Slashdot Mirror
Review - Mac OS X Server 10.3, Part 1
Sure, I can read. I can go to the Mac OS X Server web site and read all the documentation for things related to "standards-based management," "share printers and files," "n-tier" solutions. Yawn. I know all about this stuff, and I know I can do it already. If I am paying good money for this, it better have value I can't already get for free.
First Things First
Essentially, Mac OS X Server is the same thing as Mac OS X (a.k.a. Client). It's the same core OS, it has the same versioning (10.3.2 as of this writing), it runs the same programs. But Server comes with programs and tools and configurations geared toward being a server, rather than a user's workstation.
Server comes in two flavors: a 10-client version for $500, and an unlimited client version for $1000. The only difference between the two is that the 10-client version limits file and windows sharing to 10 simultaneous clients. You can have any number of users, but only 10 can connect to those services at the same time.
With that money, you also get 90 days of "up-and-running" support covering the software that ships with Server. So if you've read the frelling manual and still can't figure out why the firewall doesn't seem to be working, you can get some help. After 90 days, you can still get help -- including more advanced topics -- but it will cost you from $6,000 to $50,000.
Hardware
The Xserve, Apple's rack-mountable computer, comes with the unlimited client version of Server preinstalled; and really, Server is built with Xserve in mind. Server Monitor, included with Server, displays uptime, temperature, drives, power, network usage, fans, and security of Xserve boxes.
You can configure Xserve boxes automatically with Panther Server preinstalled. Design your configuration on one machine, set up an LDAP server and put it in the DHCP server settings, and add your configuration file to the LDAP server. Turn on the other servers for the first time, and each one will find the DHCP server, find the LDAP server, find the configuration file, and configure itself automatically. You can also put the configuration file on a USB key or somesuch, and the machines will configure themselves that way, too.
My test box is a dual G4/1.25 GHz Power Mac; it performs with nary a hiccup. If I had a large network or many users, I can imagine wanting more power: with a Power Mac or Xserve G5, I'd be able to take advantage of an OS that is optimized for the 64-bit CPU. For me, however, this would result in a depressingly, perpetually, low CPU load.
Initial Security Considerations
Out of the box, assuming no one has set up a rogue DHCP server on your network, Mac OS X Server is mostly secure: only SSH is on by default. As other services are turned on, more security concerns are created, because new security holes may be opened.
For the most part, the default configurations of the various services are secure, but that largely depends on your specific environment. Mac OS X Server is excellent at making advanced server configuration easier, but this ease of use comes with a price: you may be opening yourself up to attack. Mac users are often not used to the idea of making themselves vulnerable just by clicking checkboxes.
This may look like a Mac, and may be easy to use, but it is no substitute for having a real live sysadmin on hand to -- at the very least -- audit the security of the system. It'd be nice if Server included audit tools; I envision UI elements that warn you when you have conflicts, or when you've opened up a hole, or when you've violated predefined security policies. On the other hand, it would be more reliable to have a third-party system to do the audit, on basic principle. But that's so un-Mac-like.
Open
Tom Goguen, Director of Marketing for Mac OS X Server, says that Apple is 100% into using open standards and open source in the core operating system.
Mac OS X Server has always been largely based on open standards, but the Panther incarnation has gone even further. Gone are Apple's proprietary mail systems; they are replaced by postfix, mailman, and cyrus. Mostly gone is NetInfo; it is replaced by LDAP. Rendezvous, also an open system that others can plug into, is a bigger part of Server now: FTP, LPR, and web services are all announced via Rendezvous.
Of course, as always, Server -- just like Client -- is based on FreeBSD (now version 4.8, with some of 5.0 stirred in), and most of the Apple core OS itself is under the Apple Public Source License.
A Case for Case
New to Panther is case sensitivity in HFS+. For many years, Mac OS has used the HFS as its file system, which treated "Foo" and "foo" as the same file. Some years ago, HFS+ was introduced to overcome many of the limitations of HFS, but case sensitivity -- seen more as a usability feature than a limitation -- remained.
But in Unix, this certainly is a limitation for many people. "Makefile" vs. "makefile" and "head" vs. "HEAD" have caused many a headache for Mac OS X/Unix users. But now case sensitivity is a formatting option.
Because case insensitivity is still seen as a usability feature, this feature is not available by default on Client, although you could always connect your drive to a Server to format it. It is also possible, in theory, to format a drive with case sensitivity in Client using various tricks.
