication layers, not that that's an excuse) hosted on Mac OS X 10.6 Snow Leopard Server. To work around the fact that rsync is run by _www, but the files are owned by someuser (plus the SSH hostkeys are for someuser), the original author made a copy of the rsync binary w/permissions of 4755 & someuser as the owner (so, anyone who runs that copy of rsync has it run as the someuser user). A dirty hack, for sure, but it works (and it was written before Mac OS X even had support for ACLs, so it's at least slightly understandable, though it's still atrocious from a security standpoint).

As my first step in moving away from this solution, I've changed the permissions of those files from 777 (owned by someuser) to 755 (still owned by someuser), then set ACLs for _www to have full access to those files, as follows:

chmod -R +a "_www allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit" /path/to/directory

Unfortunately, while still using the same rsync binary with the set-user-ID-on-execution bit set for someuser, rsync now throws the following error:

building file list ... rsync: link_stat "/path/to/directory/subdir/." failed: Permission denied (13)
done

sent 332 bytes  received 20 bytes  704.00 bytes/sec
total size is 0  speedup is 0.00
rsync error: some files could not be transferred (code 23) at /SourceCache/rsync/rsync-30/rsync/main.c(717)

If I check the permissions for that directory, they seem correct:

$ ls -ael /path/to/directory/
total 0
drwxr-x---+  3 someuser  admin  102 Jun 23 19:00 .
 0: user:_www allow list,add_file,delete,add_subdirectory,file_inherit,directory_inherit
drwxr-xr-x   8 someuser  admin  272 Jun 23 18:57 ..
drwxr-xr-x+ 17 someuser  admin  578 Jun 23 17:15 subdir
 0: user:_www allow list,add_file,delete,add_subdirectory,file_inherit,directory_inherit

The same is true of a file in the directory:

$ ls -ael /path/to/directory/subdir/file.txt 
-rwxr-xr-x+ 1 someuser  admin  107 Jun 23 17:15 subdir/file.txt
 0: user:_www allow read,write,delete,append

What would cause this permissions error since the files are still owned by the user which the rsync binary runs, plus the _www user should have full ACLs for the directory & files?

Update: It seems like it's an ACL issue as running sudo -u _www ls -ael /path/to/directory/ results in "permission denied" errors as well:

ls: .: Permission denied
ls: ..: Permission denied
ls: subdir: Permission denied`

So, what's wrong with the ACLs I've set?

I'm configuring a Drobo on a Mac OS X 10.5 Leopard Server file server and am trying to configure email notifications. Unfortunately, when doing so, both our primary mail server and the local Mail service on the server throw a "502 5.5.2 Error: command not recognized" error when attempting to send the test message.

Both our primary mail server and the local Mail service on the file server are Mac OS X 10.5 Leopard Server and so are postfix-based. The primary mail server is set to allow relaying from the local network and the local Mail service is set to only allow relaying from 127.0.0.0/8 and it's IP address and to relay through our primary mail server. This has all worked well for years until now.

Drobo Dashboard's Email Settings cannot send through either the primary mail server or localhost without authentication without getting the aforementioned error, although all our other scripts on the server continue to send email normally.

I've set debug_peer_level = 3 & debug_peer_list = 127.0.0.1 in /etc/postfix/main.cf on the file server. When attempting to send the test message from Drobo Dashboard, I get the following debug info in /var/log/mail.log:

May 10 13:32:58 eeg postfix/smtpd[7320]: connect from localhost[127.0.0.1]
May 10 13:32:58 eeg postfix/smtpd[7320]: match_hostname: localhost ~? 127.0.0.0/8
May 10 13:32:58 eeg postfix/smtpd[7320]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
May 10 13:32:58 eeg postfix/smtpd[7320]: > localhost[127.0.0.1]: 220 host.domain.tld ESMTP Postfix
May 10 13:32:58 eeg postfix/smtpd[7320]: watchdog_pat: 0x109998
May 10 13:32:58 eeg postfix/smtpd[7320]: vstream_fflush_some: fd 9 flush 36
May 10 13:32:58 eeg postfix/smtpd[7320]: vstream_buf_get_ready: fd 9 got 23
May 10 13:32:58 eeg postfix/smtpd[7320]: < localhost[127.0.0.1]: EHLO host.domain.tld
May 10 13:32:58 eeg postfix/smtpd[7320]: > localhost[127.0.0.1]: 250-host.domain.tld
May 10 13:32:58 eeg postfix/smtpd[7320]: > localhost[127.0.0.1]: 250-PIPELINING
May 10 13:32:58 eeg postfix/smtpd[7320]: > localhost[127.0.0.1]: 250-SIZE
May 10 13:32:58 eeg postfix/smtpd[7320]: > localhost[127.0.0.1]: 250-VRFY
May 10 13:32:58 eeg postfix/smtpd[7320]: match_list_match: localhost: no match
May 10 13:32:58 eeg postfix/smtpd[7320]: match_list_match: 127.0.0.1: no match
May 10 13:32:58 eeg postfix/smtpd[7320]: > localhost[127.0.0.1]: 250-ETRN
May 10 13:32:58 eeg postfix/smtpd[7320]: > localhost[127.0.0.1]: 250-ENHANCEDSTATUSCODES
May 10 13:32:58 eeg postfix/smtpd[7320]: > localhost[127.0.0.1]: 250-8BITMIME
May 10 13:32:58 eeg postfix/smtpd[7320]: > localhost[127.0.0.1]: 250 DSN
May 10 13:32:58 eeg postfix/smtpd[7320]: watchdog_pat: 0x109998
May 10 13:32:58 eeg postfix/smtpd[7320]: vstream_fflush_some: fd 9 flush 116
May 10 13:32:58 eeg postfix/smtpd[7320]: vstream_buf_get_ready: fd 9 got 10
May 10 13:32:58 eeg postfix/smtpd[7320]: < localhost[127.0.0.1]: STARTTLS
May 10 13:32:58 eeg postfix/smtpd[7320]: > localhost[127.0.0.1]: 502 5.5.1 Error: command not implemented
May 10 13:32:58 eeg postfix/smtpd[7320]: watchdog_pat: 0x109998
May 10 13:32:58 eeg postfix/smtpd[7320]: vstream_fflush_some: fd 9 flush 42

Is it the 'STARTTLS' command that's not implemented? Any thoughts on why this fails on both our mail servers while other software doesn't have issues?

