Duplicate Computer Names and IPs

So there's an incredibly annoying and puzzling behavior in Mac OS X with regards to duplicate computer names on the LAN. Most Mac Admins probably know what I'm talking about. Here's the deal: Let's say you have a Mac Pro on your home network named Spanky and it has an IP address of 192.168.1.25. Let's also say, for the purposes of argument, that your best friend — who likes to emulate you in every way — has a Macbook named Spanky with an IP of 192.168.1.25 on his home network. (Hey, it could happen.) Now let's say your pal decides to come over, and he decides, "Hey, I think I'll bring my Macbook over so we can swap some illegally obtained music and pornography." He gets to your house to find you happily surfing the 'net. He whips out his Spanky and plugs it into your network, fires that puppy up, and Bam! All of a sudden your Mac Pro locks up. You can no longer surf. And you get an error message that looks a little something like this:


Duplicate Computer Name Alert: Why Me?
(click image for larger view)

You go to your Sharing Preferences (or your Terminal, or what-have-you) and, sure enough, your computer has been renamed. Renamed! WTF! Why is your computer, on your network, suddenly called "Spanky-2"? Because that's how Mac OS X handles duplicate computer names on the same network. It renames the existing computer to existing computer-2. Not the intruder. Not the new kid on the block. Your computer is now the computer formerly known as your computer. Why, it's pure genius, I tells ya! Brilliant!

Seriously, what in God's name were they thinking? Because, the way I see it, this goes beyond annoying into the realm of the dangerous.

Case in point: Let's say your Mac Pro Spanky is actually a server that provides services — authentication, Kerberos, LDAP, file sharing, the works — for a network full of computers. And let's say your friend is actually a guest on that network. When that guest plugs his computer into your network, and it just happens to be named the same thing as your server, God help you. You just lost — well, I'm not sure how much, but — a significant portion of your services. And all it takes is a computer name? I can rename any Mac on any network from any other Mac on that network by just changing my Mac's name? What's more, if you can get the IP of that server, you can bring it down entirely. That is total shit.

Strangely, it's been this way for at least three iterations of the OS now — since 10.3 — and it's still this way in 10.5. I am appalled. Can someone please explain the rationale for this to me? Please? 'Cause from where I sit, this is a major security flaw. To my mind it makes way more sense to have the newly installed machine make changes to it's configuration than to essentially be able to force changes on another machine. It's just backwards. And dangerous. And it desperately needs to be fixed.

UPDATE 1:
Mat X points out two very important facts: 1) the name change in this instance should only affect the Bonjour (.local) name of the duplicate machine, not it's actual name (the name it calls itself) or it's FQDN (the name as resolved by a DNS server), and 2) a client name change on the LAN should not be able to bring down a server with the same name because of the previous fact.

Dude, you're totally right, though I have seen, way back in the old days (10.2 maybe?) a duplicate name kill a server. So it did used to be possible. Nowadays though, Mac OS X Server has better, smarter naming conventions that prevent such things. I will say, though, that what prompted this was that I booted a clone of my own machine up on the LAN (same name, same IP) and it killed my computer, internet-wise, probably more because of the duplicate IP address. It's possible that all would have righted itself over time if I'd waited to see. I was just so annoyed by the behavior that I went on a bit of a rant. I still think it would be better behavior to leave the existing LAN client alone and make changes only to the new Mac on the LAN. But still, I got a little carried away.

Thanks for keeping me on my extremely bitchy and unscientific toes!

UPDATE 2:
So I've been doing some more testing on this issue. And while duplicate names on the network will not bring down your Mac OS X Server, a duplicate IP address will. Here's what I did:

  1. I changed my client's IP address to match that of the Mac OS X Server (both Leopard 10.5.1). My machine got kicked off the internet and I got this warning:
  2. I rebooted my client machine. Once the client had rebooted, the server got the above alert.
  3. At which point the server could not ping out to the internet. Bad Mac OS X! Bad!

So, while my rant is partially in error, there does seem to be a bit of a flaw in the way Mac OS X handles new duplicate clients — particularly duplicate IP addresses. And I maintain that a better way would be to only modify the behavior on the most recent addition to the LAN.

MacFUSE Follow-Up

I recently wondered aloud about the benefits of MacFUSE-supplied ssh access in a web development environment. A reader asked for a follow-up in the comments to that post, so I thought I'd just do a quickie today.

