Whether you're a seasoned Unix or Windows administrator or a long-time Mac professional, Essential Mac OS X Panther Server Administration provides you with the depth you're seeking to max
By Michael Bartosh, Ryan Faas
Publisher: O'Reilly Pub Date: May 2005 ISBN: 0-596-00635-7 Pages: 848
From the command line to Apple's graphical tools, this book uses a thorough, fundamental approach that leads readers to mastery of every aspect of the server. Full of much-needed insight, clear explanations, troubleshooting tips, and security information in every chapter, the book shows system administrators how to utilize the software's capabilities and
most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or
Apple, the Apple logo, Mac, Finder, FireWire, iBook, iDisk, iMac, iPod, Mac, Mac logo, Macintosh, PowerBook, QuickTime, QuickTime logo, Rendezvous, and Sherlock are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. The "keyboard" Apple logo (Shift-Command-K) is used with permission of Apple Computer, Inc.
While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
As Apple's place in institutional and enterprise marketplaces has grown, so has Mac OS X Server, Apple's server software product. Mac OS X Server seeks to provide centralized services to a variety of cross-platform clients, and has only grown in scope since its introduction in 2000. That tremendously expanding scope gave birth to this book.
Little or no in-depth documentation exists for Mac OS X Server. Sure, Apple provides about 1,200 pages worth of PDF documentation, but you have to wade through fields of Apple marketing jargon to get to the tasty bits, and even then, you're left holding crumbs and scratching your head. A lot. Essential Mac OS X Panther Server Administration seeks to fill that void, approaching Apple's server systems in a thorough and fundamental way, from the command line to Apple's graphical tools.
Essential Mac OS X Panther Server Administration is for the IT professional who wants to push Mac OS X Server to its limits. Server administration all too typically is a complex task, requiring integration with not one but several disparate systems, often run by different administrators, and this book is written with that in mind. If you've ever wondered how to safely manipulate Mac OS X Server's many underlying configuration files or needed to explain AFP permission mapping, this book's for you.
This book is written for Macintosh system administrators responsible for running Mac OS X Server. While the focus is oriented towards IT professionals, this book should also be of interest to anyone pursuing an accumulated knowledge of server products and their evolution. Whether you're a seasoned Unix or Windows administrator or a long-time Mac professional, Essential Mac OS X Panther Server Administration provides you with the depth you're seeking to maximize the potential of your Mac OS X Server deployment.
This is not a book for beginners. If you are a graphic artist looking to install a web server, you should probably look for another book, such as
services. As mentioned earlier, Mac OS X Server is an extremely broad product providing a variety of services. This book is not meant as a complete, protocol-level discussion of HTTP, DNS, or any other of the well-documented technologies implemented in Mac OS X Server. It is instead concerned primarily with Apple-specific changes, management techniques and configuration architectures.
This chapter acquaints you with the basic concerns of deployment planning. Hardware and infrastructure
large body of knowledge has developed around technologies that complement Apple's efforts. The most thorough documentation of its type available, this chapter provides an analysis of the Mac OS X Server installation process through several variations: graphical, command-line, remote, and local.
Chapter 3, Server Management Tools
The centerpiece of Mac OS X Server is its management tool suite. With an eye towards remote management, these tools tie the user experience together and provide cohesiveness among the product's many services and options. This chapter examines both those tools and the underlying infrastructures that support their functionality.
Chapter 4, System Administration
In the past 20 or 30 years, a number of trends have developed in the field generally known as system administration. This chapter examines those trends and techniques in the context of how they specifically apply to Mac OS X Server. Specific topics such as backup and software updates are also included in this chapter.
Chapter 5, Troubleshooting
When things break, they need to be fixed. This chapter consists of a rich set of tools and heuristics that may be leveraged towards those ends.
