Topic: Projected Publishing Date

Reid Bundonis

Projected Publishing Date
« on: December 05, 2013, 07:02:33 PM »
I've been working very hard to get the second book out.  At my current pace, I should have this book available in the iBooks Store by mid January as long as I do not run into any issues with Apple's review process.  This book will include the following chapters:

Users and Groups
File Sharing
Permissions
Profile Manager
VPN
Web and Wiki (this may be dropped for the initial release just to meet the deadline.  However, if it is dropped, it will be added in the 1.1 release)

With all the new Managed Distribution and Apple Configurator changes, I need to expand much of the content.  These are exciting times for iOS!

brightstone

Re: Projected Publishing Date
« Reply #1 on: January 05, 2014, 08:22:11 PM »
Excellent, I just finished your first book and was very pleased. It is very well written and filled in a lot of gaps for me. I am anxious to read this new one since I am in the process of planning out the transition of three of my clients' servers to Profile Manager. One is coming from MCX, another is on Snow Leopard and Kerio and the third is just primitive. I am looking forward to learning about best practices for all these collaborative services.

One thing I would be very interested in knowing/learning, since this seems to be the big decision for my clients, is whether Google Apps and Google Drive are a better or just a different option to using Mavericks Server. I used to be a big fan of Google services, but many of their latest business moves make me more skeptical of relying on them.

I have been supporting Mac servers since they first came out in the 90s, but have always been in the small business camp so the SA level knowledge was rarely necessary, but often critical at certain times. Apple's moves with Xserve and Lion Server made me feel that Apple and servers was a dead end. I have been changing my mind since Mavericks, but cloud services in comparison to Mavericks collaborative services are the new big question.

Reid Bundonis

Re: Projected Publishing Date
« Reply #2 on: January 06, 2014, 04:29:48 PM »
Wow.  You have asked the big question...  Build or Cloud?  This is a tough one to answer in a generic way and I will admit that I am intentionally staying away from the topic in the books.  I felt that it would add too much to the book and take away from the focus which is Mavericks server.

That being said, the reality for many small businesses, especially when considering services like mail, is to move to the cloud.  While there are many business and technical reasons, the end decision is often made by simple economics.  Let's take a simple example.

You have a 20 person company.  You need to provide email.  Let's assume 20 GB storage for each so you need 400 GB of live storage and maybe 1.2 TB for archive or replication.  (More if you have compliance issues... 7 years is a lot of data to retain)  Now, you need a mail server and you probably should be protecting against spam and viruses.  Next, you need someone to manage the care and feeding of the solution.  Thus a partial salary (or consulting fee).  So, that is the server ($1200 for a mini with extra RAM), a backup drive ($250), and a fractional salary (at the low end let's say $5000 for the year).  So to run the mail server for 20 people for the first year you have an outlay of ~$6450.  For that, you get one person with the knowledge of the kingdom and you are entrusting everything to the following single points of failure:  1 internet connection, 1 server with next to no redundancy, 1 network switch, 1 source of power, and 1 person with knowledge of the setup. 

Is this worth it?  Consider that you can go to Rackspace and pay $480 (20 people * $2 * 12 months) for the first year and have no single points of failure and exceptional support.  Or, if you need to replicate Exchange, you can spend about $2400 a year and get hosted Exchange from Microsoft!

These numbers are hard to argue with.  From the technical side, there is the growing frequency of weather related power loss.  Hardware can fail.  And while I am a big fan of the mini and what it can do, I am also grounded in what it fails at.  Relying on it to be your mail server is not high on my list of things to do.  (By the way, I use Kerio for my business and for many customers - so despite realizing this, I am a hypocrite, as it remains hard to put into practice depending on many conditions.)

Now, there are always organizations that need to build and host internally.  We work with a number of law firms that insist on controlling their own mail servers.  They refuse to even discuss the possibility of externally hosted solutions.  I respect this and ensure that we provide proper security to protect their content.

