Essentially the problem is that some types of network link have a smaller limit on the maximum packet size than others. Originally, machines used to simply assume the worst and only transmitted packets of up to 576 octets in size. This was quickly changed so that hosts using TCP/IP negotiate the maximum segment size during connection set-up. However, if there are routers between the two hosts, it is possible that the hosts’ MTU values are higher than the link between the routers.

If that happens, one option is for the routers to fragment the packets. Unfortunately this has several negative effects and has occasionally been deliberately blocked to prevent various types of Denial of Service attack.

A better approach, therefore, would be for the hosts to attempt to discover the MTU of the network path over which they are communicating. To do this, they transmit large packets with the DF (Do not Fragment) flag set. When a router receives such a packet, it is supposed to reply with an ICMP message indicating that the packet was too large and cannot be forwarded. When such a message arrives, the sending host can reduce the MTU of the link as appropriate and retry.

And herein lies the problem. Some sysadmins apparently don’t realise that ICMP messages are required for correct operation and block all of them. Or maybe they just block the one required for path MTU discovery. Either way, doing this breaks things badly and leads to all kinds of weird symptoms that people tend to blame on end users and their ISPs.

There are some tools you can use to investigate if you think this problem is happening to you; scamper seems to be particularly useful. e.g.

alastair$ sudo ./scamper -c "trace -M -P ICMP" -i 10.0.1.1

will display the MTU at each point along the route from your machine to 10.0.1.1.

Or you can “just” set the MTU on your machine to a lower value. Unfortunately it is usually tricky to configure a special MTU for accessing the Internet and the usual Ethernet MTU for the rest of your network, and in order to avoid problems you really should have the MTU settings the same for all hardware on your network segment.

• I prefer the metal back on the original iPhone. I do understand, though, that it has a negative impact on radio performance and hence battery life.
• The metal buttons on the iPhone 3G don’t appear to be very well finished. I’d have rounded the edges off a bit more; they seem too sharp to me.
• The silent mode switch is significantly stiffer on the 3G. I think I prefer the original feel, but I understand that some people kept knocking it, so maybe the change is necessary.
• The iPhone 3G is physically slightly larger, and the display has a slightly larger border as a result.
• The colour temperature of the display has indeed been adjusted. This is a Good Thing, as I always thought the original iPhone was too blue.
• The touch screen on the 3G seems slightly more responsive.
• iPhone 3G seems like it might be a little quicker than the original. This is just subjective, I haven’t measured or looked at the devices in it, so it may well be entirely imaginary.

Of course, the GPS and 3G features will be useful, particularly in the part of the U.K. where I live because EDGE coverage is patchy so with my original iPhone I ended up having to rely on GPRS which is pretty slow by comparison to EDGE, never mind 3G data. 3G, on the other hand, has pretty wide coverage here in the U.K.

I was a bit worried about having to make the changes to the site because it involved updating some of the important tables in our database, but it all seems to have gone OK… only one “observation” from a customer so far, and I believe that problem is now fixed.

Nor does the fact that these cracked versions could do serious damage dissuade people from downloading them, apparently. We can see from our daily sales figures a drop of nearly 30% since the illegal copies first appeared. Yes, that’s right, 30%.

The worst thing though, worse even than losing 30% of our business to these jerkoffs, is that because the crack was done by an incompetent, the programs could terminate at any time while they’re working on the users’ disks, leaving them with potentially serious filesystem damage. Filesystem damage for which we will be blamed, though it’s not our fault in the slightest.

Sure, iPhone developers have to pay a one-off fee to Apple, and Apple does reserve the right to reject applications if they don’t meet the requirements stipulated in the SDK license agreement. And sure, iPhone does support DRM, something the FSF has been campaigning against for some time, but something the FSF is ill qualified to talk about as it does not, in fact, have any problems of its own with software, music or movie piracy.

I think the most objectionable parts are where the article says things like

iPhone exposes your whereabouts and provides ways for others to track you without your knowledge.

which is nothing less than blatant and unjustifiable scaremongering. Yes, the iPhone 3G has GPS. But in order for an application to use it, the user must agree to a message displayed by the phone. That is, the user is explicitly asked whether to allow an application access to their location.

There is also a claim that

[Fairplay] prevents you from installing free software -- software whose authors want you to freely share, copy and modify their work.

which is total bunk. If authors of Free Software choose to provide a build for the iPhone (and to do that, only a single developer need pay the license fee), they can submit their application to the App Store and Apple will distribute it for free and allow users to install it.

And sure, anyone who wants to modify the application will need a developer license, which they have to pay for. Why is this suddenly a bad thing? Wasn’t it FSF that made the point that Free Software was free as in speech and not necessarily as in beer? And isn’t it also the case that for many platforms those people who build their own versions of Free Software products require the use of commercial tools of some sort?

