MacOSX & VFX & Hardware & Unix 24 Jan 2008 05:05 pm

Read the man page, dude (Xsan Xserve RAID example)


Our Goal: We want to erase a hard drive that was formerly part of Xsan (in an Xserve RAID). We’ve placed the ATA drive in an external enclosure, then connected it to a workstation that has the Xsan software installed but is not attached to the Xsan volume (for safety).

The Problem: Disk Utility won’t erase the drive.

Known Solution: Erase the Xsan label, and then erase the drive afterwards.



1. List all Xsan labeled devices, so we can remove the label:

ilovelog:~ blog$ cvlabel -l
Insufficient administrative privileges.

ilovelog:~ blog$ sudo !!
sudo cvlabel -l

Hmm, nada, nothing shows up. Strange!

2. Use diskutil to list available drives

ilovelog:~ blog$ diskutil list
/dev/disk0
#: type name size identifier
0: Apple_partition_scheme *152.7 GB disk0
1: Apple_partition_map 31.5 KB disk0s1
2: Apple_HFS nobody 152.5 GB disk0s3
/dev/disk1
#: type name size identifier
0: Apple_partition_scheme *149.1 GB disk1
1: Apple_partition_map 31.5 KB disk1s1
2: Apple_Driver43 28.0 KB disk1s2
3: Apple_Driver43 28.0 KB disk1s3
4: Apple_Driver_ATA 28.0 KB disk1s4
5: Apple_Driver_ATA 28.0 KB disk1s5
6: Apple_FWDriver 256.0 KB disk1s6
7: Apple_Driver_IOKit 256.0 KB disk1s7
8: Apple_Patches 256.0 KB disk1s8
9: Apple_HFS someone 149.0 GB disk1s9
/dev/disk2
#: type name size identifier
0: Apple_Xsan_Component *233.8 GB disk2

The internal hard drive and the former Xsan drive show up.

3. The drive exists, so let’s try to erase it.

ilovelog:~ blog$ sudo diskutil eraseDisk HFS test /dev/disk2

diskutil won’t let us erase it.

4. Invoking cvlabel without arguments prints its usage text (the short form of the man page). Let’s see what we’re doing wrong.

ilovelog:~ blog$ sudo cvlabel
Usage: cvlabel -l [-s] [-v] [-a]
cvlabel -L [-v] [-a]
cvlabel -c
cvlabel -x [-a]
cvlabel [-v] [-f] [-q ] [-r] [-e]
cvlabel [-f] -u
cvlabel -D
where:
-l List disks. (Not invasive.)
-L List disks in Long format.
-x List disks in Property List format.
-s Display the disk serial number if available.
-a Display all disks, even unusable ones.
-v Verbose output enabled.
Note: specifying -v multiple times increases verbosity.
-c Outputs a cvlabel format template file to stdout.
-e Changes the default label type for 1-2TB LUNs from VTOC
to EFI.
-f Forces immediate operation without confirmation.
WARNING: care should be taken when using the -f option
since data loss may result if an incorrect
is specified when labeling.
-q Set the Irix ctq_depth value in the label. Default=16.
-r Relabel disks, even if they already have valid labels.
-u Unlabel a volume.
-D Dump the label to stdout in ascii.
A file containing “ ” entries for
each disk to label.
A number in the range 0-254.
The name of a volume. For example, "CvfsDisk0"

5. Aha! There’s an option to show all disks, even “unusable ones”. Let’s try that.

ilovelog:~ blog$ sudo cvlabel -la
/dev/rdisk2 [Hitachi HDS722525VLAT80 ] acfs "wee" Sectors: 2935876352. SectorSize: 512. Maximum sectors: 490091377. [Unusable: Unable to read last data block]

ilovelog:~ blog$ sudo cvlabel -u "wee"

*WARNING* This program will remove the volume label from the
device specified (wee).

After execution, the devices will not be usable by the
Xsan. You will have to relabel the
device to use it on the Xsan.

Do you want to proceed? (Y / N) -> y

6. It worked. We found the label, which we then removed. Running cvlabel again shows no label.

ilovelog:~ blog$ sudo cvlabel -la
/dev/rdisk2 [Hitachi HDS722525VLAT80 ] unknown Sectors: 490091377. SectorSize: 512.
ilovelog:~ blog$ sudo diskutil eraseDisk HFS test rdisk2
Could not find the disk rdisk2
ilovelog:~ blog$ sudo diskutil eraseDisk HFS test disk2
Started erase on disk disk2

Creating Partition Map 100% ..
Finished erase on disk disk2

Finished partitioning on disk disk2

7. Now let’s erase the disk

sudo diskutil eraseDisk HFS test /dev/disk2

8. Partition the disk. Don’t worry about the exact size of the second (or last) volume; it will be allocated auto-magically.

diskutil partitionDisk disk2 2 HFS+ Untitled 90G MS-DOS DOS 60G
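
A pre-flight check for steps 5 to 7, as an added example (not part of the original post): it reads the label name from `cvlabel -la`, confirms that `diskutil list` also reports that disk as an Xsan component, and returns the `diskN` identifier that diskutil accepts. The function names are hypothetical, and the sample text is taken from the output shown above (trimmed, quotes normalised to ASCII).

```sh
#!/bin/sh
# Added example. On a real workstation feed in "$(sudo cvlabel -la)" and
# "$(diskutil list)" instead of the sample text below.
DISKUTIL_LIST='/dev/disk0
   0: Apple_partition_scheme *152.7 GB disk0
   2: Apple_HFS nobody 152.5 GB disk0s3
/dev/disk2
   0: Apple_Xsan_Component *233.8 GB disk2'
CVLABEL_BEFORE='/dev/rdisk2 [Hitachi HDS722525VLAT80 ] acfs "wee" Sectors: 2935876352. SectorSize: 512. Maximum sectors: 490091377. [Unusable: Unable to read last data block]'
CVLABEL_AFTER='/dev/rdisk2 [Hitachi HDS722525VLAT80 ] unknown Sectors: 490091377. SectorSize: 512.'

# Whole-disk identifiers that diskutil reports as Xsan components (stdin: diskutil list).
xsan_disks() {
    awk '$2 == "Apple_Xsan_Component" { print $NF }'
}

# "<raw device><TAB><label>" for every labelled disk (stdin: cvlabel -la).
# An unlabelled disk shows the bare word "unknown", so it prints nothing.
xsan_labels() {
    awk 'match($0, /"[^"]*"/) {
        printf "%s\t%s\n", $1, substr($0, RSTART + 1, RLENGTH - 2)
    }'
}

# diskutil rejected "rdisk2" above; map /dev/rdiskN to the diskN it accepts.
to_diskutil_id() {
    printf '%s\n' "$1" | sed -e 's|^/dev/||' -e 's|^rdisk|disk|'
}

# Print the diskutil identifier to erase for label $1, but only if cvlabel
# ($2) knows the label AND diskutil ($3) agrees that disk is an Xsan component.
erase_target() {
    dev=$(printf '%s\n' "$2" | xsan_labels |
          awk -F'\t' -v want="$1" '$2 == want { print $1 }')
    [ -n "$dev" ] || return 1
    id=$(to_diskutil_id "$dev")
    printf '%s\n' "$3" | xsan_disks | grep -qx "$id" || return 1
    printf '%s\n' "$id"
}

erase_target wee "$CVLABEL_BEFORE" "$DISKUTIL_LIST"   # prints disk2
```

After `cvlabel -u`, running `xsan_labels` over the new `cvlabel -la` output should print nothing, which is the same check step 6 does by eye.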

MacOSX & Windows & Leopard & Tiger 20 Nov 2007 12:22 pm

Cloning Intel Mac workstations

Cloning Mac workstations in the era of Mac OS 9 meant dragging and dropping the files from one drive to another (or using early ASR). When Mac OS X appeared, cloning systems, especially building large deployments (e.g. computer labs), became more complicated: permissions, users and nasty bits. Enter Mike Bombich and Carbon Copy Cloner, and eventually NetRestore (for NetBooting and restoring from disk images).

Well, now we have Intel-based Macs and the possibility of running a dual-boot setup, with Windows alongside Mac OS X. This complicates building a workstation, as you have to image two operating systems, two partitions, two filesystems, etc. NetRestore was updated to handle these issues using ntfsprogs, a free utility. This worked in Mac OS X 10.4 (Tiger) but is failing for many in Mac OS X 10.5 (Leopard). So what to do? Run the commands in Terminal directly. Wheee…


1. Get the list of disks, note the one with Windows

diskutil list

2. Check to see how much space we could save if we resized it

/usr/local/sbin/ntfsresize --info -f /dev/disk2s3

3. Clone Windows partition to a disk image

/usr/local/sbin/ntfsclone --save-image -o windows.img /dev/disk2s3

Note: if you use the excellent MacFUSE tools (the Google port that allows using other filesystems on Mac OS X), then uninstall them before trying to use ntfsprogs.

Note 2: Also check out WinClone, which allows deployable ARD solutions and offers a nice little GUI for imaging Windows partitions.

REFERENCES:

http://www.twocanoes.com/winclone/

http://www.bombich.com/mactips/dualboot.html

http://www.linux-ntfs.org/doku.php?id=ntfsclone
http://man.linux-ntfs.org/ntfsclone.8.html
http://code.google.com/p/macfuse/

MacOSX & Leopard & log 08 Nov 2007 05:15 pm

10.5 Update: Syslog + Tail

Apparently amongst all the other updates more than a few Unix binaries were tweaked.
Ed at Radiotope has alerted us to changes in tail and syslog. Tail can now follow multiple log files.

example:

tail -f /var/log/*.log

This will show you several lines from all these live log files, overwhelming you with lots of great errors and goings-on. Now with Spaces (multiple desktops) in 10.5 you could devote a whole “space” to one huge Terminal window. Wow. That’s geeky.

Also changed is “syslog”. Using “syslog -w” will get you a similar output to that command above with tail. It polls asl.log.

ref: http://www.radiotope.com/content/os-x-105-leopard-utility-update-syslog


MacOSX & Leopard 08 Nov 2007 08:36 am

Mac OS X 10.5 - Directory Services Changes

Mac OS X 10.5 (Leopard) was released October 26, 2007 and now we have to sift through all the changes under the hood.


The big changes include “local” directory services, a new Directory Utility, OS X Servers auto-configuring clients with available services, and new CLI tools.

Other changes include: a new local database in /var/db/dslocal/nodes/Default on the local workstation, and some new GUI tools. The new “Directory Utility” automatically finds configured Directory Servers and configures the local workstation (sets up iChat, email, etc). In addition, the Accounts pref pane has been greatly enhanced to allow editing of group memberships.

ref: “SystemsBoy” blog: http://systemsboy.blogspot.com/2007/11/leopard-groups.html

In short, NetInfo, the local workstation users/groups directory, is now gone. Out with “nicl” and in with “dscl”. Well, “dscl” has been around for a while now, but 10.5 adds a few new tools (and enhances others) to help out: dsenableroot, dseditgroup, dscacheutil, dserr, and dsmemberutil.

Joel (afp548.com) is paraphrased here:

dsenableroot
- Enables root. Useful now that NetInfo Manager is gone.

dseditgroup
- Good for manipulating group memberships.

dscacheutil
- Brand new in 10.5. Peek into the Directory Service cache and flush it. Like lookupd -d.

dserr
- Lookup DS error codes for you and return the text equivalent of the error.

dsmemberutil
- Check group membership — what groups the system thinks a user is in.

ref: http://www.afp548.com/article.php?story=LeopardServerReview-LocalDirectory

UPDATE: I was poking around (cd /usr/bin ; ls *ds*) and I found dsperfmonitor:

$ dsperfmonitor
Usage: dsperfmonitor -a | -d | -dump | -flush
-a activate API stat gathering
-d deactivate API stat gathering and dump to system.log
-dump dump stats to system.log
-flush reset statistics

A very interesting tool which came in handy for debugging Directory Services.

Also new is the “local” KDC. When connecting to other Macs you can now get a Kerberos ticket which lasts for 10 hours. This applies to ScreenSharing and other neat tricks in Leopard. Using Keychain Access (in Utilities) you can open the Kerberos Ticket Viewer (which opens the Kerberos app in CoreServices) to delete tickets sooner.

ref: http://www.radiotope.com/content/more-about-os-x-105-leopard-kerberos

MacOSX & Windows & Tiger 06 Aug 2007 07:30 pm

Troubleshooting Directory Services


So what do you do when it doesn’t work? Or when it’s not doing what you want? I will list and quickly summarize some tools and procedures which I’ve gleaned from Philip Rinehart and Mike Bombich.

Rinehart is co-chair of the Mac OS X Enterprise Project, and he recently published a Troubleshooting DS basics article in MacTech, which elaborates on his many posts on the same subject on the macenterprise list. Some of this is not officially documented, so getting the word out about ‘dirt’ is our mission here.


1. Dirt (testing directory services)

dirt -u username -n
dirt -m "/Active Directory/All Domains" -u aduser -p adpass

2. kinit (testing Kerberos)

kinit username

3. debug (generate log files)

killall -USR1 DirectoryService
killall -USR2 DirectoryService

In conclusion, Mr. Rinehart stresses the importance of DNS, and of making thoroughly sure that it is working properly. Simple things like checking IPs and physical cables can also help troubleshoot these matters before you go and rebuild half a dozen servers.

I LOVE LOG sez: In troubleshooting, always do the least painful fix first.

Bombich is an Apple Systems Engineer; he published “Leveraging Active Directory on Mac OS X” on bombich.com in 2006, from which I will highlight a few points.

1. dscl (using directory service command line)

dscl localhost

cd LDAPv3/

2. lookupd -d

> userWithName: oduser

> configuration

3. LDapper: Active Directory testing

Use LDapper to poll the AD server before binding, to browse and verify.

4. dsconfigad

show (-show),

destroy bind (-r -u aduser -p adpass),

bind (-f -a "computerid" -domain "apple.edu" -u "binder" -p 'password' -ou "CN=computers,DC=apple,DC=edu")

5. troubleshooting

a. Check clock skew, dns, AD admin with credentials to add
b. dsconfigad -show
c. dscl /Active\ Directory/All\ Domains -read /Users/student
d. use “adcheck” in Win server

6. OD + AD

a. destroy OD kerb realm

sudo sso_util remove -k -a diradmin -p password
dscl -u diradmin /LDAPv3/127.0.0.1 -delete /Config/KerberosKDC
dscl -u diradmin /LDAPv3/127.0.0.1 -delete /Config/KerberosClient

b. bind OSX server to AD
c. config services to use AD kerb realm

sudo dsconfigad -enableSSO
sudo klist -ke
defaults read /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal
grep "realm" /etc/smb.conf

References:

http://macenterprise.org/
http://www.bombich.com/mactips/activedir.html

Mac Servers in AD
http://www.peachpit.com/articles/article.asp?p=430213&seqNum=6&rl=1

Linux+AD
http://adminspotting.net/articles/windows/Linux-and-Active-Directory.html

MacOSX & Windows & Linux & Software & Tiger 05 Aug 2007 05:49 pm

Directory Access


Directory Access is an application in Mac OS X 10.4.x (aka Tiger) which is used by sysadmins to allow network users to log in. By configuring the specific plug-ins you need, users can log in to a Mac with an account in a Directory Server, for example: Apple Open Directory, Windows Active Directory or Linux LDAP. In larger networks Directory Access is used to allow existing Windows or Unix accounts to log in to all the Mac computers — without first having to create all those accounts on each and every computer. So far so good.

This is historically significant if you compare it to Mac OS 9, which had no users. No user accounts, that is. And when the machine booted up you did not need to log in to it. Try configuring that Mac box running OS 9 to use your existing Windows accounts sitting in Active Directory. It ain’t gonna happen. Switch to Mac OS X and wait for version 10.3.x for it to actually start working properly. Suddenly, you don’t have to duplicate every Windows account on your Mac server, you just point the Mac clients to the Windows server and voila, everyone can log in. Wheee… Harmony at last. Almost.

If you configure all your Macs to point to your Mac OS X Server, running Open Directory, using the LDAPv3 plugin, then you have network accounts and management right there. Set the Dock for everyone on the left, ban Torrent apps, and auto launch Terminal. Additionally, you point all the Macs to Active Directory for accounts, and you got the Golden Triangle of AD-OD and your Macs. Bliss. Sweet Serenity. Kinda.

Now what if you wanted to throw a Linux (e.g. CentOS) file server (running Samba) into the mix? Why not? Just for the sake of further complication, make that Linux box randomly assign each Windows AD account a sane UNIX numerical ID. Sounds like fun. Now how would the Macs know anything about it? They could authenticate and log in with their AD account, but when they connected to the Linux Samba file server and mounted the share, it would show users and groups that they aren’t familiar with. Do a listing of the files: who owns them, numbers (IDs) or names (users)? How to fix that? Either install the Unix tools for AD on your Windows server, or tell the Macs to use a uniqueID in the AD plugin and map it to some unused field, e.g. streetAddress. Then in AD on the Win2003 box fill in that unique ID in the street address field. Great, everything works again. Now what if you built a failover Linux server which assigned different IDs? Now you’ve got an overly complicated 4-sided triangle. Mac-Windows-Linux and you. Is there a better way? Just use Mac OS X and Mac OS X server. ;)
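
The failover problem described above can be checked before it bites. The following is an added example, not part of the original post: it compares the account-to-ID maps of two servers and goes slightly beyond the text by also flagging the case where one numeric ID belongs to different accounts on each server, which is what makes file ownership show up under the wrong name. The function name `uid_drift` is hypothetical and the `getent passwd`-style sample lines are constructed.

```sh
#!/bin/sh
# Constructed sample data: name:x:uid:... lines as a primary and a failover
# Samba server might report them for the same three AD accounts.
PRIMARY='alice:x:10001:10000::/home/alice:/bin/bash
bob:x:10002:10000::/home/bob:/bin/bash
carol:x:10003:10000::/home/carol:/bin/bash'
FAILOVER='alice:x:10001:10000::/home/alice:/bin/bash
bob:x:10003:10000::/home/bob:/bin/bash
carol:x:10007:10000::/home/carol:/bin/bash'

# Print one line per problem:
#   MISMATCH user uidA uidB    same account, different numeric ID
#   COLLISION uid userA userB  same numeric ID, different accounts
uid_drift() {   # $1 = primary map text, $2 = failover map text
    {
        printf '%s\n' "$1" | sed 's/^/A:/'   # tag each line with its source
        printf '%s\n' "$2" | sed 's/^/B:/'
    } | awk -F: '
        $1 == "A" { uidA[$2] = $4; order[++n] = $2 }
        $1 == "B" { uidB[$2] = $4; nameB[$4] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                if ((u in uidB) && uidA[u] != uidB[u])
                    print "MISMATCH", u, uidA[u], uidB[u]
            }
            for (i = 1; i <= n; i++) {
                u = order[i]; id = uidA[u]
                if ((id in nameB) && nameB[id] != u)
                    print "COLLISION", id, u, nameB[id]
            }
        }'
}

uid_drift "$PRIMARY" "$FAILOVER"
```

With the sample data, carol's files on the primary (ID 10003) would appear to belong to bob on the failover server.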