krypted.com

Tiny Deathstars of Foulness

Export macOS Server Data
We’re not going to import this, as it only takes a few seconds to configure new settings. Additionally, if you have outstanding services built on macOS Server, you might be able to pull this off without touching client systems. First, let’s grab  which protocols are enabled, running the following from Terminal:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:enabled

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled

Next, we’ll get the the IP ranges used so we can mimic those (or change them) in the new service:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges

Now let’s grab the DNS servers handed out so those can be recreated:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index

Finally, if you’re using L2TP, let’s grab the shared secret:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue

Once we have all of this information, we can configure the new server using the same settings. At this point, you can decide whether you want to dismantle the old server and setup a new one on the same IP address, or whether you’d rather just change your port forwards on your router/firewall.

Ports

Before we configure any VPN services, let’s talk about ports. The following ports need to be opened per The Official iVPN Help Docs (these are likely already open if you’re using a macOS Server to provide VPN services):
  • PPTP: TCP port 1723
  • L2TP: UDP ports 1701, 4500 and 500
  • Enable VPN pass-through on the firewall of the server and client if needed

openvpn
There are a number of ways to get a VPN Server installed on macOS. One would be to install openvpn:

sudo port -v install openvpn2

OpenVPN has a lot of sweet options, which you can read about at openvpn.net.

SoftEther
One of the other tools Apple mentioned is SoftEther. I decided not to cover it here because it uses Wine. And I’m not a fan of Wine. 

Or Use iVPN

That will require some work to get dependencies and some working with files and network settings. Another option would be to install iVPN from here, on the Mac App Store. You can install it manually as well, and if you do, you’ll need to pay separately through PayPal, which is what we’ll cover here.

Once installed, if you purchased the license separately, use the Enter Manually button to provide it.

At the Registration screen, make sure the name, email, and serial are entered exactly as you see them in the email you received.

At the Thank You screen, click OK.

At the EULA screen, click Accept assuming you accept the license agreement.

Configure iVPN
At the main screen, you’ll have a few options, which we’ll unpack here:
  • Use Directory Server: Allows you to use an LDAP or Active Directory connection to provide username and passwords to the service.
  • Use custom accounts: Allows you to manually enter accounts to provide username and passwords for clients to connect to the 
  • Shared Secret: The secret, or a second factor used with L2TP connection.
  • Allow 40-bit encryption keys: Allows clients to use lower levels of encryption. Let’s not do this.
  • IP Address Range: The beginning and ending IP that will be manually handed out to client computers. When configuring the range, take care not to enter a range of addresses in use by any other DHCP services on your network or you will end up with conflicts.
  • Basic DNS: Allows you to configure a primary and second DNS server to send to clients via DHCP when they connect to the VPN interface.
  • Advanced DNS: Allows you to configure DNS servers as well as Search Domains.
  • Configure Static Routes: Allows you to specify the interface and netmask used to access a given IP.
  • Export Configuration Profile: Exports a configuration profile. When imported into a Mac or iOS device, that profile automatically configures the connection to the PPTP or L2TP service you’ve setup.
  • VPN Host Name: Used for the configuration profile so a client system can easily find the server w

If you configure Directory Authentication, you’ll get prompted that it might be buggy. Click OK here.

The Directory Authentication screen allows you to choose which directory services to make available to PPTP or L2TP. If the system hasn’t been authenticated to a directory server, do so using the Users & Groups” System Preference pane.

Once you’ve chosen your directory service configuration, if you require a third DNS server, click on Advanced DNS and then enter it, or any necessary search-domains. Click Done when you’re finished.

Click the log button in the upper left-hand side to see the logs for the service. This is super-helpful when you start troubleshooting client connections or if the daemon stops for no good reason (other than the fact that you’re still running a VPN service on macOS Server and so the socket can’t bind to the appropriate network port).

Finally, you can also create a static route. Static routing provides a manually-configured routing entry, rather than information from a dynamic routing traffic, which means you can fix issues where a client can’t access a given IP because it’s using an incorrect network interface to access an IP.

Once everything is configure, let’s enter the publicly accessible IP address or DNS name of the server. Client computers that install the profile will then have their connection to the server automatically configured and will be able to test the connection.

