Apple Mac OS X Server Guide d'installation

Mac OS X ServerAdvanced Server AdministrationVersion 10.6 Snow Leopard

10 Contents

Installing Locally from the Installation DiscYou can install Mac OS X Server directly onto a computer with a display, a keyboard, and a DVD drive atta

Chapter 5 Installation and Deployment 101After installation is complete, the target server restarts and you can perform initial server setup. Ch

3 Select the target server from the list of servers waiting for installation.If neither the target server nor the list appear, make sure the target

Chapter 5 Installation and Deployment 103For detailed instructions for connecting to a computer running from an Install DVD, see “Remotely Acces

sudo shutdown -r now# Method 2sudo systemsetup -liststartupdiskssudo systemsetup -setstartupdisk <path to disk root>Using the installer Command-

Chapter 5 Installation and Deployment 105 4 If you haven’t already done so, prepare the disks for installation.For more information about prepa

Installing Multiple ServersMost Ecient Methods of InstallationThe most ecient method of installation would be completely automated. Opening the Term

Chapter 5 Installation and Deployment 107Upgrading a Computer from Mac OS X to Mac OS X ServerThis is not supported in Mac OS X Server v10.6. Pe

108Basic characteristics of your Mac OS X Server are established during server setup. The server can operate in three dierent congurations: advanc

Chapter 6 Initial Server Setup 109If you’re setting up a server without a keyboard or display, you can enter the following in the Terminal appli

11This guide provides a starting point for administering Mac OS X Server v10.6 using its advanced administration tools. It contains information ab

Default SSH and Apple Remote Desktop state is enabled. ÂNetwork interfaces (ports) are congured. ÂTCP/IP and Ethernet settings are dened for each po

Chapter 6 Initial Server Setup 111 Â Import Users and GroupsThis setting connects the server to an existing Open Directory or Active Directory s

Even if you want to change the server’s directory setup, selecting “Congure Manually” is the safest option, especially if you’re considering changing

Chapter 6 Initial Server Setup 11 3To interactively connect to an additional directory server: 1 Open the Accounts pane of System Preferences o

The following illustration shows target servers on the same subnet as the administrator computer in one scenario and target servers on a dierent subn

Chapter 6 Initial Server Setup 11 5If the computer you want to congure doesn’t appear in the list, you can add it manually by clicking the Add

The automatic approach is useful when you:Have more than a few servers to set up ÂWant to prepare for setting up servers that aren’t yet available ÂWa

Chapter 6 Initial Server Setup 11 7You can dene generic setup data that can be used to set up any server. For example, you can dene generic se

Using Encryption with Setup Data FilesSaved setup data can be encrypted for extra security. Before a server sets itself up using encrypted setup data,

Chapter 6 Initial Server Setup 11 9If setup data is encrypted, the server needs the correct passphrase before setting itself up. You can use Ser

12 Preface About This GuideUsing Onscreen HelpYou can get task instructions onscreen in Help Viewer while you’re managing Mac OS X Server v10

To use setup data from a le remotely: 1 Create the folder for the setup le on the remote server. a Connect to the remote server.ssh root@<serve

Chapter 6 Initial Server Setup 121Handling Setup ErrorsWhen a server encounters a setup problem, Server Assistant shows a description of the set

Setting Up ServicesAfter installation and initial startup, the rst time you open Server Admin, you see any services that were congured during server

Chapter 6 Initial Server Setup 12 3Setting Up Open DirectoryUnless your server must be integrated with another vendor’s directory system or the

12 4This chapter shows you how to complete ongoing management for your systems, including setting up administrator computers, designating administra

Chapter 7 Ongoing System Management 12 5In the following illustration, the arrows originate from administrator computers and point to servers th

Using the Administration ToolsInformation about administration tools can be found on the pages indicated in the following table.Use this application o

Chapter 7 Ongoing System Management 12 7You can use Workgroup Manager on a v10.6 server to manage Mac OS X clients running the latest Mac OS X v

Server Admin BasicsYou use Server Admin to administer services on Mac OS X Server computers. Server Admin also lets you specify settings that support

Chapter 7 Ongoing System Management 12 9If a server in the Servers list appears gray, double-click the server or click the Connect button in the

Preface About This Guide 13Document Road MapMac OS X v10.6 has a suite of guides which can cover management of individual services. Each service

