When 10.5 server came out not only were there personal calendars but group calendars. The difference was that the personal calendars allowed the user to fully manage their calendar both on the web and in iCal however Apple still maintained that group calendars would be only subscribe-able in iCal. The difference here was that many users found workarounds that allowed the fully managed solution of group calendars in iCal by using the following methods.

Method A: Creating a user account and changing the server path with the “groups” variable. (Solution)

Method B: Creating a user account and changing the server path with the “wikis” variable. (Solution)

This worked but much needed security updates broke both of these solutions causing unnecessary stress on the Apple user and the Apple systems administrator. The most recant update to 10.6.4 caused the group calendars in iCal to stop working entirely and cause an almost never-ending string of login failed errors on the users computer. This made it very frustrating for Administrators who are trying to sell the idea of a wiki server as being a great web based and iCal based interface for users. In Apples defense they never officially claimed to support group calendaring in iCal.

One of the reasons for this was probably because of the volatile nature of the group account. In 10.5 server group calendars were maintained and created using workgroup manager in 10.6 server they were separated entirely and now the administration of group wikis is all done through their web interface. Due to the separation groups that once had a unique UID, username and password were demoted to the basic functionality of a web folder and directory for the purpose of internet data organization.

With this in mind I was very pleased when Apple released its 10.6.4 Wiki Server update. The thing that really made me happy was the fact that now they have officially come out and are supporting group calendars in iCal. This is awesome finally what we have been waiting for. The best thing is that in true Apple fashion their update offers an elegant and much faster solution.

So how do you setup group calendars in 10.6.4? The answer is not really surprising as it takes some of the steps used in previous solutions.

Oddly enough this solution was and should be credited to a user on this post who had originally tried to get group calendars in iCal working in 2009! Looks like Apple took some much needed advice in this arena and I am very happy that they have officially started supporting this much needed feature.

Alright first thing you have to understand put aside any notion of running mobile access server on any other server you may already have. Mobile access server is meant to run on a gateway server. A gateway server is a server that routes traffic to multiple destinations. Meaning its a stand alone server whose primary function is to keep your private data private.It translates public requests and serves up private content. You must run mobile access server on a separate server from the servers which contain your private data.

The second mental hurdle to get over is that yes, the gateway server or your mobile access server must be on the same subnet as the other private servers for which public requests will be relayed. The server has to have some sort of direct line of communication to the private server or servers in question. The next hurdle is DNS, yes DNS can be a huge headache but here are a few things to understand. The Public DNS that will be routed through the gateway server should point to the gateway server.

The gateway server in turn should be able to resolve all of those DNS names into private IP addresses meaning you must have internal DNS setup with the appropriate zones and records. I learned this the hard way, the Mobile Access service looks to internal DNS do not point to an external private DNS server for internal DNS it must be running on the same server as the Mobile Access service.

The last hurdle is this once DNS is setup and the service is started and you feel like you have configured everything correctly and when your so exhausted and you go to try your Mobile Access server settings and they do not work the first time, do not be surprised as I said this is a very 1.0 feature. Be prepared to check, and re-check your settings. Be prepared to start and stop DNS multiple times. Mobile Access server is a great service and works great once configured correctly.

I am now open to field questions you may have reagarding setup or ideas for further posts to explain in more detail. I hope this at least clears up some of the misconceptions that I had with the service for you ahead of time.

Crontab is one of the longest lasting scheduling daemons around, its part of any linux / unix system and uses a file that will trigger a script at a specific time at specific intervals. Cron can be pretty amazing but pretty daunting too if you are unsure about how to use cron, I recommend starting out easy and using this GUI for Mac OSX called Cronnix.

Cronnix is a great tool because it lets you modify, save and create crontab cronjobs in a very easy to use interface. Before Cronnix you basically had to use the VI editor in order to edit the crontab file manually which did not always prove successful. Once your ready to make your first schedule then you need to know what time or at what intervals you want the backup to run. I had my backup script run at midnight every-night so my crontab looked like this.

1

0 0 * * * /bin/bash /path/to/my/sync/script.sh

Here are some other popular crontab examples that might give you some greater insight and understanding on the whole cronjob scheduling schema.

