Open Directory accounts suffer from slow internet

Question

Level 1

5 points

Open Directory accounts suffer from slow internet

I have been running an OS X 10.8.3 Mac Mini (with 1TB mirrored RAID drives) and Mac Server app on for a couple of months with no sign of this problem. Until the weekend just gone.

Initially the only noticeable problem was that the interent was very slow, often refusing to load pages, but without any error messages. This initially only affected one user account.

Then Safari started to crash / lock up and took the whole computer with it (a one month old 2013 iMac 27" with Fusion drive) causing me to have to force a shut down several times a day.

Poking around a bit (but not making any changes), I have discovered that the administrator account on the iMac (not via OD) works just fine, as does the admin account on my laptop.

Other user accounts are starting to experience slow internet and may go the same way as the account that is used heavily.

Since the local admin accounts are working fine on both computers, but the OD accounts are failing / starting to fail, am I safe in assuming that the problem is with the server?

What is the problem though?

I have not made any changes to the server configuration or to the configuration of the two computers I am referring to. The server runs 24/7 (I was advised to do this as CRON jobs run overnight...), back up from the server and computers are to an external HD attached to the server which also hosts the Software Updates of a spearte partition.

Any one have any ideas as this is making the main user account unuseable and the others seem to be going the same way...

Server-OTHER, OS X Mountain Lion (10.8.2), Server App on Mac Mini

Posted on May 29, 2013 12:30 PM

Reply

Answer 1

May 29, 2013 4:00 PM in response to Karl_B

Look for a DNS-level problem; a failed or wonky DNS server can make networking appear... slow.

Check the server logs for relevant errors, too.

Those Safari crashes imply something a little more serious; possibly a hardware or network issue?

If the box is a month old, call Apple Support and see if they have any suggestions.

Reply

Answer 2

cpragman

Level 2

465 points

May 29, 2013 6:54 PM in response to Karl_B

I experience similar behavior from time to time, but seem to have gotten to the source. I'm running apple's adaptive firewall on my server, mostly to thwart brute force SSH attacks. Since I turned on the adaptive firewall, the system is hyper-sensitive to my user's failed password attempts. The workstations in the office can sometimes get banned by the server due to too many failed password attempts. Once they are on the server's blacklist, they stay blacklisted for 15 minutes by the adaptive firewall. That also means that none of their DNS queries work, so they can't even access the internet (since the server is also serving DNS to the office).

At least for me, this whole thing seems to be caused by people clicking the "add password to keychain" box when they type in a network password to connect to a share on the server. Some days/weeks/months later, they change their network password, but keychain keeps silently offering up that old out-of-date password every time they try to access something on the server. In fact, there seems to be enough auto-retries happening behind the scenes, that they get banned for too many failed attempts very quickly.

If you know the internal IP address of the offending mac, and are running damptive firewall on the server, you can try "whitelisting" the offending mac, by issuing the following command on the server.

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 192.168.210.88

Reply

Answer 3

Karl_B Author

Level 1

5 points

May 30, 2013 3:25 AM in response to Karl_B

Thank you both for the responses - I'm afraid to say that I didn't understand much of either of them! Sorry.

It seems that it is only affecting one user (my account) on either computer that I have tried.

This morning I tried starting MS Word - and the computer crashed straight away. So it's not limited to Safari and does appear to be something to do with the server.

For clarity, it is the iMac that is a month old. The server is a used Mac Mini that I added two new drives to, reinstalled OS X and added Mac Server app on top of, so I can't get support for the server.

Passwords have not been changed since the server was set up and, as far as I know, I am not running Apple's firewall but relying upon my router to provide that function.

No new hardware has been added in the past three weeks (the last piece added was an external OWC hardrive to use as Time Machine backups & Software Updates storage) unless you count an USB Apple DVD drive that I plugged in to copy a couple of CD's to iTunes on the server and then unplugged again.

I can check the server logs (I think I know how to find those) but wouldn't know what I was looking for unless it was in capital letters, bold and highlighted in red...

Sorry, I'm no Mac or netwroking expert - I was duped by Apple marketing that their server app would be easy to admin for a non-techie...

Reply

Answer 4

Karl_B Author

Level 1

5 points

May 30, 2013 4:43 AM in response to Karl_B

Here is the DNS Service Log taken from the server app in the hope that it might mean something to someone...

