Mac OS X Server Administrator’s Guide
For version 10.2.3 or later
10 Contents Where to Find More Information 582 16 SLP DA Service 583 Before You Begin 583 Managing Service Location Protocol (SLP) Direc
100 Chapter 2
Setting Up an Active Directory Server
If you want a Mac OS X computer to get administrative data from an Active Directory server, the d
Directory Services 101
• Create an LDAPv2 server configuration. For instructions, see “Creating an LDAPv2 Server Configuration” on page 101.
• Change LD
102 Chapter 2 In the Name field, enter a descriptive name for the LDAPv2 server. In the Address field, enter the LDAPv2 server’s DNS name or IP address
Directory Services 103
Select “Use the username and password below” if Open Directory should not connect anonymously. Enter the distinguished name (f
104 Chapter 2 Select Groups in the Record Type list. Then edit the “Maps to” value to specify a search base on the LDAPv2 server that provides group
Directory Services 105If other items in the Data Type column will be retrieved from the LDAPv2 server, select them one by one. When you select an it
106 Chapter 2 3 Click the right arrow to get to the Location step, and then select the setting that indicates the server is at its permanent network
Directory Services 107
• With DHCP binding, a DHCP server automatically supplies the address and NetInfo tag of the shared NetInfo domain. To use DHC
108 Chapter 2
To add a machine record to a parent NetInfo domain:
1 Open NetInfo Manager on the computer where the parent domain resides, then open t
Directory Services 109
4 To change the value of an existing port property, double-click the value in the Value(s) column and make the change.
5 To de
Contents 11
Standard Attributes in Mount Records 636
Standard Attributes in Config Records 637
Appendix B Integrating Mac OS X Directory Serv
110 Chapter 2
Using Berkeley Software Distribution (BSD) Configuration Files
Historically, UNIX computers have stored administrative data in configura
Directory Services 111
/etc/master.passwd
/etc/group
/etc/hosts
/etc/fstab
You can specify different BSD configuration files by editing the DSFFPlugin.plis
112 Chapter 2 If Directory Access displays an error message saying “Plug-in configuration application /Developer/Applications/Property List Editor.ap
Directory Services 113
7 When you finish, save and close the file.
Field name: Purpose
AlternateRecordNameIndex (optional): An index that can be used as a
114 Chapter 2
Setting Up Data in BSD Configuration Files
If you want a Mac OS X computer to get administrative data from BSD configuration files, the d
Directory Services 115
Editing BSD Configuration Files of Remote Computers
You can’t use the Directory Access application on your computer to connect
116 Chapter 2
Backing Up and Restoring Directory Services Files
You can back up the following directory services data:
• Open Directory domain data:
117
CHAPTER 3
Users and Groups
User and group accounts play a fundamental role in a server’s day-to-day operations:
• A user account stores data Mac O
118 Chapter 3
How User Accounts Are Used
When you define a user’s account, you specify the information needed to prove the user’s identity: user name
Users and Groups 119
After login, the user can connect to a remote Mac OS X computer if the user’s account can be located within the search policy of
LL0395.Book Page 12 Wednesday, November 20, 2002 11:44 AM
120 Chapter 3
• A non-Apple LDAP server can be used to validate the password.
Information Access Control
All directories (folders) and files on Mac OS
Users and Groups 121
Directory and File Access by Other Users
The UID, in conjunction with a group ID, is also used to control access by users who are
122 Chapter 3 Any user who has a user account in a directory domain can be made an administrator of that domain. You can control the extent to which
Users and Groups 123Mail account settings let you enable and disable the user’s access to mail services running on a particular Mac OS X Server. You
124 Chapter 3 You can grant administration privileges for a group folder to a user. A group folder administrator has owner privileges for the group
Users and Groups 125
Groups, Primary Groups, and Workgroups
As noted earlier, when you define preferences for a group, the group is known as a workgrou
126 Chapter 3
Predefined Accounts
The following table describes the user accounts that are created automatically when you install Mac OS X Server (un
Users and Groups 127
The following table characterizes the group accounts that are created automatically when you install Mac OS X Server.
Unprivilege
128 Chapter 3
Setup Overview
These are the major user and group administration activities:
• Step 1: Before you begin, do some planning.
• Step 2: S
Users and Groups 129
Step 1: Before you begin, do some planning
See “Before You Begin” on page 132 for a list of items to think about before you start
13 PREFACE How to Use This Guide What’s Included in This Guide This guide consists primarily of chapters that tell you how to administer individual
130 Chapter 3 Step 4: Configure server search policies so servers can find user and group accountsMake sure that the search policy of any server tha
Users and Groups 131For details about all the settings for a group account, see “Working With Member Settings for Groups” on page 169 through “Worki
132 Chapter 3
Before You Begin
Before setting up user and group accounts for the first time:
• Identify the directory domains in which you will store u
Users and Groups 133You may want to store home directories for users with last names from A to F on one computer, G to J on another, and so on. Or y
134 Chapter 3
Administering User Accounts
This section describes how to administer user accounts stored in various kinds of directory domains.
Where U
Users and Groups 135
Creating Read-Write LDAPv3 User Accounts
You can create a user account on a non-Apple LDAPv3 server if it has been configured for
136 Chapter 3
Working With Read-Only User Accounts
You can use Workgroup Manager to review information for user accounts stored in read-only director
Users and Groups 137You can use Workgroup Manager to edit the user name of an account stored in a directory domain residing on Mac OS X Server or in
138 Chapter 3 Typically, short names contain eight or fewer characters.You can use Workgroup Manager to edit the short name of an account stored in
Users and Groups 139Consider an example that consists of three shared directory domains. Tony Smith has an account in the Students domain, and Tom S
14 Preface m Chapter 10, “Client Management: Mac OS 9 and OS 8,” addresses client management for Mac OS 8 and 9 computer users, describing how to
140 Chapter 3 If Tony has a user record in his local directory domain that has the same names and password as his record in the Students domain, the
Users and Groups 141When Tom attempts to access MyDoc, Mac OS X searches the login hierarchy for user records with short names that match those asso
142 Chapter 3
Defining Passwords
See “Understanding Password Validation” on page 193 for details about setting up and managing passwords.
Assigning Ad
Users and Groups 143
6 Click Privileges to specify what the user should be able to administer in the domain. By default, the user has no directory do
144 Chapter 3 You can use Workgroup Manager to define login settings of an account stored in a NetInfo or LDAPv3 directory domain or to review login
Users and Groups 145Working With Group Settings for UsersGroup settings identify the groups a user is a member of.In Workgroup Manager, use the Grou
146 Chapter 3 To open the account, click the Accounts button, then use the At pop-up menu to open the directory domain where the account resides. Cl
Users and Groups 147Working With Home Settings for UsersHome settings describe a user’s home directory attributes. See “Administering Home Directori
148 Chapter 3 To open the account, click the Accounts button, then use the At pop-up menu to open the directory domain where the account resides. Cl
Users and Groups 149Working With Print Settings for UsersPrint settings associated with a user’s account define the ability of a user to print to acc
How to Use This Guide 15 Most chapters end with a section called “Where to Find More Information.” This section points you to Web sites and other r
150 Chapter 3 To set up a quota that applies to all queues, go to step 3. Alternatively, to set up quotas for specific print queues, go to step 4.3 C
Users and Groups 151Working With Managed UsersSee Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,”
152 Chapter 3
Disabling a User Account
To disable a user account, you can
• delete the account (see “Deleting a User Account” on page 151)
• change the
Users and Groups 153Types of Home DirectoriesThe following table contrasts local, network, and advanced home directories and tells you where to find
154 Chapter 3 Distributing Home Directories Across Multiple ServersThe following illustration depicts using one Mac OS X Server for storing user acc
Users and Groups 155When a user restarts his or her computer and logs in using the account in the shared domain, the home directory is created autom
156 Chapter 3 Because of the way home directory disk quotas work, you may want to set up home directory share points on a partition different from o
Users and Groups 157You can use Workgroup Manager to define a network home directory for a user whose account is stored in a NetInfo or LDAPv3 direct
158 Chapter 3 Use Workgroup Manager to enable guest access for the share point. Click the Protocols tab and make sure that “Apple File Settings, ” “
Users and Groups 159To create an NFS network home directory using Workgroup Manager:1 In Workgroup Manager, open the account you want to work with i
160 Chapter 3 6 Define the share point’s automounting settings.Click the Automount tab.On the pop-up menu, select the shared domain in which the user
Users and Groups 161To create an advanced AFP home directory using Workgroup Manager:1 In Workgroup Manager, open the account you want to work with
162 Chapter 3 6 Define the share point’s automounting settings.Click the Automount tab.On the pop-up menu, select the shared domain in which the user
Users and Groups 163Defining an Advanced Home Directory for NFS AccessIn Workgroup Manager, you can customize a user’s NFS home directory settings u
164 Chapter 3 Use the pop-up menus next to the fields to specify privileges. For the owner, select Read & Write. For Group and Everyone, select R
Users and Groups 165Using createhomedir to Create Home DirectoriesYou can use the createhomedir command-line tool to create AFP or NFS home director
166 Chapter 3 Setting Disk QuotasYou can limit the disk space a user can consume to store files he or she owns in the partition where his home direct
Users and Groups 167Administering Group AccountsThis section describes how to administer group accounts stored in various kinds of directory domains
168 Chapter 3 Creating Read-Write LDAPv3 Group AccountsYou can create a group account on a non-Apple LDAPv3 server if it has been configured for writ
Users and Groups 169Working With Read-Only Group AccountsYou can use Workgroup Manager to review information for group accounts stored in read-only
17 CHAPTER 1 1 Administering Your Server Mac OS X Server is a powerful server platform that delivers a complete range of services to users on the I
170 Chapter 3 To add users to a group using Workgroup Manager:1 In Workgroup Manager, open the group account you want to work with if it is not alre
Users and Groups 171m A short group name can contain as many as 255 Roman characters. However, for clients using Mac OS X version 10.1.5 and earlier
172 Chapter 3 2 In the Group ID field on the Members tab, review or edit the ID. Before saving a new group ID, Workgroup Manager checks to ensure tha
Users and Groups 1735 In the Owner Name field, enter the name of the user you want to own the group folder so he or she can act as group folder admin
174 Chapter 3 To set up an advanced group folder:1 On the server where you want the group folder to reside, create a folder that will serve as the s
Users and Groups 175
If the server is remote, establish an SSH session. “Secure Shell (SSH) Command” on page 591 tells you how.
