Tag Archives: server.app

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure

The New Caching Service In OS X Server

December 17, 2012 – 5:00 am

These days, new services get introduced in OS X Server during point releases. OS X now has a Software Caching server built to make updates faster. This doesn’t replace Apple’s Software Update Server mind you, it supplements. And, it’s very cool technology. “What makes it so cool” you might ask, given that Software Update Server has been around for awhile. Namely, the way that clients perform software update service location and distribution with absolutely no need (or ability) for centralized administration.

small payday loans

Let’s say that you have 200 users with Mac Minis and an update is released. That’s 200 of the same update those devices are going to download over your Internet connection, at up to 2 to 3 gigs per download. If you’re lucky enough to have eaten at the Varsity in Atlanta, just imagine trying to drink one of those dreamy orange goodnesses through a coffee stirrer. Probably gonna’ be a little frustrating. Suck and suck and suck and it’ll probably melt enough to make it through that straw before you can pull it through. For that matter, according to how fast your Internet pipe is, there’s a chance something smaller, like an update to Expensify will blow out that same network, leaving no room for important things, like updates to Angry Birds!

Now, let’s say you have an OS X Server running the new Caching service. In this case, the first device pulls the update down and each subsequent device uses the WAN address to determine where the nearest caching service is. If there’s one on the same subnet, provided the subnet isn’t a Class B or higher, then the client will attempt to establish a connection to the caching service. If it can and the update being requested is on that server then the client will pull the update from the server once the signature of the update is verified with Apple (after all, we wouldn’t want some funky cert getting in the way of our sucking). If the download is stopped it will resume after following the same process on a different server, or directly from Apple. The client-side configuration is automatic so provides a seamless experience to end users.

Pretty cool, eh? But you’re probably thinking this new awesomeness is hard as all heck to install. Well, notsomuch. There are a few options that can be configured, but the server is smart enough to do most of the work for you. Before you get started, you should:

Be running Mountain Lion with Server 2.2 or better.
Install an APNS certificate first, described in a previous article I wrote here.
Have an ethernet connection on the server.
Have a hard drive with at least 50GB free in the server.
The server must be in a Class C or smaller LAN IP scheme (no WAN IPs can be used with this service, although I was able to multihome with the WAN off while configuring the service)

Once all of the requirements have been met, you will need to install the actual Caching Service. To do so, open Server.app from the /Applications directory and connect to the server with which you would like to install the Caching service.

Click on Caching from the SERVICES section of the Server sidebar. Here, you have 3 options you can configure before starting the service. The first is which volume with which to place updates. This should typically be a Pegasus or other form of mass storage that is not your boot volume. Use the Edit… button to configure which volume will be used. By default, when you select that volume you’ll be storing the updates in the Library/Server/Caching/Data of that volume.

The next button is used to clear out the cache currently used on the server. Click Reset and the entire contents of the aforementioned Data directory will be cleared.

Next, configure the Cache Size. Here, you have a slider to configure about as much space as you’d like, up to “Unlimited”. You can also use the command line to do some otherwise unavailable numbers, such as 2TB.

Once you’ve configured the correct amount of space, click on the ON button to fire up the service. Once started, grab a client from the local environment and download an update. Then do another. Time both. Check the Data folder, see that there’s stuff in there and enjoy yourself for such a job well done.

Now, let’s look at the command line management available for this service. Using the serveradmin command you can summon the settings for the caching service, as follows:

sudo serveradmin settings caching

The settings available include the following results:

caching:ReservedVolumeSpace = 25000000000 caching:SingleMachineMode = no caching:Port = 0 caching:SavedCacheSize = 0 caching:CacheLimit = 0 caching:DataPath = "/Volumes/Base_Image/Library/Server/Caching/Data" caching:ServerGUID = "FB78960D-F708-43C4-A1F1-3E068368655D" caching:ServerRoot = "/Library/Server"

