Wikifications - New pages [en]

Gnuplot

2009-09-08T18:20:53Z

Dre:

Basic x / y plot of data from a file in the form:

x1 y1
x2 y2
x3 y3

set ytic auto
set xtic auto
set title "iCal Server Queue Depth / Latency"
set xlabel "Queue Depth"
set ylabel "Latency"
plot "ical-queues.txt" using 1:1 title "Queue Depth" with lines
plot "ical-queues.txt" using 1:2 title "Latency" with lines

How to compile other software using Macports libraries

2009-07-16T18:12:20Z

Dre:

=How to compile other software using Macports libraries=
Audience: Beginner / Intermediate

==Introduction==

This document will attempt to illustrate how to use Macports to fulfill library dependencies of other software that has not been incorporated into Macports. Two examples will be covered here, representing two of the most common way that software is compiled. The first example will demonstrate how to compile a single C source file using gcc directly, linking and including the Macports libraries via the -L and -I gcc command line options. The second example will demonstrate how to link against Macports libraries when compiling software that uses the GNU autoconf system, in which case you do not run gcc directly, but instead pass arguments to the 'configure' script.

==Executive Summary and Cheat Sheet==

When using gcc, usually you want to add the following to the list of gcc command line arguments:
-I/opt/local/include -L/opt/local/lib

When using autoconf, you usually have a couple options:

1) populate the following environment variables with Macports paths, e.g.

export LDFLAGS='-L/opt/local/lib'
export CPPFLAGS='-I/opt/local/include'
export LD_LIBRARY_PATH=/opt/local/lib
export LD_INCLUDE_PATH=/opt/local/include

2) Pass the required paths as arguments to the configure script. Most configure scripts have specific options for defining the location of dependent libraries; run ./configure --help to see a list of the available options.

==Using Macports libraries with gcc==

In this first example, we will be compiling a simple program that exercises some basic functions of the GMP library, available here: http://gmplib.org/. Since gmp is available via Macports, begin by installing gmp:

sudo port install gmp

Next, we'll make a working directory and download the C source file we'll be compiling, located at http://silassewell.googlecode.com/svn/trunk/2008/10/18/gmp_hello_world/gmp_hello_world.c

mkdir ~/gmp-test
curl -O

Copy the code

Configuration

TODO

Optional Parts

TODO: What else can be done?

LKDC

2008-05-13T00:05:39Z

Dre: typo

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos service principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The Kerberos v5 spec (rfc 1510) assumes and requires that the server name portion of a kerberos principal be just that: a server name (or address). To wit:
<pre>7.2.1. Name of server principals

The principal identifier for a server on a host will generally be
composed of two parts: (1) the realm of the KDC with which the server
is registered, and (2) a two-component name of type NT-SRV-HST if the
host name is an Internet domain name or a multi-component name of
type NT-SRV-XHST if the name of the host is of a form such as X.500
that allows slash (/) separators. The first component of the two- or
multi-component name will identify the service and the latter
components will identify the host. Where the name of the host is not
case sensitive (for example, with Internet domain names) the name of
the host must be lower case. For services such as telnet and the
Berkeley R commands which run with system privileges, the first
component will be the string "host" instead of a service specific
identifier.</pre>
Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it is not unusual to use (regular ol' unicast) DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of a service principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos service principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it running whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

On the service configuration end, AppleFileServer and smbd have their service principal names written into their respective configuration files, while the vnc service does not (VNCPrivilegeProxy?).

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

* http://www.gnu.org/software/shishi/manual/html_node/Realm-and-Principal-Naming.html Nice detail on realm and principal names from a Kerberos implementation called Shishi (complaint with the Kerberos v5 spec).

* http://crpit.com/confpapers/CRPITV26Pirzada2.pdf Kerberos assisted Authentication in Mobile Ad-hoc Networks. Here is an example of a Kerberos implementation designed for ad-hoc networks. Strangely enough, this is not a fully peer-to-peer implementation, and requires the existence of authentication servers other than the one hosting the service you wish to use. It also seems quite a bit more complex than apple's LKDC implementation.

* http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.28.383 Distributed Authentication in Kerberos Using Public Key Cryptography. This document from 1997 describes how a PKI might be used to perform distributed authentication using Kerberos. This implementation eliminates the need for a centralized KDC (instead relying on a centralized certificate authority), although does not deal with dynamic peer discovery in an ad hoc networking context.

