To prevent a user from logging | Apple Mac OS X Server guide

104

3Authenticate as an administrator by entering the following command, replacing adminusername with an administrator’s user name, and entering that administrator’s password when prompted:

> auth adminusername

4Delete the user account by entering the following command, replacing ajohnson with the user account’s short name:

> delete ajohnson

5Quit dscl by entering:

> quit

A user account usually has a matching group of the same name. See “Removing a Group Account” on page 112, for information about deleting this group.

Revoking a User’s Right to Access His or Her Account

There are times when it is necessary to revoke a user’s ability to access the computer. This involves preventing the user from logging in and then terminating all of the user’s processes. This can be done by forcing the user to log out and then killing any remaining processes, or by just killing all of the user’s processes.

To prevent a user from logging in:

1Start the dscl tool in interactive mode, specifying the computer you are using as the source of directory service data:

$ dscl localhost

>

2Change the current folder to /LDAPv3/ipaddress/Users by entering the path at the prompt:

> cd /LDAPv3/ipaddress/Users

Replace ipaddress with the IP address of your directory server. If using a NetInfo directory domain, enter cd /NetInfo/root/Users at the prompt.

3Authenticate as an administrator by entering the following command, replacing adminusername with your administrator user name, and entering your administrator password when prompted:

> auth adminusername

4Quit dscl by entering:

> quit

5Disable the user account by entering the following command:

$ pwpolicy -a diradmin -u ajohnson -setpolicy “isDisabled=1”

Replace ajohnson with the short name of the user account and replace diradmin with the short name of your domain administrator account.

Chapter 8 Working with Users and Groups

Image 104

Apple Mac OS X Server manual Revoking a User’s Right to Access His or Her Account, To prevent a user from logging

