Slashdot Mirror

Apple does have a directory system and management tools, Ars Technica has a 10 page review up today in fact.

Nobody in their right mind tries using Mac OS X server to manage any real amount of macs (not by itself, anyways). Otherwise you are correct, mac can be perfectly good corporate citizens, with every aspect of the client locked down and managed centrally. You can use commercial 3rd party software to do it (Casper, Absolute Manage) or do it with Open Source tools (Puppet, Munki). You can use Apple Profile Manager combined with any of tools above. You can even use SCCM with Macs these days (if you really, really want to), or product like Centrify, to attach your mac to your AD with better control.

If you really are interested in managing macs in real environments, check out the following:

https://groups.google.com/forum/#!forum/macenterprise
http://krypted.com/
http://www.afp548.com/ /jussi

Name one thing Apple prevents you from doing on OS X [...] something that Apple EXPLICITLY PREVENTS YOU OR ANYONE FROM DOING.

Run a terminal server.

Install OS X on the computer I'm building.

Name one thing Apple prevents you from doing on OS X [...] something that Apple EXPLICITLY PREVENTS YOU OR ANYONE FROM DOING.

Run a terminal server.

Mac OS X Server before it, and now OS X Lion Server aren't intended for enterprise IT, and haven't been for a while. Apple has been working the word enterprise out of the marketing pages for a while now.

Indeed, the current blurb says this on apple.com: "OS X Lion Server gives you everything you need to provide workgroup and Internet services.".

For workgroup and SMB sized applications it's pretty nice, but a bit of a quandary when you hit the big leagues.

I put all my thoughts on it in my review on AFP548.com: http://www.afp548.com/article.php?story=lion-server-review

The real place in enterprise for the Mac has been in on the client side for quite some time now.

You can just copy the Lion installer to a network share or other disk to move it around as well.

The EULA allows for virtualization of up to two additional instances without the need for more licenses as long as you do it on Mac hardware. http://www.afp548.com/article.php?story=lion-eula

Wow, go-go-gadget misinformation. Mac OS X Server is BSD based, and I've had great success installing any open source project that I needed, using ports, fink, gems, or CPAN if what came with operating system didn't do what I needed.

Also, the vast majority of services available on OS X Server are open source, which Apple does contribute back. So if you don't like how the Server Admin tool works, you can be a r3@l l33t h4xx0r and edit the config files in vi or emacs and do it yourself.

As for the submitter's original question, there are a number of useful tools available for mass deployments of Macs across a network. Tools like radmind, LanRev, Apple's PackageMaker, InstaDMG, and Casper Suite all have varying degrees of management of machine images, image distribution, etc. Also consider at least downloading the PDFs Apple provides for their built in services to learn the ins and outs of their tools allow you to do and not do. You can even modify existing services to use more recent versions of projects that come with OS X if you're missing something or need to upgrade to a newer version for some reason (although this will likely make you have to freeze your OS version in place, or else future updates will probably overwrite your changes.)

Administration of a network of Macs falls somewhere in between an Active Directory environment and a roll your own Linux/BSD network. The client administration is great, but not as comprehensive as Active Directory. However, you still have the freedom to tinker with the services that come with OS X Server and borrow and add capabilities from open source. There are also many other forums out there that have a much lower troll count than what you'll find here, with many knowledgeable and helpful folks who will actually attempt to address and answer your question.

Because seriously, why go to Slashdot if not for the trolling?

Wow, go-go-gadget misinformation. Mac OS X Server is BSD based, and I've had great success installing any open source project that I needed, using ports, fink, gems, or CPAN if what came with operating system didn't do what I needed.

Also, the vast majority of services available on OS X Server are open source, which Apple does contribute back. So if you don't like how the Server Admin tool works, you can be a r3@l l33t h4xx0r and edit the config files in vi or emacs and do it yourself.

As for the submitter's original question, there are a number of useful tools available for mass deployments of Macs across a network. Tools like radmind, LanRev, Apple's PackageMaker, InstaDMG, and Casper Suite all have varying degrees of management of machine images, image distribution, etc. Also consider at least downloading the PDFs Apple provides for their built in services to learn the ins and outs of their tools allow you to do and not do. You can even modify existing services to use more recent versions of projects that come with OS X if you're missing something or need to upgrade to a newer version for some reason (although this will likely make you have to freeze your OS version in place, or else future updates will probably overwrite your changes.)

