krypted.com

Tiny Deathstars of Foulness

A nifty little feature of nvram is the ability to delete all of the firmware variables you’ve created. This can get helpful if you’ve got a bunch of things that you’ve done to a system and want to remove them all. If you run nvkram followed by a -p option you’ll see all of the configured firmware variables:

nvram -p

If you run it with a -d you’ll delete the given variables that you define (e.g. boot-args):

nvram -d boot-args

But, if you run the -c you’ll wipe them all:

nvram -c

September 27th, 2017

Posted In: Mac OS X

Tags: , , , , ,

You might be happy to note that other than the ability to interpret new payloads, the profiles command mostly stays the same in High Sierra. You can still export profiles from Apple Configurator or Profile Manager (or some of the 3rd party MDM tools). You can then install profiles by just opening them and installing.

Once profiles are installed on a Mac, mdmclient, a binary located in /usr/libexec will process changes such as wiping a system that has been FileVaulted (note you need to FileVault if you want to wipe an OS X Lion client computer). /System/Library/LaunchDaemons and /System/Library/LaunchAgents has a mdmclient daemon and agent respectively that start it up automatically. This, along with all of the operators remains static from 10.10 and on. To script profile deployment, administrators can add and remove configuration profiles using the new /usr/bin/profiles command. To see all profiles, aggregated, use the profiles command with just the -P option:

/usr/bin/profiles -P

If there are no profiles installed, you’ll see a message similar to the following: There are no configuration profiles installed As with managed preferences (and piggy backing on managed preferences for that matter), configuration profiles can be assigned to users or computers. To see just user profiles, use the -L option:

/usr/bin/profiles -L

If there aren’t any profiles in the System Domain, you’ll see a message similar to the following:

There are no configuration profiles installed in the system domain

You can remove all profiles using -D:

/usr/bin/profiles -D

You’ll then see a prompt to remove all profiles, enter y to do so or n to skip:

Are you sure you want to remove all device configuration profiles? [y/n]

The -I option installs profiles and the -R removes profiles. Use -p to indicate the profile is from a server or -F to indicate it’s source is a file. To remove a profile:

/usr/bin/profiles -R -F /tmp/HawkeyesTrickshot.mobileconfig

To remove one from a server:

/usr/bin/profiles -R -p com.WestCoastAvengers.HawkeyesTrickshot

The following installs HawkeyesTrickshot.mobileconfig from your desktop:

/usr/bin/profiles -I -F ~/Desktop/HawkeyesTrickshot.mobileconfig

If created in Profile Manager:

/usr/bin/profiles -I -p com.WestCoastAvengers.HawkeyesTrickshot

You can configure profiles to install at the next boot, rather than immediately. Use the -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add a -s then the -F for the profile and the -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure):

profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v

And that’s it. Nice and easy and you now have profiles that only activate when a computer is started up. As of OS X Yosemite, the dscl command got extensions for dealing with profiles as well. These include the available MCX Profile Extensions: -profileimport -profiledelete -profilelist [optArgs] -profileexport -profilehelp

To list all profiles from an Open Directory object, use 
-profilelist. To run, follow the dscl command with -u to specify a user, -P to specify the password for the user, then the IP address of the OD server (or name of the AD object), then the profilelist verb, then the relative path. Assuming a username of diradmin for the directory, a password of moonknight and then cedge user:

dscl -u diradmin -P moonknight 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/cedge

To delete that information for the given user, swap the profilelist extension with profiledelete:

dscl -u diradmin -P apple 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/cedge

If you would rather export all information to a directory called ProfileExports on the root of the drive:

dscl -u diradmin -P moonknight 192.168.210.201 profileexport . all -o /ProfileExports

In Yosemite we got a few new options (these are all still in 10.11 with no new operators), such as -H which shows whether a profile was installed, -z to define a removal password and -o to output a file path for removal information. Also, as in Yosemite it seems as though if a configuration profile was pushed to you from MDM, you can’t remove it (fyi, I love having the word fail as a standalone in verbose output):
bash-3.2# profiles -P _computerlevel[1] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A _computerlevel[2] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003 _computerlevel[3] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397 charlesedge[4] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328 charlesedge[5] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6 _computerlevel[6] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783 _computerlevel[7] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1 _computerlevel[8] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0 There are 8 configuration profiles installed bash-3.2# profiles -r 772BED54-5EDF-4987-94B9-654456CF0B9A bash-3.2# profiles -P _computerlevel[1] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1 _computerlevel[2] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783 _computerlevel[3] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0 _computerlevel[4] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003 _computerlevel[5] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A _computerlevel[6] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397 charlesedge[7] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6 charlesedge[8] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328 There are 8 configuration profiles installed bash-3.2# profiles -rv 772BED54-5EDF-4987-94B9-654456CF0B9A profiles: verbose mode ON profiles: returned error: -204 fail
The -N option will re-run the DEP enrollment:

profiles -N

A list of command verbs found using “profiles -help”:

Command Verbs:
status – indicates if profiles are installed
list – list profile information
show – show expanded profile information
install – install profile
remove – remove profile
sync – synchronize installed configuration profiles with known users
renew – renew configuration profile installed certificate
version – display tool version number

Options: (not all options are meaningful for a command)
-type= – type of profile; either ‘configuration’,
‘provisioning’, ‘enrollment’, or ‘startup’
-user= – short user name
-identifier= – profile identifier
-path= – file path
-uuid= – profile UUID
-enrolledUser= – enrolled user name
-verbose – enable verbose mode
-forced – when removing profiles, automatically confirms requests
-all – select all profiles
-quiet – enable quiet mode

September 27th, 2017

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , ,

Note: before you do anything with clearing nvram, keep in mind that doing so clears any kext whitelisting you may have done previously!

