These are the optimizations on OS X Server that are done at boot. Otherwise not much is different I don't think. The AppleFileServer is a completely different daemon.
the lameness filter isn't allowing me to post it in its entirety, so here are the relevant things.
# This sets the system-wide limit on the number of processes.
kern.maxproc=2048

# This limits the number of processes per user.
kern.maxprocperuid=1000

# This sets a threshold that triggers increasing the send/recv windows for TCP
# connection from 32K to 64K to improve some file downloads.
# net.inet.tcp.sockthreshold=512

# This sets the ICMP bandwidth limiter.
# On a busy server, to avoid excess messages in the log, you may want to
# increase this value beyond its default of 250 messages per second.
# net.inet.icmp.icmplim=500

# These security options can be enabled to prevent your network from responding
# with a reset to SYN request on a port that isn't listening, and to log such attempts.
# Their default value is 0.
#
# net.inet.tcp.blackhole=1
# net.inet.tcp.log_in_vain=1
# net.inet.udp.blackhole=1
# net.inet.udp.log_in_vain=1
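An added example, not part of the original comment: a small Python check that reads a sysctl.conf in the layout quoted above and reports whether each of the four blackhole/log_in_vain options is live, still commented out, or missing. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the sysctl.conf excerpt quoted above.
SAMPLE_CONF = """\
# This sets the system-wide limit on the number of processes.
kern.maxproc=2048
# net.inet.icmp.icmplim=500
# Their default value is 0.
# net.inet.tcp.blackhole=1
net.inet.tcp.log_in_vain=1
# net.inet.udp.blackhole=1
"""

# The four options the excerpt describes; the page gives their default as 0.
SECURITY_KEYS = (
    "net.inet.tcp.blackhole",
    "net.inet.tcp.log_in_vain",
    "net.inet.udp.blackhole",
    "net.inet.udp.log_in_vain",
)

# Optional leading '#', then key=value with nothing else on the line.
# Prose comment lines do not match, so they are never mistaken for settings.
_SETTING = re.compile(r"^(#\s*)?([A-Za-z0-9_.]+)\s*=\s*(\S+)\s*$")

def parse_sysctl_conf(text):
    """Return (active, commented): key -> value for live and commented-out settings."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = _SETTING.match(line.strip())
        if not m:
            continue  # blank line or prose comment
        target = commented if m.group(1) else active
        target[m.group(2)] = m.group(3)
    return active, commented

def audit_security_options(text):
    """Map each security option to enabled, disabled, commented out, or absent."""
    active, commented = parse_sysctl_conf(text)
    report = {}
    for key in SECURITY_KEYS:
        if key in active:
            report[key] = "enabled" if active[key] != "0" else "disabled"
        elif key in commented:
            report[key] = "commented out"
        else:
            report[key] = "absent"
    return report
```

This only inspects the file; the value the running kernel actually uses can differ if something changed it after boot.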
I've got 600.
and I know of much bigger clients than me.
bullshit.
There are problems with OS X Server, but none of this is really valid.
depends what you mean by medium.
I'm probably 'small', but I run a campus of 300 staff and 3000 students, all services run on OS X Server.
Open Directory setup, masters, replicas, Samba, Apache, Tomcat, Cyrus, Postfix, MySQL, PostgreSQL, NFS, NetBoot, NetRestore, QTSS, ISC DHCPD, BIND, yadda yadda yadda.
Most storage is on XServe RAIDS, no FC switches, just direct FC.
All computers have AFP or SMB mounted home directories, the laptop users are on mobile homes.
It's a good server platform. Sure, the GUI gets annoying every so often when there are basic things it can't do like virtual mail domains, but I tend to prefer managing those kinds of things from the command line anyway.
The best thing is Open Directory. Apple realized a while ago that they simply had to "play well with others", and so it integrates very nicely with all the big ones, NIS, LDAP, Active Directory, etc.
Bullshit.
I admined pre-OSX boxes for years.
Some dialogs do stop processing, but it's not "any time you get a dialog on the screen".
Your problem is more likely FileMaker, which is horrific at these things. As soon as *FileMaker* produced a dialog of its own, then *FileMaker* services stop working.
The whole machine doesn't though.
no, just that abstract problem solving doesn't depend on a computer science degree... and in some respects technically competent artists are better equipped for these kinds of roles.
i'm talking about first level tech support here...
This is so true.
I've gotten jobs that described a Comp Sci degree as mandatory, and yet my undergraduate is in Philosophy.
If your resume is up to scratch, quite a lot of these places will accept you for an interview anyway.
(some of my worst tech support staff have been Comp Sci graduates, and some of the best have been artists...)
that trick worked in pre-10.3.6, but no longer does.
heh. Apple know pr0n is what everyone really uses the internet for... Private Surfing Mode
So?
Why do you care?
If you simply accept that languages have always changed, and will always change, you'll probably be a lot happier.
There's a difference between using language incorrectly according to the culture you live in, and the meaning of a word changing over time....
be descriptive, not prescriptive.
My point was that it doesn't actually use it for authentication in very many contexts. yes, it is the same PAM as we're used to under Linux, but my point was that your statement "OSX just uses Linux-PAM [apple.com] for authentication" is kind of misleading.
The majority of authentications under OS X that people actually use do not touch PAM.
No, PAM isn't as pervasive in OS X as it can be under Linux.
You cannot authenticate from the loginwindow against PAM. Try it. You cannot authenticate against the AFP server.
This is a case of the left hand not knowing what the right hand is doing...
I believe this is because loginwindow consults SecurityServer directly and PAM sits on top of SecurityServer.
You really should download the sample chapters from the site.
:)
Disclaimer before I go any further: I have read most of this eBook. I do know the author, he isn't one of my inner circle of friends in real life, but we get along, and we have some common close friends. My posting history should show that I'm reasonably knowledgeable about the Mac.
That being said, I'm going to address your issues you have raised.
This book has very little blatant philosophy, and almost entirely consists of practical advice. The few philosophical statements are 100% focused upon troubleshooting.
Yes, a lot of the content can be found from a hugely disparate set of sources on the internet. You were expecting "The Sekrit Tome of Macintosh" ? By no means has this simply been reprinted however. It's arranged in a very logical manner, and the cross indexing really is good. This isn't just a paper book in eBook form, a serious attempt has been made to take advantage of the format. This is a good thing. My Mac support unit never buys printed Mac books anymore. They just date too fast.
It's not broad. It is wide-ranging but specific. There is a difference.
You know how small creative departments often have to support Macs themselves? This book is perfectly aimed at that segment, but is not entirely restricted to it.
If you're a Mac guru who spends their life browsing Mac Ach, Apple discussions, MacOSXHints, MacFixIt, etc etc etc, then you probably know most of what is in this book. However, you might find it simpler to tell people to buy this rather than ring you up at all hours....
Political Hypercorrectness is one thing, but that guy you linked to is simply a tool.
I found it utterly compelling.
The detail, the incredibly tumultuous times... all these historically great scientific figures who hadn't worked out how to do science yet.... The political upheaval... the fights over the calculus... the amazing picture of London it built up...
a couple of pages here and there dragged on, but I was entranced. I called in sick for a couple of days to work to simply sit at home and read it.
I don't get the Snow Crash hero-worship though. It's kind of crap. Cryptonomicon was brilliant, Diamond Age slightly less so and Zodiac was a good yarn.
Well You've Completely Convinced Me...
Retrospect has been problematic for a lot of people in OS X.
It may be idiot-simple, but it's horrendously single-threaded, and still doesn't run properly as a daemon.
Don't go bagging people out just because your own personal anecdotes don't support their point of view. OS X Server admins have been clamouring for a better solution than Retrospect for years.
It's the name of the Apple higher ed magazine here in Australia.
If you mean authentication realms, you can just define them to use usernames from Open Directory.
otherwise I'm not sure what you mean?
Single Sign On.
Basically once you're logged into the Kerberos realm as a particular user, any Kerberized service will automatically recognize you as that user, so you don't need to enter in another password/username combination.
This takes centralized user accounts to another level, where not only do you have the same username and password for all your services, but you only have to enter that combination in once. The default on OS X is for Kerberos tickets to last 10 hours before expiring.
You're missing the killer server features.
You know how Kerberos can be a real pain to set up and manage? Well with Panther Server, if you've set up a box as an Open Directory master, it automatically integrates itself as a KDC.
Any boxes which log into that OD/LDAP directory automatically retrieve the relevant Kerberos information from the LDAP store, no extra configuration required.
The AFP server, the SMB server, the POP/IMAP/SMTP servers are all Kerberized, as is the ssh daemon, and the loginwindow of any client machines.
It's probably worth discussing the fact that Apple have finally gotten their shit together with regards to command line administration, as in that everything you can do with the GUI tools you now have *simple* command line equivalents.
ie, no more screwing around with NetInfo and inserting properties by hand to construct mounts/users, you now have proper tools.
Apple finally did the smart thing and followed what most OSXS admins have been doing for a few years, they've dropped their proprietary AppleMailServer in favour of postfix+cyrus.
They've pretty much dropped NetInfo for network directories, it's now just restricted to a local store, and LDAP publishes this information by default. You can still run a NetInfo directory, and indeed I've got boxes logging into both my old NetInfo directory and my new LDAP directory so that I can do user migration more easily.
There are a wealth of features that weren't even touched upon by this review, it's just kind of lame to read a home user's review of a server product.
hey! It's you... :)
If I remember correctly, this thing has been demoed at at least the last NAMM, and possibly the one before.
From what I heard, it was pretty much an empty shell last year and was utter vapourware....
Did you see it on?
Did it boot?
Could you do anything with it?
I seem to remember being amazed at just how many damn dates there were... and being even more amazed that people knew them...
nothing compared to that guy who came up with the internationalisation bug/easter egg that took three minutes just to describe....
I thought WWDC was full of nerds, but then Stump the Experts was like concentrated nerd juice...
perhaps you should investigate how crap gcc really is at optimizing, especially for AltiVec, and especially in comparison to xlc.