Carnegie Mellon University Website Home Page
 
Skip navigation and jump directly to page content
Documentation Index
Contributed Documentation
Deploying Mac OS X in Clusters
10.1 Open Questions
Accounts
Network, Phone & TV
Software
Email & Calendar
Secure Your Computer
Clusters & Printing
Web Services
Classroom & Event Support
Training & Education
Technical Support & Services
Campus Partners
Information Security Office (ISO)
Contributed Documentation
This document is NOT supported by Computing Services.
DO NOT contact the Help Center with questions on this document.
 
Carnegie Mellon

10.1 Open Questions

This is an archive of the open issues that remained during the midpoint of our initial Mac OS X deployment project, based on version 10.1. Notes have been added to indicate how we resolved the issues. See the Open Questions document for a list of outstanding issues in our current project to deploy Mac OS X 10.2.

Licensing Mac OS X

  • Volume license for all of campus through TAP, or
  • Just enough licenses for cluster machines
  • Depends on whether we deploy 10.1 or 10.2 initially
  • Depends on cost of 10.2 and 10.1->10.2 upgrade
  • Some machines came with a license to 10.1, need a pay upgrade for 10.2
  • New Hunt machines might come with 10.2
  • Older machines have no 10 license at all
  • If SCS gets machines, push for TAP?
  • RESOLUTION: We enrolled our cluster Macs in a maintenance agreement that covered 10.1 and 10.2

Crypted password security

  • Admin's crypted password is kept in NetInfo, readable by all users
  • Password was selected to be dictionary resistant
  • Might not be good enough anymore
  • Can LDAP be configured to store password safely?
  • RESOLUTION: We left the password in NetInfo and don't know of any resulting comprimises
  • RESOLUTION: 10.2 offers shadow password crypts, not readable by all

Initial Installation missing details

  • RESOLUTION: Note that removing the "setuid" permission bit from some files can keep your system safer, but not functioning properly. We found a situation where the "scselect" command no longer functioned when run as a normal user. It took a while to remember that the setuid bit was originally set.

OpenAFS

  • What happens when the user goes over quota?
  • Are we increasing quota for all users this year?
  • Get permission to distribute modified login authenticator
  • Create a default Login Item that alerts users at login time
  • What happens if tokens expire?
    • Tokens expiring overnight lead to kernel hang, requiring a reboot
  • RESOLUTION: Quotas can now be increased using a self-service web page. No problems turned up as a result of expired tokens.

Quota Checker Tool

  • Review the interface, especially the message
  • Needs an icon
  • Display the quota in the dock icon
  • Have more people test it out
  • RESOLUTION: Done

Printing

  • Not allowed to save custom settings: why not?
  • For first cluster, use AppleTalk printing to existing print queues
    • Need cover pages
    • AppleTalk routing goes away Dec 31, 2002 but we don't need it to print from within the same subnet
  • LPR support works fine, but our spoolers reject unauthenticated printing
  • KLPR isn't available today so the long-term plan needs work
  • Wait for Jaguar (Mac OS X 10.2) before investing any significant thought
  • RESOLUTION: We switched from AppleTalk to LPR and configured our spoolers to allow unauthenticated printing

Mortis

  • Can it be ported?
  • RESOLUTION: Done

aklog

  • Recompile from Andrew sources to fix long lifetime bug
  • RESOLUTION: Done

Telnet

  • Come up with a replacement for NiftyTelnet
  • Chaskiel already ported Andrew "telnet" command line program
  • Hook it up with "TelnetLauncher" or the like
  • See Jim's post on project bboard for others
  • RESOLUTION: Done, created CMU Telnet

Login Window

  • Get to a better place wrt sources
  • Implement user.permits feature to restrict who can log in
  • RESOLUTION: Sources not required under 10.2, so this problem goes away
  • RESOLUTION: User permits not implemented, but might be possible in loginhook under 10.2

Documentation on MyAFS and Preferences

  • Update documentation as needed
  • Advertise MyAFS as a safe and convenient Zip disk replacement
  • Give Help Center docs on how to reset preferences for solving problems with apps
  • RESOLUTION: Some docs written, but still no guidance given to users on storage options

OpenFirmware

  • It would be a good idea to set an OpenFirmware password on all cluster machines
  • That can be done manually by booting with Command-Option-O-F
  • An automated approach would be nice
  • Are there scriptable tools that run under Mac OS 9 (while NetBooted)?
  • Can the "nvram" command under Mac OS X do the job?
  • RESOLUTION: I think we did it manually, but tools are being developed now to automate under 10.2

NetBoot

  • Can we enable NetBoot version 1 for the B&W G3s? We'll have 25-40 of them
  • RESOLUTION: Didn't want to go there. Used a boot CD for those machines.

Application problems

  • Omnipage requires administrator rights to write files
  • Fetch doesn't work properly under Kerberos for Macintosh (fixed in 4.0.3)
  • RESOLUTION: See the Application Deployment PDF presentation for more details on problem apps