krypted.com

Tiny Deathstars of Foulness

Getting started with Messages Server couldn’t really be easier. Messages Server in the macOS Server 5.2 version of the Server app uses the open source jabber project as its back-end code base. The jabberd binary is located in the /Applications/Server.app/Contents/ServerRoot/private/var/jabberd directory and the autobuddy binary is at /Applications/Server.app/Contents/ServerRoot/usr/bin/jabber_autobuddy. The actual jabberd binary is also stored at /Applications/Server.app/Contents/ServerRoot/usr/libexec/jabberd, where there are also a couple of perl scripts used to migrate the service between versions.

Setting up the Messages service is simple. Open the Server app and click on Messages in the Server app sidebar.

Click on the Edit… button for Permissions. Here, define which users and interfaces are allowed to use the service.

From the Server app, click on the checkbox for “Enable server-to-server federation” if you have multiple iChat, er, I mean, Messages servers and provide the address for servers to federate to.

Next, click on the checkbox for “Archive all chat messages” if you’d like transcripts of all Messages sessions that route through the server to be saved on the server.

You should use an SSL certificate with the Messages service; if you enable federation so you can have multiple Messages servers, you have to. Before enabling the service, click on the name of the server in the sidebar of the Server app and then click on the Settings tab. From here, click on Edit for the SSL Certificate entry (which should be plural, btw) to bring up a screen to select SSL Certificates. At the SSL Certificates screen (here it’s plural!), select the certificate the Messages service should use from the list beside that entry and click on the OK button.
If you need to set up federation, click back on the Messages service in the sidebar of the Server app and then click on the Edit button. Then, click on the checkbox for Require server-to-server federation (making sure each server has the other’s SSL certificate installed) and then choose whether to allow any server to federate with yours or to restrict which servers are allowed. I have always restricted unless I was specifically setting up a server I wanted to be public (public as in everyone in the world can federate to it, including the gorram reavers that want to wear your skin).

To restrict the service, provide a list of each server address capable of communicating with your server. Once all the servers are entered, click the OK button. Obviously, if you only have one server, you can skip that. Once the settings are as you wish them to be, click on the ON/OFF switch to light up the service.

To see the status of the service once it is started, use the fullstatus option with serveradmin followed by the jabber indicator:

sudo serveradmin fullstatus jabber

The output includes whether the service is running, the location of the jabber log files, the name of the server and the time the service was started, as can be seen here:

jabber:state = "RUNNING"
jabber:roomsState = "RUNNING"
jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
jabber:logPaths:MUC_STD_LOG = "/var/log/system.log"
jabber:logPaths:JABBER_LOG = "/var/log/system.log"
jabber:proxyState = "RUNNING"
jabber:currentConnections = "0"
jabber:currentConnectionsPort1 = "0"
jabber:currentConnectionsPort2 = "0"
jabber:pluginVersion = "10.8.211"
jabber:servicePortsAreRestricted = "NO"
jabber:servicePortsRestrictionInfo = _empty_array
jabber:hostsCommaDelimitedString = "osxserver.krypted.lan"
jabber:hosts:_array_index:0 = "osxserver.krypted.lan"
jabber:setStateVersion = 1
jabber:startedTime = ""
jabber:readWriteSettingsVersion = 1

There are also a few settings not available in the Server app. One of these that can be important is the port used to communicate between the Messages client and the Messages service on the server. For example, to change it to 8080, use serveradmin followed by settings and then jabber:jabberdClientPortSSL = 8080, as follows:

sudo serveradmin settings jabber:jabberdClientPortSSL = 8080

To change the location of the saved Messages transcripts (here, we’ll set it to /Volumes/Pegasus/Book):

sudo serveradmin settings jabber:savedChatsLocation = "/Volumes/Pegasus/Book"

To see a full listing of the options, just run settings with the jabber service:

sudo serveradmin settings jabber

The output lists each configurable setting:
jabber:dataLocation = "/Library/Server/Messages"
jabber:s2sRestrictDomains = no
jabber:jabberdDatabasePath = "/Library/Server/Messages/Data/sqlite/jabberd2.db"
jabber:sslCAFile = "/etc/certificates/osxserver.krypted.com.31971C0C39DCBF4733FA671BCE3AF260769E4FB7.chain.pem"
jabber:jabberdClientPortTLS = 5222
jabber:sslKeyFile = "/etc/certificates/osxserver.krypted.com.31971C0C39DCBF4733FA671BCE3AF260769E4FB7.concat.pem"
jabber:initialized = yes
jabber:enableXMPP = yes
jabber:savedChatsArchiveInterval = 7
jabber:authLevel = "STANDARD"
jabber:hostsCommaDelimitedString = "osxserver.krypted.com"
jabber:jabberdClientPortSSL = 5223
jabber:requireSecureS2S = yes
jabber:savedChatsLocation = "/Library/Server/Messages/Data/message_archives"
jabber:enableSavedChats = yes
jabber:enableAutoBuddy = no
jabber:s2sAllowedDomains = _empty_array
jabber:logLevel = "ALL"
jabber:hosts:_array_index:0 = "osxserver.krypted.com"
jabber:eventLogArchiveInterval = 7
jabber:jabberdS2SPort = 5269
To stop the service:

sudo serveradmin stop jabber

And to start it back up:

sudo serveradmin start jabber

It’s also worth noting something that’s completely missing in this whole thing: Apple Push Notifications… Why is that important? Well, you use the Messages application to communicate not only with Mac OS X and other jabber clients, but you can also use Messages to send text messages. Given that there’s nothing in the server that has anything to do with texts, push or anything of the sort, it’s worth noting that these messages don’t route through the server and therefore still require an iCloud account. Not a huge deal, but worth mentioning that Messages Server doesn’t have the same updates built into the Messages app. Because those messages don’t traverse the server, there are no transcripts of them.
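As an added example (not from the original post), the following shell script parses the output of the settings listing above and flags federation settings that leave the server open to any XMPP peer or to unencrypted server-to-server links; the sample settings are constructed from the values shown and the function names are mine.

```shell
# Added example, not from the original post: audit the output of
# "sudo serveradmin settings jabber" for federation settings that weaken
# the service. The sample output is constructed from values the post shows.

SAMPLE_SETTINGS='jabber:s2sRestrictDomains = no
jabber:requireSecureS2S = yes
jabber:s2sAllowedDomains = _empty_array
jabber:enableSavedChats = yes
jabber:jabberdClientPortSSL = 5223
jabber:jabberdS2SPort = 5269'

# jabber_get SETTINGS KEY: print the value of jabber:KEY with quotes removed.
jabber_get() {
    printf '%s\n' "$1" | sed -n "s/^jabber:$2 = //p" | tr -d '"'
}

# jabber_audit SETTINGS: print one finding per line and store the number of
# findings in JABBER_FINDINGS. Values are compared against what a restricted,
# TLS-only federation setup should look like. When domains are restricted and
# peers are listed, they appear as jabber:s2sAllowedDomains:_array_index:N
# lines, so the plain key is absent and the _empty_array check does not fire.
jabber_audit() {
    JABBER_FINDINGS=0
    restrict=$(jabber_get "$1" s2sRestrictDomains)
    secure=$(jabber_get "$1" requireSecureS2S)
    allowed=$(jabber_get "$1" s2sAllowedDomains)

    if [ "$secure" != yes ]; then
        # Fix: sudo serveradmin settings jabber:requireSecureS2S = yes
        echo "requireSecureS2S=$secure: server-to-server links may run without TLS"
        JABBER_FINDINGS=$((JABBER_FINDINGS + 1))
    fi
    if [ "$restrict" != yes ]; then
        # Fix: sudo serveradmin settings jabber:s2sRestrictDomains = yes
        echo "s2sRestrictDomains=$restrict: any XMPP server may federate with this host"
        JABBER_FINDINGS=$((JABBER_FINDINGS + 1))
    elif [ "$allowed" = _empty_array ]; then
        echo "s2sRestrictDomains=yes with empty s2sAllowedDomains: no peer can federate"
        JABBER_FINDINGS=$((JABBER_FINDINGS + 1))
    fi
    return 0
}

# Run against the constructed sample. On a live server use instead:
#   settings=$(sudo serveradmin settings jabber); jabber_audit "$settings"
jabber_audit "$SAMPLE_SETTINGS"
echo "findings: $JABBER_FINDINGS"
```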

October 12th, 2016

Posted In: Mac OS X Server


ChronoSync is one of those tools that’s been in the Mac community for a long time (rightfully so). It’s been a little while since I got the chance to really tinker around with ChronoSync so I thought I’d do a little article on what I got to find during my tinkerations. To get started with ChronoSync, go to their website at http://www.econtechnologies.com/chronosync/overview.html. Next, we’re going to walk through the most basic of setups (and you can get all kinds of complicated from there if you’d like!).

Once you’ve downloaded ChronoSync, run the installer from the disk image that was downloaded. Then walk through the installer, basically following the defaults (unless you’d like to install to a volume other than your boot volume). Once the installer is finished, open the app and register the product.

Once registered, you’ll see a nice screen giving you a few options. We’re going to create a single plan (synchronizer document) to back up a single source to a single target. To do so, click on the option to “Create a new synchronizer document”.

At the Setup screen, you have a right and left column. When I used to do a lot of manual migrations, I would always, always, always line up my source on the left and my target on the right (or invariably you risk data loss by copying in the wrong direction), so the workflow in ChronoSync has always made sense to me. Because a lot of the data I use needs root access, I’m going to select “Local Volumes (Admin access)” in the “Connect to” field and then use the Choose button to select my actual source. Repeat that process in the Right Target section of the screen.
The default action that will be performed is to back up from the left to the right target (the term target referring to the folder, not to whether it is the source or the destination in the backup operation). Click into the Operation field to bring up a list of the options that can be performed between your left and right targets. The option I’m selecting is “Synchronize Bidirectional” as this is an article about syncing data. The other options are pretty well defined in the manual, but it’s worth mentioning that the Bootable Mirror options are especially useful.

Once you’ve set the type of sync, you can also use the Options menu to define some pretty granular settings for your sync. For the purposes of this sync, which brings over server shares, I’m going to leave Conflict resolution set to Ask User and use the custom option under the Special File/Folder Handling section to enable the “Verify copied data” option and the “Preserve Comments” option. Note that if you’re doing this on servers and would like to stop a service (such as postgres) before a sync and start it after, you can use the scripts section of this screen. You can also configure notifications, sending emails when syncs have errors, or every time there’s a sync.

Click Rules to build inclusion/exclusion rules (for example, I don’t often sync things like operating system and software installers since I can just go download them again pretty easily). Click Archive in the sidebar if you’d like to remove files based on a trigger (e.g. if it’s been removed from the source, archive it, etc). Next, you can simply click Synchronize to run an immediate sync of the files and folders you’ve defined in your Sync Document. Or, you can click Add to Schedule to define when you’d like to run your Synchronization Documents. There, less than 5 minutes and we’ve got a pretty advanced sync going.
Use the Log button to see how everything went. And remember, always verify that the archives and backups are running on a good schedule. For example, I like to have at least a weekly cadence to make sure that media on each side of a sync can still open. It helps me sleep better.

January 31st, 2015

Posted In: Kerio, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


One way to automatically archive objects from Outlook is to use rules. To do so, first create a folder on your local computer (e.g. Archived). Then, from the Tools menu, select Rules. Create a rule by clicking on the plus sign (let’s just call it Archiving) and then click Date Received in the “When a new message arrives:” section. Configure the middle field as “is Greater than or equal to” and then configure the number of days (e.g. 90 or 180). In the “Do the following:” section, choose “Move message” and then choose the archive folder you created in the previous step. Finally, check the box for Enabled and you’ve got a pretty simple automated rule to move messages off your Exchange server and onto your local computer. To move existing mail, click Rules from the Message menu and then click on the name of the rule. Once done, click on the Outlook menu and then click on Preferences. Click General and then, in the Folder list section, check the box for “Hide On My Computer folders”.

The only problem with this method is that mail is just getting dumped into a folder on your local computer. Mail is searchable, but not stored in a .pst file as with the old school keep-it-on-a-mapped-drive method frequently used with Outlook for Windows. These folders can be exported into .mbox files by dragging a folder to the desktop. The maximum size of the file is 2.15 gigs. The .mbox file can then be imported using the Import option under the File menu and then clicking on the .mbox file in question.

Another, more automated and old fashioned way to archive mail is to use Outlook Email Archive X, a tool that takes care of many of the tasks you just did. This tool, from softhing.com, is available at http://www.softhing.com/oeax.html. I like Outlook Email Archive X because I can drop emails back into Outlook, because they’re stored in .eml files. These are also indexed using Spotlight. To install Outlook Email Archive X, open the dmg you downloaded.
Then drag the OEAX folder to the /Applications folder. Modern Exchange and Office 365 instances provide archival options, as do tools such as GFI. Outlook is pretty much AppleScriptable, so you should be able to automate this stuff yourself if you don’t have access to any of the other tools. Good luck!

September 7th, 2013

Posted In: Mac OS X, Mac OS X Server, Mass Deployment, Microsoft Exchange Server


I don’t believe in upgrading major operating systems for servers in place. There, I said it. If I’m doing an upgrade from Snow Leopard to Lion, I’m about 99.9% of the time going to do so with a clean install. Before I do so, I’m going to export all the data from my old server and when I’m done with the fresh, clean, loving installation, I’m going to import that data back into my server. Actually, before I import the data, I’m going to install all of the point releases, application updates and security patches. That’s my process for production servers.

Open Directory isn’t very different. I archive and restore servers as often as I reinstall, upgrade or even downgrade Open Directory Masters. I treat Replicas differently: mostly in that I don’t treat them at all. Instead I clean install them and just re-promote them once my Master is back in place. If I have any schema extensions or other mods I’ll just sync those myself prior to promotion. I trust my process; it’s worked for me for more years than I care to admit.

Before You Upgrade

Archiving Open Directory data is a pretty straightforward process. Open Server Admin from /Applications/Server and then click on the Open Directory service. From here, click on the Choose… button for Archive in: and select a location to store the Open Directory data. Then, click Archive and provide a password. Pretty easy so far.

Now, check your Kerberos Realm, IP address and hostname on the server. For the IP address, you can take screen shots of the Network System Preference pane, or pipe the output of ifconfig to a text file. For the hostname, I don’t trust the GUI of OS X (no offense to the excellent UX developers employed at Apple). Therefore, use scutil for the names. Also, we’ll want that Kerberos information; I usually just grab that from my Server Admin Open Directory screen. Finally, we’re also going to get the master config and the OD policies using slapconfig.
In sequence, these commands would be:

ifconfig > ~/Desktop/mytextfile
scutil --get HostName >> ~/Desktop/mytextfile
scutil --get ComputerName >> ~/Desktop/mytextfile
scutil --get LocalHostName >> ~/Desktop/mytextfile
sudo slapconfig -getmasterconfig >> ~/Desktop/mytextfile
sudo slapconfig -getmacosxodpolicy >> ~/Desktop/mytextfile

Also, back up any certificates, custom service principals you may have installed or other service data that is needed on the host, if any.

Installation

Once you’ve got all of the important stuff backed up and know what you’re going to call the server moving forward, it’s time to install the operating system. If the server came with a Lion operating system pre-installed, skip this part. Use a Lion computer to create a recovery partition using the Recovery Disk Assistant. Once you have a valid recovery partition (on a thumb drive for now), boot to it on the server you are upgrading and wipe the system through Disk Utility. This step is probably pretty scary. And it should be. Make sure all your data is backed up before you do it. By the way, if you haven’t copied the mytextfile then think long and hard about whether there’s anything else missing before you start the reformat process on that drive (I seem to have to learn all of my lessons the hard way)… I also like to have a clone of the system as a back-out plan, just in case there are any problems with the upgrade. It adds a little latency but I’ve had to revert a few times with these upgrades, and having that clone sure beats pulling an all-nighter…

Once wiped, choose the Reinstall Lion option and install the operating system. Then install all available patches (10.7.3 or higher is very, very important, btw). Once installed, use the App Store to buy Lion Server and install it, but don’t open it just yet. Remember those commands from earlier? When possible, Open Directory upgrades the smoothest when the IP address and host name are the same. Therefore, look at your mytextfile.
Set up the IP information the same as it was, verifying against ifconfig, and then use the first host name from the scutil output to configure the HostName (using mdm.krypted.com as my example):

sudo scutil --set HostName mdm.krypted.com

Then the second host name:

sudo scutil --set ComputerName mdm.krypted.com

And finally, the third:

sudo scutil --set LocalHostName mdm

Now check changeip:

sudo changeip -checkhostname

If it gives you the all clear, you’re ready to proceed. Next, download the Server Admin tools from Apple at http://support.apple.com/kb/DL1488. Provided that the installation is good, the host names match up in scutil and the IP address is the same as it was, open the Server app for the first time (from /Applications). The server will install the various components that complete the installation. Once installed, click on the Next Steps drawer and verify that the host name is good. If it is, you should see a message similar to the one below.

Promotion

Now promote your server. It’s going to be tempting to use Server Admin or slapconfig. If you use slapconfig you will regret it unless you use the new options supplied by Apple. Why? Because the Server app gracefully creates the SSL certificates used in directory services binding; certificates that are not created with the old style slapconfig commands. Given that I’ve not seen complete documentation for slapconfig (many of the options required for correct scripted promotion in Lion aren’t actually in the man page), I’d just use the GUI for now (and if you don’t like using a GUI, then I challenge you to build OpenLDAP, Kerberos and all the other components set up by the Server app from source – that might cure the CLI snobbiness we all have from time to time). Also, be careful with how you promote/demote – this article outlines some reasons not to use slapconfig -destroyldapserver any more.

From the Server app, click on Users in the Server sidebar.
Here, you’ll notice that all of the accounts that are listed are black busts of users. Groups are similar. So far, all users created are automatically local users. If that’s not what you want, remove any of those accounts prior to continuing. Click on Manage Network Accounts… to bring up the Configure Network Users and Groups wizard. Click Next at the introductory screen. Then provide the Directory Administrator information (e.g. diradmin with a password of diradmin for the security conscious) and click on Next. At the Organization Information screen, enter the information you want on the SSL certificate that is automatically generated for Open Directory. This includes the Organization Name and Admin Email address (this might not be enough information for some SSL providers, but it’s a good start); then click on Next. At the Confirm Settings screen, verify your information is as intended and then click on Set Up. The Open Directory Master is created. Once created, all new users will have the same icon as the local users, with the exception of a globe to indicate they are network accounts. Now check your logs to make sure everything installed smoothly.

Importing Users, Groups and Computers

Provided that the host name and IP address are the same on your server, importing the data back into Open Directory couldn’t be easier. Open Server Admin, then click on Open Directory and then on Archive in the top icon bar. Here, click on Choose and browse to the dmg you created when backing up the server. Click Restore and enter the password previously supplied. You can also import users from within the Server app.

Now that your users are back, it’s time to make sure they’re members of the groups that provide access to services. These are hidden by default, so in the Server app, use the Show System Accounts option under the View menu, or if you’d rather use Workgroup Manager, use Show System Records under the View menu to see the groups. Each service has a different group name.
For example, Profile Manager uses the Profile Manager ACL group (com.apple.access_devicemanagement as the short name). Add each user into the group that needs access to these services, click Save and you’re ready to bind some clients!

Binding Clients

Binding clients can be done in a few different ways. You can use a script, a Profile, the Users & Groups System Preference pane or build binding into the imaging process. For the purpose of this example, we’ll use the System Preference pane. To get started, open up System Preferences and then click on Users & Groups. From here, click on Login Options and then unlock the lock in the lower left corner of the screen, providing a username and password when prompted. Click on the Edit… button and then the plus sign (“+”). Then, enter the name of the Open Directory Master (the field will expand with options when you enter the host name). It’s probably best not to use the IP address at this point as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user. Provided everything works, that’s it. The devil is of course in the details. Good luck!
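As an added example (not from the original post), the following shell script turns the “Before You Upgrade” capture and the post-install “host names match up” check into something repeatable: od_snapshot_capture records the identity values the post collects (it runs the macOS commands, assuming en0 is the server’s interface), and od_snapshot_verify compares a snapshot against the current values so a mismatch is caught before the Open Directory archive is restored. The snapshot format, function names and sample values are mine; the sample snapshot is constructed from the post’s mdm.krypted.com example with a made-up address.

```shell
# Added example, not from the original post. Labelled variant of the post's
# mytextfile: one KEY=VALUE line per identity value that must survive the
# clean install (HostName, ComputerName, LocalHostName, IP address).

# od_snapshot_capture FILE: write the snapshot (macOS only; en0 is assumed).
od_snapshot_capture() {
    {
        printf 'HostName=%s\n' "$(scutil --get HostName)"
        printf 'ComputerName=%s\n' "$(scutil --get ComputerName)"
        printf 'LocalHostName=%s\n' "$(scutil --get LocalHostName)"
        printf 'IPAddress=%s\n' "$(ifconfig en0 | awk '/inet / {print $2}')"
    } > "$1"
}

# od_snapshot_get FILE KEY: print the value saved for KEY.
od_snapshot_get() {
    sed -n "s/^$2=//p" "$1"
}

# od_snapshot_verify FILE HOSTNAME COMPUTERNAME LOCALHOSTNAME IP:
# compare the current values (passed in) with the snapshot. Print each
# mismatch; return 0 when the identity is unchanged, 1 otherwise.
od_snapshot_verify() {
    file=$1; shift
    rc=0
    for key in HostName ComputerName LocalHostName IPAddress; do
        expected=$(od_snapshot_get "$file" "$key")
        current=$1; shift
        if [ "$expected" != "$current" ]; then
            echo "MISMATCH $key: snapshot='$expected' current='$current'"
            rc=1
        fi
    done
    return $rc
}

# Constructed snapshot using the post's example names and a test address.
SNAPSHOT=$(mktemp)
printf 'HostName=mdm.krypted.com\nComputerName=mdm.krypted.com\nLocalHostName=mdm\nIPAddress=192.0.2.10\n' > "$SNAPSHOT"

# On the rebuilt host you would pass the live values instead:
#   od_snapshot_verify "$SNAPSHOT" "$(scutil --get HostName)" \
#       "$(scutil --get ComputerName)" "$(scutil --get LocalHostName)" \
#       "$(ifconfig en0 | awk '/inet / {print $2}')"
if od_snapshot_verify "$SNAPSHOT" mdm.krypted.com mdm.krypted.com mdm 192.0.2.10; then
    echo "identity unchanged: run changeip -checkhostname, then restore the archive"
fi
rm -f "$SNAPSHOT"
```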

February 15th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Final Cut Server has an option to archive and restore assets. When archiving an asset, the asset will be moved to a file system path that is represented by the device ID. The archival and restore can be done using the steps shown in this video:
The process of archival and restore can be kicked off from the command line, which will initiate the movement of the asset. To archive an asset, you will use the archive verb with the fcsvr_client tool. This will require you to provide the asset ID number along with the device that you will be archiving the asset to. For example, to archive an asset with an ID of 318 to a device with an ID of 8 you will use the following command:
fcsvr_client archive /asset/318 /dev/8
Once archived, the asset can be easily restored provided that it is still in the archive path that it was backed up to. So assuming that the asset is still on /dev/8 you could use the following command to restore the asset (the device path is implied, as it is tracked in the metadata that corresponds to the asset ID):
fcsvr_client restore /asset/318
If archiving and restoring, it is never a bad idea to log that the action was sent to the queue. For example, if the asset ID were a variable of ASSET and the device had an ID of DEV then you could use the following to log that the automation had been fired off:
fcsvr_client archive /asset/$ASSET /dev/$DEV
/usr/bin/logger "Asset $ASSET is being copied to device $DEV"
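As an added example (not from the original post), the wrapper below does the same archive-and-log step but only logs “is being copied” when fcsvr_client actually accepted the request, logs the exit status when it did not, and refuses IDs that are not plain numbers. The FCS_CLIENT and FCS_LOGGER variables and the function names are mine, added so the wrapper can be exercised on a machine without Final Cut Server.

```shell
# Added example, not from the original post: a wrapper around
# "fcsvr_client archive /asset/ID /dev/ID" that validates the IDs, runs the
# client, and logs the outcome (success or failure) with logger.
# FCS_CLIENT and FCS_LOGGER are hypothetical overrides for testing.
FCS_CLIENT=${FCS_CLIENT:-fcsvr_client}
FCS_LOGGER=${FCS_LOGGER:-/usr/bin/logger}

# fcs_is_id VALUE: true only for a plain non-empty string of digits.
fcs_is_id() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# fcs_archive_asset ASSET DEV: queue the archive of /asset/ASSET to /dev/DEV,
# log what happened, and return the client's exit status (2 if the IDs were
# rejected before the client ran).
fcs_archive_asset() {
    asset=$1; dev=$2
    if ! fcs_is_id "$asset" || ! fcs_is_id "$dev"; then
        "$FCS_LOGGER" -t fcs-archive "refused: asset='$asset' dev='$dev' are not numeric IDs"
        return 2
    fi
    # Capture the client's exit status without tripping "set -e".
    "$FCS_CLIENT" archive "/asset/$asset" "/dev/$dev" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        "$FCS_LOGGER" -t fcs-archive "Asset $asset is being copied to device $dev"
    else
        "$FCS_LOGGER" -t fcs-archive "archive of asset $asset to device $dev failed (exit $rc)"
    fi
    return $rc
}

# Usage on a Final Cut Server host, mirroring the post's example:
#   fcs_archive_asset 318 8
```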

June 7th, 2010

Posted In: Final Cut Server


There is a new archives page. This allows you to view the entire history of the site by date or quickly search through titles. Well, I guess I shouldn’t say quickly; given the number of posts the archives page takes a good bit of time to load… Oh and in case I forgot to mention this earlier, I totally changed the color scheme of the whole site, converted most of the graphics to png (so they should load faster) and disabled a few “features” that I had created that were bogging it down. Running faster and I think possibly looking less vampiric.

December 22nd, 2009

Posted In: sites
