Low Power File Server for a Sailboat

Recently I was lucky enough to be a crew member on a sailboat that was making passage through the Caribbean. The Captain of the vessel, who lived aboard, was speaking to me about data storage and how difficult of an equation it was. Sailboats have very little power available to them when they’re underway as most don’t run their engine which is the only source to power the limited batteries kept onboard. He was thinking about picking up a Drobo-Mini and using SSDs to reduce the amount of draw on his system, however this solution is DAS based and doesn’t allow him access to the data unless he plugs directly into the box which means, you need a computer as well. Which is even more draw on the electrical system.

After a quick think and a look around the Internet I decided that the best way to address this issue would be to use a Raspberry Pi 3, a four port USB hub,  multi-SD card reader, and mdadm, with smb, nfs, and upnp. I’m not going to go into the nitty gritty of how to setup a raspberry pi as there are many tutorials available online already. However I will touch on some performance metrics that I was able to pull.

I welcome comments to this plan below My next step to this plan would be to get the Pi to be a wireless access point as well.

The New Customer Challenge

I’m an Apple consultant. I help small businesses who want nothing to do with the decision making aspect of technology. Planning, budgeting, procurement, deployment, support, deprecation, and recycling. Out of all these contexts no task is more challenging than workstations.

For those who are in the field, you know what I’m talking about. You get a new customer, they have workstations… some are new, some are old, some have MacKeeper, the bastard ones are carrying old migrated home folders that originated from 10.4 and a Cisco VPN kext. Some have 16 mail accounts filling 70% of the disk but since they’re “disabled” in Mail.app you don’t see them at first. Now you have to dig to find out where the space is. Do this across 10 – 50 workstations and you will soon realize why I went bald early.

I needed a quick dirty way to get some very specific data out of the machine and into a little text file, yes I’m sure there are some sort of MDM tools or whatever might have you that will track everything that I don’t care about widget, but I don’t want that. It’s about workflow, see if I don’t get an idea of what I’m stepping into before I step into it I may find out something nasty far too late. In other words, I wouldn’t deploy an MDM before getting an idea of what’s going on.

Introducing sysAudit.sh: feel free to download here

usage: sysAudit.sh -c <client name> -s <ftp server> -u <username> [-p <password>]

OPTIONS:
-c unique identifier for audit, a folder of this name will be made on your ftp server
-s ftp server fqdn/path sans protocol ie: mybigfat.ftpserver.com
-u username to connect to ftp server
-p password for username, will prompt if none given

NOTE:
Requires root privileges to successfully deduce all features

Once I begin relations with the new customer I immediately gain admin access to all their machines, after placing the following script somewhere on the web I can then push it out through ARD in a script something like this:

curl -o /tmp/sysAudit.sh http://www.copiousit.com/sysAudit.sh; chmod +x /tmp/sysAudit.sh; /tmp/sysAudit.sh -c clientname -s ftp.server.com -u ftpuser -p "ftpuserpass"

I also have it wrapped in AppleScript so that I can pop it over email to any remote machines. Usually also along with a Meraki MDM as well. Just place this code into Script Editor, then save as an application. Place sysAudit.sh inside the package of the AppleScript app.

## change the switch arguments!
set path_ to (path to me as string)
set p to POSIX path of path_
do shell script "" & p & "/sysAudit.sh -c clientname -s ftp.server.com -u ftpuser -p 'ftpuserpass'" with administrator privileges


Enable VNC for Zentyal Community Server

Get a terminal session on your Zentyal box and install the VNC service

sudo apt-get install vnc4server

Next, run the server once to initialize a config file, kill the service and make a backup of the config file and then edit.


vncserver
vncserver -kill :1
cp .vnc/xstartup .vnc/xstartup.bak
nano .vnc/xstartup


Uncomment one line and add another:


# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
/usr/bin/lxsession -s LXDE -e LXDE


Then just launch
vncserver

Watch the output so you can ensure what port to connect to. For example, the following means my VNC server is listening on port 5901


jordan@mrsparkle:/etc/X11$ vncserver

Starting applications specified in /home/jordan/.vnc/xstartup
Log file is /home/jordan/.vnc/mrsparkle:1.log


Apple Magic Triangle Setup with Windows File Server backed Portable Home Directories.

Recently I was hired to give my opinion about merging an existing Macintosh Open Directory(OD) network into a Windows Active Directory(AD) network. This was being done because Company A merged with Company B, and Company B being more powerful and larger wanted to stay with their AD infrastructure. My opinion was to move to a “Magic Triangle” setup where an OD server is bound to an AD Domain Controller(DC). The users and groups are managed by Active Directory, however the Mac clients are bound to both AD and OD for the purpose of being able to hand out MCX records to users, groups, and computers. I wrote this how to because no matter how much documentation I read I have not been able to find some of the key pieces of information I needed to accomplish this goal. On a side note, I would like to give a big hello to Alper Bac, current Systems Administrator of Cohos Evamy for his invaluable help in solving some of the AD configuration issues we were having.

