Posts Tagged ‘System Preferences’

Quick Update to a Radiotope Guide for Built-In Mac OS X VPN Connections

Tuesday, March 26th, 2013

Just a note for those folks with well-worn bookmarks to this post on Ed Marczak’s blog, Radiotope.com, for authenticating VPN connections with Mac OS X Server’s Open Directory, which is still valid today. When trying to use the System Preferences VPN client/network adapter with the built-in L2TP server in Sonicwall, though, I was curious why OD auth wasn’t working for me, but users that were local to the Sonicwall were. It had been a while since the last time I’d set it up, so I went search engine spelunking and found a link that did the trick.

In particular, a comment by Ted Dively brought to my attention the fact that you need to change the order that the L2TP service is configured to use for authentication type, to PAP instead of the more standard MSCHAPv2. (In the VPN sidebar item, L2TP Server, click the Configure button; the setting is under the PPP tab of the pop-up.)

Where it's done

We hope that is of help to current and future generations.

Xsanity Article on Managing Fibre Channel from the Command Line

Friday, January 23rd, 2009

We have posted another article on Xsanity. This one is on managing Fibre Channel settings from the command line. The following is an excerpt from the article:

Once upon a time there was Fibre Channel Utility. Then there was a System Preference pane. But the command line utility, fibreconfig, is the quickest, most verbose way of obtaining information and setting various parameters for your Apple branded cards.

To get started with fibreconfig, it’s easiest to start with just asking the fibreconfig binary to simply display all the information available on the fibre channel environment. This can be done by using the -l option as follows:

View the full article here.

Leopard Server: New Managed Preferences

Wednesday, June 11th, 2008

If you’re familiar with Managed Preferences in Tiger then you’re basically already familiar with Managed Preferences in Leopard Server. But there are some great new features that Apple has provided us with by popular demand. These include the following:

Applications
There are now more features to the Applications Managed Preference. You can allow or disallow applications by selecting them individually or by folder. This means that you can allow access to applications located in the /Applications folder but disallow all applications located in the /Applications/Utilities folder. There are also now controls for allowing specific widgets and disabling Front Row.

Finder
There are new options to limit users from doing tasks when in the Finder such as Ejecting a disk, connecting to servers, rebooting and burning disks.

Login
You can now control the list of users that are displayed to a user during login times to show Mobile accounts and network users. You can show/hide the restart button, disable automatic logon, enable Fast User switching, set the local computer record name to the name of the computer on the server, enable guest access, control the inactive time to logout users and configure computer based Access Control Lists.

Mobility
Mobility now allows administrators to set an expiry for a user’s home folder on the system they are logging into. This allows administrators to keep local desktop systems from getting polluted with hundreds of home folders without using custom scripts to do so. Administrators can also now force accounts on local systems to use FileVault with Mobility accounts to keep data on local systems as secure as possible, and set quotas for user home directories. Finally, it is also now possible to control the path where the user home folder is located on local desktops.

Network
Administrators can now Disable Internet Sharing, Airport and Bluetooth for client computers.

Parental Controls
Hide profanity in the dictionary, control access to web sites, set the amount of time per day that a computer is allowed to be used and set times when login is not allowed in this new Managed Preference.

Printing
Force users to put their user name, date and/or MAC address in a page that is sent with each print job.

System Preferences
Allow or deny access to each System Preference (including the new ones).

Installing Lithium on Mac OS X

Thursday, November 1st, 2007

Installing Lithium Core 4.9.0

1. Make sure the system is not currently a web server and port 80 is available.

2. Download the Lithium 4.9.0 package.

3. Double-click on the Core 4.9.0 Installer.

4. Click Continue through the license agreement screens.

5. Choose the packages to install and click on Continue.

6. Choose the location to install the Lithium Core application and click on Install.

7. Enter the credentials of an administrator and click OK.

8. When the installer is complete, click on the Close button.

9. Open Lithium Core Admin from the /Applications folder.

10. Click Next and enter the name of the client for whom you are installing Lithium.

11. Click Next and enter a new administrative username and password for accessing Lithium.

12. Click Next and you will be placed into the database configuration screen. Unless you are using PostgreSQL on another host, do not modify these settings.

13. Click Next and double-check the settings. If they look good then click on the Finish button and enter administrative credentials to commit the changes.

14. When you open Lithium Console from the /Applications folder for the first time you will be asked whether you would like to check for updates each time. Click Yes.

You have now installed Lithium and can move on to adding hosts to be monitored.

Kerberos Pruning Script

Friday, October 26th, 2007

I have noticed that over time inconsistencies can arise where a machine entry will be deleted from LDAP but the relevant Kerberos principals remain in the KDC. Here’s a small script that I wrote up to help prune out unwanted/stale Kerberos principals. Obviously great care must be taken when running this script; if you delete a principal that is still in use, things ARE going to break. So, think before you type. That being said, if you’re not interested in typing 20 delprinc commands, this script is for you.

Usage: %pruneKerb.sh query

pruneKerb will then list all principals matching “query” (standard case-sensitive grep match)

It takes a single argument, query, and outputs a list of matching Kerberos principals, presenting the user with the option to delete individual principals, delete all principals, or simply print a list of matching principals.

Please read the script’s comments for more information.

pruneKerb.sh
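
A sketch of the behaviour described above, added here as an example; it is not the author's pruneKerb.sh. It assumes MIT kadmin.local run as root on the KDC; the function names, the list/ask/all modes and the skip-list for the realm's own krbtgt, kadmin and K/M principals are assumptions of this example.

```shell
#!/bin/sh
# Added sketch of the behaviour described in the post; not the author's pruneKerb.sh.
# Usage: sh prune-sketch.sh <query> [list|ask|all]   (default: list, deletes nothing)
KADMIN=${KADMIN:-kadmin.local}   # assumption: run as root on the KDC itself

# Filter `listprincs` output on stdin: keep lines that are a single principal
# name, drop the realm's own infrastructure principals (added safeguard), then
# apply the case-sensitive grep match on the query.
match_principals() {
    grep -E '^[^[:space:]]+@[^[:space:]]+$' |
        grep -Ev '^(krbtgt|kadmin|K/M)[/@]' |
        grep -- "$1"
}

delete_principal() {
    "$KADMIN" -q "delprinc -force $1"
}

prune() {
    query=$1
    mode=${2:-list}
    case "$mode" in
        list|ask|all) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    "$KADMIN" -q listprincs 2>/dev/null | match_principals "$query" |
    while IFS= read -r princ; do
        case "$mode" in
            list) printf '%s\n' "$princ" ;;
            all)  delete_principal "$princ" ;;
            ask)  printf 'Delete %s? [y/N] ' "$princ" >&2
                  read -r answer < /dev/tty
                  if [ "$answer" = y ]; then delete_principal "$princ"; fi ;;
        esac
    done
}

if [ $# -gt 0 ]; then prune "$@"; fi
```

Run it in list mode first and read the output before choosing ask or all.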

Troubleshooting KDC setup in 10.4

Wednesday, October 10th, 2007

During the Apple Open Directory Master creation process, scripts start up the Kerberos Key Distribution Center (KDC) and create the necessary encryption keys, or “principals”, for all the services that can be Kerberized and used with single sign-on.

The KDC creation process is triggered automatically by “promoting” an OD server to the role of “Master” in the Open Directory section of the Server Admin application.

You can normally tell if this scripted creation process completed successfully by:

Checking the Overview tab of the OD section of Server Admin to confirm that Kerberos is running (not “stopped”).

The definitive way, however, to check whether the process completed successfully is to see whether the local Kerberos principals were created in the “/etc/krb5.keytab” binary file. You can do this by issuing the following:

$ sudo kadmin.local -q "listprincs"

and also

$ sudo klist -kt

You should see all the principals for services such as afpserver, imap, pop etc. The lowercase names after the service name (i.e. imap/xserve.company.com@XSERVE.COMPANY.COM) conform to the fully qualified domain name, a.k.a. DNS hostname, of the server’s primary network interface. The uppercase names should also conform to the fully qualified domain name, but theoretically could have been changed in advanced configurations (perhaps by you at promotion in Server Admin, though normally there is no need).

If what you see does not match what’s normal (as listed above), you should attempt to repair the Kerberos configuration using the following procedures.

Before you do anything else, check DNS, and then check DNS again. As a quick fix as well, you should not use a password with a space in it for the diradmin user; doing this has known issues with Kerberos KDC creation.

The values that are automatically filled in to Server Admin for KERBEROS.REALM and the dc=ldap,dc=search,dc=base are derived from the system’s hostname, i.e.

hostname = mail.318.com
default kerberos realm = MAIL.318.COM
default searchbase = dc=mail,dc=318,dc=com

So when you promote the server, the values that are automatically filled in should give you a good idea whether something is not correctly configured. The two most commonly seen incorrect values are something like mail.local or secondnic.318.com, but in rare circumstances you may also see localhost. NOTE: in 10.3 these values were tied to the “Search Domains” section of System Preferences, but in 10.4 they come from the system’s hostname.

The system’s hostname is pulled using the following:

The DHCP hostname (the server is hopefully not using DHCP).

The reverse DNS record, or PTR record, for the primary network interface, i.e. the top of the active list under “Network Port configurations” in System Preferences, or the “default” route when using $ netstat -rn

You can verify the PTR record by determining this IP and running the host command on it.

$ host 192.168.55.8

which will show output such as: 8.55.168.192.in-addr.arpa domain name pointer mail.three18.com.

This information should match the output of the hostname command:

$ hostname

mail.318.com
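
The checks above as one script, added here as an example and not part of the original post: it derives the realm and search base the way the post describes and compares the hostname with the PTR name before you promote. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-promotion check of the values Server Admin derives from
# the hostname. Usage: sh check-kdc-name.sh <primary-interface-ip>

# mail.318.com -> MAIL.318.COM
realm_from_hostname() {
    printf '%s\n' "${1%.}" | tr '[:lower:]' '[:upper:]'
}

# mail.318.com -> dc=mail,dc=318,dc=com
searchbase_from_hostname() {
    printf '%s\n' "${1%.}" | sed -e 's/^/dc=/' -e 's/\./,dc=/g'
}

# Read `host <ip>` output on stdin; print the PTR target without trailing dot.
ptr_name() {
    awk '/domain name pointer/ { sub(/\.$/, "", $NF); print tolower($NF); exit }'
}

# check_hostname <hostname> <ptr-name>: explain the problem and return 1,
# or print nothing and return 0 when the name is safe to promote with.
check_hostname() {
    name=$(printf '%s' "${1%.}" | tr '[:upper:]' '[:lower:]')
    ptr=$2
    case "$name" in
        localhost|localhost.*) echo "hostname is localhost"; return 1 ;;
        *.local)               echo "hostname ends in .local"; return 1 ;;
        *.*)                   ;;
        *)                     echo "hostname is not fully qualified"; return 1 ;;
    esac
    if [ -z "$ptr" ]; then echo "no PTR record found"; return 1; fi
    if [ "$name" != "$ptr" ]; then
        echo "PTR name $ptr does not match hostname $name"; return 1
    fi
    return 0
}

if [ $# -gt 0 ]; then
    h=$(hostname)
    if check_hostname "$h" "$(host "$1" | ptr_name)"; then
        echo "realm:      $(realm_from_hostname "$h")"
        echo "searchbase: $(searchbase_from_hostname "$h")"
    else
        exit 1
    fi
fi
```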

Tethering a Motorola Q and Mac OS X

Saturday, February 17th, 2007

First the Motorola Q must be paired with the computer.
• Enable Bluetooth and go to the Bluetooth Setup Assistant
• Set up a Mobile Phone
• Select the Mobile Phone Name as set up in the phone (Bluetooth Settings)
• Enter the pairing security number into the phone when prompted; this number will automatically be generated by the Mac OS X wizard
• Now the wizard will detect what services are available on the device. When given the option for how to use the paired device, select use device for Dialup Networking connection and select Continue

Setup Bluetooth Dialup Network Settings
• Username = Verizon Wireless Telephone number@vzw3g.com (example 3105551234@vzw3g.com)
• Password = vzw
• Phone Number = #777
• Apple Modem Script = Verizon Support (PC 5220)

Connecting Via Paired Q with Mac OS X
• Open Internet Connect
• Select Bluetooth
• Click Connect

Bluetooth Modem Setup for PPC-6700 and Mac OS X

Thursday, January 11th, 2007

Here are the instructions on how to tether your Windows Mobile smartphone to a Mac OS X computer over Bluetooth:

1. First, you will need to pair the handheld with the laptop. When doing this, select “Other Device” rather than a mobile phone. Make sure that when you’re setting up your mobile phone’s Bluetooth capabilities within Mac OS X you check “Access the Internet with your phone’s data connection.” If your phone is already paired and you initially forgot to select this option you can find it at System Preferences | Bluetooth | Devices [choose your device] | Configure.

2. Download the “Windows Mobile GSM.zip” archive of modem scripts (see the Documents tab for this KBASE article). You should probably try the 460k script first (which will handle most EDGE/3G phones), and if that doesn’t work, fall back to the other two.

3. Unpack the archive and place the scripts into /Library/Modem Scripts/.

4. Go to System Preferences | Network | Show: [Bluetooth]

5. Click on PPP Options and make sure that “Use TCP header compression” is unchecked. Click OK.

6. Click on Bluetooth Modem and choose the “Windows Mobile GSM 460k” script from the drop-down list (note the update in step 2; you may want to use one of the other scripts if this one does not perform well; a Sprint PCS Vision script is also included in Mac OS X).

7. Disable both “Enable error correction and compression in modem” and “Wait for dial tone before dialing.”

8. Click on PPP. Leave all fields blank except the Telephone Number field….

9. Enter #777 as the phone number.

10. Click Dial Now and then click Connect.