Home Directory Helper

Anyone who’s ever implemented networked home directories on an OS X Server has probably come across the need to add or remove preference files from user accounts. Changing settings for new accounts is easy: just add the files to the User Template folder.

Existing users are a different story though. They already have their home directories. Depending on how many users you have, adding/deleting files from your old users can be a daunting task. Ten users is easy enough, but 50 is silly and over 100 is ridiculous.

Long ago I wrote a series of scripts (well actually just one) that I use and modify for whatever files I need to change. It basically just loops through each home folder in a specified directory. It’s really a pretty basic script. Here’s an example of one that I was using:

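#!/bin/bash
# Copy new dock and fix permissions
# Usage: cpdock.sh /path/to/homes   (must run as root for chown to work)

printf '\ncpdock.sh\n'

# Stop before touching anything if no directory was given or it cannot be entered
cd "${1:?No directory specified!}" || exit 1

echo "PWD = $(pwd)"

# Show the home folders that are about to be processed
printf '\n%s\n\n' "$(ls)"

# The glob copes with folder names containing spaces, unlike looping over `ls` output
for folder in */; do
    folder=${folder%/}
    plist="$folder/Library/Preferences/com.apple.dock.plist"
    [ -d "$folder/Library/Preferences" ] || continue   # not a home folder
    echo "...copying dock plist to $folder"
    cp /com.apple.dock.plist "$plist"
    chmod 700 "$plist"
    # Assumes each home folder is named after its owner's short username
    chown "$folder:staff" "$plist"
done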

That’s easy enough. It’s kind of a pain though to modify the scripts all the time. Also, it’s very difficult (and scary) to try and explain how to use these scripts to my less Bash-inclined co-workers.

The other day I found this great little piece of software written by Nicole Jacque called Home Directory Helper. It does exactly what all of my scripts did, except with an easier-to-use GUI interface. Very nice, and highly recommended.
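cpdock.sh has to run as root for chown to work, and it writes inside folders the users themselves control, so a symlink at Library/Preferences or at the plist itself would make cp and chown act on whatever it points to. The following is an added example, not the author's script or part of Home Directory Helper: a hardened install step in which `is_safe_home`, `install_pref` and the optional OWNER argument are hypothetical names.

```shell
#!/bin/bash
# Added example (constructed): hardened per-user install step for a root-run loop.
# is_safe_home, install_pref and the OWNER argument are hypothetical names.

# is_safe_home HOMES NAME: succeed only if NAME's tree is made of real directories.
is_safe_home() {
    local homes="$1" name="$2" p
    # NAME doubles as the account name passed to chown, so restrict its characters.
    case "$name" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # A user can replace anything under their home with a symlink; refuse to follow one.
    for p in "$homes/$name" "$homes/$name/Library" "$homes/$name/Library/Preferences"; do
        [ -d "$p" ] && [ ! -L "$p" ] || return 1
    done
}

# install_pref SRC HOMES NAME [OWNER]: place SRC in NAME's Preferences folder.
install_pref() {
    local src="$1" homes="$2" name="$3" owner="${4:-$3:staff}" dest tmp
    is_safe_home "$homes" "$name" || { echo "skipping $name: unsafe path" >&2; return 1; }
    dest="$homes/$name/Library/Preferences/$(basename "$src")"
    # mv would move the file *into* a directory (or a symlink to one), so refuse.
    [ ! -d "$dest" ] || { echo "skipping $name: destination is a directory" >&2; return 1; }
    # Stage beside the destination, then rename over it: a symlink sitting at
    # $dest is replaced by the rename instead of being written through.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    # The plist is data, so 600 is enough (the original script used 700).
    if cp "$src" "$tmp" && chmod 600 "$tmp" && chown -h "$owner" "$tmp" &&
       mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Same calling convention as cpdock.sh: first argument is the homes directory.
if [ -n "${1:-}" ]; then
    for home in "$1"/*/; do
        name=$(basename "$home")
        install_pref /com.apple.dock.plist "$1" "$name" || true
    done
fi
```

The checks narrow the window but do not remove the race between check and write, so run it while the affected users are logged out.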

You Are Unable to Log in to the User Account at Time

This one is just a quickie, but I thought I’d post it because I know that I’ve gotten this message before and that very little useful information turns up in a relevant Google search.

At my work we use an OS X server to host the home directories of all of our users who log in to our lab computers. We currently only support OS X clients, so we’re only doing this over AFP. Last semester we used a Tiger server and clients, but this summer we are upgrading everything to Leopard.

After setting up a test client computer in Directory Utility (used to be Directory Access in Tiger) to connect to our server I figured we were good to log in with one of the migrated user accounts. We don’t do binding or Active Directory or really anything complicated so usually the process is pretty straightforward.

After setting up the client and restarting, I attempted to log on using one of our network users, and was met with this big fat error message:

You are unable to log in to the user account [username] at this time

Not only did logging in not work, but the entire description of the error read “Logging in to the account failed because an error occurred”. Gee, thanks Apple. Very useful.

This error wasn’t entirely foreign to me. I remembered seeing it occasionally in Tiger, but couldn’t remember if we had ever established a cause, let alone a solution. Just for kicks I tried logging on with the same account on one of our older Tiger clients (that was known to work with the old Tiger server). The message is slightly more verbose, but generally still the same:

You are unable to log in to the user account [username] at this time (Tiger Message)

I knew that AFP was working because we had some share points up and running. So, AFP and at least some level of authentication were working. After inspecting the server firewall and Open Directory logs, as well as the client logs, it seemed clear that the user was authenticating properly. It was something that was happening after the actual successful authentication that was causing the error message.

After some research and thought, it occurred to me that it was very likely that there was some sort of configuration gone awry with the actual home directories. Then I realized that I had completely neglected to actually configure the old home directories on our server to be shared at all!

So basically the user was logging in and authenticating successfully. Then when the client asked for the home directory the server was like, what home directory? And the client was like aww shit. I’m gonna log you out right now ’cause I need your home to work. And the server was like, all right, fine. Something like that.

After some simple home directory sharing configurations, everything was running without another episode. Sigh.

Firefox 3 and OS X Networked Home Directories

AFP548 is reporting a bug with Firefox 3 where apparently it doesn’t work with Macs that are set up to use a networked home directory.

When I updated to Firefox 3, I immediately noticed that Bookmarks were not visible under bookmarks menu. The Search engine field had a generic icon and when I selected ‘Manage Search Engines’, the dialog box was frozen and I couldn’t get out of it without quitting Firefox. When I tried to enter a URL into the URL field and press ‘enter’, nothing happens. However, when I double-click on a URL in an e-mail message, that appears to work. […] When I switched to a local admin account (i.e., Firefox profile on the local hard drive), it seems to work fine. However, when I switch back to my network home account (on our XServe), it still displays the problems described above. I tried other user accounts on our XServe with the same problems.

This is kind of unbelievable to me that Firefox 3 was released with such a show-stopping bug on the Mac side. I’m pretty sure that most companies that use Macs use them with networked home directories (at least in the academic world). It’s good to know though before I start adding Firefox to the images for fall semester.

Apparently this is a documented bug and as a commenter suggested, will be fixed in the future. You can read the bug track in Bugzilla to see how the fix is progressing.

Error: This Should Never Happen

Imagine my surprise when I opened up Console yesterday and found this error message from Mail in the console.log:

Mail Error Message

I wonder what caused the error and why the developer thought “this should never happen.”

Mac OS X Security

Preface and Disclaimer

This paper presents an overview of the security situation of Mac OS X. The purpose of this paper is to present security in a very easy-to-understand fashion. I firmly believe that there is an absurd amount of FUD about computer security in general, mostly propagated by vendors of antivirus software and their partners. In the case of Mac OS X specifically, it is very difficult to get accurate, non-sensational information about what the real security threats are. This paper began as a genuine effort to figure out, and then convey, what the real status of Mac OS X security is.

Please be aware that I am no security expert (nor am I a hacker), but simply a normal computer nerd with a passion for most things relating to computers and design. I have made every effort to consult the writings of security experts and convey accurate information. If any security ninjas out there find any inaccuracies, please let me know.

With the exception of the section “Out Of The Box Security and Additional Hardening Measures”, the entire report refers to Mac OS X 10.4 and prior versions. Where possible, I state specific versions of the operating system that I am referring to.

I’ve broken up this report into several pages because it is quite long. You can also download the report in its entirety in PDF format.