Don’t change the caching:ServerRoot setting on the server. This is derived from the root of the global ServerRoot. Also, the ServerGUID setting is configured automatically when connecting to Apple and so should not be set manually. When you configured that Volume setting, you set the caching:DataPath option. You can make this some place completely off, like:

sudo serveradmin settings caching:DataPath = "/Library/Server/NewCaching/NewData"

Now let’s say you wanted to set the maximum size of the cache to 800 gigs:

sudo serveradmin settings caching:CacheLimit = 812851086070

To customize the port used:

sudo serveradmin settings caching:Port = 6900

The server reserves a certain amount of filesystem space for the caching service. This is the only service I’ve seen do this. By default, it’s about 25 gigs of space. To customize that to let’s say, ‘around’ 50 gigs:

sudo serveradmin settings caching:ReservedVolumeSpace = 50000000000

To stop the service once you’ve changed some settings:

sudo serveradmin stop caching

To start it back up:

sudo serveradmin start caching

Once you’ve started the Caching service in OS X Server and familiarized yourself with the serveradmin caching options, let’s look at the status options. I always use fullstatus:

sudo serveradmin fullstatus caching

Returns the following:

caching:Active = yes caching:state = "RUNNING" caching:Port = 57466 caching:CacheUsed = 24083596 caching:TotalBytesRequested = 24083596 caching:CacheLimit = 0 caching:RegistrationStatus = 1 caching:CacheFree = 360581072384 caching:StartupStatus = "OK" caching:CacheStatus = "OK" caching:TotalBytesReturned = 24083596 caching:CacheDetails:.pkg = 24083596

The important things here:

An Active setting of “yes” means the server’s started.
The state is “STARTED” or “STOPPED” (or STARTING if it’s in the middle).
The TCP/IP port used 57466 by default. If the caching:Port setting earlier is set to 0 this is the port used by default.
The CacheUsed is how much space of the total CacheLimit has been used.
The RegistrationStatus indicates whether the server is registered via APNS for the service with Apple.
The CacheFree setting indicates how much space on the drive can be used for updates.
The caching:TotalBytesRequested option should indicate how much data has been requested from clients while the caching:TotalBytesReturned indicates how much data has been returned to clients.

Look into the /Library/Server/Caching/Config/Config.plist file to see even more information, such as the following:

<key>LastConfigURL</key> <string>http://suconfig.apple.com/resource/registration/v1/config.plist</string> <key>LastPort</key> <integer>57466</integer> <key>LastRegOrFlush</key> <date>2012-12-16T04:33:13Z</date>

There are also a number of other keys that can be added to the Config.plist file including CacheLimit, DataPath, Interface, ListenRanges, LogLevel, MaxConcurrentClients, Port and ReservedVolumeSpace. These are described further at http://support.apple.com/kb/HT5590.

As you can see, this provides the host name of the server and path on that server that the Caching server requires access to, the last port connected to and the last date that the contents were flushed.

In the Data directory that we mentioned earlier is a SQLite database, called AssetInfo.db. In this database, a number of files are mentioned. These are in a file hierarchy also in that Data directory. Client systems access data directly from that folder.

Finally, the Server app contains a log that is accessed using the Logs option in the Server app sidebar. If you have problems with the service, information can be accessed here (use the Caching Service Log to access Caching logs).

The Caching Service uses the AssetCache service, located at

/Applications/Server.app/Contents/ServerRoot/usr/libexec/AssetCache/AssetCache,

then starts as the new user _assetcache user. It’s LaunchDaemon is at

/Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.AssetCache.plist.

Note: In my initial testing it appeared that after rebooting devices, that iOS updates were being cached; however, several have reported that this is not yet possible. I’ll try and replicate and report my findings later.