IP address ÂOS version ÂTo create a server smart group: 1 Under the Server list at the bottom of the Server Admin window, click the Add (+) button. 2

Chapter 7 Ongoing System Management 131The following table contains a summary of what you nd for each button:Toolbar button ShowsOverview Info

Server-side le tracking for mobile home-sync is a feature of mobile home folders. For information about when to enable this feature, see the online h

Chapter 7 Ongoing System Management 133The following sections give guidance regarding the types of changes will be necessary for a name or IP ad

Your network conguration might have other domains, computers, and record types that are impacted by a server’s IP address change (SRV records, for in

Chapter 7 Ongoing System Management 13 5Changing the DNS name of the directory server requires that all bound machines be rebound to the new dir

VPNVPN servers allocate IP address ranges to VPN clients and mediate DNS queries of VPN clients. Any of these can be aected by a change to the VPN se

Chapter 7 Ongoing System Management 137MySQLIn general, MySQL is not aected by changing an IP address or DNS name. However, none of the data in

For the most part, changing the network address or DNS name of a le server has no internal aect on le services. The le service processes monitor n

Chapter 7 Ongoing System Management 13 9IMAP and POPDovecot, the IMAP and POP service, loads the fully-qualied domain name at startup and cong

14 Preface About This GuideViewing PDF Guides OnscreenWhile reading the PDF version of a guide onscreen:Show bookmarks to see the guide’s outl

Address Book ServiceChanging the IP address of an Address Book server does not aect new connections to the server; however, it can disconnect existin

Chapter 7 Ongoing System Management 141Certicates for Collaboration ServicesAddressBook, iCal, and iChat servers that use SSL will need new cer

To change the IP address of the Podcast Producer computer: 1 Stop the Xgrid job queue when empty (or stop and empty it). 2 Recongure DNS, Open Dire

Chapter 7 Ongoing System Management 143Software Update Service ÂXgrid ÂAfter Software Update changes the DNS name or IP address, a number of cha

Changing the IP Address of a ServerYou can change the IP address of a server using the Network pane of System Preferences or the networksetup tool.Do

Chapter 7 Ongoing System Management 145You can use the scutil command-line tool to set the local hostname and local hostname. For more informati

Adding and Removing Services in Server AdminServer Admin can only show you the services you are administering, hiding all other service conguration p

Chapter 7 Ongoing System Management 147Controlling Access to ServicesYou can use Server Admin to congure which users and groups can use service

Using SSL for Remote Server AdministrationYou can control the level of security of communications between Server Admin and remote servers by choosing

Chapter 7 Ongoing System Management 149The following is the File Sharing conguration pane in Server Admin.Tiered Administration PermissionsIn p

Preface About This Guide 15Getting Documentation UpdatesPeriodically, Apple posts revised help pages and new editions of guides. Some revised he

Server Admin updates to reect what operations are possible for a user’s permissions. For example, some services are hidden or the Settings pane is di

Chapter 7 Ongoing System Management 151The following topics describe general Workgroup Manager usage. Instructions for conducting specic admini

The following is a sample user record conguration pane in Workgroup Manager: Initially, accounts listed are those stored in the last directory node o

Chapter 7 Ongoing System Management 153Dening Managed PreferencesTo work with managed preferences for user accounts, group accounts, or compute

Working with Directory DataTo work with raw directory data, use Workgroup Manager’s Inspector.The following is the record Inspector pane in Workgroup

Chapter 7 Ongoing System Management 155Service Conguration AssistantsServer Admin has conguration assistants to guide you through setting up s

Address Book ServiceFile type LocationConguration les /etc/cardavd/cardavd.plistData /Library/AddressBookServer/Documents/iCal ServiceFile type Loca

Chapter 7 Ongoing System Management 157Mail—AmavisdFile type LocationConguration les /etc/amavisd.confData: (default locations) /var/amavis/M

NoticationsFile type LocationConguration les /etc/emond.d//etc/emond.d/rules//Library/Keychains/System.keychainOpenDirectory ServiceThe entire Open

Chapter 7 Ongoing System Management 159Web ServiceFile type LocationConguration les /etc/apache2/* (for Apache 2.2)/etc/httpd/* (for Apache 1.

