
June 27, 2008

File sharing sites hiding behind DMCA

Yet again our software has been posted to various file sharing websites, and yet again we are forced to ask them to remove it.

But many of them still hide behind DMCA even when told that they are hosting a folder full of infringing material. They won’t act on their own account and don’t actually care that their Acceptable Use Policies already prohibit such material and would enable them to remove the files themselves.

How do I know this? Well today’s little irritation involved sending a notice to MediaFire about a folder full of files over which we hold copyright. I also, in the same e-mail, complained about the containing folder, which contains a lot of other people’s copyrighted work (though I noted that I had no legal standing to do so). What did I get in reply? Yes, that’s right folks, a demand that I format my request exactly as required by DMCA and a notice that MediaFire would ignore any request that wasn’t formatted that way. Furthermore they tell me that they will ignore any request relating to a folder, since they can’t be bothered to check all the files in a folder (just the ones you list).

Ethical? Like hell.

June 13, 2008

And, with luck, good for the Irish too

If this is true, then good for the Irish too.

Our political ~~leaders~~ masters won’t let us have a vote on membership of the European Union here in the U.K., because they know we’d vote “No”. In fact, they won’t even let us vote on the ~~Lisbon Treaty~~ E.U. Constitution because they know we’d vote “No” and scupper that too—in spite of promising a referendum on that very subject.

Fortunately it sounds like the Irish have scuppered it for us, but it frankly stinks that our government lies to us, fails to represent our views and then won’t let us have our say even when it promised.

Good for David Davis

In the wake of Parliament’s passing of the bill allowing forty-two days detention without charge for terrorist suspects, David Davis, the Conservative Shadow Home Secretary, has resigned as an MP to fight a by-election on the issue of whether or not it is right to curtail our civil liberties in this way.

Good for him I say.

The only reason the public thinks (at least according to the polls it does) that these kinds of illiberal measures are acceptable is that the government of our country has been conning us. The theoretical threat from Islamist terrorism and in particular Al Qaeda—and it remains primarily a theoretical threat, unlike for instance the IRA during the late 70s and 80s—has been used to justify large numbers of illiberal and frankly unpleasant measures which we are promised are “to combat terrorism” and which are then promptly misused to keep pensioners out of the Labour Party conference, to spy on people sending their children to school, to prevent law abiding people from attending legitimate peaceful protests and all kinds of other similar things which have nothing whatsoever to do with terrorism.

The steady creep of authoritarianism into the British state has continued unabated under this Labour government and the problem is that because our civil liberties have been chipped away one piece at a time it has been difficult for the public to notice the impact it is having.

Aside: I should perhaps say at this point that I’m actually a supporter of the idea of ID cards, but I am most certainly not a supporter of this business of attempting to scare the public into letting politicians take increasing control of and an increasing interest in the minutiae of everyday life.

ID cards I support because we already have them… lots of them, in fact; they’re called (variously) credit cards, debit cards, chargecards, bank cards, driving licenses, membership cards, clubcards, reward cards, points cards, passcards, passes, and even “identity cards”. I’d rather carry just the one, which does not mean that all the organisations whose cards I currently carry would have access to all of the information held by all of the other organisations.

David Davis, it seems, intends to bring all of this to the fore in his constituency and it will hopefully make his constituents—not to mention the rest of the population—realise that something is seriously amiss.

Panic buying stupidity

OK, so we’ve yet again been asked not to panic-buy fuel. Well it so happens that this morning I really did need to fill my car up (I’d just about run out of petrol), so as usual I drove to work via the local petrol station.

Chaos.

Not only were there large numbers of vehicles trying to fill up (more than normal, I would say), but a Budgens delivery driver (the local petrol station has a Budgens supermarket attached) was reversing a huge articulated lorry into the station and across the forecourt. In order to do that, he had to spend a considerable amount of time completely blocking the road.

Whether the large queues were caused by the amount of time the road was blocked, or whether this heralds the beginning of yet another round of stupid panic buying, I don’t know, but I did notice that Newgate Lane (along which I have to drive every day) was also clogged up until I got past the ASDA roundabout. ASDA, of course, has a petrol station…

June 3, 2008

Static automounts without guest access on OS X 10.5 Server

OK, so this was a real PITA to figure out, and I didn’t find a great deal of help in Google so I’m going to write a short post about doing this, both so I can find it in future and so that other people can benefit from what I discovered.

So, the first thing to do is to make sure that you have a working Kerberos set-up. To check this, you can try

$ kinit some-user
Please enter the password for some-user@EXAMPLE.COM:

If it successfully authenticates when given the name of a user in your Open Directory set-up, you’re all set. You can, if you like, look at the Kerberos ticket you just gained by using the klist command, but if kinit worked then there’s probably no need. If, on the other hand, that kinit didn’t work, you need to re-configure Kerberos from scratch. This seems to be very hit and miss and often it’s easier to reconfigure Open Directory from scratch instead, but that’s a bit drastic and is only really practical for smaller set-ups because it tends to result in all the passwords getting reset.

If your Kerberos isn’t working, please don’t bother asking me about it. I have yet to find a reliable sequence of commands to completely re-initialise it on OS X Server. You might find AFP548.com useful if you’re in this sort of mess.

Next, make sure that your client machines are configured to authenticate using Kerberos. On OS X 10.5, that means editing /etc/authorization to change

<key>system.login.console</key>
<dict>
  <key>class</key>
  <string>evaluate-mechanisms</string>
  <key>comment</key>
  <string>Login mechanism based rule.  Not for general use, yet.</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:smartcard-sniffer,privileged</string>
    <string>loginwindow:login</string>
    <string>builtin:reset-password,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict>

to

<key>system.login.console</key>
<dict>
  <key>class</key>
  <string>evaluate-mechanisms</string>
  <key>comment</key>
  <string>Login mechanism based rule.  Not for general use, yet.</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:smartcard-sniffer,privileged</string>
    <string>loginwindow:login</string>
    <string>builtin:reset-password,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:krb5authnoverify,privileged</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict>

That isn’t the only way to go about this part, but you need to make sure that your users get a Kerberos ticket automatically somehow. If they don’t, they won’t be able to mount the static automount because the server won’t recognise them. See Article 107154: Enabling Kerberos authentication for Login Window on Apple’s site, but note that the part where it says that the information is not required as of OS X Server 10.3 is not, in fact, entirely true. Various universities set things up using Kerberos and some of their pages may also be helpful; I quite like Iowa State’s page, personally.

Next, set up your shares using Server Admin, setting the Custom mount path setting as required. For instance, I set one up with the path /Network/Groups. On previous versions of Mac OS X, you could do this step from Workgroup Manager, which was useful because it meant you could manually edit the mount URL to remove the hard-coded “;AUTH=NO USER AUTHENT” setting. Unfortunately you can no longer do this as of 10.5, which means that you have to use dscl or the various LDAP utilities.

Even more unfortunate, when I tried to edit with dscl, I just got the error message

*** Uncaught Exception:  ([DSoDataNode initWithDir:value:] value is not a valid NSString nor NSData)

(and yes, I’m certain I used the right command). As a result, I ended up making myself a file like this (I called mine groups.ldif):

dn: cn=server.example.com:/Volumes/SomeVolume/Groups,cn=mounts,dc=server,dc=example,dc=com
replace: mountOption
mountOption: url==afp://server.example.com/Groups

and then I did

$ kinit diradmin
Please enter the password for diradmin@EXAMPLE.COM:
$ ldapmodify -f groups.ldif

The first line is just to authenticate as the directory administrator—you only need to do that once. If you need to examine your LDAP mount records first, you can do something like this:

$ ldapsearch -b "cn=mounts,dc=server,dc=example,dc=com"

which will list all of the mount records.

One other useful tidbit is that if you’re trying to test this from a client machine, you can do

$ sudo automount -v

from Terminal to refresh the automount set-up on the client.
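
As an added example (not part of the original post), here is a shell function that reads ldapsearch output for the mount records and writes the ldapmodify change file for every record whose URL still carries the guest-access option. The sample records, the `net` value and the position of `;AUTH=NO%20USER%20AUTHENT` inside the URL are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: turn ldapsearch output for the mount records into an
# ldapmodify change file that drops the guest-access option from afp URLs.

# Constructed sample of ldapsearch output (not real data); "net" is a
# hypothetical second mountOption value. Long lines are folded as in LDIF.
sample_mounts() {
cat <<'EOF'
dn: cn=server.example.com:/Volumes/SomeVolume/Groups,cn=mounts,dc=server,dc=
 example,dc=com
mountOption: net
mountOption: url==afp://;AUTH=NO%20USER%20AUTHENT@server.example.com/Groups

dn: cn=server.example.com:/Volumes/SomeVolume/Public,cn=mounts,dc=server,dc=
 example,dc=com
mountOption: url==afp://server.example.com/Public
EOF
}

strip_guest_auth() {
  # Pass 1 unfolds LDIF continuation lines (they start with one space).
  # Pass 2 rewrites the URL per record and keeps every other mountOption,
  # because "replace" overwrites all values of the attribute.
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (NR > 1) print buf; buf = $0 }
    END { if (NR > 0) print buf }
  ' |
  awk '
    function flush(   i) {
      if (dn != "" && changed) {
        print dn; print "changetype: modify"; print "replace: mountOption"
        for (i = 1; i <= n; i++) print opt[i]
        print ""
      }
      dn = ""; n = 0; changed = 0
    }
    /^dn: / { flush(); dn = $0; next }
    /^mountOption: / {
      old = $0
      # Assumed placement: ";AUTH=..." before "@host", spaces literal or %20.
      if ($0 ~ /url==afp:/) gsub(/;AUTH=NO(%20| )USER(%20| )AUTHENT@?/, "")
      if ($0 != old) changed = 1
      opt[++n] = $0
    }
    END { flush() }
  '
}

sample_mounts | strip_guest_auth
```

Against a live directory the input would come from the ldapsearch command shown earlier, with the output saved to a file and read through before it is passed to `ldapmodify -f`. Base64-encoded values (`mountOption::`) are not handled and are left for manual review.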

It all sounds so simple written down, but this took me a good few hours and a lot of frustration. Hopefully I’ve saved someone else (or even just myself, in future) from repeating that experience.

Scared some motorcyclist

On the way into work today I think I scared a motorcyclist. It was partly my fault for being in the wrong lane (not that I had much chance of being in the right lane given the lack of signs until the very last minute—I went a different way to work this morning, along a road I’m not entirely familiar with), but the fact that I gave him a fright was his own silly fault.

I was trying (carefully, I might add… there was never any danger of a collision) to push into the lane he was in. I think when he noticed this happening at first, like a lot of people he decided to be bloody-minded and to not let me in. Which is both rude and awkward, but a lot of people do that kind of thing. Anyway, as a result, he ended up alongside me, with me slightly impinging on his lane and I think assumed then that I hadn’t seen him, which wasn’t true. All I wanted was either (a) for him to slow down and let me in (which, given that I was ahead of him at the time would have been sensible… when I started to move over, there was even a small gap), or (b) for him to speed up and go past. I got the result I wanted in the end, but not without him honking his horn at me and gesturing at his eyes.

I find these kinds of things, which happen to me rather rarely, somewhat upsetting. Not least because he will doubtless tell all his friends that some stupid car driver nearly knocked him off because he wasn’t looking, which is totally untrue—as I say, there was never any danger of that happening. It’s the kind of incident for which there isn’t really any blame to apportion, because nothing actually happened and nothing ever would have. It’s still frustrating though. Ah well…