Joey's COD Blog
College of Design IT Issues

20080407 Monday April 07, 2008
OS X Server Permissions Not Propagating

I hate to have to say this, but I am very disappointed with OS 10.5 server thus far. I've had major issues with getting permissions to propagate correctly. I'm normally pleased with all Apple products, and have had wonderful experiences with 10.5 client, but server should have simmered a little longer on the burner.

The issue seems to be POSIX permissions overwriting ACLs or just that ACLs aren't working at all. I've had several reports of people losing access to their files and after checking permissions, it appears that standard POSIX permissions are propagating over the ACLs, no matter what I have set for inheritance.

I contacted Apple, who said the only real solution was to reformat my server, to which I said NO. I'm not taking a production server down in the middle of a semester unless absolutely necessary.

Finally, after some searching, I came across an old hint from 2003 on macosxhints.com, found here:

http://discussions.apple.com/thread.jspa?messageID=6993381

Basically, it requires setting a cron job to run at a set interval of your choosing to set group permissions to read and write. The process for doing that is:

  1. Open Terminal
  2. Type: sudo pico /etc/crontab
  3. Enter your password
  4. Set the following script:
    */10 * * * * root /bin/chmod -R gu+rw /path/to/share

I set my script to run every 10 minutes with the */10 at the start of the script.

WARNING - this will most likely slow down your server depending on how much data you have on your share(s), so be prepared for slowness complaints. For now, it seems, it's either this or go back to propagating permissions every day.
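
A lighter variant of the cron workaround above, as an added example that is not part of the original post: instead of re-running chmod -R over the whole share, it changes only entries that are missing user or group read/write, and it skips symlinks. The function names and the script path in the crontab comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. fix_share_perms, needs_fix and
# the script path in the crontab line below are hypothetical names.
#
# /etc/crontab entry, same 10-minute schedule as the post:
#   */10 * * * * root /usr/local/sbin/fix_share_perms.sh /path/to/share

# List entries under $1 that lack any of the user/group read/write bits (0660).
needs_fix() {
    find "$1" ! -type l ! -perm -0660 -print
}

# chmod only what needs it and print how many entries were changed.
# Symlinks are excluded: chmod follows a symlink named on its command line,
# and this job runs as root.
fix_share_perms() {
    share=$1
    if [ ! -d "$share" ] || [ -L "$share" ]; then
        echo "fix_share_perms: not a real directory: $share" >&2
        return 1
    fi
    # -exec ... \; is true only when chmod succeeded, so -print emits exactly
    # the entries that were changed (one per line; a name containing a
    # newline would inflate the count but not affect the chmod).
    find "$share" ! -type l ! -perm -0660 -exec chmod gu+rw {} \; -print |
        wc -l | tr -d ' '
}

# Run against the share given on the command line, if any.
if [ "$#" -gt 0 ]; then
    fix_share_perms "$1"
fi
```

On a share where most files already have the right bits, each run is a directory walk with few or no chmod calls, and the printed count shows how often permissions are actually being reset.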

Really hoping to hear something from Apple soon.
Posted by jmjenki3 ( Apr 07 2008, 04:12:05 PM EDT ) Permalink

20080327 Thursday March 27, 2008
Active Directory Conversion

I've begun to play around with the Wolftech AD environment for possible use in the Design IT labs. I've created a test OU in my office currently consisting of an OU Admin machine (Dell SX 280) and a test deployment machine (Dell Optiplex GX 280).

This summer, I plan to add an Intel Mac from the 203B upgrade after we replace the machine in 202. I will begin testing deployment with the dual boot deployment at that time.

For now, I am focusing on Group Policy setup. These settings most likely reflect the policy of the dual boot computers. My current policy is as follows:

    Under User Configuration>Administrative Templates>Start Menu and Taskbar
  • Remove user's folders from the Start Menu - Enabled
  • Remove links and access to Windows Update - Enabled
  • Remove common program groups from Start Menu - Enabled
  • Remove My Documents icon from Start Menu - Enabled
  • Remove Documents menu from Start Menu - Enabled
  • Remove programs on Settings menu - Enabled
  • Remove Network Connections from Start Menu - Enabled
  • Remove Favorites menu from Start Menu - Enabled
  • Remove Search menu from Start Menu - Enabled
  • Remove Help menu from Start Menu - Not configured
  • Remove Run menu from Start Menu - Enabled
  • Remove My Pictures icon from Start Menu - Enabled
  • Remove My Music icon from Start Menu - Enabled
  • Remove My Network Places icon from Start Menu - Enabled
  • Add Logoff to the Start Menu - Disabled
  • Remove Logoff on the Start Menu - Enabled
  • Remove and prevent access to the Shut Down command - Not configured
  • Remove Drag-and-drop context menus on the Start Menu - Enabled
  • Prevent changes to Taskbar and Start Menu Settings - Enabled
  • Remove access to the context menus for the taskbar - Enabled
  • Do not keep history of recently opened documents - Enabled
  • Clear history of recently opened documents on exit - Enabled
  • Turn off personalized menus - Enabled
  • Turn off user tracking - Enabled
  • Add "Run in Separate Memory Space" check box to Run dialog box - Disabled
  • Do not use the search-based method when resolving shell shortcuts - Enabled
  • Do not use the tracking-based method when resolving shell shortcuts - Enabled
  • Gray unavailable Windows Installer programs Start Menu shortcuts - Enabled
  • Prevent grouping of taskbar items - Not configured
  • Turn off notification area cleanup - Enabled
  • Lock the Taskbar - Enabled
  • Force classic Start Menu - Enabled
  • Remove Balloon Tips on Start Menu items - Enabled
  • Remove pinned programs list from the Start Menu - Enabled
  • Remove frequent programs list from the Start Menu - Enabled
  • Remove All Programs list from the Start menu - Enabled
  • Remove the "Undock PC" button from the Start Menu - Enabled
  • Remove user name from Start Menu - Not configured
  • Remove Clock from the system notification area - Not configured
  • Hide the notification area - Enabled
  • Do not display any custom toolbars in the taskbar - Enabled
  • Remove Set Program Access and Defaults from Start menu - Enabled

    Under User Configuration>Administrative Templates>Control Panel
  • Prohibit access to the Control Panel - Enabled

    Under User Configuration>Administrative Templates>Control Panel>Display>Desktop Theme
  • Load a specific visual style or force Windows Classic - Enabled

    Under User Configuration>Administrative Templates>System>Ctrl+Alt+Del Options
  • Remove Lock Computer - Enabled
  • Remove Change Password - Enabled
  • Remove Logoff - Enabled
Posted by jmjenki3 ( Mar 27 2008, 05:46:01 PM EDT ) Permalink
20080320 Thursday March 20, 2008
Mac OS 10.5 Dual Boot and Login/Logout Hooks
We are about to deploy dual boot iMacs in the Downtown Studio and discovered that our OS 10.4 lab kit was not working with the machines. So, we decided to deploy an OS 10.5 image that had a standard Studio login instead of the kerberized lab login.

This led me to push up my need to test the login and logout hooks for unmounting and mounting the Windows partition on login and logout respectively.

Since the official OS 10.5 lab kit isn't yet published as of the writing of this entry, I created the hooks successfully. There was one change on the logout hook.

In the 10.4 kit, on the logout hook, you have to first mount the Windows partition at logout and then call for the Bootpicker application to launch with an addition to the existing hook perl script:

# Mount Windows Partition for Design
$myerr = `diskutil mount disk0s3`;
$myerr = `/Applications/Utilities/BootPicker.app/Contents/MacOS/BootPicker`;

Under 10.5, all I had to do was mount the windows partition with the script:

#!/bin/sh

diskutil mount disk0s3

Then I saved the script as LogoutHook to /private/etc/hooks and sent the following commands through the Terminal.app:

sudo chmod +x /private/etc/hooks/LogoutHook (to make the script executable)

sudo defaults write com.apple.loginwindow LogoutHook /private/etc/hooks/LogoutHook

After that, upon Logout, Bootpicker automatically launches. I'm hoping this means that something was updated with Bootpicker for 10.5.
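
loginwindow runs login and logout hooks as root, so the hook file and its directory should not be writable by anyone else. A pre-deployment check for a hook such as /private/etc/hooks/LogoutHook, as an added example that is not part of the original post; audit_hook, its helpers and the optional owner-uid argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. audit_hook is a hypothetical
# helper; the second argument (expected owner uid, default 0 = root) exists
# so the check can be tried on a scratch file as a normal user.

# Print the path if it is group- or world-writable.
loose_mode() {
    find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print
}

# Numeric owner uid, taken from ls -ln (third field on BSD and GNU ls).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# audit_hook PATH [UID]: return 0 if the hook is safe to register, else
# print the first problem found and return 1.
audit_hook() {
    hook=$1
    want=${2:-0}
    dir=$(dirname "$hook")
    if [ -L "$hook" ] || [ ! -f "$hook" ]; then
        echo "$hook: must be a regular file, not a symlink or directory"
        return 1
    fi
    if [ ! -x "$hook" ]; then
        echo "$hook: not executable (chmod +x)"
        return 1
    fi
    # The directory matters too: whoever can write to it can replace the hook.
    for p in "$hook" "$dir"; do
        if [ "$(owner_uid "$p")" != "$want" ]; then
            echo "$p: owner uid is $(owner_uid "$p"), expected $want"
            return 1
        fi
        if [ -n "$(loose_mode "$p")" ]; then
            echo "$p: writable by group or others"
            return 1
        fi
    done
    echo "$hook: ok"
}

# Run against the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_hook "$@"
fi
```

The regular-file test also catches a LogoutHook value that names the hooks directory rather than the script inside it.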
Posted by jmjenki3 ( Mar 20 2008, 12:24:06 PM EDT ) Permalink
20070815 Wednesday August 15, 2007
Dual Boot Lab Kit Project - Finishing Touches
Thanks go out to Tom Farwig for this one. As I have mentioned previously, the one thing with deploying the Windows Lab Kit on the Macs has been downloading the Novell Client and then logging in as WolfPrep to start the process. The problem was that the WolfPrep process would freeze after the first login and I would manually have to restart each machine. No longer. Thanks to this tip, as part of my sysprep process, I can set a post sysprep command to run which calls the WolfPrep.cmd file and does a fully scripted install. No more restarting manually.

Remember, instructions on how to sysprep a machine (including how to set up a post install command) can be found here.
Posted by jmjenki3 ( Aug 15 2007, 06:11:45 PM EDT ) Permalink
20070802 Thursday August 02, 2007
Combo Lab Kit Project - Windows Partition Unmount Solution
Well, after a lot of work and a very late night talking with Everette at ITD, it has been determined that the best way to proceed for unmounting the Windows Partition is through a login hook. Yes, this will likely go away with 10.5, but we are going to stick with 10.4 for a while and the capability is there with launch agents, but it will need some tweaking. I plan to continue investigating launch agents, but for now will stick with login and logout hooks.

One thing of note is that you can't implement the hook recommended by bombich.com with the NCSU Mac Lab Kit, or with any Mac that already has login and logout hooks implemented. To unmount the Windows partition at login put this line at the end of the login.hook file just above the "exit 0;" line:

#Unmount windows volume for Design
$myerr = `diskutil unmount force disk0s3`;

Replace "disk0s3" with whatever your Windows volume is called.

To remount the volume and relaunch Bootpicker at logout, put the following in the logout.hook just above the "exit 0;" line:

# Mount Windows Partition for Design
$myerr = `diskutil mount disk0s3`;
$myerr = `/Applications/Utilities/BootPicker.app/Contents/MacOS/BootPicker`;

I've had four machines, three in a public lab and one in our equipment checkout office, running for a while now with no problems. The next problem I face is getting a WSUS server up and running for our Windows side and a Software Update server running for the OS X side.

I'd also like to get netboot running on all the lab machines so I can deploy the kits with a click of the button.

Otherwise, all is well and I'm proceeding with the plan to provide Dual Boot with the new Macs for this Fall at the earliest and Spring at the latest.
Posted by jmjenki3 ( Aug 02 2007, 03:16:19 PM EDT ) Permalink
20070719 Thursday July 19, 2007
Combo Lab Kit Project - Agents, Daemons and Hooks. Oh My!
With the "death" of login and logout hooks, as well as ttys editing falling by the wayside with the move to 10.5, I've begun to investigate Launch Agents and launchd editing under OS X for use in the labs. I've mentioned Lingon before, which does an excellent job of creating Launch Agents, but I've run into a slight issue. With Lingon, you can create Users Agents and Users Daemons. Agents run as the login user and Daemons run as root.

The problem I'm having is that I have a script that unmounts the Windows partition so an intrepid user can't go snooping around through the Windows partition and do nasty things. If I run the script as a Users Agent, then on login, I get prompted for Administrative access, no surprise since I'm logged in as a non admin account. If I run the script as a Users Daemon, then the Windows partition unmounts at boot, which breaks my OS selection screen (Bootpicker).

Further, at logout, I need the computer to go back to the OS selection screen. However, since the Windows partition is unmounted, Bootpicker doesn't see it as a choice and the computer just goes back to the OS X login screen. Under Windows, I've accomplished this by remapping the logout button to restart the computer. Our OS X labkit could be made to do the same thing, but there may be other things done behind the scene at logout in the OS X labkit that I need to verify before I implement a restart at logout. I would much rather have a script that logs out the user and remounts the Windows partition or just lets it appear as part of the OS selection screen.

I'm going to head over to Bombich.com to see if I can get any advice on this.
Posted by jmjenki3 ( Jul 19 2007, 10:47:06 AM EDT ) Permalink
20070713 Friday July 13, 2007
Ditto
Found a neat little trick with OS X. I'd never had occasion to copy a whole directory through the command line until today. While restoring a server after a hard drive upgrade, I needed to copy my backups from an external disc. Drag-n-drop in the Finder would fail because of permission issues and I didn't feel like waiting for a Verify and Repair Disk Permissions. I just needed the data back on the server.

I tried running a simple sudo cp in the Terminal, but it failed because what I wanted to copy was a directory.

So, I found this hint from MacDevCenter. It is a command line utility called ditto and you can use it to restore entire directories. It has two flags that I've found to be very useful - the -V flag turns on verbose mode, so you can see what's copying and -rsrc preserves permissions and ownership. Here's the full usage:

ditto -V -rsrc /PATH-TO-SOURCE/DIRECTORY /PATH-TO-TARGET/DIRECTORY
Posted by jmjenki3 ( Jul 13 2007, 10:06:05 AM EDT ) Permalink
20070615 Friday June 15, 2007
Windows Vista and Retrospect
I upgraded my laptop to Vista yesterday and started testing some common apps. One thing I did find was that the Retrospect client does not work immediately after installation. You have to take the following three steps to make it work:
  1. Allow the program access through Windows Firewall.
    • Windows Button>Control Panel>Windows Firewall
    • Click on the Exceptions Tab
    • Click on the Add Program button
    • In the Path Field type: c:\Windows\System32\RetroClient.cpl
  2. Add TCP/UDP ports for the Firewall.
    • Windows Button>Control Panel>Windows Firewall
    • Click on the Exceptions Tab
    • Click on the Add Port button
    • Add a TCP and UDP exception for port number 497
Posted by jmjenki3 ( Jun 15 2007, 11:40:12 AM EDT ) Permalink
20070612 Tuesday June 12, 2007
Combo Lab Kit Project - Adventures In Time

After many tears and much blood, I think, I hope I have solved my dual boot time sync problem.

No matter what I was trying, my OS X time was defaulting back to four hours behind. I found this possible solution here:

OS X Solution
http://www.macosxhints.com/article.php?story=20070507030228844

Windows Solution
http://discussions.apple.com/message.jspa?messageID=2378251#2378251

Here are the steps I've taken:

  1. Disable Windows Time Service. Start>Control Panel>Date and Time
  2. Click on Internet Time tab
  3. Uncheck the box next to "Automatically synchronize with an Internet time server" and click OK.
  4. Install Tardis 2000. It's a third party time management app that runs as a service when Windows starts.
  5. Reboot into OS X
  6. Log in as labadmin
  7. Install Lingon
  8. Copy the Lingon application to your /usr/labadmin/Admin Apps folder
  9. Launch the Lingon application
  10. Click the toolbar's "Assistant" button (bow-tie icon)
  11. Make sure that "Run a job at startup" radio button is selected and click "Next"
  12. In the "Label" field, type in a name for this task, using reverse-domain naming (edu.ncsu.time)
  13. Uncheck the "Launch only when I log in" checkbox
  14. Check "Must be run as root" (this checkbox will be enabled when you un-select the one above)
  15. Click "Next"
  16. In the "Job" field, type "/usr/sbin/ntpdate -u" and click "Create"
  17. At this point, you should be prompted to authenticate as an admin user
  18. Reboot into Windows and then back to OS X to verify the time is right.
Posted by jmjenki3 ( Jun 12 2007, 02:51:03 PM EDT ) Permalink
20070611 Monday June 11, 2007
Combo Labkit Project - Timesync Issues

****UPDATE - 6/11/2007****

So, it turns out that the registry edit messed up both Operating systems. A student worker came to me and told me that the Windows OS time was ahead by 4 hours. It seems that there is no problem with the time when logged in as admin.

My next idea is try a login hook on OS X that resets the correct time. Windows seems to run on the correct time without the registry edit, so if I can get OS X to reset its time on login, this problem will be licked.

****END UPDATE****

One of our student workers found an interesting problem with our dual boot test machine. When booting into OS X after booting into Windows, the system time is offset by 4 hours. The time appears correctly in Windows.

After some research, I found a potential solution here. Here's the snippet of what I had to implement:
  1. Boot Windows
  2. Click Start --> Run and type regedit. Click OK
  3. The Windows Registry Editor should pop up. Navigate within the explorer to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  4. Click on the TimeZoneInformation "folder" from the navigation pane if you haven't already done so.
  5. This assumes the correct key doesn't exist. If it does, you will just change the existing key's value: Right click on the white space within the folder (If you don't have a right mouse button, you may need to download a program called applemouse to emulate the "control-click" of the apple 1-button mouse). Select new --> DWORD Value. Title the key "RealTimeIsUniversal" (No quotes). Set the value to "1" (No quotes again). Hexadecimal should be fine.
  6. Either reboot and set the clock in MacOS or set the clock in Windows. You should now be able to reboot into either OS and have a correct clock.
Both operating systems appear to be functioning with the correct time. I'll watch for any more oddities.

Posted by jmjenki3 ( Jun 11 2007, 11:46:50 AM EDT ) Permalink
20070605 Tuesday June 05, 2007
IT Database Revamp
Over the past three years (and beyond before I came here), The College of Design IT Department has been using Filemaker to keep track of its assets. While the current database design has been functional, it has also become a hassle to keep up to date. The current IT Database consists of three separate databases that are tied together through a series of commands and value lists that transfer data to one another.

My project is intended to bring all that data into one database, stored in different tables. I'm also hoping to include a bit more functionality that will perform some common functions like sorting and finding records, rather than having to go through the program menus in Filemaker.

The basic structure is already done and the database is functional. I'm just working on a few extra bells and whistles (such as the afore-mentioned sorting and finding records) that will make this project complete.
Posted by jmjenki3 ( Jun 05 2007, 08:53:21 AM EDT ) Permalink
20070529 Tuesday May 29, 2007
Combo Labkit Project Update
We recently learned about another bootloader program called Bootpicker. It seems to be a much better choice for our dual boot lab deployment because it addresses all of the security concerns we had about rEFIt.
  1. It locks down external device booting through OS X's firmware password, so it is no longer possible to insert an external hard drive, CD or DVD and select it as a bootable volume. You must know the machine's firmware password to boot to anything other than the Mac or Windows Volume.
  2. Bootpicker boots into an OS X shell instead of through EFI, thereby enabling remote commands to be sent to all machines via Apple Remote Desktop. This makes management of the labs much easier.
  3. It is now possible to combine Bootpicker and NetRestore to image the labs (both Mac and Windows OS's) from one central location.
We have deployed our Mac Mini beta machine with Bootpicker and are continuing to test it.
Posted by jmjenki3 ( May 29 2007, 02:03:45 PM EDT ) Permalink
20070508 Tuesday May 08, 2007
XGrid and Windows Rendering
I've been researching XGrid for OS X as a possible replacement for the College of Design Render Farm. Basically, XGrid uses a server to go out and use other computers to render jobs, just like the Render Farm did. My only problem - find a solution for the Windows users. I've found nothing as yet, but I'm starting to wonder what the feasibility would be of exporting jobs from programs like StudioTools and 3D Studio Max to Maya, which runs on OS X.

As I'm not an avid user of any of these programs, I intend to seek out faculty and students who are everyday users to test my idea. Of course, this all assumes that Maya will render under XGrid...another test to run.
Posted by jmjenki3 ( May 08 2007, 11:28:48 PM EDT ) Permalink
20070507 Monday May 07, 2007
Render Farm End of Life
As most of you may or may not know, the Render Farm will be shutting down on May 14, 2007. The machines that comprise the Render Farm are well over seven years in age and many are beginning to show their age. As such, we will be discontinuing rendering service over the summer as we investigate other possibilities.

One such possibility is XGrid, a service offered through Mac OS X. Basically, it collects unused processing cycles from available machines and creates one big rendering node. We will investigate this as a possibility over summer break and keep you posted.
Posted by jmjenki3 ( May 07 2007, 09:05:52 AM EDT ) Permalink
Combo Lab Kit Project
We are investigating the possibility of deploying dual boot Macintosh machines running Mac OS X and Windows XP. Currently, we are using a 1.83 mHz Dual Core Mac Mini as our test machine.

Setting up the machine

I used Apple's bootcamp to partition the machine under the factory install OS and then installed Windows XP. The Windows partition cannot be Wolfprepped (for more information on Wolfprep, see http://microsys.unity.ncsu.edu/wolfprep/) because part of the Wolfprep process includes creating a backup partition to reimage machines in the case of disaster recovery. This process corrupts the bootcamp setup and renders the Windows partition unusable.

Instead, I installed a base install of Windows XP and made sure all software updates were run. Next, I downloaded the Novell client and logged into the network as Wolfprep (to obtain the password for the Wolfprep user and gain access to the Wolfprep server, you must contact the ITD Help Desk).

The Imaging Process

I chose to set up the Windows lab kit first because the Mac Lab Kit has a Firmware password enabled that you have to enter every time when you choose which partition to boot at startup. Once I installed Windows through Bootcamp, I downloaded the Novell client and logged in with the Wolfprep user. This performs a modified Wolfprep install - the Application Launcher is installed and access to all applications associated with that computer is granted.

After the Windows lab kit was installed, I imaged the Mac partition with the Mac lab kit. Once the lab kit was installed, I had to find a way to deal with the Windows partition mounting on login. Although the partition mounted as read-only, there was still a security risk. Any file on the Windows partition could be read and copied, including a file containing sensitive information about system administrative access.

After talking with Apple, I was told of a login hook that would unmount the Windows partition at login. Once the login hook was tested, I had to find a way to select which OS to boot without having to input the administrative password. After some research, we learned of a bootloader program called rEFIt (homepage: http://refit.sourceforge.net/). rEFIt bypasses the firmware password when OS X boots up and allows a user to choose an Operating System.

Deployment and Security Concerns

I placed the Mac Mini in the IT Lab Checkout office for student workers to use as a private beta test. The reason we have not moved forward with a full rollout in the labs is because of a security concern with rEFIt. It is possible to boot external devices and CDs with rEFIt and there is currently no way to lock down that capability (i.e. with a password or complete disabling of external booting). Until such time as we find another solution, or the makers of rEFIt fix this problem, we will not be moving forward with a full lab deployment.

Looking Forward

We recently received the shipment of new Intel Macs for the Mac Lab updates. Joe and I are discussing designating one machine to be the public beta dual boot machine. More on this as time progresses.
Posted by jmjenki3 ( May 07 2007, 08:48:27 AM EDT ) Permalink
