Mac OS X Server
Administrator’s Guide
For version 10.2.3 or later
Apple Computer, Inc.
© 2002 Apple Computer, Inc. All rights reserved.
The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services.
The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc.
Adobe and PostScript are trademarks of Adobe Systems Incorporated.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Netscape Navigator is a trademark of Netscape Communications Corporation.
RealAudio is a trademark of Progressive Networks, Inc.
© 1995–2001 The Apache Group. All rights reserved.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
022-0395/11-20-02
Contents

Preface
  How to Use This Guide 13
  What’s Included in This Guide 13
  Using This Guide 14
  Setting Up Mac OS X Server for the First Time 15
  Getting Help for Everyday Management Tasks 15
  Getting Additional Information 15

Chapter 1 Administering Your Server 17
  Highlighting Key Features 17
  Highlighting Individual Services 21
  Highlighting Server Applications 30
  Where to Find More Information 39

Chapter 2 Directory Services 41
  Storage for Data Needed by Mac OS X 42
  A Historical Perspective 43
  Uses of Directory Data 46
  Inside a Directory Domain 47
  Discovery of Network Services 48
  Directory Domain Protocols 49
  Local and Shared Directory Domains 50
  Directory Domain Hierarchies 54
  Search Policies for Directory Domain Hierarchies 58
  Directory Domain Planning 61
  Open Directory Password Server 63
  Overview of Directory Services Tools 68
  Setup Overview 68
  Before You Begin 70
  Setting Up an Open Directory Domain and Password Server 71
  Configuring Open Directory Service Protocols 86
  Setting Up Search Policies 87
  Changing Basic LDAPv3 Settings 90
  Configuring Access to Existing LDAPv3 Servers 91
  Using an Active Directory Server 98
  Accessing an Existing LDAPv2 Directory 100
  Using NetInfo Domains 105
  Using Berkeley Software Distribution (BSD) Configuration Files 110
  Configuring Directory Access on a Remote Computer 114
  Monitoring Directory Services 115
  Backing Up and Restoring Directory Services Files 116

Chapter 3 Users and Groups 117
  How User Accounts Are Used 118
  How Group Accounts Are Used 123
  Kinds of Users and Groups 124
  Setup Overview 128
  Before You Begin 132
  Administering User Accounts 134
  Working With Basic Settings for Users 136
  Working With Advanced Settings for Users 143
  Working With Group Settings for Users 145
  Working With Home Settings for Users 147
  Working With Mail Settings for Users 147
  Working With Print Settings for Users 149
  Working With Managed Users 151
  Defining a Guest User 151
  Deleting a User Account 151
  Disabling a User Account 152
  Administering Home Directories 152
  Administering Group Accounts 167
  Working With Member Settings for Groups 169
  Working With Folder Settings for Groups 172
  Working With Group and Computer Preferences 175
  Deleting a Group Account 175
  Finding User and Group Accounts 176
  Shortcuts for Working With Users and Groups 178
  Editing Multiple Users Simultaneously 178
  Using Presets 179
  Importing and Exporting User and Group Information 181
  Understanding Password Validation 193
  Storing Passwords in User Accounts 198
  Using a Password Server 200
  Using Kerberos 205
  Using LDAP Bind Authentication 208
  Backing Up and Restoring Files 209
  Supporting Client Computers 210
  Solving Problems 210

Chapter 4 Sharing 215
  Setup Overview 218
  Before You Begin 219
  Setting Up Sharing 221
  Managing Sharing 227
  Supporting Client Computers 231
  Solving Problems 231

Chapter 5 File Services 233
  Before You Begin 233
  Setup Overview 235
  Apple File Service 236
  Windows Services 248
  File Transfer Protocol (FTP) Service 256
  Network File System (NFS) Service 268
  Supporting Client Computers 272
  Solving Problems With File Services 275
  Where to Find More Information About File Services 278

Chapter 6 Client Management: Mac OS X 279
  The User Experience 280
  Before You Begin 281
  Designating Administrators 283
  Setting Up User Accounts 283
  Setting Up Group Accounts 284
  Setting Up Computer Accounts 284
  Managing Guest Computers 290
  Working With Access Settings 291
  Managing Portable Computers 293
  How Workgroup Manager Works With System Preferences 294
  Managing Preferences 295
  Managing Applications Preferences 301
  Managing Classic Preferences 304
  Managing Dock Preferences 308
  Managing Finder Preferences 311
  Managing Internet Preferences 319
  Managing Login Preferences 320
  Managing Media Access Preferences 324
  Managing Printing Preferences 327
  Solving Problems 330

Chapter 7 Print Service 335
  Setup Overview 337
  Before You Begin 339
  Setting Up Print Service 339
  Setting Up Print Quotas 342
  Setting Up Printing on Client Computers 343
  Managing Print Service 345
  Managing Print Queues 346
  Managing Print Jobs 349
  Managing Print Quotas 352
  Managing Print Logs 352
  Solving Problems 354

Chapter 8 Web Service 357
  Before You Begin 358
  Setting Up Web Service for the First Time 361
  Managing Web Service 362
  Managing Web Sites 369
  WebMail 379
  Setting Up Secure Sockets Layer (SSL) Service 383
  Solving Problems 385
  Installing and Viewing Web Modules 386
  Where to Find More Information 389

Chapter 9 Mail Service 391
  Mail Service Protocols 392
  How Mail Service Uses SSL 394
  How Mail Service Uses DNS 394
  Where Mail Is Stored 394
  How User Account Settings Affect Mail Service 395
  What Mail Service Can Do About Junk Mail 396
  What Mail Service Doesn’t Do 398
  Mail Service Configuration in the Local Directory 398
  Overview of Mail Service Tools 398
  Setup Overview 399
  Overview of Ongoing Mail Service Management 401
  Before You Begin 401
  Working With General Settings for Mail Service 402
  Working With Settings for Incoming Mail 405
  Working With Settings for Incoming POP Mail 406
  Working With Settings for Incoming IMAP Mail 407
  Working With Settings for Outgoing Mail 410
  Working With Settings for SMTP Mail 411
  Working With the Mail Database 416
  Working With Network Settings for Mail Service 419
  Limiting Junk Mail 421
  Working With Undeliverable Mail 425
  Monitoring Mail Status 427
  Supporting Mail Users 429
  Performance Tuning 431
  Backing Up and Restoring Mail Files 431
  Where to Find More Information 432

Chapter 10 Client Management: Mac OS 9 and OS 8 435
  Before You Begin 438
  Inside Macintosh Manager 442
  Setting Up Mac OS 9 or Mac OS 8 Managed Clients 448
  Logging In to Macintosh Manager as an Administrator 449
  Importing User Accounts 450
  Designating Administrators 455
  Working With User Settings 457
  Setting Up Workgroups 459
  Using Items Settings 462
  Using Privileges Settings 464
  Sharing Information in Macintosh Manager 467
  Using Volumes Settings 469
  Using Printers Settings 471
  Using Options Settings 474
  Setting Up Computer Lists 476
  Using Workgroup Settings for Computers 478
  Using Control Settings 479
  Using Computer Login Settings 484
  Managing Portable Computers 486
  Using Global Security Settings 487
  Using Global CD-ROM Settings 490
  Managing Preferences 491
  Solving Problems 496
  Where to Find More Information 499

Chapter 11 DHCP Service 501
  Before You Set Up DHCP Service 502
  Setting Up DHCP Service for the First Time 503
  Managing DHCP Service 505
  Solving Problems 510
  Where to Find More Information 510

Chapter 12 NetBoot 511
  Before You Set Up NetBoot 512
  Inside NetBoot 516
  Setup Overview 522
  Setting Up NetBoot 525
  Managing NetBoot 535
  Load Balancing 537
  Supporting Client Computers 538
  Solving Problems 541

Chapter 13 Network Install 543
  Before You Set Up Network Install 544
  Setup Overview 544
  Setting Up Network Install 545

Chapter 14 DNS Service 553
  Before You Set Up DNS Service 554
  Setting Up DNS Service for the First Time 555
  Managing DNS Service 556
  Inside DNS Service (Configuring BIND) 558
  Setting Up a Private TCP/IP Network 561
  Where to Find More Information 562

Chapter 15 Firewall Service 563
  Before You Set Up Firewall Service 565
  Setting Up Firewall Service for the First Time 568
  Managing Firewall Service 569
  Port Reference 578
  Solving Problems 581
  Where to Find More Information 582

Chapter 16 SLP DA Service 583
  Before You Begin 583
  Managing Service Location Protocol (SLP) Directory Agent (DA) Service 585
  Where to Find More Information 588

Chapter 17 Tools for Advanced Administrators 589
  Terminal 590
  Secure Shell (SSH) Command 591
  dsimportexport 593
  createhomedir 594
  Log Rolling Scripts 594
  diskspacemonitor 595
  diskutil 596
  installer 596
  softwareupdate 600
  systemsetup 600
  networksetup 602
  MySQL Manager 605
  Simple Network Management Protocol (SNMP) Tools 605
  diskKeyFinder 606
  Enabling IP Failover 606
  Using Disk Journaling 611
  Setting Up SSL for Mail Service 614
  Setting Up Authentication Manager 618
  ldapsearch 620

Appendix A Data Requirements of Mac OS X Directory Services 621
  User Data That Mac OS X Server Uses 622
  Standard Attributes in User Records 623
  Format of MailAttribute in User Records 629
  Standard Attributes in Group Records 632
  Standard Attributes in Computer Records 634
  Standard Attributes in Computer List Records 635
  Standard Attributes in Mount Records 636
  Standard Attributes in Config Records 637

Appendix B Integrating Mac OS X Directory Services With Active Directory 639
  The Scenarios 639

Glossary 649
Index 659
Preface
How to Use This Guide

What’s Included in This Guide
This guide consists primarily of chapters that tell you how to administer individual Mac OS X Server services:
• Chapter 1, “Administering Your Server,” highlights the major characteristics of Mac OS X Server’s services and takes you on a tour of its administration applications.
• Chapter 2, “Directory Services,” describes the services that Mac OS X computers use to find information about users, groups, and devices on your network. The Mac OS X directory services architecture is referred to as Open Directory.
• Chapter 3, “Users and Groups,” covers user and group accounts, describing how to administer settings for server users and collections of users (groups), including Open Directory Password Server and other password authentication options.
• Chapter 4, “Sharing,” tells you how to share folders, hard disks, and CDs among network users, as well as how to make them automatically visible after logging in to Mac OS X computers.
• Chapter 5, “File Services,” describes the file services included in Mac OS X Server: Apple file service, Windows services, Network File System (NFS) service, and File Transfer Protocol (FTP) service.
• Chapter 6, “Client Management: Mac OS X,” addresses client management for Mac OS X computer users. Client management lets you customize a user’s working environment and restrict a user’s access to network resources.
• Chapter 7, “Print Service,” tells you how to share printers among users on Macintosh, Windows, and other computers.
• Chapter 8, “Web Service,” describes how to set up and administer a Web server and host multiple Web sites on your server.
• Chapter 9, “Mail Service,” describes how to set up and administer a mail server on your server.
• Chapter 10, “Client Management: Mac OS 9 and OS 8,” addresses client management for Mac OS 8 and 9 computer users, describing how to use Macintosh Manager to manage their day-to-day working environments.
• Chapter 11, “DHCP Service,” describes Dynamic Host Configuration Protocol (DHCP) service, which lets you dynamically allocate IP addresses to the computers used by server users.
• Chapter 12, “NetBoot,” describes the application that lets Macintosh Mac OS 9 and X computers boot from server-based system disk images.
• Chapter 13, “Network Install,” tells you how to use the centralized network software installation service that automates installing, restoring, and upgrading Macintosh computers on your network.
• Chapter 14, “DNS Service,” describes Dynamic Name Service (DNS), a distributed database that maps IP addresses to domain names.
• Chapter 15, “Firewall Service,” addresses how to protect your server by scanning incoming IP packets and rejecting or accepting them based on filters you create.
• Chapter 16, “SLP DA Service,” describes Service Location Protocol Directory Agent (SLP DA), which you can use to make devices on your network available to your users.
• Chapter 17, “Tools for Advanced Administrators,” describes server applications, tools, and techniques intended for use by experienced server administrators.
• Appendix A, “Data Requirements of Mac OS X Directory Services,” provides information you’ll need when you must map directory services information needed by Mac OS X to information your server will retrieve from another vendor’s server.
• Appendix B, “Integrating Mac OS X Directory Services With Active Directory,” provides information about how Mac OS X Server can be set up to take advantage of Microsoft Active Directory information.
• The Glossary defines terms you’ll encounter as you read this guide.
Using This Guide
Review the first chapter to acquaint yourself with the services and applications that Mac OS X Server provides.
Then read any chapter that’s about a service you plan to provide to your users. Each service’s chapter includes an overview of how the service works, what it can do for you, strategies for using it, how to set it up for the first time, and how to administer it over time.
Also take a look at any chapter that describes a service with which you’re unfamiliar. You may find that some of the services you haven’t used before can help you run your network more efficiently and improve performance for your users.
Most chapters end with a section called “Where to Find More Information.” This section points you to Web sites and other reference material containing more information about the service.
Setting Up Mac OS X Server for the First Time
If you haven’t installed and set up Mac OS X Server, do so now.
• Refer to Getting Started With Mac OS X Server, the document that came with your software, for instructions on server installation and setup. For many environments, this document provides all the information you need to get your server up, running, and available for initial use.
• Review Chapter 1, “Administering Your Server,” in this guide to determine which services you’d like to refine and expand, to identify new services you’d like to set up, and to learn about the server applications you’ll use during these activities.
• Read specific chapters to learn how to continue setting up individual services. Pay particular attention to the information in these sections: “Setup Overview,” “Before You Begin,” and “Setting Up for the First Time.”
Getting Help for Everyday Management Tasks
If you want to change settings, monitor services, view service logs, or do any other day-to-day administration task, you can find step-by-step procedures by using the onscreen help available with server administration programs. While all the administration tasks are also documented in this guide, sometimes it’s more convenient to retrieve information in onscreen help form while using your server.
Getting Additional Information
In addition to this document, you’ll find information about Mac OS X Server
• in Getting Started With Mac OS X Server, which tells you how to install and set up your server initially
• in Upgrading to Mac OS X Server, which provides instructions for migrating data to Mac OS X Server from existing Macintosh computers
• at www.apple.com/server
• in onscreen help on your server
• in Read Me files on your server CD
Chapter 1
Administering Your Server
Mac OS X Server is a powerful server platform that delivers a complete range of services to users on the Internet and local network:
• You can connect users to one another, using services such as mail and file sharing.
• You can share system resources, such as printers and computers—maximizing their availability as users move about and making sure that disk space and printer usage remain equitably shared.
• You can host Internet services, such as Web sites and streaming video.
• You can customize working environments—such as desktop resources and personal files—of networked users.
This chapter is a tour of Mac OS X Server capabilities and administration. The chapter begins by pointing out some of Mac OS X Server’s key features. Then it summarizes the services you can set up to support the clients you want your server to host. Finally, it introduces the applications you use to set up and administer your server.
Highlighting Key Features
Mac OS X Server has a wide range of features that characterize it as easy to use, yet robust and high performing.
From the time you first unpack your server throughout its initial setup and deployment, its ease of use is apparent.
Setup assistants quickly walk you through the process of making basic services initially available. While your network users take advantage of the initial file sharing, mail, Web, and other services, you can add on additional client support and manage day-to-day server operations using graphical administrative applications. From one administrator computer, you can set up and manage all the Mac OS X Servers on your network.
You can choose from several user authentication options, ranging from Mac OS X Server’s Open Directory Password Server to Kerberos or Lightweight Directory Access Protocol (LDAP).
Password Server lets you implement password policies and supports a wide variety of client protocols. The Password Server is based on a standard known as SASL (Simple Authentication and Security Layer), so it can support a wide range of network user authentication protocols that are used by clients of Mac OS X Server services, such as mail and file servers, that need to authenticate users.
Kerberos authentication is available for file services—Apple Filing Protocol (AFP) and File Transfer Protocol (FTP)—as well as for mail services (POP, IMAP, and SMTP).
External network communication requests can be controlled with built-in Internet Protocol (IP) firewall management. And data communications can be encrypted and authenticated with protocol-level data security provided with Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Secure Shell (SSH).
File sharing offers flexible support for various native protocols as well as security and high availability:
• It’s easy to share files with Macintosh, Windows, UNIX, Linux, and anonymous Internet clients.
• You can control how much file space individual users consume by setting up mail and file quotas. Quotas limit the number of megabytes a user can use for mail or files.
• Kerberos authentication is available for AFP and FTP file servers.
• You can improve the security of NFS volumes by setting up share points on them that let users access them using the more secure AFP protocol. This feature is referred to as resharing NFS mounts.
• AFP autoreconnect lets client computers keep Apple file servers mounted after long periods of inactivity or after sleep/wake cycles.
Mac OS X Server printer sharing includes
• the ability to set up print quotas. Print quotas can be set up for each user and each print queue, letting you limit the number of pages that can be printed during a particular period.
• support for sharing printers among Mac OS 9 users (AppleTalk and LaserWriter 8 support), Mac OS X, Windows, and UNIX users
User and group information is used by your server to authenticate users and authorize their access to services and files. Information about other network resources is used by your server to make printers and other devices available to particular users. To access this information, the server retrieves it from centralized data repositories known as directory domains. The term for the services that locate and retrieve this data is directory services.
The Mac OS X directory services architecture is referred to as Open Directory. It lets you store data in a way that best suits your environment. Mac OS X Server can host directory domains using Apple’s NetInfo and LDAP directory domains. Open Directory also lets you take advantage of information you have already set up in non-Apple directory domains—for example, LDAP or Active Directory servers or Berkeley Software Distribution (BSD) configuration files.
Workgroup management services let you simplify and control the environment that Macintosh client users experience.
Mac OS X Server client management support helps you personalize the computing environment of Macintosh clients. You can set up Mac OS 8, 9, and X computers to have particular desktop environments and access to particular applications and network resources. You can design your Macintosh users’ experience as circumstances warrant.
You can also use NetBoot and Network Install to automate the setup of software used by Macintosh client computers:
• NetBoot lets Macintosh Mac OS 9 and X computers start up from a network-based system disk image, offering quick and easy configuration of department, classroom, and individual systems as well as Web and application servers throughout a network. When you update NetBoot images, all NetBooted computers have instant access to the new configuration.
• Network Install is a centralized network software installation service. It lets you selectively and automatically install, restore, or upgrade network-based Macintosh systems anywhere in the organization.
Mac OS X Server also lets you automatically configure the directory services you want Mac OS X clients to have access to. Automatic directory services configuration means that when a user logs in to a Mac OS X computer, the user’s directory service configuration is automatically downloaded from the network, setting up the user’s network access policies, preferences, and desktop configuration without the need to configure the client computer directly.
To maximize server availability, Mac OS X Server includes technology for monitoring server activity, monitoring and reclaiming disk space, automatically restarting malfunctioning services, and automatically restarting the server following a power failure.
You can also configure IP failover. IP failover is a way to set up a standby server that will take over if the primary server fails. The standby server takes over the IP address of the failed server, which takes the IP address back when it is online again. IP failover is useful for DNS servers, Web servers hosting Web sites, media broadcast servers, and other servers that require minimal data replication.
Powerful Internet and Web services are built into Mac OS X Server:
• Apache, the most popular Web server, provides reliable, high-performance Web content delivery. Integrated into Apache is Web-Based Distributed Authoring and Versioning (WebDAV), which simplifies the Web publishing and content management environment.
• If your Web sites contain static HTML files that are frequently requested, you can enable a performance cache to improve server performance.
• Web services include a comprehensive assortment of open-source services—Ruby, Tomcat, MySQL, PHP, and Perl.
• Mac OS X Server includes a high-performance Java virtual machine.
• SSL support enables secure encryption and authentication for ecommerce Web sites and confidential materials.
• QuickTime Streaming Server (QTSS) lets you stream both live and stored multimedia content on the Internet using industry-standard protocols.
• Mail service lets you set up a mail server your network users can use to send and receive email.
• WebMail service bundled with Mac OS X Server enables your users to access mail service via a Web browser.
Highlighting Individual Services
This section highlights individual Mac OS X Server services and tells you where in this guide to find more information about them.
Directory services let you use a central data repository for user and network information your server needs to authenticate users and give them access to services. Information about users (such as their names, passwords, and preferences) as well as printers and other resources on the network is consolidated rather than distributed to each computer on the network, simplifying the administrator’s tasks of directory domain setup and maintenance.
Open Directory
On Mac OS X computers, the directory services are collectively referred to as Open Directory. Open Directory acts as an intermediary between directory domains that store information and Mac OS X processes that need the information.
Open Directory supports a wide variety of directory domains, letting you store your directory information on Mac OS X Server or on a server you already have set up for this purpose:
• You can define and manage information in directory domains that reside on Mac OS X Server. Open Directory supports both NetInfo and LDAPv3 protocols and gives you complete control over directory data creation and management.
• Mac OS X Server can also retrieve directory data from LDAP and Active Directory servers and BSD configuration files you’ve already set up. Your server provides full read/write and SSL communications support for LDAPv3 directory domains.
Chapter 2, “Directory Services,” provides complete information about all the Open Directory options, including instructions for how to create Mac OS X–resident directory domains and how to configure your server and your clients to access directory domains of all kinds. Chapter 3, “Users and Groups,” describes how to work with user and group accounts stored in Open Directory domains.
Search Policies
Before a user can log in to or connect with a Mac OS X client or server, he or she must enter a name and password associated with a user account that the computer can find. A Mac OS X computer can find user accounts that reside in a directory domain of the computer’s search policy. A search policy is a list of directory domains the computer searches when it needs configuration information.
You can configure the search policy of Mac OS X computers on the computers themselves. You can automate Mac OS X client directory setup by using your server’s built-in DHCP Option 95 support.
Chapter 2, “Directory Services,” describes how to configure search policies on any Mac OS X computer.
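The search-policy lookup described above, as an added illustration that is not part of the original guide and not Apple’s code: two constructed domains (a local NetInfo domain and a shared LDAPv3 domain, with made-up account records) are consulted in the order the policy lists them, and the example assumes the first domain holding a matching short name answers. The second function shows the practical consequence an administrator should check for: a short name present in more than one domain is resolved only from the first, so the same login name can quietly map to a different uid and home directory depending on which domain is listed first.

```python
from typing import Optional, Tuple

# Constructed sample directory domains. Each maps a user's short name to an
# account record; all values are made up for this illustration.
LOCAL_NETINFO = {
    "admin": {"uid": 501, "home": "/Users/admin"},
}
SHARED_LDAP = {
    "admin": {"uid": 1001, "home": "/Network/Servers/dir.example.com/Users/admin"},
    "jdoe": {"uid": 1002, "home": "/Network/Servers/dir.example.com/Users/jdoe"},
}

# A search policy is the ordered list of domains the computer consults. The
# local domain is listed first, then a shared LDAPv3 domain.
SEARCH_POLICY = [
    ("local NetInfo", LOCAL_NETINFO),
    ("shared LDAPv3", SHARED_LDAP),
]


def find_account(name: str, policy=SEARCH_POLICY) -> Optional[Tuple[str, dict]]:
    """Walk the policy in order and return (domain label, record) from the first
    domain that holds an account with this short name, or None if no domain does.
    The example assumes a first-match rule: later domains are not consulted."""
    for label, domain in policy:
        record = domain.get(name)
        if record is not None:
            return label, record
    return None


def shadowed_accounts(policy=SEARCH_POLICY) -> dict:
    """Report short names that exist in more than one domain of the policy. The
    domains are listed in search order, so only the first one ever answers a
    login for that name; the later records are unreachable through this policy."""
    seen = {}
    for label, domain in policy:
        for name in domain:
            seen.setdefault(name, []).append(label)
    return {name: labels for name, labels in seen.items() if len(labels) > 1}


if __name__ == "__main__":
    print(find_account("jdoe"))    # found only in the shared domain
    print(find_account("admin"))   # the local record wins over the shared one
    print(find_account("nobody"))  # None: no domain in the policy has this account
    print(shadowed_accounts())     # {'admin': ['local NetInfo', 'shared LDAPv3']}
```

Running `shadowed_accounts()` against a real policy before enabling a shared domain is the kind of check that catches a locally created account hiding (or being hidden by) a network account of the same name.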
Open Directory gives you several options for validating a user’s password:
• You can use a value stored as a readable attribute in the user’s account.
The account can be stored in a directory domain residing on Mac OS X Server or on another vendor’s directory server, such as an LDAP or Active Directory server.
This option, referred to as the “basic” password validation strategy, is the simplest and fastest approach to password validation and offers the greatest opportunity for sharing user information for authentication with non-Apple servers. Basic password validation may not support clients that require certain network-secure authentication protocols, such as APOP.
See “Storing Passwords in User Accounts” on page 198 for details about this strategy.
• You can use a value stored in the Open Directory Password Server.
This option, which supports a wide range of client authentication protocols, lets you set up user-specific password policies for users. For example, you can require a user to change his password periodically or use only passwords having more than a minimum number of characters. It is the recommended password validation option for Windows users.
See “Open Directory Password Server” on page 63 for general Password Server concepts.
See “Setting Up an Open Directory Domain and Password Server” on page 71 for setup instructions.
See “Using a Password Server” on page 200 for information about how to manage Password Server settings for users.
• You can use a Kerberos server.
This scheme offers the opportunity to integrate into existing Kerberos environments. See “Using Kerberos” on page 205 for details.
• You can use LDAP bind authentication with a non-Apple LDAPv3 directory server.
This option, like Kerberos, offers a way to integrate your server into an existing authentication scheme.
See “Using LDAP Bind Authentication” on page 208 for how to implement this option.
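Why the “basic” strategy cannot serve a client that insists on APOP, worked through as an added example that is not part of the original guide and not Apple’s code. The basic strategy keeps only a one-way hash in the user record (the 10.2 record holds a crypt() hash; a salted SHA-256 stands in for it here), while the Password Server model keeps the reusable secret server-side. A client that sends the password itself can be checked against either store; an APOP client sends MD5(banner + password) per RFC 1939, which the server can only recompute if it still has the password. The user name, password and mail host are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PASSWORD = "correct horse"  # constructed sample secret for user "jdoe"


def make_basic_record(password: str) -> dict:
    """Model the 'basic' strategy: the user record carries only a salted one-way
    hash that any reader of the directory can see. (Mac OS X Server 10.2 stores a
    crypt() hash there; salted SHA-256 stands in for it in this example.)"""
    salt = secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return {"kind": "basic", "salt": salt, "hash": digest}


def make_password_server_record(password: str) -> dict:
    """Model the Password Server strategy: the reusable secret is held by the
    Password Server, not exposed as a readable attribute of the user record."""
    return {"kind": "password-server", "secret": password}


def verify_plain(record: dict, candidate: str) -> bool:
    """A client that transmits the password itself (PLAIN/LOGIN style) can be
    verified against either kind of store."""
    if record["kind"] == "basic":
        digest = hashlib.sha256((record["salt"] + candidate).encode()).hexdigest()
        return hmac.compare_digest(digest.encode(), record["hash"].encode())
    return hmac.compare_digest(record["secret"].encode(), candidate.encode())


def apop_digest(banner: str, password: str) -> str:
    """RFC 1939 APOP response: MD5 over the server's timestamp banner followed by
    the password. The password itself never crosses the wire."""
    return hashlib.md5((banner + password).encode()).hexdigest()


def verify_apop(record: dict, banner: str, response: str) -> Optional[bool]:
    """True/False when the store can evaluate an APOP response, None when it
    cannot: with only a one-way hash the server has no password to feed into the
    digest, so the mechanism is unavailable rather than merely failing."""
    if record["kind"] != "password-server":
        return None
    expected = apop_digest(banner, record["secret"])
    return hmac.compare_digest(expected.encode(), response.encode())


def apop_exchange(record: dict, client_password: str) -> Optional[bool]:
    """Simulate one POP3 login: the server greets with a unique timestamp banner,
    the client answers APOP <name> <digest>, the server checks it against its
    store. Banner shape follows RFC 1939; the host name is constructed."""
    banner = f"<{secrets.randbelow(10**5)}.{secrets.randbelow(10**9)}@mail.example.com>"
    response = apop_digest(banner, client_password)  # computed on the client side
    return verify_apop(record, banner, response)


if __name__ == "__main__":
    basic = make_basic_record(PASSWORD)
    ps = make_password_server_record(PASSWORD)
    print(verify_plain(basic, PASSWORD), verify_plain(ps, PASSWORD))  # both stores work
    print(apop_exchange(ps, PASSWORD), apop_exchange(ps, "wrong"))   # True False
    print(apop_exchange(basic, PASSWORD))                            # None
```

The same reasoning applies to any challenge-response mechanism (CRAM-MD5, NTLM-style exchanges): whichever store you choose has to hold a secret the server can compute from, which is why the guide points APOP-dependent clients at Password Server rather than at the basic strategy.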
Mac OS X Server makes it easy to share files using the native protocols of different kinds of client computers. Mac OS X Server includes four file services:
• Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources with clients who use Macintosh or Macintosh-compatible operating systems.
• Windows services use Server Message Block (SMB) protocol to let you share resources with clients who use Windows, and to provide name resolution service for Windows clients.
• File Transfer Protocol (FTP) service lets you share files with anyone using FTP.
• Network File System (NFS) service lets you share files and folders with users who have NFS client software (UNIX users).
You can deploy network home directories for Mac OS X clients using AFP or NFS and for UNIX clients using NFS. With a network home directory, users can access their applications, documents, and individual settings regardless of the computer to which they log in. You can impose disk quotas on network home directories to regulate server disk usage for users with home directories.
Sharing
You share files among users by designating share points. A share point is a folder, hard disk (or hard disk partition), or CD that you make accessible over the network. It’s the point of access at the top level of a group of shared items.
On Mac OS X computers, share points can be found in the /Network directory and by using the Finder’s Connect To Server command. On Mac OS 8 and 9 computers, users access share points using the Chooser. On Windows computers, users use Network Neighborhood. Chapter 4, “Sharing,” tells you how to set up and manage share points.
Static file server listings can also be published in a non-Apple directory domain, making it easy for computers in your company that are not on your local network to discover and connect to Mac OS X Server.
Apple File Service
Apple Filing Protocol (AFP) allows Macintosh client users to connect to your server and access folders and files as if they were located on the user’s own computer.
AFP offers
• file sharing support for Macintosh clients over TCP/IP
• autoreconnect support when a file server connection is interrupted
• encrypted file sharing (AFP through SSH)
• automatic creation of user home directories
• Kerberos v5 authentication for Mac OS X v10.2 and later clients
• fine-grain access controls for managing client connections and guest access
• automatic disconnect of idle clients after a period of inactivity
AFP also lets you reshare NFS mounts using AFP. This feature provides a way for clients not on the local network to access NFS volumes through an authenticated AFP connection instead of an unauthenticated NFS export (and an encrypted one, if you use AFP through SSH). It also lets Mac OS 9 clients access NFS file services on traditional UNIX networks.
See “Apple File Service” on page 236 for details about AFP.
Windows Services
Windows services in Mac OS X Server provide four native services to Windows clients:
• file service, which allows Windows clients to connect to Mac OS X Server using Server Message Block (SMB) protocol over TCP/IP
• print service, which uses SMB to allow Windows clients to print to PostScript printers on the network
• Windows Internet Naming Service (WINS), which allows clients across multiple subnets to perform name/address resolution
• browsing, which allows clients to browse for available servers across subnets
See “Windows Services” on page 248 for more information about Windows services.
Network File System (NFS) Service
NFS is the protocol used for file services on UNIX computers.
The NFS term for sharing is export. You can export a shared item to a set of client computers or to “World.” Exporting an NFS volume to World means that any host that can reach your server can also mount that volume.
NFS does not support name/password authentication. It relies on client IP addresses to authenticate users, and on the client to enforce privileges: the server accepts whatever user ID and group ID the client presents, and a source address is easy to forge. This is not a secure approach in most networks. Therefore use NFS only on a local area network (LAN) with trusted client computers, or in an environment that can’t use Apple file sharing or Windows file sharing. Map the root user to nobody on every export unless you have a specific reason not to. If your server has Internet access and you plan to export to World, place the server behind a firewall that blocks NFS (TCP and UDP port 2049) and portmap (port 111) from outside your network.
See “Network File System (NFS) Service” on page 268 for more information about NFS.
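The following model makes the NFS trust decision described above concrete. It is an added example written for this edition, not Apple’s NFS implementation, and it assumes the export options “Map Root user to nobody” and “Map All users to nobody” plus a uid of -2 for nobody; the export paths, client networks and file modes are constructed sample data. It shows that the only identity NFS checks is the client’s source address, and that any client on an allowed address can claim any user ID, including the file owner’s.

```python
import ipaddress
from dataclasses import dataclass

# Constructed constants for this model: Mac OS X maps "nobody" to uid/gid -2
# (65534 unsigned); "World" is the export-to-everyone setting.
NOBODY_UID = -2
NOBODY_GID = -2
WORLD = "World"


@dataclass
class Export:
    path: str
    clients: tuple                    # CIDR strings, or (WORLD,)
    read_only: bool = False
    map_root_to_nobody: bool = True   # assumed name of "Map Root user to nobody"
    map_all_to_nobody: bool = False   # assumed name of "Map All users to nobody"


@dataclass
class FileInfo:
    owner_uid: int
    group_gid: int
    mode: int                         # permission bits, e.g. 0o640


def client_allowed(export: Export, client_ip: str) -> bool:
    """NFS's only notion of 'who': the request's source address. It is spoofable
    and is shared by every user logged in to that host."""
    if WORLD in export.clients:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in export.clients)


def effective_identity(export: Export, claimed_uid: int, claimed_gids) -> tuple:
    """The server never verifies the uid/gid; it only applies the mapping options
    to whatever the client sent."""
    if export.map_all_to_nobody or (export.map_root_to_nobody and claimed_uid == 0):
        return NOBODY_UID, (NOBODY_GID,)
    return claimed_uid, tuple(claimed_gids)


def nfs_access(export: Export, client_ip: str, claimed_uid: int, claimed_gids,
               f: FileInfo, write: bool = False) -> bool:
    """Server-side access decision for one request: address check, export options,
    then an ordinary UNIX mode-bit check against the client-supplied identity."""
    if not client_allowed(export, client_ip):
        return False
    if write and export.read_only:
        return False
    uid, gids = effective_identity(export, claimed_uid, claimed_gids)
    if uid == 0:
        return True                   # unmapped root bypasses the mode bits
    if uid == f.owner_uid:
        shift = 6                     # owner bits
    elif f.group_gid in gids:
        shift = 3                     # group bits
    else:
        shift = 0                     # other bits
    bit = 0o2 if write else 0o4
    return bool((f.mode >> shift) & bit)


if __name__ == "__main__":
    secret = FileInfo(owner_uid=501, group_gid=20, mode=0o600)   # constructed
    lan = Export("/Shared", ("192.168.1.0/24",))
    print("off-LAN host, owner's uid :", nfs_access(lan, "10.0.0.5", 501, (20,), secret))
    print("LAN host claiming uid 501 :", nfs_access(lan, "192.168.1.20", 501, (20,), secret))
    print("LAN host claiming root    :", nfs_access(lan, "192.168.1.20", 0, (0,), secret))
    unsquashed = Export("/Shared", ("192.168.1.0/24",), map_root_to_nobody=False)
    print("same, root not mapped     :", nfs_access(unsquashed, "192.168.1.20", 0, (0,), secret))
```

The second and fourth lines of output are the point: a host on the allowed network reads a mode 0600 file simply by claiming its owner’s uid, and if root is not mapped to nobody it reads everything. The address list and the root mapping are the only controls the protocol gives you, which is why the guide limits NFS to trusted LANs.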
File Transfer Protocol (FTP)
FTP allows computers to transfer files over the Internet. Clients using any operating system that supports FTP can connect to your FTP file server and download files, depending on the permissions you set. Most Internet browsers and a number of freeware applications can be used to access your FTP server.
FTP service in Mac OS X Server supports Kerberos v5 authentication and, for most FTP clients, resuming of interrupted FTP file transfers. Mac OS X Server also supports dynamic file conversion, allowing users to request compressed or decompressed versions of information on the server.
FTP is considered to be an insecure protocol: user names and passwords, and the files themselves, cross the network in clear text. Kerberos v5 authentication protects the credentials but not the data. Because of these security issues, most FTP servers are used as Internet file distribution servers for anonymous FTP users.
Mac OS X Server supports anonymous FTP and by default prevents anonymous FTP users from deleting files, renaming files, overwriting files, and changing file permissions. Explicit action must be taken by the server administrator to allow uploads from anonymous FTP users, and then only into a specific share point.
See “File Transfer Protocol (FTP) Service” on page 256 for details about FTP.
Print Service
Print service in Mac OS X Server lets you share network and direct-connect printers among clients on your network. Print service also includes support for managing print queues, monitoring print jobs, logging, and using print quotas.
Print service lets you
• share printers with Mac OS 9 (PAP, LaserWriter 8), Mac OS X (IPP, LPR/LPD), Windows (SMB/CIFS), and UNIX (LPR/LPD) clients
• share direct-connect USB printers with Mac OS X version 10.2 and later clients
• connect to network printers using AppleTalk, LPR, and IPP and connect to direct-connect printers using USB
• make printers visible using Open Directory directory domains
• impose print quotas to limit printer usage
See Chapter 7, “Print Service,” for information about print service.
Web Service
Web service in Mac OS X Server is based on Apache, an open-source HTTP Web server. A Web server responds to requests for HTML Web pages stored on your site. Open-source software allows anyone to view and modify the source code to make changes and improvements.
Those features have led to Apache’s widespread use, making it the most popular Web server on the Internet today.
Web service includes a high-performance, front-end cache that improves performance for Web sites that use static HTML pages. With this cache, static data doesn’t need to be accessed by the server each time it is requested.
Web service also includes support for Web-based Distributed Authoring and Versioning (WebDAV). With WebDAV capability, your client users can check out Web pages, make changes, and then check the pages back in while the site is running. In addition, Mac OS X users can use a WebDAV-enabled Web server as if it were a file server. Because WebDAV lets clients write to your site, limit authoring to authenticated users and enable it only on the folders you intend them to change.
Web service’s Secure Sockets Layer (SSL) support enables encrypted connections and server authentication for ecommerce Web sites and confidential materials. The proof of your Web site’s identity comes from a digital certificate. Browsers accept that proof without a warning only when the certificate is signed by a certificate authority they already trust and its name matches the site’s host name; a self-signed certificate gives you encryption but not that proof.
Mac OS X Server offers extensive support for dynamic Web sites:
• Web service supports Java Servlets, JavaServer Pages, MySQL, PHP, Perl, and UNIX and Mac CGI scripts.
• Mac OS X Server also includes WebObjects deployment software. WebObjects offers a flexible and scalable way to develop and deploy ecommerce and other Internet applications. WebObjects applications can connect to multiple databases and dynamically generate HTML content. You can also purchase the WebObjects development tools if you want to create WebObjects applications. For more information and documentation on WebObjects, go to the WebObjects Web page:
www.apple.com/webobjects
See Chapter 8, “Web Service,” for details about Web service.
Mail Service
Mail services support the SMTP, POP, and IMAP protocols, allowing you to select a local or server-based mail storage solution for your users.
With remote mail administration you can manage the message database from any IMAP client. Realtime Blackhole List support allows you to block messages from known spam sources. Support for single or dual IMAP/POP3 mail inboxes gives flexibility in mail retrieval; a user can have a POP mailbox for office use and an IMAP mailbox for mobile use. Automatic blind copying (BCC) on incoming mail from specified hosts lets you track email coming from specific sites. You can limit the amount of disk space a user consumes for mail messages.
To protect email communication from eavesdroppers, mail service features SSL encryption of IMAP connections between the mail server and clients, SMTP AUTH authentication using LOGIN and PLAIN, and APOP and Kerberos v5 authentication for POP, IMAP, and SMTP clients. LOGIN and PLAIN only base64-encode the user name and password, so anyone who can capture the connection can read them; offer those mechanisms only over an SSL-protected connection, and prefer APOP or Kerberos where the clients support them.
For complete information about mail services, see Chapter 9, “Mail Service.”
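The two authentication points made in this chapter, that the “basic” password strategy cannot support APOP and that SMTP AUTH LOGIN and PLAIN expose credentials on an unencrypted connection, come down to a few lines of protocol arithmetic. The example below is an added illustration for this edition, not code from Mac OS X Server or its mail service; the banner, user name and password are constructed sample values, and a salted SHA-256 hash stands in for the crypt(3) hash that a basic-strategy user record actually holds.

```python
import base64
import hashlib
import hmac

# Constructed sample values; none of them come from a real server or capture.
POP3_BANNER = "<1896.697170952@mail.example.com>"  # timestamp banner in the POP3 greeting
USER = "alice"
PASSWORD = "correct horse"


def apop_digest(banner: str, password: str) -> str:
    """Client side of APOP (RFC 1939): hex MD5 of the greeting banner followed by
    the clear-text password. The password itself never crosses the wire."""
    return hashlib.md5((banner + password).encode("utf-8")).hexdigest()


class RecoverablePasswordStore:
    """Models the Password Server case: the server can recover the clear-text
    password, so it can recompute the client's APOP digest and compare."""

    SUPPORTS_APOP = True

    def __init__(self, passwords):
        self._passwords = dict(passwords)

    def verify_apop(self, banner, username, digest):
        stored = self._passwords.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(apop_digest(banner, stored), digest)


class OneWayHashStore:
    """Models the 'basic' strategy: the user record holds only a salted one-way
    hash (salted SHA-256 here, standing in for crypt(3))."""

    SUPPORTS_APOP = False

    def __init__(self, passwords):
        self._hashes = {}
        for user, pw in passwords.items():
            salt = hashlib.sha256(user.encode("utf-8")).hexdigest()[:8]  # constructed salt
            self._hashes[user] = (salt, self._hash(salt, pw))

    @staticmethod
    def _hash(salt, pw):
        return hashlib.sha256((salt + pw).encode("utf-8")).hexdigest()

    def verify_clear_text(self, username, password):
        """The only check a one-way hash allows: hash what the client sent, compare."""
        entry = self._hashes.get(username)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(self._hash(salt, password), digest)

    def verify_apop(self, banner, username, digest):
        # MD5(banner + password) cannot be recomputed from a hash of the password.
        raise NotImplementedError("APOP needs the clear-text password; only a hash is stored")


# SMTP AUTH PLAIN and LOGIN: what a capture of an unencrypted session gives away.

def encode_auth_plain(username, password, authzid=""):
    """Client side of AUTH PLAIN (RFC 4616): base64 of authzid NUL authcid NUL password."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64):
    """What an eavesdropper does with a captured AUTH PLAIN argument. Base64 is an
    encoding, not encryption."""
    authzid, authcid, password = base64.b64decode(b64).decode("utf-8").split("\0", 2)
    return authzid, authcid, password


def decode_auth_login(b64_user, b64_pass):
    """AUTH LOGIN sends the two values as separate base64 lines, after the server's
    'VXNlcm5hbWU6' (Username:) and 'UGFzc3dvcmQ6' (Password:) prompts."""
    return (base64.b64decode(b64_user).decode("utf-8"),
            base64.b64decode(b64_pass).decode("utf-8"))


if __name__ == "__main__":
    digest = apop_digest(POP3_BANNER, PASSWORD)          # what the client sends
    ps = RecoverablePasswordStore({USER: PASSWORD})
    basic = OneWayHashStore({USER: PASSWORD})
    print("Password Server, APOP:", ps.verify_apop(POP3_BANNER, USER, digest))
    print("basic, clear-text password:", basic.verify_clear_text(USER, PASSWORD))
    print("basic, APOP:", "ok" if basic.SUPPORTS_APOP else "unsupported")
    captured = "AUTH PLAIN " + encode_auth_plain(USER, PASSWORD)
    print(captured, "->", decode_auth_plain(captured.split()[2]))
```

APOP keeps the password off the wire but forces the server to keep it in recoverable form, which is exactly what the Password Server provides and the basic strategy does not. PLAIN and LOGIN are the opposite trade: the server needs only a hash, but the credentials travel in the clear, so on this server they belong inside an SSL-protected connection.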
Mac OS X Server provides work environment personalization for Mac OS 8, 9, and X computer users, ranging from preference management to operating system and application installation automation.
Client Management
You can use Mac OS X Server to manage the work environments of Mac OS 8, 9, and X clients. Preferences you define for individual users, groups of users, and computers provide your Macintosh users with a consistent desktop, application, and network appearance regardless of the Macintosh computer to which they log in.
To manage Mac OS 8 and 9 clients, you use Macintosh Manager, described in Chapter 10, “Client Management: Mac OS 9 and OS 8.” To manage Mac OS X clients, you use Workgroup Manager, as Chapter 6, “Client Management: Mac OS X,” describes.
Mac OS X client management has several advantages:
• You can take advantage of the directory services autoconfiguration capability to automatically set up the directory services used by Mac OS X client computers.
• When you update user, group, and computer accounts, managed Mac OS X users inherit changes automatically. You update Mac OS 8 and 9 accounts independently, using Macintosh Manager.
• You have more direct control over individual system preferences.
• Network home directories and group directories can be mounted automatically at login.
NetBoot
NetBoot lets Macintosh clients boot from a system disk image located on Mac OS X Server instead of from the client computer’s disk drive. You can set up multiple NetBoot disk images, so you can boot clients into Mac OS 9 or X or even set up customized Macintosh environments for different groups of clients.
NetBoot can simplify the administration and reduce the support normally associated with large-scale deployments of network-based Macintosh systems. NetBoot is ideal for an organization with a number of client computers that need to be identically configured. For example, NetBoot can be a powerful solution for a data center that needs multiple identically configured Web and application servers.
NetBoot allows administrators to configure and update client computers instantly by simply updating a boot image stored on the server. Each image contains the operating system and application folders for all clients on the server. Any changes made on the server are automatically reflected on the clients when they reboot. Because a client’s own changes do not survive a reboot, systems that are compromised or otherwise altered can be restored simply by rebooting. The image itself is then what you must protect: restrict write access to it on the server, since every client that boots from it inherits whatever it contains.
See Chapter 12, “NetBoot,” for information about setting up and managing NetBoot.
Network Install
Network Install is a centrally managed installation service that allows administrators to selectively install, restore, or upgrade client computers. Installation images can contain the latest release of Mac OS X, a software update, site-licensed or custom applications, even configuration scripts:
• Network Install is an excellent solution for operating system migrations, installing software updates and custom software packages, restoring computer classrooms and labs, and reimaging desktop and portable computers.
• You can define custom installation images for various departments in an organization, such as marketing, engineering, and sales.
With Network Install you don’t need to insert multiple CDs to configure a system. All the installation files and packages reside on the server and are installed on the client computer at one time. Network Install also includes pre- and post-installation scripts you can use to invoke actions prior to or after the installation of a software package or system image. Those scripts run with installer privileges on every client that receives the image, so protect the images and their scripts on the server as carefully as the server’s own system software.
See Chapter 13, “Network Install,” for more information about Network Install.
Network Services
Mac OS X Server includes these network services for helping you manage Internet communications on your TCP/IP network:
• Dynamic Host Configuration Protocol (DHCP)
• Domain Name System (DNS)
• IP firewall
• Service Location Protocol Directory Agent (SLP DA)
DHCP
DHCP helps you administer and distribute IP addresses dynamically to client computers from your server. From a block of IP addresses that you define, your server locates an unused address and “leases” it to client computers as needed. DHCP is especially useful when an organization has more clients than IP addresses. IP addresses are assigned on an as-needed basis, and when they are not needed they are available for use by other clients.
As you learned in “Search Policies” on page 21, you can automate the directory services setup of Mac OS X clients using your DHCP server’s Option 95 support. This option tells client computers which LDAP server holds their directory settings. Keep in mind that a client accepts this option from whichever DHCP server answers it, so rely on it only on networks where you control every DHCP server; otherwise configure the directory server on the clients explicitly.
Chapter 11, “DHCP Service,” provides information about your server’s DHCP capabilities.
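To show what a client actually receives, and the check a cautious client can apply, here is a small DHCP option parser. It is an added example for this edition, not code from Mac OS X Server’s DHCP service or its client. It assumes Option 95 carries an LDAP URL of the form ldap://host/searchbase, which is how the option is commonly populated; the option values, host names and trusted-server list are constructed sample data. The encoder exists only to build that sample offer.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

OPTION_PAD = 0
OPTION_MESSAGE_TYPE = 53
OPTION_LDAP_URL = 95      # DHCP "LDAP" option; assumed here to hold ldap://host/searchbase
OPTION_END = 255


def build_options(options: Dict[int, bytes]) -> bytes:
    """Encode {code: value} as DHCP TLV options (code, length, value) plus End.
    Used here only to construct sample offers."""
    out = bytearray()
    for code, value in options.items():
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("option code or length out of range")
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Decode DHCP TLV options. Pad (0) has no length byte, End (255) stops parsing,
    and a length that runs past the buffer is an error rather than a short read."""
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value
        i += 2 + length
    return options


def ldap_url(options: Dict[int, bytes]) -> Optional[str]:
    raw = options.get(OPTION_LDAP_URL)
    return raw.decode("utf-8") if raw is not None else None


def is_trusted_ldap_url(url: str, trusted_hosts) -> bool:
    """The check the DHCP exchange itself does not do: the URL must use an LDAP scheme
    and name a directory server the client already knows about."""
    parts = urlsplit(url)
    hosts = {h.lower() for h in trusted_hosts}
    return parts.scheme in ("ldap", "ldaps") and (parts.hostname or "").lower() in hosts


def directory_server_from_offer(blob: bytes, trusted_hosts) -> Optional[str]:
    """Return the Option 95 URL only if it names a trusted server; anything else is
    dropped, because any host on the subnet can answer DHCP."""
    url = ldap_url(parse_options(blob))
    if url is None or not is_trusted_ldap_url(url, trusted_hosts):
        return None
    return url


# Constructed sample offers: a legitimate one and one from a rogue DHCP server.
GOOD_OFFER = build_options({OPTION_MESSAGE_TYPE: b"\x02",
                            OPTION_LDAP_URL: b"ldap://ldap.example.com/dc=example,dc=com"})
ROGUE_OFFER = build_options({OPTION_MESSAGE_TYPE: b"\x02",
                             OPTION_LDAP_URL: b"ldap://10.0.0.99/dc=example,dc=com"})
TRUSTED_DIRECTORY_SERVERS = {"ldap.example.com"}

if __name__ == "__main__":
    print("good offer ->", directory_server_from_offer(GOOD_OFFER, TRUSTED_DIRECTORY_SERVERS))
    print("rogue offer ->", directory_server_from_offer(ROGUE_OFFER, TRUSTED_DIRECTORY_SERVERS))
```

A Mac OS X client that simply honours Option 95 performs no such allowlist check; the example shows what the option can deliver and why controlling the DHCP servers on each subnet matters when you use it.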
DNS
DNS service lets users connect to a network resource, such as a Web or file server, by specifying a host name (such as server.apple.com) rather than an IP address (192.168.11.12). DNS is a distributed database that maps domain names to IP addresses, and IP addresses back to names.
A server that provides DNS service keeps a list of names and the IP addresses associated with the names. When a computer needs to find the IP address for a name, it sends a message to the DNS server (also known as a name server). The name server looks up the IP address and sends it back to the computer. If the name server doesn’t have the IP address locally, it sends messages to other name servers on the Internet until the IP address is found.
You will use DNS if you use SMTP mail service or if you want to create subdomains within your primary domain. You will also use DNS if you are hosting multiple Web sites. If you don’t have an Internet service provider (ISP) who handles DNS for your network, you can set up a DNS server on your Mac OS X Server.
You’ll find more information about DNS in Chapter 14, “DNS Service.”
IP Firewall
IP firewall service protects your server and the content you store on it from intruders. It provides a software firewall, scanning incoming IP packets and accepting or rejecting them based on filters you define.
You can set up server-wide restrictions for packets from specific IP addresses. You can also restrict access to individual services—such as Web, mail, and FTP—by defining filters for the ports used by the services.
See Chapter 15, “Firewall Service,” for more information about this service.
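The two kinds of filter the text describes, a server-wide block on an address range and per-service filters keyed on port, combine through rule order, and getting that order wrong is the usual way a firewall lets in what it was meant to stop. The matcher below is an added example for this edition, not the firewall service’s own rule engine or syntax; the rule set, networks and packets are constructed, and the port numbers are the standard ones for HTTP (80), SMTP (25), AFP (548), NFS (2049) and portmap (111).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    source: str = "0.0.0.0/0"    # source network the rule applies to
    port: Optional[int] = None   # destination port; None matches any port
    proto: str = "any"           # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port != pkt.dst_port:
        return False
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.source, strict=False)


def decide(rules, pkt: Packet, default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; a packet no rule matches gets the default action.
    Returning the rule makes it possible to see which one decided."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return default, None


LAN = "192.168.1.0/24"
RULES = (
    Rule("deny", "203.0.113.0/24"),         # server-wide block of one address range
    Rule("allow", port=80, proto="tcp"),    # Web service open to everyone
    Rule("allow", port=25, proto="tcp"),    # SMTP open to everyone for mail delivery
    Rule("allow", LAN, 548, "tcp"),         # AFP only from the LAN
    Rule("allow", LAN, 2049, "any"),        # NFS only from the LAN
    Rule("allow", LAN, 111, "any"),         # portmap only from the LAN
)

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", 80), Packet("203.0.113.9", 80),
                Packet("198.51.100.7", 2049, "udp"), Packet("192.168.1.30", 2049, "udp")):
        action, rule = decide(RULES, pkt)
        print(f"{pkt.src}:{pkt.dst_port}/{pkt.proto} -> {action} ({rule})")
```

Because evaluation stops at the first match, the blanket deny for 203.0.113.0/24 only works while it precedes the allow for port 80; moving it after that rule silently reopens the Web server to the blocked range. The same ordering is what keeps NFS and portmap reachable from the LAN alone while everything unlisted falls through to the default deny.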
SLP DA
Service Location Protocol (SLP) provides structure to the services available on a network and gives users easy access to them.
Anything that can be addressed using a URL can be a network service—for example, file servers and WebDAV servers. When a service is added to your network, the service uses SLP to register itself on the network; you don’t need to configure it manually. When a client computer needs to locate a network service, it uses SLP to look for services of that type. All registered services that match the client computer’s request are displayed for the user, who then can choose which one to use. Registration is not authenticated, so a listing tells users that a service has been advertised, not that it is genuine; users still authenticate to the service they choose, as they would for any server.
SLP Directory Agent (DA) is an improvement on basic SLP, providing a centralized repository for registered network services. You can set up a DA to keep track of services for one or more scopes (groups of services). When a client computer looks for network services, the DA for the scope in which the client computer is connected responds with a list of available network services. Because a client computer only needs to look locally for services, network traffic is kept to a minimum and users can connect to network services more quickly.
See Chapter 16, “SLP DA Service,” for information about this service.
QuickTime Streaming Server
QuickTime Streaming Server (QTSS) lets you stream multimedia in real time using the industry-standard RTSP/RTP protocols. QTSS supports MPEG-4, MP3, and QuickTime file formats.
You can deliver live and prerecorded media over the Internet to both Macintosh and Windows users, or relay streamed media to other streaming servers. You can provide unicast streaming, which sends one stream to each individual client, or multicast streaming, which sends the stream to a group of clients.
For more information about QTSS, refer to the QuickTime Web site:
www.apple.com/quicktime/products/qtss/
You can use QuickTime Broadcaster in conjunction with QTSS when you want to produce a live event. QuickTime Broadcaster allows you to stream live audio and video over the Internet. QuickTime Broadcaster meets the needs of both beginners and professionals by providing preset broadcast settings and the ability to create custom settings. Built on top of the QuickTime architecture, QuickTime Broadcaster enables you to produce a live event using most codecs that QuickTime supports.
When teamed with QuickTime Streaming Server or Darwin Streaming Server, QuickTime Broadcaster can produce a live event for delivery to an audience of any size, from an individual to a large global audience.
For information about QuickTime Broadcaster, go to this Web site and navigate to the QuickTime Broadcaster page:
www.apple.com/quicktime/
This section introduces you to the applications, tools, and techniques you use to set up and administer your Mac OS X Server. The following table summarizes them and tells you where to find more information about them.
Application, tool, or technique | Use to | For more information, see
Server Assistant | Initialize services | page 33
Open Directory Assistant | Create or set up access to existing NetInfo and LDAPv3 directory domains and create and configure Password Servers | page 33
Directory Access | Configure access to data in existing directory domains and define a search policy | page 34
Workgroup Manager | Administer accounts, manage share points, and administer client management for Mac OS X users | page 34