krypted.com

Tiny Deathstars of Foulness

OS X Server stores most logs in files that are in the /Library/Logs/ProfileManager directory. Logs are split up between php, devicemgrd.log, scep_helper.log, servermgr_devicemgr.log, profilemanager.log and others. In my experience, if there’s a lot of errors at first, or if the service doesn’t work, just reformat and start over. But, once a server is in production, you don’t want to re-enroll devices after you do that. So, as with all good error prodding, start with the logs to troubleshoot.

By default the logs can appear a bit anemic. You can enable more information by increasing the logging level. Here, we’ll shoot it up to 6, which can be done with the following command:

sudo debugDeviceMgr 6

Debug levels go all the way to 9, but at that point things get… Noisy. And to turn it back off, use:

sudo debugDeviceMgr 1

Basically, this command sets the required services in /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/ to debug mode as well as /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/config/com.apple.DeviceManagement.postgres-debug.plist and /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/config/com.apple.DeviceManagement.postgres.plist to configure debug mode. In other words, it touches a lot of services. And given how chatty some can be, only leave logging levels higher than I’d say 2 in the event of short-term troubleshooting.

December 29th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , ,

Servers can have problems. When they have problems, you need to grab logs and stuff. Ever wonder what Apple developers think is important, when it comes to logs and stuff? Try serverdiagnose!

serverdiagnose

Then hit the Enter (return) key. Then it collects some logs into a tgz. Why a tgz? No clue. But it ends up in /tmp. Notice the name as ServerLogs- followed by the hostname, then a date stamp (yearmonthday) and an underscore followed by a timestamp. Inside the tgz is /Library/Logs, /Library/Server, /tmp/dsdiagnose (a dump of OD debug logs), serverlogs_S3vKsy (configuration statuses), a couple of things from /var/db (the most important of which is PreviousSystemLogs), and /var/log.

November 9th, 2016

Posted In: Mac OS X Server

Tags: , , , , ,

The Time Machine service in macOS Server 5.2 hasn’t changed much from the service in previous operating systems. To enable the Time Machine service, open the Server app, click on Time Machine in the SERVICES sidebar. If the service hasn’t been enabled to date, the ON/OFF switch will be in the OFF position and no “Backup destination” will be shown in the Settings pane.

screen-shot-2016-09-29-at-8-56-29-pm

Click on the ON button to see the New Destination screen, used to configure a list of volumes as a destinations for Time Machine backups. The selection volume should be large enough to have space for all of the users that can potentially use the Time Machine service hosted on the server. When you click the Choose button, a list of volumes appears in a standard Finder selection screen.

screen-shot-2016-09-29-at-8-57-19-pm

Here, click on the volume to save your backups to in the sidebar. In most cases the Backup destination will be a mass storage device and not the boot volume of the computer. Once selected, click Choose and then if desired, limit the amount of storage on the volume to be used for backups. Click Create and a share called Backups is created and the service will start. Don’t touch anything until the service starts. Once started, add a backup destination at any time using the plus sign button (“+”) and defining another destination.

screen-shot-2016-09-29-at-8-57-40-pm

Time Machine Server works via Bonjour. Open the Time Machine System Preference pane and then click on the Select Backup Disk button from a client to see the server in the list of available targets, much as you would do with an Apple Time Capsule.

screen-shot-2016-09-29-at-8-58-33-pm

Under the hood, a backup share is creating in the file sharing service. To see the attributes of this share, use the serveradmin command followed by the settings option and then the sharing:sharePointList:_array_id:, so for a path of /Volumes/New Volume 1/Shared Items/Backups use:

sudo serveradmin settings sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups

The output indicates the options configured for the share, including how locking is handled, guest access disabled, generated identifiers and the protocols the backups share listens as:

sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:name = "Backups"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbName = "Backups"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:isTimeMachineBackup = yes
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:dsAttrTypeNative\:sharepoint_group_id = "F4610C2C-70CD-47CF-A75B-3BAFB26D9EF3"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:mountedOnPath = "/Volumes/New Volume 1"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:dsAttrTypeStandard\:GeneratedUID = "FAB13586-2A2A-4DB2-97C7-FDD2D747A0CD"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:path = "/Volumes/New Volume 1/Shared Items/Backups"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbIsShared = no
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpName = "Backups"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbDirectoryMask = "755"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpIsShared = yes
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbCreateMask = "644"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:ftpName = "Backups"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:timeMachineBackupUUID = "844A1C43-61C9-4F99-91DE-C105EA95BD45"

