Lion server - profilermanager mydevices login

Trying to get profile stuff working.
I have a Mac mini running Lion Server.
I created a couple of network accounts.
When one of those users goes to the mydevices page (http://<servername>/mydevices) to enroll a device, I get a login prompt. This always fails with invalid username or password. Currently, only my admin account can log in.
The Mac mini server is running Open Directory server of course, since that is required for Profile Manager.
thanks!

It is buried at the bottom of the list on the front page, I found it by looking for 'server' in the search box, or I wouldn't even know it existed
Regards,
Colin R.
PS I assume that is where all the experts are hanging out.

Similar Messages

  • Mac OSX Lion Server Network User Login Issue

    We have in the office a server running Mac OSX Lion, and several network users who've all been running happily for quite a while.
    About a month ago I was added to the system, and initially we had a few issues relating to the home directory, but we changed 'something' and it all worked.
    Fast forward to now, and we've added a new user - Hannah - to our system.
    I've added her in the Workgroup Manager, and set her up everywhere I can find on the server. Her home directory creates on the server fine.
    She appears in the Logon list on the client machines, and here's where the trouble starts...
    Every time she tries to log on, it fails. The logon box just bounces or wobbles as though the password is incorrect. We've tried changing the password, to no avail. We've tried adding new test users - same problem.
    We've tried sudo kinet on the Terminal as a local user, with variable results.
    I'm at my wits' end, and really hoping someone here can help offer some suggestions or advice we can work through to get to the bottom of this.
    Thanks in advance!

    Your problems are likely occurring because you added her to the directory with Workgroup Manager.
    You should really start avoiding WGM when at all possible as Apple is clearly moving away from it. Because of this, things don't always work as expected when using 'legacy' tools like WGM.
    My guess as to what your problem is: When you create a new user in Server.app, two things happen for you automatically that WILL NOT HAPPEN if done from WGM.
    First the user is added to the default "Workgroup" group.
    More importantly (and the source of much confusion), the user is automatically added to SACLs.
    Check the SACL for the user in Server.app, I bet you'll notice that they aren't a member of the File Sharing group like they should be. To solve this problem, you can either delete the user and recreate them in Server.app, or manually add them to the appropriate SACL.
    I would opt for recreating them in Server.app if I were you, as I don't trust user accounts that originate in WGM on Lion Server.

  • Lion Server Setup (Network Login/Mobile Account and more...)

    Hardware:
        Mac mini Intel Core i7, 2 GHz, 8 GB memory (Server) x 1
        iMac 21.5" 2.8GHz Intel Core i7, 12 GB memory (Workstation) x 6
    Operating System:
        Mac OS X Server Lion 10.7.4 (11E53)
        Mac OS X Lion 10.7.4 (11E53)
    Relevant Software:
        Server.app Version 10.7.4 (1.4.3)
        Workgroup Manager Version 10.7 (400.3)
        Server Admin Version 10.7 (355)
    So my head's swimming with "I dunno's" and I've been perusing probably all the wrong threads trying not to sound like a noob and find the literature that will finally lead me to a solution.  This is my first rodeo so make no assumptions about my experience (maybe).
    Short Version
    I can't log in network users.  I get the error "You are unable to log in to the user account "<%short_name%>" at this time."  Logging in using >console tells me this: "No home directory: <path to home directory>", i.e. /Network/Servers/department.domain.com/Department/Accounts/bbunny
    If anyone can point me where to read, I will do so.
    Perhaps a longer discussion on how to verify that the proper permissions exist on the share/home directory in question and what those would be.
    More detail...
    I want to set up a Mac Mini server to have network login accounts stored on the 2nd data volume in a directory we shall call Accounts*.  Here all the "network users/logins" have their home directories, so that when they login at the workstation the idea is the workstation will sync their account and allow them to login, if the server is not available, the hope is I can configure it to allow them to login if they've logged in before and the files will sync when they are able. That being the ideal, I get the impression that for best practices, Apple is discouraging the use of mobile accounts that use Home Sync perhaps because its reliability has been iffy, please advise.  A Windows user might think of this as "roaming profiles" but, if I understand it, it's a little more than that.
    Note, I do not want to login to the server and actively work on that network share, I want the account to be local and sync'd as needed.  But I want the user to be able to sit at any of the 6 other workstations and see the same documents, emails etc.  Obviously if the server is down, it won't be possible to authenticate, but I think it should have cached credentials that should allow the user to login if the server is down and still go about their work.
    This is the small picture...there is a larger picture that involves parallel virtual machines of Windows Server 2008 R2 on the server and Windows 7 on the client, iCal, iChat and perhaps wikis.
    I apologize for the roughness of this question, in the interest of brevity, I have plenty of problems that led me here that I can expound upon if asked.
    Also a silly question someone might know the answer to: Why do the login payload settings that I have pushed to a workstation device sometimes vanish inconsistently upon logout?

