Under the copyright laws, this publication may not be copied, in whole or in part, without the written consent of
Apple.
The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the
“keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may
constitute trademark infringement and unfair competition in violation of federal and state laws.
Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, Final Cut Pro, FireWire, Keychain, Mac,
Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc.,
registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, iMovie, and Power Mac are
trademarks of Apple Computer, Inc.
Adobe and PostScript are trademarks of Adobe Systems Incorporated.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in
the U.S. and other countries.
Netscape Navigator is a trademark of Netscape Communications Corporation.
RealAudio is a trademark of Progressive Networks, Inc.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open
Company, Ltd.
062-8441/7-26-01
Contents
Preface
How to Use This Guide 15
What’s Included in This Guide 15
Setting Up Mac OS X Server for the First Time 16
Getting Help for Everyday Management Tasks 16
Getting Additional Information 17
1 Mac OS X Server Administration 19
What Is Mac OS X Server? 19
Using Mac OS X Server 20
K–12 Classrooms and Labs 21
Higher Education Facilities 22
Design and Publishing Businesses 24
Web Service Providers 25
Services Included With Mac OS X Server 26
Directory Services 26
File Services 26
Print Service 27
Web Service 27
Mail Service 28
QuickTime Streaming Service 28
Client Management Services 28
Network Services 28
Application Services 30
How You Administer the Services 30
Server Admin 31
Macintosh Manager 34
Streaming Server Admin 34
NetBoot Desktop Admin 35
Setting Up Your Server for the First Time 35
Step 1: Get acquainted with the server and its administration applications 35
Step 2: Install the server 35
Step 3: Log in 35
Step 4: Create share points 36
Step 5: Define default home directory settings 36
Step 6: Define users 36
Step 7: Define groups 37
Step 8: Assign privileges to share points 38
Step 9: Set up additional services as required 38
Where to Find More Information About Mac OS X Server and Server Management 40
If You’re New to Server and Network Management 40
If You’re an Experienced Server Administrator 40
2 Directory Services 41
What Are Directory Services? 41
User Information Needed for Authentication 41
Other User Information Needed by the Server 41
Where You Can Define User Information 42
How the Server Finds User Information 45
Using NetInfo 46
Before You Set Up NetInfo 46
Setting Up NetInfo for the First Time 50
Using LDAP 51
Before You Set Up LDAP Server Access 51
Setting Up LDAP for the First Time 51
Setting Up Search Policies 52
Before You Set Up Your Search Policy 55
Setting Up Search Policies for the First Time 55
3 Users and Groups 57
What Are Users and Groups? 57
How User Information Is Used 57
Characteristics of Users 58
Characteristics of Groups 59
Before You Set Up Users and Groups 59
Setting Up Users and Groups for the First Time 59
Step 1: Modify the administrator account defined at server setup 59
Step 2: Create new users 60
Step 3: Create new groups (optional) 60
User Settings 60
General User Settings 61
Advanced User Settings 62
User Comment 65
Mail Service Settings 65
Group Settings 68
Users and Groups Strategies and Tips 70
Exporting and Importing Users and Groups 70
Setting Up Home Directories to Mount Automatically 70
Mac OS X Server Password Restrictions 71
Solving Problems With Users and Groups 72
4 Sharing 73
What Is Sharing? 73
Before You Assign Privileges 73
Explicit Privileges 74
Types of Privileges 74
User Categories 74
Client Users and Privileges 75
Security Issues 75
Setting Up Sharing for the First Time 76
Step 1: Turn file service on 77
Step 2: Create a share point 77
Step 3: Set privileges for share points 77
Sharing Settings 78
General Settings 78
Automount Settings 80
NFS Access Control Settings 81
Solving Problems With Sharing 82
5 File Services 83
What Are File Services? 83
Before You Set Up File Services 83
Setting File and Folder Privileges 83
Restricting Guest Access 84
Allowing Access to Registered Users Only 84
Apple File Service 85
Before You Set Up Apple File Service 85
Setting Up Apple File Service for the First Time 85
Apple File Service Settings 86
Solving Problems With Apple File Service 91
Apple File Service Specifications 92
Windows Services 93
Before You Set Up Windows Services 93
Setting Up Windows Services for the First Time 94
Windows Services Settings 95
Solving Problems With Windows Services 99
Windows Services Specifications 99
Network File System (NFS) Service 100
Who Should Use NFS Service? 100
Before You Set Up NFS Service 100
Setting Up NFS for the First Time 101
NFS Service Settings 101
NFS Access Control Settings 102
File Transfer Protocol (FTP) Service 104
Before You Set Up FTP Service 104
Setting Up FTP Service for the First Time 104
FTP Service Settings 105
FTP Service Strategies and Tips 106
Inside FTP Service 106
Solving Problems With FTP Service 108
FTP Service Specifications 109
Where to Find More Information About File Services 109
6 Print Service 111
What Is Print Service? 111
Connecting Printers to the Server 111
Sharing Queues Over the Network 112
Managing Print Queues and Their Jobs 113
Monitoring Print Jobs 113
Before You Set Up Print Service 113
Setting Up Print Service for the First Time 114
Step 1: Add printers 114
Step 2: Configure print service 114
Step 3: Configure print queues 114
Step 4: Start print service 114
Step 5: Enable Windows services (optional) 114
Step 6: Set up printing from client computers 114
Print Service Settings 115
General Print Service Settings 115
Print Queue Settings 116
Print Job Settings 117
Solving Problems With Print Service 118
7 Web Service 121
What Is Web Service? 121
Before You Set Up Web Service 121
Configuring Web Service 122
Providing Secure Transactions 122
Setting Up Web Sites 122
Hosting More Than One Web Site 122
Understanding WebDAV Security 123
Setting Up Web Service for the First Time 123
Step 1: Set up the Documents folder 123
Step 2: Create a default page 124
Step 3: Assign privileges for your Web site 124
Step 4: Configure Web service 124
Step 5: Start Web service 124
Step 6: Connect to your Web site 124
Web Service Settings 125
General Settings for Web Service 125
Sites Settings for Web Service 127
MIME Types Settings for Web Service 128
Proxy Settings for Web Service 129
Web Site Settings 130
General Settings for Web Sites 131
Logging Settings for Web Sites 133
Access Settings for Web Sites 134
Security Settings for Web Sites 136
Strategies and Tips for Web Service 137
Using Persistent Connections to Improve Server Performance 137
Working With Web Modules 138
Using a Common Gateway Interface (CGI) Script 140
Understanding Multipurpose Internet Mail Extension (MIME) 141
Setting Up Secure Sockets Layer (SSL) Service 142
Monitoring Service Activity and Performance 146
Advanced Apache Configuration 147
Disabling the Cache for Dynamic Web Pages 148
Understanding WebDAV Realms and Privileges 149
Solving Problems With Web Service 149
Web Service Specifications 150
Where to Find More Information About Web Service 151
8 Mail Service 153
What Is Mail Service? 153
Post Office Protocol 153
Internet Message Access Protocol 154
Simple Mail Transfer Protocol 154
Before You Set Up Mail Service 154
Mail Service for a Single Server 154
Mail Service for Multiple Domains 154
MX Records for Internet-Based Mail Service 155
Setting Up Mail Service for the First Time 155
Step 1: Set up MX records 155
Step 2: Start mail service 155
Step 3: Configure mail service 156
Step 4: Select default host settings 157
Step 5: Enable mail for users and create a postmaster account 157
Mail Service Settings 158
General Settings 158
Messages Settings 159
Filter Settings 160
Protocols Settings 162
Host Settings 166
Incoming Mail Settings 166
Outgoing Mail Settings 167
Network Settings 169
Where to Find More Information About Mail Service 170
9 QuickTime Streaming Server 173
What Is QuickTime Streaming Server? 173
Viewing Streamed Media: How It Works 173
Who Should Use QuickTime Streaming Server? 174
Before You Set Up QuickTime Streaming Server 174
Sample Setup for Live Video 175
Setting Up QuickTime Streaming Server for the First Time 175
Step 1: Open Streaming Server Admin 176
Step 2: Choose your streaming server settings 176
Step 3: Set up a Web page to show streamed media (optional) 176
Streaming Server Settings 177
General Settings 177
Logging Settings 178
Connected Users 179
Streaming Server Strategies and Tips 179
Preparing Live Media for Streaming 179
Preparing Stored Media for Streaming 180
Using Playlists to Broadcast Prerecorded Audio or Video 181
Inside QuickTime Streaming Server 184
Compatible File Formats 184
Controlling Access to Streamed Media 185
Getting Media Through Firewalls or Networks With Address Translation 188
Setting Up a Relay 189
Solving Problems With QuickTime Streaming Server 192
Where to Find More Information About QuickTime Streaming Server 194
10 Macintosh Management Service 195
What Is Macintosh Management Service? 195
Who Should Use Macintosh Management Service? 195
Before You Set Up Macintosh Manager 196
Setting Up Macintosh Manager for the First Time 196
Step 1: Make sure users with home directories exist in Users & Groups 196
Step 2: Make sure Macintosh Management service is running 196
Step 3: Log in as an administrator 196
Step 4: Add user accounts 197
Step 5: Create a Macintosh Manager administrator 197
Step 6: Create a workgroup 197
Step 7: Set security options 197
Macintosh Manager Settings 198
Basic Settings for Users 198
Advanced Settings for Users 200
Members Settings for Workgroups 203
Items Settings for Workgroups 205
Privileges Settings for Workgroups 207
Volumes Settings for Workgroups 211
Printers Settings for Workgroups 213
Options Settings for Workgroups 215
Lists Settings for Computers 217
Workgroups Settings for Computers 218
Control Settings for Computers 219
Security Settings for Computers 221
Log-In Settings for Computers 223
Check Out Settings for Computers 224
Global Security Settings 225
Global CD-ROMs Settings 227
Macintosh Manager Strategies and Tips 228
Providing Quick Access to Unimported Users 228
Setting Up Macintosh Manager on Large or Growing Networks 229
Creating Workgroups to Meet Your Network’s Needs 229
Choosing Desktop Environments for Your Workgroups 230
Maximizing Security 231
Inside Macintosh Manager 232
How Macintosh Manager Starts Up 232
How Macintosh Manager Works With Preferences 232
How Macintosh Manager Ensures Security 237
How Client Computers Are Updated From the Server 238
How Macintosh Manager Keeps Track of Users, Workgroups, and Computer Lists 238
About the Macintosh Manager Share Point 239
Using Macintosh Manager and NetBoot Services Together 240
Solving Problems With Macintosh Manager 241
Problems Logging In to Macintosh Manager 241
Problems Client Users May Have 242
Where to Find More Information About Macintosh Manager 243
11 NetBoot 245
What Is NetBoot? 245
Who Should Use NetBoot? 245
Before You Set Up NetBoot 246
Planning Your Network 246
NetBoot Server Worksheet 253
Setting Up NetBoot Server Software for the First Time 254
Step 1: Install NetBoot server software (optional) 254
Step 2: Use the NetBoot Setup Assistant 254
Step 3: Set up Macintosh Manager 255
Step 4: Start up a NetBoot client computer 255
Using NetBoot Desktop Admin 255
Installing Software or Changing the Disk Image 256
NetBoot Strategies and Tips 257
Improving NetBoot Performance 257
Server Performance Factors 258
Inside NetBoot 260
Solving Problems With NetBoot 261
12 Network Services 263
What Are Network Services? 263
Service Location Protocol (SLP) Directory Agent (DA) Service 264
Who Should Use SLP DA Service? 264
Before You Set Up SLP DA Service 264
Setting Up SLP DA Service for the First Time 265
SLP DA Service Settings 267
SLP DA Service Strategies and Tips 269
Dynamic Host Configuration Protocol (DHCP) Service 271
Who Should Use DHCP Service? 271
Before You Set Up DHCP Service 271
Setting Up DHCP Service for the First Time 272
DHCP Service Settings 274
DHCP Service Strategies and Tips 279
Domain Name System (DNS) Service 280
Who Should Use DNS Service? 280
Before You Set Up DNS Service 280
Setting up DNS Service for the First Time 281
DNS Service Strategies and Tips 282
IP Filter Service 285
What Is IP Filter Service? 285
Who Should Use IP Filter Service? 286
Before You Set Up IP Filter Service 286
Setting Up IP Filter Service for the First Time 289
IP Filter Service Settings 290
IP Filter Window Settings 295
IP Filter Service Strategies and Tips 296
Solving Problems With IP Filter Service 300
Where to Find More Information About Network Services 300
Appendix A
Advanced Topics 301
TCP/IP Topics 301
Ports Used by Mac OS X Computers 301
Setting Up a Private TCP/IP Network 304
Setting Up Multiple IP Addresses for a Port 305
Creating IP Filter Rules Using ipfw 306
Where to Find More Information About Setting Up TCP/IP 308
File Format for Importing or Exporting Users and Groups 308
Example XML File 308
Creating Your Own Users and Groups File 312
Where to Find More Information About XML 314
LDAP Data Specifications 314
Mapping User Data 315
Mapping Network Service Data 321
Using the Default Mappings 322
Configuring LDAP Access 323
Backing Up Server Information 328
Appendix B
Mac OS X Server Information Worksheet 329
Glossary 333
Index 339
PREFACE
How to Use This Guide
What’s Included in This Guide
Whether you’re new to networking or an experienced administrator, this book is your
starting point. The chapters you choose to read depend on what you plan to do with
your server.
• Read Chapter 1, “Mac OS X Server Administration,” for an overview of how Mac OS X Server is used, the services it provides, how you administer it, and how you set it up for the first time.
• Chapters 2, 3, and 4 describe three of the core components of Mac OS X Server—directory services, users and groups, and sharing. Most services depend on how you set up these three components, so it’s worthwhile to take the time to read these chapters.
• Chapter 5, “File Services,” describes the file services included in Mac OS X Server: Apple file service, Windows services, Network File System (NFS) service, and File Transfer Protocol (FTP) service.
• Chapter 6, “Print Service,” tells you how to share PostScript™-compatible printers among users on Macintosh, Windows, and other computers.
• Chapter 7, “Web Service,” describes Web service in Mac OS X Server. You’ll learn how to set up secure transactions on your Web server and host multiple Web sites.
• Chapter 8, “Mail Service,” includes information about mail service in Mac OS X Server, including using mail over the Internet and choosing the best protocols for your network.
• Chapter 9, “QuickTime Streaming Server,” describes the service that lets you deliver media over the Internet in real time.
• Chapter 10, “Macintosh Management Service,” offers information about how you can use Macintosh Manager to manage your client computers more effectively.
• Chapter 11, “NetBoot,” describes NetBoot, which allows administrators to configure and update client computers instantly by simply updating the startup disk image on the server.
• Chapter 12, “Network Services,” presents information about Mac OS X Server’s network services, which include Service Location Protocol (SLP) Directory Agent (DA) service, Dynamic Host Configuration Protocol (DHCP) service, Domain Name System (DNS) service, and IP filter service.
• Appendix A, “Advanced Topics,” provides supplemental information for administrators who want more details about advanced server management.
• Appendix B, “Mac OS X Server Information Worksheet,” provides a form for recording information about your server.
• The glossary lists and defines all the acronyms you’ll encounter as you read this manual.
Read any chapter that’s about a service you plan to provide to your users. Each service’s
chapter includes an overview of how the service works, what it can do for you, strategies
for using it, and how to set it up for the first time. Also take a look at any chapter that
describes a service with which you’re unfamiliar. You may find that some of the services
you haven’t used before can help you run your network more efficiently and improve
performance for your users.
Toward the end of some chapters is a section, “Inside” the service, that includes more
technical information for the advanced user. You’ll want to read this section if you want a
deeper understanding of the software or protocols that are running behind the scenes in a
particular service.
Most chapters end with a section called “Where to Find More Information.” This section
points you to Web sites and other reference material where you can find more detailed
information about the service.
Setting Up Mac OS X Server for the First Time
If you haven’t installed and set up Mac OS X Server, do so now. Refer to Getting Started With Mac OS X Server, the fold-out card that came with your software, for instructions on server installation and setup. After completing the steps in that document, use the instructions in Chapter 1 of this guide to set up your server for the first time.
Getting Help for Everyday Management Tasks
If you want to change settings, monitor services, view service logs, or do any other
management task, you can find step-by-step procedures by using the online help available
with each of your server administration programs.
Getting Additional Information
These documents are available at www.apple.com/macosx/server/
• Mac OS X Server Migration Guide provides instructions for upgrading to Mac OS X Server from AppleShare IP, Macintosh Manager, and Mac OS X Server 1.2.
• Understanding and Using NetInfo describes the built-in Mac OS X directory system and provides instructions for configuring NetInfo and Mac OS X Server to increase the power of your Mac OS X network.
CHAPTER 1
Mac OS X Server Administration
This chapter introduces Mac OS X Server and gives an overview of its administration. It also
provides several suggestions for helping you get started with your server:
• “Setting Up Your Server for the First Time” on page 35 provides a procedure for getting your server up and running quickly.
• “Where to Find More Information About Mac OS X Server and Server Management” on page 40 lists resources for server and network management information for both novice and experienced server administrators.
What Is Mac OS X Server?
Mac OS X Server is a powerful server platform that delivers a complete range of services to
users on the Internet and the local network:
• It lets you connect users to each other, using such services as mail and file sharing.
• It helps you share system resources, such as printers and computers.
• It can host Internet services, such as Web sites and streaming video.
• It lets you customize what is visible to networked users, such as desktop resources and personal files.
This chapter introduces you to the services included with Mac OS X Server and provides a
tour of the programs you use to administer them. First you’ll read about how the services can
be put to use in educational, publishing, and Internet service environments. Then you’ll
review the capabilities of individual services and get an introduction to the applications that
let you administer them. Finally, you’ll find instructions for getting the server up and running.
Using Mac OS X Server
Your server can address the needs of many environments. This section gives examples of four
common environments:
• K–12 classrooms and labs
• Higher education facilities
• Design and publishing businesses
• Web service providers
K–12 Classrooms and Labs
Servers in any educational environment need to help students access the Internet, send mail,
manage files, view videos, and print documents. They also need to help teachers access
lesson plans and other classroom materials, as well as student records and centralized
administrative information. The Mac OS X Server Web, mail, print, and file services support
all these needs:
[Diagram: a Mac OS X Server providing Web and mail services, print service, file services, and client management services to Mac OS 8, Mac OS 9, and Mac OS X clients, with a connection to the Internet.]
Servers supporting K–12 classrooms and labs have several special requirements:
• They need to provide ways to control the student workstation environment. Mac OS X Server software includes client management services, which let you manage and monitor Macintosh computers used by students.
For example, Macintosh Management service lets you control which applications students can access. You can also define application preferences, desktop patterns, and other personal desktop settings so that students experience the same environment on different computers on the network.
• They must also efficiently handle many simultaneous requests for the same Internet resources. Mac OS X Server provides caching Web proxy service, so that Web content that has already been downloaded doesn’t need to be retrieved again from the Internet the next time it is requested.
Higher Education Facilities
In colleges and universities, server requirements are much more complex and varied,
because the students and the workstations they use are highly diverse. This complexity
requires a complete range of file and network services:
[Diagram: Mac OS X Servers providing file, print, directory, Web, mail, and network services to Macintosh, UNIX, and Windows clients, alongside a Windows NT server, an LDAP server, and a UNIX NFS file server, with a connection to the Internet.]
• The wide range of client computers—Macintosh, Windows, UNIX, Linux—demands flexible file access support. The highly scalable IP-based file services in Mac OS X Server support file access from anywhere on the network via Apple Filing Protocol (AFP), Network File System (NFS), File Transfer Protocol (FTP), and Server Message Block (SMB).
• The server offers PostScript-compatible print spooling and job accounting for print jobs submitted using LPR, the industry-standard TCP printing protocol, as well as the Windows SMB protocol.
• Because higher education networks are heterogeneous and complex, network services are critically important. Domain Name System (DNS) and Service Location Protocol (SLP) services are only two examples of services that Mac OS X Server provides to help client computers and services find resources on a network. Dynamic Host Configuration Protocol (DHCP) helps you serve students who log in to the network from portable computers.
• IP filter service, another Mac OS X Server network service, is a packet filter built on the BSD ipfw firewall. It restricts which hosts and networks can reach each service’s ports, so you can screen servers that hold sensitive data from clients that have no business connecting to them.
• User and network resource information needs to be retrievable from directory systems, such as NetInfo, and integrated into existing infrastructures, such as Lightweight Directory Access Protocol (LDAP) servers. Mac OS X Server can be easily configured to access this information.
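To make the packet-filter behaviour concrete, here is an added example (written for this edition, not Apple’s software or documentation): a small Python evaluator for a subset of ipfw-style rules of the form “number allow|deny proto from src to dst [port] [in|out]”. The keywords and the first-match, lowest-number-first semantics are those of ipfw; options such as established and via are deliberately not modelled. The server address 10.1.0.5, the campus block 10.1.0.0/16 and the rule set are constructed for the example, and the rule set contains a deliberate ordering mistake: rule 300 denies all inbound NFS before rule 310 gets a chance to allow it from campus, so rule 310 can never match.

```python
"""First-match evaluator for a subset of ipfw-style packet-filter rules (example code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str                  # source IPv4 address
    dst: str                  # destination IPv4 address
    dport: Optional[int]      # destination port, None for icmp
    direction: str            # "in" or "out", relative to the server


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                  # CIDR block, single address or "any"
    dst: str
    dport: Optional[int]      # None matches any port
    direction: Optional[str]  # None matches either direction


def parse_rule(text: str) -> Rule:
    """Parse '<num> <allow|deny> <proto> from <src> to <dst> [<port>] [in|out]'."""
    tok = text.split()
    if len(tok) < 7 or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"malformed rule: {text!r}")
    number, action, proto, src, dst = int(tok[0]), tok[1], tok[2], tok[4], tok[6]
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action in rule: {text!r}")
    dport: Optional[int] = None
    direction: Optional[str] = None
    for extra in tok[7:]:
        if extra in ("in", "out"):
            direction = extra
        elif extra.isdigit():
            dport = int(extra)
        else:  # keep the subset honest: refuse options we do not model
            raise ValueError(f"unsupported option {extra!r} in rule: {text!r}")
    return Rule(number, action, proto, src, dst, dport, direction)


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, int]:
    """Return (action, rule number) of the lowest-numbered rule that matches.

    Rules are consulted in ascending number order and the first match wins,
    as in ipfw. If nothing matches, the kernel's final rule 65535 applies;
    whether that rule allows or denies is a build-time policy choice, so the
    caller passes it explicitly and a careful rule set ends with its own deny.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return default, 65535


# Constructed rule set for a server at 10.1.0.5 on a campus network 10.1.0.0/16.
RULESET = [
    "100 allow tcp from 10.1.0.0/16 to 10.1.0.5 548 in",   # AFP from campus only
    "200 allow tcp from any to 10.1.0.5 80 in",            # public Web
    "210 allow tcp from any to 10.1.0.5 443 in",           # public Web over SSL
    "300 deny tcp from any to 10.1.0.5 2049 in",           # blocks ALL inbound NFS ...
    "310 allow tcp from 10.1.0.0/16 to 10.1.0.5 2049 in",  # ... so this is never reached
    "65000 deny ip from any to any",                       # explicit final deny
]
RULES = [parse_rule(line) for line in RULESET]


def check(proto: str, src: str, dport: Optional[int], direction: str = "in") -> Tuple[str, int]:
    """Evaluate one packet addressed to the server against RULES."""
    return evaluate(RULES, Packet(proto, src, "10.1.0.5", dport, direction))


if __name__ == "__main__":
    for probe in (("tcp", "10.1.20.7", 548), ("tcp", "203.0.113.9", 548),
                  ("tcp", "203.0.113.9", 443), ("tcp", "10.1.20.7", 2049)):
        print(probe, "->", check(*probe))
```

Running the probes shows campus AFP allowed by rule 100, off-campus AFP falling through to the final deny, and, because of the ordering mistake, campus NFS denied by rule 300 even though rule 310 was meant to permit it. Reordering a rule set changes what it enforces, which is why rule numbers, not the order you typed them, decide precedence.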
Design and Publishing Businesses
Mac OS X Server provides services that fully support the workflow needs of Internet
designers and publishers:
[Diagram: a Mac OS X Server providing file, print, WebDAV, Web, and QuickTime Streaming services to Windows, Mac OS 9, and Mac OS X clients, with a connection to the Internet.]
• The popular Apache Web server is built into Mac OS X Server.
• The Web-based Distributed Authoring and Versioning (or WebDAV) technology, integrated into the server’s Web service, lets you do drag-and-drop publishing and file sharing from Mac OS X computers.
• For video, QuickTime Streaming service lets you broadcast streaming video to client computers in real time.
• Apple Filing Protocol (AFP) lets you transfer large files among workgroup members.
Web Service Providers
Mac OS X Server provides the support necessary for hosting ecommerce Web sites and
providing other Internet services that require high availability and scalability:
[Diagram: a Mac OS X Server “farm” providing Web, FTP, QuickTime Streaming, WebDAV, WebObjects, and mail services to the Internet, administered from a Mac OS X computer.]
• Web service is based on Apache, an open source HTTP Web server. You can host many Web sites on a single server, each with its own address (virtual hosting). You can configure your server to support multiple addresses per Ethernet card (multilink multihoming).
• Web service supports Secure Sockets Layer (SSL) protection for secure Internet connections.
• The server includes deployment components of the WebObjects software suite. These application services let you deploy ecommerce applications that can connect to multiple databases and generate HTML and Java™ dynamically.
• Mac OS X Server also includes built-in support for Perl, Java Servlets, JavaServer Pages, and PHP.
• QuickTime Streaming Server lets you broadcast multimedia in real time to viewers using an industry-standard streaming protocol.
• The server automatically restarts when a service or power failure occurs, maximizing service availability.
Services Included With Mac OS X Server
These Mac OS X Server services are highlighted in this section:
• directory services
• file services
• print service
• Web service
• mail service
• QuickTime Streaming service
• client management services
• network services
• application services
Directory Services
Directory services let your server locate information about users and groups (collections of
users) that is needed for authentication and authorization. Directory services let you
configure your server to find user information stored right on the server or in a location that
has been set up to share information among servers.
While you usually store user information using the built-in NetInfo directory system, your
server can also retrieve it from standard Lightweight Directory Access Protocol (LDAP)
servers. If you store user names in multiple directory systems, the server automatically
searches the locations you specify in the order you prefer when it needs to validate a user.
File Services
File services allow your client users to access files, applications, and other resources over a
network. Mac OS X Server includes these file services:
• Apple file service
• Windows services
• FTP service
• NFS service
Apple File Service
Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources with
Macintosh clients. Macintosh users can connect to your server and access folders and files as
if they were located on their own computers. Mac OS X users access your server using the
Connect To Server command in the Finder’s Go menu; you can also automatically mount
directories on Mac OS X computers when they start up. Mac OS 8 and Mac OS 9 users use
the Chooser or Network Browser. Apple file service is fully integrated into the operating
system environment, providing support for such features as file aliases and Sherlock.
Windows Services
Windows services let users of Windows or Windows-compatible computers take advantage of
Mac OS X Server resources. Without any additional software, Windows users can find your server
and browse for files and print queues using their familiar Network Neighborhood windows.
FTP Service
File Transfer Protocol (FTP) lets users transfer files over the Internet. Users of any computer
that supports FTP can download files from your server—usually by using an Internet browser
or FTP client application. FTP also offers a standard way for both known and anonymous
users to transfer files to and from your server. Keep in mind that FTP sends user names,
passwords, and file contents unencrypted, so limit password-authenticated FTP to networks
you trust and use anonymous FTP only for files you are willing to let anyone read.
NFS Service
Network File System (NFS) service lets you make directories (folders) available for users who
have NFS client software. NFS is often used to export directories for UNIX clients.
Print Service
Print service lets you share PostScript-compatible printers among users who submit print
jobs from Macintosh, Windows, and UNIX computers. Any user whose computer is
configured to print using the standard LPR protocol or the Windows SMB protocol can
submit print jobs to printers you configure your server to manage.
Web Service
The heart of Mac OS X Server Web service is Apache, the dominant open source Web server.
If you are already familiar with Apache, you will continue to enjoy its log file analysis tools,
configuration file handling, and readily available documentation.
Web service in Mac OS X Server also offers you the ability to customize your Web
environment. You can set up Web sites for as many domains as you’d like, configure secure
(SSL-based) communications on a per site basis, and use the built-in support for such
application services as CGI, WebObjects, Perl, PHP, and Java Servlets.
Web service includes Web-based Distributed Authoring and Versioning (WebDAV), which
lets users check out Web pages, make changes, then check them back in while the site is
running. WebDAV essentially provides a file server specifically for Web content authors.
Mail Service
Mail service lets you provide email service for users over your network or over the Internet.
The service provides multiple-domain mail support as well as built-in junk mail protection.
It supports all the standard mail protocols: Internet Message Access Protocol (IMAP), Post
Office Protocol (POP), and Simple Mail Transfer Protocol (SMTP).
To provide mail service over the Internet, you can define Domain Name System (DNS)
services on your network or use DNS services offered by your Internet service provider (ISP).
DNS is one of the Mac OS X Server network services and is required for SMTP mail handling.
QuickTime Streaming Service
QuickTime Streaming Server lets you stream multimedia in real time using the industry-standard RTSP/RTP protocols.
You can deliver live and prerecorded media over the Internet to both Macintosh and
Windows users, or relay streamed media to other streaming servers. You can provide unicast
streaming, which sends one stream to each individual client, or multicast streaming, which
sends the stream to a group of clients.
Client Management Services
Client management services let you simplify and control the environment that Macintosh
client users experience.
Macintosh Management Service
Macintosh Management service lets you set network-wide policies for controlling user access
to applications, home directories, and printers. You can also define the environment users
see when they log in. You can use this service to manage clients with Mac OS 8.1 or later
installed.
NetBoot
NetBoot allows Macintosh client computers to start up using a Mac OS 9 operating system
provided by a Mac OS X Server.
NetBoot lets you configure and update Mac OS 9 computers by simply updating their startup
image. The server hosts a startup image that contains a System Folder and applications folder
for all Mac OS 9 computers. Any changes made on the server are automatically reflected on
the client computers when they restart.
Network Services
Mac OS X Server includes these network services for helping you manage Internet
communications on your TCP/IP network:
• SLP DA service
• DHCP service
• DNS service
• IP filter service
SLP DA Service
Service Location Protocol (SLP) provides structure to the services available on a network and
gives users easy access to them.
Anything that can be addressed using a URL can be a network service—for example, file
servers and WebDAV servers. When a service is added to your network, it uses SLP to register
itself on the network; you don’t need to configure it manually. When a client computer needs
to locate a network service, it uses SLP to look for services of that type. All registered services
that match the client computer’s request are displayed for the user, who then can choose
which one to use.
SLP Directory Agent (DA) is an improvement on basic SLP, providing a centralized repository
for registered network services. You can set up a DA to keep track of services for one or more
scopes (groups of services). When a client computer looks for network services, the DA for
the scope in which the client computer is connected responds with a list of available network
services. Because a client computer only needs to look locally for services, network traffic is
kept to a minimum and users can connect to network services more quickly.
DHCP Service
Dynamic Host Configuration Protocol (DHCP) is a protocol that helps you administer and
distribute IP addresses dynamically to client computers from your server. From a block of IP
addresses that you define, your server locates an unused address and “leases” it to client
computers as needed. DHCP is especially useful when an organization has more clients than
IP addresses. IP addresses are assigned on an as-needed basis, and when they are not
needed, they are available for use by other clients.
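The lease mechanism described above (a defined block of addresses, each leased to one client for a period and returned to the pool when no longer needed) as an added example, not code from Apple or from the Mac OS X Server DHCP service. The address block, lease length and client identifiers are constructed; the one-renewal-per-request and first-free-address policies are this example's own simplifications.

```python
from ipaddress import ip_address


class LeasePool:
    """Constructed model of the DHCP behaviour described: addresses come from a
    defined block, each is leased to one client for a fixed time, and an address
    whose lease has expired goes back to the pool for other clients."""

    def __init__(self, first, last, lease_seconds):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.addresses = [str(ip_address(n)) for n in range(lo, hi + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}  # address -> (client_id, expiry time in seconds)

    def _reclaim_expired(self, now):
        """Drop every lease whose expiry time has passed; return the freed addresses."""
        expired = [a for a, (_, expiry) in self.leases.items() if expiry <= now]
        for a in expired:
            del self.leases[a]
        return expired

    def request(self, client_id, now):
        """Return the address leased to client_id: renew an existing lease, else
        allocate the first unused address; None when the block is exhausted."""
        self._reclaim_expired(now)
        expiry = now + self.lease_seconds
        for addr, (holder, _) in list(self.leases.items()):
            if holder == client_id:  # the client already holds an address: renew it
                self.leases[addr] = (client_id, expiry)
                return addr
        for addr in self.addresses:  # otherwise hand out the first unused address
            if addr not in self.leases:
                self.leases[addr] = (client_id, expiry)
                return addr
        return None  # more clients than addresses and nothing has expired yet

    def release(self, client_id):
        """A client that no longer needs its address gives it back early."""
        for addr, (holder, _) in list(self.leases.items()):
            if holder == client_id:
                del self.leases[addr]
                return addr
        return None

    def active(self, now):
        """Current address -> client mapping, after reclaiming expired leases."""
        self._reclaim_expired(now)
        return {addr: holder for addr, (holder, _) in self.leases.items()}


if __name__ == "__main__":
    # Constructed block of three addresses on the 192.168.11.0 LAN, one-hour leases.
    pool = LeasePool("192.168.11.100", "192.168.11.102", 3600)
    print(pool.request("client-a", 0))      # 192.168.11.100
    print(pool.request("client-b", 10))     # 192.168.11.101
    print(pool.request("client-c", 20))     # 192.168.11.102
    print(pool.request("client-d", 30))     # None: block exhausted
    print(pool.request("client-d", 3615))   # 192.168.11.101: client-b's lease expired
    print(pool.active(3616))
```

The `active` snapshot is the view an administrator checks when deciding whether a block is large enough for the number of clients.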
DNS Service
Domain Name System (DNS) service lets users connect to a network resource, such as a Web
or file server, by specifying a domain name (such as server.apple.com) rather than an IP address
(192.168.11.12). DNS is a distributed database that maps IP addresses to domain names.
A server that provides DNS service keeps a list of names and the IP addresses associated with
the names. When a computer needs to find the IP address for a name, it sends a message to
the DNS server (also known as a name server). The name server looks up the IP address and
sends it back to the computer. If the name server doesn’t have the IP address locally, it sends
messages to other name servers on the Internet until the IP address is found.
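The lookup path just described (answer from the local table, otherwise ask other name servers until the address is found) as an added example, not code from Apple or from the DNS service. The server topology is constructed; the local table reuses the page's own example record (server.apple.com, 192.168.11.12), the other names and addresses are placeholders, and the loop guard is this example's own addition.

```python
class NameServer:
    """Constructed model of a name server: a table of names it knows locally,
    plus other name servers it asks when a name is not in that table."""

    def __init__(self, name, records, others=()):
        self.name = name
        self.records = dict(records)  # hostname -> IP address known locally
        self.others = list(others)    # servers consulted when the name is not local

    def lookup(self, hostname, trace, visited):
        if self.name in visited:      # already asked on this query: stop referral loops
            return None
        visited.add(self.name)
        trace.append(self.name)
        if hostname in self.records:  # answered from the local list of names
            return self.records[hostname]
        for other in self.others:     # otherwise send the question on, one server at a time
            answer = other.lookup(hostname, trace, visited)
            if answer is not None:
                return answer
        return None


def resolve(server, hostname):
    """Return (ip_or_None, list of name servers consulted, in order)."""
    trace = []
    ip = server.lookup(hostname, trace, set())
    return ip, trace


# Constructed topology: the server's own name server, the ISP's, and one further
# upstream server. ROOT also refers back to ISP, so an unknown name exercises the
# loop guard instead of bouncing between the two forever.
ROOT = NameServer("root", {"www.example.com": "203.0.113.10"})
ISP = NameServer("isp", {"mail.example.net": "198.51.100.25"}, others=[ROOT])
LOCAL = NameServer("local", {"server.apple.com": "192.168.11.12"}, others=[ISP])
ROOT.others.append(ISP)

if __name__ == "__main__":
    for name in ("server.apple.com", "www.example.com", "nonexistent.example.org"):
        ip, trace = resolve(LOCAL, name)
        print(f"{name}: {ip} (asked: {' -> '.join(trace)})")
```

The trace shows where each answer came from; a name that is answered by a server you do not control is a name whose response you are trusting.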
You will use DNS if you use SMTP mail service or if you want to create subdomains within
your primary domain. You will also use DNS if you are hosting multiple Web sites. If you don’t
have an ISP who handles DNS for your network, you can set up a DNS server on your
Mac OS X Server.
IP Filter Service
IP filter service protects your server and the content you store on it from intruders. It
provides a software firewall, scanning incoming IP packets and accepting or rejecting them
based on filters you define.
You can set up server-wide restrictions for packets from specific IP addresses. You can also
restrict access to individual services—such as Web, mail, and FTP—by defining filters for the
ports used by the services.
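The two kinds of filter the text describes (a server-wide restriction on packets from specific addresses, and per-service filters on the ports the services use) as an added example, not code from Apple or from the IP filter service. The rule set, packets and addresses are constructed (the page's own 192.168.11.0 LAN and the RFC 5737 documentation ranges); first-match evaluation with a reject default is this example's assumed semantics, not a statement about how the service orders its filters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed view of an incoming packet: only the fields a filter decides on."""
    src: str        # source IP address
    dst_port: int   # destination port on the server
    proto: str      # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "reject"
    src: str = "0.0.0.0/0"          # source network (CIDR) the rule applies to; default: any
    dst_port: Optional[int] = None  # None matches any destination port
    proto: Optional[str] = None     # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


def evaluate(rules, pkt: Packet, default: str = "reject") -> str:
    """First-match evaluation (assumed): the first rule that matches decides;
    a packet matching no rule gets the default, which is reject here."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def audit(rules, packets):
    """Apply the rules to a batch of packets and return (packet, decision) pairs,
    the kind of dry run worth doing before enabling a new rule set."""
    return [(p, evaluate(rules, p)) for p in packets]


# Constructed rule set: one server-wide block, then per-service port filters.
RULES = [
    Rule("reject", src="203.0.113.0/24"),                              # server-wide block of an address range
    Rule("accept", src="192.168.11.0/24", dst_port=548, proto="tcp"),  # Apple file service (AFP) from the LAN only
    Rule("accept", dst_port=80, proto="tcp"),                          # Web service from anywhere
    Rule("accept", dst_port=25, proto="tcp"),                          # SMTP mail from anywhere
    # FTP (port 21) has no accept rule, so it falls through to the default reject.
]

if __name__ == "__main__":
    sample = [
        Packet("203.0.113.5", 80, "tcp"),     # blocked range, even on the public Web port
        Packet("198.51.100.7", 80, "tcp"),    # Web from the Internet: accepted
        Packet("192.168.11.20", 548, "tcp"),  # AFP from the LAN: accepted
        Packet("198.51.100.7", 548, "tcp"),   # AFP from the Internet: rejected
        Packet("198.51.100.7", 21, "tcp"),    # FTP: no rule, default reject
    ]
    for pkt, decision in audit(RULES, sample):
        print(f"{pkt.src:>15} -> port {pkt.dst_port:<4} {pkt.proto}: {decision}")
```

Putting the server-wide block first matters under first-match semantics: if the Web accept rule came before it, the blocked range would still reach the Web service.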
Application Services
WebObjects offers a flexible and scalable way to develop and deploy ecommerce and other
Internet applications. WebObjects applications can connect to multiple databases and
dynamically generate HTML content.
Your server includes the WebObjects deployment system and an unlimited license to deploy
your WebObjects applications. You can also purchase the WebObjects development tools if
you want to create WebObjects applications.
The remainder of this guide does not address WebObjects. For more information and
documentation on WebObjects, go to the WebObjects Web page:
www.apple.com
How You Administer the Services
This section introduces the administration applications you use to configure and manage the
services in Mac OS X Server and tells you how to get started using them:
• Server Admin: You use Server Admin to configure and manage most services, to set up
and manage server user accounts, and to configure share points (items such as folders
and disks you want users to share on the server).
You can use Server Admin either on your server or remotely, using secure, encrypted
communications between a computer running Mac OS X or another server and the server
you are administering. Server Admin has an individual module for managing each service.
See “Server Admin” on page 31 for more information.
• Macintosh Manager: Use Macintosh Manager to set up authentication and define user
environments for computers with Mac OS 8.1 through Mac OS 9.1 installed.
This application, described in “Macintosh Manager” on page 34, can be used on
computers with Mac OS 9 or later installed.
• Streaming Server Admin: This browser-based application lets you set up and manage
streaming service from a Web browser.
You can use this application, described in “Streaming Server Admin” on page 34, from any
computer that has Netscape Navigator™, Netscape Communicator, or Microsoft Internet
Explorer, versions 4.5 or later, installed.
• NetBoot Desktop Admin: Use NetBoot Desktop Admin to install, update, or remove items
from the system image your NetBoot clients use to start up.
You can use NetBoot Desktop Admin from a client computer with Mac OS 9 installed. See
“NetBoot Desktop Admin” on page 35 for more information about this application.
Server Admin
You can use Server Admin locally (at the server) or remotely (from a computer running
Mac OS X or another Mac OS X Server) to administer services on one or more Mac OS X
Servers.
When you install Mac OS X Server, Server Admin is automatically installed on the server. To
install the remote Server Admin component on a computer running Mac OS X, follow these
steps:
1. On a Mac OS X computer with networking configured, insert the Mac OS X Server CD.
2. Open the Admin Install folder and double-click the installer package, Admin_Install.mpkg.
3. Choose the Custom Install option, then select Server Admin.
Server Admin is installed in /Applications/Utilities/.
Logging in to Server Admin
To log in to Server Admin:
1. Open Server Admin (located in /Applications/Utilities/) by clicking the Server Admin icon in
the Dock.
2. Enter the IP address or domain name of the Mac OS X Server you want to administer. By
default, the IP address of the local server appears in the login window. To administer a
different server, enter that server’s address or domain name. Then enter the administrator’s
user name and password for the server.
3. Click Connect.
You can manage multiple servers simultaneously by logging in to each server and
administering it from its own toolbar.
Getting Acquainted With the Toolbar
After you open Server Admin and log in to a server, a toolbar for that server appears. You
administer services by using the service modules, which are arranged on four tabs in the toolbar.
Here is a summary of when to use the service modules and where to find more information
about them in this guide:
To do this | Use this module | Go here for more info
View information about your server | Server Info module (in the General tab) | page 34
View server logs | Log Viewer (in the General tab) | page 33
Set up and manage directory services | Mac OS X utilities for Directory Services | page 41
Set up and manage users | Users & Groups module (in the General tab); Sharing module (in the General tab) | page 57; page 73
Work with Macintosh Management service | Macintosh Mgr module (in the General tab) | page 195
Set up and manage file services (Apple file service, Windows services, FTP service, NFS service) | Modules in the File & Print tab: Apple (page 85), Windows (page 93), FTP (page 104), NFS (page 100) | see pages listed
Set up and manage print service | Print module (in the File & Print tab) | page 111
Set up and manage Web service | Web module (in the Internet tab) | page 121
Set up and manage mail service | Mail module (in the Internet tab) | page 153
Set up and manage network services (SLP DA service, DHCP service, DNS service, IP filter service) | Modules in the Network tab: SLP Service (page 264), DHCP/NetBoot (page 271), DNS Service (page 280), IP Filter (page 285) | see pages listed
When you click a Server Admin module, a menu of commands appears. For information
about how to use the commands to manage your services, refer to the pages indicated in the
table above or see the onscreen help for the module. For information about how to use
Server Admin in general, look in the Help menu in the Server Admin menu bar.
At the bottom of the toolbar, a status bar indicates how many services are running and alerts
you to conditions that warrant your attention. A globe identifies running services, and a
triangle containing “!” identifies alerts. These symbols also appear on individual module
icons, and on any tab containing a module with an alert.
Viewing Logs
The Log Viewer lets you monitor errors and other noteworthy events logged by various
services and applications running on your server. Log Viewer windows are dynamically
updated as new log records are written, letting you monitor multiple services in real time.
Click Log Viewer, then choose the service whose logs you want to view. Choose Print Service,
for example, to view logs for print service and for each of the server’s print queues. If you
don’t see the service you are interested in, make sure the service is running, then check the
system log (choose System Software from the Log Viewer menu, then choose System Log
from the Display pop-up menu).
Later chapters in this guide and the onscreen help provide information about the logs for
particular services. Also refer to the onscreen help for information about using the Log
Viewer and setting up and viewing logs maintained by various services.
Getting Information About Your Server
Click Server Info, then choose Show Server Info to view the serial number and networking
characteristics of your server.
If you need to change the server’s serial number, click Server Info, then choose Change
Product Serial Number.
Macintosh Manager
You use the Macintosh Manager application to administer Macintosh Management service
and set up user environments for client computers on your network. You can use Macintosh
Manager locally (at the server) or remotely (from a Mac OS 9 or Mac OS X computer on the
same network as your Mac OS X Server).
In addition to Macintosh Manager, you’ll also use two Server Admin modules to administer
Macintosh Management service: Users & Groups and Sharing. Details about all these
applications can be found starting on page 195.
Logging in to Macintosh Manager
Open Macintosh Manager by clicking its icon in the Dock. Log in using a server administrator
user name and password. As a server administrator, you automatically have global
administrator privileges for Macintosh Manager. Once you are logged in, you can add users,
create workgroups, and manage computers on the network.
You can also open Macintosh Manager by clicking Macintosh Mgr in the Server Admin
General tab, then choosing Open Macintosh Manager.
Starting and Stopping Macintosh Management Service
To start and stop Macintosh Management service, use the Macintosh Mgr module of Server
Admin. You can also use the Macintosh Mgr module to set whether Macintosh Management
service automatically starts when the server starts up.
Streaming Server Admin
You can use Streaming Server Admin from any computer that has a Web browser installed
and running. To open Streaming Server Admin, open a browser and enter the URL for
Streaming Server Admin on your server. Then enter the streaming server administrator login
ID and password. The connection established is secure.
For further information about Streaming Server Admin, see Chapter 9, “QuickTime Streaming
Server,” on page 173.
NetBoot Desktop Admin
On a Mac OS 9 computer, use the Chooser to locate the NetBoot server volume, then log in
to it as a server administrator. You can then open NetBoot Desktop Admin and make changes
to the startup image. Follow the onscreen instructions when using NetBoot Desktop Admin.
You can read more about NetBoot administration starting on page 245.
Setting Up Your Server for the First Time
Follow these steps to get your server up and running quickly. After you complete step 8,
users will be able to access the server and take advantage of basic Apple file service features.
Step 9 refers you to other places in this guide where you can get instructions for setting up
additional services you want to provide your users.
Step 1: Get acquainted with the server and its administration
applications
If you haven’t already done so, read the earlier sections of this chapter. These sections
describe some common scenarios in which Mac OS X Server can be used, in both business
and education environments. Then they introduce the services you can provide to your users
and survey the applications you use to administer the server.
These sections introduce terms and concepts you’ll encounter as you proceed through the
remaining steps.
Step 2: Install the server
Use the worksheet and instructions in Getting Started With Mac OS X Server to install your
server and make it ready to use on your network.
Step 3: Log in
Using the owner/administrator name and password you specified during step 2, log in to the
server. Then log in to the Server Admin application:
1. Open Server Admin from the Dock or from Applications/Utilities.
2. In the Address box, enter the IP address or domain name you assigned to the server during
step 2.
3. In the User Name box, enter the owner/administrator name. In the Password box, enter the
owner/administrator password.
4. Click Connect.
Step 4: Create share points
A share point is a hard disk (or hard disk partition), CD-ROM disc, or folder that contains
files you want users to share. If you are a teacher, for example, you may want to set up a
share point for individual classes—Math, English, Biology—so that students in each class can
access their assignments and handouts.
To create share points:
1. In a Finder window, open the folder in which you want to create the share point. Choose
New Folder from the File menu. Name the share point.
2. In Server Admin, click the File & Print tab and make sure that Apple file service is running. If
it’s not, click Apple and choose Start Apple File Service.
3. Click the General tab. Then click Sharing and choose Set Sharing Attributes. Select the folder
you created and click Choose.
4. Click “Share this item and its contents,” then click Save.
5. Repeat steps 1 through 4 for each share point you want to create.
Step 5: Define default home directory settings
A home directory is a folder for a user’s personal files. Each student, for example, might use
a home directory for storing class notes or assignments they’re working on.
If you define default home directory settings, a home directory is automatically created for
each new user you define on your server. To define default home directory settings:
1. In the General tab of Server Admin, click Users & Groups and choose Home Directory Defaults.
2. Choose Local to set up a simple default strategy. You can always change your strategy later if
you need to.
3. Choose the share point in which you want the home directories to reside from the Share
Point pop-up list. You can choose the predefined Users share point or one of the share
points you created earlier.
4. Click Save.
Whenever you define a new user, a home directory will be created for the user in the share
point you selected and named using the “short name” you enter for the user. The user owns
the home directory, meaning the user has Read & Write access to the directory and has
complete control over access to the files in the home directory.
Step 6: Define users
To define the users you want to be able to use your server:
1. In the General tab of Server Admin, click Users & Groups and choose New User.
2. In the Name field, enter a name that identifies the user (for example, Bob W. Brown, Jr.).
3. In the Short Name field, enter a short name for the user. Although the user can log in to the
server using the name you specify in step 2, a short name is more convenient. Also,
remember that the user’s home directory will be named using the short name. The short
name is also used in the user’s email address if you set up mail service on the server.
Typically the short name is 8 characters or shorter. Use only letters, numbers, the hyphen
character (-), or the underscore character (_).
4. In the Password field, enter the password the user should use to log in to the server.
Although you define the password initially, the user can change it when logging in to the
server or by using the Password pane in System Preferences. Enter a password that won’t be
easily guessed by unauthorized users.
The password is case-sensitive and does not appear on the screen as it is entered. Make sure
you have not pressed the Caps Lock key before entering the password. Avoid spaces and
Option-key combinations.
5. Select “User can administer the server” if you want the user to be able to administer the
server. When you first set up the server, only the owner/administrator designated during
setup can administer it. Server administrators can use all the server management applications
and have complete access to all the server’s facilities.
6. Select “User can log on” to let the user log in to the server, then click Save.
7. Repeat steps 1 through 6 for each user you want to be able to access the server.
Step 7: Define groups
Groups are collections of users with similar needs. For example, you can add math students
to a math class group and give the group access to files in the math group’s share point.
Groups simplify the administration of shared resources. Instead of granting access to those
resources to each individual who needs them, you can simply add the users to a group, and
grant access to the group.
To define a group:
1. In the General tab of Server Admin, click Users & Groups and choose New Group.
2. Enter a name for the group. Avoid the space character or Option-key characters if you want
to be able to send mail to the group.
3. To add users to the group, click Open U&G List. Locate the users you want to add, then drag
them into the group settings window.
4. Click Save.
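The naming rules stated in steps 6 and 7 (short names of letters, numbers, hyphen and underscore, typically 8 characters or shorter; no spaces or Option-key characters in passwords or in group names that receive mail) collected into one validator, as an added example that is not Apple's code and not how Server Admin itself checks its fields. Treating any non-ASCII character as an Option-key character, reporting over-length short names as a warning rather than an error, and flagging a password equal to the short name as easily guessed are this example's own choices.

```python
import re

# Step 6: only letters, numbers, the hyphen and the underscore are allowed.
SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
SHORT_NAME_TYPICAL_MAX = 8


def has_option_key_chars(text):
    """Assumption: characters outside printable ASCII stand in for Option-key
    combinations (é, ©, and so on), which the steps say to avoid."""
    return any(ord(c) < 32 or ord(c) > 126 for c in text)


def check_short_name(short_name):
    """Return a list of problems (empty list = acceptable). Length over 8 is a
    warning, because the text says short names are 'typically' that short."""
    problems = []
    if not short_name:
        problems.append("error: short name is empty")
    elif not SHORT_NAME_RE.match(short_name):
        problems.append("error: only letters, numbers, hyphen (-) and underscore (_) are allowed")
    if len(short_name) > SHORT_NAME_TYPICAL_MAX:
        problems.append(f"warning: longer than the typical {SHORT_NAME_TYPICAL_MAX} characters")
    return problems


def check_group_name(group_name):
    """Step 7: spaces and Option-key characters break mail delivery to the group."""
    problems = []
    if not group_name:
        problems.append("error: group name is empty")
    if " " in group_name:
        problems.append("warning: contains a space; mail to the group will not work")
    if has_option_key_chars(group_name):
        problems.append("warning: contains Option-key characters; mail to the group will not work")
    return problems


def check_password(password, short_name=""):
    """Step 6's password advice: no spaces, no Option-key combinations, and not
    something easily guessed (here: the same as the user's short name)."""
    problems = []
    if " " in password:
        problems.append("avoid spaces")
    if has_option_key_chars(password):
        problems.append("avoid Option-key combinations")
    if short_name and password.lower() == short_name.lower():
        problems.append("easily guessed: same as the short name")
    return problems


if __name__ == "__main__":
    # Constructed inputs an administrator might type when defining users and groups.
    for name in ("bob_w", "bob.w", "bobwbrown", ""):
        print(f"short name {name!r}: {check_short_name(name) or 'ok'}")
    for group in ("math-101", "math class", "biolog\u00ede"):
        print(f"group {group!r}: {check_group_name(group) or 'ok'}")
    print(check_password("bob_w", "bob_w"))
```

Run the checks before creating the account rather than after: a short name that fails step 6's rule also names the home directory and the mail address, so fixing it later means renaming more than one thing.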
Step 8: Assign privileges to share points
To assign access privileges for your share points to the users and groups you have defined:
1. In the General tab of Server Admin, click Sharing and choose Show Disks & Share Points.
2. Double-click a share point.
3. In the General tab, click Users & Groups, then choose Open U&G List.
4. To change the share point owner, drag a user from the Users & Groups List window to the
Owner field in the sharing window. Use the pop-up menu to the right of the Owner field to
set access privileges for the owner.
5. To assign access privileges to a group, drag a group from the Users & Groups List window to
the Group field in the sharing window. Then use the pop-up menu to the right of the Group
field to set access privileges for the group. If the group is a math class group, for example,
you may want to grant Read Only access so that math students can read information you
place within the share point but not change it.
6. To assign access privileges to any user who can log in to the server, use the pop-up menu to
the right of Everyone.
Step 9: Set up additional services as required
Decide which additional services you want to set up, then refer to the chapters indicated in
the following table. Browse through the chapter first to become familiar with what’s in it.
Then use the instructions for what to do before you set up the service and how to set it up
for the first time. This information, supplemented by detailed procedures available in the
onscreen help, will guide you through setting up individual services.
If you want to | Set up | Instructions are in
Assign access privileges to folders and files within a share point | Folders and files, then assign access privileges | Chapter 4, “Sharing,” on page 73
Implement additional Apple file service features | Apple file service | Chapter 5, “File Services,” on page 85
Provide file and print services for Windows users | Windows services | Chapter 5, “File Services,” on page 93
Make folders available for users with NFS client software | NFS service | Chapter 5, “File Services,” on page 100
Let users transfer files from the server using FTP | FTP service | Chapter 5, “File Services,” on page 104
Share printers among users | print service | Chapter 6, “Print Service,” on page 111
Set up Web sites or WebDAV support on the server | Web service | Chapter 7, “Web Service,” on page 121
Provide email service for your users | mail service | Chapter 8, “Mail Service,” on page 153
Broadcast multimedia in real time from the server | QuickTime Streaming Service | Chapter 9, “QuickTime Streaming Server,” on page 173
Manage the environment that Mac OS 8.1 and later users experience | Macintosh Management service | Chapter 10, “Macintosh Management Service,” on page 195
Provide identical System and applications folders for all Mac OS 9 client computers | NetBoot | Chapter 11, “NetBoot,” on page 245
Automate registration for network devices accessible using a URL | SLP DA service | Chapter 12, “Network Services,” on page 263
Assign IP addresses dynamically to client computers | DHCP service | Chapter 12, “Network Services,” on page 271
Set up a domain name server | DNS service | Chapter 12, “Network Services,” on page 280
Filter IP packets that the server receives | IP filter service | Chapter 12, “Network Services,” on page 285
Share user information among multiple Mac OS X Servers and/or Mac OS X computers | directory services | Chapter 2, “Directory Services,” on page 41
Where to Find More Information About Mac OS X Server and
Server Management
If You’re New to Server and Network Management
If you want to learn more about Mac OS X Server, see the Mac OS X Server Web site:
www.apple.com/macosx/server/
Online discussion groups can put you in touch with your peers. Many of the problems you
encounter may already have been solved by other server administrators. To find the lists
available through Apple, see the following site:
www.lists.apple.com
Consider obtaining some of these reference materials. They contain background information,
explanations of basic concepts, and ideas for getting the most out of your network.
• Teach Yourself Networking Visually, by Paul Whitehead and Ruth Maran (IDG Books
Worldwide, 1998).
• Internet and Intranet Engineering, by Daniel Minoli (McGraw-Hill, 1997).
In addition, NetworkMagazine.com offers a number of online tutorials on their Web site:
www.networkmagazine.com
If You’re an Experienced Server Administrator
If you’re already familiar with network administration and you’ve used Mac OS X Server,
Linux, UNIX, or a similar operating system, you may find these additional references useful.
• A variety of books from O’Reilly & Associates cover topics applicable to Mac OS X Server,
such as Internet Core Protocols: The Definitive Reference, DNS and BIND, and TCP/IP
Network Administration. For more advanced information, see Apache: The Definitive
Guide, Writing Apache Modules with Perl and C, Web Performance Tuning, and Web
Security & Commerce, also published by O’Reilly & Associates. See the O’Reilly &
Associates Web site:
www.ora.com
• See the Apache Web site for detailed information about Apache:
www.apache.org/
Although you’ll want to use the administration tools provided with Mac OS X Server, it’s
possible to execute most UNIX commands and shell scripts from the built-in command-line
interface of the Terminal application. You can access the command-line interface by logging
in to the server as the administrator and navigating to the Terminal application, located in
/Applications/Utilities. See Appendix A, “Advanced Topics,” on page 301 for several
suggestions.
CHAPTER 2
Directory Services
What Are Directory Services?
Your Mac OS X Server uses directory services to find information about users. The server
needs user information for authentication and to support various services.
User Information Needed for Authentication
When a user logs in to a Mac OS X Server, the server authenticates the user—or determines
whether the user is a valid user. Only valid users are entitled to access a server or take
advantage of the services it provides.
To authenticate a user, the server consults this information for the user:
• user name
• password
• user ID
At a minimum—regardless of the services your users will use—each user that you want to
be able to access the server must have a user name, a password, and a user ID stored in a
location accessible to the server. When a user logs in and enters a user name and password,
the information entered must match one of the users defined for the server for the user to
be authenticated.
Other User Information Needed by the Server
Other user information is needed by individual services. For example, mail service requires
mail settings for each user, and Macintosh Management service needs to know a user’s home
directory. Most services require the user ID.
Appendix A, “Advanced Topics,” on page 301 describes all the data that individual services
need to access after a user has been authenticated.
Where You Can Define User Information
User information needed by directory services is stored on Mac OS X Servers in NetInfo
databases. A NetInfo database is known as a domain.
Mac OS X Servers can also retrieve user information from standard servers known as
Lightweight Directory Access Protocol (LDAP) servers. LDAP servers are often used to handle
requests for user information.
Where you store your server’s user information is determined by whether it needs to be
shared.
If User Information on a Server Is Not Shared
When your server supports users whose information cannot be obtained from another
Mac OS X Server on the network, information for users must reside locally, on the server
itself. In this case, it is stored in a NetInfo domain—called the local domain—on the server:
[Figure: a Mac OS X Server with its local NetInfo domain, used by a Mac OS 9 user, a Mac OS X user, and a Windows user]
When a user logs in to the server, directory services search for the user in the local domain.
The user can access the server only if the user is defined in the local domain.
Every Mac OS X Server has a local domain. Users defined in a local domain are visible only to
the computer on which the domain resides. While defining users in the local domain is
adequate for standalone servers or servers used in simple networks, in many cases it is more
efficient for computers to share user information. Sharing user data minimizes redundancy,
so when a user’s data changes, it needs to be changed in fewer places.
If User Information on a Server Can Be Shared
When your network has several Mac OS X Servers that provide services for users, user
information stored in a NetInfo domain on one of the servers can be shared among the servers:
[Figure: two Mac OS X Servers, each with its own local domain, both using one shared domain; Mac OS 9, Mac OS X, and Windows users connect to the servers]
You define a shared domain when NetInfo information needs to be visible from multiple
Mac OS X Servers.
In the picture above, users who are defined in the shared domain can access both servers.
When a user logs in to either server, directory services search for the user in the local
domain on that server. If the user is not found, directory services look for the user in the
shared domain.
A shared domain can also be used to manage who can use a computer running Mac OS X:
[Figure: two Mac OS X Servers with local domains and a shared domain; a Mac OS X computer with its own local domain also uses the shared domain; Mac OS 9 and Windows users connect to the servers]
Like Mac OS X Server, a computer running Mac OS X always has a local NetInfo domain. In
the picture above, users who are defined in the Mac OS X local domain or in the shared
domain on the server can use the Mac OS X computer.
If Information External to the Server Can Be Shared
Some organizations—such as universities and worldwide corporations—maintain user
information on LDAP servers. Your Mac OS X Server can be configured to retrieve user
information from these standard systems:
[Figure: two Mac OS X Servers with local domains and a shared domain, plus an LDAP Server; Mac OS 9, Mac OS X, and Windows users connect to the servers]
When a user logs in to one of the Mac OS X Servers, directory services still search for the
user in NetInfo domains, starting with the local domain. But if the user is not found and the
server has been configured to use an LDAP server, the server consults the LDAP server for
information about the user.
How the Server Finds User Information
Directory services, which are part of the underlying architecture of a Mac OS X Server,
provide a centralized roadmap that the server uses to find information about users, groups
(collections of users), and devices—all the people and resources your server supports.
When your server needs user information, directory services identify where the server
should look for that information:
[Figure: Directory Services sits above the two sources of user information, NetInfo and LDAP]
When your server needs to access user information stored in multiple locations, such as
NetInfo domains on different servers and one or more LDAP servers, directory services also
control the order in which the server searches those locations.
The locations searched and the order in which they are searched are called a server’s search policy. When a user logs in, directory services look for the user in the local NetInfo domain,
then possibly in a shared domain or LDAP server, depending on how the search policy has
been set up.
Using NetInfo
NetInfo lets you store and manage user information on a Mac OS X Server.
There’s always at least one NetInfo domain defined on a server—the local domain.
Information stored in the local domain is visible only to the server on which it resides. It
cannot be shared with other servers. So users defined in the local domain have access only to
the server on which the local domain resides.
If you want to share information in a NetInfo domain, you need to make the local domain a
child of a shared domain, called the parent domain.
Before You Set Up NetInfo
If you think you can take advantage of shared NetInfo domains, you need to understand
parent-child hierarchies.
Two-Level Hierarchies
The simplest hierarchy is a two-level hierarchy:
[Figure: a parent NetInfo domain with a local NetInfo domain as its child]
Here’s a scenario in which a two-level hierarchy might be used:
[Figure: a root domain with three child local domains, on the English department’s, Math department’s, and Science department’s computers]
Each department (English, Math, Science) has its own computer. The students in each
department are defined as users in the local domain of that department’s computer. All three
of these local domains have the same parent—the root domain—in which all the instructors
are defined. Instructors, as members of the root domain, can use services on all the
departmental computers. The members of each local domain can only use services on the
server where their local domain resides.
While local domains reside on their respective servers, a parent domain can reside on any
Mac OS X Server accessible from the child domain’s computer. In this example, the root
domain can reside on any server accessible from the departmental servers. It can reside
on one of the departmental servers, or—as shown here—on an entirely different server on
the network:
[Figure: the root domain resides on a Faculty Mac OS X Server next to that server’s own local domain; the local domains on the English, Math, and Science department’s computers are its children]
When an instructor logs in to any of the three departmental servers and cannot be found in
the local domain, the server searches the root domain.
A root domain is a special kind of shared domain. It is the shared domain that is always at the
top of a NetInfo hierarchy. It is visible to all computers that use the hierarchy. In this example,
the root domain is the only shared domain, but in more complex hierarchies, there may be
many shared domains.
More Complex Hierarchies
NetInfo also supports multilevel domain hierarchies. Complex networks with large numbers of
users may find this kind of organization useful, although it’s much more complex to administer:
(Illustration: a Root domain with a Research domain and an Undergraduates domain below it; a Graduates domain and a Postgraduates domain below the Research domain; local domains on Mac OS X clients or servers at the bottom of the hierarchy.)
In this scenario, an instructor defined in the root domain can use Mac OS X computers on
which any of the local domains reside. Research fellows, defined in the Research domain, can
log in to any Mac OS X computers whose local domains have the Graduates or Postgraduates
domain as their parent, because the Research domain is the parent of the Graduates and
Postgraduates domains.
How a Server Searches Through NetInfo Hierarchies
The default search strategy for a server is to search for a user in NetInfo domains, starting
with the local domain:
• If the server’s local domain has no parent, the server searches only the local domain.
• If the server’s local domain does have a parent NetInfo domain, the server searches the
parent domain when a user is not found in the local domain. If the user is not found in
the local domain’s parent and that parent domain is configured as the child of a second
parent domain, the second parent is searched. If the user is still not found, the server
continues searching up through the NetInfo hierarchy, stopping when the user is found
or after the final parent has been searched.
If you want your server to search other NetInfo domains, or if you want to specify that LDAP
servers be searched, use the Directory Setup application to customize the search policy, as
described in “Setting Up Search Policies” on page 52.
Setting Up NetInfo for the First Time
Follow these steps to set up your NetInfo domains:
Step 1: Assess your server access requirements
Identify which users need to access your Mac OS X Servers.
Users whose information is not accessible from an LDAP server, or whose information can be
managed most easily on a Mac OS X Server, should be defined in a NetInfo domain.
Step 2: Design the NetInfo hierarchy
Determine whether user information should be stored in a local NetInfo domain or in a
NetInfo domain that can be shared among servers. Design your NetInfo hierarchy, identifying
the shared and child domains you want to use, the servers on which the shared domains
should reside, and the parent-child relationship between domains. In general, try to limit the
number of users associated with any domain to no more than 10,000.
Chapter 2, “NetInfo Planning,” in Understanding and Using NetInfo provides some
guidelines that will help you decide what your NetInfo hierarchy should look like.
Step 3: Set up the NetInfo hierarchy
These are the main steps for setting up NetInfo hierarchies:
1 Set up shared domains. On each server you want to host shared domains, you create them
and configure them so that they bind together into the hierarchy you want.
2 Set up local domains on each Mac OS X computer so that they bind to the shared domain
you want to act as the parent domain.
3 Set up replication. You can replicate shared domains to improve reliability and speed of
access to their data.
4 Set up Windows user authentication. If Windows users need to be authenticated using
NetInfo and encrypted passwords, you enable Authentication Manager in all the domains in
the NetInfo hierarchy.
5 Populate shared domains with users, groups, and other information you want to share.
Chapter 3, “Setting Up NetInfo Hierarchies,” in Understanding and Using NetInfo describes
what to do in each of these steps.
Step 4: Customize your search policy (optional)
If the default NetInfo search policy for a server is not adequate for your purposes, use
Directory Setup to customize the search policy, as described in “Setting Up Search Policies”
on page 52.
Using LDAP
Your server’s built-in LDAP support lets it retrieve user information from an LDAP V2 server.
LDAP servers can maintain information for a wide variety of individuals or network resources,
including users, groups, printers, or servers. Once an LDAP server has been set up, you can
easily configure your Mac OS X Server to access it to retrieve user and other information.
Before You Set Up LDAP Server Access
Before it can serve as a resource for Mac OS X Server user information, an LDAP server must
be configured to support LDAP-based authentication and password checking. The system
administrator responsible for maintaining the LDAP server and its data should configure the
LDAP server for access.
To provide the appropriate information for user authentication, the LDAP server must
contain entries and attributes for four items: user name (in RecordName and RealName
fields), password, and user ID. Depending on which Mac OS X Server services a user will
need access to, additional information may also be required.
After the LDAP server is configured to supply all needed data, make a note of the search base
and attribute name of each data item. You will need this information when configuring your
Mac OS X Server for LDAP access.
Setting Up LDAP for the First Time
Follow these steps to configure your server to access an LDAP server; see “Configuring LDAP
Access” on page 323 for more details.
Step 1: Prepare LDAP server data
Modify the LDAP server entries and attributes as necessary to provide the data needed for
server authentication, and for the other services that will use the data. “LDAP Data
Specifications” on page 314 provides complete specifications for LDAP data that’s used by
Mac OS X Servers. It may be necessary to add, modify, or reorganize information in your
LDAP server to provide the information in the format needed.
Step 2: Enable LDAP support
Open the Directory Setup application (located in Applications/Utilities). Click the lock and
log in as server administrator. Select LDAPv2 in the Directory Setup Services pane, then click
Configure.
Step 3: Identify the LDAP server
In the Identity pane, specify the LDAP server’s domain name or IP address.
Step 4: Define the LDAP search base
In the Records pane, map the record type “Users” to one or more search bases on the LDAP
server that provide user information (for example, o=people, ou=your company name). Also
map the record type “Groups” if you will be retrieving group information from the LDAP server.
Step 5: Map the data types for user and group information
In the Data pane, map at least the data types RecordName, RealName, Password, and
UniqueID to the LDAP fields that will supply values for them. For example, UniqueID may be
stored in an LDAP field named userid. If other information will be retrieved, map additional
data types as needed.
Step 6: Define the connection attributes
In the Access pane, enter information about the connections established between your
server and the LDAP server, such as the maximum time to spend searching for data on the
LDAP server.
Step 7: Indicate how you want to use LDAP data
Either add the LDAP server to the server’s search policy or define aliases for specific users on
the LDAP server. “Setting Up Search Policies,” next, tells you how.
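Here is an added Python model of Steps 4 and 5 (illustrative code, not Apple's and not part of the original guide): it parses a constructed LDIF extract, keeps only entries under the Users search base, and fills the RecordName, RealName, Password, and UniqueID data types from the mapped attributes, refusing an entry that lacks one of them. The search bases, the attribute names (uid, cn, userPassword, uidNumber), and the entries are assumptions.

```python
from typing import Dict, List, Optional

# Data types the server needs for authentication (from the text above).
REQUIRED_DATA_TYPES = ("RecordName", "RealName", "Password", "UniqueID")

# Step 5 mapping: data type -> LDAP attribute. Attribute names are assumptions.
DATA_MAP = {
    "RecordName": "uid",
    "RealName": "cn",
    "Password": "userPassword",
    "UniqueID": "uidNumber",
}

# Step 4 mapping: record type -> search bases. Bases are assumptions.
RECORD_MAP = {
    "Users": ["ou=people,o=example"],
    "Groups": ["ou=groups,o=example"],
}

# Constructed LDIF: one complete user, one user missing uidNumber, one group.
SAMPLE_LDIF = """\
dn: uid=mary,ou=people,o=example
uid: mary
cn: Mary Smith
userPassword: {SSHA}placeholder-hash
uidNumber: 1001

dn: uid=bob,ou=people,o=example
uid: bob
cn: Bob W. Brown, Jr.
userPassword: {SSHA}placeholder-hash

dn: cn=teachers,ou=groups,o=example
cn: teachers
gidNumber: 2001
memberUid: mary
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse minimal LDIF (no line folding, no base64) into {dn: {attr: [values]}}."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[Dict[str, List[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the current entry
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is None:
            raise ValueError("attribute line before any dn")
        else:
            current.setdefault(attr, []).append(value)
    return entries


def in_search_base(dn: str, record_type: str) -> bool:
    """True if the entry's DN lies under one of the record type's search bases (Step 4)."""
    return any(dn.lower().endswith("," + base.lower()) for base in RECORD_MAP[record_type])


def map_user(entry: Dict[str, List[str]]) -> Dict[str, str]:
    """Apply the Step 5 data-type mapping; raise if a required attribute is absent."""
    record: Dict[str, str] = {}
    missing: List[str] = []
    for data_type in REQUIRED_DATA_TYPES:
        attr = DATA_MAP[data_type].lower()
        values = entry.get(attr)
        if not values:
            missing.append(f"{data_type} (LDAP attribute {attr})")
        else:
            record[data_type] = values[0]
    if missing:
        raise ValueError("entry unusable for authentication; missing: " + ", ".join(missing))
    record["UniqueID"] = str(int(record["UniqueID"]))   # user ID must be numeric
    return record


def find_user(entries: Dict[str, Dict[str, List[str]]], short_name: str) -> Optional[Dict[str, str]]:
    """Locate a user by RecordName, looking only under the Users search bases."""
    attr = DATA_MAP["RecordName"].lower()
    for dn, entry in entries.items():
        if in_search_base(dn, "Users") and short_name in entry.get(attr, []):
            return map_user(entry)
    return None


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(find_user(directory, "mary"))
    try:
        find_user(directory, "bob")
    except ValueError as exc:
        print("bob:", exc)
```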
Setting Up Search Policies
A server looks for user information in the locations specified in the server’s search policy.
If you are using only NetInfo domains to store user information, the default search policy is
usually sufficient. But when you want to search LDAP servers or additional NetInfo domains,
you define a custom search policy by using Directory Setup.
The Default Search Policy
Your Mac OS X Server always searches its local NetInfo domain when a user tries to log in.
(Illustration: the Local domain, whose parent is the Graduates domain, is asked first: Is the user defined here?)
If a user is not found in the local domain, any parent domain defined for the local domain
is searched:
(Illustration: the Local domain answers No, so the Graduates domain is asked: Is the user defined here?)
If the user is still not found, the next parent in the NetInfo hierarchy is searched, and so on
until the root domain is searched:
(Illustration: the Local domain, Graduates domain, and Research domain each answer No, so the Root domain is asked: Is the user defined here?)
Custom Searches
When you want to use an LDAP server or NetInfo domains that aren’t in the default search
policy to obtain information about users, you set up a custom search policy using the
Directory Setup application. Here’s an example custom search policy:
(Illustration: search order is the Local domain, Graduates domain, Research domain, and Root domain, followed by LDAP Server 1 and then the Campus domain.)
In this scenario, LDAP Server 1 is consulted for user information when a user cannot be
found in the domains of the default search policy. If the user’s information is not found on
the LDAP server, a NetInfo domain named “Campus” is searched.
Using Aliases
Sometimes you’ll want a server to be able to authenticate a user whose information is not
stored in any of the locations specified in a search policy.
Your server can locate the information for such a user if you define an alias for the user in
one of the NetInfo domains that is in the search policy. An alias is a pointer to the location
where the user’s information is actually stored. When the server needs to authenticate a user
using an alias, it retrieves the user’s information from the actual location where it resides.
See the following illustration:
(Illustration: the Science department’s local domain has the Graduates domain as its parent; alias information in the Graduates domain points to the user’s record on the LDAP Server.)
In the picture above, an alias for a user has been defined in the Graduates domain. The alias
is used to retrieve information for the user from an LDAP server. The entire LDAP server does
not need to be searched when a user is not found in the local or Graduates domain. A search
is conducted only for the user the alias refers to.
To set up a scenario such as this one, you would configure your server to access an LDAP
server but not add the LDAP server to the search policy. Then you would create aliases for
individual users on the LDAP server in a NetInfo domain that is in the search policy.
You create aliases using the Users & Groups module of Server Admin. For more information,
see the onscreen help for Users & Groups.
Before You Set Up Your Search Policy
Before you define a server’s search policy, make sure any NetInfo domain or LDAP server you
want the server to search has been configured for access by the Mac OS X Server.
Also determine whether defining aliases in one or more of your NetInfo domains would be
useful for individual users.
Setting Up Search Policies for the First Time
Step 1: Determine whether the default search policy is sufficient
If the default NetInfo search policy is adequate for your environment, you’re done.
Otherwise, go to step 2.
Step 2: Open Directory Setup
The Directory Setup application is located in Applications/Utilities.
Step 3: Define a search policy option for the server
In the Authentication pane, use the Search pop-up menu to choose the search policy you
want to set up:
• “NetInfo network” is the default NetInfo search policy used when a parent NetInfo domain
has been configured for the server. Servers using this policy look for a user’s information in
the local domain first, then proceed through the hierarchy of parent domains.
• “Local directory” causes the server to search for users only in the local NetInfo directory.
• “Custom path” lets you specify locations to search after the server searches NetInfo domains
in the default NetInfo search policy. Select LDAP servers that have been configured for the
server, or NetInfo domains that aren’t in the default search policy. See “Configuring LDAP
Access” on page 323 for details.
Step 4: Define a search policy for personal applications (optional)
In addition to setting up the search policy for the server, you can define a search policy for
use by your personal applications, such as mail or personal information managers. To do so,
use the Contacts pane and the procedure described in step 3.
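The following added Python model (illustrative code, not Apple's and not part of the original guide) walks the three search options from step 3 above, the default upward search described in “How a Server Searches Through NetInfo Hierarchies,” and the alias lookup from “Using Aliases,” over this chapter's example hierarchy (Local, Graduates, Research, Root, LDAP Server 1, Campus). The user names and the alias record are constructed.

```python
from typing import Dict, List, Optional, Sequence, Tuple


class Domain:
    """A NetInfo domain, or an LDAP server, holding user records and aliases."""

    def __init__(self, name: str, users: Sequence[str] = (),
                 aliases: Optional[Dict[str, str]] = None,
                 parent: Optional["Domain"] = None) -> None:
        self.name = name
        self.users = set(users)
        # alias: short name -> name of the store that actually holds the record
        self.aliases = dict(aliases or {})
        self.parent = parent


# Constructed hierarchy using this chapter's domain names; user names are made up.
ROOT = Domain("Root domain", ["instructor"])
RESEARCH = Domain("Research domain", ["fellow"], parent=ROOT)
GRADUATES = Domain("Graduates domain", ["grad"],
                   aliases={"visitor": "LDAP Server 1"}, parent=RESEARCH)
LOCAL = Domain("Local domain", ["student"], parent=GRADUATES)
LDAP1 = Domain("LDAP Server 1", ["visitor", "contractor"])
CAMPUS = Domain("Campus domain", ["staffer"])
STORES = {d.name: d for d in (ROOT, RESEARCH, GRADUATES, LOCAL, LDAP1, CAMPUS)}


def netinfo_network(local: Domain) -> List[Domain]:
    """'NetInfo network': the local domain, then each parent up to the root."""
    chain: List[Domain] = []
    d: Optional[Domain] = local
    while d is not None:
        chain.append(d)
        d = d.parent
    return chain


def local_directory(local: Domain) -> List[Domain]:
    """'Local directory': only the local NetInfo domain is searched."""
    return [local]


def custom_path(local: Domain, extra: Sequence[Domain]) -> List[Domain]:
    """'Custom path': the default NetInfo chain, then the extra locations in order."""
    return netinfo_network(local) + list(extra)


def resolve(policy: Sequence[Domain], short_name: str) -> Tuple[List[str], Optional[str]]:
    """Walk the policy in order; return (locations consulted, store holding the record).

    A domain answers either because it defines the user or because it holds an
    alias for the user; an alias triggers a lookup of that one user in the aliased
    store only, even when that store is not in the search policy.
    """
    consulted: List[str] = []
    for domain in policy:
        consulted.append(domain.name)
        if short_name in domain.users:
            return consulted, domain.name
        target = domain.aliases.get(short_name)
        if target is not None:
            store = STORES[target]
            consulted.append(f"{store.name} (via alias)")
            return consulted, (store.name if short_name in store.users else None)
    return consulted, None


if __name__ == "__main__":
    policies = (
        ("NetInfo network", netinfo_network(LOCAL)),
        ("Local directory", local_directory(LOCAL)),
        ("Custom path", custom_path(LOCAL, [LDAP1, CAMPUS])),
    )
    for label, policy in policies:
        for name in ("student", "instructor", "visitor", "contractor", "staffer"):
            print(f"{label:16} {name:11} -> {resolve(policy, name)}")
```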
CHAPTER 3
Users and Groups
What Are Users and Groups?
To give individuals or groups (collections of individuals with similar requirements) access to
your Mac OS X Server and to the services it hosts, you define users and groups.
This chapter summarizes the attributes of users and groups and tells you how to set them up.
How User Information Is Used
Your Mac OS X Server uses information you define for users to authenticate them and
determine whether they are authorized to use particular services. User information is stored
in NetInfo databases, known as domains:
(Illustration: two Mac OS X Servers, each with its own Local domain; one of them also hosts a Shared domain. A Mac OS 9 user, a Mac OS X user, and a Windows user connect to the servers.)
Every Mac OS X computer and Mac OS X Server has a local domain. Users defined in a local
domain can only use the computer where the local domain resides. In the preceding
illustration, users defined in the local domain on a server only have access to that server. And
users defined in the local domain on a Mac OS X computer can only log in to that computer.
Mac OS X Servers can also have shared domains defined on them. A shared domain stores
user information that can be used by multiple Mac OS X computers and servers on a
network. If a user is defined in a shared domain, he or she can use any computers that are
configured to retrieve user information from that domain. In the preceding illustration, users
defined in the shared domain can log in to either server or to a Mac OS X computer. If a user
is not found in the local domain when the user logs in, the shared domain is consulted.
You use the Users & Groups module in Server Admin to define users and groups in a server’s
local and shared domains.
You can also configure a server to retrieve user information from Lightweight Directory
Access Protocol (LDAP) servers. See “Using LDAP” on page 51 for more information if you are
using or plan to use an LDAP server.
Characteristics of Users
When you define a user, you specify the information needed to authenticate the user: user
name, password, and user ID. Regardless of the services a user will be using, this information
is required. When the user logs in, the user name and password entered by the user must
match one of the users defined for the server for the user to be authenticated.
Other information stored for users is needed by individual services—to determine what the
user is authorized to do and perhaps to personalize the user’s environment. For example:
• A user’s server access information determines whether the user can administer the server.
Only users with administrator privileges can use Server Admin and the other server
administration applications.
• A user’s mail information describes the user’s mail account attributes, which are used by
mail service (page 153).
• Macintosh Management service (page 195), Web service (page 121), Apple file service
(page 85), and Network File System service (page 100) use home directory information
for a user. A home directory is a network location where a user’s files and preferences
are stored.
58Chapter 3
Characteristics of Groups
A group is simply a collection of users who have similar needs. For example, you can add all
English teachers to one group and give the group access privileges to certain files or folders
on the Mac OS X Server.
Groups simplify the administration of shared resources; instead of granting access to those
resources to each individual who needs them, you can simply add the users to a group, and
grant access to the group.
Before You Set Up Users and Groups
Before setting up users and groups on one or more Mac OS X Servers:
• Devise a strategy for storing user information so that it is accessible to all Mac OS X
Servers that need it. Set up any shared NetInfo domains or LDAP servers needed to
implement that strategy, using the information provided in Chapter 2, “Directory
Services.”
• If a server has multiple NetInfo domains, determine which users should be defined in
each domain.
Note: If all the NetInfo domains have not been finalized when you are ready to start adding
users, simply add them to any NetInfo domain that already exists on one of your servers.
(You can always use the local domain—it’s always available.) You can easily move users and
groups to another domain or server later using the Users & Groups module; instructions are
in the onscreen help for Users & Groups.
• Identify users who have similar server requirements. You can add them to groups.
Setting Up Users and Groups for the First Time
To set up users and groups on your Mac OS X Server, complete the following steps. If you
require additional help to perform any of these steps, click Users & Groups in Server Admin,
then choose Help.
Step 1: Modify the administrator account defined at server setup
When you use the Setup Assistant to configure your server, you specify a password for the
owner/administrator. The password you specify also becomes the root password for your
server. Use the Users & Groups module in Server Admin to create an administrator user
with a password that is different from the root password. Server administrators do not need
root privileges.
Users and Groups59
The root password should be used with extreme caution and stored in a secure location. The
root user has full access to the system, including system files. If you need to, you can use the
Users & Groups module to change the root password. Choose Show Users & Groups List,
then select Show System Users & Groups to work with the root user.
Step 2: Create new users
Use the Users & Groups module in Server Admin to create new user accounts. If the server
has multiple NetInfo domains, be sure to select the domain where you want to create the
user. See “User Settings,” next, for an explanation of user settings.
Step 3: Create new groups (optional)
Use the Users & Groups module in Server Admin to create new groups if you want to use
them. If the server has multiple NetInfo domains, be sure to select the domain where you
want to create the new group. See “Group Settings” on page 68 for an explanation of the
group settings.
User Settings
To access the user settings, click the General tab in Server Admin. Then do any of the following:
To create a new user:
• Click Users & Groups and choose New User. Then, if presented with a list of domains,
choose the NetInfo domain in which you want to create the user.
• Click the New User button in any Users & Groups window in which it is available. (The
new user will be created in the domain you are currently working with.)
To edit a user:
• Select the user’s name in a window (for example, the U&G Find Results window) and
click the Edit button.
The user settings window has four panes: General, Advanced, Comment, and Mail Service.
Choose the pane you want to work with from the pop-up menu at the top of the window.
General User Settings
Name
Enter a name used to identify the user—for example, Bob W. Brown, Jr.
Short Name
Enter a short login name, which may also be used in an email address. It can contain only
letters, numbers, the hyphen character (-), and the underscore character (_). Typically, this
name contains 8 or fewer characters.
Password
Enter the user’s password. The user enters this password when logging in to the server.
The password is case-sensitive and does not appear on the screen as it is entered. The
user can change the password when he or she logs in.
Use letters, numbers, and symbols in combinations that won’t be easily guessed by
unauthorized users. Avoid spaces and Option-key combinations. Also avoid characters that
can’t be entered on computers the user will be using. (Some computers do not support
passwords that contain double-byte characters, leading spaces, embedded spaces, and so
forth.) See “Mac OS X Server Password Restrictions” on page 71 for password requirements
of specific services on your Mac OS X Server.
Verify
Use this field to reenter the password you entered in the Password field.
User can administer the server
Select this option if you want the user to be able to administer the server. When you first
install Mac OS X Server, only the owner/administrator designated during server setup can
administer it. Server administrators can use Server Admin and other server administration
applications, and they have full access to all the server’s facilities.
User can log on
Select this option if you want the user to be able to log in to the server. It is selected by
default. Deselecting this setting does not disable mail delivery to the user. To disable mail
delivery, use the Mail Service pane.
Advanced User Settings
User ID
This is a number that uniquely identifies a user and determines the privileges the user has on
a Mac OS X Server. For example, user IDs are used to manage privileges associated with
share points; for more about privileges, see Chapter 4, “Sharing.”
The user ID is assigned automatically when a new user is created, but you can change it.
Assign a value of 100 or greater that is unique within the server’s search policy. (The search
policy is described in “Setting Up Search Policies” on page 52.) The maximum number is
2,147,483,647. User IDs below 100 are assigned to system accounts. Users with these IDs
cannot be deleted and should not be modified.
Primary Group
Enter the ID of the group you want the user to automatically belong to. By default, it is 20.
Login Shell
Choose the default shell the user will use for command-line interactions with the server. The
option None, which prevents a user from using the command line, is useful if you want to
make sure a user cannot access the server using SSH.
Home Directory
Define the user’s home directory. This is a folder for a user’s personal use. It is displayed
automatically when the user chooses Home from the Finder’s Go menu. It must be located
within a special directory known as a share point.
Before you define a home directory, the share point in which you want it to reside must
exist. You can use the default share point for home directories (Users) or create a different
share point. Make sure that the share point owner has Read & Write privileges and that
Group and Everyone have Read privileges. See Chapter 4, “Sharing,” for information about
share points and privileges, and Users & Groups Help for instructions on creating a share
point for home directories.
When you initially define a user, the default home directory settings are assigned to the user.
(You can define the default home directory settings using the Home Directory Defaults
command in the Users & Groups menu.) You can override the default settings for each
individual user if you like:
• Choose None to give the user no home directory.
• Choose Local to create a home directory on the server where the user is defined. The
directory will have the same name as the user’s short name and will reside in the share
point you choose from the Share Point pop-up menu. If the share point is Users, the
home directory for a user named Mary might be the folder Users/Mary. The home
directory name is displayed next to Path, under the Share Point pop-up menu.
The path to the home directory relative to the share point is displayed beneath the home
directory name.
When Server Admin creates the home directory, the user is defined as the owner of the
home directory and assigned Read & Write privileges.
• Choose Custom if you want to define a home directory on a different server or if you
want full control over the home directory path and name.
Important: Server Admin automatically creates home directories only on the server you are
logged in to. If you want a user’s home directory to reside on a remote server, create the
home directory manually before using the Advanced pane to associate a user with the home
directory. Onscreen help tells you how to define home directories manually.
The Custom option is useful, for example, if you want to organize home directories into
several subdirectories within a share point. If Users is the share point, and home
directories for teachers and students are grouped into subdirectories named Teachers and
Students, a teacher’s home directory might be Users/Teachers/Smith, and a student’s
home directory might be Users/Students/Mary. Because the home directories are not at
the top level within the share point, you would use the Custom option to define them.
Enter the server’s DNS name or IP address in the Server field and the share point in the
Share Point field. In the Path field, enter the home directory folder name preceded by the
path to it within the share point. The path to the home directory relative to the share
point is displayed beneath the Path field.
After using the Custom option to create a home directory on the local server, use the
Sharing module to define the user as the owner of the home directory, and assign the
owner Read & Write privileges. Refer to Chapter 4, “Sharing,” for information about
defining privileges.
You can configure home directories to be visible automatically to network users. See “Setting
Up Home Directories to Mount Automatically” on page 70 for instructions.
User Comment
You can use the Comment pane to enter general information about the user. Comments can
be as long as 32,767 characters.
Mail Service Settings
The Mail Service pane lets you enable and disable the user’s access to mail and configure
settings for the user’s mail account. See Chapter 8, “Mail Service,” for complete information
about how these settings are used to provide mail services for a user.
Disabling Mail
To disable mail delivery for the user, click None.
Enabling Mail
To enable mail delivery for the user and set mail account options, click Enable.
Mail Account located on server
Enter the IP address or DNS name of the server to which the user’s mail is routed.
Select the access method of the account
Select the protocol used for the user’s mail account: Post Office Protocol (POP) and/or
Internet Message Access Protocol (IMAP). Chapter 8, “Mail Service,” provides information
about these protocols.
Options
Click to set additional mail account options:
Use separate inboxes for POP and IMAP
Select this option to manage POP and IMAP mail using different inboxes.
Show POP mailbox in IMAP folder list
Select this option to show an IMAP folder named “POP Inbox.”
Enable NotifyMail
Select this option to automatically notify the user’s mail application when new mail has
arrived. The IP address to which the notification is sent can be either the last address from
which the user logged in or an address you specify.
Forwarding Mail
You can automatically forward a user’s mail to a particular email address by clicking Forward
and specifying the address.
Group Settings
To access the group settings, click the General tab in Server Admin, then do any of the
following:
To create a new group:
• Click Users & Groups and choose New Group. Then choose the domain in which you
want to create the new group if presented with a list of domains.
• Click the New Group button in any Users & Groups window in which it is available. (The
new group will be created in the domain you are currently working with.)
To edit a group:
• Select the group’s name in a window that lists groups (for example, the U&G Find Results
window) and click the Edit button.
This is the window you use to work with group settings.
Name
Enter a name for the group. If you want to be able to send mail to the group, the name
should not include the space character or Option-key characters.
GID
This is the group’s ID, used to determine what members of the group can do on the server.
For example, the group ID is used internally to keep track of privileges associated with share
points. For more about privileges, see Chapter 4, “Sharing.”
The group ID is assigned automatically when a new group is created, but you can change it.
Assign a value greater than 100 that is unique within the NetInfo domain you are working
with. Groups with IDs below 100 cannot be deleted.
Name, Kind, ID, and Location
These are characteristics of users currently associated with the group. “Kind” lists
“Administrator” if the user has administrator rights; otherwise it lists “User.” “Location”
identifies the NetInfo domain in which the user is defined. You may need to scroll
horizontally to see all these columns.
To add a user to the group, click Open U&G List, then drag the user from the Users &
Groups List into the group settings window. To remove a user from the group, select the
user, then click Remove.
Users and Groups Strategies and Tips
This section provides some techniques that can be used to help you manage your users
and groups.
Exporting and Importing Users and Groups
On some occasions you may need to put information for users or groups in a text file, then
add users and groups from the file instead of adding them individually. This approach is
useful, for example, when you want to add the same users and groups to multiple servers
that aren’t on the same network.
You can use the Users & Groups module to import the users and groups from the file into a
NetInfo domain on any Mac OS X Server. To create the file, you have two options:
• The Users & Groups module can automatically create the file for you. This process is
known as exporting users and groups.
• You can also create the file by hand. “File Format for Importing or Exporting Users and
Groups” on page 308 describes the format of the file and provides instructions.
For additional instructions on using the Users & Groups module to import and export users
and groups, see the onscreen help.
Setting Up Home Directories to Mount Automatically
A user’s home directory is automatically visible when the user chooses Home from the
Finder’s Go menu.
You can also make home directories visible automatically to network users. Follow these
steps to set up home directories to mount automatically for network users:
Step 1: Configure NetInfo
Create a shared NetInfo domain on the server where you want to store home directories.
The domain must be in the search policy of Mac OS X computers on which you want
automatic mounting to be available. See Chapter 2, “Directory Services,” for information
about defining NetInfo domains and search policies.
Step 2: Set up a share point on the server
Use the Server Admin Sharing module to create a share point on the server and set it up for
mounting automatically (page 80). See onscreen help for specific instructions.
Step 3: Make sure that users will not be automatically disconnected
Use the Server Admin Apple file service module to make sure that users will not be
automatically disconnected when they do not use the server for a while. In the Idle Users
pane, do not select “Disconnect idle users after _ minutes.” See page 90 for more
information about this setting.
Step 4: Define users and their home directories
Use the Server Admin Users & Groups module to define users and aliases, if needed, in the
shared NetInfo domain created in step 1. When setting up the user home directories, choose
the share point configured in step 2.
Mac OS X Server Password Restrictions
Most of the Mac OS X Server applications and services that require passwords support
7-bit or 8-bit ASCII passwords without leading or trailing spaces. Use the following table
to determine whether you need to take these restrictions into account when defining
passwords for server users:
Service or application                7-bit ASCII     8-bit ASCII               Double-byte
                                      passwords OK    passwords OK              passwords OK
Apple file service                    X               X
File Transfer Protocol (FTP) service  X
IMAP                                  X               X (some IMAP clients)
Macintosh Manager                     X               X
POP3                                  X
Server Admin                          X               X
Web service                           X
Windows services                      X
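An added Python check (illustrative code, not Apple's and not part of the original guide) that applies this chapter's rules to a proposed account before it is created: the Short Name character set and typical length, the User ID range and uniqueness within the search policy, and the per-service password support from the table above (no leading, trailing, or embedded spaces; 8-bit and double-byte characters only where the table allows them). The sample accounts and the list of existing user IDs are constructed.

```python
import re
from typing import Any, Dict, Iterable, List

# Password support per service, transcribed from the table above as
# (7-bit ASCII OK, 8-bit ASCII OK). No service in the table accepts double-byte passwords.
SERVICE_PASSWORDS = {
    "Apple file service": (True, True),
    "File Transfer Protocol (FTP) service": (True, False),
    "IMAP": (True, True),  # 8-bit only with some IMAP clients
    "Macintosh Manager": (True, True),
    "POP3": (True, False),
    "Server Admin": (True, True),
    "Web service": (True, False),
    "Windows services": (True, False),
}

UID_MIN, UID_MAX = 100, 2_147_483_647            # Advanced User Settings: User ID
SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # letters, numbers, hyphen, underscore
SHORT_NAME_TYPICAL_MAX = 8                       # "typically 8 or fewer characters"


def password_class(password: str) -> str:
    """'7-bit', '8-bit' (code points up to U+00FF), or 'double-byte' (anything above)."""
    top = max((ord(c) for c in password), default=0)
    if top < 0x80:
        return "7-bit"
    if top < 0x100:
        return "8-bit"
    return "double-byte"


def check_password(password: str, services: Iterable[str]) -> List[str]:
    """Problems the password would have with each service the user will use."""
    problems: List[str] = []
    if not password:
        return ["password is empty"]
    if password != password.strip(" "):
        problems.append("password has a leading or trailing space")
    elif " " in password:
        problems.append("password contains an embedded space")
    cls = password_class(password)
    for service in services:
        _seven_bit_ok, eight_bit_ok = SERVICE_PASSWORDS[service]
        if cls == "double-byte" or (cls == "8-bit" and not eight_bit_ok):
            problems.append(f"{cls} password is not supported by {service}")
    return problems


def check_user(user: Dict[str, Any], uids_in_search_policy: Iterable[int]) -> List[str]:
    """Validate short name, user ID, and password against this chapter's rules."""
    problems: List[str] = []
    short = str(user["short_name"])
    if not SHORT_NAME_RE.match(short):
        problems.append("short name may contain only letters, numbers, '-' and '_'")
    if len(short) > SHORT_NAME_TYPICAL_MAX:
        problems.append(f"short name is longer than the typical {SHORT_NAME_TYPICAL_MAX} characters")
    uid = int(user["uid"])
    if not UID_MIN <= uid <= UID_MAX:
        problems.append(f"user ID {uid} is outside {UID_MIN}..{UID_MAX}"
                        f" (IDs below {UID_MIN} belong to system accounts)")
    if uid in set(uids_in_search_policy):
        problems.append(f"user ID {uid} is already used within the search policy")
    problems.extend(check_password(str(user["password"]), user["services"]))
    return problems


# Constructed sample accounts and the IDs already present in the search policy.
EXISTING_UIDS = [100, 501, 502]
GOOD_USER = {"short_name": "mary", "uid": 1001, "password": "Ap1ne-R1dge",
             "services": ["Apple file service", "Windows services", "IMAP"]}
BAD_USER = {"short_name": "bob brown", "uid": 501, "password": " pässword",
            "services": ["File Transfer Protocol (FTP) service", "Server Admin"]}

if __name__ == "__main__":
    for label, account in (("good", GOOD_USER), ("bad", BAD_USER)):
        print(label, check_user(account, EXISTING_UIDS) or "ok")
```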
Solving Problems With Users and Groups
If users can’t access files in their home directories:
Ensure that users have access to the share point in which their home directories are located
and to their home directories. Users need Read access to the share point and Read & Write
access to their home directories.
If a Mac OS X user defined in a shared NetInfo domain can’t log in:
This problem occurs when a user tries to log in to a Mac OS X computer using an account in
a shared NetInfo domain, but the server hosting the domain isn’t accessible. The user can log
in to the Mac OS X computer by using the local user account created automatically when he
or she set up the computer to use a NetInfo account. The user name is “administrator”
(short name is “admin”) and the password is the NetInfo password.
Chapter 4
Sharing
What Is Sharing?
The Sharing module in Mac OS X Server allows you to designate the information you want to
share with others and assign access privileges to control who can see and use the information.
Shared items are contained within one or more share points. A share point is a folder, hard
disk (or hard disk partition), or CD accessible over the network. It’s the point of access at the
top level of a group of shared items. Users see share points as volumes mounted on the
desktop, or as volumes in the Finder in Mac OS X.
Privileges are the access levels you assign to any items you want to share with users. You’ll
use the Sharing module of Server Admin to set up share points and privileges that are used
by other services such as Apple file service, Windows services (SMB), Network File System
(NFS) service, and File Transfer Protocol (FTP) service.
Note: QuickTime Streaming Server and Web service have their own privileges settings. You
can read more about QuickTime Streaming Server in Chapter 9. You’ll find information on
Web privileges in “Access Settings for Web Sites” on page 134.
Before You Assign Privileges
Before you assign privileges, you need to understand how privileges for shared items work.
You also need to consider which users need access to shared items, and what type of
privileges you want those users to have.
Explicit Privileges
Share points and shared items (including files) have their own individual privileges. If you
move an item to another folder, it retains its own privileges and doesn’t automatically adopt
the privileges of the folder where you moved it. In the following illustration, the second
folder (Designs) and the third folder (Documents) were assigned privileges that are different
from those of their “parent” folders:
[Illustration: the Engineering folder (Read & Write) contains the Designs folder (Read only), which in turn contains the Documents folder (Read & Write).]
Types of Privileges
There are four types of privileges that you can assign to a share point, folder, or file: Read &
Write, Read Only, Write Only, and None. The table below shows how the privileges affect user
access to different types of shared items (files, folders, and share points).
Users can                                          Read & Write   Read only   Write only   None
Open a shared file                                 Yes            Yes         No           No
Copy a shared file                                 Yes            Yes         No           No
Edit a shared file’s contents                      Yes            No          No           No
Open a shared folder or share point                Yes            Yes         No           No
Copy a shared folder or share point                Yes            Yes         No           No
Move items into a shared folder or share point     Yes            No          Yes          No
Move items out of a shared folder or share point   Yes            No          No           No
You can assign Write Only privileges to a folder to create a drop box. The folder’s owner can
see and modify the drop box’s contents; everyone else can only copy files and folders into it,
without seeing what it contains.
User Categories
You can assign access privileges separately to three categories of users:
Owner
A user who creates a new item (file or folder) on the file server is its owner, and automatically
has Read & Write privileges to that item. The owner of an item and the server administrator
are the only users who can change its access privileges. The administrator or the item’s
owner can transfer ownership of the shared item to another user.
Group
You can put users who need the same access to files and folders into group accounts. Only
one group can be assigned access privileges to a shared item. For more information on
creating groups, see Chapter 3, “Users and Groups.”
Everyone
Everyone is any user who can log in to the file server: registered users, guests, anonymous
FTP users, and Web site visitors.
Privileges Hierarchy
If a user is included in more than one category of users, each of which has different
privileges, these rules apply:
m Group privileges override Everyone privileges.
m Owner privileges override Group privileges.
For example, when a user is both the owner of a shared item and a member of the group
assigned to it, the user has the privileges assigned to the owner.
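The following Python script is an added example, not code from the Apple guide: it encodes the privileges table, the Owner-over-Group-over-Everyone hierarchy, the rule that privileges do not inherit from a parent folder, and the troubleshooting rule from “Solving Problems With Sharing” (a user finds an item only if the share point and every folder on the path are at least readable). It also lists the places where the Everyone category may add items, which is the check the “Security Issues” section asks you to make before granting guest access. The share tree, user names and group names are constructed for illustration and are not from the guide.

```python
from dataclasses import dataclass, field

READ_WRITE = "Read & Write"
READ_ONLY = "Read only"
WRITE_ONLY = "Write only"
NONE = "None"

# What each privilege level allows, taken from the guide's privileges table.
CAN = {
    READ_WRITE: {"open", "copy", "edit", "move_in", "move_out"},
    READ_ONLY: {"open", "copy"},
    WRITE_ONLY: {"move_in"},
    NONE: set(),
}


@dataclass
class Item:
    """A share point, folder or file with its own (non-inherited) privileges."""
    name: str
    owner: str
    group: str
    privs: dict  # {"owner": ..., "group": ..., "everyone": ...}
    children: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    groups: set
    guest: bool = False  # guests never match the Owner or Group category


def effective_privilege(item, user):
    """Owner privileges override Group privileges, which override Everyone."""
    if not user.guest and user.name == item.owner:
        return item.privs["owner"]
    if not user.guest and item.group in user.groups:
        return item.privs["group"]
    return item.privs["everyone"]


def can(item, user, action):
    return action in CAN[effective_privilege(item, user)]


def resolve(share_point, path):
    """Return the items from the share point down to the item at `path`."""
    items = [share_point]
    for part in [p for p in path.split("/") if p]:
        items.append(items[-1].children[part])
    return items


def can_reach(share_point, path, user):
    """A user finds an item only if the share point and every folder on the
    path are at least readable (Read & Write or Read only) for that user."""
    *containers, _ = resolve(share_point, path)
    return all(can(c, user, "open") for c in containers)


def guest_writable(item, path=""):
    """Paths (relative to the share point) where the Everyone category may
    add items; these are the places guests can introduce files."""
    here = f"{path}/{item.name}" if path else item.name
    hits = [here] if "move_in" in CAN[item.privs["everyone"]] else []
    for child in item.children.values():
        hits += guest_writable(child, here)
    return hits


def sample_share():
    """Constructed share tree modelled on the guide's Engineering illustration."""
    engineering = Item("Engineering", "alice", "eng",
                       {"owner": READ_WRITE, "group": READ_WRITE, "everyone": READ_ONLY})
    designs = Item("Designs", "alice", "eng",
                   {"owner": READ_WRITE, "group": READ_ONLY, "everyone": NONE})
    documents = Item("Documents", "bob", "eng",
                     {"owner": READ_WRITE, "group": READ_WRITE, "everyone": READ_WRITE})
    drop_box = Item("Drop Box", "alice", "eng",
                    {"owner": READ_WRITE, "group": WRITE_ONLY, "everyone": WRITE_ONLY})
    engineering.children = {"Designs": designs, "Drop Box": drop_box}
    designs.children = {"Documents": documents}
    return engineering


if __name__ == "__main__":
    root = sample_share()
    carol = User("carol", {"marketing"})
    guest = User("guest", set(), guest=True)
    # Documents grants Everyone Read & Write, but carol cannot reach it because
    # Designs grants Everyone None and privileges do not inherit.
    print(can_reach(root, "Designs/Documents", carol))   # False
    print(can(root.children["Drop Box"], guest, "open"))  # False
    print(guest_writable(root))  # flags Documents and Drop Box
```

Note that the audit flags Documents even though guests cannot currently reach it: because privileges are explicit per item, the moment someone relaxes the Everyone privilege on Designs, Documents becomes writable by every anonymous user, so it is worth fixing the leaf rather than relying on the parent.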
Client Users and Privileges
Users can set some privileges for files or folders that they create on the server, or in shared
folders on their desktops. Users of AppleShare Client software can set access privileges for
folders they own. Windows file sharing users can set folder properties, but not privileges.
Security Issues
Security of your data and your network is critical. The most effective method of securing your
network is to assign appropriate privileges for each file, folder, and share point as you create it.
Be careful when creating and granting access to share points, especially if you’re connected to
the Internet. Granting access to Everyone, or to World (in Network File System service) could
potentially open up your data to anyone on the Internet.
Restricting Access by Unregistered Users (Guests)
When you configure any file service, you have the option of turning on guest access. Guests
are users who can connect to the server anonymously without entering a valid user name or
password. Users who connect anonymously get only the privileges assigned to the Everyone
category, so they can reach only files and folders whose Everyone privilege is not None.
To protect your information from unauthorized access, and to prevent people from
introducing software that might damage your information or equipment, you can take these
precautions using the Sharing module of Server Admin:
m Share individual folders instead of entire volumes. The folders should contain only those
items you want to share.
m Set privileges for Everyone to None for files and folders that guest users should not access.
Items with this privilege setting can only be accessed by the item’s owner or group.
m Put all files available to guests in one folder or set of folders. Assign the Read Only
privilege to the Everyone category for that folder and each file within it.
m Assign Read & Write privileges to the Everyone category for a folder only if guests must be
able to change or add items in the folder. Keep a backup copy of the information in that
folder, and check it frequently for changes and additions, since anyone on the network can
put files there.
m Check all shared folders frequently for changes and additions, and check the server for
viruses regularly with a virus-protection program.
m Disable anonymous FTP access using the FTP module of Server Admin.
m Don’t export NFS volumes to World. Restrict exports to a specific set of computers.
Setting Up Sharing for the First Time
You use the Sharing module of Server Admin to create share points and shared items, and to
set privileges for them. When you set privileges, you also need to use the Users & Groups
module of Server Admin to find groups.
The following steps tell you what to do to set up sharing for the first time. If you require
additional help to perform any of these steps, click Sharing in Server Admin, then choose Help.
Step 1: Turn file service on
If you are administering the server remotely and want to select share points and set privileges,
Apple file service must be running. If you’re not sure if it’s running, you can check easily. In
Server Admin, click the File & Print tab. A service that is running has a globe on its icon. If you
don’t see the globe on the file service that you want, click the service icon, then choose the
“Start” menu item.
Step 2: Create a share point
If you haven’t already done so, create the item you want to share. You may want to partition a
disk into volumes to give each volume different access privileges, or create folders that will
have different levels of access.
To create a new folder, open the disk or folder where you want to place the new folder.
Choose New Folder from the File menu and name the new folder.
Step 3: Set privileges for share points
Click the General tab, then click Sharing and choose Set Sharing Attributes. Select the item
you want to share, then click Choose. The sharing window for the share point appears,
where you can set the access levels you want.
To assign user and group access for a share point, click Users & Groups and choose Show
Users & Groups List, or Find Users & Groups. If you choose Find, do a search for the user or
group you want. Then drag the name to the appropriate field in the sharing window.
Choose the access privileges for Owner, Group, and Everyone from the pop-up menu next to
each field. The privileges you assign are used by Apple file service, Windows services, and
FTP service.
Sharing Settings
You set access privileges for share points in the sharing window. To access the sharing
window, click Sharing in Server Admin. Then do one of the following:
m Choose Set Sharing Attributes, select an item, then click Choose.
m Choose Show Disks & Share Points, select an item, then click Privileges.
Choose General, Automount, or NFS Access Control from the pop-up menu to set privileges
for a shared item. The settings available in each pane are described in the following sections.
General Settings
You use the General pane to set access privileges for share points and shared items.
Share this item and its contents
Select this option to set up the share point for AFP, Windows, and FTP access. To set it up for
NFS access, see “NFS Access Control Settings” on page 81. You can share an item for either or
both of these access strategies.
Owner
Drag a user from the Server Admin Users & Groups List to this field. The default owner is the
person who created the item.
Group
Drag a group from the Server Admin Users & Groups List. If you don’t want any group to
have access, set the Group access privileges to None.
Everyone
Everyone is any user who can log in to the file server: registered users, guests, anonymous
FTP users, and Web site visitors. If you don’t want everyone to have access, set the Everyone
access privileges to None.
Privileges
Choose access levels for Owner, Group, and Everyone from the pop-up menu to the right of
each user category.
Copy
Click this button to copy this share point’s privileges to all items (files and folders) contained
in it. This will override privileges that other users may have set.
Automount Settings
You use the Automount pane to set up share points (not files) to mount automatically for
Apple file service or NFS service. To access the Automount pane, select a shared item in the
Disks & Share Points window and click Privileges. Then choose Automount from the pop-up
menu below the share point name.
Automount this item to clients in domain
Choose the shared NetInfo domain to which you want to publish (or automount) this shared
item. The share point will be mounted automatically on any computer configured to use the
shared domain.
You are asked for the user name and password of a user authorized to change the domain.
After you are authenticated, click “Automount this item to clients in domain.”
Mount dynamically in /Network/Servers
Select this option if you want client users to see share points in the /Network/Servers
folder of their computer. When the user double-clicks a share point in the folder, the share
point mounts on the user’s desktop or in the Finder (depending on the user’s System
Preferences settings).
Mount statically in
Select this option if you want the share point to mount automatically when the client
computer starts up. Choose the location where you want the item to appear. Do not use
static mounts for home directories.
Automount options
If you’ve set up the share point for access using AFP and NFS, click one of the radio buttons
to indicate which protocol you want to use to mount the share point.
NFS Access Control Settings
You use the NFS Access Control pane to set up Network File System (NFS) share point
exports and access privileges for them. NFS handles authentication differently than other
file services: it grants access by the client computer’s IP address rather than by user name
and password, so anyone using a permitted client computer (or able to present its address)
gets whatever access you granted to that address.
NFS share points are exported to valid client computers, and these exports are mounted as
volumes in a location that you specify. NFS exports can also be Apple file service or Windows
services share points, but they don’t have to be.
To access the NFS Access Control settings, click Sharing and choose Set Sharing Attributes.
Select the item you want to share, then click Choose. Choose NFS Access Control from the
pop-up menu below the item name. For information about the settings, see page 102.
Solving Problems With Sharing
If users can’t find a shared item:
Check the access privileges for the item. Users must have at least Read access privileges to
the share point where the item is located, and to each folder in the path to the item.
Note: Server administrators don’t see share points the same way a user does because
administrators see everything on the server. To see share points from a user’s perspective,
log in using a user’s name and password.
If users can’t access a CD-ROM disc:
m Make sure you’ve made the CD-ROM disc a share point.
m If you share multiple CDs, make sure each CD has a unique name.
Chapter 5
File Services
What Are File Services?
File services allow your client users to access files, applications, and other resources over a
network. You use Server Admin to configure file services, turn them on and off, and check
their status. You can turn on guest (unregistered user) access for each service using the
module for that service, but to control access to the items you share, you use the Sharing
module of Server Admin. For more information about sharing, see Chapter 4, “Sharing.”
Mac OS X Server includes four file services:
m Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources
with clients who use Macintosh or Macintosh-compatible operating systems.
m Windows services use Server Message Block (SMB) protocol to let you share resources
with clients who use Windows or Windows-compatible operating systems, and to provide
name resolution service for Windows clients.
m Network File System (NFS) service lets you make directories (folders) available for your
users who have NFS client software.
m File Transfer Protocol (FTP) service lets you share files with anyone using FTP.
Before You Set Up File Services
The security of your data and your network is the most critical issue you must consider when
setting up your file services.
Setting File and Folder Privileges
The most important protection for your server is how you set the privileges for individual
files. In Mac OS X, every file has its own privilege settings that are independent of the
privileges for its parent folder. Users can set privileges for files and folders they place on the
server, and the server administrator can do the same for share points. For more information
about setting up share points and assigning access privileges, read Chapter 4, “Sharing.”
Restricting Guest Access
When you configure any file service, you have the option of turning on guest access. Guests
are users who can connect to the server anonymously without entering a valid user name or
password. Users who connect anonymously get only the privileges assigned to the Everyone
category, so they can reach only files and folders whose Everyone privilege is not None.
To protect your information from unauthorized access, and to prevent people from
introducing software that might damage your information or equipment, you can take these
precautions using the Sharing module of Server Admin:
m Share individual folders instead of entire volumes. The folders should contain only those
items you want to share.
m Set privileges for Everyone to None for files and folders that guest users should not access.
Items with this privilege setting can only be accessed by the item’s owner or group.
m Put all files available to guests in one folder or set of folders. Assign the Read Only
privilege to the Everyone category for that folder and each file within it.
m Assign Read & Write privileges to the Everyone category for a folder only if guests must be
able to change or add items in the folder. Keep a backup copy of the information in that
folder, and check it frequently for changes and additions, since anyone on the network can
put files there.
m Check all shared folders frequently for changes and additions, and check the server for
viruses regularly with a virus-protection program.
m Disable anonymous FTP access using the FTP module in Server Admin.
m Don’t export NFS volumes to World. Restrict exports to a specific set of computers.
Allowing Access to Registered Users Only
If you do not want to allow guests to access your server, make sure guest access is turned off
for each file service. If you see a checkmark next to Allow Guest Access in any service’s
module, guest access is turned on. Click the box to remove the checkmark and turn guest
access off.
Apple File Service
Apple file service allows Macintosh client users to connect to your server and access folders
and files as if they were located on the user’s own computer. If you are familiar with
AppleShare IP 6.3, you will find that Apple file service in Mac OS X Server functions in the
same way. It uses a new version of the Apple Filing Protocol (AFP), version 3.0, which
supports new features such as Unicode filenames and 64-bit file sizes.
One difference in the new Apple file service is that AppleTalk is no longer supported as a
connection method. Clients using AppleTalk can use the Chooser to look for your server on
the network, but they will use TCP/IP to connect.
Apple file service provides support for Unicode filenames, a standard that assigns a unique
number to every character regardless of language or the operating system used to display
the language.
Before You Set Up Apple File Service
If you turn on Apple file service in the Mac OS X Server Setup Assistant, your server will be
available right away on the network. However, no users can connect to it until you create
share points with appropriate privileges and create authorized users. Read Chapter 4,
“Sharing,” and Chapter 3, “Users and Groups,” to learn more about these topics.
Finding Compatible AppleShare Versions
Client computers must have AppleShare version 3.7 or later installed to access an Apple file
server. You can go to the Apple support Web site at www.apple.com/support/ to find out the
latest version of AppleShare client software supported by the client’s version of the Mac OS.
Enabling AppleTalk on Client Computers
To find the Apple file server over AppleTalk (using the Chooser), client users must enable
AppleTalk. To do this in Mac OS X, open System Preferences and click Network. In Mac OS 9
and earlier, use the AppleTalk control panel.
Setting Up Apple File Service for the First Time
If you asked the Setup Assistant to configure Apple file service when you installed Mac OS X
Server, you don’t have to do anything else to use Apple file service. However, you should
check to see if the default settings meet all your needs. If you did not set up Apple file service
when you installed Mac OS X Server, you can do so now.
Step 1: Configure Apple file service
In Server Admin, click the File & Print tab, then click Apple and choose Configure Apple File
Service. Click each of the four tabs in the Apple File Service Settings window and make the
settings you want. For a description of the available settings, see “Apple File Service Settings”
on page 86.
Step 2: Start Apple file service
Click Apple and choose Start Apple File Service. A globe appears on the service icon when
the service is turned on.
Step 3: Create share points and users and groups
You need to set access privileges for share points (shared folders and disks) that you want to
make available on your server. You also need to assign privileges to the users and groups you
want to access your information. You can find out how to do these tasks in Chapter 4,
“Sharing,” and Chapter 3, “Users and Groups.”
Apple File Service Settings
To access the Apple file service settings, click the File & Print tab, then click Apple and
choose Configure Apple File Service. Click each of the four tabs to see the settings in that
pane. The settings available in each pane are described in the following sections.
General Settings
You use the General pane to set identifying information about your server, enable automatic
startup, and create a login message. To access the General pane, click Apple and choose
Configure Apple File Service.
Computer Name
Type the name you want users to see when using the Chooser or the Network Browser. The
name you enter here must be unique among all computers connected to the network. If you
leave this field blank, the server will register itself on the network using its IP address, and
the server’s DNS name will show in this field.
Start Apple File Service on system startup
Select this option to ensure that if the server is restarted after a power failure or other
unexpected event, file services will be available. In most cases it’s best to turn on this option.
Register with Network Service Location
Select this option if you want to allow users to see this server in the “Connect to Server”
pane in Mac OS X or in the Network Browser in Mac OS 9. This option is available to client
computers that have Mac OS 9 or later installed.
If you turn on this option, you must also enable IP multicasting on your network router. See
Chapter 12, “Network Services,” for more information about Service Location Protocol (SLP)
and IP multicast. See page 265 for information about client and router capabilities.
Logon Greeting
Type the message that you want users to see when they connect.
Note: If a user doesn’t see the login greeting, upgrade the software on the user’s computer.
Client computers must be using AppleShare client software version 3.7 or later.
Do not send same greeting twice to the same user
Select this option if you only want users to see the login greeting once. If you change the
message, users will see the new message the next time they connect to the server.
Access Settings
You use the Access pane to set up client connections and guest access. To find the Access
pane, click Apple and choose Configure Apple File Service, then click the Access tab.
Allow Guest access
Select this option if you want to allow unregistered users to access the file server. Guest
access is a convenient way to provide occasional users with access to files and other items for
which the appropriate privileges have been set.
Maximum client connections (including Guests)
Select Unlimited if you do not want to limit the number of users who can be connected to
your server at one time. If you are using your server to provide a number of services, you can
improve performance by limiting the number of client connections. To do so, click the
button below Unlimited and type the number of connections you want to set as a limit.
Maximum guest connections
Select Unlimited if you are allowing guest access and don’t want to limit the number of guest
users who can be connected to your server at one time. If you want to specify how many of
your maximum client connections can be used by guests, click the button below Unlimited
and type the number of connections you want to allow.
Allow clients to browse using AppleTalk
Select this option if you would like client users to be able to find your file server using the
Chooser. To find the server using the Chooser, AppleTalk must be enabled on both the client
computer and the server.
Encoding for older clients
Choose a character set for the server that matches the character set used by your client
users. When Mac OS 9 and earlier clients are connected, the server converts filenames from
the system’s UTF-8 to the chosen set.
Logging Settings
You use the Logging pane to configure and manage logs for Apple file service. To access
the Logging pane, click Apple and choose Configure Apple File Service, then click the
Logging tab.
Enable Access Log
Select this option if you want to create an access log. The access log stores information about
any of the events you select. The log file is limited only by the amount of available disk space.
Of course, the more events you choose, the larger the log file. Consider your server’s disk
size when choosing events to log.
Archive every _ days
Select this option if you want to specify how often the log file contents are saved to an
archive. After the number of days you specify, the server closes the log file, renames it to
include the current date, then opens a new log file. You can keep the archived logs for your
records, or delete them to free disk space when they are no longer needed. The default
setting is seven days.
Select events to include in the access log
Select the events that you want Apple file service to log. Entries are logged each time a user
performs one of the actions you select.
Error Log: Archive every _ days
Select this option if you want to specify how often the error log file contents are saved to an
archive. After the number of days you specify, the server closes the log file, renames it to
include the current date, then opens a new log file. You can keep the archived logs for your
records, or delete them to free disk space when they are no longer needed. The default
setting is seven days.
Idle Users Settings
You use the Idle Users pane to configure and administer idle user settings. “Idle users” are
users who are connected to the server but haven’t used the server volume for a period of
time. To access the Idle Users pane, click Apple and choose Configure Apple File Service,
then click the Idle Users tab.
Allow clients to sleep _ hour(s)–will not show as idle
Select this option if you don’t want the server to disconnect client computers that are in
sleep mode. Sleep is a state in which a client computer uses very little power. On computers
with the Energy Saver software installed, users can set the computer to sleep after a period
of inactivity.
Disconnect idle users after _ minutes
Select this option if you want to disconnect idle users after a specified time. This ensures that
server resources are available to current users. In addition, it may prevent unauthorized
users from using an unattended computer to access information on the network.
Except
Select the users that you want to exempt from being disconnected:
m Guests
m Registered users (any user who is not also an administrator or guest)
m Administrators
m Idle users who have open files
Important If you don’t select the last option, any idle user (guests, registered users, or
administrators) who has open files will be disconnected and will lose unsaved changes to
their work.
Disconnect Message
Type the message you want users to see when they’re disconnected. If you do not type a
message, a default message appears stating that the user has been disconnected because the
connection has been idle for a period of time.
Not all client computers can display disconnect messages.
Solving Problems With Apple File Service
If users can’t find the file server:
m Make sure the network settings are correct on the user’s computer and on the computer
that is running Apple file service. If you can’t connect to other network resources from
the user’s computer, the network connection may not be working.
m Make sure the file server is running. You can use a “pinging” utility to check whether the
server is operating.
m If the user is searching for the server via AppleTalk (in the Chooser), make sure you’ve
enabled browsing over AppleTalk in the Access pane of the Apple File Server Settings
window, and that AppleTalk is active on both the server and the user’s computer.
m Check the name you assigned to the file server and make sure users are looking for the
correct name.
If users can’t connect to the file server:
m Make sure the user has entered the correct user name and password. The user name is
not case-sensitive, but the password is.
m Make sure logging in is enabled for the user in the Users & Groups module of Server Admin.
m Check to see if the maximum number of client connections has been reached (in the
Apple File Service Status window). If it has, other users should try to connect later.
m Make sure the server that stores users and groups is running.
m Verify that the user has AppleShare 3.7 or later installed on his or her computer.
m Make sure IP filter service is configured to allow access on port 548 if the user is trying to
connect to the server from a remote location. For more on IP filtering, see “IP Filter
Service” on page 285.
Apple File Service Specifications
Maximum number of connected users   Unlimited (hardware dependent), depending on your license agreement
Maximum volume size                 2 terabytes
TCP port number                     548
Log file location                   /Library/Logs in the AppleFileService folder
Windows Services
Windows services in Mac OS X Server provide four services to Windows clients without
requiring any additional software. These services are
m file service, which allows Windows clients to connect to the Mac OS X Server using Server
Message Block (SMB) protocol over TCP/IP
m print service, which also uses SMB to allow Windows clients to print to PostScript printers
on the network
m Windows Internet Naming Service ( WINS), which allows clients across multiple subnets
to perform name/address resolution
m browsing, which allows clients to browse for available servers across subnets
Windows services use Unicode (a standard that uses 16-bit identifiers for any possible
character) to display the correct language for the client. Since older client computers don’t
use Unicode, Windows services support Samba code pages, which translate from the native
Unicode to the language the user has specified.
Before You Set Up Windows Services
If you plan to provide Windows services on your Mac OS X Server, read the following sections for
considerations you should keep in mind. You should also check the Microsoft documentation for
your version of Windows to find out more about the capabilities of the client software.
What You Need to Support Windows Clients
To support your Windows clients, you only need your Mac OS X Server software. Unlike
previous Apple server products, Mac OS X Server comes with built-in browsing and name
resolution services for your Windows client computers. You can enable WINS on your server,
or you can register with an existing WINS server.
Windows services in Mac OS X Server also provide Windows Master Browser and Domain
Master Browser services. This means you no longer need a Windows server or a primary
domain controller on your network to allow Windows users to see your server listed in the
Network Neighborhood window. Also, your Windows clients can be located on a subnet
outside of your server’s subnet.
Ensuring the Best Cross-Platform Experience
Mac OS and Windows computers store and maintain files differently. For the best cross-platform
experience, you should set up at least one share point to be used only by your Windows users.
In addition, you can improve the user experience by following these guidelines:
m Use comparable versions of application software on both platforms.
m Modify files only with the application they were created in.
m Limit filenames to 31 characters.
m Don’t use symbols or characters with accents in the names of shared items.
File Services 93
Windows User Password Validation
Mac OS X Server offers two techniques for validating Windows user passwords:
m Encrypted password validation. This is the preferred approach because it is the safest
and because it is the default technique supported by Windows computers on a local area
network (LAN). This technique transmits encrypted passwords between a Windows
computer and Mac OS X Server.
To use encrypted password validation, you enable Authentication Manager for all domains
in your NetInfo hierarchy and define an encryption key for each domain. When
Authentication Manager is enabled, a tim_passwd property is stored in NetInfo user
records. It can be decrypted to get the cleartext password using the encryption key,
which is stored in a file on the server that is readable only by root.
m Cleartext password validation. Use this technique only when encrypted transmission of
user authentication information is not important. Windows computers must be
configured individually to support cleartext password validation. See the Windows
documentation for information on how to set up cleartext password validation.
When you use cleartext password validation, passwords are not stored in a recoverable
format. The NetInfo password value, associated with the passwd property, is derived
using a one-way hash, which can’t easily be reversed. Because the hash is deterministic,
the same password always produces the same hash value.
To set up encrypted password validation, enable Authentication Manager on every Mac OS X
computer that participates in the hierarchy. See Understanding and Using NetInfo, available
at www.apple.com/macosx/server/, for complete information on how to set up
Authentication Manager.
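The trade-off between the two techniques, as an added example rather than Apple's code: a cleartext-validated login can be checked against a one-way hash, while the encrypted technique needs the recoverable tim_passwd value plus the per-domain key, which is why that key file must be readable only by root. The hash, cipher and challenge/response functions are labelled stand-ins, because the page does not specify the real algorithms.

```python
"""Model of the two Windows password-validation techniques described above.

Added example, not Apple's code: the NetInfo record layout, the
Authentication Manager cipher and the Windows challenge/response
algorithm are not on the page, so labelled stand-ins are used."""
import hashlib
import hmac
import stat

def one_way_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the one-way hash behind the NetInfo passwd property."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in reversible cipher (HMAC keystream): the same call encrypts
    and decrypts. Used only for the recoverable tim_passwd value."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def make_record(password: str, domain_key: bytes, salt: bytes) -> dict:
    """A NetInfo user record carrying both properties the page describes."""
    return {"salt": salt, "passwd": one_way_hash(password, salt),
            "tim_passwd": keystream_xor(domain_key, password.encode())}

def validate_cleartext(record: dict, submitted: str) -> bool:
    """Cleartext validation: the password itself arrives, so re-hashing
    it and comparing is enough; nothing recoverable needs to be stored."""
    return hmac.compare_digest(one_way_hash(submitted, record["salt"]),
                               record["passwd"])

def windows_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for the client's response in encrypted password validation."""
    return hmac.new(password.encode(), challenge, "sha256").digest()

def validate_encrypted(record: dict, domain_key: bytes,
                       challenge: bytes, response: bytes) -> bool:
    """Encrypted validation: only challenge and response cross the wire, so
    the server must recover the cleartext from tim_passwd with the key."""
    password = keystream_xor(domain_key, record["tim_passwd"]).decode(errors="replace")
    return hmac.compare_digest(windows_response(password, challenge), response)

def key_file_is_root_only(uid: int, mode: int) -> bool:
    """The domain key file must be readable only by root (owner uid 0, no
    group/other permission bits), since it unlocks every tim_passwd."""
    return uid == 0 and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```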
Setting Up Windows Services for the First Time
All you need to do to set up Windows services is start them. The default settings will work well
in most cases, but you’ll probably want to take a look at the settings and change anything that
isn’t appropriate for your network. For a description of the settings you can make, see
“Windows Services Settings,” next.
Follow the steps below to set up Windows services for the first time. If you need more
detailed instructions for any of these steps, see the onscreen help.
Step 1: Configure Windows services
In Server Admin, click the File & Print tab, then click Windows and choose Configure
Windows Services. Click each of the four tabs in the Windows Services Settings window to
see the settings and change any that you need to. For a description of the available settings,
see “Windows Services Settings,” next.
Step 2: Start Windows services
Click Windows and choose Start Windows Services. A globe appears on the service icon when
the service is turned on.
Step 3: Check client configurations
After you set up Windows services, you should make sure your Windows client computers
are configured properly to connect over TCP/IP. If you need more information about this,
consult your Windows networking documentation.
Windows Services Settings
To access Windows services settings, click the File & Print tab, then click Windows and
choose Configure Windows Services. Click each of the four tabs to see the settings for that
pane. The settings available in each pane are described in the following sections.
General Settings
You use the General pane to set identifying information about your Windows server, and to
enable automatic startup. To access the General pane, click Windows and choose Configure
Windows Services.
Server Name
Type the server name you want users to see when they connect. The default name is the
NetBIOS name of the Windows file server. The name should contain no more than 15
characters, and no special characters or punctuation.
If practical, make the server name match its unqualified DNS host name. For example, if
your DNS server has an entry for your server as “server.apple.com,” give your server the
name “server.”
Workgroup
Type the name of the workgroup that you want users to see in the Network Neighborhood
window. If you have Windows domains on your subnet, use one of them as the workgroup
name to make it easier for clients to communicate across subnets. Otherwise, consult your
Windows network administrator for the correct group name. The workgroup name cannot
exceed 15 characters.
Description
Type a description, no longer than 43 characters, that is meaningful to you or your users.
This description appears in the Network Neighborhood window on client computers, and it
is optional.
Code Page
Choose the code page for the language client computers will use.
Start Windows Services on system startup
Select this option if you want Windows services to start automatically whenever the server
restarts, for example after a power failure or other unexpected event. In most cases it’s best to
select this option.
Access Settings
You use the Access pane to allow guest access and set the maximum client connections. To
find the Access pane, click Windows and choose Configure Windows Services, then click the
Access tab.
Allow Guest access
Select this option only if you want to allow people who are not registered users to use
Windows file sharing. This is a convenient way to provide occasional users with access to files
and other items for which the appropriate privileges have been set.
Maximum client connections
Type the maximum number of concurrent connections you want to allow. This number is
limited by the type of software license you own. If you are using your server to provide a
number of services, you can improve performance by setting the maximum connections to a
value lower than the maximum your license allows.
Logging Settings
You use the Logging pane to choose the level of detail you want in your log. To access the
Logging pane, click Windows and choose Configure Windows Services, then click the
Logging tab.
Detail Level
Choose the level of detail you want logged. The more detailed the logging, the larger the log
file. The table below shows the level of detail you’ll get for each option.
Events logged                                 None   Minimal   Verbose
Starting and stopping the server              No     Yes       Yes
When users try and fail to log in             No     Yes       Yes
Warnings and errors                           Yes    Yes       Yes
When browser name registration occurs         No     Yes       Yes
Access events (each time a file is opened,    No     No        Yes
modified, read, and so on)
Neighborhood Settings
You use the Neighborhood pane to set up name resolution and enable browsing across
subnets. To access the Neighborhood pane, click Windows and choose Configure Windows
Services, then click the Neighborhood tab.
WINS
Choose whether you want to register with a WINS server, either locally or externally. Your
choices are
m Off: Your server will not register itself with any external WINS server or local name
resolution server.
m Enable WINS server: The file server will provide local name resolution services. This
allows clients across multiple subnets to perform name/address resolution.
m Register with WINS server: Choose this setting if your Windows clients and Windows
server are not all on the same subnet, and your network has a WINS server. Then enter
the IP address or DNS name of the WINS server.
Workgroup/Domain
Choose whether to enable domain browsing services. Your choices are
m Master Browser: Provides browsing and discovery of servers in a single subnet
m Domain Master Browser: Provides browsing and discovery of servers across subnets
Solving Problems With Windows Services
If users can’t see the Windows server in the Network Neighborhood:
m Make sure users’ computers are properly configured for TCP/IP and have the appropriate
Windows networking software installed.
m Enable guest access for Windows users.
m Go to the DOS prompt on the client computer and type “ping [IP address],” where
“IP address” is your server’s address. If the ping fails, then there is a TCP/IP problem.
m If users’ computers are on a different subnet from the server, you need to have a WINS
server on your network.
Note: If Windows computers are properly configured for networking and connected to the
network, client users can connect to the file server even if they can’t see the server icon in
the Network Neighborhood window. For instructions, see “Connecting to the Windows
server without the Network Neighborhood” in Server Admin Help.
If a Windows user can’t log in:
m Ensure that Authentication Manager is enabled for the NetInfo domain the user’s record
resides in, and all other NetInfo domains in the NetInfo hierarchy.
m Reset the user’s password and try again.
m Enable Windows users to be authenticated using cleartext password validation (see the
trade-offs described in “Windows User Password Validation,” earlier in this chapter).
Windows Services Specifications
Maximum number of connected users,      1000
depending on your license agreement
Maximum volume size                     2 terabytes
TCP port number                         139
UDP port numbers                        137, 138
Log file location                       /Library/Logs in the WindowsFileServices folder
Network File System (NFS) Service
Apple file service, Windows file sharing, and FTP service allow users to connect to shared
items based on a user name and password. NFS is different—it allows access to information
based on the computer’s IP address. This means that a particular client computer will have
access to certain share points regardless of who is using it. Whenever the computer is started
up, some volumes or folders are automatically mounted or made available, and anyone who
uses the computer has access to them.
In NFS, you don’t “share” items, you “export” them. Exporting is like publishing a share point
to a specific destination. You use the NFS module of Server Admin to configure and manage
NFS service. You also use the Sharing module of Server Admin to set privileges and access
levels for the share points or folders you want to export.
Who Should Use NFS Service?
NFS, unlike the other file services in Mac OS X Server, doesn’t provide a high degree of
precision in setting up access levels. You can export a shared item to a set of client computers or
to “World.” Be aware that exporting an NFS volume to World means that anyone who can access
your server (including anonymous FTP users) can also access that volume.
You should probably only use NFS service if you are on a local area network (LAN) with
trusted client computers, or if you are in an environment that can’t use Apple file sharing or
Windows file sharing. If you have Internet access and plan to export to World, your server
should be behind a firewall.
Before You Set Up NFS Service
Be sure to consider the security implications of exporting in NFS. NFS was created for a
secure networking environment, and trusts the client computers and the people who
administer the clients.
With NFS, it’s possible for a user to take over ownership of another person’s files. For
example, if a file on the server is owned by a user with user ID 1234, and you export a folder
that contains that file, someone on a remote computer can create a local user on the remote
computer, give it a user ID of 1234, mount that folder, and have the same access to the
folder’s contents as the file’s original owner.
You can take some steps to prevent this by creating unique user IDs, and by safeguarding
user information.
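The trust model behind that example, as an added illustration (not Apple's code): a simplified AUTH_SYS-style access decision in which the server checks the client host against the export and then applies the file's mode bits to whatever uid the client asserts, together with a check for the duplicate user IDs the text tells you to avoid. Export paths, IP addresses and user names in the accompanying checks are constructed.

```python
"""Model of the NFS trust model described above: an NFS server grants
access by client host and by the uid the client asserts, not by a login.

Added example, not Apple's code; a simplified AUTH_SYS-style access
decision, not the behaviour of Server Admin's NFS module."""
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Export:
    path: str
    clients: frozenset  # allowed client IPs; an empty set means "World"

@dataclass(frozen=True)
class ServerFile:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o640

def export_for(exports, file_path):
    """Return the export that contains file_path, or None."""
    for e in exports:
        if file_path == e.path or file_path.startswith(e.path.rstrip("/") + "/"):
            return e
    return None

def nfs_access(exports, f, client_ip, claimed_uid, claimed_gids, write=False):
    """Decide access the way an AUTH_SYS NFS server does: the client host
    must be listed for the export (or the export is to World), then the
    file's mode bits are applied to the uid and gids the client claims.
    Nothing here verifies that the claimed uid is really that person."""
    e = export_for(exports, f.path)
    if e is None or (e.clients and client_ip not in e.clients):
        return False
    bit = stat.S_IWUSR if write else stat.S_IRUSR  # owner-class bit
    if f.uid == claimed_uid:
        return bool(f.mode & bit)
    if f.gid in claimed_gids:
        return bool(f.mode & (bit >> 3))  # group-class bit
    return bool(f.mode & (bit >> 6))  # other-class bit

def duplicate_uids(*user_tables):
    """Mitigation check from the text: find uids that are assigned to
    different user names across machines (each table maps name -> uid)."""
    owners = {}
    for table in user_tables:
        for name, uid in table.items():
            owners.setdefault(uid, set()).add(name)
    return {uid: names for uid, names in owners.items() if len(names) > 1}
```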