On the Mac Server 10.6

Step 1: Check the Active Directory configuration.
Make sure your Active Directory server and its DNS service is properly configured and running.

Step 2: Turn on Open Directory service.
Use Server Admin to turn the Open Directory service on. After the service is turned on you can configure Open Directory service settings.

Step 3: Ensure the computer is a standalone directory service.

Step 4: Connect to Active Directory.

• Go to Server Admin, Open Directory.
• Click Settings button at top, then the General tab. The window should report that its role is “Standalone Directory.” If this is correct you can now click change, otherwise go to Step 3.
• In the pop-up dialogue choose “Connect to another Directory”
• Then Continue, and click “Open Directory Utility”
• The Directory Utility application will appear. If it is locked please unlock it.
• Ensure that active directory is uncheck
• Double click “Active Directory”
• Type in your domain and expand the arrow beside “Show Advanced Options”
• Ensure that “Create mobile account at login” and “Force Local home directory on startup disk” is uncheck. Then click OK
• Quit Directory Utility
• Back in the Open Directory Wizard box click Done
• Open System Preferences and go to Accounts
• Click on Login Options and Click “Join”
• Type the name of Active Directory Domain Controller (DC) in where it says “Server:” as well as the AD Admin user/password credentials in the appropriate boxes. Also give the computer an record name. This name will be the record that is created in Active Directory.
• Once joined the Mac will ask about Kerberos. Just ignore this for now.

Step 5: Set up an Open Directory master.

• Go to Server Admin, Open Directory
• Click Settings button at top, then the General tab. The window should report that its role is “Connected to another directory” If this is correct you can now click change, otherwise go to Step 4.
• Choose the first option “Remain connected and set up an Open Directory Master”
• If it complains about Kerberos just ignore this again.
• Setup the diradmin account. Give it a secure password as this is our Directory Administrator account.
• Now type in a relevant LDAP Search Base. If you don’t know what should go here just click continue. However if you don’t know what goes here yet you’re trying to integrate a Mac into AD I must say that you may be in over your head. 😉
• Confirm your settings and click continue.
• Now in Server Admin we want to set a policy under Open Directory. So click on Policies tab and then Bindings subtab and enable the “Require authenticated binding….” check box.

Step 6: Disable Kerberos on Open Directory master.
Disable Kerberos on your Open Directory Master server to avoid conflicts with your Active Directory Kerberos realm. In a terminal type: (use the diradmin credentials)
sudo sso_util remove -k -a username -p password -r NAME. OF.KERBEROSREALM

Step 7: Kerberize services.
Kerberize your Open Directory server services with the Kerberos realm of your Active Directory server, in a terminal type:
sudo dsconfigad -enablesso

On the Windows Server 2003

What we need to do is assign a home folder to an existing user account. So let’s grab the user account “Test” and map a home folder to it.

• Go to Start, Administrative Tool, Active Directory Users and Computers
• Right click domain name and search for users
• Open Properties and then profile tab
• Click the “home folder” radio button and select an unused drive letter. For our example it will be “Z:” and then enter beside it the Windows File server fqdn in this format. \\fqdn\share\username
• Once you accept Windows will go and create this folder and assign all the appropriate ACLs

On the Mac Client 10.5

What we need to do on the Mac client is bind it to both AD and OD.

Active Directory

• Login as a the local admin user
• Open Applications/Utilities/Directory Utility.app
• Click on “Services” and then double click “Active Directory”
• Expand the Show Advanced Options arrow and disable “Force local home directory on startup disk”
• Now click on “Directory Servers” and click on “+”
• From the drop down select “Active Directory” and type the name of the DC
• Enter the computer ID and AD username/password and click join.
• If this fails then try clicking on Services and double click on Active Directory
• Type in the domain and client ID here and click “Bind”

Open Directory

• Open Applications/Utilities/Directory Utility.app
• Click “+” and select “Open Directory” from the drop down menu
• Type in the name of the ODM
• The computer should ask you for the OD diradmin password and client ID. Type in the same ID as you did for the Windows box (for consistency’s sake)

Now you should have two directory servers listed in the Directory Utility both with green lights.

You should now have a working Magic Triangle. The user and group accounts come from Active Directory and their home folders come from a Windows back File Server. We can now use WGM to introduce things like Portable Home Directories and MCX records. Yay!

Portable Home Directories

• Open WGM (WorkGroup Manager) and authenticate as diradmin
• Create a new group called “Mobility” we’re going to use this group to designate PHD users.
• Under the members tab click on the Plus sign, a side bar should appear.
• At the top of the side bar will be a text string like “Directory: /LDAPv3/127.0.0.1” click on this and change it to “/Active Directory/All Domains”
• Wait up to a couple minutes and you will start to see users from Active Directory appears. You can drag these users into the members pane of WGM. AFAIK you can also embed AD groups although I’ve never tried this.
• Now we have an OD group with an AD user member as well as a computer record from the mac client.
• Let’s click on Preferences for the mobility group and then click on “Mobility” under Overview tab.
• Under account creation tab click on “Always” and check “Create mobile account when user logs into network account” a
• Then click on rules tab and select always for all three subtabs yet leave their default values. Except for checking on “Show status in menu bar” under “options” sub tab
• Now try logging in with your AD account again and watch as the mac creates you a PHD and enables the HomeSync menu.

