
Dealing with Mac OS X and NetInfo Problems?

Cliff posted more than 10 years ago | from the losing-the-keys-to-your-iBook dept.

Networking (Apple) 89

newkid would like some assistance getting to the core of this issue: "Apple likes to refer to its server software as an industrial-strength server based on Apple's modern OS. However, there are serious flaws in the authentication system (netinfo): I am locked out of four of my remote servers (even root has been disabled, and that is unacceptable), and the instability is well documented here, here and here. I have successfully reinstalled one server and replaced another one with FreeBSD, but I have not decided what to do in the long run. What is your experience? Should I completely forget OS X for my servers and switch to something else? Or should I move to Panther (it uses LDAP instead of NetInfo to control user accounts)? I would like to know about your experience with OS X Server and if you have made the switch to something else." What experiences have you had with NetInfo on your Mac OS X boxes, and do you have any other hints and tips on recovering the NetInfo database in the event that it does develop amnesia?


Apple Servers hahahaha (-1, Flamebait)

duffbeer703 (177751) | more than 10 years ago | (#7465489)

Apple makes good PCs and uber-Walkmen, but they aptly demonstrate that they are not a serious server vendor.

If you want funky looking hardware, buy Sun. Otherwise Linux or BSD on commidity equipment is the way to go.

Re:Apple Servers hahahaha (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7465552)

It's "commodity" you moron.

Re:Apple Servers hahahaha (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7469641)

Wow, he was modded as "Flamebait" what a surprise.

Oh well, I guess since he didn't get modded "Troll" that means he was telling the truth you in denial fucks, and you got all flustered and offended and thus modded flamebait in an attempt to help you forget again.

Time to wake up mac fags, your shit "religion" isn't for servers and never will be.

Goob! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7465535)

Lollerskates First post motherbitches! BRUSH YOUR FUCKING HAIR!

Root access disabled by default is a flaw? (5, Insightful)

tiktokfx (699424) | more than 10 years ago | (#7465558)

I don't consider it flawed that root is locked down for anyone who doesn't have direct, real-life access to the machine.

Furthermore (1)

tiktokfx (699424) | more than 10 years ago | (#7465622)

if you're implying that it's unacceptable that root is disabled while all others are as well; A) why would you want root to be enabled whether or not NetInfo is functioning? That would necessitate code in authentication unique to root, and would provide a needlessly vulnerable security hole in the operating system. B) servers should not have root accounts enabled remotely in the first place.

Nonsense! (1, Funny)

Anonymous Coward | more than 10 years ago | (#7465992)

Everyone I know uses the following...

login: root
password: password

Why this is good:

1) You never have to ask someone what is the root password...

This avoids having to explain what you did to the server in the first place that requires a root account to fix.

2) Hackers will never guess it...

Come on, everyone knows the password as a password as a joke, no one is seriously going to think it's going to be an actual root password somewhere.

Re:Nonsense! (0)

Anonymous Coward | more than 10 years ago | (#7466149)

Of course if "password" is too long, try "sex". hehe, he said "try sex"....

Re:Root access disabled by default is a flaw? (1)

newkid (535229) | more than 10 years ago | (#7470740)

Well, you can not even log on locally. The corruption of netinfo did remove all possible access to the four computers. Don't you think that this is a flaw? I have never seen this on Linux and BSD. If root is enabled, it always works.

Re:Root access disabled by default is a flaw? (1)

SlamMan (221834) | more than 10 years ago | (#7476022)

Single user mode, my good man.

don't use netinfo (4, Insightful)

Anonymous Coward | more than 10 years ago | (#7465628)

wow, complaining about netinfo??? let me tell you my woes with farallon phonenet...

Seriously, netinfo is OBSOLETE the only reason apple held on to it so long is because they were working on bigger, more user-visible things.

Go with LDAP. Ditch Netinfo.

and log in as root when you're at the machine, NOT remotely.

Re:don't use netinfo (1)

Mattbot23 (697986) | more than 10 years ago | (#7471083)

Ditching NetInfo entirely isn't a choice as local accounts in Mac OS X are controlled by NetInfo. I've encountered the same problems with the local.nidb as the original poster but the network.nidb has been extremely reliable for us. While network accounts on Mac OS X.2 Server can be managed via LDAP, the database that supplies the information to LDAP is still the NetInfo database. (I think there may be a Macintosh-based 3rd party solution besides using a non-mac LDAP server but you lose all Apple's shiny admin tools.) Also the translation of data from the NetInfo database to the LDAP protocol has some overhead and slows down network logins a bit. (Panther server is supposed to address this but I haven't had a chance to play with it yet.) Cloning directory servers is also a bit easier with NetInfo.

Aside from a few glitches, I've found NetInfo to be a non-issue.

Re:don't use netinfo (1)

tyrione (134248) | more than 10 years ago | (#7475757)

Incorrect statements.

LDAP by design does not serve the same criteria that NetInfo serves.

The error is in Network Design, not NetInfo.

Netinfo has been maturing over 14 years. One of the consistent flaws people labeled on NetInfo was they wanted NetInfo to provide functionality that it did not provide; hence it's an issue with design and one needs to determine what they are attempting to do is best served by Netinfo or by another Networking Service.

Most issues regardless of it being LDAP or Netinfo or take your pick service are due to Network Design flaws first and actual functionality bugs in the software second.

Re:don't use netinfo (1)

Mattbot23 (697986) | more than 10 years ago | (#7476988)

LDAP on Mac OS X 10.2 does use the NetInfo database. Additional schema gets added to LDAP to accommodate the NetInfo data. Open NetInfo Manager on the client side and go to the parent and lo! still NetInfo. LDAP is just the messenger. I'm not sure about Panther but I believe it does this as well. LDAP isn't married to one database, it could use MySQL for instance.

% sudo cat /etc/openldap/slapd.conf

##
# slapd.conf file for NetInfo bridge
##

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/apple.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
allows bind_v2
schemacheck off

database netinfo
suffix ""
flags DSENGINE_FLAGS_NATIVE_AUTHORIZATION DSSTORE_FLAGS_ACCESS_READWRITE
datasource /var/db/netinfo/network.nidb
include /etc/openldap/schema/netinfo.schema
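
What the slapd.conf quoted in the comment above shows, as an added example that is not part of the original comment: a small Python parser for the slapd.conf directive format that reports which backend and data source each database section uses and lists the settings an administrator would review. The function names are made up for this illustration, and the reading of DSSTORE_FLAGS_ACCESS_READWRITE as read-write access is inferred from the flag's name.

```python
import shlex

# The slapd.conf quoted in the comment above, copied verbatim.
SLAPD_CONF = '''\
##
# slapd.conf file for NetInfo bridge
##

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/apple.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
allows bind_v2
schemacheck off

database netinfo
suffix ""
flags DSENGINE_FLAGS_NATIVE_AUTHORIZATION DSSTORE_FLAGS_ACCESS_READWRITE
datasource /var/db/netinfo/network.nidb
include /etc/openldap/schema/netinfo.schema
'''


def logical_lines(text):
    """Yield each directive as a list of tokens.

    slapd.conf rules: blank lines and lines starting with '#' are ignored,
    a line starting with whitespace continues the previous directive, and
    double quotes group an argument (so `suffix ""` has one empty argument).
    """
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield shlex.split(current)
        current = raw.strip()
    if current is not None:
        yield shlex.split(current)


def parse_slapd_conf(text):
    """Split the file into global directives and per-database sections."""
    conf = {"global": [], "databases": []}
    section = conf["global"]
    for tokens in logical_lines(text):
        name, args = tokens[0].lower(), tokens[1:]
        if name == "database":
            # Every directive after `database <type>` belongs to that section.
            db = {"backend": args[0] if args else None, "directives": []}
            conf["databases"].append(db)
            section = db["directives"]
        else:
            section.append((name, args))
    return conf


def backends(conf):
    """Return (backend, suffix, datasource) for every database section."""
    result = []
    for db in conf["databases"]:
        last = {name: args for name, args in db["directives"]}
        suffix = last.get("suffix", [None])[0]
        datasource = last.get("datasource", [None])[0]
        result.append((db["backend"], suffix, datasource))
    return result


def review(conf):
    """List settings worth a second look when auditing this bridge."""
    findings = []
    for name, args in conf["global"]:
        if name in ("allow", "allows") and "bind_v2" in args:
            findings.append("LDAPv2 bind requests are accepted (bind_v2)")
        if name == "schemacheck" and args[:1] == ["off"]:
            findings.append("schema checking is disabled (schemacheck off)")
    for db in conf["databases"]:
        for name, args in db["directives"]:
            # Assumption: the flag's meaning is taken from its name only.
            if name == "flags" and any(a.endswith("ACCESS_READWRITE") for a in args):
                findings.append(
                    "%s database flags include read-write access" % db["backend"]
                )
    return findings


if __name__ == "__main__":
    conf = parse_slapd_conf(SLAPD_CONF)
    for backend, suffix, datasource in backends(conf):
        print("backend=%s suffix=%r datasource=%s" % (backend, suffix, datasource))
    for finding in review(conf):
        print("review:", finding)
```

Run against the quoted file, it reports a single database section whose backend is netinfo and whose data source is /var/db/netinfo/network.nidb, which is the comment's point that slapd here only fronts the NetInfo store.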

Q: Should my OS be up to date? (4, Funny)

mithras the prophet (579978) | more than 10 years ago | (#7465630)

A: Yes.

One of the best features about the Netinfo system (3, Insightful)

gsdali (707124) | more than 10 years ago | (#7465637)

is that the Root account is disabled by default and you are encouraged to keep it that way. I can't shed much light on your problem except to say that Panther moving to LDAP is a good thing from the point of view of admin, maybe that is the way to go.

Re:One of the best features about the Netinfo syst (2, Informative)

sld126 (667783) | more than 10 years ago | (#7466196)

Root is disabled by default on Client. It is enabled by default on Server, which is the version he was asking about.

RTFP?

flame on. (4, Informative)

seann (307009) | more than 10 years ago | (#7465664)

evil weblog [webweavertech.com]
"DirectoryService: NetInfo connection failed for server 127.0.0.1/local."

"The solution was to restore the Netinfo database."

NO. the solution is to turn off "Net Info" in the Directory Access program located within /Applications/Utilities folder.
If you are trying to authenticate to a non-existing netinfo daemon in your domain, you're going to get problems.

Turning off that option relieves the problems hinted at in this link. Please sirs, try this instead of blowing away your net info database. When I first got my powerbook 12" I had this same problem. I realized later on that I clicked "Net Info" in the Directory Access program, and it was trying to auth to a nonexistent server.

Re:flame on. (1)

self assembled struc (62483) | more than 10 years ago | (#7467103)

well actually, no.

by default os x stores its machine specific information in a netinfo database. this is the way that NeXTSTEP did it.

But you can set the mode your OS X machine uses for its information stores. Directory Access tells the machine where to look for the information, ie in BSD Flatfiles or other locations.

What's happening here is that his NetInfo database is getting hosed (since your os x machine runs this by default. hence the 127.0.0.1/local address for it)

Re:flame on. (4, Informative)

trouser (149900) | more than 10 years ago | (#7470128)

OSX does use Netinfo by default for local login but the previous poster is quite correct in saying the Netinfo should not be selected in the Directory Access utility. This checkbox is for enabling authentication using a remote Netinfo server and can cause authentication problems including fantastically long timeouts with no on-screen error message when logging in.

I use LDAP authentication through OpenLDAP on a Linux box with local Netinfo as a fall back for a local admin account. It's been pretty flakey with previous versions of OSX, mainly authentication failures first thing in the morning on machines that have been left asleep at the login prompt over night. Directory Access used to have a lot of trouble working out what to do with itself when the machine woke up. Authentication failed but the Linux server logs tended to suggest that the LDAP requests weren't being made. Anyway, it all seems to work reliably as of 10.3

Re:flame on. (1)

seann (307009) | more than 10 years ago | (#7480309)

true story.

rock on.

OMG A TROLL POST (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7465709)

I can't believe it - EVERYONE knows that there are NO PROBLEMS WHATSOEVER with APPLE computers and SOFTWARE.

The original poster is OBVIOUSLY a LIAR and is simply TROLLING. [fingers in ears] la la la not listening....

Ok marks out of ten for Mac Zealot ?

Re:OMG A TROLL POST (1)

dnahelix (598670) | more than 10 years ago | (#7467763)

I think it was more of a joke than flamebait, i.e. obvious sarcasm.

Easy fix. (0)

Anonymous Coward | more than 10 years ago | (#7465751)

1. boot into single user mode
2. work on the netinfo database from there.
3. reboot

yes, this is least optimal (most pessimum, even) but it'll get you back working again.

Re:Easy fix. (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7465923)

> 2. work on the netinfo database from there.

And just how do you expect to work on the database? single user mode is a text only console, moron. Netinfo is a GUI app.

Just one of the reasons all servers should be console based only from the beginning.

Re:Easy fix. (1)

jeffasselin (566598) | more than 10 years ago | (#7471224)

No. *Netinfo Manager* is a GUI app, but far from the only way to actually work on the netinfo database, which is really files on a hard drive (what a novel concept!) which you can manipulate using command-line tools such as nicl, niutil, etc. So far, I've found almost nothing on Mac OS X which I can't do from the command-line, either with Terminal or logged in >console mode. Even in single-user mode, if you start up the services, you have access to pretty much anything.

Next time you're trolling, at least research your trolls.

Re:Easy fix. (1)

sld126 (667783) | more than 10 years ago | (#7466235)

You forgot:

2a. Profit!

is this a troll? (4, Insightful)

KH (28388) | more than 10 years ago | (#7465758)

I don't want to be overtly critical, but the question does not make much sense.

Several questions:

What are those remote servers? Why does one need to have access to four servers? Are they X serve or just regular Macs that share files? If the former was the case, they should be running OS X Server, with which I am not very familiar, but I doubt that four of them got Netinfo database corrupted.

Regardless of X-Serve or regular Mac, it does not seem very likely that one can install FreeBSD on them. Is there a FreeBSD distribution for PowerMacs? The last time I checked, OpenBSD was available, but not FreeBSD.

Also, if the problem was Netinfo, why didn't he just restore the corrupted Netinfo database, as described in the linked documents?

Why is root being disabled a problem? If one has physical access to the machines, (s)he can always cmd+s to boot into the single user mode. sudo sh should work, too.

Overall, the post does not make much sense, does it? At least I'm a bit confused.

Re:is this a troll? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7465820)

STFU you fucking IDIOT and accept the fucking FACT that there are problems with Apple software.

Re:is this a troll? (0)

Anonymous Coward | more than 10 years ago | (#7468017)

AC/Troll, there are problems with Apple Software. This is not one of them. The person asking the question may be a competent admin in other respects, but he clearly doesn't know very much about simple OS X admin. No one worth his salt who depends on Netinfo (or NIS or LDAP for that matter) doesn't back up the db's, and know how to restore them in an emergency. No such admin would be ignorant of all the myriad options for restoring passwords. No such admin would be ignorant of all the myriad alternatives to netinfo on the same box.

Also, I'd like to point out that providing three links to how to fix a corrupt netinfo db does not mean that the problem is widespread, or that the corruption isn't the fault of the admin (c'mon, FOUR of his remote servers, what is this guy doing?) Careless and ignorant admins hose their systems all the time... it doesn't matter what the technology we talk about... hell even careful ones do it sometimes. He just pointed to fixes, not to documentation of a widespread problem. Go to google and find three links to fixing mysql or postgres and tell me that there are widespread problems with either technology..... you'll find hundreds of links, and it just means shit happens and there is a way out.

Re:Well, you would be confused. . . (0)

Anonymous Coward | more than 10 years ago | (#7465895)

Considering you didn't read the article very carefully.

It explicitly says that the systems are running OS X Server.

It also says _remote_ root login.

While we're at it, is booting to singleuser mode every time you need to do something as root really a good option? I mean, my boss would have my head if I had to (from the user's perspective) bring down the servers every time I needed to add a user or summat.

Re:Well, you would be confused. . . (1)

valkraider (611225) | more than 10 years ago | (#7466125)

Why would you need to bring down the server to add a user? The "single user mode" would only be used to FIX SERIOUS PROBLEMS. Once fixed, everything should work as advertised. Right?

Re:Well, you would be confused. . . (1)

SlamMan (221834) | more than 10 years ago | (#7476039)

right. single user mode would be what you do to fix your corrupted Netinfo database, not to add a user.

Re:Well, you would be confused. . . (0)

Anonymous Coward | more than 10 years ago | (#7468127)

While we're at it, is booting to singleuser mode every time you need to do something as root really a good option?

Can you be serious? Do you really think single-user mode is the only way to run as root on ANY unix distro? Ever hear of 'sudo' ? What the hell are you doing on this site if you can write that sentence with a straight face? Or are you just being as obtuse as the original poster? He's hosing his own machines out of ignorance, and blaming it on netinfo. One or two I would believe, but FOUR? He should take time to learn how to run the thing or stick to what he knows, but pointing to three articles on solutions to what you do when the db gets corrupt (How? Admin error or software error? the articles don't mention this.... how can it be proof of a widespread problem?)

Re:Well, you would be confused. . . (0)

Anonymous Coward | more than 10 years ago | (#7471092)

Umm. . . read first comment. The root comment mentioned booting into singleuser mode as a way of getting around not being able to log in as root.

Re:is this a troll? (2, Informative)

CodeBSD (631966) | more than 10 years ago | (#7465940)

The last time I checked, OpenBSD was available, but not FreeBSD.
There is a FreeBSD PPC distro, but it only boots into single user mode as of now....

Re:is this a troll? (2, Insightful)

Elwood P Dowd (16933) | more than 10 years ago | (#7466585)

If he's replaced it with FreeBSD, he was probably running Darwin on x86, not Mac OS X Server.

Re:is this a troll? (1)

code shady (637051) | more than 10 years ago | (#7473737)

Seriously. According to this [freebsd.org] freebsd on ppc will only "boot(s) almost to the point of reaching single-user mode."

Re:is this a troll? (1)

Phroggy (441) | more than 10 years ago | (#7477073)

If he's replaced it with FreeBSD, he was probably running Darwin on x86, not Mac OS X Server.

No, contrary to popular opinion, it's not easy to confuse the two. I'm sure he meant he replaced the machine with a PC running FreeBSD.

Re:is this a troll? (1)

Elwood P Dowd (16933) | more than 10 years ago | (#7477418)

Oh, I know. I think he intentionally conflated the two.

Re:is this a troll? (1)

roblaird (633935) | more than 10 years ago | (#7467038)

He probably meant that he replaced the entire machine with one running FreeBSD.

Re:is this a troll? (1)

jeffasselin (566598) | more than 10 years ago | (#7471252)

I thought it was a troll when I read it too. I've encountered problems with a corrupted Netinfo database maybe two or three times in the last couple years working as a Mac technician, and the automatic backup always solves the issue if no backup was made previously.

As for remote root login, you can't ssh in as root, but it's not a problem, as you can easily ssh in as an admin and then run "sudo -s -H" to authenticate as root. I do that all the time.

Go with Panther and LDAP... (3, Funny)

zulux (112259) | more than 10 years ago | (#7465769)

NetInfo is beleaguered.

Boot from CD to change root access (5, Insightful)

Kalak (260968) | more than 10 years ago | (#7465813)

If you've locked yourself out of root, you can boot from the System install CD. In the menu, IIRC, as soon as you start the install process, you can select "Reset Password" utility. This is assuming that your NetInfo database is not corrupted. If it *is* corrupted, you can still get to data on the drives via single user mode (Command-S) on startup, to backup your data.

You can also re-install with the option of creating a new NetInfo database, or follow the instructions indicated in the linked articles you cite for similar results.

The fact that you have options already cited makes me think this article sounds more like a troll than anything else. If this were Windows and the Registry was gone, you'd be FUBAR as well. If your /etc/ directory was gone in *nix, you'd be FUBAR. The possibility for recovering from such a corruption is a matter of good backups and system administration and not the fault of the OS in this case. A corrupted NetInfo database is merely the way that Darwin shows this as a problem that you keep backups to avoid.

Also, there is a manner (I forget what it is now) to get Jaguar (and I assume Panther) to read the /etc flat files instead of NetInfo. It was implemented as a complaint who prefer flat files to NetInfo (I'm one of them).

Poor backups is not a reason for you to examine if this is an OS up to par. If there were no way to backup the NetInfo database, then you'd have a great case for this argument. There is, and you should be restoring from that database if you need it for server info.

Re:Boot from CD to change root access (2, Informative)

Dixie_Flatline (5077) | more than 10 years ago | (#7467770)

Many things in Panther use flat files before NetInfo. If you want to check, do a 'lookupd -configuration'. 'man lookupd' will tell you how to change the lookup order, I believe. Don't forget to do a 'lookupd -flushcache' after you're done.

Re:Boot from CD to change root access (1)

Mattbot23 (697986) | more than 10 years ago | (#7471046)

Fun Bonus Tip!

Requires: Access to NetInfo network admin account and a NetInfo server broadcasting on DHCP.

Macs ship with Directory Access set up to automatically look for NetInfo DHCP server and also have their root account disabled with no password. You can log in directly to such computers with the network admin account, enable root and set the password without using a boot disk.

Lesson: Always set a password for your root account, even if you never plan on using it. Turn off NetInfo in Directory Access if you don't need it. It will speed up start-up as well.

Re:Boot from CD to change root access (1)

Mattbot23 (697986) | more than 10 years ago | (#7471102)

Errata: I could be wrong as to whether it is NetInfo or LDAP that's on by default but the end result is the same. So turn off LDAP too in Directory Access if you don't need it.

Re:Boot from CD to change root access (1)

prockcore (543967) | more than 10 years ago | (#7472132)

If your /etc/ directory was gone in *nix, you'd be FUBAR.

Nonsense.. you can boot into single user mode, which doesn't require /etc to be present.

You can delete everything except for stuff in /sbin and still be able to log in locally.

Re:Boot from CD to change root access (1)

Kalak (260968) | more than 10 years ago | (#7473696)

You could boot (you could do the same with single user mode w/o NetInfo), but without backups you'd be fubar, You could only grab the data that's left and reinstall. If this machine had backups NetInfo's database would be backed up as well, and so this would be a non-issue. Comes back up to the great rule of sysadmin - you can never have too many backups.

Restore CD (0, Redundant)

dthable (163749) | more than 10 years ago | (#7465819)

Never used OS X server, but does the install CD allow you to reset the root password? Yeah, you'll have to go to the server to reset the password, but sounds better than reinstalling.

Re:Restore CD (0)

Anonymous Coward | more than 10 years ago | (#7471259)

Wow, gave him a redundant because the post above was the same and they were all of, hmm, NO MINUTES APART.

That's a little harsh. "You didn't check the page 10 seconds before submitting to make sure your post wasn't already covered!"

I wonder if anyone else READS the comment headers...

Re:Restore CD (1)

dthable (163749) | more than 10 years ago | (#7504384)

We have headers on the comments?

Maybe Apple knows? (3, Insightful)

Bastian (66383) | more than 10 years ago | (#7465841)

Have you asked Apple yet?

Slashdot probably isn't really the best forum for questions about OS X Server. It's not something people really need to buy for home use. Few businesses I know of run OS X servers. And most importantly, it is quite definitely not GNU/Linux.

Also, are you sure having remote root access is a bug and not a feature? It's a huge huge security risk, esp. for a business setting.

Re:Maybe Apple knows? (3, Informative)

gsdali (707124) | more than 10 years ago | (#7465953)

Not that slashdot should be a purely GNU/Linux preserve. There are better places to ask this question though; Mac OS X Hints Forums [macosxhints.com] and Mac Fixit Forums [macfixitforums.com] spring to mind.

Now this I call flamebait, and I'll bite the apple (0)

Anonymous Coward | more than 10 years ago | (#7481585)

It would seem to me that the Apple section at slashdot is the perfect place to discuss Apple things on slashdot...

Maybe I'm wrong and it's all about eating fruit while compiling your GNU software?

If only you could mod articles -1 Flamebait (4, Interesting)

RalphBNumbers (655475) | more than 10 years ago | (#7465877)

This newkid managed to find all of 3 people out of millions of mac users who have had their netinfo database corrupted. All of which were fairly easily repaired, all of which managed to write constructive articles. (and at least one of which explicitly said they thought it was because of a pseudo-brownout while writing to disk, not some flaw in apple's software)

And now newkid claims he's having the same problem on 4 servers at once (of which I'm somewhat dubious), and writes this flamebait article, implying that Apple's OS is horribly flawed.

He then goes on to ask for the info he could have just read out of those 3 pages he linked to as documentation of his "serious flaws"; these problems are very rare, and fairly easily repaired by someone moderately cluefull.

Re:If only you could mod articles -1 Flamebait (3, Funny)

Otter (3800) | more than 10 years ago | (#7466386)

And now newkid claims he's having the same problem on 4 servers at once (of which I'm somewhat dubious)...

...and claims to have subsequently installed FreeBSD on one of those Macs!

Re:If only you could mod articles -1 Flamebait (1)

skahshah (603640) | more than 10 years ago | (#7467183)

To speak the truth, he never claimed that. He just said he replaced one server by FreeBSD, what could well mean that he replaced one server by a box running FreeBSD?

Re:If only you could mod articles -1 Flamebait (1)

commodoresloat (172735) | more than 10 years ago | (#7471797)

And now newkid claims he's having the same problem on 4 servers at once

Those are just the servers at his freelance gig, where he's busy trying to copy a 17M file....

Dear Cliff, (4, Informative)

reiggin (646111) | more than 10 years ago | (#7465894)

Would you please stop turning apple.slashdot.org into a hints, tricks, and tips forum? You're 2 for 2 right now. This is "News for Nerds" not "Nerds helping Non-nerds."

Thanks.

Re:Dear Cliff, (0, Flamebait)

DAldredge (2353) | more than 10 years ago | (#7466089)

I thought that apple.slashdot.org was News that makes Apple look good? After all the mods in this section are just a LITTLE easy on the downmods when anyone says anything remotely critical of Apple.

Re:Dear Cliff, (3, Funny)

valkraider (611225) | more than 10 years ago | (#7470124)

Mod parent down. ;)

Re:Dear Cliff, (2, Informative)

Midnight Thunder (17205) | more than 10 years ago | (#7466126)

That's the feeling I got. The best place to ask such questions is http://discussions.info.apple.com/ [apple.com] or even on one of the mailing lists at http://lists.apple.com/ [apple.com] . On the other hand the guy did get some informed view points on why what he is asking, is likely to be a security issue.

Re:Dear Cliff, (1)

newkid (535229) | more than 10 years ago | (#7470761)

This was not about tips on Apple. This was about Unix stability: what is your experience with the stability of authentication systems on BSD or Linux?

FUD, its all FUD you hear (1, Funny)

wcb4 (75520) | more than 10 years ago | (#7465937)

Everyone knows that as a server OS, MacOSX, linux, unix, AIX, xxxx, TRS-DOS are all perfect and windows is the only server OS in the world that sucks or has any problems at all. Problems with Mac OSX Server? What are you, a Pro Microsoft Troll or something?

Good resource (5, Informative)

sld126 (667783) | more than 10 years ago | (#7466099)

Especially for 10.2 servers:
http://www.afp548.com

and specifically to your question:
http://www.afp548.com/Articles/system/netinfobackup.html

mmmmm.... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7466137)

Dear Slashdot,

I'm having trouble picking my nose. Please help.

yours, Mr. Lazy

Panther DOES use NetInfo (1)

Bytesmiths (718827) | more than 10 years ago | (#7466242)

"should I move to Panther (it uses LDAP instead of NetInfo to control user accounts)?"

I have yet to see this challenged, but my version of Panther uses NetInfo for user accounts, as it should.

NetInfo is great! I don't understand all the belly-acheing.

Re:Panther DOES use NetInfo (3, Informative)

sld126 (667783) | more than 10 years ago | (#7466280)

Local accounts are handled with NetInfo.

Network accessible accounts are handled with LDAP.

Hmmm (1)

midifarm (666278) | more than 10 years ago | (#7466256)

I've never experienced any problems at all with OSX Server, but then again my needs are on a small scale compared to a fortune 500 company. Peace

Instructions to switch to LDAP (1)

Bazzargh (39195) | more than 10 years ago | (#7466272)

can be found here [macosxhints.com] .

Or here.... (1)

sld126 (667783) | more than 10 years ago | (#7466468)

http://www.apple.com/server/

Look at configuring lookupd (0, Flamebait)

Anonymous Coward | more than 10 years ago | (#7467157)

When darwin looks for a password it calls lookupd and not netinfo. lookupd in turn calls netinfo. On my machines I have configured lookupd to mainly look at the cache first, flat files second and then netinfo.

What is the advantage of netinfo besides having a tree of netinfo servers? It seems to be more of a problem than it is worth.

There are several other things besides netinfo that make the mac not industrial strength. Several of the command line equivalents (installer, softwareupdate) crash forcing you to use the GUI version. Not being able to export two directories on the same filesystem with different options. Flaky automount that still creates symbolic links instead of mounting directly... I could go on and on...

Dude just install Debian on those puppies...! (0)

Anonymous Coward | more than 10 years ago | (#7467823)

It will solve all your problems and you won't have to fork money out to Apple$ to get an OS with a good authentication system.

I have spoken.

lookupd (0)

Anonymous Coward | more than 10 years ago | (#7467918)

When darwin looks for a password it calls lookupd and not netinfo. lookupd in turn calls netinfo. On my machines I have configured lookupd to mainly look at the cache first, flat files second and then netinfo.

Check your permissions (1)

Randym (25779) | more than 10 years ago | (#7469462)

I'm running 10.2.4 and, by chance, I happened to run Check permissions (under Disk Utility) last night. I noticed one of the incorrect permissions settings was under Netinfo. I repaired it. You might want to try checking your permissions just to be on the safe side.

NetInfo ? (1)

Hi Larry! (553285) | more than 10 years ago | (#7469599)

Anybody kind enough to tell me what is NetInfo.

Netinfo is... (0)

Anonymous Coward | more than 10 years ago | (#7469701)

A piece of crap. A wee bit like Mac OS 9.x ...

Understand now?

freebsd??? (0)

Anonymous Coward | more than 10 years ago | (#7469774)

FreeBSD/PowerPC currently boots almost to the point of reaching single-user mode check this out at here [freebsd.org] you run a server on this???

raise your hand ... (1)

valmont (3573) | more than 10 years ago | (#7470079)

... if you think newkid should not be using computers?

*raises hand*.

All articles newkid pointed out mentioned this "issue" as trivial and/or easily fixable, don't seem to be directly related, all appear to have been found by doing a google search for netinfo, and do not make his little issue a "well documented fact". I can also google for just about any type of computing issue and dig out hundreds of articles on any particular subject.

There are, furthermore, many ways one can corrupt a hard drive, that could affect just about any file on it, this holds true regardless of which platform you're on, and usually has to do with a filesystem's strength. I hear journaling, which becomes enabled in Panther, while lying dormant in Jaguar, tends to avert such file corruption issues. In any case periodic filesystem checks should always be run. Mac OS X knows to perform those at reboot time, when it's been a while since the last one. Servers are most likely a different story due to required uptime. This is why systems administrators who have a clue do plan downtime for such maintenance and health-monitoring tasks and have redundant systems to guarantee uptime.

Oh yeah and not allowing a root user to log-in remotely is hardly a bug or a flaw.

Yah yah, we've heard it before (2, Funny)

FozzTexx (186554) | more than 10 years ago | (#7470333)

Mark Crispin, is that you? This sounds just like comments that were littered all over comp.sys.next.advocacy years ago. Yah yah, we know you hate NetInfo just because you weren't the one to invent it.

Mixed experiences w/Netinfo (1)

phch (398574) | more than 10 years ago | (#7470467)

We run a lab with 5 XServes running OS X Server (10.2). On the one hand, Netinfo has been a convenient way of sharing user accounts across the XServes. We store user accounts, NFS exports, and DHCP configuration information in the head node and it seems to work ok. DNS stuff is configured with traditional BIND text files.

On the other hand, twice during configuration we managed to corrupt the root Netinfo database on the head node. Once we were able to recover from a backup; the other time we corrupted it so badly that we could no longer log into the machine and had to reboot into single user mode and do some nontrivial recovery.

Granted, we ran into trouble mainly because we were doing everything from the command line and weren't very experienced with the Netinfo database structure. Still, it would have been easier to recover from our mistakes if the configuration information were stored in some plain text or XML format. Now that things are up and running, Netinfo hasn't been a problem. I think that using Netinfo to share user account information has been fairly easy, easier than setting up LDAP, although that's probably changed since Panther has been released.

One other note is that encrypted passwords are visible in our root Netinfo database to the outside world. This has changed since Panther, or so I understand.

Re:Mixed experiences w/Netinfo (2, Informative)

moof1138 (215921) | more than 10 years ago | (#7470693)

If you are using 10.2 Server you do not need to have your network user's password hashes visible to anyone. All you need to do is use the Password Server that comes with X Server. In the ODA if you select 'This Server will provide authentication for other systems' or something much like that, then it will be enabled. Once you enable it and set users from Basic authentication to the Password Server, the password field of their user record becomes '********'. With 10.3 the Password Server can still be used the same way, but it can also morph into the back end of the new KDC.

Note that in 10.2 you can export your users from WGM as an XML file which can serve as a backup if the parent NIDB gets hosed, but if you are using the password server you need to also back up the password server database.

Are you really using NetInfo correctly? (4, Informative)

plsuh (129598) | more than 10 years ago | (#7470492)

Not to minimize your difficulties, but Apple runs NetInfo internally at a very large scale. In the NeXT days NetInfo was used for large-scale deployments and was quite stable.

Any Mac OS X or X Server machine has a local NetInfo database, stored in /var/db/netinfo/local.nidb/. It serves as the local directory services store for user and configuration information for that machine only. In addition, a Mac OS X Server that is acting as a NetInfo master or LDAP server will contain at least one other NetInfo database usually named "network". This is stored at /var/db/netinfo/network.nidb/. It is used to provide user and service information for a larger network of machines.

Clients can connect via the native NetInfo protocol which is based on the SunRPC portmapper, or via LDAP. In either case the data are taken from the network.nidb data store.

The fact that you were "locked out" of four of your servers is very unusual. To properly diagnose this, more information is required. Which one (if any) of these four servers was a directory service server for the group? Was that one acting as an Open Directory password server? What measures did you undertake to regain access once the problem was detected?

By the way, Panther still uses NetInfo as a local directory services store. Passwords are no longer stored as crypt hashes -- they are instead stored as shadowed MD5 hashes in a separate location.

--Paul
Technical Training and Certification
Apple Computer
psuh at apple dot com

Security hole: remote netinfo in OS X 10.2 server (2, Informative)

Permission Denied (551645) | more than 10 years ago | (#7471796)

You are using netinfo on MacOS X Server 10.2 to authenticate clients remotely. This is a bad idea; anyone on a network served by your netinfo server can obtain the password hashes on all accounts and then run a cracker against them. Basically, this is like broadcasting your password file to the world.

To demonstrate: on any of your clients, type "niutil -readprop -t server_ip/network /users/username/passwd"
Substitute "username" with any username or read all the usernames. Hell, I'll script it for you:

#!/bin/sh
IP=your_ip
DB=your_db
niutil -list -t $IP/$DB /users | while read i u
do
    echo -n $u:
    niutil -readprop -t $IP/$DB /users/$u
done

The hashes are encrypted using the standard Unix crypt(3). You can then massage them into some format that Crack can read and let it go. Remember, any user with access to your network can do this.

I really thought it was quite irresponsible of Apple to release this software and recommend this configuration to users. It took them a good long time to fix it.

Panther (client) finally fixed this. You'll note that passwords are no longer stored in netinfo, but netinfo rather references a "guid" which in turn references a file that stores the password, readable only by root. This means that standalone Macs no longer give all users access to all password hashes. I understand netinfo will finally be fully deprecated in 10.3 server.

You also asked if anyone has had other problems with MacOS X Server: I would strongly recommend against their mail server software. It does finally store messages as discrete files on the filesystem, so some munging can be fixed, but message flags are still stored in some opaque binary format that tends to get corrupted. In fact, whenever 10.2 server goes down ungracefully, all flags on messages are corrupted on our mail server, and thousands of deleted (and purged) messages re-appear in all the inboxes. The particular machine is on a UPS, so this doesn't happen very often, but it happens whenever the machine is purposefully rebooted without first explicitly stopping the mail server.

The good thing about 10.2 server is that it stores the passwords using standard DES crypt(), which makes migrating from it very easy. A shell script like the one above can produce a password file readable by most any *nix flavor. 10.3 uses some bizarre format that I can't readily identify. Since a lot of the most important bits of MacOS are closed-source, you may have a very difficult time migrating away from 10.3 server if it uses something akin to the 10.3 client hashes (options are making all users create new passwords or spending lots of time reverse-engineering the hash and writing an equivalent pam module for another OS (I'm assuming this new hashing stuff is not in Darwin, as most things in MacOS where I needed the code were not in Darwin - but I haven't checked for this)).

Anyway, your best bet is to drop netinfo and start using LDAP. MacOS X (client and server) uses OpenLDAP, which doesn't have these security issues, is easy to migrate onto other OSes, and is open source (with no modifications that I can identify), so you at least have the ability to fix your own problems if you're not scared of some coding. For example, the OpenLDAP version that ships with MacOS X 10.2 has a bug in that TLS_CACERTDIR directive does not work. I was able to identify and work around this since I had access to the code.
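
An added example, not part of any post in this thread: a defender-side audit of the exposure described in the comment above, using the '********' masking that moof1138's comment reports for accounts moved to the Password Server. It assumes a colon-separated passwd-style export of the network domain's user records (name:passwd:...); the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-style export of a
# NetInfo domain for password fields that network clients can still read.
# Assumed layout: name:passwd:uid:gid:... with one record per line.

classify_passwd_export() {
    # stdin: passwd-style records; stdout: "user<TAB>status" per record.
    awk -F: '
        /^#/ || NF < 2 { next }            # skip comments and malformed lines
        {
            pw = $2
            if (pw == "")              s = "NO-PASSWORD"
            else if (pw == "*")        s = "locked"
            else if (pw == "********") s = "masked"
            else if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$") s = "EXPOSED-des-crypt"
            else                       s = "EXPOSED-unknown-format"
            printf "%s\t%s\n", $1, s
        }'
}

exposed_users() {
    # Accounts whose hash is visible in the directory: move them off Basic
    # authentication, then force a password change.
    classify_passwd_export | awk -F'\t' '$2 ~ /^EXPOSED/ { print $1 }'
}

sample_export() {
    # Constructed records; the passwd values are placeholders, not real hashes.
    cat <<'EOF'
# constructed sample export
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
alice:XXplaceholder:501:20::0:0:Alice:/Users/alice:/bin/tcsh
bob:********:502:20::0:0:Bob:/Users/bob:/bin/tcsh
carol::503:20::0:0:Carol:/Users/carol:/bin/tcsh
erin:$1$constructed$notARealDigest:505:20::0:0:Erin:/Users/erin:/bin/tcsh
EOF
}

# Report for the constructed sample.
sample_export | classify_passwd_export
```

Run against a real export, an empty result from exposed_users means no account in that domain still publishes a hash in its passwd field.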

NetInfo stability Issues (1)

hinsons (724168) | more than 10 years ago | (#7473908)

In regard to the original article's issue, most of the NetInfo timeout issues that I have ever seen relate to the NetInfo server being configured to gather information from a NetInfo parent. If no valid NetInfo parent exists the issues that the poster described will occur. I have resolved all of these issues by one of two solutions. The first as a previous respondent indicated was to turn off the option for the computer ( client or server ) to look for directory information in NetInfo. The second is to remove the 'serves' property under the NetInfo path /machines/broadcasthost. Removing this property will prevent the NetInfo server from looking for a parent. In the Mac OS X server install that I have, there was an empty network NetInfo database. The serves property pointed to it ( with the NI path ../network ) as the value on the 'serves' property. So removing the property will prevent the NetInfo database from continuing to look for a parent which either does not exist or is blank.
Many thanks go to www.darwinfo.org ( now www.opendarwin.org ) and the FAQ with answers from Mark Majka ( sp ? ) for answering this question for me.
I would agree that details on how NetInfo works exactly are very scant from Apple. And in answer to my NetInfo questions from an 'Apple Systems Engineer' was 'it just works'.
I would also recommend looking around for old NeXT NetInfo documents, as I have found a lot of useful information regarding the setup of NetInfo from them.

It's all about the #s (1)

customjake (662717) | more than 10 years ago | (#7475427)

I saw this corrupted netinfo database problem right after installing Jaguar the day it came out. I don't think the problem persisted past 10.2.2

As for LDAP, I think it is probably more used and thus there is more literature on its setup and use. I think it is probably ahead of Netinfo for the majority of users and will likely stay there in the near future.

I do see some excellent potential in Netinfo, as I am one of those freaks who tweaks netinfo to get it to do things it was never intended for. I manage several OSX servers from home without issue.

For Serious Network Design using OS X (1)

tyrione (134248) | more than 10 years ago | (#7475862)

Please take the Networking Courseware offered by Apple Professional Services. It's crammed with documentation and hands-on approaches to solving your woes.

I asked the folks when I had to support Openstep/NeXTStep why we never published for sale a library on these, besides NeXTAnswers which myself and others maintained and well it was more of a resource constraint than lack of demand.

If the demand for a professional publication volume set is there Professional Services will publish the works, but the demand has to be there.

It's taken years for WebObjects to get third party books worth a crap and there are NetInfo gurus in this world(me not one of them) who could clear the airwaves.

If the demand is strong they will publish those needs.

Contact Apple and set up a petition for them to not just offer indepth documentation within the Training courseware.

I still have my docs from Openstep when I worked there. Netinfo takes a bit to grasp especially with the Master Netinfo Server/Clone Server design but let's just say if you had these reference materials updated for today's Networking Services this article would be about bragging how useful Netinfo is versus it being a pain in the rear.

Sincerely Yours,

Marc J. Driftmeyer

Huh??? Like a Rock! (0)

Anonymous Coward | more than 10 years ago | (#7476517)

What are you talking about? We have Server 10.2 on a dual 400mhz G4/1gig of ram and about 1TB of harddrives on firewire/ATA drives. We have about 20 users a day and move about 20-40 gigs of data per day. All users use directory access logins, AFP, FTP, SSH, Samba, and NTFS access. 9 months so far, no crashes, no reboots, no problems. Dude, stop tweaking with the system! Just install, setup, and run!