krypted.com

Tiny Deathstars of Foulness

macOS Server 5.4, running on High Sierra (macOS 10.13), has an adaptive firewall built in: a firewall that controls incoming access based on what clients are doing to the server. It automatically blocks incoming connections it considers abusive. For example, if a client attempts too many incorrect logins, a firewall rule blocks that client's IP address from communicating with the server for 15 minutes. If you're troubleshooting and accidentally trip one of these rules, that can be a bit frustrating, which is why Apple gives us afctl, a tool that interacts with the adaptive firewall.

To enable the adaptive firewall, use the -f option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f

Alternatively, use the -X option to disable the Adaptive Firewall:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -X

The -X option logs what it is doing, so you'll see output similar to the following. This is not an error: the two ALTQ lines are printed by pfctl, which afctl drives underneath, and can be ignored.

Sep  8 14:16:18  afctl[16987] <Notice>: Unloading the launchd job
Sep  8 14:16:18  afctl[16987] <Notice>: Setting the start behavior to disabled
Sep  8 14:16:18  afctl[16987] <Notice>: Clearing out the blacklist
No ALTQ support in kernel
ALTQ related functions disabled
1/1 addresses deleted.

Once the firewall is running, the most basic thing you can do with it is disable all of the existing rules. To do so, run afctl (all afctl options require sudo) with the -d option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -d

You'll receive no response on a successful run. The adaptive firewall's rules are now disabled, although the service itself is still loaded. To re-enable them, use the -e option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -e

Turning off all the rules is overkill for most troubleshooting tasks. To remove a specific IP address that has been blacklisted, use the -r option followed by the address (rules are enforced per IP address):

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -r 192.168.210.88

To add an IP to the blacklist, use the -a option, also followed by the IP:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 192.168.210.88

Once run, you'll get a message as follows:

No ALTQ support in kernel
ALTQ related functions disabled
1/1 addresses added.

To permanently add a machine to the whitelist, use -w with the IP:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 192.168.210.88

And to remove a machine from the whitelist, use -x. To understand what is going on under the hood, consider this. Blacklisted addresses are stored in plain text in /var/db/af/blacklist and whitelisted addresses in a file called whitelist in the same directory, so you can inspect them directly; prefer afctl over editing them by hand so the files and the running pf rules stay in sync. The afctl binary itself ships inside Server.app at the ServerRoot path used above (on older versions of OS X Server it lived at /usr/libexec/afctl) and is kept running by a launchd job, com.apple.afctl, whose plist is /System/Library/LaunchDaemons/com.apple.afctl.plist (on Server 5, the copy under /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons). To force-stop the service outright, unload that job with launchctl:

sudo launchctl unload /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.afctl.plist

The configuration file for afctl is /etc/af.plist. Here you can change the path to the blacklist and whitelist files, change the interval at which it runs, and so on. Overall, the adaptive firewall is a nice little tool for macOS Server security, and also something a number of open source tools (fail2ban, for example) can do as well; but for something built in and easy, it is worth using. There's a nice little command called hb_summary, located in /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS, that provides statistics for blocked hosts. To see statistics about how much the Adaptive Firewall is being used, just run the command with no options:

/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary

The output provides the following information (helpful if plugging this information into a tool like Splunk):
  • Date
  • Date statistics start
  • Number of hosts blocked
  • Addresses blocked
  • Number of times each address was blocked
  • Last time a host was blocked
  • Total number of times a block was issued
Finally, there are scripts located in /Applications/Server.app/Contents/ServerRoot/usr/libexec that can be used to manage the firewall as well. These include ServerFirewallPromotion.sh (a simple bash script) and ServerFirewallServiceCleanser, a compiled binary.
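As an added example (my own code, not Apple's afctl and not something from this post), here is a small Python simulation of the rule the post describes: count failed logins per source address inside a short window, block an address once it crosses a threshold, keep it blocked for 15 minutes, and never block a whitelisted address. The log format, the sample lines, the threshold of five failures and the one-minute window are all constructed for the example; only the 15-minute block duration comes from the post. Running it against your own failed-login lines tells you which addresses you should expect to find in /var/db/af/blacklist, and which ones an afctl -w entry would have protected.

```python
"""Simulate the adaptive firewall's decision logic over sample log lines.

Added example, not Apple's afctl code.  It reproduces the behaviour the
post describes (too many failed logins from one address inside a short
window earns that address a temporary block) so you can predict what the
blacklist should contain.  The log format below is constructed for this
example and is not the exact macOS log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed policy values: the 15-minute block comes from the post; the
# threshold and window are this example's own choices, not afctl's config.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=1)
BLOCK_DURATION = timedelta(minutes=15)

# Constructed sample lines (not real server output).
SAMPLE_LOG = """\
2017-09-08 14:10:01 sshd: Failed password for root from 203.0.113.7
2017-09-08 14:10:03 sshd: Failed password for root from 203.0.113.7
2017-09-08 14:10:05 sshd: Failed password for admin from 203.0.113.7
2017-09-08 14:10:06 sshd: Failed password for admin from 203.0.113.7
2017-09-08 14:10:08 sshd: Failed password for admin from 203.0.113.7
2017-09-08 14:10:09 sshd: Accepted password for jdoe from 192.168.210.88
2017-09-08 14:10:11 sshd: Failed password for jdoe from 192.168.210.88
2017-09-08 14:10:12 sshd: Failed password for jdoe from 192.168.210.88
2017-09-08 14:10:13 sshd: Failed password for jdoe from 192.168.210.88
2017-09-08 14:10:14 sshd: Failed password for jdoe from 192.168.210.88
2017-09-08 14:10:15 sshd: Failed password for jdoe from 192.168.210.88
2017-09-08 14:20:00 sshd: Failed password for root from 198.51.100.9
2017-09-08 14:30:00 sshd: Failed password for root from 198.51.100.9
2017-09-08 14:40:00 sshd: Failed password for root from 198.51.100.9
2017-09-08 14:50:00 sshd: Failed password for root from 198.51.100.9
2017-09-08 15:00:00 sshd: Failed password for root from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) sshd: Failed password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_failures(text):
    """Yield (timestamp, ip) for each failed-login line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # never hand a malformed token to afctl
        yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), ip


def compute_blocks(text, whitelist=()):
    """Return {ip: (block_start, block_end)} for addresses that trip the rule.

    A sliding window of recent failures is kept per address; the address is
    blocked when FAILURE_THRESHOLD failures fall inside WINDOW.  Whitelisted
    addresses never block (the effect of afctl -w).  Failures that arrive
    while an address is already blocked are ignored.
    """
    allowed = {ipaddress.ip_address(a) for a in whitelist}
    recent = defaultdict(deque)
    blocks = {}
    for ts, ip in parse_failures(text):
        if ip in allowed:
            continue
        if ip in blocks and ts < blocks[ip][1]:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= FAILURE_THRESHOLD:
            blocks[ip] = (ts, ts + BLOCK_DURATION)
            window.clear()
    return blocks


def afctl_commands(blocks, afctl="/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl"):
    """Render the afctl -a invocations that would reproduce these blocks."""
    return [f"sudo {afctl} -a {ip}" for ip in sorted(blocks, key=str)]


if __name__ == "__main__":
    for ip, (start, end) in compute_blocks(SAMPLE_LOG).items():
        print(f"{ip} blocked at {start:%H:%M:%S} until {end:%H:%M:%S}")
    for cmd in afctl_commands(compute_blocks(SAMPLE_LOG, whitelist=["192.168.210.88"])):
        print(cmd)
```

In the sample, 198.51.100.9 fails a password every ten minutes and is never blocked, which is the point of the window: a slow guesser stays under a naive counter, so a real deployment pairs the adaptive firewall with log review rather than relying on it alone.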

September 26th, 2017

Posted In: Mac OS X Server, Mac Security


Web Services in macOS Server, Linux and most versions of Unix are provided by Apache, an Open Source project that much of the Internet owes its origins to. Apache's name is often explained as "a patchy" server, because the early code base was a set of patches to the NCSA web server; patches of that kind became mods, or modules. Configuring web services is as easy in macOS Server 5.2, running on Sierra (10.12), as it has ever been. To set up the default web portal, open the Server app, click on the Websites service and click on the ON button.

After a time, the service will start. Once it is running, click on the View Server Website link at the bottom of the pane. Provided the stock macOS Server page loads, you are ready to use macOS Server as a web server.

Before we set up custom sites, there are a few things you should know. First, the server is no longer really designed to have the default website removed: if you remove that site, your server will exhibit inconsistent behavior. Also, don't remove the files that comprise the default site. Instead, just add sites, which is covered next. Webmail is gone; you don't have to spend time looking for it, because it isn't there. Mountain Lion Server added web apps, which we'll briefly review later in this article, as those continue in Mavericks Server, Yosemite Server, El Capitan Server and ultimately macOS Server 5.2 for Sierra. Finally, enabling PHP and Python on sites is done globally, so that setting applies to all sites hosted on the server; every site then gets the interpreter, so leave it off unless a site actually needs it.

Now that we've got that out of the way, let's add our first custom site. Do so by clicking on the plus sign. At the New Web Site pane, you'll be prompted for a number of options. The most important is the name of the site, with the other options including the following:
  • Domain Name: The name the site is accessible from. The default sites do not have this option as they are accessible from all names that resolve to the server.
  • IP Address: The IP address the site listens on. Any means the site is available from every IP address the server is configured to use. The default websites do not have this option as they are accessible from all addresses automatically
  • Port: By default, sites without SSL run on port 80 on all network interfaces, and sites with SSL run on port 443 on all network interfaces. Use the Port field to use custom ports (e.g., 8080). The default sites do not have this option as they are configured to use 80 and 443 for default and SSL-based communications respectively.
  • SSL Certificate: Loads a list of SSL certificates installed using Keychain or the SSL Certificate option in the Settings pane of the Server application
  • Store Site Files In: The directory that the files that comprise the website are stored in. These can be placed into the correct directory using file shares or copying using the Finder. Click on the drop-down menu and then select Other to browse to the directory files are stored in.
  • Who Can Access: By default Anyone (all users, including unauthenticated guests) can access the contents of sites. Clicking on Anyone and then Customize… brings up the “Restrict access to the following folders to a chosen group” screen, where you can choose web directories and then define groups of users who can access the contents.
  • Additional Domains: Click on the Edit… button to bring up a simple list of domain names that the site also responds for (e.g. in addition to krypted.com, add www.krypted.com).
  • Redirects: Click on the Edit… button to bring up a list of redirects within the site. This allows configuring redirects to other sites. For example, use /en to load english.krypted.com or /cn to load china.krypted.com.
  • Aliases: Click on the Edit… button to load a list of aliases. This allows configuring redirects to folders within the same server. For example, /en loads /Library/Server/Web/Data/Sites/Default
  • Index Files: Click on the Edit… button to bring up a list of pages that are loaded when a page isn’t directly indicated. For example, when visiting krypted.com, load the wp.php page by default.
  • Advanced Options: The remaining options are available by clicking on the “Edit Advanced Settings…” button.
The Advanced Options include the following:
  • Enable Server Side Includes: Allows administrators to configure leveraging includes in web files, so that pieces of code can be used across multiple pages in sites.
  • Allow overrides using .htaccess files: Lets a .htaccess file in a directory override the server configuration for that directory (Apache's AllowOverride), most commonly to require a user name and password from a password file for a given path. These aren't usually required in a macOS Server web environment, as local and directory-based accounts can be used for such operations through the Who Can Access setting. Leaving the option off also means that anyone who can write to the document root (a file-share user, or a compromised CMS) cannot change Apache's behavior for the site by dropping in a .htaccess file.
  • Allow folder listing: Enables folder listings on directories of a site that don’t have an Index File (described in the non-Advanced settings earlier).
  • Allow CGI execution: Enables CGI scripts for the domain being configured.
  • Use custom error page: Allows administrators to define custom error pages, such as those annoying 404 error pages that load when a page can’t be found
  • Make these web apps available on this website: A somewhat advanced setting, loads items into the webapps array, which can be viewed using the following command:  sudo serveradmin settings web:definedWebApps
Once you've configured all the appropriate options, click on Done to save your changes. The site should then load, and is listed in the list of Websites.

The Apache service is most easily managed from the Server app, but there are too many options in Apache to put them all into a holistic graphical interface. The easiest way to manage the Websites service in macOS Server from the command line is the serveradmin command. Apache administrators from other platforms will be tempted to use the apachectl command to restart the Websites service; instead, use serveradmin, so that the Server app and the running service stay in agreement. To start the service:

sudo serveradmin start web

To stop the service(s):

sudo serveradmin stop web

And to see the status:

sudo serveradmin fullstatus web

Fullstatus returns the following information:

web:health = _empty_dictionary
web:readWriteSettingsVersion = 1
web:apacheVersion = "2.2"
web:servicePortsRestrictionInfo = _empty_array
web:startedTime = "2016-09-26 02:38:57 +0000"
web:apacheState = "RUNNING"
web:statusMessage = ""
web:ApacheMode = 2
web:servicePortsAreRestricted = "NO"
web:state = "RUNNING"
web:setStateVersion = 1

While the health option typically resembles kiosk computers in the Computer Science departments of most major universities (that is, empty), much of the rest of the output can be pretty helpful, including the Apache version, whether the service is running, any restrictions on ports and the date/time stamp that the service was started. To see all of the settings available to the serveradmin command, run it followed by settings and then web, to indicate the Websites service:

sudo serveradmin settings web

The output is pretty verbose and can be considered in sections. The first includes global settings across sites as well as the information for the default sites that should not be deleted:
web:defaultSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSite:serverName = ""
web:defaultSite:realms = _empty_dictionary
web:defaultSite:redirects = _empty_array
web:defaultSite:enableServerSideIncludes = no
web:defaultSite:networkAccesses = _empty_array
web:defaultSite:customLogPath = "\"/var/log/apache2/access_log\""
web:defaultSite:webApps = _empty_array
web:defaultSite:sslCertificateIdentifier = ""
web:defaultSite:fullSiteRedirectToOtherSite = "https://%{SERVER_NAME}"
web:defaultSite:allowFolderListing = no
web:defaultSite:serverAliases = _empty_array
web:defaultSite:errorLogPath = "\"/var/log/apache2/error_log\""
web:defaultSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34580_.conf"
web:defaultSite:aliases = _empty_array
web:defaultSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSite:directoryIndexes:_array_index:2 = "default.html"
web:defaultSite:allowAllOverrides = no
web:defaultSite:identifier = "67127006"
web:defaultSite:port = 34580
web:defaultSite:allowCGIExecution = no
web:defaultSite:serverAddress = "127.0.0.1"
web:defaultSite:requiresSSL = no
web:defaultSite:proxies = _empty_dictionary
web:defaultSite:errorDocuments = _empty_dictionary
The second section is per-site settings, with an array entry for each site:
web:customSites:_array_index:0:documentRoot = "/Library/Server/Web/Data/Sites/blog.krypted.com"
web:customSites:_array_index:0:serverName = "blog.krypted.com"
web:customSites:_array_index:0:realms = _empty_dictionary
web:customSites:_array_index:0:redirects = _empty_array
web:customSites:_array_index:0:enableServerSideIncludes = no
web:customSites:_array_index:0:networkAccesses = _empty_array
web:customSites:_array_index:0:customLogPath = "/var/log/apache2/access_log"
web:customSites:_array_index:0:webApps = _empty_array
web:customSites:_array_index:0:sslCertificateIdentifier = ""
web:customSites:_array_index:0:fullSiteRedirectToOtherSite = ""
web:customSites:_array_index:0:allowFolderListing = no
web:customSites:_array_index:0:serverAliases = _empty_array
web:customSites:_array_index:0:errorLogPath = "/var/log/apache2/error_log"
web:customSites:_array_index:0:fileName = "/Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34580_blog.krypted.com.conf"
web:customSites:_array_index:0:aliases = _empty_array
web:customSites:_array_index:0:directoryIndexes:_array_index:0 = "index.html"
web:customSites:_array_index:0:directoryIndexes:_array_index:1 = "index.php"
web:customSites:_array_index:0:directoryIndexes:_array_index:2 = "default.html"
web:customSites:_array_index:0:allowAllOverrides = no
web:customSites:_array_index:0:identifier = "67127002"
web:customSites:_array_index:0:port = 34580
web:customSites:_array_index:0:allowCGIExecution = no
web:customSites:_array_index:0:serverAddress = "127.0.0.1"
web:customSites:_array_index:0:requiresSSL = no
web:customSites:_array_index:0:proxies = _empty_dictionary
web:customSites:_array_index:0:errorDocuments = _empty_dictionary
web:dataLocation = "/Library/Server/Web/Data"
The next section (the largest by far) includes an array entry for each defined web app. The following shows the whole array on this server: Apple's own apps (accounts, auth, calendar, wiki, device management and so on), a Python "Hello World" WSGI app at index 9, and a com.example sample at index 11 that illustrates the start, stop and preflight commands and the proxy URLs a custom app can declare:
web:definedWebApps:_array_index:0:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:0:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_ACSServer.conf"
web:definedWebApps:_array_index:0:requiredModuleNames:_array_index:0 = "mod_rewrite.so"
web:definedWebApps:_array_index:0:startCommand = ""
web:definedWebApps:_array_index:0:sslPolicy = 1
web:definedWebApps:_array_index:0:requiresSSL = no
web:definedWebApps:_array_index:0:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:0:launchKeys:_array_index:0 = "com.apple.AccountsConfigService"
web:definedWebApps:_array_index:0:proxies:/AccountsConfigService/api/:path = "/AccountsConfigService/api/"
web:definedWebApps:_array_index:0:proxies:/AccountsConfigService/api/:urls:_array_index:0 = "http://localhost:31415/AccountsConfigService/api"
web:definedWebApps:_array_index:0:preflightCommand = ""
web:definedWebApps:_array_index:0:stopCommand = ""
web:definedWebApps:_array_index:0:name = "com.apple.webapp.ACSServer"
web:definedWebApps:_array_index:0:displayName = ""
web:definedWebApps:_array_index:1:requiredWebAppNames:_array_index:0 = "com.apple.webapp.collabd"
web:definedWebApps:_array_index:1:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_webauth.conf"
web:definedWebApps:_array_index:1:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:1:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:1:startCommand = ""
web:definedWebApps:_array_index:1:sslPolicy = 4
web:definedWebApps:_array_index:1:requiresSSL = no
web:definedWebApps:_array_index:1:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:1:launchKeys = _empty_array
web:definedWebApps:_array_index:1:proxies:/auth:path = "/auth"
web:definedWebApps:_array_index:1:proxies:/auth:urls:_array_index:0 = "http://localhost:4444/auth"
web:definedWebApps:_array_index:1:preflightCommand = ""
web:definedWebApps:_array_index:1:stopCommand = ""
web:definedWebApps:_array_index:1:name = "com.apple.webapp.auth"
web:definedWebApps:_array_index:1:displayName = ""
web:definedWebApps:_array_index:2:requiredWebAppNames:_array_index:0 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:2:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_webcalssl.conf"
web:definedWebApps:_array_index:2:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:2:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:2:startCommand = ""
web:definedWebApps:_array_index:2:sslPolicy = 1
web:definedWebApps:_array_index:2:requiresSSL = no
web:definedWebApps:_array_index:2:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:2:launchKeys = _empty_array
web:definedWebApps:_array_index:2:proxies = _empty_dictionary
web:definedWebApps:_array_index:2:preflightCommand = ""
web:definedWebApps:_array_index:2:stopCommand = ""
web:definedWebApps:_array_index:2:name = "com.apple.webapp.calendar"
web:definedWebApps:_array_index:2:displayName = ""
web:definedWebApps:_array_index:3:requiredWebAppNames:_array_index:0 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:3:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_changepassword.conf"
web:definedWebApps:_array_index:3:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:3:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:3:startCommand = ""
web:definedWebApps:_array_index:3:sslPolicy = 4
web:definedWebApps:_array_index:3:requiresSSL = no
web:definedWebApps:_array_index:3:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:3:launchKeys = _empty_array
web:definedWebApps:_array_index:3:proxies:/changepassword:path = "/changepassword"
web:definedWebApps:_array_index:3:proxies:/changepassword:urls:_array_index:0 = "http://localhost:4444/changepassword"
web:definedWebApps:_array_index:3:preflightCommand = ""
web:definedWebApps:_array_index:3:stopCommand = ""
web:definedWebApps:_array_index:3:name = "com.apple.webapp.changepassword"
web:definedWebApps:_array_index:3:displayName = ""
web:definedWebApps:_array_index:4:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:4:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_shared.conf"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:1 = "xsendfile_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:2 = "headers_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:3 = "expires_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:4 = "deflate_module"
web:definedWebApps:_array_index:4:startCommand = ""
web:definedWebApps:_array_index:4:sslPolicy = 0
web:definedWebApps:_array_index:4:requiresSSL = no
web:definedWebApps:_array_index:4:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:4:launchKeys:_array_index:0 = "com.apple.collabd.expire"
web:definedWebApps:_array_index:4:launchKeys:_array_index:1 = "com.apple.collabd.notifications"
web:definedWebApps:_array_index:4:proxies:/collabdproxy:path = "/collabdproxy"
web:definedWebApps:_array_index:4:proxies:/collabdproxy:urls:_array_index:0 = "http://localhost:4444/svc"
web:definedWebApps:_array_index:4:proxies:/__collabd/streams/activity:path = "/__collabd/streams/activity"
web:definedWebApps:_array_index:4:proxies:/__collabd/streams/activity:urls:_array_index:0 = "http://localhost:4444/streams/activity"
web:definedWebApps:_array_index:4:preflightCommand = ""
web:definedWebApps:_array_index:4:stopCommand = ""
web:definedWebApps:_array_index:4:name = "com.apple.webapp.collabd"
web:definedWebApps:_array_index:4:displayName = ""
web:definedWebApps:_array_index:5:requiredWebAppNames:_array_index:0 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:5:includeFiles = _empty_array
web:definedWebApps:_array_index:5:requiredModuleNames = _empty_array
web:definedWebApps:_array_index:5:startCommand = ""
web:definedWebApps:_array_index:5:sslPolicy = 0
web:definedWebApps:_array_index:5:requiresSSL = no
web:definedWebApps:_array_index:5:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:5:launchKeys:_array_index:0 = "com.apple.DeviceManagement.dmrunnerd"
web:definedWebApps:_array_index:5:launchKeys:_array_index:1 = "com.apple.DeviceManagement.php-fpm"
web:definedWebApps:_array_index:5:proxies = _empty_dictionary
web:definedWebApps:_array_index:5:preflightCommand = ""
web:definedWebApps:_array_index:5:stopCommand = ""
web:definedWebApps:_array_index:5:name = "com.apple.webapp.devicemgr"
web:definedWebApps:_array_index:5:displayName = ""
web:definedWebApps:_array_index:6:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:6:includeFiles = _empty_array
web:definedWebApps:_array_index:6:requiredModuleNames:_array_index:0 = "php5_module"
web:definedWebApps:_array_index:6:startCommand = ""
web:definedWebApps:_array_index:6:sslPolicy = 0
web:definedWebApps:_array_index:6:requiresSSL = no
web:definedWebApps:_array_index:6:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:6:launchKeys = _empty_array
web:definedWebApps:_array_index:6:proxies = _empty_dictionary
web:definedWebApps:_array_index:6:preflightCommand = ""
web:definedWebApps:_array_index:6:stopCommand = ""
web:definedWebApps:_array_index:6:name = "com.apple.webapp.php"
web:definedWebApps:_array_index:6:displayName = ""
web:definedWebApps:_array_index:7:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:7:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_webdavsharing.conf"
web:definedWebApps:_array_index:7:requiredModuleNames:_array_index:0 = "rewrite_module"
web:definedWebApps:_array_index:7:requiredModuleNames:_array_index:1 = "bonjour_module"
web:definedWebApps:_array_index:7:startCommand = ""
web:definedWebApps:_array_index:7:sslPolicy = 0
web:definedWebApps:_array_index:7:requiresSSL = no
web:definedWebApps:_array_index:7:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:7:launchKeys = _empty_array
web:definedWebApps:_array_index:7:proxies = _empty_dictionary
web:definedWebApps:_array_index:7:preflightCommand = ""
web:definedWebApps:_array_index:7:stopCommand = ""
web:definedWebApps:_array_index:7:name = "com.apple.webapp.webdavsharing"
web:definedWebApps:_array_index:7:displayName = ""
web:definedWebApps:_array_index:8:requiredWebAppNames:_array_index:0 = "com.apple.webapp.collabd"
web:definedWebApps:_array_index:8:requiredWebAppNames:_array_index:1 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:8:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_wiki.conf"
web:definedWebApps:_array_index:8:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:8:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:8:startCommand = ""
web:definedWebApps:_array_index:8:sslPolicy = 0
web:definedWebApps:_array_index:8:requiresSSL = no
web:definedWebApps:_array_index:8:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:8:launchKeys:_array_index:0 = "com.apple.collabd.preview"
web:definedWebApps:_array_index:8:launchKeys:_array_index:1 = "com.apple.collabd.quicklook"
web:definedWebApps:_array_index:8:proxies:/__collabd/preview:path = "/__collabd/preview"
web:definedWebApps:_array_index:8:proxies:/__collabd/preview:urls:_array_index:0 = "http://localhost:4444/preview"
web:definedWebApps:_array_index:8:proxies:/wiki/files/upload:path = "/wiki/files/upload"
web:definedWebApps:_array_index:8:proxies:/wiki/files/upload:urls:_array_index:0 = "http://localhost:4444/upload_file"
web:definedWebApps:_array_index:8:proxies:/wiki/files/download:path = "/wiki/files/download"
web:definedWebApps:_array_index:8:proxies:/wiki/files/download:urls:_array_index:0 = "http://localhost:4444/files"
web:definedWebApps:_array_index:8:proxies:/wiki/ipad:path = "/wiki/ipad"
web:definedWebApps:_array_index:8:proxies:/wiki/ipad:urls = _empty_array
web:definedWebApps:_array_index:8:proxies:/wiki:path = "/wiki"
web:definedWebApps:_array_index:8:proxies:/wiki:urls:_array_index:0 = "http://localhost:4444/app-context/wiki"
web:definedWebApps:_array_index:8:preflightCommand = ""
web:definedWebApps:_array_index:8:stopCommand = ""
web:definedWebApps:_array_index:8:name = "com.apple.webapp.wiki"
web:definedWebApps:_array_index:8:displayName = ""
web:definedWebApps:_array_index:9:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:9:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_wsgi.conf"
web:definedWebApps:_array_index:9:requiredModuleNames:_array_index:0 = "wsgi_module"
web:definedWebApps:_array_index:9:startCommand = ""
web:definedWebApps:_array_index:9:sslPolicy = 0
web:definedWebApps:_array_index:9:requiresSSL = no
web:definedWebApps:_array_index:9:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:9:launchKeys = _empty_array
web:definedWebApps:_array_index:9:proxies = _empty_dictionary
web:definedWebApps:_array_index:9:preflightCommand = ""
web:definedWebApps:_array_index:9:stopCommand = ""
web:definedWebApps:_array_index:9:name = "com.apple.webapp.wsgi"
web:definedWebApps:_array_index:9:displayName = "Python \"Hello World\" app at /wsgi"
web:definedWebApps:_array_index:10:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:10:includeFiles:_array_index:0 = "/Library/Developer/XcodeServer/CurrentXcodeSymlink/Contents/Developer/usr/share/xcs/httpd_xcs.conf"
web:definedWebApps:_array_index:10:requiredModuleNames = _empty_array
web:definedWebApps:_array_index:10:startCommand = ""
web:definedWebApps:_array_index:10:sslPolicy = 4
web:definedWebApps:_array_index:10:requiresSSL = no
web:definedWebApps:_array_index:10:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:10:launchKeys = _empty_array
web:definedWebApps:_array_index:10:proxies = _empty_dictionary
web:definedWebApps:_array_index:10:preflightCommand = ""
web:definedWebApps:_array_index:10:stopCommand = ""
web:definedWebApps:_array_index:10:name = "com.apple.webapp.xcode"
web:definedWebApps:_array_index:10:displayName = ""
web:definedWebApps:_array_index:11:requiredWebAppNames:_array_index:0 = "com.example.webapp.myotherwebapp"
web:definedWebApps:_array_index:11:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_myinclude.conf"
web:definedWebApps:_array_index:11:requiredModuleNames:_array_index:0 = "mystuff_module"
web:definedWebApps:_array_index:11:startCommand = "/usr/local/bin/startmywebapp"
web:definedWebApps:_array_index:11:sslPolicy = 0
web:definedWebApps:_array_index:11:requiresSSL = no
web:definedWebApps:_array_index:11:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:11:launchKeys:_array_index:0 = "com.example.mywebapp"
web:definedWebApps:_array_index:11:proxies:/mywebapp:path = "/mywebapp"
web:definedWebApps:_array_index:11:proxies:/mywebapp:urls:_array_index:0 = "http://localhost:3000"
web:definedWebApps:_array_index:11:proxies:/mywebapp:urls:_array_index:1 = "http://localhost:3001"
web:definedWebApps:_array_index:11:preflightCommand = "/usr/local/bin/preflightmywebapp"
web:definedWebApps:_array_index:11:stopCommand = "/usr/local/bin/stopmywebapp"
web:definedWebApps:_array_index:11:name = "com.example.mywebapp"
web:definedWebApps:_array_index:11:displayName = "MyWebApp"
The final section defines the settings used for the default sites as well as a couple of host based settings:
web:defaultSecureSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSecureSite:serverName = ""
web:defaultSecureSite:realms = _empty_dictionary
web:defaultSecureSite:redirects = _empty_array
web:defaultSecureSite:enableServerSideIncludes = no
web:defaultSecureSite:networkAccesses = _empty_array
web:defaultSecureSite:customLogPath = "\"/var/log/apache2/access_log\""
web:defaultSecureSite:webApps = _empty_array
web:defaultSecureSite:sslCertificateIdentifier = "odr.krypted.com.32A9706448BDB45B120A91470FA866A5C61BD342"
web:defaultSecureSite:fullSiteRedirectToOtherSite = ""
web:defaultSecureSite:allowFolderListing = no
web:defaultSecureSite:serverAliases = _empty_array
web:defaultSecureSite:errorLogPath = "\"/var/log/apache2/error_log\""
web:defaultSecureSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34543_.conf"
web:defaultSecureSite:aliases = _empty_array
web:defaultSecureSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSecureSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSecureSite:directoryIndexes:_array_index:2 = "default.html"
web:defaultSecureSite:allowAllOverrides = no
web:defaultSecureSite:identifier = "67127004"
web:defaultSecureSite:port = 34543
web:defaultSecureSite:allowCGIExecution = no
web:defaultSecureSite:serverAddress = "127.0.0.1"
web:defaultSecureSite:requiresSSL = yes
web:defaultSecureSite:proxies = _empty_dictionary
web:defaultSecureSite:errorDocuments = _empty_dictionary
web:mainHost:keepAliveTimeout = 15.000000
web:mainHost:maxClients = "256"
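The settings dump above is a flat key = value listing in which :_array_index:N: marks a list element, and serveradmin uses the same shape for every service. As an added example (my own code, not Apple's and not from this post), the following Python turns such a dump into nested dictionaries and lists and then reviews each site for the settings a security reviewer looks at first: folder listing, CGI execution, .htaccess overrides, plain-HTTP sites with no redirect to HTTPS, and SSL sites with no certificate assigned. The sample input is trimmed from the output shown above, with one extra, deliberately sloppy site (intranet.example.com) added so the audit has something to report; that site is constructed and is not on this server.

```python
"""Parse a `serveradmin settings` dump and audit the Websites service.

Added example, not Apple's code and not from this post.  The sample input
is trimmed from the post's `serveradmin settings web` output, with one
constructed site (intranet.example.com) added so the audit has findings.
"""
import re

# Trimmed from the post plus one constructed site (intranet.example.com).
SAMPLE_SETTINGS = """\
web:defaultSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSite:customLogPath = "\\"/var/log/apache2/access_log\\""
web:defaultSite:sslCertificateIdentifier = ""
web:defaultSite:fullSiteRedirectToOtherSite = "https://%{SERVER_NAME}"
web:defaultSite:allowFolderListing = no
web:defaultSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSite:allowAllOverrides = no
web:defaultSite:port = 34580
web:defaultSite:allowCGIExecution = no
web:defaultSite:requiresSSL = no
web:defaultSite:proxies = _empty_dictionary
web:customSites:_array_index:0:serverName = "blog.krypted.com"
web:customSites:_array_index:0:sslCertificateIdentifier = ""
web:customSites:_array_index:0:fullSiteRedirectToOtherSite = ""
web:customSites:_array_index:0:allowFolderListing = no
web:customSites:_array_index:0:allowAllOverrides = no
web:customSites:_array_index:0:allowCGIExecution = no
web:customSites:_array_index:0:requiresSSL = no
web:customSites:_array_index:1:serverName = "intranet.example.com"
web:customSites:_array_index:1:sslCertificateIdentifier = ""
web:customSites:_array_index:1:fullSiteRedirectToOtherSite = ""
web:customSites:_array_index:1:allowFolderListing = yes
web:customSites:_array_index:1:allowAllOverrides = yes
web:customSites:_array_index:1:allowCGIExecution = yes
web:customSites:_array_index:1:requiresSSL = no
web:definedWebApps:_array_index:0:proxies:/AccountsConfigService/api/:path = "/AccountsConfigService/api/"
web:definedWebApps:_array_index:0:proxies:/AccountsConfigService/api/:urls:_array_index:0 = "http://localhost:31415/AccountsConfigService/api"
web:definedWebApps:_array_index:0:name = "com.apple.webapp.ACSServer"
web:defaultSecureSite:sslCertificateIdentifier = "odr.krypted.com.32A9706448BDB45B120A91470FA866A5C61BD342"
web:defaultSecureSite:port = 34543
web:defaultSecureSite:requiresSSL = yes
web:mainHost:keepAliveTimeout = 15.000000
web:mainHost:maxClients = "256"
"""

LINE_RE = re.compile(r"^(?P<key>[^\s=]+) = (?P<value>.*)$")


def parse_value(raw):
    """Convert one serveradmin value token into a Python value."""
    if raw == "_empty_array":
        return []
    if raw == "_empty_dictionary":
        return {}
    if raw in ("yes", "no"):
        return raw == "yes"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')  # serveradmin escapes inner quotes
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw


def key_tokens(key):
    """Split 'a:b:_array_index:3:c' into ['a', 'b', 3, 'c']."""
    parts = key.split(":")
    tokens, i = [], 0
    while i < len(parts):
        if parts[i] == "_array_index" and i + 1 < len(parts):
            tokens.append(int(parts[i + 1]))
            i += 2
        else:
            tokens.append(parts[i])
            i += 1
    return tokens


def assign(root, tokens, value):
    """Store value at the nested path, creating dicts/lists as the path requires."""
    node = root
    for tok, nxt in zip(tokens, tokens[1:]):
        fresh = [] if isinstance(nxt, int) else {}
        if isinstance(node, list):
            node.extend([None] * (tok + 1 - len(node)))
            if node[tok] is None:
                node[tok] = fresh
            node = node[tok]
        else:
            node = node.setdefault(tok, fresh)
    last = tokens[-1]
    if isinstance(node, list):
        node.extend([None] * (last + 1 - len(node)))
    node[last] = value


def parse_settings(text):
    """Parse a whole `serveradmin settings <service>` dump into nested structures."""
    root = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            assign(root, key_tokens(m.group("key")), parse_value(m.group("value")))
    return root


def audit_sites(settings):
    """Return (site, finding) pairs for the settings a reviewer checks first."""
    web = settings.get("web", {})
    sites = [(name, web[name]) for name in ("defaultSite", "defaultSecureSite") if name in web]
    sites += [(s.get("serverName") or f"customSites[{i}]", s)
              for i, s in enumerate(web.get("customSites", []))]
    findings = []
    for label, site in sites:
        if site.get("allowFolderListing"):
            findings.append((label, "folder listing enabled"))
        if site.get("allowCGIExecution"):
            findings.append((label, "CGI execution enabled"))
        if site.get("allowAllOverrides"):
            findings.append((label, ".htaccess overrides enabled"))
        if site.get("requiresSSL") and not site.get("sslCertificateIdentifier"):
            findings.append((label, "SSL required but no certificate assigned"))
        if not site.get("requiresSSL") and not site.get("fullSiteRedirectToOtherSite"):
            findings.append((label, "plain HTTP with no redirect to HTTPS"))
    return findings


if __name__ == "__main__":
    for site, finding in audit_sites(parse_settings(SAMPLE_SETTINGS)):
        print(f"{site}: {finding}")
```

On a live server, pipe `sudo serveradmin settings web` into parse_settings instead of the sample. The parser is not specific to the Websites service: the vpn: keys later in this page load the same way, which makes it a quick way to diff a server's configuration against a known-good dump after an update.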
Each site has its own configuration file, named in the fileName entry of its section above. By default these are stored in the /Library/Server/Web/Config/apache2/sites directory, with /Library/Server/Web/Config/apache2/sites/0000_any_80_blog.krypted.com.conf being the file for the custom site we created previously. As you can see, many of the options available in the Server app are also available in these files:

ServerName www2.krypted.com
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/blog.krypted.com"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
SSLEngine Off
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProxyEngine On
SSLProxyProtocol -ALL +SSLv3 +TLSv1
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
DAV Off
Deny from all
ErrorDocument 403 /customerror/websitesoff403.html

Two things in this file deserve a second look before it is copied anywhere. The Deny from all line and the websitesoff403 error document suggest this snapshot was taken with the site switched off in the Server app. And the stock TLS lines still allow SSLv3, stop at TLS 1.0 and keep RC4 in the cipher list; if a site is served with SSLEngine On, a current deployment should allow only TLS 1.2 (SSLProtocol -ALL +TLSv1.2) and drop RC4 from SSLCipherSuite. Remember that the Server app regenerates these files, so make such changes in the order the final tip below recommends.
The serveradmin command can also be used to run commands. For example, to reset the service to factory defaults, delete the configuration files for each site and then run the following command:

sudo serveradmin command web:command=restoreFactorySettings

The final tip I'm going to give in this article is when to make changes with each tool. I strongly recommend making all of your changes in the Server app when possible. When it isn't, use serveradmin, and only when you can't make a change in serveradmin should you alter the configuration files that come with the operating system by default. For example, in this article I look at overriding some ports for some virtual sites that might conflict with other sites on your systems. I also recommend keeping backups of all configuration files that are altered, and a log of what was altered in each, to help piece the server back together should it mysteriously become unconfigured the next time softwareupdate --install --all is run.

October 18th, 2016

Posted In: Mac OS X Server


macOS Server has long had a VPN service to allow client computers to connect to a network even when they're out of the office. The server was once capable of running the two most commonly used VPN protocols: PPTP and L2TP. While PPTP is still reachable from the command line, only L2TP is configured by default when you set up the service using the Server app, and that is the right default: PPTP's MS-CHAPv2 authentication and MPPE encryption have been practically broken for years, so leave it off.

Setting Up The VPN Service In OS X Server

To set up the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings screen has a number of options available. The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we'll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button, plus two further controls:
  • Client Addresses: The dynamic pool of addresses provided when clients connect to the VPN.
  • DNS Settings: The name servers used once a VPN client has connected to the server, as well as the Search Domains configuration.
  • Routes: Select which interface (VPN or default interface of the client system) a client uses to reach each IP address and subnet mask.
  • Save Configuration Profile: Use this button to export configuration profiles to a file, which can then be distributed to client systems (macOS using the profiles command, iOS using Apple Configurator, or both using Profile Manager).
  • Shared Secret: A passphrase that must be supplied by the client prior to getting a username and password prompt.
Once configured, open incoming ports on the router/firewall. PPTP (deprecated-ish) uses TCP port 1723 plus GRE (IP protocol 47). L2TP over IPsec is a bit more complicated: the client reaches the server over IKE on UDP 500, NAT traversal on UDP 4500 and ESP (IP protocol 50); L2TP's own UDP port 1701 is carried inside the IPsec tunnel, so forwarding 1701 alone is not enough. Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at http://support.apple.com/kb/TS1629.

Using The Command Line

I know, I've described ways to manage these services from the command line before. The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required:

sudo serveradmin start vpn

And to stop the service:

sudo serveradmin stop vpn

And to list the available options:

sudo serveradmin settings vpn

The output of which shows all of the VPN settings available via serveradmin (which is many more than what you see in the Server app):

vpn:vpnHost = "odr.krypted.com"
vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains:_array_index:0 = "jamfsw.corp"
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "10.10.16.200"
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:1 = "10.1.16.20"
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:2 = "8.8.8.8"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.pptp:EAP:KerberosServicePrincipalName = "vpn/odr.krypted.com@OSXSERVER.KRYPTED.COM"
vpn:Servers:com.apple.ppp.pptp:enabled = no
vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "10.10.23.255"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "10.10.23.254"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = "jamfsw.corp"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "10.10.16.200"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:1 = "10.1.16.20"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:2 = "8.8.8.8"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.l2tp:EAP:KerberosServicePrincipalName = "vpn/odr.krypted.com@OSXSERVER.KRYPTED.COM"
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "10.10.23.128"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "10.10.23.254"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "Yq!XdGsVyAY?o;9jnj[X"

To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no

To configure how long a client can be idle prior to being disconnected, leave DisconnectOnIdle set to 1 and change the timer, which is in seconds (the default shown above is 7200, i.e. two hours; 600 is ten minutes):

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 600

By default, each protocol has a maximum of 128 sessions, configurable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions (or the com.apple.ppp.l2tp equivalent):

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200

To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option:

sudo serveradmin fullstatus vpn

Which returns output similar to the following:

vpn:servicePortsAreRestricted = "NO"
vpn:readWriteSettingsVersion = 1
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"
vpn:servers:com.apple.ppp.pptp:Type = "PPP"
vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"
vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.l2tp:Type = "PPP"
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0
vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP"
vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth"
vpn:servicePortsRestrictionInfo = _empty_array
vpn:health = _empty_dictionary
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:configured = yes
vpn:state = "STOPPED"
vpn:setStateVersion = 1

Security folk will note that the shared secret is shown in the clear by serveradmin settings, under the key vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue. In practice that means anyone with sudo on the server can read it, and it ends up in any shell history or ticket you paste the output into, so scrub it from captures and rotate it if it leaks.

Configuring Users For VPN Access

Each user who connects to the VPN needs an account that is allowed to use the service. To configure existing users to use the service, click on Users in the Server app sidebar. At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services. At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user. If not, click Manage Service Access, click Manage and then check the VPN box.

Setting Up Client Computers

As you can see, configuring the VPN service in macOS Server 5.2 (running on Sierra) is a simple and straightforward process, much easier than eating your cereal with a fork and doing your homework in the dark. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so on a Mac, open the Network System Preference pane. From here, click on the plus sign ("+") to add a new network service. At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create. At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings. At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user's password in the User Authentication Password field. When you're done, click OK and then, provided you're outside the network and routable to the server, click on Connect to test the connection.

Conclusion

Setting up the VPN service in macOS Server 5.2 is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into OS X at /usr/sbin/natd and can be managed in a number of ways. And if you're using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.
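The settings dump above is long enough that eyeballing it misses things. The following is an added example, not code from krypted.com or from Apple: it parses serveradmin's key = value output into a dictionary and runs the checks a reviewer would want over the VPN keys (PPTP enabled, 40-bit MPPE accepted, the IPsec shared secret exposed or too short, RADIUS shared secrets that are trivially short). The embedded sample is a constructed excerpt modelled on the output above; the secrets in it are placeholders.

```python
"""Parse `serveradmin settings vpn` output and flag settings worth a second look.

Added example, not code from krypted.com or from Apple. parse_serveradmin()
handles the key = value lines serveradmin prints for any service (quoted
strings, numbers, yes/no, _empty_array, _empty_dictionary and <> for empty
data). audit_vpn() applies the checks a reviewer would run over the VPN keys
shown in the post. SAMPLE is a constructed excerpt modelled on that output;
the shared-secret and RADIUS values in it are placeholders.
"""
import re

LINE_RE = re.compile(r"^\s*([\w.:-]+)\s*=\s*(.*?)\s*$")

PPTP = "vpn:Servers:com.apple.ppp.pptp:"
L2TP = "vpn:Servers:com.apple.ppp.l2tp:"

SAMPLE = """\
vpn:vpnHost = "odr.krypted.com"
vpn:Servers:com.apple.ppp.pptp:enabled = no
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "placeholder-shared-secret"
"""


def parse_value(raw):
    """Coerce one serveradmin value token into a Python value."""
    if raw == "_empty_array":
        return []
    if raw == "_empty_dictionary":
        return {}
    if raw == "<>":
        return b""
    if raw in ("yes", "no"):
        return raw == "yes"
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw


def parse_serveradmin(text):
    """Return {full:key:path: value} for every `key = value` line in text."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = parse_value(m.group(2))
    return settings


def audit_vpn(settings):
    """Return a list of findings about the parsed VPN settings."""
    findings = []
    if settings.get(PPTP + "enabled"):
        findings.append("PPTP is enabled; MS-CHAPv2/MPPE is broken, disable it")
    if settings.get(PPTP + "PPP:MPPEKeySize40") == 1:
        findings.append("PPTP accepts 40-bit MPPE keys")
    secret = settings.get(L2TP + "L2TP:IPSecSharedSecretValue", "")
    if secret:
        findings.append("L2TP IPsec shared secret is readable via serveradmin; "
                        "anyone with sudo on this host holds it")
        if len(secret) < 16:
            findings.append("L2TP IPsec shared secret is shorter than 16 characters")
    for key, value in settings.items():
        if ":Radius:" in key and key.endswith(":SharedSecret"):
            if isinstance(value, str) and len(value) < 8:
                findings.append("RADIUS shared secret %s is shorter than 8 characters" % key)
    return findings


if __name__ == "__main__":
    # Against a live server:  sudo serveradmin settings vpn | python3 vpn_audit.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for finding in audit_vpn(parse_serveradmin(text)):
        print("-", finding)
```

Pipe the real `sudo serveradmin settings vpn` output into the script to audit a live server; run with no input it audits the embedded sample. The parser is generic, so the same parse_serveradmin() works on the web and mail settings dumps elsewhere on this site.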

October 16th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security


Mac Server Services

Releases, oldest to newest: Rhapsody, Mac Server 1, Server 10.2, OS X Server 10.3, OS X Server 10.4, OS X Server 10.5, Snow Leopard Server (10.6), Lion Server (10.7), Server 2 (10.8), Server 3 (10.9), Server 4 (10.10), Server 5 (10.11), macOS Server 5.2 (10.12), macOS Server 5.3 (10.13)

# of Services: 10, 9, 13, 15, 19, 24, 24, 22, 18, 21, 21, 21, 21, 14

Each service family below lists the name the service carried in each release it shipped in, oldest to newest (releases without the service are simply absent from the row):

Apple File Sharing Services: AppleShare, then AFP ×12 (last *)
NFS: NFS ×13
Web Services: Web ×8, then Websites ×6
Directory Servers: NetInfo ×2, Directory Services, then Open Directory ×11
NetBoot Services: NetBoot ×8, then NetInstall ×6
FTP: FTP ×13
Windows File Sharing/SMB: Windows ×3, then SMB ×8 (last *)
Mail Services: Mail ×12
Name Services: DNS ×12
DHCP: DHCP ×11
VPN: VPN ×11
Software Update Services: Software Update ×10
Chat/Messages/XMPP: iChat ×4, then Messages ×6
Shared Calendars/CalDAV: iCal ×3, then Calendar ×6
Wiki and Blogs: Wiki ×9
Shared Contacts/CardDAV: Address Book ×2, then Contacts ×6
Backup Services: Time Machine ×6
Management Services: Profile Manager ×7
Storage Networking: Xsan ×6
Content and Update Caching Services: Caching ×4 (last *)
Continuous Development Services: Xcode ×4
OG Management Services: Macintosh Manager ×2
Web Objects: Web Objects (separate media), then Web Objects ×3
Web Application Services: Application Server ×2, then Tomcat ×2
Printing Services: Print ×6
QuickTime Streaming Server: QTSS ×7
Routing Services: NAT ×6
High Performance Computing Services: Xgrid ×4
Podcasting: Podcast Producer ×2, then Podcast
RADIUS: RADIUS ×3
Proxy Services: Mobile Access
Database Serving: MySQL

* Services are now built into the client operating system, albeit with less finely grained controls.

October 14th, 2016

Posted In: Mac OS X Server


The changes in the Server app were far more substantial in the El Capitan version (OS X Server 5) than in the macOS Server 5.2 version that we're now looking at. All of the options from OS X Server are still there and the dnsconfig command line interface for managing the service is basically unchanged. The DNS service in macOS Server, as with previous versions, is based on BIND 9 (BIND 9.9.7-P3 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, OS X, Linux and even Zoe-R.

The first time you open the DNS service, click on the DNS service in the ADVANCED section of the list of SERVICES. Then, click on the cog wheel icon below the list of records and click on Show All Records. At the Records screen, you'll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you'll be able to enter Forwarders, or DNS servers that resolve names that the server you're using can't resolve using its own DNS records. Click the plus sign to enter the IP address of any necessary Forwarders, then click OK to save your changes.

Once back at the main DNS service control screen, click the Edit… button for Perform lookups for to configure which computers may use the DNS service that the server is hosting.

At the Perform Lookups screen, provide any additional subnets that should be allowed. Set the "Perform lookups for" field to "all clients" only if the server really must answer recursive queries for anyone: an open recursive resolver reachable from the Internet gets used as a reflector in DNS amplification attacks, so for an Internet-facing server that only needs to serve its own zones, keep recursion limited to your own subnets.

All you have to do to start the DNS service is click on the ON button (if it's not already started, that is). There's a chance that you won't want all of the records that are entered into the service by default. But leave it for now, until we've covered what everything is. To list the various types of records:
  • Primary Zone: The DNS "Domain". For example, www.krypted.com would likely have a primary zone of krypted.com.
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the "machine" record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps IP addresses within the zone back to names. Reverse Zones are comprised of Reverse Mappings, and each octet change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: SRV records, which hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • Mail Exchanger Record (aka MX record): Points to the hostname (not the IP address) of the mail server for a given domain (aka Primary or Secondary Zone); that hostname needs its own Machine Record.
  • Secondary Zone: A read-only copy of a zone that is copied from the server where it's a Primary Zone when created, and routinely afterwards, through what is known as a Zone Transfer.

When you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.

These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be krypted.com rather than mavserver.krypted.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the "Zone data is valid for" field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes). Once changes are made, the TTL can be set to a larger number in order to reduce the amount of traffic hitting the server (DNS traffic is really light, so probably not a huge deal in most environments using a macOS Server as their DNS server). Check the box for "Allow zone transfers" only if there will be secondary servers pulling a copy of this zone from it. A zone transfer hands out the entire zone, which is a complete map of your hosts, so leave it unchecked otherwise; if you hand-edit named.conf, this corresponds to BIND's allow-transfer directive, which should list only the secondaries. Additionally, if the zone is to be a secondary zone configured on another server, you can configure the frequency to perform zone transfers at this screen, how frequently to retry when the primary name server isn't responsive and when to stop bothering to try if the thing never actually ends up coming back online. Click on Done to commit any changes made, or to save a new record if you're creating a new zone.
“Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.” — http://krypted.com/mac-os-x/dont-go-near-there-sponsored-top-level-domain-names/
Double-click on a Machine record next (or click plus to add one). Here, provide a hostname along with an IP address and indicate the Zone that the record lives in. The IP Addresses field seems to allow for multiple IPs, which is common in round robin DNS, or when one name points to multiple servers and lookups rotate amongst the servers. However, it's worth mentioning that when I configure multiple IP addresses, the last one in the list is the only one that gets fed to clients. Therefore, for now at least, you might want to stick with one IP address per name.

Note that the above screen has the domain in the zone field and the name of a record, such as www for the zone called, for example, krypted.lan. Click Done to commit the changes or create the new record. Next, let's create an MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records.

Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypted.lan, so mail.krypted.lan. If you have multiple MX records, increment the priority number for the lower priority servers (the lowest number is tried first).

As a full example, let's create a zone and some records from scratch. Let's set up this zone for an Xsan metadata network, called krypted.xsan. Then, let's create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone.


At the zone screen, enter the name of the domain you're setting up (in this example krypted.xsan, also known as the zone), check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record.


At the New Machine Record screen, select the appropriate zone as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in the appropriate IP. Click on Done to commit the changes. Repeat the process for each host that needs an address and then click Done to create the records.

Setting Up Secondary Servers

Now let's set up a secondary server by leveraging a secondary zone running on a second computer. On the second macOS Server, click on the plus sign for the DNS service and select Add Secondary Zone.
At the Secondary Zone screen, enter krypted.xsan as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field. Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).

Managing DNS From The Command Line

Now, all of this is pretty straightforward. Create a zone, create some records inside the zone and you're good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, BIND views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in macOS Server is to do everything possible using the serveradmin command for global management and dnsconfig for record and zone management. Once you start editing configuration files, the user interface can become unstable and other updates may or may not override the updates you make in those configuration files. To start the service, use the start option:

sudo serveradmin start dns

To stop the service, use the stop option:

sudo serveradmin stop dns

To get the status of the service, including how many zones are being hosted, the last time it was started, the status at the moment, the version of BIND and the location of the log files, use the fullstatus option:

sudo serveradmin fullstatus dns

A number of other tasks can be performed using the settings option. For example, to enable Bonjour Client Browsing, an option previously available in Server Admin, use the following command:

sudo serveradmin settings dns:isBonjourClientBrowsingEnabled = yes

Zones can be read and written through serveradmin as well. Let's look at what our krypted.xsan zone looks like by default (replace krypted.xsan with your zone name to see your output):

sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan

Now, let's say we'd like to disable Bonjour registration of just this zone, but leave it on for the others on the server:

sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:bonjourRegistration = no

The entire block can be fed in for new zones, if you have a lot of them. Just remember to bump the serial option for a zone every time you change it: secondaries only pull a new copy when they see a serial higher than the one they already hold, so a zone whose serial never changes will silently stop propagating. While serveradmin is one way to edit zone data, it isn't the only way; you can also use the dnsconfig options described in http://krypted.com/?p=45195. In /Library/Server/named is a collection of zone files, one for each zone the server is configured for. Secondary zones are flat and don't have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of the test zone we created, view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone):

cat /Library/Server/named/db.krypted.xsan

Add another record at the bottom and stop/start DNS to immediately see the result. Overall, DNS is one of those services that seems terribly complicated at first. But once you get used to it, I actually find manually editing zone files far faster and easier than messing around with the Server app or, previously, Server Admin. However, I also find that occasionally, because the Server app can make changes in there too, all my settings will vanish. Troubleshooting is another place where the command line can be helpful. While logs can be found in the Server app, I prefer to watch log entries live as I perform lookups using the /Library/Logs/named.log file. To do so, run tail -f followed by the name of the file:

tail -f /Library/Logs/named.log
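Hand-editing zone files is faster, but a typo in a zone file stops the zone from loading, and a serial that was not bumped leaves secondaries holding the old copy without any error. The following is an added example, not code from krypted.com or from Apple's dnsconfig: it lints a zone file for the mistakes that bite most often (serial not incremented, NS or MX pointing at a name with no address record or at a CNAME, CNAME at the apex or mixed with other records) and lists the names with more than one A record, which is how round robin is actually expressed in a zone file. The embedded zone is constructed for the krypted.xsan example above; the mail host and the previous serial used in the checks are assumptions.

```python
"""Lint a BIND zone file before restarting the DNS service.

Added example, not code from krypted.com or from Apple's dnsconfig. It parses
the subset of zone-file syntax the Server app writes ($TTL, $ORIGIN, a
parenthesised multi-line SOA, one record per line, blank owner meaning "same
as the previous record") and reports the mistakes that stop a zone from
loading or from transferring to a secondary. SAMPLE_ZONE is constructed for
the krypted.xsan example in the post; the mail host and the previous serial
number used in the checks are assumptions.
"""

SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN krypted.xsan.
@           IN SOA  starbuck.krypted.xsan. hostmaster.krypted.xsan. (
                    2016101301 ; serial
                    3600       ; refresh
                    900        ; retry
                    1209600    ; expire
                    300 )      ; minimum
            IN NS   starbuck
            IN NS   apollo
            IN MX   10 mail
starbuck    IN A    10.0.0.2
apollo      IN A    10.0.0.3
mail        IN A    10.0.0.2
            IN A    10.0.0.4
www         IN CNAME starbuck
"""


def _logical_lines(zone_text):
    """Drop comments, join ( ... ) continuations; yield (first raw line, tokens)."""
    buf, first, depth = [], None, 0
    for raw in zone_text.splitlines():
        code = raw.split(";", 1)[0]
        if first is None:
            if not code.strip():
                continue
            first = raw
        depth += code.count("(") - code.count(")")
        buf.extend(t for t in (tok.strip("()") for tok in code.split()) if t)
        if depth == 0:
            yield first, buf
            buf, first = [], None


def _fqdn(name, origin):
    return name if name.endswith(".") else name + "." + origin


def parse_zone(zone_text, zone):
    """Return (origin, records); each record is {owner, type, rdata} with FQDN owners."""
    origin = zone.rstrip(".") + "."
    prev, records = origin, []
    for first, toks in _logical_lines(zone_text):
        if toks[0] == "$TTL":
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        owner = prev if first[:1].isspace() else toks.pop(0)
        owner = origin if owner == "@" else _fqdn(owner, origin)
        while toks and (toks[0].isdigit() or toks[0] == "IN"):   # optional TTL / class
            toks.pop(0)
        records.append({"owner": owner, "type": toks[0], "rdata": toks[1:]})
        prev = owner
    return origin, records


def lint_zone(zone_text, zone, previous_serial=None):
    """Return a list of problems; an empty list means the zone looks safe to load."""
    origin, records = parse_zone(zone_text, zone)
    problems = []
    types_at = {}
    for r in records:
        types_at.setdefault(r["owner"], set()).add(r["type"])
    soa = [r for r in records if r["type"] == "SOA"]
    if len(soa) != 1:
        problems.append("zone must have exactly one SOA record")
    elif previous_serial is not None and int(soa[0]["rdata"][2]) <= previous_serial:
        problems.append("SOA serial %s is not above the previous serial %d; secondaries "
                        "will keep their stale copy" % (soa[0]["rdata"][2], previous_serial))
    has_address = {o for o, t in types_at.items() if t & {"A", "AAAA"}}
    for r in records:
        if r["type"] in ("NS", "MX"):
            target = _fqdn(r["rdata"][-1], origin)
            if target.endswith("." + origin) or target == origin:   # in-zone target
                if target not in has_address:
                    problems.append("%s %s points at %s, which has no A/AAAA record"
                                    % (r["owner"], r["type"], target))
                if "CNAME" in types_at.get(target, set()):
                    problems.append("%s %s points at a CNAME (%s)" % (r["owner"], r["type"], target))
        elif r["type"] == "CNAME":
            if r["owner"] == origin:
                problems.append("CNAME at the zone apex %s" % origin)
            if types_at[r["owner"]] - {"CNAME"}:
                problems.append("%s has a CNAME alongside other records" % r["owner"])
    return problems


def round_robin_names(zone_text, zone):
    """Names with more than one A record, i.e. round robin entries the Server app cannot express."""
    counts = {}
    for r in parse_zone(zone_text, zone)[1]:
        if r["type"] == "A":
            counts[r["owner"]] = counts.get(r["owner"], 0) + 1
    return sorted(o for o, n in counts.items() if n > 1)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /Library/Server/named/db.krypted.xsan
    text = open(path).read() if path else SAMPLE_ZONE
    for p in lint_zone(text, "krypted.xsan"):
        print("PROBLEM:", p)
    print("round robin:", round_robin_names(text, "krypted.xsan"))
```

Run it as `python3 zonelint.py /Library/Server/named/db.krypted.xsan` after editing and before restarting the service; keep the previous serial in a file or your change log and pass it to lint_zone() so a forgotten bump is caught.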
Also, see http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the new /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig command line tool. I’ve written an article on managing DNS using this tool, available here.

October 13th, 2016

Posted In: Mac OS X Server, Mac Security


macOS Sierra (10.12) running the Server app has a lot of scripts used for enabling services, setting states, changing hostnames and the like. Once upon a time there was a script for macOS Server 5.2 called serversetup. It was a beautiful but too simplistic kind of script. Today, much of that logic has been moved out into more granular scripts, kept in /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup, used by the server to perform all kinds of tasks. These scripts are, like a lot of other things in OS X Server. Some of these include the configuration of amavisd, docecot and alerts. These scripts can also be used for migrating services and data. Sometimes the scripts are in bash, sometimes ruby, sometimes perl and other times even python. And the scripts tend to change year over year/release over release. The easiest way to view logs is to use the Server app, clicking on Logs in the sidebar. The dropdown at the bottom of the screen provides quick access to service-based logs. Screen Shot 2015-09-25 at 8.47.29 PM One of the things that can can be useful about the scripts scattered throughout the Server app is to learn how the developers of macOS Server intend for certain tasks to occur. However, you can also use the Console app from /Applications/Utilities, as with any other Mac, to look at standard logs. Screen Shot 2015-09-25 at 8.48.50 PM Looking At Services This is also where I learned that Apple had put an Open Directory backup script in /Applications/Server.app/Contents/ServerRoot/usr/libexec/server_backup/opendirectorybackup (that still requires a password). But what I haven’t seen in all of these logs is bumping up the logging level for services before performing tasks, so that you can see a verbose output of what’s going on. To do this, it looks like we’re going service-by-service. 
So let’s look alphabetically, starting with Address Book: sudo serveradmin settings addressbook:DefaultLogLevel = “warn” This by defualt logs to /var/log/caldavd/error.log, which is built based on the following, which sets the base: sudo serveradmin settings addressbook:LogRoot=/var/log/caldavd And the following, which sets the file name in that directory: sudo serveradmin settings addressbook:ErrorLogFile=error.log You can change either by changing what comes after the = sign. Next is afp. This service logs output to two places. The first is with errors to the service, using /Library/Logs/AppleFileService/AppleFileServiceError.log, the path designated in the following: sudo serveradmin settings afp:errorLogPath = “/Library/Logs/AppleFileService/AppleFileServiceError.log” The second location logs activities (open file, delete file, etc) rather than errors and is /Library/Logs/AppleFileService/AppleFileServiceAccess.log, defined using: sudo serveradmin settings afp:activityLogPath = “/Library/Logs/AppleFileService/AppleFileServiceAccess.log” The activity log is disabled by default and enabled using the command: sudo serveradmin settings afp:activityLog = yes The events that trigger log entries are in the afp:loggingAttributes array and are all enabled by default. There are no further controls for the verbosity of the afp logs. The next service is calendar. Similar to address book, the caldav server uses DefaultLogLevel to set how much data gets placed into logs: sudo serveradmin settings calendar:DefaultLogLevel = “warn” This by defualt logs to /var/log/caldavd/error.log, which is built based on the following, which sets the base: sudo serveradmin settings calendar:LogRoot=/var/log/caldavd And the following, which sets the file name in that directory: sudo serveradmin settings calendar:ErrorLogFile=error.log You can changing either by changing what comes after the = sign. 
Profile Manager is called devicemgr in the serveradmin interface and I’ve found no way to augment the logging levels. Nor does its migration script (/Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/80-devicemgrmigration.sh) point to any increased logging during migration.

The dirserv (aka Open Directory) service uses the slapconfig back-end, so I use slapconfig to increase logging:

sudo slapconfig -enableslapdlog

The DNS service uses named.conf, located in /etc, to set log levels and has no serveradmin settings for doing so. Here, use the logging section and look for both the file setting (by default /Library/Logs/named.log), which is where the log is stored, and the severity setting, which sets the logging level higher or lower.

By default Messages, or iChat Server, logs a lot. See the following for what is logged:

sudo serveradmin settings jabber:logLevel = "ALL"

Adding the -D option to the LaunchDaemon that invokes jabber will increase the logs. Longer-term logging is handled in each of the xml files that make up the features of jabber. See the Logconfiguration section of the c2s file via:

cat /Applications/Server.app/Contents/ServerRoot/private/etc/jabberd/c2s.xml

The mail service has a number of options for logging, much of which has to do with the fact that it’s a patchy solution made up of postfix and other components.
Global log locations are controlled using the mail:global:service_data_path key, which indicates a path that logs are stored in (as usual, many of these are in /Library/Server):

sudo serveradmin settings mail:global:service_data_path = "/Library/Server/Mail"

To see the virus database logging level (which should usually be set to warn):

sudo serveradmin settings mail:postfix:virus_db_log_level

To see the spamassassin logging level:

sudo serveradmin settings mail:postfix:spam_log_level

To see the actual postfix logging level:

sudo serveradmin settings mail:postfix:log_level

To enable timestamps on logs:

sudo serveradmin settings mail:imap:logtimestamps = yes

To set the dovecot logging to info:

sudo serveradmin settings mail:imap:log_level = "info"

To increase logging per function that dovecot performs, see the config files in /Applications/Server.app/Contents/ServerRoot/private/etc/dovecot/default/conf.d, each of which has a logging section for doing so.

The NetBoot service is simple to configure logging for: set netboot:logging_level to HIGH (by default it’s MEDIUM):

sudo serveradmin settings netboot:logging_level = "HIGH"

The Postgres service uses a log directory, configured with postgres:log_directory:

sudo serveradmin settings postgres:log_directory = "/Library/Logs/PostgreSQL"

The /private/etc/raddb/radiusd.conf file has a section (log {}) dedicated to configuring how the radius service logs output. The Xsan service logs output per volume to both the System Log and volume-based log files, stored in /Library/Preferences/Xsan/data. The smb service has a file, /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist, with a key for log level that can be used for more verbose output of the service.

The PPTP and L2TP VPN services log output to the files specified in vpn:Servers, configured with these:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:Server:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:LogFile = "/var/log/ppp/vpnd.log"

By default, verbose logging is enabled, which you can see with:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging

The last service is web (Apache). The default access logs are per-site, with a key called customLogPath existing for each. The defaultSite uses the following for its logs:

sudo serveradmin settings web:defaultSite:customLogPath

Swap out defaultSite for another site to see its log paths. There’s also a key for errorLogPath that shows errors. These are per-site so that administrators can provide access to logs for the owners of each site without fear of them having access to logs for other users. Global error logs are stored in /private/var/log/apache2/error_log as defined in /private/etc/apache2/httpd.conf. Find LogLevel in this file and set it to configure how in-depth the logs will be, using debug for the most verbose and info, notice, warn, error, crit, alert, and emerg to get incrementally less information. Additionally, the log formats can be set in /private/etc/apache2/httpd.conf, allowing administrators to configure OS X Server’s built-in web service to conform to the standards of most modern web log analyzers.

Conclusion

Overall, there’s a lot of information in these logs and administrators can spend as much time reviewing logs as they want. But other than standard system logs, the output is typically configured on a service-by-service basis. Some services offer a lot of options and others offer only a few. Some services also offer options within the serveradmin environment while others use their traditional locations in their configuration files. I’ll end this with a warning. There can also be a lot of output in these logs. Therefore, if you set the logging facilities high, make sure to keep a watchful eye on the capacity of the location you’re writing logs out to.
The reason I looked at paths to logs where applicable was because you might want to consider redirecting logs to an external volume when debugging so as not to fill up a boot volume and cause even more problems than what you’re likely parsing through logs looking to fix…

October 5th, 2016

Posted In: Mac OS X Server, Mac Security


By default, OS X now updates apps that are distributed through the Mac App Store (MAS). OS X Server is really just the Server app, sitting on the App Store. If the Server app is upgraded automatically, you will potentially experience some adverse side effects, especially if the app is running on a Metadata Controller for Xsan, runs Open Directory, or a major release of the Server app ships. Therefore, in this article we’re going to disable this otherwise sweet feature of OS X.

To get started, first open the System Preferences. From there, click on the App Store System Preference pane. From the App Store System Preference pane, uncheck the following boxes:
  • Automatically Check For Updates: Unchecking this box disables the download in the background option and the installation of app updates.
  • Automatically Download Apps Purchased on Other Macs: If you buy an upgrade, you could accidentally install that upgrade on production servers you don’t intend to install the upgrade on.
Once disabled, you’ll need to keep on top of updates in the App Store manually. My recommendation is still to create an image of your server before each update.  

October 2nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security


There are four ways to create users in OS X Server 5, running on El Capitan or Yosemite. The first is using the Server app, the second is using Workgroup Manager (which barely works in OS X El Capitan and won’t install in El Capitan by default), the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating users in the Server app.

To do so, open the Server app and connect to your server. Then click on the Users entry in the ACCOUNTS list. The list of users is displayed, based on the directory domain(s) being browsed. A directory domain is a repository of account data, which can include local users, local network users and users in a shared directory service such as Open Directory and Active Directory.

The drop-down list allows you to see objects that are stored locally as well as on a shared directory server. Therefore, clicking All Users will show all of the accounts accessible by the system. Click on the plus sign to create a new account. At this point, if the server has been promoted to an Open Directory Master, the account will be a local network account, with no way of choosing a different location to store the account in the Server app. When prompted, provide the following information about the new user:
  • Full Name: Usually the first and last name of the user.
  • Account Name: A shorter representation of that name with no spaces or special characters.
  • Email address: The email address to use if the account is going over quotas, has calendar invitations sent, or used for email hosted on the server, etc.
  • Password: The password the user will use to access services on the server.
  • Verify: The password a second time to make sure there are no spelling errors.
  • Allow user to administer this server: Optional field that grants the user administrative access to the server.
  • Home Folder: Optional field that by default creates local home directories for users that use the account but that also allows you to select a directory shared using the File Sharing service as a location for home folders. Each user in OS X has a home folder, this option defines whether that folder will reside on their computer or on a central server.
  • Limit Disk Usage To: Define the amount of space an account can take up on servers.
  • Keywords: Keywords, or tags, for the user.
  • Notes: Any notes you want to enter into the user record.
Note: Optionally, you can also drag an image onto the image shown in the New User screen if you’d like the user to have an avatar.
Once the account details are as you would like, click on the Done button. The account will then be displayed in the list of available accounts. You can still create local accounts but must do so in the Users & Groups System Preference pane, through Workgroup Manager or through the command line. If the server has not been made an Open Directory server then you would be creating local users through the Server app.

Once the account is created, highlight it and click on the cog wheel icon below the list of accounts. Here, you have the option to edit the account you just created, edit their access to services hosted on the server, configure email information and change their password.

Click Edit User. Here, you have two new features. You can add the user to groups and use the checkbox for “log in” to disable the account.

Click Cancel and then, using the cog wheel menu again, click on Edit Access to Services. Here, uncheck each service that the user should not have access to. If the service isn’t running then it’s not a big deal. You can highlight multiple accounts concurrently and then use this option to disable services for users en masse.

September 30th, 2015

Posted In: Mac OS X Server


OS X Server 5, running on El Capitan or Yosemite, comes with a few new alerting options previously unavailable in versions of OS X. The alerts are sent to administrators via servermgrd and configured in the 5th version of the Server app. To configure alerts on the server, open the Server app and then click on Alerts in the Server app sidebar. Next, click on the Delivery tab.

At the Delivery screen, click on the Edit button for Email Addresses and enter every email address that should receive alerts sent from the server. Then click on the Edit button for Push Notifications. Here, check the box for each administrator of the server. The email address on file for the user then receives push notifications of events from the server.

Click on OK when you’ve configured all of the appropriate administrators for alerting. Click on the Edit… button for Push and, if Push notifications are not already enabled, you will run through the Push Notification configuration wizard. Then, check the boxes for Email and Push for each of the alerts you want to receive (you don’t have to check both for each entry). Alerts have changed in OS X Server: they are no longer based on the SMART status of drives or capacity; instead, Delivery is now based on service settings.

Finally, as with previous versions of OS X Server, El Capitan Server has snmp built in. Its configuration file is located at /private/etc/snmp/snmpd.conf and the built-in LaunchDaemon is org.net-snmp.snmpd, where the actual binary being called is /usr/sbin/snmpd (and by default it’s called with a -f option). Once started, the default community name should be COMMUNITY (easily changed in the conf file) and to test, use the following command from a client (the client is 192.168.210.99 in the following example):

snmpwalk -On -v 1 -c COMMUNITY 192.168.210.99
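Because a default community string like COMMUNITY is the first thing anyone walks an SNMP agent with, here is an added example (my own script, not from the post or from Apple) that reads an snmpd.conf and reports weak community definitions. It parses the standard net-snmp directives com2sec, rocommunity and rwcommunity; the config text below is constructed to resemble the stock file, and the path you pass on a real server is your own.

```python
"""Audit community strings in an snmpd.conf.

Added example, not from the original post. Parses the net-snmp directives
that define communities (com2sec, rocommunity, rwcommunity) and reports
well-known defaults such as the COMMUNITY string the stock file ships with.
"""
import sys

# Constructed sample in net-snmp snmpd.conf syntax (not the real file).
SAMPLE_CONF = """\
# Constructed snmpd.conf excerpt
com2sec local      localhost         COMMUNITY
com2sec mynetwork  192.168.210.0/24  COMMUNITY
rocommunity public 10.0.0.0/8
rwcommunity s3cret-string-here
"""

# Strings every scanner tries first.
DEFAULT_COMMUNITIES = {"community", "public", "private"}
MIN_LENGTH = 12


def community_entries(conf_text):
    """Return (directive, community, source) for each community-defining line.

    com2sec:        com2sec <secname> <source> <community>
    ro/rwcommunity: rocommunity <community> [source] [oid]
    Comments and blank lines are skipped.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        directive = fields[0].lower()
        if directive == "com2sec" and len(fields) >= 4:
            entries.append((directive, fields[3], fields[2]))
        elif directive in ("rocommunity", "rwcommunity") and len(fields) >= 2:
            source = fields[2] if len(fields) > 2 else "default"
            entries.append((directive, fields[1], source))
    return entries


def audit_communities(conf_text, min_length=MIN_LENGTH):
    """Return one finding dict per community; 'issues' is empty when it looks fine."""
    findings = []
    for directive, community, source in community_entries(conf_text):
        issues = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("well-known default community string")
        if len(community) < min_length:
            issues.append(f"shorter than {min_length} characters")
        if directive == "rwcommunity":
            issues.append("grants write access")
        if source == "default":
            issues.append("no source address restriction")
        findings.append({"directive": directive, "community": community,
                         "source": source, "issues": issues})
    return findings


def main(path=None):
    # Without a path the constructed sample is audited.
    text = open(path).read() if path else SAMPLE_CONF
    for f in audit_communities(text):
        status = "; ".join(f["issues"]) or "ok"
        print(f"{f['directive']:12} {f['community']:20} {f['source']:18} {status}")


if __name__ == "__main__":
    # On a server: python3 snmp_audit.py /private/etc/snmp/snmpd.conf
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```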

September 29th, 2015

Posted In: Mac OS X Server


File Services are perhaps the most important aspect of any server because file servers are often the first server an organization purchases. This has been changing over the past few years, with many a file being hosted by cloud solutions, such as Box, Dropbox, Google Drive, and of course, iCloud. But many still need a terrestrial server and for predominantly Apple environments, a Server app running on OS X El Capitan isn’t exactly a bad idea. There are a number of protocols built into OS X Server dedicated to serving files, including AFP, SMB and WebDAV. These services, combined, comprise the File Sharing service in OS X Server running El Capitan or Yosemite. Note: I’ve got another article looking into FTP a little further, but those are basically the services that I’ll stick to here.

File servers have shares. In OS X Server, Server app 5 (for Yosemite and El Capitan), we refer to these as Share Points. The first step to setting up a file share is to create all of your users and groups (or at least the ones that will get permissions to the shares). This is done in Server app using the Users and Groups entries in the List Pane. Once users and groups are created, open the Server app and then click on the File Sharing service in the SERVICES list in the List Pane. Here, you will see a list of the shares on the server.

If you’re just getting started, let’s go ahead and disable any built-in shares by clicking on the share and then clicking on the minus button (-) while the share is highlighted. When prompted to remove the share, click on the Remove button.

As mentioned, shares can be shared out using different protocols. Next, we’re going to disable SMB for Public, simply as an example. To do so, double-click on Public and then uncheck the SMB protocol checkbox for the share. When you’ve disabled SMB for the last share, you’ve effectively disabled SMB.
Click on the Done button to save the changes to the server. Editing shares is really that easy. Next, we’re going to create a new share for iPads to be able to put their work in, above and beyond the WebDAV instance automatically used by the Wiki service. To create the share, first we’re going to create a directory for the share to live in on the computer, in this case the /Shared Items/iPads directory. Then, from the File Sharing pane in Server app, click on the plus sign (“+”). At the browse dialog, browse to the location of your iPad directory and then click on the Choose button.

At the File Sharing pane, double-click on the new iPads share. Note that there’s a new checkbox here called “Allow only encrypted connections”. If you check this, you cannot use AFP and WebDAV. At the screen for the iPads share, feel free to edit the name of the share (how it appears to users), as by default it uses the name of the directory for the name of the share. Then, it’s time to configure who has access to what on the share. Here, use the plus sign (“+”) in the Access section of the pane to add groups that should have permission to access the share. Also, change the groups in the list that should have access by double-clicking on the name of the group and providing a new group name, or clicking on the plus sign to add a user or group.

The permissions available in this screen for users that are added are Read & Write, Read Only/Read and Write. POSIX permissions (the bottom three entries) also have the option for No Access, but ACLs (the top entries comprise an Access Control List) don’t need such an option, as if there is no ACE (Access Control Entry) for the object then No Access is assumed.
If more granular permissions are required then click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions. As can be seen, there are a number of other options that more granularly allow you to control permissions to files and directories in this view.

If you make a share a home folder, you can use that share to store a home folder for a user account, provided the server uses Open Directory. Once a share has been made an option for home folders it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service. Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for the share, click on the ON button to start the File Sharing service.

To connect to a share, use the Connect to Server dialog, available by clicking Connect to Server in the Go menu. A change that happened back in Mavericks is that when you enter an address, the client connects over SMB by default (which is even better now that those connections can be encrypted). If you’d like to connect via AFP ‘cause you’re all old school, enter afp:// in front of the address and then click Connect.

The File Sharing service can also be controlled from the command line. Mac OS X Server provides the sharing command. You can create, delete and augment information for share points using sharing. To create a share point for AFP you can use the following command:

sharing -a <path> -A <share name>

So let’s say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command:

sharing -a /Shares/Public -A PUBLIC

Now, the -a here will create the share for AFP, but what if you want to create a share for other protocols?
Well, -F does FTP and -S does SMB. Once created you can disable the share using the following command:

sharing -r PUBLIC

To then get a listing of shares you can use the following command:

sharing -l

You can also use the serveradmin command to manage file shares as well as the sharing service. To see settings for file shares, use the serveradmin command along with the settings option and then define the sharing service:

sudo serveradmin settings sharing

Sharing settings include the following:

sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeStandard\:GeneratedUID = "54428C28-793F-4F5B-B070-31630FE045AD"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Shared Items/iPads:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shared Items/iPads:path = "/Shared Items/iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:name = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:ftpName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:serverDocsIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeNative\:sharepoint_group_id = "3A1C9DAD-806C-4917-A39F-9317B6F85CCD"
sharing:sharePointList:_array_id:/Shared Items/iPads:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Shared Items/iPads:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Shares/Public:ftpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:smbName = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shares/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:isIndexingEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:dsAttrTypeStandard\:GeneratedUID = "80197252-1BC6-4391-AB00-C00EE64FD4F2"
sharing:sharePointList:_array_id:/Shares/Public:path = "/Shares/Public"
sharing:sharePointList:_array_id:/Shares/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:afpUseParentOwner = no
sharing:sharePointList:_array_id:/Shares/Public:afpName = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:ftpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:afpUseParentPrivs = no
sharing:sharePointList:_array_id:/Shares/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:name = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:ftpName = "Public-1"
sharing:sharePointList:_array_id:/Users/krypted/Public:dsAttrTypeStandard\:GeneratedUID = "0D6AF0D1-BA70-4DD4-9256-AC1B51A2761F"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Users/krypted/Public:webDAVName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Users/krypted/Public:afpName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Users/krypted/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Users/krypted/Public:path = "/Users/krypted/Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Users/krypted/Public:name = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:ftpName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:serverDocsIsShared = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsShared = no
sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:dsAttrTypeNative\:sharepoint_group_id = "FF1970EF-0789-49C7-80B5-E9FCABDDBB49"
sharing:sharePointList:_array_id:/Users/krypted/Public:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:mountedOnPath = "/"

To see settings for the services, use the serveradmin command with the settings option followed by the service, afp or smb:

sudo serveradmin settings afp

AFP settings include:

afp:maxConnections = -1
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.66D68615726DE922C1D1760BD2DD45B37E73ADD4@LKDC:SHA1.66D68615726DE922C1D1760BD2DD45B37E73ADD4"
afp:fullServerMode = yes
afp:allowSendMessage = yes
afp:maxGuests = -1
afp:activityLog = yes
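Since both this post and the logging post above lean on the key = value dump that serveradmin settings prints, here is an added example (my own code, not from the post or from Apple) that parses that format, groups the sharePointList entries by share and reports which shares have guest access on a served protocol or are served over FTP at all; it also pulls out the log-related keys the logging post walks through. The sample text is constructed to resemble the output above (with the straight quotes serveradmin actually prints and a placeholder GUID).

```python
"""Parse `serveradmin settings` output and audit share points.

Added example, not code from the original post or from Apple. Reads the
key = value lines serveradmin prints, audits each share point for guest
access and cleartext protocols, and lists log-related settings.
"""
import re

# Constructed sample modelled on the output above; the GUID is a placeholder.
SAMPLE = """\
sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeStandard\\:GeneratedUID = "00000000-0000-0000-0000-000000000000"
sharing:sharePointList:_array_id:/Shared Items/iPads:name = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Shares/Public:name = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:ftpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:ftpIsGuestAccessEnabled = no
afp:maxConnections = -1
afp:activityLog = yes
calendar:DefaultLogLevel = "warn"
"""

_KEY_SPLIT = re.compile(r"(?<!\\):")  # split on ':' unless escaped as '\:'
PROTOCOLS = ("afp", "smb", "ftp", "webDAV")


def parse_value(raw):
    """Map serveradmin's value syntax onto Python values."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ("yes", "no"):
        return raw == "yes"
    if raw == "_empty_array":
        return []
    if raw == "_empty_dictionary":
        return {}
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_settings(text):
    """Return {key_parts_tuple: value}; an escaped '\\:' in a key part is unescaped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if not sep:
            continue  # not a settings line
        parts = tuple(p.replace("\\:", ":") for p in _KEY_SPLIT.split(key.strip()))
        settings[parts] = parse_value(value)
    return settings


def share_points(settings):
    """Group sharing:sharePointList:_array_id:<path>:<attr> entries by path."""
    shares = {}
    for parts, value in settings.items():
        if len(parts) == 5 and parts[:3] == ("sharing", "sharePointList", "_array_id"):
            shares.setdefault(parts[3], {})[parts[4]] = value
    return shares


def audit_share(path, attrs):
    """Findings for one share: guest access on a served protocol, or FTP at all."""
    served = [p for p in PROTOCOLS if attrs.get(p + "IsShared") is True]
    findings = [f"guest access enabled over {p}" for p in served
                if attrs.get(p + "IsGuestAccessEnabled") is True]
    if "ftp" in served:
        findings.append("served over ftp (credentials and data are not encrypted)")
    return {"path": path, "name": attrs.get("name", path),
            "protocols": served, "findings": findings}


def audit_shares(text):
    return [audit_share(p, a) for p, a in share_points(parse_settings(text)).items()]


def log_related(settings):
    """Settings whose last key component mentions logging (LogLevel, activityLog...)."""
    return {":".join(k): v for k, v in settings.items() if "log" in k[-1].lower()}


if __name__ == "__main__":
    # On a server, feed this the output of: sudo serveradmin settings sharing
    for share in audit_shares(SAMPLE):
        print(share["name"], share["protocols"], share["findings"] or "ok")
    print(log_related(parse_settings(SAMPLE)))
```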

September 26th, 2015

Posted In: Mac OS X Server