Once the service is running, administrators frequently fill up the target volume. To move data to another location, first stop the service and then move the folder (e.g. using mv). Once moved, use the serveradmin command to send settings to the new backup path. For example, to change the target to /Volumes/bighonkindisk, use the following command:

sudo serveradmin settings sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Volumes/bighonkindisk"

Another way to see the share and attributes of the share is through the sharing command:

sharing -l

Which should show output similar to the following:

List of Share Points
name: Backups
path: /Shared Items/Backups
afp: {
name: Backups
shared: 1
guest access: 0
inherit perms: 0
}
ftp: {
name: Backups
shared: 0
guest access: 0
}
smb: {
name: Backups
shared: 0
guest access: 0
}

There’s also a Bonjour service published that announces to other clients on the same subnet that the server can be used as a backup destination (the same technology used in a Time Capsule). One major update from back in Mavericks Server is the addition of the timemachine service in the severadmin command line interface. To see the command line settings for Time Machine:

sudo serveradmin settings timemachine

The output shows that share info is displayed as with the sharing service, but you can also see the GUID assigned to each share that is a part of the backup pool of storage:

timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:dsAttrTypeStandard\:GeneratedUID = "FAB13586-2A2A-4DB2-97C7-FDD2D747A0CD"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbName = "Backups"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpIsGuestAccessEnabled = no
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbDirectoryMask = "755"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpName = "Backups"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbCreateMask = "644"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:nfsExportRecord = _empty_array
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:path = "/Volumes/New Volume 1/Shared Items/Backups"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbIsGuestAccessEnabled = no
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:name = "Backups"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:ftpName = "Backups"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbIsShared = no
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpIsShared = yes
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:timeMachineBackupUUID = "844A1C43-61C9-4F99-91DE-C105EA95BD45"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:isTimeMachineBackup = yes
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:backupQuota = 0
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:dsAttrTypeNative\:sharepoint_group_id = "F4610C2C-70CD-47CF-A75B-3BAFB26D9EF3"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:isIndexingEnabled = yes
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:mountedOnPath = "/Volumes/New Volume 1"
Additionally you can also query for the service to verify it’s running using full status:
sudo serveradmin fullstatus timemachine
Which outputs something similar to the following:
timemachine:command = "getState"
timemachine:state = "RUNNING"

While I found plenty to ramble on about in this article, Mass deployment is still the same, as is client side configuration.

October 15th, 2016

Posted In: Mac OS X, Mac OS X Server, Time Machine

Tags: , , , , , , , , , , , ,

Open Directory has never been this easy to setup for a basic environment as it is in macOS Server 5.2 (for macOS 10.12 on Sierra). It’s also never been so annoyingly simple to use that to do anything cool requires a bunch of command line foo. And never has removing replicas been so difficult. No offense to the developers, but this whole idea that the screens and concepts that were being continually refined for a decade just need to be thrown out seems to have led to a few babies thrown out along with that OD bathwater. Features mean buttons. Buttons make things a tad bit more complicated to use than an ON/OFF switch…

Anyway, rant over. Moving on. As with almost any previous version of macOS Server and Open Directory, once you’ve installed the Server app, run the changeip command along with the -checkhostname option to verify that the IP, DNS and hostname match. If (and only if as it will fail if you try anyway) you get an indication of “Success.” I know, I know, you’ve been told that you didn’t have to do this kind of stuff any more. But really, you should – and if you don’t believe me, check out the contents of the attributes in the OD database…

bash-3.2# changeip -checkhostname
dirserv:success = "success"

To set up the Open Directory Master, open the Server app and click on the Open Directory service (might need to Show under Advanced in the Server app sidebar). From here, click on the ON button.

screen-shot-2016-09-25-at-9-58-14-pm

For the purposes of this example, we’re setting up an entirely new Open Directory environment. At the “Configure Network Users and Groups” screen, click on “Create a new Open Directory Domain” and click on the Next button.

screen-shot-2016-09-25-at-9-58-59-pm

Note: If you are restoring an archive of an existing Open Directory domain, you would select the bottom option from this list.

