Wednesday, December 17, 2008

Keeping my iTunes Library on an external hard drive across systems

Real simple: I have both an Apple desktop and laptop with limited disk space and want all my iTunes media to reside on an external HD that I can switch between systems.

This is fairly straightforward. In "Advanced Preferences" I changed the "iTunes Music folder location" to my external drive (in my case: WD Passport/iTunes:). This worked well for me until today. Now to backtrack a little, when I first set up this scheme I even symlinked the ~/User/Music/iTunes directory to my external disk with the notion that I'd even want "iTunes Music Library.xml" (the dictionary file that maps every file in iTunes) on the external drive. Ultimately this was stupid because if the external drive was not connected I couldn't fire up iTunes to listen to, say, the radio, without the application wanting to create a new library (equivalent to launching iTunes while pressing alt).

But that was then and this is now.  I'm not sure why my iTunes directory got screwed today but it did.

What happened was I accidentally "reset" the "iTunes Music folder location" which defaulted to my local hard drive.  When I tried to add the external hard drive location, the iTunes directory was greyed out (grayed out). Greyed out meaning I couldn't add it.  Then I attempted "Add to Library" (command+o) and the external iTunes directory was also greyed out.  WTF??

At first I thought there was some defaults RootDirectory entry I could fool with like I did when I wanted to default my iPhoto Library to the external hdd some time ago.  But no go (another case of an OS X inconsistency).

It wasn't until I thought about doing something inane with permissions that I noticed that the iTunes directory on the external disk was an iPhoto-esque package content directory.  "Get Info" on iTunes even listed "open with iPhoto".  Hmmm. I stupidly changed it to "open with iTunes" but that was low-brow desperation.

Opening a shell and doing a "ls -lad" on iTunes showed:

drwxr-xr-x@ 20 rpetkus staff 680 Dec 17 19:40 iTunes/

What is "@"?  "man ls" informs me that @ = extended attributes which I can list with "-@"

$ ls -lad@ iTunes/

drwxr-xr-x@ 20 rpetkus staff 680 Dec 17 19:40 iTunes/ 32

What is Turns out this is a Uniform Type Identifier (UTI) which ascribes a lot more meaningful type data to a file than a mere file extension (.jpeg) or MIME type. I found this older link which was an informative read about UTIs on OS X.

After my reading assignment I surmised that I want to get rid of this extended attribute using the "xattr" command which doesn't have a man page but "xattr -help" is pretty self-explanatory.

Make iTunes a normal folder again:

$ xattr -d iTunes/

Voilà! iTunes on my external hard drive is no longer greyed out, I can set it as my Music Folder location and "Add to Library". Resolution.

As a side note, if you're doing the same thing with your external hdd, make sure under "Advanced Preferences" that you select "Copy files to iTunes Music folder when adding to library".  This way, if you add more media to iTunes on one system with the external drive, it indeed gets copied there for consumption on the second system.

Monday, December 1, 2008

Solaris 10, Kerberos, and OpenLDAP

Solaris 10 - Solaris in general - annoys me and Linux is favored for all instances except those where I need to reap the benefits of ZFS. Today as a precursor to deploying SUDO on a number of Solaris systems, I sought to eliminate ssh-key access and allow individual accounts to log on. Piece of cake in Linux but Solaris?

I want to use Kerberos for authentication and LDAP for authorization. I'm using OpenLDAP and not SUN LDAP so this already creates a bit of chafe, but I'm not going to install SUN LDAP or install a 3rd party PAM module - I want everything to be default so the next person to inherit this mess doesn't go mad.

Now I don't want to use pam_ldap for account authorization since this implies 1) I'm using SUN LDAP and 2) I'm storing account information like PASSWD in LDAP. We don't.

I *do* want to use vanilla pam_unix_account and rely on nsswitch.conf to state my name service preferences.

Now one would assume, given my requirements, that a reasonable SSH PAM stack would look like this:

other auth requisite
other auth required
other auth required
other auth sufficient
other auth required
other account requisite
other account required
other account sufficient

Then why doesn't it work???? Why, in debug mode, does it always complain that account so and so is not found?

After some investigation it turns out that if using OpenLDAP for authorization one needs to add "objectClass=shadowAccount", and that's it, as an attribute to every single uid=xxx,ou=People,dc=place,dc=org. At least for those users that want to be authorized for login.

What a pain. And how much precious time did I waste on this? 2, maybe 3 hours? Unbelievable.
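
An added example, not part of the original post: a small audit that reads an LDIF export of ou=People and builds the ldapmodify input that adds shadowAccount only to the users who should be able to log in, since the object class is what makes the account visible to pam_unix_account. The sample entries, the function names and the login_users set are constructed for illustration.

```python
import base64

# Constructed sample export of ou=People (the shape `ldapsearch -LLL` prints).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=place,dc=org
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=People,dc=place,dc=org
objectClass: posixAccount
objectClass: shadow
 Account
uid: bob

dn: uid=carol,ou=People,dc=place,dc=org
objectClass: posixAccount
uid: carol
"""

def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) from LDIF text."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    entries = []
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs["dn"][0], attrs))
    return entries

def shadow_fixups(text, login_users):
    """Build ldapmodify LDIF adding shadowAccount for the given uids only."""
    changes = []
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" in classes and "shadowaccount" not in classes \
                and set(attrs.get("uid", [])) & set(login_users):
            changes.append(f"dn: {dn}\nchangetype: modify\n"
                           "add: objectClass\nobjectClass: shadowAccount\n")
    return "\n".join(changes)

if __name__ == "__main__":
    print(shadow_fixups(SAMPLE_LDIF, {"alice", "bob"}))
```

Review the generated LDIF before feeding it to ldapmodify; carol is left untouched here because she is not in the login list, and bob is skipped because his folded objectClass line already carries shadowAccount.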