krypted.com

Tiny Deathstars of Foulness

Linux and OS X come with the makekey command installed, usually in /usr/libexec/makekey. You can use this binary to create /etc/passwd file entries of hashed passwords. To use the command, simply pipe some text into the command. Here, we’ll echo testpassword into makekey:

echo testpassword | /usr/libexec/makekey

And we’ll get a simple output, such as the following. makekey reads ten bytes from its input: the first eight are the key and the last two are the salt, so the hash is of "testpass" and the two-character salt "wo" leads the traditional 13-character crypt(3) result:

woNH11o4mqvAc

There are certainly other ways to do something like this, but when writing a script you may use in either a Linux or OS X environment, this is one place where you should have a modicum of success crossing platforms.

January 9th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security


Pretty much every script I’m working on these days must be run as root. Checking which user is running something is pretty straightforward, as there’s a built-in shell variable, $USER, that contains the user running a script. To see this real quick, simply run the following:

echo $USER

You can then put this into your scripts. I’ve been using the same block of code for decades, which can be run in a script by itself if you’d like to paste this into one.

#!/bin/bash
# Bail out (non-zero exit) unless the script is running as root
if [[ $USER != "root" ]]; then
  echo "This script must be run as root"
  exit 1
else
  echo "You are root"
fi

Note: Keep in mind that the built-in $USER variable is case sensitive.

Obviously, most people won’t keep the lines that contain the else and you are root echo statements. You can just remove these or replace them with the meat of your script that requires elevated privileges to run. Enjoy.

December 21st, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Unix


Spotlight just kinda’ works. Except when it doesn’t. Which is luckily pretty rare, for the use cases that Spotlight was designed for. But when it doesn’t work, you have a few tools that I’ve highlighted over the years to help you out, including articles on shared volumes, manually indexing, disabling Spotlight, and a few others. But what if you need to go in more depth to isolate an issue? For this, Apple has provided us with a tool called mddiagnose, in /usr/bin. In the following command, we’ll run an mddiagnose to dump a bunch of system statistics that we can then look at. Here, we’ll do that to a folder called test in our current working directory:

/usr/bin/mddiagnose -f test

The output is then test.mdsdiagnostic, a directory with a CrashReporter, spindump, Samples, DiagnosticReports, a few system.log exports, and a diagnostic.log.

You can then view your log using the more command (or cat or less or whatevers):

more test.mdsdiagnostic/diagnostic.log

Here, you’ll see the output of a bunch of scripts that were run. I find that this is the most informational aspect of what I get from the mddiagnose output. Every time I’ve actually fixed an issue here, it’s been with this output.

The other aspect of mddiagnose that I’ve found useful is checking permissions and paths. Here, you can answer the simple question of whether mdutil has permissions to check a path. We’ll do so using the -p option:

mddiagnose -p /Library/Application\ Support/Appifitizer

Enjoy!


December 15th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


You know how in Notification Center a banner stays on screen for a while? You can customize how long that lasts. To do so, use defaults to write a bannerTime key into com.apple.notificationcenterui. The value should be an integer giving the number of seconds for the banner to display. For example, to set the banner to 10 seconds:

defaults write com.apple.notificationcenterui bannerTime 10

Or 2 seconds:

defaults write com.apple.notificationcenterui bannerTime 2

Once you set the time, log out and log back in (or reboot) for the change to take effect. Enjoy

November 17th, 2015

Posted In: Mac OS X


Financial services is an interesting business when it comes to what you need to do to meet your regulatory requirements. With so much data and the services that enable you to access data moving to the cloud, it can be hard to keep up with how solutions meet any regulatory requirements you might have. At the end of the day, you’re primarily concerned about customer data leaking out of your environment and making sure that you can report on every single thing that happened in an environment. Whatever help we can provide in this article, make sure that you vet anything against what the individuals that review your regulatory requirements say.

Click Here to Continue Reading More On blog.bushel.com

November 13th, 2015

Posted In: Bushel


There are a couple of parts to this article. The first is to describe the server command, stored in /Applications/Server.app/Contents/ServerRoot/usr/sbin/server. The description of the command by Brad Chapman was so eloquently put on this JAMF Nation post that I’m just gonna’ paste it in here:

So … I just installed Server 5.0.x tonight on my Mac Mini running Yosemite (10.10.5). There was a question that came up during JNUC about upgrading Server and having a way to accept the license agreement without going through the GUI.

So for shits and giggles I tried:

server setup

It’s not documented. And lo and behold, I got the prompt to accept the license agreement just like you do with Xcode.

Post your trip reports here! Can this be automated?

tardis:~ chapman$ sudo server setup
Password:
To use server, you must agree to the terms of the software license agreement.

Press Return to view the software license agreement.

---insert license agreement here---

Do you agree to the terms of the software license agreement? (y/N) y

Administrator access is required to set up OS X Server on this Mac. Type an administrator's user name and password to allow this.
User name: chapman
Password: 

Initializing setup...
Getting server state...
Getting host names...
Writing server settings...
Configuring Service Authentication...
Creating certificates...
Getting certificates...
Renewing certificate...
Enabling server password hashes for local users...
Creating service principals...
Initializing certificates...
Preparing services...
Preparing Caching service...
Preparing Calendar service...
Preparing Profile Manager service...
Preparing File Sharing service...
Preparing Software Update service...
Preparing Messages service...
Preparing Mail service...
Preparing Web service...
Preparing Calendar service...
Preparing Wiki service...
Preparing Calendar service...
Preparing Profile Manager service...
Initializing Wiki...
Initializing Mail...
Initializing VPN...
Initializing Xcode...
Enabling autobuddy for local accounts...
Updating admin password policy...
Checking DNS Configuration...
Reading DNS configuration...
Completing setup...

server encountered errors during setup:

Unknown error
tardis:~ chapman$

I don’t know what the ‘unknown error’ was.

The error is pretty much typical. I rarely see a server that doesn’t spawn some kind of error, and most errors will throw this. Oh well. The only option that he didn’t mention that isn’t meant for internal use is help, which doesn’t even indicate setup as a verb. Now, here’s where it gets fun. This is cute, but if you’re scripting a full server setup, you’ll want to bust out a little expect script here. I’m gonna’ put the username and password in cleartext here, to keep the script readable:

#!/usr/bin/expect
# Wait up to five minutes for each prompt before giving up
set timeout 300
spawn server setup
# Walk through the license agreement prompts shown in the transcript above
expect "Press Return to view the software license agreement." { send \r }
expect "Do you agree to the terms of the software license agreement? (y/N)" { send "y\r" }
# Answer the administrator credential prompts
expect "User name:" { send "MYADMINUSERNAME\r" }
expect "Password:" { send "MYPASSWORD\r" }
# Hand control back to the terminal so the rest of the setup output is visible
interact

Obviously, you would replace MYADMINUSERNAME with your admin username and MYPASSWORD with your password. But basically, drop the Server.app on a machine, run this, and you’re good to go. Now, hypothetically, if you’re spinning up a Caching server (e.g. if you’re building out 100 caching servers, this might come in handy), then you could use the commands described in this article I wrote earlier.

October 28th, 2015

Posted In: Mac OS X Server, Mass Deployment


The Caching Server in OS X Server 5 is pretty simple, right? You open up the server app and then click on the On button and you’re… off… to… the… races… Yup. There are also a few options that you can configure using the Server app. You can configure which IP addresses (or networks) are able to access your server. You can configure where the cache is stored. You can configure the amount of Cached used. And you can clear out that cache. Boom. Including the ON button, you’ve only got 5 things you can do here. Pretty easy.

To script kicking off the service as just a proxy that caches all patches that it can, simply use the following command:

sudo serveradmin start caching

The above command simply enables the service and starts the daemon. At that point, it registers with Apple and starts caching what it can. For many environments, this is pretty much all you need to do.

But you can also configure the options available in the GUI, and a few that aren’t, using the command line. And then there are some pretty cool things you can do in Caching under the hood that aren’t included in the Server app. Let’s look at what it might take to script setting up the Caching service, for example if we wanted to do scripted Caching Server deployments. Well, we’d need to start the service. By default the service would start with only local subnets being able to access the service, and all available content would be heated. Additionally, the default location for the cache is /Library/Server, with no limit to the cache and a reserved volume space of 25000000000 bytes. You can see this by looking at the output of serveradmin with the settings verb and the caching service, as follows:

sudo serveradmin settings caching

Which results in the following:

caching:ServerRoot = "/Library/Server"
caching:ReservedVolumeSpace = 25000000000
caching:LocalSubnetsOnly = yes
caching:Port = 0
caching:CacheLimit = 0
caching:DataPath = "/Library/Server/Caching/Data"

Now, let’s open up the caching server to the world, assuming of course that people can’t get to it unless they’re routable on our network. This makes caching for multiple subnets in a given LAN environment much simpler. To do so, we’d feed that caching:LocalSubnetsOnly key back in, with a no:

sudo serveradmin settings caching:LocalSubnetsOnly = no

Once the service is started, you will be able to perform tasks such as disabling the iCloud caching option. This is done by setting the AllowPersonalCaching key to false in /Library/Server/Caching/Config/Config.plist, as follows:

<key>AllowPersonalCaching</key>
<false/>

This can be done using the serveradmin command as well, using the settings verb with the caching service and the AllowPersonalCaching key, as follows:

sudo serveradmin settings caching:AllowPersonalCaching = no

You can also limit the space that the Caching Server uses for cached iCloud data with the settings verb, the caching service and the PersonalCacheLimit key, provided the PersonalCacheLimit doesn’t exceed the CacheLimit. For example:

<key>PersonalCacheLimit</key>
<integer>200000000000</integer>

In /Library/Server/Caching/Config/ you’ll find a file called Config.plist. Here, you’ll find way more settings, including those not output when you run serveradmin. You can actually drop lots of settings into new servers by copying this file into the correct location. However, prior to doing so, you’ll need to sanitize the file. There are two unique keys that should never be copied between servers. The first is the ServerGUID. The ServerGUID is a generated unique identifier that the server creates for itself when started.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CacheLimit</key>
<integer>0</integer>
<key>DataPath</key>
<string>/Library/Server/Caching/Data</string>
<key>LastConfigData</key>
<data>
XXX
</data>
<key>LastConfigURL</key>
<string>http://suconfig.apple.com/resource/registration/v1/config.plist</string>
<key>LastPort</key>
<integer>52303</integer>
<key>LocalSubnetsOnly</key>
<true/>
<key>Port</key>
<integer>0</integer>
<key>ReservedVolumeSpace</key>
<integer>25000000000</integer>
<key>SavedCacheDetails</key>
<dict/>
<key>SavedCacheDetailsOrder</key>
<array>
<string>Mac Software</string>
<string>iOS Software</string>
<string>iCloud</string>
<string>Books</string>
<string>iTunes U</string>
<string>Movies</string>
<string>Music</string>
<string>Other</string>
</array>
<key>SavedCacheDetailsStrings</key>
<dict>
<key>de</key>
<dict>
<key>Books</key>
<string>Bücher</string>
<key>Mac Software</key>
<string>Mac-Software</string>
<key>Movies</key>
<string>Filme</string>
<key>Music</key>
<string>Musik</string>
<key>Other</key>
<string>Anderes</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS-Software</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>en</key>
<dict>
<key>Books</key>
<string>Books</string>
<key>Mac Software</key>
<string>Mac Software</string>
<key>Movies</key>
<string>Movies</string>
<key>Music</key>
<string>Music</string>
<key>Other</key>
<string>Other</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS Software</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>es</key>
<dict>
<key>Books</key>
<string>Libros</string>
<key>Mac Software</key>
<string>Software Mac</string>
<key>Movies</key>
<string>Películas</string>
<key>Music</key>
<string>Música</string>
<key>Other</key>
<string>Otros</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>Software iOS</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>fr</key>
<dict>
<key>Books</key>
<string>Livres</string>
<key>Mac Software</key>
<string>Logiciels Mac</string>
<key>Movies</key>
<string>Films</string>
<key>Music</key>
<string>Musique</string>
<key>Other</key>
<string>Autres</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>Logiciels iOS</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>it</key>
<dict>
<key>Books</key>
<string>Libri</string>
<key>Mac Software</key>
<string>Software Mac</string>
<key>Movies</key>
<string>Film</string>
<key>Music</key>
<string>Musica</string>
<key>Other</key>
<string>Altro</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>Software iOS</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>ja</key>
<dict>
<key>Books</key>
<string>ブック</string>
<key>Mac Software</key>
<string>Mac ソフトウェア</string>
<key>Movies</key>
<string>ムービー</string>
<key>Music</key>
<string>ミュージック</string>
<key>Other</key>
<string>その他</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS ソフトウェア</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>ko</key>
<dict>
<key>Books</key>
<string>책</string>
<key>Mac Software</key>
<string>Mac 소프트웨어</string>
<key>Movies</key>
<string>동영상</string>
<key>Music</key>
<string>음악</string>
<key>Other</key>
<string>기타</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS 소프트웨어</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>nl</key>
<dict>
<key>Books</key>
<string>Boeken</string>
<key>Mac Software</key>
<string>Mac-software</string>
<key>Movies</key>
<string>Films</string>
<key>Music</key>
<string>Muziek</string>
<key>Other</key>
<string>Overig</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS-software</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>zh-CN</key>
<dict>
<key>Books</key>
<string>图书</string>
<key>Mac Software</key>
<string>Mac 软件</string>
<key>Movies</key>
<string>影片</string>
<key>Music</key>
<string>音乐</string>
<key>Other</key>
<string>其他</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS 软件</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>zh-Hans</key>
<dict>
<key>Books</key>
<string>图书</string>
<key>Mac Software</key>
<string>Mac 软件</string>
<key>Movies</key>
<string>影片</string>
<key>Music</key>
<string>音乐</string>
<key>Other</key>
<string>其他</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS 软件</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>zh-Hant</key>
<dict>
<key>Books</key>
<string>書籍</string>
<key>Mac Software</key>
<string>Mac 軟體</string>
<key>Movies</key>
<string>影片</string>
<key>Music</key>
<string>音樂</string>
<key>Other</key>
<string>其他</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS 軟體</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>zh-TW</key>
<dict>
<key>Books</key>
<string>書籍</string>
<key>Mac Software</key>
<string>Mac 軟體</string>
<key>Movies</key>
<string>影片</string>
<key>Music</key>
<string>音樂</string>
<key>Other</key>
<string>其他</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS 軟體</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>zh_CN</key>
<dict>
<key>Books</key>
<string>图书</string>
<key>Mac Software</key>
<string>Mac 软件</string>
<key>Movies</key>
<string>影片</string>
<key>Music</key>
<string>音乐</string>
<key>Other</key>
<string>其他</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS 软件</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
<key>zh_TW</key>
<dict>
<key>Books</key>
<string>書籍</string>
<key>Mac Software</key>
<string>Mac 軟體</string>
<key>Movies</key>
<string>影片</string>
<key>Music</key>
<string>音樂</string>
<key>Other</key>
<string>其他</string>
<key>iCloud</key>
<string>iCloud</string>
<key>iOS Software</key>
<string>iOS 軟體</string>
<key>iTunes U</key>
<string>iTunes U</string>
</dict>
</dict>
<key>SavedCacheSize</key>
<integer>0</integer>
<key>ServerGUID</key>
<string>A955E484-E2A6-4759-A8F4-108CF9B733A7</string>
<key>ServerRoot</key>
<string>/Library/Server</string>
<key>Version</key>
<integer>1</integer>
</dict>
</plist>
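Added example, not the post’s or Apple’s code: a Python 3 script that loads a Config.plist with the standard-library plistlib, strips the ServerGUID before the file is copied to another server, applies the same settings the post sets through serveradmin, and checks the PersonalCacheLimit/CacheLimit rule described above. The sample plist is constructed from the values shown on this page; the extra_keys parameter and the validation rules are assumptions of this example.

```python
"""Sanitize a Caching Server Config.plist before cloning it to another server.
Added example, not from the original post; uses only the stdlib plistlib."""
import plistlib

# Constructed sample: a trimmed Config.plist built from the values in the post.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CacheLimit</key><integer>0</integer>
<key>DataPath</key><string>/Library/Server/Caching/Data</string>
<key>LastPort</key><integer>52303</integer>
<key>LocalSubnetsOnly</key><true/>
<key>ReservedVolumeSpace</key><integer>25000000000</integer>
<key>ServerGUID</key><string>A955E484-E2A6-4759-A8F4-108CF9B733A7</string>
<key>ServerRoot</key><string>/Library/Server</string>
</dict>
</plist>
"""

# The post names ServerGUID as a per-server value that must never be copied.
# Further host-specific keys are the caller's call (assumption: the post does
# not spell out the second one), passed through extra_keys.
NEVER_CLONE = ("ServerGUID",)


def validate_config(cfg):
    """Enforce the constraints the post describes for the caching keys."""
    if "ServerGUID" in cfg:
        raise ValueError("ServerGUID must not be cloned to another server")
    apc = cfg.get("AllowPersonalCaching")
    if apc is not None and not isinstance(apc, bool):
        # serveradmin's yes/no becomes a plist boolean; <integer>false</integer> is not valid
        raise ValueError("AllowPersonalCaching must be <true/> or <false/>, got %r" % (apc,))
    cache_limit = cfg.get("CacheLimit", 0)  # 0 means no limit
    personal = cfg.get("PersonalCacheLimit")
    if personal is not None and cache_limit and personal > cache_limit:
        raise ValueError("PersonalCacheLimit %d exceeds CacheLimit %d" % (personal, cache_limit))


def sanitize_config(plist_bytes, extra_keys=(), overrides=None):
    """Return (config_dict, removed_keys): host-unique keys stripped, overrides
    (the same keys serveradmin sets, e.g. LocalSubnetsOnly) applied, then validated."""
    cfg = plistlib.loads(plist_bytes)
    removed = [k for k in (*NEVER_CLONE, *extra_keys) if cfg.pop(k, None) is not None]
    cfg.update(overrides or {})
    validate_config(cfg)
    return cfg, removed


def sanitized_plist(plist_bytes, **kwargs):
    """XML plist bytes ready to be written as the new server's Config.plist."""
    return plistlib.dumps(sanitize_config(plist_bytes, **kwargs)[0])


if __name__ == "__main__":
    cfg, removed = sanitize_config(
        SAMPLE_CONFIG, extra_keys=("LastPort",),
        overrides={"LocalSubnetsOnly": False, "AllowPersonalCaching": False})
    print("removed:", removed)
    print(plistlib.dumps(cfg).decode())
```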

There’s always some sanity checking you can do. The main reason I’ve seen the server not want to start is that the server cannot register with Apple. The first thing the server does when it registers is to establish a connection to Apple using the ServerGUID; it then pulls down more settings from http://suconfig.apple.com/resource/registration/v1/config.plist and, if needed, begins heating the cache. Now, if the serveradmin command reports back a fullstatus that the server is pending and never makes a connection, there are two issues I’ve seen occur. The first is that you copied the ServerGUID from another host that’s already registered with Apple. The second is an error for “The operation couldn’t be completed” with an error code of 1. To see this, you can run serveradmin with fullstatus and then the service identifier and the caching:startupStatus identifier:

caching:RegistrationStatus:error = <62706c69 73743030 d4010203 04050618 19582476 65727369 6f6e5824 6f626a65 63747359 24617263 68697665 72542474 6f701200 0186a0a4 07081112 55246e75 6c6cd409 0a0b0c0d 0e0f1056 4e53436f 64655a4e 53557365 72496e66 6f584e53 446f6d61 696e5624 636c6173 73100180 00800280 035f1014 636f6d2e 6170706c 652e7365 72766572 6d677264 d2131415 165a2463 6c617373 6e616d65 5824636c 61737365 73574e53 4572726f 72a21517 584e534f 626a6563 745f100f 4e534b65 79656441 72636869 766572d1 1a1b5472 6f6f7480 0108111a 232d3237 3c424b52 5d666d6f 7173758c 919ca5ad b0b9cbce d3000000 00000001 01000000 00000000 1c000000 00000000 00000000 00000000 d5>
caching:RegistrationStatus:errorDescription = "The operation couldn’t be completed. (com.apple.servermgrd error 1.)"
caching:RegistrationStatus:errorCode = 1

caching:RegistrationStatus = 0

This is usually because the server cannot make a connection to Apple. Check that the server can ping, or otherwise reach, the suconfig.apple.com server. Most of the time I’ve found that this involves a proxy. To sanity check for this in a script, try to curl down a copy of http://suconfig.apple.com/resource/registration/v1/config.plist.
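As an added example that is not part of the original post: a Python 3 parser for the key = value lines that serveradmin prints, applied to the settings output and the registration failure shown above. The sample output is constructed from the lines on this page, with the error blob truncated to its first bytes; the healthy/failed rule in registration_problem is this example’s assumption (no error keys present means no registration problem).

```python
"""Parse `serveradmin settings|fullstatus caching` output and flag a failed
registration with Apple. Added example, not from the original post."""
import re

# Constructed sample: the settings output the post shows for a fresh server.
SAMPLE_SETTINGS = """caching:ServerRoot = "/Library/Server"
caching:ReservedVolumeSpace = 25000000000
caching:LocalSubnetsOnly = yes
caching:Port = 0
caching:CacheLimit = 0
caching:DataPath = "/Library/Server/Caching/Data"
"""

# Constructed sample: the fullstatus lines from the post; the <hex> blob is
# truncated to its first 12 bytes (it begins with the binary-plist magic).
SAMPLE_FULLSTATUS = """caching:RegistrationStatus:error = <62706c69 73743030 d4010203>
caching:RegistrationStatus:errorDescription = "The operation couldn\u2019t be completed. (com.apple.servermgrd error 1.)"
caching:RegistrationStatus:errorCode = 1
caching:RegistrationStatus = 0
"""

_LINE = re.compile(r"^(?P<key>[\w:.]+)\s*=\s*(?P<value>.*)$")


def _convert(raw):
    """Map serveradmin's textual values onto Python types."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]                                   # quoted string
    if raw.startswith("<") and raw.endswith(">"):          # <hex data> blob
        return bytes.fromhex(raw[1:-1].replace(" ", ""))
    if raw in ("yes", "no"):
        return raw == "yes"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_serveradmin(text):
    """Return {key: value} for every `key = value` line, skipping blanks."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out[m.group("key")] = _convert(m.group("value"))
    return out


def registration_problem(status):
    """Return a diagnostic string when caching failed to register with Apple
    (the case the post describes), or None when no error keys are present."""
    code = status.get("caching:RegistrationStatus:errorCode")
    blob = status.get("caching:RegistrationStatus:error")
    if code is None and blob is None:
        return None
    desc = status.get("caching:RegistrationStatus:errorDescription", "no description")
    # The error value is a binary plist (an archived NSError) when it starts with bplist00
    kind = "binary plist NSError" if isinstance(blob, bytes) and blob.startswith(b"bplist00") else "opaque error"
    return "registration failed (code %s, %s): %s" % (code, kind, desc)


if __name__ == "__main__":
    print(parse_serveradmin(SAMPLE_SETTINGS))
    print(registration_problem(parse_serveradmin(SAMPLE_FULLSTATUS)))
```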

There’s more, but I’m out of time. Will come back to this.

October 23rd, 2015

Posted In: Mac OS X Server, Mass Deployment


The latest and greatest of the Enterprise Mac Admin’s Guide is now available for Pre-Order at http://www.amazon.com/Enterprise-Mac-Administrators-Guide-Second/dp/1484217055/ref=sr_1_1?s=books&ie=UTF8&qid=1445529968. This is an interesting update. If you happened to see the previous edition, I’d described more about Casper than most of the other third party products on the market.


In this edition, there’s still an equal amount of information on Casper, but now there’s also more information on FileWave, and a whole chapter on the open source toolchain of products, including Munki and AutoPKG. The main reason I decided to update this title was actually the change from focusing on directory services (which still has plenty of page count) to focusing on profile management.

The most substantial update to the book was Bill Smith though. Bringing him in as a co-author provided a lot of new insight, new content, and a good bit of cleaned up text. He’s been great to work with!

This was a pretty big update, so hope you enjoy!


October 22nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


The third edition of the Enterprise Mac OS X Security book is now available for pre-order on Amazon at http://www.amazon.com/gp/product/148421711X!


Another title with Apress, for this edition I welcome Dan O’Donnell as a coauthor and in addition to modernizing everything, added a lot more on FileVault, signing, iCloud and Apple services. I don’t know how long the editorial process for this book will take, but it’s listed on Amazon with a ship date of December 3rd!

October 22nd, 2015

Posted In: Mac OS X, Mac Security, Mass Deployment