Configure Clients
If you configured the new server exactly as the old one and just forwarded ports to the new host, you might not have to do anything, assuming you’re using the same username and password store (like a directory service) on the back-end. If you didn’t, you can setup new interfaces with a profile. If you pushed out an old profile to configure those, I’d recommend removing it first if any settings need to change. To configure clients, we’ll install the new profile. When you open the profile on a client system (just double-click it to open it), you’ll see the Install dialog box. Here, click on Continue. 

Because the profile isn’t signed, you’ll then get prompted again (note: you can sign the profile using another tool, like an MDM or Apple Configurator). Click Continue.

Then enter the username that will be used to connect to the VPN and click the Install button.

The Profile can then be viewed and manually removed if needed. 

Click on the new iVPN entry in the Network System Preference pane. Here, you can enable 

Now that it’s easy, let’s click the VPN icon in the menu bar and then click on Connect iVPN to test the connection.

Once clients can connect, you can use the iVPN icon in the menu bar to monitor the status of clients.

March 14th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , ,

macOS Server 5.4 running on High Sierra (macOS 10.13) has an adaptive firewall built in, or a firewall that controls incoming access based on clients attempting to abuse the server. The firewall automatically blocks incoming connections that it considers to be dangerous. For example, if a client attempts too many incorrect logins then a firewall rule restricts that user from attempting to communicate with the server for 15 minutes. If you’re troubleshooting and you accidentally tripped up one of these rules then it can be a bit frustrating. Which is why Apple gives us afctl, a tool that interacts with the adaptive firewall.

To enable the adaptive firewall, use the -f option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f

Alternatively, use the -X option to disable the Adaptive Firewall:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -X

Once run, you’ll receive an error similar to the following:

Sep  8 14:16:18  afctl[16987] <Notice>: Unloading the launchd job

Sep  8 14:16:18  afctl[16987] <Notice>: Setting the start behavior to disabled

Sep  8 14:16:18  afctl[16987] <Notice>: Clearing out the blacklist

No ALTQ support in kernel

ALTQ related functions disabled

1/1 addresses deleted.

Once started, the most basic task you can do with the firewall is to disable all of the existing rules. To do so, simply run afctl (all afctl options require sudo) with a -d option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -d


You’ll receive no response on successful runs. When run, the adaptive firewall’s rules are disabled. To re-enable them, use the -e option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -e

Turning off the rules seems a bit much for most troubleshooting tasks. To remove a specific IP address that has been blacklisted, use the -r option followed by the IP address (rules are enforced by IP):

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -r 192.168.210.88

To add an IP to the blacklist, use the -a option, also followed by the IP:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 192.168.210.88

Once run, you’ll get a message as follows:

No ALTQ support in kernel

ALTQ related functions disabled

1/1 addresses added.

To permanently add a machine to the whitelist, use -w with the IP:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 192.168.210.88

And to remove a machine, use -x. To understand what is going on under the hood, consider this. The blacklisted computers are stored in plain text in /var/db/af/blacklist and the whitelisted computers are stored in the same path in a file called whitelist. The afctl binary itself is stored in /usr/libexec/afctl and can also be enabled with the /System/LIbrary/LaunchDaemons/com.apple.afctl.plist, meaning to force-stop the service outright, use launchctl:

launchctl unload /Applications/Server.app/Contents/ServerRoot/usr/libexec/com.apple.afctl.plist

The configuration file for afctl is at /etc/af.plist. Here you can change the path to the blacklist and whitelist files, change the interval with which it is run, etc. Overall, the adaptive firewall is a nice little tool for macOS Server security, but also something a number of open source tools can do as well. But for something built-in and easy, worth using. There’s a nice little command called hb_summary located in /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS that provides statistics for blocked hosts. To see statistics about how much the Adaptive Firewall is being used, just run the command with no options:

/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary

The output provides the following information (helpful if plugging this information into a tool like Splunk):
  • Date
  • Date statistics start
  • Number of hosts blocked
  • Addresses blocked
  • Number of times each address was blocked
  • Last time a host was blocked
  • Total number of times a block was issued
Finally, there are scripts located in /Applications/Server.app/Contents/ServerRoot/usr/libexec that can be used to manage the firewall as well. These include ServerFirewallPromotion.sh (a simple bash script) and ServerFirewallServiceCleanser, a compiled binary.

September 26th, 2017

Posted In: Mac OS X Server, Mac Security

Tags: , , , , , , ,

Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there’s protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there’s a database of mail and user information. In macOS Server 5.4 for High Sierra, all of these are represented by a single ON button, so it really couldn’t be easier, once you can just enter email addresses into the Users section.

