Mac OS X Server as a central point of services
This document acts as a whitepaper on how to use Mac OS X Server 10.4 as a central point of services for your LAN. It was written alongside a complete re-installation of an existing setup, and it tries to follow, as much as possible, the best practices for standards and for Mac OS X. By following the information and setup detailed below, it is possible to complete an entire setup. Here is the recipe.
Notes in this documentation aren’t mandatory for success. They’re only there to give you more information about the platform or the setup.
Here are all the chapters to jump into if you need them.
- Hardware setup/requirement
- Installing Mac Os X Server
- Setting DHCP
- Setting DNS
- Setting Directory Access
- Getting Mail service in
- VPN is needed, no problem
- Web services
- Get Out, here is my firewall.
Hardware setup & requirement
Getting a machine that is right for your needs is all that matters, especially when you don’t have the luxury of affording an overkill machine for economic reasons. In my experience, any machine would do, but don’t get too confident with it. My corporate background brought me to the point where I would never use anything slower than a 700 MHz G4. That already sounds like overkill, doesn’t it? If you plan to use that machine for DNS, DHCP and a small web host, then yes, it is a lot. The real story behind that 700 MHz G4 limit is some weird reboots, kernel panics and problems faced with the G3 B&W and early G4s. Here is how it goes.
PMU
The thing to keep in mind with those G3 and G4 problems is the PMU (Power Management Unit). This little feature came into our Macs around the 400 or 500 MHz G4. In the system log of a Mac OS X machine, you may have seen something like “watchdog has reset counter”. It means that as long as the server is running, the watchdog keeps resetting that PMU counter. If the server stops running because of a kernel panic or anything else that prevents the watchdog from resetting the counter, the PMU cold restarts the machine. That’s a nice feature you want enabled on the system. Keep in mind that not every machine with built-in FireWire is ready for that PMU feature.
Calculate your hardware needs
Choosing the right hardware to fit the need isn’t easy. Let’s review and evaluate what is going to run on that machine. Here is the list of what I’m going for:
- File sharing for less than 5 users (up to 4 AFP and one SMB).
- Doing recursive DNS requests for the LAN. Up to 10 users on a 5 Mbit DSL line.
- Providing those 6 users with 15 email addresses overall.
- Hosting an LDAP (Directory Master) service for the clients (single sign-on: Kerberos needed).
- Hosting a few NetBoot images for troubleshooting and one NetInstall.
- VPN, PPTP and L2TP, for remote access (up to 5 users).
- Web hosting. I’m just saying, lots of hosting.
- LAN systems backup
Taking all those services into consideration to evaluate which hardware is needed can be a real nightmare. It’s hard because there is no formula or tool to add up MB of RAM or MHz of CPU speed per service or per user. From experience, I evaluate my needs at a 600 or 700 MHz G4 with 512 MB of RAM minimum. The real job for that machine is only a bunch of tiny processes all together. On purpose, I did not specify what is going to be hosted. I’ll just keep the mood on and add another CPU. Why? Just because I have a spare one… no way. The objective for the web server is to host some sites and to be used primarily for testing purposes: testing lots of web-based software such as BigBrother, Acid, this blog and much more.
Hardware config
- PowerMac G4 Dual 1 GHz
- 1 GB RAM
- Sonnet Tempo ATA 133
- 250 GB, 2 times 80 GB
Everything else is stock for a standard QuickSilver. Notice the Sonnet PCI card. Why risk taking down the server for as long as it takes to restore a snapshot, or whatever kind of backup is available, when RAID is available at a very low cost? RAID mirror it! Why not, when it’s so cheap?
Hardware setup
Set up that hardware by hooking up both 80 GB hard drives to the Sonnet card, each drive as master on its own dedicated IDE controller. That’s because I want to make a mirrored RAID with those 2 drives and install on it the system, web sites, databases and everything else except raw production data. The 250 GB hard drive goes on the built-in ATA 133 controller. I don’t know how much it is worth, but I need to keep both sides of the RAID as equal as possible; that is only to avoid losing too much performance for a security gain. That’s about it for the PowerMac.
Let’s get started.
Installing Mac Os X Server
Let’s get into it with my headless machine, connecting remotely to the machine booted from the fresh install DVD. It is possible to use the diskutil interface to create the RAID set; I won’t be explaining how to use the GUI (Graphical User Interface). By connecting remotely with ssh as root, it is possible to perform the RAID setup with the command line tools. If your machine is old, the root password is 12345678; otherwise it’s the first 8 characters of your machine’s serial number (case sensitive).
berta ~ # ssh 10.0.1.2 -l root
The authenticity of host '10.0.1.2 (10.0.1.2)' can't be established.
RSA key fingerprint is 72:82:17:a4:3d:dc:33:d0:80:1e:21:c5:74:b6:53:54.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.2' (RSA) to the list of known hosts.
Password:
darwin:~ root# diskutil createRAID mirror Darwin HFS+ disk0 disk1
Here it goes. The mirrored RAID is created from disk0 and disk1. A new volume called Darwin should be available to install the server operating system on.
Note: The machine may need a reboot so that the new RAID set is available for installation. I had to.
After the DVD does its job, it is time to configure the new machine. The best way to do so is with the Server Assistant application that Apple provides. I’ll go ahead and launch it, then select “Save setup information in a file or directory record”. Go all the way through the assistant until you save the file at the end of the process. Save the config as a “Configuration File” without encrypting it. You must save that file on the server’s root volume, e.g. at the top level of the volume you want to run your server on. Next, reboot the server; the next time it starts the configuration GUI, it will get all the information it needs out of the file. In the process, the server completes the initial configuration from the configuration file. Nice, eh!
Note: That file could be on any volume connected to the server. ANY. A USB key, a DVD/CD, the server partition, your iPod…


The last thing to do before going to the next step is upgrading your OS. It is possible to upgrade the server through Software Update or its command line version. Download the packages and upgrade the OS to the latest version possible before doing any work.
Setting DHCP
Reference (Français)
Reference (English)
Setting up DHCP is well worth the time it takes. It saves lots of time assigning and changing static IPs. Speaking of the time it takes, it’s about 2 to 3 minutes. If you’re not used to DHCP technologies, read one of the reference links at the section’s title. The configuration I’ve done is reflected in the screen shots below. Notice that it is set to use static IP mapping, which means that IP addresses are mapped to MAC addresses; the result is that the same machine always gets the same IP. That can be nice for servers and printers and even for workstations.


Setting DNS
Here is a bloody edge. If your personal knowledge is limited or if you don’t know much about DNS, it is time to learn it. In the Windows world, DNS is more optional than needed. In the Unix/Linux world it is mandatory. By mandatory, I mean Mac OS X requires a fully working DNS within the network for all services to work as well as possible. In all cases, you need a DNS server. DNS is built into almost all services on UNIX/Linux machines.
As an example: when connecting to an AFP server, the client computer performs a DNS lookup to pair the IP to a name or the name to an IP. It means that when a connection is established using an IP, the machine looks up the IP’s name. If there is no DNS server that can provide that information, there will be a timeout after a few seconds and it will connect using only the IP, without the name. SSH works the same way, and so do many other services. If you are going for a single sign-on setup, there is NO way around the DNS setup. Bottom line: for smooth and fast connections, you should have a working DNS server in your LAN.
There are 2 screen shots of the working configuration. Take a look at them and test your DNS server BEFORE getting to the next step. Directory services require a fully functional DNS server, so if the service isn’t configured properly, no directory service is going to work at all.
For the private LAN domain name, it is possible to choose anything regardless of the standards and registration on the Internet, because this domain name isn’t going to be reachable from the Internet. For the configuration I am doing, I chose the extension lan as the private domain name. You may choose anything: pretendco.com, apple.com, etc. The warning I should point out here is that if you choose apple.com as your internal domain name, you’ll never be able to reach the real apple.com domain on the Internet. Keep that in mind and choose carefully.


Note: Once the DNS is set, try it. Here are some notes on how to make sure it’s fully functional. Fire up a Terminal window and enter nslookup. Then, perform the following requests/commands, which reflect the installation.
wirelessbook:~ francois$ nslookup
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> server 10.0.1.2
Default server: 10.0.1.2
Address: 10.0.1.2#53
> imac
Server: 10.0.1.2
Address: 10.0.1.2#53
Name: imac.lan
Address: 10.0.1.4
> 10.0.1.4
Server: 10.0.1.2
Address: 10.0.1.2#53
4.1.0.10.in-addr.arpa name = imac.lan.
> exit
Within the nslookup tool, I set the software to query the server that I want to test, 10.0.1.2. Then I ask the server which IP matches the name imac. Then I query the name matching the IP. Everything looks nice here.
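The nslookup session above checks one host by hand. Since Open Directory and Kerberos expect every host to resolve both ways, the following added example (not part of the original article) audits a whole zone: it flags A records without a PTR, PTRs that name the wrong host, and PTRs pointing at names with no A record. The zone data is constructed to mirror the article’s setup (darwin.lan = 10.0.1.2, imac.lan = 10.0.1.4); the other hosts are made up for illustration.

```python
"""Audit forward (A) and reverse (PTR) records for the private LAN zone.

Added example, not part of the original article. The zone data below is
constructed: darwin.lan and imac.lan come from the article, the rest is
invented to show what the audit reports.
"""
import ipaddress


def reverse_name(ip):
    """Return the in-addr.arpa name that nslookup queries for an IPv4
    address, e.g. 10.0.1.4 -> 4.1.0.10.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def audit_zone(a_records, ptr_records):
    """a_records maps FQDN -> IPv4 string; ptr_records maps in-addr.arpa
    name -> FQDN. Trailing dots are ignored. Returns a sorted list of
    problems; an empty list means forward and reverse lookups agree."""
    problems = []
    fwd = {name.rstrip("."): ip for name, ip in a_records.items()}
    rev = {k.rstrip("."): v.rstrip(".") for k, v in ptr_records.items()}
    # Forward pass: every address must have a PTR naming the same host.
    for name, ip in fwd.items():
        target = rev.get(reverse_name(ip))
        if target is None:
            problems.append(f"{name} ({ip}) has no PTR record")
        elif target != name:
            problems.append(f"PTR for {ip} names {target}, not {name}")
    # Reverse pass: every PTR must point at a name that resolves back.
    for arpa, name in rev.items():
        if name not in fwd:
            problems.append(f"PTR {arpa} -> {name} but {name} has no A record")
        elif reverse_name(fwd[name]) != arpa:
            problems.append(f"PTR {arpa} -> {name} but {name} resolves to {fwd[name]}")
    return sorted(problems)


# Constructed zone data: two good hosts plus two deliberate mistakes.
A_RECORDS = {
    "darwin.lan.": "10.0.1.2",
    "imac.lan.": "10.0.1.4",
    "wirelessbook.lan.": "10.0.1.5",   # no PTR record below
    "printer.lan.": "10.0.1.9",        # PTR still carries an old name
}
PTR_RECORDS = {
    "2.1.0.10.in-addr.arpa.": "darwin.lan.",
    "4.1.0.10.in-addr.arpa.": "imac.lan.",
    "9.1.0.10.in-addr.arpa.": "oldprinter.lan.",
}

if __name__ == "__main__":
    issues = audit_zone(A_RECORDS, PTR_RECORDS)
    print("\n".join(issues) if issues else "forward and reverse zones agree")
```

Feed it the records you exported from your own forward and reverse zones; a clean run is what you want to see before promoting the server to Open Directory Master.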
Setting Open Directory
Before I start, let me point out some of the requirements for that step to go easily. The server must have its final IP address set, otherwise you will run into a lot of trouble with Open Directory. As if this weren’t enough, you also need a fully functional DNS server before promoting the server.
If both of these are set and tested, go ahead with the following. In the Server Admin tool: Open Directory: Settings, change “Role” from Standalone Server to Open Directory Master. Then, create the directory administrator account. Leave the Domain Info alone; just make sure the fields are filled with the server’s fully qualified domain name, e.g. darwin.lan, so there should be dc=darwin,dc=lan.


That is it. Hit Save and wait a bit. Then go back to the Overview tab and make sure all services are running.

Note: If all services are running except Kerberos, first check the DNS setup. Most of the time, that’s where the hiccup is. You may also check whether the machine has synced with a time server. Kerberos is a time-sensitive protocol.
I don’t think there is much more to say. The directory system is up and running; the next step is to create accounts and set preferences for users, computers, groups, etc.
Home directories
In this setup, I would like to use the network home directory feature. First, start the AFP service. Configure it as you like and go to Workgroup Manager. Select the Sharing tab and then choose among the share points available. Click on the “Users” share point, then select the “Network Mount” tab. Set the “Where” section to “LDAPv3/127.0.0.1”. Also check “User Home Directories” as the “Use for” definition. An extra step here could be to disable FTP and Windows sharing for security purposes. You should also disable AFP guest access and all Windows and FTP services.
At that point, the home directory setup is done and should be working, but no users are set to use it yet. Get back into Workgroup Manager: Accounts, Home tab, and select the newly added share point.

Note: If the share point is already selected in the Home tab, select None, save, then go back, select it again and save again. I’ve experienced problems with that; just make sure you select the share point and hit Save. By redoing the operation manually, home folders are usually created at that moment.
Mail
Reference link (Français)
Reference link (English)
This part is all about hosting a mail service with the server built into Mac OS X Server, Cyrus. Cyrus is a well-known mail server across the open-source community, and Apple integrated that nice server into its own. Cyrus covers the IMAP/POP delivery part, while Postfix is all about SMTP, mail delivery. If you just got lost with those words, you shouldn’t think about setting up anything fancy.
Email 101: email servers use the SMTP protocol to exchange email. That’s it. IMAP/POP are only used by clients to collect those emails from mailboxes on the server.
When setting it up in the Server Admin interface, there is no need to worry about what is running with Cyrus or Postfix. What is important is the domain name to host email for. Also, you may set a relay server if your provider requires it. Other options aren’t mandatory for the mail server to run, but some are necessary for it to work in your environment, e.g. outgoing email may be blocked if your provider requires an SMTP relay and none is set. Start the server up and see what it is up to. The server is now configured to exchange emails. You then need to configure the users’ email addresses; you need Workgroup Manager to enable and set email addresses. Mail setup is very straightforward.
VPN
Reference link (Français)
Something to consider when talking about VPN is what the users will be doing outside of your organization. When talking about security, users’ needs quickly become nightmares for the system administrator. Remember that there should be a balance between user experience and security: the easier it is for legitimate users to perform tasks, the easier it is for anyone else to do the same. When the time comes to give users access to the corporate LAN, there is a great amount of planning involved. VPN provides levels of security that might be part of your strategy. With the built-in tools provided by Apple, you have few but good options.
To scale those options up, let’s start with the basic, low-security VPN: PPTP. The setup is easy, the level of security is low and the user experience/setup is easy. Setting up PPTP takes only a few steps: enable PPTP, set the IP range to give out and start the VPN service. Take care of your firewall and don’t forget to add DNS entries for those IPs; it helps by reducing connection time.


Going up one step: L2TP with MS-CHAPv2 and a shared secret. This is a big step up in security and user experience. To set this up, the protocol requires a shared secret, a string that needs to be passed around to all VPN clients. Compared to PPTP, the user needs to add this string and know nothing else about VPN. The administrator still needs to add DNS records for those IPs, set the IP range, enter the shared secret string and set the firewall for L2TP. When jumping from PPTP to L2TP, setting up the firewall becomes harder. L2TP uses many ports and IP sub-protocols to work properly. Pay attention to those ports and TCP/UDP needs. A bad firewall setup is most of the time the problem. See the firewall section for information on that setup.

If you want to skip MS-CHAP authentication and go on with the encryption, there is a combination of L2TP with Kerberos for authentication or with an SSL certificate. Setting it up is close to the MS-CHAP setup, but choose Kerberos from the drop-down menu and pick Certificate instead of Shared Secret.

Here is my warning. If you plan to use the Kerberos/SSL setup, keep lots of time free to support your users over the phone. That warning isn’t about SSL, but Kerberos. For those of you who don’t know Kerberos, it is time sensitive. So when a user’s laptop or home computer isn’t time-synced with an Internet time server, Kerberos isn’t going to work for you. You will then need to tell the user to set their computer to sync with that NTP (time) server.
Here is my recommendation. If your need is security, get L2TP because it’s great, but use the MS-CHAP challenge for authentication and either a shared secret or an SSL certificate.
That’s all the options Apple provides built into Mac OS X Server. There are many more with third-party applications, and even more third-party apps that work with Mac OS X.
Before setting it up for good and giving users access, try it with some of your friends to monitor the load on the machine. SSL is way more demanding than a shared secret, and L2TP is more demanding than PPTP. Give PPTP a try; I think it’s great for non-sensitive information such as accessing an intranet that is already on https…
Note: If you want to control the client routing table, set the Client Information tab in the VPN service. The default is nothing, which means that when the client is connected, its default gateway becomes the VPN server. If you don’t want all Internet traffic from VPN clients to go through your server, set your local IP range. That way, the default gateway will not change for the clients; it will only add a static route for the remote local network. The search domain is important as well, and so are the DNS servers, if you want the client to use your domain information correctly.
Web services
Providing ways for users to input raw data and process it may be vague. Maybe there is an intranet powered by a web interface, maybe not. I love web applications because they are easy to access and crazy easy ways to trigger actions or work on servers. In this documentation, the web server is the most documented part. The following is a list of what is set up for hosting on the server.
- phpMyAdmin
- BigBrother
- This blog “Wordpress”
- A photo gallery “Gallery2”
- Webmail “SquirrelMail”
- Web statistics “Awstats”
- Network Statistics “Cacti”
- and more.
Before setting up all the web sites, let’s start with tuning the web server itself. To do so, go to the Web Settings tab and set it as you like. My settings are visible in the screen shot below.

In the Sites section of the Web Settings tab, there is the default site. That site is there as the default and points to Apache’s default website. Edit that first entry or delete/add one. The General section is all about the site: its domain name, the IP on which it listens, the port on which it is hosted, the full local path to the site’s directory, the page to attempt if none is specified (index.html, .php or anything else), the error page to redirect to and the webmaster’s email address.

In the Options, uncheck Performance Cache if the machine sits behind a firewall with only port 80 redirected. If you want the performance cache on, you must redirect port 16080; that is the port your browser is redirected to for the performance caching service. If the site has no other needs, unlike mine, that’s it; you can fire it up and enjoy. Some web sites that I host require more options and tuning. Realms, logs, security and aliases aren’t to be checked unless you need them. For example, Awstats needs to run scripts to generate the pages to be shown. That feature is called CGI (Common Gateway Interface). So those scripts are in the default CGI-Executables directory and, by enabling CGI Execution in the Options, those scripts are accessible for that web site through a URL rewrite.
Statistics come in very useful when you want to make decisions on investment. Maybe you don’t need that T1 line if you only have a few hundred visitors a month. Maybe you should get a better connection since you have more than 1 TB of traffic out of your hosted sites. Statistics are there to guide your decisions. With that in mind, all my hosted sites have a general and detailed activity report. To achieve it, I’m using Awstats. Awstats requires combined log files to perform well. So I’ll go on and set the Logging option for frjo.info.
Note: Different types of logs are available in the Server Admin interface. Each log type has its own reset detail setup. You’re free to build your own by following the Apache log system. See apache.org for more details.

The combined template doesn’t look right in the Server Admin GUI but, if you choose combined and save, the actual log file is saved in combined format. Also, you may notice that I’ve created a folder in /var/log/httpd to put those files in. That is only to keep my log files organized; it helps Awstats generate stats for one site.
The dance goes on and on for as many web sites as you would like to host. In my case, I need MySQL to back Gallery2, Wordpress, bixdata, Cacti, iptableslog and Snort. MySQL setup isn’t part of this article.
One last word on the web server. If you want to host an https site and redirect standard http to the secure one, you must use the redirector. First create your secure site. Then create a second, unsecured one. Then, on the unsecured site, click on the Aliases tab and add a redirector. This way, all incoming traffic on the non-secure port will be redirected to the secure one.
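Since the GUI template looks off, it is worth confirming what actually landed on disk before pointing Awstats at it. The following added example (not from the original article) tells combined lines apart from common ones and flags anything that is not an Apache access record at all; the three sample log lines are constructed, with made-up client addresses and paths.

```python
"""Check that an Apache access log is in the combined format Awstats wants.

Added example, not part of the original article. The sample lines are
constructed. Combined format is
  host ident user [time] "request" status bytes "referer" "user-agent"
while common format stops after bytes, so a log written in common format
still parses but lacks the referer and user-agent fields Awstats reports on.
"""
import re

ACCESS_LINE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def parse_access_line(line):
    """Return the fields of one access line plus a 'format' key of
    'combined' or 'common', or None if the line is not an access record."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["format"] = "combined" if fields["referer"] is not None else "common"
    return fields


def log_format_report(lines):
    """Count lines per format. A log that is all 'common', or mixes both,
    will give Awstats incomplete referer and browser statistics."""
    report = {"combined": 0, "common": 0, "unparsed": 0}
    for line in lines:
        if not line.strip():
            continue                      # skip blank lines
        parsed = parse_access_line(line)
        report[parsed["format"] if parsed else "unparsed"] += 1
    return report


# Constructed sample: two combined lines, one common line, one junk line.
SAMPLE_LOG = """\
10.0.1.4 - - [12/Mar/2006:10:15:02 -0500] "GET /index.php HTTP/1.1" 200 5123 "http://frjo.info/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)"
10.0.1.4 - - [12/Mar/2006:10:15:03 -0500] "GET /awstats/awstats.pl HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)"
10.0.1.7 - francois [12/Mar/2006:10:16:11 -0500] "GET /phpmyadmin/ HTTP/1.1" 401 -
garbage line that is not an access record
"""

if __name__ == "__main__":
    print(log_format_report(SAMPLE_LOG.splitlines()))
```

Run it against the first few hundred lines of each site’s log in /var/log/httpd; any count in the common or unparsed column means that site’s logging option still needs attention.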

Get Out, here is my firewall
Firewalls must be part of a plan to secure an IT environment. Built into Mac OS X Server, there is a very powerful firewall, backed by IPFW and IPFilter from the BSD world. With those two great tools, it is possible within the Server Admin utility to configure and fine-tune the firewall as needed. The graphical interface is limited to what Apple made easy in the interface, but it is still possible to set the firewall at a very decent level without getting into hard work.
A word about firewalls. One of the greatest things about them is that the machine has a wall between itself and the outside world. It means that regardless of the running services, security exploits, user privileges or anything else, it is possible to grant or deny access to it. When it comes down to securing a server, it is not best practice to leave access open on ports that no one in the outside world has any business with. That would be like opening your front door and not caring whether someone looks inside your house or even gets in.
A little firewall software overview. In the IT world, there are many brands of firewall. Just to name a few: Cisco, Sonicwall, Duldog, Linksys, D-link, etc. All those are physical devices. Mac OS X Server isn’t equipped with a physical dedicated device; it uses IPFW and IPFilter to rule traffic. In the open-source community, iptables is the leader in software firewalling. Both pieces of software are similar in their strategy and options, although completely different in their syntax and mechanism. Dedicated hardware firewalls are small computers with a light operating system and firewall software such as iptables.
The basics of firewalls are simple; the act of setting one up and thinking it through isn’t.
Done
That completes all I have to say about it. Good luck with your installations.