Re-installation issue on OS X

[bbarker]

I was attempting to reinstall nix on OS X for reasons described elsewhere, however, this fails, as shown below. The error appears like it may be related to active directory, and indeed this machine is an AD-connected system.

macbookwh:~ bbarker$ sudo diskutil umount /Volumes/Nix\ Store/
Volume Nix Store on disk1s6 unmounted
macbookwh:~ bbarker$ curl -L https://nixos.org/nix/install | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4024  100  4024    0     0   2519      0  0:00:01  0:00:01 --:--:-- 3929k
downloading Nix 2.4 binary tarball for x86_64-darwin from 'https://releases.nixos.org/nix/nix-2.4/nix-2.4-x86_64-darwin.tar.xz' to '/var/folders/_f/1dn5fzlx35n3_zc7nw290w119r5pmn/T/nix-binary-tarball-unpack.XXXXXXXXXX.nLcQoy0z'...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 33.5M  100 33.5M    0     0  2374k      0  0:00:14  0:00:14 --:--:-- 2903k
Switching to the Multi-user Installer
Welcome to the Multi-User Nix Installation

This installation tool will set up your computer with the Nix package
manager. This will happen in a few stages:

1. Make sure your computer doesn't already have Nix. If it does, I
   will show you instructions on how to clean up your old install.

2. Show you what we are going to install and where. Then we will ask
   if you are ready to continue.

3. Create the system users and groups that the Nix daemon uses to run
   builds.

4. Perform the basic installation of the Nix files daemon.

5. Configure your shell to import special Nix Profile files, so you
   can use Nix.

6. Start the Nix daemon.

Would you like to see a more detailed list of what we will do?
No TTY, assuming you would say yes :)

We will:

 - make sure your computer doesn't already have Nix files
   (if it does, I will tell you how to clean them up.)
 - create local users (see the list above for the users we'll make)
 - create a local group (nixbld)
 - install Nix in to /nix
 - create a configuration file in /etc/nix
 - set up the "default profile" by creating some Nix-related files in
   /var/root
 - back up /etc/bashrc to /etc/bashrc.backup-before-nix
 - update /etc/bashrc to include some Nix configuration
 - back up /etc/zshrc to /etc/zshrc.backup-before-nix
 - update /etc/zshrc to include some Nix configuration
 - create a Nix volume and a LaunchDaemon to mount it
 - create a LaunchDaemon (at /Library/LaunchDaemons/org.nixos.nix-daemon.plist) for nix-daemon

Ready to continue?
No TTY, assuming you would say yes :)

---- let's talk about sudo -----------------------------------------------------
This script is going to call sudo a lot. Normally, it would show you
exactly what commands it is running and why. However, the script is
run in a headless fashion, like this:

  $ curl -L https://nixos.org/nix/install | sh

or maybe in a CI pipeline. Because of that, we're going to skip the
verbose output in the interest of brevity.

If you would like to
see the output, try like this:

  $ curl -L -o install-nix https://nixos.org/nix/install
  $ sh ./install-nix


~~> Fixing any leftover Nix volume state
Before I try to install, I'll check for any existing Nix volume config
and ask for your permission to remove it (so that the installer can
start fresh). I'll also ask for permission to fix any issues I spot.

---- Found existing Nix volume -------------------------------------------------
  special:	disk1s6
     uuid:	9A05F827-784D-4EE7-9920-8126437F1E96
encrypted:	no

During install, I add 'nix' to /etc/synthetic.conf, which instructs
macOS to create an empty root directory for mounting the Nix volume.
Can I remove /etc/synthetic.conf?
No TTY, assuming you would say yes :)
During install, I add '/nix' to /etc/fstab so that macOS knows what
mount options to use for the Nix volume.
Can I remove /etc/fstab?
No TTY, assuming you would say yes :)

The installer adds a LaunchDaemon to mount your Nix volume: org.nixos.darwin-store
Can I remove it?
No TTY, assuming you would say yes :)

---- Nix config report ---------------------------------------------------------
        Temp Dir:	/var/folders/_f/1dn5fzlx35n3_zc7nw290w119r5pmn/T/tmp.lcHoteEyET
        Nix Root:	/nix
     Build Users:	32
  Build Group ID:	30000
Build Group Name:	nixbld

build users:
    Username:	UID
     _nixbld1:	301
     _nixbld2:	302
     _nixbld3:	303
     _nixbld4:	304
     _nixbld5:	305
     _nixbld6:	306
     _nixbld7:	307
     _nixbld8:	308
     _nixbld9:	309
     _nixbld10:	310
     _nixbld11:	311
     _nixbld12:	312
     _nixbld13:	313
     _nixbld14:	314
     _nixbld15:	315
     _nixbld16:	316
     _nixbld17:	317
     _nixbld18:	318
     _nixbld19:	319
     _nixbld20:	320
     _nixbld21:	321
     _nixbld22:	322
     _nixbld23:	323
     _nixbld24:	324
     _nixbld25:	325
     _nixbld26:	326
     _nixbld27:	327
     _nixbld28:	328
     _nixbld29:	329
     _nixbld30:	330
     _nixbld31:	331
     _nixbld32:	332

Ready to continue?
No TTY, assuming you would say yes :)

---- Preparing a Nix volume ----------------------------------------------------
    Nix traditionally stores its data in the root directory /nix, but
    macOS now (starting in 10.15 Catalina) has a read-only root directory.
    To support Nix, I will create a volume and configure macOS to mount it
    at /nix.

