Apple Mac OS X Server manual


A good user manual

The rules should oblige the seller to give the purchaser the operating instructions for Apple Mac OS X Server along with the item. The lack of instructions, or false information given to the customer, constitutes grounds for a complaint because of nonconformity of the goods with the contract. In accordance with the law, a customer can receive the instructions in non-paper form; lately, graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instructions are unambiguous and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of Apple Mac OS X Server one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.

Unfortunately, only a few customers devote their time to read an instruction of Apple Mac OS X Server. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.

What should a perfect user manual contain?

First and foremost, a user manual of Apple Mac OS X Server should contain:
- information concerning technical data of Apple Mac OS X Server
- name of the manufacturer and a year of construction of the Apple Mac OS X Server item
- rules of operation, control and maintenance of the Apple Mac OS X Server item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from certainty about the functionalities of purchased items. Unfortunately, networking and start-up of Apple Mac OS X Server alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of Apple Mac OS X Server, and methods of problem resolution. Finally, when one still can't find the answer to his problems, he will be directed to the Apple service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of Apple Mac OS X Server.

Why should one read the manuals?

It is mostly in the manuals where we will find the details concerning the construction and capabilities of the Apple Mac OS X Server item, and its use of respective accessories, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment to get to know every part of the instructions. Currently the manuals are carefully prepared and translated, so they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    Mac OS X Server Command-Line Administration For Version 10.4 or Later Second Edition[...]

  • Page 2

    Apple Computer, Inc. © 2006 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of thi[...]

  • Page 3

    3 1 Contents Preface 15 About This Guide 16 Using This Guide 16 Understanding Notation Conventions 16 Summary 16 Commands and Other Terminal Text 16 Command Parameters and Options 17 Default Settings 17 Commands Requiring Root Privileges 18 Getting Documentation Updates 18 Getting Additional Information Chapter 1 21 Executing Commands 2[...]

  • Page 4

    4 Contents 34 What is an SSH Man-in-the-Middle Attack? 34 Controlling Access to SSH Service 35 Connecting to a Remote Computer 35 Using SSH 36 Using Telnet Chapter 3 37 Installing Server Software and Finishing Basic Setup 37 Installing Server Software 38 Locating Computers for Installation 39 Specifying the Target Computer Volume 39 Pr[...]

  • Page 5

    Contents 5 59 Viewing or Changing Sleep Settings 59 Viewing or Changing Automatic Restart Settings 60 Changing the Power Management Settings 60 Viewing or Changing the Startup Disk Settings 61 Viewing or Changing the Sharing Settings 61 Viewing or Changing Remote Login Settings 61 Viewing or Changing Apple Event Response 61 Viewing or Changing t[...]

  • Page 6

    6 Contents 79 Computer Name 79 Hostname 80 Bonjour Name 80 Managing Preference Files and the Configuration Daemon 81 Changing Network Locations Chapter 7 83 Working with Disks and Volumes 83 Understanding Disks, Partitions, and the File System 83 Mounting and Unmounting Volumes 84 Mounting Volumes 84 Unmounting Volumes 85 Displaying Disk In[...]

  • Page 7

    Contents 7 107 Modifying a User Account 108 Creating a Mobile User Account 109 Managing Home Folders 110 Administering Group Accounts 111 Creating a Group Account 112 Removing a Group Account 113 Adding a User to a Group 114 Removing a User from a Group 116 Creating and Deleting Nested Group 117 Editing Group Records 118 Creating a[...]

  • Page 8

    8 Contents 142 Disconnecting AFP Users 143 Canceling a User Disconnect 144 Listing AFP Service Statistics 145 Viewing AFP Log Files 146 Managing the NFS Service 146 Starting and Stopping NFS Service 146 Checking NFS Service Status 146 Viewing NFS Service Settings 146 Changing NFS Service Settings 147 Managing the FTP Servic[...]

  • Page 9

    Contents 9 167 Pausing a Queue 167 Listing Jobs and Job Information 168 Holding a Job 169 Viewing Print Service Log Files 169 Viewing Cover Pages Chapter 11 171 Working with NetBoot Service and System Images 171 Understanding the NetBoot Service 171 Starting and Stopping NetBoot Service 172 Checking NetBoot Service Status 172 V[...]

  • Page 10

    10 Contents 200 Obtaining an SSL Certificate 200 Importing an SSL Certificate into the Keychain 200 Accessing the Server Certificates 201 Creating a Password File 202 Configuring Mailboxes 202 Enabling Sieve Scripting 203 Enabling Sieve Support Chapter 13 207 Working with Web Technologies 207 Understanding Web Technology 208 Managing the[...]

  • Page 11

    Contents 11 225 Checking the Status of DNS Service 225 Viewing DNS Service Settings 226 Changing DNS Service Settings 226 DNS Service Settings 226 List of DNS serveradmin Commands 226 Viewing the DNS Service Log 226 Listing DNS Service Statistics 227 Configuring IP Forwarding 227 Managing the Firewall Service 228 Firewall Startup 228 Sta[...]

  • Page 12

    12 Contents 246 Enabling IP Failover 247 Configuring IP Failover 248 Enabling PPP Dial-In 248 Restoring the Default Configuration for Server Services Chapter 15 251 Working with Open Directory 251 Understanding Open Directory 251 Using General Directory Tools 251 Testing Your Open Directory Configuration 252 Modifying a Directory[...]

  • Page 13

    Contents 13 274 Viewing Service Logs 274 Forcing QTSS to Reread its Preferences 275 Preparing Older Home Folders for User Streaming 275 Configuring Streaming Security 275 Resetting the Streaming Server Admin User Name and Password 276 Controlling Access to Streamed Media 276 Creating an Access File 278 Accessing Protected Media 2[...]

  • Page 14

    14 Contents[...]

  • Page 15

    15 Preface About This Guide This guide describes Mac OS X Server's command-line interface tools and commands, including the syntax, purpose, and parameters, as well as examples of usage and any output that they generate. This guide is written for system administrators familiar with administering and managing servers, storage, and networks [...]

  • Page 16

    16 Preface About This Guide Using This Guide This guide describes commands that perform functions used to configure and manage Mac OS X computers. Chapters in this guide describe sets of commands that work for specific aspects of the operating system. Use this guide to: • Learn which commands are available for specific tasks • Learn how the c [...]

  • Page 17

    Preface About This Guide 17 Parameters You Must Enter as Shown If you must enter a parameter as shown, it appears following the command in the same font. For example: $ doit -w later -t 12:30 To use the command in this example, enter the entire line as shown (without the $ and space). Parameter Values You Provide If you must provide a val[...]

  • Page 18

    18 Preface About This Guide Getting Documentation Updates Periodically, Apple posts revised guides and solution papers. To download the latest guides and solution papers in PDF format, go to the Mac OS X Server documentation webpage: www.apple.com/server/documentation. Getting Additional Information For more information, consult these reso[...]

  • Page 19

    Preface About This Guide 19 Mac OS X Server File Services Administration for Version 10.4 or Later Share selected server volumes or folders among server clients using these protocols: AFP, NFS, FTP, and SMB/CIFS. Mac OS X Server Print Service Administration for Version 10.4 or Later Host shared printers and manage their associated queues [...]

  • Page 20

    20 Preface About This Guide Mac OS X Server Xgrid Administration for Version 10.4 or Later Manage computational Xserve clusters using the Xgrid application. Mac OS X Server Glossary: Includes Terminology for Mac OS X Server, Xserve, Xserve RAID, and Xsan Interpret terms used for server and storage products. This guide ... tells you how to:[...]

  • Page 21

    1 21 1 Executing Commands In this chapter you will find out how to execute commands and view online information about commands and tools. A command-line interface is a way for you to manipulate your computer in situations where a graphical approach is not available. The Terminal application is the Mac OS X gateway to the BSD command-line [...]

  • Page 22

    22 Chapter 1 Executing Commands For example, if you’re using the default bash shell and the prompt displays as: server1:~ anne$ Where you are logged in to a computer named “server1” as the user named “anne,” and your current folder is anne’s home folder ( ~ ). Throughout this manual, wherever a command is shown as you might ent[...]

  • Page 23

    Chapter 1 Executing Commands 23 Modifying Flow Control Many commands are capable of receiving text input from the user and printing text out to the console. They do so using standard pipes, which are created by the shell and passed to the command automatically. The standard pipes include: • stdin—The standard input pipe is the means thro[...]

  • Page 24

    24 Chapter 1 Executing Commands Using Environment Variables Some commands require the use of environment variables for their execution. Environment variables are variables inherited by all commands executed in the shell’s context. The shell itself uses environment variables to store information, such as the name of the current user, [...]

  • Page 25

    Chapter 1 Executing Commands 25 Executing Commands and Running Tools To execute a command in the shell, you must enter the complete pathname of the tool’s executable file, followed by any arguments, and then press the Return key. If a command is located in one of the shell’s known folders, you can omit any path information and just [...]

  • Page 26

    26 Chapter 1 Executing Commands Correcting Typing Errors To correct a typing error before you press Return to execute the command, press Left Arrow or Right Arrow to skip over parts of the command you don’t want to change, press the Delete key to remove characters, enter regular characters to insert them, and finally press Return to exec[...]

  • Page 27

    Chapter 1 Executing Commands 27 Important: As the root user, you have sufficient privileges to do things that can cause your server to stop working properly. Don’t execute commands as the root user unless you know what you’re doing. Logging in as an administrator user and using sudo selectively might prevent you from making unintend[...]

  • Page 28

    28 Chapter 1 Executing Commands The following crontab entry schedules a scan operation to run and produce a summary at 23:50 every Sunday: 50 23 * * 0 /usr/local/vscanx --summary folder-name The following crontab entry schedules a scan operation to run on the uz folder at 10:15 a.m. every Saturday in accordance with options specified in a co[...]

  • Page 29

    Chapter 1 Executing Commands 29 When you use more or less, an information bar appears at the bottom of the screen. When you see the bar, you can press the Space bar to go to the next page, the B key to go back a page, or the Return key to scroll the file forward one line at a time. When you get to the end of a file, more will return you to the[...]

  • Page 30

    30 Chapter 1 Executing Commands[...]

  • Page 31

    2 31 2 Connecting to Remote Computers In this chapter you will find commands you can use to connect to remote computers. Connecting to remote computers helps you manage and configure resources efficiently. This chapter covers using SSH and Telnet to connect to remote computers. Understanding Secure Shell Secure Shell (SSH) lets you send [...]

  • Page 32

    32 Chapter 2 Connecting to Remote Computers You should be aware of the following SSH tools: • sshd—Daemon that acts as a server to all other commands • ssh—Primary user tool: remote shell, remote command, and port-forwarding sessions • scp—Secure copy, a tool for automated file transfers • sftp—Secure FTP, a replacement for [...]

  • Page 33

    Chapter 2 Connecting to Remote Computers 33 Copy the resultant public file, which contains the local computer’s public key to the user’s home folder in .ssh/ on the remote computer. The next time you log in to the remote computer from the local computer you won’t need to enter a password. Note: If you are using an Open Directory us[...]

  • Page 34

    34 Chapter 2 Connecting to Remote Computers What is an SSH Man-in-the-Middle Attack? An attacker may be able to get access to your network and compromise proper routing information, such that packets intended for a remote computer are instead routed to the attacker who impersonates the remote computer to the local computer and the local comput[...]

  • Page 35

    Chapter 2 Connecting to Remote Computers 35 Connecting to a Remote Computer You can connect to a remote computer using SSH (secure) or Telnet (non-secure). Using SSH Use the ssh tool to create a secure shell connection to a remote computer. To access a remote computer using ssh: 1 Open Terminal. 2 Enter the following command to log in t[...]

  • Page 36

    36 Chapter 2 Connecting to Remote Computers Using Telnet Use the telnet tool to create a Telnet connection to a remote computer. Because it isn’t as secure as SSH, Telnet access is disabled by default. To enable Telnet access: $ service telnet start To disable Telnet access: $ service telnet stop You are strongly advised not to enabl[...]