After writing the article, I tried out MacFUSE and the sshfs extension to that bundle. This combo facilitates the mounting of ssh-enabled computers directly on the Mac OS Desktop via a bundled GUI app, foregoing the need for an FTP client application. It was our hope that this would provide a more intuitive and user-friendly experience for our web developers. Unfortunately, in my experience there were bugs: the ssh filesystems often hung or had trouble mounting, often requiring a logout or restart to get things back to normal. (Mind you, this was over a month ago, in Mac OS X 10.4.something-or-other and God-knows-what version of MacFUSE and sshfs.) Also, from a user-simplification standpoint I felt that adding yet another application to the mix (the sshfs GUI app for mounting shares) didn't really do all that much to simplify things. In fact, in some ways, it complicated matters as it is not standard practice anywhere as yet.

That said, I really like the idea of mounting any sort of network share in the Finder. It's what's done in every aspect of our filesharing lives except web development, for some reason (that reason mainly being that Apple, inexplicably, still has not implemented this capability into the Finder.) As I mentioned in the original article, there are styles of development that take place outside the lab that are inherently different from what can happen inside a lab. The use of MAMP, for instance, is not friendly to a shared, multi-user environment, but is perfectly suited to a lone user on a single computer. So, again, I wonder aloud, do we provide a different way of working inside the lab than outside? A completely different workflow?

Ultimately, my answer will mostly be yes, I think. We provide it. We provide it right alongside the sorts of workflows that are common in the industry today. We provide both. We show students. We show teachers. And hopefully, someday, down the line, this will become the standard way of developing for the web. Until then we leave the old ways in place; they are not mutually exclusive.

My concern with MacFUSE and sshfs right now is stability. Because the product requires kernel extensions, and because I saw bugs in my limited testing, I am reluctant to put this on our machines. I can, however, use NFS from within our lab to provide a testing ground for the same sort of behavior that MacFUSE provides (i.e. ssh servers on the Desktop). And this will actually fit in nicely with the way we mount other shares in the lab as well (more nicely than the sshfs GUI, in particular). I will most likely implement this over the summer, however, as there's not enough time in the semester for it to really have much impact. Also, things will probably change a bit with the arrival of Leopard to the lab, and I don't see much point in making folks learn it twice.

Again, external development can be handled differently. So I may recommend, for advanced users, the use of MacFUSE outside the lab if they really end up digging the Desktop web development experience.

That's my take at this point on MacFUSE and web development. Hope it's useful to someone.

Leopard Quota Alerts

Our home account server — the one all our network users' home accounts live on — mounts via NFS. I've already mentioned one of the improvements with regards to this behavior in Leopard, namely, autofs. But I just discovered another.

See, that NFS mount I'm always talking about, well, it's a Linux RAID — Fedora Core 6, I believe. And we've put quotas on every user's account to keep it from filling up. This has worked great, for the most part. The problem has always been how the Tiger Finder handled a user exceeding his quota. Basically, what would happen is that any Finder copy that exceeded a user's quota would fail, mid-copy, with an extremely vague and essentially — unless you happened to know you were looking for a quota problem — useless error message. Can't recall it exactly, but it's something along the lines of: "The Finder encountered an error and could not complete the request."

Ew.

The good news is that the Leopard Finder behaves exactly like we'd want and expect:

Leopard Quota Alert: That's More Like It!
(click image for larger view)

This alert actually came somewhat prematurely, as I hadn't actually exceeded my quota, and the alert seems to be triggered by hitting the soft quota rather than the hard. What's up with that?

Still, I have to say, I'm endlessly impressed with these little tiny details. They make all the difference in the world from an admin standpoint. I no longer have to worry about quota weirdness! It's great to see Apple do so much for admins with this release. I'm seriously pleased as punch.

Web Programming and MacFUSE

I'm not a web programmer by any means. But a component of the department I work in deals with the web from an artistic standpoint, and a subset of that group does, in fact, do programming. We have web programming classes.

Recently, one of the teachers of one of those classes made the charge that our approach to web programming is old and outmoded. Whether this is true or not is not really the issue. I've been looking for new ways to think about the systems end of that workflow because, well, that's my job, and because it's an inherently interesting challenge to me. How can we make our web development environment more user-friendly?

One general suggestion has been to make the experience more "OS-like." And one step in this direction is to have the web server mount on the Desktop, allowing the developer to work on her site as if it were local. That is, rather than firing up one of the popular SFTP clients and transferring files back and forth from the local machine to the server, the developer could mount her site — or actually, the share her site lives on — directly on the local filesystem. I have two options here: MacFUSE and NFS. I'm testing both currently. So far I've had a couple minor hiccups with MacFUSE's sshfs.app, but it looks to be a fairly smart and user-friendly implementation that web developers here might benefit from. And the NFS approach would work well also, though only from inside the network.