Tags Caching Server, caching service, Config.plist, Flush, ios, iPad, LastPort, logs, MAC, mountain lion server, OS X Server 2.2, server.app, serveradmin, Software Update Server, Software Updates, sqlite | Permalink | Comments Off

Mac OS X Mac OS X Server Mass Deployment

Enable Server Side File Tracking in OS X Mountain Lion Server

August 16, 2012 – 5:00 am

Mobile Home Directory synchronizing in OS X Server environments is used to synchronize the home folder of clients with a copy that lives on the server, so users can roam between computers with their desktop, documents and preferences following them from machine to machine. Server Side File Tracking creates and keeps a copy of the sync database on client machines and servers, comparing the two databases when synchronizing rather than scanning directories for all the synced files each time a synchronization occurs. In environments with synchronizing Mobile Home Directories, Server Side File Tracking (SSFT) can help reduce the amount of time required for syncs. Server Side File Tracking is disabled by default in OS X Mountain Lion Server and cannot be enabled from the Server app. To enable Server Side File Tracking (aka – FileSyncAgent), use the following command:

sudo serveradmin settings info:enableFileSyncAgent = yes

To then turn it back off, if you so choose:

sudo serveradmin settings info:enableFileSyncAgent = no

Logs are then stored in ~/Library/Logs/FileSyncAgent/FileSyncAgentVerbose.log if you need further information. Note that TCP port 2336 needs to be open for the FileSync Agent to connect over ssh on port 2336 to the server; however, ssh doesn’t need to be enabled on the standard port 22 but mobile users must have access to the SSH SACL.

Tags database, filesyncagent, Mac OS X Server, OS X Server, port, server side file tracking, server.app, slow sync, SSFT, ssh, sync errors | Permalink | Comments Off

Enabling ARD, SSH & SNMP On Mountain Lion Server Using serveradmin

August 14, 2012 – 6:00 am

The traditional way to enable Apple Remote Desktop is using the kickstart command. But there’s a simpler way in OS X Mountain Lion Server. To do so, use the serveradmin command.

To enable ARD using the serveradmin command, use the settings option, with info:enableARD to set the payload to yes:

sudo serveradmin settings info:enableARD = yes

Once run, open System Preferences and click on Sharing. The Remote Management box is then checked and the local administrative user has access to ARD into the host.

The Server app will also have the “Enable screen sharing and remote management” option checked.

There are also a few other commands that can be used to control settings. To enable SSH for administrators:

sudo serveradmin settings info:enableSSH = yes

To enable SNMP:

sudo serveradmin settings info:enableSNMP = yes

To enable the dedication of resources to Server apps (aka Server Performance Mode):

sudo serveradmin settings info:enableServerPerformanceMode = yes

Tags ARD, dedicate system resources, mountain lion, os x mountain lion server, performance mode, Remote Desktop, server.app, serveradmin settings, Sharing, snmp, ssh | Permalink | Comments (8)

Mac OS X Server

Using Wikis & WebDAV in OS X Mountain Lion

August 7, 2012 – 5:05 am

A wiki is a repository of dynamically created and managed content, or content created or edited by multiple users collaboratively. This article is about using the wiki service in Mountain Lion. I reference file services with WebDAV because it is a very nice integration piece that I think a lot of people will find pretty beneficial.

To get started with the Wiki service, first turn it on. This one isn’t heavily dependent on host names (other than being able to access the server from a browser) or directory services (other than being able to authenticate users, but local accounts are perfectly functional) and it doesn’t require the Websites service to be running as well. One should always have good working directory services and host names, still…

To enable the service, open the Server app and click on Wiki in the list of SERVICES in the List Pane.

There are two configuration options. The first is to select who is able to create wikis. Use the “Wikis can be created by” drop-down list to select “all users” if anyone with an account on the server should be able to create a wiki or “only some users” to bring up the Wiki Creators screen.

If only some users can create new wikis, use the plus sign (“+”) at the Wiki Creators screen to add users and/or groups to the list of users that can create wikis. Click on OK when all users and groups that can create wikis are added. In a school I would imagine that only teachers or IT staff would be able to create wikis. Once a wiki is created, pages inside the wiki can still be created by non-wiki creators.

