We ended up narrowing it down to three candidates: the Yamaha DSR series, the JBL PRX600 series, and the QSC KW series. These are the top-of-the-line active systems the largest and most reputable speaker manufacturers have to offer, as of early 2012. The next step was to find a place where we could listen to all three and compare them. Thomann, the largest online shop for musical instruments and PA equipment in Europe, where we have been buying sound equipment for years, has a huge store and showroom in a small town in northern Bavaria. They ordered and set up all these speakers for us and let us listen to them for more than an hour. If the friendly sales guy ever grew tired of listening to our test songs like “He’s A Pirate” by Klaus Badelt or “Man in the Mirror” by Michael Jackson over and over again, he certainly didn’t show it.

We almost immediately ruled out the QSC: We had the QSC KW 153 three-way 15″ top coupled with a QSC KW 181 18″ subwoofer set up, but the mids and highs just sounded muddy.

Some other speakers we temporarily had in the test were some JBL Eon (by accident), which just sounded cheap compared to the others, and some RCF Art, which had crisp and powerful base, but not exactly outstanding highs.

Now we only had the JBL PRX 615 two-way 15″ top coupled with the JBL PRX618-XLF 18″ subwoofer and the Yamaha DSR 115 two-way 15″ top coupled with the Yamaha DSR 118W 18″ subwoofer left over. We tested and compared them for almost an hour: sometimes we tended towards the JBLs, other times we liked the Yamahas more.

The JBLs sounded very smooth (if you want to be mean, you could call them a tiny bit muddy) and their base stretched down to 30 Hz. On the other hand, the Yamahas had super-clear mids and highs and very precise and crisp base. After quite some discussion, we decided to go with the Yamahas. Another advantage was their significantly lower price and their more advanced DSP circuitry to protect the speakers.

They got delivered a few days ago and so far we’re really happy with them. They sound amazing: Perfect for the school’s numerous music performances. And they are powerful: Perfect for events like dances and parties.

If you’re looking for a set of high-quality portable speakers for a school, church, band or DJ, the Yamaha DSR series is most likely your best choice. They sound great, have lots of power and are well worth their money.

If you just use them for speech, a set of Yamaha DSR 112 would probably be a fine choice (I didn’t test the DSR 112, but assume they’re as good as the DSR 115 with a little less low-mids). If you’re using them for a band, go for a set of DSR 115, and if you have drums, base or anything else below 120 Hz, definitely get a pair of DSR 118W subwoofers along with them. Same goes for DJ and party use: a pair each of DSR 115 and DSR 118W should suffice to bring high-decibel, high-quality sound to a few hundred audience members.

If you have experiences with the Yamaha DSR (or the recently-released smaller DXR and DSW series), or have found other speakers in the same price range that sound better, please feel free to share them in the comments.

While they are easily found in the DC=DomainDnsZones and DC=ForestDnsZones branch inside the AD, it turns out that the server information is stored in dnsproperty attributes containing binary data. However, Microsoft actually provides a specification for their DNS data structures, which is certainly very commendable. But as it turns out, it appears to have been written by someone who had no clue about Endianness or how many bits are in a byte (*).
The essence is: everything is Big Endian, except for IP addresses (the spec claims they are Network Byte Order, but in reality they are Little Endian), and every occurence of “1 byte” in section 2.3.1.1 dnsProperty should be replaced with “4 byte”.

So after taking about two hours for something that I expected would only take a couple minutes to hack together, I ended up with 400 lines of code that generate a file you can include in your named.conf that will look something like this:
zone "google.com" {
type forward;
forward first;
forwarders { 74.82.42.42; 2001:470:20:0:0:0:0:2; };
};

zone "youtube.com" {
type forward;
forward first;
forwarders { 74.82.42.42; 2001:470:20:0:0:0:0:2; };
};
(For those curious, this sample configuration would point google.com and youtube.com at Hurricane Electric’s DNS server so that you get AAAA records, a.k.a. Google over IPv6)

After this worked, I decided to also pull my slave zone definitions through the same mechanism. It only took me a minute to do that.
zone "example.com" {
type slave;
file "slave_example.com";
masters { 10.0.0.1; };
allow-notify { 10.0.0.1; };
};

So here we are: BIND9 as a fully-blown sync partner for AD-integrated DNS zones. To add a zone or conditional forwarder to BIND, add it to AD, set it to replicate to all DNS/domain controllers in this domain or forest, add the BIND server to the nameservers tab and allow zone transfers and notifications, and wait for the cron job to kick in.

I ended up having to write this script in PHP because Python’s LDAP module appears to have a broken SASL implementation, and you need SASL to use Kerberos for an LDAP connection.

The PHP script takes two parameters (1. the AD server’s address or the AD DNS domain name; 2. the AD base DN) and requires a valid Kerberos ticket.
The shell script (which you will most likely want to run from a cron job), which shares much of its code with my script from ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS, needs to be configured with your realm, domain, base DN, user name (principal) and path to a keytab for that user (instruction on how to generate the keytab using ktutil are in the script’s comments).

(*) After doing all this, I figured that people from projects like Samba that write open source software to re-implement or interface with Microsoft products are doing an absolutely amazing job. They most likely aren’t getting any better specs than the one I found on MS DNS (if they get specs at all), and yet still somehow create almost perfect software that is a lot more complex than the simple stuff I did here.

UPDATE 2011-10-30: Apparently, AD refuses all requests from Linux clients that come in via IPv6. To force IPv4, line 7 of the PHP script needs to be changed to $conn = ldap_connect(gethostbyname($adserver), 389);, which is also fixed in the downloadable script.

