krypted.com

Tiny Deathstars of Foulness

DNS is DNS. And named is named. Except in macOS Server. Sometimes. The configuration files for the DNS services in macOS Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/ makes it more portable across systems.

The current version of BIND is BIND 9.9.7-P3 (Extended Support Version). This has been the case for a number of macOS Server versions, and can easily be located by doing a cat of the /Library/Server/named/.version file. 

Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In macOS Server 5.2 (for Sierra), a new command is available at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework called dnsconfig. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear.

The verbs available include:
  • help: show help information
  • list: show the contents of configurations and zone files
  • add: create records and zones
  • delete: remove records and zones
To view data available in the service, use the list verb. Options available when using the list verb include:
  • –acl: show ACLs
  • –view: show BIND view data
  • –zone: show domains configured in the service
  • –rr: show resource records
  • –rrtype: show types of resource records
For example, let’s say you have a domain called pretendco.lan and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the –zone option and the domain name:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --zone=pretendco.lan

The output would show you information about the listed zone, usually including View data:

Views: com.apple.ServerAdmin.DNS.public Zones: pretendco.lan Options: allow-transfer: none allow-update: none

To see a specific record, use the –rr option, followed by = and then the fqdn, so to see ecserver.pretendco.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --rr=ecserver.pretendco.lan

By default views are enabled and a view called com.apple.ServerAdmin.DNS.public is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the –view option followed by the name of the view (–view=com.apple.ServerAdmin.DNS.public) to any records that you want to create. To create a record, use the add verb. You can add a view (–view), a zone (–zone) or a record (–rr). Let’s start by adding a record to the pretendco.lan from our previous example. In this case we’ll add an A record called www that points to the IP address of 192.168.210.201:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201

You can add a zone, by providing the –view to add the zone to and not providing a –rr option. Let’s add krypted.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan

Use the delete verb to remove the data just created:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan


Or to delete that one www record earlier, just swap the add with a delete:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201

Exit codes would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the –option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken by the help page):
  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g. 10.1.1.1
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)
Overall, this command is one of the best I’ve seen for managing DNS in a long time. It shows a commitment to continuing to make the service better, when you add records or remove them you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this and it’s a great tool for when you’re imaging systems and want to create records back on a server or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with Views as easy as I’ve seen it in most platforms and is overall a breeze to work with as compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by hitting files directly.

Additionally, you can manage bind in a variety of other ways. There are global settings exposed with the bind -v command:

bind -v


Which returns something similar to the following:

set bind-tty-special-chars on
set blink-matching-paren on
set byte-oriented off
set completion-ignore-case off
set convert-meta off
set disable-completion off
set enable-keypad off
set expand-tilde off
set history-preserve-point off
set horizontal-scroll-mode off
set input-meta on
set mark-directories on
set mark-modified-lines off
set mark-symlinked-directories off
set match-hidden-files on
set meta-flag on
set output-meta on
set page-completions on
set prefer-visible-bell on
set print-completions-horizontally off
set show-all-if-ambiguous off
set show-all-if-unmodified off
set visible-stats off
set bell-style audible
set comment-begin #
set completion-query-items 100
set editing-mode emacs
set keymap emacs

September 10th, 2017

Posted In: Mac OS X Server

Tags: , , , , , , , , , , , ,

When running a DNS/BIND server on Linux or macOS, you can check the version number by running a simple named command with the -v option. named -v The output is as follows:
BIND 9.9.7-P3 (Extended Support Version)

September 11th, 2016

Posted In: Mac OS X, Unix

Tags: , , ,

You can find the version of the Server app that an OS X Server is running using the serveradmin command. To do so, run the serveradmin command followed by the -version option: sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin --version The output would be as follows: Version 15S5127

April 21st, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , ,

There are a number of ways to see information about what version of Linux that you’re running on different cat /etc/lsb-release Which returns the distribution information, parsed as follows: DISTRIB_ID=Ubuntu DISTRIB_RELEASE=12.04.5 DISTRIB_CODENAME=precise DISTRIB_DESCRIPTION="Ubuntu Precise Pangolin (LTS)" LSB_release can also be run as a command, as follows: lsb_release -a Which returns the following: No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu Precise Pangolin (LTS) Release: 12.04.5 Codename: precise lab_release can be used as a command as well: cat /etc/issue.net Which returns: Ubuntu Precise Pangolin (development branch) In Debian, you can simply look at the version file: cat /etc/debian_version Which returns the following: wheezy/sid Or Red Hat Enterprise can also be located with /etc/issue.net: cat /etc/issue.net With many variants, including OS X, you can also use uname to determine kernel extensions, etc: uname -a The thing I’ve learned about Linux is that there’s always a better way to do things. So feel free to comment on your better way or favorite variant!

