Reset OS X Panther password without the Install CD

A customer recently brought me an old Mac G4 notebook for which he had forgotten the password. He wanted me to reset it for him somehow. Now that we have the Internet you would think this kind of thing would be easy to Google. Unfortunately, because different versions of OS X seem to have different ways of resetting a password, this isn’t as straightforward as it seems.

The advice offered by the friendly denizens of the Internets falls into three broad categories:

  • Reset the user’s password in single user mode with the passwd program
    • When the notebook boots hold down the Apple+S keys until you see a black and white terminal
    • You are now in single user mode
    • At the prompt type:
# fsck -y
# /sbin/mount -uw /
# sh /etc/rc
# /sbin/SystemStarter
# passwd <short username>
    • This didn’t work for me. After the “passwd …” command it silently returned me to the command line.
  • Trick OS X into thinking this is the first time it’s running
    • In single user mode type:
# fsck -y
# /sbin/mount -uw /
# rm /var/db/.AppleSetupDone
    • After it reboots it will behave like this is the first time it has ever run and take you through its First-Run Wizard, which will allow you to create a new administrative user that can reset the old user’s password from within OS X itself.
    • This didn’t work for me at first, but did work the second time around when I tried it again before writing this post. Meh, probably “UserError” on my part. Anyways, it is less elegant and clean than simply resetting a password.
  • Reset the password from single user mode using the dscl command
    • In single user mode type
# fsck -y
# /sbin/mount -uw /
# launchctl load /System/Library/LaunchDaemons/
# launchctl load /System/Library/LaunchDaemons/
# dscl . passwd /Users/<short username>
# reboot
    • This apparently only works on more recent versions of OS X, such as Leopard and Lion (which this one is not)

At this point I was just about ready to give up and toss it back to its owner with a curt “Just wipe it clean and start fresh” response when I came across this thread, which finally solved my problem. If you’ve read this far already, here’s how I finally managed to reset the password:

# fsck -y
# /sbin/mount -uw /
# /sbin/SystemStarter
# /usr/libexec/register_mach_bootstrap_server /etc/mach_init.d
# cd /var/db/netinfo
# netinfod -s local
# passwd <short username>

What the #$%&!  I would-a-never figured this out in a million years!


Stop using .local as the top level domain for your LAN

If you live in a country like mine, where most networks are not publicly routable, you’ve probably given your LANs whimsical names so that they don’t have any chance of colliding with “real” domains on the internet. Of course, if you’re not pedantic (like me) you don’t bother to set up a DNS server since the network is not accessible from the outside anyway. However, for the few of you who do set up DNS servers on your local area networks I have one request. PLEASE PLEASE PLEASE do not use a .local top-level domain. I use .lan, and so should you.

The .local domain is what is called a pseudo-top-level domain. What does that mean? It means that it’s not an official top-level domain usable (routable) on the internet, but it has a semi-official standing because it is used in some applications. In the case of .local it is used by Multicast DNS (mDNS). Hosts that implement this service use .local as their domain name and have their own way of resolving names. Normally, this wouldn’t be a problem; however, if you also run regular DNS on your network with .local as the top-level domain, the two resolution mechanisms compete and you get serious name resolution issues. I’ve seen this happen a lot on Linux systems, and I imagine Apple’s OS X will probably have these issues as well. Usually, on these types of networks you find that DNS name resolution doesn’t work at all or works only some of the time. In the end, you end up having to use IP addresses all the time because you don’t know whether a name might resolve or not (which negates the whole point of having a DNS server in the first place).

So, instead of naming your PCs server.mycompany.local, boss.mycompany.local, and sec.mycompany.local, use server.mycompany.lan, boss.mycompany.lan, and sec.mycompany.lan. I’ve been doing it for many years and haven’t had any problems.


P.S. – Please, also make sure to turn recursion off on your DNS server so that you don’t clog the internetz with spurious DNS requests for hosts on your internal domain.

www Prefix No Longer Considered Mandatory

Lately I’ve been noticing a lot of ‘.et’ websites require you to type ‘www’ in front of the domain name for the website to come up. This used to be OK during the early days of the internet when everybody was hand crafting HTML in Notepad and Altavista was the search engine of choice. Not any more. In an age where ‘’ works just as well as ‘’ (and is in fact considered common sense) this seems rather counter-intuitive to me. So, here’s my modest contribution to making the Ethiopian web just a bit more user-friendly.

When you come down to it, it’s actually rather easy.  You just have to define an additional resource record for the domain that points to the same IP Address as your ‘www’ record.  But before we get to that let’s look at the basic structure of a zone file first.

A zone file consists of directives, resource records, and comments. The first thing in your zone file, other than comments, should be a $TTL directive. This should be followed by an $ORIGIN directive and an SOA record.

$TTL 24h
$ORIGIN example.com.          ; placeholder zone name
@    IN    SOA   ns1.example.com. hostmaster.example.com. (   ; primary name server and admin mailbox (placeholders)
                           2012091601   ; serial
                           1d           ; refresh
                           15           ; retry
                           3w           ; expiry
                           3h           ; negative TTL
                           )

Make note of the origin directive in the above snippet. This is crucial to what we will be doing next. This directive is used to determine the fully qualified domain name (FQDN) of an unqualified resource. Basically, it means that when we encounter a name in the zone file that doesn’t end with a dot ‘.’, the origin will be tacked on at the end of it. For the above example ‘www’ would become ‘’. If your zone file doesn’t have an $ORIGIN, BIND will substitute the zone name from the named.conf configuration file.

Next, we have our DNS and mail servers:

               IN        NS
               IN        NS
               IN        MX 10

Lastly, we define resource records for each of the hosts in our domain.  In our case we will define only 2 records: one for ‘’ and another one for ‘’.

@        IN        A
www      IN        A

The magic happens in the first line. The ‘@’ label is replaced by the value in the $ORIGIN directive. So, effectively the last two lines could also be written as:

                 IN        A
www              IN        A

Since both names point to the same IP Address, typing ‘’ in the address bar of your browser has the same effect as ‘’.
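To make the $ORIGIN expansion concrete, here is a toy zone-file walker written for this post (it is not BIND’s code or the post’s own). It applies the rules described above: ‘@’ becomes the origin, a name without a trailing dot gets the origin appended, a blank owner repeats the previous one, and parenthesised records such as the SOA span several lines. The zone text, example.com and 203.0.113.10 are constructed placeholders.

```python
# Toy BIND-style zone parser (added example, not the post's own code). It shows
# how $ORIGIN is appended to unqualified owner names and how '@' becomes the
# origin itself, so '@ IN A' and 'www IN A' resolve to the same address.
# The zone text, example.com and 203.0.113.10 are constructed placeholders.

SAMPLE_ZONE = """\
$TTL 24h
$ORIGIN example.com.
@    IN  SOA  ns1.example.com. hostmaster.example.com. (
              2012091601 1d 15m 3w 3h )  ; serial refresh retry expire neg-TTL
     IN  NS   ns1.example.com.
     IN  MX   10 mail.example.com.
@    IN  A    203.0.113.10
www  IN  A    203.0.113.10
"""

def qualify(name, origin):
    """'@' is the origin; no trailing dot means 'append the origin'."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, zone_name=None):
    """Return {(fqdn, rtype): [rdata tokens, ...]}; zone_name stands in for
    the named.conf zone name BIND uses when the file has no $ORIGIN."""
    origin, last_owner, records, buf, depth = zone_name, None, {}, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]           # strip ';' comments
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                         # still inside a ( ... ) record
            continue
        joined, buf = " ".join(buf), []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):         # directive: only $ORIGIN matters here
            origin = tokens[1] if tokens[0] == "$ORIGIN" else origin
            continue
        owner = last_owner if joined[0].isspace() else tokens.pop(0)  # blank owner repeats the previous one
        last_owner = owner
        if origin is None:
            raise ValueError("unqualified name with no $ORIGIN or zone name")
        if tokens[0].upper() in ("IN", "CH", "HS"):   # optional class; a TTL field is not handled
            tokens.pop(0)
        records.setdefault((qualify(owner, origin), tokens[0].upper()), []).append(tokens[1:])
    return records

def resolve_a(records, fqdn):
    """Addresses a resolver would get back for an A query on fqdn."""
    return [rdata[0] for rdata in records.get((fqdn, "A"), [])]
```

Running `resolve_a(parse_zone(SAMPLE_ZONE), "example.com.")` and the same for `"www.example.com."` both return the single placeholder address, which is the whole point of the apex ‘@’ record.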