  • Page 37

    3 37 3 Installing Server Software and Finishing Basic Setup In this chapter you will find commands you can use to install, set up, and update Mac OS X Server software on local or remote computers. Some computers come with Mac OS X Server software already installed. However, you might want to upgrade from a previous version, change a c[...]

  • Page 38

    38 Chapter 3 Installing Server Software and Finishing Basic Setup If the target computer is an Xserve with a built-in optical drive, start the computer using the first installation disc by following the instructions for starting from a system disc in the Xserve User’s Guide. If the target computer is an Xserve with no built-in optical drive [...]

  • Page 39

    Chapter 3 Installing Server Software and Finishing Basic Setup 39 Note: To locate computers, you must have booted the computer from the installation CD. To list computers on the local network: $ /System/Library/ServerSetup/sa_srchr 224.0.0.1 The sa_srchr tool uses the broadcast address 224.0.0.1 to request a response (via sa_rspndr) from [...]

  • Page 40

    40 Chapter 3 Installing Server Software and Finishing Basic Setup You can also use diskutil to partition the volume and to set up mirroring. For more information, see the diskutil man page or Chapter 7, “Working with Disks and Volumes,” on page 83. Important: Don’t store data on the hard disk partition where the operating system is in[...]

  • Page 41

    Chapter 3 Installing Server Software and Finishing Basic Setup 41 You can define generic setup data that can be used to set up any computer. For example, you might want to define generic setup data for a computer that’s on order, or to configure 50 Xserve computers you want to be identically configured. You can also save setup data that[...]

  • Page 42

    42 Chapter 3 Installing Server Software and Finishing Basic Setup • partial-IP-address-of-server.plist—For example, 10.0.plist (matches 10.0.0.4 and 10.0.1.2). • generic.plist—A file that any server will recognize, used to set up servers that need the same setup values. Server Assistant uses the file to set up the computer with t[...]

  • Page 43

    Chapter 3 Installing Server Software and Finishing Basic Setup 43 Working with an Encrypted Configuration File If the setup data in the configuration file is encrypted, make the passphrase available to the target computer or computers. You can supply the passphrase interactively using Server Assistant, or you can provide it in a text f[...]

  • Page 44

    44 Chapter 3 Installing Server Software and Finishing Basic Setup The following example shows the basic structure and contents of a configuration file for a computer with the following configuration: • An administrator user named “Administrator” (short name “admin”) with a user ID of 501 and the password “secret” • A computer n[...]

  • Page 45

    Chapter 3 Installing Server Software and Finishing Basic Setup 45 <string>0</string> <key>DefaultScript</key> <string>0</string> <key>ResID</key> <integer>0</integer> <key>ResName</key> <string>U.S.</string> <key>ScriptID</key> <integer>0</integ[...]

  • Page 46

    46 Chapter 3 Installing Server Software and Finishing Basic Setup <key>ServiceNTP</key> <dict> <key>HostNTP</key> <false/> <key>HostNTPServer</key> <string>Local</string> <key>UseNTP</key> <false/> </dict> <key>ServicesAutoStart</key> <dict> <ke[...]

  • Page 47

    Chapter 3 Installing Server Software and Finishing Basic Setup 47 Storing a Configuration File in an Accessible Location Server Assistant looks for configuration files in the following location: /Volumes/vol/Auto Server Setup/ where vol is any device volume mounted in /Volumes. Devices you can use to provide configuration files include: [...]

  • Page 48

    48 Chapter 3 Installing Server Software and Finishing Basic Setup Changing Server Settings After initial setup, you can use a variety of commands to view or change Mac OS X Server configuration settings and services. Using the serversetup Tool The serversetup tool is located in /System/Library/ServerSetup. To run it, you can enter the ful[...]

  • Page 49

    Chapter 3 Installing Server Software and Finishing Basic Setup 49 • The default certificate format for SSLeay/OpenSSL is PEM. PEM format can contain private keys (RSA and DSA), public keys (RSA and DSA), and (x509) certificates. It stores data in Base64-encoded DER format with ASCII header and footer lines which makes it suitable for text-made[...]

  • Page 50

    50 Chapter 3 Installing Server Software and Finishing Basic Setup To validate a server software serial number: $ sudo serversetup -verifyServerSerialNumber serialnumber watermarkinformation Displays 0 if the serial number is valid, or 1 if the serial number is invalid. Serial numbers generated for the server can be generated with watermarks so[...]

  • Page 51

    Chapter 3 Installing Server Software and Finishing Basic Setup 51 This creates an environment variable named command_line_install that automates the update responses. See the softwareupdate man page for more information about the command. Moving a Server Try to place a server in its final network location (subnet) before setting it up for [...]

  • Page 52

    52 Chapter 3 Installing Server Software and Finishing Basic Setup[...]

  • Page 53

    4 53 4 Restarting or Shutting Down a Computer In this chapter you will find commands you can use to shut down or restart a local or remote computer. Computers often must be shut down or restarted, whether locally or remotely, when installing new tools or making computer repairs. This chapter covers the commands needed to shut down or rest[...]

  • Page 54

    54 Chapter 4 Restarting or Shutting Down a Computer Changing a Remote Computer’s Startup Disk You can change a remote computer’s startup disk using SSH. To change the startup disk: Log in to the remote computer using SSH and enter: $ bless -folder "/Volumes/disk/System/Library/CoreServices" -setBoot For information about[...]

  • Page 55

    Chapter 4 Restarting or Shutting Down a Computer 55 Monitoring and Restarting Critical Services In earlier versions of Mac OS X, a daemon called watchdog monitored critical services and restarted them if they failed or quit unexpectedly after a computer restarted. The watchdog daemon relied on the configuration file watchdog.conf, located in /et[...]

  • Page 56

    56 Chapter 4 Restarting or Shutting Down a Computer[...]

  • Page 57

    5 57 5 Setting General System Preferences In this chapter you will find commands you can use to set system preferences, usually set using the System Preferences graphical application. You can use Mac OS X Server to manage the work environment of Mac OS X users by defining preferences. Preferences are settings that customize and con[...]

  • Page 58

    58 Chapter 5 Setting General System Preferences Viewing or Changing the System Date To view the current system date: $ sudo systemsetup -getdate or $ serversetup -getDate To set the current system date: $ sudo systemsetup -setdate mm:dd:yy or $ sudo serversetup -setDate mm/dd/yy Viewing or Changing the System Time To view the current system [...]

  • Page 59

    Chapter 5 Setting General System Preferences 59 To enable or disable use of a network time server: $ sudo systemsetup -setusingnetworktime (on|off) To view the current network time server: $ sudo systemsetup -getnetworktimeserver To specify a network time server: $ sudo systemsetup -setnetworktimeserver timeserver Viewing or Changing the Energy[...]

  • Page 60

    60 Chapter 5 Setting General System Preferences To see if the system is set to restart after a system freeze: $ sudo systemsetup -getrestartfreeze To set the system to restart after a system freeze: $ sudo systemsetup -setrestartfreeze (on|off) Changing the Power Management Settings You can use the pmset tool to change a variety of power [...]

  • Page 61

    Chapter 5 Setting General System Preferences 61 To change the current startup disk: $ sudo systemsetup -setstartupdisk path Viewing or Changing the Sharing Settings You can use the systemsetup tool to view or change Sharing settings. These can also be set using the Sharing pane of System Preferences. Viewing or Changing Remote Login Settings Y [...]

  • Page 62

    62 Chapter 5 Setting General System Preferences Viewing and Changing the Login Settings You can enable or disable the Restart and Shutdown buttons that appear in the login dialog. To disable or enable the Restart and Shutdown buttons in the login dialog: $ sudo serversetup -setDisableRestartShutdown (0|1) 0 disables the buttons and 1 enables the [...]

  • Page 63

    6 63 6 Setting Network Preferences In this chapter you will find commands you can use to change the network settings on a server. Mac OS X Server provides command-line control to manage servers in a mixed-platform environment and to configure, deploy, and manage powerful network services. These tools make it easy to configure and maint[...]

  • Page 64

    64 Chapter 6 Setting Network Preferences Managing Network Interface Information This section describes commands you address to a specific hardware device (for example, en0) or port (for example, Built-in Ethernet). If you prefer to work with network port configurations following the approach used in the Network preferences pane of Syste[...]

  • Page 65

    Chapter 6 Setting Network Preferences 65 Viewing or Changing Media Settings To view the media settings for a port: $ sudo networksetup -getMedia (devicename|"portname") To list valid media settings for a port: $ sudo networksetup -listValidMedia (devicename|"portname") To change the media settings for a port: $ sudo[...]

  • Page 66

    66 Chapter 6 Setting Network Preferences To change the order of the port configurations: $ sudo networksetup -ordernetworkservices config1 config2 [config3] [...] Managing TCP/IP Settings TCP/IP is a set of layered protocols that allow shared applications between computers on a high-speed network. You can use the following commands to chan[...]

  • Page 67

    Chapter 6 Setting Network Preferences 67 To change a server’s IP address: 1 Run the changeip tool: $ changeip [(directory|-)] old-ip new-ip [old-hostname new-hostname] See the changeip man page for more information and examples. 2 Use the networksetup or serversetup tool (or the Network pane of System Preferences) to change the server [...]

  • Page 68

    68 Chapter 6 Setting Network Preferences To list TCP/IP settings for a configuration: $ sudo networksetup -getinfo "configuration" For example, for Built-In Ethernet, the computer responds with the following output: $ networksetup -getinfo "Built-In Ethernet" Manual Configuration IP Address: 192.168.10.12 Subnet mask: 255.2[...]

  • Page 69

    Chapter 6 Setting Network Preferences 69 Viewing or Changing DNS Servers You can use the serversetup tool to view and modify the Domain Name Server (DNS) settings. To view the DNS servers for port en0: $ serversetup -getDefaultDNSServer (devicename|"portname") To change the DNS servers for port en0: $ sudo serversetup -setDefault[...]

  • Page 70

    70 Chapter 6 Setting Network Preferences Enabling TCP/IP Use the serversetup tool to enable or disable TCP/IP on a computer. To enable TCP/IP on a particular port: $ serversetup -EnableTCPIP [(devicename|"portname")] If you don’t provide an interface, en0 is assumed. To disable TCP/IP on a particular port: $ serversetup -D[...]

  • Page 71

    Chapter 6 Setting Network Preferences 71 Configuring a Network Interface You can configure a network interface for TCP/IP using ifconfig. This tool is used to bring the interface up or down and set the interface IP address and subnet mask. To add an Ethernet interface to a bond virtual device (pseudo device): $ ifconfig bond_interface_name [...]

  • Page 72

    72 Chapter 6 Setting Network Preferences To display a bond status: $ sudo networksetup -showBondStatus bond Managing AppleTalk Settings AppleTalk is a suite of protocols developed to implement file sharing, mail service, and printing between Apple computers. Use the serversetup tool to enable or disable AppleTalk. To enable AppleTalk [...]

  • Page 73

    Chapter 6 Setting Network Preferences 73 Installing SNMP To use SNMP for monitoring or data collection, an SNMP agent (snmpd) must be running on the monitored Mac OS X Server host computer. Mac OS X Server version 10.1.5 or later includes a version of SNMP (UCD-SNMP v. 4.2.3 or later). If you do not have the file /usr/sbin/snmpd, then SNM[...]

  • Page 74

    74 Chapter 6 Setting Network Preferences To start SNMP on Mac OS X 10.4 client computers by modifying the hostconfig file: Mac OS X 10.4 client systems already have the SNMPSERVER:=-NO- line in their hostconfig file by default. 1 Open the /etc/hostconfig file. 2 Locate the line: SNMPSERVER=-NO- 3 Change NO to YES. 4 Save the file. Note: S[...]

