Jul 302013

It sounds like a simple task to configure a Windows client to connect to a L2TP/IPsec server hosted by Mac OS Server. However it’s not.


To setup the connection you need the following informations:

  • Username and password of a VPN enabled account
  • the L2TP/IPsec shared secret
  • official IP or hostname of the VPN server
  • Administrator account on the Windows machine


The first step it the most important one. Open the registry editor (regedit) on the Windows PC as administrator and add the DWORD AssumeUDPEncapsulationContextOnSendRule with a hex value of 00000002 within HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent. To apply the changes you have to reboot.

Then add a new VPN connection using the Set up new connection or network assistant in the Network and Sharing Center. Be sure to enable the checkbox Don’t connect now, just set it up so I can connect later.

To finish the last step open the Properties dialog of your newly created VPN connection. Within the Security tap change the type to L2TP/IPsec and set the shared secret within the Advanced settings. Furthermore change the dropdown menu Data encryption to Optional encryption.

Now you are able to connect to the VPN service!

Jul 192013

Think about the following rather unusual scenario: You own a current generation MacBook Air and a new iMac that you don’t use. This blog post will show you how you can use the iMac as a pure monitor without any manual intervention.


The current generation iMacs (21″ and 27″) can be used as a Thunderbolt display using Target Display Mode. To enabled this mode you have to boot both Macs and connect them using a Thunderbolt cable. After that you have to press [Command]+[F2] on the keyboard of the “display” iMac. Although this feature is great for rare usage – it’s not very comfortable if you want to use the iMac as a permanent secondary display.


thunderbolt-logoTo solve this problem I created iMacMonitor. It’s a small application running on the “display” iMac that monitors the Thunderbolt bus and automatically switches to Target Display Mode if necessary. Thereby one only has to connect the main computer to the Thunderbolt cable and a few seconds later the iMac can be used as a secondary monitor. This works because Mac’s wake from standby if a Thunderbolt device is connected. As soon as the main computer is disconnected the display will sleep again. Be aware that you should not shutdown the “display” computer as it won’t switch to Target Display Mode anymore.


  1. First you have to download iMacMonitor.app on the “display” iMac and set it as Login Item.
  2. Then make sure that a user is automatically logged in (see this link).
  3. Restart
  4. Voilà

Now you can connect a Thunderbolt enabled Mac and the “display” iMac will switch to Target Display Mode automatically.


As I have written this application for fun you can also download the Xcode project. It’s released under the MIT licence.

Update: Here’s the Xcode 5 Project for 10.9

Dec 282012

RAM disks are available since 1979. They offer a filesystem in RAM and therefore outperform most of all other storage systems. This can be used to do disk intensive operations in a fraction of the normally required time. This article covers Mac OS X 10.5 and later. If you STILL use earlier versions take a look at the article posted by OSXDaily.

Mac OS X includes a way to create RAM disks using the following Terminal command:

diskutil erasevolume HFS+ 'My 4GB RAM Disk' `hdiutil attach -nomount ram://8388608`

The size of the disk is based on the page size number of 512 bytes sectors. That means the size in bytes has to be divided by 512. For example to calculate the size parameter for a volume with 4GiB the following formular is used:

Be aware that the content of a RAM disk is permanently deleted as soon as it is ejected! Only use it as temporary storage!


To simplify the process I created RAMDiskCreator. It’s a freely available tool and offers a graphical user interface for the RAM disk creation. Only the size and the volume name have to be provided. In the background the same command is used as described above.

You can download RAMDiskCreator 1.4 for Mountain Lion or better here. If you are still on Lion or Snow Leopard please download RAMDiskCreator 1.2. Furthermore I will happily provide the source code on request.


  • 2014-04-26 – Version 1.4: Fixed a bug that could lead to a wrong RAM disk size (Thanks to John VanDyk for reporting)
  • 2014-04-10 – Version 1.3: The configuration is stored after a successful RAM disk creation for easier usage (Thanks to rxflyer for suggesting this feature)
  • 2013-05-24 – Version 1.2: Fixed broken free memory calculation (Thanks Dave for reporting)
  • 2012-12-28 – Version 1.0: Initial version released
Dec 212012

Mac OS X extensively uses file metadata. As this post explains there are two fallback mechanisms if a volume is not able to handle this data.

