Finally, give up Lion Server
I upgraded Mac Os from SLS to Lion Server and had horrible days
configuring things such as multiple web hosting. Finally I gave up Lion server
and reinstall SLS in my mac mini server and it is working beautifully.
Multiple web hosting is very straight forward in SLS.
If you want to try Lion server, you have to make backup so that
you can recover previous setting when you reinstall SLS.
I made the tragic mistake of assuming Apple had a clue, and I only had a backup of the data, instead of also all the configuration files, so now I'm left with all my web sites completely broken, and no idea how to fix them. I'm pretty ticked off and badly disappointed.
Similar Messages
-
Final proof that Lion Server seems unfinished
These really speak for themselves.
I followed the docs available here:
https://help.apple.com/advancedserveradmin/mac/10.7/#
to activate the option so the users may change their password from their wiki page at https://server
For this I check the "Allow users to change their password" in the default website
The result is here when people login to their wiki and click "change password" at the bottom of the page they get this:
Also trying to input a new password twice and hitting the right button (what I guess would be the OK) fails saying the password server might be unavailable...
Well, I don't know if I broke something or if this page is just unfinished in the retail version of Lion Server but I surely didn't do any setup on the web service.
It's all factory setup regarding web service.
Also, wiki seems to work perfectly, webserver for progile manager and mydevices works perfectly.
Another failing web service is the webcal. The link to the webcal at the bottom of the wiki , next to change password link, fails saying too much redirects, but that may be something to do with my network.
What do you think about all this ?
Eric
@teknologismMy bad, it seems there was another error with permissions.
I created /Library/Logs/passwordreset/ and a debug.log file inside
and made the right permissions:
sudo chown -R _teamsserver:_teamsserver /Library/Logs/passwordreset/
sudo chmod -R 750 /Library/Logs/passwordreset/
deactivated the feature, reactivated it and it worked.
Now, why that folder/file wasn't automatically created..dunno... It really doesn't feel very polished...
Eric
@teknologism -
Time Machine: Lion vs. Lion Server... Lion Server breaks existing function?
Hello, I hope someone can point me in the right direction,
I recently upgraded (clean install) all of my machines to Lion. I decided to "start over" with a new time machine setup where each computer would have its own partition on the external drive. I hooked this drive up to a mac mini I had and connected all the other machines to it via the LAN and everything went well for a few days... until I tried to be clever. I decided to try Lion Server on the mini. After I added Server (which just seems to be a bunch of admin utils) and rebooted, my time machine setup stopped working. I am now getting the dreaded "the network backup disk does not support the required AFP features" (specifically TM Lock Stealing). From the client log:
8/7/11 9:31:28.531 PM com.apple.backupd: Starting standard backup
8/7/11 9:31:28.548 PM com.apple.backupd: Network destination already mounted at: /Volumes/Yggdrasil TM
8/7/11 9:31:43.988 PM com.apple.backupd: Destination /Volumes/Yggdrasil TM does not support TM Lock Stealing
8/7/11 9:31:54.000 PM com.apple.backupd: Backup failed with error: 45
Also, that volume doesn't appear anymore in the "Select Disk" dialog of the client. The volume does appear in sharing and I can copy files to/from it via Finder on the client.
Now, I went in to Lion Server and enabled "Time Machine" and set the "backup destination" to the same volume. That works fine. I can select that location and backups from my client go with no problem. That makes me think this is an arcane configuration issue... how can I get Tiger Server (or maybe it's on the client end) to recognize that the exact same disk/partition, just a different Folder is ok to save TIme Machine backups?
In other words... One share: "Yggdrasil TM" is at the root of a partition, which used to work for Time Machine in Lion prior to Server. Another share, "Backups" is inside "Yggdrasil TM" (/Volumes/Yggdrasil TM/Shared Items/Backups on the mini server). Any ideas?
I did notice that /Volumes/Yggdrasil TM/Shared Items/Backups has a .com.apple.timemachine.supported file in it, but it still didn't work after I "sudo cp -p" that file into where my older sparsebundle was.
I even went so far as to double check permissions and ACLs for both directories as being the same:
$ ls -ldae /Volumes/Yggdrasil\ TM/ /Volumes/Yggdrasil\ TM/Shared\ Items/Backups/
drwxrwxrwx+ 10 root staff 408 Aug 8 00:37 /Volumes/Yggdrasil TM/
0: group:com.apple.access_backup allow list,add_file,search,add_subdirectory,delete_child
1: user:_spotlight allow list,search,file_inherit,directory_inherit,only_inherit
drwxrwxrwx+ 5 root staff 170 Aug 8 00:32 /Volumes/Yggdrasil TM/Shared Items/Backups/
0: group:com.apple.access_backup allow list,add_file,search,add_subdirectory,delete_child
1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
I also played around with the /usr/sbin/sharing command, but that doesn't seem to have any real settings to do with this.
I guess I'm stumped, any suggestions before I restore the mini from time machine and give up Lion Server as a lost cause?
ThanksHi, it's been a while, but what I think I did was when I enabled the "real" Lion Time Machine Backups location, it created a sharepoint called Backups.plist. I looked at what was set in there to see if there was anything likely with this command
sudo defaults read /private/var/db/dslocal/nodes/Default/sharepoints/Backups.plist
and I found this bit, which looked interesting
timeMachineBackup = (
1
so, I figured I'd try it in the other plist files where I really wanted the backups as I was basically stumped. Luckily for me, it worked.
As for how I figured out where the sharepoint plist files were... I have a long name and I got tired of seeing the mounts show up as "MyFirstName MyLastName's Public Folde" (note truncation) on all my macs, so I went looking for those files some time ago. :-)
Hope that helps. -
I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
DVD>Disk Utility>Erase Disk [or Recovery Partition>Disk Utility>Erase Partition]
DVD>Install Lion
Reboot, hopefully Lion install kicks in
Update, update, update Lion (NOT Lion Server yet) until no more updates
System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
Terminal>$ sudo scutil --set HostName server.domain.com
App Store>Install Lion Server and run through the Setup
Download install Server Admin Tools, then update, update, update until no more updates
Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
A few DNS set-up steps and these most important steps:
A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
I. Test from web browser server.domain.com/mydevices: Lock Device to test
J. ??? Profit
12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
Firewall
Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
SSH
Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
client$ ssh-keygen -t rsa -b 2048 -C client_name
[Securely copy ~/.ssh/id_rsa.pub from client to server.]
server$ cat id_rsa.pub > ~/.ssh/known_hosts
I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
$ diff denyhosts.cfg-dist denyhosts.cfg
12c12
< SECURE_LOG = /var/log/secure
> #SECURE_LOG = /var/log/secure
22a23
> SECURE_LOG = /var/log/secure.log
34c35
< HOSTS_DENY = /etc/hosts.deny
> #HOSTS_DENY = /etc/hosts.deny
40a42,44
> #
> # Mac OS X Lion Server
> HOSTS_DENY = /private/etc/hosts.deny
195c199
< LOCK_FILE = /var/lock/subsys/denyhosts
> #LOCK_FILE = /var/lock/subsys/denyhosts
202a207,208
> LOCK_FILE = /var/denyhosts/denyhosts.pid
> #
219c225
< ADMIN_EMAIL =
> ADMIN_EMAIL = [email protected]
286c292
< #SYSLOG_REPORT=YES
> SYSLOG_REPORT=YES
Network Accounts
User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
Oh well.
