A Look At Panther Server
Volume Number: 20 (2004)
Issue Number: 4
Column Tag: Programming
by John C. Welch
Digging past the hype into Apple's latest server OS
Mac OS X Server: A Major Reach for Apple
Now that we've all had a few months to weigh in on Mac OS X Server 10.3, I figured it was time to see how it stacks up against the previous version of Mac OS X Server and other server OSes, primarily Windows 2000/2003 Server. This is less a review of Mac OS X Server as a product, and more a look at how it does the job as a server. (Keep print lead times in mind: this article is based on Mac OS X Server 10.3.3.)
There is a plethora of new features in Mac OS X Server 10.3, covering almost every part of the product at almost every level.
For network administrators, Mac OS X Server 10.3 represents Apple's first serious attempt at one of the holy grails of any network: single sign-on. The idea behind single sign-on (SSO) is simple: you sign on to the network once, and after that you are authenticated for any network resource you may need. So, in a perfect single sign-on environment, you log on to your Mac running Mac OS X 10.3.x (you pretty much have to be running Panther for SSO to work), and the user ID and password you provide get you all the credentials you need for everything from network file shares to email to printing. Does Apple achieve this? Well, as we shall see, mostly.
Apple is using MIT's Kerberos security system as the basis for SSO in Panther. Kerberos is an open standard for network security, designed to provide a highly secure environment without needing a firewall. (Considering that universities need to be highly open environments, and often use protocols that do not play well with firewalls, the need for security without a firewall is critical.) Kerberos is a network authentication mechanism: its purpose is to validate that the person trying to get to a resource is a known person. Other services then use this authentication to authorize that person to use their services. This is an important distinction. Kerberos does not grant you access to share "foo" on AFP server "Bar". All Kerberos does is say "whoever is authenticating as principal (Kerberos-speak for user ID) TAFKAP has indeed successfully authenticated (or not) as that principal." It is then up to the service to decide whether that person is authorized to use it. Kerberos is a cross-platform, standardized way to do authentication. (I'm not going to go into an explanation here, because there is an excellent functional and descriptive explanation of Kerberos in Mac OS X written by Joel Rennich at AFP548.com: http://www.afp548.com/Articles/Panther/kerberos1.html)
Because of the way Kerberos works, it is highly compatible with SSO systems, so Apple has implemented a (mostly) stock MIT KDC in Mac OS X Server, which can now act as a Kerberos Domain Controller, or KDC.
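To make the authentication-versus-authorization split concrete, here is an added toy model of the TAFKAP / share "foo" on server "Bar" scenario (my own illustration, not Apple's or MIT's code): the KDC hands out a ticket only after the principal proves its password, and the AFP server, holding the key the ticket is bound to, verifies the ticket and then consults its own ACL. The realm name, passwords, and the HMAC-signed JSON ticket are assumptions for illustration; real Kerberos uses encrypted tickets, timestamps, nonces and a ticket-granting service.

```python
import hashlib
import hmac
import json
import os
import time

def _sign(key, body):
    """HMAC-SHA256 over a canonical JSON encoding of the ticket body."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class KDC:
    """Holds password verifiers and each service's shared key. It answers one
    question only: did this principal prove knowledge of its password?"""
    def __init__(self, services):
        self._users = {}           # principal -> (salt, PBKDF2 hash)
        self._services = services  # service principal -> key shared with it

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_principal(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._hash(password, salt))

    def get_ticket(self, principal, password, service):
        """Return a ticket bound to the service's key, or None on failure."""
        if principal not in self._users or service not in self._services:
            return None
        salt, stored = self._users[principal]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        body = {"principal": principal, "realm": "EXAMPLE.ORG",  # constructed realm
                "service": service, "expires": int(time.time()) + 600}
        return {"body": body, "tag": _sign(self._services[service], body)}

class AFPServer:
    """A Kerberized service: it checks the ticket with its own key, then
    applies its own share ACL. The KDC never sees that ACL."""
    def __init__(self, name, key, acl):
        self._name, self._key, self._acl = name, key, acl  # acl: share -> set

    def open_share(self, share, ticket):
        if ticket is None:
            return "not authenticated"
        body = ticket["body"]
        if (not hmac.compare_digest(_sign(self._key, body), ticket["tag"])
                or body["service"] != self._name or body["expires"] < time.time()):
            return "not authenticated"  # forged, tampered, wrong service or stale
        # Authentication is settled; authorization is this server's call alone.
        allowed = body["principal"] in self._acl.get(share, set())
        return "granted" if allowed else "not authorized"

def demo():
    """The article's scenario: principal TAFKAP and share 'foo' on server 'Bar'."""
    svc, key = "afpserver/Bar", os.urandom(32)
    kdc = KDC({svc: key})
    kdc.add_principal("TAFKAP", "purple-rain")  # constructed passwords
    kdc.add_principal("alice", "wonderland")
    bar = AFPServer(svc, key, {"foo": {"TAFKAP"}})
    results = {"tafkap": bar.open_share("foo", kdc.get_ticket("TAFKAP", "purple-rain", svc)),
               "alice": bar.open_share("foo", kdc.get_ticket("alice", "wonderland", svc)),
               "bad_pw": bar.open_share("foo", kdc.get_ticket("TAFKAP", "nope", svc))}
    forged = kdc.get_ticket("alice", "wonderland", svc)
    forged["body"]["principal"] = "TAFKAP"  # tampering invalidates the tag
    results["forged"] = bar.open_share("foo", forged)
    return results
```

Note that alice authenticates successfully yet is turned away by the server's ACL, which is exactly the distinction the article draws: the KDC vouches for identity, the service decides access.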
Open Directory, now Open Directory 2, has received major attention from Apple as well. It is now based on OpenLDAP, using Berkeley DB as its data store, to provide fast, scalable, secure directory services for Mac OS X Server networks. NetInfo is still there, but by default it is used only for local machine records, and is now considered a legacy service. LDAPv3 support is much improved, along with BSD flat file and NIS (not NIS+) support. The big news here, however, is the addition of an Active Directory plugin, which allows Mac OS X Server to access Active Directory networks directly and more cleanly, without the schema change workarounds that Jaguar Server required.
The Server Admin tools have undergone yet another change. Now, actual server administration is done from the aptly named "Server Admin" application. It controls all non-user/non-client management. Along with greatly improved interfaces for the Firewall, NetBoot, Open Directory, etc., it adds the ability to manage multiple servers from a single window and to apply standard settings to servers via drag and drop from another server. Apple has promised to make the APIs for Server Admin available, so that third parties can write their own management console interfaces. Sybase has already released a plug-in for Server Admin that allows you to manage their ASE 12 database under OS X. Hopefully Apple will encourage a Mac counterpart to the Windows MMC snap-in market.
Workgroup Manager gained some improvements, most notably the ability to directly browse and edit LDAP information in Open Directory without needing what is still one of the most awkward tools on the market, NetInfo Manager. With NetInfo taking a notable step back in Mac OS X Server 10.3, continuing to use NetInfo Manager for LDAP administration tasks would have been very silly. Server Monitor is essentially unchanged from Jaguar Server.
The second major change in Mac OS X Server 10.3 is the addition of a plethora of command line tools for running your server: better directory services tools, user and group management, and so on. Pretty much everything you can do with the GUI tools can be done via the shell, and vice versa. While the command line may seem to be the antithesis of the Mac experience, any administrator knows that a good set of command line utilities can get a lot of tasks done far faster than the same tools as a GUI, especially if you are stuck with dialup access.
(While Apple Remote Desktop, aka ARD, has been improved, and the client portion is now a standard install for Panther, the administrator part is not part of Mac OS X Server's default configuration, so I won't be talking about it here.)
The Managed Client for OS X (MCX) services have been updated for Panther. The new feature here is the Mobile Account, which allows managed laptops to still function as part of an Open Directory system even when they cannot see the Open Directory network. This is a major plus for schools and other cases where you still want to manage your users even when they are off the main network.
New in Mac OS X Server 10.3 is the JBoss Java application server, another sign that Apple is serious about playing in the Java market. The email server has been completely replaced with Postfix and Cyrus. This finally gives Mac OS X Server email capabilities as first-rate as the rest of the system, by incorporating robust, scalable, and secure email subsystems that are well respected regardless of platform. Thanks to the Kerberos support in Cyrus and Panther, if your email client is Kerberized it can take advantage of SSO for email services. This is an important upgrade, as the previous mail server in Mac OS X Server was simply unsuitable for heavy-duty email services.
Windows services are upgraded with the inclusion of Samba 3.x in Mac OS X Server. This upgrade allows Mac OS X Server to work as a Windows NT 4 Primary Domain Controller. Other changes improve integration for users logging in to Mac OS X Server from a Windows machine.
If you haven't gotten the idea by now, there's almost nothing in Mac OS X Server that did not get a major upgrade, or at least serious attention, in 10.3.x. But a feature list is only half the story. The question is, did Apple do things well or not? Mac OS X Server 10.2 was a pretty mixed bag of issues, and was, in my eyes, about 50% of the way to being what it should be. So now, let's look at how well Mac OS X Server 10.3.x is doing.
So the first thing we should look at is what Apple did right. Well, as of 10.3.3, there's a lot to like about Mac OS X Server. At the top of the list is the mail server. The previous server was an albatross around the product's neck. It was unable to keep up with the rest of Mac OS X Server, and was simply unsuited to modern email needs. The inclusion of Postfix and Cyrus finally gives Mac OS X Server an email server that can play with any commercial product out there. Because Cyrus supports Kerberos, if you use a Kerberized email client, email can fit into the SSO realm of services. Log into your machine, start up your email client, you're in. No need to perform a separate login. This is one of the handier features of Windows XP/2000 in an Active Directory domain, and it's good to see that Apple has implemented it in a more open fashion. The administration UI in Server Admin is sufficient to take you from no email to a pretty solid and secure email server, and you can easily go to the command line if you need more in-depth control.
The server administration tools have all been updated for this new version, but the most notable change is the Server Admin tool, and the scriptability of that tool as of Mac OS X Server 10.3.3. The server administration tools outside of Workgroup Manager were a muddled collection of half-baked attempts at putting a UI on things. Server Admin, new with 10.3.x, fixes many of these shortcomings. As mentioned earlier, you can now manage multiple servers far more easily than before, and the UI is far more capable. The DNS section has been completely revamped, and is now at least usable (although, in the end, if you are going to muck with DNS, you still want a copy of the O'Reilly book handy, and well-read. DNS is absolutely critical in Mac OS X Server, and a poorly set up DNS will cause you pain that has to be felt to be believed. If you are not extremely comfortable with DNS, throw money at someone who is; it will be well worth the cost). The Firewall setup is finally worth the effort, although it still needs a bit of work to be on a par with third-party tools like Brickhouse. You can set up PPTP VPNs with ease, and L2TP/IPsec VPNs almost as easily. If you want to do a "pure" IPsec VPN, you're still going to be living in the command line, an oversight that needs to be remedied at some point. The web server/Apache setup is about the same as in Jaguar, that is, tedious and obtuse. But the ability to drag and drop settings between servers is a major plus, as is the fact that Server Admin is now scriptable. It's not a complete dictionary by any means, but the introduction of AppleScript into this realm most definitely counts as "a good thing". One continual annoyance is the inability of Server Admin to deal gracefully with servers in the list that it cannot see. Modal dialogs and application lockups are the result of having an unreachable server. Server Admin really needs to emulate the behavior of Server Monitor here, and just fail quietly.
If I never attempt to manage a server that I can't see, why do I need to wait for timeouts and dialogs? Just red-light the silly thing and leave me alone. But shortcomings of the service implementations aside, the new Server Admin tool is a huge improvement over Jaguar's version. One final improvement is that Apple has structured Server Admin so that third parties can extend it. While the APIs haven't been widely distributed yet, Sybase has created a Server Admin module for its ASE product.
Workgroup Manager has received some notable updates, primarily based on new capabilities of Panther, and the new Open Directory access is a good start on a decent LDAP manipulation tool. You can now directly manipulate information in the directory structure outside of what Workgroup Manager normally lets you see. You can add pre-built settings, change existing settings, or add custom settings of your own. Dealing with the Open Directory structure this way is nicer than trying to manipulate data via the command line, but Workgroup Manager still needs a proper LDAP browser, à la the Java-based LDAPBrowser tool. You can activate Server Admin from within Workgroup Manager, or vice versa. At some point, these tools really need to be integrated into one tool, mostly so that Workgroup Manager can benefit from the improvements to Server Admin.
However, even with these notable improvements, client and machine management in an OS X network is still far harder than it has to be. To really manage client machines, you almost have to buy Apple Remote Desktop, because Workgroup Manager is only capable of the most limited machine management. So in essence, you have the "ARD Tax". There's no way to tell how computer lists fit into Open Directory. Are they a container? An OU? Short of using a tool like LDAPBrowser or the command line directory tools, there's no way to tell. Want to change the IP address on a large group of computers? Hope you have some time for ARD or SneakerNet, because that's the only way you're doing it. Apple really needs to look hard at Microsoft's and Novell's directory management tools, and learn from them. Workgroup Manager is not up to the task of managing a large network.
As a first effort, the Kerberos integration is outstanding in many ways. The basic setup is simple, and as of 10.3.3, most of the outstanding bugs with AFP and Kerberos have been fixed. You can make most of your services use Kerberos (aka having them be "Kerberized"), and once that happens you get the benefits of SSO, excellent security, and convenience. However, if you need to do more with it than a very basic setup, you had better get very familiar with the MIT Kerberos administration documentation (http://web.mit.edu/kerberos/www/krb5-1.3/#documentation), because Apple has almost nothing beyond "read the man page". But they at least give you a complete MIT Kerberos setup, so you can get more complex things done; it's just harder than it should be. If your needs align with what Apple anticipated, the setup is dead simple. If not, you're going to be spending a lot of time below the UI.
Finally, the command line utilities. Apple has finally given server administrators a complete set of command line applications for running Mac OS X Server. Pretty much anything you can do through the UI you can do through the command line, though there are a few things, such as setting the mount style for Active Directory homes, that you can't do via the command line. While some may shudder in horror at the idea of a command line, the fact is that server administrators need one. It allows you to integrate Mac OS X Server tools into other systems. By providing a full-featured command line interface to Mac OS X Server, Apple makes integrating Mac OS X Server into management tools on other platforms far easier. That is, by the way, a good thing.
Next, the areas that still need work, starting with Windows support. The big news is that in Panther you have near one-click Windows NT 4 PDC setup. (I say near, because it's rarely that simple.) However, if you want to make your Mac OS X Server a member of a Windows domain, you can't use NTLMv2 or Kerberos for your login authentication. In fact, SMB under Mac OS X Server isn't Kerberized at all, so anyone who needs Windows sharing can't participate in SSO. This puts a real crimp in SSO for Mac OS X. Along with that, the Active Directory plugin for Directory Services, while a good start, is not anything close to what it needs to be for heavy use. If you have a home directory in Active Directory, it doesn't mount as your home directory under OS X, but rather as an additional mount on your desktop. And getting an Open Directory Master to talk to Active Directory is far harder than it needs to be.
The LDAP access in Workgroup Manager is too disjointed to be useful. It's very hard for new administrators to use the directory inspector to get an idea of how all of the directory information is laid out. In Active Directory, by contrast, seeing how containers and OUs are laid out is quite easy, which makes moving resources between directory structures much easier than in Workgroup Manager.
Sharing is still not as flexible as it needs to be. For example, if you, as an administrator, want to see volumes instead of share points, Apple has a Knowledge Base article that tells you how (http://docs.info.apple.com/article.html?artnum=107823). The problem is, if you follow this procedure and you're an administrator with a network home directory, you may end up killing your ability to log in with that account, because now you can't get at the share points. It's a binary setting: either volumes or share points, but not both. It is rather silly that an administrator can't choose how they want to get to information on the server. There's a clear need for both, and forcing you to choose like that makes no sense. Since this is a system-wide change, and not a user-specific change, you can't just apply it for one administrator.
The documentation, while improved in 10.3 over 10.2, still needs a lot of work. Apple needs to include far more examples for new administrators, especially considering the lack of third-party references available. For example, in the firewall docs, while they talk about setting up rules for TCP and UDP ports, they don't have an example of what a rule to allow a service through to a specific machine should look like. This is one of the most common tasks an administrator does on a firewall, and it would make a lot of sense for Apple to include more screen shots of this from both the UI setup and the IPFW setup. While it's good to talk about generic hows, whys, and wherefores, for someone who hasn't been setting up Unix networks for twenty years, nothing beats a well-annotated picture. There are also far too many instances of "read the man page." Well, the man page is only designed to tell you how a command needs to be structured. That's a syntax guide, not a howto. Since Apple isn't shipping this stuff on paper anymore, they need to spend that savings on putting more information into the docs. I really doubt they'll get a ton of emails complaining that the "documentation was just too darn informative and useful."
Now we come to my least favorite part of any analysis: the stuff that I think is just bad.
Heading this list, indeed leading it by a huge margin, is the Mac OS X Server print server. First of all, it virtually ignores all the features of CUPS other than the lowest-level drivers. Adding a printer via the server only allows you to connect via AppleTalk or LPR. Um, hello, IPP? The only way to get any kind of authenticated printing is via SMB, so not only do you lose any integration with SSO, but if you want authenticated printing, none of your OS 9 clients can connect. Wait, it gets better. Say you have a bunch of different printers, HP LaserJets for example, and you use Server Admin to connect to all of them. They all have different host names and different IPs, but the same queue name, say the default. In that case, all the printers would have the same name in Server Admin, because the queue name, not the IP or DNS name, is what is used to identify the printers. Even better, if you want to set the default queue, you'll only see one entry. If you want to advertise the printer via Open Directory, you can't set that up in Server Admin; you have to do it manually in Workgroup Manager, by creating an LDAP entry by hand. As it turns out, you can use Printer Setup Utility to add an IPP printer, but the Print Server almost totally ignores it, to the point of not logging any of the printer activity in its logs (which are utterly separate from CUPS). On Mac OS X Server, if you use the print server, then as far as the CUPS logs are concerned, all print jobs are created by root. Even better, CUPS does allow for authenticated, and even SSL, printing, but the Mac OS X Server Print Server completely ignores this, as does the documentation. As of 10.3, the Print Server is simply not worth the trouble, and you're far better off with a third-party product, or just getting CUPS to do it all for you.
Next on the list here is Apple's support for Mac OS X Server. It's glaringly inconsistent. Sometimes a problem can go on for months, until you happen to talk to the right person who has the secret knowledge. It's almost as if, as far as Apple Support is concerned, databases are things that other people use. If you have any questions on the Active Directory plugin, or customizing install packages, that thousand-dollar support package you bought? Useless. They won't even talk to you. That is what is considered "advanced integration" and requires another support package, which starts at $6000 and goes up from there, although if you have a tight budget, per-incident calls are only $700. Apple's support organization is still far too weak and bush-league for the type of markets they are starting to hit. Making people keep a list of "the smart ones" is just silly. The only way I've found to get bugs into the hands of the people who will actually do anything about them is to get a free, online developer membership and report bugs that way.
Documentation is still far from where it needs to be. Telling someone to "read the man page" is only useful if the man page is complete. Kerberos documentation is a large gaping hole in Apple's docs. If you look at the "Command-Line Administration" documentation, the entire section on the command line utilities kdcsetup, sso_util, and kerberosautoconfig takes up less than a quarter of page 160, and is basically a nice table telling you to read the man page. If that's all you're going to put in, why waste the space? Parts of the documentation are far from as clear as they need to be (tip: if you're setting up a printer to be advertised in Open Directory, you have to have a queue name; the docs make it sound optional). Accurate and complete documentation is critical to a server product, and Apple is dropping the ball here. The online knowledge base is not filling the holes here at all. Searching for "Kerberos" in the Mac OS X Server section of Apple's support site results in two hits, both of which are readmes for updates.
Even with the missteps and holes in the product, Mac OS X Server 10.3.3 is a major leap forward for the product. If Apple uses the next major version to patch and fix the problems noted here, and in other forums, they will truly have a server product that is the equal of any on the market from any company.
John Welch <email@example.com> is an IT Staff Member for Kansas City Life Insurance, a Technical Strategist for Provar (http://www.provar.com/), and the Chief Know-It-All for TackyShirt (http://www.tackyshirt.com/). He has over fifteen years of experience making Macs work with other computer systems. John specializes in figuring out ways to make the Mac do what nobody thinks it can, showing that the Mac is a superior administrative platform, and teaching others how to use it in interesting, if sometimes frightening, ways. He also does things that don't involve computertry on occasion, or at least that's the rumor.