14 Type “sudo /usr/sb
176 Chapter 3 Finding User and Group AccountsIn Workgroup Manager, user and group accounts are listed in tabs at the left side of the Workgroup Mana
Users and Groups 177To list accounts in search path domains of the server you are working with:1 In Workgroup Manager, log in to a server whose sear
178 Chapter 3 Finding Specific Users and Groups in a ListAfter you have displayed a list of users or groups in Workgroup Manager, you can filter the
Users and Groups 179Using PresetsPresets are Workgroup Manager account templates. They let you set up initial attributes for new accounts you create
18 Chapter 1 Password Security You can choose from several user authentication options, ranging from Mac OS X Server’s Open Directory Password Ser
180 Chapter 3 Using Presets to Create New AccountsTo create a new account using a preset:1 Open Workgroup Manager on a server configured to access th
Users and Groups 181To change a preset:1 Open Workgroup Manager on the server where the preset has been defined.2 Click the Accounts button. 3 From t
182 Chapter 3 This section describes how to prepare files for importing and how to conduct import and export operations using Workgroup Manager and d
Users and Groups 1836 Select one of the Duplicate Handling options to indicate what to do when the short name of an account being imported matches t
184 Chapter 3 Using Workgroup Manager to Export Users and GroupsYou can use Workgroup Manager to export user and group accounts from a NetInfo or LD
Users and Groups 185
-p imports accounts from an XML file formatted as “Using XML Files Created With AppleShare IP 6.3” on page 190 describes.
file nam
186 Chapter 3
-s startingUID specifies the starting UID to use when importing from an ASIP XML file or a character-delimited file that contains new user
Users and Groups 187
-y ipAddress is the IP address of a remote Mac OS X Server from which the directory domain is visible.
-V adds the version number o
188 Chapter 3
Using dsimportexport to Export Users and Groups
You can use dsimportexport to export user and group accounts from NetInfo or LDAPv3 dir
Users and Groups 189
-yrpwd password is the password for logging in to a remote Mac OS X Server identified in the -y parameter.
-y ipAddress is the IP ad
Administering Your Server 19 Open Directory Services User and group information is used by your server to authenticate users and authorize their a
190 Chapter 3
• Apple mail data
• ara (Apple Remote Access; this data is ignored)
The following group account attributes might be present in these XML
Users and Groups 191Using Character-Delimited FilesYou can create a character-delimited file by using Workgroup Manager or dsimportexport to export a
192 Chapter 3
In addition, you can include
UserShell (the default shell)
NFSHomeDirectory (the path to the user’s home directory on the user’s compute
Users and Groups 193
Using the StandardUserRecord Shorthand
When the first record in a character-delimited import file contains “StandardUserRecord,” th
194 Chapter 3
• Using LDAP bind authentication with a non-Apple LDAPv3 directory server. Clients needing password validation, such as login window a
Users and Groups 195
Contrasting Password Validation Options
Here are the pros and cons of the options for validating a user’s password:
• Storing a pa
196 Chapter 3
See “Using a Password Server” on page 200 for details about this strategy.
• Using a Kerberos server. This option is not supported by a
Users and Groups 197
• A zero-length password is not recommended; Password Server and some systems (such as LDAP bind) do not support a zero-length p
198 Chapter 3 Authentication Manager may be of interest if you are using it on a version 10.1 server that you want to upgrade to version 10.2 or if
Users and Groups 199
Enabling Basic Password Validation for a User
Basic password validation is the simplest form of password validation. It relies on
K Apple Computer, Inc. © 2002 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may
20 Chapter 1 High AvailabilityTo maximize server availability, Mac OS X Server includes technology for monitoring server activity, monitoring and r
200 Chapter 3 A very effective way to thwart password hacking is to use good passwords. A password should contain letters, numbers, and symbols in c
Users and Groups 201
• The password, stored in recoverable or hashed form. The form depends on the network authentication protocols enabled for the P
202 Chapter 3 4 On the Advanced tab, choose “Password Server” from the “User Password Type” pop-up menu if it is not already selected.5 If the user’
Users and Groups 203
5 On the Advanced tab, click Options to set up the user’s password policy. If you select the “Disable login as of ” option, ente
204 Chapter 3
3 Select the user in the list.
4 On the Advanced tab, choose Basic from the “User Password Type” pop-up menu. You will be prompted to e
Users and Groups 205
Using Kerberos
If you already use Kerberos to authenticate users, you can use Kerberos to validate passwords for the following se
206 Chapter 3 The following illustration summarizes these activities. Note that the service and the client in this picture may be the same entity (s
Users and Groups 207
2 Create user accounts for each of the same users in directory domains accessible from Mac OS X computers on which Kerberized se
208 Chapter 3
Enabling Kerberos Authentication for FTP
Use Server Settings to enable FTP server support for Kerberos. See Chapter 5, “File Services,”
Users and Groups 209
To enable LDAP bind user authentication using Workgroup Manager:
1 Make sure the account for a user whose password you want to va
Administering Your Server 21Highlighting Individual ServicesThis section highlights individual Mac OS X Server services and tells you where in this
210 Chapter 3
Supporting Client Computers
Validating Windows User Passwords
See “Providing Secure Authentication for Windows Users” on page 197.
Setti
Users and Groups 211
• You can make other users Password Server administrators after setting up a Password Server. Make sure they have an account in
212 Chapter 3
You Can’t Assign Server Administrator Privileges
In order to assign server administrator privileges to a user for a particular server,
Users and Groups 213
• Refer to the KDC log (kdc.log) for information that can help you solve problems. Incorrect setup information such as wrong con
215
CHAPTER 4
Sharing
The Sharing module of Workgroup Manager lets you share information with clients of the Mac OS X Server and control access to sha
216 Chapter 4 Note: QuickTime Streaming Server and WebDAV have their own privileges settings. For information about QTSS, refer to the QTSS online
Sharing 217
Everyone
Everyone is any user who can log in to the file server: registered users, guests, anonymous FTP users, and Web site visitors.
Priv
218 Chapter 4 Share Points in the Network GlobeThe Network globe on OS X clients represents the Darwin /Network directory. By default, the Network g
Sharing 219
Step 1: Read “Before You Begin”
Read “Before You Begin” on page 219 for issues you should consider before sharing information on your netw
22 Chapter 1 Chapter 2, “Directory Services,” describes how to configure search policies on any Mac OS X computer.Password ValidationOpen Directory g
220 Chapter 4 Conversely, you might want to set up share points using a single protocol even though you have different kinds of clients. For example
Sharing 221
• Set privileges for Everyone to None for files and folders that guest users should not access. Items with this privilege setting can be
222 Chapter 4 3 Click the General tab.4 Select “Share this item and its contents.”Change the owner and group of the shared item by typing names into
Sharing 223
7 Choose a default permissions option for new files and folders.
Select “Use Standard UNIX behavior” if you want new or copied items to ret
224 Chapter 4 4 Select the “Share this item using FTP” option. 5 Select “Allow FTP guest access” to allow FTP users with guest access to use this it
Sharing 225Automounting Share PointsYou can mount share points automatically on client computers using automounts. You can set up an automount to mo
226 Chapter 4 Resharing NFS Mounts as AFP Share PointsResharing NFS mounts (NFS volumes that have been exported to the Mac OS X Server) as AFP share
Sharing 227
name: server:/test/lab1
vfstype: nfs
dir: /nfs_reshares/myshare
Click the lock when finished. In the Confirm Changes dialog box, click Upda
228 Chapter 4 Browsing Server DisksYou can view the folders (but not files) located on servers using the Sharing module of Workgroup Manager.To brows
Sharing 2294 Click the Protocols tab and use the pop-up menu to see the protocol settings for the item.5 Click the Automount tab to see the automoun
Administering Your Server 23File ServicesMac OS X Server makes it easy to share files using the native protocols of different kinds of client compute
230 Chapter 4 2 Click the Share Points tab and select the NFS export (share point) you want to change.3 Click the Protocols tab and choose NFS Expor
Sharing 231Alternatively, you can choose View Directories from the Server menu.2 Use a root user name and password to log in.If you are not logged i
233
CHAPTER 5
File Services
File services enable clients of the Mac OS X Server to access files, applications, and other resources over a network. Mac
234 Chapter 5 You must configure and turn on file services in order for clients to be able to access shared information—the volumes and folders that y
File Services 235Client Computer RequirementsFor information on client computer requirements, see “Supporting Client Computers” on page 272.Setup Ov
236 Chapter 5 Apple File ServiceApple file service allows Macintosh client users to connect to your server and access folders and files as if they wer
File Services 237Apple File Service SpecificationsBefore You Set Up Apple File ServiceIf you asked the Server Assistant to configure Apple file servic
238 Chapter 5 The name you enter here must be unique among all computers connected to the network. If you leave this field blank, the server will reg
File Services 239
2 Click Apple and choose Configure Apple File Service.
3 Click the Access tab.
4 Choose the authentication method you want to use: S
24 Chapter 1 m fine-grain access controls for managing client connections and guest accessm automatic disconnect of idle clients after a period of in
240 Chapter 5 3 Click the Logging tab. 4 Select “Enable Access log” if you want to create an access log. The access log stores information about any
File Services 241Although the server disconnects clients when they become idle or go to sleep, the clients’ sessions are maintained for the specified
242 Chapter 5 Managing Apple File ServiceThis section tells you how to perform day-to-day management tasks for Apple file service once you have it up
File Services 243Stopping Apple File ServiceTo stop Apple file service:1 In Server Settings, click the File & Print tab.2 Click Apple and choose
244 Chapter 5 Enable Browsing With Network Service LocationYou can register your Apple file server with Network Service Locator (NSL) to allow users
File Services 2456 Click Save.Turning On Access Logs for Apple File ServiceThe access log can record any time a user logs in or out, opens a file, cr
246 Chapter 5 You can keep the archived logs for your records or delete them to free disk space when they are no longer needed. The default setting
File Services 247
Allowing Guest Access to the Apple File Server
Guests are users who can see information on your server without using a name or passw
248 Chapter 5 Windows ServicesWindows services in Mac OS X Server provide four native services to Windows clients. These services arem file service—a
File Services 249In addition, you can improve the user experience by following these guidelines:m Use comparable versions of application software on
Administering Your Server 25FTP service in Mac OS X Server supports Kerberos v5 authentication and, for most FTP clients, resuming of interrupted FT
250 Chapter 5 Configuring Windows Services General SettingsYou use the General pane to set identifying information about your Windows server and to
File Services 251
2 Click Windows and choose Configure Windows Services.
3 Click the Access tab.
4 Select “Allow Guest access” only if you want to allo
252 Chapter 5 You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on
File Services 253Managing Windows Services This section tells you how to perform day-to-day management tasks for Windows services once you have the
254 Chapter 5 Checking Windows Services StatusYou use Server Status to check the status of all Mac OS X Server devices and services.To view Windows
File Services 2552 Click Windows and choose Configure Windows Services.3 Click the Neighborhood tab, then select Master Browser or Domain Master Brow
256 Chapter 5 3 Click the Connections tab and select the user you want to disconnect.4 Click the Disconnect button.Allowing Guest Access in Windows
File Services 257
Secure FTP Environment
Most FTP servers provide a restricted directory environment that confines FTP users to a specific area within a
258 Chapter 5
FTP Root and Share Points
The “FTP Root and Share Points” user environment gives access—for both real and anonymous users—to the FTP ro
File Services 259
Home Directory With Share Points
When the user environment option is set to “Home Directory with Share Points,” real users log in to
26 Chapter 1 Web service also includes support for Web-based Distributed Authoring and Versioning (WebDAV). With WebDAV capability, your client user
260 Chapter 5
Home Directory Only
In the Restricted user environment, real users are confined to their home directories and do not have access to the
File Services 261
The table below shows common file extensions and the type of compression they designate.
