Tiny Deathstars of Foulness

OS X Server supports running a traditional bind implementation of DNS. You can define a record for most any name, including,,, etc. You can use this to redirect subdomains. In this example, we’ll create an A Record to point to without breaking other subdomains. To get started, let’s use the DNS service in the Server app to create The reason for this is that OS X will then create a zone file for If we created instead, then OS X would automatically create, which would break the other subdomains. To do so, open Server app and click on the DNS Service. Then click on the plus sign to create a new record.

Screen Shot 2014-09-23 at 10.55.58 AM

Now, if you restart dns and ping you should see the referenced IP. To then change, we’d edit the zone file stored at /Library/Server/named/ This file will look like this when you first open it: 10800 IN SOA (
2014092301 ; serial
3600 ; refresh (1 hour)
900 ; retry (15 minutes)
1209600 ; expire (2 weeks)
86400 ; minimum (1 day)
10800 IN NS 10800 IN A

We’ll add an a record for 10801 IN A

Now, to change the apex record, you’d just replace the name you’ve been using with an @:

@ 10801 IN A

Good luck!

September 23rd, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure, sites, Ubuntu, Unix

Tags: , , , , , , , ,

Once upon a time, Server Admin was a tool that allowed Admins of OS X Server to look at settings for an OS X Server using a graphical tool. As Server Admin is no longer being used, we frequently find there are certain settings we need to find in the replacement Server app that just aren’t in graphical tools any longer. One of the settings that you need when integrating other systems is the search base. This defines the location that searches start when queries against the directory tree are run. When other systems are integrated into Open Directory they need to use this to be able to enumerate information from Open Directory.opendirectoryThe Mac doesn’t really support some of the more esoteric information that can be kept in other directory servers, such as OU= information, so it’s worth mentioning that by default the search base should be dc= followed by each element of the fqdn (and delimited by a ,) of your first Open Directory server. For example, if your first Open Directory Master for a realm was called odm.krypted.lan then the search base would have been “dc=odm,dc=krypted,dc=lan”. I’ve found that over the years realms are moved, hostnames changed, etc, so oftentimes the name doesn’t match the search base.

To find the search base, use the serveradmin command. The service is called dirserv and we’re looking for LDAPSettings:LDAPSearchBase, so the actual command to get this information would be:

serveradmin settings dirserv:LDAPSettings:LDAPSearchBase

The output will show the correct search base setting to use for heterogenous settings.

August 27th, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , ,

Thanks to Allan Sanderson for the following submission, which outlines how to install Final Cut Server in Lion and Mountain Lion Server.


Check “Enable PHP web applications”

Install Java
Open /Applications/Utilities/Java
You’ll be prompted by Software Update service to install Java, click “Continue”, provide admin credentials when promopted.

Install Final Cut Server
Run Final Cut Server installer.
Then run Software Update to get ProApplications 2010-02 & Final Cut Server v1.5.2 updates.

Check Configuration
Check fcsvr user has been created:
dscl /Local/Default -search /Users RecordName fcsvr
Output should look something like this:
fcsvr RecordName = (

Check “fcsvr” user’s home folder location is set to “/Library/Application Support/Final Cut Server”
dscl /Local/Default -read /Users/fcsvr NFSHomeDirectory
Output should look something like this:
NFSHomeDirectory: /Library/Application Support/Final Cut Server
If it doesn’t, caorrect it with this command:
sudo dscl /Local/Default -create /Users/fcsvr NFSHomeDirectory “/Library/Application Support/Final Cut Server”

Customisations To Make It Work
A word to the wise, I personally take a backup before making any changes to system files, Time Machine is nice ‘n all, but I’d prefer not to have to go there in the first place.

An out the box FCSvr install doesn’t set an “AUTH_TYPE” key/value pair in the file. Under 10.5 & 10.6 this didn’t cause any issues, but 10.7+ does seem to be an issue. So for Local and Open Directory authentication, this command will do the job:
sudo defaults write /Library/Preferences/ “AUTH_TYPE” -int 2
If you’re being more daring and trying to work with an Active Directory, then you’ll want the following:
sudo defaults write /Library/Preferences/ “AUTH_TYPE” -int 1

Because of how things have changed between 10.6 and 10.7 & 10.8, its necessary to manually copy the apache site config into a users apache space.
sudo cp “/Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/Resources/share/conf/client_apache2.conf” “/etc/apache2/users/fcsvr.conf”

Now in order for the apache site config to be read by apache, we need to add in the necessary direction for httpd.
Append “UserDir Sites” to end of “/etc/apache/httpd.conf”, this can be done as a one-liner if you like:
sudo echo “UserDir Sites” >>/etc/apache2/httpd.conf