Iphone terminal bootstrap

2008-04-24T22:04:28Z

Dre: New page: # mkdir -p /usr/local/arm-apple-darwin/lib # ln -sf /usr/lib/libgcc_s.1.dylib /usr/local/arm-apple-darwin/lib/libgcc_s.1.dylib # chmod +s /Applications/Term-vt100.app/Term-vt100

# mkdir -p /usr/local/arm-apple-darwin/lib
# ln -sf /usr/lib/libgcc_s.1.dylib /usr/local/arm-apple-darwin/lib/libgcc_s.1.dylib
# chmod +s /Applications/Term-vt100.app/Term-vt100

Iphone commands

2008-04-24T20:20:58Z

Dre:

<pre>BTServer
BlueTool
[
ac
alias
apply
arp
awk
banner
basename
bash
bzip2
cap_mkdb
cat
chflags
chgrp
chmod
chown
chown
chroot
cksum
col
colrm
column
comm
compress
configd
cp
cron
crontab
csh
csplit
curl
cut
cut
daily
date
dd
df
dirname
ditto
domainname
du
echo
ed
env
expand
expr
false
fdisk
find
finger
fmt
fold
fsck
fsck_hfs
fstyp
fstyp_hfs
funzip
getopt
getty
grep
groups
gunzip
gzexe
gzip
head
hexdump
hostinfo
hostname
id
ifconfig
ifconfig
install
ioreg
iostat
ipcrm
join
jot
kextload
kextstat
kextunload
kextunload
kill
killall
lam
last
lastcomm
launchctl
launchd
less
libgzip.a
link
ln
locate
login
logname
look
ls
lsvfs
mDNSResponder
mDNSResponderHelper
makedbm
makekey
md
md5
md5
mediaserverd
mesg
minicom
mkdir
mkfifo
mkfile
mknod
mknod
mktemp
more
mount
mount_hfs
mtree
mv
nano
nc
netstat
nice
nl
nohup
notifyd
nvram
nvram
od
passwd
paste
pathchk
pax
pico
ping
ping
pppd
pr
printenv
printf
printf
ps
pt_chown
pwd
racoon
racoonctl
readlink
reboot
reboot
reboot
renice
rev
rm
rmdir
rmt
route
route
rs
rsync
sar
scp
screen
script
sed
sftp
sh
shlock
showPic
simulatecrash
sleep
snap
sort
split
srelay
ssh
ssh-add
ssh-agent
ssh-keygen
ssh-keyscan
sshd
stat
stty
su
sum
sync
sysctl
syslogd
tabs
tail
tar
tcopy
tcpdump
tcsh
tee
telnet
test
tftp
time
top
touch
tr
traceroute
true
true
tsort
tty
ul
umount
uname
unexpand
uniq
unlink
unvis
unzip
unzip
unzipsfx
update
uptime
users
vi
vim
vipw
vis
vmstat
vpnd
wall
wc
whereis
which
who
whoami
whois
xargs
yes
zcat
zcmp
zdiff
zdump
zegrep
zfgrep
zforce
zgrep
zic
zless
zmore
znew
zprint
zsh
</pre>

Iphone

2008-04-24T20:20:50Z

Dre:

[[iphone_terminal_bootstrap]]

[[iphone commands]]

How to make and apply patches

2007-07-01T03:40:00Z

Dre: page created

Once you have the needed changes, apply them (pre autoconf) to a copy of a fresh source directory. You should now have a 'patched' directory sitting alongside an unpatched direcetory. Now generate the patch...

diff -ruN old new > my_patch

To apply this patch to a fresh source directory, place the patch alongside the source dir:
patch -p0 < my_patch

Installing and using unix software in userland

2007-07-01T03:39:15Z

Dre: page created

In your shell init file, set the following (for bash / zsh compatible shells):

export LDFLAGS='-L/path/to/your/home/lib'
export CPPFLAGS='-I/path/to/your/home/include'
export PATH='/path/to/your/home:$PATH'
export LD_LIBRARY_PATH=/path/to/your/home/lib
export LD_INCLUDE_PATH=/path/to/your/home/include

Log out / in, so that the above takes effect.

* Configure any dependencies with --prefix=/path/to/your/home, and make / make install as usual. They will be installed into your home directory (~/lib, ~/include, ~/bin)
* Configure your desired software with --prefix=/path/to/your/home and make /make install as usual. It should pick up all your new libs / includes due to the environment variables.

When you execute your new binaries, they will be able to find your userland libraries thanks to LD_LIBRARY_PATH.

