File Sharing Difficulties Frustrate Tiger Admins

rmallico wrote in to mention a story currently running on Eweek about technical difficulties sites running Tiger are experiencing. From the article: "A number of sites running Apple's new 'Tiger' operating system are experiencing problems with SMB file sharing and authentication with Microsoft's Active Directory, Ziff Davis Internet News has learned. Although Apple Computer Inc.'s Tiger increases support for Server Message Block file sharing and Active Directory, several sources say that the Finder fails to log on to Windows and Linux Samba file servers."

Oh, right, error code -36!

[xiando]

The most interesting thing I noticed in the article was actually that the error message for the Connect to Server failure is "error code -36". A friend of mine who uses Mac OS X has always complained much about how the Mac never tells you anything about what is actually wrong, only gives you a number that is in no way useful for solving the problem. It is amazing this is still the case in Tiger, what in the world would be wrong with giving at least a tiny bit of information or just a hint of what is wrong? Even the good old Windows blue screen is more informative than "error code 4".

Re:Oh, right, error code -36!

[FidelCatsro]

Its actualy very usefull if you have a list of the error codes and what they mean.
http://www.appleerrorcodes.com/

Re:Oh, right, error code -36!

[moonbender]

Error -1, I will never forget you.

Re:Oh, right, error code -36!

[Aphrika]

It is useful until you find that error -36 is written up as:

-36 ioErr I/O error

It'll point you in the right direction I guess, but it's by no means a definitive description of the error.

I must admit that I'm a little baffled as to why Apple don't include better error reporting and descriptions in OSX. It is because they are still assuming these kind of errors will only be seen by techs that know what they mean, or are they still living in a world where they refuse to acknowledge that Macs do throw up the occasional message to the user?

Re:Oh, right, error code -36!

IO error can not read or write to the directory . meaning it is not there , the reason for this is Apples implementation of samba on tiger requires the full path

Re:Oh, right, error code -36!

[FidelCatsro]

More info can be obtained from console.app in the Utilities directory under Applications(/Applications/utilities , or just go through the system logs from the terminal , but console.app is a rather nice time saver), its just a colection of the systems logs but its rather usefull and searchable .
It does give a more detailed output. for example when i try to connect to my existant SMB share it gives me

May 7 11:32:53 Xcomp kernel[0]: netsmb_dev: loaded
May 7 11:32:53 xcomp[0]: netsmb_dev: loaded
May 7 11:35:39 xcomp[0]: smbfs_aclsflunksniff: user sid S-1-5-21-2466424394-2119469220-2469460652-2002 didnt map

I would have given an example of the error output from the specific problem , but i am doing some work on the linux comp that runs my nfs and samba shares right now .

Re:Oh, right, error code -36!

[Megane]

Those low negative number error codes date back to 1984 with the original release of the Macintosh, but usually only a few come up. When you see them with OS X, you know you've got something with roots in the old days, like the HFS file system. And then there are the larger negative numbers (usually 4 digits) from when blocks of error codes were assigned willy-nilly to stuff like the Appletalk network stack and AFP file sharing.

And -36 doesn't help even if you know what it means, because it's just a generic "I/O error". Originally it was for media problems (like an unreadable floppy), usually accompanied by strange sounds from your disk drive, but for a network file system it's kind of silly. So even the old-timers say "yeah, that sure tells me a lot".

Other -3x range errors include file not found (-34?), end of file (-39?), and file name too long. Another good one is -50, parameter error. Well, duuuuuuh, which parameter? What's wrong with it?

The worst one to see is -127. That one means your file system data structures are in deep doodoo.

But seriously, the days of 400K floppy disks are long gone. It's total laziness that nobody bothers to print a text error message along with the number. I've been doing that in my own code since the days of 800K floppies. Even printing out the ten most common error messages as text helps most of the time.

Re:Oh, right, error code -36!

