krypted.com

Tiny Deathstars of Foulness

File Services are perhaps the most important aspect of any server, because file servers are often the first server an organization purchases. There are a number of protocols built into OS X Mavericks Server dedicated to serving files, including AFP, SMB and WebDAV. These services, combined, comprise the File Sharing service in OS X Mavericks Server (Server 3). File servers have shares. In OS X Mavericks Server we refer to these as Share Points. By default:
  • File Sharing has some built-in Share Points that not all environments will require.
  • Each of these shares is also served by AFP and SMB, something else you might not want (many purely Mac environments might not even need SMB). Or if you have iOS devices, you may only require WebDAV sharing.
  • Each share has permissions that Apple provides which will work for some but not all.
In short, the default configuration probably isn’t going to work for everyone. Therefore, before we do anything else, let’s edit the shares to make them secure. The first step is to create all of your users and groups (or at least the ones that will get permissions to the shares). This is done in the Server app using the Users and Groups entries in the List Pane. Once users and groups are created, open the Server app and then click on the File Sharing service in the SERVICES list in the List Pane. Here, you will see a list of the shares on the server.

In our example configuration we’re going to disable the built-in Groups share. To do so, click on Groups one time and then click on the minus button on the screen.

As mentioned, shares can be shared out using different protocols. Next, we’re going to disable SMB for Public. To do so, double-click on Public and then uncheck the SMB protocol checkbox for the share. When you’ve disabled SMB, click on the Done button to save the changes to the server.

Next, we’re going to create a new share for iPads to put their work in, above and beyond the WebDAV instance automatically used by the Wiki service. To create the share, first create a directory for the share to live in on the computer, in this case /Shared Items/iPads. Then, from the File Sharing pane in the Server app, click on the plus sign (“+”). At the browse dialog, browse to the location of your iPad directory and then click on the Choose button. At the File Sharing pane, double-click on the new iPads share. At the screen for the iPads share, feel free to edit the name of the share (how it appears to users), as by default it uses the name of the directory as the name of the share.

Then, it’s time to configure who has access to what on the share. Here, use the plus sign (“+”) in the Access section of the pane to add groups that should have permission to access the share. You can also change the groups in the list by double-clicking on the name of the group and providing a new group name, or by clicking on the plus sign to add a user or group. The permissions available in this screen for users that are added are Read & Write, Read Only/Read and Write. POSIX permissions (the bottom three entries) also have the option for No Access, but ACLs (the top entries comprise an Access Control List) don’t need such an option: if there is no ACE (Access Control Entry) for the object then No Access is assumed.

If more granular permissions are required, click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions. As can be seen, there are a number of other options in this view that let you control permissions to files and directories more granularly.

If you make a share a home folder, you can use that share to store home folders for user accounts, provided the server uses Open Directory. Once a share has been made an option for home folders it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service.

Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for each share, click on the ON button to start the File Sharing service.

To connect to a share, use the Connect to Server dialog, available by clicking Connect to Server in the Go menu. A change in Mavericks is that when you enter an address, the client connects over SMB. If you’d like to connect over AFP, enter afp:// in front of the address and then click Connect.

The File Sharing service can also be controlled from the command line. Mac OS X Server provides the sharing command. You can create, delete and augment information for share points using sharing. To create a share point for AFP you can use the following command:

sharing -a <path> -A <share name>

So let’s say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command:

sharing -a /Shares/Public -A PUBLIC

Now, the -a here will create the share for AFP, but what if you want to create a share for other protocols? Well, -F does FTP and -S does SMB. Once created, you can disable the share using the following command:

sharing -r PUBLIC

To then get a listing of shares you can use the following command:

sharing -l

You can also use the serveradmin command to manage file shares as well as the sharing service. To see settings for file shares, use the serveradmin command along with the settings option and then define the sharing service:

sudo serveradmin settings sharing

Sharing settings include the following:

sharing:sharePointList:_array_id:/Users/admin/Public:smbName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:isIndexingEnabled = no
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_group_id = "35DF29D6-D5F3-4F16-8F20-B50BCDFD8743"
sharing:sharePointList:_array_id:/Users/admin/Public:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_account_uuid = "51BC33DC-1362-489E-8989-93286B77BD4C"
sharing:sharePointList:_array_id:/Users/admin/Public:path = "/Users/admin/Public"
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:afpName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeStandard\:GeneratedUID = "4646E019-352D-40D5-B62C-8A82AAE39762"
sharing:sharePointList:_array_id:/Users/admin/Public:smbDirectoryMask = "755"
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbCreateMask = "644"
sharing:sharePointList:_array_id:/Users/admin/Public:ftpName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:name = "administrator's Public Folder"

To see settings for the services, use the serveradmin command with the settings option followed by the service, afp or smb:

sudo serveradmin settings afp

AFP settings include:

afp:maxConnections = -1
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.978EED40F79A72F4309A272E6586CF0A3B8C062E@LKDC:SHA1.978EED40F79A72F4309A272E6586CF0A3B8C062E"
afp:fullServerMode = yes
afp:allowSendMessage = yes
afp:maxGuests = -1
afp:activityLog = yes

To see a run-down of some of the options for afp, see this article I did previously. Additionally, for a run-down of smb options, see this one.
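As an added example that is not part of the original post, the POSIX shell script below audits the key/value listing that sudo serveradmin settings sharing prints, flagging share points that still allow guest access over AFP or SMB and share points still exported over SMB (the two things the post turns off by hand in the Server app). SAMPLE_SETTINGS is constructed here in the same key format as the listing above so the script runs offline; on a live server you would pipe the serveradmin output into the same functions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the key/value listing that
# "sudo serveradmin settings sharing" prints, flagging share points that allow
# guest access over AFP or SMB and share points still exported over SMB.
# SAMPLE_SETTINGS is constructed here in the same key format as the post's
# listing so the script runs offline; on a Mavericks server you would run
#   sudo serveradmin settings sharing | guest_enabled_shares
# against the live output instead.

SAMPLE_SETTINGS='sharing:sharePointList:_array_id:/Users/admin/Public:afpIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsShared = no
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsShared = yes'

# Read settings on stdin; emit "<path> <protocol>" for each share point whose
# guest access is enabled. The key layout is
#   sharing:sharePointList:_array_id:<path>:<attribute> = <value>
# and the greedy \(.*\) binds to the last ':' before the attribute, so paths
# containing spaces (such as /Shared Items/iPads) are recovered intact.
guest_enabled_shares() {
  sed -n 's/^sharing:sharePointList:_array_id:\(.*\):\([a-z]*\)IsGuestAccessEnabled = yes$/\1 \2/p'
}

# Read settings on stdin; emit "<path>" for each share point still served
# over SMB (smbIsShared = yes).
smb_shared_paths() {
  sed -n 's/^sharing:sharePointList:_array_id:\(.*\):smbIsShared = yes$/\1/p'
}

# Run both checks over the settings text passed as $1 and print one tagged
# finding per line: "GUEST <path> <protocol>" or "SMB <path>".
audit_sharing_settings() {
  printf '%s\n' "$1" | guest_enabled_shares | sed 's/^/GUEST /'
  printf '%s\n' "$1" | smb_shared_paths | sed 's/^/SMB /'
}

# Stand-alone run against the constructed sample.
audit_sharing_settings "$SAMPLE_SETTINGS"
```

An empty result means no share point has guest access on either protocol and none is exported over SMB; anything else is a share to review in the Server app or remove with sharing -r.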

October 23rd, 2013

Posted In: Uncategorized


File Services are perhaps the most important aspect of any server, because file servers are often the first server an organization purchases. There are a number of protocols built into OS X Mountain Lion Server dedicated to serving files, including AFP, SMB and WebDAV. These services, combined, comprise the File Sharing service in OS X Mountain Lion Server. File servers have shares. In OS X Mountain Lion Server we refer to these as Share Points. By default:
  • File Sharing has some built-in Share Points that not all environments will require.
  • Each of these shares is also served by AFP and SMB, something else you might not want (many purely Mac environments might not even need SMB). Or if you have iOS devices, you may only require WebDAV sharing.
  • Each share has permissions that Apple provides which will work for some but not all.
In short, the default configuration probably isn’t going to work for everyone. Therefore, before we do anything else, let’s edit the shares to make them secure. The first step is to create all of your users and groups (or at least the ones that will get permissions to the shares). This is done in the Server app using the Users and Groups entries in the List Pane. Once users and groups are created, open the Server app and then click on the File Sharing service in the SERVICES list in the List Pane. Here, you will see a list of the shares on the server.

In our example configuration we’re going to disable the Groups share. To do so, click on Groups one time and then click on the minus button on the screen.

As mentioned, shares can be shared out using different protocols. Next, we’re going to disable SMB for Public. To do so, double-click on Public and then uncheck the SMB protocol checkbox for the share. When you’ve disabled SMB, click on the Done button to save the changes to the server.

Next, we’re going to create a new share for iPads to put their work in, above and beyond the WebDAV instance automatically used by the Wiki service. To create the share, first create a directory for the share to live in on the computer, in this case /Shared Items/iPads. Then, from the File Sharing pane in the Server app, click on the plus sign (“+”). At the browse dialog, browse to the location of your iPad directory and then click on the Choose button. At the File Sharing pane, double-click on the new iPads share. At the screen for the iPads share, feel free to edit the name of the share (how it appears to users), as by default it uses the name of the directory as the name of the share.

Then, it’s time to configure who has access to what on the share. Here, use the plus sign (“+”) in the Access section of the pane to add groups that should have permission to access the share. You can also change the groups in the list by double-clicking on the name of the group and providing a new group name, or by clicking on the plus sign to add a user or group. The permissions available in this screen for users that are added are Read & Write, Read Only/Read and Write. POSIX permissions (the bottom three entries) also have the option for No Access, but ACLs (the top entries comprise an Access Control List) don’t need such an option: if there is no ACE (Access Control Entry) for the object then No Access is assumed.

If more granular permissions are required, click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions. As can be seen, there are a number of other options in this view that let you control permissions to files and directories more granularly.

Once you have given all of the appropriate users access to the share, go back to the settings for the share and scroll to the bottom of the screen. Here, you have the option to set which protocols the share is accessible through (AFP, SMB & WebDAV), to make the share accessible to guests (only do this if the share should be publicly accessible) and to make the share an option for home folders. Click Done once you’ve configured the share appropriately. Once a share has been made an option for home folders it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service.

Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for each share, click on the ON button to start the File Sharing service.

The File Sharing service can also be controlled from the command line. Mac OS X Server provides the sharing command. You can create, delete and augment information for share points using sharing. To create a share point for AFP you can use the following command:

sharing -a <path> -A <share name>

So let’s say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command:

sharing -a /Shares/Public -A PUBLIC

Now, the -a here will create the share for AFP, but what if you want to create a share for other protocols? Well, -F does FTP and -S does SMB. Once created, you can disable the share using the following command:

sharing -r PUBLIC

To then get a listing of shares you can use the following command:

sharing -l

You can use the sharing command to enable FTP for various share points. To do so, enable FTP using the Server app and then use the instructions at this site to manage FTP on shares: http://krypted.com/mac-os-x/ftp-on-lion-server.

You can also use the serveradmin command to manage file shares as well as the sharing service. To see settings for file shares, use the serveradmin command along with the settings option and then define the sharing service:

sudo serveradmin settings sharing

To see settings for the services, use the serveradmin command with the settings option followed by the service, afp or smb:

sudo serveradmin settings afp

To see a run-down of some of the options for afp, see this article I did previously. Additionally, for a run-down of smb options, see this one.

August 8th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Public Folders in MobileMe can be password protected. They can also be set as Read Only, using the iDisk tab of the MobileMe System Preference pane. Here, in a section called Your iDisk Public Folder, you will see an option to Allow others to:, which you can set to Read only or Read and Write. If you set it to Read only then, while users will be able to see the files you store on your iDisk, they will not be able to alter them. If you set it to Read and Write then other users will be able to upload to your Public Folder.

But if you check the box for Password-protect your public folder, you might wonder just what username and password combination to use. Well, the password is simple enough: just click on the Set Password button. But the username… Click on the link listed in the Preference pane and you’ll be asked not just for a password but also for a user name. It’s public. Simple enough, but who’d have guessed. Obviously you can also use your actual MobileMe username and password, but most users aren’t going to want to hand that out to others.

When you provide others with access, you will tell them to do one of two things. #1, open http://public.me.com/ followed by your username. When they are prompted they’ll enter public for the user name and then the password you set. The other way is from a Mac: click on the Finder, then click on Go, then click on iDisk, then click on Other User’s Public Folder. Here they’ll be prompted for a username and password. That too is the username public followed by the password you entered in the System Preference pane.

Uploading and downloading files yourself is easier, assuming that the MobileMe System Preference pane already has your username and password stored. All you have to do is click on the Go menu, then click on iDisk and then click on My iDisk. Or, use the keystroke combo of Command-Shift-I. In your iDisk you’ll see a folder called Public, which should mirror what others see in your iDisk.

May 18th, 2009

Posted In: Mac OS X
