
This took a while to figure out, mainly because I’m a unix guy trying to “figure out” Windows Server and its archaic ACL system and the fact that ACLs/attributes under OSX are just insane. The main issue I had with all the other recipes on the net describing this process was that it did NOT work for OSX/Finder. When users transferred the files, Finder was not able to strip off its “in-use” attribute from the file once copied to the destination. This would leave files in limbo (greyed out) and no one could touch/access them from another Mac until I stripped the “in-use” attribute off manually. Normally SMB capable NASes ignore Finder/OSX attributes and this does not happen, but FS7500 is “mac friendly” and preserves the attributes so we had to figure out a way to give Finder enough rights to be able to strip the attribute off once the file was copied.

The core idea here is that you have a Windows share (\\elm\DROPBOX in my case) which has a bunch of subfolders under it, one per class (they are in the form of BDCxxx.yyy in my case). What we’re trying to do is give AD users who are in AD groups (also called BDCxxx.yyy in my case) which represent classes enough permission to get inside \\elm\dropbox and see the names of the subfolders and be able to drag files onto the appropriate class subfolder (BDCxxx.yyy), essentially submitting their assignment. What we don’t want to let the users do is to peek inside those subfolders. It’s the equivalent of a “write only” group permission on a folder (no execute or read bit) in unix land. We also want to have our instructors be able to access everything in the DROPBOX share, so we use a group called DropBoxMasters for that purpose.

For the sake of this example I will use the student/class group BDC974.011 which the students belong to and DropBoxMasters group for our instructors. So here we go:

1) We obviously need a share. If you’re using a FS7500 NAS you just create the share and that’s it, no sharing permissions, everything is controlled by Windows ACLs. If your share is on Windows then I guess you can give full control sharing permissions to Domain Users. Once this is done we access \\elm to set the Windows permissions on the DROPBOX share.

2) For DROPBOX we need the following permissions to be set to Allow and Apply it to “This folder only”: Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Read permissions. This will allow our BDC974.011 students to see the content of this folder (i.e. the subfolders, one per course). Remember that you need to create this permission set for each individual course/group/class. And remember to apply to “This folder only”.

3) Still on the DROPBOX share permissions, we want to set up the DropBoxMasters group. This one is easy since it’s “Full control” permission that applies to “This folder, subfolder and files”. Easy :-)

4) Before we go on, a note about the above process. In the permissions/Advanced security settings you should only have the “class/course” groups, the DropBoxMasters group, SYSTEM group (with full control) and Domain Admins (with full control). Next we want to create the subfolders inside DROPBOX, one subfolder per course/class (BDC974.011 in my case). Permission-wise we want to set up the following permissions for the group that matches our course/folder (i.e. the example screen shots here are for group BDC974.011 on subfolder \\elm\DROPBOX\BDC974.011). We need the following permissions to be set to Allow and Apply it to “This folder only”: List folder/read data, Read attributes, Read extended attributes, Create files/write data, Create folders/append data, Write attributes, Write extended attributes, Read permissions.

5) Still in the security settings for the course subfolder we need to add “CREATOR OWNER” to the list of permissions (this is a built-in Windows entity) and give it the following permissions for “Files only”: basically all the allow check boxes EXCEPT the following (leave unchecked): Full control, Change permissions, Take ownership. Remember these permissions are to be applied to “Files only”.

That’s it…..Now just keep repeating this for all your courses/groups.
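
Steps 2 to 5 can also be scripted instead of clicked through for every class. The following is an added example, not part of the original recipe; the domain name EXAMPLE is a placeholder and New-DropboxAce is a helper defined only for this sketch.

```powershell
# Added example, not from the original post. Applies steps 2-5 to one class.
# Assumptions: 'EXAMPLE' is a placeholder domain; New-DropboxAce is a helper
# defined here; run as an account allowed to change permissions on the share.
$Domain = 'EXAMPLE'
$Root   = '\\elm\DROPBOX'
$Class  = 'BDC974.011'      # AD group and subfolder share this name

function New-DropboxAce {
    param($Identity, $Rights, $Inherit = 'None', $Propagate = 'None')
    # Strings are converted to the FileSystemRights / InheritanceFlags /
    # PropagationFlags enums; Allow rules get Synchronize added, as in the GUI.
    $ctorArgs = $Identity, $Rights, $Inherit, $Propagate, 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

# Step 2: class group may enter the share and see subfolder names ("This folder only").
$rootRights = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
# Step 4: class group may drop files into its own subfolder ("This folder only").
$dropRights = 'ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateFiles, ' +
              'CreateDirectories, WriteAttributes, WriteExtendedAttributes, ReadPermissions'
# Step 5: everything except Full control, Change permissions, Take ownership.
$ownerRights = 'Modify, DeleteSubdirectoriesAndFiles'

# Steps 2-3: ACEs on the share root.
$acl = Get-Acl -Path $Root
$acl.AddAccessRule((New-DropboxAce "$Domain\$Class" $rootRights))
$acl.AddAccessRule((New-DropboxAce "$Domain\DropBoxMasters" 'FullControl' 'ContainerInherit, ObjectInherit'))
Set-Acl -Path $Root -AclObject $acl

# Steps 4-5: create the class subfolder if needed and set its ACEs.
$sub = Join-Path $Root $Class
if (-not (Test-Path -Path $sub)) { New-Item -ItemType Directory -Path $sub | Out-Null }
$acl = Get-Acl -Path $sub
$acl.AddAccessRule((New-DropboxAce "$Domain\$Class" $dropRights))
# "Files only" = ObjectInherit + InheritOnly
$acl.AddAccessRule((New-DropboxAce 'CREATOR OWNER' $ownerRights 'ObjectInherit' 'InheritOnly'))
Set-Acl -Path $sub -AclObject $acl

# Check: the class group's row must show InheritanceFlags None (nothing flows to
# submitted files); CREATOR OWNER must show ObjectInherit / InheritOnly.
(Get-Acl -Path $sub).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Under Windows ACL semantics, the List folder right from step 4 lets group members see the names of files already submitted to their class folder. They cannot open another student's file, because the only file-level ACE a student receives is the inherited CREATOR OWNER entry on files they created.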

Adding mcrypt support to builtin php5 on OSX Leopard….

Posted on 17:51, February 4th, 2011 by Many Ayromlou

I got a request to add mcrypt support to our Leopard server today and here is a brief step-by-step installation instruction. This works well under the current 10.5.8 server installation. It should also work for 10.6 (snow leopard), but I have not tried it. Before you start here are the requirements:

  • Backup your system
  • Install (and update) the latest XCode (I’ve got version 3)
  • Install X11 client stuff from your server install DVD
  • Install X11 SDK stuff from your server install DVD
  • Ensure you have server 10.5.8 (latest update as of Feb.04.2011)
  • Make sure you have not tried to install mcrypt using another method. We need a “virgin” 10.5.8 install (as far as homebrew/local installs)
  • BACKUP

Please note that this will add mcrypt support to php. This is NOT the same as compiling mcrypt.

Okay, so now that we have all the requirements, you need to get a command line window opened and get a root shell (sudo -i). The rest of this document assumes you’re typing the commands in a root shell.

There is one dependency that we need to clear before we actually get down and dirty and that is libmcrypt. Follow the instructions below to get this installed:

mkdir /SourceCache
cd /SourceCache
curl http://sourceforge.net/projects/mcrypt/files/Libmcrypt/2.5.8/libmcrypt-2.5.8.tar.bz2/download -o libmcrypt-2.5.8.tar.bz2 -L

This is the latest version as of this writing (Feb.04.2011).

NOTE: If you’re compiling on a G5 machine you’ll need to tell the compiler that you want to build/configure for a ppc64 target so instead of the below configure command you need to use this:

MACOSX_DEPLOYMENT_TARGET=10.5 CFLAGS=" -arch ppc64 -g -Os -pipe -no-cpp-precomp" CCFLAGS=" -arch ppc64 -g -Os -pipe" CXXFLAGS="-arch ppc64 -g -Os -pipe" LDFLAGS="-arch ppc64 -bind_at_load" ./configure --enable-shared

tar -xjvf libmcrypt-2.5.8.tar.bz2
cd libmcrypt-2.5.8/
./configure
make
make -n install

The last command will simulate the installation process. Make sure the stuff is getting installed in /usr/local/lib

make install

At this point you should have a working installation of libmcrypt. This next command prints out the current version of your php engine. In my case under 10.5.8 it’s php 5.2.14.

server:libmcrypt-2.5.8 root# php -v
PHP 5.2.14 (cli) (built: Oct  6 2010 16:57:10)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

Grab the appropriate php-5.2.XX.tar.bz2 file from php.net. I just grabbed the stock PHP 5.2.14, since I wanted a perfect match between my php engine and the extension. I transferred the file using sftp to the /SourceCache folder on the server.

NOTE: If you’re compiling on a G5 machine you’ll need to tell the compiler that you want to build/configure for a ppc64 target so instead of the below configure command you need to use this:

MACOSX_DEPLOYMENT_TARGET=10.5 CFLAGS=" -arch ppc64 -g -Os -pipe -no-cpp-precomp" CCFLAGS=" -arch ppc64 -g -Os -pipe" CXXFLAGS="-arch ppc64  -g -Os -pipe" LDFLAGS=" -arch ppc64  -bind_at_load" ./configure --with-php-config=/Developer/SDKs/MacOSX10.5.sdk/usr/bin/php-config

cd /SourceCache
tar xjvf php-5.2.14.tar.bz2
cd /SourceCache/php-5.2.14/ext/mcrypt
phpize
./configure --with-php-config=/Developer/SDKs/MacOSX10.5.sdk/usr/bin/php-config
make
make test
make -n install

The last command will simulate the installation process. Make sure the stuff is getting installed in /usr/lib/php/extensions/no-debug-non-zts-20060613

make install

Now we need to modify our php.ini file and tell the php5 engine of the availability of this new module. To do this you need to copy php.ini.default to php.ini (in /etc directory). For details of why have a look at this article.

cd /etc
cp php.ini.default php.ini

Edit the newly created/copied php.ini using your favourite editor. Add the following line to the appropriate location (read the comments in the file to find the location):

extension=mcrypt.so

Still in the same file find the variable “extension_dir” and change its value to the “/usr/lib/php/extensions/no-debug-non-zts-20060613” path instead of “./”. Save the php.ini and use the following command to see if mcrypt extensions are available:

server:etc root# php -i |grep mcrypt
mcrypt
mcrypt support => enabled
mcrypt.algorithms_dir => no value => no value
mcrypt.modes_dir => no value => no value

Done. Restart Apache service from the server manager (just for the sake of completeness).

Open Source lovin’ for your Server….

Posted on 12:12, January 11th, 2008 by Many Ayromlou


Continuing with our coverage of “Free your Apps”, here is how you can free your Server (and workstation) of those expensive (usually useless) so-called Enterprise Applications. BitNami stacks make it incredibly easy to install your favorite open source server software. Application stacks include an open source application and all the dependencies necessary to run it, such as Apache, MySQL and PHP or Ruby. All you need to do is download the Stack, provide a few pieces of information when prompted by the installation wizard, and that’s it. By the time you click ‘finish’, your new application will be ready to run. All stacks have been packaged using BitRock’s multiplatform installer.


Bitnami Infrastructure stacks are designed for developers and system administrators and provide you a way of installing a LAMP or Ruby environment, but do not include any extra applications. It is not necessary to download an infrastructure stack to use an application stack.

All this of course for free, so again to recap, here is a complete list of what they offer:

So what are you waiting for…..fire up those downloads :-)