Abandoning the Mac

I still remember the day I bought my first Mac, it was the Macintosh IIFX. It had an 68030 processor with 24MB of memory and 100MB SCSI hard drive. If you know anything about 68k machines, you should this the Spruce Goose of hardware. The machine originally had a price tag of $11,000 but I got mine for $30. P.C. Place in Surrey BC was having a sidewalk sale in the late 90’s and they were stacked on a skid about 6 units high. As urgently as a girl getting her first period, I rushed home completely beside myself with anticipation. Mac, check… ADB keyboard, check…. ADB mouse, check… Mac compatible monitor adapter, uh… uhhhh… what the heck is this video port? This isn’t VGA.

One angry bike ride later I had my Mac compatible VGA adapter, you remember them: the one with the dip switches and the two parrots on it. I plugged it in, turned it on, and was greeted by what I now call the Sound of Failure. After about a day on this machine, I got TCP/IP up and running on a hacked version of System 7.5.5 that I got off a buddy’s Hotline server. Yeah, that’s right, Hotline. Deal with it. The only other computer I had was a Windows 95 box that I used to download Apple floppy images. Hey, who remembers booting off floppy? Oh hey Andrew!

Those were the glory days, when getting a Mac was a special privilege. Ownership instantly baptized you into this world of insanity where people congregated just to boast about the superiority of their chosen platform. It meant you were a bit of a hacker, trying to squeeze as much as you could out of an old machine, mostly due to the superior case design, upgradability, and stability of OS 7-9. RIP. G3 upgrade for my 6400/180 603e? Yes please!

Today things are different. Apple has abandoned their professional customers, reduced the value of their product to commodity status, and all but destroyed the sub-culture that existed. Most MUGs are dead, with members taking to a recollection of better days more often than they experience new ones. Those die hard faithfuls struggled for Apple when they were dying, we celebrated them when they arose from the ashes, we promoted them and helped achieve relevant market footprint by proselytizing their almost evangelical status. However, in the end Apple abandoned us, they give us shittier tools with every revision, mediocre hardware often built on last years advances, and $29.99 server software that is promoted by a K-Mart style blue light.

The revolution is over. Communism won, and we cheered for it.

Apple Certified Technical Coordinator (ACTC) OS X Server Essentials 10.8 Test Review

I recently submitted an application with Apple to join the Apple Consultants Network. In doing so I knew I had to pass the ACTC certification tests within 45 days of joining. Unfortunately I could not find a testing center in Vancouver so I took the test down in Seattle at Crywolf Training. Gordon Davisson was the proctor and did an amazing job, I showed up 30 mins early and was greeted with donuts and a free review of ML201. Gordon took us thru all the services associated with 10.8 server and gave a couple great tips. (DORA FTW)

The test comprised of 80 multiple choice questions, with two hours on the clock and two crullers in my gut, I began. The first thing I noticed was a lot of the questions would ask “Which is the best sentence to describe blah” and give two correct sentences out of four. This left the tested to choose one answer which they thought was the most applicable, the one that stuck out in my mind most was for the wiki service. Questions with only one possible answer were marked with radio buttons while multi-answer questions had checkboxes. The questions also told the tested how many answers were needed, pick 2, pick 3. The questions themselves were quite simple with exception given to an SSL question and two permissions questions where I had to think, OK do I answer it correctly or the way I think Apple wants me to answer it. To prepare, I used the Amsys Revise IT app to test myself before going in as well as the OS X Server Essentials book by PeachPit.

Do the tests, take screen shots of the questions you’re puzzled by and research those in the PeachPit book, if you do this you’ll be fine.

Zentyal 3.0, Mountain Lion, Kerberos and SSO

Now with Zentyal, you can kerberize your shoes.

This article is a continuation of a really great read by shabangs.net His article is great to bind your Macintosh to a Zentyal directory server however, after completing the how-to I was unable to change a network user’s password, store a local copy of the network user’s password for “mobility” nor leverage some great single sign on services from zentyal.

What we will attempt is to configure /etc/krb5.conf for Mac OS X 10.8, Mountain Lion, so that we will receive a TGT from zentyal when the user either logs in or wakes the computer from sleep.

First you need to get the kerberos realm. To do this sign into Zentyal and go to Users and Groups. In here you’re looking for the LDAP search base, this base will also be your Kerberos realm.

Now we want to search and replace EXAMPLE.COM with that realm, and replace your.server.example.com with the FQDN of your Zentyal server. Only set the dns_lookup_* values to true if you’re using the Zentyal server for DNS.

All edits are client side ONLY
If /etc/krb5.conf does not exist then just create it.

