Since this is the first mention of Mandrill I’ve made on this blog, I should probably start with a brief description of what it is. As mentioned in README.md on GitHub, Mandrill is a..
Multi-user web front-end for managing a Munki repository.
Extracting tarballs is something that most unix/linux admins do autonomously. We work like that with most of our cli tools because it makes us more efficient when we think more about what we’re doing than how we want to make the tool(s) do it. But when we want to have the tool do something that isn’t habit, it feels a bit like Windows users feel when they try to close an app on OS X by moving their mouse over the top-right corner of the window only to realize the close button isn’t there.
Most of us who have setup a web server have also had to secure said server. If you’re anything like me, SSL is something that is easily understood superficially, but you just know there’s a lot going on down in the depths of the topic which are just waiting to bite you when you’re not looking. If only there were some tool to tell you just what you’re missing. What’s that GlobalSign? You say you’ve made such a tool and it’s free? Well, thank you very much!
Binding an OS X client to an LDAP server is pretty simple, but when it’s time to scale up, Apple wants us to use proxy servers and load balancers to offer failover and redundancy. This is by far the best approach, but sometimes setting up such a front-end for a cluster of servers is time or cost prohibitive depending on the scope of the project and the size of your fleet. In this case, it would be easier to simply have the OS X clients authenticate to a single server, using a list of trusted replica servers as a failover for when that primary server is unreachable for any reason. RFC4512 defines a LDAP attribute called
altServer, and we can use that attribute to configure exactly such a setup.
No, it’s actually not a file, it’s a directory. At least it’s supposed to be. But, multiple reports from multiple lab maintainers had been coming in that included error messages from applications which were trying and failing to access the user’s keychain store. I started troubleshooting by repairing the keychain with /Applications/Utilities/Keychain Access.app, but that did nothing aside from provide more of the same error messages. I suspected keychain corruption or possibly mucked up permissions, so I opened Terminal to take a look. ~/Library/Keychains was a file!
It took me a while to figure this one out, and now that I know what it was, I’m admittedly a little embarrassed. This is one for #macadminshame. For the machines I maintain directly, I manage the user environment with Local MCX. That’s not a technology that my lab maintainers are comfortable with; they’d much rather login using a special account, make their changes, and then rest comfortably knowing that those changes would be present for everyone who logged into their lab machines. I get that – we all have better things to do than learn about complex technologies that we’ll use less than 3 times annually. So I wrote a logout hook for them that ran when this special account logged out. The script empties the trash, clears caches and logs; generally cleans up the home directory for that account. Once cleaned, it bundles that home directory up in an installer package which I then import into Munki and deploy to the rest of their lab machines for them.
Of all the cleanup tasks that I had been doing, one very important one had slipped right by; ~/Library/Containers/. If you happen to update your Non_localized.lproj, English.lproj, .lproj directory like this (which isn’t recommended), please be sure to purge the contents of ~/Library/Containers.
I didn’t bother trying to figure out which container was touching ~/Library/Keychains because once I realized my error, I knew everything in there needed to go anyway. Moral of the story: Profiles/MCX is the way to go, but if you can’t, make sure you’re not putting anything in /System/Library/User\ Template/.lproj/Library/Containers/.
Also, if you find yourself already in this scenario (hopefully I’m the only one who will), you can fix existing home directories by deleting ~/Library/Keychains (as long as it’s a file, not a directory!) before the user’s next login.
Many thanks to Rich Trouton and Greg Neagle for helping me figure out why case matters to OS X when dealing with UUIDs. Couldn’t have written it better myself!
Originally posted on Der Flounder:
A little-known fact about FileVault 2 is that it uses the GeneratedUID user attribute (also known as a UUID) of an account to help identify enabled accounts. For example, when you run the fdesetup list command, you’ll see the user information appear with both the username and UUID information.
For local accounts, this isn’t an issue as the OS will properly generate a UUID for the local account. Active Directory also generally handles this correctly on Macs, so I haven’t seen UUID problems occur for AD mobile users.
Where I have heard of problems has been with non-Apple LDAP servers. If the LDAP server doesn’t provide the GeneratedUID user attribute for mobile LDAP accounts on Macs, or it does not provide the UUID in the way that FileVault 2 is expecting, you may see one or more of the following behaviors:
1. The LDAP account’s icon disappearing from…
View original 422 more words
whichSwitch is just another one of those things that really ought to be in your toolbox. Sure it doesn’t replace all of the features you’d get with a physical Link Runner, but it’s simple and free, so why not? http://www.computernetworkbasics.com/whichswitch/whichswitch-download/
Updated Nov 18, 2013 – updated for Ubuntu 13.10 and Apache 2.4; including suggestions from Brandon Kerns, submitted in the comments. Thanks Brandon!
Lots of web apps are starting to switch from PHP to Python for the backend, and with good reason, but one thing that’s always bothered me is how many people don’t run their Python apps in Apache. Most people find it easier to run these web apps using a development-grade server such as the stand-alone WSGI server commonly used in Django or Flask projects. Generally, this comes with the follow-up task of making sure the web app’s WSGI instance will automatically launch on boot. Then of course there’s the fact that these server stacks were designed to make development easy; they were never meant to run in production. For that, there’s mod_wsgi. (more…)
A few days ago, I was prompted to publicly release a project that I’ve been using internally to add a bit of Munki-awareness to my DeployStudio workflows. So, once I caught my breath at work, I added the Munki Manifest Selector project to github. Since the documentation is severely lacking, I thought I might post something a little less README-ish in hopes of helping folks along with the installation process. (more…)
About 2 years ago, Edward Marczak created screenrez. The goal was simply to offer a tool to OS X admins that would run on a remote client machine and report the screen resolution in use. Pretty handy, especially in scenarios where a projector is attached to the Mac in question.
The original version only supported one screen, which meant you were in good shape if the client machine’s displays were mirrored. I’ve just forked the project and added multiple screen support along with a little more detailed information, such as the screen’s device name.
Seldom updated, occasionally insightful.
Managing Macs in Education
Trials and Tribulations of an OS X Administrator