Email
Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
root: myname
admin: myname
sysadmin: myname
certadmin: myname
webmaster: myname
my_alternate: myname
Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
cd /etc/postfix
sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
sudo serveradmin stop mail
sudo serveradmin start mail
Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
iCal Server
Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
Web
The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
$ diff httpd.conf.default httpd.conf
95c95
< #LoadModule ssl_module libexec/apache2/mod_ssl.so
> LoadModule ssl_module libexec/apache2/mod_ssl.so
111c111
< #LoadModule php5_module libexec/apache2/libphp5.so
> LoadModule php5_module libexec/apache2/libphp5.so
139,140c139,140
< #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
< #LoadModule encoding_module libexec/apache2/mod_encoding.so
> LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
> LoadModule encoding_module libexec/apache2/mod_encoding.so
146c146
< #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
> LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
177c177
< ServerAdmin [email protected]
> ServerAdmin [email protected]
186c186
< #ServerName www.example.com:80
> ServerName domain.com:443
677a678,680
> # Server-specific configuration
> # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
> Include /etc/apache2/mydomain/*.conf
I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
Alias /eyetv /Users/uname/Sites/EyeTV
<Directory "/Users/uname/Sites/EyeTV">
AuthType Digest
AuthName "EyeTV"
AuthUserFile /Users/uname/.htdigest
AuthGroupFile /dev/null
Require user uname
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
<Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
AuthType Digest
AuthName "EyeTV"
AuthUserFile /Users/uname/.htdigest
AuthGroupFile /dev/null
Require user uname
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
User-agent: *
Disallow: /
Misc
VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.Privacy Enhancing Filtering Proxy and SSH Tunnel
Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
$ ./ssht 8080:[email protected]:3128
$ ./ssht 8080:alice@:
$ ./ssht 8080:
$ ./ssht 8018::8123
$ ./ssht 5901::5900 [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
$ vi ./ssht
#!/bin/sh
# SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
USERNAME_DEFAULT=username
HOSTNAME_DEFAULT=domain.com
SSHPORT_DEFAULT=22
# SSH port forwarding specs, e.g. 8080:localhost:3128
LOCALHOSTPORT_DEFAULT=8080 # Default is http proxy 8080
REMOTEHOST_DEFAULT=localhost # Default is localhost
REMOTEPORT_DEFAULT=3128 # Default is Squid port
# Parse ssh port and tunnel details if specified
SSHPORT=$SSHPORT_DEFAULT
TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
while [ "$1" != "" ]
do
case $1
in
-p) shift; # -p option
SSHPORT=$1;
shift;;
*) TUNNEL_DETAILS=$1; # 1st argument option
shift;;
esac
done
# Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
shopt -s extglob # needed for +(pattern) syntax; man sh
LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
USERNAME=$USERNAME_DEFAULT
HOSTNAME=$HOSTNAME_DEFAULT
REMOTEHOST=$REMOTEHOST_DEFAULT
REMOTEPORT=$REMOTEPORT_DEFAULT
# LOCALHOSTPORT
CDR=${TUNNEL_DETAILS#+([0-9]):} # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR%:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
LOCALHOSTPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEPORT
CDR=${TUNNEL_DETAILS%:+([0-9])} # delete shortest trailing :+([0-9])
CAR=${TUNNEL_DETAILS##$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR#:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
REMOTEPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEHOST
CDR=${TUNNEL_DETAILS%:*} # delete shortest trailing :*
CAR=${TUNNEL_DETAILS##$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR#:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
REMOTEHOST=$CAR
fi
TUNNEL_DETAILS=$CDR
# USERNAME
CDR=${TUNNEL_DETAILS#*@} # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR%@} # delete @
if [ "$CAR" != "" ] # leading or trailing port specified
then
USERNAME=$CAR
fi
TUNNEL_DETAILS=$CDR
# HOSTNAME
HOSTNAME=$TUNNEL_DETAILS
if [ "$HOSTNAME" == "" ] # no hostname given
then
HOSTNAME=$HOSTNAME_DEFAULT
fi
ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
&& echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
|| echo "SSH tunnel FAIL." -
Upgrade from Lion Server to ML 10.8.1 Broke Mail server!
....10.8.1 OD seems to work, files and AFP available, but Mail server not working correctly. Now users don't see mail, postfix issues numerous errors about missing system_user_maps and delivers no mail? Must recover mails! Help! Where should I look, and what to read for Diagnosis ?
After upgrade in place from SL to Lion to ML. most services did not work correctly; except for Mail and DNS and OD. Reinstalled. Now most everything seems to work including Card Services, Calendars, Wiki, Web, DNS, OD. But Mail is off and missing??? No delivery of INcoming mail, No Sending Mail, no IMAP Mail login for users.
On Mail configuration in Server.App: Turned off All Filtering. Have rebooted Server several times, Restarted Mailserver from Server,app and Terninal. Same Results. Somewhere along the line from Server 10.5 to SL to Lion to 10.8 incoming Maill started going to [email protected] rather than simply [email protected].
Is it possible that virtual domains are fuzzing up the works? The error logs use the longer virtual domain (with the sevrer name prefix) rather than the domain name?
