If you’re a Mac OS X Server guru and you happen to be hard at work on a recalcitrant OS X Server which is refusing to serve up the Internet to your anxious client, and you happen to use your mobile device—any mobile device—to Google something about OS X Server, you won’t find results for my site at the top of your list. And that’s the way Google wants it.
I got a legitimate (as far as I can tell) E-mail from teh Goog this morning telling me that my site isn’t optimized for mobile and that teh Goog will, as a result, push results from my site down lower on the results list. Here’s the relevant portion (highlighting is mine):
So as you surf the Googles on your mobile browser, keep in mind that Google would prefer you see mobile-friendly results over correct results. I’m not complaining because my site isn’t mobile friendly and might be lower in the list. (I really don’t care.) What I’m complaining about is that I’d rather have correct and relevant information over incorrect and pretty results any day.
Especially when I’m Googling something like “how do I help a choking victim” or “what areas of town do I really want to avoid” or other things where a pretty, but wrong, answer might be a really bad idea.
Amazon recently raised their free shipping threshold to $35, and that leaves me searching for items between $1 and $10 to pad an Amazon.com order with. A recent gift of Darn Tough Vermont socks has turned this hunt into a no-brainer.
Instead of a useless 5-lb. bag of rubber bands, why not pad your Amazon order with some Darn Tough Vermont Socks? Reasonably-priced, guaranteed forever, and OHMYGOSH! the colors…
See how easy that is?
Be sure to choose socks which are eligible for free shipping, or you don’t do yourself any favors.
Seriously, the hype is so ridiculous these days that it’s just better to remember that AAPL is, just like every stock on the market, gambling.
Hmm. NFC, after all.
(Sorry for the bombastic headline.)
I’m surprised that Googling the new Apple store in South Windsor, CT, hasn’t turned up any pictures. So, here’s one photo I took.
It’s a bad photo.
But it’s pretty clearly an Apple Store. Kinda’ hard to mistake that characteristic, no matter how bad the picture.
Note how Apple got its trade dress on the façade of the store, even though this is Evergreen Walk (said with very distinct, highfalutin’ accent, of course).
Xserve is long dead.
Mac OS X Server is an app, not a standalone product anymore, and is a shadow of its former self.
So it would not surprise me if this announcement is the first step towards a partnership which could supply both iOS and Mac OS-friendly “big iron” server technologies for enterprise, an area which Apple clearly has no interest in pursuing.
And with one fell swoop, we know that Mac OS X 10.9’s successor is not Mac OS X 10.something, but is Mac OS X Yosemite.
(Or so I think. Other websites are reporting it as 10.10, though I haven’t heard that mentioned yet.)
I’m not impressed with Mavericks Server or Yosemite server, either, for that matter. First, Apple has moved all of the standard binaries and settings from their usual homes into the Server.app bundle and into /Library. While this certainly lines up better with the Apple “way,” it makes it a royal pain in the butt for those of us who have half a clue and know their way around a LAMP (or MAMP) system.
I decided to update our server from an Xserve to a mini about three months ago. The new mini arrived, and I thought, “This should be ‘Apple simple,’” and tried to migrate. It was a disaster, mitigated only by the fact that I had a backup of the original system—somewhere in the migration process, files on the original server get mangled. This shouldn’t be, of course, but…
I tried various methods of upgrading and none were successful. Open Directory gave me fits, and I spent hours trying all sorts of things, none of which were successful. So today, I decided to go nuclear: start from scratch on the new server. That way, nothing could go wrong.
Since Open Directory gave me many fits, and since I knew OD is somewhat finicky about DNS entries, I decided I’d start with the basics.
Setting the Hostname
What is the name of my host? Well, Apple, in their infinite wisdom, asked my DNS to tell what the host name is, instead of asking me. So the host name was wrong because it was based on an outdated entry in the upstream DNS. So the self-signed certificate had the wrong data, too. To fix this, I changed the upstream DNS name, deleted Server, deleted /Library/Server/, and rebooted. I then reinstalled Server.app and this time the server name and self-signed certificate data were correct.
As it turns out, I could have used Server.app to change the name and the self-signed certificate would have been regenerated. But I found that out too late.
Server.app Pro Tip: When changing hostnames, Server.app will generate a new self-signed certificate.
Setting Up DNS
Next step: DNS. This should be simple. I should just be able to import a zone file, but, alas, unless I migrated the server, nope. I thought about just typing in all the hosts and whatnot, but what a pain in the rear that would be. Also, you can’t use wildcards in hostnames. So instead, I turned on DNS, set the forwarders to 127.0.0.1 and the upstream servers, and looked at the files in /Library/Server/named.
Complaint: There’s no way to reorder the forwarding servers in Server.app, without retyping the whole list.
Complaint: You can’t type in an asterisk (wildcard) when editing a host name. So aliases like “*.eccles.net” can’t be used without manually editing the hosts file. Still true in Yosemite.
Complaint: Manually-entered wildcards get deleted from the hosts file if you edit the zone with Server.app.
Server.app Pro Tip: Editing zone files is possible, but any changes made in Server.app will overwrite most (if not all) edits.
Now for Open Directory
OK, now that my server knows who it is, it’s time to turn on Open Directory. A few clicks and that was done. I now had a fresh Open Directory master running. Now let’s import some users. (Since I never really monkeyed around with OD in any other version of Server, a plain vanilla OD Master is fine for me here.)
Server.app Pro Tip: Set the Directory Administrator user to diradmin and set the password to be the same as the server administrator password. If you’re like me, you’ll stand a much better chance of remembering these credentials that way.
I exported the users from my 10.6 server (select the users in Workgroup Manager, then use some other command which I can’t remember) and tried to import them using 10.9.
Server.app Pro Tip: Importing users is not found in the “Users” pane in the “gear.” (Why not?) Instead, it’s here:
in the Manage menu. Server.app kept griping about my username and password. My question is, What username and password? The dialog says “Admin Name” and “Password” but doesn’t give a clue which thing it is I’m trying to authenticate into. I assumed it was the server, and several times, I was wrong. I then decided it might be the OD server that I’m trying to authenticate into, and that turned out to be right.
Complaint: Server.app could use a better prompt than “Admin Name”. How about “Open Directory Server Administrator Name”? It’s long, yes, but it’s better to try to fit that into the window than frustrate the user, don’t you think?
Complaint: If that’s too long to fit, how about improving the error message? “Credentials could not be verified. Username or password is invalid” could just as easily say, “Open Directory server credentials…” to save me a few tries and Googling.
Server.app Pro Tip: This dialog:
is asking for the Open Directory administrator username and password (which you just created—see above).
While the import was a success, it left me with questions. First, I have several users with more than one shortname (most, in fact). What happened to these additional shortnames? And what do I do with the blank “E-mail address” box in each user’s information? Does something go there? Does something have to go there? What’s up with that? Let’s tackle each one of these separately.
About those multiple shortnames: It turns out that they are, indeed, imported into the new Open Directory server, but only the first (primary) shortname is displayed. I verified this by making test SMTP sessions and watching the SMTP logs. Messages to all of a user’s shortnames were successfully delivered. Yosemite note: not true anymore. See below.
Managing these shortnames is tricky, though, and can probably be accomplished with a command line tool of some sort, though I was unable to figure out how to do it. (I gave up after ten minutes of Googling.) I stumbled upon an Apple support page which describes how to edit Open Directory records with Directory Editor.
“Directory Edi… wha…?” you’re saying, I’m sure. Yes, one of the older apps hidden away from most users is Directory Utility, which I never use other than to enable the root user. So what’s changed to make it useful? It has a new pane called “Directory Editor” which allows Open Directory directories to be edited. (Clever name.)
You can find Directory Utility using the Apple-given instructions at the link above, or you can…
Server.app Pro Tip: Make an alias to /System/Library/CoreServices/Directory Utility and stick it in your dock.
In DU, you can edit everything about an OD entry (hence the reason it’s probably hidden from most users’ attention). Since the server is local (it’s on the same machine), authenticate into the node at “/LDAPv3/127.0.0.1”, as shown below:
Each user will have a RecordName which will correspond to the primary shortname. If you have any users with multiple shortnames, you’ll see that they have more than one RecordName. If you want to add another shortname, you can do so with the “+” button out to the right of RecordName, as shown below:
Server.app Pro Tip: Multiple user shortnames can be added, edited and deleted in Directory Utility. But this isn’t really useful in Yosemite.
How about that “Email Address” field in Server.app? What does it do?
I have no idea. [Though it turns out to be useful in Yosemite.]
When a user is created, it suggests the E-mail address based on the user’s shortname. If you change it to be different from the suggested address, it does end up being reflected in the OD entry, but PostFix (the mail server) has no idea what to do with it. E-mails addressed to the different address will bounce. E-mails addressed to email@example.com will be delivered.
Server.app Pro Tip: Leaving the E-mail address field in a user record blank is OK. Except in Yosemite, that is.
Yosemite update: I upgraded from Mavericks to Yosemite. It now ignores the multiple shortnames specified in Directory Utility (see above). For example, my primary E-mail address might be firstname.lastname@example.org and I might have an alternate shortname, email@example.com specified in DU. In Mavericks, I had to add the bill.eccles shortname manually using DU, per the above. I could successfully receive E-mail to either address. The E-mail address field meant nothing.
However, when I updated to Yosemite, PostFix doesn’t have any idea about these other shortnames/addresses anymore, even though they do show in Directory Editor. Panic ensues when incoming mail to these alternate shortnames bounces. This problem is reasonably easily fixed by adding them to the users in the User editor in Server.app. But if you’re confused because the “+” button is grayed out for the user you’re trying to edit, it’s because you’re not authenticated into the appropriate directory node.
At the top of the list of users, you’ll need to filter to show only the “Local Network Users.” Then you’ll be able to double-click and edit a user. The “+” sign will be enabled for adding more E-mail addresses to the user. This has the same effect as editing the “EmailAddress” for the user in Directory Utility and does not affect the “RecordName” list. It might be a good idea to go back and remove the extra shortnames in the “RecordName” list, but I don’t know. And I haven’t done that yet, either.
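Here is an added example (not from the original post) of a quick check for the Yosemite problem described above: it takes the RecordName and EmailAddress values of one Open Directory user and lists every shortname that has no matching E-mail address, i.e. every alias that Postfix on Yosemite would bounce. It assumes the record comes from a dscl read against the /LDAPv3/127.0.0.1 node mentioned above and that dscl prints multi-valued attributes as “key: value1 value2” on one line; the record used here is a constructed sample, example.com is a placeholder domain, and the diradmin name is the one suggested earlier in the post.

```shell
#!/bin/sh
# Added example, not from the original post: find shortname aliases that
# Yosemite's Postfix would bounce because they appear in a user's
# RecordName list but have no matching EmailAddress value.
# On a real server the record comes from (assumed dscl invocation):
#   dscl /LDAPv3/127.0.0.1 -read /Users/bill RecordName EmailAddress
# Here the record is a constructed sample in dscl's "key: v1 v2" format;
# example.com is a placeholder domain.
SAMPLE_RECORD='RecordName: bill bill.eccles william
EmailAddress: bill@example.com'

# missing_aliases <domain>: reads one dscl record on stdin and prints,
# sorted, every RecordName lacking a <name>@<domain> EmailAddress.
missing_aliases() {
    awk -v domain="$1" '
        $1 == "RecordName:"   { for (i = 2; i <= NF; i++) names[$i] = 1 }
        $1 == "EmailAddress:" { for (i = 2; i <= NF; i++) addrs[$i] = 1 }
        END {
            for (n in names) {
                key = n "@" domain
                if (!(key in addrs)) print n
            }
        }' | sort
}

# fix_commands <user> <domain>: reads the same record on stdin and prints
# (does not run) the dscl -append lines that would add the missing
# addresses.  -p makes dscl prompt for the diradmin password instead of
# taking it on the command line, where it would show up in process lists.
# The -append form is an assumption about dscl, not something the post shows.
fix_commands() {
    user=$1; domain=$2
    missing_aliases "$domain" | while read -r alias; do
        printf 'dscl -p -u diradmin /LDAPv3/127.0.0.1 -append /Users/%s EmailAddress %s@%s\n' \
            "$user" "$alias" "$domain"
    done
}

# Run against the constructed sample: bill.eccles and william are reported.
printf '%s\n' "$SAMPLE_RECORD" | missing_aliases example.com
printf '%s\n' "$SAMPLE_RECORD" | fix_commands bill example.com
```

Review the printed dscl lines before running any of them; doing the same thing through the User editor in Server.app, as described above, is the route the post itself took.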
About Users’ Passwords
Passwords are lost in the export/import process. It seems that it should be possible to find the various hashes in the older version of the server using mkpassdb, but I can’t find enough corresponding entries to know that I’d make the new server totally happy. The next question is how to handle passwords, since my users use the server only for mail (via IMAP or POP) and won’t have OS X’s native password changing dialogs.
It turns out that there’s a reasonably easy way to handle that, too. If I turn on the default SSL website (in the Website pane, naturally), I have the option to let users change their passwords. I tested this path, and it works well. But because my users come from outside the local network and have to traverse my firewall (which means all port 80 or port 443 access can be directed to one machine only), I have to either (a) migrate all the web services from the old server to the new or (b) set up a special port for accessing this server for password changes. I’ve chosen this latter method in order to make accessing the password change page more difficult. There is no way to change the default server port number, so this change will be done entirely at the firewall, redirecting port N to port 443.
Moving Mail Services
Mail services are somewhat tricky, but now that you have your users moved over, you can pretty easily move the mail to follow them.
First, turn off mail services on both the new and old servers using the Server.app. Then, we have to move the data from machine to machine.
Mail data exists in two places. There’s the Postfix SMTP spool files (mail which is in the process of being delivered) and the Dovecot IMAP spool files (mail which has been delivered to the users’ mailboxes).
First, get the SMTP files from the old server:
sudo tar cf smtp.tar /var/spool/postfix
(Ignore the warnings reading “tar format cannot archive this (type=0140000): Inappropriate file type or format”. These are sockets and won’t archive, nor would you want them to.)
Get the mailboxes:
sudo tar cf mail.tar /var/spool/imap/dovecot/mail/
Copy them to the new machine somehow, e.g.:
scp smtp.tar firstname.lastname@example.org:~/smtp.tar
scp mail.tar email@example.com:~/mail.tar
Now put them where they belong.
Most likely, you already have mail directories where they belong, but they need to be cleaned out to prepare for new data. So here we’ll delete the mail data directory (i.e., clean it out… permanently!) and repopulate it with the mail from the original server:
sudo rm -R /Library/Server/Mail/Data/mail
sudo mkdir -p /Library/Server/Mail/Data/mail
cd /Library/Server/Mail/Data/mail
sudo tar xf ~/mail.tar --strip-components=5
cd ..
sudo chown -R _dovecot:mail mail
Then we’ll make the spool directory (if it isn’t there already) and populate it with the spool data from the original server:
sudo mkdir -p -m 755 /Library/Server/Mail/Data/spool
cd /Library/Server/Mail/Data/spool/
sudo tar xf ~/smtp.tar --strip-components=3
I think this is all I did, but you may have to jigger your permissions and ownership so it looks like this:
home:spool admin$ ls -la
total 0
drwxr-xr-x  16 root      wheel      544 May 26  2014 .
drwxr-xr-x  13 root      wheel      442 Aug 10 12:17 ..
drwx------   2 _postfix  wheel       68 Jan  2 19:15 active
drwx------   2 _postfix  wheel       68 Dec  8 08:00 bounce
drwx------   2 _postfix  wheel       68 Feb 19  2010 corrupt
drwx------  18 _postfix  wheel      612 Aug 10 12:33 defer
drwx------  18 _postfix  wheel      612 Aug 10 12:33 deferred
drwx------   3 _postfix  wheel      102 Dec  2 13:55 flush
drwx------   2 _postfix  wheel       68 Feb 19  2010 hold
drwx------   2 _postfix  wheel       68 Jan  2 19:15 incoming
drwx-wx---   2 _postfix  _postdrop   68 Aug  8 02:01 maildrop
drwxr-xr-x  24 root      wheel      816 Aug 10 13:19 pid
drwx------  27 _postfix  wheel      918 Jan  1 14:01 private
drwx--x---   7 _postfix  _postdrop  238 Jan  1 14:01 public
drwx------   2 _postfix  wheel       68 Feb 19  2010 saved
drwx------   2 _postfix  wheel       68 Dec 31 21:59 trace
home:spool admin$
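Because a restored spool with the wrong owner or mode is exactly the kind of thing that breaks Postfix quietly (maildrop and public, for instance, must be group _postdrop), here is an added example (not from the original post) that compares an ls -la listing of the spool directory against the expected ownership and modes shown in the listing above. On a real server it would be run as check_spool_perms /Library/Server/Mail/Data/spool; here it is fed a constructed listing with one deliberate deviation, and it tolerates the “@” or “+” that BSD ls appends to a mode when extended attributes or ACLs are present.

```shell
#!/bin/sh
# Added example, not part of the original post: verify a restored Postfix
# spool against the ownership/modes in the listing above.

# expected_entry <dirname>: prints "mode owner group" from the page's
# listing, or nothing for entries the listing does not cover.
expected_entry() {
    case "$1" in
        maildrop) echo "drwx-wx--- _postfix _postdrop" ;;
        public)   echo "drwx--x--- _postfix _postdrop" ;;
        pid)      echo "drwxr-xr-x root wheel" ;;
        active|bounce|corrupt|defer|deferred|flush|hold|incoming|private|saved|trace)
                  echo "drwx------ _postfix wheel" ;;
        *)        echo "" ;;
    esac
}

# check_listing: reads 'ls -la' output on stdin and prints one line for
# every known spool directory whose mode, owner or group is wrong.
# Silence means everything matched.
check_listing() {
    while read -r mode links owner group size m d t name; do
        [ -z "$name" ] && continue            # "total 0" and blank lines
        case "$name" in .|..) continue ;; esac
        mode=${mode%[@+]}                     # drop BSD ls xattr/ACL marker
        want=$(expected_entry "$name")
        [ -z "$want" ] && continue            # not in the reference listing
        got="$mode $owner $group"
        [ "$got" = "$want" ] || printf '%s: have "%s", want "%s"\n' "$name" "$got" "$want"
    done
}

# check_spool_perms <dir>: the real-server entry point (assumed path).
check_spool_perms() {
    ls -la "$1" | check_listing
}

# Constructed listing: maildrop has been restored as root:wheel, which
# would stop the postdrop group from queueing locally submitted mail.
SAMPLE_LISTING='total 0
drwxr-xr-x  16 root      wheel      544 May 26  2014 .
drwxr-xr-x  13 root      wheel      442 Aug 10 12:17 ..
drwx------@  2 _postfix  wheel       68 Jan  2 19:15 active
drwx-wx---   2 root      wheel       68 Aug  8 02:01 maildrop
drwxr-xr-x  24 root      wheel      816 Aug 10 13:19 pid
drwx--x---   7 _postfix  _postdrop  238 Jan  1 14:01 public'

# Only the maildrop line is reported for the sample.
printf '%s\n' "$SAMPLE_LISTING" | check_listing
```

The reference values are taken from the listing above and nothing else, so if Apple changes the layout in a later Server.app the case statement is the only thing that needs updating.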
So what’s next? PHP, web services, and other things… but that will have to wait until a future article. This one’s already long enough.
A few people have asked why a tax increase of 2.849% is required for a budget increase of 2.59%, saying that it just doesn’t make sense. On the surface of the problem, it certainly doesn’t! Here’s a quick explanation which I hope helps make sense of these two different numbers.
For purposes of discussion, let’s assume that our town budget was $100 last year, and that we need $105 this year. That’s a 5% increase in the budget. If we had to raise all of that money ourselves through taxes, the tax increase would be 5%, too.
But some of that $100 comes from the state government. Let’s say the state contributed $50 of that budget last year, leaving the town to raise only $50. Now let’s say that the state will contribute the same amount this year, $50, leaving us to raise $55. Last year, we only had to raise $50. This year, we have to raise $55. Year over year, that’s a 10% increase in taxes.
So a 10% tax increase is required even though the budget only went up 5%, and that shows how the two numbers can be different.
In real life, we have the same thing going on, but with different numbers. This year’s budget is about $53 million, an increase of 2.57% over last year. About $13 million of our budget comes from the state, so last year we needed $39 million in taxes. This year, the state is giving us the same amount, about $13 million, so we’re left to raise just over $40 million in taxes. The difference between last year, ≈$39 million, and this year, ≈$40 million, is about 3.28%.
If the grand list were kept just as it is, the tax rate would be going up by 3.28%. But there are adjustments to the grand list year-over-year, too, and these adjustments reduce the amount to 2.849%, which is different from the budget increase of 2.57%.
No mystery, just math.
Want to know my position on this budget? I support it. Read why here.
(All of these numbers can be found in the Town’s 2014-2015 budget, which can be viewed here.)
Last week, the Tolland Town Council approved our 2014-2015 budget by a vote of 6-1. Now it’s up to Tolland’s voters to decide if it’s the right budget for us. As I said that night, I am suitably impressed with the process used this year to arrive at our budget, and I am fully in support of it.
So… why? After all, it contains a 2.849% increase in taxes, and any increase in taxes is bad. Even I have to agree with that.
But the big, hairy problem is that all costs are rising. I’m sure you’ve felt the squeeze at the pumps and in the checkout lines, with each paycheck and its increased insurance premiums—in just about every facet of life, you’re paying more for the same. (Or even for less.)
The town has felt the squeeze, too, and since the crash of 2008, previous Town Councils have been doing their best to keep tax increases to the absolute, barest of minima, in the hopes that things would get better. While the average tax increase over the past five years has been only about 0.5% per year, consumer prices have been increasing by 1.6% per year. You can see where this might be a problem.
In order to keep costs low, or at least constant, past councils have done some superb work in controlling costs. But they’ve had to delay maintenances, cut town staff (by nearly 10%!) and basically bet that the economy would recover in a meaningful way sooner than later. When, or if, the economy made its recovery, the Town could catch up on these things.
Unfortunately, six years later, while the rest of the nation seems to be in a minor recovery at best, Connecticut isn’t making much, if any, progress at all, and these delays cannot be tolerated anymore. We have no choice at this point but to respond to the needs of the schools and the town. New mandates from the state and federal governments are squeezing us even more, there are few savings left to be found, and things are beginning to crack—if they’re not broken already.
Simply: we have no choice but to increase the budgets of both the town and the school system.
In order to increase these budgets, income must increase, and income and outflows must balance. In a normal economy, property values increase, tax revenue increases, and there’s enough income to cover the increasing expenses of the town and school system. This year? Not so much. Our property values are flat, there have been few increases in the grand list, and yet prices rise all the same. We’re in between the proverbial rock and hard place, and the result is a requirement to increase taxes.
So, if a tax increase is necessary, how much do we increase them by? Do we increase them the smallest amount possible, straining every resource in town to do more with less, possibly breaking things which are expensive to fix later on? Do we increase them substantially so that everything which is stretched gets put back on an even keel? Or do we increase them somewhere in between, looking for a reasonable increase which addresses some of the needs and gets us back on a course to health?
It’s this last alternative that the Board of Education, the Town Manager, and indeed the Town Council have chosen, for better or worse, because there is a lot that needs to be done in town.
Our equipment isn’t going to fix itself, the salt we consumed during these last two harsh winters won’t restock itself, the departments which are stretched to the max will not be able to sustain this pace, and fuel won’t magically appear to fill the tanks of the trucks and cars this town needs to continue operations. Our schools won’t meet the curricular needs of our children, their safety and welfare will not be increased in any meaningful way, and we will not provide for the activities and support these children need to get the best start in life that we can provide for them as a town. None of this will happen without this budget and the tax increase it comes with.
And that’s why we… no, that’s why I voted in support of this budget.
On particular matters within the budget, there really were only two contentious issues, and that’s an amazingly low number and is a breath of fresh air to those who have been involved in town government for the past decade.
The first contentious issue is all-day kindergarten, and the superintendent found a way to fund that within the budget presented to the Town Council. For those who are angry, as I was, that he found this money after the budget was already submitted and feel that the budget should have been lowered to the promised “level services” level, I remind you that the Town Council asks our town manager to do the same thing, year after year: find us a way to fund X, even though it’s not in the already-approved budget. On the Superintendent’s priorities of all-day kindergarten and reducing the pay-to-play costs, I can’t comment—it’s not my area of expertise, and efforts to enlighten me by both sides of the argument have proven that the old adage about statistics holds true.
The second contentious issue is funding a School Resource Officer (SRO). I’m very much in support of this expense. As to its necessity, I can only point to the anecdotal evidence offered by the Town Manager and social services staff who say that it’s a good and necessary program. It is also my understanding—and I may be wrong—that the Superintendent’s priorities have included an SRO for many years and that, though there may be higher priorities on each of the school principals’ lists, an SRO has been quite a high priority for the principals in years past, too. Here, I also trust that when the Town Manager and the Superintendent, not necessarily two people who agree on much, agree on a priority and a way to fund it, it’s better than a good idea. Finally, we have an opportunity to bring a resource to our community which, if we do not do so now, we will not be able to do so for several years. The State Police, which is in my opinion the most cost-effective and reasonable way to have SRO services for Tolland, face a manpower shortage and we’d be on the bottom of the list for an SRO when we do decide we need one. On the other hand, if the SRO doesn’t work out to be as valuable as indicated, the position can be cut. We have very little to lose here.
Could the SRO money be spent on technology which, as I’ve heard firsthand from my kids, is ancient (at best)? Yes, it could be. But I also understand that there is a plan to upgrade it in an orderly fashion. Given that the curriculum is in an incredible state of flux right now, I can’t see that dumping money into technology without aligning the purchase with the curriculum change makes much sense. It would solve a problem right now, certainly, but I’m more in favor of solving a problem long term. We’ve had too many years of short-term thinking in this town driven by short election cycles, and we cannot afford short-sighted thinking anymore. There’s a plan for technology in place, and though it will need to be changed, derailing it is not my idea of wise spending.
So there you have my thoughts on this year’s budget and why I support it. Though I know it’s not perfect, I think this budget is exceptional not only for the process by which it was created, with development of consensus early in the process, but also because it represents an excellent mix of restraint and utility. Should you vote in support of it on May 6th? I think you should.
Two winters ago, but still relevant today.
To those of you who, as Mr. Wilson puts it, are looking at 2014 balefully, I recommend reading his entry of a few days ago, The West Is Dead. Long Live the West. He quotes The Everlasting Man (G.K. Chesterton, 1925) which forms a substantial portion of his thesis:
“Christendom has had a series of revolutions and in each one of them Christianity has died. Christianity has died many times and risen again; for it had a God who knew the way out of the grave.”
Alone, this is enough for hope in the future. With the added encouragement of Mr. Wilson, I wish you a happy new year!
A friend posted pictures of his sons playing with their Nintendos at their dining room table. It looked like they were in prayer, so I hacked this together:
Our Nintendo, which art on the table,
Hallowed by thy games.
My high score is won, my brother’s be none,
On Mario Kart as it is on Super Mario.
Give us this day our daily cheat code,
Up up down down left right left right B A,
As we forgive those who use it against us.
And lead us not into Bowser’s Castle,
But deliver stuff from Amazon.
For mine is the Mario, the power up and the Luigi,
For Yoshi and Birdo,
Next up: “Hail Mario, full of grease…”
It’s about time that the media shed the pretense of being “unbiased” and came clean right up there in the masthead.
“NEW YORK TIMES—Today’s Edition: 89% liberal”
“FOX NEWS: Trying to be 50/50, but looking a little imbalanced these days”
“WASHINGTON POST: We’re owned by a big-time Obama contributor. What do you think you’re going to get?”
“MSNBC: We’re not even trying.”
“CNN: Wait, we’re still relevant?”
Is that an Internet in your pocket, or are you just happy to see me?
I’m sort of surprised nobody has made these observations (that I can find, anyway).
First, did you notice that all of the so-called “flat” interface elements are ridiculously easy to draw with vector graphics? As I’ve stated before, the various flavors of Apple OS are going to be resolution independent someday. The departure from textures and bitmapped elements will make this transition much easier, and the sweeping hands on the iOS Clock app icon is a pretty good example of a traditionally-bitmapped element which has become all or nearly all vector graphics.
Second, when you’re composing an E-mail, Mail app on iOS 7 does a pretty good job at guessing which account the message should be sent from. Let’s say you have two E-mail accounts, “firstname.lastname@example.org” and “email@example.com” and that your default “from” address is “firstname.lastname@example.org”. When you start writing a message, the “from” field will show “email@example.com”, as it should. But then when you put in a recipient, such as “firstname.lastname@example.org”, iOS 7 will change the “from” account to the “company.com” address. This feature would have saved me and my co-workers much confusion as I have been known to send them E-mails from my personal account when I meant to send them from my work account.
That’s all for now.
The animation in the iOS 7 Clock app is gorgeous, and it addresses my long-standing gripe about the minute hand motion. Older versions of clocks would move the minute hand once per minute in a herky-jerky motion which didn’t match the beautifully designed motion of the second hand. All of them sweep in the live Clock icon, too!!
The iOS 7 version moves the minute and hour hands right along with the second hand in the smoothest, most incredibly-lickable animation I’ve longed for.
It’s the little things, and they got this one right… finally.
[Ironic—or coincidental—that it took a lessening of the realism of the clock face itself to get the realism of the clock mechanicals right, isn’t it?]