Practical Terminal Commands Reference

I just found this amazing list of Terminal commands today:

The list is not customized for OS X systems, so not all of the commands or options necessarily work as listed. I was however able to find similar commands using the man pages. This list is really an amazing reference for commands to do practical things that you might not have known you could do.

I just discovered wget using this list. I think I might have used this a long time ago and then promptly forgot it existed. Basically it downloads files or websites for you. This was exactly what I happened to need to download all of the student websites for my Web Design class. I was able to download all of them in a matter of minutes. The only problem was that it didn’t seem to pick up CSS background images or fonts used from @font-face, so I had to manually check those. An indispensable nevertheless.

Destroy Kerberos Ticket

Since we deployed Leopard to the computers labs at work, I’ve been running in to this annoying problem involving Kerberos. I hadn’t spent any time trying to figure out how to circumvent it until now because it really only affects administrators. We can deal with our own problems right?

When a user logs in, they authenticate to our server using their account username (use Alice for this example). At this point they are given a Kerberos ticket. From then on, in Leopard, whenever the user attempts to connect to an AFP share on the server, Leopard assumes that they are connecting as the same user, Alice. Because the Kerberos ticket is still valid, the user is automatically authenticated as Alice. Of course, this makes perfect sense. That’s the whole point of Kerberos: single sign-on.

The problem resides in the assumption that the user wants to connect as the same user every time. What if Alice is actually an admin who needs to log on to a share using different credentials? Here’s an example: I’m testing a student account, with normal student privileges. During the course of my testing, I need to access a document from our administrative share point. Now, obviously the student account does not have access to the administrative share point. I would need to log in to the share using a user with permissions to access the administrative share point.

Unfortunately, Leopard will not even ask me what user account I want to use because I already have a valid Kerberos ticket for the student account. Fortunately, after finally getting fed up with this problem, a quick bit of googling solved it.

All that needs to be done is to destroy the Kerberos ticket. Simply open Keychain Access and select Kerberos Ticket Viewer from the Keychain Access menu. Select your Kerberos ticket from the window and click the destroy button. This doesn’t actually harm anything, it simply makes your Kerberos ticket expire. The next time you try and connect to the server, you will be asked to authenticate again; at which point you can authenticate as a different user.

Alternately, you could also create a new Kerberos ticket using a separate username to the same server. The before authenticating to a share, you would simply change the active user. Unfortunately it seems as though you can only access one at a time. For example, I could not mount two different user’s home directories at the same time. I would have to activate a user, mount their home directory, eject it, activate the second user, and then mount their home directory. Hmm, as you can probably see, there doesn’t really seem to be a reason why this would be useful. Probably simply destroying the ticket is the best bet.

For more information on this, check out the Mac OS X 10.5: About Kerberos in Mac OS X 10.5 clients knowledge base article from Apple.

Home Directory Helper

Anyone whose ever implemented networked home directories on and OS X Server has probably come across the need to add or remove preference files from user accounts. Changing settings for new accounts is easy, just add the files to the User Template folder.

Existing users is a different story though. They already have their home directories. Depending on how many users you have, adding/deleting files from you old users can be a daunting task. Ten users is easy enough, but 50 is silly and over 100 is ridiculous.

Long ago I wrote a series of scripts (well actually just one) that I use and modify for whatever files I need to change. I basically just loops through each home folder in a specified directory. It’s really a pretty basic script. Here’s an example of one that I was using:

# Copy new dock and fix permissions

echo "\ncpdock.sh"

dir=`ls $1`

cd ${1:?"No directory specified!"}

echo "PWD = `pwd`"

echo "\n$dir\n"

for folder in $dir; do
    echo "...copying dock plist to $folder"
    cp /com.apple.dock.plist $folder/Library/Preferences/com.apple.dock.plist
    chmod -R 700 $folder/Library/Preferences/com.apple.dock.plist
    chown -R $folder:staff $folder/Library/Preferences/com.apple.dock.plist
done

That’s easy enough. It’s kind of a pain though to modify the scripts all the time. Also, it’s very difficult (and scary) to try and explain how to use these scripts to my less Bash-inclined co-workers.

The other day I found this great little piece of software written by Nicole Jacque called Home Directory Helper. It does exactly what all of my scripts did, except with an easier to use GUI interface. Very nice, and highly recommended.

Leopard Server Quickstart Guide

Corey Carson was written a fantastic quickstart guide for Leopard Server.

This updated quickstart guide is very similar to the Tiger Server Quickstart Guide posted in 2005. It’s primary purpose is to get you up and running quickly, overcoming common hurdles such as DNS and binding confusions. With the move to launchd over cron, those steps are now included as well.

You can grab the pdf at AFP548.com.

The article includes some particularly good instructions on using and setting up rsync, launchd, and Network Home Redirector.

Via Infinity’s End.

You Are Unable to Log in to the User Account at Time

This one is just a quickie, but I thought I’d post it because I know that I’ve gotten this message before and that there is very little useful information turned up in a relevant Google search.

At my work we use an OS X server to host the home directories of all of our users who log in to our lab computers. We currently only support OS X clients, so we’re only doing this over AFP. Last semester we used a Tiger server and clients, but this summer we are upgrading everything to Leopard.

After setting up a test client computer in Directory Utility (used to be Directory Access in Tiger) to connect to our server I figured we were good to log in with one of migrated user accounts. We don’t do binding or Active Directory or really anything complicated so usually the process is pretty straightforward.

After setting up the client and restarting, I attempted to log on using one of our network users, and was met with this big fat error message:

You are unable to log in to the user account [username] at this  time

Not only did not logging in not work, but the entire description of the error read “Logging in to the account failed because an error occurred”. Gee, thanks Apple. Very useful.

This error wasn’t entirely foreign to me. I remembered seeing it occasionally in Tiger, but couldn’t remember if we had ever established a cause, let alone a solution. Just for kicks I tried logging on with the same account on one of our older Tiger clients (that was known to work with the old Tiger server). The message is slightly more verbose, but generally still the same:

You are unable to log in to the user account [username] at this  time (Tiger Message)

I knew that AFP was working because we had some share points up and running. So, AFP and at least some level of authentication were working. After inspecting the server firewall and open directory logs, as well as the client logs, it seemed clear that the user was authenticating properly. It was something that was happening after the actual successful authentication that was causing the error message.

After some research and thought, it occurred to me that it was very likely that there was some sort of configuration gone awry with the actual home directories. Then I realized that I had completely neglected to actually configure the old home directories on our server to be shared at all!

So basically the user was logging in and authenticating successfully. Then when the client asked for the home directory the server was like, what home directory? And the client was like aww shit. I’m gonna log you out right now ’cause I need your home to work. And the server was like, all right, fine. Something like that.

After some simple home directory sharing configurations, everything was running without another episode. Sigh.



appointive
appointive
appointive
appointive