Here are some sample Log messages:
From SYStem Log:
Sep 7 19:33:56 plg1.plg-law.com postfix/cleanup[1998]: warning: 8273B199E3F8: recipient_canonical_maps map lookup problem for [email protected]
Sep 7 19:33:56 plg1.plg-law.com postfix/pickup[1324]: warning: maildrop/ECF3A196A4FE: error writing 8273B199E3F8: queue file write error
Sep 7 19:33:58 plg1.plg-law.com postfix/pickup[1324]: warning: E5AC9199E3F9: message has been queued for 1 days
Sep 7 19:33:58 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps is unavailable. open database /etc/postfix/system_user_maps.db: No such file or directory
Sep 7 19:33:58 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps lookup error for "[email protected]"
Sep 7 19:33:58 plg1.plg-law.com postfix/cleanup[1998]: warning: E5AC9199E3F9: recipient_canonical_maps map lookup problem for [email protected]
Sep 7 19:33:58 plg1.plg-law.com postfix/pickup[1324]: warning: maildrop/ED4AB196A4FF: error writing E5AC9199E3F9: queue file write error
Sep 7 19:33:59 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps is unavailable. open database /etc/postfix/system_user_maps.db: No such file or directory
Sep 7 19:33:59 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps lookup error for "[email protected]"
Sep 7 19:33:59 plg1.plg-law.com postfix/cleanup[1998]: warning: 385DD199E3FB: recipient_canonical_maps map lookup problem for [email protected]
Sep 7 19:33:59 plg1.plg-law.com postfix/pickup[1324]: warning: maildrop/EE2A9199B211: error writing 385DD199E3FB: queue file write error
From SMTP Log:
Sep 7 19:35:24 plg1.plg-law.com postfix/pickup[1324]: 3652E199E487: uid=78 from=<_mailman>
Sep 7 19:35:24 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps is unavailable. open database /etc/postfix/system_user_maps.db: No such file or directory
Sep 7 19:35:24 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps lookup error for "[email protected]"
Sep 7 19:35:24 plg1.plg-law.com postfix/cleanup[1998]: warning: 3652E199E487: recipient_canonical_maps map lookup problem for [email protected]
Sep 7 19:35:24 plg1.plg-law.com postfix/pickup[1324]: warning: maildrop/8E82B199AD06: error writing 3652E199E487: queue file write errorhere's my configured postfix main.cf file from /etc/postfix/main.cf (mountain lion server 10.8.1)
Server.app should have somewhat configured it correctly for you in someways, but something got messed up in the import script I guess.
Hope this helps...
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/.
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# SOFT BOUNCE
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
queue_directory = /Library/Server/Mail/Data/spool
# The command_directory parameter specifies the location of all
# postXXX commands.
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
daemon_directory = /usr/libexec/postfix
# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
data_directory = /Library/Server/Mail/Data/mta
# QUEUE AND PROCESS OWNERSHIP
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
mail_owner = _postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#mydomain = domain.tld
# SENDING MAIL
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# [email protected].
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#myorigin = $myhostname
#myorigin = $mydomain
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
# Note: you need to stop/start Postfix when this parameter changes.
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
# The default is $myhostname + localhost.$mydomain. On a mail domain
# gateway, you should also include $mydomain.
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
# - You define $mydestination domain recipients in files other than
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# For example, you define $mydestination domain recipients in
# the $virtual_mailbox_maps files.
# - You redefine the local delivery agent in master.cf.
# - You redefine the "local_transport" setting in main.cf.
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
# feature of the Postfix local delivery agent (see local(8)).
# Details are described in the LOCAL_RECIPIENT_README file.
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a [email protected] address.
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
unknown_local_recipient_reject_code = 550
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
# If you're connected via UUCP, see also the default_transport parameter.
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
# REJECTING UNKNOWN RELAY USERS
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a [email protected] address.
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
# Specify 0 to disable the feature. Valid delays are 0..10.
#in_flow_delay = 1s
# ADDRESS REWRITING
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
# "USER HAS MOVED" BOUNCE MESSAGES
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#alias_maps = dbm:/etc/aliases
#alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
#alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#recipient_delimiter = +
# DELIVERY TO MAILBOX
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#home_mailbox = Mailbox
#home_mailbox = Maildir/
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#mailbox_transport = lmtp:unix:/file/name
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#fallback_transport = lmtp:unix:/file/name
#fallback_transport = cyrus
#fallback_transport =
# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
# luser_relay works only for the default Postfix local delivery agent.
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#luser_relay = [email protected]
#luser_relay = [email protected]
#luser_relay = admin+$local
# JUNK MAIL CONTROLS
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
# For details, see "man header_checks".
#header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
# debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
# >$config_directory/$process_name.$process_id.log & sleep 5
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen sesssion, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