Lastly we have to add in the redirection settings for 10.7+ as the installers isn’t able to do this due to file path changes between the OS revisions.
So, in your /etc/apache2/sites/0000_any_80_.conf file, paste in the following lines after the IfModule for mod_ssl.c:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* – [F]
RewriteRule ^/FinalCutServer$ /~fcsvr/Sites/webstart/index.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_mac.jnlp$ /~fcsvr/Sites/webstart/macJnlp.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_windows.jnlp$ /~fcsvr/Sites/webstart/windowsJnlp.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_other.jnlp$ /~fcsvr/Sites/webstart/jnlp.php [NC,L]

SPECIAL_MENTIONS: Matt Geller, David Colville

September 6th, 2012

Posted In: Mac OS X, Mac OS X Server, Xsan

Tags: , , , , , , , , , , , ,

There are four ways to create groups in Mountain Lion Server. The first is using the Server app, the second is using Workgroup Manager, the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating groups in the Server app.

Once a server has been an Open Directory Master all user and group accounts created will be in the Local Network Group when created in Server app. Before that, all user and group objects are stored locally when created in Server app. Once promoted to an Open Directory server, local groups must be created in Workgroup Manager, the Users & Groups System Preference pane or using a command line tool appropriate for group management.

 To create a new group, open the Server app and then click on Groups in the ACCOUNTS list of the Server app sidebar. From here, you can switch between the various directory domains accessible to the server using the drop-down list available. Click on the plus sign to create a local network group.
At the New Group screen, provide a name for the group in the Full Name field. This can have spaces. Then create a short name for the group in the Group Name field. This should not have spaces.
Click Done when you have supplied the appropriate information and the group is created. Once done, double-click on the group to see more options.
Here, use the plus sign (“+”) to add members to the group or highlight members and use the minus sign (“-“) to remove users from the group. You can also choose to use the following options:
  • Give this group a shared folder: Creates a shared directory for the group, or a group with an ACL that grants all group members access.
  • Make group members Messages buddies: Adds each group member to each other group members buddy list in the Messages client.
  • Enable group mailing list: Enables a list using the short name of the group where all members receive emails to that address.
  • Create Group Wiki: Opens the Wiki interface for creating a wiki for the group.

Once changes have been made, click Done to commit the changes.

September 2nd, 2012

Posted In: Mac OS X Server, Uncategorized

Tags: , , , , , , , , , , , , , , , , ,

In OS X, installers are known as packages. The trend in OS X is to sign anything going onto a computer so that it can then be installed without concern that the product is not authentic. The productsign command provides the ability to sign packages in much the same way that the codesign command can be used on apps. For example, let’s say that we wanted to sign a package called Alpha.pkg in /tmp with Apple DeveloperID 31415926535897932384626 and have it result in a new package, Omega.pkg in the same directory. The command would be as follows:

productsign --sign 'Developer ID Installer: 31415926535897932384626'
'/temp/Alpha.pkg' '/temp/Omega.pkg'

You can also timestamp the signing by adding a –timestamp option or disable trusted timestamps with the –timestamp=none. You can also indicate a keychain using the –keychain option or –cert to indicate a certificate to embed in the archive. Once signed, you can then test the signing using the spctl command along with the –assess option. The –type option would also indicate a type of install, resulting in the following for Omega.pkg:

spctl --assess --type install /temp/Omega.pkg

August 31st, 2012

Posted In: Mac OS X

Tags: , , , , , , ,

I’ve been doing a number of postings on how to use various features of the latest version of OS X Server. Given that WordPress is pretty much a reverse chronological listing of articles I’ve written, I thought I’d put together a listing of the pages that I’ve done for OS X Server 10.8 (Mountain Lion Server) in order to offer a more pedagogically aligned way of reading these posts. As such, here is the Table of Contents for these posts:


Managing the Server

Configuring Services


Command Line


August 28th, 2012

Posted In: Mac OS X Server, Mac Security

Tags: , , , , , , , , , , , , ,

Apple’s not going to slow down innovation just to make me happy. I get that. But what have I noticed most about the differences between Mountain Lion and Mountain Lion Server and their predecessors, and maybe what to do to get some of them back?