But then there’s the ecoysystem and the evil spammers. They’re totally the worst. Like ever. As the former systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only deep fried spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should plenty of chemically induced stamina, enough pills of other types to not be able to use that stamina, plenty of princes looking to donate large sums of money if only they can be helped out of their country (which should cost about $100,000 compared to a $5,000,000 payout, not a bad ROI, so DUH?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…

But back to the point of the article, setting up mail. The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:
  • Static IP address. The WAN (and LAN probably) address should be static.
  • Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
  • DNS records. An MX record and some kind of mail.domain.com type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
  • Check the RBLs. If you have a new IP address you’ll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn’t squatted on the IP before you got to it. This is true whether you’re in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
  • Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, the ability to leverage RBLs, block specific addresses and of course RBL checking. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it’s spam.
  • Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…
Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service in the Server app running on Yosemite. Actually, first let’s setup our SSL certificates. To do so, open the Server app and click on Certificates in the SERVER section of the sidebar. Here, use the “Secure services using” drop-down list and click on Custom… for each protocol to select the appropriate certificate to be used for the service.


Click OK when they’re all configure. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar.

 
At the configuration screen is a sparse number of settings:
  • Status: Indicates if the server is running.
  • Edit Permissions: Limits the IP addresses capable of connecting to the server.
  • Domains: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of charles@pretendco.com and charles@krypted.com per the Domain Name listing below.
  • Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.
  • Push Notifications: If Push is configured previously there’s no need to use this option. Otherwise, use your institutional APNS account to configure Push Notifications.
  • Mail Relay: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).
  • Mailbox size: Configure the total amount of mail a user can have in the mail store, in Megabytes.
  • Filtering: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.
Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:

telnet mail.krypted.com 25

You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:

sudo serveradmin fullstatus mail

Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:

mail:startedTime = "" mail:setStateVersion = 1 mail:state = "STOPPED" mail:protocolsArray:_array_index:0:status = "ON" mail:protocolsArray:_array_index:0:kind = "INCOMING" mail:protocolsArray:_array_index:0:protocol = "IMAP" mail:protocolsArray:_array_index:0:state = "STOPPED" mail:protocolsArray:_array_index:0:service = "MailAccess" mail:protocolsArray:_array_index:0:error = "" mail:protocolsArray:_array_index:1:status = "ON" mail:protocolsArray:_array_index:1:kind = "INCOMING" mail:protocolsArray:_array_index:1:protocol = "POP3" mail:protocolsArray:_array_index:1:state = "STOPPED" mail:protocolsArray:_array_index:1:service = "MailAccess" mail:protocolsArray:_array_index:1:error = "" mail:protocolsArray:_array_index:2:status = "ON" mail:protocolsArray:_array_index:2:kind = "INCOMING" mail:protocolsArray:_array_index:2:protocol = "SMTP" mail:protocolsArray:_array_index:2:state = "STOPPED" mail:protocolsArray:_array_index:2:service = "MailTransferAgent" mail:protocolsArray:_array_index:2:error = "" mail:protocolsArray:_array_index:3:status = "ON" mail:protocolsArray:_array_index:3:kind = "OUTGOING" mail:protocolsArray:_array_index:3:protocol = "SMTP" mail:protocolsArray:_array_index:3:state = "STOPPED" mail:protocolsArray:_array_index:3:service = "MailTransferAgent" mail:protocolsArray:_array_index:3:error = "" mail:protocolsArray:_array_index:4:status = "OFF" mail:protocolsArray:_array_index:4:kind = "INCOMING" mail:protocolsArray:_array_index:4:protocol = "" mail:protocolsArray:_array_index:4:state = "STOPPED" mail:protocolsArray:_array_index:4:service = "ListServer" mail:protocolsArray:_array_index:4:error = "" mail:protocolsArray:_array_index:5:status = "ON" mail:protocolsArray:_array_index:5:kind = "INCOMING" mail:protocolsArray:_array_index:5:protocol = "" mail:protocolsArray:_array_index:5:state = "STOPPED" mail:protocolsArray:_array_index:5:service = "JunkMailFilter" mail:protocolsArray:_array_index:5:error = "" mail:protocolsArray:_array_index:6:status = "ON" mail:protocolsArray:_array_index:6:kind = "INCOMING" mail:protocolsArray:_array_index:6:protocol = "" mail:protocolsArray:_array_index:6:state = "STOPPED" mail:protocolsArray:_array_index:6:service = "VirusScanner" mail:protocolsArray:_array_index:6:error = "" mail:protocolsArray:_array_index:7:status = "ON" mail:protocolsArray:_array_index:7:kind = "INCOMING" mail:protocolsArray:_array_index:7:protocol = "" mail:protocolsArray:_array_index:7:state = "STOPPED" mail:protocolsArray:_array_index:7:service = "VirusDatabaseUpdater" mail:protocolsArray:_array_index:7:error = "" mail:logPaths:Server Error Log = "/Library/Logs/Mail/mail-err.log" mail:logPaths:IMAP Log = "/Library/Logs/Mail/mail-info.log" mail:logPaths:Server Log = "/Library/Logs/Mail/mail-info.log" mail:logPaths:POP Log = "/Library/Logs/Mail/mail-info.log" mail:logPaths:SMTP Log = "/var/log/mail.log" mail:logPaths:List Server Log = "/Library/Logs/Mail/listserver.log" mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log" mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log" mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log" mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log" mail:imapStartedTime = "" mail:postfixStartedTime = "" mail:servicePortsRestrictionInfo = _empty_array mail:servicePortsAreRestricted = "NO" mail:connectionCount = 0 mail:readWriteSettingsVersion = 1 mail:serviceStatus = "DISABLED" To stop the service:

