Managing Server Access
When configuring any server for access by users, you’ll need to determine what services
the server will provide and what levels of user access to assign. So far, we have discussed
only network services, which do not require any specific user access to the server once the
service is enabled. For many of the other services this book will cover, such as file sharing,
you will need to create specific user accounts on your server.
When considering the creation of user accounts, you’ll want to determine how to best set up
your users, how to organize them into groups that match the needs of your organization,
and how to best maintain this information over time. As with any service or information
technology (IT) task, the best approach is to thoroughly plan your requirements and
approach before starting to implement a solution.
Creating and Administering User and Administrator Server Accounts
Authentication occurs in many different contexts in Mac OS X and Mac OS X Server, but it
most commonly involves using a login window. For example, when you start up a Mac OS X
computer, you may have to enter a user name and password in an initial login window
before being allowed to use the system at all. (By default, Mac OS X is set to automatically
log in with the first account that was set up on the system, without asking for a password.
Unless you change this default setting using the Accounts pane of System Preferences, you
will not see the initial login window when you start up the system.) Although this login
example might seem to apply only to Mac OS X, you could be authenticating to a user
account that resides across the network on Mac OS X Server.
Another example occurs when you connect to a network server, whether via AFP or SMB.
A user must authenticate before accessing these services, even if logging in just as a guest
user. If a login name and password are not entered correctly, a “Login failed” alert appears,
indicating a failed attempt at authentication.
110 Authenticating and Authorizing Accounts
To administer a server through Server Admin or Workgroup Manager, an administrator
must authenticate using those applications. This is required whether the server is being
administered locally or remotely.
Using Server Preferences for User Accounts
If you configured Mac OS X Server as a Standard or Workgroup server, you can use the
Server Preferences application for configuring user accounts. This application manages users
and groups using an interface very similar to the Accounts preferences pane on Mac OS X.
Server Preferences gives you the basic options for account management, including the
account details, contact information, services that the user is authorized to use, and groups
to which a user belongs. As mentioned in Lesson 1, if you’ve configured your server as an
Advanced server, you won’t be able to use the Server Preferences application. Because the
user-related options are generally self-explanatory when using Server Preferences, we’ll
focus on the Advanced server management methods for the remainder of this lesson.
Using Workgroup Manager for Configuring User Accounts
Workgroup Manager is the primary tool for creating and configuring user accounts on Mac
OS X Server. To grant a person specific permissions on Mac OS X Server, you must set up a
user account for that person. User accounts on Mac OS X Server are the same as on Mac
OS X, although accounts created with Workgroup Manager provide more complex options
and settings. They also enable you to create network-visible accounts, that is, accounts
that can be used to log in remotely.
On Mac OS X Server, you can have local user accounts and network accounts. Standard
user accounts on Mac OS X enable a person to access files and applications local to that
computer. Similarly, user accounts on Mac OS X Server permit users who log in locally to
access files or services (such as mail and print services) that are located on the server, but
they also give remote users access to server volumes and associated files if the users are
created in a network-visible directory service. Local users can connect to servers remotely,
but can log in only locally.
Here are some examples of Mac OS X Server user account settings:
UNIX user ID (UID)
User password type (shadow hash, crypt, Open Directory)
Home folder location
User address information
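The password type in the list above is recorded per account in the AuthenticationAuthority attribute. The following added example (not from the book) classifies constructed account records by that attribute so that accounts still using crypt passwords can be found. The `name|uid|authority` record layout, the function names and the sample values are assumptions for illustration; on a live server the same fields can be read with `dscl . -read /Users/<name> UniqueID AuthenticationAuthority`.

```shell
#!/bin/sh
# Added example: classify accounts by password type from AuthenticationAuthority.

# classify_authority AUTHORITY
# Prints the password type for one AuthenticationAuthority value.
# An empty value or ";basic;" means a crypt password.
classify_authority() {
    case "$1" in
        *";ApplePasswordServer;"*|*";Kerberosv5;"*) echo "open-directory" ;;
        *";ShadowHash;"*)                           echo "shadow-hash" ;;
        ""|*";basic;"*)                             echo "crypt" ;;
        *)                                          echo "unknown" ;;
    esac
}

# Constructed sample records (hypothetical export format): name|uid|authority
sample_records() {
    cat <<'EOF'
admin|501|;ShadowHash;HASHLIST:<SALTED-SHA1>
netuser|1025|;ApplePasswordServer;<constructed-placeholder>
legacy|1026|
olduser|1027|;basic;
locked|1028|;DisabledUser;;ShadowHash;
EOF
}

# report: reads records on stdin, prints "name uid type" for each account.
report() {
    while IFS='|' read -r name uid authority; do
        [ -n "$name" ] || continue
        printf '%s %s %s\n' "$name" "$uid" "$(classify_authority "$authority")"
    done
}

# crypt_accounts: reads records on stdin, prints only the names using crypt.
crypt_accounts() {
    report | awk '$3 == "crypt" { print $1 }'
}

sample_records | report
```

Accounts reported as crypt are the ones to move to a shadow hash or Open Directory password first.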