krypted.com

Tiny Deathstars of Foulness

Server comes with a command called RoomsAdminTool, located at /Applications/Server.app/Contents/ServerRoot/usr/bin/RoomsAdminTool. This tool can list available rooms using the -l flag:

RoomsAdminTool -l

You can also create new rooms using the following format, where krypted is the name of the room, the persistent option means the room is, er, persistent, and the description option sets the description used for the room:

RoomsAdminTool -n krypted -c persistent yes description "This room is for friends of krypted only"

To then delete the room, use the -d option:

RoomsAdminTool -n krypted -d

Add -v to do any of this verbosely. There are lots of other options as well, as follows (from the man page):

Valid Configuration Keys and Values:
  • description (string): A short description for the room.
  • password (string): Define a password for room entry. An empty string implies no password required.
  • membersOnly (yes | no): Only room members are allowed to enter the room.
  • subjectLocked (yes | no): Are non-moderators and non-admins prevented from setting the room subject.
  • logFormat (Disabled | Text | XHTML): Disable room logging, or enable it using Text or XHTML.
  • maxUsers (integer; 0 for unlimited): Set the maximum allowed occupants for the room.
  • moderated (yes | no): Make the room "moderated".
  • nonAnonymous (yes | no): If "yes", only moderators/owners can discover occupants' real JIDs.
  • persistent (yes | no): Persistent rooms stay open until they are explicitly destroyed and their configuration survives service restarts, unlike non-persistent rooms.
  • privateMessagesAllowed (yes | no): Whether or not occupants can exchange private messages within the room.
  • roomPublic (yes | no): Defines whether the room can be discovered by anyone.
  • subject (string): Set a room subject/topic.
  • usersCanInvite (yes | no): Defines whether occupants can invite other users to enter the room.
  • addOwner (valid JabberID): Make the specified user a room owner (ex.: admin@krypted.com). Rooms can have multiple owners.
  • removeOwner (valid JabberID): Remove the specified user from the room owner list.
  • addAdmin (valid JabberID): Make the specified user a room admin.
  • removeAdmin (valid JabberID): Remove the specified user from the room admin list.
  • addMember (valid JabberID): Make the specified user a room member.
  • removeMember (valid JabberID): Remove the specified user from the room member list.
  • addOutcast (valid JabberID): Make the specified user a room outcast (banned from public rooms).
  • removeOutcast (valid JabberID): Remove the specified user from the room outcast list.
Ultimately, if you’d like to do Student Information System (SIS) integration, or wait for an AD/OD group and then programmatically generate rooms, this is how you’d do it.

November 7th, 2016

Posted In: Mac OS X Server


Configuring Calendar Server in macOS Server 5 (running on Sierra) is a fairly simple and straightforward process. The Calendar Server is a CalDAV Server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in macOS Server 5.2, first open the Server application and click on Calendar in the SERVICES section of the sidebar.

Once open, click on Enable invitations by email to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.

At the Configure Server Email Address screen, provide the type of incoming mail service in use, the address of the mail server and the port number used (if not a standard port for HTTPS-based IMAP, or POP if you'd prefer), the user name and the valid password for the account. Then click on the Next button.

At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button.

At the Mail Account Summary screen, review the settings and, if correct, click Finish.

Back at the service configuration screen, click on the plus sign ("+") and provide a type of location, an address, a delegate, a name for the location, whether or not invitations to the resource are accepted and then enter the account name for any accounts that can manage the location's calendar (they will auto-complete, so there's no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in Type to configure a resource instead of a location. The two are the same, except for the Type field.

There are a number of settings that can also be configured, but those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the settings option of the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar

There are a number of settings for the Calendar service, including the following:

calendar:DefaultLogLevel = "info"
calendar:EnableAPNS = yes
calendar:EnableSSL = yes
calendar:DirectoryAddressBook:params:queryUserRecords = yes
calendar:DirectoryAddressBook:params:queryPeopleRecords = yes
calendar:EnableSearchAddressBook = yes
calendar:HTTPPort = 80
calendar:AccountingCategories:HTTP = no
calendar:AccountingCategories:Implicit Errors = no
calendar:AccountingCategories:iTIP = no
calendar:AccountingCategories:migration = no
calendar:AccountingCategories:AutoScheduling = no
calendar:AccountingCategories:iSchedule = no
calendar:AccountingCategories:iTIP-VFREEBUSY = no
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:EnableCardDAV = no
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Sending:Address = "com.apple.calendarserver@osxserver.krypted.com"
calendar:Scheduling:iMIP:Sending:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Sending:Password = "79PreYsZSFfZZC6v"
calendar:Scheduling:iMIP:Sending:Port = 587
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Receiving:Password = "79PreYsZSFfZZC6v"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:SSLPrivateKey = ""
calendar:LogLevels = _empty_dictionary
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:ServerRoot = "/Library/Server/Calendar and Contacts"
calendar:SSLCertificate = ""
calendar:EnableCalDAV = no
calendar:Notifications:Services:APNS:Enabled = yes
calendar:SSLPort = 443
calendar:RedirectHTTPToHTTPS = yes
calendar:SSLAuthorityChain = ""
calendar:ServerHostName = "odr.krypted.com"

One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:HTTPPort = 8008

For HTTPS:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start calendar

Or to stop it:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop calendar

Or to get the status:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin fullstatus calendar

Full status indicates that the three services are running:

calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"

Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application, click on the Calendar menu and select Add Account. From the Add Account screen, click on the Add CalDAV Account radio button and click Continue. Select CalDAV from the Account Type menu, enter the User Name and password configured on the server, and add the address of the server if you don't have any service records pointing to the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server.

Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account; then, to share a calendar, right-click on the calendar and click on Share Calendar… At the Share Calendar screen, provide the name the calendar should appear as to others and anyone with whom you'd like to share your calendar.

Back at the Calendar Settings screen, use the settings to configure Availability and the refresh rate of calendars. Click on Server Settings to assign custom port numbers. Click on the Delegation tab to view any accounts you've been given access to. Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.

Overall, the Calendar service in Server 5.2 is one of the easiest to configure on Sierra. Most of the work goes into settings configured on client systems. This, as with Exchange, distributes administration, often making administration more complicated than with many other tools. But that's a good thing; no one wants to access other people's accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…
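The settings listing above is where the transport and authentication posture of the service lives. The following script is an added example (not from the post and not Apple tooling) that reads `serveradmin settings calendar` output and flags the keys a reviewer would check first: SSL off, HTTP not redirected to HTTPS, and Basic auth permitted over an unencrypted connection. The SAMPLE and WEAK inputs are constructed from the keys shown above.

```shell
#!/bin/sh
# Added example: audit the security-relevant keys in
# `serveradmin settings calendar` output. Against a live server run:
#   sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar | audit_calendar
# SAMPLE and WEAK below are constructed inputs built from the keys the post lists.

# audit_calendar < settings: prints one line per weak setting, nothing when clean.
audit_calendar() {
    awk -F' = ' '
        NF == 2 {
            val = $2
            gsub(/[" ]/, "", val)          # strip the quotes serveradmin prints around strings
            v[$1] = val
        }
        END {
            if (v["calendar:EnableSSL"] != "yes")
                print "EnableSSL is not yes: CalDAV is served over plain HTTP only"
            if (v["calendar:RedirectHTTPToHTTPS"] != "yes")
                print "RedirectHTTPToHTTPS is not yes: clients that start on HTTP stay on HTTP"
            if (v["calendar:Authentication:Basic:Enabled"] == "yes" &&
                v["calendar:Authentication:Basic:AllowedOverWireUnencrypted"] == "yes")
                print "Basic auth allowed unencrypted: passwords cross the wire in cleartext"
        }'
}

# weak_setting_count < settings: number of findings, handy for scripting.
weak_setting_count() {
    audit_calendar | wc -l | tr -d ' '
}

# Constructed sample matching the hardened values shown in the post.
SAMPLE=$(cat <<'EOF'
calendar:EnableSSL = yes
calendar:HTTPPort = 8008
calendar:SSLPort = 8443
calendar:RedirectHTTPToHTTPS = yes
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:SSLCertificate = ""
EOF
)

# Constructed sample with the weak settings the checks are meant to catch.
WEAK=$(cat <<'EOF'
calendar:EnableSSL = no
calendar:HTTPPort = 8008
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = yes
EOF
)

printf 'hardened sample: %s findings\n' "$(printf '%s\n' "$SAMPLE" | weak_setting_count)"
printf 'weak sample:\n'
printf '%s\n' "$WEAK" | audit_calendar
```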

October 14th, 2016

Posted In: Mac OS X Server


The changes in the Server app were far more substantial in the El Capitan version (OS X Server 5) than in the macOS Server 5.2 version that we're now looking at. All of the options from OS X are still there, and the dnsconfig command line interface for managing the service is basically unchanged. The DNS service in OS X Server, as with previous versions, is based on bind 9 (BIND 9.9.7-P3 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, OS X, Linux and even Zoe-R.

The first time you open the DNS service, click on the DNS service in the ADVANCED section of the list of SERVICES. Then, click on the cog wheel icon below the list of records and click on Show All Records. At the Records screen, you'll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you'll be able to enter Forwarders, or DNS servers that resolve names that the server you're using can't resolve using its own DNS records. Click the plus sign and enter the IP address of any necessary Forwarders, then click OK to save your changes. Once back at the main DNS service control screen, click the Edit… button for Perform lookups for to configure which computers can use the DNS service that the server you are setting up is hosting.

At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”.

All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. To list the various types of records:
  • Primary Zone: The DNS “Domain”. For example, www.krypted.com would likely have a primary zone of krypted.com.
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the “machine” record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps IP addresses back to the names that hosts within the zone answer with. Reverse Zones are comprised of Reverse Mappings, and each octet change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: Records that can hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • Mail Exchanger Record (aka MX record): Mail Exchanger, points to the IP address of the mail server for a given domain (aka Primary or Secondary Zone).
  • Secondary Zone: A read only copy of a zone that is copied from the server where it’s a Primary Zone when created and routinely through what is known as a Zone Transfer.

When you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone include the following.

First is the name for the zone. In the example shown, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for that zone, the entry should be krypted.com rather than mavserver.krypted.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the "Zone data is valid for" field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes). Once changes are made, the TTL can be set to a larger number in order to reduce the amount of traffic hitting the server (DNS traffic is really light, so probably not a huge deal in most environments using a macOS Server as their DNS server). Check the box for "Allow zone transfers" if there will be other servers that use this server to look up records. Additionally, if the zone is to be a secondary zone configured on another server, you can configure the frequency to perform zone transfers at this screen, how frequently to perform lookups when the primary name server isn't responsive and when to stop bothering to try if the thing never actually ends up coming back online. Click on Done to commit any changes made, or to save a new record if you're creating a new zone.
“Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.” — http://krypted.com/mac-os-x/dont-go-near-there-sponsored-top-level-domain-names/
Double-click on a Machine record next (or click plus to add one). Here, provide a hostname along with an IP address and indicate the Zone that the record lives in. The IP Addresses field seems to allow for multiple IPs, which is common in round robin DNS, or when one name points to multiple servers and lookups rotate amongst the servers. However, it's worth mentioning that when I configure multiple IP addresses, the last one in the list is the only one that gets fed to clients. Therefore, for now at least, you might want to stick with one IP address per name.

Note that the Machine record screen has the domain in the Zone field and the name of the record, such as www, for the zone called, for example, krypted.lan. Click Done to commit the changes or create the new record. Next, let's create an MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records.

Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypted.lan, so mail.krypted.lan. If you have multiple MX records, increment the priority number for the lower priority servers.

As a full example, let's create a zone and some records from scratch. Let's set up this zone for an Xsan metadata network, called krypted.xsan. Then, let's create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan, which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone.


At the zone screen, enter the name of the domain you’re setting up (e.g. krypted.com, also known as the zone), check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record.


At the New Machine Record screen, select the appropriate zone as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in the appropriate IP. Click on Done to commit the changes. Repeat the process for each host that needs an address and then click Done to create the records.

Setting Up Secondary Servers

Now let's set up a secondary server by leveraging a secondary zone running on a second computer. On the second macOS Server, click on the plus sign for the DNS service and select Add Secondary Zone.
At the Secondary Zone screen, enter krypted.xsan as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field. Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).

Managing DNS From The Command Line

Now, all of this is pretty straightforward. Create a zone, create some records inside the zone and you're good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you: for example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in macOS Server is to do everything possible using the serveradmin command for global management and dnsconfig for record and zone management. Once you start editing configuration files, the user interface can become unstable and other updates may or may not override the updates you make in those configuration files. To start the service, use the start option:

sudo serveradmin start dns

To stop the service, use the stop option:

sudo serveradmin stop dns

To get the status of the service, including how many zones are being hosted, the last time it was started, the status at the moment, the version of bind (9.8.1 right now) and the location of the log files, use the fullstatus option:

sudo serveradmin fullstatus dns

A number of other tasks can be performed using the settings option. For example, to enable Bonjour Client Browsing, an option previously available in Server Admin, use the following command:

sudo serveradmin settings dns:isBonjourClientBrowsingEnabled = yes

Zones can be created programmatically through serveradmin as well. Let's look at what our krypted.xsan zone looks like by default (substitute your own zone name for krypted.xsan to see your output):

sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan

Now, let's say we'd like to disable bonjour registration of just this zone, but leave it on for the others on the server:

sudo serveradmin settings dns:views:_array_id:com.apple.ServerAdmin.DNS.public:primaryZones:_array_id:krypted.xsan:bonjourRegistration = no

The entire block can be fed in for new zones, if you have a lot of them. Just remember to always make sure that the serial option for each zone is unique; otherwise the zones will not work properly. While serveradmin is one way to edit zone data, it isn't the only way: you can also use the dnsconfig options described in http://krypted.com/?p=45195. /private/var/named contains a file for each zone the server is configured for. Secondary zones are flat and don't have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of the test zone we created, let's view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone):

cat /var/named/db.krypted.xsan

Add another record at the bottom and stop/start DNS to immediately see the ramifications of doing so. Overall, DNS is one of those services that seems terribly complicated at first. But once you get used to it, I actually find manually editing zone files far faster and easier than messing around with the Server app or, previously, Server Admin. However, I also find that occasionally all my settings vanish, because the Server app can make changes in there. Troubleshooting is another place where the command line can be helpful. While logs can be found in the Server app, I prefer to watch log entries live as I perform lookups using the /Library/Logs/named.log file. To do so, run tail -f followed by the name of the file:

tail -f /Library/Logs/named.log
Also, see http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the new /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig command line tool. I’ve written an article on managing DNS using this tool, available here.
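To make the zone-file side of this concrete, here is an added example (not from the post and not what the Server app itself writes) that builds a BIND zone file for the krypted.xsan zone set up above, with starbuck at 10.0.0.2 and apollo at 10.0.0.3, builds the matching reverse zone, and bumps the SOA serial the way any hand edit of db.krypted.xsan needs before a secondary will transfer the change. The serial value, the hostmaster address and the SOA timers are constructed; the layout is a standard BIND zone file rather than a byte-for-byte copy of the Server app's output.

```shell
#!/bin/sh
# Added example: generate forward and reverse zone files for krypted.xsan
# and bump the SOA serial. Serial, hostmaster and timers are constructed
# values; the format is a plain BIND zone file, not the Server app's own.

# make_zone ZONE NS_HOST SERIAL "host ip" ["host ip" ...]
# Prints a forward zone: SOA, one NS record and one A record per host.
make_zone() {
    zone=$1; ns=$2; serial=$3; shift 3
    printf '$TTL 3600\n$ORIGIN %s.\n' "$zone"
    printf '@\tIN\tSOA\t%s.%s. hostmaster.%s. (\n' "$ns" "$zone" "$zone"
    printf '\t\t%s\t; serial\n' "$serial"
    printf '\t\t3600\t; refresh\n\t\t900\t; retry\n'
    printf '\t\t604800\t; expire\n\t\t300 )\t; negative-cache TTL\n'
    printf '@\tIN\tNS\t%s.%s.\n' "$ns" "$zone"
    for pair in "$@"; do
        # "${pair%% *}" is the host name, "${pair#* }" the IP address
        printf '%s\tIN\tA\t%s\n' "${pair%% *}" "${pair#* }"
    done
}

# make_reverse ZONE NS_HOST SERIAL "host ip" ["host ip" ...]
# Prints the in-addr.arpa zone for a /24 with one PTR per host (what the
# Server app calls a Reverse Mapping). Assumes every host shares the first
# three octets of the first host's address.
make_reverse() {
    zone=$1; ns=$2; serial=$3; shift 3
    ip=${1#* }
    rev=$(printf '%s\n' "$ip" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }')
    printf '$TTL 3600\n$ORIGIN %s.\n' "$rev"
    printf '@\tIN\tSOA\t%s.%s. hostmaster.%s. (\n' "$ns" "$zone" "$zone"
    printf '\t\t%s\t; serial\n\t\t3600\t; refresh\n\t\t900\t; retry\n' "$serial"
    printf '\t\t604800\t; expire\n\t\t300 )\t; negative-cache TTL\n'
    printf '@\tIN\tNS\t%s.%s.\n' "$ns" "$zone"
    for pair in "$@"; do
        # last octet of the IP becomes the record name, host name the target
        printf '%s\tIN\tPTR\t%s.%s.\n' "${pair##*.}" "${pair%% *}" "$zone"
    done
}

# serial_of < zonefile: print the current SOA serial.
serial_of() { awk '/; serial$/ { print $1 }'; }

# bump_serial < zonefile: increment the SOA serial in the stream. A secondary
# only pulls a new copy when the primary's serial is higher than its own, so
# every manual edit of db.<zone> has to go through a step like this.
bump_serial() { awk '/; serial$/ { sub(/[0-9]+/, $1 + 1) } { print }'; }

# Demo with the post's hosts; serial 2016101301 is a constructed YYYYMMDDnn value.
make_zone krypted.xsan starbuck 2016101301 "starbuck 10.0.0.2" "apollo 10.0.0.3"
echo
make_reverse krypted.xsan starbuck 2016101301 "starbuck 10.0.0.2" "apollo 10.0.0.3"
```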

October 13th, 2016

Posted In: Mac OS X Server, Mac Security


File Services are perhaps the most important aspect of any server because file servers are often the first server an organization purchases. This has been changing over the past few years, with many a file being hosted by cloud solutions, such as Box, Dropbox, Google Drive, and of course, iCloud. And rightfully so. But many still need a terrestrial server and for predominantly Apple environments, a macOS Server running on Sierra isn’t exactly a bad idea (for many it is, so whatever there). There are a number of protocols built into macOS Server dedicated to serving files, including AFP, SMB and WebDAV. These services, combined comprise the File Sharing service in macOS Server 5.2 running on top of a Sierra Mac. Note: I’ve got another article looking into FTP a little further but those are basically the services that I’ll stick to here. File servers have shares. In macOS Server 5.2 (and many other solutions), we refer to these as Share Points. The first step to setting up a file share is to create all of your users and groups (or at least the ones that will get permissions to the shares). This is done in Server app using the Users and Groups entries in the List Pane. Once users and groups are created, open the Server app and then click on the File Sharing service in the SERVICES list in the List Pane. Here, you will see a list of the shares on the server. screen-shot-2016-09-26-at-9-53-30-pm If you’re just getting started, let’s go ahead and disable any built-in shares by clicking on the share and then clicking on the minus button (-) while the share is highlighted. When prompted to remove the share, click on the Remove button. screen-shot-2016-09-26-at-9-54-00-pm As mentioned, shares can be shared out using different protocols. Next, we’re going to disable SMB for Public, simply as an example. To do so, double-click on Public and then uncheck the SMB protocol checkbox for the share. 
screen-shot-2016-09-26-at-9-54-18-pm When you’ve disabled SMB for the last share, you’ve effectively disabled SMB. Click on the Done button to save the changes to the server. Editing shares is really that easy. Next, we’re going to create a new share for iPads to be able to put their work, above and beyond the WebDAV instance automatically used by the Wiki service. To create the share, first we’re going to create a directory for the share to live in on the computer, in this case in the /Shared Items/iPads directory. screen-shot-2016-09-26-at-9-55-18-pm Then from the File Sharing pane in Server app, click on the plus sign (“+”). screen-shot-2016-09-26-at-9-55-55-pm At the browse dialog, browse to the location of your iPad directory and then click on the Choose button. screen-shot-2016-09-26-at-9-56-16-pm At the File Sharing pane, double-click on the new iPads share. Note that there’s a new checkbox here called “Allow only encrypted connections”. If you check this, you cannot use AFP and WebDAV. screen-shot-2016-09-26-at-9-56-57-pm At the screen for the iPads share, feel free to edit the name of the share (how it appears to users) as it by default uses the name of the directory for the name of the share. Then, it’s time to configure who has access to what on the share. Here, use the plus sign (“+”) in the Access section of the pane to add groups that should be able to have permission to access the share. Also, change the groups in the list that should have access by double-clicking on the name of the group and providing a new group name or clicking on the plus sign to add a user or group. screen-shot-2016-09-26-at-9-57-48-pm The permissions available in this screen for users that are added are Read & Write, Read Only/Read and Write. 
POSIX permissions (the bottom three entries) also have the option for No Access, but ACLs (the top entries comprise an Access Control List) don’t need such an option as if there is no ACE (Access Control Entry) for the object then No Access is assumed. If more granular permissions are required then click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions. screen-shot-2016-09-26-at-9-58-28-pm As can be seen, there are a number of other options that more granularly allow you to control permissions to files and directories in this view. If you make a share a home folder, you can use that share to store a home folder for a user account provided the server uses Open Directory. Once a share has been made an option for home folders it appears in the Server app as an available Home Folder location for users in that directory service. Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for the share, click on the ON button to start the File Sharing service. screen-shot-2016-09-26-at-9-59-28-pm To connect to a share, use the Connect to Server dialog, available by clicking Connect to Server in the Go menu. A change that happened back in Mavericks is that when you enter an address, the client connects over SMB by default (which is even better now that those connections can be encrypted). If you’d like to connect via AFP ‘cause you’re all old school, enter afp:// in front of the address and then click Connect. The File Sharing service can also be controlled from the command line. Mac OS X Server provides the sharing command. You can create, delete and augment information for share points using sharing. 
To create a share point for AFP you can use the following command:

sharing -a <path> -A <share name>

So let's say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command:

sharing -a /Shares/Public -A PUBLIC

Here -a adds the share point at the given path and -A sets the name clients see over AFP. To name the share for other protocols, -F sets the FTP name and -S sets the SMB name (the three can be combined in one command). Once created, you can remove the share point again with -r and the share name:

sharing -r PUBLIC

To then get a listing of shares you can use the following command:

sharing -l

You can also use the serveradmin command to manage file shares as well as the sharing service. To see settings for file shares, use the serveradmin command along with the settings option and then define the sharing service:

sudo serveradmin settings sharing

Sharing settings include the following:

sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeStandard\:GeneratedUID = "54428C28-793F-4F5B-B070-31630FE045AD"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Shared Items/iPads:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shared Items/iPads:path = "/Shared Items/iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:name = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:ftpName = "iPads"
sharing:sharePointList:_array_id:/Shared Items/iPads:serverDocsIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeNative\:sharepoint_group_id = "3A1C9DAD-806C-4917-A39F-9317B6F85CCD"
sharing:sharePointList:_array_id:/Shared Items/iPads:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Shared Items/iPads:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Shares/Public:ftpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:smbName = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Shares/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:isIndexingEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:dsAttrTypeStandard\:GeneratedUID = "80197252-1BC6-4391-AB00-C00EE64FD4F2"
sharing:sharePointList:_array_id:/Shares/Public:path = "/Shares/Public"
sharing:sharePointList:_array_id:/Shares/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:afpUseParentOwner = no
sharing:sharePointList:_array_id:/Shares/Public:afpName = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:ftpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:afpUseParentPrivs = no
sharing:sharePointList:_array_id:/Shares/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:name = "Public-1"
sharing:sharePointList:_array_id:/Shares/Public:ftpName = "Public-1"
sharing:sharePointList:_array_id:/Users/krypted/Public:dsAttrTypeStandard\:GeneratedUID = "0D6AF0D1-BA70-4DD4-9256-AC1B51A2761F"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Users/krypted/Public:webDAVName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbDirectoryMask = "0755"
sharing:sharePointList:_array_id:/Users/krypted/Public:afpName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbCreateMask = "0644"
sharing:sharePointList:_array_id:/Users/krypted/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Users/krypted/Public:path = "/Users/krypted/Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbUseStrictLocking = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Users/krypted/Public:name = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:smbInheritPermissions = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:ftpName = "Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:serverDocsIsShared = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsShared = no
sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbUseOplocks = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:dsAttrTypeNative\:sharepoint_group_id = "FF1970EF-0789-49C7-80B5-E9FCABDDBB49"
sharing:sharePointList:_array_id:/Users/krypted/Public:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:mountedOnPath = "/"

The keys ending in IsGuestAccessEnabled are the ones to check when reviewing a server: a yes there lets anyone who can reach that protocol into the share without a password, so read them together with the matching IsShared keys.

To see settings for the services, use the serveradmin command with the settings option followed by the service name, afp or smb:

sudo serveradmin settings afp

AFP settings include:

afp:maxConnections = -1
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.66D68615726DE922C1D1760BD2DD45B37E73ADD4@LKDC:SHA1.66D68615726DE922C1D1760BD2DD45B37E73ADD4"
afp:fullServerMode = yes
afp:allowSendMessage = yes
afp:maxGuests = -1
afp:activityLog = yes
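Reading those guest flags by eye across dozens of share points gets old quickly. The script below is an added example, not from the original post: it parses the serveradmin settings sharing output, pairs each protocol's IsGuestAccessEnabled key with its IsShared key, and prints every share and protocol where guest access is on and the protocol is actually being served. The settings text is constructed inline (with one AFP guest flag flipped to yes, and one SMB guest flag set on a share that is not served over SMB) so the script runs offline; the guest_shares function name is mine. On a real server, pipe the output of serveradmin into it instead.

```shell
#!/bin/sh
# Added example: audit `serveradmin settings sharing` output for guest-enabled share points.
# SAMPLE is constructed so this runs offline. On a server, use instead:
#   sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings sharing | guest_shares
SAMPLE='sharing:sharePointList:_array_id:/Shares/Public:afpIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Shares/Public:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:path = "/Shares/Public"
sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsShared = no
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:path = "/Shared Items/iPads"'

# Reads settings text on stdin and prints "<path> <protocol>" for every share point
# whose guest access is enabled for a protocol that is not explicitly unshared.
# Share paths containing a colon are not handled (none occur in the post's output).
guest_shares() {
  awk -F' = ' '
    # Every key looks like sharing:sharePointList:_array_id:<path>:<attribute>
    $1 ~ /^sharing:sharePointList:_array_id:/ {
      key = $1
      sub(/^sharing:sharePointList:_array_id:/, "", key)
      n = split(key, parts, ":")
      attr = parts[n]
      path = substr(key, 1, length(key) - length(attr) - 1)
      val = $2
      if (attr ~ /^(afp|smb|ftp)IsGuestAccessEnabled$/) {
        guest[path, substr(attr, 1, 3)] = val
      } else if (attr ~ /^(afp|smb|ftp)IsShared$/) {
        shared[path, substr(attr, 1, 3)] = val
      }
    }
    END {
      for (k in guest) {
        split(k, p, SUBSEP)
        # A protocol with no IsShared key at all is reported too: better a false
        # positive in an audit than a missed guest-readable share.
        if (guest[k] == "yes" && shared[k] != "no")
          print p[1], p[2]
      }
    }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE" | guest_shares
```

Run against the constructed sample it prints only /Shares/Public afp: the SMB guest flag on /Users/krypted/Public is ignored because smbIsShared is no on that share.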

October 10th, 2016

Posted In: Mac OS X Server


DNS is DNS. And named is named. Except in OS X Server. Sometimes. The configuration files for the DNS service in macOS Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/ makes it more portable across systems. The version of BIND that ships with this release is BIND 9.9.7-P3 (Extended Support Version). Traditionally, you would edit this configuration data by simply editing the configuration files, and that's absolutely still an option. In macOS Server 5.2 (for Sierra), a new command is available at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework called dnsconfig.

The dnsconfig command appears simple at first. However, the options available are more involved than they initially appear. The verbs available include help (show help information), list (show the contents of configurations and zone files), add (create records and zones) and delete (remove records and zones).

To view data available in the service, use the list verb. Options available when using the list verb include --acl (show ACLs), --view (show BIND view data), --zone (show domains configured in the service), --rr (show resource records) and --rrtype (show types of resource records). For example, let's say you have a domain called pretendco.lan and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the --zone option and the domain name:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --zone=pretendco.lan

The output would show you information about the listed zone, usually including view data:

Views:
  com.apple.ServerAdmin.DNS.public
Zones:
  pretendco.lan
Options:
  allow-transfer: none
  allow-update: none

Note that allow-transfer and allow-update are both none here. That means nobody can pull a full copy of the zone with a zone transfer and nobody can push dynamic updates into it, which is the right default; only widen them for a specific secondary server or update source that genuinely needs it.

To see a specific record, use the --rr option, followed by = and then the FQDN, so to see ecserver.pretendco.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --rr=ecserver.pretendco.lan

By default views are enabled and a view called com.apple.ServerAdmin.DNS.public is created when the DNS server first starts up. You can create other views to control what requests from different subnets see; however, even if you don't create any views, you'll need to add the --view option followed by the name of the view (--view=com.apple.ServerAdmin.DNS.public) to any records that you want to create.

To create a record, use the add verb. You can add a view (--view), a zone (--zone) or a record (--rr). Let's start by adding a record to pretendco.lan from our previous example. In this case we'll add an A record called www that points to the IP address 192.168.210.201:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201

You can add a zone by providing the --view to add the zone to and not providing a --rr option. Let's add krypted.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan

Use the delete verb to remove the data just created:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan

Or to delete that one www record from earlier, just swap the add for a delete:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201

The two commands confirm what they did with "Zone krypted.lan removed." and "Removed 1 resource record." respectively. You can also pass --option when creating objects, with the following keys (each given as the key, an = and a value; the descriptions below are taken from the help page):
  • allow-transfer Takes one or more address match list entries. Address match list entries consist of any of these forms: IP addresses, subnets or keywords.
  • allow-recursion Takes one or more address match list entries.
  • allow-update Takes one or more address match list entries.
  • allow-query Takes one or more address match list entries.
  • allow-query-cache Takes one or more address match list entries.
  • forwarders Takes one or more IP addresses, e.g. 10.1.1.1
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a Kerberos service principal
  • tkey-domain Takes a Kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the identity of the user/machine that is allowed/disallowed to update. You can also identify match-type (the type of match to be used in evaluating the entry) and match-name (the name used to match) as well as rr-types (the resource record types that can be updated).
Overall, this command is one of the best I've seen for managing DNS in a long time. It shows a commitment to continuing to make the service better: when you add records or remove them you can instantly refresh the Server app and see the updates. It's clear a lot of work went into this and it's a great tool for when you're imaging systems and want to create records back on a server, or when you're trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with views as easy as I've seen it in most platforms and is overall a breeze to work with compared to using the serveradmin command to populate objects so the GUI doesn't break when you update records by hitting files directly.
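A bulk list pulled off a downed host is untrusted input that ends up on a command line, so check every record before dnsconfig sees it. The script below is an added example and not from the original post: it reads "label type value" lines, accepts only plain host labels and IPv4 literals for A records, rejects everything else to stderr, and by default prints the dnsconfig add command for each good line rather than running it. The RECORDS list is constructed (two of its lines are deliberately bad), and the DRY_RUN variable and the function names are mine.

```shell
#!/bin/sh
# Added example: validate and bulk-load A records into a zone through dnsconfig.
# Nothing from the input reaches the shell unchecked: labels must be plain host
# labels and values must be dotted-quad IPv4 literals.
DNSCONFIG=/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig
VIEW=com.apple.ServerAdmin.DNS.public
ZONE=pretendco.lan

# Constructed input, one "<label> <type> <value>" per line. The third line has a
# shell metacharacter in the label and the fourth is not an A record; both are rejected.
RECORDS='www A 192.168.210.201
mail A 192.168.210.25
bad;name A 192.168.210.30
cname CNAME www.pretendco.lan.'

# A single DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
valid_label() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'; }
# A dotted-quad IPv4 literal (shape only; octet range is left to dnsconfig).
valid_ipv4()  { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Reads records on stdin. With DRY_RUN=1 (the default) prints the command for each
# valid A record; with DRY_RUN=0 runs it. Invalid lines are reported on stderr.
load_a_records() {
  while read -r label type value; do
    [ -z "$label" ] && continue
    if [ "$type" != "A" ] || ! valid_label "$label" || ! valid_ipv4 "$value"; then
      echo "skipping invalid record: $label $type $value" >&2
      continue
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "$DNSCONFIG add --view=$VIEW --zone=$ZONE --rr=$label $type $value"
    else
      "$DNSCONFIG" add --view="$VIEW" --zone="$ZONE" --rr="$label" "$type" "$value"
    fi
  done
}

printf '%s\n' "$RECORDS" | load_a_records
```

Run as root on the server with DRY_RUN=0 to actually create the records; add further valid_* checks before accepting other record types, since a CNAME target or TXT payload needs its own rules.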

October 5th, 2016

Posted In: Mac OS X Server, Mac Security


OS X Server 5.2, running on Sierra, comes complete with lots of awesome features. And these features are made easier with some documentation to help you get up and running, started and owning the configuration of Apple servers. One such resource is the help built into the Server app. Open the Server app, click Help, then click Server Help. You can then search and browse for information about things you'd like to accomplish using the Help Center.


Now, click the arrow for each service for information about configuring that service. And just like that, simple and easy-to-use documentation, available live on OS X Server, guiding you to accessing the features you need. You will need to be online to use it effectively, as this information is updated using official help documentation.

September 30th, 2016

Posted In: Mac OS X Server


I wrote about using the smbutil for DFS in Lion a while back. I haven't needed to write anything else as it hadn't changed since. The statshares verb has an -m option that takes the path of a mount point (e.g. if the mount is called krypted this should be something like /Volumes/krypted):

smbutil statshares -m /Volumes/krypted

When run, you see a list of all the attributes OS X tracks for that mount path, including the name of the server, the user ID, how the SMB session was negotiated, what version of SMB is in use (e.g. SMB_1), the type of share, and whether signing, extended security, Unix extensions and large files are supported. The version and signing attributes are the ones worth watching: a mount that negotiated SMB_1, or a server that does not support signing, is exactly what this output makes easy to spot. Additionally, if you'd like to see the attributes for all shares, use the -a option after statshares:

smbutil statshares -a

Overall, this is a nice health check type of verb to the smbutil command that can be added to any monitoring or troubleshooting workflow.
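To turn that health check into something a monitoring job can run, the script below (an added example, not from the original post) parses smbutil statshares -a output and prints each share that negotiated SMB_1 or whose server does not support signing. The SAMPLE text is constructed to resemble that output using the attribute names the post describes; the exact column layout and attribute spellings on a given macOS release may differ, so adjust the two regexes if your output does. The weak_smb_mounts function name is mine.

```shell
#!/bin/sh
# Added example: flag SMB mounts that negotiated SMB_1 or lack signing support,
# from `smbutil statshares -a` output. SAMPLE is constructed; on a Mac use:
#   smbutil statshares -a | weak_smb_mounts
SAMPLE='==================================================================================
SHARE                         ATTRIBUTE TYPE                VALUE
==================================================================================
krypted
                              SERVER_NAME                   fileserver.krypted.com
                              USER_ID                       501
                              SMB_NEGOTIATE                 AUTO_NEGOTIATE
                              SMB_VERSION                   SMB_1
                              SMB_SHARE_TYPE                DISK
                              SIGNING_SUPPORTED             TRUE
                              EXTENDED_SECURITY_SUPPORTED   TRUE
                              UNIX_SUPPORT                  TRUE
                              LARGE_FILE_SUPPORTED          TRUE
Public
                              SERVER_NAME                   nas.krypted.com
                              USER_ID                       501
                              SMB_NEGOTIATE                 AUTO_NEGOTIATE
                              SMB_VERSION                   SMB_3.02
                              SMB_SHARE_TYPE                DISK
                              SIGNING_SUPPORTED             FALSE
                              EXTENDED_SECURITY_SUPPORTED   TRUE
                              UNIX_SUPPORT                  TRUE
                              LARGE_FILE_SUPPORTED          TRUE
Archive
                              SERVER_NAME                   nas.krypted.com
                              SMB_VERSION                   SMB_2.1
                              SIGNING_SUPPORTED             TRUE'

# Reads statshares output on stdin and prints "<share> <reason>" for each weak mount.
# Unindented lines name a share; indented lines are "ATTRIBUTE VALUE" pairs under it.
weak_smb_mounts() {
  awk '
    /^=+$/ || /^SHARE +ATTRIBUTE/ { next }     # table header and separators
    /^[^ ]/ { share = $1; next }               # a new share name
    NF >= 2 { attr[share, $1] = $2 }           # attribute belonging to that share
    END {
      for (k in attr) {
        split(k, p, SUBSEP)
        s = p[1]; a = p[2]; v = attr[k]
        if (a == "SMB_VERSION" && v == "SMB_1")        print s, "SMB1"
        if (a == "SIGNING_SUPPORTED" && v != "TRUE")   print s, "NO_SIGNING"
      }
    }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE" | weak_smb_mounts
```

Against the constructed sample this reports Public for missing signing and krypted for SMB_1, and says nothing about Archive; a non-empty result is what a monitoring check should alert on.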

September 26th, 2016

Posted In: Mac OS X, Mac OS X Server


The first thing you'll want to do on any server is get all software updates installed on the server (done using the App Store app). Then set up the networking for the computer so you're not changing IP addresses and stuff like that once the server is installed. To do so, open System Preferences (aka the Settings app, some day) and click on the Network System Preference pane. You will almost always want to use a wired Ethernet connection on a server, but in this case we'll be using Wi-Fi. Here, click on the Wi-Fi interface and then click on the Advanced… button.

At the setup screen for the interface, provide a good static IP address. Your network administrator can provide this fairly easily. Here, make sure you have an IP address and a subnet mask. Since we need to install the Server app from the Mac App Store, and that's on the Internet, you'll also need to include a gateway, which provides access to the Internet, and, using the DNS tab, the name servers for your Internet Service Provider (ISP).

Once you have provided a static IP address, verify that you can route to the Internet (e.g. open Safari and visit a website). Provided you can, the first step to installing OS X Server is to download the Server app from the Mac App Store. Open the App Store app and search for Server. In the available apps, you'll see the Server app from Apple. Here, click on Buy and/or Get (if you already own the Server app) and then let the app download. That was pretty easy, right? Well, the fun has just gotten started. Next, open the app. When you first open the Server app, you'll see the OS X Server screen. Here, you can click on the following options:
  • This Mac: Installs the server on the Mac you're using.
  • Other Mac: Shows a list of Macs with the Server app that can be remotely configured. Choosing another system does not complete the setup process on the system you're working on at the moment.
  • Cancel: Stops the Server app setup assistant and closes the Server app.
  • Continue: Continues installing the Server app on the computer you are using.
  • Help: Brings up the OS X Server manual.

Click Continue to set up OS X Server on the machine you're currently using. You'll then be prompted for the licensing agreement from Apple. Here, check the box to "Use Apple services to determine this server's Internet reachability" and click on Agree (assuming of course that you agree to Apple's terms in the license agreement).

Installing OS X Server must be done with elevated privileges. At the prompt, enter the credentials for an account with administrative access and click on the Allow button. The services are then configured as needed and the command line tools are made accessible. This can take some time, so be patient.

When the app is finished with the automated portion of the configuration, you will be placed into the Server app for the first time. Your first order of business is to make sure that the host names are good on the computer. Here, first check the Host Name. If the name doesn't resolve properly (forward and reverse) then you will likely have problems with the server at some point, so go ahead and click on Edit Host Name… Here, enter the fully qualified address that the server should have. In the DNS article, we'll look at configuring a good DNS server, but for now, keep in mind that you'll want the DNS record that points to the server to match what you enter here. And users will use this address to access your server, so use something that is easy to communicate verbally, when needed.

At the Change Host Name screen, click Next. At the "Accessing your Server" screen, click on Internet and then click on the Next button. At the "Connecting to your Server" screen, provide the Computer Name and the Host Name. The Computer Name is what you will see when you connect to the server over Bonjour and what will be listed in the Sharing System Preference pane. The Host Name is the fully qualified domain name (FQDN) of the computer. I usually like to take the computer name and put it in front of the domain name. For example, in the following screen, I have osxserver as the name of the computer and osxserver.krypted.com as the host name.

Once you have entered the names, click on the Finish button. You are then prompted to Change Host Name. Click on Change Host Name at this screen. Next, let's open Terminal and run changeip with the -checkhostname option, to verify that the IP and hostname match:

sudo changeip -checkhostname

Provided that the IP address and hostname match, you'll see the following response:

sudirserv:success = "success"

If the IP address and hostname do not match, then you might want to consider enabling the DNS server and configuring a record for the server. But at this point, you've finished setting up the initial server and are ready to start configuring whatever options you will need on the server.

September 26th, 2016

Posted In: Mac OS X Server


By default, the Software Update Service, long a part of OS X Server, is hidden. This indicates the service is not likely to be long for this world. However, many an organization still likes to leverage cooling off periods for their Mac fleet. To see the service, once you've installed the Server app, open the Server app and then from the View menu, select Software Update. You'll then see the Software Update service. If you click off of the service and close the app, it will be hidden again. If you enable the service, you will then see it each time you open the Server app. We'll get into enabling the Software Update service in a bit. Enjoy.

September 25th, 2016

Posted In: Mac OS X Server


The Caching Server in OS X Server 5.2 (for Sierra) does content, apps, and software updates. The Software Update service is hidden by default, indicating it will likely be removed from the Server app in a future update, although when is kinda' up in the air. The Software Update service can still be enabled for now, which we'll look at later. The Caching service in the Server app works like a proxy. When 10 of your users download that latest Nicholas Sparks book and movie, you only sacrifice your WAN pipe to download it once, and the other 9 people piggy-back off that. And when 10.12.1 ships, you only need to download it over the WAN once, and the other local users will pull off that spiffy Caching server sitting in your office. Pretty sweet, right?

So, how do you use this ultra-complicated service? It looks and feels kinda' like an iPad app. Which is to say that as far as server stuffs go, this thing is pretty darn easy to use. To get started, open the Server app and then click on the Caching service in the sidebar of the Server app. Here, click on the ON button. OMG, so hard. But wait, there's more! Click on that Change Location button and you can select a larger volume for the updates that are cached. You'll likely wanna' do this because the entire series of the HBO drama OZ is kinda' big (and yes, creepy, but really well written)… If you do change the location, you'll see a window to change the volume you're caching to. That's pretty much it. Other than the waiting for the updates to move. By default, the Caching service allows for unlimited space. Use the spiffy slider to reduce the total amount of space that the service can occupy on the hard drive. This can be a good thing if it happens to be your boot volume and there are other more mission critical services hosted on that thing. Overall, this all seems pretty straightforward. So what else might you need to know?

In case you get a corrupt asset, or in case your volume fills up, there's a Reset button, to reset the cache.

The service can be controlled from the command line as well. To start it, use the serveradmin command along with the start verb and the service name (oddly, that's caching):

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start caching

To stop the service, use the stop verb along with the service name:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop caching

To see a list of settings, use the settings verb with the service name:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching

The settings are as follows, mostly available in the Server app:

caching:ReservedVolumeSpace = 25000000000
caching:CacheLimit = 350000000000
caching:ServerRoot = "/Library/Server"
caching:ServerGUID = "DEE63BBB-9F32-428B-B717-E3941F82E2DC"
caching:DataPath = "/Library/Server/Caching/Data"
caching:LocalSubnetsOnly = yes
caching:Port = 0

One setting you might choose to change is the reserved volume space, as this can keep you from getting the service started on smaller volumes. The value is in bytes, so the 25000000000 above reserves 25 GB of free space on the volume. To lower that to 10 GB:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching:ReservedVolumeSpace = 10000000000

A new setting in Server 5.2 for macOS Sierra is Peering Permissions, which defines the networks other Caching servers may sit on if they are to pull content from yours. This is like providing a proxy for a proxy: a server that can fetch an asset from a peer on the local network gets it much faster than going out to Apple for it. To define Peering Permissions, click on the Edit Peering Permissions… button. At the Caching screen, click on Only Local Subnets if you want to let the server identify which subnets are local, or Only Some Networks to define which ranges of addresses have servers that can cache content and update from your server. Click on the plus sign to add a network and then click on "Create a new network". At the Create A New Network screen, provide a name and then the first and last IP. Click Create and then add all of the appropriate subnets. Click OK when you're done. Restart the service and voilà, you're finished.

September 24th, 2016

Posted In: Mac OS X Server