We have a Mac OS X 10.5 Leopard Server mail server that recently started getting issues with IMAP mailboxes having "invalid format[s]" this weekend. It turned out that there were some bad block counts on the volume housing IMAP data and the issue has not resurfaced after repairing the volume and the afflicted mailboxes. However, a new issue that is persisting is frequently crashing imaps processes and ever increasing db4 "lockers" errors like the following:

Apr 13 17:01:12 host lmtpunix[31509]: DBERROR db4: 1134 lockers

The errors for the crashing imaps processes from /var/log/system.log are as follows:

Apr 12 13:43:10 host imaps[11792]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits new) no authentication
Apr 12 13:43:12 host imaps[11792]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits new) no authentication
Apr 12 13:43:13 host imaps[11792]: login: pool-72-92-XXX-XXX.burl.east.myfairpoint.net [72.92.XXX.XXX] user3 CRAM-MD5+TLS User logged in
Apr 12 13:43:15 host ReportCrash[14362]: Formulating crash report for process imapd[11792]
Apr 12 13:43:15 host master[94896]: process 11792 exited, signaled to death by 11
Apr 12 13:43:15 host ReportCrash[14362]: Saved crashreport to /Library/Logs/CrashReporter/imapd_2011-04-12-134315_host.crash using uid: 0 gid: 0, euid: 0 egid: 0

And the following from /var/log/mailaccess.log:

Apr 12 13:43:10 host imaps[11792]: accepted connection
Apr 12 13:43:10 host imaps[11792]: mydelete: starting txn 2147495107
Apr 12 13:43:10 host imaps[11792]: mydelete: committing txn 2147495107
Apr 12 13:43:10 host imaps[11792]: mystore: starting txn 2147495108
Apr 12 13:43:10 host imaps[11792]: mystore: committing txn 2147495108
Apr 12 13:43:10 host imaps[11792]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits new) no authentication
Apr 12 13:43:12 host imaps[11792]: accepted connection
Apr 12 13:43:12 host imaps[11792]: mydelete: starting txn 2147495112
Apr 12 13:43:12 host imaps[11792]: mydelete: committing txn 2147495112
Apr 12 13:43:12 host imaps[11792]: mystore: starting txn 2147495113
Apr 12 13:43:12 host imaps[11792]: mystore: committing txn 2147495113
Apr 12 13:43:12 host imaps[11792]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits new) no authentication
Apr 12 13:43:12 host imaps[11792]: AOD: user options: no lookup required for: user3
Apr 12 13:43:13 host imaps[11792]: login: pool-72-92-XXX-XXX.burl.east.myfairpoint.net [72.92.149.161] user3 CRAM-MD5+TLS User logged in
Apr 12 13:43:13 host imaps[11792]: quota set to "unlimited" for mailbox user.user3
Apr 12 13:43:13 host imaps[11792]: open: user user3 opened Other Users/listmaster
Apr 12 13:43:15 host master[94896]: process 11792 exited, signaled to death by 11
Apr 12 13:43:15 host master[94896]: service imaps pid 11792 in BUSY state: terminated abnormally
Apr 12 13:43:15 host master[94896]: process 11792 exited, signaled to death by 11
Apr 12 13:43:15 host master[94896]: service imaps pid 11792 in BUSY state: terminated abnormally

The crash reports are all like the following:

Process:         imapd [39069]
Path:            /usr/bin/cyrus/bin/imapd
Identifier:      imapd
Version:         ??? (???)
Code Type:       X86 (Native)
Parent Process:  master [38605]

Date/Time:       2011-04-13 18:25:24.068 -0400
OS Version:      Mac OS X Server 10.5.7 (9J61)
Report Version:  6
Anonymous UUID:  223C4DD1-2AE2-4381-8A28-DEB9082281A8

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000077a0ca64
Crashed Thread:  0

Thread 0 Crashed:
0   imapd                               0x0003090c process_records + 588
1   imapd                               0x00031362 mailbox_expunge + 2146
2   imapd                               0x00006fde cmd_close + 179
3   imapd                               0x00018cf8 cmdloop + 2940
4   imapd                               0x0001c1b7 service_main + 1498
5   imapd                               0x00002e73 main + 3502
6   imapd                               0x00002006 start + 54

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x61766970  ebx: 0x000306cb  ecx: 0x00000008  edx: 0x77a0ca64
  edi: 0x00bfffa4  esi: 0x162a5fa4  ebp: 0xbfffad48  esp: 0xbfffac90
   ss: 0x0000001f  efl: 0x00010202  eip: 0x0003090c   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
  cr2: 0x77a0ca64

Yes, they all crash in process_records in mailbox_expunge.

I'm not really seeing any other errors in the logs, at least that seem to be related to the crashed processes in any way or are innocuous like SQUAT failed to open index file and IOERROR: fstating sieve script /usr/sieve/u/user/defaultbc: No such file or directory.

I must admit, I have not rebuilt the Other Users/listmaster mailbox nor the user3 mailbox yet. It's not always the same user.

