Mac OS X SIG

syntax differences between autofs and mount_smbfs

Tue, 29 Mar 2011 11:59:30 -0800

If you are trying to establish static CIFS (aka SMB) mounts on your Mac, here are a couple hints that might save some time and effort.

If you need to specify the domain (say, if you are using Active Directory credentials), you need to escape the semicolon that divides the domain and the username. So if your map file is /etc/auto_smb, then you could use something like this example.

	localmountpoint   -fstype=smbfs  ://DOMAIN\;username:password@nas.stanford.edu/sharepoint\$    

You also need to escape the dollar sign if have such a character on your remote server's sharepoint (plus any funky characters in your password). Thanks Adam! If you do not, you'll get errors like

		/sbin/mount_smbfs[2017] : smb_mount: mount failed to nas.stanford.edu/sharepoint : syserr = No such file or directory    

and the icon in the Mac's Finder will be a broken alias. Note that you may need to enable verbose logging (which isn't terribly verbose) in /etc/autofs.conf file to get these messages in your system.log file.

If you're using mount_smbfs (or mount -t smbfs) via command line, on the other hand, it's unnecessary to escape the trailing $, but acceptable.

It would seem that your autofs map file could have the username, domain and password configured on a different file, as measure of security. This is normally done like this:

	localmountpoint   -fstype=smbfs,credentials=/path/to/file  ://nas.stanford.edu/sharepoint\$    

But that will result in an error message, like

com.apple.automountd[341]: mount_smbfs: -o credentials: option not supported

...so it's important to safeguard the map file if you're going to expose the credentials in plain text (chown root:wheel and chmod to 600).

In the man page for mount_smbfs, the wording suggests we could use the -N flag to bypass a password prompt and instead have mount_smbfs consult /etc/nsmb.conf. It says, "

	Do not ask for a password. At run time, mount_smbfs reads the ~/Library/Preferences/nsmb.conf file for additional configuration parameters and a password. If no password is found, mount_smbfs prompts for it."    

However, the man page for nsmb.conf gives no indication that the password could be a valid key.

kickstart vs serveradmin for ARD ON/OFF

Fri, 03 Dec 2010 11:25:43 -0800

I've always used the kickstart command to manage ARD. But little did I know that it can be managed using serveradmin too.

/usr/sbin/serveradmin settings info:enableARD = yes

...does the trick too!

Flipped mouse buttons, plist and MS Remote Desktop Connection

Thu, 02 Dec 2010 11:37:44 -0800

For a while, I used a mouse with my laptop. Because I was dealing with some wrists issues, I had the buttons flipped so that the main clicking button was on the right side, and the "right click" button was actually on the left side. Over time, I lost the mouse and resumed using the trackpad.

What drove me nuts, however, was how my Microsoft Remote Desktop Connection connections still were programmed with the flipped buttons. Even though my trackpad on my Mac was now set back to the default arrangement, whenever I connected to a Windows machine, my buttons continued to be flipped. And since I connected to these particular Windows servers from different Macs, I had to keep flipping the right/left preference in Windows each time changed Macs.

Unfortunately, there's no evident way to reset your mouse button settings on a Mac laptop via the normal PreferencePane in System Preferences if you don't actually have a mouse attached. No mouse, no GUI.

I searched high and low for where that setting is kept so that I could reverse it, so my RDC connections would also be returned to normal too. For your information, the right/left mouse button configuration is configured in ~/Library/Preferences/ByHost/.GlobalPreferences.[yourMACaddress].plist. That's a hidden, binary-encoded plist that's unique to your Mac hardware, in your home folder.

To edit this file, you will need to convert it to XML using the plutil terminal command, then modify the structure using your favorite text editor. You could also just delete it and a new, default one will be created, but this is a big plist with lots of discrete preference settings. Or, you could use the Property List Editor.app included with Xcode. TextMate will also allow you to convert and edit the file accordingly.

diskutil command line secureErase options

Tue, 16 Nov 2010 13:03:48 -0800

When I need to decommission a hard drive, it's necessary for me to to securely wipe the data prior to disposal. Stanford's data wiping policy is publicly accessible from the internet (though woefully out of date with the product recommendations—Mac OS 8 anyone?). It's usually not enough just to delete the files using the Finder or the rm command, since that action merely hides your files and makes their blocks eligible for possible future write-overs. Inexpensive file recovery software can usually return data when you simply delete files this way, to say nothing of real forensics software.

