Archive for the ‘Linux’ Category

Using /etc/auto_home on Mavericks to mount shares under /home

April 6, 2014 2 comments

One of my users at work asked me recently about symlinking his network home folder to /home on his Mac running 10.9.2 and wanted to check to see if it was safe to do so.

In this case, the person in question works on both Fedora Linux, where his network home directory was mounted as /home/username, and on OS X. His network home directory was available via SMB on his Mac as smb://servername/home$/username. He wanted to be able to mount smb://servername/home$/username to /home/username on his Mac, so that it matched the mountpoint of his network home on his Fedora box.

At the time, here’s what I knew about /home:

1. Nothing appears to be stored in it by default

2. It’s listed in /etc/auto_master as a mountpoint

3. Time Machine does not back it up

Read more…

Fixing Casper’s MySQL database with mysqlcheck

February 1, 2014 Leave a comment

After some VMware host issues that were out of my control, the RHEL VMs that my production and test Casper servers are hosted on were unexpectedly rebooted a couple of times. When I checked the VMs afterwards, everything appeared to be OK. I figured that I had been fortunate, until my Casper test server sent me the nightly “Successful backup of the Casper database” email and my production server didn’t.

Uh oh.

When I checked the directory where my production server stores its backups of the Casper database, there wasn’t a backup from the night before. I immediately launched the JAMF Database Utility application and had it make a backup of the production database. A task which normally would take 10 minutes or so now took 40 minutes.

Not good.

To lighten the load on the database, I went into the JSS and had it manually flush all but the last week’s worth of logs (I normally retain 30 days of logs.)

Once the log flush had completed, I then rebooted the box. On reboot, the JSS initialized and then hung halfway through the JSS startup process.

Really not good.

For the details of how I fixed this, see below the jump.

Read more…

Categories: Casper, Linux

Migrating Macs from one OpenLDAP domain to another OpenLDAP domain

November 22, 2013 Leave a comment

A while ago, I needed to script a method for binding Macs running 10.6.x and later to our Linux-based OpenLDAP server. Recently, we needed to move our OpenLDAP domain to a different OpenLDAP domain as part of a larger directory service migration project. A small part of that project was moving the LDAP-bound Macs to the new LDAP domain, preferably with as little disruption as possible.

One enormous advantage I had with this LDAP move was the following:

All UIDs, GIDs, usernames, passwords and group names were going to be identical between the two LDAP domains.

As a consequence, I would not need to do any permissions changes, rebuild accounts, make sure people got new passwords or a host of other things normally associated with a directory service change. My task was essentially to tell the Macs “Stop talking to the OpenLDAP service at that address, start talking to this other OpenLDAP service at this address.”

As part of the project, I also wanted to accommodate two separate Active Directory domains differently. I wasn’t binding to AD as part of this process, but if a particular Mac was bound to Domain A, I wanted to unbind. If a Mac was bound to Domain B, I didn’t want to unbind but I did want the new LDAP server to be the primary authentication source.

Using my previous OpenLDAP binding script as a starting point, I was able to build a script to handle moving our Macs without downtime or account changes. See below the jump for details.

Read more…

Expanding available disk space on JAMF’s NetSUS VM appliance

November 16, 2013 1 comment

Thanks to Allister, I ran across this NetSUS-related feature request at JAMF Nation. While the feature request makes sense in the context of the requester’s shop, it is possible to resize the NetSUS appliance to give it additional space.

The steps should be reasonably similar for each virtualization solution, but see below the jump for how to do this with VMware Fusion 6.x.

Read more…

Updating Red Hat Enterprise Linux and MySQL for Casper JSS server running on Linux

October 9, 2013 3 comments

In my own shop, I’m currently running Casper 8.x on a Red Hat Enterprise Linux server. The server had been set up initially with Red Hat Enterprise Linux 6.0 and MySQL 5.1.47 and it had stayed there for a while. However, I looked ahead to Casper 9.x and saw the following versions of MySQL were now listed as being required:

MySQL Enterprise Edition 5.5 or later, or MySQL Community Server 5.5 or later

I’m still running Casper 8.x, but I wanted to get ahead of the curve and not have to deal with a MySQL upgrade at the same time as a future Casper 9.x upgrade. Thanks to the Linux folks at my workplace, I was able to do so with a minimum of hassle. See below the jump for the details.
Read more…

Categories: Casper, JSS, Linux

Uninstalling Casper on Red Hat Enterprise Linux

September 24, 2013 Leave a comment

I recently had to roll my Casper test server back, as I had been testing Casper 9.x but needed to verify something worked in Casper 8.x. Since I hadn’t found a good knowledge base article on JAMF Nation for uninstalling Casper’s JSS from a Red Hat Enterprise Linux server, I asked JAMF Support how to do this. Here’s the procedure I used, based on their response:

Note: This procedure should only be used if you need to completely uninstall your Casper JSS. It removes all certificates, databases and anything else stored in your JSS.

1. SSH into the RHEL server as my user account.

2. su into the root account on the server by running the following command:

su root

3. Stop JAMF’s Tomcat by running the following command:

/etc/rc.d/init.d/jamf.tomcat7 stop

4. Delete the jss directory from /usr/local by running the following command:

rm -rf /usr/local/jss

Once /usr/local/jss was removed, I needed to remove the JSS’s MySQL database in order to complete the uninstall. Here’s the procedure I used:

5. Run the following command to get a MySQL prompt:


6. From the mysql> prompt, run the following command to remove the existing database:

mysql> drop database jamfsoftware;

7. Exit out of MySQL with the following command:

mysql> exit;

At this point, the JAMF-provided parts of the JSS were all removed. I hadn’t removed anything from my JSS’s file share, so all my installers and deployable scripts were intact. I then rebooted, just to make sure no stray processes remained before I tried reinstalling Casper 8.x.

Once the server was back up, I ran the following procedure to prepare the server for re-installing Casper 8.x:

1. SSH into the RHEL server as my user account.

2. su into the root account on the server by running the following command:

su root

3. Run the following command to get a MySQL prompt:


4. From the mysql> prompt, run the following command to create a new empty jamfsoftware database for the JSS:

mysql> create database jamfsoftware;

5. Exit out of MySQL with the following command:

mysql> exit;

With the new jamfsoftware database created in MySQL on my test server, I was then ready to reinstall Casper 8.x.

Categories: Casper, JSS, Linux

First look at Crypt

December 31, 2012 4 comments

Since the release of Google’s Cauliflower Vest, one of the wishlist items that a number of Mac admins have wanted is to use Cauliflower Vest’s capabilities without needing to use Google App Engine as the server backend. Crypt, a new open-source project being developed by Graham Gilbert, looks like a step in the right direction. See below the jump for details.

Read more…

Fully automating installation of automatically-generated installers

November 11, 2012 Leave a comment

As part of your Mac’s standard build process for your environment, you may need to install certain packages that are generated for you by another process. A good example may be your workplace’s central antivirus management console, or a systems management tool.

Generally, these applications are installed once and then the centralized management server takes care of managing and updating them on your Macs afterward. For that first install though, they still need to be installed on your Macs and it’s usually a manual process for Mac admins to copy the latest installer from wherever it’s stored and add it to the build process.

However, if you have access to where the installer is stored, you can script the process of installation and fully automate the process of getting the latest installer and installing it on your Mac. See below the jump for an example of how to do this with Sophos Antivirus.

Read more…

Binding to a Linux-based OpenLDAP server from 10.6.x and 10.7.x

March 2, 2012 3 comments

One of the services our IT team occasionally provides is connecting Mac desktops up to our Linux-hosted OpenLDAP server. Our OpenLDAP server doesn’t have any schema support built in for OS X, but historically we’ve gotten around that by using the RFC 2307 template support built into the LDAPv3 directory service plug-in. Then we hit Lion. Then we discovered how many other folks were having problems with Lion and OpenLDAP.

A lot of the problem was centered around the fact that Lion’s LDAP plug-in is now attempting to use the best SASL authentication method advertised by the LDAP server. Even if the server doesn’t require authentication, the Mac’s LDAP plug-in will still try to authenticate. What you’ll wind up with is an LDAP bind that allows lookups, but does not allow LDAP accounts to log in.

Most of the fixes involved going into the GUI and making some changes, then opening the relevant plist and making some more changes. Others recommended setting up the bind on one machine and then copying the relevant files from machine to machine.

Because I’m a lazy admin, I decided to see “How hard is this to script?” As it turned out, harder than you might think. Not all of the GUI buttons and tools have command-line equivalents and dsconfigldap turned out to be completely useless for this purpose.

In the end, I scripted the equivalent of “set up the bind on one machine, then copy the files.” I successfully bound one 10.7.x Mac, then studied the .plist carefully to find just the entries I needed for our OpenLDAP server. Then, I used a trick with /bin/cat that Peter Bukowinski showed me a while ago to feed the complete plist into a new file:



/bin/cat > /path/to/destination << 'NEW_LDAP_BIND'
plist contents…
NEW_LDAP_BIND



Since the technique worked on 10.7.x, I scripted my 10.6.x support in the script using the same model. At this point, the script handles everything about the OpenLDAP binding except for actually adding the LDAP domain to the authentication search path. I kept munging existing Active Directory search path entries in my testing, so it’s still necessary to go into Directory Utility at this point to add and promote the LDAP search path to be above our AD search path. For those folks who don’t have to worry about that, scripting the addition of your LDAP server to the authentication search path should be fairly straightforward.

For those interested, I’ve made the script available here. There are some Active Directory values mentioned that currently don’t do anything, but I’m planning to keep working on this script to see if I can fix the search path entry issue mentioned above.

Testing notes:

One difference I found between the 10.6.x and 10.7.x plists was that on 10.6.x, all the RFC 2307 LDAP mappings are included in the plist and must be included in the script. On Lion, just referencing that RFC 2307 is being used seems to work fine.

Another thing I found in my 10.7.x testing was that you couldn’t send the plist output directly to /Library/Preferences/OpenDirectory/Configurations/LDAPv3. Weird, but there was so much weird going on that I made a note then worked around it by sending the plist first to /tmp, then moving the complete plist over into /Library/Preferences/OpenDirectory/Configurations/LDAPv3.
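
The quoted-heredoc and stage-then-move steps described above, sketched as an added example (this is not the script linked from this post). The function name stage_plist, the plist body and the file names are constructed for illustration; mktemp is used for the staging file so a script running as root never writes to a predictable path under /tmp.

```shell
#!/bin/sh
# Added example: stage a plist with a quoted heredoc, then move it into place.
# stage_plist and the plist body below are constructed, not the real bind plist.

stage_plist() {
    dest_dir=$1   # on the Mac: /Library/Preferences/OpenDirectory/Configurations/LDAPv3
    name=$2       # file name for the finished plist (hypothetical)

    # mktemp creates an unpredictable file with mode 0600, so a root-run script
    # cannot be tricked into following a symlink pre-planted at a fixed /tmp path.
    tmp=$(mktemp "${TMPDIR:-/tmp}/ldapbind.XXXXXX") || return 1

    # Quoting the delimiter ('NEW_LDAP_BIND') disables $variable, $(command)
    # and backtick expansion, so the text reaches the file byte for byte.
    /bin/cat > "$tmp" << 'NEW_LDAP_BIND'
<?xml version="1.0" encoding="UTF-8"?>
<!-- constructed sample, not the real LDAPv3 bind plist -->
<plist version="1.0">
<dict>
    <key>ExampleNote</key>
    <string>literal $HOME and `id` stay unexpanded</string>
</dict>
</plist>
NEW_LDAP_BIND

    # Refuse to install an empty or truncated file.
    if ! grep -q '</plist>' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Only a complete file is moved into the destination directory;
    # on any failure the staging file is cleaned up.
    chmod 644 "$tmp" &&
    mv -f "$tmp" "$dest_dir/$name" || { rm -f "$tmp"; return 1; }
}
```

Without the quotes around the delimiter, the shell would substitute $HOME and run the backticked command while writing the file, which is exactly what you don't want when the script runs as root.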

Modifying JAMF’s NetSUS to host DeployStudio NetBoot boot sets

February 7, 2012 5 comments

Gary Larizza updated his NetSUS appliance write-up earlier today, to include information on how to modify the NetSUS’s /var/www/webadmin/scripts/ so that it can accommodate DeployStudio’s NetBoot sets.

Gary’s way is elegant and uses vim. Consider this the illustrated version that’s doing the same process the hard way with nano. See below the jump for the details.

Read more…