Setting it Up
My server is connected to my home network via a 100BaseT switch, to which is also connected a cable modem and an AirPort Extreme base station. My PowerBook G4/867 connects to the network via AirPort or the switch. My wife has an iBook G3/600, and I've got a PowerBook G3/400 in my stereo closet for playing MP3s. The PowerBook doesn't have internal AirPort, and instead is connected to another switch and another Extreme base station, configured to do WDS. I've also got the PS2 connected in there. Everything is running Panther Client (except for the PS2, last I checked).
Looking at the various services offered by Server, I can already see many things I want to set up: file sharing (Apple Filing Protocol, or AFP), DHCP for guests, DNS, FTP, SMTP, printing, and web. I have most of those already set up now, but I wouldn't mind if they were easier to configure and manage.
After surveying my situation, I installed Panther Server and took a look around.
The first thing I wanted to see was what my configuration options were. And lo, there in my Dock were not the expected iMovie, iTunes, iPhoto, and the like, but icons that a mouseover revealed to be representative of programs like Workgroup Manager, the aforementioned Server Monitor, and Server Admin.
Workgroup Manager uses a lot of terminology that is completely lost on me, and I am not managing any users, really. My wife doesn't need the file server -- we can exchange files via iChat, or I can copy them to her machine via scp -- and she keeps all her own files on her machine. We won't be using any print quotas. I do use Workgroup Manager to create some basic user accounts for friends, but I don't need any features more advanced than what is in Client.
Server Admin is what I want to sink my greedy little digits into. I opened it up, clicked the "add new server" button, typed in my server name ("Sweeney.local") and password, and started playing.
As I started looking around, I remembered that there was an extra CD in the distribution called Admin Tools. It allows you to install these tools on any Client machine, so you can manage the Server remotely. I want to go hang out in my La-Z-Boy while I configure my server, so I installed the tools on my PowerBook. Nifty.
Server Admin lists each machine and the services available to it, with an icon next to each describing its status. If you select a machine's name, you see several tabs: Overview, Logs, System, Graphs, Update, and Settings. Overview reports the system version, names, and dates. Under Logs, you can view the system log, watchdog log, etc. System reports what network interfaces and volumes are available. Graphs displays CPU and network use in pretty pictures. Update runs Software Update. Settings controls the system names, the date and time and timezone.
This is basic stuff, and each service is laid out in similar fashion. All of them have at least two tabs: Overview and Settings. Most also have a Logs tab. Some have other tabs like Connections, Graphs, Clients, Activity, Accounts, Queues, and Jobs.
The available services are AFP, Application Server, DHCP, DNS, Firewall, FTP, Mail, NAT, NetBoot, NFS, Open Directory, Print, QuickTime Streaming, VPN, Web, and Windows. Somewhat conspicuous in its absence, to me, is MySQL, which is included in Server, but doesn't have an interface in Server Admin.
Server Admin does have its problems. It will crash on occasion, but I see no evidence of my settings being corrupted, or any other lasting ill effects. Some of the lists are not sortable, though they appear to be: for example, the DNS zone listings are not sortable, even though clicking on the column headers indicate otherwise.
Also, it can be slow to update. This is understandable, but annoying. Logs don't refresh immediately, and when you hit reload, the wrong log is selected, instead of the current log being refreshed. When restarting services or viewing logs, I will sometimes use the command line tools, as they are more efficient; it would be nice if Server Admin would display the path to the log you are looking at, so you can easily find and tail it in a shell.
Sharing
Some of these services are available in a minimal form in Client, in Sharing under System Preferences: file sharing, Windows sharing, web, FTP, and printing. In Server, the Sharing preferences are still there, but contain only three items: Remote Login, Apple Remote Desktop, and Remote Apple Events. Remote Login is simple: it allows users to connect with ssh/scp, and can be turned on or off. The other two require, perhaps, a bit more explanation.
Apple Remote Desktop is a way for an admin to control client computers. Previously, the client was distributed only as part of the software package of the same name, but now the client is included with Panther. It is, of course, off by default, and once turned on, each machine must define what users have access to what resources (this can be done via the command line, too). I most commonly use ARD for controlling and viewing the screen of another computer, installing packages, and copying files.
Remote Apple Events has been in Mac OS for many years, since back in version 7-dot-something. It allows controlling "scriptable" Mac applications -- such as with AppleScript -- over the network. It used to run over AppleTalk, but now runs over plain old TCP/IP. Not many people make use of remote Apple events in my experience, but I use them often; for example, I have a Perl script that queries iTunes on a remote box, and sets the current track in iChat.
