Monday, November 19, 2007

Enable Mail Bundles in Mac OS X 10.5 Leopard

Normally Bundles no longer work after installing Leopard.
I miss Mail.appetizer. To get these working again in Leopard follow these steps:

Quit Mail

Enter these commands in Terminal:

defaults write EnableBundles -bool YES
defaults write BundleCompatibilityVersion -int 3

Start Mail

Friday, November 16, 2007

Turn off Translucent Menu Bar in Leopard

sudo defaults write /System/Library/LaunchDaemons/ 'EnvironmentVariables' -dict 'CI_NO_BACKGROUND_IMAGE' 1

Thursday, November 8, 2007

Changing the root password on MySQL

Many distributions of Linux have an option to install MySQL. In this case, or even if you compile MySQL, the default password is blank. MySQL can also run on Windows boxen. When you install MySQL, make sure that you set the root password. You can do this:

root@u-1:/home/u-1# mysql -u root mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 3.23.47
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> SET PASSWORD FOR root@localhost=PASSWORD('rubberchicken');
Query OK, 0 rows affected (0.06 sec)

In this example, we set the root password to rubberchicken. Note from the above that the password wasn't set before we changed it: the first login asked for none. If we try this again, we need to use the -p option to enter the password:

root@u-1:/home/u-1# mysql -u root mysql
ERROR 1045: Access denied for user: 'root@localhost' (Using password: NO)
root@u-1:/home/u-1# mysql -u root -p mysql
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3 to server version: 3.23.47
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

To reset a root password that you forgot (using paths on our system):

[root@host root]#killall mysqld
[root@host root]#/usr/libexec/mysqld -Sg --user=root &

You may have better luck with:

mysqld --skip-grant-tables --user=root

Go back into MySQL with the client:

[root@host root]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 3.23.41
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> USE mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> UPDATE user
-> SET password=password("newpassword")
-> WHERE user="root";
Query OK, 2 rows affected (0.04 sec)
Rows matched: 2 Changed: 2 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
mysql> exit;
[root@host root]#killall mysqld

Start MySQL the normal way for your system, and all is good. For Red Hat this is:

/etc/init.d/mysqld start

Monday, October 29, 2007

Group Members

Have you ever tried to get a list of group members in a text file?

Well you can do it this way:

dscl /LDAPv3/ -read /Groups/ThisGroup Member > ThisGroupsMembers.txt

Wednesday, October 17, 2007

Join Kerberos

I was having some troubles getting a server to join kerberos.

After some time I found out that the problem was related to a correct dns entry.

So there are two ways to fix this:

a) correct dns
b) if that is not possible due to some reason as in my case you may try this:

Use a text editor to open the /etc/hosts file, then add the following entry to the end of the file:

IP address FQDN

... where IP address is the IP address of the KDC, and FQDN is the fully qualified domain name that you specified on your DNS server.

For example: 123.456.78.910

In Terminal (/Applications/Utilities), execute the following command:
sudo scutil --set HostName
... where FQDN is the fully qualified domain name of this server that was configured on your DNS server.

After that I had no problems joining kerberos using:

sso_util remove -k -a diradminuser -p diradminpassword
rm /etc/krb5.keytab
# rm /Library/Preferences/
# rm -R /Library/Preferences/DirectoryService/
rm -R /var/db/krb5kdc/*

/usr/sbin/sso_util configure -r LDAP.HOPRO.EDU -a diradminuser -p diradminpassword -f /LDAPv3/ipaddrofladserver -v 1 all

Hint found here:
Mac OS X Server 10.4: Kerberos authentication services may not successfully start

Wednesday, October 10, 2007

Passwords not working?

Are you running a Mac OS X server and having troubles with your passwords?

The symptoms you see are:

- A user can't log in to some systems
- The /Library/Logs/PasswordService/ApplePasswordServer.Server.log on the relevant password server contains this message:

Dec 5 2005 14:28:26 AUTH2: {0x4322345c67952fc40000016800000685, user1} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).

Then have a look at this document:

Mac OS X Server: Authentication issues with DIGEST-MD5, "SASL error -13"

Tuesday, August 7, 2007

diskutil resizeVolume

To create a partition for Windows on an iMac with a 150GB disk I used the following commands:

First we need to look at the current disk partitioning:
diskutil list
which returns something like

#: type name size identifier
0: GUID_partition_scheme *149.1 GB disk0
1: EFI 200.0 MB disk0s1
2: Apple_HFS MyMac 148.7 GB disk0s2

Then I used the command
diskutil resizeVolume disk0s2 112G MS-DOS Windows 36G

This resizes the Mac partition to 112 GB and creates a second partition in MS-DOS format named 'Windows' with a size of 36 GB.

More infos here:

A reboot is then required. But wait:
Be sure to set the startup disk first, otherwise your mac will not start up!!!
bless --mount "/Volumes/Macintosh HD" --setBoot

In order to use the newly created volume with netboot, I had to erase the volume.
Otherwise the volume was not visible in NetRestore.
The command to do this is:

diskutil eraseVolume MS-DOS ".Windows XP" /dev/disk0s3

Thursday, June 28, 2007

Printer Stuff

I tried to change the default printer remotely.

Let's see what we got:
/System/Library/StartupItems/PrintingServices/PrintingServices restart
to start and stop the printing.

we have /etc/cups/printers.conf where all the information is stored.

we have 'lpadmin -d printer_name' to set the default printer.

but how do I change the default printer without restarting the mac so that it shows in Remote Desktop?

Wednesday, May 23, 2007

Sending email attachments through the terminal


Hint found here:

Monday, May 21, 2007

kerberos troubles

Are you having troubles getting kerberos to work on Mac OS X Server?

Well here's a hint:

Open Workgroup Manager on the designated Kerberos server and delete everything you may find in the path:


You may have to enable 'Show "All Records" tab and inspector' in the preferences of WGM in order to do so.

I found that the server I work with had rubbish in there which prevented it from working.

Thursday, April 26, 2007

Sharing files on OS X with ACL

A problem with the /Users/Shared folder in OS X is that it is only shared read-only. You can add write access to all items in the shared folder, but when a new user adds files, they will be read-only for the others. With Tiger and ACLs you can now set up a shared folder with both read and write access, which passes write access on to all new files automatically. Here is how:

First you need to enable ACL on your root file system:

sudo /usr/sbin/fsaclctl -p / -e

Then enable inheritable write access to the Shared folder:

sudo chmod -R +a "admin allow delete,chown,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Users/Shared

Monday, April 16, 2007

"Well Known" TCP and UDP Ports Used By Apple Software Products

"Well Known" TCP and UDP Ports Used By Apple Software Products

Managed Client: How to prevent profanity from appearing in Dictionary

This is an interesting subject.
I guess this could be helpful to manage other preferences from the workgroup manager as well:

Actually this tip should help manage any preferences that use the plist format.
Now this is really interesting.

I wonder if I can turn off the software update function of iTunes...

Tuesday, April 10, 2007

Screensaver over LoginWindow

Unfortunately Apple does not supply a method of using a screensaver while the mac is in the login window.

This may however be accomplished using this hint:
Screensaver over Loginwindow

Screensaver Configuration

Some details on how to configure the behaviour of the default screensaver on Mac OS X:

The settings for the default saver are to be found here:
/System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/Engine Defaults.plist

More information on this subject here:
Screensaver configuration

Tuesday, April 3, 2007

Enable auto login via command line [update]

I have been wondering on how to do this for a long time.

Here's the clue:
On Mac OS X Server side there is this tool:

Amongst a lot of other features, it offers these functions:

serversetup -setAutoLoginUser Name UID Password
Set the autostart user using the name and password supplied.

serversetup -getAutoLoginUser
Returns the current AutoLoginUser.

serversetup -clearAutoLoginUser UID
Disables AutoLogin feature.

Now what if I copied this tool to a Mac client?
Guess what...

It works. Well sort of. Sometimes.
It works if the script is executed while logged in locally on the machine.
But that's not what I want.

But I found another hint here:

What you can do is copy the file /private/etc/kcpassword generated on one machine to all the macs you want to log in automatically. It contains an encrypted password. Unfortunately there is no documented way of generating this file on a client. Hmm.

Then all you have to do is change the login preferences by issuing the following commands:

/usr/bin/defaults write /Library/Preferences/ autoLoginUser yourusername
/usr/bin/defaults write /Library/Preferences/ autoLoginUID yourUIDnumber

There is a cooler way to do this.
I found a utility whose name is 'kcpasswd'.
kcpasswd is a command line application that changes a user's KeyChain password.
That's not exactly what I was looking for, but it comes real close.
So I sent an email to the author of 'kcpasswd' asking if there was any chance that he could support generating the /etc/kcpassword file.

After a while I received an email from Phill Tejada telling me that he had this new tool called 'loginoptions' which does just that.
Way cool and thanks a lot Phill.

Oh yes, the links, I almost forgot:

Friday, March 30, 2007


LogKext is a freeware keylogger for Mac OS X.

If you know what this is for, then you can get it here:

Otherwise just forget it.

Wednesday, March 28, 2007

Monitor FileSystem Usage

Have you ever been wondering who is eating your fileserver's performance?

Unfortunately Apple offers no tools to monitor this.

You may however get some indications by entering the command:

fs_usage -w AppleFileServer | grep Volumes

More on this subject:
TIGER SERVER: High CPU Usage on AppleFileServer process

Friday, March 23, 2007

Re-index your ldap

Sometimes it looks like your ldap db is corrupted.
In that case you can try to re-index your ldap

1. Stop slapd with

sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.xml

2. Wait a minute to give slapd time to stop. You can see it in the OD status pane of Server Admin

3. Re-index your ldap db with

sudo slapindex -v -d 1

(I like the debug output just to see what it is doing.)

4. Start slapd back up with

sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.xml

See if that helps.

Backup using rsnapshot

I've been using rsnapshot to back up some of our servers.

rsnapshot can be installed via Darwinports (or manually; it's only two files: a Perl script and a config file) and works beautifully on OS X.

Even though there might be an issue when using ACLs I prefer having a copy of the data instead of losing all....

It creates hard links instead of copies of files that have not changed. This way incremental backups can be made where each copy is self-contained, meaning that it is a full copy that can be copied back in case of an emergency.

Really cool.

There's a good page on this subject to be found here:
rsnapshot on OS X howto

Reset Xsan Serial Numbers

If by any chance you are setting up a Xsan and are getting these errors:

"Error while writing settings (Duplicate registration)"

Then this apparently has nothing to do with the serial number.
It could be correct. But the problem is that Xsan has a database in which it stores the associations between hostnames and serial numbers. And this database can somehow seem to get mixed up if you install the same Xsan several times...

The thing to do is then to get rid of the database by entering the command:

rm /etc/systemserialnumbers/xsan

on Metadata controllers as well as on all the clients.
Then reboot all of them and start anew.

This is how I got it working again.

The hint I followed was found here:

Monday, March 19, 2007

sso_util -- Kerberos -- Open Directory Single Sign On

So this is the tool to manage the kerberos stuff!

I accidentally found it when browsing around for information on how to remove a replica from an open directory system.

That by the way is done by entering the command:

slapconfig -removereplica

But here's the info on sso_util:
Manual Page For sso_util(8)

So here's how to stop the kerberos server:

sso_util remove -k -a diradminuser -p diradminpassword

Thursday, March 15, 2007

Eject key doesn’t work in 10.4.9

I wish that I could configure the time it takes for the Eject key to react.

I personally never pressed this key accidentally and I wish that I could set it back to normal behaviour.
Especially since I also use this key to restart or shut down my mac....

Let's see if I can figure out how to change this...

smile ;-)

I use the following script within Apple Remote Desktop (ARD) to take a picture of the people sitting in front of their macs and send it to me via email:

b=`users | cut -d " " -f 1`
u=`/usr/bin/ldapsearch -x -h -b "cn=users, dc=mydomain, dc=com" "uid=$b"| grep cn: |cut -d":" -f 2`
c=`/System/Library/CoreServices/RemoteManagement/ -getcomputername | cut -d":" -f 2 | cut -d " " -f 2`
/usr/local/sbin/wacaw --jpeg smile
echo "This is $u ($b) on $c" | /usr/local/bin/mutt -a "/usr/local/sbin/smile.jpeg" -s "$b@$c" ""
rm /usr/local/sbin/smile.jpeg

It sends me a photo of the person sitting in front of the mac together with their name so that I know who it is.

This script uses:
wacaw to capture a picture from the iSight.
The Mutt E-Mail Client
Unlike mail this email client allows me to send an attachment.
Mutt was compiled using the method described in my last post.

It also uses 'ldapsearch' to get the real name of the person.

Tuesday, March 13, 2007

Configuring build for universal binaries from open source

Configuring for universal binaries
The first approach is to simply have configure build a universal binary, by passing in the appropriate CFLAGS and LDFLAGS environment variables. This is done simply by running

env CFLAGS="-O -g -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc" \
LDFLAGS="-arch i386 -arch ppc" ./configure --prefix=${HOME}/Hello --disable-dependency-tracking

This is documented here:
Technical Note TN2137
Building Universal Binaries from "configure"-based Open Source Projects

After entering the commands 'make' and 'make install' you can then find the binaries in a folder called 'Hello' in your home directory. This is very useful if you don't want to install the binaries directly in your system but would rather have them isolated.
The advantage being that you can now easily use 'PackageMaker' to create an installer package ;-).

Apple Remote Desktop - Send Unix Commands

An interesting list of commands can be found here:
or here:

Secure OS X

There's an interesting article on how to secure Mac OS X to be found here:
Howto: A more secure OS X before Leopard
An even more secure OS X before Leopard

Adding additional security measures is always a subject when working as a system administrator.

PDF Guides:
NSA’s Guide to Panther Hardening
Corsaire’s Guide on Securing OS X Tiger
Apple’s Document on Securing Tiger

Thursday, March 8, 2007


There is an interesting article on how to set up a syslog server in mac os x on afp548:

Monday, March 5, 2007


slapconfig is a utility for configuring slapd, slurpd, and the Directory
Services search policy. It must be run by root.

Adds a replica to the slapd configuration file.

Create a new replica from an existing LDAP master.

-removereplica -
Removes a replica from the slapd configuration file.

More information can be found in the man pages of slapconfig.

After having set up a new server, I imported the ldap data from the old server.
After checking the setup I had the problem that I had to remove the old replicas.
Even though I removed them in the server settings they still showed up in the file /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist of the clients.
So I used slapconfig on the server to remove them.


echo "steve:jobs"| cut -f 1 -d ":"
returns 'steve' because cut is set to return field 1 using delimiter ":"


Sometimes it may be useful to get the name of a mac with a specific mac address from your directory server:

/usr/bin/ldapsearch -x -h -b "cn=computers, dc=myserver, dc=com" "macAddress=00:0a:95:f1:01:04"

We use this in a script that installs our Mac OS X clients.
This has the advantage that mac clients whose names are defined in our open directory are automatically renamed as they are installed and thus always have the correct name without any additional manual renaming.

Unfortunately ldapsearch truncates its output to 80 characters per line which can be very annoying.
To prevent this one may add one line of Perl:

perl -p -0040 -e 's/\n //'

-p: Loop for each line and print
-0040: Set input delimiter to 040 i.e. space
-e: Command follows - strip newline/space

get mac address

To get the mac address use the following command:

hwAddress=`ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'`


Directory Service command line utility

List users:
dscl /LDAPv3/ -list /Users

Read a users properties:
dscl /LDAPv3/ -read /Users/ms

MCX Cache

Update MCX Cache
sudo /System/Library/CoreServices/ -U UserNameHere


MCXCacher -U usershortname [-h homepath]
Creates (or overwrites an existing) mobile account on the current
machine for user "usershortname" with optional home path "homepath"

Performs the pre-login checks and refreshes cache if required.

MCXCacher -u usershortname
Performs the post login checks and refreshes caches -- does
everything that "MCXCacher" does plus caches the current user's

MCXCacher -f
Flushes the cache (Mobile accounts not removed; but system is unmanaged)

MCXCacher -d
Dirties the cache so that it will be refreshed at the next login
("MCXCacher" call by mcxd)

MCXCacher -f will put the machine into an unmanaged state until the
next time it reconnects to the management server, so it's a rather
drastic thing to do. From memory, if you run this command, Mobile
Users won't be able to login at the loginwindow unless the machine
can connect to the management server at that time.

MCXCacher -d does the right thing in the vast majority of cases, and
as John DeTroye just pointed out to me, runs at login/logout and

The flags that allow you to specify where a mobile user home
directory is created are really useful though. I'm using it with a
login hook that means that my users get their home directory set to
another partition when they first login as a Mobile User.


Display User and Group of a folder:
stat -f "%u:%g" backup/

Display Permissions of a folder:
stat -f "%p" backup/

find installed files

any opaque installer that asks for a password, you might want to take the pause that refreshes and square yourself to capture what was done. a technique...

quit apps that may be changing files. we want as few files mod'd as possible.

before running the installer, in the shell:

% touch ~/newer

then, run your installer. when it has completed, in the shell...

% sudo /usr/bin/find / -xdev -newer ~/newer

this will spit up all files changed since the above touch.

you might want to capture it by redirecting to a file...

% sudo /usr/bin/find / -xdev -newer ~/newer >~/

note that there may be some files in there that were modified, but not by the installer.
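
The same touch / find -newer technique wrapped in a function that also flags setuid, setgid and world-writable files in the result. This is an added example, not part of the original post; the names audit_changes, fake_installer and demo_audit and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_changes ROOT CMD [ARGS...]
#   Drops a timestamp marker, runs CMD, then lists every regular file under
#   ROOT whose mtime is newer than the marker. Lines are prefixed with
#   "SUID" (setuid/setgid bit set), "WW" (world-writable) or blanks.
audit_changes() {
    root=$1; shift
    marker=$(mktemp "${TMPDIR:-/tmp}/newer.XXXXXX") || return 1
    # -newer is a strict comparison and some file systems (HFS+ among them)
    # keep one-second timestamps, so let the clock move past the marker
    # before the installer starts writing.
    sleep 1
    status=0
    "$@" || status=$?
    find "$root" -xdev -type f -newer "$marker" \( \
        \( -perm -4000 -o -perm -2000 \) -exec printf 'SUID %s\n' {} \; \
        -o -perm -0002 -exec printf 'WW   %s\n' {} \; \
        -o -exec printf '     %s\n' {} \; \)
    rm -f "$marker"
    return "$status"
}

# Constructed stand-in for an installer: writes three files into $1.
# Runs in a subshell so the umask change does not leak to the caller.
fake_installer() (
    umask 022
    echo data > "$1/plain file.txt"
    echo data > "$1/helper";      chmod 4755 "$1/helper"
    echo data > "$1/shared.conf"; chmod 666  "$1/shared.conf"
)

# Runs the audit against a scratch directory and prints the report.
demo_audit() {
    scratch=$(mktemp -d) || return 1
    echo data > "$scratch/untouched.txt"   # exists before the marker
    audit_changes "$scratch" fake_installer "$scratch"
    rm -rf "$scratch"
}

demo_audit
```

find -newer compares modification times, so a file whose mode or owner was changed without its content being rewritten does not show up in this report.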

Hide 'Other Users...' in Login Window

sudo defaults write /Library/Preferences/ SHOWOTHERUSERS_MANAGED false

To hide local admin users:
sudo defaults write /Library/Preferences/ HideAdminUsers true

Make a client pretend it is a server

Some tools only work on the server version of Mac OS X.

In order to make these tools work on a client you can make the system think it is a server by issuing the following command:

sudo touch /System/Library/CoreServices/ServerVersion.plist

You may then use these server tools.
Afterwards you will have to change things back:

sudo rm /System/Library/CoreServices/ServerVersion.plist

Make sure to not leave out the last line, else your computer will think it's Mac OS X Server!

filenames with spaces...

This is a quickie. On the Mac you regularly handle files with spaces in the Finder without issue, and even on the command line when you put quotes around them or let tab-completion escape them properly. However, if you try to do things in a shell script, like a for loop, on filenames that involve a space you're going to hit a wall. for splits items on a space, regardless of whether they're quoted (if they're stored in a variable). However, the read command does not. Observe.

find ~ -name '* *' | while read FILE
do
  echo "$FILE rocks."
done

And that's that. Run the command and pipe to the while stanza and it works like a charm.
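
A plain read loop copes with ordinary spaces but still mangles names that end in a space, contain a backslash or contain a newline. The added example below (not part of the original post; the function names and sample file names are constructed) compares it with letting find pass each path to the shell as a single argument.

```shell
#!/bin/sh
# Added example, not from the original post. Directory and file names
# below are constructed sample data.

# Build a scratch directory holding four awkward but legal file names.
make_samples() {
    d=$(mktemp -d) || return 1
    : > "$d/a b"             # plain space
    : > "$d/trail "          # trailing space
    : > "$d/back\\ slash"    # literal backslash followed by a space
    : > "$d/new
line x"                      # embedded newline
    printf '%s\n' "$d"
}

# Plain read loop: read strips trailing blanks, treats backslashes as
# escapes and sees one name per line, so only names that survive all
# three still point at a real file. Prints how many names resolved.
naive_count() {
    find "$1" -name '* *' | while read FILE; do
        [ -e "$FILE" ] && printf x
    done | wc -c | tr -d ' '
}

# find -exec hands every path to the inner shell as one untouched
# argument, so no parsing of the name takes place at all.
safe_count() {
    find "$1" -name '* *' -exec sh -c '
        for f in "$@"; do [ -e "$f" ] && printf x; done' sh {} + |
        wc -c | tr -d ' '
}

dir=$(make_samples)
echo "read loop resolved $(naive_count "$dir") of 4 names"
echo "find -exec resolved $(safe_count "$dir") of 4 names"
rm -rf "$dir"
```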

Software Update Server

I know that a client can be forced to use a local Software Update Server by managing the preferences on the directory server.

You can do this through the command line too. That app is just editing the software update .plist file. For a global change of software update server for all users, type this.

sudo defaults write /Library/Preferences/ CatalogURL "http://you-server:8088/"

Remember to add that "/" after the port number. And the part with the address, you do actually put that in quotes when entering in the terminal.

In our environment it is also necessary to add the software update server to the list of servers that will not pass through our web proxy server because the software update won't work with a proxy between client and server...

create non-admin user

The command in the last post creates an admin user.

In order to remove admin rights all that has to be done is to take that user out of the admin group.

On the local machine this can be done using the following command:

niutil -destroyval . /groups/admin users username

Create a new user via command line

To create a user:
$ sudo /System/Library/ServerSetup/serversetup -createUser fullname shortname password
The name, short name, and password must be typed in the order shown. If the full name includes spaces, type it in quotes.
The command displays a 1 if the full name or short name is already in use.

To create a user with a specific UID:
$ sudo /System/Library/ServerSetup/serversetup -createUserWithID fullname shortname password userid
The name, short name, password, and UID must be typed in the order shown. If the full name includes spaces, type it in quotes.
The command displays a 1 if the full name, short name, or UID is already in use or if the UID you specified is less than 100.

To create a user with a specific UID and home directory:
$ sudo /System/Library/ServerSetup/serversetup -createUserWithIDIP fullname shortname password userid homedirpath
The name, short name, password, and UID must be typed in the order shown. If the full name includes spaces, type it in quotes.

Backup a file....

sudo cp /etc/sudoers /etc/sudoers.`date +%Y%m%d_%H%M%S`
This will create a file name like this /etc/sudoers.20051025_115428 which has not only the date of when you backed up this file, but also the time - useful if you're doing many revisions on one file in a day!

No Startup Sound

sudo nvram SystemAudioVolume=" "

Seems to use ASCII character values from 32 upwards to represent the different volumes - the default is "{" which is quite loud..

to restore default behaviour :

sudo nvram -d SystemAudioVolume

tip found at:

The MacBook I tried this on however does not seem to do as it should.
After a reboot the value of SystemAudioVolume seems to get set back to 'w'...

Oh well, I'll just keep on using 'StartupSound.prefPane' found here:

Getting started...

I have been using the internet for years to find solutions to my problems.
Now I think the time has come for me to publish my knowledge as well so that others with similar problems might profit from my experience.

So instead of writing down my stuff for my own records I will now write them down here so that others might profit from them as well...