VMWare Fusion 4 dropped this tool, but you can download version 3.1.3 and extract /Library/Application Support/VMware Fusion/VMDKMounter.app from the package using Pacifist (just make sure that VMDKMounter.app/Contents/MacOS/vmware-vmdkMounterTool has the sticky bit set and is owned by root:wheel after you extract it).

Next, install OSXFUSE (the successor to MacFUSE) and fuse-ext2 if you don’t already have them installed.

VMDKMounter attempts to mount EXT2 using /System/Library/Filesystems/ext2.fs/Contents/Resources/mount_ext2, so we need to create two symlinks:

cd /System/Library/Filesystems
sudo ln -s fuse-ext2.fs ext2.fs
cd ext2.fs/Contents/Resources
sudo ln -s ../../mount_fuse-ext2 mount_ext2

Now we’re all set, you can simply open a VMDK by double-clicking it, or you can right-click a VMWare VM and open it with VMDKMounter.app and automatically have all its VMDKs mounted.

If you are receiving an NTFS-3G error message when mounting a non-NTFS VMDK: that’s perfectly normal, so you can just click OK. The error message is due to VMDKMounter simply trying a bunch of file system mounters until it finds one that doesn’t fail. As far as I can tell, it tries (in that order) ntfs, msdos, ntfs-3g, hfs, ext2, ext3.

1. In VMWare Fusion or Workstation, do a basic install of Debian Squeeze onto a flat-file (not split into 2GB segments and preallocated) VMDK that is slightly larger than your virtual Xen disk with a separate VMDK for swap.
2. Downgrade it to Grub 1 using apt-get install grub-legacy, grub-install /dev/sda, update-grub (as Grub 2 is not compatible with /boot/grub/menu.lst files as generated by xen-create-image).
3. Shut down and make a copy of the VMDK.
4. Boot the VM back up and re-install Grub2 using apt-get install grub.
5. Edit /boot/grub/grub.cfg and replace root=UUID=xxxxxxxxxx in the linux lines with root=/dev/sda1
6. Shut down the VM and attach the VMDK you copied in step 3 as an additional disk (this will be the target disk for our conversion).
7. Boot it up and make sure that you’re getting a Grub2 screen (i.e. it is not booting from the copied VMDK).
8. Using mount, check that your root disk is sda1 (which usually should be the first disk, not the copied disk). Using ls /dev/sd*, make sure it sees the target disk as sdc.
9. dd if=/path/to/xen/vm/disk.img of=/dev/sdc1 bs=1048576
10. mount /dev/sdc1 /mnt; cd /mnt
11. nano etc/fstab: replace swap disk /dev/xvda1 with /dev/sdb1 and root disk /dev/xvda2 with /dev/sda1
12. nano etc/inittab: replace hvc0 with tty1
13. nano boot/grub/menu.lst: replace /dev/xvda2 with /dev/sda1
14. umount /mnt
15. Attach the new virtual disk to a VM and boot a rescue system. There, drop to a shell on /dev/sda1 and apt-get update, apt-get install grub
16. Reboot
17. Done!

To use it, press Ctrl-P at the BIOS splash screen to get to the MEBx menu, set a password (minimum 8 characters, mixed case, numbers and special characters are enforced), configure the network settings (they can even match the OS’s IP address), enable Remote KVM and disable User Opt-In.

Next, download the Intel AMT SDK, extract the ZIP and open .\Windows\Intel_AMT\Bin\KVM\KVMControlApplication.exe . There, you can enable KVM as seen in the following screenshot:

KVM Status can either be set to “redirection ports” (meaning it will only be accessible to VNC clients that specifically support Intel AMT, such as RealVNC Viewer Plus or Intel’s KVM Console, the former of which costs $100, the latter of which constantly overlays a RealVNC logo on the screen), to “default port” (meaning it will be accessible on TCP port 5900 to any VNC client), or to “all ports” (which is the combination of both).
If you enable VNC access, you will also need to set an RFB Password. As I found out the hard way (Intel actually has it hidden in their documentation as well), it gets truncated at 8 characters and at the same time has the same security requirements as the general AMT password.
If you disabled User Opt-In in the MEBx menu, you can disable it here as well.

So that’s it, now you can use almost any VNC client you like (RealVNC and Chicken of the VNC work fine, while Apple Remote Desktop appears to cause the VNC server to freeze) and control the machine just as if you were sitting in front of it.
Two things I noticed: On my machine, the BIOS splash screen was not visible during a KVM connection (not even on a directly-attached screen), so to get to the BIOS I needed to blindly hit the corresponding key. Also, it is not possible to enter the MEBx menu during a KVM connection (probably for some obscure security reasons): if you hit the corresponding key, it immediately exits and continues normal bot; if you establish a KVM connection while in MEBx, you get disconnected immediately.

After about half an hour of playing with Intel AMT, I have to say it’s really cool. If you’re buying/building a home server, you should definitely consider getting a mainboard with Intel AMT 6.0 or later: You get server-grade remote management capabilities for a very small premium, which are very useful if you ever lock yourself out while remotely connected to the server.

UPDATE 2011-11-22: According to VMWare, this new feature is a bug. The TechNote linked above is no longer available and the whole thing pretty much sounds like VMWare changed their mind and/or was pressured by Apple.

Back in 2009, I wrote about how to install Mac OS X (non-Server) versions in VMWare Fusion. Since then, Apple has released Snow Leopard (which worked just fine using the exact same hints). VMWare just released Fusion 4.0 today (which officially supports Lion as a guest OS), so I wanted to see whether my old hint still works.

