Mac OS X SIG

Build WebAuth with Mac OS X Server 10.6 (Snow Leopard)

Thu, 12 Nov 2009 21:44:32 -0800

WebAuth (cf developer link) can be built cleanly on Mac OS X Server 10.6 with no additional flags or configuration edits. Just ./configure, make and sudo make install. Because of the changes in Snow Leopard server, you can now use WebAuth while continuing to use Apple's Server Admin.app tool to manage your web server.

This is different than with Mac OS X 10.5, which has an httpd built with 64- and 32-bit PowerPC and x86 architectures. WebAuth, like many other Apache modules, did not build properly, since each module needed to be of four architectures, too. (Instructions for Leopard Server are here. For instructions on installing WebAuth on other Unix-like operating systems, see here.)

Here's a list of things that are, I think, unique to the process of installing and using WebAuth on Mac OS X Server 10.6, after the jump.

Hiding directories containing spaces in Samba

Tue, 20 Oct 2009 16:27:38 -0800

When configuring Samba 3 to hide Mac-specific directories from Windows users, I typically edit /etc/smb.conf on my Mac OS X Server, using either veto files = hide files = This worked fine — until it didn't. Seems I wasn't doing it properly. There's a lot of (typically legacy) HFS detritus sprinkled around on a Mac server. When both AFP and SMB are enable, Windows users see these bits and pieces, much to their confusion. (These files and directories are invisible to Macs.) Originally, I had this at the end of my smb.conf file, but once I added the final veto files = option below at the bottom, I was disappointed things didn't work as expected.

[global]
  veto files = /Thumbs.db/
  veto files = /.DS_Store/
  veto files = /.TemporaryItems/
  veto files = /Network Trash Folder/

It seems I was incorrectly adding the files and directories in my smb.conf file. That last line refers to a directory that has a space in the middle. When I did a

sudo serveradmin stop smb; serveradmin start smb

they still were there, staring out at me. (By the way, I'm not confident in the smbcontrol reload-config command, since smbd is controlled by launchd on a Mac. I just do a quick severadmin command.) NB: The slashes have nothing to do with the filename or with a path. See this entry in the SMB book from O'reilly. They're there just so smbd properly parses out when an entry starts and ends. But it's the space that tripped things up.
So it seems what I needed to do was to group all the files and directories into one line, like what's below.

  veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Folder/  

That was the trick. I'm not sure why, because seemingly the individual entries should work just as well as the string of filenames. Now those Mac filenames are now hidden from my Windows users.

Removing ADS for Samba Users

Fri, 16 Oct 2009 11:02:14 -0800

Occasionally, I get a call that my Windows users connected to my Samba server on Mac OS X Server 10.5 can't manipulate a file. They get various errors when trying to open or download the file. The problem seems to be random but consistent; some files show problems, others are fine — even in the same directory. Consider whether the problem is related to Windows NTFS alternate data streams (ADS). (See also the Wikipedia article.) You can see whether this is the case using the Terminal.

[root@hsd-data-server 10:48:10 /Files/Annoyances]# ls -l@
total 184
-rw-r--r--@ 1 bobjones  finances  26112 Sep 21 09:13 FY_10_budget.xls  
 :ZONE.IDENTIFIER:$DATA	   26 
-rw-r--r--@ 1 janedoe  finances  62464 Sep 21 09:13 FY_11_budget.xls  
 :ZONE.IDENTIFIER:$DATA	   26 

The extended attribute is the :ZONE.IDENTIFIER:$DATA part and needs to be whacked off. It's expendable. One command uses the xattr command. (Note that you'll need to escape the dollar sign.)

xattr -d :ZONE.IDENTIFIER:\$DATA senate.xls

There are (at least) two additional ways to handle these.

Directory Services, OpenLDAP and DNS pools

Thu, 01 Oct 2009 15:50:22 -0800

Like many universities, we use OpenLDAP for our central directory system. As you might guess, the hostname for this system is ldap.stanford.edu. This is actually a DNS pool, though. There are multiple machines offering the same service. There's ldap1.stanford.edu, ldap2.stanford.edu, ldap3 and so on. When I configure a Mac to use an external directory system, it's usually our OpenLDAP directory. Using Directory Access.app in the Utilities folder (or the command line equivalent, dsconfigldap), I usually enter that hostname, ldap.stanford.edu. However, there are limitations to this. At some point during configuration, the Mac connects to the DNS pool, gets sorted to one of the physical machines, does a forward name resolution, then uses that numerical IP address for subsequent connections. Here's the rub: if the IP address of that specific host changes, things break.