We do have some users that have found that sent email is not getting saved to their 'Sent Messages' mailbox and hasn't been since the date of the original issue. Rebuilding their mailbox (currently using sudo mailbfr -m username as it does some extra permissions fixed in addition to the sudo /usr/bin/cyrus/bin/reconstruct -r user/username that I'd normally run) seems to allow newly sent email to be saved to it, but I'm having trouble finding a correlation between that issue and this one (or any other errors in the logs).

Any suggestions would be greatly appreciated. Is is really crashing trying to delete messages? Should I just rebuild all users' mailboxes individually? I really do not want to rebuild the Cyrus database in its entirety and lose all flagged/read status for all messages.

We've got a linux server running sendmail that relays email through our primary mail server, but ever since a change of DNS servers last week, it's been timing out connecting to our mail server. Upon further investigation, /var/log/maillog shows lines like the following, incl. the incorrect IP address for the mail server:

Apr  4 15:37:32 yip sendmail[20583]: p34JVgLE020540: to=<[email protected]>, ctladdr=<[email protected]> (0/0), delay=00:05:50, xdelay=00:02:00, mailer=esmtp, pri=258071, relay=mailserver.domain.tld. [xxx.xxx.xxx.xxx], dsn=4.0.0, stat=Deferred: Connection timed out with mailserver.domain.tld.

Now, we had updated the linux server's DNS servers last week along with the migration by editing /etc/resolv.conf. Running dig mailserver.domain.tld, host mailserver.domain.tld, or nslookup mailserver.domain.tld on the linux server all result in the correct IP address being returned. Where could sendmail be getting/caching the incorrect IP address and how can I resolve that issue?

I've got a Mac OS X 10.6.4 Snow Leopard Server file server (AFP) which has been running out of storage space on the boot volume for the past few weeks. It takes about two days for the remaining 42GB on the 80GB boot volume to be eaten up, even though a sudo du -chsx -I dev / still shows only 29GB used.

I've run into this in the past w/a Linux server who's Apache logs were deleted after N days, but the log was still kept open by Apache, causing the storage to not be freed. I had been able to track it down relatively easily in that case w/a sudo lsof, but I'm not easily finding the culprit in this case (being a file server, there are a ton of open files and sockets). How can I sort lsof output by file size (and show sized in a human friendly format) so I can find the culprit?

The server has 3GB of RAM. After being up 4hrs, Activity Monitor shows 700MB free, 1.5GB inactive, and 200GB of VM. mds has the largest VM usage at 1.8GB, AppleFileServer in 2nd place w/500MB, and everything else is using 10MB-75MB of VM. That said, /private/var/vm is only 128MB.

Rebooting the system clears the issue, hence my belief that it's free storage space that's still being held open by some process or processes.

Any other hypothesis, suggestions, etc., greatly appreciated.

I've got a five-drive RAID-5 set (with a sixth hot spare) in an Xserve RAID running the 1.5/1.50f firmware. One of the drives in the RAID-5 set has an amber/orange status light on and has been getting occasional errors like to following:

Timestamp:  11/10/10 10:34:53 AM
Priority:   Warning
Controller: Upper Controller
Type:   112
Event ID:   1000
Event:  Disk 5 Reported An Error. COMMAND:0x35 ERROR:0x10 STATUS:0x51 LBA:0x19B80
Description:    The drive reported an ATA error. This is a failure in the communication from the RAID Controller to the drive.

I have double checked the drives in RAID Admin and, as the drive is only in a warning state, the hot spare has not been pulled into the RAID set yet. As this is an old drive, I'd like to replace that particular drive first. I have a current, full backup of the data, but want to make sure I understand the process correctly.

I understand the "Installing or Replacing an Apple Drive Module" section of http://manuals.info.apple.com/en/XserveRAID_UserGuide.PDF, but it and RAID Admin's built-in help don't describe what will happen when replacing a drive in a RAID set that has a hot spare. When I pull out the drive and replace it, will it correctly use the newly inserted drive or will it use the hot spare? If it uses the hot spare, will the hot spare revert back to a hot spare once the new drive is inserted or will it permanently become a member of the RAID set and need to be moved to the original drive's slot? Or, should I just pull out the hot spare, pull out the failing drive, and pop the hot spare into the failing drive's slot?

I have have three locations with an OD Master in our primary location and OD Replicas in each off-site location. I've always bound clients to our OD Master because the Open Directory Admin documentation says:

"The LDAPv3 plug-in fully supports Open Directory replication and failover. If the Open Directory master becomes unavailable, the plug-in falls back to a nearby replica."

However, will the clients pick the nearest replica in general (for faster responses) or only in the event of a failure of the OD Master?

We recently had an employee bind some clients in the 3rd location to the local OD Replica. When that server went down (Snow Leopard Server), the local workstations (Snow Leopard) had auth issues, so does the plug-in it not look up the replica tree, but only down?

I think, back in the 10.3 or 10.4 days, one could bind a client to both the OD Master and the OD Replica and then set the preferred search order, but I have a vague recollection that clients (in 10.5 maybe) would complain if it was already bound to a server in the same replica tree. Am I remembering correctly or would that be the correct way to configure clients in our other locations?

The 2nd & 3rd locations are over point-to-point T1s and VPNs, so I'd really like to have our Open Directory setup correct and optimized.

I've got a Mac OS X 10.6 Snow Leopard Server Open Directory Master with a user who's getting Mobility & Application managed preferences from a group (the only group they're a member of). The workstation is also running Mac OS X 10.6 Snow Leopard, when the user logs in and tries to run our primary application which they're explicitly allowed to run (via the group's preferences), it says "You don't have permission to use the application 'Blah'".

