Mac OS X Snow Leopard Self Service Client Only Communicates with JSS via root

Allen
New Contributor

Hello,

Several months ago I began having issues installing any software via the Self Service application. The application will launch and when you click on an item to install, at one point you would only see the minimized icon move toward the corner of the window and never see a progress bar for the policy. After a while the progress bar would show up briefly along with the install package in the left pane and then they would silently go away.

As a test today I started the Self Service application from a terminal session via sudo and autenticated with my credentials (my account is the administrator account). After doing so, I was able to use the Self Service application that was launched to successfully install packages.

I then decided to perform some other test to attempt to isolate the cause.

I first attempted to check the connection without obtaining "admin/root" access and received the following:

vms-cic-0001:~ myuser$ /usr/sbin/jamf checkJSSConnection Checking availability of http://casper.ourjss.net:9006//... Waiting 5 seconds to try again... Checking availability of http://casper.ourjss.net:9006//... Waiting 5 seconds to try again... ^C

I then performed the same connection test via sudo as "admin/root" it was successful:

vms-cic-0001:~ myuser$ sudo /usr/sbin/jamf checkJSSConnection
Checking availability of http://casper.ourjss.net:9006//...
The JSS is available.

I then checked the permissions on the plist file that contains the JSS server info and it is readable by everyone, so I don't think this is causing the failures (also, even in the initial test it correctly identified the DNS name and port of the server it is supposed to be contacting):

vms-cic-0001:~ myuser$ ls -l /Library/Preferences/com.jamfsoftware.jamf.plist
-rw-r--r-- 1 root admin 193 Feb 6 14:39 /Library/Preferences/com.jamfsoftware.jamf.plist

I then tried contacting http://casper.ourjss.net:9006 via both the Firefox and Safari web browsers without obtaining "admin/root" and successfully reached the login page on the JSS via both browsers. That would rule out a certificate or firewall issue (from what I can tell the local firewall on my MB is disabled anyway).

Next I started up an IP level trace and noticed that when I issue "/usr/sbin/jamf checkJSSConnection" without becoming "admin/root" first, I see no traffic leave my MB targeting casper.ourjss.net on any port. However, if I execute the same command via sudo with "admin/root" I see packets exchanged between my MB and the JSS (see excerpt below):

myhost.mydomain.net.49713 > casper.ourjss.net.9006: Flags [S], cksum 0x3e32 (incorrect -> 0xfda2), seq 1704906950, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 647411969 ecr 0,sackOK,eol], length 0
11:20:51.894287 IP (tos 0x0, ttl 56, id 36767, offset 0, flags [DF], proto TCP (6), length 64) casper.ourjss.net.9006 > myhost.mydomain.net.49713: Flags [S.], cksum 0xdfd1 (correct), seq 2060480419, ack 1704906951, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 1073738573 ecr 647411969,sackOK,eol], length 0
11:20:51.894344 IP (tos 0x0, ttl 64, id 1784, offset 0, flags [DF], proto TCP (6

One other thing… I did find that when I execute "/usr/sbin/jamf checkJSSConnection" without sudo it creates the following two files, but both are empty and only exist until the command goes into the wait state. Presumably it deletes them and recreates them when it attempts to verify the connection again:

/private/tmp/PID.form (where "PID" is the process ID of the process executing the command) /private/tmp/PID.tmp (where "PID" is the process ID of the process executing the command)

I don't manage our JSS installation. I am an operating system engineer for Linux on System z and use a MacBook as my client device. However, the engineer that architects and manages our Mac images and the JSS installation is very knowledgeable and excellent at what he does. I'm sure any information you may provide here he can make sense of if it is something that needs to be checked/modified on the server side. If it is on my MacBook client, with some guidance I should be able to find it.

I have gone through the steps to correct permissions, etc. on my MacBook while booted from a restore partition and it did not help the situation.

Thanks in advance for any suggestions.

Best Regards,

Ted

0 REPLIES 0