Apple iPod touch User Guide (iPod_touch_2.2_User_Guide_J.pdf) Apple on FNAC.COM


DOWNLOAD THE PDF: http://manuals.info.apple.com/ja_JP/iPod_touch_2.2_User_Guide_J.pdf


See also other APPLE guides:

Apple-DVD_Studio_Pro_4_Installation_de_votre_logiciel

Apple-Windows_Services

Apple-Motion_3_New_Features_F

Apple-g4mdd-fw800-lowerfan

Apple-MacOSX10.3_Welcome

Apple-Print_Service

Apple-Xserve_Setup_Guide_F

Apple-PowerBookG4_17inch1.67GHzUG

Apple-iMac_Intel-based_Late2006

Apple-Installation_de_votre_logiciel

Apple-guide_des_fonctions_de_l_iPod_nano

Apple-Administration_de_serveur_v10.5

Apple-Mac-OS-X-Server-Premiers-contacts-Pour-la-version-10.3-ou-ulterieure

Apple-boot_camp_install-setup

Apple-iBookG3_14inchUserGuideMultilingual

Apple-mac_pro_server_mid2010_ug_f

Apple-Motion_Supplemental_Documentation

Apple-imac_mid2011_ug_f

Apple-iphone_guide_de_l_utilisateur

Apple-macbook_air_11inch_mid2011_ug_fr

Apple-NouvellesfonctionnalitesdeLogicExpress7.2

Apple-QT_Streaming_Server

Apple-Web_Technologies_Admin

Apple-Mac_Pro_Early2009_4707_UG

Apple-guide_de_l_utilisateur_de_Numbers08

Apple-Decouverte_d_Aperture_2

Apple-Guide_de_configuration_et_d'administration

Apple-mac_integration_basics_fr_106.

Apple-iPod_shuffle_4thgen_Guide_de_l_utilisateur

Apple-ARA_Japan

Apple-081811_APP_iPhone_Japanese_v5.4.pdf-Japan

Apple-Recycle_Contract120919.pdf-Japan

Apple-World_Travel_Adapter_Kit_UG

Apple-iPod_nano_6thgen_User_Guide

Apple-RemoteSupportJP

Apple-Mac_mini_Early2009_UG_F.pdf-Manuel-de-l-utilisateur

Apple-Compressor_3_Batch_Monitor_User_Manual_F.pdf-Manuel-de-l-utilisateur

Apple-Premiers__contacts_avec_iDVD_08

Apple-Mac_mini_Intel_User_Guide.pdf

Apple-Prise_en_charge_des_surfaces_de_controle_Logic_Express_8

Apple-mac_integration_basics_fr_107.pdf

Apple-Final-Cut-Pro-7-Niveau-1-Guide-de-preparation-a-l-examen

Apple-Logic9-examen-prep-fr.pdf-Logic-Pro-9-Niveau-1-Guide-de-preparation-a-l-examen

Apple-aperture_photography_fundamentals.pdf-Manuel-de-l-utilisateu

Apple-emac-memory.pdf-Manuel-de-l-utilisateur

Apple-Apple-Installation-et-configuration-de-votre-Power-Mac-G4

Apple-Guide_de_l_administrateur_d_Xsan_2.pdf

Apple-premiers_contacts_avec_imovie6.pdf

Apple-Tiger_Guide_Installation_et_de_configuration.pdf

Apple-Final-Cut-Pro-7-Level-One-Exam-Preparation-Guide-and-Practice-Exam

Apple-Open_Directory.pdf

Apple-Nike_+_iPod_User_guide

Apple-ard_admin_guide_2.2_fr.pdf

Apple-systemoverviewj.pdf-Japon

Apple-Xserve_TO_J070411.pdf-Japon

Apple-Mac_Pro_User_Guide.pdf

Apple-iMacG5_iSight_UG.pdf

Apple-premiers_contacts_avec_iwork_08.pdf

Apple-services_de_collaboration_2e_ed_10.4.pdf

Apple-iPhone_Bluetooth_Headset_Benutzerhandbuch.pdf

Apple-Guide_de_l_utilisateur_de_Keynote08.pdf

APPLE/Apple-Logic-Pro-9-Effectsrfr.pdf

Apple-Logic-Pro-9-Effectsrfr.pdf

Apple-iPod_shuffle_3rdGen_UG_F.pdf

Apple-iPod_classic_160Go_Guide_de_l_utilisateur.pdf

Apple-iBookG4GettingStarted.pdf

Apple-Administration_de_technologies_web_10.5.pdf

Apple-Compressor-4-User-Manual-fr

Apple-MainStage-User-Manual-fr.pdf

Apple-Logic_Pro_8.0_lbn_j.pdf

Apple-PowerBookG4_15inch1.67-1.5GHzUserGuide.pdf

Apple-MacBook_Pro_15inch_Mid2010_CH.pdf

Apple-LED_Cinema_Display_27-inch_UG.pdf

Apple-MacBook_Pro_15inch_Mid2009_RS.pdf

Apple-macbook_pro_13inch_early2011_f.pdf

Apple-iMac_Mid2010_UG_BR.pdf

Apple-iMac_Late2009_UG_J.pdf

Apple-iphone_user_guide-For-iOS-6-Software

Apple-iDVD5_Getting_Started.pdf

Apple-guide_des_fonctionnalites_de_l_ipod_touch.pdf

Apple_iPod_touch_User_Guide

Apple_macbook_pro_13inch_early2011_f

Apple_Guide_de_l_utilisateur_d_Utilitaire_RAID

Apple_Time_Capsule_Early2009_Setup_F

Apple_iphone_4s_finger_tips_guide_rs

Apple_iphone_upute_za_uporabu

Apple_ipad_user_guide_ta

apple_earpods_user_guide

apple_iphone_gebruikershandleiding

apple_iphone_5_info

apple_iphone_brukerhandbok

apple_apple_tv_3rd_gen_setup_tw

apple_macbook_pro-retina-mid-2012-important_product_info_ch

apple_Macintosh-User-s-Guide-for-Macintosh-PowerBook-145

Apple_ipod_touch_user_guide_ta

Apple_TV_2nd_gen_Setup_Guide_h

Apple_ipod_touch_manual_del_usuario

Apple_iphone_4s_finger_tips_guide_tu

Apple_macbook_pro_retina_qs_th

Apple-Manuel_de_l'utilisateur_de_Final_Cut_Server

Apple-iMac_G5_de_lutilisateur

Apple-Cinema_Tools_4.0_User_Manual_F

Apple-Personal-LaserWriter300-User-s-Guide

Apple-QuickTake-100-User-s-Guide-for-Macintosh

Apple-User-s-Guide-Macintosh-LC-630-DOS-Compatible

Apple-iPhone_iOS3.1_User_Guide

Apple-iphone_4s_important_product_information_guide

Apple-iPod_shuffle_Features_Guide_F

Liste-documentation-apple

Apple-Premiers_contacts_avec_iMovie_08

Apple-macbook_pro-retina-mid-2012-important_product_info_br

Apple-macbook_pro-13-inch-mid-2012-important_product_info

Apple-macbook_air-11-inch_mid-2012-qs_br

Apple-Manuel_de_l_utilisateur_de_MainStage

Apple-Compressor_3_User_Manual_F

Apple-Color_1.0_User_Manual_F

Apple-guide_de_configuration_airport_express_4.2

Apple-TimeCapsule_SetupGuide

Apple-Instruments_et_effets_Logic_Express_8

Apple-Manuel_de_l_utilisateur_de_WaveBurner

Apple-Macmini_Guide_de_l'utilisateur

Apple-PowerMacG5_UserGuide

Hard Disk, Parallel ATA Replacement Instructions

Apple-final_cut_pro_x_logic_effects_ref_f

Apple-Leopard_Installationshandbok

PowerBookG4 User Manual

Apple-thunderbolt_display_getting_started_1e

Apple-Compressor-4-Benutzerhandbuch

Apple-macbook_air_11inch_mid2011_ug

Apple-macbook_air-mid-2012-important_product_info_j

Apple-iPod-nano-Guide-des-fonctionnalites

Apple-iPod-nano-Guide-de-l-utilisateur-4eme-generation

Apple-Manuel_de_l_utilisateur_d_Utilitaire_de_reponse_d_impulsion

Apple-Aperture_2_Raccourcis_clavier

AppleTV_Setup-Guide

Apple-livetype_2_user_manual_f

Apple-imacG5_17inch_harddrive

Apple-macbook_air_guide_de_l_utilisateur

Apple-MacBook_Early_2008_Guide_de_l_utilisateur

Apple-Keynote-2-Guide-de-l-utilisateur

Apple-PowerBook-User-s-Guide-for-PowerBook-computers

Apple-Macintosh-Performa-User-s-Guide-5200CD-and-5300CD

Apple-Macintosh-Performa-User-s-Guide

Apple-Workgroup-Server-Guide

Apple-iPad-User-Guide-For-iOS-5-1-Software

Apple-Boot-Camp-Guide-d-installation-et-de-configuration

Power Mac G5 User Guide APPLE

PAGES '08 User Guide APPLE

KEYNOTE '09 User Guide APPLE

KEYNOTE '3 User Guide APPLE

RAID UTILITY User Guide

Logic Studio User Guide

iPad User Guide for iOS 5.1 software

PowerBook G4 Getting Started APPLE

iPhone User Guide for iOS 5.1 software APPLE

iPad User Guide for iOS 4.3 software

iPod nano 5th generation User Guide

iPod Touch 2.2 User Guide APPLE

QuickTime 7 User Guide (Mac OS X 10.3.9 and later, Windows XP and Windows 2000)

MacBook 13-inch Mid 2010 User Guide

iPhone User Guide (for iOS 4.2 and 4.3 software)

Guide-de-l-utilisateur-iPod-touch-pour-le-logiciel-ios-4-3-APPLE

Guide-de-l-utilisateur-iPad-2-pour-le-logiciel-ios-4-3-APPLE

iPhone OS Enterprise Deployment Guide

Guide-de-l-administrateur-Apple-Remote-Desktop-3-1

Guide-de-l-utilisateur-Apple-Xserve-Diagnostics-Version-3X103

Guide-de-configuration-AirPort-Extreme-802.11n-5e-Generation

Guide-de-l-utilisateur-Capteur-Nike-iPod

Guide-de-l-utilisateur-iMac-21-5-pouces-et-27-pouces-mi-2011-APPLE

Guide-de-l-utilisateur-Apple-Qadministrator-4

Guide-d-installation-Apple-TV-3-eme-generation

User-Guide-iPad-For-ios-5-1-Software

iPod touch ユーザガイド5 第 1章:お使いになる前に 5 必要なもの 5 iPod touch を登録する 6 iTunesと同期する 10 メール、連絡先、およびカレンダーのアカウント 12 構成プロファイルをインストールする 13 iPod touch をコンピュータから接続解除する(取り外す) 14 第 2章:基本 14 iPod touch 各部の説明 16 ホーム画面 18 ボタン 20 タッチスクリーン 22 オンスクリーンキーボード 26 インターネットに接続する 26 バッテリー 28 iPod touch を清掃する 28 iPod touch を再起動する/リセットする 29 第 3章:音楽およびビデオ 29 音楽、ビデオ、その他のメディアを取り込む 31 音楽およびその他のオーディオ 36 ビデオ 39 スリープタイマーを設定する 39 ブラウズボタンを変更する 40 第 4章:iTunesとApp Store 40 iTunes Wi-Fi Music Store 45 App Store 50 購入したコンテンツを同期する 51 購入したものを確認する 51 アカウントをアップデートする 2 目次目次 3 52 第 5章:Safari 52 Web ページを表示する 55 Webを検索する 55 ブックマーク 56 Webクリップ 57 第 6章:メール 57 メールアカウントを設定する 57 メールを送信する 58 メールを確認する/読む 61 メールを整理する 63 第 7章:その他のアプリケーション 63 マップ 69 YouTube 72 写真 75 カレンダー 79 連絡先 80 株価 81 天気 82 メモ 83 計算機 85 時計 87 Nike + iPod 88 第 8章:設定 88 Wi-Fi 89 VPN 89 新しいデータを取得する 90 明るさ 90 一般 95 ミュージック 96 ビデオ 96 写真 97 メール、連絡先、カレンダー 100 Safari 101 Nike + iPod4 目次 102 付録 A:トラブルシューティング 102 一般 103 iTunesと同期 105 サウンド、音楽、およびビデオ 106 iTunes Store 106 Safari、メール、および連絡先 107 iPod touch のバックアップを作成する 109 iPod touchソフトウェアをアップデートする/復元する 110 iPod touch のユーザ補助機能 111 付録 B:その他の参考資料 111 安全性、ソフトウェア、およびサービスに関する情報 112 iPod touch 用ユーザガイド 112 廃棄とリサイクルに関する情報5 · 警告:負傷を避けるため、iPod touch をお使いになる前に、このガイドの操作方法、および www.apple.com/jp/support/manuals/ipodtouchにある「この製品についての重要なお知ら せ」の安全性に関する情報をよくお読みください。 必要なもの iPod touch を使うには、次のものが必要です:  USB 2.0ポートおよび以下の OSのいずれかを搭載している Macまたは PC:  Mac OS Xバージョン 10.4.10 以降  Windows XP Homeまたは Professional(SP 2)以降  Windows Vista Home Premium、Business、Enterprise、または Ultimateエディション  解像度が 1024 × 768以上に設定されたコンピュータディスプレイ  iTunes 8.0.2以降。www.itunes.com/jp/downloadからダウンロードできます  iTunes Storeアカウント(iTunes Wi-Fi Music Storeまたは App Storeで商品を購入するため に必要)  コンピュータのインターネット接続(ブロードバンドを推奨) iPod touch を登録する iPod touch の機能を使用するには、まず「iTunes」を使って iPod touch を設定する必要があります。 このとき、iPod touch を登録したり、iTunes Storeアカウント(一部の国で利用できます)をまだ持っ ていない場合は作成したりすることもできます。 iPod touch を登録する: 1 www.itunes.com/jp/downloadから最新バージョンの「iTunes」をダウンロードしてインストール します。 2 iPod touch に付属のケーブルを使って、iPod touch を 
Macまたは PCの USB 2.0ポートに接続 します。 1 お使いになる前に3 「iTunes」の画面に表示される指示に従って、iPod touch を登録し、iPod touch をコンピュータ 上の連絡先、カレンダー、およびブックマークと同期します。 iTunesと同期する iPod touch では、iTunesライブラリ内の音楽やビデオ、iTunesライブラリからダウンロードしたア プリケーション、およびその他の iTunesライブラリのコンテンツに簡単にアクセスすることができます。 「iTunes」を使用すれば、これらすべての情報や、連絡先、カレンダー、ブラウザのブックマークを iPod touch に同期できます。 同期を設定する 「iTunes」を設定して、次のいずれか、またはすべてを同期することができます:  音楽およびオーディオブック  ムービー  テレビ番組 Podcast   写真  連絡先̶名前、電話番号、住所、メールアドレスなど  カレンダー̶予定およびイベント  メールアカウント設定  Web ページのブックマーク  iTunes Storeから購入またはダウンロードしたアプリケーション iPod touch がコンピュータに接続されているときはいつでも同期の設定を変更することができます。 6 第 1章 お使いになる前に第 1章 お使いになる前に 7 音楽、オーディオブック、Podcast、ビデオコンテンツ、および購入したアプリケーションは、iTunes ライブラリから同期されます。「iTunes」内にコンテンツがない場合は、iTunes Store(一部の国で 利用できます)でコンテンツを簡単に購入または登録して「iTunes」にダウンロードできます。また、 お持ちの CDからiTunesライブラリに音楽を追加することもできます。「iTunes」および iTunes Storeについては、「iTunes」を開き、「ヘルプ」>「iTunesヘルプ」と選択してください。 連絡先、カレンダー、および Web ページのブックマークは、お使いのコンピュータ上のアプリケー ション(次のセクションを参照してください)と同期されます。連絡先とカレンダーは、コンピュータと iPod touch の間で双方向で同期されます。iPod touch で新しく作成した項目や変更した内容はコ ンピュータに同期され、コンピュータからも同様に同期されます。Web ページのブックマークも双方 向で同期されます。写真は、アプリケーションまたはフォルダから同期できます。 メールアカウント設定の同期は、コンピュータのメールアプリケーションから iPod touch 方向にのみ 行われます。つまり、iPod touch 上でメールアカウントをカスタマイズしても、コンピュータ上のメー ルアカウント設定に影響を与えることはありません。 参考:iPod touch 上に直接メールアカウントを設定することもできます。10ページの「メール、連絡先、 およびカレンダーのアカウント」を参照してください。 iPod touch で iTunes Wi-Fi Music Storeまたは App Storeから購入した商品は、iTunesライブ ラリに同期されます。また、コンピュータで iTunes Storeから音楽やアプリケーションを直接購入ま たはダウンロードして、それらを iPod touch に同期することもできます。 必要に応じて、コンピュータ上の特定の項目だけを同期するように iPod touch を設定できます。たと えば、特定の音楽プレイリストだけを同期したり、まだ見ていないビデオ Podcastだけを同期したり できます。 重要:接続および同期できる iPod touch は一度に 1台のみです。すでに別の iPodが接続されてい るときは、先にそれを取り外してください。iPod touch を接続する前に、自分のコンピュータ・ユーザ・ アカウントを使ってログインしてください。PCで複数の iPod touch または iPodを同じユーザアカウ ントに同期する場合は、それぞれの装置で同じ同期設定を使用する必要があります。 「iTunes」との同期を設定する: 1 iPod touch をコンピュータに接続し、「iTunes」を開きます(自動的に開かない場合)。 2 「iTunes」のサイドバーで、iPod touch を選択します。 3 各設定パネルで同期の設定をします。 各パネルについては、次のセクションを参照してください。 参考:連絡先、カレンダー、またはブックマークを MobileMeまたは Microsoft 
Exchangeと同期 するように iPod touch を設定している場合、「iTunes」ではこれらの項目の同期が無効になります。 10 ページの「アカウントを設定する」を参照してください。 4 画面の右下にある「適用」をクリックします。 デフォルトでは、「この iPodの接続時に iTunesを開く」が選択されています。iTunesの iPod touch 設定パネル 以下のセクションでは、iPod touch の各設定パネルについて簡単に説明します。詳しいことを知りた いときは、「iTunes」を開き、「ヘルプ」>「iTunesヘルプ」と選択してください。 「概要」パネル iPod touch をコンピュータに接続したときに自動的に「iTunes」を開いて同期したい場合は、「こ の iPodの接続時に iTunesを開く」を選択します。「iTunes」の「同期」ボタンをクリックしたとき のみ同期したい場合は、このオプションの選択を外します。自動的に同期しないようにする方法につい ては、10 ページの「自動的に同期しないようにする」を参照してください。 iTunesライブラリ内で個別にチェックマークを付けた項目だけを同期したい場合は、「チェックマーク のある曲とビデオだけを同期」を選択します。 「ミュージック」および「ビデオ」設定パネルで自動同期を切にする場合は、「音楽とビデオを手動で 管理する」を選択します。30ページの「コンテンツを手動で管理する」を参照してください。 「ミュージック」、「ムービー」、「テレビ番組」、および「Podcast」パネル これらのパネルでは、同期したいメディアを指定します。すべての音楽、ムービー、テレビ番組、およ び Podcastを同期するか、iPod touch に同期したいプレイリストおよび項目を選択することができ ます。 レンタルムービーを iPod touch で視聴したい場合は、「iTunes」の「ムービー」パネルを使ってそ れらを iPod touch に転送します。 指定したすべてのメディアを取り込むのに十分な空き領域が iPod touch にない場合は、特別 なプレイリストを作成するかどうかを尋ねられます。「iTunes」によってプレイリストが作成され、 iPod touchと同期するように設定されます。 8 第 1章 お使いになる前に第 1章 お使いになる前に 9 「写真」パネル Macでは iPhoto 4.0.3以降または「Aperture」、PCでは Adobe Photoshop Album 2.0 以降 または Adobe Photoshop Elements 3.0以降と写真を同期できます。コンピュータ上のフォルダの うち、画像が含まれるフォルダ内の写真を同期することもできます。 「情報」パネル 「情報」パネルでは、連絡先、カレンダー、メールアカウント、および Webブラウザの同期を設定で きます。  連絡先 Macでは Mac OS Xの「アドレスブック」、「Microsoft Entourage」、「Yahoo!アドレスブック」、 Google連絡先リスト、PCでは「Yahoo!アドレスブック」、Google連絡先リスト、「Windows アドレス帳」(「Outlook Express」)、Vista の「アドレス帳」、「Microsoft Outlook 2003」ま たは「Microsoft Outlook 2007」などのアプリケーションと連絡先を同期できます。(Macでは、 複数のアプリケーションと連絡先を同期できます。PCでは、一度に 1つのアプリケーションだけと アドレスデータを同期できます。) 「Yahoo!アドレスブック」と同期する場合に、同期を設定した後に Yahoo! 
IDまたはパスワードを 変更するときは、「設定」をクリックして新しいログイン情報を入力するだけです。  カレンダー Macでは「iCal」、「Microsoft Entourage」、PCでは「Microsoft Outlook 2003」、「Microsoft Outlook 2007」などのアプリケーションからカレンダーを同期できます。(Macでは、複数のアプ リケーションとカレンダーを同期できます。PCでは、一度に 1つのアプリケーションだけとカレンダー を同期できます。)  メールアカウント メールアカウント設定は、Macでは「Mail」から、PCでは「Microsoft Outlook 2003」または 「Microsoft Outlook 2007」あるいは「Outlook Express」から同期できます。アカウント設 定の転送は、コンピュータから iPod touch 方向にのみ行われます。iPod touch でメールアカウ ントに変更を加えても、コンピュータのアカウントには影響しません。 参考:Yahoo!メールアカウントのパスワードは、コンピュータには保存されません。そのため、同 期することはできず、iPod touch で入力する必要があります。「設定」で、「メール /連絡先 /カ レンダー」を選択し、Yahoo!アカウントをタップして、パスワードを入力します。  Webブラウザ Macでは「Safari」、PCでは「Safari」または Microsoft 社の「Internet Explorer」からブックマー クを同期できます。  詳細 これらのオプションを使って、次回の同期のときに iPod touch 上の情報をコンピュータ上の情報 に置き換えることができます。「アプリケーション」パネル 「アプリケーション」パネルでは、iPod touch にインストールしたい App Storeアプリケーションを 指定します。iPod touch に直接ダウンロードしたアプリケーションは、同期の際に自動的に iTunes ライブラリにバックアップが作成されます。iPod touch で手動でアプリケーションを削除した場合、そ のアプリケーションが同期済みであれば、このパネルから再インストールできます。 自動的に同期しないようにする いつも同期しているコンピュータ以外のコンピュータに iPod touch を接続するときに、iPod touch が自動的に同期されないようにすることができます。 iPod touch の自動同期を切にする: iPod touch をコンピュータに接続します。「iTunes」のサイ ドバーで iPod touch を選択して、「概要」タブをクリックします。「この iPodの接続時に iTunesを 開く」の選択を解除します。「同期」ボタンをクリックすることで、いつでも同期を行うことができます。 すべてのiPhonesおよびiPodsの自動同期を切にする:「iTunes」で、「iTunes」>「環境設定」(Mac の場合)または「編集」>「設定」(PCの場合)と選択し、「デバイス」をクリックして、「すべての iPhoneおよび iPodの自動同期を無効にする」を選択します。 このチェックボックスを選択すると、「概要」パネルで「この iPodの接続時に iTunesを開く」を選択 しても、iPod touch が自動的に同期されなくなります。 設定を変更せずに一時的に自動同期しないようにする:「iTunes」を開きます。次に、コマンド+ Optionキー(Macの場合)または Shift + Ctrlキー(PCの場合)を押したまま iPod touch をコ ンピュータに接続し、サイドバーに iPod touch が表示されるまでそのままにします。 手動で同期する:「iTunes」のサイドバーで iPod touch を選択して、ウインドウの右上にある「同期」 をクリックします。同期の設定を変更した場合は、「適用」をクリックします。 メール、連絡先、およびカレンダーのアカウント iPod touch では、MobileMe、Microsoft Exchange、およびよく利用される多くのメールシステ ムを利用できます。 アカウントを設定する MobileMeおよび Microsoft Exchangeでは、メールだけでなく、連絡先やカレンダー情報も提 供されます。これらは、iPod touch に自動的に無線同期できます。MobileMeでは、Macでは 「Safari」、PCでは「Safari」または Microsoft 社の「Internet Explorer」と iPod 
touch 上のブッ クマークを同期することもできます。MobileMe、Exchange、およびその他のメールアカウントは、 iPod touch で直接設定します。 iPod touch では、Exchange ActiveSyncプロトコルを使用して、次のバージョンの Microsoft Exchangeとメール、カレンダー、および連絡先が同期されます: Exchange Server 2003 Service Pack 2  Exchange Server 2007 Service Pack 1  よく利用される多くのメールシステムのアカウントについては、ほとんどの設定が iPod touch によっ て自動的に入力されます。 10 第 1章 お使いになる前に第 1章 お使いになる前に 11 メールアカウントをまだ持っていない場合は、www.yahoo.com、www.google.com、または www.aol.comで、無料のアカウントをオンラインで取得できます。また、MobileMeの 60日間有 効な無料のトライアルアカウントを取得することもできます。www.me.comにアクセスしてください。 iPod touch でアカウントを追加する: 1 iPod touch のホーム画面で、「設定」をタップします。 2 「メール /連絡先 /カレンダー」をタップして、「アカウントを追加」をタップします。 3 アカウントの種類をタップします: Microsoft Exchange  MobileMe   Googleメール  Yahoo!メール AOL   その他 4 アカウント情報を入力し、「保存」をタップします。 必要なアカウント設定については、ご利用のサービスプロバイダまたはシステム管理者に問い合わせ てください。 Exchangeアカウント: 完全なメールアドレス、ドメイン(オプション)、ユーザ名、パスワード、およ び説明を入力します。説明は自由に入力できます。 iPod touch は、Microsoft 社の Autodiscoveryサービスに対応しています。ユーザ名とパスワー ドを使用して、Exchangeサーバのアドレスが判断されます。サーバのアドレスを判断できない場合は、 入力を求められます。(「サーバ」フィールドに完全なアドレスを入力します。)Exchangeサーバに接 続すると、サーバで設定されているポリシーを満たすパスコードに変更するように求められることがあ ります。 5 Exchangeまたは MobileMeアカウントを設定する場合は、メール、連絡先、カレンダー、ブックマー ク(MobileMeのみ)から同期したい項目をタップします。Exchangeアカウントの場合は、何日分 のメールを iPod touchと同期したいかも選択できます。「保存」をタップします。 重要:Exchangeまたは MobileMeアカウントを使用して連絡先やカレンダーを同期する場合、 「iTunes」での連絡先やカレンダーの同期は無効になります。iPod touch 上の連絡先やカレンダー 情報は、Exchangeまたは MobileMeアカウントからの連絡先およびカレンダー情報に置き換えられ ます。プッシュアカウント MobileMe、Microsoft Exchange、およびYahoo!メール は、「プッシュ」アカウントと呼ばれます。メー ルメッセージが到着するなど、新しい情報が利用可能になると、iPod touch に情報が自動的に配信 (プッシュ)されます。(これとは対照的な「フェッチ」型のサービスでは、メールソフトウェアが定期 的にサービスプロバイダに接続して新しいメッセージが届いているかどうかを確認し、メッセージの配 信を要求する必要があります。)アカウント設定で連絡先、カレンダー、およびブックマーク(MobileMe のみ)を選択している場合は、MobileMeおよび Exchangeでもこれらの項目を同期するためにプッ シュが使用されます。 同期する情報はワイヤレス接続を介して自動的に転送されるので、iPod touch をコンピュータに接続 して同期する必要はありません。iPod touch がスリープ解除された状態になっているとき(画面がオ ンになっているか、iPod touch がコンピュータまたは電源アダプタに接続されているとき)にのみ、プッ シュされたデータを iPod touch に Wi-Fi接続で受信できます。 構成プロファイルをインストールする エンタープライズ環境で利用している場合は、構成プロファイルをインストールすることによって、 iPod touch 
にアカウントやその他の項目を設定できることがあります。構成プロファイルは、システ ム管理者が、会社、学校、または組織の情報システムと連携するようにユーザの iPod touch をすば やく設定するための仕組みです。たとえば、社内の Microsoft Exchangeサーバにアクセスするよう に iPod touch を設定して、iPod touch から各自の Exchangeメール、カレンダー、および連絡 先にアクセスできるようにすることができます。 構成プロファイルでは、iPod touch の複数の設定を一度に構成できます。たとえば、Microsoft Exchangeアカウント、VPNアカウント、および社内のネットワークや情報に安全にアクセスできるよ うにするための証明書などを設定できます。構成プロファイルによって、パスコードロックを有効にする こともできます。有効にした場合は、iPod touch を使用するためのパスコードの作成と入力が必要 になります。 システム管理者から、メールまたはセキュリティ保護された Web ページを通して、構成プロファイル が配布されることがあります。 構成プロファイルをインストールする: 1 iPod touch を使用して、システム管理者からのメールメッセージを開くか、指定された Webサイト から構成プロファイルをダウンロードします。 2 構成プロファイルが開いたら、「インストール」をタップします。 3 必要に応じて、パスワードおよびその他の情報を入力します。 重要:構成プロファイルが信頼できるものであるかどうかを尋ねられる場合があります。疑わしい場合 は、構成プロファイルをインストールする前にシステム管理者に問い合わせてください。 構成プロファイルによって提供された設定は変更できません。これらの設定を変更したい場合は、先 に構成プロファイルを取り除くか、アップデートされた構成プロファイルをインストールする必要があり ます。 12 第 1章 お使いになる前に第 1章 お使いになる前に 13 プロファイルを取り除く:「設定」で、「一般」>「プロファイル」と選択し、構成プロファイルを選択して、 「削除」をタップします。 構成プロファイルを取り除くと、構成プロファイルによってインストールされた設定およびその他すべて の情報が iPod touch から削除されます。 iPod touch をコンピュータから接続解除する(取り外す) iPod touch がコンピュータと同期中でなければ、いつでも本体をコンピュータから接続解除すること ができます。 iPod touch がコンピュータと同期中の場合は、iPod touch に「同期作業が進行中」と表示され ます。同期が完了する前に iPod touch を接続解除すると、一部のデータが転送されないことがあり ます。iPod touch の同期が完了すると、「iTunes」に iPod touch の同期が完了しました。」と表 示されます。 同期をキャンセルする: iPod touch でスライダをドラッグします。14 iPod touch 各部の説明 スリープ/ スリープ解除ボタン 音量ボタン Dock コネクタ ヘッドフォンポート Wi-Fi アンテナ ホームボタン 内蔵スピーカー タッチスクリーン アプリケーションアイコン ステータスバー 2 基本第 2章 基本 15 iPod touch の付属アクセサリ ステレオヘッドフォン Dock コネクタ(USB ケーブル用) ポリッシングクロス iPod 部品 用途 ステレオヘッドフォン 音楽、オーディオブック、Podcast、ビデオを聴きます。 Dockコネクタ(USBケーブル用) iPod touch をコンピュータに接続して同期と充電を 行うとき、または電源アダプタに接続して充電するとき に、このケーブルを使用します。このケーブルはオプ ションの Dockで使用することができます。または直接 iPod touch に接続することもできます。 ポリッシングクロス iPod touch の画面を拭くのに使用します。 ステータスアイコン iPod touch についての情報を、画面上部のステータスバーにアイコンで表示します: ステータスアイコン 意味 Wi-Fi iPod touch が Wi-Fiネットワーク経由でインター ネットに接続されていることを示します。バーの本 数が多いほど、信号が強いことを示します。26ペー ジを参照してください。 ネットワーク操作 ネットワーク操作を実行中であることを示します。 他社製のアプリケーションでは、処理を実行中で 
あることを示すためにこのアイコンが使用されるこ ともあります。 VPN VPNを使ってネットワークに接続していることを示 します。91ページの「ネットワーク」を参照して ください。 ロック iPod touch がロックされていることを示します。 17ページを参照してください。 再生 曲、オーディオブック、または Podcastが再生中 であることを示します。31ページを参照してくだ さい。 アラーム アラームが設定されていることを示します。86ペー ジを参照してください。ステータスアイコン 意味 バッテリー バッテリーレベルまたは充電状況を示します。26 ページを参照してください。 ホーム画面 ホーム ボタンを押せば、いつでもホーム画面に移動して、iPod touch アプリケーションを表示で きます。アプリケーションアイコンをタップする(指で軽く叩く)とアプリケーションが開始します。 iPod touch アプリケーション iPod touch には次のアプリケーションが用意されています: ミュージック 曲、オーディオブック、および Podcastを聴くことができます。「On-The-Go」プレイリストを作成したり、 Genius機能を使用してライブラリから同じテイストの曲を集めてプレイリストを自動的に作成したりで きます。 ビデオ 購入またはレンタルしたムービー、ミュージックビデオ、ビデオ Podcast、およびテレビ番組をどこで も視聴できます。iPod touch をテレビに接続して大きな画面で視聴することもできます(テレビに接 続するには別売のケーブルが必要です)。 写真 コンピュータから転送した写真や画像、または iPod touch で保存した写真や画像を表示できます。 縦向き、横向き両方で表示することが可能です。写真を拡大して見ることができます。スライドショーを 見ることもできます。さらに、写真をメールで送ったり、MobileMeギャラリーに追加したり、連絡先 に割り当てたり、壁紙として使用したりすることもできます。 iTunes iTunes Wi-Fi Music Storeの音楽カタログを検索したり、ニューリリース、トップ 10ソング、トップ 10アルバムなどをブラウズ、プレビュー、および購入できます。Podcastをストリーム再生したり、ダ ウンロードしたりできます。Starbucksの一部の提携店舗で再生中の曲を探し出して、すぐに購入でき ます。おすすめの Starbucksコレクション以外の曲をブラウズ、プレビュー、および購入することもで きます。 App Store Wi-Fi接続を使用して、App Storeで iPod touch アプリケーションを検索し、購入またはダウンロー ドすることができます。気に入ったアプリケーションのレビューを読んだり書いたりすることもできます。 アプリケーションは、ホーム画面にダウンロードしてインストールできます。 Safari Wi-Fi経由で Webサイトをブラウズできます。iPod touch を横向きにすれば、ワイドスクリーンで表 示できます。ダブルタップで拡大/縮小することもできます。Web ページの列が自動的に iPod touch の画面いっぱいに表示されるので、内容が読みやすくなります。お使いのコンピュータ上の「Safari」 または Microsoft 社の「Internet Explorer」とブックマークを同期できます。Webクリップをホーム 画面に追加すれば、よく使うWebサイトにすばやくアクセスできます。さらに、Webサイトの画像をフォ トライブラリに保存することもできます。 カレンダー MobileMe、「iCal」、「Microsoft Entourage」、「Microsoft Outlook」、または Microsoft Exchange のカレンダーを表示できます。iPod touch でイベントを入力すれば、それらがコンピュー タ上のカレンダーに同期されます。イベント、約束、締め切りなどを知らせる通知を設定することもで きます。 メール iPod touch は、MobileMe、Microsoft Exchange、よく利用される多くのメールシステム(Yahoo! 
メール、Googleメール、AOLなど)、および業界標準のPOP3/IMAPメールシステムに対応しています。 PDFやその他の添付ファイルは「メール」内で表示できます。さらに、添付された写真や画像をフォト ライブラリに保存することもできます。 16 第 2章 基本第 2章 基本 17 連絡先 MobileMe、Mac OS Xの「アドレスブック」、「Yahoo!アドレスブック」、Google連絡先リスト、 「Windowsアドレス帳」(「Outlook Express」)、「Microsoft Outlook」、または Microsoft Exchangeから連絡先情報を同期できます。連絡先を追加、変更、または削除することもできます。 変更内容は、同期の際にコンピュータ上の連絡先情報に反映されます。 YouTube YouTubeのオンラインコレクションからビデオを再生できます。ビデオを検索するか、おすすめビデオ、 人気ビデオ、最近アップデートされたビデオ、またはトップレートのビデオをブラウズできます。 株価 関心のある株価を見ることができます。インターネットから自動的に最新の情報を入手できます。 マップ 世界中の市街地図、航空写真図、または地図+写真を見ることができます。拡大すれば、より近づい て見ることができます。おおよその現在位置を確認することもできます。運転経路の詳細を表示したり、 高速道路の現在の渋滞状況を確認したりできます。周辺の店舗や企業を検索することもできます。 天気 現在の気象情報と6日分の予報を見ることができます。よく見る場所を追加して、いつでもすばやく天 気予報を見ることができます。 時計 世界の都市の時間を表示します。お気に入りの都市の時計を作成できます。1つまたは複数のアラー ムを設定することができます。ストップウォッチを使ったり、カウントダウンタイマーを設定することもで きます。 計算機 足し算、引き算、掛け算、および割り算ができます。iPod touch を横向きにすれば、高度な関数電 卓として使用できます。 メモ メモ、買い物リスト、ひらめいたアイデアをいつでも書き留めることができます。それらをメールで送信 できます。 設定 iPod touch のすべての設定を一括してここで操作します。音量制限を設定すれば、突然大音量になっ てしまうこともありません。壁紙、画面の明るさのほか、ネットワーク、メール、Web、音楽、ビデオ、 写真などの設定ができます。セキュリティのために、自動ロックおよびパスコードを設定することができ ます。露骨な内容(EXPLICIT)の iTunesコンテンツや特定のアプリケーションへのアクセスを制限す ることもできます。さらに、iPod touch をリセットすることもできます。 Nike + iPod Nike + iPodを「設定」で有効にすると、iPod touch がワークアウトのパートナーになります。ワー クアウトのペース、時間、および距離を管理したり、ルーチンを完了するための曲を選択したりできま す。(専用の NikeシューズとNike + iPodセンサーが必要です(別売)。第 1世代の iPod touchで は利用できません。) 参考:アプリケーションの機能は、iPod touch を購入および使用する国や地域によって異なる場合が あります。 ホーム画面をカスタマイズする ホーム画面のアイコン(画面下部にある Dockアイコンなど)のレイアウトをカスタマイズすることが できます。必要に応じて、複数のホーム画面の間で並べ替えることもできます。アイコンを並べ替える: 1 ホーム画面上にあるアイコンをタッチしたまま押さえていると、アイコンが波打ち始めます。 2 アイコンをドラッグして並べ替えます。 3 ホーム ボタンを押して配置を保存します。 よく使うWeb ページへのリンクをホーム画面に追加することもできます。56ページの「Webクリッ プ」を参照してください。 ホーム画面を追加する: アイコンを並べ替えるときに、アイコンを画面の右端までドラッグすると、新 しい画面が表示されます。フリックして(指で画面をはじく)元の画面に戻り、別のアイコンを新しい 画面にドラッグすることもできます。 最大 9つの画面を作成できます。「Dock」の上にある点は、画面の数と表示している画面を示します。 別のホーム画面に切り替える: 左または右にフリックするか、点の列の左または右をタップします。 最初のホーム画面を表示する: ホーム ボタンを押します。 ホーム画面をデフォルトのレイアウトにリセットする:「設定」>「一般」>「リセット」と選択し、「ホー 
ム画面レイアウトをリセット」をタップします。 ボタン いくつかの簡単なボタンを使って、手軽に iPod touch の電源の入/切を切り替えたり音量を調節し たりできます。 スリープ/スリープ解除ボタン iPod touch を使わないときは、ロックしておくことができます。 iPod touch がロックされているときは、画面に触れても操作できません。 デフォルトでは、1分間画面に触れないと、iPod touch が自動的にロックされます。 18 第 2章 基本第 2章 基本 19 スリープ/ スリープ解除ボタン iPod touch をロックする スリープ/スリープ解除ボタンを押します。 iPod touch のロックを解除する ホーム ボタン、またはスリープ/スリープ解除ボタン を押して、スライダをドラッグします。 iPod touch の電源を完全に切る スリープ/スリープ解除ボタンを数秒間、赤いスライダが 表示されるまで押し続け、スライダをドラッグします。 iPod touch の電源を入れる スリープ/スリープ解除ボタンを Appleロゴが表示される まで押し続けます。 iPod touch がロックされるまでの時間を変更する方法については、92ページの「自動ロック」を参 照してください。iPod touch のロックを解除するときにパスコードを入力するように設定する方法に ついては、「パスコードロック」ページの 92を参照してください。 音量ボタン 曲、ムービー、その他のメディアの再生中は、iPod touch の横にあるボタンを使って音量を調節でき ます。それ以外のときにこのボタンを使うと、通知音やその他のサウンド効果の音量が変更されます。 参考:音量ボタンは、第 1世代の iPod touchに付いていません。 警告:聴覚の損傷を避けるための重要な情報については、www.apple.com/jp/support/ manuals/ipodtouchにある「この製品についての重要なお知らせ」を参照してください。 音量を調節するには、iPod touch の横にあるボタンを使用します。 音量 を上げる 音量 を下げる iPod touch で音楽およびビデオを再生するときの音量制限を設定する方法については、95ページの 「ミュージック」を参照してください。タッチスクリーン iPod touch のタッチスクリーンの操作方法は、行っている作業によって変わります。 アプリケーションを開く アプリケーションを開く: アイコンをタップします。 ホーム画面に戻る: ディスプレイの下にあるホーム ボタンを押します 。 スクロールする スクロールするには、指で上下にドラッグします。Web ページなど、画面によっては左右にスクロール することもできます。 指で上下にドラッグしてスクロールしても、画面上では何も変更されたりアクティブになったりすること はありません。 20 第 2章 基本第 2章 基本 21 すばやくスクロールするには、フリックします。 スクロールが止まるまで待ちます。または画面に軽く触れるとすぐに止まります。画面に触れてスクロー ルを止めても、何も変更されたりアクティブになったりすることはありません。 リスト、Web ページ、またはメールの先頭まですばやくスクロールするには、ステータスバーをタップ します。 リストを操作する リスト表示のときに、右側にインデックスが表示されることがあります。 インデックス付きのリストで項目を探す: インデックスの文字をタップすると、その文字の最初の項目 にジャンプします。指でインデックスをドラッグすると、リスト内をすばやくスクロールすることができます。 インデックス 項目を選択する: リストで項目をタップします。 リストの内容によって、項目をタップしたときの動作が異なります。たとえば、項目をタップすると、新 しいリストが開いたり、曲が再生されたり、メールが開いたり、連絡先が表示されたりします。 前のリストに戻る: 左上の「戻る」ボタンをタップします。拡大/縮小する 写真、Web ページ、メール、またはマップを表示しているときに、拡大/縮小することができます。 ピンチ(2本の指で押し開くまたは閉じる)します。写真とWeb ページの場合は、ダブルタップ(す ばやく2回軽く叩く)すると拡大し、もう一度ダブルタップすると縮小します。マップの場合は、ダブル タップすると拡大し、2本の指で 1回タップすると縮小します。 オンスクリーンキーボード オンスクリーンキーボードを使って、連絡先、テキストメッセージ、Webアドレスなどのテキストを入 力できます。 入力する 
使用しているアプリケーションによっては、このインテリジェントキーボードを使うと、入力中に自動的 に入力候補が表示されることがあります。これにより、単語のスペルミスを防ぐことができます。 テキストを入力する: 1 メモや新しい連絡先などのテキストフィールドをタップすると、キーボードが表示されます。 2 キーボードのキーをタップします。 はじめは人差し指だけで入力してみてください。慣れてきたら、2本の親指を使うとさらにすばやく入 力できます。 入力するたびに、入力した文字がキーの上に表示されます。間違ったキーをタッチした場合は、正し いキーに指をスライドさせます。キーから指が離れるまで文字は入力されません。 22 第 2章 基本第 2章 基本 23 大文字を入力する 文字を入力する前にシフト キーをタップします。 ピリオドやスペースをすばやく入力する スペースバーをダブルタップします。(「設定」>「一般」 >「ネットワーク」でこの機能の入/切を切り替えること ができます。) Caps Lockを入にする Shift キーをダブルタップします。シフトキーが青に変 わり、すべての文字が大文字で入力されます。再びシフト キーをタップすると、Caps Lockが切になります。(「設定」 >「一般」>「ネットワーク」でこの機能の入/切を切り 替えることができます。) 数字、句読点、または記号を表示する 数字 キーをタップします。記号 キーをタップする と、さらにほかの句読点や記号が表示されます。 キーボードに表示されない文字や記号を入力する 同類の文字または記号を押し続けてから、目的の文字まで スライドして選択します。 各国のキーボード iPod touch には、さまざまな言語でテキストを入力できるキーボードが用意されています。サポート されるキーボードの完全なリストについては、www.apple.com/jp/ipodtouch/specs.htmlを参 照してください。 ほかの言語のキーボードの入/切を切り替える: 1 「設定」で、「一般」>「言語環境」>「キーボード」と選択します。 2 使用したいキーボードを入にします。日本語や中国語など、複数の種類のキーボードがある言語の場 合は、利用可能なキーボード数が表示されます。目的の言語のキーボードをタップして選択します。複数のキーボードを入にした場合にキーボードを 切り替える をタップしてキーボードを切り替えます。タップすると、 アクティブになったキーボードの名前が少しの間表示され ます。 日本語テンキーを使用する テンキーを使って読みを入力します。ほかの読みを表示す るには、矢印キーをタップして、ウインドウから別の読み または単語を選択します。 日本語フルキーボードを使用する フルキーボードを使って読みをローマ字入力します。入力 中に読みの候補が表示されます。候補をタップして選択し ます。 韓国語を入力する 2-Set Koreanキーボードを使ってハングル文字を入力し ます。二重子音または複合母音を入力するには、文字を 押したまま、重ねる文字にスライドして選択します。 簡体字中国語のピンイン入力を使用する フルキーボードを使って漢字のピンインを入力します。入 力中に漢字の候補が表示されます。文字をタップして選択 するか、ピンインの入力を続けてほかの候補を表示します。 簡体字中国語または繁体字中国語の手書き入力を 使用する タッチパッドで指を使って漢字を入力します。入力中に iPod touch によってストロークが認識され、一致する文 字がリストに表示されます。最も近い候補が一番上に表示 されます。文字を選択すると、追加の候補として同類の文 字がリストに表示されます。 一部の複雑な文字は、2つ以上の文字を組み合わせて入 力できます。たとえば、魚を入力してから巤を入力すると、 文字リストに鱲(香港国際空港の名前の一部)が横に矢 印付きで表示されます。文字をタップして、入力した文字 を置き換えます。 簡体字中国語または繁体字中国語の手書き入力が入のときは、次の図に示すように指で漢字を入力で きます: 24 第 2章 基本第 2章 基本 25 辞書 iPod touch には、多くの言語の入力を支援する辞書が内蔵されています。サポートされるキーボー ドを選択すると、対応する辞書が自動的に有効になります。 サポートされる言語のリストについては、www.apple.com/jp/ipodtouch/specs.htmlを参照して ください。 iPod touch では、その有効になっている辞書を使用して、修正候補が表示されたり、入力中の単語 
が補完されたりします。候補の単語を使用するために、入力を中断する必要はありません。 候補の単語 辞書による入力候補を使用または無視する:  候補の単語を無視するには、単語を最後まで入力し、次の単語を入力する前に「×」をタップして 候補を消します。その単語の候補を無視するたびに、タイプしたままの単語が iPod touch に表示 されるようになります。  候補の単語を使用するには、スペース、句読点、またはリターンを入力します。 自動修正の入/切を切り替える:「一般」>「キーボード」と選択し、「自動修正」の入/切を切り 替えます。自動修正はデフォルトで入になっています。 参考:中国語または日本語を入力する場合は、候補のいずれかをタップします。 テキストを入力する: テキストをタッチしたまましばらく待って拡大鏡を表示し、挿入ポイントを目的の 位置までドラッグします。インターネットに接続する iPod touch では、Wi-Fi ネットワーク経由でインターネットに接続できます。iPod touch は、自宅、 職場、または世界中の Wi-Fiホットスポットの AirMacおよびその他の Wi-Fiネットワークに接続する ことができます。インターネットに接続された Wi-Fiネットワークに接続しているときは、iPod touch で「メール」、「Safari」、「YouTube」、「株価」、「マップ」、「天気」、App Store、または iTunes Wi-Fi Music Storeを使用すると、自動的にインターネットに接続されます。 Wi-Fiネットワークに接続する Wi-Fi設定を使って、Wi-Fiを入にしたりWi-Fiネットワークに接続したりできます。 Wi-Fiを入にする:「設定」>「Wi-Fi」と選択し、Wi-Fiを入にします。 Wi-Fiネットワークに接続する:「設定」>「Wi-Fi」と選択し、しばらく待ちます。iPod touch によっ て接続圏内にあるネットワークが検出されたら、ネットワークを選択します(Wi-Fiネットワークによっ ては接続料が必要な場合があります)。必要に応じてパスワードを入力し、「参加」をタップします(パ スワードが必要なネットワークには鍵 のアイコンが表示されます)。 Wi-Fiネットワークに一度手動で接続すれば、そのネットワークが接続圏内にあるときは、iPod touch からそのネットワークに自動的に接続されます。使用したことのあるネットワークが接続圏内に複数あ る場合は、iPod touch で最後に使用したネットワークに接続されます。 iPod touch が Wi-Fiネットワークに接続されているときは、画面上部のステータスバーに Wi-Fi アイコンが表示され、信号の強さが示されます。アイコンのバーの本数が多いほど、信号が強いこと を示します。 Wi-Fiの設定方法については、88ページの「Wi-Fi」を参照してください。 バッテリー iPod touch には、充電式バッテリーが内蔵されています。 バッテリーを充電する 警告:iPod touch の充電の安全性に関する重要な情報については、www.apple.com/jp/ support/manuals/ipodtouchにある「この製品についての重要なお知らせ」を参照してください。 バッテリーを充電して iPod touch を同期する: 付属の USBケーブルを使って、iPod touch をコン ピュータに接続します。 26 第 2章 基本第 2章 基本 27 重要:電源を切ったコンピュータ、またはスリープモードかスタンバイモードのコンピュータに iPod touch を接続すると、iPod touch のバッテリーが充電されずに消耗してしまうことがあります。 iPod touch は、FireWireを使用する電源アダプタからは充電できません。 画面の右上のアイコンは、充電の状態を示しています。 充電中 充電済み iPod touch を同期しながら、または使用しながら充電すると、充電に時間がかかる場合があります。 別売の Apple USB Power Adapter(Apple USB電源アダプタ)を使って iPod touch を充電す ることもできます。 重要:iPod touch のバッテリー残量が少なくなると、次のいずれかのイメージが表示されることがあ ります。これは、iPod touch を使用できるようになるまでに 10 分以上充電する必要があることを示 します。iPod touch の電池残量が極めて少なくなると、画面に何も表示されなくなり、約 2分後に 
電池が少ないことを知らせる画像が表示されます。 または バッテリー寿命を最大限に延ばす iPod touch では、リチウムイオンバッテリーが使用されます。iPod touch の製品寿命やバッテリー 寿命を最大限に延ばす方法について詳しくは、www.apple.com/jp/batteriesを参照してください。バッテリーを交換する 充電式のバッテリーに充電できる回数は限られているため、その回数を超えた場合は、バッテリーを 交換する必要があります。iPod touch のバッテリーはユーザ自身では交換できません。交換できるの は、正規サービスプロバイダのみです。詳しくは、www.apple.com/jp/support/ipod/service/ batteryを参照してください。 iPod touch を清掃する iPod touch を清掃するときは、すべてのケーブルを取り外し、iPod touch の電源を切ってください (スリープ/スリープ解除ボタンを押したまま、画面に表示されたスライダをスライドします)。柔らか くけば立たない布を水で湿らせて使用してください。開口部に水が入らないように注意してください。 iPod touch を清掃するために、窓ガラス用洗剤、家庭用洗剤、スプレー式の液体クリーナー、有機溶剤、 アルコール、アンモニア、研磨剤は使用しないでください。 iPod touch を再起動する/リセットする 機能が正しく動作しない場合は、iPod touch を再起動またはリセットすると問題が解決することがあ ります。 iPod touch を再起動する: スリープ/スリープ解除ボタンを赤いスライダが表示されるまで押し続 けます。指でスライダをスライドして、iPod touch の電源を切ります。もう一度 iPod touch の電源 を入れるときは、スリープ/スリープ解除ボタンを Appleロゴが表示されるまで押し続けます。 iPod touch をリセットする: スリープ/スリープ解除ボタンとホームボタンを、Appleロゴが表示さ れるまで同時に 10 秒以上押し続けます。 問題の解決方法について詳しくは、102 ページの付録 A「トラブルシューティング」を参照してくだ さい。 28 第 2章 基本29 iPod touch をコンピュータ上の「iTunes」と同期して、iTunesライブラリに収集した曲、ビデオ、 およびその他のコンテンツを取り込むことができます。iTunesライブラリに音楽やその他のメディアを 追加する方法については、「iTunes」を開いて「ヘルプ」>「iTunesヘルプ」と選択してください。 音楽、ビデオ、その他のメディアを取り込む 音楽、ビデオ、および Podcastを iPod touch に取り込むには、お使いのコンピュータでライブラリ 内のコンテンツを同期するように「iTunes」を設定するか、iPod touch に保存するメディアを手動 で管理する方法があります。 iTunesからコンテンツを同期する 「iTunes」のコンテンツを同期することによって、音楽、ビデオ、その他のメディアを iPod touch に 取り込むことができます。すべてのメディアを同期することも、特定の曲、ビデオ、および Podcastを 選択することもできます。 iPodのコンテンツを同期するように「iTunes」を設定する: 1 iPod touch をコンピュータに接続します。 2 「iTunes」のサイドバーで、iPod touch を選択します。 3 「ミュージック」、「ムービー」、「テレビ番組」、および「Podcast」タブで、iPod touch に転送した いコンテンツを選択します。たとえば、選択した音楽プレイリストやお気に入りのビデオ Podcastのこ こ 3回分のエピソードを同期するように「iTunes」を設定できます。 4 「適用」をクリックします。 iPod touch がサポートするフォーマットでエンコードされている曲やビデオのみが iPod touch に転 送されます。iPod touch が対応しているフォーマットについては、105 ページの「曲、ビデオ、その 他の項目が再生されない」を参照してください。 iTunesライブラリの曲が多すぎて、iPod touch に入らない場合は、特別なプレイリストを作成して iPod touchと同期する方法があります。ライブラリから自動的に選択された曲がプレイリストに追加 されます。このプレイリストから任意に曲を追加または削除して、再び同期させることができます。 3 音楽およびビデオ聞いている途中の 
Podcastまたはオーディオブックがある場合は、「iTunes」とコンテンツを同期す るときに、中断した位置も取り込まれます。それらを iPod touch で再生するときは、コンピュータの 「iTunes」で中断した位置を選択できます。これは、逆方向の同期でも同様になります。 「iTunes」を使って音楽やその他のメディアをコンピュータに取り込む方法について詳しくは、5ペー ジの「必要なもの」を参照してください。 コンテンツを手動で管理する 手動で管理する場合は、iPod touch に保存したい音楽、ビデオ、および Podcastだけを選択できます。 コンテンツを手動で管理するように iPod touch を設定する: 1 iPod touch をコンピュータに接続します。 2 「iTunes」のサイドバーで、iPod touch を選択します。 3 「概要」タブをクリックし、「音楽とビデオを手動で管理する」を選択します。 4 「適用」をクリックします。 iPod touch に項目を追加する: iTunesライブラリ内の曲、ビデオ、Podcast、またはプレイリスト をサイドバーの iPod touch にドラッグします。一度に複数の項目を選択して追加するときは、Shift キーまたはコマンドキーを押したままクリックします。 「iTunes」によってすぐにコンテンツが同期されます。「音楽とビデオを手動で管理する」の選択 を解除した場合、手動で追加したコンテンツは次回「iTunes」でコンテンツが同期されるときに iPod touch から取り除かれます。 iPod touch から項目を取り除く: iPod touch をコンピュータに接続した状態で、「iTunes」のサ イドバーで iPod touch のアイコンを選択します。アイコンの左にある開閉用三角ボタンをクリックし て、コンテンツを表示します。「ミュージック」や「ムービー」などのコンテンツ領域を選択し、削除 したい項目を選択して、キーボードの Deleteキーを押します。 iPod touch から項目を取り除いても、その項目は iTunesライブラリからは削除されません。 重要:「iTunes」から項目を削除した場合、その項目は次回の同期時に iPod touch からも削除さ れます。 音楽とPodcastをダウンロードする iPod touch で iTunes Wi-Fi Music Storeを使って曲やアルバムを購入して、iPod touch に直接 ダウンロードできます。オーディオ Podcastやビデオ Podcastのストリーム再生やダウンロードもで きます。40ページの「iTunes Wi-Fi Music Store」を参照してください。 購入したコンテンツを別のコンピュータに転送する iPod touch を使って、あるコンピュータで「iTunes」を使って購入したコンテンツを認証済みの別 のコンピュータの iTunesライブラリに転送できます。お使いの iTunesアカウントで、コンピュータが 認証されている必要があります。コンピュータを認証するには、そのコンピュータで「iTunes」を開き、 「Store」>「コンピュータを認証」と選択します。 購入したコンテンツを転送する: iPod touch をほかのコンピュータに接続します。購入したコンテン ツを転送するかどうかを確認するメッセージが「iTunes」に表示されます。 30 第 3章 音楽およびビデオ第 3章 音楽およびビデオ 31 iPod touch 用にビデオを変換する iTunes Storeから購入したビデオ以外のビデオ、たとえば Macの「iMovie」で作成したビデオや インターネットからダウンロードして「iTunes」に追加したビデオなども、iPod touch に追加するこ とができます。 「iTunes」から iPod touch にビデオを追加しようとして、iPod touch にビデオを再生できないとい うメッセージが表示される場合は、ビデオの形式を変換することができます。 iPod touch で再生できるようにビデオを変換する: iTunesライブラリで変換したいビデオを選択し、 「詳細」>「iPod/ Phoneバージョンを作成」と選択します。変換したビデオを iPod touch に 追加します。 音楽およびその他のオーディオ iPod touch の高解像度マルチタッチディスプレイで、音楽を映像と共に楽しむことができます。プレ イリストをスクロールしたり、Cover Flowでアルバムアートをブラウズすることができます。 
You can listen to audio through the internal speaker (second generation iPod touch only) or through headphones connected to the headphones port. When headphones are connected, no sound comes from the speaker.

WARNING: For important information about avoiding hearing loss, see the Important Product Information Guide at www.apple.com/jp/support/manuals/ipodtouch.

Playing Songs

Browse your collection: Tap Playlists, Artists, or Songs. Tap More to browse Albums, Audiobooks, Compilations, Composers, Genres, or Podcasts.

Play a song: Tap the song.

Controlling Song Playback

When you play a song, the Now Playing screen appears.

[Now Playing screen controls: Next/Fast-forward, Play/Pause, Back, Track List, Previous/Rewind, Volume]

Pause a song: Tap [icon], or press the mic button on the iPod touch headset.
Resume playback: Tap [icon], or press the mic button on the iPod touch headset.
Raise or lower the volume: Drag the volume slider, or use the buttons on the side of iPod touch.
Restart a song, or a chapter in an audiobook or podcast: Tap [icon].
Skip to the next or previous song or chapter in an audiobook or podcast: Tap [icon] twice to skip to the previous song. Tap [icon], or press the mic button on the iPod touch headset twice quickly, to skip to the next song.
Rewind or fast-forward: Touch and hold [icon] or [icon]. The longer you hold the control, the faster the song rewinds or fast-forwards.
Return to the iPod browse lists: Tap [icon]. Or swipe right across the album cover.
Return to the Now Playing screen: Tap Now Playing.
Display a song's lyrics: Tap the album cover while the song is playing. (Lyrics appear only if you've added them to the song using the song's Info window in iTunes.)

You can display playback controls at any time by double-clicking the Home button, whether you're listening to music, using another application, or even while iPod touch is locked.

If you're using an application, the playback controls appear in front of the application. After using the controls, you can close them or tap Music to go to the Now Playing screen. If iPod touch is locked, the controls appear onscreen and disappear automatically after you finish using them.

Additional Controls

From the Now Playing screen, tap the album cover.

The repeat, Genius, and shuffle controls and the scrubber bar appear. You can see the elapsed time, remaining time, and song number. The song's lyrics also appear if you've added them to the song in iTunes.

[Additional controls: Scrubber bar, Repeat, Playhead, Genius, Shuffle]

Set iPod touch to repeat songs: Tap [icon]. Tap [icon] again to set iPod touch to repeat only the current song. When [icon] is displayed, iPod touch repeats all the songs in the current album or list. When [icon] is displayed, iPod touch repeats the current song over and over. When [icon] is displayed, iPod touch doesn't repeat songs.
Skip to any point in a song: Drag the playhead along the scrubber bar.
Make a Genius playlist: Tap [icon]. The Genius playlist appears. See "Using Genius on iPod touch" on page 35.
Set iPod touch to shuffle songs: Tap [icon]. Tap [icon] again to set iPod touch to play songs in order. When [icon] is displayed, songs are shuffled. When [icon] is displayed, songs play in order.
Shuffle the tracks in any playlist, album, or other list of songs: Tap Shuffle at the top of the list. For example, to shuffle all the songs on iPod touch, choose Songs > Shuffle. Whether or not iPod touch is set to shuffle, tapping Shuffle at the top of a list of songs makes iPod touch play the songs in that list in random order.

Browsing Album Covers in Cover Flow

When you're browsing music, you can rotate iPod touch sideways to see your iTunes content in Cover Flow and browse your music by album artwork.

See content in Cover Flow: Rotate iPod touch sideways.
Browse album covers: Drag or flick left or right.
See the tracks on an album: Tap the album cover or [icon].
Play any track: Tap the track. Drag up or down to scroll through the tracks.
Return to the album cover: Tap the title bar. Or tap [icon] again.
Play or pause the current song: Tap [icon] or [icon]. Or, if you're using the included stereo headset, press the mic button.

Viewing All Tracks on an Album

See all the tracks on the album that contains the current song: From the Now Playing screen, tap [icon]. Tap any track to play it. Tap the album cover thumbnail to return to the Now Playing screen.

[Track list view: Rating bar, Return to Now Playing screen, Album tracks]

In track list view, you can assign ratings to songs. You can use ratings in iTunes to create smart playlists that update automatically according to conditions you set, such as a playlist of your highest-rated songs.

Rate a song: Drag your thumb across the rating bar to give the song zero to five stars.

Using Genius on iPod touch

Genius automatically creates a playlist of songs from your library that go well with the song you're playing. It's like having a built-in DJ who knows your tastes and creates the perfect mix. To use Genius on iPod touch, you first need to set up Genius in iTunes, then sync iPod touch with iTunes. Genius is a free service, but it requires an iTunes Store account. You can create Genius playlists in iTunes and sync them to iPod touch. You can also create Genius playlists directly on iPod touch.

Make a Genius playlist on iPod touch:
1 Tap Playlists, then tap Genius.
2 Tap a song in the list. Genius gathers other songs based on that song and creates a playlist.

You can also make a Genius playlist based on the song you're playing. From the Now Playing screen, tap the album cover to display the additional controls, then tap [icon].

Save a Genius playlist: In the playlist, tap Save. The playlist is saved in Playlists with the title of the song you picked.

You can make and save as many Genius playlists as you want. If you save a Genius playlist created on iPod touch, it syncs back to iTunes the next time you connect.

Refresh a Genius playlist: In the playlist, tap Refresh.

Refreshing a playlist creates a playlist of different songs based on the song you picked. You can refresh any Genius playlist, whether it was created in iTunes and synced to iPod touch or created directly on iPod touch.

Make a Genius playlist based on a new song: In the playlist, tap New, then pick a new song.

Delete a saved Genius playlist: For a playlist saved directly on iPod touch, tap Edit, then tap Delete Playlist.
Once a Genius playlist has been synced back to iTunes, you can't delete it directly from iPod touch. You can use iTunes to edit the playlist name, stop syncing it, or delete it.

Making On-The-Go Playlists

Make an On-The-Go playlist:
1 Tap Playlists, then tap On-The-Go.
2 Browse for songs using the buttons at the bottom of the screen. Tap any song or video to add it to the playlist. Tap Add All Songs at the top of a list of songs to add all the songs in the list.
3 When you finish, tap Done.

When you make an On-The-Go playlist and then sync iPod touch with your computer, the playlist is saved on iPod touch and in your iTunes library, then deleted from iPod touch. The first playlist is saved as "On-The-Go 1," the second as "On-The-Go 2," and so on. To get a playlist back onto iPod touch, select iPod touch in the iTunes sidebar, click the Music tab, and set the playlist to sync.

Edit an On-The-Go playlist: Tap Playlists, tap On-The-Go, tap Edit, then do any of the following:
• To move a song higher or lower in the list, drag [icon] next to the song.
• To delete a song from the playlist, tap [icon] next to the song, then tap Delete. Deleting a song from the On-The-Go playlist doesn't delete it from iPod touch.
• To clear the entire playlist, tap Clear Playlist.
• To add more songs, tap [icon].

Videos

With iPod touch, you can view video content such as movies, music videos, and video podcasts. If a video contains chapters, you can skip to the next or previous chapter, or bring up a list and start playing at any chapter you choose. If a video offers alternate language features, you can choose an audio language or display subtitles.

Playing Videos

Play a video: Tap Videos, then tap the video you want.

Display playback controls: Tap the screen to show the controls. Tap again to hide them.

Controlling Video Playback

Videos play in widescreen to take full advantage of the display.

[Video controls: Scale, Play/Pause, Restart/Fast-forward, Rewind, Playhead, Volume, Scrubber bar. "Run" by Gnarls Barkley is available for preview on iTunes in selected countries only.]

Play or pause a video: Tap [icon] or [icon].
Raise or lower the volume: Drag the volume slider.
Restart a video: Drag the playhead on the scrubber bar all the way to the left, or tap [icon] if the video doesn't contain chapters.
Skip to the previous or next chapter (if available): Tap [icon] to skip to the previous chapter. Tap [icon] to skip to the next chapter.
Start playing at a specific chapter (if available): Tap [icon], then choose a chapter from the list.
Rewind or fast-forward: Touch and hold [icon] or [icon].
Skip to any point in a video: Drag the playhead along the scrubber bar.
Stop watching a video before it finishes: Tap Done. Or press the Home button.
Scale a video to fill the screen or fit the whole video on the screen: Tap [icon] to make the video fill the screen. Tap [icon] to fit the whole video on the screen. You can also double-tap the video to switch between filling the screen and fitting the whole video on it. When you scale a video to fill the screen, the sides or top may be cut off from view. When you fit the whole video on the screen, you may see black bars on the sides or above and below the video.
Select an alternate audio language (if available): Tap [icon], then choose a language from the Audio list.
Show or hide subtitles (if available): Tap [icon], then choose a language, or Off, from the Subtitles list.

Watching Rented Movies

You can rent movies from the iTunes Store and watch them on iPod touch. You use iTunes to rent movies and transfer them to iPod touch. (Rented movies aren't available in all regions.)

Rented movies are playable only for a limited time. The time you have left to finish watching a rented movie appears near its title (once this time has passed, the movie can no longer be played). Movies are deleted automatically when they expire. Check the expiration times in the iTunes Store before renting a movie.

Transfer rented movies to iPod touch: Connect iPod touch to your computer. Then select iPod touch in the iTunes sidebar, click Movies, and select the rented movies you want to transfer. Your computer must be connected to the Internet.

View a rented movie: Choose Videos, then select the movie.

Watching Videos on a TV

You can connect iPod touch to your TV and watch your videos on a larger screen. Use the Apple Component AV Cable, the Apple Composite AV Cable, or another Apple-certified iPod touch-compatible cable. You can also use these cables with the Apple Universal Dock to connect iPod touch to your TV. (The Apple Universal Dock includes a remote that lets you control playback from a distance.) Apple cables and docks are available for purchase separately at www.apple.com/jp/ipodstore.

Deleting Videos from iPod touch

You can delete videos from iPod touch to free up space.

Delete a video: In the videos list, swipe from left to right across the video, then tap Delete.

When you delete a video (other than a rented movie) from iPod touch, it isn't deleted from your iTunes library, and you can sync it back to iPod touch later. If you don't want to sync the video back to iPod touch, set iTunes not to sync the video. See "What You Need" on page 5.

Important: If you delete a rented movie from iPod touch, it's deleted permanently and can't be transferred back to your computer.

Setting a Sleep Timer

You can set iPod touch to stop playing music or videos after a specified period of time.

Set a sleep timer: From the Home screen, choose Clock > Timer, then flick to set the hours and minutes. Tap When Timer Ends, choose Sleep iPod, then tap Set. Then tap Start to start the timer.

When the timer ends, music or video playback stops, any open applications close, and iPod touch locks.

Changing the Browse Buttons

You can replace the Playlists, Artists, Songs, and Videos browse buttons at the bottom of the screen with ones you use more often. For example, if you listen to podcasts a lot but don't watch many videos, you could replace the Videos button with Podcasts.

Change the browse buttons: Tap More, tap Edit, then drag the button you want to add onto the button you want to replace at the bottom of the screen.

You can drag the buttons at the bottom left or right to change their order. When you finish, tap Done. Tap More at any time to access the buttons you replaced.

4 iTunes and App Store

iTunes Wi-Fi Music Store

You can browse, preview, and purchase songs and albums in the iTunes Wi-Fi Music Store and download them directly to iPod touch. You can also use the iTunes Wi-Fi Music Store to stream audio and video podcasts from the Internet, or to download them directly to iPod touch and play them there.

To purchase songs and albums from the iTunes Wi-Fi Music Store, iPod touch must be joined to a Wi-Fi network that is connected to the Internet. Podcasts can be streamed and downloaded over either a cellular or a Wi-Fi connection. See "Connecting to the Internet" on page 26.

You also need an iTunes Store account to purchase songs over Wi-Fi (the iTunes Wi-Fi Music Store is available in some countries only). If you don't already have an iTunes Store account, open iTunes on your computer and choose Store > Create Account to set one up.

You don't need an iTunes Store account to play or download podcasts.

Finding Songs, Albums, and Podcasts

Browse the featured selections to see new releases and recommendations from the iTunes Wi-Fi Music Store. Browse Top Tens to see the most popular songs and albums in several genres. Browse Podcasts to see a list of featured podcasts. To look for a specific song, album, artist, or podcast, use Search.

Browse featured songs and albums: Tap Featured and choose a genre at the top of the screen.

Browse top ten songs and albums: Tap Top Tens, choose a genre, then tap Top Songs or Top Albums.

Browse podcasts: Tap Podcasts. Video podcasts are indicated by the [icon] icon. To see a list of episodes, tap a podcast.

Search for songs, albums, and podcasts: Tap Search, tap the search field, enter one or more words, then tap Search. Search results are grouped into albums, songs, and podcasts.

See the songs on an album: Tap the album.

See the album a song is on: Double-tap the song.

See podcast episode information: Tap the podcast title.

Browsing Starbucks Selections

If you join the Starbucks Wi-Fi network at selected Starbucks locations (U.S. only), the Starbucks icon appears at the bottom of the screen next to Featured. Tap the Starbucks icon to find out what song is playing in the store, or to browse featured Starbucks collections.

For a list of participating Starbucks locations, go to www.apple.com/itunes/starbucks.

Find out what song is playing: Tap Starbucks. The currently playing song appears at the top of the screen. Tap the song to see the album it's on and the other songs on that album.

View Recently Played and other Starbucks playlists: Tap Starbucks, then choose Recently Played or one of the Starbucks playlists.

Purchasing Songs and Albums

When you find a song or album you like in the iTunes Wi-Fi Music Store, you can purchase it and download it to iPod touch. You can preview a song before you purchase it to make sure it's the one you want. At selected Starbucks locations (U.S. only), you can also preview and purchase the currently playing song and songs from featured Starbucks collections.

Preview a song: Tap the song.

Purchase and download a song or album:
1 Tap the price, then tap Buy Now.
If you were signed in to your iTunes Store account in iTunes when you last synced iPod touch, you don't have to enter your account ID. Otherwise, you're asked to enter your account ID.
2 Enter your password, then tap OK.

Your purchase is charged to your iTunes Store account. For additional purchases made within the next 15 minutes, you don't have to enter your password again.

An alert appears if you've previously purchased one or more songs from the same album. Tap Buy if you want to purchase the entire album, including the songs you've already purchased, or tap Cancel if you want to purchase the remaining songs individually.

Some albums include bonus content, which is downloaded to the iTunes library on your computer. Some bonus content isn't downloaded directly to iPod touch.

See the download status of songs and albums: Tap Downloads. To pause a download, tap [icon].

It's no problem if you turn off iPod touch or move out of range of your Wi-Fi connection while a purchase is downloading. iPod touch resumes the download the next time it joins a Wi-Fi network that is connected to the Internet. Or, if you open iTunes on your computer, iTunes completes the download to your iTunes library (provided your computer is connected to the Internet).

Purchased songs are added to the Purchased playlist on iPod touch. If you delete the Purchased playlist, a new one is created automatically the next time you buy something from the iTunes Wi-Fi Music Store.

Streaming or Downloading Podcasts

You can listen to audio podcasts or watch video podcasts streamed over the Internet from the iTunes Wi-Fi Music Store. You can also download audio and video podcasts to iPod touch. Podcasts you download to iPod touch are synced to your iTunes library when you connect iPod touch to your computer.

Stream a podcast: Tap the podcast title. An audio podcast appears in a new window with playback controls. A video podcast appears in widescreen with playback controls.

Download a podcast: Tap the Free button, then tap Download. Downloaded podcasts appear in the Podcasts list in Music.

Listen to or watch a downloaded podcast: In Music, tap Podcasts at the bottom of the screen (you may need to tap More first), then tap the podcast. Video podcasts appear in the videos list.

Get more episodes of a downloaded podcast: In the Podcasts list in Music, tap the podcast, then tap Get More Episodes.

Delete a podcast: In the Podcasts list in Music, swipe left or right across the podcast, then tap Delete.

See the download status of podcasts: Tap Downloads. To pause a download, tap [icon].

It's no problem if you turn off iPod touch or move out of range of your Wi-Fi connection while a podcast is downloading. iPod touch resumes the download the next time it joins a Wi-Fi network that is connected to the Internet.

App Store

You can browse, review, purchase, and download applications from the App Store directly to iPod touch. Applications you download and install from the App Store on iPod touch are backed up to your iTunes library the next time you sync iPod touch with your computer. You can also purchase or download applications using iTunes on your computer and install them when you sync with iPod touch.

To use the App Store, iPod touch must be joined to a Wi-Fi network that is connected to the Internet. See "Connecting to the Internet" on page 26. You also need an iTunes Store account (available in most countries) to download applications. If you don't already have an iTunes Store account, open iTunes on your computer and choose Store > Create Account to set one up.

Browsing and Searching

Browse the featured selections to see new releases and recommendations from the App Store. Browse Top 25 to see the most popular applications. To look for a specific application, use Search.

Browse featured applications: Tap Featured, then choose a featured category at the top of the screen.

Browse by category: Tap Categories, then choose a category. Within a category, choose a sort order.

Browse the top 25 applications: Tap Top 25, then scroll through the list of applications.

Search for applications: Tap Search, tap the search field, enter one or more words, then tap Search.

Info Screen

Tap an application in a list to see its detailed information, such as the price and reviews.

If you've already installed the application, "Installed" appears instead of the price on the Info screen.

Email a link to the application's Info page in iTunes: Tap "Tell a friend" near the bottom of the Info screen.

Read reviews: Tap Reviews near the bottom of the Info screen.

Report a problem: Tap Report a Problem near the bottom of the Info screen. Select a problem from the list or enter optional comments, then tap Report.

Downloading Applications

When you find an application you want in the App Store, you can purchase it and download it to iPod touch. If the application is free, you can download it without charge after entering your iTunes account information.

Once you download an application, it's installed on iPod touch immediately.

Purchase and download an application:
1 Tap the price (or Free), then tap Buy Now.
If you were signed in to your iTunes Store account in iTunes when you last synced iPod touch, you don't have to enter your account ID. Otherwise, you're asked to enter your account ID.
2 Enter your password, then tap OK.

Paid downloads are charged to your iTunes Store account. For additional downloads made within the next 15 minutes, you don't have to enter your password again.

See the download status of applications: After you begin downloading an application, its icon appears on the Home screen and shows the progress of the download and installation.

It's no problem if you turn off iPod touch or move out of range of your network connection while a purchased song is downloading. iPod touch resumes the download the next time it joins a network that is connected to the Internet.

Deleting App Store Applications

You can delete applications you've installed from the App Store. If you delete an application, the data associated with it is no longer available on iPod touch, even if you reinstall the application.

You can reinstall an application and its associated data if the application was backed up to your iTunes library by syncing with your computer. If you try to delete an application that hasn't been backed up to your computer, a warning message appears.

Delete an App Store application:
1 On the Home screen, touch and hold the application icon until the icons begin to wiggle.
2 Tap the "x" in the corner of the application you want to delete.
3 Tap Delete, then press the Home button to save your arrangement.

To overwrite the data associated with an application, use "Erase All Content and Settings" in iPod touch settings. See "Resetting iPod touch" on page 94.

Writing Reviews

You can write and submit reviews of the applications you use directly on iPod touch.

Write a review:
1 Tap Reviews near the bottom of the Info screen.
2 On the Reviews screen, tap "Write a Review."
3 Choose a star rating (1 to 5) for the application, then enter a title for the review and optional review comments. If you've written reviews before, your nickname is filled in automatically. Otherwise, you're asked whether you want to create a reviewer nickname.
4 Tap Send.

You must be signed in to your iTunes Store account to submit a review.

Updating Applications

Whenever you access the App Store, it automatically checks for updates to the applications you've installed. By default, the App Store also checks for updates automatically once a week. The App Store icon shows the total number of application updates available.

If an update is available, the Updates screen appears as soon as you access the App Store. Application updates are free. If you choose to update, the update is installed automatically after it downloads. Application upgrades are treated as new releases, which you can purchase or download from the App Store on iPod touch or from the iTunes Store on your computer.

Update an application:
1 Tap Updates at the bottom of the screen.
2 Tap an application to see the update details.
3 Tap Update.

Update all applications: Tap Updates at the bottom of the screen, then tap Update All.

If an application you're updating was purchased with a different iTunes Store account, you're asked for that account's ID and password in order to download the update.

Syncing Purchased Content

When you connect iPod touch to your computer, the songs, albums, podcasts, and applications you downloaded or purchased on iPod touch are synced to your iTunes library automatically. This lets you listen to your downloads on your computer, and also provides a backup if you delete applications or purchased content from iPod touch.

Songs are synced to the "Purchased on <name of your iPod touch>" playlist. This playlist is created automatically if it doesn't exist. Songs are also synced to the Purchased playlist used for purchases made on your computer, if that playlist already exists and is set to sync with iPod touch.

Downloaded podcasts are synced to the Podcasts list in your iTunes library.

Downloaded applications are backed up the next time you sync with iTunes.
After that, only the application data is backed up when you sync with iTunes.

Applications are synced to the Applications list in your iTunes library. This list is created automatically if it doesn't exist.

Verifying Purchases

You can use iTunes to verify that all the music, videos, applications, and other items you purchased from the iTunes Wi-Fi Music Store or the App Store are in your iTunes library. This is reassuring to check if a download was interrupted.

Verify your purchases:
1 Make sure your computer is connected to the Internet.
2 In iTunes, choose Store > Check for Available Downloads.
3 Enter your iTunes Store account ID and password, then click Check.

Any purchases not yet downloaded to your computer are downloaded.

The Purchased playlist displays all your purchases. However, because you can add and remove items in this list, it might not be accurate. To see all of your purchases, sign in to your account, choose Store > View My Account (<account name>), and click Purchase History.

Updating Your Account

iPod touch gets your iTunes Store account information from iTunes. You can view and change your iTunes Store account information using iTunes on your computer.

View and change your iTunes Store account information: In iTunes, choose Store > View My Account (<account name>).

You must be signed in to your iTunes Store account. If "View My Account (<account name>)" doesn't appear in the Store menu, choose Store > Sign In.

Purchase music or applications from another iTunes Store account: Sign in to that account when you connect to the iTunes Wi-Fi Music Store, or when you purchase or download an application from the App Store.

5 Safari

Safari on iPod touch lets you browse the web and view webpages the way you do on your computer. You can create bookmarks on iPod touch and sync them with your computer. Add web clips to quickly access your favorite sites directly from the Home screen.

To use Safari, iPod touch must be joined to a Wi-Fi network that is connected to the Internet. See "Connecting to the Internet" on page 26.

Viewing Webpages

You can view webpages in either portrait or landscape orientation. Rotate iPod touch and the webpage rotates too, automatically adjusting to fit the page.

Opening Webpages

Open a webpage: Tap the address field (on the left side of the title bar), type the web address, then tap Go. If the address field isn't visible, tap the status bar at the top of the screen to quickly scroll to the address field at the top of the webpage.

As you type, web addresses that begin with those letters appear. These are bookmarked pages or pages you've opened recently. Tap an address to go to that page. Keep typing if you want to enter a web address that's not in the list.

Erase the text in the address field: Tap the address field, then tap [icon].

Zooming and Scrolling

Zoom in or out: Double-tap a column on a webpage to expand the column. Double-tap again to zoom back out. You can also pinch to zoom in or out manually.

Scroll around a webpage: Drag up, down, or sideways. When scrolling, you can touch and drag anywhere on the page without activating any links.
Scroll within a frame on a webpage: Use two fingers to scroll within a frame on a webpage. Use one finger to scroll the entire webpage.
Scroll quickly to the top of a webpage: Tap the status bar at the top of the iPod touch screen.

Navigating Webpages

Links on webpages typically take you to another location on the web.

Follow a link on a webpage: Tap the link.

You can also use links on iPod touch to display a location in Maps or create a preaddressed Mail message. To return to Safari after a link opens another application, press the Home button and tap Safari.

See a link's destination address: Touch and hold the link. The address pops up next to your finger. If an image is also a link, touch and hold the image to see its address.
Stop a webpage from loading: Tap [icon].
Reload a webpage: Tap [icon].
Return to the previous or next page: Tap [icon] or [icon] at the bottom of the screen.
Return to a recently viewed page: Tap [icon], then tap History. To clear the history list, tap Clear.
Send a webpage address via email: Tap [icon], then tap "Mail Link to this Page."
Save an image or photo to your Photo Library: Touch and hold the image, then tap Save Image.

Opening Multiple Pages

You can have up to eight pages open at a time. Some links automatically open a new page instead of replacing the current one.

The number inside the pages icon [icon] at the bottom of the screen shows how many pages are open. If there's no number inside, just one page is open. For example: [icon] = one page is open; [icon] = three pages are open.

Open a new page: Tap [icon], then tap New Page.

Go to another page: Tap [icon], then flick left or right. Tap the page you want to view.

Close a page: Tap [icon], then tap [icon]. You can't close a page if it's the only one open.

Entering Text and Filling Out Forms

Some webpages have text fields and forms to fill out.

Bring up the keyboard: Tap inside a text field.
Move to another text field: Tap another text field, or tap the Next or Previous button.
Submit a form: When you finish filling out the form, tap Go or Search. Most pages also have a link you can tap to submit the form.
Close the keyboard without submitting the form: Tap Done.

Searching the Web

By default, Safari searches using Google. You can search using Yahoo! instead.

Search the web:
1 Tap the search field (on the right side of the title bar).
2 Type a word or phrase that describes what you're looking for, then tap Google.
3 Tap a link in the list of search results to open a webpage.

Set Safari to search using Yahoo!: From the Home screen, choose Settings > Safari > Search Engine, then choose Yahoo!.

Bookmarks

You can bookmark webpages you want to return to later.

Bookmark a webpage: Open the page and tap [icon]. Then tap Add Bookmark.

When you save a bookmark, you can edit its title. By default, bookmarks are saved at the top level of Bookmarks. Tap Bookmarks to choose another folder.

If you use Safari on a Mac, or Safari or Microsoft Internet Explorer on a PC, you can sync bookmarks with the web browser on your computer.

Sync bookmarks with your computer:
1 Connect iPod touch to your computer.
2 In iTunes, select iPod touch in the sidebar.
3 Click the Info tab, select "Sync … bookmarks" under Web Browser, then click Apply.

See "Syncing with iTunes" on page 6.

Sync bookmarks with MobileMe: In Settings on iPod touch, select Bookmarks in your MobileMe account. See "Setting Up Accounts" on page 10.

Open a bookmarked webpage: Tap [icon], then choose a bookmark. To see the bookmarks inside a folder, tap the folder.

Edit a bookmark or bookmark folder: Tap [icon], choose the folder that contains the bookmark or folder you want to edit, then tap Edit. Then do any of the following:
• To make a new folder, tap New Folder.
• To delete a bookmark or folder, tap [icon], then tap Delete.
• To reposition a bookmark or folder, drag [icon].
• To edit the name or address, or to put it in a different folder, tap the bookmark or folder.

When you finish, tap Done.

Web Clips

Add web clips to the Home screen for fast access to your favorite webpages. Web clips appear as icons on the Home screen, and you can arrange them along with the other icons. See "iPod touch Applications" on page 16.

Add a web clip: Open the webpage and tap [icon]. Then tap "Add to Home Screen."

When you open a web clip, Safari automatically zooms and scrolls to the area of the webpage that was displayed when you saved the web clip. The displayed area is also used to create the icon for the web clip on the Home screen, unless the webpage comes with its own icon.

When you add a web clip, you can edit its name. If the name is too long (more than about 10 characters), it may appear abbreviated on the Home screen.

Web clips aren't bookmarks, and aren't synced by MobileMe or iTunes.

Delete a web clip:
1 Touch and hold any icon on the Home screen until the icons begin to wiggle.
2 Tap the "x" in the corner of the web clip you want to delete.
3 Tap Delete, then press the Home button to save your arrangement.

6 Mail

Mail works with MobileMe, Microsoft Exchange, many of the most popular email systems (including Yahoo! Mail, Google email, and AOL), and other industry-standard POP3 and IMAP email systems. You can send and receive embedded photos and graphics, and view PDFs and other attachments.

To download and send messages in Mail, iPod touch must be joined to a Wi-Fi network that is connected to the Internet. See "Connecting to the Internet" on page 26.

Setting Up Email Accounts

You can set up email accounts on iPod touch in either of the following ways:
• In iTunes, use the iPod touch preference panes to sync email account settings from your computer. See "Syncing with iTunes" on page 6.
• Set up an account directly on iPod touch. See "Setting Up Accounts" on page 10.

Sending Email

You can send an email message to anyone who has an email address.

Compose and send a message:
1 Tap [icon].
2 Type a name or email address in the To field, or tap [icon] to add a name from your contacts.
As you type an email address, matching email addresses from your contacts list appear below. Tap an address to add it. To add another name, tap Return or [icon].

Note: If you're composing a message from your Microsoft Exchange account and have access to your company's Global Address List (GAL), matching addresses from the contacts on iPod touch appear first, followed by matching GAL addresses.

3 Tap Cc, Bcc, or From if you want to copy or blind-copy the message to others, or change the account you send the message from. If you have more than one email account, you can tap the From field to change the sending account.
4 Enter a subject, then your message. Tap Return to move from one field to the next.
5 Tap Send.

Send a photo in a message: In Photos, choose a photo, tap [icon], then tap Email Photo. The photo is sent using your default email account (see "Mail" on page 98).
Save a draft of a message to complete later: Tap Cancel, then tap Save. The message is saved in the Drafts mailbox.
Reply to a message: Tap [icon]. Tap Reply to reply to just the sender, or Reply All to reply to the sender and all recipients. Type your reply, then tap Send. Files or images attached to the original message aren't sent back.
Forward a message: Open the message and tap [icon], then tap Forward. Add one or more email addresses, type your message, then tap Send. When you forward a message, you can include the files or images attached to the original message.

Checking and Reading Email

The Mail icon shows the total number of unread messages in all your inboxes. You may have other unread messages in other mailboxes.

[Number of unread messages in your inboxes]

On each account screen, you can see the number of unread messages in each mailbox.

[Number of unread messages; tap to see all your email accounts]

Tap a mailbox to see its messages. Unread messages have a blue dot next to them.

[Unread message]

When you open a mailbox, Mail loads the number of most recent messages specified in your Mail settings, if the messages haven't already been loaded automatically. (See "Mail" on page 98.)

Load additional messages: Scroll to the bottom of the list of messages and tap "Load More Messages."

Read a message: Tap a mailbox, then tap a message. Within a message, tap [icon] or [icon] to see the next or previous message.

Zoom in to part of a message: Double-tap an area of the message to zoom in. Double-tap again to zoom back out.
Resize a column of text to fit the screen: Double-tap the text.
Resize a message manually: Pinch to zoom in or out.
Follow a link: Tap the link. Text links are typically underlined and shown in blue. Many images are links as well. Tapping a link can open a webpage, open a map, or open a new email message addressed to the specified address. Web and map links open Safari or Maps on iPod touch. To return to Mail, press the Home button and tap Mail.
See a link's destination address: Touch and hold the link. The address pops up next to your finger.

iPod touch displays most picture attachments (JPEG, GIF, and TIFF) inline with the text in email messages. iPod touch can play many audio attachments (such as MP3, AAC, WAV, and AIFF). You can download and view files attached to messages you receive (PDF, webpage, text, Pages, Keynote, Numbers, and Microsoft Word, Excel, and PowerPoint documents).

Open an attached file: Tap the attachment. The file downloads to iPod touch and then opens.

[Tap the attachment to download it]

You can view attachments in portrait or landscape orientation. If the format of an attached file isn't supported by iPod touch, you can see the name of the file but you can't open it. iPod touch supports the following document types:

.doc      Microsoft Word
.docx     Microsoft Word (XML)
.htm      webpage
.html     webpage
.key      Keynote
.numbers  Numbers
.pages    Pages
.pdf      Preview, Adobe Acrobat
.ppt      Microsoft PowerPoint
.pptx     Microsoft PowerPoint (XML)
.txt      text
.vcf      contact information
.xls      Microsoft Excel
.xlsx     Microsoft Excel (XML)

Save an attached photo to your Photo Library: Touch and hold the image, then tap Save Image.

Check for new messages: Choose a mailbox, or tap [icon] at any time.
See all the recipients of a message: Tap Details. Tap a name or email address to see the recipient's contact information. To contact the recipient, tap an email address or text message. Tap Hide to hide the recipients.
Add an email recipient to your contacts list: Tap the message and, if necessary, tap Details to see the recipients. Then tap a name or email address and tap "Create New Contact" or "Add to Existing Contact."
Mark a message as unread: Open the message and tap "Mark as Unread." A blue dot [icon] appears next to the message in the mailbox list. The dot disappears when you open the message again.

Open a meeting invitation: Tap the invitation.

You can get the contact information for the organizer and other attendees, set an alert, add notes to the event, and add comments to include in the email response to the organizer. You can accept, tentatively accept, or decline the invitation. See "Responding to Meeting Invitations" on page 76.

Turn Push on or off: In Settings, choose Fetch New Data, then tap Push. See "Fetching New Data" on page 89.

Organizing Email

You can delete messages one at a time, or select a group and delete them all at once. You can also move messages to another mailbox or folder.

Delete a message: Open the message and tap [icon]. Or tap Edit, then tap [icon] next to the message.

You can also delete a message directly from the mailbox message list by swiping from left to right across the message title, then tapping Delete.

[Swipe from left to right across the message to reveal the Delete button]

Delete multiple messages: When viewing a list of messages, tap Edit, select the messages you want to delete, then tap Delete.

Move a message to a different mailbox or folder: When viewing a message, tap [icon], then choose a mailbox or folder.

Move multiple messages: When viewing a list of messages, tap Edit, select the messages you want to move, then tap Move and choose a mailbox or folder.

7 More Applications

Maps

Maps provides street maps, satellite photos, and hybrid views of locations in many countries around the world.
You can get detailed driving directions and check traffic conditions. You can also find your approximate current location and get driving directions from where you are to another location (or vice versa).[1]

To use Maps, iPod touch must be joined to a Wi-Fi network that is connected to the Internet. See "Connecting to the Internet" on page 26.

WARNING: For important information about driving and navigating safely, see the Important Product Information Guide at www.apple.com/jp/support/manuals/ipodtouch.

Finding and Viewing Locations

Find a location and see a map:
1 Tap the search field to bring up the keyboard.
2 Type an address, intersection, area, landmark, bookmark, contact, or postal code.
3 Tap Search.

A pin marks the location. Tap the pin to see the name or description of the location.

[1] Maps, directions, and location information depend on data collected and services provided by third parties. These data services are subject to change and may not be available in all geographic areas, so maps, directions, or location information may be unavailable, inaccurate, or incomplete. For more information, see www.apple.com/jp/ipodtouch. In order to provide your location, data is collected in a form that doesn't personally identify you. If you don't want such data collected, don't use the feature. Not using this feature doesn't affect the functionality of iPod touch.

[Tap [icon] to get information about the location, get directions, or add the location to your bookmarks or contacts list]

Zoom in to part of a map: Pinch the map with two fingers. Or double-tap the part you want to zoom in on. Double-tap again to zoom in even closer.
Zoom out: Pinch the map. Or tap the map with two fingers. Tap with two fingers again to zoom out further.
Pan or scroll to another part of the map: Drag up, down, left, or right.

Find your current location: Tap [icon].

iPod touch uses Location Services to determine your approximate current location. Location Services uses information it can gather from local Wi-Fi networks (if Wi-Fi is turned on). The more precise the information, the more accurately your location is indicated. This feature isn't available in all areas.

If Location Services is off, you're prompted to turn it on. You can't find your current location while Location Services is off. See "Location Services" on page 91.

A circle marks your approximate current location. The size of the circle depends on how precisely your location can be determined. If you drag the map and tap [icon] again, iPod touch centers the map back on your current location.

Note: To save battery life, turn Location Services off when you're not using it. In Settings, choose General > Location Services.

Use the dropped pin: Tap [icon], then tap Drop Pin. A pin dropped on the map can then be dragged to any location you choose.

Quickly move the pin to the area currently displayed: Tap [icon], then tap Replace Pin.

See a satellite or hybrid view: Tap [icon], then tap Satellite to see satellite photos only, or Hybrid to see street maps combined with satellite photos. To return to map view, tap Map.

See the location of an address in your contacts list: Tap [icon] in the search field, then tap Contacts and choose a contact. To locate an address in this way, the contact must include at least one address. If the contact has more than one address, you must choose the one you want to locate. You can also find the location of an address by tapping the address directly in Contacts.
Add a location to your contacts list: Find the location, tap the pin that marks it, tap [icon] next to the name or description, tap "Add to Contacts," then tap "Create New Contact" or "Add to Existing Contact."

Bookmarking Locations

You can bookmark locations you want to return to later.

Bookmark a location: Find the location, tap the pin that marks it, tap [icon] next to the name or description, then tap "Add to Bookmarks" at the bottom of the Info screen.

See a bookmarked or recently viewed location: Tap [icon] in the search field, then tap Bookmarks or Recents.

Getting Directions

You can get step-by-step driving directions to a destination.

Get directions:
1 Tap Directions.
2 Enter the starting and ending locations in the Start and End fields. By default, iPod touch uses your approximate current location (when available) as the starting point. Tap [icon] in either field and choose a location in Bookmarks (including your approximate current location and the dropped pin, when available), Recents, or Contacts.
For example, if a friend's address is in your contacts list, you can tap Contacts and tap your friend's name instead of typing the address.
To reverse the directions, tap [icon].
3 Tap Route (if you entered the locations manually).
4 Do one of the following:
• To view the directions one step at a time, tap Start, then tap [icon] to see the next leg of the trip. Tap [icon] to go back.
• To view all the directions in a list, tap [icon], then tap List. Tap any item in the list to see a map of that leg of the trip. Tap Route Overview to return to the overview screen.

The approximate distance and driving time appear at the top of the screen. If traffic data is available, the driving time is adjusted accordingly.

You can also get directions by finding a location on the map, tapping the pin that marks it, tapping [icon], then tapping "Directions To Here" or "Directions From Here."

Switch the start and end points to get reverse directions: Tap [icon]. If you don't see [icon], tap List, then tap Edit.

See recently viewed directions: Tap [icon] in the search field, then tap Recents.

Showing Traffic Conditions

When traffic conditions are available, you can show highway traffic conditions on the map.

Show or hide traffic conditions: Tap [icon], then tap Show Traffic or Hide Traffic. Highways are color-coded according to the flow of traffic:

Gray = no data currently available
Red = less than 40 km/h (25 mph)
Yellow = 40 to 80 km/h (25 to 50 mph)
Green = more than 80 km/h (50 mph)

If you don't see color-coded highways, you may need to zoom out to a level where major roads are visible, or traffic conditions may not be available for that area.

Finding and Contacting Businesses

Find businesses in an area:
1 Find a location (for example, a city, prefecture, country, or street address), or scroll to a location on the map.
2 Type the kind of business in the text field and tap Search.

Pins appear at matching locations. For example, if you find your city and then type "movies" and tap Search, pins mark the movie theaters in that city.

Tap the pin that marks a business to see its name or description.

Find businesses without finding the location first: Type things like:
• restaurants San Francisco California
• Apple Inc. New York

Contact a business or get directions: Tap the pin that marks the business, then tap [icon] next to the name.

[Get directions; Visit the website; Tap [icon] to see contact information]

From there, you can do the following:
• Tap an email address to send email, or a web address to visit a website.
• For directions, tap "Directions To Here" or "Directions From Here."
• To add the business to your contacts list, scroll down and tap "Create New Contact" or "Add to Existing Contact."

See a list of the businesses found in the search: From the Map screen, tap List. Tap a business to see its location. Tap [icon] next to a business to see its information.

YouTube

YouTube features short videos submitted by people from around the world. (Available in some languages only, and may not be available in all locations.)

To use YouTube, iPod touch must be joined to a Wi-Fi network that is connected to the Internet. See "Connecting to the Internet" on page 26.

Finding and Viewing Videos

You can browse YouTube or search for videos you want to see.

Browse videos: Tap Featured, Most Viewed, or Bookmarks. Or tap More to browse Most Recent, Top Rated, or History.
• Featured: Videos reviewed and featured by YouTube staff.
• Most Viewed: Videos most seen by YouTube users. Tap All to see the most viewed videos of all time, or Today, Yesterday, or This Week to see the most viewed videos for that period.
• Bookmarks: Videos you've bookmarked.
• Most Recent: Videos most recently submitted to YouTube.
• Top Rated: Videos most highly rated by YouTube users. You can rate videos at www.youtube.jp.
• History: Videos you've viewed most recently.

Search for a video:
1 Tap Search, then tap the YouTube search field.
2 Type a word or phrase that describes the video you're looking for, then tap Search. YouTube shows results based on video titles, descriptions, tags, and user names.

Play a video: Tap the video.

The video begins downloading to iPod touch and a progress bar appears. When enough of the video has downloaded, it begins playing. You can also tap [icon] to start the video.

Controlling Video Playback

When a video starts playing, the controls disappear so they don't obscure the video.

Show or hide the video controls: Tap the screen.

[YouTube video controls: Next/Fast-forward, Play/Pause, Email, Scale, Download progress, Volume, Previous/Rewind, Bookmark, Playhead, Scrubber bar]

Play or pause a video: Tap [icon] or [icon].
Raise or lower the volume: Drag the volume slider. Or use the volume buttons on the side of iPod touch.
Restart a video: Tap [icon].
Skip to the next or previous video: Tap [icon] twice to skip to the previous video. Tap [icon] to skip to the next video.
Rewind or fast-forward: Touch and hold [icon] or [icon].
Skip to any point in a video: Drag the playhead along the scrubber bar.
Stop watching a video before it finishes: Tap Done. Or press the Home button.
Scale a video to fill the screen or fit the whole video on the screen: Double-tap the video. Tap [icon] to make the video fill the screen. Or tap [icon] to fit the whole video on the screen.
Bookmark a video: Tap [icon] next to the video title, then tap Bookmark. Or start playing the video and tap [icon]. Tap Bookmarks to see your bookmarked videos.
Email a link to a video: Tap [icon] next to the video, then tap Share. Or start playing the video and tap [icon].
See details about a video and browse related videos: Play the video in full screen and tap Done while it's playing. Or tap [icon] next to a video in a list. iPod touch shows the video's rating, description, date added, and other information. You also see a list of related videos, which you can tap to play.

Changing the Browse Buttons

You can replace the Featured, Most Viewed, Bookmarks, and Search buttons at the bottom of the screen with ones you use more often. For example, if you watch top-rated videos often but don't watch many featured videos, you could replace the Featured button with Top Rated.

Change the browse buttons: Tap More, tap Edit, then drag the button you want to add onto the button you want to replace at the bottom of the screen.

You can drag the buttons at the bottom left or right to change their order. When you finish, tap Done.

When you're browsing for videos, tap More to access the browse buttons that aren't visible.

Adding Your Own Videos to YouTube

For information about adding your own videos to YouTube, go to www.youtube.jp and tap Help.

Photos

iPod touch lets you carry photos with you, so you can share them with family, friends, and others.

Syncing Photos with Your Computer

iTunes can sync your photos with the following applications:
• Mac: iPhoto 4.0.3 or later, or Aperture
• PC: Adobe Photoshop Album 2.0 or later, or Adobe Photoshop Elements 3.0 or later

See "What You Need" on page 5.

Viewing Photos

Photos synced from your computer can be viewed in the Photos application.

View photos:
1 In Photos, do one of the following:
• Tap Photo Library to see all your photos.
• Tap a photo album to see just the photos in that album.
2 Tap a thumbnail to see the photo in full screen.

Show or hide the controls: Tap the full-screen photo to show the controls. Tap again to hide them.

View a photo in landscape orientation: Rotate iPod touch sideways. The photo automatically reorients and, if it's in landscape format, expands to fill the screen.

Zoom in on part of a photo: Double-tap where you want to zoom in. Double-tap again to zoom back out. You can also pinch to zoom in or out.

Pan a photo: Drag the photo.

See the next or previous photo: Flick left or right with your finger. Or tap the screen to show the controls, then tap [icon] or [icon].

Slideshows

You can view your photos as a slideshow, complete with background music.

View photos in a slideshow: Choose a photo album, then tap [icon]. You can also start a slideshow by tapping [icon] while viewing an individual photo. If you don't see [icon], tap the photo to show the controls.

Stop a slideshow: Tap the screen.

Set slideshow settings: In Settings, choose Photos and set the following options:
• To set how long each slide is shown, tap "Play Each Slide For" and choose a time.
• To set the transition effect when moving from photo to photo, tap Transition and choose a transition type.
• To set whether slideshows repeat, turn Repeat on or off.
• To show photos in random order or in sequence, turn Shuffle on or off.

Play music during a slideshow: Play a song in iPod, then choose Photos from the Home screen and start a slideshow.

Wallpaper

You see the wallpaper picture when you unlock iPod touch.

Set a photo as wallpaper:
1 Choose a photo, tap [icon], then tap Use As Wallpaper.
2 Drag the photo to pan, or pinch it to zoom in or out, to adjust how it looks.
3 Tap Set Wallpaper.

You can also choose from several wallpaper pictures included with iPod touch by choosing Settings > Wallpaper > Wallpaper from the Home screen.

Saving Images from an Email Message or Webpage

You can add images attached to an email message or found on a webpage to your Photo Library.

Add a photo to your Photo Library: Touch and hold the photo, then tap Save Image.

The image is added to your Photo Library. You can upload the pictures to a photo application on your computer by connecting iPod touch to your computer.

Emailing a Photo

Email a photo: Choose a photo, tap [icon], then tap Email Photo.

iPod touch must be set up for email and joined to a Wi-Fi network that is connected to the Internet. See "Setting Up Email Accounts" on page 57.

Sending a Photo to a MobileMe Gallery

If you have a MobileMe account, you can send photos directly from iPod touch to a gallery you've created. You can also send photos to someone else's MobileMe gallery if that person has enabled email contributions.

Before you can send photos, you must:
• Set up your MobileMe account on iPod touch
• Publish a MobileMe gallery and allow photo uploads via email
• Join a Wi-Fi network that is connected to the Internet

For more information about creating a gallery, see MobileMe Help.

Send a photo to a gallery: Choose a photo, tap [icon], then tap "Send to MobileMe."

Assigning a Photo to a Contact

You can assign a photo to a contact.

Assign a photo to a contact:
1 Choose a photo on iPod touch and tap [icon].
2 Tap "Assign to Contact" and choose a contact.
3 Position and size the photo the way you want it. Drag the photo to pan, and pinch to zoom in or out.
4 Tap Set Photo.

You can also assign a photo to a contact by tapping Edit and then tapping the picture icon.

Calendar

Calendar lets you view your events in a continuous list, by day, or by month. You can sync iPod touch with the calendars on your computer. Appointments you make, edit, or cancel on iPod touch are synced back to your computer. If you have a Microsoft Exchange account, you can also receive and respond to meeting invitations.

Syncing Calendars

You can sync calendars in either of the following ways:
• In the iPod touch preference panes in iTunes, set iPod touch to sync with iCal or Microsoft Entourage on a Mac, or with Microsoft Outlook 2003 or Microsoft Outlook 2007 on a PC, when you connect iPod touch to your computer. See "Syncing with iTunes" on page 6.
• In Settings on iPod touch, select Calendars in your MobileMe or Microsoft Exchange account to sync your calendar information over the air. See "Setting Up Accounts" on page 10. To sync calendars, iPod touch must be joined to a Wi-Fi network that is connected to the Internet. See "Connecting to the Internet" on page 26.

Adding Calendar Events to iPod touch

You can also enter and edit calendar events directly on iPod touch.

Add an event: Tap [icon], enter the event information, then tap Done.

You can enter any of the following:
• Title
• Location
• Starting and ending times (or turn on All-day for an all-day event)
• Repeat interval: none, daily, weekly, every two weeks, monthly, or yearly
• Alert time: from five minutes to two days before the event
When you set an alert, the option to set a second alert appears. When an alert goes off, iPod touch displays a message. You can also set iPod touch to play a sound (see below).
Important: When you're traveling, iPod touch alerts may not go off at the correct local time. To set the correct time manually, see "Date and Time" on page 93.
• Notes

To choose which calendar to add the event to, tap Calendar. Read-only calendars don't appear in the list.

Edit an event: Tap the event, then tap Edit.
Delete an event: Tap the event, tap Edit, then scroll down and tap Delete Event.

Responding to Meeting Invitations

If you have a Microsoft Exchange account set up on iPod touch with Calendars enabled, you can receive and respond to meeting invitations from people in your organization. When you receive an invitation, the meeting appears in your calendar outlined with a dotted line. The [icon] icon in the lower-right corner of the screen shows the total number of new invitations. The number is also shown on the Calendar icon on the Home screen.

To receive and respond to meeting invitations, iPod touch must be joined to a Wi-Fi network that is connected to the Internet.

[Number of meeting invitations]

Respond to an invitation in Calendar:
1 Tap a meeting invitation in the calendar, or tap [icon] to display the Event screen and tap an invitation.
• Tap "Invitation from" to get the meeting organizer's contact information. Tap the email address to send a message to the organizer.
• Tap Invitees to see the other people invited to the meeting. Tap a name to see an attendee's contact information. Tap the email address to send a message to the attendee.
• Tap Alert to set iPod touch to sound an alert before the meeting.
• Tap Add Comments to add comments to the email response sent to the meeting organizer. Your comments also appear in your Info screen for the meeting. Notes are made by the meeting organizer.
2 Tap Accept, Maybe, or Decline.

When you accept, tentatively accept, or decline the invitation, a response email that includes any comments you added is sent to the organizer.

If you accept or tentatively accept the meeting, you can change your response later. Tap Add Comments if you want to change your comments.

Exchange meeting invitations are also sent in an email message, which lets you open the meeting's Info screen from Mail.

Open a meeting invitation in an email message: Tap the invitation.

Alerts

Set calendar alerts: In Settings, choose General > Sounds, then turn Calendar Alerts on. If Calendar Alerts is off, iPod touch displays a message just before an event but makes no sound.

Set invitation alerts: In Settings, choose "Mail, Contacts, Calendars." Under Calendar, tap New Invitation Alerts to turn it on.

Viewing Your Calendar

You can view your calendar events in a list, by day, or by month. On iPod touch, events from all your synced calendars appear in the same calendar.

Switch views: Tap List, Day, or Month.
• List view: All your appointments and events appear in a scrollable list.
• Day view: Scroll up or down to see all the events in a day. Tap [icon] or [icon] to see the previous or next day's events.
• Month view: Tap a day to see its events. Tap [icon] or [icon] to see the previous or next month.

[Month view: days with a dot have scheduled events; Add an event; Switch views; Events for the selected day; Go to today; Respond to a calendar invitation]

See an event's details: Tap the event.

Contacts

Importing and Syncing Contacts

You can add contacts to iPod touch in the following ways:
• In iTunes, sync contacts with applications on your computer (see "Syncing with iTunes" on page 6)
• On iPod touch
MobileMeまたは Microsoft Exchangeアカウントを設定して、「連絡先」を有 効にします( 10 ページの「アカウントを設定する」を参照してください)  Exchangeアカウントを設定するプロファイルをインストールして、「連絡先」を有効にします(12ペー ジの「構成プロファイルをインストールする」を参照してください)  iPod touch で直接、連絡先を入力します 連絡先を検索する iPod touch の連絡先で名、姓、および会社名を検索できます。iPod touch で Microsoft Exchangeアカウントを設定した場合は、会社のグローバルアドレス一覧(GAL)で組織内の連絡先 を検索できることもあります。 検索情報を入力するときは、入力を開始すると同時に一致する連絡先が表示されます。 連絡先を検索する:「連絡先」で、連絡先リストの上部にある検索フィールドをタップし、名、姓、ま たは会社名を入力します。GALを検索する:「グループ」をタップし、リストの下部にある「ディレクトリ」をタップして、名、姓、 または会社名を入力します。 GALの連絡先は、編集したり iPod touch に保存したりできません。 iPod touch で連絡先を管理する iPod touch で連絡先を追加する: 「連絡先」をタップし、 をタップします。 連絡先を削除する 「連絡先」で、連絡先を選択して、「編集」をタップします。 下方向にスクロールして、「連絡先を削除」をタップします。 キーパッドから連絡先を追加する 「キーパッド」をタップし、番号を入力して、 をタッ プします。「新規連絡先を作成」をタップして情報を入力 するか、「既存の連絡先に追加」をタップして連絡先を選 択します。 連絡先情報を編集する 「連絡先」で、連絡先を選択して、「編集」をタップします。 項目を追加するには、 をタップします。項目を削除す るには、 をタップします。 番号にポーズを入れる をタップし、「一時停止」をタップします。番号を保 存すると、ポーズはカンマで表示されます。 写真を連絡先に割り当てる: 1 「連絡先」をタップし、連絡先を選択します。 2 「編集」をタップし、「写真を追加」をタップします。または既存の写真をタップします。 3 「写真を選択」をタップして写真を選択します。 4 写真をドラッグしてサイズを調整します。 5 「写真を設定」をタップします。 株価 「株価」では、選択した銘柄について入手できる最新の株式相場を確認できます。「株価」を使用する には、インターネットに接続された Wi-Fiネットワークに iPod touch が接続されている必要があり ます。26ページの「インターネットに接続する」を参照してください。 株式相場を表示する インターネットに接続されている状態で「株価」を開くと、そのたびに株式相場がアップデートされます。 株式相場がアップデートされるまでに、最大で 20分かかります。 株価リーダーに銘柄、指数、ファンドを追加する: 1 をタップしてから をタップします。 2 銘柄コード、会社名、指数、またはファンド名を入力してから、「検索」をタップします。 80 第 7章 その他のアプリケーション第 7章 その他のアプリケーション 81 3 検索リストで項目を選択します。 長期または短期の株価の推移を表示する: 銘柄コードをタップしてから、「1日」、「1週」、「1月」、「3月」、 「6月」、「1年」、または「2年」をタップします。グラフが調整されて、1日、1週、1カ月、3カ月、 6カ月、1年、または 2年間の推移が表示されます。 銘柄を削除する: をタップし、銘柄の横にある をタップしてから、「削除」をタップします。 銘柄を並べ替える: をタップします。次に、銘柄の横にある を新しい位置までドラッグします。 変動額または変動率を表示する: 変動を示す数字をタップします。元に戻すときは、もう一度タップし ます。または、 をタップして「%」または「株価」をタップします。 詳細情報を見る Yahoo.comで銘柄に関する情報を見る: 銘柄を選択して、 をタップします。 株価に関連するニュース、情報、Webサイトなどを見ることができます。 天気 「天気」では、世界中の 1つまたは複数の都市の現在の気温と6日分の予報を見ることができます。「天 気」を使用するには、インターネットに接続された Wi-Fiネットワークに iPod touch が接続されてい る必要があります。26ページの「インターネットに接続する」を参照してください。 天気概況を見る 
Tap Weather from the Home screen to see the current weather for the selected city.

[Figure: Weather screen: six-day forecast; current temperature; current conditions; today's high and low; add or delete cities; number of cities stored]

If the weather board is light blue, it is daytime in that city (6:00 a.m. to 6:00 p.m.). If the board is dark purple, it is nighttime (6:00 p.m. to 6:00 a.m.).

Add a city:
1. Tap the info button, then tap the add button.
2. Enter a city name or postal code, then tap Search.
3. Choose a city in the search list.

Switch to another city: Flick left or right, or tap to the left or right of the row of dots. The number of dots below the weather board shows how many cities are stored.

Reorder cities: Tap the info button, then drag the reorder handle next to a city to a new place in the list.

Delete a city: Tap the info button, tap the delete button next to a city, then tap Delete.

Display the temperature in Fahrenheit or Celsius: Tap the info button, then tap °F or °C.

Viewing More Weather Information

You can see a more detailed weather report, news, websites related to the city, and more.

See information about a city at Yahoo.com: Tap the Yahoo! button.

Notes

Writing and Reading Notes

Notes are listed by the date they were added, with the most recent note at the top. The list shows the first few words of each note.

Add a note: Tap the add button, then type your note and tap Done.

Read a note: Tap the note. Tap the next or previous arrow to see the next or previous note.

Edit a note: Tap anywhere on the note to bring up the keyboard.

Delete a note: Tap the note, then tap the trash button.

Emailing Notes

Email a note: Tap the note, then tap the mail button.

To email a note, iPod touch must be set up for email. See "Setting Up Email Accounts" on page 57.

Calculator

Using the Calculator

Tap numbers and functions in Calculator just as you would with a standard calculator. When you tap the "+", "-", "×", or "÷" button, a white ring appears around the button to show which operation is being carried out. Rotate iPod touch sideways to get an expanded scientific calculator.

Standard Memory Functions
- C: Tap to clear the displayed number.
- MC: Tap to clear the number in memory.
- M+: Tap to add the displayed number to the number in memory. If there is no number in memory, tap to store the displayed number in memory.
- M-: Tap to subtract the displayed number from the number in memory.
- MR: Tap to replace the displayed number with the number in memory. If the button has a white ring around it, there is a number stored in memory.

The stored number remains in memory when you switch between the standard and scientific calculators.

Scientific Calculator Keys

Rotate iPod touch sideways to display the scientific calculator.
- 2nd: Changes the trigonometric buttons (sin, cos, tan, sinh, cosh, tanh) to their inverse functions (sin⁻¹, cos⁻¹, tan⁻¹, sinh⁻¹, cosh⁻¹, tanh⁻¹). It also changes ln to log2, and eˣ to 2ˣ. Tap 2nd again to return the buttons to their original functions.
- (: Opens a parenthetical expression. Expressions can be nested.
- ): Closes a parenthetical expression.
- %: Calculates percentages, adds markups, and subtracts discounts. To calculate a percentage, use it with the multiplication (×) key. For example, to calculate 8% of 500, enter 500 × 8 % = and the result is 40. To add a markup or subtract a discount, use it with the addition (+) or subtraction (-) key. For example, to add 8% sales tax to a $500 total, enter 500 + 8 % = and the result is 540.
- 1/x: Returns the reciprocal of a value in decimal format.
- x²: Squares a value.
- x³: Cubes a value.
- yˣ: Tap between values to raise the first value to the power of the second. For example, to calculate 3⁴, enter 3 yˣ 4 = and the result is 81.
- x!: Calculates the factorial of a value.
- √: Calculates the square root of a value.
- ˣ√y: Use between values to calculate the x root of y. For example, to calculate ⁴√81, enter 81 ˣ√y 4 = and the result is 3.
- log: Returns the log (base 10) of a value.
- sin: Calculates the sine of a value.
- sin⁻¹: Calculates the arc sine of a value. (Available when the 2nd button is tapped.)
- cos: Calculates the cosine of a value.
- cos⁻¹: Calculates the arc cosine of a value. (Available when the 2nd button is tapped.)
- tan: Calculates the tangent of a value.
- tan⁻¹: Calculates the arc tangent of a value. (Available when the 2nd button is tapped.)
- ln: Calculates the natural log of a value.
- log2: Calculates the log base 2. (Available when the 2nd button is tapped.)
- sinh: Calculates the hyperbolic sine of a value.
- sinh⁻¹: Calculates the inverse hyperbolic sine of a value. (Available when the 2nd button is tapped.)
- cosh: Calculates the hyperbolic cosine of a value.
- cosh⁻¹: Calculates the inverse hyperbolic cosine of a value. (Available when the 2nd button is tapped.)
- tanh: Calculates the hyperbolic tangent of a value.
- tanh⁻¹: Calculates the inverse hyperbolic tangent of a value. (Available when the 2nd button is tapped.)
- eˣ: Tap after entering a value to raise the constant "e" (2.718281828459045...) to the power of that value.
- 2ˣ: Calculates 2 to the power of the displayed value. For example, entering 10 2ˣ = gives 1024. (Available when the 2nd button is tapped.)
- Rad: Changes the mode to express trigonometric functions in radians.
- Deg: Changes the mode to express trigonometric functions in degrees.
- π: Enters the value of pi (3.141592653589793...).
- EE: Multiplies the currently displayed value by 10 to the power of the next value you enter.
- Rand: Returns a random number between 0 and 1.

Clock

Clock lets you view the time in different locations, set alarms, use a stopwatch, and set a timer.

World Clock

You can add clocks to show the time in other major cities and time zones around the world.

View clocks: Tap World Clock.

If the clock face is white, it is daytime in that city. If the clock face is black, it is nighttime. If you have more than four clocks, flick to scroll through them.

Add a clock:
1. Tap World Clock.
2. Tap the add button, then type the name of a city. Cities matching what you have typed appear below.
3. Tap a city to add a clock for that city.

If you don't see the city you are looking for, try entering a major city in the same time zone.

Delete a clock: Tap World Clock and tap Edit. Then tap the delete button next to a clock and tap Delete.

Rearrange clocks: Tap World Clock and tap Edit. Then drag the reorder handle next to a clock to a new place in the list.

Alarms

You can set multiple alarms. Set each alarm to repeat on days you specify, or to sound only once.

Set an alarm:
1. Tap Alarm and tap the add button.
2. Adjust any of the following settings:
  - To set the alarm to repeat on certain days, tap Repeat and choose the days.
  - To choose the ringtone that sounds when the alarm goes off, tap Sound.
  - To set whether the alarm gives you the option to snooze, turn Snooze on or off. If Snooze is on and you tap Snooze when the alarm sounds, the alarm stops and then sounds again in ten minutes.
  - To give the alarm a description, tap Label. iPod touch displays the label when the alarm sounds.

If at least one alarm is set and turned on, the alarm icon appears in the status bar at the top of the iPod touch screen.

Turn an alarm on or off: Tap Alarm and turn any alarm on or off. If an alarm is turned off, it won't sound again unless you turn it back on.

If an alarm is set to sound only once, it turns off automatically after it sounds. You can turn it on again to reenable it.

Change settings for an alarm: Tap Alarm and tap Edit, then tap the detail button next to the alarm you want to change.

Delete an alarm: Tap Alarm and tap Edit, then tap the delete button next to the alarm and tap Delete.

Stopwatch

Use the stopwatch to time an event:
1. Tap Stopwatch.
2. Tap Start to start the stopwatch.
  - To record lap times, tap Lap after each lap.
  - To pause the stopwatch, tap Stop. Tap Start to resume.
  - To reset the stopwatch, tap Reset when the stopwatch is paused.

If you start the stopwatch and go to another iPod touch application, the stopwatch continues running in the background.

Timer

Set the timer: Tap Timer, then flick to set the number of hours and minutes. Tap Start to start the timer.

Choose the sound: Tap When Timer Ends.

Set a sleep timer: Set the timer, tap When Timer Ends, then choose Sleep iPod.

When you set a sleep timer, iPod touch stops playing music or videos when the timer ends.

If you start the timer and go to another iPod touch application, the timer continues running in the background.

Nike + iPod

When the Nike + iPod application is enabled in Settings, it appears on the Home screen so you can control a Nike + iPod Sensor (sold separately). Nike + iPod is not available on the first-generation iPod touch. See the Nike + iPod documentation for instructions on enabling and using Nike + iPod.

Chapter 8: Settings

Settings lets you customize iPod touch applications, set the date and time, configure network connections, and enter other preferences for iPod touch.

Wi-Fi

Wi-Fi settings determine whether iPod touch uses local Wi-Fi networks to connect to the Internet.

Turn Wi-Fi on or off: Choose Wi-Fi and turn Wi-Fi on or off.

Join a Wi-Fi network: Choose Wi-Fi, wait a moment as iPod touch detects networks in range, then select a network. If necessary, enter a password and tap Join. (Networks that require a password appear with a lock icon.)

Once you have joined a Wi-Fi network manually, iPod touch automatically joins it whenever the network is in range. If more than one previously used network is in range, iPod touch joins the one last used.

When iPod touch is joined to a Wi-Fi network, the Wi-Fi icon in the status bar at the top of the screen shows signal strength. The more bars you see, the stronger the signal.

Set iPod touch to ask if you want to join a new network: Choose Wi-Fi and turn "Ask to Join Networks" on or off.

When you are trying to access the Internet, by using Safari or Mail for example, and you are not in range of a Wi-Fi network you have previously used, this option tells iPod touch to look for another network. iPod touch displays a list of all available Wi-Fi networks that you can choose from. (Networks that require a password appear with a lock icon.) If "Ask to Join Networks" is off and a previously used network is not available, you must manually join a network to connect to the Internet.

Forget a network, so iPod touch doesn't join it automatically: Choose Wi-Fi and tap the detail button next to a network you have joined before. Then tap "Forget this Network".

Join a closed Wi-Fi network: To join a Wi-Fi network that isn't shown in the list of networks, choose Wi-Fi > Other and enter the network name. If the network requires a password, tap Security, tap the type of security the network uses, and enter the password.

You must already know the network name, password, and security type to connect to a closed network.

Some Wi-Fi networks may require you to enter or adjust additional settings, such as a client ID or IP address. Ask the network administrator which settings to use.

Adjust settings to connect to a Wi-Fi network: Choose Wi-Fi, then tap the detail button next to a network.

VPN

This setting appears when you have a VPN configured on iPod touch, allowing you to turn VPN on or off. See "Network" on page 91.

Fetch New Data

This setting lets you turn Push on or off for MobileMe, Microsoft Exchange, Yahoo! Mail, and any other "push" accounts configured on iPod touch. Push accounts deliver new information to iPod touch automatically whenever it is updated on the server (some delays may occur). To fetch or sync pushed data, iPod touch must be connected to a Wi-Fi network that is connected to the Internet. You might want to turn Push off to suspend delivery of email and other information, or to conserve battery life.

When Push is off, and with accounts that don't support push, data can still be "fetched"; that is, iPod touch can check with the server and see if new information is available. Use the Fetch New Data setting to determine how often data is requested. For optimal battery life, don't fetch too often.

Turn Push on: Tap Fetch New Data, then tap to turn Push on.

Set the interval to fetch data: Tap Fetch New Data, then choose how often you want to fetch data for all accounts. To conserve battery life, fetch less frequently.

Set fetch or push settings for individual accounts: In Fetch New Data, tap Advanced, then tap an account. Setting Push to Off or Fetch to Manually in the Fetch New Data screen overrides the individual account settings.

Brightness

Screen brightness affects battery life. Dim the screen to extend the time before you need to recharge iPod touch, or use Auto-Brightness.

Adjust the screen brightness: Choose Brightness and drag the slider.

Set whether iPod touch adjusts screen brightness automatically: Choose Brightness and turn Auto-Brightness on or off. If Auto-Brightness is on, iPod touch uses the built-in ambient light sensor to adjust the screen brightness for current light conditions.

General

The General settings include date and time, security, network, and other settings that affect more than one application. This is also where you can find information about your iPod touch and reset iPod touch to its original state.

About

Choose General > About to get information about iPod touch, including:
- Number of songs, videos, and photos
- Total storage capacity
- Space available
- Software version
- Serial and model numbers
- Wi-Fi address
- Legal information
Wallpaper

You see your wallpaper when you unlock iPod touch. You can select one of the images that came with iPod touch, or use a photo you have synced to iPod touch from your computer.

Set wallpaper: Choose Wallpaper and choose a picture.

Sounds

Adjust the alert volume: Choose General > Sounds and drag the slider. If no song or video is playing, use the volume buttons on the side of iPod touch.

Note: On the first-generation iPod touch, choose General > Sounds and choose whether to play sound effects over the internal speaker, through the headphones, or both.

Set alert and effects sounds: Choose General > Sounds and turn items on or off.

You can set iPod touch to play a sound whenever you:
- Get an email message
- Send an email message
- Have an appointment that you have set up to alert you
- Lock iPod touch
- Type using the keyboard

Network

Use the Network settings to configure a VPN (virtual private network) connection and access Wi-Fi settings.

Add a new VPN configuration: Choose General > Network > VPN > Add VPN Configuration.

VPNs used within organizations allow you to send and receive private information securely over a non-private network. You may need to configure VPN, for example, to access your work email on iPod touch.

iPod touch can connect to VPNs that use the L2TP, PPTP, or Cisco IPSec protocols. VPN works over both Wi-Fi and packet data connections.

Ask your network administrator which settings to use. In most cases, if you have set up VPN on your computer, you can use the same VPN settings for iPod touch.

Once you have entered VPN settings, a VPN switch appears at the top of the Settings menu that you can use to turn VPN on or off.

Change a VPN configuration: Choose General > Network > VPN and tap the configuration you want to update.

Turn VPN on or off: Tap Settings and turn VPN on or off.

Delete a VPN configuration: Choose General > Network > VPN, tap the blue arrow to the right of the configuration name, then tap Delete VPN at the bottom of the configuration screen.

Use Wi-Fi: See "Wi-Fi" on page 88.

Location Services

Location Services lets applications such as Maps gather and use data indicating your location. Data collected by Location Services is not associated with personally identifiable information. Your approximate location is determined using information available from local Wi-Fi networks (if you have Wi-Fi turned on).

If you don't want to use Location Services, you can turn it off. If you turn Location Services off, you will be prompted to turn it back on the next time an application tries to use this feature.

Turn Location Services on or off: Choose General > Location Services and turn Location Services on or off.

To conserve battery life, turn Location Services off when you are not using it.

Auto-Lock

Locking iPod touch turns off the display to save your battery and to prevent unintended operation of iPod touch.

Set the amount of time before iPod touch locks: Choose General > Auto-Lock and choose a time.

Passcode Lock

By default, iPod touch doesn't require you to enter a passcode to unlock it.

Set a passcode: Choose General > Passcode Lock and enter a 4-digit passcode, then enter the passcode again to verify it. iPod touch then requires you to enter the passcode to unlock it or to display the passcode lock settings.

Turn passcode lock off: Choose General > Passcode Lock, enter your passcode, tap "Turn Passcode Off", then enter your passcode again.

Change the passcode: Choose General > Passcode Lock, enter your passcode, then tap Change Passcode. Enter your passcode again, then enter and reenter your new passcode.

If you forget your passcode, you must restore the iPod touch software. See "Updating and Restoring iPod touch Software" on page 109.

Set how long before your passcode is required: Choose General > Passcode Lock, then enter your passcode. Tap Require Passcode, then select how long iPod touch can be idle before you need to enter a passcode to unlock it.

Erase data after ten failed passcode attempts: Choose General > Passcode Lock, enter your passcode, then tap Erase Data to turn it on.

After ten failed passcode attempts, your settings are reset to their defaults and all your information and media are removed from iPod touch by overwriting the data stored on iPod touch.

Important: You can't use iPod touch while the data is being overwritten. This can take from one to four hours or more, depending on the storage capacity of your iPod touch.

Restrictions

You can set restrictions for iPod content used by some applications on iPod touch. For example, parents can restrict explicit music from being seen on playlists, or turn off YouTube access entirely.

- Explicit music or video content purchased from the iTunes Store is hidden. Explicit content sold by the iTunes Store is flagged by content providers (such as record labels).
- Safari is disabled and its icon is removed from the Home screen. You can't browse the web or access web clips.
- YouTube is disabled and its icon is removed from the Home screen.
- The iTunes Wi-Fi Music Store is disabled and its icon is removed from the Home screen. You can't preview, purchase, or download content.
- The App Store is disabled and its icon is removed from the Home screen. You can't install applications on iPod touch.

Set restrictions:
1. Choose General > Restrictions, then tap Enable Restrictions.
2. Enter a four-digit passcode.
3. Reenter the passcode.
4. Set the restrictions you want by tapping individual controls on or off. By default, all controls are on (not restricted). Tap an item to turn it off and restrict its use.

Turn off all restrictions: Choose General > Restrictions, then enter the passcode. Tap Disable Restrictions, then reenter the passcode.

If you forget your passcode, you must restore the iPod touch software from iTunes. See "Updating and Restoring iPod touch Software" on page 109.

Date and Time

These settings apply to the time shown in the status bar at the top of the screen, and in world clocks and calendars.

Set whether iPod touch shows 24-hour time or 12-hour time: Choose General > Date & Time and turn 24-Hour Time on or off. (Not available in all countries.)

Set the date and time: Choose General > Date & Time. Tap Time Zone and enter the name of a major city in your time zone. Tap the "Date & Time" return button, then tap "Set Date & Time" and enter the date and time.

Keyboard

Turn Auto-Correction on or off: Choose General > Keyboard and turn Auto-Correction on or off.
By default, if the default keyboard for the language you have selected has a dictionary, iPod touch automatically suggests corrections or completes words as you type.

Turn Auto-Capitalization on or off: Choose General > Keyboard and turn Auto-Capitalization on or off.

By default, iPod touch automatically capitalizes the first letter of the word you type after sentence-ending punctuation or a return character.

Turn Caps Lock on or off: Choose General > Keyboard and turn Enable Caps Lock on or off.

If Caps Lock is enabled and you double-tap the Shift key on the keyboard, all letters you type are uppercase. The Shift key turns blue when Caps Lock is on.

Turn the "." shortcut on or off: Choose General > Keyboard and turn "." Shortcut on or off.

The "." shortcut lets you double-tap the space bar to enter a period followed by a space when you are typing. It is on by default.

Turn keyboards for other languages on or off: Choose General > Keyboard > International Keyboards and turn on the keyboards you want.

If more than one keyboard is turned on, tap the globe key to switch keyboards when you are typing. When you tap the key, the name of the newly active keyboard appears briefly. See "International Keyboards" on page 23.

International

Use the International settings to set the language for iPod touch, turn keyboards for different languages on or off, and set the date, time, and telephone number formats for your region.

Set the language for iPod touch: Choose General > International > Language, choose the language you want to use, then tap Done.

Turn keyboards for different languages on or off: Choose General > International > Keyboards and turn on the keyboards you want.

If more than one keyboard is turned on, tap the globe key to switch keyboards when you are typing. When you tap the key, the name of the newly active keyboard appears briefly. See "International Keyboards" on page 23.

Set date, time, and telephone number formats: Choose General > International > Region Format and choose your region.

Resetting iPod touch

Reset all settings: Choose General > Reset and tap Reset All Settings.

All your preferences and settings are reset. Information, such as your contacts and calendars, and media, such as your songs and videos, are not deleted.

Erase all content and settings: Connect iPod touch to your computer or a power adapter. Choose General > Reset and tap "Erase All Content and Settings".

This resets all settings to their defaults and erases all your information and media from iPod touch by overwriting the data stored on iPod touch.

Important: You can't use iPod touch while the data is being overwritten. This can take from one to four hours or more, depending on the storage capacity of your iPod touch.

Reset the keyboard dictionary: Choose General > Reset and tap Reset Keyboard Dictionary.

You add words to the keyboard dictionary by rejecting words iPod touch suggests as you type. Tap a word to reject the correction and add the word to the keyboard dictionary. Resetting the keyboard dictionary erases all words you have added.

Reset network settings: Choose General > Reset and tap Reset Network Settings.

When you reset network settings, your list of previously used networks and your VPN settings are removed. Wi-Fi is turned off and then back on, disconnecting you from any network you are on. The Wi-Fi and "Ask to Join Networks" settings remain turned on.

Reset the Home screen layout: Choose General > Reset and tap Reset Home Screen Layout.
Reset location warnings: Choose General > Reset and tap Reset Location Warnings.

Location warnings are the requests made by applications (such as Maps) to use Location Services with those applications. iPod touch stops displaying the warning for an application the second time you tap OK. Tap Reset Location Warnings to resume the warnings.

Music

The Music settings apply to songs, podcasts, and audiobooks.

Set iTunes to play songs at the same sound level: In iTunes, choose iTunes > Preferences if you are using a Mac, or Edit > Preferences if you are using a PC, then click Playback and select Sound Check.

Set iPod touch to use the iTunes volume settings (Sound Check): Choose Music and turn Sound Check on.

You can set audiobooks to play faster than normal so you can hear them more quickly, or slower so you can hear them more clearly.

Set audiobook play speed: Choose Music > Audiobook Speed, then choose Slower, Normal, or Faster.

Use the equalizer to change the sound on iPod touch to suit a particular sound or style: Choose Music > EQ and choose a setting.

Set a volume limit for music and videos: Choose Music > Volume Limit and drag the slider to adjust the maximum volume. Tap Lock Volume Limit to assign a code to prevent the setting from being changed.

Warning: For important information about avoiding hearing loss, see the Important Product Information Guide at www.apple.com/jp/support/manuals/ipodtouch.

Video

Video settings apply to video content, including rented movies. You can set where to resume playing videos that you previously started, turn closed captioning on or off, and set up iPod touch to play videos on your TV.

Set where to resume playing: Choose Video > Start Playing, then select whether you want videos that you previously started viewing to resume playing from the beginning or from where you left off.

Turn closed captioning on or off: Choose Video and turn Closed Captioning on or off.

TV Out

Use these settings to set up how iPod touch plays videos on your TV. For more information about using iPod touch to play videos on your TV, see "Watching Videos on a TV" on page 38.

Turn widescreen on or off: Choose Video and turn Widescreen on or off.

Set the TV signal to NTSC or PAL: Choose Video > TV Signal and select NTSC or PAL.

NTSC and PAL are TV broadcast standards. iPod touch displays NTSC 480p/PAL 576p when it is attached to a TV using the Component cable, and NTSC 480i/PAL 576i when using the Composite cable. Your TV may use either of these, depending on where it was sold. If you are not sure which standard your TV uses, check the documentation that came with your TV.

Photos

Use Photos settings to specify how slideshows display your photos.

Set the length of time each slide is shown: Choose Photos > Play Each Slide For and select the length of time.

Set the transition effect: Choose Photos > Transition and select a transition effect.

Set whether to repeat slideshows: Choose Photos and turn Repeat on or off.

Set photos to appear randomly or in order: Choose Photos and turn Shuffle on or off.

Mail, Contacts, Calendars

Use Mail, Contacts, Calendars settings to set up and customize the accounts on iPod touch:
- Microsoft Exchange
- MobileMe
- Google email
- Yahoo! Mail
- AOL
- Other POP and IMAP mail systems

Accounts

The Accounts section lets you set up accounts on iPod touch. The specific settings that appear depend on the type of account you are setting up. Your service provider or system administrator should be able to provide the information you need to enter.

For more information about adding accounts, see "Setting Up Accounts" on page 10.

Change an account's settings: Choose "Mail, Contacts, Calendars", choose an account, then make the changes you want.

Changes you make to an account's settings are not synced to your computer, so you can configure your accounts on iPod touch without affecting the account settings on your computer.

Stop using an account: Choose "Mail, Contacts, Calendars", choose an account, then turn Account off.

If an account is off, iPod touch doesn't display the account, and doesn't send or check email from that account or sync other information with that account, until you turn it back on.

Adjust advanced settings: Choose "Mail, Contacts, Calendars", choose an account, then do one of the following:
- To set whether drafts, sent messages, and deleted messages are stored on iPod touch or remotely on your mail server (IMAP accounts only), tap Advanced and choose Drafts Mailbox, Sent Mailbox, or Deleted Mailbox. If you store messages on iPod touch, you can see them even when iPod touch isn't connected to the Internet.
- To set how long before messages are permanently removed from Mail on iPod touch, tap Advanced, tap Remove, then choose Never, "After one day", "After one week", or "After one month".
- To adjust email server settings, tap Host Name, User Name, or Password under Incoming Mail Server or Outgoing Mail Server. Ask your network administrator or Internet service provider for the correct settings.
- To adjust SSL and password settings, tap Advanced. Ask your network administrator or Internet service provider for the correct settings.

Delete an account from iPod touch: Choose "Mail, Contacts, Calendars", choose an account, then scroll down and tap Delete Account.

Deleting an account means you can no longer access it with your iPod touch. All email and the contacts, calendar, and bookmark information synced with the account are removed from iPod touch. However, deleting an account doesn't remove the account or its associated information from your computer.

Mail

Mail settings, except where noted, apply to all accounts you have set up on iPod touch.

To turn the alert sounds for new or sent mail on or off, use the General > Sounds settings.

Set the number of messages shown on iPod touch: Choose "Mail, Contacts, Calendars" > Show, then choose a setting.

Choose to see the most recent 25, 50, 75, 100, or 200 messages. To download additional messages when you are in Mail, scroll to the bottom of your inbox and tap "Download more".

Note: For Microsoft Exchange accounts, choose "Mail, Contacts, Calendars" and choose the Exchange account. Tap "Mail days to sync" and choose the number of days of mail you want to sync with the server.

Set how many lines of each message are shown in the message list: Choose "Mail, Contacts, Calendars" > Preview, then choose a setting.

You can choose to view up to five lines of each message. That way, you can scan a list of messages in a mailbox and get an idea of what each message is about.

Set a minimum font size for messages: Choose "Mail, Contacts, Calendars" > Minimum Font Size, then choose Small, Medium, Large, Extra Large, or Giant.

Set whether iPod touch shows To and Cc labels in message lists: Choose "Mail, Contacts, Calendars", then turn Show To/Cc Label on or off.

If Show To/Cc Label is on, To or Cc next to each message in a list indicates whether the message was sent directly to you or you received a copy.

Set whether iPod touch confirms that you want to delete a message: Choose "Mail, Contacts, Calendars" and turn "Ask Before Deleting" on or off.

If "Ask Before Deleting" is on, to delete a message you must tap the trash button, then confirm by tapping Delete.

Set whether iPod touch sends you a copy of every message you send: Choose "Mail, Contacts, Calendars", then turn "Always Bcc Myself" on or off.

Set a default email account: Choose "Mail, Contacts, Calendars" > Default Account, then choose an account.

This setting determines which of your accounts a message is sent from when you create a message from another iPod touch application, such as sending a photo from Photos or tapping the email address of a business in Maps. To send the message from a different account, tap the From field in the message and choose another account.

Add a signature to your messages: Choose "Mail, Contacts, Calendars" > Signature, then type a signature.

You can set iPod touch to add a signature, such as your favorite quote or your name, title, and phone number, to the bottom of every message you send.

Contacts

Set how contacts are sorted: Choose "Mail, Contacts, Calendars", then tap Sort Order under Contacts and do one of the following:
- To sort by first name, tap "First, Last".
- To sort by last name, tap "Last, First".

Set how contacts are displayed: Choose "Mail, Contacts, Calendars", then tap Display Order under Contacts and do one of the following:
- To show the first name first, tap "First, Last".
- To show the last name first, tap "Last, First".

Calendar

Set alerts to sound when you receive meeting invitations: Choose "Mail, Contacts, Calendars", then tap New Invitation Alerts under Calendars to turn it on.

Set how far back in the past to show your calendar events on iPod touch: Choose "Mail, Contacts, Calendars" > Sync, then choose a period of time.

Turn on Calendar time zone support: Choose "Mail, Contacts, Calendars" > Time Zone Support, then turn Time Zone Support on. To select a time zone for calendars, tap Time Zone and enter the name of a major city.

When Time Zone Support is on, Calendar displays event dates and times in the time zone of the city you selected. When Time Zone Support is off, Calendar displays events in the time zone of your current location as determined by the network time.

Important: While you are traveling, iPod touch may not display events or sound alerts at the correct local time. To set the correct time manually, see "Date and Time" on page 93.

Safari

Safari settings let you select your Internet search engine, set security options, and, for developers, turn on debugging.

General

You can use Google or Yahoo! to perform Internet searches.
Select a search engine: Choose Safari > Search Engine and select the search engine you want to use.

Security

By default, Safari is set to show features of the web, such as movies, animation, and web applications. You can turn off some of these features to help protect iPod touch from possible security risks on the Internet.

Change security settings: Choose Safari, then do one of the following:
- To enable or disable JavaScript, turn JavaScript on or off. JavaScript lets web programmers control elements of the page. For example, a page that uses JavaScript might display the current date and time, or cause a linked page to appear in a new pop-up page.
- To enable or disable plug-ins, turn Plug-ins on or off. Plug-ins allow Safari to play some types of audio and video files and to display Microsoft Word files and Microsoft Excel documents.
- To block or allow pop-ups, turn Block Pop-ups on or off. Blocking pop-ups stops only pop-ups that appear when you close a page or open a page by typing its address. It doesn't block pop-ups that open when you tap a link.
- To set whether Safari accepts cookies, tap Accept Cookies and choose Never, "From visited", or Always. A cookie is a piece of information that a website puts on iPod touch so the site can recognize you when you visit again. That way, web pages can be customized for you based on information you may have provided. Some pages won't work correctly unless iPod touch is set to accept cookies.
- To clear the history of web pages you have visited, tap Clear History.
- To clear all cookies from Safari, tap Clear Cookies.
- To clear the browser cache, tap Clear Cache. The browser cache stores the content of pages so they open faster the next time you visit them. If a page you open isn't showing new content, clearing the cache may help.

Developer

The Debug Console can help you resolve web page errors. If it is turned on, the console appears automatically when a web page error occurs.

Turn the debug console on or off: Choose Safari > Developer and turn Debug Console on or off.

Nike + iPod

Use the Nike + iPod settings to activate and adjust settings for a Nike + iPod Sensor (sold separately). Nike + iPod is not available on the first-generation iPod touch. See the Nike + iPod documentation for instructions on enabling and using Nike + iPod.

Turn Nike + iPod on or off: Choose Nike + iPod and turn Nike + iPod on or off. When Nike + iPod is on, its icon appears on the Home screen.

Choose a PowerSong: Choose Nike + iPod > PowerSong and select a song from your music library.

Turn spoken feedback on or off: Choose Nike + iPod > Spoken Feedback and select a male or female voice to accompany your workout, or Off to turn spoken feedback off.

Set a distance preference: Choose Nike + iPod > Distance, then select Miles or Kilometers as the unit for measuring your workout distance.

Set your weight: Choose Nike + iPod > Weight, then flick to enter your weight.

Set the screen orientation: Choose Nike + iPod > Lock Screen, then select a screen orientation preference.

Activate a Nike + iPod Sensor: Choose Nike + iPod > Sensor, then follow the onscreen instructions to activate your sensor (sold separately).

Appendix A: Troubleshooting

General

Low-battery image appears

iPod touch is low on power and needs to charge for ten minutes or more before you can use it. For information about charging iPod touch, see "Charging the Battery" on page 26.

iPod touch doesn't respond
- iPod touch may be low on power. Connect iPod touch to your computer or to the included power adapter to charge. See "Charging the Battery" on page 26.
- Press and hold the Home button below the screen for at least six seconds, until the application you were using quits.
- If that doesn't work, turn iPod touch off and turn it on again. Press and hold the Sleep/Wake button on top of iPod touch for a few seconds until a red slider appears, then drag the slider. Then press and hold the Sleep/Wake button until the Apple logo appears.
- If that doesn't work, reset iPod touch. Press and hold both the Sleep/Wake button and the Home button for at least ten seconds, until the Apple logo appears.

iPod touch still doesn't respond after reset
- Reset iPod touch settings. From the Home screen, choose Settings > General > Reset > Reset All Settings. All your preferences are reset, but your data and media are not deleted.
- If that doesn't work, erase all content on iPod touch. See "Resetting iPod touch" on page 94.
- If that doesn't work, restore the iPod touch software. See "Updating and Restoring iPod touch Software" on page 109.

"This accessory is not made to work with iPod touch" appears

The accessory you attached may not work with iPod touch. Make sure the Dock connector is free of debris.

"Connect to iTunes" screen appears

iPod touch needs to be registered with iTunes. Connect iPod touch to your computer and open iTunes if it doesn't open automatically.

iTunes and Syncing

iPod touch doesn't appear in iTunes
- The iPod touch battery might need to be recharged. For information about charging iPod touch, see "Charging the Battery" on page 26.
- Disconnect other USB devices from your computer and connect iPod touch to a different USB 2.0 port on your computer (not on your keyboard).
- Restart your computer and reconnect iPod touch to your computer.
- Download and install (or reinstall) the latest version of iTunes from www.apple.com/jp/itunes.

Syncing doesn't work
- The iPod touch battery might need to be recharged. For information about charging iPod touch, see "Charging the Battery" on page 26.
- Disconnect other USB devices from your computer and connect iPod touch to a different USB 2.0 port on your computer (not on your keyboard).
- Restart your computer and reconnect iPod touch to your computer.
- For push accounts, make sure iPod touch is connected to a Wi-Fi network that is connected to the Internet. See "Connecting to the Internet" on page 26.
- Download and install (or reinstall) the latest version of iTunes from www.apple.com/jp/itunes.

Contacts, calendars, or bookmarks don't sync
- Download and install (or reinstall) the latest version of iTunes from www.apple.com/jp/itunes.
- For push accounts, make sure iPod touch is connected to a Wi-Fi network that is connected to the Internet. See "Connecting to the Internet" on page 26.
- If you have set up a MobileMe or Microsoft Exchange account on iPod touch, iTunes won't sync the contacts, calendars, or bookmarks you set to sync in the iPod touch Info preference pane. You must disable any items in the MobileMe or Exchange account that you want to sync in iTunes. In Settings, tap "Mail, Contacts, Calendars", tap the MobileMe or Exchange account, and deselect the items you want to sync in iTunes. If you have both a MobileMe account and an Exchange account, you must deselect those items in both accounts.

Note: When you deselect Contacts or Calendars in your MobileMe or Exchange account, that contact or calendar information is no longer accessible from iPod touch.

You don't want to sync information on iPod touch to your computer

Replace the contacts, calendars, mail accounts, or bookmarks on iPod touch with information from your computer.

Replace iPod touch information:
1. Open iTunes.
2. As you connect iPod touch to your computer, press and hold Command-Option (if you are using a Mac) or Shift-Control (if you are using a PC) until iPod touch appears in the iTunes sidebar. This prevents iPod touch from syncing automatically.
3. Select iPod touch in the iTunes sidebar and click the Info tab.
4. Under "Replace information on this iPod touch", select Contacts, Calendars, Mail Accounts, or Bookmarks. You can select more than one, if you like.
5. Click Apply.

Information of the selected type is erased from iPod touch and replaced with what's on your computer. The next time you sync, iPod touch syncs normally, adding data you have entered on iPod touch to your computer, and vice versa.

Yahoo! Address Book or Google Contacts don't sync

iTunes may not be able to connect with Yahoo! or Google. Make sure iPod touch is connected to a Wi-Fi network that is connected to the Internet. Make sure you are connected to the Internet and that you have entered the correct ID and password in iTunes. Connect iPod touch to your computer, click the Info tab in iTunes, click Configure in the Contacts section, then enter your current ID and password.

Contacts deleted from iPod touch remain in Yahoo! Address Book

Yahoo! Address Book doesn't allow contacts containing a Messenger ID to be deleted through syncing. To delete a contact containing a Messenger ID, log in to your Yahoo! account online and delete the contact using Yahoo! Address Book.

Sound, Music, and Video

No sound
- Unplug and reconnect your headset. Make sure the connector is pushed in all the way.
- Make sure the volume isn't turned all the way down.
- Music on iPod touch might be paused. From the Home screen, tap Music, tap Now Playing, then tap the play button.
- Check to see if a volume limit is set. From the Home screen, choose Settings > iPod > Volume Limit. For more information, see "Music" on page 95.
- Make sure you are using the latest version of iTunes (go to www.apple.com/jp/itunes).
- If you are using the line out port on the optional Dock, make sure your external speakers or stereo are turned on and working properly.

Song, video, or other items won't play

The song may be encoded in a format that iPod touch doesn't support. The following audio file formats are supported by iPod touch. These include formats for audiobooks and podcasts:
- AAC (M4A, M4B, M4P, up to 320 kbps)
- Apple Lossless (a high-quality compressed format)
- MP3 (up to 320 kbps)
- MP3 Variable Bit Rate (VBR)
- WAV
- AA (audible.com spoken word, formats 2, 3, and 4)
- AAX (audible.com spoken word, AudibleEnhanced format)
- AIFF

The following video file formats are supported by iPod touch:
- H.264 (Baseline Profile Level 3.0)
- MPEG-4 (Simple Profile)

A song encoded in Apple Lossless format has full CD-quality sound, but takes up only about half as much space as a song encoded in AIFF or WAV format. The same song encoded in AAC or MP3 format takes up even less space. When you import music from a CD using iTunes, it is converted to AAC format by default.

Using iTunes for Windows, you can convert nonprotected WMA files to AAC or MP3 format. This can be useful if you have a library of music encoded in WMA format.

iPod touch doesn't support WMA, MPEG Layer 1, or MPEG Layer 2 audio files, or audible.com format 1.

If you have a song or video in your iTunes library that isn't supported by iPod touch, you may be able to convert it to a format iPod touch supports. See iTunes Help for more information.

iTunes Store

iTunes Wi-Fi Music Store isn't available

To purchase songs or albums from the iTunes Wi-Fi Music Store, iPod touch must be connected to a Wi-Fi network that is connected to the Internet. See "Connecting to the Internet" on page 26. The iTunes Wi-Fi Music Store is available only in some countries.

Can't purchase music or applications

To use the iTunes Wi-Fi Music Store or the App Store, iPod touch must be connected to a Wi-Fi network that is connected to the Internet. See "Connecting to the Internet" on page 26.

To purchase songs from the iTunes Wi-Fi Music Store (available only in some countries) or applications from the App Store, you need an iTunes Store account. Open iTunes on your computer and choose Store > Create Account.

Safari, Mail, and Contacts

Email attachment won't open

The file type may not be supported. iPod touch supports the following email attachment file formats:
- .doc: Microsoft Word
- .docx: Microsoft Word (XML)
- .htm: web page
- .html: web page
- .key: Keynote
- .numbers: Numbers
- .pages: Pages
- .pdf: Preview, Adobe Acrobat
- .ppt: Microsoft PowerPoint
- .pptx: Microsoft PowerPoint (XML)
- .txt: text
- .vcf: contact information
- .xls: Microsoft Excel
- .xlsx: Microsoft Excel (XML)

Mail is not delivered (port 25 timed out)

You may need to change the port setting on the outgoing mail server for one of your email accounts. For information, go to www.apple.com/jp/support/ipodtouch and search for "I can receive email on iPod touch but can't send it".

GAL contacts don't appear

Make sure iPod touch is connected to a Wi-Fi network that is connected to the Internet. Check your Microsoft Exchange settings to make sure you are contacting the right server. In Settings, tap "Mail, Contacts, Calendars" and choose the account to display its settings.

If you are trying to search for GAL contacts in Contacts, tap Groups and tap Directories at the bottom of the list.

Backing Up iPod touch

iTunes creates backups of the settings, downloaded applications and data, and other information on iPod touch. You can use a backup to restore these items to your iPod touch after a software restore, or to transfer the information to another iPod touch.

Backing up iPod touch or restoring from a backup isn't the same as syncing content and other items (such as music, podcasts, ringtones, photos, videos, and applications that you download via iTunes) with your iTunes library. Backups include the settings, downloaded applications and data, and other information that resides on iPod touch. You can restore these items from a backup using iTunes, but you may also have to sync your iTunes library content again.

Applications downloaded from the App Store are backed up the next time you sync with iTunes. Afterward, only application data is backed up when you sync with iTunes.

Creating Backups

Backups can be created in the following ways:
- If iPod touch is configured to sync with a particular computer, iTunes automatically makes a backup of iPod touch on that computer when you sync. iTunes won't automatically back up an iPod touch that isn't configured to sync with that computer. If you have configured iPod touch to automatically sync with iTunes on a specific computer, iTunes backs up iPod touch every time you connect it to that computer. Automatic syncing is turned on by default. iTunes makes only one backup each time you connect, even if you sync multiple times before disconnecting.
- If you choose to update the software on iPod touch, iTunes backs up iPod touch automatically, even if it isn't configured to sync with iTunes on that computer.
- If you choose to restore the software on iPod touch, iTunes asks if you want to back up iPod touch before restoring.

Restoring from a Backup

You can restore the settings, downloaded applications, and other information from a backup, or use this feature to transfer these items to another iPod touch.

Restore iPod touch from a backup:
1. Connect iPod touch to the computer you normally sync with.
2. In iTunes, select iPod touch in the sidebar and click the Summary tab.
3. Click Restore to reinstall the iPod touch software, restore its default settings, and delete the data stored on iPod touch. In iTunes, you can also restore from a backup without deleting the data stored on iPod touch.

Deleted data is no longer accessible via the iPod touch user interface, but it isn't permanently erased from iPod touch until it is overwritten by new data. For information about permanently erasing all content and settings, see "Resetting iPod touch" on page 94.

When prompted, select the option to restore your settings, downloaded applications, and other information from a backup, and select the backup that you want to use. Multiple backups are listed by device in chronological order, with the most recent device listed first.

Removing a Backup

You can remove a backup of iPod touch from the list of backups in iTunes. You may want to do this, for example, if a backup was created on someone else's computer.

Remove a backup:
1. In iTunes, open iTunes Preferences.
  - Windows: Choose Edit > Preferences.
  - Mac: Choose iTunes > Preferences.
2. Click Devices (iPod touch doesn't need to be connected).
3. Select the backup you want to remove, then click Delete Backup.
4. Confirm that you want to remove the selected backup by clicking Delete Backup.
5. Click OK to close the iTunes Preferences window.

For more information about backups, including the settings and information stored in a backup, see support.apple.com/kb/HT1766?viewlocale=ja_JP.

Updating and Restoring iPod touch Software

You can use iTunes to update or reinstall the iPod touch software, restore the default settings, and delete all data on iPod touch.
- If you update, the iPod touch software is updated, but your downloaded applications, settings, and songs are not affected.
- If you restore, the latest version of iPod
touchソフトウェアが再インストールされ、デフォルト 設定が復元されて、iPod touch に保存されたデータ(ダウンロードしたアプリケーション、曲、ビ デオ、連絡先、写真、カレンダー情報など)が削除されます。「iTunes」を使用している場合は、 iPod touch に保存されているデータを削除せずにバックアップから復元することもできます。 削除されたデータは、iPod touch のユーザインターフェイスからはアクセスできなくなりますが、新 しいデータによって上書きされるまで、iPod touch から完全には消去されません。すべてのコンテン ツおよび設定を完全に消去する方法については、94ページの「iPod touch をリセットする」を参照 してください。 iPod touch をアップデートまたは復元する: 1 お使いのコンピュータがインターネットに接続されていること、および最新バージョンの「iTunes」 (www.apple.com/jp/itunesからダウンロードできます)がインストールされていることを確認し ます。 2 iPod touch をコンピュータに接続します。 3 「iTunes」のサイドバーで iPod touch を選択し、「概要」タブをクリックします。 4 「アップデートを確認」をクリックします。新しいバージョンの iPod touchソフトウェアを入手できる 場合は、そのことを知らせるメッセージが表示されます。 5 「アップデート」(Mac OS Xの場合)または「更新」(Windowsの場合)をクリックして、最新バージョ ンのソフトウェアをインストールします。または、「復元」をクリックして、復元を行います。画面の説 明に従って復元操作を完了します。 iPod touchソフトウェアのアップデートと復元について詳しくは、support.apple.com/kb/ HT1414?viewlocale=ja_JPを参照してください。110 付録 A トラブルシューティング iPod touch のユーザ補助機能 次の機能は、操作が困難な場合に iPod touch を使いやすくするために役立ちます。 クローズドキャプション 使用できる場合は、ビデオのクローズドキャプションを入にできます。96 ページの「ビデオ」を参照し てください。 メールメッセージの最小フォントサイズ メールメッセージのテキストを読みやすくするときは、最小フォントサイズを「大」、「特大」、または「巨 大」に設定します。98ページの「メール」を参照してください。 拡大 Web ページ、写真、および地図をダブルタップするかピンチして拡大します。22ページの「拡大/ 縮小する」を参照してください。 Mac OS X のユニバーサルアクセス 「iTunes」を使って iPod touch に「iTunes」の情報や iTunesライブラリのコンテンツを同期する ときに、Mac OS Xのユニバーサルアクセス機能を利用します。「Finder」で、「ヘルプ」>「Mac ヘルプ」と選択して、「ユニバーサルアクセス」を検索してください。 iPod touchとMac OS Xのユーザ補助機能について詳しくは、www.apple.com/jp/ accessibilityを参照してください。111 安全性、ソフトウェア、およびサービスに関する情報 次の表に、iPod touch の安全性、ソフトウェア、およびサービスに関する詳しい情報の参照先を示し ます。 知りたい内容 手順 iPod touch を安全に使用する 安全性と法規制の順守に関する最新情報については、 www.apple.com/jp/support/manuals/ipodtouch にある「この製品についての重要なお知らせ」を参照して ください。 iPod touch のサービスとサポート情報、使いかたの ヒント、フォーラム、およびアップルのソフトウェアダウン ロード www.apple.com/jp/support/ipodtouchを参照して ください。 iPod touch の最新情報 www.apple.com/jp/ipodtouchを参照してください。 「iTunes」を使用する 「iTunes」を開いて「ヘルプ」>「iTunesヘルプ」と選 択します。「iTunes」のオンラインチュートリアル(一部 の地域でのみ利用可能です)については、www.apple. 
com/jp/support/itunesにアクセスしてください。 MobileMe www.me.comにアクセスしてください。 Mac OS Xで「iPhoto」を使用する 「iPhoto」を開き、「ヘルプ」>「iPhotoヘルプ」と選 択します。 Mac OS Xで「アドレスブック」を使用する 「アドレスブック」を開き、「ヘルプ」>「アドレスブックヘ ルプ」と選択します。 Mac OS Xで「iCal」を使用する 「iCal」を開き、「ヘルプ」>「iCal ヘルプ」と選択します。 「Microsoft Outlook」、「Windowsアドレス帳」、 「Adobe Photoshop Album」、および「Adobe Photoshop Elements」 各アプリケーションに付属のマニュアルを参照してくだ さい。 付 B 録 その他の参考資料112 付録 B その他の参考資料 知りたい内容 手順 保証サービスを受ける まず、このガイドおよびオンライン参考情報に記載さ れている指示に従います。次に、www.apple.com/ jp/supportを参照するか、www.apple.com/jp/ support/manuals/ipodtouchにある「この製品につ いての重要なお知らせ」を参照してください。 バッテリー交換サービス www.apple.com/jp/support/ipod/service/battery を参照してください。 iPod touch をエンタープライズ環境で使用する www.apple.com/jp/iphone/enterpriseを参照してく ださい。 iPod touch 用ユーザガイド iPod touch 上で表示するために最適化された「iPod touch ユーザガイド」は、help.apple.com/ ipodtouchから入手できます。 iPod touch 上でガイドを見る:「Safari」で、 をタップしてから、「iPod touch ユーザガイド」ブッ クマークをタップします。 ガイドの Webクリップをホーム画面に追加する: ガイドを表示しているときに、 をタップしてから、 「ホーム画面に追加」をタップします。 廃棄とリサイクルに関する情報 お使いの iPodを廃棄する際は、地域法および条例に従って適切に処分してください。この製品には バッテリーが内蔵されているため、家庭廃棄物とは分けて廃棄する必要があります。お使いの iPodが 製品寿命に達した場合は、リサイクルの方法についてアップルまたは地方自治体にお問い合わせくだ さい。 アップルのリサイクルプログラムについては、次の Webサイトを参照してください:www.apple. com/jp/environment/recycling Deutschland: Dieses Gerät enthält Batterien. Bitte nicht in den Hausmüll werfen. Entsorgen Sie dieses Gerätes am Ende seines Lebenszyklus entsprechend der maßgeblichen gesetzlichen Regelungen. Nederlands: Gebruikte batterijen kunnen worden ingeleverd bij de chemokar of in een speciale batterijcontainer voor klein chemisch afval (kca) worden gedeponeerd. Taiwan:付録 B その他の参考資料 113 バッテリーの交換: iPod touch 内の充電式バッテリーの交換は、必ず正規サービスプロバイダに依頼してください。バッ テリー交換サービスについては、www.apple.com/jp/support/ipod/service/batteryを参照し てください European Union̶Disposal Information: This symbol means that according to local laws and regulations your product should be disposed of separately from household waste. When this product reaches its end of life, take it to a collection point designated by local authorities. 
Some collection points accept products for free. The separate collection and recycling of your product at the time of disposal will help conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment. 環境向上への取り組み アップルでは、事業活動および製品が環境に与える影響をできる限り小さくするよう取り組んでいます。 詳しくは、www.apple.com/jp/environmentを参照してくださいK © 2008 Apple Inc. All rights reserved. Apple、Appleロゴ、Cover Flow、FireWire、iCal、iPhoto、 iPod、iTunes、Keynote、Mac、Macintosh、Mac OS、 Numbers、Pages、および Safariは、米国その他の国で登録さ れた Apple Inc.の商標です。 AirMac、Finder、Multi-Touch、および Shuπeは、Apple Inc.の商標です。商標「iPhone」は、アイホン株式会社の許諾 を受けて使用しています iTunes Storeは、米国その他の国で登録された Apple Inc.の サービスマークです。 MobileMeは、Apple Inc.のサービスマークです。 NIKEおよび Swoosh Designは、NIKE, Inc.およびその系列会 社の商標です。商標の使用は実施権に基づいています。Nike + iPod Sport Kitは、単独で使用するときにも Nike + iPod対応 の iPodメディアプレーヤーと一緒に使用するときにも、米国特許 番号 6,018,705、6,052,654、6,493,652、6,298,314、6,611,789、 6,876,947、および 6,882,955 の 1つ以上の特許によって保護さ れています。 Adobeおよび Photoshopは、米国その他の国における Adobe Systems Incorporatedの商標または登録商標です。 本書に記載のその他の社名、商品名は、各社の商標または登録 商標である場合があります。 本書に記載の他社商品名は参考を目的としたものであり、それら の製品の使用を強制あるいは推奨するものではありません。また、 Apple Inc.は他社製品の性能または使用につきましては一切の 責任を負いません。すべての同意、契約、および保証は、ベンダー と将来のユーザとの間で直接行われるものとします。本書には正 確な情報を記載するように努めました。ただし、誤植や制作上の 誤記がないことを保証するものではありません。 米国特許 番号 4,631,603、4,577,216、4,819,098および 4,907,093における装置クレームは限られた範囲での視聴目的に 限り使用許諾されています。 J019-1378/2008-11 Mac OS X Server Administrator’s Guide 034-9285.S4AdminPDF 6/27/02 2:07 PM Page 1K Apple Computer, Inc. © 2002 Apple Computer, Inc. All rights reserved. Under the copyright laws, this publication may not be copied, in whole or in part, without the written consent of Apple. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. 
Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc.
Adobe and PostScript are trademarks of Adobe Systems Incorporated.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Netscape Navigator is a trademark of Netscape Communications Corporation.
RealAudio is a trademark of Progressive Networks, Inc.
© 1995–2001 The Apache Group. All rights reserved.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
062-9285/7-26-02

Contents

Preface  How to Use This Guide 39
What’s Included in This Guide 39
Using This Guide 40
Setting Up Mac OS X Server for the First Time 41
Getting Help for Everyday Management Tasks 41
Getting Additional Information 41

1  Administering Your Server 43
Highlighting Key Features 43
Ease of Setup and Administration 43
Networking and Security 44
File and Printer Sharing 44
Open Directory Services 45
Comprehensive Management of Macintosh Workgroups 45
High Availability 46
Extensive Internet and Web Services 46
Highlighting Individual Services 46
Directory Services 47
Open Directory 47
Password Validation 47
Search Policies 48
File Services 48
Sharing 48
Apple File Service 49
Windows Services 49
LL9285.Book Page 3 Tuesday, June 25, 2002 3:59 PM
Network File System (NFS) Service 49
File Transfer Protocol (FTP) 50
Print Service 50
Web Service 51
Mail Service 51
Macintosh Workgroup Management 52
Client Management 52
NetBoot 52
Network Install 53
Network Services 53
DHCP 54
DNS 54
IP Firewall 54
SLP DA 54
QuickTime Streaming Service 55
Highlighting Server Applications 56
Administering a Server From Different Computers 58
Server Assistant 58
Open Directory Assistant 58
Directory Access 59
Workgroup Manager 59
Opening and Authenticating in Workgroup Manager 59
Major Workgroup Manager Tasks 60
Server Settings 60
Server Status 61
Macintosh Manager 62
NetBoot Administration Tools 62
Network Install Administration Application 62
Server Monitor 62
Streaming Server Admin 63
Where to Find More Information 64
If You’re New to Server and Network Management 64
If You’re an Experienced Server Administrator 64

2  Directory Services 65
Storage for Data Needed by Mac OS X 66
A Historical Perspective 67
Data Consolidation 68
Data Distribution 69
Uses of Directory Data 70
Inside a Directory Domain 71
Discovery of Network Services 72
Directory Domain Protocols 73
Local and Shared Directory Domains 74
Local Data 74
Shared Data 75
Shared Data in Existing Directory Domains 78
Directory Domain Hierarchies 78
Two-Level Hierarchies 79
More Complex Hierarchies 81
Search Policies for Directory Domain Hierarchies 82
The Automatic Search Policy 83
Custom Search Policies 84
Directory Domain Planning 85
General Planning Guidelines 85
Controlling Data Accessibility 86
Simplifying Changes to Data in Directory Domains 86
Identifying Computers for Hosting Shared Domains 87
Open Directory Password Server 87
Authentication With a Password Server 88
Network Authentication Protocols 88
Password Server Database 88
Password Server Security 89
Overview of Directory Services Tools 89
Setup Overview 90
Before You Begin 91
Setting Up an Open Directory Domain and Password Server 92
Deleting a Shared Open Directory Domain 93
Configuring Open Directory Service Protocols 93
Setting Up Search Policies 94
Using the Automatic Search Policy 95
Defining a Custom Search Policy 95
Using a Local Directory Search Policy 96
Changing Basic LDAPv3 Settings 97
Enabling or Disabling Use of DHCP-Supplied LDAPv3 Servers 97
Showing or Hiding Available LDAPv3 Configurations 97
Configuring Access to Existing LDAPv3 Servers 98
Creating an LDAPv3 Configuration 98
Editing an LDAPv3 Configuration 99
Duplicating an LDAPv3 Configuration 99
Deleting an LDAPv3 Configuration 100
Changing an LDAPv3 Configuration’s Connection Settings 100
Configuring LDAPv3 Search Bases and Mappings 101
Populating LDAPv3 Domains With Data for Mac OS X 103
Using an Active Directory Server 104
Creating an Active Directory Server Configuration 104
Setting Up an Active Directory Server 105
Populating Active Directory Domains With Data for Mac OS X 105
Accessing an Existing LDAPv2 Directory 106
Setting Up an LDAPv2 Server 106
Creating an LDAPv2 Server Configuration 106
Changing LDAPv2 Server Access Settings 107
Editing LDAPv2 Search Bases and Data Mappings 108
Using NetInfo Domains 110
Creating a Shared NetInfo Domain 110
Configuring NetInfo Binding 111
Adding a Machine Record to a Parent NetInfo Domain 113
Configuring Static Ports for Shared NetInfo Domains 113
Viewing and Changing NetInfo Data 114
Using UNIX Utilities for NetInfo 114
Using Berkeley Software Distribution (BSD) Configuration Files 115
Mapping BSD Configuration Files 115
Setting Up Data in BSD Configuration Files 118
Configuring Directory Access on a Remote Computer 118
Monitoring Directory Services 119
Backing Up and Restoring Directory Services Files 119

3  Users and Groups 121
How User Accounts Are Used 122
Authentication 122
Password Validation 123
Information Access Control 124
Directory and File Owner Access 125
Directory and File Access by Other Users 125
Administration Privileges 125
Server Administration 125
Local Mac OS X Computer Administration 126
Directory Domain Administration 126
Home Directories 126
Mail Settings 127
Resource Usage 127
User Preferences 127
How Group Accounts Are Used 127
Information Access Control 127
Group Directories 128
Workgroups 128
Computer Access 128
Kinds of Users and Groups 128
Users and Managed Users 128
Groups, Primary Groups, and Workgroups 129
Administrators 129
Guest Users 129
Predefined Accounts 130
Setup Overview 132
Before You Begin 135
Administering User Accounts 137
Where User Accounts Are Stored 137
Creating User Accounts in Directory Domains on Mac OS X Server 137
Creating Read-Write LDAPv3 User Accounts 138
Changing User Accounts 138
Working With Read-Only User Accounts 139
Working With Basic Settings for Users 139
Defining User Names 139
Defining Short Names 140
Choosing Stable Short Names 141
Avoiding Duplicate Names 141
Avoiding Duplicate Short Names 143
Defining User IDs 144
Defining Passwords 145
Assigning Administrator Rights for a Server 145
Assigning Administrator Rights for a Directory Domain 145
Working With Advanced Settings for Users 146
Defining Login Settings 146
Defining a Password Validation Strategy 147
Editing Comments 147
Working With Group Settings for Users 147
Defining a User’s Primary Group 148
Adding a User to Groups 148
Removing a User From a Group 149
Reviewing a User’s Group Memberships 149
Working With Home Settings for Users 149
Working With Mail Settings for Users 150
Disabling a User’s Mail Service 150
Enabling Mail Service Account Options 150
Forwarding a User’s Mail 151
Working With Print Settings for Users 151
Disabling a User’s Access to Print Queues Enforcing Quotas 152
Enabling a User’s Access to Print Queues Enforcing Quotas 152
Deleting a User’s Print Quota for a Specific Queue 153
Restarting a User’s Print Quota 153
Working With Managed Users 154
Defining a Guest User 154
Deleting a User Account 154
Disabling a User Account 155
Administering Home Directories 155
Distributing Home Directories Across Multiple Servers 156
Setting Up Home Directories for Users Defined in Existing Directory Servers 157
Choosing a Protocol for Home Directories 160
Setting Up AFP Home Directory Share Points 160
Setting Up NFS Home Directory Share Points 160
Creating Home Directory Folders 161
Defining a User’s Home Directory 161
Defining No Home Directory 162
Defining a Home Directory for Local Users 162
Defining a Network Home Directory 163
Defining an Advanced Home Directory 163
Setting Disk Quotas 164
Defining Default Home Directories for New Users 165
Using Import Files to Create AFP Home Directories 165
Moving Home Directories 165
Deleting Home Directories 165
Administering Group Accounts 165
Where Group Accounts Are Stored 165
Creating Group Accounts in a Directory Domain on Mac OS X Server 165
Creating Read-Write LDAPv3 Group Accounts 166
Changing Group Accounts 167
Working With Read-Only Group Accounts 167
Working With Member Settings for Groups 167
Adding Users to a Group 168
Removing Users From a Group 168
Naming a Group 169
Defining a Group ID 170
Working With Volume Settings for Groups 170
Creating Group Directories 171
Automatically Creating Group Directories 171
Customizing Group Directory Settings 172
Working With Group and Computer Preferences 173
Deleting a Group Account 173
Finding User and Group Accounts 173
Listing Users and Groups in the Local Directory Domain 174
Listing Users and Groups in Search Path Directory Domains 174
Listing Users and Groups in Available Directory Domains 174
Refreshing User and Group Lists 175
Finding Specific Users and Groups in a List 175
Sorting User and Group Lists 175
Shortcuts for Working With Users and Groups 176
Editing Multiple Users Simultaneously 176
Using Presets 176
Creating a Preset for User Accounts 176
Creating a Preset for Group Accounts 177
Using Presets to Create New Accounts 177
Renaming Presets 178
Deleting a Preset 178
Changing Presets 178
Importing and Exporting User and Group Information 178
Understanding What You Can Import 179
Using Workgroup Manager to Import Users and Groups 179
Using Workgroup Manager to Export Users and Groups 181
Using dsimportexport to Import Users and Groups 181
Using dsimportexport to Export Users and Groups 184
Using XML Files Created With Mac OS X Server 10.1 or Earlier 186
Using XML Files Created With AppleShare IP 6.3 186
Using Character-Delimited Files 187
Writing a Record Description 188
Using the StandardUserRecord Shorthand 189
Using the StandardGroupRecord Shorthand 189
Understanding Password Validation 189
Contrasting Password Validation Options 191
The Authentication Authority Attribute 192
Choosing a Password 192
Migrating Passwords 193
Setting Up Password Validation Options 193
Storing Passwords in User Accounts 193
Enabling Basic Password Validation for a User 193
The Problem With Readable Passwords 194
Using a Password Server 195
Setting Up a Password Server 196
Enabling the Use of a Password Server for a User 196
Exporting Users With Password Server Passwords 197
Making a Password Server More Secure 197
Monitoring a Password Server 197
Using Kerberos 197
Understanding Kerberos 198
Integrating Mac OS X With a Kerberos Server 199
Enabling Kerberos Authentication for Mail 200
Enabling Kerberos Authentication for AFP 200
Enabling Kerberos Authentication for FTP 200
Enabling Kerberos Authentication for Login Window 200
Enabling Kerberos Authentication for Telnet 201
Solving Problems With Kerberos 201
Using LDAP Bind Authentication 201
Backing Up and Restoring Files 201
Backing Up a Password Server 201
Backing Up Root and Administrator User Accounts 202
Supporting Client Computers 202
Validating Windows User Passwords 202
Setting Up Search Policies on Mac OS X Client Computers 202
Solving Problems 202
You Can’t Modify an Account Using Workgroup Manager 202
A Password Server User’s Password Can’t Be Modified 203
Users Can’t Log In or Authenticate 203
You Can’t Assign Server Administrator Privileges 204
Users Can’t Access Their Home Directories 204
Mac OS X User in Shared NetInfo Domain Can’t Log In 204
Kerberos Users Can’t Authenticate 204

4  Sharing 205
Privileges 205
Explicit Privileges 206
User Categories 206
Privileges Hierarchy 207
Client Users and Privileges 207
Privileges in the Mac OS X Environment 207
Network Globe Contents 207
Share Points in the Network Globe 208
Static Versus Dynamic Linking 208
Adding System Resources to the Network Library Folder 208
Setup Overview 208
Before You Begin 209
Organize Your Shared Information 210
Windows Users 210
Security Issues 210
Restricting Access by Unregistered Users (Guests) 210
Setting Up Sharing 211
Creating Share Points and Setting Privileges 211
Configuring Apple File Protocol (AFP) Share Points 212
Configuring Server Message Block (SMB) Share Points 212
Configuring File Transfer Protocol (FTP) Share Points 213
Sharing (Exporting) Items Using Network File System (NFS) 213
Automounting Share Points 214
Resharing NFS Mounts as AFP Share Points 215
Managing Sharing 215
Turning Sharing Off 216
Removing a Share Point 216
Browsing Server Disks 216
Viewing Share Points 216
Copying Privileges to Enclosed Items 217
Viewing Share Point Settings 217
Changing Share Point Owner and Privilege Settings 217
Changing the Protocols for a Share Point 218
Deleting an NFS Client from a Share Point 218
Creating a Drop Box 218
Supporting Client Computers 219
Solving Problems 219
Users Can’t Access a CD-ROM Disc 219
Users Can’t Find a Shared Item 219
Users Can’t See the Contents of a Share Point 219

5  File Services 221
Before You Begin 221
Security Issues 222
Allowing Access to Registered Users Only 222
Client Computer Requirements 223
Setup Overview 223
Apple File Service 224
Automatic Reconnect 224
Find By Content 224
Kerberos Authentication 224
Apple File Service Specifications 224
Before You Set Up Apple File Service 225
Setting Up Apple File Service 225
Configuring Apple File Service General Settings 225
Configuring Apple File Service Access Settings 226
Configuring Apple File Service Logging Settings 227
Configuring Apple File Service Idle Users Settings 228
Starting Apple File Service 229
Managing Apple File Service 229
Viewing Apple File Service Status 229
Viewing Apple File Service Logs 230
Stopping Apple File Service 230
Starting Up Apple File Service Automatically 231
Changing the Apple File Server Name 231
Registering With Network Service Locator 231
Enabling AppleTalk Browsing for Apple File Service 232
Setting Maximum Connections for Apple File Service 232
Turning On Access Logs for Apple File Service 232
Archiving Apple File Service Logs 233
Disconnecting a User From the Apple File Server 233
Disconnecting Idle Users From the Apple File Server 234
Allowing Guest Access to the Apple File Server 234
Creating a Login Greeting for Apple File Service 234
Sending a Message to an Apple File Service User 235
Windows Services 235
Windows Services Specifications 236
Before You Set Up Windows Services 236
Ensuring the Best Cross-Platform Experience 236
Windows User Password Validation 236
Setting Up Windows Services 237
Configuring Windows Services General Settings 237
Configuring Windows Services Access Settings 238
Configuring Windows Services Logging Settings 239
Configuring Windows Services Neighborhood Settings 239
Starting Windows Services 240
Managing Windows Services 240
Stopping Windows Services 240
Setting Automatic Startup for Windows Services 240
Changing the Windows Server Name 241
Finding the Server’s Workgroup Name 241
Checking Windows Services Status 241
Registering with a WINS Server 242
Enabling Domain Browsing for Windows Services 242
Setting Maximum Connections for Windows Services 242
Setting Up the Windows Services Log 243
Disconnecting a User From the Windows Server 243
Allowing Guest Access in Windows Services 243
Assigning the Windows Server to a Workgroup 244
File Transfer Protocol (FTP) Service 244
Secure FTP Environment 244
User Environments 245
On-the-Fly File Conversion 247
Custom FTP Root 248
Kerberos Authentication 248
Before You Set Up FTP Service 248
Restrictions on Anonymous FTP Users (Guests) 249
Setup Overview 249
Setting Up File Transfer Protocol (FTP) Service 250
Configuring FTP General Settings 250
Configuring FTP Access Settings 251
Configuring FTP Logging Settings 251
Configuring FTP Advanced Settings 252
Starting FTP Service 252
Managing File Transfer Protocol (FTP) Service 252
Stopping FTP Service 252
Setting Up Anonymous FTP Service 253
Creating an Uploads Folder for Anonymous Users 253
Specifying a Custom FTP Root 253
Specifying the FTP Authentication Method 254
Configuring the FTP User Environment 254
Viewing FTP Logs 254
Displaying Banner and Welcome Messages to Users 255
Displaying Messages Using message.txt files 255
Using README Message 255
Network File System (NFS) Service 256
Before You Set Up NFS Service 256
Security Implications 256
Setup Overview 256
Setting Up NFS Service 257
Configuring NFS Settings 257
Managing NFS Service 258
Stopping NFS Service 258
Viewing NFS Service Status 258
Viewing Current NFS Exports 258
Supporting Client Computers 259
Supporting Mac OS X Clients 259
Connecting to the Apple File Server in Mac OS X 259
Setting Up a Mac OS X Client to Mount a Share Point Automatically 260
Changing the Priority of Network Connections 260
Supporting Mac OS 8 and Mac OS 9 Clients 260
Connecting to the Apple File Server in Mac OS 8 or Mac OS 9 261
Setting up a Mac OS 8 or Mac OS 9 Client to Mount a Share Point Automatically 261
Supporting Windows Clients 261
TCP/IP 262
Using the Network Neighborhood to Connect to the Windows Server 262
Connecting to the Windows Server Without the Network Neighborhood 262
Supporting NFS Clients 262
Solving Problems With File Services 263
Solving Problems With Apple File Service 263
User Can’t Find the Apple File Server 263
User Can’t Connect to the Apple File Server 263
User Doesn’t See Login Greeting 263
Solving Problems With Windows Services 263
User Can’t See the Windows Server in the Network Neighborhood 263
User Can’t Log in to the Windows Server 264
Solving Problems With File Transfer Protocol (FTP) 264
FTP Connections Are Refused 264
Clients Can’t Connect to the FTP Server 265
Anonymous FTP Users Can’t Connect 265
Where to Find More Information About File Services 265

6  Client Management: Mac OS X 267
The User Experience 268
Logging In 268
Locating the Home Directory 268
Before You Begin 269
Designating Administrators 270
Setting Up User Accounts 270
Setting Up Group Accounts 271
Setting Up Computer Accounts 271
Creating a Computer Account 272
Creating a Preset for Computer Accounts 273
Using a Computer Accounts Preset 273
Adding Computers to an Existing Computer Account 274
Editing Information About a Computer 274
Moving a Computer to a Different Computer Account 275
Deleting Computers From a Computer List 275
Deleting a Computer Account 276
Searching for Computer Accounts 276
Managing Guest Computers 277
Working With Access Settings 278
Restricting Access to Computers 278
Making Computers Available to All Users 279
Using Local User Accounts 279
Managing Portable Computers 280
Unknown Portable Computers 280
Portable Computers With Multiple Local Users 280
Portable Computers With One Primary Local User 280
Using Wireless Services 281
How Workgroup Manager Works With System Preferences 281
Managing Preferences 282
About the Preferences Cache 283
Updating the Managed Preferences Cache 283
Updating Cached Preferences Manually 283
How Preference Management Works 284
Preference Management Options 284
Managing a Preference Once 285
Always Managing a Preference 285
Never Managing a Preference 285
Managing User Preferences 285
Managing Group Preferences 286
Managing Computer Preferences 286
Editing Preferences for Multiple Records 287
Disabling Management for Specific Preferences 287
Managing Applications Preferences 288
Applications Items Preferences 288
Creating a List of Approved Applications 288
Preventing Users From Opening Applications on Local Volumes 289
Managing Application Access to Helper Applications 289
Applications System Preferences 290
Managing Access to System Preferences 290
Managing Classic Preferences 291
Classic Startup Preferences 291
Making Classic Start Up After a User Logs In 291
Choosing a Classic System Folder 291
Classic Advanced Preferences 292
Allowing Special Actions During Restart 292
Keeping Control Panels Secure 292
Preventing Access to the Chooser and Network Browser 293
Making Apple Menu Items Available in Classic 293
Adjusting Classic Sleep Settings 294
Managing Dock Preferences 294
Dock Display Preferences 294
Controlling the User’s Dock 294
Dock Items Preferences 295
Adding Items to a User’s Dock 295
Preventing Users From Adding Additional Dock Items 296
Managing Finder Preferences 296
Finder Preferences 296
Keeping Disks and Servers From Appearing on the User’s Desktop 296
Controlling the Behavior of Finder Windows 297
Making File Extensions Visible 298
Selecting the User Environment 298
Hiding the Alert Message When a User Empties the Trash 298
Finder Commands Preferences 299
Controlling User Access to an iDisk 299
Controlling User Access to Remote Servers 299
Controlling User Access to Folders 300
Preventing Users From Ejecting Disks 300
Hiding the Burn Disc Command in the Finder 301
Removing Restart and Shut Down Commands From the Apple Menu 301
Finder Views Preferences 302
Adjusting the Appearance and Arrangement of Desktop Items 302
Adjusting the Appearance of Finder Window Contents 303
Managing Internet Preferences 304
Setting Email Preferences 304
Setting Web Browser Preferences 304
Managing Login Preferences 305
Login Window Preferences 305
Deciding How a User Logs In 305
Helping Users Remember Passwords 306
Preventing Restarting or Shutting Down the Computer at Login 306
Login Items Preferences 307
Opening Applications Automatically After a User Logs In 307
Managing Media Access Preferences 308
Media Access Disc Media Preferences 308
Controlling Access to CDs and DVDs 308
Controlling the Use of Recordable Discs 309
Media Access Other Media Preferences 309
Controlling Access to Hard Drives and Disks 309
Ejecting Items Automatically When a User Logs Out 310
Managing Printing Preferences 311
Printer List Preferences 311
Making Printers Available to Users 311
Preventing Users From Modifying the Printer List 312
Restricting Access to Printers Connected to a Computer 312
Printer Access Preferences 313
Setting a Default Printer 313
Restricting Access to Printers 313

7  Print Service 315
What Printers Can Be Shared? 316
Who Can Use Shared Printers? 317
Setup Overview 317
Before You Begin 319
Security Issues 319
Setting Up Print Service 319
Starting Up and Configuring Print Service 319
Adding Printers 320
Configuring Print Queues 320
Adding Print Queues to Shared Open Directory Domains 321
Setting Up Print Quotas 322
Enforcing Quotas for a Print Queue 322
Setting Up Printing on Client Computers 323
Mac OS X Clients 323
Adding a Print Queue in Mac OS X Using AppleTalk 323
Adding a Print Queue in Mac OS X Using LPR 323
Adding a Print Queue From an Open Directory Domain 323
Mac OS 8 and Mac OS 9 Clients 324
Setting Up Printing on Mac OS 8 or 9 Client for an AppleTalk Printer 324
Setting Up Printing on Mac OS 8 or 9 Clients for an LPR Printer 324
Windows Clients 325
UNIX Clients 325
Managing Print Service 325
Monitoring Print Service 325
Stopping Print Service 326
Setting Print Service to Start Automatically 326
Managing Print Queues 326
Monitoring a Print Queue 326
Putting a Print Queue on Hold (Stopping a Print Queue) 327
Restarting a Print Queue 327
Changing a Print Queue’s Configuration 327
Renaming a Print Queue 328
Selecting a Default Print Queue 329
Deleting a Print Queue 329
Managing Print Jobs 329
Monitoring a Print Job 329
Stopping a Print Job 330
Putting a Print Job on Hold 330
Restarting a Print Job 330
Holding All New Print Jobs 331
Setting the Default Priority for New Print Jobs 331
Changing a Print Job’s Priority 331
Deleting a Print Job 332
Managing Print Quotas 332
Suspending Quotas for a Print Queue 332
Managing Print Logs 332
Viewing Print Logs 333
Archiving Print Logs 333
Deleting Print Log Archives 334
Solving Problems 334
Print Service Doesn’t Start 334
Users Can’t Print 334
Print Jobs Don’t Print 334
Print Queue Becomes Unavailable 335

8  Web Service 337
Before You Begin 338
Configuring Web Service 338
Providing Secure Transactions 338
Setting Up Web Sites 338
Hosting More Than One Web Site 339
Understanding WebDAV 339
Defining Realms 339
Setting WebDAV Privileges 339
Understanding WebDAV Security 339
Understanding Multipurpose Internet Mail Extension (MIME) 340
Setting Up Web Service for the First Time 341
Managing Web Service 342
Starting or Stopping Web Service 343
Starting Web Service Automatically 343
Modifying MIME Mappings 343
Setting Up Persistent Connections for Web Service 344
Limiting Simultaneous Connections for Web Service 344
Setting Up Proxy Caching for Web Service 345
Blocking Web Sites From Your Web Server Cache 345
Enabling SSL for Web Service 346
Setting Up the SSL Log for a Web Server 346
Setting Up WebDAV for a Web Server 346
Starting Tomcat 347
Checking Web Service Status 348
Viewing Logs of Web Service Activity 348
Setting Up Multiple IP Addresses for a Port 348
Managing Web Sites 349
Setting Up the Documents Folder for Your Web Site 349
Changing the Default Web Folder for a Site 349
Enabling a Web Site on a Server 350
Setting the Default Page for a Web Site 351
Changing the Access Port for a Web Site 351
Improving Performance of Static Web Sites 351
Enabling Access and Error Logs for a Web Site 352
Setting Up Directory Listing for a Web Site 352
Connecting to Your Web Site 353
Enabling WebDAV 353
Setting Access for WebDAV-Enabled Sites 354
Enabling a Common Gateway Interface (CGI) script 354
Enabling Server Side Includes (SSI) 355
Monitoring Web Sites 356
Setting Server Responses to MIME Types 356
Enabling SSL 357
Enabling PHP 357
WebMail 358
WebMail Users 358
WebMail and Your Mail Server 359
WebMail Protocols 359
Enabling WebMail 359
Configuring WebMail 360
Setting Up Secure Sockets Layer (SSL) Service 361
Generating a Certificate Signing Request (CSR) for Your Server 361
Obtaining a Web Site Certificate 362
Installing the Certificate on Your Server 363
Enabling SSL for the Site 363
Solving Problems 364
Users Can’t Connect to a Web Site on
Your Server 364 A Web Module Is Not Working as Expected 364 A CGI Will Not Run 364 Installing and Viewing Web Modules 365 Macintosh-Specific Modules 365 mod_macbinary_apple 365 mod_sherlock_apple 365 mod_auth_apple 365 mod_redirectacgi_apple 366 mod_hfs_apple 366 Open-Source Modules 366 Tomcat 366 PHP: Hypertext Preprocessor 366 mod_perl 366 MySQL 367 Where to Find More Information 367 9 Mail Service 369 Mail Service Protocols 370 Post Office Protocol (POP) 370 Internet Message Access Protocol (IMAP) 371 Simple Mail Transfer Protocol (SMTP) 371 SMTP Alternatives: Sendmail and Postfix 371 How Mail Service Uses SSL 372 How Mail Service Uses DNS 372 LL9285.Book Page 23 Tuesday, June 25, 2002 3:59 PM24 Contents Where Mail Is Stored 373 How User Account Settings Affect Mail Service 373 What Mail Service Can Do About Junk Mail 373 SMTP Authentication 374 Restricted SMTP Relay 374 SMTP Authentication and Restricted SMTP Relay Combinations 375 Rejected SMTP Servers 375 Mismatched DNS Name and IP Address 375 Blacklisted Servers 375 What Mail Service Doesn’t Do 376 Mail Service Configuration in the Local Directory 376 Overview of Mail Service Tools 376 Setup Overview 377 Overview of Ongoing Mail Service Management 379 Before You Begin 379 Working With General Settings for Mail Service 380 Starting and Stopping Mail Service 380 Starting Mail Service Automatically 380 Requiring or Allowing Kerberos Authentication 381 Adding or Removing Local Names for the Mail Server 381 Changing Protocol Settings for Mail Service 382 Monitoring and Archiving Mail 382 Working With Settings for Incoming Mail 382 Limiting Incoming Message Size 383 Deleting Email Automatically 383 Notifying Users Who Have New Mail 383 Working With Settings for Incoming POP Mail 384 Requiring Authenticated POP (APOP) 384 Changing the POP Response Name 384 Changing the POP Port Number 385 Working With Settings for Incoming IMAP Mail 385 Requiring Secure IMAP Authentication 385 Changing the IMAP Response Name 386 
Using Case-Sensitive IMAP Folder Names 386 LL9285.Book Page 24 Tuesday, June 25, 2002 3:59 PMContents 25 Controlling IMAP Connections Per User 386 Terminating Idle IMAP Connections 387 Changing the IMAP Port Number 387 Working With Settings for Outgoing Mail 387 Sending Nonlocal Mail 388 Sending Only Local Mail 388 Suspending Outgoing Mail Service 388 Working With Settings for SMTP Mail 389 Requiring SMTP Authentication 389 Sending SMTP Mail via Another Server 389 Changing the SMTP Response Names 390 Changing the Incoming SMTP Port Number 391 Changing the Outgoing SMTP Port Number 391 Enabling an Alternate Mail Transfer Agent 391 Starting Sendmail 392 Working With the Mail Database 393 Converting the Mail Database From an Earlier Version 393 Changing Where Mail Is Stored 394 Configuring Automatic Mail Deletion 394 Allowing Administrator Access to the Mail Database and Files 394 Cleaning Up the Mail Files 395 Working With Network Settings for Mail Service 396 Specifying DNS Lookup for Mail Service 396 Updating the DNS Cache in Mail Service 397 Changing Mail Service Timeouts 397 Limiting Junk Mail 398 Restricting SMTP Relay 398 Rejecting SMTP Connections From Specific Servers 399 Checking for Mismatched SMTP Server Name and IP Address 399 Rejecting Mail From Blacklisted Senders 401 Allowing SMTP Relay for a Backup Mail Server 401 Filtering SMTP Connections 401 Working With Undeliverable Mail 402 Forwarding Undeliverable Incoming Mail 402 LL9285.Book Page 25 Tuesday, June 25, 2002 3:59 PM26 Contents Limiting Delivery Attempts in Mail Service 402 Sending Nondelivery Reports to Postmaster 403 Monitoring Mail Status 403 Viewing Overall Mail Service Activity 404 Viewing Connected Mail Users 404 Viewing Mail Accounts 404 Reviewing Mail Service Logs 404 Reclaiming Disk Space Used by Mail Service Logs 405 Supporting Mail Users 405 Configuring Mail Settings for User Accounts 405 Configuring Email Client Software 406 Creating Additional Email Addresses for a User 407 
Performance Tuning 407 Backing Up and Restoring Mail Files 408 Where to Find More Information 408 Books 408 Internet 409 10 Client Management: Mac OS 9 and OS 8 411 The User Experience 412 Logging In 412 Logging In Using the All Other Users Account 413 Logging In Using the Guest Account 413 Locating the Home Directory 413 Finding Applications 414 Finding Shared Documents 414 Before You Begin 414 Client Computer Requirements 414 Administrator Computer Requirements 415 Using Update Packages 417 Choosing a Language for Macintosh Manager Servers and Clients 417 Changing the Apple File Service Language Script 418 Inside Macintosh Manager 418 Macintosh Manager Security 418 About the Macintosh Manager Share Point 419 LL9285.Book Page 26 Tuesday, June 25, 2002 3:59 PMContents 27 The Multi-User Items Folder 419 How the Multi-User Items Folder Is Updated 420 How Macintosh Manager Works With Directory Services 420 Where User Information Is Stored 421 How Macintosh Manager Works With Home Directories 422 How Macintosh Manager Works With Preferences 422 Where Macintosh Manager Preferences Are Stored 422 Using the MMLocalPrefs Extension 423 Using NetBoot With Macintosh Manager 423 Preparation for Using NetBoot 423 Setting Up Mac OS 9 or Mac OS 8 Managed Clients 424 Logging In to Macintosh Manager as an Administrator 425 Working With Macintosh Manager Preferences 426 Importing User Accounts 426 Applying User Settings With a Template 426 Importing All Users 427 Importing One or More Users 427 Collecting User Information in a Text File 428 Importing a List of Users From a Text File 428 Finding Specific Imported Users 429 Providing Quick Access to Unimported Users 429 Using Guest Accounts 429 Providing Access to Unimported Mac OS X Server Users 430 Setting Up a Guest User Account 431 Designating Administrators 431 About Macintosh Manager Administrators 431 Allowing Mac OS X Server Administrators to Use Macintosh Manager Accounts 432 About Workgroup Administrators 432 Creating a 
Macintosh Manager Administrator 432 Creating a Workgroup Administrator 432 Changing Your Macintosh Manager Administrator Password 433 Working With User Settings 433 Changing Basic User Settings 433 Allowing Multiple Logins for Users 434 LL9285.Book Page 27 Tuesday, June 25, 2002 3:59 PM28 Contents Granting a User System Access 434 Changing Advanced Settings 434 Limiting a User’s Disk Storage Space 435 Updating User Information From Mac OS X Server 435 Setting Up Workgroups 436 Types of Workgroup Environments 436 Creating a Workgroup 436 Using a Template to Apply Workgroup Settings 437 Creating Workgroups From an Existing Workgroup 437 Modifying an Existing Workgroup 438 Using Items Settings 438 Setting Up Shortcuts to Items for Finder Workgroups 438 Making Items Available to Panels or Restricted Finder Workgroups 439 Making Items Available to Individual Users 440 Using Privileges Settings 440 Protecting the System Folder and Applications Folder 440 Protecting the User’s Desktop 440 Preventing Applications From Altering Files 441 Preventing Access to FireWire Disks 441 Allowing Users to Play Audio CDs 441 Allowing Users to Take Screen Shots 442 Allowing Users to Open Applications From a Disk 442 Setting Access Privileges for Removable Media 442 Setting Access Privileges for Menu Items 443 Sharing Information in Macintosh Manager 443 Selecting Privileges for Workgroup Folders 444 Setting Up a Shared Workgroup Folder 444 Setting Up a Hand-In Folder 445 Using Volumes Settings 445 Connecting to AFP Servers 445 Providing Access to Server Volumes 446 Using Printers Settings 447 Making Printers Available to Workgroups 447 Setting a Default Printer 447 LL9285.Book Page 28 Tuesday, June 25, 2002 3:59 PMContents 29 Restricting Access to Printers 448 Setting Print Quotas 448 Allowing Users to Exceed Print Quotas 448 Setting Up a System Access Printer 449 Using Options Settings 449 Choosing a Location for Storing Group Documents 450 Making Items Open at Startup 450 Checking for 
Email When Users Log In 451 Creating Login Messages for Workgroups 451 Setting Up Computer Lists 451 Creating Computer Lists 451 Setting Up the All Other Computers Account 452 Duplicating a Computer List 452 Creating a Computer List Template 453 Disabling Login for Computers 453 Using Workgroup Settings for Computers 454 Controlling Access to Computers 454 Using Control Settings 454 Disconnecting Computers Automatically to Minimize Network Traffic 454 Setting the Computer Clock Using the Server Clock 455 Using a Specific Hard Disk Name 455 Creating Email Addresses for Managed Users 455 Using Security Settings for Computers 456 Keeping Computers Secure If a User Forgets to Log Out 456 Allowing Access to All CDs and DVDs 457 Allowing Access to Specific CDs or DVDs 457 Choosing Computer Security Settings for Applications 457 Allowing Specific Applications to Be Opened by Other Applications 458 Allowing Users to Work Offline 458 Allowing Users to Switch Servers After Logging In 459 Allowing Users to Force-Quit Applications 459 Allowing Users to Disable Extensions 459 Using Computer Login Settings 460 Choosing How Users Log In 460 LL9285.Book Page 29 Tuesday, June 25, 2002 3:59 PM30 Contents Creating Login Messages for Computers 460 Customizing Panel Names 460 Managing Portable Computers 461 Portable Computers With Network Users 461 Portable Computers With Local Users 461 Letting Users Check Out Computers 462 Using Wireless Services 462 Using Global Security Settings 462 Using Macintosh Manager Reports 463 Setting the Number of Items in a Report 463 Keeping the Administration Program Secure 463 Verifying Login Information Using Kerberos 464 Preventing Users From Changing Their Passwords 464 Allowing Administrators to Access User Accounts 464 Copying Preferences for Mac OS 8 Computers 464 Using Global CD-ROM Settings 465 Managing Preferences 466 Using Initial Preferences 466 Using Forced Preferences 467 Preserved Preferences 468 Solving Problems 470 I’ve Forgotten My 
Administrator Password 470 Administrators Can’t Get to the Finder After Logging In 470 Generic Icons Appear in the Items Pane 470 Selecting “Local User” in the Multiple Users Control Panel Doesn’t Work 471 Some Printers Don’t Appear in the Available Printers List 471 Users Can’t Log In to the Macintosh Manager Server 471 Users Can’t Log In as “Guest” on Japanese-Language Computers 471 A Client Computer Can’t Connect to the Server 471 The Server Doesn’t Appear in the AppleTalk List 472 The User’s Computer Freezes 472 Users Can’t Access Their Home Directories 472 Users Can’t Access Shared Files 472 Shared Workgroup Documents Don’t Appear in a Panels Environment 472 LL9285.Book Page 30 Tuesday, June 25, 2002 3:59 PMContents 31 Applications Don’t Work Properly or Don’t Open 472 Users Can’t Drag and Drop Between Applications 473 Users Can’t Open Files From a Web Page 473 Sometimes the Right Application Doesn’t Open for Users 473 Where to Find More Information 473 11 DHCP Service 475 Before You Set Up DHCP Service 475 Creating Subnets 476 Assigning IP Addresses Dynamically 476 Using Static IP Addresses 476 Locating the DHCP Server 476 Interacting With Other DHCP Servers 477 Assigning Reserved IP Addresses 477 Setting Up DHCP Service for the First Time 477 Managing DHCP Service 478 Starting and Stopping DHCP Service 478 Setting the Default DNS Server for DHCP Clients 479 Setting the LDAP Server for DHCP Clients 479 Setting Up Logs for DHCP Service 480 Deleting Subnets From DHCP Service 480 Changing Lease Times for Subnet Address Ranges 480 Monitoring DHCP Client Computers 481 Creating Subnets in DHCP Service 481 Changing Subnet Settings in DHCP Service 481 Setting DNS Options for a Subnet 482 Setting NetInfo Options for a Subnet 482 Disabling Subnets Temporarily 483 Viewing DHCP and NetBoot Client Lists 483 Viewing DHCP Log Entries 483 Solving Problems 484 Where to Find More Information 484 12NetBoot 485 Prerequisites 486 LL9285.Book Page 31 Tuesday, June 25, 2002 3:59 
PM32 Contents Administrator Requirements 486 Server Requirements 486 Client Computer Requirements 487 Network Requirements 488 Capacity Planning 488 NetBoot Implementation 489 NetBoot Image Folder 489 Property List File 490 Boot Server Discovery Protocol (BSDP) 491 TFTP and the Boot ROM File 492 NetBoot Files and Directory Structure 493 Security 493 NetBoot and AirPort 493 Setup Overview 493 Setting Up NetBoot on a Mac OS X Server 496 Creating a Mac OS X Disk Image 496 Installing Classic (Mac OS 9) on a Mac OS X Disk Image 497 Installing the Mac OS 9 Disk Image 497 Modifying the Mac OS 9 Disk Image 498 Specifying the Default NetBoot Disk Image 500 Setting Up Multiple Disk Images 500 Configuring NetBoot on Your Server 501 Starting NetBoot on Your Server 501 Enabling NetBoot Disk Images 502 Managing NetBoot 502 Turning Off NetBoot 502 Disabling Disk Images 502 Updating Mac OS X Disk Images 503 Monitoring the Status of Mac OS X NetBoot Clients 503 Monitoring the Status of Mac OS 9 NetBoot Clients 503 Filtering NetBoot Client Connections 503 Load Balancing 504 Enabling Server Selection 504 Using Share Points to Spread the Load 505 LL9285.Book Page 32 Tuesday, June 25, 2002 3:59 PMContents 33 Supporting Client Computers 505 Updating the Startup Disk Control Panel 505 Setting Up “System-Less” Clients 506 Selecting a NetBoot Startup Image (from Mac OS X) 506 Selecting a NetBoot Startup Image (from Mac OS 9) 506 Starting Up Using the N Key 507 Solving Problems 507 A NetBoot Client Computer Won’t Start Up 507 You Are Using Macintosh Manager and a User Can’t Log In to a NetBoot Client 508 13 Network Install 509 Understanding Packages 509 Setup Overview 510 Setting Up Network Install 511 Creating a Network Install Disk Image 511 Creating Custom Packages for Network Install 512 Including Packages in an Installer Disk Image 512 Enabling Installer Disk Images 513 14 DNS Service 515 Before You Set Up DNS Service 516 DNS and BIND 516 Setting Up Multiple Name Servers 516 Using DNS 
With Mail Service 516 Setting Up DNS Service for the First Time 517 Managing DNS Service 518 Starting and Stopping DNS Service 518 Viewing DNS Log Entries 519 Viewing DNS Service Status 519 Viewing DNS Usage Statistics 519 Inside DNS Service (Configuring BIND) 520 What Is BIND? 520 BIND on Mac OS X Server 520 BIND Configuration File 520 Zone Data Files 521 LL9285.Book Page 33 Tuesday, June 25, 2002 3:59 PM34 Contents Practical Example 521 Setting Up Sample Configuration Files 521 Configuring Clients 522 Check Your Configuration 523 Load Distribution With Round Robin 523 Setting Up a Private TCP/IP Network 523 Where to Find More Information 524 15 Firewall Service 525 Before You Set Up Firewall Service 527 What Is a Filter? 527 IP Address 527 Subnet Mask 527 Using Address Ranges 528 IP Address Precedence 529 Multiple IP Addresses 529 Practical Examples 529 Block Access to Internet Users 529 Block Junk Mail 530 Allow a Customer to Access the Apple File Server 530 Setting Up Firewall Service for the First Time 530 Managing Firewall Service 531 Starting and Stopping Firewall Service 531 Setting Firewall Service to Start Automatically 531 Editing IP Filters 532 Creating an IP Filter 532 Searching for IP Filters 533 Viewing the Firewall Log 533 Configuring Firewall Service 533 Setting Up Logs for Firewall Service 534 Viewing Denied Packets 535 Filtering UDP Ports in Firewall Service 535 Blocking Multicast Services in Firewall Service 536 Allowing NetInfo Access to Certain IP Addresses 536 Changing the Any Port (Default) Filter 537 LL9285.Book Page 34 Tuesday, June 25, 2002 3:59 PMContents 35 Preventing Denial-of-Service Attacks 537 Creating IP Filter Rules Using ipfw 538 Reviewing IP Filter Rules 539 Creating IP Filter Rules 539 Deleting IP Filter Rules 539 Port Reference 540 Solving Problems 543 You Can’t Access the Server Over TCP/IP 543 You Can’t Locate a Specific Filter 543 Where to Find More Information 543 16 SLP DA Service 545 SLP DA Considerations 545 Before You 
Begin 545 Managing Service Location Protocol (SLP) Directory Agent (DA) Service 547 Starting and Stopping SLP DA Service 547 Viewing Scopes and Registered Services in SLP 547 Creating New Scopes in SLP DA Service 548 Registering a Service With SLP DA 548 Deregistering Services in SLP DA Service 549 Setting Up Logs for SLP DA Service 549 Logging Debugging Messages in SLP DA Service 549 Viewing SLP DA Log Entries 549 Using the Attributes List 550 Where to Find More Information 550 17 Tools for Advanced Users 551 Terminal 552 Using the Terminal Application 552 Understanding UNIX Command-Line Structure 553 Secure Shell (SSH) Command 553 Enabling and Disabling SSH Access 553 Opening an SSH Session 553 Executing Commands in an SSH Session 554 Closing an SSH Session 554 LL9285.Book Page 35 Tuesday, June 25, 2002 3:59 PM36 Contents Understanding Key Fingerprints 554 dsimportexport 555 Log Rolling Scripts 555 diskspacemonitor 556 diskutil 557 installer 558 Using installer 558 Full Operating System Installation 559 softwareupdate 561 systemsetup 561 Working With Server Identity and Startup 561 Working With Date and Time Preferences 562 Working With Sleep Preferences 562 networksetup 562 Reverting to Previous Network Settings 563 Retrieving Your Server’s Network Configuration 563 Configuring TCP/IP Settings 564 Configuring DNS Servers and Search Domains 564 Managing Network Services 564 Designating Proxy Servers 565 MySQL Manager 565 Simple Network Management Protocol (SNMP) Tools 566 diskKeyFinder 566 Enabling IP Failover 567 Requirements 567 Hardware 567 Software 567 Failover Operation 567 Enabling IP Failover 569 Configuring IP Failover 569 Notification Only 570 Pre And Post Scripts 570 LL9285.Book Page 36 Tuesday, June 25, 2002 3:59 PMContents 37 Appendix A Open Directory Data Requirements 573 User Data That Mac OS X Server Uses 573 Standard Data Types in User Records 574 Format of the MailAttribute Data Type 577 Standard Data Types in Group Records 580 Glossary 581 Index 
591 LL9285.Book Page 37 Tuesday, June 25, 2002 3:59 PMLL9285.Book Page 38 Tuesday, June 25, 2002 3:59 PM39 P R E F A C E How to Use This Guide What’s Included in This Guide This guide consists primarily of chapters that tell you how to administer individual Mac OS X Server services: m Chapter 1, “Administering Your Server,” highlights the major characteristics of Mac OS X Server’s services and takes you on a tour of its administration applications. m Chapter 2, “Directory Services,” describes the services that Mac OS X computers use to find information about users, groups, and devices on your network. The Mac OS X directory services architecture is referred to as Open Directory. m Chapter 3, “Users and Groups,” covers user and group accounts, describing how to administer settings for server users and collections of users (groups), including Open Directory Password Server and other password authentication options. m Chapter 4, “Sharing,” tells you how to share folders, hard disks, and CDs among network users, as well as how to make them automatically visible after logging in to Mac OS X computers. m Chapter 5, “File Services,” describes the file services included in Mac OS X Server: Apple file service, Windows services, Network File System (NFS) service, and File Transfer Protocol (FTP) service. m Chapter 6, “Client Management: Mac OS X,” addresses client management for Mac OS X computer users. Client management lets you customize a user’s working environment and restrict a user’s access to network resources. m Chapter 7, “Print Service,” tells you how to share printers among users on Macintosh, Windows, and other computers. m Chapter 8, “Web Service,” describes how to set up and administer a Web server and host multiple Web sites on your server. 
m Chapter 9, “Mail Service,” describes how to set up and administer a mail server on your server.40 Preface m Chapter 10, “Client Management: Mac OS 9 and OS 8,” addresses client management for Mac OS 8 and 9 computer users, describing how to use Macintosh Manager to manage their day-to-day working environments. m Chapter 11, “DHCP Service,” describes Dynamic Host Configuration Protocol (DHCP) service, which lets you dynamically allocate IP addresses to the computers used by server users. m Chapter 12, “NetBoot,” describes the application that lets Macintosh Mac OS 9 and X computers boot from a network-based system image. m Chapter 13, “Network Install,” tells you how to use the centralized network software installation service that automates installing, restoring, and upgrading Macintosh computers on your network. m Chapter 14, “DNS Service,” describes Dynamic Name Service (DNS), a distributed database that maps IP addresses to domain names. m Chapter 15, “Firewall Service,” addresses how to protect your server by scanning incoming IP packets and rejecting or accepting these packets based on filters you create. m Chapter 16, “SLP DA Service,” describes Service Location Protocol Directory Assistant (SLP DA), which you can use to make devices on your network visible to your server users. m Chapter 17, “Tools for Advanced Users,” describes server applications, tools, and techniques intended for use by experienced server administrators. m Appendix A, “Open Directory Data Requirements,” provides information you’ll need when you must map directory services information needed by Mac OS X to information your server will retrieve from another vendor’s server. m The Glossary defines terms you’ll encounter as you read this guide. Using This Guide Review the first chapter to acquaint yourself with the services and applications that Mac OS X Server provides. Then read any chapter that’s about a service you plan to provide to your users. 
Each service’s chapter includes an overview of how the service works, what it can do for you, strategies for using it, how to set it up for the first time, and how to administer it over time. Also take a look at any chapter that describes a service with which you’re unfamiliar. You may find that some of the services you haven’t used before can help you run your network more efficiently and improve performance for your users. Most chapters end with a section called “Where to Find More Information.” This section points you to Web sites and other reference material containing more information about the service.How to Use This Guide 41 Setting Up Mac OS X Server for the First Time If you haven’t installed and set up Mac OS X Server, do so now. m Refer to Getting Started With Mac OS X Server, the document that came with your software, for instructions on server installation and setup. For many environments, this document provides all the information you need to get your server up, running, and available for initial use. m Review Chapter 1, “Administering Your Server,” in this guide to determine which services you’d like to refine and expand, to identify new services you’d like to set up, and to learn about the server applications you’ll use during these activities. m Read specific chapters to learn how to continue setting up individual services. Pay particular attention to the information in these sections: “Setup Overview,” “Before You Begin,” and “Setting Up for the First Time.” Getting Help for Everyday Management Tasks If you want to change settings, monitor services, view service logs, or do any other day-to-day administration task, you can find step-by-step procedures by using the online help available with server administration programs. While all the administration tasks are also documented in this guide, sometimes it’s more convenient to retrieve information in online help form while using your server. 
Getting Additional Information In addition to this document, you’ll find information about Mac OS X Server m in Getting Started With Mac OS X Server, which tells you how to install and set up your server initially m in Upgrading to Mac OS X Server, which provides instructions for migrating data to Mac OS X Server from existing Macintosh computers m at www.apple.com/macosx/server m in online help on your server m in Read Me files on your server CD43 C H A P T E R 1 1 Administering Your Server Mac OS X Server is a powerful server platform that delivers a complete range of services to users on the Internet and local network: m You can connect users to each other, using services such as mail and file sharing. m You can share system resources, such as printers and computers—maximizing their availability as users move about and making sure that disk space and printer usage remain equitably shared. m You can host Internet services, such as Web sites and streaming video. m You can customize working environments—such as desktop resources and personal files—of networked users. This chapter is a tour of Mac OS X Server capabilities and administration. The chapter begins by pointing out some of Mac OS X Server’s key features. Then it summarizes the services you can set up to support the clients you want your server to host. Finally, it introduces the applications you use to set up and administer your server. Highlighting Key Features Mac OS X Server has a wide range of features that characterize it as easy to use, yet robust and high performing. Ease of Setup and Administration From the time you first unpack your server throughout its initial setup and deployment, its ease of use is prominent. Setup assistants quickly walk you through the process of making basic services initially available. 
While your network users take advantage of the initial file sharing, mail, Web and other services, you can add on additional client support and manage day-to-day server operations using graphical administrative applications. From one administrator computer, you can set up and manage all the Mac OS X Servers on your network.44 Chapter 1 Networking and Security You can choose from several user authentication options, ranging from Kerberos or Lightweight Directory Access Protocol (LDAP) to Mac OS X Server’s Open Directory Password Server. Password Server lets you implement password policies and supports a wide variety of client protocols. The Password Server is based on a standard known as SASL (Simple Authentication and Security Layer), so it can support a wide range of network user authentication protocols that are used by clients of Mac OS X Server services, such as mail and file servers, that need to authenticate users. Kerberos authentication is available for file services—Apple Filing Protocol (AFP) and File Transfer Protocol (FTP)—as well as for mail services (POP, IMAP, and SMTP). External network communication requests can be controlled with built-in Internet Protocol (IP) firewall management. And data communications can be encrypted and authenticated with protocol-level data security provided with Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Secure Shell (SSH). File and Printer Sharing File sharing offers flexible support for various native protocols as well as security and high availability: m It’s easy to share files with Macintosh, Windows, UNIX, Linux, and anonymous Internet clients. m You can control how much file space individual users consume by setting up mail and file quotas. Quotas limit the number of megabytes a user can use for mail or files. m Kerberos authentication is available for AFP and FTP file servers. 
m You can improve the security of NFS volumes by setting up share points on them that let users access them using the more secure AFP protocol. This feature is referred to as resharing NFS mounts. m AFP autoreconnect lets client computers keep Apple file servers mounted after long periods of inactivity or after sleep/wake cycles. Mac OS X Server printer sharing includes m the ability to set up print quotas. Print quotas can be set up for each user and each print queue, letting you limit the number of pages that can be printed during a particular period. m support for sharing printers among Mac OS 9 users (AppleTalk and LaserWriter 8 support), Mac OS X, Windows, and UNIX usersAdministering Your Server 45 Open Directory Services User and group information is used by your server to authenticate users and authorize their access to services and files. Information about other network resources is used by your server to make printers and other devices available to particular users. To access this information, the server retrieves it from centralized data repositories known as directory domains. The term for the services that locate and retrieve this data is directory services. The Mac OS X directory services architecture is referred to as Open Directory. It lets you store data in a way that best suits your environment. Mac OS X Server can host directory domains using Apple’s NetInfo and LDAP directory domains. Open Directory also lets you take advantage of information you have already set up in non-Apple directory domains—for example, LDAP or Active Directory servers or Berkeley Software Distribution (BSD) configuration files. Comprehensive Management of Macintosh Workgroups Workgroup management services let you simplify and control the environment that Macintosh client users experience. Mac OS X Server client management support helps you personalize the computing environment of Macintosh clients. 
You can set up Mac OS 8, 9, and X computers to have particular desktop environments and access to particular applications and network resources. You can design your Macintosh users' experience as circumstances warrant.

You can also use NetBoot and Network Install to automate the setup of software used by Macintosh client computers:

• NetBoot lets Mac OS 9 and Mac OS X computers boot from a network-based system image, offering quick and easy configuration of department, classroom, and individual systems as well as Web and application servers throughout a network. When you update NetBoot images, all NetBooted computers have instant access to the new configuration.
• Network Install is a centralized network software installation service. It lets you selectively and automatically install, restore, or upgrade network-based Macintosh systems anywhere in the organization.

Mac OS X Server also lets you automatically configure the directory services you want Mac OS X clients to have access to. Automatic directory services configuration means that when a user logs in to a Mac OS X computer, the user's directory service configuration is automatically downloaded from the network, setting up the user's network access policies, preferences, and desktop configuration without the need to configure the client computer directly.

High Availability

To maximize server availability, Mac OS X Server includes technology for monitoring server activity, monitoring and reclaiming disk space, automatically restarting malfunctioning services, and automatically restarting the server following a power failure.

You can also configure IP failover. IP failover is a way to set up a standby server that takes over if the primary server fails. The standby server takes over the IP address of the failed server, which takes the IP address back when it is online again.
IP failover is useful for DNS servers, Web servers hosting Web sites, media broadcast servers, and other servers that require minimal data replication.

Extensive Internet and Web Services

Powerful Internet and Web services are built into Mac OS X Server:

• Apache, the most popular Web server, provides reliable, high-performance Web content delivery. Integrated into Apache is Web-Based Distributed Authoring and Versioning (WebDAV), which simplifies the Web publishing and content management environment.
• If your Web sites contain static HTML files that are frequently requested, you can enable a performance cache to improve server performance.
• Web services include a comprehensive assortment of open-source services: Ruby, Tomcat, MySQL, PHP, and Perl.
• Mac OS X Server includes a high-performance Java virtual machine.
• SSL support enables encryption and authentication for ecommerce Web sites and confidential materials.
• QuickTime Streaming Server (QTSS) lets you stream both live and stored multimedia content on the Internet using industry-standard protocols.
• Mail service lets you set up a mail server your network users can use to send and receive email.
• WebMail service bundled with Mac OS X Server enables your users to access mail service via a Web browser.

Highlighting Individual Services

This section highlights individual Mac OS X Server services and tells you where in this guide to find more information about them.

Directory Services

Directory services let you use a central data repository for user and network information your server needs to authenticate users and give them access to services. Information about users (such as their names, passwords, and preferences) as well as printers and other resources on the network is consolidated rather than distributed to each computer on the network, simplifying the administrator's tasks of directory domain setup and maintenance.
Open Directory

On Mac OS X computers, the directory services are collectively referred to as Open Directory. Open Directory acts as an intermediary between directory domains that store information and Mac OS X processes that need the information. Open Directory supports a wide variety of directory domains, letting you store your directory information on Mac OS X Server or on a server you already have set up for this purpose:

• You can define and manage information in directory domains that reside on Mac OS X Server. Open Directory supports both NetInfo and LDAPv3 protocols and gives you complete control over directory data creation and management.
• Mac OS X Server can also retrieve directory data from LDAP and Active Directory servers and BSD configuration files you've already set up. Your server provides full read/write and SSL communications support for LDAPv3 directory domains.

Chapter 2, "Directory Services," provides complete information about all the Open Directory options, including instructions for how to create Mac OS X-resident directory domains and how to configure your server and your clients to access directory domains of all kinds. Chapter 3, "Users and Groups," describes how to work with user and group accounts stored in Open Directory domains.

Password Validation

Open Directory gives you several options for validating a user's password:

• Using a value stored as a readable attribute in the user's account. (Any process that can read the user record can read this value too, so it offers the least protection of the four options.)
• Using a value stored in the Open Directory Password Server. This strategy lets you set up user-specific password policies. For example, you can require a user to change his or her password periodically or use only passwords longer than a minimum number of characters. Password Server supports a wide range of client authentication protocols.
• Using a Kerberos server.
• Using LDAP bind authentication with a non-Apple LDAPv3 directory server.
"Understanding Password Validation" on page 189 provides more information about these options and tells you how to implement them.

Search Policies

Before a user can log in to or connect with a Mac OS X client or server, he or she must enter a name and password associated with a user account that the computer can find. A Mac OS X computer can find user accounts that reside in a directory domain of the computer's search policy. A search policy is a list of directory domains the computer searches, in order, when it needs configuration information. You can configure the search policy of Mac OS X computers on the computers themselves. You can automate Mac OS X client directory setup by using your server's built-in DHCP Option 95 support. Chapter 2, "Directory Services," describes how to configure search policies on any Mac OS X computer.

File Services

Mac OS X Server makes it easy to share files using the native protocols of different kinds of client computers. Mac OS X Server includes four file services:

• Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources with clients who use Macintosh or Macintosh-compatible operating systems.
• Windows services use the Server Message Block (SMB) protocol to let you share resources with clients who use Windows, and to provide name resolution service for Windows clients.
• File Transfer Protocol (FTP) service lets you share files with anyone using FTP.
• Network File System (NFS) service lets you share files and folders with users who have NFS client software (UNIX users).

You can deploy network home directories for Mac OS X clients using AFP and for UNIX clients using NFS. With a network home directory, users can access their applications, documents, and individual settings regardless of the computer to which they log in. You can impose disk quotas on network home directories to regulate server disk usage for users with home directories.
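The DHCP Option 95 mechanism named under "Search Policies" deserves a closer look, because it lets the network, not the administrator, tell a client which directory server to trust. The following is an added example, not code from the guide or from Apple: it encodes and parses the DHCP option field, pulls out the Option 95 value (an LDAP URL the client uses to locate its directory settings), and shows the one check that matters, namely that DHCP is unauthenticated, so a client takes Option 95 from whichever DHCP server answers first. The server names, URLs and packet bytes are constructed sample data, and the trusted-host pinning in `ldap_server_from_reply` is a hardening idea of this example, not a feature of the Mac OS X client.

```python
"""Added example (not from the Mac OS X Server guide): DHCP Option 95 as a
TLV in the DHCP options field, and a client-side sanity check on it.
Assumptions: option layout per RFC 2132 (code, length, value, END=255);
Option 95 value is an LDAP URL; trusted_hosts pinning is this example's
own hardening idea. All names, URLs and bytes below are constructed."""
import re
from typing import Dict, List, Tuple

OPTION_LDAP = 95   # IANA "LDAP" option; Mac OS X clients read an LDAP URL from it
OPTION_END = 255
OPTION_PAD = 0


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (code, value) pairs as DHCP TLVs and terminate with END."""
    out = bytearray()
    for code, value in options:
        if not 0 < code < 255:
            raise ValueError(f"option code {code} out of range")
        if len(value) > 255:
            raise ValueError(f"option {code} longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse TLVs up to END; a truncated option is an error, never a guess."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


_LDAP_URL = re.compile(r"^ldaps?://[A-Za-z0-9.-]+(:\d+)?(/.*)?$")


def ldap_server_from_reply(blob: bytes, trusted_hosts: List[str]) -> str:
    """What a hardened client would do with Option 95 (this example's policy):
    accept it only if it is a well-formed LDAP URL naming a directory host
    the administrator already expects. Plain DHCP gives no other assurance."""
    opts = decode_options(blob)
    if OPTION_LDAP not in opts:
        raise LookupError("no Option 95 in reply")
    url = opts[OPTION_LDAP].decode("ascii", errors="strict")
    if not _LDAP_URL.match(url):
        raise ValueError(f"Option 95 is not an LDAP URL: {url!r}")
    host = url.split("//", 1)[1].split("/", 1)[0].split(":", 1)[0]
    if host not in trusted_hosts:
        raise PermissionError(f"Option 95 points at unexpected directory host {host}")
    return url


if __name__ == "__main__":
    # Constructed DHCP ACK option field: message type 5 (ACK) plus Option 95.
    reply = encode_options([(53, b"\x05"), (OPTION_LDAP, b"ldap://ldap.example.com/")])
    print(ldap_server_from_reply(reply, ["ldap.example.com"]))
```

The guide's own alternative to Option 95, configuring the search policy on each client, is the conservative choice on networks where you cannot rule out a rogue DHCP server; if you do rely on Option 95, the directory server it names should require SSL (the guide notes LDAPv3 over SSL is supported) so that a spoofed address at least cannot impersonate the real directory.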
Sharing

You share files among users by designating share points. A share point is a folder, hard disk (or hard disk partition), or CD that you make accessible over the network. It's the point of access at the top level of a group of shared items. On Mac OS X computers, share points can be found in the /Network directory and by using the Finder's Connect To Server command. On Mac OS 8 and 9 computers, users access share points using the Chooser. On Windows computers, users use Network Neighborhood. Chapter 4, "Sharing," tells you how to set up and manage share points.

Static file server listings can also be published in a non-Apple directory domain, making it easy for computers in your company that are not on your local network to discover and connect to Mac OS X Server.

Apple File Service

Apple Filing Protocol (AFP) allows Macintosh client users to connect to your server and access folders and files as if they were located on the user's own computer. AFP offers

• file sharing support for Macintosh clients over TCP/IP
• autoreconnect support when a file server connection is interrupted
• encrypted file sharing (AFP through SSH)
• automatic creation of user home directories
• Kerberos v5 authentication for Mac OS X v10.2 and later clients
• fine-grain access controls for managing client connections and guest access
• automatic disconnect of idle clients after a period of inactivity

AFP also lets you reshare NFS mounts using AFP. This feature provides a way for clients not on the local network to access NFS volumes via a secure, authenticated AFP connection. It also lets Mac OS 9 clients access NFS file services on traditional UNIX networks. See "Apple File Service" on page 224 for details about AFP.
Windows Services

Windows services in Mac OS X Server provide four native services to Windows clients:

• file service, which allows Windows clients to connect to Mac OS X Server using the Server Message Block (SMB) protocol over TCP/IP
• print service, which uses SMB to allow Windows clients to print to PostScript printers on the network
• Windows Internet Naming Service (WINS), which allows clients across multiple subnets to perform name/address resolution
• browsing, which allows clients to browse for available servers across subnets

See "Windows Services" on page 235 for more information about Windows services.

Network File System (NFS) Service

NFS is the protocol used for file services on UNIX computers. The NFS term for sharing is export. You can export a shared item to a set of client computers or to "World." Exporting an NFS volume to World means that anyone who can reach your server can also access that volume.

NFS does not support name/password authentication. It relies on client IP addresses to identify hosts and on the client to enforce user privileges: the client tells the server which user ID and group IDs are making a request, and the server believes it. That is not a secure approach in most networks, since an IP address can be spoofed and anyone with root on a client can claim any user ID. Therefore use NFS only if you are on a local area network (LAN) with trusted client computers or if you are in an environment that can't use Apple file sharing or Windows file sharing. If you have Internet access and plan to export to World, your server should be behind a firewall. See "Network File System (NFS) Service" on page 256 for more information about NFS.

File Transfer Protocol (FTP)

FTP allows computers to transfer files over the Internet. Clients using any operating system that supports FTP can connect to your FTP file server and download files, depending on the permissions you set. Most Internet browsers and a number of freeware applications can be used to access your FTP server. FTP service in Mac OS X Server supports Kerberos v5 authentication and, for most FTP clients, resuming of interrupted FTP file transfers.
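To make the NFS warning above concrete, here is an added example (not code from the guide or from Apple's NFS server) of what an NFS server actually receives as a "credential": the ONC RPC AUTH_SYS flavor (historically AUTH_UNIX, defined with RPC in RFC 5531), in which the client itself encodes its uid and gids in XDR. Nothing in that structure is tied to a password or a key, which is why the only server-side controls are the export list (which hosts may talk to the server at all) and, commonly, mapping a claimed uid 0 to an unprivileged "nobody" uid. The host names, uids and export table below are constructed sample data; the export-table layout and the `map_root_to_nobody` flag are assumptions of this example, not the guide's configuration format.

```python
"""Added example (not from the Mac OS X Server guide): the AUTH_SYS credential
an NFS client sends, and the trust decision an NFS server can make from it.
Assumptions: XDR layout of AUTH_SYS (stamp, machinename, uid, gid, gids[<=16]);
the export table format and its map_root_to_nobody flag are this example's.
All hosts, addresses and uids are constructed sample data."""
import struct
from typing import Dict, List, Optional

AUTH_SYS = 1          # RPC auth flavor number for AUTH_SYS/AUTH_UNIX
NOBODY_UID = 65534    # conventional unprivileged uid used for root squashing


def _xdr_string(s: bytes) -> bytes:
    """XDR string: 4-byte big-endian length, data, zero padding to 4 bytes."""
    pad = (-len(s)) % 4
    return struct.pack(">I", len(s)) + s + b"\0" * pad


def encode_auth_sys(stamp: int, machine: str, uid: int, gid: int, gids: List[int]) -> bytes:
    """Build the opaque_auth body a client puts in every RPC call header.
    Note that uid/gid are whatever the client chooses to put here."""
    if len(gids) > 16:
        raise ValueError("AUTH_SYS allows at most 16 supplementary gids")
    body = struct.pack(">I", stamp) + _xdr_string(machine.encode())
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return body


def decode_auth_sys(body: bytes) -> Dict[str, object]:
    """Server side: decode the credential. There is no signature to verify."""
    off = 0
    (stamp,) = struct.unpack_from(">I", body, off)
    off += 4
    (n,) = struct.unpack_from(">I", body, off)
    off += 4
    machine = body[off:off + n].decode()
    off += n + ((-n) % 4)
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    off += 12
    gids = list(struct.unpack_from(">" + "I" * ngids, body, off))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}


def effective_uid(client_ip: str, cred: Dict[str, object],
                  exports: Dict[str, Dict[str, bool]]) -> Optional[int]:
    """The whole server-side decision: is the source address in the export
    list (or is the volume exported to World)? If so, trust the claimed uid,
    except that root on the client is usually squashed to NOBODY_UID."""
    export = exports.get(client_ip)
    if export is None:
        export = exports.get("World")
    if export is None:
        return None                      # host not in the export list: refused
    uid = int(cred["uid"])
    if uid == 0 and export.get("map_root_to_nobody", True):
        return NOBODY_UID                # classic root squash
    return uid


if __name__ == "__main__":
    # Constructed: a client on the LAN claims to be root; an Internet host does the same.
    exports = {"10.0.0.5": {"map_root_to_nobody": True},
               "World": {"map_root_to_nobody": False}}
    root_claim = decode_auth_sys(encode_auth_sys(12345, "client.example", 0, 0, [0, 20]))
    print("LAN root ->", effective_uid("10.0.0.5", root_claim, exports))       # 65534
    print("Internet root ->", effective_uid("203.0.113.9", root_claim, exports))  # 0
```

The second line of that run is the point of the guide's warning: an export to World without root squashing hands root-equivalent file access to any host on the Internet that cares to set uid 0 in its credential. The guide's alternative, resharing NFS mounts over AFP, replaces this client-asserted identity with a real Kerberos or Password Server login.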
Mac OS X Server also supports dynamic file conversion, allowing users to request compressed or decompressed versions of information on the server.

FTP is considered an insecure protocol, since user names and passwords travel across the Internet in clear text (the Kerberos v5 option avoids sending the password itself). Because of the security issues associated with FTP authentication, most FTP servers are used as Internet file distribution servers for anonymous FTP users. Mac OS X Server supports anonymous FTP and by default prevents anonymous FTP users from deleting files, renaming files, overwriting files, and changing file permissions. Explicit action must be taken by the server administrator to allow uploads from anonymous FTP users, and then only into a specific share point. See "File Transfer Protocol (FTP) Service" on page 244 for details about FTP.

Print Service

Print service in Mac OS X Server lets you share network and direct-connect printers among clients on your network. Print service also includes support for managing print queues, monitoring print jobs, logging, and using print quotas. Print service lets you

• share printers with Mac OS 9 (PAP, LaserWriter 8), Mac OS X (IPP, LPR/LPD), Windows (SMB/CIFS), and UNIX (LPR/LPD) clients
• share direct-connect USB printers with Mac OS X version 10.2 and later clients
• connect to network printers using AppleTalk, LPR, and IPP and connect to direct-connect printers using USB
• make printers visible using Open Directory directory domains
• impose print quotas to limit printer usage

See Chapter 7, "Print Service," for information about print service.

Web Service

Web service in Mac OS X Server is based on Apache, an open-source HTTP Web server. A Web server responds to requests for HTML Web pages stored on your site. Open-source software allows anyone to view and modify the source code to make changes and improvements. This has led to Apache's widespread use, making it the most popular Web server on the Internet today.
Web service includes a high-performance, front-end cache that improves performance for Web sites that use static HTML pages. With this cache, static data doesn't need to be read from disk by the server each time it is requested.

Web service also includes support for Web-based Distributed Authoring and Versioning (WebDAV). With WebDAV capability, your client users can check out Web pages, make changes, and then check the pages back in while the site is running. In addition, Mac OS X users can use a WebDAV-enabled Web server as if it were a file server.

Web service's Secure Sockets Layer (SSL) support enables encryption and authentication for ecommerce Web sites and confidential materials. A digital certificate binds your Web site's name to its public key; it proves the site's identity to clients that trust the certificate's issuer, for as long as the matching private key stays secret.

Mac OS X Server offers extensive support for dynamic Web sites:

• Web service supports Java Servlets, JavaServer Pages, MySQL, PHP, Perl, and UNIX and Mac CGI scripts.
• Mac OS X Server also includes WebObjects deployment software. WebObjects offers a flexible and scalable way to develop and deploy ecommerce and other Internet applications. WebObjects applications can connect to multiple databases and dynamically generate HTML content. You can also purchase the WebObjects development tools if you want to create WebObjects applications. For more information and documentation on WebObjects, go to the WebObjects Web page: www.apple.com/webobjects

See Chapter 8, "Web Service," for details about Web service.

Mail Service

Mail services support the SMTP, POP, and IMAP protocols, allowing you to select a local or server-based mail storage solution for your users. With remote mail administration you can manage the message database from any IMAP client. Realtime Blackhole List support allows you to block messages from known spam sources.
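The mail service's authentication options listed in this section (SMTP AUTH with the LOGIN and PLAIN mechanisms, APOP, and Kerberos) are all client protocols that a SASL-based Password Server, as described under "Networking and Security," can serve, but they differ sharply in what a network eavesdropper learns. The following is an added example, not code from the guide or from the mail server: it builds the exact bytes a client sends for AUTH PLAIN and AUTH LOGIN, shows that a sniffer recovers the password from them with a base64 decode, and contrasts that with APOP, which sends an MD5 digest over the server's timestamp banner instead of the password. The user names and passwords are constructed sample data, except the APOP banner, user and digest, which are the published example from RFC 1939.

```python
"""Added example (not from the Mac OS X Server guide): what SMTP AUTH PLAIN,
SMTP AUTH LOGIN and POP APOP put on the wire.
Assumptions: PLAIN per RFC 4616 (authzid NUL authcid NUL passwd, base64);
LOGIN as two base64 steps; APOP per RFC 1939 (MD5 of <timestamp> + secret).
Credentials below are constructed, except the RFC 1939 APOP test vector."""
import base64
import hashlib
import hmac
from typing import Dict, List, Tuple


def smtp_auth_plain(user: str, password: str, authzid: str = "") -> str:
    """Argument the client sends after 'AUTH PLAIN': base64, not encryption."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64: str) -> Tuple[str, str, str]:
    """What a passive sniffer does with that argument: split the NUL fields."""
    parts = base64.b64decode(b64).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN message")
    authzid, authcid, passwd = parts
    return authzid, authcid, passwd


def smtp_auth_login_steps(user: str, password: str) -> List[str]:
    """AUTH LOGIN: the same secret, sent as two separately base64-encoded lines."""
    return [base64.b64encode(user.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii")]


def apop_digest(greeting: str, password: str) -> str:
    """APOP: MD5 over the server's <timestamp@host> banner followed by the
    shared secret. The secret itself never crosses the network."""
    start = greeting.index("<")
    end = greeting.index(">", start) + 1
    timestamp = greeting[start:end]
    return hashlib.md5((timestamp + password).encode("utf-8")).hexdigest()


def apop_verify(greeting: str, user: str, digest_from_client: str,
                password_db: Dict[str, str]) -> bool:
    """Server side. The price of APOP: the server must keep the cleartext
    secret on file to recompute the digest (compare in constant time)."""
    stored = password_db.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(apop_digest(greeting, stored), digest_from_client)


if __name__ == "__main__":
    wire = smtp_auth_plain("alice", "s3cret")          # constructed credentials
    print("AUTH PLAIN", wire, "->", decode_auth_plain(wire))
    print("AUTH LOGIN", smtp_auth_login_steps("alice", "s3cret"))
    banner = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"  # RFC 1939
    print("APOP mrose", apop_digest(banner, "tanstaaf"))
```

Two practical consequences follow. PLAIN and LOGIN are safe only inside an SSL/TLS-protected session, which is why the guide pairs SMTP AUTH with SSL; and APOP, while hiding the secret from a listener, forces the server to store passwords recoverably, which is a reason to prefer the Kerberos option where clients support it.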
Support for single or dual IMAP/POP3 mail inboxes gives flexibility in mail retrieval; a user can have a POP mailbox for office use and an IMAP mailbox for mobile use. Automatic blind copying (BCC) of incoming mail from specified hosts lets you track email coming from specific sites. You can limit the amount of disk space a user consumes for mail messages.

To protect email communication from eavesdroppers, mail service features SSL encryption of IMAP connections between the mail server and clients, SMTP AUTH authentication using LOGIN and PLAIN, and APOP and Kerberos v5 authentication for POP, IMAP, and SMTP clients. Note that LOGIN and PLAIN only base64-encode the password, so they protect it only when the connection itself is encrypted; APOP sends a digest instead of the password, and Kerberos sends neither. For complete information about mail services, see Chapter 9, "Mail Service."

Macintosh Workgroup Management

Mac OS X Server provides work environment personalization for Mac OS 8, 9, and X computer users, ranging from preference management to operating system and application installation automation.

Client Management

You can use Mac OS X Server to manage the work environments of Mac OS 8, 9, and X clients. Preferences you define for individual users, groups of users, and computers provide your Macintosh users with a consistent desktop, application, and network appearance regardless of the Macintosh computer to which they log in.

To manage Mac OS 8 and 9 clients, you use Macintosh Manager, described in Chapter 10, "Client Management: Mac OS 9 and OS 8." To manage Mac OS X clients, you use Workgroup Manager, as Chapter 6, "Client Management: Mac OS X," describes. Mac OS X client management has several advantages:

• You can take advantage of the directory services autoconfiguration capability to automatically set up the directory services used by Mac OS X client computers.
• When you update user, group, and computer accounts, managed Mac OS X users inherit changes automatically. You update Mac OS 8 and 9 accounts independently, using Macintosh Manager.
• You have more direct control over individual system preferences.
• Network home directories and group directories can be mounted automatically at login.

NetBoot

NetBoot lets Macintosh clients boot from a system image located on Mac OS X Server instead of from the client computer's disk drive. You can set up multiple NetBoot disk images, so you can boot clients into Mac OS 9 or X or even set up customized Macintosh environments for different groups of clients.

NetBoot can simplify the administration and reduce the support normally associated with large-scale deployments of network-based Macintosh systems. NetBoot is ideal for an organization with a number of client computers that need to be identically configured. For example, NetBoot can be a powerful solution for a data center that needs multiple identically configured Web and application servers.

NetBoot allows administrators to configure and update client computers instantly by simply updating a boot image stored on the server. Each image contains the operating system and application folders for all clients on the server. Any changes made on the server are automatically reflected on the clients when they reboot. Systems that are compromised or otherwise altered can be restored simply by rebooting. The same property cuts the other way: every NetBoot client is only as trustworthy as the image on the server, so restrict who can modify NetBoot images and protect the server that serves them. See Chapter 12, "NetBoot," for information about setting up and managing NetBoot.

Network Install

Network Install is a centrally managed installation service that allows administrators to selectively install, restore, or upgrade client computers. Installation images can contain the latest release of Mac OS X, a software update, site-licensed or custom applications, even configuration scripts:

• Network Install is an excellent solution for operating system migrations, installing software updates and custom software packages, restoring computer classrooms and labs, and reimaging desktop and portable computers.
• You can define custom installation images for various departments in an organization, such as marketing, engineering, and sales.
With Network Install you don't need to insert multiple CDs to configure a system. All the installation files and packages reside on the server and are installed onto the client computer at one time. Network Install also includes pre- and post-installation scripts you can use to invoke actions prior to or after the installation of a software package or system image. See Chapter 13, "Network Install," for more information about Network Install.

Network Services

Mac OS X Server includes these network services for helping you manage Internet communications on your TCP/IP network:

• Dynamic Host Configuration Protocol (DHCP)
• Domain Name System (DNS)
• IP firewall
• Service Location Protocol Directory Agent (SLP DA)

DHCP

DHCP helps you administer and distribute IP addresses dynamically to client computers from your server. From a block of IP addresses that you define, your server locates an unused address and "leases" it to client computers as needed. DHCP is especially useful when an organization has more clients than IP addresses. IP addresses are assigned on an as-needed basis, and when they are not needed they are available for use by other clients.

As you learned in "Search Policies" on page 48, you can automate the directory services setup of Mac OS X clients using your DHCP server's Option 95 support. This option tells client computers which LDAP server holds their directory settings. Chapter 11, "DHCP Service," provides information about your server's DHCP capabilities.

DNS

DNS service lets users connect to a network resource, such as a Web or file server, by specifying a host name (such as server.apple.com) rather than an IP address (192.168.11.12). DNS is a distributed database that maps domain names to IP addresses (and IP addresses back to names). A server that provides DNS service keeps a list of names and the IP addresses associated with the names.
When a computer needs to find the IP address for a name, it sends a query to the DNS server (also known as a name server). The name server looks up the IP address and sends it back to the computer. If the name server doesn't have the IP address locally, it queries other name servers on the Internet until the IP address is found.

You will use DNS if you use SMTP mail service or if you want to create subdomains within your primary domain. You will also use DNS if you are hosting multiple Web sites. If you don't have an Internet service provider (ISP) who handles DNS for your network, you can set up a DNS server on your Mac OS X Server. You'll find complete information about DNS in Chapter 14, "DNS Service."

IP Firewall

IP firewall service protects your server and the content you store on it from intruders. It provides a software firewall, scanning incoming IP packets and accepting or rejecting them based on filters you define. You can set up server-wide restrictions for packets from specific IP addresses. You can also restrict access to individual services, such as Web, mail, and FTP, by defining filters for the ports used by the services. See Chapter 15, "Firewall Service," for more information about this service.

SLP DA

Service Location Protocol (SLP) provides structure to the services available on a network and gives users easy access to them. Anything that can be addressed using a URL can be a network service, for example, file servers and WebDAV servers. When a service is added to your network, the service uses SLP to register itself on the network; you don't need to configure it manually. When a client computer needs to locate a network service, it uses SLP to look for services of that type. All registered services that match the client computer's request are displayed for the user, who then can choose which one to use.
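Returning to the IP Firewall section above: the two kinds of filter it describes (server-wide restrictions on a source address, and per-service restrictions on a destination port) only behave as intended if you understand how a rule set is evaluated. Mac OS X Server's firewall service is built on BSD ipfw, which walks its rules in order and applies the first one that matches. The following is an added example, not the server's code or Apple's: a small first-match evaluator over a constructed rule set, with a default of deny for anything no rule covers, used to show that moving a single deny rule to the end of the list silently re-opens the Web port to the host it was meant to block. Addresses, ports and packets are constructed sample data, and the rule format is this example's own, not the format Server Settings writes.

```python
"""Added example (not from the Mac OS X Server guide): first-match evaluation
of a packet-filter rule set, the semantics of the BSD ipfw firewall underneath
the IP firewall service. Rule format, addresses, ports and packets below are
constructed sample data; this models the decision, it is not the server's code."""
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", or "any"
    src: ipaddress.IPv4Network   # source address range
    dport: Optional[int]         # destination port, or None for any port


class Packet(NamedTuple):
    proto: str
    src: ipaddress.IPv4Address
    dport: int


def rule(action: str, proto: str, src: str, dport: Optional[int] = None) -> Rule:
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return Rule(action, proto, ipaddress.ip_network(src, strict=False), dport)


def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("any", p.proto)
            and p.src in r.src
            and (r.dport is None or r.dport == p.dport))


def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet no rule covers is denied."""
    for r in rules:
        if matches(r, p):
            return r.action
    return "deny"


# Constructed policy: block one hostile address outright, open the Web server
# to everyone, and open mail, FTP and AFP only to the 10/8 campus network.
POLICY = [
    rule("deny",  "any", "203.0.113.66/32"),          # server-wide block of one host
    rule("allow", "tcp", "0.0.0.0/0",    dport=80),   # Web: anyone
    rule("allow", "tcp", "10.0.0.0/8",   dport=25),   # SMTP: campus only
    rule("allow", "tcp", "10.0.0.0/8",   dport=21),   # FTP control: campus only
    rule("allow", "tcp", "10.0.0.0/8",   dport=548),  # AFP: campus only
]

# Same rules, deny moved to the end: the broad "allow 80" now matches first,
# so the blocked host reaches the Web server after all.
MISORDERED = POLICY[1:] + POLICY[:1]


def check(proto: str, src: str, dport: int, rules: List[Rule] = POLICY) -> str:
    return decide(rules, Packet(proto, ipaddress.ip_address(src), dport))


if __name__ == "__main__":
    for proto, src, port in [("tcp", "198.51.100.9", 80), ("tcp", "198.51.100.9", 25),
                             ("tcp", "10.1.2.3", 25), ("tcp", "203.0.113.66", 80)]:
        print(proto, src, port, "->", check(proto, src, port),
              "(misordered:", check(proto, src, port, MISORDERED) + ")")
```

When you add a server-wide block for an address in Server Settings, check where it lands relative to the per-service allow rules; a blocked host that still shows up in the Web log is the usual symptom of the ordering problem the `MISORDERED` list reproduces.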
SLP Directory Agent (DA) is an improvement on basic SLP, providing a centralized repository for registered network services. You can set up a DA to keep track of services for one or more scopes (groups of services). When a client computer looks for network services, the DA for the scope to which the client computer is connected responds with a list of available network services. Because a client computer only needs to look locally for services, network traffic is kept to a minimum and users can connect to network services more quickly. See Chapter 16, "SLP DA Service," for information about this service.

QuickTime Streaming Service

QuickTime Streaming Server (QTSS) lets you stream multimedia in real time using the industry-standard RTSP/RTP protocols. QTSS supports MPEG-4, MP3, and QuickTime file formats. You can deliver live and prerecorded media over the Internet to both Macintosh and Windows users, or relay streamed media to other streaming servers. You can provide unicast streaming, which sends one stream to each individual client, or multicast streaming, which sends the stream to a group of clients. For more information about QTSS, refer to the QuickTime Web site: www.apple.com/quicktime/products/qtss/

You can use QuickTime Broadcaster in conjunction with QTSS when you want to produce a live event. QuickTime Broadcaster allows you to stream live audio and video over the Internet. QuickTime Broadcaster meets the needs of both beginners and professionals by providing preset broadcast settings and the ability to create custom settings. Built on top of the QuickTime architecture, QuickTime Broadcaster enables you to produce a live event using most codecs that QuickTime supports. When teamed with QuickTime Streaming Server or Darwin Streaming Server, QuickTime Broadcaster can produce a live event for delivery to an audience of any size, from an individual to a large global audience.
For information about QuickTime Broadcaster, go to this Web site and navigate to the QuickTime Broadcaster page: www.apple.com/quicktime/

Highlighting Server Applications

This section introduces you to the applications, tools, and techniques you use to set up and administer your Mac OS X Server. The following table summarizes them and tells you where to find more information about them. Each entry gives the application, tool, or technique; what you use it for; and the page to see.

• Server Assistant: initialize services. See page 58.
• Open Directory Assistant: create or set up access to existing NetInfo and LDAPv3 directory domains, and create and configure Password Servers. See page 58.
• Directory Access: configure access to data in existing directory domains and define a search policy. See page 59.
• Workgroup Manager: administer accounts, manage share points, and administer client management for Mac OS X users. See page 59.
• Server Settings: configure file, print, mail, Web, NetBoot, and network services. See page 60.
• Server Status: monitor services. See page 61.
• Macintosh Manager: administer client management for Mac OS 8 and 9 users. See page 62.
• NetBoot administration tools: manage NetBoot disk images. See page 62.
• Package Maker: create Network Install installation packages. See page 62.
• Server Monitor: review information about Xserve hardware. See page 62.
• Streaming Server Admin: set up and manage QuickTime Streaming Server (QTSS). See page 63.
• Terminal: run command-line tools. See page 552.
• Secure shell (SSH): use Terminal to run command-line tools on remote servers securely. See page 553.
• dsimportexport: import and export user and group accounts using XML or text files. See page 555.
• log rolling scripts: periodically roll, compress, and delete server log files. See page 555.
• diskspacemonitor: monitor percentage-full disk thresholds and execute scripts that generate email alerts and reclaim disk space when thresholds are reached. See page 556.
• diskutil: manage Mac OS X Server disks and volumes remotely. See page 557.
• installer: install software packages remotely. See page 558.
• softwareupdate: find new versions of software and install them remotely on a server. See page 561.
• systemsetup: configure system preferences on a remote server. See page 561.
• networksetup: configure network services for a particular network hardware port on a remote server. See page 562.
• MySQL Manager: manage the version of MySQL that is installed with Mac OS X Server. See page 565.
• Simple Network Management Protocol (SNMP) administration tools: monitor your server using the SNMP interface. See page 566.
• diskKeyFinder: verify the physical location of a remote headless server volume that you want to manage. See page 566.
• Enabling IP failover: set up a standby server that takes over if the primary server fails. See page 567.

Administering a Server From Different Computers

You can use the server applications to manage the local server or to manage a remote server, including headless servers. You can also manage Mac OS X Servers remotely from an administrator computer. An administrator computer is a Mac OS X computer onto which you have installed the server applications from the Mac OS X Server Administration Tools CD.

The following sections give you more information about the first 11 applications in the table above, including instructions for using them to manage a remote server. The remaining applications and tools are for use by experienced server administrators; see Chapter 17, "Tools for Advanced Users," for information about them.

Server Assistant

Server Assistant is the application you use to perform initial service setup of a Mac OS X Server. You can use Server Assistant the first time you set up a local or remote Mac OS X Server. See Getting Started With Mac OS X Server for instructions.

Open Directory Assistant

Use Open Directory Assistant to create shared server-resident NetInfo or LDAPv3 directory domains, set up Password Servers, and configure access to shared domains and Password Servers.
You can run Open Directory Assistant immediately after running Server Assistant, or you can run it later, as many times as you like.

(Figure: administrator computer managing Mac OS X Servers)

You'll find Open Directory Assistant in /Applications/Utilities/. For information about how to use the application, see Chapter 2, "Directory Services."

Directory Access

Directory Access is the primary application for setting up a Mac OS X computer's connections with directory domains as well as defining the computer's search path. Unlike Open Directory Assistant, Directory Access does not create directory domains. It

• configures connections with existing domains
• enables or disables service discovery protocols (AppleTalk, Rendezvous, SLP, and SMB)
• enables or disables directory protocols (LDAPv2, LDAPv3, NetInfo, and BSD configuration files)

In addition, Directory Access is available on both Mac OS X Servers and Mac OS X client computers, whereas Open Directory Assistant is available only on servers. You'll find Directory Access in /Applications/Utilities/. For information about how to use it, see Chapter 2, "Directory Services."

Workgroup Manager

You use Workgroup Manager to administer user, group, and computer accounts; manage share points; and administer client management for Mac OS X users. For information about using Workgroup Manager to administer user and group accounts, see Chapter 3, "Users and Groups." For information about using it to administer computer accounts and client management settings, see Chapter 6, "Client Management: Mac OS X," and Chapter 10, "Client Management: Mac OS 9 and OS 8." Chapter 4, "Sharing," describes how to use Workgroup Manager to manage share points.

Opening and Authenticating in Workgroup Manager

Workgroup Manager is installed in /Applications/Utilities/ when you install your server or set up an administrator computer.
To open Workgroup Manager, click the Workgroup Manager icon in the Dock of Mac OS X Server or in the toolbar of Server Status:

• To open Workgroup Manager on the server you are using without authenticating, choose View Directories from the Server menu. You will have read-only access to information displayed in Workgroup Manager. To make changes, click the lock icon to authenticate as an administrator. This approach is most useful when you are administering different servers and working with different directory domains.
• To authenticate as an administrator for a particular server, enter the server's IP address or DNS name in the login window, or click Browse to choose from a list of servers. Specify the user name and password for an administrator of the server, then click Connect. Use this approach when you will be working most of the time with a particular server.

Major Workgroup Manager Tasks

After login, the user account window appears, with lists of user, group, and computer accounts in the server's local directory domain. Here is how to get started with the major tasks you'll be performing with this application:

• To administer user, group, or computer accounts, click the Accounts icon in the toolbar. See Chapter 3, "Users and Groups," for information about user and group accounts and Chapter 6, "Client Management: Mac OS X," for information about computer accounts.
• To work with preferences for managed users, groups, or computers, click the Preferences icon in the toolbar. See Chapter 6, "Client Management: Mac OS X," for instructions.
• To work with share points, click the Sharing icon in the toolbar. See Chapter 4, "Sharing," for instructions.
• To work with accounts in different directory domains at the same time, open multiple Workgroup Manager windows by choosing New Workgroup Manager Window from the Server menu.
• To open Server Status so you can monitor the status of a particular server, click the Status icon in the toolbar.
See “Server Status” on page 61 for information about the Server Status application.
• To open Server Settings so you can work with a server’s file, print, mail, Web, NetBoot, and network settings, choose Configure Services from the Server menu. See “Server Settings” on page 60 for information about the Server Settings application.
• To control the way Workgroup Manager lists users and groups, whether it uses SSL for its transactions with the server, and other behaviors, choose Preferences from the Workgroup Manager menu.
• To customize the Workgroup Manager toolbar, choose Customize Toolbar from the View menu.
• To retrieve online information, use the Help menu. It provides help for server administrators about Workgroup Manager as well as other Mac OS X Server topics.

Server Settings

You use Server Settings to administer file, print, mail, Web, NetBoot, and network services on a server. Server Settings is installed in /Applications/Utilities/ when you install your server or set up an administrator computer.

To open Server Settings, click the Server Settings icon in the Dock of Mac OS X Server or choose Configure Services from the Server menu in Workgroup Manager. To select a server to work with, enter its IP address or DNS name in the login window, or click Browse to choose from a list of servers. Specify the user name and password for an administrator, then click Connect.

Click the service modules arranged on the Server Settings tabs to choose commands that let you work with individual services:
• For administering file and print services, select the File & Print tab.
• For administering mail and Web services, select the Internet tab.
• For administering IP Firewall, DHCP, NetBoot, DNS, and SLP DA services, select the Network tab.
• To retrieve online information, use the Help menu. It provides help for server administrators about Server Settings as well as other Mac OS X Server topics.
Server Settings is not compatible with versions of Mac OS X Server earlier than version 10.2.

Server Status

You use Server Status to monitor the services running on Mac OS X Servers. Server Status is installed in /Applications/Utilities/ when you install your server or set up an administrator computer.

To open Server Status, click the Server Status icon in the Dock of Mac OS X Server or the Status icon in Workgroup Manager. To select a server to monitor, click the Connect button in the Server Status toolbar. Enter the IP address or DNS name of the server you want to monitor in the login window, or click Browse to choose from a list of servers. Specify the user name and password for an administrator, then click Connect.

Select items in the Devices & Services list to monitor specific servers and the services running on them:
• To review general status information for a particular server, select the server name.
• To review status information for a particular service running on a server, click the disclosure triangle next to the server name to see a list of its services, then select the service of interest.
• To add a server to the Devices & Services list, click Connect in the toolbar and log in to the server. The next time you open Server Status, any server you have added is displayed in the Devices & Services list and can be monitored again by selecting it in the list. If a server in the list appears grey, double-click the server or click the Reconnect button in the toolbar to log in again. Select the Add to Keychain option while you log in to have Server Status reconnect automatically the next time you open it. This stores the administrator credentials in the keychain of the computer you are working from, so treat that computer’s keychain as carefully as the server password itself.
• To remove a server from the Devices & Services list, select the server, click the Disconnect button in the toolbar, and choose Remove From List from the Server menu.
• To control the way Server Status lists servers and services, how often status data is refreshed, and other behaviors, choose Preferences from the Server Status menu.
• To customize the Server Status toolbar, choose Customize Toolbar from the View menu.
• To retrieve online information, use the Help menu. It provides help for server administrators about Server Status as well as other Mac OS X Server topics.

Macintosh Manager

You use Macintosh Manager to administer client management for Mac OS 8 and Mac OS 9 client computers. You can use it locally (at the server) or remotely (from a Mac OS 9 or Mac OS X computer on the same network as your Mac OS X Server). Open Macintosh Manager by clicking its icon in the Dock. Log in using a server, Macintosh Manager, or workgroup administrator user name and password. As a server administrator, you automatically have global administrator privileges for Macintosh Manager. See Chapter 10, “Client Management: Mac OS 9 and OS 8,” for more information.

NetBoot Administration Tools

There are several applications you use to administer NetBoot:
• NetBoot Desktop Admin lets you modify Mac OS 9 images.
• Network Image Utility lets you create and modify Mac OS X images.
• The DHCP/NetBoot module of Server Settings lets you save NetBoot images.
See Chapter 12, “NetBoot,” for information about these tools.

Network Install Administration Application

You use PackageMaker to create Network Install packages. See Chapter 13, “Network Install,” for information about this application.

Server Monitor

You use Server Monitor to monitor Xserve hardware and trigger email notifications when circumstances warrant attention. Server Monitor shows you information about the installed operating system, drives, power supply, enclosure and processor temperature, cooling blowers, security, and network. Server Monitor is installed in /Applications/Utilities/ when you install your server or set up an administrator computer.
Use the application to monitor local or remote servers:
• To specify the Xserve server to monitor, click Add Server, identify the server of interest, and enter the user name and password of an administrator of the server.
• Use the “Update every” pop-up menu to specify how often you want to refresh data.
• Use the Export Items and Import Items buttons to manage different lists of Xserve servers you want to monitor. The Merge Items button lets you consolidate lists into one.
• The system identifier lights on the front and back of an Xserve server light up when service is required. Use Server Monitor to find out why the lights are on. You can also turn the lights on to identify a particular Xserve server in a rack of servers by selecting the server and clicking “system identifier light on” on the Info tab.
• You can set Server Monitor to notify you by email when an Xserve server’s status changes. For each server, you set up the conditions you want to be notified about. The email message can come from Server Monitor or from the server itself.
• Server Monitor keeps a log of its own activity for each Xserve server. (The logs do not include system activity on the server.) The log shows, for example, the times Server Monitor attempted to contact the server and whether the connection succeeded. The log also shows server status changes.
You can also use Server Monitor to get an Apple System Profiler report on a remote server.

Streaming Server Admin

To set up and manage QTSS, you use the Web-based Streaming Server Admin program. Streaming Server Admin lets you create and serve playlists, customize general settings, monitor connected users, view log files, manage user and bandwidth usage, and relay a stream from one server to another for scalability.

To use Streaming Server Admin:
1. From Mac OS X Server, click the Streaming Server Admin icon in the Dock, then go to step 3.
Alternatively, from a server with QTSS installed, open a Web browser. You can also use a Web browser on a remote Mac OS X computer.
2. Enter the URL for your Streaming Server Admin, for example myserver.com:1220. Replace “myserver.com” with the name of your Streaming Server computer; 1220 is the port number on which Streaming Server Admin listens.
3. The first time you run Streaming Server Admin, the Setup Assistant prompts you for your user name and password.

Until you set up secure administration (SSL), the browser’s connection to port 1220 is ordinary HTTP, so administer the server from a network you trust or set up SSL first. To display online help about using Streaming Server Admin, setting up secure administration (SSL), and setting up your server to stream hinted media, click the question mark button in the application. Information about QTSS is also available at the QuickTime Web site: www.apple.com/quicktime/products/qtss/

Where to Find More Information

Regardless of your server administration experience, you may want to take advantage of the wide range of Apple customer training courses. To learn more, go to train.apple.com

If You’re New to Server and Network Management

If you want to learn more about Mac OS X Server, see the Mac OS X Server Web site: www.apple.com/macosx/server/

Online discussion groups can put you in touch with your peers. Many of the problems you encounter may already have been solved by other server administrators. To find the lists available through Apple, see the following site: www.lists.apple.com

The AppleCare support site’s discussion boards are an additional source of information: www.info.apple.com/

Consider obtaining some of these reference materials. They contain background information, explanations of basic concepts, and ideas for getting the most out of your network.
• Teach Yourself Networking Visually, by Paul Whitehead and Ruth Maran (IDG Books Worldwide, 1998).
• Internet and Intranet Engineering, by Daniel Minoli (McGraw-Hill, 1997).
In addition, NetworkMagazine.com offers a number of online tutorials on its Web site: www.networkmagazine.com

If You’re an Experienced Server Administrator

If you’re already familiar with network administration and you’ve used Mac OS X Server, Linux, UNIX, or a similar operating system, you may find these additional references useful.
• A variety of books from O’Reilly & Associates cover topics applicable to Mac OS X Server, such as Internet Core Protocols: The Definitive Reference, DNS and BIND, and TCP/IP Network Administration. For more advanced information, see Apache: The Definitive Guide, Writing Apache Modules with Perl and C, Web Performance Tuning, and Web Security & Commerce, also published by O’Reilly & Associates. See the O’Reilly & Associates Web site: www.ora.com
• See the Apache Web site for detailed information about Apache: www.apache.org/

Chapter 2 Directory Services

Directory services provide a central repository for information about the systems, applications, and users in an organization. In education and enterprise environments, directory services are the ideal way to manage users and computing resources. Organizations with as few as 10 people can benefit from deploying directory services.

Directory services are doubly beneficial. They centralize system and network administration, and they simplify a user’s experience on the network. With directory services, information about all the users—such as their names, passwords, and preferences—as well as about printers and other resources on a network can be maintained in a single location rather than on each computer on the network. Using directory services reduces the system administrator’s user management burden. In addition, users can log in to any authorized computer on the network. Wherever a user logs in, the user’s personal Desktop appears, customized for the user’s individual preferences.
The user always has access to personal files and can easily locate and use authorized network resources.

Apple has built an open, extensible directory services architecture, called Open Directory, into Mac OS X and Mac OS X Server. A Mac OS X Server or Mac OS X client computer can use Open Directory to retrieve authoritative information about users and network resources from a variety of sources:
• directory domains on the computer itself and on other Mac OS X Servers
• directory domains on other servers, including LDAP directory domains and Active Directory domains on non-Apple servers
• BSD configuration files located on the computer itself
• network services, such as file servers, that make themselves known with the Rendezvous, AppleTalk, SLP, or SMB service discovery protocols

Mac OS 9 and Mac OS 8 managed clients also use Open Directory to retrieve some user information. For more information, see “How Macintosh Manager Works With Directory Services” on page 420 in Chapter 10, “Client Management: Mac OS 9 and OS 8.”

The Open Directory architecture also includes Open Directory Password Server. A Password Server can securely store and validate the passwords of users who want to log in to client computers on your network or use other network resources that require authentication. A Password Server can also enforce policies such as password expiration and minimum length.

To understand the information in this chapter, you should be comfortable with Mac OS X. You do not need advanced network administrator or UNIX experience to use the directory services provided by Mac OS X Server. If you want to integrate LDAP directories from other servers, you need to be familiar with LDAP. If you want to integrate Active Directory servers, you need to be familiar with Active Directory and LDAP. You need to be comfortable with UNIX if you want to integrate BSD configuration files.
Storage for Data Needed by Mac OS X

Directory services act as an intermediary between directory domains, which store information about users and resources, and the application and system software processes that want to use the information. A directory domain stores information in a specialized database that is optimized to handle a great many requests for information and to find and retrieve information quickly. Information may be stored in one directory domain or in several related directory domains.

Processes running on Mac OS X computers can use directory services to save information in a directory domain. For example, when you set up a user account, the application that you use to do this has directory services store information about the user in a directory domain.
• On a computer with Mac OS X version 10.2, you use the My Account pane or the Accounts pane of System Preferences to set up user accounts that are valid only on that one computer.
• On a computer with Mac OS X Server version 10.2, you use the Accounts module of Workgroup Manager to set up user accounts that are valid on all Mac OS X computers on your network. You can specify additional user attributes in a network user account, such as the location of the user’s home directory.

[Figure: Processes use directory services to reach the record types (Users, Groups, Mounts, Printers, Servers) stored in directory domains]

Whether you use Workgroup Manager or System Preferences to create a user account, the user information is stored in a directory domain. When someone attempts to log in to a Mac OS X computer, the login process uses Mac OS X directory services—Open Directory—to validate the user name and password.

A Historical Perspective

Like Mac OS X, Open Directory has a UNIX heritage. Open Directory provides access to administrative data that UNIX systems have generally kept in configuration files, which require much painstaking work to maintain. (Some UNIX systems still rely on configuration files.)
Open Directory consolidates the data and distributes it for ease of access and maintenance.

[Figure: Accounts are stored in a directory domain by way of directory services]

Data Consolidation

For years, UNIX systems have stored administrative information in a collection of files located in the /etc directory. This scheme requires each UNIX computer to have its own set of files, and processes running on a UNIX computer read its files when they need administrative information. If you’re experienced with UNIX, you probably know about the files in the /etc directory—group, hosts, hosts.equiv, passwd, and so forth. For example, a UNIX process that needs a user’s password consults the /etc/passwd file, which contains a record for each user account. A UNIX process that needs group information consults the /etc/group file.

Open Directory consolidates administrative information, simplifying the interactions between processes and the administrative data they create and use.

[Figure: UNIX processes read /etc/passwd, /etc/hosts, and /etc/group directly; Mac OS X processes go through directory services]

Processes no longer need to know how and where administrative data is stored. Open Directory gets the data for them. If a process needs the location of a user’s home directory, the process simply has Open Directory retrieve the information. Open Directory finds the requested information and then returns it, insulating the process from the details of how the information is stored. If you set up Open Directory to access administrative data in several directory domains, Open Directory automatically consults them as needed.

Some of the data stored in a directory domain is identical to data stored in UNIX configuration files. For example, the authentication attributes, home directory location, real name, user ID, and group ID—all stored in the user records of a directory domain—have corresponding entries in the standard /etc/passwd file.
However, a directory domain stores much additional data to support functions that are unique to Mac OS X, such as support for managed clients and Apple Filing Protocol (AFP) directories.

Data Distribution

Another characteristic of UNIX configuration files is that the administrative data they contain is available only to the computer on which they are stored. Each computer has its own UNIX configuration files. With UNIX configuration files, each computer that someone wants to use must have that person’s user account settings stored on it, and each computer must store the account settings for every person who may want to use the computer. To set up a computer’s network settings, the administrator needs to go to the computer and directly enter the IP address and other information that identifies the computer on the network. Similarly, when user or network information needs to be changed in UNIX configuration files, the administrator must make the changes on the computer where the files reside. Some changes, such as network settings, require the administrator to make the same changes on multiple computers. This approach becomes unwieldy as networks grow in size and complexity.

[Figure: Each computer’s processes see only that computer’s own directory domain]

Open Directory solves this problem by letting you store administrative data in a directory domain that a system administrator can manage from one location. Open Directory lets you distribute the information so that it is visible on the network to the computers that need it and to the administrator who manages it.

Uses of Directory Data

Open Directory makes it possible to consolidate and maintain network information easily in a directory domain, but this information has value only if the application and system software processes running on network computers actually use it.
[Figure: The system administrator and users reach a shared directory domain through directory services]

The real power of Open Directory is not that it provides directory services, but that Mac OS X software accesses its data through Open Directory. Here are some of the ways in which Mac OS X system and application software use directory data:
• Authentication. As mentioned already, the Accounts module of Workgroup Manager or the Accounts pane of System Preferences creates user records in a directory domain, and these records are used to authenticate users who log in to Mac OS X computers. When a user specifies a name and a password in the Mac OS X login window, the login process asks Open Directory for the user record that corresponds to the name the user specified. Open Directory finds the user record in a directory domain and retrieves the record.
• Folder and file access. After logging in successfully, a user can access files and folders. Mac OS X uses another data item from the user record—the user ID (UID)—to determine the user’s access privileges for a file or folder. When a user accesses a folder or file, the file system compares the user’s UID with the UID assigned to the folder or file. If the UIDs are the same, the file system grants owner privileges (usually read and write) to the user. If the UIDs differ, the user does not get owner privileges; the item’s group and everyone permissions then determine the user’s access. Because the file system compares UIDs rather than names, two user records that share a UID are the same owner as far as the file system is concerned.
• Home directories. Each user record in a directory domain stores the location of the user’s home directory, also known as the user’s home folder. This is where the user keeps personal files, folders, and preferences. A user’s home directory can be located on a particular computer that the user always uses or on a network file server.
• Automount share points. Share points can be configured to automount (appear automatically) in the /Network folder (the Network globe) in the Finder windows of client computers.
Information about these automount share points is stored in a directory domain. Share points are folders, disks, or disk partitions that you have made accessible over the network.
• Mail account settings. Each user’s record in a directory domain specifies whether the user has mail service, which mail protocols to use, how to present incoming mail, whether to alert the user when mail arrives, and more.
• Resource usage. Disk, print, and mail quotas can be stored in each user record of a directory domain.
• Managed client information. A user’s personal preference settings, as well as preset preferences that affect the user, are stored in a directory domain.
• Group management. In addition to user records, a directory domain also stores group records. Each group record affects all users who are in the group. Information in group records specifies preference settings for group members. Group records also determine access to files, folders, and computers.

Inside a Directory Domain

Information in a directory domain is organized into record types, which are specific categories of records, such as users, machines, and mounts. For each record type, a directory domain may contain any number of records. Each record is a collection of attributes, and each attribute has one or more values. If you think of each record type as a spreadsheet that contains one category of information, then records are like the rows of the spreadsheet, attributes are like the columns, and each cell contains one or more values.

For example, when you define a user by using the Accounts module of Workgroup Manager, you are creating a user record (a record of the Users record type). The settings that you configure for the user—short name, full name, home directory location, and so on—become values of attributes in the user record. The user record and the values of its attributes reside in a directory domain.
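To make the record type, record, attribute, and value model concrete, the following added Python example models a directory domain as a table of records per record type, imports constructed /etc/passwd and /etc/group lines into it (the Data Consolidation correspondence described earlier), and performs the UID comparison described under Folder and file access. It is not Apple’s code and does not reflect how NetInfo or LDAP actually store data; the attribute names (RecordName, UniqueID, PrimaryGroupID, RealName, NFSHomeDirectory, UserShell, GroupMembership), the user and group names, and the sample file contents are all assumptions made for illustration.

```python
"""Toy model of what lives inside a directory domain: record types, records,
attributes, and (possibly multi-valued) attribute values.

Added example, not Apple's code. Attribute names and the /etc/passwd and
/etc/group sample lines below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Record:
    record_type: str                                   # e.g. "Users", "Groups"
    attributes: Dict[str, List[str]] = field(default_factory=dict)

    def value(self, attr: str) -> Optional[str]:
        """First value of an attribute, or None if the record lacks it."""
        vals = self.attributes.get(attr)
        return vals[0] if vals else None


class DirectoryDomain:
    """One directory domain: a list of records per record type (the 'spreadsheets')."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._records: Dict[str, List[Record]] = {}

    def add(self, rec: Record) -> None:
        self._records.setdefault(rec.record_type, []).append(rec)

    def lookup(self, record_type: str, name: str) -> Optional[Record]:
        # RecordName can hold several values (short names); any of them matches.
        for rec in self._records.get(record_type, []):
            if name in rec.attributes.get("RecordName", []):
                return rec
        return None

    def records_with_uid(self, uid: str) -> List[Record]:
        """All user records claiming a UID; more than one means one file-system owner."""
        return [r for r in self._records.get("Users", []) if r.value("UniqueID") == uid]


def user_from_passwd(line: str) -> Record:
    """Map one /etc/passwd line onto the corresponding user-record attributes."""
    name, _pw, uid, gid, gecos, home, shell = line.split(":")
    return Record("Users", {
        "RecordName": [name], "UniqueID": [uid], "PrimaryGroupID": [gid],
        "RealName": [gecos], "NFSHomeDirectory": [home], "UserShell": [shell],
    })


def group_from_group(line: str) -> Record:
    """Map one /etc/group line onto a group record; membership is multi-valued."""
    name, _pw, gid, members = line.split(":")
    return Record("Groups", {
        "RecordName": [name], "PrimaryGroupID": [gid],
        "GroupMembership": [m for m in members.split(",") if m],
    })


def load_bsd_files(passwd_text: str, group_text: str) -> DirectoryDomain:
    """Read-only import of BSD flat files (Open Directory reads these, never writes them)."""
    domain = DirectoryDomain("BSD flat files")
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            domain.add(user_from_passwd(line))
    for line in group_text.splitlines():
        if line and not line.startswith("#"):
            domain.add(group_from_group(line))
    return domain


def new_user_record(short_names: List[str], full_name: str, uid: str, gid: str, home: str) -> Record:
    """The shape of record an Accounts module would create: several short names
    are several values of the one RecordName attribute."""
    return Record("Users", {
        "RecordName": list(short_names), "RealName": [full_name],
        "UniqueID": [uid], "PrimaryGroupID": [gid], "NFSHomeDirectory": [home],
    })


def has_owner_privileges(user: Record, owner_uid: str) -> bool:
    """The file-system check from the text: it compares UIDs, not names."""
    return user.value("UniqueID") == owner_uid


# Constructed sample input (not from a real system). Note 'backup' reuses UID 501.
SAMPLE_PASSWD = """\
# name:password:uid:gid:gecos:home:shell
alice:*:501:20:Alice Example:/Users/alice:/bin/tcsh
jdoe:*:1042:20:J. Doe:/Users/jdoe:/bin/tcsh
backup:*:501:20:Backup Operator:/var/backup:/usr/bin/false
"""
SAMPLE_GROUP = """\
admin:*:80:alice,jdoe
staff:*:20:
"""

if __name__ == "__main__":
    dom = load_bsd_files(SAMPLE_PASSWD, SAMPLE_GROUP)
    dom.add(new_user_record(["jsmith", "jane.smith"], "Jane Smith", "1043", "20",
                            "/Network/Servers/fs1/Users/jsmith"))
    print("alice home:", dom.lookup("Users", "alice").value("NFSHomeDirectory"))
    print("admin members:", dom.lookup("Groups", "admin").attributes["GroupMembership"])
    print("alias lookup:", dom.lookup("Users", "jane.smith").value("RealName"))
    print("UID 501 is claimed by:", [r.value("RecordName") for r in dom.records_with_uid("501")])
```

The last line of the demonstration is the practical check: a duplicate UID anywhere in a domain (here the constructed backup account) makes two accounts indistinguishable to the file system, so auditing UniqueID for duplicates is worth doing whenever records are imported from flat files.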
Discovery of Network Services

Open Directory can provide more than administrative data from directories. It can also provide information about services that are available on the network. For example, Open Directory can provide information about file servers that are currently available.

Information about file servers and other services tends to change much more frequently than information about users. Therefore, information about network services typically isn’t stored in directory domains. Instead, information about file servers and other network servers is discovered as the need arises. Open Directory can discover network services that make their existence and whereabouts known. Services make themselves known by means of standard protocols. Open Directory supports the following service discovery protocols:
• Rendezvous, the Apple protocol that uses multicast DNS
• AppleTalk, the legacy Mac OS protocol for file services
• Service Location Protocol (SLP), an open standard for discovering file and print services
• Server Message Block (SMB), the protocol used by Microsoft Windows

Because a discovered service has only announced itself, discovery tells you that something on the network claims to be a file server, not that it is the server you intended to reach; the user is authenticated, and the server identified, only when the connection is actually made.

[Figure: File servers announce themselves to directory services]

In fact, Open Directory can provide information about network services both from service discovery protocols and from directory domains. To accomplish this, Open Directory simply asks all its sources of information for the type of information requested by a Mac OS X process. The sources that have the requested type of information provide it to Open Directory, which collects all the provided information and hands it to the Mac OS X process that requested it. For example, if Open Directory requests information about file servers, the file servers on the network respond via service discovery protocols with their information. A directory domain that contains relatively static information about some file servers also responds to the request.
Open Directory collects the information from the service discovery protocols and the directory domains. When Open Directory requests information about a user, the service discovery protocols don’t respond because they don’t have user information. (In theory, AppleTalk, Rendezvous, SMB, and SLP could provide user information, but in practice they have none to provide.) The user information that Open Directory collects comes from whatever sources have it—the directory domains.

[Figure: Directory services combine answers from file servers (service discovery) and from a directory domain]

Directory Domain Protocols

Administrative data needed by directory services is stored on Mac OS X Servers in Open Directory databases. An Open Directory database is one type of directory domain. Open Directory can use either of two protocols to store and retrieve directory data:
• Lightweight Directory Access Protocol (LDAP), an open standard commonly used in mixed environments
• NetInfo, the Apple directory services protocol for Mac OS X

The directory services of Mac OS X version 10.2—Open Directory—can also store and retrieve administrative data that resides in existing directory domains on other servers. Open Directory can read and write data in the following domains:
• shared NetInfo domains on other Mac OS X computers (servers or clients)
• OpenLDAP directories on various UNIX servers
• Active Directory domains on Windows servers
• other LDAPv3-compliant directories that are configured to allow remote administration and read and write access

In addition, Open Directory can retrieve but not store administrative data in the following domains:
• BSD configuration files located on the Mac OS X Server
• LDAPv2 domains and read-only LDAPv3 domains on other servers

Local and Shared Directory Domains

Where you store your server’s user information and other administrative data is determined by whether the data needs to be shared.

Local Data

Every Mac OS X computer has a local directory domain.
A local domain’s administrative data is visible only to applications and system software running on the computer where the domain resides. It is the first domain consulted when a user logs in or performs some other operation that requires data stored in a directory domain.

When a user logs in to a Mac OS X computer, Open Directory searches the computer’s local directory domain for the user’s record. If the local directory domain contains the user’s record (and the user typed the correct password), the login process proceeds and the user gets access to the computer.

[Figure: Logging in to Mac OS X and connecting to Mac OS X Server, each checked against that computer’s own local domain]

After login, the user may choose Connect To Server from the Go menu and connect to a file server on a computer running Mac OS X Server. In this case, Open Directory on the server searches for the user’s record in the server’s local directory domain. If the server’s local directory domain has a record for the user (and the user types the correct password), the server grants the user access to the file services.

When you first set up a Mac OS X computer, its local directory domain is automatically created and populated with records. For example, a user record is created for the user who performed the installation. It contains the user name and password entered during setup, as well as other information, such as a unique ID for the user and the location of the user’s home directory.

Shared Data

While Open Directory on any Mac OS X computer can store administrative data in the computer’s local directory domain, the real power of Open Directory is that it lets multiple Mac OS X computers share administrative data by storing the data in shared directory domains. When a computer is configured to use a shared domain, any administrative data in the shared domain is also visible to applications and system software running on that computer.
If Open Directory does not find a user’s record in the local domain of a Mac OS X computer, it automatically searches for the user’s record in any shared domains to which the computer has access. In the following example, the user can access both computers because the shared domain accessible from both computers contains a record for the user. Shared domains generally reside on Mac OS X Servers, because servers are equipped with the tools, such as Workgroup Manager and Server Settings, that facilitate managing network resources and network users.

[Figure: A shared domain above two local domains; the same shared record lets the user log in to Mac OS X and connect to Mac OS X Server]

Similarly, you can make network resources such as printers visible to certain computers by setting up printer records in a shared domain accessed by those computers. For example, graphic artists in a company might need to access color printers, while copy center personnel need to use high-speed laser printers. Rather than configuring printer access for each computer individually, you could use the Print module of Server Settings to add printers to two shared domains: Graphics and Repro. Printers visible in the Print Center of graphic artists’ computers would be those in the Graphics domain, while printers in the Repro domain would be visible to computers used by copy center personnel. Printers that have records in shared domains appear in the Directory Services printer list in Print Center.

[Figure: Graphic artists’ computers use the Graphics domain; copy center personnel’s computers use the Repro domain]

While some devices may need to be used only by specific departments, other resources, such as personnel forms, may need to be shared by all employees. You could make a folder of those forms available to everybody by setting up a share point for the folder in another shared domain that all computers can access. The shared domain at the top of a hierarchy of directory domains is sometimes called the root domain.
[Figure: A Company domain at the top of the hierarchy, with the Graphics and Repro domains beneath it]

Shared Data in Existing Directory Domains

Some organizations—such as universities and worldwide corporations—maintain user information and other administrative data in directory domains on UNIX or Windows servers. Open Directory can be configured to search these non-Apple domains as well as the shared Open Directory domains of Mac OS X Servers. When a user logs in to a computer on your network, Open Directory still searches for the user in the computer’s local domain and in shared domains on Mac OS X Servers. But if the user is not found and Open Directory has been configured to search an LDAP domain on a UNIX server, Open Directory consults the LDAP domain for information about the user.

[Figure: Mac OS 9, Mac OS X, and Windows users; lookups go first to the local domain, then to the shared domain on Mac OS X Server, then to the LDAP server]

Directory Domain Hierarchies

Local and shared domains are organized into hierarchies, tree-like topologies that have a shared domain at the top and local domains at the bottom of the tree. A hierarchy can be as simple as a local domain and a shared domain, or it can contain more shared domains.

Two-Level Hierarchies

The simplest hierarchy is a two-level hierarchy. Here’s a scenario in which a two-level hierarchy might be used: each department (English, Math, Science) has its own computer. The students in each department are defined as users in the local domain of that department’s computer. All three of these local domains have the same shared domain, in which all the instructors are defined. Instructors, as members of the shared domain, can use services on all the departmental computers. The members of each local domain can use services only on the server where their local domain resides.
Shared directory domain Local directory domain Local domain on English department’s computer Local domain on Math department’s computer Local domain on Science department’s computer Shared domain80 Chapter 2 While local domains reside on their respective servers, a shared domain can reside on any Mac OS X Server accessible from the local domain’s computer. In this example, the shared domain can reside on any server accessible from the departmental servers. It can reside on one of the departmental servers, or—as shown here—on an entirely different server on the network: When an instructor logs in to any of the three departmental servers and cannot be found in the local domain, the server searches the shared domain. In this example, there is only one shared domain, but in more complex hierarchies, there may be many shared domains. Faculty Mac OS X Server English department’s computer Math department’s computer Local domain Shared domain Local domain Science department’s computer Local domain Local domainDirectory Services 81 More Complex Hierarchies Open Directory also supports multilevel domain hierarchies. Complex networks with large numbers of users may find this kind of organization useful, although it’s much more complex to administer. In this scenario, an instructor defined in the Campus domain can use Mac OS X computers on which any of the local domains reside. A student defined in the Students domain can log in to any Mac OS X computers that are below the Graduates domain or Undergraduates domain. A directory domain hierarchy affects which Mac OS X computers can see particular administrative data. The “subtrees” of the hierarchy essentially hide information from other subtrees in the hierarchy. In the education example, computers using the subtree that includes the Graduates domain do not have access to records in the Undergraduates domain. But records in the Campus domain are visible to any computer. 
Directory domain visibility depends on the computer, not the user. So when a user logs in to a different computer, administrative data from different directory domains may be visible to that computer. In the education scenario described here, an undergraduate can log in to a graduate student’s computer if the undergraduate’s user record resides in the Students domain. But the devices that are defined in the Undergraduates domain are not visible unless they are also defined in the Graduates, Students, or Campus domain.

[Figure: the Campus domain at the top; below it the Students domain (above the Undergraduates and Graduates domains) and the Employees domain (above the Faculty domain); local domains on Mac OS X clients or servers at the bottom.]

You can affect an entire network or just a group of computers by choosing which domain to publish administrative data in. The higher the administrative data resides in a directory domain hierarchy, the fewer places it needs to be changed as users and system resources change.

Probably the most important aspect of directory services for administrators is planning directory domains and hierarchies. These should reflect the resources you want to share, the users you want to share them among, and even the way you want to manage your directory data.

Search Policies for Directory Domain Hierarchies

In a hierarchy of directory domains, each Mac OS X computer has a search policy that specifies the order in which Open Directory searches the domains. A search policy, also known as a search path, is simply a list of directory domains. On a Mac OS X computer, Open Directory goes down this list of directory domains whenever an application or system software running on the computer needs administrative data. The list of directory domains defines the computer’s search policy. The search policy effectively establishes the computer’s place in the hierarchy.

A computer’s local directory domain is always first on the list. It may be followed by shared Open Directory domains on Mac OS X Servers and LDAP domains on other servers. It may also include a set of BSD configuration files that are on the computer.

For example, when someone tries to log in to a Mac OS X computer, Open Directory searches the computer’s local domain for the user’s record. The local directory domain is always first on a computer’s search policy.

[Figure: the Graduates domain above a local domain; the local domain is asked “Is the user defined here?”]

If the local domain does not contain the user’s record, Open Directory goes to the next directory domain in the search policy. If the second directory domain also does not contain the user’s record, Open Directory searches the remaining directory domains in the search policy one by one until it searches the last shared domain.

[Figure: “Is the user defined here?” is answered “No” at the local domain, then at the Graduates, Students, and Campus domains in turn.]

The Automatic Search Policy

Initially, every computer with Mac OS X version 10.2 is set to use an automatic search policy. It consists of three parts, two of which are optional:

• local directory domain
• shared NetInfo domains (optional)
• shared LDAPv3 domains (optional)

A computer’s automatic search policy always begins with the computer’s local directory domain.

Next the automatic search policy looks at the binding of shared NetInfo domains. The computer’s local domain may be bound to a shared NetInfo domain, which may in turn be bound to another shared NetInfo domain, and so on. The NetInfo binding, if any, constitutes the second part of the automatic search policy. See “Configuring NetInfo Binding” on page 111 for additional information.

The third and final part of a computer’s automatic search policy consists of shared LDAPv3 domains. They are included only if the computer uses a DHCP service that’s configured to supply the addresses of one or more LDAPv3 servers.
The DHCP service of Mac OS X Server can supply LDAPv3 servers. See “Setting the LDAP Server for DHCP Clients” on page 479 in Chapter 11, “DHCP Service.”

A computer’s automatic search policy may change if the computer is moved to a part of the network served by a different DHCP service. When the user logs in at the new location, the computer connects to the new DHCP service. The new DHCP service may change the NetInfo binding and may supply a different list of LDAPv3 servers than the DHCP service at the former location.

Custom Search Policies

If you don’t want a Mac OS X version 10.2 computer—server or client—to use the automatic search policy supplied by DHCP, you can define a custom search policy for the computer. In this scenario, a custom search policy specifies that LDAP Server 1 be consulted when a user record or other administrative data cannot be found in the directory domains of the automatic search policy. The custom search policy also specifies that if the user information or other administrative data is not found on the LDAP server, a shared Open Directory domain named “Campus” is searched.

[Figure: a custom search policy: the local domain, then the Graduates and Students domains, then LDAP Server 1, then the Campus domain.]

Directory Domain Planning

Keeping information in shared directory domains gives you more control over your network, allows more users access to the information, and makes maintaining the information easier for you. But the amount of control and convenience depends on the effort you put into planning your shared domains.

The goal of directory domain planning is to design the simplest hierarchy of shared domains that gives your Mac OS X users easy access to the network resources they need and minimizes the time you spend maintaining administrative data.

General Planning Guidelines

If you do not need to share user and resource information among multiple Mac OS X computers, there is very little directory domain planning necessary. Everything can be accessed from local directory domains. Just ensure that all individuals who need to use a particular Mac OS X computer are defined as users in the local directory domain on the computer.

[Figure: two computers, each with only a local domain; the user logs in to Mac OS X on one and connects to Mac OS X Server on the other.]

If you want to share information among Mac OS X computers, you need to set up at least one shared domain. A hierarchy this simple may be completely adequate when all your network computer users share the same resources, such as printers and share points for home directories, applications, and so forth.

[Figure: a shared domain above the two local domains; the user logs in to Mac OS X and connects to Mac OS X Server through the shared domain.]

Larger, more complex organizations can benefit from a deeper directory domain hierarchy.

[Figure: the education hierarchy with six shared domains: the Campus domain at the top, the Students domain (above the Undergraduates and Graduates domains) and the Employees domain (above the Faculty domain) below it.]

Controlling Data Accessibility

Hierarchies that contain several shared domains let you make directory information visible to only subsets of a network’s computers. In the foregoing example hierarchy, the administrator can tailor the users and resources visible to the community of Mac OS X computers by distributing directory information among six shared domains.

If you want all computers to have access to certain administrative data, you store that data in the shared domain at the top of your hierarchy, where all computers can access it. To make some data accessible only to a subset of computers, you store it in a shared domain that only those computers can access.

You might want to set up multiple shared directory domains to support computers used by specific groups within an organization. For example, you might want to make share points containing programming applications and files visible only to engineering computers. On the other hand, you might give technical writers access to share points that store publishing software and document files. If you want all employees to have access to each other’s home directories, you would store mount records for all the home directories in the topmost shared domain.
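The two mechanisms described above, domain visibility that follows the computer rather than the user, and the search policy that consults the local domain first and then each shared domain in order, worked through in code. This is an added example written for this page, not Apple’s code; the domain names follow the education scenario, while the users, UIDs, printers and local domain names are constructed. It also builds the custom search policy from the Custom Search Policies section (automatic domains, then LDAP Server 1, then Campus) and includes a check for the UID conflicts that predefined UID ranges are meant to prevent.

```python
# Added example (not Apple's code): a model of directory domain hierarchies and
# per-computer search policies as this page describes them. Domain names follow
# the education scenario; the users, UIDs and printers are constructed.
from typing import Any, Dict, List, Optional, Tuple

Record = Dict[str, Any]


class Domain:
    """A local or shared directory domain; `parent` is the shared domain it is bound to."""

    def __init__(self, name: str, parent: Optional["Domain"] = None) -> None:
        self.name, self.parent = name, parent
        self.records: Dict[str, Dict[str, Record]] = {"users": {}, "printers": {}}

    def add(self, kind: str, name: str, **attrs: Any) -> None:
        self.records[kind][name] = {"name": name, "domain": self.name, **attrs}

    def automatic_policy(self) -> List["Domain"]:
        """Automatic search policy: this domain first, then each parent up to the root."""
        policy: List["Domain"] = []
        domain: Optional["Domain"] = self
        while domain is not None:
            policy.append(domain)
            domain = domain.parent
        return policy


class Computer:
    """A Mac OS X computer; its search policy decides which domains it can see."""

    def __init__(self, name: str, search_policy: List[Domain]) -> None:
        self.name, self.search_policy = name, search_policy

    def lookup(self, kind: str, name: str) -> Tuple[Optional[Record], List[str]]:
        """Consult domains in search-policy order and stop at the first one holding the record."""
        consulted: List[str] = []
        for domain in self.search_policy:
            consulted.append(domain.name)
            record = domain.records[kind].get(name)
            if record is not None:
                return record, consulted
        return None, consulted

    def can_log_in(self, user: str) -> bool:
        return self.lookup("users", user)[0] is not None

    def visible(self, kind: str) -> List[str]:
        """Every record of one type reachable through the search policy."""
        return [name for domain in self.search_policy for name in domain.records[kind]]

    def uid_conflicts(self) -> List[Tuple[int, List[str]]]:
        """One UID held by two user records on the same search path: the
        inadvertent file access that predefined UID ranges are meant to prevent."""
        by_uid: Dict[int, List[str]] = {}
        for domain in self.search_policy:
            for record in domain.records["users"].values():
                by_uid.setdefault(record["uid"], []).append(f"{record['name']}@{domain.name}")
        return [(uid, who) for uid, who in sorted(by_uid.items()) if len(who) > 1]


def build_campus() -> Dict[str, Computer]:
    """Constructed instance of the page's education hierarchy (six shared domains)."""
    campus = Domain("Campus")
    students, employees = Domain("Students", campus), Domain("Employees", campus)
    graduates, undergraduates = Domain("Graduates", students), Domain("Undergraduates", students)
    faculty = Domain("Faculty", employees)
    ldap1 = Domain("LDAP Server 1")   # a non-Apple LDAP domain outside the hierarchy

    campus.add("users", "instructor", uid=3001)
    faculty.add("users", "dean", uid=3002)
    students.add("users", "undergrad", uid=5001)
    graduates.add("users", "gradstudent", uid=5001)   # overlapping UID range (constructed)
    graduates.add("printers", "lab-color")
    undergraduates.add("printers", "dorm-laser")
    ldap1.add("users", "contractor", uid=7001)

    grad_local = Domain("grad-local", graduates)            # local domain of a graduate's Mac
    grad_local.add("users", "localadmin", uid=501)
    ugrad_local = Domain("ugrad-local", undergraduates)     # local domain of an undergraduate's Mac

    # The custom policy from this page: the automatic domains, then LDAP Server 1, then Campus.
    automatic = grad_local.automatic_policy()
    custom = [d for d in automatic if d is not campus] + [ldap1, campus]
    return {
        "grad-mac": Computer("grad-mac", automatic),
        "ugrad-mac": Computer("ugrad-mac", ugrad_local.automatic_policy()),
        "grad-mac-custom": Computer("grad-mac-custom", custom),
    }
```

Call `build_campus()` and then `lookup`, `visible` or `uid_conflicts` on the returned computers. The `consulted` list that `lookup` returns is the search path actually walked, which is the first thing to inspect when a user can log in on one computer but not another: it shows exactly which domains that computer can see, and why a record in a sibling subtree (the dean in the Faculty domain, the dorm printer in the Undergraduates domain) never comes into view from a graduate’s computer.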
Simplifying Changes to Data in Directory Domains

If you need more than one shared directory domain, you should organize your hierarchy of shared domains to minimize the number of places data has to change over time. You should also devise a plan that addresses how you want to manage such ongoing events as

• new users joining and leaving your organization
• file servers being added, enhanced, or replaced
• printers being moved among locations

You’ll want to try to make each directory domain applicable to all the computers that use it so you don’t have to change or add information in multiple domains. In the education hierarchy example, all students may have user records in the Students domain and all employees have accounts in the Employees domain. As undergraduate students leave or become graduate students, or as employees are hired or retire, the administrator can make adjustments to user information simply by editing one domain.

If you have a widespread or complex hierarchy of directory domains in a network that is managed by several administrators, you need to devise strategies to minimize conflicts. For example, you can predefine ranges of user IDs (UIDs) to avoid inadvertent file access. (For more information, see “Defining User IDs” on page 144 in Chapter 3, “Users and Groups.”)

Identifying Computers for Hosting Shared Domains

If you need more than one shared domain, you need to identify the computers on which shared domains should reside. Shared domains affect many users, so they should reside on Mac OS X Servers that have the following characteristics:

• restricted physical access
• limited network access
• equipped with high-availability technologies, such as uninterruptible power supplies

You should select computers that will not be replaced frequently and that have adequate capacity for growing directory domains. While you can move a shared domain after it has been set up, you may need to reconfigure the search policies of computers that bind to the shared domain so that their login hierarchies remain intact.

Open Directory Password Server

Besides providing directory services on Mac OS X Servers and other Mac OS X computers, Open Directory can also provide authentication services. An Open Directory Password Server can store and validate user passwords for login and other network services that require authentication. A Password Server supports basic authentication as well as authentication protocols that protect the privacy of a password during transmission on the network. A Password Server lets you set up specific password policies for each user, such as automatic password expiration and minimum password length.

Your Mac OS X Server can host a Password Server, or it can get authentication services from a Password Server hosted by another Mac OS X Server.

Authentication With a Password Server

When a user’s account is configured to use a Password Server, the user’s password is not stored in a directory domain. Instead, the directory domain stores a unique password ID assigned to the user by the Password Server. To authenticate a user, directory services pass the user’s password ID to the Password Server. The Password Server uses the password ID to find the user’s actual password and any associated password policy.

For example, the Password Server may locate a user’s password but discover that it has expired. If the user is logging in, the login window asks the user to replace the expired password. Then the Password Server can authenticate the user.

A Password Server can’t authenticate a user during login on a computer with Mac OS X version 10.1 or earlier.
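The flow this section describes (the directory domain holding only a password ID, the Password Server looking up the password and its policy, and an expired password being refused until it is replaced), modelled in code together with the point made in the Password Server Database section that follows: APOP can only be verified when the password is kept in recoverable form, so a hash-only store cannot offer it. This is an added example, not Apple’s code; the record layout, the policy fields, the XOR wrapping that stands in for the server’s encryption, the salted SHA-1 hash used for the hash-only store and the result strings are assumptions made for illustration, and the user names, dates and APOP greeting are constructed.

```python
# Added example (not Apple's code): a model of the Password Server flow this
# page describes. The record layout, policy fields, the wrapping of recoverable
# passwords and the result strings are assumptions made for illustration.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_age_days: Optional[int] = 90   # None: the password never expires


@dataclass
class PasswordRecord:
    short_name: str      # kept so log records are readable, as the page notes
    stored: bytes        # recoverable (wrapped) form, or a salted SHA-1 hash
    salt: bytes
    recoverable: bool    # True only when APOP or 2-Way Random is enabled
    set_on: date
    policy: PasswordPolicy


class PasswordServer:
    """Passwords can only be set and verified; nothing here hands one back to a caller."""

    def __init__(self, apop_or_two_way_random_enabled: bool) -> None:
        self.recoverable_store = apop_or_two_way_random_enabled
        self._key = secrets.token_bytes(32)              # stand-in for the server's encryption key
        self._records: Dict[str, PasswordRecord] = {}   # keyed by the 128-bit password ID
        self.log: List[str] = []                         # invalid-password entries an admin can watch

    def _wrap(self, data: bytes) -> bytes:
        # Toy reversible wrapping (XOR with the server key) standing in for the
        # "recoverable (encrypted)" form; a real server uses proper encryption.
        return bytes(b ^ self._key[i % len(self._key)] for i, b in enumerate(data))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.sha1(salt + password.encode()).digest()

    def _encode(self, password: str, policy: PasswordPolicy, salt: bytes) -> bytes:
        if len(password) < policy.min_length:            # policy: minimum password length
            raise ValueError("password shorter than the policy minimum")
        return self._wrap(password.encode()) if self.recoverable_store else self._hash(password, salt)

    def set_password(self, short_name: str, password: str, set_on: str,
                     policy: Optional[PasswordPolicy] = None) -> str:
        """Create the record and return its password ID; the directory domain stores only that."""
        policy = policy or PasswordPolicy()
        salt, password_id = secrets.token_bytes(8), secrets.token_hex(16)
        self._records[password_id] = PasswordRecord(
            short_name, self._encode(password, policy, salt), salt,
            self.recoverable_store, date.fromisoformat(set_on), policy)
        return password_id

    def _finish(self, rec: PasswordRecord, ok: bool, today: str, method: str) -> str:
        if not ok:
            self.log.append(f"{rec.short_name}: invalid password ({method})")
            return "invalid"
        if rec.policy.max_age_days is not None and \
                date.fromisoformat(today) - rec.set_on > timedelta(days=rec.policy.max_age_days):
            return "expired"   # the login window asks for a replacement before authenticating
        return "ok"

    def verify_basic(self, password_id: str, password: str, today: str) -> str:
        """Basic authentication: the password itself arrives, so either storage form can check it."""
        rec = self._records[password_id]
        candidate = self._wrap(password.encode()) if rec.recoverable else self._hash(password, rec.salt)
        return self._finish(rec, secrets.compare_digest(candidate, rec.stored), today, "basic")

    def verify_apop(self, password_id: str, timestamp: str, digest: str, today: str) -> str:
        """APOP: the client sends MD5(timestamp + password), so the server must recover the password."""
        rec = self._records[password_id]
        if not rec.recoverable:
            self.log.append(f"{rec.short_name}: APOP attempted, but only hashes are stored")
            return "protocol not enabled"
        expected = hashlib.md5((timestamp + self._wrap(rec.stored).decode()).encode()).hexdigest()
        return self._finish(rec, secrets.compare_digest(expected, digest), today, "apop")


def demo() -> Dict[str, object]:
    """Constructed walk-through: the directory record carries a password ID, never the password."""
    server = PasswordServer(apop_or_two_way_random_enabled=True)
    password_id = server.set_password("anne", "tuesday-afternoon", set_on="2003-01-10")
    directory_record = {"name": "anne", "uid": 1001, "password_id": password_id}
    timestamp = "<1896.697170952@mail.example>"   # constructed APOP greeting banner
    digest = hashlib.md5((timestamp + "tuesday-afternoon").encode()).hexdigest()
    return {
        "basic": server.verify_basic(directory_record["password_id"], "tuesday-afternoon", "2003-02-01"),
        "wrong": server.verify_basic(password_id, "guess", "2003-02-01"),
        "apop": server.verify_apop(password_id, timestamp, digest, "2003-02-01"),
        "expired": server.verify_basic(password_id, "tuesday-afternoon", "2003-06-01"),
        "log": list(server.log),
    }
```

The `log` list is the one thing an administrator would watch: each failed verification appends an entry naming the user and the method, which is the signal the Password Server Security section says can alert you to login attempts over the network. The trade-off is also visible in the constructor argument: enabling APOP or 2-Way Random forces the recoverable storage form, which is why the physical and network isolation of the host matters more once those protocols are on.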
You’ll find more information about configuring user accounts to use a Password Server in “Understanding Password Validation” on page 189 of Chapter 3, “Users and Groups.”

Network Authentication Protocols

The Password Server is based on a standard known as Simple Authentication and Security Layer (SASL). This standard enables a Password Server to support the wide range of network user authentication protocols used by various network services of Mac OS X Server, such as mail service and file services. Here are a few of the network authentication protocols that the Password Server supports:

• CRAM-MD5
• MD5
• APOP
• NT and LAN Manager (for SMB)
• SHA-1
• DHX
• AFP 2-Way Random
• WebDAV Digest

Password Server Database

The Password Server maintains a record for each user that includes the following:

• Password ID, a 128-bit value assigned when the password is created. The value includes a key for finding a user’s Password Services record.
• The password, stored in recoverable or hashed form. The form depends on the network authentication protocols enabled for the Password Server (using Open Directory Assistant). If APOP or 2-Way Random is enabled, the Password Server stores a recoverable (encrypted) password. If neither of these methods is enabled, only hashes of the passwords are stored.
• Data about the user that is useful in log records, such as the user’s short name.
• Password policy data.

Password Server Security

The Password Server stores passwords, but never allows passwords to be read. Passwords can only be set and verified. Malicious users who want to gain access to your server must try to log in over the network. Invalid password instances, logged by the Password Server, can alert you to such attempts.

Using a Password Server offers flexible and secure password validation, but you need to make sure that the server on which a Password Server runs is secure:

• Set up Password Servers on a server that is not used for any other activity.
• Since the load on a Password Server is not particularly high, you can have several (or even all) of your Open Directory server domains share a single Password Server.
• Set up IP firewall service so nothing is accepted from unknown ports. Password Server uses a well-known port.
• Make sure that the Password Server’s computer is located in a physically secure location, and don’t connect a keyboard or monitor to it.
• Equip the server with an uninterruptible power supply. The Password Server must remain available to provide authentication services. If the Password Server goes down, password validation cannot occur, because you cannot replicate a Password Server.

Overview of Directory Services Tools

The following applications help you set up and manage directory domains and Password Servers.

• Open Directory Assistant. Use to create and configure shared or standalone Open Directory domains (NetInfo or LDAPv3) and to set up Open Directory Password Servers. Located in /Applications/Utilities.
• Directory Access. Use to enable or disable individual directory service protocols; define a search policy; configure connections to existing LDAPv3, LDAPv2, and NetInfo domains; and configure data mapping for LDAPv3 and LDAPv2 domains. Located in /Applications/Utilities.
• Server Status. Use to monitor directory services and view directory services logs. Located in /Applications/Utilities.

Experts can also use the following applications to manage directory domains:

• Property List Editor. Use to add BSD configuration files that you want Open Directory to access for administrative data, and change the mapping of the data in each BSD configuration file to specific Mac OS X record types and attributes. Located in /Developer/Applications if you have installed the developer tools from the Developer Tools CD.
• NetInfo Manager. Use to view and change records, attributes, and values in an Open Directory domain (LDAPv3 or NetInfo) or in a NetInfo domain; manage a NetInfo hierarchy; and back up and restore a NetInfo domain. Located in /Applications/Utilities.
• Terminal. Open to use UNIX command-line tools that manage NetInfo domains. Located in /Applications/Utilities.

Setup Overview

Here is a summary of the major tasks you perform to set up and maintain directory services. See the pages indicated for detailed information about each task.

Step 1: Before you begin, do some planning
See “Before You Begin” on page 91 for a list of items to think about before you start configuring directory domains.

Step 2: Set up Open Directory domains and Password Servers
Create shared directory domains on the Mac OS X Servers that you want to host them. At the same time, set up Open Directory Password Servers. See the following sections:

• “Setting Up an Open Directory Domain and Password Server” on page 92
• “Deleting a Shared Open Directory Domain” on page 93

Step 3: Set up access to directory domains on other servers
If some of your user information and other administrative data will not reside in Open Directory domains, you must make sure your other sources of data are set up for Mac OS X. For instructions, see the following sections of this chapter:

• “Configuring Access to Existing LDAPv3 Servers” on page 98
• “Using an Active Directory Server” on page 104
• “Accessing an Existing LDAPv2 Directory” on page 106
• “Using NetInfo Domains” on page 110
• “Using Berkeley Software Distribution (BSD) Configuration Files” on page 115

Step 4: Implement search policies
Set up search policies so that all computers have access to the shared directory domains they need. Note that if all computers have Mac OS X version 10.2 and can use the automatic search policy, there is nothing to set up. Otherwise, see “Setting Up Search Policies” on page 94.
If your network includes computers with Mac OS X versions earlier than 10.2, configure the local domain on each of them so that it binds to a shared NetInfo domain. See “Using NetInfo Domains” on page 110.

Step 5: Configure Open Directory service protocols (optional)
You may want to disable some of the protocols that Open Directory uses to access directory domains and to discover network services. See “Configuring Open Directory Service Protocols” on page 93.

Before You Begin

Before setting up directory services for the first time:

• Understand why clients need directory data, as discussed in the first several sections of this chapter.
• Assess your server access requirements. Identify which users need to access your Mac OS X Servers. Users whose information can be managed most easily on a server should be defined in a shared Open Directory domain on a Mac OS X Server. Some of these users may instead be defined in Active Directory domains or LDAP domains on other servers. For more information, see “Local and Shared Directory Domains” on page 74 and “Directory Domain Hierarchies” on page 78.
• Understand search policies, as described in “Search Policies for Directory Domain Hierarchies” on page 82.
• Design the hierarchy of shared directory domains. Determine whether user information should be stored in a local directory domain or in a directory domain that can be shared among servers. Design your directory domain hierarchy, identifying the shared and local domains you want to use, the servers on which the shared domains should reside, and the relationships between shared domains. In general, try to limit the number of users associated with any directory domain to no more than 10,000. “Directory Domain Planning” on page 85 provides some guidelines that will help you decide what your directory domain hierarchy should look like.
• Assess your authentication needs. Decide whether to use an Open Directory Password Server. Decide which Mac OS X Server will host the Password Server. See “Open Directory Password Server” on page 87.
• Consider the best equipment and location for your servers. Choose computers and locations that are reliable and accessible. If possible, use a dedicated Mac OS X Server for directory services. Make the server physically secure. It shouldn’t have a keyboard or monitor, especially if it hosts a Password Server.
• Pick server administrators very carefully. Give only trusted people administrator passwords. Have as few administrators as possible. Don’t delegate administrator access for minor tasks, such as changing settings in a user record. Always remember: directory information is authoritative. It vitally affects everyone whose computers use it.

Setting Up an Open Directory Domain and Password Server

You can use the Open Directory Assistant application to configure how a Mac OS X Server works with directory information and a Password Server. This application can configure a server to use a directory domain in one of the following ways:

• Use a shared directory domain hosted by another server.
• Host a shared Open Directory domain.
• Use only the server’s own local directory domain.
• Delete the server’s shared directory domain.

In addition, Open Directory Assistant can configure a server to use a Password Server in one of the following ways:

• Use an existing Password Server.
• Host a Password Server.
• Don’t use a Password Server.

Open Directory Assistant runs automatically as part of the installation and setup process of Mac OS X Server. At any other time, you can open Open Directory Assistant from the Finder.

To configure how your server works with directory information and a Password Server:

1. Open the Open Directory Assistant application. It is located in the /Applications/Utilities folder.
2. Enter the connection and authentication information for the Mac OS X Server that you want to configure, then click Connect.
   For Address, enter the DNS name or IP address of the server that you want to configure. For User Name, enter the user name of an administrator on the server. For Password, enter the password for the user name you entered.
3. Follow the self-guided steps for configuring the server’s use of a directory domain and a Password Server.

Deleting a Shared Open Directory Domain

You can delete a shared Open Directory domain that is hosted by a Mac OS X Server. Use Open Directory Assistant to do this.

Warning: When you delete a directory domain, all user account information and other administrative data that it contains is lost.

To delete a shared directory domain hosted by a Mac OS X Server:

1. Start Open Directory Assistant.
2. Enter the connection and authentication information for the Mac OS X Server that hosts the shared domain you want to delete, then click Connect.
   For Address, enter the DNS name or IP address of the server. For User Name, enter the user name of an administrator on the server. For Password, enter the password for the user name you entered.
3. Choose Delete Hosted Domain from the Domain menu.

After deleting a shared domain that is supplied automatically by DHCP, you must remove it from the DHCP service. Otherwise client computers may pause for long periods of time while trying to access the deleted domain. For instructions, see “Setting the LDAP Server for DHCP Clients” on page 479 in Chapter 11, “DHCP Service.”

Configuring Open Directory Service Protocols

Open Directory uses many protocols to access administrative data in directory domains and discover services on the network. You can enable or disable each of the protocols individually by using the Directory Access application. The protocols include

• AppleTalk, the legacy Mac OS protocol for file and print services
• BSD Configuration Files, the original method still used by some organizations for accessing administrative data on UNIX computers
• Lightweight Directory Access Protocol version 2 (LDAPv2), an open standard that Open Directory can use to access (read-only) directory domains on a variety of servers
• LDAPv3, a newer version of the popular directory services protocol, which Open Directory uses to access (read and write) data in Open Directory domains on computers and servers with Mac OS X version 10.2, Active Directory domains on Windows servers, and directory domains on various other servers
• NetInfo, an Apple directory services protocol that Open Directory can use to access (read and write) data in directory domains on all Mac OS X computers
• Rendezvous, an Apple protocol for discovering file, print, and other services on Internet Protocol (IP) networks
• Service Location Protocol (SLP), an open standard for discovering file and print services on IP networks
• Server Message Block (SMB), a protocol used by Microsoft Windows for file and print services

If you disable a protocol on a computer, Open Directory does not use it for directory access or service discovery on the computer. Other network services may still use the protocol, however. For example, if you disable the AppleTalk protocol, Open Directory does not use it to discover file servers, but you can still connect to an AppleTalk file server if you know its URL.

To enable or disable protocols used by Open Directory:

1. In Directory Access, click the Services tab.
2. If the lock icon is locked, click it and type the name and password of a server administrator.
3. Click the checkbox next to the protocol that you want to enable or disable.
4. Click Apply.
Setting Up Search Policies

This section describes how to configure the search policy that Open Directory uses when it retrieves authentication information and other administrative data from directory domains. The search policy can also include protocols for discovering services on the network, such as file and print services.

A Mac OS X computer—server or client—actually has more than one search policy. The authentication search policy is used to find authentication information and most other administrative data. The contacts search policy is used by mail, address book, personal information manager, and similar applications to locate name, address, and other contact information.

You can configure the authentication search policy for a Mac OS X Server or other Mac OS X computer by using the Directory Access application. You can use the same application to configure the computer’s contacts search policy. (The Open Directory Assistant application also configures the authentication search policy of a Mac OS X Server, but does not offer as many options as Directory Access.)

You can configure the search policy of the computer on which you are running Directory Assistant as follows:

• Use the automatic search policy—shared NetInfo domains, list of LDAP servers supplied by DHCP, or both.
• Define a custom search policy for the computer if it needs to search additional directory servers, BSD configuration files, or service discovery protocols.
• Use only the computer’s local directory domain.

Using the Automatic Search Policy

You can configure a Mac OS X computer to use the automatic search policy. This is the default configuration. You can configure a computer to use the automatic search policy by using the Directory Access application on the computer.

The automatic search policy always includes the local directory domain. The automatic search policy also includes shared NetInfo domains to which the computer is bound and shared LDAPv3 domains supplied by DHCP. The shared NetInfo domains are optional, as are the shared LDAPv3 domains. For more information, see “Using NetInfo Domains” on page 110 and “Setting the LDAP Server for DHCP Clients” on page 479.

To use the automatic search policy supplied by DHCP:

1. In Directory Access, click the Authentication tab or the Contacts tab.
   Click Authentication to configure the search policy used for authentication and most other administrative data. Click Contacts to configure the search policy used for contact information in some mail, address book, and personal information manager applications.
2. If the lock icon is locked, click it and type the name and password of a server administrator.
3. Choose Automatic from the Search pop-up menu, then click Apply.

Defining a Custom Search Policy

You can configure a Mac OS X computer to search specific Open Directory servers, LDAP servers, NetInfo domains, BSD configuration files, or directory service protocols in addition to the servers in the automatic search policy. You define a custom search policy with the Directory Access application on the computer that you want to configure.

Note: Make sure the computer has been configured to access the LDAP servers, Active Directory servers, NetInfo domains, and BSD configuration files that you want to add to the search policy. For instructions, see the subsequent sections of this chapter.

To define a custom search policy for the computer:

1. In Directory Access, click the Authentication tab or the Contacts tab.
   Click Authentication to configure the search policy used for authentication and most other administrative data. Click Contacts to configure the search policy used for contact information in some mail, address book, and personal information manager applications.
2. If the lock icon is locked, click it and type the name and password of a server administrator.
3. Choose “Custom path” from the Search pop-up menu.
4. Click Add.
5. Select from the list of available directories and click Add. To add multiple directories, select more than one and click Add.
6. Change the order of the listed directory domains as needed, and remove listed directory domains that you don’t want in the search policy. Move a listed directory domain by dragging it up or down. Remove a listed directory domain by selecting it and clicking Remove.
7. Click Apply.

Using a Local Directory Search Policy

If you want to limit the access that a computer has to authentication information and other administrative data, you can restrict the computer’s authentication search policy to the local directory domain. If you do this, users without local accounts on the computer will be unable to log in or authenticate for any services it provides. You can configure a computer to use only its local directory domain by using the Directory Access application on the computer.

To restrict a computer to its local directory domain:

1. In Directory Access, click the Authentication tab or the Contacts tab.
   Click Authentication to configure the search policy used for authentication and most other administrative data. Click Contacts to configure the search policy used for contact information in some mail, address book, and personal information manager applications.
2. If the lock icon is locked, click it and type the name and password of a server administrator.
3. Choose “Local directory” from the Search pop-up menu, then click Apply.

Changing Basic LDAPv3 Settings

You can use the Directory Access application to change basic settings for accessing LDAPv3 servers, including the shared Open Directory domains of Mac OS X Servers:

• Enable or disable use of LDAPv3 servers supplied by DHCP.
• Reveal an intermediate level of LDAPv3 information and options.
The Open Directory Assistant application also configures use of LDAPv3 servers supplied by DHCP, but does not offer as many options as Directory Access.

Enabling or Disabling Use of DHCP-Supplied LDAPv3 Servers
Your Mac OS X computer can automatically access LDAPv3 servers via DHCP. This automatic access requires that the DHCP service be configured to supply an LDAPv3 server on request. You can enable or disable this method of accessing an LDAPv3 server for each network location that is defined in the Network pane of System Preferences. Because the computer uses whichever LDAPv3 server the DHCP response names, enable this only on networks whose DHCP service you control.

To enable or disable automatic access to an LDAPv3 server:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 From the Location pop-up menu, choose the network location that you want to affect, or use Automatic.
5 Click the checkbox to enable or disable use of the LDAPv3 server supplied by DHCP.
  If you disable this setting, this computer doesn’t use any LDAPv3 servers supplied by DHCP. However, the computer may still automatically access shared NetInfo domains. See “Using NetInfo Domains” on page 110 for more information.
  If you enable this setting, the DHCP service should be configured to supply one or more LDAPv3 server addresses. For instructions, see “Setting the LDAP Server for DHCP Clients” on page 479 in Chapter 11, “DHCP Service.”

Showing or Hiding Available LDAPv3 Configurations
You can show or hide a list of available LDAPv3 server configurations. When you show the list, you see and can change some settings for each LDAPv3 configuration.

To show or hide the available LDAPv3 configurations:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 From the Location pop-up menu, choose the network location that you want to see, or use Automatic.
5 Click Show Options or Hide Options.

Configuring Access to Existing LDAPv3 Servers
On a Mac OS X computer that is not configured to access an LDAPv3 server automatically via DHCP, you can manually configure access to one or more LDAPv3 servers. You can do the following:
• Create server configurations and enable or disable them individually. For instructions, see “Creating an LDAPv3 Configuration” on page 98.
• Edit the settings of a server configuration. For instructions, see “Editing an LDAPv3 Configuration” on page 99.
• Duplicate a configuration. For instructions, see “Duplicating an LDAPv3 Configuration” on page 99.
• Delete a configuration. For instructions, see “Deleting an LDAPv3 Configuration” on page 100.
• Change the connection settings for an LDAPv3 configuration. For instructions, see “Changing an LDAPv3 Configuration’s Connection Settings” on page 100.
• Define custom mappings of Mac OS X record types and attributes to LDAPv3 record types, search bases, and attributes. For instructions, see “Configuring LDAPv3 Search Bases and Mappings” on page 101.
• Populate LDAPv3 directory domains with records and data. For instructions, see “Populating LDAPv3 Domains With Data for Mac OS X” on page 103.

Creating an LDAPv3 Configuration
You can use Directory Access to create a configuration for an LDAPv3 server.

To create an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Click New and enter a name for the configuration.
6 Press Tab and enter the LDAPv3 server’s DNS name or IP address.
7 Choose a mapping template from the inline pop-up menu, or choose From Server.
8 Enter the search base for your LDAPv3 server and click OK.
  If you chose a template in step 7, you must enter a search base, or the configuration will not work. If you chose From Server in step 7, you may be able to leave the search base blank and still use the LDAPv3 server. In this case, Open Directory looks for the search base at the first level of the LDAPv3 server.
9 Select the SSL checkbox if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the LDAPv3 server.
  Without SSL, everything exchanged with the server, including any distinguished name and password you later configure under “Use authentication when connecting,” crosses the network unencrypted.

After creating a new server configuration, you should add the server to an automatic search policy supplied by a DHCP server or to a custom search policy. A computer can access an LDAP server only if the server is included in the computer’s search policy, either automatic or custom. For more information, see “Setting Up Search Policies” on page 94 and “Setting the LDAP Server for DHCP Clients” on page 479 of Chapter 11, “DHCP Service.”

Editing an LDAPv3 Configuration
You can use Directory Access to change the settings of an LDAPv3 server configuration.

To edit an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Change any of the settings displayed in the list of server configurations.
  Click an Enable checkbox to activate or deactivate a server. To change a configuration name, double-click it in the list. To change a server name or IP address, double-click it in the list. Choose a mapping template from the inline pop-up menu. Click the SSL checkbox to enable or disable Secure Sockets Layer (SSL) connections.
Duplicating an LDAPv3 Configuration
You can use Directory Access to duplicate an LDAPv3 server configuration. After duplicating a configuration, you can change its settings.

To duplicate an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Duplicate.
6 Change any of the duplicate configuration’s settings.
  Click an Enable checkbox to activate or deactivate a server. To change a configuration name, double-click it in the list. To change a server name or IP address, double-click it in the list. Choose a mapping template from the inline pop-up menu. Click the SSL checkbox to enable or disable Secure Sockets Layer (SSL) connections.

After duplicating a server configuration, you should add the duplicate to an automatic search policy supplied by a DHCP server or to a custom search policy. A computer can access an LDAP server only if the server is included in the computer’s search policy, either automatic or custom. For more information, see “Setting Up Search Policies” on page 94 and “Setting the LDAP Server for DHCP Clients” on page 479 of Chapter 11, “DHCP Service.”

Deleting an LDAPv3 Configuration
You can use Directory Access to delete an LDAPv3 server configuration.

To delete an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Delete.
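An added example, not part of the original manual and not Apple's Directory Access code, that checks a set of LDAPv3 server configurations for the problems the procedures above and the connection settings in the next section describe: a mapping template chosen without a search base, a search base or bind DN that is not a valid distinguished name, authentication enabled without SSL, and a custom port that contradicts the SSL setting (389 is the standard port without SSL, 636 with it). The template name "Open Directory Server", the hostnames, the DNs and the 120-second default timeouts are assumptions used for illustration.

```python
"""Audit LDAPv3 server configurations of the kind Directory Access stores.

Added example, not Apple's code. It models the fields Directory Access
exposes for an LDAPv3 configuration (server, mapping template, search base,
SSL, authentication DN, custom port, timeouts) as a dataclass and reports the
combinations that will not work or that expose credentials. The template name,
hosts, DNs and defaults below are assumed; the sample configurations are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard LDAP ports keyed by whether SSL is enabled (389 plain, 636 over SSL).
STANDARD_PORT = {False: 389, True: 636}


@dataclass
class LDAPv3Config:
    name: str
    server: str                     # DNS name or IP address
    mapping: str                    # a template name, "Custom", or "From Server"
    search_base: str = ""
    ssl: bool = False               # "Encrypt using SSL"
    use_auth: bool = False          # "Use authentication when connecting"
    bind_dn: str = ""               # distinguished name supplied when use_auth is set
    custom_port: Optional[int] = None
    open_close_timeout: int = 120   # seconds; these defaults are assumed, not from the page
    connection_timeout: int = 120


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas.
    Raises ValueError for anything that is not a sequence of attr=value RDNs."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for rdn in parts:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def effective_port(cfg: LDAPv3Config) -> int:
    """Port Open Directory would connect to: the custom port, else the standard one."""
    return cfg.custom_port if cfg.custom_port is not None else STANDARD_PORT[cfg.ssl]


def audit(cfg: LDAPv3Config) -> List[str]:
    """Return ERROR/WARNING strings; an empty list means the configuration passes."""
    findings = []
    if not cfg.server.strip():
        findings.append("ERROR: no server name or IP address")
    # A template requires a search base; only "From Server" may leave it blank.
    if cfg.mapping != "From Server" and not cfg.search_base.strip():
        findings.append("ERROR: a search base is required when a mapping template is chosen")
    elif cfg.search_base.strip():
        try:
            parse_dn(cfg.search_base)
        except ValueError as exc:
            findings.append(f"ERROR: search base is not a valid DN ({exc})")
    if cfg.use_auth:
        if not cfg.bind_dn.strip():
            findings.append("ERROR: authentication enabled but no distinguished name given")
        else:
            try:
                parse_dn(cfg.bind_dn)
            except ValueError as exc:
                findings.append(f"ERROR: bind DN is not a valid DN ({exc})")
        if not cfg.ssl:
            # A DN and password supplied over a plain connection are readable on the wire.
            findings.append("WARNING: authentication without SSL sends the DN and password in cleartext")
    if cfg.custom_port is not None:
        if not 1 <= cfg.custom_port <= 65535:
            findings.append(f"ERROR: custom port {cfg.custom_port} is out of range")
        elif cfg.custom_port == STANDARD_PORT[not cfg.ssl]:
            # 636 with SSL off (or 389 with it on) almost always means the SSL box is wrong.
            findings.append(f"WARNING: custom port {cfg.custom_port} is the standard port for the opposite SSL setting")
    for label, secs in (("open/close", cfg.open_close_timeout), ("connection", cfg.connection_timeout)):
        if secs <= 0:
            findings.append(f"ERROR: {label} timeout must be a positive number of seconds")
    return findings


# Constructed sample configurations (template name, hostnames and DNs are illustrative).
GOOD = LDAPv3Config("Corp OD", "od.example.com", "Open Directory Server",
                    search_base="dc=example,dc=com", ssl=True)
BAD = LDAPv3Config("Legacy", "10.0.0.5", "Custom", use_auth=True,
                   bind_dn="cn=reader,dc=example,dc=com", custom_port=636)

if __name__ == "__main__":
    for cfg in (GOOD, BAD):
        print(cfg.name, "->", audit(cfg) or ["OK"])
```

Run it against every configuration you intend to enable; anything reported as ERROR will not connect or will not search, and the cleartext WARNING means the account named in the bind DN should be treated as compromised if the server is ever reached over an untrusted network.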
Changing an LDAPv3 Configuration’s Connection Settings
You can use Directory Access to change the connection settings for an LDAPv3 server configuration.

To change the connection settings of an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Edit.
6 Click the Connection tab and change any of the settings.
  Configuration Name identifies this configuration in the list of LDAPv3 configurations. (You can also change the name directly in the list of LDAPv3 configurations.)
  Server Name or IP Address specifies the server’s DNS name or its IP address. (You can also change this directly in the list of LDAPv3 configurations.)
  “Open/close times out in” specifies the number of seconds that Open Directory waits before cancelling an attempt to connect to the LDAPv3 server.
  “Connection times out in” specifies the number of seconds that Open Directory allows an idle or unresponsive connection to remain open.
  “Use authentication when connecting” determines whether Open Directory authenticates itself as a user of the LDAPv3 server by supplying the Distinguished Name and Password when connecting to the server. If you enable this setting, also enable “Encrypt using SSL”; otherwise the distinguished name and password are sent to the server unencrypted and can be read by anyone able to observe the traffic.
  “Encrypt using SSL” determines whether Open Directory encrypts communications with the LDAPv3 server by using a Secure Sockets Layer (SSL) connection. (You can also change this setting directly in the list of LDAPv3 configurations.)
  “Use custom port” specifies a port number other than the standard port for LDAPv3 connections (389 without SSL or 636 with SSL).

Configuring LDAPv3 Search Bases and Mappings
Each LDAPv3 configuration that you create specifies where data needed by Mac OS X resides on the LDAPv3 server. You can edit the LDAPv3 search base for each Mac OS X record type. You can edit the mapping of each Mac OS X record type to one or more LDAPv3 object classes. For each record type, you can also edit the mapping of Mac OS X data types, or attributes, to LDAPv3 attributes. You edit search bases and mappings with the Directory Access application.

Note: The mapping of Mac OS X data types to LDAPv3 attributes can be different for each record type. Mac OS X has separate LDAPv3 mappings for each record type. For detailed specifications of record types and attributes required by Mac OS X, see Appendix A, “Open Directory Data Requirements.”

To edit the search bases and mappings for an LDAPv3 server:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Edit.
6 Click the Search & Mappings tab.
7 Select the mappings that you want to use as a starting point, if any.
  Click “Read from Server” to edit the mappings currently stored in the LDAPv3 server whose configuration you are editing. Click the “Access this LDAPv3 server using” pop-up menu, choose a mapping template to use its mappings as a starting point, or choose Custom to begin with no predefined mappings.
8 Add record types and change their search bases as needed.
  To add record types, click the Add button below the Record Types and Attributes list. In the sheet that appears, select Record Types, select one or more record types from the list, and then click OK.
  To change the search base of a record type, select it in the Record Types and Attributes list. Then click the “Search base” field and edit the search base.
  To remove a record type, select it in the Record Types and Attributes list and click Delete.
  To add a mapping for a record type, select the record type in the Record Types and Attributes list. Then click the Add button below “Map to __ items in list” and enter the name of an object class from the LDAPv3 domain. To add another LDAPv3 object class, you can press Return and enter the name of the object class. Specify whether to use all or any of the listed LDAPv3 object classes by using the pop-up menu above the list.
  To change a mapping for a record type, select the record type in the Record Types and Attributes list. Then double-click the LDAPv3 object class that you want to change in the “Map to __ items in list” and edit it. Specify whether to use all or any of the listed LDAPv3 object classes by using the pop-up menu above the list.
  To remove a mapping for a record type, select the record type in the Record Types and Attributes list. Then click the LDAPv3 object class that you want to remove from the “Map to __ items in list” and click the Delete button below “Map to __ items in list.”
9 Add attributes and change their mappings as needed.
  To add attributes to a record type, select the record type in the Record Types and Attributes list. Then click the Add button below the Record Types and Attributes list. In the sheet that appears, select Attribute Types, select one or more attribute types, and then click OK.
  To add a mapping for an attribute, select the attribute in the Record Types and Attributes list. Then click the Add button below “Map to __ items in list” and enter the name of an attribute type from the LDAPv3 domain. To add another LDAPv3 attribute type, you can press Return and enter the name of the attribute type.
  To change a mapping for an attribute, select the attribute in the Record Types and Attributes list. Then double-click the item that you want to change in the “Map to __ items in list” and edit the item name.
  To remove a mapping for an attribute, select the attribute in the Record Types and Attributes list. Then click the item that you want to remove from the “Map to __ items in list” and click the Delete button below “Map to __ items in list.”
10 Click Write to Server if you want to store the mappings on the LDAPv3 server so that it can supply them automatically to its clients.
  You must enter a search base to store the mappings, a distinguished name of an administrator (for example, cn=admin,dc=example,dc=com) and a password. Because this step sends administrator credentials to the server, do it only over a connection that has “Encrypt using SSL” enabled. The LDAPv3 server supplies its mappings to clients that are configured to use an automatic search policy. For instructions on configuring the client search policy, see “Setting Up Search Policies” on page 94. The LDAPv3 server also supplies its mappings to clients that have been configured manually to get mappings from the server. For instructions on configuring client access to the server, see “Creating an LDAPv3 Configuration” on page 98 through “Changing an LDAPv3 Configuration’s Connection Settings” on page 100.

Populating LDAPv3 Domains With Data for Mac OS X
After configuring LDAPv3 directory domains and setting up their data mapping, you can populate them with records and data for Mac OS X. For directory domains that allow remote administration (read/write access), use the Workgroup Manager application and the Server Settings application as follows:
• Identify share points and shared domains that you want to mount automatically in a user’s /Network directory (the Network globe in Finder windows). Use the Sharing module of Workgroup Manager. For instructions, see Chapter 4, “Sharing.”
• Define user records and group records and configure their settings. Use the Accounts module of Workgroup Manager. For instructions, see Chapter 3, “Users and Groups.”
• Define lists of computers that have the same preference settings and are available to the same users and groups. Use the Computers module of Workgroup Manager.
  For instructions, see Chapter 6, “Client Management: Mac OS X.”
• Create records for shared printers that you want to appear in the Directory Services printer list in Print Center. Use the Print module of Server Settings. For instructions, see Chapter 7, “Print Service.”

Note: To add records and data to a read-only LDAPv3 domain, you must use tools on the server that hosts the LDAPv3 domain.

Using an Active Directory Server
Your Mac OS X Server, like any computer with Mac OS X version 10.2, can use Open Directory to access an Active Directory domain hosted by a Microsoft Windows server. This section explains how to configure your Mac OS X Server and client Mac OS X computers to access an Active Directory server. This section also explains how to use your Mac OS X Server to populate the Active Directory domain with records and data.

In addition, you can edit, duplicate, or delete an Active Directory server configuration. You can also change the connection settings and customize the mappings of an Active Directory server configuration. The procedures for all these tasks are the same for Active Directory servers as for LDAPv3 servers. For instructions, see “Configuring Access to Existing LDAPv3 Servers” on page 98.

Creating an Active Directory Server Configuration
You can use Directory Access to create a configuration for an Active Directory server.

To create an Active Directory server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Click New and enter a name for the configuration.
6 Press Tab and enter the Active Directory server’s DNS name or IP address.
7 Click the inline pop-up menu and choose Active Directory.
8 Enter the search base for your Active Directory server, then click OK.
9 Select the SSL checkbox if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the Active Directory server.

Important: Open Directory uses the LDAPv3 protocol, not Microsoft’s proprietary Active Directory Services Interface (ADSI), to connect to Microsoft’s Active Directory. This chapter does not explain how to configure Active Directory on a Windows server for LDAPv3 read/write access. If you need assistance, consult an individual with Windows and Active Directory expertise, refer to the documentation for these products, or go to the Microsoft Web site: www.microsoft.com/support/

After creating a new Active Directory server configuration, you should add the server to an automatic search policy supplied by a DHCP server or to a custom search policy. A computer can access an Active Directory server only if the server is included in the computer’s search policy, either automatic or custom. For more information, see “Setting Up Search Policies” on page 94 and “Setting the LDAP Server for DHCP Clients” on page 479 of Chapter 11, “DHCP Service.”

Setting Up an Active Directory Server
If you want a Mac OS X computer to get administrative data from an Active Directory server, the data must exist on the Active Directory server in the format required by Mac OS X. You may need to add, modify, or reorganize data on the Active Directory server. You must make the necessary modifications by using tools on the Active Directory server.

To set up an Active Directory server for Mac OS X directory services:
1 Go to the Active Directory server and configure it to support LDAPv3-based authentication and password checking.
2 Modify the Active Directory object classes and attributes as necessary to provide the data needed by Mac OS X.
  For detailed specifications of the data required by Mac OS X directory services, see Appendix A, “Open Directory Data Requirements.”

Populating Active Directory Domains With Data for Mac OS X
After creating an Active Directory server configuration and setting it up for Mac OS X directory services, you can populate it with records and data for Mac OS X. If the Active Directory server allows remote administration (read/write access), use the Workgroup Manager application and the Server Settings application as follows:
• Identify share points and shared domains that you want to mount automatically in a user’s /Network directory (the Network globe in Finder windows). Use the Sharing module of Workgroup Manager. For instructions, see Chapter 4, “Sharing.”
• Define user records and group records and configure their settings. Use the Accounts module of Workgroup Manager. For instructions, see Chapter 3, “Users and Groups.”
• Define lists of computers that have the same preference settings and are available to the same users and groups. Use the Computers module of Workgroup Manager. For instructions, see Chapter 6, “Client Management: Mac OS X.”
• Create records for shared printers that you want to appear in the Directory Services printer list in Print Center. Use the Print module of Server Settings. For instructions, see Chapter 7, “Print Service.”

Note: To add records and data to a read-only Active Directory server, you must use tools on the Windows server.

Accessing an Existing LDAPv2 Directory
You can configure a Mac OS X computer to retrieve administrative data from one or more LDAPv2 servers. For each LDAPv2 server that you want the computer to access, you generally do the following:
• Prepare the LDAPv2 server data. For instructions, see “Setting Up an LDAPv2 Server” on page 106.
• Create an LDAPv2 server configuration. For instructions, see “Creating an LDAPv2 Server Configuration” on page 106.
• Change LDAPv2 server access settings as needed.
  For instructions, see “Changing LDAPv2 Server Access Settings” on page 107.
• Edit LDAPv2 search bases and data mappings as needed. For instructions, see “Editing LDAPv2 Search Bases and Data Mappings” on page 108.
• Make sure the LDAPv2 server is included in a custom search policy. For more information, see “Setting Up Search Policies” on page 94.

Setting Up an LDAPv2 Server
If you want a Mac OS X computer to get administrative data from an LDAPv2 server, the data must exist on the LDAPv2 server in the format required by Mac OS X. You may need to add, modify, or reorganize data on the LDAPv2 server. Mac OS X cannot write data to an LDAPv2 directory, so you must make the necessary modifications by using tools on the server that hosts the LDAPv2 directory.

To set up an LDAPv2 server for Mac OS X:
1 Go to the LDAPv2 server and configure it to support LDAPv2-based authentication and password checking.
2 Modify LDAPv2 server object classes and attributes as necessary to provide the data needed by Mac OS X.
  For detailed specifications of the data required by Mac OS X directory services, see Appendix A, “Open Directory Data Requirements.”

Creating an LDAPv2 Server Configuration
You need to create a configuration for an LDAPv2 server from which you want your computer to get administrative data. Use the Directory Access application to create an LDAPv2 configuration.

To create an LDAPv2 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv2 in the list of services, then click Configure.
4 Create a new configuration or duplicate an existing configuration.
  Click New to create a new configuration. Click Duplicate to create a copy of the currently selected configuration.
5 Click the Identity tab, then enter a configuration name and server address.
  In the Name field, enter a descriptive name for the LDAPv2 server. In the Address field, enter the LDAPv2 server’s DNS name or IP address.
6 Click the Access tab, then change the access settings as needed.
  For detailed instructions, see “Changing LDAPv2 Server Access Settings” on page 107.
7 Click the Records tab and for any Mac OS X record type listed on the left, edit the LDAPv2 search base as needed on the right.
  For detailed instructions, see “Editing LDAPv2 Search Bases and Data Mappings” on page 108.
8 Click the Data tab and for any Mac OS X data type listed on the left, edit the corresponding LDAPv2 attributes on the right.
  For detailed instructions, see “Editing LDAPv2 Search Bases and Data Mappings” on page 108.
9 Click OK.
10 Select the Enable checkbox to make the LDAPv2 server you just configured available for use by directory services, then close the window and click Save.

After creating a new LDAPv2 server configuration, you should add the server to a custom search policy. A computer can access an LDAPv2 server only if the server is included in the computer’s custom search policy. For more information, see “Setting Up Search Policies” on page 94 and “Setting the LDAP Server for DHCP Clients” on page 479 of Chapter 11, “DHCP Service.”

Changing LDAPv2 Server Access Settings
You can change settings that determine how your computer accesses an LDAPv2 server. Use the Directory Access application to change the settings.

To change access settings for an LDAPv2 server:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv2 in the list of services, then click Configure.
4 Select a server configuration in the list, then click Edit.
5 Click the Access tab, then change the access settings as needed.
  Select “Use anonymous access” if Open Directory should connect to the LDAPv2 server without using a name and password. Select “Use the username and password below” if Open Directory should not connect anonymously. Enter the distinguished name (for example, cn=admin,cn=users,dc=example,dc=com) and password that Open Directory should use to establish an LDAPv2 server connection. Ensure that the LDAPv2 server is configured to accept any name and password you specify. Unless the connection is otherwise protected, the name and password are sent to the server unencrypted; since Mac OS X only reads from an LDAPv2 directory, an account with read-only rights is sufficient and preferable to an administrator account.
  Enter the number of seconds for “Open & close timeout,” which defines the maximum time to wait before cancelling an attempt to connect to the LDAPv2 server. The default is 120 seconds.
  Enter the number of seconds for “Search timeout,” which defines the maximum time to spend searching for data on the LDAPv2 server. The default is 120 seconds.
  Identify the port that should be used for the connection. The default is port 389. Ensure that any number you specify is actually used by the LDAPv2 server.
6 Click OK, then close the window and click Save.

Editing LDAPv2 Search Bases and Data Mappings
Each LDAPv2 configuration that you create specifies where data needed by Mac OS X resides on the LDAPv2 server. You can edit the LDAPv2 search base for each Mac OS X record type. You can also edit the mapping of Mac OS X data types, or attributes, to LDAPv2 attributes. You edit search bases and data mappings with the Directory Access application.

Note: The mapping of Mac OS X data types to LDAPv2 attributes is the same for all record types. Mac OS X cannot have different LDAPv2 mappings for different record types. For detailed specifications of record types and attributes required by Mac OS X, see Appendix A, “Open Directory Data Requirements.”

To edit the search bases and data mappings for an LDAPv2 server:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv2 in the list of services, then click Configure.
4 Select a server configuration in the list, then click Edit.
5 Click the Records tab and for any Mac OS X record type listed on the left, edit the LDAPv2 search base as needed on the right.
  Select an item in the Record Type list, and then edit the “Maps to” value to specify a search base on the LDAPv2 server that provides appropriate information.
  Select Users in the Record Type list. Then edit the “Maps to” value to specify a search base on the LDAPv2 server that provides user information. The default search base for the Users record type is ou=people,o=company name.
  Select Groups in the Record Type list. Then edit the “Maps to” value to specify a search base on the LDAPv2 server that provides group information. The default search base for the Groups record type is ou=groups,o=company name.
  As needed, select other items in the Record Type list and edit their “Maps to” values to specify a search base on the LDAPv2 server that provides the appropriate information.
6 Click the Data tab and for any Mac OS X data type listed on the left, edit the corresponding LDAPv2 attributes on the right.
  Select RecordName in the Data Type column. Then edit the “Maps to” value to identify one or more LDAPv2 attributes that store the names a user can be known by, including the user’s short name. This same mapping identifies the LDAPv2 attributes that store a group name for the Groups record type.
  Select UniqueID in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that uniquely identifies a user. This same mapping identifies the LDAPv2 attribute that uniquely identifies a group in the Groups record type.
  Select RealName in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores the full user name.
  Select MailAttribute in the Data Type column if users will be using mail service on the server. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores the user’s mail settings in the required format.
  Select EMailAddress in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attributes that store the forwarding address. This attribute is used for users without a mail attribute.
  Select Password in the Data Type column only if the LDAPv2 server stores user passwords in UNIX crypt format. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores the password. Mapping Password means clients read the crypt hashes from the directory, so make sure the LDAPv2 server restricts read access to that attribute.
  Select PrimaryGroupID in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores the ID number for the user’s primary group.
  Select HomeDirectory in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attributes that store the home directory information in the required format.
  Select UserShell in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores the path and filename of the user login shell. This is the default shell used for command-line interactions with the server. Enter “None” to prevent users who are defined in this directory from accessing the server remotely via a command line.
  Select GroupMembership in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores a list of users associated with the group. Users should be identified using their short names.
  If other items in the Data Type column will be retrieved from the LDAPv2 server, select them one by one. When you select an item, edit the “Maps to” value to identify one or more LDAPv2 attributes that store the appropriate information.
7 Click OK, then close the window and click Save.

Using NetInfo Domains
Your Mac OS X Server can be part of a hierarchy of shared NetInfo domains. If you create a shared directory domain on your server, other Mac OS X computers can access it via the NetInfo protocol (as well as the LDAPv3 protocol). This makes your server a NetInfo parent, and the other computers that bind to it are NetInfo children. Instructions for creating a shared NetInfo domain are next. You can also configure your Mac OS X Server to bind to a shared NetInfo domain on another Mac OS X Server.
This makes your server a NetInfo child of a NetInfo parent. For instructions, see “Configuring NetInfo Binding” on page 111. Expert system administrators can manage NetInfo domains as follows: m Create machine records for broadcast binding to a shared NetInfo domain. For instructions, see “Adding a Machine Record to a Parent NetInfo Domain” on page 113. m Configure a shared NetInfo domain to use a particular port number instead of a dynamically assigned port number. For instructions, see “Configuring Static Ports for Shared NetInfo Domains” on page 113. m View the contents of any NetInfo domain. For instructions, see “Viewing and Changing NetInfo Data” on page 114. m Perform other operations by using the Terminal application. For more information, see “Using UNIX Utilities for NetInfo” on page 114. Creating a Shared NetInfo Domain Your Mac OS X Server can host a shared NetInfo domain. Then other Mac OS computers can access the shared NetInfo domain for information about users and resources. The server that hosts a shared NetInfo domain is called a parent, and a computer that accesses it is known as a child. The shared domain is actually a shared Open Directory domain that other computers access using the NetInfo protocol. You set it up with the Open Directory Assistant application.Directory Services 111 To create a shared NetInfo domain: 1 Open the Open Directory Assistant application. 2 Enter the connection and authentication information for the Mac OS X Server where you want to create the shared NetInfo domain, then click Connect. 3 Click the right arrow to get to the Location step, and then select the setting that indicates the server is at its permanent network location. You cannot set up a shared NetInfo domain on a server that is in a temporary location. 4 Advance to the Directory Use step, and then select the option to provide directory information to other servers. 5 Go to the Configure step, where you may select the option to enable LDAP support. 
The shared directory automatically supports the NetInfo protocol. LDAP support is optional.
6 Go through the steps for configuring a Password Server. As you go through each step, Open Directory Assistant displays the current Password Server settings of the Mac OS X Server that you are configuring. If you want the Password Server configuration to remain as-is, do not change any settings as you go through these steps.
7 When you reach the Finish Up step, review its configuration summary and click Go Ahead to apply the settings. If you want to change any of the settings in the configuration summary, click the left arrow. Keep clicking the left arrow until you get back to the step where you can make the desired change. After changing the setting, click the right arrow until you get to the Finish Up step again.

Configuring NetInfo Binding

When a Mac OS X computer starts up, it can bind its local directory domain to a shared NetInfo domain. The shared NetInfo domain can bind to another shared NetInfo domain. The binding process creates a hierarchy of NetInfo domains.

A NetInfo hierarchy has a structure like an upside-down tree. Local domains at the bottom of the hierarchy bind to one or more shared domains, which may in turn bind to one or more other shared domains, and so on. Each domain binds to only one shared domain, but a shared domain can have any number of domains bind to it. A shared domain is called a parent domain, and each domain that binds to it is a child domain. At the top of the hierarchy is one shared domain that doesn’t bind to another domain; this is the root domain.

A Mac OS X computer can bind to a shared NetInfo domain by using any combination of three protocols: static, broadcast, or DHCP.
• With static binding, you specify the address and NetInfo tag of the shared NetInfo domain. This is most commonly used when the shared domain’s computer is not on the same IP subnet as the computer that needs to access it.
• With DHCP binding, a DHCP server automatically supplies the address and NetInfo tag of the shared NetInfo domain. To use DHCP binding, the DHCP server must be configured to supply a NetInfo parent’s address and tag. For instructions, see “Setting NetInfo Options for a Subnet” on page 482 in Chapter 11, “DHCP Service.”
• With broadcast binding, the computer locates a shared NetInfo domain by sending out an IP broadcast request. The computer hosting the shared domain responds with its address and tag. For broadcast binding, both computers must be on the same IP subnet or on a network that is configured for IP broadcast forwarding. The parent domain must have the NetInfo tag “network.” The parent domain must have a machine record for each of its child domains. See “Adding a Machine Record to a Parent NetInfo Domain” on page 113 for more information.

If you configure a computer to use multiple binding protocols and a parent is not located with one protocol, another one is used. The protocols are used in this order: static, DHCP, broadcast.

You can configure NetInfo binding by using the Directory Access application.

To bind a Mac OS X computer to a shared NetInfo domain:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select NetInfo in the list of services, then click Configure.
4 Select the binding protocols that you want the computer to use. For broadcast binding, select “Attempt to connect using Broadcast protocol.” For DHCP binding, select “Attempt to connect using DHCP protocol.” For static binding, select “Attempt to connect to a specific NetInfo server.” Then enter the IP address of the parent domain’s computer in the Server Address field and the parent domain’s NetInfo tag in the Server Tag field.
5 Click OK, then click Apply.
6 Restart the computer.

Adding a Machine Record to a Parent NetInfo Domain

Mac OS X computers can bind their directory domains to a parent NetInfo domain by using broadcast binding. The parent NetInfo domain must have a machine record for each Mac OS X computer that can bind to it with broadcast binding. You can create a machine record with the NetInfo Manager application.

To add a machine record to a parent NetInfo domain:
1 Open NetInfo Manager on the computer where the parent domain resides, then open the domain.
2 Click the lock and log in using the user name and password specified when the domain was created.
3 Select the machines directory in the Directory Browser list.
4 Choose New Subdirectory from the Directory menu.
5 Double-click new_directory in the lower list and enter the DNS name of the child computer.
6 Choose New Property from the Directory menu.
7 In the lower list, change new_property to ip_address and change new_value to the IP address of the child computer.
8 Choose New Property from the Directory menu.
9 Change new_property to “serves” and then change new_value to the name and NetInfo tag of the child’s local domain, using a “/” to separate them. For example, you would change new_value to marketing.demo/local for the local domain of the computer named marketing.demo.
10 Choose Save Changes from the Domain menu, then click Update This Copy.

Configuring Static Ports for Shared NetInfo Domains

By default, Mac OS X dynamically selects a port in the range 600 through 1023 when it accesses a shared NetInfo domain. You can configure a shared domain for NetInfo access over specific ports. Use the NetInfo Manager application to do this.

To configure specific ports for NetInfo access to shared domains:
1 Open NetInfo Manager on the computer where the shared domain resides, then open the domain.
2 Click the lock icon and log in using the administrator name and password specified when the domain was created.
3 Select the “/” directory in the Directory Browser list.
4 To change the value of an existing port property, double-click the value in the Value(s) column and make the change.
5 To delete a port property, select it and choose Delete from the Edit menu.
6 To add a property, choose New Property from the Directory menu and proceed as follows. If you want to use one port for both TCP and UDP packets, double-click new_property and change it to port. Then change new_value to the port number you want to use. If you want separate TCP and UDP ports, double-click new_property and change it to tcp_port. Then change new_value to the TCP port number you want to use. Next, double-click new_property and change it to udp_port. This time, change new_value to the UDP port number you want to use.

Viewing and Changing NetInfo Data

Information in a NetInfo database is organized into directories, which are specific categories of NetInfo records, such as users, machines, and mounts. For example, the users directory contains a record for each user defined in the domain. Each record is a collection of properties. Each property has a key (listed in the Property column) and one or more values (shown in the Value(s) column). The key is used by processes to retrieve values.

The user named “root” in a domain can change any of its properties or add new ones. Properties with the prefix “_writers_” list the short names of other users authorized to change the value of a particular property. For example, _writers_passwd is the short name of the user who can change this user’s password.

You can use NetInfo Manager, located in /Applications/Utilities, on any Mac OS X computer to view the administrative data in a NetInfo domain.

Using UNIX Utilities for NetInfo

Several UNIX command-line utilities that interact with NetInfo are available through the Terminal application. To find out more about these utilities, view their man pages.
Utility   Description
niload    Loads data from UNIX configuration files (such as /etc/passwd) into a NetInfo database.
nidump    Converts data from a NetInfo database to a UNIX configuration file.
niutil    Reads from a NetInfo database and writes to one.
nigrep    Searches all NetInfo domains for all instances of a string you specify.
nicl      Creates, reads, or manages NetInfo data.

Using Berkeley Software Distribution (BSD) Configuration Files

Historically, UNIX computers have stored administrative data in configuration files such as
/etc/passwd
/etc/group
/etc/hosts

Mac OS X is based on a BSD version of UNIX, but normally gets administrative data from directory domains for the reasons discussed at the beginning of this chapter. In Mac OS X version 10.2 and later (including Mac OS X Server version 10.2 and later), Open Directory can retrieve administrative data from BSD configuration files. This capability enables organizations that already have BSD configuration files to use copies of the existing files on Mac OS X computers. BSD configuration files can be used alone or in conjunction with other directory domains.

To use BSD configuration files, you must do the following:
• Specify which BSD configuration files to use, and map their contents to Mac OS X record types and attributes. Instructions for doing this are next.
• Set up each BSD configuration file with the data required by Mac OS X directory services. See “Setting Up Data in BSD Configuration Files” on page 118 for instructions.
• Create a custom search policy that includes the BSD configuration files domain. For instructions, see “Defining a Custom Search Policy” on page 95.

Mapping BSD Configuration Files

A computer with Mac OS X version 10.2 or later can get information about users and resources from BSD configuration files. Mac OS X determines which BSD configuration files to use by inspecting the file DSFFPlugin.plist (located in /Library/Preferences/DirectoryService).
This file identifies each BSD configuration file that contains administrative data. In addition, DSFFPlugin.plist maps the data in each BSD configuration file to specific Mac OS X record types and attributes. In other words, DSFFPlugin.plist tells Mac OS X how to extract particular data items from BSD configuration files.

The DSFFPlugin.plist file initially specifies four BSD configuration files for administrative data:
/etc/master.passwd
/etc/group
/etc/hosts
/etc/fstab

You can specify different BSD configuration files by editing the DSFFPlugin.plist file. This file contains structured text in XML format and is known as a property list or plist. You can edit this file with a text editor, but the Property List Editor application makes the job easier. Property List Editor is specifically designed to work with plist files.

You may not have Property List Editor on your computer, because it is not part of a standard installation of Mac OS X. However, Property List Editor is included if you install the Mac OS X Developer Tools from the Developer Tools CD. (The Developer Tools CD comes with the Mac OS X CD.) Then Property List Editor is located in /Developer/Applications. You can use Directory Access to open the DSFFPlugin.plist file with Property List Editor.

Note: To use the files specified by DSFFPlugin.plist, a computer must have a custom search policy that includes the BSD configuration files domain. An automatic search policy does not include the BSD configuration files domain. See “Defining a Custom Search Policy” on page 95 for instructions.

To map BSD configuration files to Mac OS X record types and attributes:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select BSD Configuration Files in the list of services, then click Configure. Directory Access tells Property List Editor to open /Library/Preferences/DirectoryService/DSFFPlugin.plist.
4 With DSFFPlugin.plist open in Property List Editor, click disclosure triangles in the Property List column to see the contents of FileTypeArray. FileTypeArray contains dictionary items. Each dictionary identifies one BSD configuration file and maps its contents. Each dictionary is identified by a number. Initially, dictionary 0 maps data in the /etc/hosts file; dictionary 1 maps data in the /etc/group file; dictionary 2 maps data in the /etc/master.passwd file; and dictionary 3 maps data in the /etc/fstab file.
5 To include another BSD configuration file, add a new dictionary under FileTypeArray and add fields under the new dictionary to specify the file name and path, record type, attributes, and so on. Add a dictionary for another BSD configuration file by selecting FileTypeArray and clicking New Child. Then click the class of the new dictionary and choose Dictionary from the pop-up menu. Add a field under a dictionary by selecting the dictionary, clicking its disclosure triangle so it points down, and clicking New Child. Type a name for the field. Then click the class of the field and select the appropriate class from the pop-up menu. Next, change the field’s value as needed. The dictionary that defines a BSD configuration file has the fields specified in the table below. You can see examples of these fields in the preconfigured dictionaries for /etc/hosts, /etc/group, /etc/master.passwd, and /etc/fstab. For detailed specifications of the data required by Mac OS X directory services, see Appendix A, “Open Directory Data Requirements.”
6 If necessary, you can delete any line, including a dictionary line, by selecting the line and clicking Delete. If you delete a line by mistake, immediately choose Undo from the Edit menu.
7 When you finish, save and close the file.
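To make the FileTypeArray mapping concrete, here is an added example in Python that is not part of this guide or of Apple’s software: it applies mapping dictionaries built from the same field names DSFFPlugin.plist uses (FilePath, RecordType, CommentChar, FieldDelimiter, RecordDelimiter, ValueDelimiter, NumberOfFields, RecordNameIndex, AlternateRecordNameIndex, FieldNamesAndPositions) to constructed master.passwd and group files. The “Position” key inside FieldNamesAndPositions entries, the record type names, and every attribute name other than dsAttrTypeStandard:RecordName are assumptions, as are the sample records and placeholder password fields.

```python
"""Extract directory records from BSD configuration files with mapping
dictionaries shaped like the FileTypeArray entries of DSFFPlugin.plist.
Added example, not Apple's code; sample files and hashes are constructed."""

MASTER_PASSWD = (
    "# User Database (constructed sample)\n"
    "root:********:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
    "ann:$1$salt$placeholderhash:501:20::0:0:Ann Example:/Users/ann:/bin/bash\n"
    "\n"
    "bob:*:502:501::0:0:Bob Example:/Users/bob:/bin/tcsh\n"
)
GROUP_FILE = (
    "# Group Database (constructed sample)\n"
    "wheel:*:0:root\n"
    "staff:*:20:root,ann\n"
    "marketing:*:501:bob,ann\n"
)

# Hex codes are strings, as the plist stores them (23 = '#', 3A = ':', 0A = newline).
PASSWD_MAPPING = {
    "FilePath": "/etc/master.passwd",
    "RecordType": "dsRecTypeStandard:Users",        # assumed record type name
    "CommentChar": "23",
    "FieldDelimiter": "3A",
    "RecordDelimiter": "0A",
    "NumberOfFields": 10,
    "RecordNameIndex": 0,
    "AlternateRecordNameIndex": 7,                  # real name as a second key
    "FieldNamesAndPositions": [                     # "Position" key is assumed
        {"FieldName": "dsAttrTypeStandard:RecordName", "Position": 0},
        {"FieldName": "dsAttrTypeStandard:UniqueID", "Position": 2},
        {"FieldName": "dsAttrTypeStandard:PrimaryGroupID", "Position": 3},
        {"FieldName": "dsAttrTypeStandard:RealName", "Position": 7},
        {"FieldName": "dsAttrTypeStandard:NFSHomeDirectory", "Position": 8},
    ],
}
GROUP_MAPPING = {
    "FilePath": "/etc/group",
    "RecordType": "dsRecTypeStandard:Groups",       # assumed record type name
    "CommentChar": "23",
    "FieldDelimiter": "3A",
    "RecordDelimiter": "0A",
    "ValueDelimiter": "2C",                         # member list is comma separated
    "NumberOfFields": 4,
    "RecordNameIndex": 0,
    "FieldNamesAndPositions": [
        {"FieldName": "dsAttrTypeStandard:RecordName", "Position": 0},
        {"FieldName": "dsAttrTypeStandard:PrimaryGroupID", "Position": 2},
        {"FieldName": "dsAttrTypeStandard:GroupMembership", "Position": 3},
    ],
}


def decode_hex_chars(hex_string):
    """Turn a plist hex string such as "0D0A" into the characters it names."""
    return "".join(chr(int(hex_string[i:i + 2], 16))
                   for i in range(0, len(hex_string), 2))


def parse_bsd_file(text, mapping):
    """Return one dict per record (attribute name -> list of values); the raw
    field list is kept under "_fields" so index-based lookups still work."""
    comment = decode_hex_chars(mapping["CommentChar"]) if "CommentChar" in mapping else None
    field_delim = decode_hex_chars(mapping["FieldDelimiter"])
    record_delim = decode_hex_chars(mapping["RecordDelimiter"])
    value_delim = decode_hex_chars(mapping["ValueDelimiter"]) if "ValueDelimiter" in mapping else None
    records = []
    for raw in text.split(record_delim):
        if not raw.strip() or (comment and raw.startswith(comment)):
            continue                                # blank or comment line
        fields = raw.split(field_delim)
        if len(fields) != mapping["NumberOfFields"]:
            # A wrong field count would shift every attribute; refuse the record.
            raise ValueError(f"malformed record in {mapping['FilePath']}: {raw!r}")
        record = {"_fields": fields, "RecordType": mapping["RecordType"]}
        for entry in mapping["FieldNamesAndPositions"]:
            value = fields[entry["Position"]]
            values = value.split(value_delim) if value_delim else [value]
            record[entry["FieldName"]] = [v for v in values if v]
        records.append(record)
    return records


def find_record(records, mapping, name):
    """Search RecordNameIndex first, then AlternateRecordNameIndex if present."""
    indexes = [mapping["RecordNameIndex"]]
    if "AlternateRecordNameIndex" in mapping:
        indexes.append(mapping["AlternateRecordNameIndex"])
    for index in indexes:
        for record in records:
            if record["_fields"][index] == name:
                return record
    return None


def groups_for_user(group_records, short_name):
    """Names of the groups whose GroupMembership list contains short_name."""
    return [g["dsAttrTypeStandard:RecordName"][0] for g in group_records
            if short_name in g["dsAttrTypeStandard:GroupMembership"]]
```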
Field name / Purpose
AlternateRecordNameIndex (optional): An index that can be used as a second field to be searched as the record name.
CommentChar (optional): A string that contains the hexadecimal ASCII code of a character to be used to denote comment lines. This character must appear at the beginning of any line that is to be interpreted as a comment. Typically this character is # (hexadecimal 23).
FieldDelimiter: A string that contains the hexadecimal ASCII code of a character to be used to delimit each field within a record. Typically this character is a colon (hexadecimal 3A).
FieldNamesAndPositions: An array of dictionaries. Each dictionary is one field within the record. Each dictionary contains the FieldName and its position (zero based) within the record. The field names must be Mac OS X directory services attributes such as dsAttrTypeStandard:RecordName.
FilePath: The path to the BSD configuration file.
NumberOfFields: Specifies how many fields are in each record.
PasswordArrayIndex (optional): Specifies which field in each record contains the password.
RecordDelimiter: Specifies the hexadecimal ASCII codes of up to eight characters used to delimit the end of a record. Typically this is the newline character (hexadecimal 0A).
RecordNameIndex: An index of the field to be used as the record name.
RecordType: The directory services record type of this record.
ValueDelimiter (optional): A string that contains the hexadecimal ASCII code of a character to be used to delimit values within a multivalued field. Typically this is a comma (hexadecimal 2C).

Setting Up Data in BSD Configuration Files

If you want a Mac OS X computer to get administrative data from BSD configuration files, the data must exist in the files and must be in the format required by Mac OS X. You may need to add, modify, or reorganize data in the files. Mac OS X cannot write data to BSD configuration files, so you must make the necessary modifications by using a text editor or other tools. For detailed specifications of the data required by Mac OS X directory services, see Appendix A, “Open Directory Data Requirements.”

Configuring Directory Access on a Remote Computer

You can use the Directory Access application to configure a computer that uses Mac OS X version 10.2 or later. Remote configuration is initially disabled on Mac OS X client computers and is initially enabled on Mac OS X Servers.

Note: Apple recommends that remote configuration never be disabled on a Mac OS X Server.

To configure directory access on a remote computer:
1 Make sure the remote computer has remote access enabled. On the remote computer, open Directory Access. If its Server menu includes Enable Remote Configuration, choose this item.
2 In Directory Access on your computer, choose Connect from the Server menu.
3 Enter the connection and authentication information for the computer that you want to configure, then click Connect. For Address, enter the DNS name or IP address of the server that you want to configure. For User Name, enter the user name of an administrator on the server. For Password, enter the password for the user name you entered.
4 Click the Services, Authentication, and Contacts tabs and change settings as needed. All the changes you make affect the remote computer to which you connected in the foregoing steps.
5 When you finish configuring the remote computer, choose Disconnect from the Server menu on your computer.

Monitoring Directory Services

You can use the Server Status application to view directory service status and directory service logs.
The following logs are available:
• Local directory client log
• LDAP server log
• NetInfo server log

To see directory services status or logs:
1 In Server Status, select Directory Servers in the Devices & Services list.
2 Click the Overview tab to see status information.
3 Click the Logs tab and choose a log from the Show pop-up menu.

Backing Up and Restoring Directory Services Files

You can back up the following directory services data:
• Open Directory domain data: Information associated with Open Directory domains is stored in files that reside in /var/db/netinfo/. Back up the entire directory.
• Authentication Manager for Windows data: If you upgraded your Mac OS X Server from an earlier version and enabled the Authentication Manager for Windows clients before upgrading, a file containing the encrypted password for each NetInfo domain on the server is stored in /var/db/netinfo/. If the NetInfo database name is MyDomain, the encryption key file is .MyDomain.tim. After restoring the domain, restore the corresponding .tim file to ensure proper authentication for Windows users who are configured to use Authentication Manager.
• Directory services configuration: Configurations set up using the Directory Access application are stored in /Library/Preferences/DirectoryService/. Back up the entire directory. Before backing up this data, quit Directory Access.

CHAPTER 3
Users and Groups

User and group accounts play a fundamental role in a server’s day-to-day operations:
• A user account stores data Mac OS X Server needs to validate a user’s identity and provide services for the user, such as access to particular files on the server and preferences that various services use.
• A group account offers a simple way to manage a collection of users with similar needs. A group account stores the identities of users who belong to the group as well as information that lets you customize the working environment for members of a group.
This chapter begins by highlighting the main characteristics of user and group accounts, then goes on to summarize the aspects of account administration and tell you how to
• manage user accounts
• manage home directories
• manage group accounts
• find user and group accounts defined on your network
• use Workgroup Manager shortcuts for defining users and groups
• import user and group accounts from a file
• set up a password validation scheme for each user

Most of the information in this chapter does not require extensive server administration or UNIX experience, but here are several suggestions for server administrators:
• An understanding of Mac OS X Server’s directory service options is very useful for working with user and group accounts in different kinds of directory domains and for creating and using Password Servers. Chapter 2, “Directory Services,” provides conceptual information as well as directory domain and Password Server setup instructions.
• The dsimportexport tool information may be easier to understand if you have experience with command-line tools.
• Kerberos information presumes a working familiarity with Kerberos.

How User Accounts Are Used

When you define a user’s account, you specify the information needed to prove the user’s identity: user name, password, and user ID. Other information in a user’s account is needed by various services—to determine what the user is authorized to do and perhaps to personalize the user’s environment.

Authentication

Before a user can log in to or connect with a Mac OS X computer, he or she must enter a name and password associated with a user account that the computer can find. A Mac OS X computer can find user accounts that are stored in a directory domain of the computer’s search policy. A directory domain is like a database that a computer is configured to access in order to retrieve configuration information.
A search policy is a list of directory domains the computer searches when it needs configuration information, starting with the local directory domain on the user’s computer. Chapter 2, “Directory Services,” describes the different kinds of directory domains and tells you how to configure search policies on any Mac OS X computer.

In the following picture, for example, a user logs in to a Mac OS X computer that can locate the user’s account in a directory domain of its search policy. After login, the user can connect to a remote Mac OS X computer if the user’s account can be located within the search policy of the remote computer.

Figure: “Log in to Mac OS X” (directory domains in search policy) and “Connect to Mac OS X Server” (directory domains in search policy).

If Mac OS X finds a user account containing the name entered by the user, it attempts to validate the password associated with the account. If the password can be validated, the user is authenticated and the login or connection process is completed.

After logging in to a Mac OS X computer, a user has access to all the resources, such as printers and share points, defined in directory domains of the search policy set up for the user’s computer. A share point is a hard disk (or hard disk partition), CD-ROM disc, or folder that contains files you want users to share. The user can access his home directory by clicking Home in a Finder window or in the Finder’s Go menu.

A user does not have to log in to a server to gain access to resources on a network, however. For example, when a user connects to a Mac OS X computer, the user can access files he or she is authorized to access on the computer, although the file system may prompt the user to enter a user name and password first. When a user accesses a server’s resources without logging in to the server, the search policy of the user’s computer is still in force, not the search policy of the computer the user has connected with.
Password Validation

When authenticating a user, Mac OS X first locates the user’s account and then uses the password strategy designated in the user’s account to validate the user’s password. There are several password strategies from which to choose:
• The password a user provides can be validated using a value stored in the user’s account. The account can be stored in a server-resident directory domain or in a directory domain that resides on another vendor’s directory server, such as an LDAP or Active Directory server.
• The password a user provides can be validated using a value stored in an Open Directory Password Server.
• A Kerberos server can be used to validate the password.
• A non-Apple LDAP server can be used to validate the password.

Figure: Directory services, Password Server, Kerberos server, directory server, and user account. The password provided can be validated using the value stored in the account, or using a value stored on another server on the network.

Clients needing password validation, such as login window and the AFP server, call Mac OS X directory services. Directory services determine from the user’s account how to validate the password.
• Directory services can validate a password stored in the account or by interacting with the Password Server or a remote LDAP directory server (using LDAP bind authentication).
• If a Kerberos server is used to validate a user, when the user accesses a Kerberized client, such as Mac OS X AFP or mail, the client interacts directly with the Kerberos server to validate the user. Then the client interacts with directory services to retrieve the user’s record for other information it needs, such as the user ID (UID) or primary group ID.

Information Access Control

All directories (folders) and files on Mac OS X computers have access privileges for the file’s owner, a group, and everyone else. Mac OS X uses a particular data item in a user’s account—the UID—to keep track of directory and file access privileges.

Figure: MyDoc. Owner 127 can: Read & Write. Group 2017 can: Read only. Everyone else can: None.

Directory and File Owner Access

When a directory or file is created, the file system stores the UID of the user who created it. When a user with that UID accesses the directory or file, he or she has read and write privileges to it by default. In addition, any process started by the creator has read and write privileges to any files associated with the creator’s UID.

If you change a user’s UID, the user may no longer be able to modify or even access files and directories he or she created. Likewise, if the user logs in as a user whose UID is different from the UID he or she used to create the files and directories, the user will no longer have owner access privileges for them.

Directory and File Access by Other Users

The UID, in conjunction with a group ID, is also used to control access by users who are members of particular groups. Every user belongs to a primary group. The primary group ID for a user is stored in his user account. When a user accesses a directory or file and the user is not the owner, the file system checks the file’s group privileges.
• If the user’s primary group ID matches the ID of the group associated with the file, the user inherits group access privileges.
• If the user’s primary group ID does not match the file’s group ID, Mac OS X searches for the group account that does have access privileges. The group account contains a list of the short names of users who are members of the group. The file system maps each short name in the group account to a UID, and if the user’s UID matches a UID of a group member, the user is granted group access privileges for the directory or file.

Administration Privileges

A user’s administrator privileges are stored in the user’s account.
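The owner, primary group, group membership, and everyone-else checks described under “Directory and File Owner Access” and “Directory and File Access by Other Users,” carried through as an added Python example that is not part of this guide or of Apple’s software. The user accounts, group accounts, and the MyDoc privileges (owner 127 read and write, group 2017 read only, everyone else none) are constructed to match the illustration; the UID renumbering at the end shows the loss of owner access the text warns about.

```python
"""Privilege resolution for a file in the order the guide describes: owner
UID, primary group ID, group membership mapped from short names to UIDs,
then everyone else. Added example, not Apple's code; accounts are constructed."""
from dataclasses import dataclass

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class FileInfo:
    name: str
    owner_uid: int          # UID stored at creation, not a user name
    group_gid: int
    owner: frozenset        # privileges for the owning UID
    group: frozenset        # privileges for the group
    everyone: frozenset     # privileges for everyone else


# MyDoc as in the illustration: owner 127 read & write, group 2017 read only,
# everyone else none.
MYDOC = FileInfo("MyDoc", 127, 2017, frozenset({READ, WRITE}),
                 frozenset({READ}), frozenset())

# Constructed user accounts: short name -> (UID, primary group ID).
USERS = {
    "dana": (127, 20),     # created MyDoc
    "cy": (503, 2017),     # primary group is the file's group
    "ann": (501, 20),      # reaches the group only through its member list
    "bob": (502, 501),     # neither owner nor member
}
# Constructed group accounts: GID -> (group name, member short names).
# "ghost" has no user account, so it maps to no UID and grants nothing.
GROUPS = {
    20: ("staff", ["ann", "dana"]),
    2017: ("editors", ["cy", "ann", "ghost"]),
}


def privileges(short_name, info, users=USERS, groups=GROUPS):
    """Return (privilege set, rule that granted it) for short_name on info."""
    uid, primary_gid = users[short_name]
    # 1. Ownership is decided by the UID stored with the file.
    if uid == info.owner_uid:
        return info.owner, "owner"
    # 2. Fast path: the user's primary group ID matches the file's group.
    if primary_gid == info.group_gid:
        return info.group, "primary group"
    # 3. Otherwise look up the group account and map each member short name
    #    to a UID; a match on the user's UID grants the group privileges.
    _, members = groups.get(info.group_gid, ("", []))
    member_uids = {users[m][0] for m in members if m in users}
    if uid in member_uids:
        return info.group, "group member"
    # 4. Nothing matched: everyone-else privileges apply.
    return info.everyone, "everyone else"


def with_uid_changed(users, short_name, new_uid):
    """Copy of the user table with one UID renumbered. Files created under the
    old UID keep that UID as owner, so the renumbered user loses owner access."""
    _, primary_gid = users[short_name]
    return {**users, short_name: (new_uid, primary_gid)}
```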
Administrator privileges determine the extent to which the user can view information about or change the settings of a particular Mac OS X Server or a particular directory domain residing on Mac OS X Server.

Server Administration

Server administration privileges control the powers a user has when logged in to a particular Mac OS X Server. For example:
• A user who is a server administrator can use Server Status and can make changes to a server’s search policy using Directory Access.
• A server administrator can see all the AFP directories on the server, not just share points.

When you assign server administration privileges to a user, the user is added to the group named “admin” in the local directory domain of the server. Many Mac OS X applications—such as Server Status, Directory Access, and System Preferences—use the admin group to determine whether a particular user can perform certain activities with the application.

Local Mac OS X Computer Administration

Any user who belongs to the group “admin” in the local directory domain of any Mac OS X computer has administrator rights on that computer.

Directory Domain Administration

When you want certain users to be able to use Workgroup Manager to manage only certain user, group, and computer accounts residing in Apple’s directory domains, you can make them directory domain administrators. For example, you may want to make a network administrator the server administrator for all your classroom servers, but give individual teachers the privileges to manage student accounts in particular directory domains.

Any user who has a user account in a directory domain can be made an administrator of that domain. You can control the extent to which a directory domain administrator can change account data stored in a domain.
For example, you may want to set up directory domain privileges so that your network administrator can add and remove user accounts, but other users can change the information for particular users. Or you may want different users to be able to manage different groups.

When you assign directory domain administration privileges to a user, the user is added to the admin group of the server on which the directory domain resides.

Home Directories

The location of a user’s home directory is stored in the user account. A home directory is a folder where a user’s files and preferences are stored. Other users can see a user’s home directory and read files in its Public folder, but they can’t (by default) access anything else in that directory.

When you create a user in a directory domain on the network, you specify the location of the user’s home directory on the network, and the location is stored in the user account and used by various services, including the login window and Mac OS X managed user services. Here are several examples of activities that use the location of the home directory:
• A user’s home directory is displayed when the user clicks Home in a Finder window or chooses Home from the Finder’s Go menu.
• Home directories that are set up for mounting automatically in a network location, such as /Network/Servers, appear in the Finder on the computer where the user logs in.
• System preferences and managed user settings for Mac OS X users are retrieved from their home directories and used to set up their working environments when they log in.

Mail Settings

You can create a Mac OS X Server mail service account for a user by setting up mail settings in the user’s account. To use the mail account, the user simply configures a mail client using the user name, password, mail service, and mail protocol you specify in the mail settings.
Mail account settings let you enable and disable the user’s access to mail services running on a particular Mac OS X Server. You can also manage such account characteristics as how to handle automatic message arrival notification. Settings for Mac OS X mail service are configured using Server Settings, as Chapter 9, “Mail Service,” describes.

Resource Usage

Disk, print, and mail quotas can be stored in a user account. Mail and disk quotas limit the number of megabytes a user can use for mail or files. Print quotas limit the number of pages a user can print using Mac OS X Server print services. Print quotas also can be used to disable a user’s print service access altogether. User print settings work in conjunction with print server settings, which are explained in “Enforcing Quotas for a Print Queue” on page 322.

User Preferences

Any preferences you define for a Mac OS X user are stored in the user’s account. Preferences you define for Mac OS 8 and 9 users are stored using Macintosh Manager. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for information about user preferences.

How Group Accounts Are Used

A group is simply a collection of users who have similar needs. For example, you can add all English teachers to one group and give the group access privileges to certain files or folders on Mac OS X Server. Groups simplify the administration of shared resources. Instead of granting access to various resources to each individual who needs them, you can simply add the users to a group and grant access to the group.

Information Access Control

Information in group accounts is used to help control user access to directories and files. See “Directory and File Access by Other Users” on page 125 for a description of how this works.

Group Directories

When you define a group, you can also specify a directory for storing files you want group members to share.
The location of the directory is stored in the group account. You can grant administration privileges for a group directory to a user. A group directory administrator has owner privileges for the group directory and can use the Finder to change group directory attributes. Workgroups When you define preferences for a group it is known as a workgroup. A workgroup provides you with a way to manage the working environment of group members. Any preferences you define for a Mac OS X workgroup are stored in the group account. Preferences for Mac OS 8 and 9 workgroups are stored using Macintosh Manager. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for a description of workgroup preferences. Computer Access You can set up computer accounts, which let you restrict access to particular computers by members of specific groups. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for a description of how to set up computer accounts and specify preferences for them. Kinds of Users and Groups Mac OS X Server uses several different kinds of users and groups. Most of these are userdefined—user and group accounts that you create. There are also some pre-defined user and group accounts, which are reserved for use by Mac OS X. Users and Managed Users Depending on how you have your server and your user accounts set up, users can log in using Mac OS 8, 9, and X computers; Windows computers; or UNIX computers—stationary or portable—and be supported by Mac OS X Server in their work. Most users have an individual account, which is used to authenticate them and control their access to services. When you want to personalize a user’s environment, you define user, group, and/or computer preferences for the user. Sometimes the term “managed client” or “managed user” is used for a user who has preferences associated with his account. 
“Managed client” is also used to refer to computer accounts that have preferences defined for them. When a managed user logs in, the preferences that take effect are a combination of his or her user preferences and preferences set up for any workgroup or computer list he or she belongs to. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for managed user information.

Groups, Primary Groups, and Workgroups

As noted earlier, when you define preferences for a group, the group is known as a workgroup. A primary group is the user’s default group. As “Directory and File Access by Other Users” on page 125 describes, primary groups can expedite the checking done by the Mac OS X file system when a user accesses a file.

Administrators

Users with server or directory domain administration privileges are known as administrators. Administrators are always members of the predefined “admin” group.

Guest Users

Sometimes you want to provide services for individuals who are anonymous—that is, they can’t be authenticated because they don’t have a valid user name or password. These users are known as guest users. Some services, such as AFP, let you indicate whether you want to let guest users access files. If you enable guest access, users who connect anonymously are restricted to files and folders with privileges set to Everyone.

Another kind of guest user is a managed user that you can define to allow easy setup of public computers or kiosk computers. See Chapter 10, “Client Management: Mac OS 9 and OS 8,” for more about these kinds of users.

Predefined Accounts

The following table describes the user accounts that are created automatically when you install Mac OS X (unless otherwise indicated).

Predefined user name | Short name | UID | Use
Anonymous FTP User | ftp | 98 | The user name given to anyone using FTP as an anonymous user. This user is created the first time the FTP server is accessed if the FTP server is turned on, if anonymous FTP access is enabled, and if the anonymous-ftp user does not already exist.
Macintosh Manager User | mmuser | -17 | The user created by Macintosh Management Server when it is first started on a particular server. It has no home directory, and its password is changed periodically.
System Administrator | root | 0 | The most powerful user.
System Services | daemon | 1 | A legacy UNIX user.
Sendmail User | smmsp | 25 | The user that sendmail runs as.
Unknown User | unknown | 99 | The user that is used when the system doesn’t know about the hard drive.
Unprivileged User | nobody | -2 | This user was originally created so that system services don’t have to run as System Administrator. Now, however, service-specific users, such as World Wide Web Server, are often used for this purpose.
World Wide Web Server | www | 70 | The nonprivileged user that Apache uses for its processes that handle requests.
MySQL Server | mysql | 74 | The user that the MySQL database server uses for its processes that handle requests.

The following table characterizes the group accounts that are created automatically when you install Mac OS X.

Predefined group name | Group ID | Use
admin | 80 | The group to which users with administrator privileges belong.
bin | 7 | A group that owns all binary files.
daemon | 1 | A group used by system services.
dialer | 68 | A group for controlling access to modems on a server.
guest | 31 |
kmem | 2 | A legacy group used to control access to reading kernel memory.
mail | 6 | The group historically used for access to local UNIX mail.
mysql | 74 | The group that the MySQL database server uses for its processes that handle requests.
network | 69 | This group has no specific meaning.
nobody | -2 | A group used by system services.
nogroup | -1 | A group used by system services.
operator | 5 | This group has no specific meaning.
smmsp | 25 | The group used by sendmail.
staff | 20 | The default group into which UNIX users are traditionally placed.
sys | 3 | This group has no specific meaning.
tty | 4 | A group that owns special files, such as the device file associated with an SSH or telnet user.
unknown | 99 | The group used when the system doesn’t know about the hard drive.
utmp | 45 | The group that controls what can update the system’s list of logged-in users.
uucp | 66 | The group used to control access to UUCP spool files.
wheel | 0 | Another group (in addition to the admin group) to which users with administrator privileges belong.
www | 70 | The nonprivileged group that Apache uses for its processes that handle requests.

Setup Overview

These are the major user and group administration activities:

• Step 1: Before you begin, do some planning.
• Step 2: Set up directory domains in which user and group accounts will reside.
• Step 3: Configure server search policies so servers can find user and group accounts.
• Step 4: Set up share points for home directories.
• Step 5: Set up share points for group directories.
• Step 6: Create users.
• Step 7: Create groups.
• Step 8: Set up client computers.
• Step 9: Review user and group account information as needed.
• Step 10: Update users and groups as needed.
• Step 11: Perform ongoing user and group account maintenance.

Following is a summary of each of these activities. See the pages indicated for detailed information.

Step 1: Before you begin, do some planning

See “Before You Begin” on page 135 for a list of items to think about before you start creating a large number of users and groups.

Step 2: Set up directory domains in which user and group accounts will reside

Make sure you have created any directory domain in which you’ve decided to store user and group accounts. See Chapter 2, “Directory Services,” for instructions on creating shared, or network-visible, domains.

Make sure that any user who will be using Workgroup Manager to add and change users and groups in directory domains has directory domain administration privileges in the domains for which the user is responsible.

You can use Workgroup Manager to add and change user and group accounts that reside in NetInfo or LDAPv3 directory domains. If you will be using LDAPv2, read-only LDAPv3, BSD configuration file, or other read-only directory domains, make sure the domains are configured to support Mac OS X Server access and that they provide the data you need for user and group accounts. It may be necessary to add, modify, or reorganize information in a directory to provide the information in the format needed:

• Chapter 2, “Directory Services,” describes how to configure Mac OS X Server to access remote servers on which these domains reside to retrieve information.
• Appendix A, “Open Directory Data Requirements,” describes the user and group account data formats that Mac OS X expects. When you configure your Mac OS X Server directory services to use directory domains that do not reside on Mac OS X Server, you may need to refer to this appendix to determine the data mapping requirements for particular kinds of directory domains.

Step 3: Configure server search policies so servers can find user and group accounts

Make sure that the search policy of any server which needs to access user and group information to provide services for particular users is configured to do so. Chapter 2, “Directory Services,” tells you how to set up search policies.

Step 4: Set up share points for home directories

Before you assign a home directory to a user, you need to define the share point in which the home directory will reside. You also need to configure the share point to automatically mount on the user’s computer when he or she logs in.
See “Distributing Home Directories Across Multiple Servers” on page 156 through “Setting Up NFS Home Directory Share Points” on page 160 for information about setting up share points.

Step 5: Set up share points for group directories

A group directory is like a home directory for group users. It is a directory for storing documents, applications, and other items you want to share among group members. See “Working With Volume Settings for Groups” on page 170 for information about setting up group directories.

Step 6: Create users

You can use Workgroup Manager to create user accounts in directory domains that reside on Mac OS X Server and in non-Apple LDAPv3 directory domains that have been configured for write access. See these sections for instructions:

• “Creating User Accounts in Directory Domains on Mac OS X Server” on page 137 and “Creating Read-Write LDAPv3 User Accounts” on page 138
• “Shortcuts for Working With Users and Groups” on page 176
• “Using Presets” on page 176
• “Importing and Exporting User and Group Information” on page 178

For working with read-only user accounts, see “Working With Read-Only User Accounts” on page 139. For details about all the settings for a user account, see “Working With Basic Settings for Users” on page 139 through “Working With Managed Users” on page 154. For details about setting up managed users, see Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8.”

When you use managed users, creating users in a network directory domain is optional. All users can be locally defined on client computers.

Step 7: Create groups

You can use Workgroup Manager to create group accounts in directory domains that reside on Mac OS X Server and in non-Apple LDAPv3 directory domains that have been configured for write access. See these sections for instructions:

• “Creating Group Accounts in a Directory Domain on Mac OS X Server” on page 165 and “Creating Read-Write LDAPv3 Group Accounts” on page 166
• “Shortcuts for Working With Users and Groups” on page 176
• “Using Presets” on page 176
• “Importing and Exporting User and Group Information” on page 178

For working with read-only group accounts, see “Working With Read-Only Group Accounts” on page 167. For details about all the settings for a group account, see “Working With Member Settings for Groups” on page 167 through “Working With Group and Computer Preferences” on page 173.

Step 8: Set up client computers

Make sure that the directory services of Mac OS X computers are set up so they can access user accounts at login. See “Supporting Client Computers” on page 202 for details about how to configure Mac OS X computers as well as other client computers so that users can be authenticated and access the services you want them to.

Step 9: Review user and group account information as needed

Workgroup Manager makes it easy for you to review and optionally update information for users and groups. See the sections starting with “Finding User and Group Accounts” on page 173 for details.

Step 10: Update users and groups as needed

As users come and go and the requirements for your servers change, keep user and group records up to date. Information in these sections will be useful:

• “Working With Basic Settings for Users” on page 139 through “Working With Print Settings for Users” on page 151 describe all the user account settings you may need to change.
• “Defining a Guest User” on page 154 through “Disabling a User Account” on page 155 describe common user account maintenance activities.
• “Working With Member Settings for Groups” on page 167 describes the group account settings you may need to change.
• “Adding Users to a Group” on page 168, “Removing Users From a Group” on page 168, and “Deleting a Group Account” on page 173 describe some group maintenance activities.

Step 11: Perform ongoing user and group account maintenance

Information in these sections will help you with your day-to-day account maintenance activities:

• “Monitoring a Password Server” on page 197
• “Solving Problems” on page 202
• “Backing Up and Restoring Files” on page 201

Before You Begin

Before setting up user and group accounts for the first time:

• Identify the directory domains in which you will store user and group account information. If you have an Active Directory or LDAP server already set up, you might be able to take advantage of existing records. See Chapter 2, “Directory Services,” for details about the directory domain options available to you. If you have an earlier version of an Apple server, you might be able to migrate existing records. See Upgrading to Mac OS X Server for available options. Create new directory domains as required to store user records. See Chapter 2, “Directory Services,” for instructions.
  Note: If all the domains have not been finalized when you are ready to start adding accounts, simply add them to any domain that already exists on your server. (You can use the local directory domain—it’s always available.) You can move users and groups to another directory domain later by using your server’s export and import capabilities, described in “Importing and Exporting User and Group Information” on page 178.
• Determine which password verification policy or policies you will use. See “Understanding Password Validation” on page 189 for information about the options.
• Determine which users you want to make managed users. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for planning guidelines.
• Devise a home directory strategy. Determine which users need home directories and identify the computers on which you want user home directories to reside. For performance reasons, avoid using network home directories over network connections slower than 100 Mbps.
  A user’s network home directory does not need to be stored on the same server as the directory domain containing the user’s account. In fact, distributing directory domains and home directories among various servers can help you balance your network workload. “Distributing Home Directories Across Multiple Servers” on page 156 and “Setting Up Home Directories for Users Defined in Existing Directory Servers” on page 157 describe several such scenarios. You may want to store home directories for users with last names from A to F on one computer, G to J on another, and so on. Or you may want to store home directories on a Mac OS X Server but store user and group accounts on an Active Directory or LDAP server.
  Pick a strategy before creating users. You can move home directories, but if you do, you may need to change a large number of user and share point (mount) records.
  Determine the access protocol to use for the home directories. Most of the time you will use AFP, but if you support a large number of UNIX clients with your server, you may want to use NFS for them. “Choosing a Protocol for Home Directories” on page 160 provides some information on this topic.
  Once you have decided how many and which computers you want to use for home directories, plan the domain name or IP address of each computer. Also determine the names and any share points on computers that will be used for home directories.
• Determine the groups and workgroups you will need. Users with similar server requirements should be placed in the same group. Workgroups are useful when you want to set up group preferences. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for guidelines on using workgroups. Determine where you want to store group directories.
• Decide who you want to be able to administer users and groups and make sure they have administrator privileges. “Administration Privileges” on page 125 describes administrator privileges.
  When you use Server Assistant to initially configure your server, you specify a password for the owner/administrator. The password you specify also becomes the root password for your server. Use Workgroup Manager to create an administrator user with a password that is different from the root password. Server administrators do not need root privileges. The root password should be used with extreme caution and stored in a secure location. The root user has full access to the system, including system files. If you need to, you can use Workgroup Manager to change the root password.
• Decide how you want to configure client computers so that the users you want to support can effortlessly log in and work with your server. Chapter 2, “Directory Services,” provides some information about this topic.

Administering User Accounts

This section describes how to administer user accounts stored in various kinds of directory domains.

Where User Accounts Are Stored

User accounts, as well as group accounts and computer accounts, can be stored in any Open Directory domain accessible from the Mac OS X computer that needs to access the account. A directory domain can reside on a Mac OS X computer (for example, a NetInfo or LDAPv3 domain) or it can reside on a non-Apple server (for example, an LDAP or Active Directory server).

You can use Workgroup Manager to work with accounts in all kinds of directory domains, but you can update only NetInfo and LDAPv3 directory domains using Workgroup Manager. See Chapter 2, “Directory Services,” for complete information about the different kinds of Open Directory domains.
Creating User Accounts in Directory Domains on Mac OS X Server

You need administrator privileges for a directory domain to create a new user account in it.

To create a user account:

1. Ensure that the directory services of the Mac OS X Server you are using have been configured to access the domain of interest. See Chapter 2, “Directory Services,” for instructions.
2. In Workgroup Manager, click the Accounts button.
3. Use the At pop-up menu to open the domain in which you want the user’s account to reside.
4. Click the lock to be authenticated as a directory domain administrator.
5. From the Server menu, choose New User.
6. Specify settings for the user in the tabs provided. See “Working With Basic Settings for Users” on page 139 through “Working With Print Settings for Users” on page 151 for details.

You can also use a preset or an import file to create a new user. See “Using Presets” on page 176 and “Importing and Exporting User and Group Information” on page 178 for details.

Creating Read-Write LDAPv3 User Accounts

You can create a user account on a non-Apple LDAPv3 server if it has been configured for write access.

To create an LDAPv3 user account:

1. Ensure that the directory services of the Mac OS X Server you are using have been configured to use the LDAP server for user accounts. See Chapter 2, “Directory Services,” for details about how to use Directory Access to configure an LDAP connection and Appendix A, “Open Directory Data Requirements,” for information about the user account elements that may need to be mapped.
2. In Workgroup Manager, click the Accounts button.
3. Use the At pop-up menu to open the LDAPv3 domain in which you want the user’s account to reside.
4. Click the lock to be authenticated.
5. From the Server menu, choose New User.
6. Specify settings for the user in the tabs provided. See “Working With Basic Settings for Users” on page 139 through “Working With Print Settings for Users” on page 151 for details.

You can also use a preset or an import file to create a new user. See “Using Presets” on page 176 and “Importing and Exporting User and Group Information” on page 178 for details.

Changing User Accounts

You can use Workgroup Manager to change a user account that resides in a Mac OS X or non-Apple LDAPv3 directory domain.

To make changes to a user account:

1. Ensure that the directory services of the Mac OS X Server you are using have been configured to access the directory domain of interest. See Chapter 2, “Directory Services,” for instructions.
2. In Workgroup Manager, click the Accounts button.
3. Use the At pop-up menu to open the domain in which the user’s account resides.
4. Click the lock to be authenticated.
5. Click the User tab to select the user you want to work with.
6. Edit settings for the user in the tabs provided. See “Working With Basic Settings for Users” on page 139 through “Working With Print Settings for Users” on page 151 for details.

Working With Read-Only User Accounts

You can use Workgroup Manager to review information for user accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains, LDAPv3 domains not configured for write access, and BSD configuration files.

To work with a read-only user account:

1. Ensure that the directory services of the Mac OS X Server you are using have been configured to access the directory domain in which the account resides. See Chapter 2, “Directory Services,” for information about using Directory Access to configure server connections and Appendix A, “Open Directory Data Requirements,” for information about the user account elements that need to be mapped.
2. In Workgroup Manager, click the Accounts button.
3. Use the At pop-up menu to open the directory domain in which the user’s account resides.
4. Use the tabs provided to review the user’s account settings. See “Working With Basic Settings for Users” on page 139 through “Working With Print Settings for Users” on page 151 for details.

Working With Basic Settings for Users

Basic settings are a collection of attributes that must be defined for all users. In Workgroup Manager, use the Basic tab in the user account window to work with basic settings.

Defining User Names

The user name is the long name for a user. Sometimes the user name is referred to as the “real” name. Users can log in using the user name or a short name associated with their accounts.

A user name can contain as many as 255 characters (127 double-byte characters). Use only these characters:

• a through z
• A through Z
• 0 through 9
• _ (underscore)
• - (hyphen)
• . (period)
• (space)

For example, Dr. Arnold T. Smith.

You can use Workgroup Manager to edit the user name of an account stored in a directory domain residing on Mac OS X Server or in a non-Apple LDAPv3 directory domain, or to review the user name in any directory domain accessible from the server you are using.

To work with the user name using Workgroup Manager:

1. In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To change the name, click the lock to be authenticated. Select the user in the user list.
2. In the Name field on the Basic tab, review or edit the user name. Initially, the value of the user name is “Untitled .” After changing the name, Workgroup Manager does not check to verify that the user name is unique.

Defining Short Names

A short name is an abbreviated name for a user. Users can log in using the short name or the user name associated with their accounts.

The short name is used by Mac OS X for home directories and groups:

• When Mac OS X automatically creates a user’s home directory, it names the directory after the user’s short name. See “Administering Home Directories” on page 155 for more information about home directories.
• When Mac OS X checks to see whether a user belongs to a group authorized to access a particular file, it uses short names to find UIDs of group members. See “Avoiding Duplicate Short Names” on page 143 for an example.

You can have as many as 16 short names associated with a user account, but the first one in the list must consist of all 7-bit ASCII characters, with no symbols or spaces. The first short name is the name used for home directories and group membership lists.

A short name can contain as many as 255 characters (127 double-byte characters). Use only these characters:

• a through z
• A through Z
• 0 through 9
• _ (underscore)
• - (hyphen)
• . (period)

Typically, short names contain eight or fewer characters.

You can use Workgroup Manager to edit the short name of an account stored in a directory domain on Mac OS X Server or a non-Apple LDAPv3 directory domain, or to review the short name in any directory domain accessible from the server you are using.

To work with a user’s short name using Workgroup Manager:

1. In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To change the short name, click the lock to be authenticated. Select the user in the user list.
2. In the Short Names field on the Basic tab, review or edit the short names. Initially, the value of the short name is “untitled_.” If you specify multiple short names, each should be on its own line. After the user’s account has been saved, you cannot change the first short name, but you can change others in a list of short names.

Choosing Stable Short Names

When you create groups, Mac OS X identifies users in them by their first short name, which can’t be changed.
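The user name and short name rules above, encoded as a validator you can run over an import file before creating accounts; this is an added example, not Apple's code, and the function names are my own.

```python
"""Validator for the user-name and short-name rules stated in this chapter.

Added example (not Apple's code). Workgroup Manager enforces its own checks
when you type names; this is for checking a batch of records up front.
"""
import re

MAX_NAME_CHARS = 255        # the guide's limit (127 double-byte characters)
MAX_SHORT_NAMES = 16        # at most 16 short names per account

# Permitted characters: a-z, A-Z, 0-9, underscore, hyphen and period; the
# long user name may additionally contain spaces.
_USER_NAME_RE = re.compile(r"^[A-Za-z0-9_.\- ]+$")
_SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def validate_user_name(name):
    """Return the problems found with a long user name (empty list if none)."""
    problems = []
    if not 1 <= len(name) <= MAX_NAME_CHARS:
        problems.append(f"user name must be 1 to {MAX_NAME_CHARS} characters")
    elif not _USER_NAME_RE.match(name):
        problems.append("user name may contain only a-z, A-Z, 0-9, _ - . and space")
    return problems


def validate_short_names(short_names):
    """Return the problems found with an account's list of short names."""
    if not short_names:
        return ["at least one short name is required"]
    problems = []
    if len(short_names) > MAX_SHORT_NAMES:
        problems.append(f"no more than {MAX_SHORT_NAMES} short names are allowed")
    for i, sn in enumerate(short_names, 1):
        if not 1 <= len(sn) <= MAX_NAME_CHARS:
            problems.append(f"short name {i} must be 1 to {MAX_NAME_CHARS} characters")
        elif not _SHORT_NAME_RE.match(sn):
            problems.append(f"short name {i} may contain only a-z, A-Z, 0-9, _ - .")
    # The first short name names the home directory and identifies the user
    # in group membership lists, so it must be 7-bit ASCII with no spaces.
    first = short_names[0]
    if not first.isascii() or " " in first:
        problems.append("first short name must be 7-bit ASCII with no spaces")
    return problems


def validate_record(name, short_names):
    """Validate one account as it would appear in an import file."""
    return validate_user_name(name) + validate_short_names(short_names)


if __name__ == "__main__":
    # Constructed sample records: the guide's example name, then a bad one.
    print(validate_record("Dr. Arnold T. Smith", ["asmith", "arnold.smith"]))
    print(validate_record("Arnold/Smith", ["a smith"]))
```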
If a short name change is unavoidable, you can create a new account for the user (in the same directory domain) that contains the new short name but retains all other information (UID, primary group, home directory, and so forth). Then disable login for the old user account. Now the user can log in using the changed name, yet have the same access to files and other network resources as before. (See “Disabling a User Account” on page 155 for information on disabling use of an account for login.)

Avoiding Duplicate Names

If separate user accounts have the same name (user name or short name) and password, a Mac OS X computer may authenticate a user different from the one you want it to authenticate. Or it may mask the user record that should be used for authentication.

Consider an example that consists of three shared directory domains. Tony Smith has an account in the Students domain, and Tom Smith has an account in the root domain. Both accounts contain the short name “tsmith” and the password “smitty.”

When Tony logs in to his computer with a user name “tsmith” and the password “smitty,” he is authenticated using the record in the Students domain. Similarly, Tom can use the same login entries at his computer and be authenticated using his record in the root domain. If Tony and Tom ever logged in to each other’s computers using tsmith and smitty, they would both be authenticated, but not with the desired results. Tony could access Tom’s files, and vice versa.

Now let’s say that Tony and Tom have the same short name, but different passwords. If Tom attempts to log in to Tony’s computer using the short name “tsmith” and his password (smitty), his user record is masked by Tony’s user record in the Students domain. Mac OS X finds “tsmith” in Students, but its password does not match the one Tom used to log in. Tom is denied access to Tony’s computer, and his record in the root domain is never found.

[Figure: the Faculty, Students, and root domains, with Tony’s computer and Tom’s computer]

If Tony has a user record in his local directory domain that has the same names and password as his record in the Students domain, the Students domain’s record for Tony would be masked. Tony’s local domain should offer a name/password combination that distinguishes it from the Students domain’s record. If the Students domain is not accessible (when Tony works at home, for example), he can log in using the local name and continue using his computer. Tony can still access local files created when he logged in using the Students domain if the UID in both records is the same.

Duplicate short names also have undesirable effects in group records, described in the next section.

Avoiding Duplicate Short Names

Since short names are used to find UIDs of group members, duplicate short names can result in file access being granted to users you hadn’t intended to give access.

Return to the example of Tony and Tom Smith, who have duplicate short names. Assume that the administrator has created a group in the root domain to which all students belong. The group—AllStudents—has a GID of 2017. Now suppose that a file, MyDoc, resides on a computer accessible to both Tony and Tom. The file is owned by a user with the UID 127. It has read-only access privileges for AllStudents. Tom is not a member of AllStudents, but the short name in his user record, “tsmith,” is the same as Tony’s, who is in AllStudents.

[Figure: MyDoc privileges: Owner 127 can Read & Write; Group 2017 can Read only; Everyone else: None. Faculty domain, Tony’s computer, Tom’s computer]

When Tom attempts to access MyDoc, Mac OS X searches the login hierarchy for user records with short names that match those associated with AllStudents. Tom’s user record is found because it resides in the login hierarchy, and the UID in the record is compared with Tom’s login UID. They match, so Tom is allowed to read MyDoc, even though he’s not actually a member of AllStudents.

Defining User IDs

A user ID (UID) is a number that uniquely identifies a user. Mac OS X computers use the UID to keep track of a user’s directory and file ownership. When a user creates a directory or file, the UID is stored as the creator ID. A user with that UID has read and write privileges to the directory or file by default.

The UID should be a unique string of digits from 500 through 2,147,483,647. Assigning the same UID to different users is risky, since two users with the same UID have identical directory and file access privileges. The UID 0 is reserved for the root user. UIDs below 100 are reserved for system use; users with these UIDs can’t be deleted and shouldn’t be modified except to change the password of the root user.

You can use Workgroup Manager to edit the UID of an account stored in a NetInfo or LDAPv3 directory domain or to review the UID in any directory domain accessible from the server you are using.

To work with the UID using Workgroup Manager:

1. In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To change the UID, click the lock to be authenticated. Select the user in the user list.
2. If you specify a value in the User ID field on the Basic tab, make sure it will be unique in the search policy of computers the user will log in to.

When creating new user accounts in any shared directory domain, UIDs are automatically assigned; the value assigned is an unused UID (1025 or greater) in the server’s search path. (New users created using the Accounts Preferences pane on Mac OS X Desktop computers are assigned UIDs starting at 501.)

Once UIDs have been assigned and users start creating files and directories throughout a network, you shouldn’t change UIDs.
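A model of the lookups the Tony/Tom example relies on, together with an audit that flags the conditions behind it; this is an added example, not Apple's code. The domain names, AllStudents (GID 2017) and MyDoc (owner 127, group read-only) follow the guide; the UIDs, passwords, the Faculty user and the function names are constructed.

```python
"""Search-policy authentication, the short-name based group check, and an
audit for duplicate short names, duplicate UIDs and reserved UIDs.

Added example (not Apple's code); sample domains are constructed to mirror
the guide's Tony/Tom scenario.
"""
from dataclasses import dataclass, field

RESERVED_UID_MAX = 99                       # UIDs below 100 are reserved for system use
USER_UID_MIN, USER_UID_MAX = 500, 2_147_483_647


@dataclass
class User:
    name: str              # long user name
    short_names: list      # the first entry is used in group membership lists
    uid: int
    password: str          # held in clear only because this is a model


@dataclass
class Group:
    name: str
    gid: int
    members: list          # member short names, as the group record stores them


@dataclass
class Domain:
    name: str
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)


def authenticate(search_policy, login_name, password):
    """Return the User a login resolves to, or None.

    Only the first record in search-policy order whose user name or short
    name matches is considered: a password mismatch there denies the login,
    and an identically named record further down the policy is masked.
    """
    for domain in search_policy:
        for user in domain.users:
            if login_name == user.name or login_name in user.short_names:
                return user if user.password == password else None
    return None


def group_grants(search_policy, gid, login_uid):
    """The group check as the guide describes it: every user record in the
    login hierarchy whose first short name is a member of the group has its
    UID compared with the login UID, so a duplicate short name matches."""
    members = [m for d in search_policy for g in d.groups if g.gid == gid for m in g.members]
    for domain in search_policy:
        for user in domain.users:
            if user.short_names and user.short_names[0] in members and user.uid == login_uid:
                return True
    return False


def can_read(owner_uid, group_gid, search_policy, login_uid):
    """MyDoc privileges: owner read & write, group read only, everyone else none."""
    return login_uid == owner_uid or group_grants(search_policy, group_gid, login_uid)


def audit(domains):
    """Flag duplicate short names, duplicate UIDs and out-of-range UIDs across
    all the domains an administrator controls."""
    findings, by_short, by_uid = [], {}, {}
    for d in domains:
        for u in d.users:
            for sn in u.short_names:
                by_short.setdefault(sn, []).append(f"{d.name}/{u.name}")
            by_uid.setdefault(u.uid, []).append(f"{d.name}/{u.name}")
            if not USER_UID_MIN <= u.uid <= USER_UID_MAX:
                note = " (reserved for system use)" if u.uid <= RESERVED_UID_MAX else ""
                findings.append(f"UID {u.uid} of {d.name}/{u.name} is outside "
                                f"{USER_UID_MIN}-{USER_UID_MAX}{note}")
    findings += [f"duplicate short name {sn}: {', '.join(who)}"
                 for sn, who in by_short.items() if len(who) > 1]
    findings += [f"duplicate UID {uid}: {', '.join(who)}"
                 for uid, who in by_uid.items() if len(who) > 1]
    return findings


# Constructed sample domains mirroring the guide's scenario.
TONY = User("Tony Smith", ["tsmith"], 1270, "smitty")
TOM = User("Tom Smith", ["tsmith"], 1301, "smitty")
PAT = User("Pat Jones", ["pjones"], 1270, "pj-pass")       # constructed UID clash
ROOT = Domain("root", [TOM], [Group("AllStudents", 2017, ["tsmith"])])
STUDENTS = Domain("Students", [TONY])
FACULTY = Domain("Faculty", [PAT])
TONYS_COMPUTER = [STUDENTS, ROOT]    # Tony's login hierarchy
TOMS_COMPUTER = [FACULTY, ROOT]      # Tom's login hierarchy
MYDOC = (127, 2017)                  # owner UID, group GID

if __name__ == "__main__":
    print(authenticate(TONYS_COMPUTER, "tsmith", "smitty").name)   # Tony, whoever typed it
    print(can_read(*MYDOC, TOMS_COMPUTER, TOM.uid))                 # True, though Tom is no member
    for finding in audit([FACULTY, STUDENTS, ROOT]):
        print(finding)
```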
One possible scenario in which you may need to change a UID is when merging users created on different servers into one new server or cluster of servers. The same UID may have been associated with a different user on the previous server.

Defining Passwords

See “Understanding Password Validation” on page 189 for details about setting up and managing passwords.

Assigning Administrator Rights for a Server

A user who has server administration privileges can control most of the server’s configuration settings and use applications, such as Server Status, that require a user to be a member of the server’s admin group.

You can use Workgroup Manager to assign server administrator privileges to an account stored in a NetInfo or LDAPv3 directory domain or to review the server administrator privileges in any directory domain accessible from the server you are using.

To work with server administrator privileges in Workgroup Manager:
1 To edit server administrator privileges, log in to Workgroup Manager by specifying the name or IP address of the server for which you want to grant administrator privileges.
2 Click the Account button.
3 Use the At pop-up menu to open the directory domain in which the user’s account resides.
4 To change the privileges, click the lock to be authenticated.
5 In the Basic tab, select the “User can administer the server” option to grant server administrator privileges.

Assigning Administrator Rights for a Directory Domain

A user who has administration privileges for an Apple directory domain is able to make changes to user, group, and computer accounts stored in that domain using Workgroup Manager. The changes the user can make are limited to those you specify.

You can use Workgroup Manager to assign directory domain administrator privileges for an account stored in a NetInfo or LDAPv3 directory domain or to review these privileges in any directory domain accessible from the server you are using.
To work with directory domain administrator privileges in Workgroup Manager:
1 To assign directory domain privileges, ensure the user has an account in the directory domain.
2 In Workgroup Manager, click the Account button.
3 Use the At pop-up menu to open the directory domain in which the user’s account resides.
4 To edit privileges, click the lock to be authenticated.
5 In the Basic tab, select the “User can administer this directory domain” option to grant privileges.
6 Click Privileges to specify what the user should be able to administer in the domain. By default, the user has no directory domain privileges.
7 To work with privileges to change user, group, or computer accounts, click the Users, Groups, or Computers tab, respectively.
8 Select a checkbox to indicate whether you want the user to be able to change account and/or preference settings. If a box is not checked, the user can view the account or preference information in Workgroup Manager, but not change it.
9 Select “For all ...” to allow the user to change information for all users, groups, or computers in the directory domain. Select “For ... listed below” to limit the items a user can change to the list on the right. To add an item to the list, double-click the item in the “Available” list. To remove an item from the list, double-click it.
10 To give the user the ability to add and delete users, groups, or computer accounts, check the “Edit ... accounts” box and select “For all ...”.

Working With Advanced Settings for Users

Advanced settings include login settings, password validation policy, and a comment. In Workgroup Manager, use the Advanced tab in the user account window to work with advanced settings.

Defining Login Settings

By specifying user login settings, you can
• Control whether the user can be authenticated using the account.
• Allow a managed user to simultaneously log in to more than one managed computer at a time or prevent the user from doing so.
• Indicate whether a user of a managed computer can or must select a workgroup during login or whether you want to avoid showing workgroups when the user logs in.
• Identify the default shell the user will use for command-line interactions with Mac OS X, such as /bin/csh or /bin/tcsh. The default shell is used by the Terminal application on the computer the user is logged in to, but Terminal has a preference that lets you override the default shell. The default shell is used by SSH (Secure Shell) or Telnet when the user logs in to a remote Mac OS X computer.

You can use Workgroup Manager to define login settings of an account stored in a NetInfo or LDAPv3 directory domain or to review login settings in any directory domain accessible from the server you are using.

To work with login settings using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit settings, click the lock to be authenticated. Select the user in the user list.
2 Click the Advanced tab.
3 Select “Allow simultaneous login” to let a user log in to more than one managed computer at a time.
4 The During Login pop-up menu lets you choose a workgroup option if the user is using a managed computer. Choose an option if appropriate.
5 Choose a shell from the Login Shell pop-up menu to specify the default shell for the user when logging in to a Mac OS X computer. Click Custom if you want to enter a shell that does not appear on the list. To make sure a user cannot access the server remotely using a command line, use the option None.

Defining a Password Validation Strategy

For details about setting up and managing passwords, see “Understanding Password Validation” on page 189.
Editing Comments

You can save a comment in a user’s account to provide whatever documentation might help with administering the user. A comment can be as long as 32,676 characters.

You can use Workgroup Manager to define the comment of an account stored in a NetInfo or LDAPv3 directory domain or to review the comment in any directory domain accessible from the server you are using.

To work with a comment using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit a comment, click the lock to be authenticated. Select the user in the user list.
2 Click the Advanced tab.
3 Edit or review the contents of the Comment field.

Working With Group Settings for Users

Group settings identify the groups a user is a member of. In Workgroup Manager, use the Groups tab in the user account window to work with group settings. See “Administering Group Accounts” on page 165 for information on administering groups.

Defining a User’s Primary Group

A primary group is the group to which a user belongs by default. The ID of the primary group is used by the file system when the user accesses a file he or she does not own. The file system checks the file’s group privileges, and if the primary group ID of the user matches the ID of the group associated with the file, the user inherits group access privileges. The primary group offers the fastest way to determine whether a user has group privileges for a file.

The primary group ID should be a unique string of digits. By default, it is 20 (which identifies the group named “staff”), but you can change it. The maximum value is 2,147,483,647.
You can use Workgroup Manager to define the primary group ID of an account stored in a NetInfo or LDAPv3 directory domain or to review the primary group information in any directory domain accessible from the server you are using.

To work with a primary group ID using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit the primary group, click the lock to be authenticated. Select the user in the user list.
2 Click the Groups tab.
3 Edit or review the contents of the Primary Group ID field. The value must be associated with a group that already exists and that is accessible in the search path of computers using the user account. Workgroup Manager displays the full and short names of the group after you enter a primary group ID.

Adding a User to Groups

Add a user to a group when you want multiple users to have the same file access privileges or when you want to manage their Mac OS X preferences using workgroups or computer lists.

You can use Workgroup Manager to add a user to a group if the user and group accounts are in a NetInfo or LDAPv3 directory domain.

To add a user to a group using Workgroup Manager:
1 In Workgroup Manager, open the user account you want to work with if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Groups tab.
3 Click Add to open a drawer listing the groups defined in the directory domain you are working with. (To include system groups in the list, choose Preferences on the Workgroup Manager menu, then select “Show system users and groups.”)
4 Select the group, then drag it into the Other Groups list on the Groups tab.
Removing a User From a Group

You can use Workgroup Manager to remove a user from a group if the user and group accounts reside in a NetInfo or LDAPv3 directory domain.

To remove a user from a group using Workgroup Manager:
1 In Workgroup Manager, open the user account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Groups tab.
3 Select the group or groups from which you want to remove the user, then click Remove.

Reviewing a User’s Group Memberships

You can use Workgroup Manager to review the groups a user belongs to if the user account resides in a directory domain accessible from the server you are using.

To review group memberships using Workgroup Manager:
1 In Workgroup Manager, open the user account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Select the user in the user list.
2 Click the Groups tab. The primary group to which the user belongs is displayed, and other groups the user belongs to are listed in the Other Groups list.

Working With Home Settings for Users

Home settings describe a user’s home directory attributes. See “Administering Home Directories” on page 155 for information about using and setting up home directories.

Working With Mail Settings for Users

You can create a Mac OS X Server mail service account for a user by specifying mail settings for the user in the user’s account. To use the account, the user simply configures a mail client to identify the user name, password, mail service, and mail protocol you specify in the mail settings.

In Workgroup Manager, use the Mail tab in the user account window to work with a user’s mail service settings.
See Chapter 9, “Mail Service,” for information about how to set up and manage Mac OS X Server mail service.

Disabling a User’s Mail Service

You can use Workgroup Manager to disable mail service for a user whose account is stored in a NetInfo or LDAPv3 directory domain.

To disable a user’s mail service using Workgroup Manager:
1 In Workgroup Manager, open the user account you want to work with if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Mail tab.
3 Select None.

Enabling Mail Service Account Options

You can use Workgroup Manager to enable mail service and set mail options for a user account stored in a NetInfo or LDAPv3 directory domain or to review the mail settings of accounts stored in any directory domain accessible from the server you are using.

To work with a user’s mail account options using Workgroup Manager:
1 In Workgroup Manager, open the user account you want to work with if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Mail tab.
3 Selecting the Enabled button enables the user to use mail service.
4 The Mail Server field contains the DNS name or IP address of the server to which the user’s mail should be routed. When you enter a value, Workgroup Manager does not check to ensure it is valid.
5 The Mail Quota field specifies the maximum number of megabytes for the user’s mailbox. A 0 or null value means no quota is used. When the user’s message space approaches or surpasses the mail quota you specify, mail service displays a message prompting the user to delete unwanted messages to free up space.
6 The Mail Access selection identifies the protocol used for the user’s mail account: Post Office Protocol (POP) and/or Internet Message Access Protocol (IMAP).
7 The Options setting determines inbox characteristics for mail accounts that access email using both POP and IMAP. “Use separate inboxes for POP and IMAP” creates an inbox for POP mail and a separate inbox for IMAP mail. “Show POP Mailbox in IMAP folder list” shows an IMAP folder named POP Inbox.
8 “Enable NotifyMail” lets you automatically notify the user’s mail application when new mail arrives. The IP address to which the notification is sent can be either the last IP address from which the user logged in or an address you specify.

Forwarding a User’s Mail

You can use Workgroup Manager to set up email forwarding for a user whose account is stored in a NetInfo or LDAPv3 directory domain.

To forward a user’s mail using Workgroup Manager:
1 In Workgroup Manager, open the user account you want to work with if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Mail tab.
3 Select Forward and enter the forwarding email address in the Forward To field. The existence of the address is not verified by Workgroup Manager.

Working With Print Settings for Users

Print settings associated with a user’s account define the ability of a user to print to accessible Mac OS X Server print queues for which print service enforces print quotas. “Enforcing Quotas for a Print Queue” on page 322 tells you how to set up quota-enforcing print queues.

In Workgroup Manager, use the Print tab in the user account window to work with a user’s print quotas:
• Select None (the default) to disable a user’s access to print queues enforcing print quotas.
• Select All Queues to let a user print to all accessible print queues that enforce quotas.
• Select Per Queue to let a user print to specific print queues that support quotas.

Disabling a User’s Access to Print Queues Enforcing Quotas

You can use Workgroup Manager to prevent a user from printing to any accessible Mac OS X print queue that enforces quotas. To use Workgroup Manager, the user’s account must be stored in a NetInfo or LDAPv3 directory domain.

To disable a user’s access to print queues enforcing quotas:
1 In Workgroup Manager, open the user account you want to work with if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Print tab.
3 Select None.

Enabling a User’s Access to Print Queues Enforcing Quotas

You can use Workgroup Manager to allow a user to print to all or only some accessible Mac OS X print queues that enforce quotas. To use Workgroup Manager, the user’s account must be stored in a NetInfo or LDAPv3 directory domain.

To set a user’s print quota for print queues enforcing quotas:
1 In Workgroup Manager, open the user account you want to work with if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Print tab. To set up a quota that applies to all queues, go to step 3. Alternatively, to set up quotas for specific print queues, go to step 4.
3 Click “All Queues,” then specify the maximum number of pages the user should be able to print in a certain number of days for any print queue enforcing quotas.
4 Click “Per Queue,” then use the Queue Name pop-up menu to select the print queue for which you want to define a user quota.
If the print queue you want to specify is not on the Queue Name pop-up menu, click Add to enter the queue name and specify, in the Print Server field, the IP address or DNS name of the server where the queue is defined. To give the user unlimited printing rights to the queue, click “Unlimited printing.” Otherwise, specify the maximum number of pages the user should be able to print in a certain number of days. Then click Save.

Deleting a User’s Print Quota for a Specific Queue

To delete a user’s print quota using Workgroup Manager:
1 In Workgroup Manager, open the user account you want to work with if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Print tab.
3 Use the Queue Name pop-up menu and the Print Server field to identify the print queue to which you want to disable a user’s access.
4 Click Delete.

Restarting a User’s Print Quota

To restart a user’s print quota using Workgroup Manager:
1 In Workgroup Manager, open the user account you want to work with if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Print tab.
3 If the user is set up for printing to all print queues supporting quotas, click Restart Print Quota. If the user’s print quotas are print queue–specific, use the Queue Name pop-up menu and the Print Server field to identify a print queue, then click Restart Print Quota.

Working With Managed Users

See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for information about how you can make a user a managed user, which lets you set up preferences for the user.
Defining a Guest User

You can set up some services to support users who are anonymous, that is, they can’t be authenticated because they do not have a valid user name or password. The following services can be set up this way:
• Windows services (see “Windows Services” on page 235 for information about configuring guest access)
• Apple file service (see “Apple File Service” on page 224 for information about configuring guest access)
• FTP service (see “File Transfer Protocol (FTP) Service” on page 244 for information about configuring guest access)
• Web service (see Chapter 8, “Web Service,” for information about configuring guest access)

Users who connect to a server anonymously are restricted to files, folders, and Web sites with privileges set to Everyone.

Another kind of guest user is a managed user that you can define to allow easy setup of public computers or kiosk computers. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for more about these kinds of users.

Deleting a User Account

You can use Workgroup Manager to delete a user account stored in a NetInfo or LDAPv3 directory domain.

To delete a user account using Workgroup Manager:
1 In Workgroup Manager, open the user account you want to delete if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Choose Delete Selected User from the Server menu.

Disabling a User Account

To disable a user account, you can
• delete the account (see “Deleting a User Account” on page 154)
• change the user’s password to an unknown value (see “Defining Passwords” on page 145)

Administering Home Directories

A home directory is a folder for a user’s personal use.
Mac OS X also uses the home directory, for example, for storing system preferences and managed user settings for Mac OS X users.

A user’s home directory does not need to be stored on the same server as the directory domain containing the user’s account. In fact, distributing directory domains and home directories among various servers can help you balance your workload among several servers. “Distributing Home Directories Across Multiple Servers” on page 156 and “Setting Up Home Directories for Users Defined in Existing Directory Servers” on page 157 describe several such scenarios.

After deciding where you want home directories to reside, you need to set up share points for them and configure the share points to automount. You may also need to create home directory folders. See “Setting Up AFP Home Directory Share Points” on page 160 and “Creating Home Directory Folders” on page 161 for details.

To assign a home directory to a user, follow the instructions in “Defining a User’s Home Directory” on page 161 through “Using Import Files to Create AFP Home Directories” on page 165.

Distributing Home Directories Across Multiple Servers

The following illustration depicts using one Mac OS X Server for storing user accounts and two other Mac OS X Servers for storing AFP home directories. When a user logs in, he or she is authenticated using an account stored on the accounts server. The location of the user’s home directory, stored in his account, is used to mount his or her home directory, which resides physically on one of the home directory servers.

Here are the steps you could use to set up this scenario for AFP home directories:
1 Set up the directory services of the client computers so their search policy includes the server where the user accounts are stored. See Chapter 2, “Directory Services,” for instructions.
2 On each home directory server, create the folder that will serve as the share point for the home directories.
Set up automounting for each share point. Doing so ensures that a user can automatically see his home directory after logging in because it is mounted on his computer. See “Setting Up AFP Home Directory Share Points” on page 160 for more information about setting up AFP share points for home directories. When you set up automounting, Mac OS X Server creates a mount record for the share point in the directory domain you designate. The mount record that describes home directory share points can reside in the same directory domain as the user account or in a directory domain in the search path used to find related user records.
3 Set up the user accounts on the account server so that the home directory share point is one of the two you created in step 1. See “Defining a Network Home Directory” on page 163. Because the home directories are accessed using AFP, the first time a user logs in his or her home directory is created automatically on the appropriate server and is visible on the user’s computer.

[Figure: three Mac OS X Servers: one holding the user accounts, one holding home directories A thru M, and one holding home directories N thru Z]

Setting Up Home Directories for Users Defined in Existing Directory Servers

When you integrate Mac OS X Server into an environment that uses an existing directory server for storing user information, you can take advantage of that information for authenticating users, but use one or more Mac OS X Servers to store home directories for users.

The following picture illustrates this scenario. A user has access to his home directory on Mac OS X Server after logging in to a Mac OS X computer and being authenticated using Active Directory information.
The numbers in this figure illustrate the sequence of interactions that occur between the time a user logs in to the Mac OS X client computer and can choose Home from the Go menu to access his home directory:

[Figure: a Windows 2000 server hosting Active Directory, a Mac OS X client computer, and a Mac OS X Server hosting home directories, with the interactions numbered 1 through 4]

1 Retrieving user information. When the user logs in, the Mac OS X computer retrieves the user’s account from Active Directory and authenticates the user. Home directory information in the user’s record indicates that the home directory resides on the network, so a mount record for the home directory is retrieved from Active Directory. The mount record identifies the home directory share point and its access protocol—AFP in this case. In this example, the user and mount records reside in the search bases indicated in Active Directory on the Windows 2000 Server. A search base is like a directory you use to access particular kinds of records.
2 Requesting authorization to mount the home directory. The Mac OS X client computer then sends the user’s information to the Mac OS X Server hosting the home directory to request authorization to mount the home directory. The home directories, named using the user short names, reside under the share point named “Homes” on Mac OS X Server.

[Figure: the Windows 2000 server hosting Active Directory (10.43.12.172, supergirl.corp.apple.com) holds the Users search base cn=Users,dc=supergirl,dc=corp,dc=apple,dc=com and the Mounts search base ou=mounts,dc=supergirl,dc=corp,dc=apple,dc=com; the Mac OS X client computer logs in as user jdm; the Mac OS X Server hosting home directories (10.43.12.40, bigmac.corp.apple.com) holds /Homes/jdm]

3 Setting up home directory access. Next, the server retrieves the user’s Active Directory record and authenticates the user. The server uses the UID and group ID in the record to set up file access permissions for the user.
4 Accessing the home directory.
The home directory is now mounted and visible on the user’s computer in the Mac OS X Finder under /Network/Servers/bigmac/Homes, and login is complete.

Here are the steps you would use to set up this scenario:
1 Set up the Windows server to make sure Active Directory contains the necessary user account and mount data.
2 Set up directory service mappings for Mac OS X computers, both clients and server, so they can access the Active Directory data. See Chapter 2, “Directory Services,” for information about using the Active Directory mapping template, and add the Windows server to the Mac OS X computer’s search policies.
3 Set up share points on Mac OS X Server. Because the home directories are accessed using AFP, the first time a user logs in his home directory is created automatically and is visible on the user’s computer.

[Figure: the home directory /Homes/jdm on the Mac OS X Server hosting home directories appears on the Mac OS X client computer as /Network/Servers/bigmac/Homes/jdm; the Windows 2000 server hosting Active Directory supplies the Users and mount records]

Choosing a Protocol for Home Directories

You can set up home directories so they can be accessed using either AFP or NFS. The preferred protocol is AFP, because it provides authentication-level access security; a user has to log in with a valid name and password to access files. AFP also simplifies the setup of home directories; home directories are automatically created the first time a user logs in.

Use NFS only if you need to provide home directories for a large number of users who use UNIX workstations. NFS file access is based not on user authentication, but on client IP address, so it is generally less secure than AFP. In addition, NFS home directories need to be created manually.

See the next two sections for information about using AFP and NFS protocols for home directories.
Setting Up AFP Home Directory Share Points

Before setting up an AFP home directory for a user, define an automountable share point in which the home directory will reside. Setting up a home directory in an automountable share point makes the home directory available in /Network/Servers and lets other users access the home directory using the ~username shortcut.

Because of the way home directory disk quotas work, you may want to set up home directory share points on a partition different from other share points. See “Setting Disk Quotas” on page 164 for more information.

To define an AFP share point for home directories:
1 Create a folder on the server where you want the home directories to reside, and share the folder using AFP. See Chapter 4, “Sharing,” for complete instructions on how to accomplish this and the remaining steps.
2 Enable guest access to the share point so users can access other users’ public folders without authenticating. Also, ensure that the share point owner has Read & Write privileges and that Group and Everyone have Read privileges.
3 Configure a mount record for the share point. To do so, set up the share point to automount, using AFP, in a directory domain in the search path of Mac OS X computers that need to use it.

Setting Up NFS Home Directory Share Points

Before setting up an NFS home directory for users, define the share point in which the home directories will reside. Because NFS offers less access security than AFP, define one NFS share point for use by all UNIX users who need home directories.

Because of the way home directory disk quotas work, you may want to set up home directory share points on a partition different from other share points. See “Setting Disk Quotas” on page 164 for more information.

To define an NFS share point for home directories:
1 Create a folder on the server where you want the home directories to reside, and share the folder using NFS.
See Chapter 4, “Sharing,” for complete instructions on setting up NFS share points.
2 Export the share point, use the pop-up menu to select the clients to whom you want to export the share point, and map the “root” user to “nobody.”
3 Configure a mount record for the share point. To do so, set up the share point so it is automounted, using NFS, in a directory domain in the search path of Mac OS X computers that need to use it.
4 In the share point folder, manually create the home directory folder and all its subfolders for each user.

UNIX users are accustomed to using SSH to obtain command-line access to a server. With this kind of access, the user’s home directory isn’t mounted, and the user has only guest access to it.

Creating Home Directory Folders

AFP home directories and their subfolders are created automatically when users first log in. NFS home directories must be created manually within the folder that serves as the NFS share point.

Defining a User’s Home Directory

In Workgroup Manager, use the Home tab in the user account window to work with home directory settings for a user.
• Select Local to define a home directory on the server you are using for a user defined in a local directory domain on that server.
• Select Network to set up a home directory for users defined in shared directory domains. The home directory resides immediately under a share point you select from a list of automountable share points in directory domains of the server’s search path.
• Select the Advanced option to set up a home directory that has characteristics not available using the Local or Network options. For example, the Advanced option lets you set up a network home directory that is not immediately below the share point.

The next four sections describe how to use the user account Home tab. You can also use an import file to set up home directories.
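The NFS share point procedure above asks for two settings that decide how exposed an NFS home directory export is: the root user mapped to nobody, and the export limited to the clients that need it. The following added Python audit (not code from the guide or from Mac OS X Server) checks export lines for both. It assumes BSD-style export syntax (`-maproot=nobody`, `-network`/`-mask`, or a host list after the path); whether the page’s server version keeps its exports in that exact form is an assumption, and the sample lines are constructed for the example.

```python
"""Added example: audit BSD-style NFS export lines for root mapping and client
restriction.  Syntax and sample data are assumptions, not from the guide."""

import shlex

# Constructed sample export lines: one correct, one without a root mapping,
# and one exported to every host on the network.
SAMPLE_EXPORTS = """\
# home directories for UNIX workstations
/Homes -maproot=nobody -network 10.43.12.0 -mask 255.255.255.0
/Projects -alldirs unixbox1.example.com unixbox2.example.com
/Scratch -maproot=nobody
"""


def parse_export(line):
    """Return (path, options, hosts) for one export line.
    Options are the '-flag' or '-flag=value' tokens; '-network' and '-mask'
    take their value as the next token; everything else is a client host."""
    tokens = shlex.split(line)
    path, opts, hosts = tokens[0], {}, []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-network", "-mask"):
            opts[tok.lstrip("-")] = tokens[i + 1]
            i += 2
        elif tok.startswith("-"):
            key, _, val = tok.lstrip("-").partition("=")
            opts[key] = val or True
            i += 1
        else:
            hosts.append(tok)
            i += 1
    return path, opts, hosts


def audit_exports(text):
    """Map each exported path to its list of findings (empty list means it
    follows both recommendations).  Comment and blank lines are skipped."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, opts, hosts = parse_export(line)
        problems = []
        maproot = opts.get("maproot")
        if maproot in (None, True):
            problems.append("root is not mapped: add -maproot=nobody")
        elif maproot not in ("nobody", "-2"):       # -2 is nobody's UID on Mac OS X
            problems.append(f"root is mapped to {maproot!r}, not nobody")
        if not hosts and "network" not in opts:
            problems.append("no client restriction: export is reachable from any host")
        findings[path] = problems
    return findings


if __name__ == "__main__":
    for path, problems in audit_exports(SAMPLE_EXPORTS).items():
        print(path, "OK" if not problems else "; ".join(problems))
```

On the constructed lines the audit passes /Homes, flags /Projects for the missing root mapping, and flags /Scratch because nothing limits which clients can mount it; since NFS trusts the client IP address rather than a login, an unrestricted export hands the home directories to any host that can reach the server.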
See “Using Import Files to Create AFP Home Directories” on page 165 for details.

Defining No Home Directory

You can use Workgroup Manager to avoid creating a home directory for a user whose account is stored in a NetInfo or LDAPv3 directory domain. By default, new users have no home directory.

To define no home directory:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the local directory domain. To edit the home directory information, click the lock to be authenticated, then select the user in the user list.
2 Click the Home tab.
3 Select No Home.

Defining a Home Directory for Local Users

You can use Workgroup Manager to define a home directory for a user whose account is stored in the local directory domain on the server you are logged in to. Local user accounts are visible only on the server itself, not over the network. Local user accounts on Mac OS X Server are most useful for standalone servers (servers not accessible from a network) and server administrator accounts.

To create a home directory for a local user account:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the local directory domain. To edit the home directory information, click the lock to be authenticated, then select the user in the user list.
2 Click the Home tab.
3 Select Local, then choose the share point from the Share Point pop-up menu in which you want the home directory to reside. By default, /Users is assumed, but you can select any other share point that has been defined in the local directory domain. The share point does not have to be configured for automounting.
If the home directory share point is an AFP share point, the home directory is created automatically when the user logs in if it does not already exist; the name of the home directory created is the same as the user’s short name (the user’s first short name if there are multiple short names). If it is an NFS share point, you must create the home directory and its subfolders manually.

Defining a Network Home Directory

In Workgroup Manager, you can set up a home directory for users defined in shared directory domains. The home directory resides immediately under an automountable share point.

You can use Workgroup Manager to define a network home directory for a user whose account is stored in a NetInfo or LDAPv3 directory domain or to review home directory information in any directory domain accessible from the server you are using.

To create a network home directory using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit the home directory information, click the lock to be authenticated, then select the user in the user list.
2 Click the Home tab, then select Network.
3 Select a share point from the list, which displays all the network-visible share points in the search path of the server you are using.

If the home directory share point you select is an AFP share point, the home directory is created automatically when the user logs in if it does not already exist; the home directory is named after the user’s short name (the first short name if the user has multiple short names). If it is an NFS share point, you must create the home directory and its subfolders manually.

Defining an Advanced Home Directory

In Workgroup Manager, you can customize a user’s home directory settings using the Advanced home directory option.
You’ll want to customize home directory settings when
• You want the user’s home directory to reside in directories not immediately below the home directory share point. For example, you may want to organize home directories into several subdirectories within a share point. If Homes is the home directory share point, you may want to place teachers’ home directories in Homes/Teachers and student home directories in Homes/Students.
• You want to specify a home directory name different from the user’s short name.

You can use Workgroup Manager to define an advanced home directory for a user whose account is stored in a NetInfo or LDAPv3 directory domain or to review home directory information in any directory domain accessible from the server you are using.

To create an advanced home directory using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit the home directory information, click the lock to be authenticated, then select the user in the user list.
2 Click the Home tab, then select Advanced.
3 In the Server/Share Point URL field, enter the full URL to an existing share point. For example, enter “AFP://server.example.com/Homes”. Make sure that the share point has been set up as an automount.
4 In the Path field, enter the path from the share point to the home directory if there is one. Any directories you enter must exist. For example, if the share point is Homes, you might enter Teachers/SecondGrade.
5 In the Home field, enter the full path to the home directory. For example, /Network/Servers/server.example.com/Homes/Teachers/SecondGrade/Smith.
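The three Advanced fields have to agree with one another: the Home value is the automount location of the share point (/Network/Servers/server/share) followed by the Path and the home directory name. The following Python is an added example, not code from the guide or from Workgroup Manager; it composes the Home value from the other two fields and flags records where they disagree, which is useful when records are prepared outside the Home tab. The function names and the check itself are assumptions made for this illustration.

```python
"""Cross-check the Advanced home directory fields of a user record.

Added example, not code from the Mac OS X Server guide or from Workgroup
Manager.  Models the Server/Share Point URL, Path and Home fields and
derives the Home value the guide's example shows.  Function names are
assumptions; the /Network/Servers/<host>/<share> layout is the guide's.
"""
from urllib.parse import urlsplit

# Automounted share points appear under this path on Mac OS X clients.
MOUNT_ROOT = "/Network/Servers"
# Share point protocols the Home tab's Advanced option refers to.
SHARE_SCHEMES = ("afp", "nfs", "smb")


def parse_share_url(url):
    """Split "AFP://server.example.com/Homes" into (scheme, host, share).

    The URL must name the share point itself; subfolders belong in Path.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    share = parts.path.strip("/")
    if scheme not in SHARE_SCHEMES:
        raise ValueError(f"unsupported share point protocol: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError(f"share point URL has no server name: {url!r}")
    if not share or "/" in share:
        raise ValueError(f"URL must name exactly one share point: {url!r}")
    return scheme, parts.hostname, share


def split_path(path):
    """Return the Path field as a list of directory names, or raise.

    Path is relative to the share point; empty means the home directory
    sits immediately below the share point.  "." and ".." are rejected
    so the composed Home cannot escape the share point.
    """
    if path == "":
        return []
    segments = path.strip("/").split("/")
    for seg in segments:
        if seg in ("", ".", ".."):
            raise ValueError(f"Path must be a plain relative path: {path!r}")
    return segments


def expected_home(share_url, path, home_name):
    """Compose the Home field from the URL, the Path and the directory name."""
    _, host, share = parse_share_url(share_url)
    return "/".join([MOUNT_ROOT, host, share] + split_path(path) + [home_name])


def check_record(share_url, path, home):
    """Return a list of problems; an empty list means the fields agree.

    The guide allows the home directory name to differ from the user's
    short name, so the final component is not compared with it here.
    """
    try:
        prefix = expected_home(share_url, path, "")   # ends with "/"
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not home.startswith(prefix):
        problems.append(f"Home {home!r} is not below {prefix!r}")
        return problems
    name = home[len(prefix):]
    if not name or "/" in name:
        problems.append("Home must name one directory immediately below Path")
    return problems


def home_directory_name(share_url, path, home):
    """Return the last component of a consistent Home field."""
    problems = check_record(share_url, path, home)
    if problems:
        raise ValueError("; ".join(problems))
    return home.rsplit("/", 1)[1]


if __name__ == "__main__":
    url, path = "AFP://server.example.com/Homes", "Teachers/SecondGrade"
    home = expected_home(url, path, "Smith")
    print(home, check_record(url, path, home))
```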
If the home directory share point you select is an AFP share point on Mac OS X Server, the home directory is created automatically when the user logs in if it does not already exist; the home directory is named after the user’s short name (the first short name if the user has multiple short names). If it is an NFS share point, you must create the home directory and its subfolders manually.

Setting Disk Quotas

You can limit the disk space a user can consume to store files he or she owns in the partition where his or her home directory resides. This quota does not apply to the home directory share point or to the home directory, but to the entire partition within which the home directory share point and the home directory reside. Therefore, when a user places files in another user’s folder, the user’s disk quota can be affected:
• When you copy a file to a user’s AFP drop box, the owner of the drop box becomes the owner of the file.
• In NFS, however, when you copy a file to another folder, you remain the owner, and the copy counts against your disk quota on that partition.

To set up a home directory share point disk quota using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit the disk quota, click the lock to be authenticated, then select the user in the user list.
2 Click the Home tab.
3 Specify the disk quota using the Disk Quota field and the adjacent pop-up menu.

Defining Default Home Directories for New Users

You can define default home directory settings to use for new users by using a preset to predefine them. See “Using Presets” on page 176 for information about defining and using presets.
Using Import Files to Create AFP Home Directories

The fastest way to create AFP home directories for a large number of users is to use an import file. See “Importing and Exporting User and Group Information” on page 178 for details.

Moving Home Directories

If you need to move a home directory, create the new one and, if you no longer need the existing one, delete it manually to free the disk space it uses.

Deleting Home Directories

When you delete a user account, the associated home directory is not automatically deleted. You must delete it manually.

Administering Group Accounts

This section describes how to administer group accounts stored in various kinds of directory domains.

Where Group Accounts Are Stored

Group accounts, as well as user accounts and computer accounts, can be stored in any Open Directory domain accessible from the Mac OS X computer that needs to access the account. A directory domain can reside on a Mac OS X computer (for example, a NetInfo or LDAPv3 domain) or it can reside on a non-Apple server (for example, an LDAP or Active Directory server).

You can use Workgroup Manager to work with accounts in all kinds of directory domains, but you can only update NetInfo and LDAPv3 directory domains using Workgroup Manager. See Chapter 2, “Directory Services,” for complete information about the different kinds of Open Directory domains.

Creating Group Accounts in a Directory Domain on Mac OS X Server

You need administrator privileges for a directory domain to create a new group account in it.

To create a group account:
1 Ensure that the directory services of the Mac OS X Server you are using have been configured to access the domain of interest. See Chapter 2, “Directory Services,” for instructions.
2 In Workgroup Manager, click the Accounts button.
3 Use the At pop-up menu to open the domain in which you want the group account to reside.
4 Click the lock to be authenticated as a directory domain administrator.
5 From the Server menu, choose New Group.
6 Specify settings for the group in the tabs provided. See “Working With Member Settings for Groups” on page 167 and “Working With Volume Settings for Groups” on page 170 for details.

You can also use a preset or an import file to create a new group. See “Using Presets” on page 176 and “Importing and Exporting User and Group Information” on page 178 for details.

Creating Read-Write LDAPv3 Group Accounts

You can create a group account on a non-Apple LDAPv3 server if it has been configured for write access.

To create an LDAPv3 group account:
1 Ensure that the directory services of the Mac OS X Server you are using have been configured to use the LDAP server for group accounts. See Chapter 2, “Directory Services,” for information about using Directory Access to configure an LDAP connection and Appendix A, “Open Directory Data Requirements,” for information about the group account elements that may need to be mapped.
2 In Workgroup Manager, click the Accounts button.
3 Use the At pop-up menu to open the LDAPv3 domain in which you want the group account to reside.
4 Click the lock to be authenticated.
5 From the Server menu, choose New Group.
6 Specify settings for the group in the tabs provided. See “Working With Member Settings for Groups” on page 167 and “Working With Volume Settings for Groups” on page 170 for details.

You can also use a preset or an import file to create a new group. See “Using Presets” on page 176 and “Importing and Exporting User and Group Information” on page 178 for details.

Changing Group Accounts

You can use Workgroup Manager to change a group account that resides in a NetInfo or LDAPv3 directory domain.

To make changes to a group account:
1 Ensure that the directory services of the Mac OS X Server you are using have been configured to access the directory domain of interest. See Chapter 2, “Directory Services,” for instructions.
2 In Workgroup Manager, click the Accounts button.
3 Use the At pop-up menu to open the domain in which the group account resides.
4 Click the lock to be authenticated.
5 Click the Group tab to select the group you want to work with.
6 Edit settings for the group in the tabs provided. See “Working With Member Settings for Groups” on page 167 and “Working With Volume Settings for Groups” on page 170 for details.

Working With Read-Only Group Accounts

You can use Workgroup Manager to review information for group accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains, LDAPv3 domains not configured for write access, and BSD configuration files.

To work with a read-only group account:
1 Ensure that the directory services of the Mac OS X Server you are using have been configured to access the directory domain in which the account resides. See Chapter 2, “Directory Services,” for information about using Directory Access to configure server connections and Appendix A, “Open Directory Data Requirements,” for information about the group account elements that need to be mapped.
2 In Workgroup Manager, click the Accounts button.
3 Use the At pop-up menu to open the directory domain in which the group account resides.
4 Use the tabs provided to review the group account settings. See “Working With Member Settings for Groups” on page 167 and “Working With Volume Settings for Groups” on page 170 for details.

Working With Member Settings for Groups

Member settings include a group’s names, its ID, and a list of the users who are members of the group.

In Workgroup Manager, use the Members tab in the group account window to work with member settings. When the name of a user in the Members list appears in italics, the group is the user’s primary group.

Adding Users to a Group

Add users to a group when you want multiple users to have the same file access privileges or when you want to make them managed users.
When you create a user account and assign the new user a primary group, the user is automatically added to the group you specify; you do not need to explicitly do so. Otherwise, you explicitly add users to a group.

You can use Workgroup Manager to add users to a group if the user and group accounts are in a NetInfo or LDAPv3 directory domain.

To add users to a group using Workgroup Manager:
1 In Workgroup Manager, open the group account you want to work with if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the group in the group list.
2 Click the Members tab.
3 Click Add to open a drawer listing the users defined in the directory domain you are working with. (To include system users in the list, choose Preferences on the Workgroup Manager menu, then select “Show system users and groups.”) Make sure that the group account resides in a directory domain specified in the search policy of computers the user will log in to.
4 Select the user, then drag it into the Members list on the Members tab.

Removing Users From a Group

You can use Workgroup Manager to remove a user from a group that is not the user’s primary group if the user and group accounts reside in a NetInfo or LDAPv3 directory domain.

To remove a user from a group using Workgroup Manager:
1 In Workgroup Manager, open the group account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the group in the group list.
2 Click the Members tab.
3 Select the user or users you want to remove from the group, then click Remove.
Naming a Group

A group has two names: a full name and a short name.
• The full group name, which is used for display purposes only, can contain as many as 255 characters (127 double-byte characters). Use only these characters:
  a through z
  A through Z
  0 through 9
  _ (underscore)
  - (hyphen)
  . (period)
  (space)
  For example, English Department Students.
• The short name can contain as many as 255 characters (127 double-byte characters). Use only these characters:
  a through z
  A through Z
  0 through 9
  _ (underscore)
  - (hyphen)
  . (period)
  The short name, typically 8 or fewer characters, is used by Mac OS X to find UIDs of group members when determining whether a user can access a file as a result of his or her group membership.

You can use Workgroup Manager to edit the names of a group account stored in a NetInfo or LDAPv3 directory domain or to review the names in any directory domain accessible from the server you are using.

To work with group names using Workgroup Manager:
1 In Workgroup Manager, open the group account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. To change a name, click the lock to be authenticated. Select the group in the group list.
2 In the Name or “Short name” field on the Members tab, review or edit the names. Before saving a new name, Workgroup Manager checks to ensure that it is unique.

Defining a Group ID

A group ID is a string of ASCII digits that uniquely identifies a group. The maximum value is 2,147,483,647. The minimum value is 101.

You can use Workgroup Manager to edit the ID for a group account stored in a NetInfo or LDAPv3 directory domain or to review the group ID in any directory domain accessible from the server you are using.

To work with a group ID using Workgroup Manager:
1 In Workgroup Manager, open the group account you want to work with if it is not already open.
To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. To change a group ID, click the lock to be authenticated. Select the group in the group list.
2 In the Group ID field on the Members tab, review or edit the ID. Before saving a new group ID, Workgroup Manager checks to ensure that it is unique in the directory domain you are using.

Working With Volume Settings for Groups

You can designate a directory for use exclusively by members of a particular group. A group directory offers a way to organize documents and applications of special interest to group members and gives group members a directory to use to pass information back and forth among them.

If the group is a workgroup (if you want to define Mac OS X preferences for the group), you must set up a group volume. A workgroup’s preferences are stored in the group volume you associate with the workgroup.

In Workgroup Manager, use the Volumes tab in the group account window to work with group volume settings:
• Select None to avoid creating a group directory.
• Select Network to automate the creation of group volumes.
• Select Advanced to customize your group volume settings.

Before you can set up a group directory, you must create the share point for it to reside in, as the next section describes.

Creating Group Directories

Before you can designate a directory as a group directory, you must create a share point for the directory. Chapter 4, “Sharing,” tells you how to use Workgroup Manager to create a folder and share it.

If you are using AFP to share the group directory, you can take advantage of automatic group share point and group directory creation by choosing the Network option on the Volumes tab for the group account in Workgroup Manager. To work with other sharing protocols and share points, you must use the Advanced option on that tab.
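The rules given above under “Naming a Group” and “Defining a Group ID” are easy to get wrong when group records are prepared in bulk rather than typed into the Members tab, where Workgroup Manager checks them. The following Python is an added example, not code from the guide or from Workgroup Manager: it applies the character, length and range rules stated above and repeats the uniqueness check against a list of groups already in the directory domain. The record layout and function names are assumptions made for this illustration, and the sample groups are constructed.

```python
"""Validate a group's names and ID against the rules in this chapter.

Added example, not code from the Mac OS X Server guide or from Workgroup
Manager.  Record layout and function names are assumptions; the sample
groups used in __main__ are constructed.
"""
import re
from dataclasses import dataclass

GROUP_ID_MIN = 101
GROUP_ID_MAX = 2_147_483_647
# The limit is 255 characters (127 double-byte characters); since the
# allowed set below is ASCII-only, a plain character count is sufficient.
NAME_MAX_CHARS = 255
SHORT_NAME_TYPICAL_MAX = 8      # longer is permitted but unusual
# Full names: letters, digits, underscore, hyphen, period and space.
FULL_NAME_RE = re.compile(r"^[A-Za-z0-9_.\- ]+$")
# Short names: the same set without the space.
SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


@dataclass
class GroupRecord:
    full_name: str
    short_name: str
    group_id: str   # a string of ASCII digits, as the guide describes it


def _check_name(value, pattern, label):
    """Return a problem description for a name, or None if it is acceptable."""
    if not value:
        return f"{label} is empty"
    if len(value) > NAME_MAX_CHARS:
        return f"{label} exceeds {NAME_MAX_CHARS} characters"
    if not pattern.match(value):
        return f"{label} contains characters outside the allowed set: {value!r}"
    return None


def _check_group_id(value):
    """Return a problem description for a group ID, or None if acceptable."""
    # str.isdigit() alone accepts non-ASCII digits, so require ASCII too.
    if not (value.isascii() and value.isdigit()):
        return f"group ID must be a string of ASCII digits: {value!r}"
    gid = int(value)
    if not GROUP_ID_MIN <= gid <= GROUP_ID_MAX:
        return f"group ID {gid} is outside {GROUP_ID_MIN}..{GROUP_ID_MAX}"
    return None


def _same_id(a, b):
    """Compare IDs numerically so that "0101" and "101" are seen as equal."""
    try:
        return int(a) == int(b)
    except ValueError:
        return a == b


def validate_group(record, existing):
    """Return (errors, warnings) for record against groups already in the domain.

    errors must be fixed before the record is saved; warnings are advisory.
    """
    errors, warnings = [], []
    for problem in (_check_name(record.full_name, FULL_NAME_RE, "full name"),
                    _check_name(record.short_name, SHORT_NAME_RE, "short name"),
                    _check_group_id(record.group_id)):
        if problem:
            errors.append(problem)
    if len(record.short_name) > SHORT_NAME_TYPICAL_MAX:
        warnings.append(f"short name {record.short_name!r} is longer than "
                        f"{SHORT_NAME_TYPICAL_MAX} characters")
    # Workgroup Manager refuses a short name or group ID already in the domain.
    for other in existing:
        if other.short_name == record.short_name:
            errors.append(f"short name {record.short_name!r} is already used")
        if _same_id(other.group_id, record.group_id):
            errors.append(f"group ID {record.group_id!r} is already used")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    domain = [GroupRecord("English Department Students", "english", "1025")]
    for rec in (GroupRecord("French Department Students", "french", "1026"),
                GroupRecord("Bad/Name", "bad name", "100"),
                GroupRecord("Duplicate", "english", "0001025")):
        print(rec.short_name, validate_group(rec, domain))
```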
Automatically Creating Group Directories

When you initially set up a server, an AFP share point named /groups is created automatically. You can automate the (overnight) creation of group directories in the /groups share point when you use Workgroup Manager to define groups in a NetInfo or LDAPv3 directory domain.

To set up an automatically created group directory:
1 In Workgroup Manager, open the group account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. To edit the group directory information, click the lock to be authenticated. Select the group in the group list.
2 Click the Volumes tab.
3 Select Network.
4 Click Select to choose a server from a list of servers that host a /groups share point in a directory domain in your current search path. The group directory is created immediately below it using the group’s short name. The server name you choose appears in the Server field. Alternatively, enter a server name in the Server field. The group directory is created automatically only if the server you specify hosts a /groups share point in your current search path. Otherwise, you need to create an AFP share point on that server named /groups and, within it, a group directory with the short name of the group.
5 In the Owner Name field, enter the name of the user you want to own the group directory so he or she can act as group directory administrator. Click Users to choose an owner from a list of users in the current directory domain.
6 Optionally check one of the boxes that automate visibility of the group directory for group members when they log in to a Mac OS X computer. Check “Show group documents” to automatically display the group directory in the Dock. Check “Mount group volume at startup” to automatically display the group directory in the Finder.
Customizing Group Directory Settings

When you need more control over group directory settings than the network group directory option provides, you can use Workgroup Manager to customize group directory settings. The group whose directory you want to customize must be defined in a NetInfo or LDAPv3 directory domain.

For example, you may want to organize group directories as several folders within a share point. If LanguageGroups is a group directory share point, you may want to place the group directory for English students in LanguageGroups/English and for French students in LanguageGroups/French.

To customize group settings:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the group account resides. To edit the group directory information, click the lock to be authenticated, then select the group in the group list.
2 Click the Volumes tab, then select Advanced.
3 In the URL field, enter the full URL to the group directory’s share point. For example, enter “SMB://ntserver.com/macgroups” to identify an SMB share point named “macgroups” on a server whose domain name is “ntserver.com”. The share point must already exist on the server.
4 In the Path field, enter the path from the share point to the group directory. For example, if the share point is GroupDirs and the full path to the group directory is GroupDirs/Teachers/Primary/, enter Teachers/Primary in the Path field. These directories must already exist.
5 In the Owner Name field, enter the name of the user you want to own the group directory so he or she can act as group directory administrator. Click Users to choose an owner from a list of users in the current directory domain.
6 Optionally check one of the boxes that automate visibility of the group directory for group members when they log in to a Mac OS X computer.
Check “Show group documents” to automatically display the group directory in the Dock. Check “Mount group volume at startup” to automatically display the group directory in the Finder.

Working With Group and Computer Preferences

See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for information about how you can use groups when you want managed Mac OS X users to have workgroup and computer list preferences.

Deleting a Group Account

You can use Workgroup Manager to delete a group account stored in a NetInfo or LDAPv3 directory domain.

To delete a group account using Workgroup Manager:
1 In Workgroup Manager, open the group account you want to delete if it is not already open. To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the group in the group list.
2 Choose Delete Selected Group from the Server menu.

Finding User and Group Accounts

In Workgroup Manager, user and group accounts are listed in tabs at the left side of the Workgroup Manager window.

Workgroup Manager preferences affect the lists. Choose the Preferences command on the Workgroup Manager menu to control whether system users and groups are listed and the order in which items are listed.

To work with one or more of the accounts listed, select them. Data about the selected accounts appears in tabs to the right of the list.

To populate the list, use the At menu to select the directory domain(s) you want to work with. Initially, the local directory domain accounts are listed. The domains available for selection include all directory domains configured for access by the server you are logged in to. “Listing Users and Groups in the Local Directory Domain” on page 174 through “Refreshing User and Group Lists” on page 175 tell you how to use the At menu.
Choose the Show Status Bar command on the View menu to display information related to your current At menu selection:
• When Search Path is selected, the status bar identifies the computer you are currently logged in to and the user name under which you are logged in.
• When “Other” or “Local” is selected, the status bar identifies the directory domain in which you are currently authenticated and the user name under which you are authenticated.

After you choose directory domains, all the accounts residing in those domains are listed. You can sort the list by clicking a column heading. You can filter the list to find specific users or groups by using the filter options above the list. See “Finding Specific Users and Groups in a List” on page 175 and “Sorting User and Group Lists” on page 175 for details.

Listing Users and Groups in the Local Directory Domain

The local directory domain is a server-resident domain that is visible only when you are logged in to the server where it resides.

To list accounts in the local domain of the server you are working with:
1 In Workgroup Manager, log in to the server hosting the domain, then select Local in the At pop-up menu.
2 User accounts residing in the local domain are listed in the user tab, and local group accounts are listed in the group tab. To work with a particular account, select it. To change the account, which requires that you have server or domain administrator privileges, click the lock to authenticate.

Listing Users and Groups in Search Path Directory Domains

The search path directory domains are those in the search policy defined for the Mac OS X Server you are logged in to.

To list accounts in search path domains of the server you are working with:
1 In Workgroup Manager, log in to a server whose search policy contains the directory domains of interest.
2 Select Search Path in the At pop-up menu.
User accounts residing in all directory domains in the search path are listed in the user tab, and group accounts are listed in the group tab.
3 To work with a particular account, select it. To change the account, which requires that you have server or domain administrator privileges, click the lock to authenticate.

Listing Users and Groups in Available Directory Domains

You can list user and group accounts residing in any specific directory domain accessible from the server you are logged in to using Workgroup Manager. You select the domain from a list of all the directory domains configured to be visible from the server you are using.

Note that “available” directory domains are not the same as directory domains in a search policy. A search policy consists of the directory domains a server searches routinely when it needs to retrieve, for example, a user’s account. But the same server might be configured to access directory domains that have not been added to its search policy.

To list accounts in directory domains accessible from a server:
1 In Workgroup Manager, log in to a server from which the directory domains of interest are visible.
2 Select Other in the At pop-up menu.
3 In the dialog box that appears, select the domain(s), then click OK. User accounts residing in selected directory domains are listed in the user tab, and group accounts are listed in the group tab.
4 To work with a particular account, select it. To change a NetInfo or LDAPv3 account, which requires that you have server or domain administrator privileges, click the lock to authenticate.

Refreshing User and Group Lists

To refresh the list of user and group accounts currently displayed in Workgroup Manager, you can
• type in the field above the list
• choose another item in the At pop-up menu, then reselect the domain(s) you had been working with

User and group lists are automatically refreshed at the rate specified in the Workgroup Manager preferences.
Choose the Preferences command on the Workgroup Manager menu to display the current setting for automatic refresh and optionally change it.

Finding Specific Users and Groups in a List

After you have displayed a list of users or groups in Workgroup Manager, you can filter the list to find particular users or groups of interest.

To filter items in the list of accounts:
1 After listing accounts, select the user or group tab.
2 In the pop-up menu above the account list, select an option to describe what you want to find. When you enter a name option, both full and short names of users or groups are searched. The original list is replaced by items that satisfy your search criteria.

Sorting User and Group Lists

After displaying a list of accounts in Workgroup Manager, click a column heading to sort entries using the values in that column. Click the heading again to reverse the order of the entries in the list.

Shortcuts for Working With Users and Groups

When using Workgroup Manager to work with user and group accounts, several shortcuts can save you time:
• You can make changes to multiple user or group accounts at once. See “Editing Multiple Users Simultaneously” on page 176.
• You can use presets, which are like templates that let you predefine attributes to apply to new user or group accounts by default. See “Creating a Preset for User Accounts” on page 176 through “Changing Presets” on page 178.
• You can import user and group accounts from a file. See “Understanding What You Can Import” on page 179 through “Using Character-Delimited Files” on page 187.

Editing Multiple Users Simultaneously

You can use Workgroup Manager to make the same change to multiple user accounts in a NetInfo or LDAPv3 domain at the same time.

To edit multiple users:
1 In Workgroup Manager, list the users in the directory domain of interest. Click the Account button, then use the At pop-up menu to open the directory domain.
Click the lock to be authenticated, then select the users in the user list. Use Command-click to select each user whose account you want to change.
2 Click the tab you want to work with and make changes as required for fields that Workgroup Manager lets you update.

Using Presets

Presets are Workgroup Manager account templates. They let you set up initial attributes for new accounts you create using Workgroup Manager.

Presets can be used only during account creation. If you change a preset after it has been used to create an account, accounts already created using the preset are not updated to reflect those changes.

Creating a Preset for User Accounts

To create a preset for user accounts:
1 Open Workgroup Manager on the server from which you will be creating user accounts. Ensure that the server has been configured to access the Mac OS X directory domain or non-Apple LDAPv3 directory domain in which the preset will be used to create new accounts.
2 Click the Accounts button.
3 To create a preset using data in an existing user account, open the account. To create a preset using an empty user account, create a new user account.
4 Fill in the fields with values you want new user accounts to inherit. Delete any values you do not want to prespecify if you are basing the preset on an existing account. The following attributes can be defined in a user account preset: password settings, home directory settings, quotas, default shell, primary group ID, group membership list, and mail settings.
5 On the Presets pop-up menu, choose Save Preset, enter a name for the preset, then click OK.

Creating a Preset for Group Accounts

To create a preset for group accounts:
1 Open Workgroup Manager on the server from which you will be creating group accounts. Ensure that the server has been configured to access the Mac OS X directory domain or non-Apple LDAPv3 directory domain in which the preset will be used to create new accounts.
2 Click the Accounts button.
3 To create a preset using data in an existing group account, open the account. To create a preset using an empty group account, create a new group account.

4 Fill in the fields with values you want new group accounts to inherit. Delete any values you do not want to prespecify if you are basing the preset on an existing account.

5 On the Presets pop-up menu, choose Save Preset, enter a name for the preset, then click OK.

Using Presets to Create New Accounts

To create a new account using a preset:

1 Open Workgroup Manager on a server configured to access the Mac OS X directory domain or non-Apple LDAPv3 directory domain in which the preset will be used to create the new account.

2 Click the Accounts button.

3 Use the At pop-up menu to open the directory domain in which you want the new account to reside.

4 Click the lock to be authenticated as a directory domain administrator.

5 From the Presets pop-up menu, choose the preset you want to use.

6 Create a new account.

7 Add or update attribute values as appropriate, either interactively or using an import file.

Renaming Presets

To rename a preset:

1 Open Workgroup Manager on the server where the preset has been defined.

2 Click the Accounts button.

3 From the Presets pop-up menu, choose Rename Preset and enter the new name.

4 Click OK.

Deleting a Preset

To delete a preset:

1 Open Workgroup Manager on the server where the preset has been defined.

2 Click the Accounts button.

3 From the Presets pop-up menu, choose Delete Preset.

4 Select the preset you want to delete, then click Delete.

Changing Presets

When you change a preset, existing accounts created using it are not updated to reflect your changes.

To change a preset:

1 Open Workgroup Manager on the server where the preset has been defined.

2 Click the Accounts button.

3 From the Presets pop-up menu, choose the preset you want to change.

4 After completing your changes, choose Save Preset on the Presets pop-up menu.
You can also change a preset while using it to create a new account by changing any of the fields defined by the preset, then saving the preset.

Importing and Exporting User and Group Information

Importing user and group accounts from a file is useful when you want to

• Create a large number of users or groups in a batch.

• Migrate user or group accounts from another server. You can import users and groups from AppleShare IP 6.3 or Mac OS X Server version 10.1 and earlier.

• Update a large number of user or group accounts with new information.

You can import accounts into a NetInfo or LDAPv3 directory domain from

• XML files created by exporting accounts on AppleShare IP 6.3 servers.

• XML files created by exporting accounts on Mac OS X Server versions 10.1 and earlier.

• Character-delimited files created by exporting accounts on Mac OS X Server versions later than 10.1, or created by hand or using a database or spreadsheet application.

There are two ways to import and export accounts: using Workgroup Manager or using the dsimportexport command-line tool. dsimportexport gives you more control over the import and export processes, while Workgroup Manager offers a simpler, graphical user experience.

During import and export processing, dsimportexport displays status information and writes to a log file:

• Status information is provided for each user or group imported or exported. Status data includes the total number of records processed so far, the number of bytes processed so far, and the identity of the record being processed currently.

• The log file is created in /Users//Library/Logs/ImportExport/DSImportExport.logYYYY.MMDD.mmmmmm, where identifies the user who invoked dsimportexport and mmmmmm is milliseconds. The log file provides both processing information and error indications.
Information logged includes the date and time that the import or export operation started, the total number of users and groups imported or exported, and the identity of any accounts that generated errors during import or export.

This section describes how to prepare files for importing and how to conduct import and export operations using Workgroup Manager and dsimportexport.

Understanding What You Can Import

The user and group account attributes you can import vary with the kind of import file you use:

• XML files created with Mac OS X Server 10.1 or earlier (see page 186)

• XML files created with AppleShare IP 6.3 (see page 186)

• character-delimited files (see page 187)

You cannot use an import file to change these predefined users: daemon, root, nobody, unknown, or www. Nor can you use an import file to change these predefined groups: admin, bin, daemon, dialer, mail, network, nobody, nogroup, operator, staff, sys, tty, unknown, utmp, uucp, wheel, or www. You can, however, add users to the wheel and admin groups.

Using Workgroup Manager to Import Users and Groups

You can use Workgroup Manager to import user and group accounts into a NetInfo or LDAPv3 directory domain.

To import accounts using Workgroup Manager:

1 Create a character-delimited or XML file containing the accounts to import, and place it in a location accessible from the server on which you will use Workgroup Manager. Ensure the file contains no more than 10,000 records. See “Using XML Files Created With Mac OS X Server 10.1 or Earlier” on page 186, “Using XML Files Created With AppleShare IP 6.3” on page 186, and “Using Character-Delimited Files” on page 187 for information on creating files to import.

2 In Workgroup Manager, click the Account button, then use the At pop-up menu to open the directory domain into which you want to import accounts.

3 Click the lock to authenticate as domain administrator.

4 Choose Import from the Server menu, then select the import file.
5 Select one of the Duplicate Handling options to indicate what to do when the short name of an account being imported matches that of an existing account.

“Overwrite existing record” overwrites any existing record in the directory domain.

“Ignore new record” ignores an account in the import file.

“Add to empty fields” merges data from the import file into the existing account when the data is for an attribute that currently has no value.

“Append to existing record” appends data to existing data for a particular multivalue attribute in the existing account. Duplicates are not created. This option might be used, for example, when importing new members into an existing group.

6 Select one of the Record Format options.

“Import standard users” indicates your import file contains user accounts with these attributes in the order listed: short name, password, UID, primary group ID, full name, path to the home directory on the user’s computer, and default shell. The first line of the file must contain “StandardUserRecord.”

“Import standard groups” indicates your import file contains group accounts with these attributes in the order listed: group name, group ID, and short names of group members. The first line of the file must contain “StandardGroupRecord.”

“Use record description in file” indicates that the first line of the file is a complete record description. “Using Character-Delimited Files” on page 187 describes what the record description must look like.

“Import XML from AppleShare IP” indicates your import file is an XML file created using AppleShare IP.

“Import XML from Server Admin” indicates your import file is an XML file created using Server Admin on Mac OS X Server 10.1 or earlier.

7 In the First User ID field, enter the UID at which to begin assigning UIDs to new user accounts for which the import file contains no UID.
8 In the Primary Group ID field, enter the group ID to assign to new user accounts for which the import file contains no primary group ID.

9 Click Import to start the import operation.

Using Workgroup Manager to Export Users and Groups

You can use Workgroup Manager to export user and group accounts from a NetInfo or LDAPv3 directory domain into a character-delimited file that you can import into a different NetInfo or LDAPv3 directory domain.

To export accounts using Workgroup Manager:

1 In Workgroup Manager, click the Account button, then use the At pop-up menu to open the directory domain from which you want to export accounts.

2 Click the lock to authenticate as domain administrator.

3 Choose Export from the Server menu.

4 Specify the name to assign to the export file and the location where you want it created.

5 Click Export.

Using dsimportexport to Import Users and Groups

You can use dsimportexport to import user and group accounts into a NetInfo or LDAPv3 directory domain.

Here are the parameters that dsimportexport accepts when importing user and group accounts. Parameters are delimited using angle brackets (<>) if they are required and square brackets ([]) if they are optional:

dsimportexport <-g or -s or -p> <-s startingUID> [-r primaryGroupID] [-k keyIndex ...] [-n recNameIndex] [-v] [-T standardRecordType] [-yrnm userName] [-yrpwd password] [-y ipAddress] [-V] [-h] [-err]

where

-g imports accounts from a character-delimited file. See “Using Character-Delimited Files” on page 187 for information about the format of this kind of file.

-s imports accounts from an XML file formatted as “Using XML Files Created With Mac OS X Server 10.1 or Earlier” on page 186 describes.

-p imports accounts from an XML file formatted as “Using XML Files Created With AppleShare IP 6.3” on page 186 describes.

file names the file from which you want to import accounts, including the path to the file. For example, /tmp/Import1.
directoryDomain is the full path to the NetInfo or LDAPv3 directory domain into which you want to import the accounts. For a NetInfo domain, you might type “NetInfo/root/someDomain”. For an LDAPv3 domain, an example is “LDAPv3/ldap.example.com”.

userName is the full or short name of a user who has domain administrator privileges for the directory domain.

password is the password associated with the userName you specify.

O overwrites any existing record in the directory domain with the value(s) in the attribute(s) identified using the -k option.

M merges data from the import file into an existing account, using the value(s) in the attribute(s) identified using the -k option, when the data is for an attribute that currently has no value.

I ignores an account in the import file if a record with the same value(s) in the attribute(s) identified using the -k option already exists in the directory domain.

A appends data to existing data for a particular multivalue attribute in an account in the directory domain with the value(s) in the attribute(s) identified using the -k option. Duplicates are not created. This option might be used, for example, when importing new members into an existing group.

-s startingUID specifies the starting UID to use when importing from an ASIP XML file or a character-delimited file that contains new user accounts with no UIDs specified. You can omit this argument if all the accounts in the import file contain UIDs, but use it if some or all of the accounts do not contain UIDs. For example, -s 559 assigns UIDs to imported users starting at 559 and incrementing by one for each new user.

-r primaryGroupID identifies the primary group ID to assign a new user when an account in the import file has no group ID specified. For example, -r 20 makes the group with a group ID of 20 the primary group of an imported user with no group ID defined in the file.

-k keyIndex ... is for character-delimited import files only.
It is used to identify as many as four attributes of an account in the file that you want to use to determine whether the account already exists. The keyIndex is 0 based, so -k 0 points to the first attribute of an account in the import file. Separate multiple keyIndex values using commas, for example, -k 1,5,6,8. If you omit the -k parameter, -k 0 is assumed.

-n recNameIndex is for character-delimited import files only. It is used to identify the attribute providing a user’s short name or a group name. The nameIndex is 0 based, so -n 0 points to the first attribute. If you omit the -n parameter, -n 0 is assumed.

-v generates verbose output during import. Because this option generates a large amount of status data for each account (including all data in the import file), use this option only when debugging import files. The default status data are counts of the number of accounts and bytes processed and the record name of the account currently being processed.

-T standardRecordType is for character-delimited import files only. It is used to indicate that the first line of the file does not contain a record description because the file contains accounts in standard formats. A standardRecordType value of xDSStandardUser is used for standard user accounts, and xDSStandardGroup is used for standard group accounts. See “Using Character-Delimited Files” on page 187 for details about account formatting.

-yrnm userName is the user name for logging in to a remote Mac OS X Server identified in the -y parameter.

-yrpwd password is the password for logging in to a remote Mac OS X Server identified in the -y parameter.

-y ipAddress is the IP address of a remote Mac OS X Server from which the directory domain is visible.

-V adds the version number of dsimportexport to the log file.

-h displays usage information for dsimportexport.

-err displays error information.
To use dsimportexport to import users and groups:

1 Create a character-delimited or XML file containing the accounts to import, and place it in a location accessible from the server from which you will use the tool. Ensure the file contains no more than 10,000 records. See “Using XML Files Created With Mac OS X Server 10.1 or Earlier” on page 186, “Using XML Files Created With AppleShare IP 6.3” on page 186, and “Using Character-Delimited Files” on page 187 for information on creating files to import.

2 As domain administrator, log in to a server that has access to the directory domain into which you want to import accounts.

3 Open the Terminal application and type the dsimportexport command. The dsimportexport tool is located in /usr/sbin.

Using dsimportexport to Export Users and Groups

You can use dsimportexport to export user and group accounts from NetInfo or LDAPv3 directory domains into a character-delimited file that you can import into a different Mac OS X or non-Apple LDAPv3 directory domain.

Here are the parameters that dsimportexport accepts when exporting user and group accounts. Parameters are delimited using angle brackets (<>) if they are required and square brackets ([]) if they are optional:

dsimportexport -x [-v] [-d delimiter ...] [-yrnm userName] [-yrpwd password] [-y ipAddress] [-V] [-h] [-err]

where

-x exports accounts into a character-delimited text file. See “Using Character-Delimited Files” on page 187 for information about the format of this kind of file.

file names the file to which you want to export accounts, including the path to the file. For example, /tmp/Export1. The file should not already exist.

directoryDomain is the full path to the NetInfo or LDAPv3 directory domain from which you want to export the accounts. For a NetInfo domain, you might type “NetInfo/root/someDomain”. For an LDAPv3 domain, an example is “LDAPv3/ldap.example.com”.

-v generates verbose output during export.
Because this option generates a large amount of status data for each account (including all data in the export file), use this option only when debugging export files. The default status data are a count of the number of accounts processed and the record name of the account currently being processed.

-d delimiter is for character-delimited export files only. This parameter specifies four delimiters in this order: end of record, escape, end of field, and end of value. The delimiter values must be expressed using hex strings, for example, 0x0A. If you omit this parameter, the default delimiters are \n (end of record, 0x0A), \ (escape, 0x5C), : (end of field, 0x3A), and , (end of value, 0x2C).

-yrnm userName is the user name for logging in to a remote Mac OS X Server identified in the -y parameter.

-yrpwd password is the password for logging in to a remote Mac OS X Server identified in the -y parameter.

-y ipAddress is the IP address of a remote Mac OS X Server from which the directory domain is visible.

-V adds the version number of dsimportexport to the log file.

-h displays usage information for dsimportexport.

-err displays error information.

To use dsimportexport to export users and groups:

1 As domain administrator, log in to a server that has access to the directory domain from which you want to export accounts.

2 Open the Terminal application and type the dsimportexport command. The dsimportexport tool is located in /usr/sbin.

Using XML Files Created With Mac OS X Server 10.1 or Earlier

You can use Server Admin to create an export file from Mac OS X Server versions 10.1 or earlier, and import that file into a NetInfo or LDAPv3 directory domain using Workgroup Manager or dsimportexport.

The following user account attributes are exported into these XML files.
Attributes in angle brackets (<>) are required and will generate an error if absent when you use the file as an import file:

• indication of whether user can log in

• indication of whether user is a server administrator

•

•

•

• shell

• comment

•

•

• and .

• Apple mail data

• ara (Apple Remote Access; this data is ignored.)

The following group account attributes might be present in these XML files:

•

•

•

• other members’ short names

Using XML Files Created With AppleShare IP 6.3

You can use the Web & File Admin application to create an export file on an AppleShare IP 6.3 server and import that file into a NetInfo or LDAPv3 directory domain using Workgroup Manager or dsimportexport.

The following user account attributes are exported into these XML files. Attributes in angle brackets (<>) are required and will generate an error if absent when you use the file as an import file:

• (mapped to a full name)

• inetAlias (mapped to a short name)

• comment

• indication of whether user can log in

• and .

• Apple mail data

• indicator for whether the user is a server administrator, password change data, and indicator for forcing a password to change (this data is ignored)

The dsimportexport tool generates UIDs when you import this XML file, using the -s parameter to determine the UID to start with and incrementing each subsequently imported account’s UID by one. It generates primary group IDs using the -r parameter. When you import using Workgroup Manager, UIDs and primary group IDs are generated as you indicate in the dialog box provided.

The following group account attributes might be present in these XML files:

•

•

• other members’ short names

dsimportexport generates group IDs when you import this XML file, using the -r parameter to determine the group ID to start with and incrementing each subsequently imported group’s ID by one.
When you import using Workgroup Manager, group IDs are generated using the information you provide for primary group IDs in the import dialog box.

Using Character-Delimited Files

You can create a character-delimited file by using Workgroup Manager or dsimportexport to export accounts in NetInfo or LDAPv3 directory domains into a file. You can also create a character-delimited file by hand or by using a database or spreadsheet application.

The first record in the file must characterize the format of each account in the file. There are three options:

• Write a full record description.

• Use the shorthand “StandardUserRecord.”

• Use the shorthand “StandardGroupRecord.”

The other records in the file describe user or group accounts, encoded in the format described by the first record. Any line of a character-delimited file that begins with “#” is ignored during importing.

Writing a Record Description

A record description identifies the fields in each record you want to import from a character-delimited file; indicates how records, fields, and values are separated; and describes the escape character that precedes special characters in a record.
Encode the record description using the following elements in the order specified, separating them using a space:

End-of-record indicator (in hex notation)
Escape character (in hex notation)
Field separator (in hex notation)
Value separator (in hex notation)
Type of accounts in the file (DSRecTypeStandard:Users or DSRecTypeStandard:Groups)
Number of attributes per account
List of attributes

For user accounts, the list of attributes must include the following, although you can omit UID and PrimaryGroupID if you specify a starting UID and a default primary group ID when you import the file:

RecordName (the user’s short name)
Password
UniqueID (the UID)
PrimaryGroupID
RealName (the user’s full name)

In addition, you can include

UserShell (the default shell)
NFSHomeDirectory (the path to the user’s home directory on the user’s computer)
Other user attributes, described in Appendix A

For group accounts, the list of attributes must include

RecordName (the group name)
PrimaryGroupID (the group ID)
GroupMembership

In addition, you can include other user attributes, described in Appendix A.

Here is an example of a record description:

0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Users 7 RecordName Password UniqueID PrimaryGroupID RealName NFSHomeDirectory UserShell

Here is an example of a record encoded using the description:

jim:Adl47E$:408:20:J. Smith, Jr., M.D.:/Network/Servers/somemac/Homes/jim:/bin/csh

Using the StandardUserRecord Shorthand

When the first record in a character-delimited import file contains “StandardUserRecord,” the record description assumed is

0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Users 7 RecordName Password UniqueID PrimaryGroupID RealName NFSHomeDirectory UserShell

An example user account looks like this:

jim:Adl47E$:408:20:J. Smith, Jr., M.D.:/Network/Servers/somemac/Homes/jim:/bin/csh

Using the StandardGroupRecord Shorthand

When the first record in a character-delimited import file contains “StandardGroupRecord,” the record description assumed is

0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Groups 4 RecordName PrimaryGroupID GroupMembership

Here is an example of a record encoded using the description:

students:Ad147:88:jones,thomas,smith,wong

Understanding Password Validation

A user’s password can be validated using one of these options:

• Using a value stored as a readable attribute in the user’s account. The account can be stored in a directory domain residing on Mac OS X Server or on another vendor’s directory server, such as an LDAP or Active Directory server.

• Using a value stored in the Open Directory Password Server.

• Using a Kerberos server.

• Using LDAP bind authentication with a non-Apple LDAPv3 directory server.

Clients needing password validation, such as login window and the AFP server, call Mac OS X directory services. Directory services determines from the user’s account how to validate the password.

• Directory services can validate a password stored in the account or by interacting with the Password Server or a remote LDAP directory server (using LDAP bind authentication).

• If a Kerberos server is used to validate a user, when the user accesses a Kerberized client, such as the AFP server in the following picture, the client interacts directly with the Kerberos server to validate the user. Then the client interacts with directory services to retrieve the user’s record for other information it needs, such as the UID or primary group ID.

See “The Authentication Authority Attribute” on page 192 for information about the attribute in a user’s account that indicates how to validate a particular user’s password.

[Figure: directory services, Password Server, Kerberos server, directory server, user account. Password provided can be validated using value stored in account.]
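Returning to the character-delimited import format and the duplicate-handling options described earlier in this chapter: the following added example (not Apple's dsimportexport code) parses a record description or the StandardUserRecord shorthand, honours the escape character, applies the -s/-r defaults, rejects predefined users, and merges records under the O, M, I and A rules. The sample records are constructed; it assumes commas inside a value are escaped, since an unescaped comma is the value separator.

```python
"""Parser and merge logic for the character-delimited import files described above:
record description line or StandardUserRecord shorthand, the escape character,
-s/-r defaults and the O/M/I/A duplicate-handling rules.  Added example, not Apple's
dsimportexport code; the sample records are constructed."""
from collections import namedtuple

RecordDescription = namedtuple("RecordDescription", "rec_end escape field_sep value_sep rec_type attrs")
STANDARD_USER_DESC = ("0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Users 7 RecordName Password "
                      "UniqueID PrimaryGroupID RealName NFSHomeDirectory UserShell")
PREDEFINED_USERS = {"daemon", "root", "nobody", "unknown", "www"}  # never importable
MULTI_VALUED = {"GroupMembership"}

def parse_description(line):
    """First line: four hex delimiters, record type, attribute count, attribute names."""
    line = line.strip()
    if line == "StandardUserRecord":
        line = STANDARD_USER_DESC
    parts = line.split()
    delims = [chr(int(p, 16)) for p in parts[:4]]
    rec_type, count, attrs = parts[4], int(parts[5]), tuple(parts[6:])
    if rec_type not in ("DSRecTypeStandard:Users", "DSRecTypeStandard:Groups"):
        raise ValueError("unknown record type " + rec_type)
    if count != len(attrs):
        raise ValueError("attribute count %d != %d names" % (count, len(attrs)))
    return RecordDescription(*delims, rec_type, attrs)

def tokenize(text, d):
    """Split into records -> fields -> values; escaped chars are literal; blank and '#' lines dropped."""
    records, rec, field, val = [], [], [], []
    chars = iter(text)
    for ch in chars:
        if ch == d.escape:
            val.append(next(chars, ""))
        elif ch == d.value_sep:
            field.append("".join(val)); val = []
        elif ch in (d.field_sep, d.rec_end):
            field.append("".join(val)); val = []
            rec.append(field); field = []
            if ch == d.rec_end:
                records.append(rec); rec = []
        else:
            val.append(ch)
    if val or field or rec:  # last record without a terminator
        field.append("".join(val)); rec.append(field); records.append(rec)
    return [r for r in records if r != [[""]] and not r[0][0].startswith("#")]

def import_accounts(text, existing, mode="O", key_index=0, starting_uid=None, primary_gid=None):
    """Merge the file into `existing` ({RecordName: attrs}) and return a report like
    the dsimportexport log: records processed, errors, next free UID.  Mode I ignores."""
    assert mode in ("O", "M", "I", "A"), "duplicate handling must be O, M, I or A"
    first, _, body = text.partition("\n")
    d = parse_description(first)
    key_attr, is_user = d.attrs[key_index], d.rec_type.endswith("Users")
    processed, errors, next_uid = 0, [], starting_uid
    for fields in tokenize(body, d):
        processed += 1
        if len(fields) != len(d.attrs):
            errors.append("field count mismatch in " + fields[0][0]); continue
        rec = {a: (f if a in MULTI_VALUED else f[0]) for a, f in zip(d.attrs, fields)}
        name = rec["RecordName"]
        if is_user and name in PREDEFINED_USERS:
            errors.append("cannot modify predefined user " + name); continue
        match = next((n for n, r in existing.items() if r.get(key_attr) == rec[key_attr]), None)
        if is_user and (match is None or mode == "O"):  # apply the -s / -r defaults
            if not rec.get("UniqueID"):
                if next_uid is None:
                    errors.append("no UID for %s and no starting UID" % name); continue
                rec["UniqueID"], next_uid = str(next_uid), next_uid + 1
            if not rec.get("PrimaryGroupID"):
                if primary_gid is None:
                    errors.append("no primary group ID for " + name); continue
                rec["PrimaryGroupID"] = str(primary_gid)
        if match is None:
            existing[name] = rec
        elif mode == "O":  # overwrite existing record
            existing[match] = rec
        elif mode == "M":  # add to empty fields only
            for a, v in rec.items():
                if not existing[match].get(a):
                    existing[match][a] = v
        elif mode == "A":  # append multi-values without creating duplicates
            for a in MULTI_VALUED & set(rec):
                cur = existing[match].setdefault(a, [])
                cur.extend(v for v in rec[a] if v not in cur)
    return {"processed": processed, "errors": errors, "next_uid": next_uid}

# Constructed sample: shorthand description, a comment line, escaped commas in RealName,
# a record with no UID or primary group ID, and a predefined user that must be rejected.
SAMPLE_USERS = (
    "StandardUserRecord\n"
    "# constructed HR export for this example\n"
    "jim:Adl47E$:408:20:J. Smith\\, Jr.\\, M.D.:/Network/Servers/somemac/Homes/jim:/bin/csh\n"
    "ann:xYz9Q:::A. Lee:/Network/Servers/somemac/Homes/ann:/bin/tcsh\n"
    "root:*:0:0:System Administrator:/var/root:/bin/sh\n"
)
SAMPLE_GROUPS = (  # constructed, with an explicit record description; used with mode "A"
    "0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Groups 3 RecordName PrimaryGroupID GroupMembership\n"
    "students:88:jones,thomas\n"
)
```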
[Figure: password can also be validated using value stored on another server on the network. Elements: directory services, login window, Telnet and SSH, AFP file server, Kerberos server, Password Server, Mac OS X lock icon, user account.]

Contrasting Password Validation Options

Here are the pros and cons of the options for validating a user’s password:

• Storing a password in the user’s account. This approach, referred to as the “basic” password validation strategy, is the default strategy. It is the simplest and fastest strategy, since it does not depend on another infrastructure for password validation. It is the strategy most compatible with software that needs to access user records directly, such as legacy UNIX software. It supports users logging in to computers running Mac OS X version 10.1 and earlier as well as Windows users authenticated using Authentication Manager when they log in to a Mac OS X Server version 10.1. When integrating with existing directory systems, such as LDAP and Active Directory servers, this strategy offers the greatest opportunity for both Mac OS X Server and the directory server to use the same record to authenticate a user who wants to use that server. This strategy may not support clients that require certain network-secure authentication protocols (such as SMB, APOP, or CRAM-MD5) when transmitting passwords to a particular service. Also, this strategy can make your server vulnerable to offline attacks, since readable versions of passwords are used. See “The Problem With Readable Passwords” on page 194 for more information about offline attacks. See “Storing Passwords in User Accounts” on page 193 for details about this strategy.

• Using a Password Server. This strategy lets you set up user-specific password policies for users. You can require a user to change his password periodically or use only passwords having more than a minimum number of characters.
It supports clients that can use basic authentication as well as clients requiring network-secure authentication protocols that protect the privacy of a password during transmission. It is the recommended method to use for Windows clients. It is the only way to authenticate AFP clients prior to version 3.8.3, because they require AFP 2-Way Random authentication, which Password Server supports. Password Server passwords can’t be used during login to computers running Mac OS X version 10.1 or earlier. In addition, this strategy relies on the availability of a Password Server on a Mac OS X Server; if the Password Server goes down, password validation cannot occur, because you cannot replicate a Password Server. Also, you must ensure that physical access to the server on which Password Server resides is controlled. See “Using a Password Server” on page 195 for details about this strategy.

• Using a Kerberos server. This option is not supported by all services but offers the opportunity to integrate into existing Kerberos environments. As in the case of the Password Server, if the Kerberos server is unavailable, users whose passwords are verified using it are unable to use your server. See “Using Kerberos” on page 197 for details about this strategy.

• Using an LDAP server. This option, like Kerberos, offers a way to integrate your Mac OS X Server into an existing authentication scheme. See “Using LDAP Bind Authentication” on page 201 for details about this strategy.

The Authentication Authority Attribute

To authenticate a user, Mac OS X directory services first locates the user’s record using the user name provided by the user. Then it determines which password validation scheme to use by consulting the “authentication authority” attribute in the user’s account. The authentication authority attribute identifies the password validation scheme and provides additional information as required.
For example, if a Password Server is being used, the location of the Password Server is part of the authentication authority value.

If a user’s account contains no authentication authority attribute, the basic strategy is used. For example, user accounts created using Mac OS X version 10.1 and earlier contain no authentication authority attribute.

Choosing a Password

The password associated with a user’s account must be entered by the user before he or she can be authenticated. The password is case-sensitive (except for SMB LAN Manager passwords) and does not appear on the screen as it is entered.

Regardless of the password validation option you use for any user, here are some guidelines for composing a password for Mac OS X Server users. A password should contain letters, numbers, and symbols in combinations that won’t be easily guessed by unauthorized users. Avoid spaces and Option-key combinations. Also avoid characters that can’t be entered on computers the user will be using. (Some computers do not support passwords that contain double-byte characters, leading spaces, embedded spaces, and so forth.) A zero-length password is not recommended, and some systems (such as LDAP bind) do not allow them.

Most of the Mac OS X Server applications and services that require passwords support 7-bit or 8-bit ASCII passwords without leading or trailing spaces. Use the following information to determine whether you need to take these restrictions into account when defining passwords for server users:

• Apple file service accepts 7-bit or 8-bit ASCII passwords.

• File Transfer Protocol (FTP) service accepts 7-bit ASCII passwords.

• IMAP accepts 7-bit ASCII passwords. Some IMAP clients accept 8-bit ASCII passwords.

• Macintosh Manager accepts 7-bit or 8-bit ASCII passwords.

• POP3 accepts 7-bit ASCII passwords.

• Web service accepts 7-bit ASCII passwords.

• Windows service accepts 7-bit ASCII passwords.
• Server Settings accepts 7-bit or 8-bit ASCII passwords.

Migrating Passwords

When you import user accounts from computers running Mac OS X Server version 10.1 or earlier, no authentication authority attribute exists. Therefore all these users have basic password validation enabled initially. When importing users from servers supporting Windows users, Authentication Manager passwords may have been used to set the passwords.

While all the existing passwords can continue to be used after importing the users, if you want to use the Password Server for imported users, you’ll need to reset their passwords after importing them. “Enabling the Use of a Password Server for a User” on page 196 describes how to change a basic password to a Password Server password.

Setting Up Password Validation Options

The sections that follow describe how to set up the different kinds of password validation for individual users:

• To store a password in a user’s account, see “Storing Passwords in User Accounts” on page 193.

• To use a Password Server to validate a user’s password, see “Enabling the Use of a Password Server for a User” on page 196.

• To use a Kerberos server, see “Integrating Mac OS X With a Kerberos Server” on page 199.

• To use LDAP bind authentication, see “Using LDAP Bind Authentication” on page 201.

Storing Passwords in User Accounts

This password management strategy is the default strategy, but cannot be used to validate the passwords of clients that require network-secure authentication protocols. (The single exception is users created using Mac OS X Server version 10.1 in NetInfo domains with Authentication Manager enabled.) Use the Password Server if you need to support these kinds of client computers.

Enabling Basic Password Validation for a User

Basic password validation is the simplest form of password validation. It relies on a readable version of a user’s password, stored in the user account. Only the first 8 characters are used for password validation.
A user’s password is stored in the user account in an encrypted form, derived by feeding a random number along with the clear text password to a mathematical function, known as a one-way hash function. A one-way hash function always generates the same encrypted value from particular input, but cannot be used to re-create the original password from the encrypted output it generates. To validate a password using the encrypted value, Mac OS X applies the function to the password entered by the user and compares it with the value stored in the user account. If the values match, the password is considered valid.

You can use Workgroup Manager to enable using the basic password validation strategy for user accounts stored in a Mac OS X directory or non-Apple LDAPv3 directory domain.

To enable basic password validation using Workgroup Manager:

1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. Click the lock to be authenticated, then select the user in the list.

2 On the Advanced tab, choose Basic from the “Use Password Type” pop-up menu.

3 If the user’s password validation strategy is currently a different one, you will be prompted to enter and verify a new password. If you are working with a new user, enter the password on the Basic tab in the Password field, then reenter it in the Verify field. “Choosing a Password” on page 192 provides guidelines for choosing passwords.

The Problem With Readable Passwords

Whenever you store passwords in a readable form, they are potentially subject to hacking. Consider, for example, NetInfo user records. Although the passwords in NetInfo user records are encrypted using one-way encryption, they are readable because the nidump utility can be used to copy user records to a file.
The file can be transported to a system where a malicious user can try candidate passwords against the stored hashes until one produces a matching value. This is known as an offline attack, because it requires no login attempts against the server and therefore leaves no trace in its logs. Once a password is recovered, the attacker can supply the correct user name and password and log in successfully without notice.

Using a Password Server

The Password Server stores passwords but never allows them to be read; passwords can only be set and verified. Malicious users must log in over the network to attempt to gain access, and the invalid password attempts that the Password Server logs can alert you to such attempts.

The Password Server is based on a standard known as SASL (Simple Authentication and Security Layer). This lets it support a wide range of network authentication protocols used by clients of Mac OS X Server services, such as mail and file servers, that need to authenticate users. Some of the protocols also support clients that require clear text or unique hashes. Here are a few of the network authentication protocols that the Password Server supports:

- CRAM-MD5
- MD5
- APOP
- NT and LAN Manager (for SMB)
- SHA-1
- DHX
- AFP 2-Way Random
- WebDAV Digest

The account of a user whose password is validated by the Password Server does not store the user’s password. Instead, its authentication authority attribute stores a unique password ID, assigned by the Password Server when the account was set up to use it. To validate a password, directory services passes the password ID to the Password Server, which it locates using the network address also stored in the authentication authority attribute. The Password Server uses the password ID as the key for finding the actual password and any associated password policy.
For example, the Password Server may locate a user’s password but discover that it has expired. If the user is logging in, login window presents a dialog for changing the password; after providing a new password, the user can be authenticated.

The Password Server maintains a record for each user that includes:

- The password ID, a 128-bit value assigned when the password is created. The value includes a key for finding the user’s password record.
- The password, stored in recoverable or hashed form. The form depends on which network authentication protocols are enabled for the Password Server (using Open Directory Assistant). If APOP or AFP 2-Way Random is enabled, the Password Server must store a recoverable (encrypted) password, because those protocols need the clear-text password on the server side. If neither is enabled, only hashes of the passwords are stored. Enable these two protocols only for clients that actually need them: a recoverable password is a larger exposure than a hash if the Password Server’s database is ever copied.
- Data about the user that is useful in log records, such as the short name.
- Password policy data.

Setting Up a Password Server

The account of a user validated by the Password Server is stored in a NetInfo or LDAPv3 directory domain that resides on Mac OS X Server. Before you set up a user’s account to use a Password Server, you need to set up the Password Server. See Chapter 2, “Directory Services,” for instructions. It describes how to use Open Directory Assistant to:

- create a Password Server
- associate a directory domain with a Password Server
- designate an administrator for the Password Server

Any user you designate as an administrator for the Password Server becomes the domain administrator for the directory domain with which the server is associated. This administrator’s password is validated by that Password Server, so the administrator can update passwords for user accounts that use it.
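The contrast drawn above between Basic validation (a readable salted hash in the user record, which an offline attack can grind through) and the Password Server (the account holds only a 128-bit password ID, the server holds the secret and logs every failure) is shown below as an added example. This is not Apple’s code: SHA-256 with a random salt stands in for the crypt(3) hash that Basic validation actually uses, the server address and attribute layout are illustrative, and the sample guesses are constructed. The 8-character truncation, the unreadable server-side record, the expiry check, and the per-password-ID failure review from “Monitoring a Password Server” later in this chapter all follow the text.

```python
"""Added example, not Apple's code: models the two validation strategies
described above.  hashlib SHA-256 with a random salt stands in for the
crypt(3) hash Basic validation actually uses (assumption); the 8-character
truncation, the 128-bit password ID, the unreadable server-side store and
the failed-attempt log follow the text."""
import hashlib
import hmac
import secrets
from collections import Counter


# --- Basic validation: a readable salted hash lives in the user record ---

def basic_hash(password, salt):
    """Hash of the first 8 characters only, as Basic validation does."""
    digest = hashlib.sha256((salt + password[:8]).encode("utf-8")).hexdigest()
    return salt + "$" + digest


def basic_verify(stored, attempt):
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(stored, basic_hash(attempt, salt))


def offline_attack(stored, wordlist):
    """What an attacker does with a record copied by nidump: every guess is
    checked locally, so nothing is logged and no login is ever attempted."""
    salt = stored.split("$", 1)[0]
    for guess in wordlist:
        if hmac.compare_digest(stored, basic_hash(guess, salt)):
            return guess
    return None


# --- Password Server: the account keeps only a password ID ---

class PasswordServer:
    def __init__(self, address="192.0.2.5"):      # hypothetical server address
        self.address = address
        self._records = {}    # password_id -> record; no method ever returns the hash
        self.failures = []    # (password_id, short_name, client_ip), as the log records

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

    def create(self, short_name, password, expired=False):
        """Returns what the account stores in its authentication authority
        attribute (fields only; the real attribute syntax is not modelled)."""
        password_id = secrets.token_hex(16)        # 128-bit ID
        salt = secrets.token_hex(8)
        self._records[password_id] = {
            "short_name": short_name,
            "salt": salt,
            "digest": self._digest(salt, password),   # full password, not truncated
            "expired": expired,
        }
        return {"type": "PasswordServer", "password_id": password_id,
                "server": self.address}

    def verify(self, password_id, attempt, client_ip):
        """Looks the record up by password ID, checks the password, then policy."""
        rec = self._records.get(password_id)
        if rec is None or not hmac.compare_digest(
                rec["digest"], self._digest(rec["salt"], attempt)):
            self.failures.append((password_id, rec["short_name"] if rec else "?", client_ip))
            return "failed"
        if rec["expired"]:
            return "expired"      # login window would now prompt for a new password
        return "ok"

    def set_password(self, password_id, new_password):
        """Passwords can be set and verified, never read."""
        rec = self._records[password_id]
        rec["digest"] = self._digest(rec["salt"], new_password)
        rec["expired"] = False


def suspicious_ids(failures, threshold):
    """The review the Monitoring section asks for: password IDs with many failures."""
    counts = Counter(pid for pid, _, _ in failures)
    return {pid for pid, n in counts.items() if n >= threshold}
```

Note what `basic_verify` accepts: any attempt whose first 8 characters match passes, which is why the page warns that only 8 characters count. The `PasswordServer` object exposes no way to read a digest, and every failed `verify` call lands in `failures` with the client address, so `suspicious_ids` can pick out a password ID that is being guessed at over the network.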
Enabling the Use of a Password Server for a User

Use Workgroup Manager to enable the use of a Password Server for validating passwords for user accounts stored in a NetInfo or LDAPv3 directory domain residing on Mac OS X Server.

To enable the use of a Password Server for a user:

1. Make sure a Password Server has been associated with the directory domain in which the user’s account resides.
2. In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. Click the lock to authenticate, then select the user in the list.
3. On the Advanced tab, choose “Password Server” from the “Use Password Type” pop-up menu.
4. If the user’s password is currently validated with a different strategy, you are prompted to enter and verify a new password. If you are working with a new user, enter the password in the Password field on the Basic tab, then reenter it in the Verify field. The password can contain up to 512 characters, but the network authentication protocol may impose a lower limit: 128 characters for SMB NT, 14 for SMB LAN Manager, 8 for AFP 2-Way Random, and 8 for Crypt (basic). A password longer than a protocol’s limit fails over that protocol even though the Password Server accepted it. “Choosing a Password” on page 192 provides guidelines for choosing passwords.
5. On the Advanced tab, click Options to set up the user’s password policy. Click OK when you are done.

The password ID is a unique 128-bit number assigned when the password is created on the Password Server. It can help in troubleshooting, since it appears in the Password Server log when a problem occurs. View this log in the directory services section of Server Status.

Exporting Users With Password Server Passwords

The Password Server does not let you read passwords. Therefore, when you export user accounts that have Password Server passwords, the passwords are not exported.
When you import such users, you must reset all their passwords after importing their accounts. “Enabling the Use of a Password Server for a User” on page 196 describes how.

Making a Password Server More Secure

Using a Password Server offers flexible and secure password validation, but you need to make sure that the server on which the Password Server runs is itself secure:

- Set up the Password Server on a server that is not used for any other activity. Every additional service on that machine is another way in to the password database.
- Since the load on a Password Server is not particularly high, several (or even all) of your server-resident directory domains can share a single Password Server.
- Make sure that the Password Server’s computer is in a physically secure location.

Monitoring a Password Server

Use the Password Server logs, visible in Server Status, to monitor failed login attempts. The Password Server logs every failed authentication attempt, including the IP address it came from. Review the logs periodically for a large number of failed attempts against the same password ID, which indicates that somebody may be guessing passwords over the network.

Using Kerberos

If you already use Kerberos to authenticate users, you can use it to validate passwords for the following services of Mac OS X Server version 10.2 and later:

- Login window
- Mail service
- FTP
- AFP server and client
- Telnet server

These services have been “Kerberized.” Only Kerberized services can use Kerberos to validate a user.

Understanding Kerberos

Like the Password Server, a Kerberos server is dedicated to handling the data needed for user validation; other user data is maintained in a separate server. Kerberized services are configured to authenticate principals known to a particular Kerberos realm. You can think of a “realm” as a particular Kerberos database or authentication domain, which contains validation data for users, services, and sometimes servers (collectively known as “principals”).
For example, a realm contains each principal’s secret key. A user principal’s key is the result of a one-way function applied to the password; service principals are generally based on randomly generated secrets rather than passwords. Here are examples of realm and principal names; note that realm names are capitalized by convention to distinguish them from DNS domain names:

- Realm: MYREALM.EXAMPLE.COM
- User principal: smitty@MYREALM.EXAMPLE.COM
- Service principal: afpserver/anothername.example.com@MYREALM.EXAMPLE.COM

There are several phases to Kerberos authentication. In the first phase, the client obtains credentials to be used to request access to Kerberized services. In the second phase, the client requests authentication for a specific service. In the final phase, the client presents those credentials to the service. The following steps summarize these activities. Note that the service and the client may be the same entity (such as login window) or two different entities (such as a mail client and the mail server).

[Illustration: Client, Key Distribution Center (KDC), and Kerberized service, connected by the six numbered exchanges below.]

1. The client authenticates to a Kerberos Key Distribution Center (KDC), which interacts with realms to access authentication data. This is the only step in which the password and associated password policy information need to be checked.
2. The KDC issues the client a ticket-granting ticket, the credential needed when the client wants to use Kerberized services. The ticket-granting ticket is good for a configurable period of time but can be revoked before expiration. It is cached on the client until it expires.
3. The client contacts the KDC with the ticket-granting ticket when it wants to use a particular Kerberized service.
4. The KDC issues a ticket for that service.
5. The client presents the ticket to the service.
6. The service verifies that the ticket is valid.
If the ticket is valid, use of the service is granted to the client, provided the client is authorized to use the service. (Kerberos only authenticates clients; it does not authorize them to use services. An AFP server, for example, still needs to consult the user’s account in a directory domain to obtain the UID.) The service uses information in the ticket, if required, to retrieve additional information about the user from a directory domain. Note that the service never needs to know the password or any password policy information, and once a ticket-granting ticket has been obtained, no password information needs to be provided again.

For more information on Kerberos, go to the MIT Kerberos home page: web.mit.edu/kerberos/www/index.html

Integrating Mac OS X With a Kerberos Server

To integrate Mac OS X with a Kerberos server:

1. Make sure that one or more realms supported by your Kerberos server contain information for all the users to be validated using Kerberos and for all the Mac OS X Kerberized services they will use. The Kerberos principal name must be the same as the short name in the user’s directory domain account.
2. Create user accounts for each of the same users in directory domains accessible from the Mac OS X computers on which the Kerberized services will be used. Set the password type to Basic, and specify passwords that will never be used to authenticate the users. Make these long, random values: Basic validation still works against whatever is stored there for services that do not use Kerberos, so a guessable placeholder is a second way to log in as that user. Kerberized services on Mac OS X computers retrieve user accounts by extracting the user name part of the principal from the Kerberos ticket and passing it to directory services to find the account.
3. Before enabling Kerberos for a specific Kerberized service, create one or more principals for it in the KDC, save the shared secrets into a keytab file, and copy the keytab file from the KDC to /etc/krb5.keytab on your Mac OS X Server. Use the kadmin command-line tool to create the principals and the keytab file, and use a file sharing protocol to transfer the keytab file from the Kerberos server to Mac OS X Server.
FTP or SCP (secure copy over SSH) are most likely to be present on the KDC; prefer SCP. Keytab files are sensitive because they contain the service keys used to decide whether a client or service is trustworthy: anyone who reads the keytab can impersonate the service, and FTP would carry it over the network in the clear. Once copied, make sure /etc/krb5.keytab is readable only by root.
4. On Mac OS X Server, place the edu.mit.Kerberos configuration file in /Library/Preferences/. This file is not sensitive (it names the realm and the KDC, not any keys), so it can be placed on a guest-accessible volume. The file must also reside in /Library/Preferences/ in the home directory of each user you want to authenticate using Kerberos.
5. Enable the individual services (mail, AFP, and FTP) and clients (login window, AFP client, mail client) to support Kerberos authentication.
6. Make sure that the users you want authenticated using Kerberos are in the search path of the server hosting the Kerberized services.

Enabling Kerberos Authentication for Mail

Use Server Settings to enable mail server support for Kerberos. See “Requiring or Allowing Kerberos Authentication” on page 381 for details. To enable mail client support, set up the Mac OS X Mail application’s account preferences to use Kerberos V5 authentication. Also make sure that edu.mit.Kerberos resides in /Library/Preferences/ on the user’s computer.

Enabling Kerberos Authentication for AFP

Use Server Settings to enable AFP server support for Kerberos. See Chapter 5, “File Services,” for details. The AFP client has no special requirements beyond access to /Library/Preferences/edu.mit.Kerberos.

Enabling Kerberos Authentication for FTP

Use Server Settings to enable FTP server support for Kerberos. See Chapter 5, “File Services,” for details.

Enabling Kerberos Authentication for Login Window

In addition to access to /Library/Preferences/edu.mit.Kerberos, login window depends on this rule in /etc/authorization:

    system.login.done    eval    switch_to_user,krb5auth:login

Enabling Kerberos Authentication for Telnet

To set up Telnet support, edit the /etc/inetd.conf file to enable Telnet.
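The six-step exchange in “Understanding Kerberos,” the keytab hand-off in step 3 above, and the 5-minute clock tolerance from “Kerberos Users Can’t Authenticate” are modelled below as an added example. This is not Apple’s or MIT’s code and is not Kerberos wire format: `seal`/`unseal` are a hypothetical HMAC-SHA256 keystream-plus-tag stand-in for Kerberos encryption, the ticket fields are simplified to client, session key and expiry, and the realm and principal names are the ones the text uses. What it does show faithfully is which key opens which message: the password-derived key is used only in the AS exchange, the TGT is opaque to the client, and the service needs nothing but its keytab entry.

```python
"""Added example, not Apple's or MIT's code: a toy model of the six-step
Kerberos exchange described above.  'seal' is a hypothetical HMAC-SHA256
keystream plus tag, not a Kerberos enctype, and the tickets are simplified."""
import hashlib
import hmac
import json
import os

REALM = "MYREALM.EXAMPLE.COM"
MAX_SKEW = 300            # seconds; more than 5 minutes and authentication fails
TICKET_LIFE = 8 * 3600    # configurable ticket lifetime, 8 hours here


def string_to_key(password):
    """The one-way function that turns a user's password into the realm key."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def _stream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Toy authenticated encryption: nonce || keystream-XOR(data) || HMAC tag."""
    data = json.dumps(obj).encode("utf-8")
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def _check_clock(stamp, now):
    if abs(now - stamp) > MAX_SKEW:
        raise ValueError("clock skew exceeds %d seconds" % MAX_SKEW)


class KDC:
    """The realm database: user keys derived from passwords, service keys random."""

    def __init__(self):
        self.keys = {}
        self.tgs_key = os.urandom(32)

    def add_user(self, short_name, password):
        self.keys["%s@%s" % (short_name, REALM)] = string_to_key(password)

    def add_service(self, spn):
        """Returns the keytab entry an admin copies to /etc/krb5.keytab over SCP."""
        key = os.urandom(32)
        self.keys["%s@%s" % (spn, REALM)] = key
        return {"%s@%s" % (spn, REALM): key}

    def as_exchange(self, principal, preauth, now):
        """Steps 1-2: the only point where the password (its key) is checked."""
        user_key = self.keys[principal]
        _check_clock(unseal(user_key, preauth)["ts"], now)   # wrong password: unseal fails
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": principal, "key": session,
                                  "exp": now + TICKET_LIFE})
        return seal(user_key, {"key": session}), tgt

    def tgs_exchange(self, tgt, authenticator, spn, now):
        """Steps 3-4: no password involved, only the TGT and its session key."""
        t = unseal(self.tgs_key, tgt)
        if now > t["exp"]:
            raise ValueError("ticket-granting ticket expired")
        _check_clock(unseal(bytes.fromhex(t["key"]), authenticator)["ts"], now)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys["%s@%s" % (spn, REALM)],
                      {"client": t["client"], "key": svc_session, "exp": now + TICKET_LIFE})
        return seal(bytes.fromhex(t["key"]), {"key": svc_session}), ticket


def service_accept(keytab, spn, ticket, authenticator, now):
    """Steps 5-6: the service opens the ticket with its keytab key and learns the
    short name; authorization (UID, groups) is still the directory domain's job."""
    t = unseal(keytab["%s@%s" % (spn, REALM)], ticket)
    if now > t["exp"]:
        raise ValueError("service ticket expired")
    _check_clock(unseal(bytes.fromhex(t["key"]), authenticator)["ts"], now)
    return t["client"].split("@", 1)[0]      # user-name part of the principal


def login(kdc, keytab, short_name, password, spn, now, client_clock=None):
    """Client side of all six steps; returns the short name the service resolved."""
    client_now = now if client_clock is None else client_clock
    principal = "%s@%s" % (short_name, REALM)
    user_key = string_to_key(password)
    reply, tgt = kdc.as_exchange(principal, seal(user_key, {"ts": client_now}), now)
    session = bytes.fromhex(unseal(user_key, reply)["key"])
    reply, ticket = kdc.tgs_exchange(tgt, seal(session, {"ts": client_now}), spn, now)
    svc_session = bytes.fromhex(unseal(session, reply)["key"])
    return service_accept(keytab, spn, ticket, seal(svc_session, {"ts": client_now}), now)
```

Two failure modes from the troubleshooting section fall out directly: a client whose clock is off by more than `MAX_SKEW` is refused at every authenticator check, and a server whose keytab no longer holds the right key for the service principal cannot open the ticket at all, which is the “make sure the keytab file on your server has the principals of interest in it” case.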
Solving Problems With Kerberos

See “Kerberos Users Can’t Authenticate” on page 204 for troubleshooting tips.

Using LDAP Bind Authentication

With this password validation technique, you rely on an LDAPv2 or LDAPv3 server to authenticate a user’s password. LDAPv3 is preferred because it supports the Secure Sockets Layer (SSL) protocol. You can use Workgroup Manager to enable LDAP bind authentication for user accounts stored in a NetInfo or LDAPv3 directory domain.

To enable LDAP bind user authentication using Workgroup Manager:

1. Make sure the account of the user whose password you want to validate using LDAP bind resides on an LDAPv3 server in the search path of the Mac OS X computer that needs to validate the password. See Chapter 2, “Directory Services,” for information about configuring LDAPv3 server connections. Do not map the password attribute when configuring the connection; bind authentication then occurs automatically. Also set up the connection to use SSL, because a simple bind sends the password in clear text and SSL is what protects it in transit.
2. In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the LDAPv3 directory domain where the user’s account resides. Click the lock to authenticate, then select the user in the user list.
3. On the Advanced tab, choose Basic from the “Use Password Type” pop-up menu.
4. On the Basic tab, make sure the Password field is empty.

Backing Up and Restoring Files

Regularly back up your Password Server as well as your root and administrator user accounts.

Backing Up a Password Server

Back up your Password Server frequently. When you do so, also back up any directory domain(s) that use the Password Server:

- To back up a Password Server, back up these two files: /var/db/authserver/authservermain and /var/db/authserver/authserverfree.
Make sure that your Password Server backup files are secured as carefully as the computer hosting your Password Server; if APOP or AFP 2-Way Random is enabled, these files contain recoverable passwords.
- See Chapter 2, “Directory Services,” for information on backing up directory domains.

If you restore the Password Server, make sure you also restore the corresponding directory domains at the same time, since the password IDs stored in the accounts must match the records in the Password Server database.

Backing Up Root and Administrator User Accounts

System files are owned by the root or system administrator user IDs that exist at the time they are created. Should you need to restore system files, the same IDs should exist on the server so that the original permissions are preserved. To ensure that you can recreate these user IDs, periodically export the server’s user and group information to a file, as “Importing and Exporting User and Group Information” on page 178 describes.

Supporting Client Computers

Validating Windows User Passwords

Using the Password Server is recommended for validating the passwords of Windows users supported by your server. Windows users supported by Mac OS X Server 10.1 and earlier were optionally authenticated using Authentication Manager, which offered encrypted password support. If you export such users and import them, Basic password validation is assumed and the Authentication Manager information is lost. You need to reset the passwords of such users before they can be used with certain network protocols.

Setting Up Search Policies on Mac OS X Client Computers

Mac OS X client computer search policies must be set up so that accounts and shared resources (such as network file servers and printers) are visible from the Mac OS X computer. See Chapter 2, “Directory Services,” for client configuration options and instructions.

Solving Problems

Follow the suggestions in this section when problems with user and group account administration arise.
You Can’t Modify an Account Using Workgroup Manager

Before you can modify an account using Workgroup Manager:

- You must be a domain administrator for any Apple directory domain storing the account.
- The directory domain must be a NetInfo or LDAPv3 directory domain. Only these domains can be updated using Workgroup Manager.

A Password Server User’s Password Can’t Be Modified

Before you can modify the password of a user whose password is validated using a Password Server, you must:

- be a domain administrator for the directory domain storing the user’s account
- have your own password validated by the same Password Server

Users Can’t Log In or Authenticate

Try these techniques to determine whether the source of the authentication problem is the configuration or the password itself:

- Reset the password to a known value, then check whether the problem persists. Try a 7-bit ASCII password, which is supported by most clients.
- If a Password Server is being used for the user and it is not set up to support the authentication protocol the user’s client needs, use Open Directory Assistant to enable additional Password Server protocols. You may need to reset the user’s password after changing the Password Server configuration.
- Basic authentication does not support many authentication protocols. To increase the chance that a user’s client applications are supported, use the Password Server or suggest that the user try a different application.
- For Kerberos troubleshooting tips, see “Kerberos Users Can’t Authenticate” on page 204.
- If the Password Server or non-Apple directory server used for password validation is not available, reset the user’s password to use a server that is available.
- Make sure that the password contains only characters supported by the authentication protocol. Leading, embedded, and trailing spaces, as well as special characters (for example, Option-8), are not supported by some protocols.
For example, leading spaces work over POP or AFP but not over IMAP.
- Make sure that the user’s keyboard can produce the characters needed for authentication.
- Make sure the client software encodes the password so that it is recognized correctly. For example, the Password Server expects UTF-8 encoded strings, which some clients do not send.
- Make sure that the user’s client supports the password length. For example, LAN Manager only supports 14-character passwords, so a longer password causes an authentication failure even though Mac OS X Server’s Windows service supports longer passwords.
- If an AFP client prior to version 3.8.3 fails to authenticate, enable AFP 2-Way Random authentication in the Password Server for these older clients.

You Can’t Assign Server Administrator Privileges

To assign server administrator privileges to a user for a particular server, first log in to that server in Workgroup Manager.

Users Can’t Access Their Home Directories

Make sure that users have access both to the share point in which their home directories are located and to their home directories. Users need Read access to the share point and Read & Write access to their home directories.

Mac OS X User in Shared NetInfo Domain Can’t Log In

This problem occurs when a user tries to log in to a Mac OS X computer using an account in a shared NetInfo domain, but the server hosting the domain isn’t accessible. The user can log in to the Mac OS X computer using the local user account created automatically when the computer was set up to use a NetInfo account. The user name is “administrator” (short name “admin”) and the password is the NetInfo password.

Kerberos Users Can’t Authenticate

When a user or service that uses Kerberos experiences authentication failures, try these techniques:

- Kerberos relies on encrypted timestamps.
If the clocks of the KDC, client, and service computers differ by more than 5 minutes, authentication fails. Make sure the clocks of all computers are synchronized using a network time server.
- Make sure that Kerberos authentication is enabled for the service in question.
- If the Kerberos server used for password validation is not available, reset the user’s password to use a server that is available.
- Make sure that the server providing the Kerberized service has access to the directory domains containing the accounts of users who are authenticated using Kerberos. One way to do this is to use a shared directory domain on the KDC server that hosts user records corresponding to all the user principals.
- Refer to the KDC log (kdc.log) for information that can help you solve problems. Incorrect setup information, such as a wrong configuration file name, can be detected using the logs.
- Make sure all your configuration files are complete and correct. For example, make sure the keytab file on your server contains the principals of interest.

Chapter 4  Sharing

The Sharing module of Workgroup Manager lets you share information with clients of Mac OS X Server and control access to shared information by assigning access privileges.

You share information by designating share points. A share point is a folder, hard disk (or hard disk partition), or CD that you make accessible over the network. It is the point of access at the top level of a group of shared items. Users see share points as volumes mounted on their desktops, and as volumes in the Finder in Mac OS X.

Setting up share points and assigning privileges is an integral part of setting up file services. See Chapter 5, “File Services.”

Privileges

Privileges define the kind of access users have to shared items. There are four types of privileges that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None.
The table below shows how the privileges affect user access to different types of shared items (files, folders, and share points).

You can assign Write Only privileges to a folder to create a drop box. The folder’s owner can see and modify the drop box’s contents. Everyone else can only copy files and folders into the drop box, without seeing what it contains.

Users can                                          Read & Write   Read Only   Write Only   None
Open a shared file                                 Yes            Yes         No           No
Copy a shared file                                 Yes            Yes         No           No
Open a shared folder or share point                Yes            Yes         No           No
Copy a shared folder or share point                Yes            Yes         No           No
Edit a shared file’s contents                      Yes            No          No           No
Move items into a shared folder or share point     Yes            No          Yes          No
Move items out of a shared folder or share point   Yes            No          No           No

Note: QuickTime Streaming Server and WebDAV have their own privileges settings. For information about QTSS, refer to the QTSS online help and the QuickTime Web site (www.apple.com/quicktime/products/qtss/). You’ll find information on Web privileges in “Understanding WebDAV” on page 339.

Explicit Privileges

Share points and the shared items contained in share points (both folders and files) have their own individual privileges. If you move an item to another folder, it retains its own privileges and does not automatically adopt the privileges of the folder you moved it to. In the following illustration, the second folder (Designs) and the third folder (Documents) were assigned privileges that differ from those of their “parent” folders:

When new files and folders are created, however, they inherit the privileges of their parent folder. See “Privileges in the Mac OS X Environment” on page 207.

User Categories

You can assign access privileges separately to three categories of users:

Owner

A user who creates a new item (file or folder) on the file server is its owner and automatically has Read & Write privileges to that item.
By default, the owner of an item and the server administrator are the only users who can change its access privileges, for example to allow a group or everyone to use the item. The administrator can also transfer ownership of the shared item to another user.

Note: When you copy an item to a drop box on an Apple file server, ownership of that item is transferred to the owner of the drop box. This is done because only the owner of the drop box has access to items copied to it.

Group

You can put users who need the same access to files and folders into group accounts. Only one group can be assigned access privileges to a shared item. For more information on creating groups, see Chapter 3, “Users and Groups.”

[Illustration from “Explicit Privileges”: Engineering (Read & Write) contains Designs (Read Only), which contains Documents (Read & Write).]

Everyone

Everyone is any user who can log in to the file server: registered users, guests, anonymous FTP users, and Web site visitors.

Privileges Hierarchy

If a user falls into more than one category, each with different privileges, these rules apply:

- Group privileges override Everyone privileges.
- Owner privileges override Group privileges.

For example, when a user is both the owner of a shared item and a member of the group assigned to it, the user has the privileges assigned to the owner. This is not a union of the categories’ privileges: an owner with Read Only and a group with Read & Write leaves the owner with Read Only.

Client Users and Privileges

Users of AppleShare Client software can set access privileges for files and folders they own. Windows file sharing users can set folder properties, but not privileges.

Privileges in the Mac OS X Environment

If you are new to Mac OS X and are not familiar with UNIX, it is important to know that ownership and privileges are handled differently from the Mac OS 9 environment. To increase security and reliability, Mac OS X sets many system directories, such as /Library, to be owned by the root user. Files and folders owned by root can’t be changed or deleted unless you are logged in as the root user.
Be careful when you log in as the root user, since changing system data can cause problems.

As mentioned above, files and folders are, by default, owned by the user who created them. They inherit the privileges of the folder in which they are created. After they are created, items keep their privileges even when moved, unless the privileges are explicitly changed by their owner or an administrator. Therefore new files and folders you create are not accessible to client users if they are created in a folder for which those users have no privileges. When setting up share points, make sure that items allow appropriate access privileges for the users with whom you want to share them.

Network Globe Contents

You can customize the directory structure and contents of the Network globe for clients by setting up automounting for share points. You can add system resources such as fonts and preferences by automounting share points in specific directory locations.

Share Points in the Network Globe

The Network globe on Mac OS X clients represents the Darwin /Network directory. By default, the Network globe contains the following four folders:

- Applications
- Library
- Servers
- Users

You can mount share points into any of these folders. See “Automounting Share Points” on page 214 for instructions.

Static Versus Dynamic Linking

Share points can be automounted statically or dynamically. Statically mounted share points are mounted when the client computer starts up. A connection to the server is opened for static mounts during startup and remains open until the user shuts down the computer. Dynamically mounted share points are not mounted until the user opens the directory. Although an icon for the directory appears in the Network globe during startup, the actual connection to the server where the directory resides is not made until the user selects the icon and attempts to access the directory’s contents.
In both cases, an automounted share point defined on the server is not available to a client computer until the client has restarted.

Adding System Resources to the Network Library Folder

The Library folder in the Network globe is included in the system search path. This lets you make available, from the network, any type of system resource that would otherwise reside in the local Library folder: fonts, application preferences, ColorSync profiles, desktop pictures, and so forth. Mac OS X consults the network Library folder before the local Library folder, so network resources with the same name take precedence. Because of that precedence, make sure the share point you mount there is writable only by administrators: anything a user can place in it is picked up by every client in the domain.

You can use this capability to customize your managed client environment. For example, suppose you want a specific set of fonts available to each user in a given Open Directory domain. You would create a share point containing the desired fonts and then set the share point to automount into the /Network/Library/Fonts folder on client machines. See “Automounting Share Points” on page 214 for instructions on setting up automounting.

Setup Overview

You use the Sharing module of Workgroup Manager to create share points and set privileges for them. Here is an overview of the basic steps for setting up sharing:

Step 1: Read “Before You Begin”

Read “Before You Begin” on page 209 for issues you should consider before sharing information on your network.

Step 2: Locate or create the information you want to share

Decide which volumes, partitions, folders, and CDs you want to share. You may want to move some folders and files to different locations before setting up sharing. You may want to partition a disk into volumes to give each volume different access privileges, or create folders that will have different levels of access. See “Organize Your Shared Information” on page 210.
Step 3: Designate share points and set privileges

When you designate an item to be a share point, you set its privileges at the same time. You create share points and set privileges in the Sharing module of Workgroup Manager. See “Setting Up Sharing” on page 211.

Step 4: Turn file services on

For users to be able to access share points, you must turn on the Mac OS X Server file services. Turn on each file service that you use to share items. For example, if you use Apple Filing Protocol with your share point, you must turn on Apple File Server. You can share an item using more than one protocol. See Chapter 5, “File Services,” on page 221.

Before You Begin

Before you assign privileges, you need to understand how privileges for shared items work. Consider which users need access to shared items and what type of privileges you want those users to have. Privileges are described at the beginning of this chapter; see “Privileges” on page 205.

You also need to determine which protocols clients will use to access share points. In general, set up independent share points for each type of client and share each item using a single protocol:

- Mac OS clients: Apple Filing Protocol (AFP)
- Windows clients: Server Message Block (SMB)
- FTP clients: File Transfer Protocol (FTP)
- UNIX clients: Network File System (NFS)

In some cases you will want to share an item using more than one protocol. If client users will be sharing files that have common formats across platforms, you will want to create a share point that supports users of each platform. For example, Mac OS and Windows users might want to share graphics or word processing files that can be used on either platform.

Conversely, you might want to set up share points using a single protocol even though you have different kinds of clients.
For example, if almost all of your clients are UNIX users and just a couple are Mac OS clients, you may want to share items using only NFS to keep your setup simple. Keep in mind, however, that Mac OS users will then lose the features of AFP that NFS does not provide, such as searching server contents with Sherlock, performance optimization, and user name and password authentication. See Chapter 5, "File Services," on page 221 for more information.

Organize Your Shared Information

Once you have created share points, users will form "mental maps" of the share points you have set up and the items they contain. Changing share points and moving information around later will cause confusion. If you can, organize the information you share before you start creating share points. This is especially important if you are setting up network home directories (see "Administering Home Directories" on page 155).

Windows Users

If you have Windows clients, set up at least one share point to be used only by your Windows users. This gives Windows users a single point of access.

Security Issues

Security of your data and your network is critical. The most effective way to secure your network is to assign appropriate privileges to each file, folder, and share point as you create it. Be careful when creating share points and granting access to them, especially if the server is connected to the Internet. Granting access to Everyone (or to World, in NFS service) can expose your data to anyone on the Internet.

NFS share points do not have the same level of security as AFP and SMB share points. AFP and SMB require user authentication (a user name and password) before granting access to a share point's contents; NFS grants access based on the client computer's IP address alone, so any host that can present an allowed address gets in. If you have NFS clients, consider setting up a share point to be used only by NFS users.

Restricting Access by Unregistered Users (Guests)

When you configure any file service, you have the option of turning on guest access.
Guests are users who connect to the server anonymously, without entering a valid user name or password. Users who connect anonymously are restricted to files and folders whose Everyone privileges allow access.

To protect your information from unauthorized access, and to prevent people from introducing software that could damage your information or equipment, take these precautions in the Sharing module of Workgroup Manager (and, for FTP, the FTP module of Server Settings):

- Share individual folders instead of entire volumes. The folders should contain only the items you want to share.
- Set the Everyone privilege to None for files and folders that guest users should not access. Items with this setting can be accessed only by the item's owner or group.
- Put all files available to guests in one folder or set of folders. Assign the Read Only privilege to the Everyone category for that folder and for each file within it.
- Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder. Keep a backup copy of the information in this folder.
- Check such folders frequently for changes and additions, and check the server regularly with a virus-protection program.
- Disable anonymous FTP access using the FTP module of Server Settings.
- Don't export NFS volumes to World. Restrict NFS exports to a specific set of computers.

Setting Up Sharing

This section describes how to create share points and set access privileges for them. It also tells you how to configure the different protocols (AFP, SMB, FTP, and NFS) that you use to share items, and how to automount share points on clients' desktops. See "Managing Sharing" on page 215 for additional tasks you might perform after you have set up sharing on your server.

Creating Share Points and Setting Privileges

You designate volumes, partitions, folders, or CDs to be share points using the Sharing module of Workgroup Manager.
To create a share point and set privileges:

1. In Workgroup Manager, click the Sharing button.
2. In the All list, select the volume or folder that you want to make a share point.
3. Click the Sharing tab.
4. Select "Share the selection and its contents."

Change the owner and group of the shared item by typing names into those fields or by dragging names from the Users & Groups drawer. You can open the drawer by clicking "Users & Groups." Use the pop-up menus next to the fields to change the privileges for the Owner, Group, and Everyone.

Everyone is any user who can log in to the file server: registered users, guests, anonymous FTP users, and Web site visitors. If you don't want everyone to have access, set the Everyone privilege to None.

Note: Do not assign the Write Only privilege to a file or to a share point itself; assign Write Only only to folders inside a share point. Write Only on a share point hides its contents, and Write Only on a file makes the file invisible to users.

Click the Copy button to apply the ownership and privileges to all items (files and folders) contained within the share point. This overrides any privileges that other users may have set on those items.

By default, a new share point is shared through the AFP, SMB, and FTP protocols as soon as you save it. Use the Advanced pane to change the settings, to stop sharing through these protocols, or to export the item using NFS. If you intend to share through only one protocol, review the Advanced settings before you save. The Advanced settings are described in the following sections.

Configuring Apple File Protocol (AFP) Share Points

You can make share points available to Mac OS 8, Mac OS 9, and Mac OS X clients by sharing them using AFP.

To configure an AFP share point:

1. In Workgroup Manager, click Sharing.
2. Click the Share Points tab and select the share point you want to share using AFP.
3. Click the Advanced tab and choose AFP Settings from the pop-up menu.
4. Select "Share this item using Apple File Protocol."
5. Select "Allow AFP guest access" to allow clients to have guest access to this item.
For greater security, leave this option unselected.
6. Select "AFP clients see custom name for this item" if you want the share point to appear with a name different from its real one.
7. Enter the name you want AFP users to see in the text field.
8. Click Save.

Configuring Server Message Block (SMB) Share Points

You can make share points available to Windows clients by sharing them using SMB.

To configure an SMB share point:

1. In Workgroup Manager, click Sharing.
2. Click the Share Points tab and select the share point you want to share using SMB.
3. Click the Advanced tab and choose SMB Settings from the pop-up menu.
4. Select "Share this item using Server Message Block."
5. Select "SMB clients see custom name for this item" if you want the item to appear with a name different from its real one.
6. Enter the name you want SMB users to see in the text field.
7. Click Save.

Configuring File Transfer Protocol (FTP) Share Points

You can make share points available to clients over the Internet by sharing them using FTP. Keep in mind that FTP transmits user names, passwords, and file contents unencrypted.

To configure an FTP share point:

1. In Workgroup Manager, click Sharing.
2. Click the Share Points tab and select the share point you want to share using FTP.
3. Click the Advanced tab and choose FTP Settings from the pop-up menu.
4. Select "Share this item using FTP."
5. Select "Allow FTP guest access" to allow anonymous FTP users to use this item. For greater security, leave this option unselected.
6. Select "FTP clients see custom name for this item" if you want the item to appear with a name different from its real one.
7. Enter the name you want FTP users to see in the text field.
8. Click Save.

Sharing (Exporting) Items Using Network File System (NFS)

You can export share points to UNIX clients using NFS. (Export is the NFS term for sharing.)

To export an item using NFS:

1. In Workgroup Manager, click Sharing.
2. Click the Share Points tab and select the share point you want to share using NFS.
3. Click the Advanced tab and choose NFS Export Settings from the pop-up menu.
4. Select "Export this item and its contents to" to export the item using NFS.
5. Use the pop-up menu to select who you want to be able to use this information: Client or World. By default, NFS exports to the client address 127.0.0.1, which is the loopback address of the server itself. This prevents you from inadvertently exporting a folder to World. For greater security, do not export to World.
6. Click Add to specify the clients that can receive this export.
7. In the text box that appears, type an IP address or host name to add the client to the "Computer or Netgroup" list.
8. Select "Map Root user to nobody" if you want users identified as root on a remote client to be treated as the unprivileged user nobody on the server. Without this mapping, anyone who is root on an allowed client has root access to the exported item.
9. Select "Map All users to nobody" if you want all remote users to be treated as nobody, with only the privileges granted to Everyone.
10. Select "Read-only" if you don't want client users to be able to modify the contents of the shared item in any way. This overrides any other privileges set for the shared item. For example, if you give the Everyone category Read & Write privileges for the item (a setting in the Sharing tab), you can still define it as an NFS export to World with Read only privileges.
11. Click Save.

Automounting Share Points

Automount lets share points appear automatically on client computers, either when the computers start up or in their /Network/Servers folders. You can use the automount feature with AFP or NFS.

When you configure a share point to mount automatically, a mount record is created in the Open Directory database. Publish automounts in the same shared domain in which the user records exist. This ensures that the users will always have access to the share point.

Be sure to enable guest access both for the share point and for the protocol under which it is shared. The client mounts an automounted share point at startup, before any user has logged in, so the mount is made as a guest.
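The NFS export steps above, the guest precautions in "Restricting Access by Unregistered Users (Guests)," and the root-to-root requirement in "Resharing NFS Mounts as AFP Share Points" all come down to three settings on each export: whether it has a client list, whether remote root is mapped, and whether it is read-only. The following script is an added example and is not part of Apple's manual or of Mac OS X Server. It audits an exports file written in the BSD /etc/exports syntax for those three settings; the assumption that the server's export list is available in that syntax, and the sample paths and host names written by write_sample_exports, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Apple's manual. Audits an NFS exports file in
# the BSD /etc/exports syntax for the settings this chapter warns about:
#   world-export       no client list, so the item is exported to World
#   root-maps-to-root  -maproot=root (or 0): remote root is root on the server
#   read-write         no -ro flag, so clients can modify the export
# Assumptions: the exports file uses BSD syntax, and the sample paths and
# host names written by write_sample_exports are made up for the demo.

# audit_exports FILE
# Prints "WARN <kind> <path>" for each finding; exits 1 if anything was flagged.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        path = $1; world = 1; ro = 0; maproot_root = 0
        for (i = 2; i <= NF; i++) {
            f = $i
            if (f == "-ro")                          ro = 1
            else if (f ~ /^-maproot=(root|0)(:|$)/)  maproot_root = 1
            else if (f ~ /^-(network|mask)/)         world = 0   # restricted to a subnet
            else if (f !~ /^-/)                      world = 0   # explicit host or netgroup
        }
        if (world)        { print "WARN world-export " path; bad = 1 }
        if (maproot_root) { print "WARN root-maps-to-root " path; bad = 1 }
        if (!ro)          { print "WARN read-write " path; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample_exports FILE
# Writes a constructed exports file (made-up paths and hosts) for the demo.
write_sample_exports() {
    cat > "$1" <<'EOF'
# Reshare for an AFP server: root must map to root, so restrict it to that one host
/Volumes/Data/reshare -maproot=root afp1.example.com
# Read-only export restricted to one subnet: nothing to flag
/Volumes/Data/pub -ro -maproot=nobody -network=10.0.1.0 -mask=255.255.255.0
# No client list and no -ro: exported to World, read-write
/Volumes/Data/scratch -alldirs
EOF
}

# count_findings FILE -> number of WARN lines audit_exports prints for FILE
count_findings() {
    audit_exports "$1" | awk 'END { print NR }'
}

# Usage: sh nfs_export_audit.sh --demo        (audits the constructed sample)
#        sh nfs_export_audit.sh /etc/exports   (audits a real exports file)
if [ $# -gt 0 ]; then
    if [ "$1" = "--demo" ]; then
        tmp=$(mktemp) && write_sample_exports "$tmp" && audit_exports "$tmp"; rm -f "$tmp"
    else
        audit_exports "$1"
    fi
fi
```

Run against the sample, the script flags the reshare export twice (root maps to root, and it is writable) and the scratch export twice (no client list, and it is writable), while the host-restricted read-only export passes. The reshare finding is expected for the AFP reshare case described later in this chapter; the point of the audit is that such an export must be limited to the one AFP server and nothing else.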
Note: Automounted share points become available to clients only after their computers restart.

To automount a share point:

1. In Workgroup Manager, click Sharing.
2. Click the Share Points tab and select the share point you want to automount.
3. Click the Advanced tab and choose Automount Settings from the pop-up menu.
4. Select "Automount to client in domain."
5. Use the pop-up menu to choose the shared directory domain to which you want to publish (automount) this item. The share point will be mounted automatically on any computer configured to use the shared domain.
6. Enter your user name and password.
   Note: You must be authorized (have write privileges) to change the domain.
7. After you are authenticated, click "Automount this item to clients in domain."
8. For the Mount option:
   Choose "dynamically in Network/Servers" if you want client users to see share points in the /Network/Servers folder of their computers. When a user selects a share point in the folder, the share point is mounted on the user's computer. Choose this option for home directories.
   Choose "statically in" if you want the share point to mount automatically when the client computer starts up, and enter the location in the user's directory hierarchy where you want the item to appear. The share point appears as a folder in the location you specify.
9. For the "Mount using" option, choose whether you want to automount the share point using AFP or NFS.
10. Click Save.

Resharing NFS Mounts as AFP Share Points

Resharing NFS mounts (NFS volumes that have been exported to the Mac OS X Server) as AFP share points allows clients to access NFS volumes through the authenticated access of an AFP connection. Resharing NFS mounts also allows Mac OS 9 clients to access NFS file services on traditional UNIX networks.

To reshare an NFS mount as an AFP share point:

1. From the NFS server, export the directories you want to reshare to the Mac OS X Server.
Since AFP runs as root, the NFS export must map root to root so that AFP can access the files on behalf of its clients. This makes the AFP server fully privileged on the exported directories, so restrict the export to the single AFP server (which the NFS server sees as a client). You can make this more secure by using a private network for the AFP-to-NFS connection.
2. On the AFP server, create a mount record that mounts the reshared volumes in the /nfsreshare directory.
3. Use the Sharing module in Workgroup Manager to share the NFS mounts as AFP share points. The NFS mounts appear as normal volumes in the All list. (You can also share the NFS mounts using SMB and FTP, but it is recommended that you use only AFP.)

You can change privileges and ownership, but you cannot enable quotas (quotas work only on local volumes). However, if quotas are enabled on the NFS server, they should apply to the reshared volume as well.

Managing Sharing

This section describes tasks you might perform after you have set up sharing on your server. Setup information appears in "Setting Up Sharing" on page 211.

Turning Sharing Off

Because sharing is not a service, you cannot turn sharing on and off on a Mac OS X Server. You "turn sharing off" by no longer sharing an item. You can also remove the share point or stop the file service that clients are using to access the share point.

To stop sharing an item:

1. In Workgroup Manager, click Sharing.
2. Click the Share Points tab and select the item you want to stop sharing.
3. Click the Advanced tab and choose the protocol used to share the item.
4. Deselect the "Share this item" option. To completely stop sharing an item, repeat steps 3 and 4 for each protocol you used to share the item.
5. Click Save.

Removing a Share Point

To "remove a share point" is to stop sharing a volume or folder. You may want to notify users that you are removing a share point so that they know why it is no longer available.

To remove a share point:

1. In Workgroup Manager, click Sharing.
2. Click the Share Points tab and select the share point you want to remove.
3. In the Sharing pane, deselect "Share the selection and its contents." Any Advanced and Automount settings that you have configured for the item are discarded.

Browsing Server Disks

You can view the folders (but not the files) on a server using the Sharing module of Workgroup Manager.

To browse the folders on a share point or server:

1. In Workgroup Manager, click Sharing.
2. Click the Share Points tab to browse the folders of shared items, or click the All tab to browse all the folders on the local server.

Viewing Share Points

Workgroup Manager lets you view all volumes and folders on a server, or just the share points.

To view share points on a server:

1. In Workgroup Manager, click Sharing.
2. Click the Share Points tab.

Copying Privileges to Enclosed Items

When you set the privileges for a share point, volume, or folder, you can copy the ownership and privileges to all the items it contains.

To copy privileges:

1. In Workgroup Manager, click Sharing.
2. Select the item whose privileges you want to propagate. To see shared items, select the Share Points tab. To see all volumes and folders on the server, select the All tab.
3. Click Copy.

Viewing Share Point Settings

You use Workgroup Manager to view the sharing and privilege settings for a share point.

To view sharing and privileges for a share point:

1. In Workgroup Manager, click Sharing.
2. Select the Share Points tab and select the share point you want to view.
3. Select the Sharing tab.

Changing Share Point Owner and Privilege Settings

You use Workgroup Manager to view and change the owner and privileges for a share point.

To change privileges for a share point:

1. In Workgroup Manager, click Sharing.
2. Select the Share Points tab and select the share point you want to update.
3. Select the Sharing tab.
Change the owner and group of the shared item by typing names into those fields, or by dragging names from the Users & Groups drawer. You can open the drawer by clicking "Users & Groups." Use the pop-up menus next to the fields to change the privileges for the Owner, Group, and Everyone. Everyone is any user who can log in to the file server: registered users, guests, anonymous FTP users, and Web site visitors.

Changing the Protocols for a Share Point

You use the Advanced pane of Workgroup Manager to change the protocols for a share point.

To change the protocols for a share point:

1. In Workgroup Manager, click Sharing.
2. Select the share point you want to change. Select the Share Points tab to see shared items.
3. Select the Advanced tab.
4. Use the pop-up menu to choose the protocol settings you want to change. See the following sections for descriptions of the protocol settings:
   - "Configuring Apple File Protocol (AFP) Share Points" on page 212
   - "Configuring Server Message Block (SMB) Share Points" on page 212
   - "Configuring File Transfer Protocol (FTP) Share Points" on page 213
   - "Sharing (Exporting) Items Using Network File System (NFS)" on page 213

Deleting an NFS Client from a Share Point

You use the Advanced pane of Workgroup Manager to delete an NFS client from a share point.

To delete an NFS client from a share point:

1. In Workgroup Manager, click Sharing.
2. Click the Share Points tab and select the NFS share point you want to change.
3. Click the Advanced tab and choose NFS Export Settings from the pop-up menu.
4. Select an IP address from the list and click Remove.
5. Click Save.

Creating a Drop Box

A drop box is a shared folder that you set up so that others can write to it but not read its contents.

Note: Create drop boxes only within AFP share points. AFP is the only protocol that automatically changes the owner of an item placed in a drop box to the owner of the drop box.
With other protocols, ownership of the item is not transferred, even though the original owner no longer has access to the item.

To create a drop box:

1. If the folder you want to make into a drop box doesn't exist, create the folder within an AFP share point.
2. In Workgroup Manager, click Sharing.
3. Select Share Points and select the folder you want to use as a drop box.
4. Select the Sharing tab.
5. Set "Write Only" privileges for the users you want to have access to the drop box. To create a drop box for a select group of users, enter the group name (or drag the group from the Users & Groups drawer) and choose "Write Only" from the Group pop-up menu. To create a drop box for all users, choose "Write Only" from the Everyone pop-up menu. (For greater security, do not allow access to everyone; set the Everyone privilege to None.)
6. Click Save.

Supporting Client Computers

Users can set some privileges for files or folders that they create on the server or in shared folders on their desktops. Users of AppleShare client software can set access privileges for folders they own. Windows file sharing users can set folder properties, but not privileges.

Solving Problems

Users Can't Access a CD-ROM Disc

- Make sure the CD-ROM disc is a share point.
- If you share multiple CDs, make sure each CD is shared using a unique name in the Sharing pane.

Users Can't Find a Shared Item

- If a user can't find a shared item, check the access privileges for the item. The user must have Read access privileges to the share point where the item is located and to each folder in the path to the item.
- Keep in mind that server administrators don't see share points the way a user does over AFP, because administrators see everything on the server. To see share points from a user's perspective, log in using a user's name and password.
- Although DNS is not required for file services, an incorrectly configured DNS could cause a file service to fail.
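The Everyone privilege that guests, anonymous FTP users, and Web site visitors receive (see "Restricting Access by Unregistered Users (Guests)") and the path rule in "Users Can't Find a Shared Item" above both reduce to the permission bits on the folders under a share point. The following script is an added example, not part of Apple's manual or of Mac OS X Server: it translates an item's "other" permission bits into the privilege names Workgroup Manager uses, lists everything under a share point that Everyone can write to, and walks a path the way the troubleshooting bullet describes, stopping at the first folder that Everyone cannot read. It assumes the share point is a local folder, so the Everyone category corresponds to the "other" bits that ls -l shows; the sample tree built by make_sample_share is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Apple's manual. Inspects the POSIX permission
# bits behind the "Everyone" privilege of a share point: reports what a guest
# (who only gets Everyone privileges) can see or change, and checks the rule
# from "Users Can't Find a Shared Item" that Read access is needed on the
# share point and on every folder along the path to an item.
# Assumption: the share point is a local folder, so "Everyone" maps to the
# "other" bits that ls -l shows. The tree built by make_sample_share is a
# constructed sample.

# other_bits PATH -> the three "other" permission characters, e.g. "r-x"
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# everyone_privilege PATH -> the Workgroup Manager privilege name that
# corresponds to the item's "other" bits
everyone_privilege() {
    case "$(other_bits "$1")" in
        rw?) echo "Read & Write" ;;
        r-?) echo "Read Only" ;;
        -w?) echo "Write Only" ;;
        *)   echo "None" ;;
    esac
}

# world_writable ROOT -> every item under ROOT that Everyone can change or add
# to; these are the folders the chapter says to back up and check frequently
world_writable() {
    find "$1" -perm -002 | sort
}

# count_world_writable ROOT -> number of items world_writable reports
count_world_writable() {
    world_writable "$1" | awk 'END { print NR }'
}

# path_readable_by_everyone SHAREPOINT RELATIVE_PATH
# Returns 0 if Everyone can reach and read SHAREPOINT/RELATIVE_PATH. Otherwise
# prints the first folder (or the item itself) that blocks access and returns 1.
path_readable_by_everyone() {
    dir=$1
    old_ifs=$IFS
    IFS=/; set -f; set -- $2; set +f; IFS=$old_ifs      # split the path on "/"
    for part in "$@"; do
        case "$(other_bits "$dir")" in
            r?x) ;;                                     # readable and searchable
            *)   echo "$dir"; return 1 ;;
        esac
        dir="$dir/$part"
    done
    bits=$(other_bits "$dir")
    if [ -d "$dir" ]; then
        case "$bits" in r?x) return 0 ;; esac           # folder: needs read and search
    else
        case "$bits" in r??) return 0 ;; esac           # file: needs read
    fi
    echo "$dir"; return 1
}

# make_sample_share DIR -> builds a constructed share point tree under DIR
make_sample_share() {
    mkdir -p "$1/Public" "$1/Private/Notes" "$1/DropBox"
    echo "welcome" > "$1/Public/readme.txt"
    echo "draft" > "$1/Private/Notes/plan.txt"
    chmod 755 "$1" "$1/Public" "$1/Private/Notes"    # Everyone: Read Only
    chmod 644 "$1/Public/readme.txt" "$1/Private/Notes/plan.txt"
    chmod 770 "$1/Private"                            # Everyone: None
    chmod 733 "$1/DropBox"                            # Everyone: Write Only (drop box)
}

# Usage: sh sharepoint_audit.sh --demo               (runs on the sample tree)
#        sh sharepoint_audit.sh /Volumes/Data/Share   (lists world-writable items)
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d) && make_sample_share "$root"
    echo "Everyone privilege on DropBox: $(everyone_privilege "$root/DropBox")"
    echo "Items Everyone can write to:"; world_writable "$root"
    echo "Checking Private/Notes/plan.txt:"
    path_readable_by_everyone "$root" Private/Notes/plan.txt || echo "  blocks Everyone"
    rm -rf "$root"
elif [ $# -gt 0 ]; then
    world_writable "$1"
fi
```

In the sample tree, Private/Notes is itself readable by Everyone, but the path check still fails at Private, which is exactly the situation the troubleshooting bullet describes: a guest cannot find plan.txt even though the item's own privileges would allow it. The drop box is the only world-writable item, which is what you want to see when the share point is meant for guests.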
Users Can't See the Contents of a Share Point

- If you set Write Only access privileges on a share point, users won't be able to see its contents.

Chapter 5
File Services

File services enable clients of Mac OS X Server to access files, applications, and other resources over a network. Mac OS X Server includes four distinct file services:

- Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources with clients who use Macintosh or Macintosh-compatible operating systems.
- Windows services use the Server Message Block (SMB) protocol to let you share resources with clients who use Windows or Windows-compatible operating systems, and to provide name resolution service for Windows clients.
- File Transfer Protocol (FTP) service lets you share files with anyone using FTP.
- Network File System (NFS) service lets you share files and folders with users who have NFS client software (UNIX users).

The following applications help you set up and manage file services:

- Server Settings: configure and turn file services on and off
- Workgroup Manager: share information and set access privileges
- Server Status: monitor the status of file services

Before You Begin

Before you start setting up file services, determine which of the file services you need. In general, you will want to turn on and configure the file services needed to support all of your clients:

- Apple file service for Mac OS clients
- Windows services for Windows clients
- FTP service for clients using FTP to connect via the Internet
- NFS service for UNIX clients

You must configure and turn on file services before clients can access shared information (the volumes and folders you designate as share points), as described in Chapter 4, "Sharing." You must also turn on Windows services if you want to share network printers using Windows Printing (SMB). Print service is described in Chapter 7, "Print Service," on page 315.
For descriptions of the file services, see:

- "Apple File Service" on page 224
- "Windows Services" on page 235
- "File Transfer Protocol (FTP) Service" on page 244
- "Network File System (NFS) Service" on page 256

Security Issues

Security of your data and your network is the most critical issue you must consider when setting up your file services. The most important protection for your server is how you set the privileges for individual files. In Mac OS X, every file has its own privilege settings, independent of the privileges of its parent folder. Users can set privileges for files and folders they place on the server, and the server administrator can do the same for share points. See "Privileges" on page 205.

Allowing Access to Registered Users Only

If you do not want to allow guests to access your server, make sure guest access is turned off for each file service. If you see a checkmark next to Allow Guest Access in the AFP or SMB Access settings, guest access is turned on for that service. For FTP, guest access is called "anonymous" access. Click the box to remove the checkmark and turn guest (or anonymous) access off.

If you allow guest access for Apple file service, AFP also lets you control guest access for individual share points. See "Configuring Apple File Protocol (AFP) Share Points" on page 212.

The NFS equivalent of allowing guest access is exporting a shared item to World. Unlike guest access, which you set when configuring a service, exporting to World is an option you set when sharing an item. See "Sharing (Exporting) Items Using Network File System (NFS)" on page 213.

Note: NFS does not authenticate users. NFS service grants access to shared information based on the client computer's IP address.
This is a much weaker way of preventing unauthorized access than the authentication used by the other file services, which require users to enter a user name and password before they can reach shared information.

Client Computer Requirements

For information on client computer requirements, see "Supporting Client Computers" on page 259.

Setup Overview

Here is an overview of the basic steps for setting up file services.

Step 1: Read "Before You Begin"
Read "Before You Begin" on page 221 for issues you should consider before setting up file services.

Step 2: Define users
Before users can access shared information, they must be given accounts that register them with the server. See Chapter 3, "Users and Groups," for information about setting up user accounts.

Step 3: Create share points and set privileges
You share information on the network by designating volumes and folders as share points. Chapter 4, "Sharing," tells you how to create share points and define access privileges for the shared information.

Step 4: Configure and start up file services
You use Server Settings to configure and start up file services. See these sections for setting up the individual services:

- "Setting Up Apple File Service" on page 225
- "Setting Up Windows Services" on page 237
- "Setting Up File Transfer Protocol (FTP) Service" on page 250
- "Setting Up NFS Service" on page 257

Step 5: Check client configurations
After you set up file services, make sure client computers are configured properly to connect to the server. Macintosh, Windows, and UNIX client computers all require TCP/IP to connect to the server. See "Supporting Client Computers" on page 259.

Apple File Service

Apple file service allows Macintosh client users to connect to your server and access folders and files as if they were located on the user's own computer.
If you are familiar with AppleShare IP 6.3, you will find that Apple file service in Mac OS X Server functions in the same way. It uses a new version of the Apple Filing Protocol (AFP), version 3.1, which supports new features such as Unicode file names and 64-bit file sizes. Unicode is a standard that assigns a unique number to every character, regardless of language or the operating system used to display the language.

One difference in the new Apple file service is that AppleTalk is no longer supported as a connection method. Mac OS X Server advertises its services over AppleTalk so that clients using AppleTalk can see servers in the Chooser, but they need to connect to the server using TCP/IP. See "Supporting Mac OS X Clients" on page 259 and "Supporting Mac OS 8 and Mac OS 9 Clients" on page 260.

Automatic Reconnect

Mac OS X Server can automatically reconnect Mac OS X clients that have become idle or gone to sleep. When clients become idle or go to sleep, Mac OS X Server disconnects them to free up server resources. Mac OS X Server can save Mac OS X client sessions, however, allowing these clients to resume work on open files without loss of data. You configure this setting in the Idle Users pane of the Apple file service configuration window. See "Configuring Apple File Service Idle Users Settings" on page 228.

Find By Content

Mac OS X clients can use Sherlock to search the contents of AFP servers. This feature enforces privileges, so only files to which the user has access are searched.

Kerberos Authentication

Apple file service supports Kerberos authentication. Kerberos is a network authentication protocol developed at MIT to provide secure authentication and communication over open networks. In addition to the standard authentication method, Mac OS X Server uses the Generic Security Services Application Programming Interface (GSSAPI) to support Kerberos v5.
You specify the authentication method in the Access pane of Configure Apple File Service. See "Configuring Apple File Service Access Settings" on page 226. For information about integrating your Mac OS X Server with Kerberos, see "Understanding Kerberos" on page 198.

Apple File Service Specifications

Maximum number of connected users (depending on your license agreement): Unlimited (hardware dependent)
Maximum volume size: 2 terabytes
TCP port number: 548
Log file location: /Library/Logs, in the AppleFileService folder

Before You Set Up Apple File Service

If you asked the Server Assistant to configure Apple file service when you installed Mac OS X Server, you don't have to do anything else to use Apple file service. However, you should check whether the default settings meet all your needs. The following section steps you through each of the Apple file service settings.

Setting Up Apple File Service

You set up Apple file service by configuring four groups of settings in the Configure Apple File Service window:

- General: set information that identifies your server, enable automatic startup, and create a login message for Apple file service
- Access: set up client connections and guest access
- Logging: configure and manage logs for Apple file service
- Idle Users: configure and administer idle user settings

The following sections describe the tasks for configuring these settings. A fifth section tells you how to start up Apple file service after you have completed its configuration.

Configuring Apple File Service General Settings

You use the General pane to set identifying information about your server, enable automatic startup, and create a login message for Apple file service.

To configure Apple file service General settings:

1. In Server Settings, click the File & Print tab.
2. Click Apple and choose Configure Apple File Service.
3. Click the General tab.
4. In the Computer Name field, type the name for the server you want users to see when using the Chooser or the Network Browser. The name you enter here must be unique among all computers connected to the network. If you leave this field blank, the server registers itself on the network using its IP address, and the server's DNS name shows in this field.
5. Select "Start Apple File Service on system startup" to ensure that file service will be available if the server is restarted after a power failure or other unexpected event. This option is selected automatically when you start the server, and in most cases it's best to leave it selected.
6. Select "Enable browsing with Network Service Location" if you want to allow users to see this server in the "Connect to Server" pane in Mac OS X or in the Network Browser in Mac OS 9. This option also registers the server with Rendezvous, and is available to client computers that have Mac OS 9 or later installed. If you turn on this option, you must also enable IP multicasting on your network router. See Chapter 16, "SLP DA Service," for more information about Service Location Protocol (SLP) and IP multicasting.
7. Select "Enable browsing with AppleTalk" if you want Mac OS 8 and Mac OS 9 clients to be able to find your file server using the Chooser. To find the server using the Chooser, AppleTalk must be enabled on both the client computer and the server. Clients will be able to see the server in the Chooser, but will need to connect using TCP/IP.
8. In the "Encoding for older clients" pop-up menu, choose the character set that matches the character set used by your Mac OS 8 and Mac OS 9 clients. When Mac OS 9 and earlier clients are connected, the server converts file names from the system's UTF-8 to the chosen set. This has no effect on Mac OS X clients.
9. Select "Do not send same message twice to the same user" if you want users to see your greeting only the first time they log in to the server.
If you change the message, users will see the new message the next time they connect to the server.
10. In the Logon Greeting field, type the message that you want users to see when they connect.
    Note: The logon message does not appear when a user logs in to his or her home directory.
11. Click Save.

Configuring Apple File Service Access Settings

You use the Access pane to control client connections and guest access.

To configure Apple file service Access settings:

1. In Server Settings, click the File & Print tab.
2. Click Apple and choose Configure Apple File Service.
3. Click the Access tab.
4. Choose the authentication method you want to use: Standard, Kerberos, or Any Method. Any Method lets each client use whichever of the two it supports; choose Kerberos if you want to require it.
5. Select "Enable Guest access" if you want to allow unregistered users to access the file server. Guest access is a convenient way to provide occasional users with access to files and other items in share points that allow guest access. For better security, leave this option unselected.
   Note: If you allow guest access for Apple file service, AFP lets you control guest access for individual share points. See "Configuring Apple File Protocol (AFP) Share Points" on page 212.
6. Select "Enable secure connections" if you want to allow clients to connect using secure AFP (which carries the AFP connection over SSH).
7. Under "Maximum client connections (including Guests)": select Unlimited if you don't want to limit the number of users who can be connected to your server at one time, or enter a number to limit the number of simultaneous users. The maximum number of simultaneous users is also limited by the type of license you have. For example, if you have a 10-user license, a maximum of 10 users can connect at one time. Limiting the number of connections frees resources for other services and applications.
8. Under "Maximum Guest connections": select Unlimited if you don't want to limit the number of guest users who can be connected to your server at one time.
Enter a number if you want to limit how many of your maximum client connections can be used by guests. This number cannot be greater than the number of client connections allowed.

9 Click Save.

Configuring Apple File Service Logging Settings

You use the Logging pane to configure and manage logs for Apple file service.

To configure Apple file service Logging settings:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Logging tab.
4 Select “Enable Access log” if you want to create an access log. The access log records the events you select in step 6.
5 Select “Archive every __ days” and type the number of days to specify how often the log file contents are saved to an archive.

The server closes the log at the end of each archive period, renames it to include the current date, and opens a new log file. You can keep the archived logs for your records or delete them to free disk space when they are no longer needed. The default setting is 7 days.

6 Select the events that you want Apple file service to log. An entry is logged each time a user performs one of the selected actions. Consider your server’s disk size when choosing events to log: the more events you choose, the larger the log file. If you expect to use the log to investigate incidents, log at least logins, logouts, and file creation and deletion, and remember that an archive period shorter than your retention period means you must keep the archived files, not just the live log.

7 Select “Error Log: Archive every __ days” and type the number of days to specify how often the error log file contents are saved to an archive. The error log is archived the same way as the access log: the server closes it at the end of each period, renames it to include the current date, and opens a new file. The default setting is 7 days.

8 Click Save.

You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.
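The archive behaviour described in steps 5 and 7 (close the log, rename it to include the date, open a new one) is easy to reproduce for any text log, which is useful when you need the same rotation for logs the server does not archive itself. The following is an added example, not Apple’s code or the supplied log rolling scripts. The log file name AppleFileServiceAccess.log under the documented /Library/Logs/AppleFileService folder is an assumption, and the sample log lines are constructed, not real AFP log syntax.

```python
# Added example, not Apple's code: emulate the "Archive every N days"
# rotation for an AFP log. The file name below is an assumption based on
# the documented /Library/Logs/AppleFileService folder.
import datetime as dt
import os
import tempfile

DEFAULT_PERIOD_DAYS = 7          # documented default for both AFP logs
ASSUMED_ACCESS_LOG = "/Library/Logs/AppleFileService/AppleFileServiceAccess.log"


def archive_due(last_archived, now, period_days=DEFAULT_PERIOD_DAYS):
    """True once a whole archive period has elapsed since the last archive."""
    return now - last_archived >= dt.timedelta(days=period_days)


def archive_log(log_path, now):
    """Rename the live log to include the date and start a new, empty log.

    Returns the archive file name. A second rotation on the same day gets a
    numeric suffix instead of overwriting the earlier archive.
    """
    stamp = now.strftime("%Y-%m-%d")
    archived = f"{log_path}.{stamp}"
    n = 1
    while os.path.exists(archived):
        archived = f"{log_path}.{stamp}.{n}"
        n += 1
    os.rename(log_path, archived)
    # Access logs record user names and client addresses, so the new log is
    # created owner/group readable only (0640), never world-readable.
    fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    os.close(fd)
    return archived


def rotate_if_due(log_path, last_archived, now, period_days=DEFAULT_PERIOD_DAYS):
    """Archive only when the period has elapsed; otherwise return None."""
    if not archive_due(last_archived, now, period_days):
        return None
    return archive_log(log_path, now)


def demo():
    """Run the rotation against a constructed log in a temporary folder."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, os.path.basename(ASSUMED_ACCESS_LOG))
    constructed_lines = [                     # constructed sample entries
        "bob 192.0.2.10 Login\n",
        "bob 192.0.2.10 OpenFork /Photos/img.jpg\n",
    ]
    with open(log_path, "w") as fh:
        fh.writelines(constructed_lines)

    now = dt.datetime(2003, 1, 8, 3, 0)
    too_soon = rotate_if_due(log_path, dt.datetime(2003, 1, 5), now)  # 3 days: keep
    archived = rotate_if_due(log_path, dt.datetime(2003, 1, 1), now)  # 7 days: rotate
    with open(archived) as fh:
        archived_lines = fh.read().count("\n")
    return {
        "too_soon": too_soon,
        "archived": os.path.basename(archived),
        "archived_lines": archived_lines,
        "new_log_size": os.path.getsize(log_path),
        "new_log_mode": os.stat(log_path).st_mode & 0o777,
    }


if __name__ == "__main__":
    print(demo())
```

The permission check matters more than the renaming: the access log lists who connected from where, so an archive that is left world-readable leaks the same information to every local account on the server.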
Configuring Apple File Service Idle Users Settings

You use the Idle Users pane to configure and administer idle user settings. Idle users are users who are connected to the server but have not used the server volume for a period of time.

To configure Apple file service Idle Users settings:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Idle Users tab.
4 Select “Allow clients to sleep __ hour(s)—will not show as idle” and type the number of hours during which clients can automatically reconnect to the server after becoming idle or going to sleep. Although the server disconnects clients when they become idle or go to sleep, their sessions are kept for the specified period. When a user resumes work within that time, the client reconnects with no apparent interruption. If a longer period elapses, open files are closed and any unsaved work is lost.
5 Select “Disconnect idle users after __ minutes” and type the number of minutes after which idle users are disconnected.

This ensures that server resources are available to active users. Mac OS X version 10.2 (and later) clients can resume work on open files within the limits of the “Save sleep and reconnect session” setting.

6 Select the users you want to exempt from being disconnected: Guests, Registered users (any user who is not also an administrator or guest), Administrators, or Idle users who have open files.
7 In the “Disconnect Message” field, type the message you want users to see when they are disconnected. If you do not type a message, a default message appears stating that the user has been disconnected because the connection has been idle for a period of time. Not all client computers can display disconnect messages. For example, Mac OS X version 10.2 (and later) clients do not see this message, because they can automatically reconnect to the server.
8 Click Save.
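The sleep allowance, the idle limit, and the four exemptions interact, and the combination that matters most is an idle user with open files who is not exempted. The following model of those rules is an added example, not Apple’s code; the session records are constructed to mirror what the Connections pane shows (user, idle time, open files), and the “asleep” flag and the treatment of an expired sleep allowance as closing the files follow the description in step 4 rather than any documented data structure.

```python
# Added example, not Apple's code: a model of the Idle Users settings so you
# can see which sessions a given configuration would disconnect.
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    role: str              # "guest", "registered", or "administrator"
    idle_minutes: float    # time since the last data transfer
    open_files: int
    asleep: bool = False   # the client went to sleep rather than sitting idle


@dataclass
class IdleSettings:
    sleep_hours: float = 0.0           # "Allow clients to sleep __ hour(s)"
    disconnect_after_min: float = 0.0  # "Disconnect idle users after __ minutes"; 0 = off
    exempt_guests: bool = False
    exempt_registered: bool = False
    exempt_admins: bool = False
    exempt_open_files: bool = False    # "Idle users who have open files"


def disconnect_decisions(sessions, settings):
    """Return {user: reason} for every session the settings would drop."""
    decisions = {}
    for s in sessions:
        if s.asleep:
            # A sleeping client keeps its session for the sleep allowance and
            # reconnects without interruption; beyond it the files are closed.
            if s.idle_minutes <= settings.sleep_hours * 60:
                continue
            decisions[s.user] = "sleep allowance expired: open files closed"
            continue
        if settings.disconnect_after_min <= 0:
            continue                      # idle disconnect is turned off
        if s.idle_minutes < settings.disconnect_after_min:
            continue                      # still within the idle limit
        exempt = (
            (s.role == "guest" and settings.exempt_guests)
            or (s.role == "registered" and settings.exempt_registered)
            or (s.role == "administrator" and settings.exempt_admins)
            or (s.open_files > 0 and settings.exempt_open_files)
        )
        if exempt:
            continue
        if s.open_files:
            decisions[s.user] = (f"idle with {s.open_files} open file(s): "
                                 "unsaved changes are lost")
        else:
            decisions[s.user] = "idle"
    return decisions


# Constructed sessions, in the shape the Connections pane reports.
SAMPLE_SESSIONS = [
    Session("guest", "guest", idle_minutes=45, open_files=0),
    Session("bob", "registered", idle_minutes=45, open_files=2),
    Session("alice", "administrator", idle_minutes=120, open_files=0),
    Session("carol", "registered", idle_minutes=90, open_files=1, asleep=True),
    Session("dave", "registered", idle_minutes=10, open_files=3),
    Session("erin", "registered", idle_minutes=200, open_files=1, asleep=True),
]


def demo(exempt_open_files):
    """Disconnect after 30 idle minutes, 2-hour sleep allowance, admins exempt."""
    settings = IdleSettings(sleep_hours=2, disconnect_after_min=30,
                            exempt_admins=True,
                            exempt_open_files=exempt_open_files)
    return disconnect_decisions(SAMPLE_SESSIONS, settings)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"exempt open files = {flag}: {demo(flag)}")
```

With the open-files exemption off, bob loses two open files after 45 idle minutes; with it on, only the guest and the client whose sleep allowance ran out are dropped.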
Important: If you do not select the last exemption in the Idle Users pane, “Idle users who have open files,” any idle user (guest, registered user, or administrator) who has open files is disconnected and may lose unsaved changes.

Starting Apple File Service

Start Apple file service to make the service available to your client users.

To start Apple file service:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Start Apple File Service.

A globe appears on the service icon when the service is turned on. You can also set Apple file service to start automatically each time your server starts up. See “Starting Up Apple File Service Automatically” on page 231.

Managing Apple File Service

This section tells you how to perform day-to-day management tasks for Apple file service once you have it up and running.

Viewing Apple File Service Status

You use Server Status to check the status of all Mac OS X Server devices and services.

To view Apple file service status:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select AppleFile in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Overview tab to see whether the service is running and when it started, its throughput and number of connections, and whether guest access and logging are enabled.
3 Click the Logs tab to see the access and error logs. Use the Show pop-up menu to choose which log to view.
4 Click the Connections tab to see a list of the users currently connected to Apple file service. The table includes the user name, type of connection, the user’s IP address or domain name, duration of connection, and the time since the last data transfer (idle time). Buttons at the bottom of the pane let you send a message to a user and disconnect the user.
5 Click the Graphs tab to see graphs of connected users or throughput. Use the pop-up menu to choose which graph to view.
Adjust the time scale using the slider at the bottom of the pane.

Viewing Apple File Service Logs

You use Server Status to view the error and access logs for Apple file service (if you have enabled them). You can also save selected log entries in another file or folder.

To view logs:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select AppleFile in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Logs tab and use the Show pop-up menu to choose between the access and error logs.

Stopping Apple File Service

Important: When you stop Apple file service, connected users may lose any information they have not saved.

To stop Apple file service:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Stop Apple File Service.
3 Enter the length of time to wait before file service stops.
4 Type a message in the Additional Message field if you want to send users a message in addition to the default message when the service is stopped.
5 Click Shutdown.

Note: Stopping the service disables the “Start Apple File Service on system startup” option.

Starting Up Apple File Service Automatically

You can set Apple file service to start automatically each time your server starts up.

Note: Apple file service must already be running before you can set this option. See “Starting Apple File Service” on page 229.

To set Apple file service to start up automatically:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the General tab.
4 Select “Start Apple File Service on system startup” and click Save.

Changing the Apple File Server Name

By default, Apple file service registers itself on the network using its IP address, and the server’s DNS name is the name users see in the Chooser or the Network Browser.
To change the name of the file server:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the General tab.
4 Type a new name for your server in the Computer Name field and click Save.

The name you enter here must be unique among all computers connected to the network.

Registering With Network Service Locator

You can register your Apple file server with Network Service Locator (NSL) so that users can find the server by browsing the available servers. Otherwise, users must type the server’s host name or IP address.

To register with NSL:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the General tab, select “Register with Network Service Location,” and click Save.

This option also registers the server with Rendezvous. If you turn on this option, you must also enable and configure Service Location Protocol (SLP) service on your network router. See Chapter 16, “SLP DA Service,” for more information about SLP.

Enabling AppleTalk Browsing for Apple File Service

If you enable browsing with AppleTalk, users can see your servers and other network resources in the Chooser.

To enable browsing via AppleTalk:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Access tab and select “Allow clients to browse using AppleTalk.”
4 Click Save.

Setting Maximum Connections for Apple File Service

If your server provides a number of services, you can improve server performance by limiting the number of clients and guests who can be connected at the same time.

To set the maximum number of connections:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Access tab.
4 Under “Maximum client connections (including Guests),” type the maximum number of connections you want to allow.
5 Click Save.
Turning On Access Logs for Apple File Service

The access log can record each time a user logs in or out, opens a file, creates a file or folder, or deletes a file or folder.

To turn on access logs:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Logging tab and select “Enable access log.”
4 Select the events that you want Apple file service to log.

Entries are logged each time a user performs one of the actions you select. Consider your server’s disk size when choosing events to log: the more events you choose, the larger the log file. You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.

Archiving Apple File Service Logs

You can specify how often the contents of the access and error logs for Apple file service are saved to an archive file.

To set how often logs are archived:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Logging tab.
4 Make sure “Enable Access log” is selected.
5 Select “Archive every __ days” and type the number of days to specify how often the log file contents are saved to an archive.

The server closes the log at the end of each archive period, renames it to include the current date, and opens a new log file. You can keep the archived logs for your records or delete them to free disk space when they are no longer needed. The default setting is 7 days.

6 Select “Error Log: Archive every __ days” and type the number of days to specify how often the error log file contents are saved to an archive. The error log is archived in the same way, and its default setting is also 7 days.
7 Click Save.

You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.

Disconnecting a User From the Apple File Server

To disconnect a user:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Show Apple File Service Status.
3 Select the user and click Disconnect.
4 Enter the amount of time before the user is disconnected, and type a disconnect message. If you don’t type a message, a default message appears.
5 Click Disconnect.

Disconnecting Idle Users From the Apple File Server

You can set Apple file service to automatically disconnect users who are connected to the server but have not used the server volume for a period of time.

To set how the server handles idle users:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Idle Users tab and choose the settings you want to use.
4 In the Disconnect Message field, type the message you want client users to see when they are disconnected. If you don’t enter a message, a default message appears.
5 Click Save.

Allowing Guest Access to the Apple File Server

Guests are users who can see information on your server without using a name or password to log in. For better security, do not allow guest access.

To enable guest access:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Access tab and select “Allow Guest access.”
4 Under “Maximum guest connections”:
Select Unlimited if you don’t want to limit the number of guest users who can be connected to your server at one time.
Enter a number if you want to limit how many of your maximum client connections can be used by guests.
5 Click Save.

Creating a Login Greeting for Apple File Service

The login greeting is a message users see when they log in to the server.
To create a login greeting:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the General tab and type your message in the Logon Greeting field.
4 Select “Do not send same message twice to the same user” if you want users to see your greeting only the first time they log in to the server.

If you change the message, users see the new message the next time they connect to the server.

5 Click Save.

Sending a Message to an Apple File Service User

You use the Connections pane of Server Status to send messages to clients using Apple file service.

To send a user a message:
1 In Server Status, locate the name of the server the user is connected to in the Devices & Services list and select AppleFile in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click Connections and select the user’s name in the list.
3 Click Send Message.
4 Type the message you want to send and click Send.

Windows Services

Windows services in Mac OS X Server provide four native services to Windows clients:
• file service, which allows Windows clients to connect to Mac OS X Server using the Server Message Block (SMB) protocol over TCP/IP
• print service, which uses SMB to allow Windows clients to print to PostScript printers on the network
• Windows Internet Naming Service (WINS), which allows clients across multiple subnets to perform name/address resolution
• browsing, which allows clients to browse for available servers across subnets

Windows services use the Windows code page setting to display the correct language for the client.

Samba is open-source software that provides file and print services to Windows clients.
For more information about Samba, refer to the Samba web site: www.samba.org

Windows Services Specifications

Maximum number of connected users, depending on your license agreement: 1000
Maximum volume size: 2 terabytes
TCP port number: 139
UDP port numbers: 137, 138
Log file location: /Library/Logs, in the WindowsFileServices folder

Before You Set Up Windows Services

If you plan to provide Windows services on your Mac OS X Server, read the following sections for issues to keep in mind. You should also check the Microsoft documentation for your version of Windows to find out more about the capabilities of the client software.

Although Mac OS X Server does not require any special software or configuration on Windows client computers, you may want to read “Supporting Windows Clients” on page 261.

Ensuring the Best Cross-Platform Experience

Mac OS and Windows computers store and maintain files differently. For the best cross-platform experience, set up at least one share point to be used only by your Windows users. See “Creating Share Points and Setting Privileges” on page 211. In addition, you can improve the user experience by following these guidelines:
• Use comparable versions of application software on both platforms.
• Modify files only with the application they were created in.
• Limit Windows file names to 31 characters (the limit for Mac OS 8 and Mac OS 9 clients).
• Don’t use symbols or accented characters in the names of shared items.

Windows User Password Validation

Mac OS X Server supports several methods of validating Windows user passwords. Password Server is the recommended method. It supports LDAP as well as NetInfo, because the directory does not store the password, just a pointer to the proper Password Server and the user ID. The Password Server database is a file readable only by root, and its contents are encrypted. Passwords cannot be read over the network; they can only be verified. See “Using a Password Server” on page 195 and “Setting Up an Open Directory Domain and Password Server” on page 92.

Authentication Manager is supported for upgrades from earlier versions of Mac OS X Server (10.1 and earlier). Existing users continue to use Authentication Manager. (If you export users from Mac OS X Server and reimport them, the tim_password is not set; you must manually set the password for each user after import.) You can enable Authentication Manager from the command line. Use Basic password validation. Set Authentication Manager passwords on the server that hosts the domain you are editing. See Understanding and Using NetInfo for information on how to use the command-line utilities for Authentication Manager. This document is available on the Mac OS X Server web site: www.apple.com/macosx/server/

Note: Authentication Manager is only supported with NetInfo.

Setting Up Windows Services

You set up Windows services by configuring four groups of settings:
• General: set information that identifies your Windows server and enable automatic startup
• Access: allow guest access and set the maximum number of client connections
• Logging: choose the level of detail you want in your log
• Neighborhood: set up name resolution and enable browsing across subnets

Because the default settings work well in most cases, setting up Windows services may require nothing more than starting the service. Nonetheless, look through the settings and change anything that isn’t appropriate for your network. Each of the settings is described in the following sections on configuration. After the configuration tasks, other topics tell you how to start Windows services.

Configuring Windows Services General Settings

You use the General pane to set identifying information about your Windows server and to enable automatic startup.
To configure Windows General settings:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the General tab.
4 In the Server Name field, type the server name you want users to see when they connect. The default name is the NetBIOS name of the Windows file server. The name must contain no more than 15 characters and no special characters or punctuation. If practical, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry for your server as “server.apple.com,” give your server the name “server.”
5 In the Workgroup field, type the name of the workgroup you want users to see in the Network Neighborhood window. If you have Windows domains on your subnet, use one of them as the workgroup name to make it easier for clients to communicate across subnets. Otherwise, consult your Windows network administrator for the correct group name. The workgroup name cannot exceed 15 characters.
6 In the Description field, type a description that is meaningful to you or your users. This description appears in the Network Neighborhood window on client computers, and it is optional. The description cannot exceed 48 characters.
7 Use the Code Page pop-up menu to choose the code page for the language client computers use.
8 Select “Start Windows Services on system startup” if you want to ensure that Windows services are available again if the server restarts after a power failure or other unexpected event. This option is selected automatically when you start the service, and in most cases it is best to leave it selected.

Configuring Windows Services Access Settings

You use the Access pane to allow guest access and set the maximum client connections.

To configure Windows services Access settings:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Access tab.
4 Select “Allow Guest access” only if you want to allow people who are not registered users to use Windows file sharing. This is a convenient way to give occasional users access to files and other items for which the appropriate privileges have been set. For better security, do not select this option.
5 Below “Maximum client connections,” choose Unlimited if you do not want to limit the number of users who can be connected to your server at one time.
6 If you want to limit the number of simultaneous users, click the button below Unlimited and enter the number of connections.

The maximum number of simultaneous users is also limited by the type of license you have. For example, if you have a 10-user license, at most 10 users can connect at one time. Limiting the number of connections can free resources for other services and applications.

Configuring Windows Services Logging Settings

You use the Logging pane to choose the level of detail you want in your logs.

To configure Windows services Logging settings:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Logging tab.
4 Use the Detail Level pop-up menu to choose the level of detail you want logged: None, Minimal, or Verbose. The more detailed the logging, the larger the log file. The table below shows the level of detail you get for each option. Note that warnings and errors are logged even at None, but failed login attempts are recorded only at Minimal or Verbose, so choose at least Minimal if you want to see authentication failures.

You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.

Configuring Windows Services Neighborhood Settings

You use the Neighborhood pane to set up name resolution and enable browsing across subnets.

To configure Windows services Neighborhood settings:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
Events logged                                                           None   Minimal   Verbose
Starting and stopping the server                                        No     Yes       Yes
When users try and fail to log in                                       No     Yes       Yes
Warnings and errors                                                     Yes    Yes       Yes
When browser name registration occurs                                   No     Yes       Yes
Access events (each time a file is opened, modified, read, and so on)   No     No        Yes

3 Click the Neighborhood tab.
4 Under WINS Registration, choose whether to register with a WINS server, either locally or externally:
Choose “Off” to prevent your server from registering itself with any external WINS server or local name resolution server.
Choose “Enable WINS server” to have the file server provide local name resolution services. This allows clients across multiple subnets to perform name/address resolution.
Choose “Register with WINS server” if your Windows clients and Windows server are not all on the same subnet and your network has a WINS server. Then enter the IP address or DNS name of the WINS server.
5 Under Workgroup/Domain Services, choose whether to enable domain browsing services:
“Master Browser” provides browsing and discovery of servers in a single subnet.
“Domain Master Browser” provides browsing and discovery of servers across subnets.

Starting Windows Services

Start Windows services to make the services available to your client users.

To start Windows services:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Start Windows Service.

A globe appears on the service icon when the service is turned on.

Managing Windows Services

This section tells you how to perform day-to-day management tasks for Windows services once you have the services up and running.

Stopping Windows Services

To stop Windows services:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Stop Windows Services.

Setting Automatic Startup for Windows Services

You can set Windows services to start automatically each time your server starts up.
Important: When you stop Windows services, connected users lose any information they haven’t saved.

To set automatic startup:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the General tab, then select “Start Windows Services on system startup.”
4 Click Save.

Changing the Windows Server Name

The default server name is the NetBIOS name of the Windows file server. The name must contain no more than 15 characters and no special characters or punctuation.

To change the file server name:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the General tab and enter a name in the Server Name field.
4 Click Save.

Finding the Server’s Workgroup Name

You can find the server’s workgroup name in the General pane of Configure Windows Services.

To find the server’s workgroup name:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.

The workgroup name is shown in the General pane.

Checking Windows Services Status

You use Server Status to check the status of all Mac OS X Server devices and services.

To view Windows services status:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select Windows in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Overview tab to see whether the services are running and when they started, the number of connections, and whether guest access and logging are enabled.
3 Click the Logs tab to see the Windows file service and name service logs. Use the Show pop-up menu to choose which log to view.
4 Click the Connections tab to see a list of the users currently connected to Windows services. The list includes the users’ names, IP addresses, and duration of connections.
A button at the bottom of the pane lets you disconnect a user.
5 Click the Graphs tab to see graphs of connected users or throughput. Connected users are shown as a column chart. Use the slider to adjust the time scale.

Registering with a WINS Server

Windows Internet Naming Service (WINS) matches server names with IP addresses. You can use your server as the local name resolution server, or you can register with an external WINS server.

To register your server with a WINS server:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Neighborhood tab and select one of the options under WINS Registration. If you select “Register with WINS server,” enter the IP address or DNS name of the external WINS server you want to use.
4 Click Save.

Enabling Domain Browsing for Windows Services

If there are no Microsoft servers on your subnet or network to control domain browsing, use these options to restrict domain browsing to a single subnet or to allow browsing across your network. Do not select Domain Master Browser on a network that already has a Windows domain controller; the domain controller expects to hold that role, and two domain master browsers compete for it.

To enable domain browsing:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Neighborhood tab, then select Master Browser or Domain Master Browser. Select Master Browser to let clients browse for and locate servers in a single subnet. Select Domain Master Browser to let clients browse for and locate servers across your network (subnets).
4 Click Save.

Setting Maximum Connections for Windows Services

You can limit the resources consumed by Windows services by limiting the maximum number of connections.

To set the maximum number of connections:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Access tab.
4 Click Unlimited, or type the maximum number of connections you want to allow.
5 Click Save.
Setting Up the Windows Services Log

When you set up logging for Windows services, you can choose the level of detail you want to log.

To set up a log for Windows services:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Logging tab, then use the Detail Level pop-up menu to choose the level of detail you want to log: None, Minimal, or Verbose. The more detailed the logging, the larger the log file.
4 Click Save.

Disconnecting a User From the Windows Server

Important: Users who are disconnected lose any information they haven’t saved.

To disconnect a user:
1 In Server Status, locate the name of the server the user is connected to in the Devices & Services list.
2 Select Windows in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
3 Click the Connections tab and select the user you want to disconnect.
4 Click the Disconnect button.

Allowing Guest Access in Windows Services

Guests are users who can see information on your server without using a name or password to log in. For better security, do not allow guest access.

To enable guest access to the server:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Access tab and select “Allow Guest access.”
4 Click Save.

Assigning the Windows Server to a Workgroup

Users see the workgroup name in the Network Neighborhood window. If you have Windows domains on your subnet, use one of them as the workgroup name to make it easier for clients to communicate across subnets. Otherwise, consult your Windows network administrator for the correct name.

To assign a workgroup name:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the General tab and type a name in the Workgroup field.
4 Click Save.
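Because Windows services are implemented with Samba, the General, Access, Logging, and Neighborhood settings described above ultimately become smb.conf parameters. The following is an added example, not Apple’s or the Samba project’s code: it enforces the name limits the manual gives (15 characters for Server Name and Workgroup, 48 for Description, no punctuation) and renders a [global] section. The mapping from pane options to Samba parameters is my assumption about how such settings correspond, not something the manual states: in particular the numeric log levels chosen for None/Minimal/Verbose, and the guest handling, which maps only unknown user names to guest rather than bad passwords.

```python
# Added example, not Apple's or Samba's code: validate the Windows services
# name limits from the manual and render an smb.conf [global] section. The
# parameter mapping is an assumption, not documented by Apple.
import re

NETBIOS_MAX = 15       # Server Name and Workgroup: at most 15 characters
DESCRIPTION_MAX = 48   # Description: at most 48 characters
# The manual allows no special characters or punctuation, so only letters
# and digits are accepted here.
_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,%d}$" % NETBIOS_MAX)

# Assumed mapping of the Detail Level pop-up onto Samba's numeric log level.
LOG_LEVELS = {"None": 0, "Minimal": 1, "Verbose": 3}
WINS_MODES = ("Off", "Enable WINS server", "Register with WINS server")
BROWSER_MODES = ("None", "Master Browser", "Domain Master Browser")


def is_valid_netbios_name(name):
    """True for a name the General pane would accept."""
    return bool(_NAME_RE.match(name))


def validate_netbios_name(name, field="Server Name"):
    if not is_valid_netbios_name(name):
        raise ValueError(f"{field} must be 1-{NETBIOS_MAX} letters or digits, "
                         f"with no punctuation: {name!r}")
    return name.upper()


def render_smb_global(server_name, workgroup, description="",
                      guest_access=False, max_connections=0,
                      detail_level="Minimal", wins="Off", wins_server=None,
                      browser="None"):
    """Render an smb.conf [global] section. max_connections=0 means Unlimited."""
    if max_connections < 0:
        raise ValueError("max_connections must be 0 (unlimited) or positive")
    if len(description) > DESCRIPTION_MAX:
        raise ValueError(f"Description longer than {DESCRIPTION_MAX} characters")
    if wins not in WINS_MODES or browser not in BROWSER_MODES:
        raise ValueError("unknown WINS or browser mode")

    lines = [
        "[global]",
        f"   netbios name = {validate_netbios_name(server_name)}",
        f"   workgroup = {validate_netbios_name(workgroup, 'Workgroup')}",
    ]
    if description:
        lines.append(f"   server string = {description}")

    # Guest access. 'Never' refuses unknown users outright. When guests are
    # allowed, 'Bad User' maps only unknown user names to guest; 'Bad
    # Password' is deliberately not used, since it would turn every mistyped
    # password for a real account into an anonymous session.
    lines.append("   map to guest = " + ("Bad User" if guest_access else "Never"))
    lines.append("   guest ok = " + ("yes" if guest_access else "no"))
    lines.append(f"   max connections = {max_connections}")
    lines.append(f"   log level = {LOG_LEVELS[detail_level]}")

    # WINS: a host is either a WINS server or a WINS client, never both.
    if wins == "Enable WINS server":
        lines.append("   wins support = yes")
    elif wins == "Register with WINS server":
        if not wins_server:
            raise ValueError("Register with WINS server needs a server address")
        lines.append(f"   wins server = {wins_server}")

    # Browsing. Domain Master Browser also acts as master for its own subnet.
    # Leave both off if a Windows domain controller already holds the role.
    local = browser != "None"
    domain = browser == "Domain Master Browser"
    lines.append("   local master = " + ("yes" if local else "no"))
    lines.append("   preferred master = " + ("yes" if local else "no"))
    lines.append("   domain master = " + ("yes" if domain else "no"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_smb_global("server", "WORKGROUP", "Design files",
                            wins="Enable WINS server",
                            browser="Domain Master Browser"))
```

The name check rejects “server.apple.com” for the reason the manual gives: the NetBIOS name is the unqualified host name, and the dots count as punctuation.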
File Transfer Protocol (FTP) Service

FTP allows computers to transfer files over the Internet. Clients using any operating system that supports FTP can connect to your file server and download files, depending on the permissions you set. Most Internet browsers and a number of freeware applications can be used to access your FTP server. Keep in mind that FTP sends user names, passwords, and file contents in the clear: anyone who can observe the network path can read them, so reserve authenticated FTP for networks you trust, or use the service only for anonymous downloads of public material.

FTP service in Mac OS X Server is based on the source code for Washington University’s FTP server, known as “wu-FTPd.” However, modifications have been made to the original source code to deliver a better user experience. Some of these differences are described in the following sections.

Secure FTP Environment

Most FTP servers provide a restricted directory environment that confines FTP users to a specific area within a server. Users can see only directories and data in this area, so the rest of the server is protected. However, users cannot access volumes mounted outside this restricted area: symbolic links and aliases do not reach across the boundaries set within the server.

FTP service in Mac OS X Server expands the restricted environment to allow access through symbolic links and aliases while still providing a secure FTP environment. FTP users can potentially access directories and their contents located anywhere on the server, as long as those directories are share points configured for FTP. The boundary is therefore the set of FTP share points you define rather than a single directory tree, so review that set carefully: every FTP share point is reachable by anyone who can log in, subject only to the access privileges you set on it.

Access to the FTP root and FTP share points for individual users is determined by the user environment you specify (described in the following section) and by the access privileges set for the users.
For information about creating share points and setting access privileges, see Chapter 4, “Sharing.” See “Configuring the FTP User Environment” on page 254.

User Environments

Mac OS X Server provides three different user environments that determine how the FTP root, share points, and home directories are made available to FTP users:
• FTP root and share points
• Home directory and FTP root
• Home directory only

You specify the user environment in the Advanced pane of Configure FTP Service. See “Configuring FTP Advanced Settings” on page 252.

FTP Root and Share Points

The “FTP Root and Share Points” user environment gives access, for both real and anonymous users, to the FTP root and any FTP share points to which the users have access privileges, as shown in the following figure. Users access FTP share points through symbolic links attached to the FTP Root directory. The symbolic links are created automatically when you create the FTP share points.

[Figure: “FTP Root and Share Points” environment. The FTP root looks like “/” to the client; the Users, Data, and Photos share points (with the Bob and Betty home directories under Users) are incorporated within the virtual root as symbolic links.]

Note that in this example, /Users, /Volumes/Data, and /Volumes/Photos are FTP share points. All users can see the home directories of other users because they are subdirectories of the Users share point.

Home Directory and FTP Root

When the user environment option is set to “Home Directory and FTP Root,” real users are logged into their home directories and have access to the FTP root by means of a symbolic link automatically created in their home directories. Other FTP share points are accessible through symbolic links in the FTP root. As always, access to the FTP share points is controlled by the access privileges they are assigned. In this scenario, the /Users folder is not an FTP share point and users are not able to see the home directories of other users.
If you create a custom FTP root, then the symbolic link in users’ home directories will reflect that custom name. For example, if you set a custom FTP root directory to be /Volumes/Extra/NewRoot, the symbolic link created in the user’s home directory would be called NewRoot.

Important: Regardless of the user environment setting, anonymous users and users without home directories are always logged into the “FTP Root and Share Points” environment.

[Figure: “Home Directory and FTP Root” environment. The real user’s home directory (Bob or Betty under Users) looks like “/”; an FTP Root symbolic link in the home directory leads to the FTP root, where the Data and Photos share points are incorporated within the virtual root as symbolic links.]

Home Directory Only

In the Restricted user environment, real users are confined to their home directories and do not have access to the FTP root or other FTP share points, as shown in the following illustration. Anonymous users and users without home directories still have access to the FTP root and FTP share points. So that these users cannot see the home directories of real users, the /Users folder is not set up as an FTP share point.

On-the-Fly File Conversion

FTP service in Mac OS X Server allows users to request compressed or decompressed versions of information on the server. A file-name suffix such as “.Z” or “.gz” indicates that the file is compressed. If a user requests a file called “Hamlet.txt” and the server only has a file named “Hamlet.txt.Z,” it knows that the user wants the decompressed version, and delivers it to the user in that format.

In addition to standard file compression formats, Mac OS X Server has the ability to read files from either HFS or non-HFS volumes and convert the files to MacBinary (.bin) format. This is one of the most commonly used file compression formats for the Macintosh operating system.
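As an added example (not code from Mac OS X Server or wu-FTPd), the lookup described above for a download request: the requested name is resolved against a constructed in-memory listing, a stored .gz copy is expanded when the plain name is requested, a stored plain file is gzip-compressed when the .gz name is requested, and every resolved path is kept inside the FTP root. The function names, the root path and the file contents are assumptions; the .Z and MacBinary conversions the guide mentions are not implemented here.

```python
import gzip
import posixpath

# Suffixes this example understands. The guide's table also lists .Z (UNIX
# compress) and .bin (MacBinary); those conversions are left out here.
ON_THE_FLY_SUFFIXES = (".gz",)


def resolve_in_root(ftp_root: str, requested: str) -> str:
    """Map a client-supplied name to an absolute path and refuse anything that
    escapes the FTP root, the boundary the restricted environment enforces."""
    root = posixpath.normpath(ftp_root)
    full = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise PermissionError(f"{requested!r} resolves outside the FTP root")
    return full


def plan_transfer(ftp_root: str, requested: str, listing: set[str]) -> tuple[str, str]:
    """Decide which stored file satisfies a request for `requested`.

    Returns (stored_path, action) where action is one of:
      "as-is"      the file exists under the requested name
      "decompress" only a compressed copy exists, so it is expanded on the fly
      "compress"   the plain file exists but a compressed name was requested
    """
    wanted = resolve_in_root(ftp_root, requested)
    if wanted in listing:
        return wanted, "as-is"
    for suffix in ON_THE_FLY_SUFFIXES:
        # Client asked for Hamlet.txt, server only has Hamlet.txt.gz.
        if wanted + suffix in listing:
            return wanted + suffix, "decompress"
        # Client asked for Macbeth.txt.gz, server only has Macbeth.txt.
        if wanted.endswith(suffix) and wanted[: -len(suffix)] in listing:
            return wanted[: -len(suffix)], "compress"
    raise FileNotFoundError(requested)


def serve(ftp_root: str, requested: str, store: dict[str, bytes]) -> bytes:
    """Return the bytes the client receives, converting when the plan says so."""
    stored, action = plan_transfer(ftp_root, requested, set(store))
    data = store[stored]
    if action == "decompress":
        return gzip.decompress(data)
    if action == "compress":
        return gzip.compress(data)
    return data


# Constructed in-memory FTP root used for the demonstration (hypothetical paths).
FTP_ROOT = "/ftproot"
DEMO_STORE = {
    "/ftproot/Hamlet.txt.gz": gzip.compress(b"To be, or not to be, that is the question."),
    "/ftproot/Macbeth.txt": b"Is this a dagger which I see before me?",
}

if __name__ == "__main__":
    print(serve(FTP_ROOT, "Hamlet.txt", DEMO_STORE).decode())
    print(plan_transfer(FTP_ROOT, "Macbeth.txt.gz", set(DEMO_STORE)))
```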
[Figure: “Home Directory Only” environment. Real users see only their own home directory under Users as “/”; the Data and Photos share points remain incorporated within the FTP root’s virtual root as symbolic links.]

The table below shows common file extensions and the type of compression they designate.

File extension   What it means
.gz              DEFLATE compression
.Z               UNIX compress
.bin             MacBinary encoding
.tar             UNIX tar archive
.tZ              UNIX compressed tar archive
.tar.Z           UNIX compressed tar archive
.crc             UNIX checksum file
.dmg             Mac OS X disk image

Custom FTP Root

For increased security, Mac OS X Server lets you create a custom FTP root. You specify the directory path of the custom FTP root using the Advanced pane of Configure FTP Service. See “Configuring FTP Advanced Settings” on page 252. The custom root takes the place of the default FTP root directory.

Kerberos Authentication

FTP supports Kerberos authentication. You specify the authentication method using the Advanced pane of Configure FTP Service. See “Configuring FTP Advanced Settings” on page 252. For information about Kerberos, see “Kerberos Authentication” on page 224.

FTP Service Specifications

Maximum number of connected users (the default setting is 50 for real users and 50 for anonymous users)   1000
FTP port number   21
Number of failed login attempts before user is disconnected   3

Before You Set Up FTP Service

Consider the type of information you need to share and who your clients are when determining whether or not to offer FTP service. FTP works well when you want to transfer large files such as applications and databases. In addition, if you want to allow guest (anonymous) users to download files, FTP is a secure way to provide this service.

Restrictions on Anonymous FTP Users (Guests)

Enabling anonymous FTP poses a security risk to your server and data because you open your server to users that you do not know.
The access privileges you set for the files and folders on your server are the most important way you can keep information secure. Anonymous FTP users are only allowed to upload files into a special directory named “uploads” in the FTP root. If the uploads share point doesn’t exist, anonymous users will not be able to upload files at all.

To ensure the security of your FTP server, by default anonymous users cannot
• delete files
• rename files
• overwrite files
• change permissions of files

Setup Overview

Here is an overview of the major steps for setting up FTP service.

Step 1: Before You Begin
Read “Before You Set Up FTP Service” on page 248 for issues you should keep in mind when you set up FTP service.

Step 2: Configure FTP General settings
The General settings let you display banner and welcome messages, set the number of login attempts, and provide an administrator email address. See “Configuring FTP General Settings” on page 250.

Step 3: Configure FTP Access settings
The Access settings let you specify the number of real and anonymous users. See “Configuring FTP Access Settings” on page 251.

Step 4: Configure FTP Logging settings
The Logging settings let you specify the events you want to log for real and anonymous users. See “Configuring FTP Logging Settings” on page 251.

Step 5: Configure FTP Advanced settings
The Advanced settings specify a custom FTP root to use. See “Configuring FTP Advanced Settings” on page 252.

Step 6: Create an “uploads” folder for FTP users (optional)
If you enabled anonymous access in Step 2, you may want to create a folder for anonymous users to upload files. The folder must be named “uploads.” It is not a share point, but must have appropriate access privileges. See “Creating an Uploads Folder for Anonymous Users” on page 253.

Step 7: Create share points and share them using FTP
Use the Sharing module of Workgroup Manager to specify the share points that you want to make available through FTP.
You must explicitly configure a share point to use FTP in order for FTP users to be able to access the share point. See “Creating Share Points and Setting Privileges” on page 211 and “Configuring File Transfer Protocol (FTP) Share Points” on page 213.

Step 8: Start FTP service
After you have configured FTP, start the service to make it available. See “Starting FTP Service” on page 252.

Setting Up File Transfer Protocol (FTP) Service

Configuring FTP General Settings

The General settings let you display banner and welcome messages, set the number of login attempts, and provide an administrator email address.

To configure the FTP General settings:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the General tab.
4 Select the “Show Banner Message” option to display a message to users before they log in to the server.
5 Click the Edit Banner button to create or revise a banner message.
6 Select the “Show Welcome Message” option to display a message to users after they have logged in to the server.
7 Click the Edit Welcome button to create or revise a welcome message in the window that appears.
8 Select the “Disconnect after __ failed login attempts” option and type a number to limit the number of failed login attempts users can make before they are automatically disconnected from the server.
9 In the “Administrator E-mail Address” field, enter an email address if you want to provide a way for users to contact the administrator.
10 Click Save.

Configuring FTP Access Settings

The Access settings let you specify the number of real and anonymous users.

To configure the FTP Access settings:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Access tab.
4 Enter a value in the “Allow a maximum of __ real users” field to set the maximum number of registered users who can connect to your server at the same time.
Real users are users who have been added in the Users & Groups module of Workgroup Manager.
5 Select “Enable anonymous access” to allow anonymous users to connect to the server and transfer files. Anonymous users can log in using the name “ftp” or “anonymous.” They do not need a password to log in, but they will be prompted to enter their email addresses. Before selecting this option, you should review the privileges assigned to your share points carefully to make sure there are no security holes. For more information about keeping your information secure, read Chapter 4, “Sharing.”
6 Enter a value in the “Allow a maximum of __ anonymous users” field to set the maximum number of anonymous users who can connect to your server at the same time.
7 Click Save.

Configuring FTP Logging Settings

The Logging settings let you specify the events you want to log for real and anonymous users.

To configure the FTP Logging settings:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Logging tab.
4 In the “Log Real Users” section, select the events you want to appear in the FTP log for real users. You can select FTP Commands, Rule Violation Attempts, Uploads, and Downloads.
5 In the “Log Anonymous Users” section, select the events you want to appear in the FTP log for anonymous users. You can select FTP Commands, Rule Violation Attempts, Uploads, and Downloads.
6 Click Save.

Configuring FTP Advanced Settings

The Advanced settings allow you to specify a custom FTP root. A custom FTP root creates a higher level of security by isolating the files accessible through FTP from the main directory of the server.

To configure the FTP Advanced settings:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
4 Select the “Use custom FTP root” option and enter the pathname in the Path field if you want to create a custom FTP root.
See “Custom FTP Root” on page 248.
5 Choose the type of authentication you want to use: Standard, Kerberos, or Any Method.
6 Choose the type of user (chroot) environment you want to use: FTP Root and Share Points, Home Directory and FTP Root, or Home Directory Only. See “User Environments” on page 245.

Starting FTP Service

Start FTP file service to make the service available to your client users.

To start FTP service:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Start FTP Service.

A globe appears on the service icon when the service is turned on.

Managing File Transfer Protocol (FTP) Service

This section tells you how to perform day-to-day management tasks for FTP service once you have it up and running.

Stopping FTP Service

Important: When you stop FTP service, connected users will be disconnected without warning.

To stop FTP service:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Stop FTP.

Setting Up Anonymous FTP Service

You can allow guests to log in to your FTP server with the user name “ftp” or “anonymous.” They do not need a password to log in, but they will be prompted to enter their email addresses. For better security, do not enable anonymous access.

To set up anonymous FTP service:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP.
3 Click the Access tab.
4 Select “Anonymous access enabled.”
5 Click Save.

If the “Anonymous access enabled” box has a checkmark, anonymous access is already enabled.

Creating an Uploads Folder for Anonymous Users

The uploads folder provides a place for anonymous users to upload files to the FTP server. It must exist at the top level of the FTP root directory and be named “uploads.” (If you have set up a custom FTP root directory, then the uploads folder must be at the root of that directory.) Use the Finder to create the folder and set write privileges for guest users.
Specifying a Custom FTP Root

The Advanced settings allow you to specify the path for a custom FTP root.

To specify a custom FTP root:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
4 Enter the pathname for the FTP root.
5 Select the “Use custom FTP root” option and enter the pathname in the Path field if you want to create a custom FTP root.
6 If it does not already exist, create the directory you’ve specified and configure it as an FTP share point.

Specifying the FTP Authentication Method

You use the Advanced pane of Configure FTP Service to specify the authentication method.

To specify the FTP authentication method:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
4 Choose the type of authentication you want to use: Standard, Kerberos, or Any Method. See “Kerberos Authentication” on page 248.

Configuring the FTP User Environment

You use the Advanced pane of Configure FTP Service to specify the user environment.

To configure the FTP user environment:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
4 Choose the type of user environment you want to provide.

The “FTP Root and Share Points” environment sets up the Users directory as a share point. Real users log in to their home directories, if they are available within the restricted environment. Both real and anonymous users can see other users’ home directories in a share point. (The directories are only accessible to users who have access privileges, however.)

The “Home Directory and FTP Root” environment logs real FTP users in to their home directories. They have access to their home directories, to the FTP root, and to FTP share points.

The “Home Directory Only” environment restricts real FTP users to their home directories only.
Regardless of the user environment you choose, access to all data is controlled by access privileges. Anonymous users and real users who don’t have home directories (or whose home directories are not located in a share point to which they have access) are always logged in at the root level of the restricted FTP environment.

Viewing FTP Logs

You use Server Settings to view FTP logs.

To view FTP logs:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Logging tab.
4 Select the log options for real users: FTP Commands, Rule Violation Attempts, Uploads, and Downloads.
5 Select the log options for anonymous users: FTP Commands, Rule Violation Attempts, Uploads, and Downloads.

Displaying Banner and Welcome Messages to Users

FTP service in Mac OS X Server allows you to create certain messages that you can send to real users and to anonymous FTP users when they log in to your server. Some FTP clients may not display the message in an obvious place, or they may not display it at all. For example, the FTP client Fetch displays a banner message in the “RemoteHostname Messages” window.

To display banner and welcome messages to users:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the General tab.
4 Select the “Show Banner Message” option to display a message to users before they log in to the server.
5 Click the Edit Banner button to create or revise a banner message.
6 Select the “Show Welcome Message” option to display a message to users after they have logged in to the server.
7 Click the Edit Welcome button to create or revise a welcome message in the window that appears.
8 Click Save.

Displaying Messages Using message.txt Files

When a user encounters a directory that contains a file named “message.txt,” the file content is displayed as a message.
The user only sees the message the first time he or she connects to the directory during that FTP session. You can use the message to notify users of important information or changes users need to be aware of.

Using README Messages

You can also place a file called “README” in a directory. When users encounter a directory that contains a README file, they receive a message letting them know that the file exists and when it was last updated. Users can choose whether or not to open and read the file.

Network File System (NFS) Service

Network File System is the protocol used for file services on UNIX computers. Use NFS to provide file service for your UNIX clients (other than Mac OS X clients). You can export a shared item to a set of client computers or to “World.” Exporting an NFS volume to World means that anyone who can access your server can also access that volume.

Note: The NFS term for sharing is export. This guide, therefore, uses that term to be consistent with standard NFS terminology.

You use the NFS module of Server Settings to configure and manage NFS service. You also use the Sharing module of Workgroup Manager to set privileges and access levels for the share points or folders you want to export.

Before You Set Up NFS Service

Be sure to consider the security implications of exporting in NFS before you set up NFS service.

Security Implications

NFS was created for a secure networking environment, in which you can trust the client computer users and the people who administer the clients. Whereas access to Apple file service, Windows file sharing, and FTP service share points is controlled by authentication (user name and password), access to NFS shared items is controlled by the client software and file permissions. NFS allows access to information based on the computer’s IP address. This means that a particular client computer will have access to certain share points regardless of who is using the computer.
Whenever the computer is started up, some volumes or folders are automatically mounted or made available, and anyone who uses the computer has access to them.

With NFS, it’s possible for a user to spoof ownership of another person’s files. For example, if a file on the server is owned by a user with user ID 1234, and you export a folder that contains that file, someone on a remote computer can create a local user on the remote computer, give it a user ID of 1234, mount that folder, and have the same access to the folder’s contents as the file’s original owner. You can take some steps to prevent this by creating unique user IDs and by safeguarding user information.

If you have Internet access and plan to export to World, your server should be behind a firewall.

Setup Overview

Here is an overview of the major steps for setting up NFS service.

Step 1: Before You Begin
Read “Before You Set Up NFS Service” on page 256 for issues you should keep in mind when you set up NFS service.

Step 2: Configure NFS settings
The NFS settings let you set the maximum number of daemons and choose how you want to serve clients: via TCP, UDP, or both. See “Configuring NFS Settings” on page 257.

Step 3: Create share points and share them using NFS
Use the Sharing module of Workgroup Manager to specify the share points that you want to export (share) using NFS. You must explicitly configure a share point to use NFS in order for NFS users to be able to access the share point. See “Creating Share Points and Setting Privileges” on page 211, “Sharing (Exporting) Items Using Network File System (NFS)” on page 213, and “Automounting Share Points” on page 214.

You don’t need to start or stop NFS service; when you define a share point to export, the service starts automatically. When you delete all exports, the service stops. You can tell if NFS service is running by looking for the globe on the NFS icon in Server Settings.
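An added audit script (not part of this guide or of Mac OS X Server) that reads the output of showmount -e, the command the guide gives later under Viewing Current NFS Exports, and flags the two conditions this section warns about: exports to World and client entries outside the subnet you trust. The sample output, host names, addresses and the trusted network are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed sample in the layout showmount -e prints: a banner line, then one
# export per line with the hosts or networks it is exported to. "Everyone" marks
# an export to World. Names and addresses are made up for this example.
SAMPLE_SHOWMOUNT = """\
Exports list on fileserver.example.com:
/Volumes/Data                   Everyone
/Users                          192.168.1.0
/Volumes/Projects               192.168.1.0 10.9.0.0
/Volumes/Backup                 buildhost.example.com
"""

# The subnet the trusted client computers live on (assumed for the example).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_showmount(text: str) -> dict[str, list[str]]:
    """Turn showmount -e output into {export_path: [client, ...]}."""
    exports: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Exports list"):
            continue  # skip the banner line and blank lines
        path, *clients = line.split()
        exports[path] = clients
    return exports


def client_is_trusted(client: str) -> Optional[bool]:
    """True/False for an address or network; None for a hostname, which cannot be
    judged offline and should be checked by hand."""
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return None
    return any(
        net.version == trusted.version and net.subnet_of(trusted)
        for trusted in TRUSTED_NETWORKS
    )


def audit_exports(exports: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Return (path, client, finding) for every export the guide warns about:
    exports to World, and clients that are not inside the trusted networks
    (the guide says a server that exports to World belongs behind a firewall)."""
    findings: list[tuple[str, str, str]] = []
    for path, clients in exports.items():
        for client in clients:
            if client == "Everyone":
                findings.append((path, client, "exported to World: anyone who can reach the server can mount it"))
                continue
            trusted = client_is_trusted(client)
            if trusted is None:
                findings.append((path, client, "hostname: confirm it resolves to a trusted address"))
            elif not trusted:
                findings.append((path, client, "client outside the trusted networks"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(parse_showmount(SAMPLE_SHOWMOUNT)):
        print(f"{path}\t{client}\t{finding}")
```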
Setting Up NFS Service

Configuring NFS Settings

The NFS settings let you set the maximum number of daemons and choose how you want to serve clients: via TCP, UDP, or both.

To configure NFS settings:
1 In Server Settings, click the File & Print tab.
2 Click NFS and choose Configure NFS.
3 Enter a value in the “Allow a maximum of __ daemons” field to set the maximum number of nfsd daemons you want to allow at one time. An nfsd daemon is a server process that runs continuously behind the scenes and processes reading and writing requests from clients. The more daemons that are available, the more concurrent clients can be served. Typically, four to six daemons is adequate to handle the level of concurrent requests.
4 Choose how you want to serve data to your client computers. Transmission Control Protocol (TCP) separates data into packets (small bits of data sent over the network using IP) and uses error correction to make sure information is transmitted properly. User Datagram Protocol (UDP) doesn’t break data into packets, so it uses fewer system resources. It’s more scalable than TCP, and a good choice for a heavily used server. Do not use UDP, however, if remote clients are using the service. Select both TCP and UDP unless you have a specific performance concern. TCP provides better performance for clients, and UDP puts a smaller load on the server.
5 Click Save.

Managing NFS Service

This section tells you how to perform day-to-day management tasks for NFS service once you have it up and running.

Stopping NFS Service

When the server starts up, a startup script checks to see if any NFS exports have been defined; if so, NFS starts automatically. If NFS is not running and you add exports, wait a few seconds for the service to launch. When the service is running, a globe appears on the service icon.

To stop NFS service:
• Delete all exports.

The globe on the service icon disappears. However, the nfsd daemons continue to run until the server is restarted.
Viewing NFS Service Status

You use Server Status to check the status of all Mac OS X Server devices and services.

To view NFS service status:
• In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select NFS in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.

The Overview tab tells you whether or not the service is running and whether the mountd, nfsd, and portmap processes are running. The mountd process handles mount requests from client computers (only one mountd process will appear in the status window if you’ve defined any exports). The nfsd process responds to read/write requests from client computers that have mounted folders. The portmap process allows client computers to find nfs daemons (always one process).

Viewing Current NFS Exports

You can use the Terminal application to view a list of the current NFS exports.

To view current NFS exports:
• In Terminal, enter “showmount -e”.

If this command does not return results within a few seconds, there are no exports and the process is blocked (hung). Press Control-C to exit the showmount command and return to an active command line in your Terminal window.

Supporting Client Computers

This section describes the client computer requirements for using Mac OS X file services.

Supporting Mac OS X Clients

Apple file service requires the following Mac OS X system software:
• Mac OS X version 10.2
• TCP/IP connectivity
• AppleShare 3.7 or later

Go to the Apple support Web site at www.apple/support/ to find out the latest version of AppleShare client software supported by Mac OS X.

Connecting to the Apple File Server in Mac OS X

You can connect to Apple file servers by entering the DNS name of the server or its IP address in the Connect to Server window, or, if the server is registered with Network Service Location, you can select its name in the list of servers there.
Note: Apple file service does not support AppleTalk connections, so clients need to use TCP/IP to access file services. You can use AppleTalk to find Apple file servers, but the connection must be made using TCP/IP.

To connect to the Apple file server in Mac OS X:
1 In the Finder, choose “Connect to Server” from the Go menu.
2 In the Connect to Server pane, do one of the following:
   Select the name of the server in the list (if it appears there).
   Type the DNS name of the server in the Address field. You can enter DNS names in any of the following forms:
      dns
      afp://dns
      afp://dns/sharepoint
   Type the server’s IP address in the Address field.
3 Click Connect.
4 Enter your user name and password, then click Connect.
5 Select the server volume you want to use and click OK.

Setting Up a Mac OS X Client to Mount a Share Point Automatically

As an alternative to using the automount feature of Apple file service, FTP, or NFS, Mac OS X clients can set their computers to mount server volumes automatically.

To set a Mac OS X client computer to mount a server volume automatically:
1 Choose Connect to Server from the Finder’s Go menu to mount the volume on the client computer.
2 Open System Preferences and select the Login pane.
3 Click Add, then locate the Recent Servers folder and double-click the volume you want automatically mounted.

The volume is added to the list of items in the Recent Servers folder in the user’s home Library folder. When the client user logs in the next time, the server, if available, will be mounted automatically. The client user can also add the server volume to Favorites and then use the item in the Favorites folder in the home Library.

Changing the Priority of Network Connections

Mac OS X uses its multihoming capabilities to support multiple network connections. When more than one connection is available, Mac OS X selects the best connection according to the order you specify in the Network preferences.
To change the priority of network connections:
1 Open the Network pane of System Preferences.
2 Choose a configuration set from the Location menu if you have configurations set up, or use Automatic.
3 Choose Active Network Ports from the Show pop-up menu.
4 Drag the connections in the Active Ports list into the desired order.

Mac OS X uses the first available connection from the top of the list.

Supporting Mac OS 8 and Mac OS 9 Clients

Apple file service requires the following Mac OS 8 or 9 system software:
• Mac OS 8 (version 8.6) or Mac OS 9 (version 9.2.2)
• TCP/IP
• AppleShare 3.7 or later

Go to the Apple support Web site at www.apple/support/ to find out the latest version of AppleShare client software supported by Mac OS 8 and Mac OS 9.

Connecting to the Apple File Server in Mac OS 8 or Mac OS 9

Apple file service does not support AppleTalk connections, so clients need to use TCP/IP to access file services. You can use AppleTalk to find Apple file servers, but the connection must be made using TCP/IP.

To connect to the Apple file server in Mac OS 8 or Mac OS 9:
1 Open the Chooser and click Server IP Address.
2 Enter the IP address or the name of the server in the window that appears and click Connect.
3 Enter your user name and password, then click Connect.
4 Select the volume you want to use and click OK.

Setting Up a Mac OS 8 or Mac OS 9 Client to Mount a Share Point Automatically

As an alternative to using the automount feature of AFP, FTP, or NFS, clients can set their computers to mount server volumes automatically.

To set a Mac OS 8 or Mac OS 9 client computer to mount a server volume automatically:
1 Use the Chooser to mount the volume on the client computer.
2 In the select-item dialog that appears after you log in, check the server volume you want to mount automatically.

Supporting Windows Clients

Mac OS X Server supports the native Windows file sharing protocol, Server Message Block (SMB).
SMB is also known as Common Internet File System (CIFS). Mac OS X Server comes with built-in browsing and name resolution services for your Windows client computers. You can enable Windows Internet Naming Service (WINS) on your server, or you can register with an existing WINS server. Windows services in Mac OS X Server also provide Windows Master Browser and Domain Master Browser services. You do not need a Windows server or a primary domain controller on your network to allow Windows users to see your server listed in the Network Neighborhood window. Also, your Windows clients can be located on a subnet outside of your server’s subnet.

See “Ensuring the Best Cross-Platform Experience” on page 236 for information about setting up a dedicated share point for Windows users, and “Windows User Password Validation” on page 236 for information about different techniques of validating Windows user passwords.

TCP/IP

In order to have access to Windows services, Windows client computers must be properly configured to connect over TCP/IP. See your Windows networking documentation for information on TCP/IP configuration.

Using the Network Neighborhood to Connect to the Windows Server

Before trying to connect to the server from a Windows client computer, find out the workgroup or domain of both the client computer and the file server. You can find the workgroup name of a Windows client computer in the computer’s Network Neighborhood window. To find the server’s workgroup name, click the File & Print tab in Server Settings, then click Windows and choose Configure Windows Services.

To connect to a Windows server using the Network Neighborhood:
1 On the Windows client computer, open the Network Neighborhood window. If you are in the same workgroup or domain as the server, skip to step 4.
2 Double-click the Entire Network icon.
3 Double-click the icon of the workgroup or domain the server is located in.
4 Double-click the server’s icon.
5 Log in using your Windows login name.

Connecting to the Windows Server Without the Network Neighborhood

You can connect to the Windows server by double-clicking its name in the Network Neighborhood. You can also connect without using the Network Neighborhood.

To connect to the Windows server without the Network Neighborhood:
1 On the Windows client computer, choose Find from the Start menu, then choose Computer from the submenu.
2 Type the name or IP address of your Windows server.
3 Double-click the server to connect.
4 Log in using your Mac OS X Server login name.

Supporting NFS Clients

Consult your UNIX documentation or system administrator for information on managing mounts.

Solving Problems With File Services

Solving Problems With Apple File Service

User Can’t Find the Apple File Server
• Make sure the network settings are correct on the user’s computer and on the computer that is running Apple file service. If you can’t connect to other network resources from the user’s computer, the network connection may not be working.
• Make sure the file server is running. You can use a “pinging” utility to check whether the server is operating.
• If the user is searching for the server via AppleTalk (in the Chooser), make sure you’ve enabled browsing over AppleTalk in the Access pane of the Apple File Server Settings window, and that AppleTalk is active on both the server and the user’s computer.
• Check the name you assigned to the file server and make sure users are looking for the correct name.

User Can’t Connect to the Apple File Server
• Make sure the user has entered the correct user name and password. The user name is not case-sensitive, but the password is.
• Verify that logging in is enabled for the user in the Users & Groups module of Workgroup Manager.
• Check to see if the maximum number of client connections has been reached (in the Apple File Service Status window). If it has, other users should try to connect later.
• Make sure the server that stores users and groups is running.
• Verify that the user has AppleShare 3.7 or later installed on his or her computer. Administrators who want to use the admin password to log in as a user need at least AppleShare 3.8.5.
• Make sure IP filter service is configured to allow access on port 548 if the user is trying to connect to the server from a remote location. For more on IP filtering, see Chapter 15, “Firewall Service.”

User Doesn’t See Login Greeting

• Upgrade the software on the user’s computer. Apple file service client computers must be using AppleShare client software version 3.7 or later.

Solving Problems With Windows Services

User Can’t See the Windows Server in the Network Neighborhood

• Make sure users’ computers are properly configured for TCP/IP and have the appropriate Windows networking software installed.
• Enable guest access for Windows users.
• Go to the DOS prompt on the client computer and type “ping [IP address],” where “IP address” is your server’s address. If the ping fails, there is a TCP/IP problem.
• If users’ computers are on a different subnet from the server, you need to have a WINS server on your network.

Note: If Windows computers are properly configured for networking and connected to the network, client users can connect to the file server even if they can’t see the server icon in the Network Neighborhood window.

User Can’t Log in to the Windows Server

• If you are using Password Server to authenticate users, check to make sure that it is configured correctly. See “Setting Up an Open Directory Domain and Password Server” on page 92.
• If you have user accounts created in a previous version of Mac OS X Server (version 10.1 or earlier) that are still configured to use Authentication Manager, make sure that Authentication Manager is enabled. Then reset the passwords of existing users who will be using Windows services. Reset the user’s password and try again.
See Understanding and Using NetInfo for information on how to use the command-line utilities to configure Authentication Manager. This document is available on the Mac OS X Server Web site: www.apple.com/macosx/server/

Solving Problems With File Transfer Protocol (FTP)

FTP Connections Are Refused

• Verify that the user is entering the correct DNS name or IP address for the server.
• Make sure FTP service is turned on.
• Make sure the user has appropriate access privileges to the shared volume.
• See if the maximum number of connections has been reached. To do this, click the Networking tab in Server Settings, click FTP, then choose Configure FTP.
• Verify that the user’s computer is configured correctly for TCP/IP. If there doesn’t appear to be a problem with the TCP/IP settings, use a “pinging” utility to check network connections.
• See if there is a DNS problem by trying to connect using the IP address of the FTP server instead of its DNS name. If the connection works with the IP address, there may be a problem with the DNS server.
• Verify that the user is correctly entering his or her short name and typing the correct password. User names and passwords with special characters or double-byte characters will not work. To find the user’s short name, double-click the user’s name in the Users & Groups list.
• See if there are any problems with directory services, and if the directory services server is operating and connected to the network. For help with directory services, see Chapter 2, “Directory Services.”
• Verify that IP filter service is configured to allow access to the appropriate ports. If clients still can’t connect, see if the client is using FTP passive mode and turn it off. Passive mode causes the FTP server to open a connection to the client on a dynamically determined port, which could conflict with port filters set up in IP filter service. For a list of common TCP and UDP ports, see “Port Reference” on page 540.
Clients Can’t Connect to the FTP Server

• See if the client is using FTP passive mode, and turn it off. Passive mode causes the FTP server to open a connection on a dynamically determined port to the client, which could conflict with port filters set up in IP filter service.

Anonymous FTP Users Can’t Connect

• Verify that anonymous access is turned on.
• See if the maximum number of anonymous user connections has been reached. To do this, click the Networking tab in Server Admin, click FTP, then choose Configure FTP.

Where to Find More Information About File Services

For more information about the protocols used in Mac OS X Server file services, see these resources:

• Apple Filing Protocol (AFP): www.apple.com/developer/
• Server Message Block (SMB) protocol (for Windows file services): www.samba.org
• FTP: You can find a Request for Comments (RFC) document about FTP at the following Web site: www.faqs.org/rfcs/rfc959.html
  RFC documents provide an overview of a protocol or service that can be helpful for novice administrators, as well as more detailed technical information for experts. You can search for RFC documents by number at this Web site: www.faqs.org/rfcs
  To obtain the UNIX manual pages for FTP, open the Terminal application in Mac OS X. At the prompt, type “man ftp” and press the Return key.
• NFS: To obtain the UNIX manual pages for NFS, open the Terminal application in Mac OS X. At the prompt, type “man nfs” and press the Return key.

Chapter 6: Client Management: Mac OS X

Workgroup Manager provides network administrators with a centralized method of managing Mac OS X workstations, controlling access to software and removable media, and providing a consistent, personalized experience for users at different levels, whether they are beginners in a classroom or advanced users in an office. Mac OS X Server saves user documents and preferences in a home directory, so your users can access their files from any Mac on your network.
Using Workgroup Manager, you can create user accounts, and then set up groups to provide convenient and efficient access to resources. You can also use account settings and managed preferences to allow more or less flexibility to suit the level of administrative control you want or need. User management is the result of combining a user’s individual settings and preferences, plus settings and preferences for the workgroup and computer he or she is using.

The term managed client refers to a user, group, or computer whose access privileges and/or preferences are under administrative control. Managing clients gives you control over user access to applications, removable media, printers, computers, and system resources.

[Figure: Client Management. Computers and desktops; Applications, folders and files; Printers and volumes; Users & Groups]

This chapter summarizes certain aspects of Mac OS X client management, describes how to set up Mac OS X computer accounts using Workgroup Manager, and gives details about using managed preferences to customize and control the Mac OS X user experience. You’ll learn how to

• use Workgroup Manager to control user settings and privileges
• set up and manage computer accounts
• manage preference settings for users, groups, and computer accounts
• set up and manage mobile computers

Transition Strategies for Mac OS X Client Management

If you currently manage your Mac OS 9 or Mac OS 8 clients using Macintosh Manager and you want to upgrade to Mac OS X, download “Upgrading to Mac OS X Server” from the Web site listed below: www.apple.com/macosx/server/

The User Experience

This section describes both the actual user experience and the server processes for Mac OS X managed clients.

Logging In

When a managed client computer starts up, a login dialog box appears. Depending on the login settings selected, a user either types his or her user name or chooses it from a list.
The user name and password are verified by directory services, and then the server returns a list of workgroups for that user and the user selects a workgroup. The user’s environment, privileges, and preferences are determined by the settings chosen for that user, the selected workgroup, and the computer he or she uses.

When you create user accounts, the login settings determine the user experience. If you allow simultaneous login, the user can log in to more than one computer.

Note: Simultaneous login is not recommended for most users. You may want to reserve simultaneous login privileges only for technical staff, teachers, or other users with administrator privileges.

Locating the Home Directory

User documents are stored in a user’s home directory, which users can access by clicking the Home icon in a Finder window’s toolbar. For more about home directories see Chapter 3, “Users and Groups.”

Important: If you need to manage Mac OS 9 or Mac OS 8 clients, read Chapter 10, “Client Management: Mac OS 9 and OS 8.”

Before You Begin

You should consider taking advantage of client management if

• you want to provide users with a consistent, controlled interface while allowing them to access their documents from any computer
• you want to control privileges on mobile computers
• you want to reserve certain resources for only specific groups or individuals
• you need to secure computer usage in key areas such as administrative offices, classrooms, or open labs

Before you set up computer accounts or managed preferences for users, groups, or computers, be sure you follow these preliminary steps.

Step 1: Make sure your computers meet minimum requirements

Client Computer Software Requirements

• Mac OS X v. 10.2 as the primary operating system

Note: Workgroup Manager is not used to manage Mac OS 9 or Mac OS 8 clients.
Client Computer Hardware Requirements

• Macintosh computer with a G3 processor or better (except original PowerBook G3 or upgraded PowerPC processors)
• 128 megabytes (MB) of physical random access memory (RAM)
• 1.5 gigabytes (GB) of disk space available

Administrator Computer Software Requirements

• Mac OS X Server v. 10.2 installed

Administrator Computer Hardware Requirements

• Macintosh computer with a G3 processor or better (except original PowerBook G3 or upgraded PowerPC processors)
• 128 MB of RAM
• 4 GB of available disk space

Step 2: Create a shared domain to store account information

Use Open Directory Assistant to set up a shared domain where you can store user, group, and computer account information. For more information about domain hierarchies and how to use Open Directory Assistant, see Chapter 2, “Directory Services.”

Step 3: Make sure users and their home directories exist

Use Workgroup Manager to set up user accounts and home directories. Once users are created in Workgroup Manager, they are ready to be managed on Mac OS X clients. You can set up various privileges (such as print or mail quotas) for users as you create them.

Home directories can be stored on an Apple Filing Protocol (AFP) server. You can set up group volumes as AFP share points and add additional share points if you need them. Each user you want to manage must have a home directory. If no home directory exists for a user, he or she cannot log in. See Chapter 3, “Users and Groups,” for information about how to create users, define user privileges, and set up home directories.

Designating Administrators

For Mac OS X clients, the server administrator has the greatest amount of control over other users and their privileges. The server administrator can create users, groups, and computer accounts and assign settings, privileges, and managed preferences for them.
He or she can also create other server administrator accounts, or give some users (for example, teachers or technical staff) administrative privileges within certain directory domains. These “directory domain administrators” can manage users, groups, and computer accounts within the limits assigned to them by the server administrator. For more information about assigning administrative privileges to users with network accounts, see Chapter 3, “Users and Groups.”

Setting Up User Accounts

If you use Workgroup Manager to manage your Mac OS X clients, you can set some privileges when you set up accounts. You can use “presets” like templates and apply various settings automatically when you create an account. See Chapter 3, “Users and Groups,” for more information about how to set up user accounts.

Depending on your needs, you may want to set up local user accounts in addition to network user accounts. A network user has a user account associated with Mac OS X Server, and you can allow that user to log in from various computers on your network. A local user has an account associated with a specific client computer, and his or her local account is independent from any network user account and other local accounts on other computers. An individual user may have both a network account that provides access to network services and a separate local account on a specific computer.

You can set up managed preferences for any user with a network account, but the most convenient way to manage network users is by managing preferences for groups to which they belong. This makes it easier to manage users regardless of which computer they use.

If users have local accounts on specific computers, you can still manage their user preferences on the client computer without using Workgroup Manager.
However, it may be more useful to manage local users indirectly by using Workgroup Manager to manage preferences for the client computer and the group that can access that computer. These group and computer preferences are cached for offline use, making this preference configuration especially useful for mobile computers. If a user on a mobile computer disconnects from the network, he or she is still managed.

You can set up managed preferences for users after you create the user accounts. For more information about managed preferences and how to use them, see “Managing Preferences” on page 282.

Setting Up Group Accounts

Although Mac OS X users are not required to be added to group accounts in order to be managed, groups are still very important for efficient and effective client management. For example, you can use groups to provide users with the same access privileges to media, printers, and volumes. For more information about how to create group accounts using Workgroup Manager, see “Administering Group Accounts” on page 165.

Managed preferences assigned to a particular group apply to all users in that group. However, managed user preferences may take precedence over group preferences. You can set up managed preferences for groups after you create the group account. For more information about how to manage preferences, see “Managing Preferences” on page 282.

Setting Up Computer Accounts

A computer account is a list of computers that have the same preference settings and are available to the same users and groups. You can create and modify computer accounts in Workgroup Manager. Computer accounts that you set up appear in the list on the left side of the window. The list of computer accounts is searchable. Settings appear on the List, Access, and Cache panes on the right side of the window.

When you set up a computer account, make sure you have already determined how computers will be identified.
Use descriptions that are logical and easy to remember (for instance, the description might be the computer name). You must use the “on board” or built-in Ethernet address for a computer’s Address information. This information is unique to each computer. The client computer uses this data to find preference information when a user logs in. You can browse for a computer and Workgroup Manager will enter the computer’s Ethernet address and name for you.

When a computer starts up, it checks directory services for a computer account record that contains its Ethernet address and uses settings for that computer account. If no record is found, the computer uses settings for the Guest Computers computer account.

You can set up managed preferences for users after you create the user account. For more information about managed preferences and how to use them, see “Managing Preferences” on page 282.

If you want a directory domain administrator to edit computer accounts, add or delete computers from a list, or edit computer account preferences, you must give that administrator those privileges. You can assign an administrator privileges for all computer accounts or for a set of specific computer accounts. For more information about assigning administrative privileges, see Chapter 3, “Users and Groups.”

Creating a Computer Account

You can use a computer account to assign the same privileges and preferences to multiple computers. You can add up to 2000 computers to a computer account.

To set up a computer list:

1. Open Workgroup Manager.
2. Use the At pop-up menu to open the directory domain where you want to store the new account, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab, then click List.
5. Click New Record, then type in a list name.
6. To add a computer to the list, click Add and type the computer’s Ethernet address in the Address field.
   Alternatively, you can click Browse, and Workgroup Manager will enter the computer’s Ethernet address and name for you.
7. Type a description, such as the computer name.
8. Type a comment. Comments are useful for providing additional information about a computer’s location, configuration (for example, a computer set up for individuals with special needs), or attached peripherals. You could also use the comment for additional identification information, such as the computer’s model or serial number.
9. Continue adding computers until your computer list is complete.
10. Save the account.

Note: Computers cannot belong to more than one list, and you cannot add computers to the Guest Computers account.

Creating a Preset for Computer Accounts

You can select settings for a computer account and save them as a “preset.” Presets work like templates, allowing you to apply preselected settings and information to a new account. Using presets, you can easily set up multiple computer accounts with similar settings. You can use presets only during account creation. You cannot use a preset to modify an existing computer account.

To set up a preset for computer accounts:

1. Open Workgroup Manager.
2. Use the At pop-up menu to open the directory domain where you want to create computer accounts using presets, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab, then click List.
5. To create a new preset from a blank account, first create a new computer account. To create a preset using data in an existing computer account, open the account.
6. In each settings pane, fill in the information you want to use in the preset.
7. Choose Save Preset from the Presets pop-up menu.

After you create a preset, you can no longer change its settings, but you can delete it or change its name. To change a preset’s name, choose the preset from the Presets pop-up menu, then choose Rename Preset.
To delete a preset, choose a preset from the Presets pop-up menu, then choose Delete Preset.

Using a Computer Accounts Preset

When you create a new computer account, you can choose any preset from the Presets pop-up menu to apply initial settings, but you can still change the account settings to meet your needs. Until you save account information, changing to a different preset overwrites earlier information. Once the account is saved, the Preset menu dims and cannot be used again for that account.

To use a preset for computer accounts:

1. Open Workgroup Manager.
2. Use the At pop-up menu to open the directory domain where you want to store the new account, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab, then click List.
5. Choose the preset you want to use from the Presets pop-up menu.
6. Create a new account.
7. Add or update settings as needed, then save the account.

Adding Computers to an Existing Computer Account

You can easily add more computers to an existing list. However, you cannot add computers to the Guest Computers list.

To add additional computers to a list:

1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the computer account you want, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab, then click List.
5. Select the account to which you want to add computers.
6. If you are using presets, select the one you want from the Presets pop-up menu.
7. Click Add, then type the computer’s Ethernet address in the Address field. Alternatively, you can click Browse, and Workgroup Manager will enter the computer’s Ethernet address and name for you.
8. Type a description, such as the computer name.
9. Type a comment. Comments are useful for providing additional information about a computer’s location, configuration (for example, a computer set up for individuals with special needs), or attached peripherals.
   You could also use the comment for additional identification information, such as the computer’s model or serial number.
10. Click Save.
11. Continue adding computers and information until your list is complete.

Editing Information About a Computer

After you add a computer to a computer account, you can edit information when necessary.

To change computer information:

1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab, then click List.
5. Select a computer account.
6. In the List pane, select the computer whose information you want to edit, and click Edit.
7. Change information in the information fields as needed.

Moving a Computer to a Different Computer Account

Occasionally, you may want to group computers differently. Workgroup Manager lets you conveniently move computers from one list to another. Computers cannot belong to more than one list, and you cannot move computers to the Guest Computers account.

To move a computer from one list to another:

1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab, then click List.
5. Select a computer account.
6. In the List pane, select the computer you want to move, and click Edit.
7. Select a new computer account in the “Move to list” pop-up menu, and click OK.

Deleting Computers From a Computer List

When you delete a computer from a computer account, that computer is no longer managed.

To delete a computer from a list:

1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab, then click List.
5. Select a computer account.
6. In the List pane, select one or more computers in that account’s computer list.
7. Click Remove.

Deleting a Computer Account

If you no longer need an entire computer account, you can delete it. You cannot delete the Guest Computers account.

To delete a computer account:

1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab, then click List.
5. Select a computer account.
6. Choose “Delete Selected Computer List” from the Server menu.

Searching for Computer Accounts

Workgroup Manager has a search feature that allows you to find specific computer accounts quickly. You can search within a selected domain and filter search results.

To search for computer accounts:

1. Open Workgroup Manager.
2. Click the lock and enter your user name and password.
3. Click Accounts, then click the Computers tab.
4. Using the At pop-up menu below the computer accounts list, limit your search to one of the following locations:
   Local Directory: Search for account records on local volumes only.
   Search Path: Search for account records using the path defined in Directory Setup for the computer where you are logged in (for example, myserver.mydomain.com).
   Other: Browse and select an available directory domain to search for account records.
5. Select an additional filter from the filter pop-up menu next to the search field, if you wish.
6. Type search terms in the search field, then press Return.

Managing Guest Computers

If an unknown computer (one that isn’t already in a computer account) connects to your network and attempts to access services, that computer is treated as a “guest.” Settings chosen for the Guest Computers account apply to these unknown or “guest” computers.
Using the Guest Computers account is not recommended for large numbers of computers. Most of your computers should belong to regular computer lists.

During server software installation, a guest computer record is automatically created only in the original directory domain. Afterward, a server administrator can create additional guest computer accounts in other directory domains. After the account is created, “Guest Computers” appears in the list of computer accounts. Each directory domain can have only one guest computer account. Depending on network organization and setup, you may not be able to create a guest computer account in certain directory domains.

Note: You cannot add or move computers to the Guest Computers account, and you cannot change the list name.

To set up the Guest Computers account:

1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the guest computer account you want to modify, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab.
5. Select Guest Computers in the account list.
6. Click List, then select a Preferences setting. Select Enable if you want to set up managed preferences. If you select this option, you should click Cache, and then set how often you want to update preferences. Select Inherit if you want guest computers to have the same managed preference settings as the parent server.
7. Click Access and select the settings you want to use.
8. Click Cache and set an interval for clearing the preferences cache, then click Save.

After you set up the Guest Computers account, you can manage preferences for it if you wish. For more information about using managed preferences, see “Managing Preferences” on page 282.

If you do not select settings or preferences for the Guest Computers account, guest computers are not managed.
However, if the person using the computer has a Mac OS X Server user account with managed user or group preferences, those settings still apply when the user connects to your network and logs in. If the user has an administrator account on the computer, he or she can choose not to be managed at login. Unmanaged users can still use the “Go to Folder” command to access a home directory on the network.

To delete the Guest Computers account, select the account in the list of computer accounts, then choose Delete from the Edit menu.

Working With Access Settings

Settings in the Access pane let you make computers in a list available to users in groups. You can allow only certain groups to access computers in a list, or you can allow all groups (and therefore, all users) to access the computers in a list. You can also control certain aspects of local user access.

Restricting Access to Computers

You can reserve computers so that only certain users have access to them. This can make it easier to provide access to limited resources. For example, if you have two computers set up with the appropriate hardware and software needed to import and edit video, you can reserve those computers for users who need to do video production. First, make sure the user accounts exist, then add the users to a “video production” group, then give only that group access to your video production computers.

Note: A user with a local administrator account may always log in.

To reserve computers for specific groups:

1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab.
5. Select a computer account, then click Access.
6. Select “Restrict to groups below.”
7. Click Add, then select one or more groups and drag them to the list.
   To remove an allowed group, select it and click Remove.

Making Computers Available to All Users

If you want, you can make computers in a list available to any user in any group account you set up.

To make computers available to all users:

1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab.
5. Select a computer account, then click Access.
6. Select “All groups can use the computer.”

Using Local User Accounts

Local accounts are useful for both stationary and mobile computers with either single or multiple users. Anyone with a local administrator account on a client computer can create local user accounts using the Accounts pane of System Preferences. Local users authenticate locally.

If you plan to supply individuals with their own portable computers (iBooks, for example), you may want to make the user a local administrator for the computer. A local administrator has more privileges than a local or network user. For example, a local administrator can add printers, change network settings, or select not to be managed.

The easiest way to manage preferences for local user accounts is to manage preferences for the computer that has those local accounts and for the workgroups assigned to the computer.

To provide access for users with local accounts:

1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3. Click the lock and enter your user name and password.
4. Click the Computers tab.
5. Select a computer account that contains computers with local users, then click Access.
6. The account you select must allow local users to log in. Make sure “Allow users with local-only accounts” is selected.
7. If you want local users to see a list of all available workgroups during login, select “All groups can use the computer.”
8. If you want to show only certain workgroups to users during login, select “Restrict to groups below,” and add groups to the list.
9. Click Save.

Managing Portable Computers

It is important to plan how you want to manage portable computers that have access to your network. This section gives suggestions for managing portable computers used by either multiple users or an individual user.

Unknown Portable Computers

To manage users who have their own personal portable computers running Mac OS X system software, you can use the Guest Computers account to apply computer-level management for unknown or “guest” computers on your network. If these users log in using a Mac OS X Server user account, user and group managed preferences and account settings also apply. For more information about setting up the Guest Computers account for Mac OS X users, see “Managing Guest Computers” on page 277. For information about managing unknown portable computers that use Mac OS 9 or OS 8 system software, see “Providing Quick Access to Unimported Users” on page 429.

Portable Computers With Multiple Local Users

One example of shared portable computers is an iBook Wireless Mobile Lab. An iBook Wireless Mobile Lab contains either 10 or 15 student iBooks (plus an additional iBook for an instructor), an AirPort base station, and a printer, all on a mobile cart. The cart lets you take the computers to your users (for example, from one classroom to another).

To manage the iBooks on your cart, create identical generic local user accounts on each computer (for example, all the accounts could use “Math” as the user name and “student” as the password). You might want to create different generic local accounts for different purposes, such as one for a History class, one for a Biology class, and so on.
Each account should have a local home directory and should not have administrative privileges. Use a separate local administrator account on each computer to allow server administrators (or other individuals) to perform maintenance tasks and upgrades, install software, and administer the local user accounts.

After creating the local user accounts, add each of the computers to a computer list, then manage preferences for that list. Because multiple users can store items in the local home directory for the generic account, you may want to periodically clean out that folder as part of your maintenance routine.

Portable Computers With One Primary Local User

There are two ways to set up portable computers for a single user.

• The user does not have administrator privileges, but has a local account. Set up a local administrator account on the computer (do not give the user information about this account), then set up a local account for the user. Users with local accounts that do not have administrator privileges cannot install software and can only add or delete items in their own home directories. A local user can share items with other local users by using the Public folder in his or her local home directory.

• The user is the administrator for the computer. If the user is the local administrator, he or she can choose during login whether or not to be managed. For example, in order to access servers at school, the user should choose to be managed at login, but at home he or she may prefer not to be managed, since access to the school servers may not be available. If the user also has a Mac OS X Server user account and network access is available, it may still be preferable to log in using the local account in order to reduce network traffic. The user can connect to his or her network home directory (to store or retrieve documents, for example) via the “Go to Folder” command in the Finder’s Go menu.
Using Wireless Services

You can provide wireless network service to managed clients using AirPort, for example. When a user with a portable computer leaves the wireless area or changes to a different network directory server (by moving out of one wireless area and into another), client management settings may be different. Users may notice that some network services, such as file servers, printers, shared group volumes, and so forth, are unavailable from the new location. Users can purge these unavailable resources by logging out and logging in again.

If you need more information about using AirPort, consult the AirPort documentation or visit the Web site: www.apple.com/airport/

How Workgroup Manager Works With System Preferences

Workgroup Manager allows administrators to set and lock certain system settings for users on their network. You can set preferences once and allow users to change them, you can keep preferences under administrative control at all times and allow no user changes, or you can choose not to impose any settings at all.

In addition to various settings for users, groups, and computer accounts, Workgroup Manager provides control over these preferences:

Preference pane   What you can manage
Applications      Applications and system preferences available to users
Classic           Classic startup settings, sleep settings, and the availability of Classic items such as Control Panels
Dock              Dock location, behavior, and items
Finder            Finder behavior, desktop appearance and items, and availability of Finder menu commands
Internet          Email account preferences and Web browser preferences
Login             Login window appearance and items that open automatically when a user logs in
Media Access      Settings for CDs, DVDs, and recordable discs, plus settings for internal and external disks such as hard drives or floppy disks
Printer           Available printers and printer access

Managing Preferences

In Workgroup Manager, information about users, groups, and computer accounts is integrated with directory services. Once you’ve set up users, groups, and computer accounts, you do not have to import them into a separate tool in order to manage them on Mac OS X client computers. Managing preferences means you can control settings for certain system preferences in addition to controlling user access to system preferences, applications, printers, and removable media.

Workgroup Manager stores information about settings and preferences in user, group, or computer records on the Mac OS X server. Group preferences are stored on the group volume. User preferences are stored in the user’s home directory (the Home folder on Mac OS X clients).

After user, group, and computer accounts are created, you can start managing preferences for them using the Preferences pane in Workgroup Manager. To manage preferences for Mac OS X clients, you must make sure each user you want to manage has a home directory. If a user doesn’t have a home directory, he or she will not be able to log in. For information about how to set up a group volume or how to set up home directories for users, see Chapter 3, “Users and Groups.”

About the Preferences Cache

Only local user accounts use a preference cache. The preference cache is created on the local hard drive when a user logs in. The cache stores only preferences for the computer account to which that computer belongs and preferences for groups associated with that computer, but this can influence how a user is managed offline.

The cached preferences can help you manage local user accounts on portable computers even when they are not connected to a network. For example, you can create an account for the set of computers you want to manage, and then manage preferences for the computer accounts. Next, make these computers available to groups, then manage preferences for the groups.
Finally, set up local user accounts on the computers, and associate those users with the groups you already manage. Now, if a user goes offline or disconnects from your network, he or she is still managed by the computer and group preferences in the cache.

Updating the Managed Preferences Cache

You can update a user’s managed preference cache regularly. This setting applies only to computer accounts. The computer checks the server for updated preferences according to the schedule you set.

To set an update interval for the managed preferences cache:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Preferences.
3. Click the lock and enter your user name and password.
4. Click the Computers tab and select a computer account in the list.
5. Click Cache.
6. Type in a number representing how frequently you want to update the cache, then choose an update interval (seconds, minutes, hours, days, or weeks) from the pop-up menu. For example, you could update the cache every 5 days.

Updating Cached Preferences Manually

When you need to, you can manually update the managed preferences cache for every computer in a selected computer list. When the cache is updated manually, it will not be updated again automatically until the set interval has passed.

To update the managed preferences cache:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the computer account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Click the Computers tab and select a computer account from the list.
5. Click Cache, then click “Update the Cache.”

How Preference Management Works

Managed preference settings can be applied to user, group, or computer accounts.
The final set of preferences a user has is a combination of preference settings for his or her own user account, preferences for the workgroup chosen at login, and preferences for the computer he or she is currently using. For some preferences, such as Finder preferences, user settings override group settings and group settings override computer settings. Other preferences, such as printer preferences, have an additive result. For example, the final list of printers available to a user is a combination of the computer printer list, the group printer list, and the user’s printer list. Preferences for applications, Dock items, and login items behave in a similar manner.

In some cases, you may find it easier and more useful to set certain preferences for only one type of record. For example, you could set printer preferences only for computers, set application preferences only for workgroups, and set Dock preferences only for users. In such a case, no override or addition occurs for these preferences because the user inherits them without competition.

[Figure: how Computer (C), Group (G), and User (U) preferences combine into the C+G+U result, with each preference shown as Added, Overridden, or Inherited]

Preference Management Options

When you manage preferences for a user, group, or computer account, you can choose to set the preferences once, always, or never using radio buttons in the management bar.

Managing a Preference Once

If you want to manage a preference initially for users, but allow them to make changes if they have that privilege, select Once in the management bar. When a user logs in, preference files in his or her home directory are updated with any preferences that are managed “once.” These preference files are time stamped. If you update settings for a preference that is managed once, Workgroup Manager applies the most recent version to the user’s preference files the next time he or she logs in. For some preferences, such as Classic preferences or Media Access preferences, Once is not available.
You can only select Never or Always.

Always Managing a Preference

You can force preference settings for a user by selecting Always in the management bar. The next time the user logs in, the preference reverts to the original settings chosen by the administrator even if the user is allowed to change the settings. Preferences that are “always” managed are stored in the /Library/Managed Preferences folder.

Never Managing a Preference

If you don’t want to manage settings for a preference at all, select Never in the management bar. If you provide users with access to an unmanaged preference, they can change settings as they wish. “Never” is the default setting for all preferences.

Managing User Preferences

You can manage preferences for individual users as needed. However, if you have large numbers of users, it may be more efficient to manage most preferences by group and computer instead. You might want to manage preferences at the user level only for specific individuals, such as directory domain administrators, teachers, or technical staff. You should also consider which preferences you want to leave under user control. For example, if you aren’t concerned about where a user places the Dock, you might want to set Dock Display management to Never.

To manage user preferences:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the user account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Click the Users tab and select a user account in the account list.
5. Click the icon for the preference you want to manage.
6. In each tab for that preference, choose a management setting. Then select preference settings or fill in information you want to use. Some management settings are not available for some settings, and some preferences are not available to some types of accounts.
Two preferences (Printing and Media Access) allow only one management setting that applies to all options for that preference.
7. When you are finished, click Apply Now.

Managing Group Preferences

Group preferences are shared among all users in the group. Setting some preferences only for groups instead of for each individual user can save space, especially when you have large numbers of managed users. Because users can select a workgroup at login, they have the opportunity to choose a group with managed settings appropriate to the current task, location, or environment. It can be more efficient to set preferences once for a single group instead of setting preferences individually for each member of the group.

To manage group preferences:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the group account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a group account in the account list.
5. Click the icon for the preference you want to manage.
6. In each tab for that preference, choose a management setting. Then select preference settings or fill in information you want to use. Some management settings are not available for some settings, and some preferences are not available to some types of accounts. Two preferences (Printing and Media Access) allow only one management setting that applies to all options for that preference.
7. Click Apply Now.

Managing Computer Preferences

Computer preferences are shared among all computers in a list. In some cases, it may be more useful to manage preferences for computers instead of for users or groups.

To manage computer preferences:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the user account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a computer account in the account list.
5. In each tab for that preference, choose a management setting. Then select preference settings or fill in information you want to use. Some management settings are not available for some settings, and some preferences are not available to some types of accounts. Two preferences (Printing and Media Access) allow only one management setting that applies to all options for that preference.
6. In each tab for that preference, select the settings you want to use.
7. Click Apply Now.

Editing Preferences for Multiple Records

You can edit preferences for more than one user, group, or computer account at a time. If some settings are not the same for two or more accounts, you may see a “mixed-state” slider, radio button, checkbox, text field, or list. For sliders, radio buttons, and checkboxes, a dash is used to indicate that the setting is not the same for all selected accounts. For text fields, the term “Varies...” indicates a mixed state. Lists show a combination of items for all selected accounts.

If you adjust a mixed-state setting, every account will have the new setting you choose. For example, suppose you select three group accounts that each have different settings for the Dock size. When you look at the Dock Display preference pane for these accounts, the Dock Size slider is centered and has a dash on it. If you change the position of the Dock Size slider to Large, all selected accounts will have a large-size Dock.

Disabling Management for Specific Preferences

After you set up managed preferences for any account, you can turn off management for specific preference panes by setting the management setting to Never.

To selectively disable preference management:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list.
5. Click the icon for a preference that is currently being managed.
6. Click the tab containing the preference settings you no longer want to manage. Two preferences (Printing and Media Access) do not have a management settings bar for each tab. Instead, a management bar is displayed above the tabs.
7. Select Never in the management settings bar.
8. Click Apply Now.

When you change the preference management settings, the new setting applies to all items in the active preference pane. If you want to disable all preference management for an individual preference (for example, Dock), make sure the management setting is set to Never in each pane of that preference.

Managing Applications Preferences

Use Applications settings to provide access to applications and to select which items appear in System Preferences.

Applications Items Preferences

Applications Items settings let you create lists of “approved” applications users are allowed to open, and you can allow users to open items on local volumes.

Creating a List of Approved Applications

You need to provide access to the applications you want users to open. To do this, use Items settings for the Applications preference and create a list of “approved” applications. If an application is not on the list, a user cannot open it. You can, however, allow applications to open “helper applications” that are not listed.

You can make applications available to multiple users by managing Items settings for the Applications preference for groups or computer accounts. You can also set this preference for individual users.

To add applications to a user’s list:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list.
5. Click the Applications preference icon, then click Items.
6. Set the management setting to Always.
7. Click Add to browse for the application you want, then add it to the list. To select multiple items, hold down the Command key.
8. When you have finished adding applications to the list, click Apply Now.

Preventing Users From Opening Applications on Local Volumes

When users have access to local volumes, they can access applications on the computer’s local hard drive, in addition to approved applications on CDs, DVDs, or other external disks. If you don’t want to allow this, you can disable local volume access.

To prevent access to local applications:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list.
5. Click the Applications preference icon, then click Items.
6. Set the management setting to Always.
7. Deselect “User can open items on local volumes.”
8. Click Apply Now.

Managing Application Access to Helper Applications

Sometimes, applications need to use “helper applications” for tasks they cannot complete themselves. For example, if a user tries to open a Web link in an email message, the email application might need to open a Web browser application to display the Web page.

When you make an application list available for users, groups, or computer accounts, you may want to include common helper applications in that list. For example, if you give users access to an email application, you might also want to add a Web browser, a PDF viewer, and a picture viewer to avoid problems opening and viewing email contents or attached files.

When you set up a list of “approved” items in the Applications preference settings, you can choose whether to allow applications to use helper applications that aren’t in the “approved” items list.

To manage access to helper applications:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list.
5. Click the Applications preference icon, then click Items.
6. Set the management setting to Always.
7. If you have not already created a list of approved applications, do so now. Click Add to browse for the application you want to add to the list. To remove an application from the list, select it and click Remove. If you want to allow helper applications, be sure those applications are added to the list.
8. Select “Allow approved applications to open non-approved applications” to allow access to helper applications. Deselect this option to disable it.
9. Click Apply Now.

Applications System Preferences

You can choose which system preferences users see when they open System Preferences.

Managing Access to System Preferences

When you show an item in System Preferences, a user can open the preference, but may or may not be able to change its settings. For example, if you set preference management for the Dock to Always and you make Dock preferences available in System Preferences, a user can view the settings but cannot make any changes.

Some System Preferences may not be available on your administrator computer. You should either install the missing preferences on the administrator computer you are using, or use Workgroup Manager on an administrator computer that has those preferences installed.

To manage access to System Preferences:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list, then click the Applications preference icon.
5. Click System Preferences.
6. Set the management setting to Always.
7. Deselect the Show checkbox for each item you do not want to display in a user’s System Preferences. Click Show None to deselect every item in the list. Click Show All to select every item in the list.
8. Click Apply Now.

Managing Classic Preferences

Classic Preferences are used to set Classic startup options, select the Classic System Folder and set sleep options for Classic, and make certain Apple menu items available to users.

Classic Startup Preferences

Startup settings affect what happens when Classic starts.

Making Classic Start Up After a User Logs In

If users often need to work with applications that run in Classic, it is convenient to have Classic start up immediately after a user logs in.

To start Classic after login:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list.
5. Click the Classic preference icon, then click Startup.
6. Set the management setting to Always.
7. Select “Start up Classic on login to this computer.”
8. If you don’t want users to see the Classic startup screens, select “Hide Classic while starting.”
9. Select “Warn at Classic startup” to show an alert when Classic starts.
10. Select “Show Classic in the menu bar” to place a Classic icon in the menu bar.
11. Click Apply Now.

Choosing a Classic System Folder

If the name of the hard disk or volume containing the Mac OS 9 System Folder is Macintosh HD, you do not have to specify a Classic System Folder. If you want to use a specific Mac OS 9 System Folder when Classic starts up, you can specify it in the Classic preference pane in Workgroup Manager.

To choose a specific Classic System Folder:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list.
5. Click the Classic preference icon, then click Startup.
6. Set the management setting to Always.
7. Type in the path to the Classic System Folder you want to use (make certain the path you specify does not contain errors), or use Choose to browse for the folder you want.
8. Click Apply Now.

Classic Advanced Preferences

Advanced preference settings for Classic let you control items in the Apple menu, Classic sleep settings, and the user’s ability to turn off extensions or rebuild Classic’s desktop file during startup.

Allowing Special Actions During Restart

You can allow users to perform special actions, such as turning off extensions or rebuilding Classic’s desktop file, when they restart computers. You may want to allow this privilege for specific users, such as members of your technical staff.

To allow special actions during restart:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list.
5. Click the Classic preference icon, then click Advanced.
6. Set the management setting to Always.
7. Select “Allow special startup modes.”
8. Click Apply Now.

Keeping Control Panels Secure

If you don’t want users to have access to Mac OS 9 control panels, you can remove the Control Panels item from the Apple menu.

To prevent access to Control Panels:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list, then click the Classic preference icon.
5. Click Advanced, and set the management setting to Always.
6. Select “Hide Control Panels.”
7. Click Apply Now.

Preventing Access to the Chooser and Network Browser

If you don’t want users to have access to the Chooser or Network Browser in Classic, you can remove these items from the Apple menu.

To remove the Chooser and Network Browser from the Apple menu:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list, then click the Classic preference icon.
5. Click Advanced and set the management setting to Always.
6. Select “Hide Chooser and Network Browser.”
7. Click Apply Now.

Making Apple Menu Items Available in Classic

You can hide or reveal Apple menu items (other than the Chooser, Network Browser, or Control Panels) as a group. This group includes items such as Calculator, Key Caps, and Recent Applications.

To show other Apple menu items:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list, then click the Classic preference icon.
5. Click Advanced and set the management setting to Always.
6. Deselect “Hide other Apple menu items.”
7. Click Apply Now.

Adjusting Classic Sleep Settings

When no Classic applications are open, Classic will go to sleep to reduce its use of system resources. You can adjust the amount of time Classic waits before going to sleep after a user quits the last Classic application. If Classic is in sleep mode, opening a Classic application may take a little longer.

To adjust Classic sleep settings:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list, then click the Classic preference icon.
5. Click Advanced and set the management setting to Always.
6. Drag the slider to set how long Classic waits before going to sleep. If you don’t want Classic to go to sleep at all, drag the slider to Never.
7. Click Apply Now.

Managing Dock Preferences

Dock settings allow you to adjust the behavior of the user’s Dock and specify what items appear in it.

Dock Display Preferences

Dock Display preferences control the Dock’s position and behavior.

Controlling the User’s Dock

Dock settings allow you to adjust the position of the Dock on the desktop and change the Dock’s size. You can also control animated Dock behaviors.

To set how the Dock looks and behaves:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list, then click the Dock preference icon.
5. Click Dock Display.
6. Select a management setting (Once or Always).
7. Drag the Dock Size slider to make the Dock smaller or larger.
8. If you want items in the Dock to be magnified when a user moves the pointer over them, select the Magnification checkbox, then adjust the slider. Magnification is useful if you have many items in the Dock.
9. If you don’t want the Dock to be visible all the time, select “Automatically hide and show the Dock.” When the user moves the pointer to the edge of the screen where the Dock is located, the Dock pops up automatically.
10. Select whether to place the Dock on the left, right, or bottom of the desktop.
11. Select a minimizing effect.
12. If you don’t want to use animated icons in the Dock when an application opens, deselect “Animate opening applications.”
13. Click Apply Now.

Dock Items Preferences

Dock Items settings allow you to add and arrange items in a user’s Dock.

Adding Items to a User’s Dock

You can add applications, folders, or documents to a user’s Dock for easy access.

To add items to the Dock:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list, then click the Dock preference icon.
5. Click Dock Items.
6. Select a management setting (Once or Always).
7. To add individual applications, regular folders, and documents to the Dock, click Add to browse and select the item you want. To remove a Dock item, select it and click Remove. You can rearrange Dock items in the list by dragging them into the order in which you want them to appear. Applications are always grouped at one end; folders and files are grouped at the other.
8. When you have finished adding regular and special Dock items, click Apply Now.

Preventing Users From Adding Additional Dock Items

Ordinarily, users can add additional items to their own Docks, but you can prevent this. Users cannot remove Dock items added by the administrator.

To prevent users from adding items to their Docks:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list, then click the Dock preference icon.
5. Click Dock Items, then set the management setting to Always.
6. Deselect “Users may add and remove additional Dock items.”
7. Click Apply Now.
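The combination rules described under “How Preference Management Works” (override for Finder-type panes, additive for printer, application, Dock item and login item lists), the Once/Always/Never management modes, and the Applications Items allowlist rules (approved list, helper applications, local volumes) modelled together as an added example. This is not Apple’s or Workgroup Manager’s code; the record layout, pane names, sample paths, the assumption that Dock Display overrides like Finder does, and the treatment of /Volumes as the external-disk mount point are all assumptions.

```python
# Added example, not Apple's or Workgroup Manager's code: a model of how
# computer, group and user preferences combine, and of the Applications
# Items allowlist check. Record layout, pane names and paths are assumptions.
from dataclasses import dataclass, field
from typing import Optional

# The guide states that Finder preferences override (user > group > computer)
# while printer, application, Dock item and login item lists are additive.
# Treating Dock Display as an override pane is an assumption of this example.
OVERRIDE_PANES = {"Finder", "Dock Display"}
ADDITIVE_PANES = {"Printer", "Dock Items", "Applications Items", "Login Items"}
LEVELS = ("computer", "group", "user")      # least to most specific


@dataclass
class ManagedPane:
    mode: str                                # "Never", "Once" or "Always"
    settings: dict = field(default_factory=dict)


def effective_preferences(computer: dict, group: dict, user: dict) -> dict:
    """Combine three records (pane name -> ManagedPane) into what the user
    actually receives. Each entry also records the contributing levels and
    the management mode of the most specific level (an assumption)."""
    records = dict(zip(LEVELS, (computer, group, user)))
    result = {}
    for pane in set(computer) | set(group) | set(user):
        # "Never" means unmanaged at that level, so that level is skipped.
        managed = [(lvl, records[lvl][pane]) for lvl in LEVELS
                   if pane in records[lvl] and records[lvl][pane].mode != "Never"]
        if not managed:
            continue
        if pane in ADDITIVE_PANES:
            merged: dict = {}
            for _, mp in managed:
                for key, value in mp.settings.items():
                    if isinstance(value, list):   # lists accumulate, de-duplicated
                        merged.setdefault(key, [])
                        merged[key] += [v for v in value if v not in merged[key]]
                    else:                         # assumption: scalar flags are
                        merged[key] = value       # taken from the most specific level
            contributors = [lvl for lvl, _ in managed]
        else:
            merged = dict(managed[-1][1].settings)  # most specific level wins outright
            contributors = [managed[-1][0]]
        result[pane] = {"settings": merged, "from": contributors,
                        "mode": managed[-1][1].mode}
    return result


def is_on_local_volume(path: str) -> bool:
    """Assumption: external and removable disks mount under /Volumes on
    Mac OS X, so any other path is on the local startup disk."""
    return not path.startswith("/Volumes/")


def may_open_application(effective: dict, app: str,
                         parent: Optional[str] = None) -> bool:
    """Apply the Applications Items rules: the approved list, helper
    applications launched by an approved application, and local volumes."""
    pane = effective.get("Applications Items")
    if pane is None:                 # pane unmanaged: nothing is restricted
        return True
    s = pane["settings"]
    approved = set(s.get("approved", []))
    if app in approved:
        return True
    if parent in approved and s.get("allow_helpers", False):
        return True                  # "Allow approved applications to open non-approved applications"
    if s.get("local_volumes", False) and is_on_local_volume(app):
        return True                  # "User can open items on local volumes"
    return False


# Constructed sample records in the spirit of the guide's classroom cart.
COMPUTER = {
    "Printer": ManagedPane("Always", {"printers": ["Lab LaserWriter"]}),
    "Dock Display": ManagedPane("Always", {"position": "bottom", "size": "small"}),
    "Applications Items": ManagedPane("Always", {
        "approved": ["/Applications/Mail.app"],
        "local_volumes": False, "allow_helpers": True}),
}
GROUP = {   # the "Math" workgroup
    "Printer": ManagedPane("Always", {"printers": ["Math Office Inkjet"]}),
    "Dock Items": ManagedPane("Once", {"items": ["/Applications/Calculator.app"]}),
    "Applications Items": ManagedPane("Always",
                                      {"approved": ["/Applications/Calculator.app"]}),
}
USER = {
    "Dock Display": ManagedPane("Once", {"position": "left"}),  # overrides the computer
    "Dock Items": ManagedPane("Never"),                         # unmanaged at user level
}

if __name__ == "__main__":
    eff = effective_preferences(COMPUTER, GROUP, USER)
    print(eff["Printer"]["settings"]["printers"])     # additive: both printers
    print(eff["Dock Display"]["settings"])             # override: {'position': 'left'}
    print(may_open_application(eff, "/Applications/Safari.app", "/Applications/Mail.app"))
```

Run on the constructed records, the user keeps the group's Dock items even though the user-level pane is set to Never, and Safari opens only as a helper of the approved Mail application because local volumes are disabled.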
Managing Finder Preferences

Finder Preferences allow you to control various aspects of Finder menus and windows.

Finder Preferences

Use the Finder Preferences settings in Workgroup Manager to select a Finder type for the user, show or hide items mounted on the desktop, and control Finder window behaviors. You can also make file extensions visible and show users a warning if they attempt to empty the Trash.

Keeping Disks and Servers From Appearing on the User’s Desktop

Normally when a user inserts a disk, that disk’s icon appears on the desktop. Icons for local hard disks or disk partitions and mounted server volumes are also visible. If you don’t want users to see these items on the desktop, you can hide them. These items still appear in the top-level directory when a user clicks the Computer icon in a Finder window toolbar.

To hide disk and server icons on the desktop:
1. Open Workgroup Manager.
2. Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3. Click the lock and enter your user name and password.
4. Select a user, group, or computer account in the account list, then click the Finder preference icon.
5. Click the Preferences tab and select a management setting (Once or Always).
6. Under “Show these items on the Desktop,” deselect the items you want to hide.
7. Click Apply Now.

Controlling the Behavior of Finder Windows

You can select what directory appears when a user opens a new Finder window. You can also define how contents are displayed when a user opens folders.

To set Finder window preferences:
1. Open Workgroup Manager and click Preferences.
2. Select a user, group, or computer account in the account list, then click the Finder preference icon.
3. Click the Preferences tab and select a management setting (Once or Always).
4. Under “New Finder window shows,” specify the items you want to display.
Select Home to show items in the user’s home directory. Select Computer to show the top-level directory, which includes local disks and mounted volumes.
5 Select “Always open folders in a new window” to display folder contents in a separate window when a user opens a folder. Normally, Mac OS X users can browse through a series of folders using a single Finder window.
6 Select “Always open windows in Column View” to maintain a consistent view among windows.
7 Click Apply Now.

Making File Extensions Visible
A file extension usually appears at the end of a file name (for example, “.txt” or “.jpg”). Applications use the file extension to identify the file type.

To make file extensions visible:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click the Preferences tab and select a management setting (Once or Always).
6 Select “Always show file extensions.”
7 Click Apply Now.

Selecting the User Environment
You can select either the regular Finder or the Simplified Finder as the user environment. The regular Finder looks and acts like the standard Mac OS X desktop. The Simplified Finder uses panels and large icons to provide users with an easy-to-navigate interface.

To set the user environment:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click the Preferences tab and select a management setting (Once or Always).
6 Select either “Use normal Finder” or “Use Simplified Finder to limit access to the computer.”
7 Click Apply Now.
Hiding the Alert Message When a User Empties the Trash
Normally, a warning message appears when a user empties the Trash. If you do not want users to see this message, you can turn it off.

To hide the Trash warning message:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click the Preferences tab and select a management setting (Once or Always).
6 Deselect “Show warning before emptying the Trash.”
7 Click Apply Now.

Finder Commands Preferences
Commands in Finder menus and the Apple menu allow users to easily connect to servers or restart the computer, for example. In some situations, you may want to limit user access to these commands. Workgroup Manager lets you control whether or not certain commands are available to users.

Controlling User Access to an iDisk
If users want to connect to an iDisk, they can use the “Go to iDisk” command in the Finder’s Go menu. If you don’t want users to see this menu item, you can hide the command.

To hide the “Go to iDisk” command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Go to iDisk.”
7 Click Apply Now.

Controlling User Access to Remote Servers
Users can connect to a remote server by using the “Connect to Server” command in the Finder’s Go menu and providing the server’s name or IP address. If you don’t want users to have this menu item, you can hide the command.
To hide the “Connect to Server” command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Connect to Server.”
7 Click Apply Now.

Controlling User Access to Folders
Users can open a specific folder by using the “Go to Folder” command in the Finder’s Go menu and providing the folder’s path name. If you don’t want users to have this privilege, you can hide the command.

To hide the “Go to Folder” command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Go to Folder.”
7 Click Apply Now.

Preventing Users From Ejecting Disks
If you don’t want users to be able to eject disks (for example, CDs, DVDs, floppy disks, or FireWire drives), you can hide the Eject command in the Finder’s File menu.

To hide the Eject command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect Eject.
7 Click Apply Now.

Hiding the Burn Disc Command in the Finder
On computers with appropriate hardware, users can “burn discs” (write information to recordable CDs or DVDs).
If you don’t want users to have this privilege, you can hide the Burn Disc command in the Finder’s File menu.

To hide the Burn Disc command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Burn Disc.”
7 Click Apply Now.

To prevent users from using or burning recordable CDs or DVDs, use settings in the Media Access panes. Only computers with a CD-RW drive, Combo drive, or Superdrive can burn CDs. The Burn Disc command will work only with CD-R, CD-RW, or DVD-R disks. Only a Superdrive can burn DVDs.

Removing Restart and Shut Down Commands From the Apple Menu
If you don’t want to allow users to restart or shut down the computers they are using, you can remove the Restart and Shut Down commands from the Apple menu.

To hide the Restart and Shut Down commands:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Restart/Shut Down.”
7 Click Apply Now.

As an additional preventive measure, you can also remove the Restart and Shut Down buttons from the login window using settings for Login preferences. See “Managing Login Preferences” on page 305 for instructions.

Finder Views Preferences
Finder Views allow you to adjust the arrangement and appearance of items on a user’s desktop, in Finder windows, and in the top-level directory of the computer.
Adjusting the Appearance and Arrangement of Desktop Items
Items on a user’s desktop appear as icons. You can control the size of desktop icons and how they are arranged.

To set preferences for the desktop view:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Views, then select a management setting (Once or Always). This setting applies to options in all three view tabs.
6 Click Desktop View.
7 Drag the slider to adjust icon size.
8 Select how you want to arrange icons on the user’s desktop.
Select “None” to allow users to place items anywhere on the desktop.
Select “Always snap to grid” to keep items aligned in rows and columns.
Select “Keep arranged by,” then choose a method from the arrangement pop-up menu. You can arrange items by name, creation or modification date, size, or kind (for example, all folders grouped together).
9 Click Apply Now.

Adjusting the Appearance of Finder Window Contents
Items in Finder windows can be viewed in a list or as icons. You can control aspects of how these items look, and you can also control whether or not to show the toolbar in a Finder window. Default View settings control the overall appearance of all Finder windows. Computer View settings control the view for the top-level computer directory showing hard disks and disk partitions, external hard disks, mounted volumes, and removable media (such as CDs or floppy disks).

To set preferences for the default and computer views:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Views, then select a management setting (Once or Always). This setting applies to options in all three view tabs.
6 Click Default View.
7 Drag the Icon View slider to adjust icon size.
8 Select how you want to arrange icons.
Select None to allow users to place items anywhere on the desktop.
Select “Always snap to grid” to keep items aligned in rows and columns.
Select “Keep arranged by,” then choose a method from the arrangement pop-up menu. You can arrange items by name, creation or modification date, size, or kind (for example, all folders grouped together).
9 Adjust List View settings for the default view.
If you select “Use relative dates,” an item’s creation or modification date is displayed as “Today” instead of “4/12/02,” for example.
If you select “Calculate folder sizes,” the computer calculates the total size of each folder shown in a Finder window. This can take some time if a folder is very large.
Select a size for icons in a list.
10 Select “Show toolbar in Finder windows” if you want the user to see the toolbar.
11 Click Computer View and adjust Icon View and List View settings for the computer view. Available settings are similar to those available for the default view described in steps 5 through 9.
12 Click Apply Now.

Managing Internet Preferences
Internet preferences let you set email and Web browser options.

Setting Email Preferences
Email settings let you specify a preferred email application and supply information for the email address, incoming mail server, and outgoing mail server.

To set email preferences:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Internet preference icon.
5 Click Email and select a management setting (Once or Always).
6 To set the default email reader, click Set and choose the email application you prefer.
7 Type information for the email address, incoming mail server, and outgoing mail server.
8 Select an email account type (either POP or IMAP).
9 Click Apply Now.

Setting Web Browser Preferences
Use Web settings in Internet preferences to specify a preferred Web browser and a place to store downloaded files. You can also specify a starting point URL for your browser using the Home Page location. Use the Search Page location to specify a search engine URL.

To set Web preferences:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Internet preference icon.
5 Click Web and select a management setting (Once or Always).
6 To set the Default Web Browser, click Set and choose a preferred Web browser application.
7 Type a URL for the Home Page. This is the page a user sees when a browser opens.
8 Type a URL for the Search Page.
9 Type a folder location for storing downloaded files, or click Set to browse for a folder.
10 Click Apply Now.

Managing Login Preferences
Use Login preferences to set user login options, provide password hints, and control the user’s ability to restart and shut down the computer from the login screen. You can also mount the group volume or make applications open automatically after a user logs in.

Login Window Preferences
Login Window settings affect the appearance and function of items in the login window.

Deciding How a User Logs In
Depending on the settings you choose, a user will see either a name and password text field or a list of users in the login window. These settings apply only to computer accounts.
To set up how a user logs in:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a computer account in the account list, then click the Login preference icon.
5 Click Login Window and set the management setting to Always.
6 Select how the user logs in.
To require the user to type his or her username and password, select “Name and password entry fields.”
To allow a user to select his or her name from a list, select “List of users able to access this computer.”
7 If you decide to use a list of users, select categories of users you want to display in the list.
Select “Show local users” to include local user accounts in the list.
Select “Show network users” to include network users in the list.
Select “Show administrators” to include users with administrator privileges in the list.
If you allow unknown users, you can select “Show other users.”
8 Click Apply Now.

Helping Users Remember Passwords
You can use a “hint” to help users remember their passwords. After three consecutive attempts to log in with an incorrect password, a dialog box displays the hint you created.

To show a password hint:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Login preference icon.
5 Click Login Window and set the management setting to Always.
6 Select “Show password hint after 3 attempts to enter a password.”
7 Click Apply Now.

Preventing Restarting or Shutting Down the Computer at Login
Normally, the Restart and Shut Down buttons appear in the login window. If you don’t want the user to restart or shut down the computer, you should hide these buttons.
You may also want to hide the Restart and Shut Down commands in the Finder menu. See “Managing Finder Preferences” on page 296 for instructions. Check the Commands pane of Finder preferences and make sure “Restart/Shut Down” is not selected.

To hide the Restart and Shut Down buttons:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Login preference icon.
5 Click Login Window and set the management setting to Always.
6 Select “Hide Restart and Shut Down buttons in the Login Window.”
7 Click Apply Now.

Login Items Preferences
Settings for Login Items allow you to open applications or mount the group volume automatically for the user.

Opening Applications Automatically After a User Logs In
You can have frequently used applications ready for use shortly after a user logs in. If you open several items, you can hide them after they open. This prevents excess clutter on the user’s screen, but the applications remain open and accessible. As the listed applications open, they “stack” on top of each other in the Finder. The last item in the list is closest to the front of the Finder. For example, if you have three items in the list and none of them are hidden, the user sees the menu bar for the last item opened. If an application has open windows, they may overlap windows from other applications.

To make applications open automatically:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Login preference icon.
5 Click Login Items and select a management setting (Once or Always).
6 To add an item to the list, click Add.
7 Select the Hide checkbox for any item you don’t want the user to see right away. The application remains open, but its windows and menu bar remain hidden until the user activates the application (for example, by clicking its icon in the Dock).
8 Deselect “User may add and remove additional login items” if you do not want users to have this privilege. Users cannot remove items added to this list by an administrator, but users can remove items they’ve added themselves.
9 To prevent users from stopping applications that open automatically at login, deselect “User may press Shift to keep applications from opening.”
10 Click Apply Now.

Managing Media Access Preferences
Media Access preferences let you control settings for and access to CDs, DVDs, the local hard drive, and external disks (for example, floppy disks and FireWire drives).

Media Access Disc Media Preferences
Disc Media settings affect only CDs, DVDs, and recordable discs (for example, a CD-R, CD-RW, or DVD-R). Computers that do not have appropriate hardware to use CDs, DVDs, or recordable discs are not affected by these settings.

Controlling Access to CDs and DVDs
If a computer can play or record CDs or DVDs, you can control what type of media users can access. You cannot restrict access to individual CDs or DVDs or specific items on them. You can, however, choose not to allow any CDs or DVDs. You can also limit access by requiring an administrator’s user name and password.

To control access to CDs and DVDs:
1 Open Workgroup Manager and click Preferences.
2 Select a user, group, or computer account in the account list, then click the Media Access preference icon.
3 Set the management setting to Always. This setting applies to all Media Access preference options.
4 Click Disc Media.
5 Choose settings for CDs and CD-ROMs.
Select the Allow checkbox next to CDs & CD-ROMs to let users access music, data, or applications on compact discs.
To restrict access to compact discs, select Require Authentication to require an administrator user name and password.
To prevent access to all compact discs, deselect Allow.
6 Choose settings for DVDs.
Select the Allow checkbox next to DVDs to let users access movies and other information on digital video discs.
To restrict access to DVDs, select Require Authentication to require an administrator user name and password.
To prevent access to all DVDs, deselect Allow.
7 Click Apply Now.

Controlling the Use of Recordable Discs
If a computer has the appropriate hardware, users can “burn discs” or write information to a recordable disc such as a CD-R, CD-RW, or DVD-R. Users can burn CDs on computers with a CD-RW drive, Combo drive, or Superdrive. Users can burn DVDs only on computers with a Superdrive. If you want to limit the ability to use recordable media, you can require an administrator’s user name and password. Alternatively, you could allow users to read information on a recordable disc, but not allow them to burn a disc themselves.

To control the use of recordable discs:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Media Access preference icon.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Disc Media.
7 Select options for recordable media.
Select the Allow checkbox next to Recordable Discs to let users use a CD-R, CD-RW, or DVD-R disc.
Select the Authentication checkbox to require an administrator password to use the disc.
To prevent users from recording information to compact discs or DVD-R discs, deselect Allow.
8 Click Apply Now.
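The Finder Commands, Login Window and Disc Media procedures above each flip individual checkboxes, and the two caveats that matter most for a shared computer (Restart/Shut Down must be hidden in both the Finder and the login window, and these panes must be managed Always rather than Once) are easy to lose across many accounts. The following audit script is an added example, not part of the original guide: it checks a constructed property-list export of those settings against a shared-lab baseline. The export layout, and the use of the checkbox labels on this page as keys, are assumptions; they are not Apple’s real managed-preference keys.

```python
"""Audit exported Workgroup Manager settings against a shared-lab baseline.

Assumed (hypothetical) export layout: one entry per preference pane, each
with a management "state" ("once" or "always") and a "settings" dictionary
keyed by the checkbox label.  True means the checkbox is selected."""
import plistlib

# Constructed sample export (not a real Workgroup Manager file).
SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Finder Commands</key>
  <dict>
    <key>state</key><string>always</string>
    <key>settings</key><dict>
      <key>Connect to Server</key><false/>
      <key>Go to Folder</key><false/>
      <key>Burn Disc</key><true/>
      <key>Restart/Shut Down</key><false/>
    </dict></dict>
  <key>Login Window</key>
  <dict>
    <key>state</key><string>once</string>
    <key>settings</key><dict>
      <key>Hide Restart and Shut Down buttons in the Login Window</key><false/>
    </dict></dict>
  <key>Disc Media</key>
  <dict>
    <key>state</key><string>always</string>
    <key>settings</key><dict>
      <key>Recordable Discs Authentication</key><false/>
    </dict></dict>
</dict>
</plist>
"""

HIDE_BUTTONS = "Hide Restart and Shut Down buttons in the Login Window"

# Desired state for a shared lab computer, following the procedures on
# this page: hide the Finder commands that reach servers, arbitrary
# folders and the burner; remove Restart/Shut Down from the Finder and
# the login window; require an administrator to burn discs.
LAB_BASELINE = {
    "Finder Commands": {"Connect to Server": False, "Go to Folder": False,
                        "Burn Disc": False, "Restart/Shut Down": False},
    "Login Window": {HIDE_BUTTONS: True},
    "Disc Media": {"Recordable Discs Authentication": True},
}

# Panes whose procedures on this page call for the Always setting; Once
# only seeds the preference and leaves the user free to change it later.
ALWAYS_REQUIRED = {"Finder Commands", "Login Window", "Disc Media"}


def audit(export: bytes, baseline=LAB_BASELINE) -> list:
    """Return a sorted list of drift findings; an empty list is compliant."""
    managed = plistlib.loads(export)
    findings = []
    for pane, wanted in baseline.items():
        entry = managed.get(pane)
        if entry is None:
            findings.append(f"{pane}: pane is not managed")
            continue
        state = entry.get("state")
        if pane in ALWAYS_REQUIRED and state != "always":
            findings.append(f"{pane}: management setting is {state!r}, must be 'always'")
        settings = entry.get("settings", {})
        for label, expected in wanted.items():
            actual = settings.get(label)
            if actual != expected:
                findings.append(f"{pane}: '{label}' is {actual}, expected {expected}")
    # The page's paired advice: the Finder command and the login window
    # buttons must be hidden together, or one path to a reboot remains.
    finder_cmds = managed.get("Finder Commands", {}).get("settings", {})
    login_win = managed.get("Login Window", {}).get("settings", {})
    finder_hidden = finder_cmds.get("Restart/Shut Down", True) is False
    buttons_hidden = login_win.get(HIDE_BUTTONS, False) is True
    if finder_hidden != buttons_hidden:
        findings.append("Restart/Shut Down is restricted in only one place "
                        "(Finder menu vs. login window)")
    return sorted(findings)


def enforce_baseline(export: bytes, baseline=LAB_BASELINE) -> bytes:
    """Return the export with the baseline applied and Always set where required."""
    managed = plistlib.loads(export)
    for pane, wanted in baseline.items():
        entry = managed.setdefault(pane, {"state": "always", "settings": {}})
        if pane in ALWAYS_REQUIRED:
            entry["state"] = "always"
        entry.setdefault("settings", {}).update(wanted)
    return plistlib.dumps(managed)


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Running it against the constructed export reports five findings; running it against the output of enforce_baseline reports none, which is the state Workgroup Manager should show after the procedures above have been completed.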
Media Access Other Media Preferences
Settings in the Other Media pane affect internal hard disks and external disks other than CDs or DVDs.

Controlling Access to Hard Drives and Disks
Media Access settings selected in the Other Media pane let you control access to both a computer’s hard disk and any external disks other than CDs and DVDs. If you don’t allow access to external disks, users cannot use floppy disks, Zip disks, FireWire hard drives, or other external storage devices.

To restrict access to internal and external disks:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Media Access preference icon.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Other Media.
7 Select options for Internal Disks (the computer’s hard disk and disk partitions).
Select the Authentication checkbox to require a password to access the hard disk.
Deselect the Allow checkbox to prevent users from accessing the hard disk.
If you select the Read-Only checkbox, users can view the contents of the hard disk but cannot modify them or save files on the hard disk.
8 Select options for External Disks (other than CDs or DVDs).
Select the Authentication checkbox to require a password to access external disks.
Deselect the Allow checkbox to prevent access to external disks.
If you select the Read-Only checkbox, users can view the contents of external disks but cannot modify them or save files on external disks.
9 Click Apply Now.

Ejecting Items Automatically When a User Logs Out
On computers used by more than one person, such as in a computer lab, users may sometimes forget to take their personal media with them when they leave.
If they do not eject disks, CDs, or DVDs when they log out, these items may be available to the next user who logs in. If you allow users to access CDs, DVDs, or external disks, such as Zip disks or FireWire drives, on shared computers, you may want to make computers eject removable media automatically when a user logs out.

To eject removable media automatically:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Media Access preference icon.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Other Media.
7 Select “Eject all removable media at logout.”
8 Click Apply Now.

Managing Printing Preferences
Use Printing preferences to create printer lists and manage access to printers.

Printer List Preferences
Printer List settings let you create a list of available printers and control the user’s ability to add additional printers or access a printer connected directly to a computer.

Making Printers Available to Users
To give users access to printers, you first need to set up a printer list. Then, you can allow specific users or groups to use printers in that list. You can also make printers available to computers. A user’s final list of printers is a combination of printers available to the user, the group selected at login, and the computer being used.

To create a printer list for users:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Printing preference icon.
5 Select a management setting (Once or Always).
This setting applies to all Printing preference options.
6 Click Printer List.
7 The Available Printers list is created from the list of available network printers in the Print Center application. Select a printer in the Available Printers list, then click “Add to List” to make that printer available in the User’s Printer List. If the printer you want doesn’t appear in the Available Printers list, click Open Print Center and add the printer to Print Center’s printer list.
8 Click Apply Now.

Preventing Users From Modifying the Printer List
If you want to limit a user’s ability to modify a printer list, you can require an administrator’s user name and password in order to add new printers. You can also remove this privilege outright.

To restrict access to the printer list:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Printing preference icon.
5 Select a management setting (Once or Always). This setting applies to all Printing preference options.
6 Click Printer List.
7 If you want only administrators to modify the printer list, select “Require an administrator password.”
8 If you don’t want any user to modify the printer list, deselect “Allow users to add printers to the Printer list.”
9 Click Apply Now.

Restricting Access to Printers Connected to a Computer
In some situations, you want only certain users to print to a printer connected directly to their computers. For example, if you have a computer in a classroom with a printer attached, you can reserve that printer for teachers only by making the teacher an administrator and requiring an administrator’s user name and password to access the printer.

To restrict access to a printer connected to a specific computer:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Printing preference icon.
5 Select a management setting (Once or Always). This setting applies to all Printing preference options.
6 Click Printer List.
7 If you want only administrators to use the printer, select “Require an administrator password.”
8 If you don’t want any user to access the printer, deselect “Allow printers that connect directly to the user’s computer.”
9 Click Apply Now.

Printer Access Preferences
Access settings let you specify a default printer and restrict access to specific printers.

Setting a Default Printer
Once you have set up a printer list, you can specify one printer as the default printer. Any time a user tries to print a document, this printer is the preferred selection in an application’s printer dialog box.

To set the default printer:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Printing preference icon.
5 Select a management setting (Once or Always). This setting applies to all Printing preference options.
6 Click Access.
7 Select a printer in the user’s printer list, then click Make Default.
8 Click Apply Now.

Restricting Access to Printers
You can require an administrator’s user name and password in order to print to certain printers.

To restrict access to a specific printer:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Printing preference icon.
5 Select a management setting (Once or Always). This setting applies to all Printing preference options.
6 Click Access.
7 Select a printer in the user’s printer list, then select “Require administrator password.”
8 Click Apply Now.

Chapter 7
Print Service

Print service lets you share network printers for clients of the Mac OS X Server. You share printers by setting up print queues for them. When users submit print jobs to a shared printer, the jobs are automatically sent to the printer’s queue, where they are held until the printer becomes available or criteria you set up have been met. For example, you can
• set the priority of print jobs in a queue
• hold the printing of a job for a particular time of day
• place a job on hold indefinitely

The following applications help you administer print service:
• The Print module of Server Settings lets you configure general print service settings, set up how print queues are shared, and manage print jobs submitted to shared printers.
• Server Status lets you monitor the status of print jobs.
• The Accounts module of Workgroup Manager lets you set print quotas for users.

316 Chapter 7

What Printers Can Be Shared?
Mac OS X Server supports PostScript-compatible printers connected to your network using AppleTalk or the Line Printer Remote (LPR) protocol. Mac OS X Server also supports PostScript-compatible printers connected directly to your server by means of a Universal Serial Bus (USB) connection.

[Figure: Mac OS X Server with Ethernet and USB connections; labels: AppleTalk PostScript printer, LPR PostScript printer, PostScript printer]

Print Service 317

Who Can Use Shared Printers?
Shared printers can be used over the network by users who submit print jobs using AppleTalk, LPR, or Server Message Block (SMB) protocols:
• Macintosh computers support AppleTalk and LPR.
• Windows computers use LPR and SMB.
• UNIX computers use LPR.
See “Setting Up Printing on Client Computers” on page 323.

Setup Overview
Here is an overview of the basic steps for setting up print service:

Step 1: Read “Before You Begin”
Read “Before You Begin” on page 319 for issues that you should consider before setting up print service.

[Figure: client computers printing through Mac OS X Server over LPR, AppleTalk, and SMB; labels: Mac OS X user (printers selected using Print Center), Mac OS 9 user (printers selected using Desktop Printer Utility), UNIX user, Mac OS 8 and Mac OS 9 users (printers selected using Desktop Printer Utility), Windows NT and Windows 2000 users, Windows 95, 98, and ME users]

Step 2: Start up and configure print service
Use Server Settings to start up and configure the print service. Print service configuration lets you set options that apply to all print queues that you are sharing—for example, starting print service automatically when the server starts up. See “Starting Up and Configuring Print Service” on page 319.

Step 3: Add printers and configure their print queues
You make printers available to users by adding them to the server using the Print module of Server Settings. When you add a printer, a print queue is created automatically. Users see these print queues as printers from their desktops. You then configure the print queues, also using the Print module of Server Settings. See “Adding Printers” on page 320 and “Configuring Print Queues” on page 320.

Step 4: (Optional) Add print queues to a shared Open Directory domain
You can add print queues to a shared Open Directory domain for users of Mac OS X computers that have access to the domain. This makes it easier for Mac OS X client users to locate shared printers because these print queues show up automatically in Print Center Directory Services lists. See “Adding Print Queues to Shared Open Directory Domains” on page 321.
Step 5: (Optional) Set print quotas for users
If you want to limit the number of pages users can print, set print quotas for user accounts and enforce quotas on print queues. See “Setting Up Print Quotas” on page 322.

Step 6: Set up printing on client computers
Mac OS X clients: Add one or more print queues to users’ printer lists using Print Center.
Mac OS 9 and Mac OS 8 clients: Use the Chooser to add AppleTalk printers or use Desktop Printer Utility to add LPR printers to the clients’ desktops.
Windows clients: If you have Windows clients using SMB, you need to make sure Windows services are running and that at least one print queue is available for SMB users.
UNIX clients: Most UNIX systems support LPR. Some configuration may be required. Refer to the manufacturer’s documentation on setting up LPR printers or consult your UNIX administrator.
See “Setting Up Printing on Client Computers” on page 323.

Before You Begin
Before you set up print service, determine which protocols are used for printing by client computers. When you configure a print queue, you will need to enable each of the required protocols. Print service supports the following protocols:
• AppleTalk
• Line Printer Remote (LPR)
• Server Message Block (SMB)
See “Setting Up Printing on Client Computers” on page 323.

Security Issues
In general, AppleTalk and LPR printers do not have any provisions for security. Windows services require that users log in by providing a user name and password before using SMB printers. See “Windows User Password Validation” on page 236.

Setting Up Print Service
The following sections tell you how to configure your server’s print service, and how to create and configure print queues for the server.

Starting Up and Configuring Print Service
Use the Print module of Server Settings to start up and configure print service.

To start up and configure print service:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Start Print Service.
3. Click Print again and choose Configure Print Service.
4. Select “Start print service at system startup” if you want print service to start automatically when the server starts up.
5. Select “Automatically share new queues for Windows printing” if you want Windows users who print using the SMB protocol to be able to automatically use new print queues that you create using Print Center. If you select this option, make sure that Windows services are running. See “Starting Windows Services” on page 240.
6. Choose the default queue for LPR print jobs. Using a default queue simplifies the setup for printing from client computers. See “Selecting a Default Print Queue” on page 329. If you choose None, print jobs sent to the default queue will not be accepted by the server (and therefore will not be printed).
7. Select “Server log” if you want to archive the print service log file. Specify how often (by entering the number of days) you want to archive the current log and start a new one.
8. Select “Queue logs” if you want to archive the print queues’ log files. Specify how often (by entering the number of days) you want to archive the current log and start a new one.

Adding Printers
You can share any PostScript-compatible printer that has a queue defined for it on the server. You use the Print module of Server Settings to “add” printers to the server. When you add a printer, the print queue is created automatically.
Note: You do not need to “add” USB printers connected directly to the server. Queues for USB printers are created automatically without that step.

To add a printer and create a print queue:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Click New Queue.
4. Choose the protocol used by the printer you want to add from the pop-up menu.
5. For “AppleTalk” or “Directory Services” printers, select a printer in the list and click Add.
   For “LPR Printers using IP,” enter the printer Internet address or DNS name, select whether to use the default queue on the server, enter the queue name, and click Add.
   If you want to print from the server, set up a print queue on the server using Print Center.

Configuring Print Queues
You configure a print queue to specify which protocols to use to share the queue and to specify the default settings for new print jobs. You can also change the name of the queue.

To configure a print queue:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the print queue you want to configure and click Edit.
4. If you want users to see a name other than the Print Center queue name, enter a name in the Queue Name field. Entering a queue name does not change the Print Center queue name.
   You’ll probably need to change the queue name if users who print to your queues have restrictions on printer names they can use. For example, some LPR clients do not support names that contain spaces, and some Windows clients restrict names to 12 characters. Queue names shared via LPR or SMB should not contain characters other than A–Z, a–z, 0–9, and “_” (underscore). AppleTalk queue names cannot be longer than 32 bytes (which may be fewer than 32 typed characters). Note that the queue name is encoded according to the language used on the server and may not be readable on client computers using another language.
5. Select the protocols used for printing by your client computers. If you select “Windows printing (SMB),” make sure Windows services are running. See “Starting Windows Services” on page 240.
6. If you want to add the queue to a shared Open Directory domain, choose a shared domain from the pop-up menu, then enter the user name and password for the administrator of the server on which the domain resides.
   This allows users of Mac OS X computers configured to access the domain to print to the queue by choosing it from the Directory Services printer list in Print Center (rather than having to manually enter the LPR print host and queue name).
   Note: After sharing a print queue in an Open Directory domain, do not try to add the queue from the Directory Services list to your server.
7. Choose the default job priority for new print jobs in this queue.
8. Select Hold to postpone printing all new jobs that arrive in the queue. Specify a time of day to print the jobs, or choose to postpone printing indefinitely.
9. Select “Enforce print quotas” if you want to enforce the user print quotas for the printer.

Adding Print Queues to Shared Open Directory Domains
If you add a print queue to a shared Open Directory domain, users of Mac OS X computers that are configured to access the domain can print to the queue by choosing it from the Directory Services printer list in Print Center (rather than having to manually enter the LPR print host and queue name).

To add a print queue to a shared Open Directory domain:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the queue you want to add and click Edit.
4. Choose a shared domain from the “Share LPR Queue in Domain” pop-up menu. Enter the user name and password for the administrator of the server on which the domain resides.
   The Open Directory printer is named using the queue name defined in the Print module of Server Settings. LPR clients do not support names that contain spaces, and some Windows clients restrict names to 12 characters. Queue names shared via LPR or SMB should not contain characters other than A–Z, a–z, 0–9, and “_” (underscore). AppleTalk queue names cannot be longer than 32 bytes (which may be fewer than 32 typed characters).
   Note that the queue name is encoded according to the language used on the server and may not be readable on client computers using another language.
   Note: After sharing a print queue in an Open Directory domain, do not try to add the queue from the Directory Services list to your server.

Setting Up Print Quotas
There are two parts to setting up print quotas—specifying the quotas in users’ accounts and enforcing the quotas for the print service.
You use the Users & Groups module of Workgroup Manager to set up print quotas for a user. You can set specific quotas for each print queue or you can define a single quota that applies to all print queues (that are enforcing quotas) to which a user has access. See “Working With Print Settings for Users” on page 151.
You use Server Settings to “turn on” the enforcement of users’ print quotas that you’ve defined for a print queue. If you do not enforce print quotas, users can print an unlimited number of pages to the queue.

Enforcing Quotas for a Print Queue
Unless you enforce quotas for a print queue, users will have unlimited printing capabilities even if print quotas are defined for the users’ accounts.

To enforce quotas for a print queue:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the print queue and click Edit.
4. Select “Enforce print quotas” to enforce the user print quotas for the print queue.

Setting Up Printing on Client Computers

Mac OS X Clients
Mac OS X users must add shared print queues to their Print Center printer lists before they can use the queues. Mac OS X supports both AppleTalk and LPR printers. Users can also add print queues in Open Directory domains accessible from the Mac OS X computer. If a Mac OS X client is having trouble printing, see “Solving Problems” on page 334.

Adding a Print Queue in Mac OS X Using AppleTalk
You use the Print Center to add print queues to a computer’s printer lists.
Print Center is usually located in the Utilities folder of the Applications folder.

To add a print queue using AppleTalk:
1. Open the Print Center and click Add Printer.
2. Choose AppleTalk from the pop-up menu.
3. Select a printer from the list and click Add.

Adding a Print Queue in Mac OS X Using LPR
You use the Print Center to add print queues to a computer’s printer lists. Print Center is usually located in the Utilities folder of the Applications folder.

To add a print queue using LPR:
1. Open the Print Center and click Add Printer.
2. Choose “LPR Printers using IP” from the pop-up menu.
3. Enter the server’s DNS name or IP address in the LPR Printer’s Address field. To use the default queue, select the “Use Default Queue on Server” option. If the server does not have a default LPR queue defined or you do not want to use the default queue, remove the checkmark and enter a queue name in the Queue Name field.
4. Choose a description of the printer from the Printer Model pop-up menu, then click Add.

Adding a Print Queue From an Open Directory Domain
You use the Print Center to add print queues to a computer’s printer lists. Print Center is usually located in the Utilities folder of the Applications folder.

To add a print queue from an Open Directory domain:
1. Open the Print Center and click Add Printer.
2. Choose Directory Services from the pop-up menu.
3. Select a queue, then click Add.

Mac OS 8 and Mac OS 9 Clients
Mac OS 8 and 9 support both AppleTalk and LPR printers. Users can set up printing to a server print queue by using the Chooser for AppleTalk printers or Desktop Printer Utility for LPR printers. (The Desktop Printer Utility is usually located in the LaserWriter Software folder in the Apple Extras folder or in the Utilities folder in the Applications folder.) If a Mac OS 8 or 9 client is having trouble printing, see “Solving Problems” on page 334.
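The queue-name restrictions given under “Configuring Print Queues” and “Adding Print Queues to Shared Open Directory Domains” above (and the Windows NT 4.x note under “Solving Problems”) can be checked before a queue is shared, which is cheaper than finding out from clients that cannot see it. The following Python script is an added example, not part of this guide or of Mac OS X Server; the problem codes, the `protocols` set and the use of a Python codec name to stand in for the server’s language encoding are assumptions of the example.

```python
import re

# Added example, not part of this guide or of Mac OS X Server. Checks a proposed
# print queue name against the restrictions the guide lists for the protocols
# the queue will be shared over. The problem codes and the use of a Python
# codec name for the server's language encoding are assumptions of this example.

LPR_SMB_NAME = re.compile(r"^[A-Za-z0-9_]+$")      # A-Z, a-z, 0-9 and "_" only
IPV4_ADDRESS = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
APPLETALK_MAX_BYTES = 32                            # 32 bytes, not 32 characters
WINDOWS_MAX_CHARS = 12                              # limit on some Windows clients


def check_queue_name(name, protocols, server_encoding="utf-8"):
    """Return a list of (code, message) problems for `name`.

    `protocols` is a set drawn from {"lpr", "smb", "appletalk"}; an empty
    result means the name is acceptable for all of them. `server_encoding`
    stands in for the language encoding of the server, which decides how many
    bytes an AppleTalk name occupies.
    """
    problems = []
    if not name:
        return [("empty", "queue name is empty")]

    # Troubleshooting note: Windows NT 4.x clients cannot print to a queue whose
    # name is the TCP/IP address of the printer or server.
    if IPV4_ADDRESS.match(name):
        problems.append(("ip_address", "queue name must not be an IP address"))

    if protocols & {"lpr", "smb"}:
        if " " in name:
            problems.append(("space", "some LPR clients do not support spaces"))
        if not LPR_SMB_NAME.match(name):
            problems.append(("charset", "LPR/SMB names may use only A-Z, a-z, 0-9 and '_'"))

    if "smb" in protocols and len(name) > WINDOWS_MAX_CHARS:
        problems.append(("smb_length", "some Windows clients limit names to 12 characters"))

    if "appletalk" in protocols:
        try:
            encoded = name.encode(server_encoding)
        except UnicodeEncodeError:
            problems.append(("appletalk_encoding", "name cannot be encoded in the server's encoding"))
        else:
            if len(encoded) > APPLETALK_MAX_BYTES:
                problems.append(("appletalk_bytes",
                                 f"AppleTalk names are limited to 32 bytes; this one is {len(encoded)}"))
    return problems


def problem_codes(name, protocols, server_encoding="utf-8"):
    """Just the codes, for quick checks."""
    return [code for code, _ in check_queue_name(name, protocols, server_encoding)]


if __name__ == "__main__":
    # Constructed sample names; the last one has 30 typed characters but four
    # accented letters, so it is 34 bytes in UTF-8 and 30 bytes in Mac Roman.
    samples = [
        ("ColorLaser_2", {"lpr", "smb", "appletalk"}, "utf-8"),
        ("Front Office Printer", {"lpr", "smb"}, "utf-8"),
        ("192.168.1.20", {"smb"}, "utf-8"),
        ("Imprimante_Réception_Étage_Été", {"appletalk"}, "utf-8"),
        ("Imprimante_Réception_Étage_Été", {"appletalk"}, "mac_roman"),
    ]
    for name, protos, enc in samples:
        for code, message in check_queue_name(name, protos, enc) or [("ok", "acceptable")]:
            print(f"{name!r} ({'/'.join(sorted(protos))}, {enc}): {code}: {message}")
```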
Setting Up Printing on Mac OS 8 or 9 Clients for an AppleTalk Printer
You use the Chooser to set up AppleTalk printers.

To set up printing for an AppleTalk printer:
1. Open the Chooser.
2. Select the LaserWriter 8 icon or the icon for your printer’s model. The LaserWriter 8 icon works well in most cases. Use a printer-specific icon, if available, to take advantage of special features that might be offered by that printer.
3. Select the print queue from the list on the right.
4. Close the Chooser.

Setting Up Printing on Mac OS 8 or 9 Clients for an LPR Printer
You use the Desktop Printer Utility to set up LPR printers.

To set up printing for an LPR printer:
1. Open the Desktop Printer Utility and select Printer (LPR). Click OK.
2. In the PostScript Printer Description (PPD) File section, click Change and select the PPD file for the printer. Choose Generic if you do not know the printer type.
3. In the LPR Printer Selection section, click Change and enter the server’s IP address or domain name in the Printer Address field.
4. Enter the name of a print queue on the server that is configured for sharing via LPR. Leave the field blank if you want to print to the default LPR queue.
5. Click Verify to confirm that print service is accepting jobs via LPR.
6. Click OK, then Create.
7. Enter a name and location for the desktop printer icon, and click Save. The default name is the printer’s IP address, and the default location is the Desktop.

Windows Clients
To enable printing by Windows users who submit jobs using SMB, make sure Windows services are running and that one or more print queues are available for SMB use. See “Starting Windows Services” on page 240 and “Adding Printers” on page 320.
All Windows computers—including Windows 95, Windows 98, Windows Millennium Edition (ME), and Windows XP—support SMB for using printers on the network. Windows 2000 and Windows NT also support LPR.
Note: Third-party LPR drivers are available for Windows computers that do not have built-in LPR support.
If a Windows client is having trouble printing, see “Solving Problems” on page 334.

UNIX Clients
UNIX computers support LPR for connecting to networked printers without the installation of additional software. If a UNIX client is having trouble printing, see “Solving Problems” on page 334.

Managing Print Service
This section tells you how to perform day-to-day management tasks for print service once you have it up and running.

Monitoring Print Service
Server Status lets you monitor all services on a Mac OS X server. If you want to make changes to print service, use Server Settings.

To monitor print service:
1. In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select Print in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2. Click the Overview tab to see if print service is running, the time it started if it is running, and the number of queues.
3. Click the Logs tab to see print service logs for the system and for individual print queues. Use the Show pop-up menu to choose which log to view.
4. Click Queues to see the status of print queues. The table includes the name of the printer, type of print queue, number of jobs, sharing, and status for each queue.

Stopping Print Service
You use the File & Print pane in Server Settings to stop print service.

To stop print service:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Stop Print Service.

Setting Print Service to Start Automatically
You can set print service to start automatically when the server starts up.

To start print service automatically when the server starts up:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Configure Print Service.
3. Select “Start Print Service at system startup.”

Managing Print Queues
This section tells you how to perform day-to-day management of print queues.

Monitoring a Print Queue
Server Status lets you monitor all services on a Mac OS X server. The Queues pane lists the queues for the print service and tells you the name or kind of printer, how many jobs are pending, how the printer is shared, whether a job is printing, and, if so, the status of that job. If you want to make changes to a print queue, use Server Settings.

To monitor a print queue:
1. In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select Print in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2. Click the Queues tab to see the status of the print queues. The table includes the name of the printer, type of print queue, number of jobs, sharing, and status for each queue.

Putting a Print Queue on Hold (Stopping a Print Queue)
To prevent jobs in a queue from printing, put the print queue on hold. Printing of all jobs waiting to print is postponed. New jobs are still accepted but won’t be printed until the queue is started up again and the jobs ahead of them (of the same or higher priority) are printed. If a job is printing, it is canceled and reprinted from the beginning when the queue is restarted.

To put a print queue on hold:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the print queue you want to hold and click Hold.

Restarting a Print Queue
If you put a print queue on hold, restart the print queue to resume printing for all jobs that have not been put on hold individually. If a job was in the middle of printing when you put the print queue on hold, that job will be printed again from the beginning.

To restart a print queue that’s been put on hold:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the queue and click Release in the Print Monitor window.

Changing a Print Queue’s Configuration
Use the Server Settings Print Monitor to view and change a print queue’s configuration.
Note: When you change a print queue’s configuration, the queue may become unavailable to users. You may need to alert users to set up client computers to use the queue again.

To change a print queue’s configuration:
1. In Server Settings, click the File & Print tab.
2. Click Print, and choose Show Print Monitor.
3. Select the print queue you want to change and click Edit.
4. If you want users to see a name other than the Print Center queue name, enter a name in the Queue Name field. Entering a queue name does not change the Print Center queue name.
   You’ll probably need to change the queue name if users who print to your queues have restrictions on printer names they can use. For example, some LPR clients do not support names that contain spaces, and some Windows clients restrict names to 12 characters.
   Note: If you change the name of a print queue that has already been shared, print jobs sent by users to the old queue name will not be printed. Users will need to set up their computers again to use the queue with its new name.
5. Select the protocols used for printing by your client computers. If you select “Windows printing (SMB),” make sure Windows services are running. See “Starting Windows Services” on page 240.
6. If you want to add the queue to a shared Open Directory domain, choose a shared domain from the pop-up menu, then enter the user name and password for the administrator of the server on which the domain resides. This allows users of Mac OS X computers configured to access the domain to print to the queue by choosing it from the Directory Services printer list in Print Center (rather than having to manually enter the LPR print host and queue name).
   Note: After sharing a print queue in an Open Directory domain, do not try to add the queue from the Directory Services list to your server.
7. Choose the default job priority for new print jobs in this queue.
8. Select Hold to postpone printing all new jobs that arrive in the queue. Specify a time of day to print the jobs, or choose to postpone printing indefinitely.
9. Select “Enforce print quotas” if you want to enforce the user print quotas for the printer.

Renaming a Print Queue
When you add a printer in Print Center, the default name of the queue created for it is the same as the printer name.
Note: If you change the name of a print queue that has already been shared, print jobs sent by users to the old queue name will not be printed. Users will need to set up their computers again to use the queue with its new name.

To rename a print queue:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the print queue you want to rename and click Edit.
4. Enter a new name in the Queue Name field. Entering a queue name does not change the Print Center queue name.

Selecting a Default Print Queue
Specifying a default print queue simplifies setup for printing from client computers to LPR print queues. Users can choose to print to the default queue rather than having to enter the IP address of a specific queue.

To select a default print queue:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Configure Print Service.
3. Choose the queue you want to make the default queue from the “Default Queue for LPR” pop-up menu.

Deleting a Print Queue
When you delete a print queue, any jobs in the queue that are waiting to print are also deleted.
Note: If a job is printing, it is canceled immediately. To avoid abruptly canceling users’ print jobs, you can turn off sharing a queue until all jobs have finished printing and then delete the queue.
To delete a print queue:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the print queue you want to delete and click Delete.

Managing Print Jobs
This section tells you how to perform day-to-day management of print jobs.

Monitoring a Print Job
You monitor individual print jobs using the Queue Monitor window of Server Settings.

To monitor a print job:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the queue and click Show Queue Monitor.
   The Queue Monitor window displays all the current print jobs in priority order. It also indicates the current status of the active (printing) job, the name of the user who submitted each job, and the number of pages and sheets in each job. The number of pages is the number of pages in the document. The number of sheets is the physical number of pages in the queue, which reflects the number of copies or the number of pages printed on one sheet of paper. For example, a Page/Sheets value of 4/20 appears if a user prints five copies of a four-page document.

Stopping a Print Job
You can stop a job from printing by putting it or the queue in which it resides on hold. To put a single print job on hold, see the following section. To put a print queue on hold to stop jobs from printing, see “Putting a Print Queue on Hold (Stopping a Print Queue)” on page 327.

Putting a Print Job on Hold
When you put a print job on hold, it is not printed until you take it off hold or until the date and time you set it to be printed has been reached. If the job has already started to print, printing stops and the job remains in the queue. When you take the job off hold, printing starts from the beginning of the job. Use Shift-click or Command-click to select multiple jobs and put them all on hold at the same time.

To put a print job on hold:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the queue containing the job, then click Show Queue Monitor.
4. Select the job and click Hold.
5. If you want to take the job off hold automatically at a certain time, click Set Priority, then specify the date and time to release the job for printing. If there are other jobs of equal or higher priority in the print queue when the print job is released, the actual print time will be later.

Restarting a Print Job
When a print job has been placed on hold, it is not printed until you restart the job or until the time you set it to be printed has been reached.
Note: If you put the print queue on hold, restart the print queue to print the job.

To restart a print job:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the queue containing the job, then click Show Queue Monitor.
4. Select the job and click Release. The job is returned to the print queue and is printed after all other jobs in the queue with the same priority.

Holding All New Print Jobs
You can automatically postpone printing all new jobs that arrive in a print queue.

To hold new print jobs:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the queue and click Edit.
4. Select the Hold checkbox. Choose Until to specify a time of day at which to print new jobs. Choose Indefinitely to postpone printing new jobs indefinitely.

Setting the Default Priority for New Print Jobs
When a new print job is sent to a print queue, it is assigned the priority defined for the print queue. Jobs are printed in order of priority. Urgent jobs are printed first, then Normal jobs, and finally Low jobs.

To set the default priority for new print jobs in a queue:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the queue and click Edit.
4. Under the “Default Settings for New Jobs” section, choose a job priority of Urgent, Normal, or Low.
Changing a Print Job’s Priority
When a print job arrives in a queue, it is assigned the default priority for that queue. You can override the default by changing the priority for the individual print job.

To change a print job’s priority:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the queue containing the job, then click Show Queue Monitor.
4. Select the job and click Set Priority.
5. Select the priority you want to assign to the job. Urgent jobs are printed first, then Normal jobs, and finally Low jobs. The job is printed after any other job in the queue with the same priority.

Deleting a Print Job
If a job is printing at the time you delete it, the job will stop printing after the pages in the printer’s hardware buffer have been printed.

To delete a print job:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Show Print Monitor.
3. Select the queue containing the job, then click Show Queue Monitor.
4. Select the job and click Delete.

Managing Print Quotas
This section tells you how to perform day-to-day management of print quotas.

Suspending Quotas for a Print Queue
You use the Print module of Server Settings to enforce and suspend print quotas. Suspending quotas for a print queue allows all users unlimited printing to the queue.

To enforce or suspend quotas for a print queue:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Configure Print Service.
3. Select the print queue and click Edit.
4. Deselect the “Enforce print quotas” option. To enforce print quotas again, select the “Enforce print quotas” option again.

Managing Print Logs
This section tells you how to view and archive print logs.

Viewing Print Logs
Print service has two kinds of logs: print service and print queue. Print service logs record such events as when print service was started and stopped and when a print queue was put on hold.
Separate logs for each print queue record individual print jobs, including such information as which users submitted jobs for particular printers and the size of the jobs. You can view the print service logs using Server Status.

To view print service logs using Server Status:
1. In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select Print in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2. Click the Logs tab to see print service logs for the system and for individual print queues. Use the Show pop-up menu to choose which log to view.

Archiving Print Logs
As noted, print service maintains two kinds of logs: a print service log and a log for each print queue. You can specify how often you want to archive the logs and start new ones. All logs, both current and archived, are kept in the /Library/Logs/PrintService folder. Archived files are kept until they are manually deleted by the server administrator.

To specify how often to archive print logs:
1. In Server Settings, click the File & Print tab.
2. Click Print and choose Configure Print Service.
3. Select “Server log” and enter a number of days to specify how often you want to archive the print service log and start a new log. The current log file name is PrintService.server.log. Archived print service log files have the archive date appended (for example, PrintService.server.log.20021231).
4. Select “Queue logs” and enter a number of days to specify how often you want to archive each print queue log and start a new one. The log files are stored in /Library/Logs/PrintService. Individual log files are named after the print queues (for example, PrintService.myqueue.job.log). Archived print queue log files have the archive date appended (for example, PrintService.myqueue.job.log.20021231). You can view current log files using Server Status.
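The naming scheme in steps 3 and 4 is regular enough that an administrator can tell current logs from archives, and old archives from recent ones, without opening them. The following Python script is an added example and not part of this guide or of the log rolling scripts shipped with Mac OS X Server; the directory listing is constructed, and the retention period is an assumption of the example, since the guide itself keeps archives until an administrator deletes them. It only reports which archived files are older than the period and never touches the current logs.

```python
import re
from datetime import date, timedelta

# Added example, not part of this guide or of the log rolling scripts shipped
# with Mac OS X Server. It parses the log file names described above and
# reports which archived logs are older than a retention period. The retention
# period is an assumption of this example; the guide itself keeps archives
# until an administrator deletes them.

LOG_DIR = "/Library/Logs/PrintService"

# PrintService.server.log[.YYYYMMDD]
SERVER_LOG = re.compile(r"^PrintService\.server\.log(?:\.(\d{8}))?$")
# PrintService.<queue>.job.log[.YYYYMMDD]
QUEUE_LOG = re.compile(r"^PrintService\.(.+)\.job\.log(?:\.(\d{8}))?$")


def _archive_date(stamp):
    """Turn a YYYYMMDD suffix into a date; None means the current log."""
    if stamp is None:
        return None
    return date(int(stamp[:4]), int(stamp[4:6]), int(stamp[6:]))


def parse_log_name(filename):
    """Describe a print service log file name, or return None for anything
    else (unrelated files, or a suffix that is not a real date)."""
    try:
        m = SERVER_LOG.match(filename)
        if m:
            return {"kind": "server", "queue": None, "archived": _archive_date(m.group(1))}
        m = QUEUE_LOG.match(filename)
        if m:
            return {"kind": "queue", "queue": m.group(1), "archived": _archive_date(m.group(2))}
    except ValueError:
        pass
    return None


def expired_archives(filenames, today, keep_days):
    """Return full paths of archived logs whose archive date is more than
    `keep_days` before `today` (an ISO date string). Current logs and
    unrelated files are never returned, so nothing still being written is
    touched. Deleting is left to the administrator, as in the guide."""
    cutoff = date.fromisoformat(today) - timedelta(days=keep_days)
    expired = []
    for name in sorted(filenames):
        info = parse_log_name(name)
        if info is None or info["archived"] is None:
            continue
        if info["archived"] < cutoff:
            expired.append(f"{LOG_DIR}/{name}")
    return expired


# Constructed directory listing, following the naming pattern from the guide.
SAMPLE_LISTING = [
    "PrintService.server.log",
    "PrintService.server.log.20021130",
    "PrintService.server.log.20021231",
    "PrintService.myqueue.job.log",
    "PrintService.myqueue.job.log.20021130",
    "PrintService.myqueue.job.log.20021231",
    "PrintService.front_office.job.log.20021015",
    ".DS_Store",
]

if __name__ == "__main__":
    for path in expired_archives(SAMPLE_LISTING, "2003-01-31", 45):
        print("older than 45 days:", path)
```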
You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.

Deleting Print Log Archives
The log files are stored in /Library/Logs/PrintService. You can clear out unwanted archive files by deleting them from this directory using the Finder. You can also use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.

Solving Problems
Try these suggestions to solve or avoid printing problems.

Print Service Doesn’t Start
• If you expect print service to start automatically when the server starts up, make sure the “Start print service at system startup” option is selected in the Configure Print Service window.
• To verify that the server’s serial number is entered correctly and has not expired, click the General tab, click Server Info, and choose Change Product Serial Number.
• Use Server Status to review the print service log for additional information.

Users Can’t Print
• Check to see that print service is running. Open Server Settings and select the File & Print tab. If the print service is not running, select Print and choose Start Print Service.
• Make sure that the queue users are printing to exists by opening the Print Monitor window. On Mac OS 8 or Mac OS 9 computers, use the Chooser (for AppleTalk print queues) or Desktop Printer Utility (for LPR print queues) to make sure the printer setup is correct. On Mac OS X, use the Print Center to add print queues to the printer list.
• Verify that the queue users are printing to is shared correctly. SMB is for Windows users only. LPR is a standard protocol that users on (some) Windows computers, as well as on Macintosh, UNIX, and other computers, can use for printing.
• Verify that Mac OS clients have TCP/IP set up correctly.
• If Windows NT 4.x clients can’t print to the server, make sure that the queue name is not the TCP/IP address of the printer or server. Use the DNS host name instead of the printer or server address or, if there is none, enter a queue name containing only letters and numbers.

Print Jobs Don’t Print
• Check the Print Monitor window to make sure that the queue is not on hold. Open Server Settings, click the File & Print tab, click Print, and choose Show Print Monitor.
• Make sure that the printer is connected to the server or to the network to which the server is connected.
• Make sure the printer is turned on and that there are no problems with the printer itself (out of paper, paper jams, and so on).
• Review the print logs for additional information. Open Server Status, select Print under the server name in the Devices & Services list, and click the Logs tab.

Print Queue Becomes Unavailable
• If you changed the name of a print queue that has already been shared, print jobs sent by users to the old queue name will not be printed. Users need to set up their computers again to use the queue with its new name. See “Setting Up Printing on Client Computers” on page 323.

CHAPTER 8  Web Service

Web service in Mac OS X Server offers an integrated Internet server solution. Web service is easy to set up and manage, so you don’t need to be an experienced Web administrator to set up multiple Web sites and configure and monitor your Web server.
Web service in Mac OS X Server is based on Apache, an open-source HTTP Web server. A Web server responds to requests for HTML Web pages stored on your site. Open-source software allows anyone to view and modify the source code to make changes and improvements. This has led to Apache’s widespread use, making it the most popular Web server on the Internet today.
Web administrators can use Server Settings to administer Web service without knowing anything about advanced settings or configuration files.
Web administrators proficient with Apache can choose to administer Web service using Apache’s advanced features.

In addition, Web service in Mac OS X Server includes a high-performance, front-end cache that improves performance for Web sites that use static HTML pages. With this cache, static data doesn’t need to be accessed by the server each time it is requested.

Web service also includes support for Web-based Distributed Authoring and Versioning, known as WebDAV. With WebDAV capability, your client users can check out Web pages, make changes, and then check the pages back in while the site is running. In addition, the WebDAV command set is rich enough that client computers with Mac OS X installed can use a WebDAV-enabled Web server as if it were a file server.

Since Web service is based on Apache, you can add advanced features with plug-in modules. Apache modules allow you to add support for Simple Object Access Protocol (SOAP), Java, and CGI languages such as Python.

Before You Begin

This section provides information you need to know before you set up Web service for the first time. You should read this section even if you are an experienced Web administrator, as some features and behaviors may be different from what you expect.

Configuring Web Service

You can use Server Settings to set up and configure the most frequently used features of Web service. If you are an experienced Apache administrator and need to work with features of the Apache Web server that aren’t included in Server Settings, you can modify the appropriate configuration files. However, Apple does not provide technical support for modifying Apache configuration files. If you choose to modify a file, be sure to make a backup copy first. Then you can revert to the copy should you have problems.
For more information about Apache modules, see the Apache Software Foundation Web site at www.apache.org.

Providing Secure Transactions

If you want to provide secure transactions on your server, you should set up Secure Sockets Layer (SSL) protection. SSL lets you send encrypted, authenticated information across the Internet. If you want to allow credit card transactions through your Web site, for example, you can use SSL to protect the information that’s passed to and from your site. For instructions on how to set up secure transactions, see “Setting Up Secure Sockets Layer (SSL) Service” on page 361.

Setting Up Web Sites

Before you can host a Web site, you must:
- register your domain name with a domain name authority
- create a folder for your Web site on the server
- create a default page in the folder for users to see when they connect
- verify that DNS is properly configured if you want clients to access your Web site by name

When you are ready to publish, or enable, your site, you can do this using Server Settings. The Sites pane in the Configure Web Service window lets you add a new site and select a variety of settings for each site you host. See “Managing Web Sites” on page 349 for more information.

Hosting More Than One Web Site

You can host more than one Web site simultaneously on your Web server. Depending on how you configure your sites, they may share the same domain name, IP address, or port. The unique combination of domain name, IP address, and port identifies each separate site.

Your domain names must be registered with the domain name authority (InterNIC). Otherwise, the Web site associated with the domain won’t be visible on the Internet. (There is a fee for each additional name you register.)

If you configure Web sites using multiple domain names and one IP address, older browsers that do not support HTTP 1.1 or later (that don’t include the “Host” request header) will not be able to access your sites.
This is an issue only with software released prior to 1997 and does not affect modern browsers. If you think your users will be using very old browser software, you’ll need to configure your sites with one domain name per IP address.

Understanding WebDAV

If you use WebDAV to provide live authoring on your Web site, you should create realms and set access privileges for users. Each site you host can be divided into a number of realms, each with its own set of users and groups that have either browsing or authoring privileges. If your Web site is on an intranet, you may not want to create realms.

Defining Realms

When you define a realm, which is typically a folder (or directory), the access privileges you set for the realm apply to all the contents of that directory. If a new realm is defined for one of the folders within the existing realm, only the new realm’s privileges apply to that folder and its contents. For information about creating realms and setting access privileges, see “Setting Access for WebDAV-Enabled Sites” on page 354.

Setting WebDAV Privileges

The Apache process running on the server needs to have access to the Web site’s files and folders. To do this, Mac OS X Server installs a user named “www” and a group named “www” in the server’s Users & Groups List. The Apache processes that serve Web pages run as the www user and as members of the www group.

You need to give the www group read access to files within Web sites so that the server can transfer the files to browsers when users connect to the sites. If you’re using WebDAV, the www user and www group both need write access to the files and folders in the Web sites. In addition, the www user and group need write access to the /var/run/davlocks directory.

Understanding WebDAV Security

WebDAV lets users update files in a Web site while the site is running. When WebDAV is enabled, the Web server must have write access to the files and folders within the site users are updating.
This has significant security implications when the server hosts other sites or services, because every site is served, and written, by the same www user: an individual responsible for one site may be able to modify other sites.

You can avoid this problem by carefully setting access privileges for the site files using the Sharing module of Server Settings. Mac OS X Server uses a predefined group named “www,” which contains the Apache processes. You need to give the www group read and write access to files within the Web site. You also need to assign read and write access to the Web site administrator (owner) and None (no access) to Everyone. If you are concerned about Web site security, you may choose to leave WebDAV disabled and use Apple file service or FTP service to modify the contents of a Web site instead. (Keep in mind that FTP sends user names and passwords unencrypted.)

Understanding Multipurpose Internet Mail Extension (MIME)

Multipurpose Internet Mail Extension (MIME) is an Internet standard for specifying what happens when a Web browser requests a file with certain characteristics. You can choose the response you want the Web server to make based on the file’s suffix. Your choices will depend partly on what modules you have installed on your Web server. Each combination of a file suffix and its associated response is called a MIME type mapping.

MIME Suffixes

A suffix describes the type of data in a file. Here are some examples:
- txt for text files
- cgi for Common Gateway Interface files
- gif for GIF (graphics) files
- php for “PHP: Hypertext Preprocessor” (embedded HTML scripts) used for WebMail, etc.
- tiff for TIFF (graphics) files

Mac OS X Server includes a default set of MIME type suffixes. This set includes all the suffixes in the mime.types file distributed with Apache, with a few additions. If a suffix you need is not listed, or does not have the behavior you want, use Server Settings to add the suffix to the set or to change its behavior.

Note: Do not add or change MIME suffixes by editing configuration files.
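A suffix mapping decides more than how a file is labelled: a suffix such as “cgi” makes the server run the file instead of sending it. Because Web service is built on Apache, mappings behave the way Apache’s mod_mime applies them: every suffix after the first dot in a file name is looked up, the comparison ignores case, and a suffix that maps to an action takes effect even when another suffix supplies a MIME type. The following is an added example, not code from this guide or from Apache, that models that rule so you can see what a name like photo.cgi.jpg will do. The mapping table is a constructed sample, not the server’s default set, and the function names are the example’s own.

```python
"""Resolve a requested file name to the response the Web server will give.

Added example, not from the Mac OS X Server guide or from Apache. It models
mod_mime's rules: every suffix after the first dot in the file name is
looked up, case-insensitively; a suffix mapped to an action (handler) and a
suffix mapped to a MIME type both apply; when several suffixes map to the
same kind of response, the rightmost one wins. MAPPINGS is a constructed
sample, not the server's default mapping set.
"""
from dataclasses import dataclass, field
from typing import Optional

# Responses that are actions rather than MIME types (the guide's list).
ACTIONS = {"send-as-is", "cgi-script", "imap-file", "mac-binary"}

# Constructed sample of suffix -> response mappings.
MAPPINGS = {
    "txt": "text/plain",
    "html": "text/html",
    "gif": "image/gif",
    "jpg": "image/jpeg",
    "tiff": "image/tiff",
    "cgi": "cgi-script",
    "asis": "send-as-is",
    "map": "imap-file",
}


@dataclass
class Response:
    mime_type: Optional[str] = None   # how the data will be labelled
    action: Optional[str] = None      # handler that runs instead of plain delivery
    matched: list = field(default_factory=list)  # suffixes that contributed


def resolve(path: str, mappings: dict = MAPPINGS) -> Response:
    """Apply every suffix of the final path component, left to right."""
    name = path.rsplit("/", 1)[-1]
    response = Response()
    for suffix in name.split(".")[1:]:
        mapped = mappings.get(suffix.lower())
        if mapped is None:
            continue  # unknown suffixes are ignored, not an error
        response.matched.append(suffix)
        if mapped in ACTIONS:
            response.action = mapped     # rightmost action wins
        else:
            response.mime_type = mapped  # rightmost type wins
    return response


def is_executed(path: str, cgi_enabled: bool, mappings: dict = MAPPINGS) -> bool:
    """True when a request for path would run a program rather than send data.

    CGI execution is a per-site option in Server Settings; the mapping alone
    does not run anything, so the check takes that option as input.
    """
    return cgi_enabled and resolve(path, mappings).action == "cgi-script"


if __name__ == "__main__":
    for request in ("/index.html", "/uploads/photo.cgi.jpg", "/docs/README"):
        print(request, resolve(request))
```

The practical consequence is that a site which lets users upload files, and has CGI execution enabled, must not accept names whose suffixes include a mapped action; checking only the last suffix is not enough.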
Web Server Responses

When a file is requested, the Web server handles the file using the response specified for the file’s suffix. Responses can be either an action or a MIME type. Possible responses include:
- return file as MIME type (you enter the mapping you want to return)
- send-as-is (send the file exactly as it exists, including any HTTP headers the file itself contains)
- cgi-script (run the requested file as a CGI program)
- imap-file (process the file as a server-side image map)
- mac-binary (download a compressed file in MacBinary format)

MIME type mappings are divided into two subfields separated by a forward slash, such as “text/plain.” Mac OS X Server includes a list of default MIME type mappings. You can edit these and add others.

When you specify a MIME type as a response, the server identifies the type of data requested and sends the response you specify. For example, if the browser requests a file with the suffix “jpg,” and its associated MIME type mapping is “image/jpeg,” the server knows it needs to send an image file and that its format is JPEG. The server doesn’t have to do anything except serve the data requested.

Actions are handled differently. If you’ve mapped an action to a suffix, your server runs a program or script, and the result is served to the requesting browser. For example, if a browser requests a file with the suffix “cgi,” and its associated response is the action “cgi-script,” your server will run the script and send the resulting data back to the requesting browser.

Setting Up Web Service for the First Time

Follow the steps below to set up Web service for the first time. If you need more information to perform any of these tasks, see “Managing Web Service” on page 342 and “Managing Web Sites” on page 349.

Step 1: Set up the Documents folder

When your server software is installed, a folder named Documents is set up automatically. Put any items you want to make available through a Web site in the Documents folder.
You can create folders within the Documents folder to organize the information. The folder is located in this directory: /Library/WebServer/Documents

In addition, each registered user has a Sites folder in the user’s own home directory. Any graphics or HTML pages stored in the user’s Sites folder will be served from this URL: server.example.com/~username/

Step 2: Create a default page

Whenever users connect to your Web site, they see the default page. When you first install the software, the file “index.html” in the Documents folder is the default page. You’ll need to replace this file with the first page of your Web site and name it “index.html.” If you want to call the file something else, make sure you change the default document name in the General pane of the site settings window. For more information about Web site settings, see “Managing Web Sites” on page 349.

Step 3: Assign privileges for your Web site

The Apache process running on the server must have access to the Web site’s files and folders. To allow this access, Mac OS X Server creates a group named “www,” made up of the Apache processes. You need to give the www group read-only access to files within your Web site so that it can transfer those files to browsers when users connect to the site. For information about assigning privileges, see Chapter 4, “Sharing.”

Step 4: Configure Web service

The default configuration works for most Web servers that host a single Web site, but you can configure all the basic features of Web service and Web sites using Server Settings. To host user Web sites, you must configure at least one Web site. To access the configuration settings, click Web and choose Configure Web Service. Choose the settings you want for your server and your Web site. For information about these settings, see “Managing Web Service” on page 342.

Step 5: Start Web service

In Server Settings, click the Internet tab. Click Web and choose Start Web Service.
When the service is running, you see a globe on the Web icon.

Step 6: Connect to your Web site

To make sure the Web site is working properly, open your browser and try to connect to your Web site over the Internet. If your site isn’t working correctly, see “Solving Problems” on page 364.

Managing Web Service

The Configure Web Service window lets you set and modify most options for your Web service and Web sites.

To access the Configure Web Service window:
1. In Server Settings, click Web and choose Configure Web Service.
2. Click one of the four tabs to see the settings in that pane.

Important: Always use Server Settings to start and stop the Web server. You can start the Web server from the command line, but Server Settings won’t show the change in status for several seconds. Server Settings is the preferred method to start, stop, and modify Web service settings.

Starting or Stopping Web Service

You start and stop Web service from the Server Settings application.

To start or stop Web service:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Start Web Service or Stop Web Service.

If you stop Web service, users connected to any Web site hosted on your server are disconnected immediately.

Starting Web Service Automatically

You can set Web service to start automatically whenever the server starts up. This will ensure that your Web sites are available if there’s been a power failure or the server shuts down for any reason.

To have Web service start automatically:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Select “Start Web service on system startup.”

Modifying MIME Mappings

Multipurpose Internet Mail Extension (MIME) is an Internet standard for describing the contents of a file. The MIME Types pane lets you set up how your Web server responds when a browser requests certain file types.
For more information about MIME types and MIME type mappings, see “Understanding Multipurpose Internet Mail Extension (MIME)” on page 340.

The Web server is set up to handle the most common MIME types. You can add, edit, or delete MIME type mappings.

To add or modify a MIME type mapping:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click the MIME Types tab.
4. Click Add to add a new mapping, or select a mapping and click Edit, Duplicate, or Delete. (If you choose Delete, you’ve finished.)
5. Type the file suffix that describes the type of data in files handled by this mapping.
6. Choose a Web server response from the Response pop-up menu. If you choose “Return file as MIME type,” enter the MIME type you want to return.
7. Click Save.

If you choose a response that is a Common Gateway Interface (CGI) script, make sure you have enabled CGI execution for your site in the Options pane of the site settings window.

Setting Up Persistent Connections for Web Service

You can set up Web service to respond to multiple requests from a client computer without closing the connection each time. Repeatedly opening and closing connections isn’t very efficient and decreases performance.

To set up persistent connections:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. In the General pane, enter a number in the Maximum Persistent Connections field. If you set the number to zero, there is no limit to the number of requests allowed per connection. However, the default setting of 500 provides better performance.
4. Enter a number in the Connection Timeout field if you want to specify the amount of time that can pass between requests before the session is disconnected by the Web server.
5. Click Save, then restart Web service.

Limiting Simultaneous Connections for Web Service

You can limit the number of simultaneous connections to your Web server. When the maximum number of connections is reached, new requests receive a message that the server is busy. The limit also bounds the memory and number of server processes that a burst of requests, accidental or deliberate, can consume.

To set the maximum number of connections to your Web server:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. In the General pane, enter a number in the Maximum Simultaneous Requests field. The default maximum is 500, but you can set the number as high or as low as you want to, taking into consideration the desired performance of your server.
4. Click Save, then restart Web service.

Setting Up Proxy Caching for Web Service

A proxy lets users check a local server for frequently used files. You can use a proxy to speed up response times and reduce network traffic. The proxy stores recently accessed files in a cache on your Web server. Browsers on your network check the cache before retrieving files from more distant servers.

To take advantage of this feature, client computers must specify your Web server as their proxy server in their browser preferences. Because the proxy fetches pages on behalf of whoever connects to it, make sure that only computers on your own network can reach it; a proxy that is reachable from the Internet can be used by anyone to relay requests through your server.

To set up a proxy:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click the Proxy tab and select Enable Proxy.
4. Set the maximum cache size. When the cache reaches this size, the oldest files are deleted from the cache folder.
5. Type the path name for the folder in the Cache Folder field. You can also click the Select button and browse for the folder you want to use. If you are administering a remote server, file service must be running on the local machine to use the Select button.
If you change the folder location from the default, you will have to select the new folder in the Finder, select Get Info, and change the owner and group to www.
6. Click Save, then restart Web service.

Blocking Web Sites From Your Web Server Cache

If your Web server is set up to act as a proxy, you can prevent the server from caching objectionable Web sites. You can import a list of Web sites you want to block. The list must be a text file with the host names separated by white space (lines, spaces, or tabs).

To block Web sites:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click the Proxy tab and select Enable Proxy.
4. Type the URL of the Web site you want to block in the field and click Add. Or click Import to import a list of Web sites.
5. Click Save, then restart Web service.

Enabling SSL for Web Service

If you plan to set up Secure Sockets Layer (SSL) service and enable it for Web sites, you need to enable it for the entire Web service. Once you enable SSL service you can configure SSL for each site hosted on your server. For more information about configuring SSL for a specific Web site, see “Enabling SSL” on page 357.

To enable SSL for Web service:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click “Enable SSL support.”
4. Click Save, then restart Web service.

Setting Up the SSL Log for a Web Server

If you are using Secure Sockets Layer (SSL) on your Web server, you can set up a file to log SSL transactions and errors.

To set up an SSL log:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click the Sites tab, select a site to edit, then click Edit.
4. Click the Security tab, select Enable Secure Sockets Layer (SSL), then enter the path name for the folder where you want to keep the SSL log in the SSL Log File field.
5. Click Save, then restart Web service.

Setting Up WebDAV for a Web Server

Web-based Distributed Authoring and Versioning (WebDAV) allows you or your users to make changes to Web sites while the sites are running. If you enable WebDAV, you also need to assign access privileges for the sites and for the Web folders.

To enable WebDAV:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. In the General pane, select “Enable WebDAV support,” then click the Sites tab.
4. Select a Web site and click Edit, click the Options tab, then select Enable WebDAV.
5. Click the Access tab. Select a realm and click Edit, or click Add to create a new realm. The realm is the part of the Web site users can access.
6. Type the name you want users to see when they log in. The default realm name is the name of the Web site.
7. Type the path to the location in the Web site to which you want to limit access. You can also click the Select button and browse for the folder you want to use. If you are administering a remote server, file service must be running on the local machine to use the Select button.
8. Click Save.

Starting Tomcat

Tomcat adds Java servlet and JavaServer Pages (JSP) capabilities to Mac OS X Server. Java servlets are Java-based applications that run on your server, in contrast to Java applets, which run on the user’s computer. JavaServer Pages allows you to embed Java servlets in your HTML pages. For more information on Tomcat see “Installing and Viewing Web Modules” on page 365.

You can set Tomcat to start automatically whenever the server starts up. This will ensure that the Tomcat module starts up after a power failure or after the server shuts down for any reason.
Note: Tomcat is not started by a Startup Item, nor is it started directly by the watchdog process. It is started and stopped by the Server Settings application in conjunction with the serversettingsd process, which uses the /Library/Tomcat/bin/tomcatctl script.

To start Tomcat on server startup:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click “Start Tomcat at system startup.”
4. Click Save, then restart the server.

To verify that Tomcat is running, use a Web browser to access port 9006 of your Web site by entering the URL for your site followed by :9006, for example:

http://example.com:9006

If Tomcat is running, accessing port 9006 will display the default Tomcat home page.

Checking Web Service Status

In the Server Settings application, you can check to see the current state of the server and the performance cache, and which Web modules are active. The Start/Stop Status Messages field displays messages about the server status. If you are not sure what the messages mean, you can find explanations on the Apache Web site: www.apache.org

If Web service is not running, the window shows only the date and time the server stopped.

To view Web service status:
1. In Server Settings, click Internet.
2. Click Web and select Show Web Service Status.

Current requests and current throughput include both Apache and performance cache data. Performance cache requests and throughput include performance cache data only.

Viewing Logs of Web Service Activity

Web service in Mac OS X Server uses the standard Apache log format, so you can use any third-party log analysis tool to interpret the log data.

To view the log files:
1. In Server Status, click Web under your server.
2. Click the Logs tab.
3. Click the log you want to view.

Setting Up Multiple IP Addresses for a Port

When you first set up your server, the Setup Assistant lets you configure one IP address for each Ethernet port available on the server.
On some occasions, you may want to configure multiple IP addresses for a particular port. For example, if you use the server to host multiple Web sites, you may want to accept requests for different domain names (URLs) over the same port. To do so, you need to set up the port to have multiple configurations, one for each domain name, and then use the Web module of Server Settings to map each site to a particular configuration.

To set up multiple IP addresses for a port:
1. Open System Preferences and click Network.
2. Choose Advanced from the Configure pop-up menu.
3. Click New.
4. Enter a name for the new port configuration and choose the port you are configuring from the Port pop-up menu. Click OK.
5. Choose the port configuration you just added from the Configure pop-up menu.
6. Click the TCP tab, then choose Manually from the Configure pop-up menu. Enter the new IP address and other information describing the port. Click Save.

Managing Web Sites

The Sites pane lists your Web sites and provides some basic information about each site. You use the Sites pane to add new sites or change settings for existing sites.

To access the Sites pane:
- In Server Settings, click Web and choose Configure Web Service, then click the Sites tab.

Setting Up the Documents Folder for Your Web Site

To make files available through a Web site, you put the files in the Documents folder for the site. To organize the information, you can create folders inside the Documents folder. The folder is located in this directory: /Library/WebServer/Documents

In addition, each registered user has a Sites folder in the user’s own home directory. Any graphics or HTML pages stored here will be served from this URL: http://server.example.com/~username/

To set up the Documents folder for your Web site:
1. Open the Documents folder on your Web server.
If you have not changed the location of the Documents folder, it’s in this directory: /Library/WebServer/Documents/
2. Replace the index.html file with the main page for your Web site. Make sure the name of your main page matches the default document name you set in the General pane of the site settings window.
3. Copy files you want to be available on your Web site to the Documents folder.

Changing the Default Web Folder for a Site

A site’s default Web folder is used as the root for the site. In other words, the default folder is the top level of the directory structure for the site.

To change the default Web folder for a site hosted on your server:
1. Log in to the server you want to administer.
2. Drag the contents of your previous Web folder to your new Web folder.
3. In Server Settings, log in to the server where the Web site is located.
4. Click the Internet tab, then click Web and choose Configure Web Service.
5. Click the Sites tab.
6. Select a site in the list, then click Edit.
7. Type the path to the Web folder in the Website Folder field, or click the Select button and navigate to the new Web folder location (if accessing this server remotely, file service must be turned on to do this; see Chapter 5, “File Services,” for more information).
8. Click Save, then restart Web service.

Enabling a Web Site on a Server

Before you can enable a Web site, you must create the content for the site and set up your site folders.

To enable the Web site:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click the Sites tab, then click Add.
4. Type the fully qualified DNS name of your Web site in the Name field.
5. Enter the IP address and port number (any number up to 8999) for the site. The default port number is 80. Make sure that the number you choose is not already in use by another service on the server.
6. Enter the path to the folder you set up for this Web site.
You can also click the Select button and browse for the folder you want to use. If you are administering a remote server, file service must be running on the local machine to use the Select button.
7. Enter the file name of your default document (the first page users see when they access your site).
8. Make any other settings you want for this site, then click Save.
9. Click the Enabled box next to the site name in the Sites pane of the Configure Web Service window.

Important: In order to enable your Web site on the server, the Web site must have a unique combination of DNS name, IP address, and port number. See “Hosting More Than One Web Site” on page 339 and “Setting Up Multiple IP Addresses for a Port” on page 348 for more information.

10. Click Save, then restart Web service.

Setting the Default Page for a Web Site

The default page appears when a user connects to your Web site by specifying a directory or host name instead of a file name.

To set the default Web page:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click the Sites tab.
4. Select a site in the list, then click Edit.
5. In the General pane, type a name in the Default Document Name field. A file with this name must be in the Web site folder.
6. Click Save, then restart Web service.

Note: The Default Document Name field can have more than one entry. Any file name containing a space must be enclosed in quotes. Each entry must be separated by a space.

Changing the Access Port for a Web Site

By default, the server uses port 80 for connections to Web sites on your server. You may need to change the port used for an individual Web site, for instance, if you want to set up a streaming server on port 80. Make sure that the number you choose does not conflict with ports already being used on the server (for FTP, Apple file service, SMTP, and others).
If you change the port number for a Web site, you must change all URLs that point to the Web server to include the new port number you choose.

To set the port for a Web site:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click the Sites tab.
4. Select a site, then click Edit.
5. Type the port number in the Port field, then click Save.

Improving Performance of Static Web Sites

If your Web sites contain static HTML files, and you expect high usage of the pages, you can enable the performance cache to improve server performance. You should disable the performance cache if:
- you do not anticipate heavy usage of your Web site
- most of the pages on your Web site are generated dynamically

The performance cache is enabled by default.

To enable or disable the performance cache for your Web server:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click the Sites tab.
4. Select a site in the list, then click Edit.
5. In the Options pane, select or deselect “Enable performance cache.”
6. Click Save, then restart Web service.

You can also improve server performance by disabling the access and error logs.

Enabling Access and Error Logs for a Web Site

You can set up error and access logs for individual Web sites that you host on your server. However, enabling the logs can slow server performance. Keep in mind that the access and error logs are also your only record of who requested what and of which requests failed; without them you cannot investigate a problem or a suspected break-in after the fact.

To enable access and error logs for a Web site:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click the Sites tab.
4. Select a site in the list, then click Edit.
5. Click the Logging tab and select the logs you want to enable.
6. Set how often you want the logs to be archived.
7. Type the path to the file where you want to store the logs. You can also click the Select button and browse for the folder you want to use. If you are administering a remote server, file service must be running on the local machine to use the Select button.
8. Click Save, then restart Web service.

Setting Up Directory Listing for a Web Site

When users specify the URL for a directory, you can display either a default Web page (such as index.html) or a list of the directory contents. You can display either a simple list or a detailed folder list. To set up directory listing, you need to enable indexing for the Web site. Keep in mind that a folder listing reveals every file in the folder, including files you never linked to, so enable it only for folders whose complete contents are meant to be public.

Note: Folder listings are displayed only if no default document is found.

To enable indexing for a Web site:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. Click the Sites tab.
4. Select a site, then click Edit.
5. Select “Enable indexing of folders” in the Options pane. If you want a simple list, skip to step 8. If you want a detailed folder list, continue with the next step.
6. Click Save, then click the General tab of the Configure Web Service window.
7. Select “Enable detailed folder listings.”
8. Click Save, then restart Web service.

Connecting to Your Web Site

Once you configure your Web site, it’s a good idea to view the site with a Web browser to verify that everything appears as intended.

To make sure a Web site is working properly:
1. Open a Web browser and type the Web address of your server. You can use either the IP address or the DNS name of the server.
2. Type the port number, if you are not using the default port.
3. If you’ve restricted access to specific users, enter a valid user name and password.

Enabling WebDAV

Web-based Distributed Authoring and Versioning (WebDAV) allows you or your users to make changes to Web sites while the sites are running. If you enable WebDAV, you also need to assign access privileges for the sites and for the Web folders.

To enable WebDAV:
1. In Server Settings, click the Internet tab.
2. Click Web and choose Configure Web Service.
3. In the General pane, select “Enable WebDAV support,” then click the Sites tab.
4. Select a Web site and click Edit, click the Options tab, then select Enable WebDAV.
5 Click the Access tab. Select a realm and click Edit, or click Add to create a new realm. The realm is the part of the Web site users can access.
6 Type the name you want users to see when they log in. The default realm name is the name of the Web site.
7 Type the path to the location in the Web site to which you want to limit access. If file service is running, or if you are using Server Settings on the Mac OS X Server, you can click Select and browse to find the location.
8 Click Save.

Setting Access for WebDAV-Enabled Sites

You create realms to provide security for Web sites. Realms are locations within a site that users can view or make changes to when WebDAV is enabled. When you define a realm, you can assign browsing and authoring privileges to users for the realm.

To add users and groups to a realm:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service, then click the Sites tab.
3 Select a site name and click Edit, then click the Access tab.
4 Select a realm and click Edit, or click Add to create a new realm. The default name for a new realm is the name of the Web site.
5 Select the “Everyone” checkbox and choose “can Browse” from the pop-up menu.
6 Drag users and groups from the list of users and groups in Workgroup Manager to the realm window.
7 Select Allow Authoring if you want a user or group to be able to author.

If you don’t select Everyone, you can fully restrict access and add only the users you want to browse and author for this realm. When you select privileges for Everyone, you have these options:
• “Browse” allows everyone who can access this realm to see it. You can add additional users and groups to the User or Group list to enable authoring for them.
• “Browse and Author” allows everyone who has access to this realm to see and make changes to it.
Enabling a Common Gateway Interface (CGI) Script

Common Gateway Interface (CGI) scripts (or programs) send information back and forth between your Web site and applications that provide different services for the site.
• If a CGI is to be used by only one site, install the CGI in the Documents folder for the site. The CGI name must end with the suffix “.cgi.”
• If a CGI is to be used by all sites, install it in the /Library/WebServer/CGI-Executables folder. In this case, clients must include /cgi-bin/ in the URL for the site. For example, http://www.example.com/cgi-bin/test-cgi
• Make sure the file permissions on the CGI allow it to be executed by the user named “www.” Since the CGI typically isn’t owned by www, the file should be executable by everyone.

To enable a CGI for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a Web site in the list and click Edit.
5 Select Enable CGI Execution under Site Options.
6 Click Save, then restart Web service.

Note: For security reasons, the printenv and test-cgi scripts that are pre-installed in the /Library/WebServer/CGI-Executables folder are not executable by default. You may want to make them executable to verify correct operation of CGIs. Use either the Finder or the Terminal application to set their permissions to be executable.

Apple also supports CGIs written in AppleScript, referred to as ACGIs. To run an ACGI, use the Mac OS X Script Editor to save the AppleScript as an Application with the Stay Open option. Then start Classic and the ACGI Enabler (in /Applications/Utilities) before you request the file from a browser.

Enabling Server Side Includes (SSI)

Enabling Server Side Includes (SSI) allows a chunk of HTML code or other information to be shared by different Web pages on your site. SSIs can also function like CGIs and execute commands or scripts on the server.
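The CGI permission rule in the CGI section above (executable by everyone because the file is normally not owned by www, and named with the .cgi suffix) as an added shell check; this is example code, not part of the guide, and the scratch files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the guide): check that a CGI file meets the
# requirements before enabling CGI execution for a site. A CGI in a site's
# Documents folder must end in .cgi and, because it is usually not owned
# by the www user, must carry the "execute by others" bit.
# Returns 0 when ready, 1 otherwise, and explains why on stderr.
cgi_ready() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    case "$f" in
        *.cgi) ;;
        *) echo "$f: name must end in .cgi" >&2; return 1 ;;
    esac
    # Field 1 of ls -l is the mode string, e.g. -rwxr-xr-x; character 10
    # is the execute bit for "others". Works with both BSD and GNU ls.
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ?????????x) return 0 ;;
        *) echo "$f: mode $mode is not executable by others (chmod o+x)" >&2
           return 1 ;;
    esac
}

# Constructed demo: two copies of a trivial CGI in a scratch directory,
# one with the execute bit for others and one without.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho Content-type: text/plain\necho\necho hi\n' > "$d/ok.cgi"
    cp "$d/ok.cgi" "$d/noexec.cgi"
    chmod 755 "$d/ok.cgi"
    chmod 644 "$d/noexec.cgi"
    cgi_ready "$d/ok.cgi" && echo "ok.cgi: ready"
    cgi_ready "$d/noexec.cgi" || echo "noexec.cgi: not ready"
    rm -rf "$d"
}

demo
```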
Note: Enabling SSI requires making changes to UNIX configuration files in the Terminal application. To enable SSI, you must be comfortable with typing UNIX commands and using a UNIX text editor.

To enable SSI:
1 In the Terminal application, use a text editor to edit /etc/httpd/httpd_macosxserver.conf
2 Add the following line to each virtual host for which you want SSI enabled:
    Options Includes
  To enable SSI for all virtual hosts, add the line outside any virtual host block.
3 In Server Settings, click Web and add “index.shtml” to the set of default index files for each virtual host.

By default, the mime_macosxserver.conf file maintained by Server Settings contains the following two lines:
    AddHandler server-parsed shtml
    AddType text/html shtml
If your SSI files use a file extension other than .shtml, you should add that type to the mime_macosxserver.conf file. You can add MIME types in Server Settings from the MIME Types tab. The changes take effect when you restart the Web service.

Monitoring Web Sites

You can use the Sites pane to check the status of your Web sites. The Sites pane shows
• whether a site is enabled
• the site’s DNS name and IP address
• the port being used for the site

Double-clicking a site in the Sites pane opens the site settings window, where you can view or change the settings for the site.

To access the Sites pane:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.

Setting Server Responses to MIME Types

Multipurpose Internet Mail Extension (MIME) is an Internet standard for specifying what happens when a Web browser requests a file with certain characteristics. A file’s suffix describes the type of data in the file. Each suffix and its associated response together are called a “MIME type mapping.” See “Understanding Multipurpose Internet Mail Extension (MIME)” on page 340 for more information.
To set the server response for a MIME type:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the MIME Types tab and then click Add, or select a MIME type and click Edit.
4 Type the file suffix associated with this mapping in the File Suffix field.
5 Choose the server response from the pop-up menu, or type the file type in the Return MIME Type field. If you return a CGI, make sure you’ve enabled CGI execution for the Web site.
6 Click Save, then restart Web service.

Enabling SSL

Before you can enable Secure Sockets Layer (SSL) protection for a Web site, you have to obtain the proper certificates. For more information, see “Setting Up Secure Sockets Layer (SSL) Service” on page 361.

To set up SSL for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a site and click Edit.
5 Click the Security tab, then select Enable Secure Sockets Layer (SSL).
6 Click each button in the Security pane and paste the contents of the appropriate certificate or key in the text field for each. Click Save before going on to the next button.
7 Type the location of the SSL log file in the SSL Log File field. You can also click the Select button and browse for the folder you want to use. If you are administering a remote server, file service must be running on the local machine to use the Select button.
8 Click Save, then restart Web service.

Enabling PHP

PHP (PHP: Hypertext Preprocessor) is a scripting language embedded in HTML that is used to create dynamic Web pages. PHP provides functions similar to those of CGI scripts, but supports a variety of database formats and can communicate across networks via many different protocols. The PHP libraries are included in Mac OS X Server, but are disabled by default. See “Installing and Viewing Web Modules” on page 365 for more information on PHP.
Note: Enabling PHP requires making changes to UNIX configuration files in the Terminal application. To enable PHP, you must be comfortable with typing UNIX commands and using a UNIX text editor.

To enable PHP:
1 In the Terminal application, use a text editor to edit /etc/httpd/httpd.conf
2 Enable PHP by removing the comment character, #, from the following lines, which are located in various places in the file:
    #LoadModule php4_module /usr/libexec/httpd/libphp4.so
    #AddModule mod_php4.c
3 Save the changes and close the file.

The changes take effect when you restart the Web service.

WebMail

WebMail adds basic email functions to your Web site. If your Web service hosts more than one Web site, WebMail can provide access to mail service on any or all of the sites. The mail service looks the same on all sites. The WebMail software is included in Mac OS X Server, but is disabled by default.

Note: Enabling WebMail requires making changes to UNIX configuration files in the Terminal application. To enable WebMail, you must be comfortable with typing UNIX commands and using a UNIX text editor.

The WebMail software is based on SquirrelMail, which is a collection of open-source scripts run by the Apache server. For more information on SquirrelMail, see this Web site: www.squirrelmail.org

WebMail Users

If you enable WebMail, a Web browser user can
• compose messages and send them
• receive messages
• forward or reply to received messages
• maintain a signature that is automatically appended to each sent message
• create, delete, and rename folders and move messages between folders
• attach files to outgoing messages
• retrieve attached files from incoming messages
• manage a private address book
• set WebMail preferences, including the color scheme displayed in the Web browser

To use your WebMail service, a user must have an account on your mail server.
Therefore, you must have a mail server set up if you want to offer WebMail on your Web sites.

Users access your Web site’s WebMail page by appending /WebMail to the URL of your site. For example, http://mysite.example.com/WebMail

Users log into WebMail with the name and password they use for logging in to regular mail service. WebMail does not provide its own authentication. For more information on mail service users, see “Supporting Mail Users” on page 405 in Chapter 9, “Mail Service.”

When users log in to WebMail, their passwords are sent over the Internet in clear text (not encrypted) unless the Web site is configured to use SSL. For instructions on configuring SSL, see “Enabling SSL for Web Service” on page 346.

WebMail users can consult the user manual for SquirrelMail at the following Web page: www.squirrelmail.org/wiki/UserManual

WebMail and Your Mail Server

WebMail relies on your mail server to provide the actual mail service. WebMail merely provides access to the mail service through a Web browser. WebMail cannot provide mail service independent of a mail server. WebMail uses the mail service of your Mac OS X Server by default. You can designate a different mail server if you are comfortable using the Terminal application and UNIX command-line tools. For instructions, see “Configuring WebMail” on page 360.

WebMail Protocols

WebMail uses standard email protocols and requires your mail server to support them:
• Internet Message Access Protocol (IMAP) for retrieving incoming mail
• Simple Mail Transfer Protocol (SMTP) for exchanging mail with other mail servers (sending outgoing mail and receiving incoming mail)

WebMail does not support retrieving incoming mail via Post Office Protocol (POP). Even if your mail server supports POP, WebMail does not.

Enabling WebMail

You can enable WebMail for the Web site (or sites) hosted by your Web service. Changes take effect when you restart Web service.
1 Make sure your mail service is started and configured to provide IMAP and SMTP service. The mail service of Mac OS X Server provides IMAP and SMTP service by default. For details on mail service configuration, see Chapter 9, “Mail Service.”
2 Make sure IMAP mail service is enabled in the user accounts of the users you want to have WebMail access. For details on mail settings in user accounts, see “Working With Mail Settings for Users” on page 150 in Chapter 3, “Users and Groups.”
3 Enable PHP according to the instructions on page 357.
4 In the Terminal application, use a text editor to edit /etc/httpd/httpd_macosxserver.conf and add the following line:
    Include /etc/httpd/httpd_squirrelmail.conf
  Where you add this line depends on whether your server hosts multiple Web sites and whether you want all or some hosted Web sites to have WebMail. If your server hosts only one Web site or you want all Web sites to have WebMail, add the “Include” line outside all virtual host blocks. If you want only some Web sites hosted by your server to have WebMail, add the “Include” line at or near the top of the block for each of your Web sites that you want to have WebMail service. Here is an example of the beginning of a block for a Web site at 192.0.32.72 with the “Include” line added:
    <VirtualHost 192.0.32.72>
    ServerName www.example.com
    Include /etc/httpd/httpd_squirrelmail.conf
5 Add the default document name “index.php” to the default documents for the site. This allows the server to display the default WebMail page if a client requests a URL for a folder without including a document name. See “Setting the Default Page for a Web Site” on page 351 for more information on adding a default document name.

Configuring WebMail

WebMail is based on SquirrelMail, an open-source module for the Apache Web server that provides Web service for Mac OS X Server. SquirrelMail has several options that you can configure to integrate WebMail with your site.
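The Terminal edits from the SSI procedure (Options Includes per virtual host), the PHP procedure (uncommenting the two module lines) and WebMail step 4 above (the Include line at the top of a site's block) all amount to inserting or changing lines in the httpd configuration files, so here they are as one added script; this is example code, not part of the guide, the two-site configuration it edits is constructed for the demo, and it works on a copy so the real files stay untouched until you choose to replace them.

```shell
#!/bin/sh
# Added example (not from the guide): the httpd configuration edits from
# the SSI, PHP and WebMail procedures, scripted. Paths and server names
# are assumptions; run it against a copy and diff before replacing the
# real /etc/httpd files.

# Insert LINE right after the "ServerName NAME" line inside a VirtualHost
# block. Only the block(s) whose ServerName matches NAME are touched;
# lines outside any block are never changed.
insert_in_vhost() {            # insert_in_vhost CONF NAME LINE
    conf=$1 name=$2 line=$3
    tmp=$(mktemp)
    awk -v name="$name" -v line="$line" '
        /^[ \t]*<VirtualHost/    { invh = 1 }
        /^[ \t]*<\/VirtualHost>/ { invh = 0 }
        { print }
        invh && $1 == "ServerName" && $2 == name { print "    " line }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# SSI step 2: "Options Includes" for one virtual host. (Apache also accepts
# IncludesNOEXEC, which permits #include but not #exec; the guide uses
# Includes, so that is what is written here.)
enable_ssi()  { insert_in_vhost "$1" "$2" "Options Includes"; }

# WebMail step 4: the Include line at the top of the site's block.
add_webmail() { insert_in_vhost "$1" "$2" "Include /etc/httpd/httpd_squirrelmail.conf"; }

# PHP step 2: remove the comment character from the two module lines,
# wherever they sit in httpd.conf; every other line is left alone.
enable_php() {
    tmp=$(mktemp)
    sed -e 's|^#LoadModule php4_module /usr/libexec/httpd/libphp4.so|LoadModule php4_module /usr/libexec/httpd/libphp4.so|' \
        -e 's|^#AddModule mod_php4.c|AddModule mod_php4.c|' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample of httpd_macosxserver.conf with two sites.
sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost 192.0.32.72>
ServerName www.example.com
DocumentRoot /Library/WebServer/Documents
</VirtualHost>
<VirtualHost 192.0.32.73>
ServerName intranet.example.com
DocumentRoot /Library/WebServer/intranet
</VirtualHost>
EOF
}

# Number of lines in CONF matching PATTERN; used to verify an edit took.
count_lines() { grep -c -- "$2" "$1"; }

# Demo: WebMail for www.example.com only, SSI for the intranet only.
d=$(mktemp -d)
sample_conf "$d/httpd_macosxserver.conf"
add_webmail "$d/httpd_macosxserver.conf" www.example.com
enable_ssi  "$d/httpd_macosxserver.conf" intranet.example.com
cat "$d/httpd_macosxserver.conf"
rm -rf "$d"
```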
The options and their default settings are as follows:
• Organization Name is displayed on the main WebMail page when a user logs in. The default is Mac OS X Server WebMail.
• Organization Logo specifies the relative or absolute path to an image file.
• Organization Title is displayed as the title of the Web browser window while viewing a WebMail page. The default is Mac OS X Server WebMail.
• Trash Folder is the name of the IMAP folder where mail service puts messages when the user deletes them. The default is Deleted Messages.
• Sent Folder is the name of the IMAP folder where mail service puts messages after sending them. The default is Sent Messages.
• Draft Folder is the name of the IMAP folder where mail service puts the user’s draft messages. The default is Drafts.

You can configure these and other settings—such as which mail server provides mail service for WebMail—by running an interactive Perl script in a Terminal window, with root privileges. These configuration settings apply to all Web sites hosted by your Web service.

To configure basic WebMail options:
1 In the Terminal application, type
    cd /opt/squirrelmail/configure
    sudo ./conf.pl
2 Follow the instructions displayed in the Terminal window.

WebMail configuration changes do not require restarting Web service unless users are logged in to WebMail.

To further customize the appearance (for example, to provide a specific appearance for each of your Web sites), you need to know how to write PHP scripts. In addition, you need to become familiar with the SquirrelMail plug-in architecture and write your own SquirrelMail plug-ins.

Setting Up Secure Sockets Layer (SSL) Service

If you want to provide secure transactions on your server, such as allowing users to purchase items from a Web site, you should set up Secure Sockets Layer (SSL) protection. SSL lets you send encrypted, authenticated information across the Internet.
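The CSR procedure that follows in this section, scripted as an added example (not from the guide) so the key and request can be generated and checked without answering prompts. It deliberately departs from the guide's commands in labelled ways: the prompt answers go in -subj, the passphrase comes from the SSL_PASSPHRASE environment variable, and the key is 2048-bit and AES-encrypted (a current openssl seeds its own randomness, so the md5 * > rand.dat step is unnecessary); all names are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): generate the server key and CSR
# non-interactively, then verify the request before it is pasted into the
# issuing authority's form. Every name below is an assumption for the demo.

# make_csr DIR PASSPHRASE COMMONNAME -> writes DIR/key.pem and DIR/csr.pem
make_csr() {
    dir=$1 pass=$2 cn=$3
    # Private key, encrypted with the passphrase that is later typed into
    # the Pass Phrase field of the site's Security pane.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/key.pem" 2048 2>/dev/null || return 1
    chmod 600 "$dir/key.pem"   # only the administrator should be able to read the key
    # The request; the subject fields match the guide's prompts in order
    # (country, state, locality, organization, unit, common name, email).
    openssl req -new -key "$dir/key.pem" -passin "pass:$pass" \
        -subj "/C=US/ST=California/L=Cupertino/O=Example Org/OU=IT/CN=$cn/emailAddress=admin@example.com" \
        -out "$dir/csr.pem" 2>/dev/null
}

# check_csr DIR COMMONNAME -> 0 if the CSR's self-signature verifies, its
# subject carries COMMONNAME (the DNS name browsers will connect to) and
# the key file on disk is still encrypted.
check_csr() {
    dir=$1 cn=$2
    openssl req -in "$dir/csr.pem" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$dir/csr.pem" -noout -subject | grep -q "CN *= *$cn" || return 1
    # An encrypted PEM key announces it in its header (legacy and PKCS#8 forms).
    grep -q 'ENCRYPTED' "$dir/key.pem"
}

d=$(mktemp -d)
if make_csr "$d" "${SSL_PASSPHRASE:-change-me}" server.example.com \
   && check_csr "$d" server.example.com; then
    cat "$d/csr.pem"   # from "BEGIN CERTIFICATE REQUEST" to "END CERTIFICATE REQUEST"
fi
rm -rf "$d"
```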
If you want to allow credit card transactions through a Web site, for example, you can protect the information that’s passed to and from that site.

When you generate a certificate signing request (CSR), the certificate authority sends you a certificate that you install on your server. They may also send you a CA certificate (ca.crt). Installing this file is optional. Normally, CA certificates reside in client applications such as Internet Explorer and allow those applications to verify that the server certificate originated from the right authority. However, CA certificates expire or evolve, so some client applications may not be up to date.

Generating a Certificate Signing Request (CSR) for Your Server

The CSR is a file that provides information needed to set up your server certificate.

To generate a CSR for your server:
1 Log in to your server using the root password and open the Terminal application.
2 At the prompt, type these commands and press Return at the end of each one.
    cd
    openssl md5 * > rand.dat
    openssl genrsa -rand rand.dat -des 1024 > key.pem
3 At the next prompt, type a passphrase, then press Return. The passphrase you create unlocks the server’s certificate key. You will use this passphrase when you enable SSL on your Web server.
4 If it doesn’t already exist on your server, create a directory at the following location: /etc/httpd/ssl.key
  Make a copy of the key.pem file (created in step 2) and rename it server.key. Then copy server.key to the ssl.key directory.
5 At the prompt, type the following command and press Return.
    openssl req -new -key key.pem -out csr.pem
  This generates a file named csr.pem in your home directory.
6 When prompted, enter the following information:
  • Country: The country in which your organization is located.
  • State: The full name of your state.
  • Locality: The city in which your organization is located.
  • Organizational name: The organization to which your domain name is registered.
  • Organizational unit: Usually something similar to a department name.
  • Common name of your Web server: The DNS name, such as server.apple.com.
  • Email address: The email address to which you want the certificate sent.
  The file “csr.pem” is generated from the information you provided.
7 At the prompt, type the following, then press Return.
    cat csr.pem
  The cat command lists the contents of the file you created in step 5 (csr.pem). You should see the phrase “Begin Certificate Request” followed by a cryptic message. The message ends with the phrase “End Certificate Request.” This is your certificate signing request (CSR).

Obtaining a Web Site Certificate

You must purchase a certificate for each Web site from an issuing authority. Keep these important points in mind when purchasing your certificate:
• You must provide an InterNIC-registered domain name that’s registered to your organization.
• If you are prompted to choose a software vendor, choose Apache Freeware with SSLeay.
• You have already generated a CSR, so when prompted, open your CSR file using a text editor. Then copy and paste the contents of the CSR file into the appropriate text field on the issuing authority’s Web site.

After you’ve completed the process, you’ll receive an email message that contains a Secure Server ID. This is your server certificate. When you receive the certificate, save it to your Web server’s hard disk as a file named server.crt.

Installing the Certificate on Your Server
1 Log in to your server as the administrator or super user (also known as root).
2 If it doesn’t already exist on your server, create a directory with this name: /etc/httpd/ssl.crt
3 Copy server.crt (the file that contains your Secure Server ID) to the ssl.crt directory.

Enabling SSL for the Site
1 In Server Settings, click Web and choose Configure Web Service.
2 Make sure Enable SSL support is selected for the entire site.
3 Click Sites, then select the site where you plan to use the certificate, and click Edit.
4 Click the Security tab.
5 Select Enable Secure Sockets Layer (SSL).
6 Click Edit Certificate File and paste the text from your certificate file (the certificate you obtained from the issuing authority) in the text field, then click Save.
7 Click Edit Key File and paste the text from your key file (the file key.pem, which you set up earlier) in the text field, then click Save.
8 Click Edit CA Certificate File and paste the text from the ca.crt file in the text field. (This is an optional file that you may have received from the certificate authority.) Click Save.
9 Click in the Pass Phrase field and type the passphrase from your CSR in the text field, then click Save.
10 Set the location of the log file that will record SSL transactions and click Save.
11 Stop and then start Web service.

Solving Problems

Users Can’t Connect to a Web Site on Your Server
• Make sure that Web service is turned on and the site is enabled.
• Check the Start/Stop Status Messages field in the Web Service Status window for messages. If you are not sure what the messages mean, you’ll find explanations on the Apache Web site at: www.apache.org
• Check the Apache access and error logs.
• Make sure users are entering the correct URL to connect to the Web server.
• Make sure that the correct folder is selected as the default Web folder. Make sure that the correct HTML file is selected as the default document page.
• If your Web site is restricted to specific users, make sure those users have access privileges to your Web site.
• Verify that users’ computers are configured correctly for TCP/IP. If the TCP/IP settings appear correct, use a “pinging” utility that allows you to check network connections.
• Verify that the problem is not a DNS problem. Try to connect with the IP address of the server instead of its DNS name.
• Make sure your DNS server’s entry for the Web site’s IP address and domain name is correct.

A Web Module Is Not Working as Expected
• Check the error log in Server Status for information about why the module might not be working correctly.
• If the module came with your Web server, check the Apache documentation for that module and make sure the module is intended to work the way you expected.
• If you installed the module, check the documentation that came with the Web module to make sure it is installed correctly and is compatible with your server software.

For more information on supported Apache modules for Mac OS X Server, see this Web site: www.apache.org/docs/mod/

A CGI Will Not Run
• Check the CGI’s file permissions to make sure the CGI is executable by www. If not, the CGI won’t run on your server even if you enable CGI execution in Server Settings.

Installing and Viewing Web Modules

Modules “plug in” to the Apache Web server software and add functionality to your Web site. Apache comes with some standard modules, and you can purchase modules from software vendors or download them from the Internet. You can find information about available Apache modules at this Web site: www.apache.org/docs/mod
• To view a list of Web modules installed on your server, in Server Settings click Internet, click Web, then select Show Web Service Status.
• To install a module, follow the instructions that came with the module software. The Web server loads modules from this directory: /usr/libexec/httpd/
  In addition, you must change the httpd.conf file to load and then add new modules.

Macintosh-Specific Modules

Web service in Mac OS X Server installs some modules specific to the Macintosh. These modules are described in this section.

mod_macbinary_apple
This module packages files in the MacBinary format, which allows Macintosh files to be downloaded directly from your Web site.
A user can download a MacBinary file using a regular Web browser by adding “.bin” to the URL used to access the file.

mod_sherlock_apple
This module lets Apache perform relevance-ranked searches of the Web site using Sherlock. Once you index your site using the Finder, you can provide a search field for users to search your Web site.
• Choose Get Info in the Finder to index a folder’s contents.

Note: You must be logged in as root for the index to be copied to the Web directory in order to be searchable by a browser.

Clients must add .sherlock to your Web site’s URL to access a page that allows them to search your site. For example: http://www.example.com/.sherlock

mod_auth_apple
This module allows a Web site to authenticate users by looking for them in directory service domains within the server’s search policy. When authentication is enabled, Web site visitors are prompted for a user name and password before they can access information on the site.

mod_redirectacgi_apple
This module works in conjunction with the ACGI Enabler application to allow users to execute ACGI programs (Mac OS CGIs). To enable an ACGI, log in as the administrator and open the ACGI Enabler application. Do not log out of the application—it must be running for ACGIs to work.

mod_hfs_apple
This module requires users to enter URLs for HFS volumes using the correct case (lowercase or uppercase). This module adds security for case-insensitive volumes. If a restriction exists for a volume, users receive a message that the URL is not found.

Open-Source Modules

Mac OS X Server includes these popular open-source modules: Tomcat, PHP: Hypertext Preprocessor, and mod_perl.

Tomcat
The Tomcat module, which uses Java-like scripting, is the official reference implementation for two complementary technologies developed under the Java Community Process:
• Java Servlet 2.2. For the Java Servlet API specifications, see the following site: java.sun.com/products/servlets
• JavaServer Pages 1.1.
  For these API specifications, see java.sun.com/products/jsp

If you want to use Tomcat, you must activate it first. See “Starting Tomcat” on page 347 for instructions.

PHP: Hypertext Preprocessor
PHP lets you handle dynamic Web content by using a server-side HTML-embedded scripting language resembling C. Web developers embed PHP code within HTML code, allowing programmers to integrate dynamic logic directly into an HTML script rather than write a program that generates HTML. PHP provides CGI capability and supports a wide range of databases. Unlike client-side JavaScript, PHP code is executed on the server. PHP is also used to implement WebMail on Mac OS X Server. For more information about this module, see www.php.net

mod_perl
This module integrates the complete Perl interpreter into the Web server, letting existing Perl CGI scripts run without modification. This integration means that the scripts run faster and consume fewer system resources. For more information about this module, see perl.apache.org

MySQL
MySQL provides a relational database management solution for your Web server. With this open-source software, you can link data in different tables or databases and provide the information on your Web site. The MySQL Manager application simplifies setting up the MySQL database on Mac OS X Server. You can use MySQL Manager to initialize the MySQL database, and to start and stop the MySQL service.

MySQL is pre-installed on Mac OS X Server, with its various files already in the appropriate locations. At some point you may wish to upgrade to a newer version of MySQL. You may install the new version in /usr/local/mysql; however, MySQL Manager will not be aware of the new version of MySQL and will continue to control the pre-installed version. If you do install a newer version of MySQL, use MySQL Manager to stop the pre-installed version, then start the newer version via the config file.
For more information on MySQL, see www.mysql.com

Where to Find More Information

For information about configuration files and other aspects of Apache Web service, see these resources:
• Apache: The Definitive Guide, 2nd Edition, by Ben Laurie and Peter Laurie (O’Reilly and Associates, 1999)
• Writing Apache Modules with Perl and C, by Lincoln Stein and Doug MacEachern (O’Reilly and Associates, 1999)
• Web Performance Tuning, by Patrick Killelea (O’Reilly and Associates, 1998)
• Web Security & Commerce, by Simson Garfinkel and Gene Spafford (O’Reilly and Associates, 1997)
• For more information about Apache, see the Apache Web site: www.apache.org
• For an inclusive list of methods used by WebDAV clients, see RFC 2518. RFC documents provide an overview of a protocol or service that can be helpful for novice administrators, as well as more detailed technical information for experts. You can search for RFC documents by number at this Web site: www.faqs.org/rfcs

Chapter 9: Mail Service

Mail service in Mac OS X Server allows network users to send and receive email over your network or across the Internet. The mail service sends and receives email using the standard Internet mail protocols: Internet Message Access Protocol (IMAP), Post Office Protocol (POP), and Simple Mail Transfer Protocol (SMTP). The mail service also uses a Domain Name System (DNS) service to determine the address of outgoing mail.

This chapter begins with a look at the standard protocols used for sending and receiving email.
It goes on to explain how mail service works, summarize the aspects of mail service management, and tell you how to
• manage mail service
• manage incoming and outgoing mail
• manage the mail database
• monitor and log mail activity
• limit junk mail
• handle undeliverable mail
• support mail users
• improve mail service performance
• back up and restore mail files

Mail Service Protocols

A standard mail setup uses SMTP to send outgoing email and POP and IMAP to receive incoming email. Mac OS X Server includes an SMTP service and a combined POP and IMAP service. You may find it helpful to take a closer look at the three email protocols.

Post Office Protocol (POP)

The Post Office Protocol (POP) is used only for receiving mail, not for sending mail. The mail service of Mac OS X Server stores incoming POP mail until users have their computers connect to the mail service and download their waiting mail. After a user’s computer downloads POP mail, the mail is stored only on the user’s computer. The user’s computer disconnects from the mail service, and the user can read, organize, and reply to the received POP mail.

The POP service is like a post office, storing mail and delivering it to a specific address. One advantage of POP is that your server doesn’t need to store mail that users have downloaded. Therefore, your server doesn’t need as much storage space as it would using the IMAP protocol. However, because the mail is removed from the server, if any client computers sustain hard disk damage and lose their mail files, there is no way you can recover these files without using data backups.

POP is not the best choice for client users who access mail from more than one computer, such as a home computer, an office computer, or a laptop while on the road. When a user reads mail via the POP protocol, the mail is downloaded to the user’s computer and completely removed from the server.
If the user logs in later from a different computer, he or she won’t be able to see previously read mail.

[Figure: incoming and outgoing mail for ron@example.edu passing across the Internet between the mail server for school.com and the mail server for example.com]

Internet Message Access Protocol (IMAP)

Internet Message Access Protocol (IMAP) is the solution for people who need to receive mail from more than one computer. IMAP is a client-server mail protocol that allows users to access their mail from anywhere on the Internet. Users can send and read mail with a number of IMAP-compliant email clients. With IMAP, client users’ mail is stored in a remote mailbox on the server; mail appears to users just as if it were on the local computer. IMAP delivers mail to the server, as with POP, but the mail is not removed from the server until the user deletes it.

IMAP follows the typical client-server model. The user’s computer can ask the server for message headers, ask for the bodies of specified messages, or search for messages that meet certain criteria. These messages are downloaded as the user opens them.

Simple Mail Transfer Protocol (SMTP)

Simple Mail Transfer Protocol (SMTP) is a protocol that is used to send and transfer mail. Since SMTP’s ability to queue incoming messages is limited, it is usually used only to send mail, while POP or IMAP is used to receive mail.

SMTP Alternatives: Sendmail and Postfix

Instead of the SMTP mail service of Mac OS X Server, you can use another mail transfer agent (MTA), such as the UNIX programs Sendmail and Postfix. If you choose to use another mail transfer agent, it handles all incoming and outgoing SMTP mail. In this case, mail sent to local email users is delivered to the other mail transfer agent. Then Mac OS X Server transfers incoming mail from the other mail transfer agent for final delivery to email users using the POP and IMAP protocols.
POP and IMAP continue to function as usual, but SMTP mail is now subject to the rules and settings of the other mail transfer agent.

The UNIX Sendmail program is included with Mac OS X Server and is configured to work correctly with Mac OS X Server mail service. To use Sendmail, you must set Mac OS X Server mail service to use an alternate mail transfer agent and you must start Sendmail. For more information about Sendmail, see this Web site: www.sendmail.org

If you want to use the Postfix program instead of Sendmail, you must install and configure Postfix. Then you must set Mac OS X Server mail service to use an alternate mail transfer agent and you must start Postfix. For more information about Postfix, see this Web site: www.postfix.org

How Mail Service Uses SSL

The mail service supports secure IMAP connections with mail client software that requests them. If a mail client requests a Secure Sockets Layer (SSL) connection, the mail service automatically complies. The mail service still provides non-SSL (unencrypted) connections to clients that do not request SSL. The mail service does not require any configuration to use SSL in this manner. The configuration of each mail client determines whether it connects with SSL or not.

How Mail Service Uses DNS

Before sending an email, your mail service will probably have a Domain Name System (DNS) service determine the Internet Protocol (IP) address of the destination. The DNS service is necessary because people typically address their outgoing mail by using a domain name, such as example.com, rather than an IP address, such as 198.162.12.12. To send an outgoing message, your mail service must know the IP address of the destination. The mail service relies on a DNS service to look up domain names and determine the corresponding IP addresses.
The DNS service may be provided by your Internet service provider (ISP) or by Mac OS X Server, as explained in Chapter 14, “DNS Service.”

The mail that your mail service receives comes from other servers, and they use DNS to look up your mail service. DNS is able to find your mail service if you have created a mail exchange (MX) record for it. Your MX record specifies the name of the computer that handles mail service for your domain. This computer is known as a mail host. For example, the MX record for the domain example.com may specify that the name of the mail host is mail.example.com. If a mail service wants to send mail that’s addressed to someone@example.com, the mail service requests the MX record for the domain example.com and learns that it should actually send the mail to someone@mail.example.com.

An MX record can provide redundancy by listing an alternate mail host for a domain. If the primary mail host is not available, the mail can be sent to the alternate mail host. In fact, an MX record can list several mail hosts, each with a priority number. If the lowest priority host is busy, mail can be sent to the host with the next lowest priority, and so on.

Where Mail Is Stored

The mail service keeps track of email messages in a small database, but the database does not contain the messages. The mail service stores each message as a separate file in a mail folder. The mail service stores its database file and folder of messages in the folder /Library/AppleMailServer by default. You can change the location of the mail folder and database to another folder, disk, or disk partition. You can even specify a shared volume on another server as the location of the mail folder and database, although using a shared volume incurs performance penalties.

Mail service uses an additional folder if you turn on the option to use an alternate mail transfer agent, such as the UNIX Sendmail program.
The alternate mail transfer agent delivers mail for users of your Apple mail service to the /var/mail folder. This is the standard UNIX mail delivery location. Mail for each user is stored in standard UNIX mailbox format in a file with the user’s name. The Apple IMAP and POP service imports mail from this location to the mail database in the /Library/AppleMailServer folder. A user’s mail remains in /var/mail until the user checks for new mail. Technically, the Apple mail service imports a user’s mail when the user selects the Inbox via IMAP or triggers a LIST via POP.

How User Account Settings Affect Mail Service

In addition to setting up and managing mail service as described in this chapter, you can also configure some mail settings individually for everyone who has a user account on your server. Each user account has settings that do the following:
• enable or disable mail service for the user account
• specify the server that provides mail service for the user account
• set a quota on the amount of disk space for storing the user account’s mail on the server
• specify the protocol for the user account’s incoming mail: POP, IMAP, or both
• maintain separate inboxes for POP and IMAP mail
• show a POP mailbox in the user’s list of IMAP folders
• alert the user via NotifyMail when mail arrives

What Mail Service Can Do About Junk Mail

You can configure your mail service to decrease the volume of unsolicited mail, also known as junk mail and spam. You can take steps to block spam that is sent to your mail users.

You can also take steps to prevent senders of junk mail from using your server as a relay point. A relay point or open relay is a server that unselectively receives and forwards all mail addressed to other servers. An open relay sends mail from any domain to any domain. Junk mail senders exploit open relay servers to avoid having their own SMTP servers blacklisted as sources of spam.
You do not want your server blacklisted as an open relay, because other servers may reject mail from your users.

Your mail service can do any of the following to reduce spam:
• require SMTP authentication
• restrict SMTP relay, allowing relay only by approved servers
• reject all SMTP connections from disapproved servers
• match the DNS name of every mail server to the reverse-lookup of its IP address
• reject mail from blacklisted servers

SMTP Authentication

If your mail service requires SMTP authentication, your server cannot be used as an open relay by anonymous users. Someone who wants to use your server as a relay point must first provide the name and password of a user account on your server. SMTP authentication applies to mail relay, but does not apply to delivery of mail for local mail service users. Your mail service always accepts mail for local delivery without SMTP authentication.

Your local mail users must also authenticate before sending mail. This means your mail users must have mail client software that supports SMTP authentication or they will be unable to send mail.

Restricted SMTP Relay

If your mail service allows SMTP relay only by approved mail servers, then the approved servers can relay through your mail service without authenticating. You create the list of approved servers. Servers not on the list cannot relay mail through your mail service unless they authenticate first. All mail servers, approved or not, can deliver mail to your local mail users without authenticating.

SMTP Authentication and Restricted SMTP Relay Combinations

The following table describes the results of using SMTP authentication and restricted SMTP relay in various combinations.

SMTP authentication: On. Restricted SMTP relay: Off.
Result: All mail servers must authenticate before your mail service will accept any mail for relay. Authentication is not required for delivery to local mail users. Your local mail users must also authenticate to send mail.

SMTP authentication: On. Restricted SMTP relay: On.
Result: Approved mail servers can relay without authentication. Servers that you have not approved can relay after authenticating with your mail service.

SMTP authentication: Off. Restricted SMTP relay: On.
Result: Your mail service can’t be used for open relay. Approved mail servers can relay (without authenticating). Servers that you have not approved can’t relay unless they authenticate, but they can deliver to your local mail users. Your local mail users do not have to authenticate to send mail. This is the most common configuration.

Rejected SMTP Servers

You can have your mail service reject all SMTP connections from mail servers that you add to a list of disapproved servers. Your mail service does not allow anyone to authenticate from a disapproved server. No one can send your users mail or relay mail through your server from a disapproved server.

Mismatched DNS Name and IP Address

Your mail service can log and optionally reject connections from a mail server whose DNS name doesn’t match the name that your DNS service gets when it looks up the mail server’s IP address. This method intercepts junk mail from senders who pretend to be someone else, but may also block mail sent from a misconfigured SMTP server. You should be aware that because reverse-lookups of IP addresses involve contacting DNS, they could slow down the performance of your mail service.

Blacklisted Servers

Your mail service can reject mail from SMTP servers that are blacklisted as open relays by an Open Relay Behavior-modification System (ORBS) server. Your mail service uses an ORBS server that you specify. ORBS servers are also known as black-hole servers.

What Mail Service Doesn’t Do

Mail service provided by Mac OS X Server does not support
• mailing lists
• virtual domains (user@example1.com and user@example2.com can’t be different mail accounts)
• Secure Sockets Layer (SSL) for SMTP and POP
• mail services on multiple Mac OS X Servers, because they would all try to provide SMTP service on port 25 and user accounts can’t be assigned to a particular server for SMTP service

Mail Service Configuration in the Local Directory

The mail service configuration is stored in the local Open Directory domain of your Mac OS X Server, in a specific record with specific attributes and values. For example, the server’s local Open Directory domain stores the path of the UNIX mail delivery location that is used if you choose to use a mail transfer agent other than the SMTP service of Mac OS X Server. You can view and change the values of mail service attributes in the server’s local Open Directory domain with NetInfo Manager, which is included with Mac OS X Server. For instructions, see “Using NetInfo Domains” on page 110 of Chapter 2, “Directory Services.”

Overview of Mail Service Tools

The following applications help you set up and manage mail service.
• Server Assistant. Use to start mail service when you install Mac OS X Server
• Server Settings. Use to start, stop, and configure mail service
• Workgroup Manager. Use to create user accounts for email users and configure each user’s mail options
• Server Status. Use to monitor mail service, view mail logs, list email accounts, and list connected email users
• Terminal. Optionally use for tasks that involve UNIX command-line tools, such as cleaning up the mail database and starting Sendmail

Setup Overview

You can have mail service set up and started as part of the Mac OS X Server installation process.
An option for setting up mail service appears in the Setup Assistant application, which runs automatically at the conclusion of the installation process. If you select this option, mail service is set up as follows:
• SMTP, POP, and IMAP all active and using standard ports
• standard authentication methods used (not Kerberos), with POP and IMAP set for cleartext passwords (APOP and CRAM-MD5 turned off) and SMTP authentication turned off
• local mail delivery only (no mail sent to the Internet)
• mail relay turned off
• administrator access via IMAP turned on

If you want to change this basic configuration, or if you have not set up your mail service, these are the major tasks you perform to set up mail service:
• Step 1: Before you begin, do some planning.
• Step 2: Set up MX records.
• Step 3: Start mail service.
• Step 4: Configure incoming mail service.
• Step 5: Configure outgoing mail service.
• Step 6: Configure additional settings for mail service.
• Step 7: Set up accounts for mail users.
• Step 8: Create a postmaster account.
• Step 9: Set up each user’s mail client software.

Following is a summary of these tasks. The description of each task tells you which pages have detailed instructions for performing the task.

Step 1: Before you begin, do some planning

See “Before You Begin” on page 379 for a list of items to think about before you start full-scale mail service.

Step 2: Set up MX records

If you want users to be able to send and receive mail over the Internet, you should make sure DNS service is set up with the appropriate MX records for your mail service.
• If you have an Internet service provider (ISP) that provides DNS service to your network, contact the ISP and have the ISP set up MX records for you. Your ISP will need to know your mail server’s DNS name (such as mail.example.com) and your server’s IP address.
• If you use Mac OS X Server to provide DNS service, create your own MX records as described in “Using DNS With Mail Service” on page 516 in Chapter 14, “DNS Service.”
• If you do not set up an MX record for your mail server, your server may still be able to exchange mail with some other mail servers. Some mail servers will find your mail server by looking in DNS for your server’s A record. (You probably have an A record if you have a Web server set up.)

Note: Your mail users can send mail to each other even if you do not set up MX records. Local mail service does not require MX records.

Step 3: Start mail service

Make sure the server computer shows the correct day, time, time zone, and daylight-saving settings in the Date & Time pane of System Preferences. Mail service uses this information to time stamp each message. An incorrect time stamp may cause other mail servers to handle a message incorrectly. Once you’ve verified this information, you can start mail service. If you selected the Server Assistant option to have mail service started automatically, stop mail service now and then start it again for your changes to take effect. For detailed instructions, see “Starting and Stopping Mail Service” on page 380.

Step 4: Configure incoming mail service

Your mail service has many settings that determine how it handles incoming mail. See these sections for instructions:
• “Working With Settings for Incoming Mail” on page 382
• “Working With Settings for Incoming POP Mail” on page 384
• “Working With Settings for Incoming IMAP Mail” on page 385

Step 5: Configure outgoing mail service

Your mail service also has many settings that determine how it handles outgoing mail.
For instructions, see these sections:
• “Working With Settings for Outgoing Mail” on page 387
• “Working With Settings for SMTP Mail” on page 389

Step 6: Configure additional settings for mail service

Additional settings that you can change affect how mail service stores mail, interacts with DNS service, limits spam, and handles undeliverable mail. See these sections for detailed instructions:
• “Working With the Mail Database” on page 393
• “Cleaning Up the Mail Files” on page 395
• “Limiting Junk Mail” on page 398
• “Working With Undeliverable Mail” on page 402

Step 7: Set up accounts for mail users

Each person who wants mail service must have a user account in a directory domain accessible by your mail service. The short name of the user account is the mail account name and is used to form the user’s mail address. In addition, each user account has settings that determine how your mail service handles mail for the user account. You can configure a user’s mail settings when you create the user’s account, and you can change an existing user’s mail settings at any time. For instructions, see
• “Administering User Accounts” on page 137 of Chapter 3
• “Working With Mail Settings for Users” on page 150 of Chapter 3

Step 8: Create a postmaster account

You need to create a user account named “postmaster.” The mail service may send reports to the postmaster account. When you create the postmaster account, make sure mail service is enabled for it. For convenience, you can set up forwarding of the postmaster’s mail to another mail account that you check regularly. Chapter 3, “Users and Groups,” tells you how to create user accounts.

Step 9: Set up each user’s mail client software

After you set up mail service on your server, mail users must configure their mail client software for your mail service. For details about the facts that users need when configuring their mail client software, see “Supporting Mail Users” on page 405.
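The SMTP authentication and restricted relay combinations table from “What Mail Service Can Do About Junk Mail” above, together with the other controls that section lists (disapproved servers, reverse-DNS mismatch, blacklisted servers), written out as a single decision function so each row can be checked against concrete sessions. This is an added example for this page, not Apple’s mail service code; the host names (mx.partner.test and so on), the local domain example.com and the sessions are constructed, and the fourth combination the table omits (both controls off) is included as the open-relay case.

```python
"""Relay decision policy modelled on the guide's junk-mail controls.
Added example, not Apple's code; all names and sessions are constructed."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    require_smtp_auth: bool                  # "Require authenticated SMTP"
    restricted_relay: bool                   # relay only by approved servers
    approved: frozenset = frozenset()        # approved relay servers (DNS names)
    disapproved: frozenset = frozenset()     # rejected SMTP servers
    local_domains: frozenset = frozenset({"example.com"})  # constructed
    reject_dns_mismatch: bool = False        # False = log only, True = reject


@dataclass
class Session:
    peer_name: str          # DNS name the connecting server gave us
    reverse_name: str       # name our DNS returned for the peer's IP address
    authenticated: bool     # did the peer authenticate with a local user account?
    recipient: str
    blacklisted: bool = False   # listed as an open relay by the ORBS server we query


@dataclass
class Decision:
    action: str             # "accept" or "reject"
    reason: str
    log: list = field(default_factory=list)


def decide(policy: Policy, session: Session) -> Decision:
    """Decide one recipient of one SMTP session under the given policy."""
    log = []
    # Connection-level controls come first; a disapproved server is not even
    # allowed to authenticate, and a blacklisted one is refused outright.
    if session.peer_name in policy.disapproved:
        return Decision("reject", "connection from disapproved server", log)
    if session.blacklisted:
        return Decision("reject", "server blacklisted as open relay", log)
    if session.peer_name.lower() != session.reverse_name.lower():
        log.append(f"DNS mismatch: {session.peer_name} != {session.reverse_name}")
        if policy.reject_dns_mismatch:
            return Decision("reject", "DNS name does not match reverse lookup", log)
    # Delivery to local users never requires authentication, whatever the policy.
    domain = session.recipient.rpartition("@")[2].lower()
    if domain in policy.local_domains:
        return Decision("accept", "local delivery", log)
    # Everything else is relay and follows the combinations table.
    if session.authenticated:
        return Decision("accept", "relay by authenticated user", log)
    if policy.restricted_relay and session.peer_name in policy.approved:
        return Decision("accept", "relay by approved server", log)
    if not policy.require_smtp_auth and not policy.restricted_relay:
        # The combination the table leaves out: with both controls off the
        # server forwards mail from any domain to any domain.
        return Decision("accept", "OPEN RELAY: both controls are off", log)
    return Decision("reject", "relay denied: authenticate first", log)


# The three rows of the guide's table as policies, plus the open-relay case.
AUTH_ON_RELAY_OFF = Policy(True, False)
AUTH_ON_RELAY_ON = Policy(True, True, approved=frozenset({"mx.partner.test"}))
AUTH_OFF_RELAY_ON = Policy(False, True, approved=frozenset({"mx.partner.test"}))
OPEN = Policy(False, False)


def relay_matrix(policy: Policy) -> dict:
    """Relay outcome for an approved peer, an unapproved peer, and an
    unapproved peer that authenticated, all sending to a non-local address."""
    def ask(peer, auth):
        return decide(policy, Session(peer, peer, auth, "someone@elsewhere.test")).action
    return {
        "approved, no auth": ask("mx.partner.test", False),
        "unapproved, no auth": ask("mx.unknown.test", False),
        "unapproved, auth": ask("mx.unknown.test", True),
    }


if __name__ == "__main__":
    for name, pol in [("auth on / relay off", AUTH_ON_RELAY_OFF),
                      ("auth on / relay on", AUTH_ON_RELAY_ON),
                      ("auth off / relay on", AUTH_OFF_RELAY_ON),
                      ("both off", OPEN)]:
        print(f"{name:22} {relay_matrix(pol)}")
```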
Overview of Ongoing Mail Service Management

Information in these sections will help you with your day-to-day mail service maintenance activities:
• “Monitoring Mail Status” on page 403
• “Performance Tuning” on page 407
• “Backing Up and Restoring Mail Files” on page 408

Before You Begin

Before setting up mail service for the first time:
• Decide whether to use POP, IMAP, or both for incoming mail.
• If your server will provide mail service over the Internet, you need a registered domain name. You also need to determine whether your ISP will create your MX records or you will create them in your own DNS service.
• Identify the people who will use your mail service but don’t already have user accounts in a directory domain accessible to your mail service. You will have to create user accounts for these mail users.

Working With General Settings for Mail Service

This section tells you how to start and stop mail service, configure Kerberos authentication, list your mail server’s local names, change any mail protocol settings, and monitor or archive mail. These settings affect all incoming and outgoing mail service protocols—POP, IMAP, and SMTP. All these settings are described in this section.

Starting and Stopping Mail Service

Mail service is ordinarily started automatically after you complete the Server Assistant. You can also use the Server Settings application to start and stop mail service at your discretion.

To start or stop mail service:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Start Mail Service or Stop Mail Service.

If you plan to turn off mail service for an extended period of time, notify users before you stop the mail service.

When you start mail service, it looks for an existing database from an earlier version of Mac OS X Server. Mail service automatically converts an existing mail database and renames the existing database so that it won’t be converted again.
See “Converting the Mail Database From an Earlier Version” on page 393 for additional information.

Starting Mail Service Automatically

You can set mail service to start automatically whenever the Mac OS X Server system starts up. This ensures that mail service will start when the system restarts after a power outage or another unexpected event.

To configure automatic startup for mail service:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the General tab.
4. Select “Start mail server at system startup” and click Save.

Requiring or Allowing Kerberos Authentication

You can choose to require, allow, or disallow the Kerberos authentication method for all SMTP, IMAP, and POP mail service. Before enabling Kerberos authentication for mail service, you must integrate Mac OS X with a Kerberos server. For instructions, see “Integrating Mac OS X With a Kerberos Server” on page 199 in Chapter 3, “Users and Groups.”

To enable Kerberos authentication of mail service:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the General tab.
4. Choose a method from the Authentication pop-up menu and click Save.

Choose Standard if you want mail service to use the authentication methods that are set by clicking POP Options, IMAP Options, and SMTP Options in the Protocols tab.

Choose Kerberos if you want mail service to require Kerberos authentication for POP, IMAP, and SMTP. In this case, users’ mail client software must support Kerberos.

Choose Any Method if you want to allow but not require the use of Kerberos authentication. A mail client that does not support Kerberos can use the standard authentication method instead.

Adding or Removing Local Names for the Mail Server

Your mail service has a list of all the domain names for which it is responsible.
You should add any names that are likely to appear after @ in the addresses of mail directed to your server. For example, the list might contain variations of the spelling of your domain name or company name. Your mail settings apply to all domain names in this list.

To add or remove local names for the mail server:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click Add and type the domain name of a virtual mail host for which you want your server to be responsible. To remove an item from the list, select it and click Remove.
4. Click Save.

Note: If you’ve set up MX records, you don’t need to add anything to this list. Your mail service will add names as it discovers them in the course of its daily operation.

If a domain name in this list does not have an MX record, only your mail service recognizes it. External mail sent to this domain name will be returned. You should place domain names without MX records in this list only as a time saver for local (internal) mail.

Changing Protocol Settings for Mail Service

You can change the settings for all protocols that your mail service uses. These may include SMTP, IMAP, POP, and NotifyMail.
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab, then click the Options button for the protocol you want to change.
4. Make the changes you want and click Save.

Monitoring and Archiving Mail

You can configure mail service to send blind carbon copies of all messages to a user or group that you specify. You might want to do this if you need to monitor or archive messages. Senders and receivers of mail do not know that copies of their mail are being archived. You can set up the specified user or group to receive the blind carbon copies using POP, and then set up a client email application to log in periodically and clean out the account by retrieving all new messages.
You may want to set up filters in the email client to highlight certain types of messages. Or you may want to archive all messages for legal reasons.

To monitor or archive all messages:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Hosts.
3. Click the Incoming Mail tab.
4. Select “Blind copy incoming and outgoing messages to” and type a user name or group name.
5. Click Save.

Working With Settings for Incoming Mail

You can change settings that affect mail coming to users of your mail service, including mail your users receive from one another. The mail service has settings for limiting incoming message size, deleting incoming messages automatically, and notifying users who have new mail.

Limiting Incoming Message Size

You can set a maximum size for incoming messages. The default is 10,240 kilobytes (10 megabytes).

To set a maximum incoming message size:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Messages tab.
4. Select Message Size and type the number of kilobytes you want to set as the limit.
5. Click Save.

Deleting Email Automatically

You can have your mail service delete incoming messages automatically after a specified period of time. You may want to set these options if disk space is an issue.

To delete incoming mail automatically:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Messages tab.
4. Select Automatic Mail Deletion and enter the number of days in the fields for unread and read mail. Disable either setting by leaving it blank (don’t enter a number of days). Disable all automatic mail deletion by deselecting Automatic Mail Deletion.

Warning: Automatic mail deletion permanently removes mail from the server, including messages in IMAP folders.

Notifying Users Who Have New Mail

Rather than require each user to periodically check for new mail, the mail service can notify users when they have new mail. To do this, you set your mail service to use the NotifyMail protocol.

To set your mail service to use NotifyMail:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab and select Enable NotifyMail.
4. Click Save.

NotifyMail must also be enabled in each user account. For instructions, see “Enabling Mail Service Account Options” on page 150 of Chapter 3, “Users and Groups.” In addition, third-party software must be installed on users’ computers. For more information, see this Web site: www.notifymail.com

Working With Settings for Incoming POP Mail

Post Office Protocol (POP) is used to receive, but not send, mail. Users connect to a POP service to retrieve all of their waiting mail. After the user has retrieved mail, it is usually removed from the server. (A setting in the user’s mail client software determines whether it asks the POP service to remove the user’s retrieved mail.) The mail service has settings for requiring authenticated POP connections, changing the POP response name, and changing the POP port number. All these settings are described in this section.

Requiring Authenticated POP (APOP)

Your POP mail service can protect users’ passwords by requiring APOP connections. When a user connects with APOP, the user’s mail client software encrypts the user’s password before sending it to your POP service. Before configuring your mail service to require APOP, make sure all users’ mail client software is able to use APOP as well.

To require APOP authentication:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab and select Enable POP3, if it is not already checked.
4. Click POP3 Options.
5. Select “Require APOP authentication” and click Save.
Changing the POP Response Name

You can change the DNS name that your POP mail service sends back to a user’s mail client software when the client initiates a POP connection.

To change the POP response name:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab and select Enable POP3, if it is not already checked.
4. Click POP3 Options.
5. Enter the DNS name you want your mail service to use when responding to POP connections, then click Save.

Changing the POP Port Number

The standard port number for POP mail service is 110. You can specify a different port, but do so carefully. If you change your mail service’s POP port number, you must also change the POP port used by all users’ mail client software. Also, don’t use a port that is used by another service.

To change the POP port number:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab and select Enable POP3, if it is not already checked.
4. Change the port number for the POP3 protocol and click Save.

Working With Settings for Incoming IMAP Mail

Internet Message Access Protocol (IMAP) is a client-server mail protocol that allows users to access their mail from anywhere on the Internet. Each IMAP user’s mail remains in mailboxes on the server, just as if it were on the user’s computer. IMAP delivers mail to the user’s inbox as does POP, but when the user retrieves mail, it is not removed from the server. The mail service has settings for requiring secure IMAP authentication, changing the IMAP response name, using case-sensitive IMAP folder names, controlling IMAP connections per user, terminating idle IMAP connections, and changing the IMAP port number. All these settings are described in this section.
Requiring Secure IMAP Authentication

Your IMAP mail service can protect users’ passwords by requiring that connections use the Challenge-Response Authentication Method MD-5 (CRAM-MD5). When a user connects with CRAM-MD5 authentication, the user’s mail client software encrypts the user’s password before sending it to your IMAP service. Before configuring your mail service to require CRAM-MD5 authentication, make sure all users’ mail client software is able to authenticate using the CRAM-MD5 method.

To require CRAM-MD5 authentication:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab and select Enable IMAP, if it is not already checked.
4. Click IMAP Options.
5. Select “Require CRAM-MD5 authentication” and click Save.

Changing the IMAP Response Name

You can change the DNS name that your IMAP mail service sends back to a user’s mail client software when the client initiates an IMAP connection.

To change the IMAP response name:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab and select Enable IMAP, if it is not already checked.
4. Click IMAP Options.
5. Enter the DNS name you want your mail service to use when responding to IMAP connections, then click Save.

Using Case-Sensitive IMAP Folder Names

You can allow mail users to create IMAP folders with names that are spelled the same but are capitalized differently. For example, a user could have one folder named “Urgent” and a different folder named “URGENT.”

To allow case-sensitive IMAP folder names:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab and select Enable IMAP, if it is not already checked.
4. Click IMAP Options.
5. Select “Use case-sensitive IMAP folder names” and click Save.
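APOP (the POP option above) and CRAM-MD5 (the IMAP option above, and the method the SMTP section later requires), worked through from both sides of the connection. What crosses the wire in either case is a digest of a one-time server challenge combined with the password, not the password itself, and the server must hold the plaintext-equivalent secret to verify it. This is an added example for this page, not Apple’s code; the host mail.example.com, the user ron and the passwords are constructed, except for the published test vectors from RFC 1939 and RFC 2195.

```python
"""APOP and CRAM-MD5 challenge-response authentication, client and server side.
Added example, not Apple's code; secrets and host names are constructed."""
import base64
import hashlib
import hmac
import os
import time

# Constructed server-side secrets ("tim" is the RFC 2195 example user).  Both
# methods need the plaintext (or an equivalent) password on the server, which is
# why the guide has you confirm every client supports the method before requiring it.
SECRETS = {"ron": "constructed-password", "tim": "tanstaaftanstaaf"}


def apop_banner(hostname, pid=None, clock=None):
    """POP3 greeting carrying the <process-ID.clock@hostname> timestamp that
    RFC 1939 requires for APOP; it changes on every connection."""
    pid = os.getpid() if pid is None else pid
    clock = int(time.time()) if clock is None else clock
    return f"+OK POP3 server ready <{pid}.{clock}@{hostname}>"


def apop_digest(banner, password):
    """Client side: MD5(timestamp including angle brackets + password), 32 hex digits."""
    timestamp = banner[banner.index("<"): banner.index(">") + 1]
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def apop_verify(banner, name, digest, secrets=SECRETS):
    """Server side: recompute from the stored secret and compare in constant time."""
    secret = secrets.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(apop_digest(banner, secret).encode(), digest.encode())


def cram_md5_challenge(hostname, nonce=None, clock=None):
    """Server side: base64 of a one-time string in the same <id.clock@host> shape."""
    nonce = os.urandom(4).hex() if nonce is None else nonce
    clock = int(time.time()) if clock is None else clock
    return base64.b64encode(f"<{nonce}.{clock}@{hostname}>".encode()).decode()


def cram_md5_mac(challenge_b64, password):
    """HMAC-MD5 keyed with the password over the decoded challenge, as hex."""
    challenge = base64.b64decode(challenge_b64)
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(challenge_b64, name, password):
    """Client side: base64('name SP mac')."""
    return base64.b64encode(f"{name} {cram_md5_mac(challenge_b64, password)}".encode()).decode()


def cram_md5_verify(challenge_b64, response_b64, secrets=SECRETS):
    """Server side: returns the authenticated user name, or None on any failure."""
    try:
        name, _, mac = base64.b64decode(response_b64).decode().rpartition(" ")
    except (ValueError, UnicodeDecodeError):
        return None
    secret = secrets.get(name)
    if secret is None:
        return None
    ok = hmac.compare_digest(cram_md5_mac(challenge_b64, secret).encode(), mac.encode())
    return name if ok else None


# Published test vectors: RFC 1939 section 7 (APOP) and RFC 2195 section 2 (CRAM-MD5).
RFC1939_BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
RFC2195_CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()


if __name__ == "__main__":
    banner = apop_banner("mail.example.com")
    digest = apop_digest(banner, SECRETS["ron"])
    print("S:", banner)
    print("C: APOP ron", digest, "->", apop_verify(banner, "ron", digest))
    chal = cram_md5_challenge("mail.example.com")
    resp = cram_md5_response(chal, "ron", SECRETS["ron"])
    print("S: +", chal)
    print("C:", resp, "->", cram_md5_verify(chal, resp))
```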
Controlling IMAP Connections Per User

You can adjust the load each mail user can put on your server by limiting the number of connections each user can have on a single IP address.

To limit IMAP connections per user:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab, then click IMAP Options.
4. Enter the number of connections you want to allow, then click Save.

The default setting is 32, and the maximum is 128. A value of zero gives users unlimited connections.

Terminating Idle IMAP Connections

You can specify how long you want to allow IMAP mail connections to remain idle before the connection is terminated. Terminating idle connections can improve mail service performance.

To set idle connection limits:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab, then click IMAP Options.
4. Enter the number of minutes you want to allow for each IMAP connection, then click Save.

The default is 30 minutes, and a zero indicates that there is no time limit. The accepted range is 1 through 999.

Changing the IMAP Port Number

The default port for incoming IMAP connections is 143. You can change this port number, but you’ll need to change the port number for IMAP client computers as well. Make sure you don’t change to a port number already in use by another service or operation.

To change the IMAP port number:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab and select Enable IMAP, if it is not already checked.
4. Change the port number for the IMAP protocol and click Save.

If you change your mail service’s IMAP port number, you must also change the IMAP port used by all users’ mail client software.
Working With Settings for Outgoing Mail

You can change settings that affect mail going out of your mail service, including mail that your users send to one another. The mail service has settings for sending nonlocal mail, sending only local mail, and suspending outgoing mail service.

Sending Nonlocal Mail

If your mail service currently allows sending only local mail, you can change a setting to allow sending mail to addresses outside your local network, including to the Internet.

To allow sending mail outside your local network:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Host Settings.
3. Click the Outgoing Mail tab.
4. Choose “Allow outgoing mail” from the pop-up menu, then click Save.

Sending Only Local Mail

You can set your mail service to allow sending only messages that are addressed to recipients on your local network. This setting prevents users from sending mail to addresses on the Internet.

To allow only local outgoing mail delivery:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Host Settings.
3. Click the Outgoing Mail tab.
4. Choose “Limit to local users” from the pop-up menu, then click Save.

If you limit outgoing mail to local users, all the options in the Outgoing Mail pane are disabled because they are not relevant to local outgoing mail.

Suspending Outgoing Mail Service

You can prevent the mail service from sending new outgoing mail. You could do this to isolate a problem, or to prevent conflicts with other mail service running on your network.

To suspend outgoing mail service:
1. In Server Settings, click the Internet tab.
2. Click Mail Service and choose Configure Mail Service.
3. Click the Protocols tab and choose Use None from the pop-up menu.
4. Click Save.

Working With Settings for SMTP Mail

The mail service includes a Simple Mail Transfer Protocol (SMTP) service for sending mail.
Subject to restrictions that you control, the SMTP service also transfers mail to and from mail services on other servers. If your mail users send messages to another Internet domain, your SMTP service delivers the outgoing messages to the other domain’s mail service. Other mail services deliver messages for your mail users to your SMTP service, which then transfers the messages to your POP service and IMAP service.

Your mail service has settings for requiring SMTP authentication, sending mail via another SMTP server, changing the SMTP response names, changing the incoming SMTP port number, changing the outgoing SMTP port number, and enabling an alternate mail transfer agent. You can also start Sendmail. All these tasks are described in this section.

Your mail service also has settings that restrict SMTP mail transfer and thereby limit junk mail. For more information on these settings, see “Limiting Junk Mail” on page 398.

Requiring SMTP Authentication

Your server can guard against being an open relay by requiring SMTP authentication. Requiring authentication ensures that only known users—people with user accounts on your server—can send mail from your mail service.

You can configure the mail service to require secure authentication using the CRAM-MD5 method. You can also allow the less secure PLAIN and LOGIN authentication methods, which don’t encrypt passwords, if some users have email client software that doesn’t support the CRAM-MD5 method.

Note: Requiring SMTP authentication does not affect delivery of mail to users of your mail service. Your mail service doesn’t require other servers to authenticate before delivering mail for local mail service users.

To require SMTP authentication:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose Apple Mail Service SMTP from the pop-up menu.
4 Click SMTP Options.
5 Select “Require authenticated SMTP using CRAM-MD5,” optionally select “Allow PLAIN and LOGIN authentication,” and then click Save.

Sending SMTP Mail via Another Server

Rather than delivering outgoing mail directly to its various destinations, your SMTP mail service can relay outgoing mail to another server. The other server then attempts to deliver your SMTP service’s outgoing mail. Your SMTP service batches outgoing mail and sends it to the other server, which acts as a proxy for delivering the mail.
• You may need to use this setting to deliver outgoing mail through a firewall set up by your organization. In this case, your organization will designate a particular server for relaying mail through the firewall.
• You may find this setting useful if your server has slow or intermittent connections to the Internet, or if you are billed by the number of connections you initiate.

To relay SMTP mail through another server:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Outgoing Mail tab.
4 Click “Relay all SMTP mail via” and enter the DNS name or IP address of the server that provides SMTP relay.
5 Click Save.

Note: This option is disabled if the pop-up menu is set to “Limit to local users.”

Changing the SMTP Response Names

When your server connects with another server to send outgoing mail, your SMTP mail service identifies itself by sending a name. Your SMTP service also sends its name when another server contacts your server to deliver incoming mail. You can specify the name that your SMTP service sends for incoming connections and the name it sends for outgoing connections.
• The incoming and outgoing SMTP response names are typically the same.
• The incoming and outgoing response names should match the DNS name that another server would get by doing a reverse DNS lookup of your server’s IP address.
• If your server connects to the Internet via an Internet gateway or router that uses Network Address Translation (NAT), your server effectively has the IP address of the Internet gateway or router. In this case, the incoming and outgoing response names should match the DNS name that another server would get by doing a reverse DNS lookup of the Internet gateway’s IP address. An AirPort Base Station is an example of an Internet gateway that can be configured to use NAT.

To specify the SMTP response names:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose Apple Mail Service SMTP from the pop-up menu.
4 Click SMTP Options.
5 Enter the incoming response name and the outgoing response name, then click Save.

Changing the Incoming SMTP Port Number

You can change the port number on which your SMTP service receives incoming mail from other servers. Other servers must use this port number to deliver incoming mail to your server. The standard incoming SMTP port is 25. You can change this port number, but do so carefully. If you change to a nonstandard incoming SMTP port number, other servers will be unable to deliver incoming mail to your server unless they use this nonstandard port number for their outgoing SMTP mail. Make sure you don’t change to a port number already in use by other services or operations.

To change the incoming SMTP port number:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable SMTP, if it is not already checked.
4 Change the port number for the SMTP protocol and click Save.

Changing the Outgoing SMTP Port Number

You can change the port number that your SMTP service uses when attempting to send outgoing mail to other servers. The standard port for outgoing SMTP connections is 25. You can change this port number, but do so carefully.
If you use a nonstandard outgoing SMTP port, your server will be unable to deliver outgoing mail to other servers unless they use this nonstandard port for their incoming SMTP mail. Make sure you don’t change to a port number already in use by another service or operation.

To change the outgoing SMTP port number:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Network Settings tab.
4 Change the SMTP port number and click Save.

Enabling an Alternate Mail Transfer Agent

You can use an alternate mail transfer agent, such as the UNIX Sendmail program, to handle incoming and outgoing SMTP mail. Any mail sent to local email users is processed by the mail transfer agent and transferred to the Mac OS X Server mail service for delivery. POP and IMAP continue to function as usual, but SMTP mail is now subject to the rules and settings of the mail transfer agent.

To use another mail transfer agent:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose Other Mail Transfer Agent from the pop-up menu.
4 Click Save.
5 Start the other mail transfer agent program.

Starting Sendmail

If you configure mail service to use an alternate mail transfer agent such as the UNIX program Sendmail, you need to start the mail transfer agent program. It then becomes the primary SMTP mail transfer agent on your server. The UNIX Sendmail program is included with Mac OS X.
To start Sendmail as root, type this command in the Terminal application:
/usr/lib/sendmail -bd

To configure Sendmail to start automatically every time the system starts up, you need root privileges; edit the /etc/hostconfig file, find the line containing MAILSERVER, and make it read
MAILSERVER=-YES-

To keep Sendmail from starting when the system starts up, change the line to
MAILSERVER=-NO-

The Sendmail program will not operate if the permissions of the root directory are changed. Some installer programs for software updates or applications may change the root directory permissions from the standard for Mac OS X Server to the standard for a Mac OS X client computer. The standard for Mac OS X Server is 1755 or rwxr-xr-t, which means read/write/execute by owner, read/execute by group, and read/execute by everyone (world). The standard for a Mac OS X client is 1775 or rwxrwxr-t, which allows group write privileges.

You can check the permissions currently set for the root directory by typing the following command in the Terminal application:
ls -al /

This form of the ls command displays detailed information for the root directory. The first character of each line indicates the type of item (d for directory, l for symbolic link, - for regular file). This is followed by nine characters that indicate the permissions for the item. The item name is at the end of the line. A single period (.) represents the directory whose contents are listed, and it is the first line displayed by this ls command. In this case, the first line is for the root directory.

If the permissions for the root directory are rwxr-xr-t then they are correct for Mac OS X Server. If the permissions for the root directory are rwxrwxr-t then they have been changed to the standard for a Mac OS X client.
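The root-directory check just described, scripted as an added example (this is not code from the guide or from Apple): mode_to_octal turns the permission string that ls prints into its octal form, and check_root_mode reports whether the root directory still has the Mac OS X Server standard (1755) or has been changed to the client standard (1775). The three sample mode strings are constructed; the last two lines read the real root directory of whatever system the script runs on.

```shell
#!/bin/sh
# Added example, not part of the Mac OS X Server guide: scripted version of
# the root-directory permission check from the Sendmail section.

# Convert an ls-style mode string (type character plus nine permission
# characters, e.g. "drwxr-xr-t") to its four-digit octal form (e.g. 1755).
mode_to_octal() {
    perms=${1#?}            # drop the leading type character (d, l, -)
    special=0; octal=""; i=0
    while [ "$i" -lt 3 ]; do
        trio=$(printf '%s' "$perms" | cut -c "$((i*3+1))-$((i*3+3))")
        v=0
        case "$trio" in r??) v=$((v+4)) ;; esac
        case "$trio" in ?w?) v=$((v+2)) ;; esac
        case "$trio" in ??[xst]) v=$((v+1)) ;; esac
        # s/S in the owner or group slot is setuid/setgid; t/T in the
        # world slot is the sticky bit (the trailing "t" in both standards).
        case "$i$trio" in
            0??[sS]) special=$((special+4)) ;;
            1??[sS]) special=$((special+2)) ;;
            2??[tT]) special=$((special+1)) ;;
        esac
        octal="$octal$v"
        i=$((i+1))
    done
    printf '%s%s' "$special" "$octal"
}

# Classify a root-directory mode string as the guide describes.
# Prints "server" (1755, correct for Mac OS X Server), "client" (1775,
# changed by an installer to the client standard; the guide's fix is
# "sudo chmod g-w /"), or "unexpected" for anything else.
check_root_mode() {
    case "$(mode_to_octal "$1")" in
        1755) printf 'server' ;;
        1775) printf 'client' ;;
        *)    printf 'unexpected' ;;
    esac
}

# Constructed mode strings, as they would appear in the first column of "ls -al /".
for mode in drwxr-xr-t drwxrwxr-t drwxr-xr-x; do
    printf '%s -> %s (%s)\n' "$mode" "$(mode_to_octal "$mode")" "$(check_root_mode "$mode")"
done

# Live check of the machine this runs on ("ls -ld" shows the directory itself).
live=$(ls -ld / | cut -c 1-10)
printf '/ is %s -> %s\n' "$live" "$(check_root_mode "$live")"
```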
To correct this, type the following command in the Terminal application:
sudo chmod g-w /

For more information on Sendmail, see this Web site: www.sendmail.org

Working With the Mail Database

The mail database keeps track of messages for all mail service users. Mail service stores messages in separate files. You can do the following with the mail database and files:
• convert the mail database from an earlier version of Mac OS X Server
• change the location where the mail database and files are stored
• configure automatic mail deletion
• allow administrators to access the mail database and files via IMAP
• clean up the mail database and files

All these tasks are described in this section.

Converting the Mail Database From an Earlier Version

When mail service starts for the first time, it looks for an existing mail database from an earlier version of Mac OS X Server. Mail service migrates messages from an existing mail database to the current mail database format. After migrating all messages, mail service renames the old database to preclude the old database from being converted again. You can delete the renamed database file when you are satisfied that the migration and conversion process was successful.

In Mac OS X Server version 10.2, the mail service stores each message in a separate file and keeps track of message files in a relatively small database file. In earlier versions of Mac OS X Server, the mail service stores all messages in one large database file, /Library/AppleMailServer/MacOSXMailDB. The automatic conversion process extracts each message from the monolithic database file and stores it in a separate file. The message files are located in a folder at /Library/AppleMailServer/AppleMail (unless you change the location where mail is stored). The new MacOSXMailDB file contains only user and mail account information.

Note: For the mail database conversion to complete successfully, the server must have enough disk space available.
The amount of disk space available should equal the size of the database file being converted.

Changing Where Mail Is Stored

You can change where mail is stored on the server. The default location is /Library/AppleMailServer.

To change where mail is stored on the server:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the General tab.
4 Select “Use alternate mail store location” and enter the path of the location that you want to use.
5 Click Save.

Configuring Automatic Mail Deletion

If disk space is an issue, you can have read and unread mail automatically deleted from your server at specified times. If you choose this option, you should let your users know how long their messages will remain on the server before being deleted. Automatic mail deletion permanently removes mail from the server, including messages in IMAP folders.

To set up automatic mail deletion:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Messages tab.
4 Click Automatic Mail Deletion and type the number of days in the field below for unread mail and read mail. Don’t enter a number if you don’t want to enable one of the settings.
5 Click Save.

Allowing Administrator Access to the Mail Database and Files

You can configure IMAP to allow the server administrator to view and modify any message in the mail database. To take advantage of this administrator access, you must use an email client that allows you to change its IMAP port number, such as the Mail application in Mac OS X. To gain administrator access from such an email client, you must know a server administrator name and password. The mail client must be configured to use the IMAP administrator port instead of the normal IMAP port. The standard port number for IMAP administrator access is 626.
You can change your mail service to use a different port number.

When your mail client connects on the IMAP administrator port, you see all the messages stored on the server. Each user’s mailbox appears as a separate folder in your mail client. You can remove disused mailbox folders that belonged to deleted user accounts. In addition to seeing the mail users, you also see outgoing mail hosts. A host with an unusually high number of messages queued for delivery may indicate that your mail service is unable to connect with the host to exchange mail.

If you allow administrator access to the mail database, you should use your server’s IP firewall service to restrict connections on the IMAP administrator port (port 626 by default) to IP addresses that are well known to you. For instructions, see Chapter 15, “Firewall Service.”

To configure administrator access to the database:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable IMAP, if it is not already checked.
4 Click IMAP Options.
5 Select Allow IMAP Administrator Access and optionally change the port number.
6 Click Save.
7 In your email client application, create an account that uses IMAP to connect to your mail service and change the IMAP port to match the port specified in step 5. For example, to change an IMAP account’s port number in the Mac OS X Mail application, choose Preferences from the Mail menu, click Accounts, select the IMAP account, click Edit, and click the Advanced tab. (If your version of Mail doesn’t have an Advanced tab, click the Account Options tab.)

Cleaning Up the Mail Files

You can clean up and compact the mail database and other mail files by typing a simple UNIX command in the Terminal application.

Note: Cleaning up and compacting the mail files may take a long time. The length of time depends on the number of mail messages and the number of mail users.
To clean up and compact the mail database:
1 In Server Settings, stop mail service.
2 Open Terminal and at the prompt, type the following and then press Return:
sudo /usr/sbin/MailService -compressDB
3 Enter your administrator password and press Return.
The cleanup operation takes place without any feedback. During cleanup, a number of messages are written in the mail service repair log, which you can view by using Server Status. The cleanup operation is finished when another command-line prompt appears.
4 In Server Settings, start mail service.

Working With Network Settings for Mail Service

You can change the following network settings of your mail service:
• which DNS records mail service uses to look up a mail server
• when mail service updates its DNS cache
• when mail service connections time out

This section describes how to change these settings.

Specifying DNS Lookup for Mail Service

You can specify the type of DNS records you want your mail service to use when it looks up the server for an address of an outgoing message, such as user@example.com. Your mail service can look up another server by requesting
• Only an MX list. An MX list consists of one or more MX records for an Internet domain. An MX record matches a domain name, such as example.com, with the full DNS name of a mail server, such as mail.example.com. Some domains have more than one mail server, each with an MX record. In this case, the MX records specify priorities for the mail servers. Some mail servers don’t have any MX records.
• Only an A record. An A record matches a full DNS name (also known as a host name), such as mail.example.com, to an IP address.
• An MX list and an A record. By default, your mail service requests MX records. If none exists, the mail service requests an A record.

To specify the type of DNS records your mail service requests:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Network Settings tab.
4 Select one of the settings for DNS Request, then click Save.

Updating the DNS Cache in Mail Service

The mail service stores verified domain names in a cache and does not verify the cached information unless you set the cache to be updated periodically. The cache improves mail service performance, because the mail service doesn’t have to contact the DNS service for every message. You may reduce mail service performance if you set the cache to be updated too frequently.

To change how often the mail service updates its DNS cache:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Network Settings tab.
4 Select one of the Cache Settings options. Select “Cache DNS information for __ minutes” and enter the number of minutes you want information to be stored before the cache is refreshed. Select “Respect ‘Time to Live’ (TTL) DNS Settings” if you want to use the default settings of the DNS service. Ordinarily, your mail service resends mail repeatedly until it makes a connection with the server at the destination. TTL specifies how long your mail service continues requesting connection information from DNS before giving up and generating a nondelivery report.
5 Click Save.

Changing Mail Service Timeouts

If your mail service has frequent trouble remaining connected to another server, you can increase the length of time your mail service waits before giving up on connections with other servers. This can be helpful if your server has a slow or intermittent connection to the Internet.

To change the allowed connection time:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Network Settings tab.
4 In the Open Connection field, enter the number of seconds you want your mail service to wait before giving up on a connection attempt.
5 In the Read/Write field, enter the number of seconds you want to allow the other mail host to respond before your mail service stops attempting to send or receive a message.
6 Click Save.

Limiting Junk Mail

You can configure mail settings to decrease the amount of junk mail that your mail service delivers to users. You can also take steps to prevent senders of junk mail (spam) from using your server as an open relay. If you allow junk mail senders to use your server as a relay point, your server may be blacklisted as an open relay, and other servers may reject mail from your users.

Your mail service can do the following to reduce spam:
• Require SMTP authentication so that your server cannot be used as a relay point by anonymous users. For instructions, see “Requiring SMTP Authentication” on page 389.
• Restrict SMTP relay, allowing relay only by approved servers on a list that you create. For instructions, see “Restricting SMTP Relay” on page 398.
• Reject SMTP connections from specific servers on another list that you create. For instructions, see “Rejecting SMTP Connections From Specific Servers” on page 399.
• Log and optionally reject an SMTP connection from a server whose DNS name doesn’t match a reverse-lookup of its IP address. For instructions, see “Checking for Mismatched SMTP Server Name and IP Address” on page 399.
• Reject SMTP connections from servers that are blacklisted as open relays by an Open Relay Behavior-modification System (ORBS) server. For instructions, see “Rejecting Mail From Blacklisted Senders” on page 401.
• Allow or deny SMTP connections from specific IP addresses by using the firewall service of Mac OS X Server. For instructions, see “Filtering SMTP Connections” on page 401.

Restricting SMTP Relay

Your mail service can restrict SMTP relay by allowing only approved servers to relay mail. You create the list of approved servers. Approved servers can relay through your mail service without authenticating.
Servers not on the list cannot relay mail through your mail service unless they authenticate first. All servers, approved or not, can deliver mail to your local mail users without authenticating. Your mail service can log connection attempts made by servers not on your approved list.

To restrict SMTP relay:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Incoming Mail tab.
4 Select “only hosts in this list” and then edit the list of servers. Click Add to add a server to the list. Click Remove to delete the currently selected server from the list. When adding to the list, you can use a variety of notations.
   Enter a single IP address, such as 192.168.123.55.
   Enter an IP address range, such as 192.168.40-43.*.
   Enter an IP address/netmask, such as 192.168.40.0/255.255.248.0.
   Enter a host name, such as mail.example.com.
   Enter an Internet domain name, such as example.com.
5 Optionally select “Log recipient rejections to error log.”
6 Click Save.

Rejecting SMTP Connections From Specific Servers

Your mail service can reject all SMTP connections from servers on a disapproved-servers list that you create. No one can authenticate from a disapproved server, much less send your users mail or relay mail through your mail service.

To reject SMTP connections from specific servers:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Filter tab.
4 Select “Reject messages from SMTP servers in list” and then edit the list of servers. Click Add to add a server to the list. Click Remove to delete the currently selected server from the list. When adding to the list, you can use a variety of notations.
   Enter a single IP address, such as 192.168.123.55.
   Enter an IP address range, such as 192.168.40-43.*.
   Enter an IP address/netmask, such as 192.168.40.0/255.255.248.0.
   Enter a host name, such as mail.example.com.
   Enter an Internet domain name, such as example.com.
5 Click Save.

Checking for Mismatched SMTP Server Name and IP Address

Your mail service can log and optionally reject connections from a server whose DNS name doesn’t match the name that your DNS service gets when it looks up the server’s IP address. This method intercepts junk mail from senders who pretend to be someone else, but may also block mail sent from a misconfigured SMTP server.

Note: Reverse-lookups of IP addresses may slow the performance of your mail service because lookups involve more contact with DNS service.

To check SMTP server names and IP addresses:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Filter tab.
4 Select “Log connection if SMTP name does not match IP address” and then optionally select “Reject if name does not match address.”
5 Click Save.

Your SMTP mail service may be unable to do a successful reverse lookup of a server that identifies itself in a nonstandard way. Specifically, the SMTP service can determine the server name in a HELO command that doesn’t deviate too much from standard form. The SMTP service can determine the server name and do a reverse lookup from HELO commands like the following:
helo mail.example.com
helo I am mail.example.com

The SMTP service cannot do a reverse lookup from HELO commands like the following:
helo I’m mail.example.com
helo I am mail server mail.example.com
helo what a wonderful day it is

The following table explains the results for various configurations of the settings for logging and rejecting unsuccessful reverse lookups.
Log   Reject   Result
No    No       Accepts all HELO commands
Yes   No       Accepts all HELO commands and logs each server whose name doesn’t match or whose name can’t be determined from the HELO command
Yes   Yes      Logs and rejects each server whose name doesn’t match or whose name can’t be determined from the HELO command

Rejecting Mail From Blacklisted Senders

You can have your mail service check an Open Relay Behavior-modification System (ORBS) server to see if incoming mail came from a known junk-mail sender. ORBS servers are also known as black-hole servers.

To reject mail from known junk-mail senders:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Filter tab.
4 Select “Use a server for junk mail rejection” and then type the DNS name of an ORBS server.
5 Click Save.

Allowing SMTP Relay for a Backup Mail Server

If your network has more than one mail server, one can be designated as a backup server to deliver mail in case the primary server goes down. (Backup mail servers are designated by MX records.) A backup mail server may need to relay SMTP mail. You can set your server to ignore SMTP relay restrictions when accepting mail as a backup server for another mail server.

To allow SMTP relay for a backup mail server:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose Apple Mail Service SMTP from the pop-up menu.
4 Click SMTP Options.
5 Select “SMTP relay when host is a backup for destination” and click Save.

Filtering SMTP Connections

You can use the firewall service of Mac OS X Server to allow or deny access to your SMTP mail service from specific IP addresses.
1 In Server Settings, click the Network tab.
2 Click Firewall and choose Show Firewall List.
3 Click New and configure the settings to create a filter that allows or denies access to port number 25 from an IP address or range of IP addresses that you specify, then click Save.

Important Blocking unsolicited mail from blacklis
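The name check from “Checking for Mismatched SMTP Server Name and IP Address” above, modelled as an added example that is not part of this guide or of the mail service’s own code: helo_hostname accepts exactly the HELO forms the text lists, reverse_lookup is a constructed stand-in for the DNS service’s reverse lookup (the addresses and names are made up), and smtp_helo_decision applies the Log/Reject table. The Log-off/Reject-on combination does not appear in the table; the script assumes it behaves like Log off.

```shell
#!/bin/sh
# Added example, not part of the Mac OS X Server guide: a model of the
# "Log connection if SMTP name does not match IP address" filter.

# Determine the server name from a HELO command line, following the forms
# the guide says the SMTP service can parse:
#   "helo mail.example.com" and "helo I am mail.example.com" -> mail.example.com
#   anything else (e.g. "helo I'm mail.example.com")          -> "" (undeterminable)
helo_hostname() {
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$line" in
        "helo i am "*) host=${line#helo i am } ;;
        "helo "*)      host=${line#helo } ;;
        *)             host="" ;;
    esac
    # Only a single DNS-name-like token counts as a determined name.
    case "$host" in
        ""|*" "*|*[!a-z0-9.-]*) printf '' ;;
        *)                      printf '%s' "$host" ;;
    esac
}

# Constructed stand-in for the DNS service's reverse lookup (PTR answer).
# The addresses and names below are made up for this example.
reverse_lookup() {
    case "$1" in
        192.0.2.10) printf 'mail.example.com' ;;
        192.0.2.20) printf 'smtp.example.net' ;;
        *)          printf '' ;;      # no reverse record
    esac
}

# Apply the guide's Log/Reject table to one connection.
#   $1 Log setting (yes/no)   $2 Reject setting (yes/no)
#   $3 peer IP address        $4 HELO command line
# Prints: accept | accept+log | reject
smtp_helo_decision() {
    log=$1; reject=$2; peer=$3; helo=$4
    name=$(helo_hostname "$helo")
    ptr=$(reverse_lookup "$peer")
    mismatch=no
    # A name that cannot be determined counts the same as a mismatch.
    if [ -z "$name" ] || [ "$name" != "$ptr" ]; then
        mismatch=yes
    fi
    if [ "$log" != yes ] || [ "$mismatch" = no ]; then
        printf 'accept'       # Log off accepts everything (assumed: Reject needs Log)
    elif [ "$reject" = yes ]; then
        printf 'reject'
    else
        printf 'accept+log'
    fi
}

# Demonstration over constructed connections with Log and Reject both on.
for sample in \
    "192.0.2.10|helo mail.example.com" \
    "192.0.2.10|helo I am mail.example.com" \
    "192.0.2.20|helo mail.example.com" \
    "192.0.2.10|helo I'm mail.example.com" \
    "192.0.2.30|helo what a wonderful day it is"
do
    ip=${sample%%|*}; greeting=${sample#*|}
    printf '%-12s %-40s -> %s\n' "$ip" "$greeting" \
        "$(smtp_helo_decision yes yes "$ip" "$greeting")"
done
```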