macosxhints.com OS X Server tips

Cannot boot to NetRestore Image

Wed, 14 Dec 2011 07:30:00 -0800

I ran into a problem recently where I was unable to boot into any of the images I had made from any Mac. I have NetRestore and one NetBoot image, but not one of my Macs could get to it. After many failed attempts, I finally tricked it into letting me boot. Here's how.

The problem actually has to do with the way that NetBoot filters computers. It used to be that you could turn filtering on and off, but now, it is not so simple. In the Image Properties window, you have the option to either all model types, or just the ones selected from a given list.

However, MAC filtering is different, you can't simply say allow all. The default selection is to allow only only those computers with the matching MAC addresses in the list below and deny others. This is what is preventing computers from being able to boot. And unless you are interested in manually entering in every new MAC address, it is impractical.

The second option is to deny only those computers in the lis ...

10.7: Virtual Hosts and multiple web servers

Thu, 13 Oct 2011 07:30:00 -0700

After a great deal of searching the net for answers I have pieced together what is needed to do a couple of things I have wanted to do for some time now. The first is to have virtual hosts working nicely on 10.7 Lion Server. The second and related item is to have multiple web servers within a LAN accessible from one WAN address.

Virtual Hosts

To get this working add the following line to the /etc/apache2/httpd.conf file and then restart the web service.

NameVirtualHost *:80

Restarting the web service can be done in the Terminal using:

sudo serveradmin stop web sudo serveradmin start web

Now you can add virtual hosts through the Server app.

Multiple web servers within a LAN accessed from one WAN address.

Set up: The following assumes that you have 3 servers with correctly working DNS and apache services. The 10.10.10.x subnet is used for the examples, change them to w ...

10.7: Setting the default timezone for calendars viewed on Wiki Server

Thu, 08 Sep 2011 07:30:00 -0700

Apple does not seem to have provided a setting to change the default timezone despite the obvious need to be able to do so. This hint is a workaround giving a way of changing the timezone for all users who view the calendar via the web interface.

First backup the following file:

/usr/share/collabd/coreclient/app/views/projects/calendar.html.erb

You will need root privileges to edit the file; this can be accomplished by:

sudo nano /usr/share/collabd/coreclient/app/views/projects/calendar.html.erb

Add the following line to the original file below the line <% content_for(:head) do %>:

<meta name="tzid" content="Europe/London">

Where "Europe/London" is replaced by the desired timezone.

The file should now read (in its entirety) ...

10.6 Server: Workaround for recurring CalDAV password dialogs on iOS devices

Thu, 26 May 2011 07:30:00 -0700

Follow these steps to work around an issue that causes recurring password dialogs on iOS devices that are configured to connect to a CalDAV account hosted by Mac OS X Server 10.6.

The procedure involves turning off Digest authentication and enabling Basic authentication. Since all passwords will be sent in the clear, make sure that all traffic to the iCal server is encrypted. This can be done either by requiring users to connect via VPN or by using a valid SSL certificate and setting SSL to 'Redirect' in the iCal Service settings in Server Admin.

Log in to an administrative user's account on the server and open the Terminal application located in /Applications/Utilities/.
Type the following command to change to the directory containing the settings for the iCal service:
cd /private/etc/caldavd
Make a copy of the preference file. You will be asked for the administrative user's password after en ...

Change iCal Server invitations so they will clear spam assassin

Thu, 31 Mar 2011 07:30:00 -0700

The default invitations which iCal Server sends may be seen as spam by Spam Assassin (score of 5.8 or so), because of a large picture attachment.

The workaround for this I found was to modify the template for the invitation to eliminate the attachment.

The templates for iCal Server invitations are located in: /usr/share/caldavd/share/email_templates.

I changed mine so they are straightforward but at least not seen as spam. For example, my invite.html is:

<html>
<head></head>
<body>
<p>Event: %(summary)s</p>
<p>Organizer: %(htmlOrganizer)s</p>
<p>Location: %(location)s</p>
<p>Date: %(dateInfo)s %(recurrenceInfo)s</p>
<p>Time: %(timeInfo)s %(durationInfo)s</p>
<p>Description: %(desc ...

Make event emails sent from 10.6 iCal Server come from actual user

Tue, 29 Mar 2011 07:30:00 -0700

In Server Admin, the iCal settings allow you to specify a single email from which event invitations will come. For a personal calendar though, you really want the email to come from your own email.

The script which sends invitations is found at:

/usr/share/caldavd/lib/python/twistedcaldav/mail.py

It appears that it tries to find the appropriate email address, but I could not figure out how to make a value ever be present where it was looking.

So, I modified the script as shown below. Change:

 if organizer.startswith("mailto:"):
  orgEmail = fromAddr = organizer[7:]
 else:
  fromAddr = serverAddress
  orgEmail = None
 cn = calendar.getOrganizerProperty().params().get('CN', (None,))[0]

To: ...