Contents

Mac OS X Server Apple Computer, Inc Apple Computer, Inc. All rights reserved Contents Installing Server Software Locating Computers for InstallationSpecifying the Target Computer Volume Preparing the Target Volume for a Clean Installation Setting Network Preferences Configuring Network InterfacesViewing or Changing Media Settings Managing Network Port Configurations Working with Disks and Volumes Mounting and Unmounting VolumesMounting Volumes Unmounting Volumes 141 Listing Connected Users 142 163 171 214 Apache Tomcat JBoss Server 215 MySQL Database Contents 265 Configuring the Active Directory Plug-In Index AppendixGlossary Contents About This Guide Using This Guide Commands and Other Terminal TextCommand Parameters and Options Understanding Notation Conventions Default Settings Commands Requiring Root Privileges Install Mac OS X Server and set it up for the first time Create and manage users, groups, and computer lists. Set upThis guide Tells you how to Earlier versions of the server Manage directory and authentication services Set up and manage QuickTime streaming services This guide Tells you how to Executing Commands Opening Terminal Specifying Files and Folders Path string DescriptionTest.c file in the current folder Folder Redirect Description Modifying Flow ControlRedirecting Input and Output Using Environment Variables Following command in a Terminal window Executing Commands and Running Tools Correcting Typing Errors Repeating CommandsIncluding Paths Using Drag and Drop Searching for Text Within a File Scheduling Tasks Terminating CommandsAn example of a configured crontab file To access a man Sending Commands to a Remote ComputerViewing Command Information $ hdiutil help $ dig -h $ diff --help Executing Commands Understanding Secure Shell How SSH Works Password-Less Logins Using SSH Keys Updating SSH Key Fingerprints What is an SSH Man-in-the-Middle Attack? Controlling Access to SSH Service Connecting to a Remote Computer Using SSHTo access a remote computer using ssh You’re prompted for the user’s password Using Telnet To enable Telnet accessTo disable Telnet access To access a remote computer using telnet Installing Server Software To use installer to install Mac OS X Server software Locating Computers for Installation Specifying the Target Computer Volume Preparing the Target Volume for a Clean InstallationTo list volumes available for server software To list computers on the local network Restarting After Installation Automating Server SetupInstalling from Multiple CDs Creating a Configuration File To save a configuration file during server setup Installing Server Software and Finishing Basic Setup Working with an Encrypted Configuration File Customizing a Configuration FileTo provide a passphrase in a file To provide a passphrase interactively Sample Configuration File Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Configuring the Server Remotely from the Command Line Storing a Configuration File in an Accessible Location Using the serveradmin Tool Changing Server SettingsUsing the serversetup Tool Viewing, Validating, and Setting the Software Serial Number General and Network PreferencesTo display the server’s software serial number To set the server software serial number To check for available updates To install an updateUpdating Server Software To validate a server software serial number Moving a Server Installing Server Software and Finishing Basic Setup Restarting a Computer Automatic RestartTo restart the local computer To restart a remote computer immediately Manipulating Open Firmware Nvram Variables Changing a Remote Computer’s Startup DiskShutting Down a Computer Monitoring and Restarting Critical Services Folder Usage Restarting or Shutting Down a Computer Viewing or Changing the Computer Name Viewing or Changing the Date and TimeTo display the computer name To change the computer name Viewing or Changing the System Date Viewing or Changing the System TimeViewing or Changing the System Time Zone Viewing or Changing Network Time Server Usage Viewing or Changing Automatic Restart Settings Viewing or Changing the Energy Saver SettingsViewing or Changing Sleep Settings Changing the Power Management Settings Viewing or Changing the Startup Disk Settings Viewing or Changing the Sharing Settings Viewing or Changing the International SettingsViewing or Changing Remote Login Settings Viewing or Changing Apple Event Response To view the current setting Viewing and Changing the Login SettingsDisables the buttons and 1 enables the buttons Setting Network Preferences Configuring Network Interfaces Viewing or Changing MTU Values Managing Network Interface InformationViewing Port Names and Hardware Addresses Managing Network Port Configurations Viewing or Changing Media SettingsCreating or Deleting Port Configurations Activating Port Configurations Changing a Server’s IP Address Managing TCP/IP SettingsTo change the order of the port configurations To change the IP address of a standalone server To