At the Directory Administrator screen, enter a username and password for the directory administrator account. The default account is sufficient, although it’s never a bad idea to use something a bit less generic.

screen-shot-2016-09-25-at-9-59-34-pm

Once you’ve entered the username and password, click on the Next button. Then we’re going to configure the SSL information.

screen-shot-2016-09-25-at-10-00-17-pm

At the Organization Information screen, enter a name for the organization in the Organization Name field and an Email Address to be used in the SSL certificate in the Admin Email Address field. Click on Next.

screen-shot-2016-09-25-at-10-00-40-pm

At the Confirm Settings screen, make sure these very few settings are OK with you and then click on the Set Up button to let slapconfig (the command that runs the OD setup in the background, kinda’ like a cooler dcpromo) do its thing. When the Open Directory master has been configured, there’s no need to reboot or anything, the indicator light for the Open Directory service should appear. If the promotion fails then look to the preflight options I wrote up awhile back.

screen-shot-2016-09-25-at-10-01-20-pm

Clicking on the minus (“-”) button while a server is highlighted runs a slapconfig -destroyldapserver on the server and destroys the Open Directory domain if it is the only server. All domain information is lost when this happens.

screen-shot-2016-09-25-at-10-01-55-pm

Next, let’s bind a client. Binding clients can be done in a few different ways. You can use a script, a Profile, the Users & Groups System Preference pane or build binding into the imaging process. For the purpose of this example, we’ll use the System Preference pane.

To get started, open up the System Preference pane and then click on Users & Groups. From here, click on Login Options and then unlock the lock in the lower left corner of the screen, providing a username and password when prompted.

screen-shot-2016-09-25-at-10-02-44-pm

Click on the Edit… button and then the plus sign (“+”).

screen-shot-2016-09-25-at-10-03-15-pm

Then, enter the name of the Open Directory Master (the field will expand with options when you enter the host name.

screen-shot-2016-09-25-at-10-03-43-pm

It’s probably best not to use the IP address at this point as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user.

Provided everything works that’s it. The devil is of course in the details. There is very little data worth having if it isn’t backed up. Notice that you can archive by clicking on the cog wheel icon in the Open Directory service pane, much like you could in Server Admin. Or, because this helps when it comes to automating backups (with a little expect), to run a backup from the command line, run the slapconfig command along with the -backupdb option followed by a path to a folder to back the data up to:

sudo slapconfig -backupdb /odbackups

The result will be a request for a password then a bunch of information about the backup:

bash-3.2# sudo slapconfig -backupdb /odbackups
2016-09-08 04:31:13 +0000 slapconfig -backupdb
Enter archive password:
2016-09-08 04:31:17 +0000 1 Backing up LDAP database
2016-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage1769HtaFE7/backup.ldif, "r"
55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -b cn=authdata -l /tmp/slapconfig_backup_stage1769HtaFE7/authdata.ldif, "r"
55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/DB_CONFIG, "r"
2016-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/authdata//DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/authdata_DB_CONFIG, "r"
2016-09-08 04:31:17 +0000 popen: /bin/cp -r /etc/openldap /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2016-09-08 04:31:17 +0000 popen: /bin/hostname > /tmp/slapconfig_backup_stage1769HtaFE7/hostname, "r"
2016-09-08 04:31:17 +0000 popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig_backup_stage1769HtaFE7/local_odkrb5realm, "r"
2016-09-08 04:31:18 +0000 popen: /usr/bin/tar czpf /tmp/slapconfig_backup_stage1769HtaFE7/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/acl_file.* /var/db/krb5kdc/m_key.* /etc/krb5.keytab , "r"
tar: Removing leading '/' from member names
2016-09-08 04:31:18 +0000 2 Backing up Kerberos database
2016-09-08 04:31:18 +0000 popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig_backup_stage1769HtaFE7/KerberosKDC.plist, "r"
2016-09-08 04:31:18 +0000 popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2016-09-08 04:31:18 +0000 3 Backing up configuration files
2016-09-08 04:31:18 +0000 popen: /usr/bin/sw_vers > /tmp/slapconfig_backup_stage1769HtaFE7/version.txt, "r"
2016-09-08 04:31:18 +0000 popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2016-09-08 04:31:18 +0000 Backed Up Keychain
2016-09-08 04:31:18 +0000 4 Backing up CA certificates
2016-09-08 04:31:18 +0000 5 Creating archive
2016-09-08 04:31:18 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage1769HtaFE7 -format SPARSE -encryption AES-256 -stdinpass /odbackups
2016-09-08 04:31:25 +0000 Removed directory at path /tmp/slapconfig_backup_stage1769HtaFE7.
2016-09-08 04:31:25 +0000 Removed file at path /var/run/slapconfig.lock.

