AFP548

WWDC 2008 Party: Contest the First

Fri, 09 May 2008 15:34:00 -0500

Haikus are so 2007, so this year our first contest for tickets to our WWDC 2008 bash will be...

Best joke involving directory services.

Write up an original joke that involves directory services in some way. Then e-mail your entry to wwdc2008@afp548.com by Friday June 16th. The top 5 jokes, as picked by the admin staff here, will get 2 tickets to the party.

And you can blame Nigel for picking this contest.

AFP548.com Now Hosting Proton Pack Server

Fri, 25 Apr 2008 09:10:00 -0500

Over the years a lot of people have been confused when setting up a Multicast-ASR (mASR) server. So far there have been two tools out there to help with this: Proton Pack Server and Mac HelpMate. Mac HelpMate is easy to find, but it always seems that people have had trouble tracking down Proton Pack. To that end we are now hosting the Proton Pack Server application on AFP548.com.

Take a look in our downloads section or click here to get started. (Download is 2.46 MB)

InstaDMG: Image Creation Revolution Webcast

Mon, 14 Apr 2008 17:05:00 -0500

The MacEnterprise.org group will be presenting a Webcast on InstaDMG: Image Creation Revolution on April 15, 2008 at 1:00pm EDT (10:00am PDT).

InstaDMG is revolutionizing the way that Mac sysadmins create ASR deployment images and it can help you too. More than just a tool, InstaDMG is actually a methodology for deployment image creation and testing. In this webcast we will cover both the methodology and the reference tool in detail, including a roadmap of the reference script feature set.

For more information on how to view the webcasts, please visit: http://macenterprise.org/content/blogcategory/113/96/

The login ID for April 15th Webcast : MacEnterprise

Passcode for April 15th Webcast is : 724412

Go to the following web page 5-10 minutes prior to the webcast start time: http://webcast.training.apple.com/

Webcast Coordinator

Macenterprise.org

OpenDirectory recipe for 10.4 to 10.5 Migration, keeping your SID intact

Fri, 11 Apr 2008 16:50:17 -0500

As part of some self-documentation, I posted on my personal blog exactly what works and where I found the help for getting an OpenDirectory 10.5 Server running from a 10.4 in production box. The twist is that I needed to keep my SID and other PDC functionality that I've inherited up from 10.3.9. Yes, it can be done, and no you can't upgrade. Below is the reprint from my blog which I'm posting here for posterity:

In EE we've migrated over from various AD and OpenLDAPinstallations to what we hope is a more manageable solution long term.Sadly, upgrading OpenDirectory (MacOSX OpenLDAP-based directoryservices) from 10.4 to 10.5 doesn't work as Apple states it would.Here's the complete recipe we used to keep our data, our passwords, andmost importantly, our domain SID. Apple tends to not care aboutmaintaining the SID in various replica-to-master promotion steps.

As recommended in the above and from other postings, upgrades do not work. Rather, what needs to be done is this:

10.4 Server:

1) go to Server Admin, OpenDirectory, and under the Archive tab,generate an archive of the OpenDirectory DB. Place in admin homedirectory

2) For safe keeping, go to /var/db/samba and get the secrets.tdb file. Place in admin home directory (readable by all)

3)get the current SID by running as root/sudo "net getdomainsid EE" whereEE is the domain we are supporting. Place in home directory

4) copy off to a 3rd party machine the above three files/directories

10.5 Server:

1) Install fresh, and use the exact same IP and name as the 10.4Server. You'll likely need to have these are their own net. Also notethat without a link on the primary interface, smb, dns, andopendirectory don't work. I suggest connecting to the third partymachine listed above, in my case my laptop's physical connection whichI assign to the private net

2) You'll need DNS setuptemporarily, so create a DNS server for your domain (stanford.edu) andcreate a host entry for your self. Point local network settings to selfas DNS server

3) copy over the files saved from 10.4 from the laptop/3rd party machine

4) Make an OpenDirectory Master, using the correct domain "dc=ee,dc=stanford,dc=edu" and correct KRB realm "EE.STANFORD.EDU"

5) import the archive of 10.4

6) run as root "mkpassdb -kerberize"

7)Create a new PDC config for Windows. Use the directoryadminaccount/password to give samba correct access to the OpenDirectory DB

8)edit /var/db/smb.conf to fit the /etc/smb.conf entries you had on 10.4.Likely you'll want to make "local path = " and add "admin users =directoryadmin, domainjoin, @admin" or the like, where the first is thedirectory admin acct, the second is a PDC join account that can'tlogin, but has directory admin rights. @admin works to include anyonein admin group

9) run as root "chflags uchg /var/db/smb.conf" to freeze your samba config. Recommend making a copy as well in the same dir.