change a server’s IP addressRun the changeip tool To list TCP/IP settings for a configuration To view TCP/IP settings for port en0To view TCP/IP settings for a particular port or device To change TCP/IP settings for a particular port or device Viewing or Changing DNS Servers Ieee 802.3ad Ethernet Link Aggregation Enabling TCP/IPWorking with VLANs Configuring a Network Interface Configuring Ethernet Link Aggregation Managing AppleTalk Settings Managing Snmp Settings Installing Snmp Open the /etc/hostconfig file Locate the lineStarting Snmp Immediately above it, add this line Configuring Snmp To start the snmp agent manuallyTo identify the process id To stop snmpd Collecting Snmp Information from the Host To view the snmp.conf fileTo start snmpd, execute this as root Other options in the menu you were working in are Managing Proxy Settings Viewing or Changing FTP Proxy Settings Viewing or Changing Web Proxy Settings Viewing or Changing Secure Web Proxy SettingsViewing or Changing Streaming Proxy Settings Viewing or Changing Gopher Proxy Settings Viewing or Changing Proxy Bypass Domains Managing AirPort SettingsViewing or Changing Socks Firewall Proxy Settings Hostname Managing the Computer, Host, and Bonjour NamesComputer Name Managing Preference Files and the Configuration Daemon Command displays 0 if the name was changedBonjour Name To display the server’s Bonjour name To get the hostname of a system Changing Network LocationsTo set the hostname of a system Computer will respond with output similar to the following This example, the network location will switch to AirPortTo view the current locations Mounting and Unmounting Volumes Understanding Disks, Partitions, and the File System Mounting Volumes Unmounting VolumesTo unmount a volume To view a list of currently mounted file systems To enable diskspacemonitor Displaying Disk InformationMonitoring Disk Space To display disk information Reclaiming Disk Space Using Log-Rolling Scripts Erasing, Modifying, Verifying, and Repairing Disks To erase and repartition a disk To get mount info about a partitionTo mount a drive To format a Mac OS Extended volume as case-sensitive HFS+ Command DescriptionPartitioning and Formatting Disks Partitioning a Disk Checking for Disk Problems Labeling a DiskFormatting a Disk To fomat a disk Checking to See If Journaling is Enabled Enabling Journaling for an Existing VolumeTo see if journaling is enabled To enable journaling Enabling Journaling When You Erase a Disk Understanding Spotlight TechnologyDisabling Journaling Enabling and Disabling Spotlight To enable Spotlight on your server Performing Spotlight SearchesRestart your server To view the metadata of a file Managing RAID Volumes Controlling Spotlight Indexing To repair a failed mirror Imaging and Cloning Volumes Using ASRTo image a boot volume To restore a volume from an image Working with Users and Groups Understanding Accounts Administering and Creating Accounts Creating a Local Administrator User Account for a ServerTo create a local administrator user account To create an local administrator user with a specific UID Creating a Domain Administrator User Account To create a domain administrator user account Checking a User’s Administrator Privileges Creating a Nonadministrator User AccountTo find the Guid of the administrator user To see if a user is a server administrator Specify the user ID, replacing 1234 with the new user’s ID 102 Retreiving a User’s Guid Removing a User AccountTo retrieve a user’s Guid Review the Guid for a particular user To prevent a user from logging Revoking a User’s Right to Access His or Her AccountDisable the user account by entering the following command To reenable a user account that is disabled To terminate all of a user’s processes Checking a Server User’s Name, UID, or Password Attribute Description Modifying a User AccountTo change a user account attribute to a new value Creating a Mobile User Account To create a mobile account Managing Home Folders To flush the cacheCreating a User’s Home Folder To create a home folder for a particular user Administering Group Accounts To create a home folder for users in the local domainMounting a User’s Home Folder To mount a user’s shared home directory on an AFP server Creating a Group Account To add a group account To remove a group account You can remove group accounts by using the dscl toolRemoving a Group Account To add a user to a group You can add users to a group using the dscl toolAdding a User to a Group To remove a user from a group You can remove users from a group by using the dscl toolRemoving a User from a Group Review the new settings of the group To verify a nested group Creating and Deleting Nested GroupTo create a nested group Editing Group Records To unnest a groupTo display the information about a particular group To delete a group Viewing the Workgroup a User Selects at Login Creating a Group FolderTo create a group folder See the CreateGroupFolder man page for more information Importing Users and