Now, the application is added to the group's list of always allowed applications, unsigned (so a minor difference in application version or file contents shouldn't disallow it). It even lives in a subdirectory of /Applications which is in the list of folders to allow applications.

I've run into this when logging this user into new workstations and the following usually works:

1. Log them out
2. Remove the following files from their mobile home folder on the workstation: /Library/Managed\ Preferences/, ~/.FileSync, ~/Library/Preferences/com.apple.finder.plist, and ~/Library/Preferences/com.apple.MCX.plist.
3. Remove the following files from their network home folder on the server: ~/.FileSync, ~/Library/Preferences/com.apple.finder.plist, and ~/Library/Preferences/com.apple.MCX.plist.
4. Log them back in on the workstation.

However, this no longer resolves the issue.

Their Home Sync preferences are set (on the group) to sync ~, but not the following files (manually, at login, and at logout... no background sync here):

• ~/.SymAVQSFile
• ~/NAVMac800QSFile
• ~/Library
• ~/.FileSync
• ~/.account

Their Preferences Sync preferences are set (also on the group) to sync ~/Library & ~/Documents/Microsoft User Data, but not the following files (also manually, at login, and at logout... no background sync):

• ~/.SymAVQSFile
• ~/.Trash
• ~/.Trashes
• ~/Documents/Microsoft User Data/Entourage Temp
• ~/Library/Application Support/SyncServices
• ~/Library/Application Support/MobileSync
• ~/Library/Caches
• ~/Library/Calendars/Calendar Cache
• ~/Library/Logs
• ~/Library/Mail/AvailableFeeds
• ~/Library/Mail/Envelope Index
• ~/Library/Preferences/Macromedia/
• ~/Library/Printers
• ~/Library/PubSub/Database
• ~/Library/PubSub/Downloads
• ~/Library/PubSub/Feeds
• ~/Library/Safari/Icons.db
• ~/Library/Safari/HistoryIndex.sk
• ~/Library/iTunes/iPhone Software Updates
• IMAP-*
• Exchange-*
• EWS-*
• Mac-*
• ~/Library/Preferences/ByHost
• ~/Library/Preferences/com.apple.dock.plist
• ~/Library/Preferences/com.apple.sitebarlists.plist
• ~/Library/Application Support/4D
• ~/Library/Preferences/com.apple.MCX.plist
• ~/.FileSync
• ~/.account

Even with ~/Library/Preferences/com.apple.MCX.plist prevented from syncing during a Preferences Sync, it still seems to show up in the network home on the server frequently.

Are there any other files other than ~/Library/Preferences/com.apple.MCX.plist that contain application Managed Preferences that might be causing this one app to be showing up as not allowed? Any ideas on how ~/Library/Preferences/com.apple.MCX.plist keeps getting sync'd back up the network home folder on the server?

Update: I thought I had found a workaround this morning, but it also seemed to be extremely temporary. Basically, loking at /Library/Managed\ Preferences/[shortname]/com.apple.applicationaccess.new.plist I discovered that it didn't have an entry for the application in question, but /Library/Managed\ Preferences/[shortname]/complete.plist did. Naturally, I deleted com.apple.applicationaccess.new.plist, logged in again, and it worked... on one workstation. It failed on others, and after logging out & back in a couple more times it started failing on all of them again, even after further deletions of com.apple.applicationaccess.new.plist. Oddly, com.apple.applicationaccess.new.plist & complete.plist do both contain an entry for the application in question now, but it still says it's not allowed.

Further Update: Okay, so I now have a reproducible workaround which seems to be required after every reboot of the workstation:

1. Log in as the user (you'll discover you cannot launch the application in question).
2. Fast User Switch to the local admin account on the workstation (we always have one on every machine).
3. From that local admin account, run sudo mcxrefresh -n 'shortname' (logging out and back in as the user in question will not work).
4. Fast User Switch back to the user (you'll still not be allowed to run the application).
5. Log the user out and back in (you'll now be able to run the application in question.)
6. Fast User Switch back to the local admin account, log it out, and log back in as the user in question.

If you do all that exactly as described it'll keep working through log out & log back in, but NOT through a reboot. If, after a reboot, you try something like logging in as the local admin account, running sudo mcxrefresh -n 'shortname', logging out, then logging in as the user in question, it will NOT work.

Yet Another Update We don't have any computer groups in our Open Directory, so it shouldn't be getting any conflicting settings from there. I ran sudo mcxquery -format xml -user shortname -group groupname before & after performing the aforementioned process to allow the application in question to be run and the results were identical (saved the result to files & diff'd... I'm not just guessing here).

One Step Forward, Half a Step Back: When the Mac OS X 10.6.5 Server update was released, we upgraded our Open Directory Master to it as the changes included the following managed preferences fixes which I hoped might address this issue:

• Addresses an issue that could prevent managed preferences from being applied when a user logs in on a workstation that has been idle.
• Fixes an issue that could prevent administrators from bypassing client management settings on a workstation.

This seemed to improve the situation slightly. The application in question now usually launches without error. If, and when it does launch with the "You don't have permission to use the application" error, logging the user out and back in seems to correct it.

