OS X Server going to give me my first ulcer




foidulus
Jan 27, 2008, 02:55 PM
Anyone else as frustrated as I am with the bugfest that is the OS X Server?

My bosses(against my wishes) decided that we were going to use macs for our LDAP implementation instead of Linux boxes. It has been nothing but trouble from the get-go.

The most disappointing aspect is that if it actually worked, it would be a very innovative and great way to do server admin, but the problem is the thing just plain doesn't work. Its constantly beset by problems, and if the GUI even reports an error(which it often won't, it will just go along and say nothing when there are issues) its often an obscure error code that Apple's site doesn't even say much about. I have to give a big presentation on Friday and I am running into every conceivable error, often the best way to fix is just to re-install. I feel like I'm working with a Microsoft product, not the well polished and functional product that I am accustomed to Apple delivering.

They have had known bugs for YEARS in Tiger and still haven't(and probably never will) fix them! Major things like time zones resetting which can cause significant havoc on production systems they don't seem to think is a big deal. I have never had a Linux box randomly reset the time zone back to Cupertino......

Anyone else have nightmarish experiences with Apple's server products?

I am a young software engineer, and as much as I love Apple I can never, EVER recommend that anyone I work for use Apple server products. Apple has clearly shown that they just don't care about it. Linux for the win!




twoodcc
Jan 27, 2008, 03:01 PM
i personally have tried to setup an OS X Server several times, and with almost no success. even messed up my client machines trying to connect to the server!

but i'm still hoping to one day figure it out

fall3n
Feb 4, 2008, 01:24 AM
I have a couple running just fine. What services exactly are you trying to set up? For most issues, refer to the logs provided by the service; they do help immensely.

miniConvert
Feb 4, 2008, 02:58 AM
I run OS X Server (Tiger). It took me a couple of reinstalls, I kept breaking it, and damn it doesn't like having its IP address changed.

However, if you 'think different' and follow Apple's documentation it all 'just works' and after that management is a breeze. http://www.apple.com/server/documentation/

Zjef
Feb 4, 2008, 05:45 AM
Personally, I think OS X server is the least 'Mac' product I have ever used.

The issues I came across setting up OD were tremendous. Despite the fact that I spent hours studying the support documents and discussion forums on the Apple site, there was always 1 more thing (issue) around the corner.

At first DNS wasn't working -> solved that one
Then Kerberos wasn't working -> solved that one
Couldn't create network home folders -> solved that one
...
At the current moment, when a client logs in, the home folder isn't accessible when logging in from a different (client) computer. It is accessible and usable when connecting manually.

Also, the interface is not up to Apple's standards.
For instance when the SMB or any other protocol isn't activated, you still are able to set some settings in the Open Directory pane regarding these protocols. There are at least a dozen other GUI inconsistencies.

As much as I like working with most of Apple's products, this one is a disappointment.

Cromulent
Feb 4, 2008, 07:36 AM
Despite OS X Server having nice GUIs for a lot of things, it still requires a lot of command line administration. I believe it is a well known fact that the GUI has problems. A little foray into Terminal with vi and you should be able to sort out most of your problems.

Zjef
Feb 4, 2008, 07:54 AM
Ok, I can agree that using the command line is the way to go (a bridge too far for me).

But isn't the point of Apple's advertising that the solution they have come up with is so rock solid that you don't need to use the command line at all? And to elaborate, they even promote the standard and workgroup setup, which is even worse than the advanced one.

Anyway, anyone who would like to help me out, I'm willing to document everything I have so far in detail. Just give me a sign.

miniConvert
Feb 4, 2008, 08:33 AM
I use it for OD/LDAP, too.

I never actually sorted out the DNS stuff, as thankfully it's all working fine regardless (despite some errors in the logs about it). Your home folder issue sounds interesting! I wouldn't really know where to start, most of my initial issues happened due to my IP changing as we moved between several ISPs.

It's working really well now, though!

budward
Feb 4, 2008, 08:42 AM
I feel like I'm working with a Microsoft product

No kidding. I have had this same feeling. OSX Server (Leopard) is not production ready. Stick with Linux or FreeBSD.

I don't have the time to tell you all the issues we have had with OSX Server Tiger/Leopard.

Problems right now..

Major:
Date/Time Bug, 1 minute = 55 seconds (is accumulative)
Server Admin is not usable, start it and painfully slow.

I prefer never to use anything apple makes in the server environment, just not worth it since they can care less about their business class customers.

blinkylight
Feb 4, 2008, 10:56 AM
I use it for OD/LDAP, too.

I never actually sorted out the DNS stuff, as thankfully it's all working fine regardless (despite some errors in the logs about it). Your home folder issue sounds interesting! I wouldn't really know where to start, most of my initial issues happened due to my IP changing as we moved between several ISPs.

It's working really well now, though!

If you don't sort out the DNS stuff, there are many things that just won't work when you want them to. You should try to get the forward & reverse DNS working, then also you can turn on Open Directory and your Kerberos won't report that it's not working.

Unfortunately, in 10.4 it's a major pain to get the name services working right unless you like the command line and reading error logs. 10.5 does try to make this more straightforward with some reasonable feedback though.

0racle
Feb 4, 2008, 11:34 AM
Major:
Date/Time Bug, 1 minute = 55 seconds (is accumulative)
NTP. Really, servers and clients should not be left to manage time on their own.

I've never had a problem with Server Admin, so I can't even suggest anything.

foidulus
Feb 4, 2008, 11:40 AM
Despite OS X Server having nice GUIs for a lot of things, it still requires a lot of command line administration. I believe it is a well known fact that the GUI has problems. A little foray into Terminal with vi and you should be able to sort out most of your problems.

The biggest problem with the GUI imo is that it doesn't usually tell you when it fails to do something, or if it does, the error is relatively meaningless. I think that poor error messages are a huge problem across the industry, but Apple's server takes the cake. You can be setting one up, thinking everything is fine because the GUI tells you everything is fine, then when you try to actually do something it fails and you have to backtrack over everything you did to try to find what went wrong. And it seems at least in my experience, if you mess up step 2, then go to step 12, you have to start all over again.

I have nothing against the command line, in fact I like it better, but echoing another persons sentiment: why would I use OS X Server if I am going to do everything on the command line anyway? I can do that in Linux, and frankly the support environment, both free and commercial is much better with Linux than OS X.

If the GUI actually worked, it would be a revolutionary step in server management. Theoretically its the perfect system, you can take out of the box and be running a fully kerberized and encrypted Open Directory system in a few hours tops, but the thing just doesn't work and becomes an exercise in frustration.

Evangelion
Feb 4, 2008, 01:45 PM
NTP. Really, servers and clients should not be left to manage time on their own.

One could say that NTP merely fixes the symptom (wrong time), not the cause. While NTP is a Good Thing, the server should IMO be able to manage the time on their own. What if you want to use the server as a master NTP-server?

Eidorian
Feb 4, 2008, 01:46 PM
One could say that NTP merely fixes the symptom (wrong time), not the cause. While NTP is a Good Thing, the server should IMO be able to manage the time on their own. What if you want to use the server as a master NTP-server?

I believe our time server gets its date/time from other time servers. :rolleyes:

timehost.math.purdue.edu

0racle
Feb 4, 2008, 02:51 PM
One could say that NTP merely fixes the symptom (wrong time), not the cause. While NTP is a Good Thing, the server should IMO be able to manage the time on their own. What if you want to use the server as a master NTP-server?
Because of the way the real world unfortunately works, no 2 servers will ever have the same time left on their own. This makes things like coordinating log file events and Kerberos either difficult or outright fail if the difference becomes too large.

An NTP client can also be an NTP server; this is how NTP works.

I believe our time server gets its date/time from other time servers. :rolleyes:

timehost.math.purdue.edu

Exactly.

We have an Active Directory domain here, as well as Linux servers, an OS X Server and OS X Clients. Since the Domain Controller is going to be the master time source for all the Windows machines, we use it as the time source for everything. To keep its time correct, it syncs up to a stratum 2 NTP time server.

ChrisA
Feb 4, 2008, 02:56 PM
...What if you want to use the server as a master NTP-server?

The purpose of NTP is to keep time synchronized between two systems. NTP servers know nothing about the real "true" time. They only know how to sync to something else. Not even the level zero servers know. So if you did want to set up a master server (I assume you meant "level zero server") you would still need a source of time. Most people today use a GPS receiver for that purpose.

ChrisA
Feb 4, 2008, 03:00 PM
My bosses(against my wishes) decided that we were going to use macs for our LDAP implementation instead of Linux boxes. It has been nothing but trouble from the get-go.

Can't you just download the OpenLDAP sources and pretend you are using Linux?
This way both you and your boss are happy. You get to use the same software as you would have under Linux, and it's running on a Mac.

xparaparafreakx
Feb 4, 2008, 03:20 PM
Been using OS X Server with LDAP and OD. Took me a while to learn it but being young, I follow the manual ideal situation for K-12 and it worked.

Skaffen
Feb 4, 2008, 03:30 PM
Major:
Date/Time Bug, 1 minute = 55 seconds (is accumulative)
Server Admin is not usable, start it and painfully slow.


That Date/Time issue affects a very limited number of Macs (the new Penryn Macs) and there is a (relatively) trivial workaround for that problem until 10.5.2 comes out - use NTP. Not had a problem with Server Admin under 10.5 and 10.5.1 so can't comment on that really.

Skaffen
Feb 4, 2008, 03:36 PM
The biggest problem with the GUI imo is that it doesn't usually tell you when it fails to do something, or if it does, the error is relatively meaningless.

What particularly meaningless error messages are you getting? Most are either listed online or in the appropriate documentation/man pages. DirectoryService has a lot of fairly scary looking error codes, but a man DirectoryService will give you a lot of info about them.


If the GUI actually worked, it would be a revolutionary step in server management. Theoretically its the perfect system, you can take out of the box and be running a fully kerberized and encrypted Open Directory system in a few hours tops, but the thing just doesn't work and becomes an exercise in frustration.

I've set up an awful lot of servers and so far this year 8 or so Leopard servers. There are a few bugs with Leopard server at the moment, but they actually mostly seem fairly minor (there's an irritating SMB ACL issue) and there are fixes due. Open Directory has always been absolutely rock solid for me as long as you follow Apple's guidelines closely. You need forward and reverse DNS names before you touch OD, and you need to make sure that hostname in the Terminal is matching your DNS entries. Any IP or hostname changes are better changed using changeip etc. There's quite a few requirements but as long as you follow through the steps carefully then OD will pop up with Kerberos running away nicely in under 10 minutes.
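The pre-Open-Directory DNS check that Skaffen and blinkylight describe (forward name resolves to the server's address, that address resolves back to the same name, and the name is fully qualified) can be scripted. The following is an added example written for this thread, not code from Apple or from any poster; the `system_forward`/`system_reverse` helpers use the real resolver, while the zone tables and the `example.com` names are constructed so the demo runs offline.

```python
"""Forward/reverse DNS consistency check before enabling Open Directory.

Added example, not code from the thread or from Apple. It models the check
the posters describe: the server's fully qualified hostname must resolve to
the address it is configured with, and that address must resolve back (PTR)
to the same name. Zone data below is constructed for the offline demo; the
system_* helpers use the real resolver.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class DnsCheck:
    hostname: str
    forward_ip: Optional[str] = None
    reverse_name: Optional[str] = None
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _norm(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()


def check_dns_consistency(
    hostname: str,
    expected_ip: str,
    forward_lookup: Callable[[str], str],
    reverse_lookup: Callable[[str], str],
) -> DnsCheck:
    """Both lookups return a string or raise OSError (socket errors subclass it)."""
    result = DnsCheck(hostname=hostname)
    if "." not in hostname.strip("."):
        result.problems.append(f"'{hostname}' is not a fully qualified name")
    try:
        result.forward_ip = forward_lookup(hostname)
    except OSError as exc:
        result.problems.append(f"no forward (A) record for {hostname}: {exc}")
        return result
    if result.forward_ip != expected_ip:
        result.problems.append(
            f"{hostname} resolves to {result.forward_ip}, "
            f"but the server is configured as {expected_ip}"
        )
    try:
        result.reverse_name = reverse_lookup(result.forward_ip)
    except OSError as exc:
        result.problems.append(f"no reverse (PTR) record for {result.forward_ip}: {exc}")
        return result
    if _norm(result.reverse_name) != _norm(hostname):
        result.problems.append(
            f"PTR for {result.forward_ip} is {result.reverse_name}, not {hostname}"
        )
    return result


def system_forward(name: str) -> str:
    """Real resolver: A/AAAA lookup via the system resolver."""
    return socket.gethostbyname(name)


def system_reverse(ip: str) -> str:
    """Real resolver: PTR lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def resolver_from(zone: dict):
    """Build lookup functions from a constructed {'forward': {...}, 'reverse': {...}} table."""
    def fwd(name: str) -> str:
        try:
            return zone["forward"][_norm(name)]
        except KeyError:
            raise socket.gaierror(f"NXDOMAIN {name}")

    def rev(ip: str) -> str:
        try:
            return zone["reverse"][ip]
        except KeyError:
            raise socket.herror(f"no PTR for {ip}")

    return fwd, rev


# Constructed zone data (RFC 5737 documentation addresses), not real hosts.
GOOD_ZONE = {"forward": {"od.example.com": "192.0.2.10"},
             "reverse": {"192.0.2.10": "od.example.com."}}
PTR_MISMATCH_ZONE = {"forward": {"od.example.com": "192.0.2.10"},
                     "reverse": {"192.0.2.10": "mail.example.com"}}
NO_PTR_ZONE = {"forward": {"od.example.com": "192.0.2.10"}, "reverse": {}}


def demo() -> dict:
    """Run the check against the three constructed zones."""
    out = {}
    for label, zone in [("good", GOOD_ZONE),
                        ("ptr_mismatch", PTR_MISMATCH_ZONE),
                        ("no_ptr", NO_PTR_ZONE)]:
        fwd, rev = resolver_from(zone)
        out[label] = check_dns_consistency("od.example.com", "192.0.2.10", fwd, rev)
    return out


if __name__ == "__main__":
    for label, res in demo().items():
        print(label, "OK" if res.ok else res.problems)
```

To run it against a real box, call `check_dns_consistency(fqdn, ip, system_forward, system_reverse)` with the output of `hostname` and the configured address; a non-empty `problems` list is the thing to fix before turning on Open Directory.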

Evangelion
Feb 6, 2008, 09:26 AM
I believe our time server gets its date/time from other time servers. :rolleyes:

timehost.math.purdue.edu

What if timehost.math.purdue.edu ran OS X? Could we trust it? THAT is my point! The argument presented here is that "the server can freely think that 1 minute is 55 seconds long, since we use NTP for timekeeping"... Am I the only one who thinks that that is a HUGE problem that is being "fixed" by relying on NTP? It's like "fixing" security-holes in Windows by running antivirus.

This isn't rocket-science people. A server should be able to keep track of time on its own. Yes, it makes sense to use NTP when needed, but it still doesn't mean that the server itself should think that 1 minute consists of 55 seconds.

Eidorian
Feb 6, 2008, 10:05 AM
What if timehost.math.purdue.edu ran OS X? Could we trust it? THAT is my point! The argument presented here is that "the server can freely think that 1 minute is 55 seconds long, since we use NTP for timekeeping"... Am I the only one who thinks that that is a HUGE problem that is being "fixed" by relying on NTP? It's like "fixing" security-holes in Windows by running antivirus.

This isn't rocket-science people. A server should be able to keep track of time on its own. Yes, it makes sense to use NTP when needed, but it still doesn't mean that the server itself should think that 1 minute consists of 55 seconds.

All hardware clocks are going to have some drift from the "true" time. Barring some bizarre lack of connectivity you're going to get permission to use higher level NTP servers to get the time from them. Your server is going to calculate the time at your location using the time it obtained and factoring in network latencies. After that your clients would use NTP to get their time from your server.

http://en.wikipedia.org/wiki/Network_Time_Protocol#Clock_strata

It's only for synchronizing your clocks as it is.
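The two points made above, that NTP computes an offset while "factoring in network latencies" (Eidorian) and that Kerberos fails outright once clocks drift too far apart (0racle), can be shown with a few lines. This is an added example written for this thread, not code from any poster or from Apple: the offset/delay formulas are NTP's standard four-timestamp ones (RFC 5905), the 300-second limit is MIT Kerberos' default clockskew, and the per-host offsets and the "55-second minute" drift model are constructed to match the thread's numbers rather than measured.

```python
"""Clock offset from an NTP-style exchange and Kerberos skew budgeting.

Added example, not from the thread. The offset/delay formulas are the
standard four-timestamp ones from NTP (RFC 5905); the 300-second limit is
MIT Kerberos' default clockskew. The host offsets and the 55-second-minute
drift model are constructed to match the thread's numbers, not measured.
"""
from typing import Dict, List, Tuple

KERBEROS_MAX_SKEW = 300.0  # seconds; MIT krb5 default "clockskew"


def ntp_offset_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """t1: client send, t2: server receive, t3: server send, t4: client receive.

    offset is how far the server's clock is ahead of the client's, with the
    network round trip cancelled out; delay is the measured round-trip time.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def within_kerberos_skew(offset: float, max_skew: float = KERBEROS_MAX_SKEW) -> bool:
    """True if a ticket from a host this far off would still be accepted."""
    return abs(offset) <= max_skew


def real_seconds_until_skew(server_minute_real_seconds: float,
                            max_skew: float = KERBEROS_MAX_SKEW) -> float:
    """Constructed drift model: a free-running clock that completes one of its
    'minutes' in the given number of real seconds. Returns how many real seconds
    pass before it is more than max_skew off (inf for a perfect clock)."""
    gain_per_minute = abs(60.0 - server_minute_real_seconds)  # seconds gained per real 'minute'
    if gain_per_minute == 0:
        return float("inf")
    # max_skew / (gain_per_minute / server_minute_real_seconds), kept as one division
    return max_skew * server_minute_real_seconds / gain_per_minute


def hosts_out_of_skew(offsets: Dict[str, float],
                      max_skew: float = KERBEROS_MAX_SKEW) -> List[str]:
    """Names of hosts whose offset from the reference would break Kerberos."""
    return sorted(h for h, o in offsets.items() if not within_kerberos_skew(o, max_skew))


# Constructed sample: offsets (seconds) of each host relative to the domain
# controller, the kind of numbers an admin would collect by querying each box.
SAMPLE_OFFSETS = {
    "dc.example.com": 0.0,
    "linux1.example.com": -0.3,
    "xserve.example.com": 412.5,   # the drifting box from the thread
    "mac1.example.com": 2.1,
}


if __name__ == "__main__":
    # Constructed exchange: server clock 0.100 s ahead, 20 ms each way on the wire.
    off, rtt = ntp_offset_delay(1000.000, 1000.120, 1000.130, 1000.050)
    print(f"offset={off:.3f}s delay={rtt:.3f}s")
    print("out of skew:", hosts_out_of_skew(SAMPLE_OFFSETS))
    print("55 s minute exceeds Kerberos skew after",
          real_seconds_until_skew(55.0) / 60, "real minutes")
```

The drift model is the part worth noticing: a clock that counts a minute in 55 real seconds gains 5 seconds per minute, so even a box that was synced perfectly an hour ago is outside the Kerberos window before the hour is up. That is why the thread's NTP advice works as a stopgap, and also why it is only a stopgap.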

foidulus
Feb 11, 2008, 02:15 PM
What particularly meaningless error messages are you getting? Most are either list online or in the appropriate documentation/man pages. DirectoryService has a lot of fairly scary looking error codes but a man DirectoryService will give you a lot of info about them.



I've set up an awful lot of servers and so far this year 8 or so Leopard servers. There are a few bugs with Leopard server at the moment, but they actually mostly seem fairly minor (there's an irritating SMB ACL issue) and there are fixes due. Open Directory has always been absolutely rock solid for me as long as you follow Apple's guidelines closely. You need forward and reverse DNS names before you touch OD, and you need to make sure that hostname in the Terminal is matching your DNS entries. Any IP or hostname changes are better changed using changeip etc. There's quite a few requirements but as long as you follow through the steps carefully then OD will pop up with Kerberos running away nicely in under 10 minutes.

For one, I am trying to enforce account lockout after 3 failed attempts. I click the button on the passwords policy setting pane in Server Admin, and then click "save", the wheel spins and it saves, and of course unchecks the selection I JUST made without even the slightest hint that something went wrong.....not the behavior I expect from an Apple product.

twoodcc
Feb 11, 2008, 03:08 PM
yeah, i think i've given up again for a little while. i might try to configure the server how i want it later, as in 10.5.2

Eidorian
Feb 11, 2008, 03:39 PM
Going to need to work on my LDAP schema to get web services working...joy.

Les Kern
Feb 11, 2008, 06:38 PM
I have 25 Xserves running 10.4 and 10.5 using LDAP and Open Directory with 2600 clients, and have been running the same thing for over 5 years. I have had almost no issues at all, and none related to the problems encountered here that I've been reading about. One day I wanted to have a separate OD server for a specific group of users, and after the OS was installed, set it up and had the clients connected in less than 15 minutes.
Using Apple servers has been a GODSEND... without the ease of setup and robustness of the system I would have had a heart attack long ago. I can't afford to have any downtime, and a few of these boxes have been running nonstop for years.
Call me lucky? Nah, it's inherent in the system.
Call a third party in to help you.

pezza
Feb 14, 2008, 10:42 AM
I have 25 Xserves running 10.4 and 10.5 using LDAP and Open Directory with 2600 clients, and have been running the same thing for over 5 years. I have had almost no issues at all, and none related to the problems encountered here that I've been reading about. One day I wanted to have a separate OD server for a specific group of users, and after the OS was installed, set it up and had the clients connected in less than 15 minutes.
Using Apple servers has been a GODSEND... without the ease of setup and robustness of the system I would have had a heart attack long ago. I can't afford to have any downtime, and a few of these boxes have been running nonstop for years.
Call me lucky? Nah, it's inherent in the system.
Call a third party in to help you.

Buy that gentleman a beer!

I've been looking after 10 xserves for the last two years across 10 sites connected by a VPN. Reliable servers start with a correct install and setup. Get it right and these boxes are fantastic, get it wrong and you will pay the penalty. DNS DNS DNS, as already has been stated, DNS must be working correctly, for OD/LDAP etc to function as expected.

Software bugs are another issue, and yes, there are some annoying ones introduced with Leopard Server. Let's hope that Apple addresses them, but that is why we run a test server to check for all these issues before we deploy in a production environment.

Xserve and Mac OSX Server are great products in my experience, that are highly under-rated.

Sayer
Feb 15, 2008, 10:58 AM
Apple never claims you don't need to touch the CLI to get OS X server working, they claim that you can do a lot of mundane things like turning services on, setting up user account info, in a nice GUI instead of in a Terminal.

Having studied for the OS X Server Admin test (and thus having all kinds of for-pay documentation) you do need to know a fair bit about Unixy server stuff to use OS X Server as a server (for example Open Directory still requires lots of arcane LDAP configuration parameters to get it to work for clients).

Having set up postfix on a non-OSX Server install, by hand, with numerous incorrect "tutorials" sometimes it is easier to know what you are doing before trying to do it. That way you can just dig in to a config file and read STDERR and see what is happening, and then try and fix it.

And if a server could manage time on its own there would be no need for publicly accessible atomic clock NTP servers. Electronics are not 100% precise, or even precise to 4 decimals when it comes to timing. Correcting for timer drift is expected in our imperfect universe, so use a public atomic clock for a master NTP server, and set clients to use your OS X NTP (or just give in and use public NTP for everything).

Finally the old adage applies: Garbage in, garbage out. If you configure something wrong, even in a GUI, it won't *magically* work for you. There should be a certification just for getting DNS/Bind working properly on your own.

Les Kern
Feb 16, 2008, 05:18 PM
.... for example Open Directory still requires lots of arcane LDAP configuration parameters to get it to work for clients.

You mean that annoying "Start Service" button? Because that's all I do. :)

Finally the old adage applies: Garbage in, garbage out. If you configure something wrong, even in a GUI, it won't *magically* work for you. There should be a certification just for getting DNS/Bind working properly on your own.

Man, you got that right. I was running for years and discovered the DNS was set up slightly wrong. And I'm supposed to know what I'm doing! But on its most basic level, it's pretty easy to set up.