  • Page 75

    Chapter 6 Setting Network Preferences 75 To customize the data provided by snmpd, you may add an snmpd.conf file using /usr/bin/snmpconf: $ sudo /usr/bin/snmpconf -i You will then see a series of text menus. Make these choices in this order: 1 Select File: 1 (snmpd.conf) 2 Select section: 5 (System Information Setup) 3 Select section: 1 [...]

  • Page 76

    76 Chapter 6 Setting Network Preferences To gather SNMP information in bulk: $ sudo snmpwalk -v 1 -c public localhost This will list multiple entries of SNMP data similar to the following output, where system name and location are defined in the snmp.conf file. SNMPv2-MIB::sysName.0 - system name SNMPv2-MIB::sysLocation.0 - system location SNMPv[...]

  • Page 77

    Chapter 6 Setting Network Preferences 77 To enable or disable the FTP proxy for a configuration: $ sudo networksetup -setftpproxystate "configuration" (on|off) Viewing or Changing Web Proxy Settings To view the web proxy information for a configuration: $ sudo networksetup -getwebproxy "configuration" To set the web[...]

  • Page 78

    78 Chapter 6 Setting Network Preferences Viewing or Changing SOCKS Firewall Proxy Settings To view the SOCKS firewall proxy information for a configuration: $ sudo networksetup -getsocksfirewallproxy "configuration" To set the SOCKS firewall proxy information for a configuration: $ sudo networksetup -setsocksfirewallproxy "[...]

  • Page 79

    Chapter 6 Setting Network Preferences 79 Managing the Computer, Host, and Bonjour Names These names are used by networking applications to identify a computer. Computer Name The computer name is the local name of a computer. This name is typically assigned to the computer when the operating system is installed. Use the serversetup tool to v[...]

  • Page 80

    80 Chapter 6 Setting Network Preferences Bonjour Name Bonjour, also known as zero-configuration networking, enables automatic discovery of computers, devices, and services on IP networks. Bonjour uses industry-standard IP protocols to allow devices to automatically discover each other without the need to enter IP addresses or configure DNS[...]

  • Page 81

    Chapter 6 Setting Network Preferences 81 Each item on the list is a piece of information stored by configd, sorted by type. Setup indicates information that has been read from a configuration file. State indicates information that represents the actual state of the computer. File indicates stored information as of the last time the configura[...]

  • Page 82

    82 Chapter 6 Setting Network Preferences To view the current locations: $ scselect The computer will respond with output similar to the following: Defined sets include: (* == current set) * 0 (Automatic) 1 (AirPort) 2 (Home Office) To change the location, enter the number of the location listed that you want to switch to: $ scselect 1 In this[...]

  • Page 83

    7 83 7 Working with Disks and Volumes In this chapter you will find commands that are used to initialize and test disks and volumes. Computers use disks and partitions to store and organize data. This chapter covers the commands that are used to manage, configure, initialize, and test disks and volumes. Understanding Disks, Partitions, and [...]

  • Page 84

    84 Chapter 7 Working with Disks and Volumes Mounting Volumes You can use the mount tool with parameters appropriate to the type of file system you want to mount, or use one of these file-system–specific mount commands: • mount_afp for Apple File Protocol (AppleShare) volumes • mount_cd9660 for ISO 9660 volumes • mount_cddafs for CD Dig[...]

  • Page 85

    Chapter 7 Working with Disks and Volumes 85 Displaying Disk Information The df tool located in /bin is designed to display free disk space. In addition, df is a useful way to find out what your current disk partitions are, how much space each one takes up, which block each partition starts on, which device file is associated with each partit[...]

  • Page 86

    86 Chapter 7 Working with Disks and Volumes When enabled, diskspacemonitor uses information in a configuration file to determine when to execute alert and recovery scripts for reclaiming disk space: • The configuration file is /etc/diskspacemonitor/diskspacemonitor.conf. It lets you specify how often you want to monitor disk space, and [...]

  • Page 87

    Chapter 7 Working with Disks and Volumes 87 The scripts use values in the following configuration files to determine whether and how to reclaim space: • The script /etc/periodic/daily/600.daily.server runs daily. Its configuration file is /etc/diskspacemonitor/daily.server.conf. • The script /etc/periodic/weekly/600.weekly.server is [...]

  • Page 88

    88 Chapter 7 Working with Disks and Volumes To list the disks currently known and available on the computer: $ diskutil list If your system is an Xserve computer, you can use this command to determine which drive is in which bay. To get mount info about a partition: $ diskutil info diskvol This command tells you the device file that corresp[...]

  • Page 89

    Chapter 7 Working with Disks and Volumes 89 To format a Mac OS Extended volume as case-sensitive HFS+: $ sudo diskutil eraseVolume "Case-sensitive HFS+" newvolname volume See the diskutil man page for more options and information about repairing and modifying disks. Partitioning and Formatting Disks Disk partitions are subdivisions[...]

  • Page 90

    90 Chapter 7 Working with Disks and Volumes After a partition has been created on a device, the partition needs to be formatted before the computer will be able to store data on the device. Formatting a disk partition creates the volume and sets the file system. Labeling a Disk Once a disk is formatted, it needs to be labeled. The disklabel [...]

  • Page 91

    Chapter 7 Working with Disks and Volumes 91 Managing Disk Journaling A robust file system journaling feature is available to enhance the availability and fault tolerance of servers and server-attached storage devices. Journaling protects the integrity of the Mac OS Extended (HFS+) file system in the event of an unplanned shutdown or power fai[...]

  • Page 92

    92 Chapter 7 Working with Disks and Volumes /dev/disk0s9 on / (local, journaled) /dev/disk0s10 on /Volumes/OS 9.2.2 (local, journaled) Enabling Journaling When You Erase a Disk You can use the newfs_hfs tool to set up and enable journaling when you erase a disk. To enable journaling when erasing a disk: $ newfs_hfs -J -v volname device Disabling[...]

  • Page 93

    Chapter 7 Working with Disks and Volumes 93 3 Restart your server. To enable Spotlight on your server: 1 Open /etc/hostconfig for editing as root. 2 Change the value of the spotlight parameter to -YES-. You can also set the value of the SPOTLIGHT parameter to -YES- as follows: $ sudo /System/Library/ServerSetup/serversetup -setAutoStartSpotl[...]

  • Page 94

    94 Chapter 7 Working with Disks and Volumes Controlling Spotlight Indexing By default, indexing of volumes in Mac OS X Server is disabled. However, you can use the mdutil tool to enable or disable indexing on any volume. To enable indexing on a volume: Run the mdutil tool as root and set the indexing status to on. $ sudo mdutil -i on volume [...]

  • Page 95

    Chapter 7 Working with Disks and Volumes 95 To repair a failed mirror: $ diskutil repairMirror device slicenumber fromDisk toDisk Note: Xsan RAID volumes have their own set of commands, which are described in an appendix of the Xsan administrators guide. See the appendix for information about the megaraid tool, used for managing a PCI RAID card.[...]

  • Page 96

    96 Chapter 7 Working with Disks and Volumes To restore a volume from an image: $ sudo asr -source compressedimage -target targetvolume -erase See the asr man page for command syntax, limitations, and image preparation instructions.[...]

  • Page 97

    8 97 8 Working with Users and Groups In this chapter you will find commands you can use to set up and manage user and group accounts. With Mac OS X Server, you can quickly create and administer accounts for users and groups. There are several command-line tools that facilitate working with the directory domains that hold these accounts. Un[...]

  • Page 98

    98 Chapter 8 Working with Users and Groups Administering and Creating Accounts A user account stores data that Mac OS X Server needs to validate the user’s identity and provide services for the user. This section provides an overview of user accounts. User accounts, as well as group accounts and computer lists, can be stored in any Open [...]

  • Page 99

    Chapter 8 Working with Users and Groups 99 To create a local administrator user with a specific UID and home folder: $ sudo /System/Library/ServerSetup/serversetup -createUserWithIDIP fullname shortname password uid homedirpath The name, short name, password, and UID must be entered in the order shown. If the full name includes spaces, ente[...]

  • Page 100

    100 Chapter 8 Working with Users and Groups To find the GUID of the administrator user: > cd /Users/ > read adminusername GeneratedUID Checking a User’s Administrator Privileges Use the serversetup tool to verify the administrator privileges of a specific user. To see if a user is a server administrator: $ sudo /System/Library/Server[...]

  • Page 101

    Chapter 8 Working with Users and Groups 101 Important: Pick a user ID that isn’t on either list and that is greater than 501. 501 is the user ID of the local administrator user that gets created when you install Mac OS X Server. 2 Start the dscl tool in interactive mode, specifying the computer you are using as the source of directory se[...]

  • Page 102

    102 Chapter 8 Working with Users and Groups dscl displays the settings for your new user account, similar to the following output: apple-generateduid:1B2A3456-E7C8-9EC1-2345-678D912E3456 cn: anne johnson gidNumber: 99 HomeDirectory: /LDAPv3/ ipaddress /Users/ajohnson loginShell: /bin/bash objectClass: inetOrgPerson posixAccount shadowAccount app[...]

  • Page 103

    Chapter 8 Working with Users and Groups 103 Retrieving a User’s GUID When a user account is created, the computer generates a 128-bit integer called a globally unique identifier (GUID). This is stored in the LDAP directory. The GUID is used for permissions and for associating users with group memberships. In command-line tools, you might [...]

  • Page 104

    104 Chapter 8 Working with Users and Groups 3 Authenticate as an administrator by entering the following command, replacing adminusername with an administrator’s user name, and entering that administrator’s password when prompted: > auth adminusername 4 Delete the user account by entering the following command, replacing ajohnson wit[...]

  • Page 105

    Chapter 8 Working with Users and Groups 105 To terminate all of a user’s processes: After disabling the user account, you need to kill all of the user’s active processes that are currently running on the directory server. 1 Make all processes clean up and exit by entering the following command, replacing ajohnson with the user name: [...]

  • Page 106

    106 Chapter 8 Working with Users and Groups Checking a Server User’s Name, UID, or Password You can use the following commands to check the name, UID, or password of a user in the server’s local directory domain. Note: These tasks apply only to the local directory domain on the server. To see if a full name is already in use: $ s[...]

  • Page 107

    Chapter 8 Working with Users and Groups 107 Modifying a User Account You can change the value of an attribute in a user account by using dscl. There are many attributes that can be set for users. The following table describes some of the user account attributes you can modify using dscl: To change a user account attribute to a new value[...]

  • Page 108

    108 Chapter 8 Working with Users and Groups Creating a Mobile User Account Mobile accounts are network accounts that have been set up to be accessible even when the user is not connected to the server where the account resides. The mobile account user is provided with a local home folder on the computer the user is logged in to. This funct[...]

  • Page 109

    Chapter 8 Working with Users and Groups 109 To perform the post–login checks, refresh caches, and cache the current user’s mcx_settings: Enter the following, replacing usershortname with the user’s short name. $ sudo /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -U usershortname To flush the cache: $ sudo [...]

  • Page 110

    110 Chapter 8 Working with Users and Groups To create a home folder for users in the local domain: $ sudo createhomedir [(-a|-l|-n domain)] -u uid You can also create a user’s home folder using the serversetup tool. To create a home folder for a particular user: $ sudo /System/Library/ServerSetup/serversetup -createHomedir uid The command[...]

  • Page 111

    Chapter 8 Working with Users and Groups 111 Creating a Group Account You can create a new group account by using dscl and other tools. When you create a group account via the command line, you must also set values for basic attributes of a group account, such as short name and group ID. To add a group account: 1 Identify an unused group I[...]

  • Page 112

    112 Chapter 8 Working with Users and Groups 4 Authenticate as an administrator by entering the following command, replacing adminusername with your administrator user name, and entering your administrator password when prompted: > auth adminusername 5 Create a new group, replacing officegroup with the new group account’s short name [...]

  • Page 113

    Chapter 8 Working with Users and Groups 113 3 Authenticate as an administrator by entering the following command, replacing adminusername with your administrator user name, and entering your administrator password when prompted: > auth adminusername 4 Remove the group by entering the following command, replacing officegroup with the gr[...]

