After initial setup, the next step to take with OS X Server is to configure directory services, so you have your users and groups ready for when you enable other services in subsequent chapters.
If you have a home folder on the server, is it right that it synchronises only at logon and logoff? And is there still an option to have the home folder stored on an external drive, or has that been deprecated?
You can control sync to run at timed intervals and delete older, unused homes after a period of time (helpful in classrooms) in Workgroup Manager. Those managed preferences can also be configured using custom mcx entries that can be cut and pasted into the mcx attributes using dscl. You can also point a home en masse to an external drive, although I've tried not to do that as it's caused inconsistent writes for actual production use. Overall, these features are being used less and less and as a consequence the body of knowledge surrounding them is decreasing. The technology is a great idea, for certain environments. Definitely outside the scope of this book, but am happy to answer questions about it here, as I have set up and managed these features a lot over the years.
Can you expand on why you think Network Home Folders are a bad idea? We just upgraded our server to Mavericks and are using it. In theory at least, it seems ideal for:
1. allowing home folder backups to be done centrally (i.e. just backup the server)
2. allowing a relatively easy way to restore home folders if we upgrade/replace computers. Just log in, let the home folder copy over to the local HD, and you're done.
I have set up Network Home Folders, with sync and without, for a long time and for a large number of users. In some cases, they are great. In others, more often the case, they take up way too much space, they cause computers to take too long to log in or they have a lot of synchronization conflicts, which is probably the top issue I see trying to support them. To address the points you bring up:
1. I don't treat mobile home folders as a backup. I've seen many scenarios where sync stops working (e.g. conflicts, disconnected systems, etc.) and people lose data. I use CrashPlan, Time Machine Server and a number of other tools to back up data, but not mobile homes or roaming profiles in Windows for that matter. A true network home could be used in that capacity, provided the apps people need can support them.
2. Growing iTunes libraries, growing amounts of data and issues connecting to the homes can be a factor, but if you set it up and it works for you then great. When we first started working with them we loved them. But over the years, I've seen enough issues here and there that I've tried to just stop using them. Having said that, as you noted, when they work they can be incredibly helpful.
Overall, create a share, check the box, then select the home for each user. If you want to sync, open Workgroup Manager, set the sync policies and you're done. This whole process usually takes me maybe 5 minutes. And when it works, it's slick. It works for some, not for others. When Adam and I reviewed how it's used in most environments we both agreed that it's a bit outside the scope of what we're trying to do with this book. My discouragement of the use of network and mobile homes is more a reflection of the large number of sync issues, apps that don't support (or fully support at least) using true network homes and trying to cut down on potential directory service problems for smaller environments.
Hope that helps to explain the positioning!
Very helpful. Thank you! Yes, we've gotten around the long login time by having it sync only at logout. And thanks for bringing up the point about it not being a true backup solution. We've had problems with previous server versions with stability too, so I'm hoping it's better with Mavericks...though we're having a heckuva time with permissions running amuck with the file server part...ugh.
Just a minor suggestion - in Fig 3 you show tcadmin as the directory administrator but later when setting up the Open Directory replica you list dradmin as the username - maybe have both listed as dradmin?
Thanks - we'll reshoot that. Consistency in screenshot demo data can be tricky when a book goes through various edit stages.
"Overall, these features are being used less and less and as a consequence the body of knowledge surrounding them is decreasing"
I have been struggling to use OSX server in my small business in the Seattle area for 2 years now. I have 11 users, 10 client computers. I am the ONLY user that routinely uses the same computers, all other users use different computers from day to day.
Network based logins and network based homes seem like the only way to go for this, but you are right, resources for configuring and supporting this are dismal. I've spent a few thousand on local apple support folks who were unable to give me a reliable setup, so i've been going at it alone. Not fun.
So, I completely disagree with your decision to consider this beyond the scope of your book. I think it is actually the single greatest need. Frankly, reading through your book so far, I'd say that other resources out there already do an excellent job of covering what you have chosen to address, and I'd say that if you really wanted to contribute to filling an important knowledge gap you really ought to consider something more along the lines of using OSX Server in small business.
I'm hoping that Yosemite fixes some of the network user bugs. Otherwise, I probably have no choice but to switch to a windows setup.
One thing that's become clear as we've worked through various chapters of this book is that there are parts of OS X Server that Apple is focusing on, and parts they're ignoring (plus parts that they've deprecated to the extent of removing them entirely). Network home folders don't seem to be getting a lot of attention, which doesn't give much hope to Apple resolving the sync issues that Charles referred to in a previous comment. :-(
Another thing I've learned is that unlike many normal apps, where the key to making a desired feature work well is simply more knowledge, with OS X Server, when something doesn't work well, knowing more about it often doesn't help at all. Or, to be more accurate, you may be able to make various services work better by dropping entirely to the command line, but if you're going to do that, you're better off with a full-fledged Unix box running the latest and greatest versions of all the necessary apps.
So maybe, then, some help on a good strategy with how to best work with multiple users on a single computer. I've been using PHD since 10.5 (on 10.9 now) for the 6 members of my family. With 4 children, the last thing I want to listen to is child 1 claiming that he cannot complete an assignment because child 2 is on "his" computer. With a PHD set up for all users, every computer in the house is "his" computer with his preferences, files and such there as soon as he logs in.
As Charles stated in an earlier comment, iTunes has long been an issue, even with iTunes Match, due to limitations presumably from the RIAA. Maybe 10.10 will be some help there with family sharing, but that won't solve it for the non-related people at work. At home, I share an iTunes folder with all of our content. Each user has a local copy of iTunes that downloads apps and iOS device backups and points to the media on the server (server media is not copied to the user profile to keep the iTunes library size down). It mostly works fine, except for the addition of new content.
iCloud Keychain sync is also somewhat helpful for some preferences, but that doesn't really solve everything. Users, even adults, tend to save files in their documents folder, because that is easy (rather than saving to a shared directory). Realizing I am trying to solve a human issue with technology, using a PHD solves that transparently for the end user.
So, perhaps the solution is a combination of lots of things: Network authentication by binding the client to OD; No syncing to server; Utilize iCloud for everything possible; use either server-based or cloud-based share points for everything outside of iWork; purchase iTunes Match for each user (or share a common Apple ID, which is a problem for everything else); and still dedicate a "Home" Machine for each user to sync non-purchased video content to an iOS device. I sure hope there is something better.
We only have one kid, so I can only sympathize with what you're trying to do. :-) Apple's desire, I believe, would be to have each kid have their own computer.
iTunes is a total nightmare when it comes to sharing media between people and computers. Home sharing works in some cases but very much not in others, and the iOS device syncing and backup causes a lot of problems. I've never found a good solution to that, and I don't hold out any real hope for Yosemite improving it.
Interestingly, from our son's perspective, the solution would largely be a Chromebook. He does most of his stuff in Google Docs, since he can get to it from anywhere at home or school, and all his friends use Google+ for chatting too. From the Mac perspective, he hates iTunes and uses it to back up his iPhone only under duress. He likes Pages, mostly for layout, and otherwise the main Mac app he uses is probably Minecraft. But the simple fact is that for actual work, a Chromebook would meet the vast majority of his needs.
Under the title "Set Up the Open Directory Master"
--> Run the Open Directory Assistant
you go to the next step of "SSL Certificates" without a section title and even worse, the User is lost on what to do next to find the input Screen shown in "Figure 4".
You write "On the Organization Information screen, enter a name ..."; but I have no idea on how you got there. In Certificates, when I select (gear icon at the bottom) 'Show All Certificates' it shows already 3 pre-made Certificates.
Ah - now I get it!!! That was the last screen in OD setup (was so easy I forgot already). The paragraph:
"Now, we’re going to configure the Secure Sockets Layer (SSL) information, which requires creating an SSL certificate. ..." irritated me, as I thought this is the next step.
IMHO it should be clear, that it is only an information where the input information will be used (for Certificates). Very helpful information (at given point). Please just make it clear that it is just an (albeit important) sidenote. THX for your great Tutorial.
reply to comment 24030:
A little rewording (intro sentence) would do the trick to fix this irritation.
I know I am a perfectionist - so if you don't like me to write 'bug reports' (relating to UX) for your Tutorial, just let me know via twitter @ApfelTutor. I am just a 'think different' guy by nature like Steve Jobs was (albeit an introvert - INTJ).
Thanks, we're always happy to get feedback on this stuff, and we'll definitely look into it as we do the next step of editing on the manuscript.
Sometimes we have to skip over certain details because if we included absolutely everything, the book would be 1000 pages long (and would never be done).
above Figure 7 your text:
"If you haven’t yet created any users (you aren’t skipping ahead, right?), the list will be blank, but we’ll rectify that next."
This is not true for my System! It shows my OD Admin User as 'Local Network User' (both when logged in as Admin or as OD Admin).
I did not skip! - but I had removed the Server.App (as described in help) after deleting ALL Users in OD via Server.App. And deleted the /Library/Server folder as you recommended at the very beginning of your Tutorial. Then rebooted and did everything as told in your TCo eBook. (-> this is my Test Server)
Trying to get a clean start on configuring Server is nearly impossible without wiping the disk, reinstalling OS X, and installing Server again from scratch. We've added more text to the book about this, since data is stored in all sorts of behind the scenes places that are impossible to clear out reliably.
I wouldn't worry about this too much as long as things are working properly; if you're running into serious errors, a clean reinstall might be necessary. I had that happen at some point during editing and had to spend a ton of time erasing and reinstalling.
I agree with ApfelTutor. The list is not blank. Under Local Network Users there is Directory Administrator listed.
BTW: I deleted my ssd and made a new clean install of Mavericks 10.9.4 and Mavericks Server 3.1.2 as advised, without importing old data. No skipping ahead.
Huh. I don't have that user showing. It's definitely on my system (you can see Local Network Users in Directory Utility, which is in /System/Library/CoreServices). Just choose Users from the Viewing pop-up menu and LDAPv3/127.0.0.1 from the node pop-up menu.
But it doesn't appear under Local Network Users in Server at all.
BTW, I don't recommend changing anything in Directory Utility unless you have explicit instructions that direct you to do so. Seems like a good way to thoroughly mess up your server.
So to demote Open Directory and then re-promote a system to be an Open Directory master, use the slapconfig command. slapconfig -destroyldapmaster will completely clear everything out and allow you to re-promote. You can't fully delete the only administrative user for the domain otherwise, as that would lock you from being able to manage the domain. Once you've run slapconfig you can delete the Server app and reinstall; however, if I'm going to do that much, I might go ahead and reformat and reinstall the server.
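A guarded wrapper around the demotion step Charles describes, as an added example that is not from the book or from any commenter here. It assumes the slapconfig and dscl commands of OS X Server 10.9, a DRY_RUN variable (on by default, so it only prints the commands it would run), and an ARCHIVE path you supply pointing at an Open Directory archive you made beforehand in the Server app; the user listing reads the same LDAPv3/127.0.0.1 node Adam mentions for Directory Utility, so you can confirm which accounts you are about to destroy before committing.

```shell
#!/bin/sh
# Added example: gate the destructive slapconfig step behind two checks
# (an OD archive exists; we are root when not in dry-run mode).
# slapconfig -destroyldapmaster is the command named in the comment above.
# DRY_RUN=1 (default) prints commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# od_preflight ARCHIVE: refuse unless the archive path exists and, outside
# dry-run mode, we are root. ARCHIVE is an assumed placeholder path.
od_preflight() {
    archive="$1"
    if [ -z "$archive" ] || [ ! -e "$archive" ]; then
        echo "refusing: no Open Directory archive at '$archive'" >&2
        return 1
    fi
    if [ "$DRY_RUN" != "1" ] && [ "$(id -u)" -ne 0 ]; then
        echo "refusing: must run as root" >&2
        return 1
    fi
    return 0
}

# od_list_users: read-only listing of accounts in the local OD node, the
# same node Directory Utility shows as LDAPv3/127.0.0.1.
od_list_users() {
    run dscl localhost -list /LDAPv3/127.0.0.1/Users
}

# od_demote ARCHIVE: the destructive step, only after preflight passes.
od_demote() {
    od_preflight "$1" || return 1
    run slapconfig -destroyldapmaster
}

# Example invocation (dry run by default):
#   ARCHIVE=/path/to/od-archive.sparseimage sh this_script.sh
if [ -n "${ARCHIVE:-}" ]; then
    od_list_users
    od_demote "$ARCHIVE"
fi
```

To actually demote, review the dry-run output first, then rerun with DRY_RUN=0 as root; re-promotion afterwards goes through the Server app's Open Directory pane as the book describes.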
Figure 8. #Screenshot is not an 'add new user' window. Looks like an (older 3.0) info panel after a user has been set up (with the option 'Local Only' User home folder enabled ??).
Good eye - yes, some things change from the initial creation screen to the edit screen. I'll revisit that screenshot in the next edit pass on this chapter.
I am really impressed and love this Tutorial the more I read - You explain all the details I wanted to know (since Mac OS X Server 10.6) - and learn. #respect & big THX
Glad to hear it!
Thanks for the kind words! Will address some of your comments shortly!
I am missing a comment about the Directory Administrator. Should I continue to use the Server app, logged-in as admin of the mac, or should I restart the mac and login as Directory Administrator?
Charles can weigh in here if I'm missing something, but my understanding is as follows:
* At first, you can always use Server as the local admin of the Mac.
* Any user you create, and for whom you select the "administer the server" checkbox can also be used.
* If you are playing around with the Local User for your admin account and select that checkbox and then deselect, you will lock yourself out. Don't do this. :-) (Luckily, one of my other users had access.)
* I can't see any reason you'd want to use the Directory Administrator account, but that's in part because it's not visible in my system for reasons I don't understand.
Another question: After restarting the mac, the Server app does not start automatically. Is this a problem or is the Server app only an administration console while the server functions are working already in the background?
The Server app is merely a console (it can in fact be used over the network from another Mac, although Charles recommends against that for performance reasons on the other Mac). So if you want it to launch on boot, you need to add it to Login Items like any other app.
You'll also need to make sure that you're logging in with a user who can administer the server, and that user's password is saved in the Keychain. Otherwise, there's no real win in having it launch at startup.
Oh, one other thing. The actual services provided by Server are available as soon as the Mac has booted; the Mac can even be left at the login screen with no problems.
Just to add to what Adam said, I would not leave the Server app open for long periods of time. I find that it tends to make the system less stable when it's open for a while. I only open it when I'm doing an administrative task. Once everything is set up, you should only need to open it when you're adding shares, adding users, deleting either, etc.