Netatalk 2.2.2 updates UAM naming convention

Posted: July 3rd, 2012 | Filed under: Debian, Linux Mint, netatalk, Time Machine, Ubuntu

After upgrading to Netatalk 2.2.3 from a previous version, users who authenticate with the DHX method will see uam: uam not found (status=-1) on the Netatalk server. On the MacOSX side, an attempt to log in fails with the error message “The version of the server you are trying to connect to is not supported…”. Before you mess with the settings, check your uams directory! The Netatalk team have renamed the uams dhx modules. The DHX2 and DHX modules now carry a _pam.so suffix (which logs authentication information to auth.log) or a _passwd.so suffix. Check the files in your uams directory before you pull out your hair or try to reinstall (the default directory is /usr/local/etc/netatalk/uams). Most of the instructions on the web have not been updated to reflect the name change. I have -uamlist uams_dhx2_pam.so,uams_dhx_pam.so in my afpd.conf (as a reminder, no spaces around the commas!).

DHX2 is probably the best password authentication scheme to use with modern MacOSX right now, so if you are concerned about security it is a good idea to use it.

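The check described above can be scripted. The following is an added example, not code from the post or from the Netatalk project: it takes a uams directory and the value of afpd.conf's -uamlist, splits the list on commas exactly as afpd does, reports every module that is not present, and recognises the two pre-2.2 names so it can name their replacements. It also flags whitespace in the list, because a space after a comma becomes part of the next module name. The uams directory it builds under mktemp is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): verify that every module named in afpd.conf's
# -uamlist exists in the uams directory, and point out the 2.2.x renames.
# The sample uams directory below is constructed for the demo.

# check_uamlist UAMS_DIR UAMLIST
# Prints one line per problem; returns 0 when every module is present.
check_uamlist() {
    uams_dir=$1
    uamlist=$2
    rc=0
    # afpd splits the list on commas only, so a space becomes part of a module name.
    case $uamlist in
        *" "*) echo "uamlist contains whitespace: remove spaces around the commas"; rc=1 ;;
    esac
    old_ifs=$IFS; IFS=,
    set -- $uamlist
    IFS=$old_ifs
    for mod in "$@"; do
        if [ -f "$uams_dir/$mod" ]; then
            continue
        fi
        rc=1
        case $mod in
            uams_dhx2.so) echo "missing $mod: renamed to uams_dhx2_pam.so or uams_dhx2_passwd.so" ;;
            uams_dhx.so)  echo "missing $mod: renamed to uams_dhx_pam.so or uams_dhx_passwd.so" ;;
            *)            echo "missing $mod in $uams_dir" ;;
        esac
    done
    return $rc
}

# Constructed sample: a uams directory as shipped by Netatalk 2.2.x
demo_dir=$(mktemp -d)
mkdir "$demo_dir/uams"
for f in uams_dhx2_pam.so uams_dhx_pam.so uams_dhx2_passwd.so uams_dhx_passwd.so uams_guest.so; do
    : > "$demo_dir/uams/$f"
done

echo "old afpd.conf uamlist:"
check_uamlist "$demo_dir/uams" "uams_dhx2.so,uams_dhx.so"   # reports both renames
echo "updated uamlist:"
check_uamlist "$demo_dir/uams" "uams_dhx2_pam.so,uams_dhx_pam.so" && echo "all modules present"

rm -rf "$demo_dir"
```

On a real server, run check_uamlist against /usr/local/etc/netatalk/uams (or wherever your build installed the modules) and the exact string you pass to -uamlist; a non-zero exit means afpd will log uam not found for at least one entry.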


More Netatalk Debugging and Solutions

Posted: August 24th, 2011 | Filed under: Mac, netatalk, Time Machine, Ubuntu

I had to reinstall my Ubuntu system because my Seagate drive died a horrible and quick death. I replaced the drives with WD Greens. Since the Seagate had a SMART error and bad sectors were growing every second, the data on the OS drive was basically spinning to pieces.

When I reinstalled netatalk, I installed the self-compiled netatalk package (mentioned previously). However, I encountered the following error:

afpd {cnid_dbd.c:314} (E:CNID): dbd_rpc: Error reading header from fd (db_dir /var/dbd/AppleDB/tm): Connection reset by peer
afpd {cnid_dbd.c:400} (E:CNID): transmit: Request to dbd daemon (db_dir /var/dbd/AppleDB/tm) timed out.

That one is relatively simple: I just had to make sure the dbpath given in AppleVolumes.default exists.

Another error message I got:

afpd {volume.c:1907} (W:AFPDaemon): volume "usr" does not support Extended Attributes, using ea:ad instead

Solution:
I made sure cnidscheme is set to dbd and ea is set to sys in AppleVolumes.default.

:DEFAULT: cnidscheme:dbd ea:sys

Reference:
Netatalk manual’s coverage on AppleTalk.default.
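Both fixes from this post (a dbpath directory that must exist, and cnidscheme/ea set on the volume or in :DEFAULT:) can be checked before afpd is restarted. The script below is an added example, not code from the post or from Netatalk: it reads an AppleVolumes.default-style file, treats every key:value token on a volume line as an option, lets :DEFAULT: supply values a volume does not set itself, and reports a missing dbpath directory, a cnidscheme other than dbd, or an unset ea. The sample file it writes under mktemp is constructed for the demo; the volume-name parsing assumes names without colons.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check an AppleVolumes.default file.
# Reports a dbpath that does not exist (the cause of the cnid_dbd "Error reading
# header" / "timed out" messages), a cnidscheme other than dbd, and a volume with
# no ea setting, honouring :DEFAULT: for options the volume line omits.
# The sample file below is constructed for the demo.

# check_applevolumes FILE  -> prints findings, returns 0 if the file is clean
check_applevolumes() {
    awk '
        # skip comments and blank lines
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            split("", o)                          # per-line options, key -> value
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^[a-z]+:/) continue    # e.g. the quoted volume name
                k = $i; sub(/:.*/, "", k)
                v = $i; sub(/^[^:]*:/, "", v)
                o[k] = v
            }
            if ($1 == ":DEFAULT:") { for (k in o) d[k] = o[k]; next }
            path = $1
            cnid = ("cnidscheme" in o) ? o["cnidscheme"] : d["cnidscheme"]
            ea   = ("ea" in o) ? o["ea"] : d["ea"]
            if (cnid != "dbd") { print path ": cnidscheme is \"" cnid "\", expected dbd"; bad = 1 }
            if (ea == "")      { print path ": ea is not set (the post sets ea:sys)"; bad = 1 }
            # system() returns the exit status of test -d, so non-zero means missing
            if (("dbpath" in o) && system("test -d \"" o["dbpath"] "\"") != 0) {
                print path ": dbpath " o["dbpath"] " does not exist"; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample: one correct volume and one that reproduces both problems
demo=$(mktemp -d)
mkdir -p "$demo/AppleDB/tm"
cat > "$demo/AppleVolumes.default" <<EOF
# constructed sample AppleVolumes.default
:DEFAULT: cnidscheme:dbd ea:sys
$demo/tm "Time Machine" options:tm dbpath:$demo/AppleDB/tm
$demo/usr "usr" cnidscheme:cdb dbpath:$demo/AppleDB/usr
EOF

check_applevolumes "$demo/AppleVolumes.default" || echo "fix the volumes listed above"
rm -rf "$demo"
```

Run it against /usr/local/etc/netatalk/AppleVolumes.default (or wherever your build installed it) after every edit; the two findings it prints for the "usr" volume in the demo are the two messages this post was about.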


Creating a Debian VirtualBox VM

Posted: January 7th, 2011 | Filed under: Debian, Mac, Virtual Box

In the past I used Parallels 5 for my VM needs (and I still do). Recently I found out that in order to install the Parallels Guest Tools on the latest Ubuntu (10.10), I have to upgrade Parallels from version 5 to 6. Since Ubuntu updates every 6 months, there is a good chance that I would have to update Parallels every year in order for the latest version of Ubuntu to work. I have decided to check out VirtualBox and see how well it works with my development environment.

To create a basic Debian VirtualBox image:

  1. Grab the latest netinst image
  2. For typical development use, I don’t think one will use more than 8GB of disc space.
  3. Use the Guided hard disc setup and use the whole drive
  4. Deselect everything else and only install Standard System
  5. Install GRUB to your bootloader
  6. Go through the system setup and reboot
  7. Install OpenSSH server by apt-get install openssh-server
  8. Run apt-get upgrade
  9. Run apt-get update
  10. Do an ACPI Shutdown via the Machine menu or run shutdown now
  11. Edit the VM’s Settings via the Oracle VM VirtualBox Manager
    I typically set:

    • Hardware clock in UTC time. This is to make sure that clocks are in sync so things like ssh won’t misbehave.
    • Disable Audio
    • Change Network -> Adapter 1 -> Attached to: Bridged Networking
    • Disable the Ports (both serial and USB)
    • Leave Shared Folders option unset, I just use SSH for everything.
  12. Reboot, Login
  13. Run ifconfig; the IP address will now be in your home network’s subnet (for me it is 192.168.123.0), so you can ssh into the machine via ssh username@ipaddress
  14. Shut down again and select Export Appliance under File in the VirtualBox Manager. Now, whenever you need a Debian VM, you just have to import the appliance. At this stage, I also highly recommend you take a snapshot of the image before you do any tinkering.
  15. Start the machine again; if you want to give the VM a static IP, run nano /etc/network/interfaces
    Replace

    allow-hotplug eth0
    iface eth0 inet dhcp

    with (IP address and gateway adjusted to taste; keep an auto or allow-hotplug line for eth0, otherwise nothing brings the interface up at boot)

    auto eth0
    iface eth0 inet static
           address 192.168.1.10
           netmask 255.255.255.0
           network 192.168.1.0
           broadcast 192.168.1.255
           gateway 192.168.1.1

    Run /etc/init.d/networking restart

  16. Next time, you can start the virtual machine from the command line with VBoxHeadless -startvm "machinename"

How to setup MacOSX 10.6 for freeRADIUS TLS or WPA2 Enterprise access

Posted: January 6th, 2011 | Filed under: freeRADIUS, Mac

Apple’s documentation for TLS access is rather thin on how to generate certificates etc. for freeRADIUS. Here are some quick instructions.
First, the guest machine must generate a certificate request.

  1. Go to Applications -> Utilities -> Keychain Access
  2. Under Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority…
  3. Fill in the info, give them your CA Email Address (the one that is in your ca.cnf file)
  4. Either Save or Email (however if a guest is visiting your house and doesn’t have wifi nor cell access, it could be a problem!).
  5. Once you have transferred the request to your server, issue the command (substitute guestname with whatever you like; in my guest.cnf I have set the lifetime of the certificate to 1 day):
    openssl ca -config guest.cnf -policy policy_anything -out guests/guestname.crt -extensions xpclient_ext -extfile xpextensions -infiles guestname.crt
  6. Return the ca.crt (if your guest is a frequent visitor or a close friend) and guestname.crt

Setup 802.1X or WPA2 Enterprise access on the guest’s machine:

  1. Open Keychain Access (if you have closed it)
  2. Click the user’s keychain; if the padlock is closed, click on it.
  3. Drag the certificates generated above into the keychain
  4. Optionally: Click on the Trust tab and select Always Trust (assuming you do no evil!)
  5. Quit Keychain Access
  6. Open Preferences -> Network
  7. Select Airport -> Advanced…
  8. Select 802.1X tab
  9. Create a new User Profile via the + icon on the lower left hand corner of the window.
  10. Give the profile any name you like
  11. Check the TLS box under Authentication
  12. Click on Configure Trust
  13. Select the Certificates tab
  14. On the lower left hand corner, click on the + and select Select Certificate From Keychain
  15. Click OK and the window will close
  16. Select the SSID from the Wireless Network: drop down list
  17. Select WPA2 Enterprise from the Security Type: drop down list
  18. Click OK and you will be back in the Network window
  19. The profile name should appear now next to 802.1X
  20. Click on Turn Airport On
  21. The 802.1X should automatically connect, if not click on the Connect button
  22. To disconnect, click on Disconnect or Turn Airport Off.

Additional Reading:
Apple’s Resources with pretty pictures.
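The signing step (step 5 of the first list) and the two files handed back to the guest (step 6) are reproduced below as an added example; it is not code from the post or from freeRADIUS, and it deviates from the post in three deliberate ways. It uses openssl x509 -req instead of openssl ca -config guest.cnf, so it needs no CA index or serial database; it replaces the xpclient_ext section of freeRADIUS's xpextensions file with an inline extfile carrying the same extendedKeyUsage (clientAuth); and it generates a throwaway CA and a throwaway guest CSR itself so that it runs offline, whereas in real use ca.crt already exists and the CSR comes from the guest's Keychain Access. The one-day validity matches the post. After signing, verify_guest_cert checks that the certificate chains to the CA and is marked for client authentication, which is what the supplicant needs before the 802.1X profile will work.

```shell
#!/bin/sh
# Added example (not from the post): issue a one-day EAP-TLS guest certificate
# from a CSR and verify it. Assumptions, all deliberate for this demo:
#   - "openssl x509 -req" replaces the post's "openssl ca -config guest.cnf";
#   - an inline extfile replaces the xpclient_ext section of xpextensions
#     (same extendedKeyUsage = clientAuth);
#   - the CA and the guest CSR are generated here instead of coming from
#     ca.cnf and the guest's Keychain Access.

# make_demo_ca DIR: throwaway self-signed CA (stands in for the post's ca.crt)
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Guest CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_demo_csr DIR NAME: what the guest would hand you (constructed here)
make_demo_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# issue_guest_cert DIR NAME: sign DIR/NAME.csr into DIR/guests/NAME.crt, valid 1 day
issue_guest_cert() {
    dir=$1; name=$2
    mkdir -p "$dir/guests"
    printf 'extendedKeyUsage = clientAuth\nbasicConstraints = CA:FALSE\n' > "$dir/client_ext.cnf"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/client_ext.cnf" \
        -out "$dir/guests/$name.crt" 2>/dev/null
}

# verify_guest_cert DIR NAME: chains to ca.crt and carries the client-auth EKU
verify_guest_cert() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/guests/$name.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/guests/$name.crt" -noout -text |
        grep -q 'TLS Web Client Authentication'
}

# Demo run: CA, guest request, signing, verification, expiry
d=$(mktemp -d)
make_demo_ca "$d" && make_demo_csr "$d" visitor && issue_guest_cert "$d" visitor
if verify_guest_cert "$d" visitor; then
    echo "guests/visitor.crt verifies against ca.crt; return it with ca.crt"
    openssl x509 -in "$d/guests/visitor.crt" -noout -enddate
fi
rm -rf "$d"
```

With a real CA, drop make_demo_ca and make_demo_csr, point issue_guest_cert at your existing ca.crt/ca.key and the request the guest sent, and hand back guests/guestname.crt together with ca.crt as step 6 describes.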


launchctl Tutorial

Posted: December 5th, 2010 | Filed under: launchctl, Mac

launchctl lets users start and stop jobs that are managed by launchd (MacOS’s equivalent of cron).

Job configurations are stored as XML-formatted .plist files: in /System/Library/LaunchAgents or /System/Library/LaunchDaemons for system-wide items, and in ~/Library/LaunchAgents or ~/Library/LaunchDaemons for user-specific items.

Agents or Daemons?
An agent is a program that requires access to specific users’ information. A daemon is a program that runs in the background and requires generally no input from any user.

For a more detailed comparison between agents and daemons, refer to this Apple technote.

What is in a .plist?
A .plist file must contain at the very least a Label key, a ProgramArguments array, and a key that tells launchd how the job is run: e.g. KeepAlive or RunAtLoad for one-time operations, or StartOnMount, StartInterval or StartCalendarInterval for repeating occurrences.

A complete dictionary of all the property keys can be found here. Among other things, launchd can monitor modified paths (via the WatchPaths key), apply HardResourceLimits, etc.

Here is an example com.companyname.agentorapplicationname.plist, which runs the application /full/path/to/binary every 60 seconds:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
 <dict>
  <key>Label</key>
  <string>com.companyname.agentorapplicationname</string>
  <key>ProgramArguments</key>
  <array>
   <string>/full/path/to/binary</string>
   <string>-firstargument</string>
   <string>valueoffirstargument</string>
   <string>-secondargument</string>
   <string>valueofsecondargument</string>
  </array>
  <!-- run every 60 seconds: StartInterval takes an integer, not a boolean -->
  <key>StartInterval</key>
  <integer>60</integer>
 </dict>
</plist>


launchctl operations

launchctl list
    Lists the PID, status and label of loaded jobs
launchctl list com.exampleco.eg
    Outputs the runtime information (e.g. PATH) of com.exampleco.eg
launchctl start com.exampleco.eg
    Starts com.exampleco.eg
launchctl stop com.exampleco.eg
    Stops com.exampleco.eg
launchctl load -w /path/example.plist
    Loads a job by its plist filename (-w also marks the job enabled, overriding the Disabled key)
launchctl unload /path/example.plist
    Stops and unloads a job by its plist filename
launchctl submit -l labelname -p /path/eg/binary -o /path2/stdout -e /path2/stderr
    Manually runs binary under the label labelname with the specified stdout and stderr files
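Writing a plist by hand invites exactly the kind of slip shown in the original listing (a value folded into the key name). The script below is an added example, not code from the post or from Apple: make_interval_plist emits a plist of the shape shown above with StartInterval as an <integer> and XML-escaped ProgramArguments, and lint_plist_keys pulls every <key> out of an existing plist and reports names launchd does not know. The KNOWN_KEYS list is an assumption of this demo: it holds the keys the post mentions plus a few common ones from launchd.plist(5), and the lint is flat, so nested dictionaries beyond StartCalendarInterval's fields would need their own list. The plists it writes under mktemp are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): generate a launchd .plist from the shell and
# lint an existing one for mistyped keys. KNOWN_KEYS is this demo's own subset of
# launchd.plist(5) keys; the sample files are constructed for the demo.

# xml_escape STRING: make an argument safe inside <string>...</string>
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# make_interval_plist LABEL SECONDS PROGRAM [ARG...] -> plist text on stdout
make_interval_plist() {
    label=$1; interval=$2; shift 2
    case $interval in
        ''|*[!0-9]*) echo "StartInterval must be a whole number of seconds" >&2; return 1 ;;
    esac
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf ' <key>Label</key>\n <string>%s</string>\n' "$(xml_escape "$label")"
    printf ' <key>ProgramArguments</key>\n <array>\n'
    for arg in "$@"; do
        printf '  <string>%s</string>\n' "$(xml_escape "$arg")"
    done
    printf ' </array>\n'
    # StartInterval is an <integer>, not a <true/> flag
    printf ' <key>StartInterval</key>\n <integer>%s</integer>\n' "$interval"
    printf '</dict>\n</plist>\n'
}

# Keys this lint accepts (demo subset of launchd.plist(5); Minute..Month are the
# StartCalendarInterval sub-keys so a calendar job does not trip the flat check)
KNOWN_KEYS="Label ProgramArguments Program RunAtLoad KeepAlive StartInterval StartCalendarInterval StartOnMount WatchPaths QueueDirectories StandardOutPath StandardErrorPath EnvironmentVariables WorkingDirectory UserName GroupName HardResourceLimits SoftResourceLimits Disabled Minute Hour Day Weekday Month"

# lint_plist_keys FILE: report every <key> launchd would not recognise; a typo such
# as "<key>StartInterval 60</key>" is not a StartInterval and the job never fires.
lint_plist_keys() {
    file=$1
    nl=$(printf '\nx'); nl=${nl%x}
    old_ifs=$IFS; IFS=$nl
    set -- $(sed -n 's/.*<key>\([^<]*\)<\/key>.*/\1/p' "$file")
    IFS=$old_ifs
    rc=0
    for name in "$@"; do
        case " $KNOWN_KEYS " in
            *" $name "*) ;;
            *) echo "unknown key: \"$name\""; rc=1 ;;
        esac
    done
    return $rc
}

# Demo: the post's job, generated correctly, then the original typo caught by the lint
demo=$(mktemp -d)
make_interval_plist com.companyname.agentorapplicationname 60 /full/path/to/binary \
    -firstargument valueoffirstargument -secondargument valueofsecondargument > "$demo/good.plist"
lint_plist_keys "$demo/good.plist" && echo "good.plist: keys OK"
printf '<key>Label</key>\n<string>x</string>\n<key>StartInterval 60</key>\n<true/>\n' > "$demo/bad.plist"
lint_plist_keys "$demo/bad.plist" || echo "bad.plist: fix the key above"
rm -rf "$demo"
```

Write the generated plist into ~/Library/LaunchAgents and load it with launchctl load -w as in the table above; run lint_plist_keys over any plist that loads without complaint yet never runs.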


How to start / stop AppleVNCServer via command line properly!

Posted: December 2nd, 2010 | Filed under: Mac, VNC

Recent versions of Apple MacOSX (10.5+) come with a built-in VNC server which allows users to access the Mac remotely with a graphical session. With 10.5 there is a weird bug in the VNC server: mid-session, the process increases its CPU load from a typical ~1–10% to 60%+ and locks up the session while it is at it. Typically AppleVNCServer takes about 25% CPU time on a G5 during normal window dragging etc.

One can terminate the process brutishly by issuing ps -ax | grep AppleVNCServer to find the offending PID and then kill it. AppleVNCServer will restart, assuming your Screen Sharing option is turned on.

However, one can also do it elegantly via the launchctl interface.

The actual AppleVNCServer binary is buried in /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/. However it is controlled via the /System/Library/LaunchAgents/com.apple.ScreenSharing.plist.

AppleVNCServer doesn’t seem to accept any runtime flags.

To see whether it is actually running, run launchctl list.

To STOP a run away AppleVNCServer process: launchctl stop com.apple.ScreenSharing.server
To START AppleVNCServer via command line: launchctl start com.apple.ScreenSharing.server

If you reach this far, I assume you also know how to remote access a mac via ssh.
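The ps-then-kill routine and the launchctl stop/start pair above can be combined into a small watchdog. The script below is an added example, not code from the post or from Apple: runaway_pids reads "pid %cpu comm" lines (the shape of ps -axo pid,%cpu,comm) on stdin and prints the PIDs of AppleVNCServer processes above a CPU threshold, and bounce_screen_sharing performs the post's launchd-managed restart. The ps output embedded below is constructed for the demo, and LAUNCHCTL is a hypothetical override so the restart can be dry-run on a machine without launchctl.

```shell
#!/bin/sh
# Added example (not from the post): spot a runaway AppleVNCServer from ps output
# and bounce it through launchd instead of kill. The ps sample is constructed;
# on a Mac, feed "ps -axo pid,%cpu,comm" into runaway_pids instead. LAUNCHCTL is a
# demo-only override (LAUNCHCTL=echo dry-runs the restart).

# runaway_pids THRESHOLD [NAME]: print PIDs of NAME (default AppleVNCServer)
# whose %CPU is above THRESHOLD; accepts input with or without the ps header
runaway_pids() {
    awk -v limit="$1" -v name="${2:-AppleVNCServer}" '
        NR == 1 && $1 == "PID" { next }                       # skip the header
        $3 ~ ("(^|/)" name "$") && $2 + 0 > limit { print $1 }
    '
}

# bounce_screen_sharing: the launchd-managed restart from the post
bounce_screen_sharing() {
    ${LAUNCHCTL:-launchctl} stop com.apple.ScreenSharing.server &&
    ${LAUNCHCTL:-launchctl} start com.apple.ScreenSharing.server
}

# Constructed ps sample: a healthy Finder, a runaway VNC server and a busy but
# unrelated browser that must not be matched
SAMPLE_PS='  PID  %CPU COMM
  312   2.0 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  498  63.2 /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer
  511  70.0 /Applications/Safari.app/Contents/MacOS/Safari'

pids=$(printf '%s\n' "$SAMPLE_PS" | runaway_pids 60)
if [ -n "$pids" ]; then
    echo "runaway AppleVNCServer pid(s): $pids"
    LAUNCHCTL=echo bounce_screen_sharing   # dry-run in the demo; drop the override on a Mac
fi
```

On a Mac, replace the sample with ps -axo pid,%cpu,comm | runaway_pids 60 and call bounce_screen_sharing without the override; the threshold of 60 matches the 60%+ load described in the post.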