Firewall strangeness
Oct 17th, 2012 by Ken Hagler

My Mac Pro’s fire­wall sud­denly started block­ing ssh con­nec­tions for no appar­ent rea­son. I even­tu­ally fig­ured out that I had to set sshd-keygen-wrapper to “Allow incom­ing con­nec­tions” before it would start work­ing again. I’m guess­ing a recent sys­tem update suf­fered from overzeal­ous security.

New MacBook Pro
Jul 2nd, 2012 by Ken Hagler

My new Retina screen Mac­Book Pro arrived today. I’d been plan­ning to buy one even before they were announced, on the assump­tion they would come out some­time this year, and my old Mac­Book Pro (an early 2008 model) died just as they were being announced.

Although the improved screen is noticeable, the biggest improvement to me is how much lighter it is than the old model it replaces. On the other hand, all was not perfect–for some reason, it came without a recovery partition. Since this model doesn’t have a DVD drive and didn’t come with a system disc, this would be pretty bad for anyone who got it as their only Mac and then had a problem. It also kept me from turning on FileVault, which requires the presence of a recovery partition. Fortunately, some searching turned up instructions on how to create a recovery partition on a system that didn’t have it.

Setting up iChat Server
Feb 11th, 2012 by Ken Hagler

I’ve finally got the iChat por­tion of my Mac Mini Server up and run­ning. It turned out that some fairly impor­tant parts of the process were poorly doc­u­mented (or not at all), so I decided to write down the process in the hope that some­one set­ting it up in the future will have bet­ter luck with their search results than I did.

Ini­tial DNS Setup

The very first thing I did, before I even took the Mac Mini out of the box, was get its domain name set up. I’m on a cable modem, which means that all of my com­put­ers have local IPs (192.168.x.x) and share the same exter­nal IP address, which is sub­ject to change at any time. That’s obvi­ously a prob­lem for any kind of server, but for­tu­nately it was solved long ago by dynamic DNS ser­vices. These work by giv­ing you a sub­do­main such as orangeroad.ddnsservice.org, which resolves to your cur­rent IP, and auto­mat­i­cally updat­ing the DNS record when­ever your IP changes. I signed up for an account with FreeDNS, which is sup­ported by my router’s firmware, so it will auto­mat­i­cally keep my sub­do­main on their ser­vice updated.

Next I logged into the admin­is­tra­tive inter­face for the orange-road.com domain, which has been hosted for many years by the excel­lent Mac-centric host­ing ser­vice MacHigh­way. I then cre­ated a CNAME record point­ing frontier.orange-road.com to the fully qual­i­fied domain name from Free DNS. There were some other DNS changes needed later, but to avoid con­fu­sion I’ll cover them later, where they fit into the process.

Finally, when I started up Fron­tier for the first time I told it that its name was frontier.orange-road.com. The actual server has no knowl­edge of the Free DNS FQDN. I assigned it a sta­tic IP address in my local sub­net, and then logged into the router to for­ward all the ports I’d need (there were quite a few) to that sta­tic local IP. With all this done, an out­side request for frontier.orange-road.com will (so long as it’s for one of the for­warded ports) end up at the Mac Mini Server.

Get­ting a Signed SSL Certificate

When I set the server’s name, it auto­mat­i­cally cre­ated a self-signed SSL cer­tifi­cate. In order to avoid poten­tial prob­lems from poorly designed soft­ware putting up scary warn­ings or pos­si­bly refus­ing con­nec­tions via XMPP, I wanted to get this signed by a cer­ti­fi­ca­tion author­ity. A few days before I’d read an arti­cle which men­tioned StartSSL, which issues free certificates.

On the server side, the software makes it very easy to export a special file called a Certificate Signing Request, and then import the signed certificate once it’s received from the CA. The process of actually getting the certificate signed proved tricky, but thanks to StartSSL’s very helpful Eddy Nigg I was eventually able to manage it. The trick is that when you first go to their web site it seems like you’re requesting a signed certificate, but what you’re really doing is creating an entirely new certificate which identifies you for logging in to their system. Once that’s done, it’s simple to paste the contents of the CSR file exported by the Server app into a form and then download the signed certificate. The trick is to know ahead of time that it’s a two-stage process.

Set­ting up SRV Records

At this point my iChat ser­vice was up and run­ning and I could use the XMPP address khagler@frontier.orange-road.com. How­ever, I wanted to make it just khagler@orange-road.com, so that my IM address would be the same as the email address that I’ve had since 1996. To do this, I needed to cre­ate DNS SRV records to send XMPP traf­fic for orange-road.com along to frontier.orange-road.com (the actual orange-road.com machine is a web server in Col­orado which would just ignore XMPP traffic).

The system my hosting provider uses to administer the orange-road.com domain, cPanel, doesn’t have a way to create SRV records so I wasn’t able to do this all myself as I did with the CNAME record earlier. I knew that MacHighway wouldn’t be able to offer any support for this, so I carefully checked and re-checked and then submitted a support request asking them to manually enter the following lines into the record for the orange-road.com domain:

_xmpp-client._tcp.orange-road.com 14400 IN SRV	0 1 5222 frontier.orange-road.com
_xmpp-server._tcp.orange-road.com 14400 IN SRV	0 1 5269 frontier.orange-road.com

Once I got a reply from MacHigh­way sup­port that the change had been made, I checked with dig and con­firmed that every­thing was work­ing per­fectly on the DNS side. Note that if I had used the Free DNS FQDN it would have worked, but that would also have made it impos­si­ble for me to move to another dynamic DNS ser­vice should the need arise with­out bug­ging some­one at MacHigh­way to make another man­ual change for me.

Fix­ing the Server’s Iden­tity Crisis

At this point I discovered that as far as the iChat service was concerned it was still frontier.orange-road.com, and it was certainly not going to allow users of orange-road.com to connect! I needed to change the name that just the iChat service had for itself, without affecting anything else on the server, and this turned out to be the biggest headache of the whole process, mostly due to the general lack of documentation. After a great deal of searching and a few red herrings, I finally came up with the answer: sudo serveradmin settings jabber:hostsCommaDelimitedString = "orange-road.com" (the iChat service is actually a variation of jabberd2).

Chat Room DNS Setup

The last thing I needed to do was create a DNS record for the multi-user chat part of the iChat service. This has its own subdomain, “rooms.” followed by whatever the host name is–in this case, rooms.orange-road.com. To get it working, I created another CNAME record which pointed to that Free DNS FQDN. That completed the setup, and if I ever need to change dynamic DNS services, or if I get a static IP at home, I can make all the necessary changes without having to involve anyone else.
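
An added example, not part of the original post: a small Python check for two things the SRV delegation above depends on. RFC 2782 says an SRV target must not be an alias, and XMPP peers validate the server certificate against the domain in the address (orange-road.com) rather than against the host the SRV record points to. The certificate names are an assumption (the post does not list them); the CNAME set follows the records the post describes.

```python
from collections import namedtuple
# The two SRV lines as given in the post.
ZONE_LINES = """\
_xmpp-client._tcp.orange-road.com 14400 IN SRV 0 1 5222 frontier.orange-road.com
_xmpp-server._tcp.orange-road.com 14400 IN SRV 0 1 5269 frontier.orange-road.com
"""

Srv = namedtuple("Srv", "service proto domain ttl priority weight port target")

def parse_srv(line):
    """Parse one zone-file style SRV line into an Srv tuple."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError("not an IN SRV record: %r" % line)
    owner, ttl, _, _, prio, weight, port, target = fields
    service, proto, domain = owner.rstrip(".").lower().split(".", 2)
    return Srv(service, proto, domain, int(ttl), int(prio), int(weight),
               int(port), target.rstrip(".").lower())

def name_matches(pattern, host):
    """dNSName comparison; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(records, cert_names, cname_owners):
    """Return findings for alias targets and certificate/domain mismatches."""
    findings = []
    for r in records:
        # RFC 2782: the SRV target must own address records, not be an alias.
        if r.target in cname_owners:
            findings.append("%s: target %s is a CNAME" % (r.service, r.target))
        # RFC 6120: the certificate is checked against the address domain.
        if not any(name_matches(n, r.domain) for n in cert_names):
            findings.append("%s: cert does not cover %s" % (r.service, r.domain))
    return findings

RECORDS = [parse_srv(l) for l in ZONE_LINES.splitlines()]
# Assumed inputs: cert issued for the server hostname; CNAMEs per the post.
CERT_NAMES = ["frontier.orange-road.com"]
CNAMES = {"frontier.orange-road.com", "rooms.orange-road.com"}

if __name__ == "__main__":
    for finding in audit(RECORDS, CERT_NAMES, CNAMES):
        print(finding)
```

With the assumed inputs the audit reports both issues for each record; a certificate that names orange-road.com and a target with its own address record produce no findings.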

New Server
Feb 2nd, 2012 by Ken Hagler


Ear­lier this week I added this Mac Mini Server, which I named Fron­tier, to my home net­work. It’s a bit strange after so many years of work­ing with Macs, and help­ing to admin­is­ter Win­dows and Linux servers, but this is actu­ally my first Mac server!

I got it pri­mar­ily as a file server for scanned pho­tos, but I’ve also enabled the iChat Server, which is Apple’s front end for the pop­u­lar XMPP server jab­berd. The idea is that once I’ve got some DNS stuff straight­ened out I’ll finally have the same address for instant mes­sages that I do for email.

Good Lion article
Jul 31st, 2011 by Ken Hagler

Man­ag­ing Mac OS X Lion’s appli­ca­tion resume fea­ture. [Mac­FixIt]

This arti­cle has some very use­ful infor­ma­tion on how to con­trol Lion’s resume fea­ture, includ­ing how to dis­able it on a per-application basis and how to cre­ate a spe­cific unchang­ing resume state.

IT actually concerned about security
May 31st, 2010 by Ken Hagler

‘Microsoft We Don’t Feel So Good About’.

David Gelles and Richard Waters, in a piece titled “Google Ditches Win­dows on Secu­rity Con­cerns” in the Finan­cial Times:

New hires are now given the option of using Apple’s Mac
com­put­ers or PCs run­ning the Linux oper­at­ing sys­tem. “Linux is
open source and we feel good about it,” said one employee.
“Microsoft we don’t feel so good about.”

[Dar­ing Fire­ball]

I wish the “secu­rity” com­pany I worked for had that much sense. Unfor­tu­nately, they make it as hard to get Mac (or Linux) machines as Google has made it to get Win­dows. And since the Pow­ers That Be decided to “out­source” our entire IT depart­ment to a com­pany that man­u­fac­tures Win­dows PCs, I don’t expect that to change any time soon.

Non-Apple Mac
Jul 27th, 2009 by Ken Hagler

The fol­low­ing was posted to an inter­nal Mac users’ mail­ing list at work. Since it doesn’t men­tion any com­pany busi­ness, I thought it was inter­est­ing enough to post here:

Fig­ured I would let peo­ple know I was able to get a rather nice
hack­in­tosh up and run­ning w/out any sort of mod­i­fied OS install soft­ware
using the EFi-X “dongle”. I built a quad core with 8 GB of RAM with a
Giga­byte moth­er­board for about 1/3 the cost of equiv­a­lent Apple hard­ware
(even bet­ter if you assume the mon­i­tor I bought is com­pa­ra­ble to the
apple 23 inch — likely it’s not the same qual­ity). After 4 days of
run­ning it still seems sta­ble. I’ve been suc­cess­ful in updat­ing all the
OS and soft­ware patches for my legally owned copies of apple soft­ware
(yah family license!) with no problems whatsoever. Basically you plug
a usb don­gle directly into the usb pins on the mother board and use it
as a boot loader that mim­ics the EFI code from the Apple bios. Pop in
your nor­mal install disk and away things go. About time I replaced my
2k1 Sun­flower Imac! If any­one else wants to hear more about it shoot me
a question.

It depends on the meaning of “use”
Jan 7th, 2009 by Ken Hagler

How Many Mac Users Use Microsoft Office?.

Todd Bishop:

About 77 per­cent of Mac users in the U.S. are run­ning Microsoft’s Office for Mac, the Red­mond com­pany said today.

I know Office for Mac is a huge seller, but 77 per­cent sounds crazy high to me.

[Dar­ing Fire­ball]

I won­der how they define “run­ning” in this case? I have Office on my Mac, in case I need it for work, but since I switched from Entourage to Mail last spring I’ve hardly ever even launched any of it. When I need a word proces­sor, I use Pages.

City of Heroes on Mac
Oct 30th, 2008 by Ken Hagler

City of Heroes super­hero MMO comes to Mac. NCsoft is open­ing one of its mas­sively mul­ti­player online (MMO) game fran­chises, City of Heroes, to the Mac. The com­pany has used TransGaming’s Cider engine, which enables the subscription-based game to oper­ate on Intel-based Macs. Beta test­ing is expected to get under­way this week.… [The Mac­in­tosh News Net­work]

I’ve been play­ing this game on the PC since about a month after it came out. It still has the ubiq­ui­tous class-and-level sys­tem, but between the wide vari­ety of power com­bi­na­tions and the excel­lent cos­tume cre­ator (which is almost worth the price all by itself) the prob­lem of cookie cut­ter char­ac­ters com­mon to such sys­tems is not present.

© Ken Hagler. All rights reserved.