When it comes to education, the offerings of Google in many ways can not be beat.  However, Office 365 for Education is a compelling alternative (although free vs pay is inversely compelling).  I too am not thrilled with Google's offerings as I fear their skill at searching and indexing.  I really don't want to contribute to a marketing profile.

Now, regarding file services, the reality now is that internet bandwidth is the limiting factor for the places where Macs tend to be used.  For example, moving file services to the cloud when you spend your day in Photoshop is asking to miss every deadline known to man.  Likewise for video, audio, and animation professionals.  For them, the need for local file services remains.  However, for general office work, take a look at what Box is up to.  The price still slaps you at first glance, but compare it to the cost of building out your own server and backup infrastructure.

Ok, I think if you made it here you can officially state I am rambling.  Once again, thanks for the feedback and the kind words.  Keep them coming.

Farf

Re: Projected Publishing Date
« Reply #3 on: February 07, 2014, 07:34:34 PM »
Thank you so much for writing the first book.  While I am tech savvy and Mac savvy, I have never installed a server before other than Windows Home Server.  WHS proved easy to get started with but more difficult to maintain and has since been discontinued.  I wanted to migrate to an OS X server and so read many articles before starting this project.  In the end that first attempt didn't succeed and I ended up abandoning that initial install and reinstalling with the help of your book.  It was clear and thorough.  By the way, I discovered the book after I discovered you on the discussion forums where some of your advice proved useful with that initial implementation.  As I type I am eagerly anticipating the second book before I go on-line with my new server.  Do you have an update regarding the publishing date?  Thanks again.

Reid Bundonis

Re: Projected Publishing Date
« Reply #4 on: February 07, 2014, 08:01:09 PM »
Thank you so much for the kind words!  Every time I see this I am encouraged to keep going.  I am so pleased to hear that the book has helped you successfully deploy Mavericks Server.  And I am glad you have found my forum posts helpful.  (I've decided to use the forums as my entire promotional effort :)  I want the Server to be successful because it is a product that I truly believe in and want to succeed.  I figure the more people who deploy it right, the more people there are to keep Apple making it better. 

I am in New Jersey and the weather and the start of year projects have derailed me.  This is good for business, but bad for the book.  However, I am committed to the second book.  It will come out!  I have time this coming week to put significant time into it.  I have multiple chapters complete and the others are well formed but need refinement and review.  The pending 10.9.2 and Server 3.1 are making me review everything to make sure it is relevant.  But I am very happy with the user and permission chapters.  So many people are confused on how to set proper permissions.  I believe I've captured a clear and simple explanation of permissions and a very thorough user analysis.

I've been doing a bunch with the managed distribution of apps but this is an animal that needs more time.  I am considering releasing an admittedly incomplete 1.0 of the book, omitting the chapter on VPP and managed applications.  But as with the first book, a future update will include the chapter and more.

So as I see it now, my tentative schedule is to release the 1.2 version to Apple for review in about 10 days or so (as I anticipate the release of 10.9.2 toward the end of the month... hopefully coinciding with new hardware...)  Then, by the second week of March, book 2 will be submitted to Apple for review.  This is my self-imposed deadline and I've informed the troops (wife and daughter and coworkers) that I will be focussed on this task. 

Hang in there.  It is coming.

Farf

Re: Projected Publishing Date
« Reply #5 on: February 08, 2014, 07:40:30 PM »
Thanks again.

The issue of permissions is what got me into trouble the first time when I initialised an external drive using a different computer.  In fact that's where I found you as I grew to understand and repair my situation.

The area I am looking forward to reading about is user accounts.  Specifically migrating existing local client users to users on the server without disturbing the user's current experience.  Also, the question of providing just services or creating local network users with user files residing on the server.  I have read someone who counsels strongly against local network accounts and just provides services. I look forward to your thoughts on this topic.

Anyway, this is just by way of encouragement since I don't expect you to respond directly.  I'll just have to wait like everyone else.

Reid Bundonis

Re: Projected Publishing Date
« Reply #6 on: February 09, 2014, 10:27:46 AM »
I can easily give you a preview.