I'm curious what other Lab Admins are doing with regards to web development in their environments. How have you facilitated ease-of-use for a process that's inherently complicated? Or have you? Also, I'm curious if anyone is using MacFUSE — specifically the sshfs component — and what experiences you might have had with it, either positive or negative.

If any of you fine readers have any thoughts on this I would really love to hear them. I've been querying students, staff and faculty for ideas, but haven't come up with much. Maybe things here are perfect, but somehow I doubt it. And, as always, I really just want to make things better.

Please sound off in the comments if you're so inclined.

Leopard

The founding article for this blog — indeed, the very reason for TASB's existence — was a little post called "Tiger Beefs" in which I ranted for a few thousand words about everything I disliked about Tiger. It's been over two years since that faithful first post, and Apple has just released the follow-up to Tiger, Mac OS X 10.5, codenamed Leopard. Please note the absence of the word "beef" from today's title. So far, I have to say, I'm quite pleased — and certainly not deeply irritated — by this latest OS iteration.

Right off the bat I want to point you to the best and most thorough review of Leopard. Every time a new cat is born, John Siracusa not only reviews many of the new features, but goes deep into the depths of the OS to tell us geeks what's really changed and what it means for the future of the platform. It should be required reading for anyone seriously interested in Mac OS X changes.

Also, I want to point you to Apple's infamous list of new features. It's pretty comprehensive for the surface features, and even touches on some of the things I'll deal with here. And speaking of, my particular perspective on Leopard will be less about productivity features (though there will be some of that, to be sure) and more about Leopard from an administration and maintenance standpoint. So, let's get started!

Time Machine

The most highly touted new feature in Leopard — and rightly so — is Time Machine, which automatically makes backups of your data to any external hard drive (or even, I'm told, partition). The whole idea behind Time Machine is that it's so simple, and requires so little thought, that anyone can — and, more importantly, will — use it. It's backups for the masses. And while Time Machine is really made for the end-user, the fact that such a beast now exists as part of the OS is a huge boon to SysAdmins.

Time Machine: Drop-Dead Simple

(click image for larger view)

I maintain a backup system for all staff members in my department. Anyone who's ever had to deal with such a system knows what a pain it is to implement and maintain. In the old days, we used to back up to tape using Retrospect. But as data storage became increasingly large, and tape increasingly expensive, the system grew unwieldy. An unwieldy system, as you surely know, is not reliable. A few years ago (in fact, with the introduction of Mac OS X, come to think of it) we moved to the free, scriptable, and very reliable rsync (we use the RsyncX version). This allows us to back up over the network to a large RAID drive. But still, the scripts require occasional maintenance, staff must be sure to leave their computers on. There are numerous points of failure. And most inconvenient of all, if a staff member does lose data, they have to come to me to retrieve it, which is inconvenient for both them and me.

Time Machine removes that last step from the equation. Time Machine puts the end-user in control, not just of their current data, but of their backups as well. Now, if a staff member accidentally throws away a file, or makes changes they don't like to a document, or whatever, they simply activate Time Machine and roll back. No freak-outs. No calls to the SysAdmin. No worries. Time Machine is frickin' beautiful.

I will continue to make backups to the RAID with rsync for the foreseeable future. It doesn't hurt to have an extra backup, and, Hell, the system's already in place. But I've also bought all staff a firewire drive specifically for Time Machine as well.

Time Machine: Limited Options

(click image for larger view)

One thing to note about Time Machine: It is geared towards the idea of backing up everything. Like in Spotlight, you can add exclusions to Time Machine, but the default is to back up all your data. A fellow SysAdmin complained that he needed the ability to select what would be backed up, not what wouldn't, if this were to be useful in a production environment. Yes, my friend, but this is not made for production. It's made for people. So the default is, back up everything. What could be simpler?

The Finder

I won't spend too much time on the Finder. In a nutshell, I'm mostly happy, though I'm a bit peeved that the first thing I felt the need to do was hack that ugly-ass Dock.

The Dock: Ugly-Ass

(click image for larger view)

Seriously. Ouch. I can see liking it on first glance. I mean it is shiny. I know people like shiny. But damn is it intrusive, and not the least bit of an increase in functionality. Yikes! What were they thinking?