[jellomizer]

Well I don't agree with your idea of Apple's mantra 'Users are Idiots' I use to but it is more of mantra 'Don't make it needlessly difficult to do common tasks'

As a programmer I will often give me error numbers because when I need to fix it the error numbers help me find it in the code quicker. And when I give more detailed error messages. The users will try to analysis my message outside of the context of my code and try to fix it them self. So if I put an error message "Out of Allocated Memory" except for error 49112, the user will go out and buy some more ram hoping it will fix the problem except for going to me and saying hey I have an error 49112 where I will know that I will need to change my code to either be more memory efficient in an area or allocate more ram.
It is not a situation that the User is an idiot it is that they may not have the context of how things are running in the programming level. So when they see an IO error they will go trying to fix there network cards, reinstall their printers and other drivers before reporting the problem with the program.

Re:Oh, right, error code -36!

[hey!]

They're just pandering to the Geek crowd.

"Oh, yeah, -36, that's an I/O Error. Check the logs, then sacrafice a pure white chicken under the full moon and pour its blood into the NT server."

They're just trying to rope in the Geeks along with their artsy-fartsy core fanbase, with the hope that some will mate, producing a new generation of geeksy-farts ultracustomers who will be irresistably drawn to Apple's unique blend of superior design and industrial strength Unix aracana.

Re:Oh, right, error code -36!

[As+Seen+On+TV]

Actually what the spinning cursor icon means is that the program that has focus has events waiting to be processed by the run loop. That cursor appears automatically when an event waits for longer than a hard-coded threshold ... I think it's three seconds, but I doubt myself and I don't feel like looking it up right now. It would usually happen when the process was waiting for a kernel lock for some reason, usually disk or network I/O. The incidence in Tiger should drop dramatically thanks to finer-grained kernel locking.

Admittedly this is an esoteric implementation detail. It's not really meant to communicate anything to the user other than "I'm waiting."

Here's a bet:

[Capt'n+Hector]

Whatever the issue is, my guess is Apple will have it fixed within the month. It's possible they will have a patch out by the end of next week. It's just a bug, and last time I heard, unless active measures need to be taken by network admins NOW to shore up potential security issues, bugs aren't news. Major new OS versions will always have wrinkles to iron out, stop the presses!

Re:Here's a bet:

[Graymalkin]

So, say it worked great in all beta builds until the gold master. It had been tested and came up green so in latter beta builds it wasn't tested anymore because it worked. Then say sometime between the last beta build and the GM (which are a few builds apart) a butterfly flapped its wings bug caused SMB mounting to break in Finder. Errors happen because systems are complex and there's dependancies that depend on more dependancies, a error in the chain can cause really weird errors in seemingly unrelated parts of the system.

Your car analogy is flawed. New cars do have bugs when they roll off the lot. You would be really surprised at the number of real issues every car or every batch of cars has off the factory floor. Many times however these flaws and bugs don't crop up and cause a noticeable problem for a long time if ever. There are some problems that do crop up quickly however. It would be one thing if the manufacturer ignored this and went on its merry way. It is entirely another if they repair your car for you. I just had the dome light fixed in my car because of a faulty latch, should I be screaming about the manufacturer not having any QA? No.

The car analogy also falls flat when compared to something as easily changed as computer software. A patch containing the repair can be very small and be distributed to millions of affected users very quickly. If your car is in the shop for a week you're out one car. If SMB shares don't show up in Finder's Browse window properly you're not out SMB shares as you can work around the problem if need be.

Re:Here's a bet:

[eraserewind]

It had been tested and came up green so in latter beta builds it wasn't tested anymore because it worked.

No offense, but what the hell sort of software engineering practice do you call that?

Work-around

[Noksagt]

Easy workaround:
Command-K to bring up the connect menu and type in the full address INCLUDING THE SHARE NAME:

smb://SERVER/folder

Re:Work-around

[Noksagt]

Also note that you can also do it on the CLI. Open up term and do a:
$ mount_smbfs -W workgroup //user@SERVER/folder ./mntpoint

Opposite Experience

Weird, I've found with Tiger that Windows file sharing has been easier, although I don't use Active Directory. With Panther my password was never remembered by Keychain, despite clicking the option to enable it. With Tiger my password is remembered. It also finds my Windows shares automatically, whereas with Panther I had to manually connect by entering IP addresses.