To restore a database (such as from a previous version of the operating system where such an important option was actually present) use the following command (which just swaps backupdb with -restoredb)

sudo slapconfig -restoredb /odbackups

Both commands ask you for a password to encrypt and decrypt the disk image created by them.

October 4th, 2016

Posted In: Mac OS X Server

Tags: , , , , ,

The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren’t actually removing users. To do so, you’d use slapconfig along with the -destroyldapserver. When run, you get a little insight into what’s happening behind the scenes. This results in the following:

bash-3.2# slapconfig -destroyldapserver

Note: Currently the system is not working as intended on replicas. The replica will remove, but the Open Directory Master will not remove the replica from the Open Directory list. The process will fail in 10.12. I’ve filed a radar on this. You can archive and restore the master and then rebuilt the Open Directory tree.

The logs are as follows:

2016-09-08 04:17:58 +0000 slapconfig -destroyldapserver
2016-09-08 04:17:58 +0000 Deleting Cert Authority related data
2016-09-08 04:17:58 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2016-09-08 04:17:58 +0000 command: /usr/sbin/xscertadmin add –reason 5 –issuer Krypted Open Directory Certificate Authority –serial 3449505949
2016-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2016-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2016-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2016-09-08 04:18:19 +0000 Stopping LDAP server (slapd)
2016-09-08 04:18:20 +0000 Stopping password server
2016-09-08 04:18:24 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/alock.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2016-09-08 04:18:24 +0000 Removed directory at path /var/db/openldap/authdata.
2016-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2016-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.conf.
2016-09-08 04:18:24 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2016-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2016-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2016-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.
2016-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2016-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2016-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2016-09-08 04:18:27 +0000 Stopping password server
2016-09-08 04:18:27 +0000 Removed file at path /etc/ntp_opendirectory.conf.
2016-09-08 04:18:27 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

September 17th, 2016

Posted In: Mac OS X Server

Tags: , ,

There are a couple of parts to this article. The first is to describe the server command, stored in /Applications/Server.app/Contents/ServerRoot/usr/sbin/server. The description of the command by Brad Chapman was so eloquently put on this JAMF Nation post that I’m just gonna’ paste it in here:

So … I just installed Server 5.0.x tonight on my Mac Mini running Yosemite (10.10.5). There was a question that came up during JNUC about upgrading Server and having a way to accept the license agreement without going through the GUI.

So for shits and giggles I tried:

server setup

It’s not documented. And lo and behold, I got the prompt to accept the license agreement just like you do with Xcode.

Post your trip reports here! Can this be automated?

tardis:~ chapman$ sudo server setup
Password:
To use server, you must agree to the terms of the software license agreement.

Press Return to view the software license agreement.

---insert license agreement here---

Do you agree to the terms of the software license agreement? (y/N) y

Administrator access is required to set up OS X Server on this Mac. Type an administrator's user name and password to allow this.
User name: chapman
Password: 

Initializing setup...
Getting server state...
Getting host names...
Writing server settings...
Configuring Service Authentication...
Creating certificates...
Getting certificates...
Renewing certificate...
Enabling server password hashes for local users...
Creating service principals...
Initializing certificates...
Preparing services...
Preparing Caching service...
Preparing Calendar service...
Preparing Profile Manager service...
Preparing File Sharing service...
Preparing Software Update service...
Preparing Messages service...
Preparing Mail service...
Preparing Web service...
Preparing Calendar service...
Preparing Wiki service...
Preparing Calendar service...
Preparing Profile Manager service...
Initializing Wiki...
Initializing Mail...
Initializing VPN...
Initializing Xcode...
Enabling autobuddy for local accounts...
Updating admin password policy...
Checking DNS Configuration...
Reading DNS configuration...
Completing setup...

server encountered errors during setup:

Unknown error
tardis:~ chapman$

I don’t know what the ‘unknown error’ was.