That said, we've since had to add a couple of applications to the user's ~/Applications/ directory and those are still prevented from launching. The workstations are running Mac OS X 10.6.4, the OD Master (which the workstations are bound to) is running Mac OS 10.6.5 Server (although there are two OD Replicas still running 10.6.4 Server), and we're using Workgroup Manager 10.6.3 (which is included with the Server Admin Tools 10.6.5 upgrade) to add the applications (unsigned, as always). This time, I've caught the following in /var/log/system.log when attempting to launch one of the allowed applications from ~/Applications:

Dec 22 17:36:24 hostname parentalcontrolsd[43221]: -[ActivityTracker checkApp:csFlags:] [954:username] -- *** Incoming app appears to be masquerading as white listed app and failed signature validation: /Users/username/Applications/FileMaker Pro 5.5/FileMaker Pro.app/Contents/MacOS/FileMaker Pro. Note: This may be a valid app of a different version than what was whitelisted (on a different volume?)
Dec 22 17:36:24 hostname [0x0-0xa42a42].com.filemaker.filemakerpro[43304]: launch of /Users/username/Applications/FileMaker Pro 5.5/FileMaker Pro.app/Contents/MacOS/FileMaker Pro was blocked
Dec 22 17:36:24 hostname com.apple.launchd.peruser.1340[6375] ([0x0-0xa42a42].com.filemaker.filemakerpro[43304]): Exited with exit code: 255
Dec 22 17:36:24 hostname parentalcontrolsd[43221]: -[ActivityTracker(Private) _removeAppFromWhiteList:] [1362:username] -- *** Couldn't find local user record

Running sudo mcxquery -format xml -user username -group groupname includes the following entry for FileMaker Pro 5.5 (and appears to include a full integration of the user's application whitelist & group's application whitelist):

<dict>
    <key>bundleID</key>
    <string>com.filemaker.filemakerpro</string>
    <key>displayName</key>
    <string>FileMaker Pro</string>
</dict>

Note the lack of <key>appID</key><data> ... </data> which seems to specify a signed application. While whitelisted directories also appear to be correctly listed in the results, they too do not actually allow the applications to be run either.

What is going on here?! Where else should I be looking?

We recently upgraded our Open Directory Master & Replica to Mac OS X 10.6.4 Snow Leopard Server. We had a mismatched server FQDN & LDAP Search Base/Kerberos Realm, so we exported all users & groups, created the new Open Directory Master w/matching FQDN & Search Base/Realm, reimported users & groups, and re-bound all servers & workstations to the new OD Master.

At the same time as all of this, we upgraded our iCal/CalDAV server to Mac OS X 10.6.4 Snow Leopard Server. Ever since doing so, we've seen the following issues with our iCal/CalDAV server and iCal clients on both Mac OS X 10.5 Leopard & Mac OS X 10.6:

• If a user attempts to move or delete an event (single or repeating) that was created prior to the upgrade to 10.6 Server, they get the following error:

  Access to "blah" in "blah" in account "blah" is not permitted.

  The server responded: "HTTP/1.1 403 Forbidden" to operation CalDAVWriteEntityQueueableOperation.

• New users added to the directory get the following error when attempting to add their account to in iCal's preferences:

  The user "blah" has no configured pricipals.

  Confirm with your network administrator that your account has at least one CalDAV principal configured.

Interestingly, we've since discovered that users seem to be able to delete individual events from an old repeating event without error, but that's a massive amount of work to get rid of a repeating event.

I will note that we have not yet added an SRV record in DNS as instructed on page 19 of iCal_Server_Admin_v10.6.pdf.

Further Investigation:

In this particular case, a user is attempting to decline repeating events created prior to the upgrade to Snow Leopard Server. Granting the user full write access with sudo calendarserver_manage_principals --add-write-proxy users:user1 users:user2 (which did work) doesn't allow deletion of the events. Still get the usual error:

Access to "blah blah" in "blah blah" in account "blah blah" is not permitted.

The server responded:
"HTTP/1.1 403 Forbidden"
to operation CalDAVWriteEntityQueueableOperation.

The error that shows up in /var/log/caldavd/error.log on the iCal Server when attempting to delete one of the events is:

2011-03-17 15:14:30-0400 [-] [caldav-8009] [PooledMemCacheProtocol,client] [twistedcaldav.extensions#info] PUT /calendars/__uids__/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/calendar/XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.ics HTTP/1.1 2011-03-17 15:14:30-0400 [-] [caldav-8009] [PooledMemCacheProtocol,client] [twistedcaldav.scheduling.implicit#error] Cannot change ORGANIZER: UID:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

And the error in /var/log/system.log on the client is:

Mar 17 15:14:30 192-168-21-169-dhcp iCal[33509]: CalDAV CalDAVWriteEntityQueueableOperation failed: status 'HTTP/1.1 403 Forbidden' request:\n\nBEGIN:VCALENDAR^M\nVERSION:2.0^M\nPRODID:-//Apple Inc.//iCal 3.0//EN^M\nCALSCALE:GREGORIAN^M\nBEGIN:VTIMEZONE^M\nTZID:US/Eastern^M\nBEGIN:DAYLIGHT^M\nTZOFFSETFROM:-0500^M\nTZOFFSETTO:-0400^M\nDTSTART:20070311T020000^M\nRRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=2SU^M\nTZNAME:EDT^M\nEND:DAYLIGHT^M\nBEGIN:STANDARD^M\nTZOFFSETFROM:-0400^M\nTZOFFSETTO:-0500^M\nDTSTART:20071104T020000^M\nRRULE:FREQ=YEARLY;BYMONTH=11;BYDAY=1SU^M\nTZNAME:EST^M\nEND:STANDARD^M\nEND:VTIMEZONE^M\nBEGIN:VEVENT^M\nSEQUENCE:5^M\nDTSTART;TZID=US/Eastern:20090117T094500^M\nDTSTAMP:20081227T143043Z^M\nSUMMARY:blah blah^M\nATTENDEE;CN="First Last";CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT:urn:uuid^M\n :XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX^M\nATTENDEE;CN="First Last";CUTYPE=INDIVIDUAL;PARTSTAT=ACCEPTED:mailto:user@d^M\n omain.tld^M\nEXDATE;TZID=US/Eastern:20110319T094500^M\nDTEND;TZID=US/Eastern:20090117T183000^M\nRRULE:FREQ=WEEKLY;INTERVAL=1^M\nTRANSP:OPAQUE^M\nUID:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX^M\nORGANIZER;CN="First Last":mailto:[email protected]^M\nX-WR-ITIPSTATUSML:UNCLEAN^M\nCREATED:20110317T191348Z^M\nEND:VEVENT^M\nEND:VCALENDAR^M\n\n\n... response:\nHTTP/1.1 403 Forbidden^M\nDate: Thu, 17 Mar 2011 19:14:30 GMT^M\nDav: 1, access-control, calendar-access, calendar-schedule, calendar-auto-schedule, calendar-availability, inbox-availability, calendar-proxy, calendarserver-private-events, calendarserver-private-comments, calendarserver-principal-property-search^M\nContent-Type: text/xml^M\nContent-Length: 134^M\nServer: Twisted/8.2.0 TwistedWeb/8.2.0 TwistedCalDAV/2.5 (iCal Server v12.56.21)^M\n^M\n<?xml version='1.0' encoding='UTF-8'?><error xmlns='DAV:'>^M\n  <valid-attendee-change xmlns='urn:ietf:params:xml:ns:caldav'/>^M\n</error>

