Monthly Archives: November 2009

Final Cut Server Mac OS X Mac OS X Server Mac Security Mass Deployment Xsan

Mac OS X Server Groups on LinkedIn

In case you haven’t seen them there are a number of groups for Mac OS X Systems Administrators on LinkedIn:

Mac OS X Server Mac Security

Controlling Access to Mobile Access in Snow Leopard Server

One of the great new features of Snow Leopard Server is the new Mobile Access feature, which is a reverse proxy server. When you enable the Mobile Access service, you will be enabling access for all users of the server. However, in many environments, not all users will be allowed to access collaborative services remotely. Therefore, you can use the Access option to limit who is able to log into the server over each service provided that you have configured the Mobile Access server to leverage your directory server. This Access option is similar to a Service Access Control List (SACL). However, rather than configure in the SACL option for the server, these access controls are configured in the service.

To configure Access controls, open Server Admin and click on Mobile Access for your Mobile Access server. Here, click on the Access icon in the Server Admin toolbar. By default, the Allow access to Address Book, iCal, Mail and Web proxies for everyone option will be selected, meaning that all users with accounts on the server will be able to access all of the services proxied using Mobile Access. Click on Allow access to the selected proxies for these users and groups to limit which users will be able to authenticate to these services.  At this point, no users will be able to access the services. Next, click on the plus sign and drag a user who you would like to grant access to.

Once you have dragged a user into the list, check the box for each of the services that the selected user will have access to. Drag each user into the list and check the appropriate boxes per user. Then click on Save to commit your changes and test that the authentication is allowed as intended.

Mac OS X Mac OS X Server Mac Security

Starting OpenLDAP on Mac OS X Client

LDAP is included, by default, installed on every copy of Mac OS X. For Mac OS X Servers its easiest to get LDAP up and running, given that you have a nice handy graphical means of manipulating LDAP in the Open Directory features of Server Admin and Workgroup Manager. But what about Mac OS X Client. It may be easier than you think…

To setup OpenLDAP in Mac OS X, we’ll do three quick tasks. The first is to set a password and the second is to put the password into the configuration file and the third is to start the daemon. To create that password, we’re going to use the slappasswd. Simply use the command and then enter the password twice in order to get a hash that will be representative of your password:

Krypted:~ cedge$ slappasswd
New password:
Re-enter new password:
{SSHA}GxYuEziafPAUJNwP17BRTAlubfPKDRUG

Copy that output into your clipboard. Now cd into the /etc/openldap directory. From there, cp the slapd.conf.default file to the slapd.conf file:

cp slapd.conf.default slapd.conf

Then edit the file. To do so, scroll down to the bottom. Here, you’ll see three things we’re going to change (you can change more if you want and you really only HAVE to change the first). The first is the password. This is the line that begins with rootpw. Delete secret from there and paste in that SHA1 password you created with slappasswd previously. The second and third are the suffix and rootdn information. Here, change company to whatever domain you would like to use and change cn=Manager in the rootdn line where Manager becomes, well, something else (or leave that part). Save your changes to the file.

Now you’re ready to start up the daemon:

slapd -d 255

slapd -d 255

Port scan yourself. If port 389 is running then you are now an OpenLDAP server! Happy LDAPing (with or without slapconfig).

Mac OS X personal

Friday?!?!

It’s a random Friday. The radio on my central AirPort stops working. I reset the device, do everything I know to do, but while I can log into the device through AirPort Utility there is no SSID, no radio signal whatsoever. What to do? String a cable across the room so that it can get ripped out of a computer when the crazed, sweet & squealing toddler invariably streaks through the office? Not a chance. I’ll just run out to the closest Apple store and grab a quick replacement.

So I hop in the car and drive to the mall. What is going on with parking? I finally find a spot out in no-mans-land, but wait – an 80-something year old woman in a brand new Civic swings in front of me, practically clipping my bumper to steal my spot. Wow. There’s another spot a little further out, but wait – again my life is put in danger, but this time by a car load of 40-something year old women with hair cuts that are shorter in the back than they are in the front, some with a little spike back in the back but all with at minimum two colors in their hair. Wondering whether my car would fit in the back of their Yukon, I think find another spot! After a quick scan, much akin to a running back trying to figure out where that linebacker and free safety are, I see a carload of nuns and orphans, with hate and fear in their eyes, about to take that spot. I slam on the gas, flip right in front of them and gently rest my car between those beautiful golden lines. I hear a scream as their tires scream to a halt and see poor Tiny Tim’s face writhe as his crutch smacks him in the back of his head, knocking him out cold; but I am finally in a spot, after at least 5 minutes of searching for one. As I sit, heart pounding, I wonder at how I was able to get caught up in the craziness. But more importantly, what is the craziness about?

