For a £398.99 upgrade fee (unlimited clients), Apple's latest version of OS/X Server, codenamed Panther, provides a boost in functionality, VPN support, Microsoft network compatibility and ease of administration.
The most significant difference that we found in our testing between OS/X 10.2 (Jaguar) and 10.3 is that Apple's previously disjointed management applications have been replaced by one Server Admin application that offers greater control over most of the system. However, Xserve RAID subsystem management still requires an extra application. Server Admin feels similar to Microsoft's Management System (MMS) but lacks plug-ins and multi-server administrative appeal.
Several open source applications have been ported and polished for Panther. Sendmail is out, and Postfix is in. Apple also added open source client interfaces from the Cyrus product that include support for both Post Office Protocol and Internet Message Access Protocol mail. There is also an open source mail list manager called Mailman. Managing all of these elements collectively was quick and simple using Server Admin.
Apple also has added integrated Point-to-Point Tunneling Protocol and Layer 2 Tunneling Protocol (L2TP) support to facilitate IPSec-based VPNs. Lacking an X.509 server to generate the VPN key exchanges needed for dynamic keys, Apple's IPSec implementation accepts only pre-shared keys that Kame generates and therefore lacks the appeal of variable-key infrastructure in the Protected Extensible Authentication Protocol (PEAP) vein. Kame is an open source IPSec/IPv6 initiative.
Because the bundled L2TP VPN software doesn't support the pre-draft IPSec network address translation-traversal function that lets VPNs transverse firewalls, an Apple server running Panther needs to be on the Internet boundary perimeter to support L2TP.
Panther includes Apple's first distribution of Samba 3.0, an open source directory service application that emulates a Windows NT primary domain controller. This lets Windows and Macs use Apple's Open Directory service to perform many of the tasks that typically are completed by a Windows Active Directory server.
There have been numerous initial bug/security fixes associated with Samba 3.0, and despite several automatic updates to the code, we found a few issues when attempting to authenticate between Panther/Samba 3.02 and Active Directory.
For example, when schema changes are made to the Active Directory database, Samba began to have authentication (and therefore additional Kerberos security) problems with Active Directory-based resources. Until this bug is sorted out, we suggest that such changes to the Active Directory schema be performed before adding the updated Panther/Samba 3.02 combination to a network.
Apple has added some mass roll-out capabilities to this revision. The first is the ability to build images for Mac clients that can be delivered from a Panther distribution server, called NetBoot. Building the images was comparatively simple using NetBoot and the new Network Image Utility. However, we couldn't build unique software IDs for distributed client applications, a problem that has myriad workarounds in the Windows world. Fortunately many Mac applications usually don't need software IDs or serialisation to work properly and legally.
Another new feature called Network Install uses NetBoot methods to roll out applications and updates. It bundles applications and/or folders into packages that can be distributed in a number of different ways. Mass server update/rollout for Panther is managed on Xserve systems via another new element called Server Assistant. While not as handy as other server mass distributors we've tested, the Server Assistant is a step in the right direction in terms of having a means of rolling out this operating system across a large network.
In terms of security, Apple has made it easier to manage how files get encrypted with the FileVault file encryption software that comes bundled with its operating system. Specifically, Apple has simplified how administrators control encryption authorisation, key storage (so that keys can be recovered), and key generation. Panther also limits the encryption capabilities to home directories rather than to application, system or library root areas.
With a number of bug-fixes and new features, it's clear that Apple understands the need for interoperability with other architectures. Panther shows a determination on Apple's part to be taken seriously in the server operating system market.