Custom FTP Root
For increased security, Mac O
262 Chapter 5
Restrictions on Anonymous FTP Users (Guests)
Enabling anonymous FTP poses a security risk to your server and data because you open your
File Services 263
Step 6: Create an “uploads” folder for FTP users (optional)
If you enabled anonymous access in Step 2, you may want to create a fold
264 Chapter 5
Configuring FTP Access Settings
The Access settings let you specify the number of real and anonymous users.
To configure the FTP Access
File Services 265
6 Click Save.
Configuring FTP Advanced Settings
The Advanced settings allow you to specify a custom FTP root. A custom FTP root creat
266 Chapter 5
Setting Up Anonymous FTP Service
You can allow guests to log in to your FTP server with the user name “ftp” or “anonymous.” They do not
File Services 267
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
4 Choose the type of user environment you want to provide.
The
268 Chapter 5 Displaying Banner and Welcome Messages to UsersFTP service in Mac OS X Server allows you to create certain messages that you can send
File Services 269
You use the NFS module of Server Settings to configure and manage NFS service. You also use the Sharing module of Workgroup Manager
Administering Your Server 27Client ManagementYou can use Mac OS X Server to manage the work environments of Mac OS 8, 9, and X clients. Preferences
270 Chapter 5 Step 3: Create share points and share them using NFSUse the Sharing module of Workgroup Manager to specify the share points that you w
File Services 271Managing NFS ServiceThis section tells you how to perform day-to-day management tasks for NFS service once you have it up and runni
272 Chapter 5 Supporting Client ComputersThis section describes the client computer requirements for using Mac OS X file services.Supporting Mac OS X
File Services 273To set a Mac OS X client computer to mount a server volume automatically:1 Choose “Connect to Server” from the Finder’s Go menu to
274 Chapter 5 Connecting to the Apple File Server in Mac OS 8 or Mac OS 9Apple file service does not support AppleTalk connections, so clients need t
File Services 275Using the Network Neighborhood to Connect to the Windows ServerBefore trying to connect to the server from a Windows client compute
276 Chapter 5
• Make sure the file server is running. You can use a “pinging” utility to check whether the server is operating.
• If the user is searc
File Services 277
User Can’t Log in to the Windows Server
• If you are using Password Server to authenticate users, check to make sure that it is confi
278 Chapter 5
Clients Can’t Connect to the FTP Server
• See if the client is using FTP passive mode, and turn it off. Passive mode causes the FTP ser
279
CHAPTER 6
Client Management: Mac OS X
Workgroup Manager provides network administrators with a centralized method of managing Mac OS X workstation
28 Chapter 1 m Network Install is an excellent solution for operating system migrations, installing software updates and custom software packages, r
280 Chapter 6 This chapter summarizes certain aspects of Mac OS X client management, describes how to set up Mac OS X computer accounts using Workgr
Client Management: Mac OS X 281Finding ApplicationsApplications can be stored locally on the computer’s hard disk or on a server in a share point. I
282 Chapter 6 Client Computer Hardware Requirements m Macintosh computer with a G3 processor or better (except original PowerBook G3 or upgraded Pow
Client Management: Mac OS X 283Designating AdministratorsFor Mac OS X clients, the server administrator has the greatest amount of control over othe
284 Chapter 6 Setting Up Group AccountsAlthough Mac OS X users are not required to be added to group accounts in order to be managed, groups are sti
Client Management: Mac OS X 285Creating a Computer AccountYou can use a computer account to assign the same privileges and preferences to multiple c
286 Chapter 6 2 Use the At pop-up menu to open the directory domain where you want to create computer accounts using presets, then click Accounts.3
Client Management: Mac OS X 287Adding Computers to an Existing Computer AccountYou can easily add more computers to an existing list. However, you c
288 Chapter 6 7 Change information in the information fields as needed, then click Save.Moving a Computer to a Different Computer AccountOccasionally
Client Management: Mac OS X 289
Deleting a Computer Account
If you no longer need any computers listed in a computer account, you can delete the en
Administering Your Server 29You will use DNS if you use SMTP mail service or if you want to create subdomains within your primary domain. You will a
290 Chapter 6 Managing Guest ComputersIf an unknown computer (one that isn’t already in a computer account) connects to your network and attempts to
Client Management: Mac OS X 291If you do not select settings or preferences for the Guest Computers account, guest computers are not managed. Howeve
292 Chapter 6 Making Computers Available to All UsersIf you want, you can make computers in a list available to any user in any group account you se
Client Management: Mac OS X 2938 If you want to show only certain workgroups to users during login, select “Restrict to groups below,” and add group
294 Chapter 6
Portable Computers With One Primary Local User
There are two ways to set up portable computers for a single user.
• The user does not have
Client Management: Mac OS X 295In addition to various settings for users, groups, and computer accounts, Workgroup Manager provides control over the
296 Chapter 6 About the Preferences CacheOnly local user accounts use a preference cache. The preference cache is created on the local hard drive wh
Client Management: Mac OS X 297To empty the managed preferences cache:1 Open Workgroup Manager.2 Use the At pop-up menu to find the directory domain
298 Chapter 6 The overrides described above do not apply to settings in the Items pane of the Applications preference, the Dock Items pane, the Prin
Client Management: Mac OS X 299 Managing User Preferences You can manage preferences for individual users as needed. However, if you have large number
3 Contents Preface: How to Use This Guide 13; What’s Included in This Guide 13; Using This Guide 14; Setting Up Mac OS X Server for the First
30 Chapter 1 You can deliver live and prerecorded media over the Internet to both Macintosh and Windows users, or relay streamed media to other stre
300 Chapter 6 4 Select a group account in the account list. 5 Click the icon for the preference you want to manage. 6 In each tab for that preference,
Client Management: Mac OS X 301 If you adjust a mixed-state setting, every account will have the new setting you choose. For example, suppose you sel
302 Chapter 6 Creating a List of Approved Applications You need to provide access to the applications you want users to open. To do this, use Items s
Client Management: Mac OS X 303 8 Click Apply Now. Managing Application Access to Helper Applications Sometimes, applications need to use “helper appli
304 Chapter 6 Managing Access to System Preferences Using the System Preferences pane of the Applications preference, you can select which preference
Client Management: Mac OS X 305 Making Classic Start Up After a User Logs In If users often need to work with applications that run in Classic, it is
306 Chapter 6 Classic Advanced Preferences Advanced preference settings for Classic let you control items in the Apple menu, Classic sleep settings,
Client Management: Mac OS X 307 Preventing Access to the Chooser and Network Browser If you don’t want users to have access to the Chooser or Network
308 Chapter 6 To adjust Classic sleep settings: 1 Open Workgroup Manager. 2 Use the At pop-up menu to find the directory domain that contains the accou
Client Management: Mac OS X 309 8 If you want items in the Dock to be magnified when a user moves the pointer over them, select the Magnification check
Administering Your Server 31 Server Settings: Configure file, print, mail, Web, NetBoot, and network services, page 35. Server Status: Monitor services page
310 Chapter 6 Providing Easy Access to Group Folders After you have set up a group volume, you can make it easy for users to locate the group directo
Client Management: Mac OS X 311 4 Select a user, group, or computer account in the account list, then click the Dock preference icon. 5 Click Dock Ite
312 Chapter 6 To set Finder window preferences: 1 Open Workgroup Manager and click Preferences. 2 Select a user, group, or computer account in the acc
Client Management: Mac OS X 313 In order to use additional Simplified Finder features, an administrator can use Workgroup Manager to • Add applications
314 Chapter 6 4 Select a user, group, or computer account in the account list, then click the Finder preference icon. 5 Click the Preferences tab and
Client Management: Mac OS X 315 4 Select a user, group, or computer account in the account list, then click the Finder preference icon. 5 Click Comman
316 Chapter 6 Hiding the Burn Disc Command in the Finder On computers with appropriate hardware, users can “burn discs” (write information to recorda
Client Management: Mac OS X 317 As an additional preventive measure, you can also remove the Restart and Shut Down buttons from the login window usin
318 Chapter 6 Default View settings control the overall appearance of all Finder windows. Computer View settings control the view for the top-level
Client Management: Mac OS X 319 Managing Internet Preferences Internet preferences let you set email and Web browser options. Setting Email Preferences
32 Chapter 1 networksetup: Configure network services for a particular network hardware port on a remote server, page 602. MySQL Manager: Manage the versio
320 Chapter 6 8 Type a URL for the Search Page. 9 Type a folder location for storing downloaded files, or click Set to browse for a folder. 10 Click Ap
Client Management: Mac OS X 321 Deciding How a User Logs In Depending on the settings you choose, a user will see either a name and password text field
322 Chapter 6 3 Click the lock and enter your user name and password. 4 Select a computer account in the account list, then click the Login preferenc
Client Management: Mac OS X 323 A user can suppress automatic application opening by holding down the Shift key during login. Do not release the Shif
324 Chapter 6 4 Select a group account in the account list, then click the Login preference icon. 5 Click Login Items. 6 Set the management setting to
Client Management: Mac OS X 325 Select the Allow checkbox next to CDs & CD-ROMs to let users access music, data, or applications on compact discs
326 Chapter 6 To prevent users from recording information to compact discs or DVD-R discs, deselect Allow. 8 Click Apply Now. Media Access Other Media
Client Management: Mac OS X 327 If you select the Read-Only checkbox, users can view the contents of external disks but cannot modify them or save fi
328 Chapter 6 Making Printers Available to Users To give users access to printers, you first need to set up a printer list. Then, you can allow specifi
Client Management: Mac OS X 329 6 Click Printer List. 7 If you want only administrators to modify the printer list, select “Require an administrator p
Administering Your Server 33 Administering a Server From Different Computers You can use the server applications to manage the local server or to mana
330 Chapter 6 To set the default printer: 1 Open Workgroup Manager. 2 Use the At pop-up menu to find the directory domain that contains the account you
Client Management: Mac OS X 331 I Can’t Enforce Default Web Settings If you manage Internet preferences using Workgroup Manager and set up a default W
332 Chapter 6 Users Cannot Add Printers to a Printer List Users are able to add printers to the list of printers in Print Center if you select Always
Client Management: Mac OS X 333 Users See a Message About an Unexpected Error When you manage Classic preferences and try to use the Extensions Manage
LL0395.Book Page 334 Wednesday, November 20, 2002 11:44 AM
335 CHAPTER 7 Print Service Print service lets you share network printers with clients of the Mac OS X Server. You share printers by setting up print
336 Chapter 7 What Printers Can Be Shared? Mac OS X Server supports PostScript-compatible printers connected to your network using AppleTalk or the L
Print Service 337 Who Can Use Shared Printers? Shared printers can be used over the network by users who submit print jobs using AppleTalk, LPR, or Se
338 Chapter 7 Step 2: Start up and configure print service Use Server Settings to start up and configure print service. Print service configuration let
Print Service 339 Before You Begin Before you set up print service, determine which protocols are used for printing by client computers. When you confi
34 Chapter 1 You’ll find Open Directory Assistant in /Applications/Utilities/. For information about how to use the application, see Chapter 2, “Dire
340 Chapter 7 If you choose None, print jobs sent to the default queue will not be accepted by the server (and therefore will not be printed). 7 Sele
Print Service 341 You’ll probably need to change the queue name if users who print to your queues have restrictions on printer names they can use. Fo
342 Chapter 7 The Open Directory printer is named using the queue name defined in the Print module of Server Settings. LPR clients do not support nam