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc
preferred_enctypes = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc

[kadmin]
default_keys = des-cbc-crc:pw-salt des-cbc-md5:pw-salt arcfour-hmac-md5:pw-salt aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt

In order to obtain a Ticket Granting Ticket (TGT) when logging in via the login window, edit /etc/pam.d/authorization and append default_principal option to the pam_krb5.so line.


auth optional pam_krb5.so use_first_pass use_kcminit default_principal


In order to obtain a Ticket Granting Ticket (TGT) when authenticating to the Screen Saver, edit /etc/pam.d/screensaver and append default_principal option to the pam_krb5.so line.


auth optional pam_krb5.so use_first_pass use_kcminit default_principal


Now sign out and back in as a network user, open a terminal and type klist You should get something like:


lisa:~ test$ klist
Credentials cache: API:51104:6
Principal: test@EXAMPLE.COM

Issued Expires Principal
Mar 2 09:28:04 Mar 2 19:28:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM


If so, great! This means kerberos is running, now try to change the user’s Open Directory password. It should succeed as well. If not make sure you have the console open to see what’s going on. 99% of the time it’s a DNS issue or the clocks on your workstation is out of sync with Zentyal.

Now try to mount an SMB volume from the Zentyal server, it *should* mount without credentials and a new ticket will appear in the output of klist


Issued Expires Principal
Mar 2 09:34:52 Mar 2 19:34:48 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 2 09:34:56 Mar 2 19:34:48 cifs/your.server.example.com@EXAMPLE.COM


Enable VNC for Zentyal Community Server

Get a terminal session on your Zentyal box and install the VNC service

sudo apt-get install vnc4server

Next, run the server once to initialize a config file, kill the service and make a backup of the config file and then edit.


vncserver
vncserver -kill :1
cp .vnc/xstartup .vnc/xstartup.bak
nano .vnc/xstartup


Uncomment one line and add another:


# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
/usr/bin/lxsession -s LXDE -e LXDE


Then just launch
vncserver

Watch the output so you can ensure what port to connect to. For example, the following means my VNC server is listening on port 5901


jordan@mrsparkle:/etc/X11$ vncserver

Starting applications specified in /home/jordan/.vnc/xstartup
Log file is /home/jordan/.vnc/mrsparkle:1.log


Keep External Drives Mounted in OS X when logged out

This tip was graciously donated by my good friend Luis Giraldo from Fully Managed
Create:
/Library/Preferences/SystemConfiguration/autodiskmount.plist
Put the following contents in the plist file:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>AutomountDisksWithoutUserLogin</key>

<true/>

</dict>

</plist>

Magic Triangle, Snow Leopard Server, Lion Clients

Just tried to bind a Lion client to our Magic Triangle infrastructure. Apple describes the problems as: A Mac OS X v10.7 Lion client may be unable to connect to a Mac OS X v10.6 Open Directory Server. This can happen if Lion uses Authenticated Binding to a Mac OS X v10.6 Open Directory Server that is also bound to Active Directory by means of a magic triangle.

Apple’s fix is to use Terminal to run a pair of shell commands on the Snow Leopard Server Open Directory Master Server and Replicas. Apple says:

Note: These commands will turn off GSSAPI authentication for the LDAP Server on the Mac OS X v10.6 Open Directory Master Server and Replicas. The servers will then use CRAM-MD5 authentication.

sudo rm /usr/lib/sasl2/openldap/libgssapiv2.2.so
sudo rm /usr/lib/sasl2/openldap/libgssapiv2.la

Restart the server after making this change.

If you want to restore the original settings, execute these commands:

cd /usr/lib/sasl2/openldap
sudo ln -s ../libgssapiv2.2.so
sudo ln -s ../libgssapiv2.la

Restart the server after making this change.

Zabbix Template for Apple Airport Extreme

Right click and save file as, import to zabbix, don’t forget to mass update the SNMP community string. I made a couple graphs too, nothing too fancy.

Link Here

Backup and Restore Lion Wiki

Backup the Collaboration Database

on the server running the wiki open a terminal and paste the following into the file backup-wiki.sh


#!/bin/bash
PGUSER=_postgres

BACKUPFILE=`date +%Y%m%d`-wikibackup.tar.gz
/usr/bin/pg_dump -U $PGUSER collab -c -f /Library/Server/PostgreSQL/Backup/collab.sql
tar -cvzf /Users/admin/Backups/$BACKUPFILE /Library/Server


Save and exit the file, then do the following


chmod +x wiki-backup.sh
sudo ./wiki-backup.sh


This will create the file wiki-backup.tar.gz in the /Users/admin/Backups folder

Prep the migration file

Copy this file to the new server, untar it.

Then follow this procedure.

1. Open server.app and turn on wiki
2. Open terminal and find pgsql process (ps aux | grep pgsql) , copy it to clipboard
3. Stop wiki server
4. open terminal and enter  psql -U _postgres -d collab -f /Library/Server/PostgreSQL/Backup/collab.sql

5. a bunch of shit will fly by, forget about it.

6. copy the Wiki folder from our backup into /Library/Server

7. Repair permissions
8. Turn on wiki, pray

How to Build an 802.1q LACP Trunk for Xen in CentOS 5.5

Overview

In this how-to we’re going to install CentOS 5.5 and prep it to become a virtual machine server. Before proceeding PLEASE read our Xen software page so you understand how the VM and network topology works. This how-to was built combining various methods publicly already available. If you find some copy and pasted text just remember: a good sysadmin is a lazy sysadmin.