Net SNMP

2007-06-29T23:07:57Z

Btimby:

In investigating how to dynamically produce data that I could plumb via snmp, it became quickly apparent that the snmpd shipped on Intel macs in 10.4.* is pretty well busted. It only supports a very small subset of the functionality provided by the net-snmp daemon in general (i.e. on other platforms). This can be observed by running snmpd with the -H switch. Notable omissions include 'exec' and 'extend', for example, which are typically used to easily fork off arbitrary sub processes tasked with collecting data for the targeted OID or range of OIDs.

It was quickly obvious that we'd have to use the macports snmpd. That version does have support for more functionality than the one shipped with Mac OS X, but it's *missing* exec and extend! But wait! What's this about 'pass' and 'pass_persist'? They are similar to 'exec' except that pass and pass_persist allow the script to dynamically define the OID hierarchy. This is different from exec; with exec you call out the specific OID to script mappings in the config file. With pass_persist, the script takes control of an entire 'tree', and is responsible for responding for any OIDs under that tree.

To use pass_persist, we need a script that can speak the net-snmp pass_persist protocol, which is described in the snmpd.conf(5) man page.

<pre> pass_persist [-p priority] MIBOID PROG
will also pass control of the subtree rooted at MIBOID to the
specified PROG command. However this command will continue to
run after the initial request has been answered, so subsequent
requests can be processed without the startup overheads.

Upon initialization, PROG will be passed the string "PING\n" on
stdin, and should respond by printing "PONG\n" to stdout.

For GET and GETNEXT requests, PROG will be passed two lines on
stdin, the command (get or getnext) and the requested OID. It
should respond by printing three lines to stdout - the OID for
the result varbind, the TYPE and the VALUE itself - exactly as
for the pass directive above. If the command cannot return an
appropriate varbind, it should print print "NONE\n" to stdout
(but continue running).</pre>

One bit of information that is missing from the man page is the shutdown sequence employed. For example, when snmpd is stopping, how does it inform the pass-persist agents of that? Well, it sends a blank line to the agent, this signals that the agent should shut down. A sample script might look something like this - note, this is just proof of concept (does not implement getnext, for example):

<pre>#!/usr/bin/python -u
'''This is a python backend for snmp's "pass_persist" function. It is critical
that the python interpreter be invoked with unbuffered STDIN and STDOUT by use
of the -u switch in the shebang line.'''

import sys
from select import select

def readStdin () :
'''Read from standard input. Use "select" to wait for new data'''
(rr, wr, er) = select([sys.stdin], [], [])
for fd in rr:
line = fd.readline()
processInput(line)

def processInput (line) :
'''Examine input, call subroutines'''
if line.strip() == '':
sys.exit(0)
if 'PING' in line :
playPingPong()
if 'get' in line :
target = sys.stdin.readline()
doGet(target)

def playPingPong () :
'''Perform the snmpd secret handshake'''
print 'PONG'

def doGet(target) :
'''Process a "get" request'''
print target,
print 'integer'
print '42'

# loop
while 1 : readStdin()</pre>
Next, we add an entry in the snmpd config file, associating an SNMP OID tree with our script:
<pre>pass_persist .1.3.6.1.4.1.2021.255 /path/to/persist_test.py</pre>
Now let's start snmpd in a debug mode, asking for details about the pass_persist backend:
<pre>snmpd -c /etc/snmpd.conf --logTimeStamp=true -f -Lf /tmp/snmpd.log \
-Ducd-snmp/pass_persist,ucd-snmp/pass,snmpd,output,helper:debug</pre>
Tail that log file in one window, and make an snmp request in another.
<pre>snmpget -v 1 -c <community> localhost .1.3.6.1.4.1.2021.255.2</pre>
In the snmpd debug log, we see:
<pre>2007-06-29 16:06:09 ucd-snmp/pass_persist: open_persist_pipe(1,'/path/to/persist_test.py')
2007-06-29 16:06:09 ucd-snmp/pass_persist: persistpass-sending:
get
.1.3.6.1.4.1.2021.255.2</pre>
... and then a response to our snmp query:
<pre>UCD-SNMP-MIB::ucdavis.255.2 = INTEGER: 42</pre>
Sweet!

