One silly feature omission in Apple Remote Desktop is the lack of a “Open SSH connection” command. To be able to open a Terminal window with a connection to the currently selected machine. Luckily we can create this ourselves pretty easily: applescript tell application "Remote Desktop" set theIp to Internet address of selection set defaultUser to current user of selection set theUser to text returned of (display dialog "" default answer defaultUser) tell application "Terminal" activate do script "ssh -l " & quoted form of theUser & " " & theIp end tell end tell Save that as a script with AppleScript Editor named “Open SSH connection” under ~/Library/Scripts/Applications/Remote Desktop and now you have way to do just that straight from the menu bar.

This still cracks me up when I see it: this makes it much more useful. Thanks to Robbie for the hint!

One of the cool things about starting a business is that you don’t have any money. This forces you to find creative solutions to problems you might otherwise just throw money at. For instance, we needed a server to host all our ASR images, to do NetBoot and Software Update and perhaps one day to run somekind of preinstallation system. The one server we already had, a Mac mini was set to to email, calendaring and collaboration services so we didn’t want to overburden it.

One of the weirdest bugs I have ever come across. After spending hours in the network closet, systematically unplugging each device to see if it had any effect on the issue, I finally found it - it was a printer who’s Bonjour name was “Mörkö”. The problem disappeared after renaming it to “Morko”. So I filed a bug report. It turned out Apple saw this as a security issue and so they took it very seriously and I’m happy to report that it’s been resolved in 10.

Kannel is a great platform for all things mobile. We use the SMS gateway feature with our service management system to notify customers when their machines are ready for pickup. All you basically need is a mobile phone which you can connect to your Mac via USB and Kannel. Surprisingly, it’s not available through MacPorts or Fink and compiling it from source has been rather tricky in the past. Through some experimentation I found that the CVS version works better on 10.

First off, beware - there are two documents on apple.com, both titled “RAID Utility User Guide - Instructions for setting up RAID volumes on a computer with a Mac Pro RAID Card or Xserve RAID Card” (here and here. The first was created in 2007, the second in 2009. I would assume the latter is more relevant. On page 10 of that document we find the following statement: Expanding a Volume

Data

Dear TV,

There’s a bug in iCal that in some situations will show every name twice when adding attendees to an event. Adding one of them will always give an error (the oh-so-not-helpful tiny exclamation mark next to the name). iCal will still add that “ghost”, but the invitation will obviously never be sent. At first this looked a bit like the proxy bug, but since this isn’t about delegates, but actual user accounts (and since running proxyclean didn’t find any errors) I turned my attention to Open Directory.

If your organisation uses Nokia phones, then by default, a stock 10.6 mail server will be pretty much useless. Even with some fairly recent hardware (E72), the phones won’t be able to send or receive any mail. Here’s how to make it work: Enable PLAIN authentication for IMAP, POP and SMTP. This isn’t such a big issue if you’re using SSL. Some Nokia’s might actually do CRAM-MD5 off the bat, but sooner or later you will run into a user who can’t log in.

OS X Server just makes me want to smoke crack sometimes. Dealing with SSL certs is one of those cases. At first, everything is peachy: Create your self-signed cert in Server Admin, sans passphrase Have it signed by a Certificate Authority Import the signed cert, verify that all works. Great. Now you want to install Rumpus and the WFM and use SSL for that too. First, let’s try to just paste the PEM file:

R&D at mcare It’s the third startup I’ve been involved in, but this one is very different. This one will actually fly. After a month and a half, we know it can. The biggest difference is that for the first time, we have actual employees and the company is our only source of income. This not only motivates you, but also allows you to focus much better. I’ll probably age six years this year, but I must say, even when things are really tough, and with some weeks constantly re-defining the meaning of mental anguish, there are moments when I feel truly happy.

Each week

ini_set(‘auto_detect_line_endings’, TRUE);

Keychain Access went into a weird “trance”-like state today when I tried to import a Cisco VPN certificate: Your browser doesn't support HTML5 video. Here is a link to the video instead. It’s like it’s afraid of the impending Force Quit that happened shortly after.

I (and every other sysadmin who’s had to deal with this) often bash Adobe for creating “enterprise-unfriendly” installers but when you think about it, Apple is just as bad with Final Cut Studio (i.e. “their Creative Suite”). It may come as a pkg but that doesn’t mean you can automate the installation any better. The main reason seams to be that FCS packages refer to each disc using a x-disc URL scheme which installer seems to ignore.

Just in case someone else needs this - here’s one, fairly elegant and succinct way to validate Finnish SSN’s, in JavaScript: /** * Check Finnish social security number * @return true if correct, false if incorrect, -1 if malformed */ function checkSsn(ssn) { ssn = ssn.toLowerCase(); m = ssn.match(/(\d{6})-(\d{3})(\w){1}/); if (!m) { return -1; } c = Array(); base = 35; n = parseInt(m[1] + m[2], 10) % 31; for (i = 0; i < base; i++) { e = parseInt(i, 10).

