Tiny Deathstars of Foulness

Open Server, click Help, then click Server Help. You can then search and browse for information about things you’d like to accomplish using the Help Center.

Screen Shot 2013-11-05 at 4.16.18 PM

Now, click the arrow for each service for information about configuring that service. You will see an arrow for each service.

Screen Shot 2013-11-05 at 4.17.19 PM

Click the arrow for more information on that specific service.

November 9th, 2013

Posted In: Mac OS X Server

Tags: , , , , ,

Installing Mavericks Server is about as easy as installing Keynote. First, open the Mac App Store and search for OS X Server. Then, click the button to buy the software, or if you’ve already purchased the software click on the Install button.

Screen Shot 2013-11-05 at 2.50.39 PMThe Server app downloads to your /Applications directory which you can watch happen by watching the status in LaunchPad.

Screen Shot 2013-11-05 at 2.55.21 PM

Once the download is finished, click on the Server app in LaunchPad or open the Server app to start the initial configuration wizard.

Screen Shot 2013-11-05 at 3.01.46 PM

When you first click on the Server app, you will be prompted to setup your server. Click Continue.

Screen Shot 2013-11-05 at 3.02.26 PMAgree to the licensing agreement by clicking Agree.

Screen Shot 2013-11-05 at 3.04.07 PMAuthenticate with an administrative password if prompted.

Screen Shot 2013-11-05 at 3.04.52 PMServices are prepared. Be patient, there are literally big physical cog wheels turning in your computers head right about now.

Screen Shot 2013-11-05 at 3.05.41 PMThe Server Tutorials screen opens. Read them all or you can’t use the server. Actually, you can just close this screen, although they’re well done and you should read them.

Screen Shot 2013-11-05 at 3.06.59 PMOnce you close the screen, you’ll be in the app and your server install is complete. Well, kinda’. In articles on services I go into fixing host names and the such. But if this is a pretty basic server you’re all done.

Note: Now, before you make fun of how simple this is, note that there’s an item on an outline and this article is completing one of the items in my outline. Thank you for your judgement. -the mgmt

November 8th, 2013

Posted In: Mac OS X Server

Tags: , , , , ,

Mavericks Server comes with a few new alerting options previously unavailable in versions of OS X. The alerts are sent to administrators via servermgrd and configured in the Server app (Server 3). To configure alerts in Mavericks Server, open the Server app and then click on Alerts in the Server app sidebar. Next, click on the Delivery tab.

Screen Shot 2013-10-04 at 8.30.47 PM

At the Delivery screen, click on the Edit button for Email Addresses and enter every email address that should receive alerts sent from the server. Then click on the Edit button for Push Notifications. Here, check the box for each administrator of the server. The email address on file for the user then receives push notifications of events from the server.

Screen Shot 2013-10-04 at 8.29.40 PM

Click on OK when you’ve configured all of the appropriate administrators for alerting. Click on the Edit… button for Push and if Push notifications are not already enabled you will run through the Push Notification configuration wizard.

Screen Shot 2013-10-04 at 8.40.33 PM

Then, check the boxes for Email and Push for each of the alerts you want to receive (you don’t have to check both for each entry). Alerts have changed in OS X Server, they are no longer based on the SMART status of drives or capacity; instead Delivery is now based on service settings.

Finally, as with previous versions of OS X Server, Mavericks Server has snmp built in. The configuration file for which is located in the /private/etc/snmp/snmpd.conf and the built-in LaunchDaemon is, where the actual binary being called is /usr/sbin/snmpd (and by default it’s called with a -f option). Once started, the default community name should be COMMUNITY (easily changed in the conf file) and to test, use the following command from a client (the client is in the following example):

snmpwalk -On -v 1 -c COMMUNITY

October 23rd, 2013

Posted In: Mac OS X Server

Tags: , , , , , , , , , , , ,

SSH allows administrators to connect to another computer using a secure shell, or command line environment. ARD (Apple Remote Desktop) allows screen sharing, remote scripts and other administrative goodness. SNMP allows for remote monitoring of a server. You can also connect to a server using the Server app running on a client computer. To enable all of these except SNMP, open the Server app (Server 3), click on the name of the server, click the Settings tab and then click on the checkbox for what you’d like to enter.

Screen Shot 2013-10-05 at 9.18.55 AM

All of these can be enabled and managed from the command line as well. The traditional way to enable Apple Remote Desktop is using the kickstart command. But there’s a simpler way in OS X Mavericks Server (Server 2.2). To do so, use the serveradmin command.