Anecdotal...

[Shag]

One friend indicated that things refused to work in plaintext-password mode, but once he turned on encrypted passwords, they worked fine.

I'm not sure whether he had to turn on the encrypted passwords at the Mac end or the PC end, but I seem to recall thinking "gosh, imagine that, doing something the secure way."

Not sure if it's this...

[mferrare]

I had a problem with 10.3 authenticating to a W2k3 AD server and mounting shares. Turned out I had to modify the Domain Controller Security Policy on the server and set Microsoft Network Server: Digitally Sign Communications (always) to Disabled. I am now running 10.4 and I have no problems connecting to this w2k3 server.

I got this solution from here by the way. Thanks to Drew McLelland.

I fixed my problems

[mr_zorg_mobile]

I had this problem too after upgrading. I found that deleting my SMB keychain entries solved it allowed me to login again (after getting my admin to unlock my account from all those failed attempts).

Re:Samba supports it

[spauldo]

The admin's wrong. Samba can do it now, although in all fairness it took a while after active directory was released for it to be able to work with it well. He's probably just basing that on old information.

As far as the protocol, SMB is (IIRC, I could be wrong) an IBM-designed protocol. It's been around for ages - hell, NT domains were just hopped up lan manager networks. The authentication in active directory uses a slightly modified form of kerberos - also an open protocol. They have tried to put a few legal barriers in the way, but those have been mostly ineffective.

Now, there is another possibility - it might be against policy at your university for non-windows machines to authenticate. If it's set up so that all machines have to be added to the tree by an admin, it's certainly enforcable, and thus your admin would be right in that particular case. He's just not right in the general case.

Re:Samba supports it

[CowbertPrime]

hi. AD is just LDAP with some extra cruft/bloat/stuff added; which is mostly documented anyway. Your IT department is clueless. You can also fall back to kerberos (which despite the FUD, interoperates with the majority of MIT Kerberos V implementations), if you did not have a functional (Open)LDAP infrastructure.

Finder and Linux Sambda shares

[reddish]

On a related note: I'm seeing really bad performance when copying a file from a Linux Samba share to my OSX machine (roughly 100 kb/sec, if that). Oddly enough, file uploads are ok (megabytes per second). Odder still, if I open a terminal and copy directly to my machine from the Samba share mount point, incoming copies are fast too. This has been going on from at least 10.2, and much to my dismay it is still an issue in 10.4. This really seems like the Finder is trying to talk Sambalese by itself (and does so differently than the SMB filesystem driver). Has anyone else noticed this behavior (and, perhaps, solved it)?

I don't use samba anymore

[Sarin]

I used to work with samba, having a linux fileserver and a mac osx powerbook, but recently I started working with nfs. It seems a bit faster and more stable. When I change some file on the server, it's directly visible in finder - without having to refresh it.

I also was annoyed the fact when I turned my powerbook on after it went to sleep it would give me a lot of errors about unmounting a network drive. This also was the case with tiger. With nfs, those problems are gone an nfs mount will stay active after the powerbook comes back from sleep.

History of SMB problems with OS X

[tyagiUK]

I first started using OS X in the early days of 10.2 (yes, a relative latecomer). This was when my wife bought an iBook (after some *ahem* guidance... read encouragement) for studies she was undertaking. When she wasn't working on it, I got to play and set to work integrating it with our home network.

The pain I had getting SMB to perform acceptably under 10.2 nearly put me off OS X. Basically, the way that 10.2 handled mounting network filesystems really sucked. It was unreliable and often left the system hanging with a spinning beachball (the Mac equivalent of an egg timer). Often, powering off was the only solution.

This was fortunately fixed later on in the 10.2 lifecycle with some networking updates. Things got much better from then on.