Yeah, that’s what I thought too. This happens every time I tried to create a NetRestore image using Apple’s System Image Utility. Clicking “OK” just brings the same dialog back after some time. This reminds me of how a customer brought me his PowerBook with the classic “Document was not saved” dialog in Excel 2004, with only one button - “OK”. “No, it’s not OK”, he said. :-)

If you ever find yourself being unable to re-install Final Cut Server.app, then open/Applications/Utilities/Java Preferences > Network and click on the “Delete Files…” button and re-download. I ran into this after deleting the 1.5.1 shortcut from the Desktop. Going to the .app download page just opened the .jnlp launching the app, but the shortcut was gone. Command-clicking the app in the dock just selected the java executable. This trick forces the client to re-download and also create the .

I was cleaning up log files on our web server and noticed I was getting quite a few hits on the script that acts as the backend for the IMDB widget that me and Martin created. Then I tried using it and noticed there were some parse errors with weird numbered lists showing up after a search result. I guess IMDB had tweaked their layout again. Anyways, the script’s been fixed now.

This might actually be in the new documentation, I haven’t checked, but when you rsync your SUS catalog to another volume and set it to use it, you will see a similar error in the logs: Symbolic link not allowed or link target not accessible /Volumes/data/SoftwareUpdate/html/index.sucatalog This will probably only happen if you remove the original swupd datastore. The fix is to clear out all the index files: serveradmin stop softwareupdate rm -rf /Volumes/data/SoftwareUpdate/html/index* serveradmin start softwareupdate IIRC, this wasn’t necessary in 10.

BatchDMG is a handy utility for times when you have to image large collections of disks (like installation media etc). Just run it (as root, to avoid an authentication dialog) and start feeding your machine with media. The imaging starts automatically when a volume is mounted. Should also work with multiple DVD drives. The images are bzip compressed (UDBZ, need 10.4 or later to open) and are named after the volume name.

MediaRelay is a little Python tool I wrote that transfers new items from one FTP server to another. It can be useful when combined with a timer or possibly a folder action. To use it, just modify config.yaml. Multiple sources and destinations can be defined under their own “name”. Anonymous connections haven’t been tested, but should be in the form “:@server/path”. $ python relay.py -- checking default <- getting Untitled_2.wmv -> sending Untitled_2.

Some weeks ago Jussi asked about how to go about intagrating a forum with one’s WikiServer. I thought this was a brilliant idea - a forum is actually much more useful for many environments than a blog or even a wiki. I think the concept of collaborative editing is quite foreign for the majority of existing companies and blogs are very often just silly. A discussion however is something that everyone is used to with email and group addresses yet everyone knows how painful it is to create “workgroups” - a group of people working on the same thing - which is exactly what a discussion group/forum is meant for.

In my experience the thing that Mail users have the most problems with (even before the confusion about how IMAP folders are organized compared to Outlook) is how it handles attachments. Or rather how incompatible the default behaviour is with a lot of Outlook clients out there. A couple of preferences that I’ve found improve things quite a bit are: defaults write com.apple.com SendWindowsFriendlyAttachments -bool Yes defaults write com.apple.com AttachAtEnd -bool Yes It’s the second one, disabling inline attachments, that really makes a difference.

There’s a small bug in the Mail migration script (/System/Library/ServerSetup/MigrationExtras/65_mail_migrator.pl) if your mail server also happens to be an OD replica. Namely it tries to set the correct ownership of mailboxes right after the upgrade but the binding has not been set up at that point yet. Come to think of it, this should happen to non-OD-master mail server, but I’m not sure. The point is, chown will not be able to set the permissions since it won’t have any idea of who those users actually are, so after upgrading and re-binding, one should do something like this (as root):

Here’s a totally unscientific and potentially extremely flawed tool for measuring IO performance. It grew out of the frustration of not being able to at least roughly estimate and compare the performance of different disks when dealing with different file sizes. Most benchmarking tools out there seem to focus on large files, but for mail and iCal servers this information is basically useless. So I hacked together this thing in like 10 minutes.

I finally figured out why I was never able to create matching encrypted passwords for my PHP apps from the command line. For instance: $ echo abc | shasum 03cfd743661f07975fa2f1220c5194cbaff48451 - $ php -r 'echo sha1("abc");' a9993e364706816aba3e25717850c26c9cd0d89d Not quite the same. The reason is of course totally obvious, just not visible - echo puts a newline after everything by default, so instead of the previous, one should use: $ echo -n abc | shasum a9993e364706816aba3e25717850c26c9cd0d89d - Duh.