Groups To import users and groups Number of attributes in each account record Creating a Character-Delimited User Import FileWriting a Record Description 121 An example user account looks like this Using the StandardUserRecord ShorthandUsing the StandardGroupRecord Shorthand Viewing Permissions Setting PermissionsSome examples of permission settings Setting the umask for Individual Users Use one of the following values to set the permission level See the chmod man page for more information Changing PermissionsUse the chmod tool to change permissions for an item Securing System Accounts Changing the OwnerChanging the Group Securing Initial System Accounts To disable root login Enter the root password when promptedSecuring the Root Account Restricting Use of the sudo Tool Securing Single-User Boot Computer should restart and display the login window Setting Password PolicyTo set the Open Firmware password for increased security To change a user’s password To view the global password policyTo set the minimum password length to 5 characters To set a more secure global password policy Access the help prompt and enter the command name Finding User Account InformationSee the pwpolicy man page for more information To query for a user by name 132 Working with File Services Managing Share Points Listing Share Points Creating a Share PointTo list existing share points To create a share point To change share point settings Modifying a Share Point Managing the AFP Service Starting and Stopping AFP ServiceChecking AFP Service Status Viewing AFP Settings Changing AFP Settings List of AFP SettingsTo change a setting To change several settings Allow an administrator user to masquerade as another user Authentication mode. Can beWhether the AFP service should restart automatically when Location of the error log Record user logins in the activity log Login greeting messageLast time the login greeting was set or updated Default = -1unlimited List of AFP serveradmin Commands Value returned by getConnectedUsers Listing Connected UsersTo list connected users Disconnecting AFP Users Sending a Message to AFP UsersTo send a message To disconnect users Canceling a User Disconnect To cancel a user disconnectComputer will repond with the following output Value Description Computer will respond with the following output Listing AFP Service StatisticsTo list service statistic samples Viewing AFP Log Files To view the latest entries in a logTo display the log paths Value displayed by Managing the NFS Service Starting and Stopping NFS ServiceChecking NFS Service Status Viewing NFS Service Settings Managing the FTP Service Starting FTP ServiceStopping FTP Service Checking FTP Service Status Parameter ftp Description Changing FTP Service SettingsList of FTP Service Settings Directory in which the FTP content is stored Displays a banner message that appears whenPrompted to log in to the FTP. Customize to your Own preferences Checking for Connected FTP Users List of FTP serveradmin CommandsViewing the FTP Transfer Log Managing the SMB/CIFS Service Starting and Stopping SMB/CIFS ServiceChecking SMB/CIFS Service Status Viewing SMB/CIFS Service Settings Parameter smb Description Changing SMB/CIFS Service SettingsList of SMB/CIFS Service Settings Browser service. Can be set to Advanced pane of Windows service settings in the ServerLow errors and warnings only Medium service start and stop, authentication failures Server’s NetBIOS name. Can be set to a maximum Pane of the Windows service settings in the Server AdminWindows service settings in the Server Admin This corresponds to the Wins Registration Off and Enable List of SMB/CIFS serveradmin Commands Listing SMB/CIFS Users Disconnecting SMB/CIFS Users Listing SMB/CIFS Service StatisticsTo list SMB/CIFS connections Computer responds with the following output Viewing SMB/CIFS Service Logs Location of the SMB service logLocation of the name service log Managing ACLs Using chmod to Modify ACLs Following are the permissions applicable to foldersTo grant a user write permission for a file To deny a guest read permission for a file To view the ACL of a file Output should look like the following 160 Working with the Print Service Understanding the Print Process Performing Print Service Tasks Starting and Stopping Print ServiceTo start print service To stop print service Changing Print Service Settings Checking the Status of Print ServiceViewing Print Service Settings Print Service Settings Parameter print Description Queue Data Array Parameter printDescription Following is an example of a queue array parameter block Managing the Print ServiceCommand printcommand= Description Pausing a Queue Listing QueuesListing Jobs and Job Information To pause a queue To release the job Holding a JobTo hold a job To obtain a list of available cover pages Viewing Print Service Log FilesViewing Cover Pages 170 Understanding the NetBoot Service Starting and Stopping NetBoot ServiceTo start NetBoot service To stop NetBoot service Changing NetBoot