macOS has the ability to delete all of the firmware variables you’ve created. This can get helpful if you’ve got a bunch of things that you’ve done to a system and want to remove them all. If you run nvram followed by a -p option you’ll see all of the configured firmware variables:

nvram -p

The output would be as follows:

efi-boot-device-data %02%01%0c%00%d0A%03%0a%00%00%00%00%01%01%06%00%05%1c%01%01%06%00%00%00%03%12%0a%00%00%00%00%00%00%00%04%01*%00%02%00%00%00(@%06%00%00%00%00%00X%a8#:%00%00%00%00%eee6%da%00%0b%09G%82%c9%bd4wpQ%82%02%02%04%03$%00%f7%fct%be|%0b%f3I%91G%01%f4%04.hBw;%1a$%82%a3>D%92#%80%e9o%a9!%de%04%04%9a%00\%00A%003%000%006%00A%004%00F%00D%00-%00F%00F%00B%005%00-%003%00F%00A%002%00-%008%00D%00C%004%00-%00B%00F%007%003%00E%007%00F%003%008%00C%007%00E%00\%00S%00y%00s%00t%00e%00m%00\%00L%00i%00b%00r%00a%00r%00y%00\%00C%00o%00r%00e%00S%00e%00r%00v%00i%00c%00e%00s%00\%00b%00o%00o%00t%00.%00e%00f%00i%00%00%00%7f%ff%04%00

efi-boot-device <array><dict><key>IOMatch</key><dict><key>IOProviderClass</key><string>IOMedia</string><key>IOPropertyMatch</key><dict><key>UUID</key><string>241A3B77-A382-443E-9223-80E96FA921DE</string></dict></dict><key>BLLastBSDName</key><string>disk1s2</string></dict><dict><key>IOEFIDevicePathType</key><string>MediaFilePath</string><key>Path</key><string>\A306A4FD-FFB5-3FA2-8DC4-BF73E7F38C7E\System\Library\CoreServices\boot.efi</string></dict></array>%00BootCampProcessorPstates %0c%00 bluetoothInternalControllerInfo %90%82%ac%05%00%000%14%f4\%89%adF%f prev-lang:kbd en:0 SystemAudioVolumeDB %e4
efi-apple-recovery <array><dict><key>IOMatch</key><dict><key>IOProviderClass</key><string>IOMedia</string><key>IOPropertyMatch</key><dict><key>UUID</key><string>3D351489-745F-4434-89E0-DC914B49969F</string></dict></dict><key>BLLastBSDName</key><string>disk0s1</string></dict><dict><key>IOEFIDevicePathType</key><string>MediaFilePath</string><key>Path</key><string>\EFI\APPLE\FIRMWARE\MBP121_0171_B00.fd</string></dict></array>%00
previous-system-uuid A306A4FD-FFB5-3FA2-8DC4-BF73E7F38C7E
bluetoothActiveControllerInfo %90%82%ac%05%00%00%00%000%14%f4\%89%adF%fa
ALS_Data ^%0d%8a%8a%00%00%00%00
backlight-level %10%02
SystemAudioVolume G
LocationServicesEnabled %01

If you run it with a -d you’ll delete the given variables that you define (e.g. boot-args): 


nvram -d boot-args

But, if you run the -c you’ll wipe them all:

nvram -c

September 27th, 2017

Posted In: Mac OS X

Tags: , ,

macOS Server has long had a VPN service to allow client computers to connect to a network even when they’re out of the home or office. And as with many a service on macOS Server, this is one of the easiest VPN servers you’ll ever setup. The server was once capable of running the two most commonly used VPN protocols: PPTP and L2TP. And while PPTP is still accessible via the command line, L2TP is now configured by default when you setup the server using the Server app.

Setting Up The VPN Service In macOS Server

To setup the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings  screen has a number of options available, as seen here.

The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we’ll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button that allows for configuration:
  • Client Addresses: The dynamic pool of addresses provided when clients connect to the VPN.
  • DNS Settings: The name servers used once a VPN client has connected to the server. As well as the Search Domains configuration.
  • Routes: Select which interface (VPN or default interface of the client system) that a client connects to each IP address and subnet mask over.
  • Save Configuration Profile: Use this button to export configuration profiles to a file, which can then be distributed to client systems (macOS using the profiles command, iOS using Apple Configurator or both using Profile Manager).
  • Shared Secret: A passphrase that must be supplied by the client prior to getting a username and password prompt.
Once configured, open incoming ports on the router/firewall. While deprecated(ish) PPTP runs over port 1723. L2TP is a bit more complicated, running over 1701, but also the IP-ESP protocol (IP Protocol 50). Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at http://support.apple.com/kb/TS1629.

Using The Command Line

I know, I’ve described ways to manage these services from the command line before. The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required:

sudo serveradmin start vpn

And to stop the service:

sudo serveradmin stop vpn And to list the available options:

sudo serveradmin settings vpn

The output of which shows all of the VPN settings available via serveradmin (which is many more than what you see in the Server app:

vpn:vpnHost = "odr.krypted.com" vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log" vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1 vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128 vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains:_array_index:0 = "jamfsw.corp" vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "10.10.16.200" vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:1 = "10.1.16.20" vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:2 = "8.8.8.8" vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1" vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1" vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2" vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2" vpn:Servers:com.apple.ppp.pptp:EAP:KerberosServicePrincipalName = "vpn/odr.krypted.com@OSXSERVER.KRYPTED.COM" vpn:Servers:com.apple.ppp.pptp:enabled = no vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP" vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP" vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5 vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1 vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA" vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL" vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1 vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0 vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1 vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1 vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60 vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1 vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2" vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0 vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth" vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log" vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1 vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200 vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE" vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "10.10.23.255" vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "10.10.23.254" vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual" vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4" vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128 vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0 vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log" vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1 vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = "jamfsw.corp" vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "10.10.16.200" vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:1 = "10.1.16.20" vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:2 = "8.8.8.8" vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1" vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1" vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2" vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2" vpn:Servers:com.apple.ppp.l2tp:EAP:KerberosServicePrincipalName = "vpn/odr.krypted.com@OSXSERVER.KRYPTED.COM" vpn:Servers:com.apple.ppp.l2tp:enabled = yes vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP" vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP" vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5 vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1 vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB" vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL" vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1 vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0 vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1 vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60 vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1 vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2" vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth" vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log" vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200 vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain" vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = "" vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp" vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret" vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = "" vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None" vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <> vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "10.10.23.128" vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "10.10.23.254" vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual" vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec" vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "Yq!XdGsVyAY?o;9jnj

To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no

To configure how long a client can be idle prior to being disconnected:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 10

By default, each protocol has a maximum of 128 sessions, configureable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200

To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option:

sudo serveradmin fullstatus vpn


Which returns output similar to the following:

vpn:servicePortsAreRestricted = "NO" vpn:readWriteSettingsVersion = 1 vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2" vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0 vpn:servers:com.apple.ppp.pptp:enabled = yes vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128" vpn:servers:com.apple.ppp.pptp:Type = "PPP" vpn:servers:com.apple.ppp.pptp:SubType = "PPTP" vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth" vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2" vpn:servers:com.apple.ppp.l2tp:Type = "PPP" vpn:servers:com.apple.ppp.l2tp:enabled = yes vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0 vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP" vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth" vpn:servicePortsRestrictionInfo = _empty_array vpn:health = _empty_dictionary vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log" vpn:configured = yes vpn:state = "STOPPED" vpn:setStateVersion = 1

Security folk will be stoked to see that the shared secret is shown in the clear using:

vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue

Configuring Users For VPN Access

Each account that accesses the VPN server needs a valid account to do so. To configure existing users to use the service, click on Users in the Server app sidebar.

At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services.

At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user. If not, click Manage Service Access, click Manage and then check the VPN box.



Setting Up Client Computers

As you can see, configuring the VPN service in macOS Server 5.4 (running on High Sierra) is a simple and straight-forward process – much easier than eating your cereal with a fork and doing your homework in the dark.. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so on a Mac, open the Network System Preference pane.

From here, click on the plus sign (“+”) to add a new network service.



At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create.



At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings.



At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user’s password in the User Authentication Password field. When you’re done, click OK and then provided you’re outside the network and routeable to the server, click on Connect to test the connection.

Conclusion

Setting Up the VPN service in macOS Server 5.4 is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into OS X at /usr/sbin/natd and can be managed in a number of ways. And if you’re using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.

September 26th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , ,

You can run High Sierra without converting a drive to apfs, Apple’s latest File System. However, you might encounter some odd behaviors, or want to take use of the enhancements in apfs. If you did a command line installation to skip the apfs conversion or are just trying to upgrade a volume that wasn’t converted during the upgrade process, 
  1. Boot the Mac into Recovery Mode by holding down the Command and R keys until you see the macOS Utilities screen.
  2. Open Disk utility.
  3. Choose your boot volume.
  4. Click on the Edit menu
  5. Click on Convert to APFS
  6. When prompted with “Would you like to convert <thenameofyourdrive> to APFS?” click on the Convert button.
  7. When the process is finished, click on the Done button.
And that’s it. Enjoy.

September 26th, 2017

Posted In: Mac OS X

Tags: , ,

DHCP, or Dynamic Host Control Protocol, is the service used to hand out IP addresses and other network settings by network appliances and servers. The DHCP Server built into macOS Server 5.4 on High Sierra is similar to the DHCP service that was included in Server 10.2 and 10.2 and from the good ‘ole Panther days. It’s pretty simple to use and transparent, just as DHCP services should be.

To install the service, open the Server app and then click on the Show button beside Advanced in the server sidebar. Then click on DHCP.
 
At the DHCP screen, you’ll see two tabs: Settings, used for managing the service and Clients, used to see leases in use by computers that obtain IP address information from the server. You’ll also see an ON and OFF switch, but we’re going to configure our scopes, or Networks as they appear in the Server app, before we enable the service. To configure a scope, double-click on the first entry in the Networks list.
 
Each scope, or Network, will have the following options:
  • Name: A name for the scope, used only on the server to keep track of things.
  • Lease Duration: Select an hour, a day, a week or 30 days. This is how long a lease that is provided to a client is valid before the lease expires and the client must find a new lease, either from the server you’re configuring or a different host.
  • Network Interface: The network interface you’d like to share IPs over. Keep in mind that you can tag multiple VLANs on a NIC, assign each an interface in OS X and therefore provide different scopes for different VLANs with the same physical computer and NIC.
  • Starting IP Address: The first IP address used. For example, if you configure a scope to go from 192.168.210.200 to 192.168.210.250 you would have 50 useable IP addresses.
  • Ending IP Address: The last IP address used in a scope.
  • Subnet Mask: The subnet mask used for the client configuration. This setting determines the size of the network.
  • Router: The default gateway, or router for the network. Often a .1 address for the subnet used in the Starting and Ending IP address fields. Note that while in DHCP you don’t actually have to use a gateway, OS X Server does force you to do so or you cannot save changes to each scope.
  • DNS: Use the Edit button for DNS to bring up a screen that allows you to configure the DNS settings provided as part of each DHCP scope you create, taking note that by default you will be handing out a server of 0.0.0.0 if you don’t configure this setting.
The DNS settings in the DHCP scope are really just the IP addresses to use for the DNS servers and the search domain. The search domain is the domain name appended to all otherwise incomplete Fully Qualified Domain Names. For example, if we use internal.krypted.lan and we have a DNS record for wiki.internal.krypted.lan then we could just type wiki into Safari to bring up the wiki server. Click the minus sign button to remove any data in these fields and then click on the plus sign to enter new values.
 