March 5th, 2015

Posted In: Ubuntu, Unix

Tags: , , , , , ,

OS X Yosemite running the Server comes with the /usr/sbin/serverinfo command (introduced in Mountain Lion Server). The serverinfo command is useful when programmatically obtaining information about the very basic state of an Apple Server. The first option indicates whether the Server app has been downloaded from the app store, which is the –software option: serverinfo --software When used, this option reports the following if the Server.app can be found: This system has server software installed. Or if the software cannot be found, the following is indicated: This system does NOT have server software installed. The –productname option determines the name of the software app: serverinfo --productname If you change the name of the app from Server then the server info command won’t work any longer, so the output should always be the following: Server The –shortversion command returns the version of the Server app being used: serverinfo --shortversion The output will not indicate a build number, but instead the version of the app on the computer the command is run on: 3.5.5 To see the build number (which should iterate with each update to the Server app from the Mac App Store, use the –buildversion option: serverinfo --buildversion The output shows the build of server, which doesn’t necessarily match the OS X build number: 14S274j Just because the Server app has been downloaded doesn’t mean the Server setup assistant has been run. To see if it has, use the –configured option: serverinfo --configured The output indicates whether the system is running as a server or just has the app installed (e.g. if you’re using it to connect to another server: This system has server software configured. You can also output all of the information into a single, easy to script against property list using the –plist option: serverinfo --plist The output is a list of each of the other options used: IsOSXServerVolume IsOSXServerVolumeConfigured IsServerHardware LocalizedServerProductName Server ServerBuildVersion 14S274j ServerPerformanceModeEnabled ServerVersion 3.5.5 The Server Root can reside in a number of places. To see the path (useful when scripting commands that are relative to the ServerRoot: serverinfo —prefix By default, the output is as follows, which is basically like a dirname of the ServerRoot: /Applications/Server.app/Contents/ServerRoot You can also see whether the system is running on actual hardware desgnated by Apple for servers using the –hardware option: serverinfo --hardware The output simply indicates if the hardware shipped with OS X Server on it from Apple: This system is NOT running on server hardware. The –perfmode option indicates whether or not the performance mode has been enabled, dedicating resources to binaries within the Server app: serverinfo --perfmode If the performance mode has not been enabled then the output will be as such: Server performance mode is NOT enabled. To enable performance mode, you can also use serverinfo. This is the only task that the command does that can make any changes to the system and as such is the only time you need to elevate privileges: sudo serverinfo —setperfmode 1 Or set the boolean value back to 0 to disable. sudo serverinfo —setperfmode 0

October 16th, 2014

Posted In: Mac OS X Server

Tags: , , , , , , , ,

In Mac OS X Lion, applications can make use of a feature to auto-save and version files. This feature locks files that are inactive for editing and when the file is unlocked then starts automatically saving versions. If you have a problem with the file you can then always step back to a previous version of the file. The feature is manifested in the title bar and the file menu of applications that make use of it. When you open a file, it can be locked. Viewing the file in the Finder also shows that it is locked. Clicking on locked provides the option to unlock. Once unlocked you can make changes as you normally would. The next time you save the file, a version is created. Hovering the mouse over the title of a file results in a disclosure triangle. clicking that results in some options otherwise located in the file menu.

Clicking on the Lock option again locks the file. Files inactive can automatically be locked as well. The Duplication option is similar to that of Save As. You are asked where you want to duplicate the file to. No versioning information is sent with the file. These same options are in the File menu as well.

