Tiger to Leopard Server Migration, Part One
Information on the stability, or lack thereof, of Mac OS 10.5 (Leopard) Server seems to be a bit scarce. One reason for this is probably that experienced system administrators will wait a few months, until the initial bugs are discovered and patched, before deploying a new operating system — any new operating system. This is just good practice.
Good practice never gets in the way of those with little to no experience in system administration though. To help that crowd enter a world of pain, Apple promotes their new server product with alluring proclamations like:
If you think it takes a dedicated IT department to deploy and use a server, think again. Leopard Server is designed so you can easily set up and manage servers.
Don’t let this fool you. Mac OSX Server is a real UNIX server, and its services and configuration options are sophisticated and complex.
Pretty much all of the services in Leopard Server are provided by open source software, most of which is natively configured from the command line. Apple has attempted to create graphical user interfaces to manage this software, but often their interfaces do not provide adequate functionality to address all requirements of all users.

The official Apple forums are rife with posts from newbie or would-be sysadmins struggling with the simplest of tasks. Many of them popped the upgrade version of the installation DVD into their production 10.4 servers, and hoped for the best.
Another point about good practice: always do a clean install of a major new operating system version, then migrate the data from your (backed up) previous version. Apple has provided step-by-step instructions for how to migrate your data from previous versions to a new install of Leopard. I think it was a mistake to provide the “upgrade” install option at all. All OS vendors do it though, even though they all also recommend against using that option. [1]
My Leopard experience
This will be a series of blog posts chronicling my experience migrating a production Mac OS 10.4 Server to 10.5. I have had 10 years of experience as a professional UNIX system administrator, mostly working with Sun Solaris, Linux and the BSDs. I only took up Apple products when they saw the light and re-invented Mac OS, basing it on FreeBSD, to become Mac OSX. It’s now UNIX with a shiny wrapper.
Some of you might be thinking, I thought he just said it was best practice to wait a few months…. It is. I have the good fortune of having access to a non-production environment where I can test the new server product without affecting anyone using the old server. I can incrementally migrate data from the production server to the test server. When and if I think it is stable, I can simply swap them. By that time, patches might be out, and bugs fixed.
The Installation
I installed Leopard Server from the installation DVD onto an Apple Xserve with two hard drives, one containing a backup of my 10.4 install, plus exported data files and home directories, and another one completely blank. This is how it went:
- Before starting, I unplugged the server from the network as a security precaution.
- Installation went smoothly, taking 30-40 minutes. All that I had to do was select the drive to install on, and accept an EULA. At some point, I selected “Advanced Install”, and chose the services that I intend to use (most of them).
- When I reached the “Enter your serial number” screen, I entered it, but it was not accepted. I triple-checked; it was correctly entered. I officially experienced the serial number bug.
According to someone on the forum, you can boot into single-user mode and delete the file “/etc/systemserialnumbers/xsvr” to fix it. In order to boot into single-user mode, you normally hold down the command (Apple) key + s during boot-up. However, I was using a USB keyboard from Sun, which didn’t have an Apple key. The Meta key gets mapped to the Apple key, but only after the keyboard is configured from within the OS, i.e., after the serial number is entered.
As luck would have it though, following a reboot, the problem went away on its own, and it accepted my serial number.
The Firewall
One of the first things that I did, because I wanted network access to the server, was to set up the firewall. I had exported the firewall settings from my 10.4 install by drag & dropping the settings icon in the firewall pane of the Server Admin application:

To restore them in Leopard, I opened the Firewall section in Server Admin, selected Import from the Server menu, navigated to the “Firewall Config.plist” file that I saved on my second disk, and my firewall rules loaded, no problem.
I kept a console window open while I was working, because I like to keep an eye on what is going on “under the hood”, and to spot any error messages that get logged. I noticed that, when I plugged the server into the network, the system automatically added a new firewall rule to allow connections to serialnumberd, the serial number monitor. Cheeky.
I hadn’t noticed before, but this rule is also active in Tiger, even though the GUI doesn’t report it:
# ipfw list | grep 626
00001 allow udp from any 626 to any dst-port 626
I made a note for myself to come back and close that open port, find out the process responsible for setting it, and disable it. I have a legal copy of the OS, but I don’t have as much faith that serialnumberd has no vulnerabilities as Apple apparently does. They could at least create a rule to allow only connections to port 626 from their servers, and not the whole big-bad Internet. I’m not impressed.
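To make the “come back and close that port” note actionable, here is an added example (mine, not from the original post or from Apple) that parses `ipfw list` output in the format shown above, flags every allow rule that accepts traffic from any source to a given destination port, and prints what a source-restricted replacement rule would look like. The rule listing is constructed sample output, and the vendor address 192.0.2.10 is a documentation placeholder, not a real Apple address.

```python
"""Audit `ipfw list` output for rules that expose a port to any source.

Added example, not part of the original post. Feed it the output of
`ipfw list` (run as root on the server) or use the constructed sample.
"""
import re

# Constructed sample of `ipfw list` output; rule 00001 is the one the post observed.
SAMPLE_IPFW_LIST = """\
00001 allow udp from any 626 to any dst-port 626
00010 allow ip from any to any via lo0
01000 allow tcp from any to any dst-port 22
01010 allow tcp from 10.0.0.0/8 to any dst-port 548
65535 deny ip from any to any
"""

# Matches the rule shapes shown above: an optional source port after the
# source address, and an optional dst-port after the destination address.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)"
    r"(?:\s+(?P<sport>\d+))?\s+to\s+(?P<dst>\S+)(?:\s+dst-port\s+(?P<dport>\d+))?"
)


def parse_rules(text):
    """Return a list of dicts, one per rule line the regex understands."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["num"] = int(rule["num"])
            rules.append(rule)
    return rules


def open_to_world(rules, port):
    """Rule numbers of allow rules that accept traffic from any host to `port`."""
    return [r["num"] for r in rules
            if r["action"] == "allow" and r["src"] == "any"
            and r["dport"] == str(port)]


def restricted_rule(num, proto, port, allowed_src):
    """Text of a replacement rule (same number, so it takes the open rule's slot)
    that only accepts the service from allowed_src."""
    return "%05d allow %s from %s to any dst-port %d" % (num, proto, allowed_src, port)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_IPFW_LIST)
    for num in open_to_world(rules, 626):
        print("rule %05d exposes port 626 to any source" % num)
        # 192.0.2.10 is a placeholder for the address you actually want to allow.
        print("suggested replacement: " + restricted_rule(num, "udp", 626, "192.0.2.10"))
```

The script only reports; applying the change on a real server means deleting rule 1 and re-adding it with the narrower source, and the rule will come back if whatever process installs it runs again, which is why the post also wants that process identified.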
DNS Server
Forward and reverse DNS must be established before LDAP (Open Directory) with SSL will work, and I think it’s also necessary for Kerberos support. If you try setting up Open Directory without network access and/or without DNS, you will get errors. I’ve been down that road before ;).
Unlike the firewall section, importing the plist file in the DNS service seemed to have no effect. So to migrate my DNS settings, I copied /etc/named.conf and /var/named from my 10.4 install to my 10.5 install (after backing up the original 10.5 files). I loaded up Server Admin, selected the DNS service, and it asked me whether I’d like to upgrade my settings. I chose to upgrade, and it worked like a charm. DNS is now online, so I can start configuring Open Directory.
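Since both SSL-enabled LDAP and Kerberos depend on the server’s hostname resolving to its address and that address resolving back to the same name, here is an added pre-flight check (mine, not from the original post or from Apple’s tools) to run before promoting the server to an Open Directory master. The resolver functions are injectable so the check can be exercised offline; the zone data, names and 192.0.2.x addresses below are constructed placeholders.

```python
"""Pre-flight check that a server's forward and reverse DNS agree.

Added example, not part of the original post. By default it uses the real
resolver through the socket module; pass your own forward/reverse callables
to test against fixed records.
"""
import socket


def forward_lookup(hostname):
    """Default forward resolver: hostname -> IPv4 address string."""
    return socket.gethostbyname(hostname)


def reverse_lookup(address):
    """Default reverse resolver: address -> canonical hostname."""
    return socket.gethostbyaddr(address)[0]


def check_dns(hostname, expected_ip, forward=forward_lookup, reverse=reverse_lookup):
    """Return (ok, problems) for the hostname/IP pair the server will be known by.

    Names are compared case-insensitively and without a trailing dot, which is
    how the services that consume them compare them in practice.
    """
    problems = []
    name = hostname.rstrip(".").lower()
    try:
        ip = forward(name)
    except (OSError, KeyError) as exc:
        return False, ["forward lookup of %s failed: %s" % (name, exc)]
    if ip != expected_ip:
        problems.append("%s resolves to %s, expected %s" % (name, ip, expected_ip))
    try:
        rname = reverse(expected_ip).rstrip(".").lower()
    except (OSError, KeyError) as exc:
        problems.append("reverse lookup of %s failed: %s" % (expected_ip, exc))
    else:
        if rname != name:
            problems.append("%s reverse-resolves to %s, not %s" % (expected_ip, rname, name))
    return (not problems), problems


# Constructed records standing in for a real zone; 192.0.2.0/24 is a
# documentation range and the hostnames are placeholders.
FAKE_FORWARD = {"server.example.net": "192.0.2.5", "old.example.net": "192.0.2.4"}
FAKE_REVERSE = {"192.0.2.5": "server.example.net.", "192.0.2.4": "other.example.net"}


def fake_forward(name):
    return FAKE_FORWARD[name]


def fake_reverse(addr):
    return FAKE_REVERSE[addr]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Real check: python thisfile.py server.example.net 192.0.2.5
        ok, problems = check_dns(sys.argv[1], sys.argv[2])
    else:
        # Offline demonstration against the constructed records.
        ok, problems = check_dns("old.example.net", "192.0.2.4", fake_forward, fake_reverse)
    print("OK" if ok else "\n".join(problems))
```

Run it with the hostname and address the server will advertise to clients; a mismatch on the reverse side is the one that is easy to miss in the Server Admin GUI and the one that shows up later as an SSL or Kerberos error.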
Open Directory
The default configuration of Open Directory has a Role of “Stand alone server”. For my purposes, which include network authentication of Mac clients, I need it to be a “Master Replica”. So I changed its Role in Server Admin to Master Replica.
It prompted me to define a user for the Directory Domain Administrator (or something like that). Some people in the forums seemed to confuse this with a user account, but really it’s an entry in your LDAP server that has privileges to alter other entries in the LDAP server. You can call it anything you like — just don’t forget the username & password that you choose.
After setting up my directory administrator account, I fired up Workgroup Manager, and authenticated to the directory to make sure it was working, and all was well. It’s ready for network user and computer accounts to be added.
My next step will be tackling the task of importing user accounts. This would normally be easy with LDAP, but Apple doesn’t store passwords in LDAP. They actually recommend that admins reset every user’s password as part of the migration. Imagine a system with a few thousand users. No thanks. I don’t have many users, but I don’t want to mess with their passwords.
So what I’ll have to do is get the password entries from the password server in 10.4, which are cross-referenced with RSA keys in the LDAP directory, then import both the LDAP records and password server records on the new 10.5 server. This will be the subject of my next post.
Tags: Apple, Leopard, Leopard-Server, Mac-OS-X, OS-X-Server, Sysadmin

February 17th, 2008 at 9:20 pm
[…] by finding NetMojo’s fantastic series titled “Tiger to Leopard Server Migration” (part 1, part 2, part 3, part 4). Part 4, changes its title to “Kerberos and Single Sign-on in […]
May 16th, 2008 at 3:08 am
Hi!
We are actually migrating a Mac server from 10.4 to 10.5 and we have a problem with Open Directory: it tells us that it can’t take our database because the new server is 10.5 and the one that was here before is 10.4. By visiting macOS websites we can find no way of doing this… could you mail me the way you did it please?
May 16th, 2008 at 7:48 am
Sure Damien,
I’ll detail how I did it in a series of articles for you. Here you go:
Best,
Brent
May 22nd, 2008 at 4:06 am
Hi again!
I’ve read all your articles but I have a problem that I can’t find how to resolve: all my users are imported in the new server and I can see them in the lists (/local/default), but when I try to bring them to LDAP they don’t appear…
It tells me that those users don’t exist: where do I have to import my user lists to make them appear in /LDAP/localhost? I tried to find this folder but it seems like it doesn’t exist on the server, yet LDAP tells me that it’s running well. Where can this problem come from?
May 22nd, 2008 at 7:28 am
Could I see an example of your LDIF file? Does your BaseDN in the LDIF file match the one that’s set in OpenDirectory (and therefore /etc/openldap/slapd.conf)?
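The base DN question above is the usual cause of imported entries that never show up under the server’s LDAP node, so here is an added check (mine, not from the original post, the commenter, or Apple’s tools) that reads an LDIF export and lists every dn that does not sit under the base DN configured for the directory. It handles LDIF folded lines and base64-encoded `dn::` values; the sample LDIF and the dc=server,dc=example,dc=net base DN are constructed.

```python
"""List LDIF records whose dn is outside the directory's base DN.

Added example, not part of the original post. DN comparison here is the
simple case (lower-case, whitespace around commas ignored); escaped commas
inside RDN values are not handled.
"""
import base64


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def normalize_dn(dn):
    """Lower-case the DN and strip whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ldif_dns(text):
    """Return the dn of every record, decoding base64 'dn::' values."""
    dns = []
    for line in unfold(text):
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def dns_outside_base(text, base_dn):
    """dn values that are neither the base DN itself nor beneath it."""
    base = normalize_dn(base_dn)
    outside = []
    for dn in ldif_dns(text):
        n = normalize_dn(dn)
        if n != base and not n.endswith("," + base):
            outside.append(dn)
    return outside


# Constructed LDIF: alice and dave (base64 dn) are under the expected base,
# bob's dn is folded across two lines, carol was exported from another base.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=server,dc=example,dc=net
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,cn=users,
 dc=server,dc=example,dc=net
objectClass: inetOrgPerson
uid: bob

dn: uid=carol,cn=users,dc=old,dc=example,dc=net
objectClass: inetOrgPerson
uid: carol

dn:: dWlkPWRhdmUsY249dXNlcnMsZGM9c2VydmVyLGRjPWV4YW1wbGUsZGM9bmV0
objectClass: inetOrgPerson
uid: dave
"""

if __name__ == "__main__":
    import sys
    # Usage: python thisfile.py export.ldif "dc=server,dc=example,dc=net"
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            text = fh.read()
        base = sys.argv[2]
    else:
        text, base = SAMPLE_LDIF, "dc=server,dc=example,dc=net"
    for dn in dns_outside_base(text, base):
        print("outside base DN: " + dn)
```

The base DN to pass is the one Open Directory was created with (the suffix in /etc/openldap/slapd.conf); an export made from a server with a different hostname will typically fail this check for every record, which matches the symptom described in the comment.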
May 27th, 2008 at 2:54 am
Hi and sorry for the delay…
I have found the problem and resolved it. It was because we added different users and the database was not compatible between the 2 versions…
For those that may have the same problem, you only have to clean the whole database, uninstall LDAP and reinstall it with the same version on the 2 servers! After that you only have to upgrade the version and all databases are good.