Traditional system administration titles have not had to focus much on user management. As centralized systems have developed, though, and as directory services have risen in visibility in core Apple markets, it has become necessary to devote increasingly large amounts of documentation to these increasingly complex systems. Part III documents the server side of Apple's directory services infrastructure.
Chapter 6, Open Directory Server
Open Directory Server is Apple's Directory Service; like Microsoft's Active Directory, it is used to store administrative data (such as user and group accounts and security policies) centrally on the network. The biggest strength of this architecture is perhaps its standardized configuration mechanism. This chapter concerns the configuration and management and coordination of the underlying services that make up Open Directory Server.
Chapter 7, Identification and Authorization in Open Directory Server
Identity management is central to any directory service. This chapter discusses Apple's use of OpenLDAP in identification and authorization.
Chapter 8, Authentication in Open Directory Server
Part III, IP Services
Network services can be described generally as services on which other services depend. They provide the basic functionality that makes networks useful and more friendly.
Chapter 10, xinetd
xinetd (which replaces the traditional Unix inetd) is a critical underlying process that starts certain system services on demand. Due to its central nature, I've devoted a chapter to it, even though it cannot be configured graphically.
Chapter 11, DNS
This chapter looks at Mac OS X DNS Services, from
infrastructure put into place to help manage BIND, the underlying open source DNS server. Also included are a variety of advanced configuration techniques often
Chapter 13, NAT
Network Address Translation, or NAT, has come to be a fundamental building block in network services everywhere. This chapter shows you how to use the Server Admin tool, as well as the command line, to set up and configure NAT services.
Part IV, File Services
File and print services have long been a vital aspect of Apple Server products. This section of the book takes a close look at those services, with an emphasis on their commonalities and advanced configurations.
Chapter 14, File Services Overview
One of Mac OS X Server's strong points is its ability to
management systems put in place to set up shares and customize their behavior.
Chapter 15, Apple Filing Protocol
The Apple Filing Protocol is Apple's homegrown file service, and is also the filesystem most commonly used for high-demand roles like network home directories.
Chapter 16, Windows File Services
Apple does not exist in a vacuum, and a flexible and robust Windows Services implementation is vital to the success of Mac OS X Server in nearly any market.
Chapter 17, FTP
As ubiquitous as it is insecure, FTP unfortunately cannot be ignored. Users both inside and outside of your server framework will most likely need FTP services for transferring files back and forth. This chapter shows you how to set up and configure FTP services, and discusses
documented extensively in Chapter 18.
Chapter 19, Print Services
Server-side print management has not proven to be Mac OS X Server's forte. This chapter provides an analysis of Apple's print service infrastructure and its Common Unix Printing System (CUPS) backend.
Part V, Security Services
Central to any modern IT component is the question of security. Although good security principles are illustrated throughout the book, this part covers Mac OS X Server services specifically geared toward security.
Chapter 20, The Mac OS X Server Firewall
Oversold perhaps as often as they are correctly deployed, firewalls (or packet filters) are a vital part of any security strategy. This chapter, written by Andre LeBranche, shows you how to set up and configure
Chapter 23, Web Services
This chapter, written by James Duncan Davidson, details the inner workings of Apache on Mac OS X Server, along with Apple's graphical management toolkit and its underlying configuration infrastructure.
Chapter 24, Application Servers
Most modern web content is dynamic, with information drawn from databases, user input, or a combination of the two. This chapter, written by Wil Iverson, discusses the Java-based software packages that Mac OS X Server uses to provide these dynamic web services.
High on the list of features important to many administrators is client management. This broad term applies to a variety of Server and OS features, but generally refers to the ability to impose user experience restrictions on users, such as which applications they are permitted to run and what their dock looks like. These capabilities are detailed in this part, which was written by Ryan Faas.
Chapter 25, Managing Preferences for Mac OS X Clients
Managed preferences allow you to preconfigure many of the settings users would typically configure on a standalone Mac OS X workstation. This chapter shows you how to use Workgroup Manager to manage the user environment for individual users, groups, workstations, or a combination of all three.