Windows
I don't use Windows, and therefore can't really test the new Windows integration in Panther Server. But from what I can tell, Apple has added quite a few improvements. Samba has been updated to version 3, and the lists of Unix and Windows users can be united via Directory Services. But I confess to a crippling ignorance and apathy about this small corner of the computing world. Sorry.
To Be Continued
Tomorrow, I'll get into the details of setting up the services I use on my network.
That's right.. the Mac has been dying for 20 years now. Another 10 should just about wrap it up..
Trolling is a art,
This has always been their pricing scheme. It's assumed that if you need more than 10 concurrent connections, the $500 difference is negligible, and you just go for the $1000 unlimited client version. Which is still _much_ cheaper than MS server licensing. Think of the $500 as a cheap version for small businesses or students.
The main reason Apple developed the XServe is because their original server, the iRack, was inadvertenly taken over by the US military due to a typo.
Please stop saying that MacOS X unix tools is based upon FreeBSD.
:
/usr/bin/* /bin/* /sbin/* /usr/sbin/* 2>/dev/null | fgrep OpenBSD | wc -l /usr/bin/* /bin/* /sbin/* /usr/sbin/* 2>/dev/null | fgrep FreeBSD | wc -l /usr/bin/* /bin/* /sbin/* /usr/sbin/* 2>/dev/null | fgrep NetBSD | wc -l
:
Apple actually took parts of NetBSD, FreeBSD and OpenBSD.
Most tools actually come from OpenBSD.
If you got MacOS X and if you need a proof, just try
ident
ident
ident
Here's what I get on Darwin 7.2.0 (Panther, everything up to date)
OpenBSD : 303
FreeBSD : 258
NetBSD : 143
The rest is mostly GNU tools.
{{.sig}}
How many clients can connect to OS X Client? That would be interesting to know. Granted, the server version comes with tools, but what tools are really there that aren't available for free somewhere?
stuff |
While you can easily do everything that Panther Server does on your linux box, what Panther excels in is integration. Specifically the binding together of OpenLDAP, Samba, Apache, Postfix, IMAP, POP, and CUPS with the OpenDirectory password server. OpenDirectory's password server is essentially a SASL password store that they've hacked all the programs mentioned to interact directly with it for all authentication. Think of it similarly to what pam does for linux. The nice thing about OpenDirectory is that a password change from any of these mechanisms (say via samba) then all of the password hashes in the database are automatically synced (even kerberos is synced). This makes for very slick administration of users all from one central console. In the past on Linux, it was not uncommon to have to hack together some scripts to syncronize ldap, samba, and kerberos authentication stores. Even in the best case right now, samba password hashes have to be kept in the ldap database along with either an md5 hash for unix logins, or a pointer to kerberos. With OpenDirectory, there are no passwords stored in ldap itself. Instead an Apple Password field points to the password database which can provide md5 challenges and responses, samba challenges, and general password verification.
Essentially OpenDirectory brings all the technologies together that we already use and make them into a service that competes very well with Active Directory or NDS.
Another bonus is that since OpenDirectory (all its parts including the SASL password database and patches to cups, samba, etc) is open source, we could build a complete OpenDirectory-compatible system on Linux. I plan to do this over the next year or so. Most likely there will have to be a pam module created, and some patches made to OpenLDAP, Samba, etc. But it's a very exciting example of how to put open source projects together and have them work really well.
You're missing the killer server features.
You know how Kerberos can be a real pain to set up and manage? Well with Panther Server, if you've set up a box as an Open Directory master, it automatically integrates itself as a KDC.
Any boxes which log into that OD/LDAP directory automatically retrieve the relevant Kerberos information from the LDAP store, no extra configuration required.
The AFP server, the SMB server, the POP/IMAP/SMTP servers are all Keberized, as is the ssh daemon, and the loginwindow of any client machines.
It's probably worth discussing the fact that Apple have finally gotten their shit together with regards to command line administration, as in that everything you can do with the GUI tools you now have *simple* command line equivalents.
ie, no more screwing around with NetInfo and inserting properties by hand to construct mounts/users, you now have proper tools.
Apple finally did the smart thing and followed what most OSXS admins have been doing for a few years, they've dropped their proprietary AppleMailServer in favour of postfix+cyrus.