Getting LDAP entries to work in 10.6 Address Book.app

Thu, 17 Sep 2009 11:44:12 -0800

Special thanks to Florian Schoppmann for bringing this issue to the community's attention. I'm extracting the steps to get Address Book and Mail to read from the Stanford LDAP directory. General instructions for setup can be found here: http://www.stanford.edu/services/email/config/osx5mail/ldap/index.html Since Address Book in 10.6 does not allow for self-signed certificates, you will need to take the following steps to get it working: 1. Retrieve the certificate by going to Terminal and typing: openssl s_client -connect mothra.win.stanford.edu:636 2. Copy everything in between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" (including these lines) to a new file with suffix .pem 3. double click on the file you just saved (.pem) to open it in Keychain Access 4. double click on the new certificate, click on the 'Trust' disclosure triangle and set "When using this Certificate:" to "Always trust". As Florian says, Voilà!

Configuring the built-in Cisco IPSec VPN client in Snow Leopard and iPhone

Thu, 27 Aug 2009 10:53:35 -0800

Here's how to configure Snow Leopard (and iPhone) to use an enterprise Cisco VPN concentrator (which is what you connect to from internet when you want to virtually join a company or school's LAN). Open System Preferences --> Network --> click the plus sign (Create a new service). On the iPhone, choose Settings --> General --> Network --> VPN --> Add VPN Configuration. On the Mac, chose VPN as the interface. Choose Cisco IPSec as the VPN type, and supply a service name as a description (an arbitrary name for the connection, whatever makes sense to you). The rest of the necessary information is supplied by you eyeballing a configuration file (or profile file) used by the typical Cisco VPN client. These files have a .pcf extension and they're usually distributed by an organization as part of the Cisco VPN client installer, usually in a folder called Profiles, but sometimes they are distributed just by themselves for users of other Cisco-compatible VPN clients. If the .pcf has already been installed on your Mac, you can find the containing directory here: /private/etc/opt/cisco-vpnclient/Profiles/ — which you can see in the Finder by selecting Go --> Go to Folder... ---> and entering that full path above. Not all the values in the Mac or iPhone configuration windows are used. Certificates, for example, are not common and can be left off or blank. Passwords need not be entered and saved; instead, they can be entered whenever a connection is made. Open the .pcf file using any text editor. You will see rows of options and values — these are what you will enter in the Mac or iPhone network preferences. For example, to enter your organization's server address, use the corresponding Host value in the .pcf file. Back at the System Preferences --> Network --> VPN option, there's the Authentication Settings button. Here, you need two important settings: the Group Name and the Shared Secret. The former is found in the configuration file under the GroupName line. The final field that's necessary to make the VPN connection is something called the "Shared Secret" (it is also sometimes called the Group Password). Cisco VPN clients use two factors for authentication to connect users to your LAN (called SUNet here at Stanford). One is very weak, and that's the Shared Secret. The other is strong: your own username and password. In the .pcf file, you will see this as the value associated with enc_GroupPwd line. You'll notice it looks like an encrypted string, a bunch of letters and numbers. Because it's encrypted, you cannot cut-and-paste this string into the System Preference field. I can't tell you what that string is or what it decrypts to, but it's simple enough to use a search engine like Google to find a website that decrypts Cisco group passwords. You enter the long string, click a button and it spits out the passphrase. It's that passphrase that you enter in the Mac or iPhone's Shared Secret field. What will this Shared Secret get you? Remember, it's only one of two factors necessary to connect. The other, of course, is your username and password. That should never be disclosed, shared or mismanaged.

AFP stops logging after indicated period

Fri, 10 Jul 2009 10:02:00 -0800

There's a bug with the Mac OS X Server 10.5.7 Apple Filing Protocol (AFP or "Mac filesharing") process where (perhaps under certain conditions) it fails to restart logging after an arbitrary period of time as specified in /Library/Preferences/com.apple.AppleFileServer.plist (which is typically edited via the Server Admin.app tool).

This bug appears to persist in Mac OS X Server 10.5.8.