May 30 00:30:19 macserver newsyslog[45193]: logfile turned over

30-May-2013 12:28:49.507 zone 0.0.127.in-addr.arpa/IN/com.apple.ServerAdmin.DNS.public: loaded serial 1997022700

30-May-2013 12:28:49.543 zone 2.1.168.192.in-addr.arpa/IN/com.apple.ServerAdmin.DNS.public: loaded serial 2013053001

30-May-2013 12:28:49.544 zone macserver.local/IN/com.apple.ServerAdmin.DNS.public: loaded serial 2013053001

30-May-2013 12:28:49.544 zone localhost/IN/com.apple.ServerAdmin.DNS.public: loaded serial 42

30-May-2013 12:28:49.545 managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: loaded serial 0

30-May-2013 12:28:49.545 running

30-May-2013 12:28:49.546 zone 2.1.168.192.in-addr.arpa/IN/com.apple.ServerAdmin.DNS.public: sending notifies (serial 2013053001)

Looking through the System Log (again from the server app) I noticed these (at about the time I started the computer and logged on for it to crash as soon as word was launched):

May 30 09:51:36 macserver.local ruby[73037]: CFPreferences: user home directory for user kCFPreferencesCurrentUser at /var/teamsserver is unavailable. User domains will be volatile.

May 30 09:51:37 macserver.local collabd[73037]: CFPreferences: user home directory for user kCFPreferencesCurrentUser at /var/teamsserver is unavailable. User domains will be volatile.

May 30 09:54:36 macserver.local ruby[73158]: CFPreferences: user home directory for user kCFPreferencesCurrentUser at /var/teamsserver is unavailable. User domains will be volatile.

I'm not sure if it is relevant, but the server is set up as a .local server. And had been running fine for a while.

Reply

Answer 5

May 30, 2013 10:05 AM in response to Karl_B

Don't use .local for your server's domain name. That'll eventually get tangled up, with weird problems. Possibly these that you're seeing. In general, do not "squat" in a domain that you don't have registered yourself, or don't have permission to use.

I can't tell from the log whether there are DNS errors.

Start with the following non-destructive, diagnostic-only no-changes-made command issued on the server, after launching Applications > Utilities > Terminal.app and see what's reported:

sudo changeip -checkhostname

But the Apple network engineers recommend against using .local for anything other than Bonjour, and even Microsoft — which had Windows Server "suggesting" use of the .local domain in the past — is coming around to a similar view in recent years.

If both Safari and Word are now crashing, you probably have a hardware problem somewhere, or a very serious software problem or curruption. While it's probably possible to occur, I've not encountered crashes secondary to DNS problems or to Open Directory problems, and haven't seen reports of anything similar in recent years. Hangs, wedges, login-box-shaking, etc., yes, but not outright application crashes. Hardware problems and network errors and WiFi interference and such can cause all manner of weird.

It's a new box, and likely within the hardware warranty and any AppleCare that's been purchased. Consider calling Apple Support directly, and have them troubleshoot this.

Reply

Answer 6

Karl_B Author

Level 1

5 points

May 30, 2013 1:34 PM in response to MrHoffman

Thank you for the clear and easy to follow instructions. Much appreciated.

I tried setting up something other than a '.local' server environment, but encountered problems and had to revert to the 'lowest common denominator' and one that worked. I really wish Apple Server lived up to the promises pf being easy to administer - even for non-techies like me...

Here's the full results from the sudo command you gave me:

Last login: Wed May 22 13:32:27 on console

macserver:~ NetAdmin$ defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

2013-05-23 09:03:02.931 defaults[30952:707]

The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, CatalogURL) does not exist

macserver:~ NetAdmin$

Last login: Tue May 28 11:54:37 on console

macserver:~ NetAdmin$ sudo changeip -checkhostname

Password:

Primary address = 192.168.1.2

Current HostName = macserver.local

DNS HostName = macserver.local

The names match. There is nothing to change.

dirserv:success = "success"

macserver:~ NetAdmin$

I'm a bit (in a minor way) worried that the Software Update catalog is not being discovered / seen. That could explain a different issue I have had when trying to update software through the App Store.

I've tried a couple of user accounts on the iMac today - and they seem fine!

I've also tried the problem account on a MacBook Pro, and that seemed fine as well (apart from issues with Word which may be due to a corrupt or missing database as the Microsfot Database Utiliy - that I am told to use to reapir the database - does not see any as being available).

I've logged a call back from AppleCare tomorrow evening, so we will see what they say about it.

