Here are my notes for debugging and maintaining an OS X Server (3.1.2) on Mavericks 10.9.4. This is mostly command line stuff, very little GUI stuff.
Note, this post is part of a series. Here are the other posts.
- OS X Server - Basics (this page)
- OS X Server - Managing user accounts
- OS X Server - Postfix
- OS X Server - Dovecot
- OS X Server - Sieve
About OS X Server
OS X Server is a product that reached it's peak around 2009-2011 with Mac OS X Server 10.6. Back then it was a complete OS install and was different from Mac OS X client. Since then Apple has scaled the product back, made it very inexpensive ($20), released very little documentation compared to 10.5 and 10.6, and made the server an app download from the Mac App Store that is installed on the client OS (rather then being a OS unto itself).
The OS X Server (3.1 on OS X 10.9) installs and pre-configures some of the best open source server products such as apache, php, postfix, dovecot, and openldap. I am unsure if the bugs I've seen are in the Server.app, modifications Apple has made to the open source products, or in how Apple has configured all of these 3rd party server products to work with each other.
Working with OS X Server
Make sure everything is ok
sudo changeip -checkhostname
To change the IP
Do not change the IP of the server if you are using Open Directory. Changing the IP destroys the LDAP and Kerberos databases. If you are not using Open Directory, this is how you change the IP.
sudo changeip <old-ip> <new-ip> <old-hostname> <new-hostname>
Then go to System Preferences.app and change the IP there. Then reboot the server.
If you are using Open Directory, all hope is not lost. Assuming you don't have replicas and you don't need to retain the passwords then run something like these commands (I did something like this, but I didn't save my history, so I don't remember exactly what I did):
sudo slapconfig -backupdb /full/path/to/archive
dsexport -e dsAttrTypeStandard:AuthenticationAuthority -e dsAttrTypeStandard:AltSecurityIdentities \ users.txt /LDAPv3/127.0.0.1 dsRecTypeStandard:Users dsexport groups.txt /Local/Default dsRecTypeStandard:Groups
sudo serveradmin stop dirserv sudo slapconfig -destroyldapserver
sudo slapconfig -createldapmasterandadmin
dsimport users.txt /LDAPv3/127.0.0.1 M --username <diradmin> dsimport groups.txt /Local/Default M --username <diradmin> <dirpassword>
If you need to keep passwords probably the easiest solution is to replicate your Open Directory database to a different server, promote the replica to a master, bind the first server to the new master, change the IP of the first server, then replicate the Open Directory database back. But I don't know how to do any of this. Years ago I seem to remember being told this is how it's done, but I don't remember too well because I didn't manage OS X Server's back then.
It should also be possible to export the Kerberos database but
kadmin -l dump says "kadmin: hdb_foreach: iteration over database only supported for DSLocal".
Modifications to the system.
Have the output from the periodic scripts emailed to you.
daily_output="firstname.lastname@example.org" weekly_output="email@example.com" monthly_output="firstname.lastname@example.org"
The common wisdom is that you never know if your backup solution actually works unless you use it. I'd like to add that you'll never know how your backup solution works unless you use it. I've had to restore my system twice before it was even in production yet.
I'm just going to say this, you must know your backup software inside and out. And if you're using TimeMachine as your backup, don't be deceived by the silly TimeMachine System Preferences pane. Read the tmutil man page!
Hey, OS X Server opens a lot of ports. I haven't fully tested this yet, but I don't want all of these ports open, so I'm going to shut them off and see if the server still works. So remember, these are my notes, and as of the moment I'm writing this, I haven't actually tested them yet, so don't take this as truth yet.
This is all of the open ports on a server with Open Directory, Mail, ssh, and vnc turned on.
22 ssh 25 smtp 80 http 88 kerberos 106 3com-tsmux 110 pop3 143 imap 389 ldap 443 https 464 kpasswd 587 submission 625 dec_dlm 636 ldaps 749 kerberos-adm 993 imaps 995 pop3s 1640 cert-responder 2012 ttyinfo 3659 apple-sasl 4190 sieve 5900 rfb
The the mail ports are 25, 110, 143, 587, 993, 995, they all need to be open. 4190 is used by dovecot for filtering mail, and I'm not sure if it actually needs to be open.
The ports for ssh and ARD are 22 and 5900. I have a gateway and only the gateway can contact those ports.
The ports for Open Directory are 88, 106, 389, 464, 625, 636, 749, 3659 and for my setup, I don't want any of these open at all for anyone. 1640 and 2012 have something to do with certs. 80 and 443 are apache, and I have no idea why that is running, and ironically when I connect to the computer with a web browser it shows this text "Websites are turned off. An administrator can turn them on using the Server application." That's not "off" in my book...
Run a firewall script at startup.
I have my own startup solution using Xhooks (no real link for that anymore since I left my last job and haven't set up a new site for it). Anyway, you can just create a launchdaemon or you can hijack Apple's /etc/rc.server.firewall script. That script is executed by /etc/rc.server, and that script is executed by none other then launchd at startup (search that source file for rc.server). And you thought the rc scripts were gone!
I can't explain all the ins and outs of setting up a firewall because there are too many things I don't know about them. I'll just list a simple ipfw (deprecated) ruleset. I'm not the best networking guru so I'm not sure if all of these rules are even needed for this, but I think it works so what the heck.
# Default stuff sysctl -w net.inet.ip.fw.enable=1 ipfw -q -f flush ipfw -q add allow all from any to any via lo0 ipfw -q add deny log all from any to 127.0.0.0/8 ipfw -q add deny log ip from 192.168.0.0/16 to any in via en0 ipfw -q add deny log ip from not 192.168.0.0/16 to any in via en0 ipfw -q add deny log ip from 192.168.0.0/16 to any in via en0 ipfw -q add deny log ip from 172.16.0.0/12 to any in via en0 ipfw -q add deny log ip from 10.0.0.0/8 to any in via en0 ipfw -q add deny log ip from any to 192.168.0.0/16 in via en0 ipfw -q add deny log ip from any to 172.16.0.0/12 in via en0 ipfw -q add deny log ip from any to 10.0.0.0/8 in via en0 ipfw -q add allow tcp from any to any established ipfw -q add allow icmp from any to any ipfw -q add allow icmp from any to any icmptypes 3,4,11,12 # Allow your GATEWAY (replace 10.0.0.9) with your IP or CIDR ipfw -q add allow ip from 10.0.0.9 to any # Allow the mail service (this isn't needed because it's a mostly open ruleset) ipfw -q add allow tcp from any to any 25, 110, 143, 587, 993, 995 in # Stop Open Directory ipfw -q add reset tcp from any to any 88, 106, 389, 464, 625, 636, 749, 3659 in # Stop Apache ipfw -q add reset tcp from any to any 80, 443 in # Stop Cert thingies ipfw -q add reset tcp from any to any 1640, 2012 in # Allow everything else ipfw add 65535 allow ip from any to any
More information on OS X Server
- Apple's advanced guide
- krypted.com guide
- arstechnica.com review
- Macgasm review
- OS X Server Essentials 10.9 book
- Take Control of OS X Server book
Copyright 2016 James Reynolds