When I got my own iBook several months later, it arrived with 10.3. This release seemed to have a reasonably good SMB implementation, but the performance was truly sucky. File transfer speeds between the iBooks and my Linux-based Samba server were low, but at least mounting was reliable.

As 10.3 progressed, this problem went away and performance/reliability are currently both very good. It means I can use SMB between my Linux server and both iBook and Windows XP clients. All works just fine.

I am, however, considering a move to WebDAV for file sharing on the network. WebDAV is a nicely lightweight protocol and has the benefit of being an open standard. Most good implementations are open source too. There are also client libraries for most decent scripting/programming languages. The added benefit is that you can integrate the WebDAV server in to OS X to perform iSync backups of your system and do calendar sharing etc. All nice, geeky, stuff.

The only major problem I can see at the moment is that the way the WebDAV server interacts with the underlying filesystem is a bit complex, given that my server runs under Apache. The model it appears to assume is that the server will have a dedicated directory or area for WebDAV files, and not simply share out a user's home directory or a backup drive.

I do need to go and RTFM, however.

Re:A typical slashdot response.

[elecngnr]

I will just say at the beginning of this post that I am a fan of Apple products. I try not to jump in on every Apple story on this site because I think there is enough preaching to the choir on this site. Having said that, I will continue on this thread. I have used Windows machines for many years in addition to using Apple. The reason why there is no huge uproar, in my opinion, is because I know it wll be fixed soon. I also know that the fix will make the product better (i.e. it will NOT be SP2). It is not so much that we are brain dead followers....I would not just drink some kool aid if Steve asks me to....I think many of us have just had good experiences with their products. I upgraded to Tiger on Monday of this week. I expected some hiccups and there have been a few. However, they are not major hiccups and I do not expect to be dealing with them for long.

Should all new software have bugs?

[guet]

Perhaps they need to do more automatic regression testing (daily) on each build then?

I think the car analogy is (for once : ) a good one. We have come to expect failure from Software, and that shouldn't be the case - it should be very rare, not inevitable with each new release. They did rush the release of Tiger, and certain things suffered for it. Yes they will probably fix it quickly, but it'd be nice if they had a more extensive testing program, with sufficient time alllotted to do the QA work, for catching regressions like this.

No Admin worth their salt installs a new OS

[Beebos]

If an "admin" installs a brand spanking new OS immediately after release, that admin should have his pocket protector taken away from him. Particularly if one is working in a business or other mission critical environment, installing new OS without giving time for new bugs to be discovered and addressed is a sure sign incompetance.

Re:No Admin worth their salt installs a new OS

[caseih]

This is surely true, although Apple apparently does not think so. Recently I received two e-mails from Apple's development team regarding bug reports that I and others have filed for Panther Server regarding critical OpenLDAP bugs. In a nutshell the e-mails said, "we think the bugs don't exist in Tiger Server. Please upgrade to Tiger Server and tell us if this is the case." I was stunned. I sent them a strongly worded response to tell them that this was not acceptable. Apple just doesn't yet understand what it takes to produce Enterprise software. We need very long support lifetimes (3-5 years minimum) and upgrading major OS versions outside of normal hardware replacement cycles (with proper testing) is *never* done except in extraordinary circumstances. Right now I am very unhappy with Apple. Does anyone even know what the life expentancy of Panther Server is? What about Tiger? I can't find this information anywhere and Apple has not yet responded to my queries. Judging by the terrible LDAP problems I had with OS 10.3 (not fixed until 10.3.9!) I am in no hurry to put Tiger Server into production. I learned my lesson the hard way.

Now that AFP support under linux is much better, I'm almost certainly going to go back to Linux for my main file servers. At least it is a known quantity.

Wait a minute...

[catdevnull]

Hey, I like Macs. I think Apple rules the roost in the OS world, etc. But hey, reality check:
SysAdmin Rule #1: If you depend on it, and it works fine the way it is, don't mess with it. [If it ain't broke...]
SysAdmin Rule #2: If you want to mess with it, test it before deploying it.

