Repair Permissions From The Command Line

I’ve long been a supporter of building tools in self service portals such as those provided by JAMF and Munki to provide users who don’t have administrative permissions to perform tasks that wouldn’t typically otherwise be destructive. One such example is a simple repair permissions. An administrator can simply open Disk Utility, select their disk and then click Repair Disk Permissions Screen Shot 2013-10-24 at 7.11.31 PMBut if you want to do this as a user who doesn’t have administrative privileges you would need to elevate your privileges before doing so. In a larger environment this would be incredibly annoying for dozens, hundreds, thousands or even tens of thousands of users to bring their computer to an administrator just to type in a password. But, if you have a patch management solution that has some kind of a self service portal, users could do this themselves. Typically, you would create a very small payload free package. This package might just contain a single script that might even be as short as a one-liner. For example, the following command would actually run a repairPermissions. diskutil repairPermissions / You could also send some environmental variables from your patch management tool for the boot volume, but in this simple instance we’re just going to run it, with the following type of output: Started verify/repair permissions on disk0s2 Macintosh HD Permissions differ on "Library/Application Support"; should be drwxr-xr-x ; they are drwxrwxr-x Repaired "Library/Application Support" Group differs on "Library/Printers/InstalledPrinters.plist"; should be 80; group is 0 Permissions differ on "Library/Printers/InstalledPrinters.plist"; should be -rw-rw-rw- ; they are -rw-r--r-- Repaired "Library/Printers/InstalledPrinters.plist" [ \ 0%..10%..20%..30%..40%..50%..60%..70%................ ] 74% 0:00:34 Finished verify/repair permissions on disk0s2 Macintosh HD You could get much more complicated, writing the output to syslog or even a syslog server. You can also have metapackages that just do a bunch of tasks and call them things like “Try to fix my computer.” Provided you have a patch management tool, you could also just scope some devices and push some of these things out en masse; however, for the most part, I’m a fan of self service, so that’s the example I’m using this for.

Using the xsanadmin Command

There are some commands where you just have to wonder why. Sure, I see what this command does, but why bother? Well, I’m not going to say that xsanadmin is one of those commands, but I’m not going to say that it isn’t. At first glance, you might think that the list, stop, start and other verbs look promising. Like maybe you can actually administer a volume from a much simpler to use command line interface. However, if you want a quick and dirty of what xsanadmin does, look no further than just running the command without any verbs or operators: xsanadmin The result is help information from the serveradmin command: Usage: serveradmin [-dhvx] [list | start | stop | status | fullstatus | settings | command] [<service_key> [ = <value> ]] -h, --help display this message -v, --version display version info -d, --debug print command -x, --xml print output as XML plist Examples: serveradmin list --Lists all services serveradmin start afp --Starts afp server serveradmin stop ftp --Stops ftp server serveradmin status web --Returns current status of the web server serveradmin fullstatus web --Returns more complete status of the web server serveradmin settings afp --Returns all afp configuration parameters serveradmin settings afp:guestAccess --Returns afp guestAccess attribute serveradmin settings afp:guestAccess = yes --Sets afp guestAccess to true serveradmin settings --Takes settings commands like above from stdin serveradmin command afp:command = getConnectedUsers --Used to perform service specific commands serveradmin command --Takes stdin to define generic command that requires other parameters Why’s that? Because all the command is doing is piping information to and from the serveradmin command, thus the verbs are basically the same: list, status, fullstatus, etc. To see which services, let’s pipe settings for all to a file: xsanadmin settings all > xsanadminsettings.txt Here, you’ll notice that you have settings for the xsan/san service, file sharing and info. That’s it. You may be asking yourself, “why did you write this article then?” My answer would be that I’m not really sure. Mostly because I wasted my time trying to see if I could do cool stuff with this command and it turns out I can’t…

My MacSysAdmin Presentations For Today

The first presentation I’ll be doing at MacSysAdmin today is on Windows Server in Mac OS X and iOS environments, which can be found here: MacSysAdmin_Windows The second presentation I’ll be doing today at MacSysAdmin is on iOS deployment, which can be found here: MacSysAdmin_iOS If you’re not able to attend then I hope you will enjoy. I’ll try and get them to Tycho for uploading to the official site asap.