# debugger_command =
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
# -dmS $process_name gdb $daemon_directory/$process_name
# $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION
# The following parameters are used when installing a new Postfix version.
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
sendmail_path = /usr/sbin/sendmail
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
newaliases_path = /usr/bin/newaliases
# mailq_path: The full pathname of the Postfix mailq command. This
# is the Sendmail-compatible mail queue listing command.
mailq_path = /usr/bin/mailq
# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
setgid_group = _postdrop
# html_directory: The location of the Postfix HTML documentation.
html_directory = /usr/share/doc/postfix/html
# manpage_directory: The location of the Postfix on-line manual pages.
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
sample_directory = /usr/share/doc/postfix/examples
# readme_directory: The location of the Postfix README files.
readme_directory = /usr/share/doc/postfix
#======================================================================
# dovecot
dovecot_destination_recipient_limit = 1
# default mailbox size limit set to no limit
mailbox_size_limit = 0
# List of ciphers or cipher types to exclude from the SMTP server cipher
# list at all TLS security levels.
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
# Protect SSL/TLS encryption keys
tls_random_source = dev:/dev/urandom
# (APPLE) Credentials for using URLAUTH with IMAP servers.
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
# (APPLE) The SACL cache caches the results of Mail Service ACL lookups.
# Tune these to make the cache more responsive to changes in the SACL.
# The cache is only in memory, so bouncing the sacl-cache service clears it.
use_sacl_cache = yes
# sacl_cache_positive_expire_time = 7d
# sacl_cache_negative_expire_time = 1d
# sacl_cache_disabled_expire_time = 1m
#======================================================================
mydomain_fallback = localhost
message_size_limit = 104857600
biff = no
mynetworks = 127.0.0.0/8,www.yourvirtaldomain.com
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
recipient_canonical_maps = hash:/etc/postfix/system_user_maps
smtpd_use_pw_server = yes
smtpd_sasl_auth_enable = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
inet_interfaces = loopback-only
smtpd_helo_required = yes
smtpd_pw_server_security_options = cram-md5,gssapi
header_checks = pcre:/etc/postfix/custom_header_checks
smtpd_tls_CAfile = /etc/certificates/computer.yourdomain.com.D800DD955D66179EEA4321DAA0617A19FFCD1 5C1.chain.pem
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
relayhost =
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_enforce_tls = no
smtpd_use_tls = yes
enable_server_options = yes
smtpd_tls_key_file = /etc/certificates/computer.yourdomain.com.D800DD955D66179EEA4321DAA0617A19FFCD1 5C1.key.pem
smtpd_tls_cert_file = /etc/certificates/computer.yourdomain.com.D800DD955D66179EEA4321DAA0617A19FFCD1 5C1.cert.pem
mydomain = yourdomain.com
virtual_alias_maps = $virtual_maps hash:/etc/postfix/virtual_users
virus_db_update_enabled = 1
mailbox_transport = dovecot
postscreen_dnsbl_sites = zen.spamhaus.org*2
maps_rbl_domains =
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
config_directory = /Library/Server/Mail/Config/postfix -
Using DBD::Mysql on OS X Lion Server
Hello together,
I have MySQL running on Mac OS X Lion Server.
The server was upgraded from Leopard Server so it is the Apple installed MySQL server version from Mac OS X Server 10.5.
/usr/libexec/mysqld Ver 5.0.67-log for apple-darwin9.0 on i686 (Source distribution)
Now I want to install DBD::Mysql vom cpan but whatever I tried, it didn´t work.
After googling I first I thought it might be an issue of headers and libraries so I copied /usr/local/lib/mysql and /usr/local/include/mysql from a OS X client machine, where I did install DBD::Mysql months ago.
But I got some errors like
dyld: Symbol not found: _mysql_init, referer: ...
and
dyld: lazy symbol binding failed: Symbol not found: _mysql_init, referer: ....
(This is from appache error_log since I am have cgi scripts which use DBD::Mysql)
Then I read some articles that it might be an issue of 32-bit an 64-bit incompatibilities.
Could anyone give me some advice on how to get DBD::Mysql up an running or at least how to find out what the problem really is.
Thanks in advance and best regards
macmartinIn the meantime I tried many differnt things.
Finally I copied theses files from Mac OS X 10.7 client to the 10.7 Server:
/Library/Perl/5.12/darwin-thread-multi-2level/Bundle/DBD/mysql.pm
/Library/Perl/5.12/darwin-thread-multi-2level/DBD/mysql.pm
/Library/Perl/5.12/darwin-thread-multi-2level/DBD/mysql/GetInfo.pm
/Library/Perl/5.12/darwin-thread-multi-2level/DBD/mysql/INSTALL.pod
/Library/Perl/5.12/darwin-thread-multi-2level/auto/DBD/mysql/mysql.bs
/Library/Perl/5.12/darwin-thread-multi-2level/auto/DBD/mysql/mysql.bundle
/usr/local/lib/mysql/
/usr/local/include/mysql
/usr/local/mysql/lib
So if anyone runs into the same problem one possible solution could be to set up DBD::Mysql on 10.7 client and copy the appropriate files to the server.
Best regards
macmartin -
Is SSL and multiple websites possible with Lion Server?
this is the obligatory apology from a nub here....
I have not been a sys admin since the days of NT 4.0.
I like to think that "hey, i might need a touch up here and there, but I think I can find my way around..." Wrong.
I have been searching, and reading and searching and reading, and trying everything I can think of.. and I CAN NOT figure out how to get mutliple websites working with Lion Server, using self signed certs 1 for each of my subdomains.
Has anyone, anywhere (thank you google for returning searches to me from 2004?!?! More puzzled confusion....) posted a step by step guide yet???
I have a mac mini, and I have two domain names that are resolving to my exterinal interface on my router just fine, and I have tried what I thought was
every different possible combination of voodoo, magic, 00000...MoreTestingNeeded.conf, and all the other tricks.
Is it possible to get ssl and multiple websites working with one IP address?
Thanks...Thank you very much for your time and input. My birthday was fantastic! Thanks for asking.
I found out about SNI while researching an error I was getting in the log. I really never found any definitive "this is what you need to do", so I was going to get back to it later.
You probably know this, but Lion Server breaks out all of the virtual hosts into seperate documents in the "sites" directory. All I do is I launch the server.app, and in the web component, I enter the name of the website that I want to resolve to my server, and I give it the path to the docs. Thats it. There is no DNS configuration to speak of, on my part, and I don't believe that its necessary (?) to touch the httpd.conf file at this point yet either, even though I think I hear others saying you do. (I have no issues with getting into the file and making any changes, I just thought it was interesting.)
I am still trying to figure out how a user is supposed to add any other types of services LIKE ftp, etc. I know and use the server admin tools, but I have found that the app really does do its job in terms of creating all the dns records for resolving the sites you create. I sure hope its not just using the host file, is it? I never see any additional files in the DNS manager, for any of the subdomains. Where are they?
Here is the contents of what appears to be the first file read, that is for SSL enabled sites:
``````````````````````````````````````````````````````````````````
This is "0000_any_443.conf:"
`````````````````````````````````````````````````````````````````
## Default Virtual Host Configuration
NameVIrtualHost *:443
<VirtualHost *:443>
ServerAdmin [email protected]
DocumentRoot "/path/to/the/docs"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog "//log" cmbndvhst
ErrorLog "/"
<IfModule mod_ssl.c>
SSLEngine On
SSLCipherSuite "SOMEGARBAGEIDONTKNOWIFISHOULDSHAREORWHAT"
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProxyEngine On
SSLCertificateFile "/sslcerts/certs/*.DOMAIN.COM.XXXXXXXXXXXXXXXXXXXXXXXXXXXX.cert.pem"
SSLCertificateKeyFile "/sslcerts/certs/*.DOMAIN.COM.XXXXXXXXXXXXXXXXXXXXXXXXXXX.key.pem"
SSLCertificateChainFile "/path/*.DOMAIN.COM.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.chain.pem"
SSLProxyProtocol -ALL +SSLv3 +TLSv1
</IfModule>
<Directory "/Path/To/The/Docs/XXXX/SDFSDD">
Options All +MultiViews -ExecCGI -Indexes
AllowOverride None
<IfModule mod_dav.c>
DAV Off
</IfModule>
</Directory>
Include /httpd_passwordreset_required.conf
</VirtualHost>
```````````````````````````````````````````````````````````````````````````````` `````````````
So.. my questions are:
Where in the .confs do I add what I need from your above items? Would it go each of the site docs that I need? I am really not sure what apple is doing here.