16Mac OS X Server gives you everything you need to provide standards-based workgroup and Internet services — delivering a world-class UNIX server so

Some single points of failure include:Computer system ÂHard disk ÂPower supply ÂAlthough it is almost impossible to eliminate all single points of fai

Chapter 7 Ongoing System Management 161Using Backup PowerIn the architecture of a server solution, power is a single point of failure. If power

The automatic restart options are: Â Restart automatically after a power failure. The power management unit automatically starts up the server after a

Chapter 7 Ongoing System Management 163Link AggregationAlthough not common, the failure of a switch, cable, or network interface card can cause

About the Link Aggregation Control Protocol (LACP)IEEE 802.3ad Link Aggregation denes a protocol called Link Aggregation Control Protocol (LACP) that

Chapter 7 Ongoing System Management 165Computer to SwitchIn this scenario shown in the following illustration, you connect your server to a swit

For example, you can connect two links to the master switch and the remaining links to the backup switch. As long as the master switch is active, the

Chapter 7 Ongoing System Management 167The interface name bond<num> assigned by the system is dierent from the name you give to the link

Load BalancingOne factor that can cause services to become unavailable is server overload. A server has limited resources and can service a limited nu

Chapter 7 Ongoing System Management 169Daemon OverviewBy the time a user logs in to a Mac OS X system, a number of processes are running. Many o

Chapter 1 System Overview and Supported Standards 17What’s New in Mac OS X Server v10.6Mac OS X Server v10.6 oers major enhancements in several

The launchctl utility is the command-line tool used to control launchd. It can:Load and unload daemons ÂStart and stop launchd controlled jobs ÂGet sy

171Eective monitoring allows you to detect potential problems before they occur and gives you early warning when they occur.Detecting potential p

Several factors can be considered for a monitoring response:What are relevant response methods? In other words, how will the response take Âplace?Wha

Chapter 8 Monitoring Your System 173A green status indicator shows the component is OK, a yellow status indicator notes a warning, and a red sta

df -HlFilesystem Size Used Avail Capacity Mounted on/dev/disk0s9 40G 38G 2.1G 95% /In this example, the hard disk is almost full with only 2.1 GB left

Chapter 8 Monitoring Your System 175If you detect an unusual number of requests coming from the same source, use Firewall service to block trac

The following shows a sample Overview pane for a single server.This overview shows basic hardware, operating system versions, active services, and gr

Chapter 8 Monitoring Your System 177When a server kernel panics it abruptly halts all normal system operations. Usually, a kernel process named

Setting Up a Core Dump ServerYou can use any Mac OS X v10.5 or later computer to be a core dump server that ts the following criteria. The core dump

Chapter 8 Monitoring Your System 179Setting Up a Core Dump ClientA core dump client sends its kernel panic debug information to the core dump se

OpenCL support ÂMac OS X Server v10.6 supports OpenCL and makes it possible for developers to use the GPU for general computational tasks.What’s New i

Conguring Common Core Dump OptionsBy default, core dumps happen using UDP port 1069 over the built-in Ethernet (en0) interface, and the resulting le

Chapter 8 Monitoring Your System 181SNMPv2 is the default access protocol and the default read-only community string is “public.”Enabling SNMP r

To enable and congure SNMP:Use the /usr/bin/snmpconf command, which takes you through a basic text-based msetup assistant for conguring the communi

Chapter 8 Monitoring Your System 183Step 3: Collect SNMP information from the hostTo get the SNMP-available information you added, execute this

There are two main notication daemons: syslogd and emond. Â syslogd: The syslogd daemon is a standard UNIX method of monitoring systems. It logs mes

Chapter 8 Monitoring Your System 185LoggingMac OS X Server maintains standard UNIX log les and Apple-specic process logs. Logs for the OS can

Syslog Conguration FileThe Syslog conguration le can be found at /etc/syslog.conf. Each line has the following format:<facility>.<loglevel

Chapter 8 Monitoring Your System 187To run slapd in debugging mode: 1 Stop and remove slapd from launchd’s watch list:launchctl unload /System/

188Provide increased server responsiveness to clients and reduce server load with Push Notication Server.Mac OS X Server v10.6 uses an XMPP Pubsub

Chapter 9 Push Notication Server 189Starting and Stopping Push NoticationWhen you start push notication on a server, the service broadcasts i

