UNIX

List the local user accounts whose UIDs are greater than 100

Here’s an example of how you can use the DirectoryService dscl utility to find which local user accounts have UIDs greater than 100. These users are by convention most likely to be non-system accounts, and therefore of interest for some tasks in a tool like Applejack. (I pulled this example from some comments in the Applejack 1.4.3 source.)

$ dscl /Local/Default -list /Users UniqueID | awk '$2 >= 100 { print $1; }'
supersecretadminaccount
christen
jeremy
elijah
demoguy

What’s going on in this example?

I’m getting a list of users from the default local DirectoryService node, whose path is /Local/Default. The output of this step gives you all of the local user accounts’ short usernames, followed by their UIDs, because that’s the property I was requesting. The data is arranged in two columns.

A drop into awk can make quick work of processing this columnar data, so I pipe the output of the first command in. Taking the output of dscl, I wanted to find whether the number in the second column was greater than or equal to 100, so I compare $2 to the desired number. When the UID column’s data matches, I print out only the short username from the first column, $1.

This gives you a list of usernames whose UIDs are greater than or equal to 100. The output is one per line, which is what you want if you have further processing steps.

“UniqueID” is the DirectoryService record type for UID. You could also use “uid” instead, and in this instance I’ve found that it works equally well.

$ dscl /Local/Default -list /Users uid | awk '$2 >= 100 { print $1; }'
supersecretadminaccount
christen
jeremy
elijah
demoguy

Substituting “uid” for “UniqueID” may not always work. It probably will in most cases, since the output is formatted similarly, but it depends on what subsequent processing steps are expecting. If those steps are splitting the columns/fields by whitespace, they should be fine either way.

$ dscl /Local/Default -read /Users/jeremy uid
dsAttrTypeNative:uid: 503
$ dscl /Local/Default -read /Users/jeremy UniqueID
UniqueID: 503

Another point of interest would be accounts with UIDs greater than 500, as the Mac OS X Setup Assistant and Accounts System Preferences pane create local accounts starting with UID 501 by convention. Whether you choose greater than or greater than or equal to 500 is up to you. I’ve come across some situations where ID 500 gets used (somewhat unexpectedly), so you may want to find such UIDs or GIDs if it suits your purposes.

The difference between those accounts whose UIDs are greater than or equal to 100 and those greater than or equal to 500 would yield a list of non-system accounts that are hidden by default from the login window or Accounts System Preferences pane. While you could generate two lists and compare them with sort and uniq, you could just add to your awk statement.

$ dscl /Local/Default -list /Users UniqueID | awk '$2 >= 100 && $2 < 500 { print $1; }'

On most Mac OS X systems (as of this writing at least), there will be no accounts listed from the above statement. So, you’ll just get your command prompt back.

This should work in Tiger and Leopard, since dscl first became available in Tiger and replaced the NetInfo nicl utility entirely in Leopard.
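
The range checks described in this post, as an added example that is not from the original post or the Applejack source: a small sh script that sorts dscl -list rows into system (below 100), hidden (100 to 499) and regular (500 and up) accounts, and reads a UID from -read output under either attribute name. The function names and sample rows are constructed for illustration; svcbackup is a hypothetical account.

```shell
#!/bin/sh
# Added example (not from the original post or from Applejack).
# Sample data below is constructed; on a Mac, pipe real dscl output in instead.

# classify_uids: read "shortname UID" rows, as printed by
#   dscl /Local/Default -list /Users UniqueID
# and print "class<TAB>uid<TAB>shortname" using the post's thresholds.
classify_uids() {
    awk '
        NF < 2 || $NF !~ /^-?[0-9]+$/ { next }    # ignore rows without a numeric UID
        {
            uid = $NF + 0
            if (uid < 100)      class = "system"
            else if (uid < 500) class = "hidden"   # 100 <= UID < 500
            else                class = "regular"  # 500 and up
            printf "%s\t%d\t%s\n", class, uid, $1
        }'
}

# hidden_accounts: only the short names in the 100-499 range.
hidden_accounts() {
    classify_uids | awk -F'\t' '$1 == "hidden" { print $3 }'
}

# read_uid: pull the number out of "dscl ... -read /Users/name uid" or
# "... UniqueID" output, whichever attribute name was used.
read_uid() {
    awk '$NF ~ /^-?[0-9]+$/ { print $NF; exit }'
}

# Constructed sample in dscl -list format (svcbackup is hypothetical).
sample_list() {
    cat <<'EOF'
root                    0
nobody                  -2
_www                    70
svcbackup               401
jeremy                  503
EOF
}

# Usage on a Mac: dscl /Local/Default -list /Users UniqueID | hidden_accounts
if [ "${1:-}" = "--demo" ]; then
    sample_list | classify_uids
fi
```

Any name that hidden_accounts prints is an account that does not appear in the login window, so it is worth confirming that each one is expected on that machine.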

Authenticated printing with Active Directory on Leopard

A few posts on the MacEnterprise mailing list have reported that Leopard does support authenticated printing with Active Directory. This is a good step forward for Mac OS X. However, it’s unclear if it is using Kerberos to do so.

Leopard includes CUPS 1.3.3. I don’t exactly know how to tell this from the command line. There’s no cups -V at all, as the main executable is cupsd. But, there’s no cupsd -V, either. So, I resorted to the CUPS Web administration page, which is found at http://localhost:631/ on any modern Mac.

The What’s new in CUPS page — which as of this writing documents version 1.3 — says that Kerberos is now supported. So it’s reasonable to guess that Kerberos could be in use on Leopard for this type of authenticated printing.

So, I took a moment to ask on the Apple Printing mailing list, and got immediate results. Right away, Michael Sweet posted that no, by default it doesn’t … but it can be activated with the “Negotiate” option in cupsd.conf. There is one caveat: it reportedly doesn’t work with Windows Server 2003R2, however. You need CUPS 1.3.4 for that.

I found out that CUPS 1.3.3 in Leopard can potentially be replaced with version 1.3.4 at your own risk. You should only do that if you are comfortable with compiling applications, if you absolutely need to make Kerberized authenticated printing work with Windows Server 2003R2, and you are willing to test the changes before you deploy it to more than your non-production test computer. Otherwise, the following risk is not worth it. However, if you still feel the need to try CUPS 1.3.4 despite these warnings:

  1. Get the CUPS 1.3.4 source and compile it as a “4-way fat” binary with:
    $ ./configure --with-archflags="-arch i386 -arch ppc -arch x86_64 -arch ppc64"
    $ make
  2. Copy the resulting cups/libcups.2.dylib file to /usr/lib/.
  3. Reboot or log out.

The new libcups.2.dylib could then be copied to other computers if your testing with it is successful and it fixes the problem with authenticated printing through Windows Server 2003R2. You’re on your own if you try any of this; I’m not suggesting you do it, and can’t help you if you try. It’s unsupported and YMMV.

(By the way, replacing one key file like this is a really great opportunity to use a Radmind overload, if you’re into that sort of thing.)

Apple purchases the rights to CUPS

Wow, Apple bought the Common UNIX Printing System (CUPS) back in February, and the announcement has just come out. (I have to wonder why the delay … perhaps it has something to do with Leopard?) The software continues to be licensed under its regular terms.

Michael Sweet, one of the principals behind Easy Software Products and developer of CUPS, is now an Apple employee.

I’m sure this all means something.

Enabled the Zsh completion system

I’ll admit it: I’m a bit slow when it comes to the shell. I use it a lot, but never feel like I’m using it as well as I could. But today, I figured out how to turn on the Z Shell completion system. And it is very, very good.

This guide helped me, leading me to add the following to my .zshrc file:


autoload -U compinit
compinit

Once I’d done that, I could begin completing various commands and parameters. Within a few moments, using the tutorial above, I’d already completed:

  • command names
  • file and directory paths
  • changing a directory with cd, listing only directories
  • listing each directory that would be extracted from a tar archive
  • ssh destination, including user and host
  • changing to a directory three-levels deep with cd, using only the first letter of each of the three paths (i.e. “/u/l/b” for “/usr/local/bin”).

This is cool.

Shell with color in Tiger

Here is how I colorized my shell environment in Mac OS X Tiger:

  1. Added “CLICOLOR” and set it to “1” in the ~/.MacOSX/environment.plist, using the handy environment editor in SSHKeychain
  2. Changed my terminal type to “dtterm” in Terminal’s “Preferences” window.

I don’t recall exactly how I got to this point, but I’d never seen a hint that provided color with this level of ease — and I recently fell into a pique of wanting but not having colorized shell output.

Thoughts on Mac OS X 10.4.9 from the MacEnterprise extended KB article

Based on my reading of the MacEnterprise.org extended knowledgebase article on Mac OS X 10.4.9, some interesting changes have been made. Here are some of my comments on items listed in that article:

  • “Includes iChat support for USB Video Class webcams,” which seems to mean that UVC webcams will work without additional drivers on this version of the OS … so I doubt we’ll see a replacement for the standalone Apple iSight and I wouldn’t doubt we’ll just have to make do with the third-party opportunities this presents.
  • “Resolves an issue when using Kerberos authentication with Active Directory if the user is a member of many groups,” which may mean that my problem with binding to Active Directory over UDP using an account with a large TokenGroups attribute is resolved … presumably, if it is fixed, the kpasswd utility now supports TCP as well (although I do not see a change to /usr/bin/kpasswd in a Radmind transcript, the Kerberos framework did change).
  • “Adds support for WPA2 encryption in Network Diagnostics,” which is an option that is coming at just the right time for me.
  • “Includes updated security certificates,” which should mean that the root SSL certificates database has been updated (I note in a Radmind transcript that both X509Anchors and X509Certificates have changed with this update).
  • I’m not exactly hip with whatever change happened in /private/var/db/sudo. Based on what I’m seeing, a subdirectory for each sudo user will appear; so far, I’ve only seen this on Radmind model systems, and so I see one subdirectory with a blank “ttyp1” file inside. I think I might want to put this new directory in a negative transcript for Radmind.

[Via Philip Rinehart on the MacEnterprise.org list.]

First post to Site5

Having just started my previously-described relationship with Site5, it’s taken a bit of time to get used to shared Web hosting and determine how to move my site to their servers. Trying to intertwingle the site move with the higher priorities of parenting and shoveling all of the snow we’ve gotten means that time for the Web site has simply come up short.

No longer. This post is the result of my move (although I’m staying up late so I’m going to suffer for it). The database is imported. My Drupal instance is installed. Irreality is now on Site5 — and assuming I don’t have a problem that requires the use of Site5’s money back guarantee — it’ll be staying here for a while.

On the way to Site5

I’ve decided to follow Sthomas’ referral to Site5, taking them up on their $5 hosting deal. It simply came down to a price I was willing to pay.

I figure that I’ll probably save around that much electricity per month by not having to run my server at home. I’ll regain some upstream bandwidth on my Internet connection, which can be put to other uses. And, my son will not have so many whirring fans running in his room, since we haven’t finished remodeling the room all the technology is moving to.

I had been hoping to get:

  • a several GB storage allotment
  • a high bandwidth allotment
  • High or unlimited hosted sites
  • Full DNS control (for potential use with DNS-SD, perhaps)
  • Dedicated IP address
  • SSL
  • Greater than 5 hosted databases (well, just because)
  • SSH/SFTP
  • Shell access
  • Python 2.3 or later, preferably with mod_python (using FastCGI seems to be a big workaround)
  • WebDAV
  • QuickTime/Darwin Streaming Server
  • Reliable, consistent server performance
  • Good customer service (even if you never need it, it should be there)

I had to compromise on several points, but ultimately the price point was important to me. I had to balance some items that I wanted versus what I felt was needed, and consider some items which could be added onto an account locally rather than by the hosting provider.

It’ll take a little time for me to sort it out, but I’ll be moving this site to my new hosting account shortly. Hopefully, I can make it happen without an outage.

I had also considered the following hosting companies, and each had compelling offerings that were just not outweighed by $5 per month. I’ll list some of the benefits and drawbacks for each of these well-reviewed major hosting firms.

  • Dreamhost: WebDAV, QuickTime/Darwin Streaming Server, more quota space
  • WebFaction: considered very good for Python (including mod_python, which seems to be a rarity) and open source hosting, but had some of the most limited stats (like only three hosted dynamic sites for $7/month with a two year commitment)
  • Bluehost: considered good for Python, good stats.

In the future, I'm still considering some arrangement with Rsync.net or another off-site backup/storage provider. I think it’s an interesting time to be on the Internet, when you can really start to take advantage of some truly useful hosted services.

Pondering the switch to zsh

Geoff got me thinking about zsh last fall, and it’s on my mind again. I’m pondering a switch to it.

I’m still stuck on tcsh because it’s what I started with for my heavy interactive shell use. All my shell config files and knowledge reside in tcsh, because that’s what you used by default in Mac OS X 10.0. But, I dislike that the tcsh syntax is different than what I’m used to when it comes to shell scripting with bash. Bash is what I learned when I first took up scripting. Well, more to the point, I learned sh, and have grown a bit into using some bash-isms.

So I’m reading more about zsh, which means I’ll probably be firmly rooted in analysis paralysis for a while. But it looks good, and my chances in converting will improve if I can get my .tcshrc custom-tailoring moved over with reasonable ease.

In the meantime, here’s a search for zsh on Del.icio.us.