For example, if you set AFP to rotate logs every 14 days, the system should compress and roll over logs located in /Library/Logs/AppleFileService every-other week. However that appears not to happen. It will begin to log after the AFP service is restarted, though that's a drastic action. I presume that /usr/sbin/AppleFileServer handles it owns logs, rather than /usr/sbin/newsyslog, which deftly takes care of old-school logs like ftp.log, system.log and ipfw.log. It's initiated every midnight by the the launchd item /System/Library/LaunchDaemons/com.apple.newsyslog.plist. (It's worth noting that this is not the same as asl, or Apple System Log.) Anyway, here are three workaround ideas to consider (certainly there are more).

Server Monitor.app stupidity

Fri, 05 Jun 2009 10:56:36 -0800

This confounded me until it I sorted it out. Once done so, it made sense, but it doesn't help that, in this case, the user interface is unhelpful and unintuitive, and the behavior is different than other configurations for similar machines. (Note: I haven't regressively seen is this is the case pre-Mac OS X Server 10.5.7 Update or pre-Server Admin Tools 10.5.7.) On this Xserve (Late 2006), Server Monitor.app on the local machine has the LOM feature configured for Network 1 (which corresponds to en0 aka the port labeled Ethernet 1 on the machine and by default the Network preference pane). This LOM interface has its own MAC address distinct from the physical port. I've registered this address for convenience's sake. To configure this server for monitoring, launch Server Monitor --> Server --> Configure Local Machine. Give it an IP (again, distinct from the physical Ethernet ports), give it a username and password. This is the only step that's the same on this and the Xserve (Early 2008) model.

CrashPlan Pro Server restore metrics, estimates

Wed, 29 Apr 2009 16:46:15 -0800

Updated May 05, 2009 Additional information, clarifications and corrections have been added inline. After the publication of this blog post, I discussed an unrelated experience with the CrashPlan Technical Support team. They provided the information I've added here; this update concerns changes in product naming, decryption, decompression and a partial explanation for slow restore times. One particular note about product offering and features: There is a consumer and business product, and within the consumer release, there are different versions. To help compare the consumer version, visit this web page. This article talks about CrashPlan Pro, which is the enterprise solution.

I've deployed CrashPlan Pro Server (CPPS) as a backup solution for a department here at Stanford. They use it for both their desktops and servers. As is best practice, I performed a dry-run restoration of their files kept a network-attached storage. I used the performance metrics to make a back-of-the-envelope guess at how this would compare if we used our direct-attached FireWire 800 device as the backup repository.

Scary Excel "Share Workbook" feature behavior

Thu, 16 Apr 2009 20:37:44 -0800

Update: Apple Enterprise Support suggested a modification to the /etc/smb.conf file that seems to have addressed this problem. Citing this entry in the Samba man page the suggestion is to append "nt acl support = no" at the very end of this conf file. Ours now looks like this:

; Site-specific parameters can be added below this comment.   

; END required configuration.

[global]
   use kerberos keytab = yes
   realm = stanford.edu
   veto files = /Thumbs.db/
   veto files = /.DS_Store/
   veto files = /.TemporaryItems/
   log level = 1 
   nt acl support = no 

You can also find more information by reading the authoritative Samba3-HOWTO.pdf and review sections 16.4, 16.5.3-5 and 43.5 as they pertain to this configuration option. Original posting: Here's something I've been chewing on that's alarming. There seems to be an exceptional issue with Microsoft Excel's "Share Workbook" feature while serving a spreadsheet on a Mac OS X Server via both AFP and CIFS. In short, if a couple of users collaborate simultaneously on a spreadsheet, it will radically (and dangerously) alter your ACLs and POSIX-style permissions, irrespective of the parent folder's settings. Here's how to reproduce this. Much of this is arbitrary for the sake of illustration, but it should be reproducible with other variables.

ssh keys on Mac OS X Server: the fuller, longer, better instructions

Tue, 10 Mar 2009 13:13:25 -0800

Establishing password-less logins using public/private keys turned out to be a bigger pain in the butt than I had expected. There are a lot of resources on the web on how to do this, typically for BSD or Linux; and there are even scripts that purport to do this with assistance, but only the simple part. Whenever I do this, I have to pause and give this more thought that should be necessary, googlin' around for an answer to solve what I screwed up. The problems are, there are always other components at play which are Mac-specific, and the guides are usually generic or aimed at Linux, BSD or some other sort of unix-like operating system. Even Apple's own documentation (from the Developer Connection, no less) is a little scant or can be intimidating for green sysadmins. This blog post is very long because it's very detailed. It's not quite step-by-step, but it's close. A note: if there's an omission or an error in the instructions, and thousands of credit card numbers, Social Security numbers, cancer test results or SAT scores escape into the open, don't come knocking on my door.