Chapter 1 System Overview and Supported Standards 19The following table highlights the capabilities of each conguration tool.Service Set in ini

Changing a Service’s Push Notication ServerIf push notication is congured on the server, it is listed in the location on the service’s settings pan

AaccessACLs 55, 75IMAP 13 9IP address restrictions 52Keychain Access Utility 66LDAP 21, 58Mac address 53, 90remote installation 84, 88, 90, 101

192 Indexpreparing 64private keys 59public keys 59renewing 71requesting 63, 64, 65root 66self-signed 61, 65Server Admin 62, 148services us

Index 193Eemail. See mail serviceemond daemon 184encryption 54, 55, 59, 11 8See also SSLEthereal packet sning tool 175Ethernet 53, 109, 166exp

19 4 Indexserver 14 4static 82See also identityIPv6 addressing 22Jjournaling, le system 93junk mail screening 13 9KKerberos 21, 57, 58, 13 4

Index 195See also Open DirectoryOpenCL 18OpenLDAP 21OpenSSL 54operating environment requirements 162PPackageMaker 47packets, data, ltering of

19 6 IndexServer Adminaccess control 147as administration tool 12 8authentication 38certicates 62, 148conguration methods 18customizing 40n

Index 197UUDP (User Datagram Protocol) 52, 180UNIX 23updating software 107upgradingfrom previous server versions 25, 28saved setup data 11 7vs

Apple Inc. K© 2009 Apple Inc. All rights reserved.The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publicat

Service Set in initial server setupServer Preferences Server AdminOpen Directory master (user accounts and other data)Optional Optional Yes Podcast P

Chapter 1 System Overview and Supported Standards 21A standards-based directory services architecture oers centralized management of network re

 Web Technologies: Mac OS X Server is a complete AMP stack (a bundle of integrated Apache-MySQL-PHP/Perl/Python software). Mac OS X Server web tech

Chapter 1 System Overview and Supported Standards 23 Â XMPP: Extensible Messaging and Presence Protocol (XMPP) is an open XML-based messaging p

24Before installing and setting up Mac OS X Server do a little planning and become familiar with your options.The major goals of the planning phase

Chapter 2 Planning Server Usage 25During the planning stage, you’ll also decide which installation and server setup options best suit your needs

If you’ve been planning to replace a Windows NT computer, consider using Mac OS X Server with its extensive built-in support for Windows clients. Make

Chapter 2 Planning Server Usage 27Home folders for network users can be consolidated onto one server or distributed Âamong various servers. Alt

Dening a Migration StrategyIf you’re using Mac OS X Server v10.4–10.5 or a Windows-based server, examine the opportunities for moving data and settin

Chapter 2 Planning Server Usage 29The rst aspect primarily involves directory services integration. Identify which Mac OS X Server computers wi

11 Preface: About This Guide11 What’s in This Guide12 Using Onscreen Help13 Document Road Map14 Viewing PDF Guides Onscreen14 Printing PDF Gui

For example, if you use Mac OS X Server to provide DHCP, network time, or BootP services to other servers, you should set up the servers that provide

Chapter 2 Planning Server Usage 31Making Sure Required Server Hardware Is AvailableYou might want to postpone setting up a server until all its

Understanding Backup and Restore PoliciesThere are many reasons to have a backup and restore policy. Your data is subject to failure because of failed

Chapter 2 Planning Server Usage 33Your organization must determine the following:What must be backed up? ÂWhat should not be backed up (as per o

Understanding Backup SchedulingBacking up les requires time and resources. Before deciding on a backup plan, consider the following questions:How muc

Chapter 2 Planning Server Usage 35Consider the following questions:How long will it take to restore data at each level of granularity? ÂFor exam

 Capacity. If you back up only a small amount of data, low-capacity storage media can do the job. But if you need to back up large amounts of data,

Chapter 2 Planning Server Usage 37For example, Time Machine doesn’t back up user and group directory records, email, DNS records, Address Book s

38Manage Mac OS X Server using graphical applications or command-line tools.Mac OS X Server v10.6 administration applications must be run from eithe

Chapter 3 Administration Tools 39Server Admin InterfaceThe Server Admin interface is shown here, with each element explained in the following ta

