Mac OS X Lab Deployment Notes

The Instructional Lab and Learning Center were converted to Mac OS X during the two weeks of the Winter 2001 break.  The decision to convert was based on:

1. The existence of Mac OS X version 10.1
2. The existence of Carbon versions of Stata and R
3. A desire to improve the experience for our (mostly Windows centric) student population and dispell their misperceptions about the Macintosh operating system
4. An attainment of a critical level of comfort with and understanding of Mac OS X, Mac OS X Server and Darwin's idiocyncracies and interdependencies

What follows is an informal collection of notes outlining things that were done during the conversion to achieve our ends. The conversion has been made but improvements continue to be applied.  Notes on these will also be included here.

Manipulating Environments

Setting System Wide Preferences

We have been able to control system wide preferences manipulating a few files.  These include:

• /Library/Preferences/loginwindow.plist

  We enforce running startup scripts and user anonymity with this file.

• /Library/Preferences/com.apple.finder.plist

  By default the Finder's Toolbar and the Dock are empty.  In coordination with scripts, these preference settings are intended to keep first time visitors focused on discovering their personal account information and encourages them to log out of the kiosk account as quickly as possible.

• /Library/Preferences/com.apple.dock.plist

  Read previous line.

• /System/Library/Frameworks/ScreenSaver.framework/Versions/Current/Resources/EngineDefaults.plist

  We enforce screen lock on everyone that uses the lab machines and set their idle time to 10 minutes.

Setting User Preferences in Advance

A new account's environment inherits the items and settings that exist in /System/Library/UserTemplate/English.lproj.  This directory contains the folders...

• Desktop
• Documents
• Library
• Movies
• Music
• Pictures
• Public
• Sites

For our purposes Library, Desktop, Documents and Sites are the folders of most interest.  After configuring preferences using a test account, key files are copied from the test account's folders to the respective folder counterpart in the English.lproj directory.  The files we have been working with are:

• Library/Preferences/com.apple.dock.plist

  The applications used in our labs are preloaded on the Dock.

• Library/Preferences/com.apple.finder.plist

  We replace the Home icon with the Documents icon in the Toolbar.

• Library/Preferences/com.apple.desktop.plist

  All students inherit the same distintive desktop background image.

• Library/Preferences/com.apple.print.PrintCenter.plist

  The lab printers are predefined.

• Library/Preferences/Explorer/*

  Course related bookmarks and URLs are predefined.

Copying the Template Files Manually

Server Admin copies the template files into a new account's folder with correct permissions and ownership.  Occassionally we have found it necessary to do these steps manually.  Here is what we have learned:

1. The permissions to the directories are: 755 on the home, Public and Sites folders; 700 on the Desktop, Documents, Library, Movies, Music, and Pictures folders. These permissions can be set either using chmod or through the Get Info>Privileges window.
2. It is important that these folders (and in some cases the files they contain) retain their meta-data information.  Copy these directories using the Finder and everything will work.  Avoid 'tar'.  It will not retain meta-data information and the end result will be files that the system can not use during log in.
3. Giving ownership on the new folders to its prospective owner is most easily done using 'chown -R'.  The Finder does not make this available.

System Scripts

In /Library/Preferences/loginwindow.plist we identify a startup script.  The script is a compiled AppleScript.  It checks the identity of the person, i.e. whether they are the kiosk user or anyone else and interjects system routines that we want to run when a user logs in.  The script is a work in progress and I will skip its details here, except to say that as of AppleScript 1.8 tighter integration with UNIX has begun to emerge.  Commands are at last appearing in AppleScript that make the language truly valuable to a UNIX administrator.  The new commands include:

• do shell script

  Example: set whoisi to (do shell script "whoami")

• system attribute

  Example: set attrib to (system attribute "USER")
  Other attibutes are: "HOME", "SHELL", "LANG", "PATH"

Account Management

Authentication

We are using a two tier NetInfo authentication scheme with a 'Student' child domain and a 'Department' parent domain.  The information for setting up such a system can be found in the document "Understanding and Using NetInfo" under the section "Setting Up Shared Domains in Deeper Hierarchies".  This set up is working fine so far: undergraduate students are limited in scope to the resources of the lab while department members have wider access.

Account Creation

The majority of the accounts for the lab are created in batch.  A Perl script parses an ASCII file of student information and outputs an XML import file for later consumption by the Server Admin import function.  The documentation that assisted in the creation of our scripts was found in "Mac OS Server Administrator's Guide" in the section "Example XML File".  Additional understanding of the XML format was gotten by studying the files the Server Admin application produces.  Additional accounts are created singly with this script.  Accounts are reinitialized between quarters with this script.

In a hierachical UNIX system UID assignments must be planned.  By default, Mac OS X Server assigns UIDs starting at number 100.  This starting point is fine for our department accounts.  For our student accounts we picked a starting number well above the range the department accounts are expected to reach.

A Kiosk-Like Account

We created an account with no shell nor home directory.  Without a shell or home directory the account can only log in locally on the lab machines and inherit the hard coded environment (see "Setting System Wide Preferences" above).  Changes a user makes while logged in are lost on logging out.

Maintaining the System

Managing Files Remotely

Previous to Mac OS 9.1 we were using Network Assistant to manage files remotely.  With Mac OS X we have started using SSH and RSync for remote file managment and computer control.  Public keys for special local accounts have been set up on the machines and now administrative commands can be run remotely:

• ssh -1 <dest_mach> <command>
• scp -oProtocol=1 <src_mach>:<src_file> <dest_mach>:<destination>
• rsync -e 'ssh -1' <src_file> <dest_mach>:<destination>

The machines are behind a firewall for added security.

We are interested in using Network Assistant again when it becomes available for Mac OS X and will post our notes here as our experience with this application grows.

Problems and Work-Arounds

Adaptec 39160 SCSI card and Disk Utility's RAID 1

The Adaptec 39160 SCSI card with its latest driver does not work with Disk Utility's Stripe configuration.  Problems occur where the Catalog data becomes corrupted.  Discussions in the Mac OS X Server mailing list indicate that the ATTO cards work reliably and we will be trying these.  In the mean time we are not using any RAID.

Mac OS X 10.1.3 AFP Slowness

We have logged a bug with Apple regarding the slowness of AFP during a user log in.  If the system has been idle for more than a couple of hours, a user waits about 5 minutes to log and then their home directory is not mounted.  Before 10.1.3 a reboot would fix the problem but this does not work in 10.1.3.  Our work-around is to force the home directory to automount through the Terminal by doing 'cd /Network/Servers/normal'.  We now have a cron job running from one machine that will do this every couple of hours on all the lab machines.  Since this work-around was implemented users have been able to log in after an idle period without a problem.