Every so often, a user may call the help desk to report that they can’t log into their Mac using their Active Directory account’s username and password. Here’s a way to diagnose remotely if their workstation is having an AD problem and needs to be re-bound.
1. Use SSH to remotely connect to the Mac in question: ssh email@example.com
This message may appear if it’s the first time connecting from your workstation to the remote Mac:
The authenticity of host ‘workstation-name.domain.org (ip.address.here)’ can’t be established.
RSA key fingerprint is 47:15:1f:e0:b1:dc:05:25:2c:cf:ae:aa:8c:ac:83:c3.
Are you sure you want to continue connecting (yes/no)?
Enter yes when prompted and hit Return.
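A way to check the fingerprint in that prompt before entering yes, as an added example that is not part of the original post: it computes the colon-separated MD5 fingerprint (the format shown in the prompt above) from a copy of the Mac's host public key. It assumes you obtained that key line through a trusted channel. The sample key and the helper names are constructed for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def md5_fingerprint(pubkey_line: str) -> str:
    """Return the MD5 fingerprint of an OpenSSH public key line ("type base64 [comment]")."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The key blob starts with its own type string; reject lines where the two disagree.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def prompt_matches(prompt_fingerprint: str, trusted_pubkey_line: str) -> bool:
    """True only if the fingerprint shown by ssh equals the one computed from the trusted key."""
    shown = prompt_fingerprint.strip().lower()
    return shown == md5_fingerprint(trusted_pubkey_line)


# Constructed sample key: a made-up exponent and modulus, not a real host key.
SAMPLE_BLOB = (
    ssh_string(b"ssh-rsa")
    + ssh_string(b"\x01\x00\x01")
    + ssh_string(b"\x00" + bytes(range(1, 129)))
)
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " constructed-sample"

if __name__ == "__main__":
    print("fingerprint of trusted key:", md5_fingerprint(SAMPLE_PUB))
    # The fingerprint quoted in the post belongs to a different key, so this prints False.
    print(prompt_matches("47:15:1f:e0:b1:dc:05:25:2c:cf:ae:aa:8c:ac:83:c3", SAMPLE_PUB))
```

If the two fingerprints differ, answer no at the prompt and investigate before connecting.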
On Friday, March 23rd at 1:26 PM Eastern Daylight Time, the certificate that Apple embedded in various Apple software installers expired.
If you’re using Installer.app in Mac OS X’s GUI, you’ll get a warning about the certificate being invalid and asked if you want to install it anyway.
However, the command line installer tool does not have the option of “certificate invalid, install anyway.” Instead, installations run with the installer tool will fail. This affects any systems management tool that uses Apple’s installer tool via the command line to install packages.
At this time, the best recommendation I have is to download new copies of the various Apple-provided installers that you need for your workflow. The new installers should include a new certificate that’s good until 2019.
One installer in particular that you may want to re-download is the 10.7.3 installer from the Mac App Store, as the installer has a RemoteDesktop.pkg installer included that may have an expired certificate. Re-downloading the 10.7.3 installer from the MAS after Friday, March 23rd will give you a 10.7.3 installer that works properly.
Update: Greg Neagle’s checkPackageSignatures and flatpkgfixer scripts are extremely helpful here. checkPackageSignatures will help you find expired certificates in your packages and disk images. flatpkgfixer will help you with any software you can’t re-download by removing package signing either from single flat packages or from disk images that contain packages.
I’m very fortunate that WordPress.com’s hosting has provided me with a free way to blog without having to worry about anything besides “Is it up?” However, along with the question “Is it up?”, there’s the possibility that the answer someday may be “No”. The usual answer to this problem is “Set up an automated backup”, but I had the following technical issues to deal with:
- Backups can only be made manually via the admin console
- Backups made via the admin console would not include the hosted media (images, videos, etc)
- Media is linked at a separate address
- I do not have shell access to the server(s) hosting the blog (which would allow me to set up a normal WordPress backup)
Fortunately, there’s a relatively straightforward solution: mirror the site to a local backup using HTTrack. See below the jump for the details.
We’ve gotten in a couple of calls from our users asking how to set their fonts to be larger. So that other folks know, here’s how you do it:
Changing the default font for outgoing messages in Outlook 2011
1. Go to the Outlook menu and select Preferences
2. In the Outlook Preferences window, open Fonts
3. Change the font and font size to what’s desired, then close the Fonts window to save the changes
Changing the font size for incoming messages in Outlook 2011
To change the font size in the Reading Pane or while you are viewing a message:
1. Go to the Format menu in Outlook
2. Select Increase Font Size or Decrease Font Size
I’ve posted a new script (adapted from the original by Patrick Gallagher) that’s designed to help folks migrate from local user accounts to a non-syncing LDAP mobile user account.
The script currently supports 10.6.x and 10.7.x. If you need this for your own shop, feel free to download a copy.
Direct link to script and README:
I’ve written an interactive script that uses the Cauliflower Vest csfde tool as a standalone utility to enable FileVault 2 encryption on your boot volume. The script will ask some questions, then use that information to initialize the encryption and enable the user account specified.
The script is available here on my GitHub repo.
The script is expecting the csfde tool to be installed in /usr/local/bin. Install the csfde tool there before running the script.
If the script detects that csfde is not present in /usr/local/bin, it will stop and not run.
If you are using a managed recovery key (i.e. a properly configured FileVaultMaster.keychain in /Library/Keychains), the script will report that fact and not output a machine-generated recovery key.
If you are not using a managed recovery key, the script will output a machine-generated recovery key that is individual to this specific Mac and display it to the user.
If you are using an improperly configured managed recovery key, the script will output a machine-generated recovery key that is individual to this specific Mac and display it to the user.
VERY IMPORTANT: The machine-generated individual recovery key is not saved anywhere outside the machine. Make a record of it or you will have no recovery key to help unlock your Mac’s encryption if there’s a problem.
The script will request a restart and then report [Process Completed] once it has completed initializing the FileVault 2 encryption process and reported on the recovery key. Once you’ve made a record of the recovery key (if needed), it is safe at that point to close the Terminal window and reboot your Mac.
Recently at work, I was given an interesting assignment: “Figure out a way to build an inexpensive solution for 30 large displays to display individual content.”
The requirements included the following:
1. Solution needed to be able to display multiple presentations (think PowerPoint and Keynote slides)
2. Solution needed to be able to loop the multiple presentations in a pre-determined order
3. Solution needed to be cheaper than the other solutions under consideration
4. Solution preferably would be automated, with as little human intervention needed as possible
After evaluating a number of options, I came up with an all-Apple solution that cost under $5000. See below the jump for details.
“Setting Warning Banners in Lion” and “Encrypting Beyond the Boot Drive” in MacTech’s March 2012 issue
I’ve got two articles in the March 2012 issue of MacTech: Setting Warning Banners in Lion and Encrypting Beyond the Boot Drive.
Setting Warning Banners in Lion discusses the login banner options available in Lion and how they can be applied towards meeting the warning banner requirements your workplace may be mandating.
Encrypting Beyond the Boot Drive is a nuts-and-bolts article about encrypting non-boot volumes with FileVault 2’s encryption, to make sure that your data is protected no matter where it’s stored.
My shop upgraded to Dell Kace KBox 1000 5.3.x recently, so I’ve had to update my uninstaller script to uninstall the new 5.3 agent as well as the older 5.1 agent.
We received an unusual ticket this morning. One of our users had a Quicktime movie file that was playing fine on his 10.4.11 Mac, but was not playing in the PowerPoint he was creating on his new MacBook Air running Lion.
On investigation, the problem looked clear. The Quicktime movie was using the Quicktime 7 XVid codec. While the codec was still working with Quicktime 7 on Lion, PowerPoint was tapping into Quicktime X, which refused to work with the codec. Meanwhile, efforts to export it from Quicktime 7 were failing. At that point, I remembered that VLC could play XVid-encoded movies. Could it export them too? It turned out that VLC could. See below the jump for the details.