I have 4 domain names resolving to my server right now, and subdomains to each of the domains. So there are a total of about 10 "site" docs, not a big deal to change each, I just wonder if Lion overwrites these docs with each refresh or what? Also, If I try to add a third .com right now it breaks the whole site.
(Out of conversation, but I just remembered this. I just had to "quit" out of the server.app.) When installing the directory server, it hangs on "getting certificates". The spinning wheel (not the rainbow collered one, but the black one by the words "Getting Certificates") just sits there and spins. I finally just hit the red X and relaunch server.
Lastly, you meniton importing the key. I am using the key manager within the server app. I am not sure where and how I would make the cert and key you are referring to for the importing? I have tried to use the key manager in the OS, but I am not sure of the relationship between that key manager app, and the key manager within the server.app. I have tried to create certs in the keymanager in the OS side, but I do not know how to get them to show up for use in the keymanager in the server.app.
BTW: Thanks. Thanks for the help. I really appreciate it. -
Lion Server Install Failure/Incomplete
Hi,
I just purchased and tried to install Lion Server. After a few hours of being stuck at "Configuring System", and the progress bar being "stuck" for over 45 minutes, it just crashed. Now launching the app just brings the server menu but none of the services can be accessed (almost all menu entries are grayed out).
So I can't re-install (because it thinks it's already installed) and the install is incomplete and thus wont work! This is very annoying.
Apple, I love you guys but for those of us who are playing with server, don't give us the one button for dummies UI. Maybe some of us are techs who aren't afraid of the command line or "advanced" menus (an option like --force-reinstall would be nice right now!!!).
Any suggestions???
Thanks,
PS: What's with the install UI window with a cropped progress bar and icons? The window can't be resized nor scrolled ???Since Lion Server is essentially an app, you can throw it in the trash and re-download it. I believe that what that application does is give you front-end access to tools that are already on your system, and adds a few command-line tools such as slapconfig.
I would try this: trash the application, you can even try using something like AppCleaner, which finds associated plists. Then, go to /Library/Receipts. There is a plist in there that contains the install history. find and remove any entries associated with install. Don't worry if you accidentally delete something that isn't associated, as it is ust a receipt list, but it is alway a good idea to make a backup of the original, just in case.
Once you do that, reboot the machine into single user mode and run "fsck -fy" from the command line. once that completes, reboot and run repair permissions from disk utility. Finally, re-download the app from the App Store and re run the installer. You might need to hold down the option key to re-download, but either way, it should come back down and run again.
If none of that work, I would go with the backup, wipe, and install suggestiosn from above. Grab youself an extneral hard drive (a good investment anyway), clone the machine with Carbon Copy Cloner, and then wipe and re-install. -
Upgrade MacPro Tower from OSX Lion to OSX Lion SERVER (Pros/Cons)
I recently upgraded both of my Mac's to OSX 10.7 lion
First the stats on both my macs;
#1
12 Core MacPro Tower
x2 Stock 2.66 GHz Westmere Processors
12 GB Mem
120 GB SSD intel boot drive
x3, 2TB Samsung HD's in the other 3 slots
Running single user Mac OSX 10.7 lion, and one of thw Samsungs has a 500GB Windows 7 partition
#2
15" 2011 Macbook Pro
i5 Intel
8GB Memory
120 GB SSD
Running single user Mac OSX 10.7 lion
The home network it run by a 500GB Time Capsule (used to back up the laptops preferences only really, the tower has it's own 4 bay RAID unit that I use to back it up), the home network also supports two apple TV's which stream iTunes media from the tower. I of course use my laptop for when I am out in the field and away from home, whatever downloads or files I've created on it are transfered to the Tower and then deleted from the laptop for the most part. Recently my grilfriend has moved in and wants to use the tower in the similar fashion that I do as she also has a mac (which I mostly maintain), and I want to create a system that makes it easier to share and transfer files remotely on our home network, which finally brings me to my question. Would upgrading my tower to 10.7 Lion server edition allow for a more versatile set-up like this? Would I still be able to use it as a stand alone desktop with all of the apps it has insalled in it? Would it affect my media (iTunes) library and streaming to appleTV/airtunes or home sharing? What are the pros and cons of switching from a single user OS to the server OS?
Thank you in advanve for being patient with me, I'm relatively new to trying to be more than just an average computer user,
-AdamI was just in a conversation on another list going on and on about syncing, calendar sharing, hassles with Mail, etc. I was explaining that today, even though there might only be one or two computer users on a LAN, each of those users may have several devices, so we're back to client/server architecture. But I didn't realize Lion Server was only $49 piddling bucks!
I'd do yerselft a favor and get it; I'm thinking of it. I've probably paid more over time for various applications and services that do what it does outta the box. Like calendar and contact sharing, email serving, etc. It does webdav too, which makes file sharing easier on mobile devices.
Otherwise it acts like any old Mac; I can't imagine her use would strain any of the resources you have. Much of the software the server uses is part of the regular OS anyway. Check out the features it has; it looks pretty good.
And give us a review if you get it.
Rob -
What to do when SLS - Lion Server Upgrade & Migration Fail
Hi everyone,
I've had a tough time over the past week trying to updating my SLS to LS. (It was a slow week at the office so despite the warnings in these discussions I wasn't disturbing anyone, so I thought I'd try...) Both an upgrade to the current running system and a clean install on a wipe of that hard drive stall at the "Configuring Services" "Upgrading services" screen of the set up process. The migration path eventually fails, and as far as I can tell, it seems that the upgrade path just stays there forever.
Don't worry - I'm doing this all on a Super Duper! clone of my primary drive, so I can go back to SLS whenever I need to.
BUT, I can tell that the server's status is at least partially okay, even in this stalled setup state - iChat seems to work on various clients, and I can use Server Admin to see stats and services, etc.
So despite the discomfort of a failed install, part of me feels like I'll be fine with the LS if I can just figure out how to move my old data into the right places for the new system to use it. But I can't find any guidance for that. I'm looking to migrate OD (seems to have migrated fine), iCal, iChat, Address Book, Wikis, Time Machine, and File Sharing (which should be trivial to set up, I reckon).
Can anyone point me in the right direction?
Thanks very much,
WillhausOkay, so I've had some marginal success.
After leaving the hung install for a ridiculous amount of time (24+ hours), I realized that I could click the help button, and from the help window click the "further info about Lion Server" link to launch Safari. That gave me access to Software Update from the Apple menu, which then let me install the latest Safari update which conveniently enough requires a restart.