  • Page 114

    114 Chapter 8 Working with Users and Groups 6 Review the new settings of the group by entering the following command, replacing officegroup with the group account’s short name: > read officegroup dscl displays the settings for the group account, similar to the following output: apple-generateduid:4B3A5678-E9C1-2EC3-4567-891D234E5678 cn[...]

  • Page 115

    Chapter 8 Working with Users and Groups 115 4 View the current members of the group by entering the following (replacing officegroup with the group account’s short name): > read officegroup dscl displays the settings for the group account, similar to the following output where the group named officegroup has users mchen, ajohnson, and[...]

  • Page 116

    116 Chapter 8 Working with Users and Groups 7 Quit dscl by entering: > quit Creating and Deleting Nested Group Nested groups allow for one group (child) to be a member of a second group (parent), thus inheriting the permissions and attributes of the parent group. All members of a nested group will become child members of the parent group a[...]

  • Page 117

    Chapter 8 Working with Users and Groups 117 dscl displays the settings for the group account, similar to the following output where the group named parentgroup is shown as nested: apple-generateduid:4B3A5678-E9C1-2EC3-4567-891D234E5678 apple-group-nestedgroup:1A2B3456-C7D8-9EF1-2345-678G912H3456 cn: parentgroup gidNumber: 700 objectClass: posix[...]

  • Page 118

    118 Chapter 8 Working with Users and Groups This will prompt you for your diradmin password, which is much more secure than putting the password in the command you are sending. See the dseditgroup man page for more information. Creating a Group Folder A group folder facilitates the sharing of files between members of a group. Once you set u[...]

  • Page 119

    Chapter 8 Working with Users and Groups 119 Importing Users and Groups You can use dsimport to import user and group accounts. into a folder. The dsimport tool permits logging at three levels with the -l switch. You can use the dsimport tool to import any number of records from a flexible text–delimited file. See the dsimport man page for m[...]

  • Page 120

    120 Chapter 8 Working with Users and Groups Open Directory supports up to 200,000 records. For a local NetInfo directory, make sure the file contains no more than 10,000 records. 2 Log in as the administrator of the directory domain you want to import accounts into. 3 Use the dsimport tool to import users and groups. For example, to import[...]

  • Page 121

    Chapter 8 Working with Users and Groups 121 • List of attributes For user accounts, the list of attributes must include the following, although you can omit UID and PrimaryGroupID if you specify a starting UID and a default primary group ID when you import the file: • RecordName (the user’s short name) • Password • UniqueID (the UID) [...]

  • Page 122

    122 Chapter 8 Working with Users and Groups Matt Mitchell:/bin/tcsh As these examples illustrate, you can use the prefix dsAttrTypeStandard: when referring to an attribute, or you can omit the prefix. When you use Workgroup Manager to export character-delimited files, it uses the prefix in the generated file. When importing user passwords, y[...]

  • Page 123

    Chapter 8 Working with Users and Groups 123 Setting Permissions To control access to your information, Mac OS X automatically sets permissions for disks, folders, and files. You can only change permissions to items that you own. Be sure that the default permissions are appropriate. For most purposes, files should be accessible to the other me[...]

  • Page 124

    124 Chapter 8 Working with Users and Groups • The following file (-) displays read, write, and executable permissions for owner (rwx), but no permissions for group (---) or others (---): -rwx------ • The following file (-) displays read and write, but no executable permissions for owner (rw-), group (rw-), and others (rw-): -rw-rw-rw- • The[...]

  • Page 125

    Chapter 8 Working with Users and Groups 125 This command affects the permissions on files and folders created by programs that respect the Mac OS X NSUmask settings. Programs should follow the value set for NSUmask, but there is no guarantee that they will. Also, users can override their own NSUmask setting at any time. The changes to the umas[...]

  • Page 126

    126 Chapter 8 Working with Users and Groups Changing the Owner Use the chown tool to change the owner of a file or folder. $ chown username fileorfolder To change the owner of file1 to the user jdoe: $ chown jdoe file1 See the chown man page for more information. Changing the Group Use the chgrp tool to change the group of a file or folder. $[...]

  • Page 127

    Chapter 8 Working with Users and Groups 127 Securing the Root Account Mac OS X Server includes a root account like other UNIX-based systems. Initially, its password is set to that of the first administrator account. Direct root login should not be allowed, because the logs cannot identify which administrator logged in. Instead, accounts with [...]

  • Page 128

    128 Chapter 8 Working with Users and Groups Note: There is a timeout value associated with the sudo tool. This value indicates the number of minutes until the sudo tool prompts for a password again. The default value is 5, which means that after issuing the sudo command and entering the correct password, additional sudo commands can be ente[...]

  • Page 129

    Chapter 8 Working with Users and Groups 129 5 If the computer did start up in single-user mode, restart the computer by issuing the command reboot. Then repeat the previous steps for putting the computer into command mode. Open Firmware protection can be violated if the user has physical access to the computer; if the user changes the physical[...]

  • Page 130

    130 Chapter 8 Working with Users and Groups To change a user’s password: $ pwpolicy -n /LDAPv3/ipaddress -a adminusername -u usertochange -setpassword newpassword To view the global password policy: $ pwpolicy -getglobalpolicy To set the minimum password length to 5 characters: $ pwpolicy -n /LDAPv3/ipaddress -a adminusername -setglobalpo[...]

  • Page 131

    Chapter 8 Working with Users and Groups 131 To set the password policy of an individual user to change their password: $ pwpolicy -n /LDAPv3/ldap.apple.com -a adminusername -p adminpassword -u usertochange -setpolicy "newPasswordRequired=1" See the pwpolicy man page for more information. Finding User Account Information The lookup[...]

  • Page 132

    132 Chapter 8 Working with Users and Groups[...]

  • Page 133

    9 133 9 Working with File Services In this chapter you will find commands you can use to create share points and manage file services. Mac OS X Server allows you to set up central network storage that is accessible to clients throughout your organization. Using native protocols, it delivers file services to heterogeneous clients on your[...]

  • Page 134

    134 Chapter 9 Working with File Services Listing Share Points To list existing share points: $ sharing -l In the resulting list, there’s a section of properties similar to the following for each share point defined on the server (1 = yes, true, or enabled; 0 = false, no, or disabled). name: Share1 path: /Volumes/100GB afp: { name: Share1 s[...]

  • Page 135

    Chapter 9 Working with File Services 135 To create a share point that uses AFP, FTP, and SMB/CIFS protocols: Enter the following command, replacing 100GB with the name of the volume containing the share point and Archive with the actual share point name: $ sharing -a /Volumes/100GB/Archive To create a share point that appears differen[...]

  • Page 136

    136 Chapter 9 Working with File Services Disabling a Share Point To disable a share point: $ sharing -r sharepointname Managing the AFP Service Apple Filing Protocol (AFP) allows any Mac OS X computer to access shared folders on the server. Mac OS X Server uses Bonjour to provide automatic discovery of AFP file services, and shared di[...]

  • Page 137

    Chapter 9 Working with File Services 137 Changing AFP Settings You can change AFP service settings using the serveradmin tool. To change a setting: $ sudo serveradmin settings afp:setting = value To change several settings: $ sudo serveradmin settings afp:setting = value afp:setting = value afp:setting = value [...] Control-D List of AFP S[...]

  • Page 138

    138 Chapter 9 Working with File Services allowRootLogin Allow user to log in as root. Default = no attemptAdminAuth Allow an administrator user to masquerade as another user. Default = yes authenticationMode Authentication mode. Can be: standard kerberos standard_and_kerberos Default = "standard_and_kerberos" autoRestart Whether the AFP [...]

  • Page 139

    Chapter 9 Working with File Services 139 idleDisconnectTime Idle time (in minutes) allowed before disconnect. Default = 10 kerberosPrincipal Kerberos server principal name. Default = "afpserver" loggingAttributes: logCreateDir Record folder creations in the activity log. Default = yes loggingAttributes: logCreateFile Record file creation[...]

  • Page 140

    140 Chapter 9 Working with File Services List of AFP serveradmin Commands In addition to the standard start, stop, status, and settings commands, you can use serveradmin to execute the following service-specific AFP commands. See the examples in the following sections for details on how to use these commands. reconnectFlag Allow reconnect o[...]

  • Page 141

    Chapter 9 Working with File Services 141 Listing Connected Users You can use the getConnectedUsers command with the serveradmin tool to retrieve information about connected AFP users. In particular, you can use this command to retrieve the session IDs you need to disconnect or send messages to users. To list connected users: $ sudo serveradm[...]

  • Page 142

    142 Chapter 9 Working with File Services Sending a Message to AFP Users You can use the sendMessage command with the serveradmin tool to send a text message to connected AFP users. Users are specified by session ID. To send a message: $ sudo serveradmin command afp:command = sendMessage afp:message = "message-text" afp:sessionIDsArr[...]

  • Page 143

    Chapter 9 Working with File Services 143 The computer will respond with the following output: afp:command = "disconnectUsers" afp:messageSent = "<message>" afp:timeStamp = "<time>" afp:timerID = <disconnectID> <user listing> afp:status = <status> Canceling a User Disconnect You can use t[...]

  • Page 144

    144 Chapter 9 Working with File Services The computer will respond with the following output: afp:command = "cancelDisconnect" afp:timeStamp = "<time>" afp:status = <status> Listing AFP Service Statistics You can use the serveradmin getHistory command to display a log of periodic samples of the number of connect[...]

  • Page 145

    Chapter 9 Working with File Services 145 Viewing AFP Log Files You can use tail or any other file listing tool to view the contents of the AFP service logs. To view the latest entries in a log: $ tail log-file You can use the getLogPaths command with the serveradmin tool to see where the current AFP error and activity logs are located. To di[...]

  • Page 146

    146 Chapter 9 Working with File Services Managing the NFS Service Network File System (NFS) is a file service used to provide file sharing to UNIX and Linux systems. With NFS, Mac OS X Server can host data for UNIX application servers and provide integration with enterprise UNIX storage devices. Support for NFS file locking prevents overwriti[...]

  • Page 147

    Chapter 9 Working with File Services 147 Managing the FTP Service Mac OS X Server features a robust File Transfer Protocol (FTP) file service for Internet file sharing from any platform. The FTP protocol provides the broadest compatibility across platforms, making it ideal for anonymous downloads or sharing files that are too large to be s[...]

  • Page 148

    148 Chapter 9 Working with File Services Changing FTP Service Settings You can change FTP service settings using the serveradmin tool. To change a setting: $ sudo serveradmin settings ftp:setting = value To change several settings: $ sudo serveradmin settings ftp:setting = value ftp:setting = value ftp:setting = value [...] Control-D List[...]

  • Page 149

    Chapter 9 Working with File Services 149 bannerMessage Displays a banner message that appears when prompted to log in to the FTP. Customize to your own preferences. Default = "----------------------------------- This is the "Banner" message for the Mac OS X Server's FTP server process. FTP clients will receive this message im[...]

  • Page 150

    150 Chapter 9 Working with File Services List of FTP serveradmin Commands You can use the following commands with the serveradmin tool to manage FTP service. See the examples in the following sections for details on how to use these commands. Viewing the FTP Transfer Log You can use tail or any other file-listing tool to view the contents[...]

  • Page 151

    Chapter 9 Working with File Services 151 Managing the SMB/CIFS Service Mac OS X Server offers integration of Samba 3, a popular open-source project that delivers high-performance SMB/CIFS file and print services and Microsoft Windows NT domain services for Microsoft Windows clients. Support for native service discovery protocols means that [...]

  • Page 152

    152 Chapter 9 Working with File Services Changing SMB/CIFS Service Settings You can change SMB/CIFS service settings using the serveradmin tool. To change a setting: $ sudo serveradmin settings smb:setting = value To change several settings: $ sudo serveradmin settings smb:setting = value smb:setting = value smb:setting = value [...] Contr[...]

