2

I have a somewhat unique Lion server setup, but it's experiencing a couple of issues.

The main goal is to provide a transparent update server for computers on the network, but to allow them to default back to Apple's servers when not in the office (i.e., zero client-side changes).

In my office network, I have a DNS entry pointing swscan.apple.com to my Mac server, so all local Macs are looking at the server for updates.

On the Mac server itself, I have /etc/hosts as follows:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1   localhost
255.255.255.255 broadcasthost
::1             localhost 
fe80::1%lo0 localhost
17.250.248.95 swscan.apple.com 
17.250.248.93 swquery.apple.com 
74.203.241.19 swcdn.apple.com 
74.203.241.25 swcdn.apple.com 

When a local Mac pings swscan, it resolves to the local server as expected. When the Mac server pings swscan, it resolves to Apple as expected.

If I choose Apple menu / Software Update on the Mac server, it checks Apple's servers for updates as expected.

The Software Update service, however, is giving me a "can't connect to Apple" error.

Anyone have any insight? I'm aware this setup isn't "the Apple way" of doing things, but it would work best for my network.

  • while I think the way you're approaching this is not good, I do think it's a good question. The answers so far are quite good, in my opinion. – warren Feb 22 '12 at 15:33

3 Answers

3

Well, looking at this kb article, I would think that you could script something client side to adjust where they look for updates? If you look at the unmanaged clients section at the bottom, it gives two commands you can run to have clients look to your server for updates and how to change them back to Apple's. Maybe you could write a script that runs in cron that tries to detect whether they're inside or outside of the network. Depending on the discovery, you could update the server it's using to the appropriate one.

With something like this in place, you could set up the Software Update service to run like it's supposed to and drop all the DNS/host file voodoo you're trying to pull off.

Safado
  • Yeah, I had seen that article and was aware of the one-liner to point updates in the right place. It will work, despite being a bit of a kludge. Ideally, I'd want no configuration on the client end. –  Feb 22 '12 at 15:24
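The client-side switch this answer describes, as an added example that is not part of the answer, the question, or any Apple documentation. It uses the `defaults` key `CatalogURL` in `/Library/Preferences/com.apple.SoftwareUpdate` that the KB article's unmanaged-clients section refers to, and it detects "in the office" the way the question's network is built: if swscan.apple.com resolves to the in-house server, the client is inside. The server address, port and catalog path are placeholders to be replaced with the real ones; the decision logic is kept in its own function so it can be exercised without touching the system.

```shell
#!/bin/sh
# Added example (not from the answer or from Apple). Run as root from cron or
# launchd with the argument "run"; without it nothing on the system is changed.

OFFICE_SERVER_IP="192.0.2.10"                               # placeholder: in-house update server
OFFICE_CATALOG_URL="http://192.0.2.10:8088/index.sucatalog"  # placeholder: its catalog URL

# Pure decision: given the address swscan.apple.com resolved to, print the
# catalog URL clients should use, or "apple" to mean "use Apple's default".
choose_catalog() {
    resolved="$1"
    if [ "$resolved" = "$OFFICE_SERVER_IP" ]; then
        printf '%s\n' "$OFFICE_CATALOG_URL"
    else
        printf '%s\n' "apple"
    fi
}

# Resolve a name through the system resolver. On macOS, dscacheutil honours
# /etc/hosts and the configured DNS the same way the OS does (dig would bypass
# /etc/hosts); on other systems fall back to getent for the same effect.
resolve_host() {
    if command -v dscacheutil >/dev/null 2>&1; then
        dscacheutil -q host -a name "$1" | awk '/^ip_address:/ {print $2; exit}'
    else
        getent hosts "$1" | awk '{print $1; exit}'
    fi
}

# Apply the decision: write CatalogURL for the office, delete it to go back to
# Apple's servers (a missing key is the default, so the delete may "fail" harmlessly).
apply_catalog() {
    choice="$1"
    plist="/Library/Preferences/com.apple.SoftwareUpdate"
    if [ "$choice" = "apple" ]; then
        defaults delete "$plist" CatalogURL 2>/dev/null || true
    else
        defaults write "$plist" CatalogURL "$choice"
    fi
}

main() {
    ip=$(resolve_host swscan.apple.com)
    choice=$(choose_catalog "$ip")
    apply_catalog "$choice"
    printf 'swscan.apple.com -> %s, catalog set to: %s\n' "${ip:-unresolved}" "$choice"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

A cron line such as `*/15 * * * * /usr/local/bin/sus-switch.sh run` keeps the key in step with the network the client is on; laptops that leave the office fall back to Apple within one interval, which is the "zero client config" behaviour the question wants without the server-side hosts-file juggling.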
2

Terrible, terrible idea.

Without checking it, my guess (and hope) is that the connection to Apple's update server uses some kind of authentication to make sure the system is really talking to Apple's server. The reason is that Apple really needs to prevent this kind of attempt, because it could be an attacker trying to pull this stunt. Since in your case, swscan.apple.com is definitely not Apple, this really needs to fail.

Sven
  • The strange behavior, I believe, is hiding in DNS somewhere. If I remove my DNS entry for the office, the update server works just fine, save for the clients not being able to connect with zero config. I know there's a one-line `defaults write` I can use to point local clients at the server, but that becomes kind of useless when laptops leave the office and lose the ability to update. If it's such a terrible idea, constructive criticism is welcome. How would you approach the idea? –  Feb 22 '12 at 15:01
  • 1
    I doubt that, but it's time to get Wireshark running to confirm your assumption. Monitor the network traffic on your client when you try to connect to your fake server and compare it with an attempt with the real deal. Anyway, DNS issue or not, I really, sincerely hope this fails in the end. – Sven Feb 22 '12 at 15:07
  • 1
    How would I do that? Not at all; I only configured non-mobile clients to use the in-house update server. – Sven Feb 22 '12 at 15:09
0

Aha! Got it all figured out, and it's working perfectly and transparently.

Tutorial and packages required are right here:

https://sites.google.com/site/stupidmactricks/home/transparentsoftwareupdateserverusingmacosxlionserver107

Thanks for all the help!