Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » >>> Important: Mac OS X 10.6.8 update issues <<< (Important information for customers with Mac OS X installation.)
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
We've noticed some serious issues with recent Mac OS X 10.6.8 update for Kerio Connect installations on Mac OS X server. It affects installations which are authenticating users against Active Directory server via Kerberos.

Symptoms:
Users cannot login to Kerio Connect after upgrading the server to Mac OS X 10.6.8.

Details:
DNS resolver mDNSResolver on Mac OS X system is trying to locate the Active Directory server via IPv6 and this is causing severe delay in user authentication.

Recommendation:
Do not install 10.6.8 Mac OS X update on server.

[Updated on: Thu, 10 May 2012 10:04] by Moderator

  •  
PascalDorland

Messages: 4
Karma: 1
Send a private message to this user
Well, I guess I'm really up s..t creek here then...
Any suggestions on how I can reverse my installation of 7.2 on my 10.6.8 server?

Performed an update to 7.2 right before I installed the 10.6.8 update on my server here and now Kerio won't start...

[edit]
In activity monitor I saw two versions of Kerio running after the upgrade..
Killing the one with the highest PID seems to have done the trick for me..
After a while Kerio came back online...saving me a lot of sweat blood and tears!

[Updated on: Wed, 29 June 2011 23:19]

  •  
stk_jj

Messages: 47
Karma: 0
Send a private message to this user
This seems to be true for authentication against Active Directory. Using 10.6.8 and Kerio Connect 7.2 (not patch1) with authentication against Apple OpenDirectory works like a charm!
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
stk_jj wrote on Fri, 01 July 2011 18:40
This seems to be true for authentication against Active Directory. Using 10.6.8 and Kerio Connect 7.2 (not patch1) with authentication against Apple OpenDirectory works like a charm!


I strongly recommend to run patch 1.
  •  
Lyle M

Messages: 410

Karma: 7
Send a private message to this user
Is there any affect if IPv6 is disabled for the active network port in System Preferences?
  •  
Petr Dobry (Kerio)

Messages: 782
Karma: 61
Send a private message to this user
Lyle M wrote on Fri, 01 July 2011 22:15
Is there any affect if IPv6 is disabled for the active network port in System Preferences?


Unfortunately that won't help. mDNSResponder keeps asking for IPv6 even when IPv6 is disabled on all active interfaces.

Petr Dobry
Product Development Manager | Kerio
  •  
firehaus

Messages: 7
Karma: 0
Send a private message to this user
I hadn't seen this warning before doing the 10.6.8 update and while I had a similar issue it was with Open Directory and Kerberos not Active Directory. I was able to repair the connection between Kerio Connect and Open Directory which took a while. In the meantime the message queue starting filling up with messages sent to users whose accounts were effectively offline while the OD connection was being repaired and the problem seems to be continuing even after things have been repaired.
  •  
Lyle M

Messages: 410

Karma: 7
Send a private message to this user
Has anyone tried plunking the mDNSResponder from 10.6.7 into /usr/sbin/ ?
Since there are no launch parameters specified for mDNSResponder, this problem appears to be coded into the binary itself.
  •  
Tony Dennis

Messages: 7
Karma: 2
Send a private message to this user
Is this problem now fixed in KC 7.2.1, or does the problem remain?
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
Tony Dennis wrote on Tue, 12 July 2011 20:03
Is this problem now fixed in KC 7.2.1, or does the problem remain?


It is a problem of Mac OS X. It cannot be fixed in the product.
  •  
Justin Michael

Messages: 9
Karma: 0
Send a private message to this user
Quote:
Has anyone tried plunking the mDNSResponder from 10.6.7 into /usr/sbin/ ?


I tried this and it did not work.

However, I did resolve the situation, eventually, by reverting back to 10.6.7. Here's a step-by-step for those who need it:

Note: This is for Mac OS X SERVER 10.6.8, not client.

1. Clone the system drive to another drive (I used an external USB hard drive) using either Disk Utility or SuperDuper!

2. Boot off of your OS X Server install media (in my case it was a 10.6.0 disc).

3. Use Disk Utility to wipe the boot drive.

4. Install OS X Server onto the empty boot drive.

5. Toward the end of the install process it will ask you if you want to import/migrate settings from another server. Point it to the drive you cloned the system drive to in step 1. Note: You must complete the migration at this step; unlike client, you will NOT be able to migrate after Snow Leopard Server is installed.

