Tiny Deathstars of Foulness

The DNS service in macOS Server was simple to setup and manage. It’s a bit more manual in macOS without macOS Server. The underlying service that provides DNS is Bind. Bind will require a compiler to install, so first make sure you have the Xcode command line tools installed. To download Bind, go to ISC at From there, copy the installer locally and extract the tar file. Once that’s extracted, run the configure from within the extracted directory:

./configure --enable-symtable=none --infodir="/usr/share/info" --sysconfdir="/etc" --localstatedir="/var" --enable-atomic="no" --with-gssapi=yes --with-libxml2=no

Next, run make:


Then run make install:

make install

Now download a LaunchDaemon plist (I just stole this from the org.isc.named.plist on a macOS Server, which can be found at /Applications/ or downloaded using that link). The permissions for a custom LaunchDaemon need to be set appropriately:

chmod root:wheel /Library/LaunchDaemons/org.isc.named.plist

Then start it up and test it!

launchctl load -w /Library/LaunchDaemons/org.isc.named.plist

Now you can manage the server as we described at

April 11th, 2018

Posted In: Mac OS X, Mac OS X Server

Tags: , , , ,

Backblaze is a great cloud and on-prem backup tool for Mac and Windows. You can download Backblaze at Once downloaded, extract the DMG and open the Backblaze Installer. 

At the Installer screen, enter your existing credentials or create a new account and click Install Now.

The drive will then be analyzed for backup.

By default, once the analysis is complete, the computer will immediately start backing up to the Backblaze cloud. Let’s click on the Settings button to configure how the Backblaze app will work.

This opens the Backblaze System Preference pane. At the Settings tab, you’ll see a list of drives to back up and an option to set when to receive warnings when the computer hasn’t completed a backup recently.

By default, performance is throttled so as not to cause your computer to run poorly. Click on the Performance tab. Here, you can disable that option, 

By default, backups run continuously, as files are altered. You can use the schedule screen to move backups to a specific time (e.g. at 1am every night). I personally like having continuous backups if you have enough bandwidth to account for them. 

By default, the whole system is not going to get backed up. Click Exclusions and you can see what will be skipped and disable some of the skips.

By default, backups are encrypted using public keys. I inherently trust the people at Backblaze. But I still use an encryption key to add an extra layer of security to my backups.

To set that, click on the Security tab.

At the Security screen, click on Enter Your Private Encryption Key.

Once you’ve got a good backup policy set. Click on the Reports screen to see what’s getting backed up!

April 10th, 2018

Posted In: Mac OS X, Mac Security

Tags: , , ,

People who have managed Open Directory and will be moving to Synology will note that directory services really aren’t nearly as complicated was we’ve made them out to be for years. This is because Apple was protecting us from doing silly things to break our implementations. It was also because Apple bundled a number of seemingly disparate technologies into ldap. It’s worth mentioning that LDAP on a Synology is LDAP. We’re not federating services, we’re not kerberizing services, we’re not augmenting schemas, etc. We can leverage the directory service to provide attributes though, and have that central phone book of user and group memberships we’ve come to depend on directory services to provide.

To get started, open the Package Center and search for Directory. Click Install for the Directory Server and the package will be installed on the Synology.

When the setup is complete, open the Directory Server from the launcher available in the upper right hand corner of the screen. 

The LDAP server isn’t yet running as you need to configure a few settings before starting. At the Settings screen, you can enable the LDAP service by checking the box to “Enable LDAP Service” and providing the hostname (FQDN) of the service along with a password.

Once the service is configured, you’ll have a base DN and a bind DN. These are generated based on the name provided in that FQDN field. For example, if the FQDN is “”, its Base DN will be “dc=synology,dc=krypted,dc=com”. And the Bind DN would add a lookup starting a root, then moving into the users container and then the hostname: uid=root,cn=users,dc=synology,dc=krypted,dc=com

If this is for internal use, then it’s all setup. If you’ll be binding external services to this LDAP instance, make sure to open ports 389 (for LDAP) and/or 636 (for LDAP over SSL) as well. 

Once you have information in the service, you’ll want to back it up. Click on Backup and Restore. Then click on Configure.

At the Configure screen, choose a destination.

I prefer using a directory I can then backup with another tool. Once you have defined a place to store your backups using the Destination field, choose a maximum number of backups and configure a schedule for the backups to run (by default backups run at midnight). Then click OK. You now have a functional LDAP service. To create Groups, click on the Group in the left sidebar. 