Prerequisites

LACP bonded 802.1q trunk with necessary VLAN’s assigned

Installation

Install CentOS 5.5, during the package selection screen make sure to enable the Virtualization option.

Configuration

First let’s make sure that xen is running properly. Log into the GUI of the server, if you do not have a GUI then log into an ssh session as root with X forwarding on. Run virt-manager from the console. You should see “dom0” running, if you double click on it you’ll be able to see the statistics for this domain and how much resources it is consuming. If you cannot see this or if virt-manager does not find a dom0 to connect to you have done something wrong. I cannot help you.

1. Physical Networking Devices
What we first need to do is setup our networking devices.
Edit some files in /etc/sysconfig/network-scripts. Remember that bond0 is the physical interface that the trunk is connected to therefore it does not need an IP address.
# ifcfg-bond0
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
TYPE=BOND
BONDING_OPTS="mode=4"


#ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
TYPE=Ethernet
HWADDR:(MAC-ADDRESS OF ETH0)

#ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
TYPE=Ethernet
HWADDR:(MAC-ADDRESS OF ETH1F)

Then for every VLAN that you are passing in your trunk create a file as follows. Please replace the ‘N’ with the VLAN ID number

[root@xentest jeunson]# more /etc/sysconfig/network-scripts/ifcfg-bond0.N
DEVICE=bond0.N
BOOTPROTO=none
#IPADDR=192.168.100.51
#NETMASK=255.255.255.0
ONBOOT=yes
VLAN=yes
TYPE=BOND


Note how the IP address is commented out on this VLAN interface. You can assign an IP address to the VLAN interface that will be the management interface for the hardware.

Finally don’t forget to add the following line to /etc/modprobe.conf

alias bond0 bonding


Now that you’ve created the VLANs and assigned a management interface we edit the file /etc/sysconfig/network

[root@xentest jeunson]# more /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=xentest.example.com
GATEWAY=192.168.101.254
GATEWAYDEV=bond0.101


Now restart the networking with /etc/init.d/network restart It should restart with out any errors

Shutting down interface bond0.100: Removed VLAN -:bond0.100:-
[ OK ]
Shutting down interface bond0.101: Removed VLAN -:bond.101:-
[ OK ]
Shutting down interface bond: [ OK ]
Shutting down loopback interface: [ OK ]
Disabling IPv4 packet forwarding: net.ipv4.ip_forward = 0 [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface bond0.100: Added VLAN with VID == 100 to IF -:bond0:-
[ OK ]
Bringing up interface bond0.101: Added VLAN with VID == 101 to IF -:bond0:-
[ OK ]


2. Xen Networking Scripts
First modify /etc/xen/xend-config.asp and change the netdev device from eth0 to bond0. You’ll probably have to reboot the computer.

A.Modify the network-bridge script

Now that we’re done that we need to configure Xen to tell it what networking interfaces to use. First make a backup of the xen network-bridge script and edit as follows.
cp /etc/xen/scripts/network-bridge /etc/xen/scripts/network-bridge.orig
Change around line 78 from
[ -f "/sys/class/net/$1/bonding/slaves" ]
to
[ -f "/sys/class/net/$1/bonding/slaves" ] || [ -f /proc/net/vlan/$1 ]

B. Modfiy xend-config.sxp
The second change involves modifying the xend configuration file to use a new network initialization script.
[root@xentest scripts]# cd /etc/xen
[root@xentest scripts]# cp -p xend-config.sxp xend-config.sxp-dist
Change the network-script configuration directive to the new script name – such as network-multi-bridge. After the modification:
[root@xentest xen]# diff xend-config.sxp-dist xend-config.sxp
91c91
< (network-script network-bridge) --- > (network-script network-multi-bridge)
C. Create network-multi-bridge script
This script uses the two VLAN interfaces previously defined.

[root@xentest scripts]# cd /etc/xen/scripts
[root@xentest scripts]# more network-multi-bridge
#!/bin/sh
dir=$(dirname "$0")
"$dir/network-bridge" "$@" vifnum=0 netdev=bond0 bridge="xbr_trunk"

/sbin/ifup eth0.100
“$dir/network-bridge” “$@” vifnum=1 bridge=”xbr_v100″ netdev=”bond0.100″
/sbin/ifup eth0.101
“$dir/network-bridge” “$@” vifnum=2 bridge=”xbr_v101″ netdev=”bond0.101″

At this point you should reboot your server to make sure that everything comes up cleanly. Use the logs to debug problems and look out for which type of bond your computer connects to the switch as.

How to Force Propagation on Apple Secondary DNS Server

As you all probably know that using Apple’s DNS server can be challenging at times. If you make changes on the primary you usually have to wait some time before those changes propagate to the secondaries. However with the following commands you can force this propagation without having to nuke files or folders in /var/named

1. On the secondary server, run this command. (use whatever zone you want to transfer in place of lan.example.com
rndc -p 54 retransfer lan.example.com IN com.apple.ServerAdmin.DNS.public

2. Reload configuration
rndc -p 54 reload

3. Forcing client cache flush
dscacheutil -flushcache

The reason I think this is better in my opinion is it gets rid of the potential “oops” of deleting critical files in /var/named.