sudo serveradmin stop mail

And to start it back up:

sudo serveradmin start mail

To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options:

sudo serveradmin settings mail

One that is commonly changed is the subject line added to messages that are marked as spam by spam assassin. This is stored in mail:postfix:spam_subject_tag, so changing would be:

sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "

A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option:

sudo serveradmin settings mail:postfix:greylist_disable = no

To configure an email address for quarantined mail to go, use mail:postfix:virus_quarantine:

sudo serveradmin settings mail:postfix:virus_quarantine = "diespammersdie@krypted.com"

The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option:

sudo serveradmin settings mail:postfix:virus_notify_admin = yes

I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable:

sudo serveradmin settings mail:postfix:message_size_limit_enabled = yes

Or even better, just set new limit:

sudo serveradmin settings mail:postfix:message_size_limit = 10485760

And to configure the percentage of someone’s quota that kicks an alert (soft quota):

sudo serveradmin settings mail:imap:quotawarn = 75

Additionally, the following arrays are pretty helpful, which used to have GUI options:
  • mail:postfix:mynetworks:_array_index:0 = “127.0.0.0/8″ – Add entries to this one to add “local” clients
  • mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
  • mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
  • mail:postfix:black_hole_domains:_array_index:0 = “zen.spamhaus.org” – Add additional RBL Servers
The client side of the mail service is straight forward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…

September 26th, 2017

Posted In: Mac OS X Server

Tags: , , , , , , , , , ,

Push Notifications can be used in most every service that macOS Server 5.4 (for High Sierra) can run. Any service that requiring Push Notifications will often provide the ability to setup APNS during the configuration of the service. But at this point, I usually just set up Push Notifications when I setup a new server.


To enable Push Notifications for services, you’ll first need to have a valid AppleID. Once you have an AppleID, open the Server app and then click on the name of the server. Then click on the Settings screen and click on the checkbox for Notifications.


At the Settings screen for your server, click on the check-box for Apple Push Notifications (APN). Next, click on another screen and then click back to get the Edit Apple ID… button to appear. Click on Edit Apple ID…  



At the Apple Push Notification Services certificate screen, enter an AppleID if you have not yet configured APNS and click on OK. The Apple Push Notification Service certificate will then be configured.
 

As you’ll see, if you’re editing a certificate, you’ll break any systems or services that use that certificate. For example, you would have to re-enroll all of your Profile Manager systems. Instead, use the Renew button whenever possible, prior to the expiration of certificates.  

When renewing certificates, you’ll provide the SAME AppleID and Password you used to generate the original certificate.
 

The certificate is valid for one year, by default. Administrators receive an alert when the certificate is due to expire. If you don’t have the credentials for the AppleID used to obtain the original certificate you can’t renew; in that scenario, open the same screen and click on the Change button. Once you have generated a certificate, you’ll then be able to see the certificate in the Apple certificates portal, but you’ll have to re-enroll devices if using Profile Manager.

