LogKext is a freeware keylogger for Mac OS X.
If you know what this is for, then you can get it here:
http://fsbsoftware.com/data/LogKextReadme2.html
Otherwise just forget it.
Friday, March 30, 2007
Wednesday, March 28, 2007
Monitor FileSystem Usage
Have you ever wondered who is eating your file server's performance?
Unfortunately Apple offers no dedicated tool to monitor this.
You may however get some indications by entering the command (as root):
fs_usage -w AppleFileServer | grep Volumes
fs_usage traces the file system calls of the named process, here AppleFileServer, and -w gives the wide output; the grep keeps only the calls that touch a mounted volume.
More on this subject:
TIGER SERVER: High CPU Usage on AppleFileServer process
Tuesday, March 27, 2007
Friday, March 23, 2007
Re-index your LDAP
Sometimes it looks like your LDAP database is corrupted.
In that case you can try to re-index your LDAP database:
1. Stop slapd with
sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.xml
2. Wait a minute to give slapd time to stop. You can see it in the OD status pane of Server Admin.
3. Re-index the LDAP database with
sudo slapindex -v -d 1
(I like the debug output, just to see what it is doing.)
4. Start slapd back up with
sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.xml
See if that helps.
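The four steps above as one script, added here as an example and not taken from the post. Instead of "wait a minute" it polls the process table until slapd is really gone, and it only loads slapd again if slapindex succeeded, so a half-rebuilt index is never put back into service. The launchd plist path is the one the post uses; the database directory is the usual Tiger Server location and is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): stop slapd, rebuild the indexes, start slapd,
# but only after slapd has really exited and only if slapindex succeeded.
# Run with --run as root on the server; without arguments it only prints usage,
# so the functions can be sourced or tested safely.

PLIST=/System/Library/LaunchDaemons/org.openldap.slapd.xml
DBDIR=/var/db/openldap/openldap-data     # assumption: default Tiger Server location

# wait_for_exit NAME SECONDS  - 0 once no process named NAME is left, 1 on timeout
wait_for_exit() {
    i=0
    while ps -A -o comm= | sed 's#.*/##' | grep -qx "$1"; do
        i=$((i + 1))
        if [ "$i" -ge "$2" ]; then return 1; fi
        sleep 1
    done
    return 0
}

reindex_od_ldap() {
    launchctl unload "$PLIST" || return 1
    if ! wait_for_exit slapd 60; then
        echo "slapd is still running after 60s; not touching the database" >&2
        return 1
    fi
    # -v for progress, -d 1 for debug output, as in the post
    if slapindex -v -d 1; then
        # slapindex(8) warns that index files written as root may end up with the
        # wrong owner if slapd runs as another user; look before starting slapd
        ls -l "$DBDIR"
        launchctl load "$PLIST"
    else
        echo "slapindex failed; slapd left stopped, read the output above" >&2
        return 1
    fi
}

case "${1:-}" in
    --run) [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 --run" >&2; exit 1; }
           reindex_od_ldap ;;
    *)     echo "usage: $0 --run   (stops slapd, runs slapindex, starts slapd)" ;;
esac
```

If slapindex fails the script deliberately leaves slapd stopped; starting it against a partially rebuilt index is worse than a short outage.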
Backup using rsnapshot
I've been using rsnapshot to back up some of our servers.
rsnapshot can be installed via Darwinports (or manually; it's only two files, a Perl script and a config file) and works beautifully on OS X.
Even though there may be an issue with ACLs, I prefer having a copy of the data to losing all of it....
It creates hard links instead of copies for files that have not changed. This way incremental backups are made where each snapshot is self-contained: a full copy of the tree that can be copied back in an emergency, while unchanged files take up space only once.
Really cool.
There's a good page on this subject to be found here:
rsnapshot on OS X howto
Reset Xsan Serial Numbers
If by any chance you are setting up an Xsan and get this error:
"Error while writing settings (Duplicate registration)"
then it apparently has nothing to do with the serial number.
The serial number may well be correct. The problem is that Xsan keeps a database in which it stores the associations between hostnames and serial numbers, and this database can get mixed up if you install the same Xsan several times...
The thing to do then is to get rid of the database by entering the command (as root):
rm /etc/systemserialnumbers/xsan
on the metadata controllers as well as on all the clients.
Then reboot all of them and start anew.
This is how I got it working again.
The hint I followed was found here:
http://www.xsanity.com/forum/viewtopic.php?p=348
Monday, March 19, 2007
sso_util -- Kerberos -- Open Directory Single Sign On
So this is the tool to manage the Kerberos side of Open Directory!
I accidentally found it when browsing around for information on how to remove a replica from an Open Directory system.
That, by the way, is done by entering the command:
slapconfig -removereplica 192.168.1.1
But here's the info on sso_util:
Manual Page For sso_util(8)
So here's how to stop the Kerberos server:
sso_util remove -k -a diradminuser -p diradminpassword
Note that the directory administrator's password given on the command line is visible to every local user in ps while the command runs, and stays in your shell history afterwards.
Thursday, March 15, 2007
Eject key doesn’t work in 10.4.9
I wish I could configure the time it takes for the Eject key to react.
I personally never pressed this key accidentally, and I wish I could set it back to the old behaviour.
Especially since I also use this key to restart or shut down my Mac....
Let's see if I can figure out how to change this...
smile ;-)
I use the following script within Apple Remote Desktop (ARD) to take a picture of the person sitting in front of a Mac and send it to me via email:
# first name in the list of logged-in users (ARD runs this as root, so whoami would not help)
b=`users | cut -d " " -f 1`
# real name of that user: the cn attribute of the user record in Open Directory
u=`/usr/bin/ldapsearch -x -h myldapserver.com -b "cn=users, dc=mydomain, dc=com" "uid=$b" | grep "^cn:" | cut -d ":" -f 2`
# computer name as set in the Sharing preferences ("Computer Name: foo" -> "foo"; assumes a name without spaces)
c=`/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -getcomputername | cut -d ":" -f 2 | cut -d " " -f 2`
# grab one frame from the iSight; wacaw writes smile.jpeg into the current directory
cd /usr/local/sbin
/usr/local/sbin/wacaw --jpeg smile
echo "This is $u ($b) on $c" | /usr/local/bin/mutt -a "/usr/local/sbin/smile.jpeg" -s "$b@$c" "me@mymaildomain.com"
rm -f /usr/local/sbin/smile.jpeg
It sends me a photo of the person sitting in front of the Mac together with their name, so that I know who it is.
This script uses:
wacaw to capture a picture from the iSight.
The Mutt E-Mail Client
Unlike mail, this email client allows me to send an attachment.
Mutt was compiled using the method described in my last post.
It also uses 'ldapsearch' to get the real name of the person.
Tuesday, March 13, 2007
Configuring build for universal binaries from open source
Configuring for universal binaries
The first approach is simply to have configure build a universal binary, by passing in the appropriate CFLAGS and LDFLAGS environment variables. This is done by running
env CFLAGS="-O -g -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc" \
LDFLAGS="-arch i386 -arch ppc" ./configure --prefix=${HOME}/Hello --disable-dependency-tracking
This is documented here:
Technical Note TN2137
Building Universal Binaries from "configure"-based Open Source Projects
After entering the commands 'make' and 'make install' you will find the binaries in a folder called 'Hello' in your home directory. This is very useful if you don't want to install the binaries directly into your system but would rather keep them isolated. You can check the result with 'lipo -info' on a binary, which should list both i386 and ppc.
The advantage being that you can now easily use 'PackageMaker' to create an installer package ;-).
Apple Remote Desktop - Send Unix Commands
An interesting list of commands can be found here:
http://homepage.mac.com/applesd/page2/page1/page0/index.html
or here:
http://macenterprise.org/content/view/114/140
Secure OS X
There's an interesting article on how to secure Mac OS X to be found here:
Howto: A more secure OS X before Leopard
An even more secure OS X before Leopard
Adding security measures is a recurring subject when working as a system administrator.
PDF Guides:
NSA’s Guide to Panther Hardening
Corsaire’s Guide on Securing OS X Tiger
Apple’s Document on Securing Tiger
Thursday, March 8, 2007
syslogd
There is an interesting article on how to set up a syslog server on Mac OS X on afp548:
http://www.afp548.com/article.php?story=20050816135035340
Monday, March 5, 2007
slapconfig
slapconfig is a utility for configuring slapd, slurpd, and the Directory
Services search policy. It must be run by root.
-addreplica
Adds a replica to the slapd configuration file.
-createreplica
Creates a new replica from an existing LDAP master.
-removereplica
Removes a replica from the slapd configuration file.
More information can be found in the man page of slapconfig.
After having set up a new server, I imported the LDAP data from the old server.
After checking the setup I found that I had to remove the old replicas.
Even though I removed them in the server settings, they still showed up in the file /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist on the clients.
So I used slapconfig on the server to remove them.
cut
echo "steve:jobs"| cut -f 1 -d ":"
returns 'steve' because cut is told to return field 1 using ":" as the delimiter
cool!
ldapsearch
Sometimes it may be useful to get the name of a Mac with a specific MAC address from your directory server:
/usr/bin/ldapsearch -x -h 192.168.1.10 -b "cn=computers, dc=myserver, dc=com" "macAddress=00:0a:95:f1:01:04"
We use this in a script that installs our Mac OS X clients.
This has the advantage that Mac clients whose names are defined in our Open Directory are automatically renamed as they are installed and thus always have the correct name, without any additional manual renaming.
Unfortunately ldapsearch folds long output lines (LDIF style: the value continues on the next line, which starts with a single space), which can be very annoying when you want to grep for a value.
To undo this one may pipe the output through one line of Perl:
perl -p -0040 -e 's/\n //'
-p: loop over the input and print each record
-0040: set the input record separator to octal 040, i.e. a space, so that the "newline plus space" of a folded line lands at the end of a record
-e: the expression that follows, which strips that newline/space
get mac address
To get the MAC address of en0 (with the colons stripped) use the following command:
hwAddress=`ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'`
Note that the ldapsearch query above expects the colon form (00:0a:95:f1:01:04); leave out the gsub if the value is going into that filter.
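The pieces of the install script described in the ldapsearch and MAC address notes above, as an added example that is not the post's own script: pick the MAC of en0 out of ifconfig output, unfold the LDIF that ldapsearch prints, and read the computer name out of the matching record. Both the ifconfig output and the ldapsearch reply are constructed here so the functions run offline; the server address and search base are the ones from the post, and the record contents are made up.

```shell
#!/bin/sh
# Added example (not from the post): MAC lookup and LDIF unfolding, offline.

# constructed `ifconfig en0` output (note the upper-case MAC, as ifconfig prints it)
SAMPLE_IFCONFIG='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:0A:95:F1:01:04
    inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255'

# constructed reply for:
#   ldapsearch -x -h 192.168.1.10 -b "cn=computers, dc=myserver, dc=com" "macAddress=00:0a:95:f1:01:04"
# the description is long enough that ldapsearch folded it onto a second line
SAMPLE_LDIF='dn: cn=lab-mac-07,cn=computers,dc=myserver,dc=com
cn: lab-mac-07
macAddress: 00:0a:95:f1:01:04
description: Teaching lab, second floor, seat 7, imaged 2007-03-05 with the st
 andard client image'

# mac_of_en0  - reads ifconfig text on stdin, prints the MAC in the colon form the
# directory stores. Do not strip the colons if the value goes into the LDAP filter.
mac_of_en0() {
    awk '/ether/ { print tolower($2); exit }'
}

# ldif_unfold  - joins continuation lines (those starting with one space), the same
# job as the perl one-liner in the post
ldif_unfold() {
    awk '
        /^ / { printf "%s", substr($0, 2); next }   # continuation: append, minus the leading space
        NR > 1 { printf "\n" }
        { printf "%s", $0 }
        END { if (NR > 0) printf "\n" }
    '
}

# ldif_value ATTR  - first value of ATTR from unfolded LDIF on stdin.
# "attr:: ..." lines are base64 (non-ASCII values) and are deliberately not matched here.
ldif_value() {
    awk -v a="$1" 'index($0, a ": ") == 1 { print substr($0, length(a) + 3); exit }'
}

# name_for_mac MAC  - computer name registered for MAC, exit 1 if the record does not match.
# In production replace the printf with the real ldapsearch call quoted above, using "$1" in the filter.
name_for_mac() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    reply=$(printf '%s\n' "$SAMPLE_LDIF" | ldif_unfold)
    got=$(printf '%s\n' "$reply" | ldif_value macAddress | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ] || return 1
    printf '%s\n' "$reply" | ldif_value cn
}

mac=$(printf '%s\n' "$SAMPLE_IFCONFIG" | mac_of_en0)     # on a real Mac: ifconfig en0 | mac_of_en0
if name=$(name_for_mac "$mac"); then
    echo "this machine should be called: $name"
    # the rename itself, with the systemsetup the post already uses:
    # /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setcomputername "$name"
else
    echo "no computer record for $mac"
fi
```

The directory value is compared case-insensitively because ifconfig prints the MAC in upper case while the record was typed in lower case; an exact string filter on the server side would miss that, so normalise before querying.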
dscl
Directory Service command line utility
List users:
dscl /LDAPv3/ldapserver.myserver.com -list /Users
Read a user's properties:
dscl /LDAPv3/ldapserver.myserver.com -read /Users/ms
MCX Cache
Update MCX Cache
sudo /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -U UserNameHere
/System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher
MCXCacher -U usershortname [-h homepath]
Creates (or overwrites an existing) mobile account on the current
machine for user "usershortname" with optional home path "homepath"
MCXCacher
Performs the pre-login checks and refreshes cache if required.
MCXCacher -u usershortname
Performs the post login checks and refreshes caches -- does
everything that "MCXCacher" does plus caches the current user's
mcx_settings
MCXCacher -f
Flushes the cache (Mobile accounts not removed; but system is unmanaged)
MCXCacher -d
Dirties the cache so that it will be refreshed at the next login
("MCXCacher" called by mcxd)
-----------------------
MCXCacher -f will put the machine into an unmanaged state until the
next time it reconnects to the management server, so it's a rather
drastic thing to do. From memory, if you run this command, Mobile
Users won't be able to login at the loginwindow unless the machine
can connect to the management server at that time.
MCXCacher -d does the right thing in the vast majority of cases, and
as John DeTroye just pointed out to me, runs at login/logout and
restart.
The flags that allow you to specify where a mobile user home
directory is created are really useful though. I'm using it with a
login hook that means that my users get their home directory set to
another partition when they first login as a Mobile User.
stat
Display User and Group of a folder:
stat -f "%u:%g" backup/
Display Permissions of a folder:
stat -f "%p" backup/
find installed files
For any opaque installer that asks for a password, you might want to take the pause that refreshes and square yourself to capture what was done. A technique...
Quit apps that may be changing files. We want as few files mod'd as possible.
Before running the installer, in the shell:
% touch ~/newer
Then, run your installer. When it has completed, in the shell...
% sudo /usr/bin/find / -xdev -newer ~/newer
This will spit out all files changed since the above touch.
You might want to capture it by redirecting to a file...
% sudo /usr/bin/find / -xdev -newer ~/newer >~/install.foo.touched.log
Note that there may be some files in there that were modified, but not by the installer.
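An added example, not part of the quoted note above, that complements the marker-file trick. find -newer only compares modification times, which an installer can preserve (cp -p, tar, ditto all do), and it cannot show files that were deleted. A hash manifest taken before and after the install catches added, removed and changed files whatever their timestamps. It assumes sha256sum (Linux) or shasum (Mac OS X) is available; the "installer" run at the bottom is simulated on constructed files.

```shell
#!/bin/sh
# Added example (not from the quoted note): before/after hash manifest next to
# the find -newer technique, run against a constructed directory.

hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# manifest DIR OUT  - "hash  ./path" for every regular file under DIR, sorted by path
manifest() {
    ( cd "$1" && find . -type f -exec $(hash_cmd) {} + ) | sort -k 2 > "$2"
}

# manifest_diff BEFORE AFTER  - one line per change: A(dded) R(emoved) M(odified) path
manifest_diff() {
    awk '
        { h = $1; p = $0; sub(/^[^ ]*  /, "", p) }   # path may contain spaces: take all after the two-space gap
        FILENAME == ARGV[1] { before[p] = h; next }
        { after[p] = h }
        END {
            for (p in before) if (!(p in after)) print "R", p
            for (p in after)
                if (!(p in before)) print "A", p
                else if (after[p] != before[p]) print "M", p
        }' "$1" "$2" | sort -k 2
}

# touched_since MARKER ROOT  - the marker-file technique from the note
touched_since() { find "$2" -xdev -newer "$1" -print; }

demo() {
    w=$(mktemp -d)
    mkdir "$w/app"
    printf 'v1\n' > "$w/app/old.txt"; printf 'bye\n' > "$w/app/gone.txt"
    touch -t 200703010000 "$w/app/old.txt"          # a file that predates the marker
    manifest "$w/app" "$w/before"
    touch -t 200703150000 "$w/marker"                # in real use: touch ~/newer right before installing
    # simulated installer: rewrites old.txt but keeps its timestamp, deletes gone.txt, adds new.txt
    printf 'v2\n' > "$w/app/old.txt"; touch -t 200703010000 "$w/app/old.txt"
    rm "$w/app/gone.txt"; printf 'new\n' > "$w/app/new.txt"
    manifest "$w/app" "$w/after"
    echo "find -newer sees:";    touched_since "$w/marker" "$w/app" | sed 's/^/  /'
    echo "manifest diff sees:";  manifest_diff "$w/before" "$w/after" | sed 's/^/  /'
    rm -rf "$w"
}
demo
```

On a whole system the manifest takes minutes rather than seconds, so in practice limit it to the places an installer may write (/Library, /System, /usr, /private/etc) and keep the marker-file run for the quick first look.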
Hide 'Other Users...' in Login Window
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED false
To hide local admin users:
sudo defaults write /Library/Preferences/com.apple.loginwindow HideAdminUsers true
Make a client pretend it is a server
Some tools only work on the server version of Mac OS X.
In order to make these tools work on a client you can make the system think it is a server by issuing the following command:
sudo touch /System/Library/CoreServices/ServerVersion.plist
You may then use these server tools.
Afterwards you will have to change things back:
sudo rm /System/Library/CoreServices/ServerVersion.plist
Make sure not to leave out the last line, or else your computer will think it's Mac OS X Server!
filenames with spaces...
This is a quickie. On the Mac you regularly handle files with spaces in the Finder without issue, and even on the command line when you put quotes around the name or let tab-completion escape it properly. However, if you try to do things in a shell script, like a for loop, on filenames that contain a space you're going to hit a wall. for splits items on whitespace, regardless of whether they were quoted when stored in a variable. The read command does not. Observe.
find ~ -name '* *' | while IFS= read -r FILE
do
echo "$FILE rocks."
done
And that's that. Run the command and pipe it to the while stanza and it works like a charm. (IFS= keeps leading and trailing spaces, -r keeps backslashes, and the quotes around $FILE stop the shell from splitting the name again in the echo.)
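An added example, not code from the post, that goes one step further than the loop above. It builds a scratch directory with awkward names (a space, a leading space, an embedded newline) and counts the files three ways: the word-splitting for loop, the while read loop from the post, and find -exec, which hands each name to the child as its own argument and so needs no parsing at all. The third form matters beyond convenience: a script that runs as root over a user-writable tree (an ARD task, a login hook) is processing file names chosen by that user.

```shell
#!/bin/sh
# Added example (not from the post): three ways of looping over file names,
# measured against constructed names that contain spaces and a newline.

nl=$(printf '\nx'); nl=${nl%x}          # a literal newline

make_tree() {                            # $1 = directory to populate with four files
    mkdir -p "$1"
    : > "$1/plain.txt"
    : > "$1/has space.txt"
    : > "$1/ leading space.txt"
    : > "$1/new${nl}line.txt"
}

count_with_for() {                       # $(...) is split on spaces and newlines: wrong count
    n=0
    for f in $(find "$1" -type f); do n=$((n + 1)); done
    echo "$n"
}

count_with_read() {                      # one name per line: spaces survive, a newline inside a name does not
    find "$1" -type f | while IFS= read -r f; do
        [ -e "$f" ] && printf 'x'
    done | wc -c | tr -d ' '
}

count_with_exec() {                      # every name is one argv entry, whatever it contains
    find "$1" -type f -exec sh -c 'echo $#' _ {} + | awk '{ s += $1 } END { print s + 0 }'
}

rock_all() {                             # the loop from the post, done the argv way
    find "$1" -type f -exec sh -c 'for f; do printf "%s rocks.\n" "$f"; done' _ {} +
}

d=$(mktemp -d)
make_tree "$d"
echo "for loop:   $(count_with_for "$d") (wrong)"
echo "while read: $(count_with_read "$d") (misses the name with a newline)"
echo "find -exec: $(count_with_exec "$d") (right)"
rock_all "$d"
rm -rf "$d"
```

If you need a pipe after all, find -print0 with xargs -0 carries names NUL-terminated, which no legal file name can contain; both options exist in the BSD tools on Mac OS X.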
Software Update Server
I know that a client can be forced to use a local Software Update Server by managing the preferences on the directory server.
You can do this through the command line too. That app is just editing the Software Update .plist file. For a global change of the Software Update server for all users, type this:
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://you-server:8088/"
Remember to add the "/" after the port number, and put the address in quotes when entering it in the Terminal.
Whoever controls that host, or its DNS name, decides which updates the clients get offered, so point it only at a server you administer.
In our environment it is also necessary to add the Software Update server to the list of servers that bypass our web proxy, because Software Update won't work with a proxy between client and server...
create non-admin user
The command in the last post creates an admin user.
In order to remove admin rights all that has to be done is to take that user out of the admin group.
On the local machine (the NetInfo database) this can be done, as root, using the following command:
niutil -destroyval . /groups/admin users username
Create a new user via command line
To create a user:
$ sudo /System/Library/ServerSetup/serversetup -createUser fullname
shortname password
The name, short name, and password must be typed in the order shown. If the full
name includes spaces, type it in quotes.
The command displays a 1 if the full name or short name is already in use.
To create a user with a specific UID:
$ sudo /System/Library/ServerSetup/serversetup -createUserWithID
fullname shortname password userid
The name, short name, password, and UID must be typed in the order shown. If the full
name includes spaces, type it in quotes.
The command displays a 1 if the full name, short name, or UID is already in use or if the
UID you specified is less than 100.
To create a user with a specific UID and home directory:
$ sudo /System/Library/ServerSetup/serversetup -createUserWithIDIP
fullname shortname password userid homedirpath
The name, short name, password, and UID must be typed in the order shown. If the full
name includes spaces, type it in quotes.
With all three commands the password is passed as an argument, so it shows up in ps for every local user while the command runs and stays in your shell history afterwards.
Backup a file....
sudo cp /etc/sudoers /etc/sudoers.`date +%Y%m%d_%H%M%S`
This will create a file name like /etc/sudoers.20051025_115428, which carries not only the date but also the time of the backup - useful if you're doing many revisions of one file in a day! (For /etc/sudoers itself, make the edits with visudo, which checks the syntax before saving; a broken sudoers locks you out of sudo.)
No Startup Sound
sudo nvram SystemAudioVolume=" "
It seems to use ASCII character values from 32 upwards to represent the different volumes; the default is "{", which is quite loud..
To restore the default behaviour:
sudo nvram -d SystemAudioVolume
Tip found at:
http://forum.onmac.net/archive/index.php/t-507.html
The MacBook I tried this on, however, does not seem to do as it should.
After a reboot the value of SystemAudioVolume seems to get set back to 'w'...
Oh well, I'll just keep on using 'StartupSound.prefPane', found here:
http://www5e.biglobe.ne.jp/~arcana/StartupSound/index.en.html
Getting started...
I have been using the internet for years to find solutions to my problems.
Now I think the time has come for me to publish my knowledge as well so that others with similar problems might profit from my experience.
So instead of writing down my stuff for my own records I will now write them down here so that others might profit from them as well...