After restart, the Server Migration Assistant kicked in again, but failed quickly in the upgrading services stage. Another restart, and the sever finally booted more or less normally.
The strange thing was that although chat services worked fine during the hung install, all OD-related services stopped working after restarting. Turns out there were no users or groups in OD. Importing them from an OD archive, though, restored them.
So now iChat works great (even the old chat longs migrated successfully), and AFP is properly sharing our volumes across our studio's network. So our server is limping along.
The other services we need that aren't up yet are Wiki and iCal. Some info about those:
Wiki: administrators can log in and see all wikis just fine. That's awesome because it means the data migrated successfully. Any non-admin users can log in, but are then get a wiki-styled page that says simply "No wikis found". It's as if they don't have permissions to see the wikis, even though in Server.app they belong to the groups that the wikis are associated with. I've tried removing and re-adding users to groups, but that doesn't seem to do it. Any ideas how to fix this?
Calendar: While I can't get this to work, it's not like it's completely lifeless. An account in a client Lion iCal configured with the proper Lion settings returns an error that reads:
"The Server is Busy or Unavailable.
"The server at myserver.com is currently unable to handle the connection for account “ Calendars” due to a temporary overloading or maintenance of the server. If this continues you should contact the server administrator.
"You may try to connect to the server again or take the account offline."
As a logged in administrator, in a wiki clicking on Calendar in the nab bar goes to the calendar style page with an unending dialogue box that reads "Getting events from server". And clicking on Calendar from Home page footer takes me to the URL https://myserver.com/webcal with an error that says:
"Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8r DAV/2 Server at myserver.com Port 443"
Again, at least I'm confident that the data migrated properly - I can find all the calendar data in it's proper new location - but either the service won't start or something's not configured correctly. I've tried chaining the hostname and restarting the service about a billion times. I've got no idea what to try next. Any ideas?
Thank you so much,
Willhaus -
We have a Mac Mini (new Nov. 2011) runnig Lion Sever 10.7.2 and I can't get it to work properly. I have done two instals including the original startup. I have an OD running, I have added users and groups. The Mac's and PC's in the office can access the shared folders and files without any problems. We are using a new Time Capsule and it is working fine. I'm even running Rumpus FTP software using port 8000 and that is working fine.
When I set up the server the second time I followed the instructions from lynda.com. I have a SSL cert. from GoDaddy installed.
Problem #1:
If I set the Server's DNS Server to its own IP address, to run MiniDNS the server has a very hard time connecting to the internet. Safari is super slow and will time out when trying to reach websites like Apple.com.
Problem #2:
The Wiki, Web & Profile Manager do not work. When I go to my domain (server.saterdesign.com) I get the "Safari can't connect to the server".
Problem #3:
When a local Mac tries to Add the server by going to the System Preferences, Mail, Contacts & Calendars and chosing "Add Account" and then clicking "Add a Max OS X Server account => clicking create, the server shows but if you choose it and try to Set Up, it says "Unable to verify user credentials". I have also tried to connect to the server using its fully qualified domain name without success.
All the Lion Server seems to be able to do is run the OD, and share files. I can't use the Server Address book, or iCal or iChat, or Web, or Wiki, or Profile Manager.
I've turned all the services off and on again. I've set the SSL to None, and to a self signed SSL.
After the second instal the Web, Wiki, and Profile Manager worked for awhile. Then I had to change the IP address of the Server, that broke all that stuff. When I changed it back, it still didn't work. BUT, even when the Web & Wiki . . . etc. was working, I could not get the client Mac's to Set Up and use the Server services, other than File Sharing.
P.S. Doing things in the "Terminal" give me the runs . . . . I'm a GUI guy - a Graphics Guy forced into the IT world by horrible career choices.Anad Nosbig wrote:
I tried using Terminal, I typed in /var/named and it just said:
-bash: /var/named: is a directory
You'd need to use the cd command to change to the /var/named directory. Type man cd for more info on the cd command.
Anad Nosbig wrote:
I truly appreciate the help, I do . . but this is beyond ridiculous. When you buy a new car it runs, you don't have to go home and learn how to adjust the computer controlled variable timing BEFORE the engine will run!!
I'm trying to help you. If you just want to complain, call Apple.
Anad Nosbig wrote:
Do I have to run DNS??
If all I want is Address Book and iCal, is DNS a MUST??
Is DNS necessary for file sharing??
Yes, DNS is a must for OS X server. If you want services to run reliably (or at all) you will need functional DNS.
Anad Nosbig wrote:
The first time I had this set up I was not running OD. I wiped it clean and re-installed the OS so I could start fresh and do it correct from the start with a FQDN and a trusted SSL, and OD. After all that I'm back at where I was when all it was doing is sharing files. This came from Apple as a Mac Mini Server, it should just be and DO that!
It is and can do everything you want it to, but not without proper configuration. If you were expecting to plug it in, turn it on and just go without any configuration, then maybe a server isn't for you. -
Lion Server Profile Manager Configuration
Hi Guys,
Currently have been testing Lion Server and Profile Manager Configuration.
So Far Have setup
Lion with Server App and Server Admin Tools
Configured Open Directory Master and enabled SSL on LDAP
Once Configured OD has created a CA Certificate can use for Profile Manager
Have Enabled in Server.app Web and Profile manager
In SSL Certificate Configuration have set CA Certificate for Web and Enabled Apple push notifications with my apple ID
In Profile Manager Enabled Device Management and Enabled Sign configuration profiles and selected CA Open Directory Certificate Created when setting up OD Master.
On Server Originally could install Trust Profile OK and Enroll Server OK with no issues, but on any other 10.7 Devices could install Trust Profile OK but would always say unsigned and Enroll would never work or just hang.
Now Since Played around with settings on 10.7 Server can no longer enroll but trust OK.
Questions have is
For SSL and Profile Manager to work properly as well as Certificates do you require to purchase a proper SSL Certificate or can we use the OD Master Certificate that gets created. All we are testing is on the Local LAN so don't want to get a SSL certificate from the internet.
Also why cannot 10.7 clients trust profile and enroll Devices Properly? How do I get this working properly?
Any ideas?
Regards,
Shanetaubmas wrote:
Not sure if its that as finally got Lion Server working on a VM setup so network shouldn't be an issue...
Had 1 OSX Lion Server VM and 1 OSX Lion Client VM and OSX Lion Server VM gets profile and enrolls device fine but again OSX client doesn't get enroll just sits again at installing..... even if set keychain to trust and make trust profile verified..
any other ideas? I think need to somehow get the server to trust trust profile by default instead of going to keychain all the time.