1
2
3
4
5
6

0 0 * * *          -- midnight every day
0 0 * * 1-5        -- midnight every weekday
0 0 1,15 * *       -- midnight on 1st and 15th
                      of month
0 0 1 * 5          -- midnight on 1st of month
                      and every Friday

The second method for scheduling tasks on a Mac OSX Server platform is Launcd. This is the timer system that Apple has written and sanctioned as being the best way to schedule tasks, the reason is that unlike a cronjob where if you want to pause the job, you must remove it from the system entirely and then re-enter it when you want it to resume. With launchd you can unload / or load schedules to run at startup or on regularly scheduled intervals. I would be lying if I told you I was a launchd master, but I do like the advantages that launchd has to offer.

While getting my script up and running I used This tutorial to get me started. The launchd file below is what I used in order to get my backup scheduled. In order to install your launchd file place it in one of these locations.

/System/Library/LaunchDaemons (admin level system daemons)
/System/Library/LaunchAgents (admin level user agents)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

< ? xml version="1.0" encoding="UTF-8" ? >
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" \ "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<dict>
        <key>Label</key>
        <string>com.macresearch.backup</string>
        <key>LowPriorityIO</key>
        <true/>
        <key>Program</key>
        <string>/Users/gohara/Library/Scripts/backup.sh</string>
        <key>ProgramArguments</key>
        <array>
                <string>backup.sh</string>
        </array>
        <key>WatchPaths</key>
        <array>
        <string>/Volumes</string>
        </array>
</dict>
</plist>

Once you have your launchd file installed you must register the launchd file with your system by running

1

  launchctl load ~/Library/LaunchAgents

Then issue

1

 launchctl list

Then you should see something like this

1
2

[Voyager:~/Library/Scripts] gohara% launchctl list
com.macresearch.backup

for my sync script I chose to use a crontab, because my knowledge of launchd is limited and my experience with cronjobs is more extensive I found that adding a cronjob was faster, quicker and more efficient for permanent scheduled items on my servers. I would love to get your feedback however and learn more about launchd from you.

#!/bin/bash
 
echo Sync started `date` >> /Volumes/Logs/Sync_log.txt
 
echo "Now starting rsync"

At this point we are ready for the sync to start, we will start by syncing the files from the primary server to the secondary server. This is a one way sync, whatever we add to the primary server will be copied over to the secondary server. Whatever is deleted from the primary server will also be deleted from the secondary server we accomplish this via the use of rsync.

rsync -avz --delete "/Volumes/PrimaryWebsite/" --rsh='ssh -p8286' username@XX.18.XX.22:www/domains/SecondaryWebsite

Notice that the first line is the path to our primary website, the second value is the port number that you use to ssh into your secondary server if they require that. The third option is the username and the ip address or hostname of the secondary server and then the path to the files on the secondary server. Again in order for this to work you really have to have completed the first step if this is not working refer back to the article that covers the appropriate way to ssh into your remote server Syncing a failover website : Creating an SSH key.

echo "Now starting modifications"
 
scp -oPort=8286 "/Volumes/modifications/wp-config.php" username@XX.18.XX.22:www/domains/SecondaryWebsite

What we are doing above is copying a modified version of the wp-config.php file because we use wordpress installations as our main CMS platform, the configuration settings on the primary server will not always match exactly the configuration settings on your secondary server. Which means that if you failover and the settings on the secondary server are the ones from your first server, and the secondary server uses a different database prefix, username or password the failover will succeed but it will failover to a website that will give you the dreaded “Cannot connect to database” error.

echo "Now starting database sync"
 
mysqldump --user=primarymysqlusername --password=primarymysqlpassword primarydatabasename | ssh secondarysshusername@XX.18.XX.22 -p8286 mysql --user= secondarymysqlusername --password= secondarymysqlpassword secondarydatabasename
 
echo Sync finished `date` >> /Volumes/Logs/Sync_log.txt

The above code, will allow you to sync your database with the database in your secondary location. You will need to modify the settings to match your primary username and password for mysql. Your secondary username and passwords for mysql and the primary and secondary database names in mysql. What this does is it empties the target database and then it re-imports all the content from your primary server. Then it logs a line in the log, stating when it has completed. Here is what the finished script looks like.

