nbalonso.com

OS X Server: Revert Manage Service Access


In OS X Server, by default, all users are allowed to access any service that you activate. This is convenient and works perfectly well in many scenarios.

When you want the opposite behaviour and only allow users to whom you explicitly grant access to services, there is also a way to do that. You go to the users pane, select any user, click the gear at the bottom, “Edit Access to Services”, “Manage Service Access” and finally “Manage”.

From that point on, you will need to manually give access to services for each user, every single user, one by one… that is what you wanted. Or is it?

According to the Apple documentation (or, to be accurate, the lack of it) there is no way to undo what you just did.

It has happened to me that I enabled this manual management while troubleshooting, without reading and/or thinking about the consequences, and then I started getting the expected “I can’t access to the folder anymore”. Formatting the server just for this seemed unreasonable, so it was exploring time.

Trying to get this reverted, I noticed the change created service access control lists in the usual /var/db/dslocal/nodes/Default/groups. Looking for a “master” config file to set this up… nope!

Then someone mentioned “serveradmin cli?” and eureka! there you are!

Doing a diff between a server that has the service access control disabled and my problematic server, I got the setup down to the actual keys.

After some playing with the serveradmin cli, here is how I got back the default behaviour:

bash-3.2$ serveradmin settings info:monitorControlLists:_array_id:com.apple.monitor_all_services = delete
bash-3.2$ serveradmin settings info:accessControlLists:_array_id:com.apple.access_addressbook = delete
bash-3.2$ serveradmin settings info:accessControlLists:_array_id:com.apple.access_afp = delete
bash-3.2$ serveradmin settings info:accessControlLists:_array_id:com.apple.access_ftp = delete
bash-3.2$ serveradmin settings info:accessControlLists:_array_id:com.apple.access_calendar = delete
bash-3.2$ serveradmin settings info:accessControlLists:_array_id:com.apple.access_chat = delete
bash-3.2$ serveradmin settings info:accessControlLists:_array_id:com.apple.access_loginwindow = delete
bash-3.2$ serveradmin settings info:accessControlLists:_array_id:com.apple.access_mail = delete
bash-3.2$ serveradmin settings info:accessControlLists:_array_id:com.apple.access_vpn = delete
bash-3.2$ serveradmin settings info:accessControlLists:_array_id:com.apple.access_smb = delete
bash-3.2$ serveradmin settings info:adminControlLists:_array_id:com.apple.admin_all_services = delete

Then I restarted the server and all was back to normal. With the “Show only allowed users” checkbox selected in the users pane, it was showing me all the users again. Also, going back to “Edit Access to Services”, it was showing me the button of doom again.

After this experience the Time Machine service box is clickable, which wasn’t the case before, and the service access plists still reside in my dscl path. But hey! it works again and without formatting :)
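The delete commands above are typed out per service. As an added example (not code from the original post), this shell function reads a saved `serveradmin settings info` dump on stdin and prints one delete command for each entry it finds under the three control lists named above, so the commands can be reviewed against what the server actually holds before anything is run. The sample dump is constructed, and its `name` and `members` subkeys are assumptions about the dump format rather than output captured from a server.

```shell
#!/bin/sh
# Added example, not from the original post. It only prints commands;
# it never calls serveradmin and changes nothing on the server.

# Constructed sample of `serveradmin settings info` output. The key prefixes
# come from the commands in the post; the :name and :members subkeys and the
# hostName line are assumptions made for illustration.
SAMPLE_DUMP='info:accessControlLists:_array_id:com.apple.access_afp:name = "com.apple.access_afp"
info:accessControlLists:_array_id:com.apple.access_afp:members:_array_index:0 = "alice"
info:accessControlLists:_array_id:com.apple.access_smb:name = "com.apple.access_smb"
info:adminControlLists:_array_id:com.apple.admin_all_services:name = "com.apple.admin_all_services"
info:hostName = "server.example.com"'

# Read a settings dump on stdin and print one delete command per list entry.
sacl_delete_cmds() {
    # Keep only keys shaped like
    #   info:<monitor|access|admin>ControlLists:_array_id:<entry-id>[:subkey] = value
    # and reduce each to the entry key, dropping subkeys and values.
    sed -n -E 's/^(info:(monitor|access|admin)ControlLists:_array_id:[A-Za-z0-9._-]+)(:[^ ]*)? = .*$/\1/p' |
        LC_ALL=C sort -u |
        while IFS= read -r key; do
            printf 'serveradmin settings %s = delete\n' "$key"
        done
}

# Demo on the constructed sample: prints three delete commands.
printf '%s\n' "$SAMPLE_DUMP" | sacl_delete_cmds
```

On the server, save the output of `serveradmin settings info` to a file first and feed that file to the function; the saved copy also records the access lists as they were before the revert, which opens every active service to all users again.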