Print Service 343 Setting Up Printing on Client Computers Mac OS X Clients Mac OS X users must add shared print queues to their Print Center printer li
344 Chapter 7 Mac OS 8 and Mac OS 9 Clients Mac OS 8 and 9 support both AppleTalk and LPR printers. Users can set up printing to a server print queue
Print Service 345 Windows Clients To enable printing by Windows users who submit jobs using SMB, make sure Windows services are running and that one o
346 Chapter 7 Stopping Print Service You use the File & Print pane in Server Settings to stop print service. To stop print service: 1 In Server Set
Print Service 347 Putting a Print Queue on Hold (Stopping a Print Queue) To prevent jobs in a queue from printing, put the print queue on hold. Printi
348 Chapter 7 Note: If you change the name of a print queue that has already been shared, print jobs sent by users to the old queue name will not b
Print Service 349 Selecting a Default Print Queue Specifying a default print queue simplifies setup for printing from client computers to LPR print que
Administering Your Server 35 Major Workgroup Manager Tasks After login, the user account window appears, with lists of user, group, and computer accou
350 Chapter 7 The Queue Monitor window displays all the current print jobs in priority order. It also indicates the current status of the active (pr
Print Service 351 To restart a print job: 1 In Server Settings, click the File & Print tab. 2 Click Print and choose Show Print Monitor. 3 Select th
352 Chapter 7 3 Select the queue containing the job, then click Show Queue Monitor. 4 Select the job and click Set Priority. 5 Select the priority you
Print Service 353 Viewing Print Logs Print service has two kinds of logs: print service and print queue. Print service logs record such events as when
354 Chapter 7 Deleting Print Log Archives The log files are stored in /Library/Logs/PrintService. You can clear out unwanted archive files by deleting
Print Service 355 • Make sure the printer is turned on and that there are no problems with the printer itself (out of paper, paper jams, and so on). •
357 CHAPTER 8 Web Service Web service in Mac OS X Server offers an integrated Internet server solution. Web service is easy to set up and manage, so y
358 Chapter 8 Before You Begin This section provides information you need to know before you set up Web service for the first time. You should read th
Web Service 359 Hosting More Than One Web Site You can host more than one Web site simultaneously on your Web server. Depending on how you configure yo
36 Chapter 1 Click the service modules arranged on the Server Settings tabs to choose commands that let you work with individual services: • For ad
360 Chapter 8 You can avoid this problem by carefully setting access privileges for the site files using the Sharing module of Server Settings. Mac O
Web Service 361 MIME type mappings are divided into two subfields separated by a forward slash, such as “text/plain.” Mac OS X Server includes a list
362 Chapter 8 Step 3: Assign privileges for your Web site The Apache process running on the server must have access to the Web site’s files and folder
Web Service 363 Starting or Stopping Web Service You start and stop Web service from the Server Settings application. To start or stop Web service: 1 In
364 Chapter 8 4 Click Add to add a new mapping, or select a mapping and click Edit, Duplicate, or Delete. (If you choose Delete, you’ve finished.) 5 T
Web Service 365 The range for maximum simultaneous connections is zero to 9999. The default maximum is 500, but you can set the number as high or as
366 Chapter 8 To block Web sites: 1 In Server Settings, click the Internet tab. 2 Click Web and choose Configure Web Service. 3 Click the Proxy tab and
Web Service 367 Setting Up WebDAV for a Web Server Web-based Distributed Authoring and Versioning (WebDAV) allows you or your users to make changes to
368 Chapter 8 3 On the General pane, click “Start Tomcat at system startup.” 4 Click Save, then restart the server. To verify that Tomcat is running,
Web Service 369 To view the log files: 1 In Server Status, click Web under your server. 2 Click the Logs tab. 3 Select the log you want to view in the t
Administering Your Server 37 • To customize the Server Status toolbar, choose Customize Toolbar from the View menu. • To retrieve online information,
370 Chapter 8 Setting Up the Documents Folder for Your Web Site To make files available through a Web site, you put the files in the Documents folder f
Web Service 371 Enabling a Web Site on a Server Before you can enable a Web site, you must create the content for the site and set up your site folder
372 Chapter 8 5 In the General pane, type a name in the Default Document Name field. A file with this name must be in the Web site folder. 6 Click Save,
Web Service 373 You can also improve server performance by disabling the access and error logs. Enabling Access and Error Logs for a Web Site You can s
374 Chapter 8 8 Select “Enable detailed folder listings.” 9 Click Save, then restart Web service. Connecting to Your Web Site Once you configure your We
Web Service 375 Setting Access for WebDAV-Enabled Sites You create realms to provide security for Web sites. Realms are locations within a site that u
376 Chapter 8 To enable a CGI for a Web site: 1 In Server Settings, click the Internet tab. 2 Click Web and choose Configure Web Service. 3 Click the Si
Web Service 377
AddHandler server-parsed shtml
AddType text/html shtml
If your SSI files use a file extension other than .shtml, you should add that type
378 Chapter 8 Enabling SSL Before you can enable Secure Sockets Layer (SSL) protection for a Web site, you have to obtain the proper certificates. For
Web Service 379
#LoadModule php4_module /usr/libexec/httpd/libphp4.so
#AddModule mod_php4.c
3 Save the changes and close the file. The changes take effe
38 Chapter 1 • Use the Export Items and Import Items buttons to manage different lists of Xserve servers you want to monitor. The Merge Items button
380 Chapter 8 Users log into WebMail with the name and password they use for logging in to regular mail service. WebMail does not provide its own au
Web Service 381 4 In the Terminal application, use a text editor to edit /etc/httpd/httpd_macosxserver.conf and add the following line: Include /etc/h
382 Chapter 8 • Sent Folder is the name of the IMAP folder where mail service puts messages after sending them. The default is Sent Messages. • Draft
Web Service 383 Setting Up Secure Sockets Layer (SSL) Service If you want to provide secure transactions on your server, such as allowing users to pur
384 Chapter 8 • Organizational name: The organization to which your domain name is registered. • Organizational unit: Usually something similar to
Web Service 385 5 Select Enable Secure Socket Layer (SSL). 6 Click Edit Certificate File and paste the text from your certificate file (the certificate yo
386 Chapter 8 • If the module came with your Web server, check the Apache documentation for that module and make sure the module is intended to work
Web Service 387 • To index a folder’s contents, choose Get Info from the File menu. Note: You must be logged in as root for the index to be copied to
388 Chapter 8 PHP: Hypertext Preprocessor PHP lets you handle dynamic Web content by using a server-side HTML-embedded scripting language resembling
Web Service 389 Where to Find More Information For information about configuration files and other aspects of Apache Web service, see these resources: •
Administering Your Server 39 Where to Find More Information Regardless of your server administration experience, you may want to take advantage of th
391 CHAPTER 9 Mail Service Mail service in Mac OS X Server allows network users to send and receive email over your network or across the Internet. Ma
392 Chapter 9 Mail Service Protocols A standard mail setup uses SMTP to send outgoing email and POP and IMAP to receive incoming email. Mac OS X Serv
Mail Service 393 Internet Message Access Protocol (IMAP) Internet Message Access Protocol (IMAP) is the solution for people who need to receive mail f
394 Chapter 9 How Mail Service Uses SSL The mail service supports secure IMAP connections with mail client software that requests them. If a mail cli
Mail Service 395 Mail service uses an additional folder if you turn on the option to use an alternate mail transfer agent, such as the UNIX Sendmail
396 Chapter 9 What Mail Service Can Do About Junk Mail You can configure your mail service to decrease the volume of unsolicited mail, also known as j
Mail Service 397 SMTP Authentication and Restricted SMTP Relay Combinations The following table describes the results of using SMTP authentication and
398 Chapter 9 What Mail Service Doesn’t Do Mail service provided by Mac OS X Server does not support • mailing lists • virtual domains ([email protected]
Mail Service 399 Setup Overview You can have mail service set up and started as part of the Mac OS X Server installation process. An option for settin
4 Contents Overview of Directory Services Tools 68; Setup Overview 68; Before You Begin 70; Setting Up an Open Directory Domain and Password
400 Chapter 9 • If you use Mac OS X Server to provide DNS service, create your own MX records as described in “Using DNS With Mail Service” on page
Mail Service 401 • “Limiting Junk Mail” on page 421 • “Working With Undeliverable Mail” on page 425 Step 7: Set up accounts for mail users Each person w
402 Chapter 9 • If your server will provide mail service over the Internet, you need a registered domain name. You also need to determine whether yo
Mail Service 403 Requiring or Allowing Kerberos Authentication You can choose to require, allow, or disallow the Kerberos authentication method for al
404 Chapter 9 If a domain name in this list does not have an MX record, only your mail service recognizes it. External mail sent to this domain name
Mail Service 405 For detailed instructions, see “Setting Up SSL for Mail Service” on page 614 of Chapter 17, “Tools for Advanced Administrators.” Work
406 Chapter 9 Notifying Users Who Have New Mail Rather than require each user to periodically check for new mail, the mail service can notify users w
Mail Service 407 3 Click the Protocols tab and select Enable POP3, if it is not already checked. 4 Click POP3 Options. 5 Select “Require APOP authentic
408 Chapter 9 The mail service has settings for requiring secure IMAP authentication, changing the IMAP response name, using case-sensitive IMAP fol
Mail Service 409 To allow case-sensitive IMAP folder names: 1 In Server Settings, click the Internet tab. 2 Click Mail Service and choose Configure Mail
41 CHAPTER 2 Directory Services Directory services provide a central repository for information about the systems, applications, and users in an organ
410 Chapter 9 Changing the IMAP Port Number The default port for incoming IMAP connections is 143. You can change this port number, but you’ll need t
Mail Service 411 4 Choose “Limit to local users” from the pop-up menu, then click Save. If you limit outgoing mail to local users, all the options in
412 Chapter 9 Note: If you configure your mail service to require CRAM-MD5, mail users’ accounts must be set to use a Password Server that has CRAM-
Mail Service 413 • The incoming and outgoing SMTP response names are typically the same. • The incoming and outgoing response names should match the D
414 Chapter 9 Changing the Outgoing SMTP Port Number You can change the port number that your SMTP service uses when attempting to send outgoing mail
Mail Service 415 To configure Sendmail to start automatically every time the system starts up, you need root privileges; edit the /etc/hostconfig file,
416 Chapter 9 Working With the Mail Database The mail database keeps track of messages for all mail service users. Mail service stores messages in se
Mail Service 417 3 Click the General tab, select “Use alternate mail store location,” and enter the path of the location where you want the mail files
418 Chapter 9 4 In Server Settings, click the Internet tab, click Mail Service, and choose Start Mail Service. Configuring Automatic Mail Deletion If
Mail Service 419 To configure administrator access to the database: 1 In Server Settings, click the Internet tab. 2 Click Mail Service and choose Config
42 Chapter 2 The Open Directory architecture also includes Open Directory Password Server. A Password Server can securely store and validate the pas
420 Chapter 9 • when mail service connections time out This section describes how to change these settings. Specifying DNS Lookup for Mail Service You
Mail Service 421 Select “Respect ‘Time to Live’ (TTL) DNS Settings” if you want to use the default settings of the DNS service. Ordinarily, your mail
422 Chapter 9 • Log and optionally reject an SMTP connection from a server whose DNS name doesn’t match a reverse-lookup of its IP address. For inst
Mail Service 423 Rejecting SMTP Connections From Specific Servers Your mail service can reject non-authenticated SMTP connections from servers on a di
424 Chapter 9 5 Click Save. Your SMTP mail service may be unable to do a successful reverse-lookup of a server that identifies itself in a nonstandard
