Normally Bundles no longer work after installing Leopard.
I miss Mail.appetizer. To get these working again in Leopard follow these steps:
Quit Mail
Enter these commands in Terminal:
defaults write com.apple.mail EnableBundles -bool YES
defaults write com.apple.mail BundleCompatibilityVersion -int 3
Start Mail
Monday, November 19, 2007
Friday, November 16, 2007
Turn off Translucent Menu Bar in Leopard
sudo defaults write /System/Library/LaunchDaemons/com.apple.WindowServer 'EnvironmentVariables' -dict 'CI_NO_BACKGROUND_IMAGE' 1
Thursday, November 8, 2007
Changing the root password on MySQL
Many distributions of Linux have an option to install MySQL. In this case, or even if you compile MySQL, the default password is blank. MySQL can also run on Windows boxen. When you install MySQL, make sure that you set the root password. You can do this:
In this example, we set the root password to rubberchicken. Note from the above that the password wasn't set. If we try this again, we need to use the -p option to enter the password:
To reset a root password that you forgot (using paths on our system):
You may have better luck with:
Go back into MySQL with the client:
Start MySQL the normal way for your system, and all is good. For Red Hat this is:
Monday, October 29, 2007
Group Members
Have you ever tried to get a list of group members in a text file?
Well you can do it this way:
dscl /LDAPv3/ldap.company.com -read /Groups/ThisGroup Member > ThisGroupsMembers.txt
Wednesday, October 17, 2007
Join Kerberos
I was having some troubles getting a server to join kerberos.
After some time I found out that the problem was related to a correct dns entry.
So there are two ways to fix this:
a) correct dns
b) if that is not possible due to some reason as in my case you may try this:
Use a text editor to open the /etc/hosts file, then add the following entry to the end of the file:
IP address FQDN
... where IP address is the IP address of the KDC, and FQDN is the fully qualified domain name that you specified on your DNS server.
For example: 123.456.78.910 www.example.com
In Terminal (/Applications/Utilities), execute the following command:
sudo scutil --set HostName FQDN
... where FQDN is the fully qualified domain name of this server that was configured on your DNS server.
After that I had no problems joining Kerberos using:
sso_util remove -k -a diradminuser -p diradminpassword
rm /etc/krb5.keytab
# rm /Library/Preferences/edu.mit.Kerberos
# rm -R /Library/Preferences/DirectoryService/
rm -R /var/db/krb5kdc/*
/usr/sbin/sso_util configure -r LDAP.HOPRO.EDU -a diradminuser -p diradminpassword -f /LDAPv3/ipaddrofladserver -v 1 all
Hint found here:
Mac OS X Server 10.4: Kerberos authentication services may not successfully start
Wednesday, October 10, 2007
Passwords not working?
Are you running a Mac OS X server and having troubles with your passwords?
The symptoms you see are:
- A user can't log in to some systems
- The /Library/Logs/PasswordService/ApplePasswordServer.Server.log on the relevant password server contains this message:
Dec 5 2005 14:28:26 AUTH2: {0x4322345c67952fc40000016800000685, user1} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
Then have a look at this document:
Mac OS X Server: Authentication issues with DIGEST-MD5, "SASL error -13"
Tuesday, August 7, 2007
diskutil resizeVolume
To create a partition for Windows on an iMac with a 150GB disk I used the following commands:
First we need to look at the current disk partitioning:
diskutil list
which returns something like
/dev/disk0
#: type name size identifier
0: GUID_partition_scheme *149.1 GB disk0
1: EFI 200.0 MB disk0s1
2: Apple_HFS MyMac 148.7 GB disk0s2
Then I used the command
diskutil resizeVolume disk0s2 112G MS-DOS Windows 36G
This resizes the Mac partition to 112 GB and creates a second partition in MS-DOS format named 'Windows' with a size of 36 GB.
More info here:
http://www.macgeekery.com/tips/cli/nondestructively_resizing_volumes
A reboot is then required. But wait:
Be sure to set the startup disk first, otherwise your mac will not start up!!!
bless --mount "/Volumes/Macintosh HD" --setBoot
In order to use the newly created volume with netboot, I had to erase the volume.
Otherwise the volume was not visible in NetRestore.
The command to do this is:
diskutil eraseVolume MS-DOS ".Windows XP" /dev/disk0s3
Thursday, June 28, 2007
Printer Stuff
I tried to change the default printer remotely.
Let's see what we got:
/System/Library/StartupItems/PrintingServices/PrintingServices restart
to start and stop the printing.
We have /etc/cups/printers.conf where all the information is stored.
We have 'lpadmin -d printer_name' to set the default printer.
But how do I change the default printer without restarting the Mac so that it shows in Remote Desktop?
Wednesday, May 23, 2007
Sending email attachments through the terminal
uuencode FILENAME FILENAME | mail -s SUBJECT RECIPIENT
Hint found here:
http://cbutera.wordpress.com/tag/apple/
Monday, May 21, 2007
kerberos troubles
Are you having troubles getting kerberos to work on Mac OS X Server?
Well here's a hint:
Open Workgroup Manager on the designated Kerberos server and delete everything you may find in the path:
/Config/KerberosKDC
You may have to enable 'Show "All Records" tab and inspector' in the preferences of WGM in order to do so.
I found that the server I work with had rubbish in there which prevented it from working.
Thursday, April 26, 2007
Sharing files on OS X with ACL
A problem with the /Users/Shared folder in OS X is that it is only shared read-only. You can add write access to all items in the shared folder, but when a new user adds files, they will be read-only for the others. With Tiger and ACLs you can now set up a shared folder with both read and write access, which inherits write access to all files automatically. Here is how:
First you need to enable ACL on your root file system:
sudo /usr/sbin/fsaclctl -p / -e
Then enable inheritable write access to the Shared folder:
sudo chmod -R +a "admin allow delete,chown,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Users/Shared
Monday, April 16, 2007
Managed Client: How to prevent profanity from appearing in Dictionary
This is an interesting subject.
I guess this could be helpful to manage other preferences from the workgroup manager as well:
http://docs.info.apple.com/article.html?artnum=305348
Actually this tip should help manage any preferences that use the plist format.
Now this is really interesting.
I wonder if I can turn off the software update function of iTunes...
Tuesday, April 10, 2007
Screensaver over LoginWindow
Unfortunately Apple does not supply a method of using a screensaver while the mac is in the login window.
This may however be accomplished using this hint:
Screensaver over Loginwindow
Screensaver Configuration
Some details on how to configure the behaviour of the default screensaver on Mac OS X:
The settings for the default saver are to be found here:
System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/Engine Defaults.plist
More information on this subject here:
Screensaver configuration
Tuesday, April 3, 2007
Enable auto login via command line [update]
I have been wondering how to do this for a long time.
Here's the clue:
On Mac OS X Server side there is this tool:
/System/Library/ServerSetup/serversetup
Amongst a lot of other features, it offers these functions:
serversetup -setAutoLoginUser Name UID Password
Set the autostart user using the name and password supplied.
serversetup -getAutoLoginUser
Returns the current AutoLoginUser.
serversetup -clearAutoLoginUser UID
Disables AutoLogin feature.
Now what if I copied this tool to a Mac client?
Guess what...
It works. Well sort of. Sometimes.
It works if the script is executed while logged in locally on the machine.
But that's not what I want.
But I found another hint here:
http://www.applescript.net/viewtopic.php?id=17957
What you can do is copy the file /private/etc/kcpassword generated on one machine to all the Macs you want to log in automatically. It contains an encrypted password. Unfortunately there is no documented way of generating this file on a client. Hmm.
Then all you have to do is change the login preferences by issuing the following commands:
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser yourusername
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow autoLoginUID yourUIDnumber
[update]
There is a cooler way to do this.
I found a utility whose name is 'kcpasswd'.
kcpasswd is a command line application that changes a user's KeyChain password.
That's not exactly what I was looking for, but it comes real close.
So I sent an email to the author of 'kcpasswd' asking if there was any chance that he could support generating the /etc/kcpassword file.
After a while I received an email from Phill Tejada telling me that he had this new tool called 'loginoptions' which does just that.
Way cool and thanks a lot Phill.
Oh yes, the links, I almost forgot:
FruitBatSoftware
loginoptions
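An audit for the settings this post writes, as an added example that is not part of the original post: loginwindow has to recover the password from /private/etc/kcpassword at every boot, so the file is a stored credential, and the check reports whether autoLoginUser is set and whether kcpassword exists, is accessible beyond its owner, or was left behind after auto-login was turned off. The function name audit_autologin, its output tags and the optional root-directory argument are assumptions of this example; it relies on the macOS defaults tool.

```sh
#!/bin/sh
# Added example, not from the original post. Names and output tags are
# assumptions made for illustration.

# audit_autologin [ROOT]
#   ROOT is prepended to the system paths, so "/Volumes/Image" audits a
#   mounted copy of a boot volume and an empty ROOT audits the running Mac.
# Prints one line per finding; returns 1 if anything was found, else 0.
audit_autologin() {
    al_root=${1:-}
    al_domain="$al_root/Library/Preferences/com.apple.loginwindow"
    al_kc="$al_root/private/etc/kcpassword"
    al_found=0

    # The same keys the post sets with "defaults write".
    al_user=$(defaults read "$al_domain" autoLoginUser 2>/dev/null) || al_user=
    al_uid=$(defaults read "$al_domain" autoLoginUID 2>/dev/null) || al_uid=

    if [ -n "$al_user" ]; then
        echo "AUTOLOGIN enabled user=$al_user uid=${al_uid:-unset}"
        al_found=1
    fi

    if [ -e "$al_kc" ]; then
        al_found=1
        # The first ten characters of "ls -l" output are the file type and
        # permission bits; macOS may append "@" or "+" after them.
        al_mode=$(ls -ldn "$al_kc" | cut -c1-10)
        al_owner=$(ls -ldn "$al_kc" | awk '{print $3}')
        echo "KCPASSWORD present mode=$al_mode owner_uid=$al_owner"
        case $al_mode in
            -rw-------|-r--------) ;;
            *) echo "KCPASSWORD accessible beyond its owner" ;;
        esac
        if [ -z "$al_user" ]; then
            echo "KCPASSWORD stale: auto-login is off but the stored password remains"
        fi
    elif [ -n "$al_user" ]; then
        echo "AUTOLOGIN inconsistent: autoLoginUser is set but there is no kcpassword file"
    fi

    return "$al_found"
}
```

Run it as root on the client, or from Apple Remote Desktop's Send UNIX Command, and treat any output on a machine that is not meant to log in automatically as something to clean up.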
Friday, March 30, 2007
logKext
LogKext is a freeware keylogger for Mac OS X.
If you know what this is for, then you can get it here:
http://fsbsoftware.com/data/LogKextReadme2.html
Otherwise just forget it.
Wednesday, March 28, 2007
Monitor FileSystem Usage
Have you ever been wondering who is eating your fileserver's performance?
Unfortunately Apple offers no tools to monitor this.
You may however get some indications by entering the command:
fs_usage -w AppleFileServer | grep Volumes
More on this subject:
TIGER SERVER: High CPU Usage on AppleFileServer process
Tuesday, March 27, 2007
Friday, March 23, 2007
Re-index your ldap
Sometimes it looks like your ldap db is corrupted.
In that case you can try to re-index your ldap:
1. Stop slapd with
sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.xml
2. Wait a minute to give slapd time to stop. You can see it in the OD status pane of Server Admin
3. Re-index your ldap db with
sudo slapindex -v -d 1
(I like the debug output just to see what it is doing.)
4. Start slapd back up with
sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.xml
See if that helps.
Backup using rsnapshot
I've been using rsnapshot to back up some of our servers.
rsnapshot can be installed via Darwinports (or manually; it's only two files: a Perl script and a config file) and works beautifully on OS X.
Even though there might be an issue when using ACLs, I prefer having a copy of the data instead of losing all....
It creates hard links instead of copies of files that have not changed. This way incremental backups can be made where each copy is self-contained, meaning that it is a full copy that can be copied back in case of an emergency.
Really cool.
There's a good page on this subject to be found here:
rsnapshot on OS X howto
Reset Xsan Serial Numbers
If by any chance you are setting up an Xsan and are getting these errors:
"Error while writing settings (Duplicate registration)"
Then this apparently has nothing to do with the serial number.
It could be correct. But the problem is that Xsan has a database in which it stores the associations between hostnames and serial numbers. And this database can somehow seem to get mixed up if you install the same Xsan several times...
The thing to do is then to get rid of the database by entering the command:
rm /etc/systemserialnumbers/xsan
on Metadata controllers as well as on all the clients.
Then reboot all of them and start anew.
This is how I got it working again.
The hint I followed was found here:
http://www.xsanity.com/forum/viewtopic.php?p=348
Monday, March 19, 2007
sso_util -- Kerberos -- Open Directory Single Sign On
So this is the tool to manage the kerberos stuff!
I accidentally found it when browsing around for information on how to remove a replica from an open directory system.
That by the way is done by entering the command:
slapconfig -removereplica 192.168.1.1
But here's the info on sso_util:
Manual Page For sso_util(8)
So here's how to stop the kerberos server:
sso_util remove -k -a diradminuser -p diradminpassword
Thursday, March 15, 2007
Eject key doesn’t work in 10.4.9
I wish that I could configure the time it takes for the Eject key to react.
I personally have never pressed this key accidentally and I wish that I could set it back to normal behaviour.
Especially since I also use this key to restart or shut down my Mac....
Let's see if I can figure out how to change this...
smile ;-)
I use the following script within Apple Remote Desktop (ARD) to take a picture of the people sitting in front of their macs and send it to me via email:
b=`users | cut -d " " -f 1`
u=`/usr/bin/ldapsearch -x -h myldapserver.com -b "cn=users, dc=mydomain, dc=com" "uid=$b"| grep cn: |cut -d":" -f 2`
c=`/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -getcomputername | cut -d":" -f 2 | cut -d " " -f 2`
/usr/local/sbin/wacaw --jpeg smile
echo "This is $u ($b) on $c" | /usr/local/bin/mutt -a "/usr/local/sbin/smile.jpeg" -s "$b@$c" "me@mymaildomain.com"
rm /usr/local/sbin/smile.jpeg
It sends me a photo of the person sitting in front of the Mac together with their name so that I know who it is.
This script uses:
wacaw to capture a picture from the iSight.
The Mutt E-Mail Client
Unlike mail this email client allows me to send an attachment.
Mutt was compiled using the method described in my last post.
It also uses 'ldapsearch' to get the real name of the person.
Tuesday, March 13, 2007
Configuring build for universal binaries from open source
Configuring for universal binaries
The first approach is to simply have configure build a universal binary, by passing in the appropriate CFLAGS and LDFLAGS environment variables. This is done simply by running
env CFLAGS="-O -g -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc" \
LDFLAGS="-arch i386 -arch ppc" ./configure --prefix=${HOME}/Hello --disable-dependency-tracking
This is documented here:
Technical Note TN2137
Building Universal Binaries from "configure"-based Open Source Projects
After entering the commands 'make' and 'make install' you can then find the binaries in a folder called 'Hello' in your home directory. This is very useful if you don't want to install the binaries directly in your system but would rather have them isolated.
The advantage being that you can now easily use 'PackageMaker' to create an installer package ;-).
Apple Remote Desktop - Send Unix Commands
An interesting list of commands can be found here:
http://homepage.mac.com/applesd/page2/page1/page0/index.html
or here:
http://macenterprise.org/content/view/114/140
Secure OS X
There's an interesting article on how to secure Mac OS X to be found here:
Howto: A more secure OS X before Leopard
An even more secure OS X before Leopard
Adding additional security measures is always a subject when working as a system administrator.
PDF Guides:
NSA’s Guide to Panther Hardening
Corsaire’s Guide on Securing OS X Tiger
Apple’s Document on Securing Tiger
Thursday, March 8, 2007
syslogd
There is an interesting article on how to set up a syslog server in Mac OS X on afp548:
http://www.afp548.com/article.php?story=20050816135035340
Monday, March 5, 2007
slapconfig
slapconfig is a utility for configuring slapd, slurpd, and the Directory
Services search policy. It must be run by root.
-addreplica
Adds a replica to the slapd configuration file.
-createreplica
Create a new replica from an existing LDAP master.
-removereplica -
Removes a replica from the slapd configuration file.
More info can be found in the man pages of slapconfig.
After having set up a new server, I imported the ldap data from the old server.
After checking the setup I had the problem that I had to remove the old replicas.
Even though I removed them in the server settings they still showed up in the file /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist of the clients.
So I used slapconfig on the server to remove them.
cut
echo "steve:jobs"| cut -f 1 -d ":"
returns 'steve' because cut is set to return field 1 using delimiter ":"
cool!
ldapsearch
Sometimes it may be useful to get the name of a mac with a specific mac address from your directory server:
/usr/bin/ldapsearch -x -h 192.168.1.10 -b "cn=computers, dc=myserver, dc=com" "macAddress=00:0a:95:f1:01:04"
We use this in a script that installs our Mac OS X clients.
This has the advantage that Mac clients whose names are defined in our Open Directory are automatically renamed as they are installed and thus always have the correct name without any additional manual renaming.
Unfortunately ldapsearch truncates its output to 80 characters per line which can be very annoying.
To prevent this one may add one line of Perl:
perl -p -0040 -e 's/\n //'
-p: Loop for each line and print
-0040: Set input delimiter to 040 i.e. space
-e: Command follows - strip newline/space
get mac address
To get the mac address use the following command:
hwAddress=`ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'`
dscl
Directory Service command line utility
List users:
dscl /LDAPv3/ldapserver.myserver.com -list /Users
Read a user's properties:
dscl /LDAPv3/ldapserver.myserver.com -read /Users/ms
MCX Cache
Update MCX Cache
sudo /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -U UserNameHere
/System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher
MCXCacher -U usershortname [-h homepath]
Creates (or overwrites an existing) mobile account on the current
machine for user "usershortname" with optional home path "homepath"
MCXCacher
Performs the pre-login checks and refreshes cache if required.
MCXCacher -u usershortname
Performs the post login checks and refreshes caches -- does
everything that "MCXCacher" does plus caches the current user's
mcx_settings
MCXCacher -f
Flushes the cache (Mobile accounts not removed; but system is unmanaged)
MCXCacher -d
Dirties the cache so that it will be refreshes at the next login
("MCXCacher" call by mcxd)
-----------------------
MCXCacher -f will put the machine into an unmanaged state until the
next time it reconnects to the management server, so it's a rather
drastic thing to do. From memory, if you run this command, Mobile
Users won't be able to login at the loginwindow unless the machine
can connect to the management server at that time.
MCXCacher -d does the right thing in the vast majority of cases, and
as John DeTroye just pointed out to me, runs at login/logout and
restart.
The flags that allow you to specify where a mobile user home
directory is created are really useful though. I'm using it with a
login hook that means that my users get their home directory set to
another partition when they first login as a Mobile User.
stat
Display User and Group of a folder:
stat -f "%u:%g" backup/
Display Permissions of a folder:
stat -f "%p" backup/
find installed files
any opaque installer that asks for a password, you might want to take the pause that refreshes and square yourself to capture what was done. a technique...
quit apps that may be changing files. we want as few files mod'd as possible.
before running the installer, in the shell:
% touch ~/newer
then, run your installer. when it has completed, in the shell...
% sudo /usr/bin/find / -xdev -newer ~/newer
this will spit up all files changed since the above touch.
you might want to capture it by redirecting to a file...
% sudo /usr/bin/find / -xdev -newer ~/newer >~/install.foo.touched.log
note that there may be some files in there that were modified, but not by the installer.
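A way to triage that list, as an added example that is not part of the original post: it reuses the same marker-file comparison and pulls out the changed files that deserve a look first (set-uid/set-gid binaries, world-writable files, launchd job definitions). The function names, labels and script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# labels (suid, sgid, world-writable, launchd) are assumptions.

# changed_since ROOT MARKER: regular files under ROOT modified after MARKER.
changed_since() {
    find "$1" -xdev -type f -newer "$2" 2>/dev/null
}

# Prefix every path read from stdin with a label and a tab.
label() {
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

# risky_changes ROOT MARKER: the changed files worth reading first.
risky_changes() {
    root=$1 marker=$2
    # Runs with the owner's or group's privileges, whoever starts it.
    find "$root" -xdev -type f -newer "$marker" -perm -4000 2>/dev/null | label suid
    find "$root" -xdev -type f -newer "$marker" -perm -2000 2>/dev/null | label sgid
    # Any local user can rewrite it.
    find "$root" -xdev -type f -newer "$marker" -perm -0002 2>/dev/null | label world-writable
    # launchd job definitions: code that starts at boot or login.
    find "$root" -xdev -type f -newer "$marker" \
        \( -path '*/LaunchDaemons/*' -o -path '*/LaunchAgents/*' \) 2>/dev/null | label launchd
}

# Usage, following the post: touch ~/newer, run the installer, then
#   sudo sh audit-install.sh / ~/newer
if [ "$#" -eq 2 ]; then
    risky_changes "$1" "$2"
fi
```

find's -newer test compares modification times, so files an installer unpacks with their original timestamps preserved will not show up in either list.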
Hide 'Other Users...' in Login Window
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED false
To hide local admin users:
sudo defaults write /Library/Preferences/com.apple.loginwindow HideAdminUsers true
Make a client pretend it is a server
Some tools only work on the server version of Mac OS X.
In order to make these tools work on a client you can make the system think it is a server by issuing the following command:
sudo touch /System/Library/CoreServices/ServerVersion.plist
You may then use these server tools.
Afterwards you will have to change things back:
sudo rm /System/Library/CoreServices/ServerVersion.plist
Make sure not to leave out the last line, else your computer will think it's Mac OS X Server!
filenames with spaces...
This is a quickie. On the Mac you regularly handle files with spaces in the Finder without issue, and even on the command line when you put quotes around them or let tab-completion escape them properly. However, if you try to do things in a shell script, like a for loop, on filenames that contain a space, you're going to hit a wall. A for loop splits items on a space, regardless of whether they're quoted (if they're stored in a variable). However, the read command does not. Observe.
# IFS= and -r keep edge whitespace and backslashes in each name intact
find ~ -name '* *' | while IFS= read -r FILE
do
echo "$FILE rocks."
done
And that's that. Run the command and pipe to the while stanza and it works like a charm.
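To see where each loop style loses names, here is an added example that is not part of the original post. It walks the same find output three ways and counts how many names still resolve to a real file; count_resolved and make_sample are hypothetical helpers and the file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post; helper names are assumptions.

# make_sample DIR: five constructed files with awkward names.
make_sample() {
    : > "$1/quarterly report.txt"   # space inside the name
    : > "$1/my notes.txt"           # space inside the name
    : > "$1/trailing "              # name ends in a space
    : > "$1/back\\slash.txt"        # name contains one backslash
    : > "$1/plain.txt"
}

# count_resolved METHOD DIR: list DIR with find, walk the list with the
# chosen loop style, and print how many names still point at a real file.
count_resolved() {
    method=$1 dir=$2
    case $method in
        for)     # unquoted substitution: split on every space
            for f in $(find "$dir" -type f); do
                if [ -f "$f" ]; then echo hit; fi
            done ;;
        read)    # read with defaults: trims edge blanks, eats backslashes
            find "$dir" -type f | while read f; do
                if [ -f "$f" ]; then echo hit; fi
            done ;;
        read-r)  # IFS= keeps edge blanks, -r keeps backslashes
            find "$dir" -type f | while IFS= read -r f; do
                if [ -f "$f" ]; then echo hit; fi
            done ;;
    esac | wc -l | tr -d ' '
}

# Demo on a scratch directory.
d=$(mktemp -d) && make_sample "$d"
for m in for read read-r; do
    echo "$m: $(count_resolved "$m" "$d") of 5 names resolved"
done
rm -rf "$d"
```

A name that contains a newline still breaks all three loops, because find prints one path per line.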
Software Update Server
I know that a client can be forced to use a local Software Update Server by managing the preferences on the directory server.
You can do this through the command line too. That app is just editing the software update .plist file. For a global change of software update server for all users, type this.
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://you-server:8088/"
Remember to add that "/" after the port number. And the part with the address, you do actually put that in quotes when entering in the terminal.
In our environment it is also necessary to add the software update server to the list of servers that will not pass through our web proxy server because the software update won't work with a proxy between client and server...
create non-admin user
The command in the last post creates an admin user.
In order to remove admin rights, all that has to be done is to take that user out of the admin group.
On the local machine this can be done using the following command:
niutil -destroyval . /groups/admin users username
Create a new user via command line
To create a user:
$ sudo /System/Library/ServerSetup/serversetup -createUser fullname shortname password
The name, short name, and password must be typed in the order shown. If the full name includes spaces, type it in quotes.
The command displays a 1 if the full name or short name is already in use.
To create a user with a specific UID:
$ sudo /System/Library/ServerSetup/serversetup -createUserWithID fullname shortname password userid
The name, short name, password, and UID must be typed in the order shown. If the full name includes spaces, type it in quotes.
The command displays a 1 if the full name, short name, or UID is already in use or if the UID you specified is less than 100.
To create a user with a specific UID and home directory:
$ sudo /System/Library/ServerSetup/serversetup -createUserWithIDIP fullname shortname password userid homedirpath
The name, short name, password, and UID must be typed in the order shown. If the full name includes spaces, type it in quotes.
Backup a file....
sudo cp /etc/sudoers /etc/sudoers.`date +%Y%m%d_%H%M%S`
This will create a file name like this /etc/sudoers.20051025_115428 which has not only the date of when you backed up this file, but also the time - useful if you're doing many revisions on one file in a day!
No Startup Sound
sudo nvram SystemAudioVolume=" "
Seems to use ASCII character values from 32 upwards to represent the different volumes - the default is "{" which is quite loud..
to restore default behaviour :
sudo nvram -d SystemAudioVolume
tip found at:
http://forum.onmac.net/archive/index.php/t-507.html
The MacBook I tried this on however does not seem to do as it should.
After a reboot the value of SystemAudioVolume seems to get set back to 'w'...
Oh well, I'll just keep on using 'StartupSound.prefPane' found here:
http://www5e.biglobe.ne.jp/~arcana/StartupSound/index.en.html
Getting started...
I have been using the internet for years to find solutions to my problems.
Now I think the time has come for me to publish my knowledge as well so that others with similar problems might profit from my experience.
So instead of writing down my stuff for my own records I will now write them down here so that others might profit from them as well...