Retrieving the password for Server Admin-generated Keys

Mon, 23 Aug 2010 15:34:16 -0800

With Mac OS X Server, you can use Server Admin and the Certificate Assistant tools to create your private key for your server. In fact, when you start the server up, out of the box, one has already been created for you. You can use this key to create a certificate signing request (CSR) to send to your certificate authority (CA) to sign. If you do this, you will get a spiffy signed cert back, appropriate for securing your web server, chat server or a variety of other uses.

If you try to use this cert with your own version of Apache, however, you will encounter the default situation where httpd will ask for the password of that .crt file during the startup procedure.

Many admins choose to delete the password from this certificate to eliminate administrator intervention when restarting the service. The usual way this is done is to run the command openssl rsa -in /path/to/mycert.crt -out /output/path/ofmyclean.crt. To run this command, you need to know the original password.

Intuitively, you might think that the password MOSXS uses to create this private key (and thus used to create the signed cert) would be the initial root password, or maybe the first eight characters of the serial number. Instead, it's a randomly generated password created by the system.

You can retrieve this password using the Keychain Access application. Search for the "Mac OS X Server certificate management" object of the type "application password". Double-click to examine this object and to reveal the password used by the system.

With this information, you can proceed with the openssl command to delete the password from your signed certificate. Note that you needn't have to worry about this if you're using the built-in Mac OS X services, since those programs will automatically consult the Keychain to get the password for the .crt file when starting up.

Binding your 10.6 Mac to the Campus OpenLDAP directory

Mon, 23 Aug 2010 11:36:08 -0800

These instructions are Snow Leopard-specific. First, download the Stanford Directory Utility Template installer. It will install a property list file into your home directory, which will make configuring your Mac to use the campus OpenLDAP directory system even easier than before. This template holds the record and attribute matching information, so you don't need to edit much.

Next, launch Directory Utility. It's located in /System/Library/CoreServices folder. Edit the LDAPv3 service to add a new directory system. For the server name, enter ldap.stanford.edu in the field. The program will query the campus OpenLDAP directory, then ask you to choose a template for LDAP mapping. Since you just installed the Stanford LDAP template, choose that from the pull-down menu. Enter cn=accounts,dc=stanford,dc=edu for the searchbase.

You can configure other options as you see fit. You should also install the Kerberos Configuration Utility from the Essential Stanford Software site.

Chassis lock on Xserve prevents bootup

Tue, 23 Feb 2010 10:15:06 -0800

I'm sure there are parameters here that I'm not acknowledging, but this is something that justifies jotting down for posterity. One of the Xserves I manage (Early 2009) has a quad fibre card with connections to two fibre different switches (an Emulex and Qlogic SanBox). If the server's chassis is locked (as if to prevent accidental ejection of the internal hard drives), bootup is prevented; all I get is a blinking folder on the screen. Unlock the chassis and the machine boots normally. In my experience, it doesn't seem to matter how the server was shutdown or started up, via LOM or at the console. Though this behavior seems reasonable, it's still undesirable. After all, what's the point of remote lights-out reboots if you can't reboot, even when your machine is configured properly. Oftentimes, chassis are locked to prevent accidents, which increase in likelihood when a server is in a high traffic area. I suggest the desired behavior should be is for the system to note its state prior to the shutdown, and permit booting only when that state is maintained.

Level II Oplocks and Snow Leopard Server Samba

Tue, 26 Jan 2010 11:28:56 -0800

If you do a testparm on your /etc/smb.conf file on Mac OS X Server 10.6, there's a good chance you'll see this message:

Level II oplocks can only be set if oplocks are also set.

You can read about "level2" or "level 2" opportunistic locking here in the official Samba HOWTO document (though it's written for v3.2 and Apple ships 3.0, I find it's almost entirely compatible and, in the least, quite informative). Here is what the document says,

Level2 Oplocks provides opportunistic locking for a file that will be treated as read only. Typically this is used on files that are read-only or on files that the client has no initial intention to write to at time of opening the file.

Level 2 oplocks appear to be something set to "true" or "on" by default. While Server Admin allows for enabling (plain old) oplocks and strict oplocks, there's no interface for setting level 2 oplocks off. But as the message indicates, it's effectively disabled without enabling locking in the first place.

If you do enable oplocks via Server Admin, and find the need to not have level 2 oplocks enabled too (for some odd reason — perhaps you're neurotically conscientious of your testparm output) you will need to specify this option explicitly on the share realm, not the global realm.