The other option available is the handy dandy WebDAV interface to the wikis. When you enable this option, you can connect to a server from OS X or iOS via WebDAV and access files in each wikis document repository. To be clear, this option doesn’t provide access to the user documents, but does provide access to the wiki documents. We’re going to check the box for “Enable WebDAV access to Wiki files” and then click the ON button.

Once the service starts, click on the View Wiki link in the Wiki workspace in Server app.

Here, click on the Log in button and enter a user with access to the server, preferably one who can create wikis.

At the Wikis page, you will then see a list of all wikis you have access to. Note that the previous screen showed one wiki and now we see two. That’s because one of the wikis has permissions that allow “All unauthenticated users” access to the wiki, which we’ll describe shortly.

The first thing most administrators will do is create a wiki. To do so, click on the plus sign (“+”) icon on the web page and at the resultant screen, click on New Wiki.

At the “Create a new wiki” prompt, provide a name for the wiki and a brief description for it.

Click on Continue.

At the Set permissions screen, enter each user or group to provide access to edit and view wiki pages. Here, you’ll have the options for Read & Write (users can view and edit pages in the wiki), Read only (users can only view the contents of your pages) and No access (users have no access to the wiki). There is a group for All logged in users, which includes every user with access to the server and another for All unauthorized users, which includes guests to the server. Once you’ve given the appropriate permissions, click on Continue.

Note: You don’t have to get this perfect now as you can always edit these later.

At the Set Appearance screen, you can choose an icon for the wiki (shown in the wiki list and when you open the wiki) as well as a color scheme for the wiki. Choose the appropriate appearance for your wiki (again, you can always change this later) and then click on the Create button.

Once you’ve created your first wiki, let’s edit it and customize the content. To do so, click on it from the list of available wikis. Click on the cog-wheel icon and then Wiki Settings… to bring up the Wiki Settings page.

Here, you’ll see the previously entered name and description as well as options to enable Calendar (only available if Calendar Server is running on the server) and Blog, which enables a blog service for the wiki (wiki administrators can post blog entries to the wiki). Click on Appearance.

Here, you will have the previous two options as well as the ability to upload a banner (which should be 62 pixels high) and background for each wiki.

Click on Permissions. Here, you’ll see the permissions previously configured as well as options to configure who can comment on articles (nobody disables comments completely) in the wiki and whether comments require approval (moderation).

Click on Save. Now, let’s edit the splash page. To do so, click the pencil icon in the top navigation bar.

At the edit screen, the top nav bar is replaced by a WYSIWIG editor for managing the page. Here you can justify, link, insert media and of course edit the text you see on the screen. I recommend spending some time embedding links, inserting tables, making text look like you want it to and editing the content to reflect the purpose of the wiki. Click Save when you’re done. Click the pencil again to edit it, and let’s create a new wiki page. Keep in mind that link wikipedia, each page should be linked to from other pages in the order they should be read. Unlike most wikis, there’s actually an index page of all the articles, which can come in handy.

From the edit page, to create a new page and link to it, enter some text (or lasso some) that you’ll use as the link to access the new page you’re creating. Then click on the arrow and select “New page.”

Note: Use Enter URL to link to an existing page or an external website.

At the New Page screen, provide a name for the new page (the lasso’d text automatically appears as the Page Title) and click on the Add button.

Click Save and then click on the newly created link. You can now edit the new page the same way you edited the previous pages. Click on the disclosure triangles in the right sidebar to Comment on articles, link articles to related articles, tag articles and view editing history.

Now for the fun part. Click on Documents. Here, you’ll see the pages you already created. Click on the plus sign and select the option to Upload File to the wiki.

At the Upload File dialog, click on Choose File and then select a file to upload. Click Upload when selected.

Then from the Finder of an OS X client, use the Go menu to select “Connect to Server”. Enter the name or IP of the server and then click on Connect.

Assuming you can access the server, you should then be prompted for a username and password. Enter it and click Connect.

Eventually, the file(s) will display. You can connect to this same screen through an iPad using a 3rd party WebDAV client or the build in options in Pages.