Administration of a network of Macs falls somewhere in between an Active Directory environment and a roll your own Linux/BSD network. The client administration is great, but not as comprehensive as Active Directory. However, you still have the freedom to tinker with the services that come with OS X Server and borrow and add capabilities from open source. There are also many other forums out there that have a much lower troll count than what you'll find here, with many knowledgeable and helpful folks who will actually attempt to address and answer your question.

Because seriously, why go to Slashdot if not for the trolling?

For freebies InstaDMG http://www.afp548.com/article.php?story=20090812091929480 and DeployStudio http://www.deploystudio.com/Home.html with Radmind (if you need it). For pro stuff try Jamf http://www.jamfsoftware.com/. Join the system-imaging list with Apple. The people on there are far less 'flamey' than on the OSX server list and will be able to advise you on the different tools, their experiences etc and really are helpful.

Radmind can be good.

InstaDMG from AFP548 is a great way to build SOE images from a collection of packages.

DeployStudio is a great way to get the images on a hard drive.

NetBoot/NetRestore is also a good way to get an image on a drive.

If you really like tinkering, you can tweak the supplied Mac OS X installer, and modify the list of packages it knows about. Using Adobe's enterprise deployment toolkit, for instance, you can package up CS4 with serialisation, and have the installer call these packages after it's installed the bare OS, but this is a lot of work.

I still use tools like the Enterprise Deployment Toolkit, but use the packages it creates in an InstaDMG workflow.

For the server - Mac OS X Server is good as a general solution and (not having tried Snow Leopard server in any kind of heavy-duty deployment) I use Kerio Mail Server as a general groupware solution - it's as close to a drop-in replacement for Exchange as you'll get on the Mac platform, and as well as serving IMAP and CalDAV clients really well, it can also serve Outlook.

Storage and backup is really critical - there's Apple's rebadged Promise RAID units if you want everything to be all Apple, and there are some good third-party alternatives. Backup to tape is pretty important with any kind of serious server deployment - I use LTO libraries wherever possible...

Apple has a robust remote installation suite with OS X Server, which is darn cheap compared to most other commercial offerings.

10.6 includes a first party version of NetRestore (full system image deployment, similar to Ghost or Flash Archive on Solaris), but most people deploying across a large number of systems should roll their own images with packaged based tools like DeployStudio or InstaDMG:

http://www.deploystudio.com/
http://code.google.com/p/instadmg/

Some other good sites for finding info:
  http://www.afp548.com/
  http://www.macenterprise.org/

I think NFS is a good alternative to AFP. I use it at my Mac shop, and it works really well once you figure out the automounter tricks, which in short is, on Mac OS X 10.4 and 10.5 the automounter works oddly much better if you use 'net' and let it pick where to mount the share.

Once you get that worked out, Macs get along quite nicely with standard NFS servers which gives you a huge complicated market from which to draw.

There are some huge high-performance vendors in this space too like Bluearc and Isilon, and in addition to the already pretty intimidating (separate data/metadata cluster) NFS to SamFS/QFS gateway above, Sun is working aggressively (albeit slowly) on a new generation of cluster-backed (high-availability and not-limited-to-the-bandwidth-of-a-single-CPU) NFS stuff like pNFS, and NFS-to-Lustre gateways. It is not a mistake to make a commitment to NFS.

it'd be nice, though, if Apple would push all their netboot, LDAP, and software update cache tools as open source packages and get them integrated into CentOS or Ubuntu, the way they did with CUPS which works amazingly well. It's like they think they're doing some Microsoft Small Business Server thing with OS X Server, and it's just not on.

http://www.linux.com/feature/46616

BSD systems of course include OS X http://www.afp548.com/article.php?story=20060214081244545

You do realize that netinfo was phased out as of 10.5? Those of us running Leopard have dslocal, which is a nice set of flat files to work with.