Settings Checking NetBoot Service StatusViewing NetBoot Settings Changing General Netboot Service Settings Volume parameter arrayParameter netboot Description Storage Record Array Filters Record Array Image Record Array Port Record Array Enabling NetBoot 1.0 for Older NetBoot ClientsTo enable NetBoot Booting from an Image Using hdiutil to Work with System ImagesWorking with System Images Updating an Image Using asr to Restore System Images Imaging Multiple Clients Using Multicast asr Choosing a Boot Device Using systemsetup To configure a client to receive a multicast stream Understanding the Mail Service Postfix Agent Cyrus Mailman Managing the Mail Service Starting and Stopping Mail ServiceChecking the Status of Mail Service Viewing Mail Service Settings Mail Service Settings Parameter mail Description Default = 500s Default = 1sDefault = domain Default = += Default = 0s Default = postfixDefault = 1000s Default = -=+ Default = flock Default = flushDefault = 60s Default = postdrop Default = 10s Default = /usr/binDefault = mail Default = none Default = smtp Default = 7dDefault = qmgr Default = fcntl Default = error Default = showqDefault = 5d Default = host Default = incoming Default = activeDefault = deferred Default = bounce Default = virtual Default = $homeDefault = rewrite Default = 600s Default = 30s Default = hashDefault = Default Default = c Default = cyrus Default = auxprop 193 To list samples Mail serveradmin CommandsListing Mail Service Statistics Viewing the Mail Service Logs Default = srvr.logTo display the log locations Location of the server log Backing Up the Mail Files Reconstructing the Mail Database Enter a key size at the next prompt, and then press Return Setting Up SSL for Mail ServiceGenerating a CSR and Creating a Keychain 199 Accessing the Server Certificates Obtaining an SSL CertificateImporting an SSL Certificate into the Keychain To import an SSL certificate into the keychain Creating a Password File See the certadmin man page for more informationTo create a password file To list the certificates stored in the System keychain Configuring Mailboxes Enabling Sieve Scripting To enable Sieve support Reload the mail serviceEnabling Sieve Support Sample Sieve Scripts Self-Defined Forwarding Script Basic Sort and Anti-Junk Mail Filter Script Sieve Scripting Resources 206 Understanding Web Technology Files Location Managing the Web Service Starting and Stopping Web ServiceChecking Web Service Status Viewing Web Settings Changing Settings Using serveradmin Changing Web SettingsServeradmin and Apache Settings Web serveradmin Commands Viewing Service LogsViewing Service Statistics Listing Hosted Sites Value you want to display. Valid values V1-Number of requests per secondV2-Throughput bytes/sec V3-Cache requests per second Addsite.in File Example Script for Adding a WebsiteAddsite File Tuning the Server Performance To run the script Working with Application Servers and Java Apache TomcatJBoss Server To start Apache Tomcat To install the default database MySQL DatabaseTo start JBoss, enter the following To stop JBoss, enter the following To set the root password To create a databaseTo set the network option To start mysqld Working with Network Services Managing Network Services Managing the Dhcp Service Starting and Stopping Dhcp ServiceChecking the Status of Dhcp Service Viewing Dhcp Service Settings Changing Dhcp Service Settings Dhcp Service SettingsTo see a list of available service settings To change a single Dhcp setting Subnet Parameter Dhcp Subnet Settings ArrayAbout Subnet IDs General pane of the subnet settings in the Server Not set defaultWins pane of the subnet settings in the Server Lease time in seconds Corresponds to the NetBIOS Scope ID field in the Wins Adding a Dhcp SubnetTo add a subnet Domain name such as apple.com About Static Map IDs Adding a Dhcp Static MapTo add a static map List of Dhcp serveradmin Commands Viewing the Dhcp Service LogCommand Dhcpcommand=Description Determine the location of the Dhcp service logs Managing the DNS Service Starting and Stopping the DNS ServiceChecking the Status of DNS Service Viewing DNS Service Settings Changing DNS Service Settings DNS Service SettingsList of DNS serveradmin Commands Viewing the DNS Service Log Configuring IP Forwarding Managing the Firewall Service Starting and Stopping Firewall Service Checking the Status of Firewall ServiceViewing Firewall Service Settings Firewall Startup Parameter ipfilter Description Changing Firewall Service SettingsFirewall Service Settings Adding Rules by Modifying ipfw.conf Defining Firewall RulesIpfilter Groups with Rules Array Unmodified ipfw.conf file Adding Rules Using serveradmin Ping cracker.evil.org to determine its IP addressTo add a rule An example of this would be similar to the following Firewall serveradmin Commands Ipfilter Rules Array Managing the NAT Service Viewing Firewall Service LogUsing Firewall Service to Simulate Network Activity Location of the ipfilter service log Starting and Stopping NAT