4 Contents33 Understanding Backup Types34 Understanding Backup Scheduling34 Understanding Restores35 Other Backup Policy Considerations36 Co

DMain Work Area: Shows status and conguration options. This looks dierent for each service and for each context button selected.EAvailable servers:

Chapter 3 Administration Tools 41Server AssistantServer Assistant is used for:Remote server installations ÂInitial setup of a local server ÂInit

Server PreferencesServer Preferences is the simplied administration application you need for managing Mac OS X Server v10.6. You can use Server Prefe

Chapter 3 Administration Tools 43Workgroup Manager InterfaceThe Workgroup Manager interface is shown here, with each element explained in the fo

Customizing the Workgroup Manager EnvironmentThere are several ways to tailor the Workgroup Manager environment:To open Workgroup Manager Preferences,

Chapter 3 Administration Tools 45To identify the Xserve computer to monitor, click Add Server, identify the server, and enter user name and pass

iCal Service UtilityiCal Service Utility gives users access to shared information about locations and resources. Users can use iCal Service Utility to

Chapter 3 Administration Tools 47System Image ManagementYou can use the following Mac OS X Server applications to set up and manage NetBoot and

Command-Line ToolsIf you’re an administrator who prefers to work in a command-line environment, you can do so with Mac OS X Server.From the Terminal

Chapter 3 Administration Tools 49Podcast Capture, Composer, and ProducerPodcast Capture takes audio and video from a local or remote camera, cap

Contents 558 Single Sign-On59 About Certicates, SSL, and Public Key Infrastructure59 Public and Private Keys60 Certicates60 About Certicate

Apple Remote DesktopApple Remote Desktop (ARD), which you can optionally purchase, is an easy-to-use network-computer management application. It simpl

51By vigilantly adhering to security policies and practices, you can minimize the threat to system integrity and data privacy.Mac OS X Server is b

About Network SecurityNetwork security is as important to data integrity as physical security. Although someone might immediately see the need to lock

Chapter 4 Enhancing Security 53This allows an organization to provide services to the external network while protecting the internal network fro

In theory, MAC ltering allows a network administrator to permit or deny network access to hosts and devices associated with the MAC address, although

Chapter 4 Enhancing Security 55Most transport encryption requires the participation of both parties in the transaction. Some services (such as S

 Secure VM: Secure VM encrypts system virtual memory (memory data temporarily written to the hard disk), not user les. It improves system security

Chapter 4 Enhancing Security 57In Mac OS X Server, users trying to access services (like logging in to a directory-aware workstation, or trying

Web Service (Apache via the SPNEGO Simple and Protected GSS-API Negotiation ÂMechanism protocol)Xgrid  ÂStoring passwords in user accounts. This app

Chapter 4 Enhancing Security 59Kerberos also provides a single sign-on environment where users must authenticate only once a day, week, or other

6 Contents84 About Starting Up for Installation84 Before Starting Up85 Starting Up from the Install DVD85 Starting Up from an Alternate Parti

Web, mail, and directory services use the public key with SSL to negotiate a shared key for the duration of the connection.For example, a mail server

Chapter 4 Enhancing Security 61About IdentitiesIdentities are a certicate and a private key, together. The certicate identies the user, and t

Several keychains can hold certicates: Â SystemRootCerticates: This keychain holds root certicates that ship with Mac OS X. The certicates alread

Chapter 4 Enhancing Security 63The Server Admin interface is shown below, with Certicates selected.Certicate Manager provides integrated manag

When certicates and keys are imported via Certicate Manager, they are put in the /etc/certicates/ directory. The directory contains four PEM format

Chapter 4 Enhancing Security 65Creating a Self-Signed CerticateA self-signed certicate is generated at server setup. Although it is available

4 Click the Action button below the certicates list and choose “Generate Certicate Signing Request (CSR).”Certicate manager creates the signing r

Chapter 4 Enhancing Security 67 5 If you override the defaults, provide the following information in the next few screens:A unique serial numbe

Using a CA to Create a Certicate for Someone ElseYou can use your CA certicate to issue a certicate to someone else. By doing so you are stating yo

Chapter 4 Enhancing Security 69 7 Click the Import button.If prompted, enter the private key passphrase.Managing CerticatesAfter you create an