September 26th, 2017

Posted In: Mac OS X

Tags: , , , , , ,

Clients discover the Apple Caching service bundled with macOS Server (and in the future macOS) automatically. You can create a text recored for _aaplcache._tcp on your DNS server. That would look
_aaplcache._tcp 518400 IN TXT “prs=192.168.50.100”
Name: _aaplcache._tcp with a type of TXT and a TTL of 518400 seconds. The prs is the address to be used and is set to a value using prs=192.168.50.100.

June 15th, 2017

Posted In: Mac OS X Server

Tags: , , , ,

I thought there might be an easier way to do this. So there’s this binary called serverrails that I assumed would install rails – no wait, actually it’s a ruby script that tells me to ‘gem install rails’ – which fails: cat `which serverrails` #!/usr/bin/ruby # Stub rails command to load rails from Gems or print an error if not installed. require 'rubygems' version = ">= 0" if ARGV.first =~ /^_(.*)_$/ and Gem::Version.correct? $1 then version = $1 ARGV.shift end begin gem 'railties', version or raise rescue Exception puts 'Rails is not currently installed on this system. To get the latest version, simply type:' puts puts ' $ sudo gem install rails' puts puts 'You can then rerun your "rails" command.' exit 0 end load Gem.bin_path('railties', 'rails', version) Given that doesn’t work, we can just do this the old fashioned way… First let’s update rails to 2.2 or 2.2.4 using rvm, so grab the latest rvm and install it into /usr/local/rvm: sudo curl -sSL https://get.rvm.io | bash -s stable --ruby Then fire it up: sudo source /etc/profile.d/rvm.sh Then install the latest ruby: sudo rvm install 2.2 Set it as default: sudo rvm use 2.2 –default Then run your gem install: gem install rails #thingsthatshouldbeautomatedandoddlyarenot

November 14th, 2016

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , ,

Servers can have problems. When they have problems, you need to grab logs and stuff. Ever wonder what Apple developers think is important, when it comes to logs and stuff? Try serverdiagnose! serverdiagnose Then hit the Enter (return) key. Then it collects some logs into a tgz. Why a tgz? No clue. But it ends up in /tmp. Notice the name as ServerLogs- followed by the hostname, then a date stamp (yearmonthday) and an underscore followed by a timestamp. Inside the tgz is /Library/Logs, /Library/Server, /tmp/dsdiagnose (a dump of OD debug logs), serverlogs_S3vKsy (configuration statuses), a couple of things from /var/db (the most important of which is PreviousSystemLogs), and /var/log.