Fusion 4.0 no longer uses /Library/VMWare Fusion for all its support files, but is all self-contained (it even runs all its background services on-demand, which I quite like) and has its stuff in /Applications/VMWare Fusion.app/Contents/Library. So MultiMac Helper (which patches Fusion’s Mac OS X Server detection stuff to trick it into also allowing the non-Server versions) no longer worked, but worked fine after fixing the paths. Grab a copy here: MultiMac Helper 4.app

Next, I fired up my Snow Leopard, Leopard and Tiger VMs one after another. Some of them showed “No operating system found” messages, but I was able to fix that by going into the CD/DVD settings and making sure the virtual drive was enabled and set to my physical SuperDrive. It still shows that message sometimes upon boot of the guest OS, but that can be fixed by restarting the VM, shutting it down and starting it again, or hitting Ctrl-Alt-Del. It might take a few tries to get it to work (might be a timing issue?), but will eventually boot up. The boot loader shows some EBIOS errors, but those don’t seem to matter.

I have not yet tried creating new 10.4/10.5/10.6 VMs yet, but that should still work the same as before.

If you’re having any issues (and if possible fixes for those), please let me know in the comments and I’ll update my post. I’m also attaching my VMX files to this post so that you can compare yours to them if you have trouble getting it to work: SnowLeopard.vmx Leopard.vmx Tiger.vmx

I can’t help it, every time I fire up my Tiger VM (which I only do like twice a year), I get all nostalgic about the Aqua GUI. Ok, it’s horribly inconsistent (glossy white menu bar, structured semi-transparent menus and light gray title bars), but hey, it still looks cool.

Note
Before proceeding, make sure you have an appropriate license for Mac OS X. I.e., don’t install two copies if you only own one — in general, this means you need the Family Pack or an additional copy. Also, make sure that you’re allowed to virtualize your copy of OS X — in Germany that usually is fine as limitations imposed by the EULA are effectively not legally binding (which is the reason why the German computer magazine c’t was able to publish MultiMac Helper), but you will need to check what applies in your own country.

UPDATE: If you create a new VM, you need to remove firmware = "efi" from the VMX, or it will complain about the OS not being the server version at some point during boot. If you see the black BIOS-style screen right after powering up the VM, you’re fine. If you see a grey screen with the VMWare logo on it, the VM is set to EFI mode.
However, even then I have not been able to successfully boot a Snow Leopard DVD. This appears to be due to the way VMWare Fusion handles non-EFI OS X boots: Upon boot, it connects darwin.iso to the VM, loads its special bootloader from there. VMWare Fusion 2.0 and 3.0 somehow managed to do that without interfering with the Snow Leopard DVD, but Fusion 4.0 fails at that. I assume it’s not something the VMWare folks would be regression testing because Fusion 3.0 and later by default boot OS X guests in EFI mode.
So the conclusion would be (at least until someone figures out how to patch the virtual EFI) that you need to create your 10.4/10.5/10.6 VMs on VMWare Fusion 2.0 (or 3.0 which requires you to manually remove the firmware = "efi" line as well). They’ll run in Fusion 4.0 just fine.

Alternatively, you could try (haven’t tested it yet) to leave the VMX with firmware = "efi", pull an image from your OS X DVD, convert it to read/write, touch /Volumes/OS X Install DVD/System/Library/CoreServices/ServerVersion.plist (to make Fusion believe it’s a server DVD), convert it to read-only, boot it in the VM, install it. Rebooting into the OS will fail (as it does not have ServerVersion.plist), so remove the firmware = "efi" to switch the VM back to the patched non-EFI bootloader.

UPDATE 2011-10-17: Signed GPLPV drivers are now available. I have not yet tested them, but I assume the fix below is no longer necessary.

While the Citrix drivers included in XenServer 5.5 work (after making a single registry tweak), the more recent ones included in e.g. Xen Cloud Platform 1.0 do not work right away:

If you install the XCP drivers, make that registry tweak and reboot the DomU, you’ll notice messages like XENUTIL: WARNING: CloseFrontend: timed out in XenbusWaitForBackendStateChange: /local/domain/0/backend/console/[id]/0 in state INITIALISING; retry. in your /var/log/xen/qemu-dm-*.log and Windows just gets stuck during boot and keeps spinning forever. To get it back to work, you’ll need to
xenstore-rm /local/domain/0/backend/console/[id]
xenstore-rm /local/domain/0/backend/vfb/[id]
after starting the VM (thanks to Keith Coleman‘s mailing list post!).

To automatically run these commands upon DomU start, create a script named /usr/lib/xen/bin/qemu-dm-citrixpv with the following contents
#!/bin/sh

exec /usr/lib/xen/bin/qemu-dm $*
and chmod +x it.

Then, edit your DomU config file and modify the device_model line and point it to your new script:
device_model = '/usr/lib/xen/bin/qemu-dm-citrixpv'

Now your Windows Server 2008 R2 x64 HVM-DomU is all set!

[incoming-external]
exten => s,1,Dial(SIP/1234,20)
exten => s,n,Voicemail(1234,us)
exten => a,1,VoiceMailMain(1234)
exten => a,n,Hangup()

And it even works when you’re using macros (like I am):

[incoming-external]
exten => 5551234,1,Macro(incoming-plus-voicemail,SIP/1234,20,1234)
exten => 5551337,1,Macro(incoming-plus-voicemail,SIP/1337,20,1337)

[macro-incoming-plus-voicemail] ; SIP/xxx, wait time, voicemail
exten => s,1,Dial(${ARG1},${ARG2}
exten => s,n,Voicemail(${ARG3},us)
; push * during the announcement to access your mailbox
exten => a,1,VoiceMailMain(${ARG3})
exten => a,n,Hangup()

#ifndef AST_MODULE
#define AST_MODULE "res_srtp"
#endif

and compiled and installed it using

gcc -shared res_srtp.c -o res_srtp.so -lsrtp
sudo cp res_srtp.so /usr/lib/asterisk/modules/

You’ll need to have libsrtp0-dev and asterisk-dev installed, otherwise the compile will fail.
Then, you can do sudo asterisk -r and load the module using module load res_srtp (or just restart Asterisk).