Here, you can easily create groups by clicking on the Create button. At the wizard, provide a group name and then enter the name of a group (accounting in this example).

Click Next, then Apply to finish creating the group. One you have created your groups, click on User to start entering your users. Click Create. At the User Information screen, enter the name, a description if needed, and the password for a user. You can also restrict password changes and set an expiration for accounts. Click Next to create the user. 

At the next screen, choose what groups the new user will be in and click Next.

Enter any extended attributes at the next screen, if you so choose (useful for directories).

Click Next and then Apply.

For smaller workgroups, you now have a functional LDAP service! If you’d like a nice gui to access more options, look at FUM ( ), LAM ( ), LinID ( )or other tools. I wrote an article on LDAP SACLs awhile back, so I’ll try and track that down and update it for Synology soon!

April 5th, 2018

Posted In: Mac OS X Server, Synology

Tags: , , , , , , , , ,

/etc/Sudoers is a file that controls what happens when you use sudo. /etc/sudo_lecture is a file that Apple includes in macOS that tells your users that what they’re about to do is dangerous. You can enable a lecture, which will be displayed each time sudo is invoked. To turn on the lecture option in sudo, open /etc/sudoers and add the following two lines (if they’re not already there):

Defaults lecture=always
Defaults lecture_file = “/etc/sudo_lecture”

Then save the file and edit /etc/sudo_lecture. Apple has kindly included the following
Warning: Improper use of the sudo command could lead to data loss or the deletion of important system files. Please double-check your typing when using sudo. Type “man sudo” for more information. To proceed, enter your password, or type Ctrl-C to abort.
Let’s change this to:
Hack the planet.

Now save and open a new Terminal screen. Run sudo bash and viola, you will get your new message. Enjoy.

April 1st, 2018

Posted In: Mac OS X, Mac Security

Tags: , , , , ,

DNS is an integral service to most modern networks. The Domain Name System, or DNS is comprised of hierarchical and decentralized Domain Name Servers, or DNS Servers. This is how we connect to computers and the websites that reside on computers by their names, rather than having to memorize the IP addresses of every single computer out there. So you get to type and come to my website instead of typing the IP address. Or more likely,, but just because my website is older, I’m not mad about that. No really…

So you have a macOS Server and you need to take your DNS records out of it and move them to another solution. Luckily, DNS on any operating system is one of the easiest to manage. So let’s start by dumping all of our DNS records:

/Applications/ list

    directory: /Library/Server/named
    allow-transfer: none 
                    allow-transfer: none 
                    allow-update: none 
                Resource Recs:
                Resource Recs:
                    no resource recs
                    allow-update: none 
                Resource Recs:
                    allow-transfer: none 
                    allow-update: none 
                Resource Recs:

Now that we have our records, let’s think of how to use them in the new server. In the above example, we list as a zone. And in that zone we have an A record for and a CNAME for that points to – but we don’t know where resolves to. Each of those domains has a corresponding file that starts with db. followed by the name of the domain in the /Library/Server/named directory. So we can cat the file as follows:

cat /Library/Server/named/       10800 IN SOA (
     10800 IN NS
     10800 IN MX 0       10800 IN A       10800 IN CNAME

Now we know the IP address that each record points to and can start building them out in other systems. If you only have 5-20 records, this is pretty quick and easy. If you have hundreds, then you’re in luck, as those db files per domain are portable between hosts. Some of the settings to look out for from macOS Server include:
  • Primary Zone: The DNS “Domain”. For example, would likely have a primary zone of
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the “machine” record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps each name that IP addresses within the zone answer with. Reverse Zones are comprised of Reverse Mappings and each octal change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: Records that can hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • Mail Exchanger Record (aka MX record): Mail Exchanger, points to the IP address of the mail server for a given domain (aka Primary or Secondary Zone).
  • Secondary Zone: A read only copy of a zone that is copied from the server where it’s a Primary Zone when created and routinely through what is known as a Zone Transfer.
The settings for the domains are as follows:
  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g.
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)
Now, let’s get to setting up the new server. We’ll open the Synology and then click on Package Center. Then we’ll click All in the sidebar and search for DNS, as you can see below.

Click Install and the service will be installed on your NAS. Once installed, use the menu item in the upper left corner of the screen to bring up DNS Manager. Here, you can create your first zone. We’ll recreate To get started, click on Create and then Master Zone.

At the Master Zone screen, select Forward Zone if you’re creating a zone with a name or Reverse Zone if you’re creating a zone for IP addresses to resolve back to names (or PTR records). Since is a name, we’ll select Forward Zone and then enter in the “Domain name” field. Enter the IP address of the NAS in the “Master DNS server” field and leave the serial format as-is unless you have a good reason not to.