November 9th, 2016

Posted In: Mac OS X Server

Tags: , , , , ,

The Time Machine service in macOS Server 5.2 hasn’t changed much from the service in previous operating systems. To enable the Time Machine service, open the Server app, click on Time Machine in the SERVICES sidebar. If the service hasn’t been enabled to date, the ON/OFF switch will be in the OFF position and no “Backup destination” will be shown in the Settings pane. screen-shot-2016-09-29-at-8-56-29-pm Click on the ON button to see the New Destination screen, used to configure a list of volumes as a destinations for Time Machine backups. The selection volume should be large enough to have space for all of the users that can potentially use the Time Machine service hosted on the server. When you click the Choose button, a list of volumes appears in a standard Finder selection screen. screen-shot-2016-09-29-at-8-57-19-pm Here, click on the volume to save your backups to in the sidebar. In most cases the Backup destination will be a mass storage device and not the boot volume of the computer. Once selected, click Choose and then if desired, limit the amount of storage on the volume to be used for backups. Click Create and a share called Backups is created and the service will start. Don’t touch anything until the service starts. Once started, add a backup destination at any time using the plus sign button (“+”) and defining another destination. screen-shot-2016-09-29-at-8-57-40-pm Time Machine Server works via Bonjour. Open the Time Machine System Preference pane and then click on the Select Backup Disk button from a client to see the server in the list of available targets, much as you would do with an Apple Time Capsule. screen-shot-2016-09-29-at-8-58-33-pm Under the hood, a backup share is creating in the file sharing service. To see the attributes of this share, use the serveradmin command followed by the settings option and then the sharing:sharePointList:_array_id:, so for a path of /Volumes/New Volume 1/Shared Items/Backups use: sudo serveradmin settings sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups The output indicates the options configured for the share, including how locking is handled, guest access disabled, generated identifiers and the protocols the backups share listens as:
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:name = "Backups"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbName = "Backups"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:isTimeMachineBackup = yes
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:dsAttrTypeNative\:sharepoint_group_id = "F4610C2C-70CD-47CF-A75B-3BAFB26D9EF3"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:isIndexingEnabled = yes
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:mountedOnPath = "/Volumes/New Volume 1"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:dsAttrTypeStandard\:GeneratedUID = "FAB13586-2A2A-4DB2-97C7-FDD2D747A0CD"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:path = "/Volumes/New Volume 1/Shared Items/Backups"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbIsShared = no
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbIsGuestAccessEnabled = no
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpName = "Backups"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbDirectoryMask = "755"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpIsShared = yes
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbCreateMask = "644"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:ftpName = "Backups"
sharing:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:timeMachineBackupUUID = "844A1C43-61C9-4F99-91DE-C105EA95BD45"
Once the service is running, administrators frequently fill up the target volume. To move data to another location, first stop the service and then move the folder (e.g. using mv). Once moved, use the serveradmin command to send settings to the new backup path. For example, to change the target to /Volumes/bighonkindisk, use the following command: sudo serveradmin settings sharing:sharePointList:_array_id:/Shared Items/Backups:path = "/Volumes/bighonkindisk" Another way to see the share and attributes of the share is through the sharing command: sharing -l Which should show output similar to the following: List of Share Points
name: Backups
path: /Shared Items/Backups
afp: {
name: Backups
shared: 1
guest access: 0
inherit perms: 0
}
ftp: {
name: Backups
shared: 0
guest access: 0
}
smb: {
name: Backups
shared: 0
guest access: 0
} There’s also a Bonjour service published that announces to other clients on the same subnet that the server can be used as a backup destination (the same technology used in a Time Capsule). One major update from back in Mavericks Server is the addition of the timemachine service in the severadmin command line interface. To see the command line settings for Time Machine: sudo serveradmin settings timemachine The output shows that share info is displayed as with the sharing service, but you can also see the GUID assigned to each share that is a part of the backup pool of storage:
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:dsAttrTypeStandard\:GeneratedUID = "FAB13586-2A2A-4DB2-97C7-FDD2D747A0CD"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbName = "Backups"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpIsGuestAccessEnabled = no
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbDirectoryMask = "755"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpName = "Backups"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbCreateMask = "644"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:nfsExportRecord = _empty_array
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:path = "/Volumes/New Volume 1/Shared Items/Backups"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbIsGuestAccessEnabled = no
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:name = "Backups"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:ftpName = "Backups"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:smbIsShared = no
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:afpIsShared = yes
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:timeMachineBackupUUID = "844A1C43-61C9-4F99-91DE-C105EA95BD45"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:isTimeMachineBackup = yes
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:backupQuota = 0
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:dsAttrTypeNative\:sharepoint_group_id = "F4610C2C-70CD-47CF-A75B-3BAFB26D9EF3"
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:isIndexingEnabled = yes
timemachine:sharePointList:_array_id:/Volumes/New Volume 1/Shared Items/Backups:mountedOnPath = "/Volumes/New Volume 1" Additionally you can also query for the service to verify it’s running using full status: sudo serveradmin fullstatus timemachine Which outputs something similar to the following: timemachine:command = "getState"
timemachine:state = "RUNNING"
While I found plenty to ramble on about in this article, Mass deployment is still the same, as is client side configuration.

