krypted.com

Tiny Deathstars of Foulness

File services are perhaps the most important aspect of any server, because a file server is often the first server an organization buys. That has been changing over the past few years, with many files now hosted by cloud services such as Box, Dropbox, Google Drive and, of course, iCloud. And rightfully so. But many still need an on-premises server, and for predominantly Apple environments a macOS Server running on Sierra isn’t a bad idea (for some it is, and that’s fine). macOS Server includes several protocols for serving files: AFP, SMB and WebDAV. Together these make up the File Sharing service in macOS Server 5.2 running on a Sierra Mac.

Note: I’ve got another article that looks at FTP in more detail; the three protocols above are what I’ll stick to here.

File servers have shares. In macOS Server 5.2 (and many other products) we refer to these as Share Points. The first step in setting up a file share is to create your users and groups, or at least the ones that will be granted permissions to the shares, using the Users and Groups entries in the List Pane of the Server app. Once users and groups exist, click the File Sharing service in the SERVICES list in the List Pane to see the shares on the server.

If you’re just getting started, remove any built-in shares you don’t need: select the share, click the minus button (-) while it is highlighted and, when prompted, click Remove. Every share you don’t have is one fewer place for a misapplied permission to expose data.

As mentioned, a share can be served over more than one protocol, and each protocol is enabled or disabled per share. As an example, we’ll disable SMB for Public: double-click Public and then uncheck the SMB protocol checkbox for the share.

Once SMB is unchecked on the last share, nothing is offered over SMB any more, although the SMB service itself is still configured; if the goal is to stop serving SMB entirely, confirm that with serveradmin settings smb and by checking whether anything is still listening on TCP 445. Click Done to save the changes to the server. Editing shares is really that easy. Next, we’ll create a new share where iPads can put their work, separate from the WebDAV share the Wiki service uses automatically. To create the share, first create a directory for it to live in on the computer, in this case /Shared Items/iPads.

Then from the File Sharing pane in Server app, click on the plus sign (“+”).

At the browse dialog, browse to the location of your iPad directory and then click on the Choose button.

Back in the File Sharing pane, double-click the new iPads share. Note the checkbox called “Allow only encrypted connections”. Of the protocols offered here only SMB (with SMB 3 clients) can encrypt the session, so checking it disables AFP and WebDAV for that share; that is the trade-off for keeping file contents off the wire in the clear.

On the screen for the iPads share, feel free to edit the name of the share (how it appears to users); by default it is the name of the directory. Then configure who has access to what on the share. Use the plus sign (“+”) in the Access section to add the groups that should have permission to the share. To change an entry already in the list, double-click the group name and provide a new one, or use the plus sign to add a user or group.

The permissions available for the entries you add are Read & Write, Read Only and Write Only. The POSIX entries (the bottom three: owner, group and Everyone) also offer No Access; the ACL entries above them (which together form an Access Control List) don’t need that option, because a principal with no ACE (Access Control Entry) gets no access from the ACL. The two are evaluated together, though: if no ACE matches, the POSIX entries still apply, so an ACL that leaves a group out does nothing if the Everyone entry grants Read Only. Set Everyone to No Access when the ACL is meant to be the only grant.

If more granular permissions are required then click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions.

As you can see, this view exposes a number of other, more granular controls over permissions on files and directories. If you mark a share as usable for home folders, it can store home folders for user accounts, provided the server is running Open Directory. Once a share has been marked that way it appears in the Server app as an available Home Folder location for users in that directory service.

Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for the share, click on the ON button to start the File Sharing service.

To connect to a share, use the Connect to Server dialog in the Finder’s Go menu. Since Mavericks, entering a bare address connects over SMB by default (which is even better now that those sessions can be encrypted). To connect over AFP instead, because you’re old school, put afp:// in front of the address and click Connect.

The File Sharing service can also be controlled from the command line with the sharing command, which ships in /usr/sbin on macOS itself. You can create, remove and modify share points with it. To create a share point and set the name it is given over AFP, the form is:

sharing -a <path> -A <share name>

So let’s say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command:

sharing -a /Shares/Public -A PUBLIC

The -a option creates the share; -A only sets the name clients see over AFP, and the matching options for the other protocols are -F (FTP name) and -S (SMB name). Which protocols the share is actually offered over, and whether guests are allowed, are set with the -s and -g flags (see man sharing for the digit format). Note that -r does not disable a share, it removes the record:

sharing -r PUBLIC

To then get a listing of shares you can use the following command:

sharing -l

You can also use the serveradmin command to manage file shares as well as the sharing service. To see the settings for file shares, use serveradmin with the settings option followed by the sharing service:

sudo serveradmin settings sharing

Sharing settings include the following:

sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeStandard\:GeneratedUID = "54428C28-793F-4F5B-B070-31630FE045AD"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Shared Items/iPads:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shared Items/iPads:path = "/Shared Items/iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:name = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:ftpName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:serverDocsIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeNative\:sharepoint_group_id = "3A1C9DAD-806C-4917-A39F-9317B6F85CCD"
sharing:sharePointList:_array_id:/Shared Items/iPads:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Shared Items/iPads:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Shares/Public:ftpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:smbName = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shares/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:isIndexingEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:dsAttrTypeStandard\:GeneratedUID = "80197252-1BC6-4391-AB00-C00EE64FD4F2"
sharing:sharePointList:_array_id:/Shares/Public:path = "/Shares/Public"
sharing:sharePointList:_array_id:/Shares/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:afpUseParentOwner = no
sharing:sharePointList:_array_id:/Shares/Public:afpName = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:ftpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:afpUseParentPrivs = no
sharing:sharePointList:_array_id:/Shares/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:name = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:ftpName = "Public-1"
sharing:sharePointList:_array_id:/Users/krypted/Public:dsAttrTypeStandard\:GeneratedUID = "0D6AF0D1-BA70-4DD4-9256-AC1B51A2761F"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Users/krypted/Public:webDAVName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Users/krypted/Public:afpName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Users/krypted/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Users/krypted/Public:path = "/Users/krypted/Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Users/krypted/Public:name = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:ftpName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:serverDocsIsShared = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsShared = no
sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:dsAttrTypeNative\:sharepoint_group_id = "FF1970EF-0789-49C7-80B5-E9FCABDDBB49"
sharing:sharePointList:_array_id:/Users/krypted/Public:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:mountedOnPath = "/"

To see the settings for the protocol services themselves, use serveradmin settings followed by the service name, afp or smb:

sudo serveradmin settings afp

AFP settings include:

afp:maxConnections = -1
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.66D68615726DE922C1D1760BD2DD45B37E73ADD4@LKDC:SHA1.66D68615726DE922C1D1760BD2DD45B37E73ADD4"
afp:fullServerMode = yes
afp:allowSendMessage = yes
afp:maxGuests = -1
afp:activityLog = yes

October 10th, 2016

Posted In: Mac OS X Server

You can hide the Connect to Server item in the Finder’s Go menu in OS X, either via MDM or with defaults. To do so with defaults, write the ProhibitConnectTo key into com.apple.finder as true and then restart the Finder, as follows. Keep in mind that this is a user-interface restriction, not a security boundary: it only hides the menu item, a user can still mount a share from the command line with mount_smbfs, and a user who can run defaults can flip the key back. If it needs to stick, deliver it as a managed preference for com.apple.finder from the MDM rather than as a per-user default.

defaults write com.apple.finder ProhibitConnectTo -bool true ; killall Finder

To undo:

defaults write com.apple.finder ProhibitConnectTo -bool false ; killall Finder

September 4th, 2016

Posted In: Mac OS X, Mac Security

File services are perhaps the most important aspect of any server, because a file server is often the first server an organization buys. That has been changing over the past few years, with many files now hosted by cloud services such as Box, Dropbox, Google Drive and, of course, iCloud. But many still need an on-premises server, and for predominantly Apple environments the Server app running on OS X El Capitan isn’t a bad idea. OS X Server includes several protocols for serving files: AFP, SMB and WebDAV. Together these make up the File Sharing service in OS X Server on El Capitan or Yosemite.

Note: I’ve got another article that looks at FTP in more detail; the three protocols above are what I’ll stick to here.

File servers have shares. In OS X Server, Server app 5 (for Yosemite and El Capitan), we refer to these as Share Points. The first step in setting up a file share is to create your users and groups, or at least the ones that will be granted permissions to the shares, using the Users and Groups entries in the List Pane of the Server app. Once users and groups exist, click the File Sharing service in the SERVICES list in the List Pane to see the shares on the server.

If you’re just getting started, remove any built-in shares you don’t need: select the share, click the minus button (-) while it is highlighted and, when prompted, click Remove. Every share you don’t have is one fewer place for a misapplied permission to expose data.

As mentioned, a share can be served over more than one protocol, and each protocol is enabled or disabled per share. As an example, we’ll disable SMB for Public: double-click Public and then uncheck the SMB protocol checkbox for the share.

Once SMB is unchecked on the last share, nothing is offered over SMB any more, although the SMB service itself is still configured; if the goal is to stop serving SMB entirely, confirm that with serveradmin settings smb and by checking whether anything is still listening on TCP 445. Click Done to save the changes to the server. Editing shares is really that easy. Next, we’ll create a new share where iPads can put their work, separate from the WebDAV share the Wiki service uses automatically. To create the share, first create a directory for it to live in on the computer, in this case /Shared Items/iPads.

Then from the File Sharing pane in Server app, click on the plus sign (“+”).

At the browse dialog, browse to the location of your iPad directory and then click on the Choose button.

Back in the File Sharing pane, double-click the new iPads share. Note the new checkbox called “Allow only encrypted connections”. Of the protocols offered here only SMB (with SMB 3 clients) can encrypt the session, so checking it disables AFP and WebDAV for that share; that is the trade-off for keeping file contents off the wire in the clear.

On the screen for the iPads share, feel free to edit the name of the share (how it appears to users); by default it is the name of the directory. Then configure who has access to what on the share. Use the plus sign (“+”) in the Access section to add the groups that should have permission to the share. To change an entry already in the list, double-click the group name and provide a new one, or use the plus sign to add a user or group.

The permissions available for the entries you add are Read & Write, Read Only and Write Only. The POSIX entries (the bottom three: owner, group and Everyone) also offer No Access; the ACL entries above them (which together form an Access Control List) don’t need that option, because a principal with no ACE (Access Control Entry) gets no access from the ACL. The two are evaluated together, though: if no ACE matches, the POSIX entries still apply, so an ACL that leaves a group out does nothing if the Everyone entry grants Read Only. Set Everyone to No Access when the ACL is meant to be the only grant.

If more granular permissions are required then click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions.

As you can see, this view exposes a number of other, more granular controls over permissions on files and directories. If you mark a share as usable for home folders, it can store home folders for user accounts, provided the server is running Open Directory. Once a share has been marked that way it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service.

Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for the share, click on the ON button to start the File Sharing service.

To connect to a share, use the Connect to Server dialog in the Finder’s Go menu. Since Mavericks, entering a bare address connects over SMB by default (which is even better now that those sessions can be encrypted). To connect over AFP instead, because you’re old school, put afp:// in front of the address and click Connect.

The File Sharing service can also be controlled from the command line with the sharing command, which ships in /usr/sbin on OS X itself. You can create, remove and modify share points with it. To create a share point and set the name it is given over AFP, the form is:

sharing -a <path> -A <share name>

So let’s say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command:

sharing -a /Shares/Public -A PUBLIC

The -a option creates the share; -A only sets the name clients see over AFP, and the matching options for the other protocols are -F (FTP name) and -S (SMB name). Which protocols the share is actually offered over, and whether guests are allowed, are set with the -s and -g flags (see man sharing for the digit format). Note that -r does not disable a share, it removes the record:

sharing -r PUBLIC

To then get a listing of shares you can use the following command:

sharing -l

You can also use the serveradmin command to manage file shares as well as the sharing service. To see the settings for file shares, use serveradmin with the settings option followed by the sharing service:

sudo serveradmin settings sharing

Sharing settings include the following:

sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeStandard\:GeneratedUID = "54428C28-793F-4F5B-B070-31630FE045AD"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Shared Items/iPads:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shared Items/iPads:path = "/Shared Items/iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:name = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:ftpName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:serverDocsIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeNative\:sharepoint_group_id = "3A1C9DAD-806C-4917-A39F-9317B6F85CCD"
sharing:sharePointList:_array_id:/Shared Items/iPads:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Shared Items/iPads:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Shares/Public:ftpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:smbName = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shares/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:isIndexingEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:dsAttrTypeStandard\:GeneratedUID = "80197252-1BC6-4391-AB00-C00EE64FD4F2"
sharing:sharePointList:_array_id:/Shares/Public:path = "/Shares/Public"
sharing:sharePointList:_array_id:/Shares/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:afpUseParentOwner = no
sharing:sharePointList:_array_id:/Shares/Public:afpName = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:ftpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:afpUseParentPrivs = no
sharing:sharePointList:_array_id:/Shares/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:name = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:ftpName = "Public-1"
sharing:sharePointList:_array_id:/Users/krypted/Public:dsAttrTypeStandard\:GeneratedUID = "0D6AF0D1-BA70-4DD4-9256-AC1B51A2761F"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Users/krypted/Public:webDAVName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Users/krypted/Public:afpName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Users/krypted/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Users/krypted/Public:path = "/Users/krypted/Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Users/krypted/Public:name = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:ftpName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:serverDocsIsShared = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsShared = no
sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:dsAttrTypeNative\:sharepoint_group_id = "FF1970EF-0789-49C7-80B5-E9FCABDDBB49"
sharing:sharePointList:_array_id:/Users/krypted/Public:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:mountedOnPath = "/"

To see the settings for the protocol services themselves, use serveradmin settings followed by the service name, afp or smb:

sudo serveradmin settings afp

AFP settings include:

afp:maxConnections = -1
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.66D68615726DE922C1D1760BD2DD45B37E73ADD4@LKDC:SHA1.66D68615726DE922C1D1760BD2DD45B37E73ADD4"
afp:fullServerMode = yes
afp:allowSendMessage = yes
afp:maxGuests = -1
afp:activityLog = yes

September 26th, 2015

Posted In: Mac OS X Server

The serverctl command starts and stops services in OS X Server at the launchd level. Use it with the list verb to show the services it knows about:

serverctl list

Take a service name from that list (without the quotes) and feed it back to serverctl with the enable verb and a service= option identifying the service:

serverctl enable service=com.apple.servermgrd.xcode

Or disable it with the disable verb, which is worth doing for any service the server doesn’t actually need:

serverctl disable service=com.apple.servermgrd.xcode

July 2nd, 2015

Posted In: Mac OS X Server, Mac Security, Mass Deployment

File services are perhaps the most important aspect of any server, because a file server is often the first server an organization buys. That has been changing over the past few years, with many files now hosted by cloud services such as Box, Dropbox, Google Drive and, of course, iCloud. But many still need an on-premises server, and for predominantly Apple environments the Server app running on OS X Yosemite isn’t a bad idea. OS X Yosemite Server includes several protocols for serving files: AFP, SMB and WebDAV. Together these make up the File Sharing service in OS X Yosemite running the Server app.

Note: I’ve got another article that looks at FTP in more detail; the three protocols above are what I’ll stick to here.

File servers have shares. In OS X Yosemite Server we refer to these as Share Points. By default:

• File Sharing has some built-in Share Points that not all environments will require.
• Each of these shares is also served by AFP and SMB, something else you might not want (many purely Mac environments might not even need SMB). Or if you have iOS devices, you may only require WebDAV sharing.
• Each share has permissions that Apple provides which will work for some but not all.

In short, the default configuration probably isn’t going to work for everyone. So before anything else, let’s edit the shares to make them secure. The first step is to create your users and groups, or at least the ones that will be granted permissions to the shares, using the Users and Groups entries in the List Pane of the Server app. Once users and groups exist, click the File Sharing service in the SERVICES list in the List Pane to see the shares on the server.

If you’re just getting started, remove the built-in share you don’t need: click Groups in the list of shares and then click the minus button on the screen. Every share you don’t have is one fewer place for a misapplied permission to expose data.

As mentioned, a share can be served over more than one protocol, and each protocol is enabled or disabled per share. As an example, we’ll disable SMB for Public: double-click Public and then uncheck the SMB protocol checkbox for the share.

When you’ve disabled SMB, click Done to save the changes to the server. Editing shares is really that easy. Next, we’ll create a new share where iPads can put their work, separate from the WebDAV share the Wiki service uses automatically. To create the share, first create a directory for it to live in on the computer, in this case /Shared Items/iPads.

Then from the File Sharing pane in Server app, click on the plus sign (“+”).

At the browse dialog, browse to the location of your iPad directory and then click on the Choose button.

Back in the File Sharing pane, double-click the new iPads share. Note the new checkbox here called Encrypt connections. Only SMB can encrypt the session, so if you check it you cannot use AFP or WebDAV for that share; that is the trade-off for keeping file contents off the wire in the clear.

On the screen for the iPads share, feel free to edit the name of the share (how it appears to users); by default it is the name of the directory. Then configure who has access to what on the share. Use the plus sign (“+”) in the Access section to add the groups that should have permission to the share. To change an entry already in the list, double-click the group name and provide a new one, or use the plus sign to add a user or group.

The permissions available for the entries you add are Read & Write, Read Only and Write Only. The POSIX entries (the bottom three: owner, group and Everyone) also offer No Access; the ACL entries above them (which together form an Access Control List) don’t need that option, because a principal with no ACE (Access Control Entry) gets no access from the ACL. The two are evaluated together, though: if no ACE matches, the POSIX entries still apply, so an ACL that leaves a group out does nothing if the Everyone entry grants Read Only. Set Everyone to No Access when the ACL is meant to be the only grant.

If more granular permissions are required then click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions.

As you can see, this view exposes a number of other, more granular controls over permissions on files and directories. If you mark a share as usable for home folders, it can store home folders for user accounts, provided the server is running Open Directory. Once a share has been marked that way it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service.

Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for the share, click on the ON button to start the File Sharing service.

To connect to a share, use the Connect to Server dialog in the Finder’s Go menu. Since Mavericks, entering a bare address connects over SMB by default (which is even better now that those sessions can be encrypted). To connect over AFP instead, because you’re old school, put afp:// in front of the address and click Connect.

The File Sharing service can also be controlled from the command line with the sharing command, which ships in /usr/sbin on OS X itself. You can create, remove and modify share points with it. To create a share point and set the name it is given over AFP, the form is:

sharing -a <path> -A <share name>

So let’s say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command:

sharing -a /Shares/Public -A PUBLIC

The -a option creates the share; -A only sets the name clients see over AFP, and the matching options for the other protocols are -F (FTP name) and -S (SMB name). Which protocols the share is actually offered over, and whether guests are allowed, are set with the -s and -g flags (see man sharing for the digit format). Note that -r does not disable a share, it removes the record:

sharing -r PUBLIC

To then get a listing of shares you can use the following command:

sharing -l
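
The sharing and permissions steps walked through above, and in the Sierra and El Capitan posts earlier on this page, can be scripted so the result is reviewable before it is applied. What follows is an added example written for this page, not code from the original posts or from Apple. It builds the share with sharing(8) restricted to SMB with guest access off on every protocol, grants one directory group access through an inheritable ACE with chmod +a, and closes the POSIX bits for everyone else so the ACE is the only grant. The group name ipads is an assumption, as is the afp/ftp/smb digit order of the -s and -g flags, which you should confirm against man sharing on the server before running it. With DRY_RUN=1 (the default) the functions only print the commands they would run.

```shell
#!/bin/sh
# Added example (not from the original posts): provision a locked-down share
# point with sharing(8) and chmod(1) instead of the Server app.
# Assumptions not stated on the page: the directory group "ipads" exists, and
# sharing(8) takes -s (share) and -g (guest) as three binary digits in the
# order afp/ftp/smb (check `man sharing` on the server). Each function emits
# the command as a string; apply_share only executes when DRY_RUN is not 1.

# share_flags AFP FTP SMB: validate three 0/1 digits and emit the flag string.
share_flags() {
  for d in "$1" "$2" "$3"; do
    case "$d" in
      0|1) ;;
      *) echo "share_flags: expected 0 or 1, got '$d'" >&2; return 1 ;;
    esac
  done
  printf '%s%s%s\n' "$1" "$2" "$3"
}

# create_share_cmd PATH NAME: share offered over SMB only, guests off everywhere.
create_share_cmd() {
  flags=$(share_flags 0 0 1) || return 1
  guest=$(share_flags 0 0 0) || return 1
  printf "sharing -a '%s' -S '%s' -s %s -g %s\n" "$1" "$2" "$flags" "$guest"
}

# acl_cmd PATH GROUP ro|rw: one inheritable ACE for the group. ro deliberately
# carries no write or delete rights; rw adds what is needed to create, modify
# and remove files and subdirectories below the share.
acl_cmd() {
  case "$3" in
    ro) perms="list,search,read,readattr,readextattr,readsecurity,file_inherit,directory_inherit" ;;
    rw) perms="list,search,add_file,add_subdirectory,delete_child,read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" ;;
    *) echo "acl_cmd: mode must be ro or rw" >&2; return 1 ;;
  esac
  printf "chmod +a 'group:%s allow %s' '%s'\n" "$2" "$perms" "$1"
}

# posix_cmd PATH: owner root, group wheel, nothing for "everyone", so the
# POSIX rows the Server app shows cannot grant more than the ACE does.
posix_cmd() {
  printf "chown root:wheel '%s' && chmod 0770 '%s'\n" "$1" "$1"
}

# apply_share PATH NAME GROUP ro|rw: print the full sequence, or run it as
# root on the server when DRY_RUN=0.
apply_share() {
  acl=$(acl_cmd "$1" "$3" "$4") || return 1
  share=$(create_share_cmd "$1" "$2") || return 1
  cmds=$(printf '%s\n%s\n%s\n' "$(posix_cmd "$1")" "$acl" "$share")
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$cmds"
  else
    printf '%s\n' "$cmds" | sh -e
  fi
}

# Example: apply_share '/Shared Items/iPads' iPads ipads rw
```

After sourcing the script, apply_share '/Shared Items/iPads' iPads ipads rw prints the three commands; run it again with DRY_RUN=0 as root once they look right, then sharing -l to confirm the record and ls -le on the directory to confirm the ACE.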

You can also use the serveradmin command to manage file shares as well as the sharing service. To see the settings for file shares, use serveradmin with the settings option followed by the sharing service:

sudo serveradmin settings sharing

Sharing settings include the following:

sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbName = "iPads"
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:webDAVName = "iPads"
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbEncrypted = no
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:afpName = "iPads"
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:path = "/Volumes/Macintosh HD/Shared Items/iPads"
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:name = "iPads"
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:ftpName = "iPads"
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbIsShared = yes
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:afpIsShared = yes
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:webDAVIsShared = yes
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:dsAttrTypeNative\:sharepoint_group_id = "E500829F-6589-4A34-9D3B-C7FDC71400B4"
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:isIndexingEnabled = no

To see settings for the services use the serveradmin command with the settings option followed by the services: afp and smb:

sudo serveradmin settings afp

AFP settings include:

afp:maxGuests = -1
afp:afpTCPPort = 548
afp:clientSleepTime = 24
afp:replyCacheQuantum = 32
afp:maxConnections = -1
afp:sendGreetingOnce = no
afp:reconnectTTLInMin = 1440
afp:clientSleepOnOff = yes
afp:loginGreeting = ""
afp:errorLogPath = "/Library/Logs/AppleFileService/AppleFileServiceError.log"
afp:errorLogTime = 0
afp:activityLogTime = 7
afp:errorLogSize = 1000
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.5776019F497F854DBA581884DE3A1AC7BBF69E22@LKDC:SHA1.5776019F497F854DBA581884DE3A1AC7BBF69E22"
afp:recon1SrvrKeyTTLHrs = 168
afp:idleDisconnectOnOff = no
afp:reconnectFlag = "no_admin_kills"
afp:activityLog = yes
afp:reconnectKeyLocation = "/private/etc/AFP.conf"
afp:loginGreetingTime = 1315436086
afp:adminGetsSp = yes
afp:fullServerMode = yes
afp:idleDisconnectMsg = ""
afp:updateHomeDirQuota = yes
afp:activityLogPath = "/Library/Logs/AppleFileService/AppleFileServiceAccess.log"
afp:authenticationMode = "standard_and_kerberos"
afp:admin31GetsSp = no
afp:shutdownThreshold = 3
afp:TCPQuantum = 1048576
afp:allowSendMessage = yes
afp:idleDisconnectTime = 10
afp:loggingAttributes:logOpenFork = yes
afp:loggingAttributes:logDelete = yes
afp:loggingAttributes:logCreateDir = yes
afp:loggingAttributes:logLogin = yes
afp:loggingAttributes:logLogout = yes
afp:loggingAttributes:logCreateFile = yes
afp:tickleTime = 30
afp:specialAdminPrivs = no
afp:noNetworkUsers = no
afp:idleDisconnectFlag:adminUsers = yes
afp:idleDisconnectFlag:registeredUsers = yes
afp:idleDisconnectFlag:usersWithOpenFiles = yes
afp:idleDisconnectFlag:guestUsers = yes
afp:recon1TokenTTLMins = 10080
afp:guestAccess = yes
afp:allowRootLogin = no
afp:activityLogSize = 1000
afp:afpServerEncoding = 0
afp:createHomeDir = yes

To see a run-down of some of the options for afp, see this article I did previously. Additionally, for a run-down of smb options, see this one.

October 16th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server


Sorry for shouting. I keep hearing people mention that they can’t upgrade to OS X Mavericks, or Mavericks Server because they need AFP. Well, the change that came in Mavericks isn’t that AFP was deprecated. Maybe it doesn’t get to call shotgun any more when running out to the car, but it’s still there.

The sharing output, which shows afp:

List of Share Points
name: Charles Edge’s Public Folder
path: /Users/krypted/Public
afp: {
name: Charles Edge’s Public Folder
shared: 1
guest access: 1
inherit perms: 0
}

The Connect to Server over afp:

Screen Shot 2013-10-24 at 11.06.42 AM

SMB is now the default protocol. Therefore, if you open a Connect to Server dialog and don’t prefix the string with afp:// then you will automagically connect over smb. Either way, we can clearly see more development is going into SMB than afp. However, afp isn’t dead yet. Sure, badly burned, shot in the arm, broken leg, etc.

October 24th, 2013

Posted In: Mac OS X


File Services are perhaps the most important aspect of any server because file servers are often the first server an organization purchases. There are a number of protocols built into OS X Mavericks Server dedicated to serving files, including AFP, SMB and WebDAV. These services, combined comprise the File Sharing service in OS X Mavericks Server (Server 3).

File servers have shares. In OS X Mavericks Server we refer to these as Share Points. By default:

  • File Sharing has some built-in Share Points that not all environments will require.
  • Each of these shares is also served by AFP and SMB, something else you might not want (many purely Mac environments might not even need SMB). Or if you have iOS devices, you may only require WebDAV sharing.
  • Each share has permissions that Apple provides which will work for some but not all.

In short, the default configuration probably isn’t going to work for everyone. Therefore, before we do anything else, let’s edit the shares to make them secure. The first step is to create all of your users and groups (or at least the ones that will get permissions to the shares). This is done in Server app using the Users and Groups entries in the List Pane. Once users and groups are created, open the Server app and then click on the File Sharing service in the SERVICES list in the List Pane. Here, you will see a list of the shares on the server.

Screen Shot 2013-10-05 at 9.33.49 PM

In our example configuration we’re going to disable the built-in share. To do so, click on Groups one time and then click on the minus button on the screen.

Screen Shot 2013-10-05 at 9.34.51 PM

As mentioned, shares can be shared out using different protocols. Next, we’re going to disable SMB for Public. To do so, double-click on Public and then uncheck the SMB protocol checkbox for the share.

Screen Shot 2013-10-05 at 9.37.14 PM

When you’ve disabled SMB, click on the Done button to save the changes to the server. Next, we’re going to create a new share for iPads to be able to put their work, above and beyond the WebDAV instance automatically used by the Wiki service. To create the share, first we’re going to create a directory for the share to live in on the computer, in this case in the /Shared Items/iPads directory. Then from the File Sharing pane in Server app, click on the plus sign (“+”).

Screen Shot 2013-10-05 at 9.38.49 PM

At the browse dialog, browse to the location of your iPad directory and then click on the Choose button.

Screen Shot 2013-10-05 at 9.39.23 PM

At the File Sharing pane, double-click on the new iPads share.

Screen Shot 2013-10-05 at 9.40.06 PM

At the screen for the iPads share, feel free to edit the name of the share (how it appears to users) as it by default uses the name of the directory for the name of the share. Then, it’s time to configure who has access to what on the share. Here, use the plus sign (“+”) in the Access section of the pane to add groups that should be able to have permission to access the share. Also, change the groups in the list that should have access by double-clicking on the name of the group and providing a new group name or clicking on the plus sign to add a user or group.

Screen Shot 2013-10-05 at 9.40.47 PM

The permissions available in this screen for users that are added are Read & Write, Read Only/Read and Write. POSIX permissions (the bottom three entries) also have the option for No Access, but ACLs (the top entries comprise an Access Control List) don’t need such an option as if there is no ACE (Access Control Entry) for the object then No Access is assumed.

If more granular permissions are required then click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions.

Screen Shot 2013-10-05 at 9.42.06 PM

As can be seen, there are a number of other options that more granularly allow you to control permissions to files and directories in this view. If you make a share a home folder, you can use that share to store a home folder for a user account provided the server uses Open Directory. Once a share has been made an option for home folders it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service.

Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for the share, click on the ON button to start the File Sharing service.

Screen Shot 2013-10-05 at 9.46.18 PM

To connect to a share, use the Connect to Server dialog, available by clicking Connect to Server in the Go menu. A change in Mavericks is that when you enter an address, the client connects over SMB. If you’d like to connect over AFP, enter afp:// in front of the address and then click Connect.

The File Sharing service can also be controlled from the command line. Mac OS X Server provides the sharing command. You can create, delete and augment information for share points using sharing. To create a share point for AFP you can use the following command:

sharing -a <path> -A <share name>

So let’s say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command:

sharing -a /Shares/Public -A PUBLIC

Here, -a adds the share point and -A gives it the AFP name users will see, but what if you want to name it for other protocols too? Well, -F does the same for FTP and -S for SMB. Once created, you can remove the share again using the following command:

sharing -r PUBLIC

To then get a listing of shares you can use the following command:

sharing -l

You can also use the serveradmin command to manage file shares as well as the sharing service. To see settings for file shares, use the serveradmin command along with the settings option and then define the sharing service:

sudo serveradmin settings sharing

Sharing settings include the following:

sharing:sharePointList:_array_id:/Users/admin/Public:smbName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:isIndexingEnabled = no
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_group_id = "35DF29D6-D5F3-4F16-8F20-B50BCDFD8743"
sharing:sharePointList:_array_id:/Users/admin/Public:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_account_uuid = "51BC33DC-1362-489E-8989-93286B77BD4C"
sharing:sharePointList:_array_id:/Users/admin/Public:path = "/Users/admin/Public"
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:afpName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeStandard\:GeneratedUID = "4646E019-352D-40D5-B62C-8A82AAE39762"
sharing:sharePointList:_array_id:/Users/admin/Public:smbDirectoryMask = "755"
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbCreateMask = "644"
sharing:sharePointList:_array_id:/Users/admin/Public:ftpName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:name = "administrator's Public Folder"
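
Both sharePointList dumps on this page (the iPads share in the 2014 post above and the admin Public folder here) carry the flags an auditor cares about: which protocols a share is served over, whether guest access is on, and whether SMB encryption is required. The following POSIX shell function is an added example written for this page, not part of macOS Server: it parses a saved `serveradmin settings sharing` dump from stdin and flags the risky combinations. The sample dump is constructed by trimming the two listings above.

```shell
#!/bin/sh
# Added example for this article (not part of macOS Server): audit a
# "sudo serveradmin settings sharing" dump for share points that are exposed
# more widely than intended. Reads the key = value lines from stdin.

# Prints one tab-separated line per finding: <severity> <share path> <detail>.
# INFO lines list the protocols a share is served over (afp/smb/webDAV only;
# the dump has an ftpName key but no ftpIsShared key to test) and SMB shares
# that do not require encryption; WARN lines flag guest access on a protocol
# that is actually shared.
audit_shares() {
    awk '
    /^sharing:sharePointList:_array_id:/ {
        line = substr($0, length("sharing:sharePointList:_array_id:") + 1)
        eq = index(line, " = ")
        if (eq == 0) next
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 3)
        gsub(/^"|"$/, "", val)
        # Escaped colons (dsAttrTypeNative\:sharepoint_group_id) belong to the
        # setting name, not to the path: protect them before splitting.
        gsub(/\\:/, "__", key)
        n = split(key, parts, ":")
        setting = parts[n]
        # Everything before the last ":" is the share path (it may contain spaces).
        path = substr(key, 1, length(key) - length(setting) - 1)
        cfg[path, setting] = val
        shares[path] = 1
    }
    END {
        for (p in shares) {
            protos = ""
            if (cfg[p, "afpIsShared"] == "yes") protos = protos "afp,"
            if (cfg[p, "smbIsShared"] == "yes") protos = protos "smb,"
            if (cfg[p, "webDAVIsShared"] == "yes") protos = protos "webDAV,"
            sub(/,$/, "", protos)
            if (protos == "") protos = "none"
            printf "INFO\t%s\tprotocols=%s\n", p, protos
            if (cfg[p, "afpIsShared"] == "yes" && cfg[p, "afpIsGuestAccessEnabled"] == "yes")
                printf "WARN\t%s\tafpIsGuestAccessEnabled=yes\n", p
            if (cfg[p, "smbIsShared"] == "yes" && cfg[p, "smbIsGuestAccessEnabled"] == "yes")
                printf "WARN\t%s\tsmbIsGuestAccessEnabled=yes\n", p
            if (cfg[p, "smbIsShared"] == "yes" && cfg[p, "smbEncrypted"] == "no")
                printf "INFO\t%s\tsmbEncrypted=no\n", p
        }
    }' | LC_ALL=C sort
}

# Constructed sample, trimmed from the two dumps in the article: the iPads
# share (guest off) and the admin Public folder (guest on for AFP and SMB).
SAMPLE_SHARING=$(cat <<'EOF'
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbEncrypted = no
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:smbIsShared = yes
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:afpIsShared = yes
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:webDAVIsShared = yes
sharing:sharePointList:_array_id:/Volumes/Macintosh HD/Shared Items/iPads:dsAttrTypeNative\:sharepoint_group_id = "E500829F-6589-4A34-9D3B-C7FDC71400B4"
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsShared = yes
EOF
)

# Offline demo on the sample; on a live server pipe the real dump instead:
#   sudo serveradmin settings sharing | audit_shares
printf '%s\n' "$SAMPLE_SHARING" | audit_shares
```

On the sample this reports two WARN lines, both for the admin Public folder, and no guest finding for the iPads share.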

To see settings for the services use the serveradmin command with the settings option followed by the services: afp and smb:

sudo serveradmin settings afp

AFP settings include:

afp:maxConnections = -1
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.978EED40F79A72F4309A272E6586CF0A3B8C062E@LKDC:SHA1.978EED40F79A72F4309A272E6586CF0A3B8C062E"
afp:fullServerMode = yes
afp:allowSendMessage = yes
afp:maxGuests = -1
afp:activityLog = yes

To see a run-down of some of the options for afp, see this article I did previously. Additionally, for a run-down of smb options, see this one.

October 23rd, 2013

Posted In: Uncategorized


OS X Mavericks has a lot of scripts used for enabling services, setting states, changing hostnames and the like. Once upon a time there was a script for OS X Server called server setup. It was a beautiful but too simplistic kind of script. Today, much of that logic has been moved out into more granular scripts, kept in /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup, used by the server to perform all kinds of tasks. These scripts are, like a lot of other things in Mountain Lion Server. Some of these include the configuration of amavisd, dovecot and alerts. These scripts can also be used for migrating services and data, such as /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/30-ipfwmigrator. Sometimes the scripts are in bash, sometimes ruby, sometimes perl and other times even python.

Additionally, there’s a directory /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/ that is full of scripts for migrating services in OS X Server, helpful for even services that have been seemingly deprecated.

One of the things that can be useful about the scripts scattered throughout the Server app is to learn how the developers of OS X Server intend for certain tasks to occur. One such example is /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/loggather.sh, used to grab logs. Here, you can learn the locations of certain logs as well as rudimentary stackshot commands. This is where I started calling stackshot before I did Server installs (or during), using the following command, which creates a custom text file containing:

/usr/libexec/stackshot -i -f /Library/Logs/ServerSetup_StackShot_KRYPTED.txt

This is also where I learned that I can tail /tmp/SetupLogs.tgz during some installs to be able to watch what’s going on during the installation process:

tail -f /tmp/SetupLogs.tgz

Looking At Each Service

This is also where I learned that Apple had put an Open Directory backup script in /Applications/Server.app/Contents/ServerRoot/usr/libexec/server_backup/opendirectorybackup (that still requires a password). But what I haven’t seen in all of these logs is bumping up the logging level for services before performing tasks, so that you can see a verbose output of what’s going on. To do this, it looks like we’re going service-by-service. So let’s look alphabetically, starting with Address Book:

sudo serveradmin settings addressbook:DefaultLogLevel = "warn"

By default this logs to /var/log/caldavd/error.log, a path assembled from the following setting, which sets the base directory:

sudo serveradmin settings addressbook:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings addressbook:ErrorLogFile=error.log

You can change either by changing what comes after the = sign.

Next is afp. This service logs output to two places. The first records errors from the service in /Library/Logs/AppleFileService/AppleFileServiceError.log, the path designated in the following:

sudo serveradmin settings afp:errorLogPath = "/Library/Logs/AppleFileService/AppleFileServiceError.log"

The second location logs activities (open file, delete file, etc) rather than errors and is /Library/Logs/AppleFileService/AppleFileServiceAccess.log, defined using:

sudo serveradmin settings afp:activityLogPath = "/Library/Logs/AppleFileService/AppleFileServiceAccess.log"

The activity log is disabled by default and enabled using the command:

sudo serveradmin settings afp:activityLog = yes

The events that trigger log entries are in the afp:loggingAttributes array and are all enabled by default. There are no further controls for the verbosity of the afp logs.

The next service is calendar. Similar to address book, the caldav server uses DefaultLogLevel to set how much data gets placed into logs:

sudo serveradmin settings calendar:DefaultLogLevel = "warn"

By default this logs to /var/log/caldavd/error.log, a path assembled from the following setting, which sets the base directory:

sudo serveradmin settings calendar:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings calendar:ErrorLogFile=error.log

You can change either by changing what comes after the = sign.

Profile Manager is called devicemgr in the serveradmin interface and I’ve found no way to augment the logging levels. Nor does its migration script (/Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/80-devicemgrmigration.sh) point to any increased logging during migration.

The dirserv (aka Open Directory) uses the slapconfig back-end, so I use slapconfig to increase logging:

sudo slapconfig -enableslapdlog

The DNS service uses named.conf, located in /etc to set log levels and has no serveradmin settings for doing so. Here, use the logging section and look for both the file setting (by default /Library/Logs/named.log) for where the log is stored as well as the severity setting, which can set the logging levels higher or lower.

By default Messages, or iChat Server, logs a lot. See the following for what is logged:

sudo serveradmin settings jabber:logLevel = "ALL"

Adding the -D option to the LaunchDaemon that invokes jabber will increase the logs. Logging long-term is handled in each of the xml files that make up the features of jabber. See the Logconfiguration section of the c2s file via:

cat /Applications/Server.app/Contents/ServerRoot/private/etc/jabberd/c2s.xml

The mail service has a number of options for logging, much of which has to do with the fact that it’s a patchy solution made up of postfix, etc. Global log locations are controlled using the mail:global:service_data_path key, which indicates a path that logs are stored in (as usual many of these are in /Library/Server):

sudo serveradmin settings mail:global:service_data_path = "/Library/Server/Mail"

To see the virus database logging levels (which should usually be set to warn):

sudo serveradmin settings mail:postfix:virus_db_log_level

To see the spamassassin logging levels:

sudo serveradmin settings mail:postfix:spam_log_level

To see the actual postfix logging level:

sudo serveradmin settings mail:postfix:log_level

To enable timestamps on logs:

sudo serveradmin settings mail:imap:logtimestamps = yes

To set the dovecot logging to info:

sudo serveradmin settings mail:imap:log_level = "info"

To set increased logging per function that dovecot performs, see the config files in /Applications/Server.app/Contents/ServerRoot/private/etc/dovecot/default/conf.d, each of which has a logging section to do so.

The NetBoot service is simple to configure logging for, simply set the netboot:logging_level to HIGH (by default it’s MEDIUM):

sudo serveradmin settings netboot:logging_level = "HIGH"

The Postgres service uses a log directory, configured with postgres:log_directory:

sudo serveradmin settings postgres:log_directory = "/Library/Logs/PostgreSQL"

The /private/etc/raddb/radiusd.conf has a section (log {}) dedicated to configuring how the radius service logs output.

The Xsan service logs output per volume to both the System Log and volume-based log files, stored in /Library/Preferences/Xsan/data.

The smb service has a file, /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist, with a key for log level that can be used for more verbose output of the service.

The PPTP VPN service logs output to the file specified in vpn:Servers, configured with these:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:Server:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:LogFile = "/var/log/ppp/vpnd.log"

By default, verbose logging is enabled, which you can see with:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging

The last service is web (Apache). The default access logs are per-site, with a key called customLogPath existing for each. The defaultSite uses the following for its logs:

sudo serveradmin settings web:defaultSite:customLogPath

Swap out the defaultSite with another site to see its log paths. There’s also a key for errorLogPath that shows errors. These are per-site so that administrators can provide access to logs for the owners of each site and not fear them having access to logs for other users. Global error logs are stored in /private/var/log/apache2/error_log as defined in /private/etc/apache2/httpd.conf. Find LogLevel in this file and set it to configure how in depth the logs will be, using debug for the most verbose and info, notice, warn, error, crit, alert, and emerg to get incrementally less information.

Additionally the log formats can be set in /private/etc/apache2/httpd.conf, allowing administrators to configure Mountain Lion Server’s built-in web service to conform to the standards of most modern web log analyzers.

Conclusion

Overall, there’s a lot of information in these logs and administrators can spend as much time reviewing logs as they want. But other than standard system logs, the output is typically configured on a service-by-service basis. Some services offer a lot of options and others offer only a few. Some services also offer options within the serveradmin environment while others use their traditional locations in their configuration files. I’ll end this with a warning. There can also be a lot of output in these logs. Therefore, if you set the logging facilities high, make sure to keep a watchful eye on the capacity of the location you’re writing logs out to. The reason I looked at paths to logs where applicable was because you might want to consider redirecting logs to an external volume when debugging so as not to fill up a boot volume and cause even more problems than what you’re likely parsing through logs looking to fix…

October 22nd, 2013

Posted In: Mac OS X Server


OS X Mountain Lion has a lot of scripts used for enabling services, setting states, changing hostnames and the like. Once upon a time there was a script for OS X Server called server setup. It was a beautiful but too simplistic kind of script. Today, much of that logic has been moved out into more granular scripts, kept in /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup, used by the server to perform all kinds of tasks. These scripts are, like a lot of other things in Mountain Lion Server. Some of these include the configuration of amavisd, dovecot and alerts. These scripts can also be used for migrating services and data, such as /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/30-ipfwmigrator. Sometimes the scripts are in bash, sometimes ruby, sometimes perl and other times even python.

Additionally, there’s a directory /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/ that is full of scripts for migrating services in OS X Server, helpful for even services that have been seemingly deprecated.

One of the things that can be useful about the scripts scattered throughout the Server app is to learn how the developers of OS X Server intend for certain tasks to occur. One such example is /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/loggather.sh, used to grab logs. Here, you can learn the locations of certain logs as well as rudimentary stackshot commands. This is where I started calling stackshot before I did Server installs (or during), using the following command, which creates a custom text file containing:

/usr/libexec/stackshot -i -f /Library/Logs/ServerSetup_StackShot_KRYPTED.txt

This is also where I learned that I can tail /tmp/SetupLogs.tgz during some installs to be able to watch what’s going on during the installation process:

tail -f /tmp/SetupLogs.tgz

Looking At Each Service

This is also where I learned that Apple had put an Open Directory backup script in /Applications/Server.app/Contents/ServerRoot/usr/libexec/server_backup/opendirectorybackup (that still requires a password). But what I haven’t seen in all of these logs is bumping up the logging level for services before performing tasks, so that you can see a verbose output of what’s going on. To do this, it looks like we’re going service-by-service. So let’s look alphabetically, starting with Address Book:

sudo serveradmin settings addressbook:DefaultLogLevel = "warn"

By default this logs to /var/log/caldavd/error.log, a path assembled from the following setting, which sets the base directory:

sudo serveradmin settings addressbook:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings addressbook:ErrorLogFile=error.log

You can change either by changing what comes after the = sign.

Next is afp. This service logs output to two places. The first records errors from the service in /Library/Logs/AppleFileService/AppleFileServiceError.log, the path designated in the following:

sudo serveradmin settings afp:errorLogPath = "/Library/Logs/AppleFileService/AppleFileServiceError.log"

The second location logs activities (open file, delete file, etc) rather than errors and is /Library/Logs/AppleFileService/AppleFileServiceAccess.log, defined using:

sudo serveradmin settings afp:activityLogPath = "/Library/Logs/AppleFileService/AppleFileServiceAccess.log"

The activity log is disabled by default and enabled using the command:

sudo serveradmin settings afp:activityLog = yes

The events that trigger log entries are in the afp:loggingAttributes array and are all enabled by default. There are no further controls for the verbosity of the afp logs.

The next service is calendar. Similar to address book, the caldav server uses DefaultLogLevel to set how much data gets placed into logs:

sudo serveradmin settings calendar:DefaultLogLevel = "warn"

By default this logs to /var/log/caldavd/error.log, a path assembled from the following setting, which sets the base directory:

sudo serveradmin settings calendar:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings calendar:ErrorLogFile=error.log

You can change either by changing what comes after the = sign.

Profile Manager is called devicemgr in the serveradmin interface and I’ve found no way to augment the logging levels. Nor does its migration script (/Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/80-devicemgrmigration.sh) point to any increased logging during migration.

The dirserv (aka Open Directory) uses the slapconfig back-end, so I use slapconfig to increase logging:

sudo slapconfig -enableslapdlog

The DNS service uses named.conf, located in /etc to set log levels and has no serveradmin settings for doing so. Here, use the logging section and look for both the file setting (by default /Library/Logs/named.log) for where the log is stored as well as the severity setting, which can set the logging levels higher or lower.

By default Messages, or iChat Server, logs a lot. See the following for what is logged:

sudo serveradmin settings jabber:logLevel = "ALL"

Adding the -D option to the LaunchDaemon that invokes jabber will increase the logs. Logging long-term is handled in each of the xml files that make up the features of jabber. See the Logconfiguration section of the c2s file via:

cat /Applications/Server.app/Contents/ServerRoot/private/etc/jabberd/c2s.xml

The mail service has a number of options for logging, much of which has to do with the fact that it’s a patchy solution made up of postfix, etc. To see the virus database logging levels (which should usually be set to warn):

sudo serveradmin settings mail:postfix:virus_db_log_level

To see the spamassassin logging levels:

sudo serveradmin settings mail:postfix:spam_log_level

To see the actual postfix logging level:

sudo serveradmin settings mail:postfix:log_level

To enable timestamps on logs:

sudo serveradmin settings mail:imap:logtimestamps = yes

To set the dovecot logging:

sudo serveradmin settings mail:imap:log_level = "warn"

To set increased logging per function that dovecot performs, see the config files in /Applications/Server.app/Contents/ServerRoot/private/etc/dovecot/default/conf.d, each of which has a logging section to do so.

The NetBoot service is simple to configure logging for, simply set the netboot:logging_level to HIGH (by default it’s MEDIUM):

sudo serveradmin settings netboot:logging_level = "HIGH"

The Postgres service uses a log directory, configured with postgres:log_directory:

sudo serveradmin settings postgres:log_directory = "/Library/Logs/PostgreSQL"

The /private/etc/raddb/radiusd.conf has a section (log {}) dedicated to configuring how the radius service logs output.

The san service (Xsan) logs output per volume to both the System Log and volume-based log files, stored in /Library/Preferences/Xsan/data.

The smb service has a file, /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist, with a key for log level that can be used for more verbose output of the service.

The PPTP VPN service logs output to the file specified in vpn:Servers, configured with these:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:Server:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:LogFile = "/var/log/ppp/vpnd.log"

By default, verbose logging is enabled, which you can see with:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging

The last service is web (Apache). The default access logs are per-site, with a key called customLogPath existing for each. The defaultSite uses the following for its logs:

sudo serveradmin settings web:defaultSite:customLogPath

Swap out the defaultSite with another site to see its log paths. There’s also a key for errorLogPath that shows errors. These are per-site so that administrators can provide access to logs for the owners of each site and not fear them having access to logs for other users. Global error logs are stored in /private/var/log/apache2/error_log as defined in /private/etc/apache2/httpd.conf. Find LogLevel in this file and set it to configure how in depth the logs will be, using debug for the most verbose and info, notice, warn, error, crit, alert, and emerg to get incrementally less information.

Additionally the log formats can be set in /private/etc/apache2/httpd.conf, allowing administrators to configure Mountain Lion Server’s built-in web service to conform to the standards of most modern web log analyzers.

Conclusion

Overall, there’s a lot of information in these logs and administrators can spend as much time reviewing logs as they want. But other than standard system logs, the output is typically configured on a service-by-service basis. Some services offer a lot of options and others offer only a few. Some services also offer options within the serveradmin environment while others use their traditional locations in their configuration files. I’ll end this with a warning. There can also be a lot of output in these logs. Therefore, if you set the logging facilities high, make sure to keep a watchful eye on the capacity of the location you’re writing logs out to. The reason I looked at paths to logs where applicable was because you might want to consider redirecting logs to an external volume when debugging so as not to fill up a boot volume and cause even more problems than what you’re likely parsing through logs looking to fix…
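
The per-service keys walked through above (the Mavericks version of this write-up further up uses the same set) say where each service writes, and the closing warning is about those paths filling the boot volume. The following POSIX shell script is an added example written for this page, not Apple's code: it pulls every log-location key out of a saved `serveradmin settings` dump, joins the LogRoot and ErrorLogFile pair that addressbook and calendar use, and reports the volume and free space behind each path. The sample dump is constructed from the settings shown in the post.

```shell
#!/bin/sh
# Added example for this article (not part of macOS Server): find where each
# service writes its logs and which volume that lands on, so a raised log
# level does not quietly fill the boot volume. Reads a "serveradmin settings"
# dump (any mix of services) from stdin.

# Print "<service>\t<log path>" for the log-location keys covered above:
# direct path keys (errorLogPath, activityLogPath, LogFile, log_directory,
# customLogPath) and the LogRoot + ErrorLogFile pair that addressbook and
# calendar use, which has to be joined into one path.
log_paths() {
    awk '
    {
        eq = index($0, " = ")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 3)
        gsub(/^"|"$/, "", val)
        n = split(key, k, ":")
        svc = k[1]
        leaf = k[n]
        if (leaf == "LogRoot") root[svc] = val
        else if (leaf == "ErrorLogFile") file[svc] = val
        else if (leaf ~ /^(errorLogPath|activityLogPath|LogFile|log_directory|customLogPath)$/)
            print svc "\t" val
    }
    END {
        for (s in root) if (s in file) print s "\t" root[s] "/" file[s]
    }' | LC_ALL=C sort -u
}

# Walk up from a path until an existing directory is found (the log may not
# exist yet) and print the mount point df reports for it.
mount_point_of() {
    p=$1
    while [ ! -d "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    # Everything after the fifth column of the data row is the mount point
    # (it may contain spaces, e.g. a "/Volumes/Macintosh HD" style name).
    df -P "$p" | awk 'NR == 2 { sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, ""); print }'
}

# Report "<service>\t<log path>\t<mount point>\t<free 1K blocks>" per log path.
log_volume_report() {
    log_paths | while IFS="$(printf '\t')" read -r svc path; do
        mp=$(mount_point_of "$path")
        free=$(df -P "$mp" | awk 'NR == 2 { print $4 }')
        printf '%s\t%s\t%s\t%s\n' "$svc" "$path" "$mp" "$free"
    done
}

# Constructed sample assembled from the settings shown in the post.
SAMPLE_SETTINGS=$(cat <<'EOF'
addressbook:DefaultLogLevel = "warn"
addressbook:LogRoot = "/var/log/caldavd"
addressbook:ErrorLogFile = "error.log"
afp:errorLogPath = "/Library/Logs/AppleFileService/AppleFileServiceError.log"
afp:activityLogPath = "/Library/Logs/AppleFileService/AppleFileServiceAccess.log"
afp:activityLog = yes
postgres:log_directory = "/Library/Logs/PostgreSQL"
vpn:Servers:com.apple.ppp.pptp:Server:LogFile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:PPP:LogFile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:Server:LogFile = "/var/log/ppp/vpnd.log"
EOF
)

# Offline demo; on a server, feed live dumps instead, for example:
#   for s in addressbook afp calendar postgres vpn web; do sudo serveradmin settings $s; done | log_volume_report
printf '%s\n' "$SAMPLE_SETTINGS" | log_volume_report
```

The four vpn LogFile keys collapse to one path, and every path in the sample that resolves to the boot volume shows up with the same mount point and free-space figure.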

August 21st, 2012

Posted In: Mac OS X Server, Mac Security, Mass Deployment


The Time Machine service in Mountain Lion Server hasn’t changed much from the service in Lion Server. To enable the Time Machine service, open the Server app, click on Time Machine in the SERVICES sidebar. If the service hasn’t been enabled to date, the ON/OFF switch will be in the OFF position and no “Backup destination” will be shown in the Settings pane.

Click the ON button and a list of volumes that can be used as a destination for Time Machine backups appears. The volume you choose should be large enough to hold the backups of every user who can potentially use the Time Machine service hosted on the server.

Here, click on the volume to save your backups to. In this case it’s the internal hard drive; in most deployments, however, the backup destination will be a dedicated mass storage volume rather than the boot volume of the computer. Once selected, click “Use for Backup” and the service will start. Don’t touch anything until the service has started. Once started, the backup destination can be changed at any time using the Edit button.

Time Machine Server works via Bonjour. Open the Time Machine System Preference pane and then click on the Select Backup Disk button from a client to see the server in the list of available targets, much as you would do with an Apple Time Capsule.

Under the hood, a backup share is created in the file sharing service. To see the attributes of this share, use the serveradmin command followed by the settings option and then the key sharing:sharePointList:_array_id:/Shared Items/Backups:

sudo serveradmin settings sharing:sharePointList:_array_id:/Shared Items/Backups

The output shows the options configured for the share, including how locking is handled, that guest access is disabled, the generated identifiers, and which protocols the Backups share is exported over (AFP only, by default):

sharing:sharePointList:_array_id:/Shared Items/Backups:dsAttrTypeStandard:GeneratedUID = "1B1C7CFB-2B95-4087-B28B-C786E9CD68E2"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbName = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/Backups:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Shared Items/Backups:afpName = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Shared Items/Backups:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Shared Items/Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/Backups:name = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:ftpName = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbIsShared = no
sharing:sharePointList:_array_id:/Shared Items/Backups:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:timeMachineBackupUUID = "29B22ADA-97A3-46B2-9CB3-8EF9AFC9334E"
sharing:sharePointList:_array_id:/Shared Items/Backups:isTimeMachineBackup = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:dsAttrTypeNative:sharepoint_group_id = "59161FF9-78E7-4A41-B071-B6E60866694F"
sharing:sharePointList:_array_id:/Shared Items/Backups:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:mountedOnPath = "/"
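The same output is worth auditing rather than just reading, since a share point whose guest-access flag has flipped to yes, or a backup destination that still sits on the boot volume, is exactly the kind of drift that goes unnoticed. The following shell script is an added example, not code from the original post: it groups serveradmin "key = value" lines per share point and prints a finding for any share with guest access enabled on AFP or SMB, and for any Time Machine destination mounted on "/". The Backups lines in the sample are abridged from the output above; the Public share and its values are constructed for this example, and the two checks are policy choices assumed here rather than anything macOS Server enforces.

```shell
#!/bin/sh
# Added example: audit `serveradmin settings sharing` output for share points
# with risky settings. Checks (assumed policy for this example): guest access
# enabled on AFP or SMB, and a Time Machine destination on the boot volume.
#
# Constructed sample input: the Backups lines are abridged from the article's
# output; the Public share and its values are invented for this example.
SAMPLE_SHARING_SETTINGS='sharing:sharePointList:_array_id:/Shared Items/Backups:dsAttrTypeStandard:GeneratedUID = "1B1C7CFB-2B95-4087-B28B-C786E9CD68E2"
sharing:sharePointList:_array_id:/Shared Items/Backups:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/Backups:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Shared Items/Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbIsShared = no
sharing:sharePointList:_array_id:/Shared Items/Backups:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:isTimeMachineBackup = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:dsAttrTypeNative:sharepoint_group_id = "59161FF9-78E7-4A41-B071-B6E60866694F"
sharing:sharePointList:_array_id:/Shared Items/Backups:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Shared Items/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Shared Items/Public:path = "/Shared Items/Public"
sharing:sharePointList:_array_id:/Shared Items/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/Public:isTimeMachineBackup = no
sharing:sharePointList:_array_id:/Shared Items/Public:mountedOnPath = "/"'

# audit_shares: read "key = value" lines on stdin, collect attributes per share
# point and print one "LEVEL<TAB>share<TAB>finding" line per finding, sorted.
# Assumes share paths contain no ':' (true of the article's shares).
audit_shares() {
    awk -F' = ' '
        $1 ~ /^sharing:sharePointList:_array_id:/ {
            key = $1
            sub(/^sharing:sharePointList:_array_id:/, "", key)
            attr = key
            sub(/.*:/, "", attr)                 # attribute name: last component
            share = key
            sub(/:[^:]*$/, "", share)            # the rest identifies the share (its path)
            # dsAttrTypeStandard/dsAttrTypeNative keys carry one extra component
            sub(/:dsAttrType(Standard|Native)$/, "", share)
            val = $2
            gsub(/"/, "", val)                   # strip quotes around string values
            v[share, attr] = val
            seen[share] = 1
        }
        END {
            for (s in seen) {
                if (v[s, "afpIsGuestAccessEnabled"] == "yes" || v[s, "smbIsGuestAccessEnabled"] == "yes")
                    print "WARN\t" s "\tguest access enabled on at least one protocol"
                if (v[s, "isTimeMachineBackup"] == "yes" && v[s, "mountedOnPath"] == "/")
                    print "WARN\t" s "\tTime Machine destination is on the boot volume"
                if (v[s, "isTimeMachineBackup"] == "yes" && v[s, "smbIsShared"] == "yes")
                    print "INFO\t" s "\tbackup share is also exported over SMB"
            }
        }' | sort
}

# Stand-alone run over the constructed sample. Against a live server you would
# pipe `sudo serveradmin settings sharing` into audit_shares instead.
printf '%s\n' "$SAMPLE_SHARING_SETTINGS" | audit_shares
```

Over the sample this reports two findings: the Backups share because its destination is on the boot volume, and the Public share because SMB guest access is enabled. The Backups share is AFP-only, so no SMB finding is produced for it.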

Once the service is running, administrators frequently fill up the target volume. To move the backups to another location, first stop the service and then move the folder (e.g. using mv). Once moved, use the serveradmin command to point the share at the new backup path. For example, to change the target to /Volumes/bighonkindisk, use the following command:

sudo serveradmin settings sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Volumes/bighonkindisk"

Another way to see the share and attributes of the share is through the sharing command:

sharing -l

Which should show output similar to the following:

List of Share Points
name: Backups
path: /Shared Items/Backups
afp: {
name: Backups
shared: 1
guest access: 0
inherit perms: 0
}
ftp: {
name: Backups
shared: 0
guest access: 0
}
smb: {
name: Backups
shared: 0
guest access: 0
}

There’s also a Bonjour service published that announces to other clients on the same subnet that the server can be used as a backup destination (the same technology used in a Time Capsule).

One major difference between the Time Machine service and the others is that there’s no dedicated serveradmin service for it: no tm, tmutil (the Time Machine command line tool) or timemachine. Instead, nearly everything piggy-backs off the sharing service. Also, what I consider a major difference is that most other services now have generic names (e.g. Address Book is now called Contacts, iCal is now called Calendar, etc). The only services still using marketing terms as their names are really Profile Manager, Time Machine and Open Directory. I would expect these to eventually be called Profiles, Backup and Directory to keep the naming convention already started with the rest of the services.

I think that as a free aspect of OS X Server, Time Machine Server is well worth the money for small workgroups. However, there are backup solutions from 3rd party vendors worth far more than their purchase price due to reduced disk capacity requirements (e.g. through deduplication), reduced overhead (e.g. by streamlining or accelerating traffic for the backup protocols, or even offloading all the work to the client systems) and allowing for more redundancy in backups (e.g. 2 targets). This additional logic can at first appear to come at a steep cost, but once you add up the bandwidth, disk and other expenditures needed to get Time Machine Server integrated, the comparison is closer than it looks. Also, Time Machine is built to work via Bonjour, meaning that it is effectively limited to the server’s own subnet. Time Machine Server is a great add-on, but many organizations may quickly outgrow it. Not all though, and so for a SoHo comprehensive server that needs to provide for client-based backups, OS X Server has a great feature in Time Machine.

While I found plenty to ramble on about in this article, nothing has really changed since the Lion iteration of the service. Mass deployment is still the same, as is client side configuration. One change is that the screen for the Time Machine Options on the client no longer has an option for managing Versions, as seen below.

August 1st, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