Chapter 26, Managing Classic Mac OS Workstations Using Mac Manager
This chapter shows you how to use the Mac Manager to tap into Mac OS 9's multiple users feature for managing Classic Mac OS workstations. You'll learn about Mac OS 9's multiple users feature and how to create limited-access users, and also learn about Mac Manager's server component, installed with Mac OS X Server.
Chapter 27, Managing Windows Clients Using Mac OS X Server
Windows services under Mac OS Server include the
protocol, which is the default file and print protocol for Windows, and Windows name resolution services, as
shows you how to image a system, and describes NetBoot and NetInstall: not only what they do and how to use them, but also how they differ. You'll also learn how to use Apple Software Restore (ASR) to apply Mac OS 9 and Mac OS X client images.
Chapter 29, Apple Remote Desktop
Although not included with Mac OS X Server, Apple Remote Desktop (also called simply Remote Desktop, or ARD) is an incredibly robust and useful tool that can make several of the tasks of deploying and managing a Mac network much easier for administrators and technical support staff alike. This chapter discusses the administrative and reporting functions of Apple Remote Desktop 2.1 (the current version as of this writing) and how they can be of use to system administrators and other IT staff.
There is also one appendix to this book:
Used in examples and tables to show text that should be replaced with user-supplied values.
Menus/Navigation
Menus and their options are referred to in the text as File → Open, Edit → Copy, and so on. Arrows are also used to signify a navigation path when using window options; for example, System Preferences → Desktop & Screen Saver → Screen Saver means that you would launch System Preferences, click on the icon for the Desktop & Screen Saver preferences panel, and select the Screen Saver pane within that panel.
Pathnames
Pathnames are used to show the location of a file or application in the filesystem. Directories (or folders, for Mac and Windows users) are separated by a forward slash. For example, if you see something like, "launch the Terminal application (/Applications/Utilities)" in the text, that means the Terminal application can be found in the Utilities subfolder of the Applications folder.
The tilde character (~) refers to the current user's Home folder, so ~/Library refers to the Library folder within your own Home folder.
A carriage return ( ) at the end of a line of code is used to denote an unnatural line break; that is, you should not enter these as two lines of code, but as one continuous line. Multiple lines are used in these cases due to printing constraints.
$, #
prompt for the root user.
Menu symbols
When looking at the menus for any application, you will see some symbols associated with keyboard shortcuts for a particular command. For example, to open a document in Microsoft Word, you could go to the File menu and select Open (File → Open), or you could issue the keyboard shortcut -O.
Figure P-1 shows the symbols used in the various menus to denote a shortcut.
Figure P-1 Keyboard accelerators for issuing commands.
Rarely will you see the Control symbol used as a menu command option; it's more often used in association with mouse clicks or for working with the tcsh shell.
Indicates a tip, suggestion, or general note.
Indicates a warning or caution.
This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product's documentation does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For
When you see a Safari® Enabled icon on the cover of your favorite technology book, it means the book is available online through the O'Reilly Network Safari Bookshelf.
Safari offers a solution that's better than e-books. It's a virtual library that lets you easily search thousands of top technology books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com
Please address comments and questions concerning this book to the publisher:
http://www.oreilly.com/catalog/macxserver/
The author additionally maintains a site for further reading and discussion of book content:
http://www.pantherserver.org
To comment or ask technical questions about this book, send email to:
bookquestions@oreilly.com
For more information about our books, conferences, Resource Centers, and the O'Reilly Network, see our web site at:
http://www.oreilly.com
This book wouldn't have been feasible without the help, tolerance, and support of many people, chief among them my wife Amber, who has not yet had the good sense to leave me. Thanks also to the following contributors:
Andre LeBranche, for contributing Chapter 20, The Mac OS X Server Firewall.
