
foidulus

macrumors 6502a
Original poster
Jan 15, 2007
904
1
Anyone else as frustrated as I am with the bugfest that is the OS X Server?

My bosses (against my wishes) decided that we were going to use Macs for our LDAP implementation instead of Linux boxes. It has been nothing but trouble from the get-go.

The most disappointing aspect is that if it actually worked, it would be a very innovative and great way to do server admin, but the problem is the thing just plain doesn't work. It's constantly beset by problems, and if the GUI even reports an error (which it often won't, it will just go along and say nothing when there are issues) it's often an obscure error code that Apple's site doesn't even say much about. I have to give a big presentation on Friday and I am running into every conceivable error, often the best way to fix is just to re-install. I feel like I'm working with a Microsoft product, not the well polished and functional product that I am accustomed to Apple delivering.

They have had known bugs for YEARS in Tiger and still haven't (and probably never will) fix them! Major things like time zones resetting, which can cause significant havoc on production systems, they don't seem to think is a big deal. I have never had a Linux box randomly reset the time zone back to Cupertino......

Anyone else have nightmarish experiences with Apple's server products?

I am a young software engineer, and as much as I love Apple I can never, EVER recommend that anyone I work for use Apple server products. Apple has clearly shown that they just don't care about it. Linux for the win!

I am a young
 

twoodcc

macrumors P6
Feb 3, 2005
15,307
26
Right side of wrong
I personally have tried to set up an OS X Server several times, and with almost no success. Even messed up my client machines trying to connect to the server!

But I'm still hoping to one day figure it out
 

fall3n

macrumors 6502
Aug 17, 2006
392
0
I have a couple running just fine. What services exactly are you trying to set up? For most issues refer to the logs provided by the service, they do help immensely.
 

Zjef

macrumors newbie
Feb 4, 2008
21
1
Personally, I think OS X server is the least 'Mac' product I have ever used.

The issues I came across setting up OD were tremendous. Despite the fact that I spent hours studying the support documents and discussion forums on the Apple site, there was always 1 more thing (issue) around the corner.

At first DNS wasn't working -> solved that one
Then Kerberos wasn't working -> solved that one
Couldn't create network home folders -> solved that one
...
At the current moment, when a client logs in, the home folder isn't accessible when logging in from a different (client) computer at login. It is accessible and usable when connecting manually.

Also, the interface is not up to Apple's standards.
For instance when the SMB or any other protocol isn't activated, you still are able to set some settings in the Open Directory pane regarding these protocols. There are at least a dozen other GUI inconsistencies.

As much as I like working with most of Apple's products, this one is a disappointment.
 

Cromulent

macrumors 604
Oct 2, 2006
6,813
1,100
The Land of Hope and Glory
Despite OS X Server having nice GUIs for a lot of things, it still requires a lot of command line administration. I believe it is a well known fact that the GUI has problems. A little foray into Terminal with vi and you should be able to sort out most of your problems.
 

Zjef

macrumors newbie
Feb 4, 2008
21
1
Ok, I can agree that using the command line is the way to go (a bridge too far for me).

But isn't the point of Apple's advertising that the solution they have come up with is that rock solid that you don't need to use the command line at all? And to elaborate, they even promote the standard and workgroup setup which is even worse than the advanced one.

Anyway, anyone who would like to help me out, I'm willing to document everything I have so far in detail. Just give me a sign.
 

miniConvert

macrumors 68040
I use it for OD/LDAP, too.

I never actually sorted out the DNS stuff, as thankfully it's all working fine regardless (despite some errors in the logs about it). Your home folder issue sounds interesting! I wouldn't really know where to start, most of my initial issues happened due to my IP changing as we moved between several ISPs.

It's working really well now, though!
 

budward

macrumors member
Mar 8, 2006
34
0
Wow, no kidding..

I feel like I'm working with a Microsoft product

No kidding. I have had this same feeling. OS X Server (Leopard) is not production ready. Stick with Linux or FreeBSD.

I don't have the time to tell you all the issues we have had with OSX Server Tiger/Leopard.

Problems right now..

Major:
Date/Time Bug, 1 minute = 55 seconds (is accumulative)
Server Admin is not usable, start it and painfully slow.

I prefer never to use anything Apple makes in the server environment, just not worth it since they can care less about their business class customers.
 

blinkylight

macrumors newbie
Feb 4, 2008
3
0
MA, USA
I use it for OD/LDAP, too.

I never actually sorted out the DNS stuff, as thankfully it's all working fine regardless (despite some errors in the logs about it). Your home folder issue sounds interesting! I wouldn't really know where to start, most of my initial issues happened due to my IP changing as we moved between several ISPs.

It's working really well now, though!

If you don't sort out the DNS stuff, there are many things that just won't work when you want them to. You should try to get the forward & reverse DNS working, then also you can turn on Open Directory and your Kerberos won't report that it's not working.

Unfortunately, in 10.4 it's a major pain to get the name services working right unless you like the command line and reading error logs. 10.5 does try to make this more straightforward with some reasonable feedback though.
 

foidulus

macrumors 6502a
Original poster
Jan 15, 2007
904
1
Despite OS X Server having nice GUIs for a lot of things, it still requires a lot of command line administration. I believe it is a well known fact that the GUI has problems. A little foray into Terminal with vi and you should be able to sort out most of your problems.

The biggest problem with the GUI imo is that it doesn't usually tell you when it fails to do something, or if it does, the error is relatively meaningless. I think that poor error messages are a huge problem across the industry, but Apple's server takes the cake. You can be setting one up, thinking everything is fine because the GUI tells you everything is fine, then when you try to actually do something it fails and you have to backtrack over everything you did to try to find what went wrong. And it seems at least in my experience, if you mess up step 2, then go to step 12, you have to start all over again.

I have nothing against the command line, in fact I like it better, but echoing another person's sentiment: why would I use OS X Server if I am going to do everything on the command line anyway? I can do that in Linux, and frankly the support environment, both free and commercial, is much better with Linux than OS X.

If the GUI actually worked, it would be a revolutionary step in server management. Theoretically it's the perfect system, you can take it out of the box and be running a fully kerberized and encrypted Open Directory system in a few hours tops, but the thing just doesn't work and becomes an exercise in frustration.
 

Evangelion

macrumors 68040
Jan 10, 2005
3,376
184
NTP. Really, servers and clients should not be left to manage time on their own.

One could say that NTP merely fixes the symptom (wrong time), not the cause. While NTP is a Good Thing, the server should IMO be able to manage the time on their own. What if you want to use the server as a master NTP-server?
 

Eidorian

macrumors Penryn
Mar 23, 2005
29,190
386
Indianapolis
One could say that NTP merely fixes the symptom (wrong time), not the cause. While NTP is a Good Thing, the server should IMO be able to manage the time on their own. What if you want to use the server as a master NTP-server?
I believe our time server gets its date/time from other time servers. :rolleyes:

timehost.math.purdue.edu
 

0racle

macrumors regular
Jun 20, 2007
115
0
North Carolina
One could say that NTP merely fixes the symptom (wrong time), not the cause. While NTP is a Good Thing, the server should IMO be able to manage the time on their own. What if you want to use the server as a master NTP-server?
Because of the way the real world unfortunately works, no 2 servers will ever have the same time left on their own. This makes things like coordinating log file events and Kerberos either difficult or outright fail if the difference becomes too large.

An NTP client can also be an NTP server, this is how NTP works.

I believe our time server gets its date/time from other time servers. :rolleyes:

timehost.math.purdue.edu
Exactly.

We have an Active Directory domain here, as well as Linux servers, an OS X Server and OS X Clients. Since the Domain Controller is going to be the master time source for all the Windows machines, we use it as the time source for everything. To keep its time correct, it syncs up to a stratum 2 NTP time server.
 

ChrisA

macrumors G5
Jan 5, 2006
12,917
2,169
Redondo Beach, California
...What if you want to use the server as a master NTP-server?

The purpose of NTP is to keep time synchronized between two systems. NTP servers know nothing about the real "true" time. They only know how to sync to something else. Not even the level zero servers know. So if you did want to set up a master server (I assume you meant "level zero server") you would still need a source of time. Most people today use a GPS receiver for that purpose.
 

ChrisA

macrumors G5
Jan 5, 2006
12,917
2,169
Redondo Beach, California
My bosses (against my wishes) decided that we were going to use Macs for our LDAP implementation instead of Linux boxes. It has been nothing but trouble from the get-go.

Can't you just download the OpenLDAP sources and pretend you are using Linux?
This way both you and your boss are happy. You get to use the same software as you would have under Linux and it's running on a Mac.
 

xparaparafreakx

macrumors 65816
Jul 29, 2005
1,273
1
Been using OS X Server with LDAP and OD. Took me a while to learn it but being young, I follow the manual ideal situation for K-12 and it worked.
 

Skaffen

macrumors newbie
Feb 4, 2008
3
0
Major:
Date/Time Bug, 1 minute = 55 seconds (is accumulative)
Server Admin is not usable, start it and painfully slow.

That Date/Time issue affects a very limited number of Macs (the new Penryn Macs) and there is a (relatively) trivial workaround for that problem until 10.5.2 comes out - use NTP. Not had a problem with Server Admin under 10.5 and 10.5.1 so can't comment on that really.
 

Skaffen

macrumors newbie
Feb 4, 2008
3
0
The biggest problem with the GUI imo is that it doesn't usually tell you when it fails to do something, or if it does, the error is relatively meaningless.

What particularly meaningless error messages are you getting? Most are either listed online or in the appropriate documentation/man pages. DirectoryService has a lot of fairly scary looking error codes but a man DirectoryService will give you a lot of info about them.

If the GUI actually worked, it would be a revolutionary step in server management. Theoretically it's the perfect system, you can take it out of the box and be running a fully kerberized and encrypted Open Directory system in a few hours tops, but the thing just doesn't work and becomes an exercise in frustration.

I've set up an awful lot of servers and so far this year 8 or so Leopard servers. There are a few bugs with Leopard server at the moment, but they actually mostly seem fairly minor (there's an irritating SMB ACL issue) and there are fixes due. Open Directory has always been absolutely rock solid for me as long as you follow Apple's guidelines closely. You need forward and reverse DNS names before you touch OD, and you need to make sure that hostname in the Terminal is matching your DNS entries. Any IP or hostname changes are better changed using changeip etc. There's quite a few requirements but as long as you follow through the steps carefully then OD will pop up with Kerberos running away nicely in under 10 minutes.
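
A preflight check for the requirement described in the post above (forward and reverse DNS both present and matching the server's hostname before Open Directory is enabled), as an added example that is not part of the original post. The function name `check_fcrdns` and the zone data are constructed for illustration; by default it uses the system resolver.

```python
import socket

def check_fcrdns(hostname, forward=None, reverse=None):
    """Return a list of problems; an empty list means forward and reverse DNS agree."""
    # Default to the system resolver; the lookups are injectable for offline runs.
    forward = forward or (lambda h: socket.gethostbyname_ex(h)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    norm = lambda name: name.rstrip(".").lower()
    problems = []
    if "." not in hostname.rstrip("."):
        problems.append(f"{hostname}: not fully qualified")
    try:
        addrs = forward(hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        return problems + [f"{hostname}: no forward (A) record"]
    for ip in addrs:
        try:
            ptr = reverse(ip)
        except OSError:  # socket.herror is a subclass of OSError
            problems.append(f"{ip}: no reverse (PTR) record")
            continue
        if norm(ptr) != norm(hostname):
            problems.append(f"{ip}: PTR is {norm(ptr)}, expected {norm(hostname)}")
    return problems

# Constructed sample zone data (documentation-reserved names and addresses).
SAMPLE_A = {"od1.example.com": ["192.0.2.10"],
            "od2.example.com": ["192.0.2.11"],
            "od3.example.com": ["192.0.2.12"]}
SAMPLE_PTR = {"192.0.2.10": "od1.example.com.",
              "192.0.2.11": "mail.example.com"}

def sample_forward(host):
    if host not in SAMPLE_A:
        raise socket.gaierror("name not found")
    return SAMPLE_A[host]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror("no PTR")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    for host in ("od1.example.com", "od2.example.com", "od3.example.com", "server"):
        issues = check_fcrdns(host, sample_forward, sample_reverse)
        print(host, "OK" if not issues else issues)
    # Against live DNS: check_fcrdns(socket.gethostname())
```
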
 

Evangelion

macrumors 68040
Jan 10, 2005
3,376
184
I believe our time server gets its date/time from other time servers. :rolleyes:

timehost.math.purdue.edu

What if timehost.math.purdue.edu ran OS X? Could we trust it? THAT is my point! The argument presented here is that "the server can freely think that 1 minute is 55 seconds long, since we use NTP for timekeeping"... Am I the only one who thinks that that is a HUGE problem that is being "fixed" by relying on NTP? It's like "fixing" security-holes in Windows by running antivirus.

This isn't rocket-science people. A server should be able to keep track of time on its own. Yes, it makes sense to use NTP when needed, but it still doesn't mean that the server itself should think that 1 minute consists of 55 seconds.
 

Eidorian

macrumors Penryn
Mar 23, 2005
29,190
386
Indianapolis
What if timehost.math.purdue.edu ran OS X? Could we trust it? THAT is my point! The argument presented here is that "the server can freely think that 1 minute is 55 seconds long, since we use NTP for timekeeping"... Am I the only one who thinks that that is a HUGE problem that is being "fixed" by relying on NTP? It's like "fixing" security-holes in Windows by running antivirus.

This isn't rocket-science people. A server should be able to keep track of time on its own. Yes, it makes sense to use NTP when needed, but it still doesn't mean that the server itself should think that 1 minute consists of 55 seconds.
All hardware clocks are going to have some drift from the "true" time. Barring some bizarre lack of connectivity you're going to get permission to use higher level NTP servers to get the time from them. Your server is going to calculate the time at your location using the time it obtained and factoring in network latencies. After that your clients would use NTP to get their time from your server.

http://en.wikipedia.org/wiki/Network_Time_Protocol#Clock_strata

It's only for synchronizing your clocks as it is.
 

foidulus

macrumors 6502a
Original poster
Jan 15, 2007
904
1
What particularly meaningless error messages are you getting? Most are either listed online or in the appropriate documentation/man pages. DirectoryService has a lot of fairly scary looking error codes but a man DirectoryService will give you a lot of info about them.



I've set up an awful lot of servers and so far this year 8 or so Leopard servers. There are a few bugs with Leopard server at the moment, but they actually mostly seem fairly minor (there's an irritating SMB ACL issue) and there are fixes due. Open Directory has always been absolutely rock solid for me as long as you follow Apple's guidelines closely. You need forward and reverse DNS names before you touch OD, and you need to make sure that hostname in the Terminal is matching your DNS entries. Any IP or hostname changes are better changed using changeip etc. There's quite a few requirements but as long as you follow through the steps carefully then OD will pop up with Kerberos running away nicely in under 10 minutes.

For one, I am trying to enforce account lockout after 3 failed attempts. I click the button on the passwords policy setting pane in Server Admin, and then click "save", the wheel spins and it saves, and of course unchecks the selection I JUST made without even the slightest hint that something went wrong.....not the behavior I expect from an Apple product.
 