October 15th, 2016

Posted In: Mac OS X, Mac OS X Server, Time Machine

Tags: , , , , , , , , , , , ,

Mac Server Services

 RhapsodyMac Server 1Server 10.2OS X Server 10.3OS X Server 10.4OS X Server 10.5Mountain Lion Server (10.6)Lion Server (10.7)Server 2 (10.8)Server 3 (10.9)Server 4 (10.10)Server 5 (10.11)macOS Server 5.2 (10.12)macOS Server 5.3 (10.13)
# of Services109131519242422182121212114
Apple File Sharing ServicesAppleShareAFPAFPAFPAFPAFPAFPAFPAFPAFPAFPAFPAFP*
NFSNFSNFSNFSNFSNFSNFSNFSNFSNFSNFSNFSNFSNFS
Web ServicesWebWebWebWebWebWebWebWebWebsitesWebsitesWebsitesWebsitesWebsitesWebsites
Directory ServersNetInfoNetInfoDirectory ServicesOpen DirectoryOpen DirectoryOpen DirectoryOpen DirectoryOpen DirectoryOpen DirectoryOpen DirectoryOpen DirectoryOpen DirectoryOpen DirectoryOpen Directory
NetBoot ServicesNetBootNetBootNetBootNetBootNetBootNetBootNetBootNetBootNetInstallNetInstallNetInstallNetInstallNetInstallNetInstall
FTPFTPFTPFTPFTPFTPFTPFTPFTPFTPFTPFTPFTPFTP
Windows File Sharing/SMBWindowsWindowsWindowsSMBSMBSMBSMBSMBSMBSMBSMB*
Mail ServicesMailMailMailMailMailMailMailMailMailMailMailMail
Name ServicesDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNS
DHCPDHCPDHCPDHCPDHCPDHCPDHCPDHCPDHCPDHCPDHCPDHCP
VPNVPNVPNVPNVPNVPNVPNVPNVPNVPNVPNVPN
Software Update ServicesSoftware UpdateSoftware UpdateSoftware UpdateSoftware UpdateSoftware UpdateSoftware UpdateSoftware UpdateSoftware UpdateSoftware UpdateSoftware Update
Chat/Messages/XMPPiChatiChatiChatiChatMessagesMessagesMessagesMessagesMessagesMessages
Shared Calendars/CalDAViCaliCaliCalCalendarCalendarCalendarCalendarCalendarCalendar
Wiki and BlogsWikiWikiWikiWikiWikiWikiWikiWikiWiki
Shared Contacts/CardDAVAddress BookAddress BookContactsContactsContactsContactsContactsContacts
Backup ServicesTime MachineTime MachineTime MachineTime MachineTime MachineTime Machine
Management ServicesProfile ManagerProfile ManagerProfile ManagerProfile ManagerProfile ManagerProfile ManagerProfile Manager
Storage NetworkingXsanXsanXsanXsanXsanXsan
Content and Update Caching ServicesCachingCachingCachingCaching*
Continuous Development ServicesXcodeXcodeXcodeXcode
OG Management ServicesMacintosh ManagerMacintosh Manager
Web ObjectsWeb Objects (separate media)Web ObjectsWeb ObjectsWeb Objects
Web Application ServicesApplication ServerApplication ServerTomcatTomcat
Printing ServicesPrintPrintPrintPrintPrintPrint
QuickTime Streaming ServerQTSSQTSSQTSSQTSSQTSSQTSSQTSS
Routing ServicesNATNATNATNATNATNAT
High Performance Computing ServicesXgridXgridXgridXgrid
PodcastingPodcast ProducerPodcast ProducerPodcast
RADIUSRADIUSRADIUSRADIUS
Proxy ServicesMobile Access
Database ServingMySQL


* Services are now built into the client operating system, albeit with less finely grained controls.

