Mac – Umask & You!

I recently came across a situation where I had to set up a shared folder on an AIX filesystem. Usually I would use ACLs to set up permission inheritance, but there is no ACL support for Mac OS X on an AIX filesystem. So I had to resort to changing the users’ umask.

There are several places where you can specify a umask. There can be different umasks for:

  • Applications (EX: Finder, TextEdit, etc…)
  • Terminal sessions (EX: SSH)
  • System processes
  • LaunchDaemons & LaunchAgents

For most cases you would only need to specify a umask for applications and terminal sessions. However, I’ll cover all after the jump.


Mac – iMac 1TB Seagate Hard Drive Replacement Utility Check

The title of this post just rolls off the tongue.

I wrote a Ruby CLI utility that can batch check iMac serial numbers for their eligibility into the 1 TB Seagate HDD replacement program. The utility takes either an Excel sheet (xlsx, or xls), or a txt file as an argument. If you’re using an Excel sheet you’ll first need to:

  • Install the roo RubyGem:

sudo gem update --system
sudo gem install roo

  • Format your spreadsheet properly:
    • Serial numbers need to be in column A and start on row 2.
    • Anything can be in column B but it would be best if it’s something identifiable such as hostnames, or IP addresses.

If you’re using a txt file then you only need to make sure it contains one column of serial numbers. You can grab a copy of the utility from my Github page:

https://github.com/Ginja/Admin_Scripts/blob/master/iMac_Warranty_Check.rb

If you run into any problems or have any questions please let me know! I hope it helps.

Mac/Windows – Dynamic DNS

I once had to deal with Macs that weren’t properly updating their DNS A and PTR records. As a result, some Macs were getting the wrong hostname, and that was causing issues with the Active Directory plug-in. At the time DNS was located on a Windows Domain Controller, and DHCP was coming from a Cisco router. I fixed the problem by handing the DHCP responsibility to the DC and configuring it to update DNS A and PTR records on behalf of the clients. If you’re in a similar situation and can have a Windows server handle DHCP, the options needed to configure this are in the properties of the DHCP scope, under the DNS tab:

  • Tick “Enable DNS dynamic updates according to the settings below:”
    • Always dynamically update DNS A and PTR records
  • Tick “Discard A and PTR records when lease is deleted”
  • Tick “Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)”

Once this is done you may want to consider purging the current DNS A and PTR records for the DHCP range so that you’re starting fresh.

Mac – Obtaining A Kerberos TGT On SSH Login

You’re bound to Active Directory and get a Kerberos TGT on a GUI login. Great, right? Well, what if you also wanted to get one automatically when you authenticate via SSH? It’s actually pretty easy to do, assuming of course that you can successfully get one using kinit, and that you’re using 10.6 or later (10.5 and below do not have the required PAM module). The ticket was (sorry, couldn’t resist) editing the /etc/pam.d/sshd file, and more specifically changing the following line:

auth       optional       pam_krb5.so use_kcminit

to

auth       optional       pam_krb5.so default_principal

There should be no need to restart. If all went well, the next time you log in via SSH you should receive a TGT. You can view Kerberos credentials by using the klist command. If you’re only bound to Open Directory and have everything set up correctly, you shouldn’t need to do this, as the pam_krb5 module, by default, tries to obtain the principal from the user’s Open Directory record. By specifying the default_principal option you tell the module to construct the principal from the authenticating user’s username. Let me know in the comments if this worked for you or if you have any questions!

Special thanks to my co-worker who helped me discover this.
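
The edit described above, scripted with a backup and a check of the result. This is an added example, not part of the original post; the function names and the sample file are constructed, and on a real Mac the target would be /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed.

# Print the options on the active (uncommented) pam_krb5 auth line;
# exit status 2 if the file has no such line.
krb5_auth_options() {
    awk '$1 == "auth" && $3 == "pam_krb5.so" {
             $1 = $2 = $3 = ""; sub(/^ +/, ""); print; found = 1; exit
         }
         END { exit (found ? 0 : 2) }' "$1"
}

# Swap use_kcminit for default_principal on that line.
# Returns 0 if set (or already set), 2 if there is no pam_krb5 auth
# line, 3 if the line lacks use_kcminit (file left untouched for review).
set_default_principal() {
    file=$1
    opts=$(krb5_auth_options "$file") || return 2
    case " $opts " in
        *" default_principal "*) return 0 ;;   # already done, change nothing
        *" use_kcminit "*) ;;
        *) return 3 ;;
    esac
    tmp=$(mktemp) || return 1
    sed -E '/^auth[[:space:]]+[^[:space:]]+[[:space:]]+pam_krb5\.so[[:space:]]/ s/use_kcminit/default_principal/' \
        "$file" > "$tmp" &&
        cp -p "$file" "$file.bak" &&   # copy to roll back to if logins break
        cat "$tmp" > "$file"           # overwrite in place, keeping mode and owner
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed file standing in for /etc/pam.d/sshd.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample
auth       optional       pam_krb5.so use_kcminit
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
EOF
set_default_principal "$demo"
echo "pam_krb5 options now: $(krb5_auth_options "$demo")"
```

Running it a second time changes nothing, and the .bak copy keeps the original line so the change can be reverted from an existing session.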

Linux/Mac – Have Margarita Startup Automatically On Boot

A little introduction.

Greg Neagle put together a wonderful third party Apple Software Update Service (SUS) called Reposado. In short, the top three greatest features Reposado offers are the ability to create separate update branches, the ability to offer deprecated updates, and it does not need to be run on Mac OS X hardware.

Reposado is great and if you’re using Apple’s SUS solution I recommend you switch. Reposado does have one drawback though: it’s command line only. While that isn’t a problem for most administrators, there may be times when you want someone else, who doesn’t feel comfortable at the command line, to manage updates. Or, perhaps you want the convenience and speed of a GUI. Jesse Peterson filled this void with Margarita, a web front end for Reposado that also runs on Mac or Linux.

We run Reposado on a Red Hat Enterprise Linux (RHEL) 6 server, and I recently installed and configured Margarita in case someone else needed an easy way to add an update to a branch. The only unfortunate part about Margarita on Linux is that it doesn’t start up automatically. If you plan to use Reposado and Margarita on a Mac, Jesse has a launchd task to accomplish this.

After the jump, I’ll explain how to install the Margarita startup script I wrote for our RHEL 6 server.