#!/bin/bash
 
echo Sync started `date` >> /Volumes/Logs/Sync_log.txt
 
echo "Now starting rsync"
 
rsync -avz --delete "/Volumes/PrimaryWebsite/" --rsh='ssh -p8286' username@XX.18.XX.22:www/domains/SecondaryWebsite
 
echo "Now starting modifications"
 
scp -oPort=8286 "/Volumes/modifications/wp-config.php" username@XX.18.XX.22:www/domains/SecondaryWebsite
 
echo "Now starting database sync"
 
mysqldump --user=primarymysqlusername --password=primarymysqlpassword primarydatabasename | ssh secondarysshusername@XX.18.XX.22 -p8286 mysql --user= secondarymysqlusername --password= secondarymysqlpassword secondarydatabasename
 
echo Sync finished `date` >> /Volumes/Logs/Sync_log.txt

Thats about it, in our next and final article on the topic of syncing multiple websites on multiple servers for failover purposes we will talk about the proper way to schedule your sync.

First, you must have DNS that can process a failover, you must have a script that will sync your files and your databases and most importantly of all you must have an open SSH tunnel between the two servers so that the sync can perform in a secure way without risk of any hacking happening. In this article I am going to outline the process of creating an ssh key for your second server, using terminal, and CPANEL. The failover hosting company we chose uses CPANEL and before we started we had to ask our host to enable jailed SSH access on our account in order to proceed.

Once enabled we must go through the process of creating a set of keys, a public key, and a private key. You must create the key on the computer that is considered to be the primary or the computer that will be running the sync script. Once your logged into that computer run these commands in terminal to create your private and public keys.

 mkdir ~/.ssh

 cd ~/.ssh

 ssh-keygen -b 1024 -t dsa -f id_dsa -P ''

 chmod 400 id_dsa

Now in your ~/.ssh folder you should have an id_dsa file, an id_dsa.pub and a file called authorized_keys. The first file is your private key. The second file is your public key. The last file is a file that protects your primary server, meaning no one will be able to ssh into your primary server without the public or private keys as a form of authorization.

On the secondary server with CPANEL login to your control panel and choose SSH from the list of options. Once there, press the “Import Keys” button and you will see two fields one for a public key one for the private key. Copy and paste the contents of your private key id_dsa on your primary server into the private key field. Copy the contents of id_dsa.pub into the second field labeled public key. Name the key, in the top field and press save.

Now that you have the keys there, you must authorize the keys, once you have you will be able to ssh into your secondary server from your primary server without entering your password. Your host may have you connect to their ssh tunnel using a custom port, if this is the case then this is the syntax.

 ssh -p8569 username@host_name

This will give you access to your account area, in our next article we will talk about how to create the sync script and sync your files, and databases over from the primary server to the secondary server on a scheduled basis.

After many un-sucessfull attempts at using the search functionality (Spotlight), I decided to do some research on other methods for searching for files on the OSX platform. I came across the “locate” command for the Terminal.

I had never used this command before so I did some reading and I ran

1

sudo /usr/libexec/locate.updatedb

this ran the initial database rebuild which added many new entries into its database. I then ran

1

locate 'File Name here.txt'

and came up with a nice list of files on the users computer, however the problem was that all of the files we found were older revisions of the file that he had lost. I decided that the only way we were going to find his file was to use a much more aggressive approach.

I decided to use the “find” command, this works similar to the “locate” command but it searches the folder, directory or entire volume that you want. It allows you to be as specific or as vague as you want as well. For example

1

find / -name 'filename.txt'

will search the entire volume for a file with the name filename.txt. You can also search for wildcards as well

1

find . -name '*.txt'

which will generate a list of all of the text files on the computer. Notice I used a period here instead of a slash, these are where you can customize the location of the search.

So I let this run, the “find” command is considerably slower than the “locate” command because it does not use a database rather it searches live through the hard drive on the system that you are using. After about 20 minutes letting it scan the entire hard drive, every user account and every directory we came up with a few more results but again nothing that had his new content. I was really hoping that at this point he had accidentally deleted it or something.

I decided to ask him for a phrase located in the text file that could be used as a search term. To search for a phrase in a text document in the terminal run

1

find . -name '*.xlsx' -exec grep -li 'ethiopia' {} \;

this will find any reference to the word ethiopia located in a Excel file. I let this run and again slow but effective it revealed more results but nothing. I explained to the gentleman that I could try looking at the tape backups but it would take me some time. He asked me if I could do that.