I’m still working on getting SRTP working flawlessly both incoming and outgoing and with stuff like transfers. Asterisk Secure Calling Specifics are a good starting point, but I’m also planning to write another post about this in the near future.

But did you know it’s just as easy to change the Callee ID on an outgoing call, i.e. change what your phone displays during the call? This can be very useful to display on the phone which one of several possible outgoing lines (multiple SIP providers, ISDN, …) was used or at which point in an IVR menu you are at the moment. To do this, use Set(CONNECTEDLINE(name)=blah). Before getting started, set sendrpid = pai in your sip.conf.

To make things easier, I created two macros in my dialplan:

[macro-connectedline-name-number]
exten => s,1,Set(CONNECTEDLINE(name,i)=${ARG1})
exten => s,n,Set(CONNECTEDLINE(number,i)=${ARG2})
exten => s,n,Set(CONNECTEDLINE(pres)=allowed)

[macro-connectedline-name]
exten => s,1,Macro(connectedline-name-number,${ARG1}, ${MACRO_EXTEN})

Now I can do things like

[internal-test]
exten => 101,1,Answer()
exten => 101,n,Macro(connectedline-name,Hello World)
exten => 101,n,Playback(hello-world)
exten => 101,n,Hangup()

in my dialplan (IVR example).

Or how about

[outgoing]
exten => 100,1,Macro(connectedline-name,Mailbox)
exten => 100,n,VoiceMailMain(${CALLERID(num)},s)
exten => _XXX.,n,Macro(connectedline-name,VoIP 1)
exten => _XXX.,n,Dial(SIP/${EXTEN}@voipprovider)

(outgoing line example).

The Asterisk Wiki also has an entire page on Manipulating Party ID Information.

After some researching and testing, I tracked it down to the rsize and wsize mount options: they specify the size of the chunks sent at a single time. Apparently, they are set to 1M if you don’t specify anything else. In my case, wsize=131072 and rsize=262144 showed the highest write and read speeds respectively. However, wsize=131072 is not too far away from the cliff after which writing drops to a crawl, so I decided to back it down to 65536.

I believe the acpi command in Grub2 originally came from the Hackintosh community – messing around with DSDTs is a lot more common there because Mac OS X is rather picky.

For those of you who don’t know what I’m talking about: the DSDT describes certain hardware features your PC has, such as buttons, CPU power save modes, and lots of other things. Some mainboards have very poorly done BIOSes that have equally messed up DSDT tables. I won’t go into a lot of detail regarding how to fix those here though (it’s as simple as cat /proc/acpi/dsdt > dsdt.dat; iasl -d dsdt.dat; editing dsdt.dsl to your liking; iasl -tc dsdt.dsl (this last step will probably produce a number of errors that can be solved by googling for the error number and making the appropriate changes in dsdt.dsl)).

Another valuable hint for people messing around with DSDTs: the DSDT is not the only place that can contain this kind of information, the other place would be the SSDT and possibly additional SSDTs. You can find them in /sys/firmware/acpi/tables and decompile them just like the DSDT as described above. Instead of recompiling the SSDT by itself, you could probably also consider merging it into your custom DSDT at the appropriate places.

My solution to this is rather simple: tune2fs -l tells you when the next fsck is coming up, so why not run a script upon every boot and have it write that information into /etc/motd so that you can see it every time you SSH in? The script is below (as a bonus, drives being fscked in less than 5 mounts or a week are printed in red), so all you need to do is put it somewhere on your hard drive and add something like
# Add FSCK status to MOTD
[ -f /root/fsck_stats.sh ] && bash /root/fsck_stats.sh >> /var/run/motd
to the init script that generates your motd (on Debian Squeeze, that would be /etc/init.d/bootlogs).

#!/bin/bash

echo

echo -e "$color Next FSCK on $(basename $disk): $next_check or in $diff_mounts mounts\033[0m"

1. Do a basic install of your favorite Linux distribution.
   Since my server runs Xen, I just did xen-create-image –ip=192.168.200.5 –netmask=255.255.255.0 –gateway=192.168.200.1 –nameserver=192.168.200.23 –mirror=http://ftp.de.debian.org/debian/ –passwd –hostname=router-ipv6 –dist=squeeze –arch=i386 –size=4G –swap=1G –dir=/data/vms/router-ipv6 –memory=64M –role=udev –pygrub and ran ln -s /etc/xen/router-ipv6.cfg /etc/xen/auto to have it automatically start upon reboot. To start the VM, do xm create router-ipv6.cfg
2. SSH into the virtual machine and configure the LAN and the WAN interface. Since I’m using a tunnel, my WAN interface is a 6in4 interface; if you’re using a physical one you’ll need to manually edit the Xen VM config file to add the physical interface to the VM. So we’re adding the following lines to /etc/network/interfaces
   iface eth0 inet6 static
   address 2001:470:xxxb:xxxx::1
   netmask 64

   auto 6in4
iface 6in4 inet6 v4tunnel
address 2001:470:xxxa:xxxx::2
netmask 64
endpoint 216.66.80.30
gateway 2001:470:xxxa:xxxx::1
up ip route add ::/0 dev 6in4

