Photoshop in OSX workgroups

Getting a “this file is locked” error in Photoshop, when no such lock exists?

As you may know, Apple tried to retire user Umasks in Leopard. As you may know, Mac workgroups are hell without uMasks – user A creates a folder full of documents for everyone to modify, but the group can’t write into the folder or modify any documents. It’s a hoot!

The solution was ACLs – basically NTFS-type permissions that Apple ported over for Tiger. They’re super, but the implementation was a little lacking – they were basically broken in Finder Get info for the whole of Tiger and therefore pretty much useless. In Leopard, you *still* can’t do any proper ACL admin in Finder, but they’re pretty working in Server Admin (and Xsan Admin), and as a result it all got manageable.

Except for Photoshop (and FCP, too, apparently, but as you’re meant to always work with a local copy of a project in FCP workgroups, not an issue I’ve personally run into). Photoshop just plain doesn’t notice ACL permissions: if a file’s POSIX permissions say you can’t write to it, photoshop gives you the following:

Photoshop error dialog

IOW, it thinks you’ve locked the file, OS 9-style. This is true of at least CS3 and CS4 (11.0). The only solutions were either some funky watch scripts that chmodded stuff, or get everyone to log into the server as the same person – fine for three employees or less, but stark raving mad for anything bigger.


In 10.5.3, Apple relented and allowed a new method of defining per-user Umasks, this allows you to spec that new files created by User A are writeable by anyone in A’s primary group. At last, you can rest.

Painless PNG – avoiding, er, pain

Something else not currently easy to find on the interweb is painless PNG – a rails plugin that transparently handles whatever it is you have to do to get IE 5.5/6 to display PNGs with alpha correctly (documentation and broken download link here). It’s the very definition of a suave OO plugin that makes you agile as heck by making all your code work with IE6 without any modification – it subclasses image_tag and alters the html if it detects you’re on an incompetent dinosaur monopolist browser.

Sadly, the original writer’s SVN has been down ever since I found out about the plugin, and Google’s top 6 hits are still to that site or sites that refer to it.

Well, some nice guy called Alexy (who obviously likes a bit of the ole fantasy role playing), has kindly made the whole thing available via good old fashioned http (including a couple of fixes, apparently). It’s the only version I’ve ever used, and so far everything looks suitably transparent on IE 6.

(I did make one slight change – got it to use double quotes not single – to make it comply with some of my higher up hackings. But you wont have to)

Microsoft RIS and Apple Netboot – do they play together?

Couldn’t see this anywhere else on the interweb (and believe me I looked!) so I thought I’d just let it be known that, yes, it seems that these two very similar protocols can exist on the same subnet without affecting each other – Apple’s NetBoot uses two ‘vendor” DHCP options (41 and 60), while RIS/PXE uses 66 and 67, so clients only connect to servers that talk their language. On a very small sample size here in the pdaddy lab, a Mac NetBooted and a PC was able to stagger into a vile DOS menu screen thingy (i.e. they both worked as expected) while both services were active at the same time. The macs were using the Windows/AD DHCP.

Shameless, but possibly vital, plug

Recently cooked up a small web site as contra for some friends. Google doesn’t seem to be doing that good a job of finding it, so they reckon a few links in blogs will do wonders: 

 The Pet Nanny is Melbourne’s finest pet minding/pet walking institution. Servicing most of the inner northern suburbs, your pets will thank you for calling them, even if you aren’t going away! 

(and then, look at the source html. Lean!!

Compressor: “QuickTime Error: 69”

Documented nowhere on the web is that this error would appear to be thrown (in batch monitor) when you are out of room on your destination directory. (Or just in your home directory)


We got this error with 2 users who had roaming home folders which were over quota. One was trying to decompress to the desktop (which was full), the other may possibly have been compressing to a drive which did have free space, but the lack of home space was enough to throw the error (can’t confirm this) Restoring some free space to the home folder made the error go away. 

Getting @#$%ing Citrix to work on your Mac. Again.

Three-and-a-half years after I wrote this, this page is still getting scads of traffic. Citrix has been Not My Problem for a long time now. If you’re one of the many folks who’ve come here with an SSL error 61, scroll down to step 2 – I don’t actually know if the info is still current, but you don’t need to know about step 1

(back to original post)

Just had to re-trawl the web to get this godless peice of software working again on a new machine, and thought I’d gather it all together in the one spot for the benefit of someone (even if it’s just me in another coupla years).