If you have problems with this process then feel free to leave a comment with some contact info and I’ll try to get back to you and help. I’ll have another post coming up for you Windows Sysadmins on how to easily managed your mac clients with Group Policy. If you would like me to help you directly then please refer to my company website and use our contact form.

Update: Please check out next post regarding the deployment of this solution: http://jordaneunson.com/2010/10/apple-magic-triangle-deployment-results/

Update #2:I had a reader have trouble with this above procedure, we communicated for a while about his setup here: http://www.edugeek.net/forums/mac/72958-magic-triangle-permissions.html

Sharp as a Marble

So if you’ve been reading my blog you’ll know that a couple months ago I quit my 9-5 job. Since then to be honest, I haven’t done much in the way of systems administration. I’ve had a couple contracts here and there but nothing really big. I tell you what, do the skills dull quickly! I sat down the other day to help a friend with a pretty simple problem. He had 10.5 OSX Server and wanted to extend his LDAP schema…. I couldn’t remember how to do it! Or just little things, mostly in bash, like how to tell processes to stfu. Don’t get me wrong I know how to do it, its just not coming to me as quickly as I would like.

To any sysadmins out there thinking about quitting, make a list of things you think are cool and don’t want to forget. Cause soon after your notice, there won’t be anything upstairs! 😉

Cutting the Umbilical Cord

I quit my job. It’s was a big step…. no, it was a huge step towards where I actually want to be in life. I wasn’t happy working a 9-5 day in and day out. I think it has something to do with that salary slave (being paid one flat rate for all my professional services) feeling. That did not jive with how I wanted to live.

However, this new found freedom and choice of working for myself comes with a price. Finding funding. Thankfully my first few months have been funded by some smart decisions on my part as well as person who has a lot of faith in me. You know who you are. My concern actually lies in my next round, which will need to be quite substantial comparatively. It’s at this point that I begin to see the similarities between owning a startup, and having a sign similar to the one on the left. You see, when I had a full time position I was taken care of, in fact the company that I used to work for took care of me and all its employees so well that it was a very difficult decision to leave. When I walked out for the last time and saw that door close behind me the first thing that raced through my mind was; “did I do the right thing?” “Did I just totally screw myself over?” “Can I do this?” For you see, now I have no extended medical, no extended dental, no automatic payment system into my bank account and worst of all no one to blame except myself. This is the price that I have to pay. The sacrifice of that umbilical cord, that lifeline. My cash flow will no longer come via automatically deposited, semi-monthly payments. Instead it will come by means of investors and angels.

It’s a big leap of faith on my part to go after what I dream and at the end of day I feel happier and more fulfilled. I’m sure it will be a big challenge and a huge adventure, and really why wouldn’t I go for it? As Seth Godin pointed out to me in Tribes, it was the fear of the possibility of failure that was holding me back. Once I wrapped my head around that, I quit.

Choice

Force a person to perform an action or accomplish a goal and they will do the absolute minimum.

Allow the same person the choice to accomplish the goal and they will not only accomplish it but go above and beyond the requirements.

I recently learned this while looking over different corporate policies. Companies without vacation policies didn’t worry about employees taking time off near a big deadline; they allowed their employees the choice — if taking time off before a deadline would be wise or not. That choice, that freedom, which the employee can feel, is so important to a company and to a company’s corporate culture. Without choice your workers will feel as just that, workers. Drones. Slaves.

Slaves have no choice, no freedom. They do what they are told or suffer the consequences.

For employees the consequence may be getting “written up” or perhaps even let go. Of course, this however will only motivate an employee to work the bare minimum. Consider the following situation, and again I’m going to use a vacation policy as an example: Bob wants to take time off of work, however the dates he originally selected are days before a large deadline. Bob says to himself, ‘those two days I booked off are coming up but I can’t go because the vacation policy mandates that I can’t.’ Now, what if Bob thouht the following instead: I want to take those two days off but I won’t because that big deadline is coming up. Instead I will take time off the next week. See the difference? It’s can’t versus won’t.

Bob made a choice to move his personal time off around for his company. He wasn’t forced. He chose to. This gives Bob a sense of pride in his work and, by not being forced to move his vacation due to some esoteric policy, by allowing him choice, he has no reason to resent the company.

Same can be said for working from home, taking sick days, whatever.

The more policies you put in place at a company the stricter you make it and therefore the less choice you allow your employees to make for themselves. When your employees are given “The Choice,” then they are choosing to not only do their job, but also to follow a company. Contrast that with being forced by corporate policy; the employees will drag their heels because they know they have no alternative. They are slaves. No choice.

If you want your employees to feel empowered, if you want them to be more productive, then allow them the choice to be productive.