I exit the car and start making my way towards the mall entrance. After traversing the distance of a marathon, with a group of nuns seemingly chasing behind (my time was 3 hours and 2 minutes, theirs 3 hours and 1 minute – but they were slowed up by Tiny Tim until they left him behind) I finally approach the door of the mall. Just then, the Salvation Army guy pounces from behind a column, ringing the Vorpal bell so loudly that I can see the sound waves approaching and feel the 1d6+5 hit points of damage they do inside of my temples. I pull a spin move, and while I have no idea how he’s made it this far, this fast I see Tiny Tim lunging at me from my periphery. Recalling all those games from his days at Georgia, I hurdle Tim in a manner that Knowshown Moreno would be proud of and fall into the door of the mall, feeling the warmth already thawing out my semi-frost bitten feet. I sigh.

But just then I see a shopping cart barreling down on me at a break-neck pace. I roll away just in time and see who I guess to be Large Marge from Pee-Wee’s Big Adventure wearing a Green Bay Packers sweater and shrieking with laughter. Before I can contemplate what in tarnation is wrong with people the group of nuns flings the door open just behind me, with a bloody stump of an arm still clasping his bell waving over their heads. They lock their eyes on me and I sprint into the mall, juking right, then left and then an old school swim move to get past the thin, pale, faux-hawk toting/director glasses wearing college kid who for some reason is foaming at the mouth and snarling at me. Once past, I look back and see him lock onto the nuns. I smile.

I see a father with his 3 children sitting on the floor eating ice cream. they are sitting in front of the Apple Store. There is a nice young lady at the door of the Apple Store. As I cross the threshold of the store I notice the number of people inside. The nuns, Large Marge, the ladies from the Yukon, Tiny Tim (apparently he found a supercharged wheelchair and changed his name to Timmy 2000 – TIMMMAAAAAAHHHHHGGGG!!!!) and the poor one armed Salvation Army guy approach but slam into what is apparently a force field surrounding the Apple Store. Relief!

I move to the back of the store, passing the Geico lizard, peaking from behind the genius bar (that would explain the angry cavemen hovering outside the store). There, I see the AirPort that I am there for. But no, I have a question. Crap. It’s busy. A nice young lady (another nice young lady) approaches and asks if I need anything, seeing the furrow in my brow). Why yes, I respond. She knows more than someone her age should about 802.11a/b/g/n but alas not the answer to my question, but wait here, I’ll be right back. Ya’ right. Within a few seconds she appears again, with a nice young man (apparently they’re an equal opportunity nice young person employer) who actually does know the answer to my question. Well good grief, I guess I should get two of them then… He swipes my card, gives me a bag with my schwag in it and actually gives me the small business discount, apparently having remembered me from a previous ACN event. Wow.

I look back at the door with the forcefield, Large Marge (now armed with a curtain rod from Macy’s, Tiny Tim (now armed with a bolo made from Bang and Olufsen speakers and speaker-wire), the Nuns (wielding torches made from burning t-shirts from Spencer’s) and of course the Salvation Army guy wielding fugly fashion victim white sunglasses from Louis Vitton with tight, pegged $900 jeans and a $400 flannel shirt that makes Kurt Cobain roll over in his grave. I know I will survive though, as Apple has called in Bruce Campbell to escort us all to our cars. Finally, I think to ask. What is wrong with people today? Ash looks down at me and asks “what is wrong with you people, going to the mall on Black Friday?!?!”

I didn’t know what I was getting into. I just needed an AirPort. On Black Friday I was able to walk into the Apple Store at Rosedale Center and in less than 15 minutes, walk out the door with what I needed. The only good experience in the whole mall – even on Black Friday! Kudos to you Apple and to the whole team at Rosedale.

iPhone Microsoft Exchange Server

iPhone + Locked Down Exchange

Some iPhones can have a problem with some Exchange servers due to the fact that they are not fully manageable using ActiveSync Policies. The New-ActiveSyncMailboxPolicy commandlet is can be used with the -Name parameter to assign a name to the new ActiveSyncMailboxPolicy, which we’ll call iPhone. To allow devices that are not fully manageable to use ActiveSync, an ActiveSyncMailboxPolicy needs to be created where  -AllowNonProvisionableDevices is set it to $true. For example, if we were to create such a policy and call it iPhone we would use the following command:

New-ActiveSyncMailboxPolicy -Name iPhone -AllowNonProvisionableDevices $true

Microsoft Exchange Server

Bypassing Exchange 2007's Content Filter

Exchange 2007 is often set to filter all spam and reject mail that is classified as spam. If you configure Exchange 2007 to do so then you still need an email address that does not get filtered. The reason is that in the body of your rejection emails, you need to provide a valid user with a means to contact you in order to get their mail through. To bypass the content filter for an email address can be done using a commandlet, Set-ContentFilterConfig. When using the Set-ContentFilterConfig you can use the -BypassedRecipients option to specify email addresses that the filter will not be applied to, which would then be followed by the email address to bypass. For example, if I wanted to do this for admin@krypted.com I would use the following cmdlet:

Set-ContentFilterConfig -BypassedRecipients admin@krypted.com

Xsan

Xsan Addendum

Some time ago, I did a little article for Xsanity on using Xsan with removable media. The other day, while helping a friend prepare to give a talk on Xsan I learned a nice little tidbit. It’s just a little addendum to that that brings a smile to my face and makes me a little thankful: If you tell Xsan Admin to flash the LUN so that you can identify which LUN you are labeling the USB drive lights up. Sometimes it’s the little things, man…

iPhone

iPhone Worm is Crap

Sorry, I can’t help it. That whole “iPhone Security Problems” thread I’ve seen on a few sites recently due to that worm. Oh, then there was a second worm that did the same thing. Really? Did these awesome security gurus realize that the device has to be jailbroken? Oh and they have to still have the default password used for SSH? I would hope that if you know enough to jailbreak the device without bricking it that you know enough to change the default SSH password.

Interestingly enough though, an estimated 6 to 8 percent of iPhones are jail-broken… If there have been 21 million sold, that provides an attack surface of around a 1.2 million if you just target jail-broken phones. A PC needs to be running on the same network infected with a totally different worm that tries to log into the phone and steal things. By the way, here’s a huge new security vulnerability I should write – if you leave your LinkSys with the default password AND you allow administration over the WAN then someone can break in over the WAN and mess it up… Of course, in that case you should maybe be with the LinkSys (although the power adapter might cause more damage in terms of hit points), but for some reason people aren’t being beaten over the head with an iPhone but instead so-called security experts find spreading FUD is far more helpful than doing something for a living, like real research.

I just have to reiterate this. There’s a worm out there that scans a subnet and attempts a specific SSH user name and password, if it works then it tries to steal some data, or in a different variant just Rick Rolls ya’. Somehow the fact that in order to put an SSH server on the subnet in the first place you had to void a warranty and forklift SSH onto a device, which took great pains to do, and subsequently forgot to change the password for that SSH server means nothing; nor does the fact that you also need a frickin’ Windows computer to carry the worm to you that’s also infected. Crap, just crap.

Business

HP Paying $2.7 Billion for 3Com?

HP is gung-ho to go after Cisco. It’s going to take too long to R&D better switches for the price than Cisco sells. 3Com has those switches for cheaper. Core routers for data centers are pretty complicated as well, so throw in a few extra bucks to get those from 3Com while you’re at it. There is overlap in the entry-level switches and already a lot of competition out there, so I would expect whichever product HP considers inferior to fall to the wayside. There’s also overlap with a number of other products, such as wireless and then a number of synergistic (how 90’s of me) aspects, such as what VoIP, TippingTpoint, IP PBX and Trapeze. Overally, it’s an interesting merger. It feels more like HP’s answer to Cisco releasing their own iron than HP’s best strategic move though. Although the network engineers that work for 3Com are likely going to be the most long-term acquisition to speak of being that they’re supposedly more wicked smart with engineering the flow of electrons in enterprise routing/switching than the average guy ya’ meet on the street, meaning that HP is immediately going to have a better core to edge story immediately and assuming that the talent isn’t lost and that HP and former 3Com employees can work together, an even better story over time…

It’s funny, Reductive Labs just got $2 Million in VC and to me that’s actually a more compelling cost justified move…

Final Cut Server Mac OS X Mac OS X Server

FCS 1.5.1 Story on Xsanity

Posted a little whatnot on FCS 1.5.1 over at Xsantiy, here. Hope you enjoy!