They've pretty much dropped NetInfo for network directories, it's now just restricted to a local store, and LDAP publishes this information by default. You can still run a NetInfo directory, and indeed I've got boxes logging into both my old NetInfo directory and my new LDAP directory so that I can do user migration more easily.
There are a wealth of features that weren't even touched upon by this review, it's just kind of lame to read a home user's review of a server product.
i don't read slashdot anymore.
Peace
Most source files that, when compiled, have RCS IDs in the resulting object file, and that are used to build tools, came from OpenBSD.
Try running a script such as
and look at the output. Many tools have no RCS IDs in the binary. Some of them have multiple RCS IDs in them, as more than one source file for a tool in that set has an RCS ID in it that shows up in the object file.
If we prune that output to leave, for each tool, only one line for each OS for each tool, we get 85 lines for NetBSD, 75 lines for FreeBSD, and 19 lines for OpenBSD - OpenBSD is overrepresented in your results because, for example, the OpenSSH stuff came from OpenBSD, with each tool having multiple source files, and most if not all of those files put the RCS ID into the binary.
NetBSD is slightly overrepresented by the counts I gave, as Panther's yacc came from NetBSD, and its skeleton parser puts an RCS ID into the object file; if we remove those 7 lines, we get 78 for NetBSD.
Of course, there are a lot of commands that don't have any RCS information at all. 171 commands do, but there are a total of 928 commands. This means that your counts and my counts don't necessarily give any believable information about the number of tools that came from FreeBSD, NetBSD, or OpenBSD, unless all the tools without RCS IDs came from elsewhere (GNU, Apple, etc.).
There are a couple points of note. First, MacOS X cannot do group policy. Nothing other than a Win2k server can--so it could be harder to lock down workstations if that is a goal. Second, MacOS X has a little bit of difficulty joining a Win2k domain (ie, a file server in a Win2k Domain). *BSD does not have nss, so Apple drew up a little " AD Integration" tool. Its a great concept and basically does what nss does, but it is still far from perfect*.
*=This is as far as I know--Apple's own forums tell of horror stories about the subject. I have not attempted to use AD Integration with Panther Server. I had a developer preview CD that I DID attempt AD integration, however, this was quite broken and there was no documentation. It was a developer release. It also wasn't very important. It way my home I'm-a-big-nerd-with-a-home-lab-that-has-too-many-O Ses-installed lab. Once I can afford a copy for home use, I'll know for certain.
Yeah, that's not actually... true. I called Apple a couple months ago about a really odd password problem with Mac OS X Server (you could log in as any user on my server by entering a blank password!), and while they did charge me, it was only $100.
Now here's $100 worth of secret, annoyingly undocumented Mac OS X Server information: you can use the password of an Admin account to log in via AFP as any user on the system. For example, if one of your admin passwords is "fl0nk", you could use "fl0nk" as the password to test any user on the system.
So make sure your Admin passwords are strong! And secret! And not blank!
~jeff
As mentioned in the article, this capability was present in the System 7.0.x days (late '80s/early '90s). When you enabled filesharing (Localtalk based), there was an option to enable program sharing.
If you enabled that, you were able to script applications on a remote machine (assuming you had an user account with the rights).
What was really nice about Apple's scripting engine was that you didn't have to do anything extra to enable remote scripting in an app. If you took the effort to make your app AppleScriptable, you got remote scripting for free.
http://afp548.com/
It's a great site with lots of very informative, down and dirty technical articles. They also have a forum where you can post questions.
The same guys produce some utilities designed to make VPN and DNS easier...
Apple Xserve G5: 2 x 2.0GHz IBM 970's, 1GB RAM, 80GB SATA, 2 x GigE, with Apple Fibre Channel card (LSI 7202, includes copper HSSDC2 to SFP FC cables), Mac OS X Server unlimited and the 3 year premium service and support costs $5,449
Compaq DL360, 2 x 3.06GHz Intel Xeons, 1GB RAM, 18GB 15krpm SCSI drive, 2 x GigE, universal sliding rail kit, Windows 2003 with only 10 CALs costs $6,438
The HP Storageworks FCA2214DC PCI-X HBA costs $2,500 bringing the total to $8,938
You might consider getting your head out of the sand
And if I set up a password server, I couldn't change the IP address of the machine. Ever.
This has been addressed by Apple with a script to change the IP settings everywhere necessary, without breaking any services.
Works like a charm, I had to do it a couple months ago for a client.
~Philly