One thing I have noticed, and I'm not sure if this has any real effect is that in many of these pre-Snow Leopard Server migration events, the ORGANIZER is specified like the following:

ORGANIZER;CN=First Last:mailto:[email protected]

But newer ones are more like one of the two following:

ORGANIZER;CN=First Last;[email protected];SCHEDULE-STATUS=1

ORGANIZER;CN=First Last;[email protected]:urn:uuid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

iCal_Server_Admin_v10.6.pdf notes that the ".db.sqlite" files are completely disposable, they're merely a performance cache and are re-built on the fly, so are safe to delete. I did delete the one for the organizer's calendars and it took longer to process the attempted event delete while it rebuilt the database, but still errored out in the end.

FWIW the error is thrown by this code:

https://trac.calendarserver.org/browser/CalendarServer/trunk/twistedcaldav/scheduling/implicit.py

Any further suggestions? I see lots of questions about this in my Google searches, but not solutions and this is a widespread problem on our iCal Server. Now, we mostly try to get users to ignore them (hence the amount of time this question has been open), but every now and then I dig in deeper trying to find the culprit and/or solution.

I've got a Mac Pro running Mac OS X 10.6.4 Snow Leopard Server and it's recently started getting numerous 'kNetworkError's in Server Admin.app when viewing services. It's acting as a gateway w/NAT and has been so for quite some time.

There is one glaring issue, bootpd crashes all the time with the following errors in `/var/log/system.log/:

Aug 12 16:54:59 servername bootpd[3572]: server starting
Aug 12 16:54:59 servername bootpd[3572]: server name servername.domain.tld
Aug 12 16:54:59 servername bootpd[3572]: interface en0: ip 10.0.1.9 mask 255.255.255.0
Aug 12 16:54:59 servername bootpd[3572]: bsdpd: re-reading configuration
Aug 12 16:54:59 servername bootpd[3572]: bsdpd: shadow file size will be set to 48 megabytes
Aug 12 16:54:59 servername bootpd[3572]: bsdpd: age time 00:15:00
Aug 12 16:54:59 servername bootpd[3572]: [3572] detected buffer overflow
Aug 12 16:54:59 servername com.apple.launchd[1] (com.apple.bootpd[3572]): Job appears to have crashed: Abort trap
Aug 12 16:54:59 servername com.apple.ReportCrash.Root[3571]: 2010-08-12 16:54:59.828 ReportCrash[3571:2807] Saved crash report for bootpd[3572] version ??? (???) to /Library/Logs/DiagnosticReports/bootpd_2010-08-12-165459_localhost.crash

It is correctly configured to serve DHCP through en1 (not en0), the "LAN" port. This happens even with no hardware (even switches) connected to the "LAN" port. There are no DHCP clients listed. Oddly, the "Overview" shows 1 static map, but nothing is listed under "Static Maps" and there are no "Computers" in Open Directory. /var/db/dhcp_leases is empty.

/Library/Logs/DiagnosticReports/bootpd_2010-08-12-165459_localhost.crash is as follows:

Process:         bootpd [3572]
Path:            /usr/libexec/bootpd
Identifier:      bootpd
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  launchd [1]

Date/Time:       2010-08-12 16:54:59.713 -0400
OS Version:      Mac OS X Server 10.6.4 (10F569)
Report Version:  6

Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Application Specific Information:
__abort() called

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libSystem.B.dylib                   0x00007fff803c13d6 __kill + 10
1   libSystem.B.dylib                   0x00007fff80461913 __abort + 103
2   libSystem.B.dylib                   0x00007fff80456157 mach_msg_receive + 0
3   libSystem.B.dylib                   0x00007fff803b92cf __strncpy_chk + 14
4   bootpd                              0x0000000100014e5d PLCache_read + 782
5   bootpd                              0x0000000100004a3d BSDPClients_init + 68
6   bootpd                              0x00000001000053b5 bsdp_init + 2396
7   bootpd                              0x000000010000200b S_update_services + 1228
8   bootpd                              0x0000000100002344 S_server_loop + 571
9   bootpd                              0x0000000100003963 main + 1766
10  bootpd                              0x0000000100000984 start + 52

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x00007fff5fbfe220  rcx: 0x00007fff5fbfe218  rdx: 0x0000000000000000
  rdi: 0x0000000000000df4  rsi: 0x0000000000000006  rbp: 0x00007fff5fbfe240  rsp: 0x00007fff5fbfe218
   r8: 0x0000000000000001   r9: 0x0000000100114280  r10: 0x00007fff803bd412  r11: 0xffffff80002e1680
  r12: 0xffffffffffffffff  r13: 0x00007fff5fbfe330  r14: 0x00007fff5fbfe33b  r15: 0x00007fff7009bec0
  rip: 0x00007fff803c13d6  rfl: 0x0000000000000202  cr2: 0x000000010004c000

Any thoughts or suggestions as to resolving this?