Mail Service 425 Allowing SMTP Relay for a Backup Mail Server If your network has more than one mail server, one can be designated as a backup server
426 Chapter 9 Forwarding Undeliverable Incoming Mail You can have mail service forward messages that arrive for unknown local users to another person
Mail Service 427 Sending Nondelivery Reports to Postmaster When a user on your network sends mail that can’t be delivered, a nondelivery report is sen
428 Chapter 9 Viewing Connected Mail Users The Server Status application can list the users who are currently connected to the mail service. For each
Mail Service 429 Reclaiming Disk Space Used by Mail Service Logs Mac OS X Server automatically reclaims disk space used by mail service logs when they
Directory Services 43 Processes running on Mac OS X computers can use directory services to save information in a directory domain. For example, when
430 Chapter 9 Creating Additional Email Addresses for a User Mail service allows each individual user to have more than one email address. Every user
Mail Service 431 Performance Tuning Mail service needs to act very fast for a short period of time. Mail service sits idle until a user wants to read
432 Chapter 9 An incremental backup of the mail service folder can be fast and efficient. If you use a third-party application to back up the mail se
Mail Service 433 For more information about Sendmail, see this Web site: www.sendmail.org You can find out more about servers that filter junk mail at t
435 CHAPTER 10 Client Management: Mac OS 9 and OS 8 Macintosh Manager provides network administrators with a centralized method of managing Mac OS 9
436 Chapter 10 Transition Strategies for Macintosh Manager If you are migrating to Macintosh Manager 2.2.2 from an earlier version, you can do a simp
Client Management: Mac OS 9 and OS 8 437 Depending upon the computer being used, the network configuration, and access privileges, the user may have a
438 Chapter 10 Finding Applications Approved applications for Panels and Restricted Finder workgroups are located in the “Items for workgroup name” f
Client Management: Mac OS 9 and OS 8 439 Administrator Computer Requirements Software • Mac OS X Server (with Macintosh Manager administrator software)
44 Chapter 2 Data Consolidation For years, UNIX systems have stored administrative information in a collection of files located in the /etc directory.
440 Chapter 10 To set up an administrative client computer: 1 Make sure the computer meets minimum requirements. 2 Make sure the system software is ei
Client Management: Mac OS 9 and OS 8 441 3 Restart the computer. To stop managing Mac OS 8 client computers, remove the Multiple Users startup extensi
442 Chapter 10 When a user connects to a Macintosh Manager server, the client computer should use the same language software that was used during an
Client Management: Mac OS 9 and OS 8 443 Macintosh Manager’s design prevents users from renaming Macintosh Manager files or changing the file type or c
444 Chapter 10 • Multi-User Items file: This file contains an archive of the files currently inside the Multi-User Items folder. Do not open or modify
Client Management: Mac OS 9 and OS 8 445 For more information about Directory Services, see Chapter 2, “Directory Services.” Macintosh Manager uses th
446 Chapter 10 How Macintosh Manager Works With Home Directories You can set up home directory locations when you create user accounts. If a user doe
Client Management: Mac OS 9 and OS 8 447 Using the MMLocalPrefs Extension If some applications create excess network activity, storing preferences loc
448 Chapter 10 Setting Up Mac OS 9 or Mac OS 8 Managed Clients The following steps provide an overview of the initial setup process for managing clie
Client Management: Mac OS 9 and OS 8 449 Step 7: Create computer lists Computer lists let you group computers and apply the same settings to all the c
Directory Services 45 Processes no longer need to know how and where administrative data is stored. Open Directory gets the data for them. If a proce
450 Chapter 10 2 Choose Preferences from the Macintosh Manager menu (in Mac OS X) or choose Preferences from the File menu (in Mac OS 9). 3 Select se
Client Management: Mac OS 9 and OS 8 451 Importing All Users If you have a small number of users in your Mac OS X Server database, you may want to imp
452 Chapter 10 To collect user information in a text file: 1 Make sure each user in the file already exists in directory services. Information for mis
Client Management: Mac OS 9 and OS 8 453 4 Select the kinds of search information you want to use. If you select Comment, you can find users that have
454 Chapter 10 Providing Access to Unimported Mac OS X Server Users After you enable the All Other Users feature, Macintosh Manager creates the All O
Client Management: Mac OS 9 and OS 8 455 3 Click Users, and select Guest in the Imported Users list. In the Basic and Advanced panes, select the sett
456 Chapter 10 About Workgroup Administrators Workgroup administrators can add or modify user accounts and workgroups according to privileges assigne
Client Management: Mac OS 9 and OS 8 457 Working With User Settings This section describes basic and advanced user settings and how to use them. Avail
458 Chapter 10 Granting a User System Access Users who have system access can access all items on a client computer, including the Finder and the Sys
Client Management: Mac OS 9 and OS 8 459 3 Select “Set user storage quota to __ K” and type the maximum amount of storage space to allow in kilobytes
46 Chapter 2 Open Directory solves this problem by letting you store administrative data in a directory domain that can be managed by a system admin
460 Chapter 10 Types of Workgroup Environments Workgroups can have one of three types of desktop environments. All three types have some optional set
Client Management: Mac OS 9 and OS 8 461 Using a Template to Apply Workgroup Settings You can use a template to quickly create several workgroups that
462 Chapter 10 4 To add new members, select one or more users in the Available Users list and click Add. To remove members, select members in the Wo
Client Management: Mac OS 9 and OS 8 463 Making Items Available to Panels or Restricted Finder Workgroups If you choose to allow access to only specifi
464 Chapter 10 Making Items Available to Individual Users In some cases, you may want to make specific documents or applications available to individu
Client Management: Mac OS 9 and OS 8 465 Preventing Applications From Altering Files Enforcing file-level security prevents applications from writing t
466 Chapter 10 3 Select “Take Screen Shots,” then click Save. If disk space is a concern, you may not want to enable this feature. Allowing Users to O
Client Management: Mac OS 9 and OS 8 467 3 Select each menu item you want workgroup members to be able to use, then click Save. Sharing Information in
468 Chapter 10 Folder Access Privileges Macintosh Manager allows four levels of access privileges for workgroup folders: Selecting Privileges for Work
Client Management: Mac OS 9 and OS 8 469 2 Click Workgroups, then click Privileges. 3 Select one or more workgroups in the Workgroups list. 4 In the Pr
Directory Services 47 • Folder and file access. After logging in successfully, a user can access files and folders. Mac OS X uses another data item fro
470 Chapter 10 Providing Access to Server Volumes If workgroup members need to use files and applications that are not stored on the Macintosh Manager
Client Management: Mac OS 9 and OS 8 471 Using Printers Settings Printers settings let you control access to workgroup printers and limit the number o
472 Chapter 10 Restricting Access to Printers You can restrict access to a printer by removing it from the Selected Printers list or by requiring a p
Client Management: Mac OS 9 and OS 8 473 3 Click Save. Setting Up a System Access Printer If the printer you want to use doesn’t support desktop printi
474 Chapter 10 Using Options Settings Options settings are used to set up a group documents folder, create a login message for workgroups, set startu
Client Management: Mac OS 9 and OS 8 475 To open items at startup: 1 Before you enable the Startup Items option for Macintosh Manager clients, make su
476 Chapter 10 Setting Up Computer Lists You can use Macintosh Manager to manage computers by grouping several computers together and choosing settin
Client Management: Mac OS 9 and OS 8 477 3 Choose the settings you want to use in each pane of the Computers pane, then click Save. Duplicating a Comp
478 Chapter 10 2 Select a computer list, then set one of the login options explained in the steps that follow. 3 Select “Disabled--Ask User” to allow
Client Management: Mac OS 9 and OS 8 479 Using Control Settings Control settings are used to set email settings in addition to options that affect the
48 Chapter 2 For example, when you define a user by using the Accounts module of Workgroup Manager, you are creating a user record (a record of the u
480 Chapter 10 To use a specific hard disk name: 1 In Macintosh Manager, click Computers, and then click Control. 2 Select a computer list, then selec
Client Management: Mac OS 9 and OS 8 481 Idle logout occurs when there is no user activity (such as typing or using the mouse) for a specified period
482 Chapter 10 To allow access to only specific CDs or DVDs: 1 In Macintosh Manager, make sure you have already set up a list of approved discs and i
Client Management: Mac OS 9 and OS 8 483 Allowing Users to Work Offline If the Macintosh Manager server or a user’s home directory is not available, y
484 Chapter 10 If you want NetBoot client computers to choose a different Macintosh Manager server, remove the DNSPlugin extension from the NetBoot
Client Management: Mac OS 9 and OS 8 485 2 Click Log-In and select a computer list. 3 Select “Users choose their name from a list (1-2000 users)” to u
486 Chapter 10 Managing Portable Computers It is important to plan how you want to manage portable computers that have access to your network. This s
Client Management: Mac OS 9 and OS 8 487 3 Select “These computers can be Checked Out” and then select one of the checkout options in the steps that
488 Chapter 10 Setting the Number of Items in a Report You can set the maximum number of log entries to show in Macintosh Manager reports. Note: The
Client Management: Mac OS 9 and OS 8 489 2 If “Users can change their passwords” is selected, deselect it. 3 Click Save. Note: In order to use Passwor
Directory Services 49 In fact, Open Directory can provide information about network services both from service discovery protocols and from directory
490 Chapter 10 Netscape ƒ (cache folder inside is deleted); Newswatcher Preferences; RealAudio Player Preferences; StuffIt Expander Preferences. To set how
Client Management: Mac OS 9 and OS 8 491 Managing Preferences You can use the Managed Preferences folder to customize how application preferences and
492 Chapter 10 3 Create any preferences you want to place in the Initial Preferences folder. 4 Copy the preferences you created to the Initial Prefer
Client Management: Mac OS 9 and OS 8 493 • Mac OS 9 clients: When a user logs in, Macintosh Manager compares preference folders and files in the /Lib
494 Chapter 10 When you use Preserved Preferences, this is what happens during login and logout on a Mac OS 8 client: • When a user logs in: Macinto
Client Management: Mac OS 9 and OS 8 495 The table below lists certain preferences that are always copied, and other preferences that are never copie
496 Chapter 10 7 Select “Use preferences from home folder.” 8 Click Apply Now. Alternatively, you can do the following on each Mac OS X client. Open S
Client Management: Mac OS 9 and OS 8 497 Some Printers Don’t Appear in the Available Printers List When you make printers available to client computer
498 Chapter 10 Macintosh Manager client computers can, however, use AppleTalk for service discovery. If your network has AppleTalk zones, users on M
Client Management: Mac OS 9 and OS 8 499You can create a folder called “Other Applications•” and then put the Applications folder (and all of its co
Contents 5 Working With Member Settings for Groups 169Working With Folder Settings for Groups 172Working With Group and Computer Preference
50 Chapter 2 m Lightweight Directory Access Protocol (LDAP), an open standard commonly used in mixed environmentsm NetInfo, the Apple directory serv
LL0395.Book Page 500 Wednesday, November 20, 2002 11:44 AM
501 CHAPTER 11 DHCP Service Dynamic Host Configuration Protocol (DHCP) service lets you administer and distribute IP addresses to client computers fro
502 Chapter 11 Before You Set Up DHCP ServiceBefore you set up DHCP service, read this section for information about creating subnets, assigning sta
DHCP Service 503Locating the DHCP ServerWhen a client computer looks for a DHCP server, it broadcasts a message. If your DHCP server is on a differe
504 Chapter 11 To create subnets:1 In Server Settings, click the Network tab, click DHCP/NetBoot, and choose Configure DHCP/NetBoot.If you configured
DHCP Service 505Managing DHCP ServiceThis section describes how to set up and manage DHCP service on Mac OS X Server.Starting and Stopping DHCP Serv
506 Chapter 11 7 Select “LDAP over SSL” if you wish LDAP information to be encrypted with SSL. SSL must be enabled on your server to use this option.