10) run as root "net setdomainsid (SID)" where SID is the one you saved from 10.4

11)Go into Workgroup Manager. Change preferences to enable Inspector. Gointo Inspector and select "Config" and then "CIFSServer". The two Valuelines with "xml version.." need to have Edit run against them, andreplace the SID line in each with the SID you just used.

12)restart Samba/Windows services. Check SID with, as root, "netgetdomainsid" and "net getlocalsid EE" or the like. If anything didn'tstick, do 10, 11 again.

13) before going live, one needs toremove reference to the local DNS in Network preferences, andoptionally disable DNS service. This setup also was only tested withWins service enabled as the WINS Server

14) test, test, testfrom Windows including domain logins, enumeration of groups in windowsfor adding domain users, etc. Logs may show if accounts are failing.

On Windows, the simple tests you can do involve the utility "nltest"which is in the free SUPPORT TOOLS (but may not be installed bydefault). nltest /? gives commands although OS-X samba only supportssome of them.

..to list PDC and BDCs ---

nltest /dclist:your_domain nltest /dclist:ee

Domain 'ee' is pre Windows 2000 domain. (Using NetServerEnum).

List of DCs in Domain ee EE-OD (PDC)

The command completed successfully

..to verify schannel ---

nltest /sc_query:your_domain

C:>nltest /sc_query:ee

Flags: 0 Trusted DC Name EE-OD

Trusted DC Connection Status Status = 0 0x0 NERR_Success

The command completed successfully

To do a more detailed check, you can open the Windows Manager and tryto look at the members of the Administrator group for the machine. Whenwe had trouble, it just showed raw SID numbers, even for EEDomAdmins.Once it was fixed, then that showed correctly.

Error cheat sheet:

1. If smb logs show that directoryadmin or domainjoin and the like havethe "wrong sid" in passdb, you'll need to demote/promote WindowsServers to workgroup and back to PDC. You'll need to run "chflagsnouchg /var/db/smb.conf" first and copy back your copied version afterrepromotion as the file will be rewritten. Do step 9-12 again above

2. If kerberos isn't effectively working on clients, you may need toreimport the archive OpenDirectory, rerun "mkpassdb -kerberize" andfollow the above demote/promote steps.

What's weird using Server Admin for managing Amavis in Leopard Server

Fri, 11 Apr 2008 07:00:48 -0500

Leopard server brings us a new interface for managing amavis in Server Admin. But, using some of the options of Server Admin's GUI doesn't modify correctly /etc/amavisd.conf and brings some weird issues

Be careful with notification

the defaults notification address is :

$mailfrom_notify_spamadmin = "spam.police@$mydomain"; # notifications sender

defaults quarantine addresses are :

#$virus_admin = 'virus@your.domain';
#$spam_admin = 'junk-admin@example.com';
#$spam_quarantine_to = 'junk-quarantine@example.com';
#$virus_quarantine_to = 'virus-quarantine@example.com';

only the following addresses will be modified with Server Admin's GUI :

#$virus_admin = 'virus@your.domain';
#$spam_quarantine_to = 'junk-quarantine@example.com';
#$virus_quarantine_to = 'virus-quarantine@example.com';

if you activate notification and quarantine, without editing /etc/amavid.conf, every incoming spam will be sent to:
```
'junk-admin@example.com'
```
example.com is an existing domain but has no MX record, all mails will stay in the 'deferred' postfix queue!
Anthe result is : a lot of mails staying in the queue, a lot of attemptsfor redistribution, a big slow down of your server and big logs with alot of the folowing lines !

Mar 31 04:07:35 mail postfix/smtp[13211]: connect to example.com[208.77.188.166]: Operation timed out (port 25)
Mar 31 04:07:35 mail postfix/smtp[13211]: C401511A59D: to=<junk-admin@example.com>,
	relay=none, delay=30, delays=0.01/0.01/30/0, dsn=4.4.1, status=deferred
	(connect to example.com[208.77.188.166]: Operation timed out)

What's to do with this :

I'd rather prefer trashing spam and virus, but if you don't :
edit /etc/amavisd.conf to replace @example.com with @$mydomain
create the needed mailing boxes (virus, junk-admin, etc...