Shane
Did you get this to work in an ESXI envrionment? If so, which version are you running? -
A stable, fast reliable VNC connection to Lion or Lion server
I hope this post help people with VNC setup from non Mac machines to a Mac running Lion or Lion Server 10.7.4.
Apple has changed quite a few things in Lion regrading VNC and screen sharing. As a consequence many VNC viewers are no longer compatible until the VNC software is upgraded to be Lion compatible. You will find many posts about this topic in this forum, eg
https://discussions.apple.com/thread/3289794?start=0&tstart=0
Often, the result is that the user can't proceed beyond the gray login screen (screen locks up etc).
This post describes how configure Real VNCs VNC server on Lion Server 10.7.4 to work in conjunction! with ARD, thus allowing you to keep screen sharing enabled and still use ARD from client if that is desired)
Download the VNC server at (Version 5! necessary)
http://www.realvnc.com/download/vnc/latest/
and install the VNC server on the host (the computer you want to login to via VNC)
Single User Host setup
==================
- Install the VNC server and follow the intsruction
(If you your Mac is configured for remote management, screen sharing, remote apple events the installation may complete with error stating to contact the manufacturer....ignore the error as it most likely caused by a port conflict because VNC server and ARD (or apple scrren sgaring both use port 5900 per default), the software was still completely and correctly installed.
- start VNC Server by opening Finder -> Applications -> Real VNC -> VNC Server (User Mode)
You will see a small VNC icon in the top tsak bar of the screen.
(if you open the "information Center" the issues tab will show a port 5900 conflict)
- open VNCserver Options and select the connections tab:
+Change the default port from 5900 to 5901 and serve Java viewer on Port from 5800 to 5801
+ Change Authetication to "Mac password"
+ Select Encryption "always on"
- Selct the expert tab
+scroll down to the bottom of the list and change "StopUserModeOnSwitchOut" to "no"
(this settings prevents the VNC server to be stopped automatically if you have Fast Switching User Mode enabled on the host.)
- select "Apply"
(now if you open the Information Center" again, the port conflict problem should be solved.
- select "open" from the VNC server menu:
If the configuration was succesful, thw window will show a check mark in a green box stating everything is ok.
- In addition you will find the address that the client user will need to connect to the VNC server on the host
it will say something like "VNC viewer user can connect using the address 192.168.x.y:1"
Note: If you start several VNC servers, each session will need a dedicated port (like 5902, 5903 etc)
Router/Firewall Settings:
===================
Depending on the router/firewall you use your ports may have been automatically configured for you (airPort extreme for example).
You need to open port 5901 and 5801 and forward these ports to the IP address of the host. If ARD was alredy working in your setup, you can copy the port coniguration for ports 5900, 3283 and 3306 that are used by ARD and implement the same rules for the new port used by VNC 5901.
Review the settings of your firewall/router.
VNC client
========
- download the VNC client for your OS from
http://www.realvnc.com/download/viewer/
and follow the install instructions.
- Start the VNC client on your client PC (Windows for example) and enter the address that the VNC server reported to you earlier (192.168.x.y:1)
- Encryption : "Let VNC Server choose"
- select "connect"
- enter your Mac username and password that was setup on your host
you are now connected via VNC to your host.
You can also configure the VNC server to allow other users to login to the same! VNC session using their user credentials (friends/family or serverAdmins that want to share access to the host)
To do this open the options dialog box on the VNC server host computer and select "configure" next to authentication.
- add the users that are supposed to get access to your VNC session using their own credentials. (make sure this is what you really want, otherwise read on in the multi user section of this post)
Multi User Host Setup
=================
If multiple users are supposed to access the host computer using their own credentials logging into their own! desktop, follow these instructions:
- first enable Fast User Switching on your host computer by going to
System preferences -> User/Groups -> Login Options and select the check box "show fast user switching menu as..."
- For each user on the host that should be reached via a VNC session start VNC server (user) as described before and assign a new port number to the new user like 5902 etc.
- repeat the configuration outlined above for each user (eg. "StopUserModeOnSwitchOut" to "no")
(note initilally when you start the VNC server for the first time again, you will get notified that a port conflict exists again....this disappears as soon as the new port is configured)
now another user can login via VNC into his own desktop using the server address : "191.168..x.y.:2"
Final notes:
=========
I spent hours trying to get a variety of VNC viewers to work with the new screen sharing/VNC implementation in Lion and finally gave up. I called Apple Enterprise support and they confirmed that "a majority of the existing VNC products are not compatible with the new VNC implementation in Lion yet and that Apple recommends ARD". The discussion on what other non Mac users (Windows, Linux) should do did not go anywhere....
I have tested the above configuration with the free version VNC server 5 on the host and the free version VNC viewer 5 on a client. It worked flawlessly, fast, reproducable and very stable. You need to be aware that depending on the features you want (number of desktops, users etc) that you may have to purchase the personal or enterprise edition for the server.
The featurs are described here:
http://www.realvnc.com/products/vnc/
I personally installed the enterprise edition after I verified that the free editions worked stable and reliably as I needed them to work.
I hope you now have a stable VNC link into your Lion host from the platform of your choice !I'm using the free VNC edition from RealVNC on Mt. Lion (10.8.5) and the basic information is in this article for Lion is confirmed for the VNC Server 5.0.6 (r113416) on Mt. Lion.
The main Options... window shows the Connections tab and I just changed my port to something other than 5900 and the port conflict went away.
The Free edition does not allow Mac password and encryption can't be enabled. (Ya gotta pay for that.)
Connected to it from my iPod Touch using Mocha VNC with no problems. -
How do I set up my Time Machine and Mac Mini with Lion Server so i have one wifi loop in the house?
HELP!
So I have had a Time Machine wifi loop at the house for approx. 6 years. I run two Macbooks, 2 iPhones, 2 iTouch and a Samsung Smart Blueray on the loop.
I just bought a Mac Mini with Lion Server. When setting it up I'm not sure what or how I managed to do, but I now have 2 wifi loops, one doesn't lock and niether will support the Samsung BlueRay. Also, each time I want to go online with one of the other Mac devices i have to relog into the wifi loop.
Can someone please walk me through the fix. The mac Mini is plugged straight into the Time Machine to recevie its internet connection.
Thanks!
