Chapter 3.  Server Management Tools


3.1. Graphical Tools

The user experience is Apple's temple. For a good portion of the company's history, it was (justifiably) the biggest reason behind their existence, and Apple has in many ways continued to revolutionize the user experience with each OS release. Server management, though, has its own set of requirements that are wholly different from those of home users wishing to better organize their digital life. Although Apple's server tools have generally been very simple and easy to use, they have not always scaled up to complex or large deployments as well as the underlying OS has. Toward these ends, Panther Server is a solid step in the right direction, and although it isn't perfect, it provides by far the most scalable management interface Apple has ever presented.

We'll start by analyzing Panther's simplified, reduced toolset. Rather than examining each option of each tool in great depth, we'll instead focus on the tool's high-level functions, revisiting its specific capabilities later, when our focus is the protocols and technologies those tools manage.



One very important aspect of all of these tools is their ability to be run remotely. Mac OS X Server is, by design, a remotely managed platform; every tool we'll look at (even when run locally) connects over TCP/IP to one of several backend daemons running on the server. Given the proper network access, this means that Mac OS X Server can be managed graphically from anywhere, as long as you have access to another Mac. Remote management is so important to Apple that, beginning with the Xserve G5, Apple's servers no longer shipped with a video card as a standard option.



Panther moves a step further, with command-line equivalents to many of these functions. This design takes remote management to another level, since the server can now, given proper network access, be managed remotely from any platform using an ssh client. The next logical step is a web interface to these functions, allowing for platform agnosticism in graphical management as well. Apple has not, as of yet, indicated that such a feature is forthcoming, although many server management tools do use HTTP as an underlying protocol.



3.1.1. Workgroup Manager

Workgroup Manager made its first appearance in Jaguar, when the addition of Managed Client settings made account management a task too complex for the minimal 10.0-10.1-era Server Admin application. Its tasks, at a general level, include:



Account management
The creation and management of user, group, and machine accounts

Preference management (Managed Client settings)
User experience restrictions and standardized behaviors enforced on user, group, and machine accounts

Share point management
Server shares (portions of the filesystem made available over server protocols like SMB and AFP), including protocol-specific settings for those shares



Musical Chairs

Mac OS X Server's management applications have had a little bit of an identity crisis over the years. Mac OS X 10.0 and 10.1 featured a fairly consistent tool called Server Admin, which had obvious roots in AppleShare IP's Mac OS Server Admin. Jaguar Server, however, divided Server Admin's features into three applications:

Workgroup Manager, which also featured Mac OS X managed-client settings (think Macintosh Manager)

Server Settings, which closely resembled 10.0's and 10.1's Server Admin

Server Status, which focused on the monitoring of server services and server logs

Mac OS X Server 10.2 also brought Server Monitor, the Xserve-specific hardware monitoring client.

Panther Server (10.3) sports consolidation and much-welcomed simplification. Workgroup Manager is still around, primarily for account and share-point management, and Server Admin has made a return, at least in name. Instead of its minimal, AppleShare-IP-inspired former self, however, it's a full-screen application that encompasses all of Server Status's monitoring features as well.



You might have noticed that both accounts and preferences can actually be managed for three different kinds of objects: users, groups, and groups of computers. Tuck this in the back of your mind; it becomes important later.



3.1.1.1 Account management

When you initially authenticate as a member of the server's admin group, Workgroup Manager opens in its Account Management mode, seen in Figure 3-1. Its overall function isn't overly complex: it allows you to create and manage users, groups, and computer accounts, each according to the tab that's selected in the Accounts pane.

Data entry fields on the right side of Workgroup Manager's Account Entry interface adjust contextually to the type of account (User, Group, or Computer List) being managed, allowing the administrator to modify the specific settings of the account in question. Accounts of any type may be searched using a variety of metrics in the Filter field (identified by its magnifying glass icon) above the list of accounts in the left pane of the interface. Specific options are documented in Figure 3-2.

In any case, keep in mind that manual addition of any sort of account doesn't really scale. Importing Users, Groups, and Computer Lists is covered in more depth in Chapter 4.



Figure 3-1. When the Accounts button is active, administrators are given a choice of User, Group, or Computer List management.



3.1.2. Creating Users

On a small scale, user creation is relatively simple. From Workgroup Manager's User account management interface, simply click on the New User button in the Tool Bar. The resulting interface (the Basic tab of the new user record) allows for the entry of minimal user data: Name, numerical User ID, Short Name, Password, and administrative rights. If these fields are populated, a user record, albeit a minimal one, will be saved into the current working directory domain.

Also of interest, though, are the Advanced, Groups, and Home tabbed sections of the new user record (Mail, Print, and Windows options are discussed in their respective chapters). The Advanced tab, seen in Figure 3-3, allows access to a set of largely unrelated options: simultaneous login, login shell, Password Type, and policies along with Comments and Keywords.

The simultaneous login checkbox toggles a true or false value on a key in the user record's MCXFlags attribute that is literally called simultaneous_login_enabled. The value of MCXFlags can be viewed using the dscl command, as in Example 3-1.



Figure 3-2. Workgroup Manager's interface for adding basic user data. Notice that multiple short names may be added to a single account. This capability is mostly applicable to Mail services, and is discussed in more depth in Chapter 22.



Figure 3-3. The Advanced pane of Workgroup Manager's user management interface. In general, "Advanced" in Mac OS X Server means "stuff that doesn't belong in other categories."



Example 3-1. Using the dscl command to remotely view the user Dolt's MCXFlags. Be aware that MCXFlags may contain other data in addition to the simultaneous login flag, and that this is a fairly simple example. In 10.3.5, simultaneous_login_enabled applies to desktop (console) logins and not to log-ins via services like SSH, FTP, AFP, or SMB.



big15:~ mab9718$ dscl -u odadm -p g5.4am-media.com -read /LDAPv
Password:
MCXFlags:
DTDs/PropertyList-1.0.dtd">
simultaneous_login_enabled
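
The check in Example 3-1 can be scripted when many accounts need reviewing. The following is an added example, not code from the book: it parses dscl-style -read output and decodes the MCXFlags property list. The sample record, its extra key, and the assumption that attribute names start at column 0 are constructed for illustration.

```python
import plistlib
import re

# Constructed sample of dscl -read output for one user record; the values
# and the key "example_other_flag" are illustrative, not from the book.
SAMPLE = """\
RecordName: dolt
UniqueID: 1031
MCXFlags:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>example_other_flag</key>
    <true/>
    <key>simultaneous_login_enabled</key>
    <false/>
</dict>
</plist>
NFSHomeDirectory: /Users/dolt
"""

# Assumption: an attribute starts a line as "Name:" or "Name: value";
# any other line continues the previous attribute's value.
ATTR = re.compile(r"^(\w+):(?: (.*))?$")

def parse_record(text):
    """Split dscl-style output into {attribute: value}, joining multi-line values."""
    record, current = {}, None
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:
            current = m.group(1)
            record[current] = m.group(2) or ""
        elif current is not None:
            record[current] += ("\n" if record[current] else "") + line
    return record

def simultaneous_login(record):
    """Return the flag as True/False, or None when MCXFlags or the key is absent."""
    raw = record.get("MCXFlags", "").strip()
    if not raw:
        return None
    flags = plistlib.loads(raw.encode("utf-8"))
    return flags.get("simultaneous_login_enabled")

if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    print(rec["RecordName"], simultaneous_login(rec))
```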









Password type, discussed in far more depth in Chapter 8, specifies how the User's authentication data should be stored. In Panther Server, most users should have a Password Type of Open Directory, meaning that they are authenticated using Apple's Password Server and in some cases (specifically, when the user exists in an Open Directory shared domain), Kerberos. The one exception to this tendency is the root user in the local domain, who has a password type of Shadow Hash. Users with Open Directory passwords will also have an additional options button in the Advanced pane of their user record. This button, used to enforce per-user password policies (such as length restriction), is also discussed in more depth in Chapter 8.



Crypt refers to a legacy (and largely insecure) method of authentication that involved storage of a weakly encrypted form of the user's password in the directory (generally NetInfo or LDAP) itself. Workgroup Manager won't create an encrypted password. Shadow Hash refers to a more secure method that stores both NTLMv1 and SHA1 hashes of the user's password in a root-readable location on the filesystem (/var/db/shadow/hash).



The Groups tab of the user record, illustrated in Figure 3-4, allows the user to be added to multiple groups; although the user interface implies that groups are being added to the user record, this is not the case.

By clicking on the + icon next to the Other Groups pane, you can access a list of groups from any of the directory nodes that your server has access to. These groups can then be added to the list that the user should belong to. This drawer interface is illustrated in Figure 3-5. In very large installations, all groups in a particular domain might not necessarily be displayed, due either to query restrictions in the domain or your Workgroup Manager settings. To allow for more granular management, Apple has provided a filter interface identical to the one in the Account List pane, described earlier.



Figure 3-4. The Groups pane in Workgroup Manager's user management interface.



Figure 3-5. Workgroup Manager's group selection drawer. Note the Filter field, identical in functionality to the one in the Account List interface (discussed earlier in this chapter).



Keep in mind that in Mac OS X, users can belong to up to 16 groups (generally their primary group and 15 others) and even though Workgroup Manager will allow you to access more, Mac OS X will not recognize them all.



The Home tab, illustrated in Figure 3-6, allows the location of users' home directories to be specified. While not strictly required for all server services (mail services, for example, do not require the user to have his own home directory), home directories are generally a good idea, offering both a private area for file storage and support for more advanced features, like network accounts.

In their most basic incarnation--supporting a local, rather than a shared domain--management of home directories is fairly straightforward. The administrator merely specifies a Share Point (as defined in Workgroup Manager's Sharing section, described later in this chapter) under which the user's home directory should be located. Once saved, this data is stored as a filesystem path (such as /Users/jdoe) in the user record's NFSHomeDirectory attribute, and the home directory is created upon first AFP logon. More complex scenarios, involving Network Home Directories and user quotas, are discussed in Chapter 24.



Figure 3-6. The Home pane of a user record in Workgroup Manager. Home directories, usually created on first AFP login, may optionally be created immediately, if the Server that Workgroup Manager is managing is also the server on which the user's home directory exists, by clicking the Create Home Now button.



Once again, note that this treatment of user creation is designed to be rather general, and that service-specific (Mail,


