Add Apple Address Book + LDAP information.

[blog.git] / posts / Humanizing_OS_X.mdwn

Over the past few months, my wife has gone through a number of
operating systems.  The Windows XP on her elderly laptop was finally
overrun by viruses, and we didn't have an XP install CD, so I moved
her over to Ubuntu.  Recent stock Ubuntu installations are not
particularly snappy on 300-odd MB of RAM, so after a few days I moved
here over to Gentoo, since I have a lot of experience running
stripped-down Gentoo systems on my netbook.  Unfortunately, my wife's
not really a big supporter of the stripped-down approach, so after the
second 30-MB slide show started taking down Open Office, we threw in
the towl and went shopping for a Mac.  The entry-level MacBook Pros
are reasonably priced (especially with my student discount), and she
gets another core and 10 times the memory and disk space.  I, on the
other hand, get to work the kinks out of a Unix system so I can quash
it into our home network.  Ready?

User switching
--------------

By default, there's no easy means to switch between users without
logging out completely.  Can't have that.  Go to

    System preferences -> Accounts -> Login Options

and select `Name` (or whatever) for `Show fast user switching menu
as`.  This puts a widget in the toolbar near the clock which lets you
switch users without closing all your running applications.

SSH
---

Sooner or later, your wife will come home and want to sit down in
front of her shiny new laptop.  Add a second keyboard by enabling
[[SSH]] ;).

    System preferences -> Sharing -> Remote login

Kerberos
--------

I recently moved the home fileserver to [[Kerberos + NFSv4|Kerberos]].
Luckily, OS X support for Kerberos is pretty solid, and NFSv4 support
is just solid enough for me to mount my shares.  Copy your
`/etc/krb5.conf` over to `/Library/Preferences/edu.mit.Kerberos`.

You might have to edit it slightly, because Snow Leopard was ignoring
my DNS network name suggestion and using `.local`.  This is probably
what I should have used in the first place, but it's not worth
reworking the home system now, so use something like

    [domain_realm]
        .d.net = R.EDU
        d.net = R.EDU
        .local = R.EDU

If your DHCP server doesn't point out your home DNS resolver, you can
add it by hand in

    System preferences -> Network -> AirPort -> SID -> Advanced -> DNS

Now `kinit` and company should work as expected, but with OS X, you're
not doing it right unless you're using a graphical interface, so they
provide `/System/Library/CoreServices/Ticket Viewer`.

If you want to store your password in your keychain, run

    $ echo | kinit

which will pop up a password dialog with a `Remember this password...`
checkbox.  Find the entry in

    /Application/Utilities/Keychain Access

and click on the `info` button.  Under `Access Control`, it should
mention that access is always allowed from `kinit`.  You can test this
from the command line by running

    $ kinit

which will now grab a new TGT automatically (i.e. no password prompt).

For long-running NFS mounts, you might want to setup automatic ticket
renewal.  This is a task for [launchd][], an `rc/init/cron`
replacement that reads service info from `plist` files
(`launchd.plist(5)`).  There is a system-provided Kereberos renewal
service

    /System/Library/LaunchAgents/com.apple.Kerberos.renew.plist

but it [has some issues][krenew].  Rather than patching the system
file, I just created my own alternative:

    $ cat ~/Library/LaunchAgents/local.Kerberos.renew.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>Label</key>
      <string>local.Kerberos.renew.plist</string>
      <key>Program</key>
      <string>/usr/bin/kinit</string>
      <key>Disabled</key>
      <false/>
      <key>RunAtLoad</key>
      <true/>
      <key>ThrottleInterval</key>
      <integer>6000</integer>
      <key>KeepAlive</key>
      <dict>
        <key>SuccessfulExit</key>
        <true/>
      </dict>
    </dict>
    </plist>

Start the service with

    $ launchctl load Library/LaunchAgents/local.Kerberos.renew.plist

The `Disabled` `false` setting shouild mean that the service will
start automatically on the next boot.  Note that if your KDC goes down
and a renewal fails, the service will stop, and you'll have to restart
it once the KDC is back up.

NFS
---

Once you've got Kerberos setup, mounting an NFS file system is just:

  $ sudo mount -t nfs -o vers=4.0alpha,sec=krb5p,intr,soft my-host:/ /Volumes/my-nfs/

Note that the Apple folks are still nervous about their NFSv4
implementation.  From `mount_nfs(8)`:

    The current NFSv4 functionality is "alpha quality" software.  Some
    basic functionality is not yet implemented.  Use at your own risk.
    Currently, the only way to enable NFSv4 is to specify the mount
    option:

      -o vers=4.0alpha

    This special option value is only temporary and will no longer be
    necessary (or supported) once the NFSv4 functionality is ready for
    general use ( -o vers=4 will be sufficient ).

I haven't noticed any glitches yet, but it might be wise to restrict
write access from the OS X client to less critical directories, just
to be on the safe side.