JohnYou often see this limit of 10 clients in wireless hotspots but I have yet to see it in an adsl modem.. most strange way to pay for a service that is really irrelevant how many clients you use.
Have a go .. I recently setup a TC to help a guy run his Roku.. and this setup worked well.. I have no idea if it can work in your case.
Lets say the IP you get is 192.168.2.1-10 .. doesn't matter what it really is. And the adsl modem is 192.168.2.254
(Assuming they are private addresses.. if they are public IP you can just use the DHCP and NAT. )
But go to the airport utility.. I think you need to run v5 at least to change DNS.. but you can do the same thing in v6 using static but no dns changes.
Now you set the IP of the TC manually.. This address might need to be in the dhcp range of the modem to work. You can set the DNS to same IP as the router address.. ie home address of the modem. Or you can use another DNS.. whatever you like.
Then set DHCP for clients that will join.. this can then expand the scope of addresses..
It worked without a NAT error.. although I am not sure exactly how.. on paper it should not be able to work but did.. have a go.. otherwise there is perhaps another way.. but it is complicated.
Give us an example from a computer plugged into the modem of what IP .. subnet mask .. Gateway and DNS you get. Then I can fine tune the values for it. -
Lion Server: All network users have disappeared
Hi,
A search through the forums and kbase didn't give me anything that mapped well to my problem. Here's the situation:
Specs:
Mac Pro (2008) 6GB RAM, SSD boot with space available, OS X Lion (latest) with Server.app
Services:
File Sharing
Users: less than 15—accounts only used for file server access.
This is the only server on the local network, all network routing is taken care of by a Meraki router.
I went to add a new user to our fileserver, and was unable to connect to the server over Apple Remote Desktop. At the time, file sharing from the server (I *believe*) was still working. I logged in with the file server's local admin account via SSH and tried to use Kickstart to get ARD running again—something I'm well versed in. The script ran as usual, but ARD could still not connect. So, as everyone was in a meeting, I tried to use `shutdown` to reboot the fileserver from the CLI, something I've also done in the past (but not frequently). Usually that takes about a minute to work, and then my shell disconnects—but after 5 minutes, the Mac had not rebooted.
At that point, I decided to walk to the server and manually force it down by holding the power button in. That powered off the Mac, and 30 seconds later, I booted it up.
Back on my Mac via ARD, I was able to remotely control it and got to the Fileserver's log in screen, which featured a red dot in the use field I'd never seen before. It's tool tip read "network users are currently unavailable" (paraphrased, perhaps). I logged in with the Fileserver's local admin user (as usual) and launched the Server.app, only to find that in the `Users` section, there were no users listed, and the plus and minus buttons were greyed out.
I tried rebooting but got the same results. I then repaired permissions and verified the boot drive. Lots of permissions repairs (as usual) but nothing improved. Another reboot after the permission repair and disk repair, just for safety's sakes… and as you can guess by me posting here… no improvement.
I'm not heavily versed in Server. I'm not even sure if those users are stored in a database, and where that DB would live. Does server make dumps or backups of the users on its own? Should I have been? Is this LDAP? Anyone have some next steps I can try? What info would be useful?
My first goal would be to recover a damaged DB. I only have just under 15 users, so re-creation isn't difficult. But, under the department of "I don't know a ton about Lion Server" I don't know if network users act like OS X users… where you could create a new user with the same username, but if their UID is different, then they won't have access to their owned files on the fileserver… is Server that exacting? Does it care who owns the file?
Thanks in advance for any ideas, or resources you can point me to!It gets far weirder……
Now no one, myself included can log in.
Checking the logs, which I'll try to attach a small sample of here (Dropbox link below since you can only attach images here), I see repeated instance of both `opendirectoryd` crashing and respawning, and of server manager unable to authenticate:
1/19/15 4:57:06.658 PM com.apple.opendirectoryd: Assertion failed: (0 == (connection->flags & eODConnectionFlagSocketValid)), function __odconnection_connect_block_invoke_2, file /SourceCache/opendirectoryd/opendirectoryd-172.17/src/odconnection.c, line 988.
1/19/15 4:57:07.641 PM com.apple.launchd: (com.apple.opendirectoryd[13760]) Job appears to have crashed: Abort trap: 6
1/19/15 4:57:07.641 PM com.apple.launchd: (com.apple.opendirectoryd) Throttling respawn: Will start in 9 seconds
1/19/15 4:57:07.761 PM ReportCrash: Saved crash report for opendirectoryd[13760] version ??? (???) to /Library/Logs/DiagnosticReports/opendirectoryd_2015-01-19-165707_localhost.cras h
1/19/15 4:57:17.276 PM PasswordService: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: user with slot 4873a20f-0cc0-f7c3-0000-000a0000000a not found. Result: 80 Other (e.g., implementation specific) error
1/19/15 4:57:17.277 PM AppleFileServer: _Assert: /SourceCache/afpserver/afpserver-585.7/afpserver/AgentSession.cpp, 856 (4294952813)
1/19/15 4:57:32.703 PM servermgrd: servermgr_accounts: got error 2100 trying to auth to local LDAP node
https://dl.dropboxusercontent.com/u/1344045/server-sample.log.txt
Maybe you are looking for
-
How to display swf in full screen mode and how to redirect to a url
Hi, I have 2 questions : Question 1 - I have a flash swf file and I want to display it in the browser in full mode meaning it should fit the browser, I have tried adding fscommand("fullscreen", "true"); in the first frame of a lyaer but it does not w
-
Friday Question: Best Interview Questions
For this week's installment, I'm asking for questions (what?). If you were to interview somebody for a job in your domain (and I know that many of you probably do interview people), what are some key questions you would ask? I'm always disappointed i
-
Ifs Instalation (Database+app server same box)
My environment: Windows Professional 2000 Oracle Database 9.2.0.1 production Oracle9iAS Java Edition v9.0.3 Oracle Internet File System Release 9.0.2 for windows I installed Oracle Ok. I installed Oracle9iAS Java Edition v9.0.3 in separate home Ok I
-
JNLP and Tomcat JNDI DataSource
Software JDK 1.5 Update 6 Tomcat 5.5.4 Requirements I have a Client Side requirement and this project is going to be deployed to 5 users initially all in a lan but there are very chances of adding more users simultaneously. I am thinking of deploying
-
I'm sick of my macbook connecting to my neighbour's BTFON network
I'm sick of my macbook connecting to my neighbour's BTFON network EVERY TIME I START MY MAC even though I have my own network set up and "remembered". Can i tell my mac to ignore their INFURIATING network?