I Hate RTFM

I regularly search the internet for solutions to problems and one of the things that really irritates me is people who give totally unhelpful and oftentimes rude answers to people’s requests for help. Sure, sometimes you come across a thread where someone asks a really “dumb” question, but that doesn’t mean you should berate or insult the person by just saying something like RTFM (Read The Fu*king Manual) or some other totally unhelpful remark which doesn’t answer their question. The RTFM responses generally appear most often in the *NIX communities from what I have seen. If you don’t have anything nice to say then don’t say anything at all… an RTFM remark helps no one.


And in case you were wondering… here is a link to a web page which explains how to change the IP address in Red Hat Enterprise Linux 5 (RHEL 5), which is also how you change the IP address in CentOS.


MySpace Developer Website Open

The MySpace developer website is now open. Developers can create and test their applications in a testbed environment. The developer platform uses Google’s OpenSocial framework. Here is an excerpt from the developer website:

“The MySpace Developer Platform (MDP) allows developers to create applications that interact with MySpace members and their social data. With MDP you will be able to create compelling new products that integrate directly into MySpace pages and get exposure to millions of people around the world.

MDP is currently in a sandbox phase. During this phase, we’ll be rapidly adding new documentation, capabilities, and end-user features to the platform. We want your input! You can give us feedback in our forums, notify us about bugs, and contact us directly.”

10.5 Leopard – Change the Version of Apache that Starts Up

A clean install of Mac OS X 10.5 Leopard will result in Apache 2 being the default version of Apache that starts up when you enable the web service. If you performed an upgrade to Leopard from a Tiger install, then Apache version 1.3 will be the default version of Apache that starts up. Mac OS X 10.5 Leopard comes with both versions of Apache. If you need to change the version of Apache that starts up, do the following:

  1. Stop the web service if it is running.
  2. Edit the hidden file /var/db/.ApacheVersion with pico or some other text editor. The file contains a single digit: 1 for Apache 1.x, 2 for Apache 2.x.
  3. Restart the web service.
  4. The Server Admin app will now display the correct settings for whichever version of Apache you are running.
  5. Done.

10.5 Leopard – How to Manually Kerberize Services

Introduction

Today, when I went to “kerberize” the services on my 10.5.1 Leopard server, I attempted to follow the instructions in the official Leopard Server manual. If you have read the “excellently written” (FYI I am being sarcastic) OS X Server manuals then you already know how it went. In the manual it states there is supposed to be a nice pretty button in the Open Directory service settings that you can just press to “kerberize” all built-in services on your server which are capable of being kerberized. Well, when I went to the location where the manual stated the button should be, there was no button. At this point I already knew what had to be done. If you haven’t figured this out yet, for every server administration operation you can do with the pretty GUI apps that Apple provides, you had better know how to do it from the command line. Because when the pretty GUI tools fail you, you are up the creek unless you know how to bust out the terminal and do it the “hard” way. Before I tell you the terminal command to run to kerberize the services on your server, here is a very brief explanation of how Kerberos works with Leopard when a user accesses a “kerberized” service. I warn you that I am no Kerberos expert and what I am about to tell you may not be accurate, but it is what I have observed from the dozens of test installations I have done with Leopard.

Description of Leopard Client/Server Kerberos Interaction

For this explanation I will use the example of a user wanting to connect to a Leopard file server via Apple File Sharing using purely “single sign-on” Kerberos authentication. Let us assume the Open Directory server is properly set up and its Kerberos services are running fine, and that the client computer the user is using to access the file server is configured to authenticate against this Open Directory server. Let us also assume that the file server has been configured to authenticate against that same Open Directory server. So here is the whole process of what happens when the user accesses the file server:

1. The user logs into their Leopard desktop computer in their office. Upon logging into the computer, OS X requests and receives a Kerberos ticket from the Open Directory server.

2. The user then initiates an AFP connection to the file server.

3. The AFP service on the file server first asks the Open Directory server if the user has already been issued a valid Kerberos ticket. Before responding to the AFP service, the Open Directory server first checks its configuration to see if the file server has been authorized by an administrator to use the Kerberos services of the Open Directory server. If the file server has been authorized, then the Open Directory server responds to the file server. If the user has not been issued a valid ticket, then the user is prompted with a username/password dialog box which allows the user to receive a new Kerberos ticket from the Open Directory server.

4. Once the user has a valid Kerberos ticket, the AFP service on the file server issues the user another ticket for accessing its AFP file service. The user is then automatically logged into the server via Kerberos. At this point the user has a valid Kerberos ticket for accessing the Apple File Sharing service on the server, so until the user reboots their computer or their Kerberos ticket expires, they will be able to log into the AFP file service on the server automatically without being prompted for a username/password.

Terminal Command to Manually Kerberize Services

This terminal command will kerberize all the built-in Leopard services which are Kerberos-compatible. It will write entries into the Open Directory master’s Kerberos configuration. There will be a Kerberos configuration entry added for each service.

sudo sso_util configure -r YOUR.REALM.COM -a diradmin -p theDirAdminPassword all

Replace YOUR.REALM.COM with the exact name of your Kerberos “realm”, which is displayed in the settings of your Open Directory master server. Replace “diradmin” with the username of an account that has “directory administrator” privileges for your Open Directory. By default this account is named “diradmin”, but it may be different in your environment. Replace “theDirAdminPassword” with the password of the “diradmin” account.

Once you execute the above terminal command, you may need to restart your newly “kerberized” services on your server for the changes to take effect.
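An added check that is not part of the original post: after running sso_util, list the server’s keytab and confirm that each expected service principal exists in your realm before restarting services. The service names, the /etc/krb5.keytab path and the sample `klist -kt` output are assumptions and constructed data, not values from the page.

```python
"""Added example (not Apple's code): check which Leopard services actually got
Kerberos service principals after `sso_util configure ... all`, by parsing the
keytab listing. Service names, keytab path and sample output are assumptions."""
import subprocess

# Service principal names assumed to be written for the built-in services
# (hypothetical list: check it against your own keytab).
EXPECTED_SERVICES = ("afpserver", "cifs", "host", "http", "imap", "pop", "ftp")

def parse_keytab_listing(text):
    """Return the set of principals in `klist -k` or `klist -kt` output.
    Both print the KVNO first and the principal last (-kt adds a timestamp in
    between), so only those fields are read; header lines have no numeric KVNO."""
    principals = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit() and "@" in fields[-1]:
            principals.add(fields[-1])
    return principals

def check_services(principals, hostname, realm, expected=EXPECTED_SERVICES):
    """Sort the expected services into present / missing / wrong-realm lists."""
    present, missing, wrong_realm = [], [], []
    for service in expected:
        if f"{service}/{hostname}@{realm}" in principals:
            present.append(service)
        elif any(p.startswith(f"{service}/{hostname}@") for p in principals):
            wrong_realm.append(service)  # entry exists, but for another realm
        else:
            missing.append(service)
    return present, missing, wrong_realm

def read_keytab(path="/etc/krb5.keytab"):
    """Run klist on the server keytab (needs root; the path is an assumption)."""
    return subprocess.check_output(["klist", "-kt", path]).decode()

# Constructed sample shaped like MIT `klist -kt` output: http has a stale entry
# from another realm; cifs, pop and ftp were never kerberized.
SAMPLE_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   3 02/11/08 10:32:11 afpserver/server.example.com@EXAMPLE.COM
   3 02/11/08 10:32:11 host/server.example.com@EXAMPLE.COM
   3 02/11/08 10:32:11 imap/server.example.com@EXAMPLE.COM
   2 02/11/08 10:32:11 http/server.example.com@OLD.EXAMPLE.COM
"""

if __name__ == "__main__":
    found = parse_keytab_listing(SAMPLE_LISTING)
    print(check_services(found, "server.example.com", "EXAMPLE.COM"))
```

On the server itself, replace SAMPLE_LISTING with read_keytab() and pass your own hostname and realm; a service that lands in the missing or wrong-realm list is one that will still prompt for a password after the restart.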