Managing wikis is as easy as its ever been, with the new options for appearance being a nice add-on. Active Directory integration is as easy as binding the server to Active Directory and using the accounts listed in Permissions of pages. Overall, the ability to edit, upload and view documents from the Wiki is a great new feature in OS X Mountain Lion Server, worthy of checking out if you haven’t already!

Tags appearance, create new wiki, create wiki page, edit, mountain lion, mountain lion server, os x, server, server admin, server.app, webdav, wiki | Permalink | Comments (3)

Mac OS X Mac OS X Server Mac Security

Setting Up The Mail Service in Mountain Lion Server

July 31, 2012 – 5:00 am

Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there’s protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there’s a database of mail and user information. In Mount Lion Server, all of these are represented by a single ON button, so it really couldn’t be easier. But then there’s the ecoysystem and the evil spammers.

As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should be fairly well hung, have chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…

But back to the point of the article, setting up mail… The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:

Static IP address. The WAN (and LAN probably) address should be static.
Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
DNS records. An MX record and some kind of mail.domain.com type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
Check the RBLs. If you have a new IP address you’ll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn’t squatted on the IP before you got to it. This is true whether you’re in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, the ability to leverage RBLs, block specific addresses and of course RBL checking. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it’s spam.
Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…

Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service. Actually, first let’s setup our SSL certificates. To do so, open the Server app and click on the name of the server in the HARDWARE section of the sidebar. Then click on the Settings tab and then the Edit button beside the SSL Certificate entry. Here, use the Certificate drop-down list for each protocol to select the appropriate certificate to be used for the service.

Click OK when they’re all configure. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar.

At the configuration screen is a sparse number of settings:

Provide mail for: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of charles@pretendco.com and charles@krypted.com per the Domain Name listing below.
Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.
Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).
Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
Edit Filtering Settings: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.

Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:

telnet mail.krypted.com 25

You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:

sudo serveradmin fullstatus mail

Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:

mail:setStateVersion = 1 mail:readWriteSettingsVersion = 1 mail:connectionCount = 0 mail:servicePortsRestrictionInfo = _empty_array mail:protocolsArray:_array_index:0:status = "ON" mail:protocolsArray:_array_index:0:kind = "INCOMING" mail:protocolsArray:_array_index:0:protocol = "IMAP" mail:protocolsArray:_array_index:0:state = "RUNNING" mail:protocolsArray:_array_index:0:error = "" mail:protocolsArray:_array_index:1:status = "ON" mail:protocolsArray:_array_index:1:kind = "INCOMING" mail:protocolsArray:_array_index:1:protocol = "POP3" mail:protocolsArray:_array_index:1:state = "RUNNING" mail:protocolsArray:_array_index:1:error = "" mail:protocolsArray:_array_index:2:status = "ON" mail:protocolsArray:_array_index:2:kind = "INCOMING" mail:protocolsArray:_array_index:2:protocol = "SMTP" mail:protocolsArray:_array_index:2:state = "RUNNING" mail:protocolsArray:_array_index:2:error = "" mail:protocolsArray:_array_index:3:status = "ON" mail:protocolsArray:_array_index:3:kind = "OUTGOING" mail:protocolsArray:_array_index:3:protocol = "SMTP" mail:protocolsArray:_array_index:3:state = "RUNNING" mail:protocolsArray:_array_index:3:error = "" mail:protocolsArray:_array_index:4:status = "ON" mail:protocolsArray:_array_index:4:kind = "INCOMING" mail:protocolsArray:_array_index:4:protocol = "Junk_mail_filter" mail:protocolsArray:_array_index:4:state = "STOPPED" mail:protocolsArray:_array_index:4:error = "" mail:protocolsArray:_array_index:5:status = "ON" mail:protocolsArray:_array_index:5:kind = "INCOMING" mail:protocolsArray:_array_index:5:protocol = "Virus_scanner" mail:protocolsArray:_array_index:5:state = "STOPPED" mail:protocolsArray:_array_index:5:error = "" mail:startedTime = "2012-07-30 18:14:26 +0000" mail:logPaths:IMAP Log = "/Library/Logs/Mail/mailaccess.log" mail:logPaths:Server Log = "/Library/Logs/Mail/mailaccess.log" mail:logPaths:POP Log = "/Library/Logs/Mail/mailaccess.log" mail:logPaths:SMTP Log = "/var/log/mail.log" mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log" mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log" mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log" mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log" mail:imapStartedTime = "2012-07-30 18:14:26 +0000" mail:servicePortsAreRestricted = "NO" mail:state = "RUNNING" mail:postfixStartedTime = "2012-07-30 18:14:49 +0000"

