Net Stats & Windows Server

Windows Server keeps a running tally of what its file and print service has been doing: sessions accepted, sessions timed out, sessions errored out, kilobytes sent and received, mean response time, system errors, permission violations, password violations, files accessed, print jobs spooled and how often the server ran out of buffers. Getting at it is quick and easy with the net command we've all been using for 20 years, followed by stats or statistics:

net statistics

When prompted, choose server or workstation. In this case we'll use Server:

net statistics Server

The counters run from the time the Server service last started, so on a freshly built server most of them read zero. The two worth watching on any server are Permissions violations and Password violations: a count that climbs between checks means someone or something is repeatedly being denied access or presenting bad credentials to this host. If you're trying to troubleshoot client/server communications, keep in mind that you can look at much of this on the workstation side as well, but from the client's perspective:

net statistics Workstation

Configure A Mavericks File Server

File Services are perhaps the most important aspect of any server, because a file server is often the first server an organization purchases. OS X Mavericks Server (Server 3) has a number of protocols built in for serving files, including AFP, SMB and WebDAV. Combined, these services make up the File Sharing service. File servers have shares; in OS X Mavericks Server we refer to these as Share Points. By default:
  • File Sharing has some built-in Share Points that not all environments will require.
  • Each of these shares is served over both AFP and SMB, something else you might not want (many purely Mac environments might not even need SMB, and if you are serving iOS devices you may only require WebDAV).
  • Each share has the permissions Apple provides, which will work for some environments but not all.
In short, the default configuration probably isn't going to work for everyone, so before we do anything else, let's edit the shares to make them secure. The first step is to create all of your users and groups (or at least the ones that will get permissions to the shares). This is done in the Server app using the Users and Groups entries in the List Pane. Once users and groups are created, open the Server app and click on the File Sharing service in the SERVICES list in the List Pane. Here you will see a list of the shares on the server.

In our example configuration we're going to disable the built-in Groups share. To do so, click on Groups once and then click on the minus button. As mentioned, shares can be shared out using different protocols. Next, we're going to disable SMB for Public. To do so, double-click on Public and then uncheck the SMB protocol checkbox for the share. When you've disabled SMB, click on the Done button to save the changes to the server.

Next, we're going to create a new share for iPads to put their work in, above and beyond the WebDAV instance automatically used by the Wiki service. To create the share, first create a directory for the share to live in on the computer, in this case /Shared Items/iPads. Then, from the File Sharing pane in the Server app, click on the plus sign ("+"). At the browse dialog, browse to the location of your iPads directory and click on the Choose button. Back at the File Sharing pane, double-click on the new iPads share. At the screen for the iPads share, feel free to edit the name of the share (how it appears to users); by default it uses the name of the directory.

Then it's time to configure who has access to what on the share. Use the plus sign ("+") in the Access section of the pane to add the groups that should have permission to access the share, and change an existing entry by double-clicking on its name and providing a different user or group. The permissions available here are Read & Write, Read Only and Write Only. The POSIX entries (the bottom three: owner, group and everyone) also have a No Access option; the ACL entries above them (which together comprise an Access Control List) don't need one, because an ACE (Access Control Entry) only ever grants or explicitly denies what it lists. If there is no ACE for a user or group, the ACL contributes nothing and the POSIX permissions decide, so a share isn't locked down until both have been reviewed: an open "everyone" POSIX entry undoes a carefully built ACL. If more granular permissions are required, click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions. As can be seen, there are a number of other options in this view that allow you to control permissions to files and directories more granularly.

If you make a share a home folder, you can use that share to store home folders for user accounts, provided the server uses Open Directory. Once a share has been made an option for home folders, it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service.

Once you have created all the appropriate shares, deleted the shares you no longer need and configured the appropriate permissions, click on the ON button to start the File Sharing service. To connect to a share, use the Connect to Server dialog, available from the Go menu in the Finder. A change in Mavericks is that when you enter a bare address, the client connects over SMB. If you'd like to connect over AFP, enter afp:// in front of the address and then click Connect.

The File Sharing service can also be controlled from the command line. OS X Server provides the sharing command, which you can use to create, delete and edit share points. To create a share point and give it an AFP name, use the following:

sharing -a <path> -A <share name>

So let's say you have a directory at /Shares/Public and you want to create a share point called PUBLIC:

sharing -a /Shares/Public -A PUBLIC

The -a here creates the share point and -A sets the name clients see over AFP; -F sets the FTP name and -S the SMB name. The -s flag takes a three-digit binary string (AFP, FTP, SMB in that order) that turns each protocol on or off for the share, and -g takes the same format to control guest access per protocol, so a share created from a script can have guest access explicitly off rather than whatever the default happens to be. Once created, you can remove the share point again with:

sharing -r PUBLIC

To get a listing of share points:

sharing -l

You can also use the serveradmin command to manage file shares as well as the sharing service. To see settings for file shares, use serveradmin with the settings option followed by the sharing service:

sudo serveradmin settings sharing

Sharing settings include the following (one record per share point, keyed by path):

sharing:sharePointList:_array_id:/Users/admin/Public:smbName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:isIndexingEnabled = no
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_group_id = "35DF29D6-D5F3-4F16-8F20-B50BCDFD8743"
sharing:sharePointList:_array_id:/Users/admin/Public:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_account_uuid = "51BC33DC-1362-489E-8989-93286B77BD4C"
sharing:sharePointList:_array_id:/Users/admin/Public:path = "/Users/admin/Public"
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:afpName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeStandard\:GeneratedUID = "4646E019-352D-40D5-B62C-8A82AAE39762"
sharing:sharePointList:_array_id:/Users/admin/Public:smbDirectoryMask = "755"
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbCreateMask = "644"
sharing:sharePointList:_array_id:/Users/admin/Public:ftpName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:name = "administrator's Public Folder"

Note that the default Public share above has afpIsGuestAccessEnabled and smbIsGuestAccessEnabled both set to yes; those two keys are the ones to check first when auditing a server you didn't build. To see settings for the services themselves, use serveradmin settings followed by the service, afp or smb:

sudo serveradmin settings afp

AFP settings include:

afp:maxConnections = -1
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.978EED40F79A72F4309A272E6586CF0A3B8C062E@LKDC:SHA1.978EED40F79A72F4309A272E6586CF0A3B8C062E"
afp:fullServerMode = yes
afp:allowSendMessage = yes
afp:maxGuests = -1
afp:activityLog = yes

To see a run-down of some of the options for afp, see this article I did previously; for a run-down of smb options, see this one.
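If you're auditing a server rather than building one, the guest-access keys in that serveradmin output are what you want to search for, and doing it by eye across a dozen share points is error-prone. The script below is an added example, not code from the original post or from Apple: it parses output in the serveradmin settings sharing format and reports every share point that is both shared and guest-enabled over AFP or SMB. The sample input is constructed here with the same key layout as the real output (paths containing spaces and the escaped dsAttrTypeNative keys included) so it runs offline; on a live server you would pipe sudo serveradmin settings sharing into the same function.

```shell
#!/bin/sh
# Added example (not from the original post): find share points that allow
# guest access over AFP or SMB in 'serveradmin settings sharing' output.
# Live use:  sudo serveradmin settings sharing | guest_enabled_shares

# Constructed sample in the serveradmin key format. Three share points:
# the default Public folder (guest on for both protocols), an iPads share
# with guest off, and a share that is guest-enabled for SMB but where SMB
# itself is switched off (so it must not be reported).
SAMPLE='sharing:sharePointList:_array_id:/Users/admin/Public:name = "Public"
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_group_id = "35DF29D6-D5F3-4F16-8F20-B50BCDFD8743"
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsShared = yes
sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsShared = no
sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Shares/Public:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Shares/Public:smbIsShared = no
sharing:sharePointList:_array_id:/Shares/Public:smbIsGuestAccessEnabled = yes'

# guest_enabled_shares: read serveradmin output on stdin and print one
# "<path> <PROTO>" line per share point that is shared AND guest-enabled
# on that protocol. Share paths may contain spaces and the key prefix
# contains colons, so the attribute is taken as the text after the LAST
# colon of the key and the path is whatever precedes it; keys such as
# dsAttrTypeNative\:... are ignored because their attribute never matches.
guest_enabled_shares() {
    awk -F' = ' '
        /^sharing:sharePointList:_array_id:/ {
            key = $1; val = $2
            sub(/^sharing:sharePointList:_array_id:/, "", key)
            n = split(key, parts, ":")
            attr = parts[n]
            path = substr(key, 1, length(key) - length(attr) - 1)
            if (attr != "afpIsShared" && attr != "afpIsGuestAccessEnabled" &&
                attr != "smbIsShared" && attr != "smbIsGuestAccessEnabled") next
            flag[path, attr] = val
            if (!(path in seen)) { seen[path] = 1; order[++count] = path }
        }
        END {
            # report in first-seen order so two runs diff cleanly
            for (i = 1; i <= count; i++) {
                p = order[i]
                if (flag[p, "afpIsShared"] == "yes" && flag[p, "afpIsGuestAccessEnabled"] == "yes") print p " AFP"
                if (flag[p, "smbIsShared"] == "yes" && flag[p, "smbIsGuestAccessEnabled"] == "yes") print p " SMB"
            }
        }'
}

# Run against the constructed sample: only /Users/admin/Public is reported,
# once for AFP and once for SMB.
printf '%s\n' "$SAMPLE" | guest_enabled_shares
```

The SMB-off-but-guest-on case is the one worth keeping in the sample: serveradmin leaves the guest flag in place when a protocol is disabled in the Server app, so a report that looked only at the guest keys would raise false alarms every time someone unticked SMB on a share.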

Disable ACLs for SMB

I had a pretty strange issue recently with how QuickBooks works with Samba. The fix was to disable ACLs for SMB. While this seems like a silly issue for silly software, it's worth noting the fix. Before doing so, it's worth mentioning that this setting changes how the SMB service handles ACLs for every share on the server, not just the one QuickBooks uses, so check what permissions your SMB clients actually end up with afterwards. The setting itself:

sudo defaults write /Library/Preferences/SystemConfiguration/ AclsEnabled -bool NO

If you're having saving issues from QuickBooks and this doesn't fix your issue, I'd immediately switch back:

sudo defaults write /Library/Preferences/SystemConfiguration/ AclsEnabled -bool YES

Delegating DirAdmin to Windows Clients

The default behavior of a Windows domain, from NT4 through Server 2008, is that members of Domain Admins are local administrators on the Windows clients joined to it. A number of environments have been moving to the PDC emulator in Mac OS X Server as a means of replacing aging Windows servers, and one of the biggest annoyances is that the Open Directory administrative accounts they use to bind the Windows computers are not local administrators on those computers. When you bind Mac OS X to Active Directory you can specify which Active Directory groups are administrators of the Mac OS X client, so you would imagine you can do the same thing on an OS X Server providing directory services to Windows computers. You can. This works through Samba Relative Identifiers (SMBRID): a Windows client recognises a domain group by the RID at the end of its SID, so an Open Directory group whose SMBRID attribute is 512 is treated by Windows clients exactly as Domain Admins would be. When you create a group, add the SMBRID attribute to it, either in Workgroup Manager or with dscl. In the example we used the SMBRID of 512. You could also use any of the following to emulate the corresponding Windows functionality:
  • Administrator (the built-in user account) – 500
  • Guest (the built-in user account) – 501
  • krbtgt (the Kerberos service account) – 502
  • Domain Admins – 512
  • Domain Users – 513
  • Domain Guests – 514
  • Domain Computers – 515
  • Domain Controllers – 516
  • Cert Publishers – 517
  • Schema Admins – 518
  • Enterprise Admins – 519
  • Group Policy Creator Owners – 520
  • Builtin Administrators – 544
  • Builtin Users – 545
  • Builtin Guests – 546
  • Builtin Power Users – 547
  • Builtin Account Operators – 548
  • Builtin Server Operators – 549
  • Builtin Print Operators – 550
  • Builtin Backup Operators – 551
  • Builtin Replicator – 552
  • Builtin RAS and IAS Servers – 553
You can create a group per required SMBRID. Once done, add users to the groups and delegate administrative access in this fashion, emulating many of the options that stem from the Windows NT 4 PDC emulation features of Samba included in Mac OS X Server's implementation. Treat any group carrying RID 512, 518, 519, 544, 548, 549 or 551 as a privileged group and keep its membership as small as you would keep Domain Admins in a real domain: the Windows client cannot tell the difference between an Open Directory group with SMBRID 512 and the genuine article. But if you do this, don't go updating your smb package manually. I've found that when I update fully, the SMBRID is no longer supported and I break permission delegation.
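Because a Windows client trusts the RID rather than the group name, the thing to audit is which Open Directory groups carry a privileged SMBRID, not what they are called. The script below is an added example, not from the original post or from Apple: it reads the two-column "group value" listing that dscl -list /Groups SMBRID produces and reports every group whose RID maps to one of the administrative well-known RIDs from the table above. The sample listing is constructed for the example; the Open Directory node path /LDAPv3/127.0.0.1 in the usage comment is the usual one on the server itself and is an assumption about your setup.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple): report which
# Open Directory groups carry a Windows-privileged SMBRID.
# Live use on the OD master (node path assumed):
#   dscl /LDAPv3/127.0.0.1 -list /Groups SMBRID | privileged_rid_groups

# Constructed sample in the "name value" layout that dscl -list prints.
SAMPLE='winadmins      512
staff          513
helpdesk       548
backupops      551
iPadUsers      1001
serverops      549'

# rid_label: print the Windows group a RID impersonates, or nothing if
# the RID is not one of the administrative well-known RIDs. Deliberately
# a subset of the full table: only RIDs that confer administrative rights
# on a Windows client or in the domain.
rid_label() {
    case "$1" in
        512) echo "Domain Admins" ;;
        518) echo "Schema Admins" ;;
        519) echo "Enterprise Admins" ;;
        544) echo "Builtin Administrators" ;;
        548) echo "Builtin Account Operators" ;;
        549) echo "Builtin Server Operators" ;;
        551) echo "Builtin Backup Operators" ;;
        *)   ;;
    esac
}

# privileged_rid_groups: read "group rid" lines on stdin and print one
# "group rid label" line per privileged group. Output order follows the
# input so the result can be diffed against a known-good copy between audits.
privileged_rid_groups() {
    while read -r group rid; do
        [ -n "$group" ] || continue
        label=$(rid_label "$rid")
        if [ -n "$label" ]; then
            printf '%s %s %s\n' "$group" "$rid" "$label"
        fi
    done
}

# count_privileged: how many privileged groups the listing contains. A
# change in this number between two runs is worth an alert on its own.
count_privileged() {
    privileged_rid_groups | wc -l | tr -d ' '
}

# Against the sample: winadmins, helpdesk, backupops and serverops are
# reported; staff (513) and iPadUsers (1001) are not.
printf '%s\n' "$SAMPLE" | privileged_rid_groups
```

Save the output of a known-good run alongside your other configuration baselines; a new line appearing in it means someone created or re-tagged a group with domain-admin-equivalent rights on every Windows client bound to the server.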

SMB: Name Mangling

Windows 3.x and earlier used what was known as an 8.3 naming scheme, meaning that a file name had eight places for a name, three for an extension and a dot in the middle. Name decorating is, programmatically, how Windows 3.x and DOS clients deal with files whose names have more than eight characters before the dot or more than three after it. Those of us who can remember doing mass migrations of data from Windows 3.x to Windows 9x and/or NT will remember well the naming changes that had to happen to maintain backwards compatibility during this trying time, especially if we had been using *nix boxen to store our shares. And you put SMB: in the title of this post, right Charles? Well, Samba doesn't use the term name decorating; it uses name mangling, which is honestly a more accurate description. Essentially, when Samba presents file names to a client that can't handle them, it shortens, or mangles, them into 8.3 form (for example, when you run dir with a network volume as your working directory). Say you have mapped H: to a Samba box using the net use command and there is a document called H:\Documentation.doc: cd to the H: drive on a DOS-era client and you see something like H:\DOCUME~1.DOC. Samba uses name mangling for backwards compatibility, and provided you don't have any Windows for Workgroups or older clients you should be able to disable it with mangled names = no on the share. However, if you don't want to disable it because of some random problems you might be having, then you can troubleshoot and experiment with the other options Samba provides for name mangling. For starters, mangle case is a per-share setting that controls whether names get mangled simply because their case is mixed (although in modern computing aren't most environments mixed case...). You can also increase the number of names kept on the local mangled-name stack.

The mangled stack is a cache of recently mangled names, so that when a client hands a short name back Samba can map it to the original long name rather than rehashing every entry in the directory. Because everyone assumed this would happen rarely, and because a large stack slows down directory access, it is set to 50 by default, but it can be raised in your [global] section using mangled stack. It's also sometimes helpful, when crossing platforms, to look at what happens with the mangling character itself, the ~. You can swap this out for something different with the mangling char setting, like ! or, for us Mac users, something a bit more *nix friendly like _. Either way, you aren't stuck with ~. Finally, if you're really froggy you can create what is known as a mangled map using, oddly enough, the per-share mangled map setting in Samba, which lets you dictate the short name for specific patterns instead of leaving it to the hash. Name mangling isn't just an issue you see with Samba. You can physically take a drive and move it and see the same issues that way. I've also seen them in other systems, such as Netatalk, but not for some time...
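Pulling those options together into one smb.conf fragment, as an added example rather than a configuration from the original post: the [global] section sizes the stack and picks the mangling character, and the two share sections show the two sensible postures, mangling switched off entirely where no DOS-era clients connect and mangling kept but tuned where they do. The share names, paths and the mangled map pattern are made up for the illustration. Run testparm against your Samba version before relying on it, since several of these older name-mangling parameters were removed in later Samba 3.x releases.

```ini
[global]
   ; cache of recently mangled names; the default discussed above is 50
   mangled stack = 100
   ; use _ rather than ~ as the marker in generated short names
   mangling char = _

[modern]
   ; no DOS or Windows for Workgroups clients reach this share,
   ; so long names are served as-is and no short names are generated
   path = /srv/samba/modern
   mangled names = no

[legacy]
   ; DOS-era clients still connect here: keep mangling but tune it
   path = /srv/samba/legacy
   mangled names = yes
   ; do not mangle a name merely because it is mixed case
   mangle case = no
   ; illustrative mapping: hand .html files to short-name clients as .htm
   mangled map = (*.html *.htm)
```

Keep the per-share settings per share: a global mangled names = no is the simplest configuration, but it silently breaks the one old client on the one share that still needs 8.3 names, and that failure shows up as "file not found" rather than anything that points at mangling.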

Samba 4: A Poor Man's Active Directory

Today I pulled down the Samba 4 binaries and installed them using the instructions the developers are slowly building on the Samba 4 wiki. Overall it was a fairly painless experience, although I do believe I have a couple of bug reports to file (not surprising considering it is not out yet). I found the process far easier than it has been in the past. The Samba team seems to realize that in order for Samba 4 to compete with Active Directory it needs to integrate really well in the *nix server ecosystem. For example, as with Active Directory, you can choose to have Samba integrate into your DNS infrastructure. However, the instructions call for manually editing the GSSAPI configuration to get BIND to accept updates from Samba, and they also end up having you comb through comments in the config files, a potentially daunting process. But once it was done I found the service records typically required for an Active Directory environment built out for me and easily managed. One place where things are really well done is the integration between Samba 4 and the Active Directory administration tools. The wiki clearly explains how to install the tools and then use them to manage objects and policies within Samba's version of Active Directory. There is also the promise of SWAT integration; parts of SWAT are already available and allow GUI administration of a number of items without reverting to Microsoft tools, but it is not yet ready for production, so from a GUI standpoint you'll still need the Windows tools. The further development of SWAT or of a different product (which seems more likely) will be critical to divorcing Samba 4 from the Windows administration tools and having it prosper more fully in the community. While the Samba team promises a more consistent and tightly integrated relationship between OpenLDAP and Samba, this is one place where the code doesn't seem to be finished.

For example, the documentation is still fairly non-existent, but supposedly you can leverage OpenLDAP to do multi-master replication with Samba. Missing replication is the gap that kills a lot of potential Samba rollouts, and how it is meant to be implemented is not yet clear. The same goes for Kerberos single sign-on: I thought I was able to get it to work, but alas, I was mistaken. I'll keep trying to figure this piece out and hopefully report back on it in the future. The new NTP signing feature is nice, although if you have clients that do not support NTP signing it can be a cause for concern. Windows clients worked right out of the box. I ended up using NTP authentication rather than signing and was able to get Mac OS X to use the NTP server with a little configuration of ntp.conf on the Mac. However, once bound I had to create a few service records to get Mac OS X to join the domain properly. One thing I can say is that if you are interested in Active Directory you might just learn more about it by building out a Samba 4 infrastructure than by taking the Active Directory certifications, because you will begin to understand what is going on in the back end. If you cannot bind a Mac OS X client to your faux Active Directory and you, let's say, fire up Wireshark to figure out why, you'll notice that something is missing: maybe repeated attempts to enumerate something, throwing DNS requests all over the place. To fix it you will suddenly need to understand what each of those records is there for and what to populate them with. Likewise, you might find that you understand what FSMO roles are really for when you have to integrate a completely different piece of technology for each of them.

This kind of research will teach you more than you might expect. Overall, if you are going to put something like Samba 4 in production right now you might have a lot of growing pains. When it's ready and released, then for Active Directory (or potential Active Directory) environments that don't use the full complement of Windows services it might very well be worth considering. However, it currently doesn't support Exchange or other products that require extending the LDAP schema, so you might end up doing a considerable amount of manual schema extension to get that support. The lack of a comprehensive set of GUI tools will keep a lot of Windows administrators away from Samba 4, but when their executives compare the steep cost of CALs to an open source tool, I'm guessing some are going to start projects to determine if Samba 4 can work for them. Note: none of this would make and build properly on Mac OS X. I did all of my testing on a Red Hat VM using the source downloaded with the following: rsync -avz samba-master

Mac OS X Server: Cached Logon and Windows PDC Clients

When using Mac OS X Server as a PDC you may find that you need to tell a Windows system to cache logon information for more logons than it does by default (Windows keeps the last 10 interactive domain logons unless told otherwise). In an Active Directory environment it is fairly straightforward to deploy this type of setting through a GPO; however, the policy settings available in an NT4-style PDC environment (via SMB) won't necessarily let you do that. Instead you might need to fire up the registry editor (or script the change in the login script) and edit the following value, where the data is the number of logons to cache:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: CachedLogonsCount
Data type: REG_SZ
Values: 0 - 50

A value of 0 disables caching entirely, so a user who cannot reach the PDC cannot log on at all. Keep in mind what you're trading for the convenience: every cached logon is a salted password verifier stored in the machine's SECURITY hive, and anyone who gains administrative or offline access to the disk can extract those verifiers and crack them offline. Cache only as many logons as the machine genuinely needs (one or two on a single-user laptop), not 50.