The graphical approach to configuring NFS is

    Applications -> Utilities -> Disk Utility -> File -> NFS mounts
      Remote NFS URL: nfs://my-host/
      Mount location: /Volumes/my-nfs
      Advanced Mount Parameters:  vers=4.0alpha,sec=krb5p,intr,soft

After you do this, the mount should come up automatically on boot.
You can unmount the drive through the Finder sidebar, but I haven't
figured out how to remount it through the graphical interface.

    $ sudo mount -a

seems to work fine though ;).

FLAC and Ogg
------------

Somewhat shockingly, iTunes doesn't support [FLAC][] or [Ogg Vorbis][]
out of the box.  To get Ogg Vorbis support, install the [Xiph
Quicktime Component][xiphqt].  Their `ReadMe.rtf` explains that
installation is just

  $ sudo cp -r Desktop/XiphQT-unpacked/XiphQT.component /Library/Components/

XiphQT gives you the ability to decode assorted xiph codecs and
containers, but iTunes may still need some handholding to actually
import the files into its library.  [Fluke][] handles that for FLAC
files, but the code is a bit crufty.  I've been cleaning it up a bit,
and I'll probably post my changes on the Google Code site over the
weekend.

iTunes
------

Once you've got codec support in place, you should configure iTunes.
I unchecked `Copy files to iTunes Media folder when adding to library`
in

  iTunes -> Preferences -> Advanced

Then get iTunes to index your NFS-mounted FLAC with

  File -> Add to library

Add the FLAC with

  $ flukeapp path/to/my/music/directory

Address Book and LDAP
---------------------

You can configure Apple's [Address Book][aab] to search an LDAP
directory.  Set up your connection with:

  /Applications/Address\ Book.app
    Address Book -> Preferences -> Accounts -> Add
      Account Type: LDAP
      ...

If you're using a self-signed certificate, you'll need to add your CA
to the system keyring or OS X will assume a man-in-the-middle attack
(and give you an uninformative "Can't contact LDAP server" error).
Add your certificate with:

    /Applications/Utilities/Keychain Access.app
      File -> Import Items
        /path/to/your/CA/certificate
        Destination Keychain:  System

After which everything should work as expected.

Remote desktop
--------------

There's not much documentation online, but there is a [MS Remote
Desktop][rd] client available ([Microsoft page][rd-ms], [Apple
page][rd-a]).  The package installs into 

    /Applications/Remote Desktop Connection.app

double-clicking on this from Finder will fire it up, and you can
configure it to log into your company's server, save the
configuration, and make a symlink for easy launching from the desktop:

    $ ln -s ~/Documents/RDC Connections/Default.rdp ~/Desktop/WidgetsLtd.rdp

Gentoo Prefix
-------------

The above steps get everything setup for basic usage, but you'll
notice that we had to install a few applications by hand.  This just
consisted of unpacking a few bundled objects onto the system, but the
OS will not be out checking for bug fixes and upgrades to keep our
installations current.  I'm missing my [portage][] package manager.
It's ok though, there are a number of package managers designed for OS
X.  The major players are [Fink][] ([Debian][] tools) and [MacPorts][]
([FreeBSD][] tools?), but there are fringe groups supporting the DIY
[Homebrew][] and my personal favorite, [Gentoo Prefix][gprefix]
([Gentoo][] tools).  Pick your favorite.  The issue with any of these
tools will be interfacing with the underlying OS, since you don't want
the OS to sneakily replace your GCC without your package manager
knowing about it.  To deal with this, the package managers do varingly
complete jobs of toolchain bootstrapping to isolate their toolchain
from Apples [Xcode][].  Unfortunately, Xcode is not free, but if
you've just bought a Mac, you can probably afford the $4.99 it costs
for 9.3 GB of installed tools ;).

Bootstrap your Gentoo Prefix following the [MacOS docs][gp-mac]:

    $ export EPREFIX="$HOME/Gentoo"
    $ export PATH="$EPREFIX/usr/bin:$EPREFIX/bin:$EPREFIX/tmp/usr/bin:$EPREFIX/tmp/bin:$PATH"
    $ export CHOST="x86_64-apple-darwin10"
    $ curl 'http://overlays.gentoo.org/proj/alt/browser/trunk/prefix-overlay/scripts/bootstrap-prefix.sh?format=txt' > bootstrap-prefix.sh
    $ chmod 755 bootstrap-prefix.sh
    $ ./bootstrap-prefix.sh $EPREFIX tree
    $ ./bootstrap-prefix.sh $EPREFIX/tmp make
    $ ./bootstrap-prefix.sh $EPREFIX/tmp wget
    $ ./bootstrap-prefix.sh $EPREFIX/tmp sed
    $ ./bootstrap-prefix.sh $EPREFIX/tmp python
    $ ./bootstrap-prefix.sh $EPREFIX/tmp coreutils6
    $ ./bootstrap-prefix.sh $EPREFIX/tmp findutils
    $ ./bootstrap-prefix.sh $EPREFIX/tmp tar15
    $ ./bootstrap-prefix.sh $EPREFIX/tmp patch9
    $ ./bootstrap-prefix.sh $EPREFIX/tmp grep
    $ ./bootstrap-prefix.sh $EPREFIX/tmp gawk
    $ ./bootstrap-prefix.sh $EPREFIX/tmp bash
    $ ./bootstrap-prefix.sh $EPREFIX portage
    $ hash -r
    $ emerge --oneshot sed
    $ emerge --oneshot --nodeps bash
    $ emerge --oneshot pax-utils
    $ emerge --oneshot --nodeps wget
    $ emerge --oneshot --nodeps baselayout-prefix
    $ emerge --oneshot --nodeps xz-utils
    $ emerge --oneshot --nodeps m4
    $ emerge --oneshot --nodeps flex
    $ emerge --oneshot --nodeps bison
    $ emerge --oneshot --nodeps binutils-config