To stop the service:

sudo serveradmin stop mail

And to start it back up:

sudo serveradmin start mail

To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options:

sudo serveradmin settings mail

One that is commonly changed is the subject line added to messages that are marked as spam by spam assassin. This is stored in mail:postfix:spam_subject_tag, so changing would be:

sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "

A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option:

sudo serveradmin settings mail:postfix:greylist_disable = no

To configure an email address for quarantined mail to go, use mail:postfix:virus_quarantine:

sudo serveradmin settings mail:postfix:virus_quarantine = "diespammersdie@krypted.com"

The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option:

sudo serveradmin settings mail:postfix:virus_notify_admin = yes

I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable:

sudo serveradmin settings mail:postfix:message_size_limit_enabled = yes

Or even better, just set new limit:

sudo serveradmin settings mail:postfix:message_size_limit = 10485760

And to configure the percentage of someone’s quota that kicks an alert (soft quota):

sudo serveradmin settings mail:imap:quotawarn = 75

Additionally, the following arrays are pretty helpful, which used to have GUI options:

mail:postfix:mynetworks:_array_index:0 = “127.0.0.0/8″ – Add entries to this one to add “local” clients
mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
mail:postfix:black_hole_domains:_array_index:0 = “zen.spamhaus.org” – Add additional RBL Servers

The client side of the mail service is straight forward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…

Tags configure, Mac OS X Server, mail, mail groups, Mail Server, mountain lion, os x mountain lion server, postfix, roundcube, server.app, serveradmin, webmail, wiki | Permalink | Comments (31)

Missing Server.app Settings for AFP

June 9, 2012 – 7:43 pm

Earlier, I wrote an article on enabling some of the settings in SMB that are now unavailable in the GUI, but were still available from the command line. I have now decided to go ahead an document some of the ones for AFP that have been removed during the transition to the Server app. The first to mention is maximum connections. There are a number of reasons that throttling maximum afp connections can be handy. The serveradmin afp setting for it is maxConnections, which by default is set to -1, indicating unlimited. To set this to 500, one would run:

serveradmin settings afp:maxConnections = 500

The second setting to mention is greetings. The default is to send a greeting each time a user connects if one is enabled. I find that just sending the greeting once satisfies the policy most environments would have around such things. I’ve also found that enough environments setup greetings that I’ve had to do this enough times that it’s fresh in my memory. Therefore, to configure, use Server.app to setup a greeting and then run the following command:

serveradmin settings afp:sendGreetingOnce = yes

Another thing that many environments are going to want is activity logs. By default these are disabled. To enable:

serveradmin settings afp:activityLog = yes

And the setting for how frequently to roll those activity logs is gone from the GUI as well. To edit that (let’s just set it to 2 weeks instead of the default of 1 week):

serveradmin settings afp:activityLogTime = 14

The checkboxes for each type of activity to log are gone, so to access each (by default these are all enabled, so enabling the activity log turns them all on, therefore we’ll just disable here, even though as it seems the server team is well aware of, if you use one most use all:

serveradmin settings afp:loggingAttributes:logOpenFork = no serveradmin settings afp:loggingAttributes:logCreateDir = no serveradmin settings afp:loggingAttributes:logLogin = no serveradmin settings afp:loggingAttributes:logLogout = no serveradmin settings afp:loggingAttributes:logDelete = no serveradmin settings afp:loggingAttributes:logCreateFile = no

Note: Activity logs are still by IP address rather than userID

Error logs don’t roll (setting of 0), so to set them to do so (again using 14):

serveradmin settings afp:errorLogTime = 14

The disconnect idle users option is also now gone. To enable it:

serveradmin settings afp:idleDisconnectOnOff = yes

This doesn’t edit the tickle time, but then, that was never presented in the GUI anyway (it controls how frequently a client who’s connected via afp checks into the server). To customize the disconnect message:

serveradmin settings afp:idleDisconnectMsg = "Did you fall asleep there bub?"

