Skip navigation

Today a coworker asked me to take a look at our Munki repository because it was exhibiting some strange behavior with regards to Firefox. As of this writing, Firefox is at version 46.0.1, but Munki was insisting that version 42.0 was the most recent version.

Our Munki repo updates packages automatically as much as possible through Autopkgr, so I started by running through all the configuration options on there, but nothing seemed amiss. Further, in the directory tree used by Autopkgr, the earliest version of Firefox was 43.0.

Finally, I deleted Firefox 42.0 off of the machine that had precipitated this investigation and then checked the access logs for Apache on the repo server. It turns out that at some point in the past, Firefox had been imported into the repo at the base of the directory tree, repo/pkgs/, and that instance of Firefox was taking precedence over the Autopkgr-updated version residing at repo/pkgs/apps/firefox/.

So there you have it. If a package on your Munki repo seems stuck at an older version no matter how many times you download a newer version, check to see if there’s another version of that package higher up the directory tree.


So you’ve got a lot of users in your Active Directory domain whose passwords you need to change for whatever reason, but Windows is all just pointy-clicky, right? Wouldn’t it be better to just be able to use a nice unix-like terminal?

This is where I admit that I didn’t know a whole lot about Microsoft’s Powershell this time last year.

What is Powershell? Well, it’s kinda like the terminal you get on your nice *nix machine, except it’s built to manage Windows Server roles.

And it kinda works like a *nix terminal. You can pipe the output of one command into another command.

You can’t use awk or sed, which I find to be a drag, but.

So getting back to the problem presented at the outset of this post, yes, you can kinda use your *nix-brain to make this happen.

When I started researching this issue, all my searches pretty much ended with scripts that other folks had written, which is fine, except they were usually not known-good for the version of Server that I’m using and I couldn’t be arsed to loosen security settings such that I could import those scripts.

So, if you’re in this boat (or just want to know how the sausage gets made), here it is: How to Change AD Passwords in Bulk

First you need to prep your source material: a CSV file of, at minimum, AD usernames and new passwords. The important part in formatting this CSV is getting the correct headers in so that Powershell can read them and do the right things. If you’re only updating passwords, your CSV should look like this


Once you have your CSV, drop it somewhere where your Server box can access it, then log in to your server, open Powershell, and run the following command:

import-csv [F:\path\to\your.csv] | ForEach-Object {Get-ADUser -Filter "SamAccountName -eq `"$($_.SamAccountName)`"" | Set-ADAccountPassword -NewPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force)}

That’s just great, you say, but actually I also wanted to associate an email address with those users, too. Can I do that in the same line?

Sure you can! Just add a column headed with “Email” to your CSV and populate as necessary, then, before closing the braces in the above command, just add

-PassThru | Set-ADUser -EmailAddress $_.Email

The -PassThru flag indicates that you want to pipe the object through to the next Powershell commandlet, and as such, it can be repeated as much as you like.

Is it a bit of a drag to type all that? You bet it is, but Powershell does have robust tab-completion, and really, how often are you going to have to reset a huge number of passwords?

If you administer a Google Apps domain, for education or otherwise, you really should be using GAM, the Google Apps Manager (and you should really be using it from a *nix or *nix-like environment). GAM is a command-line tool that lets you administer virtually any aspect of a Google Apps domain.

So why should you run it from *nix? Because awk. If you’ve ever had a big csv file that you needed to work with from the command-line and ended up writing a big old bash script that you probably weren’t going to use ever again, you’re in the target audience for awk. With awk, you can fire off beautiful *nix style one-liners like it ain’t no thing. You can pipe the output of other utilities through awk, or you can write awk scripts just like you’d write bash scripts (except the hash-bang at the start would read /usr/bin/awk rather than /bin/bash).

So, an example of the power of the two together:

I need to suspend a large group of users and move them to a different OU within my domain. All these users are currently in the same OU, so I can just dump all the info for the OU, grep for email addresses, and use awk to fire gam for each user found. In bash-land, this would probably mean dumping the users into a csv, then writing a script and passing in that csv. That’s a lot of work. in awk-land, though, it’s just one line:

gam info org /name/of/ou/containing/users/to/modify | grep @domain.tld | awk '{system("python /path/to/ update user " $1 " org /name/of/new/ou suspended on")}'

That’s it.

You can learn about awk here.

