Open Radar

 
Summary:
When attempting a diskless NetBoot with OS X server (2.2.1), the Shadow file is instead put on the local drive. Checking the server reveals incorrect file permissions on the Shadow file. After an arbitrary number of reboots (1 or 2 usually) the server will correct the permissions on the Shadow file and the Shadow file is kept on the server allowing the local drive to be unmounted for repair or reinitializing.

Steps to Reproduce:
1. Set up Netboot on OS X 10.8 with Server with a NetBoot image set to diskless  (BTW why did that option go away in the GUI unless you first edit the plist?!)
2. Boot up to that volume
3. Check Disk Utility to see what the mount point is for Macintosh HD (or run mount from Terminal)

Expected Results:
Expected mount point for Macintosh HD is /Volumes/Macintosh HD

Actual Results:
Usually the mount point is /private/var/netboot for Macintosh HD, resulting in Macintosh HD being unable to unmount for disk utilities or re-imaging.

Looking on the server before and after rebooting the client reveals the Shadow file having erroneous group permissions that are eventually taken away.

Permissions on Server when mount point incorrect:
/Library/NetBoot/NetBootClients0/NetBoot147:
total 98304
-rw-rw----  1 netboot111  admin  50331648 May 20 09:15 Shadow


Permissions after several reboots of client computer and mount point is correct:
/Library/NetBoot/NetBootClients0/NetBoot147:
total 98304
-rw-------  1 netboot111  admin  50331648 May 20 09:25 Shadow


Regression:
_Never_ had this issue with 10.6 Server
Issue started in 10.7 with Server

Notes:
I have followed ALL the steps in the KB article TS4316 for Netboot issues (turning off services, deleting /Library/Netboot/NetBootClients0) starting with a clean clients directory, the permissions are still set incorrectly initially and only after several boot attempts do they get corrected by the Server.

Also puzzling is why the folder names and the owner names do not correspond? Otherwise I'd make a script enumerates through all the netboot users, creates folders with correct permissions and touches a Shadow file with correct permissions, as well, to try and mitigate. However since folder names and file owners do not match this does not seem possible.

I also corrected the BASH Parameter Expansion syntax error in /private/etc/rc.netboot on the netboot image, but to no avail:
INCORRECT ===> NETBOOT_SHADOW=${NETBOOT_SHADOW:-NETWORK-}
CORRECT ===> NETBOOT_SHADOW=${NETBOOT_SHADOW:--NETWORK-}

(it doesn't matter because the Case switch falls through to the wildcard *, but FYI the :- operator has the effect of setting the parameter to "NETWORK-" not "-NETWORK-" as intended, thus a double -- is needed)

21-May-2013 12:03 PM Joel Bruner:
Adding an fs_usage log that shows bootpd making the file, and then after several client reboots AppleFileService corrects the file permissions. Extraneous messages edited out (mds, mdworker, repeating messages)

##############################################

# fs_usage -w -f filesys | grep Shadow

#initial creation of Shadow, file permissions are incorrect (rw-rw----)
11:17:01.903533  chown                  [  2]           /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                            0.000005   bootpd.5177
11:17:01.903572  open              F=5        (_WC_T_)  /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                   0.000039   bootpd.5177
11:17:01.903702  chown                                  /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                             0.000010   bootpd.5177

#client reboot - file perms still wrong (rw-rw----)
11:29:51.936328  stat64                                 /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                                0.000007   bootpd.5177

#client reboot - file perms still wrong (rw-rw----)
11:37:01.534399  stat64                                 /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                                0.000006   bootpd.5177
11:37:50.091950  getattrlist                            /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                                0.000013   AppleFileServer.10771

#finally permissions are corrected to (rw-------) by the AFP service
11:37:50.099502  setattrlist                            /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                                0.000040   AppleFileServer.10775
11:37:50.099974  getattrlist                            /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                                0.000012   AppleFileServer.10774
11:37:50.135514  lstat64                                /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                                0.000005   AppleFileServer.10776

#the file is opened read/write and the client harddrive mounts to /Volumes instead of /private/var/netboot
11:37:50.135547  open              F=15       (RW____)  /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                                0.000015   AppleFileServer.10776
11:38:08.943086  getattrlist                            /Library/NetBoot/NetBootClients0/NetBoot092/Shadow                                0.000012   AppleFileServer.10701

#############################################
file listing showing incorrect, then corrected permissions
#############################################

bash-3.2# ls -lRt
total 16
drwxrwx---  3 netboot129  admin   102 May 21 11:17 NetBoot092
-rw-rw-r--@ 1 root        admin  6148 May  9 10:28 .DS_Store

./NetBoot092:
total 98304
-rw-rw----  1 netboot129  admin  50331648 May 21 11:17 Shadow

bash-3.2# ls -lRt
total 16
drwxrwx---  3 netboot129  admin   102 May 21 11:17 NetBoot092
-rw-rw-r--@ 1 root        admin  6148 May  9 10:28 .DS_Store

./NetBoot092:
total 258064
-rw-------  1 netboot129  admin  132126720 May 21 11:39 Shadow