The Dock: Now That's Purdy

(click image for larger view)

There are a few awesome new touches in the Finder, though. Quick Look is probably my favorite. Hitting the spacebar to view a preview of a document is a great productivity boon. Students in the art department where I work will love it for presentations as well. It's beautiful, useful and extremely well-implemented. I only wish it were more key-command-able. (Or maybe we'll discover that it is.)

The Finder: Quick Look

(click image for larger view)

Speaking of key-commands, the Desktop now has a presence and key-command in the "Go" menu (it's command-shift-d). Sweet!

Go Menu: Go Desktop!

(click image for larger view)

Also, a long-standing (read: never solved) problem with Tiger's inspector, wherein the inspector would not properly update file ownerships, has been fixed.

I also rather like the look of the new Finder. I'm pleased as punch that there's finally a window standard, and that it's not brushed metal. While I'd probably prefer a lighter shade of gray, and apps in the background to be darker rather than switching to a lighter shade (dark recedes; light comes forward, at least that's what they always told us in art school), the current iteration is really quite nice. The Sidebar is also, in my opinion, more efficient than it once was. And Cover Flow in the Finder might even prove useful at some point.

Other nice touches:

  • Clicking on a file name only highlights the file's name, not its extension, thus making file renaming a lot quicker and easier.

  • Drop shadows are larger and darker and generally more dramatic, making windows easier to discern.
  • Drop shadows are also now included in screen captures of individual windows.
  • File sharing, which is now possible on a per-folder basis (hooray!), can be activated and configured right from the Inspector.

One oddity: the Finder seems to be a bit more fascistic about what you can and can't do with your data. In fact, it disallows trashing key folders in your home account. I was unable to trash, or even rename my Library folder from the Finder. This might be great for the home user. But it could slightly complicate troubleshooting from an admin standpoint. Not a big deal, but I'm not crazy about the trend towards over-management of user data. It's fine for Time Machine. Not so sure about the Finder.

Finder: Data Nazis?

(click image for larger view)

Still, that's a lot of good and very little bad. Overall, the Finder's a big win for me.

Disk Utility

Probably the best thing about Leopard is that there is so much good stuff for SysAdmins. Each OS upgrade has brought us a couple goodies, but Leopard is chock full of them, and the goodies are so... Uh... Good...

First off, Leopard now handles broken disks more gracefully. Attach a damaged external firewire drive, for instance, and if it's mountable, Leopard will mount it and allow you to copy any data that might be salvageable. This actually happened to me in the beta days, and Leopard provided successful, albeit partial, disk recovery where Tiger simply refused to even mount the damaged drive. That's a pretty sweet improvement that no one but SysAdmins are likely to see. Kudos to Apple's Disk Utility team for that one!

Disk Utility: Plays Well with Broken Disks

(click image for larger view)

Another huge advancement in Disk Utility is the ability to re-partition a drive without wiping it, within limits, of course. Actually, it might be more accurate to say that Disk Utility allows partitioning — or splitting — of partitions. Let's say you have two partitions. But you want to turn that into three. In Tiger and before you had to erase the entire drive and repartition. In Leopard, you can cut one of your two partitions in half (or quarters, or whatever). Leopard will even indicate the free portion of the disk and cut it at the right point. It's pretty damn cool, and something I've been wanting for a long time. For forever, really. I've already used it in the beta, and it seems to work great. Cool!

Disk Utility: Splitting Partitions

(click image for larger view)

The one caveat to this dynamic partitioning is that the disk must be formatted using the GUID partition map, which Apple has adopted for the move to Intel. It's GUID that makes all this possible. The old style Apple partition map won't allow non-destructive partitioning.

Disk Utility: GUID is the Wave of the Future

(click image for larger view)

The final touch in Disk Utility — and actually, this appears to be true through much of the new OS — is that the wording of dialog boxes and information panels has been made much clearer. This should do a lot to make scary disk operations a bit less scary.

Disk Utility: Clearer Language

(click image for larger view)

Directory Utility

The application formerly known as Directory Access gets some love in Leopard too. Now called Directory Utility, the application does more with less. It's simple, four-tab interface still allows the configuration of services, but there's just a lot less to configure. The only services left now are Active Directory, BSD Flat File and NIS, LDAPv3, and Local. Gone are the services that were never really configurable in the first place, save for turning them on and off.

Directory Utility: Do More with Less

(click image for larger view)

But Directory Utility allows for the configuration of Directory Servers now in a separate panel, and this is where you'll most likely set up your Open Directory server (though the option still exists in the list of services as it always did). Setup is super simple: check the type, and enter the name. That's it!