(This guide is for those people whose corporations get them to connect via a web page, often called “MetaFrame Presentation Server”)To get Citrix to work you need to do just 2 simple things:

  • Convince citrix that you’re actually on a Mac.  (It does now believe that FireFox can be a Mac browser, but Safari? Never heard of it, can’t be a Mac browser)
  • Determine what kind of security certificate you organisation uses and, if necessary, add it

The Devillish Details:

1. Convince Citrix you’re on a Mac

Citrix uses a special Mac client and the metaframe server will only serve you up the kind of file their Mac client wants if it thinks you are on a Mac – and (until very recently) the only Mac web browser is IE, right?

If, when you first connect to the “presentation server” page, you see some messages at the lower-right which include a link for the Mac client, you do not have to do this step. Mac Firefox is finally recognised, but not Safari.

So, you could actually run MSIE if you want, but I find it much easier to stay in Safari. Safari has a handy hidden feature where it can pretend to be a range of other browsers, we just have to turn on the “Debug” menu. This is well documented right across the internet, you simlpy run the Terminal and type in:

defaults write IncludeDebugMenu 1

You can just copy & paste that. It’s that simple. Obviously you hit “enter” after that. Then quit and reopen Safari, Here’s what to do next:

  1. open a new blank page or tab
  2. Go to the new “Debug’ menu, go down to “User Agent” (it’s actually near the top in Safari 3 now) and tell it to be “Mac MSIE 5.22”
  3. Enter the URL for your organisation. You should see the telltale “If you do not have the ICA Client for Macintosh” message at the right which means Citrix has correctly determied your platform

You can also use the link provided to download a Mac client, if you don’t have one. These three steps are now all you’ll have to do to connect to your organisation via citrix. The next section deals with some stuff you’ll only have to do the first time.

2. Security Certificate

The Citrix client stores a selection of “CA”s (certificate authorities) in the “keystore” folder. Wherever you install the client, the keystore folder must go. If not, you’ll get the “keystore is unreadable” errorIf you get the “SSL error 61” message, that means your organisation is using a certificate that wasn’t provided by Citrix (the Mac client, it seems, doesn’t ship with that many). Safari wont tell you anything about the certificate being used by a page (that I could find) but Firefox can, so open your organisation’s page in firefox – it may, of course, assume that you’re on a non-Mac, so you can’t use firefox to actually connect, we’re just trying to find out the name of the certificate we’re using.Once you have the page up in Firefox:

  1. Go to Tools -> Page Info in the menus
  2. In the “Page info” dialog which opens, click on Security
  3. It should say “Web Site Identity Verified” and have a “view” button. Click it
  4. You should see, about halfway down, a field called “Common Name” – the vaue next to that is the one we care about

Now you need to get that and install it. Root CA’s can be downloaded from most providers, but they don’t always make them easy to find. Mine were from Thawte, and there is no sign of any CA download on their website. But Google “Thawte root CA’s” and bang, the Gbot finds them straightaway!Sticking with Thawte as an example, the root CA download gives you a zip file with well over 10 CA’s. Find the one you need based on the steps above and, if you’re using Leopard, add it using the “Keychain Access” application (which lives in the Utilities folder). Pre-Leopard, you should copy it to the keystore/cacerts folder (the one that you installed in the same folder as your ICA client). And, and this bit is critical, rename it from whatever.cer to whatever.crt. Without the .crt extension, mine wouldn’t work.And that should be that, a modern Citrix should work from a Mac browser every time

Cardboard Cubbyhouse: 3. Construction

I could write very thick book! But I wont, suffice to say the following truisms are .. true:

  • You get much better (and quicker) with practice
  • Measure twice, cut once
  • Tools are good. Tools actually designed to do the job to which they are being used, are even better

Construction went more or less as expected. I basically spent a long time slicing and gluing, and finally ran out of room in the shed to store bits. At that point, I worked out that what I needed was a tarp so I could part build the thing and actually leave it up. After that it was easy.

I also discovered that fine-pitch corrugated iron is very floppy. I had to cheat and prop up the corners with some left over plywood from the floor. Now that I mention it, the plywood was a lot less rigid than I’d anticipated, too.

Pictures tell the story so much better:

Part F
7 dec 2005
ran into a man at work wheeling 10 empty Dell server boxes, he was looking for the paper recycling skip. “Follow me”. I said.
nine months in!
Aug again
Finally, the whole base
very hard to make columns stay up without walls
making the slanted columns
2 February 07
Take some time off work, and buy a tarp. Now I can part-assemble and leave the thing up!

Feb 6
in goes the floor
and a wall!
Feb 7
a bit of lacquer, try to waterproof it. After 6 years virtually without rain, I can already see that construction of the cubby will break the drought. Pregnant rain clouds cover the continent.
Feb 10
I can almost taste the finish
Feb 12
we got wet
Feb 17, behold! I am risen. The girls are inside beautifying.
Feb 17