For more information, I will turn to Joel Rennich, who knows a hell of a lot more about this than I do:
http://www.afp548.com/article.php?story=LeopardServerReview-LocalDirectory&query=netinfo

Have you found a solution for the problem of spontaneous reboots on xserves. This only happened to us once a month or so but so many other had it much worse. Apple enterprise support did not have a clue how to resolve this issue do you? http://www.afp548.com/forum/viewtopic.php?forum=18&showtopic=4870

If you have OS X 10.4, you can make your own certificates.

If you're a brave schema-forging soul, you can also push out policy for Macs via Active Directory. More information at AFP548, and at other places around the net.

Maybe you should read up a bit on Mac solutions before you comment- software like Apple Remote Desktop, FileWave, NetOctopus, NetBoot/NetRestore, Radmind, HP OpenView, Deep Freeze and resources like AFP548, Mac Managers, MacOSX Labs, MacEnterprise, and of course Apple itself (I'll leave finding Apple's website as an exercise for the reader ;) make running large Macintosh installations fairly easy. There are plenty of UNIX/CLI tools and scripts out there, and Apple offers professional certifications if you want paper to show a potential employer.

Pimping myself here a bit, but our article on launchd might be of more help to sysadmins. It later formed the basis for the wikipedia article and has thrilling Jordan Hubbard comments to boot!

A more appropriate link for Josh Wisenbaker would be to http://www.afp548.com/

Nigel Kersten is on the staff at a university in Australia. I have no idea exactly why he's on the list, but he sends zillions of useful answers to questions on Apple's macos-x-server email list. (http://lists.apple.com/)

I'd say this is the place to look.

It links to this as well.

I haven't verified this information, but I'm pretty sure this is how you get an EFI prompt on the new Macs:

http://www.afp548.com/forum/viewtopic.php?forum=43 &showtopic=10606

"Was on the floor at Macworld and spoke to one of the Apple people huddled protectively around the new iMacs - while the Help Viewer docs still say Command-Option-O-F, he told me that you access EFI while holding down the "X" key at boot."

Open directory is (as I understand it) basically openLDAP with a config file and a nice GUI. Don't get me wrong, GUIs are useful, but if you want to go OSS, cut out the middleman.

Well, it's a bit more than that. With a few button clicks you can have a fully functioning Directory Service with OpenLDAP and Kerberos. You get password policies, single sign on for everything from mail to smb to web, and you even get a one click samba pdc.

The only thing it lacks is the groupware support. Firstclass or any number of OSS solutions can provide that.

Check out our site, or even just Apple's server site for more info.

Of course since the questioner didn't mention openLDAP to begin with,

Yeah he did, by name even.

Password policies! I had no idea Tiger could do that.

It can starting with 10.3. I have an older article about it on my site here. The article is from 10.3, but really just more of it works now on 10.4. Also look at the site for my login times script that uses pwpolicy to imitate the login hours policy that other OSes offer admins.

Last year at MacWorld SF, I put together a pwpolicy GUI in AppleScript Studio for a live demo. I also did a minor bit of pwpolicy scripting at WWDC this year. If you have an ADC membership you can watch that preso. It was fun when the demo Mac started to fall apart while I was trying to code...

Focus follows mouse is there in some apps.

Check this article.

Apple, with 10.4 Tiger, made a technology called Launchd that was intended to replace a couple technologies(like init) and handle the automatic service startup and whatnot functions.. They way it was designed and and implemented has led to noticable, sometimes dramatic speed improvements in boot time. Plus, it consolidates redundant features into a single, clean, application.

A good review can be found here: http://www.afp548.com/article.php?story=2005062007 1558293

his website works.

"404 Error
Gee, I've looked everywhere but I can not find http://www.afp548.com/News/index.html.

We're sorry, but the file you have requested does not exist. Please feel free to check the main page or the search page to see if you can find what you lost."

Point, the other guy. ;)

I don't think it is as complicated as you seem to describe it.

What stops you from starting natd and adding two rules to ipfw to route all packets between the interface associated with your WAN connection, eg. eth0 and whichever interface is associated with your bluetooth device, eg. ppp0.

I did this back in the day of OSX 10.1 when there was no internet sharing option in the network preference panel and it worked just fine.