  1. Podcast Producer: I am going to just put it out there. I liked Podcast Producer. I hope it shows back up in the future, even though I’m controlling my expectations. As someone who deals with a lot of video, there are a number of features that were really helpful to me, with or without Xgrid. I’ve replaced the command line aspects with tools such as ffmpeg, which we used in addition to at times, but some of the ways that pcastaction did things were really elegant comparably. On the graphical side, much of the functionality is available in the various sites that produce video streams and of course, there’s always YouTube. Either way, in regards to Mountain Lion Server, this represents one of the most substantial changes for those of us that deal with video.
  2. DHCP: I know, I know… I wrote an article on how to keep using DHCP. That doesn’t mean that the lack of GUI options is any less irritating. Every time I manually edit a config file that should have a GUI front-end it makes me ornery. Not that I’m not always ornery, but that’s not the point here…
  3. RSS: This is more of a client thing. But and Safari used to give me the ability to quickly and easily look at RSS feeds and handled them in a way that was very streamlined with my experience across the rest of the operating system. I am now using more and more Google Reader along with tools like Reeder, but I liked the fact that everything I needed for RSS madness was installed on even the test systems I used
  4. X11: I know, I know… Use XQuartz. It was nice having it built in though…
  5. Web Sharing: I guess the answer here is to just buy OS X Server. You can still fire up the LaunchDaemon and use Apache, but it’s a bit of a challenge. And the version in Server isn’t identical to Apache in Mountain Lion. There are two ways I’ve handled this. The first is to install Mountain Lion Server and then use the command `webpromotion demote` to switch the Apache configuration back to that of a client computer. The second is to fire up the LaunchDaemon directly using launchctl. If you’d like, there are also a number of free and/or 3rd party web servers, such as MAMP.
  6. Negative Mode: Well, I covered this already, and while the keystroke was gone, the feature never was – but here’s how to fix. Also, @sacrilicious turned me on to nocturne, which is pretty cool as well!
  7. iCal, Address Book and NetBoot: Actually, they’re now called Calendar, Contacts and NetInstall respectively. But still there. I actually like the renaming a lot, so I guess I don’t really miss any of them.
  8. Radius: OK, it’s there. Just command line only (unless you’re using an Apple AirPort). Maybe I should write an article about radius…
  9. The Server command line options: Actually, they just moved to a relative path to /Applications/, as I mentioned here.
  10. Server Admin: I was going to say FTP, then I remembered it’s back. And then I remembered I never missed it in the first place. But dropping the remainder of the GUI tools for servers represents a bit of a challenge, mostly in figuring out how to do a few of the minor things, like enabling Server Side File Tracking, etc.

August 23rd, 2012

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , , , , , , , ,

Time is a very important aspect of OS X Server, as it has been since the early days. Time is so important that if you see network time server, NTP or 5 minutes as the answer on an Apple exam, you should just pick that one, as it’s invariably correct. The traditional way to configure time zones and Network Time Servers is to use systemsetup command. Before you set a time zone, run the following to see a list of all available time zones, use the -listtimezones option in systemsetup:

sudo systemsetup -listtimezones

To set the time zone, pick one and use the -settimezone option in systemsetup:

sudo systemsetup -settimezone "America/Chicago"

To check the current time, then run -gettime:

sudo systemsetup -gettime

The -settime option can then be used to set the time, although it’s invariably better to set the time zone automatically with a network time protocol (NTP) server, using the -setnetworktimeserver option:

sudo systemsetup -setnetworktimeserver

You would then need to turn using NTP servers on, using -setusingnetworktime option and setting the value there to on

sudo systemsetup -setusingnetworktime on

Now let’s look at a different way to do this. Run the following, in OS X Server:

sudo serveradmin settings info:timeZone = "America/New_York"

That shouldn’t work. Now ya’ know, OS X Server isn’t fully matured yet, so they’ll get around to it… But what does work is setting the NTP server and enabling NTP services. To enable NTP:

sudo serveradmin settings info:ntpTimeServe = yes

To set the NTP server:

info:ntpServerName = ""

Note: The NTP server must be accessible when set.

August 18th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , ,

You’re out surfing in the morning before work and you return to your car, put all your crap away and just want to sit on the beach for an hour getting caught up on work. You bust out your laptop and it’s just a little too bright with the rays of the morning sun not only causing the fan of your computer to kick into high gear but also causing you not to be able to see the screen. Do you get up and leave? Do you sacrifice the sound of the morning waves and the breeze of the ocean air?

Well, the fans are going to run when it’s hot out. But you can do something about that glare. In OS X Mountain Lion, the Invert Colors feature (which I’ve always called Negative Mode) has a disabled keyboard shortcut by default now. We all know this is the coolest feature in the entire OS, so let’s enable it again.

Each time you use it, you could open the Accessibility System Preference pane and check the box for Invert colors. But, it’s crucial Command-Option-Control-8 opens it, because at the end of the day I’m lazy.

To enable the keyboard shortcuts, open the Keyboard System Preference pane and click on the Keyboard Shortcuts tab. Then, scroll down to Invert colors and check the box. Viola, more helpful to a trip to the beach than swinging by a Tommy Bahama store the night before!

To enable the shortcuts (aka symbolic hotkeys) via the command line (so I can lazily put this into my imaging workflow at home), see this article.

August 17th, 2012

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , , ,

Next Page »