034-2454_Cvr 10/15/03 11:47 AM Page 1 Mac OS X Server Command-Line Administration For Version 10.
LL2354.book Page 2 Monday, October 20, 2003 9:47 AM Apple Computer, Inc. © 2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services. The Apple logo is a trademark of Apple Computer, Inc.
Preface
About This Book

Notation Conventions
The following conventions are used throughout this book.

Summary
Notation              Indicates
monospaced font       A command or other terminal text
$                     A shell prompt
[text_in_brackets]    An optional parameter
(one|other)           Alternative parameters (type one or the other)
underlined            A parameter you must replace with a value
[...
Parameters You Must Type as Shown
If you need to type a parameter as shown, it appears following the command in the same font. For example,
$ doit -w later -t 12:30
To use the command in the above example, type the entire line as shown.

Parameter Values You Provide
If you need to supply a value, its placeholder is underlined and has a name that indicates what you need to provide.
1 Typing Commands
How to use Terminal to execute commands, connect to a remote server, and view online information about commands and utilities.

To access a UNIX shell command prompt, you open the Terminal application. In Terminal, you can use the ssh command to log in to other servers. You can use the man command to view online documentation for most common commands.
To type a command:
Wait for a prompt to appear in the Terminal window, then type the command and press Return.
If you get the message command not found, check your spelling. If the error recurs, the program you’re trying to run might not be in your default search path. Add the path before the program name or change your working directory to the directory that contains the program.
Commands Requiring Root Privileges
Many commands used to manage a server must be executed by the root user. If you get a message such as “permission denied,” the command probably requires root privileges.
To issue a single command as the root user, begin the command with sudo. For example:
$ sudo serveradmin list
You’re prompted for the root password if you haven’t used sudo recently.
Sending Commands to a Remote Server
Secure Shell (SSH) lets you send secure, encrypted commands to a server over the network. You can use the ssh command in Terminal to open a command-line connection to a remote server. While the connection is open, commands you type are performed on the remote server.
Note: You can use any application that supports SSH to connect to Mac OS X Server.
To open a connection to a remote server:
1 Open Terminal.
Updating SSH Key Fingerprints
The first time you connect to a remote server using SSH, the local computer asks if it can add the remote server’s “fingerprint” (a security key) to a list of known remote computers. You might see a message like this:
The authenticity of host "server1.company.com" can’t be established.
RSA key fingerprint is a8:0d:27:63:74:f1:ad:bd:6a:e4:0d:a3:47:a8:f7.
Using Telnet
Because it isn’t as secure as SSH, Telnet access isn’t enabled by default.
To enable Telnet access:
$ service telnet start
To disable Telnet access:
$ service telnet stop

Getting Online Help for Commands
Onscreen help is available for most commands and utilities.
Note: Not all techniques work for all commands, and some commands have no onscreen help.
Notes About Specific Commands and Tools
serversetup
The serversetup utility is located in /System/Library/ServerSetup. To run this command, you can type the full path, for example:
$ /System/Library/ServerSetup/serversetup -getAllPort
Or, if you want to use the utility to perform several commands, you can change your working directory and type a shorter command:
$ cd /System/Library/ServerSetup
$ ./serversetup -getAllPort
$ .
2 Installing Server Software and Finishing Basic Setup
Commands you can use to install, set up, and update Mac OS X Server software on local or remote computers.

Installing Server Software
You can use the installer command to install Mac OS X Server or other software on a computer. For more information, see the man page.
To create a template configuration file at any time after initial setup:
1 Open the Server Assistant (in /Applications/Server).
2 In the Welcome pane, choose “Save setup information in a file or directory record” and click Continue.
3 Enter settings on the remaining panes, then, after you review the settings in the final pane, click Save As.
4 In the dialog that appears, choose Configuration File next to “Save as” and click OK.
DS DSClientInfo 2 - NetInfo client - broadcast dhcp static -192.168.42.250 network DSClientType 2 DSType 2 - directory client HostName server1.company.
Naming Configuration Files
The Server Assistant recognizes configuration files with these names:
• MAC-address-of-server.plist
• IP-address-of-server.plist
• hardware-serial-number-of-server.plist
• full-host-name-of-server.plist
• generic.plist
The Server Assistant uses the file to set up the server with the matching address, name, or serial number.
Viewing, Validating, and Setting the Software Serial Number
You can use the serversetup command to view or set the server’s software serial number or to validate a server software serial number. The serversetup utility is located in /System/Library/ServerSetup.
Moving a Server
Try to place a server in its final network location (subnet) before setting it up for the first time. If you’re concerned about unauthorized or premature access, you can set up a firewall to protect the server while you’re finalizing its configuration.
If you must move a server after initial setup, you need to change settings that are sensitive to network location before the server can be used.
3 Restarting or Shutting Down a Server
Commands you can use to shut down or restart a local or remote server.

Restarting a Server
You can use the reboot or shutdown -r command to restart a server at a specific time. For more information, see the man pages.
Changing a Remote Server’s Startup Disk
You can change a remote server’s startup disk using SSH.
To change the startup disk:
Log in to the remote server using SSH and type
$ bless -folder "/Volumes/disk/System/Library/CoreServices" -setOF
Parameter    Description
disk         The name of the disk that contains the desired startup volume.
For information on using SSH to log in to a remote server, see “Sending Commands to a Remote Server” on page 16.
4 Setting General System Preferences
Commands you can use to set system preferences, usually set using the System Preferences GUI application.

Computer Name
You can use the systemsetup command to view or change a server’s computer name (the name used to browse for AFP share points on the server), which would otherwise be set using the Sharing pane of System Preferences.
To set how long the system waits to restart after a power failure:
$ sudo systemsetup -setWaitForStartupAfterPowerFailure seconds
Parameter    Description
seconds      Must be a multiple of 30 seconds.
Sharing Settings
You can use the systemsetup command to view or change settings that would otherwise be set using the Sharing pane of System Preferences.

Viewing or Changing Remote Login Settings
You can use SSH to log in to a remote server if remote login is enabled.
Login Settings
Disabling the Restart and Shutdown Buttons
To disable or enable the Restart and Shutdown buttons in the login dialog:
$ sudo serversetup -setDisableRestartShutdown (0|1)
0 disables the buttons. 1 enables the buttons.
5 Network Preferences
Commands you can use to change a server’s network settings.

Network Interface Information
This section describes commands you address to a specific hardware device (for example, en0) or port (for example, Built-in Ethernet). If you prefer to work with network port configurations following the approach used in the Network preferences pane of System Preferences, see the commands in “Network Port Configurations” on page 38.
Viewing or Changing MTU Values
You can use these commands to change the maximum transmission unit (MTU) size for a port.
To enable or disable a port configuration:
$ sudo networksetup -setnetworkserviceenabled configuration (on|off)

Changing Configuration Precedence
To list the configuration order:
$ sudo networksetup -listnetworkserviceorder
The configurations are listed in the order that they’re tried when a network connection is established. An asterisk (*) marks an inactive configuration.
Viewing or Changing IP Address, Subnet Mask, or Router Address
You can use the serversetup and networksetup commands to change a computer’s TCP/IP settings.
Important: Changing a server’s IP address isn’t as simple as changing the TCP/IP settings. You must first run the changeip utility to make sure necessary changes are made throughout the system. See “Changing a Server’s IP Address” on page 39.
Viewing or Changing DNS Servers
To view the DNS servers for port en0:
$ serversetup -getDefaultDNSServer (devicename|"portname")
To change the DNS servers for port en0:
$ sudo serversetup -setDefaultDNSServer (devicename|"portname") server1 [server2] [...
Enabling TCP/IP
To enable TCP/IP on a particular port:
$ serversetup -EnableTCPIP [(devicename|"portname")]
If you don’t provide an interface, en0 is assumed.
To disable TCP/IP on a particular port:
$ serversetup -DisableTCPIP [(devicename|"portname")]
If you don’t provide an interface, en0 is assumed.
6 Working With Disks and Volumes
Commands you can use to prepare, use, and test disks and volumes.

Mounting and Unmounting Volumes
You can use the mount_afp command to mount an AFP volume. For more information, type man mount_afp to see the man page.
Monitoring Disk Space
When you need more vigilant monitoring of disk space than the log rolling scripts provide, you can use the diskspacemonitor command-line tool. It lets you monitor disk space and take action more frequently than once a day when disk space is critically low, and gives you the opportunity to provide your own action scripts.
diskspacemonitor is disabled by default.
Reclaiming Disk Space Using Log Rolling Scripts
Three predefined scripts are executed automatically to reclaim space used on your server for log files generated by
• Apple file service
• Windows service
• Web service
• Web performance cache
• Mail service
• Print service
The scripts use values in the following configuration files to determine whether and how to reclaim space:
• The script /etc/periodic/daily/600.daily.server runs daily.
Managing Disk Journaling
Checking to See if Journaling is Enabled
You can use the mount command to see if journaling is enabled on a volume.
To see if journaling is enabled:
$ mount
Look for journaled in the attributes in parentheses following a volume.
Enabling Journaling When You Erase a Disk
You can use the newfs_hfs command to set up and enable journaling when you erase a disk.
To enable journaling when erasing a disk:
$ newfs_hfs -J -v volname device
Parameter    Description
volname      The name you want the new disk volume to have.
device       The device name of the disk.
Imaging and Cloning Volumes Using ASR
You can use Apple Software Restore (ASR) to copy a disk image onto a volume or prepare existing disk images with checksum information for faster copies.
ASR can perform file copies, in which individual files are restored to a volume unless an identical file is already there, and block copies, which restore entire disk images.
The asr utility doesn’t create the disk images.
7 Working With Users and Groups
Commands you can use to set up and manage users and groups in Mac OS X Server.

Creating Server Administrator Users
You can use the serversetup command to create administrator users for a server. To create regular users, see “Importing Users and Groups” on page 54.
To create a user:
$ serversetup -createUser fullname shortname password
The name, short name, and password must be typed in the order shown.
Importing Users and Groups
You can use the dsimportexport command to import user and group accounts.
Note: Despite its name, dsimportexport can’t be used to export user records.
The utility is in /Applications/Server/Workgroup Manager.app/Contents/Resources.
For information on the formats of the files you can import, see “Creating a Character-Delimited User Import File” on page 55.
3 Open the Terminal application and type the dsimportexport command. The tool is located in /Applications/Utilities/Workgroup Manager.app/Contents/Resources. To include the space in the path name, precede it with a backslash (\). For example:
/Applications/Utilities/Workgroup\ Manager.app/Contents/Resources/dsimportexport -h
4 If you want, use the createhomedir tool to create home directories for imported users.
An example user account looks like this:
jim:Adl47E$:408:20:J. Smith, Jr., M.D.
Attribute: HomeDirectory: The location of an AFP-based home directory
Format: Structured UTF-8 text
afp://server/sharepoint usershomedirectory
In the following example, Tom King’s home directory is K-M/Tom King, which resides beneath the share point directory, Users: afp://example.
Attribute    Format
MCXFlags:    If present, MCXSettings is loaded; if absent, MCXSettings isn’t loaded; required for a managed user.
Mail Attributes in User Records
The following table lists the standard XML data structures for a user mail attribute, part of a standard user record.

MailAttribute field: AttributeVersion
Description: A required case-insensitive value that must be set to AppleMail 1.0.
Sample values: kAttributeVersion AppleMail 1.0

MailAttribute field: MailAccountState
Description: A required case-insensitive keyword describing the state of the user’s mail.
MailAttribute field: NotificationState
Description: An optional keyword describing whether to notify the user whenever new mail arrives. If provided, it must be set to one of these values: NotificationOff, NotificationLastIP, or NotificationStaticIP. If this field is missing, NotificationOff is assumed.
Checking a Server User’s Name, UID, or Password
You can use the following commands to check the name, UID, or password of a user in the server’s local directory.
Note: These tasks only apply to the local directory on the server.
To see if a full name is already in use:
$ serversetup -verifyRealName "longname"
The command displays a 1 if the name is already in the directory, 0 if it isn’t.
Creating a User’s Home Directory
Normally, you can create a user’s home directory by clicking the Create Home Now button on the Homes pane of Workgroup Manager. You can also create home directory folders using the createhomedir tool. Otherwise, Mac OS X Server creates the user’s home directory when the user logs in for the first time.
8 Working With File Services
Commands you can use to create share points and manage AFP, NFS, Windows (SMB), and FTP services in Mac OS X Server.

Share Points
You can use the sharing tool to list, create, and modify share points.

Listing Share Points
To list existing share points:
$ sharing -l
In the resulting list, there’s a section of properties similar to the following for each share point defined on the server. (1 = yes, true, or enabled.
Creating a Share Point
To create a share point:
$ sharing -a path [-n customname] [-A afpname] [-F ftpname] [-S smbname] [-s shareflags] [-g guestflags] [-i inheritflags] [-c creationmask] [-d directorymask] [-o oplockflag] [-t strictlockingflag]
Parameter     Description
path          The full path to the directory you want to share.
customname    The name of the share point.
Shares the directory named Windows Docs on the disk 100GB. The share point is named WinDocs for server management purposes, but SMB users see it as Documents. It’s shared using only the SMB protocol with oplocks enabled.
To list a particular setting:
$ sudo serveradmin settings afp:setting
Parameter    Description
setting      Any of the AFP service settings. For a complete list of settings, type serveradmin settings afp or see “List of AFP Settings” on this page.
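A settings listing in this key = value form can be compared against an expected baseline to spot drift. The following is an added example, not part of the original manual: the sample listing is constructed, and the baseline values (guest access off, idle disconnect enforced) are an assumed local policy that uses the afp:guestAccess and afp:idleDisconnectFlag settings from the AFP settings list.

```shell
#!/bin/sh
# Added example: compare a serveradmin-style settings listing with a baseline.

# Constructed sample in the "key = value" form that serveradmin prints.
sample_settings() {
cat <<'EOF'
afp:guestAccess = yes
afp:idleDisconnectFlag:adminUsers = yes
afp:idleDisconnectFlag:guestUsers = "no"
afp:activityLogTime = 7
EOF
}

# Assumed local policy for this example (not an Apple recommendation).
baseline() {
cat <<'EOF'
afp:guestAccess = no
afp:idleDisconnectFlag:guestUsers = yes
afp:idleDisconnectFlag:registeredUsers = yes
EOF
}

# Turn "key = value" lines into "key<TAB>value", dropping blanks and quotes.
normalize() {
  awk '{
    i = index($0, "=")
    if (i == 0) next
    k = substr($0, 1, i - 1)
    v = substr($0, i + 1)
    gsub(/^[ \t]+|[ \t]+$/, "", k)
    gsub(/^[ \t"]+|[ \t"]+$/, "", v)
    if (k != "") print k "\t" v
  }'
}

# audit_settings BASELINE_TEXT < settings
# Prints one DRIFT or MISSING line per finding; returns 1 if there are any.
audit_settings() {
  _base=$(mktemp) || return 2
  printf '%s\n' "$1" | normalize > "$_base"
  _rc=0
  normalize | awk -F '\t' -v base="$_base" '
    BEGIN {
      # Load the expected values, keyed by setting name.
      while ((getline line < base) > 0) {
        split(line, f, "\t")
        want[f[1]] = f[2]
      }
    }
    {
      seen[$1] = 1
      if (($1 in want) && tolower($2) != tolower(want[$1])) {
        printf "DRIFT %s: expected %s, found %s\n", $1, want[$1], $2
        bad++
      }
    }
    END {
      # A baseline key absent from the listing is reported, not ignored.
      for (k in want)
        if (!(k in seen)) {
          printf "MISSING %s: expected %s\n", k, want[k]
          bad++
        }
      exit (bad > 0)
    }' || _rc=$?
  rm -f "$_base"
  return $_rc
}

# Demo on the constructed sample.
sample_settings | audit_settings "$(baseline)" || echo "settings differ from baseline"
```

On a server, the listing would come from the command shown above, for example sudo serveradmin settings afp | audit_settings "$(baseline)".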
Parameter (afp:)    Description
activityLogSize     Rollover size (in kilobytes) for the activity log. Only used if activityLogTime isn’t specified. Default = 1000
activityLogTime     Rollover time (in days) for the activity log. Default = 7
admin31GetsSp       Set to true to force administrative users on Mac OS X to see share points instead of all volumes.
Parameter (afp:)                      Description
guestAccess                           Allow guest users access to the server. Default = yes
idleDisconnectFlag:adminUsers         Enforce idle disconnect for administrative users. Default = yes
idleDisconnectFlag:guestUsers         Enforce idle disconnect for guest users. Default = yes
idleDisconnectFlag:registeredUsers    Enforce idle disconnect for registered users.
Parameter (afp:)    Description
maxThreads          Maximum number of AFP threads. (Must be specified at startup.) Default = 40
noNetworkUsers      Indication to client that all users are users on the server. Default = no
permissionsModel    How permissions are enforced.
Parameter (afp:)    Description
useAppleTalk        Don’t modify. Internal use only.
useHomeDirs         Default = no

List of AFP serveradmin Commands
In addition to the standard start, stop, status, and settings commands, you can use serveradmin to issue the following service-specific AFP commands.
Command (afp:command=)    Description
cancelDisconnect          Cancel a pending user disconnect. See “Canceling a User Disconnect” on page 74.
Sending a Message to AFP Users
You can use the serveradmin sendMessage command to send a text message to connected AFP users. Users are specified by session ID.
To send a message:
$ sudo serveradmin command
afp:command = sendMessage
afp:message = "message-text"
afp:sessionIDsArray:_array_index:0 = sessionid1
afp:sessionIDsArray:_array_index:1 = sessionid2
afp:sessionIDsArray:_array_index:2 = sessionid3
[...
Output
afp:command = "disconnectUsers"
afp:messageSent = ""
afp:timeStamp = "
Listing AFP Service Statistics
You can use the serveradmin getHistory command to display a log of periodic samples of the number of connections and the data throughput. Samples are taken once each minute.
To list samples:
$ sudo serveradmin command
afp:command = getHistory
afp:variant = statistic
afp:timeScale = scale
Control-D
Parameter    Description
statistic    The value you want to display.
Viewing AFP Log Files
You can use tail or any other file listing tool to view the contents of the AFP service logs.
To view the latest entries in a log:
$ tail log-file
You can use the serveradmin getLogPaths command to see where the current AFP error and activity logs are located.
Changing NFS Service Settings
Use the following parameters with the serveradmin command to change settings for the NFS service.
Parameter (nfs:)    Description
nbDaemons           Default = 6 To reduce the number of daemons, you must restart the server after changing this value.
useTCP              Default = yes You must restart the server after changing this value.
useUDP              Default = yes You must restart the server after changing this value.
Changing FTP Settings
You can change FTP service settings using the serveradmin application.
To change a setting:
$ sudo serveradmin settings ftp:setting = value
Parameter    Description
setting      An FTP service setting. To see a list of available settings, type $ sudo serveradmin settings ftp or see “FTP Settings” on this page.
value        An appropriate value for the setting.
ftp:command=     Description
getLogPaths      Show location of the FTP transfer log file. See “Viewing the FTP Transfer Log” on this page.
writeSettings    Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service needs to be restarted. See “Determining Whether a Service Needs to be Restarted” on page 19.
Viewing SMB Settings
To list all SMB service settings:
$ sudo serveradmin settings smb
To list a particular setting:
$ sudo serveradmin settings smb:setting
Parameter    Description
setting      An SMB service setting. To see a list of available settings, type $ sudo serveradmin settings smb or see “List of SMB Service Settings” on page 82.
List of SMB Service Settings
Use the following parameters with the serveradmin command to change settings for the SMB service.
Parameter (smb:)       Description
adminCommands:homes    Whether home directories are mounted automatically when Windows users log in so you don’t have to set up individual share points for each user.
Parameter (smb:)    Description
local master        Whether the server is providing workgroup master browser service. Can be set to: yes | no Corresponds to the Workgroup Master Browser checkbox in the Advanced pane of Window service settings in the Server Admin GUI application.
log level           The amount of detail written to the service logs.
Parameter (smb:)    Description
wins server         The name of the WINS server used by the server. Corresponds to the WINS Registration “Register with WINS server” selection and field in the Advanced pane of the Windows service settings in the Server Admin GUI application.
workgroup           The server’s workgroup. Can be set to a maximum of 15 bytes of UTF-8 characters.
Listing SMB Service Statistics
You can use the serveradmin getHistory command to display a log of periodic samples of the number of SMB connections. Samples are taken once each minute.
To list samples:
$ sudo serveradmin command
smb:command = getHistory
smb:variant = v1
smb:timeScale = scale
Control-D
Parameter    Description
v1           The number of connected users (average during sampling period).
Viewing SMB Service Logs
You can use tail or any other file listing tool to view the contents of the SMB service logs.
To view the latest entries in a log:
$ tail log-file
You can use the serveradmin getLogPaths command to see where the current SMB logs are located.
9 Working With Print Service
Commands you can use to manage the Print service in Mac OS X Server.
Changing Print Service Settings
To change a setting:
$ sudo serveradmin settings print:setting = value
Parameter    Description
setting      A Print service setting. To see a list of available settings, type $ sudo serveradmin settings print or see “Print Service Settings” on this page.
value        An appropriate value for the setting.
To change several settings:
$ sudo serveradmin settings
print:setting = value
print:setting = value
print:setting = value
[...
Queue Data Array
Print service settings include an array of values for each existing print queue. The array is a set of 14 parameters that define values for each queue. is the queue ID, for example, 29D3ECF3-17C8-16E5-A330-84CEC733F249.
Print Service serveradmin Commands
You can use the following commands with the serveradmin application to manage Print service.
print:command=    Description
getJobs           List information about the jobs waiting in a queue. See “Listing Jobs and Job Information” on page 94.
getLogPaths       Find the locations of the Print service and job logs. See “Viewing Print Service Log Files” on page 95.
getQueues         List Print service queues.
Listing Jobs and Job Information
You can use the serveradmin getJobs command to list information about print jobs.
$ sudo serveradmin command
print:command = getJobs
print:maxDisplayJobs = jobs
print:queueNamesArray:_array_index:0 = queue
Control-D
Parameter    Description
jobs         The maximum number of jobs to list.
queue        The name of the queue. To find the name of the queue, use the getQueues command and look for the value of the print setting.
To release the job for printing, change its state to PENDING.
To release the job:
$ sudo serveradmin command
print:command = setJobState
print:status = PENDING
print:namesArray:_array_index:0:printer = queue
print:namesArray:_array_index:0:idsArray:_array_index:0 = jobid
Control-D

Viewing Print Service Log Files
You can use tail or any other file listing tool to view the contents of the Print service logs.
10 Working With NetBoot Service
Commands you can use to manage the NetBoot service in Mac OS X Server.

Starting and Stopping NetBoot Service
To start NetBoot service:
$ sudo serveradmin start netboot
If you get the following response:
$ netboot:state = "STOPPED"
$ netboot:status = 5000
you have not yet enabled NetBoot on any network port.
Changing NetBoot Settings
You can change NetBoot service settings using the serveradmin command.
To change a setting:
$ sudo serveradmin settings netboot:setting = value
Parameter    Description
setting      A NetBoot service setting. To see a list of available settings, type $ sudo serveradmin settings netboot or see “NetBoot Service Settings” on this page.
value        An appropriate value for the setting.
Storage Record Array
A volume parameter array:
Parameter (netboot:)                                  Description
netBootStorageRecordsArray:_array_index::sharepoint   First parameter in an array describing a volume available to serve images.
Image Record Array
An array of the following values appears in the NetBoot service settings for each image stored on the server:
Parameter (netboot:)                                 Description
netBootImagesRecordsArray:_array_index::Name         Name of the image as it appears in the Startup Disk control panel (Mac OS 9) or Preferences pane (Mac OS X).
netBootImagesRecordsArray:_array_index::IsDefault    Yes specifies this image file as the default boot image on the subnet.
Port Record Array
An array of the following items is included in the NetBoot service settings for each network port on the server set to deliver images:
Parameter (netboot:)                                       Description
netBootPortsRecordsArray:_array_index::isEnabledAtIndex    First parameter in an array describing a network interface available for responding to netboot requests.
11 Working With Mail Service
Commands you can use to manage the Mail service in Mac OS X Server.
Changing Mail Service Settings
You can use serveradmin to modify your server’s mail configuration. However, if you want to work with the Mail service from the command line, you’ll probably find it more straightforward to work directly with the underlying Postfix and Cyrus mail services.
For information on Postfix, visit www.postfix.org.
For information on Cyrus IMAP/POP, visit asg.web.cmu.edu/cyrus.
Parameter (mail:)                          Description
postfix:local_transport                    Default = "local:$myhostname"
postfix:smtpd_helo_restrictions            Default = no
postfix:fork_delay                         Default = "1s"
postfix:disable_mime_output_conversion     Default = no
postfix:mynetworks:_array_index:0          Default = "127.0.0.1/32"
postfix:smtp_never_send_ehlo               Default = no
postfix:lmtp_cache_connection              Default = yes
postfix:local_recipient_maps               Default = "proxy:unix:passwd.
Parameter (mail:)                   Description
postfix:append_dot_mydomain         Default = yes
postfix:command_expansion_filter    Default = "1234567890!@%_=+:,.
Listing Mail Service Statistics
You can use the serveradmin getHistory command to display a log of periodic samples of the number of user connections and the data throughput. Samples are taken once each minute.
To list samples:
$ sudo serveradmin command
mail:command = getHistory
mail:variant = statistic
mail:timeScale = scale
Control-D
Parameter    Description
statistic    The value you want to display.
Viewing the Mail Service Logs
You can use tail or any other file listing tool to view the contents of the Mail service logs.
To view the latest entries in a log:
$ tail log-file
You can use the serveradmin getLogPaths command to see where the Mail service logs are located.
Setting Up SSL for Mail Service

Mail service requires some configuration to provide Secure Sockets Layer (SSL) connections automatically. The basic steps are as follows:
• Generate a Certificate Signing Request (CSR) and create a keychain.
• Obtain an SSL certificate from an issuing authority.
• Import the SSL certificate into the keychain.
• Create a passphrase file.
7 Type y when prompted to confirm the algorithm and key size, then press Return.
  You have selected algorithm RSA, key size (size entered above) bits. OK (y/anything)?
8 Type b when prompted to specify how this certificate will be used, then press Return.
  Enter cert/key usage (s=signing, b=signing AND encrypting):
9 Type s when prompted to select a signature algorithm, then press Return.
  ...Generating key pair...
Obtaining an SSL Certificate

After generating a CSR and a keychain, you continue configuring Mail service for automatic SSL connections by purchasing an SSL certificate from a certificate authority such as Verisign or Thawte. You can do this by completing a form on the certificate authority’s website. When prompted for your CSR, open the csr.txt file using a text editor such as TextEdit.
Creating a Passphrase File

To create a passphrase file, you will use TextEdit, then change the privileges of the file using the Terminal application. This file contains the passphrase you specified when you created the keychain. Mail service will automatically use the passphrase file to unlock the keychain that contains the SSL certificate.

This concludes configuring Mail service for automatic SSL connections.
12 Working With Web Technologies

Commands you can use to manage Web service in Mac OS X Server.
To list a group of settings:
You can list a group of settings that have part of their names in common by typing only as much of the name as you want, stopping at a colon (:), and typing an asterisk (*) as a wildcard for the remaining parts of the name. For example,
$ sudo serveradmin settings web:IFModule:_array_id:mod_alias.c:*

Changing Web Settings

You can use serveradmin to modify your server’s Web service configuration.
To change several settings:
$ sudo serveradmin settings
web:setting = value
web:setting = value
web:setting = value
[...]
Control-D

Web serveradmin Commands

You can use the following commands with the serveradmin application to manage Web service.

Command (web:command=)     Description
getHistory                 View Web service statistics. See “Viewing Service Statistics” on page 126.
getLogPaths                Find the access and error logs for each hosted site.
Viewing Service Statistics

You can use the serveradmin getHistory command to display a log of periodic samples of the number of requests, cache performance, and data throughput. Samples are taken once each minute.

To list samples:
$ sudo serveradmin command
web:command = getHistory
web:variant = statistic
web:timeScale = scale
Control-D

Parameter     Description
statistic     The value you want to display.
Example Script for Adding a Website

The following script shows how you can use serveradmin to add a website to the server’s Web service configuration. The script uses two files:
• addsite The actual script you run. It accepts values for the site’s IP address, port number, server name, and root directory and uses sed to substitute these values in the settings it reads from the second file (addsite.in) and feeds to serveradmin.
• addsite.
web:Sites:_array_id:_ipaddr\:_port__servername:ErrorDocument:_array_index:0:StatusCode = 404
web:Sites:_array_id:_ipaddr\:_port__servername:ErrorDocument:_array_index:0:Document = "/nwesite_notfound.html"
web:Sites:_array_id:_ipaddr\:_port__servername:LogLevel = "warn"
web:Sites:_array_id:_ipaddr\:_port__servername:IfModule:_array_id:mod_ssl.c:SSLEngine = no
web:Sites:_array_id:_ipaddr\:_port__servername:IfModule:_array_id:mod_ssl.
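Added example (not Apple's addsite script and not part of this guide): because addsite pastes its arguments into settings that are fed to sudo serveradmin, the script below checks each argument against a narrow allow-list before sed runs, so a stray quote, newline, & or \ cannot alter the settings text. The template is constructed; the DocumentRoot line, the _docroot placeholder and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not Apple's addsite: check each argument against an
# allow-list before sed substitutes it into a serveradmin settings template.

# Constructed template. _ipaddr, _port, _servername, LogLevel and SSLEngine
# come from the addsite.in fragment on the page; the DocumentRoot line and
# the _docroot placeholder are assumptions.
site_template() {
cat <<'EOF'
web:Sites:_array_id:_ipaddr\:_port__servername:DocumentRoot = "_docroot"
web:Sites:_array_id:_ipaddr\:_port__servername:LogLevel = "warn"
web:Sites:_array_id:_ipaddr\:_port__servername:IfModule:_array_id:mod_ssl.c:SSLEngine = no
EOF
}

valid_ipv4() {
    # Digits and dots only, no empty fields, exactly four octets of 0-255.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_hostname() {
    # Letters, digits, dots and hyphens; rules out quotes, newlines, & and \.
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|-*|*..*) return 1 ;;
    esac
    return 0
}

valid_docroot() {
    # Absolute path from a narrow character set, with no ".." component.
    case $1 in
        /*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9._/-]*|*/../*|*/..) return 1 ;;
    esac
    return 0
}

render_site_settings() {
    ip=$1 port=$2 name=$3 docroot=$4
    valid_ipv4 "$ip"         || { echo "addsite: bad IP address" >&2; return 1; }
    valid_port "$port"       || { echo "addsite: bad port" >&2; return 1; }
    valid_hostname "$name"   || { echo "addsite: bad server name" >&2; return 1; }
    valid_docroot "$docroot" || { echo "addsite: bad root directory" >&2; return 1; }
    # _docroot goes last so that underscores in the path are never rescanned.
    site_template | sed -e "s|_ipaddr|$ip|g" -e "s|_port|$port|g" \
        -e "s|_servername|$name|g" -e "s|_docroot|$docroot|g"
}

# Constructed sample run; on the server the output would be piped to
# "sudo serveradmin settings" instead of being printed.
render_site_settings 10.0.0.1 80 www.example.com /Library/WebServer/Documents/newsite
```

The allow-list rejects root directories that contain spaces; widen valid_docroot only together with escaping of the sed replacement text.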
13 Working With Network Services

Commands you can use to manage DHCP, DNS, Firewall, NAT, and VPN service in Mac OS X Server.
Changing DHCP Service Settings

To change a setting:
$ sudo serveradmin settings dhcp:setting = value

Parameter     Description
setting       A DHCP service setting. To see a list of available settings, type
              $ sudo serveradmin settings dhcp
              or see “DHCP Service Settings” on this page and “DHCP Subnet Settings Array” on page 131.
value         An appropriate value for the setting.
Parameter (dhcp:)     Description
subnet_defaults:dhcp_domain_name_server:_array_index:n
    Default = The DNS server addresses provided during server setup, as listed in the Network pane of the server’s System Preferences.
subnets:_array_id:...
    An array of settings for a particular subnet. is a unique identifier for each subnet. See “DHCP Subnet Settings Array” on this page.
Subnet Parameter (subnets:_array_id::)     Description
lease_time_secs
    Lease time in seconds. Default = "3600"
    Corresponds to the Lease Time pop-up menu and field in the General pane of the subnet settings in the Server Admin GUI application.
net_address
    The IPv4 network address for the subnet.
net_mask
    The subnet mask for the subnet.
Subnet Parameter (subnets:_array_id::)     Description
WINS_scope_id
    A domain name such as apple.com. Default = ""
    Corresponds to the NetBIOS Scope ID field in the WINS pane of the subnet settings in the Server Admin GUI application.
WINS_secondary_server
    The secondary WINS server to be used by clients.
    Corresponds to the WINS/NBNS Secondary Server field in the WINS pane of the subnet settings in the Server Admin GUI application.
Parameter     Description
subnetID
    A unique number that identifies the subnet. Can be any number not already assigned to another subnet defined on the server. Can include embedded hyphens (-).
dns-server-n
    To specify additional DNS servers, add additional dhcp_name_server settings, incrementing _array_index:n for each additional value.
Other parameters
    The standard subnet settings described under “DHCP Subnet Settings Array” on page 131.
To view the latest entries in a log:
$ tail log-file

You can use the serveradmin getLogPaths command to see where the current DNS log is located. The default is /Library/Logs/named.log.

To display the log path:
$ sudo serveradmin command dns:command = getLogPaths

Listing DNS Service Statistics

You can use the serveradmin getStatistics command to display a summary of current DNS service workload.
Parameter (ipfilter:)     Description
logAllDenied
    Specifies whether to log all denials. Default = no
ipAddressGroups:_array_id:n:address
    The address of a defined IP address group, the first element of an array that defines an IP address group.
ipAddressGroups:_array_id:n:name
    The name of a defined IP address group, the second element of an array that defines an IP address group.
logAllAllowed
    Whether to log access allowed by rules.
The unmodified ipfw.conf file:

# ipfw.conf.default - Installed by Apple, never modified by Server Admin app
#
# ipfw.conf - The servermgrd process (the back end of Server Admin app)
# creates this from ipfw.conf.default if it's absent, but does not modify
# it.
#
# Administrators can place custom ipfw rules in ipfw.conf.
#
# Whenever a change is made to the ipfw rules by the Server Admin
# application and saved:
# 1. All ipfw rules are flushed
# 2.
Adding Rules Using serveradmin

If you prefer not to work with the ipfw.conf file, you can use the serveradmin settings command to add firewall rules to your configuration.

Note: Be sure to include the special first setting (ending with = create). This is how you tell serveradmin to create the necessary rule array with the specified rule number.
IPFilter Rules Array

An array of the following settings is included in the IPFilter settings for each defined firewall rule. In an actual list of settings, is replaced with a rule number. You can add a rule by using serveradmin to create such an array in the firewall settings (see “Adding Rules Using serveradmin” on page 140).

Parameter (ipfilter:)       Description
rules:_array_id::source     The source of traffic governed by the rule.
Viewing Firewall Service Log

You can use tail or any other file listing tool to view the contents of the ipfilter service log.

To view the latest entries in the log:
$ tail log-file

You can use the serveradmin getLogPaths command to see where the current ipfilter service log is located.
Changing NAT Service Settings

To change a setting:
$ sudo serveradmin settings nat:setting = value

Parameter     Description
setting       A NAT service setting. To see a list of available settings, type
              $ sudo serveradmin settings nat
              or see “NAT Service Settings” on this page.
value         An appropriate value for the setting.

To change several settings:
$ sudo serveradmin settings
nat:setting = value
nat:setting = value
nat:setting = value
[...
Parameter (nat:)      Description
unregistered_only     yes|no Default = no
same_ports            yes|no Default = yes

NAT serveradmin Commands

You can use the following commands with the serveradmin application to manage NAT service.

Command (nat:command=)     Description
getLogPaths                Find the current location of the log used by the NAT service. See “Viewing the NAT Service Log” on this page.
List of VPN Service Settings

Use the following parameters with the serveradmin command to change settings for VPN service.

Parameter (vpn:Servers:)                           Description
com..ppp.l2tp:Server:VerboseLogging                Default = 1
com..ppp.l2tp:Server:MaximumSessions               Default = 128
com..ppp.l2tp:Server:LogFile                       Default = "/var/log/ppp/vpnd.log"
com..ppp.l2tp:L2TP:IPSecSharedSecretEncryption     Default = "Key"
com..ppp.
Parameter (vpn:Servers:)                                   Description
com..ppp.l2tp:PPP:DSACLEnabled                             Default = no
com..ppp.l2tp:PPP:VerboseLogging                           Default = 1
com..ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:n      Default = "DSAuth"
com..ppp.l2tp:PPP:LCPEchoInterval                          Default = 60
com..ppp.l2tp:PPP:LCPEchoEnabled                           Default = 1
com..ppp.l2tp:PPP:IPCPCompressionVJ                        Default = 0
com..ppp.
Parameter (vpn:Servers:)                           Description
com..ppp.pptp:Interface:SubType                    Default = "PPTP"
com..ppp.pptp:Interface:Type                       Default = "PPP"
com..ppp.pptp:PPP:CCPProtocols:_array_index:n      Default = "MPPE"
com..ppp.pptp:PPP:LCPEchoFailure                   Default = 5
com..ppp.pptp:PPP:MPPEKeySize128                   Default = 1
com..ppp.pptp:PPP:DSACLEnabled                     Default = no
com..ppp.pptp:PPP:VerboseLogging                   Default = 1
com..
List of VPN serveradmin Commands

You can use the following commands with the serveradmin application to manage VPN service.

Command (vpn:command=)     Description
getLogPaths                Find the current location of the VPN service log. See “Viewing the VPN Service Log” on this page.
writeSettings              Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service needs to be restarted.
IP Failover

IP failover allows a secondary server to acquire the IP address of a primary server if the primary server ceases to function. Once the primary server returns to normal operation, the secondary server relinquishes the IP address. This allows your website to remain available on the network even if the primary server is temporarily offline.

Note: IP failover only allows a secondary server to acquire a primary server’s IP address.
Enabling IP Failover

You enable IP failover by adding command lines to the file /etc/hostconfig on the primary and the secondary server. Be sure to enter these lines exactly as shown with regard to spaces and punctuation marks.

To enable IP failover:
1 At the primary server, add the following line to /etc/hostconfig:
  FAILOVER_BCAST_IPS="10.0.0.255 100.0.255.255"
  Substitute the broadcast addresses used on your server for the public and private networks.
Configuring IP Failover

You configure failover behavior using scripts. The scripts must be executable (for example, shell scripts, Perl, compiled C code, or executable AppleScripts). You place these scripts in /Library/IPFailover/ on the secondary server.

You need to create a directory named with the public IP address of the primary server to contain the failover scripts for that server. For example:
/Library/IPFailover/100.0.0.
For example, your secondary server may perform other services on the network such as running a statistical analysis application and distributed image processing software. A preacquisition script quits the running applications to free up the CPU for the Web server. A postacquisition script starts the Web server.
14 Working With Open Directory

Commands you can use to manage the Open Directory service in Mac OS X Server.

This chapter includes descriptions of general directory tools and tools for working with LDAP, NetInfo, and the Password Server.

General Directory Tools

Testing Your Open Directory Configuration

You can use the dscl utility to test your directory services configuration. For more information, type man dscl to see the man page.
Registering URLs With Service Location Protocol (SLP)

You can use the slp_reg command to register service URLs using the Service Location Protocol (SLP). For more information, type man slp_reg to see the man page.

SLP registration is handled by the SLP daemon slpd. For more information, type man slpd to see the man page.
LDAP

Configuring LDAP

The following tools are available for configuring LDAP. For more information, see the man page for each tool.

slapconfig

You can use the slapconfig utility to configure the slapd and slurpd LDAP daemons and related search policies. For more information, type man slapconfig to see the man page.

Standard Distribution Tools

These tools are included in the standard LDAP distribution.
The -x option forces ldapsearch to use simple authentication instead of SASL.

Idle Rebinding Options

The following two LDAPv3 plugin parameters aren’t documented in the Open Directory administration guide. The parameters are in, or can be added to, the file /library/preferences/directoryservice/DSLDAPv3PlugInConfig.plist.
NetInfo

Configuring NetInfo

You can use the following command-line utilities to manage the NetInfo directory. For more information about a utility, see the related man page.

Utility     Used to
NeST        Configure the directory system of a server.
nicl        Create, view, and modify entries in the NetInfo directory.
nifind      Search the NetInfo directory for a particular entry.
nigrep      Search the NetInfo directory for an expression.
For information on the available methods, see the Open Directory administration guide.

Kerberos and Single Sign On

The following tools are available for setting up your Kerberos and Single Sign-On environment. For more information on a tool, see the related man page.

Tool (in usr/sbin/)     Description
kdcsetup                Creates necessary setup files and adds krb5kdc and kadmind servers for the Apple Open Directory KDC.
15 Working With QuickTime Streaming Server

Commands you can use to manage QTSS service in Mac OS X Server.

Starting QTSS Service

You can use the serveradmin command to start QTSS service, or you can use the quicktimestreamingserver command to specify additional service parameters when you start the service.
Viewing QTSS Settings

To list all QTSS service settings:
$ sudo serveradmin settings qtss

To list a particular setting:
$ sudo serveradmin settings qtss:setting

To list a group of settings:
You can list a group of settings that have part of their names in common by typing only as much of the name as you want, stopping at a colon (:), and typing an asterisk (*) as a wildcard for the remaining parts of the name.
QTSS Settings

Use the following parameters with the serveradmin command to change settings for the QTSS service.

Descriptions of Settings

To see descriptions of most QTSS settings, you can look in the sample settings file /Library/QuickTimeStreaming/Config/streamingserver.xml-sample. Look for XML module and pref names that match the last two segments of the parameter name.
Parameter (qtss:)                                          Description
modules:_array_id:QTSSAdminModule:AdministratorGroup       Default = "admin"
modules:_array_id:QTSSAdminModule:Authenticate             Default = yes
modules:_array_id:QTSSAdminModule:enable_remote_admin      Default = yes
modules:_array_id:QTSSAdminModule:IPAccessList             Default = "127.0.0.
Parameter (qtss:)       Description
server:movie_folder     Default = "/Library/QuickTimeStreaming/Movies/"
server:pid_file         Default = "/var/run/QuickTimeStreamingServer.
Viewing QTSS Service Statistics

You can use the serveradmin getHistory command to display a log of periodic samples of the number of connections and the data throughput. Samples are taken once each minute.

To list samples:
$ sudo serveradmin command
qtss:command = getHistory
qtss:variant = statistic
qtss:timeScale = scale
Control-D

Parameter     Description
statistic     The value you want to display.
Viewing Service Logs

You can use tail or any other file listing tool to view the contents of the QTSS service logs.

To view the latest entries in a log:
$ tail log-file

You can use the serveradmin getLogPaths command to see where the current QTSS error and activity logs are located.
Preparing Older Home Directories for User Streaming

If you want to enable QTSS home directory streaming for home directories created using an earlier version of Mac OS X Server (before version 10.3), you need to set up the necessary streaming media folder in each user’s home directory. You can use the createuserstreamingdir tool to set up the needed /Sites/Streaming folder.