krypted.com

Tiny Deathstars of Foulness

There’s a little article on the new Greylisting options in Snow Leopard Server at http://www.318.com/techjournal/mac-os-x-server/greylisting-and-snow-leopard-server/. Enjoy!

October 8th, 2009

Posted In: Mac OS X Server


Mac OS X Server comes with a number of DHCP options available, most notably the options exposed in the GUI. But what about options that aren’t available in the GUI, such as NTP? Well, using /etc/bootpd.plist, the same file we used to define servers allowed to relay, you can also define other options. These are set with the following keys, which can be added to your property list:
  • dhcp_time_offset (option 2)
  • dhcp_router (option 3)
  • dhcp_domain_name_server (option 6)
  • dhcp_domain_name (option 15)
  • dhcp_network_time_protocol_servers (option 42)
  • dhcp_nb_over_tcpip_name_server (option 44)
  • dhcp_nb_over_tcpip_dgram_dist_server (option 45)
  • dhcp_nb_over_tcpip_node_type (option 46)
  • dhcp_nb_over_tcpip_scope (option 47)
  • dhcp_smtp_server (option 69)
  • dhcp_pop3_server (option 70)
  • dhcp_nntp_server (option 71)
  • dhcp_ldap_url (option 95)
  • dhcp_netinfo_server_address (option 112)
  • dhcp_netinfo_server_tag (option 113)
  • dhcp_url (option 114)
  • dhcp_domain_search (option 119)
  • dhcp_proxy_auto_discovery_url (option 252)
But you can also add options by their numerical identifier. To add them, add a key/value pair like the following into your /etc/bootpd.plist file and then restart the DHCP service:
    <key>dhcp_option_120</key>
    <data>AcCo0gc=</data>
The <data> element carries the option’s wire-format bytes, base64-encoded: for option 120 (SIP servers, RFC 3361) the value 192.168.210.7 is an encoding byte of 1 followed by the four address bytes, which base64-encodes to AcCo0gc=. In the above, you’d replace option 120 (SIP) with the option you wish to use. Numbers correspond to options as follows:
0 – Pad
1 – Subnet Mask
3 – Router
4 – Time Server
5 – Name Server
6 – Domain Name Server
7 – Log Server
8 – Quote Server
9 – LPR Server
10 – Impress Server
11 – Resource Location Server
12 – Host Name
13 – Boot File Size
14 – Merit Dump File
15 – Domain Name
16 – Swap Server
17 – Root Path
18 – Extensions Path
19 – IP Forwarding
20 – WAN Source Routing
21 – Policy Filter
22 – Maximum Datagram Reassembly Size
23 – Default IP Time-to-live
24 – Path MTU Aging Timeout
25 – Path MTU Plateau Table
26 – Interface MTU
27 – All Subnets are Local
28 – Broadcast Address
29 – Perform Mask Discovery
30 – Mask supplier
31 – Perform router discovery
32 – Router solicitation address
33 – Static routing table
34 – Trailer encapsulation
35 – ARP cache timeout
36 – Ethernet encapsulation
37 – Default TCP TTL
38 – TCP keep alive interval
39 – TCP keep alive garbage
40 – Network Information Service Domain
41 – Network Information Servers
42 – NTP servers
43 – Vendor specific information
44 – NetBIOS over TCP/IP name server
45 – NetBIOS over TCP/IP Datagram Distribution Server
46 – NetBIOS over TCP/IP Node Type
47 – NetBIOS over TCP/IP Scope
48 – X Window System Font Server
49 – X Window System Display Manager
50 – Requested IP Address
51 – IP address lease time
52 – Option overload
53 – DHCP message type
54 – Server identifier
55 – Parameter request list
56 – Message
57 – Maximum DHCP message size
58 – Renew time value
59 – Rebinding time value
60 – Class-identifier
61 – Client-identifier
62 – NetWare over IP Domain Name
63 – NetWare over IP information
64 – Network Information Service Domain
65 – Network Information Service Servers
66 – TFTP server name
67 – Bootfile name
68 – Mobile IP Home Agent
69 – Simple Mail Transport Protocol Server
70 – Post Office Protocol Server
71 – Network News Transport Protocol Server
72 – Default World Wide Web Server
73 – Default Finger Server
74 – Default Internet Relay Chat Server
77 – User Class Information
78 – SLP Directory Agent
79 – SLP Service Scope
80 – Rapid Commit
81 – Fully Qualified Domain Name
82 – Relay Agent Information
83 – Internet Storage Name Service
85 – NDS servers
86 – NDS tree name
87 – NDS context
88 – BCMCS Controller Domain Name list
89 – BCMCS Controller IPv4 address list
90 – Authentication
91 – Client Last Transaction Time
92 – Associated IP
93 – Client System Architecture Type
94 – Client Network Interface Identifier
95 – LDAP, Lightweight Directory Access Protocol
97 – Client Machine Identifier
98 – Open Group User Authentication
100 – IEEE 1003.1 TZ String
101 – Reference to the TZ Database
112 – NetInfo Parent Server Address
113 – NetInfo Parent Server Tag
114 – URL
116 – Auto-Configure
117 – Name Service Search
118 – Subnet Selection
119 – DNS domain search list
120 – SIP Servers DHCP Option
121 – Classless Static Route Option
123 – GeoConfiguration
124 – Vendor-Identifying Vendor Class
125 – Vendor-Identifying Vendor Specific
128 – TFTP Server IP address
129 – Call Server IP address
130 – Discrimination string
131 – Remote statistics server IP address
132 – 802.1P VLAN ID
133 – 802.1Q L2 Priority
134 – Diffserv Code Point
135 – HTTP Proxy for phone-specific applications
136 – PANA Authentication Agent
139 – IPv4 MoS
140 – IPv4 Fully Qualified Domain Name MoS
150 – TFTP server address
176 – IP Telephone
220 – Subnet Allocation
221 – Virtual Subnet Selection
252 – Proxy auto-discovery
254 – Private use
255 – End
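As an added example (not from the post and not Apple’s bootpd code), here is a Python helper that builds the base64 <data> values for several of the option codes above, including the option-specific framing the raw bytes need, and renders them as dhcp_option_N keys with plistlib. The address 192.168.210.7 comes from the post; the other addresses and names are constructed for illustration.

```python
import base64
import ipaddress
import plistlib

def encode_ipv4_list(addrs):
    """Options carrying IPv4 lists (6 DNS, 42 NTP, 44 NetBIOS NS): 4 bytes per address."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)

def encode_sip_servers(addrs):
    """Option 120 (RFC 3361): an 'enc' byte of 1, then the IPv4 addresses."""
    return b"\x01" + encode_ipv4_list(addrs)

def encode_domain_search(domains):
    """Option 119 (RFC 3397): DNS wire-format labels (no name compression used here)."""
    out = b""
    for name in domains:
        for label in name.strip(".").split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
        out += b"\x00"
    return out

def encode_classless_routes(routes):
    """Option 121 (RFC 3442): prefix length, significant destination octets, then router."""
    out = b""
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        out += bytes([net.prefixlen]) + net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return out

def plist_data(raw):
    """Base64 text as it must appear inside <data>...</data> in /etc/bootpd.plist."""
    return base64.b64encode(raw).decode("ascii")

def subnet_options_fragment(options):
    """Render {option_code: raw_bytes} as dhcp_option_N keys to merge into a subnet entry."""
    entry = {f"dhcp_option_{code}": raw for code, raw in options.items()}
    return plistlib.dumps(entry, fmt=plistlib.FMT_XML).decode("utf-8")

if __name__ == "__main__":
    # 192.168.210.7 is the post's value; the remaining sample values are constructed.
    print(subnet_options_fragment({
        120: encode_sip_servers(["192.168.210.7"]),
        42: encode_ipv4_list(["192.168.210.10", "192.168.210.11"]),
        119: encode_domain_search(["corp.example", "lab.example"]),
        121: encode_classless_routes([("10.0.0.0/8", "192.168.210.1")]),
    }))
```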

October 6th, 2009

Posted In: Mac OS X Server, Mass Deployment, Network Infrastructure


By default /Library/Preferences/com.apple.pcastserverd.plist allows basic, digest and Kerberos authentication. Authentication is attempted in the reverse of that order (Kerberos, then digest, then basic). The list comes from the http_auth_type array, which you can see with the following command:
    serveradmin settings pcast
If you cannot stop the Podcast Producer service, you can use serveradmin to remove an entry or edit existing entries to change the supported mechanisms. If you can stop the service, the easiest way to edit the authentication mechanisms is to edit /Library/Preferences/com.apple.pcastserverd.plist directly. To do so, locate the http_auth_type key, which looks like this:
    <key>http_auth_type</key>
    <array>
        <string>basic</string>
        <string>digest</string>
        <string>kerberos</string>
    </array>
Here, remove each string that you no longer wish to support. Removing all except kerberos leaves Kerberos as the only supported authentication mechanism.

October 6th, 2009

Posted In: Mac OS X Server, Mac Security


In DNS, recursion refers to the process where a name server makes DNS queries to other name servers on behalf of client systems. Most name servers are simply DNS clients that cache information for a specified amount of time. Recursion is disabled by default on most name servers. In Mac OS X Server, recursion is enabled only for subnets local to the server.
In environments where you wish to provide recursive queries you can enable recursion by opening Server Admin, clicking on the disclosure triangle for the server you will be configuring and then clicking on the DNS service. From here, click on the Settings icon in the Server Admin toolbar and then in the section for Accept recursive queries from the following networks you would click on the plus sign (+). In this field provide the IP address or netmask that you would like to enable recursion for. For example, if you’re enabling recursion for all computers on the 192.168.0.0 subnet and the subnet mask for those clients is 255.255.255.0 then you would enter:
192.168.0.0/24
This will allow recursion for those clients by updating the /etc/dns/options.conf.apple file. Alternatively you can edit the setting by hand yourself, but don’t do so using the /etc/dns/options.conf.apple file or you could introduce instability into the DNS service and Server Admin could overwrite your settings. Rather, edit the /etc/named.conf file. In named.conf add the following line in the options section:
allow-recursion {192.168.0.0/24;};
Overall, this is a fairly straightforward technical note, but there is an underlying theme that Apple is doing a really good job of leveraging an include methodology with regards to configuration files. Inside /etc/named.conf, also in the options section, you’ll notice that there is a line that begins with include and specifies the path of the Server Admin managed file, which ends with the word apple. This is mirrored in zone files as well. While not all open source services use this method for allowing different configurations in the GUI and the command line, I hope they all will at some point.
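As an added example (not from the post and not part of BIND or Apple’s tooling), a small Python checker that pulls the allow-recursion list out of a named.conf options block and evaluates whether a given client address would be granted recursion, using BIND’s first-match semantics where a leading ! negates an element. The named.conf text is constructed, and localhost is simplified to loopback addresses only.

```python
import ipaddress
import re

# Constructed named.conf fragment laid out the way the post describes: an options block
# whose Server Admin managed settings arrive through an include of the .apple file.
NAMED_CONF = """
options {
    directory "/var/named";
    include "/etc/dns/options.conf.apple";
    allow-recursion { !192.168.0.200; 192.168.0.0/24; localhost; };
};
"""

def parse_allow_recursion(conf):
    """Return the allow-recursion ACL elements in order, or None if the directive is absent."""
    match = re.search(r"allow-recursion\s*\{([^}]*)\}", conf)
    if not match:
        return None
    return [elem.strip() for elem in match.group(1).split(";") if elem.strip()]

def recursion_allowed(client, acl):
    """Evaluate a BIND address-match list: first match wins, '!' negates, no match denies."""
    ip = ipaddress.ip_address(client)
    for elem in acl:
        negate = elem.startswith("!")
        target = elem.lstrip("!").strip()
        if target == "any":
            hit = True
        elif target == "none":
            hit = False
        elif target == "localhost":
            hit = ip.is_loopback  # simplification: BIND also matches the server's own interfaces
        else:
            hit = ip in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate
    return False

if __name__ == "__main__":
    acl = parse_allow_recursion(NAMED_CONF)
    for client in ("192.168.0.25", "192.168.0.200", "10.1.1.1", "127.0.0.1"):
        print(client, "recursion allowed" if recursion_allowed(client, acl) else "refused")
```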

September 29th, 2009

Posted In: Mac OS X Server


Now that Mac OS X Server 10.6 has been out for a little while and the new features have been able to sink in a bit, it seems like a good time to lay out what those new features are. While on the outside Mac OS X Server 10.6 has been described as a minor update outside of the whole 64-bit thing, it’s worth noting that it sports about as many new features as every version of Mac OS X Server that it follows. These include:
  1. NetRestore has been integrated with System Image Utility to facilitate easier creation of NetRestore NetBoot sets, allowing for asr-based restores (asr has not been given a GUI though)
  2. There’s now an option to enable and disable directory services binding discovery on servers
  3. Wide Area Bonjour support in the DNS service
  4. Mobile Access service has been added which allows you to proxy incoming connections for all the included groupware services through the server
  5. Push Notification service has been added to enhance iPhone integration with Mac OS X Server
  6. The mail server now uses Dovecot, which now has a GUI option in Server Admin and Server Preferences for relaying outgoing mail through a separate SMTP server
  7. Podcast Producer got a pretty big overhaul in Podcast Producer 2, making workflows easier to be created and managed with an assistant and making the server itself much easier to set up with another assistant
  8. Podcast Producer has been integrated ever-so-slightly with Final Cut Server workflows
  9. New 802.1x features in networksetup
  10. New command, mcxrefresh, used for refreshing managed preferences on clients
  11. Users now have a splash page that allows for a number of fairly self-service options including setting up easy-to-use mail rules
  12. A lot of GUI logic has been added; for example, when you promote to an Open Directory Master Server Admin checks existing bindings and if they are present provides a different prompt; also the toolbar in Directory Utility was cleaned up and DHCP supplied LDAP mysteriously removed
  13. You can use Server Preferences and the Server Admin/Workgroup Manager pseudo-interchangeably rather than switching between Standard, Workgroup and Advanced (that whole idea died with 10.5)
  14. GUI iChat Server federation to allow for multiple iChat servers for an organization
  15. Client & Server updates most likely to impact Server admins more than users:
  • You can now move journaling to a dedicated drive (ie – SSD) to offload potential IO performance bottlenecks
  • Directory Utility was moved to CoreServices and can now be accessed through the Accounts System Preference pane
  • Hard drive space is now reported more accurately, changing the game in capacity planning for all those Nagios/Zenoss hooha’s
There’s also more, which I’ll write up as I get some of the details sorted out. If there’s a glaring omission please feel free to drop it into a comment!  🙂 Looking at the difference between 10.5 Server and 10.6 it seems this is a similar enhancement in terms of the number of new features. Some are more subtle but will allow for more agile development of features in subsequent releases.

September 24th, 2009

Posted In: Mac OS X Server


A short contribution I made to afp548 on the new mcxrefresh command in Snow Leopard. Check it out here.

September 12th, 2009

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


In Snow Leopard Server it seems that someone at Apple figured out that a bunch of people were building these weird triangle, or dual directory, thingies. So, if you bind a Mac OS X Server to Active Directory and then open Server Admin and click on Open Directory, you’ll see a button to Kerberize Services. Once you’ve Kerberized the services, if you click on the Change… button for Role you’ll see a different option than you normally see when setting up an Open Directory Master. In the Choose Directory Role screen you’ll see a new screen that tells you that you’re connected to another directory. It will then ask if you want to remain connected and set up an Open Directory Master, remain connected and set up an Open Directory replica, or disconnect from the existing directory service and go back to a standalone directory model (at which time you would re-run the Open Directory Assistant if this were the direction you were looking to go).
The Introductory Screen to the New Open Directory Setup Assistant

Overall, this is a great new addition and while technically there’s not much different going on here, it at a minimum shows that the developers are acknowledging that there are a number of different setup architectures and that Apple is trying to bring these into more of a supported type of environment.

September 3rd, 2009

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


In Mac OS X 10.6’s Open Directory, when you add ManagedClient to managed preferences you end up with two com.apple.mail entries (one suffixed with .managed). One is called com.apple.mail.managed, which is used for Mail for 10.5 and below and frankly doesn’t seem to be complete, so I’ve manually populated my environment with keys from 10.5 Server. The other is com.apple.mail, which now supports SSL, but only gives the drop-down list for Always, showing no options in Once/Often. One thing that was a bit confusing to me is what Beau and I discovered to be a GUI bug, where when you click on a manifest and then click on Once, Often or Always, you have to click on the disclosure triangle in order to get the button to add a New Key. Given that there is a new service, Address Book, I would have expected to see a com.apple.addressbook, especially since the property list isn’t exactly welcoming for edits. But what I haven’t seen any mention of thus far in the manifests is Exchange 2007 support. No EWS strings, no nothin’. But all in all, I think it’s still coming together a bit and I look forward to seeing a cohesive vision of leveraging managed clients to automatically push out iCal, Address Book and Mail, no matter what service you’re using, to clients.

September 2nd, 2009

Posted In: Mac OS X, Mac OS X Server, Mass Deployment, Microsoft Exchange Server


No, not another Snow Leopard post. Well, I suppose it kind of is actually. It’s a pseudo-official announcement that John Welch, Chris Barker and I will be teaming up to write a book on Snow Leopard Server. The book has been posted to Amazon.com and will hopefully be out by Valentine’s Day. That’s not to say that we will be responsible in any way, shape or form for the results if you give your significant other this book for Valentine’s Day…

September 1st, 2009

Posted In: Mac OS X Server, Uncategorized


Because people wanted less animation in the intro & outro I shortened them to a little less than half. Hope you enjoy:

September 1st, 2009

Posted In: Mac OS X, Mac OS X Server, Mass Deployment