Click here for a tl;dr version that just gives you the fix without the background.

At my school, we have a fairly robust iPad program, and the decision was made, when we began to ramp up the deployment of iPads, that users should be able to print to their iPads.

Like so many of Apple’s technologies, AirPrint is one of those things that works well in a home environment but pretty quickly breaks down when taken into an enterprise environment.  Sure, you could go out and buy all new printers that have AirPrint built in, but when you’ve got a dozen or more printers that you might want to have available for iPad users, that quickly becomes a very expensive proposition.

You can roll your own AirPrint solution using a Linux box running avahi, but most people and departments would rather have a pre-baked solution, and then there’s only really one option: Printopia Pro.  If you’re running any sort of Bonjour gateway, such as the one built in to Cisco’s wireless access point controllers or Aerohive’s HiveManager cloud controller, you don’t even need more than one instance of the software.

And then Apple broke it all.

An engineer at the company that now develops Printopia Pro told me that for iOS 8 and OS X Yosemite, Apple moved away from a widely-used open-source mDNS discovery daemon to their own, in-house-developed daemon, and that’s where all the trouble started.

In a best-case scenario, we could maybe advertise four printers, and we often had to manually restart the Printopia Pro service when even those printers disappeared.

There is a solution that should work for most deployment cases, though.

This solution works only on networks running IPv4 and assumes that your Printopia Pro server is using a static IP address.  No, I don’t know all the technical details behind the IPv4/6 portion of this fix; I could have asked, and would have been very interested to find out the answer, but I didn’t feel like I had time for a several-hour conversation at the time.

Log in to your Printopia server and open the Terminal application and run the following command

networksetup -setv6off Ethernet

networksetup -setv6off EthernetLike the option says, this command turns off IPv6, which can’t be done through the GUI.  Next, open Printopia’s Advanced Settings.

Open Advanced Settings (command + comma)Under the General tab, there is a box to check that says “Publish printers using IPv4 addresses only.”  Uncheck this box if it’s checked.  Yes, that may seem counter-intuitive, but remember that you just turned off IPv6.

Picture of General tab under Advanced Settings with arrow pointing towards bottom-most checkbox with directions to uncheck that option.At this point, it’s worth making sure that printers are being advertised only over the Ethernet interface.  For each printer group, click “Settings…”

Picture indicating location of Settings button for printer groupand, under the Network Interfaces tab, select the bottom radio button and then select only your Ethernet interface.

Network Interface tab opened with only the Ethernet interface, en0, selected.Finally, for good measure, restart the Printopia service from the General tab.  Within a minute of applying these changes, we went from seeing four printers advertised over Printopia to seeing all seven printers that we were sharing.  You can check to make sure that the printers are being advertised over your network using the free Bonjour Browser application.

Bonjour Browser application window showing printers being advertised.So far, this solution has been totally stable for us, though it’s also recommended that you update your instance of Printopia Pro to the most recent release,, which can be downloaded here.

As part of studying for my CCNA Routing and Switching certification, I set up a home lab: a couple of old Cisco routers and a couple more switches, all second-hand from eBay.  Let me tell you, if you can afford to do that (my lab came in around $150 with cables and a couple interface cards), or if you can get your job to pay for your lab, there’s nothing quite like actual hands-on time with equipment (and in some ways it’s less hassle setting up real equipment than it is configuring GNS3 properly so it doesn’t eat all your memory).


You may encounter an issue with used equipment.  My routers seemed not to hold their configuration between boots, no matter how many times I told it to copy run start.

It would appear that this isn’t that uncommon of a problem, though, and it’s an artifact of the way that eBay sellers wipe equipment before sending it out.

So, if your used router boots to the initial configuration dialog every time, check this out.

On boot, cancel the dialog and enter privileged mode, then run show start. If the startup configuration shown is the same as the configuration you were running when you last shut down your router, check the Configuration Register by running show version. The Configuration Register will probably show 0x2142, which means the router is bypassing the startup config that’s stored in NVRAM, something that’s often invoked during password-recovery.

Fixing this is easy. Enter global configuration mode (conf t) and type config-register 0x2102, then end (or ^Z if, like me, you’re lazy). Another sh ver should now report

Configuration register is 0x2142 (will be 0x2102 at next reload)

Now just reboot your router (reload) and you’re back in business.