The error is pretty much typical. I rarely see a server that doesn’t spawn some kind of error, and most errors will throw this. Oh well. The only option that he didn’t mention that isn’t meant for internal use is help, which doesn’t even indicate setup as a verb. Now, here’s where it gets fun. This is cute, but if you’re scripting  a full server setup, you’ll want to bust out a little expect script here. I’m gonna’ put the username and password in cleartext here, to keep the script readable:

#!/usr/bin/expect
set timeout 300
spawn server setup
expect "Press Return to view the software license agreement." { send \r }
expect "Do you agree to the terms of the software license agreement? (y/N)" { send "y\r" }
expect "User name:" { send "MYADMINUSERNAME\r" }
expect "Password:" { send "MYPASSWORD\r" }
interact

Obviously, you would replace MYADMINUSERNAME with your admin username and MYPASSWORD with your password. But basically, drop the Server.app on a machine, run this, and you’re good to go. Now, hypothetically, if you’re spinning up a Caching server (e.g. if you’re building out 100 caching servers, this might come in handy), then you could use the commands described in this article I wrote earlier.

October 28th, 2015

Posted In: Mac OS X Server, Mass Deployment

Tags: , , , , , , , , , ,

Encrypting a volume in OS X couldn’t be easier. In this article, we will look at three ways to encrypt OS X El Capitan volumes in OS X Server 5. The reason there are three ways is that booted volumes and non-booted volumes have different methods for enabling encryption.

Encrypting Attached Storage

For non-boot volumes, just control-click or right-click on them and then click on Encrypt “VOLUMENAME” where the name of the volume is in quotes.

Screen Shot 2015-09-25 at 10.29.58 PM

When prompted, provide an encryption password for the volume, verify that password and if you so choose, provide a hint.

Screen Shot 2015-09-25 at 10.30.59 PM

Once the encryption process has begun, the entry previously clicked on says Encrypting “VOLUMENAME” where the name of the volume is in quotes.

Before you can encrypt a volume from the command line you must first convert it to CoreStorage if it isn’t already. As volumes on external disks aren’t likely to be CoreStorage, let’s check using diskutil along with corestorage and then list:

diskutil corestorage list

Assuming your volume was already formatted with a non-corestorage format and isn’t listed, locate the volume and document the disk identifier (in this case disk2s3). Then, run diskutil corestorage along with the convert verb and the disk, as follows (no need to run this command if it’s already listed):

sudo diskutil corestorage convert disk2s3

The output should look similar to the following:

Started CoreStorage operation on disk2s3 Reco
Resizing disk to fit Core Storage headers
Creating Core Storage Logical Volume Group
Attempting to unmount disk2s3
Switching disk2s3 to Core Storage
Waiting for Logical Volume to appear
Mounting Logical Volume
Core Storage LVG UUID: 19D34AAA-498A-44FC-99A5-3E719D3DB6FB
Core Storage PV UUID: 2639E13A-250D-4510-889A-3EEB3B7F065C
Core Storage LV UUID: 4CC5881F-88B3-42DD-B540-24AA63952E31
Core Storage disk: disk4
Finished CoreStorage operation on disk2s3 Reco

Once converted, the LV UUID (LV is short for Logical Volume) can be used to encrypt the logical volume using a password of crowbar to unlock it:

sudo diskutil corestorage encryptvolume 4CC5881F-88B3-42DD-B540-24AA63952E31 -passphrase crowbar

The output is similar to the following:

Started CoreStorage operation on disk4 Reco
Scheduling encryption of Core Storage Logical Volume
Core Storage LV UUID: 4CC5881F-88B3-42DD-B540-24AA63952E31
Finished CoreStorage operation on disk4 Reco

According to the size, this process can take some time. Monitor the progress using the corestorage list option:

diskutil corestorage list

In all of these commands, replace core storage w/ cs for less typing. I’ll use the shortened version as I go. I know that we rarely change passwords, but sometimes it needs to happen. If it needs to happen on a core storage encrypted volume, this can be done from the command line or a script. To do so, use diskutil cs with the changevolumepassphrase option. We’ll use -oldpassphrase to provide the old password and -newpassphrase to provide the new passphrase.

diskutil cs changeVolumePassphrase FC6D57CD-15FC-4A9A-B9D7-F7CF26312E00 -oldpassphrase crowbar -newpassphrase hedeservedit