DHCP Service 5072 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.3 Select a subnet address range and click Edit.4 Enter a number in the Lease T
508 Chapter 11 Addresses must be contiguous, and they can’t overlap.6 Enter the subnet mask and router for this subnet, then click Save.Click Use De
DHCP Service 509You need to know the file name of the NetInfo database (or NetInfo tag) you want to use and the IP address of the server that hosts t
Directory Services 51After login, the user may choose Connect To Server from the Go menu and connect to a file server on a computer running Mac OS X
510 Chapter 11 To view the DHCP or NetBoot client list: 1 In Server Status, locate your server in the Devices & Services list and select DHCP-Net
511 CHAPTER 12 NetBoot NetBoot lets you start up Macintosh client computers from disk images stored on servers running Mac OS X Server. A disk image
512 Chapter 12 Mac OS X Server includes the following CDs containing applications and files specific to NetBoot: m Mac OS X Server Administration Tool
NetBoot 513These are estimates for the number of clients supported. See “Capacity Planning” on page 515 for a more detailed discussion of the optima
514 Chapter 12 To update a Mac OS X disk image, see “Updating an Existing Mac OS X NetBoot Disk Image” on page 527.To update Mac OS 9 disk images, s
NetBoot 515Capacity PlanningThe number of NetBoot client computers you can connect to your server depends on how your server is configured, the serve
516 Chapter 12 Inside NetBootThis section describes how NetBoot is implemented on Mac OS X Server—including information on the protocols, files, dire
NetBoot 517Mac OS 9 NetBoot image folder (MacOS9.2.2.nbi)You use NetBoot Desktop Admin to modify the Mac OS 9 NBI folder. The utility lets you chang
518 Chapter 12 Mac OS 9 property listMac OS X property listProperty Type DescriptionBootFile String Name of boot ROM file: Mac OS ROM.Index Number 1
NetBoot 519Boot Server Discovery Protocol (BSDP)NetBoot uses an Apple-created extension based on DHCP called Boot Server Discovery Protocol (BSDP).
52 Chapter 2 Similarly, you can make network resources such as printers visible to certain computers by setting up printer records in a shared domai
520 Chapter 12 If the mount point specified by path is directly bootable, you don’t need to specify image.Examples:m server3:/Images/OSX/Jaguar:Jag_
NetBoot 521 Security You can secure access to NetBoot service on a case-by-case basis using the hardware address of specific computers to which you spe
522 Chapter 12 Setup OverviewHere is an overview of the basic steps for setting up NetBoot:Step 1: Evaluate and update your network, servers, and cl
NetBoot 523Step 2: Create disk images for client computersYou can set up both Mac OS 9 disk images and Mac OS X disk images for client computers to
524 Chapter 12 You can set up NetBoot in the following ways:Clients running Mac OS 9: Use the Startup Disk control panel to select a startup disk i
NetBoot 525Setting Up NetBootThis section describes how to enable NetBoot on a Mac OS X server and how to create and edit NetBoot disk images. Creat
526 Chapter 12 Installing Classic on a Mac OS X Disk ImageYou install Classic onto a Mac OS X image by copying a Mac OS 9.2.2 system folder into an
NetBoot 527Updating an Existing Mac OS X NetBoot Disk ImageYou can apply a Mac OS X system update to an existing NetBoot image so that your clients
528 Chapter 12 Creating a Mac OS X NetBoot Image From an Existing SystemIf you already have a client computer set up to suit your users, you can use
NetBoot 529 Add all of these properties, classes, and values: • BootFile, String, booter • Index, Number, <a unique image index of your choice> •
Directory Services 53While some devices may need to be used only by specific departments, other resources, such as personnel forms, may need to be sh
530 Chapter 12 Modifying a Mac OS 9 Disk ImageTo install software on or change the preconfigured Mac OS 9 disk image, you need to start up from a Net
NetBoot 531Be sure the disk image has enough space for the software you want to install. However, increase the size of an image only as much as need
532 Chapter 12 Specifying the Default NetBoot Disk ImageThe default disk image is the NetBoot disk image used when a user starts a client computer u
NetBoot 533Configuring NetBoot on Your ServerYou use DHCP/NetBoot module of Server Settings to configure your Mac OS X Server to provide NetBoot serv
534 Chapter 12 Starting NetBoot on Your ServerYou turn on NetBoot by starting DHCP. Note: You must also enable one or more images on your server be
NetBoot 535Managing NetBootThis section describes how to manage the ongoing use of a NetBoot installation. Turning Off NetBootThe best way to preven
536 Chapter 12 Monitoring the Status of Mac OS 9 NetBoot ClientsServer Status lets you monitor all services on a Mac OS X server. To monitor NetBoot
NetBoot 537Load BalancingNetBoot provides a significant benefit to those system administrators tasked with maintaining a large number of Macintosh com
538 Chapter 12 Using Share Points to Spread the Shadow Image LoadBy default, NetBoot creates share points for client shadow images on all server vol
NetBoot 539After the client computer has started up, you can use the Startup Disk control panel (Mac OS 9) or preference pane (Mac OS X) to select t
54 Chapter 2 Shared Data in Existing Directory DomainsSome organizations—such as universities and worldwide corporations—maintain user information a
540 Chapter 12 Starting Up Using the N KeyYou can use this method to start up any supported client computer from a NetBoot disk image. When you star
NetBoot 541Solving ProblemsA NetBoot Client Computer Won’t Start Upm Sometimes a computer may not start up immediately because other computers are p
543 CHAPTER 13 Network Install Network Install lets you install Mac OS X system software and other software onto client computers over the network. N
544 Chapter 13 Before You Set Up Network InstallReview the first part of Chapter 12, “NetBoot,” for system requirements and other information that ap
Network Install 545Setting Up Network InstallThis section tells you how to create installer disk images and enable them on your server.Creating a Ne
546 Chapter 13 Enabling an Installer Disk ImageYou must enable an installer disk image on your server to make it available to client computers on th
Network Install 547About PackagesIf you plan to use Network Install to install application software or other files, you’ll need to group the applicat
548 Chapter 13 For more information on creating packages, open PackageMaker and choose PackageMaker Help, PackageMaker Release Notes, or Package For
Network Install 549Adding Packages to a Custom Package Install ImageTo add application or file packages to an installer image that does not contain s
Directory Services 55Two-Level HierarchiesThe simplest hierarchy is a two-level hierarchy:Here’s a scenario in which a two-level hierarchy might be
550 Chapter 13 Automating Installation of an OS ImageTo install Mac OS software (along with any packages you add) with limited or no interaction fro
Network Install 551About the minstallconfig.xml FileAutomated installs use information in this file to control how the installation proceeds. So, for
552 Chapter 13 Selecting a Network Install Image (From a Mac OS X client)If the client computer is running Mac OS X version 10.2 or later, use the S
553 CHAPTER 14 DNS Service When your clients want to connect to a network resource such as a Web or file server, they typically request it by its doma
554 Chapter 14 Before You Set Up DNS ServiceThis section contains information you should consider before setting up DNS on your network. The issues
DNS Service 555If you want to change your mail server or redirect mail, you have to notify potential senders of a new address for your users. Or, yo
556 Chapter 14 For example, a server in a domain would be host1.example.com, a server in a subdomain would be host2.good.example.com. The DNS server
DNS Service 557To start or stop DNS service:1 In Server Settings, click the Network tab.2 Click DNS Service and choose Start DNS or Stop DNS.When th
558 Chapter 14 m Canonical Name (CName): Asks for the “real name” of a server when given a “nickname” or alias. For example, mail.apple.com might h
DNS Service 559Zone Data FilesZone data files consist of paired address files and reverse lookup files. Address records link host names (host1.example.