To enable ARD using the serveradmin command, use the settings option, with info:enableARD to set the payload to yes:

sudo serveradmin settings info:enableARD = yes

Once run, open System Preferences and click on Sharing. The Remote Management box is then checked and the local administrative user has access to ARD into the host.

Screen Shot 2013-10-05 at 9.15.00 AM

There are also a few other commands that can be used to control settings. To enable SSH for administrators:

sudo serveradmin settings info:enableSSH = yes

When you enable SSH from the serveradmin command you will not see any additional checkboxes in the Sharing System Preferences; however, you will see the box checked in the Server app.

To enable SNMP:

sudo serveradmin settings info:enableSNMP = yes

Once SNMP is enabled, use the /usr/bin/snmpconf interactive command line environment to configure SNMP so you can manage traps and other objects necessary.

Note: You can’t have snmpd running while you configure SNMPv3. Once SNMPv3 is configured snmpd can be run. 

To allow other computers to use the Server app to connect to the server, use the info:enableRemoteAdministration key from serveradmin:

sudo serveradmin settings info:enableRemoteAdministration = yes

To enable the dedication of resources to Server apps (aka Server Performance Mode):

sudo serveradmin settings info:enableServerPerformanceMode = yes

October 22nd, 2013

Posted In: Mac OS X Server

Tags: , , , , , , , , , , , , , , ,

DHCP, or Dynamic Host Control Protocol, is the service used to hand out IP addresses and other network settings by network appliances and servers. The DHCP Server built into OS X Server 3, installed on Mavericks Server is easy-to-use and fast. It’s pretty transparent, just as DHCP services should be. To install the service, open the Server app and then click on the Show button beside Advanced in the server sidebar. Then click on DHCP.


At the DHCP screen, you’ll see two tabs: Settings, used for managing the service and Clients, used to see leases in use by computers that obtain IP address information from the server. You’ll also see an ON and OFF switch, but we’re going to configure our scopes, or Networks as they appear in the Server app, before we enable the service. To configure a scope, double-click on the first entry in the Networks list.


Each scope, or Network, will have the following options:

  • Name: A name for the scope, used only on the server to keep track of things.
  • Lease Duration: Select an hour, a day, a week or 30 days. This is how long a lease that is provided to a client is valid before the lease expires and the client must find a new lease, either from the server you’re configuring or a different host.
  • Network Interface: The network interface you’d like to share IPs over. Keep in mind that you can tag multiple VLANs on a NIC, assign each an interface in OS X and therefore provide different scopes for different VLANs with the same physical computer and NIC.
  • Starting IP Address: The first IP address used. For example, if you configure a scope to go from to you would have 50 useable IP addresses.
  • Ending IP Address: The last IP address used in a scope.
  • Subnet Mask: The subnet mask used for the client configuration. This setting determines the size of the network.
  • Router: The default gateway, or router for the network. Often a .1 address for the subnet used in the Starting and Ending IP address fields. Note that while in DHCP you don’t actually have to use a gateway, OS X Server does force you to do so or you cannot save changes to each scope.
  • DNS: Use the Edit button for DNS to bring up a screen that allows you to configure the DNS settings provided as part of each DHCP scope you create, taking note that by default you will be handing out a server of if you don’t configure this setting.


The DNS settings in the DHCP scope are really just the IP addresses to use for the DNS servers and the search domain. The search domain is the domain name appended to all otherwise incomplete Fully Qualified Domain Names. For example, if we use internal.krypted.lan and we have a DNS record for wiki.internal.krypted.lan then we could just type wiki into Safari to bring up the wiki server. Click the minus sign button to remove any data in these fields and then click on the plus sign to enter new values.


Click OK to save DNS settings and then OK to save each scope. Once you’ve build all required scopes, start the service. Once started, verify that a new client on the network gets an IP. Also, make sure that there are no overlapping scopes and that if you are moving a scope from one device to another (e.g. the server you’re setting up right now) that you renew all leases on client systems, most easily done using a quick reboot, or using “ipconfig /release” on a Windows computer. If you have problems with leases not renewing in OS X, check out this article I did awhile back.