Installing Final Cut Server on Lion & Mountain Lion Server

Thanks to Allan Sanderson for the following submission, which outlines how to install Final Cut Server in Lion and Mountain Lion Server.
In ————- Websites: Check “Enable PHP web applications” Install Java ———— Open /Applications/Utilities/Java You’ll be prompted by Software Update service to install Java, click “Continue”, provide admin credentials when promopted. Install Final Cut Server ———————— Run Final Cut Server installer. Then run Software Update to get ProApplications 2010-02 & Final Cut Server v1.5.2 updates. Check Configuration ——————- 1) Check fcsvr user has been created: dscl /Local/Default -search /Users RecordName fcsvr Output should look something like this: fcsvr RecordName = ( fcsvr ) 2) Check “fcsvr” user’s home folder location is set to “/Library/Application Support/Final Cut Server” dscl /Local/Default -read /Users/fcsvr NFSHomeDirectory Output should look something like this: NFSHomeDirectory: /Library/Application Support/Final Cut Server If it doesn’t, caorrect it with this command: sudo dscl /Local/Default -create /Users/fcsvr NFSHomeDirectory “/Library/Application Support/Final Cut Server” Customisations To Make It Work —————————— A word to the wise, I personally take a backup before making any changes to system files, Time Machine is nice ‘n all, but I’d prefer not to have to go there in the first place. 1) An out the box FCSvr install doesn’t set an “AUTH_TYPE” key/value pair in the file. Under 10.5 & 10.6 this didn’t cause any issues, but 10.7+ does seem to be an issue. So for Local and Open Directory authentication, this command will do the job: sudo defaults write /Library/Preferences/ “AUTH_TYPE” -int 2 If you’re being more daring and trying to work with an Active Directory, then you’ll want the following: sudo defaults write /Library/Preferences/ “AUTH_TYPE” -int 1 2) Because of how things have changed between 10.6 and 10.7 & 10.8, its necessary to manually copy the apache site config into a users apache space. sudo cp “/Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/Resources/share/conf/client_apache2.conf” “/etc/apache2/users/fcsvr.conf” 3) Now in order for the apache site config to be read by apache, we need to add in the necessary direction for httpd. Append “UserDir Sites” to end of “/etc/apache/httpd.conf”, this can be done as a one-liner if you like: sudo echo “UserDir Sites” >>/etc/apache2/httpd.conf 4) Lastly we have to add in the redirection settings for 10.7+ as the installers isn’t able to do this due to file path changes between the OS revisions. So, in your /etc/apache2/sites/0000_any_80_.conf file, paste in the following lines after the IfModule for mod_ssl.c: <IfModule mod_rewrite.c> RewriteCond %{REQUEST_METHOD} ^TRACE RewriteEngine On RewriteRule .* – [F] RewriteRule ^/FinalCutServer$ /~fcsvr/Sites/webstart/index.php [NC,L] RewriteRule ^/FinalCutServer/FinalCutServer_mac.jnlp$ /~fcsvr/Sites/webstart/macJnlp.php [NC,L] RewriteRule ^/FinalCutServer/FinalCutServer_windows.jnlp$ /~fcsvr/Sites/webstart/windowsJnlp.php [NC,L] RewriteRule ^/FinalCutServer/FinalCutServer_other.jnlp$ /~fcsvr/Sites/webstart/jnlp.php [NC,L] </IfModule> ORIGINAL_SOURCES: SPECIAL_MENTIONS: Matt Geller, David Colville

Signing Installation Packages

In OS X, installers are known as packages. The trend in OS X is to sign anything going onto a computer so that it can then be installed without concern that the product is not authentic. The productsign command provides the ability to sign packages in much the same way that the codesign command can be used on apps. For example, let’s say that we wanted to sign a package called Alpha.pkg in /tmp with Apple DeveloperID 31415926535897932384626 and have it result in a new package, Omega.pkg in the same directory. The command would be as follows: productsign --sign 'Developer ID Installer: 31415926535897932384626' '/temp/Alpha.pkg' '/temp/Omega.pkg' You can also timestamp the signing by adding a –timestamp option or disable trusted timestamps with the –timestamp=none. You can also indicate a keychain using the –keychain option or –cert to indicate a certificate to embed in the archive. Once signed, you can then test the signing using the spctl command along with the –assess option. The –type option would also indicate a type of install, resulting in the following for Omega.pkg: spctl --assess --type install /temp/Omega.pkg

A Guide To Using Mountain Lion Server (OS X 10.8)

I’ve been doing a number of postings on how to use various features of the latest version of OS X Server. Given that WordPress is pretty much a reverse chronological listing of articles I’ve written, I thought I’d put together a listing of the pages that I’ve done for OS X Server 10.8 (Mountain Lion Server) in order to offer a more pedagogically aligned way of reading these posts. As such, here is the Table of Contents for these posts: Introduction Managing the Server Configuring Services Troubleshooting Command Line Misc