56 Chapter 2 While local domains reside on their respective servers, a shared domain can reside on any Mac OS X Server accessible from the local dom
560 Chapter 14 3 In the “Go to the folder:” sheet, enter “/etc” (no quotation marks) and click the Go button.4 Locate the file named.conf and rename
DNS Service 561Check Your ConfigurationTo verify the steps were successful, open Terminal, located in /Applications/Utilities and enter the followin
562 Chapter 14 If it’s unlikely that your local area network will ever be connected to the Internet and you want to use TCP/IP as the protocol for t
563 CHAPTER 15 Firewall Service Firewall service is software that protects the network applications running on your Mac OS X Server. Turning on firewa
564 Chapter 15 The picture below illustrates this process. The port filters you create are applied to TCP packets and can also be applied to UDP packe
Firewall Service 565 Before You Set Up Firewall Service When you start firewall service, the default configuration denies access to all incoming packets
566 Chapter 15 The segments in a mask go from general to specific, so the earlier a zero appears in the segments of the subnet mask, the wider the re
Firewall Service 567 IP Address Precedence If you create multiple filters for a port number, the filter that contains the most specific address range has
568 Chapter 15 Block Junk Mail To reject email from a junk mail sender with an IP address of 17.128.100.0 and accept all other Internet email: Allow a
Firewall Service 569 Step 2: Add filters to the IP filter list Read “Before You Set Up Firewall Service” on page 565 to learn how IP filters work and h
Directory Services 57More Complex HierarchiesOpen Directory also supports multilevel domain hierarchies. Complex networks with large numbers of user
570 Chapter 15 To set firewall service to start automatically each time your computer starts up: 1 In Server Settings, click the Network tab. 2 Click
Firewall Service 571 7 If you choose “a range of IP addresses,” enter a subnet mask or click Use My Subnet to use the computer’s subnet mask. The resu
572 Chapter 15 To configure firewall service: 1 In Server Settings, click the Network tab. 2 Click Firewall and choose Configure Firewall. 3 Select “Sta
Firewall Service 573 Log Example 2
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
This entry s
574 Chapter 15 UDP ports above 1023 are allocated dynamically by certain services, so their exact port numbers may not be determined in advance. To s
Firewall Service 575 5 Click Save, then restart firewall service. Any IP filters you create allow NetInfo access for the IP addresses you specify. By de
576 Chapter 15 5 Click Save, then restart firewall service. Creating IP Filter Rules Using ipfw You can use the ipfw command in conjunction with the fir
Firewall Service 577 Reviewing IP Filter Rules To review the rules currently defined for your server, use the Terminal application to submit the ipfw s
578 Chapter 15 For more information, consult the man pages for ipfw. Port Reference The following tables show the TCP and UDP port numbers commonly us
Firewall Service 579
139 Windows file and print (SMB) RFC 100
143 IMAP (email access) RFC 2060
311 AppleShare IP remote Web administration, Server Monit
58 Chapter 2 You can affect an entire network or just a group of computers by choosing the domain in which to publish administrative data. The highe
580 Chapter 15
2049 NFS
2236 Macintosh Manager
3031 Program Linking
3283 Apple Remote Desktop
7070 Real-Time Streaming Protocol (QTSS)
8000–8999 Web serv
Firewall Service 581 Solving Problems This section reviews some common firewall service issues and provides possible solutions. You Can’t Access the Ser
582 Chapter 15 Where to Find More Information Request for Comments (RFC) documents provide an overview of a protocol or service and details about how
583 CHAPTER 16 SLP DA Service Service Location Protocol Directory Agent (SLP DA) provides structure to the services (or resources) available on a net
584 Chapter 16 Step 1: Define scopesTo define scopes, you need to decide how you want to organize the computers on your network. A scope can be a log
SLP DA Service 5851 In the Registered Services window, click New Service.2 In the Add Proxied Service dialog, choose the scope and add the service y
586 Chapter 16 5 Double-click a service to see more detailed information about the service.You can change the way the list is sorted by clicking a c
SLP DA Service 587Deregistering Services in SLP DA ServiceIf a service is no longer available to network clients, you must manually remove the servi
588 Chapter 16 Using the Attributes ListServices may advertise their presence on the network along with a list of attributes. These attributes are l
589 CHAPTER 17 Tools for Advanced Administrators This chapter describes tools and techniques intended for use by experienced server administrators. T
Directory Services 59If the local domain does not contain the user’s record, Open Directory goes to the next directory domain in the search policy.
590 Chapter 17 Terminal You use the Terminal application to run command-line tools. Most of the tools described in this chapter are command-line too
Tools for Advanced Administrators 591The percent symbol (%) is called the prompt. It indicates that you can enter a command. Press the Return key af
592 Chapter 17 Opening an SSH Session Open an SSH session and log in to a remote server when you manage the remote server using command-line tools. To
Tools for Advanced Administrators 593 Understanding Key Fingerprints The first time you log in to a server using SSH, your local computer adds a “finger
594 Chapter 17 createhomedirUse createhomedir to create AFP or NFS home directories for one or more users. m This tool is especially useful just aft
Tools for Advanced Administrators 595There are several additional parameters you can specify. Refer to comments in the configuration files for informa
596 Chapter 17 m If you want to provide your own alert and recovery scripts, you can. Put your alert script in /etc/diskspacemonitor/action/alert.lo
Tools for Advanced Administrators 597 Using installer Here are the parameters that installer accepts. Parameters are delimited using angle brackets (&
598 Chapter 17 -plist formats the installer tool’s output into an XML file, which is sent by default to StdOut. You use this parameter with -pkginfo
Tools for Advanced Administrators 599Full Operating System InstallationIf you have to install the operating system on a remote Mac OS X Server, you
6 Contents Solving Problems With File Services 275Where to Find More Information About File Services 278 6 Client Management: Mac OS X
60 Chapter 2 Next the automatic search policy looks at the binding of shared NetInfo domains. The computer’s local domain may be bound to a shared N
600 Chapter 17 6 Type one of these commands to restart the server:
/sbin/reboot
/sbin/shutdown -r
softwareupdate
You use softwareupdate to find new ver
Tools for Advanced Administrators 601Working With Server Identity and StartupYou can use systemsetup to set information about a remote server and sp
602 Chapter 17 networksetupUse networksetup to configure network services on a remote Mac OS X Server. A network service is a complete collection of
Tools for Advanced Administrators 603Retrieving Your Server’s Network ConfigurationYou can use networksetup to find out about the network services on
604 Chapter 17 Managing Network ServicesYou can use networksetup to create or rename network services, turn them on or off, remove them, and change
Tools for Advanced Administrators 605 • To enable or disable the proxy settings, use these networksetup commands: -setftpproxystate <network servi
606 Chapter 17 SNMP support in Mac OS X Server is turned off by default. To turn it on, use TextEdit or another application to edit the /etc/hostcon
Tools for Advanced Administrators 607 Note: IP failover only allows a secondary server to acquire a primary server’s IP address. You need additional
608 Chapter 17 Normal operation and failover operation are illustrated in the following two diagrams. Diagram labels: Crossover Cable, en1, en1, en0, en0, 100.0.0.11, 100.0.0.10
Tools for Advanced Administrators 609 Enabling IP Failover You enable IP failover by adding command lines to the file /etc/hostconfig on the primary and
Directory Services 61Directory Domain PlanningKeeping information in shared directory domains gives you more control over your network, allows more
610 Chapter 17 7 Reconnect the primary server to the private network, wait fifteen seconds, then reconnect the primary server to the public network.8
Tools for Advanced Administrators 611m PreAcq–run before acquiring IP address from primary serverm PostAcq–run after acquiring IP address from prima
612 Chapter 17 When you enable journaling on a disk, a continuous record of changes to files on the disk is maintained in the journal. If your server
Tools for Advanced Administrators 6135 To disable journaling, select the Information tab, then click Remove Journaling. Enabling Journaling Using di
614 Chapter 17 To disable journaling for a volume called MyDisk, type “sudo /usr/sbin/diskutil disableJournal /Volumes/MyDisk”. Repairing a Journaled
Tools for Advanced Administrators 615 3 In the New Keychain Passphrase dialog that appears, enter a passphrase or password for the keychain you are c
616 Chapter 17 10 Type y when asked to confirm the selected algorithm, then press Return. You have selected algorithm RSA with SHA1. OK (y/anything)? 1
Tools for Advanced Administrators 617 Importing an SSL Certificate Into the Keychain To import an SSL certificate into a keychain, use the command-line
618 Chapter 17 6 In the Terminal application, change the access privileges to the passphrase file so only root can read and write to this file. Do thi
Tools for Advanced Administrators 619 4 When prompted, enter and reenter an encryption key: Password for local: Re-enter to verify: Initialize service f
62 Chapter 2 Larger, more complex organizations can benefit from a deeper directory domain hierarchy. Controlling Data AccessibilityHierarchies that
620 Chapter 17 10 If the server has a shared NetInfo domain, enter the following command line in the Terminal application to set the Authentication
621 APPENDIX A Data Requirements of Mac OS X Directory Services This appendix specifies the standard record types and attributes of Mac OS X directory
622 Appendix A User Data That Mac OS X Server UsesThe following table describes how your Mac OS X Server uses data from user records in directory do
Data Requirements of Mac OS X Directory Services 623Standard Attributes in User RecordsThe following table specifies facts about the standard attribu
624 Appendix A NFSHomeDirectory:local file system path to the user’s home directoryUTF-8 text /Network/Servers/example/Users/K-M/Tom KingNon-zero len
Data Requirements of Mac OS X Directory Services 625MailAttribute: a user’s mail service configuration (refer to “Format of MailAttribute in User Rec
626 Appendix A AdminLimitsthe privileges allowed by Workgroup Manager to a user that can administer the directory domain UTF-8 XML plist, single val
Data Requirements of Mac OS X Directory Services 627AuthenticationAuthority:describes the user’s authentication methods, such as Password Server or
628 Appendix A PhoneNumbernot used by Mac OS X, but corresponds to part of standard LDAP schema AddressLine1not used by Mac OS X, but corresponds to
Data Requirements of Mac OS X Directory Services 629Format of MailAttribute in User RecordsEnsure that the MailAttribute of each user record that yo
Directory Services 63You’ll want to try to make each directory domain applicable to all the computers that use it so you don’t have to change or add
630 Appendix A AutoForwardValue A required field only if MailAccountState has the value “Forward.” The value must be a valid RFC 822 email address.&l
Data Requirements of Mac OS X Directory Services 631SeparateInboxState An optional case-insensitive keyword indicating whether the user manages POP
632 Appendix A Standard Attributes in Group RecordsThe following table specifies facts about the standard attributes, or data types, found in group r
Data Requirements of Mac OS X Directory Services 633Member:same data as GroupMembership but each is used by different services of Mac OS X ServerASC
634 Appendix A Standard Attributes in Computer RecordsThe following table specifies facts about the standard attributes, or data types, found in comp
Data Requirements of Mac OS X Directory Services 635Standard Attributes in Computer List RecordsThe following table specifies facts about the standar
636 Appendix A Standard Attributes in Mount RecordsThe following table specifies facts about the standard attributes, or data types, found in mount r
Data Requirements of Mac OS X Directory Services 637Standard Attributes in Config RecordsThe following table specifies facts about the standard attri
639 APPENDIX B Integrating Mac OS X Directory Services With Active Directory This appendix describes how information stored in an Active Directory dom
64 Chapter 2 Authentication is part of the process by which your server determines whether it should grant access to a user, computer, or program. U