So far, totally easy. Each time you make a change, the change updates a few different things. First, it updates the /etc/bootpd.plist property list, which looks something like this (note the correlation between these keys and the settings in the above screen shots.:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<string>192.168.210 Wi-Fi</string>

Settings from this file include:

  • dhcp_enabled – Used to enable dhcp for each network interface. Replace the <false/> immediately below with <array> <string>en0</string> </array>. For additional entries, duplice the string line and enter each from ifconfig that you’d like to use dhcp on.
  • bootp_enabled – This can be left as Disabled or set to an array of the adapters that should be enabled if you wish to use the bootp protocol in addition to dhcp. Note that the server can do both bootp and dhcp simultaneously.
  • allocate – Use the allocate key for each subnet in the Subnets array to enable each subnet once the service is enabled.
  • Subnets – Use this array to create additional scopes or subnets that you will be serving up DHCP for. To do so, copy the entry in the array and paste it immediately below the existing entry. The entry is a dictionary so copy all of the data between and including the <dict> and </dict> immediately after the <array> entry for the subnet itself.
  • lease_max and lease_min – Set these integers to the time for a client to retain its dhcp lease
  • name – If there are multiple subnet entries, this should be unique and reference a friendly name for the subnet itself.
  • net_address – The first octets of the subnet followed by a 0. For example, assuming a /24 and 172.16.25 as the first three octets the entry would be
  • net_mask – The subnet mask clients should have
  • net_range – The first entry should have the first IP in the range and the last should have the last IP in the range. For example, in the following example the addressing is to
  • dhcp_domain_name_server – There should be a string for each DNS server supplied by dhcp in this array
  • dhcp_domain_search – Each domain in the domain search field should be suppled in a string within this array, if one is needed. If not, feel free to delete the key and the array if this isn’t needed.
  • dhcp_router – This entry should contain the router or default gateway used for clients on the subnet, if there is one. If not, you can delete the key and following string entries.

If you run the serveradmin command, followed by the settings verb and then the dhcp service, you’ll see the other place that gets updated:

serveradmin settings dhcp

The output indicates that

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_secondary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:selected_port_name = "en0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_router = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name_server:_array_index:0 = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_mask = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_NBDD_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:lease_max = 3600
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_search:_array_index:0 = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:descriptive_name = "192.168.210 Wi-Fi"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_primary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_end = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_address = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_enabled = yes
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_scope_id = ""
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:dhcp_domain_name = ""
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:routers = _empty_dictionary
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = ""
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "bridge0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:2 = "p2p0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:3 = "en1"
dhcp:logging_level = "MEDIUM"

Notice the correlation between the uuid string in /etc/bootp.plist and the arrayid entry for each subnet/network/scope (too many terms referring to the same thing, ahhhh!). Using the serveradmin command you can configure a lot more than you can configure in the Server app gui. For example, on a dedicated DHCP server, you could increase logging level to HIGH (as root/with sudo of course):

serveradmin settings dhcp:logging_level = "MEDIUM"

You can also change settings within a scope. For example, if you realized that you were already using and 201 for statically assigned IPs elsewhere you can go ahead and ssh into the server and change the first IP in a scope to 202 using the following (assuming the uuid of the domain is the same as in the previous examples):

serveradmin settings dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = ""

You can also obtain some really helpful information using the fullstatus verb with serveradmin:

serveradmin fullstatus dhcp

This output includes the number of active leases, path to log file (tailing that file is helpful when troubleshooting issues), static mappings (configured using the command line if needed), etc.

dhcp:state = "RUNNING"
dhcp:backendVersion = "10.5"
dhcp:timeOfModification = "2013-10-04 04:24:17 +0000"
dhcp:numDHCPActiveClients = 0
dhcp:timeOfSnapShot = "2013-10-04 04:24:19 +0000"
dhcp:dhcpLeasesArray = _empty_array
dhcp:logPaths:systemLog = "/var/log/system.log"
dhcp:numConfiguredStaticMaps = 1
dhcp:timeServiceStarted = "2013-10-04 04:24:17 +0000"
dhcp:setStateVersion = 1
dhcp:numDHCPLeases = 21
dhcp:readWriteSettingsVersion = 1

Once started, configure reservations using  the /etc/bootptab file. This file should have a column for the name of a computer, the hardware type (1), the hwaddr (the MAC address) and ipaddr for the desired IP address of each entry:

# hostname hwtype hwaddr ipaddr bootfile
a.krypted.lan 1 00:00:00:aa:bb:cc
b.krypted.lan 1 00:00:00:aa:bb:cc

You can start and stop the service either using the serveradmin command:

serveradmin stop dhcp
serveradmin start dhcp

Or using the launchctl:

sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/bootps.plist
sudo /bin/launchctl load -w /System/Library/LaunchDaemons/bootps.plist

October 22nd, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , , ,

Previously I’ve written a little here and there about using FileVault and more specifically scripting things around Filevault. The fdesetup command that enables FileVault for OS X clients from the command line got a few new options in OS X 10.9 Mavericks.

