
Security Update 2005-003 (#4): Continuing problems with (now pulled) Server edition


CNET staff

Originally posted, March 24th

Continuing problems with (now pulled) Server edition

Yesterday we reported that Apple pulled the Mac OS X Server edition of Security Update 2005-003, apparently due primarily to severe issues affecting Cyrus-based mail service reported here.

Now users are reporting a host of other issues with the Mac OS X Server version of Security Update 2005-003.

Active Directory binding

MacFixIt reader John Skinner reports an issue with Active Directory binding since applying the 2005-003 update, as well as a fix:

"I've been using Apple Active Directory plug-in for Directory Services to 'bind' a Mac to an Active Directory (AD) computer account ever since Mac OS X 10.3 came out. It (previously) worked like a charm. Users with an AD user account (in a specified AD group) could log on to a Mac that they never had before, and would have a local account created for them with administrative rights on the Mac. They could connect to network file shares without authenticating for each connection."

"Now after the latest 003 update, trying to bind a Mac to an AD computer account stopped working. It gave me an error at the last stage of the bind saying that the user account didn't have sufficient privileges (referring to the AD user account I supplied) to join the Mac to the AD computer account.

"So, I called up a network administrator to help me troubleshoot it, and here is what we found out: When you create the computer account in AD, just like always, it inherits the permissions of the OU it was created in. The admin group I am a member of has full permissions on this OU, so the group was added to the computer account with full permissions.

"Before the Apple Security Update 2005-003: The Apple AD plug-in would be fine with this and realize that the AD user account supplied during the bind was in an AD group that had sufficient permission to join the Mac to the AD computer account.

"After the Apple Security Update 2005-003: The Apple AD plug-in will not check to see if the AD user account supplied during the bind is a member of an AD group with sufficient permissions to join a Mac to the AD computer account.

"The Fix: The way we were able to get around this was to give my AD user account full permissions for the AD computer account I was trying to bind the Mac to."

Virtually all networking services lost

Meanwhile, a handful of readers are reporting loss of virtually all network services, save DNS and Web services. MacFixIt reader Cory writes:

"Not only do I have the broken IMAP/Accounts issues already reported, it has totally taken down my access to Server Admin, Server Monitor, ARD, FTP, Telnet, and SSH. The only services still running are DNS and Web.

"I believe it has taken down servmgrd, postfix/master, etc. I did the normal, preinstallation maintenance sequence - backup, repaired permissions, installed update, restarted, repaired permissions, restarted again. When I noticed that the mail accounts weren't showing in Server Admin, I stopped the Mail service to look into it and possibly rebuild. As soon as I did this, I was locked out and haven't been able to get back in."

Cyrus data files preserved after downgrade?

Meanwhile, yesterday we noted that reverting to a version of Mac OS X Server 10.3.8 that does not include Security Update 2005-003 (per instructions in the tutorial "Reverting to an earlier version of Mac OS X") resolves nearly all difficulties introduced by the update.

However, some readers have now noted that performing this reversion process will leave Cyrus data files in a post-update state, barring their compatibility with the reverted system.

MacFixIt reader Jed Davidow writes:

"I called Apple Tech support last night because after running the update our server no longer connected to port 143 and 110 requests.

"Apple support told me they had taken down the update after I gave them my info [...] I had not done a backup directly prior to the update."

"I asked one very important question: If I rolled my system back to the original installation or 10.3.6, could I then use my Cyrus data files? They told me that the Cyrus mail data files had been updated with the patch and that they would not work on a previous release. [...] That is, upgraded mail files may not be backwards compatible."

UPDATE: We've now confirmed that the downgrade process will not render Cyrus data files unusable. As such, we recommend that users who experience major mail service problems after Security Update 2005-003 revert to a Mac OS X installation sans-update.

Feedback? Late-breakers@macfixit.com.