The command-S will still save a file, and in fact now it does more and it saves a new version of the file (also done as part of the auto-save routine). The Revert to Saved options in the File menu and title bar menu will bring up an interface similar to that of Time Machine. You can navigate through here to find a version that you want to restore and restore your data. Versioning information is persistent across a restore. In fact, once restored, you can revert back to a more recent save than that which was restored. In my testing so far, versioning information is not always persistent across restores of files (works with Time Machine, doesn’t work with 3 other applications I’ve tested). But YMMV there as patches are introduced in (hopefully) the next few weeks. Versions data is stored in /.DocumentRevisions-V100. In the /.DocumentRevisions-V100/db-V1 directory is a sqlite database with information and pages files are stored in containers by UID of local users in the /.DocumentRevisions-V100/PerUID directory. Permissions here are owner of root, group of wheel and d–x–x–x. bash-3.2# cd /.DocumentRevisions-V100/ bash-3.2# ls -al total 0 d--x--x--x   7 root  wheel   238 Jul 18 22:39 . drwxr-xr-x  36 root  wheel  1292 Jul 28 23:24 .. drwx------   5 root  wheel   170 Jul 28 23:27 .cs drw-------   2 root  wheel    68 Jul 18 22:39 ChunkTemp d--x--x--x   3 root  wheel   102 Jul 18 22:39 PerUID drwx------   4 root  wheel   136 Jul 28 23:27 db-V1 drwx--x--x   2 root  wheel    68 Jul 18 22:39 staging Changing the permissions to 000 causes the feature to report no versions for the files but then you also cannot save changes to files. If you remove the .DocumentRevisions-V100 directory altogether it does not automatically recreate itself at the creation of a new document; however, it does not create itself initially until the first time you’re saving a document. Putting the directory structure back in place resolves any saving problems (is all this sounding a bit like how Spotlight indexes work to anyone???). Versioning is saved locally for files that are stored on network volumes. If you move a file that was versioned locally to a network volume and back then it will loose versioning information. If you open a file from a network share there is no versioning information in the file unless the local computer you are using had been used to make those versions. When you save a file stored on a network volume you are informed that the volume does not support permanent version storage. If you open the file and start editing it on another host and changes occur on both hosts (which the system will allow to happen) then at the next save you will get an alert that states that the file has been changed by another application. Clicking Save Anyway will overwrite changes from the other computer and Revert will revert to the last saved document or more likely error out with a complaint about permissions (even if those permissions are 777). Continuing to make changes on both hosts will eventually cause a “GSLibraryErrorDomain error 1” error code; however, the file will remain open so you can copy your changes off into another file. A few other points of information:
  • Initially I had read that Time Machine was required to make use of this feature. That is incorrect. It works perfectly well with Time Machine disabled. Having said this, the app does report a message about Time Machine but this can safely be disregarded.
  • Initially I had read that it saves data into the ~/Library/Saved Application State directory. That too is incorrect. The state of versions-enabled applications is saved there but not the data
  • Large (> 500 page files) will auto-save very slowly if you have made a lot of changes in them. This is due to the fact that versioning results in copy operations.
  • Root can traverse into other users version files.
  • I have found no way thus far to change the auto-save interval (will hopefully update this when I do).
  • Pasting graphics into large files is much slower than previous versions (but likely offset by the new ability to flip through versions of files).
  • Not all applications have built-in Versions options yet (e.g. Office) but I think most will at some point in the future.
You can still mv a file to a .zip, unzip it and extract images and raw index data; however the versioning information is not actually saved there. Scanning the file system for changes during a version change only nets the file itself and the temp file (nested within /tmp) as having been altered. The Apple Developer Library explains Versioning as follows:
In the applications that ship as part of Mac OS X v10.7, users no longer need to save documents explicitly or be concerned about losing unsaved changes. Document-based Cocoa applications can opt into this autosaving behavior with a simple override. With automatic saving enabled, the system automatically writes document data to disk as necessary so that data displayed in a document window is, in effect, always the same as the document data on disk. A file coordination mechanism maintains sequential access to files. (See “Mac OS X File Coordination.”) Applications that support automatic saving also support document version history browsing. To browse previous versions of a document, choose Browse All Versions from the pull-down menu at the right end of the menu bar.
For more on NSDocumentController here’s Apple’s page for that. Overall, Versions has taken me a little while to get used to. Especially in TextEdit. But I’ll take the latency in exchange for the ability to roll back changes. If you are rolling out Lion in a larger environment, you’re going to want to check out whether or not users expect this to persist across network shares, copying files to additional computers or even backups in many cases.

July 28th, 2011

Posted In: Mac OS X

Tags: , , , , , , , , , , , , , , ,

There are a lot of versions of the popular perl scripting language out there, and depending on what version you may have written a script with you might find that using a different version than the one that comes with an OS by default can have a drastic impact on a script. In Mac OS X you can change the default version of perl that the perl and a2p command will use. Before doing so you should check the version of perl being used by default, which can be done using the perl command, followed by the -v option:
perl -v
By default, the OS currently uses version 5.10.0. To change the version, you would use the defaults command to change the com.apple.versioner.perl defaults domain. You will add a key called Version with a string of the version you would like to use. For example, to switch to 5.8.8:
defaults write com.apple.versioner.perl Version -string 5.8.8
To change it back to 5.10.0:
defaults write com.apple.versioner.perl Version -string 5.10.0
You can also set perl to run in 32 bit mode:
defaults write com.apple.versioner.perl Prefer-32-Bit -boolean TRUE
To put it back:
defaults write com.apple.versioner.perl Prefer-32-Bit -boolean FALSE
Python provides the same functionality:
defaults write com.apple.versioner.python Version -string 2.6
Or to run Python in 32-bit mode:
defaults write com.apple.versioner.python Prefer-32-Bit -boolean TRUE

June 8th, 2010

Posted In: Mac OS X

Tags: , , , , , ,

Ever need to have a program check a file to tell you what version of Mac OS X you’re running to do a quick sanity check?  In /System/Library/CoreServices/SystemVersion.plist you’ll find a key for ProductVersion.  The value in this key is the version of Mac OS X you’re using.  Keep in mind that the path should be relative to the volume that houses the operating system.  Therefore, if you’re using a volume during imaging and you’re running a postflight or preflight script make sure you check the path relative to the operating system you’re augmenting.

January 15th, 2007

Posted In: Mac OS X, Mass Deployment

Tags: , , , ,