3. Next, edit /etc/sysctl.conf and set net.ipv6.conf.all.forwarding=1 by removing the comment sign from the beginning of the line.
4. apt-get install radvd and then edit /etc/radvd.conf to look like this:
   interface eth0
{
AdvSendAdvert on;
AdvLinkMTU 1280;
prefix 2001:470:xxxb:xxxx::1/64
{
AdvOnLink on;
AdvAutonomous on;
};
RDNSS 2001:470:xxxb:xxx:yyyy:yyyy:yyyy:yyyy
{
};

   Most of this is pretty self-explanatory (the prefix line should contain the address of the router’s network interface and everything else just enables router advertisements), however the RDNSS line needs to point to the IPv6 address (it will automatically get one after you finish step 6) of your local DNS forwarder.
5. Next, you’ll probably want to configure the firewall so that your computers can’t be accessed from outside (remember, with IPv6 every device gets a publicly routable address). apt-get install shorewall6 and then edit the following files to configure it:
   In /etc/default/shorewall6: startup=1 (enables the firewall) and wait_interface="6in4" (your WAN interface)
   In /etc/shorewall6/zones: Add the lines fw firewall, net ipv6 and loc ipv6
   In /etc/shorewall6/interfaces: Add the lines net 6in4 detect and loc eth0 detect
   In /etc/shorewall6/policy: Add the lines net all REJECT notice, loc all ACCEPT, fw all ACCEPT and all all REJECT notice
   In /etc/shorewall6/rules: Configure the firewall rules to your liking. I added Ping(ACCEPT) all all to allow incoming pings (I don’t believe in this security-by-obscurity stuff). I also added ACCEPT all loc:2001:470:xxxb:xxxx:zzzz:zzzz:zzzz:zzzz because that machine has its own IPv6-configured firewall.
6. Reboot the VM.

All your IPv6-ready clients should start picking up addresses automatically. Linux, Mac OS X and iPhones do as expected and base their IP on the MAC address. Windows 7 does the same, but also makes up a random IP which gets used by default for all outgoing connections due to privacy reasons. On Windows XP, you need to manually add IPv6 to the network protocols in the network connection properties, after which it’ll behave similarly to Windows 7.
The DNS server announced by radvd however only gets picked up by the iPhone. Mac OS X only supports manually-configured IPv6 DNS servers as far as I can tell. Windows automatically configures fec0:0:0:ffff::1, fec0:0:0:ffff::2 and fec0:0:0:ffff::3 as its DNS servers; you could add one of these addresses to your DNS server (and add some other address in the fec0:0:0:ffff::/64 range to your IPv6 router VM’s LAN interface so that clients can actually find a route to it), but unfortunately the site-local prefix fec0::/10 has been deprecated for more than half a decade and should no longer be used. But fear not, it’s perfectly fine to talk to your DNS server using IPv4 – it will still resolve AAAA (IPv6 A) queries without issues. And I expect IPv4 to stay around for at least another decade, so you’re not likely to run into trouble for a long time.

So, what to do if you want to run ISC DHCPd on your Windows network, which is obviously running Microsoft’s DNS server? BIND’s nsupdate tool supports Microsoft’s Kerberos authentication scheme when using the -g flag (the -o flag is only necessary for Windows 2000 Server, but not anymore for Windows Server 2008 R2), and DHCPd supports on commit/release/expiry blocks that let you run scripts upon these events. So here is my script:

#!/bin/bash

## CONFIGURATION ##

realm=EXAMPLE.COM
principal=dhcpduser@$realm
keytab=/root/dhcpduser.keytab
domain=example.com
ns=example-domain01.example.com

exit $result

and here is the relevant part of my dhcpd.conf:

on commit {
set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
set ClientName = pick-first-value(option host-name, host-decl-name, config-option host-name, noname);
log(concat("Commit: IP: ", ClientIP, " Mac: ", ClientMac, " Name: ", ClientName));

execute("/root/dhcp-dyndns.sh", "add", ClientIP, ClientName, ClientMac);
}
on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
log(concat("Release: IP: ", ClientIP, " Mac: ", ClientMac));
# cannot get a ClientName here, for some reason that always fails

execute("/root/dhcp-dyndns.sh", "delete", ClientIP, "", ClientMac);
}
on expiry {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
# cannot get a ClientMac here, apparently this only works when actually receiving a packet
log(concat("Expired: IP: ", ClientIP));
# cannot get a ClientName here, for some reason that always fails

execute("/root/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}

Figuring this all out took me several afternoons because Kerberos 5 1.8 has a bug where forwardable tickets (which is the default on Debian) are incompatible with nsupdate. Manually compiling 1.7 or getting 1.9 from the experimental Debian branch helps, as does adding the -F flag to kinit (which I did in the script above) to make the ticket non-forwardable.
I filed a bug with Debian (#611906) and Sam Hartman (thanks!) helped me track it down.

EDIT 2011-11-17:
I recently ran into the issue that if the AD server could not be reached, dhcpd would stall (and not respond to DHCP requests during that time) until nsupdate reached its timeout. The fix is simple: rename dhcp-dyndns.sh to dhcp-dyndns-real.sh and create dhcp-dyndns.sh with the following contents to fork off the real script into the background:
#!/bin/bash

$(dirname $0)/dhcp-dyndns.sh $@ 2>&1 | logger &

Also, I updated the on commit section in the dhcpd.conf excerpt above to compose a fallback name from the IP address if the client provides no hostname. This fixes the issue that nsupdate tries to register a record based on the name and fails.