I continue to get prompted when I send the -newpassphrase, so I’ve taken to using stdin , using -stdinpassphrase. Once encrypted there will occasionally come a time for decrypting, or removing the encryption, from a volume. It’s worth noting that neither encrypting or decrypting requires erasing. To decrypt, use the decryptVolume verb, again with the -passphrase option:

diskutil cs decryptvolume 4CC5881F-88B3-42DD-B540-24AA63952E31 -passphrase crowbar

FileVault 2: Encrypting Boot Volumes

Boot volumes are configured a bit differently. This is namely because the boot volume requires FileVault 2, which unifies usernames and passwords with the encryption so that users enter one username and password rather than unlocking drives. To configure FileVault 2, open the Security & Privacy System Preference pane and then click on the FileVault tab. Click on the lock to make changes and then provide the password for an administrative account of the system. Then, click on “Turn On FileVault…”

Screen Shot 2015-09-26 at 10.00.24 PM

You’ll then be prompted to restart; do so to begin the encryption process.

Screen Shot 2015-09-26 at 10.01.50 PM

When prompted, choose whether to create a key or save the key to iCloud. In most cases, on a server, you’ll want to create a recovery key and save it to a very safe place.

Screen Shot 2015-09-26 at 10.05.26 PM

When prompted with the Recovery Key, document it and then click on Continue. Choose whether to restore the recovery key with Apple. If you will be storing the key with Apple then provide the AppleID. Otherwise, simply click the bullet for “Do not store the recovery key with Apple” and then click on the Continue button.

When prompted, click on Restart to reboot and be prompted for the first account that can unlock the FileVaulted system.

Screen Shot 2015-09-26 at 10.05.32 PM

Once encrypted, the FileVault tab in the Security & Privacy System Preference pane shows the encryption status, or percent during encryption.

That’s it. Managing FileVault 2 using the System Preferences is about as easy as it can get. But for those who require mass management, Apple has provided a tool called fdesetup for that as well.

Using fdesetup with FileVault 2

FileVault 2 now comes with a nifty configuration utility called fdesetup. To use fdesetup to encrypt the boot volume, first check FileVault’s status by entering the fdesetup command along with the –status option (wait, no — required any more!):

fdesetup status

As with most other commands, read the help page before starting to use just in case there are any changes to it between the writing of this article and when you kick off your automated encryption. Done using the help verb:

fdesetup help

After confirming FileVault is off, enable FileVault with the enable option, as follows:

sudo fdesetup enable

Unless additional parameters are specified, an interactive session prompts for the primary user’s short name and password. Once enabled, a Recovery key is returned by the fdesetup command. You can also cancel this by just hitting Control-C so we can look at more complicated iterations of the command. It should be recorded or otherwise stored, something easily done by mounting in a script (e.g. a write-only share in a script for key escrowing). If more complicated measures are needed, of course check out Cauliflower Vest at code.google.com. The fdesetup command is now at version 2.36:

fdesetup version

Now, if you run fdesetup and you’ve deployed a master keychain then you’re going to have a little more work to do; namely point the -keychain command at the actual keychain. For example:

sudo fdesetup enable -keychain /Library/Keychains/FileVaultMaster.keychain

To define a certificate:

sudo fdesetup enable -certificate /temp/filename.cer

Adding additional users other than the one who enabled fdesetup is a bit different than the first:

sudo fdesetup add -usertoadd robin

To remove users, just remove them with a remove verb followed by the -user option and the username:

sudo fdesetup remove -user robin

The remove and add options also offer using the -uuid rather than the username. Let’s look at Robin’s uid :

dscl . read /Users/robin GeneratedUID | cut -c 15-50

Yes, I used cut. If you have a problem with that then take your judgmental fuc… Nevermind. Take that GUID and plug it in as the uuid using the -uuid option. For example, to do so with the remove verb:

sudo fdesetup remove -uuid 31E609D5-39CF-4A42-9F24-CFA2B36F5532

Or for good measure, we can basically replicate -user w/ -uuid for a nice stupid human trick:

sudo fdesetup remove -uuid `dscl . read /Users/robin GeneratedUID | cut -c 15-50`

