krypted.com

Tiny Deathstars of Foulness

The colrm command is a simple little command that removes columns from standard input before displaying them on the screen (or piping the text into another file). Note that colrm works on character positions, not on whitespace-delimited fields: colrm start drops every character from column start to the end of each line, and colrm start stop drops columns start through stop inclusive. To use it, cat a file and pipe it to colrm followed by the start column and, optionally, the stop column. For example, the following leaves only the first character of each line of a text file called testfile:

cat testfile | colrm 2

Because no stop column was given in the above command, everything from column 2 onward was removed and only the first character column is displayed. To write all but the second and third character columns of a file to another file called testfile2, use the following:

cat testfile | colrm 2 3 > testfile2

April 9th, 2018

Posted In: bash


Quick little script to read the length of a string:

#!/bin/bash
# Prompt for a string and print its length. read -r keeps backslashes in
# the input literal; ${#mytext} is the length in characters under the
# current locale (bytes under LC_ALL=C).
echo "Enter some text"
read -r mytext
length=${#mytext}
echo "$length"
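The one thing that script does not show is that ${#var} measures characters, not bytes, and the answer changes with the locale. The script below is an added example (not from the original post) that measures both and enforces a limit in bytes; the sample strings are constructed, and é is written as octal escapes so the result doesn't depend on how the file is encoded.

```shell
#!/bin/bash
# Added example, not from the original post: measure a string in characters
# and in bytes. ${#var} counts characters under a UTF-8 locale but bytes under
# LC_ALL=C, so a length limit enforced with it alone can let through input
# that is up to four times larger in bytes than expected; limits that protect
# a byte-sized field (database column, fixed buffer) must be checked in bytes.

# char_len STR -> number of characters as the current locale sees them
char_len() { printf '%d\n' "${#1}"; }

# byte_len STR -> number of bytes, independent of locale (wc -c counts bytes;
# the arithmetic expansion strips the padding some wc implementations print)
byte_len() { printf '%d\n' "$(( $(printf '%s' "$1" | wc -c) ))"; }

# within_bytes STR MAX -> true if STR fits in MAX bytes
within_bytes() { [ "$(byte_len "$1")" -le "$2" ]; }

# Constructed inputs: both look like five letters, but the accented one is
# six bytes because é is two bytes in UTF-8 (written as octal escapes so the
# script does not depend on the file's encoding).
SAMPLE_ASCII=hello
SAMPLE_MB=$(printf 'h\303\251llo')

# Interactive use, as in the original script, only when stdin is a terminal.
if [ -t 0 ]; then
  echo "Enter some text"
  read -r mytext
  printf '%s characters, %s bytes\n' "$(char_len "$mytext")" "$(byte_len "$mytext")"
fi
```

Run it interactively and type héllo: under a UTF-8 locale it reports 5 characters and 6 bytes; with LC_ALL=C set it reports 6 and 6, which is why the byte count is the one to compare against a byte-sized limit.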

April 9th, 2018

Posted In: Mac OS X, Mac OS X Server, Programming


It’s not likely that your Synology is going to get infected with a virus of some kind. It’s also not likely, if you’re switching to Synology from a macOS Server, that most of your clients will get infected or be using infected files. But you probably have that one Windows accounting machine in the back of the office, and a file server is exactly where its files get shared with everyone else. So you should scan your Synology routinely. To do so, Synology provides a ClamAV-based package, much like what I usually told people to use on macOS file servers.

To install antivirus on your Synology, open Package Center and search for antivirus. Click on Antivirus Essential and then click on Install.  

Once installed, open Antivirus Essential from the Main Menu. From here, you can perform a Full Scan, a Custom Scan (which allows you to select the shared folders to scan), or perform a System Scan (which scans everything else). To automate scans, click Scheduled Scan. 

At the Scheduled Scan screen, click Create. 

At the Schedule screen, choose the type of scan (the same options as when run manually) and when the scan should run. I definitely recommend daily scans. Then, click on OK and check the box for Enable. 

Click on Settings. Here, you can define what happens when an infected file is found (Quarantine is usually the best option, as you can then click on Quarantine in the sidebar routinely to check on what files have been moved). Whitelist allows you to define exclusions. Candidates are QuickBooks files and other files that aren’t very friendly to antivirus scanning, as they’re open a lot; just remember that every exclusion is a gap the scanner will never look into, so keep the list short and review it when you review the quarantine. And use the Update option to have the virus definitions updated before every scan. 

If you ever want to check that the definitions are indeed updated, click on Update in the sidebar. And that’s it, you’re now automatically scanning for viruses on the schedule you defined. I recommend setting a reminder to check on it every now and then. At first maybe weekly and later maybe monthly, depending on how many quarantined files are found when you check in. Just make sure the defs are up-to-date and sift through the logs every now and then and you should be good!

April 9th, 2018

Posted In: Small Business, Synology


You can back up a Synology in a number of ways, and even if you have a local backup, you should have one offsite. Here, we’ll walk through backing up an iOS device to a Synology using Acronis True Image. Before doing so, it’s worth noting that the only data backed up this way is what iOS exposes to a third-party app through its privacy permissions, and that you’ll have to grant the app each of those permissions for the backup to run. These cover Contacts, Photos, Videos, Calendars, and Reminders.

To get started, first go to the Package Center on a Synology. Then, search for Acronis.

At the listing for Acronis True Image, click Install. Once installed, make sure you’re accessing your Synology through its web interface directly rather than through QuickConnect, e.g. https://<IPADDRESS>:5001 (the plain http://<IPADDRESS>:5000 listener works as well, but it carries your DSM login in the clear). From there, open the Main Menu and then open Acronis True Image.

Now, install the Acronis Mobile app from the iOS App Store ( https://itunes.apple.com/us/app/acronis-true-image-mobile/id978342143?mt=8 ) on the iOS device you’ll be backing up. Once installed, open the app and tap on Back up to computer or NAS.
Then tap SCAN QR CODE.

Then provide access to the camera in order to scan the QR code. 

Then choose what you’d like to back up and tap on Back up now.

Once the backup is complete, you’ll see the backup shown on the Synology when you open up the Acronis app.

Backing up to iCloud is still the only way to get everything else. But it’s still useful in some ways (e.g. if you are a real estate agency and just want to back up Contacts and Photos in case something happens).

April 8th, 2018

Posted In: Synology


Acronis True Image is a backup solution that can write to local destinations or to the Acronis cloud. It is available at https://www.acronis.com/en-us/support/trueimage/2018mac/. To install, download it and then open the zip. 

Drag the Acronis True Image application to your /Applications directory. Then open Acronis True Image from /Applications. The first time you open it, you’ll be prompted to accept the licensing agreement.

Once accepted, you’ll be prompted to create an account with Acronis. Provide your credentials or enter new ones to create a trial account. 

At the activation screen, provide a serial or click Start Trial.

At the main screen, you’ll first want to choose the source (by default it’s the drive of the machine) and then click on the panel to the right to choose your destination.

For this example, we’re going to use the Acronis cloud service. 

Click on the cog wheel icon at the top of the screen. Here, you can set how and when the backup occurs. Click Schedule.

At the schedule screen, select the time that backups will run. Note that unless you perform file level backups, you can’t set the continual backup option. For that, I’d recommend not doing the whole computer and instead doing directories where you store data. Click on Clean Up.

Here, you’ll define your retention policies. How many backups will you store and for how long. Click Encryption.

Here you’ll set a password to protect the disk image that stores your backups. The image can’t be unpacked without it and Acronis can’t recover it for you, so pick a strong passphrase and keep it in a password manager rather than only in your head. Click on Exclusions.

Here, use the plus sign icon to add any folders you want skipped in the backups. This could be stuff you don’t need backed up (like /Applications) or things you intentionally don’t want backed up. Click Network. 

Here you can throttle the speed of network backups. We’ll skip this for now. Now just click on the Back Up button to get your first backup under way!

If you want to automate certain configuration options, check for com.acronis.trueimageformac.plist in ~/Library/Preferences to see whether the app has been launched, as you can see from the defaults domain contents:

{
    SUEnableAutomaticChecks = 1;
    SUHasLaunchedBefore = 1;
    SULastCheckTime = "2018-04-07 21:33:01 +0000";
}

There are also log settings available at /Applications/Acronis True Image.app/Contents/MacOS/acronis_drive.config:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<config><logging>
<channel id="ti-rpc-client" level="info" enabled="true" type="logscope" maxfiles="30" compress="old" oneday="true"/>
<channel id="http" level="info" enabled="true" type="logscope" maxfiles="30" compress="old" oneday="true"/>
<channel id="ti_http_srv_ti_acronis_drive" level="info" enabled="true" type="logscope" maxfiles="30" compress="old" oneday="true"/>
<channel id="ti-licensing" level="info" enabled="true" type="logscope" maxfiles="30" compress="old" oneday="true"/>
<channel id="acronis_drive" level="info" type="logscope" maxfiles="10" compress="old" oneday="true" />  <!-- max 10 files, ?MB --></logging>

 

April 7th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security


Synology is able to do everything a macOS Server could do, and more. So if you need to move your VPN service, it’s worth looking at a number of different solutions. The most important question to ask is whether you actually need a VPN any more. If you have git, mail/groupware, or file services that require remote access then you might want to consider moving these into a hosted environment somewhere. But if you need access to the LAN and you’re a small business without other servers, a Synology can be a great place to host your VPN services. 

Before you set up anything new, snapshot your old settings. First, grab which protocols are enabled by running the following from Terminal:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:enabled

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled

Next, we’ll get the IP ranges used, so we can mimic those (or change them) in the new service:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges

Now let’s grab the DNS servers handed out so those can be recreated:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index

Finally, if you’re using L2TP, grab the IPsec shared secret (treat the output as a credential: every client has it, and anyone who has it can impersonate the server to those clients):

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue
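Rather than copying the values out of the Terminal by hand, the script below snapshots them into a file and reads the pieces the Synology will ask for back out of it. It is an added example, not from the original post: it assumes the "key = value" line format that serveradmin settings prints (strings in double quotes, arrays as key:_array_index:N) and that index 0 and 1 of DestAddressRanges are the first and last address of the pool. The embedded settings are a constructed sample so it runs without a macOS Server.

```shell
#!/bin/bash
# Added example, not from the original post: snapshot the macOS Server VPN
# settings a Synology VPN Server needs and flag what should not be carried
# over. It assumes the "key = value" line format that `serveradmin settings`
# prints, with string values in double quotes and arrays as key:_array_index:N.

# Constructed sample of that output so the functions run without a macOS
# Server. For real use capture the live settings first, with a restrictive
# umask because the file will contain the L2TP shared secret:
#   umask 077; sudo serveradmin settings vpn > vpn-settings.txt
# then run this script with VPN_SETTINGS_FILE=vpn-settings.txt.
SAMPLE_SETTINGS='vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "10.0.0.200"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "10.0.0.250"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "10.0.0.2"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:1 = "10.0.0.3"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "example-psk"'

settings_source() {
  if [ -n "${VPN_SETTINGS_FILE:-}" ]; then cat -- "$VPN_SETTINGS_FILE"
  else printf '%s\n' "$SAMPLE_SETTINGS"; fi
}

# setting KEY -> the value stored under exactly KEY, quotes stripped
setting() {
  settings_source | awk -v key="$1" -F' = ' \
    '$1 == key { v = $2; gsub(/^"|"$/, "", v); print v }'
}

# values PREFIX -> one value per line for every key starting with PREFIX
# (how array entries such as DNS:OfferedServerAddresses come out)
values() {
  settings_source | awk -v pre="$1" -F' = ' \
    'index($1, pre) == 1 { v = $2; gsub(/^"|"$/, "", v); print v }'
}

# service_enabled pptp|l2tp -> true if that protocol is on in the snapshot
service_enabled() { [ "$(setting "vpn:Servers:com.apple.ppp.$1:enabled")" = yes ]; }

# migration_plan -> what to recreate on the Synology, plus a warning for PPTP.
# Assumption: DestAddressRanges index 0 is the first pool address, 1 the last.
migration_plan() {
  if service_enabled l2tp; then
    printf 'L2TP/IPsec: pool %s-%s, DNS %s, shared secret set: %s\n' \
      "$(setting vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0)" \
      "$(setting vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1)" \
      "$(values vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses | paste -s -d , -)" \
      "$([ -n "$(setting vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue)" ] && echo yes || echo no)"
  fi
  if service_enabled pptp; then
    echo 'WARNING: PPTP is enabled on the old server. MS-CHAPv2/MPPE is broken and'
    echo 'current Apple clients no longer ship a PPTP client; move those users to L2TP/IPsec or OpenVPN.'
  fi
}

migration_plan
```

The shared secret itself is deliberately never printed, only whether one exists; you copy it from the settings file into the Synology’s L2TP/IPsec pre-shared key field and then delete the file.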

Once we have all of this information, we can configure the new server using the same settings. To install the VPN service on a Synology, first open the Synology and click on Package Center. From there, click on All and search for VPN.

Then click on the Install button for VPN Server. Once installed, open VPN Server from the application launcher in the upper left-hand corner of the screen. Initially, you’ll see a list of the services that can be run, which include the familiar PPTP and L2TP, along with OpenVPN.

Before we potentially open up dangerous services to users we might not want to have access, click on Privilege. Here, enable each service only for the users who should have it; everyone else stays denied, so this is also where you keep PPTP off for accounts that don’t strictly need it.

Now that we can safely enable and disable each of the services, click on PPTP in the sidebar of the VPN Server app (if you want to provide PPTP-based services to clients).

Here, check the box for “Enable PPTP VPN server” and enter the following information:
  • Dynamic IP address: The first address of the pool that will be handed to client computers.
  • Maximum connection number: How many addresses can be handed out (and therefore the maximum number of clients that can connect via PPTP).
  • Maximum number of connections with the same account: How many sessions a given account can have (1 is usually a good number here).
  • Authentication: MS-CHAP v2 is the only choice most clients support, but note that it has been broken since 2012 (the handshake reduces to a single DES key that can be cracked offline, yielding the user’s password hash and with it the session keys), and Apple removed the PPTP client from iOS 10 and macOS Sierra. Treat PPTP as a stopgap for legacy clients only and move everything that can do L2TP/IPsec or OpenVPN onto those.
  • Encryption: MPPE optional lets a client negotiate no encryption at all. If PPTP has to stay on, require MPPE (128-bit) and drop clients that can’t do it; MPPE’s keys are derived from the MS-CHAP v2 exchange, so it is only as strong as the point above.
  • MTU: 1400 is a good number.
  • Use manual DNS: If clients will connect to services via names once connected to the VPN, put your primary DNS server in this field.

Click Apply and open TCP port 1723 so clients can connect to the service; PPTP also carries its data in GRE (IP protocol 47), so the firewall or router in front of the Synology has to pass GRE as well, which plenty of consumer NAT devices don’t. If you’ll be using L2TP over IPsec, click on “L2TP/IPsec” in the sidebar. The settings are the same as those above, but you also set a pre-shared key. Check the enable checkbox, provide the same settings as in the PPTP list, enter the key (the shared secret you pulled from the old server, if clients are to keep their existing profiles) and then click on Apply. Note that the DHCP pools are separate for the two services. Point UDP ports 500 (IKE), 4500 (NAT-T), and 1701 (L2TP) at the new server to allow remote connections, then test that clients can connect.

That’s it. You’ve managed to get a new VPN set up and configured. Provided you used the same public IP address or hostname, the same shared secret, and the same ports, the VPN profile you were already distributing to clients will probably keep working.

April 6th, 2018

Posted In: Mac OS X Server, Mac Security, Synology


People who have managed Open Directory and will be moving to Synology will note that directory services really aren’t nearly as complicated as we’ve made them out to be for years. This is partly because Apple was protecting us from doing silly things to break our implementations, and partly because Apple bundled a number of seemingly disparate technologies into LDAP. It’s worth mentioning that LDAP on a Synology is just LDAP. We’re not federating services, we’re not kerberizing services, we’re not augmenting schemas, etc. We can still use the directory to provide attributes, though, and have that central phone book of users and group memberships we’ve come to depend on directory services to provide.

To get started, open the Package Center and search for Directory. Click Install for the Directory Server and the package will be installed on the Synology.

When the setup is complete, open the Directory Server from the launcher available in the upper right hand corner of the screen. 

The LDAP server isn’t yet running, as you need to configure a few settings before starting it. At the Settings screen, enable the LDAP service by checking the box to “Enable LDAP Service” and providing the hostname (FQDN) of the service along with the password for the directory’s root account (the Bind DN below). That password is the directory’s master credential, so treat it accordingly.


Once the service is configured, you’ll have a Base DN and a Bind DN. These are generated from the name provided in the FQDN field. For example, if the FQDN is “synology.krypted.com”, its Base DN will be “dc=synology,dc=krypted,dc=com” (one dc= component per label). The Bind DN is the directory’s root account in the users container under that base: uid=root,cn=users,dc=synology,dc=krypted,dc=com

If this is for internal use, then it’s all set up. If you’ll be binding external services to this LDAP instance, open port 389 (LDAP) and/or 636 (LDAP over SSL) as well. Prefer 636, or STARTTLS on 389: a simple bind over plain 389 sends the bind DN’s password in the clear, and the root account’s password is exactly what you don’t want on the wire. Expose either port only to the networks that actually need it, not to the internet at large. 
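The DN derivation above is mechanical enough to script, which is handy when you are wiring several services to the directory. The functions below are an added example, not from the original post or from Synology: they build the Base DN and Bind DN from the FQDN and emit an ldapsearch that binds over LDAPS with the password read from a file. The service account name (uid=svc-lookup), the password file path and the posixAccount filter are assumptions for the example.

```shell
#!/bin/bash
# Added example, not from the original post or Synology: derive the Base DN
# and Bind DN that Directory Server generates from the FQDN, and build an
# ldapsearch that binds over LDAPS (port 636) rather than plaintext LDAP (389).

# base_dn FQDN -> one dc= component per DNS label, e.g.
#   synology.krypted.com -> dc=synology,dc=krypted,dc=com
base_dn() {
  printf '%s\n' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    print ""
  }'
}

# bind_dn FQDN [UID] -> uid=UID,cn=users,<base dn>; Synology keeps accounts
# under cn=users and the directory admin is uid=root.
bind_dn() { printf 'uid=%s,cn=users,%s\n' "${2:-root}" "$(base_dn "$1")"; }

# ldap_search_cmd FQDN [FILTER] [PWFILE] -> the ldapsearch invocation to run.
# -H ldaps:// keeps the bind password off the wire (-ZZ on ldap://:389 is the
# STARTTLS alternative); -y reads the password from a file so it does not
# show up in ps output or shell history the way -w would. Bind as a dedicated
# read-only account (assumed here: uid=svc-lookup) rather than as root; the
# default filter assumes Synology users carry the posixAccount object class.
ldap_search_cmd() {
  printf "ldapsearch -H 'ldaps://%s:636' -D '%s' -y '%s' -b '%s' '%s' uid cn mail\n" \
    "$1" "$(bind_dn "$1" svc-lookup)" "${3:-/etc/ldap/svc-lookup.pw}" \
    "$(base_dn "$1")" "${2:-(objectClass=posixAccount)}"
}

# Prints the command to run once the Synology's certificate is trusted
# (TLS_CACERT in ldap.conf). Do not work around a certificate error with
# TLS_REQCERT never; that turns LDAPS back into something a man in the
# middle can read.
ldap_search_cmd synology.krypted.com
```

The password file should be mode 0600 and owned by the account that runs the lookup; the point of -y is that the secret never appears on a command line.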

Once you have information in the service, you’ll want to back it up. Click on Backup and Restore. Then click on Configure.

At the Configure screen, choose a destination.

I prefer using a directory I can then back up with another tool. Once you have defined a place to store your backups using the Destination field, choose a maximum number of backups and configure a schedule for the backups to run (by default, backups run at midnight). Then click OK. You now have a functional LDAP service. To create groups, click on Group in the left sidebar. 

Here, you can create groups by clicking on the Create button. At the wizard, provide a name for the group (accounting in this example).

Click Next, then Apply to finish creating the group. Once you have created your groups, click on User to start entering your users. Click Create. At the User Information screen, enter the name, a description if needed, and the password for the user. You can also restrict password changes and set an expiration for the account. Click Next to create the user. 

At the next screen, choose what groups the new user will be in and click Next.

Enter any extended attributes at the next screen, if you so choose (useful for directories).

Click Next and then Apply.

For smaller workgroups, you now have a functional LDAP service! If you’d like a nice GUI to access more options, look at FUM ( https://github.com/futurice/futurice-ldap-user-manager ), LAM ( https://www.ldap-account-manager.org/lamcms/ ), LinID ( http://www.linid.org/welcome/index.html ) or other tools. I wrote an article on LDAP SACLs awhile back, so I’ll try and track that down and update it for Synology soon!

April 5th, 2018

Posted In: Mac OS X Server, Synology


Before we have this conversation, I want to give you some bad news. Your passwords aren’t going to migrate. The good news is that you only do directory services migrations every decade or two. The better news is that I’m not actually sure you need a directory service in the traditional sense that you’ve built directory services. With Apple’s Enterprise Connect and Nomad, we no longer need to bind in order to get Kerberos functionality. With MCX long-dead(ish) you’re now better off doing policies through configuration profiles. 

So where does that leave us? There are some options.
  • On Prem Active Directory. I can set up Active Directory in about 10 minutes. And I can be binding Mac clients to it. They’ll get their Kerberos TGTs and authenticate into services and the 90s will be as alive on your server as they are in Portland. Here’s the thing, and I kinda’ hate to say it, but no one ever got fired for doing things the old reliable way. 
  • OpenLDAP. There are some easy builds of OpenLDAP to deploy. You can build a new instance from scratch on a Mac (probably a bad idea) or on a very small Linux box. This is pretty easy, but to get all the cool stuff working, you might need some tweaking.
  • Appliances. I’m already working on an article for installing OpenLDAP on a Synology.
  • Microsoft Azure Active Directory. If you’re a primarily Microsoft shop, and one that is trying to go server-less, then this is probably for you. Problem is, I can’t guide you through binding a client to Active Directory in Azure just yet. 
  • Okta/Ping/other IAMs. Some of these can act as a directory service of sorts ( https://help.okta.com/en/prod/Content/Topics/Directory/About_Universal_Directory.htm ). As with Azure, you’re likely not going to bind to them (although Nomad has some interesting stuff if you feel like digging into that).
  • A hosted directory service provider (Directory as a Service) like Jumpcloud.
There are probably dozens of other options as well (please feel free to add them in the comments section of this article). No matter what you do, if you have more than a dozen or two users and groups, you’re going to want to export them. So let’s check out what that process looks like. The easy way to export the data is to dump the whole directory with one quick command:

sudo slapconfig -backupdb ~/Desktop/slapexport/

This process produces the exact same results as exporting Open Directory from the Server App. To do so, open the Server app and click on the Open Directory entry. From there, click on the cog-wheel icon and choose the option to Archive Open Directory Master. 

When prompted, enter your directory administrator (e.g. diradmin) credentials.

Once you have authenticated, provide a path and a password to export the data.

Now you’ll see a sparse image in your export path. Open it to see the backup.ldif file.

That’s the main thing you’re looking for. The LDIF file can be imported into another OpenLDAP system, or, once you have it, converted to CSV for tools that don’t speak LDIF. To help with this, I wrote a little ldif to csv converter and posted it here.

Finally, you could export just users or groups, or specific objects from the Server App.

That option is more built for importing into other macOS servers, but if you’d like to try, click on Users in the left sidebar and then click on Export Users from the cog wheel icon towards the bottom of the screen.

Then select what to export and where to export the file to. 

You can also repeat this process for Groups, if needed.

April 4th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security


April 3rd, 2018

Posted In: Mac OS X

Ever wanted to be able to view devices from your Jamf server from within your Freshdesk environment? Well, I just posted a new integration on the Jamf Marketplace just for Freshdesk.


This plugin will display a search bar on the right side of the screen. Enter a serial number to find your devices. If a match is found, you’ll see information on the device (note: this is up on GitHub so you can change what fields you see).

If you don’t find anything that matches a given pattern, you’ll get an error.

April 2nd, 2018

Posted In: JAMF, Product Management