  • Page 153

    Chapter 9 Working with File Services 153 domain master Whether the server is providing Windows domain master browser service. Can be set to: yes | no This corresponds to the Domain Master Browser checkbox in the Advanced pane of Windows service settings in the Server Admin application. dos charset The code page being used. Can be set to: CP437 (L[...]

  • Page 154

    154 Chapter 9 Working with File Services max smbd processes The maximum allowed number of smbd server processes. Each connection uses its own smbd process, so this is the same as specifying the maximum number of SMB/CIFS connections. 0 means unlimited. This corresponds to the “maximum” client connections field in the Access pane of the Windows [...]

  • Page 155

    Chapter 9 Working with File Services 155 List of SMB/CIFS serveradmin Commands You can use these commands with the serveradmin tool to manage SMB/CIFS service. See the examples in the following sections for details on how to use these commands. Listing SMB/CIFS Users You can use the serveradmin getConnectedUsers command to retrieve informatio[...]

  • Page 156

    156 Chapter 9 Working with File Services Disconnecting SMB/CIFS Users You can use the serveradmin disconnectUsers command to disconnect SMB/CIFS users. Users are specified by session ID. To disconnect users: $ sudo serveradmin command smb:command = disconnectUsers smb:sessionIDsArray:_array_index:0 = sessionid1 smb:sessionIDsArray:_array_index:1[...]

  • Page 157

    Chapter 9 Working with File Services 157 Updating Share Point Information After you make a change to an SMB/CIFS share point using the sharing tool, you need to update the SMB/CIFS service information. To update SMB/CIFS share point information: $ sudo serveradmin command smb:command = syncPrefs Viewing SMB/CIFS Service Logs You can use tail [...]

  • Page 158

    158 Chapter 9 Working with File Services Using chmod to Modify ACLs Using chmod, you can add and delete ACEs for a file or a folder. Here are a few of the parameters to be used with ACLs: The following are some of the common permissions you can assign to files: The following are the permissions applicable to folders: To grant a user write [...]

  • Page 159

    Chapter 9 Working with File Services 159 To view the ACL of a file: Enter the following command, replacing file1 with the name of the file: $ ls -le file1 The output should look like the following: -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser 1: guest deny read 2: user1 allow write See the chmod man page for more information.[...]

  • Page 160

    160 Chapter 9 Working with File Services[...]

  • Page 161

    10 161 10 Working with the Print Service In this chapter you will find commands you can use to configure and manage the print service. The print service in Mac OS X Server lets you share network and direct-connect printers among clients on your network. The print service also includes support for managing print queues, monitoring print[...]

  • Page 162

    162 Chapter 10 Working with the Print Service CUPS includes both the System V (lp) and Berkeley (lpr) printing commands. CUPS supports many different file formats, including PostScript and image files, so you can print most files directly from the command line. The CUPS log files, located in /var/log/cups, include the following: • access_[...]

  • Page 163

    Chapter 10 Working with the Print Service 163 Checking the Status of Print Service To see summary status of print service: $ sudo serveradmin status print To see detailed status of print service: $ sudo serveradmin fullstatus print Viewing Print Service Settings To list print service configuration settings: $ sudo serveradmin settings print To[...]

  • Page 164

    164 Chapter 10 Working with the Print Service Print Service Settings Use the following parameters with the serveradmin tool to change settings for the print service. The log size limits apply to all CUPS logs: • /var/log/cups/error_log (CUPS general message log) • /var/log/cups/access_log (CUPS access log) • /var/log/cups/error_log (CUPS p[...]

  • Page 165

    Chapter 10 Working with the Print Service 165 Queue Data Array Print service settings include an array of values for each existing print queue. The array is a set of parameters that define values for each queue. The array of sharing services has been expanded to include IPP. This is the same service as Mac OS X version 10.3 printer sharing [...]

  • Page 166

    166 Chapter 10 Working with the Print Service The following is an example of a queue array parameter block: print:queuesArray:_array_id:my_printer:quotasEnforced = no print:queuesArray:_array_id:my_printer:sharingList:_array_index:0:service = "LPR" print:queuesArray:_array_id:my_printer:sharingList:_array_index:0:sharingEnable = no prin[...]

  • Page 167

    Chapter 10 Working with the Print Service 167 Listing Queues You can use the serveradmin getQueues command to list print service queues. $ sudo serveradmin command print:command = getQueues Pausing a Queue You can use the serveradmin setQueueState command to pause or release a queue. To pause a queue: $ sudo serveradmin command print:command =[...]

  • Page 168

    168 Chapter 10 Working with the Print Service For each job, the command lists: • Document name • Document size • Job ID • Submitting user • Submitting host • Job name • Job state • Job priority Holding a Job You can use the serveradmin setJobState command to hold or release a job. To hold a job: $ sudo serveradmin command print:command[...]

  • Page 169

    Chapter 10 Working with the Print Service 169 Viewing Print Service Log Files You can use tail or any other file-listing tool to view the contents of the print service logs. To view the latest entries in a log: $ tail log-file The following are the log files for the Print Service: • /var/log/cups/error_log (CUPS general message log) • /v[...]

  • Page 170

    170 Chapter 10 Working with the Print Service[...]

  • Page 171

    11 171 11 Working with NetBoot Service and System Images In this chapter you will find commands you can use to configure and manage the NetBoot Service and system images. NetBoot is used to host a standard operating system and application configuration on all of the clients in a network from the server. This chapter describes the commands us[...]

  • Page 172

    172 Chapter 11 Working with NetBoot Service and System Images Checking NetBoot Service Status To see if NetBoot service is running: $ sudo serveradmin status netboot To see complete NetBoot status: $ sudo serveradmin fullstatus netboot Viewing NetBoot Settings To list all NetBoot service settings: $ sudo serveradmin settings netboot Changing Ne[...]

  • Page 173

    Chapter 11 Working with NetBoot Service and System Images 173 Changing General Netboot Service Settings NetBoot allows client computers to start up from an operating system image stored on your server. Use the following parameters with the serveradmin tool to change settings for the NetBoot service. Storage Record Array A volume parameter arr[...]

  • Page 174

    174 Chapter 11 Working with NetBoot Service and System Images Filters Record Array An array of the following values appears in the NetBoot service settings for each computer explicitly allowed or denied access to images stored on the server. Image Record Array An array of the following values appears in the NetBoot service settings for eac[...]

  • Page 175

    Chapter 11 Working with NetBoot Service and System Images 175 Port Record Array An array of the following items is included in the NetBoot service settings for each network port on the server set to deliver images. Enabling NetBoot 1.0 for Older NetBoot Clients If you want older computers, such as tray-loading iMac or Power Macintosh G3 [...]

  • Page 176

    176 Chapter 11 Working with NetBoot Service and System Images Working with System Images A boot image is a file that looks and acts like a mountable disk or volume. NetBoot boot images contain the system software needed to act as a startup disk for client computers across the network. An installation image is a special boot image that boots t[...]

  • Page 177

    Chapter 11 Working with NetBoot Service and System Images 177 To split an image into three segments: $ hdiutil segment -segmentSize 10m -o /tmp/aseg 30m.dmg This creates three separate files: aseg.dmg, aseg.002.dmgpart, and aseg.003.dmgpart. To convert an image to a CD-R export image with a .toast extension: $ hdiutil convert master.dmg [...]

  • Page 178

    178 Chapter 11 Working with NetBoot Service and System Images To configure a client to receive a multicast stream: $ sudo asr -source asr://<hostname> -target <targetvol> -erase The client will receive the multicast stream from <hostname> and save it to a client. Add -erase to overwrite any existing image. Passing -erase wit[...]

  • Page 179

    12 179 12 Working with the Mail Service In this chapter you will find commands you can use to manage the mail service. Mac OS X Server provides a full complement of tools for setting up and managing email service for your users. You can use the commands described in this chapter to control the individual components that make up the mail [...]

  • Page 180

    180 Chapter 12 Working with the Mail Service The spool files for Postfix are located in /var/spool/postfix and the log file is /var/log/mail.log. See www.postfix.org for more information about postfix. Cyrus Cyrus was developed at Carnegie Mellon University with the purpose of creating a highly scalable enterprise mail system for use in s[...]

  • Page 181

    Chapter 12 Working with the Mail Service 181 Managing the Mail Service Mac OS X Server ships with some powerful tools to help administer your mail service. The following sections describe basic mail service functions. Starting and Stopping Mail Service To start mail service: $ sudo serveradmin start mail To stop mail service: $ sudo servera[...]

  • Page 182

    182 Chapter 12 Working with the Mail Service Mail Service Settings Use the following parameters with the serveradmin tool to change settings for the mail service. Parameter (mail:) Description postfix:message_size_limit Default = 10240000 postfix:readme_directory Default = no postfix:double_bounce_sender Default = "double-bounce" po[...]

  • Page 183

    Chapter 12 Working with the Mail Service 183 postfix:lmtp_sasl_password_maps Default = no postfix:smtp_sasl_password_maps Default = no postfix:qmgr_clog_warn_time Default = "300s" postfix:smtp_sasl_auth_enable Default = no postfix:smtp_skip_4xx_greeting Default = yes postfix:smtp_skip_5xx_greeting Default = yes postfix:stale_lock_time Def[...]

  • Page 184

    184 Chapter 12 Working with the Mail Service postfix:lmtp_connect_timeout Default = "0s" postfix:strict_7bit_headers Default = no postfix:unknown_hostname_reject_code Default = 450 postfix:virtual_alias_domains Default = "$virtual_alias_maps" postfix:lmtp_sasl_auth_enable Default = no postfix:queue_directory Default = "/pri[...]

  • Page 185

    Chapter 12 Working with the Mail Service 185 postfix:mail_spool_directory Default = "/var/mail" postfix:mailbox_delivery_lock Default = "flock" postfix:disable_dns_lookups Default = no postfix:mailbox_command_maps Default = "" postfix:default_destination_concurrency_limit Default = 20 postfix:2bounce_notice_recipient [...]

  • Page 186

    186 Chapter 12 Working with the Mail Service postfix:trigger_timeout Default = "10s" postfix:newaliases_path Default = "/usr/bin/newaliases" postfix:default_rbl_reply Default = "$rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}" postfix:alias_database Default = [...]

  • Page 187

    Chapter 12 Working with the Mail Service 187 postfix:fallback_transport Default = 0 postfix:owner_request_special Default = yes postfix:default_transport Default = "smtp" postfix:biff Default = yes postfix:relay_domains_reject_code Default = 554 postfix:smtpd_delay_reject Default = yes postfix:lmtp_quit_timeout Default = "300s" [...]

  • Page 188

    188 Chapter 12 Working with the Mail Service postfix:debug_peer_level Default = 2 postfix:in_flow_delay Default = "1s" postfix:smtpd_junk_command_limit Default = 100 postfix:program_directory Default = "/usr/libexec/postfix" postfix:smtp_quit_timeout Default = "300s" postfix:smtp_mail_timeout Default = "300s"[...]

  • Page 189

    Chapter 12 Working with the Mail Service 189 postfix:myhostname Default = "<hostname>" postfix:default_minimum_delivery_slots Default = 3 postfix:recipient_canonical_maps Default = no postfix:hash_queue_depth Default = 1 postfix:hash_queue_names:_array_index:0 Default = "incoming" postfix:hash_queue_names:_array_index:1 De[...]

  • Page 190

    190 Chapter 12 Working with the Mail Service postfix:strict_8bitmime Default = no postfix:virtual_transport Default = "virtual" postfix:berkeley_db_create_buffer_size Default = 16777216 postfix:broken_sasl_auth_clients Default = no postfix:home_mailbox Default = no postfix:content_filter Default = "" postfix:forward_path Default[...]