640 Appendix B m In another scenario, a Mac OS X Server hosts AFP home directories for Mac OS X users whose accounts are stored in an Active Directo
Integrating Mac OS X Directory Services With Active Directory 641Step 1: Connect to Mac OS X ServerAfter logging in to a Mac OS 9 or Mac OS X comput
642 Appendix B In this example, the user records reside in an Active Directory domain on a Windows 2000 server. The name of the Windows server is su
Integrating Mac OS X Directory Services With Active Directory 643 2 Set up the Mac OS X Server that provides Apple file service so it can access the
644 Appendix B The following figure illustrates this scenario. A user has access to his or her home directory on Mac OS X Server after logging in to
Integrating Mac OS X Directory Services With Active Directory 645In this example, the user and mount records reside in an Active Directory domain on
646 Appendix B Step 4: Access the home directoryThe home directory is now mounted and visible on the user’s computer in the Mac OS X Finder, and log
Integrating Mac OS X Directory Services With Active Directory 647The following tables summarize the Active Directory data needed to support the AFP
648 Appendix B 2 Set up the Mac OS X computers, both clients and server, so they can access the Active Directory data. Use the Directory Access appl
649 Glossary This glossary defines terms and spells out abbreviations you may encounter while working with online help or the “Mac OS X Server Administ
Directory Services 65 Password Server Authentication Methods A Password Server supports many different methods of authenticating users for login and o
650 Glossary CGI (Common Gateway Interface) A script or program that adds dynamic functions to a Web site. A CGI sends information back and forth be
Glossary 651dynamic IP address An IP address that is assigned for a limited period of time or until the client computer no longer needs the IP addr
652 Glossary I, J, KIANA (Internet Assigned Numbers Authority) An organization responsible for allocating IP addresses, assigning protocol parameter
Glossary 653Mmail host The computer that provides your mail service.managed client A user, group, or computer whose access privileges and/or prefe
654 Glossary Network File System (NFS) A client/server protocol that uses TCP/IP to allow remote users to access files as though they were local. NFS
Glossary 655preferences cache A storage place for computer preferences and preferences for groups associated with that computer. Cached preferences
656 Glossary search policy A list of directory domains searched by a Mac OS X computer when it needs configuration information; also the order in whi
Glossary 657TTCP (Transmission Control Protocol) A method used along with the Internet Protocol (IP) to send data in the form of message units betw
658 Glossary WWebDAV (Web-based Distributed Authoring and Versioning) A live authoring environment that allows client users to check out Web pages,
659IndexAaccess logs 240access privilegesabout 120, 215of Active Directory users 641, 645administrator 216copying 228directory services and 47
66 Chapter 2 APOP Authentication Method APOP is used by many email programs. It encodes passwords when they are sent over the network, and stores the
660 Index administrator accountsbacking up 209administrator computerdefined 33administrator privilegesdirectory domain 121, 142local computer 121s
Index 661attributes list 588authenticationActive Directory for 640–643, 643–648Apple file service 236, 640–643directory data and 46FTP service 2
662 Index bsdpd_clients filedetermining client NetBoot server 537role and location 520CCA certificate 383cache. See DNS cachecache. See proxy cach
Index 663user experience 436using NetBoot 447using update package 441client management, Mac OS XSee also Workgroup Managerabout 279administrator
664 Index DHCP servers 503interactions 503network location 503DHCP service 501–510AirPort Base Stations 503automatic search policy and 60, 88de
Index 665setup overview 68status 115tools summary 68disconnect messages 241Disk Copycreating NetBoot images 528disk images, NetBoot 511, 519co
666 Index error logs 240, 245Ethernetdisabling NetBoot on ports 535requirements for NetBoot 515everyoneaccess privileges 217explicit privileges
Index 667solving problems 581starting 569starting automatically 569stopping 569uses for 564viewing logs 571folder access privileges 468folder
668 Index guest accountsaccess guidelines 220security guidelines 234guestsrestricting access 220guest user account, Mac OS 9 and 8 453guest users
Index 669Internet Gateway Multicast Protocol See IGMPInternet Message Access Protocol (IMAP)See IMAPInternet servers. See Web serversIP addressesass
Directory Services 67m Mac OS 8.1–8.6 client computers that have file server volumes mount automatically during startup should use AppleShare Client
670 Index LDAP Bind authentication 208ldapsearch 620LDAP serveraddress via DHCP 505LDAPv2access settings 102adding servers 101configuring 100–10
Index 671access privileges 466administrator access to user accounts 489administrator login 449All Other Computers account 476allowing media acce
672 Index user settings, basic 457users working offline 483using Password Server 489using server administrator accounts 455viewing reports 487wir
Index 673IMAP (Internet Message Access Protocol) 393, 407–410, 418IMAP authentication 408IMAP connections per user 409IMAP port 410IMAP response
674 Index adding to OS install image 548Microsoft Active Directory. See Active DirectoryMIME (Multipurpose Internet Mail Extension) 360–361mappings
Index 675image folder 516–517image size 516installing Classic in image 526key features 511load balancing 537–538monitoring Mac OS 9 clients 53
676 Index network servicesassigning to scopes 584data items used by 622discovery protocols 48networksetup 602nfsd daemons 270NFS serviceabout 2
Index 677adding to OS install image 548viewing contents of 547Panels workgroup 460parent NetInfo domain 105passwordsadministrator 133Authentica
678 Index Postfix program, configuring 393postmaster mail account 401, 426–427Post Office Protocol (POP)See POPpreference cacheabout 296how to emp
Index 679renaming 348restarting 347print quotasenforcing 342managing 352setting for Mac OS 9 and 8 clients 472setting up 342print serviceabout
68 Chapter 2 The Password Server must remain available to provide authentication services. If the Password Server goes down, password validation can
680 Index remote administration 33, 114; Rendezvous 48, 86; reports: Macintosh Manager 487; resources: Apache Web server 39; file services 278; Mac OS X Server
Index 681 Server Assistant application 33; server management: more information 39; Server Message Block (SMB). See SMB; Server Monitor application: connecting
682 Index firewall, starting and stopping 569; firewall default filter 575; firewall filters, creating 570; firewall filters, editing 570; firewall filters, findin
Index 683 undeliverable mail, forwarding 426; undeliverable mail, reporting 427; viewing Web service status 368; WebDAV, enabling 374; WebDAV realms, set
684 Index Sherlock: AFP and 236; showmount command 271; Simple Mail Transfer Protocol. See SMTP; Simple Network Management Protocol (SNMP) 605; SLP (Service L
Index 685 staff (predefined group account) 128; starting up using N key 540; Startup Disk control panel, updating 538; startup image, selecting 539; stat
686 Index UDP ports 580; undeliverable mail 425–427; Universal Serial Bus (USB) 336; UNIX: BSD configuration files 50, 110; commands, understanding 591; compa
Index 687 MailAttribute 629–631; mapping data 622–631; Users 385; users: anonymous FTP users 278; categories 216; characteristics of 118; limiting connection
688 Index Tomcat 367; WebDAV 367; WebMail, managing 380–382; Web site privileges 362; Web services logs, viewing 368; Web site setting up SSL 378; Web
Index 689 adding Dock items 309, 310, 323; adding to computer accounts 287; adding users to groups 170; allowing access to local applications 302; allowi
Directory Services 69 Step 2: Set up Open Directory domains and Password Servers. Create shared directory domains on the Mac OS X Servers that you want
690 Index showing password hint 321; solving problems 210; sorting account lists 178; specifying a Classic System Folder 305; starting Classic at login
Contents 7 Managing Print Logs 352; Solving Problems 354; 8 Web Service 357; Before You Begin 358; Setting Up Web Service for the First T
70 Chapter 2 Before You Begin. Before setting up directory services for the first time: • Understand why clients need directory data, as discussed in th
Directory Services 71 Always remember: directory information is authoritative. It vitally affects everyone whose computers use it. Setting Up an Open
72 Chapter 2 To configure how your server works with directory information and a Password Server: 1 Open the Open Directory Assistant application. It
Directory Services 73 For Password, enter the password for the user name you entered. 3 Click the right arrow to get to the Location step, and then se
74 Chapter 2 If you select Static IP Address, you must enter the IP address or DNS name of the Mac OS X Server whose LDAP domain you want your serve
Directory Services 75 Hosting a Shared Directory Domain With a Password Server. Using the Open Directory Assistant application, you can set up a Mac OS
76 Chapter 2 5 Go to the Configure step, where you specify how other computers can access the server’s shared Open Directory domain. Other computers c
Directory Services 77 Hosting a Shared Directory Domain and Using an Existing Password Server. Using the Open Directory Assistant application, you can
78 Chapter 2 5 Go to the Configure step, where you specify how other computers can access the server’s shared Open Directory domain. Other computers c
Directory Services 79 If you create user accounts without a Password Server and later reconfigure your Mac OS X Server to host or use a Password Serve
8 Contents Limiting Junk Mail 421; Working With Undeliverable Mail 425; Monitoring Mail Status 427; Supporting Mail Users 429; Performance
80 Chapter 2 6 Advance to the Security step and select “Password and authentication information will be stored and accessed locally in user records.
Directory Services 81 4 Advance to the Directory Use step, and then select the option “The server will use a non-shared local directory.” 5 Go to the
82 Chapter 2 If your Mac OS X Server currently gets directory information from another server and you change to getting directory information only f
Directory Services 83 For User Name, enter the user name of an administrator of the Password Server. This administrator is a domain administrator for
84 Chapter 2 To configure a server to use only its own non-shared local directory domain with no Password Server: 1 Open the Open Directory Assistant
Directory Services 85 After making sure that no servers or client computers are using a shared Open Directory domain, you can delete it by using Open
86 Chapter 2 Configuring Open Directory Service Protocols. Open Directory uses many protocols to access administrative data in directory domains and d
Directory Services 87 4 Click Apply. Configuring SMB Service Discovery. You can configure how Mac OS X uses the Server Message Block (SMB) protocol to di
88 Chapter 2 You can configure the authentication search policy for a Mac OS X Server or other Mac OS X computer by using the Directory Access applic
Directory Services 89 Note: Make sure the computer has been configured to access the LDAP servers, Active Directory servers, NetInfo domains, and BSD
Contents 9 11 DHCP Service 501; Before You Set Up DHCP Service 502; Setting Up DHCP Service for the First Time 503; Managing DHCP Service
90 Chapter 2 Changing Basic LDAPv3 Settings. You can use the Directory Access application to change basic settings for accessing LDAPv3 servers, inclu
Directory Services 91 4 From the Location pop-up menu, choose the network location that you want to see, or use Automatic. 5 Click Show Options or Hid
92 Chapter 2 7 Click the pop-up menu next to the DNS name or IP address and choose a mapping template or choose From Server. Before you can use Workg
Directory Services 93 Duplicating an LDAPv3 Configuration. You can use Directory Access to duplicate an LDAPv3 server configuration. After duplicating a
94 Chapter 2 Changing an LDAPv3 Configuration’s Connection Settings. You can use Directory Access to change the connection settings for an LDAPv3 serv
Directory Services 95 Note: The mapping of Mac OS X attributes can be different for each record type. Mac OS X has separate LDAPv3 mappings for each
96 Chapter 2 To change a mapping for a record type, select the record type in the Record Types and Attributes List. Then double-click the LDAPv3 obj
Directory Services 97 Mapping Config Record Attributes for LDAPv3 Directory Domains. If you want to store information for managed Mac OS X users in an
98 Chapter 2 You can find out the object classes of existing user records on the LDAPv3 server by using the UNIX tool ldapsearch in a Terminal window
Directory Services 99 In addition, you can edit, duplicate, or delete an Active Directory server configuration. You can also change the connection set