Joel Rennich of afp54.com (and now at Apple) has been a friend, a sounding board, and finally a contributor when the first edition of this book came close to the wire. Joel contributed Chapter 21, Virtual Private Networks.
James Duncan Davidson, for contributing Chapter 23, Web
Josh Wisenbaker
Michael Dhaliwal
Michael Dinsmore
Christopher Mackay
Craig Kabis
Jon L Gardner (thanks also to Jon for showing me around Doha, Qatar)
John Gonder
Jason Deraleau
And here's a long list of thanks to all the people who supported me throughout the year or so it took me to write this book; it's been a long haul, but I couldn't have done it without you all:
My editor, Chuck Toporek, had way more faith in the whole thing than I did (he says he never doubted me, and since you now hold this book, it must be true).
Kurt Ackman was always there to grab a drink and simmer down a little whenever I was in Denver. He was the best AE Apple ever had.
Michelle, Jeff, and Gary at CU Boulder have been supportive since I was their SE, and Scott Brekken convinced me I wanted to work with Apple.
Greg Hydle. Rock on!
me, but he's an alright guy, and he provided some keen feedback.
Schoun Regan is a good guy who's put all sorts of opportunities in front of me, most of which I haven't blown.
Iris Burdett is a hell of a lot of fun.
Daveo, Jason, Eric, and Simon have never really steered me wrong and have put up with a bunch of my not-so-positive all-the-time feedback.
Eric, Scott, Leland, Robert, and countless others at Apple have paved the way to make this thing happen, and if they all quit I wouldn't have anything much to write about.
All the folks at macosxlabs. I mean enterprise. Whatever. Thanks for all your input and inclusion.
Todd Snider and Robert Earl Keen provided the soundtrack for the development of this book, although I'd have been done sooner if I went to fewer concerts.
know, thanks.
James Rabe first interested me in the Mac way back. I'm grateful even if the world is still slightly pissed.
Mark McCann introduced me to the real heuristics of Unix system administration.
Thanks to everyone who has shared with me a good time at some point somewhere in the bars, beaches, venues, pastures, and clubs that keep me juiced for all this computer stuff. Thanking all of you would be a book in itself, but probably a good one.
Don't read any order into this other than having Amber first. Put a fork in me. I think I'm done.
Management
Beginnings can be very delicate times, particularly where servers are concerned. By its very nature, a server affects more users than a workstation would; ensuring a proper initial configuration thus becomes doubly important. This section of the book concerns beginnings: both the beginning of a particular server's lifetime (planning and installation) and the beginning of an administrator's experience with Mac OS X Server, from its basic graphical tools to more advanced system administration and troubleshooting techniques. In every case, care is taken to undertake a thorough analysis, highlighting the
Environment
Installation seems like such a benign thing, and traditionally, in the Mac OS world, it has been: sit down in front of the server, insert the install CD, format the drive, install, and repeat. Largely unchanged since the word CD replaced floppy, server installation is a process most administrators and technical staff are familiar with, and if nothing else it seems like a logical (if also a very boring) way to begin a book. Unix administrators, however, have long had a number of other options: possibly still boring, but in any case much more powerful and flexible from a systems management standpoint. With Mac OS X, and especially with Mac OS X Server, many of these options make their way to the Mac world, often with Apple's characteristic ease of use.
A second and very important aspect of this process is planning. Technology vendors, particularly Apple, endeavor to remove complexity from the computing experience, in many cases very successfully. Integration into heterogeneous environments, though, is still a complex issue with a number of facets. Good planning can go a long way towards reducing the number of headaches and unexpected speed bumps that administrators experience. Unfortunately, planning is a little-documented and often-neglected part of deployment. This chapter examines that pre-installation process, starting with purchasing and policy decisions and traveling down several feasible installation and configuration routes.