Python pros: * Comes with built-in documentation * Named parameters * Threads * PyObjc, AppScript * plistlib Python cons: * No bundled imaging library * No SOAP * Inconsistent support (2.3 on 10.4) * mod_python not very widespread PHP cons: * No threads PHP pros: * Documentation comes with plenty of examples * PHP Function Index * mod_php * Can use backticks to call external tools Django: Mac running Mac vs Mac running Linux (Python)

10.5 came bundled with PyObjC, but in 10.6 it’s actually usable since we now have Python 2.6.1 (with “batteries included”). This makes Python more and more the language of choice for your everyday Cocoa hacking needs. One of the problems you’ll run into quite early on is accessing the Keychain which is still firmly in Carbon aka procedural C land. Maybe the PyObjC bridge also allows calling C stuff, I don’t know, but lucky for us, we don’t have to.

SOUP (SOftware UPdate) Kitchen is a little web front end I wrote for Software Update Server (SUS). It allows you to download individual packages from the server which can be really handy in some situations. The obligatory screenshot: There’s a number of things I would like to do with it, like have proper version strings displayed for starters. All the metadata on the SUS could also be linked to the packages so that one could get pretty detailed information on what a package actually installs.

I saw a server (build 9L34) with an odd TeamsServer (wikid) problem. Users could log in correctly, but every time they tried to write to the wiki a login dialog would pop up and the popup would only accept an admin’s credentials. This entry would just show up in /Library/Logs/wikid/error_log: [WebDAVProtocol,client] "[Failure instance: Traceback: <class 'zanshin.http.HTTPError'>: <<class 'zanshin.http.HTTPError'> (404) Not Found>\n/usr/share/caldavd/lib/python/twisted/internet/defer.py:304:_s tartRunCallbacks\n/usr/share/caldavd/lib/python/twisted/internet/defer.py:317:_runCallbacks\n/usr/share/caldavd/li b/python/twisted/internet/defer.py:239:callback\n/usr/share/caldavd/lib/python/twisted/internet/defer.py:304:_star tRunCallbacks\n--- <exception caught here> ---\n/usr/share/caldavd/lib/python/twisted/internet/defer.py:317:_runCa llbacks\n/usr/share/wikid/lib/python/apple_calendar/CalendarReportUtilities.py:135:handleReportResponse\n]" with a sprinkle of these here and there:

I’ve updated my little password generator with a web interface. I think this makes this thing much more useful and usable. Other improvements include defaulting the wordlist to /usr/share/dict/web2 which means you can run your scripts against it without any arguments and still get something out of it: > curl http://unflyingobject.com/passgen/passgen.php Prop3ll4 Ph4rm4Co HydroPlu Th4Lth4n Supr4oRb Sc4bB3D M3roG3n1 !ROQUO1S HYPOTH3C If you want to use Webster’s from the web interface, just leave the URL field blank.

Just a little something I needed for work - a simple and consistent way to set the desktop backround of a server. Specs were simple - should be a solid color, with the same resolution as my display and should have some way to help me identify the host in question (like the DNS name or any arbitrary text). So I wrote Desklabel. The interface is so straight-forward that it doesn’t make any sense to waste time explaining it.

ERROR: I could not determine the capabilities for Sieve Mail Filtering. Perhaps connectivity with ManageSieve server (if backend=Managesieve) is bad?

Just recieved one of the weirdest/cutest spam messages ever: The text says something like “I need spam right away!” in Russian. Oh, and that fancy zoom effect is FancyZoom

This is kind of weird, but maybe somewhat useful some day. Looking for a quick way to test out PHP code, I ended up writing a small PHP “shell” (i.e. like IRB): It comes with some useful shortcuts: e() print’s anything to the screen, including arrays (through print_r()) man() prints the entire manual page of a function. This requires that you have PHP Function Index installed. fi() opens a command in PHP Function Index d() reads stuff from the defaults database Entering a function name without the paranthesis gives a short 20 line explanation of the command from the manual There are some limitations - it requires PHP with readline support (which MAMP doesn’t have, not to mention Apple’s stock PHP) and links to render the HTML pages.

A while back I got really frustrated with the belly dance one has to go through to get vacation messages going on OS X server. And even after that you have to leave your users with Squirrelmail as the UI which get’s impossibly slow if they have a lot of messages in their inbox. So the idea was to write a full-blown Sieve script GUI, which would also allow for easy OOF message creation.

Well, as excited as I was about running this blog from text files, I used a few hours today to created a “proper” admin interface for it as well as move the contents to SQLlite (which, btw is a totally kickass project). Perhaps the biggest new “feature” is that the search field actually works now. It gave results before (using grep, no less!), but was unable to link to the actual stories because the files had no notion of what the story ID’s were.