10.6 Virtualize machine-specific OS X Server in Fusion

Mon, 20 Dec 2010 07:30:00 -0800

I did all this on a new mid-2010 Mac mini Server (with an external MacBook Air SuperDrive), with OS X Server 10.6.5 (re)installed on the upper drive (*disk1*) and OS X client 10.6.5 (and Fusion, many other apps, etc.) installed on the lower drive (*disk0*): i.e., with the computer used mainly as a client desktop rather than a server; so, virtualizing the server OS might be the most convenient solution, while - if desired - also being able to natively boot into the server (at least as an experiment).

So, you want to virtualize a whole hard drive (HD) with OS X Server installed? Or, more simply, if you want to install OS X Server onto an 'ordinary,' file-based Fusion virtual machine (VM), but only have a machine-specific install DVD (which will refuse to install if used to boot the VM), here is what I did. Part 1: If you want to virtualize a whole dis ...

10.6: Exclude Software Update data in Time Machine backups

Tue, 25 May 2010 07:30:00 -0700

Using the Time Machine preference pane, it is not possible to effectively exclude the data for the Software Update service from Time Machine backups on Mac OS X Server 10.6. A method is presented here which will do that.

By default the software downloaded from Apple�s servers necessary for the Software Update service is located at /private/var/db/swupd. When excluding this directory using the Time Machine preference pane the path is changed to /var/db/swupd (/var being a symbolic link to /private/var) and the data is still backed up. [crarko adds: This is for Snow Leopard Server only.] To remove the Software Update service data from the backups, follow these steps using an administrative account:

Exclude /private/var/db/swupd or /var/db/swupd in the Time Machine preference pane.
Quit t ...

10.6: Stream high-resolution chapter-marked movies

Fri, 26 Mar 2010 07:30:00 -0700

So here was my problem: I needed to be able to produce high-resolution movies of live screen presentations (PowerPoint as it happens) with audio. And because these presentations were two hours long, people wanted chapter/section marks so they could go directly to the part they were interested in seeing again.

We wanted to stream the movies, so that people did not have to download the entire 2GB+ movie. They movies also had to be on a server I could get to, so that we could get the video online quickly.

This all proved harder than it sounds, and took me about three weeks to figure out and set up -- it wasn't hard, but it was undocumented and not intuitive. I am providing this information because the online information is either wrong, or it doesn't seem to exist.

...

10.6: Avoid a DHCP issue with Dual Band Airport Extreme

Thu, 18 Mar 2010 07:30:00 -0700

While playing with Snow Leopard Server's various services, I noticed DHCP wasn't working. Actually, it worked at first for my laptop, then it stopped. Then I noticed the iPhones were not able to receive IPs either. I thought it was something with my server, so I drew a network diagram, and it gave me an idea.

I have an Internet modem connected to a Netgear router, to which the AirPort Extreme (Dual Band) is connected. My Snow Leopard Server machine is connected via the AirPort, as are all other clients. My drawing showed that when my Server was connected on the 5Ghz side, and the DHCP clients were connected on the 2.4Ghz side, DHCP would not work.

I confirmed this by splitting the dual band and connecting server and all clients on the 2.4GHz channel only. Set up this way, DHCP worked great; problem solved! I'm not sure if that makes perfect ...

Add Volumes for mount at login directly on OS X Server Mac

Thu, 25 Feb 2010 07:30:02 -0800

Today I needed to use Workgroup Manager to add a Login Item that Mounts an afp Volume. Apple provides no instructions for doing this while logged in directly on the server; instead this task is done using Workgroup Manager on a client (see this Apple support document). I didn't have my MacBook with me at the time, nor did I want to install the Server Admin Tools on another machine just for this one task.

The solution is:

Open Safari and enter the URL in the form of afp://IP-address-OR-Server-name/Share Point
Drag the favicon (next to the URL) onto the Desktop.
Drag the favicon into the System Preferences » Login » Items section of Workgroup Manager.
Click Apply Now.

Note that you do not need to add %20 to any white space when typing the URL in Safari; this will automatically be added when you drag the Favicon to the Desktop. Also, the colon and fo ...

10.6 Server: How to get NFS disk serving working properly

Tue, 23 Feb 2010 07:30:00 -0800

You may be surprised to learn that if you follow the detailed 136 page instructions for setting up an NFS disk server that Apple provides for the OS X server machines, it won't actually work. The problem is the firewall. Unlike the non-server OS, which has an application firewall, the Server OS uses IPFW, which is port-based not application-based.

This means every service that takes inbound connections has to have fixed port range assignments so you can tell IPFW which port to open. NFS required the RPC deamon, and by default, RPC takes whatever ports are free at the moment and does not keep them fixed. You need to fix these to specific ports by hand because the GUI won't do it.

This can be confusing to diagnose because if you start NFS with the firewall down and then put it up, you find the server continues to work for about 30 minutes, be ...

10.6 Server: Set the appropriate Software Update Server

Wed, 21 Oct 2009 07:30:00 -0700

With Mac OS X Server 10.5 and below, Software Update Server only had one catalog of updates -- thus, you could run a command like this one, and have it point Software Update to your server:

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://Server.local:8088/"

With Mac OS X Server 10.6, Apple has divided the catalog file into three separate catalogs: one for 10.4, one for 10.5, and one for 10.6. Each is a separate URL, and if you set the wrong catalog for the OS, you'll get the (incorrect) message that your software is already up-to-date. Having three separate scripts is a hassle, though, and is prone to error.