And of course, you might need to customize the number of hours before a user is considered idle:

serveradmin settings afp:idleDisconnectTime = 1

To globally disable guest access:

serveradmin settings afp:guestAccess = no

And to allow the root user to log into afp:

serveradmin settings afp:allowRootLogin = yes

Finally, to access the masquerade as a user option for administrative accounts, which I’m not sure I like, but which some do:

serveradmin settings afp:attemptAdminAuth = yes

Tags admin, administrator, AFP, afp settings, diradmin, enable activity log, first attempt, first connection only, lion server, login greeting, logs, Mac OS X Server, masquerade as admin user, missing afp settings, os x lion server, server.app, serveradmin settings afp, set time out, SMB | Permalink | Comments (5)

Mac OS X Mac OS X Server Mac Security Mass Deployment Windows Server

Limiting The Number of Windows Users in Lion Server (aka How-to of hidden serveradmin settings)

June 8, 2012 – 8:07 pm

Lion Server doesn’t have an option in the GUI for throttling the maximum number of users that can connect to the server via SMB. Nor does it have said option in the serveradmin interface. If you run the following, you would have previously seen the required setting:

serveradmin settings smb

The required setting (if controlled via serveradmin) is MaxClients= followed by the number of clients that you want to be the max:

serveradmin settings smb:MaxClients=10

This is pretty easy stuff, but I have a point that goes beyond limiting the number of users. Not all of the settings that can be run through serveradmin are actually in the preferences any more. You can add more. Not that all of the ones from the developer documentation for the old smb code are still around, but a lot are. Another that a lot of people would want to use is to set the SMB Workgroup name in Lion Server:

serveradmin settings smb:Workgroup=SMBLOWS

You can also disable guest access by setting AllowGuestAccess to FALSE:

serveradmin settings smb:AllowGuestAccess=FALSE

Now, just because the option isn’t obvious doesn’t mean the server hasn’t already got a preconfigured setting. Running the AllowGuestAccess as follows will actually just show you that it defaults to on and most options, when specifically invoked, should provide the setting if it still exists:

serveradmin settings smb:AllowGuestAccess

Overall, there’s a lot you can do with a number of services. The options for many of these used to be a little easier to find, if you to see what some option from 10.6 allowed you to do that isn’t in the GUI in Lion or subsequent OSes that you miss, just look to the serveradmin command, make the change and see what preference changed. Who knows, that option might be available in Lion, even if it wasn’t available in the GUI…

Tags 10.7, 10.8, configuring maximum clients, Lion, mountain lion, server.app, setting wins, SMB, Snow Leopard, windows, Windows Server, Workgroup | Permalink | Comments Off

Mac OS X Mac OS X Server

Creating Users in Lion Server

August 5, 2011 – 9:17 pm

Create OS X Server Users

Tags Create Users, lion server, Mac OS X Server, server.app | Permalink | Comments Off

Krypted.com

Tag Archives: server.app

The New Caching Service In OS X Server

Enable Server Side File Tracking in OS X Mountain Lion Server

Using Wikis & WebDAV in OS X Mountain Lion

Setting Up The Mail Service in Mountain Lion Server

Limiting The Number of Windows Users in Lion Server (aka How-to of hidden serveradmin settings)

Creating Users in Lion Server

Like Using Mac OS X Lion Server

Tag Archives: server.app

Share:

Share:

Share:

Share:

Share:

Share:

Share:

Share: