Changing an Xsan .auth_secret cleanly

21 Oct 2022

We posted previously about making manual profile changes when changing an Xsan's .auth_secret.  After more testing, we have confirmed that rebuilding Open Directory also lets us cleanly change the .auth_secret stored in Open Directory, so a newly generated .mobileconfig file will connect clients without modification.  To do this we need to stop the volume, remove all clients, remove the backup MDC, and destroy and rebuild the Open Directory that stores the Xsan configuration.  Then we reconnect all the pieces we removed, in the reverse order.

Remove Clients

On each client, the easiest way to remove its configuration is to remove the Xsan .mobileconfig profile.  This can be done in System Preferences -> Profiles: select the "Xsan Configuration Profile" and click the minus sign at the bottom.  The other option is to run sudo xsanctl unloadProfile.

Remove Backup MDC

On the backup MDC, leave the Xsan cleanly with sudo xsanctl leaveSan.  Then leave the Open Directory with sudo xsanctl destroyReplica --account <diradmin name> --pass <password>.

Stop Volume

On the primary MDC, stop the volume with sudo xsanctl stopVolume <volumename>.

Destroy Open Directory

Still on the primary MDC, destroy the Open Directory with sudo slapconfig -destroyldapserver.

Change .auth_secret

Now we can modify the .auth_secret.  This is a string in /Library/Preferences/Xsan/.auth_secret that works like a password to connect to the Xsan.  Without this value clients cannot connect.  Treat it like any other shared password: every client that can present it can join the SAN, which is why changing it means regenerating and redistributing the client profile rather than patching it by hand.

This file is owned by root and writable only by root.  To edit it, I recommend sudo nano /Library/Preferences/Xsan/.auth_secret, and check afterwards that the file is still root-owned and not readable by other users.  We will discuss a reason to make multiple Xsan .auth_secrets match in a future post.

Rebuild Open Directory

Now we can create a new Open Directory on our primary MDC with sudo slapconfig -createldapmasterandadmin --certAuthName <xsan cert name> --certAdminEmail <email@domain.tld> diradmin "Directory Administrator" 1000.  Please change the cert name, admin email, and directory admin account as appropriate for your organization.

You will be prompted for your administrator password to trust the new certificate and then for the new directory administrator’s password.

Once that is complete, we can populate the Xsan configuration in Open Directory with sudo xsanctl pushConfigUpdate.  This is the step that pushes the new .auth_secret value into our Open Directory.

Start Volume

Now we can start the volume again with sudo xsanctl startVolume <volumename>.  In testing this sometimes worked; other times I had to restart the MDC.  Either way, make sure the volume is up and running on the MDC before continuing.

Rebuild Backup MDC

Now we can re-join the Backup MDC with 

sudo xsanctl joinSan <san name> --controller-name <fully qualified metadata network mdc name> --controller-user <admin name> --controller-pass '<admin pass>' createReplica --master <fully qualified metadata network mdc name> --account <diradmin name> --pass '<diradmin pass>'

Rejoin Clients

From one of the MDCs, run sudo xsanctl exportClientProfile --path ~/Desktop to create a new .mobileconfig file on the MDC's Desktop.  Distribute this to your clients (MDM, ARD, sneaker net) and re-join them to the Xsan.  If you manually copy the file over and double-click it, you will need to open System Preferences -> Profiles to finalize the install.
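The primary-MDC part of the procedure above (stop volume, destroy Open Directory, change the secret, rebuild Open Directory, push the config, start the volume, export the profile), wrapped in a small script as an added example.  This is not from the original post or from Apple; it only calls the xsanctl and slapconfig commands exactly as the post gives them.  The volume, certificate and directory-admin names are assumed to arrive in the VOLUME, CERT_NAME, CERT_EMAIL and DIRADMIN environment variables, the stat flags used for the permission check are the GNU and BSD ones, and the secret is written with a trailing newline, as a nano edit would leave it.  DRY_RUN defaults to 1, so the script only records the command sequence to a log for review until you set DRY_RUN=0 and run it as root:

```shell
#!/bin/sh
# Added example, not the post's own tooling.  Assumes the client profiles
# and the backup MDC have already been removed as described above.
set -eu

SECRET_FILE="${SECRET_FILE:-/Library/Preferences/Xsan/.auth_secret}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = record commands only, 0 = execute
LOG="${LOG:-/tmp/xsan-rotate.log}"      # where dry-run commands are recorded

# run CMD ARGS...: execute the command, or in dry-run mode append it to $LOG.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*" >>"$LOG"
    else
        "$@"
    fi
}

# gen_auth_secret: print 32 random bytes as 64 hex characters.  Hex avoids
# characters that shells or profile generators might mangle, and 256 bits
# is ample for a shared secret that is never typed by a person.
gen_auth_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# check_secret_perms FILE OWNER: succeed only if FILE is owned by OWNER and
# is mode 0600, i.e. nobody but the owner can read the secret.
check_secret_perms() {
    f=$1; want_owner=$2
    if stat -c '%U %a' "$f" >/dev/null 2>&1; then    # GNU stat (Linux)
        set -- $(stat -c '%U %a' "$f")
    else                                              # BSD stat (macOS)
        set -- $(stat -f '%Su %Lp' "$f")
    fi
    [ "$1" = "$want_owner" ] && [ "$2" = "600" ]
}

# write_secret FILE SECRET [OWNER]: write SECRET into FILE as OWNER-only
# 0600, building it as a temp file and renaming so an interrupted write
# never leaves a truncated or world-readable secret behind.
write_secret() {
    f=$1; secret=$2; owner=${3:-root}
    tmp="$f.new.$$"
    ( umask 077; printf '%s\n' "$secret" >"$tmp" )
    chmod 600 "$tmp"
    chown "$owner" "$tmp"
    mv -f "$tmp" "$f"
}

# rotate: the post's primary-MDC sequence, in the order the post gives it.
rotate() {
    : "${VOLUME:?set VOLUME}" "${CERT_NAME:?set CERT_NAME}" \
      "${CERT_EMAIL:?set CERT_EMAIL}" "${DIRADMIN:?set DIRADMIN}"
    run xsanctl stopVolume "$VOLUME"
    run slapconfig -destroyldapserver
    if [ "$DRY_RUN" = 1 ]; then
        run write_secret "$SECRET_FILE" '<new secret>'   # never log the value
    else
        write_secret "$SECRET_FILE" "$(gen_auth_secret)" root
        check_secret_perms "$SECRET_FILE" root
    fi
    run slapconfig -createldapmasterandadmin --certAuthName "$CERT_NAME" \
        --certAdminEmail "$CERT_EMAIL" "$DIRADMIN" "Directory Administrator" 1000
    run xsanctl pushConfigUpdate          # pushes the new secret into OD
    run xsanctl startVolume "$VOLUME"     # confirm it is up before rejoining
    run xsanctl exportClientProfile --path "$HOME/Desktop"
}

# Only run the sequence when explicitly asked, e.g.
#   sudo env XSAN_ROTATE=1 DRY_RUN=0 VOLUME=MyVol CERT_NAME=xsan \
#        CERT_EMAIL=admin@example.com DIRADMIN=diradmin sh rotate.sh
if [ "${XSAN_ROTATE:-0}" = 1 ]; then
    rotate
fi
```

The createldapmasterandadmin step still prompts for the administrator and directory-administrator passwords, so run the live version from an interactive root shell rather than from an MDM script.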




Eric Hemmeter