krypted.com

Tiny Deathstars of Foulness

Thanks to Allan Sanderson for the following submission, which outlines how to install Final Cut Server in Lion and Mountain Lion Server.

In Server.app

---------
Websites:
Check “Enable PHP web applications”

Install Java
------------
Open /Applications/Utilities/Java Preferences.app
You’ll be prompted by the Software Update service to install Java; click “Continue” and provide admin credentials when prompted.

Install Final Cut Server
------------------------
Run Final Cut Server installer.
Then run Software Update to get ProApplications 2010-02 & Final Cut Server v1.5.2 updates.

Check Configuration
-------------------
1)
Check fcsvr user has been created:
dscl /Local/Default -search /Users RecordName fcsvr
Output should look something like this:
fcsvr RecordName = (
fcsvr
)

2)
Check “fcsvr” user’s home folder location is set to “/Library/Application Support/Final Cut Server”
dscl /Local/Default -read /Users/fcsvr NFSHomeDirectory
Output should look something like this:
NFSHomeDirectory: /Library/Application Support/Final Cut Server
If it doesn’t, correct it with this command:
sudo dscl /Local/Default -create /Users/fcsvr NFSHomeDirectory "/Library/Application Support/Final Cut Server"

Customisations To Make It Work
------------------------------
A word to the wise, I personally take a backup before making any changes to system files, Time Machine is nice ‘n all, but I’d prefer not to have to go there in the first place.

1)
An out-of-the-box FCSvr install doesn’t set an “AUTH_TYPE” key/value pair in the com.apple.FinalCutServer.settings.plist file. Under 10.5 & 10.6 this didn’t cause any issues, but on 10.7+ it does seem to be an issue. So for Local and Open Directory authentication, this command will do the job:
sudo defaults write /Library/Preferences/com.apple.FinalCutServer.settings "AUTH_TYPE" -int 2
If you’re being more daring and trying to work with an Active Directory, then you’ll want the following:
sudo defaults write /Library/Preferences/com.apple.FinalCutServer.settings "AUTH_TYPE" -int 1

2)
Because of how things have changed between 10.6 and 10.7 & 10.8, it’s necessary to manually copy the apache site config into a user’s apache space.
sudo cp "/Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/Resources/share/conf/client_apache2.conf" "/etc/apache2/users/fcsvr.conf"

3)
Now in order for the apache site config to be read by apache, we need to add in the necessary direction for httpd.
Append “UserDir Sites” to the end of “/etc/apache2/httpd.conf”; this can be done as a one-liner if you like (the redirection has to run with root privileges too, hence tee rather than a bare echo):
echo "UserDir Sites" | sudo tee -a /etc/apache2/httpd.conf

4)
Lastly we have to add in the redirection settings for 10.7+ as the installer isn’t able to do this due to file path changes between the OS revisions.
So, in your /etc/apache2/sites/0000_any_80_.conf file, paste in the following lines after the IfModule for mod_ssl.c (the RewriteCond/RewriteRule pair refuses TRACE requests; the remaining rules map the Final Cut Server client URLs onto the fcsvr user’s Sites folder):
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    RewriteRule ^/FinalCutServer$ /~fcsvr/Sites/webstart/index.php [NC,L]
    RewriteRule ^/FinalCutServer/FinalCutServer_mac.jnlp$ /~fcsvr/Sites/webstart/macJnlp.php [NC,L]
    RewriteRule ^/FinalCutServer/FinalCutServer_windows.jnlp$ /~fcsvr/Sites/webstart/windowsJnlp.php [NC,L]
    RewriteRule ^/FinalCutServer/FinalCutServer_other.jnlp$ /~fcsvr/Sites/webstart/jnlp.php [NC,L]
</IfModule>
ORIGINAL_SOURCES: http://www.linkedin.com/groups/Has-anyone-been-able-get-138082%2ES%2E67319989?view=&srchtype=discussedNews&gid=138082&item=67319989&type=member&trk=eml-anet_dig-b_pd-ttl-cn&ut=2M3_ri588Lslo1

SPECIAL_MENTIONS: Matt Geller, David Colville
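As an added verification script (not part of Allan’s submission), the following checks the post-install state the steps above describe: the fcsvr account and its home folder via dscl, the copied user apache config, and the UserDir directive in httpd.conf. The file paths are the ones given above; the HTTPD_CONF and USER_CONF overrides are assumptions added here so the script can be pointed at copies.

```shell
#!/bin/sh
# Added example (not from the original post): verify the Final Cut Server
# post-install state described above.  dscl checks run only where dscl
# exists; the Apache checks are plain file inspections.
FCS_HOME="/Library/Application Support/Final Cut Server"
HTTPD_CONF="${HTTPD_CONF:-/etc/apache2/httpd.conf}"     # assumption: override for testing
USER_CONF="${USER_CONF:-/etc/apache2/users/fcsvr.conf}" # assumption: override for testing

# Pull the path out of "NFSHomeDirectory: /some/path", the line printed by
# "dscl /Local/Default -read /Users/fcsvr NFSHomeDirectory".  Pure text
# handling, so it can be exercised on captured output without a Mac.
parse_home_dir() {
    sed -n 's/^NFSHomeDirectory: *//p'
}

# 0 when the home directory on stdin is the one Final Cut Server expects.
home_dir_ok() {
    [ "$(parse_home_dir)" = "$FCS_HOME" ]
}

# 0 when the httpd.conf given as $1 already carries the UserDir directive.
httpd_has_userdir() {
    grep -q '^UserDir Sites' "$1"
}

check_all() {
    rc=0
    if command -v dscl >/dev/null 2>&1; then
        dscl /Local/Default -search /Users RecordName fcsvr | grep -q '^fcsvr' \
            || { echo "FAIL: fcsvr user not found (Check Configuration, step 1)"; rc=1; }
        dscl /Local/Default -read /Users/fcsvr NFSHomeDirectory | home_dir_ok \
            || { echo "FAIL: fcsvr home is not $FCS_HOME (step 2)"; rc=1; }
    else
        echo "dscl not available; skipping directory checks"
    fi
    [ -f "$USER_CONF" ] || { echo "FAIL: $USER_CONF missing (Customisations, step 2)"; rc=1; }
    if [ -f "$HTTPD_CONF" ]; then
        httpd_has_userdir "$HTTPD_CONF" \
            || { echo "FAIL: 'UserDir Sites' not in $HTTPD_CONF (step 3)"; rc=1; }
    fi
    [ $rc -eq 0 ] && echo "all checks passed"
    return $rc
}

case "${1:-}" in
    check) check_all ;;
esac
```

Run it as `sh fcs-check.sh check` after the customisations; each failing line names the step above to revisit.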

September 6th, 2012

Posted In: Mac OS X, Mac OS X Server, Xsan


I’ve done plenty of writing on the Application Layer Firewall (ALF) and the IP FireWall (IPFW) in OS X over the years. There will be more on ALF coming in “July” but in the meantime, there’s something I hadn’t written much about in Lion and that’s the pf implementation.

To get started, let’s look at /etc/pf.conf, the configuration file that pf loads:

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

Here, you can see that pf is configured with a number of anchors. An anchor is a collection of rules and tables. Basically, the anchor file being loaded is /etc/pf.anchors/com.apple. In here, we see some rules (without comments):

scrub-anchor "100.InternetSharing/*"
scrub-anchor "300.NetworkLinkConditioner/*"
nat-anchor "100.InternetSharing/*"
rdr-anchor "100.InternetSharing/*"
anchor "100.InternetSharing/*"
anchor "200.AirDrop/*"
anchor "250.ApplicationFirewall/*"
dummynet-anchor "300.NetworkLinkConditioner/*"
anchor "300.NetworkLinkConditioner/*"
anchor "400.AdaptiveFirewall/*"
load anchor "400.AdaptiveFirewall/" from "/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall"

These mostly exist so that Apple’s own services (Internet Sharing, AirDrop, the Application Firewall and so on) work with whatever is enabled in the Sharing system preference pane. The scrub options are pretty cool: scrub normalizes packets (reassembling fragments and dropping malformed ones) before they are passed on to their destination. To see how the rules are interpreted, let’s run pfctl with the -sa option, which shows all information and stats:

sudo pfctl -sa

Here we see information like stats on timeouts, limits to rules, etc. Let’s look at the rules specifically:

sudo pfctl -sr

Now let’s add the following lines below the anchors in the first file, /etc/pf.conf:

pass in quick on lo0 all
pass out quick on lo0 all

This always allows loopback traffic, which a few internal processes need. Then let’s block some stuff (after all, if we’re not filtering, why use a packet filter). First add the following to the pf.conf file to block all incoming traffic that isn’t explicitly passed by another rule:

block in all

And this one for outbound traffic:

block out all

Or to knock the two above lines out with one:

block all

Then to do something pretty straight forward, like allow incoming icmp traffic for en0:

pass in quick on en0 proto icmp

One more rule, to show how to pass and log traffic coming into en0 over both tcp and udp, from anyone, to the address 192.168.210.10 on that interface, on port 548:

pass in log quick on en0 proto { tcp, udp } from any to 192.168.210.10 port 548 keep state

Beyond the rules above, pf also has tables, lists and macros. Tables let you define address ranges and, in effect, alias IPs: anything in pf.conf written in angle (<>) brackets is a table that has been defined. A list lets multiple criteria be given in a single rule (the { tcp, udp } above is one), and macros are essentially named arrays of IPs, ports, etc, designed to reduce the amount of typing you have to do if you’re building out a big configuration file. Once we’ve edited our configuration file, let’s run a quick sanity check on it:

sudo pfctl -v -n -f /etc/pf.conf

Now, provided we don’t get any crazy errors, let’s load pf with our rules (which also loads the anchors):

sudo pfctl -f /etc/pf.conf

Then let’s set pf to be verbose while we’re testing (we’ll turn it off later):

sudo pfctl -v

Then let’s enable pf:

sudo pfctl -e

The return code should be something along the lines of the following:

pf enabled
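The rules built up above, as one script (an added example, not code from the original post): it assembles the complete /etc/pf.conf, lints it for the ordering mistake pf’s last-match-wins semantics make easy, dry-runs it through pfctl -n, and only installs and enables it when told to. The interface name, address and port are the ones used above; the environment overrides and the backup file naming are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): assemble the /etc/pf.conf
# discussed above, lint it without touching pf, and apply it only on request.
LAN_IF="${LAN_IF:-en0}"                   # interface from the post
LAN_IP="${LAN_IP:-192.168.210.10}"        # address from the post
AFP_PORT="${AFP_PORT:-548}"               # port from the post
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Emit the complete ruleset: Apple's stock anchors first, then our rules.
build_pf_conf() {
    cat <<'EOF'
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
EOF
    cat <<EOF
# loopback always flows: several internal processes depend on it
pass in quick on lo0 all
pass out quick on lo0 all
# default deny in both directions; the rules below open explicit holes
block all
# ICMP in on the LAN interface (ping, path-MTU discovery)
pass in quick on $LAN_IF proto icmp
# AFP to this host over tcp and udp, stateful and logged to pflog0
pass in log quick on $LAN_IF proto { tcp, udp } from any to $LAN_IP port $AFP_PORT keep state
EOF
}

# Static lint that needs no pf.  pf evaluates rules last-match-wins, so a
# "pass" placed before "block all" without "quick" is silently overridden by
# the block.  Reads a ruleset on stdin; 0 when there is exactly one
# "block all" and no shadowed pass rule.
lint_ruleset() {
    awk '
        /^block all/ { blk++ }
        /^pass / && !blk && $0 !~ / quick / { shadowed++ }
        END { exit !(blk == 1 && shadowed == 0) }'
}

lint_pf_conf() { build_pf_conf | lint_ruleset; }

# Parse-only check through pfctl (-n loads nothing) when pfctl is present.
check_pf_conf() {
    tmp=$(mktemp) || return 1
    build_pf_conf > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        sudo pfctl -n -v -f "$tmp"; rc=$?
    else
        echo "pfctl not found; parse check skipped"; rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Back up the live file, install the ruleset, load it and enable pf.
install_pf_conf() {
    lint_pf_conf || { echo "ruleset lint failed; not installing"; return 1; }
    sudo cp "$PF_CONF" "$PF_CONF.bak.$(date +%Y%m%d%H%M%S)"
    build_pf_conf | sudo tee "$PF_CONF" >/dev/null
    sudo pfctl -f "$PF_CONF" && sudo pfctl -e
}

case "${1:-}" in
    print)   build_pf_conf ;;
    check)   lint_pf_conf && check_pf_conf ;;
    install) install_pf_conf ;;
esac
```

`sh pf-rules.sh check` is the equivalent of the `pfctl -v -n -f` step above with the lint in front of it; `install` is the load-and-enable step. Note that `block all` also drops outbound traffic from en0, exactly as the text intends, so anything the host itself needs to reach has to get its own `pass out` rule.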

You can also add information on the fly. For example, to add a table called localsub containing 127.0.0.0/24:

sudo pfctl -t localsub -T add 127.0.0.0/24

If you want to flush your rules later:

sudo pfctl -Fa -f /etc/pf.conf

To clear your stats:

sudo pfctl -z ; sudo pfctl -si

Once we feel good about the pf configuration, set it to be quiet to keep the logs small and make it a little quicker:

sudo pfctl -q

And to disable pfctl when you’re done tinkeratin’:

sudo pfctl -d

And to watch what it’s doing:

ifconfig pflog0

Followed by

sudo tcpdump -v -n -e -ttt -i pflog0
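What the pflog0 stream is good for, as an added example that is not part of the original post: a summariser for the tcpdump output above that counts hits per action, direction and source, and flags sources whose blocked packets touched several destination ports, the pattern a port scan leaves behind. The sample lines are constructed here in the shape of `tcpdump -n -e -ttt -i pflog0` output for a host running the rules above; they are not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what pf logged.
# Feed it the output of "sudo tcpdump -n -e -ttt -i pflog0" or a saved copy.
# SAMPLE_PFLOG is constructed, not captured.
SAMPLE_PFLOG='00:00:00.000000 rule 3/0(match): block in on en0: 10.0.0.5.51234 > 192.168.210.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.010000 rule 3/0(match): block in on en0: 10.0.0.5.51235 > 192.168.210.10.23: Flags [S], seq 1, win 65535, length 0
00:00:00.020000 rule 3/0(match): block in on en0: 10.0.0.5.51236 > 192.168.210.10.80: Flags [S], seq 1, win 65535, length 0
00:00:00.030000 rule 5/0(match): pass in on en0: 10.0.0.7.49152 > 192.168.210.10.548: Flags [S], seq 1, win 65535, length 0
00:00:00.040000 rule 3/0(match): block in on en0: 10.0.0.9.40000 > 192.168.210.10.445: Flags [S], seq 1, win 65535, length 0'

# Fields on a pflog line as printed with -e: time, "rule", "N/M(match):",
# action, direction, "on", "iface:", src.port, ">", dst.port: ...
# One output line per (action, direction, source IP) with a hit count.
summarize_pflog() {
    awk '$2 == "rule" {
            src = $8; sub(/\.[0-9]+$/, "", src)          # strip the source port
            n[$4 " " $5 " " src]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# Sources whose *blocked* packets reached at least $1 distinct destination
# ports.  Prints "ip port-count"; a quiet log prints nothing.
flag_scanners() {
    awk -v min="${1:-3}" '$2 == "rule" && $4 == "block" {
            src = $8; sub(/\.[0-9]+$/, "", src)
            dst = $10; sub(/:$/, "", dst); sub(/.*\./, "", dst)   # keep only the port
            key = src SUBSEP dst
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}

case "${1:-}" in
    live)   sudo tcpdump -n -e -ttt -i pflog0 2>/dev/null | flag_scanners 3 ;;
    sample) printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
            printf '%s\n' "$SAMPLE_PFLOG" | flag_scanners 3 ;;
esac
```

Only rules carrying `log` write to pflog0, so the summary reflects the `pass in log` rule above plus whatever you add `log` to; adding it to `block all` is what makes the scanner check useful.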

Overall, pfctl is pretty straight forward to use. There is a really good post (thanks to @sacrilicious for pointing it out) at http://ikawnoclast.com/2012/04/using-the-lion-pf-firewall-with-the-emerging-threats-list.html for syncing the Emerging Threats anchor from emergingthreats.net. And of course, OpenBSD’s pf page is the best source of information on the project, available here. There are a few limitations. The pf command is limited to one processor, so running a dedicated pf host on an 8 core machine is pretty much overkill. RAM is important as pf doesn’t use swap space. The more you pay for a card, the better a card you get, for the most part. Check out the Small Tree cards as they’re pretty efficient…

A few things I haven’t gotten working: the logging is kinda’ wonky, the antispoof protection seems odd (see the antispoof docs on the pf page), osfp (which might be other devices in my walled garden) and dummynet integration (which I have working w/ ipfw)… If I can get them working I’ll put together another post for that in my infinite amounts of free time. I also didn’t end up figuring out the upper limit for packets/rule lookups/table lookups per second… As I write more efficient tables I do more lookups and can therefore process packets faster. It’s annoying when I realize ***I*** am the bottleneck…

July 2nd, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Lion Server doesn’t have an option in the GUI for throttling the maximum number of users that can connect to the server via SMB, nor does it have one in the serveradmin interface. On earlier versions, running the following would have listed the required setting:

serveradmin settings smb

The required setting (when controlled via serveradmin) is MaxClients= followed by the number of clients you want as the maximum:

serveradmin settings smb:MaxClients=10

This is pretty easy stuff, but I have a point that goes beyond limiting the number of users. Not all of the settings that serveradmin accepts are actually listed in the preferences any more, but you can still add them. Not all of the settings from the developer documentation for the old smb code are still around, but a lot are. Another that a lot of people would want to use is to set the SMB Workgroup name in Lion Server:

serveradmin settings smb:Workgroup=SMBLOWS

You can also disable guest access by setting AllowGuestAccess to FALSE:

serveradmin settings smb:AllowGuestAccess=FALSE

Now, just because the option isn’t obvious doesn’t mean the server doesn’t already have a preconfigured value. Querying AllowGuestAccess as follows will show you that it defaults to on; most options, when invoked specifically, will return their current value if the setting still exists:

serveradmin settings smb:AllowGuestAccess

Overall, there’s a lot you can do with a number of services. The options for many of these used to be a little easier to find. If you miss some option from 10.6 that isn’t in the GUI in Lion or subsequent OSes, look to the serveradmin command: make the change and see what preference changed. Who knows, that option might be available in Lion, even if it wasn’t available in the GUI…
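A review script for the three settings discussed above (an added example, not code from the original post): it parses the `key = value` lines that `serveradmin settings smb` prints, flags guest access, a missing connection cap and the stock workgroup name, and prints the serveradmin command that fixes each. The sample dump is constructed in that output shape and is not a real capture; which values count as findings is this script’s hardening opinion, not anything the post states.

```shell
#!/bin/sh
# Added example (not from the original post): audit the smb settings that
# serveradmin exposes but the Lion Server GUI does not.  SAMPLE_SMB is a
# constructed dump in serveradmin's "key = value" layout, not a real one.
SAMPLE_SMB='smb:MaxClients = 0
smb:Workgroup = "WORKGROUP"
smb:AllowGuestAccess = yes
smb:ServerDescription = "Mac OS X"'

# Print the value of one key from serveradmin-style output on stdin,
# surrounding quotes removed.  Prints nothing when the key is absent.
get_setting() {
    awk -v key="$1" -F' = ' '$1 == key { v = $2; gsub(/^"|"$/, "", v); print v }'
}

# Report findings, one per line, each with the serveradmin command that
# addresses it.  Exit status 1 when anything was flagged, 0 when clean.
audit_smb() {
    dump=$(cat)
    rc=0
    guest=$(printf '%s\n' "$dump" | get_setting smb:AllowGuestAccess)
    case "$guest" in
        yes|YES|true|TRUE|1)
            echo "guest access enabled -> serveradmin settings smb:AllowGuestAccess=FALSE"; rc=1 ;;
    esac
    max=$(printf '%s\n' "$dump" | get_setting smb:MaxClients)
    case "$max" in
        ''|0) echo "no client cap -> serveradmin settings smb:MaxClients=<n>"; rc=1 ;;
    esac
    wg=$(printf '%s\n' "$dump" | get_setting smb:Workgroup)
    if [ "$wg" = "WORKGROUP" ]; then
        echo "stock workgroup name -> serveradmin settings smb:Workgroup=<name>"; rc=1
    fi
    return $rc
}

case "${1:-}" in
    live)   sudo serveradmin settings smb | audit_smb ;;
    sample) printf '%s\n' "$SAMPLE_SMB" | audit_smb ;;
esac
```

`sh smb-audit.sh live` runs it against the real server; `sample` shows the three findings on the constructed dump.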

June 8th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Windows Server


MacSysAdmin has quickly become one of my favorite conferences to attend. I love the high level of technical acumen and the chance to row a canoe from Minneapolis to Gothenburg, Sweden, which is a serious workout, let me tell you! The 2012 lineup boasts one of the politest guys I know in Arek Dreyer, my coworker Zack Smith, Andrew Renz (of Code 42/CrashPlan fame), the well dressed (and spoken) Ed Marczak, the great Greg Neagle (Munki/Reposado/awesome guy), Alan Gordon’s alter-ego Alan Gordon, the JAMFerific Andrina Kelly, the ostentatious Duncan McCracken, Rick Wylie, Gary Larizza, Luis Giraldo in all his wireless awesomeness, Sébastien Tomasi (representing the file set goodness that is FileWave) and someone I told Tycho he simply had to add to the list of speakers after last year’s event was over, Per Olofsson (I’m sure my recommendation had little to do with his addition as he has plenty of merit, but I’m very excited to see him do his thing anyway). Oh and least of all, I’ll be there and hopefully my demos will work this year (or more likely be pre-recorded).


Many of the same speakers from last year, but all fresh content. More important than the speakers, the attendees are fun to be around and impressive (I sure wish that H1 Visas were easier to come by in the US). I can’t think of a group of people I’d rather be around! The most important aspect, the content, will be focusing on large scale Mac administration, with sprinklings of Mac servers and other oddities. A great overall look and feel to the program. Even a little iOS in there…

The conference will again be held at Folkets Hus, in Göteborg, Sweden. The dictator will again be the enigmatic Tycho, who always facilitates a great event. After last year, I left there wishing I could stay for a few more weeks with that brain trust! It really is an impressive collection of people and I hope to see you there!

May 7th, 2012

Posted In: Articles and Books, iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, public speaking


I usually don’t like to discuss books (except in person with friends/colleagues) very much until I have an ISBN number. Well, here it is! My next book is going to address what I consider the most important challenge to Apple Server nerds like myself: can a server really be installed off the app store with no technical skills? I also tackle the meaning of life (somewhere on page 42) in this book, but that’s not nearly as interesting a topic… I am about 80 percent done with it and it should be out within the next 5 to 6 weeks. One of the things that really impresses me about O’Reilly is how fast they can turn my work around, due to their automated publishing environment (if you’ve never written a book in DocBook/XML, you might want to try a chapter or two before you sign a contract as it is nothing like writing in Word or Pages!).

Now that it has an ISBN, the book can now be found on Amazon using the link below. Again, it won’t be out for a few weeks, but it will be fully updated to 10.7.2 and will cover Profile Manager/MDM, the new Podcast Producer and of course Time Machine Server. I go into round tripping WebDAV data w/ iPad/Pages and other oddities specific to iOS as well. Oh, and I added a special appendix on FTP for those still living in the 90s (complete with flannel and greasy hair)!

BTW, the animal is not a Lion, ’cause it was taken…

October 28th, 2011

Posted In: Articles and Books, iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Lion comes with this nifty option called AirDrop, which allows users to share files directly. In many environments, this represents a perceived security risk (whether real or not) and must be disabled. To disable AirDrop:

defaults write com.apple.NetworkBrowser DisableAirDrop -boolean YES

To turn it back on:

defaults write com.apple.NetworkBrowser DisableAirDrop -boolean NO

This is done per-user and so can also be done via Managed Preferences, profiles and/or at imaging time.
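Because the key is per-user, an imaging-time or mass-deployment run has to apply it once per local account and read it back as that account. The script below is an added example, not code from the original post: it uses the defaults domain and key given above, and assumes the accounts are the home folders under /Users and that the `defaults read` value (1/YES or 0/NO, or no key at all) is the only thing deciding the state.

```shell
#!/bin/sh
# Added example (not from the original post): apply the per-user AirDrop
# switch to every local account and verify it.  Domain and key come from the
# post; the /Users enumeration is an assumption.
DOMAIN="com.apple.NetworkBrowser"
KEY="DisableAirDrop"

# Interpret what "defaults read $DOMAIN $KEY" printed: 1/YES means AirDrop
# is disabled; 0/NO or an empty value (key absent) means it is enabled.
airdrop_state() {
    case "$1" in
        1|YES|yes|true|TRUE) echo "disabled" ;;
        *)                   echo "enabled" ;;
    esac
}

# State for one user, read as that user so the right per-user plist is used.
# "defaults read" exits non-zero when the key does not exist; treat as 0.
airdrop_state_for_user() {
    v=$(sudo -u "$1" defaults read "$DOMAIN" "$KEY" 2>/dev/null || echo 0)
    airdrop_state "$v"
}

# Write the key for one user (YES disables, NO re-enables) and read it back.
set_airdrop_for_user() {
    user=$1; disable=$2
    sudo -u "$user" defaults write "$DOMAIN" "$KEY" -boolean "$disable"
    echo "$user: airdrop $(airdrop_state_for_user "$user")"
}

# Every local account with a preferences folder; the Shared folder is skipped.
local_users() {
    for home in /Users/*; do
        user=${home##*/}
        [ "$user" = "Shared" ] && continue
        [ -d "$home/Library/Preferences" ] || continue
        echo "$user"
    done
}

set_airdrop_for_all() {
    for user in $(local_users); do set_airdrop_for_user "$user" "$1"; done
}

case "${1:-}" in
    disable) set_airdrop_for_all YES ;;
    enable)  set_airdrop_for_all NO ;;
    status)  for user in $(local_users); do echo "$user: $(airdrop_state_for_user "$user")"; done ;;
esac
```

`sudo sh airdrop.sh disable` at imaging time, `status` afterwards to confirm; accounts created later still need the profile or Managed Preference mentioned above.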

September 10th, 2011

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Ever since upgrading to Lion I’ve been making a few slight changes in workflow. One such change, which I’m still on the fence about, is to switch from reading man pages in a tiled Terminal screen, to reading them in a browser window.

It seems like a small thing, but I spend a lot of time switching between terminal screens or using screen to switch between sessions. Bwana allows you to read a man page from within a browser.

Simply download the Bwana app into your /Applications directory and wait a few seconds. Then open a browser window and look for a man page. For example:

man:dsconfigad

Now, you may notice that you can’t actually click on the link above and have the link open as it would if you typed the information into the browser manually. You could also use man://dsconfigad to access a man page, but you still cannot refer to those from other sites. You can open those urls using terminal:

open man://dsconfigad

To see an index of all pages, enter the following in Safari:

man:index

To reindex:

man:index_refresh

July 31st, 2011

Posted In: Mac OS X, Mac OS X Server, Mac Security


Ever need to automate changes to image files? Maybe a LaunchAgent that would watch a specific folder and resize png files that were dropped in there, or a little script that sanitized images as they came in to be a specific size (e.g. Poster Frames)? Well, sips is a little tool built into OS X that can help immensely with this. It will even convert that png to a jpeg or pict to png. Let’s look at using sips. First up, let’s just get the width and height of an image file:

sips --getProperty pixelHeight /Shared/tmpimages/1.png
sips --getProperty pixelWidth /Shared/tmpimages/1.png

Or for dpi:

sips --getProperty dpiHeight /Shared/tmpimages/1.png
sips --getProperty dpiWidth /Shared/tmpimages/1.png

Or to get the format:

sips --getProperty format /Shared/tmpimages/1.png

Now let’s set a property (here the format), using the -o option to write the converted copy to a different location:

sips --setProperty format jpeg /Shared/tmpimages/1.png -o /Shared/imageoutput/1.jpeg

Pretty nifty so far. Now, let’s resize an image using the -z option:

sips /Shared/tmpimages/1.png -z 44 70 -o /Shared/imageoutput/converted.png

There’s lots more you can do with sips. It also happens to be built into OS X in the /usr/bin folder. Call on it for general still image manipulation. It’s quick and easily scriptable and best of all, a useful tool that can save lots of manual time converting images.
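The “sanitize images as they come in” job described at the top of this post, as an added example that is not code from the original post: every file in the drop folder is checked for a real image format with sips, shrunk to fit a fixed box without distortion, and written out as a JPEG. The folder names are the ones used above; the box size and the environment overrides are assumptions. It also carries the one detail about `-z` that is easy to get wrong: it takes height first, then width.

```shell
#!/bin/sh
# Added example (not from the original post): batch-normalize a drop folder
# with sips, the kind of script a LaunchAgent watching that folder would run.
DROP="${DROP:-/Shared/tmpimages}"      # folder from the post
OUT="${OUT:-/Shared/imageoutput}"      # folder from the post
MAX_W="${MAX_W:-640}"                  # assumption: target box width
MAX_H="${MAX_H:-480}"                  # assumption: target box height

# Largest size that fits W x H inside MAX_W x MAX_H with the aspect ratio
# kept.  Integer arithmetic only; prints "width height".
fit_dims() {
    w=$1; h=$2; mw=$3; mh=$4
    if [ $((w * mh)) -gt $((h * mw)) ]; then
        echo "$mw $((h * mw / w))"       # width is the limiting side
    else
        echo "$((w * mh / h)) $mh"       # height is the limiting side
    fi
}

# Output path: same basename, .jpeg extension, inside the output folder.
target_path() {
    base=${1##*/}
    echo "$2/${base%.*}.jpeg"
}

# Convert one file.  sips is asked for the format first, so something that is
# not actually an image is skipped instead of being copied into the output tree.
normalize_image() {
    src=$1; dst=$(target_path "$src" "$OUT")
    fmt=$(sips --getProperty format "$src" 2>/dev/null | awk '/format:/ {print $2}')
    [ -n "$fmt" ] || { echo "skip (not an image): $src"; return 1; }
    pw=$(sips --getProperty pixelWidth  "$src" | awk '/pixelWidth:/  {print $2}')
    ph=$(sips --getProperty pixelHeight "$src" | awk '/pixelHeight:/ {print $2}')
    set -- $(fit_dims "$pw" "$ph" "$MAX_W" "$MAX_H")
    # -z takes HEIGHT then WIDTH; --setProperty format jpeg makes the copy a JPEG
    sips --setProperty format jpeg -z "$2" "$1" "$src" -o "$dst" >/dev/null \
        && echo "$src ($fmt ${pw}x${ph}) -> $dst (jpeg ${1}x${2})"
}

case "${1:-}" in
    run) mkdir -p "$OUT"
         for f in "$DROP"/*; do [ -f "$f" ] && normalize_image "$f"; done ;;
esac
```

`sh normalize-images.sh run` processes whatever is in the drop folder; a WatchPaths LaunchAgent pointed at that folder would call the same thing.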

July 24th, 2011

Posted In: Mac OS X


OK, by now I’m sure everyone has heard that OS X Server is a download off the App Store. For a whoppin’ $50 you get the OS that was once called “Open Source Made Easy” until someone at Apple realized that GPLv3 might mean that Open Source doesn’t always mean “free as in beer”. Wait, did I say that out loud? Point is, there are bigger changes here than just moving the server to the App Store.

There are also some pretty big changes to the GUI of OS X Server. The first and most obvious is the LoginWindow, which is different in OS X in general. It obviously looks different. The ability to click on the items above the username and password is gone. You can still see indicators of green and orange in the username field to indicate directory service availability though, which was one of the bigger things we’ve used that for over the past few years.

Once downloaded, the Server app will be in the /Applications directory, in Launchpad and useable. But the Server Admin tools are a separate (free) download from the Apple downloads page. This is a nice nickel and dime way of keeping the Server app small. Once installed, note that if you open About this Mac, the OS does reflect that you are running Mac OS X Server Lion (not OS X Server Lion btw for all you marketing nerds), so it is actually a registered different version of the operating system.

Now open up Workgroup Manager. The Inspector option in Workgroup Manager is gone. Actually, this is kinda’ true. The option is greyed out in the Workgroup Manager prefs (com.apple.WorkgroupManager.plist) but easily enabled using defaults to add the -dict for “Application Preferences” with a key of “Show \”All Records\” Tab” set to a value of 1. But more importantly, there’s now a tool called the Directory Editor that is part of Directory Utility (still located at /System/Library/CoreServices). It looks a lot like the Inspector, but it’s a bit more appropriate for local stuff.

Now open up Server Admin. Most of the services are gone. We’re left with nat (does anyone really still use OS X Server as a border device?!?!) and a few other services that were either too boring to get moved to the Server app or too unwanted. Expect these to disappear one by one if there are future releases of OS X Server. In fact, if OS X Server is $50 I’d say building a better DHCP (that maybe has a GUI for DHCP options and other cool stuff) or a better DNS is worthy of a $10 or $20 app on the app store. After all, given the Mini platform it seems a decent platform as a network appliance in that fashion… But back to it.

Now go into Server. Wow. Super easy. The only challenging thing in here is Profile Manager. And the only challenging thing about it is that a) most people aren’t going to let it build Open Directory for them (but should) and b) some people are going to get stumped when asked for a username and password for a developer account. Get yourself an Apple ID with a developer cert and Profile Manager will be really easy to use, especially if you’re used to working with Workgroup Manager to build Managed Preference manifests. Once in, you will note that you can assign specific defaults domains and push keys to clients. Of course, the big thing here is the wipe. The most important thing to note about that is that the clients need to run FileVault and there’s not a great mass deploy strategy for that yet (IMHO).

While I said Profile Manager could be challenging, there are some really cool things waiting for people to start hacking away at. The first is scripting profile creation and management. Profiles are stored in /var/db/ConfigurationProfiles/Store. Much to the chagrin of 3rd party MDM developers, this solution works great for OS X and iOS. Much to the delight of MDM developers, the whole App Store look and feel that someone like JAMF has is still something that really sets them apart and the ability to have Casper assist you with managing those VPP keys is what will be the crazy huge value add that it will continue to bring to the table. Having said that, a lot of smaller organizations can now use Profile Manager where they might have just used iPhone Config Utility before.

Profiles can be pushed out in a number of ways. The user can download it out of the goodness of their heart. In iOS you’re kinda’ stuck with that deployment methodology. But not in OS X. Help comes in the form of the profiles command, located in /usr/sbin. Profiles is explained further in this other post of mine here.

The serveradmin app (serveradmin list shows a few less results than it used to), slap* commands and other tools server admins are used to are all still there. There’s a better webmail (much, much better), Wikis are a little different (not much), NFS (kinda’) and FTP are gone, Podcast Producer keeps getting easier, the twisted stuff (iCal and Address Book Server) is the same as it was in Snow Leopard and Server app gets more functional whereas Server Admin gets less functional. Server got a little easier. Or at least on the outside. But presumably it can, given that it’s likely to be asked to do less than it once was moving forward.

But as with previous versions of OS X Server, there are a lot of settings under the hood that aren’t exposed in any app. Let’s look at the devicemgr service, which is Profile Manager in the GUI:

sudo serveradmin settings devicemgr

One thing I do find interesting is the inclusion of postgres in serveradmin but not in Server app or Server Admin. MySQL is gone, but postgres is there.

You’ll also see settings like mdm_acl and user_timeout that can be pretty helpful (which is why they’re in there in the first place) but aren’t in the GUI. I’m all for keeping GUIs clean, not giving admins the ability to easily enable something they shouldn’t and keeping away from having screens and screens of rolling settings. So for the most part I’m OK with this. My point with this paragraph (and every paragraph should have a point even though I forget that sometimes) is that if there’s a setting you need that you think got taken out or if there’s a setting that would be cool to have, check serveradmin settings and see if it’s there before just taking the Server app’s word for it…
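The practical way to find which of those hidden keys a given Server app switch actually flips is to snapshot `serveradmin settings <service>` before and after the click and diff by key. The script below does that; it is an added example, not code from the original post. The devicemgr keys in the sample come from the text above, the two snapshot dumps are constructed rather than captured, and the snapshot directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot a service's
# serveradmin settings before and after a GUI change and report the keys
# that moved.  SNAP_DIR is an assumption.
SNAP_DIR="${SNAP_DIR:-/var/tmp/serveradmin-snaps}"

# Capture the full settings dump of one service ($1) into file $2.
snapshot_settings() {
    service=$1; out=$2
    command -v serveradmin >/dev/null 2>&1 || { echo "serveradmin not found"; return 1; }
    sudo serveradmin settings "$service" > "$out"
}

# Key-level diff of two dumps in serveradmin's "key = value" layout.
# Prints "changed key old -> new", "added key" or "removed key" lines,
# sorted; prints nothing when the dumps agree.
diff_settings() {
    awk -F' = ' '
        NR == FNR { old[$1] = $2; next }            # first file: remember values
        {
            new[$1] = $2
            if (!($1 in old))       print "added", $1
            else if (old[$1] != $2) print "changed", $1, old[$1], "->", $2
        }
        END { for (k in old) if (!(k in new)) print "removed", k }' "$1" "$2" | sort
}

# Usage around a change made in Server.app (devicemgr is Profile Manager):
#   sh sa-diff.sh snap devicemgr before ; (click the thing) ; sh sa-diff.sh snap devicemgr after
#   sh sa-diff.sh diff devicemgr
case "${1:-}" in
    snap) mkdir -p "$SNAP_DIR"; snapshot_settings "$2" "$SNAP_DIR/$2.$3" ;;
    diff) diff_settings "$SNAP_DIR/$2.before" "$SNAP_DIR/$2.after" ;;
esac
```

The same before/after pair also documents what a GUI toggle really touches, which is worth keeping next to the change ticket when a setting has no GUI on the next release.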

July 20th, 2011

Posted In: Mac OS X Server