The go on to say that

Jobs would have us believe that all of these restrictions are necessary.

and he’s right. They are. Why? Because otherwise the iPhone would be full of viruses and other malware within a few months. The way Apple has chosen to do things does have some disadvantages, but it has the major advantage that it’s significantly harder to publish iPhone malware without getting caught than it is to publish malware for other mobile devices.

And as for the theory that Apple is

a single greedy, dishonest and secretive entity

well I think “johns”, whoever he is, needs to grow up. Apple is, of course, a business and is out to make money. That’s what businesses do. But they don’t do it solely for their own benefit; you and I hold shares in businesses, both directly and indirectly (through our bank accounts, our pensions, and a wide range of other investments). If they make a profit, we benefit. Likewise, if we don’t like how they behave, we can turn up at their AGM, or demand that those who represent our interests do so, and demand that they change their behaviour. This modern notion that big business is the Big Bad Wolf is borne out of ignorance, and it’s a great shame that the FSF seems intent on promoting this jaded and inaccurate view of the world.

It’s also a bit rich FUDding someone else and then accusing that other entity of being dishonest.

When I was a student, I used to think I agreed with some of the goals of the FSF. Maybe even most of them. In recent years though, they seem to have become more and more extreme and I now find myself wishing that they would either go back to their roots and forget about all these new things they’re complaining about, many of which have little or nothing to do with the original Free Software idea, or just pack it in and leave the rest of us the hell alone.

I certainly won’t be supporting them in future, and I have no intention of contributing to any of their projects (as I have occasionally in the past).

FSF, you’ve lost my support.

I don’t understand why anyone would be stupid enough to attempt this, actually. I mean, tampering with the code of a copy protected disk utility is a bit like tampering with a nuclear weapon. The person most likely to get hurt is you.

But hey, dumb-ass cheapskate software pirates, by all means destroy your data with pirated copies. Just don’t come crying to us when it happens… we didn’t give them to you and we didn’t tamper with them.

Shocking as this may be, it really highlights a serious problem with current methods of identifying people, both off and on-line.

Marko is understandably unhappy about this, and suggests that Apple should have checked that it was him “by comparing the information in their personal profile”. Yet most information about most of us, particularly prominent developers like Marko, is publicly available (for instance via WHOIS or via a variety of other means). I’m quite sure that, even if Apple had done those kinds of checks, they could be readily defeated by someone with the gall to try this kind of thing in the first place.

The fact is that we need an identity system that is not based on people’s personal details, or this kind of thing is going to happen all the time.

Seems only yesterday I left primary school…

But many of them still hide behind DMCA even when told that they are hosting a folder full of infringing material. They won’t act on their own account and don’t actually care that their Acceptable Use Policies already prohibit such material and would enable them to remove the files themselves.

How do I know this? Well today’s little irritation involved sending a notice to MediaFire about a folder full of files over which we hold copyright. I also, in the same e-mail, complained about the containing folder, which contains a lot of other peoples’ copyrighted work (though I noted that I had no legal standing to do so). What did I get in reply? Yes, that’s right folks, a demand that I format my request exactly as required by DMCA and a notice that MediaFire would ignore any request that wasn’t formatted that way. Furthermore they tell me that they will ignore any request relating to a folder, since they can’t be bothered to check all the files in a folder (just the ones you list).

Ethical? Like hell.

Our political leadersmasters won’t let us have a vote on membership of the European Union here in the U.K., because they know we’d vote “No”. In fact, they won’t even let us vote on the Lisbon TreatyE.U. Constitution because they know we’d vote “No” and scupper that too—in spite of promising a referendum on that very subject.

Fortunately it sounds like the Irish have scuppered it for us, but it frankly stinks that our government lies to us, fails to represent our views and then won’t let us have our say even when it promised.

Good for him I say.

The only reason the public thinks (at least according to the polls it does) that these kinds of illiberal measures are acceptable is that the government of our country has been conning us. The theoretical threat from Islamist terrorism and in particular Al Qaeda—and it remains primarily a theoretical threat, unlike for instance the IRA during the late 70s and 80s—has been used to justify large numbers of illiberal and frankly unpleasant measures which we are promised are “to combat terrorism” and which are then promptly misused to keep pensioners out of the Labour Party conference, to spy on people sending their children to school, to prevent law abiding people from attending legitimate peaceful protests and all kinds of other similar things which have nothing whatsoever to do with terrorism.

The steady creep of authoritarianism into the British state has continued unabated under this Labour government and the problem is that because our civil liberties have been chipped away one piece at a time it has been difficult for the public to notice the impact it is having.

David Davis, it seems, intends to bring all of this to the fore in his constituency and it will hopefully make his constituents—not to mention the rest of the population—realise that something is seriously amiss.

Chaos.

Not only were there large numbers of vehicles trying to fill up (more than normal, I would say), but a Budgens delivery driver (the local petrol station has a Budgens supermarket attached) was reversing a huge articulated lorry into the station and across the forecourt. In order to do that, he had to spend a considerable amount of time completely blocking the road.

