Blog
Fast, Easy, Centralized Logging
You may disagree with a lot of things President Reagan said, but you can’t deny the utility of one of his favorite phrases, “Trust, but verify”. Log files, like spy planes, keep honest people honest. Logs can provide proof of unauthorized access, catching employees or others doing things they shouldn’t be doing on your network. In addition, your logs are often your only recourse to figure out what went wrong and when on a system that is heading south.
Posted in Linux, System Administration
Smartphone Innovation: Where good applications go to die
The smartphone has assimilated an increasing amount of functionality over the years, from cameras and video, to email, calendaring and the increasingly dizzying array of apps for sale across all mobile platforms. However, more often than not these mobile implementations barely rise above glorified proof of concept demos.
Today I’m looking at two emerging spaces in the app ecosystem: advanced mobile IT management tools and mobile virtualization.
Posted in Hardware, Mobile, System Administration
Firewalling NFS while keeping your sanity
If you’ve ever tried to set up NFS behind a firewall, you know that it’s not trivial. NFS depends on several helper daemons. The nfsd server itself listens on a fixed port (2049), but the rest of the RPC services register with portmap, which listens on port 111 and tells clients which port each service (mountd, statd, lockd) is currently using. Those daemons pick arbitrary ports when they start, and several of them listen on more than one, so a default NFS configuration can’t be firewalled with static rules. In this session we’ll pin each daemon to a fixed port so you can write ordinary firewall rules for them, and restrict those ports to the hosts that should be mounting from you.
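Here is an added example, not part of the original article, of the check you want once the ports are pinned: it reads the output of rpcinfo -p, confirms that every RPC service is on the port the firewall expects, and prints the matching iptables rules. The port numbers (892 for mountd, 662 for statd, 32803 for lockd) and the LAN range 192.168.1.0/24 are assumptions chosen for the example, as are the sample rpcinfo lines; on Red Hat-style systems those ports are set in /etc/sysconfig/nfs through MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT.

```shell
#!/bin/sh
# Added example: confirm the NFS helpers are on fixed ports and print matching
# firewall rules. Port numbers and the LAN range below are assumptions for the
# example, not values from the article.

NFS_LAN="192.168.1.0/24"

# service:port pairs, the same values assumed to be set in /etc/sysconfig/nfs
# (MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT/LOCKD_UDPPORT); 111 and 2049 are fixed.
PINNED="portmapper:111 nfs:2049 mountd:892 status:662 nlockmgr:32803"

# check_pinned RPCINFO_TEXT
# RPCINFO_TEXT is the output of `rpcinfo -p`. Prints one line per service,
# "<service> ok" or "<service> expected <port> got <ports>", and returns 1 if
# any service sits on a port the firewall rules will not admit.
check_pinned() {
    rc=0
    for pair in $PINNED; do
        svc=${pair%%:*}
        want=${pair##*:}
        # rpcinfo lists every (version, proto) registration; collect distinct ports
        got=$(printf '%s\n' "$1" | awk -v s="$svc" '$5 == s { print $4 }' | sort -u | tr '\n' ' ')
        got=${got% }
        if [ "$got" = "$want" ]; then
            echo "$svc ok"
        else
            echo "$svc expected $want got ${got:-nothing}"
            rc=1
        fi
    done
    return $rc
}

# nfs_rules: print iptables commands admitting the pinned ports from NFS_LAN
# only, then dropping the same ports from everywhere else.
nfs_rules() {
    ports=""
    for pair in $PINNED; do
        port=${pair##*:}
        ports="$ports${ports:+,}$port"
        for proto in tcp udp; do
            echo "iptables -A INPUT -s $NFS_LAN -p $proto --dport $port -j ACCEPT"
        done
    done
    for proto in tcp udp; do
        echo "iptables -A INPUT -p $proto -m multiport --dports $ports -j DROP"
    done
}

# Constructed sample of `rpcinfo -p` from a host where lockd was NOT pinned
# (it chose 40113 at boot), so the check flags it.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp    892  mountd
    100005    3   udp    892  mountd
    100024    1   tcp    662  status
    100024    1   udp    662  status
    100021    4   tcp  40113  nlockmgr
    100021    4   udp  40113  nlockmgr'

# Live use: check_pinned "$(rpcinfo -p)" && nfs_rules | sh
check_pinned "$SAMPLE_RPCINFO" || echo "fix /etc/sysconfig/nfs and restart nfs before applying the rules"
nfs_rules
```

Run the check after every NFS restart, not just once: a daemon that was pinned by a config file that later gets overwritten by a package update will quietly move back to a random port and your mounts will hang at the firewall.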
Posted in Linux, Security, System Administration, Tips and Tricks
Better living through linux firewall logging
Sometimes it’s the little things that drive you crazy. Like when you tail /var/log/messages on someone’s Linux system only to find a sea of iptables log entries: denied DHCP broadcasts, multicast DNS, everything. It takes just an extra grep to filter this out, but as any sysadmin can tell you, the little things add up to a lot of time and aggravation. Worse, the sea of irrelevant denies hides the entries that matter, the ones that show who’s actually probing your systems. With a --log-prefix on your LOG rules and a matching filter in your syslog configuration you can send the firewall log to its own file, and with a couple of rules placed ahead of the LOG rule you can drop the broadcast and multicast noise silently so it never gets logged at all.
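The following is an added example, not code from the original post: it prints the iptables rules and the rsyslog filter that put the firewall log in its own file, and includes a small awk summary that ignores the broadcast and multicast denies and counts what is left per source address and destination port, so the real probes float to the top. The log prefix "FW-DROP: ", the rsyslog syntax, and the sample log lines are assumptions for the example.

```shell
#!/bin/sh
# Added example: the iptables and syslog side of a separate firewall log, plus
# a summary of what remains after the broadcast/multicast noise is removed.
# Assumptions: the LOG prefix "FW-DROP: ", rsyslog as the syslog daemon, and
# the constructed sample log lines below.

# fw_log_rules: print the iptables commands. Broadcast and multicast denies
# are dropped before the LOG rule so they never reach the log; everything
# else that is refused is logged (rate-limited) and then dropped.
fw_log_rules() {
    cat <<'EOF'
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "FW-DROP: " --log-level 4
iptables -A LOGDROP -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -j LOGDROP
EOF
}

# fw_rsyslog_conf: rsyslog.conf lines sending prefixed messages to their own
# file and then discarding them so they stay out of /var/log/messages.
# "contains" rather than "startswith" because kernel messages usually carry a
# leading space. On rsyslog 7+ write "& stop" instead of "& ~".
fw_rsyslog_conf() {
    cat <<'EOF'
:msg, contains, "FW-DROP: " -/var/log/iptables.log
& ~
EOF
}

# fw_summary: read log lines on stdin, ignore anything aimed at the limited
# broadcast or a multicast address (DHCP, mDNS, SSDP), and count the remaining
# denies per source, protocol and destination port, busiest first.
fw_summary() {
    awk '
    /FW-DROP:/ {
        src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (dst == "255.255.255.255") next
        if (dst ~ /^2(2[4-9]|3[0-9])\./) next
        count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample log: one DHCP broadcast, one mDNS query, three SSH
# attempts from one host and one SMB probe from another.
SAMPLE_LOG='Jan 10 03:12:01 gw kernel: FW-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 10 03:12:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.20 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
Jan 10 03:13:10 gw kernel: FW-DROP: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=44310 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 03:13:11 gw kernel: FW-DROP: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31338 DF PROTO=TCP SPT=44311 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 03:13:12 gw kernel: FW-DROP: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31339 DF PROTO=TCP SPT=44312 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 03:14:00 gw kernel: FW-DROP: IN=eth1 OUT= SRC=198.51.100.9 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=9 DF PROTO=TCP SPT=55100 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0'

# Live use: fw_summary < /var/log/iptables.log
printf '%s\n' "$SAMPLE_LOG" | fw_summary
```

The rate limit on the LOG rule matters as much as the prefix: without it, a flood of denied packets can fill the disk the log lives on, which is its own denial of service.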
Posted in Linux, Security, System Administration, Tips and Tricks
Using Apple’s Open Directory PDC to authenticate Linux Samba servers
Samba is the result of some clever reverse-engineering to create reliable Windows file sharing without the headaches of a Windows server. Mac OS X clients can also use these shares, making Samba a great option for cross-platform environments. It’s not a common scenario to use an Open Directory server to control Linux systems, but here’s how to do it if you have one already and want to use Samba on Linux with your OD users. If you are finding the Xserve platform a little out of your budget for the amount of performance you get, or you don’t want to administer yet another Mac OS X Server system, this could be a great alternative to an AFP solution for your Macs.
We could host SMB shares directly on our OD server, but ideally we keep the OD server as just a directory and authentication server, and let other servers do the file-sharing heavy lifting.
Posted in Linux, Mac OS X Server, System Administration, Windows
Make some new friends automatically using iChat Server and launchd
The iChat Server module in Mac OS X Server provides a great interface to the jabberd daemon, getting you up and running quickly with standard and Kerberos authentication using your Open Directory users. Unfortunately, there are a few useful features that are not yet accessible in Server Admin. One of these is a simple tool for automatically making everyone a buddy of everyone else. In smaller organizations, it’s a great way to get in touch with everyone without having to ask each person to add each other individually.
Posted in Mac OS X Server, Scripts, System Administration, Tips and Tricks
Using Mac OS X Server’s RADIUS service with third-party devices
Mac OS X Server builds on well-known and powerful unix tools, tools which are at your full disposal if you understand how they work. One of these is the FreeRADIUS server included with 10.5 and 10.6 Server.
As is typical of Mac OS X Server, Server Admin makes it easy to add Apple base stations that authenticate against Open Directory using RADIUS. But what if you want to use the RADIUS server for other devices? Most decent managed switches and routers can authenticate to RADIUS. Wouldn’t it be great to have them authenticate against Open Directory? Read on.
Posted in Mac OS X Server, System Administration
Authenticating Apache 2 (Red Hat Enterprise Linux 5) to Open Directory
Apple’s Mac OS X Server build of Apache includes some cool modules that interface directly with Open Directory, if you host your sites on a Mac OS X Server box. If you are working on a Linux system, one of the easiest solutions is to use Apache’s LDAP modules (mod_ldap and mod_authnz_ldap in Apache 2.2) to get authentication and authorization against the Open Directory LDAP server.
Posted in System Administration, Tips and Tricks
Parallels Server for Mac – Roll your own snapshots with prlctl
The 8-core Xserve platform has often seemed overpriced and overkill for many IT server applications that require less performance, but must have server isolation for industry compliance, security, and high availability. Parallels has made a welcome step forward in virtualization on the Xserve platform, with Parallels Server for Mac. For an initial release, it has proven quite dependable despite a few issues with recent X Server updates. No doubt this product will continue to improve in the near future, and it’s exciting to see the Xserve hardware used more efficiently.
Posted in Mac OS X Server, Scripts, System Administration, Tips and Tricks
Creating an Adobe CS3 Installer with pkgGen
Here is an introductory guide on how to create an Adobe CS3 .pkg installer (in lieu of the silent install) with little to no fuss(1) and, more importantly, no real manual interaction with all the associated files. I have modified a Perl script from Geoff Franks that was created for parsing Microsoft Office update log files so that it now parses the output of logGen. Please note that Perl is not my primary language (as of late the snake is eating most of my llama time), so this is not yet as polished as other scripts I publicly post (I really didn’t have to change too much to get this working). I encourage the community to send back code additions and bug reports.
1. It’s worth mentioning that there are easier-to-use commercial tools such as Composer, and other approaches such as the slightly immature package snapshot feature (not recommended for CS3; trust me, I’ve tried it).
Please read the article below and then download pkgGen
Posted in One liners, Scripts, System Administration, Tips and Tricks
Deploy Environmental Variables via MCX
This is such a hack and is posted mainly for academic reasons
Here is a quick hack for pushing out environment variables via MCX (Managed Preferences). This only works with 10.4, and it’s a silly mishmash of stuff that is totally unsupported, which of course makes it the best kind of hack.
First, a little background on the file that makes this possible (environment.plist), courtesy of Apple.
From page 24 of Command_Line_v10.4_2nd_Ed [PDF]:
“Another way to set environment variables in Mac OS X is with a special property list in your home folder. At login, the computer looks for the ~/.MacOSX/environment.plist file. If the file is present, the computer registers the environment variables in the property-list file.”
Posted in One liners, Scripts, System Administration
Quota Monitor Menu (Mobile)
After seeing this post on afp548.com I decided to take the time to dive into a little Cocoa, as I have been trying to learn it recently. For anyone interested, I have modified the source code to display the size of /Volumes/<logname>, so you can have the menu display a home directory mounted by MCX, a login hook, a location file, an alias, etc. Basically, if you have a Portable (Mobile) account you can see the quota information (free space) of the mounted share instead of the local home folder’s file system.
Download: QuotaMonitorMenuMobile.zip
Note: the app has a different name, so modify your hook accordingly.
Posted with Adam Gerson’s permission
I also made one that uses the OriginalHomeDirectory attribute, but it would only work for people using a non-guest, pure Kerberos automount setup. If you would like it instead, feel free to contact me.
Posted in System Administration
“Elmer” automatic deletion of Mobile accounts
For anyone interested in deleting Mobile (Portable) accounts after a certain number of days (most likely in a lab environment), I have created a bash script with an accompanying login hook and a package installer (with postflight). Any feedback or code additions would be greatly appreciated. Static link here.

Elmer “Rabbit Droppings” remover v1.9
These scripts are designed to remove mobile home directories after 15 days of inactivity, test in a non production environment before deploying!
You can find the PackageMaker project here and the installer package here.
Posted in Scripts, System Administration, Tips and Tricks
CS3 Deployment for Mac OS X
Update: 8/20/2007 Zack has posted a guide to convert CS3 into a .pkg installer
The instructions in the official CS3 Deployment Guide [PDF] are somewhat misleading, and in some cases just don’t include information that you need. (Of course, if you are using logGen or other deployment tools to create a package, you can ignore this article; this is a resource for those who want to see, use or implement the CS3 silent installer.)
1. Understand that the “silent” installer is just the normal installer (you get an icon in the Dock and everything) with the screen output and dialogs suppressed. So instead of prompting on error, the app just quits, with no log or mention of why. For example, the installer fails if you have Safari or Firefox open; the normal install prompts you with the error, but in silent mode no mention of why the install failed shows up in the log.
2. It also fails if the installer is not run with sudo or as root. Again, there is no error message to tell you so (this is mentioned indirectly in the ARD part of the deployment guide, but nowhere else).
3. The “deploy over ARD” option is simply to copy the installation files to the client machine and then push out the unix command from ARD to run the silent installer.
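Since the silent installer quits without saying why, a wrapper that checks the two conditions above before starting, and records the installer’s exit status afterwards, turns a silent failure into a logged one. The script below is an added example and not from the article or from Adobe’s guide: the installer command itself is not given here, so the wrapper takes it from the CS3_INSTALL_CMD variable (an assumption), and the browser process names and the sample process list are assumptions too.

```shell
#!/bin/sh
# Added example: make the CS3 silent installer's failure modes visible. The
# installer command is not given in the article, so it is read from
# $CS3_INSTALL_CMD (assumption); the process names checked for and the
# constructed process list below are assumptions as well.

# cs3_preflight UID PROCESS_LIST
# PROCESS_LIST is the output of `ps -axo comm=`. Prints each reason the silent
# install would quit without explanation and returns 1 if there is one.
cs3_preflight() {
    uid=$1
    procs=$2
    rc=0
    if [ "$uid" -ne 0 ]; then
        echo "not running as root: invoke with sudo or from ARD as root"
        rc=1
    fi
    # the installer quits if Safari or Firefox is open (firefox-bin on 10.4)
    for app in Safari firefox-bin; do
        if printf '%s\n' "$procs" | grep -q -i "$app"; then
            echo "$app is running: quit it before installing"
            rc=1
        fi
    done
    return $rc
}

# run_cs3_install LOGFILE: run the installer, capture its output and exit
# status in LOGFILE, and return the status so a push from ARD shows failure.
run_cs3_install() {
    log=$1
    if [ -z "$CS3_INSTALL_CMD" ]; then
        echo "CS3_INSTALL_CMD is not set" >&2
        return 2
    fi
    echo "starting CS3 silent install: $(date)" >> "$log"
    sh -c "$CS3_INSTALL_CMD" >> "$log" 2>&1
    status=$?
    echo "installer exit status: $status" >> "$log"
    return $status
}

# Constructed process list from a machine with Safari open
SAMPLE_PROCS='/sbin/launchd
/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
/Applications/Safari.app/Contents/MacOS/Safari
/usr/sbin/sshd'

# Live use:
#   cs3_preflight "$(id -u)" "$(ps -axo comm=)" && run_cs3_install /var/log/cs3-install.log
cs3_preflight 501 "$SAMPLE_PROCS" || echo "preflight failed; not starting the installer"
```

Pushed through ARD as the wrapper rather than the bare installer command, a failed preflight comes back as a non-zero result in ARD’s task window with the reason in the log, instead of a machine that simply has no CS3 on it the next morning.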
Posted in Scripts, System Administration, Tips and Tricks
Installing intermediate (Turbo SSL) certificates from godaddy.com in Kerio MailServer
There are many compelling reasons to use SSL wherever possible on your server. We use and deploy Kerio MailServer quite frequently and there is extensive support for SSL certificates built into the product.
By default Kerio MailServer generates a self-signed certificate the first time it is set up. A self-signed certificate does give you an encrypted connection, and for some uses that is enough, but in many situations clients will warn that the certificate is not trusted because it has not been signed by a certificate authority they know. In short, the connection is encrypted, but the client has no way to confirm that your server is who it says it is: an attacker in the path could present a self-signed certificate of their own and the warning would look exactly the same. That assurance only comes when the certificate chains to a trusted certificate authority, and for GoDaddy’s Turbo SSL certificates that chain includes an intermediate certificate the server must present along with its own.
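The thing that goes wrong with intermediate certificates is that the server is configured with only its own certificate and sends a one-certificate chain, so clients that don’t already hold the intermediate reject it. The script below is an added example, not from the post, of checking what a server actually presents using openssl s_client -showcerts: it counts the certificates in the chain and reports the verify result. The hostname and port in the usage line and the abbreviated s_client transcripts are constructed for the example; the live check uses OpenSSL’s default trust store.

```shell
#!/bin/sh
# Added example (not from the article): inspect the certificate chain a mail
# server presents. The hostname/port in the usage line and the constructed
# s_client transcripts below are assumptions for the example.

# chain_certs S_CLIENT_OUTPUT: count the certificates in the output of
# `openssl s_client -showcerts`. 1 means the server sent only its own
# certificate, so clients that do not already hold the intermediate will
# reject it as untrusted.
chain_certs() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# chain_status S_CLIENT_OUTPUT: "ok" when verification succeeded, otherwise
# the error text s_client reported, e.g. "unable to verify the first certificate",
# which is exactly what a missing intermediate produces.
chain_status() {
    if printf '%s\n' "$1" | grep -q '^Verify return code: 0 (ok)'; then
        echo ok
    else
        printf '%s\n' "$1" | sed -n 's/^Verify return code: [0-9]* (\(.*\))$/\1/p'
    fi
}

# check_server HOST PORT: live check against an IMAPS/POP3S/SMTPS port using
# OpenSSL's default trust store (needs network access).
check_server() {
    out=$(openssl s_client -connect "$1:$2" -showcerts < /dev/null 2>/dev/null)
    echo "certificates presented: $(chain_certs "$out")"
    echo "verification: $(chain_status "$out")"
}

# Constructed, abbreviated s_client transcripts: one from a server sending
# only its leaf certificate, one after the intermediate was installed.
LEAF_ONLY='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example/CN=mail.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...leaf...
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)'

WITH_INTERMEDIATE='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example/CN=mail.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...leaf...
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIID...intermediate...
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)'

# Live use: check_server mail.example.com 993
echo "leaf only: $(chain_certs "$LEAF_ONLY") certificate(s), $(chain_status "$LEAF_ONLY")"
echo "with intermediate: $(chain_certs "$WITH_INTERMEDIATE") certificate(s), $(chain_status "$WITH_INTERMEDIATE")"
```

Run the live check against every port the server offers TLS on (IMAPS, POP3S, SMTP submission with STARTTLS, and the webmail port): a chain fixed for one service can still be missing on another if it was configured separately.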
Posted in System Administration
Changing the root password from S.U.M.
A while ago I posted to the Mac OS X Server list a way of changing or setting the root password from Single User Mode, i.e. without an install DVD handy and without having to start any daemons. I even found it the other day on Mr. Shoop’s site (Firefox: direct link; Safari: index link). I thought I would write it up and talk about how it works and some caveats. I also included a little general information about “local” passwords. The flip side is worth remembering: anyone who can boot a Mac into Single User Mode can do the same thing to yours, which is what a firmware password (Open Firmware on PowerPC, EFI on Intel Macs) is there to prevent.
Posted in System Administration, Tips and Tricks
ADmitMac vs. “tss_check_cifs” error
One of my clients is a small group of Mac users in a large, Windows-centric company. The Macs use ADmitMac to authenticate against Active Directory for user login and to mount network shares. One user suddenly stopped being able to mount network shares, either as a login item or manually using “Connect to Server”. The symptom when logging in is an error dialog, one for each share, that states “tss_check_cifs is not running”. I check Activity Monitor, and tss_check_cifs is running; what gives? I check the logs, and there’s nothing. I try mounting the share manually, and the symptom then is that the blue barber-shop bar comes up for a few seconds like normal, then nothing: no mount, no error, no log, no anything.
I know it’s not Kerberos, or the time being off, or DNS, or anything basic like that, because she can still authenticate and log in successfully. I Google the error and there are two pages, neither of which has anything to do with this situation. I go as far as uninstalling and reinstalling ADmitMac with no improvement. Sigh.
Finally, after several hours of pulling my hair out, trying everything short of an Archive and Install, I break down and call Thursby’s tech support (I figure I’ve done enough RTFM’ing at this point), and the first thing out of the guy’s mouth is “Oh yeah, that’s a bug. Apple changed the way startup items work after 10.4.6. Here’s a link to a pre-release build that fixes the issue.” The official update should be out soon. Until then, here’s Thursby’s number: 1-817-478-5070.
Posted in System Administration, Tips and Tricks, Windows
SMB / CIFS Network Mount Trouble
I was setting up a brand new MacBook for a client, and when I tested the .inetloc URL for the client’s network share on one of the MacBooks I got a curious dialog box saying “…blah blah couldn’t mount blah blah unexpected error blah blah…”
I checked the system log and found this:
kernel[0]: mount version mismatch: kernel=103700, mount=103600
First I reinstalled the Mac OS X 10.4.9 Combo Update and Security Update 2007-004, but no joy. Then I did some investigating and, voilà, I found that the smb daemon version (in Terminal: /sbin/mount_smbfs -v) and the smb kext version (System Profiler > Extensions > smbfs) didn’t match, the former being 1.3.6 and the latter 1.3.7. The fix is to locate mount_smbfs version 1.3.7 on another machine, copy it (I used cp -Rpv) to the problem machine, repair permissions and then restart. SMB network shares now mount fine.
Posted in System Administration, Tips and Tricks
Map “Network Drives” on Mac OS X Part 1.
Updated: 6/6/2007 I added some AppleScript for all you Googlers.
First, a little background: for a while now I have been teaching “URL Fun” in my server classes. It’s a pretty universal concept that you find server admins implementing on Mac OS X clients: an alias, link, script or application that connects to a server at login. Windows folks normally refer to this as a “mapped network drive”, which is why I chose it for the name of this article. I actually find it humorous how often I get asked to make a link to the “X” or “Q” drive when consulting; it’s a testament to how simple this is on Windows that people have no idea of the share’s name, just the drive letter (for better or worse). There are multiple ways of accomplishing this on OS X, some better or fancier than others. All of them try to get around requiring users to use “Go” > “Connect To Server”.
Part 1: “Aliases” and “Location” Files
Part 2: AppleScript and Login items
Part 3: Shell Scripts and Login Hooks
Part 4: Automounts with Directory Services
Posted in Mac OS X Server, System Administration, Tips and Tricks