The guys as afp548.com still have the HOWTO article online from the time when there was no internet sharing option in the GUI ...

http://www.afp548.com/articles/system/natserver.ht ml

Since packet routing is a generic feature built-in to the BSD core of OSX it will work no matter what your ethernet interfaces are. It shouldn't matter if it's ultimately sitting on a physical bluetooth layer or not.

o'reilly's article - a little out of date now, but still valid.

and AFP548.com - run by the guy i took OS X server classes from.

Unfortunately for the poster the article reads like AD needs to be at the root. :^(

There is a sidebar pointing to another whitepaper:

http://www.afp548.com/filemgmt/viewcat.php?cid=8

But it too seems to deal with AD as root "A detailed overview of how to integrate OS X clients into an Active Directory environment while still retaining the ability to manage the clients with the OS X Server tools."

There's a pretty good whitepaper about this on AFP548. Specifically, download the PDF.

There's a pretty good whitepaper about this on AFP548. Specifically, download the PDF.

While interesting, I would suggest that you look at Apple centric boards for resolution of this kind of question. How many Slashdotters know or care? Here's some examples:

• AFP 548
• OS X Enterprise
• Apple's Server mailing list,this question is right up that alley.
• X server boards on Apple's website
• Apple's PDF on Open Directory Administration.

You might also consider a Server Support agreement from Apple; they can help with this kind of integration. Sure, it costs; but then you didn't think that we'd do your job for you either, right? And I believe that you could get this kind of support for the cheapest plan: $5995, and even have a few more calls left over for the rest of the year.

This link was the most helpful to me. The most important thing to do is make sure beyond a reasonable doubt that your DNS functions properly before you waste any time trying to get this working! If you can run 'host' with the value returned by 'hostname' on your server I think that is good enough, but I could be mistaken on that. What I eventually wound up doing was keeping only a forward and reverse mapping to the XServe itself, but I am sure that wouldn't work in many, many environments.

I also had to delete my /etc/krb5.keytab before I could get sso_util to configure my service.

Good luck!

I've not worked with OS X Server yet, but I believe it uses the same kernel as the desktop version.

Mac OS X does support IPSec. Because of its BSD roots, it inherits the KAME project. However, it may not have a nice GUI to configure it and you'll have to do it from the command line like all the rest of the *BSDs

Check out the articles that start with "Flying Racoons:" at http://www.afp548.com/Articles/

A good site for managing OS X servers that seems to be getting better all the time is http://www.afp548.com/. I'm not affiliated with them btw, but it's worth checking out if this is your business.

I'm not sure of the distinction--I'm a Mac guy, not allowed to admin Windows Servers--but you might find answers in the pages and docs on Windows services in Apple's pages on Panther Server, or on a discussion of setting up the Windows Services in X Server 10.2-3.

sudo mtree -c -p /usr -k cksum > /tmp/mtree_checksum1
sudo mtree -c -p /Volumes/BadHD/usr -k cksum > /tmp/mtree_cksum2

sudo mtree -c -p /usr -k cksum > /tmp/mtree_checksum1
sudo mtree -c -p /Volumes/BadHD/usr -k cksum > /tmp/mtree_cksum2

Sure! These are things you can do if you are using Postfix as your MTA.

In your main.cf file include this at the bottom

body_checks = regexp:/etc/postfix/spammerbodies

Learn more here about main.cf and other cool spam protections here:
http://www.afp548.com/Articles/mail/spam2.html including a really great RBL configuration.

Create a spammerbodies file and include this line
# various encoded URL formats. if they're trying to disguise the URL then they're up to no good /(ftp|https?):\/\/([^\/]*@)?([01]{10,})?(\d+|00+\d +(\.00+\d+){3}|[\%0-9a-zA-Z\.\?_-]*\%[\%0-9a-zA-Z\ .\?_-]+)(:\d+)?(\/|"|\s|$)/ REJECT

You can get a full list of other scripts here:
http://www.securitysage.com/guides/postfix_uce_bod y.html

and here

http://www.hispalinux.es/~data/postfix/

Hope that helps.

http://afp548.com/

It's a great site with lots of very informative, down and dirty technical articles. They also have a forum where you can post questions.