Hand-edit your /etc/smb.conf file, following the convention indicated by Apple (that is, make your changes at the bottom of the conf file, using [My Sharepoint] instead of [global], setting

level2 oplocks = no [or false, if you prefer]

For example,

			; Site-specific parameters can be added below this comment.

			; END required configuration.

			[global]

			    realm = stanford.edu

			    acl check permissions = no

			    nt acl support = no 

			    veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Folder/        
	
			[Projects]

			    path = /Shares/Projects     

			    acl check permissions = no 

			    nt acl support = no

			    level2 oplocks = no

Remember that Apple recommends using oplocks only on shares accessed via SMB only.

Snow Leopard's Samba adds unwanted directives to shares

Thu, 14 Jan 2010 14:53:18 -0800

Update: Be sure to add the path of the share in your 10.6 edits suggested below.

There's an important behavioral difference between the version of Samba in Mac OS X Server 10.5 (Version 3.0.25b-apple) Snow Leopard's (Version 3.0.28a-apple) in the way it handles processing the /etc/smb.conf file and manages shares.

With 10.5 you could edit your /etc/smb.conf file include at least two directives in your custom [global] parameter set "acl check permissions = no" and "nt acl support = no" to address issues with locking and access. In some environments, these are very important to have, especially some Office documents and Windows XP clients.

With 10.6 however it appears you can't entirely rely on including these in your custom [global] section any longer, as recommended by Apple. You may need to append a share-specific parameter set with these two directives instead.

For example, at the end of /etc/smb.conf file:

	; Site-specific parameters can be added below this comment.

	; END required configuration.
	
	[global]

	    veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Folder/    

	[Test Share]

	    path = /Shares/Test Share

	    acl check permissions = no

	    nt acl support = no

I have a few ideas about what the problem might be.

ACLs not being properly honored in Samba with XP clients

Thu, 07 Jan 2010 10:18:01 -0800

NB: Snow Leopard Server (10.6) handles directives on shares differently than with Leopard Server. Please also read this article if you are using Mac OS X Server 10.6 and Samba for new information on how to address the issues below.

Back in January 2008, I began to notice troublesome behavior with Windows clients connecting to my Mac OS X Server 10.5 fileserver. When some Windows clients, particularly Windows XP users, try to connect to a share, they can create a folder but can't change the name of the folder from "New Folder". Also, they can drop a file on the share, but not change that name, either. This always happened when activity was performed at the root level of the network share, while subfolders behaved as expected. If the network share had 777 (rwxrwxrwx) at the root level, all worked well, which indicated a permissions issue, not so much a communication issue. BUt it's the ACLs that caused grief. I posted this to the Mac OS X Server list hosted by Apple.

Extended attributes, Office 2007 clients via SMB from Xsan

Wed, 16 Dec 2009 23:51:51 -0800

We recently deployed Mac OS X 10.6.2 Server, sharing files on an Xsan volume via Samba to Windows users with Office 2007. When these PC users try to download or open the file, however, they got this warning, "Error Copying File or Folder. Cannot copy FILENAME: Cannot find the specified file. Make sure you specify the correct path and file name."

Some forums suggested adding two parameters at the very end of your /etc/smb.conf file:

[global]
ea support = yes
stream support = no

I've edited this entry to reflect some changes in late 10.6 Samba releases. Further, with the right smb.conf configuration, the changes below to various EAs don't need to be made.

We I noticed that I could download the .doc files to my Mac via AFP, make a neglible modification and save the file, then upload it back to the SAN, my Windows colleagues could then view the file. When I did an ls -l@ on the file, I could see that this process added the com.apple.ResourceFork extended attribute. At this point, the modified Office files could be opened by my PC friends.

So, ironically, rather than deleting the EAs, I needed to apply this EA to the right files. It's probably OK to write this EA on each file and directory, but that's a little heavy handed. So instead, I executed this command:

find /Shares/Docs -name "*.doc" -print0 | xargs -0 sudo xattr -w com.apple.ResourceFork  

This will find the files with the .doc extension in my /Shares/Docs, add the extended attribute, and make everyone happy.

If you want to make it more thorough, you could try:

find . \( -name "*.doc" -or -name "*.docx" -or -name "*.xls" -or -name "*.xlsx" -or -name "*.ppt" -or -name "*.pptx" \) -print0 | xargs -0 xattr -w com.apple.ResourceFork   

One possible issue, though, is that if you apply this command too high up the hierarchy, it seems to make a problem. You might get this error: unable to execute /usr/bin/xattr: Argument list too long

You may wish to recursively apply this further down the directory tree.

