Hands on: Using Apple's Workgroup Manager

While you can edit several attributes of user, group and computer accounts in Mac OS X Server using traditional command-line tools and configuration files as in other Unix environments, Workgroup Manager is the preferred way to go. It helps manage share points and user accounts in Mac OS X Server. It's designed to interoperate with the various technologies that have been bundled to create Open Directory and supports the way other services integrate with Open Directory.

In two earlier articles, I discussed the theory behind Apple's Open Directory architecture and how to configure Open Directory under Mac OS X Server to provide directory services in Mac and multiplatform environments. This article continues that discussion with a hands-on guide to Workgroup Manager.

Workgroup Manager has four primary management areas: share points; accounts (users, groups and computer lists); preferences, which define the user experience for clients bound to an Open Directory domain using Apple's managed preferences architecture; and network views, which determine what Mac users see when they use the Network globe icon to browse a network.

Each of these four areas can be managed by selecting the appropriate button in the Workgroup Manager tool bar (see Figure 1). The default tool bar also contains a button labeled "Admin" for launching the Server Admin application and another button for adding new items such as users or groups and connecting or disconnecting from a server. Like Server Admin, Workgroup Manager can run locally on a server or can run on a remote Mac.

Other tool bar items that can be added include buttons for refreshing the displayed information, opening a new window and searching accounts. In an upcoming article, I'll take a detailed look at managed preferences and network views.

Figure 1: The Workgroup Manager Window.

Workgroup Manager can be used to manage accounts and related records in a server's local NetInfo domain as well as records stored in your directory services domain. Typically, this will be an Open Directory domain hosted on a Mac OS X Server, though some advanced multiplatform configurations allow for modifying records in other directory services such as Microsoft's Active Directory.

It is important to understand which domain (also referred to as a directory node) you are working with. Only those accounts stored in a directory services domain can be used to log into workstations and to access resources on multiple servers within your network via single sign-on. Accounts stored in a server's local NetInfo domain can be used to access resources such as share points on that server remotely, but they can't be used to log into workstations or for single sign-on.

The small blue globe beneath the Workgroup Manager tool bar (see Figure 1) identifies the directory domain that you are accessing and allows you to select among those that are available for editing from the server to which you are connected. In many organizations this list will primarily be used to switch between "local," which identifies that server's local NetInfo domain, and the shared Open Directory domain hosted by the server, which is typically displayed as something like "/LDAPv3/127.0.0.1."

If you are working with an Open Directory domain, you should connect to the Open Directory master to modify user, group and computer list account records. In environments containing multiple Open Directory domains and/or integrated directory services hosted by multiple platforms, there might be a number of other options. When switching between directory nodes, you may need to authenticate an account that has the authority to view and edit the domain. When you are using Workgroup Manager to edit share points, you will need to connect to the specific server where you wish to create or modify a share point -- whether or not it is bound to an Open Directory domain.

When the application is launched, it will automatically display a "Connect to server" dialog. Enter the IP address or DNS name of the server you want to connect to, along with the user name and password of an account that has administrative rights to either the server or to the Open Directory domain. You can also browse for servers if you don't know the IP address or DNS name.

You can open multiple Workgroup Manager windows and connect to more than one server at a time using the "New Window" and "Connect" buttons in the tool bar. To disconnect from a server, use the appropriate button in the tool bar or close all Workgroup Manager windows associated with a server.

Setting up share points

Share points are folders located on a server that are shared over the network. A server can have many share points, and users will be able to select the ones that they want to mount when they connect to a server. For users to connect to a share point, the appropriate file services must be configured and turned on using Server Admin. By default, three share points are preconfigured under Mac OS X Server: one for network home folders called Users, one for group folders called Groups and one for general public access called Public.

You can elect to use these or disable them; you can use any share point you create for these purposes. Also, if you configure Apple's NetBoot service, additional NetBoot share points will also be created and should be left intact so long as the server will support NetBoot.

It is good practice to store share points on volumes other than the Mac OS X Server boot drive. This allows independent backup and ensures the data in these share points won't be affected by operating system issues. Often these volumes are RAID arrays that provide fault tolerance for the drives involved and/or increased performance when accessing shared files. Network home folders often require particularly fast drives because they are so frequently accessed.

To set up a share point, click the "Sharing" button in the tool bar. You will notice that the window is divided into two panes as shown in Figure 2. The left-hand pane contains two tabs: Share Points and All. Share Points displays any folders that are currently being shared. You can select any existing share points and use the four tabs in the right-hand pane to modify their behavior.

Figure 2: Configuring Share Points.

The "All" tab allows you to navigate through the server's file system. You can also create a new folder at any point in the file system by using the "New Folder" button at the bottom of the left-hand pane. When you locate a folder that you want to share, you use the same four tabs in the right-hand pane to configure it.

To share a folder, check the "Share this item and its contents" option on the "General" tab, and then click the "Save" button at the bottom of the pane. You must save any changes you make in Workgroup Manager to make them effective.

You may also notice two checkboxes that are grayed out unless you select a volume under the "All" tab: "Enable disk quotas on this volume" and "Enable access control lists on this volume."

Disk quotas allow you to limit how much disk space a user is allowed to use. Technically, disk quotas are intended for network home folders and you assign disk quotas along with the location of home folders. However, disk quotas assigned to a user's home folder actually affect the entire server volume where their home folder is stored. This is true regardless of whether they are storing files in their home folder or in another folder or in a share point on the same volume. Disk quotas must be enabled at a volume level.

Access Control Lists were introduced with Tiger (Mac OS X Version 10.4). ACLs are extremely flexible and operate similarly to the array of permissions that can be used on Windows Server. They offer an alternative to the traditional POSIX permissions of many Unix operating systems, including Mac OS X Server, which let you set permissions only for a single user account as the owner of an item, a single defined group of users, and all other users (known as the "Everyone" group).

ACLs are part of a volume's file system and must be enabled at the volume level.

Once you have created a share point, you can use the "Access" tab (shown in Figure 3) to assign permissions to the share point itself. You can also select and assign permissions to a folder within a share point. You can set the traditional POSIX permission structure by identifying an owner and group for the share point.

You can either type the appropriate names or click the "Users & Groups" button to display a drawer containing all available users and groups, from which you can drag entries to the appropriate fields. Then use the appropriate pop-up menus to assign whether the owner and members of the assigned group have no access, write-only (in which they can copy things to a drop-box style share point but not see anything in it), read-only or read and write. You can also assign a permission to the "Everyone" group, which includes anyone who can access the server, including guest users if you allow guest access.

Figure 3: The Access Tab for a Share Point.

You can also assign access via an ACL for the item. To do so, display the "Users & Groups" drawer. Select and drag users and groups into the "Access Control List" box. You can then use the various pop-up menus next to each user or group to configure their access to the share point. For more granular control, you can select a user or group in the list and click the "Edit" button (which looks like a pencil). See this tech note for additional information or see the Mac OS X Server File Services Admin Guide for full details on ACL permission and inheritance options. You can also use the "Gear" menu to remove any ACLs inherited by the folder or share point and to make inherited permissions explicit -- meaning they won't be changed if the original ACL they were inherited from is changed. Or you can propagate changes you make to other folders and can display the Effective Permissions Inspector.

The Effective Permissions Inspector is a way to see which permissions any given user has. It's a floating window that lets you drag any user from the "Users & Groups" drawer onto it to display that user's permissions to the selected share point or folder. It takes into account group memberships and explicitly assigned permissions. Given the complexity with which permissions can be set under Mac OS X Server, the Effective Permissions Inspector is a powerful tool.
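The way the Effective Permissions Inspector combines group membership (including nested groups), ACL entries and the POSIX owner/group/Everyone fallback can be modelled in a few lines. The following is an added example, not Apple's code or part of the original article; the first-match ACL evaluation order, the group names and the sample share points are constructed assumptions.

```python
# Added illustration (not Apple's code): a simplified model of how rights on a
# share point resolve for one user, combining nested group membership, ACL
# entries evaluated in order, and the POSIX owner/group/everyone fallback.
from dataclasses import dataclass, field

RIGHTS = ("read", "write")
# The four pop-up choices on the Access tab and the rights each grants.
MODES = {"none": frozenset(), "write-only": frozenset({"write"}),
         "read-only": frozenset({"read"}), "read-write": frozenset(RIGHTS)}


@dataclass
class Ace:
    """One ACL entry: allow or deny a set of rights to a user or a group."""
    principal: str
    is_group: bool
    allow: bool
    rights: frozenset


@dataclass
class Item:
    """A share point or folder: POSIX owner/group/everyone modes plus an ACL."""
    owner: str
    group: str
    owner_mode: str
    group_mode: str
    everyone_mode: str
    acl: list = field(default_factory=list)


def expand_groups(user, groups):
    """All groups the user belongs to, directly or through nested groups."""
    member_of = set()
    changed = True
    while changed:
        changed = False
        for name, members in groups.items():
            if name not in member_of and (user in members or member_of & members):
                member_of.add(name)
                changed = True
    return member_of


def effective_rights(user, item, groups):
    """Rights the user ends up with on the item (what the Inspector reports)."""
    membership = expand_groups(user, groups)
    decided = {}
    # Assumption: entries are scanned top to bottom and the first entry that
    # mentions a right settles it (allow or deny); later entries do not override.
    for ace in item.acl:
        applies = ace.principal in membership if ace.is_group else ace.principal == user
        if applies:
            for right in ace.rights:
                decided.setdefault(right, ace.allow)
    # Anything the ACL left undecided falls back to the classic POSIX choice:
    # owner first, then the assigned group, then Everyone.
    if user == item.owner:
        posix = MODES[item.owner_mode]
    elif item.group in membership:
        posix = MODES[item.group_mode]
    else:
        posix = MODES[item.everyone_mode]
    return frozenset(r for r in RIGHTS if decided.get(r, r in posix))


# Constructed sample directory: group -> members (user names or nested group names).
GROUPS = {"staff": {"alice", "bob"}, "design": {"alice"},
          "contractors": {"bob"}, "creative": {"design"}}

# Constructed share points: a team folder guarded by an ACL, and an Everyone drop box.
PROJECTS = Item("admin", "staff", "read-write", "read-write", "read-only",
                [Ace("contractors", True, False, frozenset({"write"})),
                 Ace("creative", True, True, frozenset(RIGHTS))])
DROPBOX = Item("admin", "staff", "read-write", "read-write", "write-only")
```

Note that bob keeps read access through the staff group's POSIX mode even though the contractors ACL entry denies him write, while alice gains full access only through the nested creative group.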

The "Protocols" tab allows you to define the protocols that clients will be able to use to access the share point. Mac OS X Server can share folders using the Apple Filing Protocol (AFP), the Server Message Block/Common Internet File System (SMB/CIFS) used by Windows, the Unix Network File System (NFS) and FTP. Because of the inherently insecure nature of NFS and FTP, you should only allow this access if absolutely needed. And you should never allow guest access via FTP; also never use the "NFS Export to World" option.

You can select each protocol using the pop-up menu on this tab and set various options, as well as determine whether the share point will be shared with each protocol. For both AFP and SMB (which is displayed in the menu as "Windows File Settings"), you can choose to share the item over the selected protocol, set custom names for the share point other than its folder name, and determine how permissions for newly created items should be set. For AFP, this option may not be available if you are using ACLs that determine this by inheritance. You can also choose to allow guest access, although this practice is strongly discouraged because of its inherent insecurity and lack of logging capability. For the SMB protocol, you can also choose to use strict and opportunistic locking. These options control how the server will react when multiple clients attempt to access the same files, or segments of files, simultaneously. More information on strict and opportunistic locking and their use in Mac OS X Server can be found in this Apple tech note.

NFS access to a share point is generally discouraged because it relies on client IP addresses rather than user accounts to assign permissions. Since many Unix and Linux installations now use Samba to allow for SMB access, there is little need for NFS access. If you must use NFS, be sure to use the "Map root" and "Map user to nobody" options as well as the option to force all clients to have read-only access. Additional information on NFS options is available from Apple. The FTP protocol offers only the options of sharing the folder via FTP and allowing guest access.

The final tab that is available for a share point is the "Network Mount" tab. This tab allows you to create a mount record for the share point in Open Directory. Mount records allow share points to be automatically mounted at start-up before users log in; such share points are sometimes referred to as auto-mounts. They are most frequently used for setting up network home folders, where access to a share point must be established before log-in, but can also be used for shared applications and shared library folders.

Shared application and library folders allow you to include centrally stored files in a computer's search path. If you create a shared library folder, for example, computers bound to Open Directory will access it along with the Library folder on their hard drives as well as the Library folder in the user's home folder. This provides a method for making system resources such as fonts or application support files available without having to install them on every computer. However, it can cause system delays on workstations connected by moderate to slow network links. It can also add noticeable load to the server.

To have a mount record, the server must be an Open Directory master or replica, or be bound to Open Directory. To configure a mount record, select the "Open Directory" domain -- where you wish to configure the mount record -- from the "Where" pop-up menu. If needed, click the padlock button to authenticate using an account that has administrative rights to the domain. Select the protocol that will be used to mount the share point -- AFP preferred or SMB secondarily -- and identify what it will be used for.

Creating and editing user accounts

To work with user, group or computer list accounts in Workgroup Manager, connect to your Open Directory master. If you are working with a server that is not part of a directory services infrastructure, connect to the server on which you wish to manage local accounts. Then click the "Accounts" button. Again, you will see two panes (see Figure 4). The left-hand pane displays existing accounts as well as a search filter box. It also contains tabs for selecting whether user, group or computer list accounts are displayed. (You can also choose to display the Inspector, which is covered later in this article.) The right-hand pane displays the various options for a selected account.

Figure 4: User Accounts.

To edit an existing user, simply select the user in the accounts list; you can use the columns to sort users, and you can use the search filter box to search for specific users. To create a new account, click the "New User" button in the tool bar. A new account will be created with the name "Untitled X" (where X is a number). You can use the eight tabs in the right-hand pane to edit and save changes to an account.

The "Basic" tab includes items such as user full name, user ID (UID) number (used for POSIX permissions), short names, password and access levels. Users can have multiple short names, each of which can be used for log-in, although the first short name cannot be deleted and is used to assign the name of the network home folder.

You can enable a user account for log-in, allow the user to administer the server you are working with, or allow the user administrative authority over a directory domain. In this last case, you will be asked to choose which users, groups and computer lists the user has authority to administer.

The "Advanced" tab allows you to designate whether a user can log into multiple computers at once, which shell they have access to via the command line, their password type and password policy, and comments and keywords that can be used to locate similar users in a search. For stand-alone servers, only the shadow hash password type is supported; this is the password type used by Mac OS X local NetInfo domains.

For Open Directory accounts, you can select an Open Directory password type that relies on Kerberos and the Open Directory Password Server to securely store passwords and authenticate users. Or you can choose a crypt password that stores the password as a hash inside the user account. Crypt passwords preserve compatibility with Mac OS X 10.1 and earlier workstations, but they are extremely insecure because an LDAP query can retrieve a hashed version of a user's password.

Unless you are absolutely required to support users of early Mac OS X releases, you should never use a crypt password.

For Open Directory passwords, you can also assign policies to a user, including when to disable log-in or when to require a new password. These policies override any domainwide policies established in Server Admin and, like domainwide policies, are not enforced on administrators.

The "Groups" tab displays the groups a user belongs to and allows you to add them to additional groups. It can also display which groups the user is a member of because they are nested within other groups. You can also define a primary group for the user.

The Home tab allows you to designate the location of a user's network home folder. All auto-mount share points designated for user home folders will be listed here -- regardless of which server those share points reside on -- and you can select one of them for each user. You can also use the "Add" button to create a custom path to the home folder; by default, home folders are located at the root level of the share point. The Disk Quota field allows you to designate the user's disk quota for the volume on which his home folder resides. Normally, home folders are created when a user first logs in using AFP. If users will be accessing their home folders using another protocol -- such as SMB for Windows log-in -- you can create them manually with the "Create Home Now" button.

The "Mail" tab allows you to designate whether the user's account has a mailbox associated with it -- provided you use Mac OS X Server's mail services, which are integrated with Open Directory. You can enable mail for a user or enable forwarding to another e-mail address. If you enable e-mail, mail addressed to any of the user's short names will be retrieved. More information on Mac OS X Server's mail services is available here.