A Sneak Peak At Mac OS X 10.9

Yes, it’s about a month or two into the OS cycle and there’s now a 10.8.1. So it’s time to announce the name and image that will be used with the next OS. We’re down to Ocelot, Serval and Bobcat. Therefore, I would think that 10.9 will be… Drumroll…
Mac OS X 10.9 - Bobcat
Mac OS X 10.9 – Bobcat
BOBCAT! And from some Chinese factories I’ve been smuggled pictures of what the box that contains the disks will look like. It’s a little retro (disks are now retro btw). And I mean, Police Academy 2 era retro. But think of the startup sounds the OS could make. Think of how much people would want that face beaming back at them during the startup process. Just think of all the endless possibilities just in Police Academy 2 through 4! This is going to be an amazing year. As proof, see the previous versions of OS X and their cats:
  • Public Beta: Kodiak – September 2000 (still crawling Google Images looking for a picture of one of these)
  • 10.0: Cheetah (March 2001)
  • 10.1: Puma (September 2001)
  • 10.2: Jaguar (August 2002)
  • 10.3: Panther (October 2003)
  • 10.4: Tiger (April 2005)
  • 10.5: Leopard (October 2007)
  • 10.6: Snow Leopard (August 2009)
  • 10.7: Lion (July 2011)
  • 10.8: Mountain Lion (July 2012)
  • 10.9: Bobcat
Note: Since Puma and Cheetah were internal codenames, perhaps they’ll be recycled)

Configuring Time In OS X Mountain Lion & OS X Mountain Lion Server

Time is a very important aspect of OS X Server, as it has been since the early days. Time is so important that if you see network time server, NTP or 5 minutes as the answer on an Apple exam, you should just pick that one, as it’s invariably correct. The traditional way to configure time zones and Network Time Servers is to use systemsetup command. Before you set a time zone, run the following to see a list of all available time zones, use the -listtimezones option in systemsetup: sudo systemsetup -listtimezones To set the time zone, pick one and use the -settimezone option in systemsetup: sudo systemsetup -settimezone "America/Chicago" To check the current time, then run -gettime: sudo systemsetup -gettime The -settime option can then be used to set the time, although it’s invariably better to set the time zone automatically with a network time protocol (NTP) server, using the -setnetworktimeserver option: sudo systemsetup -setnetworktimeserver You would then need to turn using NTP servers on, using -setusingnetworktime option and setting the value there to on sudo systemsetup -setusingnetworktime on Now let’s look at a different way to do this. Run the following, in OS X Server: sudo serveradmin settings info:timeZone = "America/New_York" That shouldn’t work. Now ya’ know, OS X Server isn’t fully matured yet, so they’ll get around to it… But what does work is setting the NTP server and enabling NTP services. To enable NTP: sudo serveradmin settings info:ntpTimeServe = yes To set the NTP server: info:ntpServerName = "" Note: The NTP server must be accessible when set.

