Advice on server upgrade to 10.11 or 10.12?

[DEMinSoCAL]

A client has a Mac mini running Yosemite 10.10.5 Server. It serves a small workgroup of Mac users in an otherwise Windows environment (Windows PC's on a Windows server domain).

I've left the server alone, but now that the Mac Pro's have been updated to Sierra, we want to update the server.

BUT, ever since updating the Mac Pro's to Sierra, we have issues with SMB authentication (doesn't remember passwords in keychain) and even AFP shares not always connecting. I thought bringing the server up to current 10.12.3 Sierra might help alleviate that, but now I've also read that Sierra has SMB issues.

So the question is, should I just update the server to the latest El Capitan server until 10.12.4 is released, or bring it fully up to date with 10.12.3? Recommendations?

 

[DJLC]

Biggest question: what services do you have running on the Mac server? That will really inform whether or not you should or need to update.

I'm still on Yosemite for my Mac server at work. But at this point, 99% of our services run off Windows Server 2012. The only thing the Mac server is doing at this point is sharing printers via Bonjour across a couple subnets. So I'm probably not going to bother upgrading it unless something happens.

 

[DEMinSoCAL]

DJLC, it's used for file sharing and as an ftp server for their clients to upload files. That's it. Everything else is done by the Windows server (file sharing for everyone else, Exchange, print, etc.).

 

[Longer Lane]

A client has a Mac mini running Yosemite 10.10.5 Server. It serves a small workgroup of Mac users in an otherwise Windows environment (Windows PC's on a Windows server domain).

I've left the server alone, but now that the Mac Pro's have been updated to Sierra, we want to update the server.

BUT, ever since updating the Mac Pro's to Sierra, we have issues with SMB authentication (doesn't remember passwords in keychain) and even AFP shares not always connecting. I thought bringing the server up to current 10.12.3 Sierra might help alleviate that, but now I've also read that Sierra has SMB issues.

So the question is, should I just update the server to the latest El Capitan server until 10.12.4 is released, or bring it fully up to date with 10.12.3? Recommendations?

Upgrade to Sierra.

My Macs run on 10.12.3. I usually keep the server environment back till the x.1 update has been released. During that time, I had similar compatibility issues. They have gone away once I had upgraded the servers to Sierra.

 

[chrfr]

BUT, ever since updating the Mac Pro's to Sierra, we have issues with SMB authentication (doesn't remember passwords in keychain) and even AFP shares not always connecting.

This is actually not a bug, but an intentional change by Apple. There's a workaround: https://support.apple.com/en-us/HT207112
It seems like this behavior may change in 10.12.4 as well.

 

[DJLC]

DJLC, it's used for file sharing and as an ftp server for their clients to upload files. That's it. Everything else is done by the Windows server (file sharing for everyone else, Exchange, print, etc.).

I'd probably update it to Sierra then. Or offload those services to Windows and get rid of it.

 

[DEMinSoCAL]

Sierra it is. Looking forward to 10.12.4.

Thanks, everyone!

 

[DEMinSoCAL]

This is actually not a bug, but an intentional change by Apple. There's a workaround: https://support.apple.com/en-us/HT207112
It seems like this behavior may change in 10.12.4 as well.

FYI, that fix did not work. Did the fix, then I went into Keychain Access and removed all keychain entries for the server (by name and my IP), and logged out and back in. When the login box popped up, I provided credentials (used "domain\username" as it connects instantly compared to just username which sits there for a minute) and the share popped up. I confirmed the entry in Keychain Access was correct. I removed the entry in the users' Login Items, and dragged the newly connected volume into Login Items. Logged out, back in, and the dialog box popped up to authenticate again.

 

[talmy]

FYI, that fix did not work. Did the fix, then I went into Keychain Access and removed all keychain entries for the server (by name and my IP), and logged out and back in. When the login box popped up, I provided credentials (used "domain\username" as it connects instantly compared to just username which sits there for a minute) and the share popped up. I confirmed the entry in Keychain Access was correct. I removed the entry in the users' Login Items, and dragged the newly connected volume into Login Items. Logged out, back in, and the dialog box popped up to authenticate again.

You probably have some other issue (what I don't know). I run the latest El Capitan Server on a mini with a mixture of Sierra and El Capitan clients (later on systems too old to run Sierra). I use the login items as you do and haven't seen this issue with shares. I did see this issue with using the Server app remotely, but that went away when I removed all the keychain entries for the server (as you did).

 

[DEMinSoCAL]

You probably have some other issue (what I don't know). I run the latest El Capitan Server on a mini with a mixture of Sierra and El Capitan clients (later on systems too old to run Sierra). I use the login items as you do and haven't seen this issue with shares. I did see this issue with using the Server app remotely, but that went away when I removed all the keychain entries for the server (as you did).

So what I discovered after trying a few more things, is that even with the keychain having only one entry, and that entry stores the username as "domain/username", when this login pops up, only the username is populated, and it always only shows the username, not domain/username, and no password is there. So it seems it isn't getting it from Keychain.

Second weird thing, I can do a Connect to Server, and I have the SMB connection saved there so I just click connect, and it connects to it right away. No login box. It uses the Keychain entry correctly. I put that volume in Favorites (in Finder) and it works. I eject it. Then I click it again in Favorites (should remount), and it pops up the login dialog with just the username (not domain/username) and no password. So, again, it's not using the Keychain.

It's driving me crazy why these seemingly identical ways of mounting a volume are not doing it the same way!

 

[talmy]

So what I discovered after trying a few more things, is that even with the keychain having only one entry, and that entry stores the username as "domain/username", when this login pops up, only the username is populated, and it always only shows the username, not domain/username, and no password is there. So it seems it isn't getting it from Keychain.

Directory Server?

 

[DEMinSoCAL]

Directory Server?

Directory server points to the Mac server. But the volume in question is the Windows server.