Note: if this solution doesn’t work, well, I’m sorry.  For a lab environment, any lost configs are just another opportunity to practice, but if you’re using this equipment in a production environment, I hope that you’re backing up your configs.  If you’re not backing up your production router and switch configs, check out RANCID, the Really Awesome New Cisco confIg Differ.

Two Cisco 2950 switches mounted above two Cisco 2620 routers on an Ikea Lack table re-purposed as an equipment rack.Final note: if you’re looking to build your own CCNA practice lab, the setup I’m using is

2x Cisco Catalyst 2950 switches

2x Cisco 2620Xm routers (if you can, the 2621 and 2611 are better than the 2620 and 2610 because they have two built in fastethernet ports rather than only one).

Ten Internet Points™ to the first person who can tell me what I’ve done wrong in this picture.


For those of you with rack-mountable hardware (servers, network hardware, and even pro audio gear) who are still looking for a cheap, stylish, modular solution to mount it all, look no further; the Dutch have found the solution, and the solution is Swedish.

It turns out that the LACK side table from IKEA is perfectly sized to hold up to 8U worth of 19-inch rack-mount equipment, which is astounding when you consider that it comes in twelve colors and costs $10 (USD).  If you go on Amazon, Monoprice, or CDW, you’re going to pay a minimum of $50, and the color choices are black, black, or black.  The grey-turquoise LACK even looks like it would go well with the weird blue-green-grey plastic that Cisco uses for their bezels.

While the LACK is the cheapest option, it turns out that someone at IKEA really cares about people who use rack-mount equipment, since there are lots of other options for furniture with an internal spacing of 19 inches.

More information about the LACKRACK (including an IKEA-style manual for assembly) can be found at <>.

So our initial notifier messaged us when players were on our Minecraft server, but it always messaged us, even if we already knew there were players online.  That’s not brilliant.  Instead, let’s have the script create a little file that says there are players online.  The pseudo-code then would be:

if the .players file exists and isn’t empty
check if players are still online
if they aren’t, clear the .players file contents, otherwise do nothing
if the .players file doesn’t exist or is empty
check if players are online
if they are, write status to the .players file and message

In this case, the script ends up being a lot simpler-looking than the pseudo-code.


if [ -s .players ]; then
lsof -iTCP:25565 -sTCP:ESTABLISHED > .players
lsof -iTCP:25565 -sTCP:ESTABLISHED > .players && echo "Players online" | /usr/bin/ssmtp

Of course, this script will tell you when you log on to the server yourself, which you probably don’t need to know and might be annoying, but it’s getting there.

I like Minecraft, but sometimes, it can get a little dull just playing on my own.  Since I think setting up servers is fun, I set up a Minecraft server on an old Linux machine so I could play with my friends.  They’re on the other side of the country from me, though, so it can be hard to coordinate times to play when we’re all on.  So why not set up a little notifier to tell me when my friends are online?  If you’re running your Minecraft server on Linux, you can, too, with just a few minutes of work.

What you will need:

  • A Linux-based Minecraft server that you control (duh)
  • ssmtp (configuration instructions here)
  • lsof (should be installed on your system already)

The code is pretty straightforward if you just want to be pinged at some interval if there is anyone signed in to your Minecraft server.  If you want to only have it ping you if things have changed, that’ll be more complicated, and that’s not something I’m going to try to get into right now (because I haven’t written the spells yet).  Here’s the code:

lsof -iTCP:25565 -sTCP:ESTABLISHED && echo "Players online" | /usr/sbin/ssmtp

Just pop that into your crontab to fire at whatever interval you’d like, and you’re good to go.  If you want to get fancy, you can even use the requisite sms/mms email gateway from this GitHub repo to have it text you when your friends are online, but maybe not if you’ve got it checking very often, since it will just keep firing off texts to you as long as there are players on your server.

Now the (quick) explanation.  lsof is a command that lists every open file on your system. Since in Linux, everything is a file, this includes network connections. The -iTCP:25565 flag indicates that you’re filtering only for network connections using TCP port 25565 (if your Minecraft server is running on an alternate port, you’ll need to change the port number accordingly). Finally, the -sTCP:ESTABLISHED flag tells it that you’re filtering only for connections with the status of “ESTABLISHED.”  If that command succeeds (the && part), then it’ll echo your notification through a pipe into ssmtp.