Presentation: Stanford iPhone - iStanford

Thu, 19 Feb 2009 15:01:20 -0800

This is a presentation here on campus, Friday, February 20, 2:00-3:30 p.m. PRESENTERS: - Aaron Wasserman & Kayvon Beykpour, Terriblyclever.com - Wyn Davies, Apple DESCRIPTION: iStanford is a fully integrated suite of Stanford services exclusively for the iPhone and iPod Touch. The suite allows users to access Stanford's directory, campus maps, course bulletin, events calendar, and athletic news, schedules and scores. Since its release to the public, there has been nearly three times as many downloads of iStanford as there are registered iPhones on campus. On average, users spend around five minutes per session, and some of the most popular features include "Find Me" in Maps, and searching for a person in the directory.

FTP anonymous only, no account holders please

Thu, 20 Nov 2008 15:09:29 -0800

I had a client request an anonymous FTP service be configured on their Leopard server. I did this, but had a concern that users with accounts on the server might try to connect. This would be highly undesirable; FTP as we all know, is an insecure protocol. So how to allow anonymous access only, but deny account holders with valid credentials?

How to properly remove the Zimbra iSync Connector

Thu, 02 Oct 2008 09:18:43 -0800

This entry is about the Zimbra iSync Connector, which is used to synchronize data from an iSync-compatible device and a Mac (plus other data stores, such as the computers associated with one's MobileMe account). Instead of using the Zimbra iSync Connector, I had decided I wanted to use Zimbra's over-the-air notification system to keep my iPhone in sync. Since Zimbra and Apple have incorporated Microsoft's ActiveSync technology, I get email and calendar notifications, more-or-less instantly, without having to attach via USB; addresses are kept in sync this way, too. And since these two methods could compete against each other, I needed to remove the iSync Connector PreferencePane from my system. Normally, just dragging PreferencePanes to the trash would do the trick—but this wasn't effective. Looking at /var/log/system.log, I was seeing lots of these entries on my Mac Pro running Mac OS X 10.5.5:

Sep 30 13:21:30 beterouge ZimbraHelper[336]: An uncaught exception was raised
Sep 30 13:21:30 beterouge ZimbraHelper[336]: *** -[NSPlaceholderString initWithString:]: nil argument
Sep 30 13:21:30 beterouge ZimbraHelper[336]: *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSPlaceholderString initWithString:]: nil argument'
Sep 30 13:21:30 beterouge ZimbraHelper[336]: Stack: (\n    2451677515,\n    2501561915,\n    2451676971,\n    2451677034,\n    2435643739,\n    52456,\n    72072,\n    9610,\n    9393\n)
Sep 30 13:21:30 beterouge com.apple.syncservices.SyncServer[229]: 2008-09-30 13:21:30.759 ZimbraHelper[336:10b] An uncaught exception was raised
Sep 30 13:21:30 beterouge com.apple.syncservices.SyncServer[229]: 2008-09-30 13:21:30.760 ZimbraHelper[336:10b] *** -[NSPlaceholderString initWithString:]: nil argument
Sep 30 13:21:30 beterouge com.apple.syncservices.SyncServer[229]: 2008-09-30 13:21:30.761 ZimbraHelper[336:10b] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSPlaceholderString initWithString:]: nil argument'
Sep 30 13:21:30 beterouge com.apple.syncservices.SyncServer[229]: 2008-09-30 13:21:30.762 ZimbraHelper[336:10b] Stack: (
Sep 30 13:21:34 beterouge ReportCrash[342]: Formulating crash report for process ZimbraHelper[336]
Sep 30 13:21:35 beterouge ReportCrash[342]: Saved crashreport to /Users/nbfa/Library/Logs/CrashReporter/ZimbraHelper_2008-09-30-132130_beterouge.crash using uid: 501 gid: 20, euid: 501 egid: 20

The problem was, I couldn't find ZimbraHelper on my system, so I couldn't get rid of this "process" that was crashing; this binary was part of the Zimbra iSync Connector PreferencePane that I had deleted, and an exhaustive search on my system revealed no such file. I looked at the BOM file for the iSync Connector installer to see what else might have been installed, but everything was contained in the PrefPane exclusively. What was going on?

Stanford's CS dept to offer iPhone programming course

Thu, 24 Jul 2008 12:20:31 -0800

As originally posted on TUAW, Stanford's Department of Computer Science is offering CS 193P this upcoming fall term. The course is titled "iPhone Application Programming."