  • Page 191

    Chapter 12 Working with the Mail Service 191 postfix:bounce_notice_recipient Default = "postmaster" postfix:smtp_connect_timeout Default = "30s" postfix:fault_injection_code Default = 0 postfix:unknown_client_reject_code Default = 450 postfix:virtual_minimum_uid Default = 100 postfix:fast_flush_domains Default = "$relay_dom[...]

  • Page 192

    192 Chapter 12 Working with the Mail Service imap:pop_auth_clear Default = no imap:imapidresponse Default = yes imap:sasl_auto_transition Default = no imap:mupdate_port Default = "" imap:admins:_array_index:0 Default = "cyrus" imap:plaintextloginpause Default = 0 imap:popexpiretime Default = 0 imap:pop_auth_any Default = no imap[...]

  • Page 193

    Chapter 12 Working with the Mail Service 193 imap:autocreatequota Default = 0 imap:allowanonymouslogin Default = no imap:pop_auth_apop Default = yes imap:partition-default Default = "/var/spool/imap" imap:imap_auth_cram_md5 Default = no imap:mupdate_password Default = "" imap:idlesocket Default = "/var/imap/socket/idle[...]

  • Page 194

    194 Chapter 12 Working with the Mail Service Mail serveradmin Commands You can use the following commands with the serveradmin tool to manage mail service. Listing Mail Service Statistics You can use the serveradmin getHistory command to display a log of periodic samples of the number of user connections and the data throughput. Samples are[...]

  • Page 195

    Chapter 12 Working with the Mail Service 195 mail:samplesArray:_array_index:i:vn = <sample> mail:samplesArray:_array_index:i:t = <time> mail:v1Legend = "connections" afp:currentServerTime = <servertime> Viewing the Mail Service Logs You can use tail or any other file-listing tool to view the contents of the mail[...]

  • Page 196

    196 Chapter 12 Working with the Mail Service Backing Up the Mail Files When talking about mail-related backup, IMAP mailboxes are the first thing that come to mind. Aside from the IMAP folders, you might want to back up the configuration files for both Cyrus and Postfix. The value of backing up the configuration files is clear: it will save y[...]

  • Page 197

    Chapter 12 Working with the Mail Service 197 The largest database is the mailbox folders. Each mailbox folder contains the following files: • Message files—There is one file per message. The file name of each message is the message’s UID followed by a period. The UID is a unique ID that is given to each message. • cyrus.header—This [...]

  • Page 198

    198 Chapter 12 Working with the Mail Service Setting Up SSL for Mail Service Mail service requires some configuration to provide Secure Sockets Layer (SSL) connections automatically. The basic steps are as follows: • Generate a Certificate Signing Request (CSR) and create a keychain. • Obtain an SSL certificate from an issuing authority. • [...]

  • Page 199

    Chapter 12 Working with the Mail Service 199 8 Enter b when prompted to specify how this certificate will be used, and then press Return. Enter cert/key usage (s=signing, b=signing AND encrypting): 9 Enter s when prompted to select a signature algorithm, and then press Return. ...Generating key pair... Please specify the algorithm with which your[...]

  • Page 200

    200 Chapter 12 Working with the Mail Service Obtaining an SSL Certificate After generating a CSR and a keychain, you continue configuring mail service for automatic SSL connections by purchasing an SSL certificate from a certificate authority such as Verisign or Thawte. You can do this by completing a form on the certificate authority’s web[...]

  • Page 201

    Chapter 12 Working with the Mail Service 201 To list the certificates stored in the System keychain: $ certadmin list By default, certadmin will print the “Common Name” field of each certificate separated by newlines. Adding the option -x or --xml will print the certificate list to screen as an xml property list (plist). To export the g[...]

  • Page 202

    202 Chapter 12 Working with the Mail Service Configuring Mailboxes The mail service keeps track of incoming email messages with a small database (BerkeleyDB 4.2.52), but the database doesn’t contain the messages themselves. The mail service stores each message as a separate file in a mail folder for each user. This is the user’s mail[...]

  • Page 203

    Chapter 12 Working with the Mail Service 203 The folder is owned by the mail service, so users normally don’t have access to it and can’t put their scripts there for mail processing. For security purposes, users and administrators upload their scripts to a Sieve process (timsieved) which transports the scripts to the mail process for use[...]

  • Page 204

    204 Chapter 12 Working with the Mail Service Self-Defined Forwarding Script #-------- # This is a sample script to illustrate how Sieve could be used # to let users handle their own mail forwarding needs. # Read the comments following the pound/hash to find out what the # script is doing. #--------- # # No need to add any extension. 'redirect[...]

  • Page 205

    Chapter 12 Working with the Mail Service 205 # put it in my inbox fileinto "INBOX"; } # End of script Sieve Scripting Resources Sieve’s complete syntax, commands, and arguments are found in IETF RFC 3028 located on the Web at www.ietf.org/rfc/rfc3028.txt?number=3028. Other information about Sieve and a sample script archive can [...]

  • Page 206

    206 Chapter 12 Working with the Mail Service[...]

  • Page 207

    13 207 13 Working with Web Technologies In this chapter you will find commands you can use to configure and manage web services and web components of your server. Web technologies in Mac OS X Server consist of several components that provide a flexible and scalable server environment. This chapter covers the commands that are used to [...]

  • Page 208

    208 Chapter 13 Working with Web Technologies Apache web server version 2.0 files are in the /opt/apache2 folder. The main configuration file for the Apache web server is /etc/httpd/httpd.conf. The Apache web server (httpd) reads this file during startup. In addition, Mac OS X Server maintains a configuration file for each website it hosts. [...]

  • Page 209

    Chapter 13 Working with Web Technologies 209 To list a group of settings: You can list a group of settings that have part of their names in common by typing only as much of the name as you want, stopping at a colon (:), and typing an asterisk (*) as a wildcard for the remaining parts of the name. For example: $ sudo serveradmin settings we[...]

  • Page 210

    210 Chapter 13 Working with Web Technologies Web serveradmin Commands You can use the following commands with the serveradmin tool to manage web service. Listing Hosted Sites You can use the serveradmin getSites command to display a list of the sites hosted by the server, along with basic settings and status. To list sites: $ sudo server[...]

  • Page 211

    Chapter 13 Working with Web Technologies 211 To list samples: $ sudo serveradmin command web:command = getHistory web:variant = statistic web:timeScale = scale Control-D The computer responds with the following output: web:nbSamples = <samples> web:samplesArray:_array_index:0:vn = <sample> web:samplesArray:_array_index:0:t = <tim[...]

  • Page 212

    212 Chapter 13 Working with Web Technologies Example Script for Adding a Website The following script shows how you can use serveradmin to add a website to the server’s web service configuration. The script uses two files: • addsite—The script you run. It accepts values for the site’s IP address, port number, server name, and [...]

  • Page 213

    Chapter 13 Working with Web Technologies 213 web:Sites:_array_id:_ipaddr:_port__servername:ErrorDocument:_array_index:0:StatusCode = 404 web:Sites:_array_id:_ipaddr:_port__servername:ErrorDocument:_array_index:0:Document = "/nwesite_notfound.html" web:Sites:_array_id:_ipaddr:_port__servername:LogLevel = "warn" web:Sites:_ar[...]

  • Page 214

    214 Chapter 13 Working with Web Technologies Working with Application Servers and Java With the built-in JBoss application server and full support for JSPs, Java Servlets and SOAP, Mac OS X Server provides a complete solution for hosting Java 2 Platform Enterprise Edition (J2EE) applications. It also features powerful deployment tools[...]

  • Page 215

    Chapter 13 Working with Web Technologies 215 To start JBoss, enter the following: /Library/JBoss/3.2/bin/run.sh -c deploy-standalone When you use this command, the system updates the Application Server pane of Server Admin to reflect the status of JBoss. Sometimes, however, you might need to click Refresh to show the configuration changes[...]

  • Page 216

    216 Chapter 13 Working with Web Technologies To set the root password: $ sudo /usr/bin/mysqladmin shutdown $ sudo /usr/bin/mysqld_safe --skip-grant-tables --skip-networking & $ sudo /usr/bin/mysqladmin -u root flush-privileges password new-password When you set up MySQL service for the first time, make sure to set up a password for the MySQL r[...]

  • Page 217

    14 217 14 Working with Network Services In this chapter you will find commands you can use to configure and manage DHCP, DNS, Firewall, NAT, and VPN services in Mac OS X Server. Mac OS X Server network services add administrative and managerial capabilities to basic networking protocols. This chapter describes the commands used to conf[...]

  • Page 218

    218 Chapter 14 Working with Network Services inetd and xinetd each have their own configuration files. inetd uses one file, inetd.conf, to map a given service to its executable. All standard services that inetd handles are already listed in the file. xinetd, on the other hand, uses a different configuration file for each service it provides. [...]

  • Page 219

    Chapter 14 Working with Network Services 219 Changing DHCP Service Settings To see a list of available service settings: $ sudo serveradmin settings dhcp Also see “DHCP Service Settings” on this page and “DHCP Subnet Settings Array” on page 220. To change a single DHCP setting: $ sudo serveradmin settings dhcp:setting = value To cha[...]

  • Page 220

    220 Chapter 14 Working with Network Services DHCP Subnet Settings Array An array of the settings listed in the following table is included in the DHCP service settings for each subnet you define. You can add a subnet to the DHCP configuration by using serveradmin to add an array of these settings. About Subnet IDs In an actual list of settings,[...]

  • Page 221

    Chapter 14 Working with Network Services 221 lease_time_secs Lease time in seconds. Default = "3600" Corresponds to the Lease Time pop-up menu and field in the General pane of the subnet settings in the Server Admin application. net_address The IPv4 network address for the subnet. net_mask The subnet mask for the subnet. Corresponds to [...]

  • Page 222

    222 Chapter 14 Working with Network Services Adding a DHCP Subnet You may already have a subnet for each port you enabled when you installed and set up the server. You can use the serveradmin settings command to check for subnets that the server set up for you (see “Viewing DHCP Service Settings” on page 218). You can use the server[...]

  • Page 223

    Chapter 14 Working with Network Services 223 Adding a DHCP Static Map A static DHCP map allows you to map a specific IP address to a computer based on the Ethernet (MAC) address. You can use the serveradmin tool to add a static map to the DHCP configuration. To add a static map: $ sudo serveradmin settings dhcp:static_maps:_array_id: host name[...]

  • Page 224

    224 Chapter 14 Working with Network Services To create a static map: $ sudo serveradmin settings dhcp:static_maps:_array_id:examplehost/9681BABD-3329-402E-A7AB-F0C3608E231D = create dhcp:static_maps:_array_id:examplehost/9681BABD-3329-402E-A7AB-F0C3608E231D:ip_address = "1.2.3.4" dhcp:static_maps:_array_id:examplehost/9681BABD-3329-402[...]

  • Page 225

    Chapter 14 Working with Network Services 225 To display the log path: $ sudo serveradmin command dhcp:command = getLogPaths The computer will respond with the following output: dhcp:systemLog = <system-log> Managing the DNS Service The Domain Name System (DNS) is a distributed database that maps IP addresses to domain names so your clie[...]

  • Page 226

    226 Chapter 14 Working with Network Services Changing DNS Service Settings You can use serveradmin to modify your server’s DNS configuration. However, you’ll probably find it more straightforward to work directly with DNS and BIND using the standard tools and techniques described in the many books on the subject. (See, for example, DNS a[...]

  • Page 227

    Chapter 14 Working with Network Services 227 dns:queriesArray:_array_index:4:value = -1 dns:queriesArray:_array_index:5:name = "SOA_QUERIES" dns:queriesArray:_array_index:5:value = -1 dns:queriesArray:_array_index:6:name = "TXT_QUERIES" dns:queriesArray:_array_index:6:value = -1 dns:nxdomain = 0 dns:nxrrset = 0 dns:reloadedTime [...]

  • Page 228

    228 Chapter 14 Working with Network Services Firewall Startup Although the firewall is treated as a service by the Server Admin application, it is not implemented by a running process like other services. It is simply a set of behaviors in the kernel, controlled by the ipfw and sysctl tools. To start and stop the firewall, the Server Admin [...]

