krypted.com

Tiny Deathstars of Foulness

Getting started with Messages Server couldn’t really be easier. Messages Server in the OS X Yosemite version of the Server app uses the open source jabber project as its back-end code base (and going back, OS X has used jabber since the inception of iChat Server all the way through Server 3). The sqlite setup file is located in the /Applications/Server.app/Contents/ServerRoot/private/var/jabberd directory and the autobuddy binary is at /Applications/Server.app/Contents/ServerRoot/usr/bin/jabber_autobuddy. The actual jabberd binary is also stored at /Applications/Server.app/Contents/ServerRoot/usr/libexec/jabberd, where there are a couple of perl scripts used to migrate the service between various versions as well.

Setting up the Messages service is simple. Open the Server app and click on Messages in the Server app sidebar.

Click on the Edit… button for the Permissions. Here, define which users and interfaces are allowed to use the service.

Once open, click on the checkbox for “Enable server-to-server federation” if you have multiple iChat, er, I mean, Messages servers and then click on the checkbox for “Archive all chat messages” if you’d like transcripts of all Messages sessions that route through the server to be saved on the server. You should use an SSL certificate with the Messages service. If enabling federation so you can have multiple Messages servers, you have to. Before enabling the service, click on the name of the server in the sidebar of Server app and then click on the Settings tab. From here, click on Edit for the SSL Certificate (which should be plural btw) entry to bring up a screen to select SSL Certificates.

At the SSL Certificates screen (here it’s plural!), select the certificate the Messages service should use from the available list supplied beside that entry and click on the OK button. If you need to set up federation, click back on the Messages service in the sidebar of Server app and then click on the Edit button. Then, click on the checkbox for Require server-to-server federation (making sure each server has the other’s SSL certificate installed) and then choose whether to allow any server to federate with yours or to restrict which servers are allowed. I have always restricted unless I was specifically setting up a server I wanted to be public (like public as in everyone in the world can federate to it, including the gorram reavers that want to wear your skin).

To restrict the service, provide a list of each server address capable of communicating with your server. Once all the servers are entered, click the OK button.
Obviously, if you only have one server, you can skip that. Once the settings are as you wish them to be, click on the ON/OFF switch to light up the service. To see the status of the service, once started, use the fullstatus option with serveradmin followed by the jabber indicator:

sudo serveradmin fullstatus jabber

The output includes whether the service is running, the location of jabber log files, the name of the server as well as the time the service was started, as can be seen here:

jabber:state = "RUNNING"
jabber:roomsState = "RUNNING"
jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
jabber:logPaths:MUC_STD_LOG = "/var/log/system.log"
jabber:logPaths:JABBER_LOG = "/var/log/system.log"
jabber:proxyState = "RUNNING"
jabber:currentConnections = "0"
jabber:currentConnectionsPort1 = "0"
jabber:currentConnectionsPort2 = "0"
jabber:pluginVersion = "10.8.211"
jabber:servicePortsAreRestricted = "NO"
jabber:servicePortsRestrictionInfo = _empty_array
jabber:hostsCommaDelimitedString = "mavserver.pretendco.lan"
jabber:hosts:_array_index:0 = "mavserver.pretendco.lan"
jabber:setStateVersion = 1
jabber:startedTime = ""
jabber:readWriteSettingsVersion = 1

There are also a few settings not available in the Server app. One of these that can be important is the port used to communicate between the Messages client and the Messages service on the server. For example, to customize this to 8080, use serveradmin followed by settings and then jabber:jabberdClientPortSSL = 8080, as follows:

sudo serveradmin settings jabber:jabberdClientPortSSL = 8080

To change the location of the saved Messages transcripts (here, we’ll set it to /Volumes/Pegasus/Book):

sudo serveradmin settings jabber:savedChatsLocation = "/Volumes/Pegasus/Book"

To see a full listing of the options, just run settings with the jabber service:

sudo serveradmin settings jabber

The output lists each setting configurable:

jabber:dataLocation = "/Library/Server/Messages"
jabber:s2sRestrictDomains = no
jabber:jabberdDatabasePath = "/Library/Server/Messages/Data/sqlite/jabberd2.db"
jabber:sslCAFile = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.chain.pem"
jabber:jabberdClientPortTLS = 5222
jabber:sslKeyFile = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.concat.pem"
jabber:initialized = yes
jabber:enableXMPP = no
jabber:savedChatsArchiveInterval = 7
jabber:authLevel = "STANDARD"
jabber:hostsCommaDelimitedString = "mavserver.pretendco.lan"
jabber:jabberdClientPortSSL = 5223
jabber:requireSecureS2S = no
jabber:savedChatsLocation = "/Library/Server/Messages/Data/message_archives"
jabber:enableSavedChats = no
jabber:enableAutoBuddy = no
jabber:s2sAllowedDomains = _empty_array
jabber:logLevel = "ALL"
jabber:hosts:_array_index:0 = "mavserver.pretendco.lan"
jabber:eventLogArchiveInterval = 7
jabber:jabberdS2SPort = 0
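
The federation, certificate and archiving choices made in the Server app show up in this listing, so it can be checked from a script. The following is an added example, not part of the original article or of Apple's tooling; the meaning of each key is inferred from its name and from the Server app options described above, and s2sAllowedDomains entries are assumed to use the same _array_index form as jabber:hosts.

```shell
#!/bin/sh
# Added example: flag risky Messages (jabber) settings in the output of
# `serveradmin settings jabber`. Key meanings are assumptions inferred from
# the key names and the Server app options described in the article.

# Constructed sample: a subset of the settings listing shown above.
sample_settings() {
cat <<'EOF'
jabber:s2sRestrictDomains = no
jabber:sslKeyFile = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.concat.pem"
jabber:requireSecureS2S = no
jabber:savedChatsLocation = "/Library/Server/Messages/Data/message_archives"
jabber:enableSavedChats = no
jabber:s2sAllowedDomains = _empty_array
EOF
}

# audit_jabber: read "key = value" lines on stdin, print one finding per line.
audit_jabber() {
    awk '
    {
        pos = index($0, " = ")
        if (pos == 0) next                  # not a key = value line
        key = substr($0, 1, pos - 1)
        val = substr($0, pos + 3)
        gsub(/^"|"$/, "", val)              # strip surrounding double quotes
        sub(/^jabber:/, "", key)
        # Array members are listed one per line; count the allowed domains.
        if (key ~ /^s2sAllowedDomains:_array_index:/) { allowed++; next }
        s[key] = val
    }
    END {
        if (s["sslKeyFile"] == "") {
            print "WARN sslKeyFile: no certificate configured"
        }
        if (s["requireSecureS2S"] != "yes") {
            print "WARN requireSecureS2S: secure federation is not required"
        }
        if (s["s2sRestrictDomains"] != "yes") {
            print "WARN s2sRestrictDomains: any server may federate"
        } else if (allowed + 0 == 0) {
            print "WARN s2sAllowedDomains: restriction enabled but list is empty"
        }
        if (s["enableSavedChats"] == "yes") {
            print "INFO enableSavedChats: transcripts stored in " \
                  s["savedChatsLocation"] ", review its permissions"
        }
    }'
}

# Stand-alone run against the constructed sample. On a server, use:
#   sudo serveradmin settings jabber | audit_jabber
sample_settings | audit_jabber
```
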

To stop the service:

sudo serveradmin stop jabber

And to start it back up:

sudo serveradmin start jabber

It’s also worth noting something that’s completely missing in this whole thing: Apple Push Notifications… Why is that important? Well, you use the Messages application to communicate not only with Mac OS X and other jabber clients, but you can also use Messages to send text messages. Given that there’s nothing in the server that has anything to do with texts, push or anything of the sort, it’s worth noting that these messages don’t route through the server and therefore still require an iCloud account. Not a huge deal, but worth mentioning that Messages server doesn’t have the same updates built into the Messages app. Because those messages don’t traverse the server, there are no transcripts of them.

October 19th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


The Time Machine service in Mountain Lion Server hasn’t changed much from the service in Lion Server. To enable the Time Machine service, open the Server app, click on Time Machine in the SERVICES sidebar. If the service hasn’t been enabled to date, the ON/OFF switch will be in the OFF position and no “Backup destination” will be shown in the Settings pane.

Click on the ON button to see a list of volumes to use as a destination for Time Machine backups. This should be large enough to have space for all of the users that can potentially use the Time Machine service hosted on the server. When you click the ON button, a list of volumes appears.

Here, click on the volume to save your backups to. In this case, it’s the internal hard drive; however, in most cases the Backup destination will be a mass storage device and not the boot volume of the computer. Once selected, click “Use for Backup” and the service will start. Don’t touch anything until the service starts. Once started, change the backup destination at any time using the Edit button.

Time Machine Server works via Bonjour. Open the Time Machine System Preference pane and then click on the Select Backup Disk button from a client to see the server in the list of available targets, much as you would do with an Apple Time Capsule.

Under the hood, a backup share is created in the file sharing service. To see the attributes of this share, use the serveradmin command followed by the settings option and then the sharing:sharePointList:_array_id:/Shared Items/Backups key:

sudo serveradmin settings sharing:sharePointList:_array_id:/Shared Items/Backups

The output indicates the options configured for the share, including how locking is handled, guest access disabled, generated identifiers and the protocols the backups share listens as:

sharing:sharePointList:_array_id:/Shared Items/Backups:dsAttrTypeStandard:GeneratedUID = "1B1C7CFB-2B95-4087-B28B-C786E9CD68E2"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbName = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/Backups:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Shared Items/Backups:afpName = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Shared Items/Backups:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Shared Items/Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/Backups:name = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:ftpName = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbIsShared = no
sharing:sharePointList:_array_id:/Shared Items/Backups:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:timeMachineBackupUUID = "29B22ADA-97A3-46B2-9CB3-8EF9AFC9334E"
sharing:sharePointList:_array_id:/Shared Items/Backups:isTimeMachineBackup = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:dsAttrTypeNative:sharepoint_group_id = "59161FF9-78E7-4A41-B071-B6E60866694F"
sharing:sharePointList:_array_id:/Shared Items/Backups:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:mountedOnPath = "/"

Once the service is running, administrators frequently fill up the target volume. To move data to another location, first stop the service and then move the folder (e.g. using mv). Once moved, use the serveradmin command to send settings to the new backup path. For example, to change the target to /Volumes/bighonkindisk, use the following command:

sudo serveradmin settings sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Volumes/bighonkindisk"

Another way to see the share and attributes of the share is through the sharing command:

sharing -l

Which should show output similar to the following:

List of Share Points
name: Backups
path: /Shared Items/Backups
afp: {
name: Backups
shared: 1
guest access: 0
inherit perms: 0
}
ftp: {
name: Backups
shared: 0
guest access: 0
}
smb: {
name: Backups
shared: 0
guest access: 0
}

There’s also a Bonjour service published that announces to other clients on the same subnet that the server can be used as a backup destination (the same technology used in a Time Capsule).

One major difference between the Time Machine service and others is that there’s no specific serveradmin option for tm or tmutil (the Time Machine command line) or timemachine. Instead, most everything piggy-backs off the sharing service. Also, what I consider a major difference is that most other services now have generic names (e.g. Address Book is now called Contacts, iCal is now called Calendar, etc). The only services still using marketing terms as their names are really Profile Manager, Time Machine and Open Directory. I would expect these to eventually be called Profiles, Backup and Directory to keep the naming convention already started with the rest of the services.

I think that as a free aspect of OS X Server Time Machine Server is well worth the money for small workgroups. However, there are backup solutions from 3rd party vendors worth far more than their purchase price due to reduced disk capacity requirements (e.g. through deduplication), reduced overhead (e.g. by streamlining or accelerating traffic for the backup protocols, or even offloading all the work to the client systems) and allowing for more redundancy to backups (e.g. 2 targets). This additional logic can at first appear to come at a steep cost, but when you look at bandwidth, disk and other expenditures to get Time Machine server integrated it can be a challenge. Also, Time Machine is built to work via Bonjour, meaning that by virtue it’s then limited to smaller subnets. Time Machine Server is a great add-on, but many organizations may quickly outgrow it. Not all though, and so for a SoHo comprehensive server that needs to provide for client-based backups, OS X Server has a great feature in Time Machine.

While I found plenty to ramble on about in this article, nothing has really changed since the Lion iteration of the service. Mass deployment is still the same, as is client side configuration. One change is that the screen for the Time Machine Options on the client no longer has an option for managing Versions, as seen below.

August 1st, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


There are a number of ways to troubleshoot network connections on (or using) an iOS device. These can be common troubleshooting steps that you might run from the command line or a third party app on a desktop computer or they could be specific to testing the network environment for an iOS device. Some of these apps are even free.

Ping Lite
One of the most common tasks that most administrators routinely do to test both DNS resolution and connectivity is pinging something. Ping Lite comes with a function to show your IP, a ping tool, a tool to ping the subnet, the ability to run trace routes and for good measure a little telnet love as well. Not bad for the fat price of nothing. Developed by MochaSoft, Ping Lite is a must for anyone who does any kind of network troubleshooting, unless you’re paying good money for a more robust tool!

NSLookup
Ping Lite is a great tool for isolating whether you’re having connectivity problems to an IP address. However, if Exchange’s auto discover isn’t working or some other

Bonjour Browser
One of my favorite tools for finding things on the network, Bonjour is a multicast tool and what many of the features meant to be used in a home where zero configuration networking is important

Speed Test
I think that one of the more common tasks in troubleshooting network connections is to determine whether Internet speed is satisfactory. Satisfactory is a relative term, both relative to the expected performance and relative to the perception of users. For example, the bandwidth that a user is getting on a device may exceed the expected performance based on the speed provided by the DSL, cable modem or other WAN connection provided. However, that speed may be less than what the users would like (one can never have enough bandwidth!).

ezShare
ezShare is a nice little tool that lets administrators log into shares of various types. The cool thing about this little tool is that you can connect via SSH, FTP, WebDAV, S3, Google Docs, Box.net, SMB/CIFS, or NFS. This allows you to test WebDAV from a different tool if you’re having a problem opening WebDAV connections from within Pages, test the speed of downloading a document from an FTP site, check Google Docs or Box.net connectivity and even see if that file server is available when users call in with problems connecting to SMB/CIFS shares on Windows servers.

Bonus App:
AirPort Utility
If you have an Apple AirPort acting as a WAP or the gateway to your office/home then this little app is awesome. Apple has eased the setup process for their Wireless Access Points to the point that you can set the entire thing up, change settings and even troubleshoot the odd connectivity issue without ever touching a desktop computer. AirPort Utility is also a great way to test whether you can connect to shares hosted by devices and update passwords on the fly.

February 13th, 2012

Posted In: iPhone


The process that makes Bonjour work is mDNSResponder, located in /usr/sbin. /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist invokes mDNSResponder on boot. One of the easiest ways to troubleshoot issues you think are related to Bonjour is to temporarily disable the mDNSResponder:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

To enable it:

launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

In addition to basic starting and stopping of the mDNSResponder, when troubleshooting any service, one should always look at logs. Log events are logged to the standard syslog facility and so are available via Console. These are located at /var/log/system.log. Searching for mDNSResponder errors in system.log can also be done from the command line using:

cat /var/log/system.log | grep mDNSResponder

Or interactively so you can watch errors as they appear:

tail -f /var/log/system.log | grep mDNSResponder

To see more information in system.log, send a SIGUSR1 to mDNSResponder using killall:

sudo killall -USR1 mDNSResponder

To then see packet-level information in system.log, send a SIGUSR2 to mDNSResponder:

sudo killall -USR2 mDNSResponder

To dump the state into system.log:

sudo killall -INFO mDNSResponder

mDNSResponder uses Mach port 5123. Each service that is Bonjour-enabled will register itself with mDNSResponder at that port and can be queried. These are similar to DNS records where they have a prefix for the service and a suffix of the TCP/IP type. For example, IPP Printing is _ipp._tcp, Remote Apple Events is _eppc._tcp., Remote Frame Buffer is _rfb._tcp., SSH is _ssh._tcp., SFTP is _sftp-ssh._tcp., Apple’s Home Sharing is called _home-sharing._tcp, iTunes Music Sharing is _afpovertcp._tcp. and AFP is _afpovertcp._tcp. As an example of UDP traffic, ARD is known as _net-assistant._udp.

To see which services are registered (and register services if you build a network service that needs one), use the mDNS command. The -B option for mDNS can be used to query a given namespace. For example, the _afpovertcp._tcp namespace can be queried using the following command:

mDNS -B _afpovertcp._tcp

This would result in the following output, showing all live instances that the system sees:

Timestamp     A/R Flags Domain                   Service Type             Instance Name

18:29:40.771  Add     0 local.                   _afpovertcp._tcp.        Krypted MacBook Air
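
Browse output is a running event stream, so an instance that has gone away still appears in its earlier Add row. The following added example (not from the original article) folds captured output into the set of instances still being advertised and lists any that are not on a list of expected ones; the sample rows other than the first, the "Rmv" marker for a withdrawn instance and the optional "if" column of newer dns-sd output are assumptions.

```shell
#!/bin/sh
# Added example: reduce captured browse output (mDNS -B / dns-sd -B) to the
# instances currently advertised, then report the ones nobody expected.

# Constructed sample in the column layout shown above. "Rmv" rows are assumed
# to mark an instance that has stopped advertising.
sample_browse() {
cat <<'EOF'
Timestamp     A/R Flags Domain                   Service Type             Instance Name
18:29:40.771  Add     0 local.                   _afpovertcp._tcp.        Krypted MacBook Air
18:29:41.102  Add     0 local.                   _afpovertcp._tcp.        mavserver
18:31:07.554  Rmv     0 local.                   _afpovertcp._tcp.        Krypted MacBook Air
18:31:09.310  Add     0 local.                   _afpovertcp._tcp.        Lab Mini
EOF
}

# live_instances: print "<service type> <instance name>" for every instance
# whose last event was an Add, sorted.
live_instances() {
    awk '
    # Header row: newer dns-sd output has an extra "if" column before Domain.
    $1 == "Timestamp" { d = ($4 == "if") ? 5 : 4; next }
    $2 == "Add" || $2 == "Rmv" {
        if (!d) d = 4                       # no header seen: assume the layout above
        name = $(d + 2)                     # instance names may contain spaces
        for (i = d + 3; i <= NF; i++) name = name " " $i
        id = $(d + 1) " " name
        if ($2 == "Add") live[id] = 1; else delete live[id]
    }
    END { for (id in live) print id }' | sort
}

# unexpected_instances EXPECTED...: live instances not named in the arguments.
unexpected_instances() {
    live_instances | while IFS= read -r inst; do
        known=no
        for ok in "$@"; do
            if [ "$inst" = "$ok" ]; then known=yes; fi
        done
        if [ "$known" = no ]; then printf '%s\n' "$inst"; fi
    done
}

# Stand-alone run against the constructed sample.
sample_browse | unexpected_instances "_afpovertcp._tcp. mavserver"
```
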

To register services with Bonjour, use the -R operator and to look up information about a given service instance, use the -L operator. The -L operator allows you to get a lot of information about a given object. Once you have found the object using the -B option you’ll have the Domain and Instance Name. These can be supplied to mDNS to get IPv4, IPv6, port number, and TXT records, which provide a bevy of options, such as information about printers and other services or objects. For example, Mac OS X automatically generates information about printers based on built-in OS information about those printers, such as staple support (Staple=F), collate support (Collate=T) and CUPS admin URLs (adminurl:http://<computer name>:631/printers/<printername>). Other services such as Home Sharing might make heavy use of Machine Names or iTunes Database IDs.

To use mDNS to obtain this extended output, use the mDNS command, along with the -L option, followed by the Instance Name (the instance name is defined by the service registering the instance and can be a printer name, a computer name, a GUID or whatever the vendor chooses to use). After the Instance Name, provide the address space (Service Type) and then the domain from the -B output. For example, to look at an HP 8565 shared from Krypted MacBook Air called “HP 8565 Krypted MacBook Air”, I would use:

mDNS -L "HP 8565 Krypted MacBook Air" _ipp._tcp local.

Other operators not in the man page, but available, include -E for finding recommended registration domains, -F for finding information about browsing domains, -A to test updates to records, -U to test updates to TXT records, -N to test updates to NULL records, -T to test adding big records, -M for multiple records and -I for immediately updating records rather than running through cache. Also available for querying is dns-sd, using identical syntax as mDNS and with the same output. Data regarding systems doesn’t always change dynamically. To reload information following changes, use the -flushcache option of dscacheutil:

dscacheutil -flushcache

When I have a chance I’ll try and look at multiple domain name spaces and registering text records as a part 2 of this article, but for now there’s a 2 year old who just woke up and is wanting a little attention (and deservedly so).

March 27th, 2011

Posted In: Mac OS X, Mac Security, Mass Deployment


Based on a few messages I got after the article on building netatalk to host afp on Linux, it looks like building netatalk to host your shares just isn’t enough. I guess people still like Bonjour or something… In that case, let’s make this netatalk thingie announce itself to the world (er, your local network)!

Avahi is much simpler than netatalk, given that there’s none of this dhx nonsense preventing us from using aptitude (again, this whole thing is for Debian/Ubuntu and you’re gonna’ need to escalate those privileges):

aptitude install avahi-daemon

Then we’re gonna’ need to teach it about the whole afpd service we built, which is done in the manner that makes the least sense for Debian, xml. Create a new file called /etc/avahi/services/afpd.service:

touch /etc/avahi/services/afpd.service

Then paste the XML in there (assuming you’re running afp on port 548):

<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
</service-group>

And now let’s kick that avahi daemon:

/etc/init.d/avahi-daemon restart

Not nearly as painful as netatalk, avahi makes for a very nice way to let Mac OS X clients know that your server is out there. OH, don’t forget to check that avahi is set in /etc/default/avahi-daemon (the AVAHI_DAEMON_START variable in there should be set to a 1).

November 13th, 2010

Posted In: Mac OS X Server, Ubuntu, Unix


Flow is a nice little FTP client. But it also supports WebDAV and SFTP as well as Amazon’s S3 and mounting an iDisk from a Mobile Me account. Unlike JungleDisk it doesn’t seem to mount S3 as an actual disk in Mac OS X, but it can be used to take files from iDisk to S3, which is fairly interesting. Flow also supports discovering all of the local services over Bonjour, which can be pretty helpful. Overall, it’s a nice little application that’s pretty sleek and I look forward to seeing where they go with it.

August 26th, 2009

Posted In: Mac OS X, MobileMe


May 21st, 2007

Posted In: Mac OS X