Covering installation planning in the first chapter might seem a little awkward. You'll be asked to take a lot of things into consideration, many of which you may not have any experience with yet, but most of which will be covered later in the book. With that in mind, this first chapter contains a lot of forward pointers to other material. Feel free to
to you.
1.1.1 Hardware
Apple's Xserve, a 1U (single standard rack-size) server product, has effectively ended most conversations about hardware choices. When the numbers are run, the Xserve, with its included unlimited client license version of Mac OS X Server, is almost always a better value than a Power Mac G5 with a separate Server license tacked on. The only real exceptions are very small deployments (particularly in education environments[*]), environments with existing hardware that can be put to work as a server, or when the purchase of new hardware can't be justified.
[*] In the education market, Mac OS X is sold for approximately half of its retail price.
That said, Mac OS X Server can run on virtually any hardware platform that Mac OS X can. In fact, much of the testing that went into this book was carried out on a set of iBooks I carry
such a configuration; in fact, portables are specifically not supported by Mac OS X Server. Real deployments should always conform to Apple's list of supported hardware, if for no reason other than that getting support for an unsupported hardware platform can be quite difficult.
According to Apple's web site, Mac OS X Server requires an Xserve, Power Mac G5, G4, or G3, iMac, or eMac computer; a minimum of 128 MB RAM or at least 256 MB RAM for high-demand servers running multiple services; built-in USB; and 4 GB of available disk space. These specifications are probably underestimated for most server roles.
The choice of a supported platform, though, is really only the beginning of a good planning process. Hardware configuration is an entirely different matter. Mac OS X Server is a general-purpose server product with literally hundreds of features. This means that it's very difficult to draw conclusions about hardware requirements without defining what the server will be used for. For instance, an iMac with 128 MB RAM could easily support thousands of static-content HTTP queries a day, while an Apple Filing Protocol (AFP) server supporting the same number of connections would need to be significantly more capable. The point is that different services, even at the same scale, can have very different requirements, and those requirements play an important role in your choice of hardware. Going into great depth regarding the performance bottlenecks of various services is well beyond the scope of this chapter, but is covered in some depth in chapters specific to each service. From this chapter you should take a framework for this planning; the actual details will come later.
One very important concept relates to system architecture: determining where bottlenecks actually exist in a system (be it
100 and Serial ATA, over the well-established nature of SCSI connectivity. Time will tell whether or not this choice, of size and redundancy over performance and reliability, was a good one. In the meantime, it is yet another area in which Apple has taken a strong stand in defense of some technology in a new role. Second, on a related note, the choice of fiber and the adoption of SAN technology illustrates a common trend seen in Apple products: bringing enterprise technology into the workgroup and driving down the price of previously very expensive products. Xsan is not covered in this book.
levels: choice of storage technology and storage configuration. We'll look at both of these issues as they relate to the planning process, as well as examine some specific products and the architectural decisions that went into them. Our discussion focuses on the Xserve, since it is the most common Mac OS X Server platform. This focus doesn't really narrow our conversation much, since the Xserve is mostly a Mac in a server enclosure. It does, though, give us some focus.
1.1.2.1 Storage technologies
At one time in the not-so-distant past, discussions of server storage technologies (outside of very massive high-end hardware) tended to be fairly simple. Server platforms have traditionally supported SCSI disks (that was that) and then you could move into discussions of volume management. Apple was the first vendor to change that, by using ATA disks in the Xserve in such a way that they became viable for server products. This feature has spurred considerable debate and (toward the overall good of the server industry) made our discussion more complex. This section examines various storage technologies and highlights their strengths, weaknesses, and relative cost.
Discussion of generic storage technologies might seem to be beyond the scope of this book, given its stated goal of refraining from rehashing material that's widely available elsewhere. However, the topic of storage technologies is particularly germane to Mac OS X Server system administration for a number of reasons:
As mentioned, Apple has really pioneered use of IDE/ATA drives in server products in both the Xserve and Xserve RAID. This design necessitates a number of discussions that