Archive for December, 2007

Leopard Install Ate Account, Again

Over Christmas, I updated Dad’s backup (SuperDuper is great), and upgraded to Leopard. It failed miserably — in exactly the same way as my own first Leopard upgrade failed, although I didn’t know what was going on back then. There wasn’t any documentation about the problem then, but now Apple describes a closely related issue:

Mac OS X 10.5: Unable to log in after an upgrade install

Issue or symptom

You may not be able to log in with a user account that has a password of 8 or more characters and was originally created in Mac OS X 10.2.8 or earlier, after performing an upgrade installation of Mac OS X 10.5 Leopard (the default installation type).

I do indeed use a password longer than 8 characters. At least on my own system, the accounts were not created under or before 10.2.8. On my father’s system, the accounts may date back that far, but his password was not longer, and Apple’s suggested workaround did not work either.

On my own upgrade, I installed Leopard, and was unable to log in with my (known correct) password, or my root password. I booted from DVD and was able to see my home directory, but there was no information on how to fix Leopard accounts (and really not much information on Leopard accounts at all) at that time. Reset Password from DVD didn’t work, and neither did passwd. I reinstalled from scratch and restored my home directory.

For Dad, I didn’t have time to do that, so I created a new account with a different username and real name, and swapped his old home directory with the new (basically empty) one. This took about 5 minutes, compared to several hours spent unsuccessfully trying to fix his old account. Somehow during the upgrade, his account was disabled, and I was unable to re-enable it. I booted from the Leopard DVD, and the Reset Password tool said it reset his password, but did not. I booted into my own admin account, and used passwd, which gave me a Directory Services account disabled error. The only references Google has to that error code are copies of the manual page, which lists the error code but not a way to enable such an account. I even updated to get the Login & Keychain update, but it didn’t help.

In the interim, Apple has documented that Leopard stores accounts as .plist files in /var/db/dslocal/nodes/Default/users/, which is very helpful — it makes it easy to do things like change UIDs, which I need to do periodically. On the other hand, those files point into other places for some information, such as the Kerberos KDC (Key Distribution Center) for actual passwords. I don’t know enough Kerberos to feel comfortable creating an identity for his account, as should have automatically happened during the upgrade (before Leopard, non-Server versions of Mac OS X don’t include a KDC, and they store passwords differently). I considered pointing his account to the KDC identity for a new account with the right password, but this seemed fragile, so I went with the new account, which seems to have worked reasonably well.
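As an added example (not from the original post and not Apple's code), the following Python reads user records of the kind described above and reports the UID, the authentication mechanisms each record points to, and anything worth a second look. The key names (`name`, `uid`, `authentication_authority`), the `;DisabledUser;` marker and the sample records are assumptions and constructed data, not taken from the page.

```python
import plistlib
import sys
from pathlib import Path

# Constructed sample records. The layout (each attribute maps to a list of
# strings) and the key names are assumptions about the dslocal user format.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>name</key><array><string>{name}</string></array>
<key>uid</key><array><string>{uid}</string></array>
<key>authentication_authority</key><array>{auth}</array>
</dict></plist>"""


def sample(name, uid, authorities):
    """Build one constructed user record as XML plist bytes."""
    auth = "".join("<string>%s</string>" % a for a in authorities)
    return TEMPLATE.format(name=name, uid=uid, auth=auth).encode("utf-8")


SAMPLE_DISABLED = sample("dad", 501, [";DisabledUser;;ShadowHash;"])
SAMPLE_UID0 = sample("sysadmin", 0, [
    ";ShadowHash;",
    ";Kerberosv5;;sysadmin@LKDC:SHA1.CONSTRUCTED;LKDC:SHA1.CONSTRUCTED;",
])


def audit_user(plist_bytes):
    """Summarise one user record and list anything worth a second look."""
    record = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    name = (record.get("name") or ["?"])[0]
    uid = int((record.get("uid") or ["-1"])[0])
    mechanisms, principals, disabled = [], [], False
    for entry in record.get("authentication_authority", []):
        tags = [field for field in entry.split(";") if field]
        if tags and tags[0] == "DisabledUser":  # assumed disabled marker
            disabled, tags = True, tags[1:]
        if not tags:
            continue
        mechanisms.append(tags[0])
        if tags[0] == "Kerberosv5" and len(tags) > 1:
            principals.append(tags[1])  # identity the record expects in the KDC
    findings = []
    if disabled:
        findings.append("account is marked disabled")
    if not mechanisms:
        findings.append("no authentication authority recorded")
    if "Kerberosv5" not in mechanisms:
        findings.append("no Kerberos principal referenced")
    if uid == 0 and name != "root":
        findings.append("UID 0 on a non-root account")
    return {"name": name, "uid": uid, "mechanisms": mechanisms,
            "principals": principals, "disabled": disabled,
            "findings": findings}


if __name__ == "__main__":
    # With no arguments, run on the constructed samples; otherwise read the
    # given .plist files (root is needed to read the real directory).
    blobs = [Path(p).read_bytes() for p in sys.argv[1:]]
    for blob in blobs or [SAMPLE_DISABLED, SAMPLE_UID0]:
        result = audit_user(blob)
        print(result["name"], result["uid"], result["mechanisms"],
              result["findings"] or "ok")
```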

FUBAR!


Music at Jalopy: Gavin Smith, Anna Copa Cabanna, & Royal Pine

I went out tonight to see Gavin perform (accordion, piano, & backing vocals) with Anna Copa Cabanna at Jalopy, a performance space and instrument repair shop so old-timey and rustic they had a wooden bolt to lock the bathroom door and a wooden box sink.

Getting there was surprisingly difficult. I called a local car service, and they told me it would be 10 minutes. In 6, the car was outside; when I went out, she complained that I’d kept a woman waiting, and spent much of the drive complaining about the car we were in. Then she drove 7 blocks south to 9th Street, and asked me how to get there. Since the driver didn’t know the way, I used Google Maps on the iPhone to give her directions. As we got to the Fort Hamilton Parkway, she began to tell me that Columbia Street (which Jalopy is on) didn’t exist on the other (north) side of the Parkway; I insisted at least half a dozen times, and guided her around the entrance — insisting to me all along that we couldn’t get to the north side of the Parkway, until we saw the place, right where Google claimed it was. To get home I called Eastern, and they were 30% cheaper without arguing or needing directions.

I got some very dark pictures (no flash).

Jalopy


It was a very good show, although as a friend of Gavin’s I didn’t really appreciate the harassment of “Smitty” that’s part of their shtick. On the other hand, I wouldn’t have appreciated him treating her that way either…

Lots of strange songs about New York and America, by a fascinating and deliberately somewhat crazy outsider (Australian import). I was particularly impressed that they managed to do “Beauty Bar” as a real punk song — on tambourine & accordion.

Anna & the MG5

I also enjoyed Royal Pine, but was a bit freaked out when they played a song I recognized — “Pearl Polly Adler”. This is inexplicable because I listen to perhaps a couple dozen songs I don’t know each year (largely from James), so recognizing a ‘new’ song that’s not in my iTunes library was a (pleasant) source of shock and confusion. Apparently I found it while surfing YouTube recently — something I also very rarely do, as opposed to effectively never before the iPhone. The Pearl Polly Adler video looks familiar, but I can’t be sure it’s not all delusional deja vu.

Anyway, I enjoyed that song while racking my brain for where I had heard it before, and “Stone Cold Mamacita” even more, although I enjoyed the rougher and tougher live version more than the recording on Huasteca.


Installing Linux: NFS vs. HTTP

I’m digging deeper into CentOS (basically a free version of Red Hat Enterprise Linux) v5.1, and for me that entails dozens of runs through the installer, testing out kickstart configuration variations.

This led me to wonder if it is faster to install via NFS or HTTP. I couldn’t find a useful answer online, so I ran a couple simple tests. My client is a 2.4GHz Dell PowerEdge 600SC using SATA disks on a Promise TX4. My server is a dual 1.25GHz Power Mac G4, running Mac OS X Server 10.4.11. They’re connected via private network, using a NetGear gigabit Ethernet switch.

For NFS installations, anaconda takes a directory containing a DVD ISO (or set of CD ISOs), and automatically loopback mounts them as part of the installation process. This is very handy with the CD ISOs, as it doesn’t require much configuration on the server — just an NFS export.

In contrast, HTTP installation doesn’t work against ISOs — the web server must serve up the individual files, whether from a loopback mount on the server, or a directory where the files have been extracted. With the 6 CD ISO files, this is quite a nuisance; with the DVD ISO, it’s not so bad.

My fairly complete kickstart configuration installs 2,103mb of packages. Installation times were quite similar, but a bit faster for HTTP, at 18:28 for package installation and 24:37 total. Via NFS packages took 19:57; total was 27:38.


For reference, I used the following partitioning configuration, which factors into total installation time:

part /boot --onpart=sda1 --fstype=ext2
part /     --onpart=sda2 --fstype=ext3
part swap  --onpart=sda3 --size=2048
part /var5  --onpart=sda5 --fstype=ext3
part /home6 --onpart=sda6 --noformat
part /sdb1  --onpart=sdb1 --noformat

The partitions already existed:

[root@pe ~]# df -hl|grep -v tmp
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda2             7.7G  2.8G  4.5G  39% /
/dev/sda6             664G  198M  629G   1% /home6
/dev/sda5             3.9G   73M  3.7G   2% /var5
/dev/sdb1             688G  198M  653G   1% /sdb1
/dev/sda1             251M  7.4M  231M   4% /boot

I used the following set of packages for testing:

%packages
@core
@base
@editors
@system-tools
@text-internet
@dns-server
@base-x
@network-server
@games
@web-server
@mail-server
@server-cfg
@admin-tools
@development-tools
@graphical-internet
@office
@development-libs
@x-software-development
@gnome-desktop
@graphics
@kde-desktop
@sound-and-video
kdegraphics
kdemultimedia
-bluez-gnome
-bluez-hcidump
-bluez-utils
-evolution
-evolution-connector
-evolution-webcal
-ibmasm
-krb5-auth-dialog
-mod_perl
-mod_python
-numactl
-openldap-clients
-openoffice.org-calc
-openoffice.org-draw
-openoffice.org-graphicfilter
-openoffice.org-impress
-openoffice.org-math
-openoffice.org-writer
-openoffice.org-xsltfilter
-pam_krb5
-pcmciautils
-php-ldap
-planner
-rp-pppoe
-sabayon
-sendmail
-sendmail-cf
-squid
-stunnel
-sysreport
-system-config-samba
-tux
-vconfig
-ypbind


Leopard’s bash auto-completion vs. symlinked directories

In Leopard, Tab completion in bash doesn’t immediately append trailing slashes to symbolic links that point to directories. When I complained about this change to Apple, I was told it was user configurable, and I should just configure the old behavior. It took me a while to actually find the solution — partially because it isn’t within bash itself, and partially because it was quite a nuisance but not a serious problem.

For example, ~/www is a symlink to /Volumes/www, and I cd to directories below it quite frequently. I’m in the habit of typing “cd w[Tab]/pu[Tab]”, which should expand to “cd www/public_html”. This broke in Leopard — I needed an extra Tab to get the / — otherwise I’d end up with the ugly and non-functional “cd wwwpu”. Anyway, the fix is:

echo "set mark-symlinked-directories on" >> ~/.inputrc

Now Tab completion works the way I want it to again. Thanks, stylishpants!


RHEL 5.1’s “linux rescue” mode doesn’t include full logical volume support

Red Hat has, with good consideration and foresight, been pushing people to use logical volume management for a while. It’s not completely integrated into the RHEL5 installer, but they’re pushing hard to make it ubiquitous, and telling people this is the right way to do things. Unfortunately, the syntax for specifying logical volumes within DOS-style partitions is still a bit obscure, and the manual page examples don’t show the LV syntax; this is fixable, but will take time.

I used software RAID and LVM on my new installation, but it doesn’t boot — I’ve found several articles on making GRUB work with software RAID, so I believe I’ll be able to get it working. The docs say I should be able to just use “lvm” (which is present) to get an lvm shell, but neither lvm nor lvm.static does anything — they just dump me back in bash.

Fortunately, “linux rescue” finds my partitions (this time), but not being able to even list out physical volumes is worrisome.

I want mirrored /boot, but RHEL’s mirrored /boot capabilities are pretty limited:

If you are making a RAID partition of /boot/, you must choose RAID level 1, and it must use one of the first two drives (IDE first, SCSI second). If you are not creating a separate RAID partition of /boot/, and you are making a RAID partition for the root file system (/), it must be RAID level 1 and must use one of the first two drives (IDE first, SCSI second).

Speaking of LVM being immature, check out What is the process to fsck lvm volumes? in the Red Hat Knowledgebase:

First, boot into rescue mode by using the correct media. This is very important: When prompted to mount the drives, do not. Using fsck on a mounted filesystem will destroy all the data on that file system. This is unrecoverable. The data will be gone forever–save for very expensive hardware-level data recovery.


Struggling with Apple engineering (Mac Pro)

I put 2 750gb drives in a Mac Pro to run Leopard. Now I want to get them out, so they can go in a Linux PC. I’ve spent at least an hour struggling with the stupid things, and losing.

They were a bit odd to get in, but they’re almost(?) impossible to get out. The drives are inside plastic guides, and only the edges stick out. I can’t get a good grip on the top & bottom because the PCB (circuit board) is at the bottom and fragile. I can grab the left & right edges, but all I can do is wiggle. I removed a fan screw so I could have some more room to work; I loosened a drive bracket screw, but only a little bit, and stripped my Phillips screwdriver some in the process — thus also the screw-head, of course. I would take the whole drive cage out, but it has 2 screws at the far (un-removable) side of the case, and I’d need to do quite a bit more disassembly to get at them.

I’ve been loosening the plastic cage — basically just wiggling it to soften it up — with a flat-head screwdriver. It’s visibly looser, but the drives are still quite stuck. I’ve been prying up on the left edge of the drives with a flat-head screwdriver — there’s a lip I can just get a bit of a grip on — but only moved 1-2mm so far, and I have to hope I don’t damage anything by prying at the drive like this. I can see I’ve already scraped black paint off the drive.

Fie!

Perhaps this is why they came up with a totally different drive mounting design in the similar-looking Mac Pros.


Upgrading from Tiger Server to Linux

For over a year now, I’ve been following the development of Mac OS X Server 10.5 Leopard and testing betas, and anticipating upgrading reppep.com from Tiger Server on a dual 1.25GHz Power Mac G4 to Leopard Server on a dual 2GHz Power Mac G5. Over the weekend I had a change of plans, though.

Although I support Mac OS X Server at Rockefeller, I don’t recommend it for most requirements, as Linux compares favorably for transparency (some of the MOSXS internals are unique and poorly documented), server software compatibility (although Macs are quite good here too), and price/features at the low end. A Core Duo Mac mini has plenty of juice to saturate our 768kbps/3mbps DSL circuit, but adding a couple drives more than doubles its price, and Apple’s software RAID is quite broken; Linux software RAID is apparently quite good; I might eventually switch to hardware RAID. An Xserve is a great piece of hardware, but it’s a bit exotic and I can get a fast generic PC cheaper; I don’t want all the high-end features for a box that sits in our apartment.

Additionally, I’ve read perhaps 600 pages of docs on Leopard Server, and had another 400-1500 yet to go. This is an investment I was finding hard to justify. The migration process is quite complicated, and Apple doesn’t support migrating accounts from a Tiger system to a Leopard system — I don’t want to do an upgrade. I could clone the G4 to the G5 and upgrade it there, but I prefer to handle upgrades as scratch installations with manual migration of applications, so I know exactly what’s been done. A lot of this is masked by upgrade procedures.

As part of this, I’ve decided to invest a bit more time in learning RHEL5 — we have a couple systems at Rockefeller, but not much in production yet, and now seems like a good time to dig in some more.

Fortunately, all the services I’ve been using on reppep.com are available on Linux (and FreeBSD), so aside from another incredibly inconvenient password change cycle (for which it is arguably time anyway), the switch should be largely transparent to reppep.com users, although I still have plenty of research to do.

A brief timeline of reppep.com

  1. 1999: I left the National Audubon Society, and bought the Power Mac 7300 with accelerator card I’d been using there. I set it up with LinuxPPC and Apache, and started offering free web hosting to friends & family. LinuxPPC was eventually discontinued.
  2. I upgraded from LinuxPPC to Yellow Dog Linux, which was better than LinuxPPC, but had serious flaws.
  3. 2001: I was working on a couple remote FreeBSD machines (as admin of the Info-Mac server, and a user on the Apache Software Foundation userhost), and decided to learn more; I bought a cheap Celeron PC and installed FreeBSD 4.3 (IIRC); I upgraded through about v5.1 and a Pentium 4 (giving the Celeron box to the Info-Mac Archive, where it became the Info-Mac server for a while). I learned a lot about FreeBSD and UNIX in general, but eventually realized I was investing more time learning FreeBSD than I could justify. The best thing about FreeBSD is not a technical feature, but rather that the user community is so rich with knowledge. Reading the FreeBSD-STABLE list was amazing, as there was so much depth, freely shared with the community. While running on FreeBSD, I added mail services to the web services I had been offering. Note: Disruptions to personal email service are much worse than problems with personal web service.
  4. 2005: It became clear that I needed anti-spam, so I began researching SpamAssassin. While I was figuring out how to build the SMTP sandwich, with a public untrusted Postfix listener on port 25 & 587, and a filter, and then a listener on a high port like 10025 to accept and deliver mail to actual users, I installed a beta of Mac OS X Server 10.4 “Tiger”, which had the whole thing implemented, plus ClamAV as a bonus. I started testing heavily before the release, and switched to MOSXS 10.4 shortly after it was finalized. It’s been very good, but as time has passed, I’ve had more and more problems. In particular, Apple chose to use Cyrus as an IMAP/POP server, and Cyrus is complicated, but Apple ignores the complexity; this can make troubleshooting impossible. The SpamAssassin installation is slightly broken; it’s a bit too old to offer the newer SpamAssassin self-upgrade mechanism. Server Admin is great, but has a bunch of bugs around SSL certificates, some of which destroy the certificates. Blojsom was nice, but Apple’s installation was very unstable; I eventually moved my blog to WordPress hosted externally.
  5. 2008: I intend to switch to CentOS 5.1, which is basically a (legal) no-charge clone of Red Hat Enterprise Linux 5.1. This should make future upgrades a bit more straightforward, as I won’t have to deal with Apple’s Open Directory (OpenLDAP); it will also give me a bit more experience with RHEL5, which is a better investment for my time than Leopard Server.


Holiday Albums

I take a lot of pictures of Julia, and every year we make holiday photo albums (normally from iPhoto); last year we got 6.

I just went through December 2006’s photos, picking 5. Now I have 2,400 that made the initial cut from January through November 2007 to review. There are also 47 Julia took this year to check out.

It’s a big job! The books tend to be a bit longer than the base 20 pages, but we like them.


iPhoto: Cropping is much improved

I’ve been complaining about iPhoto’s Crop command for years (generally to Apple). Crop worked, then it got erratic, then I complained, and then Apple disimproved it, removing the flaky feature (Keyboard shortcut? Something like that). This removed the bug from their dashboard at a cost in functionality and convenience.

In iPhoto 7 (iLife 08), cropping is much improved. Hit the ‘c’ key to start a crop. Since grabbing the handles is problematic with top and bottom strips that flash over the photo at the edges of the screen, iPhoto helpfully (in full-screen Edit mode) shrinks the whole photo to not touch the edges. It looks strange, but helps a lot. When done, hit Enter to perform the crop.

There are still several rough edges, though:

  1. Sometimes the un-cropped image appears. This is confusing!
  2. iPhoto 6 always set a consistent proportional default crop area when selecting a new image. I liked this, as it offered a standard (relative) resolution when cropping photos, and I used that suggested size to size some photos the same. This is minor, but I miss it.
  3. The crop constraint (I normally use “4 x 3 (Book)”, which can be inverted with the Option key) sometimes gets unset; it should stay the way I set it (ideally, even across launches of iPhoto). Additionally, when the Crop checkbox clears itself, the proportion flips back to “3072 x 2304 (Original)” on images from my Canon PowerShot SD800IS.
  4. The default crop constraint (original) for some reason cannot be inverted with Option, so I have to switch to “4 x 3 (Book)” when I want to crop “crossways”.


Yay! Leopard fixed kickstart

ARD includes a very handy script called kickstart (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart), to configure the Remote Desktop agent, which is also what Leopard’s Screen Sharing uses. This is important because Murphy says that you will always first need to connect to a recently installed machine and only then discover the ARD agent is off. With the kickstart agent, you can configure user access to Remote Desktop through an ssh connection, and turn the agent on.

Unfortunately, it never worked for me. I have tried to use kickstart on at least 4 separate occasions (always on Tiger systems), and it never did what I wanted. Tonight, I used it on a 10.5.1 system, and in about 5 minutes I had access (manually tunneled through ssh, no less). It would have been faster if the kickstart command was simple (it’s somewhat involved), or if I wasn’t determined to configure access controls before turning on ARD. It’s easy to configure ARD access via System Preferences:Sharing, but bad practice to enable services without access control configured.

Hoo-rah!

To learn about kickstart, use sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help. If WordPress won’t let you read that whole line, try copying it into another program. Apple’s Apple Remote Desktop Administrator’s Guide includes some helpful examples.

We also use a UID 0 account, which doesn’t appear in System Preferences:Sharing, so I tend to create the account, set the UID, remember ARD, and curse as I discover I can no longer enable ARD access to that account without restoring the UID — quite a nuisance. Since local accounts are now stored in .plist files, adding our UID 0 account and giving it ARD access should both be much easier now.