All of the fdesetup commands can be run interactively or using options to define the variables otherwise provided in the interactive prompt. These are defined well in the man page. Finally, let’s look at -defer. Using -defer, you can run the fdesetup tool at the next login, write the key to a plist and then grab it with a script of some sort later.

sudo fdesetup enable -defer /temp/fdesetupescrow.plist

Or define users concurrently (continuing to use the robin test user):

sudo fdesetup enable -user robin -defer /temp/fdesetupescrow.plist

FileVault accounts can also use accounts from Directory Services automatically. These need to synchronize with the Directory Service routinely as data is cached. To do so:

sudo fdesetup sync

This is really just scratching the surface of what you can do with fdesetup. The definitive source for which is the man page as well as a nicely done article by Rich Trouton.

Encrypting Time Machine Backups

The last full disk encryption to discuss is Time Machine. To encrypt Time Machine backups, use Time Machine’s System Preference pane. The reason for this being that doing so automatically maintains mounting information in the Operating System, rather than potentially having an encrypted drive’s password get lost or not entered and therefore not have backups run.

To enable disk encryption for Time Machine destinations, open the Time Machine System Preference pane and click on Select Backup Disk… From the backup disk selection screen, choose your backup target and then check the box for “Encrypt backups”. Then, click on Use Disk.

At the overlay screen, provide a backup password twice and if you would like, a hint as to what that password is. When you are satisfied with your passwords, click on the Encrypt Disk button.

Now, there are a couple of things to know here. 1. Don’t forget that password. 2. If you use an institutional FileVault Key then still don’t forget that password as it will not work. 3. Don’t forget that password…

Scripty CLI Stuff

We’ve always been able to enable FileVault using scripts thanks to fdesetup but now Apple’s taken some of the difficulty out of configuring recovery keys. This comes in the form of the changerecovery, haspersonalrecoverykey, hasinstitutionalkey, usingrecoverykey and validate recovery options. These options all revolve around one idea: make it easier to deploy centrally managed keys that can be used to unlock encrypted volumes in the event that such an action is required. There’s also a -recoverykey option, which indicates the number of the key if a recovery key is being used.

To use the fdesetup command to check whether a computer has a personal recovery key use the haspersonalrecoverykey verb, as follows:

fdesetup haspersonalrecoverykey

The output will be a simple true or false exit. To use the fdesetup command to check whether a computer has an institutional recovery key, use the hasinstitutionalrecoverykey verb, as follows:

fdesetup hasinstitutionalrecoverykey

To enable a specific personal recovery key, provide it using the changerecovery verb, as follows:

fdesetup changerecovery -personal

This is an interactive command, so when prompted, provide the appropriate personal key. The removerecovery verb can also be used to remove keys. And my favorite, validaterecovery is used to check on whether or not a recovery key will work to unlock a host; which can be tied into something like an extension attribute in Casper in order to store a key and then validate the key every week or 4. This helps to make sure that systems are manageable if something happens.

The enable verb also has a new -authrestart which does an authenticated reboot after enabling FileVault. Before using the -authrestart option, check that a system can actually run it by using fdesetup with the supportsauthrestart verb and it will exit on true or false.

Defer mode is nothing new, where FileVault waits until a user password is provided; however, a new verb is available called showdeferralinfo which shows information about deferral mode. This is most helpful as a sanity check so you don’t go running commands you already ran or doing things to systems that have already been provided with tasks to perform otherwise.

Conclusion

Encrypting data in OS X can take on other forms as well. The keychains encrypt passwords and other objects. Additionally, you can still create encrypted dmgs and many file types have built in encryption as well. But the gist is that Apple encrypts a lot. They also sandbox a lot and with the addition of gatekeeper are code signing a lot. But encrypting volumes and disks is mostly about physical security, which these types of encryption provide a substantial solution for.

While all this security might seem like a lot, it’s been in Apple’s DNA for a long time and really security is about layers and the Mac Systems Administrator batbelt needs a lot of items to allow us to adapt to the changing landscape of security threats. OS X is becoming a little more like iOS as can be expected and so I would suspect that encryption will become more and more transparent as time goes on. Overall, the options allow encrypting every piece of data that goes anywhere near a system. The mechanisms with which data is now encrypted are secure, as is the data at rest. Once data is decrypted, features like Gatekeeper and the application layer firewall supplement traditional network encryption to keep well secured.

