Friday, March 30, 2007


LogKext is a freeware keylogger for Mac OS X.

If you know what this is for, then you can get it here:

Otherwise just forget it.

Wednesday, March 28, 2007

Monitor FileSystem Usage

Have you ever wondered who is eating your file server's performance?

Unfortunately Apple offers no tools to monitor this.

You may, however, get some indication by entering the command:

fs_usage -w AppleFileServer | grep Volumes

More on this subject:
TIGER SERVER: High CPU Usage on AppleFileServer process
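To turn the raw fs_usage stream into something that answers "who is eating the performance", here is an added helper that is not from the post: it counts operations per share (or per top-level folder inside a share) and per syscall. The sample lines are constructed and assume fs_usage's usual "time, syscall, path, elapsed, process" column layout.

```shell
# Constructed fs_usage lines in the usual "time syscall path elapsed process" layout.
FS_USAGE_SAMPLE='10:41:12.345  open    /Volumes/Data/Projects/foo.psd   0.000045   AppleFileServer
10:41:12.346  read    F=12  B=0x1000                        0.000012   AppleFileServer
10:41:12.350  lstat   /Volumes/Data/Projects/bar.psd   0.000009 W AppleFileServer
10:41:12.351  open    /Volumes/Home/bob/doc.txt        0.000031   AppleFileServer
10:41:12.352  open    /Volumes/Data/Projects/baz.psd   0.000040   AppleFileServer'

# summarize_paths [DEPTH]: reads fs_usage lines on stdin and prints
# "count<TAB>path-prefix<TAB>syscall", busiest first. DEPTH 1 (default)
# groups by /Volumes/<share>, DEPTH 2 by /Volumes/<share>/<folder>, and so on.
# Lines without a /Volumes/... path (reads on file descriptors etc.) are skipped.
summarize_paths() {
  awk -v depth="${1:-1}" '
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^\/Volumes\//) {
          n = split($i, p, "/")      # p[2]="Volumes", p[3]=share, p[4]=folder ...
          key = ""
          for (j = 2; j <= 2 + depth && j <= n; j++) key = key "/" p[j]
          ops[key "\t" $2]++
          break
        }
      }
    }
    END { for (k in ops) printf "%d\t%s\n", ops[k], k }' | sort -rn
}

# On the server: fs_usage needs root and streams until interrupted, so capture
# for a while into a file and summarise that afterwards:
#   sudo fs_usage -w AppleFileServer > /tmp/afp.log    (Ctrl-C when done)
#   summarize_paths 2 < /tmp/afp.log
printf '%s\n' "$FS_USAGE_SAMPLE" | summarize_paths 2
```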

Friday, March 23, 2007

Re-index your LDAP

Sometimes it looks like your LDAP database is corrupted.
In that case you can try to re-index it.

1. Stop slapd with

sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.xml

2. Wait a minute to give slapd time to stop. You can see it in the OD status pane of Server Admin.

3. Re-index your LDAP database with

sudo slapindex -v -d 1

(I like the debug output just to see what it is doing.)

4. Start slapd back up with

sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.xml

See if that helps.
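The same four steps as a script, added here and not from the post, that waits until slapd has actually exited before running slapindex instead of guessing at "a minute"; it assumes `pgrep -x slapd` is the way to check.

```shell
# Paths are the ones from the steps above.
SLAPD_PLIST=/System/Library/LaunchDaemons/org.openldap.slapd.xml

# wait_until_gone "CHECK" SECONDS: re-run the shell command CHECK once a
# second until it fails (whatever it looks for is gone) or SECONDS have
# passed. Returns 0 when gone, 1 on timeout.
wait_until_gone() {
  check=$1; limit=$2; waited=0
  while sh -c "$check" >/dev/null 2>&1; do
    [ "$waited" -lt "$limit" ] || return 1
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# reindex_ldap: stop slapd, wait for it to exit, re-index, start it again.
# If slapd does not go away the database is left alone: the slapindex man
# page says slapd should not be running while it works, to keep things consistent.
reindex_ldap() {
  sudo launchctl unload "$SLAPD_PLIST" || return 1
  if ! wait_until_gone "pgrep -x slapd" 60; then
    echo "slapd still running after 60s, not touching the database" >&2
    sudo launchctl load "$SLAPD_PLIST"
    return 1
  fi
  sudo slapindex -v -d 1                  # -d 1: show what it is doing, as in the post
  sudo launchctl load "$SLAPD_PLIST"
}
```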

Backup using rsnapshot

I've been using rsnapshot to back up some of our servers.

rsnapshot can be installed via DarwinPorts (or manually; it's only two files: a Perl script and a config file) and works beautifully on OS X.

Even though there might be an issue when using ACLs, I prefer having a copy of the data instead of losing all of it....

It creates hard links to files that have not changed instead of copying them. This way incremental backups can be made where each snapshot is self-contained, meaning that it is a full copy that can be copied back in case of an emergency.

Really cool.

There's a good page on this subject to be found here:
rsnapshot on OS X howto

Reset Xsan Serial Numbers

If by any chance you are setting up an Xsan and are getting this error:

"Error while writing settings (Duplicate registration)"

Then this apparently has nothing to do with the serial number.
It could be correct. The problem is that Xsan has a database in which it stores the associations between hostnames and serial numbers, and this database can somehow get mixed up if you install the same Xsan several times...

The thing to do then is to get rid of the database by entering the command:

rm /etc/systemserialnumbers/xsan

on Metadata controllers as well as on all the clients.
Then reboot all of them and start anew.

This is how I got it working again.

The hint I followed was found here:

Monday, March 19, 2007

sso_util -- Kerberos -- Open Directory Single Sign On

So this is the tool to manage the Kerberos stuff!

I accidentally found it when browsing around for information on how to remove a replica from an open directory system.

That, by the way, is done by entering the command:

slapconfig -removereplica

But here's the info on sso_util:
Manual Page For sso_util(8)

So here's how to stop the Kerberos server:

sso_util remove -k -a diradminuser -p diradminpassword

Note that a password given with -p is visible to other users in the process list (ps) while the command runs and ends up in your shell history afterwards.

Thursday, March 15, 2007

Eject key doesn’t work in 10.4.9

I wish that I could configure the time it takes for the Eject key to react.

I personally have never pressed this key accidentally, and I wish that I could set it back to normal behaviour.
Especially since I also use this key to restart or shut down my mac....

Let's see if I can figure out how to change this...

smile ;-)

I use the following script within Apple Remote Desktop (ARD) to take a picture of the people sitting in front of their macs and send it to me via email:

# Short name of the user at the console: first word of `users`.
b=`users | cut -d " " -f 1`
# Real name (cn) from Open Directory. The host after -h was lost from the post; LDAP_HOST is a placeholder.
u=`/usr/bin/ldapsearch -x -h "$LDAP_HOST" -b "cn=users, dc=mydomain, dc=com" "uid=$b" | grep "^cn:" | cut -d":" -f 2`
# Computer name; the tool's path after RemoteManagement/ is truncated in the post.
c=`/System/Library/CoreServices/RemoteManagement/ -getcomputername | cut -d":" -f 2 | cut -d " " -f 2`
# Take the picture; wacaw appends .jpeg, so this writes /usr/local/sbin/smile.jpeg.
/usr/local/sbin/wacaw --jpeg /usr/local/sbin/smile
# Mail it; the recipient address (the last argument) was removed from the post.
echo "This is $u ($b) on $c" | /usr/local/bin/mutt -a /usr/local/sbin/smile.jpeg -s "$b@$c" ""
rm /usr/local/sbin/smile.jpeg

It sends me a photo of the person sitting in front of the Mac together with their name so that I know who it is.

This script uses:
wacaw to capture a picture from the iSight.
The Mutt e-mail client; unlike mail, this client allows me to send an attachment.
Mutt was compiled using the method described in my last post.

It also uses 'ldapsearch' to get the real name of the person.

Tuesday, March 13, 2007

Configuring build for universal binaries from open source

Configuring for universal binaries
The first approach is to simply have configure build a universal binary, by passing in the appropriate CFLAGS and LDFLAGS environment variables. This is done simply by running

env CFLAGS="-O -g -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc" \
LDFLAGS="-arch i386 -arch ppc" ./configure --prefix=${HOME}/Hello --disable-dependency-tracking

This is documented here:
Technical Note TN2137
Building Universal Binaries from "configure"-based Open Source Projects

After running 'make' and 'make install' you can find the binaries in a folder called 'Hello' in your home directory. This is very useful if you don't want to install the binaries directly into your system but would rather keep them isolated.
The advantage is that you can now easily use 'PackageMaker' to create an installer package ;-).

Apple Remote Desktop - Send Unix Commands

An interesting list of commands can be found here:
or here:

Secure OS X

There's an interesting article on how to secure Mac OS X to be found here:
Howto: A more secure OS X before Leopard
An even more secure OS X before Leopard

Adding security measures is a recurring subject when working as a system administrator.

PDF Guides:
NSA’s Guide to Panther Hardening
Corsaire’s Guide on Securing OS X Tiger
Apple’s Document on Securing Tiger

Thursday, March 8, 2007


There is an interesting article on how to set up a syslog server on Mac OS X on afp548:

Monday, March 5, 2007


slapconfig is a utility for configuring slapd, slurpd, and the Directory
Services search policy. It must be run by root.

Adds a replica to the slapd configuration file.

Create a new replica from an existing LDAP master.

-removereplica
Removes a replica from the slapd configuration file.

More information can be found in the man page for slapconfig.

After having set up a new server, I imported the ldap data from the old server.
After checking the setup I had the problem that I had to remove the old replicas.
Even though I removed them in the server settings they still showed up in the file /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist of the clients.
So I used slapconfig on the server to remove them.


echo "steve:jobs" | cut -f 1 -d ":"

returns 'steve' because cut is told to return field 1 using the delimiter ":".


Sometimes it may be useful to get the name of a Mac with a specific MAC address from your directory server:

/usr/bin/ldapsearch -x -h -b "cn=computers, dc=myserver, dc=com" "macAddress=00:0a:95:f1:01:04"

We use this in a script that installs our Mac OS X clients.
This has the advantage that Mac clients whose names are defined in our Open Directory are automatically renamed as they are installed, and thus always have the correct name without any additional manual renaming.

Unfortunately ldapsearch wraps (folds) its output at 80 characters per line, continuing the value on the next line after a leading space, which can be very annoying.
To undo this, pipe the output through one line of Perl:

perl -p -0040 -e 's/\n //'

-p: loop over each input record and print it
-0040: set the input record separator to octal 040, i.e. a space
-e: the expression that follows; it removes each newline followed by a space, joining a folded line back onto its predecessor

get mac address

To get the MAC address, use the following command:

hwAddress=`ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'`
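The lookup described in the two posts above (MAC address from ifconfig, computer name from the directory, folded LDIF lines joined) as one added script; it is not the install script from the post. LDAP_HOST is a placeholder because the host is not given on the page, the base DN is the one from the post, and the LDIF sample is constructed.

```shell
LDAP_HOST=${LDAP_HOST:-ldap.example.com}        # placeholder, not from the post
LDAP_BASE="cn=computers, dc=myserver, dc=com"

# Ethernet address of en0, colons kept because the macAddress filter uses them.
local_mac() { ifconfig en0 | awk '/ether/ { print $2 }'; }

# Join LDIF continuation lines: a line beginning with one space carries on the
# previous line. Same effect as the post's perl -p -0040 -e 's/\n //'.
unfold_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (have) print buf; buf = $0; have = 1 }
    END { if (have) print buf }'
}

# ldif_attr NAME: print the value(s) of attribute NAME from unfolded LDIF.
ldif_attr() {
  awk -v name="$1" 'index($0, name ": ") == 1 { sub(/^[^:]*: /, ""); print }'
}

# lookup_name MAC: the ldapsearch from the post, reduced to the computer's cn.
lookup_name() {
  /usr/bin/ldapsearch -x -h "$LDAP_HOST" -b "$LDAP_BASE" "macAddress=$1" \
    | unfold_ldif | ldif_attr cn
}

# Constructed ldapsearch output for a computer record; the description is
# folded the way ldapsearch prints attributes longer than one line.
LDIF_SAMPLE='dn: cn=lab-imac-01,cn=computers,dc=myserver,dc=com
cn: lab-imac-01
macAddress: 00:0a:95:f1:01:04
description: Imaged on 2007-03-05 from the lab NetInstall image, assigned to the
  graphics room'

# On a client the call would be: lookup_name "$(local_mac)"
printf '%s\n' "$LDIF_SAMPLE" | unfold_ldif | ldif_attr cn
```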


Directory Service command line utility

List users:
dscl /LDAPv3/ -list /Users

Read a user's properties:
dscl /LDAPv3/ -read /Users/ms

MCX Cache

Update MCX Cache
sudo /System/Library/CoreServices/ -U UserNameHere


MCXCacher -U usershortname [-h homepath]
Creates (or overwrites an existing) mobile account on the current
machine for user "usershortname" with optional home path "homepath"

Performs the pre-login checks and refreshes cache if required.

MCXCacher -u usershortname
Performs the post login checks and refreshes caches -- does
everything that "MCXCacher" does plus caches the current user's

MCXCacher -f
Flushes the cache (Mobile accounts not removed; but system is unmanaged)

MCXCacher -d
Dirties the cache so that it will be refreshed at the next login
("MCXCacher" call by mcxd)

MCXCacher -f will put the machine into an unmanaged state until the
next time it reconnects to the management server, so it's a rather
drastic thing to do. From memory, if you run this command, Mobile
Users won't be able to log in at the loginwindow unless the machine
can connect to the management server at that time.

MCXCacher -d does the right thing in the vast majority of cases, and
as John DeTroye just pointed out to me, runs at login/logout and

The flags that allow you to specify where a mobile user home
directory is created are really useful though. I'm using it with a
login hook that means that my users get their home directory set to
another partition when they first login as a Mobile User.


Display User and Group of a folder:
stat -f "%u:%g" backup/

Display Permissions of a folder:
stat -f "%p" backup/

find installed files

any opaque installer that asks for a password, you might want to take the pause that refreshes and square yourself to capture what was done. a technique...

quit apps that may be changing files. we want as few files mod'd as possible.

before running the installer, in the shell:

% touch ~/newer

then, run your installer. when it has completed, in the shell...

% sudo /usr/bin/find / -xdev -newer ~/newer

this will spit up all files changed since the above touch.

you might want to capture it by redirecting to a file...

% sudo /usr/bin/find / -xdev -newer ~/newer >~/

note that there may be some files in there that were modified, but not by the installer.
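The touch/find technique above wrapped in functions, with an added pass that pulls out the new files worth a closer look first: setuid, setgid and world-writable ones. This is an added example, not part of the hint; MARKER defaults to ~/newer as in the text, and the functions are meant to be run as root (via sudo) to cover the whole filesystem.

```shell
MARKER=${MARKER:-$HOME/newer}

# Before running the installer.
start_marker() { touch "$MARKER"; }

# installed_files [ROOT]: everything on ROOT's filesystem modified after the
# marker, the marker itself excluded. -xdev keeps find off other volumes.
installed_files() {
  find "${1:-/}" -xdev -newer "$MARKER" ! -path "$MARKER"
}

# risky_installed_files [ROOT]: the subset of regular files that is setuid
# (-4000), setgid (-2000) or world-writable (-0002); -perm -MODE matches when
# all the given bits are set. Pipe through xargs ls -l to see owner and mode.
risky_installed_files() {
  find "${1:-/}" -xdev -newer "$MARKER" ! -path "$MARKER" -type f \
    \( -perm -4000 -o -perm -2000 -o -perm -0002 \)
}
```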

Hide 'Other Users...' in Login Window

sudo defaults write /Library/Preferences/ SHOWOTHERUSERS_MANAGED false

To hide local admin users:
sudo defaults write /Library/Preferences/ HideAdminUsers true

Make a client pretend it is a server

Some tools only work on the server version of Mac OS X.

In order to make these tools work on a client you can make the system think it is a server by issuing the following command:

sudo touch /System/Library/CoreServices/ServerVersion.plist

You may then use these server tools.
Afterwards you will have to change things back:

sudo rm /System/Library/CoreServices/ServerVersion.plist

Make sure not to leave out the last step, else your computer will think it's Mac OS X Server!

filenames with spaces...

This is a quickie. On the Mac you regularly handle files with spaces in the Finder without issue, and even on the command line when you put quotes around them or let tab-completion escape them properly. However, if you try to do things in a shell script, like a for loop, on filenames that involve a space, you're going to hit a wall. for splits items on a space, regardless of whether they're quoted (if they're stored in a variable). However, the read command does not. Observe.

find ~ -name '* *' | while IFS= read -r FILE; do
  echo "$FILE rocks."
done

And that's that. Run the command and pipe to the while stanza and it works like a charm.
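The difference made countable, as an added example that is not from the tip: loop over a constructed directory holding "a b.txt" and "c.txt" both ways and report how many items each loop saw and how many of them were not real files.

```shell
# Each function prints "ITEMS MISSING" for the directory given as $1.
count_with_for() {
  items=0; missing=0
  for f in $(find "$1" -type f); do      # word-split on spaces: "a b.txt" becomes two items
    items=$((items + 1))
    [ -f "$f" ] || missing=$((missing + 1))
  done
  echo "$items $missing"
}

count_with_while() {
  find "$1" -type f | {                   # read takes a whole line at a time
    items=0; missing=0
    while IFS= read -r f; do
      items=$((items + 1))
      [ -f "$f" ] || missing=$((missing + 1))
    done
    echo "$items $missing"
  }
}

# Demo on a constructed directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/a b.txt"
: > "$demo_dir/c.txt"
echo "for:   $(count_with_for "$demo_dir")"      # 3 2
echo "while: $(count_with_while "$demo_dir")"    # 2 0
rm -rf "$demo_dir"
```

A newline inside a file name still breaks read; for that, find -print0 with bash's read -d '' is needed.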

Software Update Server

I know that a client can be forced to use a local Software Update Server by managing the preferences on the directory server.

You can do this through the command line too. That app is just editing the Software Update .plist file. For a global change of the Software Update server for all users, type this:

sudo defaults write /Library/Preferences/ CatalogURL "http://your-server:8088/"

Remember to add the "/" after the port number. And the part with the address, you do actually put that in quotes when entering it in the Terminal.

In our environment it is also necessary to add the Software Update server to the list of servers that bypass our web proxy, because Software Update won't work with a proxy between client and server...

create non-admin user

The command in the last post creates an admin user.

In order to remove admin rights, all that has to be done is to take that user out of the admin group.

On the local machine this can be done using the following command:

niutil -destroyval . /groups/admin users username

Create a new user via command line

To create a user:
$ sudo /System/Library/ServerSetup/serversetup -createUser fullname shortname password
The name, short name, and password must be typed in the order shown. If the full
name includes spaces, type it in quotes.
The command displays a 1 if the full name or short name is already in use.

To create a user with a specific UID:
$ sudo /System/Library/ServerSetup/serversetup -createUserWithID fullname shortname password userid
The name, short name, password, and UID must be typed in the order shown. If the full
name includes spaces, type it in quotes.
The command displays a 1 if the full name, short name, or UID is already in use or if the
UID you specified is less than 100.

To create a user with a specific UID and home directory:
$ sudo /System/Library/ServerSetup/serversetup -createUserWithIDIP fullname shortname password userid homedirpath
The name, short name, password, and UID must be typed in the order shown. If the full
name includes spaces, type it in quotes.

Backup a file....

sudo cp /etc/sudoers /etc/sudoers.`date +%Y%m%d_%H%M%S`
This will create a file name like /etc/sudoers.20051025_115428, which carries not only the date of when you backed up this file but also the time - useful if you're doing many revisions of one file in a day!

No Startup Sound

sudo nvram SystemAudioVolume=" "

It seems to use ASCII character values from 32 upwards to represent the different volumes - the default is "{", which is quite loud..

To restore the default behaviour:

sudo nvram -d SystemAudioVolume

tip found at:

The MacBook I tried this on however does not seem to do as it should.
After a reboot the value of SystemAudioVolume seems to get set back to 'w'...

Oh well, I'll just keep on using 'StartupSound.prefPane' found here:

Getting started...

I have been using the internet for years to find solutions to my problems.
Now I think the time has come for me to publish my knowledge as well so that others with similar problems might profit from my experience.

So instead of writing down my stuff for my own records I will now write them down here so that others might profit from them as well...