Review - Mac OS X Server 10.3, Part 2
AFP
The first thing I wanted to do was get file serving up, so I selected AFP (Apple Filing Protocol). My files are all on an external 160GB FireWire hard drive. Photos, (legal) MP3s, tons of (legal) file archives, (legal) games, (legal) movies (I swear!). I am usually the only person who needs to connect via AFP, but sometimes other people do, so I want to make sure I set it up the Right Way.
I quickly discovered that Server Admin does not grant control over what is being shared, and with whom. For this, I must venture forth into Workgroup Manager, and set up a Share Point, and define who has access to it. It is fairly intuitive, and a few minutes later, I set it up and am back in Server Admin, where I make sure Rendezvous registration is on, and allow idle clients to sleep for a long time before being disconnected (good for my PowerBook, which is often asleep). I clicked "enable secure connections" and "enable administrator to masquerade as any registered user."
The masquerading is a neat feature: it allows me to type in any user's name and my admin password, and be logged in as that user. It's not something I'd use often, but it could be handy. Some have complained that this is a security hole. If you think it is, then make good use of that checkbox. Note that this is on by default in Client, where there is no apparent way to turn it off.
To turn on the AFP service, like most of the services, I then clicked the green icon with an arrow in it at the top of the window. When it turns into a red button with an X in it, the service has started; to turn it off, I can click the red button.
AFP in Server is the same as what is in Client. The only difference is that in Server you have many more options for configuring and controlling the service. Last I checked, you could do some of this configuration manually in NetInfo, but it is not for the faint of heart.
And, as mentioned in the last article, the $500, 10-client version of Server is limited to 10 simultaneous clients on AFP. To get around this, pay double for the unlimited version, or use plain old Panther Client.
MP3s
I wish there were a lightweight music server built-in to Server, one that could use less RAM and CPU, that would just serve MP3s. Alas, there is not. So, I set up iTunes for my music sharing. I won't bore you with the details, for more boring details are yet to come.
And heck, now that iPhoto can share too, it'd be nice to have a photo server as well. What I'd really like to see is the ability to modify the photos via sharing, so I can keep them on the server but manage them with my laptop. I'd also like to download MP3s and use shared MP3s from iMovie and iPhoto. But this is not an iLife review, so I shall move on.
Printing
To be blunt: Printer Sharing does not work as I need it to -- as it does in Client -- and it is by far the biggest headache with Server, and almost enough, on its own, to make me revert to using plain old Client.
I have two printers to share: a Canon S820 USB inkjet printer, and the internal fax modem. As you may not know, you can share the fax modem in Panther. Just make sure you have printer sharing on, and that you use your fax modem once to "create" the "printer." It will be shared with everyone else on your network just like any other printer, showing up in the "Fax List" in Printer Setup Utility, and in the "Shared Faxes" popup in the Fax dialog box.
That is to say, all this happens if you are using Client to share your fax modem. This does not work if you are using Server.
Nor does the regular USB Printer Sharing work. Server does not use the same mechanism for sharing. The only way to share my printer with the Clients is to go into the Print service, select the printer in Settings -> Queues, and then share it via LPR (optionally turning on Rendezvous discovery as well).
So when I go to use it in the Client, I can see the printer available, but Client doesn't get any driver information for it. It looks to Client like a generic PostScript printer. You can select from a list of CUPS+Gimp-Print drivers, which may or may not work like the original driver, and may or may not be available for your printer.
For some people, print serving in Panther Server might be fine. You can serve printers via LPR (+Rendezvous), Samba, or AppleTalk. You can have quotas, view jobs, cancel or pause jobs, and do cool things. It's a great tool, but I can't use it.
If I want to share my printer I must either use generic drivers, which is unacceptable to me, or use Client or the AirPort Extreme Base Station. I'd never shared a printer with the Base Station before, but I tried it, and it worked. I am sending faxes through my Panther-based MP3 player in the closet (but receiving them through Server). It's a shame that the $500 Server product can't do what Client can do. Maybe Server 10.4 will fix the problem.
FTP
After wasting a lot of time on printing, I picked something simple: FTP. I do backups with Retrospect via FTP, or else I wouldn't even bother. I know, I can do it over AFP too, but I've been using FTP for a while (I used to do backups to a Linux box), and I just stick with what works. Besides, I need a reason to enable the service for the purposes of the review.
The path setup was a bit awkward at first. I needed access to the file server via FTP, but I didn't want to define it as the FTP server root. I could have set up a symlink to it, of course, but it was already a share point for AFP, so I set FTP to use "Home Directory with Share Points" for authenticated users. This dumped a symbolic link to the FTPRoot in my home directory, and symbolic links to all the share points in the FTPRoot. That'll work.
I turned it on, tested Retrospect with the new path, and it was all good ... unlike printing, which I am still bitter about. Onward and upward. Breathe in, breathe out.
Mail
I often have issues with various SMTP servers, so I decided I should have my own. Server switched over to Postfix from Apple's proprietary server, and Cyrus for POP/IMAP, Mailman for mailing lists ... but I need only SMTP.
I clicked on Settings and selected Enable SMTP, and told it my ISP as relay host. I could send mail directly, but some servers these days don't like mail coming from home boxes. Then I went over to Filters, and to make sure I am not used as a spam relay, I allow only 127.0.0.1/32, 10.0.0.0/22, and 192.168.0.0/24 to send mail.
Now, I just need to add my external hostname to my local host aliases in Advanced, and I am all set. Turn it on, and it works.
This is getting to be fun. Except for printing! (You can't see it, but I am shaking my fist at the sky right now.)
DHCP
Just for fun, I decided to serve DHCP from here too. My hardware router did it before, but I want to have as many services running as I know what to do with. Besides, I'd like more control over IP ranges and such than my little router offers. I do know a little bit about DHCP; I hope it's enough.
I click on Settings, and I add a subnet to the list. Interface en0, start at 10.0.1.200, end at 10.0.1.239. Router -- that which used to distribute IPs -- is 10.0.1.1. Lease time ... a month. Sure, why not? Set up default domain, name server addresses. No LDAP, no WINS. OK, all set; turn it on. It works.
I am starting to feel mighty confident, I tell you what. And for the moment, I forget about printing.
DNS
I have a lot of local hostnames on my network. And true, I could use .local to deal with them all, but not all of them are Macs (the horror!), and I like using the same names for my machines when I am outside the LAN. I previously shuffled around hosts files, like we did back in the day. I know not a thing about DNS. Well, now's a chance to learn, right?
Emboldened by recent successes, I bravely clicked on the DNS service and Settings. It asks if I want to allow zone transfers and recursion. Um, I guess so. I feel like a Holiday Inn Express patron.
Then I clicked on Zones, and here's where the real "fun" begins. Again, I know not a thing about DNS. Well, enough that I know what I am looking at, in general. But after playing around a little and reading some online docs about DNS and PTR records and the like, I eventually figured it out. And once I realized what I was doing, the interface made a lot of sense.
OK, I don't feel quite as good about myself as I did before, but still feeling good. Have I the stamina to try Firewall?
Firewall
My router's firewall limitations are more severe than its DHCP limitations. It can only redirect a handful of incoming ports, and set a single default IP. I would like more control than that, so I figured I could set the router to send everything to Server, where Firewall can handle it.
In retrospect, it actually worked well. I have had even less experience with firewalls than with DNS, but for quite a while I just could not get it to work. In Settings there are default IP address groups, and I selected "10-net" to open all sorts of ports on the local network. But I didn't look closely enough: it was set up for 10.0.0.x, and all my machines are on 10.0.1.x. Those wasted hours are what I get for using the defaults and not checking them closely.
Another problem I ran into is that there is a rather handy list of services to allow for the given addresses: merely select an address group, and check the boxes. But the list of services is not configurable, so if I want to do something simple like allow local access for remote Apple events (port 3031), I can't merely hit a checkbox, because it is not already in the list. I need to manually configure that port in the Advanced section.
As it turns out, the Advanced section isn't too bad, even for someone, like me, largely unfamiliar with firewall configuration. Once I figured out my problem with the default 10-net group, the rest went smoothly.
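Both the Postfix relay list above (127.0.0.1/32, 10.0.0.0/22, 192.168.0.0/24) and the firewall's "10-net" address group come down to the same question: is this client address inside one of the allowed blocks? The script below is an added example, not code from the review or from Apple's tools; it implements that CIDR membership test in plain POSIX sh and runs it against the addresses from this article. The 10-net group is assumed here to be 10.0.0.0/24, since the review only says it covered 10.0.0.x; that assumption is what makes a 10.0.1.x machine fall outside it while the /22 in the mail relay list still covers it.

```shell
#!/bin/sh
# Added example (not from the review): CIDR membership checks of the kind
# Postfix's relay network list and the Server Admin firewall address groups
# perform. Pure POSIX sh; no external tools.

# ip_to_int 10.0.1.200 -> 167772616 (dotted quad to 32-bit integer)
ip_to_int() {
    _old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots into $1..$4
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> exit 0 if ADDR lies inside NET/PREFIX
in_cidr() {
    _addr=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _prefix=${2#*/}
    [ "$_prefix" -ge 0 ] && [ "$_prefix" -le 32 ] || return 2   # malformed prefix
    [ "$_prefix" -eq 0 ] && return 0                           # /0 matches everything
    # mask with PREFIX leading one bits, truncated to 32 bits
    _mask=$(( (4294967295 << (32 - _prefix)) & 4294967295 ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# allowed_by ADDR "NET1 NET2 ..." -> prints the first matching block,
# exits 1 when no block matches (i.e. the address would be denied)
allowed_by() {
    for _n in $2; do
        if in_cidr "$1" "$_n"; then
            echo "$_n"
            return 0
        fi
    done
    return 1
}

# Constructed demo using the article's values. The firewall group is an
# assumption: the review only says the default 10-net group was 10.0.0.x.
MAIL_NETWORKS='127.0.0.1/32 10.0.0.0/22 192.168.0.0/24'
FIREWALL_10NET='10.0.0.0/24'
CLIENT=10.0.1.200   # a machine on the author's 10.0.1.x LAN

if _m=$(allowed_by "$CLIENT" "$MAIL_NETWORKS"); then
    echo "$CLIENT may relay mail: matched $_m"
else
    echo "$CLIENT would be refused as a relay client"
fi
if _m=$(allowed_by "$CLIENT" "$FIREWALL_10NET"); then
    echo "$CLIENT is covered by the 10-net firewall group ($_m)"
else
    echo "$CLIENT is NOT covered by the 10-net group; its LAN rules will not apply"
fi
```

Run it as-is and the two outcomes differ: the /22 in the mail relay list reaches 10.0.3.255, so 10.0.1.200 is accepted, while a 10.0.0.0/24 group stops at 10.0.0.255, which is exactly the mismatch that cost the author hours. Checking a handful of real client addresses against every default group before enabling rules is a cheap way to catch this.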
VPN
As I was configuring my firewall I decided to close off everything to the outside world except for a few mostly secure and essential services, and try out VPN for the rest. Most of what I wanted to keep open was for my own sake, when I am away from home with the laptop. So if I just close it all off, then I can use VPN to get access to mail, FTP, even faxing.
I read up a little bit and decided L2TP over IPsec, instead of PPTP, would be best. So I hit a checkbox to enable it, and I restricted access to my personal group ("pudge"). I added a shared secret and added a block of IP addresses.
Then I went into Internet Connect on Client, selected "New VPN Connection" under the File menu, and put in the server address, account name, password, and shared secret. I dialed up on a PPP connection so I could test it, and clicked Connect in the VPN window, and it just worked. Very nice.
Of course, my measly cable modem is slow, so when I was at a coffee house "hot spot" the other day, I could get on the network, but it was excruciating to do anything requiring significant bandwidth. I can't find a way to blame Apple for that, though.
Web
I serve various things from the local web server: MP3s (for downloading MP3 files, since iTunes assumes that is stealing), documentation, books and periodicals, a local CPAN mirror, personal photos, etc.
The web server is serviceable for basic HTML and file serving, but it is a pain to configure. It won't let you put things where you want them in the config files, and sometimes just breaks things.
For example, I want to use mod_rendezvous, so I add a couple of RegisterResource directives. They work fine. But the next time I edit my configuration through Server Admin, it removes one of the directives, apparently thinking that I can only have one.
The best thing to do is to use Apache's Include directive and put all the custom configurations in a separate file, wherever possible. Then Server Admin should be less likely to throw its weight around.
And then there's mod_perl, which is severely broken: normal print statements don't work. For some reason, the print() never gets tied properly to $r->print(). Thanks to the always useful macosxhints.com, I found a serviceable workaround, though the only proper and decent fix is to get a non-broken mod_perl build. Once I did this, my custom mod_perl scripts, plus Apache::MP3 and Apache::Pod, seemed to work well.
Also, I set up some directives to Deny services unless the remote address is in 10.0. In the access log, they showed up as 10.0., but in the error log, when denied, the address was 127.0.0.1. I traced this to the Performance Cache, which is turned on by default. I don't need it, so I turned it off.
In figuring this out, I discovered that a side effect of having every client appear to come from 127.0.0.1 is that the mod_status data (at the "server-status" path) was open to the world. The server-status resource is, by default, restricted so that only clients from 127.0.0.1 can access it. I don't think this can be used to directly exploit a system, but it might make private information available, such as client IPs and URLs (which may include session IDs, or other private information). It would be wise to turn off Performance Caching, or lock down your services that may be restricted by IP.
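The two symptoms described above (denials logged against 127.0.0.1, and a loopback-only server-status restriction that no longer restricts anything) can both be checked for mechanically. The script below is an added example, not code from the review or from Apple; it scans Apache 1.3-style error log lines for denials that all come from 127.0.0.1, and scans an httpd.conf for Location blocks whose only Allow is the loopback address. The log lines and config fragment it uses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the review): detect the "every client looks like
# 127.0.0.1" condition caused by a local proxy/cache in front of Apache, and
# list the Location blocks whose access control silently depends on it.

# Constructed Apache 1.3-style error log lines (not a real log).
sample_error_log() {
    cat <<'EOF'
[Mon Jan 05 10:00:01 2004] [notice] Apache/1.3.29 (Darwin) configured -- resuming normal operations
[Mon Jan 05 10:02:14 2004] [error] [client 127.0.0.1] client denied by server configuration: /Library/WebServer/Documents/private
[Mon Jan 05 10:02:15 2004] [error] [client 127.0.0.1] client denied by server configuration: /Library/WebServer/Documents/private/photos
[Mon Jan 05 10:05:40 2004] [error] [client 127.0.0.1] client denied by server configuration: /Library/WebServer/Documents/cpan
EOF
}

# Constructed httpd.conf fragment (not the shipped configuration).
sample_httpd_conf() {
    cat <<'EOF'
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
<Location /private>
    Order deny,allow
    Deny from all
    Allow from 10.0.
</Location>
EOF
}

# Reads an error log on stdin; prints "denied=N loopback=M", where M of the
# N "client denied" entries carry the loopback address.
loopback_denials() {
    awk '
        /client denied by server configuration/ {
            denied++
            if ($0 ~ /\[client 127\.0\.0\.1\]/) loopback++
        }
        END { printf "denied=%d loopback=%d\n", denied, loopback }
    '
}

# Reads an error log on stdin; exits 0 when at least one denial was logged
# and every denial came from 127.0.0.1, the signature of a proxy in front of
# httpd that masks the real client address.
proxy_masking_suspected() {
    _r=$(loopback_denials)
    _d=${_r#denied=}; _d=${_d%% *}
    _l=${_r##*loopback=}
    [ "$_d" -gt 0 ] && [ "$_d" -eq "$_l" ]
}

# Reads httpd.conf on stdin; prints each <Location> path whose Allow
# directives name only 127.0.0.1 or localhost. Such blocks are open to every
# client once all requests arrive from the loopback address.
loopback_only_locations() {
    awk '
        $1 == "<Location" { loc = $2; sub(/>.*$/, "", loc); lo = 0; other = 0 }
        $1 == "Allow" && $2 == "from" && loc != "" {
            for (i = 3; i <= NF; i++)
                if ($i == "127.0.0.1" || $i == "localhost") lo = 1; else other = 1
        }
        $1 == "</Location>" { if (lo && !other) print loc; loc = "" }
    '
}

# Demo run over the constructed inputs.
if sample_error_log | proxy_masking_suspected; then
    echo "all denials come from 127.0.0.1: IP-based access control is not seeing real clients"
    echo "locations protected only by a loopback Allow:"
    sample_httpd_conf | loopback_only_locations
fi
```

Seeing /server-status on that list while the log shows only loopback denials is the combination to act on: either disable the Performance Cache, as the author did, or stop relying on address-based restrictions for anything the cache fronts.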
One nice feature is that the Apple-supplied mod_auth_apple uses, in addition to standard htpasswd files, the system user and passwords (if the same user is in both places, with different passwords, either password is acceptable). There's also a mod_sherlock_apple that provides web access to Sherlock content indexes, though I couldn't get this to work, and the documentation wasn't much help.
Hardware Revisited
The initial test machine was the dual G4/1.25 GHz I described earlier, but I also had the opportunity to test it on a dual G5/2 GHz. Man, is that a sweet machine. But my needs are so few, I didn't notice any substantive difference in the serving (though when I was actually working on the machine, or compiling software, or playing games, I noticed huge differences, as one would expect).
I've now got everything set up on a comparatively wimpy PowerBook G3/500. I thought it would squeal and keel over, but it's been stable and plenty fast. The one exception is when I am doing large file transfers: it seems the data moves through the PowerBook pretty slowly. Still, the CPU load stays low all the time, although it sometimes ran out of free memory pretty quickly; once I upped the RAM from 256MB to 640MB, that problem went away.
I guess I shouldn't be too surprised: after all, I used to use a 486 for a server, doing mostly the same sorts of things, and this G3 is faster than that was. I expected it to be slower because of the Mac OS X GUI overhead, I think, but Panther's speed improvements over Jaguar, especially for G3s, are probably helping out here. If I had this in a business environment though, I can't imagine anything less than a dual G4.
Verdict
I like Mac OS X Server, and apart from printing, would rather have it than not have it. Server Admin has its problems, but it is worlds better than the Jaguar Server version, and I expect it to continue to improve: more stability, UI fixes, faster response. Maybe it could even integrate more monitoring features, or make Server Monitor work with non-Xserves. What I really want is ProcessViewer to work with remote machines.
I am well aware Server is not geared toward home use, but I was hoping it might, despite the price, be something a lot of home users could benefit from. Maybe as Server improves in its ease of use and security policies are easier to enforce and audit, through Server or third-party software, it can be such a product.
For now, as much as I like Server, the price tag and knowledge requirements keep me from recommending it for home use. I want to say "if you can't figure out this stuff on your own, then buy Server," but if you really lack that ability, then you shouldn't be configuring Server anyway.
For commercial use, however, Server is an excellent product that I wouldn't hesitate to recommend. It can offer the majority of services any business environment needs, for much less than the cost of Windows alternatives, and the man-hours cost saved with Server Admin is worth the price alone.
This strikes me as being a solution in need of a problem. Most people would agree it's far better to hire somebody to install the right server solution than to buy special hardware/software for the sole purpose of making it easier for yourself to do it.
The masquerading is a neat feature: it allows me to type in any user's name and my admin password, and be logged in as that user. It's not something I'd use often, but it could be handy. Some have complained that this is a security hole.
Why would this be any more of a security hole than someone being logged in as root and then doing "su - " ?
I am running jaguar + apache + tomcat + mysql on a G3 350 with 512M RAM. It is only a desktop edition OS X but runs not bad. Some people told me that Panther on G3 is slower than Jaguar, but here the information is that Panther is actually quicker, so could somebody with experience shed some light on me?
Which one is quicker?
There is a spark in every single flame bait point.
I can't help but feel that the strength of an Apple lies in its desktop features Very true - even the old versions of MacOS were a relative joy to use (OS7 era I'm talking about). Admittedly, I hadn't used *nix around that time, but Windows certainly wasn't great at all! Some of their newer hardware, especially their cluster servers looks absolutely gorgeous. I'd love to admin something like that :)
Good god, imagine if Virginia Tech had used racks of those instead.. A sight to behold, I'd bet!
I am a viral sig. Please copy me and help me spread. Thank you.
I'm one of these admins where "server" means rack mounted, U rated (1U, 2U, 4U etc), non-gui'd required system located at a co-location. However, if I ran a company that was all Mac desktops then I'd want Mac servers as well, but can't picture 20+ tower cases littering the floor. I'd much prefer to mount them all in a 60U rack.
Picture of a rack, in case you don't know what I'm talking about.
I know you can put them sideways on a shelf, but the shelf takes up an extra 1U to 2U and the case is about 6U. Rack property is very vital to some.
So does Apple have rack mounted system ... and do they look all pretty ( blue LEDs and all :) )
First off, Panther Server is an awesome product. I find it markedly better compared to Jaguar server (esp. the mail, Cyrus IMAP kicks butt over the old Apple Mail Server).
One area that's still weak is NAT, specifically port forwarding. The server admin app configures natd by parsing a plist file called natd.plist located in /etc/nat/. And the only way to set up port forwarding is to manually edit this plist file or not manage natd with Apple's Server Admin app.
First boo is having to even go and configure the natd.plist file (a plist file is an XML file that many OS X apps use as a preferences file) instead of just being able to edit NAT settings in Server Admin.
Second boo is that I have never personally, nor have I heard of anyone being able to get a natd.plist file with port forwarding instructions (you have to set up an array of dictionary keys for port forwarding... for more info read the natd.plist.default file located in /etc/nat/) working. My experience is that Server Admin always incorrectly parses the natd.plist file, only parsing the alias IP objects but never the target IP objects.
Now I know that there are plenty of easy workarounds (like an airport sitting on the outside, handling the port forwarding) - but it would be nice if this worked, it would make using an older Mac as a firewall/router much more feasible IMHO.
On the other hand, the fact that this is my only gripe with Panther Server speaks volumes to how pleased I am overall with Panther Server.
old versions of MacOS were a relative joy to use (OS7 era im talking about)
Do you also enjoy having your eyelids pulled out and your fingers broken, healed, and rebroken repeatedly? OS 7 was by far the biggest mistake Apple ever made. I was at two separate companies that switched from Mac to PC because of the instability of OS 7. Did you enjoy having to go to the chooser every time you wanted to change printers? How about when the machine just randomly locked up even when left alone for a couple of hours? Maybe you clicked the Force Quit that did nothing more than lock the machine. I still have nightmares of the years I wasted working on OS 7, 7.5, and 7.6. When we switched to NT 4 we actually looked forward to the once a week blue screens. At least then we knew we crashed and we didn't try every key combination possible to get it back.
http://www.apple.com/xserve/cluster/wgcluster.html
and try to tell me Apple is producing shit hardware.
Maybe the reason there is so much Apple stuff on /. lately is because at this moment they are making the coolest stuff available in the computing world bar none, and /. editors *might* be able to tell when a company has turned itself around and react accordingly with increased coverage of that company's offerings??
Or do you think they should still be pissing down a rope at Apples products of 3 or 4 years ago, like the asshats who give lame outdated reasons to bash Apple. Wake up. Things are different now.
This strikes me as being a solution in need of a problem. Most people would agree it's far better to hire somebody to install the right server solution than to buy special hardware/software for the sole purpose of making it easier for yourself to do it.
Most people would refuse to answer this question without in-depth knowledge of a particular situation. At least most of the reasonable ones. It's not that difficult to imagine a small company with a small network, say - an independent design or advertising studio or an editorial office of a local newspaper - that ALREADY has a Mac network and one guy, who generally services all the dozen-or-so Macs in this network. It might be _more_ feasible to purchase XServe + MacOS X Server and give it to this guy to set up rather than hire an external networking consultant. Obviously, it's not a solution for everyone and I think in many cases indeed it would be cheaper to get someone just to put Linux on any given beige-box; but that's what Apple successfully does since Steve's return - profitable exploration of niches.
in 2-3 years I bet with the advent of Xserves with G5 and ECC RAM.
I am the Alpha and the Omega-3
Slashdot needs to be more discerning in which reviews it accepts. Accepting a poor quality review simply because it is submitted is unacceptable and does not make a positive contribution to the website.
Throughout the review the reviewer speaks in reference of the ease of use he had when he was with the regular Panther Client version, or how he is not sure how feature X works or why is this so complicated?
It was not designed for the reviewer's needs. Nor is this review of use to anyone who may actually use the features of Mac OSX Server. This simply displays that this user lacks the need, and the knowledge to properly take advantage of the product.
If we break down the reviewer's conclusion we discover that:
a) Oh well I really should've done my homework because Server doesn't really offer anything I need, but its not bad.
b) "For commercial use, however, Server is an excellent product that I wouldn't hesitate to recommend. It can offer the majority of services any business environment needs, for much less than the cost of Windows alternatives, and the man-hours cost saved with Server Admin is worth the price alone."
How can you possibly come to this conclusion based upon the experiences you have had? The reviewer has not faced the challenges of a sysadmin in a broader environment, nor is the reviewer qualified, from his own statements throughout the review, to make such an assessment.
If Slashdot wishes to increase its content - it should do so by accepting the submission of quality reviews, not reviews such as Part 1/2 of this.
What *I* wanted to know about Server is what it offered in terms of tools, so that is what I researched and did a review on. I didn't think I was alone in wanting to understand this better, and from the comments, I am sure I was right. Yes, a comparison would be nice, but I don't really have the time to do it, and the readers have offered their own opinions on that anyway. :-)
I haven't encountered many companies that value their employees time so much to not want them to save a couple of thousand dollars.
Also, there are some fundamental problems with debates on what a value the XServe is:
-it assumes you've had to buy software to do the same. Even using Linux most comparisons I've seen talk about expensive, 'enterprise' versions. Should be compared to free software.
-assumes you've had to make each box one at a time with no copied config files or installers and no knowledge retention (lots of talk on the expense of admin due to difficulty when compared to X's interface)
-assumes you like everything about the XServe and OS X. The way you update programs, the proprietary hardware, the admin system, etc.
I'm not saying it's not a swell machine. If you like it go for it. But don't think it's the best value for everyone. Many companies have stacks of Intel boxes, and paid for hardware with lots of spare parts and internal expertise.
According to his review most of the server related functions are your stock ftpd, samba, bind, etc... that work with the aqua GUI. Even the firewalling is just plain old IPFW, with a GUI interface.
OS X server is more likely showing indirectly how to configure all these services without CLI - rather than bridge the gap between user & admin.