Tag Archives: Lion

public speaking

My MacSysAdmin Presentations For Today

The first presentation I’ll be doing at MacSysAdmin today is on Windows Server in Mac OS X and iOS environments, which can be found here:

MacSysAdmin_Windows

The second presentation I’ll be doing today at MacSysAdmin is on iOS deployment, which can be found here:

MacSysAdmin_iOS

If you’re not able to attend then I hope you will enjoy. I’ll try and get them to Tycho for uploading to the official site asap.

Mac OS X Mac OS X Server Xsan

Installing Final Cut Server on Lion & Mountain Lion Server

Thanks to Allan Sanderson for the following submission, which outlines how to install Final Cut Server in Lion and Mountain Lion Server.

In Server.app

————-
Websites:
Check “Enable PHP web applications”

Install Java
————
Open /Applications/Utilities/Java Preferences.app
You’ll be prompted by Software Update service to install Java, click “Continue”, provide admin credentials when prompted.

Install Final Cut Server
————————
Run Final Cut Server installer.
Then run Software Update to get ProApplications 2010-02 & Final Cut Server v1.5.2 updates.

Check Configuration
——————-
1)
Check fcsvr user has been created:
dscl /Local/Default -search /Users RecordName fcsvr
Output should look something like this:
fcsvr RecordName = (
fcsvr
)

2)
Check “fcsvr” user’s home folder location is set to “/Library/Application Support/Final Cut Server”
dscl /Local/Default -read /Users/fcsvr NFSHomeDirectory
Output should look something like this:
NFSHomeDirectory: /Library/Application Support/Final Cut Server
If it doesn’t, correct it with this command:
sudo dscl /Local/Default -create /Users/fcsvr NFSHomeDirectory "/Library/Application Support/Final Cut Server"

Customisations To Make It Work
——————————
A word to the wise, I personally take a backup before making any changes to system files, Time Machine is nice ‘n all, but I’d prefer not to have to go there in the first place.

1)
An out the box FCSvr install doesn’t set an “AUTH_TYPE” key/value pair in the com.apple.FinalCutServer.settings.plist file. Under 10.5 & 10.6 this didn’t cause any issues, but 10.7+ does seem to be an issue. So for Local and Open Directory authentication, this command will do the job:
sudo defaults write /Library/Preferences/com.apple.FinalCutServer.settings "AUTH_TYPE" -int 2
If you’re being more daring and trying to work with an Active Directory, then you’ll want the following:
sudo defaults write /Library/Preferences/com.apple.FinalCutServer.settings "AUTH_TYPE" -int 1

2)
Because of how things have changed between 10.6 and 10.7 & 10.8, it’s necessary to manually copy the apache site config into a user’s apache space.
sudo cp "/Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/Resources/share/conf/client_apache2.conf" "/etc/apache2/users/fcsvr.conf"

3)
Now in order for the apache site config to be read by apache, we need to add in the necessary direction for httpd.
Append “UserDir Sites” to end of “/etc/apache2/httpd.conf”, this can be done as a one-liner if you like:
echo "UserDir Sites" | sudo tee -a /etc/apache2/httpd.conf

4)
Lastly we have to add in the redirection settings for 10.7+ as the installer isn’t able to do this due to file path changes between the OS revisions.
So, in your /etc/apache2/sites/0000_any_80_.conf file, paste in the following lines after the IfModule for mod_ssl.c:
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteEngine On
RewriteRule .* - [F]
RewriteRule ^/FinalCutServer$ /~fcsvr/Sites/webstart/index.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_mac.jnlp$ /~fcsvr/Sites/webstart/macJnlp.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_windows.jnlp$ /~fcsvr/Sites/webstart/windowsJnlp.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_other.jnlp$ /~fcsvr/Sites/webstart/jnlp.php [NC,L]
</IfModule>
ORIGINAL_SOURCES: http://www.linkedin.com/groups/Has-anyone-been-able-get-138082%2ES%2E67319989?view=&srchtype=discussedNews&gid=138082&item=67319989&type=member&trk=eml-anet_dig-b_pd-ttl-cn&ut=2M3_ri588Lslo1

SPECIAL_MENTIONS: Matt Geller, David Colville

Mac OS X

Signing Installation Packages

In OS X, installers are known as packages. The trend in OS X is to sign anything going onto a computer so that it can then be installed without concern that the product is not authentic. The productsign command provides the ability to sign packages in much the same way that the codesign command can be used on apps. For example, let’s say that we wanted to sign a package called Alpha.pkg in /tmp with Apple DeveloperID 31415926535897932384626 and have it result in a new package, Omega.pkg in the same directory. The command would be as follows:

productsign --sign 'Developer ID Installer: 31415926535897932384626' \
'/tmp/Alpha.pkg' '/tmp/Omega.pkg'

You can also timestamp the signing by adding the --timestamp option, or disable trusted timestamps with --timestamp=none. You can also indicate a keychain using the --keychain option, or use --cert to indicate a certificate to embed in the archive. Once signed, you can then test the signing using the spctl command along with the --assess option. The --type option indicates the type of assessment, here an install, resulting in the following for Omega.pkg:

spctl --assess --type install /tmp/Omega.pkg
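
As an added example (not from the original post), the two commands above can be wrapped so that a signed package is only kept if it also passes verification. The function name sign_and_verify and its exit codes are choices made for this example, and pkgutil --check-signature is a second check the post does not mention; the identity and paths are supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the original post. sign_and_verify is a
# hypothetical helper; identity and paths come from the caller.
#
# Exit codes: 0 ok, 2 bad arguments, 3 signing failed,
#             4 signature check failed, 5 Gatekeeper rejected the package.
sign_and_verify() {
    identity=$1 src=$2 dst=$3

    [ -f "$src" ] || { echo "missing input: $src" >&2; return 2; }
    # Never sign in place and never clobber an earlier build.
    [ "$src" != "$dst" ] || { echo "output must differ from input" >&2; return 2; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite: $dst" >&2; return 2; }

    # productsign writes a signed copy of $src to $dst.
    if ! productsign --timestamp --sign "$identity" "$src" "$dst"; then
        rm -f "$dst"
        echo "signing failed: $src" >&2; return 3
    fi

    # Check 1: the package carries a signature pkgutil can validate.
    if ! pkgutil --check-signature "$dst" >/dev/null; then
        rm -f "$dst"
        echo "signature check failed: $dst" >&2; return 4
    fi

    # Check 2: Gatekeeper would accept it as an installer.
    if ! spctl --assess --type install "$dst"; then
        rm -f "$dst"
        echo "Gatekeeper rejected: $dst" >&2; return 5
    fi

    echo "signed and accepted: $dst"
}

# Usage: sh sign_pkg.sh 'Developer ID Installer: ...' Alpha.pkg Omega.pkg
if [ "$#" -eq 3 ]; then
    sign_and_verify "$@"
fi
```

A package that fails either check is deleted rather than left next to the good builds, so an unverified file cannot be picked up by a later distribution step.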

Mac OS X Server Mac Security

A Guide To Using Mountain Lion Server (OS X 10.8)

I’ve been doing a number of postings on how to use various features of the latest version of OS X Server. Given that WordPress is pretty much a reverse chronological listing of articles I’ve written, I thought I’d put together a listing of the pages that I’ve done for OS X Server 10.8 (Mountain Lion Server) in order to offer a more pedagogically aligned way of reading these posts. As such, here is the Table of Contents for these posts:

Introduction

Managing the Server

Configuring Services

Troubleshooting

Command Line

Misc

Mac OS X

A Sneak Peak At Mac OS X 10.9

Yes, it’s about a month or two into the OS cycle and there’s now a 10.8.1. So it’s time to announce the name and image that will be used with the next OS. We’re down to Ocelot, Serval and Bobcat. Therefore, I would think that 10.9 will be… Drumroll…

Mac OS X 10.9 - Bobcat

BOBCAT! And from some Chinese factories I’ve been smuggled pictures of what the box that contains the disks will look like. It’s a little retro (disks are now retro btw). And I mean, Police Academy 2 era retro. But think of the startup sounds the OS could make. Think of how much people would want that face beaming back at them during the startup process. Just think of all the endless possibilities just in Police Academy 2 through 4! This is going to be an amazing year.

As proof, see the previous versions of OS X and their cats:

  • Public Beta: Kodiak – September 2000 (still crawling Google Images looking for a picture of one of these)
  • 10.0: Cheetah (March 2001)
  • 10.1: Puma (September 2001)
  • 10.2: Jaguar (August 2002)
  • 10.3: Panther (October 2003)
  • 10.4: Tiger (April 2005)
  • 10.5: Leopard (October 2007)
  • 10.6: Snow Leopard (August 2009)
  • 10.7: Lion (July 2011)
  • 10.8: Mountain Lion (July 2012)
  • 10.9: Bobcat

Note: Since Puma and Cheetah were internal codenames, perhaps they’ll be recycled.

Mac OS X Mac OS X Server Mac Security Mass Deployment

Configuring Time In OS X Mountain Lion & OS X Mountain Lion Server

Time is a very important aspect of OS X Server, as it has been since the early days. Time is so important that if you see network time server, NTP or 5 minutes as the answer on an Apple exam, you should just pick that one, as it’s invariably correct. The traditional way to configure time zones and Network Time Servers is to use the systemsetup command. Before you set a time zone, use the -listtimezones option in systemsetup to see a list of all available time zones:

sudo systemsetup -listtimezones

To set the time zone, pick one and use the -settimezone option in systemsetup:

sudo systemsetup -settimezone "America/Chicago"

To check the current time, run -gettime:

sudo systemsetup -gettime

The -settime option can then be used to set the time, although it’s invariably better to set the time zone automatically with a network time protocol (NTP) server, using the -setnetworktimeserver option:

sudo systemsetup -setnetworktimeserver time.krypted.com

You would then need to turn on the use of NTP servers, using the -setusingnetworktime option and setting the value there to on:

sudo systemsetup -setusingnetworktime on

Now let’s look at a different way to do this. Run the following, in OS X Server:

sudo serveradmin settings info:timeZone = "America/New_York"

That shouldn’t work. Now ya’ know, OS X Server isn’t fully matured yet, so they’ll get around to it… But what does work is setting the NTP server and enabling NTP services. To enable NTP:

sudo serveradmin settings info:ntpTimeServe = yes

To set the NTP server:

sudo serveradmin settings info:ntpServerName = "time.krypted.com"

Note: The NTP server must be accessible when set.

Mac OS X Mac OS X Server Mac Security Mass Deployment

Using Time Machine Server in Mountain Lion Server

The Time Machine service in Mountain Lion Server hasn’t changed much from the service in Lion Server. To enable the Time Machine service, open the Server app, click on Time Machine in the SERVICES sidebar. If the service hasn’t been enabled to date, the ON/OFF switch will be in the OFF position and no “Backup destination” will be shown in the Settings pane.

Click on the ON button to see a list of volumes to use as a destination for Time Machine backups. This should be large enough to have space for all of the users that can potentially use the Time Machine service hosted on the server. When you click the ON button, a list of volumes appears.

Here, click on the volume to save your backups to. In this case, it’s the internal hard drive; however, in most cases the Backup destination will be a mass storage device and not the boot volume of the computer. Once selected, click “Use for Backup” and the service will start. Don’t touch anything until the service starts. Once started, change the backup destination at any time using the Edit button.

Time Machine Server works via Bonjour. Open the Time Machine System Preference pane and then click on the Select Backup Disk button from a client to see the server in the list of available targets, much as you would do with an Apple Time Capsule.

Under the hood, a backup share is created in the file sharing service. To see the attributes of this share, use the serveradmin command followed by the settings option and then the sharing:sharePointList:_array_id:/Shared Items/Backups key:

sudo serveradmin settings sharing:sharePointList:_array_id:/Shared Items/Backups

The output indicates the options configured for the share, including how locking is handled, that guest access is disabled, generated identifiers and the protocols the backups share is shared over:

sharing:sharePointList:_array_id:/Shared Items/Backups:dsAttrTypeStandard\:GeneratedUID = "1B1C7CFB-2B95-4087-B28B-C786E9CD68E2"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbName = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/Backups:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Shared Items/Backups:afpName = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Shared Items/Backups:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Shared Items/Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/Backups:name = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:ftpName = "Backups"
sharing:sharePointList:_array_id:/Shared Items/Backups:smbIsShared = no
sharing:sharePointList:_array_id:/Shared Items/Backups:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:timeMachineBackupUUID = "29B22ADA-97A3-46B2-9CB3-8EF9AFC9334E"
sharing:sharePointList:_array_id:/Shared Items/Backups:isTimeMachineBackup = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:dsAttrTypeNative\:sharepoint_group_id = "59161FF9-78E7-4A41-B071-B6E60866694F"
sharing:sharePointList:_array_id:/Shared Items/Backups:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Shared Items/Backups:mountedOnPath = "/"
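
As an added example (not from the original post), the settings output above can be checked automatically, so that a backup share with guest access enabled is caught before clients start writing to it. The function names, the FAIL/WARN wording and the reading of mountedOnPath = "/" as the boot volume are assumptions of this example; the sample input is six lines trimmed from the output above.

```sh
#!/bin/sh
# Added example, not from the original post.

# Constructed input: six lines trimmed from the serveradmin output above.
sample_settings() {
    p='sharing:sharePointList:_array_id:/Shared Items/Backups'
    cat <<EOF
$p:afpIsGuestAccessEnabled = no
$p:smbIsGuestAccessEnabled = no
$p:smbIsShared = no
$p:afpIsShared = yes
$p:isTimeMachineBackup = yes
$p:mountedOnPath = "/"
EOF
}

# audit_backup_share: read serveradmin "key = value" lines on stdin.
# Prints FAIL/WARN findings; returns 1 if there is any FAIL, else 0.
audit_backup_share() {
    awk '
    {
        n = index($0, " = ")
        if (n == 0) next
        key = substr($0, 1, n - 1)
        val = substr($0, n + 3)
        sub(/.*:/, "", key)      # keep only the attribute name
        gsub(/"/, "", val)       # drop the quotes serveradmin adds
        v[key] = val
    }
    END {
        fail = 0
        # Guest access must be explicitly "no"; a missing key also fails.
        np = split("afp smb", proto, " ")
        for (i = 1; i <= np; i++) {
            k = proto[i] "IsGuestAccessEnabled"
            if (v[k] != "no") {
                print "FAIL " proto[i] " guest access is not disabled"
                fail = 1
            }
        }
        # The page shows only AFP exporting the share.
        if (v["smbIsShared"] == "yes")
            print "WARN share is also exported over smb"
        # Assumption: mountedOnPath "/" means the boot volume holds the backups.
        if (v["mountedOnPath"] == "/")
            print "WARN backups are stored on the boot volume"
        exit fail
    }'
}

# Usage: <serveradmin settings command from above> | sh audit.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    audit_backup_share
fi
```

Run against the sample, the only finding is the boot-volume warning, which matches the post's remark that the backup destination is normally a separate mass storage device.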

Once the service is running, administrators frequently fill up the target volume. To move data to another location, first stop the service and then move the folder (e.g. using mv). Once moved, use the serveradmin command to send settings to the new backup path. For example, to change the target to /Volumes/bighonkindisk, use the following command:

sudo serveradmin settings sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Volumes/bighonkindisk"

Another way to see the share and attributes of the share is through the sharing command:

sharing -l

Which should show output similar to the following:

List of Share Points
name: Backups
path: /Shared Items/Backups
afp: {
name: Backups
shared: 1
guest access: 0
inherit perms: 0
}
ftp: {
name: Backups
shared: 0
guest access: 0
}
smb: {
name: Backups
shared: 0
guest access: 0
}

There’s also a Bonjour service published that announces to other clients on the same subnet that the server can be used as a backup destination (the same technology used in a Time Capsule).

One major difference between the Time Machine service and others is that there’s no specific serveradmin option for tm or tmutil (the Time Machine command line) or timemachine. Instead, most everything piggy-backs off the sharing service. Also, what I consider a major difference is that most other services now have generic names (e.g. Address Book is now called Contacts, iCal is now called Calendar, etc). The only services still using marketing terms as their names are really Profile Manager, Time Machine and Open Directory. I would expect these to eventually be called Profiles, Backup and Directory to keep the naming convention already started with the rest of the services.

I think that as a free aspect of OS X Server Time Machine Server is well worth the money for small workgroups. However, there are backup solutions from 3rd party vendors worth far more than their purchase price due to reduced disk capacity requirements (e.g. through deduplication), reduced overhead (e.g. by streamlining or accelerating traffic for the backup protocols, or even offloading all the work to the client systems) and allowing for more redundancy to backups (e.g. 2 targets). This additional logic can at first appear to come at a steep cost, but when you look at bandwidth, disk and other expenditures to get Time Machine server integrated it can be a challenge. Also, Time Machine is built to work via Bonjour, meaning that by virtue it’s then limited to smaller subnets. Time Machine Server is a great add-on, but many organizations may quickly outgrow it. Not all though, and so for a SoHo comprehensive server that needs to provide for client-based backups, OS X Server has a great feature in Time Machine.

While I found plenty to ramble on about in this article, nothing has really changed since the Lion iteration of the service. Mass deployment is still the same, as is client side configuration. One change is that the screen for the Time Machine Options on the client no longer has an option for managing Versions.

Mac OS X Mac OS X Server Xsan

Copy Files Status in Mountain Lion

Of the new features in Mountain Lion, one I have already started to love is the fact that when you’re copying folders, you see a status in the Finder screen that lists the folders. This allows me to do a bunch of Finder level copies and rather than tile out the screens that I’m using to copy, I can just watch them from the parent folder. Sometimes it’s the little things…

Mac OS X Mac Security Mass Deployment

Manage Gatekeeper from the Command Line in Mountain Lion

Gatekeeper is the new feature of OS X that controls what types of apps can be opened. To configure Gatekeeper, open the Security & Privacy System Preference pane. Click on the General tab and unlock to make changes. Here, you’ll see “Allow applications downloaded from:” along with the following 3 options:

  • Mac App Store: Only apps downloaded from the App Store can be opened.
  • “Mac App Store and identified developers”: Only apps downloaded from the App Store and those signed can be opened.
  • Anywhere: Any app can be opened.

Configuring Gatekeeper in Mountain Lion

Configuring Gatekeeper is as easy as selecting one of these options. Now, under the hood, the state of Gatekeeper is kept in /var/db/SystemPolicy-prefs.plist. There’s only one option there, though: enabled. So you could try and run defaults to disable Gatekeeper: defaults write /var/db/SystemPolicy-prefs enabled no. However, doing so is not really going to provide all the options available in the GUI. To configure the options, Apple has provided spctl, a command line tool used to manage Gatekeeper. In its simplest form, Gatekeeper can be enabled and disabled using the --master-enable and --master-disable options, which are pretty straightforward. Use --master-enable to enable Gatekeeper:

spctl --master-enable

And then use --master-disable to disable Gatekeeper:

spctl --master-disable

Whether Gatekeeper (assessments) is enabled or disabled can be returned using the --status option:

spctl --status

The -a option is used to assess an application to see if it will open or not:

spctl -a /Applications/GitHub.app

If an application passes and has a rule available then you’ll get no response. If there’s no rule for the application, you’ll get a response that:

/Applications/GarageBuy.app: unknown error 99999=1869f

You add rules about apps using the --add option. Each app gets a label, defined with the --label option. For example, to add GitHub:

spctl --add --label "GitHub" /Applications/GitHub.app

To then enable access to GitHub:

spctl --enable --label "GitHub"

Or disable:

spctl --disable --label "GitHub"

As with most things, there’s actually a rub. spctl doesn’t always work. I’ve had more than a few issues with getting the labels to apply just right. Sometimes the -a will report back that an app is rejected and it will still open. I think this is first gen technology and that, prior to relying on it, it would be a really good idea to test very thoroughly before deploying.
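
As an added example (not from the original post), the status and assess commands above can be combined into a pre-deployment check that reports whether Gatekeeper is on and which apps it accepts. The function name gatekeeper_preflight and its exit codes are choices made for this example; it relies only on spctl's exit status and on the "assessments enabled" text printed by spctl --status.

```sh
#!/bin/sh
# Added example, not from the original post.
#
# gatekeeper_preflight APP...
# Prints one line per check and returns:
#   0  Gatekeeper is on and every app was accepted
#   1  Gatekeeper (assessments) is not enabled
#   2  at least one app is missing or was not accepted
gatekeeper_preflight() {
    # spctl --status prints "assessments enabled" or "assessments disabled".
    state=$(spctl --status 2>&1) || true
    case "$state" in
        "assessments enabled"*) echo "gatekeeper: enabled" ;;
        *) echo "gatekeeper: NOT enabled ($state)"; return 1 ;;
    esac

    failed=0
    for app in "$@"; do
        if [ ! -e "$app" ]; then
            echo "missing: $app"
            failed=$((failed + 1))
        elif spctl -a "$app" >/dev/null 2>&1; then
            echo "accepted: $app"
        else
            # Any non-zero exit counts as a failure, including the
            # "unknown error" response quoted above.
            echo "rejected: $app"
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ] || return 2
}

# Usage: sh gatekeeper_preflight.sh /Applications/GitHub.app ...
if [ "$#" -gt 0 ]; then
    gatekeeper_preflight "$@"
fi
```

Running the same list before and after adding or enabling a label shows whether the rule actually changed the verdict on a test machine.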

Mac OS X

Notification Center, Mountain Lion and Me

I love Notification Center on my phone. I think it’s great to receive a simple list of items that have changed since the last time I looked at the phone.  I can also quickly dismiss the screen so the fact that there’s often 20 or more items in the list when I’ve been sitting at my computer for 10 minutes and not looking at the phone doesn’t really bum me out much.

In Mountain Lion, Notification Center comes to the Mac. What I’ve grown to love on the iPhone, I’m not sold on for OS X. You see, the alerts that pop up on the screen are great for a phone, because if you’re looking at your phone (hopefully not while driving) then you’re likely multitasking. Since most mobile solutions are so great for multi-tasking, many of us have gotten used to multi-tasking on our mobile devices and then plugging into a keyboard when we need to do something that requires focus. Or at least that’s my workflow.

By default, Notification Center assumes the same level of multi-tasking is done on desktops as on mobile devices.  But with some tuning, Notification Center can be even more useful. For example, when I’m writing I like to cut down the distractions. Doing so helps me to stay focused. And when I’m trying to keep the distractions down, there are certain things that should still jar me out of my otherwise focused state. By default, Notification Center pops up alerts on my screen that tell me that things have happened with some of my apps, such as I got an email, a calendar event is prompting or there was a tweet about me. But Notification Center allows me to configure what kinds of alerts I want to see. For example, I might want an alert about a Reminder to come through and not have tweets pop up on my screen while I’m writing. To disable one of the applications allowed to pop up an alert on the screen, open the Notifications System Preference pane and find the application in the list provided.

Then select None to disable notifications. The default setting for each app is to provide what is known as a Banner. A Banner is a prompt that informs users that an event has occurred with a supported app and then goes away. You can also set each app to provide an Alert, which is a banner that doesn’t go away on its own but must be clicked on to disappear.

You can also configure options that make Notifications a little more useful. These are configured per app and include the following:

  • Show in Notification Center: Indicates the number of items for each app that are shown in the Notification Center at a time. The default is 5 and this shows you, for example, the subject, sender and first few lines of emails or the name and sender of Tweets that have information about you.
  • Badge app icon: Removes the red indicator for each app. For example, when unchecked for mail you’ll no longer see how many unread emails you have.
  • Play sound when receiving notifications: Enables an audible alert (ding, ding) that a notification is waiting for you.

Overall, I think it’s really awesome that I now have a feature that is very iOS-centric sitting right here on my Mac. I do think it’s a bit verbose by default, but then, that’s my workflow – the developers are probably targeting the people who feel multi-tasking is healthy on every single computing device you touch. I don’t necessarily agree, but I dig it anyway. So me and my 2 apps that still have notifications enabled are going to use this feature, if a bit less verbosely than most!