OS X: Add local admin rights to an (Active) Directory user

Jul 182012

Sometimes you might want to provide local admin permissions to an Active Directory user.

This can be archived by different solutions:

Automatically obtain the settings from the AD using the Directory Utility

Add an AD group to the local admin group (as described here)

sudo dseditgroup -o edit -a "DOMAIN\group name" -t group admin

Add the domain user to the local admin group

sudo dseditgroup -o edit -a usernametoadd -t user admin

More information can be found at the “Managing OS X Blog”

PS: Maybe you are also interested in how the change the ID of a user the right way.

OS X: Requesting certificates from a Windows Certificate Service

Mac OS X, Windows No Responses »

Jul 182012

Recently a new customer contacted us regarding the integration of OS X devices into his already deployed WiFi infrastructure.

They have several access points that create a company wide WPA2 Enterprise 802.1X network. WiFi access is controlled by a Windows RADIUS server and requires a per user certificate that can be obtained from the Windows Certification Service.

Until now they manually requested the certificate on a Windows machine using MMC‘s Certificate Snap-In and transfered it to the Mac’s user Keychain.

Solution

This steps can be automated with the help of the Windows Web Certificate Service and OS X Lion’s Configuration Profiles.

Here’s what you need:

Windows Web Certificate Service (http://certserv.mydomain.private/certsrv)
Details can be found in the MSDN.
OS X Lion or higher
Hand-written configuration profiles as described in Apple’s KB entry.
You can download my demo profiles here.

If you also have to support older Mac OS X versions you can use the Web Certificate Service to semi-automate the process. Additionally other operating systems (like GNU/Linux) are also able to obtain certificates!

OS X: Xsan resharing crashes AFP service

Mac OS X, Tipps No Responses »

May 232012

Recently a new customer reported sporadic AFP service crashes when sharing folders located on a Xsan volume.

First I want to give you a short overview

The client uses Mac OS X 10.6.8 in combination with Xsan 2.2.1. They have 2 MDCs and several NAS servers. The clients can access the Xsan volumes only through the NAS servers using AFP.

While this works great most of the time sometimes the AFP services crashes. After that the Mac clients don’t see the sharepoints any more. On the NAS server responsible for this share the SAN volume is still mounted but when trying to access it using Finder a crash occurs. It’s interesting that you are still able to browse the folders using ls in Terminal.app.

A temporary fix is to kill the AppleFileServer process!

After investigating further we discovered the following error messages:

5/21/12 1:23:05 PMmds[868] (Error) Server: Peer checkin failed -- no store for path '/Volumes/XSAN/Share'
5/21/12 1:23:05 PMcom.apple.AppleFileServer[837]MDSChannelPeerCreate: (os/kern) invalid argument

My partial explanation

These log messages are well known and documented on several webpages (1, 2). They are caused by a somehow inaccessible .fseventsd folder on the specific sharepoint. While this can be repaired quite easy on “normal” sharepoints it’s not that easy on Xsan volumes.

I have not been able to find the exact cause but I think it’s something like this:

A client connects to the AFP service.
The AFP server tries to connect to the Spotlight service of the specific volume
Spotlight queries the fseventsd subsystem of OS X
Something breaks while talking to fseventsd

A workaround

The problem can be “fixed” by disabling the MDS service. This can be archived either by unloading the launchd plist file or removing it entirely.

Temporary disable MDS (until reboot or reload)

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

Disable MDS

sudo rm /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

Attention: Stopping the MDS service will completely disable Spotlight

OS X: SIMBL

Mac OS X, Tipps No Responses »

May 072012

Today I had a few hours spare time, so I took a look at SIMBL.

SIMBL is a small framework to inject your own code into Cocoa applications. A similar system is used by the super awesome TotalFinder and TotalTerminal.

The Google Code project page includes a very short tutorial on how to create such a SIMBL bundle. First I thought it can’t be that easy – but it definitely is!

Just create a new Xcode bundle project and update the Info.plist file according the given specification:

<key>SIMBLTargetApplications</key>
<array>
        <dict>
                <key>BundleIdentifier</key>
                <string>com.apple.Safari</string>
                <key>MaxBundleVersion</key>
                <string>412</string>
                <key>MinBundleVersion</key>
                <string>412</string>
        </dict>
</array>

After that add the following “callback” methode to your projekt:

+ (void) load {
        // your code
}

That’s it! Now do whatever you want to do 😉
To test your bundle just copy it to one of the following folders …

/Library/Application Support/SIMBL/Plugins
/Users/Username/Library/Application Support/SIMBL/Plugins

… and start the application. SIMBL will take care of loading the correct plugin (by checking the bundle identifier) and calls your load method.