On the one hand .DS_Store files are created to store mostly Finder specific settings. On the other hand metadata like resource forks or creator types are stored in “Dot Underscore” Files. For example the metadata for the file “Demo.avb” is stored in “._Demo.avb”. Both mechanisms are great in an all Mac environment but can cause troubles in mixed setups. Luckily there are ways to at least minimize the pain.


Even Apple thought that this files are not always necessary and build in a setting to disable the creation on network drives.

defaults write com.apple.desktopservices DSDontWriteNetworkStores true

Furthermore the guys from BinaryAge (the creators of the epic TotalFinder) build a tool called Asepsis. It is used to redirect all .DS_Store files into a folder buried in the depth of the system. Thereby the Finder is still able to store folder specific settings but external drives aren’t effected anymore.

Dot Underscore Files…

… cause more trouble. As they eventually store application specific data there is no official way to disable them. A possible workaround is to schedule a script to delete them (every night). This is exactly what I did for Windows (Powershell script) and Unix (Bash script) operating systems. On Windows the script can be scheduled using the “Scheduled Tasks” system setting. On Mac OS X a launchd configuration should be used – it can easily be created using Lingon. Other Unix operating systems can use a cronjob!

The script recursively searches a given folder for Dot Underscore Files and deletes them. Be aware they will most likely be recreated! You can download the Windows and Unix version using this link.

Dec 052012

SAMBA the open source SMB implementation got replace in Lion with SMBX. SMBX supports SMB2 which is was first used in Windows Vista and reduces the chattiness of the protocol. Additionally Samba 3 was release under the GPLv3 licence which prevent Apple from packaging it in a commercial package.

While there are several advantages the overall stability decreased. Two examples are given below:

  1. Several multifunction printers are not able to connect to the new SMBX service to deliver scanned images as they only support SMB1. A possible workaround is to use a FTP server like PureFTPd.
  2. A race condition can occur after booting the system that prevents any user  to log in. The message “NTLM domain not configured” is logged. A possible solution is discussed here.

BUT the most frustrating part about SMBX is that there is no official documentation. Furthermore it’s not using plaintext configuration files anymore.

To track down errors it’s essential to have a good error log. To enable logging the launchd configuration file com.apple.smbd.plist has to be modified. After identifying the problem based on the logs you have to solve it. There are two different places where the configuration is stored. The overall service configuration is stored in the plist file /Library/Preferences/com.apple.smbd.plist. The share point configuration in turn has been moved into the Directory Service!!!!! This can be accessed using the dscl utility. After that you have to navigator into the “folder” /Local/Default/Sharepoints.

dscl localhost
> cd Local/Default/SharePoints/
> ls #this will list all you share points
> read SharepointName #lists all the configured settings

It’s awful to see a great software like Samba to be thrown out based on licensing issues.

Nov 292012

In previous versions of OS X it was easily possible through rc.shutdown.local to run commands before shutdown. I have not been able to use it in Lion or Mountain Lion.

Thankfully even if you restart or shutdown using the Apple menu the UNIX commands are used. This can be misused by replacing the system supplied tools with a self-written proxy script that runs your commands and the executes the original executables.

The script at the bottom is such a proxy. It should be created in /sbin/shutdown_proxy.sh. Then the original shutdown and reboot executables must be renamed to contain the suffix “.old” (shutdown.old and reboot.old). To complete the installation shutdown-proxy has to be symlinked to shutdown and reboot.

Terminal installation instructions

  1. sudo nano /sbin/shutdown_proxy.sh #insert and adjust the code from below
  2. sudo chmod 755 /sbin/shutdown_proxy #make the file executable
  3. sudo mv /sbin/shutdown /sbin/shutdown.old #move the old file aside
  4. sudo mv /sbin/reboot /sbin/reboot.old
  5. sudo ln -s /sbin/shutdown_proxy.sh /sbin/shutdown #link the proxy
  6. sudo ln -s /sbin/shutdown_proxy.sh /sbin/reboot


echo "Shutdown proxy executing"


echo "Will run $COMMAND $@"

"$COMMAND" "$@"
Aug 082012

Although Filemaker 9 and 10  aren’t supported on Lion and Mountain Lion anymore several of our customers still use it. As long as you upgrade from Snow Leopard everything is working as expected – even the “Open Remove” feature that is used to connect to a Filemaker Server.

