Mac OS X Server Command-Line Administration For Version 10.
K Apple Computer, Inc. © 2006 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Computer, Inc.
Contents

Preface  About This Guide
  Using This Guide
  Understanding Notation Conventions
  Summary
  Commands and Other Terminal Text
  Command Parameters and Options
  Default Settings
  Commands Requiring Root Privileges
  Getting Documentation Updates
  Getting Additional Information

Chapter 1  Executing Commands
  Opening Terminal
  Specifying Files and Folders
  Modifying Flow Control
  Redirecting Input and Output
  Using Environment Variables

Chapter 2  Connecting to Remote Computers
  What is an SSH Man-in-the-Middle Attack?
  Controlling Access to SSH Service
  Connecting to a Remote Computer
  Using SSH
  Using Telnet

Chapter 3  Installing Server Software and Finishing Basic Setup
  Installing Server Software
  Locating Computers for Installation
  Specifying the Target Computer Volume
  Preparing the Target Volume for a Clean Installation
  Installing from Multiple CDs
  Restarting After Installation
  Automating Server Setup

Chapter 5  Setting General System Preferences
  Viewing or Changing Sleep Settings
  Viewing or Changing Automatic Restart Settings
  Changing the Power Management Settings
  Viewing or Changing the Startup Disk Settings
  Viewing or Changing the Sharing Settings
  Viewing or Changing Remote Login Settings
  Viewing or Changing Apple Event Response
  Viewing or Changing the International Settings
  Viewing and Changing the Login Settings

Chapter 6  Setting Network Preferences
  Computer Name
  Hostname
  Bonjour Name
  Managing Preference Files and the Configuration Daemon
  Changing Network Locations

Chapter 7  Working with Disks and Volumes
  Understanding Disks, Partitions, and the File System
  Mounting and Unmounting Volumes
  Mounting Volumes
  Unmounting Volumes
  Displaying Disk Information
  Monitoring Disk Space
  Reclaiming Disk Space Using Log-Rolling Scripts
  Erasing, Modifying, Verifying, and Re

Chapter 8
  Modifying a User Account
  Creating a Mobile User Account
  Managing Home Folders
  Administering Group Accounts
  Creating a Group Account
  Removing a Group Account
  Adding a User to a Group
  Removing a User from a Group
  Creating and Deleting Nested Group
  Editing Group Records
  Creating a Group Folder
  Viewing the Workgroup a User Selects at Login
  Importing Users and Groups
  Creating a Character-Delimi

Chapter 9
  Disconnecting AFP Users
  Canceling a User Disconnect
  Listing AFP Service Statistics
  Viewing AFP Log Files
  Managing the NFS Service
  Starting and Stopping NFS Service
  Checking NFS Service Status
  Viewing NFS Service Settings
  Changing NFS Service Settings
  Managing the FTP Service
  Starting FTP Service
  Stopping FTP Service
  Checking FTP Service Status
  Viewing FTP Servic

Chapter 10
  Pausing a Queue
  Listing Jobs and Job Information
  Holding a Job
  Viewing Print Service Log Files
  Viewing Cover Pages

Chapter 11  Working with NetBoot Service and System Images
  Understanding the NetBoot Service
  Starting and Stopping NetBoot Service
  Checking NetBoot Service Status
  Viewing NetBoot Settings
  Changing NetBoot Settings
  Changing General Netboot Service Settings
  Storage Record Array
  Filters Record Array
  Imag

Chapter 12
  Obtaining an SSL Certificate
  Importing an SSL Certificate into the Keychain
  Accessing the Server Certificates
  Creating a Password File
  Configuring Mailboxes
  Enabling Sieve Scripting
  Enabling Sieve Support

Chapter 13  Working with Web Technologies
  Understanding Web Technology
  Managing the Web Service
  Starting and Stopping Web Service
  Checking Web Service Status
  Viewing Web Settings
  Changing Web Sett

Chapter 14
  Checking the Status of DNS Service
  Viewing DNS Service Settings
  Changing DNS Service Settings
  DNS Service Settings
  List of DNS serveradmin Commands
  Viewing the DNS Service Log
  Listing DNS Service Statistics
  Configuring IP Forwarding
  Managing the Firewall Service
  Firewall Startup
  Starting and Stopping Firewall Service
  Checking the Status
  Enabling IP Failover
  Configuring IP Failover
  Enabling PPP Dial-In
  Restoring the Default Configuration for Server Services

Chapter 15  Working with Open Directory
  Understanding Open Directory
  Using General Directory Tools
  Testing Your Open Directory Configuration
  Modifying a Directory Domain
  Testing Open Directory Plug-ins
  Registering URLs with SLP
  Changing Open Directory Service Set

Chapter 16
  Viewing Service Logs
  Forcing QTSS to Reread its Preferences
  Preparing Older Home Folders for User Streaming
  Configuring Streaming Security
  Resetting the Streaming Server Admin User Name and Password
  Controlling Access to Streamed Media
  Creating an Access File
  Accessing Protected Media
  Adding User Accounts and Passwords
  Adding or Deleting Groups
  Making Changes to the User or Group File
  Manipulating QuickTime and MP4 Movies
  Creating Reference Movies
Preface
About This Guide
This guide describes Mac OS X Server’s command-line interface tools and commands, including the syntax, purpose, and parameters, as well as examples of usage and any output that they generate. This guide is written for system administrators familiar with administering and managing servers, storage, and networks. Beneath the interface of Mac OS X is a core operating system commonly known as Darwin. Darwin integrates a number of technologies, most importantly Mach 3.
Using This Guide
This guide describes commands that perform functions used to configure and manage Mac OS X computers. Chapters in this guide describe sets of commands that work for specific aspects of the operating system. Use this guide to:
• Learn which commands are available for specific tasks
• Learn how the commands work, and how to execute them
• Review examples of command usage
Understanding Notation Conventions
The following conventions are used throughout this book.
Parameters You Must Enter as Shown If you must enter a parameter as shown, it appears following the command in the same font. For example: $ doit -w later -t 12:30 To use the command in this example, enter the entire line as shown (without the $ and space). Parameter Values You Provide If you must provide a value, its placeholder is italicized and has a name that indicates what you need to provide.
Getting Documentation Updates Periodically, Apple posts revised guides and solution papers. To download the latest guides and solution papers in PDF format, go to the Mac OS X Server documentation webpage: www.apple.com/server/documentation. Getting Additional Information For more information, consult these resources: Read Me documents—Important updates and special information. Look for them on the server discs. Man pages (developer.apple.
This guide ... tells you how to:
Mac OS X Server File Services Administration for Version 10.4 or Later: Share selected server volumes or folders among server clients using these protocols: AFP, NFS, FTP, and SMB/CIFS.
Mac OS X Server Print Service Administration for Version 10.4 or Later: Host shared printers and manage their associated queues and print jobs.
Mac OS X Server System Imaging and Software Update Administration for Version 10.
Mac OS X Server Xgrid Administration for Version 10.4 or Later: Manage computational Xserve clusters using the Xgrid application.
Mac OS X Server: Interpret terms used for server and storage products.
1 Executing Commands
In this chapter you will find out how to execute commands and view online information about commands and tools. A command-line interface is a way for you to manipulate your computer in situations where a graphical approach is not available. The Terminal application is the Mac OS X gateway to the BSD command-line interface (UNIX shell command prompt). Each window in Terminal contains a complete execution context, called a shell, that is separate from all other execution contexts.
For example, if you’re using the default bash shell and the prompt displays as
server1:~ anne$
you are logged in to a computer named “server1” as the user named “anne,” and your current folder is anne’s home folder (~). Throughout this manual, wherever a command is shown as you might enter it, the prompt is abbreviated as $.
Specifying Files and Folders
Most commands operate on files and folders, the locations of which are identified by paths.
Modifying Flow Control
Many commands are capable of receiving text input from the user and printing text out to the console. They do so using standard pipes, which are created by the shell and passed to the command automatically. The standard pipes include:
• stdin—The standard input pipe is the means through which data enters a command. By default, this is data entered by the user from the command-line interface. You can also redirect the output from files or other commands to stdin.
Using Environment Variables Some commands require the use of environment variables for their execution. Environment variables are variables inherited by all commands executed in the shell’s context. The shell itself uses environment variables to store information, such as the name of the current user, the name of the host computer, and the paths to any commands. You can also create environment variables and use them to control the behavior of your command without modifying the command itself.
Executing Commands and Running Tools To execute a command in the shell, you must enter the complete pathname of the tool’s executable file, followed by any arguments, and then press the Return key. If a command is located in one of the shell’s known folders, you can omit any path information and just enter the command name. The list of known folders is stored in the shell’s PATH environment variable and includes the folders containing most of the command-line tools.
Correcting Typing Errors
To correct a typing error before you press Return to execute the command, press Left Arrow or Right Arrow to skip over parts of the command you don’t want to change, press the Delete key to remove characters, enter regular characters to insert them, and finally press Return to execute the command. To ignore what you have entered and start again, press Control-U.
Important: As the root user, you have sufficient privileges to do things that can cause your server to stop working properly. Don’t execute commands as the root user unless you know what you’re doing. Logging in as an administrator user and using sudo selectively might prevent you from making unintended changes. Terminating Commands To terminate the currently running command, enter Control-C. This keyboard shortcut sends an abort signal to the command.
The following crontab entry schedules a scan operation to run and produce a summary at 23:50 every Sunday: 50 23 * * 0 /usr/local/vscanx --summary folder-name The following crontab entry schedules a scan operation to run on the uz folder at 10:15 a.m. every Saturday in accordance with options specified in a configuration file conf1: 15 10 * * 6 /usr/local/vscanx --load /usr/local/conf1 /uz The following crontab entry schedules a scan operation to run at 8:45 a.m.
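The following POSIX sh check is an added example, not text or code from the Apple guide. It validates a crontab entry like the ones above before the entry is installed: each of the five schedule fields must be `*`, an integer within range, or a `*/N` step, and the command must be given as an absolute path, because cron runs jobs with a minimal PATH and none of the user's shell setup. Lists and ranges (`1,15`, `1-5`) are deliberately not accepted by this checker.

```sh
#!/bin/sh
# Added example, not from the Apple guide: check a crontab line before
# installing it. Each of the five schedule fields must be '*', an integer
# in range, or a '*/N' step; the command must be an absolute path because
# cron runs jobs with a minimal PATH and none of the user's shell setup.

# cron_field_ok VALUE MIN MAX -> 0 if VALUE is acceptable for that field
cron_field_ok() {
    field=$1; lo=$2; hi=$3
    case $field in
        '*')
            return 0 ;;
        '*/'*)                      # step form, e.g. */15
            step=${field#*/}
            case $step in ''|*[!0-9]*) return 1 ;; esac
            [ "$step" -ge 1 ] && [ "$step" -le "$hi" ] ;;
        ''|*[!0-9]*)                # empty, or not a plain integer
            return 1 ;;
        *)
            [ "$field" -ge "$lo" ] && [ "$field" -le "$hi" ] ;;
    esac
}

# cron_line_ok 'MIN HOUR DOM MON DOW /abs/command args...' -> 0 if valid
cron_line_ok() {
    (
        set -f                      # keep '*' literal while splitting
        set -- $1
        [ $# -ge 6 ] || exit 1
        cron_field_ok "$1" 0 59 || exit 1    # minute
        cron_field_ok "$2" 0 23 || exit 1    # hour
        cron_field_ok "$3" 1 31 || exit 1    # day of month
        cron_field_ok "$4" 1 12 || exit 1    # month
        cron_field_ok "$5" 0 7  || exit 1    # day of week; 0 and 7 are Sunday
        case $6 in /*) exit 0 ;; *) exit 1 ;; esac
    )
}

# The guide's own entries pass; a relative command name is rejected.
for entry in \
    '50 23 * * 0 /usr/local/vscanx --summary folder-name' \
    '15 10 * * 6 /usr/local/vscanx --load /usr/local/conf1 /uz' \
    '50 23 * * 0 vscanx --summary folder-name'
do
    if cron_line_ok "$entry"; then echo "ok:       $entry"
    else echo "rejected: $entry"; fi
done
```

Run the check on each line you intend to add, then install the file with crontab; a rejected line usually means an out-of-range field or a command that cron's PATH would never find.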
When you use more or less, an information bar appears at the bottom of the screen. When you see the bar, you can press the Space bar to go to the next page, the B key to go back a page, or the Return key to scroll the file forward one line at a time. When you get to the end of a file, more will return you to the prompt and less will wait for you to press the Q key to quit. Several third-party Mac OS X applications are available for viewing formatted man pages in scrollable windows.
2 Connecting to Remote Computers
In this chapter you will find commands you can use to connect to remote computers. Connecting to remote computers helps you manage and configure resources efficiently. This chapter covers using SSH and Telnet to connect to remote computers.
Understanding Secure Shell
Secure Shell (SSH) lets you send secure, encrypted commands to a computer remotely, as if you were sitting at the computer.
You should be aware of the following SSH tools:
• sshd—Daemon that acts as a server to all other commands
• ssh—Primary user tool: remote shell, remote command, and port-forwarding sessions
• scp—Secure copy, a tool for automated file transfers
• sftp—Secure FTP, a replacement for FTP
Password-Less Logins Using SSH Keys
The standard method of SSH authentication is supplying login credentials in the form of a user name and password.
Copy the resultant public file, which contains the local computer’s public key, to the user’s home folder in .ssh/ on the remote computer. The next time you log in to the remote computer from the local computer you won’t need to enter a password. Note: If you are using an Open Directory user account and have already logged in using the account, you do not have to supply a password for SSH login.
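A check worth running on the remote computer after the key has been copied, added here as an example and not taken from the guide: with sshd's default StrictModes setting, an authorized_keys file is ignored, and the login silently falls back to a password prompt, when the file or the .ssh directory is writable by group or others (sshd also checks the home directory itself; this example covers the two paths the text mentions). The function reads the mode string from ls so it behaves the same on Mac OS X and other UNIX systems; the directory argument is whichever .ssh directory you want to inspect.

```sh
#!/bin/sh
# Added example, not from the Apple guide: confirm that a user's .ssh
# directory and authorized_keys file will be accepted by sshd. With the
# default StrictModes setting, sshd ignores authorized_keys when the file
# or the .ssh directory is writable by group or others, and the login
# silently falls back to a password prompt. The mode is read from ls so
# the check behaves the same on Mac OS X and other UNIX systems.

# mode_of PATH -> the 10-character mode string, e.g. drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# ssh_key_perms_ok SSHDIR -> 0 when SSHDIR and SSHDIR/authorized_keys
# exist and neither is writable by group or others
ssh_key_perms_ok() {
    dir=$1
    keys=$dir/authorized_keys
    [ -d "$dir" ]  || { echo "missing directory: $dir" >&2; return 1; }
    [ -f "$keys" ] || { echo "missing file: $keys" >&2; return 1; }
    # columns 6 and 9 of the mode string are the group and other write bits
    case $(mode_of "$dir") in
        d????-??-?) ;;
        *) echo "$dir is writable by group or others" >&2; return 1 ;;
    esac
    case $(mode_of "$keys") in
        -????-??-?) ;;
        *) echo "$keys is writable by group or others" >&2; return 1 ;;
    esac
    return 0
}

# Usage on the remote computer after copying the public key (the
# conventional modes are 700 for .ssh and 600 for authorized_keys):
ssh_key_perms_ok "$HOME/.ssh" \
    && echo "sshd will accept $HOME/.ssh/authorized_keys" \
    || echo "fix the permissions reported above, then retry the key login"
```

If the check fails, chmod 700 on the .ssh directory and chmod 600 on authorized_keys restores the conventional settings, and the next ssh connection should proceed without a password prompt.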
What is an SSH Man-in-the-Middle Attack? An attacker may be able to get access to your network and compromise proper routing information, such that packets intended for a remote computer are instead routed to the attacker who impersonates the remote computer to the local computer and the local computer to the remote computer. Here’s a typical scenario: A user connects to the remote computer using SSH.
Connecting to a Remote Computer You can connect to a remote computer using SSH (secure) or Telnet (non-secure). Using SSH Use the ssh tool to create a secure shell connection to a remote computer. To access a remote computer using ssh: 1 Open Terminal. 2 Enter the following command to log in to the remote computer, and then press Return: $ ssh -l username server where username is the name of an administrator user on the remote computer and server is the name or IP address of the remote computer.
Using Telnet Use the telnet tool to create a Telnet connection to a remote computer. Because it isn’t as secure as SSH, Telnet access is disabled by default. To enable Telnet access: $ service telnet start To disable Telnet access: $ service telnet stop You are strongly advised not to enable Telnet. When you log in using Telnet, your login information, user name, and password are passed along the Internet in clear text. In fact, your entire Telnet session is also passed along the Internet in clear text.
3 Installing Server Software and Finishing Basic Setup
In this chapter you will find commands you can use to install, set up, and update Mac OS X Server software on local or remote computers. Some computers come with Mac OS X Server software already installed. However, you might want to upgrade from a previous version, change a computer configuration, automate software installation, or completely refresh your server environment.
If the target computer is an Xserve with a built-in optical drive, start the computer using the first installation disc by following the instructions for starting from a system disc in the Xserve User’s Guide. If the target computer is an Xserve with no built-in optical drive, you can start it in target disk mode and insert the installation disc into the optical drive on your administrator computer.
Note: To locate computers, you must have booted the computer from the installation CD. To list computers on the local network: $ /System/Library/ServerSetup/sa_srchr 224.0.0.1 The sa_srchr tool uses the broadcast address 224.0.0.1 to request a response (via sa_rspndr) from all computers ready for installation or setup. The response from a ready computer would come from sa_rspndr running on a computer started up from the Mac OS X Server installation CD.
You can also use diskutil to partition the volume and to set up mirroring. For more information, see the diskutil man page or Chapter 7, “Working with Disks and Volumes,” on page 83. Important: Don’t store data on the hard disk partition where the operating system is installed. If you must store additional software or data on the system partition, consider mirroring the drive. With this approach, you won’t risk losing data if you need to reinstall or upgrade system software.
You can define generic setup data that can be used to set up any computer. For example, you might want to define generic setup data for a computer that’s on order, or to configure 50 Xserve computers you want to be identically configured. You can also save setup data that’s specifically tailored for a particular computer. Important: When you perform an upgrade installation, saved setup data is used and overwrites existing server settings.
• partial-IP-address-of-server.plist—For example, 10.0.plist (matches 10.0.0.4 and 10.0.1.2).
• generic.plist—A file that any server will recognize, used to set up servers that need the same setup values.
Server Assistant uses the file to set up the computer with the matching address, name, or serial number. If Server Assistant cannot find a file named for a particular computer, it will use the file named generic.plist.
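The following sh function is an added example, not code from the guide or from Server Assistant itself. It reproduces the lookup described above for a server with a given IP address: the file named for the full address, then files named for shorter address prefixes such as 10.0.plist, and finally generic.plist. Trying every prefix length and treating the most specific match as the winner is an assumption made here; files named for a host name or serial number are not considered.

```sh
#!/bin/sh
# Added example, not from the Apple guide: pick the Auto Server Setup file
# that applies to a server with a given IP address, using the fallback the
# guide describes: the full address, then shorter address prefixes such as
# 10.0.plist, and finally generic.plist. Trying every prefix length and
# treating the most specific match as the winner is an assumption made here;
# files named for a host name or serial number are not considered.

# setup_file_for IPADDR DIR -> prints the chosen file, returns 1 if none
setup_file_for() {
    ip=$1; dir=$2
    prefix=$ip
    while [ -n "$prefix" ]; do
        if [ -f "$dir/$prefix.plist" ]; then
            printf '%s\n' "$dir/$prefix.plist"
            return 0
        fi
        case $prefix in
            *.*) prefix=${prefix%.*} ;;   # 10.0.0.4 -> 10.0.0 -> 10.0 -> 10
            *)   prefix= ;;
        esac
    done
    if [ -f "$dir/generic.plist" ]; then
        printf '%s\n' "$dir/generic.plist"
        return 0
    fi
    echo "no setup file for $ip in $dir" >&2
    return 1
}

# Typical call; the volume name is a placeholder for the mounted setup disk.
setup_file_for 10.0.0.4 "/Volumes/SetupDisk/Auto Server Setup" \
    || echo "(no setup disk mounted on this computer)"
```

Because a partial-address file matches every server whose address starts with that prefix, run the function against each address you plan to deploy to confirm that a broad file such as 10.plist is not silently claiming servers you meant to set up individually.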
Working with an Encrypted Configuration File If the setup data in the configuration file is encrypted, make the passphrase available to the target computer or computers. You can supply the passphrase interactively using Server Assistant, or you can provide it in a text file. To provide a passphrase in a file: 1 Create a new text file and enter the passphrase for the saved setup file on the first line. 2 Save the file using one of the following names.
The following example shows the basic structure and contents of a configuration file for a computer with the following configuration:
• An administrator user named “Administrator” (short name “admin”) with a user ID of 501 and the password “secret”
• A computer name and host name of “server1.example.
0 DefaultScript 0 ResID 0 ResName U.S. ScriptID 0 NetworkInterfaces ActiveAT ActiveTCPIP DNSDomains example.com DNSServers 192.168.100.
ServiceNTP HostNTP HostNTPServer Local UseNTP ServicesAutoStart ARD Apache FTP File IChat Mail NetBoot QTSS SMB SWUPD WebDAV Weblog XgridA <
Storing a Configuration File in an Accessible Location Server Assistant looks for configuration files in the following location: /Volumes/vol/Auto Server Setup/ where vol is any device volume mounted in /Volumes.
Changing Server Settings After initial setup, you can use a variety of commands to view or change Mac OS X Server configuration settings and services. Using the serversetup Tool The serversetup tool is located in /System/Library/ServerSetup. To run it, you can enter the full path: $ /System/Library/ServerSetup/serversetup -getAllPort If you want to use the tool to perform several commands, you can change your working folder and enter a shorter command: $ cd /System/Library/ServerSetup $ .
• The default certificate format for SSLeay/OpenSSL is PEM. PEM format can contain private keys (RSA and DSA), public keys (RSA and DSA), and X.509 certificates. It stores data in Base64-encoded DER format with ASCII header and footer lines, which makes it suitable for text-mode transfers between computers. For some tools, you need the certificate in plain DER format. You can convert a PEM file (cert.pem) into the corresponding DER file (cert.der) with the following command: $ openssl x509 -in cert.
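To make the format description above concrete, here is the PEM-to-DER conversion done by hand in sh, as an added example rather than code from the guide: it strips the ASCII header and footer lines and Base64-decodes the body, which is exactly what the openssl x509 command with DER output does. It also refuses a file that carries a PRIVATE KEY block, since a PEM file can bundle a key with the certificate and such a file should not be converted and passed around as if it were only a certificate. The sample input is constructed (its body is the Base64 of a short byte string, not a real certificate), and a base64 command that accepts -d is assumed; on the 10.4 system the guide describes, use the openssl command shown above.

```sh
#!/bin/sh
# Added example, not from the Apple guide: PEM-to-DER conversion done by
# hand, to show what the guide's openssl x509 -outform DER command does:
# strip the ASCII header and footer lines and Base64-decode the body.
# It refuses a file that also carries a private key, since a cert.pem that
# bundles its key must not be handed around as if it were just a
# certificate. Uses only sed and base64 -d (assumed available).

# pem_to_der IN.pem OUT.der -> 0 on success, 1 if no certificate block or
# if the input also contains a private key
pem_to_der() {
    in=$1; out=$2
    if grep -q 'PRIVATE KEY-----' "$in"; then
        echo "$in contains a private key; extract the certificate first" >&2
        return 1
    fi
    grep -q '^-----BEGIN CERTIFICATE-----$' "$in" || {
        echo "no CERTIFICATE block in $in" >&2
        return 1
    }
    # print only the lines between BEGIN and END, dropping the markers
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/{
/^-----/d
p
}' "$in" | base64 -d > "$out"
}

# make_sample_pem PATH: a constructed PEM file whose "certificate" body is
# just the Base64 of a short byte string; a real file decodes to X.509 DER.
make_sample_pem() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf 'constructed-der-bytes' | base64
        echo '-----END CERTIFICATE-----'
    } > "$1"
}

# Demonstration on the constructed sample in a scratch directory.
work=$(mktemp -d)
make_sample_pem "$work/cert.pem"
if pem_to_der "$work/cert.pem" "$work/cert.der"; then
    printf 'DER bytes: '; cat "$work/cert.der"; echo
fi
rm -rf "$work"
```

For a real certificate, compare the output of this function with the file produced by the openssl command in the guide; the two should be byte-for-byte identical, which is a quick way to confirm that a PEM file contains a single certificate and nothing else.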
To validate a server software serial number: $ sudo serversetup -verifyServerSerialNumber serialnumber watermarkinformation Displays 0 if the serial number is valid, or 1 if the serial number is invalid. Serial numbers generated for the server can be generated with watermarks so that they can be tracked to a specific company, group, or individual.
This creates an environment variable named command_line_install that automates the update responses. See the softwareupdate man page for more information about the command. Moving a Server Try to place a server in its final network location (subnet) before setting it up for the first time. If you’re concerned about unauthorized or premature access, you can set up a firewall to protect the server while you’re finishing its configuration.
4 Restarting or Shutting Down a Computer
In this chapter you will find commands you can use to shut down or restart a local or remote computer. Computers often must be shut down or restarted, whether locally or remotely, when installing new tools or making computer repairs. This chapter covers the commands needed to shut down or restart a local or remote computer.
Restarting a Computer
You can use the reboot or shutdown -r command to restart a computer at a specific time.
Changing a Remote Computer’s Startup Disk
You can change a remote computer’s startup disk using SSH. To change the startup disk: Log in to the remote computer using SSH and enter:
$ bless -folder "/Volumes/disk/System/Library/CoreServices" -setBoot
Parameter   Description
disk        The name of the disk that contains the desired startup volume.
For information about using SSH to log in to a remote computer, see “Sending Commands to a Remote Computer” on page 28.
Monitoring and Restarting Critical Services
In earlier versions of Mac OS X, a daemon called watchdog monitored critical services and restarted them if they failed or quit unexpectedly after a computer restarted. The watchdog daemon relied on the configuration file watchdog.conf, located in /etc. In Mac OS X Server version 10.4, watchdog has been replaced by launchd. The launchd daemon manages other daemons, both for the computer as a whole and for individual users.
5 Setting General System Preferences
In this chapter you will find commands you can use to set system preferences, usually set using the System Preferences graphical application. You can use Mac OS X Server to manage the work environment of Mac OS X users by defining preferences. Preferences are settings that customize and control a user’s computer experience.
Viewing or Changing the System Date To view the current system date: $ sudo systemsetup -getdate or $ serversetup -getDate To set the current system date: $ sudo systemsetup -setdate mm:dd:yy or $ sudo serversetup -setDate mm/dd/yy Viewing or Changing the System Time To view the current system time: $ sudo systemsetup -gettime or $ serversetup -getTime To change the current system time: $ sudo systemsetup -settime hh:mm:ss or $ sudo serversetup -setTime hh:mm:ss Viewing or Changing the System Time Z
To enable or disable use of a network time server: $ sudo systemsetup -setusingnetworktime (on|off) To view the current network time server: $ sudo systemsetup -getnetworktimeserver To specify a network time server: $ sudo systemsetup -setnetworktimeserver timeserver Viewing or Changing the Energy Saver Settings You can use the systemsetup tool to view or change a server’s energy saver settings. These can also be changed using the Energy Saver pane of System Preferences.
To see if the system is set to restart after a system freeze:
$ sudo systemsetup -getrestartfreeze
To set the system to restart after a system freeze:
$ sudo systemsetup -setrestartfreeze (on|off)
Changing the Power Management Settings
You can use the pmset tool to change a variety of power management settings, including:
• Display dim timer
• Disk spindown timer
• System sleep timer
• Wake on network activity
• Wake on modem activity
• Restart after power failure
• Dynamic processor speed change
• Reduce
To change the current startup disk: $ sudo systemsetup -setstartupdisk path Viewing or Changing the Sharing Settings You can use the systemsetup tool to view or change Sharing settings. These can also be set using the Sharing pane of System Preferences. Viewing or Changing Remote Login Settings You can use SSH to log in to a remote server if remote login is enabled.
Viewing and Changing the Login Settings You can enable or disable the Restart and Shutdown buttons that appear in the login dialog. To disable or enable the Restart and Shutdown buttons in the login dialog: $ sudo serversetup -setDisableRestartShutdown (0|1) 0 disables the buttons and 1 enables the buttons.
6 Setting Network Preferences
In this chapter you will find commands you can use to change the network settings on a server. Mac OS X Server provides command-line control to manage servers in a mixed-platform environment and to configure, deploy, and manage powerful network services. These tools make it easy to configure and maintain core network services, while providing the advanced features and functionality required by experienced IT professionals.
Managing Network Interface Information This section describes commands you address to a specific hardware device (for example, en0) or port (for example, Built-in Ethernet). If you prefer to work with network port configurations following the approach used in the Network preferences pane of System Preferences, see the commands in “Managing Network Port Configurations” on page 65.
Viewing or Changing Media Settings To view the media settings for a port: $ sudo networksetup -getMedia (devicename|"portname") To list valid media settings for a port: $ sudo networksetup -listValidMedia (devicename|"portname") To change the media settings for a port: $ sudo networksetup -setMedia (devicename|"portname") subtype [option1] [option2] [...
To change the order of the port configurations: $ sudo networksetup -ordernetworkservices config1 config2 [config3] [...] Managing TCP/IP Settings TCP/IP is a set of layered protocols that allow shared applications between computers on a high-speed network. You can use the following commands to change the TCP/IP settings of a server. Changing a Server’s IP Address Changing a server’s IP address isn’t as simple as changing the TCP/IP settings.
To change a server’s IP address:
1 Run the changeip tool:
$ changeip [(directory|-)] old-ip new-ip [old-hostname new-hostname]
Parameter                 Description
directory                 If the server is an Open Directory master or replica, or is connected to a directory system, you must include the path to the directory domain. For a standalone server, enter “-” instead.
old-ip                    The current IP address.
new-ip                    The new IP address.
old-hostname (optional)   The current DNS host name of the server.
To list TCP/IP settings for a configuration: $ sudo networksetup -getinfo "configuration" For example, for Built-In Ethernet, the computer responds with the following output: $ networksetup -getinfo "Built-In Ethernet" Manual Configuration IP Address: 192.168.10.12 Subnet mask: 255.255.0.0 Router: 192.18.10.
Viewing or Changing DNS Servers You can use the serversetup tool to view and modify the Domain Name Server (DNS) settings. To view the DNS servers for port en0: $ serversetup -getDefaultDNSServer (devicename|"portname") To change the DNS servers for port en0: $ sudo serversetup -setDefaultDNSServer (devicename|"portname") server1 [server2] [...
Enabling TCP/IP Use the serversetup tool to enable or disable TCP/IP on a computer. To enable TCP/IP on a particular port: $ serversetup -EnableTCPIP [(devicename|"portname")] If you don’t provide an interface, en0 is assumed. To disable TCP/IP on a particular port: $ serversetup -DisableTCPIP [(devicename|"portname")] If you don’t provide an interface, en0 is assumed.
Configuring a Network Interface You can configure a network interface for TCP/IP using ifconfig. This tool is used to bring the interface up or down and set the interface IP address and subnet mask. To add an Ethernet interface to a bond virtual device (pseudo device): $ ifconfig bond_interface_name bondev physical_interface The bond_interface_name is the name of the pseudo device and the physical_interface is the actual Ethernet interface you want to associate with the pseudo device, for example, en0.
To display a bond status: $ sudo networksetup -showBondStatus bond Managing AppleTalk Settings AppleTalk is a suite of protocols developed to implement file sharing, mail service, and printing between Apple computers. Use the serversetup tool to enable or disable AppleTalk. To enable AppleTalk on a particular port: $ serversetup -EnableAT [(devicename|"portname")] If you don’t provide an interface, en0 is assumed.
Installing SNMP
To use SNMP for monitoring or data collection, an SNMP agent (snmpd) must be running on the monitored Mac OS X Server host computer. Mac OS X Server version 10.1.5 or later includes a version of SNMP (UCD-SNMP v. 4.2.3 or later). If you do not have the file /usr/sbin/snmpd, then SNMP is not installed. Mac OS X Server version 10.1.4 or earlier requires that SNMP be built and installed. Mac OS X Server v10.1.5 or later Admin CDs include the SNMP package on the CD used to install UCDSNMP 4.2.
To start SNMP on Mac OS X 10.4 client computers by modifying the hostconfig file (Mac OS X 10.4 client systems already have the SNMPSERVER=-NO- line in their hostconfig file by default):
1 Open the /etc/hostconfig file.
2 Locate the line: SNMPSERVER=-NO-
3 Change NO to YES.
4 Save the file.
Note: Systems running Mac OS X Server version 10.3 or earlier will need to have the line added.
To customize the data provided by snmpd, you may add an snmpd.conf file using /usr/bin/snmpconf: $ sudo /usr/bin/snmpconf -i You will then see a series of text menus. Make these choices in this order: 1 Select File: 1 (snmpd.
To gather SNMP information in bulk:
$ sudo snmpwalk -v 1 -c public localhost
This will list multiple entries of SNMP data similar to the following output, where system name and location are defined in the snmpd.conf file.
SNMPv2-MIB::sysName.0 - system name
SNMPv2-MIB::sysLocation.0 - system location
SNMPv2-MIB::sysUpTime.0 - time in 1/100ths of a second since the last system start
To retrieve specific SNMP management values, use the snmpget tool as shown in the following examples.
To enable or disable the FTP proxy for a configuration: $ sudo networksetup -setftpproxystate "configuration" (on|off) Viewing or Changing Web Proxy Settings To view the web proxy information for a configuration: $ sudo networksetup -getwebproxy "configuration" To set the web proxy information for a configuration: $ sudo networksetup -setwebproxy "configuration" domain portnumber To enable or disable the web proxy for a configuration: $ sudo networksetup -setwebproxystate "configuration" (on|off) Viewin
Viewing or Changing SOCKS Firewall Proxy Settings To view the SOCKS firewall proxy information for a configuration: $ sudo networksetup -getsocksfirewallproxy "configuration" To set the SOCKS firewall proxy information for a configuration: $ sudo networksetup -setsocksfirewallproxy "configuration" domain portnumber To enable or disable the SOCKS firewall proxy for a configuration: $ sudo networksetup -setsocksfirewallproxystate "configuration" (on|off) Viewing or Changing Proxy Bypass Domains To list the
Managing the Computer, Host, and Bonjour Names
These names are used by networking applications to identify a computer.

Computer Name
The computer name is the local name of a computer. This name is typically assigned to the computer when the operating system is installed. Use the serversetup tool to view or modify the computer name.
Bonjour Name
Bonjour, also known as zero-configuration networking, enables automatic discovery of computers, devices, and services on IP networks. Bonjour uses industry-standard IP protocols to allow devices to automatically discover each other without the need to enter IP addresses or configure DNS servers. Specifically, Bonjour enables automatic IP address assignment without a DHCP server, name-to-address translation without a DNS server, and service discovery without a directory server.
Each item on the list is a piece of information stored by configd, sorted by type. Setup indicates information that has been read from a configuration file. State indicates information that represents the actual state of the computer. File indicates stored information as of the last time the configuration file was updated.
Using scutil, you can view data in the keys. First you must get the data, and then you can show the data. For example:
> get State:/Network/Interface/en0/IPv4
> d.
To view the current locations:
$ scselect
The computer will respond with output similar to the following:
Defined sets include: (* == current set)
 * 0 (Automatic)
   1 (AirPort)
   2 (Home Office)
To change the location, enter the number of the location listed that you want to switch to:
$ scselect 1
In this example, the network location will switch to AirPort.
7 Working with Disks and Volumes
In this chapter you will find commands that are used to initialize and test disks and volumes.
Computers use disks and partitions to store and organize data. This chapter covers the commands that are used to manage, configure, initialize, and test disks and volumes.
Mounting Volumes
You can use the mount tool with parameters appropriate to the type of file system you want to mount, or use one of these file-system-specific mount commands:
• mount_afp for Apple File Protocol (AppleShare) volumes
• mount_cd9660 for ISO 9660 volumes
• mount_cddafs for CD Digital Audio format (CDDA) volumes
• mount_hfs for Apple Hierarchical File System (HFS) volumes
• mount_msdos for PC MS-DOS volumes
• mount_nfs for Network File System (NFS) volumes
• mount_smbfs for Server Message Block
Displaying Disk Information The df tool located in /bin is designed to display free disk space. In addition, df is a useful way to find out what your current disk partitions are, how much space each one takes up, which block each partition starts on, which device file is associated with each partition, and where each partition is mounted.
When enabled, diskspacemonitor uses information in a configuration file to determine when to execute alert and recovery scripts for reclaiming disk space:
• The configuration file is /etc/diskspacemonitor/diskspacemonitor.conf. It lets you specify how often you want to monitor disk space, and specify thresholds to use for determining when to take the actions in the scripts.
The scripts use values in the following configuration files to determine whether and how to reclaim space:
• The script /etc/periodic/daily/600.daily.server runs daily. Its configuration file is /etc/diskspacemonitor/daily.server.conf.
• The script /etc/periodic/weekly/600.weekly.server is intended to run weekly, but is currently empty. Its configuration file is /etc/diskspacemonitor/weekly.server.conf.
• The script /etc/periodic/monthly/600.monthly.server is intended to run monthly, but is currently empty.
To list the disks currently known and available on the computer:
$ diskutil list
If your system is an Xserve computer, you can use this command to determine which drive is in which bay.
To get mount info about a partition:
$ diskutil info diskvol
Parameter  Description
diskvol    Device name (for example, disk0s9) for the partition.
This command tells you the device file that corresponds to the mounted partition (or device name) you specify.
To format a Mac OS Extended volume as case-sensitive HFS+:
$ sudo diskutil eraseVolume "Case-sensitive HFS+" newvolname volume
Parameter   Description
newvolname  The name given to the reformatted, case-sensitive volume.
volume      The path to the existing volume to be reformatted. For example: /Volumes/HFSPlus
See the diskutil man page for more options and information about repairing and modifying disks.
After a partition has been created on a device, the partition needs to be formatted before the computer will be able to store data on the device. Formatting a disk partition creates the volume and sets the file system.

Labeling a Disk
Once a disk is formatted, it needs to be labeled. The disklabel tool manipulates “Apple Label” partition metadata.
Managing Disk Journaling
A robust file system journaling feature is available to enhance the availability and fault tolerance of servers and server-attached storage devices. Journaling protects the integrity of the Mac OS Extended (HFS+) file system in the event of an unplanned shutdown or power failure, and maximizes uptime by expediting repairs to the affected volumes when the computer restarts.
/dev/disk0s9 on / (local, journaled)
/dev/disk0s10 on /Volumes/OS 9.2.2 (local, journaled)

Enabling Journaling When You Erase a Disk
You can use the newfs_hfs tool to set up and enable journaling when you erase a disk.
To enable journaling when erasing a disk:
$ newfs_hfs -J -v volname device
Parameter  Description
volname    The name you want the new disk volume to have.
device     The device name of the disk.
3 Restart your server.
To enable Spotlight on your server:
1 Open /etc/hostconfig for editing as root.
2 Change the value of the SPOTLIGHT parameter to -YES-. You can also set the value of the SPOTLIGHT parameter to -YES- as follows:
$ sudo /System/Library/ServerSetup/serversetup -setAutoStartSpotlight 1
3 Restart your server.

Performing Spotlight Searches
Mac OS X provides the ability to view the metadata of a file and perform Spotlight searches from the command line.
Controlling Spotlight Indexing
By default, indexing of volumes in Mac OS X Server is disabled. However, you can use the mdutil tool to enable or disable indexing on any volume.
To enable indexing on a volume:
Run the mdutil tool as root and set the indexing status to on.
$ sudo mdutil -i on volume
To disable indexing on a volume:
Run the mdutil tool as root and set the indexing status to off.
$ sudo mdutil -i off volume
See the mdutil man page for more information.
To repair a failed mirror:
$ diskutil repairMirror device slicenumber fromDisk toDisk
Parameter    Description
device       Device file.
slicenumber  Specifies the slice number to replace.
fromDisk     Specifies the mirror source.
toDisk       Specifies the repaired mirror destination.
Note: Xsan RAID volumes have their own set of commands, which are described in an appendix of the Xsan administrator's guide. See the appendix for information about the megaraid tool, used for managing a PCI RAID card.
To restore a volume from an image:
$ sudo asr -source compressedimage -target targetvolume -erase
See the asr man page for command syntax, limitations, and image preparation instructions.
8 Working with Users and Groups
In this chapter you will find commands you can use to set up and manage user and group accounts. With Mac OS X Server, you can quickly create and administer accounts for users and groups. There are several command-line tools that facilitate working with the directory domains that hold these accounts.

Understanding Accounts
There are three kinds of accounts you can set up with Workgroup Manager: user accounts, group accounts, and computer lists.
Administering and Creating Accounts
A user account stores data that Mac OS X Server needs to validate the user’s identity and provide services for the user. This section provides an overview of user accounts. User accounts, as well as group accounts and computer lists, can be stored in any Open Directory domain accessible from any Mac OS X computer.
To create a local administrator user with a specific UID and home folder:
$ sudo /System/Library/ServerSetup/serversetup -createUserWithIDIP fullname shortname password uid homedirpath
The name, short name, password, and UID must be entered in the order shown. If the full name includes spaces, enter it in quotes. The command displays a 0 if successful, or a 1 if the full name, short name, or UID is already in use or if the UID you specified is less than 100.
To find the GUID of the administrator user:
> cd /Users/
> read adminusername GeneratedUID

Checking a User’s Administrator Privileges
Use the serversetup tool to verify the administrator privileges of a specific user.
To see if a user is a server administrator:
$ sudo /System/Library/ServerSetup/serversetup -isAdministrator shortname
The command displays a 0 if the user is an administrator, or a 1 if the user is not an administrator.
Important: Pick a user ID that isn’t on either list and that is greater than 501. 501 is the user ID of the local administrator user that gets created when you install Mac OS X Server.
2 Start the dscl tool in interactive mode, specifying the computer you are using as the source of directory service data.
Use the dscl tool to create a nonadministrator user account.
dscl displays the settings for your new user account, similar to the following output:
apple-generateduid: 1B2A3456-E7C8-9EC1-2345-678D912E3456
cn: anne johnson
gidNumber: 99
HomeDirectory: /LDAPv3/ipaddress/Users/ajohnson
loginShell: /bin/bash
objectClass: inetOrgPerson posixAccount shadowAccount apple-user extensibleObject organizationalPerson top person
sn: ajohnson
uid: ajohnson
uidNumber: 1234
AppleMetaNodeLocation: /LDAPv3/ipaddress
GeneratedUID: 1B2A3456-E7C8-9EC1-2345-678D912E3456
LastName: johnson
Retrieving a User’s GUID
When a user account is created, the computer generates a 128-bit integer called a globally unique identifier (GUID). This is stored in the LDAP directory. The GUID is used for permissions and for associating users with group memberships. In command-line tools, you might see a GUID referred to as a GeneratedUID.
3 Authenticate as an administrator by entering the following command, replacing adminusername with an administrator’s user name, and entering that administrator’s password when prompted:
> auth adminusername
4 Delete the user account by entering the following command, replacing ajohnson with the user account’s short name:
> delete ajohnson
5 Quit dscl by entering:
> quit
A user account usually has a matching group of the same name.
To terminate all of a user’s processes:
After disabling the user account, you need to kill all of the user’s active processes that are currently running on the directory server.
Warning: Unconditionally killing all of a user’s processes will cause the user to lose any unsaved data.
1 Make all processes clean up and exit by entering the following command, replacing ajohnson with the user name:
$ sudo killall -TERM -u ajohnson
2 Wait a few seconds to allow the previous command to execute.
Checking a Server User’s Name, UID, or Password
You can use the following commands to check the name, UID, or password of a user in the server’s local directory domain.
Note: These tasks apply only to the local directory domain on the server.
To see if a full name is already in use:
$ sudo /System/Library/ServerSetup/serversetup -verifyRealName "longname"
The command displays a 1 if the name is already in use, or a 0 if it isn’t.
Modifying a User Account
You can change the value of an attribute in a user account by using dscl. There are many attributes that can be set for users. The following table describes some of the user account attributes you can modify using dscl:
Attribute           Description
apple-generateduid  User ID generated by the system.
cn                  User’s common name.
homeDirectory       Location of the user’s home folder.
loginShell          User’s Terminal shell.
sn                  User’s surname.
LastName            User’s last name.
Creating a Mobile User Account
Mobile accounts are network accounts that have been set up to be accessible even when the user is not connected to the server where the account resides. The mobile account user is provided with a local home folder on the computer the user is logged in to. This functionality reduces network traffic and improves overall performance. You can use the MCXCacher tool to create a mobile account from the command line.
To perform the post-login checks, refresh the caches, and cache the current user’s mcx_settings:
Enter the following, replacing usershortname with the user’s short name.
$ sudo /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -U usershortname
To flush the cache:
$ sudo /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -f
To dirty the cache so that it will be refreshed at the next login:
$ sudo /System/Library/CoreServices/mcxd.
To create a home folder for users in the local domain:
$ sudo createhomedir [(-a|-l|-n domain)] -u uid
You can also create a user’s home folder using the serversetup tool.
To create a home folder for a particular user:
$ sudo /System/Library/ServerSetup/serversetup -createHomedir uid
The command displays a 1 if the user ID you specify doesn’t exist.

Mounting a User’s Home Folder
You can use mnthome to mount a user’s home folder.
Creating a Group Account
You can create a new group account by using dscl and other tools. When you create a group account via the command line, you must also set values for basic attributes of a group account, such as short name and group ID.
To add a group account:
1 Identify an unused group ID by entering the following command to display a list of assigned group IDs.
4 Authenticate as an administrator by entering the following command, replacing adminusername with your administrator user name, and entering your administrator password when prompted:
> auth adminusername
5 Create a new group, replacing officegroup with the new group account’s short name, and specify the group ID, replacing 600 with the primary group ID.
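The user and group creation steps above ask for a user ID greater than 501 that appears on neither list, and for an unused group ID. The following shell script, added here as an example and not part of the manual, picks such an ID from "name id" records like those dscl lists; the record data and the 501 floor in the demonstration are constructed assumptions.

```shell
# Added example, not from the manual: pick the lowest unused numeric ID above
# a floor (the text says to use a user ID greater than 501 that is on neither
# list) from "name id" lines such as those dscl prints when listing UniqueID
# or PrimaryGroupID values. The records below are constructed sample data.

SAMPLE_IDS='root 0
nobody -2
admin 501
ajohnson 1234
bmiller 502
mchen 503'

# next_free_id FLOOR   (reads "name id" lines on stdin)
# Prints the smallest integer greater than FLOOR that no record uses.
next_free_id() {
    floor="$1"
    # Keep only well-formed numeric IDs, sorted ascending without duplicates.
    ids=$(awk 'NF >= 2 && $2 ~ /^-?[0-9]+$/ { print $2 }' | sort -n -u)
    candidate=$((floor + 1))
    for used in $ids; do
        if [ "$used" -lt "$candidate" ]; then
            continue                      # at or below the floor, irrelevant
        elif [ "$used" -eq "$candidate" ]; then
            candidate=$((candidate + 1))  # taken, try the next value
        else
            break                         # a gap below the next used ID
        fi
    done
    echo "$candidate"
}

# id_in_use ID   (reads "name id" lines on stdin)
# Succeeds (exit 0) when some record already carries ID.
id_in_use() {
    awk -v want="$1" 'NF >= 2 && $2 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed records: prints 504, since 502 and 503
# are taken and 1234 leaves a gap.
printf '%s\n' "$SAMPLE_IDS" | next_free_id 501
if printf '%s\n' "$SAMPLE_IDS" | id_in_use 1234; then
    echo "1234 is already assigned"
fi
```

Feed the real listing in through the pipe in place of SAMPLE_IDS; the same two functions work for group IDs because only the second column is read.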
3 Authenticate as an administrator by entering the following command, replacing adminusername with your administrator user name, and entering your administrator password when prompted:
> auth adminusername
4 Remove the group by entering the following command, replacing officegroup with the group account’s short name:
> delete officegroup
5 Quit dscl by entering:
> quit

Adding a User to a Group
You can add users to a group using the dscl tool.
6 Review the new settings of the group by entering the following command, replacing officegroup with the group account’s short name:
> read officegroup
dscl displays the settings for the group account, similar to the following output:
apple-generateduid: 4B3A5678-E9C1-2EC3-4567-891D234E5678
cn: officegroup
gidNumber: 600
MemberUid: mchen ajohnson bmiller
objectClass: posixGroup apple-group extensibleObject top
AppleMetaNodeLocation: /LDAPv3/ipaddress
GeneratedUID: 4B3A5678-E9C1-2EC3-4567-891D234E5678
GroupM
4 View the current members of the group by entering the following (replacing officegroup with the group account’s short name):
> read officegroup
dscl displays the settings for the group account, similar to the following output, where the group named officegroup has users mchen, ajohnson, and bmiller as members:
apple-generateduid: 4B3A5678-E9C1-2EC3-4567-891D234E5678
cn: officegroup
gidNumber: 600
MemberUid: mchen ajohnson bmiller
objectClass: posixGroup apple-group extensibleObject top
AppleMetaNodeLocati
7 Quit dscl by entering:
> quit

Creating and Deleting Nested Groups
Nested groups allow one group (the child) to be a member of a second group (the parent), thus inheriting the permissions and attributes of the parent group. All members of a nested group become child members of the parent group as well. You can create a nested group by using the dseditgroup tool with the -a option, which adds the group record to the parent group.
dscl displays the settings for the group account, similar to the following output, where the group named parentgroup is shown as nested:
apple-generateduid: 4B3A5678-E9C1-2EC3-4567-891D234E5678
apple-group-nestedgroup: 1A2B3456-C7D8-9EF1-2345-678G912H3456
cn: parentgroup
gidNumber: 700
objectClass: posixGroup apple-group extensibleObject top
AppleMetaNodeLocation: /LDAPv3/ipaddress
GeneratedUID: 4B3A5678-E9C1-2EC3-4567-891D234E5678
NestedGroups: 1A2B3456-C7D8-9EF1-2345-678G912H3456
PasswordPlus: ********
PrimaryG
This will prompt you for your diradmin password, which is much more secure than putting the password in the command you are sending. See the dseditgroup man page for more information.

Creating a Group Folder
A group folder facilitates the sharing of files between members of a group. Once you set up a group folder in Workgroup Manager, you need to use the CreateGroupFolder tool to create the actual group folder. Group folders should be created on the server that hosts the group folders.
Importing Users and Groups
You can use dsimport to import user and group accounts into a directory domain. The dsimport tool permits logging at three levels with the -l switch. You can use the dsimport tool to import any number of records from a flexible text-delimited file. See the dsimport man page for more information. See the Open Directory administration guide for a list of record types and attributes. This guide also describes how to edit permitted attributes for each record type for use in an LDAP directory.
Open Directory supports up to 200,000 records. For a local NetInfo directory, make sure the file contains no more than 10,000 records.
2 Log in as the administrator of the directory domain you want to import accounts into.
3 Use the dsimport tool to import users and groups. For example, to import a file generated by Workgroup Manager named ”sample” into the LDAPv3 directory located at 192.168.2.2, use the following command:
$ dsimport -g sample /LDAPv3/192.168.2.
• List of attributes
For user accounts, the list of attributes must include the following, although you can omit UID and PrimaryGroupID if you specify a starting UID and a default primary group ID when you import the file:
• RecordName (the user’s short name)
• Password
• UniqueID (the UID)
• PrimaryGroupID
• RealName (the user’s full name)
In addition, you can include:
• UserShell (the default shell)
• NFSHomeDirectory (the path to the user’s home folder)
• Other user data types, described in the Open Dire
Matt Mitchell:/bin/tcsh
As these examples illustrate, you can use the prefix dsAttrTypeStandard: when referring to an attribute, or you can omit the prefix. When you use Workgroup Manager to export character-delimited files, it uses the prefix in the generated file.
Setting Permissions
To control access to your information, Mac OS X automatically sets permissions for disks, folders, and files. You can only change permissions on items that you own. Be sure that the default permissions are appropriate. For most purposes, files should be accessible to the other members of your group. If you have private or confidential information, the default permissions of the files may allow others to see it.
• The following file (-) displays read, write, and executable permissions for owner (rwx), but no permissions for group (---) or others (---):
  -rwx------
• The following file (-) displays read and write, but no executable permissions for owner (rw-), group (rw-), and others (rw-):
  -rw-rw-rw-
• The following file (-) displays read, write, and executable permissions for owner (rwx), but only read and executable for group (r-x) and others (r-x):
  -rwxr-xr-x
• The following file (-) displays read, write, and
This command affects the permissions on files and folders created by programs that respect the Mac OS X NSUmask settings. Programs should follow the value set for NSUmask, but there is no guarantee that they will. Also, users can override their own NSUmask setting at any time. The changes to the umask settings take effect at the next login.
Warning: Setting permissions for group or all will allow any private or confidential information in these folders to be visible to others.
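As an added example (not from the manual), this shell script converts the symbolic permission strings shown above to octal, shows what a given umask leaves on new files and folders, and flags listing entries that others can write to or that carry the setuid or setgid bit; the listing it reads is constructed sample data.

```shell
# Added example, not from the manual: convert the symbolic permission strings
# shown above to octal, work out what a umask leaves on new files and folders,
# and flag entries in an "ls -l" listing that are writable by everyone or carry
# the setuid/setgid bits. The listing below is constructed sample data.

SAMPLE_LISTING='total 24
-rwx------  1 juser  wheel   1024 Apr 28 14:06 private.sh
-rw-rw-rw-  1 juser  staff    512 Apr 28 14:06 notes.txt
-rwsr-xr-x  1 root   wheel  20480 Apr 28 14:06 helper
drwxr-xr-x  2 juser  staff     68 Apr 28 14:06 Documents'

# mode_to_octal PERMS   e.g. rwxr-xr-x -> 755, rwsr-xr-x -> 4755
mode_to_octal() {
    echo "$1" | awk '{
        s = $1; special = 0; out = ""
        for (i = 0; i < 3; i++) {           # owner, group, others
            v = 0
            r = substr(s, i * 3 + 1, 1); w = substr(s, i * 3 + 2, 1); x = substr(s, i * 3 + 3, 1)
            if (r == "r") v += 4
            if (w == "w") v += 2
            if (x == "x" || x == "s" || x == "t") v += 1
            if (x == "s" || x == "S") special += (i == 0) ? 4 : 2   # setuid / setgid
            if (x == "t" || x == "T") special += 1                  # sticky bit
            out = out v
        }
        if (special) out = special out
        print out
    }'
}

# default_mode UMASK KIND   KIND is "file" (base 666) or "dir" (base 777)
# Prints the octal mode a newly created item receives under that umask.
default_mode() {
    base=666
    if [ "$2" = "dir" ]; then base=777; fi
    # Leading zeros make the arithmetic octal; the mask's bits are cleared.
    printf '%03o\n' "$(( 0$base & ~0$1 ))"
}

# audit_listing   (reads "ls -l" lines on stdin)
# Prints "name octal reason" for each entry others can write to or that is
# setuid/setgid; everything else is silently accepted.
audit_listing() {
    while read -r mode links owner group size month day time name; do
        case "$mode" in
            [-dl]?????????*) ;;   # type character plus nine permission characters
            *) continue ;;        # skip "total N" and blank lines
        esac
        perms=$(printf '%s' "$mode" | cut -c2-10)
        reason=""
        case "$perms" in ???????w?) reason="world-writable" ;; esac
        case "$perms" in ??[sS]??????) reason="${reason:+$reason,}setuid" ;; esac
        case "$perms" in ?????[sS]???) reason="${reason:+$reason,}setgid" ;; esac
        if [ -n "$reason" ]; then
            printf '%s %s %s\n' "$name" "$(mode_to_octal "$perms")" "$reason"
        fi
    done
}

# Demonstration on the constructed listing, with a 022 umask for comparison.
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
echo "umask 022 gives files $(default_mode 022 file) and folders $(default_mode 022 dir)"
```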
Changing the Owner
Use the chown tool to change the owner of a file or folder.
$ chown username fileorfolder
Parameter     Description
username      The user who will become the owner of the file.
fileorfolder  The name of the file or folder to change.
To change the owner of file1 to the user jdoe:
$ chown jdoe file1
See the chown man page for more information.

Changing the Group
Use the chgrp tool to change the group of a file or folder.
Securing the Root Account Mac OS X Server includes a root account like other UNIX-based systems. Initially, its password is set to that of the first administrator account. Direct root login should not be allowed, because the logs cannot identify which administrator logged in. Instead, accounts with administrator privileges should be used for login, and then the sudo tool used to perform actions as root.
Note: There is a timeout value associated with the sudo tool. This value indicates the number of minutes until the sudo tool prompts for a password again. The default value is 5, which means that after issuing the sudo command and entering the correct password, additional sudo commands can be entered for 5 minutes without reentering the password. This value is set in the /etc/sudoers file. See the sudo and sudoers man pages for more information.
5 If the computer did start up in single-user mode, restart the computer by issuing the command reboot. Then repeat the previous steps for putting the computer into command mode.
Open Firmware protection can be violated if the user has physical access to the computer: if the user changes the physical memory configuration of the computer and then resets the PRAM three times (holding down Option-P-R during boot), the Open Firmware password will be disabled.
To change a user’s password:
$ pwpolicy -n /LDAPv3/ipaddress -a adminusername -u usertochange -setpassword newpassword
Parameter      Description
ipaddress      Location of the LDAP directory.
adminusername  User name of an administrator.
usertochange   User name of the user whose password is changing.
newpassword    The password the user is changing to.
To set the password policy of an individual user to require a password change:
$ pwpolicy -n /LDAPv3/ldap.apple.com -a adminusername -p adminpassword -u usertochange -setpolicy "newPasswordRequired=1"
Parameter       Description
ldap.apple.com  Location of the LDAP directory.
adminusername   User name of an administrator.
adminpassword   The administrator password (omit this to be prompted for the password).
usertochange    User name of the user whose password is changing.
9 Working with File Services
In this chapter you will find commands you can use to create share points and manage file services. Mac OS X Server allows you to set up central network storage that is accessible to clients throughout your organization.
Listing Share Points
To list existing share points:
$ sharing -l
In the resulting list, there’s a section of properties similar to the following for each share point defined on the server (1 = yes, true, or enabled; 0 = false, no, or disabled).
Parameter     Description
guestflags    A group of three flags indicating which protocols allow guest access. The flags are written as a three-digit binary number with the digits representing, from left to right, AFP, FTP, and SMB/CIFS. 1 = guests allowed, 0 = guests not allowed.
inheritflags  A group of two flags indicating whether new items in AFP or SMB/CIFS share points inherit the ownership and access permissions of the parent folder.
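To keep the bit order straight when scripting the sharing tool, the following shell functions, added here as an example rather than taken from the manual, encode and decode guestflags (AFP, FTP, SMB/CIFS) and inheritflags (AFP, SMB/CIFS) and reject malformed values; the protocol order is the one described in the table above, and the values used in the demonstration are constructed.

```shell
# Added example, not from the manual: encode and decode the guestflags and
# inheritflags values the sharing tool takes, so a script never gets the bit
# order wrong. Order follows the text above: guestflags are AFP, FTP, SMB/CIFS
# from left to right; inheritflags are AFP, SMB/CIFS.

# decode_flags NAMES VALUE   e.g. decode_flags "afp ftp smb" 101
# Prints "afp=1 ftp=0 smb=1"; fails (exit 1) unless VALUE is a binary string
# of exactly the expected width, so a bad value is caught before sharing -a.
decode_flags() {
    names="$1"; value="$2"
    width=$(echo $names | wc -w | tr -d ' ')
    case "$value" in
        *[!01]*|"") return 1 ;;       # anything but 0 and 1, or empty
    esac
    [ "${#value}" -eq "$width" ] || return 1
    out=""; i=1
    for n in $names; do
        bit=$(printf '%s' "$value" | cut -c"$i")
        out="${out:+$out }$n=$bit"
        i=$((i + 1))
    done
    echo "$out"
}

decode_guestflags()   { decode_flags "afp ftp smb" "$1"; }
decode_inheritflags() { decode_flags "afp smb" "$1"; }

# guestflags_for PROTOCOL...   prints the three-digit value that allows guest
# access only on the named protocols, e.g. guestflags_for afp smb -> 101.
# With no arguments it yields 000, guest access disabled everywhere.
guestflags_for() {
    out=""
    for slot in afp ftp smb; do
        bit=0
        for want in "$@"; do
            if [ "$want" = "$slot" ]; then bit=1; fi
        done
        out="$out$bit"
    done
    echo "$out"
}

# Demonstration with constructed values.
decode_guestflags 101
decode_inheritflags 10
echo "guest on AFP only: $(guestflags_for afp)"
```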
Disabling a Share Point
To disable a share point:
$ sharing -r sharepointname
Parameter       Description
sharepointname  The current name of the share point.

Managing the AFP Service
Apple Filing Protocol (AFP) allows any Mac OS X computer to access shared folders on the server. Mac OS X Server uses Bonjour to provide automatic discovery of AFP file services, and shared disks don’t unmount after extended periods of inactivity.
Changing AFP Settings
You can change AFP service settings using the serveradmin tool.
To change a setting:
$ sudo serveradmin settings afp:setting = value
Parameter  Description
setting    An AFP service setting. To see a list of available settings, enter $ sudo serveradmin settings afp or see “List of AFP Settings” on page 137.
value      An appropriate value for the setting. Enclose text strings in double quotes (for example: "text string").
Parameter (afp:)    Description
allowRootLogin      Allow user to log in as root. Default = no
attemptAdminAuth    Allow an administrator user to masquerade as another user. Default = yes
authenticationMode  Authentication mode. Can be: standard, kerberos, or standard_and_kerberos. Default = "standard_and_kerberos"
autoRestart         Whether the AFP service should restart automatically when abnormally terminated. Default = yes
clientSleepOnOff    Allow client computers to sleep.
Parameter (afp:)                 Description
idleDisconnectTime               Idle time (in minutes) allowed before disconnect. Default = 10
kerberosPrincipal                Kerberos server principal name. Default = "afpserver"
loggingAttributes:logCreateDir   Record folder creations in the activity log. Default = yes
loggingAttributes:logCreateFile  Record file creations in the activity log. Default = yes
loggingAttributes:logDelete      Record file deletions in the activity log.
Parameter (afp:)   Description
reconnectFlag      Allow reconnect options. Can be set to: none, all, or no_admin_kills. Default = "all"
reconnectTTLInMin  Time-to-live (in minutes) for a disconnected session waiting for reconnection. Default = 1440
registerAppleTalk  Advertise the server using AppleTalk NBP. Default = yes
registerNSL        Advertise the server using Bonjour. Default = yes
sendGreetingOnce   Send the login greeting only once. Default = no
shutdownThreshold  Don’t modify. Internal use only.
Command (afp:command=)  Description
sendMessage             Send a text message to connected AFP users. See “Sending a Message to AFP Users” on page 142.
syncSharePoints         Update share point information after changing settings.
writeSettings           Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service needs to be restarted. See “Using the serveradmin Tool” on page 48.
Value returned by getConnectedUsers (afp:usersArray:_array_index::)  Description
  The share point the user is accessing.
  An integer that identifies the user session.
  State of the service.

Sending a Message to AFP Users
You can use the sendMessage command with the serveradmin tool to send a text message to connected AFP users. Users are specified by session ID.
Parameter      Description
minutes-until  The number of minutes between the time the command is executed and the users are disconnected.
sessionidn     The session ID of a user you want to disconnect. To list the session IDs of connected users, use the getConnectedUsers command. See “Listing Connected Users” on page 141.
The computer will respond with the following output:
afp:command = "cancelDisconnect"
afp:timeStamp = "
Value displayed by getHistory Description The total number of samples listed.
Managing the NFS Service Network File System (NFS) is a file service used to provide file sharing to UNIX and Linux systems. With NFS, Mac OS X Server can host data for UNIX application servers and provide integration with enterprise UNIX storage devices. Support for NFS file locking prevents overwriting files while others are accessing them. NFS service can be used to mount NFS volumes and reshare them over AFP with Mac OS X and Mac OS 9 clients.
Managing the FTP Service Mac OS X Server features a robust File Transfer Protocol (FTP) file service for Internet file sharing from any platform. The FTP protocol provides the broadest compatibility across platforms, making it ideal for anonymous downloads or sharing files that are too large to be sent over email. Mac OS X Server improves the security of FTP service with Kerberos authentication. It also supports automatic resumption of disconnected FTP file transfers.
Changing FTP Service Settings
You can change FTP service settings using the serveradmin tool.
To change a setting:
$ sudo serveradmin settings ftp:setting = value
Parameter  Description
setting    An FTP service setting. To see a list of available settings, enter $ sudo serveradmin settings ftp or see “List of FTP Service Settings” on this page.
value      An appropriate value for the setting.
Parameter (ftp:)  Description
bannerMessage     Displays a banner message that appears when the user is prompted to log in to the FTP service. Customize to your own preferences. Default = "----------------------------------This is the "Banner" message for the Mac OS X Server's FTP server process. FTP clients will receive this message immediately before being prompted for a name and password. PLEASE NOTE: Some FTP clients may exhibit problems if you make this file too long.
Parameter (ftp:)    Description
showWelcomeMessage  Default = yes
welcomeMessage      Displays a welcome message that appears after the user logs in to the FTP service. Customize to your own preferences. Default = "------------------------------------This is the "Welcome" message for the Mac OS X Server's FTP server process. FTP clients will receive this message right after a successful log in.
Managing the SMB/CIFS Service Mac OS X Server offers integration of Samba 3, a popular open-source project that delivers high-performance SMB/CIFS file and print services and Microsoft Windows NT domain services for Microsoft Windows clients. Support for native service discovery protocols means that Mac OS X Server computers appear in the My Network Places window (Windows XP and 2000) or the Network Neighborhood window (Windows 95, 98, or ME) just like a Windows server.
Changing SMB/CIFS Service Settings
You can change SMB/CIFS service settings using the serveradmin tool.
To change a setting:
$ sudo serveradmin settings smb:setting = value
Parameter  Description
setting    An SMB/CIFS service setting. To see a list of available settings, enter $ sudo serveradmin settings smb or see “List of SMB/CIFS Service Settings” on page 152.
value      An appropriate value for the setting.
Parameter (smb:)  Description
domain master     Whether the server is providing Windows domain master browser service. Can be set to: yes | no. This corresponds to the Domain Master Browser checkbox in the Advanced pane of the Windows service settings in the Server Admin application.
dos charset       The code page being used.
Parameter (smb:)    Description
max smbd processes  The maximum allowed number of smbd server processes. Each connection uses its own smbd process, so this is the same as specifying the maximum number of SMB/CIFS connections. 0 means unlimited. This corresponds to the “maximum” client connections field in the Access pane of the Windows service settings in the Server Admin application.
netbios name        The server’s NetBIOS name. Can be set to a maximum of 15 bytes of UTF-8 characters.
List of SMB/CIFS serveradmin Commands
You can use these commands with the serveradmin tool to manage SMB/CIFS service. See the examples in the following sections for details on how to use these commands.
Command (smb:command=)  Description
disconnectUsers         Disconnect SMB/CIFS users. See “Disconnecting SMB/CIFS Users” on page 156.
getConnectedUsers       List users currently connected to an SMB/CIFS service. See “Listing SMB/CIFS Users” on page 155.
getHistory              List connection statistics.
Disconnecting SMB/CIFS Users
You can use the serveradmin disconnectUsers command to disconnect SMB/CIFS users. Users are specified by session ID.
To disconnect users:
$ sudo serveradmin command
smb:command = disconnectUsers
smb:sessionIDsArray:_array_index:0 = sessionid1
smb:sessionIDsArray:_array_index:1 = sessionid2
smb:sessionIDsArray:_array_index:2 = sessionid3
[...]
Control-D
Parameter   Description
sessionidn  The session ID of a user you want to disconnect.
Updating Share Point Information After you make a change to an SMB/CIFS share point using the sharing tool, you need to update the SMB/CIFS service information. To update SMB/CIFS share point information: $ sudo serveradmin command smb:command = syncPrefs Viewing SMB/CIFS Service Logs You can use tail or any other file-listing tool to view the contents of the SMB/CIFS service logs.
Using chmod to Modify ACLs Using chmod, you can add and delete ACEs for a file or a folder.
To view the ACL of a file:
Enter the following command, replacing file1 with the name of the file:
$ ls -le file1
The output should look like the following:
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
 owner: juser
 1: guest deny read
 2: user1 allow write
See the chmod man page for more information.
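When reviewing ACLs on many files, the `ls -le` listing above can be parsed instead of read by eye. The parser and the `aces_allowing` audit helper below are an added example, not part of the guide or of Mac OS X Server; the listing they read is constructed to match the layout shown above (an "owner:" line followed by ACEs numbered from 1).

```python
import re

# Constructed `ls -le` listing modelled on the output shown in the guide
# (Mac OS X Server 10.4 layout: an "owner:" line, then ACEs numbered from 1).
# Not captured from a real host.
LS_LE_OUTPUT = """\
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
 owner: juser
 1: guest deny read
 2: user1 allow write
-rw-rw-r--  1 juser wheel 12 Apr 28 14:07 notes.txt
drwxr-xr-x+ 3 juser wheel 102 Apr 28 14:08 shared folder
 owner: juser
 1: guest allow write,delete
"""

_OWNER = re.compile(r"^\s*owner:\s+(\S+)\s*$")
_ACE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(allow|deny)\s+(\S+)\s*$")


def parse_ls_le(text: str) -> list[dict]:
    """Parse `ls -le` output into one dict per file, ACEs kept in listing order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            # Indented lines belong to the file listed just above them.
            if not entries:
                raise ValueError("ACL line before any file entry: %r" % line)
            m = _OWNER.match(line)
            if m:
                entries[-1]["owner"] = m.group(1)
                continue
            m = _ACE.match(line)
            if not m:
                raise ValueError("unrecognised ACL line: %r" % line)
            entries[-1]["aces"].append({
                "index": int(m.group(1)),
                "principal": m.group(2),
                "action": m.group(3),
                "perms": m.group(4).split(","),   # e.g. "write,delete"
            })
            continue
        tokens = line.split()
        if len(tokens) < 9:
            raise ValueError("unrecognised ls line: %r" % line)
        mode = tokens[0]
        entries.append({
            "name": " ".join(tokens[8:]),    # file names may contain spaces
            "mode": mode.rstrip("+"),
            "has_acl": mode.endswith("+"),   # the trailing '+' marks an ACL
            "unix_owner": tokens[2],
            "group": tokens[3],
            "owner": None,                   # filled from the "owner:" line
            "aces": [],
        })
    return entries


def aces_allowing(entries: list[dict], right: str) -> list[tuple[str, str]]:
    """(file, principal) pairs for every allow ACE that grants `right`."""
    return [(e["name"], a["principal"])
            for e in entries
            for a in e["aces"]
            if a["action"] == "allow" and right in a["perms"]]


if __name__ == "__main__":
    listing = parse_ls_le(LS_LE_OUTPUT)
    for name, who in aces_allowing(listing, "write"):
        print("%s: write allowed to %s" % (name, who))
```

Feeding the parser the real output of `ls -le` on a share point quickly shows which principals hold write or delete rights beyond the POSIX mode bits.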
Chapter 9 Working with File Services
10 Working with the Print Service
In this chapter you will find commands you can use to configure and manage the print service. The print service in Mac OS X Server lets you share network and direct-connect printers among clients on your network. The print service also includes support for managing print queues, monitoring print jobs, extensive logging, and using print quotas. This chapter covers the commands needed to view, modify, or change the print service settings.
CUPS includes both the System V (lp) and Berkeley (lpr) printing commands. CUPS supports many different file formats, including PostScript and image files, so you can print most files directly from the command line.
Checking the Status of Print Service
To see summary status of print service:
$ sudo serveradmin status print
To see detailed status of print service:
$ sudo serveradmin fullstatus print
Viewing Print Service Settings
To list print service configuration settings:
$ sudo serveradmin settings print
To list a particular setting:
$ sudo serveradmin settings print:setting
To list a group of settings:
You can list a group of settings that have part of their names in common by typing only as much of the name as
Print Service Settings Use the following parameters with the serveradmin tool to change settings for the print service.
Queue Data Array Print service settings include an array of values for each existing print queue. The array is a set of parameters that define values for each queue. The array of sharing services has been expanded to include IPP. This is the same service as Mac OS X version 10.3 printer sharing, now integrated with Mac OS X Server version 10.4. Many of the following parameters are CUPS parameters. You can get more details about the CUPS parameters in the CUPS documentation.
The following is an example of a queue array parameter block:
print:queuesArray:_array_id:my_printer:quotasEnforced = no
print:queuesArray:_array_id:my_printer:sharingList:_array_index:0:service = "LPR"
print:queuesArray:_array_id:my_printer:sharingList:_array_index:0:sharingEnable = no
print:queuesArray:_array_id:my_printer:sharingList:_array_index:1:service = "SMB"
print:queuesArray:_array_id:my_printer:sharingList:_array_index:1:sharingEnable = no
print:queuesArray:_array_id:my_printer:sharingList:_arr
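Because every serveradmin setting is printed as one `key = value` line, a settings dump can be parsed into nested structures and audited (for example, which sharing services a queue exposes). The parser below is an added example, not code from the guide or from Apple's tools; its sample input is constructed from the queue block above plus rule, site and status keys shown elsewhere in this chapter, and it assumes that colons inside an `_array_id` are escaped as `\:`, as the guide's addsite.in template does.

```python
import re
from typing import Any

# Constructed sample of `serveradmin settings` output, modelled on the queue
# block in the guide; not captured from a real server.
SAMPLE_SETTINGS = """\
print:queuesArray:_array_id:my_printer:quotasEnforced = no
print:queuesArray:_array_id:my_printer:sharingList:_array_index:0:service = "LPR"
print:queuesArray:_array_id:my_printer:sharingList:_array_index:0:sharingEnable = no
print:queuesArray:_array_id:my_printer:sharingList:_array_index:1:service = "SMB"
print:queuesArray:_array_id:my_printer:sharingList:_array_index:1:sharingEnable = yes
print:queuesArray:_array_id:my_printer:sharingList:_array_index:2:service = "IPP"
print:queuesArray:_array_id:my_printer:sharingList:_array_index:2:sharingEnable = yes
ipfilter:rules:_array_id:1111:readOnly = yes
ipfilter:rules:_array_id:1111:source-port = ""
web:Sites:_array_id:10.0.0.1\\:80_www.example.com:LogLevel = "warn"
dns:startedTime = "2003-09-10 11:24:03 -0700"
dns:nxdomain = 0
vpn:Servers:example:IPv4:DestAddressRanges = _empty_array
"""

# A colon separates key segments unless it is escaped as "\:" inside an id.
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def split_key(key: str) -> list[str]:
    """Split a serveradmin key path on unescaped colons and unescape the pieces."""
    return [seg.replace("\\:", ":") for seg in _UNESCAPED_COLON.split(key)]


def parse_value(raw: str) -> Any:
    """Convert the right-hand side of a `key = value` line to a Python value."""
    raw = raw.strip()
    if raw == "_empty_array":
        return []
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]            # quoted string (may contain spaces)
    if raw in ("yes", "no"):
        return raw == "yes"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw                      # anything else is kept verbatim


def _steps(segments: list[str]) -> list:
    """Fold `_array_id:<id>` into a str key and `_array_index:<n>` into an int key."""
    steps, i = [], 0
    while i < len(segments):
        seg = segments[i]
        if seg in ("_array_id", "_array_index") and i + 1 < len(segments):
            nxt = segments[i + 1]
            steps.append(int(nxt) if seg == "_array_index" else nxt)
            i += 2
        else:
            steps.append(seg)
            i += 1
    return steps


def _slot(node, key, default):
    """Return node[key], creating it as `default` if missing (lists grow on demand)."""
    if isinstance(node, list):
        while len(node) <= key:
            node.append(None)
        if node[key] is None:
            node[key] = default
        return node[key]
    return node.setdefault(key, default)


def parse_settings(text: str) -> dict:
    """Build nested dicts (keyed paths and _array_id) and lists (_array_index)."""
    root: dict = {}
    for line in text.splitlines():
        if " = " not in line:
            continue                # blank lines and anything that is not a setting
        key, raw = line.split(" = ", 1)
        steps = _steps(split_key(key.strip()))
        node = root
        for cur, nxt in zip(steps, steps[1:] + [None]):
            if nxt is None:
                _slot(node, cur, None)          # grow a list slot if needed
                node[cur] = parse_value(raw)
                break
            node = _slot(node, cur, [] if isinstance(nxt, int) else {})
    return root


def enabled_sharing(settings: dict, queue: str) -> list[str]:
    """Sharing services (LPR, SMB, IPP, ...) switched on for a print queue."""
    entries = settings["print"]["queuesArray"][queue].get("sharingList", [])
    return [e["service"] for e in entries if e and e.get("sharingEnable")]


if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_SETTINGS)
    print(enabled_sharing(cfg, "my_printer"))     # ['SMB', 'IPP']
```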
Listing Queues
You can use the serveradmin getQueues command to list print service queues.
$ sudo serveradmin command print:command = getQueues
Pausing a Queue
You can use the serveradmin setQueueState command to pause or release a queue.
To pause a queue:
$ sudo serveradmin command
print:command = setQueueState
print:state = PAUSED
print:namesArray:_array_index:0 = queue
Control-D
Parameter Description
queue The name of the queue.
For each job, the command lists:
• Document name
• Document size
• Job ID
• Submitting user
• Submitting host
• Job name
• Job state
• Job priority
Holding a Job
You can use the serveradmin setJobState command to hold or release a job.
To hold a job:
$ sudo serveradmin command
print:command = setJobState
print:status = HOLD
print:jobsArray:_array_index:0:printer = queue
print:jobsArray:_array_index:0:idsArray:_array_index:0 = jobid
Control-D
Parameter Description
queue The name of the queue.
Viewing Print Service Log Files
You can use tail or any other file-listing tool to view the contents of the print service logs.
To view the latest entries in a log:
$ tail log-file
The following are the log files for the Print Service:
• /var/log/cups/error_log (CUPS general message log)
• /var/log/cups/access_log (CUPS access log)
• /var/log/cups/page_log (CUPS page log)
• /Library/Logs/PrintService/PrintService.admin.
Chapter 10 Working with the Print Service
11 Working with NetBoot Service and System Images
In this chapter you will find commands you can use to configure and manage the NetBoot service and system images. NetBoot is used to host a standard operating system and application configuration on all of the clients in a network from the server. This chapter describes the commands used to configure and manage the NetBoot service.
Checking NetBoot Service Status
To see if NetBoot service is running:
$ sudo serveradmin status netboot
To see complete NetBoot status:
$ sudo serveradmin fullstatus netboot
Viewing NetBoot Settings
To list all NetBoot service settings:
$ sudo serveradmin settings netboot
Changing NetBoot Settings
You can change NetBoot service settings using the serveradmin tool.
To change a NetBoot setting:
$ sudo serveradmin settings netboot:setting = value
Parameter Description
setting A NetBoot service setting.
Changing General Netboot Service Settings NetBoot allows client computers to start up from an operating system image stored on your server. Use the following parameters with the serveradmin tool to change settings for the NetBoot service. Parameter (netboot:) Description filterEnabled Specifies whether client filtering is enabled. Default = "no" netBootStorageRecordsArray... An array of values for each server volume used to store boot or installation images.
Filters Record Array An array of the following values appears in the NetBoot service settings for each computer explicitly allowed or denied access to images stored on the server. Parameter (netboot:) Description netBootFiltersRecordsArray: _array_index::hostName The host name of the filtered computer, if available. netBootFiltersRecordsArray: _array_index::filterType Whether the specified computer is allowed or denied access.
Parameter (netboot:) Description netBootImagesRecordsArray: _array_index::IsEnabled Sets whether the image is available to NetBoot (or Network Image) clients. netBootImagesRecordsArray: _array_index::IsInstall yes specifies a network installation image; no specifies a NetBoot image. Port Record Array An array of the following items is included in the NetBoot service settings for each network port on the server set to deliver images.
Working with System Images A boot image is a file that looks and acts like a mountable disk or volume. NetBoot boot images contain the system software needed to act as a startup disk for client computers across the network. An installation image is a special boot image that boots the client long enough to install software from the image, after which the client can start up from its own hard disk. Both boot images and installation images are special kinds of disk images.
To split an image into three segments:
$ hdiutil segment -segmentSize 10m -o /tmp/aseg 30m.dmg
This creates three separate files: aseg.dmg, aseg.002.dmgpart, and aseg.003.dmgpart.
To convert an image to a CD-R export image with a .toast extension:
$ hdiutil convert master.dmg -format UDTO -o master
To burn an image onto the CD drive:
$ hdiutil burn myImage.dmg
To create an image from a folder:
$ hdiutil create -srcfolder mydir mydir.
To configure a client to receive a multicast stream: $ sudo asr -source asr:// -target -erase The client will receive the multicast stream from and save it to a client. Add -erase to overwrite any existing image. Passing -erase with -target indicates any existing image should be overwritten when doing a multicast. Choosing a Boot Device Using systemsetup You can use the systemsetup tool to choose your boot device.
12 Working with the Mail Service
In this chapter you will find commands you can use to manage the mail service. Mac OS X Server provides a full complement of tools for setting up and managing email service for your users. You can use the commands described in this chapter to control the individual components that make up the mail service.
The spool files for Postfix are located in /var/spool/postfix and the log file is /var/log/mail.log. See www.postfix.org for more information about Postfix.
Cyrus
Cyrus was developed at Carnegie Mellon University with the purpose of creating a highly scalable enterprise mail system for use in small- to large-enterprise environments. The Cyrus technologies can scale from independent use in small departments to a system centrally managed in a large enterprise.
Managing the Mail Service
Mac OS X Server ships with some powerful tools to help administer your mail service. The following sections describe basic mail service functions.
Mail Service Settings Use the following parameters with the serveradmin tool to change settings for the mail service.
Parameter (mail:) Description postfix:lmtp_sasl_password_maps Default = no postfix:smtp_sasl_password_maps Default = no postfix:qmgr_clog_warn_time Default = "300s" postfix:smtp_sasl_auth_enable Default = no postfix:smtp_skip_4xx_greeting Default = yes postfix:smtp_skip_5xx_greeting Default = yes postfix:stale_lock_time Default = "500s" postfix:strict_8bitmime_body Default = no postfix:disable_mime_input_processing Default = no postfix:smtpd_hard_error_limit Default = 20 postfix:empty_
Parameter (mail:) Description postfix:lmtp_connect_timeout Default = "0s" postfix:strict_7bit_headers Default = no postfix:unknown_hostname_reject_code Default = 450 postfix:virtual_alias_domains Default = "$virtual_alias_maps" postfix:lmtp_sasl_auth_enable Default = no postfix:queue_directory Default = "/private/var/spool/postfix" postfix:sample_directory Default = "/usr/share/doc/postfix/examples" postfix:fallback_relay Default = 0 postfix:smtpd_use_pw_server Default = "yes" postfix:
Parameter (mail:) Description postfix:mail_spool_directory Default = "/var/mail" postfix:mailbox_delivery_lock Default = "flock" postfix:disable_dns_lookups Default = no postfix:mailbox_command_maps Default = "" postfix:default_destination_concurrency _limit Default = 20 postfix:2bounce_notice_recipient Default = "postmaster" postfix:virtual_alias_maps Default = "$virtual_maps" postfix:mailq_path Default = "/usr/bin/mailq" postfix:recipient_delimiter Default = no postfix:masquerade_excep
Parameter (mail:) Description postfix:trigger_timeout Default = "10s" postfix:newaliases_path Default = "/usr/bin/newaliases" postfix:default_rbl_reply Default = "$rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}" postfix:alias_database Default = "hash:/etc/aliases" postfix:qmgr_message_recipient_limit Default = 20000 postfix:extract_recipient_limit Default = 10240 postfix:header_checks Default = 0 postfix:syslog_facility Defaul
Parameter (mail:) Description postfix:fallback_transport Default = 0 postfix:owner_request_special Default = yes postfix:default_transport Default = "smtp" postfix:biff Default = yes postfix:relay_domains_reject_code Default = 554 postfix:smtpd_delay_reject Default = yes postfix:lmtp_quit_timeout Default = "300s" postfix:lmtp_mail_timeout Default = "300s" postfix:fast_flush_purge_time Default = "7d" postfix:disable_verp_bounces Default = no postfix:lmtp_skip_quit_response Default = no
Parameter (mail:) Description postfix:debug_peer_level Default = 2 postfix:in_flow_delay Default = "1s" postfix:smtpd_junk_command_limit Default = 100 postfix:program_directory Default = "/usr/libexec/postfix" postfix:smtp_quit_timeout Default = "300s" postfix:smtp_mail_timeout Default = "300s" postfix:minimal_backoff_time Default = "1000s" postfix:queue_file_attribute_count_limit Default = 100 postfix:body_checks Default = no postfix:smtpd_client_restrictions: _array_index:0 Default =
Parameter (mail:) Description postfix:myhostname Default = "" postfix:default_minimum_delivery_slots Default = 3 postfix:recipient_canonical_maps Default = no postfix:hash_queue_depth Default = 1 postfix:hash_queue_names:_array_index:0 Default = "incoming" postfix:hash_queue_names:_array_index:1 Default = "active" postfix:hash_queue_names:_array_index:2 Default = "deferred" postfix:hash_queue_names:_array_index:3 Default = "bounce" postfix:hash_queue_names:_array_index:4 Default
Parameter (mail:) Description postfix:strict_8bitmime Default = no postfix:virtual_transport Default = "virtual" postfix:berkeley_db_create_buffer_size Default = 16777216 postfix:broken_sasl_auth_clients Default = no postfix:home_mailbox Default = no postfix:content_filter Default = "" postfix:forward_path Default = "$home/.forward${recipient_delimiter}${extension},$home/.
Parameter (mail:) Description postfix:bounce_notice_recipient Default = "postmaster" postfix:smtp_connect_timeout Default = "30s" postfix:fault_injection_code Default = 0 postfix:unknown_client_reject_code Default = 450 postfix:virtual_minimum_uid Default = 100 postfix:fast_flush_domains Default = "$relay_domains" postfix:default_database_type Default = "hash" postfix:dont_remove Default = 0 postfix:expand_owner_alias Default = no postfix:max_idle Default = "100s" postfix:defer_transpo
Parameter (mail:) Description imap:pop_auth_clear Default = no imap:imapidresponse Default = yes imap:sasl_auto_transition Default = no imap:mupdate_port Default = "" imap:admins:_array_index:0 Default = "cyrus" imap:plaintextloginpause Default = 0 imap:popexpiretime Default = 0 imap:pop_auth_any Default = no imap:sieve_maxscriptsize Default = 32 imap:hashimapspool Default = no imap:tls_lmtp_cert_file Default = "" imap:tls_sieve_key_file Default = "" imap:sievedir Default = "
Parameter (mail:) Description imap:autocreatequota Default = 0 imap:allowanonymouslogin Default = no imap:pop_auth_apop Default = yes imap:partition-default Default = "/var/spool/imap" imap:imap_auth_cram_md5 Default = no imap:mupdate_password Default = "" imap:idlesocket Default = "/var/imap/socket/idle" imap:allowallsubscribe Default = no imap:singleinstancestore Default = yes imap:unixhierarchysep Default = "yes" imap:mupdate_realm Default = "" imap:sharedprefix Default = "Share
Mail serveradmin Commands You can use the following commands with the serveradmin tool to manage mail service. Command (mail:command=) Description getHistory View a periodic record of file data throughput or number of user connections. See “Listing Mail Service Statistics” on this page. getLogPaths Display the locations of the Mail service logs. See “Viewing the Mail Service Logs” on page 195.
Value displayed by getHistory Description
The total number of samples listed.
mail:samplesArray:_array_index:i:vn = The numerical value of the sample. For connections (v1), this is the integer average number of users. For throughput (v2), this is integer bytes per second.
mail:samplesArray:_array_index:i:t = The time at which the sample was measured.
mail:v1Legend = "connections"
afp:currentServerTime =
Value Description
The location of the Mailing Lists Postings log. Default = /private/var/mailman/logs/post
The location of the Mailing Lists Delivery log. Default = /private/var/mailman/logs/smtp
The location of the Mailing Lists Subscriptions log. Default = /private/var/mailman/logs/subscribe
The location of the server log. Default = smtp.log
The location of the server log. Default = pop3.
The largest database is the mailbox folders. Each mailbox folder contains the following files:
• Message files—There is one file per message. The file name of each message is the message’s UID followed by a period. The UID is a unique ID that is given to each message.
• cyrus.header—This file contains a magic number and variable-length information about the mailbox.
• cyrus.index—This file contains fixed-length information about the mailbox and each message in the mailbox.
• cyrus.
Setting Up SSL for Mail Service
Mail service requires some configuration to provide Secure Sockets Layer (SSL) connections automatically. The basic steps are as follows:
• Generate a Certificate Signing Request (CSR) and create a keychain.
• Obtain an SSL certificate from an issuing authority.
• Import the SSL certificate into the keychain.
• Create a password file.
8 Enter b when prompted to specify how this certificate will be used, and then press Return.
Enter cert/key usage (s=signing, b=signing AND encrypting):
9 Enter s when prompted to select a signature algorithm, and then press Return.
...Generating key pair...
Please specify the algorithm with which your certificate will be signed.
5 RSA with MD5
s RSA with SHA1
Select signature algorithm by letter:
10 Enter y when asked to confirm the selected algorithm, and then press Return.
Obtaining an SSL Certificate After generating a CSR and a keychain, you continue configuring mail service for automatic SSL connections by purchasing an SSL certificate from a certificate authority such as Verisign or Thawte. You can do this by completing a form on the certificate authority’s website. When prompted for your CSR, open the csr.txt file using a text editor, such as TextEdit. Then, copy and paste the contents of the file into the appropriate field on the certificate authority’s website.
To list the certificates stored in the System keychain: $ certadmin list By default, certadmin will print the “Common Name” field of each certificate separated by newlines. Adding the option -x or --xml will print the certificate list to screen as an xml property list (plist). To export the given certificate to OpenSSL: $ certadmin export See the certadmin man page for more information.
Configuring Mailboxes The mail service keeps track of incoming email messages with a small database (BerkeleyDB 4.2.52), but the database doesn’t contain the messages themselves. The mail service stores each message as a separate file in a mail folder for each user. This is the user’s mailbox. Incoming mail is stored on the startup disk in the /var/spool/imap/user/username folder. Cyrus puts a database index file in the folder of user messages.
The folder is owned by the mail service, so users normally don’t have access to it and can’t put their scripts there for mail processing. For security purposes, users and administrators upload their scripts to a Sieve process (timsieved) which transports the scripts to the mail process for use. There are various ways of getting the scripts to timsieved, such as Perl shell scripts (“sieveshell”), web mail plug-ins (“avelsieve”), and even some email clients.
Self-Defined Forwarding Script
#--------
# This is a sample script to illustrate how Sieve could be used
# to let users handle their own mail forwarding needs.
# Read the comments following the pound/hash to find out what the
# script is doing.
#--------
#
# No need to add any extension. 'redirect' is built-in.
# Redirect all my incoming mail to the listed address
redirect "my-other-address@example.
# put it in my inbox
fileinto "INBOX";
}
# End of script
Sieve Scripting Resources
Sieve’s complete syntax, commands, and arguments are found in IETF RFC 3028 located on the Web at www.ietf.org/rfc/rfc3028.txt?number=3028. Other information about Sieve and a sample script archive can be found at www.cyrusoft.com/sieve.
Chapter 12 Working with the Mail Service
13 Working with Web Technologies
In this chapter you will find commands you can use to configure and manage web services and web components of your server. Web technologies in Mac OS X Server consist of several components that provide a flexible and scalable server environment. This chapter covers the commands that are used to configure and manage these web technologies.
Understanding Web Technology
Apple’s web services are based primarily on Apache.
Apache web server version 2.0 files are in the /opt/apache2 folder. The main configuration file for the Apache web server is /etc/httpd/httpd.conf. The Apache web server (httpd) reads this file during startup. In addition, Mac OS X Server maintains a configuration file for each website it hosts. Mac OS X Server stores the website-specific configuration files in the /etc/httpd/sites folder.
To list a group of settings:
You can list a group of settings that have part of their names in common by typing only as much of the name as you want, stopping at a colon (:), and typing an asterisk (*) as a wildcard for the remaining parts of the name. For example:
$ sudo serveradmin settings web:IFModule:_array_id:mod_alias.c:*
Changing Web Settings
You can use serveradmin to modify your server’s web service configuration.
Web serveradmin Commands
You can use the following commands with the serveradmin tool to manage web service.
Command (web:command=) Description
getHistory View Web service statistics. See “Viewing Service Statistics” on page 210.
getLogPaths Find the access and error logs for each hosted site. See “Viewing Service Logs” on this page.
getSites List existing sites. See “Listing Hosted Sites” on this page.
To list samples:
$ sudo serveradmin command
web:command = getHistory
web:variant = statistic
web:timeScale = scale
Control-D
Parameter Description
statistic The value you want to display. Valid values:
v1—Number of requests per second
v2—Throughput (bytes/sec)
v3—Cache requests per second
v4—Cache throughput (bytes/sec)
scale The length of time in seconds, ending with the current time, for which you want to see samples. For example, to see 30 minutes of data, you would specify web:timeScale = 1800.
Example Script for Adding a Website
The following script shows how you can use serveradmin to add a website to the server’s web service configuration. The script uses two files:
• addsite—The script you run. It accepts values for the site’s IP address, port number, server name, and root folder, and uses sed to substitute these values in the addsite.in file. This is then sent to serveradmin.
• addsite.
web:Sites:_array_id:_ipaddr\:_port__servername:ErrorDocument:_array_index:0:StatusCode = 404
web:Sites:_array_id:_ipaddr\:_port__servername:ErrorDocument:_array_index:0:Document = "/nwesite_notfound.html"
web:Sites:_array_id:_ipaddr\:_port__servername:LogLevel = "warn"
web:Sites:_array_id:_ipaddr\:_port__servername:IfModule:_array_id:mod_ssl.c:SSLEngine = no
web:Sites:_array_id:_ipaddr\:_port__servername:IfModule:_array_id:mod_ssl.
Working with Application Servers and Java With the built-in JBoss application server and full support for JSPs, Java Servlets and SOAP, Mac OS X Server provides a complete solution for hosting Java 2 Platform Enterprise Edition (J2EE) applications. It also features powerful deployment tools that simplify configuration of application resources and EJB components.
To start JBoss, enter the following:
/Library/JBoss/3.2/bin/run.sh -c deploy-standalone
When you use this command, the system updates the Application Server pane of Server Admin to reflect the status of JBoss. Sometimes, however, you might need to click Refresh to show the configuration changes. You can monitor the JBoss logs by reading the logs in /Library/Logs/JBoss/.
To stop JBoss, enter the following:
/Library/JBoss/3.2/bin/shutdown.sh
You can also stop JBoss by terminating the running run.sh command.
To set the root password:
$ sudo /usr/bin/mysqladmin shutdown
$ sudo /usr/bin/mysqld_safe --skip-grant-tables --skip-networking &
$ sudo /usr/bin/mysqladmin -u root flush-privileges password new-password
When you set up MySQL service for the first time, make sure to set up a password for the MySQL root user to protect your server from unauthorized access.
To create a database:
$ mysqladmin -u root password "password"
> create database mydatabase
To set the network option:
Edit /etc/mysqlManager.
14 Working with Network Services
In this chapter you will find commands you can use to configure and manage DHCP, DNS, Firewall, NAT, and VPN services in Mac OS X Server. Mac OS X Server network services add administrative and managerial capabilities to basic networking protocols. This chapter describes the commands used to configure and manage network services.
and xinetd each have their own configuration files. inetd uses one file to map a given service to its executable. All standard services that inetd handles are already listed in the file. xinetd, on the other hand, uses a different configuration file for each service it provides. In the /etc/xinetd.d folder, there are configuration files for each of the services that xinetd handles. If you enable FTP sharing, Mac OS X modifies the configuration file /etc/xinetd.d/ftp.
Changing DHCP Service Settings
To see a list of available service settings:
$ sudo serveradmin settings dhcp
Also see “DHCP Service Settings” on this page and “DHCP Subnet Settings Array” on page 220.
To change a single DHCP setting:
$ sudo serveradmin settings dhcp:setting = value
Parameter Description
setting A DHCP service setting. See table below.
value An appropriate value for the setting.
Parameter (dhcp:) Description subnet_defaults:dhcp_domain_name_ser ver:_array_index:n Default = The DNS server addresses provided during server setup, as listed in the Network pane of the server’s System Preferences. subnets:_array_id:... An array of settings for a particular subnet. is a unique identifier for each subnet. See “DHCP Subnet Settings Array” on this page.
Subnet Parameter subnets:_array_id:: Description lease_time_secs Lease time in seconds. Default = "3600" Corresponds to the Lease Time pop-up menu and field in the General pane of the subnet settings in the Server Admin application. net_address The IPv4 network address for the subnet. net_mask The subnet mask for the subnet. Corresponds to the Subnet Mask field in the General pane of the subnet settings in the Server Admin application.
Subnet Parameter subnets:_array_id:: Description WINS_scope_id A domain name such as apple.com. Default = "" Corresponds to the NetBIOS Scope ID field in the WINS pane of the subnet settings in the Server Admin application. WINS_secondary_server The secondary WINS server to be used by clients. Corresponds to the WINS/NBNS Secondary Server field in the WINS pane of the subnet settings in the Server Admin application.
Parameter Description subnetID A unique number that identifies the subnet. Can be any number not already assigned to another subnet defined on the server. Can include embedded hyphens (-). dns-server-n To specify additional DNS servers, add additional dhcp_name_server settings, incrementing _array_index:n for each additional value. Other parameters The standard subnet settings described under “DHCP Subnet Settings Array” on page 220.
To create a static map:
$ sudo serveradmin settings
dhcp:static_maps:_array_id:examplehost/9681BABD-3329-402E-A7AB-F0C3608E231D = create
dhcp:static_maps:_array_id:examplehost/9681BABD-3329-402E-A7AB-F0C3608E231D:ip_address = "1.2.3.
To display the log path:
$ sudo serveradmin command dhcp:command = getLogPaths
The computer will respond with the following output:
dhcp:systemLog = 
Value Description
The location of the DNS service log. Default = /var/logs/system.log
Managing the DNS Service
The Domain Name System (DNS) is a distributed database that maps IP addresses to domain names so your clients can find the resources by name rather than by numerical address.
Changing DNS Service Settings You can use serveradmin to modify your server’s DNS configuration. However, you’ll probably find it more straightforward to work directly with DNS and BIND using the standard tools and techniques described in the many books on the subject. (See, for example, DNS and BIND by Paul Albitz and Cricket Liu.) DNS Service Settings To list the settings, see “Viewing DNS Service Settings” on this page.
dns:queriesArray:_array_index:4:value = -1
dns:queriesArray:_array_index:5:name = "SOA_QUERIES"
dns:queriesArray:_array_index:5:value = -1
dns:queriesArray:_array_index:6:name = "TXT_QUERIES"
dns:queriesArray:_array_index:6:value = -1
dns:nxdomain = 0
dns:nxrrset = 0
dns:reloadedTime = ""
dns:success = 0
dns:failure = 0
dns:recursion = 0
dns:startedTime = "2003-09-10 11:24:03 -0700"
dns:referral = 0
Configuring IP Forwarding
You can configure Mac OS X Server to provide routing services by configuring the n
Firewall Startup Although the firewall is treated as a service by the Server Admin application, it is not implemented by a running process like other services. It is simply a set of behaviors in the kernel, controlled by the ipfw and sysctl tools. To start and stop the firewall, the Server Admin application sets a switch using the sysctl tool. When the computer starts, a startup item named IPFilter checks the /etc/hostconfig file for the “IPFILTER” flag.
Changing Firewall Service Settings
To change a setting:
$ sudo serveradmin settings ipfilter:setting = value
Parameter Description
setting An ipfilter service setting. See “Firewall Service Settings” on page 229.
value An appropriate value for the setting.
To change several settings:
$ sudo serveradmin ipfilter:setting =
ipfilter:setting =
ipfilter:setting =
[...
ipfilter Groups with Rules Array An array of the following settings is included in the ipfilter settings for each defined IP address group. These arrays aren’t part of a standard ipfw configuration, but are created by the Server Admin application to implement the IP Address groups in the General pane of the Firewall service settings. In an actual list of settings, is replaced with an IP address group.
The unmodified ipfw.conf file:
# ipfw.conf.default - Installed by Apple, never modified by Server Admin app
#
# ipfw.conf - The servermgrd process (the back end of Server Admin app)
# creates this from ipfw.conf.default if it's absent, but does not modify
# it.
#
# Administrators can place custom ipfw rules in ipfw.conf.
#
# Whenever a change is made to the ipfw rules by the Server Admin
# application and saved:
# 1. All ipfw rules are flushed
# 2.
To disallow any connection from the entire cracker.evil.org network to my host:
1 Ping cracker.evil.org to determine its IP address.
$ ping cracker.evil.org
PING cracker.evil.org (123.45.67.10): 56 data bytes
64 bytes from 123.45.67.10: icmp_seq=0 ttl=52 time=24.953
64 bytes from 123.45.67.10: icmp_seq=1 ttl=52 time=19.406
64 bytes from 123.45.67.10: icmp_seq=2 ttl=52 time=18.871
64 bytes from 123.45.67.10: icmp_seq=3 ttl=52 time=29.776
64 bytes from 123.45.67.10: icmp_seq=4 ttl=52 time=26.
ipfilter:rules:_array_id:1111:readOnly = yes
ipfilter:rules:_array_id:1111:source-port = ""
Control-D
ipfilter Rules Array
An array of the following settings is included in the ipfilter settings for each defined firewall rule. In an actual list of settings, is replaced with a rule number. You can add a rule by using serveradmin to create such an array in the firewall settings (see “Adding Rules Using serveradmin” on page 232).
Viewing Firewall Service Log You can use tail or any other file listing tool to view the contents of the ipfilter service log. To view the latest entries in the log: $ tail log-file You can use the serveradmin getLogPaths command to see where the current ipfilter service log is located.
Starting and Stopping NAT Service
To start NAT service:
$ sudo serveradmin start nat
To stop NAT service:
$ sudo serveradmin stop nat
Checking the Status of NAT Service
To see summary status of NAT service:
$ sudo serveradmin status nat
To see detailed status of NAT service:
$ sudo serveradmin fullstatus nat
Viewing NAT Service Settings
To list NAT service configuration settings:
$ sudo serveradmin settings nat
To list a particular setting:
$ sudo serveradmin settings nat:setting
Changing NAT Service
NAT Service Settings
Use the following parameters with the serveradmin tool to change settings for NAT service.
Parameter (nat:) Description
deny_incoming yes|no Default = no.
log_denied yes|no Default = no.
clamp_mss yes|no Default = yes
reverse yes|no Default = no
log yes|no Default = yes
proxy_only yes|no Default = no
dynamic yes|no Default = yes
use_sockets yes|no Default = yes
interface The network port.
unregistered_only
Port Mapping
You can configure port mapping by adding a redirect_port directive to the configuration file passed to the natd process. You can accomplish this by editing the plist version of the configuration file /etc/nat/natd.plist. This file is in turn processed by the serveradmin tool and used to create the configuration file /etc/nat/natd.conf.apple, which is passed to the natd process. See the natd man page for details about configuring natd.
Note: Don’t edit the /etc/nat/natd.conf.
To display the log path:
$ sudo serveradmin command
nat:command = getLogPaths
The computer will respond with the following output:
nat:natLog =
Value     Description
natLog    The location of the NAT service log. Default = /var/log/alias.log
Managing the VPN Service
Virtual Private Network (VPN) is two or more computers or networks (nodes) connected by a private link of encrypted data.
Changing VPN Service Settings
To change a setting:
$ sudo serveradmin settings vpn:setting = value
Parameter    Description
setting      A VPN service setting. To see a list of available settings, enter
             $ sudo serveradmin settings vpn
             or see “List of VPN Service Settings” on page 239.
value        An appropriate value for the setting.
To change several settings:
$ sudo serveradmin settings
vpn:setting = value
vpn:setting = value
vpn:setting = value
[...
Parameter (vpn:Servers:)                         Description
com.apple.ppp.l2tp:IPv4:DestAddressRanges        Default = _empty_array
com.apple.ppp.l2tp:IPv4:OfferedRouteMasks        Default = _empty_array
com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses    Default = _empty_array
com.apple.ppp.l2tp:IPv4:OfferedRouteTypes        Default = _empty_array
com.apple.ppp.l2tp:IPv4:ConfigMethod             Default = "Manual"
com.apple.ppp.l2tp:DNS:OfferedSearchDomains      Default = _empty_array
com.apple.ppp.
Parameter (vpn:Servers:)                         Description
com.apple.ppp.pptp:Server:VerboseLogging         Default = 1
com.apple.ppp.pptp:Server:MaximumSessions        Default = 128
com.apple.ppp.pptp:Server:LogFile                Default = "/var/log/ppp/vpnd.log"
com.apple.ppp.pptp:IPv4:DestAddressRanges        Default = _empty_array
com.apple.ppp.pptp:IPv4:OfferedRouteMasks        Default = _empty_array
com.apple.ppp.pptp:IPv4:OfferedRouteAddresses    Default = _empty_array
com.apple.ppp.pptp:IPv4:OfferedRouteTypes        Default = _empty_array
com.
Parameter (vpn:Servers:)                                     Description
com.apple.ppp.pptp:PPP:MPPEKeySize40                         Default = 0
com.apple.ppp.pptp:PPP:LCPEchoInterval                       Default = 60
com.apple.ppp.pptp:PPP:LCPEchoEnabled                        Default = 1
com.apple.ppp.pptp:PPP:CCPEnabled                            Default = 1
com.apple.ppp.pptp:PPP:IPCPCompressionVJ                     Default = 0
com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:n  Default = "MSCHAP2"
com.apple.ppp.pptp:PPP:LogFile                               Default = "/var/log/ppp/vpnd.
To display the log path:
$ sudo serveradmin command
vpn:command = getLogPaths
The computer will respond with the following output:
vpn:vpnLog =
Value     Description
vpnLog    The location of the VPN service log. Default = /var/log/vpnd.log
Site-to-Site VPN
Site-to-site VPN is implemented by the daemon vpnd, which is in turn a wrapper around the racoon daemon and the setkey tool. The racoon daemon negotiates and configures a set of parameters of IPsec.
• The form of IPSec security to use (certificate or shared-secret). Before choosing certificate-based authentication, ensure that at least one certificate is currently installed on the server. s2svpnadmin will display a list of currently installed certificates and prompt the user to choose one of these. Certificates can be created, self-signed, and installed using the Server Admin application.
Setting Up IP Failover IP failover allows a secondary server to acquire the IP address of a primary server if the primary server ceases to function. Once the primary server returns to normal operation, the secondary server relinquishes the IP address. This allows your website to remain available on the network even if the primary server temporarily goes offline. Note: IP failover only allows a secondary server to acquire a primary server’s IP address.
Email notification is sent when the secondary server detects a failover condition or a network anomaly, and when the IP address is relinquished back to the primary server. Enabling IP Failover You enable IP failover by adding command lines to the file /etc/hostconfig on the primary and the secondary server. Be sure to enter these lines exactly as shown with regard to spaces and punctuation marks.
Configuring IP Failover You configure failover behavior using scripts. The scripts must be executable (for example, shell scripts, Perl, compiled C code, or executable AppleScripts). You place these scripts in /Library/IPFailover/IP_address on the secondary server. You need to create a folder named with the public IP address of the primary server to contain the failover scripts for that server. For example, /Library/IPFailover/100.0.0.10.
For example, your secondary server may perform other services on the network, such as running a statistical analysis application and distributed image processing software. A pre acquisition script quits the running applications to free up the CPU for the Web server. A post acquisition script starts the Web server. Once the primary server is up and running again, a pre relinquish script quits the Web server, and a post relinquish script starts the image processing and statistical analysis applications.
To restore the DHCP service to its default configuration:
1 Remove the subnet configuration from the /config/dhcp folder in the local NetInfo database by using the nicl tool:
$ sudo nicl . -delete /config/dhcp
2 Remove the static Ethernet / IP Address static maps from the /machines folder in the local NetInfo database. The easiest way to do this is to delete the folder:
$ sudo nicl . -delete /machines
3 Re-create the two default records:
$ sudo nicl . -create /machines/localhost
$ sudo nicl .
To restore the VPN service to its default configuration:
Rename the com.apple.RemoteAccessServers.plist file located in the /Library/Preferences/SystemConfiguration/ folder.
To restore the SERVERMGR_MAIL service to its default configuration:
Rename these two files:
• /etc/MailServicesOther.plist
• /var/mailman/data/listinfo.
15 Working with Open Directory
In this chapter you will find commands used to configure and manage the Open Directory service.
Open Directory is the standards-based directory and network authentication services architecture used by Mac OS X and Mac OS X Server. In Mac OS X Server, Open Directory relies on open source technologies such as OpenLDAP and Kerberos to provide directory and authentication services, but Open Directory does much more.
Modifying a Directory Domain You can use the dscl tool to create, modify, or delete directory information in a directory domain. Testing Open Directory Plug-ins You can use the dsperfmonitor tool to check the performance of the protocol-specific plug-ins used by Open Directory. It can list the API calls being made to plug-ins, how long the plug-ins take to reply, and recent API call errors. See the dsperfmonitor man page for more information.
Parameter (dirserv:)      Description
passwordOptionsString     Default = "usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0"
NetInfoRunStatus          Default = ""
LDAPSSLCertificatePath    Default = ""
masterServer              Default = ""
LDAPServerType            Default = "standalone"
Net
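The passwordOptionsString value is a space-separated list of key=value options. The following Python script is added here as an example; it is not part of the manual or of Open Directory. It parses such a string and checks a candidate password against the length, character-class and name options. The stricter policy string and the sample passwords are constructed for the example; the history, expiry and lockout options are parsed but not evaluated, because they depend on state held by the password server.

```python
"""Parse an Open Directory passwordOptionsString and evaluate a candidate
password against it.  Added example, not code from the manual or from
Open Directory; option names are taken from the dirserv:passwordOptionsString
default shown in the manual, policy values and passwords below are constructed."""
import re

# Default policy string exactly as the manual lists it (every option off).
DEFAULT_OPTIONS = (
    "usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 "
    "requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 "
    "hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 "
    "maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 "
    "minChars=0 maxChars=0 passwordCannotBeName=0"
)

# Constructed stricter policy for demonstration (not a manual default).
STRICT_OPTIONS = (
    DEFAULT_OPTIONS.replace("requiresAlpha=0", "requiresAlpha=1")
    .replace("requiresNumeric=0", "requiresNumeric=1")
    .replace("minChars=0", "minChars=8")
    .replace("passwordCannotBeName=0", "passwordCannotBeName=1")
)


def parse_password_options(options):
    """Split 'key=value key=value ...' into a dict.  Integer values become int;
    the two date options stay strings (M/D/YY in the manual's default)."""
    result = {}
    for token in options.split():
        if "=" not in token:
            raise ValueError("malformed option token: %r" % token)
        key, value = token.split("=", 1)
        result[key] = int(value) if value.lstrip("-").isdigit() else value
    return result


def check_password(password, username, options):
    """Return a list of policy violations; an empty list means the password
    satisfies every option evaluated here (length, alpha/numeric, not-the-name)."""
    policy = parse_password_options(options)
    problems = []
    min_chars = policy.get("minChars", 0)
    max_chars = policy.get("maxChars", 0)
    if min_chars and len(password) < min_chars:
        problems.append("shorter than minChars=%d" % min_chars)
    if max_chars and len(password) > max_chars:
        problems.append("longer than maxChars=%d" % max_chars)
    if policy.get("requiresAlpha") and not re.search(r"[A-Za-z]", password):
        problems.append("requiresAlpha but no letter present")
    if policy.get("requiresNumeric") and not re.search(r"[0-9]", password):
        problems.append("requiresNumeric but no digit present")
    if policy.get("passwordCannotBeName") and password.lower() == username.lower():
        problems.append("passwordCannotBeName but password equals the user name")
    return problems


if __name__ == "__main__":
    for pw in ("ajohnson", "secret", "s3cretPass"):
        print(pw, check_password(pw, "ajohnson", STRICT_OPTIONS) or "ok")
```

A string produced by `serveradmin settings dirserv:passwordOptionsString` can be fed to check_password directly after stripping the surrounding quotes; an administrator can use this to confirm what a policy change actually enforces before pushing it to the server.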
The slapd_macosx.conf file contains an entry for the root user of the LDAP database, the directive rootdn. This root user is not the same as the root user in the local NetInfo database, but rather it is a user who has total control over all data inside the LDAP database—access controls do not apply to the root user. An example value for rootdn is uid=root,cn=users,dc=example,dc=com. An administrator user on the computer can edit the slapd_macosxserver.
Tool                    Used to
/usr/sbin/slapindex     Regenerate directory indexes.
/usr/sbin/slappasswd    Generate user password hashes.
Idle Rebinding Options
The following two LDAPv3 plug-in parameters are documented in the Open Directory administration guide. The parameters are used in the file /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist.
Delay Rebind
This parameter specifies how long the LDAP plug-in waits before attempting to reconnect to a server that fails to respond.
To avoid this error, include the -x option when you enter the command. For example:
$ ldapsearch -h 192.168.100.1 -b "dc=example,dc=com" -x
The -x option forces ldapsearch to use simple authentication instead of SASL. The -x option also works on the other LDAP tools. ldapsearch can also be used for debugging issues with LDAP, independent of the directory services LDAPv3 plug-in.
ibm-serverId: 71d3fb40-c90a-1028-9ef7-8e62f6ed25ed
ibm-supportedacimechanisms: 1.3.18.0.2.26.3
ibm-supportedacimechanisms: 1.3.18.0.2.26.2
vendorname: International Business Machines (IBM)
vendorversion: 5.1
ibm-sslciphers: N/A
ibm-supportedcapabilities: 1.3.18.0.2.32.1
ibm-supportedcapabilities: 1.3.18.0.2.32.2
ibm-supportedcapabilities: 1.3.18.0.2.32.3
ibm-supportedcapabilities: 1.3.18.0.2.32.4
ibm-supportedcapabilities: 1.3.18.0.2.32.5
ibm-supportedcapabilities: 1.3.18.0.2.32.
After you get that, you can search for a record with a command like this:
$ ldapsearch -LLL -x -h xtra.apple.com -b "dc=apple,dc=com" uid=ajohnson uid cn
dn: uid=ajohnson,cn=users,dc=apple,dc=com
uid: ajohnson
cn: Anne Johnson
Using LDIF Files
Lightweight Directory Interchange Format (LDIF) is a file format used to represent LDAP entries in text form. LDAP tools such as ldapadd, ldapmodify, and ldapsearch read and write LDIF files. Here is an example of an LDIF file containing three entries.
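As an added example (not from the manual or from OpenLDAP), the following Python parser reads the LDIF content form described above: a dn: line followed by attribute: value lines, a double colon for base64-encoded values, continuation lines that begin with a space, comments, and blank lines between entries. SAMPLE_LDIF is a constructed three-entry file in the dc=example,dc=com naming used elsewhere in this chapter; the search() helper filters the parsed entries the way the uid=ajohnson query does.

```python
"""Minimal LDIF (content form) parser.  Added example, not code from the
manual or from OpenLDAP.  SAMPLE_LDIF is a constructed sample."""
import base64

SAMPLE_LDIF = """\
# constructed sample: three entries under dc=example,dc=com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corp

dn: cn=users,dc=example,dc=com
objectClass: container
cn: users

dn: uid=ajohnson,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ajohnson
cn: Anne Johnson
description: a long value that is
  folded across lines
displayName:: QW5uZSBKb2huc29u
"""


def parse_ldif(text):
    """Return a list of (dn, attrs) tuples.  attrs maps an attribute name to
    the list of its values, so multi-valued attributes such as objectClass
    keep every value in file order."""
    # Unfold: a physical line starting with one space continues the previous one.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries = []
    current = None                      # (dn, attrs) being built
    for line in logical:
        if not line.strip():            # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("line without attribute separator: %r" % line)
        if rest.startswith(":"):        # '::' marks a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):      # ':<' (URL-valued) is not handled here
            raise ValueError("URL-valued attribute not supported: %r" % line)
        else:
            value = rest.strip()
        if name == "dn":
            if current is not None:
                raise ValueError("dn: inside an entry, missing blank line before %r" % value)
            current = (value, {})
            continue
        if current is None:
            raise ValueError("attribute before any dn: line: %r" % line)
        current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def search(entries, attr, value):
    """Return the DNs of entries where attr has the given value (like the
    uid=ajohnson filter in the ldapsearch example)."""
    return [dn for dn, attrs in entries if value in attrs.get(attr, [])]


if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, attrs.get("cn"))
    print(search(parse_ldif(SAMPLE_LDIF), "uid", "ajohnson"))
```

Reading an exported LDIF this way before feeding it to ldapadd or ldapmodify lets you check that every entry has a dn, that folded lines were reassembled correctly, and that base64 values (typically used for non-ASCII or binary attributes) decode as expected.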
Additional Information About LDAP The LDAP server in Mac OS X Server is based on OpenLDAP. Additional information about OpenLDAP, including an administrator’s guide, is available at www.openldap.org. Warning: Apple doesn’t support the OpenLDAP administrator’s guide, so you should carefully test all procedures documented in it before using them on an Open Directory server that’s in service.
Managing Open Directory Passwords When a user’s account has a password type of Open Directory, the user can be authenticated by Kerberos or the Open Directory Password Server. Kerberos is a network authentication system that uses credentials issued by a trusted server. The Open Directory Password Server supports the traditional password authentication methods that some network services or users’ client applications require.
Kerberos and Apple Single Sign-On Built into Open Directory is a robust authentication server that uses MIT’s Kerberos Key Distribution Center (KDC)—providing strong authentication with support for secure single sign-on. That means users need authenticate only once, with a single user name and password pair, for access to a broad range of Kerberized network services. The following tools are available for setting up your Kerberos and Apple single sign-on environment.
Principal Management
Mac OS X Server uses MIT’s Kerberos administration architecture for principal management. The Kerberos administration daemon kadmind is responsible for making changes to the Kerberos database. Aside from Open Directory, kadmind is largely manipulated by kadmin and kadmin.local. Generally in Mac OS X, Apple applications are responsible for telling kadmin what to do, and hence manual modifications are rarely needed.
Using kadmin to kerberize a service kadmin can be used to kerberize additional services, depending on your specific configuration requirements. While Mac OS X Server kerberizes many services for you, you can use Kerberos command-line tools to kerberize additional services with Open Directory Kerberos. A kerberized service needs to know its principal name. The service type for most services is compiled into the binary.
Finding Network Information The lookupd daemon acts as an information broker and cache. It is called by various routines in the System framework to find information about user accounts, groups, printers, email aliases and distribution lists, computer names, Internet addresses, and several other kinds of information. lookupd also has a channel to query Open Directory, allowing access to data from LDAP and other directory services.
Parameter      Description
some keyword   Keyword to add
groupname      Group name
See the dseditgroup man page for more information.
Adding or Removing LDAP Server Configurations
dsconfigldap allows you to add or remove LDAP server configurations in directory services.
To add an LDAP server:
$ dsconfigldap -v -a myldap.example.com
To remove an LDAP server:
$ dsconfigldap -v -r myldap.example.
16 Working with QuickTime Streaming Server
In this chapter you will find commands you can use to configure and manage the QuickTime Streaming Server service.
Streaming is the delivery of media, such as movies and live presentations, over a network in real time. A streaming server sends the media to a client computer, which plays the media as it is delivered. With streaming, no files are downloaded to the viewer’s hard disk.
Starting and Stopping the QTSS Service
To start QTSS service:
$ sudo serveradmin start qtss
or
$ sudo quicktimestreamingserver
To see a list of quicktimestreamingserver tool options:
$ sudo quicktimestreamingserver -h
To stop QTSS service:
$ sudo serveradmin stop qtss
Checking QTSS Service Status
To see if QTSS service is running:
$ sudo serveradmin status qtss
To see complete QTSS status:
$ sudo serveradmin fullstatus qtss
Viewing QTSS Settings
To list all QTSS service settings:
$ sudo serveradmin se
To change several settings:
$ sudo serveradmin settings
qtss:setting = value
qtss:setting = value
qtss:setting = value
[...]
Control-D
QTSS Settings
Use the following parameters with the serveradmin tool to change settings for the QTSS service.
Descriptions of Settings
To see descriptions of most QTSS settings, you can look in the streamingserver.xml-sample file located in /Library/QuickTimeStreaming/Config/. Look for XML module and pref names that match the last two segments of the parameter name.
Parameter (qtss:)                                            Description
modules:_array_id:QTSSAccessModule:modAccess_usersfilepath   Default = "/Library/Quick
modules:_array_id:QTSSAdminModule:AdministratorGroup         Default = "admin"
modules:_array_id:QTSSAdminModule:Authenticate               Default = yes
modules:_array_id:QTSSAdminModule:enable_remote_admin        Default = yes
modules:_array_id:QTSSAdminModule:IPAccessList               Default = "127.0.0.
Parameter (qtss:)                                               Description
modules:_array_id:QTSSMP3StreamingModule:mp3_streaming_enabled  Default = yes
modules:_array_id:QTSSReflectorModule:allow_broadcasts          Default = yes
modules:_array_id:QTSSReflectorModule:allow_non_sdp_urls        Default = yes
modules:_array_id:QTSSReflectorModule:BroadcasterGroup          Default = "broadcaster"
modules:_array_id:QTSSReflectorModule:broadcast_dir_list        Default = ""
modules:_array_id:QTSSReflectorModule:disable_overbuffering     Default = no
modules:_array_id:QTSSR
Parameter (qtss:)       Description
server:module_folder    Default = "/Library/QuickTimeStreaming/Modules/"
server:movie_folder     Default = "/Library/QuickTimeStreaming/Movies/"
server:pid_file         Default = "/var/run/QuickTimeStreamingServer.
Viewing QTSS Service Statistics
You can use the serveradmin getHistory command to display a log of periodic samples of the number of connections and the data throughput. Samples are taken once each minute.
To list samples:
$ sudo serveradmin command
qtss:command = getHistory
qtss:variant = statistic
qtss:timeScale = scale
Control-D
Parameter    Description
statistic    The value you want to display.
Viewing Service Logs
You can use tail or any other file listing tool to view the contents of the QTSS service logs.
To view the latest entries in a log:
$ tail log-file
You can use the serveradmin getLogPaths command to see where the current QTSS error and activity logs are located.
Preparing Older Home Folders for User Streaming If you want to enable QTSS home folder streaming for home folders created using an earlier version of Mac OS X Server (before version 10.3), you need to set up the necessary streaming media folder in each user’s home folder. You can use the createuserstreamingdir tool to set up the needed Sites/Streaming/ folder.
Controlling Access to Streamed Media You can set up authentication to control client access to streamed media files. Two schemes of authentication are supported: basic and digest. By default, the server uses the more secure digest authentication. You can also control playlist access and administrator access to your streaming server. Authentication does not control access to media streamed from a relay server. The administrator of the relay server must set up authentication for relayed media.
Terms not in angle brackets are keywords. Anything in angle brackets is information you supply. Save the access file as plain text (not as .rtf or any other file format).
Parameter       Description
message         Text your users see when the login window appears. It’s optional. If your message contains any white space (such as a space character between terms), make sure you enclose the entire message in quotation marks.
user filename   The path and filename of the user file.
Accessing Protected Media Users must have QuickTime 5 or later to access a media file for which digest authentication is enabled. If your streaming server is set up to use basic authentication, users need QuickTime 4.1 or later. Users must enter their user names and passwords to view the media file. Users who try to access a media file with an earlier version of QuickTime will see the error message 401: Unauthorized.
Manipulating QuickTime and MP4 Movies You can use the qtmedia tool to manipulate QuickTime and MP4 movies. You can add hint tracks, prepare for “fast-start,” and edit annotations. For more information, run the qtmedia tool to display the command-line options. Creating Reference Movies You can use the qtref tool to create reference movies that can be used to embed QuickTime content in Web pages. You can use the following options with qtref.
17 Configuring System Logging
In this chapter you will find commands you can use to configure and manage system logging.
Logging System Events
Logs are text files that form a record of what has occurred on the system, much like a journal.
Configuring the Log File
Log files are maintained in the /Library/Logs/ and /var/log/ folders. Some commonly monitored log files include console.log and system.log. Applications may have their own log files located in different folders. Console.
The facility and priority are separated by a single period, and these are separated from the action by one or more tabs. Wildcards (“*”) may also be used in the configuration file. The following example line logs all messages of any facility or priority to the file /var/log/all.log:
*.*	/var/log/all.log
See the syslog.conf man page for information about the configuration of this file.
Local Logging
The default configuration in /etc/syslog.
Remote Logging Using remote logging in addition to local logging is strongly recommended for any server system, because local logs can easily be altered if the system is compromised. Several security issues must also be considered when making the decision to use remote logging. First, the syslog process sends log messages as clear text, which could expose sensitive information. Second, too many log messages may fill storage space on the logging system, making further logging impossible.
This format is the IPv4 address with a mask bit length. Optionally, the service can be a name or number of the UDP port the source packet must belong to. When using the -a option, do not omit the masklen portion, as the default masklen may be very small and the corresponding matching addresses could, therefore, be almost anything. The default [:service] is syslog, which should not need to be changed. For example, match a subnet of 255 hosts as follows: -a 192.168.1.
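The -a check described above can be scripted. The following Python code is an added example, not part of the manual or of syslogd: it parses a -a specification in the ipaddr/masklen[:service] form, rejects a specification with no masklen (the omission the manual warns about) and reports whether a given source address and UDP port would be accepted by the resulting rule. The specifications and addresses in the usage are constructed samples.

```python
"""Validate syslogd -a allowed-peer specifications (ipaddr/masklen[:service]).
Added example, not code from the manual or from syslogd; sample specs and
addresses are constructed."""
import ipaddress

DEFAULT_SERVICE = "syslog"   # the default [:service] named in the manual
SYSLOG_UDP_PORT = 514        # the well-known port the "syslog" service name resolves to


def _port_number(service):
    """Map a service given as a name or a number to a UDP port number."""
    if service == "syslog":
        return SYSLOG_UDP_PORT
    return int(service)


def parse_allowed_peer(spec):
    """Return (IPv4Network, service) for a spec such as '192.168.1.0/24:syslog'.
    Raises ValueError when the masklen is missing, because syslogd's default
    mask length can be very small and match almost any source address."""
    address_part, _, service = spec.partition(":")
    if "/" not in address_part:
        raise ValueError(
            "missing masklen in %r: give the mask length explicitly" % spec)
    # strict=False accepts a host address with the mask (e.g. 192.168.1.5/24)
    network = ipaddress.IPv4Network(address_part, strict=False)
    return network, service or DEFAULT_SERVICE


def peer_allowed(specs, source_ip, source_port=SYSLOG_UDP_PORT):
    """True if a datagram from source_ip/source_port matches any -a spec."""
    ip = ipaddress.IPv4Address(source_ip)
    for spec in specs:
        network, service = parse_allowed_peer(spec)
        if ip in network and _port_number(service) == source_port:
            return True
    return False


def audit_specs(specs):
    """Return a list of (spec, problem) pairs for specs that would not be
    accepted by parse_allowed_peer, for checking a syslogd command line."""
    problems = []
    for spec in specs:
        try:
            parse_allowed_peer(spec)
        except ValueError as exc:
            problems.append((spec, str(exc)))
    return problems


if __name__ == "__main__":
    # Constructed sample command-line arguments.
    sample = ["192.168.1.0/24", "10.0.0.0/8:514", "172.16.0.1"]
    for spec, problem in audit_specs(sample):
        print("bad -a spec:", spec, "->", problem)
    print(peer_allowed(sample[:2], "192.168.1.77"))
```

Running audit_specs over the -a arguments you intend to pass to syslogd catches a forgotten masklen before the daemon silently widens the set of accepted log sources.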
Appendix PCI RAID Card Command Reference
In this appendix you will find information about the megaraid command, used for managing a PCI RAID Card. The megaraid tool uses are described in the following table, along with parameter explanations.
megaraid -alarm -on | -off | -silence
Turns the alarm on, off, or to silence. When the alarm is set to silence, it turns off for the current failure, but will turn on again for the next failure.
megaraid -create R0 | R1 | R5 -drive { 0 1 2 3} [-stripesize n] [-size x] [-writecache enable | disable] [-readahead on | off | adaptive] [-iopolicy direct | cached] [-log file]
Creates a logical drive and adds it to the existing configuration. The RAID level and participating physical drives’ parameters are required. All other parameters are optional. If size is not specified, the remaining size of the array will automatically be used.
Note: See the megaraid man page for more information. You can also use all megaraid commands with a [-log file] parameter, which logs all the displayed information with date and time in the file you specify.
Glossary
This glossary defines terms and spells out abbreviations you may encounter while working with online help or the various reference manuals for Mac OS X Server. References to terms defined elsewhere in the glossary appear in italics.
administrator  A user with server or directory domain administration privileges. Administrators are always members of the predefined “admin” group.
AFP  Apple Filing Protocol.
DHCP Dynamic Host Configuration Protocol. A protocol used to dynamically distribute IP addresses to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and then requests an IP address from the DHCP server it finds. The DHCP server checks for an available IP address and sends it to the client computer along with a lease period—the length of time the client computer may use the address.
FTP  File Transfer Protocol. A protocol that allows computers to transfer files over a network. FTP clients using any operating system that supports FTP can connect to a file server and download files, depending on their access privileges. Most Internet browsers and a number of freeware applications can be used to access an FTP server.
full name  See long name.
group  A collection of users who have similar needs. Groups simplify the administration of shared resources.
IP subnet  A portion of an IP network, which may be a physically independent network segment, that shares a network address with other portions of the network and is identified by a subnet number.
ISP  Internet service provider. A business that sells Internet access and often provides web hosting for ecommerce applications as well as mail services.
Kerberos  A secure network authentication system. Kerberos uses tickets, which are issued for a specific user, service, and period of time.
mail host  The computer that provides your mail service.
managed client  A user, group, or computer whose access privileges and/or preferences are under administrative control.
managed network  The items managed clients are allowed to “see” when they click the Network icon in a Finder window. Administrators control this setting using Workgroup Manager. Also called a “network view.”
managed preferences  System or application preferences that are under administrative control.
NFS  Network File System. A client/server protocol that uses Internet Protocol (IP) to allow remote users to access files as though they were local. NFS exports shared volumes to computers according to IP address, rather than user name and password.
nfsd daemon  An NFS server process that runs continuously behind the scenes and processes read and write requests from clients. The more daemons that are available, the more concurrent clients can be served.
presets  Initial default attributes you specify for new accounts you create using Workgroup Manager. You can use presets only during account creation.
primary group  A user’s default group. The file system uses the ID of the primary group when a user accesses a file he or she doesn’t own.
primary group ID  A unique number that identifies a primary group.
print queue  An orderly waiting area where print jobs wait until a printer is available.
SDP  Session Description Protocol. A text file used with QuickTime Streaming Server that provides information about the format, timing, and authorship of a live streaming broadcast and gives the user’s computer instructions for tuning in.
search path  See search policy.
search policy  A list of directory domains searched by a Mac OS X computer when it needs configuration information; also the order in which domains are searched. Sometimes called a search path.
static IP address  An IP address that’s assigned to a computer or device once and is never changed.
subnet  A grouping on the same network of client computers that are organized by location (different floors of a building, for example) or by usage (all eighth-grade students, for example). The use of subnets simplifies administration. See also IP subnet.
system-less client  A computer that doesn’t have an operating system installed on its local hard disk.
virtual user  An alternate email address (short name) for a user. Similar to an alias, but it involves creating another user account.
VPN  Virtual Private Network. A network that uses encryption and other technologies to provide secure communications over a public network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or by routers.
Index
A
ab tool 213
access 36
accounts 97
  administrator 98
  group 110
  mobile user 108
  modifying user 107
  removing users 103
  securing 126
ACL (access control list) 157
addsite script 212
AFP (Apple Filing Protocol)
  canceling user disconnect 143
  changing service settings 137
  checking service status 136
  disconnecting users 142
  listing connected users 141
  sending user message 142
  service settings 137
  starting service 136
  stopping service 136
  viewing service logs 145
  viewing service settings 136
  viewi
DHCP (Dynamic Host Configuration Protocol)
  adding a subnet 222
  changing service settings 219
  checking service status 218
  service settings 219
  set server to use 68
  starting service 218
  static map 223
  stopping service 218
  viewing service logs 224
  viewing service settings 218
dial-in service, PPP 248
DirectoryServiceAttributes 252
DirectoryService daemon 252
disk journaling 91
disklabel tool 90
diskspacemonitor tool 85
diskutil tool 87
DNS (Domain Name System)
  changing servers 69
  changing service settings 226
K
kadmind daemon 262
kadmin tool 262
kdb5_util tool 261
kdcsetup tool 261
Kerberos 261
  backing up 261
  principal management 262
  tools and utilities 261
kerberosautoconfig tool 261
keychain 198
killall tool 105, 283
kill tool 74, 274
known_hosts file 33
krb5kdc tool 262
L
launchd daemon 55
LDAP (Lightweight Directory Access Protocol) 253
  and SASL 255
  configuration file 255
  delay rebinding options 255
  idle timeout parameter 255
  ldapsearch tool 255
  parameter list 255
  rebinding parameter 255
  tools and utilities
S
s2svpnadmin tool 243
sa_srchr tool 39
SASL
  used by ldapsearch 255
scheduling tasks 27
scp tool 32
scripts
  adding a website 212
scselect tool 82
scutil tool 80
Secure Shell (SSH) 31
  man-in-the-middle attack 34
  using 35
Secure Sockets Layer. See SSL
serial number, server software 49
server configuration file
  example 44
  naming 41, 42
  saving 41
Server Message Block.
  viewing VPN service logs 242
  viewing Web service logs 210
TCP/IP settings 66, 68
telnet tool 36
Terminal application 21
terminating commands 27
throughput.