The Usable Mac

Basic setup stuff

Order of operations: First, install all OS X system updates. Then install Quicksilver; it'll make the rest of the process easier. Add Chrome so that you can use the web while doing the rest of the steps. :-) Next, get X11 and the Xcode tools installed - you'll need Xcode for the MacPorts steps. Install MacPorts. Start building packages while installing Emacs, Firefox, VLC, and the rest.

From MacPorts, you can install all of your favorite unixy software.

Enable Time Machine. It's good. You want it.

CMU specific stuff

I strongly recommend configuring your machine with a short name that's the same as your CS username. It will prevent headaches. If you have facilities create your system for you, ASK FOR THIS IN ADVANCE. Changing your short userid is a real pain if you do it afterwards, though it is possible. Also, if you have a commonly misspelled name (such as, er, Andersen), make sure you spell it out very explicitly in the instructions to facilities. Otherwise, your misspelled name will be permanently etched into the registration for programs like PowerPoint.


If you're using, you will be plagued by endless warnings about "unknown certificate." To solve that, you need to install the CMU root server certificate into Keychain Access.


Note: I've disabled OpenAFS on my Mac for now. It was causing way too many crashes. Nice idea, but the implementation isn't there for mobile use.

OpenAFS installation is easy - grab the latest, and use its installer. You'll have to configure /var/db/openafs/etc/ThisCell, and that's about it. Authenticate yourself using klog.

Increase the size of your AFS cache. I set mine to 1GB. Edit /var/db/openafs/etc/cacheinfo and change the last parameter in the line to 1000000 (or whatever you prefer -- but increase it from the default 30 megabytes!).


Kerberos integration is easy for CMU's Andrew and MIT's Athena, but doesn't work yet with the SCS environment. My workaround to be able to have SSH access to files stored in CS AFS spaces is to go indirectly through andrew:

  1. Configure Kerberos on your Mac (trivial):
    kinit user@ANDREW.CMU.EDU
  2. Log in to andrew and configure cross-realm authentication:
  3. Log in to a CS facility machine and give your andrew account access to your CS files, or whatever subset you wish:
    fs sa my_directory perms

    Note that this step creates a way for someone evil to break into your CS account through andrew. Your security chain now has two weak links. This is an unfortunate trade-off of being able to access your files remotely. You may want to only grant cross-realm perms to selected directories (e.g., I have mine set up only for access to my CVS directory) depending on how you use your account.

  4. Configure your andrew .cshrc or other shell initialization file to grab cross-realm tokens. Add to your .cshrc:

And there you should have it.
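To keep the cross-realm grant from step 3 as narrow as that note suggests, the following added example (not part of the original page) reads text in the format printed by `fs listacl` and reports every cross-realm principal, marking any that hold more than read/lookup rights. The cell, paths and principal names are constructed samples, and the assumption is that cross-realm entries are the ones whose name contains `@`.

```shell
#!/bin/sh
# Added example: audit AFS ACLs for cross-realm grants.
# Input (stdin): text in the format printed by `fs listacl` (alias `fs la`).
# Output: one line per cross-realm principal (assumed: name contains '@'):
#   <directory> <principal> <rights> <OK|BROAD>
# BROAD means rights beyond read/lookup ("rl") were granted.

audit_cross_realm() {
    awk '
        /^Access list for / { dir = $4; section = ""; next }
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        # ACL entries are "<principal> <rights>"; blank lines are skipped.
        section == "normal" && NF == 2 && index($1, "@") {
            # i=insert d=delete w=write k=lock a=administer
            verdict = ($2 ~ /[idwka]/) ? "BROAD" : "OK"
            print dir, $1, $2, verdict
        }
    '
}

# Constructed sample input: two directories, one scoped grant, one too wide.
sample_acls() {
    cat <<'EOF'
Access list for /afs/cs.example.edu/user/alice/cvs is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  alice@remote.example.edu rl

Access list for /afs/cs.example.edu/user/alice/private is
Normal rights:
  alice rlidwka
  alice@remote.example.edu rlidwka
EOF
}

sample_acls | audit_cross_realm
```

On a real client, pipe the output of `fs la` for the directories you care about into `audit_cross_realm` instead of the sample.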

Why do I want access to my files via both AFS and SSH? Because I run this on my laptop, and AFS is not happy in many network environments, particularly if you find yourself behind a NAT. If you're at home, you'll want to configure your firewall to put your AFS-speaking machine in the DMZ or configure port forwarding so that all port 7001 UDP traffic gets forwarded to your Mac. You can only have one "happy" AFS client behind such a firewall. Yes, this is a pain. Without this forwarding, any interruption in connectivity can cause the CS AFS servers to believe that your client is down, and you won't be able to access your files for about two hours.

Access via SSH, on the other hand, is pretty solid. Protocols like CVS and rsync can actually be more efficient remotely (depending on whether files change or not!), and they make it possible to operate completely disconnected. Coda may be another solution to this, but I haven't gone there yet.

Access to your files via AFS is super convenient for when you're at the lab - editing web pages is easy, creating stuff for class is easy, etc.

Integrating kinit and klog with the Keychain

I haven't figured this part out yet. If you know, please tell me! Fortunately, you only have to klog once per week, and grab new Kerberos tickets daily, so it's not that onerous.

Last updated: Sun Apr 01 12:02:51 -0400 2012