But since schema extensions are generally frowned upon in the Windows world because they’re irreversible (why the heck, Microsoft…?), I initially tried a dual-directory (golden triangle, magic triangle) type approach where I’d be augmenting my AD with Apple records coming from an AD LDS (Active Directory Lightweight Directory Services, previously called ADAM, Active Directory User Mode, which is basically a plain LDAP server from Microsoft). While this may sound like a great idea, I just couldn’t get it to work. After dozens of manual schema extensions to AD LDS (Microsoft doesn’t include many standard LDAP attributes, so I had to dig through the dependencies of apple.schema and even tried importing a complete OD schema), I gave up because I could not get Workgroup Manager to authenticate against it to allow me to make changes.

So the next thing to do was follow Apple’s AD schema extension guide (linked above) and do what everybody else did. This was rather straight-forward (managed preferences for users, groups and computers worked right away), but when I tried to create a computer list (which is not possible using Snow Leopard’s Server Admin Tools, but requires Tiger’s (which throw loads of errors on Snow Leopard but still get the job done) since Leopard introduced computer groups which however are not supported by the AD plugin), it just said I didn’t have permission to do that. After enabling DirectoryService debug logging (killall -USR1 DirectoryService && killall -USR2 DirectoryService), I traced it down to Active Directory: Add record CN=Untitled_1,CN=Mac OS X,DC=xxx,DC=zz with FAILED – LDAP Error 19 in /Library/Logs/DirectoryService/*. Apparently, that’s caused by some versions of ADSchemaAnalyzer setting objectClassCategory to 0 instead of 1 on all exported classes. Too bad AD schema extensions are irreversible and that’s one of the attributes you can’t change later on… Well, with AD Schema Management MMC snap-in, I was able to rename the botched apple-computer-list class, defunct it and add a new one using ldifde. With some really wild hacking in the AD Schema using ADSI Editor, I was then able to  eventually get OS X to no longer look at the renamed attribute, but instead at the new one. To see whether you have been successful, killall DirectoryService, wait a few seconds and grep -H computer-list /Library/Preferences/DirectoryService/ActiveDirectory* will show a line indicating which class in the schema it’s using.

Once you’re there, everything should work as expected. If you don’t want to use Tiger’s Workgroup Manager to create old-style computer lists, you can do that in ADSI Editor and create apple-computer-list objects in the CN=Mac OS X branch by hand.

So, attached is the schema ldif that’s exactly the way it should be. I really wonder why Apple doesn’t provide it themselves – it’s going to turn out exactly like that every time you follow their guide on any Windows server… Apple Schema for Active Directory

I guess that the overall conclusion of this should be that AD schema extensions in general and specifically Mac OS X managed clients in AD environments are a nasty hack. I suppose the dual directory/magic triangle/golden triangle approach with a Microsoft AD and an Apple OD would work, but it requires maintaining two separate directories, which may not be that great in a larger environment either.

If Apple discontinues Mac OS X Server at some point in the near future (which the demise of the Xserve and the lack of announcements regarding Mac OS X 10.7 Server alongside Mac OS X Lion suggest), this is definitely something they need to improve. There are some third-party solutions that store MCX settings outside of AD (similar to Windows GPOs, which are stored on the SYSVOL share) such Thursby ADmitMac – however that’s a rather expensive solution (a dozen client licenses costs about as much as two Mac mini servers) and might break after OS updates (though from what I’ve heard, they’re rather quick at providing updates). If Apple does discontinue Mac OS X Server, they should definitely improve Lion’s AD integration to replicate ADmitMac’s features.

After trying Calibre rather extensively, I came across an app named Sigil, which does exactly what I want: You just throw in your HTML files (it automatically imports images referenced by them) and add some metadata.

Before proceeding, you should use your favorite scripting language (or modify the attached quick-and-dirty PHP script) to remove everything but the main part of the chapter from the HTML files. (Make sure to remove any tables or divs surrounding the entire content because that might break page-by-page navigation on your ebook reader).

Sigil works very smooth if your HTML files are in alphabetical order. If they’re not, don’t despair: take the index.html file that (hopefully) came with them and us your favorite scripting language (or modify the attached quick-and-dirty PHP script) to grab all the links from it (be sure to remove anchors and duplicates) and generate an XML structure like <spine toc="ncx">
<itemref idref="file1.html" />
<itemref idref="file2.html" />
</spine>. Manually replace the spine section in the content.opf file inside the generated ePub with the lines you just created. Then re-open the ePub in Sigil and check whether it found any HTML files you forgot to include (they will show up at the top of the file list) – if there are any, move them to the place where you want them.

Once you have everything the way you want it, check the auto-generated table of contents using the TOC Editor option. Chances are that you have everything in there duplicated if the links in your index.html file are recognized as chapter headlines. In that case, just uncheck those (if you don’t feel like unchecking 500 items, I’ve attached an AppleScript to do that, just select the bottom-most line you want unchecked and adjust the number of lines inside the script).

Wondering how Cisco got around these App Store limitations, I took a closer look at the AnyConnect app. Upon first starting it, it asks whether you want to let it “extend… the Virtual Private Network (VPN) capabilities of your device”.

Cisco AnyConnect Secure Mobility Client extends the Virtual Private Network (VPN) capabilities of your device. Do you want to enable this software? Don't Allow / OK

To configure the settings for ....., use the app provided by Cisco.

Odd, how would an app be able to do any of this if it’s not allowed to get involved with iOS deeper than the App Store guidelines would allow?