Whether the large queues were caused by the amount of time the road was blocked, or whether this heralds the beginning of yet another round of stupid panic buying, I don’t know, but I did notice that Newgate Lane (along which I have to drive every day) was also clogged up until I got past the ASDA roundabout. ASDA, of course, has a petrol station…

So, the first thing to do is to make sure that you have a working Kerberos set-up. To check this, you can try

$ kinit some-user
Please enter the password for some-user@EXAMPLE.COM:

If it successfully authenticates when given the name of a user in your Open Directory set-up, you’re all set. You can, if you like, look at the Kerberos ticket you just gained by using the klist command, but if kinit worked then there’s probably no need. If, on the other hand, that kinit didn’t work, you need to re-configure Kerberos from scratch. This seems to be very hit and miss and often it’s easier to reconfigure Open Directory from scratch instead, but that’s a bit drastic and is only really practical for smaller set-ups because it tends to result in all the passwords getting reset.

If your Kerberos isn’t working, please don’t bother asking me about it. I have yet to find a reliable sequence of commands to completely re-initialise it on OS X Server. You might find AFP548.com useful if you’re in this sort of mess.

Next, make sure that your client machines are configured to authenticate using Kerberos. On OS X 10.5, that means editing /etc/authorization to change

<key>system.login.console</key>
<dict>
  <key>class</key>
  <string>evaluate-mechanisms</string>
  <key>comment</key>
  <string>Login mechanism based rule.  Not for general use, yet.</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:smartcard-sniffer,privileged</string>
    <string>loginwindow:login</string>
    <string>builtin:reset-password,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict>

to

<key>system.login.console</key>
<dict>
  <key>class</key>
  <string>evaluate-mechanisms</string>
  <key>comment</key>
  <string>Login mechanism based rule.  Not for general use, yet.</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:smartcard-sniffer,privileged</string>
    <string>loginwindow:login</string>
    <string>builtin:reset-password,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:krb5authnoverify,privileged</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict>

That isn’t the only way to go about this part, but you need to make sure that your users get a Kerberos ticket automatically somehow. If they don’t, they won’t be able to mount the static automount because the server won’t recognise them. See Article 107154: Enabling Kerberos authentication for Login Window on Apple’s site, but note that the part where it says that the information is not required as of OS X Server 10.3 is not, in fact, entirely true. Various universities set things up using Kerberos and some of their pages may also be helpful; I quite like Iowa State’s page, personally.

Next, set-up your shares using Server Admin, setting the Custom mount path setting as required. For instance, I set one up with the path /Network/Groups. On previous versions of Mac OS X, you could do this step from Workgroup Manager, which was useful because it meant you could manually edit the mount URL to remove the hard-coded “;AUTH=NO USER AUTHENT” setting. Unfortunately you can no longer do this as of 10.5, which means that you have to use dscl or the various LDAP utilities.

Even more unfortunate, when I tried to edit with dscl, I just got the error message

*** Uncaught Exception:  ([DSoDataNode initWithDir:value:] value is not a valid NSString nor NSData)

(and yes, I’m certain I used the right command). As a result, I ended up making myself a file like this (I called mine groups.ldif):

dn: cn=server.example.com:/Volumes/SomeVolume/Groups,cn=mounts,dc=server,dc=example,dc=com
replace: mountOption
mountOption: url==afp://server.example.com/Groups

and then I did

$ kinit diradmin
Please enter the password for diradmin@EXAMPLE.COM:
$ ldapmodify -f groups.ldif

The first line is just to authenticate as the directory administrator—you only need to do that once. If you need to examine your LDAP mount records first, you can do something like this:

$ ldapsearch -b "cn=mounts,dc=server,dc=example,dc=com"

which will list all of the mount records.

One other useful tidbit is that if you’re trying to test this from a client machine, you can do

$ sudo automount -v

from Terminal to refresh the automount set-up on the client.

It all sounds so simple written down, but this took me a good few hours and a lot of frustration. Hopefully I’ve saved someone else (or even just myself, in future) from repeating that experience.

I was trying (carefully, I might add… there was never any danger of a collision) to push into the lane he was in. I think when he noticed this happening at first, like a lot of people he decided to be bloody-minded and to not let me in. Which is both rude and awkward, but a lot of people do that kind of thing. Anyway, as a result, he ended up alongside me, with me slightly impinging on his lane and I think assumed then that I hadn’t seen him, which wasn’t true. All I wanted was either (a) for him to slow down and let me in (which, given that I was ahead of him at the time would have been sensible… when I started to move over, there was even a small gap), or (b) for him to speed up and go past. I got the result I wanted in the end, but not without him honking his horn at me and gesturing at his eyes.

I find these kinds of things, which happen to me rather rarely, somewhat upsetting. Not least because he will doubtless tell all his friends that some stupid car driver nearly knocked him off because he wasn’t looking, which is totally untrue—as I say, there was never any danger of that happening. It’s the kind of incident for which there isn’t really any blame to apportion, because nothing actually happened and nothing ever would have. It’s still frustrating though. Ah well…