Ok, now that the Server is running, we can turn to the clients.
We have a pure Open Directory without the smallest stain of Active Directory in our network.
Which is not to say that I dislike the AD. It works great, and it would have been a lot harder to f**k it up like the OD we have here. But I'm embracing Apple fan-boyishness to fulfill my role as Mac admin. I even started to cut out the little Apple logos on the accessory packaging and put them into my sideboard to treasure them...
Uhm, yeah, clients.
There are four ways to get your clients to access the local Software Update repository:
1. Use the OpenDirectory to push out the network path to the server.
This is accomplished in the Workgroup Manager in Preferences. It seems to work out of the box, but all of your users must be in OD, and log in via OD as well.
Sadly, that's not the case with our users, which are all local users that only use Kerberos tickets to access the fileshares and Linux.
I am going to change that, but did not find a good way to migrate all these local users to mobile users yet.
2. Update your local SoftwareUpdate.plist to use the new path
Run this in the terminal (replace the <...> with your update server):
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL '<COMPLETE_URL_TO_SERVER>'
Some other how-tos state that you can enter this line without the complete path to "com.apple.SoftwareUpdate". At least in my setup, this is wrong.
I've tested it with Lion and SL clients, works for me.
Remember, this is a SnowLeopard Server. I think this will not work anymore with a Lion Server as something changed.
You can go back to the original Apple servers if you delete the entry again:
sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL
3. Change your local DNS Server to redirect the clients to your server
This could be seen as a horrible hack, but has some nice effects, not possible with other solutions:
- unmanaged clients are caught as well, you don't have to touch your clients
- MacBooks can still access Apple's servers if outside the LAN
To integrate this into your network you need to create a new DNS zone, modify the "hosts" file of your update server and use a webserver to redirect some paths. This is necessary because the original Apple update server uses different paths than the Software Update service. If you are already using a webserver on port 80 on the Software Update server, you can use another one (but you'll have to change the redirect paths).
This will need some maintenance in the future!
If Apple's swscan.apple.com changes its IP...
If Apple introduces a new DNS name for their update server...
If a new version of MacOS X comes out...
If some automatism in an update changes some part of this...
But it works for now. We use this for Lion and SL clients.
First the DNS Zone:
- Go into the Server Admin tool and open the DNS Service.
- Add a zone "swscan.apple.com." (mind the dot at the end!)
- Enter your local DNS server as "Nameserver Hostname"
- Add an A record in this zone: "swscan.apple.com." (mind the dot again!!)
- Don't forget to save.
That's it. You can try it by using the "host" command in the terminal:
original:
:~$ host swscan.apple.com
swscan.apple.com has address 17.250.248.95
modified:
:$ host swscan.apple.com
swscan.apple.com has address 10.0.109.204
While you are on the commandline, you need to add the original IP of the Apple server to the /etc/hosts of your update server. If you fail to do that, your server will not be able to get new updates.
As root:
echo "17.250.248.95 swscan.apple.com" >> /etc/hosts
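The first maintenance risk listed above (Apple changing the address of swscan.apple.com) shows up as a stale pin in the update server's /etc/hosts. The check below is an added example, not part of the original post; the function names, the `<...>` placeholders and the 192.0.2.10 sample address are assumptions.

```shell
#!/bin/sh
# Added example: drift check for method 3. Functions take command output as
# text so the logic can be exercised offline.

# First IPv4 address in `host <name>` output read from stdin.
host_addr() {
    sed -n 's/.* has address \([0-9.]*\)$/\1/p' | head -n 1
}

# Address pinned for name $1 in hosts-file text read from stdin.
pinned_addr() {
    awk -v n="$1" '{ sub(/#.*/, "")
        for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# check_setup <server_ip> <lan_host_output> <hosts_text> <outside_host_output>
# Prints one finding per line; returns 0 only when there are none.
check_setup() {
    bad=0
    seen=$(printf '%s\n' "$2" | host_addr)
    pin=$(printf '%s\n' "$3" | pinned_addr swscan.apple.com)
    real=$(printf '%s\n' "$4" | host_addr)
    [ "$seen" = "$1" ] ||
        { echo "clients resolve to ${seen:-nothing}, expected $1"; bad=1; }
    [ -n "$pin" ] ||
        { echo "no hosts pin: server cannot fetch new updates"; bad=1; }
    [ -z "$pin" ] || [ "$pin" = "$real" ] ||
        { echo "pin $pin is stale, upstream is now ${real:-unknown}"; bad=1; }
    return $bad
}

# Live use on the update server (placeholders, not values from the page):
#   check_setup <SERVER_IP> "$(host swscan.apple.com <LAN_DNS>)" \
#       "$(cat /etc/hosts)" "$(host swscan.apple.com <OUTSIDE_RESOLVER>)"

# Constructed sample: the page's addresses plus a made-up new upstream
# address (192.0.2.10, documentation range) to show the stale-pin finding.
lan='swscan.apple.com has address 10.0.109.204'
hosts='17.250.248.95 swscan.apple.com'
check_setup 10.0.109.204 "$lan" "$hosts" \
    'swscan.apple.com has address 192.0.2.10' ||
    echo "=> refresh the swscan.apple.com line in /etc/hosts"
```

The outside lookup has to go to a resolver that does not carry the local swscan.apple.com zone, because `host` queries DNS directly and ignores /etc/hosts.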
Second, the web server:
- Enable the web server in the Server Admin tool (Settings/Services).
- In the Web service page, edit the default root site (the one with the *)
- Give it the Host Name "swscan.apple.com"
- Under Aliases, add the following entries as Redirects in the bottom box:
/content/catalogs/index-1.sucatalog
http://swscan.apple.com:8088/index.sucatalog
/content/catalogs/others/index-leopard.merged-1.sucatalog
http://swscan.apple.com:8088/index-leopard.merged-1.sucatalog
/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
http://swscan.apple.com:8088/index-leopard-snowleopard.merged-1.sucatalog
/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog
http://swscan.apple.com:8088/index-lion-snowleopard-leopard.merged-1.sucatalog
- You can disable the default services (wiki, blog, calendar) in the tab "Web Services"
- Don't forget to save
You should now be able to download software updates from your server, without any editing on your system. Try it by entering the URL in your browser:
http://swscan.apple.com/content/catalogs/index-1.sucatalog
The Software Update access log (in Server Admin) should show you your access.
4. Use your HTTP proxy server to accomplish the above
A colleague showed me this, I didn't try it out but this is a real alternative:
You are using your squid installation to redirect http traffic to your local update server. This gets you the same benefits as the DNS method, without messing in your DNS config.
Here is the source link (German!):
http://www.heise.de/mac-and-i/artikel/Update-Zweigstelle-1424907.html