There are some options to secure connectivity to the service as well: 
  • Limit zone transfer: Restrict this option only to slave servers for each zone.
  • Limit source IP service: Restrict this option only to hosts that should be able to lookup records for the zone (which is usually everyone so this isn’t often used).
  • Enable slave zone notification: Identify all the slave servers so they get a notification about changes to zone files and can update their files based on those on the server.
  • Limit zone update: Only specify other servers that are allowed to update the zone files on your server.
Click OK when you’ve configured the zone as you’d like.

Double-click the zone to load a list of records and create new ones. 

Click Create to see a list of record types:

Record types include the following:
  • A Type: Resolve a name to an IPv4 address
  • AAAA Type: Resolve a name to an IPv6 address
  • CNAME: Resolve a name to a name
  • MX: Define the mail server for a domain
  • NS: Define DNS servers for a domain
  • SPF: Define what mail servers are allowed to send mail from a domain
  • SRV: Service records (e.g. the Active Directory or Exchange server for a domain)
  • TXT: Text records
  • CAA: Define the Certificate Authorities (CAs) for a domain
Click A Type to create that record.

At the record screen, provide the hostname, along with the IP address that the name should resolve to. Notice that the TTL is a number of seconds. This is how many seconds before another DNS server expires their record. So when they cache them, they aren’t looking the records up against your server every time a client needs to resolve the address. I like the number provided, but when I’m about to move a service I’ll usually come back and reduce that a few days before the move. The nice thing about a high number of seconds before the next refresh though, is it can save on your bandwidth and on the bandwidth of the servers looking to yours to refresh their records. Once you’ve configured the record, click OK.

Click on Create and then CNAME. Enter the name that you’re pointing to another record (in this case CNAMEtest) in the Name: field and then the name that it’s pointing to (in this case in the Cononical Name: field. Click OK.

Now let’s get that MX record created. Click Create and select MX. Enter the name of the server you want to get mail (in this case will be our mail server. Then provide a TTL (I usually use lower numbers for mail servers), the priority (if this is the only server I usually use 0 but if there’s a backup then I’ll use a number like 20), and finally the name of the domain. Click OK.

You’ll you can see all of your records. I know that Apple was always tinkering with the Server app to make DNS records display differently, trying to hide the complexity. But to be honest, I always considered this type of view (which is standard amongst most network appliances) to be much more logical. That might be because I’m just used to looking at db files back in the pre-GUI days. But it makes sense to me. 

Notice in the sidebar, you have an option for Resolution. This is if the server is going to be used to resolve addresses upstream. What are those upstream servers. This is where you configure them. Don’t enable this option if the DNS server is only used by external clients to resolve names hosted on the server. Do use this if there will be clients on your network attempting to resolve against your server.

Use the Views option to configure bind views. We’ll cover this at some point, but since this article is getting a bit long, let’s just say that this is where you configure different zone files for different subnets based on the source of the subnet. Useful if you want to use the same DNS server to host external and internal addressing, and you want the internals to point to LAN addresses and the externals to point to WAN addresses.

Finally, if this DNS server will be providing services to external hosts, then point port 53 to the new server and set the name server record to the IP address on the WAN with the registrar.

March 31st, 2018

Posted In: Mac OS X Server, Synology

Tags: , , , , , , , ,

Don’t let the name fool you, RADIUS, or Remote Authentication Dial-In User Service is more widely used today than ever before. This protocol enables remote access to servers and networks and is frequently a fundamental building block of VPNs, wireless networks and other high-security services that have nothing to do with dialup bulletin boards from the 80s. 

I’ve run RADIUS services on Mac servers for years. But as that code starts to become stale and no longer supported, let’s look at running a basic RADIUS service on a network appliance, such as a Synology. To get started, open Package Manager, click All in the sidebar and then search for RADIUS. 

Click Install for the RADIUS service.

Once installed, open RADIUS Server from the application menu in the upper left hand corner of the screen.

The options aren’t like raccoon. You can select a port, choose a directory service (which covers the authentication and a bit of the authorization portions of RADIUS. Click Clients and then Add.

Here you can configure a shared secret for a client, and allow for the source IP and netmask. To grab your certificate for deployment to clients, open the Control Panel, then Security, then Certificate and export the .p12. If you’re using this RADIUS service to enable other services for Macs, you’ll likely then want to distribute that certificate in a profile. We’ll cover how to leverage RADIUS for other services in other articles.

