pingraph
Fri, 20.08.10
I am troubleshooting some network issues and was trying to find an automated way to continuously monitor connectivity between a host and a server. One thing that sprang to mind was to run ping in the background, with a reasonable interval, in the hopes of perhaps narrowing down the network issues to a particular time frame.
This resulted in a ping dump with over 30 000 "samples" which weren't that useful as such. So I wrote a little PHP script to parse the ping output. The script (which is now part of MTK) generates a CSV file with the first column being the timestamp and the second the ICMP ECHO delay. When I run Gnuplot on it, I get something that looks like this:
Which is actually pretty cool. I can see right away that during the 24 hours, the delay has never increased over 0.7 ms. There's also an interesting gap around 0.2 ms.
pingraph also has another "mode" of operation. If the number of samples is small (<= 100), then it tells Keynote to draw the graph:
I found that anything above 100 data points chokes osascript.
Anyways, in a serious environment you'd probably have Nagios or some other nice tool to do this for you, but for my purposes this was good enough. Some day I'll try to add a simple method to filter the data set to specific timeframes...
tags: code
A Script for Remote Desktop
Wed, 18.08.10
One silly feature omission in Apple Remote Desktop is the lack of an "Open SSH connection" command that opens a Terminal window with a connection to the currently selected machine. Luckily we can create this ourselves pretty easily:
tell application "Remote Desktop"
    -- Address and logged-in user of the computer selected in the ARD window
    set theIp to Internet address of selection
    set defaultUser to current user of selection
    -- Ask which account to log in as, pre-filled with the current user
    set theUser to text returned of (display dialog "" default answer defaultUser)
    tell application "Terminal"
        activate
        -- quoted form keeps shell metacharacters typed into the dialog from being interpreted
        do script "ssh -l " & quoted form of theUser & " " & theIp
    end tell
end tell
Save that as a script with AppleScript Editor named "Open SSH connection" under ~/Library/Scripts/Applications/Remote Desktop and now you have a way to do just that straight from the menu bar.
tags: code | tips
Not Very Helpful
Fri, 30.07.10
This still cracks me up when I see it:
this makes it much more useful. Thanks to Robbie for the hint!
tags: random
Toot That Horn!
Wed, 23.06.10
Some months ago I was helping out on a pretty big installation project. An office of about 60 Macs, 4 servers and 3 networks was basically rebuilt from scratch over the course of one weekend. One of the (many) problems we encountered was a total blackout of printing from any Apple app if the user had admin rights. The print dialog would come up, but the printer menu would be empty and none of the buttons would work, to the point that you had to force quit the app to cancel the print operation. One of the weirdest bugs I have ever come across.
After spending hours in the network closet, systematically unplugging each device to see if it had any effect on the issue, I finally found it - it was a printer whose Bonjour name was "Mörkö". The problem disappeared after renaming it to "Morko". So I filed a bug report.
It turned out Apple saw this as a security issue and so they took it very seriously and I'm happy to report that it's been resolved in 10.6.4:
I think this might be the first time one of my bug reports has actually been fixed. It was really nice to see Apple take this as seriously as they did and it actually motivated me to keep reporting bugs in the future (I had kinda given up on that after all those "known issues"). Of course, having your and your fledgling company's name mentioned on apple.com never hurts either (even though probably 9 people in the world actually read the detailed contents of Security Updates). :-)
tags: random
Kannel Installer
Mon, 21.06.10
Kannel is a great platform for all things mobile. We use the SMS gateway feature with our service management system to notify customers when their machines are ready for pickup. All you basically need is a mobile phone which you can connect to your Mac via USB and Kannel.
Surprisingly, it's not available through MacPorts or Fink and compiling it from source has been rather tricky in the past. Through some experimentation I found that the CVS version works better on 10.6 and was even able to build a universal binary of it. We've been running this version for months now on a Mac mini and an old Nokia phone.
You can download the installer from here. In addition to the application it also includes launchd jobs for bearerbox and smsbox. Check /etc/kannel.conf before loading them in. The full Kannel documentation is available here.
I've only been able to test this with 10.6, let me know if you have problems on 10.5. One day I hope to find time to write a more detailed article on how to set this up...
tags: software
Resizing RAID Volumes
Sat, 24.04.10
First off, beware - there are two documents on apple.com, both titled "RAID Utility User Guide - Instructions for setting up RAID volumes on a computer with a Mac Pro RAID Card or Xserve RAID Card" (here and here).
The first was created in 2007, the second in 2009. I would assume the latter is more relevant. On page 10 of that document we find the following statement:
Expanding a Volume
You can use the command line to expand (add space to) an existing volume from the available space on the RAID set that hosts it.
Expanding a volume doesn’t affect data already on the volume.
To expand a volume:
Open Terminal and enter the following command:
$ sudo raidutil modify volume --expand -n volume -s size
where volume is the name of the volume as shown by the raidutil list volumeinfo command and size is the amount of space you want to add to the volume.
Having been tasked with reorganizing some storage in a late 2008 Xserve, I thought this is perfect - I can resize my volumes without having to format/restore the whole server. In the worst case scenario, maybe having to restore the boot partition, but that's fine. So, boot up the installer, Utilities > Terminal, and:
# raidutil modify volume --expand -n R1V2 -s 1.6TB
Unsupported by this version of the hardware/firmware.
Whatever. You kinda get used to this sorta crap dealing with Apple's servers. Of course, they don't have to explain to my users why the server upgrade's gonna take 3x more time than planned. This is the reason you should never give any time estimate on how long an upgrade will take - this gig just went from a few hours to an entire day, just due to this tiny detail.
Maybe they'll fix this some day (or just withdraw the instructions), I don't know, but it's something to be aware of, for sure.
tags: server | bugs
Seeing Double
Sat, 10.04.10
There's a bug in iCal that in some situations will show every name twice when adding attendees to an event. Adding one of them will always give an error (the oh-so-not-helpful tiny exclamation mark next to the name). iCal will still add that "ghost", but the invitation will obviously never be sent.
At first this looked a bit like the proxy bug, but since this isn't about delegates, but actual user accounts (and since running proxyclean didn't find any errors) I turned my attention to Open Directory. Luckily, iCal Server 2 comes with actually helpful logging, even at Information log level, just:
tail -f /var/log/caldavd/error.log
and you'll be able to see exactly how caldavd is talking to OD. Looking at that I was able to determine that OD was actually returning all the right search results (when the user was typing a name of the attendee). But even when OD returned just 1 record, iCal would still show 2. Then I remembered seeing a button in iCal > Preferences > Advanced called "Clear Attendee Cache".
"Yes! The attendee cache! Sounds like just the thing!" - I yelled, only to find the button no longer there, in 10.6:
Well, let's make that "button" ourselves. Fire up Remote Desktop, select the ailing machines, click "Send UNIX command" (as the currently logged in user), and:
killall -m '^iCal$'
mv ~/Library/Caches/com.apple.iCal ~/.Trash/
open /Applications/iCal.app/
And voilà! Problem solved!
tags: bugs | tips
Nokia Phones and Your Server
Sat, 10.04.10
If your organisation uses Nokia phones, then by default, a stock 10.6 mail server will be pretty much useless to them. Even with some fairly recent hardware (E72), the phones won't be able to send or receive any mail. Here's how to make it work:
- Enable PLAIN authentication for IMAP, POP and SMTP. This isn't such a big issue if you're using SSL, since the password then travels inside the encrypted connection. Some Nokias might actually do CRAM-MD5 off the bat, but sooner or later you will run into a user who can't log in.
- Enable "SMTPS" support in Postfix. "SMTPS", on port 465, was a "brilliant" Microsoft idea to start using port 465 for secured SMTP connections after they apparently couldn't get Outlook 2000 to work with port 25. They just missed the fact that 465 had already been assigned to another protocol by IANA. What's fine for Microsoft's fine for Nokia. Unfortunately, changing the mail client on a mobile is a bit more difficult than moving your poor Outlook user to Thunderbird, so:
sudo nano -B +30 /etc/postfix/master.cf
<uncomment lines 30-33> and save
sudo postfix reload
And also don't forget to forward tcp/465 to your mail server in your firewall.
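The post identifies the stanza by line number; the check below, an added example that is not part of the original post, identifies it by content and reports whether the port 465 service came up with implicit TLS and SASL authentication. The function name, status labels and sample master.cf stanzas are constructed for illustration, modelled on a stock Postfix master.cf.

```shell
#!/bin/sh
# Added example, not from the original post: confirm what a master.cf edit
# actually enabled. Function name and status labels are hypothetical.

# smtps_status FILE -> disabled | enabled-no-tls-wrapper | enabled-no-auth | ok
smtps_status() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        /^[ \t]/ {                             # indented line continues a service
            if (in_smtps) opts = opts " " $0
            next
        }
        {                                      # first line of a service entry
            in_smtps = ($1 == "smtps" || $1 == "465") && $2 == "inet"
            if (in_smtps) { found = 1; opts = $0 }
        }
        END {
            if (!found) { print "disabled"; exit }
            if (opts !~ /smtpd_tls_wrappermode=yes/) {
                print "enabled-no-tls-wrapper"; exit
            }
            if (opts !~ /smtpd_sasl_auth_enable=yes/) {
                print "enabled-no-auth"; exit
            }
            print "ok"
        }' "$1"
}

# Constructed sample files.
demo=$(mktemp -d)
cat > "$demo/stock.cf" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
# Only the service line uncommented: 465 listens, but without implicit TLS.
sed 's/^#smtps/smtps/' "$demo/stock.cf" > "$demo/partial.cf"
# Service line and all -o options uncommented.
sed 's/^#smtps/smtps/; s/^#  -o/  -o/' "$demo/stock.cf" > "$demo/full.cf"

for f in stock partial full; do
    echo "$f: $(smtps_status "$demo/$f.cf")"
done
```

Run it against /etc/postfix/master.cf after the edit and before `postfix reload`; anything other than `ok` means part of the stanza is still commented out.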
tags: server | tips
They Never Use SSL?
Thu, 25.03.10
OS X Server just makes me want to smoke crack sometimes. Dealing with SSL certs is one of those cases. At first, everything is peachy:
- Create your self-signed cert in Server Admin, sans passphrase
- Have it signed by a Certificate Authority
- Import the signed cert, verify that all works.
Great. Now you want to install Rumpus and the WFM and use SSL for that too. First, let's try to just paste the PEM file:
# cat /etc/certificates/mycert.key.pem
-----BEGIN RSA PRIVATE KEY-----
<OUTPUT REMOVED FOR BREVITY>
-----END RSA PRIVATE KEY-----
Paste that into stunnel... and:
Mar 25 18:50:17 mail [0x0-0x24024].com.maxum.rumpus[3144]: 2010.03.25 18:50:17 LOG3[3704:2694202624]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
Mar 25 18:50:17 mail [0x0-0x24024].com.maxum.rumpus[3144]: 2010.03.25 18:50:17 LOG3[3704:2694202624]: error stack: 906A068 : error:0906A068:PEM routines:PEM_do_header:bad password read
Mar 25 18:50:17 mail [0x0-0x24024].com.maxum.rumpus[3144]: 2010.03.25 18:50:17 LOG3[3704:2694202624]: SSL_CTX_use_RSAPrivateKey_file: 906406D: error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
Yeww. Hmm. Looks like I have to strip the passphrase. Weird, I didn't give one, but... mmkay, no biggie:
# openssl rsa -in /etc/certificates/mycert.key.pem -out mykey.nopass.key
Enter pass phrase for /etc/certificates/mycert.key.pem:<enter>
3808:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Enter pass phrase for /etc/certificates/mycert.key.pem:<enter>
3808:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Enter pass phrase for /etc/certificates/mycert.key.pem:<enter>
3808:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Well, like I said - THERE IS NO PASSPHRASE!!!
Wait, 10.6 put something in the System Keychain... ah, there it is. Maybe I should export the key from there. Launch KA, select the key, File > Export, and:
Wtf? No, wait, "it was a bug, Dave". Keychain Access doesn't have permissions to export anything from the System keychain. Ah, yes, I remember now:
$ sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access
... export the key and. Ah, thank you!
Ok, that was weird... But wait a minute - this is PKCS format, I can't use this! Back to Terminal:
$ openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes
Enter Import Password:<enter>
MAC verified OK
And finally I have something to use with Rumpus.
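The `bad password read` error above is what OpenSSL reports when a PEM key is encrypted and no passphrase is supplied, and the PEM headers show that without decrypting anything. As an added example (not from the original post), this check classifies a key file by its headers and flags an unencrypted key that group or others can read, which is the state `-nodes` leaves behind under a default umask; function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a PEM key file before
# handing it to stunnel. Only headers and file mode are read.

# pem_key_state FILE -> prints encrypted | plain | nokey
pem_key_state() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted            # PKCS#8 encrypted key
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted            # traditional PEM key with a passphrase
    elif grep -Eq -e '-----BEGIN ((RSA|EC|DSA) )?PRIVATE KEY-----' "$1"; then
        echo plain                # loads without a passphrase prompt
    else
        echo nokey                # certificate only, or not a PEM key
    fi
}

# key_mode_ok FILE -> succeeds only if group and others have no access
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_key FILE -> one-line verdict combining both checks
audit_key() {
    state=$(pem_key_state "$1")
    if [ "$state" = plain ] && ! key_mode_ok "$1"; then
        echo "plain, readable by group/others: chmod 600"
    else
        echo "$state"
    fi
}

# Constructed samples: real headers, placeholder bodies.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo/encrypted.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo/plain.pem"
chmod 644 "$demo/plain.pem"

for f in "$demo"/*.pem; do
    echo "$(basename "$f"): $(audit_key "$f")"
done
```

Running the `openssl pkcs12 ... -nodes` export under `umask 077` keeps the resulting file out of the second category from the start.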
If 10.6 Server is "simpler than ever" then I can't wait for 10.7! How the hell is a "typical" OS X Server admin (a graphic designer who shares his time between the Wacom and the server closet) supposed to know all this crap? This is exactly the kind of setup a typical design firm would run - 10.6 for collaboration, file sharing and backup and Rumpus for client access.
... I guess they just never use SSL.
tags: server | bugs