  • Page 229

    Chapter 14 Working with Network Services 229 Changing Firewall Service Settings To change a setting: $ sudo serveradmin settings ipfilter:setting = value To change several settings: $ sudo serveradmin settings ipfilter:setting = value ipfilter:setting = value ipfilter:setting = value [...] Control-D Firewall Service Settings Use the follow[...]

  • Page 230

    230 Chapter 14 Working with Network Services ipfilter Groups with Rules Array An array of the following settings is included in the ipfilter settings for each defined IP address group. These arrays aren’t part of a standard ipfw configuration, but are created by the Server Admin application to implement the IP Address groups in the General [...]

  • Page 231

    Chapter 14 Working with Network Services 231 The unmodified ipfw.conf file: # ipfw.conf.default - Installed by Apple, never modified by Server Admin app # # ipfw.conf - The servermgrd process (the back end of Server Admin app) # creates this from ipfw.conf.default if it's absent, but does not modify # it. # # Administrators can place custom i[...]

  • Page 232

    232 Chapter 14 Working with Network Services To disallow any connection from the entire cracker.evil.org network to my host: 1 Ping cracker.evil.org to determine its IP address. $ ping cracker.evil.org PING cracker.evil.org (123.45.67.10): 56 data types 64 bytes from 123.45.67.10: icmp_seq=0 ttl=52 time=24.953 ms 64 bytes from 123.45.67.10: icm[...]

  • Page 233

    Chapter 14 Working with Network Services 233 ipfilter:rules:_array_id:1111:readOnly = yes ipfilter:rules:_array_id:1111:source-port = "" Control-D ipfilter Rules Array An array of the following settings is included in the ipfilter settings for each defined firewall rule. In an actual list of settings, <rule> is replaced with a rul[...]

  • Page 234

    234 Chapter 14 Working with Network Services Viewing Firewall Service Log You can use tail or any other file listing tool to view the contents of the ipfilter service log. To view the latest entries in the log: $ tail log-file You can use the serveradmin getLogPaths command to see where the current ipfilter service log is located. To di[...]

  • Page 235

    Chapter 14 Working with Network Services 235 Starting and Stopping NAT Service To start NAT service: $ sudo serveradmin start nat To stop NAT service: $ sudo serveradmin stop nat Checking the Status of NAT Service To see summary status of NAT service: $ sudo serveradmin status nat To see detailed status of NAT service: $ sudo serve[...]

  • Page 236

    236 Chapter 14 Working with Network Services NAT Service Settings Use the following parameters with the serveradmin tool to change settings for NAT service. NAT serveradmin Commands You can use the following commands with the serveradmin tool to manage NAT service. Parameter (nat:) Description deny_incoming yes|no Default = no. log_[...]

  • Page 237

    Chapter 14 Working with Network Services 237 Port Mapping You can configure port mapping by adding a redirect_port directive to the configuration file passed to the natd process. You can accomplish this by editing the plist version of the configuration file /etc/nat/natd.plist. This file is in turn processed by the serveradmin tool, and used[...]

  • Page 238

    238 Chapter 14 Working with Network Services To display the log path: $ sudo serveradmin command nat:command = getLogPaths The computer will respond with the following output: nat:natLog = <nat-log> Managing the VPN Service Virtual Private Network (VPN) is two or more computers or networks (nodes) connected by a private link of encr [...]

  • Page 239

    Chapter 14 Working with Network Services 239 Changing VPN Service Settings To change a setting: $ sudo serveradmin settings vpn:setting = value To change several settings: $ sudo serveradmin settings vpn:setting = value vpn:setting = value vpn:setting = value [...] Control-D List of VPN Service Settings Use the following parameters with t[...]

  • Page 240

    240 Chapter 14 Working with Network Services com.<name>.ppp.l2tp:IPv4:DestAddressRanges Default = _empty_array com.<name>.ppp.l2tp:IPv4:OfferedRouteMasks Default = _empty_array com.<name>.ppp.l2tp:IPv4:OfferedRouteAddresses Default = _empty_array com.<name>.ppp.l2tp:IPv4:OfferedRouteTypes Default = _empty_array com.<n[...]

  • Page 241

    Chapter 14 Working with Network Services 241 com.<name>.ppp.pptp:Server:VerboseLogging Default = 1 com.<name>.ppp.pptp:Server:MaximumSessions Default = 128 com.<name>.ppp.pptp:Server:LogFile Default = "/var/log/ppp/vpnd.log" com.<name>.ppp.pptp:IPv4:DestAddressRanges Default = _empty_array com.<name>.ppp.[...]

  • Page 242

    242 Chapter 14 Working with Network Services List of VPN serveradmin Commands You can use the following commands with the serveradmin tool to manage VPN service. Viewing the VPN Service Log You can use tail or any other file listing tool to view the contents of the VPN service log. To view the latest entries in the log: $ tail log-file Yo[...]

  • Page 243

    Chapter 14 Working with Network Services 243 To display the log path: $ sudo serveradmin command vpn:command = getLogPaths The computer will respond with the following output: vpn:vpnLog = <vpn-log> Site-to-Site VPN Site-to-site VPN is implemented by the daemon vpnd, which is in turn a wrapper around the racoon daemon and the setkey tool.[...]

  • Page 244

    244 Chapter 14 Working with Network Services • The form of IPSec security to use (certificate or shared-secret). Before choosing certificate-based authentication, ensure that at least one certificate is currently installed on the server. s2svpnadmin will display a list of currently installed certificates and prompt the user to choose one of the[...]

  • Page 245

    Chapter 14 Working with Network Services 245 Setting Up IP Failover IP failover allows a secondary server to acquire the IP address of a primary server if the primary server ceases to function. Once the primary server returns to normal operation, the secondary server relinquishes the IP address. This allows your website to remain availab[...]

  • Page 246

    246 Chapter 14 Working with Network Services Email notification is sent when the secondary server detects a failover condition or a network anomaly, and when the IP address is relinquished back to the primary server. Enabling IP Failover You enable IP failover by adding command lines to the file /etc/hostconfig on the primary and the seco[...]

  • Page 247

    Chapter 14 Working with Network Services 247 Configuring IP Failover You configure failover behavior using scripts. The scripts must be executable (for example, shell scripts, Perl, compiled C code, or executable AppleScripts). You place these scripts in /Library/IPFailover/IP_address on the secondary server. You need to create a folde[...]

  • Page 248

    248 Chapter 14 Working with Network Services For example, your secondary server may perform other services on the network, such as running a statistical analysis application and distributed image processing software. A pre acquisition script quits the running applications to free up the CPU for the Web server. A post acquisition script star[...]

  • Page 249

    Chapter 14 Working with Network Services 249 To restore the DHCP service to its default configuration: 1 Remove the subnet configuration from the /config/dhcp folder in the local NetInfo database by using the nicl tool: $ sudo nicl . -delete /config/dhcp 2 Remove the static Ethernet/IP Address static maps from the /machines folder in the [...]

  • Page 250

    250 Chapter 14 Working with Network Services To restore the VPN service to its default configuration: Rename the com.apple.RemoteAccessServers.plist file located in the /Library/Preferences/SystemConfiguration/ folder. To restore the SERVERMGR_MAIL service to its default configuration: Rename these two files: • /etc/MailServicesOt[...]

  • Page 251

    15 251 15 Working with Open Directory In this chapter you will find commands used to configure and manage the Open Directory service. Open Directory is the standards-based directory and network authentication services architecture used by Mac OS X and Mac OS X Server. In Mac OS X Server, Open Directory relies on open source technologi[...]

  • Page 252

    252 Chapter 15 Working with Open Directory Modifying a Directory Domain You can use the dscl tool to create, modify, or delete directory information in a directory domain. Testing Open Directory Plug-ins You can use the dsperfmonitor tool to check the performance of the protocol-specific plug-ins used by Open Directory. It can list the [...]

  • Page 253

    Chapter 15 Working with Open Directory 253 Managing OpenLDAP Open Directory uses OpenLDAP, the open source implementation of LDAP, to provide directory services for mixed-platform environments. A common language for directory access lets you consolidate information from different platforms and define a single name space for all network[...]

  • Page 254

    254 Chapter 15 Working with Open Directory The slapd_macosx.conf file contains an entry for the root user of the LDAP database, the directive rootdn. This root user is not the same as the root user in the local NetInfo database, but rather it is a user who has total control over all data inside the LDAP database—access controls do not apply [...]

  • Page 255

    Chapter 15 Working with Open Directory 255 Idle Rebinding Options The following two LDAPv3 plug-in parameters are documented in the Open Directory administration guide. The parameters are used in the file /library/preferences/directoryservice/DSLDAPv3PlugInConfig.plist. Delay Rebind This parameter specifies how long the LDAP plug-in waits bef[...]

  • Page 256

    256 Chapter 15 Working with Open Directory To avoid this error, include the -x option when you enter the command. For example: $ ldapsearch -h 192.168.100.1 -b "dc=example,dc=com" -x The -x option forces ldapsearch to use simple authentication instead of SASL. The -x option also works on the other LDAP tools. ldapsearch can also be [...]

  • Page 257

    Chapter 15 Working with Open Directory 257 ibm-serverId: 71d3fb40-c90a-1028-9ef7-8e62f6ed25ed ibm-supportedacimechanisms: 1.3.18.0.2.26.3 ibm-supportedacimechanisms: 1.3.18.0.2.26.2 vendorname: International Business Machines (IBM) vendorversion: 5.1 ibm-sslciphers: N/A ibm-supportedcapabilities: 1.3.18.0.2.32.1 ibm-supportedcapabilities: 1.3.18.0.[...]

  • Page 258

    258 Chapter 15 Working with Open Directory After you get that, you can search for a record with a command like this: $ ldapsearch -LLL -x -h xtra.apple.com -b "dc=apple,dc=com" uid=ajohnson uid cn dn: uid=ajohnson,cn=users,dc=apple,dc=com uid: ajohnson cn: Anne Johnson Using LDIF Files Lightweight Directory Interchange Format (LDIF) is[...]

  • Page 259

    Chapter 15 Working with Open Directory 259 Additional Information About LDAP The LDAP server in Mac OS X Server is based on OpenLDAP. Additional information about OpenLDAP, including an administrator’s guide, is available at www.openldap.org. Managing NetInfo NetInfo is the built-in Mac OS X directory service used for the local direct[...]

  • Page 260

    260 Chapter 15 Working with Open Directory Managing Open Directory Passwords When a user’s account has a password type of Open Directory, the user can be authenticated by Kerberos or the Open Directory Password Server. Kerberos is a network authentication system that uses credentials issued by a trusted server. The Open Directory P[...]

  • Page 261

    Chapter 15 Working with Open Directory 261 Kerberos and Apple Single Sign-On Built into Open Directory is a robust authentication server that uses MIT’s Kerberos Key Distribution Center (KDC)—providing strong authentication with support for secure single sign-on. That means users need authenticate only once, with a single user name and pa[...]

  • Page 262

    262 Chapter 15 Working with Open Directory Principal Management Mac OS X Server uses MIT’s Kerberos administration architecture for principal management. The Kerberos administration daemon kadmind is responsible for making changes to the Kerberos database. Aside from Open Directory, kadmind is largely manipulated by kadmin and kadmin.[...]

  • Page 263

    Chapter 15 Working with Open Directory 263 Using kadmin to kerberize a service kadmin can be used to kerberize additional services, depending on your specific configuration requirements. While Mac OS X Server kerberizes many services for you, you can use Kerberos command-line tools to kerberize additional services with Open Directory Kerberos[...]

  • Page 264

    264 Chapter 15 Working with Open Directory Finding Network Information The lookupd daemon acts as an information broker and cache. It is called by various routines in the System framework to find information about user accounts, groups, printers, email aliases and distribution lists, computer names, Internet addresses, and several other kin[...]

