Apple Mac OS X Server User Manual

Understanding and Using NetInfo

Includes information on setting up Mac OS X Server and NetInfo to increase the power of your Mac OS X network

Apple Computer, Inc.

© 2001 Apple Computer, Inc. All rights reserved.

Under the copyright laws, this publication may not be copied, in whole or in part, without the written consent of Apple.

The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Apple, the Apple logo, AppleShare, Mac, and Macintosh are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Finder is a trademark of Apple Computer, Inc.

© 1995-2001 The Apache Group. All rights reserved.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.

062-8432/06-16-01

Contents

Preface  About This Document  7
  What’s in This Document  7
  Where to Find More Information  8

1  What Is NetInfo?  9
  NetInfo: A Service for Mac OS X Processes  9
  A Historical Perspective  10
    Data Consolidation  10
    Data Distribution  11
  The Power of NetInfo: Software That Uses It  12
    Folder and File Ownership  12
    Home Directories  13
    Mounts  14
  Architectural Elements of NetInfo  14
    Local Data  14
    Shared Data  15
    NetInfo Hierarchies  17
    Binding  19
    Replication  21
    Inside NetInfo  22
  Accessing and Manipulating NetInfo Data  24
    Defining NetInfo Domains  24
    Configuring NetInfo Hierarchies  24
    Setting Up Search Policies  25
    Managing NetInfo Data  25
    Viewing NetInfo Data  25
    Using Command Line Utilities  27
  The Importance of Planning  27

2  NetInfo Planning  29
  General Planning Guidelines  29
    Controlling NetInfo Data Visibility  31
    Simplifying Changes to NetInfo Data  31
    Identifying Computers for Hosting Shared Domains  31
    Devising a Binding Strategy  32
  User Data Planning  32
    Understanding the Login Environment  32
    Contrasting Logging In and Connecting  35
    Managing Names  35
    Managing UIDs  38
    Setting Up Home Directories  38
  Group Data Planning  39
    Ensuring Group Visibility  39
    Avoiding Duplicate Short Names  40
  The Next Step  41

3  Setting Up NetInfo Hierarchies  43
  The Overall Process  43
  Setting Up the Root Domain of a Simple Hierarchy  44
  Setting Up Shared Domains in Deeper Hierarchies  45
    Understanding Machine Records  45
    Defining Shared Domains  47
  Setting Up Local Domains of Network Users  51
    Static Binding  51
    DHCP Binding  52
    Broadcast Binding  52
  Setting Up Replication  53
    Distinguishing Masters  53
    Locating and Using Masters and Clones  54
    Creating Masters  54
    Creating Clones  54
    Replacing a Master With a Clone  55
  Setting Up Windows User Authentication  56
    Simple Hierarchies With No Clones  56
    Other Hierarchies  57
    Disabling Authentication Manager  60
  Populating Domains  60
    Setting Up Mounts and Automounting  60
    Defining Users and Groups  61
    Sharing Printers  62

Preface

About This Document

What’s in This Document

If you’re a system or network administrator whose responsibilities include Mac OS X administration, this document will help you understand and implement NetInfo.

NetInfo is the directory system that is built into computers running Mac OS X and Mac OS X Server. NetInfo facilitates the management of administrative information used by Mac OS X computers.

For example, NetInfo lets you centralize information about users, printers, servers, and other network devices so that all Mac OS X computers on your network, or only some of them, have access to it. It helps you set up and manage home directories for Mac OS X users on multiple, integrated Mac OS X Servers. And it simplifies the day-to-day management of administrative information by letting you update information that’s used across the network in one central place.

• Chapter 1, “What Is NetInfo?,” introduces NetInfo. It tells you how NetInfo is used by Mac OS X computers and highlights key aspects of its external and internal architecture. It also introduces you to the various ways you can access and manipulate NetInfo data.

• Chapter 2, “NetInfo Planning,” provides guidelines to help you decide how to implement NetInfo in your environment. Use the information in this chapter to design a NetInfo hierarchy that gives your Mac OS X users easy access to the network resources they need, yet minimizes the time you spend maintaining NetInfo data.

• Chapter 3, “Setting Up NetInfo Hierarchies,” tells you how to create and configure the components of a NetInfo directory system.


Where to Find More Information

The following information is available for Mac OS X Server administrators. Mac OS X Server is a powerful server platform that delivers a complete range of services to network users, including applications that help you set up and manage your NetInfo data:

• Mac OS X Server Administrator’s Guide provides information about Mac OS X Server’s administrative applications and how to use them to set up your server.

• The online help for each server administration program provides step-by-step instructions for everyday server management.

• Mac OS X Server Migration Guide provides instructions for upgrading to Mac OS X Server from AppleShare IP, Macintosh Manager, and Mac OS X Server 1.2.

If you would like help planning, designing, and implementing NetInfo, contact Apple iServices at iservices@apple.com or call 800-848-6398.


Chapter 1

What Is NetInfo?

NetInfo is the built-in Mac OS X directory system. A directory system is software that system and application processes can use to store and find administrative information about resources and users.

The Mac OS X login process, for example, consults user information in NetInfo to determine whether the name and password entered in the login window are those of a valid user. Other processes need information about the location of such resources as home directories, printers, file servers, and other devices available from a particular Mac OS X computer.

NetInfo: A Service for Mac OS X Processes

NetInfo stores information about users and resources and makes it available to Mac OS X processes that want to use it.

[Figure: Users, Groups, Printers, Servers, and Mounts are stored in NetInfo and retrieved by Processes]

Processes running on Mac OS X computers can save information in NetInfo, and processes that need the information can retrieve it from NetInfo. For example, when you set up a user account, the application you use to do so stores information about the user in NetInfo:

• On a computer running Mac OS X, you use the Users pane of System Preferences to set up user accounts.

• On Mac OS X Server, use the Users & Groups module of Server Admin, which lets you set up additional user attributes, such as the user’s home directory.


No matter which application you use, the user information is stored in NetInfo. When a user attempts to log in to a Mac OS X computer, the login process consults the information in NetInfo to authenticate the user.


This chapter introduces NetInfo. It briefly describes how it evolved. It samples some of the common ways NetInfo is used, illustrating how it makes Mac OS X one of the world’s most advanced operating systems. And it highlights key elements of NetInfo’s visible and behind-the-scenes architecture.

A Historical Perspective

Like Mac OS X, NetInfo has a UNIX heritage. Much of what it manages is the same administrative data formerly kept in UNIX configuration files, but it consolidates the data and distributes it for ease of access and maintenance.

Data Consolidation

In early UNIX systems, administrative information was stored in a collection of files located in the /etc directory. Every computer had its own set of these files, and processes read the files when they needed administrative information. If you’re experienced with UNIX, you’ll likely recall the files in the /etc directory—group, hosts, hosts.equiv, passwd, and so forth.

[Figure: Processes reading the group, hosts, and passwd files in /etc directly]

When a process needed to retrieve a password, it used one kind of call to consult the /etc/passwd file, which contained a record for each user. When a process needed group information, it used a different call to read the group file.


NetInfo consolidates administrative information, simplifying the interactions between processes and the administrative data they create and use.

[Figure: Processes retrieving administrative data through NetInfo]

Processes no longer need to be aware of how and where administrative data is stored. NetInfo does that for them. If a process needs the home directory for a user, it simply retrieves it from NetInfo. NetInfo finds the requested information, then returns it, insulating the process from the details of how the information is stored. And when you take advantage of NetInfo’s ability to store administrative data in several NetInfo databases, NetInfo automatically consults them when needed.

[Figure: Processes retrieving administrative data through NetInfo from several NetInfo databases]

Much of the data NetInfo stores is identical to data stored on earlier UNIX systems. The crypt password, the home directory, the real name, short name, UID, GID—all stored in NetInfo user records—have corresponding entries in the standard /etc/passwd file. However, much of the data stored by NetInfo supports functions unique to Mac OS X, such as support for Apple Filing Protocol (AFP) directories.

Data Distribution

Another characteristic of early storage strategies for administrative data is that the data was stored locally. If you wanted to use a specific computer, your user account information had to be stored on that computer. To configure a computer’s network settings, the administrator needed to go to each computer and manually enter the IP address and all the other information needed to identify the computer on the network.


Likewise, user or network information needed to be changed on the computer where it resided. Some changes, such as network settings, had to be made on multiple computers. As networks grew in size and complexity, it became unwieldy to maintain administrative information using this approach.

NetInfo solves this problem by letting you store administrative data in such a way that it can be managed by a system administrator from one location. NetInfo lets you distribute the information so that it is visible on a network to both computers that need it and administrators who manage it:

[Figure: NetInfo data visible on the network to both users and the system administrator]

The Power of NetInfo: Software That Uses It

Although NetInfo provides an easy-to-maintain database that lets you consolidate and distribute network information, that information is useful only if it can be accessed by processes that need it. The real power of NetInfo is not NetInfo itself, but the fact that Mac OS X software takes full advantage of data stored in NetInfo.

You have already seen how the Users pane of System Preferences or the Users & Groups module of Server Admin creates NetInfo user records, and how these records, in turn, are used to authenticate users who log in to Mac OS X computers. This section highlights a few additional ways that NetInfo data is created and used.

Folder and File Ownership

The Mac OS X file system uses a particular data item in the user record—the user ID (UID)— to keep track of directory and file ownership.

When a user creates a directory or file, the file system stores the creator’s UID. When a user with that UID accesses the directory or file, the user is granted read and write privileges to it. Any process started by the creator is granted read and write privileges to any files associated with the creator’s UID.


If an administrator changes a user’s UID, the user may no longer be able to modify or even access files and directories she created. Likewise, if the user logs in as a user whose UID is different from the UID used to create the files and directories, the user will no longer have owner access privileges for them.

When you define a user, the UID for the user is automatically assigned and stored in the user’s record in NetInfo. The Server Admin Users & Groups module lets you change the UID of users if you need to. You might, for example, need to change a user’s UID when merging users created on different servers into one new server or cluster of servers; the same UID may have been associated with different users on the previous servers.
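The merge scenario above (users from different servers who may have been given the same UID) is the kind of problem worth checking before any records are combined, because the file system trusts the numeric UID alone. The following script is an added example, not code from the Apple manual or from NetInfo: it parses passwd-format records (the fields the manual says NetInfo user records share with /etc/passwd), reports UID and short-name collisions between two servers, and shows which users would need a new UID. The property names, the field order, and the sample records are constructed for illustration.

```python
"""Parsing passwd-format user records and checking UIDs when merging servers.

Added example, not code from the Apple manual or from NetInfo. The field
order mirrors /etc/passwd; property names and sample data are constructed.
"""
from collections import defaultdict

# Assumed field order: name:passwd:uid:gid:realname:home:shell
FIELDS = ("name", "passwd", "uid", "gid", "realname", "home", "shell")

# Constructed sample records for two servers about to be merged.
SERVER_A = """\
# server A (constructed sample)
alice:x:501:20:Alice Example:/Users/alice:/bin/tcsh
bob:x:502:20:Bob Example:/Users/bob:/bin/tcsh
"""
SERVER_B = """\
# server B (constructed sample)
carol:x:501:20:Carol Example:/Users/carol:/bin/tcsh
bob:x:503:20:Bob Example:/Users/bob:/bin/tcsh
"""


def parse_passwd(text):
    """Turn passwd-format lines into dict records keyed by property name."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        rec["uid"] = int(rec["uid"])  # numeric, because ownership is compared by number
        rec["gid"] = int(rec["gid"])
        records.append(rec)
    return records


def find_collisions(sources):
    """Report UIDs shared by different short names, and short names with different UIDs.

    sources maps a server label to that server's record list.
    """
    by_uid = defaultdict(set)
    by_name = defaultdict(set)
    for server, records in sources.items():
        for rec in records:
            by_uid[rec["uid"]].add((server, rec["name"]))
            by_name[rec["name"]].add((server, rec["uid"]))
    uid_collisions = {uid: sorted(owners) for uid, owners in by_uid.items()
                      if len({name for _, name in owners}) > 1}
    name_collisions = {name: sorted(uses) for name, uses in by_name.items()
                       if len({uid for _, uid in uses}) > 1}
    return uid_collisions, name_collisions


def merge(sources, start_uid=1000):
    """Merge records server by server, giving a colliding user a fresh UID.

    Returns (merged, reassigned, skipped):
      merged     short name -> record in the combined set
      reassigned (server, name, old_uid, new_uid): files this user owns on the
                 old server still carry old_uid and must be re-owned, or the
                 user loses access to them, as the manual warns
      skipped    (server, name, uid, kept_uid): short name already merged
                 from an earlier server, so this record was not taken
    """
    merged, reassigned, skipped = {}, [], []
    used = set()
    next_uid = start_uid
    for server, records in sources.items():
        for rec in records:
            rec = dict(rec)
            if rec["name"] in merged:
                skipped.append((server, rec["name"], rec["uid"], merged[rec["name"]]["uid"]))
                continue
            if rec["uid"] in used:
                while next_uid in used:
                    next_uid += 1
                reassigned.append((server, rec["name"], rec["uid"], next_uid))
                rec["uid"] = next_uid
            used.add(rec["uid"])
            merged[rec["name"]] = rec
    return merged, reassigned, skipped


if __name__ == "__main__":
    sources = {"serverA": parse_passwd(SERVER_A), "serverB": parse_passwd(SERVER_B)}
    print(find_collisions(sources))
    print(merge(sources))
```

The order of the servers in `sources` decides who keeps an existing UID; the `reassigned` list is the work order for re-owning files on the old server before the new UID goes live.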

Home Directories

A home directory is a location for storing a user’s personal files and system preferences. Other users can see your home directory and read files in its Public folder, but they can’t (by default) access anything else in your home directory.

Home directories are defined using the same applications you use to set up user accounts:

• If you set up the account using the Users pane of System Preferences, a local home directory named using the user’s short name is created in the /Users directory.

• If you create a user on Mac OS X Server with the Users & Groups module, you have more control over the user’s home directory name and location. For example, you can store the home directory on a remote computer, or you can specify a name for the home directory. You can also set up home directories to mount automatically on the computer where the user logs in, using the Sharing module of Server Admin.

When you define a user’s home directory, its location is stored in NetInfo. Various Mac OS X processes use the home directory location. Here are several examples of Mac OS X activities that depend on home directory data stored in NetInfo:

• A user’s home directory is displayed when the user clicks Home in a Finder window or chooses Home from the Finder’s Go menu.

• Home directories that are set up for mounting automatically appear in the Finder on the computer where the user logs in.

• System preferences you set up, such as Desktop and folder backgrounds, take effect as soon as you log in. These preferences are stored in the Preferences folder in your home directory.


Home directories are an example of how some Mac OS X processes collaborate to define and use NetInfo data. The Finder can display your home directory automatically because it retrieves its location from your NetInfo user record. But making home directories available is more complicated than simply adding data to a NetInfo user record. It involves such file system actions as creating folders with particular privileges on an available file server. And for a remote home directory to be made visible on a user’s Desktop, the partition (or share) containing that home directory must be defined as a mount (or share point) and the mount must also have a NetInfo record.

Mounts

Mounts are Network File System (NFS) or AFP directories that have been set up as share points so that their contents are visible to other computers on the network.

You can set up a NetInfo record that makes a share point automatically visible in the Finder of a Mac OS X computer by using the Sharing module of Server Admin. For example, you can make volumes and files associated with share points visible in:

/Network/Applications
/Network/Library
/Network/Servers
/Network/Users

Architectural Elements of NetInfo

The way you make NetInfo data accessible to processes that run on individual Mac OS X computers is by distributing the data among domains that are visible to those computers. A domain is a collection of administrative information that is stored in a NetInfo database.

Local Data

Every Mac OS X computer has a local NetInfo domain. A local domain’s administrative data is visible only to processes running on the computer where the domain resides. It is the first domain consulted when a user logs in or performs some other operation that uses data stored in NetInfo.


When the user logs in to a computer running Mac OS X, the login process on that computer consults the local NetInfo domain on that computer. If the user’s record is found, the user is granted access to the computer.

[Figure: Log in to Mac OS X (the computer’s local NetInfo domain is consulted); Connect to Mac OS X Server (the server’s local NetInfo domain is consulted)]

After login, if the user chooses Connect To Server from the Go menu to access a computer running Mac OS X Server, the local domain on the server is consulted to authenticate the user. Again, if a record for the user is found, the user is granted access to the server.

When you first set up a Mac OS X computer, its local NetInfo domain is automatically created and populated with records. For example, a user record is created for the user who performed the installation. It contains the user name and password entered during setup, as well as other information, such as a UID and the location of the user’s home directory.

Shared Data

While any process running on a Mac OS X computer can use the data stored in its local domain, the real power of NetInfo is that it lets you share administrative data among multiple Mac OS X computers by storing it in shared domains. When a computer is configured to use a shared domain, any administrative data in the shared domain is also visible to processes running on that computer.

If a user’s record is not found in the local domain of a Mac OS X computer, a NetInfo process automatically searches for the user’s record in any shared domains that the computer has access to. In the following example, the user can access both computers because the shared domain accessible from both computers contains a record for the user.

 

 

[Figure: A shared domain above the local NetInfo domains of a Mac OS X computer (log in) and a Mac OS X Server (connect to)]


Shared domains generally reside on Mac OS X Servers, because servers are equipped with tools such as Server Admin for managing network resources and network users.

Similarly, you can make network resources such as printers visible to certain computers by setting up printer records in a shared domain accessed by those computers. For example, graphic artists in a company might need to access color printers and scanners, while copy center personnel need to use high-speed laser printers. Rather than configuring printer access for each computer individually, you could use the Print module of Server Admin to add printers to two shared domains: Graphics and Repro.

[Figure: Graphics domain used by graphic artists; Repro domain used by copy center personnel]

Printers visible in the Print Center application on graphic artists’ computers would be those in the Graphics domain, while printers in the Repro domain would be visible to computers used by copy center personnel. Printers that have records in shared domains appear in the Directory Services list in Print Center.


While some devices may need to be used only by specific departments, some resources, such as personnel forms, may need to be shared by all employees. You could make a directory of those forms visible to everybody by setting up a share point for the directory in a shared domain known as the root domain, which is always named “/”.

[Figure: The / (root) domain above the Graphics domain (graphic artists) and the Repro domain (copy center personnel)]

Because the root domain is a shared domain that is visible to all computers that use a particular NetInfo hierarchy, all graphic and copy center personnel can access the forms.

NetInfo Hierarchies

Local and shared domains are organized into hierarchies, tree-like topologies that have a root domain at the top and local domains at the bottom of the tree.


A hierarchy can be as simple as a local domain and a root domain, or it can contain one or more shared domains between the local and root domains, as in this education example.

 

[Figure: The / (root) domain; beneath it the Employees domain and the Students domain; beneath Employees the Faculty domain; beneath Students the Undergraduates domain and the Graduates domain]

Each shared domain is called a parent domain, and the domain immediately below it in the hierarchy is called a child domain. In this example, the local domain on each undergraduate computer is a child of the parent domain Undergraduates. Undergraduates, in turn, is a child of the parent domain Students, which is a child of the root domain.

A Mac OS X computer has access to NetInfo data stored in any of the parents of its local domain:

• When a Mac OS X login or connection process needs to authenticate a user, the local domain is searched first. If the user is not found in the local domain, its parent domain is searched. If the user is still not found and the parent domain also has a parent, the second parent is searched, and so on up through the hierarchy.

• Printers defined in any of a computer’s parent domains appear in the Directory Services list in Print Center.

• All the mounts defined in a computer’s parent domains can be visible in one of the Finder’s /Network folders.

A NetInfo hierarchy controls which Mac OS X computers can see particular administrative data. The “subtrees” of the hierarchy essentially hide information from other subtrees in the hierarchy. In the education example, computers using the subtree that includes the Graduates domain do not have access to records in the Undergraduates domain. But records in the root domain are visible to any computer that is configured to access the Undergraduates, Graduates, or Faculty domain.


Domain visibility depends on the computer, not the user. So when a user logs in to a different computer, different NetInfo administrative data may be visible to that computer. In the educational scenario, an undergraduate can log in to a graduate student’s computer if the undergraduate’s user record resides in the Students domain. But the devices that are defined in the Undergraduates domain are not visible unless they are also defined in the Graduates, Students, or root domain.

You can affect an entire network or just a group of computers by choosing which domain to publish administrative data in. The higher the administrative data resides in a NetInfo hierarchy, the fewer places it needs to be changed as users and system resources change. Probably the most important aspect of NetInfo for administrators is planning NetInfo domains and hierarchies. They should reflect the resources you want to share, the users you want to share them among, and even the way you want to manage your NetInfo data.

Binding

Binding is the technique that sets up the subtree of domains visible to a Mac OS X computer.

Binding associates a child domain with a particular parent domain. In the education example, when an undergraduate’s computer starts up, the local domain on the computer binds to the Undergraduates domain, the Undergraduates domain binds to the Students domain, and the Students domain binds to the root domain.

Because the subtree is initially set up at login, it is sometimes called a login hierarchy.

All the shared domains in a hierarchy could reside on the same server, or they could be distributed among multiple servers. The way you set up the binding would determine the actual NetInfo hierarchy.

[Figure: The same domains bound into a hierarchy: the / (root) domain with the Student, Employees, Faculty, Undergraduates, and Graduates domains]

 

