Recently in general Category

Here's how to configure Snow Leopard (and iPhone) to use an enterprise Cisco VPN concentrator (which is what you connect to from the internet when you want to virtually join a company or school's LAN).

Open System Preferences --> Network --> click the plus sign (Create a new service). On the iPhone, choose Settings --> General --> Network --> VPN --> Add VPN Configuration. On the Mac, choose VPN as the interface. Choose Cisco IPSec as the VPN type, and supply a service name as a description (an arbitrary name for the connection, whatever makes sense to you).

The rest of the necessary information is supplied by you eyeballing a configuration file (or profile file) used by the typical Cisco VPN client. These files have a .pcf extension and they're usually distributed by an organization as part of the Cisco VPN client installer, usually in a folder called Profiles, but sometimes they are distributed just by themselves for users of other Cisco-compatible VPN clients.

If the .pcf has already been installed on your Mac, you can find the containing directory here: /private/etc/opt/cisco-vpnclient/Profiles/ — which you can see in the Finder by selecting Go --> Go to Folder... ---> and entering that full path above.

Not all the values in the Mac or iPhone configuration windows are used. Certificates, for example, are not common and can be left off or blank. Passwords need not be entered and saved; instead, they can be entered whenever a connection is made.

Open the .pcf file using any text editor. You will see rows of options and values — these are what you will enter in the Mac or iPhone network preferences. For example, to enter your organization's server address, use the corresponding Host value in the .pcf file.

Back at the System Preferences --> Network --> VPN option, there's the Authentication Settings button. Here, you need two important settings: the Group Name and the Shared Secret. The former is found in the configuration file under the GroupName line. The final field that's necessary to make the VPN connection is something called the "Shared Secret" (it is also sometimes called the Group Password).

Cisco VPN clients use two factors for authentication to connect users to your LAN (called SUNet here at Stanford). One is very weak, and that's the Shared Secret. The other is strong: your own username and password.

In the .pcf file, you will see this as the value associated with the enc_GroupPwd line. You'll notice it looks like an encrypted string, a bunch of letters and numbers. Because it's encrypted, you cannot cut-and-paste this string into the System Preference field.

I can't tell you what that string is or what it decrypts to, but it's simple enough to use a search engine like Google to find a website that decrypts Cisco group passwords. You enter the long string, click a button and it spits out the passphrase. It's that passphrase that you enter in the Mac or iPhone's Shared Secret field.

What will this Shared Secret get you? Remember, it's only one of two factors necessary to connect. The other, of course, is your username and password. That should never be disclosed, shared or mismanaged.
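
As an added example (not part of the original post), this Python script reads a .pcf profile and lists the values to type into the Mac or iPhone VPN settings, plus a note on how the group secret is stored. The Host, GroupName and enc_GroupPwd keys come from the post; the [main] section header, the GroupPwd key, the "!" read-only prefix and the sample profile are assumptions about the usual profile layout.

```python
import configparser

# Constructed sample profile, not any real organization's file.
SAMPLE_PCF = """\
[main]
Description=Example campus VPN
!Host=vpn.example.edu
AuthType=1
!GroupName=example-group
GroupPwd=
enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF
Username=
"""

# .pcf key (lower-cased) -> field in the Mac/iPhone VPN settings
FIELD_MAP = {"host": "Server Address", "groupname": "Group Name"}


def read_pcf(text):
    """Return the [main] section of a profile as a dict with lower-case keys."""
    parser = configparser.RawConfigParser(strict=False)  # no % interpolation
    # Assumption: a leading "!" marks a value as read-only in the Cisco
    # client; strip it so "!Host" and "Host" are treated alike.
    parser.optionxform = lambda key: key.lstrip("!").lower()
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "main":
            return dict(parser.items(section))
    raise ValueError("no [main] section: not a Cisco VPN profile?")


def summarize(text):
    """Return (settings to type in, notes on the group secret, missing fields)."""
    main = read_pcf(text)
    settings = {label: main.get(key, "") for key, label in FIELD_MAP.items()}
    notes = []
    if main.get("grouppwd"):
        notes.append("GroupPwd holds the Shared Secret in clear text")
    if main.get("enc_grouppwd"):
        notes.append("enc_GroupPwd holds the encoded Shared Secret")
    if not notes:
        notes.append("no group password in profile; ask the VPN administrator")
    missing = [label for label, value in settings.items() if not value]
    return settings, notes, missing


if __name__ == "__main__":
    settings, notes, missing = summarize(SAMPLE_PCF)
    for label, value in settings.items():
        print(f"{label}: {value}")
    for line in notes + [f"missing: {m}" for m in missing]:
        print(line)
```

Either note means the profile file itself carries the group secret, which is why the username and password are the factor that has to stay private.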

Establishing password-less logins using public/private keys turned out to be a bigger pain in the butt than I had expected. There are a lot of resources on the web on how to do this, typically for BSD or Linux; and there are even scripts that purport to do this with assistance, but only the simple part. Whenever I do this, I have to pause and give this more thought than should be necessary, googlin' around for an answer to solve what I screwed up.

The problems are, there are always other components at play which are Mac-specific, and the guides are usually generic or aimed at Linux, BSD or some other sort of unix-like operating system. Even Apple's own documentation (from the Developer Connection, no less) is a little scant or can be intimidating for green sysadmins. This blog post is very long because it's very detailed. It's not quite step-by-step, but it's close.

A note: if there's an omission or an error in the instructions, and thousands of credit card numbers, Social Security numbers, cancer test results or SAT scores escape into the open, don't come knocking on my door.

Presentation: Stanford iPhone - iStanford

This is a presentation here on campus, Friday, February 20, 2:00-3:30 p.m.

- Aaron Wasserman & Kayvon Beykpour,
- Wyn Davies, Apple

iStanford is a fully integrated suite of Stanford services exclusively for the iPhone and iPod Touch. The suite allows users to access Stanford's directory, campus maps, course bulletin, events calendar, and athletic news, schedules and scores.

Since its release to the public, there have been nearly three times as many downloads of iStanford as there are registered iPhones on campus. On average, users spend around five minutes per session, and some of the most popular features include "Find Me" in Maps, and searching for a person in the directory.

How to properly remove the Zimbra iSync Connector

This entry is about the Zimbra iSync Connector, which is used to synchronize data from an iSync-compatible device and a Mac (plus other data stores, such as the computers associated with one's MobileMe account).

Instead of using the Zimbra iSync Connector, I had decided I wanted to use Zimbra's over-the-air notification system to keep my iPhone in sync. Since Zimbra and Apple have incorporated Microsoft's ActiveSync technology, I get email and calendar notifications, more-or-less instantly, without having to attach via USB; addresses are kept in sync this way, too. And since these two methods could compete against each other, I needed to remove the iSync Connector PreferencePane from my system.

Normally, just dragging PreferencePanes to the trash would do the trick—but this wasn't effective. Looking at /var/log/system.log, I was seeing lots of these entries on my Mac Pro running Mac OS X 10.5.5:

Sep 30 13:21:30 beterouge ZimbraHelper[336]: An uncaught exception was raised
Sep 30 13:21:30 beterouge ZimbraHelper[336]: *** -[NSPlaceholderString initWithString:]: nil argument
Sep 30 13:21:30 beterouge ZimbraHelper[336]: *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSPlaceholderString initWithString:]: nil argument'
Sep 30 13:21:30 beterouge ZimbraHelper[336]: Stack: (\n 2451677515,\n 2501561915,\n 2451676971,\n 2451677034,\n 2435643739,\n 52456,\n 72072,\n 9610,\n 9393\n)
Sep 30 13:21:30 beterouge[229]: 2008-09-30 13:21:30.759 ZimbraHelper[336:10b] An uncaught exception was raised
Sep 30 13:21:30 beterouge[229]: 2008-09-30 13:21:30.760 ZimbraHelper[336:10b] *** -[NSPlaceholderString initWithString:]: nil argument
Sep 30 13:21:30 beterouge[229]: 2008-09-30 13:21:30.761 ZimbraHelper[336:10b] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSPlaceholderString initWithString:]: nil argument'
Sep 30 13:21:30 beterouge[229]: 2008-09-30 13:21:30.762 ZimbraHelper[336:10b] Stack: (
Sep 30 13:21:34 beterouge ReportCrash[342]: Formulating crash report for process ZimbraHelper[336]
Sep 30 13:21:35 beterouge ReportCrash[342]: Saved crashreport to /Users/nbfa/Library/Logs/CrashReporter/ZimbraHelper_2008-09-30-132130_beterouge.crash using uid: 501 gid: 20, euid: 501 egid: 20

The problem was, I couldn't find ZimbraHelper on my system, so I couldn't get rid of this "process" that was crashing; this binary was part of the Zimbra iSync Connector PreferencePane that I had deleted, and an exhaustive search on my system revealed no such file. I looked at the BOM file for the iSync Connector installer to see what else might have been installed, but everything was contained in the PrefPane exclusively. What was going on?

Stanford's CS dept to offer iPhone programming course

As originally posted on TUAW, Stanford's Department of Computer Science is offering CS 193P this upcoming fall term. The course is titled "iPhone Application Programming."

On Campus: Mac OS X Support Essentials 3-Day Course

If you didn't get this in your inbox, here's a new class that's being offered by the Tech Training crew.

Mac OS X 10.5 Support Essentials

Dates: Aug 11-13, 2008
Location: POST classroom in Jordan Quad
Fee: $1,800 STAP funds eligible

Mac OS X Support Essentials is a three-day, hands-on course that provides an in-depth exploration of troubleshooting on Mac OS X. This course is designed to give you a tour of the breadth of functionality of Mac OS X and the best methods for effectively supporting users of Mac OS X systems. The course is a combination of lectures and hands-on case study exercises that provide practical real-world experience.

Who Should Attend:

  • Help desk specialists, technical coordinators, service technicians, and others who support Mac users
  • Technical support personnel in businesses that use Macs for general productivity or creative design
  • Technical coordinators or power users who manage networks of computers running Mac OS X — such as technology specialists who manage classroom networks or computer labs

What You Will Learn

  • The troubleshooting process and how to become more efficient with available tools and resources
  • Mac OS X v10.5 features in depth, including how to find additional information
  • How to prepare for Apple Certified Support Professional certification

For more information and to register: Visit the Tech Training news website.

krb5authnoverify thwarting FileVaultMaster.keychain

So, I'm writing this gigantically long document on FileVault, and I come to the part about passwords, master passwords, and resetting things using the latter.

The way it works is, if your user forgets her account password (the one used for creating the FileVault), anyone with the master password should be able to enter it in Login Window and reset the user's password, which will in turn modify the key used to unlock her FileVault disk image. Except, it wasn't working for me.

Login Window allowed me to enter the master password, but when the forgetful user tried to enter her new password, it would just shake.

Reviewing secure.log, I got a lot of this:

Jul 10 12:53:12 home-mac SecurityAgent[71]: User info context values set     
Jul 10 12:53:12 home-mac authorizationhost[70]: k5_authenticate(): got -1765328378 (Client not found in Kerberos database) on plugins/krb5/krb5_operations.c:54     
Jul 10 12:53:12 home-mac authorizationhost[70]: -[SFBuiltinKrb5Authenticate invoke](): got -1765328378 (Client not found in Kerberos database) on authhostbuiltins.m:1057     

I thought it might have something to do with the Local KDC, or the file, but the problem was in the log messages.

Mac OS X 10.5.3 released

Apple has released the latest significant update to Mac OS X 10.5 (Leopard) today. You can read their online support article for the details.

I've always recommended that users do a full and complete backup of their system prior to such dot upgrades (say, from 10.5.2 to 10.5.3). This isn't always practical, of course, but it's always a good idea. After doing the backup, I launch Disk Utility and have it verify my startup disk is OK. You can run Disk Utility and do the verify procedure while logged into your Mac, but if it detects problems, you'll have to repair it using a different methodology. While you're using Disk Utility, why not also do a "Repair Permissions" just to make sure your house is in order first?

Also, I recommend trusting Apple's built-in Software Update tool to deliver the appropriate version for your computer. Other admins recommend always using the Combo update, which can be downloaded from Apple's website, but I think this is generally unnecessary. It probably can't hurt, but I'm dubious about claims of better success rates.

Another step that some people take, which does a bunch of handy things at once, automatically, is to boot first into Safe Mode, then reboot normally before applying the update.

If you hold down the shift key while booting, you'll enter Safe Mode. It deactivates third-party extensions, launchd and startup items, runs fsck and clears out a few system caches, so it's an easy step to take that helps ensure things are copacetic before updating. Again, not necessary, but not a harmful action.

Mac OS X Fundamentals (on-campus course)

If you didn't get this in your inbox, here's a class that's being offered by the Tech Training crew.


Date / Time: Wednesday, May 14, 1:00-4:30
Location: POST (Redwood Hall, Room G6)
Fee: $195

Learn the basics necessary to use your Mac effectively.

In this hands-on training class, you'll learn all the basics necessary to get started using your Macintosh features productively.

The new Mac operating system, Leopard, will be used.

Topics covered include such basics as:

  • Getting to know Mac OS X
  • Customizing your Mac
  • Working with applications
  • Managing multiple tasks


To register and pay with STAP Funds:

  1. Go to the Axess portal at, and log in.
  2. Click on the "Training" tab. (Note: If the "Training" tab is not present on your page, click the "My Home" link instead.)
  3. Click on "Search Catalog."
  4. Type "Mac OS X Fundamentals" in the "Title" field, then click "Search."
  5. From the results, click on the course title or "Enroll" to bring up course details.
  6. Follow the instructions to enroll. Note: "Add to Plan" does NOT enroll you.

Note: Recently, there have been intermittent problems within STARS, our registration system. If you have any problems, please call us at 723-4391.

To register using University Department, Hospital Tuition Assistance or Personal Funds:

  1. Download and fill out the paper registration form found at
  2. Fax it to us at 725-0995.

Conferences of note

Two conferences of note:

LabMan 2008 is happening this year in MN on June 2nd-4th, 2008. Here is the official announcement.

And of course, the other conference of note (which is much, much bigger, not to mention more Mac-related) is Apple's World Wide Developer's Conference (WWDC). It's June 9-13, 2008 in San Francisco.