We’ve always been able to enable FileVault using scripts thanks to fdesetup but now Apple’s taken some of the difficulty out of configuring recovery keys. This comes in the form of the changerecovery, haspersonalrecoverykey, hasinstitutionalkey, usingrecoverykey and validate recovery options. These options all revolve around one idea: make it easier to deploy centrally managed keys that can be used to unlock encrypted volumes in the event that such an action is required. There’s also a -recoverykey option, which indicates the number of the key if a recovery key is being used.

To use the fdesetup command to check whether a computer has a personal recovery key use the haspersonalrecoverykey verb, as follows:

fdesetup haspersonalrecoverykey

The output will be a simple true or false exit. To use the fdesetup command to check whether a computer has an institutional recovery key, use the hasinstitutionalrecoverykey verb, as follows:

fdesetup hasinstitutionalrecoverykey

To enable a specific personal recovery key, provide it using the changerecovery verb, as follows:

fdesetup changerecovery -personal

This is an interactive command, so when prompted, provide the appropriate personal key. The removerecovery verb can also be used to remove keys. And my favorite, validaterecovery is used to check on whether or not a recovery key will work to unlock a host; which can be tied into something like an extension attribute in Casper in order to store a key and then validate the key every week or 4. This helps to make sure that systems are manageable if something happens.

The enable verb also has a new -authrestart which does an authenticated reboot after enabling FileVault. Before using the -authrestart option, check that a system can actually run it by using fdesetup with the supportsauthrestart verb and it will exit on true or false.

Defer mode is nothing new, where FileVault waits until a user password is provided; however, a new verb is available called showdeferralinfo which shows information about deferral mode. This is most helpful as a sanity check so you don’t go running commands you already ran or doing things to systems that have already been provided with tasks to perform otherwise.

Overall, there’s a lot of really enterprise-friendly options new in Mavericks that those who do larger-scale deployments of Mavericks will be interested in using!

October 22nd, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , , , , , , , ,

DNS is DNS. And named is named. Except in OS X Server. The configuration files for the DNS services in OS X Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/ makes it more portable across systems.

Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In Mavericks Server (Server 3), a new command is available at /Applications/ called dnsconfig. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear. The verbs available include help (show help information), list (show the contents of configurations and zone files), add (create records and zones) and delete (remove records and zones).

To view data available in the service, use the list verb. Options available when using the list verb include –acl (show ACLs), –view (show BIND view data), –zone (show domains configured in the service), –rr (show resource records) and –rrtype (show types of resource records). For example, let’s say you have a domain called pretendco.lan and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the –zone option and the domain name:

/Applications/ list --zone=pretendco.lan

The output would show you information about the listed zone, usually including View data:

allow-transfer: none
allow-update: none

To see a specific record, use the –rr option, followed by = and then the fqdn, so to see mavserver.pretendco.lan:

/Applications/ list --rr=mavserver.pretendco.lan

By default views are enabled and a view called is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the –view option followed by the name of the view (– to any records that you want to create. To create a record, use the add verb. You can add a view (–view), a zone (–zone) or a record (–rr). Let’s start by adding a record to the pretendco.lan from our previous example. In this case we’ll add an A record called www that points to the IP address of

/Applications/ add --zone=pretendco.lan --rr=www A

You can add a zone, by providing the –view to add the zone to and not providing a –rr option. Let’s add krypted.lan:

/Applications/ add --zone=krypted.lan

Use the delete verb to remove the data just created:

/Applications/ delete --zone=krypted.lan

Or to delete that one www record earlier, just swap the add with a delete:

/Applications/ delete --zone=pretendco.lan --rr=www A

Exit codes would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the –option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken by the help page):

  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g.
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)

Overall, this command is one of the better updates we’ve seen from Apple when it comes to managing DNS in a long time. It shows a commitment to continuing to make the service better, when you add records or remove them you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this and it’s a great tool for when you’re imaging systems and want to create records back on a server or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with Views as easy as I’ve seen it in most platforms and is overall a breeze to work with as compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by hitting files directly.

October 22nd, 2013

Posted In: Mac OS X Server, Mass Deployment

Tags: , , , , , , , , , , , , , , ,