It was a long walk back upstairs, I loaded the first tape into the drive and got ready. I began the search. Not 10 minutes later did I get a phone call back saying, that he had found the file on a thumb drive that he had. Go figure, turns out that no matter how many cool ways there are to search a hard drive none of them will index a thumb drive in someones pocket.

Comments like, the Apple TV should have included a Tuner and a DVR, or the Apple Hi-Fi should have been made as a more portable unit with more functionality.  I guess no matter what the product is there are two truths, it’s not meant to be a perfect product for everyone simply the masses and with every product no matter how intuitive or ingenious there is always room for improvement.

The good thing about the iPad is that Apple has figured out another way to sell great content. The iPod  brought us the iTunes music store. The Apple TV brought us movies that we could rent. The iPhone brought us the App Store. Now the iPad brings yet another venue the iBook Store. Trying hard to compete with devices like the Kindle, Apple has staked claim on yet another content niche.

Soon enough there will be keynote presentations where Apple will claim that they are the largest Music, Video and Book content provider in the world and at that time the iPad will be more of a modern institution rather than a foreign entity. So what you can do with the iPad, you can do many good things. Listen to music, watch videos, browse the internet, use apps, read books, play games and more. Could it do more? Sure, it could. Will it eventually? Sure it will.

The bad thing about the iPad is that it is not what everyone really wanted when they were first thinking about what this product would eventually be. Who knows, maybe there is a tablet computer rolling around in Job’s head. But for those of us, myself included who were hoping for a computer, a graphics tablet, a stylus interface, and a breakthrough in how we look at performing our day to day tasks, well we will have to keep dreaming, and hoping for the future. For some of us with the cash, we can live the dream now by getting the ModBook by Axiotron. This device is what many Mac fans were expecting.

From the perspective of a systems administrator, this could be a technical and logistical nightmare when you consider people doing work on these on secured networks where encryption is important. From a hardware perspective if you ever had to perform your own battery replacement or even from the philosophical angle, is this a computer, or is it just a cool content viewer. If it is the later, then will or should IT Departments support such a device.

The Ugly thing that I believe is more of a philosophical debate is the slow agonizing death of the printed word in its truest format. While we all know Print Media is dying and we have known that for a long time, many will argue that bookstores and books are not going anywhere while that may be true I lived in a state recently and witnessed the death of its last newspaper.

Thats right, in the state of Maine every newspaper has gone out of business. I am not saying that the iPad is or will kill off traditional media or that it has but its just one device closer to its extinction. Perhaps I am just nostalgic for the days when I used to like to read the comics as a kid, getting them out of the middle of the sunday paper, was and always will be a special memory for me.

No matter what, side of the fence you land on, Apple has made a smart move by entering into this market. Apple is a company and I am sure they have a plan for everything that they do. They have methodically created each new device over the past 4 years and released each one with a new content store. Perhaps Apple is planning a takeover of all digital content, and its syndication rights. Only one man knows and it certainly is not me. For now I will just sit back and watch my Apple stock soar, thanks Steve.

Great, another strange Apple bug I thought until someone was able to forward me the bounced email to my personal email account. Further insight in the error showed that the message was getting bounced back due to a blank subject line. As you can see from the example below its due to a blank or empty subject heading. Yes, apparently Apple has added this as an actual “Feature”. You can turn this off however by commenting out the only line of code in the file /etc/postfix/custom_header_checks.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

=====================================
This is the mail system at host mail.xxxxxxx.org.
 
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
 
For further assistance, please send mail to postmaster.
 
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
 
The mail system
 
<user@domain.org>: host
mail.domain.org http://xx.xxx.xxx.xxx said: 550 5.7.1 empty subject
=====================================

Turn off the mail service before you do this. Once the mail service is off edit the file using sudo pico.

1
2
3
4
5

/^subject: *$/ REJECT empty subject header in /etc/
 
into:
 
#/^subject: *$/ REJECT empty subject header in /etc/

Start mail back up again and you will notice that the blank subject line blues are gone away.

However in 10.6.2 there is a detachment from the way you authenticate. You create access for each blog based on the settings in the web interface rather than in Workgroup Manager. This threw me off a bit the first time due to the fact that I had already had our previous wiki server split up into groups using workgroup manager.

