Mac OS X Server Command-Line Administration For Version 10.
Apple Inc. © 2007 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Inc.
Preface About This Guide This guide describes Mac OS X Server command-line tools and commands, including the syntax, purpose, and parameters, and provides examples of usage and output. Command-Line Administration is written for system administrators familiar with administering and managing servers, storage, and networks. Beneath the interface of Mac OS X is a core operating system known as Darwin. Darwin integrates a number of technologies, most importantly Mach 3.
Using This Guide This guide describes commands that perform functions used to configure and manage Mac OS X computers. Chapters in this guide describe sets of commands that work for specific aspects of the operating system. Use this guide to:
• Learn which commands are available for specific tasks
• Learn how the commands work, and how to execute them
• Review examples of command usage
Understanding Notation Conventions The following conventions are used throughout this book.
Parameters You Must Enter as Shown If you must enter a parameter as shown, it appears following the command in the same font. For example: $ doit -w later -t 12:30 To use the command in this example, enter the entire line as shown (without the $ and space). Parameter Values You Provide If you must provide a value, its placeholder is italicized and has a name that indicates what you need to provide.
Mac OS X Server Administration Guides Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server. For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides, listed below, covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Mac OS X Server documentation website: www.apple.
This guide ... tells you how to:
• User Management: Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients.
• Web Technologies Administration: Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.
• Xgrid Administration and High Performance Computing: Set up and manage computational clusters of Xserve systems and Mac computers.
Getting Documentation Updates Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click “Latest help topics” or “Staying current” in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.apple.
Chapter 1 Executing Commands
Use this chapter to learn how to execute commands and to view online information about commands and tools. A command-line interface is a way for you to manipulate your computer in situations where a graphical approach is not available. The Terminal application is the Mac OS X gateway to the BSD command-line interface (UNIX shell command prompt). Each window in Terminal contains an execution context, called a shell, that is separate from all other execution contexts.
Terminal presents a prompt when it is ready to accept a command. The prompt you see depends on your Terminal and shell preferences, but it often includes the name of the host you’re logged in to, your current working folder, your user name, and a prompt symbol. For example, if you’re using the default bash shell, the prompt appears as: server1:~ anne$ where you are logged in to a computer named server1 as the user named anne, and your current folder is anne’s home folder (~).
Standard Pipes Many commands can receive text input from the user and print text to the console. They do so using standard pipes, which are created by the shell and passed to the command. Standard pipes include:
• stdin—The standard input pipe is the means through which data enters a command. By default, the user enters this from the command-line interface. You can also redirect the output from files or other commands to stdin.
• stdout—The standard output pipe is where the command output is sent.
Using Environment Variables Some commands require the use of environment variables for their execution. Environment variables are inherited by all commands executed in the shell’s context. The shell uses environment variables to store information, such as the name of the current user, the name of the host computer, and the paths to any commands. You can create environment variables and use them to control the behavior of your command without modifying the command itself.
Executing Commands and Running Tools To execute a command in the shell, enter the complete pathname of the tool’s executable file, followed by arguments, and then press Return. If a command is located in one of the shell’s known folders, you can omit path information and enter the command name. The list of known folders is stored in the shell’s PATH environment variable and includes the folders containing most command-line tools.
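The PATH lookup described above can be reproduced in a few lines of shell. The following is an added example, not part of the Apple guide: it walks a PATH value the same way the shell does and shows that the first folder containing an executable of the requested name wins, which is why the guide recommends a complete pathname when there is any doubt about which tool will run. The two "report" scripts and the temporary folders are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Apple guide: reproduce the shell's PATH search
# so the effect of folder order (and of an empty entry, which means the
# current folder) is visible. The "report" scripts below are constructed.

# resolve_cmd NAME PATHLIST
# Prints the first executable file called NAME found in the colon-separated
# PATHLIST, scanning left to right as a shell does. Returns 1 if none exists.
resolve_cmd() {
    name=$1
    pathlist=$2
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        case $dir in "") dir=. ;; esac   # empty entry = current folder
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# demo_path_order: two constructed folders each holding a script named
# "report"; the same command name resolves differently depending on order.
demo_path_order() {
    work=$(mktemp -d) || return 1
    mkdir "$work/a" "$work/b"
    printf '#!/bin/sh\necho from-a\n' > "$work/a/report"
    printf '#!/bin/sh\necho from-b\n' > "$work/b/report"
    chmod +x "$work/a/report" "$work/b/report"
    printf 'a before b -> %s\n' "$(resolve_cmd report "$work/a:$work/b")"
    printf 'b before a -> %s\n' "$(resolve_cmd report "$work/b:$work/a")"
    # A complete pathname such as "$work/b/report" never depends on PATH.
    rm -rf "$work"
}

demo_path_order
```

Run it as a plain script; the two printed lines differ only because the folder order in the PATH argument differs. Comparing the result of resolve_cmd with the pathname you intended is a quick way to catch a stray folder (or an empty entry) at the front of PATH before it silently changes which tool a command runs.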
Correcting Typing Errors You can use the Left and Right Arrow keys to correct typing errors before you press Return to execute a command. To correct a typing error: 1 Press Left Arrow or Right Arrow to skip over parts of the command you don’t want to change. 2 Press Delete to remove characters. 3 Enter regular characters to insert them. 4 Press Return to execute the command. To ignore what you entered and start again, press Control–U.
The sudo command gives root user privileges to users specified in the sudoers file. If you’re logged in as an administrator user and your username is specified in the /etc/sudoers file, you can use this command. To execute a single command with root user privileges, begin the command with sudo (short for super user do). For example: $ sudo serveradmin list If you haven’t used sudo recently, you’re prompted for your administrator password.
When commands execute, output is mailed to the owner of the crontab file or to the user named in the MAILTO environment variable in the crontab file, if one exists. If you modify a crontab file, you must restart cron. You use crontab to install, deinstall, or list the tables used to drive the cron daemon. Users can have their own crontab file. To configure your crontab file, use the crontab -e command.
Viewing Command Information Most command-line documentation comes in the form of man pages. These formatted pages provide reference information for shell commands, tools, and high-level concepts. You can also access command information using the help command, and sometimes information is displayed if you enter the command without parameters or options. To access a man page: $ man command where command is the topic you want to find information about.
To access command help: Enter the command followed by the -help, -h, --help, or help parameter: $ hdiutil help $ dig -h $ diff --help To view a list of options and parameters you can use with the command: Enter the command without options or parameters: $ sudo serveradmin Note: Not all techniques work for all commands, and some commands don’t have onscreen help.
Chapter 2 Connecting to Remote Computers
Use this chapter to learn the commands to connect to remote computers. Connecting to remote computers helps you manage and configure resources efficiently. This chapter covers using Secure Shell (SSH) and Telnet to connect to remote computers. Understanding SSH SSH lets you send secure, encrypted commands to a computer remotely, as if you were sitting at the computer. You use the ssh tool in Terminal to open a command-line connection to a remote computer.
The following are SSH tools:
• sshd—Daemon that acts as a server to all other commands
• ssh—Primary user tool that includes a remote shell, remote command, and port-forwarding sessions
• scp—Secure copy, a tool for automated file transfers
• sftp—Secure FTP, a replacement for FTP
Generating Key Pairs for Key-Based SSH Connections By default, SSH supports the use of password, key, and Kerberos authentication.
To generate the identity key pair: 1 Enter the following command on the local computer: $ ssh-keygen -t dsa 2 When prompted, enter a filename in the user’s folder to save the keys in; then enter a password followed by password verification (empty for no password). For example: Generating public/private dsa key pair. Enter file in which to save the key (/Users/anne/.ssh/id_dsa): frog Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in frog.
Be sure this is the correct key before accepting it. If possible, provide users with the encryption key through FTP, mail, or a download from the web, so they can be sure of the identity of the server. If you later see a warning message about a man-in-the-middle attack (see below) when you try to connect, it might be because the key on the remote computer no longer matches the key stored on the local computer. This can happen if you:
• Change your SSH configuration on the local or remote computer.
Important: Removing an entry from the known_hosts file bypasses a security mechanism that would help you avoid imposters and man-in-the-middle attacks. Before you delete its entry from the known_hosts file, be sure you understand why the key on the remote computer has changed. Controlling Access to SSH Service You can use Server Admin to control which users can open a command-line connection using the ssh tool in Terminal. Users with administrator privileges can always open a connection using SSH.
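The check the guide asks for before deleting a known_hosts entry (understand why the key changed) can be scripted against a key obtained out of band, for example the server's own host key .pub file sent by the administrator. The following is an added example and not part of the Apple guide; it handles only plain-text host fields (not hashed "|1|..." entries or "[host]:port" forms), and the known_hosts contents and key strings in it are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the Apple guide: before deleting a changed entry
# from ~/.ssh/known_hosts, compare it with the host key obtained out of band
# (for example the server's own host key .pub file sent by the administrator).
# Assumes plain-text host fields; hashed "|1|..." entries are not handled.
# The known_hosts contents and key strings below are constructed placeholders.

# known_host_status FILE HOST EXPECTED_KEY
# EXPECTED_KEY is "keytype base64key" as found in the server's host key .pub
# file. Prints match, mismatch, or unknown and returns 0, 1, or 2.
known_host_status() {
    file=$1
    host=$2
    expected=$3
    found=""
    while IFS= read -r line; do
        case $line in ""|"#"*) continue ;; esac
        # Field 1: comma-separated host names/addresses; fields 2-3: the key.
        hosts=$(printf '%s\n' "$line" | awk '{print $1}')
        key=$(printf '%s\n' "$line" | awk '{print $2 " " $3}')
        case ",$hosts," in
            *",$host,"*) found=$key ;;
            *) continue ;;
        esac
        if [ "$found" = "$expected" ]; then
            echo match
            return 0
        fi
    done < "$file"
    if [ -n "$found" ]; then
        echo mismatch     # host is listed, but the stored key differs
        return 1
    fi
    echo unknown          # no entry yet: the first-connection case
    return 2
}

# make_sample_known_hosts: writes a constructed known_hosts file and prints
# its path. The key material is a placeholder, not real key data.
make_sample_known_hosts() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample known_hosts
server1.example.com,10.0.0.4 ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERKEY1
server2.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERKEY2
EOF
    printf '%s\n' "$f"
}

demo_known_hosts() {
    f=$(make_sample_known_hosts) || return 1
    key1="ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERKEY1"
    printf 'server1 with its own key:  %s\n' "$(known_host_status "$f" server1.example.com "$key1")"
    printf 'server2 with server1 key:  %s\n' "$(known_host_status "$f" server2.example.com "$key1")"
    printf 'server3 (never seen):      %s\n' "$(known_host_status "$f" server3.example.com "$key1")"
    rm -f "$f"
}

demo_known_hosts
```

A result of match means the stored entry already agrees with the key the administrator distributed, so the warning came from somewhere else; mismatch means the entry should be investigated rather than removed; unknown is the ordinary first-connection prompt. Point the function at the real file, for example ~/.ssh/known_hosts, and at the key string from the server's host key .pub file to use it outside the demo.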
5 To send a command to the remote computer, enter the command. 6 To close a remote connection, enter logout. You can authenticate and send a command using a single line by appending the command to execute to the basic ssh tool. For example, to delete a file you could use: $ ssh -l anne server1.example.com rm /Users/anne/Documents/report or $ ssh anne@server1.example.com "rm /Users/anne/Documents/report" You’re prompted for the user’s password.
You may see a series of messages on the screen, followed by the remote computer’s prompt. You are now logged in. When you finish working, log out from the remote computer by entering logout or exit at the remote computer’s prompt. The telnet client exits when you log out from the remote computer. For more information, see the telnet man page. Remotely Controlling the Xserve Front Panel You can use the ipmitool command to remotely control an Xserve’s front panel.
Chapter 3 Installing Server Software and Finishing Basic Setup
Use this chapter to learn the commands to install, set up, and update Mac OS X Server software on local or remote computers. This chapter explains the commands to perform software setup and installation tasks. Some computers come with Mac OS X Server software installed. However, you might want to upgrade from a previous version, change a computer configuration, automate software installation, or refresh your server environment.
To use the installer to install Mac OS X Server software: 1 Start the target computer from the first installation CD or the installation DVD. The procedure you use depends on the target computer hardware:
• If the target computer has a keyboard and an optical drive, insert the first installation disc into the optical drive; then hold down the C key on the keyboard while restarting the computer.
Locating Computers for Installation If you are installing software on a remote computer from Terminal, you must first establish an SSH session as the root user with the remote computer. To do so, you need the remote computer’s IP address and serial number. You can find the serial number on a label on the computer. Enter the serial number as the password when establishing the SSH session. If you are installing on an older computer that has no built-in hardware serial number, use 12345678 for the password.
Preparing the Target Volume for a Clean Installation If the target volume has Mac OS X Server v10.3 or v10.4 installed, when you run installer, it upgrades the server to v10.5 and preserves user files.
Servers that have had Mac OS X Server v10.5 installed automatically detect the presence of the saved setup information and use it to complete initial server setup without user interaction. You can define generic setup data that can be used to set up any computer. For example, you can define generic setup data for a computer that’s on order, or for 50 Xserve computers you want to be identically configured. You can also save setup data that’s specifically tailored for a computer.
• partial-DNS-name-of-server.plist—for example, myserver.plist
• built-in-hardware-serial-number-of-server.plist (first 8 characters only)—for example, ABCD1234.plist
• fully-qualified-DNS-name-of-server.plist—for example, myserver.example.com.plist
• partial-IP-address-of-server.plist—for example, 10.0.plist (matches 10.0.0.4 and 10.0.1.2)
• generic.
Working with an Encrypted Configuration File If the setup data in the configuration file is encrypted, make the passphrase available to target computers. You can supply the passphrase interactively using Server Assistant, or you can provide it in a text file. To provide a passphrase in a file: 1 Create a text file and enter the passphrase for the saved setup file on the first line. 2 Save the file using one of the following names.
The following sample configuration file shows the basic structure and contents of a configuration file for a computer with this configuration:
• An administrator user named “Administrator” (short name “admin”) with a user ID of 501 and the password “secret”
• A computer name and host name of “server1.example.
workgroup HostName leopardserver.example.com InstallLanguage English Keyboard DefaultFormat 0 DefaultScript 0 ResName U.S.
PrimaryLanguage English SerialNumber XSVR-???-???-?-???-???-???-???-???-???-?|Registered_to| Organization ServiceNTP HostNTP HostNTPServer time.apple.
Configuring the Server Remotely from the Command Line It’s possible to configure the server remotely from the command line. Performing this task requires the following tools:
• dscl—Use to create, read, and manage directory service data. If invoked without commands, dscl runs interactively, reading commands from standard input. For more information about this command, see Chapter 8, “Managing User and Group Accounts.”
• systemsetup—Use
• networksetup—Use to set a number of system-wide preferences.
Using the serveradmin Tool You use the serveradmin tool to administer service-related tasks. Some services must be restarted after you change specific settings. If you make a change using a service’s writeSettings tool that requires you to restart the service, the output from the command includes the setting :needsRecycleOrRestart with a value of yes. Important: The needsRecycleOrRestart setting appears only if you use the serveradmin svc:command = writeSettings command to change settings.
• checks the validity of the SSL certificate if the “Require valid digital signature” option is selected in Server Admin preferences. This option uses an SSL certificate installed on a remote server to ensure that the remote server is a valid server. If this option is enabled, the certificate must be valid and not expired, or Server Admin will refuse to connect.
Server serial numbers can be generated with watermarks so they can be tracked to a specific company, group, or individual. If a serial number has watermarking strings associated with it, you must supply the watermark information when setting or validating the serial number.
Moving a Server Before setting a server up for the first time, try to place it in its final network location (subnet). If you’re concerned about unauthorized or premature access, set up a firewall to protect the server while you’re finishing its configuration. If you must move a server after setup, you must change settings that are sensitive to network location before the server can be used.
Chapter 4 Restarting or Shutting Down a Computer
Use this chapter to learn the commands to shut down or restart a local or remote computer. This chapter covers the commands that shut down or restart a local or remote computer. Computers must be shut down or restarted, whether locally or remotely, when installing tools or making computer repairs. Restarting a Computer To restart a computer at a specific time, use the reboot or shutdown -r command. For more information, see the relevant man pages.
Changing a Remote Computer’s Startup Disk You can change a remote computer’s startup disk using SSH. To change the startup disk: Log in to the remote computer using SSH and enter: $ bless -folder "/Volumes/disk/System/Library/CoreServices" -setBoot
Parameter disk: The name of the disk that contains the startup volume
For information about using SSH to log in to a remote computer, see “Sending Commands to a Remote Computer” on page 28.
Manipulating Open Firmware NVRAM Variables To manipulate Open Firmware NVRAM variables, use the nvram tool. If you modify a value with nvram, the value is saved only if the computer cleanly restarts or shuts down. For more information, see the nvram man page. To view NVRAM variables: $ nvram -p Monitoring and Restarting Critical Services In earlier versions of Mac OS X, a daemon called watchdog monitored critical services and restarted them if they failed or quit unexpectedly after a computer restarted.
Chapter 5 Setting General System Preferences
Use this chapter to learn the commands to set system preferences. You can use Mac OS X Server to manage the work environment of Mac OS X users by defining preferences. Preferences are settings that customize and control a user’s computer experience.
Viewing or Changing the System Date To view the system date $ sudo systemsetup -getdate or $ serversetup -getDate To set the system date: $ sudo systemsetup -setdate mm:dd:yy or $ sudo serversetup -setDate mm/dd/yy Viewing or Changing the System Time To view the system time: $ sudo systemsetup -gettime or $ serversetup -getTime To change the system time: $ sudo systemsetup -settime hh:mm:ss or $ sudo serversetup -setTime hh:mm:ss Viewing or Changing the System Time Zone To view the time zone: $ sudo
Viewing or Changing Network Time Server Usage To see if a network time server is being used: $ sudo systemsetup -getusingnetworktime To enable or disable a network time server: $ sudo systemsetup -setusingnetworktime (on|off) To view the network time server: $ sudo systemsetup -getnetworktimeserver To specify a network time server: $ sudo systemsetup -setnetworktimeserver timeserver Viewing or Changing Energy Saver Settings To view or change a server’s energy saver settings, use the systemsetup tool (or
To set how long the system waits to restart after a power failure: $ sudo systemsetup -setwaitforstartupafterpowerfailure seconds
Parameter seconds: Must be a multiple of 30 seconds
To see if the system is set to restart after a system freeze: $ sudo systemsetup -getrestartfreeze To set the system to restart after a system freeze: $ sudo systemsetup -setrestartfreeze (on|off) Changing Power Management Settings You can use the pmset tool to change power management settings, including:
• Dis
Viewing or Changing Startup Disk Settings To view or change a computer’s startup disk, use the systemsetup tool (or the Startup Disk pane of System Preferences). To view the startup disk: $ sudo systemsetup -getstartupdisk To view available startup disks: $ sudo systemsetup -liststartupdisks To change the startup disk: $ sudo systemsetup -setstartupdisk path Viewing or Changing Sharing Settings To view or change Sharing settings, use the systemsetup tool (or the Sharing pane of System Preferences).
Viewing or Changing Language and Keyboard Settings To view or change language settings, use the serversetup tool (or the International pane of System Preferences). To view the primary language: $ serversetup -getPrimaryLanguage To view the installed language: $ serversetup -getInstallLanguage To set the installation language: $ sudo serversetup -setInstallLanguage language To select a keyboard: $ sudo serversetup -setKeyboardSelection ScripID(0) kbResID(0) ResName(U.S.
Chapter 6 Setting Network Preferences
Use this chapter to learn the commands to change network settings on a server. Mac OS X Server provides command-line control to manage servers in a mixed-platform environment and to configure, deploy, and manage powerful network services. These tools make it easy to configure and maintain core network services, while providing the advanced features and functionality required by experienced IT professionals.
Viewing Port Names and Hardware Addresses To list all port names with their Ethernet (MAC) addresses: $ sudo networksetup -listallhardwareports To list hardware port information by port configuration: $ sudo networksetup -listallnetworkservices An asterisk (*) in the results marks an inactive configuration.
Managing Network Port Configurations Network port configurations are sets of network preferences that can be assigned to a network interface and then enabled or disabled. The Network pane of System Preferences stores and displays network settings as port configurations.
Changing a Server’s IP Address The server’s setup must reflect the network settings of the server’s primary interface. The primary interface is the topmost active connection in the Network pane of System Preferences. When using your server as a gateway to the Internet, the server uses the primary interface to connect to the Internet. Therefore, during server setup, you configure the primary interface to use the server’s public IP address and DNS information.
To change a server’s IP address: 1 Run the changeip tool: $ sudo changeip [(directory|-)] old-ip new-ip [old-hostname new-hostname]
Parameters:
directory: If the server is an Open Directory master or replica, or is connected to a directory system, include the path to the directory domain. For a standalone server, enter “-” instead.
old-ip: The current IP address.
new-ip: The new IP address.
old-hostname: (Optional) The current fully qualified DNS host name of the server.
For example, for built-in Ethernet, the computer responds with the following output: $ networksetup -getinfo "Built-In Ethernet" Manual Configuration IP Address: 192.168.10.12 Subnet mask: 255.255.0.0 Router: 192.18.10.
To change DNS servers for a port or device: $ sudo serversetup -setDNSServer (devicename|"portname") server1 [server2] [...] To list DNS servers for a configuration: $ sudo networksetup -getdnsservers "configuration" To view DNS search domains for port en0: $ serversetup -getDefaultDNSDomain (devicename|"portname") To change DNS search domains for port en0: $ sudo serversetup -setDefaultDNSDomain (devicename|"portname") domain1 [domain2] [...
Statically Configuring Ethernet Interfaces You can configure your server to define an IPv4 address on an interface that does not have a live link. To define an IPv4 address on an interface that does not have a live link: 1 Edit the network preferences file located at /Library/Preferences/SystemConfiguration/preferences.plist. In the preferences.plist, navigate to the block that defines the relevant interface (say, en1), look for the IPv4 configuration block, and add the IgnoreLinkStatus key.
To list devices that support VLANs: $ networksetup -listdevicesthatsupportVLAN IEEE 802.3ad Ethernet Link Aggregation IEEE 802.3ad provides increased bandwidth and automatic failover for the server environment. Apple introduced the implementation of the IEEE 802.3ad Ethernet Link Aggregation standard as part of the ifconfig tool. IEEE 802.3ad is a standard for bonding or aggregating multiple Ethernet ports into one virtual interface.
To remove an Ethernet interface from a bond virtual device (pseudo device): $ ifconfig bond_interface_name -bondev physical_interface The link status of the bond interface depends on the state of link aggregation. If no active partner is detected, the link status remains inactive. To monitor the IEEE 802.3ad Link Aggregation state, use the -b option. For more information, see the ifconfig man page. Configuring Ethernet Link Aggregation You can also use networksetup to configure Ethernet Link Aggregation.
To enable AppleTalk on en0: $ serversetup -EnableDefaultAT To disable AppleTalk on en0: $ serversetup -DisableDefaultAT To make AppleTalk active or inactive for a configuration: $ sudo networksetup -setappletalk "configuration" (on|off) To verify the AppleTalk state on en0: $ serversetup -getDefaultATActive To see if AppleTalk is active for a configuration: $ sudo networksetup -getappletalk Managing SNMP Settings Simple Network Management Protocol (SNMP) is a set of standard protocols used to manage an
Starting SNMP You can start SNMP in one of the following ways:
• Using Server Admin
• Using the launchctl command
Both methods modify Net-SNMP’s launchd property list (/System/Library/LaunchDaemons/org.net-snmp.snmpd.plist) and start the daemon (snmpd) immediately and for the next reboot. To start SNMP using Server Admin: 1 In Server Admin, select your server. 2 Click General. 3 Enable SNMP by selecting Network Management Server (SNMP).
Collecting SNMP Information from the Host

To get the SNMP information you just added, enter this command from a host that has the SNMP tools installed:
$ snmpget -c community_string hostname system.sysLocation.0

Replace community_string with the string provided during basic setup. The default community string (or password) is public. Also, replace hostname with the name of the target host, which could be localhost.
To view the system uptime:
$ snmpget -c community_string localhost system.sysUptime.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (72239) 0:12:02.39

To view a list of snmp man pages:
$ man -k snmp

Managing Proxy Settings

The proxy server is a component of Mac OS X Server that functions as a relay between a client and the server. This proxy server protects the network from unauthorized users and provides a more secure environment. To view or change the proxy settings, use the networksetup tool.
To enable or disable the secure web proxy for a configuration:
$ sudo networksetup -setsecurewebproxystate "configuration" (on|off)

Viewing or Changing Streaming Proxy Settings

To view streaming proxy information for a configuration:
$ sudo networksetup -getstreamingproxy "configuration"

To set streaming proxy information for a configuration:
$ sudo networksetup -setstreamingproxy "configuration" domain portnumber

To enable or disable the streaming proxy for a configuration:
$ sudo networksetup -setstrea
Managing AirPort Settings

AirPort uses wireless local area network (WLAN) technology to provide wireless communication between computers. To view or change AirPort settings, use the networksetup tool.
Hostname

The host name is a unique name that corresponds to a unique hardware MAC address. It is the name the network uses to identify a device attached to the network. To view or modify the host name, use the serversetup tool.

To display the server’s local host name:
$ serversetup -getHostname

To change the server’s local host name:
$ sudo serversetup -setHostname hostname

Note: You can also set and get the host name using snmpd and scutil.
Managing Preference Files and the Configuration Daemon

The sets of configuration information a user creates at different locations, whether in System Preferences or through the command line, are stored in the preferences.plist file located in /Library/Preferences/SystemConfiguration/. Network configuration is handled by configd, the configuration daemon. configd reads the network configuration and stores it with the current state of the computer’s networking information.
You can also manage system configuration parameters with scutil using the --get and --set options. These provide a means of reporting and updating a group of persistent system preferences, including ComputerName, LocalHostName, and HostName.

To set the hostname of a system:
$ sudo scutil --set HostName mycomputer.mac.com

Parameter            Description
mycomputer.mac.com   The new hostname value you want to set

To get the hostname of a system:
$ scutil --get HostName
mycomputer.mac.
Chapter 6 Setting Network Preferences
7 Working with Disks and Volumes

Use this chapter to learn the commands to initialize and test disks and volumes.

This chapter covers the commands used to manage, configure, initialize, and test disks and volumes.

Understanding Disks, Partitions, and the File System

Like UNIX, Mac OS X uses special files called device files, located in /dev, to keep track of the devices (disks, keyboards, monitors, network connections, and so on) attached to the computer.
Mounting Volumes

You can use the mount tool with parameters appropriate to the type of file system you want to mount, or use one of these file-system–specific mount commands:
- For Apple File Protocol (AppleShare) volumes: mount_afp
- For ISO 9660 volumes: mount_cd9660
- For CD Digital Audio format (CDDA) volumes: mount_cddafs
- For Apple Hierarchical File System (HFS) volumes: mount_hfs
- For PC MS-DOS volumes: mount_msdos
- For Network File System (NFS) volumes: mount_nfs
- For Server Message Block (SMB)
To view disk information:
$ df

The computer responds with output similar to the following:
Filesystem               512-blocks      Used     Avail Capacity  Mounted on
/dev/disk0s3              156039264  26138984 129388280      17%  /
devfs                           193       193         0     100%  /dev
fdesc                             2         2         0     100%  /dev
                               1024      1024         0     100%  /.vol
automount -nsl [170]              0         0         0     100%  /Network
automount -fstab [174]            0         0         0     100%  /automount/Servers
automount -static [174]           0         0         0     100%  /automount/static

The -l option restricts reporting to local drives only.
The configuration file is /etc/diskspacemonitor/diskspacemonitor.conf. You can specify how often you want to monitor disk space, and the thresholds to use for determining when to take the actions in the scripts. By default, disks are checked every 10 minutes, an alert script is executed when disks are 75% full, and a recovery script is executed when disks are 85% full. To edit the configuration file, log in to the server as an administrator and use a text editor to open the file.
These scripts reclaim space used by log files generated by the following services:
- Apple file service
- Windows service
- Web service
- Web performance cache
- Mail service
- Print service

As configured, the scripts specify actions that complement the log file management performed by the services listed above, so don’t modify them. Log in as an administrator and use a text editor to define thresholds in the configuration files that determine when actions are taken.
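The threshold logic described above (alert at 75% full, recovery at 85% full, checked against what df reports), as an added example that is not part of the Apple guide or of diskspacemonitor itself. It is a POSIX sh/awk scanner over a constructed sample of df -l output; the comparison direction (a volume counts as "75% full" once Capacity reaches 75) and the skipping of pseudo file systems such as devfs are this example's assumptions.

```shell
# Added example (not from the Apple guide): classify volume usage against
# the diskspacemonitor defaults (alert at 75% full, recovery at 85% full)
# and scan df -l style output for volumes that cross them.
ALERT_PCT=${ALERT_PCT:-75}
RECOVERY_PCT=${RECOVERY_PCT:-85}

# usage_level PCT: print ok, alert or recovery for a capacity percentage.
# Assumption: the recovery threshold is tested first because it is the
# more severe one, and "N% full" means Capacity >= N.
usage_level() {
    pct=${1%\%}                       # accept "87%" as well as "87"
    case $pct in
        ''|*[!0-9]*) echo invalid; return 2 ;;
    esac
    if [ "$pct" -ge "$RECOVERY_PCT" ]; then echo recovery
    elif [ "$pct" -ge "$ALERT_PCT" ]; then echo alert
    else echo ok
    fi
}

# scan_df: read df output on stdin and print "level mountpoint" for each
# data volume at or above the alert threshold. Pseudo file systems that are
# always 100% full (devfs, fdesc, automount) are skipped because they hold
# no user data and would otherwise trigger on every run.
scan_df() {
    awk -v alert="$ALERT_PCT" -v recovery="$RECOVERY_PCT" '
    NR == 1 { next }                                  # header line
    $1 ~ /^(devfs|fdesc|automount)$/ { next }
    {
        pct = $5 + 0                                  # "78%" -> 78
        if (pct >= recovery)   print "recovery", $6
        else if (pct >= alert) print "alert", $6
    }'
}

# Constructed sample of "df -l" output for the demonstration.
SAMPLE_DF='Filesystem   512-blocks      Used     Avail Capacity  Mounted on
/dev/disk0s3  156039264  26138984 129388280      17%  /
/dev/disk1s2   78019632  60200000  17819632      78%  /Volumes/Data
/dev/disk2s2   78019632  70500000   7519632      91%  /Volumes/Logs'

# scan_sample: run the scanner over the constructed sample.
scan_sample() { printf '%s\n' "$SAMPLE_DF" | scan_df; }

scan_sample
```

On a real server the scanner would be fed by `df -l` rather than the constructed sample; the two environment variables let you mirror whatever thresholds are set in diskspacemonitor.conf.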
To list the disks known and available on the computer:
$ diskutil list

If your system is an Xserve computer, you can use this command to determine which drive is in which bay.

To erase and repartition a disk:
$ diskutil partitionDisk disk numberOfPartitions …

Parameter            Description
disk                 Device name (such as disk0).
numberOfPartitions   Number of partitions.
part1Format          The format of the volume.
To get mount info about a partition:
$ diskutil info diskvol

Parameter   Description
diskvol     Device name (for example, disk0s9) for the partition

This command tells you the device file that corresponds to the mounted partition (or device name) you specify.
When you start editing a device, the pdisk options change. Enter ? at the pdisk prompt to see the editing commands. The following are some of the more important ones:

Command   Description
p         Prints the partition map for the current device.
i         Initializes the partition map for the current device.
C         Creates a partition. There are two partition types: Apple_HFS and Apple_UFS.
w         Writes the modifications to the partition map on-disk.
Before running newfs, label the disk using the disklabel tool.

To format a disk:
$ newfs

For more information, see the newfs man page.

To format a disk to HFS+:
Use the newfs_hfs tool in /sbin:
$ newfs_hfs

For more information, see the newfs_hfs man page.

Troubleshooting Disk Problems

To verify the physical condition and file system integrity of a volume, use the diskutil or fsck tool (fsck_hfs for HFS volumes). For more information, see the related man pages.
To enable journaling:
$ diskutil enableJournal volume

Parameter   Description
volume      The volume name or device name of the volume

The following example shows journaling being enabled on volume /dev/disk0s10.
$ mount
/dev/disk0s9 on / (local, journaled)
/dev/disk0s10 on /Volumes/OS 9.2.2 (local)
$ sudo fsck_hfs /dev/disk0s10
** /dev/rdisk0s10
** Checking HFS plus volume.
** Checking extents overflow file.
** Checking Catalog file.
** Checking Catalog hierarchy.
** Checking volume bitmap.
Understanding Spotlight Technology

Spotlight is a desktop search technology that combines metadata indexing with content indexing and is optimized for Mac OS X. When a file is added, moved, deleted, or modified, the file system notifies the Spotlight engine. The Spotlight engine then updates its index, known as the Spotlight store, and notifies applications that use Spotlight, so changes are reflected dynamically to the user.
To view the metadata of a file:
$ mdls filename

The computer responds with output listing each metadata attribute and its value, one "attribute = value" pair per line, including attributes such as the following:
kMDItemAttributeChangeDate
kMDItemFSContentChangeDate
kMDItemFSCreationDate
kMDItemFSCreatorCode
kMDItemFSFinderFlags
kMDItemFSInvisible
kMDItemFSIsExtensionHidden
kMDItemFSLabel
kMDItemFSName
kMDItemFSNodeCount
kMDItemFSOwnerGroupID
kMDItemFSOwnerUserID
kMDItemFSSize
kMDItemFSTypeCode
kMDItemID
kMDItemLastUsedDate
kMDItemUsedDates
Managing RAID Volumes

In addition to standard drive management options, you can use diskutil to manage software RAID volumes.
Imaging and Cloning Volumes Using ASR

You can use Apple Software Restore (ASR) to copy a disk image onto a volume or to prepare disk images with checksum information for faster copies. ASR can perform file copies, in which individual files are restored to a volume unless an identical file exists there, and block copies, which restore entire disk images. The asr tool doesn’t create the disk images. You use hdiutil to create disk images from volumes or folders. You must run ASR with root privileges.
8 Managing User and Group Accounts

Use this chapter to learn the commands to set up and manage user and group accounts.

With Mac OS X Server, you can quickly create and administer accounts for users and groups. Several command-line tools are available to facilitate working with the directory domains that hold these accounts.
Administering and Creating User Accounts

This section describes how to administer user accounts stored in directory domains. A user account stores data that Mac OS X Server needs to validate the user’s identity and provide services for the user. User and group accounts, as well as computer and computer group accounts, can be stored in any Open Directory domain accessible from any Mac OS X computer.
To create a local administrator user with a specific UID:
$ sudo /System/Library/ServerSetup/serversetup -createUserWithID fullname shortname password uid

Enter the name, short name, password, and UID in the order shown. If the full name includes spaces, enter it in quotes. The command displays a 0 if successful, or a 1 if the full name, short name, or UID is already in use or if the UID you specified is less than 100.
3 Authenticate as an administrator by entering the following command, replacing adminusername with your administrator user name, and entering your administrator password when prompted:
> auth adminusername
4 Create an administrator user:
> append admin Member adminusername
This command creates an administrator user, but it doesn’t add the globally unique identifier (GUID) of the administrator user to the group account.
5 Add the administrator user to the group.
After you enter the command, the dscl tool displays a list of assigned user ID numbers, similar to the following output. These user IDs are for computer accounts that are included with Mac OS X Server:
-2 0 1 99 25 26 27 70 71 75 76 77 78 79 501

Important: Select a user ID that isn’t in the list of assigned user ID numbers created when you install Mac OS X Server.
6 Specify the new user’s default UNIX shell:
> create ajohnson UserShell /bin/bash
7 Specify the user ID, replacing 1234 with the new user’s ID:
> create ajohnson UniqueID 1234
8 Specify the long name for the new user account, replacing Anne Johnson with the actual long name:
> create ajohnson RealName "Anne Johnson"
9 Review the settings of your new user account by entering the following command, replacing ajohnson with the new user account’s short name as before:
> read ajohnson
dscl displays the sett
Replace username with the name of an administrator user on the remote server and replace server with the name or IP address of the server.
13 Create the home folder for the new user. Use the -s option if you are using a network directory domain or the -c option if you are using a local directory domain. You must run the command to create the home folder with root privileges.
Removing a User Account

You can remove a user account by using the dscl tool. This does not remove the user’s home folder and the data that may be stored there. You can use the Finder to drag the deleted user’s home folder to the Trash.
To terminate a user’s processes:
After disabling the user account, you need to kill the user’s active processes that are running on the directory server.

WARNING: Unconditionally killing a user’s processes causes the user to lose unsaved data.
To test a user’s password:
$ sudo /System/Library/ServerSetup/serversetup -verifyNamePassword shortname password

The command displays a 1 if the password is good, or a 0 if it isn’t.

To view names associated with a UID:
$ sudo /System/Library/ServerSetup/serversetup -getNamesByID uid

If you don’t receive a response, the UID is not valid.
To change a user account attribute to a new value:
1 Start the dscl tool in interactive mode, specifying the computer you are using as the source of directory service data:
$ dscl localhost
>
2 Change the current folder to /LDAPv3/ipaddress/Users by entering the path at the prompt:
> cd /LDAPv3/ipaddress/Users
Replace ipaddress with the IP address of your directory server.
For more information, see the createhomedir man page. In all cases, Home folders are created on the server where you run the tool.

To create a Home folder for a user:
$ sudo createhomedir -u uid

In addition to the uid, you can also use the user’s short name.

To create a Home folder for users in the local domain:
$ sudo createhomedir [(-a|-l|-n domain)] -u uid

You can also create a user’s Home folder using the serversetup tool.
Creating a Group Account

You can create a group account by using dscl and other tools. When you create a group account via the command line, you must also set values for basic attributes of a group account, such as short name and group ID.

To add a group account:
1 Identify an unused group ID by entering the following command to display a list of assigned group IDs.
6 Review the settings of your group by entering the following command, replacing officegroup with the group account’s short name.
Adding a User to a Group

You can add users to a group using the dscl tool.

To add a user to a group:
1 Start the dscl tool in interactive mode, specifying the computer you are using as the source of directory service data:
$ dscl localhost
>
2 Change the current folder to /LDAPv3/ipaddress/Groups by entering the path at the prompt:
> cd /LDAPv3/ipaddress/Groups
Replace ipaddress with the IP address of your directory server.
6 Quit dscl by entering:
> quit

To find the GUID of the administrator user admin on the local host:
$ dscl localhost
> cd /LDAPv3/127.0.0.1/Users
> read admin GeneratedUID

Removing a User from a Group

You can remove users from a group by using the dscl tool.
5 Remove the user by entering the following commands, replacing ajohnson with the short name of the user account, ajguid with ajohnson’s GUID, and officegroup with the short name of the group account:
> delete officegroup GroupMembership ajohnson
> delete officegroup GroupMembership ajguid
6 Review the new settings of the group:
> read officegroup
dscl displays the settings for the group, showing that the user you removed is no longer a group member, similar to the following output:
dsAttrTypeNative:apple-g
To create a nested group:
$ dseditgroup -o edit [-a childgroup] [-t group] [-u username] [-P password] [-n /LDAPv3/ipaddress] parentgroup

Parameter     Description
childgroup    The name of the child group you are adding to the parent group
username      The short name of a user with LDAP directory service access
password      The user password
ipaddress     The IP address of your directory server
parentgroup   The name of the parent group that the child group is being added to

To verify a nested group:
1 Start the d
After a nested group is established, it can be unnested by using the dseditgroup tool with the -d option, which deletes the group record but leaves the group intact.
Viewing the Workgroup a User Selects at Login

When you define preferences for a group, it is known as a workgroup. A workgroup provides you with a way to manage the working environment of group members. Preferences you define for a Mac OS X workgroup are stored in the group account. When a user selects a workgroup at login, a property list (plist) file stores the short name of the workgroup in its workgroup key.

Important: You can only view the workgroup a user selects at login on the client computer.
Extension    Description
-mcxdelete   Removes management for the specified MCX preference keys.
-mcxexport   Same functionality as the -mcxread command, but stores the output in the specified file using the specified format. The resulting file can later be imported using the -mcximport command.
-mcximport   Imports the keys and values previously exported using the -mcxexport command.
-mcxhelp     Displays help information for MCX extensions.
Parameter   Description
keyValue    (Optional) The new value to be used for a key. You can specify this parameter using the same syntax as that of the defaults command. For more information, see the man page of the defaults command. When specifying plist or xml values, enclose the parameter in single quotes (for example, '(authenticate, eject)' and '64.0').
UPK         (Optional) The value for the Union Policy Key (UPK). If present, the UPK must be specified as a dictionary.
The following command causes the autohide Dock key to no longer be managed:
$ dscl
> cd /LDAPv3/127.0.0.1/Users/sam
/LDAPv3/127.0.0.1/Users/sam > mcxdelete . com.apple.dock autohide

The following command exports the keys in the com.apple.dock domain for the current record to the /tmp/export.plist file:
$ dscl
> cd /LDAPv3/127.0.0.1/Users/sam
/LDAPv3/127.0.0.1/Users/sam > mcxexport . -o /tmp/export.plist com.apple.dock

The following command imports the keys in the /tmp/export.
Parameter      Description
groupName      (Optional) The short name of a workgroup. A value of = indicates the workgroup (if any) chosen for the current login session.
computerName   (Optional) The short name of the computer group or the MAC address of a computer. If you do not provide a value for this option or use the equal sign (=), this command uses the MAC address of the current computer.
Parameter    Description
DSNodePath   The path to the Open Directory server node where the imported records will be added.
O|M|I|A|N    Specifies how user data is handled if a record for an imported user exists in the folder:
             - O: Overwrite the matching record.
             - M: Merge the records. Empty attributes in the folder assume values from the imported record.
             - I: Ignore the imported record and leave the existing record unchanged.
             - A: Append data from an import record to an existing record.
The first record in the file, the record description, describes the format of each account record in the file. There are three options for the record description:
- Write a full record description
- Use the shorthand StandardUserRecord
- Use the shorthand StandardGroupRecord

The other records in the file describe user or group accounts, encoded in the format described by the record description. A line in a character-delimited file that begins with # is ignored during importing.
For group accounts, the list of attributes must include:
- RecordName (the group name)
- PrimaryGroupID (the group ID)
- GroupMembership

The following is an example of a record description:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 7 RecordName Password UniqueID PrimaryGroupID RealName NFSHomeDirectory UserShell

The following is an example of a record encoded using the previous description:
anne:Adl47E$:408:20:A. Johnsons, M.D.
Note: In this example, the colon (:) is the field separator. Because there is a colon in the description for this attribute, the escape character must be used to indicate that the colon should not be treated as a delimiter. The backslash (\) is the escape character in this example. If the field separator is anything other than the colon, the escape character is not needed. The method for setting an imported user’s password type to Open Directory requires that the imported data has a password value.
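The splitting rule described in the two passages above (a field separator, an escape character that neutralises it, and an attribute count declared in the record description), as an added example that is not part of the Apple guide and is not the dsimport tool's own parser. It is a POSIX sh/awk function that splits one record and checks its field count against the description; the sample record is constructed for this example (the real names, home path and shell are placeholders) and uses the 7-attribute description shown above with colon as separator and backslash as escape.

```shell
# Added example (not from the Apple guide): split one character-delimited
# account record the way a record description specifies, honouring the
# escape character, and check that the field count matches the attribute
# count declared in the description.

# split_fields SEP ESC RECORD: print one field per line. ESC followed by
# any character yields that character literally, so an escaped SEP does
# not end the field. SEP and ESC are passed through the environment so
# awk does not reinterpret a backslash the way it does for -v values.
split_fields() {
    printf '%s\n' "$3" | SEP=$1 ESC=$2 awk '
    BEGIN { sep = ENVIRON["SEP"]; esc = ENVIRON["ESC"] }
    {
        field = ""; n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            if (c == esc && i < n) { i++; field = field substr($0, i, 1); continue }
            if (c == sep)          { print field; field = ""; continue }
            field = field c
        }
        print field
    }'
}

# field_count SEP ESC RECORD: number of fields in RECORD.
field_count() { split_fields "$1" "$2" "$3" | wc -l | tr -d ' '; }

# record_matches_description SEP ESC COUNT RECORD: exit 0 when RECORD has
# exactly COUNT fields, the attribute count given in the record description.
record_matches_description() {
    [ "$(field_count "$1" "$2" "$4")" -eq "$3" ]
}

# Constructed sample record for the 7-attribute description above
# (RecordName Password UniqueID PrimaryGroupID RealName NFSHomeDirectory
# UserShell); the colon inside RealName is escaped with a backslash.
SAMPLE_RECORD='anne:Adl47E$:408:20:Anne Johnson\: M.D.:/Users/anne:/bin/bash'

# sample_field N: the Nth field of the constructed record, unescaped.
sample_field() { split_fields : '\' "$SAMPLE_RECORD" | sed -n "${1}p"; }

split_fields : '\' "$SAMPLE_RECORD"
```

Running the same record with the colon left unescaped yields eight fields, which is exactly the mismatch an import would produce, so checking the count against the description before importing catches a missing escape early.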
Exporting Users and Groups

To export records from Open Directory use dsexport. The dsexport tool is in the /usr/bin/ folder.
$ dsexport filePath DSNodePath recordType options DSProxy

Parameter    Description
filePath     The name (including the path) of the file to export.
DSNodePath   The path to the Open Directory server node to export records from.
recordType   (Optional) The type of record to be exported from the Open Directory server node.
options      Additional command options.
Mac OS X provides distinct permissions for these types of users:
- The owner of the item, who is usually the person who created the item
- Any member of the group assigned to the item by Mac OS X
- Any other user with access to the computer

These are the levels of permission:
- Read & Write, which allows a user to open the item to see its contents and change it.
- Read Only, which allows a user to open the item to see its contents, but not change or copy the contents.
- The following file (-) displays read, write, and executable permissions for the owner (rwx), but only read and executable for the group (r-x) and others (r-x):
  -rwxr-xr-x
- The following file (-) displays read, write, and executable permissions for the owner (rwx), but only read for the group (r--) and others (r--):
  -rwxr--r--

For more information, see the ls man page.
Changing Permissions

To change permissions for an item, use the chmod tool.
$ chmod securitygroup changetype permission fileorfolder

Parameter       Description
securitygroup   The person or group whose permission you are changing. Can be one of the following:
                u (user), g (group), o (other), a (all)
changetype      Type of change.
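The mode strings shown by ls above and the chmod permissions this section changes, as an added example that is not from the Apple guide: a POSIX sh function that turns an ls -l mode string such as -rwxr-xr-x into the octal mode chmod accepts, plus a check for world-writable items. It goes beyond the guide's two samples by also handling the setuid, setgid and sticky bits (s, S, t, T in the execute positions); the names and the four-digit output form are this example's own choices.

```shell
# Added example (not from the Apple guide): translate the mode string shown
# by ls -l (for example -rwxr-xr-x) into the octal form chmod accepts, and
# flag world-writable items. Also covers the setuid, setgid and sticky
# bits, which the guide's two samples do not show.

# perm_to_octal MODE: print a four-digit octal mode, e.g. -rwxr-xr-x -> 0755.
# Returns 1 if MODE is not a valid ls -l mode string.
perm_to_octal() {
    bits=$(printf '%s' "$1" | cut -c2-10)   # drop the file-type character and any @/+ suffix
    [ "${#bits}" -eq 9 ] || return 1
    special=0 digits="" i=0
    while [ "$i" -lt 3 ]; do                # owner, group, others
        start=$((i * 3 + 1))
        triple=$(printf '%s' "$bits" | cut -c"${start}-$((start + 2))")
        v=0
        case $(printf '%s' "$triple" | cut -c1) in r) v=$((v + 4)) ;; -) ;; *) return 1 ;; esac
        case $(printf '%s' "$triple" | cut -c2) in w) v=$((v + 2)) ;; -) ;; *) return 1 ;; esac
        c=$(printf '%s' "$triple" | cut -c3)
        case $c in
            x) v=$((v + 1)) ;;
            s|S) [ "$i" -lt 2 ] || return 1          # setuid (owner) / setgid (group) only
                 if [ "$c" = s ]; then v=$((v + 1)); fi
                 special=$((special + (i == 0 ? 4 : 2))) ;;
            t|T) [ "$i" -eq 2 ] || return 1          # sticky bit is an "others" position flag
                 if [ "$c" = t ]; then v=$((v + 1)); fi
                 special=$((special + 1)) ;;
            -) ;;
            *) return 1 ;;
        esac
        digits="$digits$v"
        i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# is_world_writable MODE: exit 0 when "others" have write permission,
# 1 when they do not, 2 when MODE is malformed.
is_world_writable() {
    octal=$(perm_to_octal "$1") || return 2
    case $octal in *[2367]) return 0 ;; *) return 1 ;; esac
}

# Constructed sample of ls -l mode strings, as seen in the listing above.
for mode in -rwxr-xr-x -rwxr--r-- -rwsr-xr-x drwxrwxrwt -rw-rw-rw-; do
    printf '%s -> %s\n' "$mode" "$(perm_to_octal "$mode")"
done
```

The octal form is what you pass to `chmod` to reproduce a listing exactly (`chmod 0755 file`), and the world-writable check is the usual first pass when auditing a share point's contents.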
Changing the Group

To change the group of a file or folder, use the chgrp tool.
$ chgrp groupname fileorfolder

Parameter      Description
groupname      The group that will become associated with the file or folder.
fileorfolder   The name of the file or folder to change.

To change the group of file1 and file2 to the group ateam:
$ chgrp ateam file1 file2

For more information, see the chgrp man page.

Securing System Accounts

The following sections cover security settings for user accounts.
The computer uses a file called /etc/sudoers to determine which users have the authority to use the sudo program. This file initially specifies that all accounts with administrator privileges can use sudo.
4 Restrict which administrators are allowed to run the sudo tool by removing the line that begins with %admin and adding the following entry for each user, substituting the user’s short name for the word user:
user ALL=(ALL) ALL
Doing this means that any time an administrator is added to a system, the administrator must be added to the /etc/sudoers file as described above if that administrator needs to use the sudo tool.
5 Save and quit visudo.

For more information, see the vi and visudo man pages.
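A way to confirm that the procedure above was carried out, as an added example that is not from the Apple guide: a POSIX sh check that reports any group rule (a line starting with %) still present in a sudoers file and lists the per-user rules that replaced it. It works on constructed before/after copies so it runs without touching /etc/sudoers, and it understands only the simple "who ALL=(ALL) ALL" form used in the procedure (aliases and #include directives are this example's known omissions).

```shell
# Added example (not from the Apple guide): inspect a sudoers file for the
# %admin group rule the procedure above removes, and list the per-user
# rules that replace it. Comments and blank lines are ignored; only simple
# "user HOST=(RUNAS) CMD" lines are recognised.

# strip_sudoers FILE: the file without comments and blank lines.
strip_sudoers() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# sudoers_group_rules FILE: print the group names (leading % stripped) that
# still carry a rule; output is empty when only individual users are granted.
sudoers_group_rules() {
    strip_sudoers "$1" | awk '$1 ~ /^%/ { sub(/^%/, "", $1); print $1 }'
}

# sudoers_users FILE: print user names that have a rule, one per line.
sudoers_users() {
    strip_sudoers "$1" |
        awk '$1 !~ /^[%@]/ && $1 !~ /^Defaults/ && $2 ~ /=/ { print $1 }'
}

# sudoers_is_user_restricted FILE: exit 0 when no group rule remains.
sudoers_is_user_restricted() { [ -z "$(sudoers_group_rules "$1")" ]; }

# Constructed before/after files for the check (user names are placeholders).
SUDOERS_BEFORE=$(mktemp); SUDOERS_AFTER=$(mktemp)
trap 'rm -f "$SUDOERS_BEFORE" "$SUDOERS_AFTER"' EXIT
cat >"$SUDOERS_BEFORE" <<'EOF'
# Defaults specification
Defaults    env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF
cat >"$SUDOERS_AFTER" <<'EOF'
Defaults    env_reset
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL   # added per the procedure
bob     ALL=(ALL) ALL
EOF

for f in "$SUDOERS_BEFORE" "$SUDOERS_AFTER"; do
    if sudoers_is_user_restricted "$f"; then
        printf 'restricted to users: %s\n' "$(sudoers_users "$f" | tr '\n' ' ')"
    else
        printf 'still grants groups: %s\n' "$(sudoers_group_rules "$f" | tr '\n' ' ')"
    fi
done
```

Point the functions at a copy of the live file (for example one saved by visudo before editing) to compare before and after; visudo -c remains the authoritative syntax check.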
Note: An Open Firmware password provides some protection, but it can be reset if a user has physical access to the computer and can change the physical memory configuration of the computer.

To set the Open Firmware password for increased security:
1 Boot the computer while holding Command-Option-O-F (all four keys at the same time) to enter the Open Firmware command prompt.
2 At the prompt, enter the command:
> password
3 Enter and verify the password to be used as the Open Firmware password.
To change a user’s password:
$ pwpolicy -n /LDAPv3/ipaddress -a adminusername -u usertochange -setpassword newpassword

Parameter       Description
ipaddress       Location of the LDAP directory
adminusername   User name of an administrator
usertochange    Name of the user whose password is changing
newpassword     Password the user is changing to

To view the global password policy:
$ pwpolicy -getglobalpolicy

To set the minimum password length to 5 characters:
$ pwpolicy -n /LDAPv3/ipaddress -a adminusername -setglo
To set the password policy of a user to require that they change their password:
$ pwpolicy -n /LDAPv3/ldap.apple.com -a adminusername -p adminpassword -u usertochange -setpolicy "newPasswordRequired=1"

Parameter        Description
ldap.apple.com   Location of the LDAP directory.
adminusername    User name of an administrator.
adminpassword    Administrator password. (Omit to prompt for the password.)
usertochange     User name of the user whose password is changing.
9 Working with File Services

Use this chapter to learn the commands to create share points and manage file services.

This chapter covers the commands used to configure and manage these file services. Mac OS X Server allows you to set up central network storage that is accessible to clients throughout your organization.
Listing Share Points

To list share points:
$ sudo sharing -l

In the resulting list is a section of properties similar to the following for each share point defined on the server (1 = yes, true, or enabled; 0 = false, no, or disabled).
Parameter      Description
guestflags     A group of flags indicating which protocols allow guest access. The flags are written as a three-digit binary number with the digits representing, from left to right, AFP, FTP, and SMB. 1 = guests allowed, 0 = guests not allowed.
inheritflags   A group of flags indicating whether new items in AFP or SMB share points inherit the ownership and access permissions of the parent folder.
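The guestflags encoding described above (three binary digits for AFP, FTP and SMB, left to right), as an added example that is not from the Apple guide and not part of the sharing tool: POSIX sh functions that decode a flags value into the protocols that admit guests, and build one from a list of protocols, so a value passed to sharing -g can be checked before it is applied. The function names and the "none" wording are this example's own.

```shell
# Added example (not from the Apple guide): encode and decode the
# three-digit guestflags value used by the sharing tool. Digits are, left
# to right, AFP, FTP and SMB; 1 = guests allowed, 0 = guests not allowed.

# guest_allowed FLAGS PROTO: exit 0 when FLAGS allows guest access over
# PROTO (afp, ftp or smb), 1 when it does not, 2 on malformed input.
guest_allowed() {
    case $1 in [01][01][01]) ;; *) return 2 ;; esac
    case $2 in afp) pos=1 ;; ftp) pos=2 ;; smb) pos=3 ;; *) return 2 ;; esac
    [ "$(printf '%s' "$1" | cut -c"$pos")" = 1 ]
}

# guestflags_describe FLAGS: print the protocols that allow guests,
# space separated, or "none" when no protocol does (or FLAGS is malformed).
guestflags_describe() {
    out=""
    for proto in afp ftp smb; do
        if guest_allowed "$1" "$proto"; then out="$out $proto"; fi
    done
    out=${out# }
    printf '%s\n' "${out:-none}"
}

# guestflags_build PROTO...: build a flags value allowing guests only on
# the listed protocols, e.g. guestflags_build afp smb -> 101. With no
# arguments the result is 000, the fully closed setting.
guestflags_build() {
    a=0 f=0 s=0
    for proto in "$@"; do
        case $proto in afp) a=1 ;; ftp) f=1 ;; smb) s=1 ;; *) return 2 ;; esac
    done
    printf '%s%s%s\n' "$a" "$f" "$s"
}

# Walk every possible value so the mapping is visible at a glance.
for flags in 000 001 010 011 100 101 110 111; do
    printf '%s -> %s\n' "$flags" "$(guestflags_describe "$flags")"
done
```

When reviewing `sharing -l` output, feeding each share point's guestflags value to guestflags_describe gives a readable list of where anonymous access is open.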
Modifying a Share Point

To change share point settings:
$ sudo sharing -e sharepointname [-n customname] [-A afpname] [-F ftpname] [-S smbname] [-s shareflags] [-g guestflags] [-i inheritflags] [-c creationmask] [-d directorymask] [-o oplockflag] [-t strictlockingflag]

Parameter          Description
sharepointname     The current name of the share point.
Other parameters   See the parameter descriptions in “Creating a Share Point” on page 138.
To set the grace period for enforcing disk quotas for groups:
$ sudo edquota -t -g

For a group, you specify the grace period in the file .quota.ops.group located at the root of the group’s mounted file system.

Managing AFP Service

AFP allows any Mac OS X computer to access shared folders on the server. Mac OS X Server uses Bonjour to provide automatic discovery of AFP file services, and to prevent shared disks from unmounting after extended periods of inactivity.
Changing AFP Settings

You can change AFP service settings using the serveradmin tool.

To change a setting:
$ sudo serveradmin settings afp:setting = value

Parameter   Description
setting     An AFP service setting. To see a list of available settings, enter $ sudo serveradmin settings afp or see “Available AFP Settings” on page 142.
value       An appropriate value for the setting. Enclose text strings in double quotes (for example, "text string").
Parameter (afp:)     Description
allowRootLogin       Allow user to log in as root. Default = no
attemptAdminAuth     Allow administrator user to masquerade as another user. Default = yes
authenticationMode   Authentication mode. Can be: standard, kerberos, standard_and_kerberos. Default = "standard_and_kerberos"
autoRestart          Allow the AFP service to restart automatically when abnormally terminated. Default = yes
clientSleepOnOff     Allow client computers to sleep.
Parameter (afp:)                  Description
idleDisconnectTime                Idle time (in minutes) allowed before disconnect. Default = 10
kerberosPrincipal                 Kerberos server principal name. Default = "afpserver"
loggingAttributes:logCreateDir    Record folder creations in the activity log. Default = yes
loggingAttributes:logCreateFile   Record file creations in the activity log. Default = yes
loggingAttributes:logDelete       Record file deletions in the activity log.
Parameter (afp:)    Description
reconnectFlag       Allow reconnect options. Can be set to: none, all, no_admin_kills. Default = "all"
reconnectTTLInMin   Time-to-live (in minutes) for a disconnected session waiting for reconnection. Default = 1440
registerAppleTalk   Advertise the server using AppleTalk NBP. Default = yes
registerNSL         Advertise the server using Bonjour. Default = yes
sendGreetingOnce    Send the login greeting only once. Default = no
shutdownThreshold   Don’t modify. Internal use only.
Command (afp:command=)   Description
getLogPaths              Display the locations of the AFP service activity and error logs. See “Viewing AFP Log Files” on page 149.
sendMessage              Send a text message to connected AFP users. See “Sending a Message to AFP Users” on page 147.
syncSharePoints          Update share point information after changing settings.
writeSettings            Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service needs to be restarted.
The values returned by getConnectedUsers (afp:usersArray:_array_index::) include the share point the user is accessing, an integer that identifies the user session, and the state of the service.

Sending a Message to AFP Users

To send a text message to connected AFP users, use the sendMessage command with the serveradmin tool. Users are specified by session ID.
Parameter       Description
minutes-until   The number of minutes between the time the command is executed and the time the users are disconnected.
sessionidn      The session ID of a user you want to disconnect. To list the session IDs of connected users, use the getConnectedUsers command. See “Viewing Connected Users” on page 146.
The computer responds with the following output:
afp:command = "cancelDisconnect"
afp:timeStamp = "
Viewing AFP Service Statistics

To view a log of periodic samples of the number of connections and the data throughput, use the serveradmin getHistory command. Samples are taken once each minute.

To view service statistic samples:
$ sudo serveradmin command
afp:command = getHistory
afp:variant = statistic
afp:timeScale = scale
Control-D

Parameter   Description
statistic   The value you want to display. Valid values:
            - v1 = number of connected users (average during sampling period).
Managing NFS Service

NFS is a file service used to provide file sharing to UNIX and Linux systems. With NFS, Mac OS X Server can host data for UNIX application servers and provide integration with enterprise UNIX storage devices. Support for NFS file locking prevents overwriting files while others are accessing them. NFS service can be used to mount NFS volumes and reshare them over AFP with Mac OS X and Mac OS 9 clients.
Managing FTP Service

Mac OS X Server features a robust FTP file service for Internet file sharing from any platform. FTP provides the broadest compatibility across platforms, making it ideal for anonymous downloads or sharing files that are too large to be sent over mail. Mac OS X Server improves the security of FTP service with Kerberos authentication. It also supports automatic resumption of disconnected FTP file transfers.
Changing FTP Service Settings

To change FTP service settings, use the serveradmin tool.

To change a setting:
$ sudo serveradmin settings ftp:setting = value

Parameter   Description
setting     An FTP service setting. To see a list of available settings, enter $ sudo serveradmin settings ftp or see “Available FTP Service Settings” below.
value       An appropriate value for the setting.

To change several settings:
$ sudo serveradmin settings
ftp:setting = value
ftp:setting = value
ftp:setting = value
[...
Parameter (ftp:)   Description
bannerMessage      Displays a banner message that appears when you are prompted to log in to FTP. Customize to your own preferences. Default = "----------------------------------This is the "Banner" message for the Mac OS X Server's FTP server process. FTP clients will receive this message immediately before being prompted for a name and password. PLEASE NOTE: Some FTP clients may exhibit problems if you make this file too long.
Parameter (ftp:)     Description
showWelcomeMessage   Default = yes
welcomeMessage       Displays a welcome message that appears after you log in to FTP. Customize to your own preferences. Default = "------------------------------------This is the "Welcome" message for the Mac OS X Server's FTP server process. FTP clients will receive this message right after a successful log in.
Managing SMB Service

Mac OS X Server includes Samba 3, a popular open-source project that delivers high-performance SMB file and print services and Microsoft Windows NT domain services for Microsoft Windows clients. Support for native service discovery protocols means that Mac OS X Server computers appear in the My Network Places window (Windows XP and 2000) or the Network Neighborhood window (Windows 95, 98, or ME) like a Windows server.
Changing SMB Service Settings
You can change SMB service settings using the serveradmin tool.
To change a setting:
$ sudo serveradmin settings smb:setting = value
Parameter   Description
setting   An SMB service setting. To view a list of available settings, enter
          $ sudo serveradmin settings smb
          or see “Available SMB Service Settings” on page 157.
value   A value for the setting.
Parameter (smb:) Description domain master Whether the server is providing Windows domain master browser service. Can be set to: yes | no This corresponds to the Domain Master Browser checkbox in the Advanced pane of Window service settings in the Server Admin application. dos charset The code page being used.
Parameter (smb:) Description max smbd processes The maximum allowed number of smbd server processes. Each connection uses its own smbd process, so this is the same as specifying the maximum number of SMB connections. 0 means unlimited. This corresponds to the “maximum” client connections field in the Access pane of the Windows service settings in the Server Admin application. netbios name The server’s NetBIOS name. Can be set to a maximum of 15 bytes of UTF-8 characters.
Command (smb:command=) Description syncPrefs Update the service to recognize changes in share points. See “Updating Share Point Information” on page 162. writeSettings Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service must be restarted. See “Using the serveradmin Tool” on page 50. Viewing SMB User Information To retrieve information about connected SMB users, use the serveradmin getConnectedUsers command.
Disconnecting SMB Users
To disconnect SMB users, use the serveradmin disconnectUsers command. Users are specified by session ID.
To disconnect users:
$ sudo serveradmin command
smb:command = disconnectUsers
smb:sessionIDsArray:_array_index:0 = sessionid1
smb:sessionIDsArray:_array_index:1 = sessionid2
smb:sessionIDsArray:_array_index:2 = sessionid3
[...]
Control-D
Parameter   Description
sessionidn   The session ID of a user you want to disconnect.
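The guide shows the disconnectUsers request typed by hand and ended with Control-D. The same text can be generated from a list of session IDs and piped into serveradmin, which is how you would do it from a script. The function below is an added example, not code from the guide; the session IDs in the usage comment are constructed, and the IDs are checked to be integers so that a stray argument cannot turn into an extra settings line.

```shell
# Added example (not from the guide): build the request that
# `serveradmin command` reads on stdin for disconnectUsers from a list
# of SMB session IDs, instead of typing the array lines and Control-D.
# Every ID must be an integer; anything else is rejected before a single
# line is emitted, so a malformed argument cannot inject a setting.
smb_disconnect_request() {
    [ "$#" -gt 0 ] || { echo "usage: smb_disconnect_request SESSIONID..." >&2; return 1; }
    for sid in "$@"; do
        case $sid in
            ''|*[!0-9]*) echo "bad session ID: $sid" >&2; return 1;;
        esac
    done
    printf 'smb:command = disconnectUsers\n'
    i=0
    for sid in "$@"; do
        printf 'smb:sessionIDsArray:_array_index:%d = %s\n' "$i" "$sid"
        i=$((i + 1))
    done
}

# On the server (requires root), with session IDs taken from
#   sudo serveradmin command smb:command = getConnectedUsers
# the constructed IDs 1234 and 5678 would be disconnected with:
#   smb_disconnect_request 1234 5678 | sudo serveradmin command
```

The request is written to stdout rather than executed so that you can review it first; only the final pipe into serveradmin needs root.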
Updating Share Point Information
After you make a change to an SMB share point using the sharing tool, you must update the SMB service information.
To update share point information:
$ sudo serveradmin command smb:command = syncPrefs
Viewing SMB Service Logs
To view the contents of the SMB service logs, use tail or another file-listing tool.
To view the latest entries in a log:
$ tail log-file
To see where the SMB logs are located, use the serveradmin getLogPaths command.
Using chmod to Modify ACLs
Using chmod, you can add and delete ACEs for a file or a folder. The following parameters can be used with ACLs:
Parameter   Description
+a   Adds an entry to the ACL.
+ai   Adds an inherited entry.
-a   Removes an entry from the ACL.
The following are common permissions you can assign to files:
Permission   Description
delete   Grants permission to delete the item.
readattr   Reads an object’s basic attributes.
read   Reads the object.
write   Writes to the object.
The output should look like the following:
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
 owner: juser
 0: guest deny read
 1: user1 allow write
For more information, see the ls man page.
Using fsaclctl to Enable and Disable ACL Support
By default, ACL support is enabled at the volume level. However, you can use the fsaclctl command to disable or enable ACL support on any volume. In addition, you can use this command to determine whether ACL support is enabled on a given volume.
The output is similar to the following:
ProcessVolume: processing /
Access control lists are supported on /.
ProcessVolume: processing /Volumes/Data HD
Access control lists are supported on /Volumes/Data HD.
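Once share points carry ACLs, the question a practitioner asks is who actually ends up with write access, taking entry order into account. The following is an added example, not code from the guide: it parses the `ls -le` listing format shown above and reports, for a given principal, the files where an allow entry for write or delete is not preceded by a deny for the same permission. SAMPLE_LS is constructed for the example; its file1 block is the listing from the text. The chmod invocations in the comment use the `+a "principal allow|deny perms"` form from the chmod man page and run only on Mac OS X.

```shell
# Added example (not from the guide): audit ACLs from `ls -le` output.
# acl_entries reads that output on stdin and prints one tab-separated
# line per ACE: file, index, principal, allow|deny, permissions.
# acl_find_writers PRINCIPAL prints the files where that principal ends
# up allowed to write or delete. Entries are evaluated in order and the
# first one that mentions a permission decides it, which is why chmod +a
# places deny entries ahead of allow entries.
acl_entries() {
    awk '
    /^[ \t]*[0-9]+:[ \t]/ {                 # an ACE line: "N: principal action perms..."
        idx = $1; sub(/:$/, "", idx)
        perms = $4
        for (i = 5; i <= NF; i++) perms = perms " " $i
        print file "\t" idx "\t" $2 "\t" $3 "\t" perms
        next
    }
    $1 ~ /^[-dlbcps]/ && $2 ~ /^[0-9]+$/ && NF >= 9 {   # a file line from ls -l
        file = $9                            # name may contain spaces: rejoin it
        for (i = 10; i <= NF; i++) file = file " " $i
    }'
}

acl_find_writers() {
    acl_entries | awk -F "\t" -v who="$1" '
    $3 != who { next }
    {
        n = split($5, p, " ")
        for (i = 1; i <= n; i++) {
            if ($4 == "deny") denied[$1, p[i]] = 1     # an earlier deny wins
            else if ((p[i] == "write" || p[i] == "delete") && !denied[$1, p[i]] && !seen[$1]) {
                seen[$1] = 1; print $1
            }
        }
    }'
}

# Constructed sample: the file1 listing from the text, a file whose deny
# entry shadows a later allow, and a file without an ACL at all.
SAMPLE_LS='-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
 owner: juser
 0: guest deny read
 1: user1 allow write
-rw-r--r--+ 1 juser wheel 12 Apr 28 14:07 notes.txt
 0: user1 deny write
 1: user1 allow write
drwxr-xr-x 2 juser wheel 68 Apr 28 14:08 plain'

# The entries on file1 would be created on Mac OS X with:
#   chmod +a "guest deny read" file1
#   chmod +a "user1 allow write" file1
# On a real share point:
#   ls -le /Volumes/Data/Share | acl_find_writers user1
```

The parser keys only on the `N: principal action perms` shape of the ACE lines, so it also works when ls prints the principal as `user:name` on later releases; the principal string is whatever ls shows.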
Chapter 9 Working with File Services
10 Working with the Print Service
Use this chapter to learn the commands to configure and manage the Print service. This chapter covers the commands needed to view, modify, or change Print service settings. Print service in Mac OS X Server lets you share network and direct-connect printers among clients on your network. Print service also includes support for managing print queues, monitoring print jobs, extensive logging, and using print quotas. For more information, see Print Service Administration.
CUPS has its own web interface at http://127.0.0.1:631, which you can open in a web browser. At that address it is reachable only from the server itself, and it is independent of the Apache web server, so you do not need to enable web sharing to use it. You can find the CUPS documentation at www.cups.org. CUPS includes System V (lp) and Berkeley (lpr) printing commands. CUPS supports many different file formats, including PostScript and image files, so you can print most files from the command line.
Performing Print Service Tasks To perform print service tasks, use the serveradmin tool and commands that interact with CUPS.
To change several settings:
$ sudo serveradmin settings
print:setting = value
print:setting = value
print:setting = value
[...]
Control-D
Available Print Service Settings
To change settings for the print service, use the following parameters with the serveradmin tool.
Queue Data Array
Print service settings include an array of values for each print queue. The array is a set of parameters that define values for each queue. The array of sharing services now includes IPP. This is the same service as Mac OS X v10.3 printer sharing, now integrated with Mac OS X Server v10.5. Many of the following parameters are CUPS parameters. For more details about CUPS parameters, see the CUPS documentation. Each array ID is a CUPS queue ID (for example, my_printer or _192_216_3_45).
The following is an example of a queue array parameter block:
print:queuesArray:_array_id:my_printer:quotasEnforced = no
print:queuesArray:_array_id:my_printer:sharingList:_array_index:0:service = "LPR"
print:queuesArray:_array_id:my_printer:sharingList:_array_index:0:sharingEnable = no
print:queuesArray:_array_id:my_printer:sharingList:_array_index:1:service = "SMB"
print:queuesArray:_array_id:my_printer:sharingList:_array_index:1:sharingEnable = no
print:queuesArray:_array_id:my_printer:sharingList:_arr
Listing Queues
To list print service queues, use the serveradmin getQueues command.
$ sudo serveradmin command print:command = getQueues
Pausing and Releasing a Queue
You can use the serveradmin setQueueState command to pause or release a queue.
To pause a queue:
$ sudo serveradmin command
print:command = setQueueState
print:state = PAUSED
print:namesArray:_array_index:0 = queue
Control-D
Parameter   Description
queue   The name of the queue.
For each job, the command lists:
• Document name
• Document size
• Job ID
• Submitting user
• Submitting host
• Job name
• Job state
• Job priority
Holding and Releasing a Job
To hold or release a job, use the serveradmin setJobState command.
To hold a job:
$ sudo serveradmin command
print:command = setJobState
print:status = HOLD
print:jobsArray:_array_index:0:printer = queue
print:jobsArray:_array_index:0:idsArray:_array_index:0 = jobid
Control-D
Parameter   Description
queue   The name of the queue.
Viewing Print Service Log Files and Log Paths
To view the contents of the Print service logs and to view log paths, use tail or another file-listing tool.
To view the latest entries in a log:
$ tail log-file
The following are log files for Print service:
• /var/log/cups/error_log (CUPS general message log)
• /var/log/cups/access_log (CUPS access log)
• /var/log/cups/page_log (CUPS page log)
• /Library/Logs/PrintService/PrintService.admin.
Chapter 10 Working with the Print Service
11 Working with NetBoot Service and System Images
Use this chapter to learn the commands to configure and manage NetBoot service and system images. You can use NetBoot to host a standard operating system and application configuration on a server for all clients on a network.
Viewing NetBoot Service Status
To see if the service is running:
$ sudo serveradmin status netboot
To see complete service status:
$ sudo serveradmin fullstatus netboot
Viewing NetBoot Settings
To list all service settings:
$ sudo serveradmin settings netboot
Changing NetBoot Settings
You can change NetBoot service settings using the serveradmin tool.
To change a setting:
$ sudo serveradmin settings netboot:setting = value
Parameter   Description
setting   A NetBoot service setting.
Parameter (netboot:) Description netBootFiltersRecordsArray... An array of values for each computer explicitly allowed or disallowed access to images. For a description, see “The Filters Record Array” on page 180. netBootImagesRecordsArray... An array of values for each boot or installation image stored on the server. For a description, see “The Image Record Array” on page 180. netBootPortsRecordsArray... An array of values for each server network port used to deliver boot or installation images.
The Filters Record Array
An array of the following values appears in NetBoot service settings for each computer explicitly allowed or denied access to images stored on the server.
Parameter (netboot:)   Description
netBootFiltersRecordsArray:_array_index:n:hostName   The host name of the filtered computer, if available.
netBootFiltersRecordsArray:_array_index:n:filterType   Whether the specified computer is allowed or denied access.
Parameter (netboot:)   Description
netBootImagesRecordsArray:_array_index:n:IsEnabled   Sets whether the image is available to NetBoot (or Network Image) clients.
netBootImagesRecordsArray:_array_index:n:IsInstall   yes specifies a network installation image; no specifies a NetBoot image.
The Port Record Array
An array of the following items is included in the NetBoot service settings for each network port on the server set to deliver images.
Working with System Images A boot image is a file that acts like a mountable disk or volume. NetBoot boot images contain the system software needed to act as a startup disk for client computers on the network. An installation image is a special boot image that boots the client long enough to install software from the image, after which the client can start up from its own hard disk. Both boot images and installation images are special kinds of disk images.
Using hdiutil with System Images To manipulate disk images, use the hdiutil tool. You can use this tool to perform many functions, such as creating, compressing, mounting, unmounting, and resizing images. You can also display image information and burn images onto CDs. For information about how to manipulate disk images, see the hdiutil man page. The following examples provide basic hdiutil tool functions: To verify an image by comparing it to its internal checksum: $ hdiutil verify myimage.
Imaging Multiple Clients Using Multicast asr
You can enable a multicast image server using the Mac OS X Server Multicast asr command. Multicast asr can restore multiple clients simultaneously from one looping multicast of an asr disk image. A client can join at any point in the loop; it keeps receiving into the next pass of the multicast until it has collected the complete restore image.
12 Managing Mail Service
Use this chapter to learn the commands to manage Mail service. Mac OS X Server provides a full complement of tools for setting up and managing Mail service for your users. You use the commands described in this chapter to control the components that make up Mail service.
If you make a manual change to the configuration file of Postfix, Server Admin overwrites your changes the next time you use it to modify the Mail service configuration. The spool files for Postfix are located in /var/spool/postfix/ and the log file is /var/log/mail.log. For more information about Postfix, see www.postfix.org.
Cyrus
Cyrus was developed at Carnegie Mellon University to create a highly scalable enterprise mail system for use in small- to large-enterprise environments.
Managing Mail Service Mac OS X Server ships with powerful tools to help you administer Mail service. The following sections describe basic Mail service functions.
Mail Service Settings Use the following parameters with the serveradmin tool to change settings for Mail service.
Parameter (mail:)   Description
postfix:lmtp_sasl_password_maps   Default = no
postfix:smtp_sasl_password_maps   Default = no
postfix:qmgr_clog_warn_time   Default = "300s"
postfix:smtp_sasl_auth_enable   Default = no
postfix:smtp_skip_4xx_greeting   Default = yes
postfix:smtp_skip_5xx_greeting   Default = yes
postfix:stale_lock_time   Default = "500s"
postfix:strict_8bitmime_body   Default = no
postfix:disable_mime_input_processing   Default = no
postfix:smtpd_hard_error_limit   Default = 20
postfix:empty_
postfix:lmtp_connect_timeout   Default = "0s"
postfix:strict_7bit_headers   Default = no
postfix:unknown_hostname_reject_code   Default = 450
postfix:virtual_alias_domains   Default = "$virtual_alias_maps"
postfix:lmtp_sasl_auth_enable   Default = no
postfix:queue_directory   Default = "/private/var/spool/postfix"
postfix:sample_directory   Default = "/usr/share/doc/postfix/examples"
postfix:fallback_relay   Default = 0
postfix:smtpd_use_pw_server   Default = "yes"
postfix:
postfix:mail_spool_directory   Default = "/var/mail"
postfix:mailbox_delivery_lock   Default = "flock"
postfix:disable_dns_lookups   Default = no
postfix:mailbox_command_maps   Default = ""
postfix:default_destination_concurrency_limit   Default = 20
postfix:2bounce_notice_recipient   Default = "postmaster"
postfix:virtual_alias_maps   Default = "$virtual_maps"
postfix:mailq_path   Default = "/usr/bin/mailq"
postfix:recipient_delimiter   Default = no
postfix:masquerade_excep
postfix:trigger_timeout   Default = "10s"
postfix:newaliases_path   Default = "/usr/bin/newaliases"
postfix:default_rbl_reply   Default = "$rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}"
postfix:alias_database   Default = "hash:/etc/aliases"
postfix:qmgr_message_recipient_limit   Default = 20000
postfix:extract_recipient_limit   Default = 10240
postfix:header_checks   Default = 0
postfix:syslog_facility   Defaul
postfix:fallback_transport   Default = 0
postfix:owner_request_special   Default = yes
postfix:default_transport   Default = "smtp"
postfix:biff   Default = yes
postfix:relay_domains_reject_code   Default = 554
postfix:smtpd_delay_reject   Default = yes
postfix:lmtp_quit_timeout   Default = "300s"
postfix:lmtp_mail_timeout   Default = "300s"
postfix:fast_flush_purge_time   Default = "7d"
postfix:disable_verp_bounces   Default = no
postfix:lmtp_skip_quit_response   Default = no
postfix:debug_peer_level   Default = 2
postfix:in_flow_delay   Default = "1s"
postfix:smtpd_junk_command_limit   Default = 100
postfix:program_directory   Default = "/usr/libexec/postfix"
postfix:smtp_quit_timeout   Default = "300s"
postfix:smtp_mail_timeout   Default = "300s"
postfix:minimal_backoff_time   Default = "1000s"
postfix:queue_file_attribute_count_limit   Default = 100
postfix:body_checks   Default = no
postfix:smtpd_client_restrictions:_array_index:0   Default =
postfix:myhostname   Default = ""
postfix:default_minimum_delivery_slots   Default = 3
postfix:recipient_canonical_maps   Default = no
postfix:hash_queue_depth   Default = 1
postfix:hash_queue_names:_array_index:0   Default = "incoming"
postfix:hash_queue_names:_array_index:1   Default = "active"
postfix:hash_queue_names:_array_index:2   Default = "deferred"
postfix:hash_queue_names:_array_index:3   Default = "bounce"
postfix:hash_queue_names:_array_index:4   Default
postfix:strict_8bitmime   Default = no
postfix:virtual_transport   Default = "virtual"
postfix:berkeley_db_create_buffer_size   Default = 16777216
postfix:broken_sasl_auth_clients   Default = no
postfix:home_mailbox   Default = no
postfix:content_filter   Default = ""
postfix:forward_path   Default = "$home/.forward${recipient_delimiter}${extension},$home/.
postfix:bounce_notice_recipient   Default = "postmaster"
postfix:smtp_connect_timeout   Default = "30s"
postfix:fault_injection_code   Default = 0
postfix:unknown_client_reject_code   Default = 450
postfix:virtual_minimum_uid   Default = 100
postfix:fast_flush_domains   Default = "$relay_domains"
postfix:default_database_type   Default = "hash"
postfix:dont_remove   Default = 0
postfix:expand_owner_alias   Default = no
postfix:max_idle   Default = "100s"
postfix:defer_transpo
imap:pop_auth_clear   Default = no
imap:imapidresponse   Default = yes
imap:sasl_auto_transition   Default = no
imap:mupdate_port   Default = ""
imap:admins:_array_index:0   Default = "cyrus"
imap:plaintextloginpause   Default = 0
imap:popexpiretime   Default = 0
imap:pop_auth_any   Default = no
imap:sieve_maxscriptsize   Default = 32
imap:hashimapspool   Default = no
imap:tls_lmtp_cert_file   Default = ""
imap:tls_sieve_key_file   Default = ""
imap:sievedir   Default = "
imap:autocreatequota   Default = 0
imap:allowanonymouslogin   Default = no
imap:pop_auth_apop   Default = yes
imap:partition-default   Default = "/var/spool/imap"
imap:imap_auth_cram_md5   Default = no
imap:mupdate_password   Default = ""
imap:idlesocket   Default = "/var/imap/socket/idle"
imap:allowallsubscribe   Default = no
imap:singleinstancestore   Default = yes
imap:unixhierarchysep   Default = "yes"
imap:mupdate_realm   Default = ""
imap:sharedprefix   Default = "Share
Mail serveradmin Commands You can use the following commands with the serveradmin tool to manage Mail service. Command (mail:command=) Description getHistory View a periodic record of file data throughput or number of user connections. See “Viewing Mail Service Statistics” on this page. getLogPaths Display the locations of Mail service logs. See “Viewing Mail Service Logs” on page 201.
Value displayed by getHistory   Description
   The total number of samples listed.
mail:samplesArray:_array_index:i:vn =   The numerical value of the sample. For connections (v1), this is the integer average number of users. For throughput (v2), this is integer bytes per second.
mail:samplesArray:_array_index:i:t =   The time when the sample was measured.
mail:v1Legend = "connections"
mail:currentServerTime =
Value   Description
The location of the mail filtering log. Default = "/var/log/amavis.log"
The location of the virus definition updates log. Default = "/var/log/freshclam.log"
The location of the Mailing Lists Subscriptions log. Default = "/var/mailman/logs/subscribe"
The location of the Mailing Lists Delivery Failures log. Default = "/var/mailman/logs/smtp-failure"
The location of the Mailing Lists Postings log.
• Postfix configuration file (/etc/postfix/main.cf)
The largest database is the mailbox folders database. Each mailbox folder contains the following files:
• Message files—There is one file per message. The file name of each message is the message’s UID followed by a period. The UID is a unique ID given to each message.
• cyrus.header—This file contains a magic number and variable-length information about the mailbox.
• cyrus.
4 When “Enter key and certificate label:” appears in the Terminal window, enter a one-word key, a blank space, and a one-word certificate label, and then press Return. For example, you could enter your organization’s name as the key and mailservice as the certificate label. The following output appears.
Please specify parameters for the key pair you will generate.
r RSA
d DSA
f FEE
Select key algorithm by letter:
5 Enter r, and then press Return. The following output appears.
11 Enter a phrase or random text, and then press Return. The following output appears. For Common Name, enter the server's DNS name, such as server.example.com. For Country, enter the country in which your organization is located. For Organization, enter the organization to which your domain name is registered. For Organizational Unit, enter something similar to a department name. For State/Province, enter the full name of your state or province.
Importing an SSL Certificate into the Keychain
To import an SSL certificate into a keychain, use the certtool tool. This continues the process of configuring Mail service for automatic SSL connections.
To import an SSL certificate into the keychain:
1 Log in to the server as root.
2 Open the Terminal application.
3 Go to the folder where the saved certificate file is located. For example, if the certificate file is saved on the desktop of the root user, enter cd /private/var/root/Desktop and press Return.
To create a password file: 1 Log in to the server as root. 2 In TextEdit, create a file and enter the password as you entered it when you created the keychain. Don’t press Return after entering the password. 3 Make the file plain text by choosing Make Plain Text from the Format menu. 4 Save the file, naming it cerkc.pass. 5 Move the file to the root keychain folder. The path is /private/var/root/Library/Keychains/.
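The two details that matter in the steps above are that the file holds the password bytes and nothing else (a Return at the end would become part of the password the mail service reads) and that nobody but root can read it. The function below is an added example, not part of the guide: it writes cerkc.pass from a script with printf, which appends no newline, under umask 077, and verifies both the size and the mode before returning the path. KEYCHAIN_DIR defaults to the folder named in the text and can be pointed at a scratch directory to try the function elsewhere.

```shell
# Added example (not from the guide): write cerkc.pass with no trailing
# newline and readable only by its owner. On the server the steps run as
# root, so the file ends up owned by root with mode 0600.
write_keychain_pass() {
    pass=$1
    dir=${KEYCHAIN_DIR:-/private/var/root/Library/Keychains}
    file=$dir/cerkc.pass
    nl=$(printf '\nx'); nl=${nl%x}           # a literal newline for the check below
    [ -n "$pass" ] || { echo "empty password" >&2; return 1; }
    case $pass in *"$nl"*) echo "password must not contain a newline" >&2; return 1;; esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # umask 077 means the file is created 0600; chmod makes it explicit
    # in case the file already existed with looser permissions.
    ( umask 077 && printf '%s' "$pass" > "$file" ) || return 1
    chmod 600 "$file" || return 1
    # Verify the file holds exactly the password bytes, no newline.
    want=$(printf '%s' "$pass" | wc -c | tr -d ' ')
    got=$(wc -c < "$file" | tr -d ' ')
    [ "$got" -eq "$want" ] || { echo "size mismatch: $got != $want" >&2; return 1; }
    printf '%s\n' "$file"
}

# keychain_pass_mode FILE -> the permission string ls reports, e.g. -rw-------
keychain_pass_mode() {
    ls -l "$1" | cut -c1-10
}

# On the server, as root (the password is passed as an argument here;
# read it from a prompt if the shell history is a concern):
#   write_keychain_pass 'the keychain password' && keychain_pass_mode /private/var/root/Library/Keychains/cerkc.pass
```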
Things to note:
• cyradm is a limited shell. It supports shell-style redirection, but does not understand pipes.
• cyradm can be used interactively or be scripted, but Perl scripting with Cyrus::IMAP::Admin is more flexible.
• You must escape spaces in file or folder names with a backslash (\), just as you would in a shell.
For a complete list of commands, see the cyradm man page.
Enabling Sieve Scripting
Mac OS X Server supports Sieve scripting for mail processing.
Sample Sieve Scripts
The following scripts are examples of common scripts a user might want to use.
Vacation Notification Script
#--------
# This is a sample script for vacation rules.
# Read the comments following the pound/hash to find out
# what the script is doing.
#--------
#
# Make sure the vacation extension is used.
# If it's from my mom...
if header :contains "From" "Mom" {
    # send it to my home email account
    redirect "home-address@example.com";
}
#
# If the subject line has a certain keyword...
elsif header :contains "Subject" "daffodil" {
    # forward it to the postmaster
    redirect "postmaster@server.edu";
}
#
# If the junk mail filter has marked this as junk...
13 Configuring and Managing Web Technologies
Use this chapter to learn the commands to configure and manage Web service and the web components on your server. Web technologies in Mac OS X Server consist of several components that provide a flexible and scalable server environment. This chapter covers the commands that are used to configure and manage these web technologies, referred to as Web service. For more information, see Web Technologies Administration.
Files   Location
Log files   /var/log/httpd/
Loadable modules   /usr/libexec/httpd/
Apache 2.0 files are in the /etc/apache2/ folder. The main configuration file for the Apache web server is /etc/httpd/httpd.conf. The Apache web server (httpd) reads this file during startup. In addition, Mac OS X Server maintains a configuration file for each website it hosts. Mac OS X Server stores the website-specific configuration files in the /etc/httpd/sites/ folder.
To view a group of settings:
You can view a group of settings that have part of their names in common by entering as much of the name as you want, stopping at a colon (:), and entering an asterisk (*) as a wildcard for the remaining parts of the name. For example:
$ sudo serveradmin settings web:IfModule:_array_id:mod_alias.c:*
To view all Web service settings:
$ sudo serveradmin settings web
Changing Web Settings
You can use serveradmin to modify your server’s Web service configuration.
To change several settings:
$ sudo serveradmin settings
web:setting = value
web:setting = value
web:setting = value
[...]
Control-D
Web serveradmin Commands
To manage Web service, use the following commands with the serveradmin tool.
Command (web:command=)   Description
getHistory   View Web service statistics. See “Viewing Service Statistics” on page 214.
getLogPaths   Find the access and error logs for each hosted site. See “Viewing Service Logs and Log Paths” on this page.
getSites   View existing sites.
To view samples:
$ sudo serveradmin command
web:command = getHistory
web:variant = statistic
web:timeScale = scale
Control-D
Parameter   Description
statistic   The value you want to display. Valid values:
            • v1—Number of requests per second
            • v2—Throughput (bytes/sec)
            • v3—Cache requests per second
            • v4—Cache throughput (bytes/sec)
scale   The length of time in seconds, ending with the current time, that you want to see samples for.
Example Script for Adding a Website
The following script shows how you can use serveradmin to add a website to the server’s Web service configuration. The script uses two files:
• addsite—The script you run. It accepts values for the site’s IP address, port number, server name, and root folder, and uses sed to substitute these values in the addsite.in file. This is then sent to serveradmin.
• addsite.
web:Sites:_array_id:_ipaddr\:_port__servername:ErrorDocument:_array_index:0:StatusCode = 404
web:Sites:_array_id:_ipaddr\:_port__servername:ErrorDocument:_array_index:0:Document = "/nwesite_notfound.html"
web:Sites:_array_id:_ipaddr\:_port__servername:LogLevel = "warn"
web:Sites:_array_id:_ipaddr\:_port__servername:IfModule:_array_id:mod_ssl.c:SSLEngine = no
web:Sites:_array_id:_ipaddr\:_port__servername:IfModule:_array_id:mod_ssl.
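The addsite approach substitutes whatever values it is handed straight into text that serveradmin executes as settings, so a value that contains a newline followed by `web:...` would add settings of its own. The function below is an added example, not the guide's addsite script: it validates the IP address, port, server name and document root before interpolating them into the same keys that appear in the addsite.in fragment above. The leading `= create` line follows the pattern the guide uses for other settings arrays; the ServerName and DocumentRoot keys and the validation rules are this example's assumptions.

```shell
# Added example (not from the guide): generate a site's settings block
# for `serveradmin settings` with every value validated first, so no
# value can smuggle in extra lines.
nl=$(printf '\nx'); nl=${nl%x}      # a literal newline

valid_ipv4() {                      # four dotted decimal octets, each 0-255
    case $1 in ''|*[!0-9.]*|.*|*.) return 1;; esac
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in '') return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}

valid_port() {                      # 1-65535, digits only
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_hostname() {                  # DNS-style label characters only
    case $1 in ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*|*.-*|*-.*) return 1;; esac
    [ ${#1} -le 253 ]
}

valid_docroot() {                   # absolute path, no "..", quotes, backslashes or newlines
    case $1 in /*) ;; *) return 1;; esac
    case $1 in *..*|*\"*|*\\*|*"$nl"*) return 1;; esac
}

# gen_site_settings IP PORT SERVERNAME DOCROOT -> settings block on stdout
gen_site_settings() {
    ip=$1 port=$2 name=$3 root=$4
    valid_ipv4 "$ip"       || { printf 'bad IP address: %s\n' "$ip" >&2; return 1; }
    valid_port "$port"     || { printf 'bad port: %s\n' "$port" >&2; return 1; }
    valid_hostname "$name" || { printf 'bad server name: %s\n' "$name" >&2; return 1; }
    valid_docroot "$root"  || { printf 'bad document root: %s\n' "$root" >&2; return 1; }
    id="${ip}\\:${port}_${name}"    # the _ipaddr\:_port__servername array ID
    printf 'web:Sites:_array_id:%s = create\n' "$id"
    printf 'web:Sites:_array_id:%s:ServerName = "%s"\n' "$id" "$name"       # assumed key
    printf 'web:Sites:_array_id:%s:DocumentRoot = "%s"\n' "$id" "$root"     # assumed key
    printf 'web:Sites:_array_id:%s:ErrorDocument:_array_index:0:StatusCode = 404\n' "$id"
    printf 'web:Sites:_array_id:%s:ErrorDocument:_array_index:0:Document = "/nwesite_notfound.html"\n' "$id"
    printf 'web:Sites:_array_id:%s:LogLevel = "warn"\n' "$id"
    printf 'web:Sites:_array_id:%s:IfModule:_array_id:mod_ssl.c:SSLEngine = no\n' "$id"
}

# On the server (constructed values; requires root):
#   gen_site_settings 10.0.0.1 80 www.example.com /Library/WebServer/Sites/example | sudo serveradmin settings
```

Printing the block rather than piping it directly keeps the root-requiring step separate and lets you diff the generated settings against `serveradmin settings web` afterwards.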
Apache Tomcat
Mac OS X Server comes with Apache Tomcat, the open source servlet container maintained by the Apache Software Foundation (it originated at Sun Microsystems). Tomcat runs as part of the Java process.
To start Apache Tomcat:
$ sudo /Library/Tomcat/6.0/bin/startup.sh
Note: If you start Tomcat manually, it is not reflected in the Server Admin application. Additionally, it is not monitored by the launchd process. By default, Tomcat uses port 9006. Tomcat comes with several example servlets; treat them as samples to remove before the server faces untrusted users.
To set or change the root password:
$ sudo /usr/sbin/serveradmin stop mysql
$ sudo /usr/sbin/serveradmin settings mysql:rootPassword = password
$ sudo /usr/sbin/serveradmin start mysql
When you set up MySQL service, set a password for the MySQL root user to protect your server from unauthorized access. A password given on the command line as shown is visible in the process list while the command runs and is saved in the shell history; clear the history entry afterwards, or supply the setting on standard input as serveradmin also accepts.
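The three commands above work, but the password ends up in `ps` output and in the shell history. An added example (not from the guide) that performs the same stop, settings, start sequence while reading the password from a prompt and handing it to serveradmin on standard input, which the guide's multi-line settings form already supports. The minimum length and the character restrictions are this example's choices; the quoted value form follows the guide's other string settings. SERVERADMIN lets you substitute a stand-in program for a dry run.

```shell
# Added example (not from the guide): set mysql:rootPassword without
# putting the password on a command line.
mysql_root_password_setting() {
    pw=$1
    nl=$(printf '\nx'); nl=${nl%x}
    [ "${#pw}" -ge 12 ] || { echo "password too short (want 12 or more characters)" >&2; return 1; }
    case $pw in *\"*|*\\*|*"$nl"*)
        echo "password must not contain double quotes, backslashes or newlines" >&2; return 1;;
    esac
    printf 'mysql:rootPassword = "%s"\n' "$pw"
}

set_mysql_root_password() {
    sa=${SERVERADMIN:-sudo /usr/sbin/serveradmin}   # left unquoted on purpose: it may be several words
    if [ -t 0 ]; then
        printf 'New MySQL root password: ' >&2
        stty -echo; read -r pw; stty echo; echo >&2
    else
        read -r pw                                 # from a pipe or a 0600 file, never an argument
    fi
    setting=$(mysql_root_password_setting "$pw") || return 1
    $sa stop mysql && printf '%s\n' "$setting" | $sa settings && $sa start mysql
}

# Interactive use on the server:
#   set_mysql_root_password
# Dry run anywhere, with a stand-in that echoes what it would be told:
#   fake() { if [ "$1" = settings ]; then cat; else echo "$1 $2"; fi; }
#   printf '%s\n' 'Correct-Horse-Battery' | SERVERADMIN=fake set_mysql_root_password
```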
Chapter 13 Configuring and Managing Web Technologies
14 Configuring and Managing Network Services
Use this chapter to learn the commands to configure and manage DHCP, DNS, Firewall, NAT, and VPN services. Mac OS X Server network services add administrative and managerial capabilities to basic networking protocols. This chapter describes the commands used to configure and manage network services. For more information, see Network Services Administration.
xinetd
xinetd uses a different configuration file for each service it provides. In the /etc/xinetd.d folder, there are configuration files for each service that xinetd handles. If you enable FTP sharing, Mac OS X modifies the configuration file /etc/xinetd.d/ftp. For more information about xinetd, see www.xinetd.org.
Changing DHCP Service Settings
To change a DHCP setting:
$ sudo serveradmin settings dhcp:setting = value
Parameter   Description
setting   A DHCP service setting. See the table below.
value   An appropriate value for the setting.
To change several DHCP settings:
$ sudo serveradmin settings
dhcp:setting = value
dhcp:setting = value
dhcp:setting = value
[...
Parameter (dhcp:)   Description
subnet_defaults:dhcp_domain_name_server:_array_index:n   Default = The DNS server addresses provided during server setup, as listed in the Network pane of the server’s System Preferences.
subnets:_array_id:...   An array of settings for a subnet; the array ID is a unique identifier for each subnet. See “DHCP Subnet Settings Array” on this page.
Subnet Parameter (subnets:_array_id:...:)   Description
net_mask   The subnet mask for the subnet. Corresponds to the Subnet Mask field in the General pane of the subnet settings in Server Admin.
net_range_end   The highest available IPv4 address for the subnet. Corresponds to the Ending IP Address field in the General pane of the subnet settings in Server Admin.
net_range_start   The lowest available IPv4 address for the subnet.
Adding a DHCP Subnet
To add other subnets to your DHCP configuration, use the serveradmin settings command. You might already have a subnet for each port you enabled when you installed and set up the server. You can use the serveradmin settings command to check for subnets the server set up for you (see “Viewing DHCP Service Settings” on page 222).
Note: Include the special first setting (ending with = create). This is how you tell serveradmin to create the settings array with the specified subnet ID.
Adding a DHCP Static Map
To add a static map to the DHCP configuration, use the serveradmin tool. A static DHCP map allows you to map a specific IP address to a computer based on its Ethernet (MAC) address. The server identifies the computer only by the address it claims on the wire, so a static map is a convenience for address assignment, not an access control.
Viewing the Location of the DHCP Service Log
To view the location of the DHCP service log, use the following command with the serveradmin tool.
Command (dhcp:command=)   Description
getLogPaths   Display the location of the DHCP service log.
To view the log path:
$ sudo serveradmin command dhcp:command = getLogPaths
The computer responds with the following output:
dhcp:systemLog =
Value   Description
dhcp:systemLog   The location of the DHCP service log. Default = /var/logs/system.
Viewing DNS Service Settings
To view a setting:
$ sudo serveradmin settings dns:setting
To view a group of settings:
Enter as much of the name as you want, stopping at a colon (:), then enter an asterisk (*) as a wildcard for the remaining parts of the name. For example:
$ sudo serveradmin settings dns:zone:_array_id:localhost:*
To view all service configuration settings:
$ sudo serveradmin settings dns
Changing DNS Service Settings
To modify your server’s DNS configuration, use serveradmin.
Viewing DNS Service Statistics To view a summary of the DNS service workload, use the serveradmin getStatistics command.
This change takes place immediately, but is not persistent if you reboot the computer. To enable IP forwarding when Mac OS X Server restarts, set the IPFORWARDING flag in the /etc/hostconfig file to -YES- to enable IP forwarding during the startup process. Managing Firewall Service For its Firewall service, Mac OS X Server uses the reliable open source IPFW2 software.
Checking the Status of Firewall Service
To see summary status of the service:
$ sudo serveradmin status ipfilter
To see detailed status of the service, including rules:
$ sudo serveradmin fullstatus ipfilter
Viewing Firewall Service Settings
To view a setting:
$ sudo serveradmin settings ipfilter:setting
To view a group of settings:
Enter as much of the name as you want, stopping at a colon (:), then enter an asterisk (*) as a wildcard for the remaining parts of the name.
Parameter (ipfilter:)   Description
logAllDenied   A parameter that specifies whether to log all denials. Default = no
ipAddressGroups:_array_id:n:address   The address of a defined IP address group, the first element of an array that defines an IP address group.
ipAddressGroups:_array_id:n:name   The name of a defined IP address group, the second element of an array that defines an IP address group.
logAllAllowed   Whether to log access allowed by rules.
Packets are passed to ipfw from a number of places in the protocol stack. (Depending on the source and destination of the packet, ipfw can be invoked multiple times on the same packet.) The packet passed to the firewall is compared with each rule in the firewall ruleset. When a match is found, the action corresponding to the matching rule is performed.
#add 01010 deny all from any to 127.0.0.0/8
#add 01020 deny ip from 224.0.0.0/4 to any in
#add 01030 deny tcp from any to 224.0.0.0/4 in
#add 12300 ("allow" rules from the "General" panel)
#...
#add 65534 deny ip from any to any
To add an entry that denies all TCP packets from cracker.evil.org to the Telnet port of my.host.org from being forwarded by the host:
$ ipfw add deny tcp from cracker.evil.org to my.host.org telnet
A rule added this way lives only in the running kernel: it is gone after a restart and the Firewall service does not know about it. For a rule that persists, add it to the ipfilter settings with serveradmin.
To disallow any connection from the cracker.evil.org network to my.host.
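The commented ruleset above relies on rule 65534 to deny whatever the earlier rules did not explicitly allow. Whether a live ruleset still has that property is worth checking after rules have been added by hand, because ipfw stops at the first matching rule and the kernel's own rule 65535 allows everything. The function below is an added example, not from the guide: it reads `ipfw list` output (or the `#add` lines with the `#add ` prefix removed), finds the first catch-all rule, and reports whether the default is deny or allow. SAMPLE_RULES is constructed from the rule numbers shown in the text.

```shell
# Added example (not from the guide): audit a ruleset for a default deny.
# The first rule of the form "<num> allow|deny ip|all from any to any" with
# no further qualifiers matches every packet that reaches it, so it decides
# the default and everything after it is unreachable. Exit status 0 means
# the default is deny.
ipfw_audit() {
    awk '
    /^[0-9]+[ \t]/ { n++; line[n] = $0; next }
    END {
        if (n == 0) { print "FAIL: no rules read"; exit 2 }
        rc = 1
        for (i = 1; i <= n; i++) {
            if (line[i] ~ /^[0-9]+[ \t]+(allow|deny)[ \t]+(ip|all)[ \t]+from[ \t]+any[ \t]+to[ \t]+any[ \t]*$/) {
                split(line[i], f)
                if (f[2] == "deny") { print "OK: default deny at rule " line[i]; rc = 0 }
                else print "FAIL: default allow at rule " line[i]
                if (i < n) print "note: " (n - i) " rule(s) after it are unreachable"
                break
            }
        }
        if (i > n) print "FAIL: no catch-all rule; the kernel default rule 65535 decides"
        exit rc
    }'
}

# Constructed sample in the shape of `ipfw list` output, using the rule
# numbers from the ipfw.conf comments above plus the kernel default rule.
SAMPLE_RULES='01010 deny ip from any to 127.0.0.0/8
01020 deny ip from 224.0.0.0/4 to any in
12300 allow tcp from any to any dst-port 22
65534 deny ip from any to any
65535 allow ip from any to any'

# On the server:
#   sudo ipfw list | ipfw_audit
# Offline, against the sample:
#   printf '%s\n' "$SAMPLE_RULES" | ipfw_audit
```

Rules with a direction (`in`, `out`), an interface (`via en0`) or a port are not catch-alls and are left alone; the check is only about what happens to a packet nothing else matched.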
An example of this is the following:
$ sudo serveradmin settings
ipfilter:rules:_array_id:1111 = create
ipfilter:rules:_array_id:1111:source = "10.10.41.
Viewing the Firewall Service Log and Log Path

To view the contents of the ipfilter service log, use tail or another file listing tool.

To view the latest entries in the log:
$ tail log-file

To see where the ipfilter service log is located, use the serveradmin getLogPaths command.
Viewing the Status of NAT Service

To see a summary status of the service:
$ sudo serveradmin status nat

To see detailed status of the service:
$ sudo serveradmin fullstatus nat

Viewing NAT Service Settings

To view a setting:
$ sudo serveradmin settings nat:setting

To view all settings:
$ sudo serveradmin settings nat

Changing NAT Service Settings

To change a setting:
$ sudo serveradmin settings nat:setting = value

Parameter    Description
setting      A NAT service setting.
Parameter (nat:)      Description
log                   yes|no. Default = yes
proxy_only            yes|no. Default = no
dynamic               yes|no. Default = yes
use_sockets           yes|no. Default = yes
interface             The network port. Default = "en0"
unregistered_only     yes|no. Default = no
same_ports            yes|no. Default = yes

NAT serveradmin Commands

To manage NAT service, use the following commands with the serveradmin tool.

Command (nat:command=)    Description
getLogPaths               Find the location of the log used by the NAT service.
proto            tcp
targetIP         1.2.3.4
targetPortRange  80
aliasPortRange   80

Confirm those settings using the serveradmin tool:
$ sudo serveradmin settings nat
...
nat:redirect_port:_array_index:0:proto = "tcp"
nat:redirect_port:_array_index:0:targetPortRange = "80"
nat:redirect_port:_array_index:0:aliasPortRange = "80"
nat:redirect_port:_array_index:0:targetIP = "1.2.3.
VPNs allow users at home or away from the LAN to securely connect to it using any network connection, such as the Internet. From the user’s perspective, the VPN connection appears as a dedicated private link.
Available VPN Service Settings

To change settings for VPN service, use the following parameters with the serveradmin tool.

Parameter (vpn:Servers:)                                 Description
com.apple.ppp.l2tp:Server:VerboseLogging                 Default = 1
com.apple.ppp.l2tp:Server:MaximumSessions                Default = 128
com.apple.ppp.l2tp:Server:LogFile                        Default = "/var/log/ppp/vpnd.log"
com.apple.ppp.l2tp:IPSec:IPSecSharedSecretEncryption     Default = "Keychain"
com.apple.ppp.l2tp:IPSec:SharedSecret                    Default = "com.apple.ppp.l2tp"
com.
Parameter (vpn:Servers:)                                    Description
com.apple.ppp.l2tp:Interface:Type                           Default = "PPP"
com.apple.ppp.l2tp:PPP:LCPEchoFailure                       Default = 5
com.apple.ppp.l2tp:PPP:ACSPEnabled                          Default = 1
com.apple.ppp.l2tp:PPP:VerboseLogging                       Default = 1
com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins              Default = DSACL
com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins              Default = EAP-KRB
com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:n  Default = "DSAuth"
com.apple.ppp.
Parameter (vpn:Servers:)                                    Description
com.apple.ppp.pptp:DNS:OfferedSearchDomains                 Default = _empty_array
com.apple.ppp.pptp:DNS:OfferedServerAddresses               Default = _empty_array
com.apple.ppp.pptp:Interface:SubType                        Default = "PPTP"
com.apple.ppp.pptp:Interface:Type                           Default = "PPP"
com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:n          Default = "MPPE"
com.apple.ppp.pptp:PPP:LCPEchoFailure                       Default = 5
com.apple.ppp.pptp:PPP:MPPEKeySize128                       Default = 1
com.apple.ppp.
Available VPN serveradmin Commands

To manage VPN service, use the following commands with the serveradmin tool.

Command (vpn:command=)    Description
getLogPaths               Find the location of the VPN service log. See "Viewing the VPN Service Log and Log Path" on this page.
writeSettings             Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service must be restarted. See "Using the serveradmin Tool" on page 50.
The s2svpnadmin tool can:
- List configured site-to-site VPN servers
- Display their configuration details
- Add a configuration
- Delete a configuration

You can use this tool to configure a local VPN server, not a remote one. To set up a site-to-site server, you must configure the two VPN gateway servers at the two sites independently. You must run s2svpnadmin with root privileges.
Adding a VPN Keyagent User To enable PPTP in your VPN server, add a keyagent user in the LDAP folder that hosts your users. If you have more than one folder with VPN users, add a keyagent in each folder. Use the vpnaddkeyagentuser tool to add the required VPN PPTP keyagent user to a folder. The tool prompts you for the administrator user name and password of the folder. It then sets up the keyagent user. This step is necessary to proceed with the configuration of the VPN PPTP server.
Hardware Requirements

IP failover requires the following hardware setup:
- Primary server
- Secondary server
- Public network (the servers must be on the same subnet)
- Private network between servers (requires an additional network interface card)

Note: Because IP failover uses broadcast messages, both servers must have IP addresses on the same subnet of the public network. Both servers must also have IP addresses on the same subnet of the private network.
3 Disconnect the primary server from the public and private networks.
4 On the secondary server, add the following lines to /etc/hostconfig:
FAILOVER_PEER_IP="10.0.0.1"
FAILOVER_PEER_IP_PAIRS="en0:100.0.0.10"
FAILOVER_EMAIL_RECIPIENT="admin@example.com"
In the first line, substitute the IP address of the primary server on the private network.
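Both the IPFORWARDING flag from the firewall chapter and the FAILOVER_* lines in step 4 are KEY=VALUE entries in /etc/hostconfig, and editing that file by hand or with repeated appends tends to leave duplicate keys whose last occurrence silently wins. The following is an added example, not code from the Apple guide: a small idempotent setter and getter for hostconfig-style files, plus a pre-flight check that the three failover keys are present and that FAILOVER_PEER_IP_PAIRS has the interface:address shape shown above. The regular expression for that shape, and the use of a temporary file next to the target, are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: idempotent KEY=VALUE editing for
# /etc/hostconfig-style files, so that IPFORWARDING or the FAILOVER_* keys are
# written exactly once rather than appended repeatedly.

hostconfig_set() {
  # usage: hostconfig_set FILE KEY VALUE   (VALUE is written verbatim, quotes included)
  file=$1; key=$2; value=$3
  [ -f "$file" ] || : > "$file"
  tmp="$file.tmp.$$"
  if grep -q "^$key=" "$file"; then
    # replace the existing line in place; '|' as sed delimiter tolerates '/' in values
    sed "s|^$key=.*|$key=$value|" "$file" > "$tmp"
  else
    cp "$file" "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

hostconfig_get() {
  # usage: hostconfig_get FILE KEY  -> VALUE with surrounding double quotes removed
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

hostconfig_failover_ok() {
  # usage: hostconfig_failover_ok FILE ; succeeds when all three FAILOVER_* keys are
  # set and FAILOVER_PEER_IP_PAIRS looks like "<iface>:<dotted quad>" (assumed shape)
  peer=$(hostconfig_get "$1" FAILOVER_PEER_IP)
  pairs=$(hostconfig_get "$1" FAILOVER_PEER_IP_PAIRS)
  mail=$(hostconfig_get "$1" FAILOVER_EMAIL_RECIPIENT)
  [ -n "$peer" ] && [ -n "$mail" ] &&
    printf '%s\n' "$pairs" | grep -Eq '^[a-z]+[0-9]+:[0-9]+(\.[0-9]+){3}$'
}

# Example (against a real server you would use /etc/hostconfig with sudo):
#   hostconfig_set /etc/hostconfig IPFORWARDING -YES-
#   hostconfig_set /etc/hostconfig FAILOVER_PEER_IP '"10.0.0.1"'
```

Setting a key twice leaves a single line, which is what you want before a reboot; `hostconfig_failover_ok` is meant to run on the secondary before it is put back on the network, so a typo in the pair list is caught before the failover scripts ever see it.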
You run the Test script to determine whether the IP address should be acquired and to determine if the IP address should be relinquished when the primary server returns to service. A simple way to set up this notification-only mode is to copy the script at /usr/bin/false to the folder named with your primary server IP address, and then change the name of the script to Test. This script always returns a nonzero result.
PostAcq10.StartTimer
PostAcq20.StartApache
PreRel10.StopApache
PreRel20.StopTimer
PostRel10.StartSA
PostRel20.StartDIP
PostRel30.MailTimerResultsToAdmin

Enabling PPP Dial-In

To set up Point-to-Point Protocol (PPP) dial-in service, use the pppd daemon. For more information, see the pppd man page. The "Examples" section of the man page shows an example of setting up dial-in service.
3 Recreate the two default records:
$ sudo dscl . -create /machines/localhost
$ sudo dscl . -append /machines/localhost ip_address 127.0.0.1
$ sudo dscl . -append /machines/localhost serves ./local
$ sudo dscl . -create /machines/broadcasthost
$ sudo dscl . -append /machines/broadcasthost ip_address 255.255.255.255
$ sudo dscl . -append /machines/broadcasthost serves ..
15 Configuring and Managing Open Directory

Use this chapter to learn the commands to configure and manage the Open Directory service.

This chapter discusses the tools and commands used when working with Open Directory. Open Directory is the standards-based directory and network authentication services architecture used by Mac OS X and Mac OS X Server.
Using General Directory Tools

This section describes how to test Open Directory configurations, modify Open Directory directory domains, and test Open Directory plug-ins.

Testing Your Open Directory Configuration

To test your directory services configuration, use the dscl tool. For more information, see the dscl man page.

Modifying a Directory Domain

To create, modify, or delete directory information in a directory domain, use the dscl tool.
Parameter                              Description
passwordOptionsString                  Default = "usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0"
LDAPSettings:LDAPSSLCertificatePath    Default = ""
masterServer                           Default = ""
LDAPServerType                         Default = "standalone"
replicationWhen                        Default = "perio
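The default passwordOptionsString above turns every policy control off: no lockout, no minimum length, no history, no character-class requirement. The following is an added example, not code from the Apple guide: a shell parser for that space-separated key=value string together with a check that reports which controls are still at their permissive defaults. The thresholds it applies (eight-character minimum, at least one character-class requirement) are this example's own choices, not values from the guide; only the key names come from the page.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: parse an Open Directory
# passwordOptionsString and report policy controls left at permissive values.

# Constructed sample: the default string quoted in the guide (all controls off).
DEFAULT_OPTIONS='usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0'

pwopt_get() {
  # usage: pwopt_get "<options string>" KEY  -> value, or an empty line if absent
  for pair in $1; do
    case $pair in
      "$2="*) printf '%s\n' "${pair#*=}"; return 0 ;;
    esac
  done
  printf '\n'
}

pwopt_weaknesses() {
  # usage: pwopt_weaknesses "<options string>"
  # prints one line per weak control; prints nothing when the policy passes.
  # Thresholds are this example's assumptions, not Apple's recommendations.
  minchars=$(pwopt_get "$1" minChars)
  [ "$(pwopt_get "$1" maxFailedLoginAttempts)" = 0 ] && echo "no lockout: maxFailedLoginAttempts=0"
  [ "${minchars:-0}" -lt 8 ] && echo "minimum length under 8: minChars=${minchars:-0}"
  [ "$(pwopt_get "$1" requiresAlpha)" = 0 ] && [ "$(pwopt_get "$1" requiresNumeric)" = 0 ] &&
    echo "no character-class requirement: requiresAlpha=0 requiresNumeric=0"
  [ "$(pwopt_get "$1" passwordCannotBeName)" = 0 ] && echo "password may equal the account name: passwordCannotBeName=0"
  [ "$(pwopt_get "$1" usingHistory)" = 0 ] && echo "no password history: usingHistory=0"
  return 0
}

pwopt_weak_count() {
  # usage: pwopt_weak_count "<options string>"  -> number of weak controls found
  pwopt_weaknesses "$1" | grep -c . || true
}

# Example: pwopt_weak_count "$DEFAULT_OPTIONS"   -> 5
```

Feed it the string returned by `serveradmin settings` (the guide's own viewing command) and compare the count before and after a policy change; a non-zero result on a production directory is worth a ticket.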
An example value for rootdn is uid=root,cn=users,dc=example,dc=com. An administrator can edit the /etc/openldap/slapd_macosxserver.conf file to add a password hash, or plain-text password, to the file, at which point that administrator user could administer the LDAP database. This is especially useful when your LDAP database is damaged or the passwords are lost or forgotten.
Idle Rebinding Options

The following LDAPv3 plug-in parameters are documented in Open Directory Administration. The parameters are used in the file /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist.

Delay Rebind

This parameter specifies how long the LDAP plug-in waits before attempting to reconnect to a server that fails to respond. You can increase this value to prevent continuous reconnection attempts.
can also be used for debugging issues with LDAP, independent of the directory services LDAPv3 plug-in.

ldapsearch

For example, you can read the root directory server entry (DSE) like this (-LLL omits some output, -x means no SASL, -h specifies the hostname, -b specifies the search base, and -s specifies the type of search):
$ ldapsearch -LLL -x -h ldap.psu.
ibm-ldapservicename: tr17n01.aset.psu.edu
ibm-serverId: 0f876740-64d2-102b-8f0b-8ab9d7eaa702
ibm-supportedacimechanisms: 1.3.18.0.2.26.3
ibm-supportedacimechanisms: 1.3.18.0.2.26.4
ibm-supportedacimechanisms: 1.3.18.0.2.26.2
vendorname: International Business Machines (IBM)
vendorversion: 5.2
ibm-sslciphers: N/A
ibm-slapdisconfigurationmode: FALSE
ibm-slapdSizeLimit: 200
ibm-slapdTimeLimit: 900
ibm-slapdDerefAliases: always
ibm-supportedAuditVersion: 2
ibm-sasldigestrealmname: tr17n01.aset.psu.
uid: ajohnson
cn: Anne Johnson

Using LDIF Files

Lightweight Directory Interchange Format (LDIF) is a file format used to represent LDAP entries in text form. LDAP tools such as ldapadd, ldapmodify, and ldapsearch read and write LDIF files. Here is an example of an LDIF file containing three entries. Multiple entries in an LDIF file are separated by blank lines.
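Because the guide's three-entry LDIF sample did not survive extraction, the following added example, not code from the Apple guide, supplies a constructed three-entry LDIF (not real directory data) and a few awk-based shell helpers that read it: count entries, list their DNs, and pull one attribute out of one entry. The helpers also handle LDIF line folding (a continuation line begins with a single space), which is the detail that most often trips up ad hoc grep-based scripts over ldapsearch output.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: small awk-based readers for LDIF
# text. Entries are separated by blank lines; a line starting with one space
# continues the previous attribute value (LDIF folding).

# Constructed sample with three entries (not real directory data). The
# "description" value is folded across two lines on purpose.
SAMPLE_LDIF='dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corp

dn: cn=users,dc=example,dc=com
objectClass: organizationalUnit
cn: users

dn: uid=ajohnson,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ajohnson
cn: Anne Johnson
description: Engineering depar
 tment'

ldif_unfold() {
  # stdin -> stdout: join folded continuation lines onto the preceding line
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (started) print buf; buf = $0; started = 1 }
    END { if (started) print buf }'
}

ldif_count() {
  # stdin: LDIF -> number of entries (one "dn:" line per entry)
  ldif_unfold | awk '/^dn: / { n++ } END { print n + 0 }'
}

ldif_dns() {
  # stdin: LDIF -> the DN of every entry, one per line
  ldif_unfold | awk '/^dn: / { print substr($0, 5) }'
}

ldif_attr() {
  # usage: ldif_attr DN ATTRIBUTE  (stdin: LDIF) -> that entry's values, one per line
  ldif_unfold | awk -v dn="dn: $1" -v attr="$2: " '
    $0 == dn { hit = 1; next }
    /^$/ { hit = 0 }
    hit && index($0, attr) == 1 { print substr($0, length(attr) + 1) }'
}

# Example: printf "%s\n" "$SAMPLE_LDIF" | ldif_attr uid=ajohnson,cn=users,dc=example,dc=com cn
#   -> Anne Johnson
```

The same pipeline works on a file saved from ldapsearch, which emits LDIF: `ldif_dns < dump.ldif` lists what an export actually contains before it is fed to ldapadd.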
Managing Open Directory Passwords When a user’s account has a password type of Open Directory, the user can be authenticated by Kerberos or the Open Directory Password Server. Kerberos is a network authentication system that uses credentials issued by a trusted server. The Open Directory Password Server supports traditional password authentication methods that some network services or users’ client applications require. Services can be configured to not allow Kerberos.
The following tools are available for setting up your Kerberos and Apple single sign-on environment. For more information about a tool, see the related man page.

Tool (in /usr/sbin/)    Description
kdcsetup                Creates necessary setup files and adds krb5kdc and kadmind servers for the Apple Open Directory KDC.
sso_util                Sets up, interrogates, and tears down the Kerberos configuration in the Apple single sign-on environment.
kerberosautoconfig      Creates the edu.mit.
The principal.kadm5 database is the kadmind process's policy database. It is located in /var/db/krb5kdc/. Although principals and their keys are stored in /var/db/krb5kdc/principal, policies, which can be applied to principals, are stored in principal.kadm5. principal.kadm5.lock is a lock file used by kadmind. It is unlike most lock files, however, because kadmind does not write to the policy or principal database unless the lock file exists.
Often the server administrator can assume that a server's principal name is serviceType/fqdn@REALM. For example, the service principal for the AFP server on the host "server.example.com" in the realm "EXAMPLE.COM" is afpserver/server.example.com@EXAMPLE. However, the service type is service-specific, and the primary place to get the information is the service documentation.

To kerberize a service (from a terminal running on that host):
1 To create the service principal, use kadmin.
Manipulating a Single Named Group Record

Use dseditgroup to manipulate a single named group record on the default local directory domain or on the specified directory domain. The following examples show uses for dseditgroup.

To view the attributes of a group in the local directory domain:
$ dseditgroup -o read groupname

To create a group in a domain:
$ dseditgroup -o create -n /LDAPv3/ldap.example.
Configuring the Active Directory Plug-In

Use dsconfigad to configure the Active Directory plug-in from the command line. dsconfigad has the same functionality for configuring the Active Directory plug-in as the Directory Access application.

To add a computer to a directory:
$ dsconfigad -a computerid -u "administrator" -ou "CN=Computers,OU=Engineering,DC=ads,DC=demo,DC=com" -domain domain.ads.apple.com

Parameter     Description
computerid    The computer ID to add to the domain.
To start the RADIUS server:
$ sudo radiusconfig -start

To stop the RADIUS server:
$ sudo radiusconfig -stop

To disable Transport Level Security (TLS):
$ sudo radiusconfig -disable-tls
This command disables TLS by commenting out the TLS section in the eap.conf file.

To enable TLS:
$ sudo radiusconfig -enable-tls
This command enables TLS by activating the TLS section in the eap.conf file.
To assign an access control group to a client of the RADIUS service:
$ sudo radiusconfig -setgroup nas-name group-name

Parameter     Description
nas-name      The name of the client.
group-name    The name of the access control group.

To configure the rotation of RADIUS service logs:
$ sudo radiusconfig -rotatelog [-n file-count] base-file

Parameter     Description
file-count    The number of log files to preserve.
base-file     The name of the log file.
16 Configuring and Managing QuickTime Streaming Server

Use this chapter to learn the commands to configure and manage the QuickTime Streaming Server service.

This chapter describes the commands used to configure and manage the QuickTime Streaming Server (QTSS). Streaming is the delivery of media, such as movies and live presentations, over a network in real time. A streaming server sends the media to a client computer, which plays the media as it is delivered.
Performing QTSS Tasks

To start QTSS, use the serveradmin tool or the quicktimestreamingserver tool; the latter lets you specify additional service parameters when you start the service.
Changing QTSS Settings

You can change QTSS settings by using the serveradmin tool or by editing the QTSS parameter list file.

To change a setting:
$ sudo serveradmin settings qtss:setting = value

Parameter    Description
setting      A QTSS service setting. To see a list of available settings, enter:
             $ sudo serveradmin settings qtss
             or see "Available QTSS Parameters" on page 271.
value        An appropriate value for the setting.
Parameter (qtss:)                                               Description
modules:_array_id:QTSSAccessLogModule:request_logfile_name      Default = "StreamingServer"
modules:_array_id:QTSSAccessLogModule:request_logfile_size      Default = 10240000
modules:_array_id:QTSSAccessLogModule:request_logging           Default = yes
modules:_array_id:QTSSAccessLogModule:request_logtime_in_gmt    Default = yes
modules:_array_id:QTSSAccessModule:modAccess_groupsfilepath     Default = "/Library/Quick
modules:_array_id:QTSSAccessModule:modAccess_qtaccessfilename   De
Parameter (qtss:)                                                   Description
modules:_array_id:QTSSMP3StreamingModule:mp3_request_logfile_dir    Default = "/Library/QuickTime
modules:_array_id:QTSSMP3StreamingModule:mp3_request_logfile_interval  Default = 7
modules:_array_id:QTSSMP3StreamingModule:mp3_request_logfile_name   Default = "mp3_access"
modules:_array_id:QTSSMP3StreamingModule:mp3_request_logfile_size   Default = 10240000
modules:_array_id:QTSSMP3StreamingModule:mp3_request_logging        Default = yes
modules:_array_id:QTSSMP3StreamingModul
Parameter (qtss:)                                 Description
server:do_report_http_connection_ip_address       Default = no
server:error_logfile_dir                          Default = "/Library/Quick
server:error_logfile_name                         Default = "Error"
server:error_logfile_size                         Default = 256000
server:error_logfile_verbosity                    Default = 2
server:error_logging                              Default = yes
server:force_logs_close_on_write                  Default = no
server:maximum_bandwidth                          Default = 102400
server:maximum_connections                        Default = 1000
server:module_folder                              Default = "/Library/QuickTimeStreami
Viewing QTSS Connections

To retrieve information about QTSS connections, use the serveradmin getConnections command.

To view a list of connected users:
$ sudo serveradmin command qtss:command = getConnections

Viewing QTSS Statistics

To display a log of periodic samples of the number of connections and the data throughput, use the serveradmin getHistory command. Samples are taken once each minute.
Value displayed by getHistory    Description
- The numerical value of the sample. For connections (v1), this is the integer average number of connections. For throughput (v2), this is integer bytes per second.
- The time when the sample was measured. A standard UNIX time (number of seconds since September 1, 1970). Samples are taken every 60 seconds.

Viewing Service Logs and Log Paths

To view the contents of the QTSS logs, use tail or another file listing tool.
3 Send a HUP signal to one of the two process IDs (PIDs) for QuickTimeStreamingServer (949 or 950). For example:
$ kill -HUP 950

Preparing Older Home Folders for User Streaming

To enable QTSS home folder streaming for home folders created using an earlier version of Mac OS X Server (before v10.3), use the createuserstreamingdir tool to set up the streaming media folder in each user's Home folder.
To reset the broadcaster user name and password:
1 Log in to the server computer and open a Terminal window.
2 Remove the old broadcaster username by entering:
$ sudo qtpasswd -R broadcaster
3 Add a new broadcaster username by entering:
$ sudo qtpasswd -A broadcaster someUserName
4 If the new broadcaster user doesn't exist, follow the prompts to enter and confirm the password.

Controlling Access to Streamed Media

You can set up authentication to control client access to streamed media files.
To set up Open-Directory-based user access control:
1 Create user accounts and passwords using Open-Directory-based user account services (for example, users created with System Settings, System Preferences, or Workgroup Manager).
2 Create an access file containing the Open Directory users and groups and place it in the media folder you want to protect.

Note: You can designate qtpasswd-based and Open-Directory-based users and groups in the same access file.
The following is a description of the parameters in the qtaccess file:

Parameter        Description
message          (Optional) Text your users see when the login window appears. If your message contains white space (such as a space character between terms), enclose the text in quotation marks.
user filename    The path and filename of the user file:
                 - For Mac OS X, the default is /Library/QuickTimeStreaming/Config/qtusers.
                 - For other supported platforms, it is /etc/streaming/qtusers.
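The quoting rule for the message is the kind of detail that gets lost when a qtaccess file is written by hand for each protected folder. The following is an added example, not code from the Apple guide: a shell function that renders a qtaccess file from a message, the user and group file paths, and a list of require specifications, quoting the message only when it contains white space. The directive names it emits (AuthName, AuthUserFile, AuthGroupFile, require user/group/valid-user/any-user) follow QTSS's Apache-style access file syntax and are this example's assumption, since the table above names only the parameters; the qtgroups path in the usage example is constructed.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: render a qtaccess file for a
# media folder. Directive names (AuthName, AuthUserFile, AuthGroupFile,
# require) are assumed from QTSS's Apache-style access file syntax.

qtaccess_render() {
  # usage: qtaccess_render MESSAGE USERFILE GROUPFILE REQUIRE...
  #   MESSAGE   may be empty (the message is optional)
  #   GROUPFILE may be empty when no group rules are used
  #   REQUIRE   user:<name> | group:<name> | valid-user | any-user
  message=$1; userfile=$2; groupfile=$3; shift 3
  case $message in
    "") ;;                                                  # optional: omit
    *[[:space:]]*) printf 'AuthName "%s"\n' "$message" ;;   # white space: must be quoted
    *) printf 'AuthName %s\n' "$message" ;;
  esac
  printf 'AuthUserFile %s\n' "$userfile"
  [ -n "$groupfile" ] && printf 'AuthGroupFile %s\n' "$groupfile"
  for spec in "$@"; do
    case $spec in
      user:*)  printf 'require user %s\n' "${spec#user:}" ;;
      group:*) printf 'require group %s\n' "${spec#group:}" ;;
      valid-user|any-user) printf 'require %s\n' "$spec" ;;
      *) echo "qtaccess_render: bad require spec '$spec'" >&2; return 1 ;;
    esac
  done
  return 0
}

# Example (qtgroups path constructed for illustration):
#   qtaccess_render "Staff media" /Library/QuickTimeStreaming/Config/qtusers \
#       /Library/QuickTimeStreaming/Config/qtgroups user:ajohnson group:staff > /path/to/media/qtaccess
```

An unknown require spec fails the whole render rather than writing a partial file, so a typo cannot leave a folder with an access file that protects less than intended.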
Adding User Accounts and Passwords

You can add a user account and password if you log in to the server computer.

To add a user account:
1 Enter the following:
$ sudo qtpasswd -f user filename user-name
2 Enter a password for the user and reenter it when prompted.
Creating Reference Movies

To create reference movies that can be used to embed QuickTime content in Web pages, use the qtref tool. You can use the following options:

Parameter    Description
-r           Create QuickTime Atom ref movie with extension .qtl
-t           Create XML text ref movie with extension .qtl
-a           Create alternate data rate movie with extension .qtl

For more information about using qtref, enter the command without arguments to display usage information.
17 Configuring the Podcast Producer Service

Use this chapter to learn how to control and manage Podcast Capture and the Podcast Producer service.

Mac OS X Server v10.5 provides command-line tools for controlling a Podcast Producer solution. These commands provide the same functionality available in Podcast Capture and the Podcast Producer pane of Server Admin, and more. For more information about Podcast Capture, see its online help.
You can submit multiple files and specify metadata (submission description) and upload buffer size (optional). For example, to specify a .plist file containing a description of the submission and to specify a smaller upload size than the default 128 KB, enter:
$ podcast --submit --file file_path --workflow workflow_name --upload_buffer_size 64

The following is an example of a .plist file containing metadata describing a job submission:
Binding and Unbinding Cameras

To bind a camera to the Podcast Producer server:
$ sudo podcast --bind camera_name

To unbind a camera from the Podcast Producer server:
$ sudo podcast --unbind camera_name

To find out whether a camera is bound to the Podcast Producer server:
$ sudo podcast --isbound
This command returns 1 if the local camera agent is bound to the Podcast Producer server; otherwise, it returns 0.
To resume video capture on a camera:
$ podcast --resume camera_name

Configuring Podcast Producer Service

Use the /usr/bin/pcastconfig tool to configure the Podcast Producer service. For more information about pcastconfig, see its man page.
Configuring Properties

To add a custom property:
$ sudo pcastconfig --add_property p_name --value p_value [--protect]

To remove a custom property:
$ sudo pcastconfig --remove_property p_name

Controlling Access to Properties

To control access to a list of properties:
$ sudo pcastconfig --add_access access_group --properties property_list
This command lets you create a one-time access key that allows the specified group to access a list of colon-separated properties (for example, "p1:p2:p3").
Launching Podcast Producer Server Upon System Startup

To edit the launchd configuration to launch the Podcast Producer server upon system startup:
$ sudo pcastctl server on

To edit the launchd configuration to not launch the Podcast Producer server upon system startup:
$ sudo pcastctl server off

Processing Submitted Content

Use the /usr/bin/pcastaction tool in workflows. It provides a rich set of commands for processing and producing audio and video podcasts.
For more information about pcastaction and its commands, see its man page. You can also view help information about the commands of pcastaction by entering:
$ pcastaction help command

Applying Quartz Composer Compositions to Movies

Quartz Composer supports the notion of composition protocols and repositories where compositions are stored.
Note: Enclose the repository identifier in double quotes ("/copy machine") or escape the spaces by adding a backslash character before a space (/copy\ machine).
Transition          Composition Repository Identifier
Compound Eye        "/compound eye"
Concert             "/concert"
Crystallize         "/crystallize"
Dent                "/dent"
Dot Screen          "/dot screen"
Exposure Adjust     "/exposure adjust"
False Color         "/false color"
Film Stock          "/film stock"
Fish Eye            "/fish eye"
Flip Flop           "/flip flop"
Gamma Adjust        "/gamma adjust"
Glow                "/glow"
Image Resizer       "/image resizer"
Kaleidescope        "/kaleidescope"
Light Tunnel        "/light tunnel"
Line Overlay        "/light overlay"
Line Screen         "/line screen"
Shared File System Uploading Mechanisms

Podcast Producer provides the following mechanisms for uploading content to the shared file system:
- Copy upload (file_upload_url)
- FTP upload (ftp_upload_url)
- HTTPS CGI POST upload (https_upload_url)

Podcast Producer stores the configuration information for these mechanisms in its server preferences file (/Library/Preferences/com.apple.pcastserverd.
FTP Upload Podcast Producer uses the ftp_upload_url mechanism as a last resort because it is not a secure mechanism for uploading. If the Podcast Producer system is deployed in a secure setting, there can be a significant speed advantage to using FTP for uploading content because there is no encryption overhead. Important: The FTP user you define for the ftp_upload_url key must be a member of the submissions_groupname group.
18 Configuring and Managing iCal Service and iChat Service

Use this chapter to learn the commands to configure and administer iCal and iChat services.

This chapter describes the commands for configuring and managing iCal and iChat services. For more information, see iCal Service Administration and iChat Service Administration.

Configuring iCal Service

To start and stop the iCal service and to configure its settings, use the caldavd command-line tool.
To modify service settings:
1 Open the iCal service configuration file (caldavd.plist), which is stored in the /etc/caldavd/ folder by default.
2 Modify the following settings:
- To specify the document root for iCal service, modify the Document Root key.
- To specify the port number the service uses, modify the Port key.
- To enable or disable SSL, modify the SSLEnable key.

Configuring iChat Service

To start and stop the iChat service and to configure its settings, use the serveradmin command-line tool.
19 Configuring and Managing System Logging

Use this chapter to learn the commands to configure and manage system logging.

Logging System Events

Logs are text files that form a record of what has occurred on the system, much like a journal.

Configuring the Log File

Log files are maintained in the /Library/Logs/ and /var/log/ folders. Some commonly monitored log files include console.log and system.log. Applications can have their own log files located in different folders. Console.
The following example specifies that any log message in the mail facility with a priority of emerg or higher is written to the /var/log/mail.log file:
mail.emerg	/var/log/mail.log
The facility and priority are separated by a single period, and they are separated from the action by tabs. Wildcards (*) can also be used. The following line logs all messages of any facility or priority to the file /var/log/all.log:
*.*	/var/log/all.
Remote Logging

Using remote logging in addition to local logging is strongly recommended for any server system, because local logs can easily be altered if the system is compromised. Several security issues must also be considered when deciding to use remote logging:
- The syslog process sends log messages as clear text, which could expose sensitive information.
- Too many log messages can fill storage space on the logging system, making further logging impossible.
Configuring Mac OS X Server to act as a remote log server involves changing the syslogd command-line arguments. Enabling remote logging requires removing the -s flag from the syslogd invocation, which allows any host to send log traffic to the logging computer over UDP and can present security risks. To better control which hosts are allowed to send log messages, use the -a option so that log messages are accepted only from specific IP addresses.
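Two things in the preceding sections are easy to get subtly wrong: a syslog.conf selector with a misspelled facility or a space instead of a tab is silently ignored, and a syslogd started without -s but also without any -a restriction accepts log traffic from anyone who can reach the UDP port. The following is an added example, not code from the Apple guide: a shell helper that emits a validated, tab-separated syslog.conf line (covering both the local-file lines shown earlier and the client-side forward to a remote host), and a check that classifies a proposed syslogd argument string as local-only, restricted, or open. The facility and priority names are the standard syslog ones; the assumption that -a takes one peer specification as its next argument, in the BSD "ipaddr/masklen" form, is this example's, not the guide's.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: build validated syslog.conf
# lines and classify syslogd arguments for the remote-logging case.
# Assumption: -a takes one peer specification as the following argument.

FACILITIES='auth authpriv cron daemon ftp kern lpr mail news security syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7'
PRIORITIES='emerg alert crit err warning notice info debug none'

in_list() {
  # usage: in_list WORD "space separated list" ; pathname expansion disabled meanwhile
  set -f
  for w in $2; do
    [ "$w" = "$1" ] && { set +f; return 0; }
  done
  set +f; return 1
}

syslog_rule() {
  # usage: syslog_rule FACILITY PRIORITY ACTION -> one syslog.conf line, tab-separated.
  # ACTION is a file path or @host (forward to a remote log server).
  [ "$1" = '*' ] || in_list "$1" "$FACILITIES" || { echo "syslog_rule: unknown facility '$1'" >&2; return 1; }
  [ "$2" = '*' ] || in_list "$2" "$PRIORITIES" || { echo "syslog_rule: unknown priority '$2'" >&2; return 1; }
  printf '%s.%s\t%s\n' "$1" "$2" "$3"
}

syslogd_args_check() {
  # usage: syslogd_args_check "<syslogd arguments>"
  # prints local-only (-s present), restricted (-a present), or open (neither);
  # returns 1 for open, meaning any host may send via UDP.
  secure=0; allowed=0
  set -f; set -- $1; set +f
  while [ $# -gt 0 ]; do
    case $1 in
      -s) secure=1 ;;
      -a) allowed=1; [ $# -gt 1 ] && shift ;;   # skip the peer specification
    esac
    shift
  done
  if [ $secure -eq 1 ]; then echo local-only; return 0; fi
  if [ $allowed -eq 1 ]; then echo restricted; return 0; fi
  echo open; return 1
}

# Examples:
#   syslog_rule mail emerg /var/log/mail.log   -> mail.emerg<TAB>/var/log/mail.log
#   syslog_rule '*' '*' @loghost.example.com   -> client-side forward of everything
#   syslogd_args_check '-a 10.0.1.0/24'        -> restricted
```

On the log server, run `syslogd_args_check` over the argument string you intend to put in the launchd configuration before restarting syslogd; an "open" verdict means the -s removal was done without the matching -a restriction described above.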
Appendix PCI RAID Card Command Reference

Use this appendix to learn the megaraid commands to manage a PCI RAID card.

The uses of the megaraid tool are described in the following table, along with parameter explanations.

Parameter                                 Description
megaraid -alarm -on | -off | -silence     Turns the alarm on, off, or to silence. When the alarm is set to silence, it turns off for the current failure but turns on again for the next failure.
Parameter                                 Description
megaraid -create R0 | R1 | R5 -drive {0 1 2 3} [-stripesize n] [-size x] [-writecache enable | disable] [-readahead on | off | adaptive] [-iopolicy direct | cached] [-log file]
                                          Creates a logical drive and adds it to the configuration. The RAID level and participating physical drives' parameters are required. Other parameters are optional. If size is not specified, the remaining size of the array is used.
Parameter                                 Description
megaraid -showconfig [ld] [-log file]     Displays the RAID configuration of the computer, including logical drive ID, RAID level, size, status, and participating physical drives. The logical drive status can be failed, degraded, or optimal. You cannot access a failed logical drive or recover data from it. You can access all data on a degraded logical drive (without a failure) even if attached physical drives are not in good condition.
Glossary Glossary This glossary defines terms and spells out abbreviations you may encounter while working with online help or the various reference manuals for Mac OS X Server. References to terms defined elsewhere in the glossary appear in italics. ACE Access Control Entry. An entry within the ACL that controls access rights. See ACL. ACL Access Control List. A list, maintained by a system, that defines the rights of users and groups to access resources on the system.
boot ROM Low-level instructions used by a computer in the first stages of starting up. BootP An older method of allocating IP addresses to clients on a network See also DHCP. BSD Berkeley Software Distribution. A version of UNIX on which Mac OS X software is based. canonical name The “real” name of a server when you’ve given it a “nickname” or alias. For example, mail.apple.com might have a canonical name of MailSrv473.apple.com.
computer name The default name used for SLP and SMB service registrations. The Network Browser in the Finder uses SLP to find computers advertising Personal File Sharing and Windows File Sharing. It can be set to bridge subnets depending on the network router settings. When you turn on Personal File Sharing, users see the computer name in the Connect to Server dialog in the Finder. Initially it is “’s Computer” (for example, “John’s Computer”) but can be changed to anything.
DNS Domain Name System. A distributed database that maps IP addresses to domain names. A DNS server, also known as a name server, keeps a list of names and the IP addresses associated with each name. DNS domain A unique name of a computer used in the Domain Name System to translate IP addresses and names. Also called a domain name. DNS name A unique name of a computer used in the Domain Name System to translate IP addresses and names. Also called a domain name.
FTP File Transfer Protocol. A protocol that allows computers to transfer files over a network. FTP clients using any operating system that supports FTP can connect to a file server and download files, depending on their access privileges. Most Internet browsers and a number of freeware applications can be used to access an FTP server. group A collection of users who have similar needs. Groups simplify the administration of shared resources.
ICMP Internet Control Message Protocol. A message control and error-reporting protocol used between host servers and gateways. For example, some Internet software applications use ICMP to send a packet on a round trip between two hosts to determine round-trip times and discover problems on the network. image See disk image. IMAP Internet Message Access Protocol. A client-server mail protocol that allows users to store their mail on the mail server rather than downloading it to the local computer.
Kerberos A secure network authentication system. Kerberos uses tickets, which are issued for a specific user, service, and period of time. After a user is authenticated, it’s possible to access additional services without retyping a password (called single signon) for services that have been configured to take Kerberos tickets. Mac OS X Server uses Kerberos v5. Kerberos Key Distribution Center See KDC.
log in (verb) To start a session with a computer (often by authenticating as a user with an account on the computer) in order to obtain services or access files. Note that logging in is separate from connecting, which merely entails establishing a physical link with the computer. logical disk A storage device that appears to a user as a single disk for storing files, even though it might actually consist of more than one physical disk drive.
NetBIOS Network Basic Input/Output System. A program that allows applications on different computers to communicate within a local area network. NetBoot server A Mac OS X server on which you’ve installed NetBoot software and have configured to allow clients to start up from disk images on the server. Network File System See NFS. NFS Network File System. A client/server protocol that uses Internet Protocol (IP) to allow remote users to access files as though they were local.
password policy A set of rules that regulate the composition and validity of a user’s password. Password Server See Open Directory Password Server. pathname The location of an item within a file system, represented as a series of names separated by slashes (/). PDC Primary domain controller. In Windows networking, a domain controller that has been designated as the primary authentication server for its domain. permissions Settings that define the kind of access users have to shared items in a file system.
PPD file PostScript Printer Description file. A file that contains information about the capabilities of a particular printer model. The PPD file provides the controls you need to take advantage of special features such as multiple paper trays, special paper sizes, or duplex printing. The printer model you choose when you add a printer specifies the PPD file used with the printer. predefined accounts User accounts that are created automatically when you install Mac OS X.
QTSS QuickTime Streaming Server. A technology that lets you deliver media over the Internet in real time. queue An orderly waiting area where items wait for some type of attention from the system. See also print queue. QuickTime Streaming Server See QTSS. RADIUS Remote Authentication Dial-In User Service. RADIUS server A computer on the network that provides a centralized database of authentication information for computers on the network. RAID Redundant Array of Independent (or Inexpensive) Disks.
RAID level A storage allocation scheme used for storing data on a RAID array. Specified by a number, as in RAID 3 or RAID 0+1. RAID set See RAID array. Real Time Streaming Protocol See RTSP. Real-Time Transport Protocol See RTP. realm General term with multiple applications. See WebDAV realm, Kerberos realm. relay In QuickTime Streaming Server, a relay receives an incoming stream and then forwards that stream to one or more streaming servers.
session The period of time during which two programs, or two users running programs, communicate across a network. For example, when a user logs in to a file server, a session is initiated that continues until the user logs out or the session is terminated by the file service. Session Description Protocol See SDP. shadow image A file created by the NetBoot daemon process for each NetBoot client where applications running on the client can write temporary data.
spam Unsolicited email; junk mail. SSL Secure Sockets Layer. A protocol that lets applications exchange encrypted, authenticated data across the Internet. Its successor protocol is TLS (Transport Layer Security); SSL 2.0 and 3.0 are obsolete and should not be enabled on servers. static IP address An IP address that's assigned to a computer or device once and is never changed.
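A check a practitioner would want for the SSL/TLS entry above, as an added shell example that is neither from this guide nor from Apple: the function reads the output of openssl s_client on standard input and succeeds only if the negotiated protocol is a TLS version, failing for SSLv2/SSLv3 or for a session that never completed. The host name in the usage comment is assumed, and the two s_client fragments are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the guide: verify that a service negotiated TLS
# rather than SSLv2/SSLv3, using the "Protocol  :" line that openssl s_client
# prints in its SSL-Session block.
#
# Real use (host name assumed):
#   openssl s_client -connect mail.example.com:993 </dev/null 2>/dev/null \
#     | check_tls_protocol

# check_tls_protocol: s_client output on stdin
#   exit 0 -> TLS negotiated, 1 -> SSLv2/SSLv3 negotiated, 2 -> no session
check_tls_protocol() {
    proto=$(sed -n 's/^ *Protocol *: *//p' | head -n 1)
    case "$proto" in
        TLSv1*) echo "ok: negotiated $proto"; return 0 ;;
        "")     echo "no session negotiated (handshake failed?)" >&2; return 2 ;;
        *)      echo "weak protocol negotiated: $proto" >&2; return 1 ;;
    esac
}

# Constructed s_client fragments for offline demonstration (not real captures)
SAMPLE_TLS='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
SAMPLE_SSL3='SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA'

# Demonstration on the constructed fragments; real use pipes s_client output in
printf '%s\n' "$SAMPLE_TLS"  | check_tls_protocol
printf '%s\n' "$SAMPLE_SSL3" | check_tls_protocol || true
```

The check accepts any TLS version, including TLS 1.0, which was current for this guide but is now legacy; tightening the first pattern to TLSv1.[23]* rejects the older versions as well.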
URL Uniform Resource Locator. The address of a computer, file, or resource that can be accessed on a local network or the Internet. The URL is made up of the name of the protocol needed to access the resource, a domain name that identifies a specific computer on the Internet, and a hierarchical description of a file location on the computer. user ID See UID. user name The long name for a user, sometimes referred to as the user’s real name. See also short name.
A ab tool 217 access ACLs 162, 163, 164 Podcast properties 287 QTSS 278, 279, 280, 281 SSH service 35 Telnet 36 user 106 See also ACLs; permissions access control lists.
installing server software 41, 42 storage location 100 See also remote computers configd daemon 82 configuration automatic 42, 43 customizing file 45 encrypted 45 Ethernet 72, 73, 74 file storage 48 firewall rules 233, 235 IP failover 249 LDAP 255, 256, 265 log files 297 mailboxes 207 modifying settings 49 moving servers 53 naming file 43 network interfaces 65, 73 network services 67 overview 39 Podcast Producer 286, 287 RADIUS 266 remote 49 restoring service defaults 251 saving file 43 site-to-site VPN 246
E email. See Mail service encryption 31, 33, 34, 35, 45, 63 energy saver settings 61 environment variables 24 env tool 24 Ethernet 66, 72, 73, 74 exporting users and groups 127 F files, specifying 22 file services 137 See also AFP; FTP; NFS; share points file systems mail storage 186 Podcast shared 292, 293 searching 95, 96 workings of 85 See also volumes File Transfer Protocol. See FTP FileVault 32 finding.
software updates 52 installer tool 39, 182 instant messaging. See iChat service Internet Printing Protocol. See IPP IP addresses changing 68 forwarding 230 IPv4 addressing 72 validating 70 IP failover 247, 248, 249, 250 IPFilter service. See Firewall service ipfilter tool 231 ipfw.
logs 201 mailbox configuration 207 Mailman 186 managing 187 overview 185 Postfix 185 settings 187, 188 Sieve scripting 208, 210 SSL 203, 205, 206 statistics 200 status checking 187 stopping 187 mail service overview 185 Sieve scripting 208, 209 SSL 206 starting 187 managed client/user 99 managed preferences, working with 118, 121 man-in-the-middle attacks 34 man pages 29 man tool 29 maximum transmission unit. See MTU MCX extensions 118, 119 mdfind tool 96 mdls tool 96 mdutil tool 96 media, streaming.
overview 253 passwords 261 service tools 264, 265 settings 254 testing configuration 254 testing plug-ins 254 tools 254 See also Active Directory; domains, directory; LDAP Open Directory Password Server 261 Open Firmware interface 57, 134, 182 P packets, data 66, 234 parameters, entering conventions 16, 17 partitions, disk displaying information 87 erasing 90 formatting 91 workings of 85 passphrases 45 passwd tool 104 passwords importing 125 Mail service 206 Open Directory 33 Open Firmware 134 policies 134
settings 270, 271 starting 270 statistics 275 status checking 270 stopping 270 quotas, disk 140 R racoon daemon 245 RADIUS (Remote Authentication Dial-In User Service) 266 RAID (Redundant Array of Independent Disks) 97, 301 rebinding options, LDAP 257 record descriptions, writing 124 Redundant Array of Independent Disks. See RAID reference movies 282 Remote Authentication Dial-In User Service (RADIUS).
Sieve scripting 208, 209, 210 Simple Authentication and Security Layer. See SASL Simple Mail Transfer Protocol. See SMTP Simple Network Management Protocol.
administrator 101, 102 authentication 33 creating 100, 102, 105 introduction 99 managing 99 modifying 108 QTSS 281 removing 106 user information 136 See also group accounts; guest accounts; users user name 277 users access control 35, 106 adding to groups 113 administrator 100 connections 146, 147, 148, 155, 160, 161 disk quotas 140 exporting 127 importing 123, 124, 126 keyagent for VPN 247 LDAP search for 257 messages to 147 name checking 107 passwords 107 permissions 99, 127, 128, 129, 130, 163 QTSS 281 r