OS X SL Server: extended server-side mail rules

Mac OS X, Tipps No Responses »

Apr 162012

Mac OS X Snow Leopard Server features a new interface to setup automatic replies and server-side mail rules.

It’s super easy to use while still covering 90% of the daily needed features – but it lacks the possibility to forward mails to a user supplied address.

To work around this issue you need another interface for creating sieve scripts. In the end the best (at least for me) solution to this problem is to add the functionality to the webmail interface – either SquirrelMail or Roundcube.

Robert wrote a great tutorial on this topic – Here’s an archived version.

Network Homes: Users sometimes unable to login

Mac OS X No Responses »

Mar 212012

Today a customer called me and told me about a very strange problem. Sometimes they are unable to log in – after the second or third try it works. Whenever this problem occurs the login window reports the following error message:

You are unable to log in to the user account <username> this time. Logging in to the account failed because an error occurred.

After looking at the logs I found the following messages. (The strange characters are rendered correctly!):

AFP_VFS afpfs_mount: /Network/Servers/FQND/very/ long/path/to/Network Profiles/Netw�x�V���Iz��y�V� 
AFP_VFS afpfs_unmount: /Network/Servers/FQND/very/ long/path/to/Network Profiles/Netw��ji�� �G��ji�...

Here are some details about the setup:

Mac OS X Leopard Server (10.5.8) configured as OpenDirectory master
network home directories
DNS properly configured (and tested)
Kerberos working (and tested)

After hours of investigating and searching around I found an Apple KB entry titled “Mac OS X Server: Avoid spaces and long names in network home directory name and path“. After checking out the path length everything was clear – THIS IS THE PROBLEM! In the evening I modified the folder structure to meet the 89 character limit and everything went back to normal – everybody is able to login at the first time.

QLogic FC Switch: Using the right settings

Hardware, Mac OS X, Tipps No Responses »

Mar 012012

We always use QLogic Fibre Channel Switches for our SAN installation. These switches have some options to increase throughput and decrease spikes during large file transfers, namely I/O Stream Guard and Device Scan.

It’s quite important to set this options correct for a good overall performance of the SAN regardless of the used software (XSan, metaSAN, HyperFS, …).

Here’s what you have to use:

Initiators (your clients)

I/O Stream Guard: Enabled
Device Scan: Disabled

Target (your RAIDs)

I/O Stream Guard: Disable
Device Scan: Enabled

Apple also posted a KB article a few years ago about this topic.

bindfs: create “hardlinks” to folders the different way

Mac OS X, Tipps, Tools 1 Response »

Feb 212012

Mac OS X allows hardlinks on directorys (see stackoverlow) but this has two limitations:

as all hardlinks they work only on one partition
it’s not really supported

With the help of osxfuse and bindfs you can bind a directory to a different folder – like the way you would do it on every other unix based system.

PS: Here’s my patched version (only useful to me): bindfs-1.9

sl-groupmailer: Missing the ability to use user groups as mailinglists in Mac OS X 10.6?

Mac OS X, Tools No Responses »

Feb 212012

Mac OS X 10.5 had a great feature that allowed you to use your already created groups as mailing lists. Each group had it’s own mail address (groupname@example.com) and postfix delived each mail to all users of that group

In Snow Leopard Server this feature is not available anymore.

With the help of this scripts you can simulate Leopards group mailing abilities. It creates a postfix alias file out of your LDAP groups (Open Directory) and updates you MTA configuration automatically. You can even exclude groups and use nested groups.

Download: sl-groupmailer.tar

sl-backuper: Want to backup your Mac Server’s services?

Mac OS X, Tools No Responses »

Feb 212012

There are great ways to backup your hole Mac OS X Server. But I have not found any script that enabled me to configure service backups the way i wanted.

With sl-backuper you can backup your server on a service based approach. Currently you can export Mail, iCal Server, AddressBook Server and MySQL

sl-backuper runs each night (or the way you configure it) and exports all enabled services to a special folder. This folder is only readable by Administrators and is managed by sl-backuper. sl-backuper keeps as many backups of each services as you want and removes outdates ones. Additionally per job logfiles are created.

Download: sl-backuper.dmg

Older Entries Newer Entries