From Mac Tips

Configure a Buffalo LinkStation for Active Directory

We recently started deploying Buffalo Network Attached Storage (NAS) devices on our campus to various departments that are looking for additional, non-critical storage in a relatively secure environment. Since we run Active Directory on Windows Server 2008, we chose the Buffalo drives for their ability to interface with AD. The AD bind works well for user management, but I ran into a small problem with the second drive I configured, so I thought I’d share my experience.

The AD configuration screen looks like this, and can be accessed on the drive’s web interface by clicking on Network->Workgroup/Domain:

[Screenshot: the LinkStation’s Active Directory configuration screen]

As you can see, there are several fields that need to be populated, but Buffalo’s FAQs are not very specific about what exact info needs to go in them. Here’s what worked for me:

ActiveDirectory Domain Name (NetBIOS Name) – the short, old-style NetBIOS domain name, without the .com/.net/.edu part

ActiveDirectory Domain Name (DNS/Realm Name) – the FQDN of the domain, i.e. the same thing as above but with the .com/.net/.edu part

ActiveDirectory Domain controller Name – the machine name of one of your domain controllers, without the .domain.com part (just the machine name)

Admin user and pass – Domain admin credentials without anything like domain\username

WINS Server IP Address – the IP of your WINS server (usually your PDC)

After I had all this info together, I was still getting a message about authentication failure when joining the AD. I found an article on this problem here, which pointed me to the following troubleshooting steps:

  1. Please check the internal Date/Time settings, especially the correct time zone (by default +9 hours). The timestamps of the TS and PDC can differ by at most 5 minutes; otherwise the PDC will reject the station. There is a good description of the problem caused by the “Time Difference / LDAP Error 82” located here: Troubleshooting Replication Errors, Microsoft TechNet
  2. The Primary DNS Server IP of the TeraStation network settings must be the IP address of the DNS server running on the PDC.
  3. The IP address of the Gateway shall be the real gateway/router or the domain controller. In general, 1) is the well-known reason why the Link- or TeraStation still cannot join even if the above-named things are done properly.
  4. If a WINS server is given in the ADS settings, test joining without the WINS IP.
  5. Check if there are any firewalls or antivirus programs up and running that prevent communication.
  6. If problems still exist, please do a “Reset-to-Default” of the Tera/LinkStation by initializing the unit once.

Sure enough, it was the date/time problem for me. I solved this by going into Basic settings, then choosing an NTP server on my domain, then clicking Use Local Time (I think this was what fixed it). Once the time synced up (and it didn’t really look off before I clicked the Use Local Time button), the device joined the domain with no problem and I’m off and running with AD group authentication.
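The two things that decided this join (clock skew inside the five-minute window the domain controller tolerates, and the DC name resolving through the DNS server the NAS is pointed at) can be checked from an admin workstation before the join is even attempted. The script below is an added example, not Buffalo’s or the forum article’s own tooling; it assumes ntpdate -q and nslookup are available on the workstation, the sample ntpdate line in the comment is constructed, and the domain controller and DNS server names you pass on the command line are placeholders.

```shell
#!/bin/sh
# Pre-join checks for a NAS (or any host) that is about to bind to Active Directory.
# Added example; not Buffalo's code. Host names given on the command line are placeholders.
KRB_MAX_SKEW=300   # clock-skew tolerance (seconds) the DC applies to Kerberos requests

# Pull the "offset N" field out of a line like the one `ntpdate -q DC` prints
# (constructed sample): "server 10.0.0.1, stratum 2, offset -0.317, delay 0.02"
ntp_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-+]*[0-9.]*\).*/\1/p'
}

# Return 0 when the absolute offset (seconds, may be fractional) is within tolerance.
# An empty offset means the query failed, which is treated as a failed check.
skew_ok() {
    [ -n "$1" ] || return 2
    awk -v off="$1" -v max="$KRB_MAX_SKEW" \
        'BEGIN { if (off < 0) off = -off; exit !(off <= max) }'
}

# Does the DC name resolve through the DNS server the NAS will use (step 2 above)?
dc_resolves() {
    nslookup "$1" "$2" >/dev/null 2>&1
}

# Live checks; only run on request so the functions above can be reused or tested offline.
precheck() {
    dc="$1"; dns="${2:-$1}"
    line=$(ntpdate -q "$dc" 2>/dev/null | grep offset | head -n 1)
    off=$(ntp_offset "$line")
    if skew_ok "$off"; then
        echo "time: offset ${off}s from $dc is within ${KRB_MAX_SKEW}s"
    else
        echo "time: FAIL (offset '${off:-unknown}'); fix NTP/time zone on the NAS before joining"
    fi
    if dc_resolves "$dc" "$dns"; then
        echo "dns: $dc resolves via $dns"
    else
        echo "dns: FAIL; point the NAS primary DNS at the DC's DNS server"
    fi
}

if [ "${1-}" = "--run" ]; then
    precheck "$2" "$3"
fi
```

Run it as `sh precheck.sh --run dc01.mydomain.com 10.0.0.1` (placeholder names) from a machine on the same network as the NAS; a “time: FAIL” result means adjusting the NAS clock or time zone first, exactly as in the fix described above.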

Create an AppleScript GUI to set a local Software Update server

A little while back, I blogged about the Terminal commands you can use to set a local Apple Software Update server on your client machines. Obviously, there are many advantages to this, including faster package downloads and the ability to prevent bad or undesirable updates from being installed too soon. However, in this day and age, many users have laptops or Minis that often travel away from the network on which your local server resides. For this reason, it can be helpful to have a simple program that users can run to set their update server to either Apple’s default, or your own local update box. That way, if they can’t reach your server for one reason or another (like a firewall), they can always get critical updates from Apple. Here’s the AppleScript:

-- Ask which Software Update catalog this machine should use
display dialog "Set Update Server" buttons {"Cancel", "Apple", "Local"} default button 3
if the button returned of the result is "Local" then
    -- Point Software Update at the local server (substitute your own URL)
    do shell script "defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://updateserver.mydomain.com:8088/"
else
    -- Remove the override so Software Update falls back to Apple's catalog;
    -- 'defaults delete' errors when the key is already absent, so ignore that
    try
        do shell script "defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL"
    end try
end if

Just substitute the URL of your local update server where it says http://updateserver.mydomain.com. You can test that it works by choosing your local server with your new GUI, then running Software Update. The window should read Software Update (updateserver.mydomain.com). If you set it back to the default, it should just read Software Update again.

Remotely enable VNC on OS 10.5 (Leopard) with SSH

If you find yourself needing to get remote VNC access to your Apple computer running Leopard, you can do it remotely as long as you have an SSH connection to the machine. This is especially helpful because the default configuration for Apple’s remote desktop only allows you to connect from another Mac. You need to set a generic VNC password if you want to connect via a VNC client running in Linux or Windows. Here’s how.

  1. Connect to the remote machine via SSH.
  2. Enter the following command, as all one line:
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -activate -access -on -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw [your password] -restart -agent
  3. This will set the remote Mac to allow legacy VNC connections from non-Macs and allow you to use the password you chose with the -vncpw option (note there should be no brackets around your actual password) to connect from any VNC client.
  4. I have found that often you will also need to kill the AppleVNCServer process after running this command before you can connect. Just type killall AppleVNCServer and it should let you connect. You can also find the PID through the top command, then type kill <process #>.

I originally found this solution in an Apple forum thread that has an interesting discussion about the subject.

Run UNIX commands in an AppleScript

If you want to easily encapsulate a shell script or a UNIX command in an AppleScript, but that command must be executed as root (through a sudo), just do the following (all one line):

do shell script "unix_command" password "your_password" with administrator privileges

where unix_command is the actual command you want to execute. In my case, this was to set the Sharing hostname to match the actual DNS hostname of the computer, which looked like this:

do shell script "sudo scutil --set ComputerName `hostname`" password "NoWayJose" with administrator privileges

By the way, if you do intend to set the Sharing name to the computer’s hostname, make sure to include the backticks (located under the ~ sign at the top left of most keyboards) around the word hostname, otherwise you’ll just name your computer ‘hostname’ rather than its DNS name.

It’s important to note that this a) leaves your password in the script, and b) runs silently. If you just want to be prompted for a password, add the following lines before and after your script, like this:

tell application "Terminal"
do script "sudo scutil --set ComputerName `hostname`"
end tell

This will launch Terminal, which will then prompt you for your password in order to sudo.

Disable an Open Firmware (EFI) password on an Intel Mac

Ok, so you thought it would be a good idea to secure your Mac using a firmware password, and then you forgot it. Or, alternatively, you left your machine logged in and an enterprising and mischievous co-worker set a password while you were away. In either scenario, you’re confronted with the same problem: you can’t do anything but boot normally unless you enter the password to unlock the firmware.

If you’re running Leopard, the latest release of OS X from Apple, the solution is actually quite easy. As with most Apple stuff, the firmware password seems really secure, but it’s not, since Apple has nicely built in a backdoor. Here’s what you’ll need: your computer, a Leopard install disk or original system disk, and an administrative account on the Mac you’re unlocking. Got it? Ok, let’s get started:

  1. Boot normally into Mac OS X. You should be able to do this, because you’re not changing any boot options.
  2. Insert the OS X Leopard DVD into your computer. The popup will appear asking to install OS X. Just ignore or close it.
  3. Open Terminal by going to Applications -> Utilities -> Terminal or typing ‘Terminal’ into Spotlight.
  4. Enter the following: open /Volumes/Mac\ OS\ X\ Install\ DVD/Applications
  5. In the Finder window that opens, choose Utilities and then Firmware Password Utility. Uncheck the box to set the firmware password and hit Change. Your password is now reset to blank, and you won’t be prompted to enter one when changing boot options.

Configure a Leopard client for an Apple Software Update server

To configure a Mac running OS X 10.5 (Leopard) to connect to a local Apple Software Update server, simply use the following command, where servername is the name of your local server that runs Software Update.

defaults write /Library/Preferences/com.apple.Softwareupdate CatalogURL http://servername:8088/

If you have any problems, verify that you can see the update server by accessing the following URL from the client’s web browser:

http://servername.domain.com:8088/index.sucatalog

If you don’t see an XML-type page come up, you should verify that the Software Update service is running on the server, and that port 8088 is properly configured to allow traffic on your network.
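The same CatalogURL override from the AppleScript dialog post above, plus the reachability check just described, as a command-line tool: it refuses a malformed URL (a mistyped catalog address silently sends every client to the wrong server), fetches index.sucatalog before committing the change, and reports what the client is currently set to. This is an added example, not Apple’s or the blog’s own code; it assumes curl and the defaults command are present, and the server name and port are the placeholders used in the post.

```shell
#!/bin/sh
# Manage the Software Update CatalogURL override on a Leopard client.
# Added example; not Apple's code. Server names are placeholders; 8088 is the port the post uses.
PLIST=/Library/Preferences/com.apple.SoftwareUpdate

# Accept only http(s)://host[:port]/ (trailing slash required, no path) so a typo
# cannot point clients at a bogus catalog.
valid_catalog_url() {
    printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]+)?/$'
}

# Host part of a catalog URL, e.g. updateserver.mydomain.com
catalog_host() {
    printf '%s\n' "$1" | sed 's#^http[s]*://\([^/:]*\).*#\1#'
}

# Fetch the catalog index and check it is the XML document the server should return.
catalog_reachable() {
    curl -sf --max-time 10 "${1}index.sucatalog" | head -c 512 | grep -q '<?xml'
}

set_catalog() {
    valid_catalog_url "$1" || { echo "refusing malformed URL: $1" >&2; return 1; }
    catalog_reachable "$1" || echo "warning: ${1}index.sucatalog is not reachable from here" >&2
    sudo defaults write "$PLIST" CatalogURL "$1"
    echo "Software Update now uses $(catalog_host "$1")"
}

reset_catalog() {
    # delete fails when no override is set; that is the state we want anyway
    sudo defaults delete "$PLIST" CatalogURL 2>/dev/null || true
    echo "Software Update reset to Apple's catalog"
}

show_catalog() {
    defaults read "$PLIST" CatalogURL 2>/dev/null || echo "(Apple default)"
}

case "${1-}" in
    set)   set_catalog "$2" ;;
    reset) reset_catalog ;;
    show)  show_catalog ;;
esac
```

Usage: `sh sus.sh set http://updateserver.mydomain.com:8088/`, `sh sus.sh show`, `sh sus.sh reset`. The trailing slash matters because the client appends index.sucatalog to whatever is stored, which is why the validator insists on it.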

Make an Active Directory user a local administrator in Leopard

Apple’s latest offering, OS 10.5 “Leopard” offers GUI-based integration and account management for Microsoft Active Directory that is fairly full-featured and complete. However, as tends to be the case when it comes to enterprise-level account management, Apple dropped the ball and forgot to include a very important feature: the ability to promote a domain user to local administrative status without them having to log in. You can add groups through the Directory Utility GUI, but not individual users. Why would this be important? Well, at least for me, it’s because a lot of the users I support aren’t there when I’m setting up their computer, but they’ll need to administer it down the road. Getting their password in advance is a huge security no-no in an environment where pretty much everyone has sensitive data on their machine, so how can you give a user local admin privileges before their home folder is even created? Terminal, obviously.

  1. Launch Terminal from Applications->Utilities->Terminal.
  2. Type the following command, substituting the name of your domain user in the appropriate field, surrounded by quotation marks:
    sudo dscl . -append /Groups/admin GroupMembership "new_user"

You’ll be prompted for your password, then you should see the command prompt again. If you’re not sure whether or not it worked, try promoting a domain account for which you have the password the same way and logging in. Go into System Preferences and try to unlock something. If your name appears in the username field, you’re an admin!
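A wrapper around that dscl command that checks the account actually resolves through Directory Services, skips the append if the user is already an admin (running -append twice leaves a duplicate entry), reads the group back afterwards instead of trusting the exit status, and can list the current members for an audit. This is an added example, not Apple’s or the post’s own script; the user name jdoe and the GroupMembership line in the comments are constructed sample values.

```shell
#!/bin/sh
# Idempotently add a (domain) user to the local admin group via dscl, with a read-back
# check and a listing for audit. Added example; not Apple's code. "jdoe" is a constructed name.
GROUP=/Groups/admin

# Exact-word membership test on a dscl line such as (constructed)
#   "GroupMembership: root admin jdoe"
# so that jdoe is not mistaken for jdoe2 or ajdoe.
is_member() {
    line="$1"; user="$2"
    set -- ${line#GroupMembership:}
    for m in "$@"; do
        [ "$m" = "$user" ] && return 0
    done
    return 1
}

# Current membership line from Directory Services (empty if the read fails).
admin_members() {
    dscl . -read "$GROUP" GroupMembership 2>/dev/null
}

add_admin() {
    user="$1"
    # A domain account only resolves if the AD bind is healthy; fail early otherwise.
    id "$user" >/dev/null 2>&1 || { echo "cannot resolve '$user' in Directory Services" >&2; return 1; }
    if is_member "$(admin_members)" "$user"; then
        echo "$user is already in $GROUP; nothing to do"
        return 0
    fi
    sudo dscl . -append "$GROUP" GroupMembership "$user"
    if is_member "$(admin_members)" "$user"; then
        echo "$user added to $GROUP"
    else
        echo "append ran but $user is not in $GROUP; check dscl output" >&2
        return 1
    fi
}

case "${1-}" in
    add)  add_admin "$2" ;;
    list) admin_members ;;
esac
```

Usage: `sh localadmin.sh add jdoe`, then `sh localadmin.sh list` to confirm who holds local admin on the machine; the list output is what you would want to keep as a record when handing the computer over.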

Office Word 2008 for Mac crashes when you choose File > Open

Someone at my work had a problem with Microsoft Office 2008 for the Mac crashing whenever they’d go to File > Open inside of Word. If they double-clicked on the file, everything was fine. Not wanting to hunt around through infinite Library folders looking for the offending files and “uninstalling” Office, I found a quick and easy solution online:

According to this site, “This is due to corrupt preferences, specifically the UserName/Library/Preferences/com.microsoft.Word.plist . Quit Word, drag that file to the desktop, and relaunch Word.” That solution worked perfectly for my customer, and they’re back to happily opening files from inside of Office.

Now, if that doesn’t work, there are some additional preferences files you can tweak/delete. You can find that additional troubleshooting advice here.

PokerStars.com’s Mac software to arrive soon

The following is a compensated review for PokerStars for Mac.

If you’ve ever played online poker, you’re probably familiar with PokerStars.com, one of the most popular poker sites on the Web. The ‘Mac-friendly’ poker reference site PokeronaMac.com, is reporting that the Mac version of PokerStars’ downloadable PC client will be hitting the Web soon. If you want, there’s a place to voice your support of the new Mac version, and press PokerStars for its release.

Now, it’s pretty neat that PokerStars is choosing to support a Mac client, especially in light of the fact that most new Macs will run Windows just fine. It speaks to the volume of PokerStars’ subscriber base that they have seen a significant demand for a Mac client from their customers. However, what I don’t understand about PokerStars or many of the other popular poker sites is simply why a well-written Java client is not the standard. Java will run on Mac, Windows, and even Linux, and it’s this sort of thing that the sometimes cumbersome, always lethargic language was designed for. There’s no offline play in the downloadable clients of any of the companies, as far as I know, so it seems that there’s no reason to use the player’s computer as the source of the application, when a universal client-server language exists that is universally compatible with all desired target platforms.

In spite of this note (and perhaps someone from PokerStars will care to comment), I think it is pretty nifty that the Mac client will be coming out. I’m only a little hesitant because there doesn’t seem to be a release date on PokerStars.com or PokeronaMac.com for the Mac client, and this wouldn’t be the first time that such a project never appeared after a lot of advance publicity. I certainly hope this isn’t the case here, but only time will tell. Until then, hope springs eternal!

mac, poker, pokerstars, pokerstars.com, poker on a mac

My BlackBerry is better than your iPhone

Our resident Apple toady made a passing remark this morning to me after seeing a colleague’s new iPhone, something like this: “Hey, his iPhone’s better than your BlackBerry.” Now, my BlackBerry is about three years old, nowhere near top-of-the-line, yet that horribly biased statement got me thinking. After all, it’s undeniable that the iPhone’s Mac OS X-based environment is slicker and prettier than the BlackBerry’s rather austere JAVA environment. But the point of a smartphone is, for lack of a better word, to be smart, and the BlackBerry still does a better job.

It boils down to one thing above all else, beyond the minor problems like no expansion slots and no one-touch phone dialing (the other half of ‘smartphone’): no 3rd-party apps. Apple, as has always been their hallmark, wants to keep everything in-house, so we get a phone that shows Youtube, but not Flash-based content on the bundled Safari browser. And, we get a phone that can do barely a tenth of what my JAVA-based phone can. Here’s what my BlackBerry can do right now that the iPhone will never be able to do:

  1. S/FTP access
  2. Remote Desktop access
  3. VNC access
  4. SSH
  5. Opera Mini browser
  6. SharkModem tethered modem software

The list goes on, but the point is that RIM made a good decision to go with a technology that was demonstrating itself both universal and capable of being deployed on handheld devices. All of the apps I’ve mentioned are 3rd-party, and I’m not counting gadgets like Gmail which may be on both phones. Apple decided to keep everything tightly under wraps, and now they’ve delivered a phone that’s glitzy and slick, but also inherently limited in scope. And that’s why the BlackBerry line is still better.

blackberry, iphone, apple, itunes