In case your Mac just isn’t emo enough for ya’, Apple’s provided us a cool little new feature in Yosemite called dark mode. No, this won’t cause Hellboy to leap forth from your MacBook Air. Well, maybe he’ll visit your MacBook Pro, but I haven’t tested that so please don’t quote me on that. Instead, you’ll get the nice new dark menu bar:
But that’s not all folks! Your dock will also get all dark and gothy!
To turn it on, just open the General System Preference pane and check the box for “Use dark menu bar and Dock”.
Enjoy! Oh, and if that’s not emo enough for you feel free to watch this sad emo love song video (yes, I googled for “sad emo” to find it; no, it’s not bookmarked; yes, I bought eyeliner after watching it; yes, then my high school self time travelled to present day and kicked the crap out of me; yes, I thanked him).
krypted October 5th, 2015
Posted In: Mac OS X
DNS is DNS. And named is named. Except in OS X Server. Sometimes. The configuration files for the DNS services in OS X Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/ makes it more portable across systems. The current version of BIND is 9.9.7-P2.
Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In OS X Server 5 (for El Capitan and Yosemite), a new command is available at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework called dnsconfig. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear. The verbs available include help (show help information), list (show the contents of configurations and zone files), add (create records and zones) and delete (remove records and zones).
To view data available in the service, use the list verb. Options available when using the list verb include --acl (show ACLs), --view (show BIND view data), --zone (show domains configured in the service), --rr (show resource records) and --rrtype (show types of resource records). For example, let’s say you have a domain called pretendco.lan and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the --zone option and the domain name:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --zone=pretendco.lan
The output would show you information about the listed zone, usually including View data:
To see a specific record, use the --rr option, followed by = and then the fqdn, so to see ecserver.pretendco.lan:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --rr=ecserver.pretendco.lan
By default views are enabled and a view called com.apple.ServerAdmin.DNS.public is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the --view option followed by the name of the view (--view=com.apple.ServerAdmin.DNS.public) to any records that you want to create. To create a record, use the add verb. You can add a view (--view), a zone (--zone) or a record (--rr). Let’s start by adding a record to the pretendco.lan from our previous example. In this case we’ll add an A record called www that points to the IP address of 192.168.210.201:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201
You can add a zone by providing the --view to add the zone to and not providing a --rr option. Let’s add krypted.lan:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan
Use the delete verb to remove the data just created:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan
Or to delete that one www record earlier, just swap the add with a delete:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201
The output would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the --option option when creating objects, along with the following options (each taken as a value followed by an =; this information is taken from the help page):
- allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
- allow-recursion Takes one or more address match list entry.
- allow-update Takes one or more address match list entry.
- allow-query Takes one or more address match list entry.
- allow-query-cache Takes one or more address match list entry.
- forwarders Takes one or more IP addresses, e.g. 10.1.1.1
- directory Takes a directory path
- tkey-gssapi-credential Takes a kerberos service principal
- tkey-domain Takes a kerberos realm
- update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the identity of the user/machine that is allowed/disallowed to update. You can also identify match-type (the type of match to be used in evaluating the entry) and match-name (the name used to match) as well as rr-types (the resource record types that can be updated)
Overall, this command is one of the better updates we’ve seen from Apple for managing DNS in a long time. It shows a commitment to continuing to make the service better: when you add or remove records, you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this, and it’s a great tool for when you’re imaging systems and want to create records back on a server, or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with views as easy as I’ve seen it on most platforms, and it is overall a breeze to work with compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by editing the files directly.
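As an added example of the bulk scripting mentioned above (this is not code from the original post or from Apple), the script below reads "name address" pairs from a file and feeds each one to the dnsconfig add verb with the same view, zone and record syntax shown earlier. The file format, the function names, and the validation rules are this example’s own assumptions; the dnsconfig path, verbs and options are the ones from the post. Records are checked before they reach dnsconfig so that a damaged cached file cannot push a malformed name or address into the zone, and the run ends with a list of the zone so you can confirm what was created.

```shell
#!/bin/sh
# Added example (not from the original post): bulk-create A records in an
# OS X Server 5 zone with dnsconfig from a file of "name address" lines.
# DNSCONFIG and VIEW can be overridden in the environment for testing.

DNSCONFIG="${DNSCONFIG:-/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig}"
VIEW="${VIEW:-com.apple.ServerAdmin.DNS.public}"

# A single hostname label: letters, digits and hyphens, no leading/trailing
# hyphen, at most 63 characters (assumed rule for this example).
valid_label() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# A dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# bulk_add ZONE FILE
# FILE holds one "name address" pair per line; blank lines and lines starting
# with '#' are ignored. Malformed lines are reported and skipped. Prints a
# summary and returns 0 only if every record line was applied.
bulk_add() {
    zone=$1
    file=$2
    applied=0
    rejected=0
    while read -r name addr extra; do
        case $name in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! valid_label "$name" || ! valid_ipv4 "$addr"; then
            echo "skipping malformed line: $name $addr $extra" >&2
            rejected=$((rejected + 1))
            continue
        fi
        # Same invocation as the post's single-record example, per line.
        "$DNSCONFIG" add "--view=$VIEW" "--zone=$zone" "--rr=$name" A "$addr" </dev/null
        applied=$((applied + 1))
    done < "$file"
    echo "zone $zone: applied=$applied rejected=$rejected"
    [ "$rejected" -eq 0 ]
}

# Show the zone afterwards so the new records can be confirmed.
verify_zone() {
    "$DNSCONFIG" list "--zone=$1"
}
```

Usage on a server would be `bulk_add pretendco.lan /path/to/records.txt && verify_zone pretendco.lan`. Because dnsconfig is invoked once per record, a rejected line never stops the rest of the file; the non-zero return status at the end is what a wrapper script should key off.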
krypted October 5th, 2015
Posted In: Mac OS X Server
I wrote about using smbutil for DFS in Lion a while back. I haven’t needed to write anything else as it hasn’t changed since. The statshares verb has an -m option that takes the path to a mount and shows the attributes of that mount (e.g. if the mount is called krypted, this should be something like /Volumes/krypted):
smbutil statshares -m /Volumes/krypted
When run, you see a list of all the attributes OS X tracks for that mount path, including the name of the server, the user ID (octal), how SMB negotiated an authentication, what version of SMB is running (e.g. SMB_1), the type of share and whether signing, extended security, Unix and large files are supported.
Additionally, if you’d like to see the attributes for all shares, use the -a option after statshares:
smbutil statshares -a
Overall, this is a nice health check type of verb to the smbutil command that can be added to any monitoring or troubleshooting workflow.
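To show how statshares can feed a monitoring workflow, here is an added example (not code from the original post) that reads the output of smbutil statshares -a and flags mounts that negotiated SMB_1 or report that signing is unsupported, the two attributes from the list above that matter most when looking for a downgraded or unsigned session. The attribute names SMB_VERSION and SIGNING_SUPPORTED, and the column layout with the share name on its own line, are assumed from typical statshares output; the sample text in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): health check over
# "smbutil statshares" output for monitoring. Assumed attribute names:
# SMB_VERSION and SIGNING_SUPPORTED, one share name per line followed by
# indented "ATTRIBUTE VALUE" lines.

# check_smb_health reads statshares output on stdin, prints one WARN line
# per finding and returns 1 if anything was flagged, 0 when all shares are clean.
check_smb_health() {
    awk '
        # separator rows (====) and the column header carry no share data
        /^=+$/ || $1 == "SHARE" { next }
        # a line with a single field names the share that the following
        # attribute lines belong to
        NF == 1 { share = $1; next }
        $1 == "SMB_VERSION" && $2 == "SMB_1" {
            printf "WARN %s: negotiated %s (legacy dialect, possible downgrade)\n", share, $2
            bad = 1
        }
        $1 == "SIGNING_SUPPORTED" && $2 != "TRUE" {
            printf "WARN %s: SMB signing not supported (%s)\n", share, $2
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Run the live command on an OS X host and hand it to the checker.
audit_mounted_shares() {
    smbutil statshares -a | check_smb_health
}
```

Run `audit_mounted_shares` from a monitoring agent or a troubleshooting session; a non-zero exit with WARN lines on stdout is easy to turn into an alert, while a clean run is silent.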
krypted October 4th, 2015
A nifty little feature of nvram is the ability to delete all of the firmware variables you’ve created. This can be helpful if you’ve made a bunch of changes to a system and want to remove them all. If you run nvram with the -p option you’ll see all of the configured firmware variables:
If you run it with -d you’ll delete the variable that you specify (e.g. boot-args):
nvram -d boot-args
But if you run it with -c, you’ll wipe them all:
krypted October 4th, 2015
Posted In: Mac OS X
The first thing you’ll want to do on any server is setup the networking for the computer. To do this, open the System Preferences and click on Network. You usually want to use a wired Ethernet connection on a server, but in this case we’ll be using Wi-Fi. Here, click on the Wi-Fi interface and then click on the Advanced… button.
At the setup screen for the interface, provide a good static IP address. Your network administrator can provide this fairly easily. Here, make sure you have an IP address and a subnet mask. Since we need to install the Server app from the Mac App Store, and that’s on the Internet, you’ll also need to include a gateway, which provides access to the Internet and using the DNS tab, the name servers for your Internet Service Provider (ISP).
Once you have provided a static IP address, verify that you can route to the Internet (e.g. open Safari and visit a website). Provided you can, the first step to installing OS X Server is to download the Server app from the Mac App Store. On an El Capitan (or Yosemite) machine, open the App Store app and search for Server. In the available apps, you’ll see the Server app from Apple. Here, click on Buy and let the app download. That was pretty easy, right? Well, the fun has just gotten started. Next, open the app.
When you first open the Server app, you’ll see the OS X Server screen. Here, you can click on the following options:
Click Continue to setup OS X Server on the machine you’re currently using. You’ll then be prompted for the licensing agreement from Apple. Here, check the box to “Use Apple services to determine this server’s Internet reachability” and click on Agree (assuming of course that you agree to Apple’s terms in the license agreement).
Installing OS X Server must be done with elevated privileges. At the prompt, enter the credentials for an account with administrative access and click on the Allow button.
The services are then configured as needed and the command line tools are made accessible. This can take some time, so be patient. When the app is finished with the automation portion of the configuration, you will be placed into the Server app for the first time. Your first order of business is to make sure that the host names are good on the computer. Here, first check the Host Name. If the name doesn’t resolve properly (forward and reverse) then you will likely have problems with the server at some point. Therefore, go ahead and click on Edit Host Name… Here, enter the fully qualified address that the server should have. In the DNS article, we’ll look at configuring a good DNS server, but for now, keep in mind that you’ll want your DNS record that points to the server to match what you enter here. And users will use this address to access your server, so use something that is easy to communicate verbally, when needed.
At the Change Host Name screen, click Next. At the “Accessing your Server” screen, click on Internet and then click on the Next button.
At the “Connecting to your Server” screen, provide the Computer Name and the Host Name. The Computer Name is what you will see when you connect to the server over Bonjour and what will be listed in the Sharing System Preference pane. The Host Name is the fully qualified host name (fqdn) of the computer. I usually like to take the computer name and put it in front of the domain name. For example, in the following screen, I have osxserver as the name of the computer and osxserver.krypted.com as the host name.
Once you have entered the names, click on the Finish button. You are then prompted to Change Host Name. Click on Change Host Name at this screen.
Next, let’s open Terminal and run changeip with the -checkhostname option, to verify that the IP and hostname match:
sudo changeip -checkhostname
Provided that the IP address and hostname match, you’ll see the following response.
sudirserv:success = "success"
If the IP address and hostname do not match, then you might want to consider enabling the DNS server and configuring a record for the server. But at this point, you’ve finished setting up the initial server and are ready to start configuring whatever options you will need on the server.
krypted October 4th, 2015
Posted In: Mac OS X Server
The directory services options in OS X have quietly been going through some slow changes over the past couple of years. Many of the tools we use to manage accounts look similar on the outside but sometimes work a little differently under the hood. Account information is still stored in the /var/db/dslocal/nodes directory. Here, the local directory service pulls files from within directories recursively when accountsd loads. You can still create a second instance of the local directory service by copying the Default directory. For example, here we’ll copy the Default directory node to a directory node called NEW:
sudo cp -prnv /var/db/dslocal/nodes/Default /var/db/dslocal/nodes/NEW
If you killall accountsd and then wait (this is slower than doing a killall of DirectoryService was), you’ll then see and be able to use this new directory node:
sudo killall accountsd
This is one way to go about forklifting large collections of accounts from one system to another. The dsmemberutil command can still be used to obtain certain information from accounts. For example, you can check group membership by feeding in a uid with the -u option (here using the uid of 509) and a gid with the -g option (here a gid of 10):
dsmemberutil checkmembership -u 509 -g 10
Each account still has a uuid. This can be obtained with the getuuid verb, using -u for a user id or -g for a group id:
dsmemberutil getuuid -u 509
And, you can use dsmemberutil to flush the directory services cache resolver, using the flushcache verb:
The files that comprise accounts can also be viewed and changed manually. Here, we’re going to just look at an account called charles:
sudo defaults read /var/db/dslocal/nodes/Default/users/charles.plist
If we used a tool like defaults, PlistBuddy or plutil to manually augment one of these accounts, we’d also need to kill accountsd as we did earlier.
krypted October 3rd, 2015
Posted In: Uncategorized
There are a number of ways to create groups in OS X Server 5, running on Yosemite or El Capitan. The first is using the Server app, the second is using Workgroup Manager (which requires a little work to get working in El Capitan), the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating groups in the Server app.
Once a server has been made an Open Directory Master, all user and group accounts created in the Server app will be in the Local Network Group. Before that, all user and group objects created in the Server app are stored locally. Once promoted to an Open Directory server, local groups must be created in Workgroup Manager, the Users & Groups System Preference pane or using a command line tool appropriate for group management.
Once changes have been made, click Done to commit the changes.
krypted October 3rd, 2015
Posted In: Mac OS X Server
By default, OS X now updates apps that are distributed through the Mac App Store (MAS). OS X Server is really just the Server app, sitting on the App Store. If the Server app is upgraded automatically, you will potentially experience some adverse side effects, especially if the app is running on a Metadata Controller for Xsan, runs Open Directory, or a major release of the Server app ships. Therefore, in this article we’re going to disable this otherwise sweet feature of OS X.
To get started, first open the System Preferences. From there, click on the App Store System Preference pane.
From the App Store System Preference pane, uncheck the following boxes:
Once disabled, you’ll need to keep on top of updates in the App Store manually. My recommendation is still to create an image of your server before each update.
krypted October 2nd, 2015
OS X Server (Server 5, El Capitan Server) can have problems with Open Directory. Sometimes, you just need to reset your directory service. You can demote and restore the server if needed. But buyer beware, you may end up screwing things up while the directory server is being demoted and you’re restoring a backup. Or if you haven’t built out the directory server, you may end up just demoting the server and starting over. In this article, we’ll look at demoting the server.
To get started demoting the Open Directory master, first open the Server app and then click on Open Directory.
From the Open Directory screen, click on the minus button in the Servers section. When prompted to Delete the directory service, click on the Delete button.
Once the process is complete, you’ll be able to setup a new directory server, back at the initial Open Directory screen.
The logs will then show the following:
2015-09-08 04:41:24 +0000 slapconfig -destroyldapserver
2015-09-08 04:41:24 +0000 Deleting Cert Authority related data
2015-09-08 04:41:24 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2015-09-08 04:41:24 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Krypted Open Directory Certificate Authority --serial 2842025604
2015-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2015-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2015-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2015-09-08 04:41:44 +0000 Stopping LDAP server (slapd)
2015-09-08 04:41:46 +0000 Stopping password server
2015-09-08 04:41:51 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/alock.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2015-09-08 04:41:51 +0000 Removed directory at path /var/db/openldap/authdata.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.conf.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2015-09-08 04:41:55 +0000 Stopping password server
2015-09-08 04:41:55 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.
Sep 7 23:43:23 osxserver com.apple.WebKit.WebContent: [23:43:23.061] <<<< VideoMentor >>>> videoMentorThreadForwardPlayback: (0x7fea1d938e40) startCursor PTS 0.033 > target startPTS 0.000; sending timestamp interval for that gap
krypted October 2nd, 2015
Posted In: Mac OS X Server
You’ve got Open Directory running and humming beautifully in OS X Server 5 (running on OS X Yosemite or OS X El Capitan). You show up to work and the hard drive has died on that perfectly configured Open Directory Master. Luckily, you have a replica and you have an archive of your Master. You can restore or you can promote your Replica to a Master. What to do? Well, I can’t tell you what you should do, but I can tell you that Apple has planned for this. Here, we’re going to look at promoting that Replica to a Master. Because after all, hard drives fail. Let’s look at what all this looks like.
Create An Open Directory Archive
In order to properly restore an Open Directory Master or promote a Replica to a Master, you’ll need the SSL keys. You should also just keep archives of your Open Directory environment around (albeit in a secure location) because you really never know. To create an Open Directory Archive, which has the keys in it as well as data needed to restore a Master, first open the Server app. From within the Server app, click on the Open Directory service.
Towards the bottom of the screen, click on the cog wheel icon.
At the menu, click Archive Open Directory Master…
When prompted, provide the username and password to the Open Directory environment shown in the Server field and then click on the Connect button.
At the Archive Open Directory Master screen, choose a location to create your archive. Also, provide a password for the archive. Click the Archive button when you’re ready to proceed.
At the Confirm Settings screen, click Archive. The archive is then created. Keep this safe as it has all your base are belong to us in it. You have to do this proactively. Once the hard drive in that Open Directory Master craps out, you’ll need the Archive to put the pieces of Humpty Dumpty back together again.
Promote A Replica To A Master
Provided you have a Replica and an Archive, promoting a Replica to a Master couldn’t be easier in OS X Server. To do so, open the Server app from the Replica and then use the cog wheel icon to bring up the menu.
Here, click Promote Replica to Master.
At the “Promote Open Directory replica to master” screen, provide an Open Directory username and password (e.g. diradmin with the appropriate password). Also, choose the archive you created previously. Then click Next. The Replica will become an archive. Once finished, remove any other replicas and repromote them.
Stop Open Directory
Another option is to stop Open Directory on the replicas until you can get your Master back up and running. To stop Open Directory, open the Server app and click on the Open Directory service. Click on the OFF button. You’ll then be prompted to verify that you really want to stop directory services on the server. Click OK (which should probably read a bit more ominously, like “OMG, OK”). The server is then stopped. To completely remove Open Directory from the old server, run the slapconfig command, followed by -destroyldapserver:
Also, don’t forget to go to the Master and remove any servers from there as well, once they’ve been fully demoted. View the logs using cat for any other weirdness:
krypted October 1st, 2015
Posted In: Mac OS X Server