Now check `gcc --version` to see which version of [GCC][] Xcode
installed.  If it's not 4.2.1, check the bootstrap docs.

    $ emerge --oneshot --nodeps binutils-apple
    $ emerge --oneshot --nodeps gcc-config
    $ emerge --oneshot --nodeps gcc-apple
    $ emerge --oneshot coreutils
    $ emerge --oneshot findutils
    $ emerge --oneshot tar
    $ emerge --oneshot grep
    $ emerge --oneshot patch
    $ emerge --oneshot gawk
    $ emerge --oneshot make
    $ emerge --oneshot --nodeps file 
    $ emerge --oneshot --nodeps eselect
    $ FEATURES="-collision-protect" emerge --oneshot portage
    $ rm -rf $EPREFIX/tmp/*
    $ hash -r
    $ emerge --sync
    $ USE=-git emerge -u @system
    $ echo 'USE="unicode nls"' >> $EPREFIX/etc/make.conf
    $ echo 'CFLAGS="-O2 -pipe <my-cpu-flags>"' >> $EPREFIX/etc/make.conf
    $ echo 'CXXFLAGS="${CFLAGS}"' >> $EPREFIX/etc/make.conf
    $ emerge -e @system
    $ cd $EPREFIX/usr/portage/scripts
    $ ./bootstrap-prefix.sh $EPREFIX startscript
    $ cp $EPREFIX/startscript ~/

Then run `startscript` whenever you want to start a shell from the
Prefix with appropriate path and environmental variables.  Use this
shell for future `emerge` calls.

Bootstrapping is not the most fun procedure in the world, but once
it's done, you don't have to worry about it ever again.  All your open
source packages can then be easily maintained with a mature package
manager, which will certainly save you some time later on.

Unfortunately, there are not as many open source devs running OS X as
there are running GNU/Linux, so it may take a bit of leg work to get
oddball packages into your package manager's repository.  I've
published my [[Gentoo Prefix overlay]] with assorted tools I used to
troubleshoot Fluke; take a look if you like [[Python]] ;).

Resources
---------

OS X is certaily different from the GNU/Linux systems I've worked with
to date.  For example, the file system is all shuffled around, and
it's built on [HFS+][], which stores metadata and resource forks for
each file.  There are also [aliases][] (fancy symlink), bundles apps,
etc.  For an old-but-useful introduction to the OS from a Linux
perspective, check out Amit Singh's 2003 [What is Mac OS X][wmox].

[launchd]: http://www.afp548.com/article.php?story=20050620071558293
[krenew]: http://linsec.ca/Using_Kerberos_5_for_Single_Sign-On_Authentication#Setting_up_a_Mac_OS_X_Client
[FLAC]: http://flac.sourceforge.net/
[Ogg Vorbis]: http://www.vorbis.com/
[xiphqt]: https://www.xiph.org/quicktime/download.html
[Fluke]: https://code.google.com/p/flukeformac/
[aab]: http://support.apple.com/kb/ht2486
[rd]: http://en.wikipedia.org/wiki/Remote_Desktop_Protocol
[rd-ms]: http://www.microsoft.com/mac/remote-desktop-client
[rd-a]: http://www.apple.com/downloads/macosx/networking_security/remotedesktopconnectionclient.html
[portage]: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
[Fink]: http://www.finkproject.org/
[Debian]: http://www.debian.org/
[MacPorts]: http://www.macports.org/
[FreeBSD]: http://www.freebsd.org/
[Homebrew]: http://mxcl.github.com/homebrew/
[gprefix]:  http://www.gentoo.org/proj/en/gentoo-alt/prefix/
[Gentoo]: http://www.gentoo.org/
[Xcode]: http://developer.apple.com/xcode/
[gp-mac]: http://www.gentoo.org/proj/en/gentoo-alt/prefix/bootstrap-macos.xml
[GCC]: http://gcc.gnu.org/
[HFS+]: http://en.wikipedia.org/wiki/HFS_Plus
[aliases]: http://en.wikipedia.org/wiki/Alias_%28Mac_OS%29
[wmox]: http://osxbook.com/book/bonus/ancient/whatismacosx/