What choices are you presented with for configuring Open Directory in Server Assistant?

Connected to directory system
Open Directory master

(you cannot configure a Replica in Server Assistant)

Describe how to use Access Control Lists and how they interact with Owner & Group permissions. Can an owner of a file change the ACL while connected over AFP? What is the Effective Permissions Inspector?

Files and folders are set with POSIX permissions and, if enabled on the volume, can also have File Access Control Lists applied individually.

(Both are configured in WGM -> Sharing)

File ACLs, which can be set in a granular way, override any POSIX permissions which they relate to (on a permission-by-permission basis). You can use the Effective Permissions Inspector (in WGM utility menu) to see how the ACL will affect or override the POSIX permissions for any particular user or group.

A user logged in over AFP can change permissions or ownership of a file they own IF there is no corresponding ACL which prevents this (an ACL can be set up to deny Change Permissions or Change Owner).

However, a user logged in over AFP cannot change the ACL entry that applies to a given file or folder.

Describe the managed preferences order of priority. The scenario is: Dock positioned on one side for the user, the other side for the group, and the bottom for the computer. Describe what happens when a remote user logs in with managed preferences. What takes priority, and how does the OS handle this for preferences that are overridden?

For managed preferences where the user, group, and computer have different preferences managed, the behavior for each preference is either: inherit, override, or combine.

The logic is that each preference is evaluated separately. If the preference is set for only one of user, group, OR computer (and the others are not managed), then whichever one is set will become the result. This is called inherited.

If the preference is set for more than one of user, group, and computer, then it depends on whether or not the preference itself can have only one value. For example, the Dock position can have only one value. The list of available Applications, or the items to launch at log-in, however, can have multiple values. If the preference can have only one value, then the override rule applies: the user trumps the computer, and the computer trumps the group. (When combining preferences that can have only one value, the order of importance is: user, computer, group.)

Finally, if the preference CAN have multiple values (like Log-in items or Applications), the user, group, and computer managed preferences are combined.

In OS X Server 10.4, what does FTP support on-the-fly? (encrypt, decrypt, encode, decode, etc…) What is commonly done together and what is not supported?

encode: this has to do with files with resource forks (typically from Mac OS 9), which get encoded into a MacBinary file with the resource fork and data fork together

archive: taking a group of files and/or folders and archiving them into a single .tar file

compress: adds .gz to the end of the filename and compresses the file (does not preserve resource forks)

Commonly done together: archiving & compressing, to create a .tar.gz file

Note: you could also use MacBinary in combination with the others.

Does the OS X Server 10.4 implementation of FTP support CRAM-MD5, and what is CRAM-MD5?

Not supported by FTP. FTP can authenticate using clear text or Kerberos.

What are preference manifests and how do they extend the concept of managed preferences previous to 10.4 Server? In WGM, where are the never, once, often, and always modes and how are they used? How does this relate to preference manifests?

When in Preferences (in WGM), you can manage each preference by user according to never, once, or always. (This is done by going to the Overview tab when configuring a user's Preferences in WGM.) This displays a GUI for managing the Apple-related preference.

Tiger introduces preference manifests, which allow you to specify managed preferences for both Apple and non-Apple applications, and which display more advanced and detailed options in a generic list view. (You get to this in the Details tab when configuring Preferences in WGM.)

When using Preference Manifests (from the Details tab), add an application, then click Edit…. This will open the Preferences Editors (the info is displayed in a generic window and is grabbed from the application's plist). Unlike above, the options here are: once, often, and always.

When a particular preference is set to once, the first time the user logs in this preference will be set this way and the user can make a change that will stay.

When a particular preference is set to often, the preference will revert to the managed setting each time the user logs in, but will allow the user to change the preference setting while logged in for that session. When logging in again, the preference will revert to the managed setting.

When a preference is set to always, the user will probably not be able to change the preference setting at all (it will always be managed by the preference manifest rules), even while logged in, but some applications do not honor this and will in fact allow the user to change the settings.

What is the maximum number of groups you can assign to a single user under OS X Server 10.4?

There is no limit to the number of groups a user may belong to; however, if a directory is shared via NFS, a 16-group limitation is imposed by the NFS architecture.

What is a printer pool and how is it used?

You can configure printer pools with multiple printers, for availability and volume. A job sent to a printer pool will be printed on any one of the available printers in the pool.

What is strict locking, and under which protocol environments (AFP, FTP, SMB, etc., or a combination) should you use it? What is oplock?

Whenever using SMB *with* another file sharing protocol.

The opportunistic lock (oplock) function allows an application to open a file that might be used by multiple applications, as though it was the only application using the file if the application makes the first open request.

When a second application requests access to a file with an outstanding oplock, the initial application having the existing oplock is notified by the server. The prior application, if acting politely, will then flush its buffers and write any file changes to the server. After writing the changes, the first application typically issues a lock for only the range of bytes it needs to use, releasing the overall lock of the file.

When Any Method is selected for AFP, describe the ways that an AFP authentication is attempted and the order in which they happen.

In Server Admin, the choices are Standard, Kerberos, and Any Method.

When set to Any Method, AFP will first try to authenticate via Kerberos. If unavailable on the client's machine, AFP will show an error to the client's machine and then try standard authentication (which encrypts authentication over AFP).