October 10th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren’t actually removing users. To do so, you’d use slapconfig along with the -destroyldapserver. When run, you get a little insight into what’s happening behind the scenes. This results in the following:

bash-3.2# slapconfig -destroyldapserver

The logs are as follows:

2015-09-08 04:17:58 +0000 slapconfig -destroyldapserver
2015-09-08 04:17:58 +0000 Deleting Cert Authority related data
2015-09-08 04:17:58 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2015-09-08 04:17:58 +0000 command: /usr/sbin/xscertadmin add –reason 5 –issuer Krypted Open Directory Certificate Authority –serial 3449505949
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2015-09-08 04:18:19 +0000 Stopping LDAP server (slapd)
2015-09-08 04:18:20 +0000 Stopping password server
2015-09-08 04:18:24 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/alock.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2015-09-08 04:18:24 +0000 Removed directory at path /var/db/openldap/authdata.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.conf.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2015-09-08 04:18:27 +0000 Stopping password server
2015-09-08 04:18:27 +0000 Removed file at path /etc/ntp_opendirectory.conf.
2015-09-08 04:18:27 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

September 28th, 2015

Posted In: Mac OS X Server

Tags: , , , , ,

OS X Server 5 (El Capitan 10.11 or Yosemite 10.10) has an adaptive firewall built in, or a firewall that controls incoming access based on clients attempting to abuse the server. The firewall automatically blocks incoming connections that it considers to be dangerous. For example, if a client attempts too many incorrect logins then a firewall rule restricts that user from attempting to communicate with the server for 15 minutes. If you’re troubleshooting and you accidentally tripped up one of these rules then it can be a bit frustrating. Which is why Apple gives us afctl, a tool that interacts with the adaptive firewall.

The most basic task you can do with the firewall is to disable all of the existing rules. To do so, simply run afctl (all afctl options require sudo) with a -d option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -d

When run, the adaptive firewall’s rules are disabled. To re-enable them, use the -e option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -e

Turning off the rules seems a bit much for most troubleshooting tasks. To remove a specific IP address that has been blacklisted, use the -r option followed by the IP address (rules are enforced by IP):

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -r 192.168.210.88

To add an IP to the blacklist, use the -a option, also followed by the IP:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 192.168.210.88

To permanently add a machine to the whitelist, use -w with the IP:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 192.168.210.88

And to remove a machine, use -x. To understand what is going on under the hood, consider this. The blacklisted computers are stored in plain text in /var/db/af/blacklist and the whitelisted computers are stored in the same path in a file called whitelist. The afctl binary itself is stored in /usr/libexec/afctl and the service is enabled by /System/LIbrary/LaunchDaemons/com.apple.afctl.plist, meaning to stop the service outright, use launchctl:

launchctl unload

/Applications/Server.app/Contents/ServerRoot/usr/libexec/com.apple.afctl.plist

The configuration file for afctl is at /etc/af.plist. Here you can change the path to the blacklist and whitelist files, change the interval with which it is run, etc. Overall, the adaptive firewall is a nice little tool for Mac OS X Server security, but also something a number of open source tools can do as well. But for something built-in and easy, worth using.

There’s a nice little command called hb_summary located in /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS that provides statistics for blocked hosts. To see statistics about how much the Adaptive Firewall is being used, just run the command with no options:

/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary

The output provides the following information (helpful if plugging this information into a tool like Splunk):

  • Date
  • Date statistics start
  • Number of hosts blocked
  • Addresses blocked
  • Number of times each address was blocked
  • Last time a host was blocked
  • Total number of times a block was issued

September 22nd, 2015

Posted In: Mac OS X Server

Tags: , , , , , , ,

The latest Roundcube installer for OS X Server is now available at http://topicdesk.com/downloads/roundcube. This update, which provides a pretty awesome WebMail interface to OS X Server’s Mail Service provides the following:

  • One installer that supports all Mavericks and Yosemite
  • Roundcube WebMail 1.0.3 installed as a WebApp
  • Automatically Configured Plugins
  • Roundcube CardDav: Server-based address books
  • Roundcube Managesieve: Server-side mail filtering and vacation messages
  • PHP and Roundcube Config automatically configured for a typical Mac installation
  • sqllite database – we no longer use Postgres
  • Integration with the Mail Service running on OS X Server

December 17th, 2014

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , ,

Next Page »