Posts Tagged ‘Snow Leopard Server’

Mac OS X Server 10.6 Open Directory Replica: “Kerberos is: Stopped”

Friday, March 18th, 2011

It is common for the configuration of a Mac OS X Snow Leopard Server 10.6 as an Open Directory Replica of your Open Directory Master to run into problems: very often the Kerberos service is not initialized properly and appears in the Open Directory Overview panel of ‘Server Admin’ as ‘Kerberos is: Stopped’.

Googling about this problem I found that the most common cause is a fault in DNS name resolution, which breaks the configuration of the Kerberos service and prevents the Open Directory Replica server from being recognized and associated with the proper FQDN (Fully Qualified Domain Name).

The fix is not complicated, but it requires us to carefully perform these operations:

  1. First things first, even though it is a recommended option for local domain naming, make sure that your domain name does NOT end in ‘.local’.
    In Mac OS X the ‘.local’ domains are resolved by default by the Bonjour service, with priority over the DNS service.
    I recommend choosing a non-public domain name like ‘.private’, ‘.lcl’, ‘.my’, ‘.office’ and so on.
  2. After that, make sure your DNS is PERFECTLY configured to serve FQDN names (e.g. replica.mynetwork.private.) and that one of these names fully matches the replica’s hostname (except for the trailing ‘.’).
  3. Also check the DHCP service, if it is active, to make sure it delivers the correct search domain and the IP address of a DNS server able to resolve the names of your Open Directory Master and Replica servers.
  4. Adjust the Replica server’s hostname according to the DNS settings. You can modify the hostname of your replica server with the ‘scutil’ command:
    # scutil --set HostName replica.mynetwork.private
  5. Now decommission the replica server to a standalone directory using the Open Directory Assistant to change the server’s role.

Now the most important operations are done.
At this point I recommend rebooting the system and double-checking the DNS and hostname configuration with the following commands:

# hostname

The ‘hostname’ command shows the hostname, which should look like the FQDN configured in the DNS service.

# changeip --checkhostname

The ‘changeip’ command performs a more accurate check on the hostname, using the same system calls used by the other system processes and applications.

# nslookup replica.mynetwork.private

The ‘nslookup’ command checks that the DNS server returns the appropriate IP for the requested domain name.
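The three manual checks above can be scripted. The following is an added example, not part of the original post: it rejects ‘.local’ and non-qualified hostnames and verifies that the forward (A) record of the replica’s name matches its IP and that the reverse (PTR) record points back to the same name, which goes one step beyond the post’s forward-only ‘nslookup’ check. It assumes ‘dig’ is installed; the resolve_a and resolve_ptr helpers are hypothetical wrappers you can replace.

```shell
#!/bin/sh
# Added example: sanity checks for an Open Directory replica's hostname and DNS.
# Assumes 'dig' is available; resolve_a/resolve_ptr are hypothetical wrappers.

# Forward lookup: print the A record(s) of a name, one per line.
resolve_a() { dig +short A "$1" 2>/dev/null; }
# Reverse lookup: print the PTR name(s) for an IP address.
resolve_ptr() { dig +short -x "$1" 2>/dev/null; }

# check_hostname_form NAME -> 0 if NAME is acceptable for a replica, 1 otherwise.
check_hostname_form() {
  name="$1"
  case "$name" in
    *.local|*.local.) echo "'$name' ends in .local: Bonjour resolves it before DNS"; return 1 ;;
    *.*) ;;
    *) echo "'$name' is not fully qualified (no domain part)"; return 1 ;;
  esac
  case "$name" in
    *.) echo "'$name' has a trailing dot; the hostname itself must not end with '.'"; return 1 ;;
  esac
  return 0
}

# check_dns_consistency NAME EXPECTED_IP -> 0 when the A record of NAME is
# EXPECTED_IP and the PTR record of EXPECTED_IP points back to NAME.
check_dns_consistency() {
  name="$1"; ip="$2"
  a=$(resolve_a "$name")
  if [ "$a" != "$ip" ]; then
    echo "forward lookup of $name gave '${a:-nothing}', expected $ip"; return 1
  fi
  # PTR answers carry a trailing dot; strip it before comparing.
  ptr=$(resolve_ptr "$ip" | sed 's/\.$//')
  if [ "$ptr" != "$name" ]; then
    echo "reverse lookup of $ip gave '${ptr:-nothing}', expected $name"; return 1
  fi
  return 0
}

# check_replica NAME EXPECTED_IP: runs both checks; returns 0 only if all pass.
check_replica() {
  check_hostname_form "$1" && check_dns_consistency "$1" "$2"
}

# Sample usage (constructed values): check_replica replica.mynetwork.private 192.168.2.10
```

Run it with the replica’s FQDN and the address you expect the DNS server to return; a non-zero exit and the printed reason tell you which of the three conditions Kerberos setup would trip over.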

Now it’s time to re-configure the server as an Open Directory Replica; you can use the Open Directory Assistant again. Provide the requested information and, when the process completes, if you’re lucky enough the problem will be fixed and ‘Server Admin’ will show ‘Kerberos is: running’.

Unfortunately I wasn’t so lucky the first time I encountered this problem: on my replica server the Kerberos service was still in the ‘Stopped’ status.

After a couple of headaches and a lot of wasted time I figured out that one of the main Kerberos configuration files, ‘/Library/Preferences/edu.mit.Kerberos’, was missing. This was proof that for some reason the ‘kdcsetup’ process had not been executed.

To fix this it is necessary to run by hand the procedure that configures and initializes the Kerberos process. It is actually the last part of the manual procedure for joining a Replica to an existing Open Directory domain, and consists of:

# /usr/sbin/kdcsetup -c /LDAPv3/127.0.0.1 -a diradmin -p -v 1

This command creates the file /Library/Preferences/edu.mit.Kerberos.

# /usr/sbin/kdb5_util -r

‘kdb5_util’ loads the information from the initial.dump file produced by the previous step into the REALM.

# kdcsetup -e

The ‘kdcsetup -e’ command enables kdcmond and kadmind in the launchd configuration.

Now the Kerberos services should be started on the replica server.

Reboot the system to make sure they start automatically at system initialization.

How-To install and configure ntop 4 on Mac OS X

Sunday, January 16th, 2011

“ntop is a network probe that shows the network usage”: this is the brief description of ntop taken from the official ‘overview’ page of www.ntop.org.

The reason why I like ntop is that it gives us an immediate picture of what is happening in our network NOW, with graphical and tabular representations of the current, recent and past network statistics.

When the network is stuck, you can know why, and you can know it immediately. You can then take the proper action to ditch the cause 😉

This is not all: there is a lot of amazing information you can get from this ‘small’ Italian tool…

In this post I will describe an as-easy-as-possible procedure to install ntop on your Mac OS X Server Snow Leopard (I didn’t test this on previous versions, but as long as MacPorts is available for the older version it shouldn’t be an issue to follow the same steps).

Preface

The easiest way ever would be to fire the command

$ sudo port install ntop

but, as always happens, the easiest way is not the best way: in fact the MacPorts version of ntop is 3.3, quite old compared to the current stable version 4.0.3.

Also, installing ntop through the port tool doesn’t install and configure it as a service, but only as a tool to be run occasionally.

One of the reasons I prefer to install ntop 4.0.3 instead of 3.3 is that it gives us the option to visualise the “Hosts World Map” directly in Google Maps and the “Local Network Traffic Map”, giving us an idea of where our network users, services and clients are connecting to and from. Of course many other improvements are available in the latest version, but these are the coolest according to me 😀

Another reason to install ntop manually, following the procedure below, is to install and configure it as a daemon (LaunchDaemon) launched by ‘launchd’.

What we will do, then, is download, compile and install ntop 4.0.3 directly from its official website and rely on MacPorts to install its compile-time and run-time dependencies.

Prerequisites

  1. The latest sources of ntop.
  2. Xcode (required by MacPorts); you can install it from the Mac OS X Server Snow Leopard installation disk, ‘Optional Installs’ folder.
  3. Workgroup Manager: it’s part of the Server Admin Tools and needs to be downloaded from Apple support and installed, unless you are running Mac OS X Server.
  4. MacPorts; you can download and install it from www.macports.org.
  5. wget, to be installed via MacPorts.

Preparation of system

  1. Make sure you have installed Xcode, MacPorts and Workgroup Manager.
  2. Create a ‘src’ folder where to store and compile the ntop sources:
    $ mkdir ~/src
    $ cd ~/src
  3. Install wget:
    $ sudo port install wget
  4. Fetch the latest source archive from www.ntop.org:
    $ wget http://ignum.dl.sourceforge.net/project/ntop/ntop/Stable/ntop-4.0.3.tgz
    $ tar xvzf ntop-4.0.3.tgz
    $ cd ~/src/ntop-4.0.3
  5. Install from MacPorts the ntop dependencies needed to compile and run ntop:
    $ sudo port install depof:ntop

    This command does not install ntop from MacPorts but only its dependencies.

    This step can take several minutes because it downloads, compiles and installs a lot of ports (libraries).

  6. Create the local user and local group ‘ntop’ via ‘Workgroup Manager’:
    1. Create the new local group ‘ntop’.
    2. Create the new local user ‘ntop’ with primary group ‘ntop’.

      Leave the password blank to prevent any possibility of login, and do not specify a home folder; if you really need to specify one, choose /usr/local/etc/ntop.

      This procedure can be executed from the command line as well using the ‘dscl’ command, but you will have to assign the User ID manually, retrieving the first free one from the directory service with other scripts.
      Workgroup Manager calculates the first available User ID automatically.

  7. Install mako (needed for the “Host World Map” feature of ntop):
    $ sudo easy_install mako
  8. Install graphviz (contains ‘dot’, needed for the “Local Network Traffic Map” feature of ntop):
    $ sudo port install graphviz

Compilation

Make sure you are in the ‘~/src/ntop-4.0.3’ folder, then:

  1. run the script that checks the dependencies:
    $ ./autogen.sh
  2. and proceed with the compilation:
    $ make

Installation

  1. Run the script that installs ntop and its libraries in the proper places:
    $ sudo make install
  2. Create the LaunchDaemon script to make the service run as a daemon:
    $ sudo touch /Library/LaunchDaemons/org.ntop.ntop.plist
  3. Copy and paste the following lines into org.ntop.ntop.plist:

#-----BEGIN OF org.ntop.ntop.plist-----
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>KeepAlive</key>
   <dict>
      <key>NetworkState</key>
      <true/>
   </dict>
   <key>Label</key>
   <string>org.ntop.ntop</string>
   <key>ProgramArguments</key>
   <array>
      <string>/usr/local/bin/ntop</string>
      <string>@/usr/local/etc/ntop/ntop.conf</string>
      <string>--user</string><string>ntop</string>
      <string>--db-file-path</string><string>/usr/local/var/ntop</string>
      <string>--daemon</string>
   </array>
</dict>
</plist>
#-----END OF org.ntop.ntop.plist-----

  4. Create the configuration file to pass additional custom parameters:
    $ sudo touch /usr/local/etc/ntop/ntop.conf
  5. Copy and paste the following lines into ntop.conf
    (in this example I put only the ‘vital’ parameters; you can specify more, but the ones placed in the LaunchDaemon file will NOT be overridden by the parameters present in the ntop.conf file)

    #-----BEGIN OF ntop.conf-----
    # interface(s) that ntop will capture on
    #  DEFAULT: the first Ethernet device (e.g. en0 on Mac OS X)

    --interface en0

    # Configures ntop not to trust MAC addrs.
    # This is used when port mirroring or SPAN
    #--no-mac

    # Logging messages to syslog (instead of the console):
    #  NOTE: To log to a specific facility, use --use-syslog=local3
    #  NOTE: The = is REQUIRED and no spaces are permitted.

    #--use-syslog
    -L

    # Tells ntop to track only local hosts as specified
    # by the --local-subnets option

    #--track-local-hosts

    # Sets the port that the HTTP webserver listens on
    #  NOTE: --http-server 3000 is the default

    #--http-server 3000

    # Sets the port that the optional HTTPS webserver listens on

    #--https-server 3001

    # Sets the networks that ntop should consider as local.
    # NOTE: Uses dotted decimal and CIDR notation.
    # Example: 192.168.0.0/24
    # The addresses of the interfaces are always
    # local and don't need to be specified.

    #--local-subnets 192.168.2.0/24

    # Sets the domain.
    # ntop should be able to determine this automatically.

    #--domain domain.my
    #-----END OF ntop.conf-----
  6. Set the correct file and folder permissions. VERY IMPORTANT!
    $ sudo chmod 644 /Library/LaunchDaemons/org.ntop.ntop.plist
    $ sudo chown -R ntop /usr/local/var/ntop
    $ sudo chown -R ntop /usr/local/etc/ntop

Configuration
Set the password for the admin user of the ntop database (from the web interface you’ll be able to create other users with different degrees of administration):

$ sudo ntop -t 0 -u ntop -P /usr/local/var/ntop --set-admin-password

Conclusion

Now start the service using the launchctl command; it will run as a daemon:

$ sudo launchctl load /Library/LaunchDaemons/org.ntop.ntop.plist

You will be able to access ntop through port 3000 (by default) of your server:

http://domain.my:3000

Click on this link to download the archive containing my prepared copies of the org.ntop.ntop.plist and ntop.conf files.

If you found this how-to useful, please leave feedback; it will be really appreciated.

Enjoy!

What to do if the AFP service needs to be restarted periodically?

Saturday, October 16th, 2010

Recently, after upgrading my Mac Mini Core 2 Duo (turned into a server) to Snow Leopard Server 10.6.4, I started experiencing a very annoying problem: the AFP service was periodically stopping sharing the chosen folders (Shared Points) to the clients.

I noticed that this is sometimes related to the server’s resources and performance.
For instance AFP may stop working properly during intensive file transfers, such as a remote backup via Time Machine, or when another service keeps the CPU at 100% usage.
It happens especially on my Mac Mini, as the RAM is limited to only 1GB and therefore a lot of disk activity is generated by swapping.

Basically the service has not crashed or stopped: the AFP server process is still running and still allows users to log in from any connected workstation. The problem is that, once logged in, a user is able to see only his own home folder, while all the other Shared Points configured in the Server Admin control panel are not listed.

For a long while the solution was to monitor the service periodically and, when I noticed the misbehaviour, restart it; in a few seconds the users were able to connect to all the shared points again.

I wasn’t happy with this inelegant solution, so when I had a little spare time I investigated the problem further and found an old thread on the Apple Support site describing the same issue on the Leopard Server 10.5 series:

http://discussions.apple.com/message.jspa?messageID=6145016

Apparently for Leopard Server the solution is a little tricky and involves a script that periodically toggles the Guest Account access option.

Then the idea, EUREKA! CARAMBA! I had a quick check and found that, for security reasons, I had disabled access for the Guest Account.

The solution was quite fast: I enabled the Guest Access to the AFP service again from Server Admin, AFP service, Settings panel, Access tab (as shown in the picture below). This fix is still working for me and the service has never stopped again!

[Picture: AFP service Settings, Access tab, Guest Access toggle]

Anyway, I wanted to prevent the Guest Account from accessing the Shared Points of the AFP service, so I disabled the Guest Account specifically for each Shared Point.

From Server Admin, AFP service, Shared Points panel, I selected the Shared Points one by one, opened the Protocol Options and disabled the Guest Access toggle (as shown in the picture).

[Picture: AFP Shared Point, Protocol Options, Guest Access toggle]

Doing so I allow the Guest Account to log in to the AFP service but I prevent it from using any Shared Point (shared directory). For further security it’s possible to limit access to the AFP service to a selected number of user groups (they must NOT include the Guest account as a member) through the Services Access settings of the Server Admin tool; in my experience this is a ‘best practice’ that we should apply on most of the AFP servers we set up.

Please feel free to reply to this post if you have found better solutions to this issue.

How-To change hostname in Mac OS X Server Snow Leopard with scutil

Friday, August 27th, 2010

scutil provides a command line interface to the “dynamic store” data maintained by configd. [from the scutil manual]

sudo scutil --set HostName hostname[.domain]

If the domain is not specified, the hostname will automatically be configured as .local.

Snow 303 Notebook

Thursday, August 19th, 2010

My personal notebook made in preparation for the Snow 303 exam for the Apple Certified Specialist – Security and Mobility 10.6 certification on Mac OS X Server 10.6 Snow Leopard.

Mac OS X Mobility and Security v10.6

This notebook can be used as a complement to the book Mac OS X Security and Mobility v10.6 by Robert Kite, Ph.D., Michele Hjörleifsson, and Patrick Gallagher, published by Peachpit Press.

How-To backup and restore cydia packages

Wednesday, June 2nd, 2010

When upgrading the iPhone or iPad firmware, if you own a jailbroken iDevice, you may want to back up the list of installed Cydia (deb) packages so you can bulk-install them again after the firmware upgrade and jailbreak.

This procedure comes from, and is suitable for, any deb (apt) Unix system that needs a bulk installation of packages, usually for deployment purposes, e.g. Mac OS X configured with Fink, Debian-based GNU/Linux distributions like Ubuntu, and probably Android mobile phones too.

The following procedure shows the command-line instructions necessary to back up and restore the list of currently installed packages on Cydia. Please mind that the configuration of the installed packages will not be preserved; you need to follow other instructions to back up and restore your personalised configurations:

  1. Before upgrading or restoring the device firmware, log in to the console of your iPhone or iPad via a terminal application, possibly from an external computer, and issue the following command:
    dpkg --get-selections > packages_list.txt
  2. Save the packages_list.txt file (and your packages’ personalised configurations) in an external location like your computer or a web site; then you can perform the upgrade or restore of the device firmware.
  3. After the iPhone has been reinstalled and jailbroken, update the Cydia sources and then install OpenSSH to be able to remotely connect to the device from the command line.
  4. Copy the file packages_list.txt to the iPhone or iPad and from the console issue the following commands (you can copy and paste):

    apt-get update;
    dpkg --set-selections < packages_list.txt;
    apt-get -u dselect-upgrade;
    rm /private/var/mobile/Library/Caches/com.apple.mobile.Installation.plist;
    killall SpringBoard
  5. Restore your packages’ personalised settings according to the backup method you used to save them.

Resetting the Firewall to the Default Setting in Mac OS X Server 10.6

Sunday, May 23rd, 2010

A server can become unreachable for remote administration due to an error with the firewall configuration. In such a case, you must reset the firewall to its default state so Server Admin can access the server.

This recovery procedure requires you to use the command-line interface and must be done by an administrator who has physical access to the server.

To reset the firewall to its default setting:

  1. Disconnect the server from the Internet.
  2. Restart the server in single-user mode by holding down the Command-S keys during startup.
  3. Remove or rename the address groups file found at /etc/ipfilter/ip_address_groups.plist.
  4. Remove or rename the ipfw configuration file found at /etc/ipfilter/ipfw.conf.
  5. Force-flush the firewall rules by entering the following in Terminal:
    $ ipfw -f flush
  6. Edit the /etc/hostconfig file and set IPFILTER=-YES-.
  7. Complete the startup sequence to the login window by entering exit:
    the computer starts up with the default firewall rules and the firewall enabled. Use Server Admin to refine the firewall configuration.
  8. Log in to your server’s local administrator account to confirm that the firewall is restored to its default configuration.
  9. Reconnect your host to the Internet.

Dead Man’s Switch with OS X Server

Sunday, May 23rd, 2010

A dead man’s switch (the name comes from the railroad industry) is a technique you can use to protect yourself against accidental lockout while configuring firewalls.

A dead man’s switch enables a service but leaves the administrator a temporary backdoor to remediate a lockout.

E.g. on Mac OS X Server 10.6 Snow Leopard, with bash on the command line:

# sudo ls; sudo serveradmin start ipfilter; sleep 90; sudo serveradmin stop ipfilter

This command line enables the firewall and automatically disables it again after 90 seconds (the initial ‘sudo ls’ only serves to cache the sudo credentials so the later commands don’t prompt for a password).

Snow 301 Notebook

Wednesday, May 19th, 2010

My personal notebook made in preparation for the Snow 301 exam for the Apple Certified Specialist – Directory Services 10.6 certification on Mac OS X Server 10.6 Snow Leopard.

Mac OS X Directory Services v10.6

This notebook can be used as a complement to the book Mac OS X Deployment v10.6 by Arek Dreyer and Ben Greisler, published by Peachpit Press.

Snow 302 Notebook

Friday, April 16th, 2010

My personal notebook made in preparation for the Snow 302 exam for the Apple Certified Specialist – Deployment 10.6 certification on Mac OS X Server 10.6 Snow Leopard.

Mac OS X Deployment v10.6

This notebook can be used as a complement to the book Mac OS X Deployment v10.6 by Kevin M. White, published by Peachpit Press.