Apple's 'Tiger' a Serious Enterprise OS

Our new Apple in the Enterprise columnist, John Welch, gets under the hood of Apple's latest OS update and, a few solvable bugs aside, likes what he sees.
On April 29, Apple released the latest iteration of Mac OS X, version 10.4, aka "Tiger". While features such as Spotlight, Dashboard and Automator have received the majority of the, well...spotlight, there are a number of features in Mac OS X 10.4 Server that will please any sysadmin, especially those in a heterogeneous environment.

Apple has implemented a lot of new features in Mac OS X 10.4 Server and, happily, almost all of them are things that Mac sysadmins have been asking for. The kernel has been extensively updated, with the benefit that previous "funnel" structures which serialized all network operations are now effectively gone, meaning that network operations can be much more efficient and multithreaded network applications should run better. The kernel modifications also allow for a feature that sysadmins have wanted in Mac OS X for a while now: Access Control Lists, or ACLs.

Traditional Unix permissions have involved three possible entities: the file/folder's owner, the file/folder's group, and everyone else. With those three entities you had three possible permissions: read, write, execute.

While this worked well for many years, decades even, in a modern enterprise IT environment, that model is too simplistic. Even on the smaller side of the SMB market, it's not unusual to have multiple groups and users needing different levels of access to the same files or folders. It's also not unusual to have cases where you need to split out creating a new file, writing to an existing file, and deleting an existing file from Unix's traditional all-encompassing "write".

Now, you could do some of this in a coarse way with traditional permissions, and things like the "sticky bit" that only allowed root or the file's owner to delete a file (but did nothing to prevent someone with write access to that file from deleting all the contents of that file, and leaving a blank file behind), or the chflags command to set an object as append-only. But even with that, you were still stuck with only three kinds of access to a file.

Compatible ACLs

In Mac OS X 10.4 Server, ACLs change that. ACLs, and their associated ACEs, or Access Control Entries, allow for much finer control of access to file system objects. Apple has wisely, albeit with some controversy, made their implementation of ACLs compatible with Windows ACLs, so that in a mixed environment, the permissions on a given file or folder now work the same regardless of what machine is accessing it. In fact, I was able to set up a server that was bound to an Active Directory 2000 realm, set up some SMB shares, add various Active Directory users and groups to the ACLs, then, from my Windows XP box, modify those ACLs successfully as though they were shared by a Windows server. Although ACLs are only officially supported in Mac OS X 10.4 Server, they can be implemented in Mac OS X 10.4 client via the fsaclctl command, and modified via the chmod command.
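
The finer-grained control described above, as an added example that is not from the original column or from Apple's code: a simplified Python model of ordered ACE evaluation next to the classic owner/group/other check. The group names, right names and evaluation rules are assumptions made for illustration.

```python
# Simplified model of ordered ACE evaluation (illustrative assumption, not
# Apple's implementation). Anything the ACL does not grant is refused here.
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    principal: str       # user or group name
    kind: str            # "allow" or "deny"
    rights: frozenset    # e.g. {"read", "add_file", "delete_child"}

def check_access(acl, user, groups, requested):
    """Walk ACEs in order: a matching deny on a still-needed right refuses;
    matching allows accumulate until every requested right is granted."""
    needed = set(requested)
    identities = {user} | set(groups)
    for ace in acl:
        if ace.principal not in identities:
            continue
        hit = needed & ace.rights
        if not hit:
            continue
        if ace.kind == "deny":
            return False
        needed -= hit
        if not needed:
            return True
    return False

def unix_mode_check(mode_bits, is_owner, in_group, want):
    """Classic check: one class (owner, group or other), one of r/w/x."""
    shift = 6 if is_owner else 3 if in_group else 0
    bit = {"r": 4, "w": 2, "x": 1}[want]
    return bool((mode_bits >> shift) & bit)

# Constructed sample: one shared folder, three groups with different needs.
# Contractors may add files but never remove them; auditors only read.
PROJECT_ACL = [
    ACE("contractors", "deny", frozenset({"delete", "delete_child"})),
    ACE("editors", "allow",
        frozenset({"read", "write", "add_file", "delete_child"})),
    ACE("contractors", "allow", frozenset({"read", "add_file"})),
    ACE("auditors", "allow", frozenset({"read"})),
]

if __name__ == "__main__":
    for who, grp, right in [("alice", "editors", "delete_child"),
                            ("bob", "contractors", "add_file"),
                            ("bob", "contractors", "delete_child"),
                            ("carol", "auditors", "write")]:
        print(who, right, check_access(PROJECT_ACL, who, [grp], {right}))
```

With mode bits alone, the same folder at 0770 gives every group member the whole of "write", so creating and deleting cannot be told apart.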

ACLs in Mac OS X 10.4 are stored as extended attributes in the HFS+ file system that is Mac OS X 10.4's default. Mac OS X 10.4, more so than any other release, is using filesystem metadata heavily. While this will increase the overall usefulness of the file system (if you think Apple is alone here, that's not true anymore -- WinFS, whenever it shows up, is all about metadata), it has several implications for sysadmins. Most file system utilities are not going to properly repair Mac OS X 10.4 disks without an update.

As of yet, the only mainline disk repair utility that advertises Mac OS X 10.4 compatibility is TechTool Pro, from Micromat. Alsoft has announced the availability of DiskWarrior 3.0.3 in the first weeks of May, which will support ACLs, extended attributes, and the other new features of Mac OS X 10.4's HFS+ access. Backup utilities are going to need to be updated to fully support these features.

I highly recommend that, if your vendor advertises "Tiger Compatible!", you get specific answers about ACLs, extended attributes and the rest. "Will run without crashing" and "fully supports new features" are, as always, two very different things.

ACLs in Mac OS X 10.4 Server are not just for file system objects. Apple has also implemented Service ACLs, or SACLs, which give the sysadmin an easy way to allow access to basic services on a Mac OS X 10.4 Server, such as AFP, SMB, Printing, Web Services, etc., via users and groups. Allow and deny access are separated, so you can arrange your access however you need. I've found this to be particularly valuable with regard to SSH access and Console login. No longer does a user have those accesses just because they have an account on the server.

Along with the Windows compatibility for ACLs comes increased Windows integration. Setting up Tiger Server as a member server in an Active Directory realm is now far easier and more reliable. Mac OS X 10.4 Server now supports Kerberos and NTLMv2 authentication for Windows clients, so from the Windows side, single sign-on is much more reliable for users accessing SMB shares on a Mac OS X 10.4 Server. This Kerberos integration is also present in Mac OS X 10.4's SMB client, so if your Mac running Mac OS X 10.4 is a part of an Active Directory realm, you now get single sign-on convenience when accessing Windows file servers.

Two-Directional Authentication

Finally, Apple's directory service implementation, Open Directory, has received a few key improvements. Most important is the implementation of Trusted Binding, or two-directional authentication. Not only does the client have to prove itself to the server, but the server must also authenticate to the client. This helps avoid the problem of rogue directory servers being able to subvert Mac OS X clients, a real problem in a heavy wireless environment, which Macs tend toward. Mac OS X 10.4 Server allows you, via SSL and Kerberos, to set up your Open Directory network with packet signing and packet encryption for client/server Open Directory communications along with being able to use Kerberos to help prevent man-in-the-middle attacks. As networks get more flexible, this kind of feature set is critical, so Apple making it easier to implement is a welcome addition to Open Directory's capabilities.

One downside of Mac OS X 10.4 Server's revisions is that due to the extensive kernel changes required for features like ACLs and finer-grained locking, and a stable, documented KPI, Apple broke a lot of third-party networking and kernel code.

Mac OS X 10.4 is possibly the most extensive change Apple has made to Mac OS X since it was first released. This is not an update that you can jump on without planning. I think it's a great update, but it has so many changes that you simply cannot assume that everything will work right. Cisco VPN users who jumped into Mac OS X 10.4 are now very unhappy they did. Obviously, updates and patches will be coming, but Mac OS X 10.4 is definitely a "measure twice, cut once" update. I've been very happy with it, but I also haven't moved my Macs on to it yet.

Once the problems that occur with any major OS update have been ironed out, Mac OS X 10.4 is going to be viewed as a pivotal release for Apple, and one that will go a long way to making it an even better player in the enterprise.
