Changing an Xsan .auth_secret cleanly
21 Oct 2022
We posted previously about making manual profile changes when changing an Xsan’s .auth_secret. After some more testing, we have confirmed that rebuilding Open Directory also allows us to cleanly change the .auth_secret stored in Open Directory, so a newly generated .mobileconfig file will connect clients without modification. To do this we will need to stop the volume, remove all clients, remove the backup MDC, and destroy and rebuild the Open Directory that stores the Xsan configuration. Then we can reconnect all the pieces we removed, in the order below.
Remove Clients
On each client, the easiest way to remove the configuration is to remove the Xsan .mobileconfig profile. This can be done in System Preferences -> Profiles: select the “Xsan Configuration Profile” and click the minus sign at the bottom. The other option is to run
sudo xsanctl unloadProfile.
Remove Backup MDC
On your backup MDC, we can cleanly leave the Xsan with
sudo xsanctl leaveSan. Then we can leave the Open Directory with
sudo xsanctl destroyReplica --account <diradmin name> --pass <password>.
On the primary MDC, stop the volume with
sudo xsanctl stopVolume <volumename>.
Destroy Open Directory
Still on the primary MDC, destroy the Open Directory with
sudo slapconfig -destroyldapserver.
Now we can modify the .auth_secret. This is a string stored in /Library/Preferences/Xsan/.auth_secret that works like a password for joining the Xsan: a client without the correct value cannot connect, and anyone who holds it can, so treat it as a credential.
This file is owned and writable only by root. To edit it, I recommend
sudo nano /Library/Preferences/Xsan/.auth_secret. We will discuss a reason to make multiple Xsan .auth_secrets match in a future post.
Rebuild Open Directory
Now we can create a new Open Directory on our primary MDC with
sudo slapconfig -createldapmasterandadmin --certAuthName <xsan cert name> --certAdminEmail <email@example.com> diradmin "Directory Administrator" 1000. Please change the cert name, admin email, and directory admin account as appropriate for your organization.
You will be prompted for your administrator password to trust the new certificate and then for the new directory administrator’s password.
Once that is complete, we can populate the Xsan configuration in Open Directory with
sudo xsanctl pushConfigUpdate. This is the step that pushes the new .auth_secret value into our Open Directory.
Now we can start the volume again with
sudo xsanctl startVolume <volumename>. In testing sometimes this worked, other times I had to restart the MDC. In either case, make sure the volume is up and running on the MDC before continuing.
Rebuild Backup MDC
Now we can re-join the Backup MDC with
sudo xsanctl joinSan <san name> --controller-name <fully qualified metadata network mdc name> --controller-user <admin name> --controller-pass '<admin pass>' createReplica --master <fully qualified metadata network mdc name> --account <diradmin name> --pass '<diradmin pass>'
From one of the MDCs, run
sudo xsanctl exportClientProfile --path ~/Desktop to create a new .mobileconfig file on the MDC’s Desktop. Distribute this to your clients (MDM, ARD, sneaker net) and re-join them to the Xsan. If you manually copy it over and double-click it, you will need to open System Preferences -> Profiles to finalize the install.
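The whole procedure above, as an added example that is not code from the original post: a runbook with a dry-run switch, plus helpers that generate a random .auth_secret and install it atomically with root-only permissions instead of typing it into nano. The xsanctl and slapconfig invocations are exactly the ones the post lists; the variable names, the helper functions, the 0600 file mode, the alphanumeric secret alphabet and the DRY_RUN switch are my assumptions. It is meant to be run as root (sudo ./rotate-auth-secret.sh <role>), which is why the commands carry no sudo prefix.

```shell
#!/bin/sh
# Added example, not from the original post. Commands are the post's; variable
# names, helpers, the 0600 mode, the secret alphabet and DRY_RUN are assumptions.
set -eu

AUTH_SECRET_PATH=/Library/Preferences/Xsan/.auth_secret
VOLUME=${VOLUME:-MyVolume}                          # placeholder volume name
SAN_NAME=${SAN_NAME:-MySAN}                         # placeholder SAN name
PRIMARY_FQDN=${PRIMARY_FQDN:-mdc1.san.example.com}  # primary MDC on the metadata network
ADMIN_USER=${ADMIN_USER:-admin}                     # local admin on the primary MDC
ADMIN_PASS=${ADMIN_PASS:-}                          # supplied via the environment
DIRADMIN=${DIRADMIN:-diradmin}                      # Open Directory admin short name
DIRADMIN_PASS=${DIRADMIN_PASS:-}
CERT_NAME=${CERT_NAME:-xsan-od}                     # certificate authority name for slapconfig
CERT_EMAIL=${CERT_EMAIL:-admin@example.com}
PROFILE_DIR=${PROFILE_DIR:-${HOME:-/var/root}/Desktop}  # where the .mobileconfig is written
DRY_RUN=${DRY_RUN:-1}                               # 1 = print each command instead of running it

# Print the command under DRY_RUN=1, otherwise execute it (set -e aborts on failure).
run() {
  if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Random alphanumeric secret of the requested length from /dev/urandom.
# Assumption: Xsan accepts a plain alphanumeric string; the post does not state an alphabet.
gen_auth_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Write the secret atomically with mode 0600 (assumed; the post only says the file
# is owned and writable only by root). Running as root makes root the owner.
write_auth_secret() {
  path=$1 secret=$2
  tmp="$path.tmp.$$"
  ( umask 077; printf '%s\n' "$secret" >"$tmp" )
  mv "$tmp" "$path"
}

# First line of the secret file, to verify the write or compare two MDCs.
read_auth_secret() { head -n 1 "$1"; }

# Octal mode of a file: GNU stat (Linux) first, BSD stat (macOS) as fallback.
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Client: drop the Xsan configuration profile.
detach_client() { run xsanctl unloadProfile; }

# Backup MDC: leave the SAN, then leave the Open Directory replica.
detach_backup_mdc() {
  run xsanctl leaveSan
  run xsanctl destroyReplica --account "$DIRADMIN" --pass "$DIRADMIN_PASS"
}

# Primary MDC: stop the volume, destroy OD, install the new secret, rebuild OD,
# push the config (this stores the new secret in OD), restart the volume, export
# a fresh client profile. The secret itself is never echoed in dry-run output.
rotate_primary() {
  new_secret=$1
  run xsanctl stopVolume "$VOLUME"
  run slapconfig -destroyldapserver
  if [ "$DRY_RUN" = 1 ]; then
    printf 'DRY-RUN: write_auth_secret %s <new secret>\n' "$AUTH_SECRET_PATH"
  else
    write_auth_secret "$AUTH_SECRET_PATH" "$new_secret"
  fi
  run slapconfig -createldapmasterandadmin --certAuthName "$CERT_NAME" \
      --certAdminEmail "$CERT_EMAIL" "$DIRADMIN" "Directory Administrator" 1000
  run xsanctl pushConfigUpdate
  run xsanctl startVolume "$VOLUME"   # the post notes an MDC restart was sometimes needed here
  run xsanctl exportClientProfile --path "$PROFILE_DIR"
}

# Backup MDC: rejoin the SAN and recreate the OD replica in one command, as in the post.
rejoin_backup_mdc() {
  run xsanctl joinSan "$SAN_NAME" --controller-name "$PRIMARY_FQDN" \
      --controller-user "$ADMIN_USER" --controller-pass "$ADMIN_PASS" \
      createReplica --master "$PRIMARY_FQDN" --account "$DIRADMIN" --pass "$DIRADMIN_PASS"
}

case "${1:-}" in
  client)       detach_client ;;
  backup-leave) detach_backup_mdc ;;
  primary)      rotate_primary "$(gen_auth_secret 32)" ;;
  backup-join)  rejoin_backup_mdc ;;
  *)            : ;;   # no role given: only define the functions
esac
```

Run it once per role with DRY_RUN=1 to review the exact command sequence, then with DRY_RUN=0 on each machine in the post's order: client, backup-leave, primary, backup-join. The slapconfig -createldapmasterandadmin step still prompts interactively, as the post describes. Two caveats worth keeping in mind: destroyReplica and joinSan take passwords as command-line arguments, so they are visible to other local users in the process list while they run (reading them from the environment at least keeps them out of shell history), and a dry run prints whatever those variables hold, so leave them empty while reviewing.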