Years ago I put together the following expect script to perform Open Directory backups under Tiger Server and it's worked well under Leopard Server as well:

#!/usr/bin/expect -f

set date [timestamp -format "%Y-%m-%d"]
set archive_path "path/to/you/backup/dir"
set archive_password "password"
set archive_name "opendirectory_backup"

spawn /usr/sbin/slapconfig -backupdb $archive_path/$archive_name-$date
expect "Enter archive password"
send "$archive_password\r"
expect eof

It's one of the few scripts that still lives in root's crontab as opposed to having a launchd plist. It's rwx by root only for obvious security reasons.

Now, the problem is I upgraded my Open Directory Master to Mac OS X 10.6.4 Snow Leopard Server a couple weeks ago and it hasn't worked since... when run by cron. If I log in as the root user and run it manually it works correctly and creates the resulting encrypted disk image. When run by cron, it goes through the full motions (incl. output in /Library/Logs/slapconfig.log that matches that of when it's run manually), but the disk image file is never created. However, in `/var/log/system.log/ I see the following output:

Jul 23 03:00:08 servername hdiejectd[93114]: running
Jul 23 03:00:11 servername diskimages-helper[93111]: -frameworkCallbackWithDictionary: threw exception calling home.
Jul 23 03:00:11 servername diskimages-helper[93111]: threw exception reporting results back to framework.
Jul 23 03:00:21 servername hdiejectd[93114]: quitCheck: calling exit(0)

When run manually, that output is as follows (no diskimages-helper exceptions):

Jul 23 14:29:27 servername hdiejectd[7776]: running
Jul 23 14:29:40 servername hdiejectd[7776]: quitCheck: calling exit(0)

In both cases there is no user logged in via the GUI. I have a couple friends who're running the same script on their OD Masters and it also no longer runs via cron since upgrading to Snow Leopard Server.

I recall some issues with Mac OS X's command line disk image tools that required keychain access, but I don't recall the specifics. Did something related to that get more strict in Snow Leopard Server?

Any ideas or suggestions?

I'm migrating some infrastructure from multiple servers hosting specific sites to a load-balancing architecture using HAProxy 1.3.15.7 on OpenBSD 4.6 macppc. Naturally, I'm starting with configuring content switching for the current setup (specific sites on specific servers) and my /etc/haproxy/haproxy.cfg is as follows:

global
    log 127.0.0.1   local0
    log 127.0.0.1   local1 notice
    #log loghost    local0 info
    maxconn 1024
    chroot /var/haproxy
    uid 604
    gid 604
    daemon
    #debug
    #quiet
    pidfile /var/run/haproxy.pid

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    option  redispatch
    retries 3
    maxconn 2000
    contimeout      5000
    clitimeout      50000
    srvtimeout      50000
    stats enable
    stats auth user:pass

frontend http_proxy *:80
    # check to see which domain the reguest is for
    acl host_tld.domain.sub1 hdr_end(host) sub1.domain.tld
    acl host_tld.domain.sub2 hdr_end(host) sub2.domain.tld
    # send to the correct server
    use_backend server2 if host_tld.domain.sub1 or host_tld.domain.sub2
    default_backend server1

backend server1
    server httpd_server1 192.168.1.3:80

backend server2
    server httpd_server2 192.168.1.4:80

The goal is for all domains to be served by server1 except for domains sub1.domain.tld & sub2.domain.tld which should be dished out by server2 instead. However, when I try to start HAProxy, I get the following errors:

parsing /etc/haproxy/haproxy.cfg : backend 'server2' has no dispatch address and is not in transparent or balance mode.
parsing /etc/haproxy/haproxy.cfg : backend 'server1' has no dispatch address and is not in transparent or balance mode.
Errors found in configuration file, aborting.
Error reading configuration file : /etc/haproxy/haproxy.cfg

I've looked at the examples listed in the HAProxy 1.3 documentation and http://upstre.am/2008/01/09/using-haproxy-with-multiple-backends-aka-content-switching/, but don't see where I've gone wrong. None of the examples seem to require either option transparent nor a balance mode. Also, the documentation for the dispatch option is curiously omitted from the 1.3 documentation, but I doubt it would be helpful in my troubleshooting anyway.

Where have I gone wrong?

I've got a site that was hosted on a linux el cheapo hosting service that I'm migrating to my Mac OS X 10.5 Leopard Server server running Apache 2.2.8 & PHP 5.2.5 w/rewrite_module enabled and AllowOverride All, but I'm running into an issue with the following lines in the .htaccess file:

RewriteEngine On
#RewriteRule ^view/([^/\.]+)/?$ /view.php?item=$1 [L]
#RewriteRule ^order/([^/\.]+)/?$ /order.php?item=$1 [L]
RewriteRule ^category/([^/\.]+)/?$ /category.php?category=$1 [L]

As you can see, I've commented out the RewriteRule directives for /view/ and /order/, so I'm only dealing with /category/. When I attempt to load http://domain.tld/category/2/ it runs category.php (I've added debug code to confirm), but $_SERVER['REQUEST_URI'] comes through as /category/2/ and $_GET['category'] comes through as empty.

