Slashdot Mirror


Review - Mac OS X Server 10.3, Part 2

In yesterday's article, I gave an overview of Mac OS X Server, and described some of the features. Read on for some detail of the specific services that Server offers, and the final verdict.

AFP

The first thing I wanted to do was get file serving up, so I selected AFP (Apple Filing Protocol). My files are all on an external 160GB FireWire hard drive. Photos, (legal) MP3s, tons of (legal) file archives, (legal) games, (legal) movies (I swear!). I am usually the only person who needs to connect via AFP, but sometimes other people do, so I want to make sure I set it up the Right Way.

I quickly discovered that Server Admin does not grant control over what is being shared, and with whom. For this, I must venture forth into Workgroup Manager, and set up a Share Point, and define who has access to it. It is fairly intuitive, and a few minutes later, I set it up and am back in Server Admin, where I make sure Rendezvous registration is on, and allow idle clients to sleep for a long time before being disconnected (good for my PowerBook, which is often asleep). I clicked "enable secure connections" and "enable administrator to masquerade as any registered user."

The masquerading is a neat feature: it allows me to type in any user's name and my admin password, and be logged in as that user. It's not something I'd use often, but it could be handy. Some have complained that this is a security hole. If you think it is, then make good use of that checkbox. Note that this is on by default in Client, where there is no apparent way to turn it off.

To turn on the AFP service, like most of the services, I then clicked the green icon with an arrow in it at the top of the window. When it turns into a red button with an X in it, the service has started; to turn it off, I can click the red button.

AFP in Server is the same as what is in Client. The only difference is that in Server, you have many more options for configuration and control of the service. Last I checked, you could do some of this configuration manually in NetInfo, but it is not for the weak-hearted.

And, as mentioned in the last article, the $500, 10-client version of Server is limited to 10 simultaneous clients on AFP. To get around this, pay double for the unlimited version, or use plain old Panther Client.

MP3s

I wish there were a lightweight music server built-in to Server, one that could use less RAM and CPU, that would just serve MP3s. Alas, there is not. So, I set up iTunes for my music sharing. I won't bore you with the details, for more boring details are yet to come.

And heck, now that iPhoto can share too, it'd be nice to have a photo server as well. What I'd really like to see is the ability to modify the photos via sharing, so I can keep them on the server but manage them with my laptop. I'd also like to download MP3s and use shared MP3s from iMovie and iPhoto. But this is not an iLife review, so I shall move on.

Print

To be blunt: Printer Sharing does not work as I need it to -- as it does in Client -- and it is by far the biggest headache with Server, and almost enough, on its own, to make me revert to using plain old Client.

I have two printers to share: a Canon S820 USB inkjet printer, and the internal fax modem. As you may not know, you can share the fax modem in Panther. Just make sure you have printer sharing on, and that you use your fax modem once to "create" the "printer." It will be shared with everyone else on your network just like any other printer, showing up in the "Fax List" in Printer Setup Utility, and in the "Shared Faxes" popup in the Fax dialog box.

That is to say, all this happens if you are using Client to share your fax modem. This does not work if you are using Server.

Nor does the regular USB Printer Sharing work. Server does not use the same mechanism for sharing. The only way to share my printer with the Clients is to go into the Print service, select the printer in Settings -> Queues, and then share it via LPR (optionally turning on Rendezvous discovery as well).

So when I go to use it in the Client, I can see the printer available, but Client doesn't get any driver information for it. It looks to Client like a generic PostScript printer. You can select from a list of CUPS+Gimp-Print drivers, which may or may not work like the original driver, and may or may not be available for your printer.

For some people, print serving in Panther Server might be fine. You can serve printers via LPR (+Rendezvous), Samba, or AppleTalk. You can have quotas, view jobs, cancel or pause jobs, and do cool things. It's a great tool, but I can't use it.

If I want to share my printer I must either use generic drivers, which is unacceptable to me, or use Client or the AirPort Extreme Base Station. I'd never shared a printer with the Base Station before, but I tried it, and it worked. I am sending faxes through my Panther-based MP3 player in the closet (but receiving them through Server). It's a shame that the $500 Server product can't do what Client can do. Maybe Server 10.4 will fix the problem.

FTP

After wasting a lot of time on printing, I picked something simple: FTP. I do backups with Retrospect via FTP, or else I wouldn't even bother. I know, I can do it over AFP too, but I've been using FTP for awhile (I used to do backups to a Linux box), and I just stick with what works. Besides, I need a reason to enable the service for the purposes of the review.

The path setup was a bit awkward at first. I needed access to the file server via FTP, but I didn't want to define it as the FTP server root. I could have set up a symlink to it, of course, but it was already a share point for AFP, so I set FTP to use "Home Directory with Share Points" for authenticated users. This dumped a symbolic link to the FTPRoot in my home directory, and symbolic links to all the share points in the FTPRoot. That'll work.

I turned it on, tested Retrospect with the new path, and it was all good ... unlike printing, which I am still bitter about. Onward and upward. Breathe in, breathe out.

Mail

I often have issues with various SMTP servers, so I decided I should have my own. Server switched over to Postfix from Apple's proprietary server, and Cyrus for POP/IMAP, Mailman for mailing lists ... but I need only SMTP.

I clicked on Settings and selected Enable SMTP, and told it my ISP as relay host. I could send mail directly, but some servers these days don't like mail coming from home boxes. Then I went over to Filters, and to make sure I am not used as a spam relay, I allow only 127.0.0.1/32, 10.0.0.0/22, and 192.168.0.0/24 to send mail.

Now, I just need to add my external hostname to my local host aliases in Advanced, and I am all set. Turn it on, and it works.

This is getting to be fun. Except for printing! (You can't see it, but I am shaking my fist at the sky right now.)

DHCP

Just for fun, I decided to serve DHCP from here too. My hardware router did it before, but I want to have as many services running as I know what to do with. Besides, I'd like more control over IP ranges and such than my little router offers. I do know a little bit about DHCP; I hope it's enough.

I click on Settings, and I add a subnet to the list. Interface en0, start at 10.0.1.200, end at 10.0.1.239. Router -- that which used to distribute IPs -- is 10.0.1.1. Lease time ... a month. Sure, why not? Set up default domain, name server addresses. No LDAP, no WINS. OK, all set; turn it on. It works.

I am starting to feel mighty confident, I tell you what. And for the moment, I forget about printing.

DNS

I have a lot of local hostnames on my network. And true, I could use .local to deal with them all, but not all of them are Macs (the horror!), and I like using the same names for my machines when I am outside the LAN. I previously shuffled around hosts files, like we did back in the day. I know not a thing about DNS. Well, now's a chance to learn, right?

Emboldened by recent successes, I bravely clicked on the DNS service and Settings. It asks if I want to allow zone transfers and recursion. Um, I guess so. I feel like a Holiday Inn Express patron.

Then I clicked on Zones, and here's where the real "fun" begins. Again, I know not a thing about DNS. Well, enough that I know what I am looking at, in general. But after playing around a little and reading some online docs about DNS and PTR records and the like, I eventually figured it out. And once I realized what I was doing, the interface made a lot of sense.

OK, I don't feel quite as good about myself as I did before, but still feeling good. Have I the stamina to try Firewall?

Firewall

My router's firewall limitations are more severe than its DHCP limitations. It can only redirect a handful of incoming ports, and set a single default IP. I would like more control than that, so I figured I could set the router to send everything to Server, where Firewall can handle it.

In retrospect, it actually worked well. I have had even less experience with firewalls than with DNS. But I just, for quite awhile, could not get it to work. In Settings, there are default IP address groups, and I selected "10-net" to open all sorts of ports on the local network. But I didn't look closely enough, and it was set up for 10.0.0.x, and all my machines are on 10.0.1.x. Those wasted hours are what I get for using the defaults and not looking at them closely.

Another problem I ran into is that there is a rather handy list of services to allow for the given addresses: merely select an address group, and check the boxes. But the list of services is not configurable, so if I want to do something simple like allow local access for remote Apple events (port 3031), I can't merely hit a checkbox, because it is not already in the list. I need to manually configure that port in the Advanced section.

As it turns out, the Advanced section isn't too bad, even for someone, like me, largely unfamiliar with firewall configuration. Once I figured out my problem with the default 10-net group, the rest went smoothly.

VPN

As I was configuring my firewall I decided to close off everything to the outside world except for a few mostly secure and essential services, and try out VPN for the rest. Most of what I wanted to keep open were for my own sake, when I am away from home with the laptop. So if I just close it all off, then I can use VPN to get access to mail, FTP, even faxing.

I read up a little bit and decided L2TP over IPsec, instead of PPTP, would be best. So I hit a checkbox to enable it, and I restricted access to my personal group ("pudge"). I added a shared secret and added a block of IP addresses.

Then I went into Internet Connect on Client, selected "New VPN Connection" under the File menu, and put in the server address, account name, password, and shared secret. I dialed up on a PPP connection so I could test it, and clicked Connect in the VPN window, and it just worked. Very nice.

Of course, my measly cable modem is slow, so when I was at a coffee house "hot spot" the other day, I could get on the network, but it was excruciating to do anything requiring significant bandwidth. I can't find a way to blame Apple for that, though.

Web

I serve various things from the local web server: MP3s (for downloading MP3 files, since iTunes assumes that is stealing), documentation, books and periodicals, a local CPAN mirror, personal photos, etc.

The web server is serviceable for basic HTML and file serving, but it is a pain to configure. It won't let you put things where you want them in the config files, and sometimes just breaks things.

For example, I want to use mod_rendezvous, so I add a couple of RegisterResource directives. They work fine. But the next time I edit my configuration through Server Admin, it removes one of the directives, apparently thinking that I can only have one.

The best thing to do is to use Apache's Include directive and put all the custom configurations in a separate file, wherever possible. Then Server Admin should be less likely to throw its weight around.

And then there's mod_perl, which is severely broken: normal print statements don't work. For some reason, the print() never gets tied properly to $r->print(). Thanks to the always useful macosxhints.com, I found a serviceable workaround, though the only proper and decent fix is to get a nonbroken mod_perl build. Once I did this, my custom mod_perl scripts, plus Apache::MP3 and Apache::Pod, seemed to work well.

Also, I set up some directives to Deny services unless the remote address is in 10.0. In the access log, they showed up as 10.0., but in the error log, when denied, the address was 127.0.0.1. I traced this to the Performance Cache, which is turned on by default. I don't need it, so I turned it off.

In figuring this out, I discovered that a side effect of having every client appear to come from 127.0.0.1 is that the mod_status data (at the "server-status" path) was open to the world. The server-status resource is, by default, restricted so that only clients from 127.0.0.1 can access it. I don't think this can be used to directly exploit a system, but it might make private information available, such as client IPs and URLs (which may include session IDs, or other private information). It would be wise to turn off Performance Caching, or lock down your services that may be restricted by IP.
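The effect described above can be checked against a configuration before it bites. The following is an added example, not part of the original review or of Apple's tooling: it evaluates Apache 1.3 Order/Allow/Deny rules for a constructed config fragment and reports which locations open up, and which lock out LAN clients, once a local front-end cache makes every request arrive from 127.0.0.1. The paths, the outside address 203.0.113.7 and the function names are assumptions made for the illustration; hostname and env= operands are not evaluated.

```python
import ipaddress
import re

# Constructed httpd.conf fragment (Apache 1.3 mod_access syntax).
# Paths are hypothetical; the rules mirror the ones the review describes.
SAMPLE_CONF = """
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

<Location /mp3>
    Order deny,allow
    Deny from all
    Allow from 10.0.
</Location>

<Location /docs>
    Order allow,deny
    Allow from all
</Location>
"""

BLOCK_RE = re.compile(
    r'<(Location|Directory)\s+"?([^">]+)"?\s*>(.*?)</\1>', re.S | re.I)
PARTIAL_IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){0,3}\.?")


def parse_blocks(conf):
    """Collect Order/Allow/Deny settings for each Location or Directory block."""
    blocks = []
    for _kind, path, body in BLOCK_RE.findall(conf):
        # mod_access defaults to "Order deny,allow" when no Order is given.
        rule = {"path": path.strip(), "order": "deny,allow",
                "allow": [], "deny": []}
        for line in body.splitlines():
            words = line.split("#", 1)[0].split()
            if not words:
                continue
            key = words[0].lower()
            if key == "order" and len(words) > 1:
                rule["order"] = "".join(words[1:]).lower()
            elif (key in ("allow", "deny") and len(words) > 2
                  and words[1].lower() == "from"):
                rule[key].extend(words[2:])
        if rule["allow"] or rule["deny"]:
            blocks.append(rule)
    return blocks


def spec_matches(spec, addr):
    """True if one Allow/Deny operand covers addr (an ipaddress object)."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR or network/netmask form
        try:
            return addr in ipaddress.ip_network(spec, strict=False)
        except ValueError:
            return False
    if PARTIAL_IP_RE.fullmatch(spec):  # full or partial dotted address
        octets = spec.rstrip(".").split(".")
        return str(addr).split(".")[:len(octets)] == octets
    return False  # hostnames and env= operands are not evaluated here


def is_allowed(rule, ip):
    """Apply mod_access ordering rules to one client address."""
    addr = ipaddress.ip_address(ip)
    allow_hit = any(spec_matches(s, addr) for s in rule["allow"])
    deny_hit = any(spec_matches(s, addr) for s in rule["deny"])
    if rule["order"] in ("allow,deny", "mutual-failure"):
        return allow_hit and not deny_hit  # default deny, Deny wins
    return allow_hit or not deny_hit       # deny,allow: Allow wins


def collapsed_behind_local_proxy(conf, outside_ip="203.0.113.7",
                                 proxy_ip="127.0.0.1"):
    """Paths closed to an outside client directly, but open once every
    request appears to come from the local front end."""
    return [r["path"] for r in parse_blocks(conf)
            if not is_allowed(r, outside_ip) and is_allowed(r, proxy_ip)]


def lan_locked_out(conf, lan_ip="10.0.1.200", proxy_ip="127.0.0.1"):
    """Paths a LAN client may reach directly but is denied via the front end."""
    return [r["path"] for r in parse_blocks(conf)
            if is_allowed(r, lan_ip) and not is_allowed(r, proxy_ip)]


if __name__ == "__main__":
    print("exposed behind cache:", collapsed_behind_local_proxy(SAMPLE_CONF))
    print("LAN clients denied:  ", lan_locked_out(SAMPLE_CONF))
```

Any path in the first list needs a control that does not depend on the client address (authentication, or disabling the handler) for as long as the front-end cache stays on.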

One nice feature is that the Apple-supplied mod_auth_apple uses, in addition to standard htpasswd files, the system user and passwords (if the same user is in both places, with different passwords, either password is acceptable). There's also a mod_sherlock_apple that provides web access to Sherlock content indexes, though I couldn't get this to work, and the documentation wasn't much help.

Hardware Revisited

The initial test machine was the dual G4/1.25 GHz I described earlier, but I also had the opportunity to test it on a dual G5/2 GHz. Man, is that a sweet machine. But my needs are so few, I didn't notice any substantive difference in the serving (though when I was actually working on the machine, or compiling software, or playing games, I noticed huge differences, as one would expect).

I've now got everything set up on a comparatively wimpy PowerBook G3/500. I thought it would squeal and keel over, but it's been stable and plenty fast. The one exception is when I am doing large file transfers: it seems the data moves through the PowerBook pretty slowly. Still, the CPU load stays low all the time, although it sometimes ran out of free memory pretty quickly; once I upped the RAM from 256MB to 640MB, that problem went away.

I guess I shouldn't be too surprised: after all, I used to use a 486 for a server, doing mostly the same sorts of things, and this G3 is faster than that was. I expected it to be slower because of the Mac OS X GUI overhead, I think, but Panther's speed improvements over Jaguar, especially for G3s, are probably helping out here. If I had this in a business environment though, I can't imagine anything less than a dual G4.

Verdict

I like Mac OS X Server, and apart from printing, would rather have it than not have it. Server Admin has its problems, but it is worlds better than the Jaguar Server version, and I expect it to continue to improve: more stability, UI fixes, faster response. Maybe it could even integrate more monitoring features, or make Server Monitor work with non-Xserves. What I really want is ProcessViewer to work with remote machines.

I am well aware Server is not geared toward home use, but I was hoping it might, despite the price, be something a lot of home users could benefit from. Maybe as Server improves in its ease of use and security policies are easier to enforce and audit, through Server or third-party software, it can be such a product.

For now, as much as I like Server, the price tag and knowledge requirements keep me from recommending it for home use. I want to say "if you can't figure out this stuff on your own, then buy Server," but if you really lack that ability, then you shouldn't be configuring Server anyway.

For commercial use, however, Server is an excellent product that I wouldn't hesitate to recommend. It can offer the majority of services any business environment needs, for much less than the cost of Windows alternatives, and the man-hours cost saved with Server Admin is worth the price alone.

51 of 310 comments

  1. Re:Masq by pudge · · Score: 3, Informative

    Isn't this new feature "masquerading" known traditionally as 'su'?

    No. su is on the command line, this is via AFP. It is similar, though, yes.

  2. AFP by RadioheadKid · · Score: 3, Informative

    Just in case you were wondering, I know I was...
    AFP = Apple Filing Protocol

    --
    "Karma can only be portioned out by the cosmos." -Homer Simpson
    1. Re:AFP by pauljlucas · · Score: 1, Informative

      Actually, it's "AppleTalk Filing Protocol."

      --
      If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
  3. Re:Masquerading a security hole? Why? by pudge · · Score: 2, Informative

    Why would this be any more of a security hole than someone being logged in as root and then doing "su - " ?

    Because you don't need to be logged in as anyone to do this. Any user who has access to the machine can do it.

  4. How to stream media files (MP3, MPEG, etc) by NatasRevol · · Score: 5, Informative

    Right from apple

    Granted it's not quite as easy as iTunes, but it's much more powerful.

    --
    There are two types of people in the world: Those who crave closure
    1. Re:How to stream media files (MP3, MPEG, etc) by .com+b4+.storm · · Score: 3, Informative

      And here's the free version for use on Darwin (or an OS X desktop machine). I have it set up on my G4 Mac here, and it works really nice. Very slick interface for managing everything. Definitely give it a try if you want to stream MP3s easily from a Mac.

      --
      "Wow, you're like some kind of superhero able to ward off happiness and success at every turn."
      -- Ryan Stiles
    2. Re:How to stream media files (MP3, MPEG, etc) by selacious · · Score: 2, Informative

      Why not MP3 Sushi Server? It is an Aqua frontend to GnuMP3D. Works great on my G5. Just set its source directory to your iTunes Music Folder.

    3. Re:How to stream media files (MP3, MPEG, etc) by Anonymous Coward · · Score: 1, Informative

      I store all the MP3's on the server mounted over AFP and just turn off file management in iTunes. Drag the entire folder to iTunes to add them to your iTunes Library. If the AFP volume isn't mounted when you play a song, it auto-mounts. I've been doing this with iTunes since version 1. The file stream is unnoticeable. I can even re-share the files from my desktop while iTunes is running. Still no appreciable performance issues. Since the files reside on a share point they can be used by several machines running iTunes. Gets rid of dupes on multiple machines and don't have to rely on iTunes being up on the machine that has the song you want to listen to. Which isn't always the case.

  5. I use OS X Server daily for my job by taybin · · Score: 4, Informative

    We have a computer lab with about 50 computers and about 500 users. I've found 10.2 Server to be great. 10.0 was rough to work with, but 10.1 and up have been easy to work with.

    The Workgroup Manager program can be a bit tricky with setting up shares and network mounts, but overall is a good program.

    The DHCP doesn't work in an environment when you have few spare IPs and the machines are restarted constantly.

    I like that it includes PHP and MySQL, but you might want to compile your own PHP with support for more libraries such as PNG and zlib and stuff. The provided one is a bit sparse.

    Overall, it's fairly painless to work with if you have the foresight to set up user policies and stick to them. It's nicely cross platform with NFS support; I wouldn't be hesitant to use it in a Unix only environment.

    1. Re:I use OS X Server daily for my job by markbark · · Score: 3, Informative

      Quoth the poster:
      but you might want to compile your own PHP with support for more libraries such as PNG and zlib and stuff

      Surf on over to here for one stop downloading goodness.

      PHP, MySQL and Apache under MacOSX all in one easily installed file

    2. Re:I use OS X Server daily for my job by justMichael · · Score: 3, Informative

      You can also get packages here

  6. MP3 Server by iomud · · Score: 4, Informative

    Your lightweight mp3 server: Slimserver. It's free, it's pretty, it's open source. More info. Fairly easy setup, very configurable and best of all if you really don't like something about it you can change it.

  7. FYI: There is a built-in streaming media server by hargettp · · Score: 4, Informative

    It's called QuickTime Streaming Server 5 and it comes bundled with Panther Server. Checking out Apple's website, in addition to supporting video it also handles MP3 audio, among many other formats.

    To be fair, I haven't used QTSS so I can't speak to its utility. And you did say "lightweight," so it's possible this isn't it.... ;)

    1. Re:FYI: There is a built-in streaming media server by pi+radians · · Score: 3, Informative

      It is very lightweight if all you're serving are MP3s. I run a number of streams from my computer and the CPU load never goes over 1% (dual 867 G4s).

      --

      sin(6cos(r)+5A)
  8. Re:My Mac Sucks by grubi · · Score: 1, Informative

    I've been sitting here at my freelance gig in front of a Mac (a 8600/300 w/64 Megs of RAM)

    Um... you're not serious, are you? You're using a Mac from 1997 and you're complaining about performance?

    Even Safari is straining to keep up as I type this

    You're not going to actually try to convince us you're running OS X on that machine, are you? OS X can only be run on USB-equipped Macs.

    Obviously a troll. *sigh*

    --
    Actually, information would like a turkey sandwich.
  9. Not quite... by Millennium · · Score: 5, Informative

    Not just any user can masquerade. Only a user who has Admin access can.

    This would be like using "sudo su - username" in Linux or any other place that sudo is installed. In fact, I have a suspicion that this is exactly what happens behind the scenes.

    Is this a security hole? Depends on who you hand Admin accounts to, I guess.

    1. Re:Not quite... by pudge · · Score: 3, Informative
      No, there is an audit trail, a decent one. This is me logging in as "don" from 10.0.1.177 and copying a file to the server, then deleting it.
      IP 10.0.1.177 - - [22/Jan/2004:11:44:03 -0800] "Login don" 0 0 0
      IP 10.0.1.177 - - [22/Jan/2004:11:44:09 -0800] "OpenFork .DS_Store" 0 0 0
      IP 10.0.1.177 - - [22/Jan/2004:11:44:29 -0800] "OpenFork .DS_Store" 0 0 0
      IP 10.0.1.177 - - [22/Jan/2004:11:44:32 -0800] "CreateFile bar" 0 0 0
      IP 10.0.1.177 - - [22/Jan/2004:11:44:32 -0800] "OpenFork bar" 0 0 0
      IP 10.0.1.177 - - [22/Jan/2004:11:44:32 -0800] "OpenFork bar" 0 0 0
      IP 10.0.1.177 - - [22/Jan/2004:11:44:32 -0800] "OpenFork bar" 0 0 0
      IP 10.0.1.177 - - [22/Jan/2004:11:44:32 -0800] "OpenFork bar" 0 0 0
      IP 10.0.1.177 - - [22/Jan/2004:11:44:33 -0800] "OpenFork bar" 0 0 0
      IP 10.0.1.177 - - [22/Jan/2004:11:44:35 -0800] "Delete bar" 0 0 0
      What it doesn't say is who I am, where these files are, or that I logged in with an admin password. But it's something.

      But yeah, if I have a group of users, esp. in a business setting, this is a feature I'd turn off.
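Since the AFP access log quoted in the comment above records the account and source address but not who authenticated, one compensating check is to compare each Login against the address that account normally uses. This is an added example, not code from the thread or from Apple: the log lines are a subset of those quoted above, while the USUAL_HOSTS baseline, the address 10.0.1.50 and the function names are constructed assumptions.

```python
import re

# Subset of the AFP access log lines quoted in the comment above.
LOG = '''\
IP 10.0.1.177 - - [22/Jan/2004:11:44:03 -0800] "Login don" 0 0 0
IP 10.0.1.177 - - [22/Jan/2004:11:44:09 -0800] "OpenFork .DS_Store" 0 0 0
IP 10.0.1.177 - - [22/Jan/2004:11:44:32 -0800] "CreateFile bar" 0 0 0
IP 10.0.1.177 - - [22/Jan/2004:11:44:32 -0800] "OpenFork bar" 0 0 0
IP 10.0.1.177 - - [22/Jan/2004:11:44:35 -0800] "Delete bar" 0 0 0
'''

# Constructed baseline (assumption): addresses each account normally uses.
USUAL_HOSTS = {"don": {"10.0.1.50"}, "pudge": {"10.0.1.177"}}

# Operations seen in the quoted log that change data on the share.
WRITE_OPS = {"CreateFile", "Delete"}

LINE_RE = re.compile(r'IP (\S+) - - \[([^\]]+)\] "(\w+) ([^"]*)"')


def parse(log):
    """Yield (ip, timestamp, operation, argument) for each recognised line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()


def sessions(log):
    """Attribute each operation to the most recent Login from the same IP.

    The log carries no session id, so two users behind one address would
    be merged; treat the result as a lead, not as proof.
    """
    current = {}
    found = []
    for ip, ts, op, arg in parse(log):
        if op == "Login":
            current[ip] = {"user": arg, "ip": ip, "start": ts, "ops": []}
            found.append(current[ip])
        elif ip in current:
            current[ip]["ops"].append((op, arg))
    return found


def unexpected_logins(log, usual_hosts):
    """Sessions whose source address is not in the account's baseline.

    Accounts missing from the baseline are always reported.
    """
    flagged = []
    for s in sessions(log):
        if s["ip"] not in usual_hosts.get(s["user"], set()):
            writes = [(op, arg) for op, arg in s["ops"] if op in WRITE_OPS]
            flagged.append({"user": s["user"], "ip": s["ip"],
                            "start": s["start"], "writes": writes})
    return flagged


if __name__ == "__main__":
    for hit in unexpected_logins(LOG, USUAL_HOSTS):
        print(hit)
```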
  10. Re:Apple and rack mount system by pudge · · Score: 3, Informative

    Yes, check out the Xserve, mentioned in Part 1.

  11. Re:Apple and rack mount system by cyfer2000 · · Score: 3, Informative

    yes.

    http://www.apple.com/xserve/
    http://a1088.g.akamai.net/7/1088/51/57c9ad84d5d1a5/www.apple.com/xserve/images/index_rack_010604.gif
    http://a1472.g.akamai.net/7/1472/51/39612ef293c7da/www.apple.com/xserve/cluster/images/index_rack_010604.gif

    --
    There is a spark in every single flame bait point.
  12. Notes on the Print Server by Dragonfly · · Score: 4, Informative

    The Print Server in OS X Server is designed to manage network-capable printers. Client computers must have the correct drivers installed on their systems for the printer whose queue they are connecting to.

    Although you can create a queue for a non-networked printer (like the USB printer Pudge was using), the client computers won't be able to use the printer's driver with the queue because the driver assumes a directly-connected USB printer.

    OS X Client's USB printer sharing is a completely different mechanism that essentially tricks other computers into thinking that a shared USB printer is in fact connected directly to the local machine. This allows USB printer drivers to work correctly.

    I don't know for a fact why USB printer sharing was disabled in OS X Server. It would be nice if it could be integrated into the Print Server in OS X Server, but Apple probably made the decision that the vast majority of customers would be using workgroup-sized, networked printers with OS X Server, and the time it would have taken to add USB Printer Sharing to the LPD-based Print Server wouldn't be worth it.

    Workarounds include Pudge's solution of connecting the USB printer to an AirPort Extreme base station; connecting the USB printer to another computer on the network that runs OS X Client; or purchasing a simple print server for the USB printer. Many printer manufacturers sell add-on network adapters (both wired and wireless) for their USB printers.

    1. Re:Notes on the Print Server by Dragonfly · · Score: 3, Informative

      This article might help you:

      Mac OS X 10.3: Sharing Your Printer With Windows Users Via SMB

      In brief, you can share your USB printer via USB Printer Sharing for the Macs on your network, and via SMB printer sharing for the Windows computers. You should be able to use Canon's drivers on the Windows computer.

    2. Re:Notes on the Print Server by Versalis · · Score: 2, Informative

      I'm just guessing here, but Apple probably went with an assumption on the type of hardware that would be used with OS X Server vs. OS X Client.

      On OS X Client you'll have a family with a handful of computers and one or two printers (low end printers.) They'll just plug the printer into one machine and share it. And for their needs this is just fine.

      OS X Server on the other hand was not intended for Ward Clevers' home network. It's made for office environments with a lot of machines connecting. Who here has worked in an office where the boss decided to save money on the printer? I know I have: $100 Canon bubblejet intended for home use but the boss-man wants it shared with all 80 people in the office. It was a frickin' catastrophe! The tech team spent 2 - 4 hours a day every day dealing with the printer for a few weeks until the boss finally saw the error of his ways and got a printer designed for the task at hand.

      I figure this decision from Apple was, a) saving themselves a little work in supporting shared USB printers and, b) protecting people from their own stupidity. But I do agree; they should have left it in and let people make their own decisions. If you want to share a 3ppm bubblejet desktop printer intended for small use on a 100+ user office network - go ahead, have fun keeping it online. Or if you want to spend $1,000 for a server for your family's $100 printer - more power to ya.

  13. Re:Masquerading a security hole? Why? by mr.capaneus · · Score: 2, Informative

    This is not a security hole on your home network but it is definitely a big problem for any organization that needs to do resource auditing. Any organization that handles confidential information is going to want to know exactly who had access to that information and when. Allowing any user, even the administrator, to masquerade as a different user renders auditing useless.

  14. Re:Apple and rack mount system by painandgreed · · Score: 5, Informative

    Apple has had rack mounted cases for years. They're called Xserve. They have just been upgraded to the G5 processor but they were originally brought out with G4. The VA Tech supercomputer is going to be upgraded from their PowerMacs to Xserve. You can find them in the Apple store. They are 1U and can be a full server or a videoless node model.

    They also have Xserve RAID which is a RAID box that, IIRC, is 3U and will work with Mac, Windows or Linux servers.

    I've used Quicktime Streaming. It couldn't be much simpler. You install and tell it what directory that you're serving out to get it to run. Dump the QT files in that directory. The files must be hinted with QT pro and the pointer file also created with QTpro. This was way easier than the work I had to do with Windows streaming but not by much. I didn't do our Real server but was told that it was an unduly pain just to get the server up and running and the pointer files were more complicated than Windows to create. (FYI, this info may be a couple of years out of date).

  15. Re:Although it sounds interesting to play around w by wchin · · Score: 5, Informative

    Again, you have to prove that you can find an equivalent cheaper solution. The Apple Xserve G5 compares quite favorably against your common x86 Xeon or Opteron solution, especially if you are going to run Windows of some flavor. Plus, Mac OS X Server is far more approachable for non-UNIX admins than most Linux distributions as long as what you want to do falls within the GUI. Actually, Mac OS X Server may act as a stepping stone to other UNIX flavors. :)

    Have you priced IBM iron? Or Sun iron? Compared the features, performance, and reliability? For the SMB market, Apple's solutions are quite compelling especially if you are looking at centralized storage.

  16. Re:Masquerading a security hole? Why? by tvadakia · · Score: 2, Informative

    Think of "ownership" and "accountability". If the administrator had the right to log in as any user, accountability gets thrown out the window. The administrator would then be able to sabotage the client's files and the client would "seem" to be accountable. This could be a HUGE security hole in a world where not everyone INSIDE the company can possibly be trusted.

    Think of the opposite, where there can be no masquerading... if a client creates or edits a file, the file ownership attributes are tagged with the client's ID. All accountability of that file now lies with him because no one else can alter the file (not even the Administrator) without changing the ownership, therefore changing accountability.

    --
    Unique.
  17. Re:Although it sounds interesting to play around w by iamacat · · Score: 5, Informative

    Most people would agree it's far better to hire somebody to install the right server solution than to buy special hardware/software for the sole purpose of making it easier for yourself to do it.

    You just hit the problem on the head. G5 XServe is $2,610.00, IT person's salary is how much? I don't think you will get your IBM box for 3K, or will be able to manage it by itself. PC - well let's just not mention all the "management" software that will install itself unless you keep patching the box.

    Even if you already have an IT department, their time is better spent on supporting users and installing more software rather than mundane tasks like configuring a VPN.

    Me, I don't see who wouldn't want to go with XServe, provided that their application is ported to MacOSX. Maybe companies like Google that have thousands of nodes and calculated that Intel hardware will be cheaper.

  18. Panther Client doesn't allow unlimited connections by iiioxx · · Score: 3, Informative

    And, as mentioned in the last article, the $500, 10-client version of Server is limited to 10 simultaneous clients on AFP. To get around this, pay double for the unlimited version, or use plain old Panther Client.

    I saw this mentioned in comments to yesterday's review as well, so last night I checked this out on my home network. With the client version, you are limited to 10 AFP connections (it says so at the bottom of the window when you click on Personal File Sharing). It isn't unlimited. I'm not sure about Windows File Sharing (SMB), as I don't use it and didn't think to check.

  19. ummm...this guy is aware that by the_2nd_coming · · Score: 3, Informative

    OS X server is for companies and not consumers so an iPhoto server application and an iTunes server application are pretty pointless.

    BTW...Quicktime has many server apps, one of them is a streaming application that will stream MP3s.

    --
    I am the Alpha and the Omega-3
  20. Re:Masq by Anonymous Coward · · Score: 1, Informative

    SU means switch user, not superuser. You can SU to any account you want...

  21. Re:What? No NTP? by DeRobeHer · · Score: 2, Informative

    Macs have had NTP built in since at least OS 9, maybe OS 8, can't remember.

    --
    Donald Roeber
    Generating 2048 Bits of Randomness...
  22. Re:Although it sounds interesting to play around w by mbbac · · Score: 4, Informative

    Except that VT paid retail for the hardware.

    --

    mbbac

  23. Re:Although it sounds interesting to play around w by MarcQuadra · · Score: 3, Informative

    Well my place of work just dropped $150K on a SAN that doesn't do nearly as well (or hold half as much) as a $15K XServe RAID would.

    Apple hardware is 'heavy metal', all their pro-desktops are workstation-class hardware, and the servers are rock-solid.

    As for file serving, I haven't seen a properly-configured file server have more than 10% CPU load from just serving files in over five years now. File serving for our entire school (over 1000 users, about 2TB data) would be just as fast from the end-user perspective with a 400MHz G3 as it is with our dual-Xeon PIII monster.

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  24. Re:What? No NTP? by beattie · · Score: 3, Informative

    Not only your mac, but every mac in the country (world?) should have the same time. By default, OS X has an NTP client (and has since like system 8) and it points to time.apple.com IIRC.

  25. Not According to Apple by RadioheadKid · · Score: 4, Informative
    From the Mac OS X Server Administrator's Guide [PDF] glossary:
    AFP (Apple Filing Protocol) A client/server protocol used by Apple file service on Macintosh-compatible computers to share files and network services. AFP uses TCP/IP and other protocols to communicate between computers on a network.
    --
    "Karma can only be portioned out by the cosmos." -Homer Simpson
    1. Re:Not According to Apple by CatOne · · Score: 2, Informative

      Well... AFP now runs primarily on TCP/IP. The AppleTalk networking element has been deprecated and is only used if you need to maintain legacy compatibility (that is, with OS 9 or earlier clients).

      So it's not AppleTalk filing protocol, because it's not using AppleTalk. Been that way since OS X was introduced, in fact may have been earlier.

    2. Re:Not According to Apple by good+soldier+svejk · · Score: 2, Informative
      It's a product of the "we are Apple, so we will reinvent the wheel rather than use a mere industry standard" era.

      What exactly was "industry standard" in PC networking in 1984? My memory is that ethernet and token ring cards cost close to $1,000 at that point. That was actually the year 10Base2 (thinwire) came out. The Mac would have looked pretty funny with a chunk of thickwire hanging off the back. Likewise TCP/IP had just fully pervaded the internet in 1983. It wasn't available on any PC platform that I know of. Apple was actually the first (well second after Xerox) PC vendor to build ethernet into their product (1988, IIRC).

      Lots of people complain about AppleTalk, but it has never really caused problems on our 10,000 node network, despite the fact that our network admins don't have a clue about how it works. Wish I could say the same about NetBIOS and Novell.
      --
      It is cowardly, and a betrayal of whatever it means to be a Jew, to act as a white man

      -James Baldwin
  26. Yes. by MarcQuadra · · Score: 5, Informative

    Panther is FASTER on the same hardware. OS X is getting better and better about resource management, optimization, etc. as time goes on. Remember that the whole system benefits from improvements to GCC, binutils, and other OSS projects, because the whole system is compiled with them. Opening apps in Panther on older hardware seems much snappier than when using Jaguar, and I chalk it up to better disk-access, caching, optimization, prelinking, and drivers.

    Also, Apple really rushed to get OS X out the door, now the developers are getting their hands dirty with tweaks, getting much more proficient with Objective-C, and they have a user base to check things with.

    I think this will continue for some time too, possibly until Apple stops supporting G3 CPUs. The architecture of the whole system seems to lend itself well to growing without 'bloating'.

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  27. Panther (10.3) is MUCH faster than Jaguar (10.2) by green+pizza · · Score: 5, Informative

    Subject says all... but be sure to run Software Update and let it update to 10.3.2... fixes a few bugs and security holes, but more importantly, it also contains new gfx drivers that bring OpenGL back up to speed. (10.3.0 was only slower than 10.2.8 in one area -- OpenGL... but 10.3.2 fixes that).

  28. Most Macs are quiet by green+pizza · · Score: 2, Informative

    With the exception of the minitower flavored G4s, most Macs are very quiet... some don't even have fans. The loudest, by far, were the "hairdryer" 1.0 - 1.4 GHz G4 systems. Still not as loud as an SGI Octane, but loud enough.

    I don't recall that the "Yikes" PCI G4 was all that loud, maybe you have a bad fan. If you want a really quiet Mac for a server, get an iMac, eMac, an old G4 Cube (no fan!) or a new G5 (lots of slow-moving, quiet fans).

    XServe is very loud, but it's designed that way... suited for a back room or datacenter/server room... small case, lots of air flow in the event of building air conditioning failure.

  29. Re:Although it sounds interesting to play around w by danigiri · · Score: 2, Informative
    Ummm... lemme rehash it once more...

    [...]and that the type of computing muscle necessary to run more than the meekest fileserver would be either more cheaply purchased in PC components[...]
    I would not want to sound redundant here, but have you ever heard of VT? Speaking of "computing muscle", these guys have built the world's third-fastest supercomputer with G5's, for pocket money (as far as supercomputers go). Yeah, Moore's Law and whatever but your statement is definitely arguable nowadays (really arguable, some would claim just false). Please drop this dated misconception.

    And no, I will not base my business central storage and computing center off some WalMart cheapo clone, I will buy some brand with their guarantee and support.

    more reliably purchased in IBM iron

    IMHO, this is also arguable (though not so much as point one). Please take a close look at the little big chip(s) inside an Apple -say G5- server... If you look closely you will see a shiny gasp! IBM logo. Yeah, incredible. I am sure these guys at IBM must know a thing or two about processor design... and they have Apple share the stuff.

    As for reliability... well, I have no hard facts, but given my personal experience, I have had Macs in headless service (and they were not even servers) for years. No shites, no silly bugs, no crashes, none, zip, no HD breakdowns, nada. I can't even remember when I last formatted my G4, when was it? When I ****ing bought and partitioned it, years ago, back in the OS9 era. Not necessarily SPARC-quality, but for that price I can buy a bunch of G5 stuff.

    dani++

  30. Re:DNS setup that easy!? by NatasRevol · · Score: 3, Informative

    Yeah, if you have a basic understanding of DNS, then it's that easy.

    See this networking link from Apple, second image. That's about it!

    If you have no clue about DNS, the GUI won't help you much.

    --
    There are two types of people in the world: Those who crave closure
  31. Re:Backups? by CatOne · · Score: 2, Informative

    Bru from the Tolis group (www.tolisgroup.com) does a great job. Plus, there's a new product called BakBone (www.bakbone.com).

    These support numerous tape libraries.

    Of course, these days, it's becoming more common to do a full offsite mirror. Xserve RAID is so inexpensive that you're now paying 2x-3x (or more) for the tape system to backup your disk storage, and a full nearline mirror is becoming a more compelling option. At $3/gigabyte for RAID protected storage, people buy 2 or 3 and use 'em to back each other up. It's how the iTunes Music Store is run. No tape.

  32. Re:True Headless server? by yummyporkproducts · · Score: 2, Informative

    You don't need the GUI or a VNC connection to run the admin tools. Just install them on an OS X client machine, and run from there. There are very few applications that actually have to be run from the GUI. Just about everything can be done with the Admin Tools remotely, or using the command line over an ssh connection. Don't have an OS X client? Spend the $1.50 on a generic VGA dongle and install OSXVnc.app. Voilà, problem solved.

  33. Re:Backups? by Dragonfly · · Score: 3, Informative

    Veritas makes a client for Backup Exec 9 for Mac OS X (you still need to be running Backup Exec on a Windows or NetWare box). There are also dozens of open source & freeware backup solutions that provide schedulable GUI frontends to command line staples like ditto, psync, and rsync, such as Carbon Copy Cloner and RsyncX.

  34. iTunes sharing, without the GUI by vasi · · Score: 2, Informative

    If you want to stream MP3's portably, stick with QTSS or Slimserver. But if you want to duplicate iTunes functionality, only without the GUI--but including AAC streaming and browsing from within iTunes clients--try daapd. Of course, it's available in Fink, so it's not hard to get started.

    --
    "Hey, who took the cork off my lunch?" -- W. C. Fields
  35. Re:hm by justMichael · · Score: 2, Informative

    I could be off base here, I don't have an XServe, but I am considering it.

    The main reason one might want to use OS X Server over GNU/Linux or one of the other BSDs is the UI to the meat of your configuration. As many others have said, if you are a small design shop, you already have a person in house that keeps things running smooth. Odds are good that that person doesn't know or want to know Linux.

    You can run quite a bit of your free software on an OS X box also, just look here and here.

    The main reason I am looking at an XServe is that dollar for dollar it seems to beat up the competition.

    I would really like to see a head to head between a Dual Proc. Xserve, comparable Opteron and comparable Xeon doing mundane tasks like Web/DB.

  36. Re:A solution by pudge · · Score: 2, Informative

    Ever heard of Quicktime Streaming Server 5?

    Yes. Ever hear of daap? It's the protocol iTunes uses, that I need, that QTSS doesn't do. :-) Or if it does, I couldn't see how.

  37. Re:Backups? by Anonymous Coward · · Score: 1, Informative

    Legato Networker supports MacOS X 10.2 and newer.

    Well tested enough for you?

    http://portal1.legato.com/products/networker/

  38. Re:So on G3 panther is quicker than jaguar? by kitzilla · · Score: 2, Informative

    My personal experience is that Panther is noticeably faster on a low-end G3 than Jaguar. It's bigger, but things like the Finder are far less annoying than 10.2.

    --
    This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
  39. you should be able to get more detailed informatio by Anonymous Coward · · Score: 1, Informative

    Though I have not checked out 10.3 Server (still on 10.2 Server), 10.2 gives me detailed logs of what is going on (you have to enable some of it though)