How to Rebuild Software RAID 10 in Mountain Lion – Command Line

Posted: February 27th, 2014 | Author: | Filed under: Mac OS X, Mac OS X Server, RAID | No Comments »

Removal

First, replace the disk 😉

Open a terminal session on the affected system and run
diskutil appleRAID list
Find the UUID of the affected drive and the UUID of the RAID set it belongs to, then fill in the blanks below:
sudo diskutil appleRAID remove <drive UUID> <RAID UUID>
For example:
sudo diskutil appleRAID remove EEDD0AD6-C448-48F7-A766-001C65338E99 7010C337-829C-4F08-B6A4-1C8A9E943CBD
Our RAID 10 now only has three disks attached.

Rebuild

First we need to identify the spare disk waiting for us in the system. Use diskutil list to do this. Here’s some example output. See if you can spot the disk that is not like the others.

# diskutil list

/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *119.9 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS ServerHD                118.9 GB   disk0s2
   3:                 Apple_Boot Recovery HD             784.2 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                 Apple_RAID                         2.0 TB     disk1s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                 Apple_RAID                         2.0 TB     disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk3
   1:                        EFI                         209.7 MB   disk3s1
   2:                 Apple_RAID                         2.0 TB     disk3s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk3s3
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                                                   *2.0 TB     disk4
/dev/disk5
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Storage                *4.0 TB     disk5
thuja:~ pwladmin$


We can see in this list that disk4 has no partition map and is therefore the new disk. We can now add it to our degraded RAID with:
sudo diskutil appleRAID add member <NewMemberDeviceName> <RAID UUID>
For example:
sudo diskutil appleRAID add member disk4 7010C337-829C-4F08-B6A4-1C8A9E943CBD
Your disk is now part of the RAID set. If you run diskutil appleRAID list you’ll be able to check the progress of the rebuild.

===============================================================================
Name:                 Thuja RAID A
Unique ID:            920F03EB-DE44-49AA-9934-0EF53EF032D1
Type:                 Mirror
Status:               Online
Size:                 2.0 TB (2000054910976 Bytes)
Rebuild:              manual
Device Node:          -
-------------------------------------------------------------------------------
#  DevNode   UUID                                  Status           Size
-------------------------------------------------------------------------------
0  disk1s2   D4BCB349-3255-473B-B586-EAF066C5BD6D  Online           2000054910976
1  disk3s2   E01DB36B-CDC4-458C-AC07-507433DCB481  Online           2000054910976
===============================================================================
===============================================================================
Name:                 Thuja Stripe RAID
Unique ID:            9D9FEE5F-5F04-4051-A0AB-A985DFFAF2A0
Type:                 Stripe
Status:               Online
Size:                 4.0 TB (4000109559808 Bytes)
Rebuild:              manual
Device Node:          disk5
-------------------------------------------------------------------------------
#  DevNode   UUID                                  Status           Size
-------------------------------------------------------------------------------
0  -none-    920F03EB-DE44-49AA-9934-0EF53EF032D1  Online           2000054779904
1  -none-    7010C337-829C-4F08-B6A4-1C8A9E943CBD  Online           2000054779904
===============================================================================
===============================================================================
Name:                 Thuja RAID B
Unique ID:            7010C337-829C-4F08-B6A4-1C8A9E943CBD
Type:                 Mirror
Status:               Degraded
Size:                 2.0 TB (2000054910976 Bytes)
Rebuild:              manual
Device Node:          -
-------------------------------------------------------------------------------
#  DevNode   UUID                                  Status           Size
-------------------------------------------------------------------------------
0  disk2s2   13AFF0CD-77FB-4E14-9A89-A09C01ACA4C4  Online           2000054910976
1  disk4s2   EAE79161-3729-41FB-81A1-97CE878C1E31  1% (Rebuilding)  2000054910976
===============================================================================
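Checking that output by eye works for three sets, but not for a monitoring job. As an added example (my own code, not from the post or from Apple), this parses diskutil appleRAID list output and reports every set that is not Online together with its non-Online members; SAMPLE is constructed from the output above, including the run-together "1% (Rebuilding)2000..." form diskutil printed.

```python
import re

# Constructed sample modelled on the `diskutil appleRAID list` output in the post.
SAMPLE = """\
===============================================================================
Name:                 Thuja RAID A
Unique ID:            920F03EB-DE44-49AA-9934-0EF53EF032D1
Type:                 Mirror
Status:               Online
-------------------------------------------------------------------------------
#  DevNode   UUID                                  Status       Size
-------------------------------------------------------------------------------
0  disk1s2   D4BCB349-3255-473B-B586-EAF066C5BD6D  Online       2000054910976
1  disk3s2   E01DB36B-CDC4-458C-AC07-507433DCB481  Online       2000054910976
===============================================================================
===============================================================================
Name:                 Thuja RAID B
Unique ID:            7010C337-829C-4F08-B6A4-1C8A9E943CBD
Type:                 Mirror
Status:               Degraded
-------------------------------------------------------------------------------
#  DevNode   UUID                                  Status       Size
-------------------------------------------------------------------------------
0  disk2s2   13AFF0CD-77FB-4E14-9A89-A09C01ACA4C4  Online       2000054910976
1  disk4s2   EAE79161-3729-41FB-81A1-97CE878C1E31  1% (Rebuilding)2000054910976
===============================================================================
"""

UUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
# index, device node, member UUID, status, size; the status may contain spaces
# and diskutil may run it straight into the size ("1% (Rebuilding)2000...").
MEMBER_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(" + UUID + r")\s*(.+?)\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_raid_list(text):
    """Return one dict per RAID set: its header fields plus a 'members' list."""
    sets, current = [], None
    for line in text.splitlines():
        if line[:1] in ("=", "-", ""):
            continue                                  # separators carry no data
        m = MEMBER_RE.match(line)
        if m and current is not None:
            idx, dev, uuid, status, size = m.groups()
            current["members"].append({"index": int(idx), "devnode": dev,
                                       "uuid": uuid, "status": status,
                                       "size": int(size)})
            continue
        f = FIELD_RE.match(line)
        if f:
            key, value = f.group(1).strip(), f.group(2).strip()
            if key == "Name":                         # a set's block starts here
                current = {"members": []}
                sets.append(current)
            if current is not None:
                current[key] = value
    return sets


def find_problems(sets):
    """Every set that is not Online, with the members that are not Online."""
    problems = []
    for s in sets:
        bad = [m for m in s["members"] if m["status"] != "Online"]
        if s.get("Status") != "Online" or bad:
            problems.append((s.get("Name"), s.get("Unique ID"), bad))
    return problems


if __name__ == "__main__":
    # On a live box feed in subprocess.check_output(["diskutil", "appleRAID", "list"], text=True).
    for name, uuid, bad in find_problems(parse_raid_list(SAMPLE)):
        print(f"{name} ({uuid}) needs attention")
        for m in bad:
            print(f"  member {m['index']} {m['devnode']}: {m['status']}")
```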



CrashPlan PROe 3.8.2010.2 on Mountain Lion 10.8.5

Posted: February 22nd, 2014 | Author: | Filed under: CrashPlan, Mac OS X | 1 Comment »

I recently had an issue where I could not load the CrashPlan PROe server onto a 10.8.5 Mac Mini. The app installed; however, when I asked for the management interface on port 4280 I was greeted with a URL redirect and a blank white page. I was also getting this in /Library/Logs/PROserver/proserver.startup.err:


[02.22.14 11:45:02.159 INFO main temPropertiesLoader.loadSystemProperties] * loading properties from: conf/proserver.properties
com.code42.exception.DebugRuntimeException: Failed to start CPCentralServices.
at com.backup42.app.cpc.CPCentralServices.init(CPCentralServices.java:297)
at com.backup42.controller.CPCentralController.start(CPCentralController.java:65)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.backup42.main.CPServiceManager.invokeAll(CPServiceManager.java:120)
at com.backup42.main.CPServiceManager.start(CPServiceManager.java:89)
at com.backup42.main.CPServer.start(CPServer.java:123)
at com.backup42.main.CPServer.main(CPServer.java:387)
Caused by: java.lang.NumberFormatException: For input string: ""
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
at java.lang.Long.parseLong(Long.java:431)
at java.lang.Long.valueOf(Long.java:525)
at com.backup42.server.manage.ServerManager.initializeMyGuid(ServerManager.java:64)
at com.backup42.server.manage.OsXServerManager.initializeGuid(OsXServerManager.java:170)
at com.backup42.server.manage.ServerManagerService.initializeGuid(ServerManagerService.java:568)
at com.backup42.app.cpc.CPCentralServices.init(CPCentralServices.java:159)

The solution was the following:

Stop the service: launchctl unload /Library/LaunchDaemons/com.crashplan.proserver.plist
Edit the launchd plist to point to /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Commands/java instead of /usr/bin/java
Then rm /Library/CrashPlan/.proserver_identity
Start the service and profit!


Abandoning the Mac

Posted: February 2nd, 2014 | Author: | Filed under: Blog, Mac OS X | No Comments »

I still remember the day I bought my first Mac, it was the Macintosh IIFX. It had a 68030 processor with 24MB of memory and a 100MB SCSI hard drive. If you know anything about 68k machines, you should know this is the Spruce Goose of hardware. The machine originally had a price tag of $11,000 but I got mine for $30. P.C. Place in Surrey BC was having a sidewalk sale in the late 90’s and they were stacked on a skid about 6 units high. As urgently as a girl getting her first period, I rushed home completely beside myself with anticipation. Mac, check… ADB keyboard, check…. ADB mouse, check… Mac compatible monitor adapter, uh… uhhhh… what the heck is this video port? This isn’t VGA.

One angry bike ride later I had my Mac compatible VGA adapter, you remember them: the one with the dip switches and the two parrots on it. I plugged it in, turned it on, and was greeted by what I now call the Sound of Failure. After about a day on this machine, I got TCP/IP up and running on a hacked version of System 7.5.5 that I got off a buddy’s Hotline server. Yeah, that’s right, Hotline. Deal with it. The only other computer I had was a Windows 95 box that I used to download Apple floppy images. Hey, who remembers booting off floppy? Oh hey Andrew!

Those were the glory days, when getting a Mac was a special privilege. Ownership instantly baptized you into this world of insanity where people congregated just to boast about the superiority of their chosen platform. It meant you were a bit of a hacker, trying to squeeze as much as you could out of an old machine, mostly due to the superior case design, upgradability, and stability of OS 7-9. RIP. G3 upgrade for my 6400/180 603e? Yes please!

Today things are different. Apple has abandoned their professional customers, reduced the value of their product to commodity status, and all but destroyed the sub-culture that existed. Most MUGs are dead, with members taking to a recollection of better days more often than they experience new ones. Those die-hard faithfuls struggled for Apple when they were dying; we celebrated them when they arose from the ashes; we promoted them and helped them achieve a relevant market footprint by proselytizing their almost evangelical status. However, in the end Apple abandoned us; they give us shittier tools with every revision, mediocre hardware often built on last year’s advances, and $29.99 server software that is promoted by a K-Mart style blue light.

The revolution is over. Communism won, and we cheered for it.


Mavericks 10.9 Mail.app solution for Gmail Accounts

Posted: December 28th, 2013 | Author: | Filed under: Mac OS X, Mail | Tags: , , , , | 1 Comment »

It’s not you, Mail.app, it’s me. I swear. You’re great, you’ve been great, you always will be… great. But I’ve grown; I need a mail client that can sort mail and sync the changes accurately, I need a client that doesn’t try to give my email a face lift. I didn’t need you to be pretty, I didn’t need you to impress my friends, I just wanted you to work with me, for me, usefully. But now we’ve, alas, grown apart, drifting silently away from each other like two rafts in different currents on the ocean. Perhaps we’ll meet again, perhaps not; regardless, I just want you to know that I’m happy and I’ve found a client that works for me.

Mail.app has been dumped from my computer; it is simply too unreliable to work with my daily bread-and-butter email. I find it slow, clunky, and unreliable. It fails at any sort of message management on a Gmail account, as well as at quickly finding contacts from my address book. I’ve moved on to Mozilla Thunderbird; it’s way, way faster, easily rivals Apple’s Mail.app program and is leaps and bounds ahead of the pack for functionality. All the clients listed here were tried, and all either didn’t hit the mark or failed.

http://www.macworld.com/article/2058525/ditch-maverickss-mail-other-email-apps-you-can-try.html


Authenticate APC Smart-UPS against RADIUS on Mac OS X Server 10.8 Mountain Lion

Posted: April 1st, 2013 | Author: | Filed under: Mac OS X, Mac OS X Server, RADIUS, UPS | No Comments »

This is a follow-up to my previous post on Cisco AAA VPN and RADIUS on Mac OS X Server 10.8 – Mountain Lion.

To get the APC talking with our OS X box we need to first allow the APC to communicate with RADIUS over IP. On your Mac OS X server with RADIUS run the following command.

radiusconfig -addclient <APC-IP> <short-name> other

You’ll be asked to input a shared key; you’ll need this later on. You can man this command to get more details.

Then add the following APC attributes and values to the RADIUS dictionary /etc/raddb/dictionary

VENDOR APC 318

BEGIN-VENDOR APC

ATTRIBUTE APC-Service-Type 1 integer
ATTRIBUTE APC-Outlets 2 string
ATTRIBUTE APC-Perms 3 string
ATTRIBUTE APC-Username 4 string
ATTRIBUTE APC-Contact 5 string
ATTRIBUTE APC-ACCPX-Doors 6 string
ATTRIBUTE APC-ACCPX-Status 7 string
ATTRIBUTE APC-ACCPX-Access1 8 string
ATTRIBUTE APC-ACCPX-Access2 9 string
ATTRIBUTE APC-ACCPX-Access3 10 string
ATTRIBUTE APC-ACCPX-Access4 11 string
ATTRIBUTE APC-ACCPX-Access5 12 string
ATTRIBUTE APC-ACCPX-Access6 13 string
ATTRIBUTE APC-ACCPX-Access7 14 string

VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
VALUE APC-Service-Type Outlet 4
VALUE APC-Service-Type Card 5

END-VENDOR APC

By default, RADIUS will authenticate APC users as ReadOnly; however, I want a particular user to have administrative access. To do this we’ll need to configure RADIUS to send the Admin value of APC-Service-Type back to the APC for the user we specify. If our RADIUS server is running on an OD master or replica, we do the following:

/etc/raddb/users

<username> Auth-Type = opendirectory
    APC-Service-Type = Admin

Please note that the APC-Service-Type line must be indented with a tab.

If the RADIUS server is running on an OD client then:

/etc/raddb/users

<username> Auth-Type = System
    APC-Service-Type = Admin

Now edit /etc/raddb/sites-enabled/default and, around line 309 in the authenticate stanza, change the line marked unix to:

#unix
Auth-Type unix {
opendirectory
}

Now restart the RADIUS daemon and log in to your APC; under Security, Remote Users, RADIUS you’ll find the place to enter your OS X Server IP and the key we made earlier, and to test the authentication. Make sure this passes before proceeding and that the user you configured earlier authenticates as Administrator.

If you get to this point and the APC is saying it cannot contact RADIUS, make sure the RADIUS daemon isn’t crashing on your server. Check tail -f /var/log/radius/radius.log to see what’s going on.

The final step is to click on Authenticate in the APC UI and set it to RADIUS, then Local Authentication.
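To see what the users-file entry above turns into on the wire, here is an added example (my own code, not from the post or from FreeRADIUS): it reads an excerpt of the dictionary we added, encodes the reply item APC-Service-Type = Admin as the Vendor-Specific attribute the server sends back to the APC (RFC 2865 section 5.26 layout, APC vendor number 318), and decodes it again.

```python
import struct

# Excerpt of the dictionary added to /etc/raddb/dictionary above.
DICTIONARY = """\
VENDOR APC 318
BEGIN-VENDOR APC
ATTRIBUTE APC-Service-Type 1 integer
ATTRIBUTE APC-Outlets 2 string
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
END-VENDOR APC
"""
VENDOR_SPECIFIC = 26          # RFC 2865 attribute type that carries vendor attributes


def parse_dictionary(text):
    """Read VENDOR / ATTRIBUTE / VALUE lines in FreeRADIUS dictionary syntax."""
    vendors, attrs, values, vendor = {}, {}, {}, None
    for raw in text.splitlines():
        p = raw.split()
        if not p or p[0].startswith("#"):
            continue
        if p[0] == "VENDOR":
            vendors[p[1]] = int(p[2])
        elif p[0] == "BEGIN-VENDOR":
            vendor = p[1]
        elif p[0] == "END-VENDOR":
            vendor = None
        elif p[0] == "ATTRIBUTE":        # name -> (vendor, vendor-type, data type)
            attrs[p[1]] = (vendor, int(p[2]), p[3])
        elif p[0] == "VALUE":            # attribute -> {symbolic name: integer}
            values.setdefault(p[1], {})[p[2]] = int(p[3])
    return vendors, attrs, values


def encode_vsa(name, value, dictionary):
    """Build the Vendor-Specific attribute for a reply item such as
    `APC-Service-Type = Admin`: type 26, length, vendor id, then the
    vendor's own type/length/value triple."""
    vendors, attrs, values = dictionary
    vendor, vtype, kind = attrs[name]
    if kind == "integer":
        payload = struct.pack(">I", int(values.get(name, {}).get(value, value)))
    elif kind == "string":
        payload = value.encode()
    else:
        raise ValueError(f"unsupported type {kind}")
    inner = struct.pack(">BB", vtype, 2 + len(payload)) + payload
    body = struct.pack(">I", vendors[vendor]) + inner
    return struct.pack(">BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(blob, dictionary):
    """Inverse of encode_vsa: return (attribute name, symbolic or raw value)."""
    vendors, attrs, values = dictionary
    if blob[0] != VENDOR_SPECIFIC or blob[1] != len(blob):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack(">I", blob[2:6])[0]
    vtype, vlen = blob[6], blob[7]
    payload = blob[8:6 + vlen]
    vendor = next(n for n, i in vendors.items() if i == vendor_id)
    name = next(a for a, (v, t, _) in attrs.items() if v == vendor and t == vtype)
    if attrs[name][2] == "integer":
        num = struct.unpack(">I", payload)[0]
        by_number = {v: k for k, v in values.get(name, {}).items()}
        return name, by_number.get(num, num)
    return name, payload.decode()


if __name__ == "__main__":
    d = parse_dictionary(DICTIONARY)
    wire = encode_vsa("APC-Service-Type", "Admin", d)
    print(wire.hex(), decode_vsa(wire, d))
```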


Cisco AAA VPN and RADIUS on Mac OS X Server 10.8 – Mountain Lion

Posted: March 27th, 2013 | Author: | Filed under: Mac OS X, Mac OS X Server, Open Directory, RADIUS, VPN | 3 Comments »


So you’re using Mountain Lion Server for Open Directory. Good for you! But beware of your users, they have requested VPN access to the network and like any good sysadmin you think, “Jesus H Christ, here’s yet another credential combo for the user to forget, for the user to call me at 10pm Friday night asking: ummmmmm, what’s my password?” FOR WHAT?!?! Jeezus Christ why don’t they ever tell us which password they forgot? Anywho, I digressed. Well with the power of RADIUS on your trusty Mac OS X Server you can now defer the authentication of your Cisco VPN gateway to your directory system. Let’s set up RADIUS on Mac OS X Server.

Prep the directory

Either make your Mac an OD Master or bind it to a directory; I think this is a given but, just saying. Then, whatever directory system you’re using, you must create a group called “VPN Access” or something to that effect, and subscribe the users and/or groups you want to have access to VPN. I don’t care if this is in Active Directory or Workgroup Manager or Server.app.

Build the RADIUS service

ARD into your Mac OS X server. In Server.app navigate to your hardware and then Settings. Note which SSL certificate your server is currently using and then find that certificate in Keychain Access. Right below it will be the key; right-click on the key and choose Export. The destination will be /Users/Shared/cert.p12 and the password can be blank.

Open Workgroup Manager and edit the local directory, authenticating yourself so you have read/write privileges. From the View menu enable Show System Records, then click on the Groups tab and sort by GID. Scroll down to the 200’s and look for records like “com.apple.ard_access” and “com.apple.afp_access”; find the last of these groups and note its GID. Now create a new group: the long name is blank, the short name is “com.apple.access_radius” and the GID is one more than the last GID you noted earlier (GID 2xx). Save changes.

Once created, click on the Members tab and then the “+” symbol. A side pane will appear; in this pane you can choose any directory system the OS X box is bound to, Active or Open. Cool, hey? Add the “VPN Access” group. Save the changes.

Open a terminal and “sudo -s” up. As the root user paste in the following:
radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass no
radiusconfig -autorotatelog on -n 15

Now, run these one at a time, when prompted for password, enter the password that you set when you exported the cert from Keychain, I told you to put no password but God knows that sysadmins rarely do what they’re told. 😉

paste one at a time:
WATCH THE LINE WRAP!

openssl pkcs12 -in /Users/Shared/cert.p12 -out /etc/raddb/certs/radius.key -nodes -nocerts
openssl pkcs12 -in /Users/Shared/cert.p12 -out /etc/raddb/certs/radius.crt -nodes -nokeys
radiusconfig -installcerts /etc/raddb/certs/radius.key /etc/raddb/certs/radius.crt

Finally, for the server, let’s grant access to our Cisco box; IP is obviously the IP of the box and short-name is just a nickname for the system.
radiusconfig -addclient <IP> <short-name> other

You should be prompted to enter a key; please remember this key, let’s call it: theKey.

Finally, run radiusd in debug mode with radiusd -X. Leave the terminal open; do not close it. It will help us deduce answers should problems arise. If all goes well you should get something like:

Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.

Connect your Cisco VPN gateway

conf t
radius-server host <enter IP||FQDN> auth-port 1812 acct-port 1813
radius-server key <enter theKey>
aaa new-model
aaa authentication login vpn group radius local
aaa authorization network vpn local

You’ll need to connect this AAA stanza to your crypto map; my crypto map is called VPN. This is how I did it; note that the list name vpn on these lines matches the aaa authentication and aaa authorization lines above.

crypto map VPN client authentication list vpn
crypto map VPN isakmp authorization list vpn

This will allow AAA to check the RADIUS server, but fall back to local auth if RADIUS does not respond. Because of that fallback, a port mismatch fails quietly: the radius-server line above names auth-port 1812 and acct-port 1813, while the radiusd -X output earlier reported listening on 1645 and 1646, so make sure the ports on the router match what radiusd actually reports, or requests will never reach RADIUS and AAA will just fall back to local auth.

Finally, we’re going to test all of this using the test command. So get out of conf t by typing exit and try the following:

test aaa group radius <username> <password> legacy

If it returns “User was successfully authenticated.” you’re in business. Also, watch the terminal where radiusd -X is running; you’ll see some interesting output.
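To show what that test command actually puts on the wire, here is an added example (my own code, not from the post, Cisco or FreeRADIUS) that models a PAP Access-Request from the router and the Access-Accept or Access-Reject from the server; the users table stands in for Open Directory, and the shared secret is the theKey value from above. It makes clear why the key matters: it hides the password in transit and authenticates the server’s answer, so a router with the wrong key rejects every reply.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2                  # RFC 2865 attribute types

def attribute(kind, value):
    return struct.pack(">BB", kind, 2 + len(value)) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    plain = password.encode()
    plain = plain.ljust(max(16, (len(plain) + 15) // 16 * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode(errors="replace")

def access_request(username, password, secret, ident=1, req_auth=None):
    """What the router sends for `test aaa group radius <user> <pass> legacy`."""
    req_auth = os.urandom(16) if req_auth is None else req_auth
    body = (attribute(USER_NAME, username.encode())
            + attribute(USER_PASSWORD, hide_password(password, secret, req_auth)))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def parse_attributes(body):
    attrs = {}
    while body:
        kind, length = body[0], body[1]
        attrs[kind] = body[2:length]
        body = body[length:]
    return attrs

def server_respond(request, secret, users):
    """Toy server: recover the password, check it against `users` (standing in
    for the directory) and reply with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack(">BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs[USER_NAME].decode()
    given = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user].encode(), given.encode())
    header = struct.pack(">BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify(request, response, secret):
    """The router trusts a reply only if the ID matches and the Response
    Authenticator was computed with the same shared secret."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```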

Clean Up

Run wr mem on your router and exit the session. Cancel the radiusd -X process we started and start the service properly with serveradmin start radius. Delete /Users/Shared/cert.p12 now that the key has been installed; it holds your server’s unencrypted private key in a folder every local user can read. Immediately test the connection from the outside to ensure it’s stable.

Check out my next post: Authenticate APC UPS against RADIUS on Mac OS X Server 10.8 Mountain Lion


Apple Certified Technical Coordinator (ACTC) OS X Server Essentials 10.8 Test Review

Posted: March 25th, 2013 | Author: | Filed under: Blog, Mac OS X, Mac OS X Server | No Comments »

I recently submitted an application with Apple to join the Apple Consultants Network. In doing so I knew I had to pass the ACTC certification tests within 45 days of joining. Unfortunately I could not find a testing center in Vancouver so I took the test down in Seattle at Crywolf Training. Gordon Davisson was the proctor and did an amazing job; I showed up 30 mins early and was greeted with donuts and a free review of ML201. Gordon took us through all the services associated with 10.8 server and gave a couple of great tips. (DORA FTW)

The test comprised 80 multiple-choice questions; with two hours on the clock and two crullers in my gut, I began. The first thing I noticed was that a lot of the questions would ask “Which is the best sentence to describe blah” and give two correct sentences out of four. This left the test-taker to choose the one answer they thought was the most applicable; the one that stuck out in my mind most was for the wiki service. Questions with only one possible answer were marked with radio buttons while multi-answer questions had checkboxes. The questions also told the test-taker how many answers were needed: pick 2, pick 3. The questions themselves were quite simple, with the exception of an SSL question and two permissions questions where I had to think, OK, do I answer it correctly or the way I think Apple wants me to answer it? To prepare, I used the Amsys Revise IT app to test myself before going in as well as the OS X Server Essentials book by PeachPit.

Do the tests, take screen shots of the questions you’re puzzled by and research those in the PeachPit book, if you do this you’ll be fine.


Zentyal 3.0, Mountain Lion, Kerberos and SSO

Posted: March 2nd, 2013 | Author: | Filed under: Blog, Kerberos, Mac OS X, Mountain Lion, Open Directory, Zentyal | Tags: , , , , , , | No Comments »
Now with Zentyal, you can kerberize your shoes.

This article is a continuation of a really great read by shabangs.net. His article is great for binding your Macintosh to a Zentyal directory server; however, after completing the how-to I was unable to change a network user’s password, store a local copy of the network user’s password for “mobility”, or leverage some great single sign-on services from Zentyal.

What we will attempt is to configure /etc/krb5.conf for Mac OS X 10.8, Mountain Lion, so that we receive a TGT from Zentyal when the user either logs in or wakes the computer from sleep.

First you need to get the Kerberos realm. To do this, sign in to Zentyal and go to Users and Groups. In here you’re looking for the LDAP search base; this base will also be your Kerberos realm.

Now we want to search and replace EXAMPLE.COM with that realm, and replace your.server.example.com with the FQDN of your Zentyal server. Only set the dns_lookup_* values to true if you’re using the Zentyal server for DNS.

All edits are client side ONLY
If /etc/krb5.conf does not exist then just create it.

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
preferred_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc

[realms]
EXAMPLE.COM = {
admin_server = your.server.example.com
kdc = your.server.example.com
kpasswd = your.server.example.com
}

[kadmin]
default_keys = des-cbc-crc:pw-salt des-cbc-md5:pw-salt arcfour-hmac-md5:pw-salt aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt

In order to obtain a Ticket Granting Ticket (TGT) when logging in via the login window, edit /etc/pam.d/authorization and append the default_principal option to the pam_krb5.so line.


auth optional pam_krb5.so use_first_pass use_kcminit default_principal

In order to obtain a Ticket Granting Ticket (TGT) when authenticating to the Screen Saver, edit /etc/pam.d/screensaver and append the default_principal option to the pam_krb5.so line.


auth optional pam_krb5.so use_first_pass use_kcminit default_principal

Now sign out and back in as a network user, open a terminal and type klist. You should get something like:


lisa:~ test$ klist
Credentials cache: API:51104:6
Principal: test@EXAMPLE.COM

Issued Expires Principal
Mar 2 09:28:04 Mar 2 19:28:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM

If so, great! This means Kerberos is working; now try to change the user’s Open Directory password. It should succeed as well. If not, make sure you have the Console open to see what’s going on. 99% of the time it’s a DNS issue or the clock on your workstation is out of sync with Zentyal.

Now try to mount an SMB volume from the Zentyal server; it *should* mount without credentials and a new ticket will appear in the output of klist:


Issued Expires Principal
Mar 2 09:34:52 Mar 2 19:34:48 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 2 09:34:56 Mar 2 19:34:48 cifs/your.server.example.com@EXAMPLE.COM
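Most of the “99% DNS or clock” failures above start with a krb5.conf that does not say what you think it says. As an added checker (my own code, not from the post or from Zentyal), this parses a krb5.conf like the one above and reports what a practitioner would want flagged: a missing realm stanza, misspelled enctype names (the constructed sample deliberately contains dec-cbc-crc), and the DES and RC4 enctypes this configuration enables. Whether the Zentyal KDC will issue tickets with an AES-only list is something to verify on the server before tightening it.

```python
import re

# Constructed sample: the [libdefaults] and [realms] stanzas from the post,
# with one enctype deliberately misspelled to show the check.
SAMPLE = """\
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc

[realms]
EXAMPLE.COM = {
admin_server = your.server.example.com
kdc = your.server.example.com
}
"""

KNOWN_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac-md5",
                  "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
WEAK_PREFIXES = ("des-", "arcfour")                # single DES and RC4 families
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes")


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] -> dict; `name = {` opens a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif not stack:
            continue                                  # text before any section
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def check_krb5(conf):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is not set")
    elif realm != realm.upper():
        findings.append(f"default_realm {realm} is not upper-case (realm names are case-sensitive)")
    stanza = conf.get("realms", {}).get(realm)
    if realm and stanza is None and lib.get("dns_lookup_kdc") != "true":
        findings.append(f"realms: no stanza for {realm} and dns_lookup_kdc is off")
    elif stanza is not None and "kdc" not in stanza:
        findings.append(f"realms: {realm} has no kdc entry")
    for key in ENCTYPE_KEYS:
        listed = lib.get(key, "").split()
        for enctype in listed:
            if enctype not in KNOWN_ENCTYPES:
                findings.append(f"{key}: unrecognized enctype {enctype}")
            elif enctype.startswith(WEAK_PREFIXES):
                findings.append(f"{key}: weak enctype {enctype}")
        if listed and not any(e.startswith("aes") for e in listed):
            findings.append(f"{key}: no AES enctype listed")
    return findings


if __name__ == "__main__":
    # On a client: check_krb5(parse_krb5_conf(open("/etc/krb5.conf").read()))
    for finding in check_krb5(parse_krb5_conf(SAMPLE)):
        print(finding)
```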