On the Hints Forums, users tw and Hal Itosis were instrumental in crafting this AppleScript. It checks the OS that you ...

Update the Software Update Server without re-downloading

Tue, 20 Oct 2009 07:30:02 -0700

I had the need to update a server that was acting as a Software Update Server. I knew that the machine had the update on it, but was unsure of how to get it to see the locally-hosted update. If you open Terminal and issue this command...

open /usr/share/swupd/html/index.sucatalog

...then Software Update will launch, looking at the localhost -- no need to re-download the update from Apple.

10.6: Using iCal Group calendars on Snow Leopard Server

Mon, 21 Sep 2009 07:30:02 -0700

Snow Leopard's iCal Server changed the location of the Wiki-based calendars, so that this previous hint no longer works. Intead of using the path of /principals/groups/groupname, the URL for wiki-based calendars has changed to one of the following:

https://ical.domain.com:8443/principals/wikis/groupname/
http://ical.domain.com:8008/principals/wikis/groupname/

When you add this in as a URL for an additional account, you can then access this shared calendar, with your changes reflected on the wiki page. You could alternatively create a specific user in workgroup manager to be used as the 'silent' owner of a group calendar, create your calendars, assign delegation to all the real users. But if done in that way, you don't get to see the calendar in the wiki, online.

...

10.5: List service ACLs on Mac OS X 10.5 Server

Mon, 20 Jul 2009 07:30:00 -0700

Mac OS X lacks a good command line tool for following a Services Access Control List (SACL) tree of users and groups. If you don't want to, or just can't, use the GUI to list users in service ACLs of your Mac OS X server (or managed client), you need to parse the groups/nested groups/users tree one group at a time, using dscl. It's really painful. As an alternative, I've created a script to handle this for sys admins.

I won't promise you a killer command line tool with foolproof error and recursion handling, but I still believe I've designed a usable piece of shell script -- even if it looks like it's the worst code I've ever written (which is not true; I've made things way uglier). The source code is too long and messy to be just copy-pasted here; just download the getsacls.sh script (4KB) directly from my mach ...

10.5 Server: Force certain folders into managed clients' Docks

Wed, 17 Jun 2009 07:30:00 -0700

I have recently discovered a solution to a long-time annoyance of mine with 10.5 server and managed preferences for 10.5/10.4 clients: How to force the Applications and Downloads folders into the Dock.

I 'took apart' and examined the com.apple.dock.plist file and found the options for the Applications folder and the Downloads folders. If you simply place these folders into the Workgroup Manager (WGM) area for dock preferences, you end up with a broken downloads folder and an Applications folder that won't show its contents. Instead, when you click on Applications in 10.5, you just get a new window instead of the list of its contents.

The secret is to take a com.apple.dock.plist file and take out everything but the entries for Applications and Downloads. Use this file in the Details tab of preferences plists that you can force out -- don't forge ...

Upgrade to 10.5 Server without reboot on newest Macs

Wed, 11 Mar 2009 07:30:00 -0700

This is more observational than hint-like, but it's interesting. This morning we had a customer order a new 2009 Mac mini, and they asked to have it upgraded to Leopard Server.

When we put the DVD into the Mac mini slot, we were getting ready to boot from DVD to do the upgrade. However, with this new mini, it no longer requires a reboot. You can install the Leopard Server Install Package without booting from the DVD.

Use one Deploy Studio server with images on many servers

Tue, 03 Mar 2009 07:30:01 -0800

I am jumping on board the DeployStudio train, and with multiple sites to support, I ran into the issue of how to use one master Deploy Studio server, but host the images at each of the sites (especially the WAN locations).

The solution I came up with was simple. When Deploy Studio wants to mount the images volume (via AFP), I just have a preflight script that mounts the volume based on which location (based on subnet) the computer is being imaged at. For instance, our Deploy Studio is on our fiber network, but our satellite site is on cable. When the computer netboots and DeployStudio Runtime is launched, it connects up to the Deploy Studio server (again, hosted on the fiber network).

A preflight script will mount the correct AFP mount prior to imaging the computer. We are basing this on our subnets, but your mileage may vary. Hope this helps those other network administrators going through the same struggles ...

10.5: Fix cron for LDAP Users in Mac OS X Server 10.5

Mon, 26 Jan 2009 07:30:01 -0800

To the best I'm able to determine, Mac OS X Server's cron does not recognize crontabs of users who exist in LDAP, nor the flat files (e.g., /etc/passwd). This is because cron starts prior to LDAP, and thus sees the crontabs of such users as "orphans." If you log in and re-establish the crontab, all is well ... but a simple reboot shouldn't cause crontabs to become disabled.

The system cron is a launchd service, and so it's quite difficult to control the order in which it launches. One can make the argument that it's cron's fault that it doesn't check for LDAP when it starts, but I think that the blame is really Apple's to bear. I spent hours today trying to figure out a graceful way to delay cron's launch without installing a new cron or hacking things up too badly, all in vain.
...