#$virus_admin = 'virus@$mydomain';
#$spam_admin = 'junk-admin@$mydomain';
#$spam_quarantine_to = 'junk-quarantine@$mydomain';
#$virus_quarantine_to = 'virus-quarantine@$mydomain'; 
$mailfrom_notify_admin     = "virusalert@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "spam.police@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

Empty the deferred queue if you're late reading this ;-)

mail:etc root# mailq		<-- to see what's in the queues

mail:etc root# postsuper -d ALL deferred	<-- to delete the queue content
postsuper: Deleted: 4946 messages

Be careful, thhis command delete ALL the 'deferred' queue content

if you want to verify what was sent to this queue before, you can grep the log :

mail:~ root# cat /var/log/mail.log |grep 'status=deferred'

Mar 31 04:07:35 mail postfix/smtp[13211]: C401511A59D: to=<junk-admin@example.com>,
	relay=none, delay=30, delays=0.01/0.01/30/0, dsn=4.4.1, status=deferred
	(connect to example.com[208.77.188.166]: Operation timed out)

WWDC Party!

Thu, 10 Apr 2008 02:03:41 -0500

We're back again for another year. We'll be at the Thirsty Bear, same place as always, on June 11th. Save the date and we'll have more information on the party times and how to get tickets shortly.

InstaDMG Happenings

Tue, 08 Apr 2008 10:05:00 -0500

I've been quiet for a bit on InstaDMG so I thought I would give an update.

Yes, there is a new version of the reference script coming soon. Work has been crazy lately, and not left me in the office much to work on my dev systems. I'll be posting an actual roadmap of the functions to be added to the code soon. I haven't posted it yet only because I got a fantastic code submission from reader Gordon Davisson. He submitted enough new code that I will be able to jump ahead on several of the milestones after I vet and integrate his changes.

The InstaDMG forums are still hopping with great tips and tricks for getting your build train going. If you haven't poked around in there you should really take a look.

To help with file tracking I've created an InstaDMG category in our downloads section. In the category I have a section for the reference script and one for user submitted packages. Our first upload is a comprehensive take on Instauser, submitted by reader Pete Akins. Feel free to grab it and see if you like it.

Overall we have been thrilled with the response to InstaDMG. Keep sending your feedback and we will keep pushing forward!

LANrev InstallEase Now Free

Wed, 02 Apr 2008 12:48:00 -0500

LANrev announced today that their InstallEase automated packaging tool is now free.

InstallEase is a tool for creating installer packages and has functionalities like automated "Before" and "After" snapshots, installation of files to current user's home folder, exclusion filters and uninstaller packages all wrapped into a graphical user interface for administrators.

Registration is required to get the free download, and is available here -http://www.lanrev.com/solutions/installease.shtml

LabMan 2008

Wed, 26 Mar 2008 00:32:00 -0500

LabMan is a conference of and focused on people who are in the trenches implementing stuff for academic computer labs, kiosks, libraries, and the like. Good place to make contacts with people doing your kind of work at other institutions as well. Tends to be education heavy, is not Mac specific, has a mix of higher Ed and K-12 attendees plus some businesses. Attendance has been in the 170-210 range the last few years.

Note that the attendees ARE the presenters. If you have a nice setup or a unique experience that you think others might be interested in/learn from, submit a proposal.

Official announcement:
http://www.mnsu.edu/labman2008/email/default.htm

Main site:
http://www.labmanconference.org

AD Schema Mods - Request for Testers

Thu, 20 Mar 2008 22:48:00 -0500

So I've cooked up a way of doing schema mods to AD using only Microsoft-supplied tools. This method leverages ADAM, Active Directory Application Mode, but doesn't require you to actually install ADAM on any of your systems.

You should be able to get full MCX management of your Macs from AD using this.

I'm looking for some testers for this that have a Windows 2003 AD domain and a variety of Mac clients that they can test with. The instructions are easy and should only take you about 30-45 mins at most. Note that schema changes, even on 2003, are a fairly permanent thing and should not be taken lightly, so only engage in this if you have a test domain, a virtual machine, or some other setup that you can test with.

If you're game for being a crash test dummy, drop me an e-mail with what your test environment would be.