Contents 7124 Chapter 7: Ongoing System Management124 Computers You Can Use to Administer a Server124 Setting Up an Administrator Computer125 U

For instructions on how to do this, see “Replacing an Existing Certicate” on page 71.Distributing a CA Public Certicate to ClientsIf you’re using se

Chapter 4 Enhancing Security 71 5 Click Save.Renewing an Expiring CerticateCerticates have an expiration date and must be renewed periodicall

SSH and SSH KeysSSH is a network protocol that establishes a secure channel between your computer and a remote computer. It uses public-key cryptograp

Chapter 4 Enhancing Security 73The -b ag sets the length of the keys to 1,024-bits, -t indicates to use the RSA hashing algorithm, -f sets the

$count = @{[$_ =~ /$match/g]};if($count > 0) {$flag = 1;}}close SBUFF;if($flag == 1) {"ssh $server -x -o batchmode=yes shutdown -r now"}}

Chapter 4 Enhancing Security 75You can determine which services other admin group users can modify. To do this, the administrator making the de

Security Best PracticesServer administrators must make sure that adequate security measures are implemented to protect a server from attacks. A compro

Chapter 4 Enhancing Security 77Do not use administrator (UNIX “admin” group) accounts for daily use. ÂRestrict the use of administration privile

Creating Complex PasswordsUse the following tips to create complex passwords:Use a mix of alphabetic (upper and lower case), numeric, and special char

79Whether you install Mac OS X Server on a single server or a cluster of servers, there are tools and processes to help the installation and deplo

8 Contents159 Eliminating Single Points of Failure160 Using Xserve for High Availability161 Using Backup Power161 Setting Up Your Server for

Step 3: Set up the environmentIf you are not in complete control of the network environment (DNS servers, DHCP server, rewall, and so forth) coordina

Chapter 5 Installation and Deployment 81“ Â Installing Remotely with Server Assistant” on page 101“ Â Installing Remotely with Screen Sharing an

Setting Up Network ServicesBefore you can install, you must set up the following for your network service: Â DNS: You must have a fully qualied doma

Chapter 5 Installation and Deployment 83Mac OS X Server Install DiscThe Install Disc has a Documentation folder with Getting Started, Installati

When you install and set up Mac OS X Server on a computer that has a display and keyboard, it’s already an administrator computer. To make a computer

Chapter 5 Installation and Deployment 85Starting Up from the Install DVDThis is the simplest method of starting the computer, if you have physic

However, if you are reinstalling regularly, or if you are creating an external Firewire drive-based installation to take to various computers, or if y

Chapter 5 Installation and Deployment 87 4 Select File > New > Disk Image from <device>. 5 Give the image a name; select Read-only

Tip: ∏ You can use asr to restore a disk over a network, multicasting the blocks to client computers. Using the multicast server feature of asr, you

Chapter 5 Installation and Deployment 89This is usually the rst eight characters of the server’s built-in hardware serial number.For more infor

Contents 9188 Chapter 9: Push Notication Server188 About Push Notication Server189 Starting and Stopping Push Notication190 Changing a Servi

2 Identify the target server.If you don’t know the IP address and the remote server is on the local subnet, you can nd servers using the comannd l

Chapter 5 Installation and Deployment 91You can use the dns-sd tool to identify computers on the local subnetwhere you can install server softwa

Step 1: Create a NetInstall image from the Install DVDThis step doesn’t need to be done on the target computer. It can be done on an administrator com

Chapter 5 Installation and Deployment 93If you’re using an installation disc for Mac OS X Server v10.6, you can perform these tasks from another

A case-sensitive volume is supported as a start volume format. An HFSX le system for Mac OS X Server must be specically selected when erasing a volu

Chapter 5 Installation and Deployment 95Partitioning a DiskYou can use the Installer to open Disk Utility and then use Disk Utility to partition

Additional information about diskutil and other uses can be found in Introduction to Command-Line Administration. For complete command syntax for disk

Chapter 5 Installation and Deployment 97You can combine RAID sets to combine their benets. For example, you can create a RAID set that combines

5 Drag the disks to the window. 6 Follow the instructions in the window to set parameters. 7 Click Create.You can nd instructions for partitionin

Chapter 5 Installation and Deployment 99Erasing a Disk or PartitionYou have several options for erasing a disk, depending on your preferred tool