dotmac.AU

Use a non-Apple parent for Software Update Server

Andrew — Mon, 26 Oct 2009 07:12:04 +0000

If you run multiple Apple software update servers in your organisation you can point them to another local software update server. This could save bandwidth costs not having to download the same files multiple times.

To point to a server that isn’t Apple’s, all you need to do is change one line change in:

/etc/swupd/swupd.plist

Find the key metaIndexURL and point it to your local server.

You could then use a DNS round robin to spread the load across multiple servers, or simply point individual clients are particular servers.

Keeping user and administrative user passwords in sync

Andrew — Sat, 10 Oct 2009 06:18:24 +0000

Best practice says that your everyday user account should not be an administrative user. The solution? Creating an alternate administrative user and then using those credentials when needed. Deploying in such a scenario to many computers can be confusing for users - in particular having to remember an alternate username and password combination that often will not fall under traditional password age policies. To this end, linking a local administrator account to a users password can simplify password management for users, while maintaining password age policies. Creating a symlink to the localadmin users password hash will make the regular users password the same as a local administrators.

First you need to know both the regular and local administrators GUID as the password hash file is the user GUID. In this example our local administrator account is “localadmin”.

dscl . -read /Users/localadmin GeneratedUID

Repeat the command replacing localadmin with the regular username.

You will need to remove the existing localadmin password hash. In this example localadmin’s GUID is “ABAE7944-FBDD-4FA6-8419-B24AC0293B0D”

sudo rm -R /var/db/shadow/hash/ABAE7944-FBDD-4FA6-8419-B24AC0293B0D

Finally put a symlink in place that points from the regular users password hash to localadmin’s hash. In this example the regular user password hash is “513B539B-7DB2-48C3-93B8-0C33C7B39722″.

sudo ln -s /var/db/shadow/hash/513B539B-7DB2-48C3-93B8-0C33C7B39722 /var/db/shadow/hash/ABAE7944-FBDD-4FA6-8419-B24AC0293B0D

In other words: ln -s /var/db/shadow/hash/regular_user_GUID /var/db/shadow/hash/localadmin_GUID

Creating a user from the command line

Andrew — Wed, 13 May 2009 23:08:10 +0000

Used in conjunction with a modular disk imaging solution this guide explains the basics to create a new user from the command line. The code can be used as a first run script, distributed through Apple Remote Desktop etc.

The “Directory Service command line utility” dscl allows creation and management of user records in Mac OS X. The example below creates a user called “Local Administrator” with a short name of “ladmin”. To set a secure password via a hash file is outlined at the end of the guide.

Create the user (via the short name)
dscl . -create /Users/ladmin

Set the user shell
dscl . -create /Users/ladmin UserShell /bin/bash

Set the user real name
dscl . -create /Users/ladmin RealName "Local Administrator"

Set the user unique ID remembering it must be unique. If you set an ID below 500 and use the “hide 500 users” login window default (defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE) you can create hidden - to the average person - users.
dscl . -create /Users/ladmin UniqueID 510

Set group ID (20 is “Staff”)
dscl . -create /Users/ladmin PrimaryGroupID 20

Set home directory
dscl . -create /Users/ladmin NFSHomeDirectory /Users/edadmin

Set a password temporarily (as an encrypted password will be put in place so it is not stored in plain text)
dscl . -passwd /Users/ladmin temppassword

Set a password hint
dscl . -append /Users/ladmin AuthenticationHint "No hints!"

Finally add the user to admin group (or not in the case of a standard user)
dscl . -append /Groups/admin GroupMembership ladmin

and the _lpadmin group (so that printers can be controlled)
dscl . -append /Groups/_lpadmin GroupMembership ladmin

If a default home directory has been copied in place the ownership will need to be changed to the newly created user. To use this script in a modular disk image solution such as InstaDMG the home directory could be “installed” via a package. If you want a default home folder from the machine do not worry about this step.
chown -R ladmin "/Users/ladmin/"

Setting the password

To keep the password secure as the script is stored in plain text, copying an encrypted password hash file from /var/db/shadow/hash/ of a user on another computer with the desired password will keep it out of plain sight. Once copied to the new computer the hash needs to be renamed to the GUID of the new user.

To find the GUID of the new user
dscl . -read /Users/ladmin GeneratedUID

This will output the GUID that can then be used to remove the existing temporary hash and move the real password hash in place. The following example assumes the the hash file is located in /tmp/usercreate/ as ladmin_hash).

rm /var/db/shadow/hash/GUID_NUMBER_HERE mv /tmp/usercreate/ladmin_hash /var/db/shadow/hash/GUID_NUMBER_HERE

Alternatively as a simple script the GUID can be stored in a variable to then copy the new hash into place.

#!/bin/sh ladminGUID=`/usr/bin/dscl . -read /Users/ladmin GeneratedUID | cut -f2 -d " "` #remove and place new password hash rm /var/db/shadow/hash/"$ladminGUID" mv /tmp/usercreate/ladmin_hash /var/db/shadow/hash/"$ladminGUID"

File permissions for the password hash

-rw------- root wheel

Real simple security configuration of Mac OS X

Andrew — Thu, 12 Mar 2009 05:40:51 +0000

Apple has published a guide on best practice to secure Mac OS X installations in it’s Security Configuration guide. Here are a few commands that are handy on any Mac OS X computer.