Click OK to save DNS settings and then OK to save each scope. Once you’ve build all required scopes, start the service. Once started, verify that a new client on the network gets an IP. Also, make sure that there are no overlapping scopes and that if you are moving a scope from one device to another (e.g. the server you’re setting up right now) that you renew all leases on client systems, most easily done using a quick reboot, or using “ipconfig /release” on a Windows computer. If you have problems with leases not renewing in macOS, check out this article I did awhile back. So far, totally easy. Each time you make a change, the change updates a few different things.

First, it updates the /etc/bootpd.plist property list, which looks something like this (note the correlation between these keys and the settings in the above screen shots.:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>NetBoot</key> <dict/> <key>Subnets</key> <array> <dict> <key>allocate</key> <true/> <key>dhcp_domain_name</key> <string>no-dns-available.example.com</string> <key>dhcp_domain_name_server</key> <array> <string>0.0.0.0</string> </array> <key>dhcp_domain_search</key> <array/> <key>dhcp_router</key> <string>192.168.210.1</string> <key>lease_max</key> <integer>3600</integer> <key>name</key> <string>192.168.210 Wi-Fi</string> <key>net_address</key> <string>192.168.210.0</string> <key>net_mask</key> <string>255.255.255.0</string> <key>net_range</key> <array> <string>192.168.210.200</string> <string>192.168.210.253</string> </array> <key>selected_port_name</key> <string>en0</string> <key>uuid</key> <string>B03BAE3C-AB79-4108-9E5E-F0ABAF32179E</string> </dict> </array> <key>allow</key> <array/> <key>bootp_enabled</key> <false/> <key>deny</key> <array/> <key>detect_other_dhcp_server</key> <false/> <key>dhcp_enabled</key> <false/> <key>old_netboot_enabled</key> <false/> <key>relay_enabled</key> <false/> <key>relay_ip_list</key> <array/> </dict> </plist>

Settings from this file include:
  • dhcp_enabled – Used to enable dhcp for each network interface. Replace the <false/> immediately below with <array> <string>en0</string> </array>. For additional entries, duplice the string line and enter each from ifconfig that you’d like to use dhcp on.
  • bootp_enabled – This can be left as Disabled or set to an array of the adapters that should be enabled if you wish to use the bootp protocol in addition to dhcp. Note that the server can do both bootp and dhcp simultaneously.
  • allocate – Use the allocate key for each subnet in the Subnets array to enable each subnet once the service is enabled.
  • Subnets – Use this array to create additional scopes or subnets that you will be serving up DHCP for. To do so, copy the entry in the array and paste it immediately below the existing entry. The entry is a dictionary so copy all of the data between and including the <dict> and </dict> immediately after the <array> entry for the subnet itself.
  • lease_max and lease_min – Set these integers to the time for a client to retain its dhcp lease
  • name – If there are multiple subnet entries, this should be unique and reference a friendly name for the subnet itself.
  • net_address – The first octets of the subnet followed by a 0. For example, assuming a /24 and 172.16.25 as the first three octets the entry would be 172.16.25.0.
  • net_mask – The subnet mask clients should have
  • net_range – The first entry should have the first IP in the range and the last should have the last IP in the range. For example, in the following example the addressing is 172.16.25.2 to 172.16.25.253.
  • dhcp_domain_name_server – There should be a string for each DNS server supplied by dhcp in this array
  • dhcp_domain_search – Each domain in the domain search field should be suppled in a string within this array, if one is needed. If not, feel free to delete the key and the array if this isn’t needed.
  • dhcp_router – This entry should contain the router or default gateway used for clients on the subnet, if there is one. If not, you can delete the key and following string entries.
If you run the serveradmin command, followed by the settings verb and then the dhcp service, you’ll see the other place that gets updated:

serveradmin settings dhcp

The output indicates that

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_secondary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:selected_port_name = "en0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_router = "192.168.210.1"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name_server:_array_index:0 = "192.168.210.2"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_mask = "255.255.255.0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_NBDD_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = "192.168.210.200"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:lease_max = 3600
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_search:_array_index:0 = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:descriptive_name = "192.168.210 Wi-Fi"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_primary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_end = "192.168.210.253"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_address = "192.168.210.0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_enabled = yes
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_scope_id = ""
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:dhcp_domain_name = "no-dns-available.example.com"
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:routers = _empty_dictionary
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = "192.168.210.201"
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "bridge0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:2 = "p2p0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:3 = "en1"
dhcp:logging_level = "MEDIUM"


Notice the correlation between the uuid string in /etc/bootp.plist and the arrayid entry for each subnet/network/scope (too many terms referring to the same thing, ahhhh!). Using the serveradmin command you can configure a lot more than you can configure in the Server app gui. For example, on a dedicated DHCP server, you could increase logging level to HIGH (as root/with sudo of course):

serveradmin settings dhcp:logging_level = "MEDIUM"

You can also change settings within a scope. For example, if you realized that you were already using 192.168.210.200 and 201 for statically assigned IPs elsewhere you can go ahead and ssh into the server and change the first IP in a scope to 202 using the following (assuming the uuid of the domain is the same as in the previous examples):

serveradmin settings dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = "192.168.210.202"

You can also obtain some really helpful information using the fullstatus verb with serveradmin:

serveradmin fullstatus dhcp

This output includes the number of active leases, path to log file (tailing that file is helpful when troubleshooting issues), static mappings (configured using the command line if needed), etc.