I'm usually fine with troubleshooting .htaccess files and mod_rewrite directives, but this one's got me stumped for some reason.

Update: I followed Josh's suggestion and here's the what's dumped to mod_rewrite.log when I try to access http://domain.tld/category/2/:

65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b5ea98/initial] (2) init rewrite engine with requested uri /category/13
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b5ea98/initial] (3) applying pattern '.*' to uri '/category/13'
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b5ea98/initial] (1) pass through /category/13
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b6aa98/subreq] (3) [perdir /Library/WebServer/Documents/tld.domain.www/] add path info postfix: /Library/WebServer/Documents/tld.domain.www/category.php -> /Library/WebServer/Documents/tld.domain.www/category.php/13
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b6aa98/subreq] (3) [perdir /Library/WebServer/Documents/tld.domain.www/] strip per-dir prefix: /Library/WebServer/Documents/tld.domain.www/category.php/13 -> category.php/13
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b6aa98/subreq] (3) [perdir /Library/WebServer/Documents/tld.domain.www/] applying pattern '^category/([^/\.]+)/?$' to uri 'category.php/13'
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b6aa98/subreq] (1) [perdir /Library/WebServer/Documents/tld.domain.www/] pass through /Library/WebServer/Documents/tld.domain.www/category.php
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b5ea98/initial] (3) [perdir /Library/WebServer/Documents/tld.domain.www/] add path info postfix: /Library/WebServer/Documents/tld.domain.www/category.php -> /Library/WebServer/Documents/tld.domain.www/category.php/13
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b5ea98/initial] (3) [perdir /Library/WebServer/Documents/tld.domain.www/] strip per-dir prefix: /Library/WebServer/Documents/tld.domain.www/category.php/13 -> category.php/13
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b5ea98/initial] (3) [perdir /Library/WebServer/Documents/tld.domain.www/] applying pattern '^category/([^/\.]+)/?$' to uri 'category.php/13'
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b5ea98/initial] (1) [perdir /Library/WebServer/Documents/tld.domain.www/] pass through /Library/WebServer/Documents/tld.domain.www/category.php
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b6ea98/subreq] (2) init rewrite engine with requested uri /13
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b6ea98/subreq] (3) applying pattern '.*' to uri '/13'
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b6ea98/subreq] (1) pass through /13
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b6ea98/subreq] (3) [perdir /Library/WebServer/Documents/tld.domain.www/] strip per-dir prefix: /Library/WebServer/Documents/tld.domain.www/13 -> 13
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b6ea98/subreq] (3) [perdir /Library/WebServer/Documents/tld.domain.www/] applying pattern '^category/([^/\.]+)/?$' to uri '13'
65.19.81.253 - - [22/Oct/2009:17:31:53 --0400] [domain.tld/sid#100aae0b0][rid#100b6ea98/subreq] (1) [perdir /Library/WebServer/Documents/tld.domain.www/] pass through /Library/WebServer/Documents/tld.domain.www/13

I'm trying to set up SSH host keys from our Mac OS X 10.5 Leopard Server-based central backup server to our two Linux servers running Fedora 10 and CentOS 5.2. The process we usually take works and puts the key in ~/.ssh/authorized_keys, but it still prompts for the password.

I'm not the regular admin of these boxes and I understand the default is probably to have SSH host keys disabled. How do enable SSH host keys?

Update: I had already uncommented 'PubkeyAuthentication yes' in /etc/ssh/ssd_config and ran service restart sshd, but that didn't work. Uncommented all three lines ('RSAAuthentication', 'PubkeyAuthentication', and 'AuthorizedKeysFile'), corrected permissions on ~/.ssh and tried again. Still no love.

When I run ssh -v user@host I get the following before it prompts for a password and after some GSS errors:

debug1: Next authentication method: publickey
debug1: Trying private key: /Users/shortname/.ssh/identity
debug1: Trying private key: /Users/shortname/.ssh/id_rsa
debug1: Trying private key: /Users/shortname/.ssh/id_dsa
debug1: Next authentication method: password

Further suggestions?

Another Update: Permissions on ~/ and ~/.ssh/ are 700.

The command I've been running to create the host key is as follows:

cat /blah/ssh_keys_for_shortname/id_dsa.pub | ssh -l shortname -o stricthostkeychecking=no -i /blah/ssh_keys_for_shortname/id_dsa host.domain.tld 'cat - >> ~/.ssh/authorized_keys'

And when attempting to connect I use:

ssh --verbose -l shortname -o stricthostkeychecking=no -i /blah/ssh_keys_for_shortname/id_dsa host.domain.tld

So, obviously we're using DSA keys. I've tried renaming ~/.ssh/authorized_keys2, but that doesn't help.

I'd love to store the keys in their default locations instead of /blah/ssh_keys_for_shortname/, but it's out of my control.

When I watch /var/log/audit/audit.log and try to connect, I get the following:

type=CRED_DISP msg=audit(1249426114.642:128): user pid=10589 uid=0 auid=501 ses=14 msg='op=PAM:setcred acct="shortname" exe="/usr/sbin/sshd" (hostname=host.domain.tld, addr=192.168.1.149, terminal=ssh res=success)'
type=USER_END msg=audit(1249426114.647:129): user pid=10589 uid=0 auid=501 ses=14 msg='op=PAM:session_close acct="shortname" exe="/usr/sbin/sshd" (hostname=host.domain.tld, addr=192.168.1.149, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1249426129.524:130): user pid=10633 uid=0 auid=4294967295 ses=4294967295 msg='acct="shortname": exe="/usr/sbin/sshd" (hostname=?, addr=192.168.1.149, terminal=sshd res=failed)'

Suggestions?