Why the hell did people install a .0 release and expect that it would not be without bugs? I say if any sysadmins out there were silly enough to make a hasty upgrade before testing (ignoring the above caveats) they deserve the problems they're experiencing.

We waited to deploy WinXP until the first service pack was released--and that saved our ass. I think it's ignorant to ignore that principle on the Mac side as well--esp. with a major update.

Early adopters are unpaid beta testers. Congratulations--you found the bugs!

Apple or not...

[phillymjs]

...you're a fool and deserve everything you get if you put a week-old OS on production hardware without doing non-production testing or having a fall-back.

If you insist, however, do it right. Prep a build of the new OS and put it on its own hard drive in the machine of your one or two most clueful end users. Let them beat on it for a while and document their problems/questions as they try to do their work. Once in a while go through the list and address their fixable issues. If they happen upon a show-stopper, they simply boot from the drive with the old build on it and use that until the next service release appears. Then you apply it, and test again. Repeat as necessary until the number of issues is low enough that you can confidently deploy the new OS build to all end users.

I have used this technique to great effect at several of my Mac clients, though I don't even consider giving them the newest OS until the .2 or .3 service releases have been out for a few weeks. A couple of my clients used to question this conservative method until some renegade users bought and installed Panther right after its release (without authorization from anyone) and ended up being basically unable to work until I reverted them to the standard OS/applications build.

As for OS X Server, that gets tested in my company's lab and on my bench at home from the day we get it, but it doesn't get rolled out anywhere until .4, and even then we clone the old drive to a FireWire drive before upgrading, just to be safe.

~Philly

So far I'm having the opposite experience

[NtroP]

With 10.2 and Panther, getting client to successfully bind and work with Active Directory to something akin to VooDoo and several other flavors of black magic. That being said, when we did a thorough audit and clean up of Active Directory (Sites and Services, DNS, etc.) most of the problems disappeared, but there were often little things we did to increase our odds of things working smoothly.

The other day a colleague of mine installed Tiger on his laptop (he never had it bound before, just connected to whatever shares with Cmd-K, etc.). He asked about using his AD credentials to log on. I told him "Sure, we just need to bind it to AD, do a few tweaks and anyone with an AD account could log in, just like Windows." Meanwhile, I was mentally crossing my fingers that there wouldn't be any new tweaks that needed to be learned.

So I pointed him to Utilities/Directory Access and had him click the Active Directory option, put in his domain (this is where I would usually start my VooDoo dances with the "advanced" options -- but I thought, "what the hell, lets give it a shot") click on Bind. It asked for a domain admin account, which I entered, and it bound without a hitch (I about fainted). I had him reboot (just to make sure) and then had him log in with his AD account. I worked beautifully, including mounting his home directory off our Win2K server. This had NEVER worked without tweaking for us under panther (although with a little tweaking under 10.2.8+ it worked fine). We transfered files, which went smoothly and quickly, and we looked around the network a bit.

Although I haven't thoroughly tested it yet, I'd say my initial experience with Tiger and SMB/AD has been great. That being said, MOST of our problems with Macs using our AD domain has been Windows-related (missing DNS entries, Sites-and-Services borked, or WINS not working/configured right, etc). Hearing about problems like this after a major change doesn't exactly surprise me, and I'm willing to cut Apple a bit of slack here. They are dealing with a reverse-engeneered protocol on networks where it is very likely that AD isn't in pristine or "best-practices" condition.

We have 35 sites using AD right now in our domain, and the migration from NT4 to Win2K/AD was a learning experience, to say the least. We've learned a lot in the process and, we've found that if you mess up something in AD in the beginning, it's damn near impossible to cleanly remove or fix it. I suspect that there are a lot of installations out there that still have AD ghosts hanging around that make 3rd-party integration a crap-shoot at best. What apple needs to work on is improving their tolerance for broken AD implementations, like windows does.

Of course, if MS would publish the full SMB/AD protocol it would be easier.