Apple Mac OS X Server User Manual


Mac OS X Server

Administrator’s Guide

For version 10.2.3 or later

Apple Computer, Inc.

© 2002 Apple Computer, Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services.

The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc.

Adobe and PostScript are trademarks of Adobe Systems Incorporated.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

Netscape Navigator is a trademark of Netscape Communications Corporation.

RealAudio is a trademark of Progressive Networks, Inc.

© 1995–2001 The Apache Group. All rights reserved.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.

022-0395/11-20-02

Contents

Preface: How to Use This Guide 13
  What’s Included in This Guide 13
  Using This Guide 14
  Setting Up Mac OS X Server for the First Time 15
  Getting Help for Everyday Management Tasks 15
  Getting Additional Information 15

1 Administering Your Server 17
  Highlighting Key Features 17
  Highlighting Individual Services 21
  Highlighting Server Applications 30
  Where to Find More Information 39

2 Directory Services 41
  Storage for Data Needed by Mac OS X 42
  A Historical Perspective 43
  Uses of Directory Data 46
  Inside a Directory Domain 47
  Discovery of Network Services 48
  Directory Domain Protocols 49
  Local and Shared Directory Domains 50
  Directory Domain Hierarchies 54
  Search Policies for Directory Domain Hierarchies 58
  Directory Domain Planning 61
  Open Directory Password Server 63
  Overview of Directory Services Tools 68
  Setup Overview 68
  Before You Begin 70
  Setting Up an Open Directory Domain and Password Server 71
  Configuring Open Directory Service Protocols 86
  Setting Up Search Policies 87
  Changing Basic LDAPv3 Settings 90
  Configuring Access to Existing LDAPv3 Servers 91
  Using an Active Directory Server 98
  Accessing an Existing LDAPv2 Directory 100
  Using NetInfo Domains 105
  Using Berkeley Software Distribution (BSD) Configuration Files 110
  Configuring Directory Access on a Remote Computer 114
  Monitoring Directory Services 115
  Backing Up and Restoring Directory Services Files 116

3 Users and Groups 117
  How User Accounts Are Used 118
  How Group Accounts Are Used 123
  Kinds of Users and Groups 124
  Setup Overview 128
  Before You Begin 132
  Administering User Accounts 134
  Working With Basic Settings for Users 136
  Working With Advanced Settings for Users 143
  Working With Group Settings for Users 145
  Working With Home Settings for Users 147
  Working With Mail Settings for Users 147
  Working With Print Settings for Users 149
  Working With Managed Users 151
  Defining a Guest User 151
  Deleting a User Account 151
  Disabling a User Account 152
  Administering Home Directories 152
  Administering Group Accounts 167
  Working With Member Settings for Groups 169
  Working With Folder Settings for Groups 172
  Working With Group and Computer Preferences 175
  Deleting a Group Account 175
  Finding User and Group Accounts 176
  Shortcuts for Working With Users and Groups 178
  Editing Multiple Users Simultaneously 178
  Using Presets 179
  Importing and Exporting User and Group Information 181
  Understanding Password Validation 193
  Storing Passwords in User Accounts 198
  Using a Password Server 200
  Using Kerberos 205
  Using LDAP Bind Authentication 208
  Backing Up and Restoring Files 209
  Supporting Client Computers 210
  Solving Problems 210

4 Sharing 215
  Setup Overview 218
  Before You Begin 219
  Setting Up Sharing 221
  Managing Sharing 227
  Supporting Client Computers 231
  Solving Problems 231

5 File Services 233
  Before You Begin 233
  Setup Overview 235
  Apple File Service 236
  Windows Services 248
  File Transfer Protocol (FTP) Service 256
  Network File System (NFS) Service 268
  Supporting Client Computers 272
  Solving Problems With File Services 275
  Where to Find More Information About File Services 278

6 Client Management: Mac OS X 279
  The User Experience 280
  Before You Begin 281
  Designating Administrators 283
  Setting Up User Accounts 283
  Setting Up Group Accounts 284
  Setting Up Computer Accounts 284
  Managing Guest Computers 290
  Working With Access Settings 291
  Managing Portable Computers 293
  How Workgroup Manager Works With System Preferences 294
  Managing Preferences 295
  Managing Applications Preferences 301
  Managing Classic Preferences 304
  Managing Dock Preferences 308
  Managing Finder Preferences 311
  Managing Internet Preferences 319
  Managing Login Preferences 320
  Managing Media Access Preferences 324
  Managing Printing Preferences 327
  Solving Problems 330

7 Print Service 335
  Setup Overview 337
  Before You Begin 339
  Setting Up Print Service 339
  Setting Up Print Quotas 342
  Setting Up Printing on Client Computers 343
  Managing Print Service 345
  Managing Print Queues 346
  Managing Print Jobs 349
  Managing Print Quotas 352
  Managing Print Logs 352
  Solving Problems 354

8 Web Service 357
  Before You Begin 358
  Setting Up Web Service for the First Time 361
  Managing Web Service 362
  Managing Web Sites 369
  WebMail 379
  Setting Up Secure Sockets Layer (SSL) Service 383
  Solving Problems 385
  Installing and Viewing Web Modules 386
  Where to Find More Information 389

9 Mail Service 391
  Mail Service Protocols 392
  How Mail Service Uses SSL 394
  How Mail Service Uses DNS 394
  Where Mail Is Stored 394
  How User Account Settings Affect Mail Service 395
  What Mail Service Can Do About Junk Mail 396
  What Mail Service Doesn’t Do 398
  Mail Service Configuration in the Local Directory 398
  Overview of Mail Service Tools 398
  Setup Overview 399
  Overview of Ongoing Mail Service Management 401
  Before You Begin 401
  Working With General Settings for Mail Service 402
  Working With Settings for Incoming Mail 405
  Working With Settings for Incoming POP Mail 406
  Working With Settings for Incoming IMAP Mail 407
  Working With Settings for Outgoing Mail 410
  Working With Settings for SMTP Mail 411
  Working With the Mail Database 416
  Working With Network Settings for Mail Service 419
  Limiting Junk Mail 421
  Working With Undeliverable Mail 425
  Monitoring Mail Status 427
  Supporting Mail Users 429
  Performance Tuning 431
  Backing Up and Restoring Mail Files 431
  Where to Find More Information 432

10 Client Management: Mac OS 9 and OS 8 435
  Before You Begin 438
  Inside Macintosh Manager 442
  Setting Up Mac OS 9 or Mac OS 8 Managed Clients 448
  Logging In to Macintosh Manager as an Administrator 449
  Importing User Accounts 450
  Designating Administrators 455
  Working With User Settings 457
  Setting Up Workgroups 459
  Using Items Settings 462
  Using Privileges Settings 464
  Sharing Information in Macintosh Manager 467
  Using Volumes Settings 469
  Using Printers Settings 471
  Using Options Settings 474
  Setting Up Computer Lists 476
  Using Workgroup Settings for Computers 478
  Using Control Settings 479
  Using Computer Login Settings 484
  Managing Portable Computers 486
  Using Global Security Settings 487
  Using Global CD-ROM Settings 490
  Managing Preferences 491
  Solving Problems 496
  Where to Find More Information 499

11 DHCP Service 501
  Before You Set Up DHCP Service 502
  Setting Up DHCP Service for the First Time 503
  Managing DHCP Service 505
  Solving Problems 510
  Where to Find More Information 510

12 NetBoot 511
  Before You Set Up NetBoot 512
  Inside NetBoot 516
  Setup Overview 522
  Setting Up NetBoot 525
  Managing NetBoot 535
  Load Balancing 537
  Supporting Client Computers 538
  Solving Problems 541

13 Network Install 543
  Before You Set Up Network Install 544
  Setup Overview 544
  Setting Up Network Install 545

14 DNS Service 553
  Before You Set Up DNS Service 554
  Setting Up DNS Service for the First Time 555
  Managing DNS Service 556
  Inside DNS Service (Configuring BIND) 558
  Setting Up a Private TCP/IP Network 561
  Where to Find More Information 562

15 Firewall Service 563
  Before You Set Up Firewall Service 565
  Setting Up Firewall Service for the First Time 568
  Managing Firewall Service 569
  Port Reference 578
  Solving Problems 581
  Where to Find More Information 582

16 SLP DA Service 583
  Before You Begin 583
  Managing Service Location Protocol (SLP) Directory Agent (DA) Service 585
  Where to Find More Information 588

17 Tools for Advanced Administrators 589
  Terminal 590
  Secure Shell (SSH) Command 591
  dsimportexport 593
  createhomedir 594
  Log Rolling Scripts 594
  diskspacemonitor 595
  diskutil 596
  installer 596
  softwareupdate 600
  systemsetup 600
  networksetup 602
  MySQL Manager 605
  Simple Network Management Protocol (SNMP) Tools 605
  diskKeyFinder 606
  Enabling IP Failover 606
  Using Disk Journaling 611
  Setting Up SSL for Mail Service 614
  Setting Up Authentication Manager 618
  ldapsearch 620

Appendix A: Data Requirements of Mac OS X Directory Services 621
  User Data That Mac OS X Server Uses 622
  Standard Attributes in User Records 623
  Format of MailAttribute in User Records 629
  Standard Attributes in Group Records 632
  Standard Attributes in Computer Records 634
  Standard Attributes in Computer List Records 635
  Standard Attributes in Mount Records 636
  Standard Attributes in Config Records 637

Appendix B: Integrating Mac OS X Directory Services With Active Directory 639
  The Scenarios 639

Glossary 649

Index 659

Preface

How to Use This Guide

What’s Included in This Guide

This guide consists primarily of chapters that tell you how to administer individual Mac OS X Server services:

• Chapter 1, “Administering Your Server,” highlights the major characteristics of Mac OS X Server’s services and takes you on a tour of its administration applications.

• Chapter 2, “Directory Services,” describes the services that Mac OS X computers use to find information about users, groups, and devices on your network. The Mac OS X directory services architecture is referred to as Open Directory.

• Chapter 3, “Users and Groups,” covers user and group accounts, describing how to administer settings for server users and collections of users (groups), including Open Directory Password Server and other password authentication options.

• Chapter 4, “Sharing,” tells you how to share folders, hard disks, and CDs among network users, as well as how to make them automatically visible after logging in to Mac OS X computers.

• Chapter 5, “File Services,” describes the file services included in Mac OS X Server: Apple file service, Windows services, Network File System (NFS) service, and File Transfer Protocol (FTP) service.

• Chapter 6, “Client Management: Mac OS X,” addresses client management for Mac OS X computer users. Client management lets you customize a user’s working environment and restrict a user’s access to network resources.

• Chapter 7, “Print Service,” tells you how to share printers among users on Macintosh, Windows, and other computers.

• Chapter 8, “Web Service,” describes how to set up and administer a Web server and host multiple Web sites on your server.

• Chapter 9, “Mail Service,” describes how to set up and administer a mail server on your server.

• Chapter 10, “Client Management: Mac OS 9 and OS 8,” addresses client management for Mac OS 8 and 9 computer users, describing how to use Macintosh Manager to manage their day-to-day working environments.

• Chapter 11, “DHCP Service,” describes Dynamic Host Configuration Protocol (DHCP) service, which lets you dynamically allocate IP addresses to the computers used by server users.

• Chapter 12, “NetBoot,” describes the application that lets Mac OS 9 and Mac OS X computers boot from server-based system disk images.

• Chapter 13, “Network Install,” tells you how to use the centralized network software installation service that automates installing, restoring, and upgrading Macintosh computers on your network.

• Chapter 14, “DNS Service,” describes the Domain Name System (DNS), a distributed database that maps domain names to IP addresses.

• Chapter 15, “Firewall Service,” addresses how to protect your server by scanning incoming IP packets and rejecting or accepting them based on filters you create.

• Chapter 16, “SLP DA Service,” describes the Service Location Protocol Directory Agent (SLP DA), which you can use to make devices on your network available to your users.

• Chapter 17, “Tools for Advanced Administrators,” describes server applications, tools, and techniques intended for use by experienced server administrators.

• Appendix A, “Data Requirements of Mac OS X Directory Services,” provides information you’ll need when you must map directory services information needed by Mac OS X to information your server will retrieve from another vendor’s server.

• Appendix B, “Integrating Mac OS X Directory Services With Active Directory,” provides information about how Mac OS X Server can be set up to take advantage of Microsoft Active Directory information.

• The Glossary defines terms you’ll encounter as you read this guide.

Using This Guide

Review the first chapter to acquaint yourself with the services and applications that Mac OS X Server provides.

Then read any chapter that’s about a service you plan to provide to your users. Each service’s chapter includes an overview of how the service works, what it can do for you, strategies for using it, how to set it up for the first time, and how to administer it over time.

Also take a look at any chapter that describes a service with which you’re unfamiliar. You may find that some of the services you haven’t used before can help you run your network more efficiently and improve performance for your users.


Most chapters end with a section called “Where to Find More Information.” This section points you to Web sites and other reference material containing more information about the service.

Setting Up Mac OS X Server for the First Time

If you haven’t installed and set up Mac OS X Server, do so now.

• Refer to Getting Started With Mac OS X Server, the document that came with your software, for instructions on server installation and setup. For many environments, this document provides all the information you need to get your server up, running, and available for initial use.

• Review Chapter 1, “Administering Your Server,” in this guide to determine which services you’d like to refine and expand, to identify new services you’d like to set up, and to learn about the server applications you’ll use during these activities.

• Read specific chapters to learn how to continue setting up individual services. Pay particular attention to the information in these sections: “Setup Overview,” “Before You Begin,” and “Setting Up for the First Time.”

Getting Help for Everyday Management Tasks

If you want to change settings, monitor services, view service logs, or do any other day-to-day administration task, you can find step-by-step procedures by using the onscreen help available with server administration programs. While all the administration tasks are also documented in this guide, sometimes it’s more convenient to retrieve information in onscreen help form while using your server.

Getting Additional Information

In addition to this document, you’ll find information about Mac OS X Server

• in Getting Started With Mac OS X Server, which tells you how to install and set up your server initially

• in Upgrading to Mac OS X Server, which provides instructions for migrating data to Mac OS X Server from existing Macintosh computers

• at www.apple.com/server

• in onscreen help on your server

• in Read Me files on your server CD

Chapter 1

Administering Your Server

Mac OS X Server is a powerful server platform that delivers a complete range of services to users on the Internet and local network:

• You can connect users to one another, using services such as mail and file sharing.

• You can share system resources, such as printers and computers, maximizing their availability as users move about and making sure that disk space and printer usage remain equitably shared.

• You can host Internet services, such as Web sites and streaming video.

• You can customize working environments, such as desktop resources and personal files, of networked users.

This chapter is a tour of Mac OS X Server capabilities and administration. The chapter begins by pointing out some of Mac OS X Server’s key features. Then it summarizes the services you can set up to support the clients you want your server to host. Finally, it introduces the applications you use to set up and administer your server.

Highlighting Key Features

Mac OS X Server has a wide range of features that characterize it as easy to use, yet robust and high performing.

Ease of Setup and Administration

From the time you first unpack your server throughout its initial setup and deployment, its ease of use is apparent.

Setup assistants quickly walk you through the process of making basic services initially available. While your network users take advantage of the initial file sharing, mail, Web, and other services, you can add on additional client support and manage day-to-day server operations using graphical administrative applications. From one administrator computer, you can set up and manage all the Mac OS X Servers on your network.


Password Security

You can choose from several user authentication options, ranging from Mac OS X Server’s Open Directory Password Server to Kerberos or Lightweight Directory Access Protocol (LDAP).

Password Server lets you implement password policies and supports a wide variety of client protocols. The Password Server is based on a standard known as SASL (Simple Authentication and Security Layer), so it can support a wide range of network user authentication protocols that are used by clients of Mac OS X Server services, such as mail and file servers, that need to authenticate users.

Kerberos authentication is available for file services—Apple Filing Protocol (AFP) and File Transfer Protocol (FTP)—as well as for mail services (POP, IMAP, and SMTP).

Networking Security

External network communication requests can be controlled with built-in Internet Protocol (IP) firewall management. And data communications can be encrypted and authenticated with protocol-level data security provided with Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Secure Shell (SSH).

File and Printer Sharing

File sharing offers flexible support for various native protocols as well as security and high availability:

• It’s easy to share files with Macintosh, Windows, UNIX, Linux, and anonymous Internet clients.

• You can control how much file space individual users consume by setting up mail and file quotas. Quotas limit the number of megabytes a user can use for mail or files.

• Kerberos authentication is available for AFP and FTP file servers.

• You can improve the security of NFS volumes by setting up share points on them that let users access them using the more secure AFP protocol. This feature is referred to as resharing NFS mounts.

• AFP autoreconnect lets client computers keep Apple file servers mounted after long periods of inactivity or after sleep/wake cycles.

Mac OS X Server printer sharing includes

• the ability to set up print quotas. Print quotas can be set up for each user and each print queue, letting you limit the number of pages that can be printed during a particular period.

• support for sharing printers among Mac OS 9 users (AppleTalk and LaserWriter 8 support), Mac OS X, Windows, and UNIX users

Open Directory Services

User and group information is used by your server to authenticate users and authorize their access to services and files. Information about other network resources is used by your server to make printers and other devices available to particular users. To access this information, the server retrieves it from centralized data repositories known as directory domains. The term for the services that locate and retrieve this data is directory services.

The Mac OS X directory services architecture is referred to as Open Directory. It lets you store data in a way that best suits your environment. Mac OS X Server can host its own directory domains, using either NetInfo or LDAP. Open Directory also lets you take advantage of information you have already set up in non-Apple directory domains—for example, LDAP or Active Directory servers or Berkeley Software Distribution (BSD) configuration files.

Comprehensive Management of Macintosh Workgroups

Workgroup management services let you simplify and control the environment that Macintosh client users experience.

Mac OS X Server client management support helps you personalize the computing environment of Macintosh clients. You can set up Mac OS 8, 9, and X computers to have particular desktop environments and access to particular applications and network resources. You can design your Macintosh users’ experience as circumstances warrant.

You can also use NetBoot and Network Install to automate the setup of software used by Macintosh client computers:

• NetBoot lets Mac OS 9 and Mac OS X computers start up from a network-based system disk image, offering quick and easy configuration of department, classroom, and individual systems as well as Web and application servers throughout a network. When you update NetBoot images, all NetBooted computers have instant access to the new configuration.

• Network Install is a centralized network software installation service. It lets you selectively and automatically install, restore, or upgrade network-based Macintosh systems anywhere in the organization.

Mac OS X Server also lets you automatically configure the directory services you want Mac OS X clients to have access to. Automatic directory services configuration means that when a user logs in to a Mac OS X computer, the user’s directory service configuration is automatically downloaded from the network, setting up the user’s network access policies, preferences, and desktop configuration without the need to configure the client computer directly.

High Availability

To maximize server availability, Mac OS X Server includes technology for monitoring server activity, monitoring and reclaiming disk space, automatically restarting malfunctioning services, and automatically restarting the server following a power failure.

You can also configure IP failover. IP failover is a way to set up a standby server that will take over if the primary server fails. The standby server takes over the IP address of the failed server, which takes the IP address back when it is online again. IP failover is useful for DNS servers, Web servers hosting Web sites, media broadcast servers, and other servers that require minimal data replication.

Extensive Internet and Web Services

Powerful Internet and Web services are built into Mac OS X Server:

• Apache, the most popular Web server, provides reliable, high-performance Web content delivery. Integrated into Apache is Web-Based Distributed Authoring and Versioning (WebDAV), which simplifies the Web publishing and content management environment.

• If your Web sites contain static HTML files that are frequently requested, you can enable a performance cache to improve server performance.

• Web services include a comprehensive assortment of open-source services: Ruby, Tomcat, MySQL, PHP, and Perl.

• Mac OS X Server includes a high-performance Java virtual machine.

• SSL support enables secure encryption and authentication for ecommerce Web sites and confidential materials.

• QuickTime Streaming Server (QTSS) lets you stream both live and stored multimedia content on the Internet using industry-standard protocols.

• Mail service lets you set up a mail server your network users can use to send and receive email.

• WebMail service bundled with Mac OS X Server enables your users to access mail service via a Web browser.

Highlighting Individual Services

This section highlights individual Mac OS X Server services and tells you where in this guide to find more information about them.

Directory Services

Directory services let you use a central data repository for user and network information your server needs to authenticate users and give them access to services. Information about users (such as their names, passwords, and preferences) as well as printers and other resources on the network is consolidated rather than distributed to each computer on the network, simplifying the administrator’s tasks of directory domain setup and maintenance.

Open Directory

On Mac OS X computers, the directory services are collectively referred to as Open Directory. Open Directory acts as an intermediary between directory domains that store information and Mac OS X processes that need the information.

Open Directory supports a wide variety of directory domains, letting you store your directory information on Mac OS X Server or on a server you already have set up for this purpose:

• You can define and manage information in directory domains that reside on Mac OS X Server. Open Directory supports both NetInfo and LDAPv3 protocols and gives you complete control over directory data creation and management.

• Mac OS X Server can also retrieve directory data from LDAP and Active Directory servers and BSD configuration files you’ve already set up. Your server provides full read/write and SSL communications support for LDAPv3 directory domains.

Chapter 2, “Directory Services,” provides complete information about all the Open Directory options, including instructions for how to create Mac OS X–resident directory domains and how to configure your server and your clients to access directory domains of all kinds. Chapter 3, “Users and Groups,” describes how to work with user and group accounts stored in Open Directory domains.

Search Policies

Before a user can log in to or connect with a Mac OS X client or server, he or she must enter a name and password associated with a user account that the computer can find. A Mac OS X computer can find user accounts that reside in a directory domain of the computer’s search policy. A search policy is a list of directory domains the computer searches when it needs configuration information.

You can configure the search policy of Mac OS X computers on the computers themselves. You can automate Mac OS X client directory setup by using your server’s built-in DHCP Option 95 support.


Chapter 2, “Directory Services,” describes how to configure search policies on any Mac OS X computer.
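The following is an added example, not code from Apple’s guide, that models the lookup order a search policy imposes: the computer’s local domain is consulted first, then each shared domain in the configured order, and the first domain holding a matching record answers. The domain names and user records are constructed sample data. Beyond what the paragraph above states, it also reports names defined in more than one domain, since a local account silently shadows a shared-domain account of the same name and an administrator auditing a search policy wants to see that.

```python
"""Ordered lookup through a directory search policy (added example).

Assumptions: domain names and records below are constructed; the
local domain is modelled as always first in the policy.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DirectoryDomain:
    name: str
    users: dict[str, dict] = field(default_factory=dict)


@dataclass
class SearchPolicy:
    local: DirectoryDomain
    shared: list[DirectoryDomain] = field(default_factory=list)

    def domains(self) -> list[DirectoryDomain]:
        # Local domain first, then shared domains in configured order.
        return [self.local, *self.shared]

    def resolve(self, username: str):
        """Return (domain name, record) for the first match, or None."""
        for domain in self.domains():
            record = domain.users.get(username)
            if record is not None:
                return domain.name, record
        return None

    def shadowed_accounts(self) -> dict[str, list[str]]:
        """Names defined in more than one domain, with the domains that
        define them. Only the first listed domain is ever consulted, so
        the later definitions are unreachable for login."""
        where: dict[str, list[str]] = {}
        for domain in self.domains():
            for name in domain.users:
                where.setdefault(name, []).append(domain.name)
        return {n: d for n, d in where.items() if len(d) > 1}


def sample_policy() -> SearchPolicy:
    """Constructed sample: one local domain, one shared LDAP domain."""
    local = DirectoryDomain("local NetInfo", {
        "admin": {"uid": 501, "home": "/Users/admin"},
    })
    shared = DirectoryDomain("ldap.example.com (constructed)", {
        "alice": {"uid": 1001, "home": "/Network/Servers/fs/Users/alice"},
        # Same short name as the local admin: shadowed by the local record.
        "admin": {"uid": 2001, "home": "/Network/Servers/fs/Users/admin"},
    })
    return SearchPolicy(local=local, shared=[shared])


if __name__ == "__main__":
    policy = sample_policy()
    print(policy.resolve("alice"))
    print(policy.resolve("admin"))
    print(policy.shadowed_accounts())
```

Running it shows "alice" resolved from the shared domain, "admin" resolved from the local domain (uid 501, not 2001), and "admin" listed as shadowed.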

Password Validation

Open Directory gives you several options for validating a user’s password:

• You can use a value stored as a readable attribute in the user’s account.

  The account can be stored in a directory domain residing on Mac OS X Server or on another vendor’s directory server, such as an LDAP or Active Directory server.

  This option, referred to as the “basic” password validation strategy, is the simplest and fastest approach to password validation and offers the greatest opportunity for sharing user information for authentication with non-Apple servers. Basic password validation may not support clients that require certain network-secure authentication protocols, such as APOP.

  See “Storing Passwords in User Accounts” on page 198 for details about this strategy.

• You can use a value stored in the Open Directory Password Server.

  This option, which supports a wide range of client authentication protocols, lets you set up user-specific password policies for users. For example, you can require a user to change his password periodically or use only passwords having more than a minimum number of characters. It is the recommended password validation option for Windows users.

  See “Open Directory Password Server” on page 63 for general Password Server concepts.

  See “Setting Up an Open Directory Domain and Password Server” on page 71 for setup instructions.

  See “Using a Password Server” on page 200 for information about how to manage Password Server settings for users.

• You can use a Kerberos server.

  This scheme offers the opportunity to integrate into existing Kerberos environments. See “Using Kerberos” on page 205 for details.

• You can use LDAP bind authentication with a non-Apple LDAPv3 directory server.

  This option, like Kerberos, offers a way to integrate your server into an existing authentication scheme.

  See “Using LDAP Bind Authentication” on page 208 for how to implement this option.
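The following is an added example, not code from Apple’s guide, showing why the “basic” strategy cannot serve challenge-response clients such as APOP while a Password Server-style store can, and where a password policy such as a minimum length is enforced. It models the two strategies described above and the SASL-style protocol support mentioned under “Password Security.” Assumptions: a salted SHA-256 digest stands in for the readable hashed password attribute of the basic strategy (the guide does not specify the hash format), and an in-memory dictionary stands in for the Password Server database. The APOP response is computed as RFC 1939 defines it, MD5 of the server’s timestamp banner followed by the password, and the test values are the ones given in that RFC.

```python
"""Basic (one-way hash in the record) versus Password Server-style
validation, and why only the latter can answer an APOP client.
Added example; hash format and storage are assumptions.
"""
import hashlib
import hmac
import os


def apop_digest(timestamp: str, password: str) -> str:
    """RFC 1939 APOP response: hex MD5 of <timestamp> followed by password."""
    data = (timestamp + password).encode()
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


class BasicStore:
    """'Basic' strategy: only a salted one-way hash lives in the user record.
    (Assumed format: 8-byte random salt + SHA-256.)"""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.sha256(salt + password.encode()).digest()

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(8)
        self._records[user] = (salt, self._digest(salt, password))

    def verify_plain(self, user: str, password: str) -> bool:
        """Cleartext-bearing protocols work: recompute and compare."""
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._digest(salt, password))

    def verify_apop(self, user: str, timestamp: str, digest: str) -> bool:
        # APOP requires the server to compute MD5(timestamp + password);
        # a one-way hash cannot be turned back into the password.
        raise NotImplementedError("APOP needs the cleartext password")


class PasswordServerStore:
    """Password Server-style: the secret is kept server-side, never as a
    readable directory attribute, so challenge-response protocols work
    and policy is enforced when the password is set."""

    def __init__(self, min_length: int = 8) -> None:
        self.min_length = min_length
        self._secrets: dict[str, str] = {}

    def set_password(self, user: str, password: str) -> None:
        if len(password) < self.min_length:
            raise ValueError(f"password shorter than {self.min_length} characters")
        self._secrets[user] = password

    def verify_plain(self, user: str, password: str) -> bool:
        secret = self._secrets.get(user)
        return secret is not None and hmac.compare_digest(
            secret.encode(), password.encode())

    def verify_apop(self, user: str, timestamp: str, digest: str) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(apop_digest(timestamp, secret), digest)


if __name__ == "__main__":
    # RFC 1939 example exchange: banner timestamp, user mrose, secret tanstaaf.
    ts = "<1896.697170952@dbc.mtview.ca.us>"
    ps = PasswordServerStore()
    ps.set_password("mrose", "tanstaaf")
    print(ps.verify_apop("mrose", ts, "c4c9334bac560ecc979e58001b3e22fb"))
    basic = BasicStore()
    basic.set_password("mrose", "tanstaaf")
    print(basic.verify_plain("mrose", "tanstaaf"))
```

The cost of the Password Server approach is that the server must protect a cleartext-equivalent secret; the benefit is that clients never send the password on the wire and policy is enforced centrally.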


File Services

Mac OS X Server makes it easy to share files using the native protocols of different kinds of client computers. Mac OS X Server includes four file services:

• Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources with clients who use Macintosh or Macintosh-compatible operating systems.

• Windows services use Server Message Block (SMB) protocol to let you share resources with clients who use Windows, and to provide name resolution service for Windows clients.

• File Transfer Protocol (FTP) service lets you share files with anyone using FTP.

• Network File System (NFS) service lets you share files and folders with users who have NFS client software (UNIX users).

You can deploy network home directories for Mac OS X clients using AFP or NFS and for UNIX clients using NFS. With a network home directory, users can access their applications, documents, and individual settings regardless of the computer to which they log in. You can impose disk quotas on network home directories to regulate server disk usage for users with home directories.

Sharing

You share files among users by designating share points. A share point is a folder, hard disk (or hard disk partition), or CD that you make accessible over the network. It’s the point of access at the top level of a group of shared items.

On Mac OS X computers, share points can be found in the /Network directory and by using the Finder’s Connect To Server command. On Mac OS 8 and 9 computers, users access share points using the Chooser. On Windows computers, users use Network Neighborhood. Chapter 4, “Sharing,” tells you how to set up and manage share points.

Static file server listings can also be published in a non-Apple directory domain, making it easy for computers in your company that are not on your local network to discover and connect to Mac OS X Server.

Apple File Service

Apple Filing Protocol (AFP) allows Macintosh client users to connect to your server and access folders and files as if they were located on the user’s own computer.

AFP offers

• file sharing support for Macintosh clients over TCP/IP

• autoreconnect support when a file server connection is interrupted

• encrypted file sharing (AFP through SSH)

• automatic creation of user home directories

• Kerberos v5 authentication for Mac OS X v10.2 and later clients

Administering Your Server

23

• fine-grain access controls for managing client connections and guest access

• automatic disconnect of idle clients after a period of inactivity

AFP also lets you reshare NFS mounts using AFP. This feature provides a way for clients not on the local network to access NFS volumes via a secure, authenticated AFP connection. It also lets Mac OS 9 clients access NFS file services on traditional UNIX networks.

See “Apple File Service” on page 236 for details about AFP.

Windows Services

Windows services in Mac OS X Server provide four native services to Windows clients:

• file service, which allows Windows clients to connect to Mac OS X Server using Server Message Block (SMB) protocol over TCP/IP

• print service, which uses SMB to allow Windows clients to print to PostScript printers on the network

• Windows Internet Naming Service (WINS), which allows clients across multiple subnets to perform name/address resolution

• browsing, which allows clients to browse for available servers across subnets

See “Windows Services” on page 248 for more information about Windows services.

Network File System (NFS) Service

NFS is the protocol used for file services on UNIX computers.

The NFS term for sharing is export. You can export a shared item to a set of client computers or to “World.” Exporting an NFS volume to World means that anyone who can access your server can also access that volume.

NFS does not support name/password authentication. It relies on client IP addresses to authenticate users and on client enforcement of privileges—not a secure approach in most networks. Therefore use NFS only if you are on a local area network (LAN) with trusted client computers or if you are in an environment that can’t use Apple file sharing or Windows file sharing. If you have Internet access and plan to export to World, your server should be behind a firewall.

See “Network File System (NFS) Service” on page 268 for more information about NFS.
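The World-export risk described above, as an added audit script that is not part of the manual and not Apple’s code. It assumes exports written in the classic BSD /etc/exports layout (paths, then options beginning with “-”, then optional host names); Mac OS X Server’s own export records are managed through its administration tools, so the file layout is an assumption here. Every entry that names no host and no -network is exported to World. The sample lines are constructed.

```python
"""Flag NFS exports that are open to World (no host or network restriction).

Added example. The exports syntax parsed here is the classic BSD
/etc/exports form; that layout is an assumption, not taken from the manual.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample exports file; the paths and hosts are placeholders.
SAMPLE_EXPORTS = """\
# constructed sample, not a real server's exports file
/Volumes/Data/Public -ro
/Volumes/Data/Homes -alldirs -network 192.168.11.0 -mask 255.255.255.0
/Volumes/Data/Build -maproot=nobody buildhost1 buildhost2
/Volumes/Data/Scratch
"""


@dataclass
class Export:
    paths: List[str]
    options: List[str] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)
    network: Optional[str] = None
    mask: Optional[str] = None

    @property
    def is_world(self) -> bool:
        """No host list and no -network means every NFS client is accepted."""
        return not self.hosts and self.network is None

    @property
    def is_read_only(self) -> bool:
        # -o is the BSD synonym for -ro
        return "-ro" in self.options or "-o" in self.options


def parse_exports_line(line: str) -> Optional[Export]:
    """Split one exports line into paths, options, hosts and -network/-mask."""
    tokens = line.split("#", 1)[0].split()
    if not tokens:
        return None
    exp = Export(paths=[])
    i = 0
    while i < len(tokens) and tokens[i].startswith("/"):
        exp.paths.append(tokens[i])
        i += 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name, _, value = tok.partition("=")
            if name in ("-network", "-mask"):
                # both forms occur: "-network 10.0.0.0" and "-network=10.0.0.0"
                if not value and i + 1 < len(tokens):
                    i += 1
                    value = tokens[i]
                if name == "-network":
                    exp.network = value
                else:
                    exp.mask = value
            else:
                exp.options.append(name)
        else:
            exp.hosts.append(tok)      # bare word after the options: a client host
        i += 1
    return exp


def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, severity, reason) for each exported path."""
    findings = []
    for line in text.splitlines():
        exp = parse_exports_line(line)
        if exp is None or not exp.paths:
            continue
        for path in exp.paths:
            if exp.is_world and not exp.is_read_only:
                findings.append((path, "HIGH", "exported to World read-write"))
            elif exp.is_world:
                findings.append((path, "MEDIUM", "exported to World read-only"))
            else:
                scope = exp.network or ",".join(exp.hosts)
                if exp.mask:
                    scope += "/" + exp.mask
                findings.append((path, "OK", "restricted to " + scope))
    return findings


if __name__ == "__main__":
    for path, severity, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{severity:6} {path}: {reason}")
```

Because NFS trusts the client address and the client’s own privilege enforcement, a World export reachable from the Internet is only as safe as the firewall in front of it; the audit treats any World export as a finding and a read-write one as the most serious.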

File Transfer Protocol (FTP)

FTP allows computers to transfer files over the Internet. Clients using any operating system that supports FTP can connect to your FTP file server and download files, depending on the permissions you set. Most Internet browsers and a number of freeware applications can be used to access your FTP server.


FTP service in Mac OS X Server supports Kerberos v5 authentication and, for most FTP clients, resuming of interrupted FTP file transfers. Mac OS X Server also supports dynamic file conversion, allowing users to request compressed or decompressed versions of information on the server.

FTP is considered to be an insecure protocol, since user names and passwords are distributed across the Internet in clear text. Because of the security issues associated with FTP authentication, most FTP servers are used as Internet file distribution servers for anonymous FTP users.

Mac OS X Server supports anonymous FTP and by default prevents anonymous FTP users from deleting files, renaming files, overwriting files, and changing file permissions. Explicit action must be taken by the server administrator to allow uploads from anonymous FTP users, and then only into a specific share point.

See “File Transfer Protocol (FTP) Service” on page 256 for details about FTP.

Print Service

Print service in Mac OS X Server lets you share network and direct-connect printers among clients on your network. Print service also includes support for managing print queues, monitoring print jobs, logging, and using print quotas.

Print service lets you

• share printers with Mac OS 9 (PAP, LaserWriter 8), Mac OS X (IPP, LPR/LPD), Windows (SMB/CIFS), and UNIX (LPR/LPD) clients

• share direct-connect USB printers with Mac OS X version 10.2 and later clients

• connect to network printers using AppleTalk, LPR, and IPP and connect to direct-connect printers using USB

• make printers visible using Open Directory directory domains

• impose print quotas to limit printer usage

See Chapter 7, “Print Service,” for information about print service.

Web Service

Web service in Mac OS X Server is based on Apache, an open-source HTTP Web server. A Web server responds to requests for HTML Web pages stored on your site. Open-source software allows anyone to view and modify the source code to make changes and improvements.

Those features have led to Apache’s widespread use, making it the most popular Web server on the Internet today.

Web service includes a high-performance, front-end cache that improves performance for Web sites that use static HTML pages. With this cache, static data doesn’t need to be accessed by the server each time it is requested.


Web service also includes support for Web-based Distributed Authoring and Versioning (WebDAV). With WebDAV capability, your client users can check out Web pages, make changes, and then check the pages back in while the site is running. In addition, Mac OS X users can use a WebDAV-enabled Web server as if it were a file server.

Web service’s Secure Sockets Layer (SSL) support enables secure encryption and authentication for ecommerce Web sites and confidential materials. An easy-to-use digital certificate provides non-forgeable proof of your Web site identity.

Mac OS X Server offers extensive support for dynamic Web sites:

• Web service supports Java Servlets, JavaServer Pages, MySQL, PHP, Perl, and UNIX and Mac CGI scripts.

• Mac OS X Server also includes WebObjects deployment software. WebObjects offers a flexible and scalable way to develop and deploy ecommerce and other Internet applications. WebObjects applications can connect to multiple databases and dynamically generate HTML content. You can also purchase the WebObjects development tools if you want to create WebObjects applications. For more information and documentation on WebObjects, go to the WebObjects Web page:

www.apple.com/webobjects

See Chapter 8, “Web Service,” for details about Web service.

Mail Service

Mail services support the SMTP, POP, and IMAP protocols, allowing you to select a local or server-based mail storage solution for your users.

With remote mail administration you can manage the message database from any IMAP client. Realtime Blackhole List support allows you to block messages from known spam sources. Support for single or dual IMAP/POP3 mail inboxes gives flexibility in mail retrieval; a user can have a POP mailbox for office use and an IMAP mailbox for mobile use. Automatic blind copying (BCC) on incoming mail from specified hosts lets you track email coming from specific sites. You can limit the amount of disk space a user consumes for mail messages.

To protect email communication from eavesdroppers, mail service features SSL encryption of IMAP connections between the mail server and clients, SMTP AUTH authentication using LOGIN and PLAIN, and APOP and Kerberos v5 authentication for POP, IMAP, and SMTP clients.

For complete information about mail services, see Chapter 9, “Mail Service.”

Macintosh Workgroup Management

Mac OS X Server provides work environment personalization for Mac OS 8, 9, and X computer users, ranging from preference management to operating system and application installation automation.


Client Management

You can use Mac OS X Server to manage the work environments of Mac OS 8, 9, and X clients. Preferences you define for individual users, groups of users, and computers provide your Macintosh users with a consistent desktop, application, and network appearance regardless of the Macintosh computer to which they log in.

To manage Mac OS 8 and 9 clients, you use Macintosh Manager, described in Chapter 10, “Client Management: Mac OS 9 and OS 8.” To manage Mac OS X clients, you use Workgroup Manager, as Chapter 6, “Client Management: Mac OS X,” describes.

Mac OS X client management has several advantages:

• You can take advantage of the directory services autoconfiguration capability to automatically set up the directory services used by Mac OS X client computers.

• When you update user, group, and computer accounts, managed Mac OS X users inherit changes automatically. You update Mac OS 8 and 9 accounts independently, using Macintosh Manager.

• You have more direct control over individual system preferences.

• Network home directories and group directories can be mounted automatically at login.

NetBoot

NetBoot lets Macintosh clients boot from a system disk image located on Mac OS X Server instead of from the client computer’s disk drive. You can set up multiple NetBoot disk images, so you can boot clients into Mac OS 9 or X or even set up customized Macintosh environments for different groups of clients.

NetBoot can simplify the administration and reduce the support normally associated with large-scale deployments of network-based Macintosh systems. NetBoot is ideal for an organization with a number of client computers that need to be identically configured. For example, NetBoot can be a powerful solution for a data center that needs multiple identically configured Web and application servers.

NetBoot allows administrators to configure and update client computers instantly by simply updating a boot image stored on the server. Each image contains the operating system and application folders for all clients on the server. Any changes made on the server are automatically reflected on the clients when they reboot. Systems that are compromised or otherwise altered can be instantly restored simply by rebooting.

See Chapter 12, “NetBoot,” for information about setting up and managing NetBoot.

Network Install

Network Install is a centrally managed installation service that allows administrators to selectively install, restore, or upgrade client computers. Installation images can contain the latest release of Mac OS X, a software update, site-licensed or custom applications, even configuration scripts:


• Network Install is an excellent solution for operating system migrations, installing software updates and custom software packages, restoring computer classrooms and labs, and reimaging desktop and portable computers.

• You can define custom installation images for various departments in an organization, such as marketing, engineering, and sales.

With Network Install you don’t need to insert multiple CDs to configure a system. All the installation files and packages reside on the server and are installed on the client computer at one time. Network Install also includes pre- and post-installation scripts you can use to invoke actions prior to or after the installation of a software package or system image.

See Chapter 13, “Network Install,” for more information about Network Install.

Network Services

Mac OS X Server includes these network services for helping you manage Internet communications on your TCP/IP network:

• Dynamic Host Configuration Protocol (DHCP)

• Domain Name System (DNS)

• IP firewall

• Service Location Protocol Directory Agent (SLP DA)

DHCP

DHCP helps you administer and distribute IP addresses dynamically to client computers from your server. From a block of IP addresses that you define, your server locates an unused address and “leases” it to client computers as needed. DHCP is especially useful when an organization has more clients than IP addresses. IP addresses are assigned on an as-needed basis, and when they are not needed they are available for use by other clients.

As you learned in “Search Policies” on page 21, you can automate the directory services setup of Mac OS X clients using your DHCP server’s Option 95 support. This option lets client computers learn about their directory settings from an LDAP server.

Chapter 11, “DHCP Service,” provides information about your server’s DHCP capabilities.

DNS

DNS service lets users connect to a network resource, such as a Web or file server, by specifying a host name (such as server.apple.com) rather than an IP address (192.168.11.12). DNS is a distributed database that maps IP addresses to domain names.

A server that provides DNS service keeps a list of names and the IP addresses associated with the names. When a computer needs to find the IP address for a name, it sends a message to the DNS server (also known as a name server). The name server looks up the IP address and sends it back to the computer. If the name server doesn’t have the IP address locally, it sends messages to other name servers on the Internet until the IP address is found.


You will use DNS if you use SMTP mail service or if you want to create subdomains within your primary domain. You will also use DNS if you are hosting multiple Web sites. If you don’t have an Internet service provider (ISP) who handles DNS for your network, you can set up a DNS server on your Mac OS X Server.

You’ll find more information about DNS in Chapter 14, “DNS Service.”

IP Firewall

IP firewall service protects your server and the content you store on it from intruders. It provides a software firewall, scanning incoming IP packets and accepting or rejecting them based on filters you define.

You can set up server-wide restrictions for packets from specific IP addresses. You can also restrict access to individual services—such as Web, mail, and FTP—by defining filters for the ports used by the services.

See Chapter 15, “Firewall Service,” for more information about this service.
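The two kinds of restriction described above (a server-wide filter on source addresses and per-service filters on ports) behave as an ordered list in which the first matching filter decides. The following is an added simulation, not code from the manual or from Apple’s firewall service: it evaluates constructed packets against a constructed filter set and also reports filters that can never fire because an earlier, broader filter already covers them, which is the usual way a misordered rule set silently opens or closes a service.

```python
"""First-match packet filter simulation with a shadowed-rule check.

Added example, not the manual's or Apple's code. The filter set and the
sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Filter:
    """One filter; the first filter that matches a packet decides its fate."""
    action: str                      # "allow" or "deny"
    source: IPv4Network              # source addresses the filter covers
    proto: Optional[str] = None      # "tcp" / "udp", or None for any protocol
    port: Optional[int] = None       # destination port, or None for any port
    comment: str = ""

    def matches(self, src: ipaddress.IPv4Address, proto: str, dport: int) -> bool:
        if src not in self.source:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.port is not None and self.port != dport:
            return False
        return True

    def covers(self, other: "Filter") -> bool:
        """True if every packet `other` could match is already matched by self."""
        return (other.source.subnet_of(self.source)
                and (self.proto is None or self.proto == other.proto)
                and (self.port is None or self.port == other.port))


def example_filters() -> List[Filter]:
    """Constructed filter set: a server-wide address block, per-service port
    filters for Web, mail and FTP, and a closing default deny."""
    return [
        Filter("deny", IPv4Network("10.0.0.0/8"), comment="server-wide block of one address range"),
        Filter("allow", IPv4Network("0.0.0.0/0"), "tcp", 80, "Web service reachable by everyone"),
        Filter("allow", IPv4Network("192.168.11.0/24"), "tcp", 25, "SMTP only from the LAN"),
        Filter("allow", IPv4Network("192.168.11.0/24"), "tcp", 21, "FTP only from the LAN"),
        Filter("deny", IPv4Network("0.0.0.0/0"), comment="default deny"),
    ]


def evaluate(filters: List[Filter], src: str, proto: str, dport: int) -> Tuple[str, int]:
    """Return (action, index of the deciding filter); index -1 means none matched."""
    addr = ipaddress.IPv4Address(src)
    for index, f in enumerate(filters):
        if f.matches(addr, proto, dport):
            return f.action, index
    return "deny", -1               # nothing matched: fail closed


def shadowed_filters(filters: List[Filter]) -> List[int]:
    """Indexes of filters that can never fire because an earlier, broader
    filter already decides every packet they would match."""
    return [j for j, later in enumerate(filters)
            if any(earlier.covers(later) for earlier in filters[:j])]


if __name__ == "__main__":
    rules = example_filters()
    for pkt in [("10.1.2.3", "tcp", 80), ("203.0.113.5", "tcp", 80),
                ("203.0.113.5", "tcp", 25), ("192.168.11.20", "tcp", 25)]:
        action, idx = evaluate(rules, *pkt)
        print(pkt, "->", action, "by filter", idx, rules[idx].comment)
    print("shadowed:", shadowed_filters(rules))
```

Note that the blocked address range is refused Web access even though the Web filter accepts every source: the server-wide deny sits first. Moving the default deny to the top of the list shadows every filter after it, which the shadowed-filter check reports.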

SLP DA

Service Location Protocol (SLP) provides structure to the services available on a network and gives users easy access to them.

Anything that can be addressed using a URL can be a network service—for example, file servers and WebDAV servers. When a service is added to your network, the service uses SLP to register itself on the network; you don’t need to configure it manually. When a client computer needs to locate a network service, it uses SLP to look for services of that type. All registered services that match the client computer’s request are displayed for the user, who then can choose which one to use.

SLP Directory Agent (DA) is an improvement on basic SLP, providing a centralized repository for registered network services. You can set up a DA to keep track of services for one or more scopes (groups of services). When a client computer looks for network services, the DA for the scope in which the client computer is connected responds with a list of available network services. Because a client computer only needs to look locally for services, network traffic is kept to a minimum and users can connect to network services more quickly.

See Chapter 16, “SLP DA Service,” for information about this service.

QuickTime Streaming Service

QuickTime Streaming Server (QTSS) lets you stream multimedia in real time using the industry-standard RTSP/RTP protocols. QTSS supports MPEG-4, MP3, and QuickTime file formats.


You can deliver live and prerecorded media over the Internet to both Macintosh and Windows users, or relay streamed media to other streaming servers. You can provide unicast streaming, which sends one stream to each individual client, or multicast streaming, which sends the stream to a group of clients.

For more information about QTSS, refer to the QuickTime Web site:

www.apple.com/quicktime/products/qtss/

You can use QuickTime Broadcaster in conjunction with QTSS when you want to produce a live event. QuickTime Broadcaster allows you to stream live audio and video over the Internet. QuickTime Broadcaster meets the needs of both beginners and professionals by providing preset broadcast settings and the ability to create custom settings. Built on top of the QuickTime architecture, QuickTime Broadcaster enables you to produce a live event using most codecs that QuickTime supports.

When teamed with QuickTime Streaming Server or Darwin Streaming Server, QuickTime Broadcaster can produce a live event for delivery to an audience of any size, from an individual to a large global audience.

For information about QuickTime Broadcaster, go to this Web site and navigate to the QuickTime Broadcaster page:

www.apple.com/quicktime/

Highlighting Server Applications

This section introduces you to the applications, tools, and techniques you use to set up and administer your Mac OS X Server. The following table summarizes them and tells you where to find more information about them.

Application, tool, or technique   Use to                                                      For more information, see

Server Assistant                  Initialize services                                         page 33

Open Directory Assistant          Create or set up access to existing NetInfo and LDAPv3      page 33
                                  directory domains and create and configure Password
                                  Servers

Directory Access                  Configure access to data in existing directory domains      page 34
                                  and define a search policy

Workgroup Manager                 Administer accounts, manage share points, and administer    page 34
                                  client management for Mac OS X users