The problem is, that whenever you try to reinstall Filemaker 9 Pro the required SSL Update fails to install. This happend because the OpenSSL used in this update is PPC only! After that you are still able to work on local FM databases but you are unable to connect to a remote server. The remote database list stays empty!

Luckily this problem can be easily fixed.

As far as I can tell the Filemaker application uses an SSL encrypted connection to transmit it’s data (or at least the database list 😉 ). To fix the encyption you only have to replace the certificate stored in the application bundle:

  • /…/FileMaker Pro.app/Contents/MacOS/root.pem
  • /…/FileMaker Pro.app/Contents/MacOS/server.pem

The following solutions are possible:

Obtain the certificates from a newer installation

The needed certificates are also installed by newer Filemaker versions. Just install the trail version or obtain the certificates from a different machine. To do that open the application bundle and copy the root.pem and server.pem files. To finish the surgery replace the original files (see above) in the Filemaker 9 bundle.

Download my files

To shorten the process I have uploaded my test certificates. You can also use them.

Aug 072012

Recently we had severals clients complaining about being unable to connect to their fileservers.

The following solution ONLY applies if this conditions are met:

  • The user is unable to connect to all remote servers (it takes literally forever)
  • Other users on the same machine are still able to connect (add a test user to be sure)
  • All AFP and SMB servers are affected (maybe other protocols like WebDAV too)
  • (optionally) If you select the server in the Finder sidebar you are not automatically logged in – but you are still able to authenticate using the “Connect as” button.

As you are still reading this post, you probably have a broken GlobalPreferences.plist configuration file.

Here’s how to fix it:

This problem can be easily fixed by opening the Terminal application and typing the following commands:

rm ./Library/Preferences/.GlobalPreferences.plist
killall Finder


This commands remove the GlobalPreferences configuration file and restart the Finder application. Several colleges reported that restarting Finder is not necessary but I still recommend it!

I have also found a blog post about a similar (most likely the same) issue: derflounder. The author investigated even further and found out, that the problem occurs while the Finder tries to connect to the already unavailable iDisk.

Aug 012012

The following problem can be reproduced on all Mac OS X Lion clients:

When you set your Adobe After Effects CS5.5 render output path to a folder on an NFS volume shared by an Windows 2008 R2 server the render process stalls. After that the machine has to be hard reset!

While doing some server and network protocol performance tests we discovered the described problem. We also set up a dedicated Windows NFS test server and a Mac OS Lion client to verify it. Other NFS servers are working as expected.

It looks like that After Effect tries to set a lock on the render destination file. During that something (??) goes wrong and the process stalls. After that the NFS kernel extension is still dead locked (??) and you need to hard reset your Mac.

To work around this issue the “sync” mount command line option can be used! This causes a big performance loss but at least it allows you to render to the NFS volume.

mkdir mountpoint
mount -t nfs -o sync server:/sharepoint mountpoint

Further details about the sync/async operation can be found in the exports man page.

Aug 012012

Sometimes it is necessary to throttle the throughput of a specific service like AFP or HTTP. This is possible with the help of ipfw‘s pipe feature on Mac OS X.

The following example slows the in- and outgoing AFP traffic down to 100KByte/s.

ipfw pipe 1 config bw 100KByte/s # configure the speed limit
ipfw add 1 pipe 1 src-port 548 # monitor out-
ipfw add 2 pipe 1 dst-port 548 # ... and incoming traffic

It is also possible to only slow down some hosts. To do that the rules have to be adapted. This example throttles only AFP traffic from and to the host

ipfw pipe 1 config bw 100KByte/s
ipfw add 1 pipe 1 ip from any to src-port 548
ipfw add 2 pipe 1 ip from to any dst-port 548

PS: To reset a (possible broken) ruleset use the flush command

ipfw flush