Reply

Answer 7

cpragman

Level 2

465 points

May 30, 2013 2:10 PM in response to Karl_B

FYI,

Password server logs are at:

/var/log/secure.log

/library/logs/passwordservice/applepasswordserver.server.log

Reply

Answer 8

Karl_B Author

Level 1

5 points

May 31, 2013 7:05 AM in response to cpragman

Thank you.

I guess you mean to look at the server for these files?

Is so, apart from /var/log/secure.log not being there and having 6x ApplePasswordServer.Error.log files and 9 x ApplePasswordServer.Server.log files, what am I looking for?

Reply

Answer 9

May 31, 2013 7:07 AM in response to Karl_B

OS X Server is definitely not a no-IT solution.

All modern servers do expect some knowledge of DNS and IP networking however — and this is where many folks new to servers get tripped up — and there's no getting around that. There are a gazillion slightly different ways to set up DNS and IP networking, too, and there are some of the ISPs around — I'm looking at you, AT&T Uverse — that make documenting this network setup much harder than it really should be.

Here's a (long) write-up on OS X Server DNS configuration.

FWIW, if you ever plan to use VPNs, I'd also encourage you to get out of 192.168.1.0/24 subnet (and stay out of the 192.168.0.0/24 subnet) if/when you rebuild your DNS setup and your network. Those two subnets are very common in homes and coffee shops, and VPNs are based on IP routing and IP routing really doesn't like finding the same subnet on both ends of a connection; VPN routing gets tangled.

Reply

Answer 10

cpragman

Level 2

465 points

May 31, 2013 9:47 AM in response to MrHoffman

Love the plugh and xyzzy examples!

Reply

Answer 11

cpragman

Level 2

465 points

May 31, 2013 9:52 AM in response to Karl_B

Is so, apart from /var/log/secure.log not being there and having 6x ApplePasswordServer.Error.log files and 9 x ApplePasswordServer.Server.log files, what am I looking for?

The system automatically rotates the log files by compressing the current log file, appending a .1 to it, and then creating a new blank log file. Over time, the .1 file is demoted to .2, .2 demoted to .3, etc. The oldest file is deleted, when some predetermined limit is reached (limits set in /etc/newsyslog.conf). The current logfile is the one without any number after it.

You can examine these log files using the Console.app, or via terminal (using cat <filename> command). You'd want to look for errors reported in the same timeframe that you know your particular user was experiencing errors.

Reply

Answer 12

Karl_B Author

Level 1

5 points

Jun 1, 2013 4:35 AM in response to cpragman

I've had a look in the log files at the time that I used the problem account, and couldn't see anything untoward (bear in mind that I do not actually know what I am looking for).

Reply

Answer 13

Karl_B Author

Level 1

5 points

Jun 1, 2013 4:36 AM in response to Karl_B

I've also had a call back from Apple Support who have identified a problem with my server causing the slow interent to OD accounts. I have no idea what the issue is, he didn't look into that last night.

What he did do is delete a folder on: (Computer HD) > Users > (User Name) and create a new one.

This seems to have helped a bit as opening and running programmes no longer seem to crash the computer. But the interent access and network access still runs much slower than he expected (I had noticed the slow internet - but this is fine on the laptop connected wirelessly).

I still have slow interent and have on-going issues with Microsfot Word for Mac 2008. I've solved the 'normal.dotm' file problems and have been left with a 'database' issue on starting Word. I believe that if I delete the users 'Microsoft Word Data' folder and allow Entourage to rebuild it then copy the contentds back, it may solve the problem. However, I cannot seem to delete the folder as I do not have the correct permissions!

I have used 'Get info' to change permissions, but cannot add the computer administrator to the folder and am unable to delete it or modify it...

Seems I have a lot of issues that need dealing with...

Reply

Answer 14

Jan 17, 2014 9:14 AM in response to Karl_B

Our internet was slow and we made sure we added DNS 8.8.8.8 to server and client computer which helped users that upgraded to Mavericks.

Also, we upgraded our router to the new Apple Gen 6 (Tower) and noticed immediately after we could no longer connect to a shared folder from home. We all were using the same account to access it (using Filecute). We had no problem doing this before we installed the new router. We did try to set it up so that each of our accounts could access it...which seemed to work. We also note that the new Tower has dumbed down it's abilities for FTP and abilities to see traffic using traffic tools.

Not sure if this applies to your situation...but we found that upgrading to Mavericks and getting the new dumbed down Gen 6 tower within 3 weeks....really wreacked havoc for awhile..

Reply