  • Page 265

    Chapter 15 Working with Open Directory 265 See the dseditgroup man page for more information. Adding or Removing LDAP Server Configurations dsconfigldap allows you to add or remove LDAP server configurations in directory services. To add an LDAP server: $ dsconfigldap -v -a myldap.example.com To remove an LDAP server: $ dsconfigldap -v -r[...]

  • Page 266

    266 Chapter 15 Working with Open Directory[...]

  • Page 267

    16 267 16 Working with QuickTime Streaming Server In this chapter you will find commands you can use to configure and manage the QuickTime Streaming Server service. Streaming is the delivery of media, such as movies and live presentations, over a network in real time. A streaming server sends the media to a client computer, which plays th[...]

  • Page 268

    268 Chapter 16 Working with QuickTime Streaming Server Starting and Stopping the QTSS Service To start QTSS service: $ sudo serveradmin start qtss or $ sudo quicktimestreamingserver To see a list of quicktimestreamingserver tool options: $ sudo quicktimestreamingserver -h To stop QTSS service: $ sudo serveradmin stop qtss Checking QTSS Servi[...]

  • Page 269

    Chapter 16 Working with QuickTime Streaming Server 269 To change several settings: $ sudo serveradmin settings qtss: setting = value qtss: setting = value qtss: setting = value [...] Control-D QTSS Settings Use the following parameters with the serveradmin tool to change settings for the QTSS service. Descriptions of Settings To see descript[...]

  • Page 270

    270 Chapter 16 Working with QuickTime Streaming Server modules:_array_id:QTSSAccessModule: modAccess_usersfilepath Default = "/Library/QuickTimeStreaming/Config/qtusers" modules:_array_id:QTSSAdminModule: AdministratorGroup Default = "admin" modules:_array_id:QTSSAdminModule: Authenticate Default = yes modules:_array_id:QTSSA[...]

  • Page 271

    Chapter 16 Working with QuickTime Streaming Server 271 modules:_array_id:QTSSMP3StreamingModule: mp3_streaming_enabled Default = yes modules:_array_id:QTSSReflectorModule: allow_broadcasts Default = yes modules:_array_id:QTSSReflectorModule: allow_non_sdp_urls Default = yes modules:_array_id:QTSSReflectorModule: BroadcasterGroup Default = "bro[...]

  • Page 272

    272 Chapter 16 Working with QuickTime Streaming Server Managing QTSS You can use the following commands with the serveradmin tool to manage the QTSS service. Listing Current Connections You can use the serveradmin getConnectedUsers command to retrieve information about QTSS connections. To list connected users: $ sudo serveradmin command[...]

  • Page 273

    Chapter 16 Working with QuickTime Streaming Server 273 Viewing QTSS Service Statistics You can use the serveradmin getHistory command to display a log of periodic samples of the number of connections and the data throughput. Samples are taken once each minute. To list samples: $ sudo serveradmin command qtss:command = getHistory qtss:variant =[...]

  • Page 274

    274 Chapter 16 Working with QuickTime Streaming Server Viewing Service Logs You can use tail or any other file listing tool to view the contents of the QTSS service logs. To view the latest entries in a log: $ tail log-file You can use the serveradmin getLogPaths command to see where the current QTSS error and activity logs are located. T [...]

  • Page 275

    Chapter 16 Working with QuickTime Streaming Server 275 Preparing Older Home Folders for User Streaming If you want to enable QTSS home folder streaming for home folders created using an earlier version of Mac OS X Server (before version 10.3), you need to set up the necessary streaming media folder in each user’s home folder. You can u[...]

  • Page 276

    276 Chapter 16 Working with QuickTime Streaming Server Controlling Access to Streamed Media You can set up authentication to control client access to streamed media files. Two schemes of authentication are supported: basic and digest. By default, the server uses the more secure digest authentication. You can also control playlist access [...]

  • Page 277

    Chapter 16 Working with QuickTime Streaming Server 277 Terms not in angle brackets are keywords. Anything in angle brackets is information you supply. Save the access file as plain text (not as .rtf or any other file format). You can use these additional user tags: • valid-user is any user defined in the qtusers file. The statement require[...]

  • Page 278

    278 Chapter 16 Working with QuickTime Streaming Server Accessing Protected Media Users must have QuickTime 5 or later to access a media file for which digest authentication is enabled. If your streaming server is set up to use basic authentication, users need QuickTime 4.1 or later. Users must enter their user names and passwords to vie[...]

  • Page 279

    Chapter 16 Working with QuickTime Streaming Server 279 Manipulating QuickTime and MP4 Movies You can use the qtmedia tool to manipulate QuickTime and MP4 movies. You can add hint tracks, prepare for “fast-start,” and edit annotations. For more information, run the qtmedia tool to display the command-line options. Creating Reference Mo [...]

  • Page 280

    280 Chapter 16 Working with QuickTime Streaming Server[...]

  • Page 281

    17 281 17 Configuring System Logging In this chapter you will find commands you can use to configure and manage system logging. Logging System Events Logs are text files that form a record of what has occurred on the system, much like a journal. Configuring the Log File Log files are maintained in the /Library/Logs/ and /var/log/ folder[...]

  • Page 282

    282 Chapter 17 Configuring System Logging The facility and priority are separated by a single period, and these are separated from the action by one or more tabs. Wildcards (“*”) may also be used in the configuration file. The following example line logs all messages of any facility or priority to the file /var/log/all.log: *.* /var/log/all.l[...]

  • Page 283

    Chapter 17 Configuring System Logging 283 Remote Logging Using remote logging in addition to local logging is strongly recommended for any server system, because local logs can easily be altered if the system is compromised. Several security issues must also be considered when making the decision to use remote logging. First, the syslog proce[...]

  • Page 284

    284 Chapter 17 Configuring System Logging This format is the IPv4 address with a mask bit length. Optionally, the service can be a name or number of the UDP port the source packet must belong to. When using the -a option, do not omit the masklen portion, as the default masklen may be very small and the corresponding matching addresses could, t[...]

  • Page 285

    285 Appendix PCI RAID Card Command Reference In this appendix you will find information about the megaraid command, used for managing a PCI RAID Card. The megaraid tool uses are described in the following table, along with parameter explanations. megaraid -alarm -on | -off | -silence Turns the alarm on, off, or to silence. When the alarm i[...]

  • Page 286

    286 Appendix PCI RAID Card Command Reference megaraid -create R0 | R1 | R5 -drive { 0 1 2 3 } [-stripesize n ] [-size x ] [-writecache enable | disable ] [-readahead on | off | adaptive ] [-iopolicy direct | cached ] [-log file ] Creates a logical drive and adds it to the existing configuration. The RAID level and participating physical drives’[...]

  • Page 287

    Appendix PCI RAID Card Command Reference 287 Note: See the megaraid man page for more information. You can also use all megaraid commands with a [-log file ] parameter, which logs all the displayed information with date and time in the file you specify.[...]

  • Page 288

    288 Appendix PCI RAID Card Command Reference[...]

  • Page 289

    289 Glossary Glossary This glossary defines terms and spells out abbreviations you may encounter while working with online help or the various reference manuals for Mac OS X Server. References to terms defined elsewhere in the glossary appear in italics. administrator A user with server or directory domain administration privileges. Administra[...]

  • Page 290

    290 Glossary DHCP Dynamic Host Configuration Protocol. A protocol used to dynamically distribute IP addresses to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and then requests an IP address from the DHCP server it finds. The DHCP server checks for an available IP address and sends it to the clie[...]

  • Page 291

    Glossary 291 FTP File Transfer Protocol. A protocol that allows computers to transfer files over a network. FTP clients using any operating system that supports FTP can connect to a file server and download files, depending on their access privileges. Most Internet browsers and a number of freeware applications can be used to access an FTP [...]

  • Page 292

    292 Glossary IP subnet A portion of an IP network, which may be a physically independent network segment, that shares a network address with other portions of the network and is identified by a subnet number. ISP Internet service provider. A business that sells Internet access and often provides web hosting for ecommerce applications as well [...]

  • Page 293

    Glossary 293 mail host The computer that provides your mail service. managed client A user, group, or computer whose access privileges and/or preferences are under administrative control. managed network The items managed clients are allowed to “see” when they click the Network icon in a Finder window. Administrators control this set[...]

  • Page 294

    294 Glossary NFS Network File System. A client/server protocol that uses Internet Protocol (IP) to allow remote users to access files as though they were local. NFS exports shared volumes to computers according to IP address, rather than user name and password. nfsd daemon An NFS server process that runs continuously behind the scenes and[...]

  • Page 295

    Glossary 295 presets Initial default attributes you specify for new accounts you create using Workgroup Manager. You can use presets only during account creation. primary group A user’s default group. The file system uses the ID of the primary group when a user accesses a file he or she doesn’t own. primary group ID A unique number tha[...]

  • Page 296

    296 Glossary SDP Session Description Protocol. A text file used with QuickTime Streaming Server that provides information about the format, timing, and authorship of a live streaming broadcast and gives the user’s computer instructions for tuning in. search path See search policy. search policy A list of directory domains searched by a Mac O[...]

  • Page 297

    Glossary 297 static IP address An IP address that’s assigned to a computer or device once and is never changed. subnet A grouping on the same network of client computers that are organized by location (different floors of a building, for example) or by usage (all eighth-grade students, for example). The use of subnets simplifies administra[...]

  • Page 298

    298 Glossary virtual user An alternate email address (short name) for a user. Similar to an alias, but it involves creating another user account. VPN Virtual Private Network. A network that uses encryption and other technologies to provide secure communications over a public network, typically the Internet. VPNs are generally cheaper than r[...]

  • Page 299

    299 Index Index A ab tool 213 access 36 accounts 97 administrator 98 group 110 mobile user 108 modifying user 107 removing users 103 securing 126 ACL (access control list) 157 addsite script 212 AFP (Apple Filing Protocol) canceling user disconnect 143 changing service settings 137 checking service status 136 disconnecting users 142 listing connect[...]

  • Page 300

    300 Index DHCP (Dynamic Host Configuration Protocol) adding a subnet 222 changing service settings 219 checking service status 218 service settings 219 set server to use 68 starting service 218 static map 223 stopping service 218 viewing service logs 224 viewing service settings 218 dial-in service, PPP 248 DirectoryServiceAttributes 252 DirectoryS[...]

  • Page 301

    Index 301 K kadmind daemon 262 kadmin tool 262 kdb5_util tool 261 kdcsetup tool 261 Kerberos 261 backing up 261 principal management 262 tools and utilities 261 kerberosautoconfig tool 261 keychain 198 killall tool 105, 283 kill tool 74, 274 known_hosts file 33 krb5kdc tool 262 L launchd daemon 55 LDAP (Lightweight Directory Access Protocol) 253 an[...]

  • Page 302

    302 Index Network File System. See NFS network interface, settings 64 network port configurations 65 settings 64 networksetup tool 47, 57, 64 network time server 57, 58 newfs tool 90 NFS (Network File System) changing service settings 146 checking service status 146 starting and stopping service 146 viewing service settings 146 nicl tool 249, 259 n[...]

  • Page 303

    Index 303 S s2svpnadmin tool 243 sa_srchr tool 39 SASL used by ldapsearch 255 scheduling tasks 27 scp tool 32 scripts adding a website 212 scselect tool 82 scutil tool 80 Secure Shell (SSH) 31 man-in-the-middle attack 34 using 35 Secure Sockets Layer. See SSL serial number, server software 49 server configuration file example 44 naming 41, 42 savin[...]

  • Page 304

    304 Index viewing VPN service logs 242 viewing Web service logs 210 TCP/IP settings 66, 68 telnet tool 36 Terminal application 21 terminating commands 27 throughput. See statistics time, viewing or changing 57, 58 time server 57, 58 time zone 57, 58 tools for remote configuration dscl 47 networksetup 47 systemsetup 47 U umount tool 84 user administ[...]