Require password to wake from sleep

defaults -currentHost write com.apple.screensaver askForPassword-int 1

Disable automatic login

defaults write /Library/Preferences/.GlobalPreferences com.apple.userspref DisableAutoLogin -bool yes

Disable IR control

defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool no

Next Gen Deployments: Modular Imaging

Andrew — Mon, 16 Feb 2009 06:21:05 +0000

Disk images assist in desktop deployment by ensuring each computer is configured mostly the same, provides a time effective solution to deploying each computer and simplifies desktop management down the track amongst other things. The traditional process of creating the image is to setup a computer exactly as required and then to take a snapshot using any number of the disk imaging tools available. The method is very simple to follow and very effective. Unfortunately once you need to begin supporting multiple configurations the traditional method falls flat.

Enter modular imaging. With the capability of adding to or subtracting from the image on the fly while maintaining the exact foundation on all desktops, modular imaging has numerous advantages over the older snapshot based solution.

Packages

Just the same as applications are installed, modular imaging leverages the package distribution process to build the image. Each application is installed as the image is being built rather than by a human manually installing the application on the master computer. The image will be built exactly the same the first or tenth time it is created and not change unlike building images manually will.

Some applications are already installed by packages but most are simple drag and drop installs without an installation process. Such applications will need to be packaged so that they can be inserted into your image. Fortunately there are various applications available for free and commercially (see links) that wrap the application up in Apple’s package format.

Although the necessity of packaging everything may appear to complicate the image creation process the same packages can also be leveraged by post deployment strategies keeping deployed desktops up to date through Apple Remote Desktop, Casper and other similar solutions.

System Configuration

In Mac OS X every configuration is a file change. If the file that was changed can be located it could be packaged and slotted into the image. Alternatively actions can be performed by “payload free” packages that rather than install files will run a script. Further again to running scripts at installation time, first run on boot scripts can be used to complete final configuration after the desktop has been imaged.

Modular imaging may appear complicated on first investigation but once the methodologies of newer imaging processes are understood the possibilities and advantages quickly become apparent. Whether it is each version of an image created exactly the same each time it’s built or modified through to removing the need to recreate a brand new image next time an updated piece of hardware is released, the flexibility of modular imaging is the next natural step from traditional imaging.

Links

InstaDMG - solution to creating modular images.
Iceberg - free package authoring application.
Apple Remote Desktop - software deployment and remote control.
Casper - commercial desktop management and deployment solution.
fseventer - watches file system changes that aids you in determination of which file is needed for repackaging installers.

Server serial number from terminal

Andrew — Sun, 07 Dec 2008 04:41:53 +0000

Type:

more /etc/systemserialnumbers/xsvr

to output the server’s serial number and registered user.

Video encode test (Core Duo VS Core 2 Duo)

Andrew — Thu, 27 Nov 2008 23:37:05 +0000

The purpose of this test was to identify the comparative speed differences between various Mac computers (including one with a 32-bit Core Duo processor). All systems were running 10.5.5 with VisualHub set to identical settings on each computer. The results are general and a guide only. Time is as reported by VisualHub in MIN:SEC.

The Core 2 Duo performed well compared to it’s older 32-bit predecessor with the 1.83GHz Core 2 Duo Mac mini beating the 2GHz Core Duo MacBook by almost 4 minutes. The 2.66GHz iMac beat the white 2GHz computer by almost 11 minutes but with the comparison between the 2GHz iMac (Late 2006) and 2GHz MacBook (Mid 2007) uncertainities of the speed of the iMac (Late 2006)’s load could have affected the results.

File information
Stargate Continum
Fromat: XVID 624 x 352, 25 FPS, 610.73MB, 938.09 kbit/s
MP3 Stereo 48.000 kHz
Duration: 01:34:33.52

VisualHub Settings
DVD, PAL, Standard Quality (Author as DVD UNselected)

MacBook Air (Mid 2009) - 34:46
1.86GHz Core 2 Duo, 2GB RAM
MacBook (Mid 2008) - 24:53
2.1GHz Core 2 Duo, 2GB RAM
iMac (Early 2008) - 19:59
2.66GHz Core 2 Duo, 2GB RAM
Mac mini (Mid 2007) - 29:34
1.8GHz Core 2 Duo, 2GB RAM
MacBook (Mid 2007) - 27:11
2GHZ Core 2 Duo, 1GB RAM
iMac (Late 2006) - 30:30
2GHz Core 2 Duo, 2GB RAM
MacBook (2006) - 33:08
2GHz Core Duo, 2GB RAM

dirt: testing directory services

Andrew — Tue, 24 Jun 2008 01:54:12 +0000

dirt is a command line goodie that lets you test directory services without the pain of logging in and out to discover if it will let you authenticate. For example:

dirt -u username -n

will check if the user name exists in any of the directories defined on the computer and list what directory it was found in.

Helpful group policies

Andrew — Wed, 02 Apr 2008 22:42:09 +0000

More helpful group policies will be added to this page as time goes on.

Redirect My Documents folder
User Configuration > Windows Settings > Folder Redirection
My Documents

IE7 pop-up allow list
User Configuration > Administrative Template > Windows Components > Internet Explorer
Pop-up allow list

Refresh software update server contents

Andrew — Tue, 26 Feb 2008 03:08:59 +0000

To force software updates residing on Mac OS X software update server removed everything in the /usr/share/swupd/html folder.