krypted.com

Tiny Deathstars of Foulness

The NetBoot service lets administrators of OS X computers boot Macs from disk images hosted on a server, so that systems can be imaged, upgraded or otherwise automated from a central location. Since the very first versions of OS X, the service has been called NetBoot. In the Server app, Apple now calls the service NetInstall and provides a number of Automator-style actions for building images. The first step in configuring the NetInstall service is to decide what you want it to do. There are three options available in System Image Utility (found under the Tools menu of the Server app in OS X Server):
  • Create a NetBoot Image: Allows Macs to boot over the network to a disk image hosted on a server.
  • Create a NetInstall Image: Leverage NetBoot as a boot disk so that an image hosted on a server can be used to run an OS X installer.
  • Create a NetRestore Image: Leverage NetBoot as a boot disk so that you can restore a computer that has been configured over a network. Use this option to restore an image that has been prepared.
For the purposes of this example, we’re going to use an OS X El Capitan (10.11) installer running Server 5 to boot an OS X computer over the network. The first step in doing so is to create a Network Disk Image of 10.9, or the 10.9 installation media (which is the Install OS X Mavericks bundle for this example). Before setting it up, download the Install OS X El Capitan installer app into the /Applications directory from the App Store.

Create An Image

To set up the NetBoot disk image (you can’t start the NetInstall service until you give it an image to serve), often referred to as the NetBoot set, open the Server app and then choose System Image Utility from the Tools menu.

When System Image Utility opens, click on the Install OS X El Capitan entry in the list of available sources and click Next.

Then, in the list of options, click on NetBoot Image and then click on the Next button.

At the License Agreement screen, click Agree.

Then provide an account name, short name and password in the Image Settings screen. Also choose the language of the user and select whether you want the account to log in automatically. Once provided, click Next.

Next, select any profiles, packages or post-install scripts to run on the NetBoot image once created. Here, you can use a profile to deploy a printer or bind to Active Directory, or use a package to install software. Post-install scripts allow you to do pretty much anything you’d like to a system, provided it’s allowed by SIP.

At the System Configuration screen, choose how you’d like systems to receive names. Here, you can provide a name as a base for computers to get a computer name, or you can use a file to deploy names.
In most cases, you should also check the box for “Match to client after install.” Click Next once you’ve selected how this should occur.

At the Directory Servers screen, click on the plus sign if you’d like to bind the system to a particular directory server. In this example, we’re binding to ad.krypted.com. Also provide an account with access to bind to the directory you’re binding to. In this case, we’re using the built-in admin account for Active Directory. Click Add once you’ve provided the appropriate directory server and credentials.

At the Image Settings screen, provide a name for the image, as well as how the index number for the image is created. Note that each image should have a unique image index, so unless you’re storing your image on multiple servers, it’s best left at the defaults. Click Next.

At the Supported Computer Models screen, you can choose which models of computer you don’t wish to support for this image. We’re not doing that here, but it’s useful, for example, if you’d like to exclude desktops from an image.

At the Filter Clients By MAC Address screen, you can choose to explicitly allow or deny given MAC addresses. We’re not going to do that as part of this workflow, so just click Next (unless of course you’d like to do that).

Then, when prompted, select a location to store the Disk Image, provide any tags to be applied to the files that comprise the image and click on Save. The computer will then start creating the NetBoot set.

Setup The NetInstall Service

Once finished, it’s time to set up the NetInstall service in OS X Server. To get started, go back to the Server app. First, define which disk will host NetBoot Images.
To do so, click on the Edit Storage Settings button. At the Storage Settings overlay, select the volume on which Images will be hosted as well as the volume on which Client Data will be hosted. The Image is what you are creating and the Client Data is the dynamic data stored for clients booted from those images. If you only have one disk, as in this example, click on “Images & Client Data” for that disk. Then click on the OK button.

Once you’ve selected a disk to store your image, copy the disk image into the Library/NetBoot/NetBootSP0 folder of the disk used for images. Then click on the Edit button for Network Interfaces, select the network interface you wish to serve images over, and click OK. Refresh the Server app (Command-R) and, provided the image was created and moved into the /Library/NetBoot/NetBootSP0 directory of a volume set to host images, the image will appear in the images list with a green indicator light. The green indicator light means the image is being served over the network.

Double-click on an image. At the image settings screen, you can select NFS instead of the default HTTP protocol for “Make available over”. Note that you can also restrict access to the image to certain models of Apple computers and/or certain MAC addresses by using the “Image is visible to” and “Restrict access to this image” options respectively. Additionally, use the “Make this image available for diskless booting” option to allow computers without hard drives to boot to the image. Click on the OK button.

Click on the image and then click on the cog-wheel icon. Click on “Use as Default Boot Image” to set an image as the default image computers boot to when booting to NetBoot. Now, it’s as easy as clicking on the ON button. Do so to start the service.
Once started, open a Terminal window. Here, let’s get the status of the service using the serveradmin fullstatus option (along with the service name, which is still netboot from the command line):

sudo serveradmin fullstatus netboot

The output shows the various components, logs and states of components:

netboot:state = "RUNNING"
netboot:stateTFTP = "RUNNING"
netboot:readWriteSettingsVersion = 1
netboot:netBootConnectionsArray = _empty_array
netboot:logPaths:netBootLog = "/var/log/system.log"
netboot:dhcpLeasesArray = _empty_array
netboot:stateDHCP = "STOPPED"
netboot:stateHTTP = "RUNNING"
netboot:serviceCanStart = 1
netboot:timeOfSnapshot = "2015-09-27 02:07:32 +0000"
netboot:stateNFS = "STOPPED"
netboot:stateImageArray:_array_index:0:_array_index:0 = 1
netboot:stateImageArray:_array_index:0:_array_index:1 = 0
netboot:stateImageArray:_array_index:0:_array_index:2 = 0
netboot:stateImageArray:_array_index:0:_array_index:3 = 1
netboot:stateImageArray:_array_index:0:_array_index:4 = 2
netboot:stateImageArray:_array_index:1:_array_index:0 = 0
netboot:stateImageArray:_array_index:1:_array_index:1 = 0
netboot:stateImageArray:_array_index:1:_array_index:2 = 0
netboot:stateImageArray:_array_index:1:_array_index:3 = 0
netboot:stateImageArray:_array_index:1:_array_index:4 = 2
netboot:stateImageArray:_array_index:2:_array_index:0 = 0
netboot:stateImageArray:_array_index:2:_array_index:1 = 0
netboot:stateImageArray:_array_index:2:_array_index:2 = 0
netboot:stateImageArray:_array_index:2:_array_index:3 = 0
netboot:stateImageArray:_array_index:2:_array_index:4 = 2
netboot:stateImageArray:_array_index:3:_array_index:0 = 0
netboot:stateImageArray:_array_index:3:_array_index:1 = 0
netboot:stateImageArray:_array_index:3:_array_index:2 = 0
netboot:stateImageArray:_array_index:3:_array_index:3 = 0
netboot:stateImageArray:_array_index:3:_array_index:4 = 2
netboot:servicePortsRestrictionInfo = _empty_array
netboot:netBootClientsArray = _empty_array
netboot:servicePortsAreRestricted = "NO"
netboot:setStateVersion = 1
netboot:startedTime = "2015-09-27 02:06:53 +0000"
netboot:stateAFP = "STOPPED"

And to start the service when not running:

sudo serveradmin start netboot

There are also a number of settings available at the command line that are not in the graphical interface. For example, to allow writing to the NetBoot share:

sudo serveradmin settings netboot:netBootStorageRecordsArray:_array_index:0:readOnlyShare = no

Or to get more verbose logs:

sudo serveradmin settings netboot:logging_level = "HIGH"

To stop the service:

sudo serveradmin stop netboot

In the beginning of this article, I mentioned the three ways to configure NetInstall images. I’ll cover NetInstall and NetRestore in later articles, as they tend to be more involved workflow-wise than copying a volume into a Network Disk Image. But to end this one, many an old-school admin might wonder where all the settings went that used to be in the GUI. Well, serveradmin still maintains a lot of the older stuff. To see a list of all available settings, run serveradmin with the settings verb and then netboot:

sudo serveradmin settings netboot

If there is a feature you want to use (e.g. maximum users), you should see it in the resultant list:

netboot:netBootFiltersRecordsArray = _empty_array
netboot:netBootStorageRecordsArray:_array_index:0:sharepoint = yes
netboot:netBootStorageRecordsArray:_array_index:0:clients = yes
netboot:netBootStorageRecordsArray:_array_index:0:volType = "hfs"
netboot:netBootStorageRecordsArray:_array_index:0:okToDeleteSharepoint = no
netboot:netBootStorageRecordsArray:_array_index:0:readOnlyShare = no
netboot:netBootStorageRecordsArray:_array_index:0:path = "/"
netboot:netBootStorageRecordsArray:_array_index:0:okToDeleteClients = yes
netboot:netBootStorageRecordsArray:_array_index:0:volName = "Macintosh HD"
netboot:netBootPortsRecordsArray:_array_index:0:deviceAtIndex = "en5"
netboot:netBootPortsRecordsArray:_array_index:0:nameAtIndex = "USB 10/100/1000 LAN"
netboot:netBootPortsRecordsArray:_array_index:0:isEnabledAtIndex = yes
netboot:logging_level = "MEDIUM"
netboot:filterEnabled = no
netboot:netBootImagesRecordsArray:_array_index:0:RootPath = "NetBoot.dmg"
netboot:netBootImagesRecordsArray:_array_index:0:IsInstall = no
netboot:netBootImagesRecordsArray:_array_index:0:Kind = "1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:0 = "MacBookAir6,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:1 = "MacBookAir5,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:2 = "MacBookAir7,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:3 = "MacBookAir2,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:4 = "MacBookAir5,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:5 = "MacBookAir4,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:6 = "MacBookAir4,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:7 = "MacBookAir6,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:8 = "MacBookAir7,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:9 = "MacBookAir3,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:10 = "MacBookAir3,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:11 = "MacBookPro5,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:12 = "MacBookPro9,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:13 = "MacBookPro6,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:14 = "MacBookPro6,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:15 = "MacBookPro8,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:16 = "MacBookPro11,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:17 = "MacBookPro7,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:18 = "MacBookPro11,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:19 = "MacBookPro10,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:20 = "MacBookPro12,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:21 = "MacBookPro11,4"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:22 = "MacBookPro11,5"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:23 = "MacBookPro3,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:24 = "MacBookPro4,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:25 = "MacBookPro8,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:26 = "MacBookPro10,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:27 = "MacBookPro5,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:28 = "MacBookPro5,5"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:29 = "MacBookPro5,4"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:30 = "MacBookPro5,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:31 = "MacBookPro9,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:32 = "MacBookPro11,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:33 = "MacBookPro8,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:34 = "iMac14,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:35 = "iMac9,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:36 = "iMac7,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:37 = "iMac12,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:38 = "iMac11,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:39 = "iMac14,4"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:40 = "iMac11,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:41 = "iMac13,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:42 = "iMac15,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:43 = "iMac12,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:44 = "iMac8,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:45 = "iMac10,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:46 = "iMac13,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:47 = "iMac14,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:48 = "iMac14,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:49 = "iMac13,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:50 = "iMac11,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:51 = "Macmini5,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:52 = "Macmini5,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:53 = "Macmini4,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:54 = "Macmini5,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:55 = "Macmini3,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:56 = "Macmini6,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:57 = "Macmini6,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:58 = "Macmini7,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:59 = "MacBook8,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:60 = "MacBook7,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:61 = "MacBook5,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:62 = "MacBook6,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:63 = "MacBook5,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:64 = "MacPro3,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:65 = "MacPro5,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:66 = "MacPro4,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:67 = "MacPro6,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:68 = "Xserve3,1"
netboot:netBootImagesRecordsArray:_array_index:0:Description = "NetBoot of OS X 10.11 (15A178w) Install (9.12 GB)."
netboot:netBootImagesRecordsArray:_array_index:0:Name = "NetBoot of Install OS X 10.11 El Capitan"
netboot:netBootImagesRecordsArray:_array_index:0:imageType = "netboot"
netboot:netBootImagesRecordsArray:_array_index:0:Index = 3089
netboot:netBootImagesRecordsArray:_array_index:0:osVersion = "10.11"
netboot:netBootImagesRecordsArray:_array_index:0:BackwardCompatible = no
netboot:netBootImagesRecordsArray:_array_index:0:SupportsDiskless = no
netboot:netBootImagesRecordsArray:_array_index:0:EnabledSystemIdentifiers = _empty_array
netboot:netBootImagesRecordsArray:_array_index:0:Language = "Default"
netboot:netBootImagesRecordsArray:_array_index:0:BootFile = "booter"
netboot:netBootImagesRecordsArray:_array_index:0:IsDefault = no
netboot:netBootImagesRecordsArray:_array_index:0:Type = "HTTP"
netboot:netBootImagesRecordsArray:_array_index:0:Architectures = "4"
netboot:netBootImagesRecordsArray:_array_index:0:IsEnabled = yes
netboot:netBootImagesRecordsArray:_array_index:0:pathToImage = "/Library/NetBoot/NetBootSP0/NetBoot of Install OS X 10.11 El Capitan.nbi/NBImageInfo.plist"
netboot:afpUsersMax = "50"

Boot to Your NetBoot Image

Next, you’ll want to have a computer boot to the NetBoot image you just created.
Once upon a time, you would use the bless command to select a path to an image that you wanted to boot to. Or you’d just boot holding down the N key and let the system pick an image. As of OS X 10.11, due to SIP restrictions, you’ll use the csrutil command to set a NetBoot address. To do so, run csrutil followed by the netboot option and then the add verb, followed by an address. In the following example, we’ll set the system to boot to the NetBoot server at 10.0.0.10:

csrutil netboot add 10.0.0.10

Once you’ve finished any NetBoot workflows, use the remove verb to remove that address:

csrutil netboot remove 10.0.0.10

And to list the NetBoot servers you’ve added, use the list verb:

csrutil netboot list

Overall, all of this usually takes me a good 10 minutes of work, plus maybe up to half an hour of waiting for an image to create. You can use NetBoot to remotely boot systems, or NetInstall to remotely install systems. There are lots of articles out there (including here) on how to make sure clients can access these images over a network, so I won’t rehash
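Everything serveradmin prints, for fullstatus as well as settings and for any service, is a flat list of colon-delimited key paths with one `path = value` per line, where `_array_index:N` (or, for the DHCP service, `_array_id:<uuid>`) marks array elements. That makes it easy to script an audit of a NetBoot server instead of eyeballing the dump. The Python below is an added example, not code from krypted.com or from Apple: it parses that format into nested dicts and then flags the settings from the dump above that matter from a defender's point of view (a writable NetBoot share, no MAC address filter, a logging level below HIGH, and no default image). SAMPLE_SETTINGS is a constructed excerpt with the same shape as the output above; on a server you would feed it the output of `sudo serveradmin settings netboot` instead.

```python
"""Parse serveradmin key/value output and audit a NetBoot server's settings.

Added example; not code from krypted.com or from Apple. SAMPLE_SETTINGS is a
constructed excerpt shaped like `sudo serveradmin settings netboot` output.
"""

SAMPLE_SETTINGS = """\
netboot:netBootStorageRecordsArray:_array_index:0:readOnlyShare = no
netboot:netBootStorageRecordsArray:_array_index:0:path = "/"
netboot:logging_level = "MEDIUM"
netboot:filterEnabled = no
netboot:netBootImagesRecordsArray:_array_index:0:Name = "NetBoot of Install OS X 10.11 El Capitan"
netboot:netBootImagesRecordsArray:_array_index:0:IsEnabled = yes
netboot:netBootImagesRecordsArray:_array_index:0:IsDefault = no
netboot:netBootImagesRecordsArray:_array_index:0:Type = "HTTP"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:0 = "MacBookAir6,1"
netboot:netBootImagesRecordsArray:_array_index:0:EnabledSystemIdentifiers = _empty_array
netboot:afpUsersMax = "50"
"""


def parse_value(raw):
    """Convert serveradmin's value syntax: quoted strings, yes/no, integers and the _empty_* markers."""
    raw = raw.strip()
    if raw == "_empty_array":
        return []
    if raw == "_empty_dictionary":
        return {}
    if raw in ("yes", "no"):
        return raw == "yes"
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_serveradmin(text):
    """Turn `a:b:_array_index:0:c = v` lines into nested dicts.

    Array elements become dict entries keyed by their index (or _array_id), so
    netboot:netBootImagesRecordsArray:_array_index:0:Name ends up at
    result["netboot"]["netBootImagesRecordsArray"]["0"]["Name"].
    """
    root = {}
    for line in text.splitlines():
        if " = " not in line:
            continue  # blank lines and anything that is not a setting
        path, _, raw = line.partition(" = ")
        # Drop the _array_index/_array_id markers; the component after each is the key.
        keys = [p for p in path.split(":") if p not in ("_array_index", "_array_id")]
        node = root
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = parse_value(raw)
    return root


def audit_netboot(settings):
    """Return findings a defender cares about; an empty list means nothing was flagged."""
    nb = settings.get("netboot", {})
    findings = []
    for idx, store in nb.get("netBootStorageRecordsArray", {}).items():
        if store.get("readOnlyShare") is False:
            findings.append(f"storage {idx} at {store.get('path')}: share is writable (readOnlyShare = no)")
    if nb.get("filterEnabled") is False:
        findings.append("filterEnabled = no: no MAC address filter, any client on the segment may boot the images")
    if nb.get("logging_level") != "HIGH":
        findings.append(f"logging_level = {nb.get('logging_level')}: raise to HIGH while troubleshooting or investigating")
    images = nb.get("netBootImagesRecordsArray", {})
    if not any(img.get("IsDefault") for img in images.values()):
        findings.append("no image has IsDefault = yes (set it with 'Use as Default Boot Image')")
    return findings


if __name__ == "__main__":
    for finding in audit_netboot(parse_serveradmin(SAMPLE_SETTINGS)):
        print("WARN:", finding)
```

The parser is deliberately service-agnostic: the same `parse_serveradmin` works on `serveradmin fullstatus netboot` or on any other service's settings dump, and only `audit_netboot` knows which keys matter for NetBoot.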

October 7th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security


DHCP, or Dynamic Host Configuration Protocol, is the service used by network appliances and servers to hand out IP addresses and other network settings. The DHCP server built into OS X Server 3, installed on Yosemite running the Server app (aka Yosemite frickin’ server), is easy to use and fast. It’s pretty transparent, just as DHCP services should be. To install the service, open the Server app and then click on the Show button beside Advanced in the server sidebar. Then click on DHCP.


At the DHCP screen, you’ll see two tabs: Settings, used for managing the service and Clients, used to see DHCP leases in use by computers that obtain IP address information from the server. You’ll also see an ON and OFF switch, but we’re going to configure our scopes, or Networks as they appear in the Server app, before we enable the service. To configure a scope, double-click on the first entry in the Networks list.


Each scope, or Network, will have the following options:

  • Name: A name for the scope, used only on the server to keep track of things.
  • Lease Duration: Select an hour, a day, a week or 30 days. This is how long a lease that is provided to a client is valid before the lease expires and the client must find a new lease, either from the server you’re configuring or a different host.
  • Network Interface: The network interface you’d like to share IPs over. Keep in mind that you can tag multiple VLANs on a NIC, assign each an interface in OS X and therefore provide different scopes for different VLANs with the same physical computer and NIC.
  • Starting IP Address: The first IP address used. For example, if you configure a scope to go from 192.168.210.200 to 192.168.210.250 you would have 50 usable IP addresses.
  • Ending IP Address: The last IP address used in a scope.
  • Subnet Mask: The subnet mask used for the client configuration. This setting determines the size of the network.
  • Router: The default gateway, or router, for the network. Often a .1 address in the subnet used for the Starting and Ending IP address fields. Note that while DHCP itself doesn’t require a gateway, OS X Server does force you to provide one or you cannot save changes to the scope.
  • DNS: Use the Edit button for DNS to bring up a screen that allows you to configure the DNS settings provided as part of each DHCP scope you create. Take note that, by default, you will be handing out a DNS server of 0.0.0.0 if you don’t configure this setting.

The DNS settings in the DHCP scope are really just the IP addresses to use for the DNS servers and the search domain. The search domain is the domain name appended to all otherwise incomplete Fully Qualified Domain Names. For example, if we use internal.krypted.lan and we have a DNS record for wiki.internal.krypted.lan then we could just type wiki into Safari to bring up the wiki server. Click the minus sign button to remove any data in these fields and then click on the plus sign to enter new values.


Click OK to save DNS settings and then OK to save each scope. Once you’ve built all required scopes, start the service. Once started, verify that a new client on the network gets an IP. Also, make sure that there are no overlapping scopes and that, if you are moving a scope from one device to another (e.g. the server you’re setting up right now), you renew all leases on client systems, most easily done using a quick reboot, or using “ipconfig /release” on a Windows computer. If you have problems with leases not renewing in OS X, check out this article I did a while back.

So far, totally easy. Each time you make a change, the change updates a few different things. First, it updates the /etc/bootpd.plist property list, which looks something like this (note the correlation between these keys and the settings in the above screen shots):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NetBoot</key>
    <dict/>
    <key>Subnets</key>
    <array>
        <dict>
            <key>allocate</key>
            <true/>
            <key>dhcp_domain_name</key>
            <string>no-dns-available.example.com</string>
            <key>dhcp_domain_name_server</key>
            <array>
                <string>0.0.0.0</string>
            </array>
            <key>dhcp_domain_search</key>
            <array/>
            <key>dhcp_router</key>
            <string>192.168.210.1</string>
            <key>lease_max</key>
            <integer>3600</integer>
            <key>name</key>
            <string>192.168.210 Wi-Fi</string>
            <key>net_address</key>
            <string>192.168.210.0</string>
            <key>net_mask</key>
            <string>255.255.255.0</string>
            <key>net_range</key>
            <array>
                <string>192.168.210.200</string>
                <string>192.168.210.253</string>
            </array>
            <key>selected_port_name</key>
            <string>en0</string>
            <key>uuid</key>
            <string>B03BAE3C-AB79-4108-9E5E-F0ABAF32179E</string>
        </dict>
    </array>
    <key>allow</key>
    <array/>
    <key>bootp_enabled</key>
    <false/>
    <key>deny</key>
    <array/>
    <key>detect_other_dhcp_server</key>
    <false/>
    <key>dhcp_enabled</key>
    <false/>
    <key>old_netboot_enabled</key>
    <false/>
    <key>relay_enabled</key>
    <false/>
    <key>relay_ip_list</key>
    <array/>
</dict>
</plist>


Settings from this file include:

  • dhcp_enabled – Used to enable DHCP for each network interface. Replace the <string> immediately below it with en0. For additional entries, duplicate the string line and enter each interface from ifconfig that you’d like to serve DHCP on.
  • bootp_enabled – This can be left as Disabled or set to an array of the adapters that should be enabled if you wish to use the BOOTP protocol in addition to DHCP. Note that the server can do both BOOTP and DHCP simultaneously.
  • allocate – Use the allocate key for each subnet in the Subnets array to enable that subnet once the service is enabled.
  • Subnets – Use this array to create additional scopes or subnets that you will be serving DHCP for. To do so, copy the entry in the array and paste it immediately below the existing entry. The entry is a dictionary, so copy all of the data between and including the <dict> and </dict> tags that bracket the subnet itself.
  • lease_max and lease_min – Set these integers to the time for a client to retain its DHCP lease.
  • name – If there are multiple subnet entries, this should be unique and reference a friendly name for the subnet itself.
  • net_address – The first octets of the subnet followed by a 0. For example, assuming a /24 and 172.16.25 as the first three octets, the entry would be 172.16.25.0.
  • net_mask – The subnet mask clients should have.
  • net_range – The first entry should have the first IP in the range and the last should have the last IP in the range. For example, in the following example the addressing is 172.16.25.2 to 172.16.25.253.
  • dhcp_domain_name_server – There should be a string for each DNS server supplied by DHCP in this array.
  • dhcp_domain_search – Each domain in the domain search field should be supplied in a string within this array, if one is needed. If not, feel free to delete the key and the array.
  • dhcp_router – This entry should contain the router or default gateway used for clients on the subnet, if there is one. If not, you can delete the key and the following string entry.
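Before flipping the service on, the scope rules described above (the range inside the subnet, a router the clients can actually reach, a real DNS server rather than the 0.0.0.0 default, and no overlapping scopes) can be checked mechanically against the keys in /etc/bootpd.plist rather than by eye. The following Python is an added example, not code from krypted.com or from Apple: it reads the Subnets array with plistlib and validates each scope with the ipaddress module. SAMPLE_PLIST is constructed for the example: the first scope copies the values shown above, the second is deliberately misconfigured so that the router and overlap checks fire. On a server you would pass the bytes of /etc/bootpd.plist to audit_bootpd instead.

```python
"""Validate DHCP scopes in a bootpd.plist before enabling the service.

Added example, not from krypted.com or Apple. SAMPLE_PLIST is constructed:
scope A mirrors the article's plist, scope B is intentionally broken.
"""
import ipaddress
import plistlib

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Subnets</key>
  <array>
    <dict>
      <key>allocate</key><true/>
      <key>name</key><string>192.168.210 Wi-Fi</string>
      <key>net_address</key><string>192.168.210.0</string>
      <key>net_mask</key><string>255.255.255.0</string>
      <key>net_range</key><array><string>192.168.210.200</string><string>192.168.210.253</string></array>
      <key>dhcp_router</key><string>192.168.210.1</string>
      <key>dhcp_domain_name_server</key><array><string>0.0.0.0</string></array>
      <key>lease_max</key><integer>3600</integer>
    </dict>
    <dict>
      <key>allocate</key><true/>
      <key>name</key><string>constructed overlapping scope</string>
      <key>net_address</key><string>192.168.210.0</string>
      <key>net_mask</key><string>255.255.255.0</string>
      <key>net_range</key><array><string>192.168.210.250</string><string>192.168.210.254</string></array>
      <key>dhcp_router</key><string>192.168.211.1</string>
      <key>dhcp_domain_name_server</key><array><string>192.168.210.2</string></array>
      <key>lease_max</key><integer>3600</integer>
    </dict>
  </array>
  <key>dhcp_enabled</key>
  <false/>
</dict>
</plist>
"""


def load_scopes(plist_bytes):
    """Return the Subnets array of a bootpd.plist (empty if the key is absent)."""
    return plistlib.loads(plist_bytes).get("Subnets", [])


def scope_network(scope):
    """net_address + net_mask as an ip_network; strict=False tolerates a host bit set in net_address."""
    return ipaddress.ip_network(f"{scope['net_address']}/{scope['net_mask']}", strict=False)


def scope_range(scope):
    """The two net_range strings as (start, end) addresses."""
    start, end = (ipaddress.ip_address(a) for a in scope["net_range"])
    return start, end


def check_scope(scope):
    """Findings for one scope; an empty list means the scope is internally consistent."""
    findings = []
    name = scope.get("name", "<unnamed>")
    net = scope_network(scope)
    if str(net.network_address) != scope["net_address"]:
        findings.append(f"{name}: net_address {scope['net_address']} is not the network address of {net}")
    start, end = scope_range(scope)
    if start > end:
        findings.append(f"{name}: net_range start {start} is after end {end}")
    for label, addr in (("range start", start), ("range end", end)):
        if addr not in net:
            findings.append(f"{name}: {label} {addr} lies outside {net}")
    router = scope.get("dhcp_router")
    if router and ipaddress.ip_address(router) not in net:
        findings.append(f"{name}: dhcp_router {router} is not inside {net}; clients would get an unreachable gateway")
    for dns in scope.get("dhcp_domain_name_server", []):
        if ipaddress.ip_address(dns).is_unspecified:  # the 0.0.0.0 default the Server app leaves behind
            findings.append(f"{name}: DNS server {dns} is the unconfigured default; clients will not resolve names")
    if not isinstance(scope.get("lease_max"), int) or scope["lease_max"] <= 0:
        findings.append(f"{name}: lease_max must be a positive integer")
    if not scope.get("allocate", False):
        findings.append(f"{name}: allocate is false, so this scope hands out no leases")
    return findings


def check_overlaps(scopes):
    """Flag pairs of scopes whose address ranges intersect."""
    findings = []
    ranges = [(s.get("name", "<unnamed>"),) + scope_range(s) for s in scopes]
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (n1, s1, e1), (n2, s2, e2) = ranges[i], ranges[j]
            if s1 <= e2 and s2 <= e1:
                findings.append(f"scopes '{n1}' and '{n2}' overlap between {max(s1, s2)} and {min(e1, e2)}")
    return findings


def audit_bootpd(plist_bytes):
    """All per-scope findings followed by the cross-scope overlap findings."""
    scopes = load_scopes(plist_bytes)
    findings = []
    for scope in scopes:
        findings.extend(check_scope(scope))
    findings.extend(check_overlaps(scopes))
    return findings


if __name__ == "__main__":
    for finding in audit_bootpd(SAMPLE_PLIST):
        print("WARN:", finding)
```

Running it against the sample produces three warnings: the 0.0.0.0 DNS server in the first scope, the out-of-subnet router in the second, and the overlap between 192.168.210.250 and 192.168.210.253. The same checks apply unchanged to additional scopes you paste into the Subnets array by hand.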

If you run the serveradmin command, followed by the settings verb and then the dhcp service, you’ll see the other place that gets updated:

serveradmin settings dhcp

The output is as follows:

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_secondary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:selected_port_name = "en0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_router = "192.168.210.1"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name_server:_array_index:0 = "192.168.210.2"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_mask = "255.255.255.0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_NBDD_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = "192.168.210.200"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:lease_max = 3600
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_search:_array_index:0 = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:descriptive_name = "192.168.210 Wi-Fi"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_primary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_end = "192.168.210.253"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_address = "192.168.210.0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_enabled = yes
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_scope_id = ""
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:dhcp_domain_name = "no-dns-available.example.com"
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:routers = _empty_dictionary
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = "192.168.210.201"
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "bridge0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:2 = "p2p0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:3 = "en1"
dhcp:logging_level = "MEDIUM"

Notice the correlation between the uuid string in /etc/bootpd.plist and the _array_id entry for each subnet/network/scope (too many terms referring to the same thing, ahhhh!). Using the serveradmin command you can configure a lot more than you can configure in the Server app GUI. For example, on a dedicated DHCP server, you could increase the logging level to HIGH (as root/with sudo, of course):

serveradmin settings dhcp:logging_level = "HIGH"

You can also change settings within a scope. For example, if you realized that you were already using 192.168.210.200 and 201 for statically assigned IPs elsewhere, you can ssh into the server and change the first IP in the scope to 202 using the following (assuming the uuid of the scope is the same as in the previous examples):

serveradmin settings dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = "192.168.210.202"

You can also obtain some really helpful information using the fullstatus verb with serveradmin:

serveradmin fullstatus dhcp

This output includes the number of active leases, the path to the log file (tailing that file is helpful when troubleshooting issues), the number of static mappings (configured using the command line if needed), etc.

dhcp:state = "RUNNING"
dhcp:backendVersion = "10.5"
dhcp:timeOfModification = "2014-10-04 04:24:17 +0000"
dhcp:numDHCPActiveClients = 0
dhcp:timeOfSnapShot = "2014-10-04 04:24:19 +0000"
dhcp:dhcpLeasesArray = _empty_array
dhcp:logPaths:systemLog = "/var/log/system.log"
dhcp:numConfiguredStaticMaps = 1
dhcp:timeServiceStarted = "2014-10-04 04:24:17 +0000"
dhcp:setStateVersion = 1
dhcp:numDHCPLeases = 21
dhcp:readWriteSettingsVersion = 1

Once started, configure reservations using the /etc/bootptab file. This file should have a column for the name of a computer, the hardware type (1), the hwaddr (the MAC address) and the ipaddr for the desired IP address of each entry; every reservation needs its own MAC address:

%%
# hostname hwtype hwaddr ipaddr bootfile
a.krypted.lan 1 00:00:00:aa:bb:cc 192.168.210.230
b.krypted.lan 1 00:00:00:aa:bb:cd 192.168.210.240

You can start and stop the service either using the serveradmin command:

serveradmin stop dhcp
serveradmin start dhcp

Or using launchctl:

sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/bootps.plist
sudo /bin/launchctl load -w /System/Library/LaunchDaemons/bootps.plist

On the clients, you can then use ipconfig with the getpacket verb, followed by an interface connected to the same network as the DHCP server (for example, ipconfig getpacket en0), to see the information supplied by the DHCP service, including the address of the server that provided the lease to the client computer.

October 16th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure

Most Meraki appliances come with DHCP enabled on the WAN interface. Once you connect to the Internet through such a configuration you can claim the device using your Meraki account and then configure it. However, what if the Internet connection at your location won’t actually work with a DHCP WAN address? If you need to configure a static WAN address in order for your appliance to connect to the Internet, then you’ll need to first connect an Ethernet cable between a LAN port of your appliance and your computer and make sure to disable any other interfaces on your computer. Also configure the network settings to use DHCP. Then open a web browser and connect to the built-in web service using http://setup.meraki.com, which redirects to the device when accessed. At this point, you may encounter an issue where the page doesn’t load. If that happens, check to see if you can ping 192.168.0.1, the default IP address of the appliances. If so, load that address in the browser instead. Click Uplink configuration. When prompted for the username and password, use admin as the username and then the serial number of the device as the password, unless a password has already been assigned to the device. The Uplink Configuration page loads so you can configure the WAN information. Choose Static in the IP Assignment field. Once configured, save your changes and the device should then update to the Meraki cloud.

November 21st, 2013

Posted In: Network Infrastructure

OS X Server has long had a VPN service that can be run. The server is capable of running the two most commonly used VPN protocols: PPTP and L2TP. The L2TP protocol is always in use, but the server can run both concurrently. You should use L2TP when at all possible. Sure, “All the great themes have been used up and turned into theme parks.” But security is a theme that it never hurts to keep in the forefront of your mind. If you were thinking of exposing the other services in Mavericks Server to the Internet without having users connect to a VPN service then you should think again, because the VPN service is simple to set up and even simpler to manage.

Setting Up The VPN Service In Mavericks Server (Server 3)

To set up the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings screen has two options available in the “Configure VPN for” field:
  • L2TP: Enables only the L2TP protocol
  • L2TP and PPTP: Enables both the L2TP protocol and the PPTP protocol
The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we’ll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button that allows for configuration, plus a button for exporting a profile:
  • Client Addresses: The dynamic pool of addresses provided when clients connect to the VPN
  • DNS Settings: The name servers used once a VPN client has connected to the server, as well as the Search Domains configuration
  • Routes: Select which interface (VPN or the default interface of the client system) a client uses to reach each IP address and subnet mask
  • Save Configuration Profile: Use this button to export configuration profiles to a file, which can then be distributed to client systems (OS X using the profiles command, iOS using Apple Configurator or both using Profile Manager).
Once configured, open incoming ports on the router/firewall. PPTP runs over port 1723. L2TP is a bit more complicated (with keys bigger than a baby’s arm), running over 1701, but also the IP-ESP protocol (IP Protocol 50). Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at http://support.apple.com/kb/TS1629.

Using The Command Line

I know, I’ve described ways to manage these services from the command line before. But, “tonight we have number twelve of one hundred things to do with your body when you’re all alone.” The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required:

sudo serveradmin start vpn

And to stop the service:

sudo serveradmin stop vpn

And to list the available options:

sudo serveradmin settings vpn

The output of which shows all of the VPN settings available via serveradmin (which is many more than what you see in the Server app):

vpn:vpnHost = "mavserver.pretendco.lan"
vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains = _empty_array
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"
vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.210.240"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.210.254"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains = _empty_array
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.210.224"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.210.239"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "yaright"

To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no

To configure how long a client can be idle prior to being disconnected (DisconnectOnIdle turns the idle check on; DisconnectOnIdleTimer holds the idle time, in seconds):

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 10

By default, each protocol has a maximum of 128 sessions, configurable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200

To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option:

sudo serveradmin fullstatus vpn

Which returns output similar to the following:

vpn:servicePortsAreRestricted = "NO"
vpn:readWriteSettingsVersion = 1
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"
vpn:servers:com.apple.ppp.pptp:Type = "PPP"
vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"
vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.l2tp:Type = "PPP"
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0
vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP"
vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth"
vpn:servicePortsRestrictionInfo = _empty_array
vpn:health = _empty_dictionary
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:configured = yes
vpn:state = "STOPPED"
vpn:setStateVersion = 1

Security folk will be stoked to see that the shared secret is shown in the clear using:

vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "a dirty thought in a nice clean mind"

Configuring Users For VPN Access

Each user that accesses the VPN server needs a valid account to do so. To configure existing users to use the service, click on Users in the Server app sidebar. At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services. At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user.

Setting Up Client Computers

As you can see, configuring the VPN service in Mavericks Server (OS X Server 2.2) is a simple and straightforward process – much easier than eating your cereal with a fork and doing your homework in the dark. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so in OS X, open the Network System Preference pane. From here, click on the plus sign (“+”) to add a new network service. At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create. At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings. At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user’s password in the User Authentication Password field. When you’re done, click OK and then, provided you’re outside the network and routable to the server, click on Connect to test the connection.

Conclusion

Setting up the VPN service in OS X Mavericks Server is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into Mavericks at /usr/sbin/natd and can be managed in a number of ways. But it’s likely that the days of using an OS X Server as a gateway device are over, if they ever started. Sure, “feeling screwed up at a screwed up time in a screwed up place does not necessarily make you screwed up” but using an OS X Server for NAT when it isn’t even supported any more probably does. So rather than try to use the server as both, use a 3rd party firewall like most everyone else and then use the server as a VPN appliance. Hopefully it can do much more than just that to help justify the cost. And if you’re using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.
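Since the serveradmin output above is where the weak spots show up (PPTP still enabled, 40-bit MPPE, the shared secret in the clear), here is an added example, not from the post or from Apple, that reads that output and reports them; SAMPLE is constructed from the keys quoted in the post, and the remediation strings reuse the post’s own serveradmin settings form.

```python
"""Check `serveradmin settings vpn` output for the weak spots the post points out.

Added example, not from the krypted.com post or from Apple. It flags PPTP being
enabled next to L2TP (the post says to use L2TP when at all possible), 40-bit
MPPE being allowed, idle disconnect turned off, and the L2TP IPSec and RADIUS
shared secrets sitting in the output in the clear. SAMPLE is constructed from
the keys the post quotes; fixes reuse the post's `serveradmin settings key = value` form.
"""

SAMPLE = """\
vpn:vpnHost = "mavserver.pretendco.lan"
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "yaright"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
"""

PPTP = "vpn:Servers:com.apple.ppp.pptp:"
L2TP = "vpn:Servers:com.apple.ppp.l2tp:"


def parse_settings(text):
    """Flatten `key = value` lines into a dict, stripping the quotes around strings."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def audit_vpn(settings):
    """Return (finding_id, detail) tuples; detail is a fix or an explanation, never the secret itself."""
    findings = []
    if settings.get(PPTP + "enabled") == "yes":
        findings.append(("pptp-enabled", f"sudo serveradmin settings {PPTP}enabled = no"))
    if settings.get(PPTP + "PPP:MPPEKeySize40") == "1":
        findings.append(("mppe-40bit", f"sudo serveradmin settings {PPTP}PPP:MPPEKeySize40 = 0"))
    for proto, prefix in (("pptp", PPTP), ("l2tp", L2TP)):
        if settings.get(prefix + "enabled") == "yes" and settings.get(prefix + "PPP:DisconnectOnIdle") != "1":
            findings.append((f"{proto}-no-idle-disconnect",
                             f"sudo serveradmin settings {prefix}PPP:DisconnectOnIdle = 1"))
    secret = settings.get(L2TP + "L2TP:IPSecSharedSecretValue")
    if secret:
        findings.append(("shared-secret-in-clear",
                         f"L2TP IPSec shared secret ({len(secret)} chars) is readable by anyone who can run serveradmin"))
    # RADIUS shared secrets come back the same way; report the key, not the value.
    for key, value in settings.items():
        if key.startswith((PPTP + "Radius:", L2TP + "Radius:")) and key.endswith(":SharedSecret") and value:
            findings.append(("radius-secret-in-clear", key))
    return findings
```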

October 23rd, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security

DHCP, or Dynamic Host Configuration Protocol, is the service used to hand out IP addresses and other network settings by network appliances and servers. The DHCP Server built into OS X Server 3, installed on Mavericks Server, is easy to use and fast. It’s pretty transparent, just as DHCP services should be. To install the service, open the Server app and then click on the Show button beside Advanced in the server sidebar. Then click on DHCP. At the DHCP screen, you’ll see two tabs: Settings, used for managing the service, and Clients, used to see leases in use by computers that obtain IP address information from the server. You’ll also see an ON and OFF switch, but we’re going to configure our scopes, or Networks as they appear in the Server app, before we enable the service. To configure a scope, double-click on the first entry in the Networks list. Each scope, or Network, will have the following options:
  • Name: A name for the scope, used only on the server to keep track of things.
  • Lease Duration: Select an hour, a day, a week or 30 days. This is how long a lease that is provided to a client is valid before the lease expires and the client must find a new lease, either from the server you’re configuring or a different host.
  • Network Interface: The network interface you’d like to share IPs over. Keep in mind that you can tag multiple VLANs on a NIC, assign each an interface in OS X and therefore provide different scopes for different VLANs with the same physical computer and NIC.
  • Starting IP Address: The first IP address used. For example, if you configure a scope to go from 192.168.210.200 to 192.168.210.250 you would have 50 useable IP addresses.
  • Ending IP Address: The last IP address used in a scope.
  • Subnet Mask: The subnet mask used for the client configuration. This setting determines the size of the network.
  • Router: The default gateway, or router for the network. Often a .1 address for the subnet used in the Starting and Ending IP address fields. Note that while in DHCP you don’t actually have to use a gateway, OS X Server does force you to do so or you cannot save changes to each scope.
  • DNS: Use the Edit button for DNS to bring up a screen that allows you to configure the DNS settings provided as part of each DHCP scope you create, taking note that by default you will be handing out a server of 0.0.0.0 if you don’t configure this setting.
The DNS settings in the DHCP scope are really just the IP addresses to use for the DNS servers and the search domain. The search domain is the domain name appended to all otherwise incomplete Fully Qualified Domain Names. For example, if we use internal.krypted.lan and we have a DNS record for wiki.internal.krypted.lan then we could just type wiki into Safari to bring up the wiki server. Click the minus sign button to remove any data in these fields and then click on the plus sign to enter new values. Click OK to save DNS settings and then OK to save each scope. Once you’ve built all required scopes, start the service. Once started, verify that a new client on the network gets an IP. Also, make sure that there are no overlapping scopes and that, if you are moving a scope from one device to another (e.g. the server you’re setting up right now), you renew all leases on client systems, most easily done using a quick reboot, or using “ipconfig /release” on a Windows computer. If you have problems with leases not renewing in OS X, check out this article I did a while back. So far, totally easy. Each time you make a change, the change updates a few different things.
First, it updates the /etc/bootpd.plist property list, which looks something like this (note the correlation between these keys and the settings in the above screenshots):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NetBoot</key>
    <dict/>
    <key>Subnets</key>
    <array>
        <dict>
            <key>allocate</key>
            <true/>
            <key>dhcp_domain_name</key>
            <string>no-dns-available.example.com</string>
            <key>dhcp_domain_name_server</key>
            <array>
                <string>0.0.0.0</string>
            </array>
            <key>dhcp_domain_search</key>
            <array/>
            <key>dhcp_router</key>
            <string>192.168.210.1</string>
            <key>lease_max</key>
            <integer>3600</integer>
            <key>name</key>
            <string>192.168.210 Wi-Fi</string>
            <key>net_address</key>
            <string>192.168.210.0</string>
            <key>net_mask</key>
            <string>255.255.255.0</string>
            <key>net_range</key>
            <array>
                <string>192.168.210.200</string>
                <string>192.168.210.253</string>
            </array>
            <key>selected_port_name</key>
            <string>en0</string>
            <key>uuid</key>
            <string>B03BAE3C-AB79-4108-9E5E-F0ABAF32179E</string>
        </dict>
    </array>
    <key>allow</key>
    <array/>
    <key>bootp_enabled</key>
    <false/>
    <key>deny</key>
    <array/>
    <key>detect_other_dhcp_server</key>
    <false/>
    <key>dhcp_enabled</key>
    <false/>
    <key>old_netboot_enabled</key>
    <false/>
    <key>relay_enabled</key>
    <false/>
    <key>relay_ip_list</key>
    <array/>
</dict>
</plist>

Settings from this file include:
  • dhcp_enabled – Used to enable dhcp for each network interface. Replace the <false/> immediately below with <array> <string>en0</string> </array>. For additional entries, duplicate the string line and enter each interface from ifconfig that you’d like to use dhcp on.
  • bootp_enabled – This can be left as Disabled or set to an array of the adapters that should be enabled if you wish to use the bootp protocol in addition to dhcp. Note that the server can do both bootp and dhcp simultaneously.
  • allocate – Use the allocate key for each subnet in the Subnets array to enable each subnet once the service is enabled.
  • Subnets – Use this array to create additional scopes or subnets that you will be serving up DHCP for. To do so, copy the entry in the array and paste it immediately below the existing entry. The entry is a dictionary so copy all of the data between and including the <dict> and </dict> immediately after the <array> entry for the subnet itself.
  • lease_max and lease_min – Set these integers to the time for a client to retain its dhcp lease
  • name – If there are multiple subnet entries, this should be unique and reference a friendly name for the subnet itself.
  • net_address – The first octets of the subnet followed by a 0. For example, assuming a /24 and 172.16.25 as the first three octets the entry would be 172.16.25.0.
  • net_mask – The subnet mask clients should have
  • net_range – The first entry should have the first IP in the range and the last should have the last IP in the range. For example, in the following example the addressing is 172.16.25.2 to 172.16.25.253.
  • dhcp_domain_name_server – There should be a string for each DNS server supplied by dhcp in this array
  • dhcp_domain_search – Each domain in the domain search field should be supplied in a string within this array, if one is needed. If not, feel free to delete the key and the array.
  • dhcp_router – This entry should contain the router or default gateway used for clients on the subnet, if there is one. If not, you can delete the key and following string entries.
If you run the serveradmin command, followed by the settings verb and then the dhcp service, you’ll see the other place that gets updated:

serveradmin settings dhcp

The output looks like this:

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_secondary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:selected_port_name = "en0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_router = "192.168.210.1"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name_server:_array_index:0 = "192.168.210.2"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_mask = "255.255.255.0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_NBDD_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = "192.168.210.200"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:lease_max = 3600
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_search:_array_index:0 = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:descriptive_name = "192.168.210 Wi-Fi"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_primary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_end = "192.168.210.253"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_address = "192.168.210.0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_enabled = yes
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_scope_id = ""
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:dhcp_domain_name = "no-dns-available.example.com"
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:routers = _empty_dictionary
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = "192.168.210.201"
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "bridge0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:2 = "p2p0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:3 = "en1"
dhcp:logging_level = "MEDIUM"

Notice the correlation between the uuid string in /etc/bootpd.plist and the _array_id entry for each subnet (also called a network or a scope; too many terms referring to the same thing, ahhhh!). Using the serveradmin command you can configure a lot more than you can configure in the Server app GUI. For example, on a dedicated DHCP server, you could increase the logging level to HIGH (as root/with sudo, of course):

serveradmin settings dhcp:logging_level = "HIGH"

You can also change settings within a scope. For example, if you realized that you were already using 192.168.210.200 and 201 for statically assigned IPs elsewhere, you can go ahead and ssh into the server and change the first IP in a scope to 202 using the following (assuming the uuid of the scope is the same as in the previous examples):

serveradmin settings dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = "192.168.210.202"

You can also obtain some really helpful information using the fullstatus verb with serveradmin:

serveradmin fullstatus dhcp

This output includes the number of active leases, the path to the log file (tailing that file is helpful when troubleshooting issues), static mappings (configured using the command line if needed), etc.

dhcp:state = "RUNNING"
dhcp:backendVersion = "10.5"
dhcp:timeOfModification = "2013-10-04 04:24:17 +0000"
dhcp:numDHCPActiveClients = 0
dhcp:timeOfSnapShot = "2013-10-04 04:24:19 +0000"
dhcp:dhcpLeasesArray = _empty_array
dhcp:logPaths:systemLog = "/var/log/system.log"
dhcp:numConfiguredStaticMaps = 1
dhcp:timeServiceStarted = "2013-10-04 04:24:17 +0000"
dhcp:setStateVersion = 1
dhcp:numDHCPLeases = 21
dhcp:readWriteSettingsVersion = 1

Once started, configure reservations using the /etc/bootptab file. This file should have a column for the name of a computer, the hardware type (1), the hwaddr (the MAC address) and the ipaddr for the desired IP address of each entry; every reservation needs its own MAC address:

%%
# hostname hwtype hwaddr ipaddr bootfile
a.krypted.lan 1 00:00:00:aa:bb:cc 192.168.210.230
b.krypted.lan 1 00:00:00:aa:bb:cd 192.168.210.240

You can start and stop the service either using the serveradmin command:

serveradmin stop dhcp
serveradmin start dhcp

Or using launchctl:

sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/bootps.plist
sudo /bin/launchctl load -w /System/Library/LaunchDaemons/bootps.plist
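The checks this post and its October 2014 update above leave to the administrator (no overlapping scopes, no 0.0.0.0 name server, no statically used address inside a dynamic range, sane bootptab reservations) can be run over the serveradmin output itself. The following is an added example, not code from the posts or from Apple; the second scope, the bootptab and the static host list are constructed so each check has something to find.

```python
"""Audit `serveradmin settings dhcp` output and /etc/bootptab for the mistakes these posts warn about.

Added example, not from the krypted.com posts or from Apple's tools. It checks what the
posts tell you to check by hand: scopes that overlap, a scope still handing out the
default 0.0.0.0 name server, hosts statically assigned elsewhere that fall inside a
dynamic range (the .200/.201 case fixed with net_range_start above), and duplicate
MAC addresses in bootptab. All sample data is constructed.
"""
import ipaddress
from collections import defaultdict

UUID_A = "B03BAE3C-AB79-4108-9E5E-F0ABAF32179E"  # scope uuid quoted in the posts
UUID_B = "00000000-0000-4000-8000-000000000002"  # constructed second scope for the overlap check

SERVERADMIN_OUTPUT = f"""\
dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:{UUID_A}:dhcp_router = "192.168.210.1"
dhcp:subnets:_array_id:{UUID_A}:dhcp_domain_name_server:_array_index:0 = "0.0.0.0"
dhcp:subnets:_array_id:{UUID_A}:net_range_start = "192.168.210.200"
dhcp:subnets:_array_id:{UUID_A}:net_range_end = "192.168.210.253"
dhcp:subnets:_array_id:{UUID_A}:descriptive_name = "192.168.210 Wi-Fi"
dhcp:subnets:_array_id:{UUID_A}:dhcp_enabled = yes
dhcp:subnets:_array_id:{UUID_B}:dhcp_router = "192.168.210.1"
dhcp:subnets:_array_id:{UUID_B}:dhcp_domain_name_server:_array_index:0 = "192.168.210.2"
dhcp:subnets:_array_id:{UUID_B}:net_range_start = "192.168.210.240"
dhcp:subnets:_array_id:{UUID_B}:net_range_end = "192.168.210.254"
dhcp:subnets:_array_id:{UUID_B}:descriptive_name = "Wired (constructed)"
dhcp:subnets:_array_id:{UUID_B}:dhcp_enabled = yes
dhcp:logging_level = "MEDIUM"
"""

# Constructed bootptab in the posts' format; the second entry reuses the first MAC on purpose.
BOOTPTAB = """\
%%
# hostname hwtype hwaddr ipaddr bootfile
a.krypted.lan 1 00:00:00:aa:bb:cc 192.168.210.230
b.krypted.lan 1 00:00:00:aa:bb:cc 192.168.210.240
"""

# Addresses the posts say were already in static use elsewhere on the network.
STATIC_HOSTS = ["192.168.210.200", "192.168.210.201"]


def _unquote(value):
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_scopes(text):
    """Group dhcp:subnets:_array_id:<uuid>:<key> lines by uuid; every value is kept as a list."""
    scopes = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        parts = key.split(":")
        if sep and parts[:3] == ["dhcp", "subnets", "_array_id"]:
            scopes[parts[3]][parts[4]].append(_unquote(value))
    return scopes


def parse_bootptab(text):
    """Return (hostname, mac, ip) tuples, skipping the %% marker and # comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith(("%%", "#")):
            entries.append((fields[0], fields[2].lower(), fields[3]))
    return entries


def audit(serveradmin_text, bootptab_text, static_hosts):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ranges = {}  # descriptive_name -> (first, last) address of the dynamic range
    for uuid, scope in parse_scopes(serveradmin_text).items():
        if scope.get("dhcp_enabled", ["no"])[0] != "yes":
            continue
        name = scope.get("descriptive_name", [uuid])[0]
        ranges[name] = (ipaddress.ip_address(scope["net_range_start"][0]),
                        ipaddress.ip_address(scope["net_range_end"][0]))
        # Until DNS is set in the scope, the Server app hands clients 0.0.0.0 as their name server.
        if "0.0.0.0" in scope.get("dhcp_domain_name_server", []):
            findings.append(f"{name}: dhcp_domain_name_server is 0.0.0.0 (DNS not configured)")
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"overlap: {a} and {b}")
    seen = {}
    for host, mac, _ip in parse_bootptab(bootptab_text):
        if mac in seen:
            findings.append(f"bootptab: {host} reuses MAC {mac} already bound to {seen[mac]}")
        seen[mac] = host
    for ip in static_hosts:
        for name, (first, last) in ranges.items():
            if first <= ipaddress.ip_address(ip) <= last:
                findings.append(f"static host {ip} falls inside dynamic range {name}")
    return findings
```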

October 22nd, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

The first presentation I’ll be doing at MacSysAdmin today is on Windows Server in Mac OS X and iOS environments, which can be found here: MacSysAdmin_Windows The second presentation I’ll be doing today at MacSysAdmin is on iOS deployment, which can be found here: MacSysAdmin_iOS If you’re not able to attend then I hope you will enjoy. I’ll try and get them to Tycho for uploading to the official site asap.

September 13th, 2012

Posted In: public speaking

With the DHCP service no longer in the Server apps provided by Apple (for the most part), it’s important to look at alternative solutions to host the service. The DHCP Service in Windows Server is a Role that a Windows Server can fill that dynamically assigns IP addresses to client computers requesting addresses. The DHCP Role is easily added using the Server Manager application, available in the Administrative Tools menu of the Start Menu. Once opened, click on the Add Roles button. At the Select Server Roles screen, locate DHCP Server and then check the box for it, which will allow you to click on the Next button. At the DHCP Server screen, click on Next. At the Select Network Connection Bindings screen, check the box for each network interface that will be available to DHCP to host DHCP scopes (a scope being a range of addresses that the server will host). Click on Next. At the Specify IPv4 DNS Server Settings screen, enter the name of the search domain to be assigned in the “Parent domain” field. Then provide the IP address for the first DNS server that is provided to clients in the “Preferred DNS server IPv4 address” field. Click on Next once the appropriate DNS information has been provided. If you are using WINS servers, click on “WINS is required for applications on this network” and then click on the Next button. At the “Add or Edit DHCP Scopes” screen, click on the Add… button to provide the first DHCP scope for the environment. At the Add Scope screen, enter the following information:
  • Scope name: A friendly name for the DHCP scope (e.g. Marketing Subnet)
  • Starting IP address: The first IP address in the scope of addresses provided
  • Ending IP address: The last IP address in the scope of addresses provided (note that you cannot overlap pools and that
  • Subnet type: Select a type of scope being created (note that this changes the lease times)
  • Activate this scope: Check this box to make the scope available immediately
  • Subnet mask: The subnet mask used by clients of the scope
  • Default gateway: The router for the scope being created
Once you’re satisfied with your settings, click OK. Next, select whether DHCP will be provided for IPv6 and click on Next. If IPv6 is supported, enter the address of an IPv6-based DNS service. Click Next. Next, integrate DHCP with Active Directory (to disable this, use “Skip authorization of this DHCP server in AD DS”) by either allowing the service to use the credentials of the currently logged in user or using the Specify button to provide a different user account. Click Next. At the Summary screen, verify the settings are as intended and then click on Next. The role is then installed and, if you selected to do so, the service is started as well. There are a lot of steps here, but if you’re new to Windows Server, don’t let that intimidate you. It’s a wizard and normally takes me a little less than 5 minutes, about what we grew to expect from OS X Server.

September 11th, 2012

Posted In: Windows Server

I did an article some time ago about how DHCP leases work. From that, I’ve gotten a number of questions about why, after you click on Renew DHCP Lease in the Network System Preference pane, you sometimes still see the old lease information until you get a new lease. You can also reset the lease from the command line, which does not usually show you a new lease in the GUI immediately. To reset the DHCP lease from the command line, use ipconfig:

ipconfig set en0 BOOTP
ipconfig set en0 DHCP

If the information is displayed on the screen, then it has to be stored somewhere, right? When your system sends an acceptance for a lease, the leases are then stored in /var/db/dhcpclient/leases. These are stored in standard property list form, named using the interface, followed by the MAC address of the interface, followed by .plist. For example, for en0 with the MAC address 10:9a:cc:ab:5d:ac, the file en0-1,10:9a:cc:ab:5d:ac.plist would cat as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>IPAddress</key>
    <string>192.168.210.94</string>
    <key>LeaseLength</key>
    <integer>86400</integer>
    <key>LeaseStartDate</key>
    <date>2011-05-31T15:36:59Z</date>
    <key>PacketData</key>
    <data>
    AgEGAMHrfCMAAAAAAAAAAMCo0l4AAAAAAAAAABCa3atdrAAAAAAAAAAAAAD/AAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqNIBAQT///8A
    MwQAAVGANAEDAwTAqNIBBghEV02CRFdIgv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
    </data>
    <key>RouterHardwareAddress</key>
    <data>
    AAaxLwVA
    </data>
    <key>RouterIPAddress</key>
    <string>192.168.210.1</string>
</dict>
</plist>

The keys in this file make it easier to script figuring out a few things about your active leases, such as when they’re going to expire, when the lease was accepted, or even whether or not the system has a lease (especially when it shouldn’t have one). But they can also cause misreporting: if the information seems “stuck” in the System Preferences pane, you can rm the DHCP lease file.

Note: If the RouterIPAddress cannot be reached, the lease will be delayed in processing, causing the lease to appear to take a long time to be obtained, even though the client is looping to hopefully find a more appropriate lease with a RouterIPAddress that can be reached.

For anyone who uses a shell script to reset their IP address, I recommend using the following as the full script, rather than the two lines most commonly used (where $leasefile is the name of your lease file):

ipconfig set en0 BOOTP
ipconfig set en0 DHCP
rm /var/db/dhcpclient/leases/$leasefile

Being the nerd I am, I called mine ipcfg.exe and end with an echo of the IP:

ipconfig getifaddr en0

Finally, a very effective way I’ve seen people reset leases that are seriously stuck is to swap locations and then swap back. Let’s say your users generally use the “Automatic” location and you have one called “TEMP”. You can use the scselect command to see locations and switch between them. So to switch to TEMP, we would simply:

scselect TEMP

And then to select Automatic again:

scselect Automatic

Now be careful with this last little tidbit, as if TEMP doesn’t have any interfaces active and you are running remotely, then you might have some walking (or driving) around to do…
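Since the lease file is a standard property list, scripting the “when does it expire” and “should it even have a lease” questions above is straightforward with Python’s plistlib. The following is an added example, not code from the original post or from Apple: SAMPLE_LEASE is constructed inline in the same layout as the file above (PacketData omitted), lease_status() works out start, expiry and whether the default renewal point has passed, and report_all() does the same for every file under /var/db/dhcpclient/leases when run as root on a Mac. The split of the file name into interface and MAC follows the naming convention the post describes.

```python
"""Read macOS DHCP client lease files and report whether each is still good.

Added example, not from the original post. SAMPLE_LEASE is constructed inline
in the layout the post shows (IPAddress, LeaseLength, LeaseStartDate,
RouterIPAddress); on a real Mac the files live under /var/db/dhcpclient/leases
and reading them needs root.
"""
import os
import plistlib
from datetime import datetime, timedelta, timezone

LEASE_DIR = "/var/db/dhcpclient/leases"

SAMPLE_LEASE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>IPAddress</key><string>192.168.210.94</string>
    <key>LeaseLength</key><integer>86400</integer>
    <key>LeaseStartDate</key><date>2011-05-31T15:36:59Z</date>
    <key>RouterIPAddress</key><string>192.168.210.1</string>
</dict>
</plist>
"""


def lease_status(plist_bytes, now=None):
    """Decode one lease plist; `now` may be a datetime, an ISO-8601 string, or None."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    lease = plistlib.loads(plist_bytes)
    start = lease["LeaseStartDate"]
    if start.tzinfo is None:             # plistlib returns naive datetimes; the file is UTC
        start = start.replace(tzinfo=timezone.utc)
    length = timedelta(seconds=lease["LeaseLength"])
    expires = start + length
    remaining = max(timedelta(0), expires - now)
    return {
        "ip": lease["IPAddress"],
        "router": lease.get("RouterIPAddress"),
        "start": start.isoformat(),
        "expires": expires.isoformat(),
        "seconds_remaining": int(remaining.total_seconds()),
        "expired": now >= expires,
        # The DHCP client's default renewal point (T1) is half way through the lease.
        "renewal_due": now >= start + length / 2,
    }


def split_lease_filename(name):
    """'en0-1,10:9a:cc:ab:5d:ac.plist' -> ('en0', '10:9a:cc:ab:5d:ac')."""
    stem = name[:-len(".plist")] if name.endswith(".plist") else name
    iface_part, _, mac = stem.partition(",")
    return iface_part.split("-")[0], mac


def report_all(lease_dir=LEASE_DIR, now=None):
    """Status of every lease file in the directory (empty list if there are none)."""
    results = []
    if not os.path.isdir(lease_dir):
        return results
    for name in sorted(os.listdir(lease_dir)):
        if not name.endswith(".plist"):
            continue
        iface, mac = split_lease_filename(name)
        with open(os.path.join(lease_dir, name), "rb") as fh:
            status = lease_status(fh.read(), now)
        status.update(interface=iface, mac=mac, file=name)
        results.append(status)
    return results


if __name__ == "__main__":
    for status in report_all() or [lease_status(SAMPLE_LEASE)]:
        print(status)
```

A lease file that reports expired, or one that exists for an interface that should not have a lease at all, is the “stuck” case described above and the one to remove before renewing.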

May 31st, 2011

Posted In: Mac OS X, Mac Security, Mass Deployment

Apple recently announced the end of the Apple Xserve. The data center is a funny thing, and being such, rack space is critical to most who spend a lot of time there. Many of the previous Xserve customers will continue to buy Mac Pros and use them in racks as tall Xserves. Others will purchase Mac Minis and use them for certain situations. But many will move on to using the same iron in the data center that they use for everything else, finding a way to duplicate or replace the functionality that was previously in the Xserve with something else.

Server Admin is not going to run on Linux. But you can get kinda’ close, and if you really miss the GUI for DNS (not likely) and the other services (possible and in some cases highly likely) then you can hax0r the stuff to look as much like Server Admin as you want. In fact, given the number of developers and the open source nature, the tools available on Linux are likely to even blow away what you could do before. However, there’s a much steeper learning curve, and that’s why many (not all) in the Xserve camp have stuck it out with Apple all these years.

The easiest and most mature of the solutions that can be used here is Webmin. We’re going to look at installing Webmin on an old Dell Dimension 5150 that’s running Ubuntu Server 10. Warning, there’s gonna’ be some command line here to get ya’ started, but feel free to cut and paste.

First up, install the Webmin dependencies. Dependencies are, to many, the most frustrating thing about working with Open Source software. But never fear, the Webmin team has posted their dependencies as perl, libnet-ssleay-perl, openssl, libauthen-pam-perl, libpam-runtime and libio-pty-perl. So, let’s install those with elevated privileges, using apt-get:
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl
Next, let’s install Webmin itself. Download Webmin:
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.520_all.deb
If that fails, check the version at the Webmin site and re-run using the correct URL, listed on the site. Once you’ve downloaded it, it’s time to install. One of the reasons (in my opinion) that Ubuntu is so popular is that, like Apple, they use a package-type format for installers. Therefore, think of the dpkg command like the installer command in Mac OS X when used with the --install or -i operator. So, assuming your working directory is where you downloaded that package (*.deb) to:
dpkg -i webmin_1.520_all.deb
Once it’s finished, fire up a web browser and go to port 10000 on your box. You should be prompted to authenticate, which can be done using root as the username and the root password of your box as the password. Once done, go to the module page, or search for a third party module if the package you’d like isn’t included, and download the modules you need.

I’m not a huge fan of Webmin, but I’ve heard a lot of talk about “wouldn’t it be great if there were something similar to Server Admin”. Well, the way Roles work in Windows Server is similar and Windows Server can pretty much do anything (including make me coffee). If you are averse to Microsoft servers and/or paying per CAL for licensing, plugging modules into Webmin is pretty darn close as well. Looking at services included in Mac OS X Server, Webmin can manage FTP (Frox/WU-FTP/ProFTPd), NFS, Samba, SSH, SpamAssassin, Squid, Apache (and Webalizer), VPN (PPP/PPTP/IPsec), Mail (Dovecot/Postfix/Sendmail/Procmail/Majordomo), database (MySQL/PostgreSQL), Shorewall, LDAP w/ Kerberos, DHCP, Bind, Jabber, CVS/Subversion, VNC and even Bacula (replacing that Time Machine server concept). You have way more choices (which isn’t always a good thing).

Sure, Webmin is not nearly as pretty as Server Admin and it has many of the same issues of interpreting what is in config files and developing a WTF complex if you make a change in one place vs. the other. But it can also manage VMs and do a lot of other things (i.e. monitoring). I still prefer Mac OS X Server for a lot of things, but if someone adds Netatalk (trivial), ports the Apple .schema file in and DAViCal/CardDAV, you’ve got a new version of spaghetti open source pretty similar to Server Admin. A little CSS and you can even make it look just like Server Admin.

Not everyone is going to want to use Ubuntu. I personally end up using Redhat more than I do any other flavor of Linux. For Redhat users, getting Webmin installed is actually even easier.
Simply run rpm, specifying the package and you’re off to the races:
rpm -U webmin-1.520-1.noarch.rpm
Finally, I really and truly do not condone a knee-jerk reaction to Apple’s decision to terminate the Xserve. Unless Sarah Connor can do something about it, I don’t think it’s coming back. If you absolutely have to move certain services to a different 1U box, then here ya’ go. Otherwise, stay with those new Mac Pro servers; you’ll be happier with them in the long run!

November 7th, 2010

Posted In: Ubuntu, Unix

DHCP provides IP addresses to clients. DHCP is critical to a number of Mac OS X Server technologies, most notably NetBoot. Communications are comprised of 4 steps: Discovery, Offer, Acceptance, and Acknowledgment.

In the Discovery step, a computer that needs an IP address sends a broadcast request to the environment. These typically remain local, although most routers will allow for configuring the gateway in such a way that the UDP traffic is forwarded on to other subnets. The request also includes all of the options that the client will need, with options being anything beyond an IP address, each potential option having a numerical identifier per this list (defined in various RFCs).

In the second step, any DHCP servers that received the request will issue an offer, which includes a number of DHCP options, such as a subnet mask (option 1), a gateway (option 3), DNS servers (option 6), the amount of time a lease is valid for (option 51), and the IP of the DHCP server making the offer (option 54). For example, WINS is two options, 44 & 46 (server and type respectively), that can be provided to clients, as is LDAP (option 95). Available options are determined based on any reservations that may have been filed. For example, if an IP address has been reserved for a specific MAC address then the IP will always be the IP reserved. Because environments can have multiple DHCP servers, the Transaction ID will determine which offer to accept. The servers that issued an offer will hold the IP address from the offer until they receive the response that another offer is being accepted and then move those back into their pool of available IP addresses.

In step 3, Acceptance, the DHCP client will notify the server whose lease it accepts in the form of a DHCP Request, and those whose lease it will pass on. The Acceptance is actually a request for the IP address that is being held for the MAC address in question.

Based on the Acceptance, the options are then applied in an acknowledgement sent back to the client from the server, confirming that it indeed has the IP address and all of the pertinent options required. All of this typically happens in under a second; therefore, you plug in your computer and it gets an IP address, and unless you’re running Wireshark to look at what’s happening behind the scenes you typically just assume that that’s all there is to it…

The most powerful part of DHCP, though, is in the options, which shows that great thought was given to the protocol when it was conceived. These extensions provide for anything from NTP servers to SMTP servers, provided that the client and the server support the implementation.
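The four steps above, as an added example that is not part of the original post and not Apple’s or any vendor’s code: it builds the Discover, Offer, Request and Acknowledgment messages in memory (no sockets) with the option codes listed here, plus option 50, the requested address, which the Request carries, and parses them back with a parser that refuses truncated options rather than reading past them. All addresses, the MAC and the Transaction ID are constructed sample values. The PacketData blob in a macOS lease file is a message in exactly this format (a server reply carrying the Ack), so base64-decoding it and passing the bytes to summarize() shows what the server granted.

```python
"""Discover / Offer / Request / Acknowledgment, built and parsed in memory.
Added example, not code from the original post or from Apple; every address,
MAC and transaction ID is constructed sample data. Option codes are the ones
the post names (1, 3, 6, 51, 53, 54) plus 50, the requested address.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types
BOOTREQUEST, BOOTREPLY = 1, 2                # 'op' field: client -> server, server -> client

def packed(ip): return ipaddress.IPv4Address(ip).packed      # dotted -> 4 bytes
def ip4(raw): return str(ipaddress.IPv4Address(bytes(raw)))   # 4 bytes -> dotted

def build_message(op, xid, chaddr, yiaddr, options):
    """236-byte BOOTP header, magic cookie, TLV options, then end option 255."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0,                             # htype 1 = Ethernet, hlen 6
        b"\0" * 4, packed(yiaddr), b"\0" * 4, b"\0" * 4,    # ciaddr yiaddr siaddr giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,   # chaddr sname file
    )
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + b"\xff"

def parse_message(packet):
    """Header fields plus {option_code: raw_bytes}; ValueError if malformed."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError(f"option {code}: missing length byte")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:             # never read past a truncated option
            raise ValueError(f"option {code}: truncated value")
        options[code] = value
        i += 2 + length
    else:
        raise ValueError("options not terminated by end option 255")
    return {"op": op, "xid": xid, "chaddr": packet[28:28 + hlen],
            "yiaddr": ip4(packet[16:20]), "options": options}

def dhcp_error(packet):
    """The validation failure a receiver would log, or None if the message is clean."""
    try:
        parse_message(packet)
        return None
    except ValueError as exc:
        return str(exc)

def summarize(packet):
    """Decode the options the post discusses into readable values."""
    msg = parse_message(packet)
    o = msg["options"]
    return {
        "type": o[53][0], "xid": msg["xid"], "ip": msg["yiaddr"],
        "subnet_mask": ip4(o[1]) if 1 in o else None,
        "router": ip4(o[3]) if 3 in o else None,
        "dns": [ip4(o[6][k:k + 4]) for k in range(0, len(o.get(6, b"")), 4)],
        "lease_seconds": struct.unpack("!I", o[51])[0] if 51 in o else None,
        "server_id": ip4(o[54]) if 54 in o else None,
    }

def server_reply(client_packet, server_ip, offered_ip, msg_type):
    """One server's Offer (or Ack) answering the client message it received."""
    req = parse_message(client_packet)
    options = [(53, bytes([msg_type])), (1, packed("255.255.255.0")),
               (3, packed("192.168.210.1")), (6, packed("192.168.210.10") + packed("192.168.210.11")),
               (51, struct.pack("!I", 86400)), (54, packed(server_ip))]
    return build_message(BOOTREPLY, req["xid"], req["chaddr"], offered_ip, options)

def run_exchange():
    """Two servers answer one Discover; the client keeps the first matching Offer."""
    mac, xid = bytes.fromhex("109acfab5dac"), 0x1234ABCD          # constructed
    discover = build_message(BOOTREQUEST, xid, mac, "0.0.0.0", [(53, bytes([DISCOVER]))])
    offers = [server_reply(discover, "192.168.210.1", "192.168.210.94", OFFER),
              server_reply(discover, "192.168.210.2", "192.168.210.200", OFFER)]
    # Offers are matched to the outstanding Discover by transaction ID.
    chosen = next(summarize(p) for p in offers if parse_message(p)["xid"] == xid)
    request = build_message(BOOTREQUEST, xid, mac, "0.0.0.0", [
        (53, bytes([REQUEST])),
        (50, packed(chosen["ip"])),          # the address being accepted
        (54, packed(chosen["server_id"])),   # names the winner; the other server releases its hold
    ])
    ack = server_reply(request, chosen["server_id"], chosen["ip"], ACK)
    return summarize(ack)
```

run_exchange() returns the decoded Acknowledgment (type 5, the offered address, mask, router, DNS servers, lease length and server identifier); dhcp_error() is the check a receiver should run before trusting any field, since a length byte that points past the end of the datagram is the usual way DHCP parsers get into trouble.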

October 6th, 2009

Posted In: Mac OS X, Mac OS X Server, Mass Deployment, Unix, Windows XP