Moving on and digging deeper into the .ipa bundle:

The Payload contains AnyConnectDataAgent.vpnplugin, in addition to the AnyConnect.app:

AnyConnectDataAgent.vpnplugin

AnyConnect.app‘s Entitlements.plist contains an entitlement named com.apple.networking.vpn.configuration:

com.apple.networking.vpn.configuration

Neither vpnplugin bundles nor the com.apple.networking.vpn.configuration entitlement are documented anywhere (at least not in a way that can be found through Google). Since this appears to be a special iOS API created by Apple specifically for Cisco, the question is whether it’s also open to other developers. The only other app I’ve found that uses it is Juniper Junos Pulse, which was posted a few weeks before the AnyConnect app. Since both Junos Pulse and AnyConnect have in common that they require iOS 4.1, I think it’s safe to assume that 4.1 introduced the API they use.
Personally, I’d be interested to see an OpenVPN client for the iPhone. I’m not sure whether that will ever happen though if this VPN API only exits semi-officially, especially since OpenVPN is not backed by a big company like Cisco or Juniper.

Services:
Google Mail using Google Sync: Gmail (free) or own domain (free for up to 50 users)
coming in June: Hotmail
NuevaSync Premium: works with any IMAP mail server ($25/year)

Server software:
Kerio Connect‘s ActiveSync Support ($540 for 5 users)
Open-Xchange using OXtender for Business Mobility: ($21.75 / 14.50€ per user)
Scalix using Scalix ActiveSync: ($299 for 10 users)
Zimbra Collaboration Suite using Zimbra Mobile for Smartphones: ($25/$35 per user per year + $500/$1000 per year)

Z-Push (free, appears to with any IMAP server)

If you know any others, please go ahead and add them to the comments, and I’ll add them to this list.

You may download it here. If you find a bug, please do let me know in the comments, but don’t expect I’ll fix it anytime soon .

To start, you’ll need a command-line tool called afsctool which can compress (and, amongst other features, decompress) folders using HFS compression. The command you’ll need to run is e.g. sudo afsctool -c -l -k -v -i -9 /Library/Application\ Support/Final\ Cut\ Studio. This compresses all files the given folder using the highest possible compression, verifies its results, prints out the names of files it is unable to compress, and outputs statistics once it’s done.

Some of the folders I compressed:
/Library/Application Support/Final Cut Studio/ (contains Motion and DVD Studio Pro templates): 22.5% compression savings
/Library/Application Support/LiveType/ (contains Motion’s LiveType fonts): 11.4% compression savings
/Library/Application Support/GarageBand/ (contains GarageBand’s  instruments and learning-to-play stuff): 14.3% compression savings
/Library/Application Support/iDVD/ (contains iDVD’s themes): 19.5% compression savings
/Library/Audio/Apple Loops/ (contains GarageBand’s and Soundtrack Pro’s loops): 4.1%
/Library/Audio/Impulse Responses/ (contains  Soundtrack Pro’s impulse response data): 41.3% compression savings

Looking at the compression savings: everything that contains high-quality video can be compressed by around 20%, while audio which is already heavily compressed only yields around 5%. The most amazing result though are the 40% by which the Impulse Responsed were compressed – apparently, these are uncompressed AIFF audio files and thus ideal for compression.

Obviously, your mileage may vary and I’m not responsible if you compress too much and break your system (I’m sure there is a reason why Apple didn’t compress all system files). However, compressing the iLife and Final Cut Studio media content appears safe, I haven’t noticed any unwanted side-effects and it seems well worth trying if you’d like to regain a few gigabytes.

After 3 major releases of LTT and beta testing on close to 200 computers, I can now say that version 3.0.4 is very stable and runs well on both Tiger and Leopard, has no known bugs and is ready for widespread use. My current server setup can (theoretically) handle around 10000 simultaneously active clients. If you’re interested in testing it or if you would like to give your Mac some additional theft protection, please contact me so that I can set you up with an account to use the service.

Frequently Asked Questions

How secure is LTT?
All communication is done over an SSL-encrypted connection, so it is protected from being spied on and not prone to things like ARP spoofing or DNS poisoning.

How do you prevent unauthorized access to my LTT account, which could potentially be used for spying?
As long as you keep your password secret, there is not a whole lot you need to worry about. However, if somebody were to break into my server, I obviously can’t guarantee for it .

Why am I not receiving screenshots?
If the screen is asleep, screenshots are apparently not possible – this is not a bug in my software, it’s probably due to the way Apple implemented WindowServer.

Why am I not receiving iSight captures?
Either  the camera is in use by a different program or the laptop is being operated with the clamshell closed.

A while ago, I bought the Sharkoon DriveLink. The nice thing about it is that it can run 2.5″ hard drives without the power brick. However, it would randomly disappear from the computer, interrupting any file transfers that may have been in progress. I returned it and got a replacement unit that showed the exact same behavior, so I returned it for a refund.

Instead, I bought the Scythe Kama Connect 2. So far, it’s been working like a charm.

0. Prerequisites
- OpenLDAP server with Samba integration (I’m runnig it on a Ubuntu 8.04 server, using the standard OpenLDAP and Samba packages). I won’t go into the details of how to set this up, there are lots of tutorials around the web on this.
- some kind of LDAP admin tool, I used phpLDAPAdmin
- Mac OS X 10.5 Leopard clients

1. Adding the Apple schema to your OpenDirectory server
It is located in /etc/openldap/schema/apple.schema on any Mac. Copy this file to your OpenLDAP server and add it to your slapd.conf.
You may run into the problem that apple.schema references some samba.schema entries that were deprecated with Samba 3. Specifically, these are acctFlags, pwdLastSet, logonTime, logoffTime, kickoffTime, homeDrive, scriptPath, profilePath, userWorkstations, smbHome, rid and primaryGroupID, so you’ll need to editapple.schema and replace these with their Samba 3 counterparts.
Now, restart the OpenLDAP daemon so it recognizes the changes.

