Alastair’s Place

Software development, Cocoa, Objective-C, life. Stuff like that.

Static Automounts Without Guest Access on OS X 10.5 Server

OK, so this was a real PITA to figure out, and I didn’t find a great deal of help in Google so I’m going to write a short post about doing this, both so I can find it in future and so that other people can benefit from what I discovered.

So, the first thing to do is to make sure that you have a working Kerberos set-up. To check this, you can try

$ kinit some-user
Please enter the password for some-user@EXAMPLE.COM:

If it successfully authenticates when given the name of a user in your Open Directory set-up, you’re all set. You can, if you like, look at the Kerberos ticket you just gained by using the klist command, but if kinit worked then there’s probably no need. If, on the other hand, that kinit didn’t work, you need to re-configure Kerberos from scratch. This seems to be very hit and miss and often it’s easier to reconfigure Open Directory from scratch instead, but that’s a bit drastic and is only really practical for smaller set-ups because it tends to result in all the passwords getting reset.

If your Kerberos isn’t working, please don’t bother asking me about it. I have yet to find a reliable sequence of commands to completely re-initialise it on OS X Server. You might find AFP548.com useful if you’re in this sort of mess.

Next, make sure that your client machines are configured to authenticate using Kerberos. On OS X 10.5, that means editing /etc/authorization to change

<key>system.login.console</key>
<dict>
  <key>class</key>
  <string>evaluate-mechanisms</string>
  <key>comment</key>
  <string>Login mechanism based rule.  Not for general use, yet.</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:smartcard-sniffer,privileged</string>
    <string>loginwindow:login</string>
    <string>builtin:reset-password,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict>

to

<key>system.login.console</key>
<dict>
  <key>class</key>
  <string>evaluate-mechanisms</string>
  <key>comment</key>
  <string>Login mechanism based rule.  Not for general use, yet.</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:smartcard-sniffer,privileged</string>
    <string>loginwindow:login</string>
    <string>builtin:reset-password,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:krb5authnoverify,privileged</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict>

That isn’t the only way to go about this part, but you need to make sure that your users get a Kerberos ticket automatically somehow. If they don’t, they won’t be able to mount the static automount because the server won’t recognise them. See Article 107154: Enabling Kerberos authentication for Login Window on Apple’s site, but note that the part where it says that the information is not required as of OS X Server 10.3 is not, in fact, entirely true. Various universities set things up using Kerberos and some of their pages may also be helpful; I quite like Iowa State’s page, personally.
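The /etc/authorization change above has to be made on every client, so it is worth scripting. The following is an added example (not the author's code) that performs exactly the swap shown, builtin:authenticate,privileged to builtin:krb5authnoverify,privileged, in the system.login.console rule, leaving everything else in the file alone and refusing to run if the rule does not look as expected. It assumes the rule lives under a top-level "rights" dictionary in /etc/authorization; the embedded sample file is constructed for the example and contains only that rule.

```python
"""Switch the login window to Kerberos authentication on an OS X 10.5 client.

Added example: edits the system.login.console rule in /etc/authorization so
that builtin:authenticate,privileged becomes builtin:krb5authnoverify,privileged.
Everything else in the file is preserved.
"""
import plistlib
import sys

RULE = "system.login.console"
OLD_MECHANISM = "builtin:authenticate,privileged"
NEW_MECHANISM = "builtin:krb5authnoverify,privileged"

# Constructed stand-in for /etc/authorization: only the rule being changed is
# shown. The top-level "rights" container is an assumption about the file's
# layout; the mechanism list itself is the default one shown on the page.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Login mechanism based rule.  Not for general use, yet.</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:success</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def enable_kerberos_login(plist_bytes):
    """Return (new_plist_bytes, changed).

    Replaces OLD_MECHANISM with NEW_MECHANISM in the rule's mechanism list,
    keeping its position so the other login mechanisms run in the same order.
    Idempotent: a file that already has the Kerberos mechanism comes back
    unchanged with changed=False.
    """
    data = plistlib.loads(plist_bytes)
    try:
        mechanisms = data["rights"][RULE]["mechanisms"]
    except KeyError:
        raise ValueError("no %s rule with a mechanisms array in this file" % RULE)
    if NEW_MECHANISM in mechanisms:
        return plist_bytes, False
    if OLD_MECHANISM not in mechanisms:
        raise ValueError("%s does not list %s; refusing to guess where to insert"
                         % (RULE, OLD_MECHANISM))
    mechanisms[mechanisms.index(OLD_MECHANISM)] = NEW_MECHANISM
    return plistlib.dumps(data), True


def mechanisms_of(plist_bytes):
    """The rule's mechanism list, in order (handy for checking the result)."""
    return list(plistlib.loads(plist_bytes)["rights"][RULE]["mechanisms"])


if __name__ == "__main__":
    # Usage: python kerberos_login.py /etc/authorization > authorization.new
    # Diff the result against the original before copying it back into place.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path, "rb").read() if path else SAMPLE_AUTHORIZATION
    new_bytes, changed = enable_kerberos_login(source)
    sys.stdout.buffer.write(new_bytes)
    sys.stderr.write("changed\n" if changed else "already using Kerberos\n")
```

The script writes to stdout rather than over the file, so the natural workflow is to keep the original, diff the two, and only then copy the new file into /etc with sudo; because it is idempotent it can be run from a management tool on every client without checking first which ones have already been converted.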

Next, set-up your shares using Server Admin, setting the Custom mount path setting as required. For instance, I set one up with the path /Network/Groups. On previous versions of Mac OS X, you could do this step from Workgroup Manager, which was useful because it meant you could manually edit the mount URL to remove the hard-coded “;AUTH=NO USER AUTHENT” setting. Unfortunately you can no longer do this as of 10.5, which means that you have to use dscl or the various LDAP utilities.

Even more unfortunate, when I tried to edit with dscl, I just got the error message

*** Uncaught Exception:  ([DSoDataNode initWithDir:value:] value is not a valid NSString nor NSData)

(and yes, I’m certain I used the right command). As a result, I ended up making myself a file like this (I called mine groups.ldif):

dn: cn=server.example.com:/Volumes/SomeVolume/Groups,cn=mounts,dc=server,dc=example,dc=com
replace: mountOption
mountOption: url==afp://server.example.com/Groups

and then I did

$ kinit diradmin
Please enter the password for diradmin@EXAMPLE.COM:
$ ldapmodify -f groups.ldif

The first line is just to authenticate as the directory administrator—you only need to do that once. If you need to examine your LDAP mount records first, you can do something like this:

$ ldapsearch -b "cn=mounts,dc=server,dc=example,dc=com"

which will list all of the mount records.

One other useful tidbit is that if you’re trying to test this from a client machine, you can do

$ sudo automount -v

from Terminal to refresh the automount set-up on the client.
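Writing the LDIF by hand is fine for one share, but the guest-access suffix has to come off every static mount record, and an LDAP replace overwrites the whole mountOption attribute, so any other mountOption values on the record must be restated or they are silently lost. The following is an added example (not the author's code) that reads the output of the ldapsearch command above, finds every mountOption of the form url==afp://... that ends in the ;AUTH=NO USER AUTHENT suffix, and emits an LDIF modify for ldapmodify that drops the suffix while keeping the record's other mountOption values. It handles LDIF line folding and base64 values as ldapsearch prints them. The sample ldapsearch output is constructed; the %20-encoded spelling of the suffix is an assumption about how the value may be stored, and the attribute names other than mountOption are illustrative.

```python
"""Generate an LDIF modify that removes guest access from static mount records.

Added example. Pipe the ldapsearch output in and redirect the result to a file
for ldapmodify:

    ldapsearch -b "cn=mounts,dc=server,dc=example,dc=com" | python fix_mounts.py > groups.ldif
"""
import base64
import re
import sys

# Suffix Server Admin hard-codes into the mount URL (as written on the page);
# the %20-encoded form is an assumption about an alternative stored spelling.
GUEST_SUFFIX_RE = re.compile(r";AUTH=NO(?: |%20)USER(?: |%20)AUTHENT$", re.IGNORECASE)

# Constructed sample of `ldapsearch -b "cn=mounts,..."` output, not real data.
# The first dn is folded across two lines the way ldapsearch wraps long values.
SAMPLE_LDAPSEARCH_OUTPUT = """\
# constructed sample, two mount records
dn: cn=server.example.com:/Volumes/SomeVolume/Groups,cn=mounts,dc=server,dc=ex
 ample,dc=com
cn: server.example.com:/Volumes/SomeVolume/Groups
objectClass: mount
mountDirectory: /Network/Groups
mountType: url
mountOption: url==afp://server.example.com/Groups;AUTH=NO USER AUTHENT

dn: cn=server.example.com:/Volumes/SomeVolume/Public,cn=mounts,dc=server,dc=example,dc=com
cn: server.example.com:/Volumes/SomeVolume/Public
objectClass: mount
mountDirectory: /Network/Public
mountType: url
mountOption: url==afp://server.example.com/Public
"""


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attribute: [values]}).

    Unfolds continuation lines (a leading single space), decodes base64
    values written as "attr:: ...", and skips comments and version lines.
    """
    records = []
    unfolded = re.sub(r"\n ", "", text)
    for chunk in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in chunk.splitlines():
            if not line or line.startswith("#") or line.startswith("version:"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            records.append((dn, attrs))
    return records


def strip_guest_auth(url):
    """Return the URL without the guest-access suffix, or None if it has none."""
    new_url, count = GUEST_SUFFIX_RE.subn("", url)
    return new_url if count else None


def build_modify_ldif(records):
    """Return LDIF modify operations for every record that still allows guests.

    Because "replace" overwrites the whole attribute, every existing
    mountOption value is restated, with only the url== value rewritten.
    """
    out = []
    for dn, attrs in records:
        fixed, changed = [], False
        for opt in attrs.get("mountOption", []):
            if opt.startswith("url=="):
                new_url = strip_guest_auth(opt[len("url=="):])
                if new_url is not None:
                    fixed.append("url==" + new_url)
                    changed = True
                    continue
            fixed.append(opt)
        if not changed:
            continue
        lines = ["dn: " + dn, "changetype: modify", "replace: mountOption"]
        lines += ["mountOption: " + opt for opt in fixed]
        lines.append("-")
        out.append("\n".join(lines))
    return "\n\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    text = SAMPLE_LDAPSEARCH_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(build_modify_ldif(parse_ldif(text)))
```

Records that already lack the suffix produce no output, so the generated file can be reviewed and applied with ldapmodify -f as above after a kinit as the directory administrator; re-running ldapsearch afterwards confirms that only the url== values changed.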

It all sounds so simple written down, but this took me a good few hours and a lot of frustration. Hopefully I’ve saved someone else (or even just myself, in future) from repeating that experience.

Scared Some Motorcyclist

On the way into work today I think I scared a motorcyclist. It was partly my fault for being in the wrong lane (not that I had much chance of being in the right lane given the lack of signs until the very last minute—I went a different way to work this morning, along a road I’m not entirely familiar with), but the fact that I gave him a fright was his own silly fault.

I was trying (carefully, I might add… there was never any danger of a collision) to push into the lane he was in. I think when he noticed this happening at first, like a lot of people he decided to be bloody-minded and to not let me in. Which is both rude and awkward, but a lot of people do that kind of thing. Anyway, as a result, he ended up alongside me, with me slightly impinging on his lane and I think assumed then that I hadn’t seen him, which wasn’t true. All I wanted was either (a) for him to slow down and let me in (which, given that I was ahead of him at the time would have been sensible… when I started to move over, there was even a small gap), or (b) for him to speed up and go past. I got the result I wanted in the end, but not without him honking his horn at me and gesturing at his eyes.

I find these kinds of things, which happen to me rather rarely, somewhat upsetting. Not least because he will doubtless tell all his friends that some stupid car driver nearly knocked him off because he wasn’t looking, which is totally untrue—as I say, there was never any danger of that happening. It’s the kind of incident for which there isn’t really any blame to apportion, because nothing actually happened and nothing ever would have. It’s still frustrating though. Ah well…

Will the Web Really Win?

Haven’t we heard all of this before? I mean about how thin clients will take over the world and relegate the desktop and desktop applications to the past?

I often disagree with Matt Asay’s views (which makes his blog fun to read, if only for the rush of righteous indignation I tend to feel after reading it). But to argue that Google Docs, Zoho et al. are going to replace desktop apps is just plain crazy.

Who wants all their documents stored on someone else’s server where they could be snooped on (or even sold) by wayward systems or database administrators and where Big Government is much more likely to come up with a justification as to why it should be allowed to poke its nose into them at will. No thanks, I think I’ll pass.

Even if a substantial proportion of the general public decided that hosted web apps were the way to go, I can’t see any sane CEO or MD agreeing to their company going down that route. And most of the money in the office suite market is in corporate sales, not least because of widespread piracy by home users.

The only way out of that problem is selling e.g. a Google Docs “appliance”. And once you start going down that route, I don’t really see many advantages over buying a conventional desktop office suite. Sure, with an appliance you get single-point upgrades (and single point of failure too, unlike a desktop suite). Except that (a) there are already tools to manage desktop applications across multiple machines, and (b) as your company grows, you start needing more and more of these appliances, which eventually need to be distributed between your offices so that users get an acceptable response time. Pretty soon you have all the same problems you had before, but now you have this special box that you can’t easily maintain yourself (even if it is commodity kit, fiddling with it is likely to void any warranty or maintenance contracts you may have).

No, sorry Matt, I just don’t buy it.

My two cents: desktop software is here to stay.

Coriolis Systems Now Has a Blog

The newly updated Coriolis Systems website now has a blog too. Hopefully we’ll be able to use that to cut down on our use of e-mail. Also, I can think of at least one useful announcement I can use it to make over the next week or so.

Updated Coriolis Systems Website

It’s been a while since I last posted on my blog, and people who follow me on twitter, or who read any of the mailing lists I occasionally contribute to will have noticed my absence also.

There are various reasons for this, but the most recent has been that I’ve been busy doing a re-design of the Coriolis Systems website. It’s still a way from where I’d like to be with it, but the new design is a lot better in many respects and what’s more it fixes a couple of long-standing bugs and problems with the old site, the most commonly complained about being that you can now specify your own password.

And, unlike so many websites out there, your password is stored safely on our server; even we can’t read it, and we won’t be told by our site about any incorrect passwords you may try (well, we’ll be told you’ve tried, but not what you tried). A lot of websites’ administrators have direct access to cleartext copies of your password (if you use the same password everywhere and this doesn’t scare you, it probably should).

It should be a lot easier for people to download our software now too… as long as you’re logged-in, all the download demo links change to download links for the full version.

Apparently Hiccuping Is a Throwback

Apparently, hiccuping is a throwback to a part of our evolutionary history where our distant ancestors still had gills.

I also like the way the author of the piece claims that

There must, however, be a reason why hiccupping persists 370 million years after animals started hauling themselves onto the land.

Apparently he or she is a subscriber to the old chestnut that there must be a reason for everything. For what it’s worth, I suspect that there is no good reason for the persistence of the hiccup—but since there is no obvious evolutionary disadvantage to keeping it, there doesn’t actually need to be.

A Few Notes on CVs

I’ve been getting a lot of CVs recently, some good and some bad. There’s plenty of advice out there already about CVs, but I thought I’d just list a few observations, both good and bad:

  1. When e-mailing a CV, rename the document first so it has your name in it. If someone receives 50 CVs all imaginatively titled “C.V.doc”, it’s a royal pain in the neck because they have to rename them separately when they copy them out of your e-mail.

  2. Don’t use text boxes and the like. There’s no need and the layout can screw up in various interesting ways for various reasons.

  3. Don’t use floating graphics drawn with Word. They’re unnecessary and, again, the layout can easily go wrong. If you want to put a line under or over something, use a paragraph style or (if you really must) a table.

  4. I don’t want to see your ugly mug. Keep photos in Flickr or iPhoto, where they belong.

  5. Make sure your paper size is set to A4. If you’re applying for a job in the U.K. or Europe, your CV is likely to get printed out on A4 paper.

    If your paper size setting is set to U.S. Letter, it’s annoying because the printer will either (a) refuse to print it until the size is changed (which will mess up your tables, frames, floating graphics and other unnecessary things), or (b) ask for confirmation before printing it (which is dead annoying if you just told it to print 20 CVs).

    A corollary to this is that when applying for a job in the U.S., you should be using U.S. Letter paper. Using A4 will annoy them.

  6. If possible, send a PDF rather than a Word document. This guarantees that your document will look the way you intended (unlike Word), it’s safer to open, and it shows an awareness that not everyone in the world likes or has Microsoft Word.

  7. Do include your grades. If you just tell me that you have four A-levels, you could have an ‘E’ in all four for all I know.

  8. Don’t tell me you have A-levels in Maths, Biology and Media Studies and then tell me that you have an ‘A’ and two ‘F’s. If you do that, I don’t know which subject you got the ‘A’ grade in!

  9. For technical jobs, if you have a poor A-level grade in a technical subject (mathematics, for instance), it would be a good idea to explain why. Especially if you are also claiming to have (or to be about to receive) a first-class honours degree.

  10. The reason people ask for covering letters is that they’re expecting you to write a covering letter specific to the job for which you’re applying. In theory it saves updating your CV, because you can use the opportunity to point out which of your talents make you a good fit for the job.1 Even if you don’t tailor your CV, make sure you tailor your covering letter.

  11. One application is sufficient. Applying for the same job over and over again doesn’t increase your chances (indeed, it may be annoying, which would have the opposite effect).

Oh, and if you apply for our job having read this, why not say so? It at least shows that you’ve made some effort to find out about us :-)

1 And please try to avoid pointless clichés and horrible management newspeak. You may well be “a team player who gives everything 110% and attempts to utilise all available resources while leveraging the toolset to provide a business-focused response to any situation”, or, as we English speakers say, “full of sh*t”. Is that really something you want to advertise?

Isn’t That a Bit Cheeky?

Yesterday, Daring Fireball linked to two pirated copies of the recent (and excellent) BBC 4 documentary about the Gutenberg Press.

It is an excellent programme, and certainly something I would recommend that people watch, but it does peeve me somewhat that it’s being distributed illegally for free when it has been paid for by the British license-fee payer.

We Brits often forget that the BBC’s output is not free, but moreover that it is collectively owned by all of us taxpayers and funded largely by way of the Television License. That is, we own that content and our license fees will be higher next year if the BBC doesn’t make its expected return on it.

(Aside: as it happens in this particular case it may well sell just fine in spite of being available for free on the ’Net; the programme really is that good. That’s hardly the point though.)

I Have a Hackintosh, and I Want Support Dammit

Erm, no.

Go away.

We don’t want to support you. You and your stupid hackintosh are a pain in the backside. A waste of our time. Your machine doesn’t work the same as a real Mac, and that’s why you’re having problems. Go buy a real Mac, then come back.

Seriously, hackintosh owners are really annoying. They often try to skirt around the fact that they’re using hardware other than that supplied by Apple. This is, of course, highly relevant when you’re dealing with a disk utility. Often it will become apparent, after we’ve wasted our time asking and answering several rounds of questions, that their machine is not normal. At which point, the question “Are you, perchance, using a hackintosh?” is inevitably broached. Responses to this vary from “Oh, er, am I?” through to self-righteous nonsense about how it shouldn’t matter (as if they have a clue).

We never claimed that our software would work on their hackintosh. It might do, it might not, but we aren’t going to make a huge effort to make it work if it doesn’t. Our software is for Macs. Macs are not hackintoshes.

Learning From Past Mistakes?

You would have thought that H.M. Revenue & Customs would have learned from its past mistakes.

Apparently not.

Interestingly they seem to be arguing that they shouldn’t repay the VAT to M&S because that would constitute “unjust enrichment”. Yet if a customer fails to pay VAT when they should have, HMRC tell me that they regard the business that sold a good or service as liable for that VAT in any case. And M&S would presumably have been able to sell their teacakes for the same price regardless of whether that price contained an element of VAT…