Archive for the ‘Mac OS X Server’ Category

Retrospect by Roxio

Friday, May 21st, 2010

According to a press release currently making the rounds, the Retrospect product has now been sold to Sonic Solutions, the makers of Roxio. To quote the press release:

We are pleased to let you know that Sonic Solutions purchased the Retrospect backup and recovery software from EMC on May 18, 2010 and is responsible for all aspects of the Retrospect product line and business going forward.

Retrospect will be part of the Roxio Division of Sonic, a leader in digital media software. Adding to our broad range of products for content creation and management capabilities for businesses and individuals, Retrospect plays a critical role in expanding the Roxio business in the backup category. We understand that backup and recovery is critical to both your business and to your customers, and the Retrospect product line significantly enhances our ability to meet these needs.

Sandboxing Chrome

Friday, April 23rd, 2010

Thanks to Google for referencing our post introducing sandbox in their sandboxing design document for Chromium at:

http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design

Their use of sandbox is really over and above what we’ve seen from any other vendor. Each installation contains 3 distinct sandbox profiles (currently I have 4.0.249.49 and version 5.0.342.9, although mileage here may vary according to updates). Each profile allows access only to the files and resources that are absolutely necessary for the process that uses it to complete its task. You can see the specific resources that are accessible by looking at these profiles. The profiles are located at:

  • /Applications/Google Chrome.app/Contents/Versions/4.0.249.49/Google Chrome Framework.framework/Resources/renderer.sb
  • /Applications/Google Chrome.app/Contents/Versions/4.0.249.49/Google Chrome Framework.framework/Resources/utility.sb
  • /Applications/Google Chrome.app/Contents/Versions/4.0.249.49/Google Chrome Framework.framework/Resources/worker.sb

You can view them easily using a simple cat command:

cat /Applications/Google\ Chrome.app/Contents/Versions/4.0.249.49/Google\ Chrome\ Framework.framework/Resources/renderer.sb

You can then edit the profiles easily, for example to enable debug logging for sandbox. This gives you transparency into what Chrome is doing and also allows you to further tighten security, although they have really taken their time to secure Chrome well and lock things down, so we doubt much further restriction is necessary or really possible. Overall, Chrome provides a great example of taking sandbox to the next level and extending it much further into applications with graphical user interfaces than we’ve seen it extended thus far.

10.6.3 Is Out

Monday, March 29th, 2010

For those who have had issues with Samba saving to file shares hosted on Windows Server, EMC or NetApp targets from within Microsoft Office (amongst other minor issues), you’ll be happy to note that Mac OS X 10.6.3 and Mac OS X Server 10.6.3 are now available for download. You can run softwareupdate to pick up the updates, or to download the updates manually see the links below:

Mac OS X Client
Mac OS X Server

318 Open Sources the ASR Setup Tool

Monday, December 14th, 2009

318 has decided to open source our ASR Setup Tool under GPLv3. The tool can now be found at http://asrsetup.sourceforge.net. The ASR Setup Tool is built as a wrapper for the asr command line suite from Apple. The description from SourceForge:

Developed by 318 Inc., ASR Setup Tool is an application for setting up Apple Software Restore (“ASR”). In the context of the ASR Setup Tool, ASR is used for setting up a multicast stream that can then be leveraged for imaging Mac OS X computers.

We hope you enjoy!

Screen Shots & ARD

Tuesday, December 8th, 2009

For what it’s worth, we take ours from the command line. It helps keep proper track of the names of the screens. Simply open up a terminal window on a remote server via Apple Remote Desktop (ARD) and run the following command:

sleep 3; screencapture -iw ~/Desktop/filename.png

When you run that full string as a command you’ll have 3 seconds after hitting enter to highlight your target window, at which point your cursor will switch to the photo in window selection mode. Alternatively, you can run:

sleep 3; screencapture -iwc

This will capture the picture to the remote machine’s clipboard, which can then be copied via ARD and opened in Preview (File -> New from Clipboard).

OmniGraffle Tips & Tricks

Tuesday, December 1st, 2009

Here are some great OmniGraffle Tips and Tricks!

New CLI Options in Final Cut Server

Wednesday, November 25th, 2009

For those of us who thought that the Final Cut Server 1.5.1 update was just a couple of minor bug fixes, there’s a little more than meets the eye. If you run /Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/MacOS/fcsvr_client then you’ll note that there are a few fun new features. While there hasn’t been enough time to thoroughly put the new options through their paces, we do hope to do further reporting on them as we become more comfortable with leveraging them for automations. Stay tuned!

ATTO Fibre Channel + Snow Leopard

Tuesday, November 24th, 2009

If you’re using the ATTO card along with Snow Leopard then the 2.41MP driver on their website is compatible with 10.6, but they have yet to update the website to reflect that it is. These are the drivers for 42ES coupled with the EMC Clarion system:
http://attotech.com/product.php?model=80

You may want to check with Tech Support, but it appears the latest 10.5 drivers will work with 10.6.

Mac OS X 10.6.2 Server Available

Tuesday, November 10th, 2009

Mac OS X 10.6.2 Server is now available. This update represents a great step for environments that have either already made, or are preparing/planning, the upgrade to Snow Leopard Server. In this update, Apple addresses the following issues (from Apple.com):

  • adding and removing imported users in Server Preferences
  • synchronizing Portable Home Directory content
  • using iCal web interface within select time zones
  • previewing and capturing dual-source video in Podcast Capture
  • server-side filtering of incoming mail messages
  • using chained digital certificates for mail services
  • creating images with System Image Utility
  • automating installation of NetRestore images
  • preventing brute force password attacks
  • using sudo command with authenticated Open Directory binding
  • binding to Active Directory domains with invalid service records
  • creation of mobile accounts for Active Directory users
  • correcting a problem that would cause the Software Update cache to grow excessively

Mail Archival

Saturday, November 7th, 2009

There are a number of messaging solutions that allow for automated message archiving. Message archiving can save space, while freeing up valuable resources and can also help to maintain Sarbanes-Oxley compliance (as well as achieve a number of other objectives). But not all messaging solutions allow for automated archival. Enter Mail Archiva into the picture.

Mail Archiva is an open source project aimed at bringing messaging archival to Microsoft Exchange, Zimbra, Mac OS X Server, Postfix, SendMail, IpSwitch, Axigen and a number of other messaging servers.

If you are in need of mail archival then feel free to reach out to us for more information on Mail Archiva today!

Reading Virtual Memory Stats

Thursday, October 29th, 2009

The vm_stat command in Mac OS X will show you the free, active, inactive, wired down, copy-on-write, zero filled, and reactivated pages for virtual memory utilization. You will also see the pageins as well as pageouts. If you wish to write these statistics routinely then you can use the vm_stat command followed by an integer. For example, to see the virtual memory statistics every 5 seconds:

vm_stat 5

New Mac mini w/ Mac OS X Server for $999

Tuesday, October 20th, 2009

Apple has released a new Mac mini that retails for $999. You might be thinking that $999 is just a little bit high for a Mac mini – and you would be right, that is, if it didn’t come with Mac OS X Server. The combination of the price point, the hardware and the software make the new Mac mini with Mac OS X Server a perfect purchase for small businesses and servers geared for use as specific utility servers!

The new Mac mini server comes with no optical drive, which is great because instead you get a pair of internal drives that can be set up in a RAID to protect your data! The server also comes with 802.11n, Ethernet and Bluetooth, allowing a variety of uses.

Call 318 today for more information on this great new product from Apple!

Greylisting and Snow Leopard Server

Thursday, October 8th, 2009

10.6 has introduced the use of greylisting as a spam prevention mechanism. In short, it denies the first attempt by an MTA to deliver a message. Once the sending server tries a second time (after an acceptable amount of delay, proving it’s not an overeager spammer), it can be added to a temporary approval list so future emails are delivered without a delay.

The problem with this is that many popular mail systems, including Gmail, don’t exactly behave as expected, so the messages may take hours before they are delivered. To get around this, the people championing greylisting suggest maintaining a whitelist of these popular, but ‘non standard’ mail servers, allowing them to bypass the greylist process entirely so that their messages are accepted the first time around. The other problem is for companies that send mail through mxlogic and other similar services: the mail is sent from the first available server, potentially causing delays because messages are sent by a different mxlogic box each time.

The problem with this under 10.6 is that there is no GUI or interface to inform you that greylisting is enabled (it gets turned on when you enable spam filtering), and so it just takes forever for messages to hit your inbox. You can start managing the whitelist / greylist system, or you can just turn it off:

cp /etc/postfix/main.cf /etc/postfix/main.cf.bak

vi /etc/postfix/main.cf

Change line 667 from:

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit

To the following (removing check_policy_service unix:private/policy):

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit

You can then run postfix with the reload verb to reload the config files, as follows:

postfix reload
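An added example (not from the original post; the function names are hypothetical): instead of trusting that line 667 holds the setting, this script reads the effective smtpd_recipient_restrictions from a main.cf-style file, reports whether the greylisting policy service is in it, and prints the replacement line, refusing if reject_unauth_destination would not be in the result. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the effective smtpd_recipient_restrictions from a main.cf-style file,
# joined onto one line. Follows the main.cf syntax: a line that starts with
# whitespace continues the previous one, comment and blank lines are skipped,
# and the last definition of a parameter wins.
recipient_restrictions() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (inparam) val = val " " $0; next }
        { inparam = 0 }
        /^smtpd_recipient_restrictions[ \t]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)
            inparam = 1
        }
        END {
            gsub(/[ \t,]+/, " ", val)   # entries may also be comma separated
            sub(/^ /, "", val); sub(/ $/, "", val)
            print val
        }
    ' "$1"
}

# Succeeds when the greylisting policy service named in the post is enabled.
greylist_policy_enabled() {
    case " $(recipient_restrictions "$1") " in
        *" check_policy_service unix:private/policy "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the replacement line with only that policy service removed.
without_greylisting() {
    new=$(recipient_restrictions "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "check_policy_service" && $(i + 1) == "unix:private/policy") {
                i++
                continue
            }
            out = out (out == "" ? "" : " ") $i
        }
        print out
    }')
    # The list ends in "permit", so without reject_unauth_destination ahead of
    # it the server would accept mail for any destination.
    case " $new " in
        *" reject_unauth_destination "*) ;;
        *) echo "reject_unauth_destination is missing, not printing" >&2
           return 1 ;;
    esac
    printf 'smtpd_recipient_restrictions = %s\n' "$new"
}

# Constructed sample (not a real server file). The value spans continuation
# lines, which is why a fixed line number is a fragile way to find it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed main.cf fragment
mydomain = example.com
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
    reject_unauth_destination
    check_policy_service unix:private/policy permit
EOF
greylist_policy_enabled "$sample" && without_greylisting "$sample"
rm -f "$sample"
```

On the server itself, `postconf -h smtpd_recipient_restrictions` prints the same effective value that recipient_restrictions extracts from the file.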

Open Directory Auto Archiver

Saturday, October 3rd, 2009

Have you struggled with Open Directory backups? Do you open up Server Admin and click on the Archive button when an alarm in your calendar tells you to do so? Well, we’re gonna’ help you out then. We’re going to automate backing up your Open Directory. We’re going to invoke the backups through launchd and we’re going to keep them for an amount of time you determine and automatically prune the old ones. We’re going to let you choose the location to store them and the password to unlock them. And we’re going to let you do all this through a graphical package called the 318 Auto Archiver.

Originally written for our own staff we now open it up to you as well.

318 & MacWorld 2010

Thursday, September 24th, 2009

318 is proud to announce that we will have 3 speakers doing a total of 4 sessions at the upcoming MacWorld Conference & Expo in San Francisco in February. Speakers will be Beau Hunter, Zack Smith and Charles Edge.

We will also be announcing some events as the conference gets closer. If you are planning to attend then you can sign up here. We hope to see you there!

The VPN

Wednesday, September 23rd, 2009

A Virtual Private Network, abbreviated “VPN”, is a technology that allows users to connect from one place to another securely.  What makes it secure is that the connection between point A and point B is encrypted.  An encrypted tunnel is built between point A and point B, and then data is passed through that tunnel.

VPNs come in many different types (protocols).   Some of the most common include the following:

PPTP

Often called “dial up VPNs”, it technically extends the functionality of PPP. It was originally started by Microsoft, US Robotics, Ascend Communication, 3Com, and ECI Telematics.  The first draft of their IETF document for the protocol extension was submitted in June, 1996.  The protocol extension is supported by Linux, Mac and Windows workstations.

Current versions of all three operating systems include the VPN Client application pre-installed in the operating system.  All three operating system server versions can also be setup to allow PPTP connections. A Microsoft Routing and Remote Access Server (RRAS) typically uses Microsoft Point to Point Encryption (MPPE) which is based on RSA RC4 and supports up to 128 bit encryption.

IPSec

IPSec is short for Internet Protocol Security.  It works on Layer 3, and is often called “Site to Site VPN”.  It is usually used to connect one LAN to another LAN, most times using two hardware VPN units, one at each side, communicating with each other.  It can also be used to connect a workstation to the corporate LAN, typically using proprietary software from the VPN manufacturer/developer (although you can sometimes use the built-in software in the operating system, as is the case with Windows). The protocol can function in two modes (Transport and Tunnel) and provides end to end security by authenticating and encrypting the packets between parties.  It can support up to 168-bit encryption with 3DES.

SSL VPN

SSL VPN is a type of VPN that allows communication to happen over https via web browsers.  The main advantage of SSL VPN is that no additional client software is required besides a web browser.  Since no software needs to be installed on a computer, a user can access the corporate network via VPN from just about any computer (e.g., a public computer, kiosk, etc.).   The disadvantage is that because it tends to turn the applications you would normally use into web applications, you often lose some of the intended user experience of those converted applications.

L2TP

L2TP is short for Layer 2 Tunneling Protocol.   It doesn’t do any encryption on its own, and is often used in conjunction with IPSec (L2TP/IPsec VPN). The biggest thing to remember about L2TP is that it allows more types of applications to communicate through the VPN connection that otherwise are not supported in a standard IPSec implementation.

In a nutshell, deciding which VPN protocol to implement depends on your budget, the hardware that you have, what will be connecting (workstation/user, or LAN to LAN) and the ease of use.  Please feel free to contact us, and we will be happy to help plan out your VPN infrastructure, or answer any questions that you may have.

New Video on System Image Utility in Snow Leopard

Tuesday, September 1st, 2009

Now that NetRestore has been moved into Mac OS X Server (kinda), we have created a new video on creating a NetRestore image for Snow Leopard.

Snow Leopard Videos on the 318 YouTube Channel

Friday, August 28th, 2009

You can also view the videos individually by clicking on http://www.youtube.com/view_play_list?p=EFFC3A3FF65CC37D.

Video on Using Archive and Restore with Final Cut Server

Friday, July 31st, 2009

Video: Creating a Device on Final Cut Server

Wednesday, July 29th, 2009

Mac OS X Server 10.6 Announced

Monday, June 8th, 2009

You can read the press release at Apple. Highlights include:

  • Half the cost: $499 for Unlimited Clients
  • NetRestore is now bundled with Mac OS X Server
  • Wiki2 includes iPhone and QuickLook-type image display
  • Address Book Server now included
  • iCal Server works with iPhone
  • Push Email Support
  • New iPhone Configuration Utility
  • Supa-fast (OK, that last part is not official)

Mass Deploying Firefox Preferences for Mac OS X

Friday, April 24th, 2009

Firefox has a number of preferences.  Not all are available in the GUI.  To access these preferences, you can simply open Firefox and type the following in the address bar:

about:config

This will allow you to customize preferences, whether or not they’re otherwise known, line by line.  These can then be copied between users, by inserting lines into the preferences file.

Like with most applications on Mac OS X, the preferences for Firefox can be deployed en masse.  It is a bit more complicated than deploying preferences for some other applications.  The reason for this is that the path to the preference file isn’t the same for all users.  The file is located in a profile directory inside the ~/Library/Application Support/Firefox/Profiles directory.  The name of the profile directory is an 8 character string followed by .default.  For example, lzwntwo9.default.  In this folder is a file called prefs.js, which contains all of the preferences for Firefox.  For example, the following line will disable the check for whether you wish Firefox to be the default web browser for a user:

user_pref("browser.shell.checkDefaultBrowser", false);

Once you know what preferences you’d like to push out there are two options to do so (there might be more, but these are the two we’ve used):

  • The first is to edit items in the Firefox.app bundle.  Most of these can be edited using the /Applications/Firefox.app/Contents/MacOS/defaults/profile/prefs.js file, although the home page will be set using the /Applications/Firefox.app/Contents/MacOS/browserconfig.properties file.  One note is that when you go to customize the prefs.js file it will give you a fairly nasty warning, but then it will push changes out to new accounts; however, don’t make any changes while the application is open.  Additionally, this method requires deleting the existing preferences, so if you simply want to push out updates you’ll need to resort to the second method.
  • For the second method, we look at a script that finds the name of the directory located in ~/Library/Application Support/Firefox/Profiles for the user (or all users for computer-based policies) of the system and sets it as a variable.  For example, storing the output of ls ~/Library/Application\ Support/Firefox/Profiles/ in a variable called FFPREFSFOLDER lets the script use ~/Library/Application\ Support/Firefox/Profiles/$FFPREFSFOLDER/prefs.js as the actual path of the file for that user.

Now you can insert (or replace) the line that makes up the specific preference.  This isn’t nearly as clean as using defaults to push out Safari preferences.  But it does provide a way to push out Firefox preferences, be it as a file drop to replace the preferences in the application bundle or as a line edit to alter settings of an existing user’s browser.
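The second method as a script, added here as an example (it is not from the original post, and set_firefox_pref is a hypothetical name): it walks every *.default profile under a Profiles directory and inserts or replaces one user_pref line, keeping a backup. The demonstration at the end runs on a constructed profile tree.

```shell
#!/bin/sh
# Added example, not from the original post. set_firefox_pref is a hypothetical
# helper that sets or replaces one preference in every *.default profile found
# under a Profiles directory.
#
#   set_firefox_pref PROFILES_DIR PREF_NAME VALUE
#
# VALUE is written verbatim: pass false, 42 or '"a quoted string"'.
# Prints the number of profiles updated.
set_firefox_pref() {
    profiles_dir=$1
    pref=$2
    value=$3

    # Accept only characters used in preference names, so the name can sit
    # inside the quoted user_pref() argument without escaping.
    case $pref in
        '' | *[!A-Za-z0-9._-]*)
            echo "refusing preference name: $pref" >&2
            return 2
            ;;
    esac

    updated=0
    for profile in "$profiles_dir"/*.default; do
        prefs=$profile/prefs.js
        # Skips an unmatched glob and profiles that have no prefs.js yet.
        [ -f "$prefs" ] || continue

        tmp=$(mktemp "$profile/prefs.js.XXXXXX") || return 1
        # Copy every line except an existing entry for this preference.
        # -F matches the name literally, so its dots are not wildcards.
        # grep exits 1 when nothing is left to copy, which is not an error.
        grep -v -F "user_pref(\"$pref\"," "$prefs" > "$tmp" || [ $? -eq 1 ] ||
            { rm -f "$tmp"; return 1; }
        printf 'user_pref("%s", %s);\n' "$pref" "$value" >> "$tmp"

        # Keep a backup, then overwrite in place so prefs.js keeps its owner
        # and mode when this runs as root against another user's profile.
        cp -p "$prefs" "$prefs.bak" && cat "$tmp" > "$prefs"
        status=$?
        rm -f "$tmp"
        [ "$status" -eq 0 ] || return 1
        updated=$((updated + 1))
    done
    echo "$updated"
}

# Demonstration on a constructed profile tree.
demo_root=$(mktemp -d)
mkdir "$demo_root/lzwntwo9.default"
printf 'user_pref("browser.shell.checkDefaultBrowser", true);\n' \
    > "$demo_root/lzwntwo9.default/prefs.js"
set_firefox_pref "$demo_root" browser.shell.checkDefaultBrowser false
cat "$demo_root/lzwntwo9.default/prefs.js"
rm -rf "$demo_root"
```

Run it while Firefox is closed: a running Firefox rewrites prefs.js when it exits and would discard the edit.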

File Replication Pro Story About 318

Wednesday, March 25th, 2009

The File Replication Pro folks have published a customer success story outlining some of the ways we’re using their product. Check it out and if you have any questions about what we’re doing with it feel free to drop us a line!

File Replication

Thursday, February 19th, 2009

Performing replication between physical locations is always an interesting task. Perhaps you’re only using your second location for a hot/cold site or maybe it’s a full blown branch office. In many cases, file replication can be achieved with no scripting, using off the shelf products such as Retrospect or even Carbon Copy Cloner. Other times, the needs are more granular and you may choose to script a solution, as is often done using rsync.

However, a number of customers have found these solutions to leave something to be desired. Enter File Replication Pro. File Replication Pro allows administrators to replicate data between two locations in a variety of fashions and across a variety of operating systems in a highly configurable manner. Furthermore, File Replication Pro provides delta synchronization rather than full file copies, which means that you’re only pushing changes to files and not the full file over your replication medium, greatly reducing required bandwidth. File Replication Pro is also multi-platform (built on Java), allowing administrators to synchronize Sun, Windows, Mac OS X, etc.

If you struggle with File Replication issues, then we can help. Whatever the medium may be, give us a call and we can help you to determine the best solution for your needs!

Shared Memory Settings Explained

Friday, February 6th, 2009

Shared memory is a method of inter-process communication (IPC), where two processes communicate with each other through shared blocks of RAM. Because communication is resident in RAM, shared memory allows for very fast communication between processes. There are significant drawbacks to shared memory; one obvious limitation is that all communicating processes must exist on the same box. Additional complexities with the implementation of shared memory mean that it is typically relegated to lower-level, performance oriented systems, such as databases or backup systems.

In OS X, these settings MUST be tweaked if you are expecting to backup significant amounts of data with any semblance of speed or stability. I can confirm that both TiNa and NetVault use shared memory for IPC. Other products such as Retrospect or PresStore utilize other IPC methods, such as named pipes.

kern.sysv.shmall
shmall represents the maximum number of pages able to be provisioned for shared memory. It determines the total amount of shared memory that the system can allocate. To determine total system shared memory, multiply this value by the page size. The page size can be determined via `vm_stat` or `getconf PAGE_SIZE`. A typical page size is 4KB, 4096 bytes.
In OS X, Apple uses extremely conservative settings for shmall. At 1024, OS X defaults to only 4MB of shared memory.

kern.sysv.shmseg
shmseg represents the maximum number of shared memory segments each process can attach. Default in OS X is 8.

kern.sysv.shmmni
shmmni limits the number of shared memory segments across the system, representing the total number of shared memory segments. Default in OS X is 32.

kern.sysv.shmmin
shmmin is the minimum size of a shared memory segment; this should pretty much never need modification. Default is 1.

kern.sysv.shmmax
shmmax is the maximum size of a segment. Default in OS X is 4 MB, 4194304.

Suggested Settings:

512MB of shared memory
kern.sysv.shmall: 131072
kern.sysv.shmseg: 32
kern.sysv.shmmni: 128
kern.sysv.shmmin: 1
kern.sysv.shmmax: 536870912

1GB Shared memory
kern.sysv.shmall: 262144
kern.sysv.shmseg: 32
kern.sysv.shmmni: 128
kern.sysv.shmmin: 1
kern.sysv.shmmax: 1073741824

Mac OS X 10.5: Time Machine at the CLI

Saturday, October 18th, 2008

You can customize what Time Machine does not back up by using the following plist:

/System/Library/CoreServices/backupd.bundle/Contents/Resources/StdExclusions.plist

Simply add the strings that you don’t want to back up and it will no longer back up those locations. Remove the strings to re-add them at a later date.
In the UserPathsExcluded key, you can exclude paths that are relative to users’ home directories.

Mac OS X Server: Cascading Software Updates

Thursday, August 7th, 2008

Software Update Services allow your server to cache updates from Apple and then redistribute them to clients within your organization. Now, this is going to greatly cut down on the amount of bandwidth consumed when new software patches are released. But if you have a large distributed organization you might want to have multiple Software Update Servers daisy-chained together in a cascade to download updates from each other and provide updates to sets of clients (maybe they’re geographically separated or you just have too many clients to provide updates to for just one server). Cascading the Software Update Services would further conserve bandwidth in your environment if you have multiple Software Update Servers.

In order to cascade Software Updates from one server to another you would first set up your first Software Update Server. Let’s say that we set it up as SUS1.domain.com and set it to run on port 8080. Next you would set up your second server (let’s call it SUS2.domain.com) and edit the “metaindexURL” key (by default it’s set to be swscan.apple.com) of the file /etc/swupd/swupd.plist. So you would change the key to be SUS1.domain.com/content/meta/mirror-config-1.plist.

launchdaemons vs. launchagents

Thursday, July 10th, 2008

There are two types of services that launchd manages:

Launch daemons can run without a user logged in. Launch daemons cannot display information using the GUI. Launch daemon configuration plist files are stored in the /System/Library/LaunchDaemons folder (for those provided by Apple et al) and /Library/LaunchDaemons (for the rest).

Launch agents run on behalf of a user and therefore need the user to be logged in to run. Launch agents can display information through the window server. As with launch daemons, launch agent configuration plist files are stored in the /System/Library/LaunchAgents and /Library/LaunchAgents folders. User launch agents are installed in the ~/Library/LaunchAgents folder.

Mac OS X Server: Dealing with Directory Services Woes

Sunday, June 22nd, 2008

In Mac OS X Server, the Directory Services daemon will occasionally just stop working. To terminate it you can just run the following command:

killall DirectoryService