Tag Archives: Snow Leopard

Categories: Mac OS X, Mac OS X Server, Mac Security, Xsan

Disable Swap Files In OS X

Every now and then I need to reclaim the space in /var/vm, or I need to stop a process from paging to swap files while I'm troubleshooting something else. I in no way endorse disabling swap files (which removes swap from your virtual memory altogether, so a process that exhausts physical memory has nowhere to page to and will fail rather than slow down) for extended periods of time. However, it has saved me when a system was unstable and I needed it up long enough to get it patched or something like that.

To disable swap files in OS X, stop the com.apple.dynamic_pager daemon (the process that creates and grows the swap files) and restart. Use launchctl to unload it; -w records the disabled state in the plist so it stays off across reboots:

sudo launchctl unload -wF /System/Library/LaunchDaemons/com.apple.dynamic_pager.plist

Once restarted, you may need to remove the files in /var/vm, as that is where the swap files are stored. The files are owned by root, so rm them with sudo:

sudo rm /var/vm/swapfile*

You should also be able to get rid of the sleepimage file in that directory if you need the space; it is the hibernation image (a copy of RAM written out for safe sleep) and is recreated the next time the machine hibernates. Since this is supposed to be a temporary or troubleshooting measure, turn swapping back on as soon as you can:

sudo launchctl load -wF /System/Library/LaunchDaemons/com.apple.dynamic_pager.plist
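The procedure above as one script, added here as an example and not code from the original post. It wraps the unload, the file removal and the reload in the checks I'd want before running them on a real box: the files are only deleted when sysctl vm.swapusage reports nothing paged out, and the same output tells you whether the swap files are encrypted (secure virtual memory). The sysctl output format, the LaunchDaemon path and the root requirement are the only assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): the swap-off / swap-on
# procedure above wrapped in checks. Assumes macOS's sysctl vm.swapusage,
# launchctl and the dynamic_pager LaunchDaemon path used in the post.
set -eu

PAGER_PLIST=/System/Library/LaunchDaemons/com.apple.dynamic_pager.plist

# Pull the 'used = NNN.NNM' figure out of 'sysctl vm.swapusage' output.
# The text is passed in as $1 so the parser can be checked against a sample.
swap_used_mb() {
  printf '%s\n' "$1" | sed -n 's/.*used = \([0-9.]*\)M.*/\1/p'
}

# Secure virtual memory: the same line ends in "(encrypted)" when the swap
# files are encrypted on disk.
swap_encrypted() {
  case "$1" in
    *"(encrypted)"*) return 0 ;;
    *) return 1 ;;
  esac
}

need_root() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 2; }
}

# Stop dynamic_pager. The post reboots after this and only then removes the
# files, because the running kernel may still have pages out in them.
disable_swap() {
  need_root
  launchctl unload -wF "$PAGER_PLIST"
  echo "dynamic_pager unloaded; reboot before removing /var/vm/swapfile*"
}

# Delete the swap files only when nothing is paged out to them.
remove_swapfiles() {
  need_root
  used=$(swap_used_mb "$(sysctl vm.swapusage)")
  [ -n "$used" ] || { echo "could not parse vm.swapusage" >&2; return 1; }
  if [ "${used%.*}" -ne 0 ]; then
    echo "refusing: ${used}M of swap still in use (reboot first)" >&2
    return 1
  fi
  rm -f /var/vm/swapfile*
}

enable_swap() {
  need_root
  launchctl load -wF "$PAGER_PLIST"
}

# Usage: sudo sh swapctl.sh status|disable|remove|enable
case "${1:-}" in
  status)
    u=$(sysctl vm.swapusage)
    echo "swap used: $(swap_used_mb "$u")M"
    if swap_encrypted "$u"; then
      echo "swap files are encrypted"
    else
      echo "swap files are NOT encrypted"
    fi ;;
  disable) disable_swap ;;
  remove)  remove_swapfiles ;;
  enable)  enable_swap ;;
esac
```

Run "status" first: if the swap files are not encrypted, anything paged out of a process (including passwords and keys) sits on disk in the clear, which is a better reason to care about /var/vm than the space it takes.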

Categories: Mac OS X Server, Mac Security

A Guide To Using Mountain Lion Server (OS X 10.8)

I’ve been doing a number of postings on how to use various features of the latest version of OS X Server. Given that WordPress is pretty much a reverse chronological listing of articles I’ve written, I thought I’d put together a listing of the pages that I’ve done for OS X Server 10.8 (Mountain Lion Server) in order to offer a more pedagogically aligned way of reading these posts. As such, here is the Table of Contents for these posts:

Introduction

Managing the Server

Configuring Services

Troubleshooting

Command Line

Misc

Categories: Mac OS X

A Sneak Peek At Mac OS X 10.9

Yes, it’s about a month or two into the OS cycle and there’s now a 10.8.1. So it’s time to announce the name and image that will be used with the next OS. We’re down to Ocelot, Serval and Bobcat. Therefore, I would think that 10.9 will be… Drumroll…


Mac OS X 10.9 – Bobcat

BOBCAT! And from some Chinese factories I’ve been smuggled pictures of what the box that contains the disks will look like. It’s a little retro (disks are now retro btw). And I mean, Police Academy 2 era retro. But think of the startup sounds the OS could make. Think of how much people would want that face beaming back at them during the startup process. Just think of all the endless possibilities just in Police Academy 2 through 4! This is going to be an amazing year.

As proof, see the previous versions of OS X and their cats:

  • Public Beta: Kodiak – September 2000 (still crawling Google Images looking for a picture of one of these)
  • 10.0: Cheetah (March 2001)
  • 10.1: Puma (September 2001)
  • 10.2: Jaguar (August 2002)
  • 10.3: Panther (October 2003)
  • 10.4: Tiger (April 2005)
  • 10.5: Leopard (October 2007)
  • 10.6: Snow Leopard (August 2009)
  • 10.7: Lion (July 2011)
  • 10.8: Mountain Lion (July 2012)
  • 10.9: Bobcat

Note: Since Puma and Cheetah were internal codenames, perhaps they'll be recycled.

Categories: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Windows Server

Limiting The Number of Windows Users in Lion Server (aka How-to of hidden serveradmin settings)

Lion Server doesn't have an option in the GUI for throttling the maximum number of users that can connect to the server via SMB, nor does the option appear in the serveradmin interface. If you run the following, you would previously have seen the setting listed; in Lion it no longer shows up:

serveradmin settings smb

The setting (when controlled via serveradmin) is MaxClients, followed by the number of clients you want as the maximum:

serveradmin settings smb:MaxClients=10

This is pretty easy stuff, but the point goes beyond limiting the number of users. Not all of the settings that can be changed through serveradmin are listed in its output any more, and you can still set them. Not every option from the developer documentation for the old, Samba-based smb service is still around, but a lot are. Another that a lot of people want is the SMB workgroup name in Lion Server:

serveradmin settings smb:Workgroup=SMBLOWS

You can also disable guest access by setting AllowGuestAccess to FALSE:

serveradmin settings smb:AllowGuestAccess=FALSE

Now, just because the option isn't listed doesn't mean the server hasn't already got a value for it. Querying AllowGuestAccess on its own shows that it defaults to on (so guests can connect until you change it), and most options, when named explicitly, will return their current setting if they still exist:

serveradmin settings smb:AllowGuestAccess

Overall, there's a lot you can do with a number of services. The options for many of these used to be easier to find. If there's something 10.6 let you do that isn't in the GUI in Lion or later and you miss it, look to the serveradmin command: make the change in the GUI where you can and see which preference changed, or name the setting directly as above. Who knows, the option might still be available in Lion, even if it isn't in the GUI…
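To close the loop on the three settings above, here is an added example (not code from the original post) that applies them with serveradmin and then reads them back by name and audits the result, since a setting you wrote but cannot see is easy to get wrong. It assumes serveradmin prints one "smb:Key = value" line per setting with string values in double quotes; check that against your own server before relying on the parser.

```shell
#!/bin/sh
# Added example (not code from the original post): apply the three SMB
# settings above with serveradmin, then read them back and audit them.
# Assumes 'serveradmin settings smb' prints one 'smb:Key = value' line per
# setting, with string values in double quotes; verify that on your server.
set -eu

# Value for one key from serveradmin output: $1 is the text, $2 the full key.
setting_value() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 == key && $2 == "=" { v = $3; gsub(/^"|"$/, "", v); print v; exit }'
}

# Report guest access, a missing connection limit and a missing workgroup.
# Prints one finding per line; returns 1 if anything needs attention.
audit_smb() {
  settings=$1; rc=0
  guest=$(setting_value "$settings" smb:AllowGuestAccess)
  max=$(setting_value "$settings" smb:MaxClients)
  wg=$(setting_value "$settings" smb:Workgroup)
  case "$guest" in
    yes|YES|true|TRUE|1) echo "guest access is enabled"; rc=1 ;;
    "") echo "AllowGuestAccess not reported; query it by name"; rc=1 ;;
  esac
  [ -n "$max" ] || { echo "MaxClients not set (no limit on SMB connections)"; rc=1; }
  [ -n "$wg" ]  || { echo "Workgroup not set"; rc=1; }
  return $rc
}

# Write the settings from the post, then confirm they took effect.
apply_and_verify() {
  serveradmin settings smb:MaxClients=10
  serveradmin settings smb:Workgroup=SMBLOWS
  serveradmin settings smb:AllowGuestAccess=FALSE
  # Ask for each key by name: keys absent from the full listing still answer.
  current="$(serveradmin settings smb:MaxClients)
$(serveradmin settings smb:Workgroup)
$(serveradmin settings smb:AllowGuestAccess)"
  audit_smb "$current"
}

# Usage: sudo sh smbaudit.sh apply
if [ "${1:-}" = apply ]; then apply_and_verify; fi
```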

Categories: public speaking

MacTech InDepth In New York

I have been added as a speaker at MacTech InDepth in New York. If you haven’t signed up yet, and you work with Mac OS X Server then you should really check out the sessions that have been planned:

  • The Elephant in the Room: The New Lion OS X is out, now what? There are a lot of differences to contend with between Lion and Snow Leopard. Now with the new Mountain Lion update, what changes can we expect to see? We discuss the differences in advanced services, GUI simplicity, and Apache management GUIs. We help you understand the updates in the new OS and make the transition easier. We go over the new updates of Lion over the Snow Leopard server.
  • Setting solid foundations: To truly grasp the power of Lion, you need to set up solid foundations. We go over minimum requirements for internet DNS, and tackle router tricks. We discuss open directory and what it was used for.
  • Mobile Device Management 101: Apple’s IPCU/Apple Configurator: Mobile Device Management is vital to businesses, large or small. We have an extensive overview of profile manager and how you can use mobile device management on OS X. For those still using Snow Leopard, we go over your options and discuss the possibility of using third parties as a solution.
  • DNS, Ahh, run away, run away: In this session, we tackle DNS and break it down and show how simple it is to work with. We go over how DNS works and cover different components such as internet DNS and internal DNS.
  • Administering a Server with just Server.app: We show you how to use Server.app and control administrative programs. For the services, we go over Address Book, iCal, iChat, and Mail.
  • Web Administration of OS X Server : Web Admin on Lion Server versus Snow Leopard is covered, dealing with the differences and how to use each system effectively. On Lion server, we cover using FTP without a GUI.
  • Going old school, using the old tools: After getting used to Snow Leopard we go over the major differences between Snow and Lion and how you can handle the transition. We go over server admin and what is still left in the program and why it has been left.
  • Deployment Part I: Tools & Concepts: In tools and concepts we learn that there aren’t stark differences between Lion server and Snow Leopard. NetBoot, NetRestore and third party tools are covered; we talk about how NetBoot works and what the differences between NetBoot and NetRestore are. Along with this we cover Network configuration requirements and using software update server.
  • Deployment Part II: DeployStudio: DeployStudio is covered in-depth; we cover creation techniques and management techniques.

Overall, this represents a nice, fast way to update your skills to allow for managing Lion Server and to get up to speed with those new to the platform. One thing I like about the session list is that it goes beyond the stock server implementation and looks at DeployStudio, MDM and other important topics not purely server oriented. I hope to see you all there!

These vagabond shoes, are longing to stray
Right through the very heart of it – New York, New York

Categories: Mac OS X, Mac OS X Server, Mac Security

FTP On Lion Server

Much has been made of the demise of FTP on OS X Server. Well, it may be badly burned, but it's not dead yet. Let's look at enabling FTP, first on the server and then per share. Keep in mind that FTP sends usernames, passwords and file contents in the clear, so anyone on the network path can read them; treat what follows as a legacy or troubleshooting measure rather than a recommendation.

Enable FTP on the Server

The first thing to do on a server you want to expose through FTP is to enable tnftpd, the FTP daemon Lion ships. Access to it is governed by a service access group named com.apple.access_ftp: only members of that group can log in over FTP. Open Workgroup Manager or Server.app and create a group containing the users you want to provide FTP services to. In this example we are going to assume a dedicated FTP server and open access to everyone, so we'll use the built-in everyone group (it exists by default, so there's nothing to create); feel free to swap in your own group. Then use dseditgroup to create the com.apple.access_ftp group, with -n naming the directory node to create it in (everything in this article requires sudo, btw):

dseditgroup -o create -n . com.apple.access_ftp

By default the group is empty, so once the service is enabled no one will have access to it. So let's add everyone; here -t gives the record type of the member being added (a group), and the last argument is the group being edited:

dseditgroup -o edit -n . -a everyone -t group com.apple.access_ftp

Now let's fire up FTP using the ftp.plist Apple kindly left us in /System/Library/LaunchDaemons (-w makes the change persist across reboots):

launchctl load -w /System/Library/LaunchDaemons/ftp.plist

Enable FTP on Shares

By default, share points in Lion have AFP and SMB enabled. The sharing command can be used to list and edit shares. To list:

sharing -l

Make note of the name of the share you'd like to enable FTP for, as well as whether AFP and SMB are enabled on it. Think of the -s value as 3 boolean slots, the first being AFP, the second FTP and the third SMB. Let's use an example share named Seldon, and say AFP and SMB are enabled on it by default. sharing can then be used to edit (-e) the Seldon share, setting the services (-s) to 111 so that FTP is added alongside AFP and SMB:

sharing -e Seldon -s 111

Or to enable just FTP, turning AFP and SMB off on the share (given that this example is a dedicated FTP server):

sharing -e Seldon -s 010

And let's say Seldon is a bit promiscuous, so we're also going to enable guest (anonymous) access for FTP. The -g option takes the same three slots, so this enables guest access for FTP only; anyone who can reach the server can then read the share without credentials:

sharing -e Seldon -g 010

Finally, set permissions via chmod (or chmod +a for ACLs) to grant or deny access at the file and folder level and you're done. FTP on future shares can be enabled with two or three commands, so FTP management really isn't all that big a deal. Command line doesn't always mean hard. In fact, sometimes it's easier 'cause you're not hunting around in nested screens for what to click on. Having said that, who knows whether this is a temporary reprieve before Apple finally gets away from a protocol older than I am. We would all do well to switch to something more secure (SFTP over the SSH service, say)…
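The whole FTP enablement above as one script, added here as an example and not code from the original post. The useful part is that the AFP/FTP/SMB triplet for sharing -s and -g is computed from service names rather than typed as digits, so a slip like 110 for 011 can't quietly turn guest access on for the wrong protocol, and anonymous FTP has to be asked for explicitly. It assumes Lion Server's dseditgroup, launchctl and sharing commands; the share name and the services to keep are arguments.

```shell
#!/bin/sh
# Added example (not code from the original post): the FTP steps above as one
# script, with the sharing(1) AFP/FTP/SMB triplet computed from service names
# rather than typed by hand. Assumes Lion Server's dseditgroup, launchctl and
# sharing commands; the share name and services to keep are arguments.
set -eu

FTP_PLIST=/System/Library/LaunchDaemons/ftp.plist
ACCESS_GROUP=com.apple.access_ftp

# Build the three-slot string that sharing -s and -g expect (AFP, FTP, SMB)
# from service names: 'service_flags ftp smb' -> 011. An unknown name is an
# error, so a typo cannot silently enable or disable the wrong protocol.
service_flags() {
  afp=0; ftp=0; smb=0
  for s in "$@"; do
    case "$s" in
      afp) afp=1 ;;
      ftp) ftp=1 ;;
      smb) smb=1 ;;
      *) echo "unknown service: $s" >&2; return 1 ;;
    esac
  done
  printf '%s%s%s\n' "$afp" "$ftp" "$smb"
}

# Create the service access group if missing, nest 'everyone' in it and load
# the daemon. -n names the directory node; -t is the record type of the
# member being added.
enable_ftp_service() {
  dseditgroup -o read -n . "$ACCESS_GROUP" >/dev/null 2>&1 ||
    dseditgroup -o create -n . "$ACCESS_GROUP"
  dseditgroup -o edit -n . -a everyone -t group "$ACCESS_GROUP"
  launchctl load -w "$FTP_PLIST"
}

# Enable FTP on share $1, keeping whichever of afp/smb follow it. Anonymous
# FTP is only switched on when FTP_GUEST=1 is set explicitly, because it
# lets anyone who can reach the server read the share.
enable_ftp_share() {
  share=$1; shift
  flags=$(service_flags ftp "$@")     # aborts under set -e on a bad name
  sharing -e "$share" -s "$flags"
  if [ "${FTP_GUEST:-0}" = 1 ]; then
    sharing -e "$share" -g "$(service_flags ftp)"
  fi
}

# Usage: sudo sh ftpshare.sh share Seldon afp smb    (adds FTP, keeps AFP/SMB)
#        sudo FTP_GUEST=1 sh ftpshare.sh share Seldon (FTP only, anonymous)
case "${1:-}" in
  share) shift; enable_ftp_service; enable_ftp_share "$@" ;;
esac
```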

Categories: Mac OS X

Automating Image File Changes

Ever need to automate changes to image files? Maybe a LaunchAgent that watches a specific folder and resizes PNG files dropped in there, or a little script that sanitizes images as they come in to a specific size (e.g. poster frames)? Well, sips is a little tool built into OS X that can help immensely with this. It will even convert that PNG to a JPEG, or PICT to PNG. Let's look at using sips. First up, let's just get the width and height of an image file:

sips --getProperty pixelHeight /Shared/tmpimages/1.png
sips --getProperty pixelWidth /Shared/tmpimages/1.png

Or for dpi:

sips --getProperty dpiHeight /Shared/tmpimages/1.png
sips --getProperty dpiWidth /Shared/tmpimages/1.png

Or to get the format:

sips --getProperty format /Shared/tmpimages/1.png

Now let's set a property, in this case format, using the -o option to write the converted copy to a different location rather than overwriting the original:

sips --setProperty format jpeg /Shared/tmpimages/1.png -o /Shared/imageoutput/1.jpeg

Pretty nifty so far. Now, let's resize an image using the -z option, which takes the new height and then the new width in pixels (use -Z with a single value to fit the image within that size while keeping its aspect ratio):

sips /Shared/tmpimages/1.png -z 44 70 -o /Shared/imageoutput/converted.png

There’s lots more you can do with sips. It also happens to be built into OS X in the /usr/bin folder. Call on it for general still image manipulation. It’s quick and easily scriptable and best of all, a useful tool that can save lots of manual time converting images.
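The folder-watching sanitizer the opening paragraph describes, written out as an added example (not code from the original post). It re-encodes whatever lands in the inbox as a JPEG no larger than a fixed edge length, writes the result elsewhere with -o, ignores anything that isn't an image by extension, and includes the LaunchAgent plist (WatchPaths) that triggers it. The input and output folders are the post's; the label, the 1024 px limit and the JPEG-only policy are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): a folder-watching image
# sanitizer built on the sips calls above, plus the LaunchAgent that runs it.
# IN_DIR/OUT_DIR reuse the post's paths; the label, the 1024 px limit and
# the JPEG-only policy are assumptions for illustration.
set -eu

IN_DIR=${IN_DIR:-/Shared/tmpimages}
OUT_DIR=${OUT_DIR:-/Shared/imageoutput}
MAX_PX=${MAX_PX:-1024}          # longest edge after resampling
LABEL=com.example.imagesanitizer

# Only handle extensions we expect; anything else dropped in the folder
# (scripts, archives, renamed binaries) is left alone and reported.
image_ext_allowed() {
  case "$1" in
    *.png|*.PNG|*.jpg|*.JPG|*.jpeg|*.JPEG|*.gif|*.GIF|*.tif|*.TIF|*.tiff|*.TIFF) return 0 ;;
    *) return 1 ;;
  esac
}

# Output file name: basename without its extension, forced to .jpg.
output_name() {
  base=${1##*/}
  printf '%s.jpg\n' "${base%.*}"
}

# Re-encode one file as JPEG, shrink it so its longer edge is MAX_PX, and
# write the result to OUT_DIR with -o so the original is never modified.
sanitize_image() {
  src=$1
  [ -f "$src" ] || return 0
  image_ext_allowed "$src" || { echo "skipping $src" >&2; return 0; }
  sips --setProperty format jpeg -Z "$MAX_PX" "$src" \
       -o "$OUT_DIR/$(output_name "$src")" >/dev/null
}

# WatchPaths fires on any change to the folder, so process the whole inbox
# each time rather than assuming a single new file.
sanitize_inbox() {
  for f in "$IN_DIR"/*; do sanitize_image "$f"; done
}

# The LaunchAgent plist: run this script with "run" whenever IN_DIR changes.
# $1 is the absolute path of this script.
launch_agent_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$LABEL</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>$1</string><string>run</string></array>
  <key>WatchPaths</key>
  <array><string>$IN_DIR</string></array>
</dict>
</plist>
EOF
}

# sh sanitize.sh run      process the inbox once
# sh sanitize.sh install  write and load the LaunchAgent for the current user
case "${1:-}" in
  run) sanitize_inbox ;;
  install)
    me="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
    launch_agent_plist "$me" > "$HOME/Library/LaunchAgents/$LABEL.plist"
    launchctl load -w "$HOME/Library/LaunchAgents/$LABEL.plist" ;;
esac
```

Writing the output to a separate folder matters more than it looks: a WatchPaths agent that modifies files inside the folder it watches retriggers itself on every write.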

Categories: Mac OS X, Mac OS X Server

RAMdisk on MacBook Air

I can't remember where I picked up how to get a RAM disk mounted in OS X, but it's a great way to get some unbelievable speeds on your Mac for those minor IO-intensive processes that don't need persistent data. It should be mentioned that the contents of a RAM disk are gone once it is ejected, but the speed of processes while they're running can be pretty phenomenal on systems with fast RAM. The best example is a MacBook Air, where the memory is soldered onto the logic board and quite fast.

Let's say you have 4GB of memory and you want to run a process that isn't going to take more than a gig. That leaves 3GB of memory you can use as a RAM disk. The ram:// size is given in 512-byte sectors, so 3GB (3,000MB) is 3,000 × 2,048 = 6,144,000 sectors. To mount up the RAM disk, I usually create a .command file with the following contents:

diskutil erasevolume HFS+ "rdisk" `hdiutil attach -nomount ram://6144000`

I usually call that file mountrdisk.command

Then I create another .command file called unmountrdisk.command with the following (use the device node hdiutil attach printed when it created the disk; it will be disk1 only if nothing else is attached, so check diskutil list before detaching):

hdiutil detach /dev/disk1

These let me mount and unmount the RAM disk quickly. I then add a line at the top of the second command file to back up the contents to a folder on my local computer, since anything in there doesn't get saved once detached. (If the reason for the RAM disk was to keep the data off persistent storage in the first place, leave this line out.)

cp -R /Volumes/rdisk ~/rdiskbackup

Running the first .command file will create the rdisk with the following output:

Started erase on disk1
Unmounting disk
Erasing
Initialized /dev/rdisk1 as a 3 GB HFS Plus volume
Mounting disk
Finished erase on disk1 rdisk

You can then cd into it and treat it as you would any other volume. Once you’re done, run the backup command file and then the unmount command file to back it up and trash it. Speed tests show anywhere from 325 MB/s to well over a thousand according to what you are doing. The performance can degrade quickly in some cases, but when used properly it’s a great little tool.
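The two .command files above, redone as a single script that is an added example and not code from the original post. It computes the sector count from a size in MB, captures the device node hdiutil attach actually hands back instead of assuming disk1, and uses a trap so the disk is detached even when the command run on it fails or is interrupted. macOS hdiutil and diskutil are assumed; the volume name and backup folder are the post's.

```shell
#!/bin/sh
# Added example (not code from the original post): create and tear down the
# RAM disk from the post without hard-coding /dev/disk1. Assumes macOS hdiutil
# and diskutil. The size argument is in MB and is converted to the 512-byte
# sectors ram:// expects; VOLUME and the backup folder are assumptions.
set -eu

VOLUME=${VOLUME:-rdisk}

# ram:// sizes are 512-byte sectors: MB * 2048, so 3000 MB -> 6144000.
ramdisk_sectors() {
  echo $(( $1 * 2048 ))
}

# 'hdiutil attach -nomount' prints the device node it chose, padded with
# whitespace. Trim it so the same node is used for the detach.
device_from_attach_output() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $1 }'
}

# Attach a RAM-backed device of $1 MB, format it HFS+, print the device node.
ramdisk_create() {
  out=$(hdiutil attach -nomount "ram://$(ramdisk_sectors "$1")")
  dev=$(device_from_attach_output "$out")
  diskutil erasevolume HFS+ "$VOLUME" "$dev" >/dev/null
  echo "$dev"
}

# Copy the contents out (unless BACKUP=0) and detach. Use BACKUP=0 when the
# point of the RAM disk was that the data never touch persistent storage.
ramdisk_destroy() {
  dev=$1
  if [ "${BACKUP:-1}" = 1 ]; then
    mkdir -p "$HOME/rdiskbackup"
    cp -R "/Volumes/$VOLUME/." "$HOME/rdiskbackup/"
  fi
  hdiutil detach "$dev"
}

# Usage: sh ramdisk.sh run 3000 <command...>
# Runs the command with the RAM disk mounted at /Volumes/$VOLUME and detaches
# it afterwards, even if the command fails or is interrupted.
if [ "${1:-}" = run ] && [ $# -ge 3 ]; then
  shift; size=$1; shift
  dev=$(ramdisk_create "$size")
  trap 'ramdisk_destroy "$dev"' EXIT INT TERM
  "$@"
fi
```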

Categories: Mac OS X Server, Ubuntu, Unix

Hosting afp on Linux

One of the main reasons people get a server is to share files. Mac OS X Server is one of the more common devices used to share files to Mac OS X clients, using afp, the default file sharing protocol for Mac OS X. But you don’t have to use Mac OS X Server. You can use Linux as well. We’re going to look at using an open source project called netatalk to do so. If you find that after reading this that you’d like to find out more about netatalk then check out the open source project page at http://netatalk.sourceforge.net.

The netatalk package is available through most Linux package managers. However, because of the license conflict between the GPL and OpenSSL, many distributions ship netatalk built without OpenSSL and therefore without the DHX authentication modules (the uams_dhx*.so files). Mac OS X 10.5 and above require DHX and will not be able to authenticate to such a build. Therefore, we're going to look at rebuilding the package from source with SSL on Ubuntu or Debian (on Red Hat derivatives the packaging steps differ). To get started, let's get our dependencies (everything in this article needs to be run with elevated privileges):

apt-get install dpkg-dev devscripts libssl-dev fakeroot cracklib2-dev

Now let’s grab the netatalk source:

apt-get source netatalk

Now let’s get any other dependencies we might not have noticed already:

apt-get build-dep netatalk

Now cd into the netatalk directory (current version is 2.0.3):

cd netatalk-2.0.3

Now let’s tell it to build with SSL enabled:

DEB_BUILD_OPTIONS=ssl debuild

And to finally run the built package:

dpkg -i ../netatalk_*.deb

Next, let's choose which authentication mechanisms we want to support. I practically always enable the PAM module so that netatalk can pass authentication back through my directory service, and for Mac OS X 10.5 and above it's very important that you enable DHX as well. For most environments I'll also disable cleartext passwords at this time, which is done simply by leaving uams_clrtxt.so out of the list. This is all configured in /etc/netatalk/afpd.conf. At the bottom, by default, you'll see a server line carrying the list of authentication modules (-uamlist). Edit it to read as follows, adding any additional uams modules you'd like to support and removing any you would not:

- -transall -uamlist uams_guest.so,uams_dhx_pam.so,uams_dhx_passwd.so,uams_dhx.so

We can also stop users from saving their password in the client's keychain by adding the -nosavepassword option, meaning the line would instead appear as follows:

- -transall -uamlist uams_guest.so,uams_dhx_pam.so,uams_dhx_passwd.so,uams_dhx.so -nosavepassword

Note: The afpd.conf man page and the project documentation will lay out more about what each of these does.

Once you have updated afpd.conf you will want to edit the /etc/netatalk/AppleVolumes.default file, which is where you create your shares. At the bottom of this file you’ll want to add a line that adds each new share (home directories are automatically shared by default). Here, you’ll specify the path to the share, followed by how you want the share to appear in the connect to server dialog, followed by an allow statement of who is able to access the share and then the options for the share (options are indicated in the man page and have commented descriptions in the actual file):

/SHARED/Accounting "Accounting" allow:accounting,root options:crlf,noadouble,mswindows,nodots,usehex dbpath:/tmp

The same file is where each volume's CNID database is configured (the dbpath option above points it at /tmp, which is fine for a quick test but not for a server you keep, since /tmp is world-writable and usually cleared on reboot). To change which daemons run, most likely to kill off the AppleTalk daemon, you'll need to customize /etc/default/netatalk. Here you can choose whether AppleTalk will run (ATALKD_RUN), whether to run the CNID metadata daemon (CNID_METAD_RUN) and whether AFP will run (AFPD_RUN). You can also set the maximum number of users allowed to hit the server (AFPD_MAX_CLIENTS) and set AppleTalk names and zones if you're running AppleTalk (ATALK_NAME and ATALK_ZONE respectively). By default, AFP guests (AFPD_GUEST) are mapped to nobody for permissions.

Once you’ve made your changes, save and then let’s restart the daemon and test connectivity:

/etc/init.d/netatalk restart

While testing, I usually like to run a tail of syslog to see if any errors pop up:

tail -f /var/log/syslog

When new versions come out, you will then be able to perform an update using apt-get as well:

apt-get update && apt-get install netatalk

If you find through this that you installed some things you'd like to get rid of, or you'd like to start over, remove netatalk together with the dependencies that were pulled in only for it using apt-get's autoremove option:

apt-get autoremove netatalk

And if you don’t want the dependencies either, check out deborphan to clean those up as well!

Categories: Mac OS X, Mac OS X Server, Mac Security

AFP and Cleartext Passwords

The AFP client can be persnickety about your doing something as painfully silly as authenticating to a host with a password sent in cleartext (completely unencrypted): by default it won't do it. When you're troubleshooting it can be useful to turn that protection off, if only to test and then re-enable it again. Note that while it is off, your password crosses the wire readable by anyone on the path. To allow cleartext (the domain is com.apple.AppleShareClient):

defaults write com.apple.AppleShareClient afp_cleartext_allow -bool YES

And to disable the warning:

defaults write com.apple.AppleShareClient afp_cleartext_warn -bool NO
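The "re-enable it again" step is the one that gets forgotten, so here is an added example (not code from the original post) that loosens the two defaults above only for the duration of one command and puts them back (allow NO, warn YES) whatever happens to that command, including Ctrl-C. The DEFAULTS variable is an assumption added so the sequence can be exercised with a stand-in for the defaults tool; everything else is the post's.

```shell
#!/bin/sh
# Added example (not code from the original post): loosen the AFP client's
# cleartext check only for the duration of one test and put it back even if
# the test fails or is interrupted. The DEFAULTS variable exists so the
# sequence can be exercised without touching a real preferences file.
set -eu

DOMAIN=com.apple.AppleShareClient
DEFAULTS=${DEFAULTS:-defaults}

afp_cleartext_allow() {   # $1 = YES or NO
  $DEFAULTS write "$DOMAIN" afp_cleartext_allow -bool "$1"
}

afp_cleartext_warn() {    # $1 = YES or NO
  $DEFAULTS write "$DOMAIN" afp_cleartext_warn -bool "$1"
}

# Run "$@" with cleartext allowed, then restore the defaults (allow=NO,
# warn=YES) no matter how the command exits. Returns the command's status.
with_afp_cleartext() {
  afp_cleartext_allow YES
  afp_cleartext_warn NO
  trap 'afp_cleartext_allow NO; afp_cleartext_warn YES' EXIT INT TERM
  status=0
  "$@" || status=$?
  afp_cleartext_allow NO
  afp_cleartext_warn YES
  trap - EXIT INT TERM
  return $status
}

# Usage: sh afp_cleartext_test.sh run mount_afp afp://user@host/share /Volumes/share
if [ "${1:-}" = run ]; then shift; with_afp_cleartext "$@"; fi
```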