6. Once the migration is complete update OS X up to 10.6.7 using the combo update from Apple's site (make sure you don't accidentally grab the 10.6.8 update!).

7. Reinstall Kerio 7.2.1.

Thats it! You should be back up and running. Note that a few low-level settings or configurations might not carry over through the migration. For example, I had a mssql module installed for PHP to use to access our MS SQL servers, and that didn't carry over at all. Also, on our Wiki server, I had to manually replace the themes directory from the clone (the wiki data itself was stored on an external drive in my case, and was not affected).

Also, Kerio, what the hell? Why is this authentication issue isolated to your product, and why can't you fix it? I had several other services (Apache, file shares, etc.) working just fine with Active Directory authentication under 10.6.8. Can you give us more technical details regarding the specifics of why Kerio doesn't function under 10.6.8?
  •  
Petr Dobry (Kerio)

Messages: 782
Karma: 61
Send a private message to this user
Justin Michael wrote on Fri, 15 July 2011 02:33
Also, Kerio, what the hell? Why is this authentication issue isolated to your product, and why can't you fix it? I had several other services (Apache, file shares, etc.) working just fine with Active Directory authentication under 10.6.8. Can you give us more technical details regarding the specifics of why Kerio doesn't function under 10.6.8?


It's not isolated to our product. The issue is there even if Connect is not installed. The problem is in OS X system libraries and we can't fix that.

If you run simple kinit command on 10.6.7 and 10.6.8, you will see the difference. On 10.6.8 it takes seconds and it's slow. On 10.6.7 you get instant response.

Petr Dobry
Product Development Manager | Kerio
  •  
sdmactech

Messages: 4
Karma: 0
Send a private message to this user
Does this issue effect only 10.6.8 SERVER running Kerio Connect, or would it effect a Mac running regular 10.6.8 and also Kerio Connect?

Would the problem manifest itself as 993 time out errors?

We have two locations running 10.6.8 and Connect and are effected by port 993 time out errors ever since 10.6.8 and Connect 7.2.1

Mac McAhren
TCM Consulting
  •  
Justin Michael

Messages: 9
Karma: 0
Send a private message to this user
sdmactech wrote on Sat, 16 July 2011 00:19
Does this issue effect only 10.6.8 SERVER running Kerio Connect, or would it effect a Mac running regular 10.6.8 and also Kerio Connect?

Would the problem manifest itself as 993 time out errors?

We have two locations running 10.6.8 and Connect and are effected by port 993 time out errors ever since 10.6.8 and Connect 7.2.1


The problem affects both 10.6.8 client and server. The instructions I posted were for server because that's the only system I have running Kerio (and, thus, the only one I had to fix or test with). I think reverting client 10.6.8 back to 10.6.7 is a simpler process, but I haven't personally done it, so I can't say for sure.

A thread, which I can't link directly to since I haven't posted five messages yet, on Apple's support forums details symptoms of the same issue, which seems to be a result of Apple updating the Active Directory plugin for Directory Services. You can find the thread and various other reports by typing the following into Google:

10.6.8 active directory

Unfortunately the same problem is also reportedly occurring in the GM seed of Lion as well. Yay.
sdmactech

Messages: 4
Karma: 0
Send a private message to this user
sdmactech wrote on Fri, 15 July 2011 15:19

Would the problem manifest itself as 993 time out errors?

We have two locations running 10.6.8 and Connect and are effected by port 993 time out errors ever since 10.6.8 and Connect 7.2.1


How does the problem manifest itself to the clients email program (Specifically Client running Apple Mail, attempting to connect to 10.6.8/Connect?)

Earlier in the thread, it was stated the problem was effecting Open Directory too .... we do not run Active Directory, and are getting 993 port timeouts eversince 10.6.8MacOS/7.2.1Connect install/upgrade.

Mac McAhren
TCM Consulting
Previous Topic: Kerio Connect 7.3.0 Beta 3
Next Topic: Tracing mail delivery
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sat Nov 18 09:34:43 CET 2017

Total time taken to generate the page: 0.00581 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.