Technology
From the Trenches

Archive for the 'System Administration' Category

Kerberos Problem: Wrong principal in request

Wednesday, August 31st, 2011

I recently set up a Mac OS X 10.6 Server, and to my surprise, out of the blue, encountered my old friend the Workgroup Manager lockout problem. Only, it wasn’t the same problem. The notable error message was in /var/log/slapd.log:

Aug 28 17:10:01 newserver slapd[54]: SASL [conn=177] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request (found ldap/oldserver.netmojo.ca@NEWSERVER.NETMOJO.CA, wanted ldap/newserver.netmojo.ca@NEWSERVER.NETMOJO.CA))

The problem stemmed from an earlier (misguided) attempt to set up this new 10.6 Server (“newserver”) as an OD replica of a 10.5 Server (“oldserver”). It turns out that when you select “Setup an open directory replica” in Server Admin, it alters this file:

/etc/openldap/rootDSE.ldif:

dn:
dnsHostName: oldserver.netmojo.ca
krbName: ldap/oldserver.netmojo.ca@OLDSERVER.NETMOJO.CA

This file is used by OpenLDAP to determine which server the current server is a replica of. When I changed the Open Directory role back to Master, Server Admin failed to update the rootDSE file to reflect the fact that it is no longer a replica (actually, it never quite was). Replacing “oldserver” with “newserver” — adding the proper local server name and Kerberos realm to this file — and then rebooting the server fixed the problem.
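A check for the mismatch the slapd error describes, added here as an example and not part of the original post: it reads the dnsHostName and krbName attributes from a rootDSE.ldif and compares them with the server's own FQDN and realm. The sample files are constructed from the post's values, and the helper names (ldif_attr, check_rootdse) are mine.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that rootDSE.ldif
# names this server and its own Kerberos realm, so slapd's GSSAPI binds
# are not made with a stale ldap/<host>@<REALM> principal.

# ldif_attr ATTR FILE: print the value of the first ATTR: line in FILE.
ldif_attr() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# check_rootdse FILE FQDN REALM
# Prints "ok" when dnsHostName and krbName match the expected values;
# otherwise prints each mismatch and returns 1.
check_rootdse() {
    file=$1; fqdn=$2; realm=$3
    expected_krb="ldap/$fqdn@$realm"
    host=$(ldif_attr dnsHostName "$file")
    krb=$(ldif_attr krbName "$file")
    rc=0
    if [ "$host" != "$fqdn" ]; then
        echo "dnsHostName: found '$host', wanted '$fqdn'"
        rc=1
    fi
    if [ "$krb" != "$expected_krb" ]; then
        echo "krbName: found '$krb', wanted '$expected_krb'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Constructed sample: the stale file left behind by the replica attempt.
STALE=$(mktemp)
printf 'dn:\ndnsHostName: oldserver.netmojo.ca\nkrbName: ldap/oldserver.netmojo.ca@OLDSERVER.NETMOJO.CA\n' > "$STALE"

# Constructed sample: the corrected file.
FIXED=$(mktemp)
printf 'dn:\ndnsHostName: newserver.netmojo.ca\nkrbName: ldap/newserver.netmojo.ca@NEWSERVER.NETMOJO.CA\n' > "$FIXED"
trap 'rm -f "$STALE" "$FIXED"' EXIT

# On a real server you would pass /etc/openldap/rootDSE.ldif and the
# output of `hostname -f` instead of the constructed files.
check_rootdse "$STALE" newserver.netmojo.ca NEWSERVER.NETMOJO.CA || echo "rootDSE.ldif needs correcting"
check_rootdse "$FIXED" newserver.netmojo.ca NEWSERVER.NETMOJO.CA
```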


Signed SSL Certificates in OS X Server 10.5

Saturday, December 4th, 2010

Using signed SSL certificates in Mac OS X Server 10.5 is a bit of a black art. In this article I describe how it’s done. Some services, such as the web service, work fine with signed certificates by default. However, the iChat (jabber), iCal (caldav), Mail (postfix/cyrus), and possibly other services do not work properly without some additional work on the command line (“Terminal”).

The problem in OS X Server 10.5 is that the System Admin app fails to provide decrypted private keys, and points some services to a certificate that doesn’t work for that service. The result is that those services will fail to allow connections over SSL.

I will describe how to fix the Mail, iChat and iCal services. The solution is basically the same for them all: decrypt the private key and replace the encrypted version in the combined certificate-key file, then update the service’s settings to use the proper certificate.



Apple Xserve Discontinued. Where Do We Go From Here?

Saturday, November 6th, 2010

Notice: please petition Apple to support enterprise computing at http://www.savethexserve.com

I sat down at my computer yesterday morning with a hot cup of coffee, looking forward to the day’s work. Part of that work was to order a new Xserve for a video streaming project that I’m working on. You can imagine my surprise to discover Apple’s announcement:

Apple is transitioning away from Xserve. Xserve will be available for order through January 31, 2011… Apple offers two server solutions as an alternative to Xserve. Combine Mac OS X Server with a Mac Pro or Mac mini system…

As I read the 10-page document, and scoured the ‘net for the rest of the morning, desperately seeking more information about the development, my coffee went cold.



Speeding up Slow SSH Between Solaris & Mac OS X

Thursday, February 18th, 2010

For the past few years I’ve suffered this seemingly random problem when connecting to a Solaris or Mac OS X server via SSH: the connection would take forever to negotiate. It would connect, exchange keys, but then pause for up to a minute, plus or minus eternity, before proceeding with authentication. I finally took some time to figure out how to make it go away. Here’s what I did.