March 31st, 2018

Posted In: Synology

Tags: , , , ,

Services that run on a Synology are constantly being updated. Software updates for the binaries and other artifacts can quickly and easily be updated. To do so, open the Synology web interface and then open Package Center. From Package Center, click Update for each or Update All to upgrade all services at once, as seen below.

You will then be prompted to verify that you want to run the update.

Any services that are being updated will restart and so end users might find those services unresponsive or have to log back in after the service comes back online.

March 27th, 2018

Posted In: Network Infrastructure, Small Business, Synology

Tags: , , , , , ,

The WD MyCloud is a pretty single-purpose device. It’s a disk with a network interface, and as with Direct Attached Storage, the MyCloud Network Attached Storage is pretty easy to connect to.

First, let’s look at connecting to the web interface via the menu item, where you can drag and drop files to the device. Once the device is configured, use the WD menu item to see your device. From there, click on the name of your device.

Alternatively, you could visit and sign into the web interface there. 

In both cases, you’ll see a list of files and then in the sidebar, you’ll see those options to configure settings, add integrations, view active its, and view photos that are on the device. 

From here, you can simply drag and drop files into the web page, just like with a box or dropbox account, but the files are stored on the device. Additionally, you can send a link to a file or folder. To do so, right-click on the object you wish to share and then click Share Link.

At the resulting screen, you’ll see a link. Click Copy to copy the link into your clipboard so you can paste it into an email.

You may also want other users to be able to log into your WD MyCloud. To allow them to do so, open Settings and click on Add User. Then provide the email address for the user and click on Send Invites.

Finally, you can also mount  the drive directly to computers. To do so, click on “Connect to Server” (or Command-K) from the Finder.

At the Connect to Server screen, enter the address of the server and click Connect. If you don’t know the address and you’re on the local network of the device. Additionally, if you have the menu item installed, you’ll see the device in the sidebar of your Mac. 

It’s worth noting that with the exception of the ability to share a link to a file or folder, the permissions on the device are pretty much wide open, as you can see below. Additionally, any files you bring into the device will end up with the same wide open permissions. And while you can change permissions on files, they’ll revert back. So if you will need more granular capabilities with file permissions, this might not be the device for you. This device is a very inexpensive way to do very small workgroups or home file sharing, but beyond that it could be too basic for a lot of business use cases. What I like about it though, is that it doesn’t pretend to be anything but what it is. And it does that very well, in a very easy-to-use way.

Now the MyCloud NAS comes with removable drives and a more robust interface. It’s still easy to use, but you can configure RAID levels, basic iSCSI functionality, and users. I still wouldn’t put this in front of large workgroups, but to replace a macOS Server for a small business, or as a basic NAS head, it’s a solid, easy-to-manage device.

March 19th, 2018

Posted In: Mac OS X, Mac OS X Server, Network Infrastructure

Tags: , , , ,

macOS might be the easiest platform to install MySQL on. To do so, simply download the MySQL installation package from the MySQL Download site. I like to use the third link (the DMG).

Screen Shot 2016-02-13 at 10.26.11 PM

Once downloaded, run the package. The package will ask you a few questions and you can easily just select the default choice during the installation process.

Screen Shot 2016-02-13 at 10.26.04 PM

Once installed, you’ll be prompted that a temporary password has been used for your MySQL instance.
Screen Shot 2016-02-13 at 10.26.52 PM

The password will get you in the first time, so you can change it. Once you have documented the password, open System Preferences and click on MySQL in the bottom row of System Preference Panes.

Screen Shot 2016-02-13 at 10.27.34 PM

Click Start MySQL Server and then when prompted, authenticate to the system. If you’d like to do this programmatically and don’t need the System Preference pane, you can do so with homebrew. If you have homebrew installed, simply run the brew command with the install verb and mysql as the package:

brew install mysql

Whichever way you install SQL, once installed, you’ll want to set the root password to something other than the intuitionally difficult to remember password provided at install time. To do so, first connect to the mysql instance now running on your computer. As the tools are installed in /usr/local/mysql/bin, run the following:

/usr/local/mysql/bin/mysql -u root

Then, set the password using the ALTER statement along with the USER option and then the username followed by IDENTIFIED BY and ultimately the password, as follows:

ALTER USER 'root'@'localhost' IDENTIFIED BY

Once done, you’ll then be able to connect to mysql normally.

March 18th, 2018

Posted In: Mac OS X, Mac OS X Server

Tags: ,

Next Page »