Build WebAuth with Mac OS X Server 10.6 (Snow Leopard)

Thu, 12 Nov 2009 21:44:32 -0800

WebAuth (cf developer link) can be built cleanly on Mac OS X Server 10.6 with no additional flags or configuration edits. Just ./configure, make and sudo make install. Because of the changes in Snow Leopard server, you can now use WebAuth while continuing to use Apple's Server Admin.app tool to manage your web server.

This is different than with Mac OS X 10.5, which has an httpd built with 64- and 32-bit PowerPC and x86 architectures. WebAuth, like many other Apache modules, did not build properly, since each module needed to be of four architectures, too. (Instructions for Leopard Server are here. For instructions on installing WebAuth on other Unix-like operating systems, see here.)

Here's a list of things that are, I think, unique to the process of installing and using WebAuth on Mac OS X Server 10.6, after the jump.

Hiding directories containing spaces in Samba

Tue, 20 Oct 2009 16:27:38 -0800

When configuring Samba 3 to hide Mac-specific directories from Windows users, I typically edit /etc/smb.conf on my Mac OS X Server, using either veto files = hide files = This worked fine — until it didn't. Seems I wasn't doing it properly. There's a lot of (typically legacy) HFS detritus sprinkled around on a Mac server. When both AFP and SMB are enable, Windows users see these bits and pieces, much to their confusion. (These files and directories are invisible to Macs.) Originally, I had this at the end of my smb.conf file, but once I added the final veto files = option below at the bottom, I was disappointed things didn't work as expected.

[global]
  veto files = /Thumbs.db/
  veto files = /.DS_Store/
  veto files = /.TemporaryItems/
  veto files = /Network Trash Folder/

It seems I was incorrectly adding the files and directories in my smb.conf file. That last line refers to a directory that has a space in the middle. When I did a

sudo serveradmin stop smb; serveradmin start smb

they still were there, staring out at me. (By the way, I'm not confident in the smbcontrol reload-config command, since smbd is controlled by launchd on a Mac. I just do a quick severadmin command.) NB: The slashes have nothing to do with the filename or with a path. See this entry in the SMB book from O'reilly. They're there just so smbd properly parses out when an entry starts and ends. But it's the space that tripped things up.
So it seems what I needed to do was to group all the files and directories into one line, like what's below.

  veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Folder/  

That was the trick. I'm not sure why, because seemingly the individual entries should work just as well as the string of filenames. Now those Mac filenames are now hidden from my Windows users.

Removing ADS for Samba Users

Fri, 16 Oct 2009 11:02:14 -0800

Occasionally, I get a call that my Windows users connected to my Samba server on Mac OS X Server 10.5 can't manipulate a file. They get various errors when trying to open or download the file. The problem seems to be random but consistent; some files show problems, others are fine — even in the same directory. Consider whether the problem is related to Windows NTFS alternate data streams (ADS). (See also the Wikipedia article.) You can see whether this is the case using the Terminal.

[root@hsd-data-server 10:48:10 /Files/Annoyances]# ls -l@
total 184
-rw-r--r--@ 1 bobjones  finances  26112 Sep 21 09:13 FY_10_budget.xls  
 :ZONE.IDENTIFIER:$DATA	   26 
-rw-r--r--@ 1 janedoe  finances  62464 Sep 21 09:13 FY_11_budget.xls  
 :ZONE.IDENTIFIER:$DATA	   26 

The extended attribute is the :ZONE.IDENTIFIER:$DATA part and needs to be whacked off. It's expendable. One command uses the xattr command. (Note that you'll need to escape the dollar sign.)

xattr -d :ZONE.IDENTIFIER:\$DATA senate.xls

There are (at least) two additional ways to handle these.

Directory Services, OpenLDAP and DNS pools

Thu, 01 Oct 2009 15:50:22 -0800

Like many universities, we use OpenLDAP for our central directory system. As you might guess, the hostname for this system is ldap.stanford.edu. This is actually a DNS pool, though. There are multiple machines offering the same service. There's ldap1.stanford.edu, ldap2.stanford.edu, ldap3 and so on. When I configure a Mac to use an external directory system, it's usually our OpenLDAP directory. Using Directory Access.app in the Utilities folder (or the command line equivalent, dsconfigldap), I usually enter that hostname, ldap.stanford.edu. However, there are limitations to this. At some point during configuration, the Mac connects to the DNS pool, gets sorted to one of the physical machines, does a forward name resolution, then uses that numerical IP address for subsequent connections. Here's the rub: if the IP address of that specific host changes, things break.