Archive for bug

Today’s Linux tip: “yum localinstall”

I needed to install the Citrix ICA client on CentOS 5.2 (RHEL 5.2), but it has very strange dependencies — it complains about a version of libXaw which is present, demands an older version of libXm, and requires manual installation of openmotif 2.2.

The trick (thanks, FriedChips!) was yum --nogpgcheck localinstall ICAClient-10.6-1.i386.rpm, rather than rpm -Uvh ICAClient-10.6-1.i386.rpm. This way yum chased the dependencies for me, and didn’t refuse to install the unsigned Citrix package.
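A check to run before the --nogpgcheck install above, as an added example that is not part of the original post: with GPG checking switched off, the only integrity evidence left is a digest obtained from the vendor out of band, so the install is gated on it. The function names are hypothetical, and the availability of a vendor-published SHA-256 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): gate an unsigned local RPM
# install on a SHA-256 digest obtained from the vendor out of band.
# Function names are hypothetical; the expected digest is supplied by the caller.

# Print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_rpm_digest FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_rpm_digest() {
    vr_file=$1
    # Accept upper- or lower-case hex from the vendor page.
    vr_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$vr_file" ] || { echo "cannot read: $vr_file" >&2; return 2; }
    vr_actual=$(sha256_of "$vr_file")
    if [ "$vr_actual" = "$vr_expected" ]; then
        return 0
    fi
    echo "digest mismatch for $vr_file" >&2
    echo "  expected: $vr_expected" >&2
    echo "  actual:   $vr_actual" >&2
    return 1
}

# guarded_localinstall FILE EXPECTED_HEX
# Only reaches yum if the digest matches.
guarded_localinstall() {
    verify_rpm_digest "$1" "$2" || return $?
    # Show what rpm can still check on an unsigned package (header/payload
    # digests) and which dependencies yum is about to chase.
    rpm -K "$1" || echo "note: rpm -K reported a problem with $1" >&2
    rpm -qp --requires "$1"
    yum --nogpgcheck localinstall "$1"
}

# Stand-alone use: script.sh PACKAGE.rpm EXPECTED_SHA256
if [ "$#" -eq 2 ]; then
    guarded_localinstall "$1" "$2"
fi
```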

Next I associated launch.jsp with /usr/lib/ICAClient/wfica.sh — Citrix should have used .ica instead, because .jsp is used for other things. IIRC, EMC NetWorker used .jsp to launch their graphical console.

Unfortunately the ICA client insists on being wider than the physical display, but I can work around that. I wonder if it’s because I simultaneously connected to the same XP system via RDP from both Linux and a Mac with different resolutions.

Update: Citrix is fixed on the size of my MBP’s 1440×900 main display, which means it doesn’t fit properly on the MBP’s external 1280×1024 (or landscape 1024×1280) or my Linux box’s 1280×1024.

Annoyingly, Citrix assigns the Mac’s Command key to Alt on the Windows host. This doesn’t work well, because although they avoid most Command key combinations in the ICA Client, Command-Tab switches Mac apps rather than Windows windows. Guys, just use the Option key! It even says alt on it, and nobody needs that key for Mac specific functions! Today’s happy discovery: Command-Option-Tab switches Windows apps.

Next I have to figure out how to de-assign Alt-Tab from switching virtual workspaces in KDE. Copy & Paste don’t work consistently when connected from KDE either, presumably because some events are being intercepted locally and others are being passed through. I won’t need to use KDE as a Citrix terminal for much longer, though.

Crud. After all that, the Citrix ICA client doesn’t display most text, making it useless. I can get some things to display by selecting them, but many things (including dialog boxes) are un-selectable. Junk!

iPhone Apps: First Impressions

I’ve been waiting for NetNewsWire for iPhone since I first heard of it, and have already registered Twitterrific Premium, which is very slick (although I’m not sure how GPS or photos work). I am somewhat disappointed that NNW/iPhone doesn’t proactively download updates; that’s one of the nice things about NNW on the Mac — it’s always pretty current, and I never have to wait for an update. On the iPhone, where I may not even be able to get an update on the train, it’s problematic. I was hoping NNW/iPhone would proactively sync feeds, so I could use it on the subway while out of coverage, but no joy.

Twice, all apps have failed to launch until I rebooted, and I’ve had a couple unexpected reboots.

Most apps are very slick, although AIM and iMaze both disappoint. Very much looking forward to using Remote for real, and wondering if I should have gotten an Apple TV for our living room stereo instead of an AirPort Express/n…

There’s a trick to replacing the 4 persistent apps in the Dock at the bottom: you cannot drag into the Dock to bump them out of the way; instead you must drag something out of the Dock to make room first, and then you can drag an app into the free space.

It’s annoying that deleting an app from the iPhone leaves it on the Mac; more so that re-synching re-installs the app on the iPhone and forces a full (slow) backup of the iPhone. Adding insult to injury, I cannot control-click an app in iTunes to re-install it, or get rid of the confirmation on every deletion from iTunes.

The AIM client stinks. Not sure if it’s push enabled, but it has serious flaws and bugs, both.

Moving apps around Springboard is a bit buggy. As I moved them from one screen to another, Springboard moved a bunch of extra apps to later screens — many more than were actually necessary to make room. I always have 7 screens of apps, even when they all fit on 6. Under 1.1.4, there were no empty screens — empty ones were automatically removed; I preferred that behavior.

I expect to get an iPhone 3G Monday — can’t do it this weekend.

Where’s the OpenSSH port?!?! I do hope Apple didn’t reject a submission…


Update 2008/07/12: The extra screen is correct. When in app rearrangement mode, the iPhone always provides an extra screen so I can move apps there; in normal mode the extra screen goes away.

reppep service interruption

Ouch! At 10:31pm last night, I started patching both Linux servers running reppep and associated domains, prompted by Rich’s BIND alert. At 12:33am, www.reppep.com finished installing approximately 255 CentOS patches (including BIND), and I rebooted. Everything looked fine, and I went to bed. This morning, I thought it a bit odd that I didn’t have any new email, but not that unusual.

Melissa left me a message that mail wasn’t flowing, but I couldn’t fix it at work. Tonight I discovered that amavisd-new, which handles filtering for reppep email, was unable to start. Strangely, it was complaining about the Compress::Zlib perl module, which was actually installed (version 2.008, via the perl-Compress-Zlib-1.42-1.fc6 RPM). Some more digging indicated Scalar-List-Utils-1.19 needed to be reinstalled, which enabled amavisd-new to start (it checks for Compress::Zlib and refuses to start if it finds something wrong, which was apparently triggered by the Scalar-List-Utils issue).

mailq showed me postfix was now getting errors from amavisd-new about MIME::Parser and File::Temp. CPAN reinstalled MIME::Parser and said File::Temp was already current.

I bounced amavisd-new again, and tried postfix flush. Over the past 15 minutes, postfix has delivered the ~650 outstanding messages, and all seems well.

Separately, Alex noticed our blogs were inaccessible, but bouncing BIND tonight cleared that — odd, as I checked http://www.bertpepper.com/ and got valid DNS resolution from both nameservers immediately after patching, but obviously something I didn’t notice was still scrambled.

Anyway, at 8:45pm, all seems present and correct.

Sorry for the disruption!

Outlook Problems #6

Outlook’s default behavior is to sort new messages to the top of mailbox windows. I prefer new messages at the bottom, but have noticed that when I start reading mail, threads with new messages appear at the top. So I tried reading mail the way Outlook wants me to, but it still sorted newer messages within each thread (“Conversation”) to the bottom of the group, and deleting messages still moved down (to an earlier message in this arrangement). Since it doesn’t work right either way, I might as well do it the way I’m used to: newest at bottom (as of the time I first display or last Refresh the mailbox; the newest stuff still floats to the top, which I cannot prevent).

Sometimes when I delete messages, Outlook selects the next message down (which is correct, given that I view messages in ascending date order). Other times it selects the top message in the mailbox, which is only the right thing to do if it’s the last message in the mailbox. This inconsistent behavior may be connected to whether any off-screen messages are selected, but that shouldn’t matter. I shouldn’t have to wonder where the selection will go, or try not to select messages across more than one screenful at a time, or rush through selecting and deleting mail or collapsing threads, for fear of a new message coming in, removing my selection, and selecting, previewing, and (almost) marking one of those messages read, before I had a chance to delete, mark, or collapse it. This means that if client-side filters are active, the user must wait after launching Outlook, until it’s finished filing messages into the current mailbox, as new messages will constantly disrupt the selection until Outlook is finished running client-side filters. Even if Outlook has been running a while, it’s easy to select a few messages for processing, be interrupted by new mail, deal with whatever was previewed and start selecting again, be interrupted again, and have to deal with the second undesired selection/preview before attempting to return to manual selection for managing email. Amazingly frustrating, and a great way to “lose” unread mail.

With a multi-monitor setup, the best way to use Outlook is with the mailbox filling one display and the attached preview pane covering most of another display. Unfortunately, as I select different mailboxes, the preview turns off. Each mailbox has its own preview state, which is important because I generally only read messages (via preview) in my “fresh” search pseudo-mailbox. In other mailboxes, clicking a message shouldn’t mark it read, so preview is a bad thing everywhere except in “fresh” (and often in “fresh”, as well!); unfortunately, viewing messages in their own windows is prohibitively slow. The very confusing thing is that sometimes Outlook spontaneously turns off the preview and shrinks the mailbox to its size excluding the preview. This leaves the mailbox covering one display but not extending onto the next; it looks maximized, but isn’t actually in the maximized state. When I switch back to a mailbox with preview on (“fresh”), it reappears one character wide, rather than covering most of the secondary display as before. Very aggravating — I think the workaround will be that I must use one window for my “fresh” filter (with preview), and another for other mailboxes (no preview). Hopefully I can escape more bites from these two bugs.

In Outlook, it’s impossible to mark a message (un-)read from the message window, or even to determine directly what mailbox it’s in. I find myself searching across all mailboxes by title and refining by date (which I can see in the message window) to find out where the message is, so I can mark it unread for later attention. It’s also impossible to open a message in a new window from the reading pane; the workaround is to Shift-Tab back into the mailbox window and then hit Enter to open a new message window from there.

I often want to delete a collapsed thread (“Conversation”). Outlook insists on expanding it first, which wastes time and often results in unread messages appearing and then being deleted — disconcerting, as it gives the impression I’m losing important (unread) mail. Worse, Outlook cannot mark a thread unread without expanding it, which moves the selection into the thread and marks that one or two messages read when deselected (unless the selection lasts a second or less, as I have set Outlook to mark messages read after a second, because I cannot eliminate the delay, and above one second it doesn’t automatically mark short messages which I read quickly as read; I have to go back and mark them read manually later). If I have just read a new message in threaded mode, and want to mark it unread, I have to either hit Control-Q to mark it read or move to another message and back (assuming I’ve had the current message previewed for at least a second), mark it unread (Control-U), then hit left-arrow to collapse the thread.

Worse is when I want to mark a whole thread unread (more common). Then I have to collapse the thread to implicitly select the whole thing (switching to and from the mouse slows me down, and I get too much mail to be inefficient in dealing with it); hit Control-U to mark the whole thread read (implicitly expanding it), then hit left-arrow within a second to collapse it again before Outlook decides I’ve read a message in preview.

When I delete a message, Outlook immediately selects (and previews, in “fresh”) another message. When I’m reading mail, this is generally what I want, so I can deal with the next message. When I’m trying to delete or file mail, it means Outlook automatically starts the process of dealing with another next message, and unless I’m very quick marks it pseudo-read (as soon as I deselect), so I must decide what to do about the new selection. This makes it harder to stop reading mail in the current mailbox, as every time I complete an action, Outlook picks the “next” message and engages me in dealing with it; stopping without losing unread status on a message I haven’t actually read yet requires contortions. When I know I’m about to stop, I tend to deal with a message or thread and then hit Control-up-arrow to jump to the top of the mailbox, which should be the first message I read (so already marked read), but is often a new message that’s come in recently; I then have to decide on and handle that before I can move on to another mailbox or activity.

Normally, when a thread (“Conversation”) is collapsed, Outlook deselects its messages. Sometimes (unpredictably) it still shows the preview for a hidden message, which breaks the Control-Q Control-U left-arrow dance, and I have to instead hit Control-Q Control-U left-arrow up-arrow to get a collapsed unread thread.

F5 (Refresh) doesn’t clear collapsed conversations; this is annoying. On the other hand, sometimes messages disappear immediately upon being marked read, which means I don’t even get a chance to mark them unread; they’re effectively just gone. I have no idea what triggers the second problem; fortunately it’s rare, as it tends to result in losing mail — often mail I was saving for later attention.

Control-Q marks individual messages read, but cannot be used on whole mailboxes (with the selection in the left-side mailbox column). There’s no good reason for this, as marking whole mailboxes read is a common function, and in the pop-up menu, it just doesn’t have the obvious keyboard shortcut.

Outlook cannot select multiple mailboxes at one time, which is ungood; on the other hand, it makes an effort to be helpful — when I select a mailbox, it kinda-sorta moves the selection into the message list (which is pretty reliably what the user really wants, since you can’t do much with mailboxes except delete or move them). It’s all a bit confusing.

If I have a message which has been previewed for over a second, I know it’s effectively read (it will be marked as such as soon as I deselect it, unless I drag it into another mailbox first). It would be good if I could use Control-U to tell Outlook not to mark this message read as soon as it gets deselected, but instead I have to mark it read, then mark it unread, and then move away within a second — before the preview timer marks it mostly-read again.

Apple TV in the House

We got an Apple TV this week, and it’s excellent, although I tripped over some serious network problems (more Mac problems than Apple TV problems, actually).

Compared to our TiVo (upstairs) or our Time Warner Scientific Atlanta HD DVR, the Apple TV is surprisingly advanced. The SA box keeps losing signal (probably TWC’s wiring at fault, but they keep not fixing it), and is much larger (and noisier) than the Apple TV; basically it’s a piece of junk, but it’s substantially cheaper than another TiVo. We’ll probably get rid of this DVR and our downstairs cable connection in favor of the Apple TV very soon.

Comparing the Apple TV to the TiVo is more interesting, not least because people have been comparing the two companies for years, and keep demanding that Apple build a TiVo killer (both before and after the Apple TV release). Given how badly cable companies stink, it’s hard to believe Apple should embroil themselves in this mess, but they seem to be doing okay with the iPhone, and phone companies aren’t much better than cable companies. People also want Apple TVs to play DVDs, which is an obvious feature, but would be less profitable for Apple than iTunes Store rentals and purchases. But back to the comparisons.

The SA DVR has exactly one advantage over the TiVo (aside from price): its “Ouija board” — when you need to “type” with a very limited keyboard, the TiVo makes it possible but not easy. The SA box improves the experience by dimming (and skipping over) invalid letters (which would spell words that don’t match the list of available shows). The Apple TV, interestingly, has an unimpressive on-screen keyboard and a very limited remote (it’s the same one Macs ship with, meaning 6 buttons: 4 directions, play/pause, and menu/back). But it’s easier to use, because the Apple TV doesn’t lag behind user input as much (it doesn’t have to match input against all possible titles, remember), and tactile response is very good; I only made one typo when entering usernames of several friends, and it was easy to correct, even though Delete is an onscreen selection (no Clear key, as on the TiVo remote).

This brings us to another interesting comparison: the SA box has Internet connectivity (I think it’s channel 996 that shows the current IP), but doesn’t use it for anything except the electronic program guide and purchasing pay-per-view (which we don’t do). The TiVo adds TiVo-to-TiVo transfers of shows (we only have one, so haven’t tried it), scheduling via http://www.tivo.com/tco/, an unsupported web server which allows downloading encrypted/watermarked television shows, and the ability to run applications from a server (either at home or across the Internet). Applications allow you to play music or slide shows from a Mac or Windows PC, or slide shows (from your Picasa or Yahoo Pictures account — but not Flickr, even though Yahoo owns Flickr!). Unfortunately, you cannot combine these applications, so it’s impossible to listen to music while watching a slide show on the TiVo. TiVo has apparently dropped support for third-party development.

The Apple TV, on the other hand, does this all much better. Out of the box, it comes with a set of high-quality flower photos, which run as a slide show when idle. Music can be a) played from the Apple TV’s hard drive, b) streamed from iTunes on a Mac or PC (controlled from the Apple TV), or c) streamed from within iTunes in AirTunes+ mode — iTunes sends audio and ID3-style metadata including cover art over the network to the Apple TV. In any of these modes, track information is displayed onscreen, and if the Apple TV is left idle, it starts showing a slide show (ours is photos of Julia, of course); this doesn’t interfere with music playback at all.

Compared to TiVo’s lousy support for Yahoo Photos (!?!) and Picasa (they want you to create your own account and log into it before downloading any photos), the Apple TV supports Flickr and .Mac photos, as well as the owner’s own via iTunes, of course. There is a clear hierarchy of user experience here: no support on SA/TWC; poor slide shows or mediocre media streaming on TiVo; high-quality music and photos on the Apple TV, pre-loaded with nice photos for a superior out-of-box experience.

One of the few things I regret about the Apple TV is that I bought it from Apple; I didn’t get an educational or corporate discount, so I could have gotten it faster for $15 less from Amazon (via Prime), but when I tried to cancel the order at store.apple.com it had already gone through (less than 5 minutes after pressing Submit). This should be the worst problem I have with the new gadget!

Unfortunately, it wasn’t. The Apple TV would not synchronize content from iTunes; I was able to play music through it (AirTunes), but it mostly refused to show up in iTunes’ DEVICES list. I got a warning about port 3689 possibly being blocked by a firewall, which I initially ignored, knowing I had specifically allowed iTunes to connect through Leopard’s “socket firewall”.

The Apple TV AppleTV is not responding. Check that any firewall software running on this computer has been set to allow communication on port 3689.

pepper@prowler:~$ grep 3689 /etc/services 
daap            3689/udp    # Digital Audio Access Protocol
daap            3689/tcp    # Digital Audio Access Protocol

The second time I got this message, with iTunes’ Preferences claiming the Apple TV was synching even while it wasn’t fully accessible, I did some searching, and found out that indeed several people needed to open up the socket firewall before Apple TV synching would work. I did this, and lo and behold, our Apple TV now has the proper 12gb of video, 51gb of audio, and 3gb of photos it should. It’s bad that iTunes wasn’t properly whitelisted in the firewall, but it’s much worse that people need to turn off a security feature to make the Apple TV work. Fortunately, after I switched the firewall back to “Set access for specific services and applications” (where it should be), the Apple TV continued to appear and synch properly; bug filed with Apple.

That brings up another bug: we have a Gigabit Ethernet network (3.5 switches — 8-port, a couple 5-port, and the 3-port built into our Time Capsule) and an 802.11n network, but unfortunately the wireless doesn’t work right. At 5GHz, I keep losing my connection; at 2.4GHz it stays up everywhere except the guest room (which has no Ethernet), but speeds throughout the apartment are poor and connectivity is less reliable than our 802.11g Airport Extreme network. Since I haven’t fixed this yet, I much prefer to do large transfers over the wired network.

The Apple TV connects to a running copy of iTunes to download content; in my case, most of the connections (once I got past the firewall issue) were to the AirPort IP address, which prevented them from making progress on the 65gb transfer. I had to disable AirPort to force the Apple TV over to the Ethernet connection, which was much faster; after it was done I re-enabled AirPort, but that’s another bug (also reported, and yes, I do have System Preferences set to prefer Ethernet to AirPort).

WordPress upgraded

Half because WordPress really needs to stay upgraded, and half in hopes of fixing the Admin-SSL bug which was blocking posting, I upgraded to WordPress 2.5, a compatible beta of Admin-SSL (now under new management), and a few other plug-ins.

Not knowing how well the upgrade would go, I did the safe thing — I installed WP 2.5 separately from the live Extra Pepperoni site, installed and configured all the plugins I use (with my personal patches), created a new MySQL database, and configured everything, including a couple test comments (not as myself). After I got it working, I brought down the old site, moved the new one in place, reconnected it to the old MySQL DB (with all posts and comments), clicked the button to upgrade, and we’re up.

Unfortunately, there’s still a problem with comments. When I log into a new account to comment, I get a link to https://secure.reppep.com/wp-admin/profile.php, which is bogus; it needs to be https://secure.reppep.com/ep/wp-admin/profile.php. If you have an existing account (Tony), you might be able to login through https://secure.reppep.com/ep/wp-admin/ and comment, but it seems that viewing an actual post (which must be non-SSL) still loses its association with the login session, so you can visit the HTTP site as an anonymous user, or use the HTTPS site as your registered user, but the plaintext side has no access to comment, and the encrypted side doesn’t show the posts you would want to comment on. Hopefully BCG will be able to fix the problem in Admin-SSL. He’s already fixed the Preview function.

Also freaky: When I log into EP as a brand-new user (to comment), I get the Dashboard, telling me I (the brand-new user) have 184 posts. I didn’t think Subscriber users saw the Dashboard, but the post count is definitely bogus.

I did the initial installation as a Subversion checkout, which is very cool. Now, though, I have to create my own private WP hacks repos (easy), and figure out how to set up externals to pick up my additions.

A tip: Don’t try to check out the WordPress source over AFP; the permissions weren’t right, and the checkout couldn’t complete; when I did it locally on the Linux server, there was no problem. I hadn’t even noticed I was running “svn co” on the Mac instead of the server, but it was easy to fix once I noticed the cause.

Outlook Flaws #5

I found a couple pages of Outlook keyboard shortcuts (the online help lists shortcuts too):

Many of these are standard Windows shortcuts, but a few are useful and news to me.

Eudora stopped working on my home MBP recently, so I’m back to Thunderbird, and it strikes me how similar Thunderbird is to Outlook, even extending to some misfeatures (design flaws, not quite bugs), such as over-using the Esc key. Compared to Eudora, pine, and Apple Mail, Thunderbird is clearly much closer to Outlook. A few things are notable improvements, such as being able to mark messages Read and Unread with the M key, instead of Ctl-Q/Ctl-U, or S to flag messages (stored as an IMAP tag; this shows up in Eudora as Label 15). And with a mailbox selected, Ctl-Q doesn’t mark all its unread messages read, which it should.

In both Outlook and Thunderbird, Esc closes message windows; this is inconsistent with all other full windows, which are closed with Command-W, and makes messages feel particularly ephemeral. In Outlook, when I open a received message and hit the Space bar to scroll to the next page (which works in every other email client and browser I know), it instead inserts spaces at the beginning of the received message, which of course is not what I want.

I cannot find a good way to sort threads by date; I’d like every thread (perhaps every thread with new messages) grouped together, with the messages in each thread sorted internally by date, and the threads sorted by date (typically of the first message). In Outlook I can group “Conversations” by Subject: or group by From: line, but new messages keep showing up at the top of the mailbox, instead of the bottom (where they should sort, by date).

I have figured out more what’s wrong with Refresh. First, I have to hit F5 repeatedly to make Outlook clear more and more read messages from unread-only views; second, collapsed conversations are not cleared; I have to expand them out and then hit F5 again. This is particularly annoying because Outlook has such a strong tendency to always keep one message selected and thus read (although it’s not marked read, so I cannot simply mark it unread; I have to mark it read, then mark it unread, and then make sure Outlook doesn’t preview it again), so it’s quite difficult to reorganize a mailbox and get to a “clean” view (only new messages/threads) without losing some messages which Outlook insisted on selecting/previewing/marking read while rearranging.


And a little attention (not “love”) for IE: I still hit Ctl-L to select the URL for copying, and IE7 still fails to do it, bringing up a blank URL entry dialog, instead of selecting the URL in the current window as Safari & Firefox do. I shouldn’t need the mouse to copy the current URL.

Outlook Flaws #4

I can write Outlook rules to match on Subject strings, but it lacks “Starts with” instead of “Contains”, so I cannot specify original messages, and distinguish from Re: for replies.

The filter area shows a list of criteria with checkmarks at the top with blue underlines under the keywords. The bottom shows the same labels, with the same blue underlines. But at the bottom they’re “links” to dialog boxes for entering the criteria, while at the top the same “links” aren’t clickable. Way to mis-use a visual cue, and do it in the most confusingly inconsistent way possible!

Oh, and the rules dialogs are all modal, so once I start creating a rule, I cannot open candidate messages to confirm the rule matches.

I’m still aggravated that I cannot match on partial strings, like “The Notification Agent” or “root@” (across multiple machines) in the From: line. Matching on Subject: (especially unanchored) is much less precise.

When I delete multiple messages, why does Outlook select a random message, instead of the next one?

In Conversation mode (which would be a lot more useful if it didn’t waste 2 messages worth of space per “Conversation”), if I use down-arrow to select the next conversation, it expands the conversation instead. Use left/right to collapse/expand conversations — they aren’t needed for mailbox navigation! At least Control-KP+ expands all Conversations.

I hit the accursed 32k rules limit. Despite this post, our systems cap rules at 32kb total (client-side + server-side). Apparently this will go to 256kb, once we’re upgraded to Outlook 2007 and Exchange 2007. In the meantime, I’m spending a significant amount of time every day trying to make Outlook 2003 do decent filtering, with very limited success. In particular, Outlook is apparently unable to filter From: “root@*” as a catchall. This would make alerts easier to parse, as distinct from human-originated messages. Yuck!

Commenting Is Currently Broken

pctony (congratulations on your Apache httpd PMC membership, Tony!) just informed me that comments here are broken. I knew Preview was broken, and am guessing that it’s a problem with my configuration of Admin-SSL, but hadn’t known it affected anyone other than myself. Admin-SSL in this configuration creates a disruption between the public (reading) side and the SSL-encrypted authenticated side, and preview & user logins for commenting both appear to be falling into that crack.

If I can’t get Admin-SSL working this way, I’ll come up with something else, although at this point I’m hoping Haris can tell me how to sort myself out.

In the meantime, I’m sorry for the inconvenience (especially Tony’s).

His two suggestions were to quote the path in the UltraEdit installer, or to use “dir /x” in CMD.COM to find the DOS-style 8.3 pathname of the destination folder. Unfortunately, I seem to have been wrong about the cause for their installer’s terribly vague “1925” error message, as I tried another viable path (not containing spaces) today, and UE failed to install there too. Perhaps it’s a registry access issue — I sent email to IDM Software, and hope they have a more useful suggestion than “become an administrator”.

Time Capsule DNS Bug?

I just got a 1tb Time Capsule — it was a natural accessory for my new MBP, since I finally have a Mac with 802.11n support, and I routinely move large files or folders (500gb-8gb) around our home network; I also like the GE ports.

The Capsule replaced a WRT54G (hacked) and an AirPort Extreme — the APE is now serving as a print server in WDS mode (overkill, but otherwise it would just sit on a shelf, and the print server is handy). It is also providing backup space for all three of our laptops (including Julia’s), and the magic of Time Machine seems like a good security vs. convenience compromise — keeping conventional AFP or SMB shares from reppep.com mounted all the time on all three laptops would be suboptimal. Time Machine seems to handle mounting & unmounting gracefully.

On to the meat of my problem, though: Once I set up the Time Capsule, I noticed my MBP (10.5.2 latest) was getting the TC’s IP as its only DNS server via DHCP. This is annoying, as I configured the TC with 2 upstream DNS servers, and I want it to configure my Macs with at least those two; if the TC inserts itself first that’s fine, but it shouldn’t be my only nameserver.

The problem is aggravated (considerably!) by the fact that the TC is not actually serving names. My dig queries against it all time out.
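The two symptoms above (a single DHCP-assigned resolver, and that resolver not answering dig) can be checked together. The script below is an added example, not part of the original post: it reads a resolv.conf-format file, probes each listed nameserver with one short dig query, and fails if there are fewer than two resolvers or any of them gives no reply. The function names, the 10.0.1.1 sample address and the example.com test name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit DHCP-assigned resolvers.
# All function names are hypothetical.

# Constructed sample: the resolver list a client ends up with when the
# router hands out only itself. 10.0.1.1 is a made-up router address.
sample_resolv_conf() {
    cat <<'EOF'
# constructed sample, not captured from a real host
domain example.lan
nameserver 10.0.1.1
EOF
}

# Print one nameserver address per line from a resolv.conf-format file.
# Commented-out entries ("#nameserver ...") are ignored.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "${1:-/etc/resolv.conf}"
}

# Ask SERVER for NAME once, waiting at most 2 seconds.
# dig exits non-zero when the server never replies; any answer at all
# (even NXDOMAIN) counts as "serving".
probe_nameserver() {
    dig +time=2 +tries=1 "@$1" "$2" A >/dev/null 2>&1
}

# The probe is looked up by name so it can be swapped out for offline tests.
PROBE=${PROBE:-probe_nameserver}

# audit_resolvers [CONF] [NAME]
# Prints one status line per resolver plus a summary.
# Returns 0 only if at least two resolvers are listed and all of them reply.
audit_resolvers() {
    ar_conf=${1:-/etc/resolv.conf}
    ar_name=${2:-example.com}
    ar_total=0
    ar_alive=0
    for ar_ns in $(list_nameservers "$ar_conf"); do
        ar_total=$((ar_total + 1))
        if "$PROBE" "$ar_ns" "$ar_name"; then
            ar_alive=$((ar_alive + 1))
            echo "reply     $ar_ns"
        else
            echo "no-reply  $ar_ns"
        fi
    done
    echo "summary total=$ar_total alive=$ar_alive"
    [ "$ar_total" -ge 2 ] && [ "$ar_alive" -eq "$ar_total" ]
}

# Stand-alone use: script.sh /etc/resolv.conf [name-to-resolve]
if [ "$#" -ge 1 ]; then
    audit_resolvers "$@"
fi
```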

On a related note, nmap points out that the Capsule is running an FTP server, which I (fortunately) cannot actually log into. I don’t see FTP anywhere in the UI or help (aside from a note about forwarding FTP through NAT). FTP is evil, and I don’t want it on at all! I know why ports 139 & 445 are open — to support SMB/CIFS and WINS, which I could configure but cannot turn off — but why RTSP and RealServer ports, and port 10,000?? I cannot get anything out of 10,000, so it’s not a normal Webmin, but what is Apple doing here??

I filed 3 bugs against Time Capsule, one against AirPort Admin Utility, and one against SP:Network, which I discovered while working around the TC DNS issue.

Meanwhile, I’m not holding my breath for answers & fixes from Apple. Do you all have more information about what’s going on here? Do TC users find a) the TC is the only nameserver assigned via DHCP, and b) it doesn’t actually work as a nameserver??


More Outlook Annoyance

This is odd. I have to use View Options to see full headers (in the Message Options window), but while that’s open, the main Outlook program is visible but completely unresponsive. Message Options is apparently a super-modal dialog, which blocks “other applications”, and the Alt-Tab task switcher doesn’t even show the main Outlook icon. I thought Outlook had crashed, until I realized it was accessible again after I dismissed Message Options.

In fairness to Apple, I’ve seen cases in Leopard where Apple’s Command-Tab task switcher only shows some of the currently running applications (it sorts itself out fairly quickly), but Windows’ super-modal behavior is fscked up, and designed into the application (or the OS!).


Extra Pepperoni Re-Hosted

After DreamHost’s breach 8 months ago, I was aggravated at their poor handling of the situation, but willing to give them the benefit of the doubt, and still happy with their low prices and flexible services.

With the new bad news and worse confirmation (still with poor incident handling), though, it’s time to get out of Dodge.

I have moved Extra Pepperoni back onto my own hardware. I started blogging on Apple’s Blojsom install, but gave up on Tiger Server for Blojsom (and Mailman) because the services kept silently shutting down, leaving me to notice they were disabled days or weeks later (no fault of Blojsom or Mailman — Apple didn’t do a good job porting SpamAssassin either). Bringing up a WordPress blog and mailing lists at DreamHost was easy and cheap, but that’s no good if they are unsafe.

I’ll look at moving a couple very light-duty Mailman lists off DH next, but the lists are so lightly used I’m not too concerned. There just isn’t any confidential information on the mailing lists, aside from their tiny subscriber lists.

Ah, well. I now know much more about WordPress and MySQL than I cared to, but the setup wasn’t too bad. I hadn’t realized how many customizations and tweaks I made to WordPress until it came time to recreate them on my own system:

  1. Almost Spring theme (included by DreamHost); with minor hack
  2. PHP Markdown Extra; with minor hack
  3. MySQL admin UI
  4. WP-DB-Backup (DH included one, which I’m no longer using)
  5. mod_rewrite for permalinks
  6. Admin-SSL, with “Shared SSL” tweak, integrated into my existing SSL site (meaning EP is available through two different “sites”, and I have to keep the Apache configurations reconciled)
  7. Twitter
  8. WP-Cache (DH standard)
  9. Akismet anti-spam registration
  10. Technorati pinger (came over automatically with the DB).
  11. Fix for widget.php to use legal JavaScript tag.


Mac OS X Leopard: Changes and confusion regarding network mounting

Apple put a lot of effort into making network sharing (Mac and Windows networking using the AFP & SMB/CIFS protocols) easier in Leopard. One of the things they did was introduce credential caching at the system level, so once you mount another Mac via AppleShare (for instance), you could then connect to it with Screen Sharing too, without authenticating. This is neat, but a bit problematic. I have had cases where:

  1. I had to kill NetAuthAgent (the background process that appears to hold username/password pairs on your behalf) to make mounting work
  2. I had to rearrange windows around onscreen, because a (stalled) progress window was hiding a username/password window, and never going to get anywhere without some help; other times I have dismissed the progress dialog without realizing it was waiting for a concealed window.
  3. I have had to Force Quit and relaunch the Finder before it could (re-)mount some or all network volumes.
  4. I have had to reboot the Leopard server before I could (re-)mount its volumes.
  5. I have had Leopard systems fail to share out volumes, and had to re-share them manually. Part of this appears to be a different issue, where Leopard systems don’t even mount additional drives until a user logs in (obviously unmounted volumes cannot be mounted over the network). That’s not right!

Tonight’s problem was a bit different — I was connecting to a Windows server running Samba, and not getting the right permissions. When I looked in the server’s /var/log/samba/smbd.log (because I cannot find any way to see the account used for a network mount in the Finder), I discovered that the share was mounted as the wrong user. I had never gotten the username/password dialog for this mount, as I had (the wrong) user credentials cached in NetAuthAgent.

The Tiger behavior is to default to the client username (the account mounting the share from the server). Leopard instead uses whichever user it has a cached credential for. I have now changed my scripts to always specify the username when mounting shares, e.g., open smb://pepper@inspectore/inspector.
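A client-side way to catch the wrong-user mount without reading the server's smbd.log, as an added example (not part of the original post). It assumes `mount` prints SMB shares as `//user@host/share on /Volumes/share (smbfs, ...)`; the sample output, including the hosts and shares other than inspectore/inspector, is constructed.

```shell
#!/bin/sh
# Added example: list SMB mounts that were authenticated as someone other than
# the expected user (the stale cached credential case described above).
# Assumption: `mount` prints SMB shares as
#   //[DOMAIN;]user@host/share on /Volumes/share (smbfs, ...)

# find_wrong_user_mounts EXPECTED_USER
# Reads `mount` output on stdin; prints "host/share mounted_as" per mismatch.
find_wrong_user_mounts() {
    awk -v want="$1" '
        $1 ~ /^\/\// && $0 ~ /\(smbfs/ {
            src = substr($1, 3)                 # drop the leading "//"
            at = index(src, "@")
            if (at == 0) {                      # no user recorded in the source
                user = "(none)"; target = src
            } else {
                user = substr(src, 1, at - 1)
                target = substr(src, at + 1)
            }
            sub(/^.*;/, "", user)               # drop a "DOMAIN;" prefix
            if (user != want) print target, user
        }'
}

# Constructed sample of `mount` output (hypothetical hosts and shares).
sample_mount_output() {
    cat <<'EOF'
/dev/disk0s3 on / (hfs, local, journaled)
//pepper@inspectore/inspector on /Volumes/inspector (smbfs, nodev, nosuid, mounted by pepper)
//guest@inspectore/scratch on /Volumes/scratch (smbfs, nodev, nosuid, mounted by pepper)
//WORKGROUP;pepper@fileserver/home on /Volumes/home (smbfs, nodev, nosuid, mounted by pepper)
EOF
}

# Demo on the constructed sample; on a live system use:
#   mount | find_wrong_user_mounts "$(id -un)"
sample_mount_output | find_wrong_user_mounts pepper
```

Any line it prints is a share whose server-side permissions follow a different account than the one you are logged in as.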


Between Jobs

For dessert: 4 bags of chocolate chips

It feels very very strange to be unemployed — it’s been 7 years since the last time, and I was too freaked out at Shooting Gallery laying me off to feel this way. Now that I’m a grown-up (having kid(s) means you’re responsible, even when you’re irresponsible!) it’s a good thing that we’re covered by RU insurance past the start date for GS insurance, but the whole experience is still very odd. I wiped the third computer today at 5:30pm, and am copying data off computer #4 (old reppep.com) right now in preparation for retiring it (it’s falling apart, apparently — optical drive died an hour ago).

Now I just need Apple to update the MBP15s, so I can replace this PowerBook. It’s doing better than I thought, though — doesn’t seem any doubt that it will serve until the next update.

RU IT did right by me today — a grand spread, consisting of John’s pizza, baby back ribs, beef ribs (they looked like something from The Flintstones), and chicken wings. A nice (short) speech by Armand, and well wishes all around. Elaine hung a bunch of colorful signs, which delighted Julia.

I closed out my helpdesk tickets, turned in my keys (forgot to turn in my ID/swipe card, though), and updated the documentation on our load balancers again, as well as re-re-recapping for my co-workers. I had to say “Look, when you feel like you’re an idiot, don’t worry — I felt like that repeatedly for years while working with these. The Big-IPs are absurdly complicated. Two kernels, a super ’switch card’ that’s doing all kinds of crazy (non-switch) stuff, over 20 IP addresses, 8 networks, plenty of bugs, and delays in getting technical support. It’s not you!”

Maybe I’ll have some time to investigate Linux & Windows text editors.


HP c-Class c7000 Chassis & Onboard Administrator Notes

The Onboard Administrators (we got a pair for redundancy) each ship with a unique password. When you connect them, it appears the active OA resets the standby password to match the active. This was a bit confusing, as OA #2 came up active, and the passwords were not as expected; SSL certificates are created and reloaded in terms of “Active” & “Standby”, so I initially loaded new certs onto the wrong OAs.

ssh Implementation Flawed

The OAs support ssh access and ssh keys, but apparently only for the single Administrator account. This is documented incorrectly — the docs say the last word on the key line is the username the key is for, but actually they’re all linked to Administrator. HP Support doesn’t know much about it. It’s bad when security features don’t work as documented — in this case, it would be easy to follow instructions and upload a key for an unprivileged Operator or User account, unintentionally granting full Administrator access — we had this for a while, until I figured out what was really going on.

The web interface doesn’t allow copy & paste of keys — they must be downloaded by the OA from a web server. Afterwards, though, the public keys (which had to be accessible through a web server, remember) are not visible to other authorized users of the OAs — only Administrator can see or modify keys. Feh.

Additionally, the web interface shows line breaks as ‘^’, so the keys look corrupt. Despite this they work, and display correctly in the command-line interface.
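A pre-upload check for the key file, as an added example (not HP's tooling and not code from the original post): because every uploaded key ends up bound to Administrator whatever its trailing label says, it lists the keys whose label names anyone else. The account names operator1 and viewer and the key blobs are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: audit an authorized_keys-style file before the OA downloads it.
# Every key in the file will grant Administrator access, so any key whose
# trailing label is not "Administrator" deserves a second look.

# flag_non_admin_keys
# Reads the key file on stdin; prints "line_number label key_type" for each
# key that is not explicitly labelled Administrator.
flag_non_admin_keys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
        NF < 2 { print NR, "(malformed)", $1; next }
        {
            # The documentation treats the last word as the account name.
            label = (NF >= 3) ? $NF : "(no label)"
            if (label != "Administrator") print NR, label, $1
        }'
}

# Constructed sample key file (placeholder blobs, hypothetical account names).
sample_key_file() {
    cat <<'EOF'
# constructed sample, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleKEY1 Administrator
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleKEY2 operator1
ssh-dss AAAAB3NzaC1kc3MAAACBexampleKEY3 viewer
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleKEY4
EOF
}

# Demo on the constructed sample.
sample_key_file | flag_non_admin_keys
```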

OA doesn’t automatically configure its accounts onto blade iLO. Instead, it creates an account for OA itself on each blade’s iLO. This is a bit odd, as it means authorized users cannot connect directly to iLO — instead they must connect through an OA, and have the OA login, before using iLO. We will presumably use the Compaq iLO configuration language to deploy our accounts to iLO, but this shouldn’t be necessary.

Good News

On the bright side, the chassis is easier to mount than our (smaller) IBM BladeCenter chassis; it’s also better labeled. The Onboard Administrator interface is better laid out, although it doesn’t work in Safari (seems fine in Firefox/Mac). The command line is a bit less bizarre than IBM’s.

HP makes it easy to dump the configuration to a text file, tweak it, and load it into another chassis, although we haven’t tested yet; they call this “Configuration Scripts”.


Cyrus IMAPd: only about as complex as a USENET news server

For several years, I’ve been saying Apple made a bad choice when they picked Cyrus IMAPd as the POP/IMAP server for Mac OS X Server. It’s a huge and complicated system, encompassing IMAP, POP, SSL, Sieve filtering, LMTP delivery, USENET news, clustering/proxy (Murder), pluggable authentication (SASL), etc. I cannot think of a single company outside Cupertino where it would make sense to run an enterprise mail system on Mac OS X Server, but Apple continues to add these inexplicable high-end features to its mail server, most recently XSan-based email clustering in Leopard Server.

The statement that convinced me (shortly after I had migrated to Cyrus IMAPd on Mac OS X Server 10.4 “Tiger”) that I would never choose to run Cyrus for my personal use, was the following — which I came across again today:

Installation Overview

This system should be expected to have the same order-of-magnitude installation complexity as a netnews system. Maintenance should have similar complexity, except administrators will have to deal with creation and deletion of users and will have the option of managing quotas and access control lists.

USENET news is infamously demanding and bandwidth intensive. It would be wonderful if Apple had taken Cyrus IMAPd, repackaged it (without too many changes!), and put a powerful and simple interface on top. They did this quite successfully with Apache httpd (although Server Admin breaks down on complicated configurations and has obscure bugs). Lots of people use Mac OS X Server to run websites and think it’s easy & simple. Considering the typical reactions of those same people to the httpd .conf files “under the hood”, this is a noteworthy triumph. Similarly, Time Machine provides a reasonable approximation of scheduled snapshots on a high-end NAS for do-it-yourself file recovery, with a simple interface that insulates users from the nitty-gritty of copy-on-write and hard links.

Cyrus did not get as much attention, though. Basically, Apple makes it pretty easy to create email accounts, provides a Repair button for the overall Cyrus database, and provides a Reconstruct button for individual accounts. That’s about it. Unfortunately, Apple doesn’t really document maintenance beyond “press the button and it will fix your problem”. I’ve had several serious database problems which Apple’s Repair button did not help with. Those were bad times.

Similarly, I have had problems where users could not log in, but Workgroup Manager claimed their accounts were usable. I eventually discovered that resetting passwords with passwd works sometimes, and re-setting passwords in Workgroup Manager works consistently, but when I asked Apple about it, the eventual response was basically, “Yes, that’s bad; you should restore your accounts from your recent Open Directory export.” Not a good answer.

It doesn’t help that Apple’s SpamAssassin and ClamAV installations are broken, as these result in more spam and slower deliveries.


So why am I planning to migrate to Cyrus IMAPd on CentOS 5.1? Well, I’d really like to just copy my 5gb mail directory to the new system and have my clients not notice the difference. Eudora doesn’t handle (IMAP) change well — renaming a single IMAP directory can force it to download all messages again, and various other things can cause Eudora to lose date stamps on sent mail, or message state information (when it gets disassociated from the actual message on the IMAP server). If I can make Cyrus work, I’ll be very happy, and if I can’t I’ll try Dovecot (Red Hat’s default) or Courier (which I hear is also good).

Also, I know it can work, and I have a rough model to work from on my Tiger Server, but if I wasn’t using Cyrus already I would stay away from it, as I wish Apple had done.


PowerBook won’t boot from Leopard DVD

Update 2008/01/04: I tried again with a bulk (manufactured/pressed, not burned onto a DVD-R/DVD+R) DVD, and it worked fine. In retrospect, it seems likely to be drive deterioration, as I installed several betas from DL DVD+Rs I burned.


This is odd. I have a 1.5GHz 15″ PowerBook G4 (3.5 years old), running Leopard, which I want to reinstall. I have tried booting from two different Leopard DVDs I burned (both DVD+R DL, since I can’t find any DVD-R DL media) from legit Apple ISOs. It won’t boot from either, and often if I insert one of these DVDs while it’s running, the DVD drive chugs a bit and spits the DVD out. Sometimes, however, it reads the DVD — I can run the “Install Mac OS X” app (which just sets the startup disk and reboots), but not boot from disc.

Nothing in the logs.

Hardware Overview:

Model Name: PowerBook G4 15″
Model Identifier: PowerBook5,4
Processor Name: PowerPC G4 (1.1)
Processor Speed: 1.5 GHz
Number Of CPUs: 1
L2 Cache (per CPU): 512 KB
Memory: 1 GB
Bus Speed: 167 MHz
Boot ROM Version: 4.8.6f0
Serial Number: ****

When the disk was mounted, Apple System Profiler showed:

MATSHITA DVD-R UJ-825:

Firmware Revision: DAM5
Interconnect: ATAPI
Burn Support: Yes (Apple Shipping Drive)
Cache: 2048 KB
Reads DVD: Yes
CD-Write: -R, -RW
DVD-Write: -R, -RW, +R, +RW
Write Strategies: CD-TAO, CD-SAO, DVD-DAO
Media:
Type: DVD-ROM
Blank: No
Erasable: No
Overwritable: No
Appendable: No

Disk Utility on an un-bootable DVD


Leopard Install Ate Account, Again

Over Christmas, I updated Dad’s backup (SuperDuper is great), and upgraded to Leopard. It failed miserably — in exactly the same way as my own first Leopard upgrade failed, although I didn’t know what was going on back then. There wasn’t any documentation about the problem then, but now Apple describes a closely related issue:

Mac OS X 10.5: Unable to log in after an upgrade install

Issue or symptom

You may not be able to log in with a user account that has a password of 8 or more characters and was originally created in Mac OS X 10.2.8 or earlier, after performing an upgrade installation of Mac OS X 10.5 Leopard (the default installation type).

I do indeed use a password longer than 8 characters. At least on my own system, the accounts were not created under or before 10.2.8. On my father’s system, the accounts may date back that far, but his password was not longer, and Apple’s suggested workaround did not work either.

On my own upgrade, I installed Leopard, and was unable to log in with my (known correct) password, or my root password. I booted from DVD and was able to see my home directory, but there was no information on how to fix Leopard accounts (and really not much information on Leopard accounts at all) at that time. Reset Password from DVD didn’t work, and neither did passwd. I reinstalled from scratch and restored my home directory.

For Dad, I didn’t have time to do that, so I created a new account with a different username and real name, and swapped his old home directory with the new (basically empty) one. This took about 5 minutes, compared to several hours spent unsuccessfully trying to fix his old account. Somehow during the upgrade, his account was disabled, and I was unable to re-enable it. I booted from the Leopard DVD, and the Reset Password tool said it reset his password, but did not. I booted into my own admin account, and used passwd, which gave me a Directory Services account disabled error. The only references Google has to that error code are copies of the manual page, which lists the error code but not a way to enable such an account. I even updated to get the Login & Keychain update, but it didn’t help.

In the interim, Apple has documented that Leopard stores accounts as .plist files in /var/db/dslocal/nodes/Default/users/, which is very helpful — it makes it easy to do things like change UIDs, which I need to do periodically. On the other hand, those files point into other places for some information, such as the Kerberos KDC (Key Distribution Center) for actual passwords. I don’t know enough Kerberos to feel comfortable creating an identity for his account, as should have automatically happened during the upgrade (before Leopard, non-Server versions of Mac OS X don’t include a KDC, and they store passwords differently). I considered pointing his account to the KDC identity for a new account with the right password, but this seemed fragile, so I went with the new account, which seems to have worked reasonably well.

FUBAR!


Leopard’s bash auto-completion vs. symlinked directories

In Leopard, Tab completion in bash doesn’t immediately append trailing slashes to symbolic links that point to directories. When I complained about this change to Apple, I was told it was user configurable, and I should just configure the old behavior. It took me a while to actually find the solution — partially because it isn’t within bash itself, and partially because it was quite a nuisance but not a serious problem.

For example, ~/www is a symlink to /Volumes/www, and I cd to directories below it quite frequently. I’m in the habit of typing “cd w[Tab]/pu[Tab]”, which should expand to “cd www/public_html”. This broke in Leopard — I needed an extra Tab to get the / — otherwise I’d end up with the ugly and non-functional “cd wwwpu”. Anyway, the fix is:

echo "set mark-symlinked-directories on" >> ~/.inputrc

Now Tab completion works the way I want it to again. Thanks, stylishpants!


RHEL 5.1’s “linux rescue” mode doesn’t include full logical volume support

Red Hat has, with good consideration and foresight, been pushing people to use logical volume management for a while. It’s not completely integrated into the RHEL5 installer, but they’re pushing hard to make it ubiquitous, and telling people this is the right way to do things. Unfortunately, the syntax for specifying logical volumes within DOS-style partitions is still a bit obscure, and the manual page examples don’t show the LV syntax; this is fixable, but will take time.

I used software RAID and LVM on my new installation, but it doesn’t boot — I’ve found several articles on making GRUB work with software RAID, so I believe I’ll be able to get it working. The docs say I should be able to just use “lvm” (which is present) to get an lvm shell, but neither lvm nor lvm.static does anything — they just dump me back in bash.

Fortunately, “linux rescue” finds my partitions (this time), but not being able to even list out physical volumes is worrisome.

I want mirrored /boot, but RHEL’s mirrored /boot capabilities are pretty limited:

If you are making a RAID partition of /boot/, you must choose RAID level 1, and it must use one of the first two drives (IDE first, SCSI second). If you are not creating a separate RAID partition of /boot/, and you are making a RAID partition for the root file system (/), it must be RAID level 1 and must use one of the first two drives (IDE first, SCSI second).

Speaking of LVM being immature, check out What is the process to fsck lvm volumes? in the Red Hat Knowledgebase:

First, boot into rescue mode by using the correct media. This is very important: When prompted to mount the drives, do not. Using fsck on a mounted filesystem will destroy all the data on that file system. This is unrecoverable. The data will be gone forever–save for very expensive hardware-level data recovery.