October 14th, 2016

Posted In: Mac OS X Server

Tags: , , , , , ,

Getting started with Messages Server couldn’t really be easier. Messages Server in the macOS Server 5.2 version of the Server app uses the open source jabber project as their back-end code base. The jabber binary is located at /Applications/Server.app/Contents/ServerRoot/private/var/jabberd directory and the autobuddy binary is at /Applications/Server.app/Contents/ServerRoot/usr/bin/jabber_autobuddy. The actual jabberd binary is also stored at /Applications/Server.app/Contents/ServerRoot/usr/libexec/jabberd, where there are a couple of perl scripts used to migrate the service between various versions as well. Setting up the Messages service is simple. Open the Server app and click on Messages in the Server app sidebar.  screen-shot-2016-09-27-at-11-03-18-am Click on the Edit… button for the Permissions. Here, define which users and interfaces are allowed to use the service. screen-shot-2016-09-27-at-11-03-45-am From Server app, click on the checkbox for “Enable server-to-server federation” if you have multiple iChat, er, I mean, Messages servers and provide the address for servers to federate to. screen-shot-2016-09-27-at-11-04-14-am Next, click on the checkbox for “Archive all chat messages” if you’d like transcripts of all Messages sessions that route through the server to be saved on the server. screen-shot-2016-09-27-at-11-04-47-am You should use an SSL certificate with the Messages service. If enabling federation so you can have multiple Messages servers, you have to. Before enabling the service, click on the name of the server in the sidebar of Server app and then click on the Settings tab. From here, click on Edit for the SSL Certificate (which should be plural btw) entry to bring up a screen to select SSL Certificates. At the SSL Certificates screen (here it’s plural!), select the certificate the Messages service should use from the available list supplied beside that entry and click on the OK button. If you need to setup federation, click back on the Messages service in the sidebar of Server app and then click on the Edit button. Then, click on the checkbox for Require server-to-server federation (making sure each server has the other’s SSL certificate installed) and then choose whether to allow any server to federate with yours or to restrict which servers are allowed. I have always restricted unless I was specifically setting up a server I wanted to be public (like public as in everyone in the world can federate to it, including the gorram reavers that want to wear your skin). screen-shot-2016-09-27-at-11-05-38-am To restrict the service, then provide a list of each server address capable of communicating with your server. Once all the servers are entered, click the OK button. Obviously, if you only have one server, you can skip that. Once the settings are as you wish them to be, click on the ON/OFF switch to light up the service. To see the status of the service, once started, use the fullstatus option with serveradmin followed by the jabber indicator: sudo serveradmin fullstatus jabber The output includes whether the service is running, the location of jabber log files, the name of the server as well as the time the service was started, as can be seen here: jabber:state = "RUNNING"
jabber:roomsState = "RUNNING"
jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
jabber:logPaths:MUC_STD_LOG = "/var/log/system.log"
jabber:logPaths:JABBER_LOG = "/var/log/system.log"
jabber:proxyState = "RUNNING"
jabber:currentConnections = "0"
jabber:currentConnectionsPort1 = "0"
jabber:currentConnectionsPort2 = "0"
jabber:pluginVersion = "10.8.211"
jabber:servicePortsAreRestricted = "NO"
jabber:servicePortsRestrictionInfo = _empty_array
jabber:hostsCommaDelimitedString = "osxserver.krypted.lan"
jabber:hosts:_array_index:0 = "osxserver.krypted.lan"
jabber:setStateVersion = 1
jabber:startedTime = ""
jabber:readWriteSettingsVersion = 1 There are also a few settings not available in the Server app. One of these that can be important is the port used to communicate between the Messages client and the Messages service on the server. For example, to customize this to 8080, use serveradmin followed by settings and then jabber:jabberdClientPortSSL = 8080, as follows: sudo serveradmin settings jabber:jabberdClientPortSSL = 8080 To change the location of the saved Messages transcripts (here, we’ll set it to /Volumes/Pegasus/Book: sudo serveradmin settings jabber:savedChatsLocation = “/Volumes/Pegasus/Book” To see a full listing of the options, just run settings with the jabber service: sudo serveradmin settings jabber The output lists each setting configurable:
jabber:dataLocation = “/Library/Server/Messages” jabber:s2sRestrictDomains = no jabber:jabberdDatabasePath = “/Library/Server/Messages/Data/sqlite/jabberd2.db” jabber:sslCAFile = “/etc/certificates/osxserver.krypted.com.31971C0C39DCBF4733FA671BCE3AF260769E4FB7.chain.pem” jabber:jabberdClientPortTLS = 5222 jabber:sslKeyFile = “/etc/certificates/osxserver.krypted.com.31971C0C39DCBF4733FA671BCE3AF260769E4FB7.concat.pem” jabber:initialized = yes jabber:enableXMPP = yes jabber:savedChatsArchiveInterval = 7 jabber:authLevel = “STANDARD” jabber:hostsCommaDelimitedString = “osxserver.krypted.com” jabber:jabberdClientPortSSL = 5223 jabber:requireSecureS2S = yes jabber:savedChatsLocation = “/Library/Server/Messages/Data/message_archives” jabber:enableSavedChats = yes jabber:enableAutoBuddy = no jabber:s2sAllowedDomains = _empty_array jabber:logLevel = “ALL” jabber:hosts:_array_index:0 = “osxserver.krypted.com” jabber:eventLogArchiveInterval = 7 jabber:jabberdS2SPort = 5269
To stop the service: sudo serveradmin stop jabber And to start it back up: sudo serveradmin start jabber It’s also worth noting something that’s completely missing in this whole thing: Apple Push Notifications… Why is that important? Well, you use the Messages application to communicate not only with Mac OS X and other jabber clients, but you can also use Messages to send text messages. Given that there’s nothing in the server that has anything to do with texts, push or anything of the sort, it’s worth noting that these messages don’t route through the server and therefore still require an iCloud account. Not a huge deal, but worth mentioning that Messages server doesn’t have the same updates built into the Messages app. Because messages don’t traverse the server, there’s no transcripts.

October 12th, 2016

Posted In: Mac OS X Server

Tags: , , , , , , , , ,

Next Page »