I’d written an efi version checker. But the lovely Andrew Seago texted me one that’s better than mine. So I present it here:
current_efi_version=`/usr/libexec/efiupdater | grep "Raw" | cut -d ':' -f2 | sed 's/ //'`
echo "current_efi_version $current_efi_version"
latest_efi_version=`ls -La /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle/allowlists/ | grep "$current_efi_version"`
echo "latest_efi_version $latest_efi_version"
if [ "$latest_efi_version" == "" ]; then
echo "EFI FAILED"
echo "EFI PASSED"
krypted November 2nd, 2017
Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Uncategorized
efi checker, high sierra, MAC, macos
The full guide for managing macOS Server 5.4 running on High Sierra is now available at http://krypted.com/guides/macos-server-5-3-high-sierra/
Imma take a nap now. See ya’ when 5.6 ships!
krypted September 29th, 2017
Posted In: Uncategorized
You’ve got Open Directory running and humming beautifully in macOS Server 5.4 (running on macOS High Sierra). You show up to work and the hard drive has died on that perfectly configured Open Directory Master. Luckily, you have a replica and you have an archive of your Master. You can restore or you can promote your Replica to a Master. What to do? Well, I can’t tell you what you should do, but I can tell you that Apple has planned for this. Here, we’re going to look at promoting that Replica to a Master. Because after all, hard drives fail. Let’s look at what all this looks like.
Create An Open Directory Archive
In order to properly restore an Open Directory Master or promote a Replica to a Master, you’ll need the SSL keys. You should also just keep archives of your Open Directory environment around (albeit in a secure location) because you really never know. To create an Open Directory Archive, which has the keys in it as well as data needed to restore a Master, first open the Server app. From within the Server app, click on the Open Directory service.
Towards the bottom of the screen, click on the cog wheel icon.
At the menu, click Archive Open Directory Master…
When prompted, provide the username and password to the Open Directory environment shown in the Server field and then click on the Connect button.
At the Archive Open Directory Master screen, choose a location to create your archive. Also, provide a password for the archive. Click the Archive button when you’re ready to proceed.
At the Confirm Settings screen, click Archive. The archive is then created. Keep this safe as it has all your base are belong to us in it. You have to do this proactively. Once the hard drive in that Open Directory Master craps out, you’ll need the Archive to put the pieces of Humpty Dumpty back together again.
Promote A Replica To A Master
Provided you have a Replica and an Archive, promoting a Replica to a Master couldn’t be easier in macOS Server. To do so, open the Server app from the Replica and then use the cog wheel icon to bring up the menu.
Here, click Promote Replica to Master.
At the “Promote Open Directory replica to master” screen, provide an Open Directory username and password (e.g. diradmin with the appropriate password). Also, choose the archive you created previously. Then click Next.
The Replica will become an archive. Once finished, remove any other replicas and repromote them.
Stop Open Directory
Another option is to stop Open Directory on the replicas until you can get your Master back up and running. To stop Open Directory, open the Server app and click on the Open Directory service. Click on the OFF button. You’ll then be prompted to verify that you really want to stop directory services on the server. Click OK (which should probably read a bit more ominous, like “OMG, OK”. The server is then stopped. To completely remove Open Directory from the old server, run the slapconfig command, followed by -destroyldapserver:
Also, don’t forget to go to the Master and remove any servers from there as well, once they’ve been fully demoted. View the logs using cat for any other weirdness:
krypted September 26th, 2017
Posted In: Uncategorized
The changes in the Server app are pretty minimal in the macOS Server 5.4 version that we’re now looking at. All of the options from previous versions are still there and the dnsconfig command line interface for managing the service are basically unchanged. The DNS service in macOS Server, as with previous versions, is based on bind 9 (BIND 9.9.7-P3 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, macOS, Linux and even Zoe-R.
The first time you open the DNS Service click on the DNS service in the ADVANCED section of the list of SERVICES.
Then, click on the cog wheel icon below the list of records and click on Show All Records.
At the Records screen, you’ll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you’ll be able to enter a Forwarders, or DNS servers that resolve names that the server you’re using can’t resolve using its own DNS records.
Click the plus sign to enter the IP address of any necessary Forwarders. Enter the IP address of any Forwarding servers, then click OK to save your changes.
Once back at the main DNS service control screen, click the Edit… button for Perform lookups for to configure what computers the DNS server you are setting up can use the DNS service that the server is hosting.
At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”.
All you have to do to start the DNS is click on the ON button (if it\u2019s not already started, that is). There\u2019s a chance that you won\u2019t want all of the records that are by default entered into the service. But leave it for now, until we\u2019ve covered what everything is. To list the various types of records:
All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. Next, click on the cog wheel icon below the records list, and you’ll see a list of all the records and record types that are currently running on the server.
To list the various types of records:
Then, when you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.
These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be krypted.com rather than mavserver.krypted.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes).
Note: The above screen has the domain in the zone field and the name of a record, such as www for the zone called, for example, krypted.lan.
Click Done to commit the changes or create the new record.
Next, let’s create a MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records.
Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypton.lan, so mail.krypted.lan. If you have multiple MX records, increment the priority number for the lower priority servers.
As a full example, let’s create a zone and some records from scratch. Let’s setup this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone.
At the zone screen, enter the name of the domain you’re setting up (e.g. krypted.com, also known as the zone), check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record.
At the New Machine Record screen, select the appropriate zone as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in the appropriate IP. Click on Done to commit the changes. Repeat the process for each host that needs an address and then click Done to create the records.
Setting Up Secondary Servers
Now let\u2019s setup a secondary server by leveraging a secondary zone running on a second computer. On the second Mountain Lion Server running on the second server, click on the plus sign for the DNS service and select Add Secondary Zone.
Setting Up Secondary Servers
Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second macOS Server, click on the plus sign for the DNS service and select Add Secondary Zone.
Managing DNS From The Command Line
Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you\u2019re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in OS X Mountain Lion Server is to do everything possible using the serveradmin command. To start the service, use the start option:
At the Secondary Zone screen, enter krypted.com as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field (actually, enter your domain name, not mine). Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).
Managing DNS From The Command Line
Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in macOS Server is to do everything possible using the serveradmin command for global management and dnsconfig for record and zone management. Once you start editing configuration files, the user interface can become unstable and other updates may or may not override the updates you make in those configuration files.
To start the service, use the start option:
sudo serveradmin start dns
http://krypted.com/?p=45195. In /private/var/named are a collection of each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of our test zone we created, let’s view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone):
http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the new /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig command line tool. I’ve written an article on managing DNS using this tool, available here