CC.0395.SUS4AdminGuideCvr 11/13/02 11:19 AM Page 1 Mac OS X Server Administrator’s Guide For version 10.2.
LL0395.Book Page 2 Wednesday, November 20, 2002 11:44 AM
Apple Computer, Inc. © 2002 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or providing paid-for support services. The Apple logo is a trademark of Apple Computer, Inc.
Preface
How to Use This Guide
What's Included in This Guide
This guide consists primarily of chapters that tell you how to administer individual Mac OS X Server services:
• Chapter 1, "Administering Your Server," highlights the major characteristics of Mac OS X Server's services and takes you on a tour of its administration applications.
• Chapter 10, "Client Management: Mac OS 9 and OS 8," addresses client management for Mac OS 8 and 9 computer users, describing how to use Macintosh Manager to manage their day-to-day working environments.
• Chapter 11, "DHCP Service," describes Dynamic Host Configuration Protocol (DHCP) service, which lets you dynamically allocate IP addresses to the computers used by server users.
Most chapters end with a section called "Where to Find More Information." This section points you to Web sites and other reference material containing more information about the service.
Setting Up Mac OS X Server for the First Time
If you haven't installed and set up Mac OS X Server, do so now.
• Refer to Getting Started With Mac OS X Server, the document that came with your software, for instructions on server installation and setup.
Chapter 1
Administering Your Server
Mac OS X Server is a powerful server platform that delivers a complete range of services to users on the Internet and local network:
• You can connect users to one another, using services such as mail and file sharing.
Password Security
You can choose from several user authentication options, ranging from Mac OS X Server's Open Directory Password Server to Kerberos or Lightweight Directory Access Protocol (LDAP). Password Server lets you implement password policies and supports a wide variety of client protocols.
Open Directory Services
User and group information is used by your server to authenticate users and authorize their access to services and files. Information about other network resources is used by your server to make printers and other devices available to particular users. To access this information, the server retrieves it from centralized data repositories known as directory domains.
High Availability
To maximize server availability, Mac OS X Server includes technology for monitoring server activity, monitoring and reclaiming disk space, automatically restarting malfunctioning services, and automatically restarting the server following a power failure. You can also configure IP failover, which sets up a standby server that takes over the primary server's IP address if the primary server fails.
Highlighting Individual Services
This section highlights individual Mac OS X Server services and tells you where in this guide to find more information about them.
Directory Services
Directory services let you use a central data repository for the user and network information your server needs to authenticate users and give them access to services.
Chapter 2, "Directory Services," describes how to configure search policies on any Mac OS X computer.
Password Validation
Open Directory gives you several options for validating a user's password:
• You can use a value stored as a readable attribute in the user's account. The account can be stored in a directory domain residing on Mac OS X Server or on another vendor's directory server, such as an LDAP or Active Directory server. Because the attribute is readable, anyone who can read the user record can copy the stored value and attack it offline; the other options below keep the password out of the user record.
File Services
Mac OS X Server makes it easy to share files using the native protocols of different kinds of client computers. Mac OS X Server includes four file services:
• Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources with clients who use Macintosh or Macintosh-compatible operating systems.
• fine-grain access controls for managing client connections and guest access
• automatic disconnect of idle clients after a period of inactivity
AFP also lets you reshare NFS mounts using AFP. This feature provides a way for clients not on the local network to access NFS volumes via a secure, authenticated AFP connection: AFP authenticates each user, whereas NFS trusts the client host and the UID it asserts. It also lets Mac OS 9 clients access NFS file services on traditional UNIX networks.
FTP service in Mac OS X Server supports Kerberos v5 authentication and, for most FTP clients, resuming of interrupted FTP file transfers. Mac OS X Server also supports dynamic file conversion, allowing users to request compressed or decompressed versions of information on the server. FTP is considered an insecure protocol: with password authentication, user names and passwords cross the Internet in clear text, as does every file transferred, so anyone able to observe the traffic can capture them. Kerberos authentication avoids sending the password itself but does not encrypt the files.
Web service also includes support for Web-based Distributed Authoring and Versioning (WebDAV). With WebDAV capability, your client users can check out Web pages, make changes, and then check the pages back in while the site is running. In addition, Mac OS X users can use a WebDAV-enabled Web server as if it were a file server.
Client Management
You can use Mac OS X Server to manage the work environments of Mac OS 8, 9, and X clients. Preferences you define for individual users, groups of users, and computers provide your Macintosh users with a consistent desktop, application, and network appearance regardless of the Macintosh computer to which they log in.
• Network Install is an excellent solution for operating system migrations, installing software updates and custom software packages, restoring computer classrooms and labs, and reimaging desktop and portable computers.
• You can define custom installation images for various departments in an organization, such as marketing, engineering, and sales. With Network Install you don't need to insert multiple CDs to configure a system.
You will use DNS if you use SMTP mail service or if you want to create subdomains within your primary domain. You will also use DNS if you are hosting multiple Web sites. If you don't have an Internet service provider (ISP) who handles DNS for your network, you can set up a DNS server on your Mac OS X Server. You'll find more information about DNS in Chapter 14, "DNS Service."
You can deliver live and prerecorded media over the Internet to both Macintosh and Windows users, or relay streamed media to other streaming servers. You can provide unicast streaming, which sends one stream to each individual client, or multicast streaming, which sends the stream to a group of clients. For more information about QTSS, refer to the QuickTime Web site: www.apple.
Administering a Server From Different Computers
You can use the server applications to manage the local server or to manage a remote server, including headless servers. You can also manage Mac OS X Servers remotely from an administrator computer. An administrator computer is a Mac OS X computer onto which you have installed the server applications from the disc named Mac OS X Server Administration Tools.
You'll find Open Directory Assistant in /Applications/Utilities/. For information about how to use the application, see Chapter 2, "Directory Services."
Directory Access
Directory Access is the primary application for setting up a Mac OS X computer's connections with directory domains as well as defining the computer's search path. Unlike Open Directory Assistant, Directory Access does not create directory domains.
Major Workgroup Manager Tasks
After login, the user account window appears, with lists of user, group, and computer accounts in the server's local directory domain. Here is how to get started with the major tasks you'll be performing with this application:
• To administer user, group, or computer accounts, click the Accounts icon in the toolbar.
Click the service modules arranged on the Server Settings tabs to choose commands that let you work with individual services:
• For administering file and print services, select the File & Print tab to access modules.
• For administering mail and Web service, select the Internet tab to access modules.
• For administering IP Firewall, DHCP, NetBoot, DNS, and SLP DA services, select the Network tab to access modules.
• To customize the Server Status toolbar, choose Customize Toolbar from the View menu.
• To retrieve online information, use the Help menu. It provides help for server administrators about Server Status as well as other Mac OS X Server topics.
Macintosh Manager
You use Macintosh Manager to administer client management for Mac OS 8 and 9 client computers.
• Use the Export Items and Import Items buttons to manage different lists of Xserve servers you want to monitor. The Merge Items button lets you consolidate lists into one.
• The system identifier lights on the front and back of an Xserve server light when service is required. Use Server Monitor to understand why the lights are on.
Where to Find More Information
Regardless of your server administration experience, you may want to take advantage of the wide range of Apple customer training courses. To learn more, go to train.apple.com
If You're New to Server and Network Management
If you want to learn more about Mac OS X Server, see the Mac OS X Server Web site: www.apple.com/macosx/server/
Online discussion groups can put you in touch with your peers.
Chapter 2
Directory Services
Directory services provide a central repository for information about the systems, applications, and users in an organization. In education and enterprise environments, directory services are the ideal way to manage users and computing resources. Organizations with as few as 10 people can benefit by deploying directory services. Directory services can be doubly beneficial.
The Open Directory architecture also includes Open Directory Password Server. A Password Server can securely store and validate the passwords of users who want to log in to client computers on your network or use other network resources that require authentication. A Password Server can also enforce such policies as password expiration and minimum length.
Processes running on Mac OS X computers can use directory services to save information in a directory domain. For example, when you set up a user account, the application that you use to do this has directory services store information about the user in a directory domain.
• On a computer with Mac OS X version 10.2, you use the My Account pane or the Accounts pane of System Preferences to set up user accounts that are valid only on the one computer.
Data Consolidation
For years, UNIX systems have stored administrative information in a collection of files located in the /etc directory. This scheme requires each UNIX computer to have its own set of files, and processes that are running on a UNIX computer read its files when they need administrative information. If you're experienced with UNIX, you probably know about the files in the /etc directory: group, hosts, hosts.equiv, passwd, and so forth.
Processes no longer need to know how and where administrative data is stored. Open Directory gets the data for them. If a process needs the location of a user's home directory, the process simply has Open Directory retrieve the information. Open Directory finds the requested information and then returns it, insulating the process from the details of how the information is stored.
Open Directory solves this problem by letting you store administrative data in a directory domain that can be managed by a system administrator from one location.
• Folder and file access. After logging in successfully, a user can access files and folders. Mac OS X uses another data item from the user record, the user ID (UID), to determine the user's access privileges for a file or folder that the user wants to access. When a user accesses a folder or file, the file system compares this user's UID to the owner UID assigned to the folder or file (and the user's group IDs to its group) to decide which set of permission bits applies. The comparison is purely numeric: two user records that carry the same UID, even in different directory domains, are the same user as far as the file system is concerned.
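The following is an added illustration of the UID comparison described above; it is not Apple's code and does not read a real file system. It models the owner/group/other check that Mac OS X (like any BSD system) applies, with constructed sample files and users whose UIDs, GIDs and paths are made up. Beyond the single comparison the text mentions, it shows the cases an administrator trips over: a group member who can read but not write, and an owner who is denied even though "everyone else" is allowed, because the class is chosen by identity, not by generosity.

```python
"""How a UID-based file-system permission check works.

Added illustration for this section of the guide, not Apple's code: it
models the BSD owner/group/other check that Mac OS X applies, using
constructed sample files and users (UIDs, GIDs and paths are made up).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

R, W, X = 4, 2, 1   # permission bits within one class


@dataclass(frozen=True)
class FileRecord:
    path: str
    owner_uid: int   # UID stored with the file, compared to the user's UID
    group_gid: int   # GID stored with the file, compared to the user's group list
    mode: int        # permission bits, e.g. 0o640


@dataclass(frozen=True)
class User:
    uid: int
    gids: FrozenSet[int]   # primary group plus any supplementary groups


def permission_class(f: FileRecord, u: User) -> str:
    """Choose exactly one class by identity, in this order: owner, group, other.

    Only numbers are compared; the file system never sees a user name, so two
    records with the same UID are the same user to it.
    """
    if u.uid == f.owner_uid:
        return "owner"
    if f.group_gid in u.gids:
        return "group"
    return "other"


def allowed(f: FileRecord, u: User, want: int) -> bool:
    """True if every bit in `want` (R, W, X combined with |) is granted.

    Root (UID 0) bypasses the read/write bits; for execute the kernel still
    requires at least one x bit to be set somewhere in the mode.
    """
    if u.uid == 0:
        return (want & X) == 0 or (f.mode & 0o111) != 0
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(f, u)]
    granted = (f.mode >> shift) & 0o7
    return (granted & want) == want


# Constructed sample data (hypothetical).
PAYROLL = FileRecord("/Shared/payroll.xls", owner_uid=501, group_gid=80, mode=0o640)
ODD = FileRecord("/Shared/odd", owner_uid=501, group_gid=80, mode=0o077)  # owner gets nothing

ALICE = User(uid=501, gids=frozenset({20, 80}))   # owns both files
BOB = User(uid=502, gids=frozenset({80}))         # in the files' group only
EVE = User(uid=503, gids=frozenset({20}))         # neither owner nor group member
ROOT = User(uid=0, gids=frozenset({0}))


def demo() -> Dict[str, bool]:
    """The checks a practitioner would want to see side by side."""
    return {
        "alice_rw_payroll": allowed(PAYROLL, ALICE, R | W),   # owner: rw
        "bob_r_payroll": allowed(PAYROLL, BOB, R),            # group: r only
        "bob_w_payroll": allowed(PAYROLL, BOB, W),
        "eve_r_payroll": allowed(PAYROLL, EVE, R),            # other: nothing
        # Class is chosen by identity: the owner of a mode-077 file is denied
        # although "other" would be granted everything.
        "alice_r_odd": allowed(ODD, ALICE, R),
        "eve_rwx_odd": allowed(ODD, EVE, R | W | X),
        "root_w_payroll": allowed(PAYROLL, ROOT, W),
        "root_x_payroll": allowed(PAYROLL, ROOT, X),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'allowed' if ok else 'denied'}")
```

The practical consequence for directory planning is the one the text hints at: a UID is the only identity the file system keeps, so UIDs must be unique across every domain a computer searches, and a network account that reuses a local account's UID inherits all of that account's files.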
For example, when you define a user by using the Accounts module of Workgroup Manager, you are creating a user record (a record of the user's record type). The settings that you configure for the user (short name, full name, home directory location, and so on) become values of attributes in the user record. The user record and the values of its attributes reside in a directory domain.
In fact, Open Directory can provide information about network services both from service discovery protocols and from directory domains. To accomplish this, Open Directory simply asks all its sources of information for the type of information requested by a Mac OS X process.
• Lightweight Directory Access Protocol (LDAP), an open standard commonly used in mixed environments
• NetInfo, the Apple directory services protocol for Mac OS X
The directory services of Mac OS X version 10.2, Open Directory, can also store and retrieve administrative data that resides in existing directory domains on other servers.
After login, the user may choose Connect To Server from the Go menu and connect to a file server on a computer running Mac OS X Server. In this case, Open Directory on the server searches for the user's record in the server's local directory domain. If the server's local directory domain has a record for the user (and the user types the correct password), the server grants the user access to the file services.
Similarly, you can make network resources such as printers visible to certain computers by setting up printer records in a shared domain accessed by those computers. For example, graphic artists in a company might need to access color printers, while copy center personnel need to use high-speed laser printers.
While some devices may need to be used only by specific departments, other resources, such as personnel forms, may need to be shared by all employees. You could make a folder of those forms available to everybody by setting up a share point for the folder in another shared domain that all computers can access.
Shared Data in Existing Directory Domains
Some organizations, such as universities and worldwide corporations, maintain user information and other administrative data in directory domains on UNIX or Windows servers. Open Directory can be configured to search these non-Apple domains as well as shared Open Directory domains of Mac OS X Servers.
Two-Level Hierarchies
The simplest hierarchy is a two-level hierarchy: a shared directory domain above a local directory domain.
[Figure: a two-level hierarchy. One shared domain sits above three local domains, one each on the English department's computer, the Math department's computer, and the Science department's computer.]
Here's a scenario in which a two-level hierarchy might be used. Each department (English, Math, Science) has its own computer.
While local domains reside on their respective servers, a shared domain can reside on any Mac OS X Server accessible from the local domain's computer. In this example, the shared domain can reside on any server accessible from the departmental servers.
More Complex Hierarchies
Open Directory also supports multilevel domain hierarchies. Complex networks with large numbers of users may find this kind of organization useful, although it's much more complex to administer.
You can affect an entire network or just a group of computers by choosing the domain in which to publish administrative data. The higher the administrative data resides in a directory domain hierarchy, the fewer places it needs to be changed as users and system resources change. Probably the most important aspect of directory services for administrators is planning directory domains and hierarchies.
If the local domain does not contain the user's record, Open Directory goes to the next directory domain in the search policy.
[Figure: the search continues from the Local domain to the Graduates domain, asking "Is the user defined here?" and moving on when the answer is No.]
If the second directory domain also does not contain the user's record, Open Directory searches the remaining directory domains in the search policy one by one until it searches the last shared domain.
Next the automatic search policy looks at the binding of shared NetInfo domains. The computer's local domain may be bound to a shared NetInfo domain, which may in turn be bound to another shared NetInfo domain, and so on. The NetInfo binding, if any, constitutes the second part of the automatic search policy. See "Configuring NetInfo Binding" on page 106 for additional information.
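The walk described in the preceding paragraphs, as an added illustration that is not Apple's code: the local domain is consulted first, then each domain in the NetInfo binding chain, and the search stops at the first domain that holds the name. The domains, short names and UIDs are constructed samples. The example also includes an audit helper, not something the guide mentions, that lists names defined in more than one searched domain, because the first hit wins and a locally created account silently shadows a same-named network account (or the reverse, once the local record is deleted).

```python
"""Walking an Open Directory search policy for a user record.

Added illustration for the search-policy description above, not Apple's
code. The domains and user records below are constructed sample data with
hypothetical names and UIDs.
"""
from typing import Dict, List, Optional, Tuple

UserRecord = Dict[str, object]
Domain = Dict[str, UserRecord]             # short name -> record
SearchPolicy = List[Tuple[str, Domain]]    # (domain label, domain) in search order


def automatic_search_policy(local: Domain, netinfo_binding: SearchPolicy) -> SearchPolicy:
    """Automatic policy: the local domain first, then the NetInfo binding chain
    (the local domain's parent, its parent, ...) in order. LDAP servers
    supplied by DHCP, described later in this chapter, would follow; they are
    omitted here."""
    return [("local", local)] + list(netinfo_binding)


def find_user(name: str, policy: SearchPolicy) -> Optional[Tuple[str, UserRecord]]:
    """Return (domain label, record) from the FIRST domain in the policy that
    holds `name`, or None if no domain does. The search stops at the first hit,
    so later domains are never consulted for that name."""
    for label, domain in policy:
        record = domain.get(name)
        if record is not None:
            return label, record
    return None


def shadowed_names(policy: SearchPolicy) -> Dict[str, List[str]]:
    """Audit helper: short names defined in more than one searched domain,
    with the domains listed in search order. The first listed domain wins
    every lookup; the others are unreachable for that name."""
    seen: Dict[str, List[str]] = {}
    for label, domain in policy:
        for name in domain:
            seen.setdefault(name, []).append(label)
    return {n: labels for n, labels in seen.items() if len(labels) > 1}


# Constructed sample domains.
LOCAL: Domain = {
    "admin": {"UniqueID": 501, "NFSHomeDirectory": "/Users/admin"},
    "bob": {"UniqueID": 1050, "NFSHomeDirectory": "/Users/bob"},   # created locally
}
GRADUATES: Domain = {
    "alice": {"UniqueID": 1001, "NFSHomeDirectory": "/Network/Users/alice"},
}
CAMPUS: Domain = {
    "bob": {"UniqueID": 1042, "NFSHomeDirectory": "/Network/Users/bob"},
    "carol": {"UniqueID": 1043, "NFSHomeDirectory": "/Network/Users/carol"},
}

# The local domain is bound to Graduates, which is bound to Campus.
POLICY = automatic_search_policy(LOCAL, [("Graduates", GRADUATES), ("Campus", CAMPUS)])


if __name__ == "__main__":
    for name in ("admin", "alice", "bob", "dave"):
        print(name, "->", find_user(name, POLICY))
    print("shadowed:", shadowed_names(POLICY))
```

Note that "bob" resolves to the local record with UID 1050, not the campus record with UID 1042: whichever computer a user sits at, the account that wins is the first one in that computer's search policy, and its UID is the one used for file access.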
Directory Domain Planning
Keeping information in shared directory domains gives you more control over your network, allows more users access to the information, and makes maintaining the information easier for you. But the amount of control and convenience depends on the effort you put into planning your shared domains.
Larger, more complex organizations can benefit from a deeper directory domain hierarchy.
[Figure: a campus hierarchy. The Campus domain is at the top; below it are the Students domain (with Undergraduates and Graduates domains beneath) and the Employees domain (with the Faculty domain beneath).]
Controlling Data Accessibility
Hierarchies that contain several shared domains let you make directory information visible only to subsets of a network's computers.
You'll want to try to make each directory domain applicable to all the computers that use it so you don't have to change or add information in multiple domains. In the education hierarchy example, all students may have user records in the Students domain and all employees may have accounts in the Employees domain.
Authentication is part of the process by which your server determines whether it should grant access to a user, computer, or program. Usually, access requires two tests: authentication and authorization. For authentication, the requester must prove identity, usually by providing a password. For authorization, the server then checks whether that proven identity is permitted the access requested.
Password Server Authentication Methods
A Password Server supports many different methods of authenticating users for login and other network services, including CRAM-MD5, APOP, SMB-NT, SMB-LAN Manager, DHX, and Digest-MD5. A Password Server is able to support a wide range of authentication methods because it is based on the Simple Authentication and Security Layer (SASL) standard. The methods differ in what they reveal on the network and in what the server must store to verify them; SMB-LAN Manager in particular exists for older Windows clients and uses the weakest hashing of the group.
APOP Authentication Method
APOP is used by many email programs. The password itself is never sent: the client sends an MD5 digest of a server-supplied timestamp combined with the password, so it offers good security during network transmission. To check that digest, however, the server must store the password in a recoverable form. A malicious user who gains access to the server and decodes the password file could therefore obtain the cleartext passwords, although doing this would be very difficult; protecting the Password Server's database is what the security of this method rests on.
• Mac OS 8.1–8.6 client computers that have file server volumes mount automatically during startup should use AppleShare Client version 3.8.3.
Digest-MD5 Authentication Method
Digest-MD5 is used by the Mac OS X login window, many email programs, and some LDAP software. This authentication method never sends the password itself; the client answers a server challenge with an MD5-based response, and the server stores the password in a scrambled (hashed) form rather than recoverably. That stored value cannot be turned back into the password, but it is sufficient by itself to compute a valid response, so it must be protected like a password.
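The difference between the two methods just described is easiest to see in code. The following added example, which is not Apple's code and does not reproduce the Password Server's actual storage format, follows RFC 1939 for APOP and RFC 2831 (qop=auth) for Digest-MD5. It assumes the server keeps exactly what each RFC lets it keep: the recoverable password for APOP, and the H(username:realm:password) value for Digest-MD5 (the guide says only "scrambled form"). User name, realm, password, timestamp and nonces are constructed sample values.

```python
"""What APOP and Digest-MD5 require the Password Server to keep on disk.

Added illustration for the two methods described above, not Apple's code.
It follows RFC 1939 (APOP) and RFC 2831 (Digest-MD5, qop=auth); the user
name, realm, password, timestamp and nonces are constructed samples.
"""
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# ---- APOP (RFC 1939) -------------------------------------------------------
# The server greeting carries a timestamp; the client answers with
# MD5(timestamp + password) and the password never crosses the wire.
def apop_client_digest(timestamp: str, password: str) -> str:
    return md5_hex((timestamp + password).encode())


def apop_server_verify(stored_password: str, timestamp: str, digest: str) -> bool:
    """The server must recompute the same MD5, so it needs the password in
    recoverable form; a one-way hash of the password would not do."""
    return md5_hex((timestamp + stored_password).encode()) == digest


# ---- Digest-MD5 (RFC 2831, qop=auth) ---------------------------------------
def digest_md5_stored_secret(username: str, realm: str, password: str) -> bytes:
    """What the server may store instead of the password: the 16 raw bytes of
    H(username:realm:password). Not reversible, but enough to compute or verify
    any response, so it is password-equivalent."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str, digest_uri: str) -> str:
    """Response value per RFC 2831 section 2.1.2.1, built from the stored secret."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return md5_hex(f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:auth:{md5_hex(a2)}".encode())


# Constructed sample values.
USER, REALM, PASSWORD = "mrose", "mail.example.com", "tanstaaf"
APOP_TIMESTAMP = "<1896.697170952@mail.example.com>"
NONCE, CNONCE, NC, URI = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "pop/mail.example.com"


def demo_apop() -> dict:
    digest = apop_client_digest(APOP_TIMESTAMP, PASSWORD)
    return {
        "valid": apop_server_verify(PASSWORD, APOP_TIMESTAMP, digest),
        "wrong_password": apop_server_verify("tanstaaf!", APOP_TIMESTAMP, digest),
        # A captured digest is useless once the server issues a new timestamp.
        "replayed": apop_server_verify(PASSWORD, "<1897.697170999@mail.example.com>", digest),
    }


def demo_digest_md5() -> dict:
    # Client: derives the secret from the password it knows, then responds.
    client = digest_md5_response(digest_md5_stored_secret(USER, REALM, PASSWORD), NONCE, CNONCE, NC, URI)
    # Server: verifies using only the stored secret, never the password.
    stored = digest_md5_stored_secret(USER, REALM, PASSWORD)
    expected = digest_md5_response(stored, NONCE, CNONCE, NC, URI)
    # Attacker who copied the stored secret off the server but never saw the password.
    attacker = digest_md5_response(stored, NONCE, CNONCE, NC, URI)
    return {
        "server_accepts_client": client == expected,
        "stolen_secret_suffices": attacker == expected,
        "secret_is_not_password": stored != PASSWORD.encode(),
    }


if __name__ == "__main__":
    print("APOP:", demo_apop())
    print("Digest-MD5:", demo_digest_md5())
```

The lesson for the administrator is the same for both: neither method exposes the password on the network, but a copy of the Password Server's database lets an attacker log in as any user (Digest-MD5) or read every password outright (APOP). That is why the chapter later insists on backing up, and by implication guarding, the Password Server.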
The Password Server must remain available to provide authentication services. If the Password Server goes down, password validation cannot occur. Therefore, backing up the Password Server is important.
Overview of Directory Services Tools
The following applications help you set up and manage directory domains and Password Servers.
• Open Directory Assistant.
Step 2: Set up Open Directory domains and Password Servers
Create shared directory domains on the Mac OS X Servers that you want to host them, and set up an Open Directory Password Server on a Mac OS X Server that hosts a shared directory domain. If you will be setting up more than one Mac OS X Server, start by setting up the Mac OS X Server that will have the Password Server.
Before You Begin
Before setting up directory services for the first time:
• Understand why clients need directory data, as discussed in the first several sections of this chapter.
• Assess your server access requirements. Identify which users need to access your Mac OS X Servers. Users whose information can be managed most easily on a server should be defined in a shared Open Directory domain on a Mac OS X Server.
Always remember: directory information is authoritative. It vitally affects everyone whose computers use it.
Setting Up an Open Directory Domain and Password Server
You must thoughtfully decide how to set up Open Directory domains and a Password Server before you set up user accounts and have your Mac OS X Server provide services to users. To decide how to set up Open Directory domains and a Password Server, ask yourself the following questions.
To configure how your server works with directory information and a Password Server:
1. Open the Open Directory Assistant application. It is located in the /Applications/Utilities folder.
2. Enter the connection and authentication information for the Mac OS X Server that you want to configure, then click Connect. For Address, enter the DNS name or IP address of the server that you want to configure.
For Password, enter the password for the user name you entered.
3. Click the right arrow to get to the Location step, and then select the setting that indicates the server is at its permanent network location. If a server is in a temporary location, you can't configure the server to get directory services from another server.
If you select Static IP Address, you must enter the IP address or DNS name of the Mac OS X Server whose LDAP domain you want your server to use. You must also enter a search base, which is a set of text items that tell your server where to look for directory information on the LDAP server.
Hosting a Shared Directory Domain With a Password Server
Using the Open Directory Assistant application, you can set up a Mac OS X Server to provide directory information and authentication information to other systems. The Mac OS X Server provides directory information by hosting a shared Open Directory domain. In addition, the server provides authentication information by hosting a Password Server.
5. Go to the Configure step, where you specify how other computers can access the server's shared Open Directory domain. Other computers can always access the server's shared domain via NetInfo. Select "Enable LDAP support on this server" if you want other computers to be able to access the server's shared domain via LDAP as well.
Hosting a Shared Directory Domain and Using an Existing Password Server
Using the Open Directory Assistant application, you can set up a Mac OS X Server to provide directory information to other systems while it obtains authentication information from another system. The Mac OS X Server provides directory information by hosting a shared Open Directory domain. This server obtains authentication information from another server's Password Server.
5. Go to the Configure step, where you specify how other computers can access the server's shared Open Directory domain. Other computers can always access the server's shared domain via NetInfo. Select "Enable LDAP support on this server" if you want other computers to be able to access the server's shared domain via LDAP as well.
If you create user accounts without a Password Server and later reconfigure your Mac OS X Server to host or use a Password Server, you will have to reset the user passwords to use the Password Server.
6. Advance to the Security step and select "Password and authentication information will be stored and accessed locally in user records."
7. In the onscreen Finish Up step, click Go Ahead to configure the server with the displayed settings.
4. Advance to the Directory Use step, and then select the option "The server will use a nonshared local directory."
5. Go to the first Security step and select "Password and authentication information will be provided to other systems."
6. Advance to the next Security step. Open Directory Assistant displays the short name of the user account that will become an administrator of the Password Server.
If your Mac OS X Server currently gets directory information from another server and you change to getting directory information only from the local directory domain, user records and other information that is stored in the other server's shared directory domain will no longer be available. The user records and other information will still exist in the other shared directory domain, but your Mac OS X Server will not access them.
For User Name, enter the user name of an administrator of the Password Server. This administrator is a domain administrator for the directory domain with which the Password Server is associated, and the administrator's password is validated using that Password Server. For more information on Password Server administrators, see "Assigning Administrator Rights for a Password Server" on page 201 of Chapter 3, "Users and Groups."
To configure a server to use only its own non-shared local directory domain with no Password Server:
1. Open the Open Directory Assistant application. It is located in the /Applications/Utilities folder.
2. Enter the connection and authentication information for the Mac OS X Server that you want to configure, then click Connect. For Address, enter the DNS name or IP address of the server that you want to configure.
After making sure that no servers or client computers are using a shared Open Directory domain, you can delete it by using Open Directory Assistant.
Warning: When you delete a directory domain, all user account information and other administrative data that it contains is lost.
Configuring Open Directory Service Protocols
Open Directory uses many protocols to access administrative data in directory domains and discover services on the network. You can enable or disable each of the protocols individually by using the Directory Access application. The protocols include
• AppleTalk, the legacy Mac OS protocol for file and print services. AppleTalk is configured automatically.
4. Click Apply.
Configuring SMB Service Discovery
You can configure how Mac OS X uses the Server Message Block (SMB) protocol to discover Windows file servers on the network.
You can configure the authentication search policy for a Mac OS X Server or other Mac OS X computer by using the Directory Access application. You can use the same application to configure the computer's contacts search policy. (The Open Directory Assistant application also configures the authentication search policy of a Mac OS X Server, but does not offer as many options as Directory Access.)
Note: Make sure the computer has been configured to access the LDAP servers, Active Directory servers, NetInfo domains, and BSD configuration files that you want to add to the search policy. For instructions, see the subsequent sections of this chapter.
To define a custom search policy for the computer:
1. In Directory Access, click the Authentication tab or the Contacts tab.
Changing Basic LDAPv3 Settings
You can use the Directory Access application to change basic settings for accessing LDAPv3 servers, including the shared Open Directory domains of Mac OS X Servers:
• Enable or disable use of LDAPv3 servers supplied by DHCP.
• Reveal an intermediate level of LDAPv3 information and options.
4. From the Location pop-up menu, choose the network location that you want to see, or use Automatic.
5. Click Show Options or Hide Options.
Configuring Access to Existing LDAPv3 Servers
On a Mac OS X computer that is not configured to access an LDAPv3 server automatically via DHCP, you can manually configure access to one or more LDAPv3 servers. You can do the following:
• Create server configurations and enable or disable them individually.
LL0395.Book Page 92 Wednesday, November 20, 2002 11:44 AM 7 Click the pop-up menu next to the DNS name or IP address and choose a mapping template or choose From Server. Before you can use Workgroup Manager to create users on a non-Apple LDAPv3 server that uses RFC 2307 (UNIX) mappings, you must edit the mapping of the Users record type. For instructions, see “Editing RFC 2307 Mapping to Enable Creating Users” on page 97. 8 Enter the search base for your LDAPv3 server and click OK.
Duplicating an LDAPv3 Configuration
You can use Directory Access to duplicate an LDAPv3 server configuration. After duplicating a configuration, you can change its settings.

To duplicate an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.

Changing an LDAPv3 Configuration’s Connection Settings
You can use Directory Access to change the connection settings for an LDAPv3 server configuration.

To change the connection settings of an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
Note: The mapping of Mac OS X attributes can be different for each record type. Mac OS X has separate LDAPv3 mappings for each record type. When mapping Mac OS X user attributes to a read/write LDAPv3 directory domain (an LDAPv3 domain that is not read-only), the LDAPv3 attribute mapped to RealName must not be the same as the first attribute in a list of LDAPv3 attributes mapped to RecordName.

To change a mapping for a record type, select the record type in the Record Types and Attributes List. Then double-click the LDAPv3 object class that you want to change in the “Map to __ items in list” and edit it. Specify whether to use all or any of the listed LDAPv3 object classes by using the pop-up menu above the list. To remove a mapping for a record type, select the record type in the Record Types and Attributes List.

Mapping Config Record Attributes for LDAPv3 Directory Domains
If you want to store information for managed Mac OS X users in an LDAPv3 directory domain, make sure you map the following attributes of the Config record type: RealName and DataStamp.

You can find out the object classes of existing user records on the LDAPv3 server by using the UNIX tool ldapsearch in a Terminal window. The following example would display the object classes for a user record whose cn attribute is “Leonardo da Vinci”:
ldapsearch -x -h ldapserver.example.
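An added example (not code from the Apple guide) that covers both the ldapsearch step above and the mapping rule stated earlier: it parses the LDIF that ldapsearch prints, lists the object classes of the record whose cn is “Leonardo da Vinci”, and then checks a proposed Users-record mapping against that record. The LDIF text, server name, base DN and attribute names are constructed; the presence check in check_users_mapping is an added sanity check, while the RealName/RecordName rule is the one the guide states.

```python
"""Added example: read object classes from ldapsearch LDIF output and check a
Users-record mapping against the record. Sample data is constructed."""
import base64
from typing import Dict, List, Optional

# Constructed: roughly what
#   ldapsearch -x -h ldapserver.example.com -b "dc=example,dc=com" "cn=Leonardo da Vinci"
# might print for a hypothetical record. The sn value is base64 ("::") only to
# exercise the decoder; the gecos value is folded over two lines.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
dn: uid=leonardo,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: leonardo
cn: Leonardo da Vinci
sn:: ZGEgVmluY2k=
gecos: Leonardo da Vinci
 , Florence
uidNumber: 1501

# search result
search: 2
result: 0 Success
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfold continuation lines (a leading space), skip
    '#' comments, decode '::' base64 values, and split entries on blank lines.
    Trailing 'search:'/'result:' lines have no dn and are dropped."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:          # sentinel blank line flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue                      # not attribute syntax; ignore
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return entries


def find_entry(entries: List[Entry], attr: str, value: str) -> Optional[Entry]:
    """First entry whose attribute carries the given value (e.g. cn)."""
    for entry in entries:
        if value in entry.get(attr, []):
            return entry
    return None


def object_classes(entry: Entry) -> List[str]:
    return sorted(entry.get("objectClass", []))


def check_users_mapping(entry: Entry, record_name_attrs: List[str],
                        real_name_attr: str) -> List[str]:
    """Two checks before saving a Users mapping for a read/write LDAPv3 domain.
    The first (every mapped attribute is present on a real record) is an added
    sanity check; the second is the rule the guide states: the attribute mapped
    to RealName must not equal the first attribute mapped to RecordName."""
    problems: List[str] = []
    for attr in list(record_name_attrs) + [real_name_attr]:
        if attr not in entry:
            problems.append(f"attribute {attr!r} is not present on the record")
    if record_name_attrs and record_name_attrs[0] == real_name_attr:
        problems.append(f"RealName maps to {real_name_attr!r}, which is also the "
                        "first RecordName attribute")
    return problems


if __name__ == "__main__":
    entry = find_entry(parse_ldif(SAMPLE_LDIF), "cn", "Leonardo da Vinci")
    print(object_classes(entry))                        # ['person', 'posixAccount', 'top']
    print(check_users_mapping(entry, ["cn", "uid"], "cn"))  # one problem reported
```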
In addition, you can edit, duplicate, or delete an Active Directory server configuration. You can also change the connection settings and customize the mappings of an Active Directory server configuration. The procedures for all these tasks are the same for Active Directory servers as for LDAPv3 servers. For instructions, see “Configuring Access to Existing LDAPv3 Servers” on page 91.

Setting Up an Active Directory Server
If you want a Mac OS X computer to get administrative data from an Active Directory server, the data must exist on the Active Directory server in the format required by Mac OS X. You may need to add, modify, or reorganize data on the Active Directory server. You must make the necessary modifications by using tools on the Active Directory server.
• Create an LDAPv2 server configuration. For instructions, see “Creating an LDAPv2 Server Configuration” on page 101.
• Change LDAPv2 server access settings as needed. For instructions, see “Changing LDAPv2 Server Access Settings” on page 102.
• Edit LDAPv2 search bases and data mappings as needed. For instructions, see “Editing LDAPv2 Search Bases and Data Mappings” on page 103.
• Make sure the LDAPv2 server is included in a custom search policy.

In the Name field, enter a descriptive name for the LDAPv2 server. In the Address field, enter the LDAPv2 server’s DNS name or IP address.
6 Click the Access tab, then change the access settings as needed. For detailed instructions, see “Changing LDAPv2 Server Access Settings” on page 102.
7 Click the Records tab and, for any Mac OS X record type listed on the left, edit the LDAPv2 search base as needed on the right.

Select “Use the username and password below” if Open Directory should not connect anonymously. Enter the distinguished name (for example, cn=admin, cn=users, dc=example, dc=com) and password that Open Directory should use to establish an LDAPv2 server connection. Ensure that the LDAPv2 server is configured to accept any name and password you specify.

Select Groups in the Record Type list. Then edit the “Maps to” value to specify a search base on the LDAPv2 server that provides group information. The default search base for the Groups record type is ou=groups, o=company name. As needed, select other items in the Record Types list and edit their “Maps to” values to specify a search base on the LDAPv2 server that provides the appropriate information.

If other items in the Data Type column will be retrieved from the LDAPv2 server, select them one by one. When you select an item, edit the “Maps to” value to identify one or more LDAPv2 attributes that store the appropriate information.
7 Click OK, then close the window and click Save.

Using NetInfo Domains
Your Mac OS X Server can be part of a hierarchy of shared NetInfo domains.
3 Click the right arrow to get to the Location step, and then select the setting that indicates the server is at its permanent network location. You cannot set up a shared NetInfo domain on a server that is in a temporary location.
4 Advance to the Directory Use step, and then select the option to provide directory information to other servers.
5 Go to the Configure step, where you may select the option to enable LDAP support.

• With DHCP binding, a DHCP server automatically supplies the address and NetInfo tag of the shared NetInfo domain. To use DHCP binding, the DHCP server must be configured to supply a NetInfo parent’s address and tag. For instructions, see “Setting NetInfo Options for a Subnet” on page 508 in Chapter 11, “DHCP Service.”
• With broadcast binding, the computer locates a shared NetInfo domain by sending out an IP broadcast request.

To add a machine record to a parent NetInfo domain:
1 Open NetInfo Manager on the computer where the parent domain resides, then open the domain.
2 Click the lock and authenticate using the name and password of an administrator for the directory domain. To authenticate in NetInfo Manager, you must use an administrator account with a basic password. NetInfo Manager can’t authenticate an administrator account that uses Password Server.

4 To change the value of an existing port property, double-click the value in the Value(s) column and make the change.
5 To delete a port property, select it and choose Delete from the Edit menu.
6 To add a property, choose New Property from the Directory menu and proceed as follows. If you want to use one port for both TCP and UDP packets, double-click new_property and change it to “port.
Utility    Description
nigrep     Searches all NetInfo domains for all instances of a string you specify.
nicl       Creates, reads, or manages NetInfo data.

/etc/master.passwd
/etc/group
/etc/hosts
/etc/fstab

You can specify different BSD configuration files by editing the DSFFPlugin.plist file. This file contains structured text in XML format and is known as a property list or plist. You can edit this file with a text editor, but the Property List Editor application makes the job easier. Property List Editor is specifically designed to work with plist files.

If Directory Access displays an error message saying “Plug-in configuration application /Developer/Applications/Property List Editor.app is missing,” then you need to install the Property List Editor application in the folder /Developer/Applications on your computer’s hard drive.

7 When you finish, save and close the file.

Field name                           Purpose
AlternateRecordNameIndex (optional)  An index that can be used as a second field to be searched as the record name.
CommentChar (optional)               A string that contains the hexadecimal ASCII code of a character to be used to denote comment lines. This character must appear at the beginning of any line that is to be interpreted as a comment. Typically this character is # (hexadecimal 23).
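An added example, not code from the Apple guide or the DSFFPlugin itself, that reads a master.passwd-style BSD configuration file the way the two fields above imply: CommentChar is a hexadecimal ASCII code and only marks a comment when it is the first character of the line, and AlternateRecordNameIndex names a second field that is searched as the record name. The field layout of master.passwd is the standard BSD order; the other plist keys (FieldSeparator, RecordNameIndex, FieldNames) and the file content are constructed for this example.

```python
"""Added example: parse a BSD flat file using CommentChar and
AlternateRecordNameIndex semantics. Settings and file content are constructed."""
from typing import Dict, List, Optional, Tuple

Record = Dict[str, str]

# Constructed plugin settings for a master.passwd-style file. Only CommentChar
# and AlternateRecordNameIndex are keys the guide names; the others are
# hypothetical keys used here to describe the file layout.
MASTER_PASSWD_CONFIG = {
    "CommentChar": "23",            # hexadecimal ASCII code for '#'
    "FieldSeparator": ":",          # hypothetical key
    "RecordNameIndex": 0,           # hypothetical key: field that is the record name
    "AlternateRecordNameIndex": 2,  # uid field is also searched as the record name
    "FieldNames": ["name", "password", "uid", "gid", "class", "change",
                   "expire", "gecos", "home", "shell"],   # hypothetical key
}

# Constructed sample file. Password hashes are replaced by '*' placeholders; a real
# master.passwd holds hashes and must stay readable by root only.
SAMPLE_MASTER_PASSWD = """\
# constructed sample, not a real password database
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
    # indented: CommentChar must be first on the line, so this is NOT a comment
www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/usr/bin/false
tsmith:*:1025:20::0:0:Tony Smith:/Users/tsmith:/bin/bash
"""


def parse_bsd_flat_file(text: str, config: dict) -> Tuple[List[Record], List[Tuple[int, str]]]:
    """Return (records, rejected). A line is a comment only when its first
    character is the configured CommentChar; any other line must have exactly
    the configured number of fields or it is rejected with its line number."""
    comment_char = chr(int(config["CommentChar"], 16))
    names = config["FieldNames"]
    records: List[Record] = []
    rejected: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith(comment_char):
            continue
        fields = line.split(config["FieldSeparator"])
        if len(fields) != len(names):
            rejected.append((lineno, line))   # malformed: never silently accepted
            continue
        records.append(dict(zip(names, fields)))
    return records, rejected


def lookup(records: List[Record], config: dict, key: str) -> Optional[Record]:
    """Find a record by the primary record name, or by the alternate field
    (here the uid), as AlternateRecordNameIndex allows."""
    primary = config["FieldNames"][config["RecordNameIndex"]]
    alternate = config["FieldNames"][config["AlternateRecordNameIndex"]]
    for record in records:
        if key in (record[primary], record[alternate]):
            return record
    return None


if __name__ == "__main__":
    records, rejected = parse_bsd_flat_file(SAMPLE_MASTER_PASSWD, MASTER_PASSWD_CONFIG)
    print([r["name"] for r in records])      # ['root', 'www', 'tsmith']
    print("rejected:", rejected)             # line 3, the indented pseudo-comment
    print(lookup(records, MASTER_PASSWD_CONFIG, "70")["name"])   # www
```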
Setting Up Data in BSD Configuration Files
If you want a Mac OS X computer to get administrative data from BSD configuration files, the data must exist in the files and must be in the format required by Mac OS X. You may need to add, modify, or reorganize data in the files. Mac OS X cannot write data to BSD configuration files, so you must make the necessary modifications by using a text editor or other tools.

Editing BSD Configuration Files of Remote Computers
You can’t use the Directory Access application on your computer to connect to another computer and then edit its BSD configuration files remotely. Instead, you must go to the remote computer and edit its BSD configuration files locally. After using Directory Access to connect to a remote computer, you can click the Services tab, select BSD Configuration Files, and click Configure.

Backing Up and Restoring Directory Services Files
You can back up the following directory services data:
• Open Directory domain data: Information associated with Open Directory domains is stored in files that reside in /var/db/netinfo/. Back up the entire directory.
CHAPTER 3
Users and Groups

User and group accounts play a fundamental role in a server’s day-to-day operations:
• A user account stores data Mac OS X Server needs to validate a user’s identity and provide services for the user, such as access to particular files on the server and preferences that various services use.
• A group account offers a simple way to manage a collection of users with similar needs.

How User Accounts Are Used
When you define a user’s account, you specify the information needed to prove the user’s identity: user name, password, and user ID. Other information in a user’s account is needed by various services—to determine what the user is authorized to do and perhaps to personalize the user’s environment.

After login, the user can connect to a remote Mac OS X computer if the user’s account can be located within the search policy of the remote computer.

(Illustration: connecting to Mac OS X Server through the directory domains in the search policy.)

If Mac OS X finds a user account containing the name entered by the user, it attempts to validate the password associated with the account.

• A non-Apple LDAP server can be used to validate the password.

(Illustration: directory services consulting the user account, a Password Server, and a Kerberos server. The password provided can be validated using the value stored in the account, or using a value stored on another server on the network.)
Directory and File Access by Other Users
The UID, in conjunction with a group ID, is also used to control access by users who are members of particular groups. Every user belongs to a primary group. The primary group ID for a user is stored in the user’s account. When a user accesses a directory or file and the user is not the owner, the file system checks the file’s group privileges.

Any user who has a user account in a directory domain can be made an administrator of that domain. You can control the extent to which a directory domain administrator can change account data stored in a domain. For example, you may want to set up directory domain privileges so that your network administrator can add and remove user accounts, but other users can change the information for particular users.

Mail account settings let you enable and disable the user’s access to mail services running on a particular Mac OS X Server. You can also manage such account characteristics as how to handle automatic message arrival notification. Settings for Mac OS X mail service are configured using Server Settings, as Chapter 9, “Mail Service,” describes.

Resource Usage
Disk, print, and mail quotas can be stored in a user account.

You can grant administration privileges for a group folder to a user. A group folder administrator has owner privileges for the group folder and can use the Finder to change group folder attributes.

Workgroups
When you define preferences for a group, it is known as a workgroup. A workgroup provides you with a way to manage the working environment of group members. Any preferences you define for a Mac OS X workgroup are stored in the group account.

Groups, Primary Groups, and Workgroups
As noted earlier, when you define preferences for a group, the group is known as a workgroup. A primary group is the user’s default group. As “Directory and File Access by Other Users” on page 121 describes, primary groups can expedite the checking done by the Mac OS X file system when a user accesses a file.
Predefined Accounts
The following table describes the user accounts that are created automatically when you install Mac OS X Server (unless otherwise indicated).

Predefined user name     Short name   UID   Use
Anonymous FTP User       ftp          98    The user name given to anyone using FTP as an anonymous user.
Unprivileged User        nobody       -2    This user was originally created so that system services don’t have to run as System Administrator. Now, however, service-specific users, such as World Wide Web Server, are often used for this purpose.
World Wide Web Server    www          70    The nonprivileged user that Apache uses for its processes that handle requests.

Predefined group name    Group ID   Use
sshd                     75         The group for the sshd child processes that process network data.
staff                    20         The default group into which UNIX users are traditionally placed.
sys                      3          This group has no specific meaning.
tty                      4          A group that owns special files, such as the device file associated with an SSH or telnet user.
unknown                  99         The group used when the system doesn’t know about the hard disk.
Step 1: Before you begin, do some planning
See “Before You Begin” on page 132 for a list of items to think about before you start creating a large number of users and groups.

Step 2: Set up directory domains in which user and group accounts will reside
Make sure you have created any directory domain in which you’ve decided to store user and group accounts.

Step 4: Configure server search policies so servers can find user and group accounts
Make sure that the search policy of any server that needs to access user and group information to provide services for particular users is configured to do so. Chapter 2, “Directory Services,” tells you how to set up search policies.

For details about all the settings for a group account, see “Working With Member Settings for Groups” on page 169 through “Working With Group and Computer Preferences” on page 175.

Step 7: Set up client computers
Make sure that the directory services of Mac OS X computers are set up so they can access user accounts at login.

Before You Begin
Before setting up user and group accounts for the first time:
• Identify the directory domains in which you will store user and group account information. If you have an Active Directory or LDAP server already set up, you might be able to take advantage of existing records.

You may want to store home directories for users with last names from A to F on one computer, G to J on another, and so on. Or you may want to store home directories on a Mac OS X Server but store user and group accounts on an Active Directory or LDAP server. Pick a strategy before creating users. You can move home directories, but if you do, you may need to change a large number of user records.
Administering User Accounts
This section describes how to administer user accounts stored in various kinds of directory domains.

Where User Accounts Are Stored
User accounts, as well as group accounts and computer accounts, can be stored in any Open Directory domain accessible from the Mac OS X computer that needs to access the account.

Creating Read-Write LDAPv3 User Accounts
You can create a user account on a non-Apple LDAPv3 server if it has been configured for write access.

To create an LDAPv3 user account:
1 Ensure that the directory services of the Mac OS X Server you are using have been configured to use the LDAP server for user accounts.

Working With Read-Only User Accounts
You can use Workgroup Manager to review information for user accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains, LDAPv3 domains not configured for write access, and BSD configuration files.

You can use Workgroup Manager to edit the user name of an account stored in a directory domain residing on Mac OS X Server or in a non-Apple LDAPv3 directory domain, or to review the user name in any directory domain accessible from the server you are using.

To work with the user name using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open.

Typically, short names contain eight or fewer characters. You can use Workgroup Manager to edit the short name of an account stored in a directory domain on Mac OS X Server or in a non-Apple LDAPv3 directory domain, or to review the short name in any directory domain accessible from the server you are using.
Consider an example that consists of three shared directory domains. Tony Smith has an account in the Students domain, and Tom Smith has an account in the root domain. Both accounts contain the short name “tsmith” and the password “smitty.

If Tony has a user record in his local directory domain that has the same names and password as his record in the Students domain, the Students domain’s record for Tony would be masked. Tony’s local domain should offer a name/password combination that distinguishes it from the Students domain’s record. If the Students domain is not accessible (when Tony works at home, for example), he can log in using the local name and continue using his computer.

When Tom attempts to access MyDoc, Mac OS X searches the login hierarchy for user records with short names that match those associated with AllStudents. Tom’s user record is found because it resides in the login hierarchy, and the UID in the record is compared with Tom’s login UID. They match, so Tom is allowed to read MyDoc, even though he’s not actually a member of AllStudents.
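The lookup just described, modelled as an added example that is not code from the guide: group members are stored as short names, each is resolved through the login hierarchy (the search policy) and the UID of the record found is compared with the login UID, behind the owner/group/everyone read check from “Directory and File Access by Other Users”. The domains, users, UIDs, the AllStudents group and the MyDoc file are constructed to reproduce the Tony Smith and Tom Smith case; short_name_collisions is an added defensive check that finds the duplicate short names that make the case possible.

```python
"""Added example: login-hierarchy group resolution and the file read check,
with a collision finder for duplicate short names. All data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    short_name: str
    uid: int
    primary_gid: int
    domain: str


@dataclass(frozen=True)
class Group:
    short_name: str
    gid: int
    members: Tuple[str, ...]   # member short names, as the group record stores them


@dataclass(frozen=True)
class FileInfo:
    name: str
    owner_uid: int
    gid: int
    owner_read: bool
    group_read: bool
    everyone_read: bool


# A directory domain here is just its name and its user records keyed by short name.
Domain = Tuple[str, Dict[str, User]]


def find_user(search_policy: List[Domain], short_name: str) -> Optional[User]:
    """First record matching the short name, in search-policy order (the guide's
    login hierarchy: local domain first, then the shared domains)."""
    for _name, users in search_policy:
        if short_name in users:
            return users[short_name]
    return None


def is_member(user: User, group: Group, search_policy: List[Domain]) -> bool:
    """Membership as the guide describes it: the primary group is a fast path;
    otherwise each member short name is resolved through the login hierarchy
    and the UID of the record found is compared with the login UID."""
    if group.gid == user.primary_gid:
        return True
    for member in group.members:
        record = find_user(search_policy, member)
        if record is not None and record.uid == user.uid:
            return True
    return False


def can_read(user: User, f: FileInfo, groups: Dict[int, Group],
             search_policy: List[Domain]) -> Tuple[bool, str]:
    """Owner privileges first, then group privileges, then everyone."""
    if f.owner_uid == user.uid:
        return f.owner_read, "owner"
    group = groups.get(f.gid)
    if group is not None and is_member(user, group, search_policy):
        return f.group_read, "group"
    return f.everyone_read, "everyone"


def short_name_collisions(domains: List[Domain]) -> Dict[str, List[Tuple[str, int]]]:
    """Defensive check: short names that appear in more than one domain with
    different UIDs. Such collisions are what let Tom read Tony's group file."""
    seen: Dict[str, List[Tuple[str, int]]] = {}
    for name, users in domains:
        for short_name, user in users.items():
            seen.setdefault(short_name, []).append((name, user.uid))
    return {s: hits for s, hits in seen.items()
            if len({uid for _d, uid in hits}) > 1}


# Constructed scenario: Tony Smith in the Students domain, Tom Smith in the root
# domain, both with the short name "tsmith" but different UIDs.
TONY = User("tsmith", 1026, 20, "Students")
TOM = User("tsmith", 1025, 20, "root")
ALICE = User("alice", 1030, 20, "root")
ROOT_DOMAIN: Domain = ("root", {"tsmith": TOM, "alice": ALICE})
STUDENTS_DOMAIN: Domain = ("Students", {"tsmith": TONY})
LOCAL_TOM: Domain = ("local@tom", {})
LOCAL_TONY: Domain = ("local@tony", {})

# AllStudents lists Tony by short name; MyDoc is readable by that group only.
ALL_STUDENTS = Group("AllStudents", 1100, ("tsmith",))
GROUPS = {ALL_STUDENTS.gid: ALL_STUDENTS}
MYDOC = FileInfo("MyDoc", owner_uid=501, gid=1100,
                 owner_read=True, group_read=True, everyone_read=False)

# Tom's computer binds to the root domain only; Tony's to Students and root.
TOM_SEARCH_POLICY = [LOCAL_TOM, ROOT_DOMAIN]
TONY_SEARCH_POLICY = [LOCAL_TONY, STUDENTS_DOMAIN, ROOT_DOMAIN]

if __name__ == "__main__":
    print("Tony:", can_read(TONY, MYDOC, GROUPS, TONY_SEARCH_POLICY))    # (True, 'group')
    print("Tom: ", can_read(TOM, MYDOC, GROUPS, TOM_SEARCH_POLICY))      # (True, 'group'), unintended
    print("Alice:", can_read(ALICE, MYDOC, GROUPS, TOM_SEARCH_POLICY))   # (False, 'everyone')
    print("collisions:", short_name_collisions([ROOT_DOMAIN, STUDENTS_DOMAIN]))
```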
Defining Passwords
See “Understanding Password Validation” on page 193 for details about setting up and managing passwords.

Assigning Administrator Rights for a Server
A user who has server administration privileges can control most of the server’s configuration settings and use applications, such as Server Status, that require a user to be a member of the server’s admin group.

6 Click Privileges to specify what the user should be able to administer in the domain. By default, the user has no directory domain privileges.
7 To work with privileges to change user, group, or computer accounts, click the Users, Groups, or Computers tab, respectively.
8 Select a checkbox to indicate whether you want the user to be able to change account and/or preference settings.

You can use Workgroup Manager to define login settings of an account stored in a NetInfo or LDAPv3 directory domain or to review login settings in any directory domain accessible from the server you are using.

To work with login settings using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open.

Working With Group Settings for Users
Group settings identify the groups a user is a member of. In Workgroup Manager, use the Groups tab in the user account window to work with group settings. See “Administering Group Accounts” on page 167 for information on administering groups.

Defining a User’s Primary Group
A primary group is the group to which a user belongs by default.

To open the account, click the Accounts button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Groups tab.
3 Click Add to open a drawer listing the groups defined in the directory domain you are working with.
Working With Home Settings for Users
Home settings describe a user’s home directory attributes. See “Administering Home Directories” on page 152 for information about using and setting up home directories.

Working With Mail Settings for Users
You can create a Mac OS X Server mail service account for a user by specifying mail settings for the user in the user’s account.

To open the account, click the Accounts button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Mail tab.
3 Select the Enabled button to enable the user to use mail service.
4 The Mail Server field contains the DNS name or IP address of the server to which the user’s mail should be routed.

Working With Print Settings for Users
Print settings associated with a user’s account define the ability of a user to print to accessible Mac OS X Server print queues for which print service enforces print quotas. “Enforcing Quotas for a Print Queue” on page 342 tells you how to set up quota-enforcing print queues.

To set up a quota that applies to all queues, go to step 3. Alternatively, to set up quotas for specific print queues, go to step 4.
3 Click “All Queues,” then specify the maximum number of pages the user should be able to print in a certain number of days for any print queue enforcing quotas.
4 Click “Per Queue,” then use the Queue Name pop-up menu to select the print queue for which you want to define a user quota.

Working With Managed Users
See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for information about how you can make a user a managed user, which lets you set up preferences for the user.

Defining a Guest User
You can set up some services to support “anonymous” users, who can’t be authenticated because they do not have a valid user name or password.

Disabling a User Account
To disable a user account, you can
• delete the account (see “Deleting a User Account” on page 151)
• change the user’s password to an unknown value (see “Defining Passwords” on page 142)

Administering Home Directories
A home directory is a folder for a user’s personal use. Mac OS X also uses the home directory, for example, to store system preferences and managed user settings for Mac OS X users.
Types of Home Directories
The following table contrasts local, network, and advanced home directories and tells you where to find out more about how to set them up.

Distributing Home Directories Across Multiple Servers
The following illustration depicts using one Mac OS X Server for storing user accounts and two other Mac OS X Servers for storing AFP home directories.

(Illustration: three Mac OS X Servers, one storing user accounts, one storing home directories A through M, and one storing home directories N through Z.)

When a user logs in, he or she is authenticated using an account stored in a shared directory domain on the accounts server.

When a user restarts his or her computer and logs in using the account in the shared domain, the home directory is created automatically on the appropriate server and is visible on the user’s computer.

Defining No Home Directory
You can use Workgroup Manager to avoid creating a home directory for a user whose account is stored in a NetInfo or LDAPv3 directory domain. By default, new users have no home directory.

Because of the way home directory disk quotas work, you may want to set up home directory share points on a partition different from other share points. See “Setting Disk Quotas” on page 166 for more information.
3 Using the Finder, create the folder you want to use as the share point if required.
4 In Workgroup Manager, click Sharing to set up the folder as an AFP share point. Use the All tab to select the folder.
You can use Workgroup Manager to define a network home directory for a user whose account is stored in a NetInfo or LDAPv3 directory domain or to review home directory information in any directory domain accessible from the server you are using.

To create an AFP network home directory using Workgroup Manager:
1 In Workgroup Manager, open the account in the shared directory domain you want to work with if it is not already open.

Use Workgroup Manager to enable guest access for the share point. Click the Protocols tab and make sure that “Apple File Settings,” “Share this item using AFP,” and “Allow AFP guest access” are selected.
6 Define the share point’s automounting settings. Click the Automount tab. On the pop-up menu, select the shared domain in which the user’s record resides, then click the lock to log in as domain administrator.

To create an NFS network home directory using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Accounts button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit the home directory information, click the lock to be authenticated, then select the user in the user list.

6 Define the share point’s automounting settings. Click the Automount tab. On the pop-up menu, select the shared domain in which the user’s record resides, then click the lock to log in as domain administrator. Select “Automount this item to clients in domain.” Select “Mount dynamically in /Network/Servers/” and “Use NFS Protocol.” Click Save.
7 Click Accounts, then select the user in the user list.
8 Click the Home tab, then select Network.
To create an advanced AFP home directory using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Accounts button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit the home directory information, click the lock to be authenticated, then select the user in the user list.

6 Define the share point’s automounting settings. Click the Automount tab. On the pop-up menu, select the shared domain in which the user’s record resides, then click the lock to log in as domain administrator. Select “Automount this item to clients in domain.” Select “Mount dynamically in /Network/Servers/” and “Use AFP.” Click Save.
7 Click Accounts, then select the user in the user list.
8 Click the Home tab, then select Advanced.

Defining an Advanced Home Directory for NFS Access
In Workgroup Manager, you can customize a user’s NFS home directory settings using the Advanced home directory option. You’ll want to customize home directory settings when
• You want the user’s home directory to reside in directories not immediately below the home directory share point. For example, you may want to organize home directories into several subdirectories within a share point.

Use the pop-up menus next to the fields to specify privileges. For the owner, select Read & Write. For Group and Everyone, select Read Only. Click Save.
5 Set up access to the share point. Click the Protocols tab. Leave the default Apple File Settings selected; it facilitates automatic home directory creation. Select “NFS Export Settings” from the pop-up list.

Using createhomedir to Create Home Directories
You can use the createhomedir command-line tool to create AFP or NFS home directories for one or more users on the server where you run the tool. Here are the parameters that createhomedir accepts.
LL0395.Book Page 166 Wednesday, November 20, 2002 11:44 AM Setting Disk Quotas You can limit the disk space a user can consume to store files he or she owns in the partition where his home directory resides. This quota does not apply to the home directory share point or to the home directory, but to the entire partition within which the home directory share point and the home directory reside.
Administering Group Accounts
This section describes how to administer group accounts stored in various kinds of directory domains.
Where Group Accounts Are Stored
Group accounts, as well as user accounts and computer accounts, can be stored in any Open Directory domain accessible from the Mac OS X computer that needs to access the account.
Creating Read-Write LDAPv3 Group Accounts
You can create a group account on a non-Apple LDAPv3 server if it has been configured for write access.
To create an LDAPv3 group account:
1 Ensure that the directory services of the Mac OS X Server you are using have been configured to use the LDAP server for group accounts.
Working With Read-Only Group Accounts
You can use Workgroup Manager to review information for group accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains, LDAPv3 domains not configured for write access, and BSD configuration files.
To add users to a group using Workgroup Manager:
1 In Workgroup Manager, open the group account you want to work with if it is not already open. To open the account, click the Accounts button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the group in the group list.
2 Click the Members tab.
• A short group name can contain as many as 255 Roman characters. However, for clients using Mac OS X version 10.1.5 and earlier, the short group name must be 8 characters or fewer.
2 In the Group ID field on the Members tab, review or edit the ID. Before saving a new group ID, Workgroup Manager checks to ensure that it is unique in the directory domain you are using.
Working With Folder Settings for Groups
You can set up a folder for use by members of a particular group.
5 In the Owner Name field, enter the name of the user you want to own the group folder so he or she can act as group folder administrator. The group folder owner will be given Read/Write access to the group folder. Click Users to choose an owner from a list of users in the current directory domain.
6 Click Save. The group folder and three folders in it (Library, Documents, and Public/Drop Box) will be created automatically overnight.
To set up an advanced group folder:
1 On the server where you want the group folder to reside, create a folder that will serve as the share point for the group folder.
2 In Workgroup Manager, connect with the server in step 1 and click the Sharing button.
3 Click the All tab, then navigate to and select the folder you created in step 1.
4 In the General tab, select “Share this item and its contents.”
5 Ignore the owner privileges for now.
If the server is remote, establish an SSH session. “Secure Shell (SSH) Command” on page 591 tells you how.
14 Type “sudo /usr/sbin/CreateGroupFolder.” Enter your password if prompted.
Set up access to the group folder for users who log in as a group member. There are several options. You can automate a group member’s access to the group folder when the user logs in:
• You can set up Dock preferences to make the group folder visible in the Dock.
Finding User and Group Accounts
In Workgroup Manager, user and group accounts are listed in tabs at the left side of the Workgroup Manager window. Workgroup Manager preferences affect the lists. Choose Preferences from the Workgroup Manager menu to control whether system users and groups are listed and the order in which items are listed. To work with one or more of the accounts listed, select them.
To list accounts in search path domains of the server you are working with:
1 In Workgroup Manager, log in to a server whose search policy contains the directory domains of interest.
2 Choose Search Path from the At pop-up menu. User accounts residing in all directory domains in the search path are listed in the user tab, and group accounts are listed in the group tab.
3 To work with a particular account, select it.
Finding Specific Users and Groups in a List
After you have displayed a list of users or groups in Workgroup Manager, you can filter the list to find particular users or groups of interest.
To filter items in the list of accounts:
1 After listing accounts, select the user or group tab.
2 In the pop-up menu above the account list, select an option to describe what you want to find.
Using Presets
Presets are Workgroup Manager account templates. They let you set up initial attributes for new accounts you create using Workgroup Manager. Presets can be used only during account creation. If you change a preset after it has been used to create an account, accounts already created using the preset are not updated to reflect those changes.
Using Presets to Create New Accounts
To create a new account using a preset:
1 Open Workgroup Manager on a server configured to access the Mac OS X directory domain or non-Apple LDAPv3 directory domain in which the preset will be used to create the new account.
2 Click the Accounts button.
3 Use the At pop-up menu to open the directory domain in which you want the new account to reside.
To change a preset:
1 Open Workgroup Manager on the server where the preset has been defined.
2 Click the Accounts button.
3 From the Presets pop-up menu, choose the preset you want to change.
4 After completing your changes, choose Save Preset from the Presets pop-up menu.
You can also change a preset while using it to create a new account by changing any of the fields defined by the preset, then saving the preset.
This section describes how to prepare files for importing and how to conduct import and export operations using Workgroup Manager and dsimportexport.
Understanding What You Can Import
The user and group account attributes you can import vary with the kind of import file:
• XML files created with Mac OS X Server 10.1 or earlier (see page 189)
• XML files created with AppleShare IP 6.
6 Select one of the Duplicate Handling options to indicate what to do when the short name of an account being imported matches that of an existing account. “Overwrite existing record” replaces the existing record in the directory domain with the record from the import file. “Ignore new record” skips the account in the import file and leaves the existing record untouched. “Add to empty fields” merges data from the import file into the existing account, but only for attributes that currently have no value; attributes that already have a value are left alone.
Using Workgroup Manager to Export Users and Groups
You can use Workgroup Manager to export user and group accounts from a NetInfo or LDAPv3 directory domain into a character-delimited file that you can import into a different NetInfo or LDAPv3 directory domain.
-p imports accounts from an XML file formatted as “Using XML Files Created With AppleShare IP 6.3” on page 190 describes.
file names the file from which you want to import accounts, including the path to the file. For example, “/tmp/Import1”. Because an import file can carry account passwords (the Password field of a StandardUserRecord, for example), keep it readable only by the administrator and delete it once the import is done.
directoryDomain is the full path to the NetInfo or LDAPv3 directory domain into which you want to import the accounts. For a NetInfo domain, you might type “NetInfo/root/someDomain”.
-s startingUID specifies the starting UID to use when importing from an ASIP XML file or a character-delimited file that contains new user accounts with no UIDs specified. You can omit this argument if all the accounts in the import file contain UIDs, but use it if some or all of the accounts do not contain UIDs. For example, -s 559 assigns UIDs to imported users starting at 559 and incrementing by one for each new user. Choose a starting value above every UID already in use in the domain; two accounts that share a UID are the same owner as far as file permissions are concerned.
-y ipAddress is the IP address of a remote Mac OS X Server from which the directory domain is visible.
-V adds the version number of dsimportexport to the log file.
-h displays usage information for dsimportexport.
-err displays error information.
Using dsimportexport to Export Users and Groups
You can use dsimportexport to export user and group accounts from NetInfo or LDAPv3 directory domains into a character-delimited file that you can import into a different Mac OS X or non-Apple LDAPv3 directory domain. Here are the parameters that dsimportexport accepts when exporting user and group accounts.
-yrpwd password is the password for logging in to a remote Mac OS X Server identified in the -y parameter. A password given on the command line is visible to other users of that computer in the process list and may be saved in the shell history, so prefer running dsimportexport on the server itself, or use this option only from a trusted console session.
-y ipAddress is the IP address of a remote Mac OS X Server from which the directory domain is visible.
-V adds the version number of dsimportexport to the log file.
-h displays usage information for dsimportexport.
-err displays error information.
• Apple mail data
• ara (Apple Remote Access; this data is ignored)
The following group account attributes might be present in these XML files:
• other members’ short names
Using XML Files Created With AppleShare IP 6.3
You can use the Web & File Admin application to create an export file on an AppleShare IP 6.
Using Character-Delimited Files
You can create a character-delimited file by using Workgroup Manager or dsimportexport to export accounts in NetInfo or LDAPv3 directory domains into a file. You can also create a character-delimited file by hand or by using a database or spreadsheet application. The first record in the file must characterize the format of each account in the file. There are three options:
• Write a full record description.
Using the StandardUserRecord Shorthand
When the first record in a character-delimited import file contains “StandardUserRecord,” the record description assumed is
0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Users 7 RecordName Password UniqueID PrimaryGroupID RealName NFSHomeDirectory UserShell
That is, each record ends with a newline (0x0A), backslash (0x5C) is the escape character, colon (0x3A) separates fields, comma (0x2C) separates multiple values of one attribute, and every record carries these seven attributes in this order. An example user account looks like this:
jim:Adl47E$:408:20:J. Smith, Jr., M.D.
Note that commas inside a single value, such as those in this RealName, are value separators and must be escaped with the 0x5C escape character in the file, or the name will be read as three values.
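The parser and dry run below are an added example, not Apple’s dsimportexport and not code from this guide. It reads a StandardUserRecord file using the header above (record end, escape, field and value separators, then the attribute list), applies the -s startingUID rule to records that carry no UID, and applies the three Duplicate Handling options keyed on short name, reporting what an import would do before anything is written to a directory domain. It assumes the record-end character is a newline, as the 0x0A in the header specifies. The three account records, the picture of what already exists in the domain, and the two extra checks (refusing a record that claims UID 0, warning when an imported UID collides with another account) are this example’s own constructions, not rules stated by the guide.

```python
"""Dry-run parser for a character-delimited account import file in the
StandardUserRecord layout.  Added example; not Apple's dsimportexport.
Assumes the record-end character is a newline (0x0A, as in the header)."""

STANDARD_USER_HEADER = (
    "0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Users 7 RecordName Password "
    "UniqueID PrimaryGroupID RealName NFSHomeDirectory UserShell"
)

# Constructed records.  Commas inside RealName are escaped with the 0x5C
# escape character; 'anna' has two short names and no UID; 'bob' is a
# hostile record that tries to claim UID 0 (root).
SAMPLE_FILE = STANDARD_USER_HEADER + "\n" + "\n".join([
    "jim:Adl47E$:408:20:J. Smith\\, Jr.\\, M.D.:/Network/Servers/somemac/Homes/jim:/bin/csh",
    "anna,annak:*::20:Anna K:/Network/Servers/somemac/Homes/anna:/bin/tcsh",
    "bob:*:0:20:Bob:/Network/Servers/somemac/Homes/bob:/bin/tcsh",
]) + "\n"

# Constructed stand-in for the accounts already in the directory domain.
EXISTING = {
    "jim": {"RecordName": ["jim"], "Password": ["*"], "UniqueID": ["408"],
            "PrimaryGroupID": ["20"], "RealName": [""], "NFSHomeDirectory": [""],
            "UserShell": ["/bin/tcsh"]},
}


def parse_header(line):
    """First record: record-end, escape, field separator, value separator
    (all hex), then record type, attribute count and attribute names."""
    parts = line.split()
    rec_end, esc, fsep, vsep = (chr(int(p, 16)) for p in parts[:4])
    rec_type, count, attrs = parts[4], int(parts[5]), parts[6:]
    if len(attrs) != count:
        raise ValueError("header declares %d attributes but lists %d" % (count, len(attrs)))
    return rec_end, esc, fsep, vsep, rec_type, attrs


def split_escaped(text, sep, esc, unescape):
    """Split text on sep, honouring esc.  With unescape=False the escape pairs
    are kept intact so a later split on the value separator still sees them."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == esc and i + 1 < len(text):
            if not unescape:
                cur.append(ch)
            cur.append(text[i + 1])
            i += 2
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    parts.append("".join(cur))
    return parts


def parse_import_file(text):
    """Return (record type, list of {attribute: [values]})."""
    header, _, body = text.partition("\n")
    rec_end, esc, fsep, vsep, rec_type, attrs = parse_header(header)
    records = []
    for raw in body.split(rec_end):
        if not raw.strip():
            continue
        fields = split_escaped(raw, fsep, esc, unescape=False)
        if len(fields) != len(attrs):
            raise ValueError("record %r has %d fields, expected %d" % (raw, len(fields), len(attrs)))
        records.append({a: split_escaped(f, vsep, esc, unescape=True) for a, f in zip(attrs, fields)})
    return rec_type, records


def plan_import(records, existing, starting_uid=None, duplicates="ignore"):
    """Decide what an import would do without touching any directory.
    duplicates is 'overwrite', 'ignore' or 'merge' (the "Add to empty fields"
    option).  Returns (actions, warnings)."""
    actions, warnings = [], []
    uid_owner = {acct["UniqueID"][0]: name for name, acct in existing.items()}
    next_uid = starting_uid
    for rec in records:
        short = rec["RecordName"][0]
        if not rec["UniqueID"][0]:                 # no UID: take the next one from -s
            if next_uid is None:
                raise ValueError("%s has no UID and no starting UID was given" % short)
            rec["UniqueID"] = [str(next_uid)]
            next_uid += 1
        uid = rec["UniqueID"][0]
        if uid == "0":                             # this example's rule: never import root
            warnings.append("%s would be UID 0 (root); rejected" % short)
            actions.append(("reject", short))
            continue
        if uid in uid_owner and uid_owner[uid] != short:
            warnings.append("%s shares UID %s with %s" % (short, uid, uid_owner[uid]))
        uid_owner.setdefault(uid, short)
        if short not in existing:
            actions.append(("create", short))
        elif duplicates == "overwrite":
            actions.append(("overwrite", short))
        elif duplicates == "ignore":
            actions.append(("skip", short))
        elif duplicates == "merge":                # fill only attributes that are empty today
            filled = sorted(a for a, v in rec.items()
                            if any(v) and not any(existing[short].get(a, [""])))
            actions.append(("merge", short, filled))
        else:
            raise ValueError("unknown duplicate handling %r" % duplicates)
    return actions, warnings


def run_sample():
    rec_type, records = parse_import_file(SAMPLE_FILE)
    actions, warnings = plan_import(records, EXISTING, starting_uid=559, duplicates="merge")
    return rec_type, records, actions, warnings


if __name__ == "__main__":
    _, _, actions, warnings = run_sample()
    print(actions)
    print(warnings)
```

Running the sample merges jim (filling only RealName and NFSHomeDirectory, which are empty in the existing record), creates anna with UID 559, and rejects bob; the warning list is what you would review before running the real import.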
• Using LDAP bind authentication with a non-Apple LDAPv3 directory server.
[Illustration: clients needing password validation, such as login window and the AFP server, call Mac OS X directory services. The password provided can be validated using the value stored in the user account, or using a value stored on another server on the network (a Password Server, a Kerberos server, or an LDAP directory server).]
Contrasting Password Validation Options
Here are the pros and cons of the options for validating a user’s password:
• Storing a password in the user’s account. This approach, referred to as the “basic” password validation strategy, is the default strategy. It is the simplest and fastest strategy, since it does not depend on another infrastructure for password validation.
See “Using a Password Server” on page 200 for details about this strategy.
• Using a Kerberos server. This option is not supported by all services but offers the opportunity to integrate into existing Kerberos environments. As in the case of the Password Server, if the Kerberos server is unavailable, users whose passwords are verified using it are unable to use your server. See “Using Kerberos” on page 205 for details about this strategy.
• A zero-length password is not recommended: it offers no protection, and Password Server and some systems (such as LDAP bind) do not support one. For maximum compatibility with computers and services your users might use, use ASCII passwords.
Using Authentication Manager
Authentication Manager, available since Mac OS X Server version 10.
Authentication Manager may be of interest if you are using it on a version 10.1 server that you want to upgrade to version 10.2 or if you need to support AFP clients prior to version 3.8.3. See “Using Authentication Manager” on page 197 for more information.
Local Windows hash provides SMB authentication support for a local NetInfo domain. It is intended for Windows personal file sharing, but can also be used on your server.
Enabling Basic Password Validation for a User
Basic password validation is the simplest form of password validation. It relies on a hashed copy of the user’s password stored in the user account; anyone who can read the directory domain can retrieve that value and attack it offline, so only the password’s strength protects it. Only the first 8 characters of the password are used for validation; any characters after the eighth are ignored.
A very effective way to thwart password guessing is to use good passwords. A password should contain letters, numbers, and symbols in combinations that won’t be easily guessed by unauthorized users. Passwords should not consist of actual words. Good passwords might include digits and symbols (such as # or $). Or they might consist of the first letter of all the words in a particular phrase. Use both uppercase and lowercase letters. Because Basic validation uses only the first 8 characters, make sure that mixture occurs within those 8 characters; anything after them adds no strength.
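The checker below is an added example, not part of the guide, that turns the advice in this section and the two caveats before it (no zero-length passwords, prefer ASCII, and only the first 8 characters count under Basic validation) into a test you can run against a proposed password. It scores only the characters that the selected validation strategy actually uses, so a long password whose first 8 characters are a dictionary word is flagged under Basic even though the whole string looks strong. The word list is a constructed stand-in for a real dictionary, and the requirement of at least three character classes is this example’s threshold, not a number from the guide.

```python
"""Password check that evaluates only the characters the validation
strategy uses.  Added example; the word list and the three-class threshold
are this example's assumptions, not rules from the guide."""

import string

BASIC_SIGNIFICANT_CHARS = 8     # Basic validation ignores characters past the 8th

# Constructed stand-in for a real dictionary.
DICTIONARY = {"password", "welcome", "letmein", "macintosh", "apple", "server"}


def basic_equivalent(first, second):
    """True when Basic validation cannot tell the two passwords apart."""
    return first[:BASIC_SIGNIFICANT_CHARS] == second[:BASIC_SIGNIFICANT_CHARS]


def significant_part(password, password_type):
    """The part of the password the strategy actually checks."""
    if password_type == "Basic":
        return password[:BASIC_SIGNIFICANT_CHARS]
    return password


def check_password(password, password_type="Basic"):
    """Return a list of problems; an empty list means the password passes."""
    if password == "":
        return ["zero-length password: no protection, and Password Server and LDAP bind reject it"]
    problems = []
    if any(ord(c) > 127 for c in password):
        problems.append("non-ASCII characters may not work from every client or service")

    sig = significant_part(password, password_type)
    classes = {
        "lowercase": any(c in string.ascii_lowercase for c in sig),
        "uppercase": any(c in string.ascii_uppercase for c in sig),
        "digits": any(c in string.digits for c in sig),
        "symbols": any(c in string.punctuation for c in sig),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:    # fewer than three of the four classes present
        problems.append("the %d significant characters lack %s" % (len(sig), ", ".join(missing)))

    letters_only = "".join(c for c in sig if c.isalpha()).lower()
    if sig.lower() in DICTIONARY or letters_only in DICTIONARY:
        problems.append("the significant characters are a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("", "password123!", "Tr0ub4d0rExtra", "Ab1#xyz"):
        print(repr(candidate), check_password(candidate))
```

Under Basic, "password123!" fails twice (its first 8 characters are a single lowercase word), while the same string checked as a Password Server password only trips the dictionary test; basic_equivalent shows why two passwords that differ only after the eighth character are interchangeable to a Basic login.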
• The password, stored in recoverable or hashed form. The form depends on the network authentication protocols enabled for the Password Server (using Open Directory Assistant). If APOP is enabled, the Password Server stores a recoverable (encrypted) password. Otherwise, only hashes of the passwords are stored. Because a recoverable password can be turned back into cleartext by anyone who obtains the Password Server database and its key, enable APOP only if you actually have mail clients that need it.
• Data about the user that is useful for Server Status logging, such as the short name.
• Password policy data.
4 On the Advanced tab, choose “Password Server” from the “User Password Type” pop-up menu if it is not already selected.
5 If the user’s password is currently being validated using a different strategy, you will be prompted to enter and verify a new password. If you are working with a new user, enter the password on the Basic tab in the Password field, then reenter it in the Verify field.
5 On the Advanced tab, click Options to set up the user’s password policy. If you select the “Disable login as of” option, enter a date in mm/dd/yyyy format; for example, 02/22/2004. Click OK when you are finished specifying options.
If you use a policy that requires user password changing, remember that not all protocols support changing passwords.
3 Select the user in the list.
4 On the Advanced tab, choose Basic from the “User Password Type” pop-up menu. You will be prompted to enter and verify a new password.
5 Click Save.
6 Repeat steps 3 through 5 for other users in the domain as required.
7 If the Password Server you want to discontinue using is used to validate passwords of users in other domains, repeat steps 1 through 6 for each additional domain.
Using Kerberos
If you already use Kerberos to authenticate users, you can use Kerberos to validate passwords for the following services of Mac OS X Server version 10.2 and later:
• Login window
• Mail service
• FTP
• AFP server and client
These services have been “Kerberized.” Only services that have been Kerberized can use Kerberos to validate a user.
The following illustration summarizes these activities. Note that the service and the client in this picture may be the same entity (such as login window) or two different entities (such as a mail client and the mail server).
[Illustration: six numbered exchanges among the client, the Kerberized service, and the Key Distribution Center (KDC).]
1 The client authenticates to a Kerberos Key Distribution Center (KDC), which interacts with realms to access authentication data.
2 Create user accounts for each of the same users in directory domains accessible from Mac OS X computers on which Kerberized services will be used. Set the password type to Basic, and specify passwords that will never be used to authenticate the users. Services that have not been Kerberized still validate against this Basic password, so give each account a long random value rather than a shared placeholder.
Enabling Kerberos Authentication for FTP
Use Server Settings to enable FTP server support for Kerberos. See Chapter 5, “File Services,” for details.
Enabling Kerberos Authentication for Login Window
Use this procedure on each Mac OS X client computer you want to use Kerberos at login:
To set up Kerberos login authentication:
1 Place the edu.mit.Kerberos configuration file in /Library/Preferences/.
To enable LDAP bind user authentication using Workgroup Manager:
1 Make sure the account for a user whose password you want to validate using LDAP bind resides on an LDAPv3 server in the search path of the Mac OS X computer that needs to validate the password. See Chapter 2, “Directory Services,” for information about configuring LDAPv3 server connections.
Supporting Client Computers
Validating Windows User Passwords
See “Providing Secure Authentication for Windows Users” on page 197.
Setting Up Search Policies on Mac OS X Client Computers
Mac OS X client computer search policies must be set up so that accounts and shared resources (such as network file servers and printers) are visible from the Mac OS X computer.
• You can make other users Password Server administrators after setting up a Password Server. Make sure they have an account in the directory domain associated with the Password Server. Make them domain administrators for the directory domain, and make sure their passwords are validated using the Password Server.
You Can’t Assign Server Administrator Privileges
In order to assign server administrator privileges to a user for a particular server, first log in to that server in Workgroup Manager.
• Refer to the KDC log (kdc.log) for information that can help you solve problems. Incorrect setup information such as wrong configuration file names can be detected using the logs.
• Make sure all your configuration files are complete and correct. For example, make sure the keytab file on your server has the principals of interest in it.
Chapter 4
Sharing
The Sharing module of Workgroup Manager lets you share information with clients of the Mac OS X Server and control access to shared information by assigning access privileges. You share information by designating share points. A share point is a folder, hard disk (or hard disk partition), or CD that you make accessible over the network. It’s the point of access at the top level of a group of shared items.
Note: QuickTime Streaming Server and WebDAV have their own privileges settings. For information about QTSS, refer to the QTSS online help and the QuickTime Web site (www.apple.com/quicktime/products/qtss/). You’ll find information on Web privileges in “Understanding WebDAV” on page 359.
Explicit Privileges
Share points and the shared items contained in share points (including both folders and files) have their own individual privileges.
Everyone
Everyone is any user who can log in to the file server: registered users, guests, anonymous FTP users, and Web site visitors.
Privileges Hierarchy
If a user is included in more than one category of users, each of which has different privileges, these rules apply:
• Group privileges override Everyone privileges.
• Owner privileges override Group privileges.
The most specific category that applies to the user decides, even when it grants less: an owner whose Owner privilege is None gets no access to the item, whatever its Group and Everyone settings allow.
Share Points in the Network Globe
The Network globe on Mac OS X clients represents the Darwin /Network directory. By default, the Network globe contains the following four folders:
• Applications
• Library
• Servers
• Users
You can mount share points into any of these folders. See “Automounting Share Points” on page 225 for instructions.
Static Versus Dynamic Linking
Share points can be automounted statically or dynamically.
Step 1: Read “Before You Begin”
Read “Before You Begin” on page 219 for issues you should consider before sharing information on your network.
Step 2: Locate or create the information you want to share
Decide which volumes, partitions, folders, and CDs you want to share. You may want to move some folders and files to different locations before setting up sharing.
Conversely, you might want to set up share points using a single protocol even though you have different kinds of clients. For example, if almost all of your clients are UNIX users and just a couple are Mac OS clients, you may want to share items using only NFS in order to keep your setup simple. Bear in mind that NFS does not give you the authenticated connection that AFP does (see “Resharing NFS Mounts as AFP Share Points”), so the simpler setup also means weaker control over who reads the exported items.
• Set privileges for Everyone to None for files and folders that guest users should not access. Items with this privilege setting can be accessed only by the item’s owner or group.
• Put all files available to guests in one folder or set of folders. Assign the Read Only privilege to the Everyone category for that folder and each file within it.
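The following is an added example, not code from the guide or from Apple, that applies the Privileges Hierarchy rules (Owner overrides Group, Group overrides Everyone, and Everyone includes guests) to a small share point inventory so you can audit what a guest would see. The inventory is constructed: it includes a folder whose Everyone privilege is None, a drop box (Everyone Write Only), and an item whose owner has deliberately been given None while the group has Read Only, which is the case where the hierarchy gives a less obvious answer. The helper names are this example’s own.

```python
"""Effective access under the Sharing module's privilege hierarchy.
Added example, not Apple's code; the share point inventory is constructed."""

NONE, READ_ONLY, WRITE_ONLY, READ_WRITE = "None", "Read Only", "Write Only", "Read & Write"

# Constructed inventory of shared items and their privilege settings.
SHARE_POINTS = [
    {"path": "/Shared/Public", "owner": "admin", "group": "staff",
     "owner_priv": READ_WRITE, "group_priv": READ_ONLY, "everyone_priv": READ_ONLY},
    {"path": "/Shared/Drop Box", "owner": "admin", "group": "staff",
     "owner_priv": READ_WRITE, "group_priv": READ_WRITE, "everyone_priv": WRITE_ONLY},
    {"path": "/Shared/Payroll", "owner": "cfo", "group": "finance",
     "owner_priv": READ_WRITE, "group_priv": READ_WRITE, "everyone_priv": NONE},
    {"path": "/Shared/Archive", "owner": "archivist", "group": "staff",
     "owner_priv": NONE, "group_priv": READ_ONLY, "everyone_priv": NONE},
]

GUEST = None    # a guest has no account name and belongs to no group


def effective_privilege(item, user, groups=()):
    """Owner wins over Group, Group wins over Everyone; the most specific
    category that matches the user decides, even when it grants less."""
    if user is not None and user == item["owner"]:
        return item["owner_priv"]
    if item["group"] in groups:
        return item["group_priv"]
    return item["everyone_priv"]


def can_read(priv):
    return priv in (READ_ONLY, READ_WRITE)


def can_write(priv):
    return priv in (WRITE_ONLY, READ_WRITE)


def guest_exposure(items):
    """Paths a guest can read, and paths a guest can write into (drop boxes)."""
    readable = [i["path"] for i in items if can_read(effective_privilege(i, GUEST))]
    writable = [i["path"] for i in items if can_write(effective_privilege(i, GUEST))]
    return readable, writable


def access_report(items, user, groups=()):
    """Effective privilege of one user on every item, for review."""
    return {i["path"]: effective_privilege(i, user, groups) for i in items}


if __name__ == "__main__":
    print("guest can read:", guest_exposure(SHARE_POINTS)[0])
    print("guest can write:", guest_exposure(SHARE_POINTS)[1])
    print(access_report(SHARE_POINTS, "archivist", ("staff",)))
```

The report for archivist shows the edge case: although every other staff member can read /Shared/Archive, the owner gets None because the Owner setting is consulted first and wins. guest_exposure is the check to run after applying the two guest guidelines above; anything listed as readable that should not be needs its Everyone privilege set to None.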
3 Click the General tab.
4 Select “Share this item and its contents.” Change the owner and group of the shared item by typing names into those fields or by dragging names from the Users & Groups drawer. You can open the drawer by clicking “Users & Groups.” User and group lists are automatically refreshed at the rate specified in the Workgroup Manager preferences.
7 Choose a default permissions option for new files and folders. Select “Use Standard UNIX behavior” if you want new or copied items to retain their original privileges and inherit the user and group ID of the user that created or copied the item. Select “Inherit permissions from parent” if you want new or copied items to have the same access privileges as the enclosing item. Note: Do not use this option with share points used as home directories.
4 Select the “Share this item using FTP” option.
5 Select “Allow FTP guest access” to allow FTP users with guest access to use this item. For greater security, do not select this item.
6 Enter a name in the “Custom FTP name” field if you want the share point to appear with a name different from its real one.
7 Click Save.
Sharing (Exporting) Items Using Network File System (NFS)
You can export share points to UNIX clients using NFS.
Automounting Share Points
You can mount share points automatically on client computers using automounts. You can set up an automount to mount statically or dynamically. A static automount is mounted on a client computer at the time the computer starts up, in the directory you specify. A dynamic automount is made available through the client’s /Network/Servers directory, but is not actually mounted on the client computer until the user opens it.
Resharing NFS Mounts as AFP Share Points
Resharing NFS mounts (NFS volumes that have been exported to the Mac OS X Server) as AFP share points allows clients to access NFS volumes using the secure authentication of an AFP connection. Resharing NFS mounts also allows Mac OS 9 clients to access NFS file services on traditional UNIX networks.
name: server:/test/lab1
vfstype: nfs
dir: /nfs_reshares/myshare
Click the lock when finished. In the Confirm Changes dialog box, click Update this copy to save your changes.
6 Restart the computer to enable the static mount.
Browsing Server Disks
You can view the folders (but not files) located on servers using the Sharing module of Workgroup Manager.
To browse the folders on a share point or server:
1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab to browse the folders of shared items, or click the All tab to browse all the folders on the local server.
4 Click the Protocols tab and use the pop-up menu to see the protocol settings for the item.
5 Click the Automount tab to see the automount settings.
Changing Share Point Owner and Privilege Settings
You use Workgroup Manager to view and change the owner and privileges for a share point.
To change privileges for a share point:
1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab and select the NFS export (share point) you want to change.
3 Click the Protocols tab and choose NFS Export Settings from the pop-up menu.
4 Select an IP address from the list and click Remove.
5 Click Save.
Creating a Drop Box
A drop box is a shared folder to which others can copy files, but cannot view the drop box contents. Note: You should create drop boxes only within AFP share points.
Alternatively, you can choose View Directories from the Server menu.
2 Use a root user name and password to log in. If you are not logged in as a root user, you cannot make changes using Workgroup Manager.
If possible, you should upgrade servers on your network to use Mac OS X Server version 10.2 or later.
Chapter 5
File Services
File services enable clients of the Mac OS X Server to access files, applications, and other resources over a network. Mac OS X Server includes four distinct file services:
• Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources with clients who use Macintosh or Macintosh-compatible operating systems.
You must configure and turn on file services in order for clients to be able to access shared information (the volumes and folders that you designate as share points) as described in Chapter 4, “Sharing.” You must also turn on Windows services if you want to share network printers using Windows Printing (SMB). Print service is described in Chapter 7, “Print Service,” on page 335.
Client Computer Requirements
For information on client computer requirements, see “Supporting Client Computers” on page 272.
Setup Overview
Here is an overview of the basic steps for setting up file services.
Step 1: Read “Before You Begin”
Read “Before You Begin” on page 233 for issues you should consider before setting up file services.
Apple File Service
Apple file service allows Macintosh client users to connect to your server and access folders and files as if they were located on the user’s own computer. If you are familiar with AppleShare IP 6.3, you will find that Apple file service in Mac OS X Server functions in the same way. It uses a new version of the Apple Filing Protocol (AFP), version 3.1, which supports new features such as Unicode file names and 64-bit file sizes.
The name you enter here must be unique among all computers connected to the network. If you leave this field blank, the server will register itself on the network using its IP address, and the server’s DNS name will show in this field.
5 Select “Start Apple File Service on system startup” to ensure that file services will be available if the server is restarted after a power failure or other unexpected event.
2 Click Apple and choose Configure Apple File Service.
3 Click the Access tab.
4 Choose the authentication method you want to use: Standard, Kerberos, or Any Method. For information about Kerberos authentication, see “Kerberos Authentication” on page 236.
5 Select “Enable Guest access” if you want to allow unregistered users to access the file server.
3 Click the Logging tab.
4 Select “Enable Access log” if you want to create an access log. The access log stores information about any of the events you select.
5 Select “Archive every __ days” and type the number of days to specify how often the log file contents are saved to an archive. The server closes the log at the end of each archive period, renames the log to include the current date, and then opens a new log file.
Although the server disconnects clients when they become idle or go to sleep, the clients’ sessions are maintained for the specified period. When a user resumes work within that time, the client is reconnected with no apparent interruption. If a longer period elapses, open files are closed and any unsaved work is lost.
Managing Apple File Service
This section tells you how to perform day-to-day management tasks for Apple file service once you have it up and running.
Viewing Apple File Service Status
You use Server Status to check the status of all Mac OS X Server devices and services.
Stopping Apple File Service
Important: When you stop Apple file service, connected users may lose unsaved changes in open files.
To stop Apple file service:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Stop Apple File Service.
3 Enter the length of time you want to wait before file service stops.
Enable Browsing With Network Service Location
You can register your Apple file server with Network Service Location (NSL) to allow users to find the server by browsing through available servers. Otherwise, users must type the server’s host name or IP address.
To register with NSL:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
6 Click Save.
Turning On Access Logs for Apple File Service
The access log can record any time a user logs in or out, opens a file, creates a file or folder, or deletes a file or folder.
To turn on access logs:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Logging tab and select “Enable access log.”
4 Select the events that you want Apple file service to log.
You can keep the archived logs for your records or delete them to free disk space when they are no longer needed. The default setting is 7 days.
7 Click Save.
You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 594.
Disconnecting a User From the Apple File Server
You use Server Status to disconnect users from the Apple file server.
Allowing Guest Access to the Apple File Server
Guests are users who can see information on your server without using a name or password to log in. For better security, do not allow guest access.
To enable guest access:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Access tab and select “Enable Guest access.”
Windows Services
Windows services in Mac OS X Server provide four native services to Windows clients.
In addition, you can improve the user experience by following these guidelines:
• Use comparable versions of application software on both platforms.
• Modify files only with the application they were created in.
• Limit Windows file names to 31 characters (the limit for Mac OS 8 and Mac OS 9 clients).
• Don’t use symbols or characters with accents in the names of shared items.
Configuring Windows Services General Settings
You use the General pane to set identifying information about your Windows server and to enable automatic startup.
To configure Windows General settings:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the General tab.
4 In the Server Name field, type the server name you want users to see when they connect.
2 Click Windows and choose Configure Windows Services.
3 Click the Access tab.
4 Select “Allow Guest access” only if you want to allow people who are not registered users to use Windows file sharing. This is a convenient way to provide occasional users with access to files and other items for which the appropriate privileges have been set. For better security, do not select this option.
Events logged                                                          None  Minimal  Verbose
When browser name registration occurs                                  No    Yes      Yes
Access events (each time a file is opened, modified, read, and so on)  No    No       Yes
You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 594.
Managing Windows Services
This section tells you how to perform day-to-day management tasks for Windows services once you have the services up and running.
Stopping Windows Services
Important: When you stop Windows services, connected users will lose any information they haven’t saved.
To stop Windows services:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Stop Windows Services.
Checking Windows Services Status
You use Server Status to check the status of all Mac OS X Server devices and services.
To view Windows services status:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select Windows in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click Windows and choose Configure Windows Services.
3 Click the Neighborhood tab, then select Master Browser or Domain Master Browser. Select Master Browser to let clients browse for and locate servers in a single subnet. Select Domain Master Browser to let clients browse for and locate servers across your network (subnets).
4 Click Save.
3 Click the Connections tab and select the user you want to disconnect.
4 Click the Disconnect button.
Allowing Guest Access in Windows Services
Guests are users who can see information on your server without using a name or password to log in. For better security, do not allow guest access.
To enable guest access to the server:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
Secure FTP Environment
Most FTP servers provide a restricted directory environment that confines FTP users to a specific area within a server. Users can see directories and data only in this area, so the server is kept quite secure. Users cannot access volumes mounted outside this restricted area. Symbolic links and aliases don’t reach across the boundaries set within the server.
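The boundary described above can be illustrated with a small path-confinement check. The code below is an added example written for this edit; it is not part of Apple’s guide and not the FTP server’s own implementation. It resolves a client-supplied path against a restricted root, following symbolic links first, and refuses any result that lands outside the root, so a link placed inside the area cannot reach across it. The directory layout it builds (an `ftproot` folder with an `uploads` subfolder and a file outside the root) is constructed under a temporary directory purely for the demonstration.

```python
import os
import tempfile


def resolve_within_root(ftp_root, requested):
    """Resolve a client-supplied path against ftp_root.

    Returns the real filesystem path if it stays inside ftp_root, or None if
    the request (after following symlinks and '..' components) would leave
    the restricted area.
    """
    root = os.path.realpath(ftp_root)
    # Treat the client path as relative to the FTP root even if it starts with "/".
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:
        # Paths on different drives (Windows) can never share a root.
        return None
    return candidate


def demo():
    """Build a constructed FTP root with one in-bounds file, one symlink that
    points outside the root and a '..' traversal; return which requests pass."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "ftproot")
    os.makedirs(os.path.join(root, "uploads"))
    outside = os.path.join(base, "outside.txt")  # constructed file outside the root
    with open(outside, "w") as f:
        f.write("not reachable through the restricted area\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("hello\n")
    # A symbolic link inside the restricted area that targets the outside file.
    os.symlink(outside, os.path.join(root, "uploads", "escape"))

    requests = ["readme.txt", "/uploads/escape", "../outside.txt", "uploads/../readme.txt"]
    return {r: resolve_within_root(root, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print("%-22s %s" % (request, "allowed" if allowed else "refused"))
```

`readme.txt` and `uploads/../readme.txt` resolve inside the root and are allowed; the symlink `uploads/escape` and the `../outside.txt` traversal both resolve outside it and are refused.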
FTP Root and Share Points
The “FTP Root and Share Points” user environment gives access—for both real and anonymous users—to the FTP root and any FTP share points to which the users have access privileges, as shown in the following figure.
Home Directory With Share Points
When the user environment option is set to “Home Directory with Share Points,” real users log in to their home directories and have access to the FTP root by means of a symbolic link automatically created in their home directories. Users access other FTP share points through symbolic links in the FTP root. As always, access to the FTP share points is controlled by user access privileges.
Home Directory Only
In the Restricted user environment, real users are confined to their home directories and do not have access to the FTP root or other FTP share points, as shown in the following illustration.
The table below shows common file extensions and the type of compression they designate.
File extension  What it means
.gz             DEFLATE compression
.Z              UNIX compress
.bin            MacBinary encoding
.tar            UNIX tar archive
.tZ             UNIX compressed tar archive
.tar.Z          UNIX compressed tar archive
.crc            UNIX checksum file
.dmg            Mac OS X disk image
Custom FTP Root
For increased security, Mac OS X Server lets you create a custom FTP root.
Restrictions on Anonymous FTP Users (Guests)
Enabling anonymous FTP poses a security risk to your server and data because you open your server to users that you do not know. The access privileges you set for the files and folders on your server are the most important way you can keep information secure. Anonymous FTP users are only allowed to upload files into a special directory named “uploads” in the FTP root.
Step 6: Create an “uploads” folder for FTP users (optional)
If you enabled anonymous access in Step 2, you may want to create a folder for anonymous users to upload files. The folder must be named “uploads.” It is not a share point, but must have appropriate access privileges. See “Creating an Uploads Folder for Anonymous Users” on page 266.
Configuring FTP Access Settings
The Access settings let you specify the number of real and anonymous users.
To configure the FTP Access settings:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Access tab.
4 Enter a value in the “Allow a maximum of __ real users” field to set the maximum number of registered users who can connect to your server at the same time.
6 Click Save.
Configuring FTP Advanced Settings
The Advanced settings allow you to specify a custom FTP root. A custom FTP root creates a higher level of security by isolating the files accessible through FTP from the main directory of the server.
To configure the FTP Advanced settings:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
Setting Up Anonymous FTP Service
You can allow guests to log in to your FTP server with the user name “ftp” or “anonymous.” They do not need a password to log in, but they will be prompted to enter their email addresses. For better security, do not enable anonymous access.
To set up anonymous FTP service:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Access tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
4 Choose the type of user environment you want to provide. The “FTP Root and Share Points” environment sets up the Users directory as a share point. Real users log in to their home directories, if they are available within the restricted environment. Both real and anonymous users can see other users’ home directories in a share point.
Displaying Banner and Welcome Messages to Users
FTP service in Mac OS X Server allows you to create certain messages that you can send to real users and to anonymous FTP users when they log in to your server. Some FTP clients may not display the message in an obvious place, or they may not display it at all. For example, the FTP client Fetch displays a banner message in the “RemoteHostname Messages” window.
You use the NFS module of Server Settings to configure and manage NFS service. You also use the Sharing module of Workgroup Manager to set privileges and access levels for the share points or folders you want to export.
Before You Set Up NFS Service
Be sure to consider the security implications of exporting in NFS before you set up NFS service.
Step 3: Create share points and share them using NFS
Use the Sharing module of Workgroup Manager to specify the share points that you want to export (share) using NFS. You must explicitly configure a share point to use NFS in order for NFS users to be able to access the share point.
Managing NFS Service
This section tells you how to perform day-to-day management tasks for NFS service once you have it up and running.
Stopping NFS Service
When the server starts up, a startup script checks to see if any NFS exports have been defined; if so, NFS starts automatically. If NFS is not running and you add exports, wait a few seconds for the service to launch. When the service is running, a globe appears on the service icon.
Supporting Client Computers
This section describes the client computer requirements for using Mac OS X file services.
Supporting Mac OS X Clients
Apple file service requires the following Mac OS X system software:
• Mac OS X version 10.2
• TCP/IP connectivity
• AppleShare 3.7 or later
Go to the Apple support Web site at www.apple.com/support/ to find out the latest version of AppleShare client software supported by Mac OS X.
To set a Mac OS X client computer to mount a server volume automatically:
1 Choose “Connect to Server” from the Finder’s Go menu to mount the volume on the client computer.
2 Open System Preferences and click the Login tab.
3 Click Add, then locate the Recent Servers folder and double-click the volume you want automatically mounted.
The volume is added to the list of items in the Recent Servers folder in the user’s home Library folder.
Connecting to the Apple File Server in Mac OS 8 or Mac OS 9
Apple file service does not support AppleTalk connections, so clients need to use TCP/IP to access file services. You can use AppleTalk to find Apple file servers, but the connection must be made using TCP/IP.
To connect to the Apple file server in Mac OS 8 or Mac OS 9:
1 Open the Chooser and click Server IP Address.
Using the Network Neighborhood to Connect to the Windows Server
Before trying to connect to the server from a Windows client computer, find out the workgroup or domain of both the client computer and the file server. You can find the workgroup name of a Windows client computer in the computer’s Network Neighborhood window.
• Make sure the file server is running. You can use a “pinging” utility to check whether the server is operating.
• If the user is searching for the server via AppleTalk (in the Chooser), make sure you’ve enabled browsing over AppleTalk in the Access pane of the Apple File Server Settings window, and that AppleTalk is active on both the server and the user’s computer.
User Can’t Log in to the Windows Server
• If you are using Password Server to authenticate users, check to make sure that it is configured correctly. See “Setting Up an Open Directory Domain and Password Server” on page 71.
• If you have user accounts created in a previous version of Mac OS X Server (version 10.1 or earlier) that are still configured to use Authentication Manager, make sure that Authentication Manager is enabled.
Clients Can’t Connect to the FTP Server
• See if the client is using FTP passive mode, and turn it off. Passive mode causes the FTP server to open a connection on a dynamically determined port to the client, which could conflict with port filters set up in IP filter service.
Anonymous FTP Users Can’t Connect
• Verify that anonymous access is turned on.
• See if the maximum number of anonymous user connections has been reached.
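To show where the “dynamically determined port” in the passive-mode item comes from, here is an added example, written for this edit and not part of Apple’s guide or of any FTP implementation. In passive mode the server answers the client’s PASV command with a 227 reply of the form `(h1,h2,h3,h4,p1,p2)` (RFC 959), the data port being `p1 * 256 + p2`; the code parses that reply and checks whether the announced port would be permitted by a port filter that only allows given inclusive ranges, which is the mismatch the troubleshooting item warns about. The reply string and the port ranges are constructed sample values.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PASV_RE = re.compile(
    r"\(\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*\)"
)

# Constructed sample reply (TEST-NET address, port 195*256 + 80 = 50000).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"


def parse_pasv_reply(reply):
    """Return (host, port) announced in a 227 reply, or None if the text is
    not a well-formed passive-mode reply (wrong code, bad shape, octet or
    port byte above 255, or port 0)."""
    if not reply.startswith("227"):
        return None
    m = _PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        return None
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), port)


def check_filter_allows(reply, allowed_ranges):
    """Tell whether the data port a server announced would pass a port filter
    that permits only the given inclusive (low, high) port ranges.

    A malformed reply is reported as not allowed, since no data connection
    could be set up from it anyway."""
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return False
    _, port = parsed
    return any(low <= port <= high for low, high in allowed_ranges)


if __name__ == "__main__":
    print(parse_pasv_reply(SAMPLE_PASV_REPLY))
    # A filter that only passes the FTP control and active-mode data ports
    # (21 and 20) blocks the dynamically chosen passive port.
    print(check_filter_allows(SAMPLE_PASV_REPLY, [(20, 21)]))
    # A filter that also opens a passive range lets it through.
    print(check_filter_allows(SAMPLE_PASV_REPLY, [(20, 21), (49152, 65535)]))
```

With the sample reply, a filter that admits only ports 20 and 21 rejects the announced port 50000, which is the situation in which turning passive mode off (or widening the filter to a known passive range) restores connectivity.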
CHAPTER 6
Client Management: Mac OS X
Workgroup Manager provides network administrators with a centralized method of managing Mac OS X workstations, controlling access to software and removable media, and providing a consistent, personalized experience for users at different levels, whether they are beginners in a classroom or advanced users in an office.
This chapter summarizes certain aspects of Mac OS X client management, describes how to set up Mac OS X computer accounts using Workgroup Manager, and gives details about using managed preferences to customize and control the Mac OS X user experience.
Finding Applications
Applications can be stored locally on the computer’s hard disk or on a server in a share point. If applications are stored locally, users can find them in the Applications folder. If applications are stored on a server, the user must connect to the server in order to locate and use the applications.
Client Computer Hardware Requirements
• Macintosh computer with a G3 processor or better (except original PowerBook G3 or upgraded PowerPC processors)
• 128 megabytes (MB) of physical random access memory (RAM)
• 1.5 gigabytes (GB) of disk space available
Administrator Computer Software Requirements
• Mac OS X Server v. 10.
Designating Administrators
For Mac OS X clients, the server administrator has the greatest amount of control over other users and their privileges. The server administrator can create users, groups, and computer accounts and assign settings, privileges, and managed preferences for them.
Setting Up Group Accounts
Although Mac OS X users are not required to be added to group accounts in order to be managed, groups are still very important for efficient and effective client management. For example, you can use groups to provide users with the same access privileges to media, printers, and volumes. For more information about how to create group accounts using Workgroup Manager, see “Administering Group Accounts” on page 167.
Creating a Computer Account
You can use a computer account to assign the same privileges and preferences to multiple computers. You can add up to 2000 computers to a computer account.
To set up a computer list:
1 Open Workgroup Manager.
2 Use the At pop-up menu to open the directory domain where you want to store the new account, then click Accounts.
3 Click the lock and enter your user name and password.
2 Use the At pop-up menu to open the directory domain where you want to create computer accounts using presets, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab, then click List.
5 To create a new preset from a blank account, first create a new computer account. To create a preset using data in an existing computer account, open the account.
Adding Computers to an Existing Computer Account
You can easily add more computers to an existing list. However, you cannot add computers to the Guest Computers list.
To add additional computers to a list:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want, then click Accounts.
3 Click the lock and enter your user name and password.
7 Change information in the information fields as needed, then click Save.
Moving a Computer to a Different Computer Account
Occasionally, you may want to group computers differently. Workgroup Manager lets you conveniently move computers from one list to another. Computers cannot belong to more than one list, and you cannot move computers to the Guest Computers account.
To move a computer from one list to another:
1 Open Workgroup Manager.
Deleting a Computer Account
If you no longer need any of the computers listed in a computer account, you can delete the entire account. You cannot delete the Guest Computers account.
Warning: You cannot undo this action.
To delete a computer account:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
Managing Guest Computers
If an unknown computer (one that isn’t already in a computer account) connects to your network and attempts to access services, that computer is treated as a “guest.” Settings chosen for the Guest Computers account apply to these unknown, or “guest,” computers. Using the Guest Computers account is not recommended for large numbers of computers. Most of your computers should belong to regular computer lists.
If you do not select settings or preferences for the Guest Computers account, guest computers are not managed. However, if the person using the computer has a Mac OS X Server user account with managed user or group preferences, those settings still apply when the user connects to your network and logs in. If the user has an administrator account on the computer, he or she can choose not to be managed at login.
Making Computers Available to All Users
If you want, you can make computers in a list available to any user in any group account you set up.
To make computers available to all users:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab.
8 If you want to show only certain workgroups to users during login, select “Restrict to groups below,” and add groups to the list.
9 Click Save.
Managing Portable Computers
It is important to plan how you want to manage portable computers that have access to your network. This section gives suggestions for managing portable computers used by either multiple users or an individual user.
Portable Computers With One Primary Local User
There are two ways to set up portable computers for a single user.
• The user does not have administrator privileges, but has a local account. Set up a local administrator account on the computer (do not give the user any information about this account), then set up a local account for the user.
About the Preferences Cache
Only local user accounts use a preference cache. The preference cache is created on the local hard drive when a user logs in. The cache stores only preferences for the computer account to which that computer belongs and preferences for groups associated with that computer, but this can influence how a user is managed offline.
To empty the managed preferences cache:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Click the Computers tab and select a computer account from the list.
5 Click Cache, then click “Empty the Cache.”
The overrides described above do not apply to settings in the Items pane of the Applications preference, the Dock Items pane, the Printer List pane, or the Login Items pane. For these settings, a user’s final settings are a combination of settings for the user, the computer being used, and the group chosen at login. This is what we call an “additive” result. The Printing preference is useful for illustrating an additive result.
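As an added illustration of the “additive” result described above, and of the guest-computer behaviour described under “Managing Guest Computers” (an unknown computer takes the Guest Computers account’s settings, and if that account has none the computer is unmanaged while the user’s and group’s own preferences still apply), the code below models how the three levels combine. It is example code written for this edit, not Apple’s code or Workgroup Manager’s actual implementation. Two things in it are assumptions made here and not taken from the guide: the precedence order `user > computer > group` used for the non-additive settings (the guide describes those overrides on an earlier page not reproduced here), and the sample directory data, which is constructed.

```python
# Panes the guide names as additive: the user ends up with the union of
# what the user, computer and group levels each contribute.
ADDITIVE_PANES = {
    "applications.items",     # Applications preference, Items pane
    "dock.items",             # Dock preference, Dock Items pane
    "printing.printer_list",  # Printing preference, Printer List pane
    "login.items",            # Login preference, Login Items pane
}

# ASSUMPTION for this example: precedence for every other (override) setting,
# highest first. The guide's own override rules are not on this page.
OVERRIDE_ORDER = ("user", "computer", "group")

GUEST_ACCOUNT = "Guest Computers"


def find_computer_account(computer_accounts, machine_id):
    """Return the computer account a machine belongs to. An unknown machine
    is treated as a guest and gets the Guest Computers account, or None if
    no such account exists (then the computer level is unmanaged)."""
    for account_id, account in computer_accounts.items():
        if machine_id in account.get("members", []):
            return account_id
    return GUEST_ACCOUNT if GUEST_ACCOUNT in computer_accounts else None


def merge_preferences(user_prefs, computer_prefs, group_prefs):
    """Combine the three levels of managed preferences.

    Additive panes become the union of every level's entries (order kept,
    duplicates dropped); any other key is taken from the first level in
    OVERRIDE_ORDER that manages it.
    """
    levels = {"user": user_prefs or {}, "computer": computer_prefs or {}, "group": group_prefs or {}}
    keys = set()
    for prefs in levels.values():
        keys.update(prefs)
    result = {}
    for key in keys:
        if key in ADDITIVE_PANES:
            combined = []
            for level in ("user", "computer", "group"):
                for item in levels[level].get(key, []):
                    if item not in combined:
                        combined.append(item)
            result[key] = combined
        else:
            for level in OVERRIDE_ORDER:
                if key in levels[level]:
                    result[key] = levels[level][key]
                    break
    return result


def effective_preferences(directory, machine_id, user_id, group_id):
    """What a user logging in at machine_id with the chosen group ends up with."""
    account = find_computer_account(directory["computers"], machine_id)
    computer_prefs = directory["computers"][account].get("prefs", {}) if account else {}
    user_prefs = directory["users"].get(user_id, {})
    group_prefs = directory["groups"].get(group_id, {})
    return merge_preferences(user_prefs, computer_prefs, group_prefs)


# Constructed sample directory data (not from the guide). Machine ids are
# placeholder hardware addresses.
SAMPLE_DIRECTORY = {
    "computers": {
        "Lab A": {
            "members": ["00:00:00:00:00:01"],
            "prefs": {"printing.printer_list": ["Lab A Laser"], "dock.size": "small"},
        },
        GUEST_ACCOUNT: {
            "members": [],
            "prefs": {"printing.printer_list": ["Lobby Printer"]},
        },
    },
    "users": {
        "teacher": {"printing.printer_list": ["Staff Room Colour"], "dock.size": "large"},
    },
    "groups": {
        "students": {"printing.printer_list": ["Lab A Laser", "Library Printer"], "dock.size": "medium"},
    },
}

if __name__ == "__main__":
    print(effective_preferences(SAMPLE_DIRECTORY, "00:00:00:00:00:01", "teacher", "students"))
    print(effective_preferences(SAMPLE_DIRECTORY, "ff:ff:ff:ff:ff:ff", "teacher", "students"))
```

With the sample data, the printer list is the union of all three levels (the duplicate “Lab A Laser” appears once), while the Dock size, a non-additive setting, is resolved by the assumed precedence alone. The second call uses an unknown machine, so the Lobby Printer from the Guest Computers account appears instead of the Lab A printer.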
Managing User Preferences
You can manage preferences for individual users as needed. However, if you have large numbers of users, it may be more efficient to manage most preferences by group and computer instead. You might want to manage preferences at the user level only for specific individuals, such as directory domain administrators, teachers, or technical staff. You should also consider which preferences you want to leave under user control.
4 Select a group account in the account list.
5 Click the icon for the preference you want to manage.
6 In each tab for that preference, choose a management setting. Then select preference settings or fill in information you want to use. Some management settings are not available for some preferences, and some preferences are not available to some types of accounts.
If you adjust a mixed-state setting, every account will have the new setting you choose. For example, suppose you select three group accounts that each have different settings for the Dock size. When you look at the Dock Display preference pane for these accounts, the Dock Size slider is centered and has a dash on it. If you change the position of the Dock Size slider to Large, all selected accounts will have a large-size Dock.
Creating a List of Approved Applications
You need to provide access to the applications you want users to open. To do this, use Items settings for the Applications preference and create a list of “approved” applications. If an application is not on the list, a user cannot open it. You can, however, allow applications to open “helper applications” that are not listed.
8 Click Apply Now.
Managing Application Access to Helper Applications
Sometimes, applications need to use “helper applications” for tasks they cannot complete themselves. For example, if a user tries to open a Web link in an email message, the email application might need to open a Web browser application to display the Web page.
Managing Access to System Preferences
Using the System Preferences pane of the Applications preference, you can select which preferences you want users to be able to see in System Preferences on the client computer. When you show an item in System Preferences, a user can open the preference, but may or may not be able to change its settings.
Making Classic Start Up After a User Logs In
If users often need to work with applications that run in Classic, it is convenient to have Classic start up immediately after a user logs in.
To start Classic after login:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
Classic Advanced Preferences
Advanced preference settings for Classic let you control items in the Apple menu, Classic sleep settings, and the user’s ability to turn off extensions or rebuild Classic’s desktop file during startup.
Allowing Special Actions During Restart
You can allow users to perform special actions, such as turning off extensions or rebuilding Classic’s desktop file, when they restart computers.
Preventing Access to the Chooser and Network Browser
If you don’t want users to have access to the Chooser or Network Browser in Classic, you can remove these items from the Apple menu.
To remove the Chooser and Network Browser from the Apple menu:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
To adjust Classic sleep settings:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Classic preference icon.
5 Click Advanced and set the management setting to Always.
8 If you want items in the Dock to be magnified when a user moves the pointer over them, select the Magnification checkbox, then adjust the slider. Magnification is useful if you have many items in the Dock.
9 If you don’t want the Dock to be visible all the time, select “Automatically hide and show the Dock.” When the user moves the pointer to the edge of the screen where the Dock is located, the Dock pops up automatically.
Providing Easy Access to Group Folders
After you have set up a group volume, you can make it easy for users to locate the group directory by placing an alias in the user’s Dock. The group directory contains the group’s Library folder, Documents folder, and Public folder (including a Drop Box). If you need help setting up a group share point, see “Working With Folder Settings for Groups” on page 172.
4 Select a user, group, or computer account in the account list, then click the Dock preference icon.
5 Click Dock Items, then set the management setting to Always.
6 Deselect “Users may add and remove additional Dock items.”
7 Click Apply Now.
Managing Finder Preferences
Finder Preferences allow you to control various aspects of Finder menus and windows.
To set Finder window preferences:
1 Open Workgroup Manager and click Preferences.
2 Select a user, group, or computer account in the account list, then click the Finder preference icon.
3 Click the Preferences tab and select a management setting (Once or Always).
4 Under “New Finder window shows,” specify the items you want to display.
In order to use additional Simplified Finder features, an administrator can use Workgroup Manager to
• Add applications you want to provide to users via the Items pane in the Applications preference. Aliases to the applications appear in the user’s My Applications folder the next time that user logs in.
• Add additional items to the user’s Dock using the Dock Items pane of the Dock preference.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click the Preferences tab and select a management setting (Once or Always).
6 Deselect “Show warning before emptying the Trash.”
7 Click Apply Now.
Finder Commands Preferences
Commands in Finder menus and the Apple menu allow users to easily connect to servers or restart the computer, for example.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Connect to Server.”
7 Click Apply Now.
Controlling User Access to Folders
Users can open a specific folder by using the “Go to Folder” command in the Finder’s Go menu and providing the folder’s path name.
Hiding the Burn Disc Command in the Finder
On computers with appropriate hardware, users can “burn discs” (write information to recordable CDs or DVDs). If you don’t want users to have this privilege, you can hide the Burn Disc command in the Finder’s File menu.
To hide the Burn Disc command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
As an additional preventive measure, you can also remove the Restart and Shut Down buttons from the login window using settings for Login preferences. See “Managing Login Preferences” on page 320 for instructions.
Finder Views Preferences
Finder Views allow you to adjust the arrangement and appearance of items on a user’s desktop, in Finder windows, and in the top-level directory of the computer.
Default View settings control the overall appearance of all Finder windows. Computer View settings control the view for the top-level computer directory showing hard disks and disk partitions, external hard disks, mounted volumes, and removable media (such as CDs or floppy disks).
To set preferences for the default and computer views:
1 Open Workgroup Manager.
Managing Internet Preferences
Internet preferences let you set email and Web browser options.
Setting Email Preferences
Email settings let you specify a preferred email application and supply information for the email address, incoming mail server, and outgoing mail server.
To set email preferences:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
LL0395.Book Page 320 Wednesday, November 20, 2002 11:44 AM 8 Type a URL for the Search Page. 9 Type a folder location for storing downloaded files, or click Set to browse for a folder. 10 Click Apply Now. Managing Login Preferences Use Login preferences to set user login options, provide password hints, and control the user’s ability to restart and shut down the computer from the login screen. You can also mount the group volume or make applications open automatically after a user logs in.
LL0395.Book Page 321 Wednesday, November 20, 2002 11:44 AM Deciding How a User Logs In Depending on the settings you choose, a user will see either a name and password text field or a list of users in the login window. These settings apply only to computer accounts. To set up how a user logs in: 1 Open Workgroup Manager. 2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences. 3 Click the lock and enter your user name and password.
LL0395.Book Page 322 Wednesday, November 20, 2002 11:44 AM 3 Click the lock and enter your user name and password. 4 Select a computer account in the account list, then click the Login preference icon. 5 Click Login Options and set the management setting to Always. 6 Select “Show password hint after 3 attempts to enter a password.” 7 Click Apply Now. Preventing Restarting or Shutting Down the Computer at Login Normally, the Restart and Shut Down buttons appear in the login window.
LL0395.Book Page 323 Wednesday, November 20, 2002 11:44 AM A user can suppress automatic application opening by holding down the Shift key during login. Do not release the Shift key until the startup is complete and the Finder appears on the Desktop. To make applications open automatically: 1 Open Workgroup Manager. 2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences. 3 Click the lock and enter your user name and password.
LL0395.Book Page 324 Wednesday, November 20, 2002 11:44 AM 4 Select a group account in the account list, then click the Login preference icon. 5 Click Login Items. 6 Set the management setting to Always. 7 Click “Add group share point.” 8 Click Apply Now. When the user logs in, the computer connects to the group share point with the user name and password given at login.
LL0395.Book Page 325 Wednesday, November 20, 2002 11:44 AM Select the Allow checkbox next to CDs & CD-ROMs to let users access music, data, or applications on compact discs. To restrict access to compact discs, select Require Authentication to require an administrator user name and password. To prevent access to all compact discs, deselect Allow. 6 Choose settings for DVDs. Select the Allow checkbox next to DVDs to let users access movies and other information on digital video discs.
LL0395.Book Page 326 Wednesday, November 20, 2002 11:44 AM To prevent users from recording information to compact discs or DVD-R discs, deselect Allow. 8 Click Apply Now. Media Access Other Media Preferences Settings in the Other Media pane affect internal hard disks and external disks other than CDs or DVDs.
LL0395.Book Page 327 Wednesday, November 20, 2002 11:44 AM If you select the Read-Only checkbox, users can view the contents of external disks but cannot modify them or save files on external disks. 9 Click Apply Now. Ejecting Items Automatically When a User Logs Out On computers used by more than one person, such as in a computer lab, users may sometimes forget to take their personal media with them when they leave.
LL0395.Book Page 328 Wednesday, November 20, 2002 11:44 AM Making Printers Available to Users To give users access to printers, you first need to set up a printer list. Then, you can allow specific users or groups to use printers in that list. You can also make printers available to computers. A user’s final list of printers is a combination of printers available to the user, the group selected at login, and the computer being used. To create a printer list for users: 1 Open Workgroup Manager.
LL0395.Book Page 329 Wednesday, November 20, 2002 11:44 AM 6 Click Printer List. 7 If you want only administrators to modify the printer list, select “Require an administrator password.” 8 If don’t want any user to modify the printer list, deselect “Allow users to add printers to the Printer list.” 9 Click Apply Now. Restricting Access to Printers Connected to a Computer In some situations, you want only certain users to print to a printer connected directly to their computers.
LL0395.Book Page 330 Wednesday, November 20, 2002 11:44 AM To set the default printer: 1 Open Workgroup Manager. 2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences. 3 Click the lock and enter your user name and password. 4 Select a user, group, or computer account in the account list, then click the Printing preference icon. 5 Set the management setting to Always. This setting applies to all Printing preference options.
LL0395.Book Page 331 Wednesday, November 20, 2002 11:44 AM I Can’t Enforce Default Web Settings If you manage Internet preferences using Workgroup Manager and set up a default Web browser, a default home page or search page, or a specific location to store downloaded files, some applications may not accept these settings. You may need to set a default home page using the application’s own preference settings instead.
LL0395.Book Page 332 Wednesday, November 20, 2002 11:44 AM Users Cannot Add Printers to a Printer List Users are able to add printers to the list of printers in Print Center if you select Always as the management setting for Printer preferences and select “Allow user to add printers to the printer list.” However, when a user tries to print a document from an application, any printer the user added does not appear in the list of available printers.
LL0395.Book Page 333 Wednesday, November 20, 2002 11:44 AM Users See a Message About an Unexpected Error When you manage Classic preferences and try to use the Extensions Manager, File Sharing, and Software Update control panels, you may see a message that says “The operation could not be completed. An unexpected error occurred (error code 1016).” This message indicates that an administrator has restricted access to the item the user attempted to use.
CHAPTER 7
Print Service
Print service lets you share network printers with clients of Mac OS X Server. You share printers by setting up print queues for them. When users submit print jobs to a shared printer, the jobs are automatically sent to the printer’s queue, where they are held until the printer becomes available or criteria you set up have been met.

What Printers Can Be Shared?
Mac OS X Server supports PostScript-compatible printers connected to your network using AppleTalk or the Line Printer Remote (LPR) protocol. Mac OS X Server also supports PostScript-compatible printers connected directly to your server by means of a Universal Serial Bus (USB) connection.
Step 2: Start up and configure print service
Use Server Settings to start up and configure print service. Print service configuration lets you set options that apply to all print queues that you are sharing—for example, starting print service automatically when the server starts up. See “Starting Up and Configuring Print Service” on page 339.

Before You Begin
Before you set up print service, determine which protocols are used for printing by client computers. When you configure a print queue, you will need to enable each of the required protocols. Print service supports the following protocols:
• AppleTalk
• Line Printer Remote (LPR)
• Server Message Block (SMB)
See “Setting Up Printing on Client Computers” on page 343.

If you choose None, print jobs sent to the default queue will not be accepted by the server (and therefore will not be printed).
7 Select “Server log” if you want to archive the print service log file. Specify how often (by entering the number of days) you want to archive the current log and start a new one.
8 Select “Queue logs” if you want to archive the print queues’ log files.

You’ll probably need to change the queue name if users who print to your queues have restrictions on the printer names they can use. For example, some LPR clients do not support names that contain spaces, and some Windows clients restrict names to 12 characters. Queue names shared via LPR or SMB should not contain characters other than A–Z, a–z, 0–9, and “_” (underscore).

The Open Directory printer is named using the queue name defined in the Print module of Server Settings. LPR clients do not support names that contain spaces, and some Windows clients restrict names to 12 characters. Queue names shared via LPR or SMB should not contain characters other than A–Z, a–z, 0–9, and “_” (underscore). AppleTalk queue names cannot be longer than 32 bytes (which may be fewer than 32 typed characters).
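The name restrictions above (the LPR/SMB character set, the 12-character limit of some Windows clients, the 32-byte AppleTalk limit) can be checked before a queue is shared. The following is an added example, not code from the guide or from Mac OS X Server; it assumes names are counted as UTF-8 bytes for the AppleTalk limit, and the protocol labels `lpr`, `smb` and `appletalk` are this script’s own convention.

```python
"""Check print queue names against the client restrictions quoted in the guide.

Added example; not part of Mac OS X Server. AppleTalk byte counting assumes UTF-8.
"""
import re
from typing import Iterable, List

# Anything outside the set the guide permits for queues shared via LPR or SMB.
LPR_SMB_DISALLOWED = re.compile(r"[^A-Za-z0-9_]")
# Some Windows clients restrict printer names to 12 characters (from the guide).
WINDOWS_MAX_CHARS = 12
# AppleTalk queue names cannot be longer than 32 bytes (from the guide).
APPLETALK_MAX_BYTES = 32
# Assumption: multibyte characters are counted as UTF-8 bytes.
APPLETALK_ENCODING = "utf-8"


def queue_name_problems(name: str, protocols: Iterable[str]) -> List[str]:
    """Return human-readable problems; an empty list means every client protocol
    the queue is shared over can use the name."""
    enabled = {p.lower() for p in protocols}
    problems: List[str] = []
    if not name:
        return ["queue name is empty"]

    if enabled & {"lpr", "smb"}:
        if " " in name:
            problems.append("LPR/SMB: name contains a space (some LPR clients reject it)")
        # Report the remaining disallowed characters separately from the space.
        bad = sorted(set(LPR_SMB_DISALLOWED.findall(name)) - {" "})
        if bad:
            problems.append("LPR/SMB: disallowed characters: " + " ".join(repr(c) for c in bad))

    if "smb" in enabled and len(name) > WINDOWS_MAX_CHARS:
        problems.append(
            f"SMB: {len(name)} characters exceeds the {WINDOWS_MAX_CHARS}-character "
            "limit of some Windows clients"
        )

    if "appletalk" in enabled:
        nbytes = len(name.encode(APPLETALK_ENCODING))
        if nbytes > APPLETALK_MAX_BYTES:
            problems.append(
                f"AppleTalk: {nbytes} bytes exceeds the {APPLETALK_MAX_BYTES}-byte limit "
                f"(the name has only {len(name)} characters)"
            )
    return problems


def suggest_queue_name(name: str, protocols: Iterable[str]) -> str:
    """Derive a name that satisfies the restrictions for the given protocols:
    spaces become underscores, other disallowed characters are dropped, and the
    result is truncated to the SMB and AppleTalk limits where those apply."""
    enabled = {p.lower() for p in protocols}
    candidate = name.strip()
    if enabled & {"lpr", "smb"}:
        candidate = LPR_SMB_DISALLOWED.sub("", candidate.replace(" ", "_"))
        candidate = re.sub(r"_+", "_", candidate).strip("_")
    if "smb" in enabled:
        candidate = candidate[:WINDOWS_MAX_CHARS].rstrip("_")
    if "appletalk" in enabled:
        # Trim whole characters until the encoded name fits in 32 bytes.
        while len(candidate.encode(APPLETALK_ENCODING)) > APPLETALK_MAX_BYTES:
            candidate = candidate[:-1]
    return candidate


if __name__ == "__main__":
    protos = ["lpr", "smb", "appletalk"]
    for proposed in ("LabPrinter1", "Color Laser (Room 12)", "é" * 20):
        print(repr(proposed), "->", queue_name_problems(proposed, protos) or "OK",
              "| suggestion:", repr(suggest_queue_name(proposed, protos)))
```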
Setting Up Printing on Client Computers

Mac OS X Clients
Mac OS X users must add shared print queues to their Print Center printer lists before they can use the queues. Mac OS X supports both AppleTalk and LPR printers. Users can also add print queues in Open Directory domains accessible from the Mac OS X computer. If a Mac OS X client is having trouble printing, see “Solving Problems” on page 354.

Mac OS 8 and Mac OS 9 Clients
Mac OS 8 and 9 support both AppleTalk and LPR printers. Users can set up printing to a server print queue by using the Chooser for AppleTalk printers or the Desktop Printer Utility for LPR printers. (The Desktop Printer Utility is usually located in the LaserWriter Software folder in the Apple Extras folder or in the Utilities folder in the Applications folder.)

Windows Clients
To enable printing by Windows users who submit jobs using SMB, make sure Windows services are running and that one or more print queues are available for SMB use. See “Starting Windows Services” on page 252 and “Adding Printers” on page 340. All Windows computers—including Windows 95, Windows 98, Windows Millennium Edition (ME), and Windows XP—support SMB for using printers on the network.

Stopping Print Service
You use the File & Print pane in Server Settings to stop print service.
To stop print service:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Stop Print Service.

Setting Print Service to Start Automatically
You can set print service to start automatically when the server starts up.

Putting a Print Queue on Hold (Stopping a Print Queue)
To prevent jobs in a queue from printing, put the print queue on hold. Printing of all jobs waiting to print is postponed. New jobs are still accepted but won’t be printed until you start the queue again and the jobs ahead of them (of the same or higher priority) are printed.

Note: If you change the name of a print queue that has already been shared, print jobs sent by users to the old queue name will not be printed. Users will need to set up their computers again to use the queue with its new name.
5 Select the protocols used for printing by your client computers. If you select “Windows printing (SMB),” make sure Windows services are running. See “Starting Windows Services” on page 252.

Selecting a Default Print Queue
Specifying a default print queue simplifies setup for printing from client computers to LPR print queues. Users can choose to print to the default queue rather than having to enter the IP address of a specific queue.
To select a default print queue:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Configure Print Service.

The Queue Monitor window displays all the current print jobs in priority order. It also indicates the current status of the active (printing) job, the name of the user who submitted each job, and the number of pages and sheets in each job. The number of pages is the number of pages in the document.

To restart a print job:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the queue containing the job, then click Show Queue Monitor.
4 Select the job and click Release.
The job is returned to the print queue and is printed after all other jobs in the queue with the same priority.

3 Select the queue containing the job, then click Show Queue Monitor.
4 Select the job and click Set Priority.
5 Select the priority you want to assign to the job. Urgent jobs are printed first, then Normal jobs, and finally Low jobs. The job is printed after any other job in the queue with the same priority.

Viewing Print Logs
Print service has two kinds of logs: print service and print queue. Print service logs record such events as when print service was started and stopped and when a print queue was put on hold. Separate logs for each print queue record individual print jobs, including which users submitted jobs for particular printers and the size of the jobs. You can view the print service logs using Server Status.

Deleting Print Log Archives
The log files are stored in /Library/Logs/PrintService. You can clear out unwanted archive files by deleting them from this directory using the Finder. You can also use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 594.

Solving Problems
Try these suggestions to solve or avoid printing problems.

• Make sure the printer is turned on and that there are no problems with the printer itself (out of paper, paper jams, and so on).
• Review the print logs for additional information. Open Server Status, select Print under the server name in the Devices & Services list, and click the Logs tab.
CHAPTER 8
Web Service
Web service in Mac OS X Server offers an integrated Internet server solution. Web service is easy to set up and manage, so you don’t need to be an experienced Web administrator to set up multiple Web sites and configure and monitor your Web server. Web service in Mac OS X Server is based on Apache, an open-source HTTP Web server. A Web server responds to requests for HTML Web pages stored on your site.

Before You Begin
This section provides information you need to know before you set up Web service for the first time. You should read this section even if you are an experienced Web administrator, as some features and behaviors may be different from what you expect.

Configuring Web Service
You can use Server Settings to set up and configure the most frequently used features of Web service.

Hosting More Than One Web Site
You can host more than one Web site simultaneously on your Web server. Depending on how you configure your sites, they may share the same domain name, IP address, or port. The unique combination of domain name, IP address, and port identifies each separate site. Your domain names must be registered with the domain name authority (InterNIC).

You can avoid this problem by carefully setting access privileges for the site files using the Sharing module of Server Settings. Mac OS X Server uses a predefined group named “www,” which contains the Apache processes. You need to give the www group read and write access to files within the Web site. You also need to assign these files read and write access by the Web site administrator (owner) and None (no access) to Everyone.

MIME type mappings are divided into two subfields separated by a forward slash, such as “text/plain.” Mac OS X Server includes a list of default MIME type mappings. You can edit these and add others. When you specify a MIME type as a response, the server identifies the type of data requested and sends the response you specify.

Step 3: Assign privileges for your Web site
The Apache process running on the server must have access to the Web site’s files and folders. To allow this access, Mac OS X Server creates a group named “www,” made up of the Apache processes. You need to give the www group read-only access to files within your Web site so that it can transfer those files to browsers when users connect to the site.
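The two privilege patterns above (owner read/write, www read-only for a plain site, www read/write when the site is edited in place, and no access for Everyone) can be audited from the command line rather than checked folder by folder in the Sharing module. The script below is an added example, not code from the guide or from Mac OS X Server; it takes the owner and www group ids as parameters so it runs anywhere (on a real server you would pass `grp.getgrnam("www").gr_gid`), and its `demo` function builds a constructed site folder to audit.

```python
"""Audit and apply the ownership/permission pattern the guide gives for Web site files:
the site administrator (owner) may read and write, the www group may read (and, when
the site is edited in place via WebDAV, write), and Everyone gets no access.

Added example; it is not part of Mac OS X Server. Owner and group ids are passed in
so the code can run anywhere; on a real server use grp.getgrnam("www").gr_gid.
"""
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def check_entry(st: os.stat_result, www_gid: int, owner_uid: int, webdav: bool) -> List[str]:
    """Compare one file or folder's stat against the expected pattern."""
    mode = st.st_mode
    problems: List[str] = []
    if st.st_uid != owner_uid:
        problems.append("not owned by the site administrator")
    if st.st_gid != www_gid:
        problems.append("group is not www")
    if mode & stat.S_IRWXO:
        problems.append("Everyone has access (should be None)")
    if not mode & stat.S_IRGRP:
        problems.append("www group cannot read")
    if stat.S_ISDIR(mode) and not mode & stat.S_IXGRP:
        problems.append("www group cannot search the folder")
    if webdav and not mode & stat.S_IWGRP:
        problems.append("www group cannot write (required for WebDAV)")
    if not webdav and mode & stat.S_IWGRP:
        problems.append("www group can write (only needed when WebDAV is enabled)")
    return problems


def audit_site(root: str, www_gid: int, owner_uid: int, webdav: bool = False) -> Dict[str, List[str]]:
    """Walk the site folder and return {path: problems} for every entry that deviates.
    Symbolic links are skipped rather than followed out of the site tree."""
    findings: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            problems = check_entry(st, www_gid, owner_uid, webdav)
            if problems:
                findings[path] = problems
    return findings


def apply_site_modes(root: str, webdav: bool = False) -> None:
    """Set folder and file modes to the guide's pattern. Ownership is left to chown,
    which needs administrator privileges and is outside this example."""
    dir_mode = 0o770 if webdav else 0o750   # owner rwx, www rwx or r-x, everyone none
    file_mode = 0o660 if webdav else 0o640  # owner rw, www rw or r, everyone none
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, dir_mode)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, file_mode)


def demo(webdav: bool = False) -> Tuple[int, int]:
    """Build a constructed site folder with world-readable defaults, audit it, apply the
    pattern, and audit again. Returns (entries flagged before, entries flagged after)."""
    with tempfile.TemporaryDirectory() as root:
        css = os.path.join(root, "css")
        os.mkdir(css)
        os.chmod(css, 0o755)  # typical default: Everyone can read and search
        index = os.path.join(root, "index.html")
        with open(index, "w", encoding="utf-8") as fh:
            fh.write("<html><body>constructed sample page</body></html>\n")
        os.chmod(index, 0o644)  # typical default: Everyone can read
        st = os.stat(root)  # stand in for the site administrator and the www group
        before = audit_site(root, st.st_gid, st.st_uid, webdav)
        apply_site_modes(root, webdav)
        after = audit_site(root, st.st_gid, st.st_uid, webdav)
        return len(before), len(after)


if __name__ == "__main__":
    print("read-only site, entries flagged before/after:", demo(webdav=False))
    print("WebDAV site, entries flagged before/after:", demo(webdav=True))
```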
Starting or Stopping Web Service
You start and stop Web service from the Server Settings application.
To start or stop Web service:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Start Web Service or Stop Web Service.
If you stop Web service, users connected to any Web site hosted on your server are disconnected immediately. Always use Server Settings to start and stop the Web server.

4 Click Add to add a new mapping, or select a mapping and click Edit, Duplicate, or Delete. (If you choose Delete, you’ve finished.)
5 Type the file suffix that describes the type of data in files handled by this mapping.
6 Choose a Web server response from the Response pop-up menu. If you choose “Return file as MIME type,” enter the MIME type you want to return.
7 Click Save.

The range for maximum simultaneous connections is zero to 9999. The default maximum is 500, but you can set the number as high or as low as you want, taking into consideration the desired performance of your server.
4 Click Save, then restart Web service.

Setting Up Proxy Caching for Web Service
A proxy lets users check a local server for frequently used files. You can use a proxy to speed up response times and reduce network traffic.

To block Web sites:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Proxy tab and select Enable Proxy.
4 Type the URL of the Web site you want to block in the Add field and click Add. Or click Import to import a list of Web sites.
5 Click Save, then restart Web service.

Setting Up WebDAV for a Web Server
Web-based Distributed Authoring and Versioning (WebDAV) allows you or your users to make changes to Web sites while the sites are running. If you enable WebDAV, you also need to assign access privileges for the sites and for the Web folders.
To enable WebDAV:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.

3 On the General pane, click “Start Tomcat at system startup.”
4 Click Save, then restart the server.
To verify that Tomcat is running, use a Web browser to access port 9006 of your Web site by entering the URL for your site followed by :9006, for example:
http://example.com:9006
If Tomcat is running, accessing port 9006 will display the default Tomcat home page.

To view the log files:
1 In Server Status, click Web under your server.
2 Click the Logs tab.
3 Select the log you want to view in the top portion of the pane.
You can enable an access log and an error log for each site on the server. See “Enabling Access and Error Logs for a Web Site” on page 373 for more information.

Setting Up the Documents Folder for Your Web Site
To make files available through a Web site, you put the files in the Documents folder for the site. To organize the information, you can create folders inside the Documents folder. The folder is located in this directory:
/Library/WebServer/Documents
In addition, each registered user has a Sites folder in the user’s own home directory.

Enabling a Web Site on a Server
Before you can enable a Web site, you must create the content for the site and set up your site folders.
To enable the Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab, then click Add.
4 Type the fully qualified DNS name of your Web site in the Name field.
5 Enter the IP address and port number (any number up to 8999) for the site.

5 In the General pane, type a name in the Default Document Name field. A file with this name must be in the Web site folder.
6 Click Save, then restart Web service.
Note: The Default Document Name field can have more than one entry. Any file name containing a space must be enclosed in quotes. Each entry must be separated by a space.
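The field syntax in the note above (space-separated entries, a name containing a space enclosed in quotes) and the requirement that each named file exist in the site folder can be checked before you restart Web service. The following is an added example, not code from the guide, Apache or Mac OS X Server; its `demo` function uses a constructed temporary folder in place of a real site’s Documents folder.

```python
"""Parse the Default Document Name field as the guide describes it (entries separated
by spaces, a name containing a space enclosed in double quotes) and check that every
entry exists in the site's folder.

Added example; not part of Mac OS X Server or Apache.
"""
import os
import tempfile
from typing import List


def parse_default_document_names(field: str) -> List[str]:
    """Split the field into file names, honouring double quotes around names with spaces."""
    names: List[str] = []
    current: List[str] = []
    in_quotes = False
    for ch in field:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            if current:
                names.append("".join(current))
                current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unbalanced quote in Default Document Name field")
    if current:
        names.append("".join(current))
    return names


def invalid_entries(names: List[str]) -> List[str]:
    """Entries that are not plain file names. A default document must live directly in
    the site folder, so path separators and the '.'/'..' names are rejected."""
    return [n for n in names if "/" in n or n in (".", "..")]


def missing_default_documents(field: str, site_folder: str) -> List[str]:
    """Return the entries that do not exist as regular files in site_folder; the guide
    requires a file with each name to be present in the Web site folder."""
    names = parse_default_document_names(field)
    bad = invalid_entries(names)
    if bad:
        raise ValueError("not plain file names: " + ", ".join(bad))
    return [n for n in names if not os.path.isfile(os.path.join(site_folder, n))]


def demo() -> List[str]:
    """Constructed site folder containing only index.html, checked against a field
    that names three documents; the two absent ones are returned."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "index.html"), "w", encoding="utf-8") as fh:
            fh.write("<html><body>constructed sample page</body></html>\n")
        return missing_default_documents('index.html "Home Page.html" default.htm', folder)


if __name__ == "__main__":
    print("missing default documents:", demo())
```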
You can also improve server performance by disabling the access and error logs.

Enabling Access and Error Logs for a Web Site
You can set up error and access logs for individual Web sites that you host on your server. However, enabling the logs can slow server performance.
To enable access and error logs for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.

8 Select “Enable detailed folder listings.”
9 Click Save, then restart Web service.

Connecting to Your Web Site
Once you configure your Web site, it’s a good idea to view the site with a Web browser to verify that everything appears as intended.
To make sure a Web site is working properly:
1 Open a Web browser and type the Web address of your server. You can use either the IP address or the DNS name of the server.

Setting Access for WebDAV-Enabled Sites
You create realms to provide security for Web sites. Realms are locations within a site that users can view or make changes to when WebDAV is enabled. When you define a realm, you can assign browsing and authoring privileges to users for the realm.
To add users and groups to a realm:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service, then click the Sites tab.

To enable a CGI for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a Web site in the list and click Edit.
5 On the Options pane, select “Enable CGI execution.”
6 Click Save, then restart Web service.

AddHandler server-parsed shtml
AddType text/html shtml
If your SSI files use a file extension other than .shtml, you should add that type to the mime_macosxserver.types file. You can add MIME types in Server Settings from the MIME Types tab. The changes take effect when you restart Web service.

Monitoring Web Sites
You can use the Sites pane to check the status of your Web sites.

Enabling SSL
Before you can enable Secure Sockets Layer (SSL) protection for a Web site, you have to obtain the proper certificates. For more information, see “Setting Up Secure Sockets Layer (SSL) Service” on page 383.
To set up SSL for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a site and click Edit.

#LoadModule php4_module /usr/libexec/httpd/libphp4.so
#AddModule mod_php4.c
3 Save the changes and close the file. The changes take effect when you restart Web service.

WebMail
WebMail adds basic email functions to your Web site. If your Web service hosts more than one Web site, WebMail can provide access to mail service on any or all of the sites. The mail service looks the same on all sites.

Users log in to WebMail with the name and password they use for logging in to regular mail service. WebMail does not provide its own authentication. For more information on mail service users, see “Supporting Mail Users” on page 429 in Chapter 9, “Mail Service.” When users log in to WebMail, their passwords are sent over the Internet in clear text (not encrypted) unless the Web site is configured to use SSL.

4 In the Terminal application, use a text editor to edit /etc/httpd/httpd_macosxserver.conf and add the following line:
Include /etc/httpd/httpd_squirrelmail.conf
Where you add this line depends on whether your server hosts multiple Web sites and whether you want all or only some hosted Web sites to have WebMail. If your server hosts only one Web site or you want all Web sites to have WebMail, add the “Include” line outside all virtual host blocks.

• Sent Folder is the name of the IMAP folder where mail service puts messages after sending them. The default is Sent Messages.
• Draft Folder is the name of the IMAP folder where mail service puts the user’s draft messages. The default is Drafts.
You can configure these and other settings—such as which mail server provides mail service for WebMail—by running an interactive Perl script in a Terminal window, with root privileges.

Setting Up Secure Sockets Layer (SSL) Service
If you want to provide secure transactions on your server, such as allowing users to purchase items from a Web site, you should set up Secure Sockets Layer (SSL) protection. SSL lets you send encrypted, authenticated information across the Internet. If you want to allow credit card transactions through a Web site, for example, you can protect the information that’s passed to and from that site.

• Organizational name: The organization to which your domain name is registered.
• Organizational unit: Usually something similar to a department name.
• Common name of your Web server: The DNS name, such as server.apple.com.
• Email address: The email address to which you want the certificate sent.
The file “csr.pem” is generated from the information you provided.
7 At the prompt, type the following, then press Return.
cat csr.

5 Select Enable Secure Socket Layer (SSL).
6 Click Edit Certificate File and paste the text from your certificate file (the certificate you obtained from the issuing authority) in the text field, then click Save.
7 Click Edit Key File and paste the text from your key file (the file key.pem, which you set up earlier) in the text field, then click Save.
8 Click Edit CA Certificate File and paste the text from the ca.crt file in the text field.

• If the module came with your Web server, check the Apache documentation for that module and make sure the module is intended to work the way you expected.
• If you installed the module, check the documentation that came with the Web module to make sure it is installed correctly and is compatible with your server software.
For more information on supported Apache modules for Mac OS X Server, see this Web site: www.apache.

• To index a folder’s contents, choose Get Info from the File menu.
Note: You must be logged in as root for the index to be copied to the Web directory in order to be searchable by a browser.
Clients must add .sherlock to your Web site’s URL to access a page that allows them to search your site. For example: http://www.example.com/.

PHP: Hypertext Preprocessor
PHP lets you handle dynamic Web content by using a server-side HTML-embedded scripting language resembling C. Web developers embed PHP code within HTML code, allowing programmers to integrate dynamic logic directly into an HTML script rather than write a program that generates HTML. PHP provides CGI capability and supports a wide range of databases. Unlike client-side JavaScript, PHP code is executed on the server.
LL0395.Book Page 391 Wednesday, November 20, 2002 11:44 AM C H A P T E R 9 9 Mail Service Mail service in Mac OS X Server allows network users to send and receive email over your network or across the Internet. Mail service sends and receives email using the standard Internet mail protocols: Internet Message Access Protocol (IMAP), Post Office Protocol (POP), and Simple Mail Transfer Protocol (SMTP). Mail service also uses a Domain Name System (DNS) service to determine the address of outgoing mail.
LL0395.Book Page 392 Wednesday, November 20, 2002 11:44 AM Mail Service Protocols A standard mail setup uses SMTP to send outgoing email and POP and IMAP to receive incoming email. Mac OS X Server includes an SMTP service and a combined POP and IMAP service. You may find it helpful to take a closer look at the three email protocols. ron@example.edu The Internet Out In Mail server for school.com Out In Mail server for example.
LL0395.Book Page 393 Wednesday, November 20, 2002 11:44 AM Internet Message Access Protocol (IMAP) Internet Message Access Protocol (IMAP) is the solution for people who need to receive mail from more than one computer. IMAP is a client-server mail protocol that allows users to access their mail from anywhere on the Internet. Users can send and read mail with a number of IMAP-compliant email clients.
LL0395.Book Page 394 Wednesday, November 20, 2002 11:44 AM How Mail Service Uses SSL The mail service supports secure IMAP connections with mail client software that requests them. If a mail client requests a Secure Sockets Layer (SSL) connection, the mail service can automatically comply. The mail service still provides non-SSL (unencrypted) connections to clients that do not request SSL. The configuration of each mail client determines whether it connects with SSL or not.
LL0395.Book Page 395 Wednesday, November 20, 2002 11:44 AM Mail service uses an additional folder if you turn on the option to use an alternate mail transfer agent, such as the UNIX Sendmail program. The alternate mail transfer agent delivers mail for users of your Apple mail service to the /var/mail folder. This is the standard UNIX mail delivery location. Mail for each user is stored in standard UNIX mailbox format in a file with the user’s name.
LL0395.Book Page 396 Wednesday, November 20, 2002 11:44 AM What Mail Service Can Do About Junk Mail You can configure your mail service to decrease the volume of unsolicited mail, also known as junk mail and spam. You can take steps to block spam that is sent to your mail users. You can also take steps to prevent senders of junk mail from using your server as a relay point. A relay point or open relay is a server that unselectively receives and forwards all mail addressed to other servers.
SMTP Authentication and Restricted SMTP Relay Combinations
The following table describes the results of using SMTP authentication and restricted SMTP relay in various combinations.
SMTP authentication | Restricted SMTP relay | Result
On | Off | All mail servers must authenticate before your mail service will accept any mail for relay or delivery. Your local mail users must also authenticate to send mail.
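The table above shows only one of the four combinations. The following is an added example, not Apple's mail service code, that models the relay decision an SMTP service makes under the two switches. The row shown on the page (authentication on, restricted relay off: every sender must authenticate even for local delivery) is implemented as stated; the behaviour for the other three combinations, and the CIDR allow-list used as the "approved servers" set when restricted relay is on, are assumptions made for illustration. All addresses and domains are constructed.

```python
"""Relay-acceptance decision under the "SMTP authentication" and
"restricted SMTP relay" switches. Added illustration, not Apple's code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    require_smtp_auth: bool   # "SMTP authentication" switch
    restrict_relay: bool      # "Restricted SMTP relay" switch
    local_domains: set        # domains this server delivers for
    # Assumption: when restricted relay is on, relaying is allowed from these networks.
    approved_relay_nets: list = field(default_factory=list)


@dataclass
class Envelope:
    client_ip: str
    authenticated: bool       # did the client complete SMTP AUTH?
    recipient: str


def is_open_relay(policy: RelayPolicy) -> bool:
    """Both switches off: anyone can relay through this server."""
    return not policy.require_smtp_auth and not policy.restrict_relay


def decide(policy: RelayPolicy, env: Envelope):
    """Return (accepted, reason) for a single RCPT TO."""
    rcpt_domain = env.recipient.rsplit("@", 1)[-1].lower()
    is_local = rcpt_domain in policy.local_domains
    ip = ip_address(env.client_ip)
    on_approved_net = any(ip in ip_network(n) for n in policy.approved_relay_nets)

    if policy.require_smtp_auth and not env.authenticated:
        # Row on the page: with authentication on, every sending server
        # must authenticate before any mail is accepted, relay OR delivery.
        return False, "530 authentication required"

    if is_local:
        return True, "250 local delivery"

    # Recipient is not local, so this is a relay request.
    if not policy.restrict_relay:
        if policy.require_smtp_auth:
            return True, "250 relay for authenticated sender"
        return True, "250 relay (OPEN RELAY: no auth and no relay restriction)"

    if env.authenticated or on_approved_net:
        return True, "250 relay permitted"
    return False, "550 relaying denied"
```

The open-relay case is accepted deliberately so the model matches what the server would actually do; `is_open_relay` is the check an administrator would run against the configuration before exposing port 25.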
What Mail Service Doesn’t Do
Mail service provided by Mac OS X Server does not support
• mailing lists
• virtual domains (user@example1.com and user@example2.
Setup Overview
You can have mail service set up and started as part of the Mac OS X Server installation process. An option for setting up mail service appears in the Setup Assistant application, which runs automatically at the conclusion of the installation process.
• If you use Mac OS X Server to provide DNS service, create your own MX records as described in “Using DNS With Mail Service” on page 554 in Chapter 14, “DNS Service.”
• If you do not set up an MX record for your mail server, your server may still be able to exchange mail with some other mail servers. Some mail servers will find your mail server by looking in DNS for your server’s A record.
• “Limiting Junk Mail” on page 421
• “Working With Undeliverable Mail” on page 425
Step 7: Set up accounts for mail users
Each person who wants mail service must have a user account in a directory domain accessible by your mail service. The short name of the user account is the mail account name and is used to form the user’s mail address.
• If your server will provide mail service over the Internet, you need a registered domain name. You also need to determine whether your ISP will create your MX records or you will create them in your own DNS service.
• Identify the people who will use your mail service but don’t already have user accounts in a directory domain accessible to your mail service. You will have to create user accounts for these mail users.
Requiring or Allowing Kerberos Authentication
You can choose to require, allow, or disallow the Kerberos authentication method for all SMTP, IMAP, and POP mail service. Before enabling Kerberos authentication for mail service, you must integrate Mac OS X with a Kerberos server. For instructions, see “Integrating Mac OS X With a Kerberos Server” on page 206 in Chapter 3, “Users and Groups.”
If a domain name in this list does not have an MX record, only your mail service recognizes it. External mail sent to this domain name will be returned. You should place domain names without MX records in this list only as a time saver for local (internal) mail.
Changing Protocol Settings for Mail Service
You can change the settings for all protocols that your mail service uses. These may include SMTP, IMAP, POP, and NotifyMail.
For detailed instructions, see “Setting Up SSL for Mail Service” on page 614 of Chapter 17, “Tools for Advanced Administrators.”
Working With Settings for Incoming Mail
You can change settings that affect mail coming to users of your mail service, including mail your users receive from one another. The mail service has settings for limiting incoming message size, deleting incoming messages automatically, and notifying users who have new mail.
Notifying Users Who Have New Mail
Rather than require each user to periodically check for new mail, the mail service can notify users when they have new mail. To do this, you set your mail service to use the NotifyMail protocol.
To set your mail service to use NotifyMail:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable NotifyMail.
3 Click the Protocols tab and select Enable POP3, if it is not already checked.
4 Click POP3 Options.
5 Select “Require APOP authentication” and click Save.
APOP is a challenge-response method: the client sends an MD5 digest of the server’s greeting timestamp and the password rather than the password itself, so the password never crosses the network in the clear. The server, however, must be able to recover each user’s plaintext password in order to verify the digest.
Changing the POP Response Name
You can change the DNS name that your POP mail service sends back to a user’s mail client software when the client initiates a POP connection.
To change the POP response name:
1 In Server Settings, click the Internet tab.
The mail service has settings for requiring secure IMAP authentication, changing the IMAP response name, using case-sensitive IMAP folder names, controlling IMAP connections per user, terminating idle IMAP connections, and changing the IMAP port number. All these settings are described in this section.
To allow case-sensitive IMAP folder names:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable IMAP, if it is not already checked.
4 Click IMAP Options.
5 Select “Use case-sensitive IMAP folder names” and click Save.
Changing the IMAP Port Number
The default port for incoming IMAP connections is 143. You can change this port number, but you’ll need to change the port number for IMAP client computers as well. Make sure you don’t change to a port number already in use by another service or operation.
To change the IMAP port number:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
4 Choose “Limit to local users” from the pop-up menu, then click Save.
If you limit outgoing mail to local users, all the options in the Outgoing Mail pane are disabled because they are not relevant to local outgoing mail.
Suspending Outgoing Mail Service
You can prevent the mail service from sending new outgoing mail. You could do this to isolate a problem, or to prevent conflicts with another mail service running on your network.
Note: If you configure your mail service to require CRAM-MD5, mail users’ accounts must be set to use a Password Server that has CRAM-MD5 enabled.
To require SMTP authentication:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose Apple Mail Service SMTP from the pop-up menu.
4 Click SMTP Options.
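Both APOP (the POP3 option described earlier in this chapter) and CRAM-MD5 (the SMTP option here) are challenge-response methods, and the reason CRAM-MD5 needs a Password Server with CRAM-MD5 enabled is visible in the server side of the exchange: the server must hold a recoverable copy of the password to recompute the response. The following added example, not Apple's code, runs both exchanges offline with both sides shown. The greeting banners, user name and passwords are constructed; the digest constructions follow RFC 1939 (APOP) and RFC 2195 (CRAM-MD5).

```python
"""APOP (RFC 1939) and CRAM-MD5 (RFC 2195) challenge-response authentication,
client and server side. Added example, not Apple's mail service code."""
import base64
import hashlib
import hmac


# ---- APOP: MD5(<timestamp-banner> + password), hex encoded ----------------
def apop_digest(timestamp_banner: str, password: str) -> str:
    """Client side: the banner is the <...> timestamp from the server greeting,
    including the angle brackets, immediately followed by the shared secret."""
    return hashlib.md5((timestamp_banner + password).encode()).hexdigest()


def apop_server_verify(timestamp_banner: str, stored_password: str, client_digest: str) -> bool:
    """Server side: needs the plaintext password to recompute the digest."""
    expected = apop_digest(timestamp_banner, stored_password)
    return hmac.compare_digest(expected, client_digest)


# ---- CRAM-MD5: HMAC-MD5(key=password, msg=challenge) -----------------------
def encode_challenge(challenge: str) -> str:
    """Server side: the challenge is sent base64-encoded after '334 '."""
    return base64.b64encode(challenge.encode()).decode()


def cram_md5_response(challenge_b64: str, username: str, password: str) -> str:
    """Client side: base64('<username> <hex HMAC-MD5>')."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_server_verify(challenge_b64: str, lookup_password, response_b64: str):
    """Server side: decode the response, look up the user's plaintext password
    via lookup_password(user) -> str | None, recompute and compare in constant
    time. Returns (ok, username)."""
    try:
        user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:
        return False, None
    password = lookup_password(user)
    if password is None:
        return False, None
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest), user
```

Neither method encrypts the mail itself, and both are offline-guessable if the exchange is captured, so they complement rather than replace SSL.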
• The incoming and outgoing SMTP response names are typically the same.
• The incoming and outgoing response names should match the DNS name that another server would get by doing a reverse DNS lookup of your server’s IP address.
• If your server connects to the Internet via an Internet gateway or router that uses Network Address Translation (NAT), your server effectively has the IP address of the Internet gateway or router.
Changing the Outgoing SMTP Port Number
You can change the port number that your SMTP service uses when attempting to send outgoing mail to other servers. The standard port for outgoing SMTP connections is 25. You can change this port number, but do so carefully. If you use a nonstandard outgoing SMTP port, your server will be unable to deliver outgoing mail to other servers unless they use this nonstandard port for their incoming SMTP mail.
To configure Sendmail to start automatically every time the system starts up, you need root privileges; edit the /etc/hostconfig file, find the line containing MAILSERVER, and make it read as follows:
MAILSERVER=-YES-
To keep Sendmail from starting when the system starts up, change the line to the following:
MAILSERVER=-NO-
The Sendmail program will not operate if the permissions of the root directory are changed: Sendmail refuses to run when the root directory is group- or world-writable, because a user who can write to / could substitute its configuration files.
Working With the Mail Database
The mail database keeps track of messages for all mail service users. Mail service stores messages in separate files.
3 Click the General tab, select “Use alternate mail store location,” and enter the path of the location where you want the mail files to be stored.
The mail database and message files must all be in a folder named AppleMailServer; this folder may be located anywhere. Thus, the path you enter must end with AppleMailServer.
4 In Server Settings, click the Internet tab, click Mail Service, and choose Start Mail Service.
Configuring Automatic Mail Deletion
If disk space is limited on your server, you can have read and unread mail automatically deleted from your server at specified times. If you choose this option, you should let your users know how long their messages will remain on the server before being deleted.
To configure administrator access to the database:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable IMAP, if it is not already checked.
4 Click IMAP Options.
5 Select Allow IMAP Administrator Access and optionally change the port number.
6 Click Save.
Because this gives an administrator IMAP access to other users’ mail, enable it only while you need it and keep the port it uses away from untrusted networks.
• when mail service connections time out
This section describes how to change these settings.
Specifying DNS Lookup for Mail Service
You can specify the type of DNS records you want your mail service to use when it looks up the server for an address of an outgoing message, such as user@example.com. Your mail service can look up another server by requesting
• Only an MX list. An MX list consists of one or more MX records for an Internet domain.
Select “Respect ‘Time to Live’ (TTL) DNS Settings” if you want to use the default settings of the DNS service. Ordinarily, your mail service resends mail repeatedly until it makes a connection with the server at the destination. TTL specifies how long your mail service continues requesting connection information from DNS before giving up and generating a nondelivery report.
5 Click Save.
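The lookup policies above, together with the earlier note that a server without an MX record can still be found through its A record, determine which hosts an outgoing message is tried against and in what order. The following added example, not Apple's code, works that selection through for the three policies (MX list only, A record only, MX list then A record; the third policy name and the exact fallback order are assumptions) over a constructed in-memory DNS table, so it runs offline.

```python
"""Choosing delivery hosts for an outgoing message under the DNS lookup
policies described in the guide. Added example, not Apple's code; the zone
data below is constructed."""

DNS = {  # constructed zone data: (name, record type) -> records
    ("example.com", "MX"): [(20, "backup.example.com"), (10, "mail.example.com")],
    ("example.com", "A"): ["192.0.2.1"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("backup.example.com", "A"): ["192.0.2.26"],
    ("school.com", "A"): ["198.51.100.7"],        # domain with no MX record
}


def query(name: str, rtype: str, dns=DNS):
    return dns.get((name.lower(), rtype), [])


def delivery_hosts(recipient: str, policy: str = "mx_then_a", dns=DNS):
    """Return an ordered list of (host, ip) pairs to try for the recipient's
    domain, lowest MX preference first.
    policy: 'mx_only'   - use MX records only; no MX means no delivery
            'a_only'    - ignore MX records, connect to the domain's A record
            'mx_then_a' - MX records, falling back to the A record (assumed name)
    An empty list means the message should get a nondelivery report."""
    domain = recipient.rsplit("@", 1)[-1]
    if policy in ("mx_only", "mx_then_a"):
        mx_records = sorted(query(domain, "MX", dns))   # sort by preference
        targets = []
        for _pref, host in mx_records:
            for ip in query(host, "A", dns):
                targets.append((host, ip))
        if targets:
            return targets
        if policy == "mx_only":
            return []
    return [(domain, ip) for ip in query(domain, "A", dns)]
```

Note that under `mx_only` a domain like school.com, which publishes only an A record, is undeliverable; that is the trade-off the guide's "Only an MX list" option makes.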
• Log and optionally reject an SMTP connection from a server whose DNS name doesn’t match a reverse-lookup of its IP address. For instructions, see “Checking for Mismatched SMTP Server Name and IP Address” on page 423.
• Reject SMTP connections from servers that are blacklisted as open relays by an Open Relay Behavior-modification System (ORBS) server. For instructions, see “Rejecting Mail From Blacklisted Senders” on page 424.
Rejecting SMTP Connections From Specific Servers
Your mail service can reject non-authenticated SMTP connections from servers on a disapproved-servers list that you create. Only someone who has an account with a CRAM-MD5 or Kerberos password on your server can send your users mail or relay mail through your server from a disapproved server.
5 Click Save.
Your SMTP mail service may be unable to do a successful reverse-lookup of a server that identifies itself in a nonstandard way. Specifically, the SMTP service can determine the server name in a HELO command that doesn’t deviate too much from standard form. The SMTP service can determine the server name and do a reverse-lookup from HELO commands like the following:
helo mail.example.com
helo I am mail.example.
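The three checks described in this part of the chapter (the HELO name against the reverse lookup of the client's address, the disapproved-servers list with its exemption for authenticated users, and the choice between logging and rejecting a mismatch) can be seen together in one connection-acceptance function. The following is an added example, not Apple's code. The reverse-lookup table, the addresses and the host names are constructed so it runs offline; the tolerant HELO parsing is one plausible reading of "doesn't deviate too much from standard form", not the service's actual rule.

```python
"""HELO-vs-reverse-lookup check and disapproved-server list for an SMTP
service. Added example, not Apple's code; PTR data is constructed."""
import re

PTR_TABLE = {  # constructed reverse-lookup data: ip -> name
    "203.0.113.10": "mail.example.com",
    "198.51.100.5": "relay.spammer.example",
}

HOST_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def reverse_lookup(ip: str, table=PTR_TABLE):
    return table.get(ip)


def helo_hostname(line: str):
    """Pull a host name out of a HELO/EHLO line, tolerating padding words such
    as 'helo I am mail.example.com'. Returns None when no dotted name is found."""
    parts = line.strip().split(None, 1)
    if len(parts) < 2 or parts[0].upper() not in ("HELO", "EHLO"):
        return None
    m = HOST_RE.search(parts[1])
    return m.group(1).lower().rstrip(".") if m else None


def helo_matches_reverse(line: str, ip: str, table=PTR_TABLE) -> bool:
    """False when the names differ or when either side cannot be determined."""
    name = helo_hostname(line)
    ptr = reverse_lookup(ip, table)
    if name is None or ptr is None:
        return False
    return name == ptr.lower()


def accept_connection(ip, helo_line, disapproved, authenticated,
                      reject_mismatch=False, table=PTR_TABLE):
    """Return (accepted, reply). disapproved: set of IPs and host names.
    Authenticated users bypass the disapproved list, as the guide states."""
    ptr = reverse_lookup(ip, table)
    if not authenticated and (ip in disapproved or (ptr and ptr in disapproved)):
        return False, "550 connection from disapproved server"
    if not helo_matches_reverse(helo_line, ip, table):
        if reject_mismatch:
            return False, "550 HELO name does not match reverse lookup"
        return True, "250 accepted (name mismatch logged)"
    return True, "250 ok"
```

Treat the mismatch check as a heuristic: an address with no PTR record at all fails it, which is common for legitimate small senders, so logging before rejecting is the safer first step.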
Allowing SMTP Relay for a Backup Mail Server
If your network has more than one mail server, one can be designated as a backup server to deliver mail in case the primary server goes down. (Backup mail servers are designated by MX records.) A backup mail server may need to relay SMTP mail. You can set your server to ignore SMTP relay restrictions when accepting mail as a backup server for another mail server.
Forwarding Undeliverable Incoming Mail
You can have mail service forward messages that arrive for unknown local users to another person or a group in your organization. Whoever receives forwarded mail that’s incorrectly addressed (with a typo in the address, for example) can forward it to the correct recipient. If forwarding of these undeliverable messages is disabled, they are returned to sender.
Sending Nondelivery Reports to Postmaster
When a user on your network sends mail that can’t be delivered, a nondelivery report is sent back to the user. If for some reason the report can’t be delivered, you can set up mail service to send the report to the postmaster account. Be sure you’ve set up a user account named “postmaster.
Viewing Connected Mail Users
The Server Status application can list the users who are currently connected to the mail service. For each user, you see the user name, IP address of the client computer, type of mail account (IMAP or POP), number of connections, and the connection length.
To view a list of mail users who are currently connected:
1 In Server Status, select Mail in the Devices & Services list.
2 Click the Connections tab.
Reclaiming Disk Space Used by Mail Service Logs
Mac OS X Server automatically reclaims disk space used by mail service logs when they reach a certain size or age. If you are comfortable using the Terminal application and UNIX command-line tools, you can change the criteria that determine when disk space is reclaimed.
Email client software | Mac OS X Server | Example
Host name, Mail server, or Mail host | Mail server’s full DNS name or IP address, as used when you log in to the server in Server Settings | mail.example.com or 192.168.50.1
Email address | User’s short name, followed by the @ symbol, followed by one of the following: the server’s Internet domain (if the mail server has an MX record in DNS), the mail server’s full DNS name, or the server’s IP address | steve@example.
Performance Tuning
Mail service needs to act very fast for a short period of time. Mail service sits idle until a user wants to read or send a message, and then it needs to transfer the message immediately. Therefore, mail service does not put a heavy continuous demand on the server; it puts intense but brief demands on the server.
An incremental backup of the mail service folder can be fast and efficient. If you use a third-party application to back up the mail service folder incrementally, the only files copied are the small database file and the message files that are new or changed since the last backup.
For more information about Sendmail, see this Web site:
www.sendmail.org
You can find out more about servers that filter junk mail at this Web site:
www.ordb.org
For technical details about how mail protocols work, see these RFC documents:
• POP: RFC 1725
• IMAP: RFC 2060
• SMTP: RFC 821 and RFC 822
For simple explanations about mail service, see this Web site:
www.whatis.com
Search for any technical term to find a simple explanation of the term.
CHAPTER 10
Client Management: Mac OS 9 and OS 8
Macintosh Manager provides network administrators with a centralized method of managing Mac OS 9 and Mac OS 8 client computers, controlling access to software and removable media, and providing a consistent, personalized experience for users.
Transition Strategies for Macintosh Manager
If you are migrating to Macintosh Manager 2.2.2 from an earlier version, you can do a simple upgrade to the new Macintosh Manager. Functionality remains much the same, but you may notice some differences in how Macintosh Manager stores certain items.
Depending upon the computer being used, the network configuration, and access privileges, the user may have access to various resources such as printers, applications, and volumes. Settings for the computer, the workgroup, and the user determine the final set of privileges and preferences that define the user experience for an individual.
Finding Applications
Approved applications for Panels and Restricted Finder workgroups are located in the “Items for workgroup name” folder inside the user’s home directory. For users in a Finder workgroup, applications are stored in the client computer’s Applications folder or Applications (Mac OS 9) folder.
Administrator Computer Requirements
Software
• Mac OS X Server (with Macintosh Manager administrator software) installed
If you want to access the administrator software on a nonserver computer, you can also install only the Macintosh Manager administrator software (the computer must use either Mac OS X version 10.2 or Mac OS 9.2 as the operating system).
To set up an administrative client computer:
1 Make sure the computer meets minimum requirements.
2 Make sure the system software is either Mac OS X or Mac OS 9.2.
3 Make sure necessary applications are installed.
4 Set up printer access using either Print Center (for Mac OS X) or Desktop Printer Utility (for Mac OS 9).
5 Install Macintosh Manager administrator and client software.
3 Restart the computer.
To stop managing Mac OS 8 client computers, remove the Multiple Users startup extension from the System Folder and restart the computer.
For computers using Mac OS 8.6, a user in the Finder environment can access the Startup Disk control panel. Disable the control panel with Extensions Manager before you use Macintosh Manager with those computers.
When a user connects to a Macintosh Manager server, the client computer should use the same language software that was used during any previous connections.
Macintosh Manager’s design prevents users from renaming Macintosh Manager files or changing the file type or creator. In addition, the Macintosh Manager extension is not affected if a computer is restarted with extensions off, and users cannot disable the Macintosh Manager extension by moving it or turning it off.
• Multi-User Items file: This file contains an archive of the files currently inside the Multi-User Items folder. Do not open or modify the file. If it is deleted, it is created again the next time you use Macintosh Manager.
• Printers folder: This folder contains files that represent the desktop printers you set up in Macintosh Manager. A file is created for each desktop printer used by a Macintosh Manager workgroup.
For more information about Directory Services, see Chapter 2, “Directory Services.”
(Figure: shared information between Workgroup Manager data (users, groups, computer lists) and Macintosh Manager data (users, workgroups, computer lists), linked through Directory Services by user ID, user name, and password.)
Macintosh Manager uses the user ID to verify and obtain a user’s user name and password through Directory Services and to find the user’s home directory.
How Macintosh Manager Works With Home Directories
You can set up home directory locations when you create user accounts. If a user doesn’t have a home directory, he or she will not be able to log in. Mac OS 9 and Mac OS 8 managed clients mount the user’s home directory automatically when a user logs in. The user is the owner of his or her own home directory and has full access to its contents.
Using the MMLocalPrefs Extension
If some applications create excess network activity, storing preferences locally may help decrease the overall burden on your network. You can install the MMLocalPrefs extension on Mac OS 9 computers to allow Macintosh Manager to store and access user preferences locally. Using the MMLocalPrefs extension may increase login and logout times because user preferences need to be copied to and from the local hard disk.
Setting Up Mac OS 9 or Mac OS 8 Managed Clients
The following steps provide an overview of the initial setup process for managing clients in Macintosh Manager. Detailed information and tasks related to each part of the process are contained in other sections of this chapter as indicated by page references.
Step 1: Make sure Macintosh Manager services are available
In the General pane of Server Settings, click the Macintosh Manager service icon.
Step 7: Create computer lists
Computer lists let you group computers and apply the same settings to all the computers. You can use a template to apply settings to a computer list. The All Other Computers account lets you provide managed network access to computers that aren’t in a computer list. For more information about using computer lists, see “Setting Up Computer Lists” on page 476.
2 Choose Preferences from the Macintosh Manager menu (in Mac OS X) or choose Preferences from the File menu (in Mac OS 9).
3 Select settings for sorting users (by either name or type).
4 Select settings for sorting workgroups (by either name or environment).
5 Select a format for reports exported to a text file (using either tabs or commas to separate information fields).
Importing All Users
If you have a small number of users in your Mac OS X Server database, you may want to import them to Macintosh Manager all at once. You can import up to 10,000 users with the Import All feature.
To import all users:
1 In Macintosh Manager, click Users.
2 Click Import All.
An individual Macintosh Manager user account is created for each imported user.
To collect user information in a text file:
1 Make sure each user in the file already exists in directory services. Information for missing users is ignored.
2 Make sure each line of user information is separated by a hard return. If you have multiple items of user information on each line, make sure the items are separated by either commas or tabs.
3 Make sure the file is saved as plain text and has “.txt” at the end of the file name.
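The import file described above has a simple shape: one user per line, fields separated by commas or tabs, and lines for users that are not in directory services are ignored. The following added example, not Apple's Macintosh Manager code, parses such a file and applies that rule. The field layout (short name first, then an optional comment) and the directory lookup (a set of known short names) are assumptions; the sample file is constructed, and classic Mac OS carriage-return line endings are handled since "hard return" on a Mac OS 9 client produces them.

```python
"""Parser for a Macintosh Manager style user-import text file. Added example,
not Apple's code; field layout and directory lookup are assumptions."""
import csv
import io


def normalize_line_endings(text: str) -> str:
    """Classic Mac OS text uses CR; Windows uses CRLF. Map both to LF."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def detect_delimiter(text: str) -> str:
    """Tabs win if any appear; otherwise fields are comma separated."""
    return "\t" if "\t" in text else ","


def parse_import_file(text: str, directory_users):
    """Return (imported, skipped).
    imported: list of {"short_name", "comment"} for users present in
              directory_users (a set of short names known to directory services)
    skipped:  short names of lines ignored because the user does not exist."""
    text = normalize_line_endings(text)
    delimiter = detect_delimiter(text)
    imported, skipped = [], []
    for row in csv.reader(io.StringIO(text), delimiter=delimiter):
        if not row or not row[0].strip():
            continue                      # blank line
        short_name = row[0].strip()
        comment = row[1].strip() if len(row) > 1 else ""
        if short_name in directory_users:
            imported.append({"short_name": short_name, "comment": comment})
        else:
            skipped.append(short_name)    # "Information for missing users is ignored"
    return imported, skipped


# Constructed sample file, comma separated, with one user who is not in the directory.
SAMPLE_IMPORT = "steve,Grade 5 teacher\nron,Visiting student\nnobody-here,Typo in name\n"
```

Reporting the skipped names, rather than silently dropping them as the feature does, is the check to run before an import so that a typo does not leave a user without an account.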
4 Select the kinds of search information you want to use. If you select Comment, you can find users that have certain words in their comment fields.
Providing Quick Access to Unimported Users
If you want to allow user access to a managed network without having to set up user accounts, you can use the All Other Users feature, or you can set up a guest user account.
Providing Access to Unimported Mac OS X Server Users
After you enable the All Other Users feature, Macintosh Manager creates the All Other Users account and makes it available in the Imported Users list. You can treat the All Other Users account like any other user account with its own workgroup and settings, with a few exceptions:
• Computer checkout is not allowed.
• Working offline at a client computer is not allowed.
3 Click Users, and select Guest in the Imported Users list. In the Basic and Advanced panes, select the settings you want to use.
4 Click Workgroups. Create a workgroup for the Guest account, or select an existing workgroup and add Guest to the Workgroup Members list in the Members pane.
5 Provide access to computers by making one or more lists of computers available to these workgroups.
6 Click Save.
About Workgroup Administrators
Workgroup administrators can add or modify user accounts and workgroups according to privileges assigned to them. Regardless of privileges, they cannot change a user’s type or change access settings, and they cannot create Finder workgroups. Workgroup administrators also have access to shared folders, such as hand-in folders, which can be used to collect documents from users.
Working With User Settings
This section describes basic and advanced user settings and how to use them. Available settings in the Advanced pane vary depending upon the user type. All users have the same options available for basic settings regardless of user type.
Changing Basic User Settings
Name, short name, and ID information is imported with each user. This information cannot be changed in Macintosh Manager.
Granting a User System Access
Users who have system access can access all items on a client computer, including the Finder and the System Folder. Grant system access to specific users, such as workgroup administrators or technical support staff, only if necessary. Macintosh Manager administrators always have system access.
To allow system access for a user:
1 In Macintosh Manager, click Users, and then click Advanced.
3 Select “Set user storage quota to __ K” and type the maximum amount of storage space to allow in kilobytes (1024 kilobytes = 1 megabyte). When you set a storage quota, keep in mind the amount of space available and the number of users who will share it.
4 To allow a user to save files even if he or she exceeds the set quota, select “Only warn user if they exceed this limit.”
5 Click Save.
Types of Workgroup Environments
Workgroups can have one of three types of desktop environments. All three types have some optional settings in common. Important differences are described below.
• Finder workgroups have the standard Mac OS desktop. The System Folder and Applications folder are not automatically protected, but you can choose to protect them.
Using a Template to Apply Workgroup Settings
You can use a template to quickly create several workgroups that have the same settings. Once you modify the template, each new workgroup you create will have the template settings. You can make additional changes to the workgroup after it is created.
Note: Once you set up a template, you cannot reset it to its original state. You can, however, change template settings any time you want.
4 To add new members, select one or more users in the Available Users list and click Add. To remove members, select members in the Workgroup Members list, and click Remove.
5 Click Save.
Using Items Settings
Items settings let you make files and applications on client computers available to workgroup members.
Making Items Available to Panels or Restricted Finder Workgroups
If you choose to allow access to only specific items, the items appear in the Approved Items list. Macintosh Manager creates an alias for each item in the list. Aliases for approved items appear either on a panel for Panels workgroups or in a folder on the desktop for Restricted Finder workgroups.
Making Items Available to Individual Users
In some cases, you may want to make specific documents or applications available to individual users. For example, a user working on a special video project may require a video-editing application that other workgroup members don’t need.
To make items available to a specific user:
• Place the items in the user’s home directory.
Preventing Applications From Altering Files
Enforcing file-level security prevents applications from writing to protected folders and files, but it may cause some older applications to report disk errors or have problems opening. If you don’t enforce file-level security, applications can write information (for example, temporary data or preferences) wherever necessary.
3 Select “Take Screen Shots,” then click Save.
If disk space is a concern, you may not want to enable this feature.
Allowing Users to Open Applications From a Disk
If you use a list of “approved items” (applications or scripts) that users can access, users in a Panels or Restricted Finder workgroup cannot open applications on removable media (for example, floppy disks) unless you allow it. Finder workgroups do not have this restriction.
3 Select each menu item you want workgroup members to be able to use, then click Save.
Sharing Information in Macintosh Manager
Macintosh Manager provides a number of ways to share information among users or workgroups by using different types of shared folders. Most shared folders are created inside the group documents volume. Some folders are created automatically, but others must be created by the administrator.
Folder Access Privileges
Macintosh Manager allows four levels of access privileges for workgroup folders:
Access setting | What it means
Read Only | Users can view and open items in the folder, but they cannot modify them, and they cannot “write to” the folder. For example, they cannot save a file in the folder.
Write Only | Users cannot view or open items in the folder, but they can write information to the folder.
2 Click Workgroups, then click Privileges.
3 Select one or more workgroups in the Workgroups list.
4 In the Privileges section, set “Workgroup shared folder” to Read & Write, then click Save.
If you want to prevent users from changing the documents in the workgroup shared folder, you can lock each document.
Setting Up a Hand-In Folder
A hand-in folder works like a drop box.
Providing Access to Server Volumes
If workgroup members need to use files and applications that are not stored on the Macintosh Manager server, you can mount volumes automatically when users log in. Even if you don’t set up a server volume to mount automatically, users can still connect to it if they have access to the network and have an account on (or guest access to) that server.
Using Printers Settings
Printers settings let you control access to workgroup printers and limit the number of pages printed. Some settings are available only if you select “Allow members to use only the following Desktop Printers.”
Making Printers Available to Workgroups
Before you can make a printer available to a workgroup, the printer must appear in the Available Printers list.
Restricting Access to Printers
You can restrict access to a printer by removing it from the Selected Printers list or by requiring a password to use it.
To restrict access to a printer:
1 In Macintosh Manager, click Workgroups, and then click Printers.
2 Make sure “Allow members to use only the following Desktop Printers” is selected.
3 Select a printer in the Selected Printers list.
3 Click Save.

Setting Up a System Access Printer
If the printer you want to use doesn’t support desktop printing software, you can make the printer available as a system access printer. The system access printer becomes the default printer for the selected workgroup. Users who can see the Chooser can select any printer visible to them.
Using Options Settings
Options settings are used to set up a group documents folder, create a login message for workgroups, set startup and login events, and allow users in Panels or Restricted Finder workgroups to eject CDs.

Choosing a Location for Storing Group Documents
You can use a group documents location to store folders and files you would like to make available to everyone in a workgroup.
To open items at startup:
1 Before you enable the Startup Items option for Macintosh Manager clients, make sure you place the items you want to open at startup in the correct location. On Mac OS 9 computers, place items in the user's personal Startup Items folder, located on the server at /Library/Classic/Startup Items inside the user's home directory. Do not place items in the local Mac OS 9 System Folder.
Setting Up Computer Lists
You can use Macintosh Manager to manage computers by grouping several computers together and choosing settings for them. Once you create a list of computers you want to manage, you can select workgroups that are allowed to use them, and you can customize control settings, security settings, and login settings for each list. Checkout features are used to manage portable computers such as iBooks.
3 Choose the settings you want to use in each of the Computers panes, then click Save.

Duplicating a Computer List
You can easily create a computer list with the same settings as one you have already created. A duplicate list doesn’t contain any computers, because a computer cannot be in more than one list, but its settings are the same as the original’s.
2 Select a computer list, then set one of the login options explained in the steps that follow.
3 Select “Disabled--Ask User” to allow the user to choose to shut down the computer, go to the Finder (if the user has an administrator password), or pick a new Macintosh Manager server.
4 Select “Disabled--Go to Finder” to take the user to the Finder automatically.
Using Control Settings
Control settings are used to set email settings, in addition to options that affect the clock, hard disk name, and automatic disconnect.

Disconnecting Computers Automatically to Minimize Network Traffic
While a computer is connected to a network, even if no user is logged in, it looks for updates to databases on the server at regular intervals. On very large networks, you may notice delays in client response.
To use a specific hard disk name:
1 In Macintosh Manager, click Computers, and then click Control.
2 Select a computer list, then select “Force computer hard disk name to __” and type in the name you want to use (for example, Macintosh HD).
3 Click Save.
If you have difficulty using Macintosh Manager to specify a hard disk name for computers, make sure file sharing is turned off on the client computers.
Idle logout occurs when there is no user activity (such as typing or using the mouse) for a specified period of time. For example, suppose you enable idle logout after 15 minutes. A user logs in, works for a while, and then leaves the computer to go have a snack without logging out. When the user returns after 15 minutes, the session has already been logged out, and the user must enter a user name and password again to regain access.
To allow access to only specific CDs or DVDs:
1 In Macintosh Manager, make sure you have already set up a list of approved discs and items in the CD-ROMs pane of the Global pane. See “Using Global CD-ROM Settings” on page 490 for instructions.
2 Click Computers, then click Security and select a computer list.
3 Select “Access approved CD-ROMs only.
Allowing Users to Work Offline
If the Macintosh Manager server or a user’s home directory is not available, you can still allow offline computer use. The user must still log in, even though the Macintosh Manager server is not available. If the home directory is not available, users may not be able to save their documents.
To allow users to work offline:
1 In Macintosh Manager, click Computers.
2 Click Security and select a computer list.
If you want NetBoot client computers to choose a different Macintosh Manager server, remove the DNSPlugin extension from the NetBoot image.

Allowing Users to Force-Quit Applications
If you allow users to force-quit applications, they can press Command-Option-Esc to force an application to quit.
Note: Allowing this option may pose a security risk.
To allow users to force-quit:
1 In Macintosh Manager, click Computers.
2 Click Log-In and select a computer list.
3 Select “Users choose their name from a list (1-2000 users)” to use the list option. If you do not want administrator names to appear in the list, select “List displays users only (no administrators).”
4 If you do not want to use a list, select “Users type their name.”
5 Click Save.

Creating Login Messages for Computers
You can create two types of messages for computers.
Managing Portable Computers
It is important to plan how you want to manage portable computers that have access to your network. This section gives suggestions for managing portable computers and tells you how to use Macintosh Manager’s checkout feature.

Portable Computers With Network Users
You can let users share specific portable computers, such as those in an iBook Wireless Mobile Lab.
3 Select “These computers can be Checked Out” and then select one of the checkout options in the steps that follow.
4 Select “All users are allowed to Check Out these computers” to allow this option.
5 Select “Allow only the following users to Check Out these computers” to restrict checkout to a list of specific users. Then, select users in the Available Users list and click Add to make them allowed users.
Setting the Number of Items in a Report
You can set the maximum number of log entries to show in Macintosh Manager reports.
Note: The Connected Users report will show only up to 300 log entries, even if the maximum number of log entries you set is greater than 300.
To set how many log entries are tracked:
1 In Macintosh Manager, click Global, and then click Security.
2 In the text box next to “Maximum number of log entries,” type a number.
2 If “Users can change their passwords” is selected, deselect it.
3 Click Save.
Note: In order to use Password Server with Macintosh Manager, users must be able to change their passwords. If you plan to use Password Server, make sure the “Users can change their passwords” option is selected. For more information about Password Server, see “Using a Password Server” on page 200.
Netscape ƒ (cache folder inside is deleted)
Newswatcher Preferences
RealAudio Player Preferences
StuffIt Expander Preferences
To set how Mac OS 8 user preferences are copied:
1 In Macintosh Manager, click Global, and then click Security.
2 Select one of these options:
To copy all preference items, select “Copy entire Preferences folder.”
To copy only certain preference items, select “Copy only Internet or administrator-defined preferences.
Managing Preferences
You can use the Managed Preferences folder to customize how application preferences and system preferences are handled to meet your particular needs and goals. For example, you can make sure that users always start out with a specific set of preferences, or that some user-set preferences are never overridden. A Managed Preferences folder is created on the workgroup data volume the first time any member of a workgroup logs in.
3 Create any preferences you want to place in the Initial Preferences folder.
4 Copy the preferences you created to the Initial Preferences folder on the group documents volume.
5 In the Finder, select the Initial Preferences folder and press Command-I to open the Show Info window.
6 Choose Sharing from the Show pop-up menu.
7 Select “Share this item and its contents” and make sure the privileges are correct.
• Mac OS 9 clients: When a user logs in, Macintosh Manager compares preference folders and files in the /Library/Classic folder of a user’s home directory to items in the Forced Preferences folder. Macintosh Manager deletes any matching items from the user’s folder and replaces them with preferences from the Forced Preferences folder.
When you use Preserved Preferences, this is what happens during login and logout on a Mac OS 8 client:
• When a user logs in: Macintosh Manager scans the Preserved Preferences folder and builds a list containing the names of the files and folders inside. Macintosh Manager automatically adds the names of the preferences that are always copied to create a combined list.
The table below lists certain preferences that are always copied, and other preferences that are never copied. You do not have to include any of these preferences in the Preserved Preferences folder.
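The following is an added example, not code from Apple or from Macintosh Manager, that simulates the two login behaviours described above using temporary folders. Forced Preferences: every item in the user's preference folder whose name matches an item in the Forced Preferences folder is deleted and replaced with the administrator's copy (this example also copies forced items the user did not yet have; the guide does not say whether Macintosh Manager does, so treat that as an assumption). Preserved Preferences: the names of the items in the folder are merged with the always-copied names into one combined list. The preference file names and the ALWAYS_COPIED set are constructed stand-ins, not the guide's table.

```python
"""Simulation of Forced Preferences replacement and the Preserved Preferences
name list at login. Added example; not Apple's code. All folder layouts and
preference names below are constructed for illustration."""
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for the guide's "always copied" table (assumption).
ALWAYS_COPIED = {"Example Internet Prefs", "Example Mail Prefs"}


def apply_forced_preferences(user_prefs: Path, forced: Path) -> list:
    """Copy each item in `forced` into `user_prefs`, deleting any item there
    that has the same name first. Returns the sorted names that were replaced.
    Matching is by name only, which is what the guide describes."""
    replaced = []
    for item in forced.iterdir():
        target = user_prefs / item.name
        if target.exists():
            if target.is_dir():
                shutil.rmtree(target)
            else:
                target.unlink()
            replaced.append(item.name)
        if item.is_dir():
            shutil.copytree(item, target)
        else:
            shutil.copy2(item, target)
    return sorted(replaced)


def preserved_name_list(preserved: Path, always_copied=ALWAYS_COPIED) -> list:
    """Names of the items in the Preserved Preferences folder combined with
    the always-copied names: the list consulted at login and logout."""
    names = {item.name for item in preserved.iterdir()}
    return sorted(names | set(always_copied))


def demo() -> dict:
    """Build a throwaway layout, run both steps, and report what happened."""
    root = Path(tempfile.mkdtemp())
    try:
        # Mac OS 9 client layout: preferences live in /Library/Classic of the home folder.
        user_prefs = root / "home" / "Library" / "Classic"
        user_prefs.mkdir(parents=True)
        (user_prefs / "Browser Prefs").write_text("user-set")
        (user_prefs / "Clock Prefs").write_text("user-set")

        forced = root / "Forced Preferences"
        forced.mkdir()
        (forced / "Browser Prefs").write_text("admin-set")   # matches a user item
        (forced / "Proxy Prefs").write_text("admin-set")     # user has no copy yet

        preserved = root / "Preserved Preferences"
        preserved.mkdir()
        (preserved / "Clock Prefs").write_text("")           # name is what matters

        replaced = apply_forced_preferences(user_prefs, forced)
        return {
            "replaced": replaced,
            "browser": (user_prefs / "Browser Prefs").read_text(),
            "clock": (user_prefs / "Clock Prefs").read_text(),
            "proxy_present": (user_prefs / "Proxy Prefs").exists(),
            "preserved": preserved_name_list(preserved),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two policies side by side: the user's Browser Prefs are overwritten by the forced copy, while Clock Prefs (only in Preserved Preferences) keeps the user's own content and merely appears in the combined name list.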
7 Select “Use preferences from home folder.”
8 Click Apply Now.
Alternatively, you can do the following on each Mac OS X client: open System Preferences, click Classic, then click Advanced and select “Use preferences from home folder.”

Solving Problems
This section describes some problems you may encounter while using Macintosh Manager and provides troubleshooting tips and possible solutions.
Some Printers Don’t Appear in the Available Printers List
When you make printers available to client computers, Macintosh Manager creates desktop printers for your Mac OS 9 clients. The Mac OS X version of the Macintosh Manager administrator application creates only LaserWriter desktop printers.
Macintosh Manager client computers can, however, use AppleTalk for service discovery. If your network has AppleTalk zones, users on Mac OS 8 computers may need to select the zone where the server resides. On Mac OS 9 computers, use the Network Browser to make sure you are connected to the server.

The User’s Computer Freezes
If the computer’s system software is earlier than Mac OS 9, be sure file sharing is turned off.
You can create a folder called “Other Applications•” and then put the Applications folder (and all of its contents) inside. The Other Applications• folder must reside in the client computer’s Applications folder. If the client computer is running Mac OS 9.1 or later, the Applications folder is called “Applications (Mac OS 9).”

Users Can’t Drag and Drop Between Applications
In most cases, Macintosh Manager does not allow the drag-and-drop feature.
CHAPTER 11
DHCP Service
Dynamic Host Configuration Protocol (DHCP) service lets you administer and distribute IP addresses to client computers from your server. When you configure the DHCP server, you assign a block of IP addresses that can be made available to clients. Each time a client computer starts up, it looks for a DHCP server on your network. If a DHCP server is found, the client computer then requests an IP address.
Before You Set Up DHCP Service
Before you set up DHCP service, read this section for information about creating subnets, assigning static and dynamic IP addresses, locating your server on the network, and avoiding reserved IP addresses.

Creating Subnets
Subnets are groupings of computers on the same network that simplify administration. You can organize subnets any way that is useful to you.
Locating the DHCP Server
When a client computer looks for a DHCP server, it broadcasts a message. If your DHCP server is on a different subnet from the client computer, you must make sure the routers that connect your subnets can forward the client broadcasts and the DHCP server responses. If you have a relay agent or a router on your network that can relay BootP communications, it will work for DHCP.
To create subnets:
1 In Server Settings, click the Network tab, click DHCP/NetBoot, and choose Configure DHCP/NetBoot. If you configured ports in the Setup Assistant, you see the port information in the Subnets pane. (The list of subnet address ranges shown is extracted from the host’s local NetInfo database. It is initially set to one subnet address range for each active Ethernet port.
Managing DHCP Service
This section describes how to set up and manage DHCP service on Mac OS X Server.

Starting and Stopping DHCP Service
Follow these steps when starting or stopping DHCP.
To start or stop DHCP service:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Start DHCP or Stop DHCP.
As the service is starting up or shutting down, a globe flashes on the DHCP/NetBoot icon.
7 Select “LDAP over SSL” if you wish LDAP information to be encrypted with SSL. SSL must be enabled on your server to use this option.
8 Click Apply to add the server to the LDAP Servers list at the top of the pane. The order in which the LDAP servers appear in the list determines their search order in the automatic Open Directory search policy.
9 Click New to clear the entry fields and enter additional LDAP server information.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
3 Select a subnet address range and click Edit.
4 Enter a number in the Lease Time field and choose a value from the pop-up menu.
5 Click Save.
Click Use Defaults to use the default subnet address range for this port. The default range includes all valid addresses for the port, based on its IP address and subnet mask.
Addresses must be contiguous, and they can’t overlap.
6 Enter the subnet mask and router for this subnet, then click Save.
Click Use Defaults to use the default subnet address range for this port. The default range includes all valid addresses for the port, based on its IP address and subnet mask.
To use the Mac OS X Server as the gateway for the subnet, enter the server IP address in the router field.
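As an added illustration (not Apple's code, and not how Server Settings computes anything internally), the following Python derives what the guide calls the default subnet address range for a port from its IP address and subnet mask, and checks a set of configured ranges against the two rules stated above: addresses must be contiguous and ranges must not overlap. The port addresses and ranges used are constructed examples.

```python
"""Default DHCP subnet range from a port's IP address and mask, plus
contiguity and overlap checks. Added example; not Apple's code.
All addresses below are constructed for illustration."""
import ipaddress


def port_network(port_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """The subnet a server port belongs to, e.g. 10.0.1.5 / 255.255.255.0 -> 10.0.1.0/24."""
    return ipaddress.IPv4Network(f"{port_ip}/{netmask}", strict=False)


def default_range(port_ip: str, netmask: str) -> tuple:
    """All valid host addresses for the port: the subnet minus its network
    and broadcast addresses, returned as (first, last) dotted strings."""
    net = port_network(port_ip, netmask)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def validate_range(first: str, last: str, port_ip: str, netmask: str) -> list:
    """Return a list of problems with one subnet address range (empty means OK).
    A range is contiguous when it runs from `first` up to `last` with no gap,
    so `first` must not be above `last`, and both ends must be host
    addresses inside the port's subnet."""
    net = port_network(port_ip, netmask)
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    problems = []
    if lo > hi:
        problems.append("first address is above last address")
    for label, addr in (("first", lo), ("last", hi)):
        if addr not in net:
            problems.append(f"{label} address {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} address {addr} is the network or broadcast address")
    return problems


def find_overlaps(ranges: list) -> list:
    """Return index pairs (i, j) of ranges that share at least one address.
    Ranges are (first, last) dotted-string tuples."""
    parsed = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in ranges]
    overlaps = []
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            a_lo, a_hi = parsed[i]
            b_lo, b_hi = parsed[j]
            if a_lo <= b_hi and b_lo <= a_hi:   # two intervals intersect
                overlaps.append((i, j))
    return overlaps


if __name__ == "__main__":
    # Constructed port: the server's en0 at 10.0.1.5 with a /24 mask.
    print(default_range("10.0.1.5", "255.255.255.0"))
    print(validate_range("10.0.1.10", "10.0.2.10", "10.0.1.5", "255.255.255.0"))
    print(find_overlaps([("10.0.1.10", "10.0.1.100"),
                         ("10.0.1.50", "10.0.1.200"),
                         ("10.0.2.1", "10.0.2.50")]))
```

The overlap check is the one most worth running before saving several ranges on one port, since two pools that share addresses can lead the server to lease the same address twice.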
You need to know the file name of the NetInfo database (or NetInfo tag) you want to use and the IP address of the server that hosts that database (or domain). The NetInfo tag is “network” if the domain was created using NetInfo Domain Setup.
To set NetInfo options for a subnet:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
3 Select a subnet and click Edit.
4 Click the NetInfo tab.
To view the DHCP or NetBoot client list:
1 In Server Status, locate your server in the Devices & Services list and select DHCP-NetBoot under the server entry. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the DHCP Clients or NetBoot Clients tab.
Click Refresh to update the list. Click any column heading to sort the list by different criteria.
CHAPTER 12
NetBoot
NetBoot lets you start up Macintosh client computers from disk images stored on servers running Mac OS X Server. A disk image is a file that looks and acts like a mountable disk or volume. NetBoot disk images contain system software that can be used as a startup disk by client computers on the network.
Mac OS X Server includes the following CDs containing applications and files specific to NetBoot:
• Mac OS X Server Administration Tools CD: In the NetBoot, Network Install folder you’ll find Network Image Utility (in the Image Creation folder) and PackageMaker and Property List Editor (in the Image Manipulation folder).
• NetBoot, Mac OS 9 CD: About NetBoot.
These are estimates for the number of clients supported. See “Capacity Planning” on page 515 for a more detailed discussion of the optimal system and network configurations to support the number of clients you have. NetBoot is not supported over wireless connections.

Client Computer Requirements
Any Macintosh computer that can run Mac OS 9.2.
To update a Mac OS X disk image, see “Updating an Existing Mac OS X NetBoot Disk Image” on page 527. To update Mac OS 9 disk images, see “Modifying a Mac OS 9 Disk Image” on page 530.

Ethernet Support on Client Computers
NetBoot is supported only over the built-in Ethernet connection. Multiple Ethernet ports are not supported on client computers.

Network Requirements
Recent Macintosh computers use NetBoot version 2.
Capacity Planning
The number of NetBoot client computers you can connect to your server depends on how your server is configured, the server’s hard disk space, and a number of other factors. In planning for your server and network needs, consider these factors:
• Ethernet speed: 100Base-T or faster connections are required for both client computers and the server.
Inside NetBoot
This section describes how NetBoot is implemented on Mac OS X Server, including information on the protocols, files, directory structures, and configuration details that support the NetBoot functionality.

NetBoot Image Folder
The NetBoot image folder contains the startup disk image file, a boot file that the firmware uses to begin the startup process, and other files required to start up a client computer over the network.
Mac OS 9 NetBoot image folder (MacOS9.2.2.nbi)
File or folder: Description
Mac OS ROM: Boot file
NetBoot HD.img: System startup image file
Application HD.img: Application image file
NBImageInfo.plist: Property list file
Backup: Folder created by NetBoot Desktop Admin for the backup image
You use NetBoot Desktop Admin to modify the Mac OS 9 NBI folder. The utility lets you change the image file (NetBoot HD.
Mac OS 9 property list
Property (Type): Description
BootFile (String): Name of boot ROM file: Mac OS ROM.
Index (Number): 1–4095 is a local image unique to the server. 4096–65535 is a duplicate, identical image stored on multiple servers for load balancing.
IsDefault (Boolean): True specifies this image file as the default.
IsEnabled (Boolean): Sets whether the image is available to NetBoot (or Network Image) clients.
Boot Server Discovery Protocol (BSDP)
NetBoot uses an Apple-created extension based on DHCP called Boot Server Discovery Protocol (BSDP). This protocol implements a method of discovering NetBoot servers on a network. NetBoot clients obtain their IP information from a DHCP server and their NetBoot information from BSDP. BSDP offers built-in support for load balancing. See “Load Balancing” on page 537.
If the mount point specified by path is directly bootable, you don’t need to specify image. Examples:
• server3:/Images/OSX/Jaguar:Jag_10_2.dmg (points to the image file Jag_10_2.dmg in /Images/OSX/Jaguar on the host server3)
• 172.16.12.20:/Images/OS_X/Jaguar (specifies a directly bootable mount point on a server identified by IP address)
The associated boot files (booter, mach.macosx, and mach.macosx.kext) and the property list file (NBImageInfo.
Security
You can secure access to NetBoot service computer by computer, using the hardware addresses of specific computers to allow or deny each one access. A client computer’s hardware address is automatically added to the NetBoot Filtering list when the client starts up using NetBoot and is, by default, enabled to use NetBoot. See “Filtering NetBoot Client Connections” on page 536.
Setup Overview
Here is an overview of the basic steps for setting up NetBoot:
Step 1: Evaluate and update your network, servers, and client computers as necessary
The number of client computers you can support using NetBoot is determined by the number of servers you have, how they are configured, hard disk storage capacity, and other factors. See “Capacity Planning” on page 515.
Step 2: Create disk images for client computers
You can set up both Mac OS 9 disk images and Mac OS X disk images for client computers to start up from. A preconfigured Mac OS 9 image is supplied with Mac OS X Server on the NetBoot, Mac OS 9 CD. The Mac OS 9 disk image can be modified.
You can set up NetBoot in the following ways:
Clients running Mac OS 9: Use the Startup Disk control panel to select a startup disk image on the server, then restart the computer. See “Selecting a NetBoot Startup Image (from Mac OS 9)” on page 539.
Note: You must update the Startup Disk control panel on client computers running Mac OS 9 from their local hard disks in order to be able to view NetBoot disk images in the control panel.
Setting Up NetBoot
This section describes how to enable NetBoot on a Mac OS X server and how to create and edit NetBoot disk images.

Creating a Mac OS X Disk Image
Use Network Image Utility to set up one or more Mac OS X NetBoot disk images. Network Image Utility creates a disk image from the files on a Mac OS X installation disc. Have an install CD ready; you’ll need to insert the disc during this procedure.
Installing Classic on a Mac OS X Disk Image
You install Classic onto a Mac OS X image by copying a Mac OS 9.2.2 system folder into an “unlocked” NetBoot image. You must also select the Mac OS X image and start Classic using the System 9 preference pane to complete the integration of Classic into the image. Do not try to install Classic onto Network Install disk images. This procedure for installing Classic only works for NetBoot disk images.
Updating an Existing Mac OS X NetBoot Disk Image
You can apply a Mac OS X system update to an existing NetBoot image so that your clients start up from the latest available system. You can download Mac OS system updates from www.apple.com/support. To update an image using these instructions, you must have been logged in to the server as the root user when you created the image.
Creating a Mac OS X NetBoot Image From an Existing System
If you already have a client computer set up to suit your users, you can use Disk Copy to create a NetBoot image that is based on that client’s configuration. You need an external FireWire hard disk or a second partition on the client’s hard disk where you can create the image. You cannot create the image on a volume over the network.
Add all of these properties, classes, and values:
• BootFile, String, booter
• Index, Number,
• IsDefault, Boolean, Yes or No
• IsEnabled, Boolean, No
• IsInstall, Boolean, No
• Name, String,
• RootPath, String,
• Type, String, NFS
Save the file with the name NBImageInfo.
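The following added example (not Apple's code or Property List Editor's output) builds, reads back and sanity-checks an NBImageInfo.plist for a Mac OS X NetBoot image folder using the properties listed above, applies the Index ranges from the Mac OS 9 property list table (1–4095 local, 4096–65535 shared for load balancing), and parses a RootPath value of the form host:path[:image] as in the examples under “Inside NetBoot”. The image names, hosts and paths are constructed; the single-default check is an added consistency rule, not something the guide states Server Settings enforces.

```python
"""Build, parse and check NBImageInfo.plist for a Mac OS X NetBoot image.
Added example; not Apple's code. Hosts, paths and names are constructed."""
import plistlib

LOCAL_INDEXES = range(1, 4096)        # image unique to this server
SHARED_INDEXES = range(4096, 65536)   # identical copy on several servers (load balancing)


def index_scope(index: int) -> str:
    """Classify an Index value as 'local' or 'shared'; raise if out of range."""
    if index in LOCAL_INDEXES:
        return "local"
    if index in SHARED_INDEXES:
        return "shared"
    raise ValueError(f"Index {index} is outside 1-65535")


def parse_root_path(root_path: str) -> dict:
    """Split host:path or host:path:image into its parts. The image part is
    absent when the mount point itself is directly bootable."""
    parts = root_path.split(":")
    if len(parts) == 2:
        host, path = parts
        image = None
    elif len(parts) == 3:
        host, path, image = parts
    else:
        raise ValueError(f"RootPath {root_path!r} is not host:path[:image]")
    if not host or not path.startswith("/"):
        raise ValueError(f"RootPath {root_path!r} needs a host and an absolute path")
    return {"host": host, "path": path, "image": image}


def make_image_info(name: str, index: int, root_path: str,
                    is_default=False, is_enabled=False, is_install=False) -> bytes:
    """Return XML plist bytes for an NFS-served Mac OS X image (BootFile 'booter')."""
    index_scope(index)           # reject an out-of-range Index early
    parse_root_path(root_path)   # reject a malformed RootPath early
    info = {
        "BootFile": "booter",
        "Index": int(index),
        "IsDefault": bool(is_default),
        "IsEnabled": bool(is_enabled),
        "IsInstall": bool(is_install),
        "Name": name,
        "RootPath": root_path,
        "Type": "NFS",
    }
    return plistlib.dumps(info)


def load_image_info(data: bytes) -> dict:
    """Parse NBImageInfo.plist bytes and attach derived fields."""
    info = plistlib.loads(data)
    info["IndexScope"] = index_scope(info["Index"])
    info["Root"] = parse_root_path(info["RootPath"])
    return info


def check_defaults(infos: list) -> list:
    """Consistency problems across one server's images (added rule, see lead-in):
    more than one enabled default image, or a default that is not yet enabled
    and so is not offered to clients."""
    problems = []
    enabled_defaults = [i["Name"] for i in infos if i["IsDefault"] and i["IsEnabled"]]
    if len(enabled_defaults) > 1:
        problems.append("more than one enabled default image: " + ", ".join(enabled_defaults))
    for i in infos:
        if i["IsDefault"] and not i["IsEnabled"]:
            problems.append(f"default image {i['Name']!r} is not enabled")
    return problems


if __name__ == "__main__":
    data = make_image_info("Jaguar 10.2", 100,
                           "server3:/Images/OSX/Jaguar:Jag_10_2.dmg",
                           is_default=True, is_enabled=True)
    print(data.decode())
    print(load_image_info(data)["Root"])
```

Writing the bytes returned by `make_image_info` to NBImageInfo.plist inside the .nbi folder gives the same structure Property List Editor produces; `load_image_info` is the check to run on an existing folder before enabling the image.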
Modifying a Mac OS 9 Disk Image
To install software on or change the preconfigured Mac OS 9 disk image, you need to start up from a NetBoot client computer, connect to the NetBoot server volume, and open the NetBoot Desktop Admin program. Your changes are not available to you or other users until after the NetBoot client computer running NetBoot Desktop Admin restarts the last time.
Be sure the disk image has enough space for the software you want to install. However, increase the size of an image only as much as needed. You cannot reduce the size of an image without reverting to a smaller backup copy.
7 Install the software or make changes to the system configuration. Make sure to install the latest updates for the system software.
Specifying the Default NetBoot Disk Image
The default disk image is the NetBoot disk image used when a user starts a client computer using the N key. See “Starting Up Using the N Key” on page 540. If you’ve created more than one startup disk image, use the Configure DHCP/NetBoot pane to select the default startup image.
Configuring NetBoot on Your Server
You use the DHCP/NetBoot module of Server Settings to configure your Mac OS X Server to provide NetBoot services to client computers.
Note: In the previous release of Mac OS X Server, “Static” was referred to as NB 1.0 and “Dynamic” as NB 2.0.
To configure NetBoot:
1 Open Server Settings and click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
Starting NetBoot on Your Server
You turn on NetBoot by starting DHCP.
Note: You must also enable one or more images on your server before client computers can use NetBoot.
To start DHCP:
1 Open Server Settings and click the Network tab.
2 Click DHCP/NetBoot and choose Start DHCP Service.

Enabling NetBoot Disk Images
You must enable one or more disk images on your server to make the images available to client computers for NetBoot startups.
Managing NetBoot
This section describes how to manage the ongoing use of a NetBoot installation.

Turning Off NetBoot
The best way to prevent clients from using NetBoot on the server is to disable NetBoot service on all Ethernet ports.
Note: You can also stop NetBoot by disabling all disk images on the server.
To disable NetBoot on Ethernet ports:
1 Open Server Settings and click the Network tab.
Monitoring the Status of Mac OS 9 NetBoot Clients
Server Status lets you monitor all services on a Mac OS X server.
To monitor NetBoot service:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select AppleFile in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
Load Balancing
NetBoot provides a significant benefit to those system administrators tasked with maintaining a large number of Macintosh computers by having all of those computers boot from the same system software image. This feature, however, makes it critical that the NetBoot server remain available to the client computers relying upon it.
Using Share Points to Spread the Shadow Image Load
By default, NetBoot creates share points for client shadow images on all server volumes in order to spread the load across multiple drive mechanisms. You can use Workgroup Manager to see these share points. They are named NetBootSPx, where x is the share point number; the share points are numbered starting with zero.
After the client computer has started up, you can use the Startup Disk control panel (Mac OS 9) or preference pane (Mac OS X) to select the NetBoot disk image as the default startup disk for the client. That way you no longer need to use the N key method to start up the client from the server. Removing the system software from client computers gives you additional control over users’ environments.
Starting Up Using the N Key
You can use this method to start up any supported client computer from a NetBoot disk image. When you start up with the N key, the client computer starts up from the default NetBoot disk image. (If there are multiple servers present, then the client starts up from the default image of the first server to respond.
Solving Problems
A NetBoot Client Computer Won’t Start Up
• Sometimes a computer may not start up immediately because other computers are putting a heavy demand on the network. Wait a few minutes and try starting up again.
• Make sure that all the cables are properly connected and that the computer and server are getting power.
• If you installed memory or an expansion card in the client computer, make sure it is installed properly.
CHAPTER 13
Network Install
Network Install lets you install Mac OS X system software and other software onto client computers over the network. Network Install is similar to NetBoot, but instead of using startup disk images, client computers start up from installer disk images. An installer disk image looks and behaves like an installer CD.
Before You Set Up Network Install
Review the first part of Chapter 12, “NetBoot,” for system requirements and other information that applies to both NetBoot and Network Install.

Image Size
Each installer image you create uses 1.4 GB of disk space.

Setup Overview
Follow these basic steps to create and enable an installer disk image.
Step 1: Start the DHCP/NetBoot service
Network Install uses the DHCP/NetBoot service on your server.
Setting Up Network Install
This section tells you how to create installer disk images and enable them on your server.

Creating a Network Install Disk Image
To create installer images, use the Network Image Utility. You can find this application on the Mac OS X Server Administration Tools CD that comes with Mac OS X Server. Look in the folder /NetBoot, Network Install/Image Creation.
LL0395.Book Page 546 Wednesday, November 20, 2002 11:44 AM Enabling an Installer Disk Image You must enable an installer disk image on your server to make it available to client computers on the network. You must also start DHCP on the server before client computers can use Network Install. See “Starting NetBoot on Your Server” on page 534. If an installer disk image is the only image you enable, it will become the default NetBoot image.
About Packages
If you plan to use Network Install to install application software or other files, you need to group the applications or files into a special file called a package. A package is a collection of compressed files and related information used to install software onto a computer. The contents of a package are contained within a single file, which has the extension “.pkg”. The following table shows the components of a package file.

For more information on creating packages, open PackageMaker and choose PackageMaker Help, PackageMaker Release Notes, or Package Format Notes from the Help menu. After creating the packages, copy them to your installer image and update the associated configuration file (which depends on the image type). See “Adding Packages to an OS Install Image” on page 548 or “Adding Packages to a Custom Package Install Image” on page 549. Treat the image and its configuration files as trusted code: anyone who can modify the packages in the image, or the file that names them, controls what gets installed on every client that boots from it.

Adding Packages to a Custom Package Install Image
To add application or file packages to an installer image that does not contain system software (a custom package install image), copy your packages or metapackage into the image, then create a file named rc.cdrom.packagePath containing the name of the package or metapackage and put the file in the image folder /private/etc.
Automating Installation of an OS Image
To install Mac OS software (along with any packages you add) with limited or no interaction from the client computer, use the Network Image Utility to create an automated install image, then update the associated configuration file and enable the image. Because an automated install image needs no confirmation from whoever is at the client, take care before making one the default image: a client started with the N key will boot into it and run the installation.
To set up an OS image for automated installation:
1 Create a new image using the Network Image Utility.

About the minstallconfig.xml File
Automated installs use the information in this file to control how the installation proceeds. For example, to set up a completely automated install with no user interaction, make sure this file contains the information that a user on the client computer would otherwise provide. The minstallconfig.xml file is located in the installer image in /private/etc.

Selecting a Network Install Image (From a Mac OS X Client)
If the client computer is running Mac OS X version 10.2 or later, use the Startup Disk pane of System Preferences to select a NetBoot startup disk image.
To select a Network Install image from Mac OS X:
1 Open System Preferences and select Startup Disk.
2 Choose the network disk image you want to use to start up the computer.
3 Click Restart.
CHAPTER 14   DNS Service
When your clients want to connect to a network resource such as a Web or file server, they typically request it by its domain name (such as www.example.com) rather than by its IP address (such as 192.168.12.12). The Domain Name System (DNS) is a distributed database that maps domain names to IP addresses (and, through reverse lookups, IP addresses back to names), so your clients can find resources by name rather than by numerical address.

Before You Set Up DNS Service
This section contains information you should consider before setting up DNS on your network. The issues involved in DNS administration are complex and numerous. Set up DNS service on your network only if you are an experienced DNS administrator.
DNS and BIND
You should have a thorough understanding of DNS before you attempt to set up your own DNS server.

If you want to change your mail server or redirect mail, you have to notify potential senders of a new address for your users. Alternatively, you can create an MX record for each domain that you want handled by your mail server and direct the mail to the correct computer. When you set up MX records, list every computer that can receive mail for the domain, each with a preference value, so that senders try the primary mail server first and fall back to the others.

For example, a server in a domain would be host1.example.com, and a server in a subdomain would be host2.good.example.com. The DNS server for example.com keeps track of information for its subdomains, such as host (or computer) names, static IP addresses, aliases, and mail exchangers. The range of IP addresses for use with a given domain must be clearly defined before setup.
To start or stop DNS service:
1 In Server Settings, click the Network tab.
2 Click DNS Service and choose Start DNS or Stop DNS.
When the service is turned on, a globe appears on the DNS Service icon. The service may take a moment to start (or stop).
Viewing DNS Log Entries
DNS service creates entries in the system log for error and alert messages.

• Canonical Name (CNAME): Asks for the “real name” of a server when given a “nickname” or alias. For example, mail.apple.com might have a canonical name of MailSrv473.apple.com.
• Pointer (PTR): Asks for the domain name of a given IP address (reverse lookup).
• Mail Exchanger (MX): Asks which computer in a zone is used for email.

Zone Data Files
Zone data files consist of paired address files and reverse lookup files. Address records link host names (host1.example.com) to IP addresses. Reverse lookup records do the opposite, linking IP addresses to host names. Address record files are named after your domain name, for example db.example.com. Reverse lookup file names look like part of an IP address, such as db.192.168.12.
3 In the “Go to the folder:” sheet, enter /etc (no quotation marks) and click the Go button.
4 Locate the file named named.conf and rename it named.conf.OLD.
5 Open TextEdit, located in /Applications.
6 Copy the contents of /usr/share/named/examples/db.10.0.1.sample into a new file. Save the file as /var/named/db.10.0.1.
7 Copy the contents of /usr/share/named/examples/db.example.com.sample into a new file. Save the file as /var/named/db.

Check Your Configuration
To verify that the steps were successful, open Terminal, located in /Applications/Utilities, and enter the following commands (substituting your local domain name for “example.com” if it is different):
nslookup server.example.com
nslookup 10.0.1.
The first command should return the server’s IP address and the second should return its host name; if either fails, recheck the zone files and named.conf before putting the server into service.
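The nslookup check above confirms a single forward and a single reverse lookup. A zone that passes that check can still have hosts whose address record and reverse-lookup record disagree, which breaks reverse-lookup-based access controls and logging later. The following Python script is an added example written for this edit, not code from Mac OS X Server or BIND; it reads an address file and its reverse file in the layout this chapter describes (db.example.com and db.10.0.1) and reports every mismatch offline. The zone text in it is constructed for the example, and it parses only one-line records of the form “owner [ttl] IN TYPE rdata”.

```python
"""Offline consistency check of a BIND address zone file against its
reverse-lookup file.

Added example, not from the Mac OS X Server guide. "Check Your Configuration"
verifies one name and one address with nslookup; this script checks every A
record in the address file (db.example.com) against the reverse file
(db.10.0.1) before named is restarted, reporting hosts with no PTR, PTRs that
name a different host, and PTRs for addresses that no longer have an A record.
The zone text below is constructed for the example. Only records written as
"owner [ttl] IN TYPE rdata" on one line are parsed; a blank owner inheriting
the previous line's name is not supported.
"""
import ipaddress


def qualify(name, origin):
    """Turn a zone-file name into a fully qualified name ending in a dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def parse_records(zone_text, rtype, origin):
    """Return {owner: rdata} for all records of type rtype in zone_text."""
    records = {}
    current_origin = origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            current_origin = fields[1]
            continue
        if "IN" not in fields:
            continue
        i = fields.index("IN")
        if i == 0 or i + 2 >= len(fields) or fields[i + 1] != rtype:
            continue
        owner = qualify(fields[0], current_origin)
        rdata = fields[i + 2]
        if rtype == "PTR":
            rdata = qualify(rdata, current_origin)
        records[owner] = rdata
    return records


def ptr_owner_to_ip(owner):
    """Map "2.1.0.10.in-addr.arpa." to "10.0.1.2"; None if not an IPv4 PTR owner."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def check_zone_consistency(forward_text, forward_origin, reverse_text, reverse_origin):
    """List of problem descriptions; an empty list means the files agree."""
    a_records = parse_records(forward_text, "A", forward_origin)        # name -> ip
    ptr_records = parse_records(reverse_text, "PTR", reverse_origin)    # owner -> name
    problems = []
    for name, ip in sorted(a_records.items(), key=lambda kv: ipaddress.IPv4Address(kv[1])):
        expected_owner = ipaddress.IPv4Address(ip).reverse_pointer + "."
        ptr = ptr_records.get(expected_owner)
        if ptr is None:
            problems.append("%s: no PTR record for %s" % (ip, name))
        elif ptr != name:
            problems.append("%s: PTR is %s, expected %s" % (ip, ptr, name))
    forward_ips = set(a_records.values())
    for owner, name in sorted(ptr_records.items()):
        ip = ptr_owner_to_ip(owner)
        if ip is not None and ip not in forward_ips:
            problems.append("%s: PTR %s has no A record in the address file" % (ip, name))
    return problems


# Constructed zone files in the layout the chapter describes.
FORWARD_ZONE = """
$ORIGIN example.com.
@       IN SOA server.example.com. admin.example.com. ( 2002112001 3600 900 604800 86400 )
@       IN NS  server.example.com.
server  IN A   10.0.1.1
host1   IN A   10.0.1.2
host2   IN A   10.0.1.3
host3   IN A   10.0.1.4     ; no PTR in the reverse file
"""

REVERSE_ZONE = """
$ORIGIN 1.0.10.in-addr.arpa.
@   IN NS  server.example.com.
1   IN PTR server.example.com.
2   IN PTR host1.example.com.
3   IN PTR host9.example.com.   ; stale: the address file says host2
9   IN PTR old.example.com.     ; stale: address no longer in the address file
"""

if __name__ == "__main__":
    for problem in check_zone_consistency(FORWARD_ZONE, "example.com.",
                                          REVERSE_ZONE, "1.0.10.in-addr.arpa."):
        print(problem)
```

Run it against the real files by reading /var/named/db.example.com and /var/named/db.10.0.1 into the two strings; an empty result is the condition to require before restarting named.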
If it’s unlikely that your local area network will ever be connected to the Internet and you want to use TCP/IP as the protocol for transmitting information on your network, it’s possible to set up a “private” TCP/IP network. When you set up a private network, you choose IP addresses from the blocks of IP addresses that the IANA (Internet Assigned Numbers Authority) has reserved for private intranets:
• 10.0.0.0–10.255.255.255 (10/8 prefix)
• 172.
CHAPTER 15   Firewall Service
Firewall service is software that protects the network applications running on your Mac OS X Server. Turning on firewall service is similar to erecting a wall to limit access. Firewall service scans incoming IP packets and rejects or accepts them based on the set of filters you create.

The picture below illustrates this process. (Flowchart, described in text:) A computer with IP address 10.221.41.33 attempts to connect to the server over the Internet on port 80. The server begins looking for filters. Is there a filter for port 80? If so, is there a port 80 filter whose address range contains 10.221.41.33? If so, that filter’s setting decides: Allow, and the connection is made; Deny, and it is refused. If there is no port 80 filter, or none whose range contains the address, the server locates the Any Port filter with the most specific range that includes 10.221.41.33 and applies its setting instead.

Before You Set Up Firewall Service
When you start firewall service, the default configuration denies access to all incoming packets from remote computers. This provides the highest level of security. You can then add new IP filters to allow access to those clients who require it for specific services. First, think about the services that you want to provide on your server.
The segments in a mask go from general to specific, so the earlier a zero appears in the segments of the subnet mask, the wider the resulting range of addresses. A subnet mask of 255.255.255.255 is the narrowest and indicates a single IP address. Any value except 255 in a segment of the subnet mask must be followed by zero segments.

IP Address Precedence
If you create multiple filters for a port number, the filter that contains the most specific address range has precedence. The table below illustrates how this works. If a request comes in from an address that falls within the range specified on the first line, access is allowed. If the request doesn’t fall within that address range, the second line is checked. The last line, All, denies access.

Block Junk Mail
To reject email from a junk mail sender with an IP address of 17.128.100.0 and accept all other Internet email:
Access   Port         IP address
Deny     25 (SMTP)    17.128.100.0
Allow    25 (SMTP)    All
The Deny filter names a single address, so it is more specific than the Allow filter for All and takes precedence. Set up very specific address ranges in filters you create to block incoming SMTP mail. For example, if you set a filter on port 25 to deny mail from all addresses, you will prevent any mail from being delivered to your users.
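The precedence rule in “IP Address Precedence” and the junk-mail table above can be checked against a filter list before it is saved. The following Python is an added example written for this edit, not code from Mac OS X Server or its firewall module; it models the lookup order this chapter describes (filters for the destination port first, then Any Port filters, the most specific address range winning, and the default configuration’s Deny for anything unmatched), validates subnet masks by the rule stated above, and uses a constructed filter list that includes the junk-mail pair.

```python
"""Model of the IP filter lookup described in the firewall chapter.

Added example, not code from Mac OS X Server. It follows the chapter's rules:
a packet is matched against the filters for its destination port, the filter
with the most specific address range (longest mask) wins, and if no port
filter covers the source address the Any Port filters are tried the same way.
Anything still unmatched gets the default, which the chapter says is Deny.
The filter list at the bottom is constructed for the example.
"""
import ipaddress

ANY_PORT = None  # stands for the chapter's "Any Port" filters


def mask_to_prefix(mask):
    """Validate a dotted subnet mask and return its prefix length.

    The chapter's rule: a segment other than 255 must be followed only by
    zero segments, i.e. the mask is a run of one-bits then a run of zero-bits.
    """
    m = int(ipaddress.IPv4Address(mask))
    inverse = ~m & 0xFFFFFFFF          # the zero-bits of the mask, as ones
    if inverse & (inverse + 1):         # ones above zeros -> not contiguous
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return 32 - inverse.bit_length()


def is_valid_mask(mask):
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def address_range(address, mask):
    """First and last address covered by an address/mask pair (what the
    filter window shows after you click Use My Subnet)."""
    net = ipaddress.IPv4Network((address, mask_to_prefix(mask)), strict=False)
    return str(net[0]), str(net[-1])


class IPFilter:
    def __init__(self, action, port, address, mask="255.255.255.255"):
        if address == "All":            # the "All" row in the chapter's tables
            address, mask = "0.0.0.0", "0.0.0.0"
        self.action = action            # "Allow" or "Deny"
        self.port = port                # TCP/UDP port number, or ANY_PORT
        self.network = ipaddress.IPv4Network(
            (address, mask_to_prefix(mask)), strict=False)

    def covers(self, ip):
        return ip in self.network


def lookup(filters, src_ip, dst_port, default="Deny"):
    """Action the firewall applies to a packet from src_ip to dst_port."""
    src = ipaddress.IPv4Address(src_ip)
    for port_group in (dst_port, ANY_PORT):
        matches = [f for f in filters if f.port == port_group and f.covers(src)]
        if matches:
            # longest prefix = most specific range = highest precedence
            return max(matches, key=lambda f: f.network.prefixlen).action
    return default


# Constructed filter list: the chapter's "Block Junk Mail" pair, a public
# web rule, and an Any Port rule for a management subnet.
FILTERS = [
    IPFilter("Deny", 25, "17.128.100.0"),
    IPFilter("Allow", 25, "All"),
    IPFilter("Allow", 80, "All"),
    IPFilter("Allow", ANY_PORT, "10.221.41.0", "255.255.255.0"),
]

if __name__ == "__main__":
    for src, port in (("17.128.100.0", 25), ("10.221.41.33", 25),
                      ("10.221.41.33", 515), ("192.168.12.12", 515)):
        print(src, port, lookup(FILTERS, src, port))
```

The useful check is the last case: an address outside every filter’s range is denied even though the port 25 and port 80 rules allow All, because those rules only apply to their own ports and the management subnet’s Any Port rule does not cover it.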
Step 2: Add filters to the IP filter list
Read “Before You Set Up Firewall Service” on page 565 to learn how IP filters work and how to create them.
To add IP filters:
1 In Server Settings, click the Network tab.
2 Click Firewall and choose Show Firewall List.
3 Click New and create a filter. For more information about creating a new filter, see “Creating an IP Filter” on page 570.

To set firewall service to start automatically each time your computer starts up:
1 In Server Settings, click the Network tab.
2 Click Firewall and choose Configure Firewall.
3 Select “Start Firewall at system startup,” then click Save.
Select this option on any server that is reachable from untrusted networks; otherwise the server’s services are exposed without filters from the moment it restarts until someone starts the firewall by hand.
Editing IP Filters
If you edit a filter after turning on firewall service, your changes affect connections already established with the server.

7 If you choose “a range of IP addresses,” enter a subnet mask or click Use My Subnet to use the computer’s subnet mask. The resulting address range is displayed at the bottom of the window.
8 Click Save.
Searching for IP Filters
You can use the Find button in the IP Filter List window to search for filters that match specific criteria. For example, you may want to see what filters you have set up for a specific IP address.

To configure firewall service:
1 In Server Settings, click the Network tab.
2 Click Firewall and choose Configure Firewall.
3 Select “Start Firewall at system startup” if you want the service to start whenever the server starts up.
4 Select “Send rejection to client if connection is denied” if you want your server to respond to denied connection attempts (this is on by default).
Log Example 2
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
This entry shows that firewall service used rule 100 to allow the remote client at 10.221.41.33:721 to access the server 192.168.12.12 on the LPR printing port 515 via Ethernet port 0 (en0).
Log Example 3
Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.
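Reading these entries by eye works for a handful of lines; for a day of logs you want them parsed into fields and searched. The following Python is an added example written for this edit, not code from Mac OS X Server: it parses ipfw log lines in the format shown in the log examples above and then flags source addresses that were denied on several different ports, the usual sign of a port scan. The first sample line is Log Example 2 from this section; the remaining lines are constructed, and the rule number 65534 and the “Deny” keyword in them are assumptions about how the default rule logs.

```python
"""Parser for the ipfw log lines shown in "Log Examples", plus a small
detection pass over them.

Added example, not code from Mac OS X Server. It pulls the rule number,
action, protocol, endpoints, direction and interface out of each entry so
the log can be queried instead of read by eye, and then flags source
addresses that were denied on several different ports, the usual sign of a
port scan. The first sample line is the guide's Log Example 2; the others are
constructed, and the rule number 65534 and the "Deny" keyword in them are
assumptions about how the default rule logs.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+mach_kernel:\s+ipfw:\s+"
    r"(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<direction>in|out)\s+via\s+(?P<interface>\S+)\s*$"
)


def _endpoint(text):
    """'10.221.41.33:721' -> ('10.221.41.33', 721); a bare address -> (addr, None)."""
    if ":" in text:
        ip, port = text.rsplit(":", 1)
        return ip, int(port)
    return text, None


def parse_ipfw_line(line):
    """Dict of fields for an ipfw log entry, or None for any other syslog line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src_ip, src_port = _endpoint(m.group("src"))
    dst_ip, dst_port = _endpoint(m.group("dst"))
    return {
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "direction": m.group("direction"),
        "interface": m.group("interface"),
    }


def find_scanners(lines, min_ports=3):
    """Source addresses denied on at least min_ports distinct destination ports,
    mapped to the sorted list of those ports."""
    denied = defaultdict(set)
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec and rec["action"] == "Deny" and rec["dst_port"] is not None:
            denied[rec["src_ip"]].add(rec["dst_port"])
    return {ip: sorted(ports) for ip, ports in denied.items() if len(ports) >= min_ports}


SAMPLE_LINES = [
    # Log Example 2 from the guide
    "Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0",
    # constructed: one host probing several ports and being denied
    "Dec 12 13:21:02 mayalu6 mach_kernel: ipfw: 65534 Deny TCP 10.221.41.99:3301 192.168.12.12:21 in via en0",
    "Dec 12 13:21:02 mayalu6 mach_kernel: ipfw: 65534 Deny TCP 10.221.41.99:3302 192.168.12.12:22 in via en0",
    "Dec 12 13:21:03 mayalu6 mach_kernel: ipfw: 65534 Deny TCP 10.221.41.99:3303 192.168.12.12:23 in via en0",
    "Dec 12 13:21:03 mayalu6 mach_kernel: ipfw: 65534 Deny TCP 10.221.41.99:3304 192.168.12.12:25 in via en0",
    # constructed: a single denied connection, not a scan
    "Dec 12 13:21:09 mayalu6 mach_kernel: ipfw: 65534 Deny TCP 10.221.41.50:4410 192.168.12.12:25 in via en0",
    # constructed: an unrelated syslog line the parser must ignore
    "Dec 12 13:21:10 mayalu6 sshd[321]: Accepted password for admin from 10.221.41.33 port 722 ssh2",
]

if __name__ == "__main__":
    for ip, ports in find_scanners(SAMPLE_LINES).items():
        print("possible scan from %s on ports %s" % (ip, ports))
```

To run it over the real log, replace SAMPLE_LINES with the lines of the system log; the threshold of three distinct ports is a starting point and should be tuned against normal traffic on the server.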
UDP ports above 1023 are allocated dynamically by certain services, so their exact port numbers may not be determined in advance.
To set up UDP port filters:
1 In Server Settings, click the Network tab.
2 Click Firewall and choose Configure Firewall.
3 Click the Advanced tab and select “Apply filters in IP filter list to UDP ports.”
4 Click “all UDP ports” or enter a range of port numbers to filter in the “in range” fields.

5 Click Save, then restart firewall service.
Any IP filters you create allow NetInfo access for the IP addresses you specify. By default, NetInfo dynamically chooses a TCP or UDP port from the 600 through 1023 range, but you can configure a shared domain to be accessible using one port, or using one port for TCP and a second port for UDP packets.

5 Click Save, then restart firewall service.
Make these settings only if you think your server may be the target of a denial-of-service attack, because they have side effects. If you don’t send rejection replies to clients, some clients may retry connections, resulting in server congestion. Also, if you deny ICMP echo replies, services that use pinging to locate network services will be unable to detect your server.

Rule number    Used by firewall module for
63500          Allowing user-specified TCP and UDP packets to access ports needed for NetInfo shared domains. You can configure NetInfo to use a static port or to dynamically select a port from 600 through 1023. Then use the Configure Firewall window to allow all or specific clients to access those ports.
64000–65000    User-defined filters for Any Port.

For more information, consult the ipfw man page (type “man ipfw” in a Terminal window).
Port Reference
The following tables show the TCP and UDP port numbers commonly used by Mac OS X computers and Mac OS X Servers. These ports can be used when you are setting up your IP filters.
Note: See www.faqs.org/rfcs to view the RFCs referenced in the tables.
Where to Find More Information
Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you are a novice server administrator, you’ll probably find some of the background information in an RFC helpful. If you are an experienced server administrator, you can find all the technical details about a protocol in its RFC document.
CHAPTER 16   SLP DA Service
Service Location Protocol Directory Agent (SLP DA) provides structure to the services (or resources) available on a network and gives users easy access to them. Anything that can be accessed using a URL—including file servers, WebDAV servers, NFS servers, printers, and personal Web servers—can be a network service.

Step 1: Define scopes
To define scopes, you need to decide how you want to organize the computers on your network. A scope can be a logical grouping of computers, such as all computers used by the production department, or a physical grouping, such as all computers located on the first floor. You can define a scope as part or all of your network.

1 In the Registered Services window, click New Service.
2 In the Add Proxied Service dialog, choose the scope and add the service you want.
For more information about adding services to a scope, see “Registering a Service With SLP DA” on page 586.
Step 6: Start SLP DA service
To start SLP DA service:
1 Click SLP Service.
2 Choose Start SLP DA.
When the service is turned on, a globe appears on the service icon.

5 Double-click a service to see more detailed information about the service.
You can change the way the list is sorted by clicking a column heading.
Creating New Scopes in SLP DA Service
Scopes are groups of services available on the network, organized in a way that works best for your network.
To create a new scope and add services to it:
1 In Server Settings, click the Network tab.
2 Click SLP Service and choose Show Registered Services.

Deregistering Services in SLP DA Service
If a service is no longer available to network clients, you must manually remove the service from the SLP DA registered service list.
To deregister a service:
1 In Server Settings, click the Network tab.
2 Click SLP Service and choose Show Registered Services.
3 Select a service and click Remove.
Setting Up Logs for SLP DA Service
SLP DA errors are logged automatically in the system log file.

Using the Attributes List
Services may advertise their presence on the network along with a list of attributes. These attributes are listed as a string encoding that follows a specific format. Directory agents use the attributes list to help match client requests with appropriate services. Here is an example of an attributes list for a network printer named Amazon. It’s an LPR printer located in the Research scope.
CHAPTER 17   Tools for Advanced Administrators
This chapter describes tools and techniques intended for use by experienced server administrators. The following table summarizes them.
The percent symbol (%) is called the prompt. It indicates that you can enter a command. Press the Return key after you type a command. Depending on what you typed, you may see a list of information followed by another prompt, or your command will execute and give you some feedback and a prompt, or you will receive no feedback and another prompt. No feedback usually means that the command was executed properly.

Opening an SSH Session
Open an SSH session and log in to a remote server when you manage the remote server using command-line tools.
To open an SSH session and log in to the server:
1 Open Terminal.
2 At the prompt, type ssh, then a hyphen, the flag l (lowercase L, for “login”), followed by the user name of an administrator of the remote server and the server’s IP address or host name; for example, ssh -l <administrator name> <server address>.
Understanding Key Fingerprints
The first time you log in to a server using SSH, your local computer adds a “fingerprint” from the remote server to a list of known remote host computers and displays a message:
The authenticity of host ‘192.168.12.12’ can’t be established.
RSA key fingerprint is a8:0d:27:63:74:00:f1:04:bd:6a:e4:0d:a3:47:a8:f7.
Before you answer yes, compare the fingerprint shown with one obtained from the server by a route you trust (for example, read at its console); accepting an unverified key lets an impostor on the network path read and alter the session. If the fingerprint of a server you have connected to before changes unexpectedly, stop and find out why before removing the old entry from the known hosts list.
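The fingerprint in that message is not arbitrary: it is the MD5 digest of the server’s public key, the same bytes that land base64-encoded in your known hosts list after you accept it. The following Python is an added example written for this edit, not code from Mac OS X Server or OpenSSH; it rebuilds that digest from a known_hosts entry and compares it with a fingerprint obtained out of band, so the check described above can be scripted. The key in it is a constructed toy with a tiny modulus, not a real RSA key, and the known_hosts line is built from that toy.

```python
"""Compute and check an OpenSSH host-key fingerprint from a known_hosts entry.

Added example, not code from the Mac OS X Server guide or OpenSSH. The
16-byte, colon-separated value in the message quoted above is the MD5 digest
of the server's public-key blob, the same bytes that appear base64-encoded in
the known_hosts file after the first connection. These functions reproduce
that digest so a fingerprint can be checked against one obtained by another
route (for example read at the server's console with ssh-keygen) before the
host is trusted. The key blob here is a constructed toy with a tiny modulus,
not a real RSA key; the known_hosts line is built from it.
"""
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """SSH wire-format mpint: minimal big-endian bytes, 0x00-prefixed if the
    high bit is set so the value stays positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e, n):
    """Encode an ssh-rsa public key as OpenSSH stores it: "ssh-rsa", e, n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob):
    """The a8:0d:27:... form shown by ssh in 2002 and by ssh-keygen -l -E md5 today."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def parse_known_hosts_line(line):
    """(host, key type, decoded key blob) from one known_hosts line."""
    host, keytype, b64 = line.split()[:3]
    return host, keytype, base64.b64decode(b64)


def host_key_matches(known_hosts_line, expected_fingerprint, expected_host):
    """True only if the entry is for expected_host, is an RSA key, and its
    MD5 fingerprint equals the one obtained out of band."""
    host, keytype, blob = parse_known_hosts_line(known_hosts_line)
    if host != expected_host or keytype != "ssh-rsa":
        return False
    return md5_fingerprint(blob) == expected_fingerprint.strip().lower()


# Constructed toy key (NOT a real RSA key: the modulus is far too small).
TOY_BLOB = rsa_public_blob(65537, 0xC0FFEE0DDBA5EBA11)
KNOWN_HOSTS_LINE = "192.168.12.12 ssh-rsa " + base64.b64encode(TOY_BLOB).decode("ascii")

if __name__ == "__main__":
    print("fingerprint:", md5_fingerprint(TOY_BLOB))
    print("matches:", host_key_matches(KNOWN_HOSTS_LINE, md5_fingerprint(TOY_BLOB), "192.168.12.12"))
```

Real known_hosts entries may list several names for one key separated by commas, and newer OpenSSH releases print SHA256 fingerprints by default; “ssh-keygen -l -E md5 -f <public key file>” on the server produces the MD5 form that this code and the 2002-era message use.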
createhomedir
Use createhomedir to create AFP or NFS home directories for one or more users.
• This tool is especially useful just after creating a large number of users you want to have a home directory.
• Using createhomedir is the only way to automate the creation of NFS home directories.
See “Using createhomedir to Create Home Directories” on page 165 for more information about createhomedir.

There are several additional parameters you can specify. Refer to the comments in the configuration files for information about all the parameters and how to set them. The scripts ignore all log files except those for which at least one threshold is present in the configuration file. To configure the scripts on a server from a remote Mac OS X computer, open a Terminal window and log in to the remote server using SSH.

• If you want to provide your own alert and recovery scripts, you can. Put your alert script in /etc/diskspacemonitor/action/alert.local and your recovery script in /etc/diskspacemonitor/action/recovery.local. Your scripts will be executed before the default scripts when the thresholds are reached. To configure the scripts on a server from a remote Mac OS X computer, open a Terminal window and log in to the remote server using SSH.
Using installer
Here are the parameters that installer accepts.

-plist formats the installer tool’s output as XML, which is sent by default to standard output. You use this parameter with -pkginfo and -volinfo.
-file pathToFile specifies the path to an XML file containing parameter information. This file can be used instead of the command-line parameters and supersedes any parameters on the command line (for example, installer -file /temp/configfile.plist).

Full Operating System Installation
If you have to install the operating system on a remote Mac OS X Server, you can use the installer tool to do so.
To use installer to install a full operating system:
1 Insert a bootable CD and start up the server from the CD. (You can’t install an operating system onto the current startup volume.

6 Type one of these commands to restart the server:
/sbin/reboot
/sbin/shutdown -r now
(shutdown requires a time argument; now restarts immediately.)
softwareupdate
You use softwareupdate to find new versions of software and install them on a remote server.
To use softwareupdate:
1 Open Terminal on a Mac OS X Server or administrator computer and log in to the remote server using SSH.
2 At the prompt, type “softwareupdate”. Available updates are listed.
Working With Server Identity and Startup
You can use systemsetup to set information about a remote server and specify how to handle its startup:
• To set the computer name, which is used by file sharing and AppleTalk, type “systemsetup -setcomputername” followed by the name you want.
• To retrieve the current startup disk for the server, type “systemsetup -getstartupdisk”. Type “systemsetup -liststartupdisks” to list all available disks.

networksetup
Use networksetup to configure network services on a remote Mac OS X Server. A network service is a complete collection of settings for a specific network hardware port. “Built-in Ethernet” is an example of a network service. You may have one or several network services for a given hardware port.

Retrieving Your Server’s Network Configuration
You can use networksetup to find out about the network services on a remote server:
• To display a list of network services in the order in which they are contacted for a connection, along with the corresponding ports and devices, type “networksetup -listnetworkserviceorder”. An asterisk (*) next to a service means the service is inactive.

Managing Network Services
You can use networksetup to create or rename network services, turn them on or off, remove them, and change the order in which they’re contacted. This application is also useful for displaying the names of hardware ports:
• To display all hardware port names, type “networksetup -listallhardwareports”.
SNMP support in Mac OS X Server is turned off by default. To turn it on, use TextEdit or another application to edit the /etc/hostconfig file on the server. If you turn SNMP on, run the snmpconf command to enter site-specific information, such as system location and admin email address, and set your own community strings when snmpconf prompts for them: an agent that answers a well-known community string such as “public” lets anyone who can reach it read the server’s configuration. Type “man snmpconf” in a Terminal window to learn about snmpconf. You can find SNMP information and tools on the Net-SNMP Home Page, located at www.
Note: IP failover only allows a secondary server to acquire a primary server’s IP address. You need additional software tools such as rsync to provide capabilities such as mirroring the primary server’s data on the secondary server. See the rsync man page for more information.
Requirements
IP failover is not a complete solution, but rather one tool you can use to increase your server’s availability to your clients.

Normal operation and failover operation are illustrated in the following two diagrams. (Diagrams, described in text:) In normal operation, the primary server (running the Web server) is attached to the network hub through en0 with public address 100.0.0.10, and the secondary server (which mirrors the primary’s content but does not run the Web server software) is attached through en0 with public address 100.0.0.11; the two servers are also connected directly to each other by a crossover cable between their en1 ports, using the private addresses 10.0.0.1 and 10.0.0.2. In failover operation, the primary server is unreachable and the secondary server answers on the hub for both 100.0.0.10 and 100.0.0.11.

Enabling IP Failover
You enable IP failover by adding command lines to the file /etc/hostconfig on the primary and the secondary server. Be sure to enter these lines exactly as shown with regard to spaces and punctuation marks. Before enabling IP failover, verify on both servers that the port used for the public network appears at the top of the Network Port Configurations list in the Network pane of System Preferences.

7 Reconnect the primary server to the private network, wait fifteen seconds, then reconnect the primary server to the public network.
8 Verify that the secondary server relinquishes the primary server’s public IP address.
Always be sure that the primary server is up and functioning normally before you activate IP failover on the secondary server.

• PreAcq: run before acquiring the IP address from the primary server
• PostAcq: run after acquiring the IP address from the primary server
• PreRel: run before relinquishing the IP address back to the primary server
• PostRel: run after relinquishing the IP address back to the primary server
You may have more than one script at each stage. The scripts in each prefix group are run in the order their file names would appear in a directory listing using the ls command.
When you enable journaling on a disk, a continuous record of changes to files on the disk is maintained in the journal. If your server stops running because of a power failure or some other problem, the journal is used when you restart the server to restore the disk to a known good state. Although you may lose user data that was buffered at the time of the failure, the file system is returned to a consistent state.

5 To disable journaling, select the Information tab, then click Remove Journaling.
Enabling Journaling Using diskutil or newfs_hfs
You can use diskutil or newfs_hfs from the command line to enable journaling.
To enable journaling using command-line tools:
1 Log in to the server whose disk you want to set up for journaling as an administrator.
2 Make sure the server is in a quiescent state.
3 Open the Terminal application.

To disable journaling for a volume called MyDisk, type “sudo /usr/sbin/diskutil disableJournal /Volumes/MyDisk”.
Repairing a Journaled Volume
You can check and repair a journaled volume using fsck_hfs from the command line.
To repair a journaled disk:
1 Log in to the server with the journaling disk as an administrator.
2 Make sure the server is in a quiescent state.
3 Open the Terminal application.
3 In the New Keychain Passphrase dialog that appears, enter a passphrase or password for the keychain you are creating; enter it a second time to verify it; and click OK. Remember this passphrase, because later you must supply it again.
4 When “Enter key and certificate label:” appears in the Terminal window, type a one-word key, a blank space, and a one-word certificate label; then press Return.

10 Type y when asked to confirm the selected algorithm, then press Return.
You have selected algorithm RSA with SHA1. OK (y/anything)?
11 Enter a phrase or some random text when prompted to enter a challenge string, then press Return.
...creating CSR...

Importing an SSL Certificate Into the Keychain
To import an SSL certificate into a keychain, use the command-line tool certtool. This continues the configuration of mail service for automatic SSL connections.
1 Log in to the server as root.
2 Open the Terminal application.
3 Go to the directory where the saved certificate file is located.

6 In the Terminal application, change the access privileges of the passphrase file so that only root can read and write it. Do this by typing the following two commands, pressing Return after each one:
cd /private/var/root/Library/Keychains/
chmod 600 certkc.pass
Confirm the result with “ls -l certkc.pass”, which should show mode -rw------- and owner root. This file unlocks the keychain holding the server’s private key, so any wider permission exposes the key.
The mail service of Mac OS X Server 10.2 can now use SSL for secure IMAP connections.
7 Log out as root.
10 If the server has a shared NetInfo domain, enter the following command line in the Terminal application to set the Authentication Manager password for the root user account of the shared domain, where the domain’s NetInfo tag is “network”:
sudo NeST -settimpassword network root <password>
When typing this command line, substitute the root user’s actual password for <password>. Be aware that a password given as a command-line argument can be seen by other users in the process list (ps) while the command runs and may be saved in the shell’s history file; clear the history afterward if your shell keeps one.
APPENDIX A   Data Requirements of Mac OS X Directory Services
This appendix specifies the standard record types and attributes of Mac OS X directory services. (Mac OS X directory services attributes are also called data types.) The following list summarizes the specifications in this appendix:
User Data That Mac OS X Server Uses (p. 622)
Standard Attributes in User Records (p. 623)
Format of MailAttribute in User Records (p.

User Data That Mac OS X Server Uses
The following table describes how your Mac OS X Server uses data from user records in directory domains. Consult this table to determine the attributes, or data types, that your server’s various services expect to find in user records of directory domains.

Standard Attributes in User Records
The following table specifies facts about the standard attributes, or data types, found in user records of Mac OS X directory services. Use these facts when mapping LDAP or Active Directory domains to Mac OS X directory services.
NFSHomeDirectory: local file system path to the user’s home directory
  Format: UTF-8 text; non-zero length; maximum 255 bytes
  Sample value: /Network/Servers/example/Users/K-M/Tom King

MailAttribute: a user’s mail service configuration (refer to “Format of MailAttribute in User Records” on page 629 for information on individual fields in this structure)
  Format: structured text
  Sample values: kAttributeVersion Apple Mail 1.0; kAutoForwardValue user@example.

AdminLimits: the privileges allowed by Workgroup Manager to a user that can administer the directory domain
  Format: UTF-8 XML plist, single value
Password: the user’s password
  Format: UNIX crypt hash. A crypt hash can be attacked offline by anyone able to read the record; Password Server authentication (see AuthenticationAuthority) keeps the password verifier out of the directory record.
Picture: file path to a recognized graphic file to be used as a display picture for the user
  Format: UTF-8 text; maximum 255 bytes
Comment: any documentation you like
  Format: UTF-8 text
  Sample value: John is in charge of product marketing.

AuthenticationAuthority: describes the user’s authentication methods, such as Password Server or basic (crypt); not required for a user with only a basic password; absence of this attribute signifies legacy authentication (crypt and Authentication Manager, if it is available).
Format of MailAttribute in User Records
Ensure that the MailAttribute of each user record that your server will retrieve from an LDAP or Active Directory server is in the format described in the following table. If any field contains an incorrect value, the MailAttribute is ignored (in other words, treated as if MailAccountState were "Off").

AutoForwardValue: a required field only if MailAccountState has the value "Forward." The value must be a valid RFC 822 email address. Sample value: kAutoForwardValue user@example.com

NotificationState: an optional keyword describing whether to notify the user whenever new mail arrives.

SeparateInboxState: an optional case-insensitive keyword indicating whether the user manages POP and IMAP mail using different inboxes. If provided, it must be set to one of these values: "OneInbox" or "DualInbox." If this value is missing, the value "OneInbox" is assumed.
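An added example, not code from the guide or from Apple, of how a mail service could derive a user's effective mail configuration from the MailAttribute fields described above, including the rule that one incorrect field causes the whole attribute to be treated as "Off". The requirement that AttributeVersion equal "Apple Mail 1.0", the "Enabled" account state, and the simplified RFC 822 address check are assumptions.

```python
import re

# Simplified RFC 822 address check (no comments, quoting or source routes).
# This is an assumption, not the check the guide specifies.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# "Off" and "Forward" appear in the table above; "Enabled" is assumed.
VALID_ACCOUNT_STATES = {"Off", "Enabled", "Forward"}
# SeparateInboxState is case-insensitive; normalise to the documented spelling.
VALID_INBOX_STATES = {"oneinbox": "OneInbox", "dualinbox": "DualInbox"}

# Result applied when the attribute is ignored: MailAccountState "Off",
# no forwarding address, and the default "OneInbox".
IGNORED = ("Off", None, "OneInbox")


def effective_mail_config(fields):
    """Return (MailAccountState, AutoForwardValue, SeparateInboxState) as the
    mail service would apply them to one user record. `fields` is a dict of
    MailAttribute field names to string values (a constructed input shape)."""
    # Assumed rule: the attribute must carry the known version string.
    if fields.get("AttributeVersion") != "Apple Mail 1.0":
        return IGNORED
    state = fields.get("MailAccountState")
    if state not in VALID_ACCOUNT_STATES:
        return IGNORED
    forward = fields.get("AutoForwardValue")
    if state == "Forward":
        # Required here, and must be a valid address.
        if not forward or not _ADDR_RE.match(forward):
            return IGNORED
    elif forward is not None and not _ADDR_RE.match(forward):
        # Present but malformed: an incorrect value, so the attribute is ignored.
        return IGNORED
    inbox_raw = fields.get("SeparateInboxState")
    if inbox_raw is None:
        inbox = "OneInbox"  # missing value: "OneInbox" is assumed
    else:
        inbox = VALID_INBOX_STATES.get(inbox_raw.lower())
        if inbox is None:
            return IGNORED  # not "OneInbox"/"DualInbox": incorrect value
    return (state, forward if state == "Forward" else None, inbox)
```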
Standard Attributes in Group Records
The following table specifies facts about the standard attributes, or data types, found in group records of Mac OS X data services. Use these facts when mapping LDAP or Active Directory domains to Mac OS X directory services.

RecordName: name associated with a group. Format: ASCII characters A–Z, a–z, 0–9, _. Sample values: Science, Science_Dept, Science.

Member: same data as GroupMembership, but each is used by different services of Mac OS X Server. Format: ASCII characters A–Z, a–z, 0–9, _, -. Sample values: bsmith, jdoe. Can be an empty list (normally for users' primary group).
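An added example, not code from the guide or from Apple, that checks a group record against the RecordName and Member formats above and reports when Member and GroupMembership disagree, since services that read one attribute would then see a different membership from services that read the other. The dict input shape and the assumption that GroupMembership uses the same character set as Member are constructed for this example.

```python
import re

# Character sets from the table above.
_RECORDNAME_RE = re.compile(r"^[A-Za-z0-9_]+$")
_MEMBER_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def check_group_record(record):
    """Return a list of problems found in one group record (empty means clean).
    `record` maps attribute names to values: RecordName is a string, Member and
    GroupMembership are lists of user record names (constructed input shape)."""
    problems = []
    name = record.get("RecordName", "")
    if not _RECORDNAME_RE.match(name):
        problems.append(
            f"RecordName {name!r}: only A-Z, a-z, 0-9 and _ are allowed")

    members = record.get("Member", [])
    membership = record.get("GroupMembership", [])
    # Same character rules assumed for both attributes ("same data").
    for attr, values in (("Member", members), ("GroupMembership", membership)):
        for value in values:
            if not _MEMBER_RE.match(value):
                problems.append(
                    f"{attr} entry {value!r}: only A-Z, a-z, 0-9, _ and - are allowed")

    # Empty lists are legitimate (a user's primary group), but the two lists
    # must agree; otherwise group-based access decisions differ by service.
    if set(members) != set(membership):
        only_member = sorted(set(members) - set(membership))
        only_membership = sorted(set(membership) - set(members))
        problems.append(
            "Member/GroupMembership mismatch: "
            f"only in Member {only_member}, only in GroupMembership {only_membership}")
    return problems


def check_group_records(records):
    """Map each group's RecordName to its problem list, keeping only groups
    that have at least one problem."""
    report = {}
    for record in records:
        problems = check_group_record(record)
        if problems:
            report[record.get("RecordName", "")] = problems
    return report
```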
Standard Attributes in Computer Records
The following table specifies facts about the standard attributes, or data types, found in computer records of Mac OS X data services. Computer records associate the hardware address of a computer's Ethernet interface with a name for the computer. The name is part of a computer list record (much as a user is in a group).

Standard Attributes in Computer List Records
The following table specifies facts about the standard attributes, or data types, found in computer list records of Mac OS X data services. A computer list record identifies a group of computers (much as a group record identifies a collection of users). Use these facts when mapping LDAP or Active Directory domains to Mac OS X directory services.

Standard Attributes in Mount Records
The following table specifies facts about the standard attributes, or data types, found in mount records of Mac OS X data services. Use these facts when mapping LDAP or Active Directory domains to Mac OS X directory services.

Standard Attributes in Config Records
The following table specifies facts about the standard attributes, or data types, found in config records of Mac OS X data services. Mac OS X Server version 10.2 uses two types of config records:
- The mcx_cache record always has the RecordName of mcx_cache. It also uses RealName and DataStamp to determine whether the cache should be updated or the server settings ignored.
- In another scenario, a Mac OS X Server hosts AFP home directories for Mac OS X users whose accounts are stored in an Active Directory domain. When users log in to Mac OS X client computers, they are authenticated using Active Directory information and their home directories are mounted. After login is complete, they can access their home directories from the Finder by choosing Home from the Go menu or clicking Home in a Finder window.

Step 1: Connect to Mac OS X Server
After logging in to a Mac OS 9 or Mac OS X computer, the user requests an Apple file service connection with Mac OS X Server. First, the user identifies the server, usually by using the Chooser on a Mac OS 9 computer or choosing Connect to Server from the Go menu on a Mac OS X computer. Then the user authenticates with Apple file service by entering a name and password.
[Figure labels: 10.43.12.40 bigmac.corp.apple.]

In this example, the user records reside in an Active Directory domain on a Windows 2000 server. The name of the Windows server is supergirl.corp.apple.com, and its IP address is 10.43.12.172. A search base indicates the location of the user records in the Active Directory domain.

Step 3: Access files
The user sees a list of accessible share points and selects the ones of interest. Selected share points are mounted on the user's desktop.
The following figure illustrates this scenario. A user has access to his or her home directory on Mac OS X Server after logging in to a Mac OS X computer and being authenticated using Active Directory information.

In this example, the user and mount records reside in an Active Directory domain on a Windows 2000 server. Search bases indicate the locations of user records and mount records in the Active Directory domain.

Step 2: Request authorization to mount the home directory
The Mac OS X client computer then sends the user's information to the Mac OS X Server hosting the home directory. The client requests authorization to mount the home directory.

Step 4: Access the home directory
The home directory is now mounted and visible on the user's computer in the Mac OS X Finder, and login is complete. The home directory appears under the name of the Mac OS X Server in the Servers directory of the Network Globe. In this example, the home directory appears under /Network/Servers/bigmac/Homes.

The following tables summarize the Active Directory data needed to support the AFP file server scenario.
Glossary
This glossary defines terms and spells out abbreviations you may encounter while working with online help or the "Mac OS X Server Administrator's Guide." References to terms defined elsewhere in the glossary appear in italics.

A, B
administrator: A user with server or directory domain administration privileges. Administrators are always members of the predefined "admin" group.

CGI: A script or program that adds dynamic functions to a Web site. A CGI sends information back and forth between a Web site and an application that provides a service for the site. For example, if a user fills out a form on the site, a CGI could send the message to an application that processes the data and sends a response back to the user.

dynamic IP address: An IP address that is assigned for a limited period of time or until the client computer no longer needs the IP address.
everyone: Any user who can log in to a file server: a registered user or guest, an anonymous FTP user, or a Web site visitor.
export: The Network File System (NFS) term for sharing.

F, G
A "screening" method used to control access to your server.

I, J, K
IANA (Internet Assigned Numbers Authority): An organization responsible for allocating IP addresses, assigning protocol parameters, and managing domain names.
ICMP: A message control and error-reporting protocol used between host servers and gateways. For example, some Internet software applications use ICMP to send a packet on a round-trip between two hosts to determine round-trip times and discover problems on the network.

M
mail host: The computer that provides your mail service.
managed client: A user, group, or computer whose access privileges and/or preferences are under administrative control.
System or application preferences that are under administrative control. Server Manager allows administrators to control settings for certain system preferences for Mac OS X managed clients.

Network File System (NFS): A client/server protocol that uses TCP/IP to allow remote users to access files as though they were local. NFS exports shared volumes to computers according to IP address, rather than user name and password.
The process of installing systems and software on Mac OS X client computers over the network. Software installation can occur with an administrator attending the installations or completely unattended.

preferences cache: A storage place for computer preferences and preferences for groups associated with that computer. Cached preferences help you manage local user accounts on portable computers.
presets: Initial default attributes you specify for new accounts you create using Server Manager. You can use presets only during account creation.
primary group: A user's default group.

search policy: A list of directory domains searched by a Mac OS X computer when it needs configuration information; also the order in which domains are searched. Sometimes called a search path.
A file, hidden from regular system and application software, used by NetBoot to write system-related information while a client computer is running off a server-based system disk image.

T
TCP (Transmission Control Protocol): A method used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. IP takes care of handling the actual delivery of the data, and TCP takes care of keeping track of the individual units of data (called packets) into which a message is divided for efficient routing through the Internet.
The official reference implementation for Java Servlet 2.

W
WebDAV (Web-based Distributed Authoring and Versioning): A live authoring environment that allows client users to check out Web pages, make changes, and then check them back in while a site is running.
WebDAV realm: A region of a Website, usually a folder or directory, that is defined to provide access for WebDAV users and groups.
wildcard: A range of possible values for any segment of an IP address.