krypted.com

Tiny Deathstars of Foulness

File services are perhaps the most important aspect of any server, because a file server is often the first server an organization purchases. OS X Mavericks Server (Server 3) has a number of protocols built in for serving files, including AFP, SMB and WebDAV; together these comprise the File Sharing service. File servers have shares, which OS X Mavericks Server calls Share Points. By default:
  • File Sharing has some built-in Share Points that not all environments will require.
  • Each of these shares is served over both AFP and SMB, which you may not want either (many purely Mac environments might not need SMB at all, and if you have iOS devices you may only require WebDAV).
  • Each share comes with permissions chosen by Apple, which will work for some environments but not all.
In short, the default configuration probably isn't going to work for everyone, so before doing anything else, let's edit the shares to make them secure.

The first step is to create your users and groups (or at least the ones that will be granted permissions on the shares). This is done in the Server app using the Users and Groups entries in the List Pane. Once users and groups exist, open the Server app and click on the File Sharing service in the SERVICES list in the List Pane. Here you will see a list of the shares on the server.

In our example configuration we're going to remove the built-in Groups share. To do so, click on Groups once and then click on the minus button.

As mentioned, shares can be served over different protocols. Next, we're going to disable SMB for Public. To do so, double-click on Public and then uncheck the SMB protocol checkbox for the share. When you've disabled SMB, click on the Done button to save the change to the server.

Next, we're going to create a new share for iPads to put their work in, above and beyond the WebDAV instance the Wiki service uses automatically. To create the share, first create a directory for it to live in on the server, in this case /Shared Items/iPads. Then, from the File Sharing pane in the Server app, click on the plus sign ("+"). At the browse dialog, browse to the iPads directory and click on the Choose button. Back at the File Sharing pane, double-click on the new iPads share. At the screen for the iPads share, feel free to edit the name of the share (how it appears to users); by default it uses the name of the directory.

Then it's time to configure who has access to what on the share. Use the plus sign ("+") in the Access section of the pane to add the groups that should be able to access the share, and change an existing entry by double-clicking on its name and providing a different user or group. The permissions available in this screen for the users and groups that are added are Read & Write, Read Only and Write Only. The POSIX entries (the bottom three) also offer No Access, but the ACL entries (the top entries comprise an Access Control List) don't need such an option: if no ACE (Access Control Entry) matches a user for an object, no access is granted. If more granular permissions are required, click on the name of the server in the Server app (the top item in the List Pane), click on the Storage tab, browse to the directory and click on Edit Permissions. As can be seen, there are a number of other options in this view that let you control permissions on files and directories more granularly.

If you make a share available for home folders, it can store home folders for user accounts, provided the server hosts Open Directory. Once a share has been made available for home folders it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service.

Once you have created all the appropriate shares, removed the shares you no longer need and configured the appropriate permissions, click on the ON button to start the File Sharing service.

To connect to a share, use the Connect to Server dialog, available by choosing Connect to Server from the Go menu. A change in Mavericks is that when you enter a bare address, the client connects over SMB. If you'd like to connect over AFP, put afp:// in front of the address and then click Connect.

The File Sharing service can also be controlled from the command line. OS X Server provides the sharing command, which can create, remove and modify share points. To create a share point and give it an AFP name, the form is:
sharing -a <path> -A <share name>
So let's say you have a directory at /Shares/Public and you want to create a share point called PUBLIC:
sharing -a /Shares/Public -A PUBLIC
Here -a adds the share point and -A sets the name clients see over AFP; -S and -F set the SMB and FTP names in the same way. Once created, you can remove the share point again with -r:
sharing -r PUBLIC
To get a listing of the current share points:
sharing -l

You can also use the serveradmin command to manage file shares as well as the sharing service. To see the settings for file shares, use serveradmin with the settings option followed by the sharing service:
sudo serveradmin settings sharing
Sharing settings include the following, one block per share point keyed by its path:
sharing:sharePointList:_array_id:/Users/admin/Public:smbName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:isIndexingEnabled = no
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_group_id = "35DF29D6-D5F3-4F16-8F20-B50BCDFD8743"
sharing:sharePointList:_array_id:/Users/admin/Public:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_account_uuid = "51BC33DC-1362-489E-8989-93286B77BD4C"
sharing:sharePointList:_array_id:/Users/admin/Public:path = "/Users/admin/Public"
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:afpName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeStandard\:GeneratedUID = "4646E019-352D-40D5-B62C-8A82AAE39762"
sharing:sharePointList:_array_id:/Users/admin/Public:smbDirectoryMask = "755"
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbCreateMask = "644"
sharing:sharePointList:_array_id:/Users/admin/Public:ftpName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:name = "administrator's Public Folder"
Note the afpIsGuestAccessEnabled and smbIsGuestAccessEnabled keys: the default Public share allows guest (unauthenticated) access over both protocols. If that isn't what you intend, set those keys to no or uncheck guest access for the share in the Server app.

To see settings for the services themselves, use serveradmin settings followed by the service name, afp or smb:
sudo serveradmin settings afp
AFP settings include:
afp:maxConnections = -1
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.978EED40F79A72F4309A272E6586CF0A3B8C062E@LKDC:SHA1.978EED40F79A72F4309A272E6586CF0A3B8C062E"
afp:fullServerMode = yes
afp:allowSendMessage = yes
afp:maxGuests = -1
afp:activityLog = yes
To see a run-down of some of the options for afp, see this article I did previously; for a run-down of smb options, see this one.
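The serveradmin output above is the place to audit share exposure, since it shows per share whether each protocol is served and whether guests are allowed on it. The script below is an added example, not code from the original post or from Apple: it reads `serveradmin settings sharing` output, reports every share point where guest access is enabled on a protocol that is actually being served, and also reports guest access that is merely dormant on a disabled protocol (a generalization beyond the Public share shown above), since it becomes live the moment that protocol is re-enabled. It then emits `key = no` lines in the same form serveradmin accepts on stdin. SAMPLE_SETTINGS is constructed here, modelled on the keys above; the second share and its values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit `serveradmin settings sharing`
# output for guest access and emit the settings lines that would switch it off.
# On a real server:  sudo serveradmin settings sharing | audit_shares

# Constructed sample, modelled on the real output shown in the post above.
# The /Shared Items/iPads share and its values are assumptions for illustration.
SAMPLE_SETTINGS='sharing:sharePointList:_array_id:/Users/admin/Public:afpIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:path = "/Users/admin/Public"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsShared = no
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsShared = yes'

# audit_shares: reads serveradmin output on stdin and prints one finding per line:
#   GUEST <proto> <path>          guest access enabled on a protocol that is served
#   DORMANT-GUEST <proto> <path>  guest access enabled, protocol currently disabled
audit_shares() {
  awk -F' = ' '
    /^sharing:sharePointList:_array_id:/ {
      key = $1; val = $2
      sub(/^sharing:sharePointList:_array_id:/, "", key)
      i = match(key, /:[^:]*$/)          # last ":" separates the share path from the attribute
      path = substr(key, 1, i - 1); attr = substr(key, i + 1)
      paths[path] = 1
      if (attr == "afpIsShared")             shared[path, "afp"] = val
      if (attr == "smbIsShared")             shared[path, "smb"] = val
      if (attr == "afpIsGuestAccessEnabled") guest[path, "afp"]  = val
      if (attr == "smbIsGuestAccessEnabled") guest[path, "smb"]  = val
    }
    END {
      split("afp smb", protos, " ")
      for (p in paths) {
        for (n in protos) {
          pr = protos[n]
          if (guest[p, pr] != "yes") continue
          # served + guest is live exposure; guest on a disabled protocol is dormant
          kind = (shared[p, pr] == "yes") ? "GUEST" : "DORMANT-GUEST"
          print kind " " pr " " p
        }
      }
    }' | sort
}

# guest_off_settings: turn live GUEST findings into "key = no" lines in the form
# `sudo serveradmin settings` reads from stdin. Review them, then apply with:
#   ... | audit_shares | guest_off_settings > guest_off.txt
#   sudo serveradmin settings < guest_off.txt
guest_off_settings() {
  while read -r kind proto path; do       # path (last field) keeps its internal spaces
    [ "$kind" = "GUEST" ] || continue
    printf 'sharing:sharePointList:_array_id:%s:%sIsGuestAccessEnabled = no\n' "$path" "$proto"
  done
}

printf '%s\n' "$SAMPLE_SETTINGS" | audit_shares
printf '%s\n' "$SAMPLE_SETTINGS" | audit_shares | guest_off_settings
```

Dormant findings are deliberately left out of the generated settings: they are worth fixing too, but the point of listing them separately is that unchecking SMB for a share does not clear its guest flag, so re-enabling the protocol later restores guest access silently.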

October 23rd, 2013

Posted In: Uncategorized


Cumulus comes with a number of commands installed in /usr/local/Cumulus_Workgroup_Server. The assets can live in a shared location, such as an NFS mount mapped to /cumulus or /Volumes/Cumulus, but the /usr/local/Cumulus_Workgroup_Server directory holds a number of commands that can be pretty useful. For example, the stop-admin, stop-cumulus, start-cumulus and start-admin scripts can be used to restart Cumulus from a simple ARD template:
/usr/local/Cumulus_Workgroup_Server/stop-admin.sh
/usr/local/Cumulus_Workgroup_Server/stop-cumulus.sh
sleep 30
/usr/local/Cumulus_Workgroup_Server/start-cumulus.sh
/usr/local/Cumulus_Workgroup_Server/start-admin.sh
There are others, such as status.sh, which shows the size of the repository, the PIDs and the time running. repair.sh can be used to repair the database, and remove-admin.sh and remove-cumulus.sh uninstall the admin console and the Cumulus server respectively (danger, Will Robinson). The install-admin.sh and install-cumulus.sh scripts install those same items. The bin directory contains daemons such as cumulusd and cumulusrad. If you want to work with assets, you'll probably need the Java SE JDK to run and then query the Tomcat server. This web application environment leverages Cumulus Java classes to provide the API that can then be scripted into various workflows, such as a site that queries images in the DAM and displays those matching a given pattern. Overall, the scripting that can be done without the API is service-control oriented, but with the API and a little SOAP you can pretty much grab or change almost anything you need to.

September 27th, 2013

Posted In: Mac OS X, Mac OS X Server, Network Infrastructure


NFS has 3 settings in Lion Server: nbDaemons, the number of NFS daemons; useTCP, whether or not TCP is used; and useUDP, whether or not UDP is used. Disabling UDP forces TCP:
serveradmin settings nfs:useUDP = 0
Or to turn UDP back on:
serveradmin settings nfs:useUDP = 1
To disable TCP if you'd rather just use UDP:
serveradmin settings nfs:useTCP = 0
Or to turn TCP back on:
serveradmin settings nfs:useTCP = 1

June 25th, 2012

Posted In: Mac OS X Server, Mac Security


NFS is an old standby in the *nix world. It seems that it’s about as old as the hills and while it can be cranky at times, it’s pretty easy to setup, manage and use. Once it’s configured, you use it in a similar fashion as you do in Mac OS X Server. The client configuration is identical. To get started, let’s install the nfs-kernel-server, nfs-common and portmap packages on our Ubuntu 10.04 box:
apt-get install nfs-kernel-server nfs-common portmap
Then let’s create a directory to share (aka export):
mkdir /Homes
Then we need to define the permissions for /Homes (ends up similar in functionality to the export to option in Server Admin for Mac OS X Server users):
chown nobody:nogroup /Homes
Now, let’s open up /etc/exports and allow access to Homes by configuring it as an export. To do so, paste this line in at the bottom:
/Homes        192.168.210.0/24(rw,sync,no_subtree_check)
In the above line, we're defining the path to the directory, followed by the client address(es) allowed to access the export and, in parentheses, the options that apply to them. The client could be a single IP address or a range; the above CIDR allows all IP addresses from 192.168.210.1 to 192.168.210.254 to access the export. Make sure there is no space between the client and the opening parenthesis: exportfs reads a bare (rw,sync,no_subtree_check) as options for every host, so 192.168.210.0/24 (rw,sync,no_subtree_check) with a space would export /Homes read-only to the subnet and read-write to the whole world. Now save and close the file and run the exportfs command with the -a option (all) and you should be done with the server configuration portion:
exportfs -a
Next up, let's port scan for nfs (port 2049) from Mac OS X using the stroke command (the path contains a space, so quote it):
"/Applications/Utilities/Network Utility.app/Contents/Resources/stroke" 192.168.210.254 2049 2049
Now we need to verify that Mac OS X clients can mount the export. From a client that can reach the NFS server, open Disk Utility from /Applications/Utilities. Then click on the File menu and select NFS Mounts… to bring up the NFS Mounts screen. From the NFS Mounts screen, click on the plus sign (+) and you will see an overlay with fields for Remote NFS URL: and Mount Location:. The Remote NFS URL: field is nfs:// followed by the name or IP of your server and the path of the export you just created, for example nfs://192.168.210.254/Homes. The Mount Location is where on the client computer you would like the folder to appear; for most scenarios, /Volumes/ followed by the name of the mount will suffice. Click on Verify if it looks right and, provided the file system can be mounted, you'll receive a message saying so. Then click on Save and you're done: you should be able to browse and interact with it as needed.
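Because the difference between a correct export and a world-readable one in /etc/exports is a single space, it is worth linting the file before running exportfs -a. The script below is an added example, not code from the original post or from the nfs-utils project: it parses exports(5) syntax and flags the whitespace mistake described above, explicit * clients, and no_root_squash. SAMPLE_EXPORTS is a constructed file; the /Homes-ok, /Scratch and /Pub entries are assumptions added to exercise the other cases.

```shell
#!/bin/sh
# Added example (not from the original post): lint /etc/exports before exportfs -a.
# On a real server:  lint_exports < /etc/exports

# Constructed sample; only the first /Homes line mirrors the post (with the bad space).
SAMPLE_EXPORTS='# constructed sample /etc/exports
/Homes        192.168.210.0/24 (rw,sync,no_subtree_check)
/Homes-ok     192.168.210.0/24(rw,sync,no_subtree_check)
/Scratch      *(rw,no_root_squash)
/Pub          192.168.210.0/24(ro) 10.0.0.5(rw,sync)'

# lint_exports: reads exports(5) syntax on stdin, prints one finding per line:
#   WORLD-BY-SPACE <path> <opts>    bare "(opts)" token: exportfs applies it to all hosts
#   WORLD <path> <client>           explicit * client
#   NO-ROOT-SQUASH <path> <client>  remote root keeps uid 0 on the export
lint_exports() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        tok = $i
        if (tok ~ /^\(/) {
          # "(opts)" with no client is read as "*(opts)": the preceding client
          # silently gets the defaults (ro) and every host gets these options
          print "WORLD-BY-SPACE " path " " tok
          continue
        }
        client = tok; opts = ""
        if (match(tok, /\(.*\)$/)) {              # split "client(opts)"
          client = substr(tok, 1, RSTART - 1)
          opts   = substr(tok, RSTART + 1, RLENGTH - 2)
        }
        if (client == "*") print "WORLD " path " " tok
        if (opts ~ /(^|,)no_root_squash(,|$)/) print "NO-ROOT-SQUASH " path " " client
      }
    }' | sort
}

printf '%s\n' "$SAMPLE_EXPORTS" | lint_exports
```

exportfs itself prints a "No host name given" warning for the bare-parenthesis case, but only when you run it interactively and read the output; a lint step that fails a deployment on any WORLD finding catches it before the export is live.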

November 23rd, 2010

Posted In: Mac OS X Server, Mass Deployment, Ubuntu


In a number of environments where SMB, AFP and other file sharing protocols are used with Mac OS X, Windows and Linux clients, there are hidden files that Mac OS X leaves behind. Anyone who has managed an environment like this has likely noticed the .DS_Store files and may even have taken measures to get rid of them. However, try as you might, they're likely to have come back repeatedly. But you don't have to live with them. You can tell your Windows clients not to show hidden files. On Windows XP, open a Windows Explorer window (also accessible by browsing any folder on the hard drive), choose Folder Options from the Tools menu, click on the View tab and then click on Do not show hidden files and folders. For Vista and up, open the Folder Options control panel, choose the View tab and then click on Do not show hidden files and folders. If this is proving unwieldy, you can instead tell each Mac OS X user account not to create them on network volumes. This isn't to say that you should: this is how Mac OS X tracks the view settings and icon placements of a folder. But if you need to get rid of them, you need to get rid of them… To do so, create a file called com.apple.desktopservices.plist in the ~/Library/Preferences of each user account that contains the following:
{ DSDontWriteNetworkStores = true; }
The easiest way to go about this is to simply run the following command for each user on each system:
defaults write com.apple.desktopservices DSDontWriteNetworkStores true
You can use com.apple.desktopservices.plist as a managed preference, or for future users you can add the file to the user template by dropping it into /System/Library/User Template/English.lproj/Library/Preferences. While this will keep new .DS_Store files from being generated on network volumes (the NetworkStores in the key name), it will not do so for local volumes, including those on an Xsan (since the Finder treats Xsan volumes as local volumes in this context). It's also worth noting that you'll probably need to reboot after you run these commands. Once you've disabled the creation of new .DS_Store files you'll more than likely want to eliminate the ones already on your volume. To do so, use the find command with the -name flag and the -exec flag followed by rm (replacing /path/to/share with the path to your actual share; the semicolon that ends the -exec clause must be escaped so the shell passes it to find):
find /path/to/share -name .DS_Store -exec rm {} \;
For the above command to process correctly, the account it runs as needs to be able to access files in every folder of the tree where a .DS_Store file may exist. If you find that new .DS_Store files are created after all this is complete, look at the owner of the new files. Typically you'll find that a user account was skipped, and it's that user who is listed as the owner of the new .DS_Store files.
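Since the post's own troubleshooting step is to look at who owns freshly created .DS_Store files, it helps to have the sweep report owners before it deletes anything. The script below is an added example, not code from the original post: it counts .DS_Store files per owner under a share (the accounts that still appear after the preference rollout are the ones you missed), then removes them with the same escaped -exec form as above. The sample tree it builds under mktemp is constructed so the script runs anywhere; point the functions at a real share path instead.

```shell
#!/bin/sh
# Added example (not from the original post): report and sweep .DS_Store files.
# Usage on a real share:  ds_store_report /path/to/share ; ds_store_sweep /path/to/share

# ds_store_report: count .DS_Store files under $1 by owner (third column of ls -ld).
# After the DSDontWriteNetworkStores rollout, any owner still listed is an account
# that did not get the preference.
ds_store_report() {
  find "$1" -name .DS_Store -type f -exec ls -ld {} \; 2>/dev/null \
    | awk '{ print $3 }' | sort | uniq -c | sort -rn
}

# ds_store_sweep: delete .DS_Store files under $1 and print how many were removed.
# Uses -exec rm {} \; rather than -delete so it works on the older BSD find in
# Mac OS X as well as GNU find on Linux.
ds_store_sweep() {
  before=$(find "$1" -name .DS_Store -type f | wc -l | tr -d ' ')
  find "$1" -name .DS_Store -type f -exec rm {} \;
  echo "$before"
}

# make_sample_share: build a constructed share tree in a temp dir and print its path.
# Three .DS_Store files at different depths plus one real file that must survive.
make_sample_share() {
  dir=$(mktemp -d)
  mkdir -p "$dir/Projects/2009" "$dir/Archive"
  : > "$dir/.DS_Store"
  : > "$dir/Projects/.DS_Store"
  : > "$dir/Projects/2009/.DS_Store"
  : > "$dir/Archive/README.txt"
  echo "$dir"
}

share=$(make_sample_share)
echo "owners of .DS_Store files under $share:"
ds_store_report "$share"
echo "removed $(ds_store_sweep "$share") .DS_Store files"
rm -rf "$share"
```

Run the report first and the sweep second; if the report is empty a day after the sweep, the preference took everywhere, and if not, the owner column tells you which account to fix.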

May 24th, 2009

Posted In: Mac OS X, Mac OS X Server, Mass Deployment, Ubuntu, Unix, Xsan


Did ya’ know you can Kerberize it?

February 2nd, 2008

Posted In: Mac OS X Server, Mac Security
