2014-07-16

OS X Server - Basics

Here are my notes for debugging and maintaining an OS X Server (3.1.2) on Mavericks 10.9.4. This is mostly command line stuff, very little GUI stuff.

Note, this post is part of a series. Here are the other posts.

About OS X Server

OS X Server is a product that reached it's peak around 2009-2011 with Mac OS X Server 10.6. Back then it was a complete OS install and was different from Mac OS X client. Since then Apple has scaled the product back, made it very inexpensive ($20), released very little documentation compared to 10.5 and 10.6, and made the server an app download from the Mac App Store that is installed on the client OS (rather then being a OS unto itself).

The OS X Server (3.1 on OS X 10.9) installs and pre-configures some of the best open source server products such as apache, php, postfix, dovecot, and openldap. I am unsure if the bugs I've seen are in the Server.app, modifications Apple has made to the open source products, or in how Apple has configured all of these 3rd party server products to work with each other.

Working with OS X Server

Make sure everything is ok

sudo changeip -checkhostname

To change the IP

Do not change the IP of the server if you are using Open Directory. Changing the IP destroys the LDAP and Kerberos databases. If you are not using Open Directory, this is how you change the IP.

sudo changeip <old-ip> <new-ip> <old-hostname> <new-hostname>

Then go to System Preferences.app and change the IP there. Then reboot the server.

If you are using Open Directory, all hope is not lost. Assuming you don't have replicas and you don't need to retain the passwords then run something like these commands (I did something like this, but I didn't save my history, so I don't remember exactly what I did):

Backup data

sudo slapconfig -backupdb /full/path/to/archive

Export data

dsexport -e dsAttrTypeStandard:AuthenticationAuthority -e dsAttrTypeStandard:AltSecurityIdentities \
  users.txt /LDAPv3/127.0.0.1 dsRecTypeStandard:Users
dsexport groups.txt /Local/Default dsRecTypeStandard:Groups

Destroy database

sudo serveradmin stop dirserv
sudo slapconfig -destroyldapserver

Start over

sudo slapconfig -createldapmasterandadmin

Reimport

dsimport users.txt /LDAPv3/127.0.0.1 M --username <diradmin>
dsimport groups.txt /Local/Default M --username <diradmin> <dirpassword>

If you need to keep passwords probably the easiest solution is to replicate your Open Directory database to a different server, promote the replica to a master, bind the first server to the new master, change the IP of the first server, then replicate the Open Directory database back. But I don't know how to do any of this. Years ago I seem to remember being told this is how it's done, but I don't remember too well because I didn't manage OS X Server's back then.

It should also be possible to export the Kerberos database but kadmin -l dump says "kadmin: hdb_foreach: iteration over database only supported for DSLocal".

Modifications to the system.

Have the output from the periodic scripts emailed to you.

/etc/periodic.conf

daily_output="you@example.com"
weekly_output="you@example.com"
monthly_output="you@example.com"

Backups

The common wisdom is that you never know if your backup solution actually works unless you use it. I'd like to add that you'll never know how your backup solution works unless you use it. I've had to restore my system twice before it was even in production yet.

I'm just going to say this, you must know your backup software inside and out. And if you're using TimeMachine as your backup, don't be deceived by the silly TimeMachine System Preferences pane. Read the tmutil man page!

Firewall

Hey, OS X Server opens a lot of ports. I haven't fully tested this yet, but I don't want all of these ports open, so I'm going to shut them off and see if the server still works. So remember, these are my notes, and as of the moment I'm writing this, I haven't actually tested them yet, so don't take this as truth yet.

This is all of the open ports on a server with Open Directory, Mail, ssh, and vnc turned on.

22          ssh
25          smtp
80          http
88          kerberos
106         3com-tsmux
110         pop3
143         imap
389         ldap
443         https
464         kpasswd
587         submission
625         dec_dlm
636         ldaps
749         kerberos-adm
993         imaps
995         pop3s
1640        cert-responder
2012        ttyinfo
3659        apple-sasl
4190        sieve
5900        rfb

The the mail ports are 25, 110, 143, 587, 993, 995, they all need to be open. 4190 is used by dovecot for filtering mail, and I'm not sure if it actually needs to be open.

The ports for ssh and ARD are 22 and 5900. I have a gateway and only the gateway can contact those ports.

The ports for Open Directory are 88, 106, 389, 464, 625, 636, 749, 3659 and for my setup, I don't want any of these open at all for anyone. 1640 and 2012 have something to do with certs. 80 and 443 are apache, and I have no idea why that is running, and ironically when I connect to the computer with a web browser it shows this text "Websites are turned off. An administrator can turn them on using the Server application." That's not "off" in my book...

Run a firewall script at startup.

I have my own startup solution using Xhooks (no real link for that anymore since I left my last job and haven't set up a new site for it). Anyway, you can just create a launchdaemon or you can hijack Apple's /etc/rc.server.firewall script. That script is executed by /etc/rc.server, and that script is executed by none other then launchd at startup (search that source file for rc.server). And you thought the rc scripts were gone!

I can't explain all the ins and outs of setting up a firewall because there are too many things I don't know about them. I'll just list a simple ipfw (deprecated) ruleset. I'm not the best networking guru so I'm not sure if all of these rules are even needed for this, but I think it works so what the heck.

# Default stuff
sysctl -w net.inet.ip.fw.enable=1
ipfw -q -f flush
ipfw -q add allow all from any to any via lo0
ipfw -q add deny log all from any to 127.0.0.0/8
ipfw -q add deny log ip from 192.168.0.0/16 to any in via en0
ipfw -q add deny log ip from not 192.168.0.0/16 to any in via en0
ipfw -q add deny log ip from 192.168.0.0/16 to any in via en0
ipfw -q add deny log ip from 172.16.0.0/12 to any in via en0
ipfw -q add deny log ip from 10.0.0.0/8 to any in via en0
ipfw -q add deny log ip from any to 192.168.0.0/16 in via en0
ipfw -q add deny log ip from any to 172.16.0.0/12 in via en0
ipfw -q add deny log ip from any to 10.0.0.0/8 in via en0
ipfw -q add allow tcp from any to any established
ipfw -q add allow icmp from any to any
ipfw -q add allow icmp from any to any icmptypes 3,4,11,12

# Allow your GATEWAY (replace 10.0.0.9) with your IP or CIDR
ipfw -q add allow ip from 10.0.0.9 to any

# Allow the mail service (this isn't needed because it's a mostly open ruleset)
ipfw -q add allow tcp from any to any 25, 110, 143, 587, 993, 995 in

# Stop Open Directory
ipfw -q add reset tcp from any to any 88, 106, 389, 464, 625, 636, 749, 3659 in
# Stop Apache
ipfw -q add reset tcp from any to any 80, 443 in
# Stop Cert thingies
ipfw -q add reset tcp from any to any 1640, 2012 in

# Allow everything else
ipfw add 65535 allow ip from any to any

More information on OS X Server


Copyright 2016 James Reynolds