The question about migrating users is something that I deal with a lot.  This is often when walking into an environment with existing local accounts that need to be migrated to AD accounts.  Now, this is the easiest when there is an existing local admin account.  In those cases, I am able to simply "delete" the account attributes for the local user account, leaving the user's data in place.  Then it comes down to a permission and possibly a name change.  Take this simple example.

John Smith has a Mac and created a local account.  The short name is jsmith, the home folder is /Users/jsmith, and the UID is 502.
On the server (AD or OD), you create an account for John Smith.  The short name is jsmith, the home folder is /Users/jsmith, and the UID or GUID is something other than 502.
So, the easiest way to handle this is with a little UNIX magic and about 4 minutes of time.  Log into the Mac as the local admin, and "delete" the local user account, opting to "not touch the user's data."  This still renames the home folder, but that is really not a big deal.
Once the 502 account info is deleted, now you can bind the machine to the domain.  Once bound, it is aware of a user jsmith on the network node.  So...
sudo mv /Users/jsmith\ (deleted\ user) /Users/jsmith
sudo chown -R jsmith /Users/jsmith

Basically that is it.  Now log in as the user using domain credentials.  The user will be dropped into his old home folder and everything will be exactly as it was before.  The only gotcha is the Keychain will likely need to be unlocked as the user's local password and domain password are likely different.

As for user accounts.  There are the two options: Local Only, and None Services Only.  I will tend to create all as None Services Only simply because it makes me crazy that the Local Only will generate a home folder in the /Users directory on the Server.  I see no need for this.  The only time I need a user to have a home folder on the server is if I am supporting network homes.  But if that is the case, I would already have defined a network home folder share and would have set it for the user.

Hope that is a good preview.  All this is covered with real world deployment examples.

Farf

Re: Projected Publishing Date
« Reply #7 on: May 13, 2014, 07:44:55 PM »
Hi,

It's been a while since I wrote and you gave me your preview.  I was hoping to wait for the book before proceeding, but I didn't and your 4 minutes of Unix magic has taken me most of the day and I am having trouble logging in to the server.

I followed your directions.  On the server I created a Local Network User with "None - Services Only" for the home folder.

Back on the client, I created a second admin user; deleted my original (& only other) user (keeping the files); used terminal to mv the deleted folder to /Users/paul.  Then I bound the client to the server (so that paul was known).  Next I attempted to recursively change the ownership back to paul.  This is where I ran into some trouble because the permissions prevented my new admin account from accessing some of the folders.  Furthermore some of the files were locked.  Anyway, I learned a lot, unlocked all the files, changed permissions to give my admin account access, used chown to make paul owner as you outlined, and then set all files to have the same OS-X default permissions (owner RW, staff and everyone else RO).  So far so good.

Then I tried to login to the server from the client using the network account paul.  I got the shaking password box.  So I tried the server admin account - that failed too.  I am using "fast user switching" to login from the client.

However, I can connect to the server from finder using both the admin account and the new paul account. 

I can share the screen with the admin account, but not as paul.

I have found people on-line complaining about not being able to login over the network.  Maybe I am seeing the same problem.

The client is running the latest version of Mavericks and the server is up to date.

Finally, I can log in from my browser after accessing the server home page.  I can log in as the admin or paul.

I hate to bother you with this.  As I said, I was really hoping to have the 2nd book, but I need to move forward now.

Any immediate thoughts?

Thanks again.

Reid Bundonis

Re: Projected Publishing Date
« Reply #8 on: May 13, 2014, 10:41:26 PM »
I am frantically trying to have the 2nd one done by the end of the month.  It is coming along but this one is proving to be more intricate than the first. 

Ok, that being said, let's see if I can help out here.

It sounds like the account on the server may not have either (a) the home folder defined, or (b) the account is not set as a managed mobile account either through Profile Manager or via MCX (Server Admin).

