ASIP Black Magic v1.0.3
by Brad Suinn of Apple Computer, Inc.
Revised 1.23.01 rcg
[Notes/Comments]
[ASIP Crashing at 12 PM - 1 AM] [Large File copies over 100 MB getting stuck]
[ASIP File Server getting "hung/frozen/etc.", but other services work...]
[AFP/TCP freezing under heavy load, but AFP/ATalk still works] [Error 43 has
occurred]
[Server hitting the Internet every minute] [ASIP 6.3 not autostarting at startup]
[Slow startup] [Unexpected Disconnects] [Duplexer and Save/RestoreASIP info]
[Retrospect and ASIP] [AppleShare Client hangs on logging into server]
[To make your server more stable] [Virtual Memory and Disk Cache on an
ASIP Server]
[Disabling AppleTalk] [Wiping out fork data] [Turning on DDP Checksums for
AppleTalk]
[DoorStop and AutoPush] [Uninstalling ASIP] [Single Link, Multihoming Setup]
[Long delays after mounting a sharepoint] [Network Trash Explanation]
[AppleShare Password Authentication & Security]
[Note About Security] [AppleShare Client that does not support ClearText]
[How come I only see XXX Gb free on my FileSharing CPU]
[Installing AppleShare IP 6.3.1 on Mac OS 9.0.4] [100Mbit Ethernet Notes]
[Another way to access iDisk] [DHX] [AShare Helper]

Notes/Comments
Whenever possible, update to the latest ASIP and latest AppleShare clients. This
will ensure that you have all the latest bug fixes.
None of the info in this document is guaranteed to be correct! A lot of this
information has come from past postings to the ASIP mailing list. It just seemed
like a good idea to put them into a common file.

ASIP Server crashing at around 12 PM - 1 AM
Seems to be HP Jet Admin. running on an NT server somewhere on your network.
For some reason it crashes the SNMP software on a Mac OS 9 ASIP server, and
since the default time for HP Jet Admin. to poll the network is at 1:00 am, your
server will crash every night at that time.
- Remove the SNMP extensions in your system folder and restart.

Large File copies over 100 MB getting stuck
Seems to be related to "OT Auto Push Support" extension in your system folder.
This extension is used for the TCP Filtering, but note that TCP filtering does not
actually have to be in use, just the presence of that extension is enough to cause
problems.
(1) Remove the "OT Auto Push Support" extension from the system folder
(2) Restart your server
(3) This will totally disable TCP filtering which is a bummer.
(4) Maybe try Doorstop Server Edition from Open Door Networks for a better TCP
filter?

ASIP File Server getting "hung/frozen/etc.", but other services work...
Seems to be related to "OT Auto Push Support" extension in your system folder.
This extension is used for the TCP Filtering, but note that TCP filtering does not
actually have to be in use, just the presence of that extension is enough to cause
problems.
(1) Remove the "OT Auto Push Support" extension from the system folder
(2) Restart your server
(3) This will totally disable TCP filtering which is a bummer.
(4) Maybe try Doorstop Server Edition from Open Door Networks for a better TCP
filter?

AFP/TCP freezing under heavy load, but AFP/ATalk still works
Seems to be related to "OT Auto Push Support" extension in your system folder.
This extension is used for the TCP Filtering, but note that TCP filtering does not
actually have to be in use, just the presence of that extension is enough to cause
problems.
(1) Remove the "OT Auto Push Support" extension from the system folder
(2) Restart your server
(3) This will totally disable TCP filtering which is a bummer.
(4) Maybe try Doorstop Server Edition from Open Door Networks for a better TCP
filter?

Error 43 has occurred
I think that is the correct error code that people have been seeing. So far it has
always been due to the users & groups file being corrupted. Rebuild it COMPLETELY
using either ASIP First Aid or my utility Save/RestoreASIP.

Server hitting the Internet every minute
For ASIP 6.3.x, turn off "Register with Network Services Location".

ASIP 6.3 not autostarting at startup
Fixed in free update to ASIP 6.3.x

Slow startup
At startup, the Users & Groups file is checked completely. Over time, it seems to
get filled with a lot of junk and/or it may be corrupted.
- Try rebuilding your Users & Groups File using my utility, "Save/Restore
ASIP". Note that the utility needs ASIP 6.3 or later; previous versions of ASIP
did not export/import the passwords.

Unexpected Disconnects
Finding the source of an unexpected disconnect is very difficult since so many
things can cause it to happen. DHCP time-outs, bad cables, bad routers, bugs in
the server, bugs in the client, bad network cards, corrupted data, etc. So one
person's problem with unexpected disconnects may be completely different from
another person's problem. Also, there is the sheer randomness of the disconnects.
That is why you do not see postings from Apple with a single magic answer. That
said, here are some ideas to try...
(1) DHCP - in OS 8.5.X, Open Transport changed their DHCP implementation to
be closer to the published standards. Apparently this has caused some
disconnects to occur when getting close to the renewal times. To determine if
this is your problem, try assigning a static IP address to those clients having
problems. If the problem only occurs on those Macs with 8.5.x, then this is
probably a good place to start.
(2) In AppleShare client 3.8.1 (from OS 8.5.X), I did fix one hanging/
disconnecting bug. It is always a good thing to try the latest AppleShare
client on those Macs having problems. As far as I know (no guarantees
here), the AppleShare client should work on most versions of the OS 7.5.x -
8.5.x, without having to upgrade the OS. Some versions of the clients have a
gestalt checking for certain versions of Open Transport that we need. Just
copy the AppleShare extension to the client CPU and reboot and see if it
works. It should.
(3) Software conflicts. There seem to be conflicts with some virus checkers (don't
remember which ones), and some versions of At Ease (don't remember
which ones). Try disabling them and see if the problems go away. This is
pretty standard isolation. Start with a "clean" system folder and start adding
things in until the bug shows up.
(4) EtherPeek traces!! Imagine trying to tell someone over the telephone (or by
e-mail) how to assemble a bike while you are reading the instruction manual
inside of a dark closet. Trace files of the network packets tell us exactly what
is going on and exactly who is disconnecting who. The server can initiate or
the client can initiate the disconnect and there is no way to tell the difference
without a trace. Etherpeek is very cheap and a MUST HAVE for debugging
network problems. You can download a free demo copy from their web site.
No, I don't get any endorsement money from AG Group. I don't even get free
copies of their software! ;-)
(5) Network cards/hubs - full/half duplex. Full duplex is kind of like the early 33-
56K modem implementations. If you had a modem from company A and
another modem from company B, they typically did not work well together
even though they both say they support standard XXX. Full duplex is still
pretty much hit and miss if you mix and match components from different
companies. Half duplex Ethernet seems pretty stable and reliable. Give it a
try and see what happens. Trying different Ethernet cards/cables also can
help you isolate where the disconnects may be occurring. I also have a small
utility called Duplexer that allows you to "force" the Ethernet Duplex on many
of Apple's built in Ethernet.
(6) Special note ONLY for ISDN, DSL, modem, and WAN users (i.e. slow links).
We have found that in many cases, older routers can not handle more than
8K of data sent all at once. In AppleShare client 3.8.3, there is a resource in
the DATB #1413 called the "Max. Quantum Size". If you are experiencing
slow performance or disconnects or hanging, then use ResEdit to set the
"Max. Quantum Size" to 0x1ff0. By setting this value, you will be
DECREASING your potential maximum performance if used on "fast" links,
but increasing (or at least not changing much) your current performance
over the "slow" links. Hopefully over the slow links, this will make things
much better. In AppleShare client 3.8.4 and later, this will auto-magically be
done for you. Again, only use this resource change if you are on ISDN, DSL,
modems, WANs, or other "slow" links.

Duplexer and Save/RestoreASIP info
Duplexer
The Apple iMac (including the slot loading CD-ROM versions), Power
Macintosh G3 (Blue and White version only), Power Macintosh G4, iBook,
1999 PowerBook G3 (Bronze version only), and 2000 PowerBook (Firewire
version) use auto negotiation to determine what speed (10 Mbit or 100
Mbit) and duplex (half or full) to use for the built in Ethernet. Duplexer is an
unsupported system extension that allows you to disable the auto negotiation
and to use a set speed (10 Mbit or 100 Mbit) and duplex (Full or Half) for the
built in Ethernet.
Save/RestoreASIP
Allows you to save and restore the current access privileges of an ASIP
server into an MPW text file. Combined with ASIP 6.3 ability to export/import
the Users and Groups list, you can recreate your entire Users/Groups AND
access privileges. This is useful when:
- You wish to create a new copy of the U/G file along with access
  privileges instead of trying to repair the existing one. Or, for those
  cases where the UG file can not be repaired.
- Another backup solution for the UG file and access privileges.
- Makes it easier to move an ASIP server from one CPU to a different
  CPU.
- Combined with AppleScript and MPW's built in scripting, you can
  create some automatic ways to create users, groups and assign/change
  their access rights using simple to read text or XML files.

Retrospect and ASIP
From David Sallak...
Since your freeze is happening during times of low use, but after a backup, the
problem is more likely to be a memory conflict between ASIP and Retrospect. If
your lockups happened during high client activity usage, then I'd be looking at the
RAM, cabling, or hard disk driver software.
Retrospect will expand in memory usage dynamically over time, similar to how the
ASIP Cache expands over time. Because your crash doesn't happen every night,
you are likely having a problem with Retrospect's temp memory overlapping ASIP's
temporary Cache memory as they each build up over time.
Solution? I have Retrospect running on four different ASIP servers, and none of
them have these lockups. What's the secret?
(1) Do not use the checkbox in ASIP Easy Setup, to automatically start ASIP at
startup. OR you can leave it checked and put an alias to Retrospect into the
Startup folder so that it starts up before ASIP.
(2) Adjust Retrospect's memory requirements. Default memory is about 3 megs.
Boost this to at least 5 megs, and 10 megs is preferable.
(3) Make sure you have lots of RAM in your ASIP server. I've found 96 to be
minimum. I've learned that ASIP is much more stable when given lots of RAM.
(4) Put an alias of Retrospect, and an alias of ASIP Web & File Server Extension,
in the Startup Items folder. Make sure you put a space in front of the
Retrospect alias name, so it loads BEFORE the ASIP server extension. Note: if
in step (1), you used the checkbox to startup ASIP, then you do not need an
alias to ASIP here.
(5) If you run any other software on your server, put an alias of these apps in
the Startup Items folder, and add a space for each of them as well. You want
any other apps on the server to load before ASIP.
(6) Set Retrospect's preferences so it does not quit after execution of a script.
You want to leave it running all of the time.
The goal is to get Retrospect loaded before ASIP, so the ever-expanding ASIP
cache doesn't bump into Retrospect's memory space. By loading Retrospect before
ASIP, and giving it extra RAM, you give Retrospect a nice clean space to do its
work, and the ASIP cache will never expand into the temp memory space that
Retrospect uses.
Note from Brad Suinn
There is some hidden feature inside of Retrospect where you can make it
stop using Temp Memory. Hold down the Option key while clicking the
Preferences button under the Special tab. By not using temp memory, it will
slow down Retrospect, but you can compensate by increasing the memory
assigned to Retrospect using the "Get info" panels. By doing this, then you
keep ASIP and Retrospect from "fighting" over memory and that should make
things more stable.

AppleShare Client hangs on logging into server
- Try disabling Apple Menu Option's "Remember Recently Used items".
- Second possibility is that you have a corrupt Users/Group file on the server.
Make sure you check your UG file using ASIP Disk First Aid.
- Also run a disk utility and check all the files for a corrupt data or resource
fork.
- You might consider installing the latest AppleShare Client onto your
workstations.
It is free and available from www.apple.com/appleshareip/text/downloads.html

To make your server more stable
Try the following...
(1) Remove any SNMP extensions in your system folder. I have found a case
where SNMP polling, which usually happens around 12 am - 1 am, can cause
the Open Transport SNMP code to die. Usually some NT box with some HP (?)
printing software installed is on the network somewhere and it has SNMP
polling turned on at 1:00 am every night.
(2) Remove the OT AutoPush Support extension from your system folder. This is
a known bug in Open Transport that will cause the File Server to hang, usually
during heavy traffic on 100 mbit links. Does not seem to happen on slower
links, but still worth removing. Unfortunately, TCP filtering will not work
anymore. Try www.opendoor.com for another TCP filter that may work.
(3) Turn off Sherlock Indexing on your server.
(4) Check your users and groups file on a regular basis with UG first aid, or just
rebuild it completely using my ASIP Save/Restore with XML export/import.
This should also fix the 43 error that seems to crop up. Also fixes weird
freezes when a particular user logs in, startup problems, etc. Actually
checking the UG file is probably the first place to start when isolating a
problem with your server.
(5) Move to ASIP 6.3.x as soon as you can (unless your server is completely
stable, then leave it alone) since it has all the latest fixes in it.
(6) Check your server's HDs on a regular basis. Everyone has their favorite disk
utility to use. Do this on a regular basis to catch disks going bad on you.
(7) Give your server CPU lots and lots of RAM. This will help performance out
quite a bit and will avoid any low memory bugs.
Optional

If you have hubs that support full/half, 10/100 enet and are using built in
ethernet, consider using my Duplexer utility to "force" a particular speed.
There have been several reports of the ethernet auto-negotiation failing to
correctly set its speed, resulting in terrible performance.

Virtual Memory and Disk cache on an ASIP Server
Turning off VM and reducing the Disk caches helps in many ways:
(1) Open Transport is SLOW when VM is on. Guesstimate around 10% slower.
Just terrible.
(2) The Web/File/FTP server (not sure of print/mail) does not use the disk cache,
so setting it lower just frees more memory for the server to use in its own
internal file caching. A file already in the cache can be read or written at
pretty much the speed limit of your network (assuming you don't have a
really slow CPU). A file that is not in the cache transfers at a much slower
speed which is very dependent on the speed of your hard disks, but is almost
always slower than reading it straight from our internal RAM cache. Adding a
ton more RAM to your file server is always going to be helpful since it means
more files will fit in the server caches which increases your chance that the
file you want is already in the cache and ready to go.
(3) Of course with VM off, you never have to worry about getting page faults and
having to wait while some code is being swapped in for you.
(4) And of course, with lots more RAM, you can worry less about running out of
RAM.
(5) Open Transport will also pick up some speed when you have more RAM. OT
will continue to allocate more internal buffers up to a certain % of total RAM
in the CPU. With more buffers, OT will run faster.
This is all assuming that you have fast enough hardware (both CPU and network)
to make it worthwhile. For example, if your server is dealing with LocalTalk, then
no matter how fast your server is or how much RAM it has, the performance
bottleneck will always be LocalTalk.

UNSUPPORTED Disabling AppleTalk
In ASIP 6.1, there is an UNSUPPORTED option that you can turn on that will
disable AFP over AppleTalk access. NBP (in the Chooser) will still show the server's
name and will still do the "magic" switch to TCP/IP, but anyone trying to log in
over AppleTalk will get an error of "The attempted connection to the server has
failed. Try again later." This error dialog appears after the enter password dialog
has appeared. Not the most informative dialog, but hey, that is why it is
UNSUPPORTED!
(1) Shut down the server
(2) Open the AppleShare IP Web & File extension using a resource editor like
ResEdit
(3) Open the 'pref' resource
(4) Edit resource #1699 and set it to be 1
(5) Save the resource and restart your server.

UNSUPPORTED Wiping out fork data
Only for ASIP 6.3.x and later...
If someone does a FPSetForkParms past the EOF of a fork, ASIP does not
automatically zero out that data. So, someone could then read that area and see
what was left over there. Most, if not all the time, the data there is total garbage,
but for those of you who are totally security paranoid...
(1) Shut down the server
(2) Open the AppleShare IP Web & File extension using a resource editor like
ResEdit
(3) Open the 'pref' resource
(4) Edit resource #1762 and set it to be 1
(5) Save the resource and restart your server.
This will fill in the new data areas with 'E' and hopefully 0 in later releases. Note
that this will slow down your server performance and only affects the File Server
part of ASIP.

UNSUPPORTED Turning on DDP Checksums for AppleTalk
The default checksumming in AppleTalk is not that great; it will occasionally let
through an error. Especially now that people are transferring giant archives or
disk images that have auto checks for errors in the file, we are seeing more and
more errors due to AppleTalk. Turning on DDP Checksumming will slow AppleTalk
performance, but will eliminate these file errors.
(1) Shut down the server
(2) Open the AppleShare IP Web & File extension using a resource editor like
ResEdit
(3) Open the 'pref' resource
(4) Edit resource #1700 and set it to be 1
(5) Save the resource and restart your server.
ON ALL APPLESHARE CLIENTS, you will need to install the "UseChecksums"
extension.

Doorstop and AutoPush
Since I recommend removing the OT Auto Push file, here is some more info on an
alternative TCP filtering software from Open Door Networks.
Question:
Is OT Auto Push Support used by any other ASIP function other than TCP filtering?
Also, can anyone comment on DoorStop's ability to work without this extension?
Answer:
Yes, OT Auto Push is only used by TCP Filtering. The way filtering works is that we
"push" a filter module on top of the TCP module. When packets come in, the filter
module gets a chance to look at the packets and determine whether to let them
through or not.
The Mentat stack is designed so that you can easily push any module on top of any
other, but the particular code for allowing a module to be pushed on top of TCP was
not included (and no, I don't remember why). So, we needed a workaround and
that was the OT Auto Push extension.
Doorstop works without the OT Auto Push extension because it "pushes" itself
much lower down in the stack (on top of IP) and the Mentat code for doing that is
still in Open Transport. This allows filtering of UDP packets too.

Uninstalling ASIP (or how to revert back to slow FileShare)
By John T. Zigrang
(1) Remove all ASIP Extensions
(2) Remove all User Group files (there were two)
(3) Restart the computer
(4) Restart the FileSharing Control panel to check User, Computer name and
Password.
(5) Restart and Rebuild Desktop (just for desktop cleanup)

Single Link, Multihoming Setup
Setting up Secondary IP addresses on the ASIP server
See Tech Info article 60019 "AppleShare IP 6.1: Web Server Multi Domain Support"
The second way of configuring the ASIP server for multi domain support is to set
up secondary IP addresses at the server, and have the clients' domain names
mapped to the secondary addresses. Open Transport 1.3 or later and a PCI-based
server is required to support this capability, which is called 'single-link
multihoming', 'IP multinode support', or 'IP aliasing.'
This method is needed when clients are using older browsers (such as Mosaic)
which may not support HTTP 1.1; in these cases, the domain name the client used
in the URL is not passed to the server; only the IP address is. Thus, the ASIP Web
Server must use the IP address to determine what home page to send to the
client. When using this method, you should use IP addresses, rather than the
domain name, in the Multi Domain Settings file.
(1) Verify that the server's primary IP address is static and configured manually.
Open the TCP/IP control panel to verify.
(2) Create an "IP Secondary Addresses" file; this will be a plain text file that will
contain the information on the secondary IP addresses. This file needs to be
saved into the Preferences folder of the System Folder.
Within this file, each line begins with "ip=" followed by a secondary IP
address. If the subnet mask and router address are different from those used
by the primary IP address, they should be specified also, preceded by "sm="
and "rt=", respectively. Here is an example; note that the first line which
begins with a semicolon is a comment.
;ip address    subnet mask        router address
ip=192.1.1.4   sm=255.255.255.0   rt=192.1.1.1
ip=192.1.1.5
ip=192.1.1.6
(3) Restart the server and test. Using a ping utility like MacTCP Watcher (you can
locate and download this handy utility from various ftp sites on the Internet),
try pinging each of the secondary IP addresses you've set up for the server.
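A small checker for the "IP Secondary Addresses" file format described in step (2), added here as an example (it is not Apple's code and not part of the original document). It assumes "ip=", "sm=" and "rt=" are the only valid fields; the function names and the sample file, including its three faulty lines, are constructed.

```python
import ipaddress

ALLOWED_KEYS = ("ip", "sm", "rt")  # assumption: the only fields the text describes

# Constructed sample: line 2 is valid, lines 3-5 each contain one mistake.
SAMPLE = """\
;ip address subnet mask router address
ip=192.1.1.4 sm=255.255.255.0 rt=192.1.1.1
ip=192.1.1.5 ip=192.1.1.6
ip=192.1.1.7 sm=255.255.255.0 rt=192.1.2.1
ip=192.1.1.4
"""


def parse_line(line):
    """Return (fields, error); fields maps key -> IPv4Address, one of the two is None."""
    tokens = line.split()
    if not tokens[0].startswith("ip="):
        return None, 'line must begin with "ip="'
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if not sep or key not in ALLOWED_KEYS:
            return None, f"unknown field {token!r}"
        if key in fields:
            # Catches two entries run together on one line.
            return None, f'"{key}=" given twice; use one address per line'
        try:
            fields[key] = ipaddress.IPv4Address(value)
        except ValueError:
            return None, f"{value!r} is not a valid IPv4 address"
    if "sm" in fields:
        try:
            net = ipaddress.IPv4Interface(f"{fields['ip']}/{fields['sm']}").network
        except ValueError:
            return None, f"{fields['sm']} is not a valid subnet mask"
        # A router outside the address's own subnet is unreachable from it.
        if "rt" in fields and fields["rt"] not in net:
            return None, f"router {fields['rt']} is outside {net}"
    return fields, None


def check_secondary_addresses(text):
    """Return (entries, problems); problems is a list of (line number, message)."""
    entries, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        fields, error = parse_line(line)
        if error is None and fields["ip"] in seen:
            error = f"{fields['ip']} is already listed"
        if error:
            problems.append((lineno, error))
        else:
            seen.add(fields["ip"])
            entries.append(fields)
    return entries, problems


if __name__ == "__main__":
    entries, problems = check_secondary_addresses(SAMPLE)
    for entry in entries:
        print("ok      ", " ".join(f"{k}={v}" for k, v in entry.items()))
    for lineno, error in problems:
        print(f"line {lineno}: {error}")
```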

Long delays after mounting a sharepoint
Your drives are slowly running out of space on them...
(1) Try emptying the Network Trash folder on your server.
(2) On the server, use ResEdit to make it visible using Get File/Folder info, then
delete its contents
For detailed explanation on emptying the "Network Trash Folder" folder manually,
using AShare Helper, or AppleScript, click here.

Network Trash Explanation
You will have one network trash folder at the root of every sharepoint. Within that
folder will be a file called Trash Can Usage Map which is used by the Finder on the
client machine to claim a Trash Can #x folder to use as the trash can for the server
volume.
When a client throws a file on a remote volume away, the Finder tries to get a lock
on the first byte of the Trash Can Usage Map; if that byte is locked, it tries to get a
lock on the second byte and so on. When it gets the lock it "claims" the
corresponding Trash Can folder. It then moves the file to be thrown away into its
Trash Can folder. When the User selects Empty Trash, the Finder will empty its
Trash Can Folder.
If the client machine breaks the connection via crashing or being disconnected, the
Trash Can folder will not be emptied. However when a client Finder claims a Trash
Can folder, it will delete anything that was in the folder previously.
For detailed explanation on emptying the "Network Trash Folder" folder manually,
using AShare Helper, or AppleScript, click here.

AppleShare Password Authentication & Security
A note about authentication from Leland Wallace
OR "I heard that AppleShare passwords are easy to break..."
The algorithms for all of the AppleShare Authentication methods are public. I don't
see this as a problem. The security of the method is in the math, not in some
secret algorithm. The AppleShare password encryption method he mentions, is
probably the method for storing the passwords in the Users & Groups data file on
the Server, which is only a problem if you send your attacker that file (AppleShare
won't share the System folder on the server). Or, if the attacker has physical
access to your server, then he/she could copy the Users & Groups data file; of
course your server should ALWAYS be in a secure location.
The most widely used (at this time) auth method is 2 Way random (introduced in
1989) which sends two 8 byte DES encrypted random numbers over the network.
From a computational standpoint the algorithm is exactly as strong as 56-bit DES.
It is however vulnerable to an off-line password guessing attack (similar to running
crack against a unix passwd file), and it has a password length limit of 8 characters.
We have developed a new authentication method that addresses the weaknesses
of 2 Way randnum, called DHX. DHX uses Diffie-Hellman key exchange to create a
128 bit session key and then sends a 64 character password to the server
encrypted with CAST 128. Its strength is approximately equivalent to 128-bit SSL.
(iDisk uses DHX)
So I suppose the answer to the question is, we've been doing 56-bit encryption
since 1989, and we're in the process of moving to 128 bit encryption. Both are
reasonably safe on the Internet, and infinitely safer than protocols like FTP, POP or
HTTP which send passwords in the clear over the network.

Note About Security
A short note about Security
(by no means is this a complete list on how to protect your server!!!)
(1) LOCK YOUR SERVER UP IN A SECURE ROOM!!!
No one should have physical access to a server. If someone else has physical
access to a server, then forget about trying to make the server secure, you
will not be able to.
(2) Set up a firewall to protect your intranet and servers.
(3) Disable ClearText logins on the clients!!!
See below for instructions on how to create an AppleShare client that does
not support cleartext, then PUT IT ON ALL of your workstations. This is not a
perfect solution, but it will at least make it harder for hackers/crackers. Here
is a good example from Ron Chmara on how to use clear text to get
passwords.
(i) Scout out site. Set up a linux laptop with netatalk, and sniffers on the
wire. Find out the name of the ASIP server (Appleshare is silly enough to
_broadcast_ the name to all askers. Feature is Security Hole. Sheesh.)
Set up laptop with same name as server, same IP as server. Find
unobtrusive way of jacking into the LAN, an easy thing to do in a
computer lab, or a "wired" school... they seem to have lots of "live"
jacks. If necessary, just use computer lab machine jack, keep laptop in
backpack, and pretend to be working. For offsite work, just put it in the
ceiling to "bug" the LAN.

(ii) Perform standard denial of service attack on server, anything to overload
it or crash it. These are network security holes, so there's not much you
can do about 'em. ICMP the bugger to death, SYN it into silence,
whatever's fashionable this week. This should be timed right before a
new class/lab session, for maximum effect.

(iii) As users initially try to connect via aliases, and fail, some will go to the
chooser. They will select the "ASIP" server name, which, unfortunately is
now a netatalk server, which *doesn't support* randnum. Which means
it's now open season, as every password used to connect to the fake
server is passed in cleartext. To the sniffer. If I'm lucky even the admin.
will try to log in remotely, if not the first time, maybe the second or third
(to keep from having to walk back to the server room)"

UNSUPPORTED - AppleShare Client that does not support ClearText
(1) Make a copy of the AppleShare Client
(2) Run ResEdit and open it
(3) Open the 'FSMNT' resource, then open up "ApShare Mounter"
(4) Select "Find ASCII" and search on "Cleartxt"
(5) Highlight just the 'C' character and type 'X' instead. DO NOT DELETE ANY
CHARS, just replace the 'C' char!!!
(6) Close the "ApShare Mounter" and the 'FSMNT' windows.
(7) Open the 'EXFS' resource, then open up "ApShare ExFS".
(8) Select "Find ASCII" and search on "Cleartxt".
(9) Highlight just the 'C' character and type 'X' instead. DO NOT DELETE ANY
CHARS, just replace the 'C' char!!!
(10) Close the "ApShare ExFS" and the 'EXFS' windows.
(11) Quit ResEdit and save the file.
(12) Now find every AppleShare client that is on your network and replace it with
this version. Maybe give it a special name.
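One way to confirm that the edit in steps (5) and (9) was made in both places on a copy of the client, added here as an example (not part of the original document and not an Apple tool). It works on the raw bytes of the file's resource data; the expected count of two comes from the two resources named in the steps, and the function names and sample bytes are constructed for illustration.

```python
LIVE = b"Cleartxt"     # the string the steps above search for
PATCHED = b"Xleartxt"  # the same string after 'C' is replaced with 'X'
EXPECTED_SITES = 2     # one in 'FSMNT' and one in 'EXFS', per the steps above

# Constructed stand-in for the client's resource data (not real Apple bytes).
SAMPLE = (b"\x00\x01FSMNT" + b"\x10Cleartxt Passwrd" + b"\x00" * 6 +
          b"EXFS\x00\x02" + b"\x10Cleartxt Passwrd" + b"\x00" * 4)


def offsets(data, needle):
    """Return every offset at which needle occurs in data."""
    found, pos = [], data.find(needle)
    while pos != -1:
        found.append(pos)
        pos = data.find(needle, pos + 1)
    return found


def audit(data):
    """Classify a client image by which form of the string it still contains."""
    live, patched = offsets(data, LIVE), offsets(data, PATCHED)
    if live and patched:
        status = "partially patched"   # one resource was edited, the other missed
    elif live:
        status = "cleartext enabled"
    elif len(patched) == EXPECTED_SITES:
        status = "patched"
    else:
        status = "unrecognised"        # neither form found the expected number of times
    return {"status": status, "live": live, "patched": patched}


def patch(data):
    """Overwrite the 'C' of each occurrence in place, never changing the length."""
    out = bytearray(data)
    for pos in offsets(data, LIVE):
        out[pos:pos + 1] = b"X"
    if len(out) != len(data):
        raise ValueError("length changed; resource offsets would be corrupted")
    return bytes(out)


if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(patch(SAMPLE)))
```

Running the audit against every client copy collected from the workstations shows which machines still carry an unmodified or half-edited file.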

How come I only see XXX GB free on my FileSharing CPU
The Mac OS FileSharing code is very, very old and can only display up to 3.99 G of
"free or in use" space. Upgrade to ASIP if you need to transfer a lot of files from
that cpu and need to access larger HD's.

Installing AppleShare IP 6.3.1 on Mac OS 9.0.4
This document describes one method for installing AppleShare IP 6.3.1 on a
computer running Mac OS 9.0.4. Many users have run into difficulty attempting to
install Apple's Mac OS server suite AppleShare IP 6.3.1 after a clean installation of
Mac OS 9. Specifically, the ASIP installer requires an earlier version of ASIP 6 be
installed. Earlier versions of ASIP 6 refuse to install unless an out-of-date version
of OpenTransport is installed. Attempting to install the older version of
OpenTransport is problematic, leaving the user unable to install ASIP 6 on Mac OS
9 in order to update it to ASIP 6.3.1.
Overview of Installation Procedure
(1) Perform a clean installation of Mac OS 9 as normal.
(2) Install the Mac OS 9.0.4 update as normal.
(3) Download the ASIP 6.3.1 Update.smi to the hard disk.
(4) Manually install the ASIP extensions from the ASIP 6.3.1 updater.
(5) Run the ASIP 6.3.1 updater as normal.
(6) Restart and continue setup using Easy Setup.
Detailed Walkthrough For Steps 4 - 6
- Double-click the ASIP 6.3.1 Update.smi file to mount the installer disk-image
on the desktop.
- Locate the file AppleShare HD.img within the AppleShare IP 6.3.1 Update
image.
- This can be found in AppleShare IP 6.3.1 Update:Software Installers:Restore
AppleShare IP:AppleShare HD.img.
- Double-click the AppleShare HD.img to mount the AppleShare HD disk-image.
- Copy the contents of the Extensions folder on the AppleShare HD disk-image
to the Extensions folder inside your Mac OS 9 system folder on the hard disk
of your server.
- Drag the AppleShare HD icon from your desktop to the Trash.
- Double-click the Apple SW Install icon within the AppleShare IP 6.3.1 Update
to begin installing AppleShare IP software on your server hard disk. When
installation is finished, restart your server as normal.
- After restarting, you will be able to proceed with AppleShare IP Easy Setup to
configure your ASIP server.
100Mbit Ethernet Notes (most if not all is unconfirmed) (back to top)
(1) Apple's Zynx card (aka Apple 10/100) 100Mbit card has been reported (but
not confirmed) to not work at Full Duplex, but will report that it can. This
can result in terrible performance. Force your switch/hub to half duplex for
any computer that is using this card.
(2) Several people have reported that Cisco Switches work much better if you
turn off spanning tree, which is on by default.
(3) Unconfirmed from Asante
Three extensions seem to interfere with the connection on the b/w g3s but
not necessarily other g3s or g4s, although the folks at Asante suggested I
scrub them on all machines. They are: DNSplugin, SLPplugin & WebSharing.
(4) If you have an aftermarket ethernet card, you should also disable the Apple
Enet extension.
(5) If you are using Asante cards, be absolutely sure you have the latest driver.
(6) Another unconfirmed report. Try moving your ethernet card to a different PCI
slot like A1. Apparently some customers have reported that this has fixed
their problems.
DHX (note that iDisk uses DHX) (back to top)
If you use DHX authentication, it is important that you upgrade to AppleShare
client 3.8.6 or later. It fixes a crash when you attempt a second login using DHX
after the first attempt over DHX failed with a wrong password.
Get the latest client from www.apple.com/appleshareip/text/downloads.html.
Another way to access my iDisk (requires client 3.8.6 or later) (back to top)
(1) Make sure you have access to the internet.
(2) Go to Chooser, select AppleShare, click on the "Server IP Address..." button.
(3) Enter in "idisk.mac.com:suinn".
(4) For user name, use "suinn", password is "t0sjriah".
(5) This will give you access to the "Public" part of my iDisk.
AShare Helper (back to top)
AShare Helper is an application that was designed to help AppleShare IP Server
Administrators with the upkeep of their Servers by doing a number of minor tasks,
then sending notification to remote locations.
- Detect a System Crash (i.e. not properly quit) then use Disk Warrior to repair
all local non boot or non network volumes.
- Manually launch the AppleShare IP Web & File Server on startup (after doing
repairs). Only works on AppleShare v5.0 - v6.2.
- Keep a nominated Application running in the foreground and launch it if it is
not running.
- Do regular checks for free space on any mounted volume.
- Make regular backups of the local Users & Groups Datafile (with an append
date).
- Empty the contents of the invisible Network Trash Folder on each volume
(deletes all files more than 24hrs old).
- Log all its actions to a local text file plus send email notifications and errors
to any remote location.
How to operate it?
When launched, AShare Helper does not show any interface windows or dialogues.
You should start by selecting 'Preferences' from the File menu (shortcut is Cmd-P).
This window should be self explanatory as it allows you to nominate Tasks, Actions
and Warnings plus when you want to have them occur (once a week, daily and at
what time of the day).
You can use the Notifications area to set up where to send a copy of the Event Log
for both the Actions and Warnings. All email errors are saved in the event log as
are the email logs themselves.
The Event Log can be viewed at any time by selecting 'View Log' from the File menu
(shortcut is Cmd-L). This allows you to scroll through the log and clear it if
required.
Where to put AShare Helper?
Probably the Startup Items folder in the System Folder would be a good place,
otherwise launch it manually whenever you feel the need.
What are the limitations?
(1) AShare Helper was written for English language versions of MacOS. It will not
experience any major problems running on other language versions of
MacOS, but all the windows, dialogs and buttons will not be correct.
(2) AShare Helper currently does not check to see if the boot volume is full prior
to writing its log. It is a good idea to enable a 'Check for Available Space'
Warning for the boot volume.
(3) AShare Helper is totally free and no warranty is provided or implied. Use it at
your discretion.
Questions / Comments
All comments / questions should be directed to dbakkers@ozemail.com.au.
To download AShare Helper 1.7.2, click here.
For more details or to download the latest version, click here.
Network Trash Folder Overview
by Richard Glaser
Revised 1.23.01 rcg
[What is the Network Trash Folder?] [Issues]
[Workarounds - Manually Emptying, AShare Helper, AppleScript]
What is the Network Trash Folder? (back to top)
When file sharing is turned on, or a file server is running, an invisible folder is created on
the server called the Network Trash Folder. When a client logs into the server and deletes
a file from the server, a folder is created inside the network trash folder (called Trash #1).
Any subsequent user who deletes a file from the server, will cause a new file to be created
(called Trash #2), and so on. There can be any amount of these folders depending on how
many logged in users have items in the trash from the server.
When the user empties the trash on the client machine, the folder is deleted and those
items will no longer remain on the server. In the AppleShare Admin program, the
administrator has the option to empty the network trash. This option exists because any
user who trashes something on the server, then crashes before trash is emptied, will cause
those deleted items to be persistent in the network trash folder.
Once the session is terminated, that user has no control over any item that was left in the
trash. The administrator can clear out any of these persistent trashed items by emptying
the network trash. If a user has trashed a file from the server and logs off from the server
gracefully, the finder will put up a dialog saying that all items in the network trash will be
deleted.
Issues (back to top)
The following issues can be caused by the build up of "items" in the "Network Trash Folder":
- Drives are slowly running out of space on them.
- Long delays after mounting a sharepoint
- ASIP server crashes every X days.
I was experiencing the "Network Trash Folder" build up on an ASIP 6.3.2 file server which
would first cause long delays in mounting sharepoints, then would crash the server
every 3 to 4 days.
After setting up a schedule to remove the "build up" items daily using AppleScript I have
not had any problems with the file server 8-)
If you are experiencing the above issues on your ASIP file server you might try emptying the
"Network Trash Folder". If that does not work see other suggestions on the ASIP Black
Magic page.
Here are some TIL Articles related to the issue:
- AppleShare: Trashed Item from Server Remains in Window
- AppleShare 4.2.x: Network Trash Recovery
- AppleShare: Network Trash Description
- AppleShare IP 6: File Service FAQ
Workarounds (back to top)
There are three workarounds to the issue of the "build up" of items in the "Network Trash
Folder" on share points.
- Manually Emptying
- AShare Helper
- AppleScript
Manually Emptying (back to top)
To manually empty the items from the "Network Trash Folder" on each of the sharepoints:
On the file server, use a resource editor to make the folder visible using Get File/Folder
Info, then delete its contents.
There are many resource editors that can do the job (i.e. ResEdit, Resorcerer, File Buddy,
FileTyper, etc.), but for the example here we will use ResEdit.
To download ResEdit application with examples, click here.
To download Apple's ResEdit documentation, click here.
To learn more about ResEdit, see ResExcellence web site.
(1) Open the ResEdit application, then click the ResEdit splash screen.
Then click the "Cancel" button on the Open/Save dialog box
(2) From the "File" menu select the "Get File/Folder Info..."
(3) Navigate to the location of your sharepoint "Network Trash Folder".
Note - This folder is located at the root of each sharepoint.
(4) Deselect the checkbox named Invisible...
and save modifications...

(5) In Finder, open the "Network Trash Folder" and delete contents.
AShare Helper (back to top)
AShare Helper is an application that was designed to help AppleShare IP Server
Administrators with the upkeep of their Servers by doing a number of minor tasks, then
sending notification to remote locations.
Related to this issue, AShare Helper can automate emptying the "Network Trash Folder".
Note - When I tried AShare Helper a few versions back, it did not properly empty the
"Network Trash Folder" on the server's sharepoints, even after the 24 hr time period. So,
for more control over the process and time period I wrote an AppleScript (see below).
But, it is working properly for other users (on the ASIP list) and gives you other ASIP tasks
and upkeep. So you might give it a try and see if it meets your needs.
To download AShare Helper 1.7.2, click here.
For more details or to download the latest version, click here.
AppleScript (back to top)
Overview
To set up AppleScript to automatically empty the "Network Trash Folder", I used the
following software...
AppleScript, to download the latest version, click here.
iDo Script Scheduler, is software that allows scheduling the running of
AppleScripts. You set up schedules by creating "events", which can run scripts one
time, or at any repeating interval from minutes to weeks, when a "hot-key" is
pressed, and when the system is idle.
Jon's Commands, is a Scripting Addition that is used to delete "Network Trash
Folder" contents. It also provides added functionality in the form of about 30
useful commands which can be called from AppleScript.
Appearance OSAX, is a Scripting Addition that is used to provide user feedback.
With Appearance OSAX you can display enhanced movable alerts, post system
notifications, and create floating windows with text messages and progress
indicators.
Setup
(1) If you do not have AppleScript installed on your ASIP file server, install it.
To check if you have it installed, you should have the following items in your System
Folder...
- Scripting Additions folder - Located in root of the System Folder
- AppleScript - Located in the "System Folder:Extensions" folder
- AppleScriptLib - Located in the "System Folder:Extensions" folder
(2) Install iDo Script Scheduler, the lite version comes with Mac OS 9.x. Or you can
upgrade to the "Enhanced" version for additional "events" when a "hot-key" is
pressed, and when the system is idle.
It will install the following items on the server...
- iDo Script Scheduler - Located in the "System Folder:Control Panels" folder.
- iDo Script Scheduler Extension - Located in the "System Folder:Extensions"
folder.
- iDo Folder - Located in the "System Folder:Preferences" folder.
(3) Install Jon's Commands, by dragging the scripting addition to the "System Folder:
Scripting Additions" folder.
(4) To provide user feedback whilst the AppleScript is running, install Appearance OSAX.
Note - When the AppleScript is processing, you will get a 5 to 10 second pause in
mouse movement, etc., which might appear to users that the server is hung, hence
the user feedback.
To install "Appearance OSAX", drag the scripting addition to the "System Folder:
Scripting Additions" folder.
(5) Next you need to modify, test, and debug AppleScript to fit your current sharepoint
setup.
This is the generic AppleScript:
To download the compiled AppleScript, click here.
(6) Modify AppleScript to match your server's sharepoint(s) path(s)...
On the lines:
set Share_Point_Path1 to "Hard Disk:Share Point1"
set Share_Point_Path2 to "Hard Disk:Share Point2"
set Share_Point_Path3 to "Hard Disk:Share Point3"
Change the text "Hard Disk:Share Point1", "Hard Disk:Share Point2", and "Hard Disk:
Share Point3" to match your server sharepoint(s) paths.
Fewer Sharepoints
If you have fewer sharepoints, delete the corresponding lines (i.e. "Hard Disk:Share
Point2", "Hard Disk:Share Point3", etc.).
More Sharepoints
If you have more sharepoints, add the corresponding lines (i.e. "Hard Disk:Share
Point4", "Hard Disk:Share Point5", etc.)
(7) If you have added or deleted lines above, modify the following lines...
On the lines:
set Network_Trash_Folder_Path1 to Share_Point_Path1 & ":Network Trash Folder" as alias
set Network_Trash_Folder_Path2 to Share_Point_Path2 & ":Network Trash Folder" as alias
set Network_Trash_Folder_Path3 to Share_Point_Path3 & ":Network Trash Folder" as alias
Add or remove lines depending on the modifications you made to the sharepoint
paths above. These lines provide a minimal safeguard against user mistakes,
typos, etc.
(8) If you have added or deleted lines above, modify the following line...
set The_Network_Folders to {Network_Trash_Folder_Path1, Network_Trash_Folder_Path2, ¬
Network_Trash_Folder_Path3}
Fewer Sharepoints
If you have fewer sharepoints, delete the variables (i.e.
"Network_Trash_Folder_Path3", "Network_Trash_Folder_Path2", etc.).
More Sharepoints
If you have more sharepoints, add the corresponding variables (i.e.
"Network_Trash_Folder_Path4", "Network_Trash_Folder_Path5", etc.)
(9) Test & Debug
Warning - If you have mistakes or typos, you can delete items from folders that
you do not intend. Make sure you double-check (and triple-check) that your paths
are correct. Also, you might test the script first on a non-production box. Basically,
simulate the paths to sharepoints on your server by creating a similar folder
structure. Since the name "Network Trash Folder" is reserved by the Mac OS, name
your test folder (and the path in the script) something else, like "Network Trash
Folder ƒ".
Then add items inside this "test" folder and run the script.
Also, to be really cautious, make sure you have a recent backup of your file server
before trying it on the server.
(10) Once you have tested and debugged the AppleScript, in Script Editor save it as a
"Classic Applet", and set the "Never Show Startup Screen" option.
Then copy the applet to your file server in any desired folder.
(11) Now, you can setup the schedule to launch the AppleScript applet. Open the "iDo
Script Scheduler" control panel.
Unless you have previously added events, the window will be empty.
Click on the "New..." button.
Select the desired "Trigger" (i.e. Repeating, Days of Week, Day of
Month, etc.) and set desired options, then select your "Empty Network
Trash Folder" applet.
I would recommend a time/date that your server is under less load
and good availability of the administrator to troubleshoot issues.
After you have set up iDo Script Scheduler to automatically run your
applet, I would recommend manually checking the "Network Trash
Folder" folders, to make sure everything is working properly after the
time/date it is supposed to launch it.
If all is working properly, you are done.
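As an added illustration of the safeguards in steps (7) to (9), here is a Python sketch (not the AppleScript this page refers to, and not the author's code) that resolves every trash folder path before deleting anything and removes only items older than 24 hours, the cutoff AShare Helper is described as using. The function names, the `trash_name` parameter and the sample folder tree are assumptions made for this example.

```python
import os
import shutil
import tempfile
import time

TRASH_NAME = "Network Trash Folder"  # folder name used on the page
MAX_AGE = 24 * 60 * 60               # assumption: same 24-hour cutoff as AShare Helper


def resolve_trash_folders(share_points, trash_name=TRASH_NAME):
    """Resolve every trash folder first and raise before anything is deleted,
    as the script's `as alias` lines do when a share point path is mistyped."""
    resolved = []
    for share_point in share_points:
        candidate = os.path.join(os.path.realpath(share_point), trash_name)
        # A missing folder or a symlink pointing elsewhere is a hard error.
        if os.path.islink(candidate) or not os.path.isdir(candidate):
            raise ValueError("not a trash folder: %r" % candidate)
        resolved.append(candidate)
    return resolved


def empty_trash_folders(share_points, trash_name=TRASH_NAME, now=None):
    """Delete top-level items older than MAX_AGE; return the removed paths."""
    now = time.time() if now is None else now
    removed = []
    for folder in resolve_trash_folders(share_points, trash_name):
        for entry in list(os.scandir(folder)):
            if now - entry.stat(follow_symlinks=False).st_mtime < MAX_AGE:
                continue  # recent: may belong to a user who is still logged in
            if entry.is_dir(follow_symlinks=False):
                shutil.rmtree(entry.path)
            else:
                os.unlink(entry.path)  # removes a symlink itself, never its target
            removed.append(entry.path)
    return sorted(removed)


def build_test_tree(root, trash_name):
    """Constructed sample data: a stale "Trash #1" folder and a fresh file."""
    share = os.path.join(root, "Share Point1")
    stale = os.path.join(share, trash_name, "Trash #1")
    os.makedirs(stale)
    with open(os.path.join(stale, "old.txt"), "w") as handle:
        handle.write("left behind by a crashed client")
    fresh = os.path.join(share, trash_name, "fresh.txt")
    with open(fresh, "w") as handle:
        handle.write("trashed a minute ago")
    two_days_ago = time.time() - 2 * MAX_AGE
    os.utime(stale, (two_days_ago, two_days_ago))
    return share, stale, fresh


if __name__ == "__main__":
    test_name = TRASH_NAME + " test"  # step (9): never test against the real name
    with tempfile.TemporaryDirectory() as root:
        share, _, _ = build_test_tree(root, test_name)
        print(empty_trash_folders([share], test_name))
```

Because all paths are resolved before the first deletion, one wrong entry in the share point list leaves every folder untouched.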