How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
Start with an erased, virgin, single GUID-partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use Disk Utility to erase the OS X partition and then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout Server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Someday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
1. DVD>Disk Utility>Erase Disk [or Recovery Partition>Disk Utility>Erase Partition]
2. DVD>Install Lion
3. Reboot; hopefully the Lion install kicks in
4. Update, update, update Lion (NOT Lion Server yet) until no more updates
5. System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer Name ("server" is a good standby)
6. Terminal>$ sudo scutil --set HostName server.domain.com
7. App Store>Install Lion Server and run through the Setup
8. Download and install Server Admin Tools, then update, update, update until no more updates
9. Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
10. System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
11. A few DNS checks, then these most important steps:
A. Check that the Unix command "hostname" returns the correct hostname and that you can see this hostname in Server.app>Hardware>Network
B. Check that DNS works: the Unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that's your static IP) should point to each other. Do not proceed until DNS works.
C. Get the Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
D. Server.app>Profile Manager>Configure... [Magic script should create the OD Master and a signed SSL cert]
E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on the hyperlink to get to the web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority". Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed as an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.]
I. Test from web browser server.domain.com/mydevices: Lock Device to test
J. ??? Profit
12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
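Step B above insists that forward and reverse DNS agree (and match the kernel hostname) before you continue. Here is an added preflight check, example code written for this write-up rather than anything from the original post, that wraps the host and hostname commands and reports every mismatch; the HOST_CMD variable is an assumption added so the lookups can be substituted when exercising the script offline.

```shell
#!/bin/sh
# dns_preflight: confirm A(FQDN) == IP, PTR(IP) == FQDN and hostname == FQDN
# before promoting the box to an Open Directory master.
# Constructed example for this write-up, not from the original post.
# HOST_CMD (assumption) lets a test substitute a fake `host` command.
HOST_CMD=${HOST_CMD:-host}

# forward_ip FQDN -> first IPv4 address that `host` reports for FQDN
forward_ip() {
    "$HOST_CMD" "$1" 2>/dev/null | awk '/has address/ {print $NF; exit}'
}

# reverse_name IP -> PTR target for IP, with the trailing dot stripped
reverse_name() {
    "$HOST_CMD" "$1" 2>/dev/null |
        awk '/domain name pointer/ {sub(/\.$/, "", $NF); print $NF; exit}'
}

# check_dns_pair FQDN IP [HOSTNAME]
# Returns 0 only when all three agree; prints one FAIL line per mismatch.
check_dns_pair() {
    fqdn=$1; ip=$2; kernel_name=${3:-$(hostname)}
    rc=0
    fwd=$(forward_ip "$fqdn")
    rev=$(reverse_name "$ip")
    if [ "$fwd" != "$ip" ]; then
        echo "FAIL: A record for $fqdn is '${fwd:-none}', expected $ip"; rc=1
    fi
    if [ "$rev" != "$fqdn" ]; then
        echo "FAIL: PTR for $ip is '${rev:-none}', expected $fqdn"; rc=1
    fi
    if [ "$kernel_name" != "$fqdn" ]; then
        echo "FAIL: hostname is '$kernel_name', expected $fqdn (sudo scutil --set HostName $fqdn)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $fqdn <-> $ip and hostname agree"
    return "$rc"
}

# Usage: ./dns_preflight server.domain.com 10.0.1.2
if [ $# -ge 2 ]; then
    check_dns_pair "$1" "$2"
fi
```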
You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
Firewall
Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run, and set up your router (assuming that your server sits behind a router) to forward these ports to your server's LAN IP. This is mostly a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap is available from MacPorts after installing Xcode from the App Store) help show which ports are open.
SSH
Do this with strong security. Use Server.app to turn on remote logins (which opens port 22), but edit /etc/sshd_config to turn off root and password logins:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
I'm not sure if toggling Allow remote logins reloads this config file; if not, run "sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist ; sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist" to restart the server's ssh daemon. (That is sshd's launchd job; org.openbsd.ssh-agent.plist under LaunchAgents is the per-user key agent, and cycling it does not touch sshd.)
Then use ssh-keygen on the remote client to generate the public/private key pair that will be used to log in to the server.
client$ ssh-keygen -t rsa -b 2048 -C client_name
[Securely copy ~/.ssh/id_rsa.pub from client to server.]
server$ mkdir -p ~/.ssh && cat id_rsa.pub >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
[The file is authorized_keys, not known_hosts (known_hosts is the client-side list of server host keys), and ">>" rather than ">" so an existing key is not clobbered. sshd ignores the file if it or ~/.ssh is group/world writable, hence the chmods.]
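As an added check that is not part of the original post: the three sshd_config lines above only bite if sshd sees them as the first uncommented occurrence of each keyword, because sshd uses the first value it finds and keywords are case-insensitive, so appending them to a file that still carries an earlier "PasswordAuthentication yes" changes nothing. The script below (example code for this write-up; function names are mine) reproduces that rule and fails unless all three settings resolve to "no". It assumes the "Keyword value" form shown above and ignores anything below a Match block, where settings are conditional.

```shell
#!/bin/sh
# audit_sshd_config FILE: confirm PermitRootLogin, PasswordAuthentication and
# ChallengeResponseAuthentication are all "no" in the way sshd will read them.
# Constructed example for this write-up, not code from the original post.

# effective_value FILE KEYWORD -> the value sshd would use (global section only):
# comments and blank lines are skipped, keywords compare case-insensitively,
# the FIRST occurrence wins, and parsing stops at the first Match block.
effective_value() {
    key_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key_lc" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"              { exit }
        tolower($1) == key                  { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> 0 only if every setting is "no"; prints each deviation.
# An unset keyword counts as a failure: the sshd defaults for all three are permissive.
audit_sshd_config() {
    file=$1; rc=0
    for key in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$file" "$key")
        case "$val" in
            no) ;;
            "") echo "WARN: $key not set in $file (permissive sshd default applies)"; rc=1 ;;
            *)  echo "FAIL: $key is '$val' in $file, expected no"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: ./audit_sshd_config /etc/sshd_config
if [ $# -ge 1 ]; then
    audit_sshd_config "$1"
fi
```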
I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts/denyhosts.cfg:
$ diff denyhosts.cfg-dist denyhosts.cfg
12c12
< SECURE_LOG = /var/log/secure
> #SECURE_LOG = /var/log/secure
22a23
> SECURE_LOG = /var/log/secure.log
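Review bot: this hunk and 12c12 are one logical change (pointing SECURE_LOG at Lion's /var/log/secure.log), so the commented-out copy of the old path left behind at line 12 is noise and could simply be deleted. Before relying on the daemon, confirm that sshd's authentication messages actually land in that file on this box (grep sshd /var/log/secure.log), because DenyHosts silently does nothing useful if the log path is wrong.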
34c35
< HOSTS_DENY = /etc/hosts.deny
> #HOSTS_DENY = /etc/hosts.deny
40a42,44
> #
> # Mac OS X Lion Server
> HOSTS_DENY = /private/etc/hosts.deny
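Review bot: /etc is a symlink to /private/etc on OS X, so the HOSTS_DENY value added here names the same file that 34c35 commented out; the rewrite is cosmetic, but the file must exist and be writable by the account DenyHosts runs as. More importantly, hosts.deny is only consulted if the running sshd was built with TCP wrappers support, so once DenyHosts has recorded its first offender, check that the 'sshd: <address>' entry is actually honoured (sshd logs a refused connection); otherwise the blacklist is decorative and the monitoring emails are the only benefit, as the surrounding text already concedes.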
195c199
< LOCK_FILE = /var/lock/subsys/denyhosts
> #LOCK_FILE = /var/lock/subsys/denyhosts
202a207,208
> LOCK_FILE = /var/denyhosts/denyhosts.pid
> #
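Review bot: LOCK_FILE now lives under /var/denyhosts, which must exist and be writable by the account DenyHosts runs as before the daemon is started (sudo mkdir -p /var/denyhosts), or it exits at startup unable to create its PID file; the old /var/lock/subsys path is a Linux convention with no counterpart on OS X, so the substitution itself is right. The bare '#' line added after it is an empty comment and can go.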
219c225
< ADMIN_EMAIL =
> ADMIN_EMAIL = [email protected]
286c292
< #SYSLOG_REPORT=YES
> SYSLOG_REPORT=YES
Network Accounts
Use Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as it should be. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email address to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
     User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
Oh well.
Email
Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this:
root:           myname
admin:          myname
sysadmin:       myname
certadmin:      myname
webmaster:      myname
my_alternate:   myname
Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you will probably have to relay your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent through Comcast's own servers). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this relay. I had to do this with the file /private/etc/postfix/main.cf:
cd /etc/postfix
sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
echo 'smtp_sasl_security_options = noanonymous' | sudo tee -a ./main.cf
sudo serveradmin stop mail
sudo serveradmin start mail
[tee -a under sudo rather than "sudo echo ... >> main.cf": with the latter only echo runs as root, the ">>" redirection runs as your own user and fails on the root-owned main.cf.]
Finally, make sure that you're running a blacklisting service yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Then set up mail to use strong Kerberos/MD5 settings under Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
iCal Server
Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
Web
The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
$ diff httpd.conf.default httpd.conf
95c95
< #LoadModule ssl_module libexec/apache2/mod_ssl.so
> LoadModule ssl_module libexec/apache2/mod_ssl.so
111c111
< #LoadModule php5_module libexec/apache2/libphp5.so
> LoadModule php5_module libexec/apache2/libphp5.so
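Review bot: enabling php5_module here applies to every alias and site Apache serves, not only the EyeTV index.php mentioned later, so any directory made browsable afterwards will also execute .php files it contains; keep Apple's PHP security updates applied and never point an Alias at a directory that remote users can write to.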
139,140c139,140
< #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
< #LoadModule encoding_module libexec/apache2/mod_encoding.so
> LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
> LoadModule encoding_module libexec/apache2/mod_encoding.so
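Review bot: mod_auth_digest_apple is the module the AuthType Digest blocks in the EyeTV config depend on, so this hunk and that config file have to ship together; run sudo apachectl configtest after editing so a missing module surfaces as an 'Invalid command' error before a restart leaves the web service down. mod_encoding is unrelated to that and only matters for non-ASCII WebDAV file names; if WebDAV is not in use, leave it commented out rather than loading code you do not need.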
146c146
< #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
> LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
177c177
< ServerAdmin [email protected]
> ServerAdmin [email protected]
186c186
< #ServerName www.example.com:80
> ServerName domain.com:443
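Review bot: ServerName domain.com:443 disagrees with the automatically generated certificate, which (as the text later notes) is issued only for server.domain.com, and with the A record created for server.domain.com during setup. Browsers validate the name they were asked for, so the mismatch mostly shows up in self-referential redirects, but setting ServerName to server.domain.com:443 keeps Apache's own name, the certificate CN and DNS consistent.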
677a678,680
> # Server-specific configuration
> # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
> Include /etc/apache2/mydomain/*.conf
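Review bot: an Include with a wildcard aborts Apache 2.2 startup when /etc/apache2/mydomain does not exist, so the mkdir described just below has to happen before the restart that the comment line records; and because a syntax error in any file under that directory takes the whole web service down, run sudo apachectl configtest after each addition. Keeping the restart command as a comment next to the Include is a good touch.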
I did "sudo mkdir /etc/apache2/mydomain" and added specific config files for the various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest -c ~uname/.htdigest EyeTV uname"; -c creates the file and is only needed the first time). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache user accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
Alias /eyetv /Users/uname/Sites/EyeTV
<Directory "/Users/uname/Sites/EyeTV">
    AuthType Digest
    AuthName "EyeTV"
    AuthUserFile /Users/uname/.htdigest
    AuthGroupFile /dev/null
    Require user uname
    Options Indexes MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
<Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
    AuthType Digest
    AuthName "EyeTV"
    AuthUserFile /Users/uname/.htdigest
    AuthGroupFile /dev/null
    Require user uname
    Options Indexes MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
I think you can turn Web off/on in Server.app to relaunch Apache, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
User-agent: *
Disallow: /
Misc
VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used MacPorts' squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

Privacy Enhancing Filtering Proxy and SSH Tunnel
Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
$ ./ssht 8080:[email protected]:3128
$ ./ssht 8080:alice@:
$ ./ssht 8080:
$ ./ssht 8018::8123
$ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
$ vi ./ssht
#!/bin/bash
# SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
# bash, not sh: the parsing below relies on extglob patterns and [[:digit:]] classes
USERNAME_DEFAULT=username
HOSTNAME_DEFAULT=domain.com
SSHPORT_DEFAULT=22
# SSH port forwarding specs, e.g. 8080:localhost:3128
LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
REMOTEHOST_DEFAULT=localhost    # Default is localhost
REMOTEPORT_DEFAULT=3128         # Default is Squid port
# Parse ssh port and tunnel details if specified
SSHPORT=$SSHPORT_DEFAULT
TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
while [ "$1" != "" ]
do
  case $1
  in
    -p) shift;                  # -p option
        SSHPORT=$1;
        shift;;
     *) TUNNEL_DETAILS=$1;      # 1st argument option
        shift;;
  esac
done
# Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
shopt -s extglob                        # needed for +(pattern) syntax; man bash
LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
USERNAME=$USERNAME_DEFAULT
HOSTNAME=$HOSTNAME_DEFAULT
REMOTEHOST=$REMOTEHOST_DEFAULT
REMOTEPORT=$REMOTEPORT_DEFAULT
# Each stage splits TUNNEL_DETAILS into the piece being parsed (CAR) and the rest (CDR).
# "$CDR" is quoted in the %% / ## expansions so it is matched literally, not as a glob.
# LOCALHOSTPORT
CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS
CAR=${CAR%:}                            # delete :
if [ "$CAR" != "" ]                     # local port specified
then
    LOCALHOSTPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEPORT
CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
CAR=${CAR#:}                            # delete :
if [ "$CAR" != "" ]                     # remote port specified
then
    REMOTEPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEHOST
CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
CAR=${CAR#:}                            # delete :
if [ "$CAR" != "" ]                     # remote host specified
then
    REMOTEHOST=$CAR
fi
TUNNEL_DETAILS=$CDR
# USERNAME
CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading *@
CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS
CAR=${CAR%@}                            # delete @
if [ "$CAR" != "" ]                     # user name specified
then
    USERNAME=$CAR
fi
TUNNEL_DETAILS=$CDR
# HOSTNAME
HOSTNAME=$TUNNEL_DETAILS
if [ "$HOSTNAME" = "" ]                 # no hostname given
then
    HOSTNAME=$HOSTNAME_DEFAULT
fi
# -L binds the local end on the loopback interface only, -N runs no remote command,
# -f backgrounds ssh after authentication. -q hides the reason for a failure (including a
# changed host key, which ssh still refuses); drop it while debugging a FAIL.
ssh -p "$SSHPORT" -L "$LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT" -l "$USERNAME" "$HOSTNAME" -f -C -q -N \
    && printf 'SSH tunnel established via %s:%s:%s\n\tto %s@%s:%s.\n' "$LOCALHOSTPORT" "$REMOTEHOST" "$REMOTEPORT" "$USERNAME" "$HOSTNAME" "$SSHPORT" \
    || echo "SSH tunnel FAIL."

Similar Messages

  • Does SL Mail/iCal/Address Book work with Exchange 2010?

    Is anyone using Exchange 2010 with Mail/iCal/Address Book (via the Snow Leopard web services interface and not the IMAP interface)?
    My company is about to upgrade Exchange from 2003 to either 2007 or 2010 and since the boss and I both use Macs we want to make sure that SL's apps will work no matter what choice of Exchange server is made.

    SL has not been tested with Exchange 2010 as far as I am aware. 10.6.2 was only tested against the 2007 variant.

  • Clean Installing MacOS 10.6 - restoring Mail, iCal & Address Book

    My parents own a first-generation white MacBook.
    A couple of years ago, the MacBook's internal hard disk had to be replaced under extra-extented warranty. (MacBooks of that era had hard drive problems, and Apple took care of its customers.)
    As a result, I had to clean-install MacOS 10.6 off of its DVD. I remember it being a pain because I do backup with La Cie's Silverkeeper backup utility, not Apple's Time Machine. (I don't have any empty external hard disks around, so I didn't bother to use Time Machine). I used Silverkeeper to copy my parents' entire user folder over to a hard drive. Because I am cautious about restores, I carefully copied only specific data back to the MacBook once the "new" hard drive was installed. I did not just restore the entire user folder with all of its settings.
    Fast forward a couple of years...
    My parents were complaining of unusual fluctuations of internet speeds on their machine. (They use WiFi, with an Airport base station connected to a DSL modem.) My MacBook Pro had no problem on their Airport connection. Theirs is really screwy. I have been advised to clean install MacOS X again.
    As I recall, this was a bit of a pain the last time. I don't know what has happened, but I assume that something has gone wrong with their settings or with the system software. I want to be careful in doing a clean-install this time so that most settings are not copied over, and only some things do get copied:
    iTunes
    iCal
    Mail
    Address Book
    Safari bookmarks only (I want to be careful about this one)
    How do I do these things without copying over all the other settings/libraries/junk?
    Also: my parents use Facebook frequently. Is there anything in Facebook that can infect their MacBook? If so, what can I do to avoid re-creating that after a clean install?
    I have their user folder backed up on two separate external hard drives just to be safe. Each of those drives contains other information, but I made sure to place the copied user folder inside another folder at the root level of the disk, clearly labeled, so there won't be any problems.
    MY PARENTS' HARDWARE
    MacBook (white, first-generation, 2006 vintage)
    FireWire/USB external hard drives for backup
    THEIR SOFTWARE
    MacOS 10.6 Snow Leopard
    iLife 2009
    iWork 2009
    Microsoft Office 2011: Mac
    Adobe Photoshop Elements 8, with Adobe Bridge CS4
    Flip4Mac

    Does anyone know the easiest way to transfer my account (mail, calendars, etc) from my old account to a fresh one whilst offering a possible elimination of the crashing issue I am experiencing?
    see this link
    http://discussions.apple.com/message.jspa?messageID=6185507
    copy (not move) the relevant data from the old account to some location that both accounts have access to like the folder /Users/Shared. then log into the new account and copy the stuff back to the new account.

  • How to install Apex on small business server with IIS already installed?

    I am building an Oracle Application Express application for a small not-for-profit and they only have a single small business server that is already running the microsoft IIS server. Can I install the Oracle Http server and run both the Oracle and IIS on the same mahine?

    Can I install the Oracle Http server and run both the Oracle and IIS on the same mahine?Absolutely. I'm running Oracle HTTP Server, Tomcat, and IIS on my laptop. Just make sure you don't have port conflicts and you should be problem free.
    - Mark

  • On Mountain lion Server, renewing profile manager's code signing certificate

    Hello,
    I follow the article : HT5358 and i have always this error : certadmin Cannot find the certificate: Certificat de signature de code myserver.domain.fr.
    Is somebody can help me ?!
    Thanks !!!

    Hello!
    I just solved my problem - I read the KB article again and there it says
    "When entering the hexadecimal serial number, ensure that all letters are entered in lower case."
    Maybe it is the same with your problem.
    Bye,
    Christoph

  • Can't log in to Lion Server. Open Directory Log Message says: unable to connect to password server

    I am setting up Lion Server. I can't log in to Lion Server from client.
    Checking the Open Directory Log: says: "unable to connect to password server" or
    "3394.14268, Node: /LDAPv3/127.0.0.1, Module: AppleODClient - unable to read Password Server response - connection to Password Server was closed, socket fd 18 (5205)"
    Thanks for help with this.

    I never discovered the problem, and instead rebuilt the server from the ground up.  I followed instructions at this discussion thread.  Very helpful.
    How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.
    I have had some log-in problems with users.  I have found that restarting the server helps. If this doesn't work, I rebuild permissions on the server, followed by opening up Workgroup Manager, go to the user's password, click on options and require that the user change password on the next log-in. For some reason, this will usually fix the problem.  I then log in as the user, and "change" the password to the original one. Also note, that if you import a user, the password is not brought in.  You must enter it for each user that you imported.  Even so, I have often had to resort to the re-set password procedure to enable a log-in.

  • Fresh Install of Mountain Lion how do I export users from Lion Server

    I've been having some issues with Lion Server, mainly Kerberos related and Profile Manager. So I want to start fresh with Mountain Lion.
    I've installed ML and Server, and profile manager is working now for the first time (yay!)
    Now I want to Import all my existing Open Directory users from Lion, I don't want to Import the entire OD though because I think some of my kerberos issues will just get carried over to ML.
    I would like to just export the Users to a file then use ML server to import users from file, but I can't see an option to export in Lion Server, I have tried doing it from WGM on Lion but the 'users' file is not recognised by ML server

    Great thanks for the reply, I'll try it tonight when everyone has logged off.
    Yeah I was very pleased initially with kerberos on Lion, it worked great to start with, now I'm just getting expired tickets for a default realm when some users log in, yet other users continue to work fine.
    I was planning to slowly install Mountain Lion Server and test is thouroghly but I've had a bit of a disaster that if forcing me to go live with ML server quicker than I wanted to!
    Basically because on Lion Server I have all the Service Data on a separate drive, and I upgraded to ML server on a backup copy of Lion Server just to see what it was like, though now I've rebooted the original Lion drive but half of the services are now screwwed up because the ML Server must have changed them, so things like Wiki Server and Profile Manager are now broken from the Lion Server boot, they just show "Error Reading Settings"
    I realise now I should have moved the Service data back to the local drive before doing a test upgrade so I wouldn't have messed it up! but now it seems like my best way forward is a fresh install of ML Server

  • Where can I find info on how to install and run Snow Leopard Server as virtual machine inside Mountain Lion

    Where can I find info on how to install and run Snow Leopard Server as virtual machine inside Mountain Lion

    Here is the short answer:
    Installing Snow Leopard Server into Parallels 10 for DUMMIES:
    http://forums.macrumors.com/showpost.php?p=17285039&postcount=564

  • How to install and configure the SQL Server

    Hi All,
    We have to install SQL server in the new server because the old server is crash and need to upgrade. Please advice How to install and configure the SQL Server to run SAP Business One 8.8 successfully and what part we do have to give attention.
    Kind Rgds,
    Steve

    Hi,
    Try this solution:
    The step-by-step installation guide can be found in the documentation included in the installation media. (\Documentation\SystemSetup\AdministratorGuide_SQL.pdf).
    Below are some important parts that you should pay attention to during the Installation process.
    Resolution
    Collation setting: It must be set as SQL_Latin1_General_CP1_CI_AS,even the company DB is non-english location. The company DB will be created as corresponding collation settings automatically.
    Instance and TCP Port : It is recommended to run SBO on default instance and TCP port 1433. Otherwise,some optional components such as B1i may not work properly.
    Native Client: SQL Server Native Client should be installed on every client machine to enable the ODBC connection to DB server.
    Rgds,

  • Hello guys..does anybody know how to install and use adobe master collection with the new lion?   I need to use Flash and illustratore, but apparently those programmes are incompatible with the new operative sistem...   I am a new mac users and I'd like t

    Hello guys..does anybody know how to install and use adobe master collection with the new lion?
    I need to use Flash and illustratore, but apparently those programmes are incompatible with the new operative sistem...
    I am a new mac users and I'd like to know if there are other similar programmes I can use with lion!

    Lab79 wrote:
    Are you on Apple's payroll?
    Well dude, I can only let you know that as I work with those programs I don't have to pay for them; it is my company that pays for the programs I want to use (that's why I was asking if there were other programs that I could use with Lion instead of Illustrator and Flash!). I have known Adobe since 2005 and I can say that Adobe's products are very good... I think that if it's an Adobe problem or fault, they will solve it very soon... but unfortunately I have the impression that after Jobs passed away Apple decided to change politics, and everything started to go very bad! (see FCP X)..
    Good luck with Apple dude..
    Where is the Apple problem? I have CS4 and CS5 running perfectly fine on my MacBook Pro. Installed 5 after the Lion upgrade. Worth every cent. Adobe did have some catching up to do with Lion but with the CS5.5 update all runs fine. But not yours. So it is a problem with the Lion OS? You say you have been with Adobe since 2005. So you would be aware of all the other issues that Adobe had catching up with past OSes on Mac and Windows then. They get it right, but it is up to them. It is not up to Apple, nor Microsoft for that matter, to run around and check that every software developer in the world is running their business properly.
    And what has politics got to do with anything? Some people just have to blame software for their poor hardware maintenance or failure of the same.
    <The only thing I can really do is to go back to my old Windows... give back this horrible laptop and ask for my money back!>
    Great suggestion. You should go with that one, but good luck getting a refund.
    Bye

  • I just purchased the Mac Mini Server with the intention of replacing Lion Server with Lion on the first hard drive while installing Windows 7 through Boot Camp on the second hard drive. Is it possible for me to do this? Thanks.

    I would use Parallels or VMware and use the second drive to hold the virtual machine. That way the VM only uses the space that it needs and you can still use the remainder of the drive for other things, not to mention that you would not need to reboot to run Windows.
    Also, Time Machine does not back up a Boot Camp partition.

  • How to install and configure MS Exchange Server 2007 with both the Hub Transport role and the Edge Transport role in one network

    Hi,
    The Edge role is designed for perimeter networks, to keep security risks to a minimum. So it's not recommended to have the Edge role in the internal network. It must have a separate network or subnet for Edge services.
    If you are playing around with it in a lab, then you can put the Edge role within the same subnet as the other Exchange roles, and there are no specific requirements in that case.
    Thanks.
    MachPanel - Premium Cloud Automation Solution

  • Can anyone tell me how to install Logic 8 on Lion using Pacifist, step by step, in simple terms please

    Can anyone tell me how to install Logic 8 on Lion using Pacifist, step by step, PLEASE

    Both PSD and TIFF are the two formats to use for your master file. Saving as a JPG will flatten the layers and remove any trace of transparency. TIFF has an option in the Save As dialog box to compress the file.
    If you find it necessary you could zip older files for archiving.
    Once the raw file has been opened in Photoshop, it is no longer considered a raw file, as Photoshop has no way to save to that format. Which is why you need to save as a PSD or TIFF.
    That said, the Camera Raw dialog box and Lightroom will save their edits to a sidecar file, which is why they are considered to be non-destructive, since you can delete the sidecar file and start again. It is the combination of the raw file and the sidecar file that ends up in Photoshop, which is one reason why it is recommended to do as much as you can in Camera Raw or Lightroom first. But the latest version of Photoshop allows your Photoshop files to be loaded into Camera Raw as a filter, so that recommendation is not as important as it once was.

  • How to install Logic 8 on Lion using Pacifist

    How to install Logic 8 on Lion using Pacifist, for dummies, please

    Hi,
    You don't need to uninstall it, but you can drag the old application to the trash when you're sure you're through with it.
    I hope you have the full Logic 8 - if you have bought the upgrade from 7 to 8 you would still need the XSKey to install it.
    HTH

  • Lion Server: iOS 5 clients can't connect to Address Book Server

    I have set up shared accounts on the server for Calendar and Address Book (family) sharing. Although I can add and use the Address Book shared account on OS X Lion clients, I can't get this to work on iOS 5 clients (neither iPhone nor iPad). I keep on getting "CardDAV account verification failed".
    Calendar sharing works just fine on both OS X and iOS 5 clients.
    Let me briefly describe my setup and observations:
    Server:
    Running Lion Server 10.7.2 on a Mac Mini (server)
    Using SSL connections with keys generated during set-up of the server
    Port forwarding in the router (a.o.) for 8008 and 8843 (iCal and Address Book)
    Created shared accounts on the server for Calendar ("sharedcalendar") and Address Book ("sharedcontacts")
    In the DNS server I created services in my primary zone for "_caldavs._tcp." and "_carddavs._tcp.", both on port 8443
    OS X Client (Calendar)
    Created an additional CalDAV account in preferences (user "sharedcalendar")
    Left the server settings untouched (server path, port "auto" and using SSL but not Kerberos)
    Created in "sharedcalendar" different calendars and reminder lists for the family members, which each can access from their OS X client
    This account is now set up through Profile Manager (tried this with Address Book as well but it didn't make any difference)
    iOS 5 Client (Calendar)
    Once I had tested this standalone and got it working, I started using Profile Manager to push the definition of the shared account to all clients
    Hostname with port 8443 (default)
    Left Principal URL blank since it was optional
    User "sharedcalendar" with the appropriate password
    Ticked "Use SSL"
    OS X client (Address Book)
    Created an additional CardDAV account in preferences (user "sharedcontacts").
    Left the server settings untouched (port 443 using SSL)
    iOS 5 client (Address Book)
    In the settings add a CardDAV account (server, user "sharedcontacts", password, description).
    First error message: "Cannot connect Using SSL. Do you want to try setting up the account without SSL?". When I press continue I get the error "CardDAV account verification failed".
    If I save the account details anyway and then edit the account, I can access the "advanced settings". When I change to SSL I have tried port 0 (default value), 8443 (the one that's listed in the documentation) and 8843 (which is used by default if you try to set up the account in Profile Manager). All to no avail, including via Profile Manager.
    Observations:
    The Lion Server app nicely lists both Calendar and Address Book Server as active (plus Profile Manager, File Server, Web server and Wiki server)
    When I access my server home page, Calendar is listed in addition to other services (Mail | Calendar | Change Password | Profile Manager) but not Address Book. Is this normal behaviour? i.e. can't Address Book entries be changed through a web interface?
    Address Book on the OS X client uses 443 for SSL but does not require me to define port 8443 for secure iCal or Address Book server communications
    Lion Server Profile Manager specifies port 8843 as the port for SSL communication. I only saw 8443 listed in the documentation
    The response "can't connect .." or "account verification failed" happens very quickly, which makes me think either the verification doesn't even leave the iPad or there is something wrong in the SSL connection
    Since the iCal set-up works nicely using the same ports, I am puzzled why it doesn't work for Address Book
    Your solutions or suggestions on how to investigate are most welcome,
    Erik

    Thanks for joining the discussion.
    Although port 8443 is most often quoted as the correct port for CalDAV and CardDAV, port 8843 can be found both on Apple's website and in other places:
    see Technical Note 1649 to find port 8443 listed for iCal and port 8843 for Address Book
    Mac OS X Lion Server for Dummies (sic) lists port 8843 on pages 236 and 238 but port 8443 in many other places
    when you want to push iCal and Address Book information with Profile Manager, Profile Manager lists port 8443 for iCal but port 8843 for Address Book as the default:
    So I hope you understand I'm somewhat puzzled.
    I did get the Address Book working for my Lion desktops with all the necessary certificates as far as I know, just not for the iOS devices (iPhone and iPad). iCal sharing from Lion Server works fine on both Lion and iOS devices.
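The thread above turns on a port mismatch: the poster's `_carddavs._tcp` SRV record advertises 8443, while the page's own sources (Technical Note 1649 and Profile Manager) say Lion Server's Address Book SSL listener is on 8843. A client that follows RFC 6764 service discovery will look up the SRV record first and connect to whatever port it advertises, so a wrong SRV port fails fast, which matches the "very quick" failure described. The following is an added example, not code from the page, from Erik, or from Apple; it walks the RFC 6764 discovery steps offline against a constructed zone that mirrors the setup described (both SRV records pointing at 8443) and flags the mismatch against the listener ports the page quotes. The zone contents, the host name `server.domain.com` and the TXT `path=` value are constructed.

```python
"""RFC 6764 CalDAV/CardDAV service discovery, worked offline.

Added example. The zone below is constructed to mirror the post's setup:
_caldavs._tcp and _carddavs._tcp SRV records in the primary zone, both
advertising port 8443. The listener ports come from the page itself
(8443 for iCal/CalDAV, 8843 for Address Book/CardDAV per TN1649).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed DNS data: SRV records per RFC 6764 section 3, plus optional
# TXT records carrying a "path=" context path (section 4).
ZONE_SRV = {
    "_caldavs._tcp.domain.com.": [SRV(0, 0, 8443, "server.domain.com.")],
    "_carddavs._tcp.domain.com.": [SRV(0, 0, 8443, "server.domain.com.")],
}
ZONE_TXT = {
    "_carddavs._tcp.domain.com.": ["path=/addressbooks/"],
}

# Ports the page reports Lion Server actually listening on for SSL.
LISTENERS = {"caldavs": 8443, "carddavs": 8843}


def discover(service, domain, srv=ZONE_SRV, txt=ZONE_TXT):
    """Return (host, port, path) the way an RFC 6764 client resolves it.

    service is "caldavs" or "carddavs". With no SRV record the client falls
    back to the well-known URI on the default HTTPS port (443).
    """
    name = f"_{service}._tcp.{domain}."
    well_known = f"/.well-known/{service.rstrip('s')}"
    records = srv.get(name)
    if not records:
        return (domain, 443, well_known)
    # Lowest priority wins; among equal priorities prefer higher weight
    # (a real client would pick among equal weights at random).
    best = min(records, key=lambda r: (r.priority, -r.weight))
    path = well_known
    for entry in txt.get(name, []):
        if entry.startswith("path="):
            path = entry[len("path="):]
    return (best.target.rstrip("."), best.port, path)


def srv_port_mismatch(service, domain, listeners=LISTENERS):
    """True when the advertised SRV port is not where the server listens.

    This is the check to run when a client fails immediately: the client
    never reaches the service because DNS sent it to the wrong port.
    """
    _, port, _ = discover(service, domain)
    return port != listeners[service]


if __name__ == "__main__":
    for svc in ("caldavs", "carddavs"):
        host, port, path = discover(svc, "domain.com")
        flag = "MISMATCH" if srv_port_mismatch(svc, "domain.com") else "ok"
        print(f"{svc}: https://{host}:{port}{path}  listener={LISTENERS[svc]}  {flag}")
```

Run as a script it prints the resolved URL for each service and marks `carddavs` as a mismatch, because the SRV record says 8443 while the Address Book listener is on 8843. The corrective action on the DNS side is to set the `_carddavs._tcp` SRV port to the port the server actually listens on; after that, a TLS handshake check against that host and port (with the server's certificate chain trusted on the client) is the next thing to verify.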