Home folder first.  Here is the way to figure this out.  On the server, launch Server.app and select a user from the Local Network Users list.  Right click on the account to reveal the contextual menu.  Select "Advanced Options" from the list (this is not available via the Gear menu).

When the sheet appears, what is the value in the Home Directory box?  By convention, for an account with the short name of paul, the value should be /Users/paul.  If you do not have a valid home folder path, add it and click OK.

Ok, that is the easy part.  Now the account has the proper attribute to tell the workstation where the home folder should be created.  But now for the tough part...  Enabling the account or the machine to support mobile home folders.

To make this more confusing, this can be done in two places.  It can be done using MCX in Workgroup Manager (Note... Apple has deprecated this tool and is telling everyone not to use it for 10.9 deployments, keeping it for legacy device support only).  Or it can be done in Profile Manager.

If you are using Workgroup Manager, then you select the user, select Preferences > Mobility and enable mobile homes with local home and no sync.  This works across 10.6 through 10.9 (have not tested older than 10.6 but I would guess that as old as 10.4 should work) but once again, MCX is deprecated.  (I will admit, in mixed environments I still rely on MCX to accomplish this one task).

So that leaves you to Profile Manager.  This requires a bit more work and if you want it to be easy, you will want to enroll the devices and then apply profiles automatically.  Now, for testing (as this can become confusing quick), you can always create the profile and distribute it manually.  If I am doing device enrollment, I will create a device group, apply global management to the device group and then add devices to the device group.  The configuration profile you are looking for is Mobility.  The settings are basically the same as the MCX policy.  • Create Mobile account at login, local home template, home folder on startup volume.

I know that is a down and dirty explanation.  But this actually just helped me clean up the section on this topic :)

Farf

Re: Projected Publishing Date
« Reply #9 on: May 14, 2014, 02:40:03 PM »
I can't thank you enough for taking the time to respond ... and so quickly.  At least it helped a little with your book which makes me feel better.

I am now up and running and I wanted to point out where I went wrong and hopefully this might help others.

The source of my problem was in how I implemented the new user account.  I skipped to the last paragraph in your preview where you said, "As for user accounts.  There are the two options: Local Only, and None Services Only.  I will tend to create all as None Services Only simply because it makes me crazy that the Local Only will generate a home folder in the /Users directory on the Server.  I see no need for this."  I agreed with your position and so did exactly that.

However, when I did this the new user was given "shell: /usr/bin/false" & "home directory: /dev/null".  The user was known to my client as seen by running "finger paul" and "id paul" in the terminal back on the client, but I couldn't login with these settings.

Next, I followed your instructions to change both of these to "shell: /bin/bash" & "home directory: /Users/paul" in server.app.  I checked back on the client but  "finger paul" showed the stale values - not the new shiny ones.  So, next I deleted the network account server in login options on the client.  A quick check of "finger paul" now showed "no such user" as expected.  Then I rebound the client to the server and was able to login successfully  8) ;D  I was dropped into my old home folder and it would appear that everything is exactly as before.   Finally "finger paul" now shows the updated shell and home folder settings. 

Good luck with your book.  I'm sure it will be well worth the wait.

Thank you for sharing your expertise with me and the community at large.

Farf

Re: Projected Publishing Date
« Reply #10 on: May 26, 2014, 10:37:59 PM »
Just a quick update that might help others.  I went through the process of migrating local users to network accounts as described earlier in this thread.  However, I realized today that there were many other thousands of files still owned by the now defunct user 501.  This became apparent when I was being asked to authenticate far more often than before.  Examples of "501 files" include applications loaded into /Applications (some, not all) and many files in /LIbrary/Application Support as well as elsewhere.  After a few tries, I decided on the shell command, "find / -user 501 -exec sudo chown -h paul "{}" \;" (sans quotes)  which recursively traversed my directory structure changing ownership from 501 to paul (1025) whenever it encountered a "501 file."  The -h option came later when I realized that without it, links were followed and those files were subject to chown instead of the links themselves.  Hope this helps.