Using Time Machine Server in Mountain Lion Server

The Time Machine service in Mountain Lion Server hasn’t changed much from the service in Lion Server. To enable the Time Machine service, open the Server app, click on Time Machine in the SERVICES sidebar. If the service hasn’t been enabled to date, the ON/OFF switch will be in the OFF position and no “Backup destination” will be shown in the Settings pane. Click on the ON button to see a list of volumes to use as a destination for Time Machine backups. This should be large enough to have space for all of the users that can potentially use the Time Machine service hosted on the server. When you click the ON button, a list of volumes appears. Here, click on the volume to save your backups to. In this case, it’s the internal hard drive; however, in most cases the Backup destination will be a mass storage device and not the boot volume of the computer. Once selected, click “Use for Backup” and the service will start. Don’t touch anything until the service starts. Once started, change the backup destination at any time using the Edit button. Time Machine Server works via Bonjour. Open the Time Machine System Preference pane and then click on the Select Backup Disk button from a client to see the server in the list of available targets, much as you would do with an Apple Time Capsule. Under the hood, a backup share is creating in the file sharing service. To see the attributes of this share, use the serveradmin command followed by the settings option and then the¬†sharing:sharePointList:_array_id:/Shared Items/Backups sudo serveradmin settings sharing:sharePointList:_array_id:/Shared Items/Backups The output indicates the options configured for the share, including how locking is handled, guest access disabled, generated identifiers and the protocols the backups share listens as: sharing:sharePointList:_array_id:/Shared Items/Backups:dsAttrTypeStandard:GeneratedUID = "1B1C7CFB-2B95-4087-B28B-C786E9CD68E2" sharing:sharePointList:_array_id:/Shared Items/Backups:smbName = "Backups" sharing:sharePointList:_array_id:/Shared Items/Backups:afpIsGuestAccessEnabled = no sharing:sharePointList:_array_id:/Shared Items/Backups:smbDirectoryMask = "0755" sharing:sharePointList:_array_id:/Shared Items/Backups:afpName = "Backups" sharing:sharePointList:_array_id:/Shared Items/Backups:smbCreateMask = "0644" sharing:sharePointList:_array_id:/Shared Items/Backups:nfsExportRecord = _empty_array sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Shared Items/Backups" sharing:sharePointList:_array_id:/Shared Items/Backups:smbUseStrictLocking = yes sharing:sharePointList:_array_id:/Shared Items/Backups:smbIsGuestAccessEnabled = no sharing:sharePointList:_array_id:/Shared Items/Backups:name = "Backups" sharing:sharePointList:_array_id:/Shared Items/Backups:smbInheritPermissions = yes sharing:sharePointList:_array_id:/Shared Items/Backups:ftpName = "Backups" sharing:sharePointList:_array_id:/Shared Items/Backups:smbIsShared = no sharing:sharePointList:_array_id:/Shared Items/Backups:afpIsShared = yes sharing:sharePointList:_array_id:/Shared Items/Backups:timeMachineBackupUUID = "29B22ADA-97A3-46B2-9CB3-8EF9AFC9334E" sharing:sharePointList:_array_id:/Shared Items/Backups:isTimeMachineBackup = yes sharing:sharePointList:_array_id:/Shared Items/Backups:smbUseOplocks = yes sharing:sharePointList:_array_id:/Shared Items/Backups:dsAttrTypeNative:sharepoint_group_id = "59161FF9-78E7-4A41-B071-B6E60866694F" sharing:sharePointList:_array_id:/Shared Items/Backups:isIndexingEnabled = yes sharing:sharePointList:_array_id:/Shared Items/Backups:mountedOnPath = "/" Once the service is running, administrators frequently fill up the target volume. To move data to another location, first stop the service and then move the folder (e.g. using mv). Once moved, use the serveradmin command to send settings to the new backup path. For example, to change the target to /Volumes/bighonkindisk, use the following command: sudo serveradmin settings sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Volumes/bighonkindisk" Another way to see the share and attributes of the share is through the sharing command: sharing -l Which should show output similar to the following: List of Share Points name: Backups path: /Shared Items/Backups afp: { name: Backups shared: 1 guest access: 0 inherit perms: 0 } ftp: { name: Backups shared: 0 guest access: 0 } smb: { name: Backups shared: 0 guest access: 0 } There’s also a Bonjour service published that announces to other clients on the same subnet that the server can be used as a backup destination (the same technology used in a Time Capsule). One major difference between the Time Machine service and others is that there’s no specific serveradmin option for tm or tmutil (the Time Machine command line) or timemachine. Instead, most everything piggy-backs off the sharing service. Also, what I consider a major difference is that most other services now have generic names (e.g. Address Book is now called Contacts, iCal is now called Calendar, etc). The only services still using marketing terms as their names are really Profile Manager, Time Machine and Open Directory. I would expect these to eventually be called Profiles, Backup and Directory to keep the naming convention already started with the rest of the services. I think that as a free aspect of OS X Server Time Machine Server is well worth the money for small workgroups. However, there are backup solutions from 3rd party vendors worth far more than their purchase price due to reduced disk capacity requirements (e.g. through deduplication), reduced overhead (e.g. by streamlining or accelerating traffic for the backup protocols, or even offloading all the work to the client systems) and allowing for more redundancy to backups (e.g. 2 targets). This additional logic can at first appear to come at a steep cost, but when you look at bandwidth, disk and other expenditures to get Time Machine server integrated it can be a challenge. Also, Time Machine is built to work via Bonjour, meaning that by virtue it’s then limited to smaller subnets. Time Machine Server is a great add-on, but many organizations may quickly outgrow it. Not all though, and so for a SoHo comprehensive server that needs to provide for client-based backups, OS X Server has a great feature in Time Machine. While I found plenty to ramble on about in this article, nothing has really changed since the Lion iteration of the service. Mass deployment is still the same, as is client side configuration. One change is that the screen for the Time Machine Options on the client no longer has an option for managing Versions, as seen below.

Copy Files Status in Mountain Lion

Of the new features in Mountain Lion, one I have already started to love is the fact that when you’re copying folders, you see a status in the Finder screen that lists the folders. This allows me to do a bunch of Finder level copies and rather than tile out the screens that I’m using to copy, I can just watch them from the parent folder. Sometimes it’s the little things…