~~> Configuring /etc/synthetic.conf to make a mount-point at /nix

~~> Creating a Nix volume

~~> Configuring /etc/fstab to specify volume mount options

~~> Configuring LaunchDaemon to mount 'Nix Store'

~~> Setting up the build group nixbld
            Created:	Yes

~~> Setting up the build user _nixbld1
           Created:	Yes
            Hidden:	Yes
    Home Directory:	/var/empty
              Note:	Nix build user 1
   Logins Disabled:	Yes
  Member of nixbld:	Yes
    PrimaryGroupID:	30000

~~> Setting up the build user _nixbld2
           Created:	Yes
            Hidden:	Yes
    Home Directory:	/var/empty
              Note:	Nix build user 2
   Logins Disabled:	Yes
  Member of nixbld:	Yes
    PrimaryGroupID:	30000

~~> Setting up the build user _nixbld3
           Created:	Yes
            Hidden:	Yes
    Home Directory:	/var/empty
              Note:	Nix build user 3
   Logins Disabled:	Yes
  Member of nixbld:	Yes
    PrimaryGroupID:	30000

~~> Setting up the build user _nixbld4
           Created:	Yes
            Hidden:	Yes
    Home Directory:	/var/empty
              Note:	Nix build user 4
   Logins Disabled:	Yes
  Member of nixbld:	Yes
    PrimaryGroupID:	30000

~~> Setting up the build user _nixbld5
           Created:	Yes
            Hidden:	Yes
    Home Directory:	/var/empty
              Note:	Nix build user 5
   Logins Disabled:	Yes
  Member of nixbld:	Yes
    PrimaryGroupID:	30000

~~> Setting up the build user _nixbld6
           Created:	Yes
            Hidden:	Yes
    Home Directory:	/var/empty
              Note:	Nix build user 6
   Logins Disabled:	Yes
  Member of nixbld:	Yes
    PrimaryGroupID:	30000

~~> Setting up the build user _nixbld7
           Created:	Yes
            Hidden:	Yes
    Home Directory:	/var/empty
              Note:	Nix build user 7
sudo: 4294967295: invalid value
sudo: error initializing audit plugin sudoers_audit

---- oh no! --------------------------------------------------------------------
Jeeze, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.

:(

We'd love to help if you need it.

You can open an issue at https://github.com/nixos/nix/issues

Or feel free to contact the team:
 - Matrix: #nix:nixos.org
 - IRC: in #nixos on irc.libera.chat
 - twitter: @nixos_org
 - forum: https://discourse.nixos.org

[toonn]

What do id and dsconfig ad -show report? Does it look like rebinding the domain may fix the issue?

[bbarker]

The UID and GID from id appear OK as far as i know, as they are of the form indicated in the forum post:

uid=1234567891(sanitized) gid=9876543219(DOMAINNAME\Domain Users)

dsconfigad -show:

$ dsconfigad --show
Active Directory Forest          = whillus.local
Active Directory Domain          = whillus.local
Computer Account                 = nj-dev-m-19028$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Enabled
  Use Windows UNC path for home  = Enabled
     Network protocol to be used = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = domain admins,enterprise admins
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain

[abathur]

How big of a disruption/blocker is this for you? Have you re-tried (and if so, how regularly is it failing?)

In a pinch, you can reduce the number of users created with --daemon-user-count N, which may increase the odds of a successful install.

[bbarker]

Thanks for the suggestion, @abathur - i can begin to see why your suggestion worked, as I've had infrequent issues with sudo; my first try with N == 6 worked.

Currently, not a huge issue, I didn't have many Nix workflows on this machine at the moment.

I hit another bump in the road when trying to use Nix however:

$ nix-env -i ripgrep
warning: name collision in input Nix expressions, skipping '/Users/bbarker/.nix-defexpr/channels_root/nixpkgs'
warning: ignoring untrusted substituter 'https://all-hies.cachix.org'
error: store path '/nix/store/dpknw3p7wfhq41yc4np5v42fs16z3jj9-nixpkgs-21.11pre301056.7b4ff2184e4' is not allowed to have references

[abathur]

I'm not familiar with this, but I do see a few issues since the 2.4 release mentioning the same message. I'll ask on Matrix to see if I can find someone up to speed on the issue...

[pinage404]

After several tries (including deleting Nix partition), i had to do this command before launching the installation command

export PATH="/usr/sbin:$PATH"

to make this line work

nix/scripts/install-darwin-multi-user.sh

Line 221 in 1a9bfdc

if [ "$(diskutil info -plist /nix | xmllint --xpath "(/plist/dict/key[text()='GlobalPermissionsEnabled'])/following-sibling::*[1]" -)" = "<false/>" ]; then

[stale]

I marked this as stale due to inactivity. → More info

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/cant-reinstall-nixos-on-os-x/20902/1