2. Adding some Mac-specific attributes to your LDAP server
Add an ou=macosx branch to your LDAP tree, under which you’ll need to create ou=accesscontrols, ou=augments, ou=automountMap, ou=autoserversetup, ou=certificateauthorities, ou=computer_groups, ou=computer_lists, ou=computers, ou=filemakerservers, ou=locations, ou=machines, ou=maps, ou=mount, ou=neighborhoods, ou=places, ou=preset_computer_groups, ou=preset_computer_lists, ou=preset_computers, ou=preset_groups, ou=preset_users, ou=printers, and ou=resources.
To all your LDAP groups, add the apple-group objectClass. To all your LDAP users, add the apple-user objectClass.

3. Connecting your Mac to the LDAP directory
On your Mac, go into Directory Access and add your LDAP server. Choose OpenDirectory as the server type and adjust the Samba mappings to match your changes from step 1. Here is a plist you can import into Directory Access that already has these mappings corrected: LDAPv3_Unix_Samba3_OD.plist.
If you want your other clients to automatically use this mapping, create a cn=config branch in your LDAP tree and use the Write to Server button in Directory Access.

4. Use Workgroup Manager to set network home folders, managed preferences, …
Now, you can use Workgroup Manager to manage network home folders and managed preferences, just like you would on a Mac server.  You’ll need to authenticate using an LDAP user who has full write privileges to the directory (as set in slapd.conf). The standard cn=admin,dc=example,dc=com user will NOT work.

5. Conclusion
Almost everything works, except for:
- adding new users and group through Workgroup Manager
- solution: unknown
- assigning directory admin privileges to users through Workgroup Manager
- solution: using an OpenLDAP server set up to use cn=config instead of slapd.conf. This will also require going into Directory Access again and adding the OLCBDBConfig, OLCFrontEndConfig, OCGlobalConfig, OLCSchemaConfig and OLCOverlayDynamicID record types back in (they are included in the OpenDirectory mapping, but I deleted them from mine because they only cause error messages on an OpenLDAP server with slapd.conf configuration).

Here are all the web sites that helped me in the process of figuring this out:
http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c6od15.html (this one is especially important because it explains what to do if your LDAP server is not set up for SASL authentication)
http://www.emmes-world.de/mac-afp-homes.html (this one describes a similar setup and was my most important resource)
http://rajeev.name/blog/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-directories/
http://www.netmojo.ca/blog/tag/ldap/
http://www.macdevcenter.com/pub/a/mac/2003/08/26/active_directory.html?page=2

7. Further Information
Since you’re not using Kerberos for authentication, you may want to look at securing your LDAP connections with SSL. Here are some links that talk about it:

http://www.afp548.com/article.php?story=20071203011158936

Someone else also wrote a blog post about Setting up a Linux server for OS X clients, in which they also describe how to incorporate Kerberos into the whole equation. That’s certainly something worth considering.

Patching VMWare
First of all, you’ll need to patch the Mac OS X VMWare Tools ISO, replacing all occurrences of ServerVersion.plist with SystemVersion.plist inside it. This is the only thing Fusion looks at to determine whether you’re trying to run OS X Server or Client (/System/Library/CoreServices/ServerVersion.plist only exists on OS X Server, while /System/Library/CoreServices/SystemVersion.plist exists on both). Since Fusion uses some signature checking, you’ll need to re-sign all VMWare Tools ISOs with your own certificate, otherwise Fusion will refuse to run.
The German computer magazine c’t  (issue 24/2008, page 266) figured all of this out and even wrote a small tool (MultiMac Helper) to automate the process.

Note
Before proceeding, make sure you have an appropriate license for Mac OS X. I.e., don’t install two copies if you only own one — in general, this means you need the Family Pack or an additional copy. Also, make sure that you’re allowed to virtualize your copy of OS X — in Germany that is perfectly fine as limitations imposed by the EULA are effectively not legally binding (which is the reason why the German computer magazine c’t was able to publish MultiMac Helper), but you will need to check what applies in your own country.

Installing Leopard
Installing Leopard is very straight-forward – just pop in your Leopard retail DVD and create a new VM in Fusion (selecting Mac OS X 10.5 Server 64-bit). Now proceed as if you were installing Leopard Server in Fusion. After completing the installation, you can even install VMWare Tools and they’ll run just fine.

Installing Tiger
Installing Tiger is a bit more difficult. Since there are no retail DVDs of Tiger for Intel (it was exclusively shipped with new Macs, and those machine-specific discs refuse to install on anything but the Mac model they came with), you cannot install it by booting it in a VM. So what you’ll need to do is: install Tiger onto an external HD and make an image of it. Then attach a second virtual hard drive to your Leopard VM and from inside the VM, clone the image to the second virtual hard drive. Now remove that virtual hard drive from your Leopard VM and attach it to your Tiger VM. It will boot up and run just fine. However, VMWare Tools will not work in Tiger and your host CPU will probably run at 100%.

UPDATE: Installing Snow Leopard
Works the same as Leopard, just select Mac OS X 10.6 Server 64-bit.

UPDATE: VMWare Fusion 3.0
Existing VMs continue running flawlessly.
If you create a new VM, you need to remove firmware = "efi" from the VMX, or it will complain about the OS not being the server version at some point during boot. If you see the black BIOS-style screen right after powering up the VM, you’re fine. If you see a grey screen with the VMWare logo on it, the VM is set to EFI mode.

UPDATE: VMWare Fusion 4.0
Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0