krypted.com

Tiny Deathstars of Foulness

The NetBoot service lets administrators of OS X computers boot those computers from images hosted on a central server, then put a new image on them, upgrade them and run automations as part of the imaging or upgrade. Since the very first versions of OS X, the service has been called NetBoot. In the Server app, Apple now calls the service NetInstall and provides a number of options around it, based on Automator-style actions.

The first step to configuring the NetInstall service is to decide what you want the service to do. There are three options available in System Image Utility (available under the Tools menu of the Server app in OS X Server):

  • Create a NetBoot Image: Allows Macs to boot over the network to a disk image hosted on a server.
  • Create a NetInstall Image: Leverage NetBoot as a boot disk so that an image hosted on a server can be used to run an OS X installer.
  • Create a NetRestore Image: Leverage NetBoot as a boot disk so that you can restore a computer that has been configured over a network. Use this option to restore an image that has been prepared.

For the purposes of this example, we’re going to use an OS X El Capitan (10.11) installer running Server 5 to boot an OS X computer over the network. The first step in doing so is to create a Network Disk Image of 10.9, or the 10.9 installation media (which is the Install OS X Mavericks bundle for this example). Before setting it up, download the Install OS X El Capitan installer app into the /Applications directory from the App Store.

Create An Image

To then set up the NetBoot disk image (you can’t start the NetInstall service until you give it an image to serve), often referred to as the NetBoot set, open the Server app and then choose System Image Utility from the Tools menu.

When System Image Utility opens, click on the Install OS X El Capitan entry in the list of available sources and click Next.

Then, in the list of options, click on NetBoot Image and then click on the Next button.

At the License Agreement screen, click Agree.

Then provide an account name, short name and password in the Image Settings screen. Also choose the language of the user and select whether you want the account to log in automatically. Once provided, click Next.

Next, select any profiles, packages or post-install scripts to run on the NetBoot image once created. Here, you can use a profile to deploy a printer, bind to Active Directory, or use a package to install software. Post-install scripts allow you to do pretty much anything you’d like to a system, provided it’s allowed by SIP.

At the System Configuration screen, choose how you’d like systems to receive names. Here, you can provide a name as a base for computers to get a computer name or you can use a file to deploy names. In most cases, you should also check the box for “Match to client after install.” Click Next once you’ve selected how this should occur.

At the Directory Servers screen, click on the plus sign if you’d like to bind the system to a particular directory server.

In this example, we’re binding to ad.krypted.com. Also provide an account that has permission to bind computers to that directory. In this case, we’re using the built-in admin account for Active Directory. Click Add once you’ve provided the appropriate directory server and credentials.

At the Image Settings screen, provide a name for the image, as well as how the index number for the image is created. Note that each image should have a unique image index, so unless you’re storing your image on multiple servers, it’s best left at the defaults. Click Next.

At the Supported Computer Models screen, you can choose which models of computer you don’t wish to support for this image. We’re not doing that here, but it’s useful, for example, if you’d like to preclude desktops from an image.

At the Filter Clients By MAC Address screen, you can choose to explicitly allow or deny given MAC addresses for computers. We’re not going to do that as part of this workflow, so just click Next (unless of course you’d like to do that).

Then, when prompted, select a location to store the Disk Image, provide any tags to be applied to the files that comprise the image and click on Save.

The computer will then start creating the NetBoot set.

Setup The NetInstall Service

Once finished, it’s time to set up the NetInstall service in OS X Server. To get started, go back to the Server app.

First, define which disk will host NetBoot images. To do so, click on the Edit Storage Settings button. At the Storage Settings overlay, select the volume on which Images will be hosted as well as the volume on which Client Data will be hosted. The Image is what you are creating; the Client Data is the dynamic data clients write while booted from those images.

If you only have one disk, as in this example, click on “Images & Client Data” for that disk. Then click on the OK button. Once you’ve selected a disk to store your image, copy the NetBoot set you created into the Library/NetBoot/NetBootSP0 folder of the disk used for images.

Once in the appropriate folder, click on the Edit button for Network Interfaces and select the appropriate network interface you wish to serve images over, and click OK. Refresh the Server app (Command-R) and provided the image was created and moved into the /Library/NetBoot/NetBootSP0 directory of a volume set to host images, the image will appear in the images list, with a green indicator light.

The green indicator light means the image is being served over the network. Double-click on an image.

At the image settings screen, you can select NFS instead of the default HTTP protocol for “Make available over”. Note that you can also restrict access to the image to certain models of Apple computers and/or certain MAC addresses by using the “Image is visible to” and “Restrict access to this image” options, respectively. Additionally, use the “Make this image available for diskless booting” option to allow computers without hard drives to boot to the image.

Click on the OK button. Click on the image and then click on the cog-wheel icon. Click on “Use as Default Boot Image” to make this the default image computers boot to when booting to NetBoot. Now, it’s as easy as clicking on the ON button. Do so to start the service.

Once started, open a Terminal window. Here, let’s get a status of the service using the serveradmin fullstatus option (along with the service name, which is still netboot from the command line):

sudo serveradmin fullstatus netboot

The output of which shows the various components, logs and states of components:

netboot:state = "RUNNING"
netboot:stateTFTP = "RUNNING"
netboot:readWriteSettingsVersion = 1
netboot:netBootConnectionsArray = _empty_array
netboot:logPaths:netBootLog = "/var/log/system.log"
netboot:dhcpLeasesArray = _empty_array
netboot:stateDHCP = "STOPPED"
netboot:stateHTTP = "RUNNING"
netboot:serviceCanStart = 1
netboot:timeOfSnapshot = "2015-09-27 02:07:32 +0000"
netboot:stateNFS = "STOPPED"
netboot:stateImageArray:_array_index:0:_array_index:0 = 1
netboot:stateImageArray:_array_index:0:_array_index:1 = 0
netboot:stateImageArray:_array_index:0:_array_index:2 = 0
netboot:stateImageArray:_array_index:0:_array_index:3 = 1
netboot:stateImageArray:_array_index:0:_array_index:4 = 2
netboot:stateImageArray:_array_index:1:_array_index:0 = 0
netboot:stateImageArray:_array_index:1:_array_index:1 = 0
netboot:stateImageArray:_array_index:1:_array_index:2 = 0
netboot:stateImageArray:_array_index:1:_array_index:3 = 0
netboot:stateImageArray:_array_index:1:_array_index:4 = 2
netboot:stateImageArray:_array_index:2:_array_index:0 = 0
netboot:stateImageArray:_array_index:2:_array_index:1 = 0
netboot:stateImageArray:_array_index:2:_array_index:2 = 0
netboot:stateImageArray:_array_index:2:_array_index:3 = 0
netboot:stateImageArray:_array_index:2:_array_index:4 = 2
netboot:stateImageArray:_array_index:3:_array_index:0 = 0
netboot:stateImageArray:_array_index:3:_array_index:1 = 0
netboot:stateImageArray:_array_index:3:_array_index:2 = 0
netboot:stateImageArray:_array_index:3:_array_index:3 = 0
netboot:stateImageArray:_array_index:3:_array_index:4 = 2
netboot:servicePortsRestrictionInfo = _empty_array
netboot:netBootClientsArray = _empty_array
netboot:servicePortsAreRestricted = "NO"
netboot:setStateVersion = 1
netboot:startedTime = "2015-09-27 02:06:53 +0000"
netboot:stateAFP = "STOPPED"

And to start the service when not running:

sudo serveradmin start netboot

There are also a number of settings available at the command line that are not in the graphical interface. For example, to allow writing to the NetBoot share:

sudo serveradmin settings netboot:netBootStorageRecordsArray:_array_index:0:readOnlyShare = no

Or to get more verbose logs:

sudo serveradmin settings netboot:logging_level = "HIGH"

To stop the service:

sudo serveradmin stop netboot

At the beginning of this article, I mentioned that there are three ways to configure NetInstall images. I’ll cover NetInstall and NetRestore in later articles, as they tend to be more involved workflow-wise than copying a volume into a Network Disk Image. But to end this one, many an old-school admin might wonder where all the settings went that used to be in the GUI. Well, serveradmin still maintains a lot of the older stuff. To see a list of all available settings, run serveradmin with the settings verb and then netboot:

sudo serveradmin settings netboot

If there’s a feature you want to use (e.g. maximum users), you should see it in the resulting list:

netboot:netBootFiltersRecordsArray = _empty_array
netboot:netBootStorageRecordsArray:_array_index:0:sharepoint = yes
netboot:netBootStorageRecordsArray:_array_index:0:clients = yes
netboot:netBootStorageRecordsArray:_array_index:0:volType = "hfs"
netboot:netBootStorageRecordsArray:_array_index:0:okToDeleteSharepoint = no
netboot:netBootStorageRecordsArray:_array_index:0:readOnlyShare = no
netboot:netBootStorageRecordsArray:_array_index:0:path = "/"
netboot:netBootStorageRecordsArray:_array_index:0:okToDeleteClients = yes
netboot:netBootStorageRecordsArray:_array_index:0:volName = "Macintosh HD"
netboot:netBootPortsRecordsArray:_array_index:0:deviceAtIndex = "en5"
netboot:netBootPortsRecordsArray:_array_index:0:nameAtIndex = "USB 10/100/1000 LAN"
netboot:netBootPortsRecordsArray:_array_index:0:isEnabledAtIndex = yes
netboot:logging_level = "MEDIUM"
netboot:filterEnabled = no
netboot:netBootImagesRecordsArray:_array_index:0:RootPath = "NetBoot.dmg"
netboot:netBootImagesRecordsArray:_array_index:0:IsInstall = no
netboot:netBootImagesRecordsArray:_array_index:0:Kind = "1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:0 = "MacBookAir6,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:1 = "MacBookAir5,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:2 = "MacBookAir7,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:3 = "MacBookAir2,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:4 = "MacBookAir5,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:5 = "MacBookAir4,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:6 = "MacBookAir4,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:7 = "MacBookAir6,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:8 = "MacBookAir7,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:9 = "MacBookAir3,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:10 = "MacBookAir3,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:11 = "MacBookPro5,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:12 = "MacBookPro9,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:13 = "MacBookPro6,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:14 = "MacBookPro6,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:15 = "MacBookPro8,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:16 = "MacBookPro11,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:17 = "MacBookPro7,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:18 = "MacBookPro11,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:19 = "MacBookPro10,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:20 = "MacBookPro12,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:21 = "MacBookPro11,4"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:22 = "MacBookPro11,5"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:23 = "MacBookPro3,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:24 = "MacBookPro4,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:25 = "MacBookPro8,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:26 = "MacBookPro10,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:27 = "MacBookPro5,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:28 = "MacBookPro5,5"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:29 = "MacBookPro5,4"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:30 = "MacBookPro5,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:31 = "MacBookPro9,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:32 = "MacBookPro11,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:33 = "MacBookPro8,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:34 = "iMac14,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:35 = "iMac9,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:36 = "iMac7,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:37 = "iMac12,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:38 = "iMac11,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:39 = "iMac14,4"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:40 = "iMac11,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:41 = "iMac13,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:42 = "iMac15,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:43 = "iMac12,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:44 = "iMac8,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:45 = "iMac10,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:46 = "iMac13,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:47 = "iMac14,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:48 = "iMac14,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:49 = "iMac13,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:50 = "iMac11,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:51 = "Macmini5,3"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:52 = "Macmini5,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:53 = "Macmini4,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:54 = "Macmini5,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:55 = "Macmini3,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:56 = "Macmini6,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:57 = "Macmini6,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:58 = "Macmini7,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:59 = "MacBook8,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:60 = "MacBook7,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:61 = "MacBook5,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:62 = "MacBook6,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:63 = "MacBook5,2"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:64 = "MacPro3,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:65 = "MacPro5,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:66 = "MacPro4,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:67 = "MacPro6,1"
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:68 = "Xserve3,1"
netboot:netBootImagesRecordsArray:_array_index:0:Description = "NetBoot of OS X 10.11 (15A178w) Install (9.12 GB)."
netboot:netBootImagesRecordsArray:_array_index:0:Name = "NetBoot of Install OS X 10.11 El Capitan"
netboot:netBootImagesRecordsArray:_array_index:0:imageType = "netboot"
netboot:netBootImagesRecordsArray:_array_index:0:Index = 3089
netboot:netBootImagesRecordsArray:_array_index:0:osVersion = "10.11"
netboot:netBootImagesRecordsArray:_array_index:0:BackwardCompatible = no
netboot:netBootImagesRecordsArray:_array_index:0:SupportsDiskless = no
netboot:netBootImagesRecordsArray:_array_index:0:EnabledSystemIdentifiers = _empty_array
netboot:netBootImagesRecordsArray:_array_index:0:Language = "Default"
netboot:netBootImagesRecordsArray:_array_index:0:BootFile = "booter"
netboot:netBootImagesRecordsArray:_array_index:0:IsDefault = no
netboot:netBootImagesRecordsArray:_array_index:0:Type = "HTTP"
netboot:netBootImagesRecordsArray:_array_index:0:Architectures = "4"
netboot:netBootImagesRecordsArray:_array_index:0:IsEnabled = yes
netboot:netBootImagesRecordsArray:_array_index:0:pathToImage = "/Library/NetBoot/NetBootSP0/NetBoot of Install OS X 10.11 El Capitan.nbi/NBImageInfo.plist"
netboot:afpUsersMax = "50"
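As an added example (not code from the article or from OS X Server), the script below parses the key = value output of the serveradmin fullstatus and settings commands shown above into nested structures and pulls out what an administrator should review before exposing the service: whether the NetBoot share is writable (readOnlyShare), whether MAC filtering is on (filterEnabled), the logging_level, which interfaces and transports are enabled, and what each image allows. The embedded sample text is trimmed from this article’s own output, and the field names it reads are the ones that output shows.

```python
"""Parse `serveradmin` key = value output and summarize what the NetBoot service
exposes.  Added example, not code from the article or from OS X Server; the two
samples are trimmed from the article's own fullstatus and settings output."""
import re

STATUS_SAMPLE = """\
netboot:state = "RUNNING"
netboot:stateTFTP = "RUNNING"
netboot:stateDHCP = "STOPPED"
netboot:stateHTTP = "RUNNING"
netboot:stateNFS = "STOPPED"
netboot:netBootClientsArray = _empty_array
"""

SETTINGS_SAMPLE = """\
netboot:netBootFiltersRecordsArray = _empty_array
netboot:netBootStorageRecordsArray:_array_index:0:readOnlyShare = no
netboot:netBootStorageRecordsArray:_array_index:0:volName = "Macintosh HD"
netboot:netBootPortsRecordsArray:_array_index:0:deviceAtIndex = "en5"
netboot:netBootPortsRecordsArray:_array_index:0:isEnabledAtIndex = yes
netboot:logging_level = "MEDIUM"
netboot:filterEnabled = no
netboot:netBootImagesRecordsArray:_array_index:0:Name = "NetBoot of Install OS X 10.11 El Capitan"
netboot:netBootImagesRecordsArray:_array_index:0:Index = 3089
netboot:netBootImagesRecordsArray:_array_index:0:SupportsDiskless = no
netboot:netBootImagesRecordsArray:_array_index:0:Type = "HTTP"
netboot:netBootImagesRecordsArray:_array_index:0:IsEnabled = yes
"""

LINE_RE = re.compile(r'^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$')

def parse_value(raw):
    """Map serveradmin literals to Python: yes/no, _empty_array, "quoted", integers."""
    raw = raw.strip()
    if raw == '_empty_array':
        return []
    if raw in ('yes', 'no'):
        return raw == 'yes'
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return int(raw) if re.fullmatch(r'-?\d+', raw) else raw

def parse_serveradmin(text):
    """Turn colon-separated key paths into nested dicts.  An `_array_index:N`
    pair becomes the integer key N, so records can be read back in index order."""
    root = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non "key = value" line
        segs = [int(s) if s.isdigit() else s
                for s in m.group('key').replace('_array_index:', '').split(':')]
        node = root
        for seg in segs[:-1]:
            node = node.setdefault(seg, {})
        node[segs[-1]] = parse_value(m.group('value'))
    return root

def records(node):
    """Array nodes are dicts keyed by index, or [] when the output said _empty_array."""
    return [node[k] for k in sorted(node)] if isinstance(node, dict) else []

def netboot_posture(status_text, settings_text):
    """Facts to review before exposing the service: transports running, writable
    shares, MAC filtering, logging level, interfaces, and what each image allows."""
    st = parse_serveradmin(status_text).get('netboot', {})
    cfg = parse_serveradmin(settings_text).get('netboot', {})
    return {
        'service_running': st.get('state') == 'RUNNING',
        'transports_running': sorted(k[5:] for k, v in st.items()
                                     if k.startswith('state') and k != 'state' and v == 'RUNNING'),
        'clients_connected': len(records(st.get('netBootClientsArray'))),
        'writable_shares': [s.get('volName') for s in records(cfg.get('netBootStorageRecordsArray'))
                            if s.get('readOnlyShare') is False],
        'mac_filter_enabled': bool(cfg.get('filterEnabled')),
        'logging_level': cfg.get('logging_level'),
        'interfaces': [p.get('deviceAtIndex') for p in records(cfg.get('netBootPortsRecordsArray'))
                       if p.get('isEnabledAtIndex')],
        'images': [{'name': im.get('Name'), 'index': im.get('Index'), 'type': im.get('Type'),
                    'enabled': bool(im.get('IsEnabled')), 'diskless': bool(im.get('SupportsDiskless'))}
                   for im in records(cfg.get('netBootImagesRecordsArray'))],
    }

def warnings(posture):
    """Settings the article exposes at the command line that deserve a second look."""
    out = []
    if posture['writable_shares']:
        out.append('NetBoot share is writable on: ' + ', '.join(posture['writable_shares']))
    if not posture['mac_filter_enabled']:
        ifaces = ', '.join(posture['interfaces']) or 'the enabled interfaces'
        out.append('MAC address filtering is off; any client on %s can request these images' % ifaces)
    if posture['logging_level'] != 'HIGH':
        out.append('logging_level is %s; set it to HIGH while troubleshooting' % posture['logging_level'])
    return out

if __name__ == '__main__':
    posture = netboot_posture(STATUS_SAMPLE, SETTINGS_SAMPLE)
    print(posture['transports_running'], posture['images'])
    print('\n'.join('WARNING: ' + w for w in warnings(posture)))
```

On a live server, feed it the output of sudo serveradmin fullstatus netboot and sudo serveradmin settings netboot instead of the embedded samples.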

Boot to Your NetBoot Image

Next, you’ll want to have a computer boot to the NetBoot image you just created. Once upon a time, you would use the bless command to select a path to an image that you wanted to boot to in order to do so. Or you’d just boot holding down the N key and let the system pick an image. As of OS X 10.11, due to SIP restrictions, you’ll use the csrutil command to set a NetBoot address. To do so, run csrutil followed by the netboot option and then the add verb, followed by an address. In the following example, we’ll set the system to boot to the NetBoot server at 10.0.0.10:

csrutil netboot add 10.0.0.10

Once you’ve finished any NetBoot workflows, use the remove verb to remove that address:

csrutil netboot remove 10.0.0.10

And to list any available NetBoot servers, use the list verb:

csrutil netboot list

Overall, all of this usually takes me a good 10 minutes of work, plus maybe up to half an hour of waiting for an image to create. You can use NetBoot to remotely boot systems, or NetInstall to remotely install systems. There are lots of articles out there (including here) on how to make sure clients can access these images over a network client, so I won’t rehash

October 7th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security

I wrote about using smbutil for DFS in Lion a while back. I haven’t needed to write anything else, as it hadn’t changed since. The statshares option has an -m flag that takes a mount path and shows the attributes of that mount (e.g. if the mount is called krypted, this should be something like /Volumes/krypted):

smbutil statshares -m /Volumes/krypted

When run, you see a list of all the attributes OS X tracks for that mount path, including the name of the server, the user ID (octal), how SMB negotiated an authentication, what version of SMB is running (e.g. SMB_1), the type of share and whether signing, extended security, Unix and large files are supported.

Additionally, if you’d like to see the attributes for all shares, use the -a option after statshares:

smbutil statshares -a

Overall, this is a nice health-check verb for the smbutil command that can be added to any monitoring or troubleshooting workflow.

October 4th, 2015

Posted In: Mac OS X, Mac OS X Server

There are a number of ways to create groups in OS X Server 5, running on Yosemite or El Capitan. The first is using the Server app, the second is using Workgroup Manager (which requires a little work to get working in El Capitan), the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating groups in the Server app.

Once a server has been promoted to an Open Directory master, all user and group accounts created in the Server app will be placed in the Local Network Group directory domain. Before that, all user and group objects created in the Server app are stored locally. Once promoted to an Open Directory server, local groups must instead be created in Workgroup Manager, the Users & Groups System Preference pane or with a command line tool appropriate for group management.

To create a new group, open the Server app and then click on Groups in the ACCOUNTS list of the Server app sidebar. From here, you can switch between the various directory domains accessible to the server using the drop-down list available. Click on the plus sign to create a local network group.

At the New Group screen, provide a name for the group in the Full Name field. This can have spaces. Then create a short name for the group in the Group Name field. This should not have spaces.

Click Done when you have supplied the appropriate information and the group is created. Once done, double-click on the group to see more options.

Here, use the plus sign (“+”) to add members to the group or highlight members and use the minus sign (“-”) to remove users from the group. You can also choose to use the following options:
  • Mailing Lists: Lists that are connected to the group.
  • Members: The users that are part of the group.
  • Give this group a shared folder: Creates a shared directory for the group, or a group with an ACL that grants all group members access.
  • Make group members Messages buddies: Adds each group member to every other group member’s buddy list in the Messages client.
  • Enable group mailing list: Enables a list using the short name of the group, where all members receive emails sent to that address.
  • Create Group Wiki: Opens the Wiki interface for creating a wiki for the group.
  • Keywords: Keywords/tags to help locate users.
  • Notes: Notes about users.

Once changes have been made, click Done to commit the changes.

October 3rd, 2015

Posted In: Mac OS X Server

OS X Server 5 (El Capitan Server) can have problems with Open Directory. Sometimes, you just need to reset your directory service. You can demote the server and then restore a backup if needed. But buyer beware: you may end up screwing things up while the directory server is being demoted and you’re restoring a backup. Or, if you haven’t built out the directory server, you may end up just demoting the server and starting over. In this article, we’ll look at demoting the server.

To get started demoting the Open Directory master, first open the Server app and then click on Open Directory.

From the Open Directory screen, click on the minus button in the Servers section. When prompted to Delete the directory service, click on the Delete button.

Once the process is complete, you’ll be able to set up a new directory server, back at the initial Open Directory screen.

The logs will then show the following:

2015-09-08 04:41:24 +0000 slapconfig -destroyldapserver
2015-09-08 04:41:24 +0000 Deleting Cert Authority related data
2015-09-08 04:41:24 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2015-09-08 04:41:24 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Krypted Open Directory Certificate Authority --serial 2842025604
2015-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2015-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2015-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2015-09-08 04:41:44 +0000 Stopping LDAP server (slapd)
2015-09-08 04:41:46 +0000 Stopping password server
2015-09-08 04:41:51 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/alock.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2015-09-08 04:41:51 +0000 Removed directory at path /var/db/openldap/authdata.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.conf.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2015-09-08 04:41:55 +0000 Stopping password server
2015-09-08 04:41:55 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.
Sep 7 23:43:23 osxserver com.apple.WebKit.WebContent[1064]: [23:43:23.061] <<<< VideoMentor >>>> videoMentorThreadForwardPlayback: (0x7fea1d938e40) startCursor PTS 0.033 > target startPTS 0.000; sending timestamp interval for that gap

October 2nd, 2015

Posted In: Mac OS X Server

Configuring the Calendar service in OS X Server 5 (running on El Capitan or Yosemite) is a fairly simple and straightforward process. The Calendar service is a CalDAV server, speaking HTTP and HTTPS on ports 8008 and 8443 respectively. To enable it, open the Server application and click on Calendar in the SERVICES section of the sidebar.

Screen Shot 2015-09-10 at 8.46.34 AM

Once open, click on Enable invitations by email to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.

Screen Shot 2015-09-10 at 8.47.49 AM

At the Configure Server Email Address screen, provide the type of incoming mail service in use (IMAP, or POP if you'd prefer), the address of the mail server, the port number if it isn't the standard one (993 for IMAP over SSL/TLS, as in the settings dump further down), the user name and a valid password for the account. Then click on the Next button.

Screen Shot 2015-09-10 at 8.48.19 AM

At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be wherever possible, since otherwise the account password and every invitation cross the network in the clear), the password protocol, the user name and the password. Then click on the Next button.

Screen Shot 2015-09-10 at 8.48.58 AM

At the Mail Account Summary screen, review the settings and, if they're correct, click Finish. Back at the service configuration screen, click on the plus sign ("+") and provide a type of location, an address, a delegate, a name for the location, whether or not invitations to the resource are accepted, and the account name for any accounts that can manage the location's calendar (they auto-complete, so there's no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in Type to configure a resource instead of a location; the two are identical except for the Type field.

Screen Shot 2015-09-10 at 8.50.07 AM

There are a number of further settings that are exposed only at the command line. To see them, open Terminal and dump the Calendar service settings with the settings option of the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar

There are a number of settings for the Calendar service, including the following. Note that the dump includes the iMIP mail account's password in clear text (the Scheduling:iMIP:Sending:Password and Receiving:Password keys), so treat the output as sensitive and redact it before pasting it into a ticket or wiki. Note also the Authentication keys, which control which mechanisms the server accepts and whether each may be used over an unencrypted connection:

calendar:DefaultLogLevel = "info"
calendar:EnableAPNS = yes
calendar:EnableSSL = yes
calendar:DirectoryAddressBook:params:queryUserRecords = yes
calendar:DirectoryAddressBook:params:queryPeopleRecords = yes
calendar:EnableSearchAddressBook = yes
calendar:HTTPPort = 80
calendar:AccountingCategories:HTTP = no
calendar:AccountingCategories:Implicit Errors = no
calendar:AccountingCategories:iTIP = no
calendar:AccountingCategories:migration = no
calendar:AccountingCategories:AutoScheduling = no
calendar:AccountingCategories:iSchedule = no
calendar:AccountingCategories:iTIP-VFREEBUSY = no
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:EnableCardDAV = no
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Sending:Address = "com.apple.calendarserver@osxserver.krypted.com"
calendar:Scheduling:iMIP:Sending:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Sending:Password = "79PreYsZSFfZZC6v"
calendar:Scheduling:iMIP:Sending:Port = 587
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Receiving:Password = "79PreYsZSFfZZC6v"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:SSLPrivateKey = ""
calendar:LogLevels = _empty_dictionary
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:ServerRoot = "/Library/Server/Calendar and Contacts"
calendar:SSLCertificate = ""
calendar:EnableCalDAV = no
calendar:Notifications:Services:APNS:Enabled = yes
calendar:SSLPort = 443
calendar:RedirectHTTPToHTTPS = yes
calendar:SSLAuthorityChain = ""
calendar:ServerHostName = "osxserver.krypted.com"

One of the more common settings to configure is the port number that CalDAV runs on (the dump above shows 80 and 443). To configure HTTP:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:HTTPPort = 8008

For HTTPS:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start calendar

Or to stop it:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop calendar

Or to get the status:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin fullstatus calendar

Full status indicates that the service and both of its components, Contacts and Calendar, are running:

calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"

Once the Calendar server is configured, use the Calendar application to talk to it. Open the Calendar application, click on the Calendar menu and select Add Account. From the Add Account screen, click the Add CalDAV Account radio button and click Continue.

Screen Shot 2015-09-10 at 10.47.30 AM

Select CalDAV from the Account Type menu, then enter the User Name and password configured on the server, and add the address of the server if you don't have DNS service (SRV) records pointing to it. The User Name is usually the name provided in the Server app, followed by @ and then the address of the server.

Screen Shot 2015-09-10 at 10.50.48 AM

Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then to share a calendar, right-click on the calendar and click on Share Calendar…

Screen Shot 2015-09-10 at 10.58.02 AM

At the Share Calendar screen, provide the name the calendar should appear as to others, and the people you'd like to share it with.

Screen Shot 2015-09-10 at 10.59.05 AM

Back at the Calendar Settings screen, use the settings to configure Availability and refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers.

Screen Shot 2015-09-10 at 11.00.46 AM

Click on the Delegation tab to view any accounts you’ve been given access to.

Screen Shot 2015-09-10 at 11.01.10 AM

Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.

Overall, the Calendar service in El Capitan Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, decentralizes administration, which often makes administration more complicated than with many other tools. But that's a good thing: nobody wants administrators getting into other people's accounts, for calendars or mail for that matter, without those users knowing it was done, which is exactly what happens when you have to reset a password to get in...

October 1st, 2015

Posted In: Mac OS X Server

OS X Server 5, running on El Capitan or Yosemite, comes with a few alerting options that were unavailable in previous versions of OS X Server. The alerts are sent to administrators by servermgrd and configured in the fifth version of the Server app. To configure alerts on the server, open the Server app, click on Alerts in the sidebar and then click on the Delivery tab.

Screen Shot 2015-09-08 at 12.32.32 AM

At the Delivery screen, click on the Edit button for Email Addresses and enter every email address that should receive alerts sent from the server. Then click on the Edit button for Push Notifications. Here, check the box for each administrator of the server. The email address on file for the user then receives push notifications of events from the server.

Screen Shot 2015-09-08 at 12.33.13 AM

Click on OK when you’ve configured all of the appropriate administrators for alerting. Click on the Edit… button for Push and if Push notifications are not already enabled you will run through the Push Notification configuration wizard.

Screen Shot 2015-09-08 at 12.34.08 AM

Then check the boxes for Email and Push for each of the alerts you want to receive (you don't have to check both for each entry). Alerts have changed in OS X Server: they are no longer based on the SMART status or capacity of drives; instead, delivery is based on service settings.

Finally, as with previous versions of OS X Server, El Capitan Server has SNMP built in. The configuration file is /private/etc/snmp/snmpd.conf and the built-in LaunchDaemon is org.net-snmp.snmpd; the binary it runs is /usr/sbin/snmpd (by default with a -f option). Once started, the default community name is COMMUNITY, which you should change in the conf file before exposing the service: an SNMPv1 or v2c community string is the whole of the authentication and crosses the wire in clear text, so also restrict the community to your monitoring hosts (net-snmp's rocommunity directive takes a source network as its second argument) or use SNMPv3 with authentication and privacy. To test, use the following command from a client (the server being queried is 192.168.210.99 in the following example):

snmpwalk -On -v 1 -c COMMUNITY 192.168.210.99

September 29th, 2015

Posted In: Mac OS X Server

The command that creates and tears down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren't actually removing the directory data or its users. To do that, run slapconfig with the -destroyldapserver option. Take a backup first (slapconfig -backupdb, given a path for the archive, captures the directory before you destroy it), since the command deletes the LDAP database, the password server and Kerberos data and the Open Directory certificate authority, and there is no undo. When run, the output gives a little insight into what's happening behind the scenes:

bash-3.2# slapconfig -destroyldapserver

The logs are as follows (note the xscertadmin line, which adds the Open Directory CA's certificate, by serial number, to the revocation list with reason 5, cessationOfOperation in RFC 5280 terms, before the LDAP and password server databases are removed and the service principals are pulled from the keytab):

2015-09-08 04:17:58 +0000 slapconfig -destroyldapserver
2015-09-08 04:17:58 +0000 Deleting Cert Authority related data
2015-09-08 04:17:58 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2015-09-08 04:17:58 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Krypted Open Directory Certificate Authority --serial 3449505949
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2015-09-08 04:18:19 +0000 Stopping LDAP server (slapd)
2015-09-08 04:18:20 +0000 Stopping password server
2015-09-08 04:18:24 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/alock.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2015-09-08 04:18:24 +0000 Removed directory at path /var/db/openldap/authdata.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.conf.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2015-09-08 04:18:27 +0000 Stopping password server
2015-09-08 04:18:27 +0000 Removed file at path /etc/ntp_opendirectory.conf.
2015-09-08 04:18:27 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

September 28th, 2015

Posted In: Mac OS X Server

OS X has an application called Contacts. OS X Server 5, running on Yosemite or El Capitan, has a service called Contacts. While the names might imply that the two do very different things, you'll be super-surprised to learn that they are designed to work with one another. The Contacts service is based on CardDAV, a protocol for storing contact information on the web so that client computers can retrieve and digest it. The service keeps its data in Postgres rather than as files, though, so there is a layer between what CardDAV clients see and what sits on disk. The Contacts service is also a conduit for reading information from LDAP and displaying it in the Contacts client, similar in a way to how the Global Address List (GAL) works in Microsoft Exchange.

I know I've said this about other services in OS X Server, but the Contacts service couldn't be easier to configure. First, you should be running Open Directory and you should also have configured Apple Push Notifications. To set up Push Notifications, have an Apple ID handy and click on the Contacts entry in the SERVICES section of the Server app.

Screen Shot 2015-09-10 at 8.13.53 AM

Click the Edit Notifications button to configure the Apple Push Notification settings for the computer. When prompted, click on Enable Push Notifications.

Screen Shot 2015-09-10 at 8.15.49 AM

If prompted, provide the username and password for the Apple ID and then click on Finish.
To enable the Contacts service, open the Server app and then click on Contacts in the SERVICES section of the List Pane. From here, use the “Include directory contacts in search” checkbox to publish LDAP contacts through the service, or leave this option unchecked and click on the ON button to enable the service.

Screen Shot 2015-09-10 at 8.19.12 AM

The Contacts service then starts and once complete, a green light appears beside the Contacts entry in the List Pane. To configure a client open the Contacts application on a client computer and use the Preferences entry in the Contacts menu to bring up the Preferences screen. From here, click the Accounts menu and then click on Add Accounts.

Screen Shot 2015-09-10 at 8.19.36 AM

At the Add Account screen, scroll down and click Add Other Account… to bring up an expanded menu of account types.

Screen Shot 2015-09-10 at 8.20.32 AM

Click Add a CardDAV account.

Screen Shot 2015-09-10 at 8.21.10 AM

At the "Add a CardDAV Account" screen, enter the email address and password of the user. Autodiscovery doesn't always work, so you might end up using the Manual option to add the account with the server's address. Alternatively, if you've mapped CardDAV to custom ports, use the Advanced option, which exposes the path and port fields.

Screen Shot 2015-09-10 at 8.24.03 AM

When the account is finished creating, you can click on the account again to see the settings used. Otherwise, close the Preferences/Accounts screen and then view the list of Contacts. Click on View and then Show Groups. This will show you the name of the servers that you’re connected to in the sidebar. There won’t be any contacts yet, so click on the plus sign to verify you have write access to the server.

Screen Shot 2015-09-10 at 8.27.44 AM
Next, let’s get access to the LDAP-based contacts. To do so, bring up the Add Account screen again and this time select LDAP Account from the Account Type field.

Screen Shot 2015-09-10 at 8.29.02 AM

Provide the name or IP address of the server and then the port that LDAP contacts are available over (the defaults, 389, or 636 with SSL, are more than likely the settings you'll use; prefer 636, since the simple authentication configured below sends the account password in the clear over a plain 389 connection). Then click on the Continue button.

At the Account Settings screen, provide the name that will appear in the Contacts app for the account in the Description field and then enter the search base in the Search base field. To determine the search base, use the serveradmin command. The following command will output the search base:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings dirserv:LDAPSettings:LDAPSearchBase

Then set Authentication to simple and provide the username and password to access the server for the account you are configuring. The list then appears.

The default port for the Contacts service is 8443, as seen earlier in the configuration of the client. To customize the port, use the serveradmin command to set the addressbook:SSLPort setting, as follows:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:SSLPort = 8443

The default location for the files used by the Contacts service is in the /Library/Server/Calendar and Contacts directory. To change that to a folder called /Volumes/Pegasys/CardDAV, use the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:ServerRoot = "/Volumes/Pegasys/CardDAV"

When changing the ServerRoot, you’ll likely need to change the DataRoot, which is usually the Data directory immediately underneath the ServerRoot. To do so, run serveradmin and put the DataRoot entry under the addressbook settings:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:DataRoot = "/Volumes/Pegasys/CardDAV/Data"

The service is then stopped with the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop addressbook

And started with the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start addressbook

Whether the service is running, along with the paths to the logs, can be obtained using the fullstatus command with serveradmin:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin fullstatus addressbook

The output of which should be as follows:

status addressbook
addressbook:state = "RUNNING"
addressbook:setStateVersion = 1
addressbook:readWriteSettingsVersion = 1

If you’re easily amused, run the serveradmin settings for calendar and compare them to the serveradmin settings for addressbook:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar

By default, the Contacts server allows Basic authentication, which sends the password with every request. Turn it off if your clients can use Digest or Kerberos instead:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:Authentication:Basic:Enabled = no

And then let’s see what it is in addressbook:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:Authentication:Basic:Enabled
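The calendar settings dump earlier on this page and the addressbook Basic-auth change just above are really the same review: read the serveradmin output and check what it allows over the wire. As an added example (not Apple's code and not from this post), here is a small POSIX shell audit that reads a serveradmin settings dump on stdin and flags the keys a security reviewer cares about: any AllowedOverWireUnencrypted = yes, Basic authentication enabled, SSL off or HTTP not redirected, and any Password key whose value is present in the dump. It also redacts those passwords so the dump can be shared. Run against the calendar dump shown above it flags Digest and Kerberos over unencrypted connections, Basic being enabled and both iMIP passwords. The function names and the sample excerpt at the bottom are assumptions for the demonstration; the sample is constructed from the key names on this page with a placeholder password.

```shell
#!/bin/sh
# Added example, not part of OS X Server: audit the authentication-related keys
# in "serveradmin settings calendar" or "serveradmin settings addressbook" output.
# Real-world use (serveradmin path as used elsewhere on this page):
#   sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook \
#     | audit_auth_settings
set -u

# Reads "service:path:key = value" lines on stdin, prints one finding per risky
# key, and returns 1 when anything was flagged (0 when the dump looks clean).
audit_auth_settings() {
  awk '
    index($0, " = ") == 0 { next }          # skip anything that is not a key = value line
    {
      key = substr($0, 1, index($0, " = ") - 1)
      val = substr($0, index($0, " = ") + 3)
      gsub(/^"|"$/, "", val)               # serveradmin quotes string values
    }
    key ~ /:Authentication:[^:]+:AllowedOverWireUnencrypted$/ && val == "yes" {
      print "cleartext authentication allowed: " key; n++
    }
    key ~ /:Authentication:Basic:Enabled$/ && val == "yes" {
      print "Basic auth enabled (password sent with every request): " key; n++
    }
    key ~ /:RedirectHTTPToHTTPS$/ && val == "no" { print "HTTP not redirected to HTTPS: " key; n++ }
    key ~ /:EnableSSL$/ && val == "no"           { print "SSL disabled: " key; n++ }
    key ~ /Password$/ && val != ""               { print "secret in dump, redact before sharing: " key; n++ }
    END { exit (n > 0) }
  '
}

# Replaces the value of every *Password key so the dump can be shared safely.
redact_secrets() {
  sed -E 's/^(.*Password = ).*$/\1"<redacted>"/'
}

# Constructed excerpt (key names from the calendar dump on this page; the
# password is a placeholder, not a real credential).
SAMPLE_SETTINGS='calendar:EnableSSL = yes
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:RedirectHTTPToHTTPS = yes
calendar:Scheduling:iMIP:Sending:Password = "placeholder-secret"'

# Demo on the sample: three findings (Digest over cleartext, Basic enabled, a
# password in the dump), then the redacted password line.
printf '%s\n' "$SAMPLE_SETTINGS" | audit_auth_settings || :
printf '%s\n' "$SAMPLE_SETTINGS" | redact_secrets | grep Password
```

The audit only reads the dump, so it is safe to run on a production server; act on its findings with the corresponding serveradmin settings commands shown on this page, and remember that disabling a mechanism the clients rely on will lock them out rather than make them upgrade.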

September 28th, 2015

Posted In: Mac OS X Server

OS X Server 5, running on El Capitan or Yosemite, comes complete with lots of features to help you get up and running and owning the configuration of Apple servers. One of them is the built-in help for managing your servers. Open Server, click Help, then click Server Help. You can then search and browse for information about the things you'd like to accomplish using the Help Center.

Screen Shot 2015-09-08 at 11.33.57 PM

Now, click the arrow beside each service for information about configuring that specific service.

And just like that, simple and easy-to-use documentation, available live in OS X Server. You will, of course, need to be online to use it effectively.

September 27th, 2015

Posted In: Mac OS X Server

OS X Server 5 dropped last week. It's the first time I've seen an OS X Server version drop before an OS release. I'm guessing there was an impetus to get it out the door before OS X 10.11 ships, so that caching and software update servers can facilitate quicker adoption and tools like Profile Manager will work on day 0. But there are some funny issues popping up. One of these is OS X Server usurping some ports that would otherwise be used by other tools; notably for Casper administrators, this includes port 8443. So here are some issues I've seen with Apache in the latest OS X Server.

Ports are in use that shouldn’t be

This is of particular interest to people running Tomcat sites (e.g. Casper admins). If you have a 3rd party service that isn’t loading, you may find that a port is already in use. For example, let’s say that you’re trying to start a JSS on port 8443. Well, let’s say you run stroke and you see this (when the JSS is stopped):

/System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke 127.0.0.1 8443 8443

And let’s say you get this response (again, with the JSS stopped):

Open TCP Port:      8443      pcsync-https

Well, that means the server has most likely grabbed port 8443 for the new service proxy. /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf (the whole Proxy folder is new, by the way) holds a few surprises, one being that the server listens on ports you might not intend it to: by default 80, 443, 8008, 8800, 8443 and 8843. The server always had a default site listening on 80 and 443, but now the CalDAV front end uses 8443 for a virtual host that redirects to /webcal on port 443. Arg. There are a few things you can do about it. One is to comment out the listener. For this, find the line that reads:

listen 8443

And replace it with:

#listen 8443

That alone would spawn errors in your Apache logs when the virtual hosts that also use 8443 try to load, so you'll also want to comment out the virtual host section: look for <VirtualHost *:8443> through that host's closing </VirtualHost> and comment out the whole block. Another option, if you do want to use the server as a calendar server as well, is to put a specific IP address or hostname in place of the asterisk in the VirtualHost definition. Keep in mind, though, that it's the Listen directive, not the VirtualHost line, that decides which address Apache binds: change it to Listen <address>:8443 as well, and have the other service (the JSS in this example) bind a different address, or Apache will still hold 0.0.0.0:8443 and nothing else can have it.

This would be true if you have something using 8008, 8800 (think Kerio), etc.

Also, note the Include of /Library/Server/Web/Config/Proxy/apache_serviceproxy_customsites*.conf. For 5.03 and 5.04 that isn't an issue, but any time you see a wildcard include like that, more files could be pulled in by a future update, which could mean additional work. And keep a backup of this file handy: it lives in a part of the system that Apple can change on update without any regard for your customizations, so after a subsequent software update you may need to restore it (or, better, diff the backup against the new file and re-apply your changes).
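As an added example (not Apple's code and not from this post), the following POSIX shell script performs the edit described above: it backs up apache_serviceproxy.conf, comments out the listen line for a port together with the whole <VirtualHost *:PORT> ... </VirtualHost> section that uses it, and prints the result so you can sanity-check it before restarting the web service. The function names and the sample config at the bottom are assumptions for the demonstration; the sample is constructed and only loosely mimics the real file.

```shell
#!/bin/sh
# Added example, not part of OS X Server: free a port that apache_serviceproxy.conf
# has claimed by commenting out "listen PORT" and the <VirtualHost *:PORT> block.
set -u

# Filters an Apache config on stdin to stdout, commenting out the listener and
# the virtual host for the given port. Matching is case-insensitive because
# Apache directives are, and only a VirtualHost bound to "*:PORT" is touched.
disable_proxy_port() {
  awk -v port="$1" '
    BEGIN { inblock = 0 }
    {
      line = tolower($0)
      if (line ~ ("^[ \t]*listen[ \t]+" port "[ \t]*$")) { print "#" $0; next }
      if (line ~ ("^[ \t]*<virtualhost[ \t]+\\*:" port ">")) { inblock = 1 }
      if (inblock) {
        print "#" $0
        if (line ~ /^[ \t]*<\/virtualhost>/) { inblock = 0 }
        next
      }
      print
    }'
}

# Edits the live file in place after keeping a timestamped copy: Apple can
# overwrite this file on a software update, so the backup is what you diff
# against to re-apply the change afterwards.
release_proxy_port() {
  port="$1"; conf="$2"
  cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
  disable_proxy_port "$port" < "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed sample standing in for /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf.
SAMPLE_PROXY_CONF='listen 80
listen 443
listen 8443
<VirtualHost *:443>
    ServerName osxserver.example.com
</VirtualHost>
<VirtualHost *:8443>
    ServerName osxserver.example.com
    Redirect / https://osxserver.example.com/webcal
</VirtualHost>'

# Demo run on the sample; on a real server you would call
#   release_proxy_port 8443 /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf
# and then restart the web service from the Server app.
printf '%s\n' "$SAMPLE_PROXY_CONF" | disable_proxy_port 8443
```

Only the "*:8443" host is commented out; a virtual host already bound to a specific address on that port is left alone, which matches the alternative described above of pinning the calendar host to one IP while another service takes the port on a different one.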

You don’t get prompted that there’s a new version of OS X Server

When you install OS X Server 5, the next time you open the Server app, you should get prompted that the Server app has been replaced and then go through a little assistant. If you don’t, reboot, throw the Server.app in the trash, redownload and reopen the app. That should take care of that issue.

Certificates don’t get migrated

The /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf file references a number of certificates, via the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives, which point into /etc/certificates. For example, on my server, I have:

4A94D0AE-7DD6-4D8D-A721-D62DE2AAE092.C174963A4CB567837EE8B5FD7EC8DCBE03143CCB.cert.pem
4A94D0AE-7DD6-4D8D-A721-D62DE2AAE092.C174963A4CB567837EE8B5FD7EC8DCBE03143CCB.chain.pem
4A94D0AE-7DD6-4D8D-A721-D62DE2AAE092.C174963A4CB567837EE8B5FD7EC8DCBE03143CCB.concat.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.cert.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.chain.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.concat.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.key.pem
odr.krypted.com.00EA9C581A8C85D48D295807946C0703DAF88F67.cert.pem
odr.krypted.com.00EA9C581A8C85D48D295807946C0703DAF88F67.chain.pem
odr.krypted.com.00EA9C581A8C85D48D295807946C0703DAF88F67.concat.pem
odr.krypted.com.00EA9C581A8C85D48D295807946C0703DAF88F67.key.pem

One is built from the promotion of Open Directory, another is a fallback, and the one with the funny GUID in front of it is usually the one you'd use when defining these fields. If OS X Server doesn't see the .pem files it expects, it just creates new ones; the old ones are still there. So, if a service like Profile Manager is totally busted, back up /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf and edit the paths to the certificates in the file to correct them. Reboot and see if Profile Manager fires up. On one machine, I also had to trash the Server app again and install it again, but just pointing the paths at the correct location worked for the most part (also, note that I had to use the full path of a file rather than just the name of the file). Oh, and don't forget that this needs to be done for each virtual host with an offending certificate chain.

Apache binds ports to all IPs

A final issue I'll point out is that servers where I'd customized the IP that Apache listens on needed to be reconfigured. This is done in the /Library/Server/Web/Config/Apache2/httpd_server_app.conf configuration file. Here, look for a Listen line. It will be commented out like so:

#Listen 12.34.56.78:80

If you only want a given port to listen on a given IP, use that section of the file to customize the listener. For example, if your machine has the address 10.0.0.100 and you only want port 80 listening on that address, use the following:

Listen 10.0.0.100:80

Conclusion

Overall, I would say that if you haven’t upgraded to Server 5 on a Yosemite system, that I’d hold off. There are some funny kinks that need to be worked out and I’d hate to be the one figuring some of this out if I wasn’t planning on a funky upgrade session (e.g. if I had a limited downtime window).

September 22nd, 2015

Posted In: JAMF, Java, Mac OS X, Mac OS X Server, Mac Security