Here is how I migrated our wiki, the default directory for wiki and blogs on 10.5 and 10.6 is

1

/Library/Collaboration

Inside that folder, you’ll find a Groups folder of interest. You’ll want to repeat the following procedure for each group:

1
2
3
4
5
6
7

sudo serveradmin stop teams
sudo mv <Group Folder from Backup> /Library/Collaboration/Groups/
sudo chown -R _teamsserver:_teamsserver /Library/Collaboration/Groups/<group_directory>
sudo rm /Library/Collaboration/dataVersion.plist
sudo rm /Library/Collaboration/globalIndex.db
sudo rm /Library/Application Support/Apple/WikiServer/directoryIndex.db
sudo serveradmin start teams

Once you complete those steps, you’ll need to login as an administrator and set the permissions for the wiki(s). 10.6 removes the privileges for wikis from Workgroup Manager and instead allows for security management via the wiki web interface.

Once we were done with the wiki, we had to migrate over DNS this was a little bit scary however retyping our DNS records was equally as scary. I decided to try to migrate the settings since it was sanctioned by Apple.

Basically the first step was to stop DNS service on your Snow Leopard server. I then created a backup of my DNS config files that lived on my Snow Leopard server in the event that everything went bad.

1

mkdir /var/backups/dns; cp -r /etc/dns /var/named /etc/named.conf /var/backupsdns

I then preceded to copy the following files and folders from Leopard server into the same locations on Snow Leopard Server

1
2
3

/etc/dns
/etc/named.conf
/var/named

Once done start DNS via the command line on Snow Leopard server

1

sudo serveradmin start dns

Next I urge you if you are going to try this test, test, test, test and test again. I got it almost 100% however there are a few fields in the DNS settings in Server Admin that do not exist in 10.5 Server. Also I did notice that it messed up my FQDN’s in some places. Tell me your migration headache story, or lack thereof.

The one great thing about 10.5.8 was the development of Mailbfr this was an amazing script that would help you backup your entire mailstore, recover email accounts, repair quotas, and of course rebuild or repair the entire mail-store. This was an invaluable tool, however since switching we have had to come up with our own solution.

We tried at first to get RSYNC running however this did not work because we did not have the permission to copy the mailstore with the permissions in tact. The reason is that while the root account does have access to look at the mailstore the secondary user on the mailstore folder is the mail user itself. Without running the script as each user then its near impossible to use RSYNC to move the mailstore or to even perform a simple backup.

Our solution was to create a backup script that use SCP with SCP we were able to move our mail-store to another drive on the server. It copies the store over and it resets the permissions to the administrator account. This solution works very well however after some time with a large mailstore you will run out of space on the target volume. Unlike RSYNC which uses hard links to save space SCP creates a new copy of the mailstore each time it is run.

In order to save space on the backup volume the oldest 2 weeks worth of backed up email gets dumped to DVD and removed from the drive on a monthly basis. This is fine but not optimal. Here is a copy of the script that we use on our server.

1
2
3
4
5
6

#!/bin/bash
echo backup started daily backup `date` >> /Volumes/EMAIL\ BACKUP/Backup/Logs/Backup_log.txt
 
scp -r /Volumes/Mailstore-Location/spool /Volumes/EMAIL\ BACKUP/Email-Backups/$(date +%d)-$(date +%m)-$(date +%Y)backup 
 
echo backup daily backup completed `date` >> /Volumes/EMAIL\ BACKUP/Backup/Logs/Backup_log.txt

This will backup the mailstore and then log each time that it does so. To recover an email to the original mailstore is not as hard as it seems. Navigate to the backed up mailstore destination and match up the name of the folder to the users UID of which you want to recover. For example if the users UID is 7458-58713-952554-544226 then you would look for a folder with the same name. Once in the folder you can copy or look at individual email files. Find the ones or one that you need and copy it to the folder of the original mailstore. In order to do this you will have to use sudo. For example this is how you would restore the entire folder

1

sudo scp -r "Volumes/EMAIL\ BACKUP/Email-Backups/7458-58713-952554-544226/.*" "/Volumes/Mailstore-Location/spool/7458-58713-952554-544226/.*"

Until Mailbfr comes back for Dovecot this is how we are protecting ourself against the accidental loss of email. I am not saying that this is the best method it is simply the one we are using. If you have another solution that works bette than please let me know and share your own experience!