Wow

2007-02-04T20:57:31Z

Dre: /* Macros */

=Macros=
(many of these are outdated)

==Druid==

'''innervate''''
#showtooltip
/cast Innervate
/script s, d, e = GetSpellCooldown("Innervate");
/script if (s==0) then if (d==0) then SendChatMessage("Innervate on %t!", nil); end; else print('cooldown?'); end

==Offensive==

"castsequence" is a great new addition to the macro language that lets you assign a sequence of things to a single key. Each press (after the global cooldown) gets you the next item in the list. When you hit the end, it automatically wraps back around. I also add a reset timer so that it jumps back to the beginning, because mana spring doesn't last as long as the others, so I typically have to re-cast it more often. Also, the /shift means that reset is triggered after 25 seconds, or if I shift-click the macro button (allowing me to bypass the 25 second timer if I need to).

'''cast'''
/castsequence reset=25/shift Mana Spring Totem, Wrath of Air Totem, Totem of Wrath, Strength of Earth Totem

'''mele'''
/castsequence reset=25/shift Grace of Air Totem, Strength of Earth Totem, Healing Stream Totem, Totem of Wrath

Adding a [button:2] clause acts as a conditional that is only true if the macro was invoked with (in this case) a right-click. Depending on your mouse, you may also have additional buttons (3, 4, 5). I right-click for a rank 1 when I want to do is get the secondary effect of the spell (e.g. slow target, prevent stealth, interrupt spells, reveal stealthed players in mele range) without spending a lot of mana.

'''chain'''
/cast [help, combat, button:2] Chain Heal; [help, nocombat, button:2] Chain Heal;
[target=targettarget, help, combat, button:2] Chain Heal;
[target=player, button:2] Chain Heal; Chain Lightning

This is used for either a chain lightning or a chain heal. Normal click is chain lightning, but a right click gives it a hw like behavior (see below), but with chain heal instead of healing wave.

==Defensive==

'''hw'''
/cast [button:2] Nature's Swiftness; [help, combat] Healing Wave; [help, nocombat] Healing Wave;
[target=targettarget, help, combat] Healing Wave; [target=player] Healing Wave
I like this one a lot, but can't take credit for writing it, though I did add the NS bit. Right click it to proc Nature's Swiftness; left-click does one of the following: If your target is friendly, heal it (whether in combat or not). If your target's target is friendly and you are in combat, heal your target's target. This is the key clause here; it allows you to dps a target and also heal the target's target (e.g. your tank or yourself) without changing your own target first. Finally, if none of the above is true, heal yourself. To get a fast heal, do a rapid right-click left-click... works great, and is so fast that nobody would have time to dispell the NS before the big heal pops.

'''lhw'''
/cast [help, combat] Lesser Healing Wave; [help, nocombat] Lesser Healing Wave;
[target=targettarget, help, combat] Lesser Healing Wave; [target=player] Lesser Healing Wave

Same as above, but with lesser healing wave and without NS.

'''st-hl'''
/cast War Stomp
/target Jindi
/cast Healing Wave
Normally I just use this for war stomp, but if I want a big heal after that, just keep pressing...

'''t-heal'''
This is a big insta-heal with both trinkets
/use 13
/use 14
/cast Nature's Swiftness
/cast Healing Wave

=Videography=

==Camera Control==

Nice camera moves are best achieved by the game itself, as it's basically impossible to match the smooth motion curves with any sort of human input device. One way to do this is to use the camera presets. By default, the speed at which the camera moves between presets is pretty quick - good for in-game use, but not good for cinematic purposes. You can adjust the camera movement speed by altering the time duration of the transition, using a couple of cvars. They are:

cameraSmoothTimeMax
cameraSmoothTimeMin

* in a slash command context:
/console SET cameraSmoothTimeMax 15.0
/console SET cameraSmoothTimeMin 15.0

* in a script context:
SetCVar("cameraSmoothTimeMax","15")
SetCVar("cameraSmoothTimeMin","15")

* or you can set both at once using a function for ease-of-use. You'd need to slap this in a macro (or some existing mod) then execute it once to declare the function before you can use it. This function will let you more easily adjust the camera speed (less typing).
/script function cam(s) SetCVar("cameraSmoothTimeMax",s) SetCVar("cameraSmoothTimeMin",s) end

After running the above to declare the function, use the function as shown below. 10 is the duration of the camera preset transition in seconds, but it can be whatever you want. Awesome for videos :)
/script cam(10)

Vi

2006-10-14T22:26:07Z

Dre:

range-based stuff:

ma - sets marker a on current line

mb - sets marker b on current line

'a,'bs/foo/bar sub foo to bar between marker a and b