-- Main.iturner - 29 Mar 2010
Apple Connect 2010 - Toronto March 14-19, 2010
Conference Notes
- Parallels bare metal allows GoDaddy to offer virtual Mac OS X Servers in the cloud
- the newest Xserves have an option to add an SSD, without losing a hard drive, for the system / boot disk - speed boost, still 3 drives for data
- Snow Leopard server mail based on Dovecot
- AppleCare for Mac mini Server also covers software support for 3 years
- need to get slides, especially for the "Home Folder" presentations; the presenter was knowledgeable, but fast, and jumped around a lot; key point emphasized = mobile sync is REALLY complicated
Active Directory Integration
- excellent presenter, but now I know the context of Ed's comment from last year, about "pure AD, vs Magic Triangle"; this guy leads their large enterprise consulting group; selling to mostly companies who have a large, complex AD infrastructure; it is easier for him to sell them schema modification, than a bunch of XServes to spread across the world, duplicating a massive AD infrastructure.
- interesting viewpoints:
- he also made side comments about "the death of the computer lab", except where significantly more power is required than what students can do on their own machines - he thinks "we" should focus more on infrastructure
- similarly he has seen "companies" move away from providing staff machines; and sees them doing more "local" home folders, with limited synching - Sharepoint and e-mail are the "new document repositories"; central IT trying to reduce costs
- the tools on both Apple and Windows side for schema extension are now SIGNIFICANTLY better than what Clayton abortively tried a few years ago; but, BIG BUT, if UW is heading toward a single Forest AD, i.e. (I think) a single UW-wide schema for AD, then if anyone requests the schema extensions, ALL Magic Triangles will be "BROKEN". AD will serve all the mcx fields, even if nonsense or not populated, and "trump" OD, because of the necessary service order for authentication
- the apple schema is on all macs at /etc/openldap/schema/
- on Windows Server 2008 R3? there is a schema analyzer, which can compare the current AD schema with the Apple extensions, and generate an almost complete ldif file; their cookbook shows how to complete it, then MS provides a command line tool to "do" the ldif add to generate the new AD schema
- in Snow Leopard, AD password expiry can be warned/enforced, and the password changed "natively" (if we allow it); and complexity rules from AD enforced
- BUT if they happen to change the password (any time after initial Mac login/account setup) on Windows or *nix, then their keychain password will squawk at next Mac login - at least confusing them, and they will need their "old" password, to cause it to assume their "new" password
- it seems they have gone away from "augment" records going from 10.5 to 10.6; can now manage on a "person" level directly
- DNS client is significantly different in Snow Leopard; mDNSResponder is used for all multicast AND unicast queries; no more lookupd; scutil --dns is also useful - on a Mac, /etc/resolv.conf is not current; but, interestingly, nslookup is no longer deprecated
- Directory Services also caches some DNS info, separately, so may need dscl to look at its specific caches
- setting up a server: have its DNS record set up first, and a live network connection -> else it will pause for a long time, then set up its own incorrect internal DNS, just so Server Admin will not crash
- ** for Clayton, we CAN map for example UID to UUID with a BIG BUT - that depends on the field always being properly populated; otherwise, big boom failure
- they have had other reports of issues of caching AD groups etc like Clayton ran into; logout is supposed to be sufficient, but reboot is sometimes required - might find notes on some tools - mcxrefresh - mcxquery to see what it "is", and maybe even what it "should be"
- can set up a restricted "binding user" in AD, ie less than full domain admin
- packet signing / encryption auto on in 10.6 so no more need to turn it off on Windows servers
- ** the issue we have periodically seen with lab macs not being able to authenticate, then not being able to bind/unbind -> traced down to corrupt kerberos records; they are aware of it - not sure, but they suspect that some cases have been caused by Anti-virus, "seeing" something, and "fixing", resulting in the kerberos file being "there" but zero-length - and worse-than-useless!
- iPhone integration was really interesting, but probably not too relevant to our world (best session I could find at that time)
- includes ability to pre-configure and use "vpn on demand", using certificates/PKI
- virtual machines - support command-line, so ARD can send a unix command to Mac host, to send a command to a virtual machine
- license for Mac OSX Server DOES allow running as a virtual machine, but OSX client DOES NOT!!
- thinking about the "podium pc to Mac/vnc" project; maybe we could buy a mac pro, with a server license, and Parallels Server, and set up some clone "servers with no server-services"; ie it would look pretty much like a workstation - with vnc allowed? BUT - server needs a serial number - need a license per virtual???
- BE VERY Careful, with virtual machines - if on the net, they are of course as Vulnerable as any computer
- very good, but again very fast Advanced ARD session - and it went overtime too - there will be a handout
- For further investigation:
- Task server on central machine
- lots more automation - there are now more templates, AND Automator action - customized, and we can write "services" - ie in the context menu for a "selected-group of machines"
- they demoed applescript embedded in shell scripts and or automator; eg parse info and do a similar but individualized action on a group of machines
- demoed package builder to "package up" an install, eg Firefox, so it could then be delivered automatically to a set of machines
- Steve Hayman invented a method of creating a "package" without a payload - it includes a script; so it can be delivered/scheduled within the task server; an example they gave was sending the fancy bless command to a batch of machines - with DeployStudio pre-staged, then using ARD to cause the reboot-reimage
Directory Services
- the original need for augment records in 10.5 (service locator records per person) is no longer there, but they are still available for other purposes
- the AD plugin does a good job / some magic to convert GUID, UID, GID, and it is the "thing" that creates "FAUX Mount Records" - EVEN if you id a user; translates HomeDirectory into a file path and "where to mount it"
- OD failover is not necessarily "quick", and each of the component services can/will fail separately
- in Snow Leopard the old hardcoded 1000 concurrent user limit on OD is removed; limited by the number of open files allowed - at one per OD connection - they have tested over 8000; configured in the slapd launchd plist, hard resource limit, current default 8192 - can be increased, but no need to reduce
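To see whether the open-files limit actually covers the number of concurrent OD connections you plan for, the hard limit can be read straight out of the slapd launchd plist. The following is an added example, not something from the session: the plist path and the HardResourceLimits/NumberOfFiles layout are assumptions about the 10.6 slapd job (the notes only say "slapd launchd plist hard resource"), and a constructed sample plist is embedded so the check runs without the real file.

```shell
#!/bin/sh
# Added example: read the NumberOfFiles hard limit from a launchd plist with awk
# and compare it to the expected number of concurrent OD connections (one open
# file each, per the session). Path below is an ASSUMPTION for the 10.6 slapd job.
SLAPD_PLIST="${SLAPD_PLIST:-/System/Library/LaunchDaemons/org.openldap.slapd.plist}"

# Constructed sample plist fragment so the example runs anywhere; 8192 is the
# default quoted in the session.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>org.openldap.slapd</string>
	<key>HardResourceLimits</key>
	<dict>
		<key>NumberOfFiles</key>
		<integer>8192</integer>
	</dict>
	<key>SoftResourceLimits</key>
	<dict>
		<key>NumberOfFiles</key>
		<integer>8192</integer>
	</dict>
</dict>
</plist>'

# number_of_files SECTION < plist
# Prints the <integer> following <key>NumberOfFiles</key> inside the SECTION dict
# (HardResourceLimits or SoftResourceLimits); prints nothing if it is absent.
number_of_files() {
    awk -v section="$1" '
        index($0, "<key>" section "</key>") { in_section = 1; next }
        in_section && /<key>NumberOfFiles<\/key>/ { want = 1; next }
        in_section && want && match($0, /<integer>[0-9]+<\/integer>/) {
            # strip the 9-char "<integer>" and 10-char "</integer>" tags
            print substr($0, RSTART + 9, RLENGTH - 19)
            exit
        }
        in_section && /<\/dict>/ { in_section = 0 }
    '
}

# od_connection_headroom EXPECTED_CONNECTIONS [PLIST_TEXT]
# Prints "ok LIMIT", "low LIMIT" or "unknown"; returns 0, 1 or 2 respectively.
od_connection_headroom() {
    expected="$1"
    plist="${2:-$SAMPLE_PLIST}"
    limit=$(printf '%s\n' "$plist" | number_of_files HardResourceLimits)
    if [ -z "$limit" ]; then
        echo "unknown"
        return 2
    elif [ "$limit" -ge "$expected" ]; then
        echo "ok $limit"
        return 0
    else
        echo "low $limit"
        return 1
    fi
}

# Stand-alone: use the real plist if readable, otherwise the constructed sample.
if [ -r "$SLAPD_PLIST" ]; then
    od_connection_headroom 8000 "$(cat "$SLAPD_PLIST")" || true
else
    od_connection_headroom 8000 || true
fi
```

A "low" result on the OD master is the cue to raise the hard limit before adding clients; a "unknown" result means the job has no explicit limit in its plist and is running on the launchd default, which is worth confirming rather than assuming.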
- new version of the included Free Radius server (can be used to support 802.1x from another session)
- complicated, but session handout will include a recipe / tools for changing name and / or ip of an OD master
- if building out a widespread OD infrastructure, plan replication; there are only 2 possible levels below the OD Master, and replication is serial, so put only fast link servers at the intermediate level, and slow link ones at the bottom level
802.1x Session
- interesting
- Relevant just in case we were thinking of 802.1x on ethernet, eg the labs
- CANNOT netboot over a secured switch port
- BUT supposedly Cisco (didn't mention others) has a neat feature with dynamic vlan switching; so an unauthenticated client could be "switched" to a netboot lan for imaging - then if there was a system certificate on it to authenticate after reboot, it would be back on the production vlan
Scripting and Services
Great presenter, mind-boggling possibilities
- He demoed / evangelized from http://www.macosxautomation.com
- applescript, automator, services
- Services greatly improved in SL - context sensitive and specific to application / data / etc
- In Leopard you can make a workflow to extract text from a pdf, in SL, you can make it context sensitive - right click on a pdf, and the "service" appears!
- in OSX data detection is built in - it "knows" addresses, phone numbers from text
- In SL can use "services" on, and within Terminal; eg get a man page from a command - nicely formatted in a text edit page!
- His viewpoint is that the "web" is "data/information" - not "browsers"; so you can get web content, eg wikipedia, in a "mobile browser window", then "action" content of interest
- ARD is integrated, and automation is integratable - demoed