dhcp:state = "RUNNING"
dhcp:backendVersion = "10.11"
dhcp:timeOfModification = "2017-9-04 04:24:17 +0000"
dhcp:numDHCPActiveClients = 0
dhcp:timeOfSnapShot = "2017-9-04 04:24:19 +0000"
dhcp:dhcpLeasesArray = _empty_array
dhcp:logPaths:systemLog = "/var/log/system.log"
dhcp:numConfiguredStaticMaps = 1
dhcp:timeServiceStarted = "2017-9-04 04:24:17 +0000"
dhcp:setStateVersion = 1
dhcp:numDHCPLeases = 21
dhcp:readWriteSettingsVersion = 1


Once started, configure reservations using  the /etc/bootptab file. This file should have a column for the name of a computer, the hardware type (1), the hwaddr (the MAC address) and ipaddr for the desired IP address of each entry:

%% # hostname hwtype hwaddr ipaddr bootfile
a.krypted.lan 1 00:00:00:aa:bb:cc 192.168.210.230
b.krypted.lan 1 00:00:00:aa:bb:cc 192.168.210.240


You can start and stop the service either using the serveradmin command:

serveradmin stop dhcp serveradmin start dhcp

Or using the launchctl:

sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/bootps.plist sudo /bin/launchctl load -w /System/Library/LaunchDaemons/bootps.plist

You can also add DHCP Reservations, or static maps. To do so, click on the clients tab and then click on the plus sign (“+”). From here, you can add a hostname and IP address to a given MAC address in order to allow that MAC address to always be assigned the IP you’d like.



Finally, you can define DHCP options in /etc/bootp.plist. This process isn’t necessarily support, there is no GUI control for options, and options are not as widely used with devices as they once were. However, it’s absolutely an option if needed.

September 26th, 2017

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , ,

A wiki is a repository of dynamically created and managed content, or content created or edited by multiple users collaboratively. This article is about using the wiki service in macOS Server 5.4 (the Apple Server app running on 10.13/High Sierra). I reference file services with WebDAV because it is a very nice integration piece that I think a lot of people will find pretty beneficial.

To get started with the Wiki service, first turn it on. This one isn’t heavily dependent on host names (other than being able to access the server from a browser) or directory services (other than being able to authenticate users, but local accounts are perfectly functional) and it doesn’t require the Websites service to be running as well. One should always have good working directory services and host names, still…

To enable the service, open the Server app and click on Wiki in the list of SERVICES in the List Pane.

There are two configuration options. The first is to select who is able to create wikis. Use the “Wikis can be created by” drop-down list to select “all users” if anyone with an account on the server should be able to create a wiki or “only some users” to bring up the Wiki Creators screen.

If only some users can create new wikis, use the plus sign (“+”) at the Wiki Creators screen to add users and/or groups to the list of users that can create wikis. Click on OK when all users and groups that can create wikis are added. In a school I would imagine that only teachers or IT staff would be able to create wikis. Once a wiki is created, pages inside the wiki can still be created by non-wiki creators.

The other option available is the handy dandy WebDAV interface to the wikis. When you enable this option, you can connect to a server from macOS or iOS via WebDAV and access files in each wikis document repository. To be clear, this option doesn’t provide access to the user documents, but does provide access to the wiki documents. We’re going to check the box for “Enable WebDAV access to Wiki files” and then click the ON button.

Once the service starts, click on the View Wiki link in the Wiki workspace in Server app.



Here, click on the Log in button and enter a user with access to the server, preferably one who can create wikis.

At the Wikis page, you will then see a list of all wikis you have access to. Note that the previous screen showed one wiki and now we see two. That’s because one of the wikis has permissions that allow “All unauthenticated users” access to the wiki, which we’ll describe shortly. The first thing most administrators will do is create a wiki. To do so, click on the plus sign (“+”) icon on the web page and at the resultant screen, click on New Wiki.



At the “Create a new wiki” prompt, provide a name for the wiki and a brief description for it.

Click on Continue.



At the Set permissions screen, enter each user or group to provide access to edit and view wiki pages. Here, you’ll have the options for Read & Write (users can view and edit pages in the wiki), Read only (users can only view the contents of your pages) and No access (users have no access to the wiki). There is a group for All logged in users, which includes every user with access to the server and another for All unauthorized users, which includes guests to the server. Once you’ve given the appropriate permissions, click on Continue.

Note: You don’t have to get this perfect now as you can always edit these later.



At the Set Appearance screen, you can choose an icon for the wiki (shown in the wiki list and when you open the wiki) as well as a color scheme for the wiki. Choose the appropriate appearance for your wiki (again, you can always change this later) and then click on the Create button.



Once the setup is finished, you’ll see the Setup complete modal. Here, you can click on Go to Wiki button.

Once you’ve created your first wiki, let’s edit it and customize the content. To do so, click on it from the list of available wikis. Click on the cog-wheel icon and then Wiki Settings… to bring up the Wiki Settings page.

Here, you’ll see the previously entered name and description as well as options to enable Calendar (only available if Calendar Server is running on the server) and Blog, which enables  a blog service for the wiki (wiki administrators can post blog entries to the wiki). Click on Appearance.

Here, you will have the previous two options as well as the ability to upload a banner (which should be 62 pixels high) and background for each wiki.



Click on Permissions. Here, you’ll see the permissions previously configured as well as options to configure who can comment on articles (nobody disables comments completely) in the wiki and whether comments require approval (moderation).

Click on Save. Now, let’s edit the splash page. To do so, click the pencil icon in the top navigation bar.



At the edit screen, the top nav bar is replaced by a WYSIWIG editor for managing the page. Here you can justify, link, insert media and of course edit the text you see on the screen. I recommend spending some time embedding links, inserting tables, making text look like you want it to and editing the content to reflect the purpose of the wiki. Click Save when you’re done. Click the pencil again to edit it, and let’s create a new wiki page. Keep in mind that link wikipedia, each page should be linked to from other pages in the order they should be read. Unlike most wikis, there’s actually an index page of all the articles, which can come in handy.



From the edit page, to create a new page and link to it, enter some text (or lasso some) that you’ll use as the link to access the new page you’re creating. Then click on the arrow and select “New page.”

Note: Use Enter URL to link to an existing page or an external website, instead of creating a new page.



At the New Page screen, provide a name for the new page (the lasso’d text automatically appears as the Page Title) and click on the Add button.

Click Save and then click on the newly created link. You can now edit the new page the same way you edited the previous pages. Click on the disclosure triangles in the right sidebar to Comment on articles, link articles to related articles, tag articles and view editing history.

Now for the fun part. Click on Documents. Here, you’ll see the pages you already created. Click on the plus sign and select the option to Upload File to the wiki.



At the Upload File dialog, click on Choose File and then select a file to upload.

Click Upload when selected.

Then from the Finder of a macOS client, use the Go menu to select “Connect to Server”. Enter the name or IP of the server and then click on Connect.

Assuming you can access the server, you should then be prompted for a username and password. Enter it and click Connect. Eventually, the file(s) will display (it can take awhile according to your network speeds and how many files are in the directory). You can connect to this same screen through an iPad using a 3rd party WebDAV client or the build in options in Pages.

Managing wikis is as easy as its ever been, with the new options for appearance being a nice add-on. Active Directory integration is as easy as binding the server to Active Directory and using the accounts listed in Permissions of pages.

Now that iOS devices can edit wikis and many of the traditional word processing options are available in the wiki editor, consider what the Wiki can be. Could it replace text editing apps for iOS? Could the Wiki allow for more collaborative documents than a Word or other document editor? Could it keep from getting eaten like the rest of the homework? Could the comments in the Wiki be a good way for teachers to have students write responses to materials? Could the Wiki and the document management features allow your workers to access human resources documents and employee manuals? I know plenty of tech firms that use wikis to track information about the systems they manage.

Once you have all of this information, upgrading can seem downright scary. But fear not, there’s Carbon Copy Cloner. And once you’ve cloned, there’s wikiadmin. When doing an upgrade in place, the Wiki service is pretty straight forward to upgrade, but in many cases, due to aging hardware, wiki services are moving from an older computer to a newer computer. This can be done in one of two ways. The first is to “migrate” the data by copying the Collaboration folder onto the new system. The second is to “export” and “import” the data. I usually recommend doing a migrate where possible, so we’ll start with that method.

Note: Before getting started, make sure that the directory services side of things is good. If a user or group lookup for an object that owns, edits or has commented on a wiki fails then that wiki probably shouldn’t be migrated. Use the dscl or id commands to confirm that lookups are functioning as intended.

To migrate wikis from one server to another, first copy the Collaboration directory to the new server. In this example, the directory has been dropped onto the desktop of the currently logged in user. To migrate the data once copied, use the wikiadmin command, along with the migration option. The option requires the path to the Collaboration folder, defined with -r, as follows:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin migrate -r ~/Desktop/Collaboration

When moving wikis, you can take the opportunity to get rid of a few you don’t want (such as that test wiki from way back when). Or administrators may just choose to move a single wiki to a new server in order to split the load across multiple hosts. When doing so, use the same command as earlier, along with the name of each wiki that is being moved, along with the -g option. For example, if moving the Legal wiki:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin migrate -r ~/Desktop/Collaboration -g Legal

The second way of moving wikis around is to export and then import them. To do so, first export wikis on the old server, using the wikiadmin command along with the export option, which requires an –exportPath option and needs to be done, on a wiki-by-wiki basis. So to export that Legal wiki to a file called LegalWikiTMP on the desktop:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin export -g Legal --exportPath ~/Desktop/LegalWikiTMP

Next, copy the wiki to the new server and import it, using the import option along with –importPath to identify where the file being imported is located. Using the same location, the command would then be:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin import -g Legal --importPath ~/Desktop/LegalWikiTMP

Note: The ability to import a wiki also allows for an API of sorts, as you can programmatically create wikis from other sources. The ability to export also provides a way to move into another wiki tool if you happen to outgrow the options provided in Server and need to move to something more robust.

There is another way to move wikis, using pg_dump, copying the data and then using pg_restore to import the data once you’ve created the tables.  This way is, in my opinion, the last resort if the standard wikiadmin commands aren’t working. In my experience, if I’m doing the migration this way then I’ve got other, bigger issues that I need to deal with as well.

These commands work best when the wiki service has been started so that the databases are fully built out. To start the wiki service from the command line, use the serveradmin command instead of the wikiadmin command. The serveradmin command is used with the start option and then wiki is used to indicate the wiki service, as follows:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start wiki

The service can also be stopped, swapping out the start option with a stop option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop wiki

In a few cases (this is the main reason I’m writing this article), the attachments to wikis don’t come over during a migration. To migrate the files that are used for QuickLook, downloading attachments, etc, use the serveradmin command to locate the directory that these objects are stored in:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings wiki:FileDataPath

The output identifies the directory where these objects are stored. Placing the contents in the same relative path as they are to the output of the same command on the target server usually results in restoring them. Once moved, use the fixPermissions option to repair the permissions of any files from the source (if any changes to account IDs are encountered such as an export/import rather than an archive/restore in OD this can lead to odd issues:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin fixPermissions

Also use the rebuildSearchIndex option with the wikiadmin command to fix any indexing, once the permissions have been repaired:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin rebuildSearchIndex

And finally use resetQuicklooks to clear any cached Quicklook representations of objects that have been inserted into a wiki and might not display properly using Quicklook (you know you might need to do this if they look fine when downloaded but look bad with Quicklook even though QuickLook on the server can view the files just fine):

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin resetQuicklooks

When done properly the migration can take awhile. Keep in mind that every tag, every article, every edit to every article and basically everything else is tracked inside the tables that you’re moving. While there might not be a ton of data in the Collaboration directory or in an export, all of the data needs to go to the right location. This can take a little time in environments that have a lot of articles, even if they’re really short articles…

September 26th, 2017

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , , , , ,

The changes in the Server app are pretty minimal in the macOS Server 5.4 version that we’re now looking at. All of the options from previous versions are still there and the dnsconfig command line interface for managing the service are basically unchanged. The DNS service in macOS Server, as with previous versions, is based on bind 9 (BIND 9.9.7-P3 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, macOS, Linux and even Zoe-R. The first time you open the DNS Service click on the DNS service in the ADVANCED section of the list of SERVICES.
 
Then, click on the cog wheel icon below the list of records and click on Show All Records.
 
At the Records screen, you’ll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you’ll be able to enter a Forwarders, or DNS servers that resolve names that the server you’re using can’t resolve using its own DNS records.

 

Click the plus sign to enter the IP address of any necessary Forwarders. Enter the IP address of any Forwarding servers, then click OK to save your changes.

 

Once back at the main DNS service control screen, click the Edit… button for Perform lookups for to configure what computers the DNS server you are setting up can use the DNS service that the server is hosting.


At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”.

Managing Records

All you have to do to start the DNS is click on the ON button (if it\u2019s not already started, that is). There\u2019s a chance that you won\u2019t want all of the records that are by default entered into the service. But leave it for now, until we\u2019ve covered what everything is. To list the various types of records:

","engine":"visual"}” data-block-type=”2″>
All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. Next, click on the cog wheel icon below the records list, and you’ll see a list of all the records and record types that are currently running on the server.

To list the various types of records:

Then, when you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.
 

These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be krypted.com rather than mavserver.krypted.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes).
“Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.” — http://krypted.com/mac-os-x/dont-go-near-there-sponsored-top-level-domain-names/

Note: The above screen has the domain in the zone field and the name of a record, such as www for the zone called, for example, krypted.lan.

Click Done to commit the changes or create the new record. Next, let’s create a MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records.


Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypton.lan, so mail.krypted.lan. If you have multiple MX records, increment the priority number for the lower priority servers.

As a full example, let’s create a zone and some records from scratch. Let’s setup this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone.


At the zone screen, enter the name of the domain you’re setting up (e.g. krypted.com, also known as the zone), check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record.


At the New Machine Record screen, select the appropriate zone as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in the appropriate IP. Click on Done to commit the changes. Repeat the process for each host that needs an address and then click Done to create the records.

Setting Up Secondary Servers

Now let\u2019s setup a secondary server by leveraging a secondary zone running on a second computer. On the second Mountain Lion Server running on the second server, click on the plus sign for the DNS service and select Add Secondary Zone.

","engine":"visual"}” data-block-type=”2″>

Setting Up Secondary Servers

Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second macOS Server, click on the plus sign for the DNS service and select Add Secondary Zone.



Managing DNS From The Command Line

Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you\u2019re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in OS X Mountain Lion Server is to do everything possible using the serveradmin command. To start the service, use the start option:

","engine":"visual"}” data-block-type=”2″> At the Secondary Zone screen, enter krypted.com as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field (actually, enter your domain name, not mine). Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).

Managing DNS From The Command Line

Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in macOS Server is to do everything possible using the serveradmin command for global management and dnsconfig for record and zone management. Once you start editing configuration files, the user interface can become unstable and other updates may or may not override the updates you make in those configuration files. To start the service, use the start option:

sudo serveradmin start dns
http://krypted.com/?p=45195. In /private/var/named are a collection of each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of our test zone we created, let’s view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone):

cat /var/named/db.krypted.xsan
http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the new /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig command line tool. I’ve written an article on managing DNS using this tool, available here.

Share:

September 26th, 2017

Posted In: Mac OS X, Mac OS X Server, Uncategorized

Tags: , , , , , , ,

Open Directory has never been this easy to setup for a basic environment as it is in macOS Server 5.4 (for macOS 10.13 running on High Sierra). As with almost any previous version of macOS Server and Open Directory, once you’ve installed the Server app, run the changeip command along with the -checkhostname option to verify that the IP, DNS and hostname match. If (and only if as it will fail if you try anyway) you get an indication of “Success.” I know, I know, you’ve been told that you didn’t have to do this kind of command line stuff any more… But really, you should – and if you don’t believe me, check out the contents of the attributes in the OD database… And besides, all you have to do is paste it in…

bash-3.2# sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/changeipchangeip -checkhostname

Which should respond as follows if all your DNS stuff is configured to match your host name:

dirserv:success = "success"

Initially, you no longer see Open Directory in the sidebar of the Server app. Simply click on the entry in View to see it. Then, to set up the Open Directory Master, click on the Open Directory service. From here, click on the ON button.

 
For the purposes of this example, we’re setting up an entirely new Open Directory environment. At the “Configure Network Users and Groups” screen, click on “Create a new Open Directory Domain” and click on the Next button.

 
Note: If you are restoring an archive of an existing Open Directory domain, you would select the bottom option from this list.

At the Directory Administrator screen, enter a username and password for the directory administrator account. The default account is sufficient, although it’s never a bad idea to use something a bit less generic.

