November 12, 2009

Build WebAuth with Mac OS X Server 10.6 (Snow Leopard)


WebAuth (cf developer link) can be built cleanly on Mac OS X Server 10.6 with no additional flags or configuration edits. Just ./configure, make and sudo make install. Because of the changes in Snow Leopard server, you can now use WebAuth while continuing to use Apple's Server Admin.app tool to manage your web server.

This differs from Mac OS X 10.5, whose httpd is built for four architectures (32- and 64-bit PowerPC and x86). WebAuth, like many other Apache modules, did not build properly there, since each module needed to be built for all four architectures, too. (Instructions for Leopard Server are here. For instructions on installing WebAuth on other Unix-like operating systems, see here.)

Here's a list of things that are, I think, unique to the process of installing and using WebAuth on Mac OS X Server 10.6, after the jump.

Continue reading "Build WebAuth with Mac OS X Server 10.6 (Snow Leopard)" »

October 20, 2009

Hiding directories containing spaces in Samba

When configuring Samba 3 to hide Mac-specific directories from Windows users, I typically edit /etc/smb.conf on my Mac OS X Server, using either

veto files =
hide files =

This worked fine — until it didn't. Seems I wasn't doing it properly.

There's a lot of (typically legacy) HFS detritus sprinkled around on a Mac server. When both AFP and SMB are enabled, Windows users see these bits and pieces, much to their confusion. (These files and directories are invisible to Macs.)

Originally, I had this at the end of my smb.conf file, but once I added the final veto files = option below at the bottom, I was disappointed things didn't work as expected.

[global]
  veto files = /Thumbs.db/
  veto files = /.DS_Store/
  veto files = /.TemporaryItems/
  veto files = /Network Trash Folder/

It seems I was incorrectly adding the files and directories in my smb.conf file. That last line refers to a directory that has a space in the middle. When I did a

sudo serveradmin stop smb; sudo serveradmin start smb

they still were there, staring out at me. (By the way, I'm not confident in the smbcontrol reload-config command, since smbd is controlled by launchd on a Mac. I just do a quick serveradmin command.)

NB: The slashes have nothing to do with the filename or with a path. See this entry in the SMB book from O'Reilly. They're there just so smbd properly parses where an entry starts and ends. But it's the space that tripped things up.

So it seems what I needed to do was to group all the files and directories into one line, like what's below.

  veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Folder/

That was the trick. I'm not sure why, because seemingly the individual entries should work just as well as the string of filenames. Those Mac filenames are now hidden from my Windows users.
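The behaviour above follows from how smb.conf is read: a parameter repeated inside one section keeps only its last value, so four separate veto files lines leave only /Network Trash Folder/ in effect, while the single line holds every entry, spaces included. The following added example (mine, not the post's and not Samba's own parser) models that rule on the two constructed fragments from the post; case handling is simplified to an exact match.

```python
import fnmatch
import re

# Constructed smb.conf fragments modelled on the post. A parameter assigned more
# than once in the same section keeps only the LAST value, which is why the four
# separate "veto files =" lines hid only "Network Trash Folder".
SEPARATE_LINES = """
[global]
  veto files = /Thumbs.db/
  veto files = /.DS_Store/
  veto files = /.TemporaryItems/
  veto files = /Network Trash Folder/
"""
ONE_LINE = """
[global]
  veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Folder/
"""

def parse_section(conf, section="global"):
    """Minimal smb.conf reader: {parameter: value} for one section, last assignment wins."""
    params, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank lines and comments
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if current == section and "=" in line:
            key, _, value = line.partition("=")
            # Samba ignores case and internal whitespace in parameter names
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def veto_entries(value):
    """Split a veto/hide files value on '/', Samba's entry delimiter; spaces inside an entry are ordinary characters."""
    return [entry for entry in value.split("/") if entry]

def is_vetoed(name, conf):
    """Would smbd hide this basename under the effective veto files list? Entries may use * and ? wildcards."""
    patterns = veto_entries(parse_section(conf).get("veto files", ""))
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns)
```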

October 16, 2009

Removing ADS for Samba Users

Occasionally, I get a call that my Windows users connected to my Samba server on Mac OS X Server 10.5 can't manipulate a file. They get various errors when trying to open or download the file. The problem seems to be random but consistent; some files show problems, others are fine — even in the same directory.

Consider whether the problem is related to Windows NTFS alternate data streams (ADS). (See also the Wikipedia article.) You can see whether this is the case using the Terminal.

[root@hsd-data-server 10:48:10 /Files/Annoyances]# ls -l@
total 184
-rw-r--r--@ 1 bobjones finances 26112 Sep 21 09:13 FY_10_budget.xls  
:ZONE.IDENTIFIER:$DATA 26
-rw-r--r--@ 1 janedoe finances 62464 Sep 21 09:13 FY_11_budget.xls  
:ZONE.IDENTIFIER:$DATA 26

The extended attribute is the :ZONE.IDENTIFIER:$DATA part and needs to be whacked off. It's expendable. One way to remove it uses the xattr command. (Note that you'll need to escape the dollar sign.)

xattr -d :ZONE.IDENTIFIER:\$DATA senate.xls

There are (at least) two additional ways to handle these.

Continue reading "Removing ADS for Samba Users" »

October 1, 2009

Directory Services, OpenLDAP and DNS pools

Like many universities, we use OpenLDAP for our central directory system. As you might guess, the hostname for this system is ldap.stanford.edu. This is actually a DNS pool, though. There are multiple machines offering the same service. There's ldap1.stanford.edu, ldap2.stanford.edu, ldap3 and so on.

When I configure a Mac to use an external directory system, it's usually our OpenLDAP directory. Using Directory Access.app in the Utilities folder (or the command line equivalent, dsconfigldap), I usually enter that hostname, ldap.stanford.edu. However, there are limitations to this.

At some point during configuration, the Mac connects to the DNS pool, gets sorted to one of the physical machines, does a forward name resolution, then uses that numerical IP address for subsequent connections.

Here's the rub: if the IP address of that specific host changes, things break.

Continue reading "Directory Services, OpenLDAP and DNS pools" »

September 17, 2009

Getting LDAP entries to work in 10.6 Address Book.app

Special thanks to Florian Schoppmann for bringing this issue to the community's attention. I'm extracting the steps to get Address Book and Mail to read from the Stanford LDAP directory. General instructions for setup can be found here:

http://www.stanford.edu/services/email/config/osx5mail/ldap/index.html

Since Address Book in 10.6 does not allow for self-signed certificates, you will need to take the following steps to get it working:

1. Retrieve the certificate by going to Terminal and typing:
openssl s_client -connect mothra.win.stanford.edu:636

2. Copy everything in between

"-----BEGIN CERTIFICATE-----"

and

"-----END CERTIFICATE-----" (including these lines)

to a new file with suffix .pem

3. Double-click the file you just saved (.pem) to open it in Keychain Access.

4. Double-click the new certificate, click the 'Trust' disclosure triangle and set "When using this Certificate:" to "Always trust".

As Florian says, Voilà!
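Setting "Always trust" on whatever s_client happened to return is trust-on-first-use: anyone able to interpose on that one connection could hand you their certificate instead. The added example below (mine, not part of the post) does step 2 by program and computes the certificate's fingerprint so it can be checked against a value obtained out of band before the .pem is trusted. The s_client output and the base64 body are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for `openssl s_client -connect mothra.win.stanford.edu:636`
# output. FAKE_DER is a labelled placeholder, NOT a real X.509 certificate.
FAKE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = mothra.win.stanford.edu\n"
    "verify error:num=18:self signed certificate\n"
    "---\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode() + "\n"
    "-----END CERTIFICATE-----\n"
    "---\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.DOTALL
)

def extract_pem_blocks(s_client_output):
    """Step 2 of the post: every certificate block, BEGIN/END lines included."""
    return [
        "-----BEGIN CERTIFICATE-----\n" + m.group(1) + "\n-----END CERTIFICATE-----"
        for m in PEM_BLOCK.finditer(s_client_output)
    ]

def pem_to_der(pem):
    """Strip the armour lines and base64-decode the body to the DER bytes fingerprints are taken over."""
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)

def fingerprint(pem, algorithm="sha256"):
    """Colon-separated uppercase hex digest of the DER, the form an administrator publishes."""
    hexdigest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def matches_published(pem, published):
    """True only if the fetched certificate carries the fingerprint obtained out of band (colons and case ignored)."""
    normalise = lambda s: s.replace(":", "").upper()
    return normalise(fingerprint(pem)) == normalise(published)

# Fingerprint of the constructed sample, for comparison in the test below.
SAMPLE_FINGERPRINT = fingerprint(extract_pem_blocks(SAMPLE_S_CLIENT_OUTPUT)[0])
```

Only when matches_published returns True should the block be written to a .pem file and imported into Keychain Access as in steps 3 and 4.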

August 27, 2009

Configuring the built-in Cisco IPSec VPN client in Snow Leopard and iPhone

Here's how to configure Snow Leopard (and iPhone) to use an enterprise Cisco VPN concentrator (which is what you connect to from the internet when you want to virtually join a company or school's LAN).

Open System Preferences --> Network --> click the plus sign (Create a new service). On the iPhone, choose Settings --> General --> Network --> VPN --> Add VPN Configuration. On the Mac, choose VPN as the interface. Choose Cisco IPSec as the VPN type, and supply a service name as a description (an arbitrary name for the connection, whatever makes sense to you).

The rest of the necessary information is supplied by you eyeballing a configuration file (or profile file) used by the typical Cisco VPN client. These files have a .pcf extension and they're usually distributed by an organization as part of the Cisco VPN client installer, usually in a folder called Profiles, but sometimes they are distributed just by themselves for users of other Cisco-compatible VPN clients.

If the .pcf has already been installed on your Mac, you can find the containing directory here: /private/etc/opt/cisco-vpnclient/Profiles/ — which you can see in the Finder by selecting Go --> Go to Folder... ---> and entering that full path above.

Not all the values in the Mac or iPhone configuration windows are used. Certificates, for example, are not common and can be left off or blank. Passwords need not be entered and saved; instead, they can be entered whenever a connection is made.

Open the .pcf file using any text editor. You will see rows of options and values — these are what you will enter in the Mac or iPhone network preferences. For example, to enter your organization's server address, use the corresponding Host value in the .pcf file.

Back at the System Preferences --> Network --> VPN option, there's the Authentication Settings button. Here, you need two important settings: the Group Name and the Shared Secret. The former is found in the configuration file under the GroupName line. The final field that's necessary to make the VPN connection is something called the "Shared Secret" (it is also sometimes called the Group Password).

Cisco VPN clients use two factors for authentication to connect users to your LAN (called SUNet here at Stanford). One is very weak, and that's the Shared Secret. The other is strong: your own username and password.

In the .pcf file, you will see this as the value associated with enc_GroupPwd line. You'll notice it looks like an encrypted string, a bunch of letters and numbers. Because it's encrypted, you cannot cut-and-paste this string into the System Preference field.

I can't tell you what that string is or what it decrypts to, but it's simple enough to use a search engine like Google to find a website that decrypts Cisco group passwords. You enter the long string, click a button and it spits out the passphrase. It's that passphrase that you enter in the Mac or iPhone's Shared Secret field.

What will this Shared Secret get you? Remember, it's only one of two factors necessary to connect. The other, of course, is your username and password. That should never be disclosed, shared or mismanaged.

July 10, 2009

AFP stops logging after indicated period

There's a bug with the Mac OS X Server 10.5.7 Apple Filing Protocol (AFP or "Mac filesharing") process where (perhaps under certain conditions) it stops logging at the end of the log-rotation period specified in /Library/Preferences/com.apple.AppleFileServer.plist (which is typically edited via the Server Admin.app tool) and fails to resume.

This bug appears to persist in Mac OS X Server 10.5.8.

For example, if you set AFP to rotate logs every 14 days, the system should compress and roll over logs located in /Library/Logs/AppleFileService every other week. However, that appears not to happen. It will begin to log again after the AFP service is restarted, though that's a drastic action.

I presume that /usr/sbin/AppleFileServer handles its own logs, rather than /usr/sbin/newsyslog, which deftly takes care of old-school logs like ftp.log, system.log and ipfw.log. It's initiated every midnight by the launchd item /System/Library/LaunchDaemons/com.apple.newsyslog.plist. (It's worth noting that this is not the same as asl, or Apple System Log.)

Anyway, here are three workaround ideas to consider (certainly there are more).

Continue reading "AFP stops logging after indicated period" »

June 5, 2009

Server Monitor.app stupidity

This confounded me until I sorted it out. Once I had, it made sense, but it doesn't help that, in this case, the user interface is unhelpful and unintuitive, and the behavior is different than other configurations for similar machines. (Note: I haven't checked whether this is the case pre-Mac OS X Server 10.5.7 Update or pre-Server Admin Tools 10.5.7.)

On this Xserve (Late 2006), Server Monitor.app on the local machine has the LOM feature configured for Network 1 (which corresponds to en0 aka the port labeled Ethernet 1 on the machine and by default the Network preference pane). This LOM interface has its own MAC address distinct from the physical port. I've registered this address for convenience's sake.

To configure this server for monitoring, launch Server Monitor --> Server --> Configure Local Machine. Give it an IP (again, distinct from the physical Ethernet ports), give it a username and password. This is the only step that's the same on this and the Xserve (Early 2008) model.

Continue reading "Server Monitor.app stupidity" »

April 29, 2009

CrashPlan Pro Server restore metrics, estimates

Updated May 05, 2009: Additional information, clarifications and corrections have been added inline. After the publication of this blog post, I discussed an unrelated experience with the CrashPlan Technical Support team. They provided the information I've added here; this update concerns changes in product naming, decryption, decompression and a partial explanation for slow restore times.

One particular note about product offering and features: There is a consumer and business product, and within the consumer release, there are different versions. To help compare the consumer version, visit this web page. This article talks about CrashPlan Pro, which is the enterprise solution.

I've deployed CrashPlan Pro Server (CPPS) as a backup solution for a department here at Stanford. They use it for both their desktops and servers. As is best practice, I performed a dry-run restoration of their files kept on network-attached storage. I used the performance metrics to make a back-of-the-envelope guess at how this would compare if we used our direct-attached FireWire 800 device as the backup repository.

Continue reading "CrashPlan Pro Server restore metrics, estimates" »

April 16, 2009

Scary Excel "Share Workbook" feature behavior

Update: Apple Enterprise Support suggested a modification to the /etc/smb.conf file that seems to have addressed this problem. Citing this entry in the Samba man page, the suggestion is to append "nt acl support = no" at the very end of this conf file. Ours now looks like this:

; Site-specific parameters can be added below this comment.   
; END required configuration.

[global]
   use kerberos keytab = yes
   realm = stanford.edu
   veto files = /Thumbs.db/
   veto files = /.DS_Store/
   veto files = /.TemporaryItems/
   log level = 1
   nt acl support = no

You can also find more information by reading the authoritative Samba3-HOWTO.pdf and review sections 16.4, 16.5.3-5 and 43.5 as they pertain to this configuration option.


Original posting:

Here's something I've been chewing on that's alarming. There seems to be an exceptional issue with Microsoft Excel's "Share Workbook" feature while serving a spreadsheet on a Mac OS X Server via both AFP and CIFS.

In short, if a couple of users collaborate simultaneously on a spreadsheet, it will radically (and dangerously) alter your ACLs and POSIX-style permissions, irrespective of the parent folder's settings.

Here's how to reproduce this. Much of this is arbitrary for the sake of illustration, but it should be reproducible with other variables.

Continue reading "Scary Excel "Share Workbook" feature behavior" »

This weblog is licensed under a Creative Commons License.
