Archive for the ‘Mac’ Category

Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0

Wednesday, September 14th, 2011

UPDATE 2011-11-19: According to several blogs, VMWare Fusion 4.1 now officially runs Mac OS X 10.5, 10.6 and 10.7 (as long as you confirm that you have a valid license for virtualization). A VMWare TechNote confirms this, so I assume the change is here to stay. In my testing, even my 10.4 VM worked just as before.

UPDATE 2011-11-22: According to VMWare, this new feature is a bug. The TechNote linked above is no longer available and the whole thing pretty much sounds like VMWare changed their mind and/or was pressured by Apple.

Back in 2009, I wrote about how to install Mac OS X (non-Server) versions in VMWare Fusion. Since then, Apple has released Snow Leopard (which worked just fine using the exact same hints). VMWare just released Fusion 4.0 today (which officially supports Lion as a guest OS), so I wanted to see whether my old hint still works.

Fusion 4.0 no longer uses /Library/VMWare Fusion for all its support files, but is fully self-contained (it even runs all its background services on demand, which I quite like) and keeps everything in /Applications/VMWare Fusion.app/Contents/Library. So MultiMac Helper (which patches Fusion’s Mac OS X Server detection to trick it into also allowing the non-Server versions) no longer worked, but worked fine after fixing the paths. Grab a copy here: MultiMac Helper 4.app

Next, I fired up my Snow Leopard, Leopard and Tiger VMs one after another. Some of them showed “No operating system found” messages, but I was able to fix that by going into the CD/DVD settings and making sure the virtual drive was enabled and set to my physical SuperDrive. It still shows that message sometimes upon boot of the guest OS, but that can be fixed by restarting the VM, shutting it down and starting it again, or hitting Ctrl-Alt-Del. It might take a few tries to get it to work (might be a timing issue?), but will eventually boot up. The boot loader shows some EBIOS errors, but those don’t seem to matter.

I have not tried creating new 10.4/10.5/10.6 VMs yet, but that should still work the same as before.

If you’re having any issues (and if possible fixes for those), please let me know in the comments and I’ll update my post. I’m also attaching my VMX files to this post so that you can compare yours to them if you have trouble getting it to work: SnowLeopard.vmx Leopard.vmx Tiger.vmx

I can’t help it, every time I fire up my Tiger VM (which I only do like twice a year), I get all nostalgic about the Aqua GUI. Ok, it’s horribly inconsistent (glossy white menu bar, structured semi-transparent menus and light gray title bars), but hey, it still looks cool.

Note
Before proceeding, make sure you have an appropriate license for Mac OS X. I.e., don’t install two copies if you only own one — in general, this means you need the Family Pack or an additional copy. Also, make sure that you’re allowed to virtualize your copy of OS X — in Germany that is perfectly fine as limitations imposed by the EULA are effectively not legally binding (which is the reason why the German computer magazine c’t was able to publish MultiMac Helper), but you will need to check what applies in your own country.

UPDATE: If you create a new VM, you need to remove firmware = "efi" from the VMX, or it will complain about the OS not being the server version at some point during boot. If you see the black BIOS-style screen right after powering up the VM, you’re fine. If you see a grey screen with the VMWare logo on it, the VM is set to EFI mode.
However, even then I have not been able to successfully boot a Snow Leopard DVD. This appears to be due to the way VMWare Fusion handles non-EFI OS X boots: Upon boot, it connects darwin.iso to the VM, loads its special bootloader from there. VMWare Fusion 2.0 and 3.0 somehow managed to do that without interfering with the Snow Leopard DVD, but Fusion 4.0 fails at that. I assume it’s not something the VMWare folks would be regression testing because Fusion 3.0 and later by default boot OS X guests in EFI mode.
So the conclusion would be (at least until someone figures out how to patch the virtual EFI) that you need to create your 10.4/10.5/10.6 VMs on VMWare Fusion 2.0 (or 3.0 which requires you to manually remove the firmware = "efi" line as well). They’ll run in Fusion 4.0 just fine.

Alternatively, you could try (haven’t tested it yet) to leave the VMX with firmware = "efi", pull an image from your OS X DVD, convert it to read/write, touch /Volumes/OS X Install DVD/System/Library/CoreServices/ServerVersion.plist (to make Fusion believe it’s a server DVD), convert it to read-only, boot it in the VM, install it. Rebooting into the OS will fail (as it does not have ServerVersion.plist), so remove the firmware = "efi" to switch the VM back to the patched non-EFI bootloader.

Extending Active Directory for Mac OS X clients

Tuesday, February 15th, 2011

After I wrote about building your own OpenDirectory server on Linux a while back, I decided to do the same thing on Windows Server 2008 R2. The process of extending the AD schema to include Apple classes and attributes is documented by Apple (this is the Leopard version of the document; if all of your clients will be running Snow Leopard, you can follow the newer version of the document, which skips a couple of things that Snow Leopard no longer needs).

But since schema extensions are generally frowned upon in the Windows world because they’re irreversible (why the heck, Microsoft…?), I initially tried a dual-directory (golden triangle, magic triangle) type approach where I’d be augmenting my AD with Apple records coming from an AD LDS instance (Active Directory Lightweight Directory Services, previously called ADAM, Active Directory Application Mode, which is basically a plain LDAP server from Microsoft). While this may sound like a great idea, I just couldn’t get it to work. After dozens of manual schema extensions to AD LDS (Microsoft doesn’t include many standard LDAP attributes, so I had to dig through the dependencies of apple.schema and even tried importing a complete OD schema), I gave up because I could not get Workgroup Manager to authenticate against it to allow me to make changes.

So the next thing to do was follow Apple’s AD schema extension guide (linked above) and do what everybody else did. This was rather straight-forward (managed preferences for users, groups and computers worked right away), but creating a computer list failed. Computer lists cannot be created with Snow Leopard’s Server Admin Tools, because Leopard replaced them with computer groups, which the AD plugin does not support; you need Tiger’s tools, which throw loads of errors on Snow Leopard but still get the job done. Workgroup Manager just said I didn’t have permission to do that.

After enabling DirectoryService debug logging (killall -USR1 DirectoryService && killall -USR2 DirectoryService), I traced it down to Active Directory: Add record CN=Untitled_1,CN=Mac OS X,DC=xxx,DC=zz with FAILED – LDAP Error 19 in /Library/Logs/DirectoryService/*. LDAP result code 19 is constraintViolation; here it is caused by some versions of ADSchemaAnalyzer setting objectClassCategory to 0 instead of 1 on all exported classes. Too bad AD schema extensions are irreversible and that’s one of the attributes you can’t change later on… :-(

With the Active Directory Schema MMC snap-in, I was able to rename the botched apple-computer-list class, defunct it and add a new one using ldifde. With some really wild hacking in the AD schema using ADSI Editor, I was then eventually able to get OS X to stop looking at the renamed class and use the new one instead. To see whether you have been successful, killall DirectoryService, wait a few seconds, and grep -H computer-list /Library/Preferences/DirectoryService/ActiveDirectory* will show a line indicating which class in the schema it’s using.

Once you’re there, everything should work as expected. If you don’t want to use Tiger’s Workgroup Manager to create old-style computer lists, you can do that in ADSI Editor and create apple-computer-list objects in the CN=Mac OS X branch by hand.

So, attached is the schema ldif that’s exactly the way it should be. I really wonder why Apple doesn’t provide it themselves – it’s going to turn out exactly like that every time you follow their guide on any Windows server… Apple Schema for Active Directory
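Because the import cannot be undone, it pays to check an exported schema for the objectClassCategory problem described above before running ldifde. The following shell script is an added example, not the attached LDIF and not anything from Apple, Microsoft or ADSchemaAnalyzer: it unfolds LDIF continuation lines, picks out every classSchema entry and prints the DN of each one whose objectClassCategory is absent or 0 (the 88-class category that cannot be changed once the class exists), while leaving the legitimate values 1, 2 and 3 alone. The sample LDIF inside it is constructed with an example domain and illustrative values; point the function at your real export instead.

```shell
#!/bin/sh
# Added example, not from the original post. Scans an LDIF schema export for
# classSchema entries whose objectClassCategory is 0 (88-class) or absent, so
# the problem is caught before the irreversible ldifde -i import.

ldif_bad_class_categories() {
    # Reads LDIF from the files given as arguments (or from stdin) and prints
    # "<dn><TAB><category>" for each classSchema entry with a suspect category.
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF exports from Windows
        /^ / { buf = buf substr($0, 2); next }  # LDIF folding: join continuation lines
        {
            if (buf != "") attr(buf)
            buf = $0
            if ($0 == "") flush()               # a blank line terminates the record
        }
        END { if (buf != "") attr(buf); flush() }

        function attr(line,   key, val) {
            key = line; sub(/:.*/, "", key); key = tolower(key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val)
            if (key == "dn") dn = val
            else if (key == "objectclass" && tolower(val) == "classschema") isclass = 1
            else if (key == "objectclasscategory") cat = val
        }
        function flush() {
            # 1 = structural, 2 = abstract, 3 = auxiliary are all legitimate;
            # 0 (88-class) or no value at all is what the bad exports contain.
            if (isclass && cat != "1" && cat != "2" && cat != "3")
                printf "%s\t%s\n", dn, (cat == "" ? "missing" : cat)
            dn = ""; isclass = 0; cat = ""
        }
    ' "$@"
}

sample_ldif() {
    # Constructed sample (example domain, illustrative values), not a real export.
    cat <<'EOF'
dn: CN=apple-computer-list,CN=Schema,CN=Configuration,
 DC=example,DC=com
changetype: add
objectClass: classSchema
lDAPDisplayName: apple-computer-list
objectClassCategory: 0

dn: CN=apple-computer,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
lDAPDisplayName: apple-computer
objectClassCategory: 1

dn: CN=apple-user,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
lDAPDisplayName: apple-user
objectClassCategory: 3

dn: CN=apple-mcxflags,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: apple-mcxflags
EOF
}

# Demo on the constructed sample; for a real export: ldif_bad_class_categories schema.ldf
sample_ldif | ldif_bad_class_categories
```

Any output at all means the export needs fixing before it goes anywhere near the schema master; an empty result is the state you want.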

I guess that the overall conclusion of this should be that AD schema extensions in general and specifically Mac OS X managed clients in AD environments are a nasty hack. I suppose the dual directory/magic triangle/golden triangle approach with a Microsoft AD and an Apple OD would work, but it requires maintaining two separate directories, which may not be that great in a larger environment either.

If Apple discontinues Mac OS X Server at some point in the near future (which the demise of the Xserve and the lack of announcements regarding Mac OS X 10.7 Server alongside Mac OS X Lion suggest), this is definitely something they need to improve. There are some third-party solutions that store MCX settings outside of AD (similar to Windows GPOs, which are stored on the SYSVOL share), such as Thursby ADmitMac – however, that’s a rather expensive solution (a dozen client licenses cost about as much as two Mac mini servers) and might break after OS updates (though from what I’ve heard, they’re rather quick at providing updates). If Apple does discontinue Mac OS X Server, they should definitely improve Lion’s AD integration to replicate ADmitMac’s features.

Slim down Final Cut Studio’s Media Content using HFS Compression

Saturday, December 26th, 2009

A full installation of Final Cut Studio 3 with all media content (for Motion, DVD Studio Pro, and Soundtrack Pro Loops) takes up around 40-50 GB of hard drive space.
How about regaining 5-10 GB of that precious space by enabling HFS compression for these folders? Since HFS compression is completely transparent to applications, there are no adverse effects to expect (other than browsing the content libraries being almost unnoticeably slower).

To start, you’ll need a command-line tool called afsctool which can compress (and, amongst other features, decompress) folders using HFS compression. The command you’ll need to run is e.g. sudo afsctool -c -l -k -v -i -9 /Library/Application\ Support/Final\ Cut\ Studio. This compresses all files in the given folder using the highest possible compression level, verifies the results, prints the names of files it is unable to compress, and outputs statistics once it’s done.
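A wrapper around that command, as an added shell example (not from the post and not part of afsctool): it refuses paths that hold the operating system itself, checks that afsctool is installed, and records the allocated size before and after so the saving can be seen directly from du rather than only from the tool’s statistics. The list of refused prefixes is my choice; the afsctool flags are the ones from the text.

```shell
#!/bin/sh
# Added example, not from the original post or from afsctool. Wraps the
# afsctool command from the text in a few checks: a path policy that refuses
# the directories the OS boots from, a check that afsctool exists, and a
# before/after measurement of allocated blocks via du.

hfs_compress_target_ok() {
    # Pure path policy, no filesystem access. The refused prefixes are my
    # choice, not Apple's guidance; extend the list to taste.
    case "$1" in
        /|/System|/System/*|/usr|/usr/*|/bin|/bin/*|/sbin|/sbin/*|/private|/private/*)
            return 1 ;;
        /*) return 0 ;;
        *)  return 1 ;;   # relative paths are refused as well
    esac
}

hfs_compress() {
    dir=$1
    hfs_compress_target_ok "$dir" || { echo "refusing to compress $dir" >&2; return 1; }
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    command -v afsctool >/dev/null 2>&1 || { echo "afsctool not installed" >&2; return 1; }
    before=$(du -sk "$dir" | cut -f1)
    # Same flags as in the post; the verify step (-v) is the one not to drop.
    sudo afsctool -c -l -k -v -i -9 "$dir" || return 1
    after=$(du -sk "$dir" | cut -f1)
    echo "$dir: $before KB -> $after KB allocated on disk"
}

# Usage: sh hfs_compress.sh "/Library/Application Support/iDVD" [more folders...]
if [ $# -gt 0 ]; then
    for d in "$@"; do hfs_compress "$d"; done
fi
```

du reports allocated blocks, so the before/after pair reflects what the compression actually freed; the percentages in the list below were obtained the same way, from the tool’s own statistics.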

Some of the folders I compressed:
/Library/Application Support/Final Cut Studio/ (contains Motion and DVD Studio Pro templates): 22.5% compression savings
/Library/Application Support/LiveType/ (contains Motion’s LiveType fonts): 11.4% compression savings
/Library/Application Support/GarageBand/ (contains GarageBand’s instruments and learning-to-play stuff): 14.3% compression savings
/Library/Application Support/iDVD/ (contains iDVD’s themes): 19.5% compression savings
/Library/Audio/Apple Loops/ (contains GarageBand’s and Soundtrack Pro’s loops): 4.1% compression savings
/Library/Audio/Impulse Responses/ (contains Soundtrack Pro’s impulse response data): 41.3% compression savings

Looking at the compression savings: everything that contains high-quality video can be compressed by around 20%, while audio that is already heavily compressed only yields around 5%. The most amazing result, though, is the 41% by which the Impulse Responses were compressed: apparently, these are uncompressed AIFF audio files and thus ideal for compression.

Obviously, your mileage may vary and I’m not responsible if you compress too much and break your system (I’m sure there is a reason why Apple didn’t compress all system files). However, compressing the iLife and Final Cut Studio media content appears safe: I haven’t noticed any unwanted side-effects, and it seems well worth trying if you’d like to regain a few gigabytes. One caveat: transparent decompression requires Snow Leopard, so a volume that an older Mac OS X installation also needs to read is not a good candidate.

Laptop Theft Tracking Software for Mac OS X

Monday, August 17th, 2009

Over the past 2.5 years or so, I’ve been developing a piece of software that allows tracking a stolen Mac laptop (works for Desktops too, though they are obviously less likely to get stolen).
Once installed on your Mac, it starts contacting my server in regular intervals to check whether it has been armed through a Web GUI. If it is armed, it starts sending screenshots and iSight captures, as well as network information like internal and external IP and available wireless networks, which you can then provide to the police in order to aid recovery of your Mac. So in that regard, it is very similar to software like e.g. Orbicule’s Undercover.

After 3 major releases of LTT and beta testing on close to 200 computers, I can now say that version 3.0.4 is very stable and runs well on both Tiger and Leopard, has no known bugs and is ready for widespread use. My current server setup can (theoretically) handle around 10000 simultaneously active clients. If you’re interested in testing it or if you would like to give your Mac some additional theft protection, please contact me so that I can set you up with an account to use the service.

Frequently Asked Questions

How secure is LTT?
All communication is done over an SSL-encrypted connection, so it is protected from being spied on and not prone to things like ARP spoofing or DNS poisoning (provided the client verifies the server’s certificate, since a redirected connection only fails if the impostor cannot present a certificate the client trusts).

How do you prevent unauthorized access to my LTT account, which could potentially be used for spying?
As long as you keep your password secret, there is not a whole lot you need to worry about. However, if somebody were to break into my server, I obviously can’t guarantee for it ;-) .

Why am I not receiving screenshots?
If the screen is asleep, screenshots are apparently not possible – this is not a bug in my software, it’s probably due to the way Apple implemented WindowServer.

Why am I not receiving iSight captures?
Either the camera is in use by a different program or the laptop is being operated with the clamshell closed.

Building your own OpenDirectory server on Linux

Saturday, April 4th, 2009

OpenDirectory is a feature included with Mac OS X Server. Wouldn’t it be nice if you could use it without having to spend hundreds of dollars on a server license? Wouldn’t it be great if you could add it into your existing Linux-based OpenLDAP server? It’s actually quite easy because OpenDirectory is a standard OpenLDAP server with a special Apple schema.

0. Prerequisites
- OpenLDAP server with Samba integration (I’m running it on an Ubuntu 8.04 server, using the standard OpenLDAP and Samba packages). I won’t go into the details of how to set this up, there are lots of tutorials around the web on this.
- some kind of LDAP admin tool, I used phpLDAPAdmin
- Mac OS X 10.5 Leopard clients

1. Adding the Apple schema to your OpenDirectory server
It is located in /etc/openldap/schema/apple.schema on any Mac. Copy this file to your OpenLDAP server and add it to your slapd.conf.
You may run into the problem that apple.schema references some samba.schema entries that were deprecated with Samba 3. Specifically, these are acctFlags, pwdLastSet, logonTime, logoffTime, kickoffTime, homeDrive, scriptPath, profilePath, userWorkstations, smbHome, rid and primaryGroupID, so you’ll need to edit apple.schema and replace these with their Samba 3 counterparts.
Now, restart the OpenLDAP daemon so it recognizes the changes.

2. Adding some Mac-specific attributes to your LDAP server
Add an ou=macosx branch to your LDAP tree, under which you’ll need to create ou=accesscontrols, ou=augments, ou=automountMap, ou=autoserversetup, ou=certificateauthorities, ou=computer_groups, ou=computer_lists, ou=computers, ou=filemakerservers, ou=locations, ou=machines, ou=maps, ou=mount, ou=neighborhoods, ou=places, ou=preset_computer_groups, ou=preset_computer_lists, ou=preset_computers, ou=preset_groups, ou=preset_users, ou=printers, and ou=resources.
To all your LDAP groups, add the apple-group objectClass. To all your LDAP users, add the apple-user objectClass.

3. Connecting your Mac to the LDAP directory
On your Mac, go into Directory Access and add your LDAP server. Choose OpenDirectory as the server type and adjust the Samba mappings to match your changes from step 1. Here is a plist you can import into Directory Access that already has these mappings corrected: LDAPv3_Unix_Samba3_OD.plist.
If you want your other clients to automatically use this mapping, create a cn=config branch in your LDAP tree and use the Write to Server button in Directory Access.

4. Use Workgroup Manager to set network home folders, managed preferences, …
Now, you can use Workgroup Manager to manage network home folders and managed preferences, just like you would on a Mac server. You’ll need to authenticate using an LDAP user who has full write privileges to the directory (as set in slapd.conf). The standard cn=admin,dc=example,dc=com user will NOT work.
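The LDAP side of steps 1 and 2 (the schema fix and the container tree) in a form you can pipe into ldapadd and ldapmodify, as an added shell example rather than anything from the original post. The Samba 3 attribute names are my mapping from Samba 3’s samba.schema (rid and primaryGroupID become the SID-valued sambaSID and sambaPrimaryGroupSID there) and should be checked against the samba.schema your slapd actually loads; dc=example,dc=com and uid=jdoe are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Steps 1 and 2 as text you can
# pipe into ldapmodify/ldapadd. dc=example,dc=com and uid=jdoe are
# constructed placeholders.

# Step 1: rewrite the Samba 2.2 attribute names that apple.schema refers to
# into their Samba 3 names. The mapping is my reading of Samba 3's
# samba.schema, not something stated in the post; verify it against the
# samba.schema your slapd loads. awk rebuilds a changed line with single
# spaces between tokens, which the schema parser does not mind.
apple_schema_samba3() {
    awk '
        BEGIN {
            m["acctFlags"]        = "sambaAcctFlags"
            m["pwdLastSet"]       = "sambaPwdLastSet"
            m["logonTime"]        = "sambaLogonTime"
            m["logoffTime"]       = "sambaLogoffTime"
            m["kickoffTime"]      = "sambaKickoffTime"
            m["homeDrive"]        = "sambaHomeDrive"
            m["scriptPath"]       = "sambaLogonScript"
            m["profilePath"]      = "sambaProfilePath"
            m["userWorkstations"] = "sambaUserWorkstations"
            m["smbHome"]          = "sambaHomePath"
            m["rid"]              = "sambaSID"
            m["primaryGroupID"]   = "sambaPrimaryGroupSID"
        }
        {
            for (i = 1; i <= NF; i++) if (($i) in m) $i = m[$i]
            print
        }
    ' "$@"
}

# Step 2: the ou=macosx container tree that Workgroup Manager expects.
macosx_tree_ldif() {
    base=$1
    printf 'dn: ou=macosx,%s\nobjectClass: organizationalUnit\nou: macosx\n\n' "$base"
    for ou in accesscontrols augments automountMap autoserversetup \
              certificateauthorities computer_groups computer_lists computers \
              filemakerservers locations machines maps mount neighborhoods places \
              preset_computer_groups preset_computer_lists preset_computers \
              preset_groups preset_users printers resources; do
        printf 'dn: ou=%s,ou=macosx,%s\nobjectClass: organizationalUnit\nou: %s\n\n' \
            "$ou" "$base" "$ou"
    done
}

# Step 2, second half: add apple-user (or apple-group) to an existing entry.
apple_class_modify_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: %s\n\n' "$1" "$2"
}

# Demo with constructed names. Real use, for example:
#   apple_schema_samba3 /etc/openldap/schema/apple.schema > /etc/ldap/schema/apple.schema
#   macosx_tree_ldif dc=example,dc=com | ldapadd -x -D cn=admin,dc=example,dc=com -W
echo 'MAY ( acctFlags $ smbHome $ rid $ apple-user-homeurl )' | apple_schema_samba3
apple_class_modify_ldif uid=jdoe,ou=people,dc=example,dc=com apple-user
```

The modify LDIF only works if the Apple class can be added as an auxiliary class to an entry that already has its own structural class; that is the case for the posixAccount/sambaSamAccount users and posixGroup groups the setup above produces.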

5. Conclusion
Almost everything works, except for:
- adding new users and groups through Workgroup Manager
- solution: unknown
- assigning directory admin privileges to users through Workgroup Manager
- solution: use an OpenLDAP server set up to use cn=config instead of slapd.conf. This will also require going into Directory Access again and adding the OLCBDBConfig, OLCFrontEndConfig, OLCGlobalConfig, OLCSchemaConfig and OLCOverlayDynamicID record types back in (they are included in the OpenDirectory mapping, but I deleted them from mine because they only cause error messages on an OpenLDAP server with slapd.conf configuration).

Here are all the web sites that helped me in the process of figuring this out:
http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c6od15.html (this one is especially important because it explains what to do if your LDAP server is not set up for SASL authentication)
http://www.emmes-world.de/mac-afp-homes.html (this one describes a similar setup and was my most important resource)
http://rajeev.name/blog/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-directories/
http://www.netmojo.ca/blog/tag/ldap/
http://www.macdevcenter.com/pub/a/mac/2003/08/26/active_directory.html?page=2

6. Further Information
Since you’re not using Kerberos for authentication, the clients send passwords to the LDAP server in simple binds, so you should look at securing your LDAP connections with SSL/TLS. Here are some links that talk about it:

http://www.novell.com/coolsolutions/feature/19965.html

http://www.afp548.com/article.php?story=20071203011158936

Someone else also wrote a blog post about Setting up a Linux server for OS X clients, in which they also describe how to incorporate Kerberos into the whole equation. That’s certainly something worth considering.

Running Mac OS X (non-Server) in VMWare Fusion

Monday, March 23rd, 2009

VMWare Fusion supports running Mac OS X Leopard Server. But did you know that with a little hacking, you can easily run Leopard non-Server or even Tiger in VMWare Fusion 2.0? Here is how to:

Patching VMWare
First of all, you’ll need to patch the Mac OS X VMWare Tools ISO, replacing all occurrences of ServerVersion.plist with SystemVersion.plist inside it. This is the only thing Fusion looks at to determine whether you’re trying to run OS X Server or Client (/System/Library/CoreServices/ServerVersion.plist only exists on OS X Server, while /System/Library/CoreServices/SystemVersion.plist exists on both). Since Fusion uses some signature checking, you’ll need to re-sign all VMWare Tools ISOs with your own certificate, otherwise Fusion will refuse to run.
The German computer magazine c’t (issue 24/2008, page 266) figured all of this out and even wrote a small tool (MultiMac Helper) to automate the process.

Note
Before proceeding, make sure you have an appropriate license for Mac OS X. I.e., don’t install two copies if you only own one — in general, this means you need the Family Pack or an additional copy. Also, make sure that you’re allowed to virtualize your copy of OS X — in Germany that is perfectly fine as limitations imposed by the EULA are effectively not legally binding (which is the reason why the German computer magazine c’t was able to publish MultiMac Helper), but you will need to check what applies in your own country.

Installing Leopard
Installing Leopard is very straight-forward – just pop in your Leopard retail DVD and create a new VM in Fusion (selecting Mac OS X 10.5 Server 64-bit). Now proceed as if you were installing Leopard Server in Fusion. After completing the installation, you can even install VMWare Tools and they’ll run just fine.

Installing Tiger
Installing Tiger is a bit more difficult. Since there are no retail DVDs of Tiger for Intel (it was exclusively shipped with new Macs, and those machine-specific discs refuse to install on anything but the Mac model they came with), you cannot install it by booting it in a VM. So what you’ll need to do is: install Tiger onto an external HD and make an image of it. Then attach a second virtual hard drive to your Leopard VM and from inside the VM, clone the image to the second virtual hard drive. Now remove that virtual hard drive from your Leopard VM and attach it to your Tiger VM. It will boot up and run just fine. However, VMWare Tools will not work in Tiger and your host CPU will probably run at 100%.

UPDATE: Installing Snow Leopard
Works the same as Leopard, just select Mac OS X 10.6 Server 64-bit.

UPDATE: VMWare Fusion 3.0
Existing VMs continue running flawlessly.
If you create a new VM, you need to remove firmware = "efi" from the VMX, or it will complain about the OS not being the server version at some point during boot. If you see the black BIOS-style screen right after powering up the VM, you’re fine. If you see a grey screen with the VMWare logo on it, the VM is set to EFI mode.
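The firmware check from this update and from the Fusion 4.0 post above, as an added shell example that is neither from the post nor from VMware: it reports whether a .vmx selects the virtual EFI and strips the line, keeping a backup. The sample .vmx inside it is constructed with illustrative values. Run it against a powered-off VM only, since Fusion may rewrite the .vmx of a running one.

```shell
#!/bin/sh
# Added example, not from the original post or VMware: detect whether a .vmx
# selects the virtual EFI and switch it back to the BIOS-style boot that the
# patched Tools ISO relies on. Only touch the file of a powered-off VM.

VMX_EFI_RE='^[[:space:]]*firmware[[:space:]]*=[[:space:]]*"[Ee][Ff][Ii]"'

vmx_firmware_mode() {
    # Prints "efi" when the key selects EFI and "bios" otherwise; with the key
    # absent the VM shows the black BIOS-style boot screen described in the post.
    if grep -Eq "$VMX_EFI_RE" "$1"; then echo efi; else echo bios; fi
}

vmx_force_bios() {
    # Keeps a .bak copy and drops every firmware = "efi" line from the file.
    cp "$1" "$1.bak" || return 1
    grep -Ev "$VMX_EFI_RE" "$1.bak" > "$1"
    st=$?                     # grep exits 1 when nothing was left to print, which is fine
    [ "$st" -le 1 ]
}

sample_vmx() {
    # Constructed sample; values are illustrative, not copied from a real VM.
    cat <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "SnowLeopard"
guestOS = "darwin10-64"
firmware = "efi"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-raw"
EOF
}

# Demo on a temporary copy; for a real VM: vmx_force_bios "/path/to/VM.vmwarevm/VM.vmx"
tmp=$(mktemp) && sample_vmx > "$tmp"
echo "before: $(vmx_firmware_mode "$tmp")"
vmx_force_bios "$tmp"
echo "after:  $(vmx_firmware_mode "$tmp")"
rm -f "$tmp" "$tmp.bak"
```

After the change, the grey VMware logo screen should be gone and the black BIOS-style screen should appear on power-up; if the VM still boots EFI, check the .bak against the edited file to make sure Fusion did not write the key back.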

UPDATE: VMWare Fusion 4.0
Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0