In case you’ve ever wondered why your launchd scripts are not sending mail (even though they seem to be running), it’s probably because of a silly incompativiliy between launchd and mail, described in more detail here. To work around this, always include the following in your job’s plist: <key>AbandonProcessGroup</key> <true/> and then just reload the plist. I find myself doing that quite often, so this Bash alias helps cut down on typing:

Has your OD master began to run really slow, with DirectoryService taking over 100% of your CPU? Running iCal server on the same machine? Deleted any accounts recently? Then you might be bitten by the same bug I finally figured out, thanks to the AFP548 forum. When you delete a user, the delegates are not deleted, which, depending on the number of delegates you have (we have quite a few as all group members are set as RW delegates for the group account in addition to personal delegations), puts a tremendous burden on DirectoryService as caldavd pounds it with questions it doesn’t know how to answer, ala:

Shell scripting is awesome, but there are situations where it just won’t help you. Like when you’re supposed to save the full-res icon of any file as a PNG image. Luckily it’s quite easy with a bit of ObjC. This is what I threw together for this particular problem: # GeIcon.m # Save icon of given path as a PNG image #import <AppKit/AppKit.h> int main (int argc, const char * argv[]) { if (argc < 2) { printf("Usage: GetIcon input output"); return 1; } NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init]; NSString *imgPath = [NSString stringWithCString:argv[1]]; NSString *outPath = [NSString stringWithCString:argv[2]]; NSWorkspace *ws = [NSWorkspace sharedWorkspace]; NSImage *img = [ws iconForFile:imgPath]; NSData *data = [img TIFFRepresentation]; NSBitmapImageRep *bits = [NSBitmapImageRep imageRepWithData:data]; NSData *imgData = [bits representationUsingType:NSPNGFileType properties:nil]; [imgData writeToFile:outPath atomically:NO]; [pool drain]; return 0; } If anyone know how to do this using shell tools, please let me know.

I needed a reliable way to find out a user’s default email client. After being fed up with monkey around with launchservice defaults and awk, I turned to XCode, and wrote this Foundation tool: # GetHelper.m # Return the helper app for a URL scheme #import <Foundation/Foundation.h> int main (int argc, const char * argv[]) { if (argc < 2) { printf("Usage: GetHelper scheme"); return 1; } NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init]; NSString * s = [NSString stringWithCString:argv[1]]; id helper; NSUserDefaults * defaults = [NSUserDefaults standardUserDefaults]; [defaults addSuiteNamed:@"com.

Something for people who use PHP for Mac OS stuff - a class wrapper for Theo Hultberg’s nice PLIST parsing implementation. Usage example: include "plist.php"; $plist = new PropertyList("/Users/filipp/Music/iTunes/iTunes Music Library.xml"); $array = $plist->toArray(); echo count($array['Tracks']); 6670 Great for building reports from System Profiler dumps and all sorts of cool stuff. Download here.

A customer was having problems with server-side Spotlight searching in Finder giving inaccurate results - basically using a partial file name would give less results than using the whole name. When rebuilding the index didn’t help I began to study this problem closely… … which lead me to the discovery of yet another “undocumented (bad) feature” in Finder and more importantly, Spotlight. When you use the built-in search field, the search term is not “any name that contains this” or even “any name that starts with this”, but rather “any *word within a name* that contains this”.

Diskspacemonitor is a nice feature and something I try to remember to activate on all servers I manage, but unfortunately it’s missing the ability to choose which volumes you actually want to monitor. So whenever someone sticks a CD in or mounts a disc image, your helpdesk inbox will be flooded with messages, every 10 seconds. I looked into it and could’t find any hidden variable to change this, but being a nicely written shell script, diskspacemonitor is easy to customize.

SmartSieve is something one can use to set up server-based mail filtering, including vacation messages. It has a nice feature which enables it to fetch any list of email addresses for a user account. The default hook for this uses LDAP, but unfortunately does not work with OS X server. Here’s a modified get_email_addrsesses_hook that works on both 10.4 and 10.5: function getEmailAddresses() { $server = 'localhost'; $baseDn = 'cn=users,dc=pretendco,dc=com'; $addresses = array(); if (extension_loaded('ldap')) { $ds = ldap_connect($server); // To avoid protocol error ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); if ($ds) { // Anonymous bind.

HansaWorld Enterprise is probably the most used enterprise-level business software for the Mac in Europe (maybe because it’s the only one). It’s been around for ages and so has picked up a bit of cruft along the way (I hear there’s a native Cocoa port in the works, but we’ll see). This means that when it works, it works, but when it starts to crash, you’re options are to try what little tricks you may know yourself, pay an insane amount of money to have some guy look at it, or just restart it.