The same guys produce some utilities designed to make VPN and DNS easier...

http://afp548.com/

It's a great site with lots of very informative, down and dirty technical articles. They also have a forum where you can post questions.

The same guys produce some utilities designed to make VPN and DNS easier...

http://afp548.com/

It's a great site with lots of very informative, down and dirty technical articles. They also have a forum where you can post questions.

The same guys produce some utilities designed to make VPN and DNS easier...

As a Mac user (of the Classic variety) and now a Mac admin, I'm happy to have you, and I welcome you and your perspective to the Mac family. While the UNIX part of the New Mac is an interesting cultural shift for me, it's a learning experience that I'm excited to go through. While I'm sorry that you were scared away from the Mac forum you attempted, I think that there are others that cater to the "Mac-Classic user learning to use UNIX" that are very interested to glean UNIX knowledge; one of which is at Mac OS X Hints, and another at AFP548.

There are certainly two--maybe three, if you count the "Mac Classic users who want to learn Unix"--cultures, but I think Apple has done a pretty good job allowing each to work as they prefer. Except for NetInfo, but that's getting better. :)

we haven't bothered to figure out yet is how to get our OS X Server to act as a primary domain controller for out NT network

another excellent resource for mac os x admins

http://afp548.com.

Lots of great articles/software.

I especially like their ipsec articles and software (flying raccoon articles, vaporsec)

The most impressive thing, that I foudn, was the LDAP capability. Workgroup Manager is a joke to use, and you can set up share points for NFS, AFP, SMB, and FTP. I bought Impasse for $10 to make managing the firewall easier, and the whole thing is really nice.

We fired up a Redhat workstation, told it to authenticate against the LDAP server, and it just worked. We then NFS mount the home directory share point and we're good to go.

We're migrating over to OS X + Linux workstations, and we're moving our OpenBSD servers to Linux (it's gotten much more secure over the past two years, where our boxes got rooted all the time).

Compared to the issues of getting Samba to play nicely under Linux, this is a dream to adminster. The Xserve is our file+print server, and we use Linux for the production servers. They authenticate against the Xserve, pretty slick.

The only thing that was annoying is that Apple's Netinfo based LDAP bindings weren't standard, so mod_auth_ldap for Apache didn't pick up the groups, but we were able to modify it pretty quickly. As soon as we get ready to package it up, we'll maintain our variant and make it available (email me with questions).

The mail server is a bit week, but AFP548.com's instructions for adding Exim solved that. We now have our virtual hosts working, albeit not as elegantly as I'd like (editting text files). Hopefully OS X Server 10.3 will fix that.

AFP548.com's stunnel help was also great. Now we have everything going over SSL, so we can play inside or outside of the firewall.

The stuff that works works really nicely. It's a GREAT solution for file+print serving, LDAP serving, and mail if you don't need virtual hosts (if you do, pick up Exim from AFP548). The only thing that's annoying is that adding SSL to their IMAP server is really odd, but we stunnel it and we're all set. We even got watchdog (a great program) handling the stunnel server, so on the occaisions that it crashes, it's right back up.

Alex

I cannot believe he didn't even mention turning on your firewall (which is so simple in OS X, since a GUI interface to the ipfw software that has always been there is now available right in System Preferences). It is very irresponsible to tell people to set up a server without telling them how to protect it. Come on. (I use BrickHouse instead of Apple's interface, but they both provide a GUI interface to ipfw, so it's pretty similar, just more full-featured.) Also, the author does not mention alternatives to Sendmail. Many people consider Postfix to be superior. See Installing Postfix and UW IMAP on MacOS X Server for instructions on setting it up for OS X.

While you don't need Mac OS X Server to do this, the same resources will apply. I would recommend the OS X Server mailing list, or the X Server Admin Guide. Both are good sources of info for doing just this kind of thing.

Also take a look at some non-Apple resources: AFP548.com is consistently the most current, and has a question and answer bulletin board; there's also StepWise, an oldie but goodie.

Hope that helps, and good luck.

• Macfixit
• AFP548
• Maccentral
• MacNN
• MacMinute
• As The Apple Turns
• MOSR
• Mac OS X Hints
• Versiontracker
• MacSlash