Directory Utility now also has a panel for configuring NFS mounts. This is also really easy to use. Simply type the path to your NFS server, and type in the mount point. Directory Utility will verify that the server is functioning and then, when you hit apply, it will mount it. Neat-O!

NetInfo (RIP)

NFS mounts were once handled in an obscure admin utility called NetInfo Manager. NetInfo Manager is now dead. Leopard has moved all of its arcane functionality into other more GUI-friendly apps. Directory Utility handles NFS mounts. The Finder and Sharing Prefs handle per-folder file sharing (which was once the domain of a little app called SharePoints, which configured properties in NetInfo). And home account location can now be configured by using the Accounts Preference Pane and control-clicking the account in question, then choosing "Advanced" and selecting the appropriate options. It's true, I can't think of too many more reasons to go to NetInfo Manager.

But wait... How do I activate root?

AutoFS

autofs is the new automounter daemon in Leopard, and boy is it cool. I've watched with envy for years as my Linux counterparts dynamically mounted NFS shares — or folders within NFS shares — as they get called by the OS. I realize that autofs does a great deal of good for hangs caused by network dependencies, but what I'm most excited about is the dynamic nature of autofs. Prior to Leopard we used automount, which I simply could never coax into doing what autofs does out of the box. With automount, we basically just hard-mounted our NFS server at /home at every boot. With autofs, however, we can specify a wildcard in our map file. What that allows us to do is to never keep the entire NFS server mounted, ever, ever. Instead, when the needed share is requested, autofs mounts the portion of it that was requested.

Perhaps an example is in order. Currently, our NFS server gets mounted in its entirety at /home on every client in the lab. This happens using an arcane Startup Item that contains a truly Byzantine script that I made. It's horrible. Not only does it require this crazy-ass script, it only happens at boot or when automount is specifically restarted. It also requires (for reasons I can't recall) a series of symlinks to land in the /home folder properly. And, worst of all, it keeps the entire home account server mounted over the network on every client all the time. Yuck!

By contrast, autofs requires no such Startup Item. You simply edit one tiny text file (/etc/auto_home, if you're interested) and you're done. Not only are you done, though, but the entire process is now dynamic. No reboot required. In fact nothing happens. The home account server doesn't mount... Until it's called! That's right. No home account server is mounted until joe_user comes and logs in. When that happens, autofs springs to life and mounts the user's home account. And here's the other thing: it only mounts the user's home account, not every folder on the share. This is a huge savings in terms of network overhead. It's also much easier for me to maintain and manage. For me, a working autofs is a huge, huge deal, and it's the thing I'm most pleased about. SysAdmins doing any kind of NFS home account mounting will totally understand where I'm coming from here, I'm sure. This is fantastic. My job just got easier, and my network and Mac systems just got a helluva lot more efficient. Awesome!

Other Notables

There's a whole other list of new features that should make SysAdmins and even regular folk pretty happy. Here are my faves, in no particular order:

  • Preferences and applications (i.e. Sharing, etc.) that can be applied to specific users now list network users and groups.

  • Login, remote login (SSH), and file sharing are all now configurable on a per-user/group basis.

  • The firewall is now configurable on a per-application basis.
  • There is now a built-in guest account that gets deleted at logout.
  • Software Update now logs you out for certain updates where your presence might cause problems.
  • Software Update now remembers what it's downloaded and will use that if you postpone an update, rather than having to re-download it.
  • iCal event entry doesn't suck as bad now, and is reminiscent of Google's method of contextual calendar entry.
  • Dictionary now includes Wikipedia and can easily toggle the three views (dictionary, thesaurus and encyclopedia) or view them all at the same time.
  • Spotlight works well now, like it always should have.
  • Spaces might actually be useful as well!
  • Screen Sharing! For free! Cool!

So, that pretty much covers my initial impressions of Leopard. We'll be holding off on installing it in the lab until I can run the majority of major applications (currently, AfterEffects is listed as not working, and that's a deal breaker). Until then, I will run it on my test machine.

And happily. Leopard has been extremely stable and reliable so far, and I must admit I really rather like it. I was never a big fan of Tiger, actually. I found everything "cool" about it to be buggy or annoying. Spotlight sucked, Dashboard was stupid, and there were all manner of problems, and few features to recommend it over Panther, at least not from a SysAdmin standpoint. Leopard, on the other hand, is completely the opposite. There are tons of new, useful features for both users and admins alike. So far, I'm very happy with this release.

Nice job, Apple people!