Service Checking the Status of NAT ServiceViewing NAT Service Settings Changing NAT Service Settings Parameter nat Description NAT Service SettingsNAT serveradmin Commands Viewing the NAT Service Log Port Mapping Managing the VPN Service Starting and Stopping VPN ServiceChecking the Status of VPN Service Viewing VPN Service Settings Changing VPN Service Settings List of VPN Service SettingsDefault = Keychain Default = IPSec Default = Manual Default = L2TPDefault = PPP Default = Dsacl Default = EAP-RSA Default = PptpDefault = Mppe List of VPN serveradmin Commands Viewing the VPN Service LogVPN Service Log on this Restarted. See Using the serveradmin Tool on Site-to-Site VPN Configuring Site-to-Site VPNLocation of the VPN service log Adding a VPN Keyagent User Setting Up IP Failover IP Failover PrerequisitesIP Failover Operation Hardware Requirements To enable IP failover Enabling IP Failover Pre and Post Scripts Configuring IP FailoverNotification Only Enabling PPP Dial-In Restoring the Default Configuration for Server ServicesTo restore the NAT service to its default configuration To restore the Dhcp service to its default configuration Re-create the two default recordsTo restore the Qtss service to its default configuration To restore the DNS service to its default configuration To restore the VPN service to its default configuration Understanding Open Directory Using General Directory ToolsTesting Your Open Directory Configuration Testing Open Directory Plug-ins Changing Open Directory Service SettingsModifying a Directory Domain Registering URLs with SLP Configuring Ldap PasswordOptionsStringLDAPTimeoutUnits Default = minutes LDAPServerBackend Managing OpenLDAP Tool Used to Configuring slapd and slurpd DaemonsStandard Distribution Tools Delay Rebind Idle TimeoutIdle Rebinding Options Searching the Ldap Server 256 257 Using Ldif Files Additional Information About Ldap Configuring NetInfoManaging NetInfo Managing Open Directory Passwords Open Directory Password ServerViewing or Changing Password Policies Enabling or Disabling Authentication Methods Kerberos and Apple Single Sign-On Backing Up the Kerberos DatabaseTo dump the KDC’s database To load KDC data from a dumped file To add a service principal Principal ManagementTo add a principal To delete a principal Using Directory Service Tools Operating on Directory Service Directory DomainsUsing kadmin to kerberize a service To kerberize a service from a terminal running on that host Finding Network Information Manipulating a Single Named Group Record Adding or Removing Ldap Server Configurations Configuring the Active Directory Plug-InTo add an Ldap server To remove an Ldap server 266 Performing Qtss Service Tasks Understanding QuickTime Streaming Server Starting and Stopping the Qtss Service Checking Qtss Service StatusViewing Qtss Settings Changing Qtss Settings Qtss Settings Descriptions of SettingsDefault = qtaccess Look in the sample file for Default = admin Default = digest Default = qtss Managing QtssListing Current Connections Logs on Connections Viewing Qtss Service StatisticsFor connections v1, this is integer average number Send a HUP signal to this process Forcing Qtss to Reread its PreferencesTo force Qtss to reread its preferences List the Qtss processes Configuring Streaming Security Resetting the Streaming Server Admin User Name and PasswordTo set up Sites/Streaming/ in older home folders To reset the user name and password Controlling Access to Streamed Media Creating an Access File Between terms, make sure you enclose the entire message Quotation marksPath and filename of the user file Qtusers Accessing Protected Media Adding User Accounts and PasswordsAdding or Deleting Groups Making Changes to the User or Group File Manipulating QuickTime and MP4 Movies Creating Reference MoviesCreate QuickTime Atom ref movie with extension .qtl Create XML text ref movie with extension .qtl 280 Configuring the Log File Configuring Your System Logging Local Logging Configuring Remote Logging on a Client Computer To enable remote logging on a client computerConfiguring Remote Logging on a Server Remote Logging Or match a single host like this Open /etc/rc and locate the following line PCI RAID Card Command Reference 286 287 288 Glossary Computer account See computer list Directory node See directory domain Full name See long name 292 293 294 Relay point See open relay Search path See search policy 297 298 Access Securing Chgrp tool ACL access control list136 Example Stopping service Naming 41 Restoring images Logs Lpr Backup Cyrus Mail files Dynamic Host Configuration Protocol. See Dhcp Error messages command not found Executing commandsImage Booting from 176 updating Disk journaling Kerberosautoconfig tool 261 keychain Backing up Principal management 262 tools and utilities 302 QuickTime Streaming Server. See Qtss Used by ldapsearch 255 scheduling tasks AFP DNS 239 Terminating commands Time, viewing or changing 57 Stopping serviceViewing service logs Tools for remote configuration