Category Archives: Mac OS X


Receipts & Bills of Material in 10.8

When installing a package, OS X makes a list of what it installs in /Library/Receipts/InstallHistory.plist. The dictionaries show each package installed, along with the installation date, the name displayed during installation, the version of the package being installed, the identifier of the package and the process name used to install the package. This information, along with the file name of the actual package, is stored in corresponding property lists in /private/var/db/receipts. Each bill of material is also stored there, in a .bom file.

The lsbom command is used to see a list of objects installed by the package. You can also see the options such as the permissions assigned to files by the package as they’re installed. For example, that Twitter app from the app store; to see what it installs:

lsbom /private/var/db/receipts/com.twitter.twitter-mac.bom

This package is installed by the Mac App Store. When run, the output for packages installed by the Mac App Store should only contain objects within that application’s .app bundle. That’s a pretty good bit of information, so you can also use the -s option to constrain the output to only the paths of files (relative paths, of course). I’m usually a fan of getting more information rather than less, so I usually run it adding the -m option, which shows me those permissions.

lsbom -m /private/var/db/receipts/com.twitter.twitter-mac.bom

Note: You can also use the mkbom command to create new .bom files. As the man page for bom indicates, this goes back to NeXTSTEP and was extended for 10.0 and again in 10.3.
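The install history described above can also be audited in bulk. The following is an added example, not code from the original post: it reads a plist in the InstallHistory.plist layout, reports every package installed by a process outside an allow-list, and gives the .bom path to pass to lsbom. The sample data, the allow-list and the function names are assumptions made for illustration.

```python
import plistlib

RECEIPTS_DIR = "/private/var/db/receipts"

# Constructed sample in the InstallHistory.plist layout (not from a real Mac).
SAMPLE = b"""<plist version="1.0"><array>
<dict>
  <key>date</key><date>2013-05-01T10:00:00Z</date>
  <key>displayName</key><string>Twitter</string>
  <key>displayVersion</key><string>2.2</string>
  <key>packageIdentifiers</key>
  <array><string>com.twitter.twitter-mac</string></array>
  <key>processName</key><string>storeagent</string>
</dict>
<dict>
  <key>date</key><date>2013-05-03T02:14:00Z</date>
  <key>displayName</key><string>Helper Tools</string>
  <key>displayVersion</key><string>1.0</string>
  <key>packageIdentifiers</key>
  <array><string>com.example.helper</string>
         <string>com.example.helper.daemon</string></array>
  <key>processName</key><string>installer</string>
</dict>
</array></plist>"""

# Assumption: the installer processes this fleet expects; adjust to your tools.
EXPECTED_PROCESSES = {"storeagent", "softwareupdated", "Installer"}

def bom_path(identifier):
    """Path of the bill of materials that lsbom reads for this package."""
    return "%s/%s.bom" % (RECEIPTS_DIR, identifier)

def audit(data, expected=EXPECTED_PROCESSES):
    """One row per package installed by a process outside the allow-list."""
    rows = []
    for entry in plistlib.loads(data):
        proc = entry.get("processName", "")
        if proc in expected:
            continue
        when = entry["date"].isoformat()
        for ident in entry.get("packageIdentifiers", []):
            rows.append((when, proc, entry.get("displayName", ""),
                         ident, bom_path(ident)))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("\t".join(row))
```

On a real machine, pass the bytes of /Library/Receipts/InstallHistory.plist to audit() instead of SAMPLE.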


Who Needs Root When You Can Have Simple Finder

Here’s the thing: I’m not very good with computers. So to keep me from hurting myself too badly, I need the simplest interface available that allows me to run multiple applications. But most of the command keys shouldn’t work in this interface and I should only have Finder, file and Help menus.

Luckily for my poor MacBook Airs, Apple thought of people like me when they wrote the Finder and invented something called Simple Finder, which makes OS X even simpler to use than it is by default. To enable Simple Finder, just go to Parental Controls, enable controls for a user and then check the box for Simple Finder. Or, if you have an entire population of users like me, who simply can’t be trusted with a full operating environment, you can send the InterfaceLevel key with the contents of simple (easy to remember for those of us who resemble said key) to com.apple.finder and restart our friendly neighborhood Finder:

defaults write com.apple.finder InterfaceLevel simple; killall Finder

Come to think of it, maybe I’m not so awful. Let’s say I want to turn that whole Simple Finder thing right back off. Well, all we have to do is delete that key we created and then restart the Finder:

defaults delete com.apple.finder InterfaceLevel; killall Finder

Actually, I am terrible with these things. So much so that it’s not appropriate for me to use a computer. Therefore, just take it away. I’ll be better off using that Samsung with Windows 8 for a while. At least there, I won’t be able to get any of my apps open or find any of the administrative tools that could damage the computer!


Using sysdiagnose to Capture Performance Data In OS X

“My computer sometimes just runs slow,” “the fan on my laptop won’t turn off sometimes,” and “my network connection keeps dropping.” These are amongst the most annoying of problems to solve for our users because they are intermittent. And to exacerbate things, many of these users have these problems at home or at remote locations, making it difficult for systems administrators to see them.
There is something I use in these cases, though, that has helped isolate these problems from time to time. Simply tell users to press Control-Option-Command-Shift-Period when they have these problems. Doing so will run the sysdiagnose command and then open a Finder window with the output of the command. Sysdiagnose takes a quick snapshot of many common logs and performance data, zips it up and opens a Finder window, pointing to where it is (/var/tmp with the filename containing a date stamp of when the command was run). This file contains output from allmemory, lsof, top, netstat, sysctl, spindump, fs_usage, system_profiler, mount, airport, odutil and many others. Each is in its own log and easy to navigate.

When running /usr/sbin/sysdiagnose from the command line there are a couple of options. My favorite is -f (which I think must be short for favorite), which allows me to write my file to a directory I specify rather than some random object in a tmp directory. You can also get even more output using -t. Verbose logging is obtained using -h and passing a pid will also provide information about the pid. So let’s say that process 10883 is giving me some problems. I could run the following to get some good output on my desktop:

sysdiagnose -h -t -f ~/Desktop 10883

Anyway, hope you enjoy!


Apple ID Bulk Importer

Some iOS and/or OS X deployments require us to create a boatload of Apple IDs. This could be to redeem VPP codes, to do iOS backups, to configure Messages, to let OS X Server users reset their own passwords (which is now possible), etc. I have sat and manually created Apple IDs for a number of clients. I’ve created dozens at a single sitting and there are some serious annoyances and challenges with doing so manually. For example, you’re gonna’ fat finger something. If you type 10 things in for 50 accounts then it’s hard to imagine you’re not gonna’ mess something up in one of those 500 fields. It’s also time consuming and well, just annoying.

Then, along came a script. That script allowed us to create loads of IDs on the fly. Now, we have a very nice GUI tool called the Apple ID Automation Builder that can be used to batch create a number of Apple IDs on the fly. Brought to us by Greg Moore and hosted by enterpriseios.com, this is one of those rare finds that is a serious time saver and very valuable when you need it in your bat belt. Great little tool, well worth the money and I look forward to providing Greg with plenty of accolades should we ever meet!


Instant Apple iBooks Review

I just finished reading Instant Apple iBooks, by Zeeshan Chawdhary, available at Packt at http://link.packtpub.com/irY6CN. As with mine and TJ’s Instant Apple Configurator book, it’s a nice, quick read. It has very specific recipes for getting your iBook written quickly. The thing I like about this book is that it allowed me to focus on my content rather than thinking so much about how to technically put the words, images and other elements I wanted where I wanted them. I also have to say that while iBooks is pretty easy, using a book like this will get you up to speed much quicker than just knocking around the system hoping to find that one button that allows you to insert a video at just the right size in just the right spot.


I also like the fact that the layout allowed me to read only the parts that mattered to me. For example, I have used the iBooks app for a while, so I really just wanted to jump straight into writing. While some of the book is very specific to shopping on the iBookstore, much of it is also dedicated to writing. I like it when I can pick something up and have no dependencies on earlier elements of the book.

Overall, it’s a nice quick read and very practical. Even if you’ve been using iBooks, check it out; you may learn something new (I did).


Using allmemory To Test Memory in OS X

Earlier I wrote an article on testing memory using memtest. Memtest actually looks at the memory in a system and checks it for errors. But what about checking the system’s use of memory for problems? Well, OS X has a built-in tool called allmemory that can check system or per-process memory. In its most simple incantation allmemory can just be run with no options:

allmemory

This is going to result in a few errors if only because allmemory is getting a little long in the tooth. But you can also scan on a per-process basis. To do so, run allmemory with a -proc option and then the pid for the process:

allmemory -proc 13727

You can also use the following options:

  • -noframework: doesn’t show data that comes from frameworks (otherwise it does), so this option would only show the specific process and not dependencies
  • -noprocess: doesn’t show the process, so more looking at framework utilization
  • -32bit: only show 32-bit processes
  • -64bit: only show 64-bit processes
  • -v: show address space utilization on a per process basis
  • -f: show segment utilization on a per framework basis
  • -i: show data from a previous run of the tool, which uses a path after the -i to load that data from
  • -o: outputs the data to a specific directory (otherwise it defaults to /tmp/allmemoryDataFiles). Note, when called from other Apple tools, the output is normally set within a dmg or zip in /var/tmp
  • -d: loads data from /tmp/allmemoryDataFiles if it exists
  • -P: shows information about VM regions used

There are a few other options, but those are the only ones I can remember using. Overall, allmemory is a pretty cool tool and I think that if nothing else it’s helped me to prove to vendors when I have issues with their software. I’m maybe not always happy with their responses but it’s good to prove that there’s a problem… Finally, output can look something like the following:

[Screenshot: allmemory output]


List All DNS Records For A Domain

Sometimes you want to move a domain but you don’t have a copy of the zone file in order to recreate records. The easy way to do this is to grab a zone transfer. To do so, dig is your friend:

dig -tAXFR mycompany.com

Sometimes though (and actually more often than not) a zone transfer is disabled. In that case you’ll need to dig the domain a bit differently. I like to use +nocmd, query for any and list the results (+answer):

dig +nocmd krypted.com any +answer

Which results in the following:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39183
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;krypted.com. IN ANY

;; ANSWER SECTION:
krypted.com. 1262 IN A 97.74.215.39
krypted.com. 3600 IN MX 0 smtp.secureserver.net.
krypted.com. 3600 IN MX 10 mailstore1.secureserver.net.
krypted.com. 3600 IN NS ns25.domaincontrol.com.
krypted.com. 3600 IN NS ns26.domaincontrol.com.
krypted.com. 3600 IN SOA ns25.domaincontrol.com. dns.jomax.net. 2010010400 28800 7200 604800 3600

;; Query time: 127 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 7 22:31:15 2013
;; MSG SIZE rcvd: 207

The above shows the naked domain name entry (yes, I still giggle every time I write the word naked so it’s ok if you giggled when you read it), all of the mail (which btw I don’t actually use that mail so please don’t try and send any at this time) and the ns servers. Now, the serial and refresh information isn’t included in this output. Actually, it is but it might not make sense, so we’ll just add the +multiline option which will make this look strangely like a zone file:

dig +nocmd krypted.com any +multiline +answer

Notice the serial, refresh, retry, expire and minimum options are now listed in a much more fashionable way:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10965
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;krypted.com. IN ANY

;; ANSWER SECTION:
krypted.com. 3225 IN A 97.74.215.39
krypted.com. 3225 IN MX 0 smtp.secureserver.net.
krypted.com. 3225 IN MX 10 mailstore1.secureserver.net.
krypted.com. 3225 IN NS ns25.domaincontrol.com.
krypted.com. 3225 IN NS ns26.domaincontrol.com.
krypted.com. 3225 IN SOA ns25.domaincontrol.com. dns.jomax.net. (
        2010010400 ; serial
        28800      ; refresh (8 hours)
        7200       ; retry (2 hours)
        604800     ; expire (1 week)
        3600       ; minimum (1 hour)
        )

;; Query time: 22 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 7 22:32:20 2013
;; MSG SIZE rcvd: 207

And there ya’ go. You’ve basically done a zone transfer on a box, even though zone transfers are disabled. Silly DNS admins, disabling zone transfers and all that… Yes, I disable zone transfers on most of my DNS boxen as well, or at least only allow them for specific IPs… ;)


Recovering Open Directory Databases

Every now and then I see an Open Directory database that’s gotten corrupt for one reason or another. To be more specific, while I see Kerberos get wonky and password server issues from time to time, every now and then I see the actual LDAP database throw errors like this one, when checked with slapd:

/usr/libexec/slapd -Tt

Corruption usually looks a little something like this:

51890ba0 ldif_read_file: checksum error on "/var/db/openldap/openldap-data/cn.bdb"
51890ba0 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded

If the bdb (Berkeley Database) files can’t be read in properly then you can do a sanity check with slaptest to see if there are other issues as well:

slaptest -f /private/etc/openldap/slapd.conf -v

Provided that your problems are with the bdb files and not ldif files, which can easily be grabbed from another OD box, you can then recover the database using db_recover, along with the -h option to define the directory your bdb files reside in (/var/db/openldap/openldap-data in OS X Server):

db_recover -h /var/db/openldap/openldap-data/

Note, always back up. If errors continue then you can also run with a -c option, which performs a “catastrophic” recovery. Also, before you do a db_recover OD will need to be stopped. Chances are, if you have corruption then the database will be stopped; however, check first:

serveradmin fullstatus dirserv

If it’s running, stop it:

serveradmin stop dirserv

Once you’re done, there’s no longer the need to reboot each time you do this kind of thing, which is actually a huge time saver, so just swap the stop with start and you’re good:

serveradmin start dirserv


Testing Memory On Apple Computers

Memory can make a computer run slow, cause kernel panics and in general drain productivity. Bad memory can compound these issues by making them more frequent. As such, testing memory every now and then will help to make your life better.

Memtest is a great little tool for troubleshooting memory problems across a variety of platforms. The tool can be installed pretty easily on clients using this little package that was posted a while ago, but is still functional. Once you’ve installed the package, you can run memtest and have it check memory. To do so, just run memtest all and it will test all of your memory:

memtest all

You can also be a bit more specific about how you’re testing memory. You can define the amount of memory to test as well as the number of iterations to test through. In the following command, the first position is the amount of memory and the second position is the number of iterations (test 1024 Megs of memory and run the tests twice, logging to stderr):

memtest 1024m 2

Adding the --log option then logs to stderr and memtest.log:

memtest 1024m 2 --log

Overall, memtest is a really easy tool to use. It’s also pretty good at isolating issues and can easily be folded into other tools!


Half Off My Book (and other O’Reilly Titles)!

In Celebration of *Day Against DRM* Save 50% on 5000+ Ebooks & Videos at O’Reilly (including mine). And save 60% on orders over $100, so feel free to order multiple copies of my book!

Having the ability to download files at your convenience, store them on all your devices, or share them with a friend or colleague as you would a print book is liberating, and is how it should be. This is a critical moment in the fight against DRM. A proposal currently being considered by the W3C would weave DRM into HTML5 — in other words, into the very fabric of the Web.

Ebooks from oreilly.com are DRM-free. You get free lifetime access, multiple file formats, free updates.

Use discount code: DRM2013 – Deal expires May 3, 2012 at 11:59pm PT and cannot be combined with other offers.