 
Once you’ve entered the username and password, click on the Next button. Then we’re going to configure the SSL information.

 
At the Organization Information screen, enter a name for the organization in the Organization Name field and an Email Address to be used in the SSL certificate in the Admin Email Address field. Click on Next.

 
At the Confirm Settings screen, make sure these very few settings are OK with you and then click on the Set Up button to let slapconfig (the command that runs the OD setup in the background, kinda’ like a cooler dcpromo) do its thing. When the Open Directory master has been configured, there’s no need to reboot or anything, the indicator light for the Open Directory service should appear. If the promotion fails then look to the preflight options I wrote up awhile back.

 
Clicking on the minus (“-”) button while a server is highlighted runs a slapconfig -destroyldapserver on the server and destroys the Open Directory domain if it is the only server. All domain information is lost when this happens.

 
Next, let’s bind a client. Binding clients can be done in a few different ways. You can use a script, a Profile, the Users & Groups System Preference pane or build binding into the imaging process. For the purpose of this example, we’ll use the System Preference pane. To get started, open up the System Preference pane and then click on Users & Groups. From here, click on Login Options and then unlock the lock in the lower left corner of the screen, providing a username and password when prompted.

 
Click on the Edit… button and then the plus sign (“+”).

 
Then, enter the name of the Open Directory Master (the field will expand with options when you enter the host name.

 
It’s probably best not to use the IP address at this point as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user. Provided everything works that’s it.

Next, use dscl to browse users and verify that you can see items in Open Directory as well as your local database. The following will do so, using your hostname in place of mine, and with your password:

dscl -u diradmin -P <PASSWORD> /LDAPv3/macosserver.krypted.com -read /Users/diradmin

Once configured and tested, the devil is of course in the details. There is very little data worth having if it isn’t backed up. Notice that you can archive by clicking on the cog wheel icon in the Open Directory service pane, much like you could in Server Admin. Or, because this helps when it comes to automating backups (with a little expect), to run a backup from the command line, run the slapconfig command along with the -backupdb option followed by a path to a folder to back the data up to:

sudo slapconfig -backupdb /odbackups


The result will be a request for a password then a bunch of information about the backup:

bash-3.2# sudo slapconfig -backupdb /odbackups 2016-09-08 04:31:13 +0000 slapconfig -backupdb Enter archive password: 2016-09-08 04:31:17 +0000 1 Backing up LDAP database 2016-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage1769HtaFE7/backup.ldif, "r" 55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable 2016-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -b cn=authdata -l /tmp/slapconfig_backup_stage1769HtaFE7/authdata.ldif, "r" 55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable 2016-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/DB_CONFIG, "r" 2016-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/authdata//DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/authdata_DB_CONFIG, "r" 2016-09-08 04:31:17 +0000 popen: /bin/cp -r /etc/openldap /tmp/slapconfig_backup_stage1769HtaFE7/, "r" 2016-09-08 04:31:17 +0000 popen: /bin/hostname > /tmp/slapconfig_backup_stage1769HtaFE7/hostname, "r" 2016-09-08 04:31:17 +0000 popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig_backup_stage1769HtaFE7/local_odkrb5realm, "r" 2016-09-08 04:31:18 +0000 popen: /usr/bin/tar czpf /tmp/slapconfig_backup_stage1769HtaFE7/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/acl_file.* /var/db/krb5kdc/m_key.* /etc/krb5.keytab , "r" tar: Removing leading '/' from member names 2016-09-08 04:31:18 +0000 2 Backing up Kerberos database 2016-09-08 04:31:18 +0000 popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig_backup_stage1769HtaFE7/KerberosKDC.plist, "r" 2016-09-08 04:31:18 +0000 popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig_backup_stage1769HtaFE7/, "r" 2016-09-08 04:31:18 +0000 3 Backing up configuration files 2016-09-08 04:31:18 +0000 popen: /usr/bin/sw_vers > /tmp/slapconfig_backup_stage1769HtaFE7/version.txt, "r" 2016-09-08 04:31:18 +0000 popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig_backup_stage1769HtaFE7/, "r" 2016-09-08 04:31:18 +0000 Backed Up Keychain 2016-09-08 04:31:18 +0000 4 Backing up CA certificates 2016-09-08 04:31:18 +0000 5 Creating archive 2016-09-08 04:31:18 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage1769HtaFE7 -format SPARSE -encryption AES-256 -stdinpass /odbackups 2016-09-08 04:31:25 +0000 Removed directory at path /tmp/slapconfig_backup_stage1769HtaFE7. 2016-09-08 04:31:25 +0000 Removed file at path /var/run/slapconfig.lock.

To restore a database (such as from a previous version of the operating system where such an important option was actually present) use the following command (which just swaps backupdb with -restoredb)

sudo slapconfig -restoredb /odbackups

Both commands ask you for a password to encrypt and decrypt the disk image created by them.

September 26th, 2017

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , ,

The statshares option has an -m option to look at a mount path for showing the path to the mount (e.g. if the mount is called krypted this should be something like /Volumes/krypted):

smbutil statshares -m /Volumes/krypted

When run, you see a list of all the attributes OS X tracks for that mount path, including the name of the server, the user ID (octal), how SMB negotiated an authentication, what version of SMB is running (e.g. SMB_1), the type of share and whether signing, extended security, Unix and large files are supported. Additionally, if you’d like to see the attributes for all shares, use the -a option after statshares:

smbutil statshares -a

You’ll then see the SHARE, ATTRIBUTE TYPE, and VALUE for each share mounted. Overall, this is a nice health check type of verb to the smbutil command that can be added to any monitoring or troubleshooting workflow.

September 26th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , ,

« Previous PageNext Page »