    Ok, Some Good news and clearer understanding to disseminate in this post I hope it helps
    "the Universe" so I am posting it here in my "ever-the-noob" blog on apple forums.
    Problem
    What do you do when you get an error when logging into a mobile account setup?
    One symptom would be the error message below...
         "You are unable to log in to the user account "<%short_name%>" at this time."
    Logging in using >console  You get the message…
         "No home directory: <path to home directory>"
         or
         "You are unable to log in to the user account "<%short_name%>" at this time."
         Logging in using >console tells me this No home directory: <path to home directory>
    Solution
    Do the check list…
    Short Version
    1.) Server Admin.app > Access (Key Component)
    2.) Check Permissions on directories for your file shares.
        (The reason stuff doesn't work especially when you're rebuilding/recovering a server)
    3.) File sharing setup (Turned ON, Home sharing Enabled)
    4.) Directory Utility > Directory Editor or dscl
        ( Do not underestimate the importance of this part!!!!
        Use white-gloves when you're handling it though!!! )
    5.) Workgroup Manager
        (Your poopy "main" interface that really is a "window", not a "door", but maybe Apple likes to do things "Dukes of Hazzard" style?)
    Long Version
    1.)           Check Server Admin.app > Access
    Make sure that your user has the "Proper" access.  For me I created a test user from Server.app and saw what access he had as a way to "check myself for a properly created user" and because I think one is kind of on his/her own using WGM and duplicated the same access. (I was a little neater, though and did it with a group, not individual users, that would have been a mess!)
    Server Admin.app > Access
    Click the "+" sign, sort by UID and Add the imported users  to the following Services…
    ( You can use a group, but understand when Server.app creates users they get added
    individually to each of these groups. )
    Address Book
    AFP
    iCal
    iChat
    Mail
    Profile Manager
    SMB
    VPN
    2.)           Check Permissions on directories for your file shares.
              (That's an understatement) I could go in depth about all the crap I had to read about, I still
              know I am missing a chunk of tech brain when it comes to the particulars. Basically, I boil
              it down to this…
              Permissions require thinking about things first with regards to POSIX permissions... good
              ole ls, chmod, chgrp, chown to the rescue with ugo permissions or the old 755, 600 etc
              stuff.
              Apple's file-sharing access uses this as a starting point to see what the user is allowed to
              access.
              I also needed to use chflags once to unhide a file that I mucked around with using xattr. 
              I still haven't figured out why folders can lose their triangles, but I didn't find out if you cp or
              move them from terminal, the triangles come back in the moved or copied directory.  For a
              minute I thought it was because cp alone doesn't preserve flag attributes, but mv actually
              works by doing a cp that preserves the flags, unless it's a bug.  I dunno.
              This helped me get my file visible again...
              chflags hidden path_to_file
              chflags nohidden path_to_file
              Read up on those manuals, if you're not a terminal type go to Apple's website
              http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/
              or download...
              http://www.bruji.com/bwana/ I thought that was cool.
              or if you prefer to read the manual in pdf try…
              man -t sharing | pstopdf -i -o ./Desktop/Sharing\ Manual.pdf
              man -t chown | pstopdf -i -o ./Desktop/CHOWN\ Manual.pdf
              man -t chmod | pstopdf -i -o ./Desktop/CHMOD\ Manual.pdf
              man -t chgrp | pstopdf -i -o ./Desktop/CHGRP\ Manual.pdf
              My basic guideline was avoid using ACLs if at all possible, if you try to use them, things
              can get crazy complicated, take notes and plan, baby. If you read above, opening up
              permissions wide is wrong though.  You would restrict permissions tightly to begin with and
              then place ACE (Access Control Entries) to specifically target the rights you want to enable.
              Here's one that's obviously a novice attempt to do this, but since the novice is the only one
              speaking…. here it is, Universe… >:P
              sudo chmod -R +ai "admin allow read,write,delete,file_inherit,directory_inherit,search,list" Department/
              That allowed my admin to do all the things a normal user could do so far… It fixed things for
              my admin, which made me happy.  I really hate having to authenticate or sudo just to see
              the contents of a nested directory.  I could explain it, and even give a few notes on why it's
              probably overkill, but I will attempt to look less stupid till "poked".
              There's another command line utility I STILL haven't read, which may bear mentioning
              because…well I haven't read it.  umask (see wikipedia or unix.com)…I worked past my
              problems without going into it so far, but obviously it's there, and it serves a purpose.
              I also found this article helpful…and educational.  :O
              http://www.bresink.de/osx/300321023/Docs-en/pgs/ACL.html
              (          It's enlightening to hear the air whistling between a developer/coder's ears, still it's
                        apparent he has a clear idea what's going on.
                        Ever wonder why when you use get info to check or assign permissions it kind of
                        flakes out and doesn't take?  Read this article!          )
              Second, if you can't obtain the "specific" permissions you need with POSIX, chmod also
              can set the 2nd category of permissions, which Windows users may be familiar with
              Access Control Lists (ACLs) and here you get some really fine granularity...messy stuff. 
              All in all, if I felt I could guide you through these murky waters, I would, but I think I'll let
              the professionals weigh in on that one and cut my wall-of-text to ribbons.
              To heuristically check I would connect from a client as one or two of my users and see what
              folders I could mount as a share, armored with an understanding of what ls -le@O * showed
              me in Terminal.
    3.)           File sharing setup (Turned ON, Home sharing Enabled)
              Here is an example of using command line sharing utility where each share is properly
              labeled (that took a bit for me to figure out) still this share only enables the AFP share as
              you can see from my flags.
              sudo sharing -a /Volumes/Hard\ Drive/Department/Database -A Database-afp -F Database-ftp -S Database-smb -n Database -s 100 -g 000 -i 10
              Then you do a sudo sharing -l and get back what you just did…
                                              List of Share Points
              name:                    Database
              path:                    /Volumes/Hard Drive/Department/Database
                        afp:          {
                        name:          Database-afp
                        shared:          1
                        guest access:          0
                        inherit perms:          1
                        ftp:          {
                        name:          Database-ftp
                        shared:          0
                        guest access:          0
                        smb:          {
                        name:          Database-smb
                        shared:          0
                        guest access:          0
              If you mess up the sharing command, you may not be paying attention (I wasn't) but there
              are a lot of defaults that Apple will just assume you meant to do anyway and it won't read
              any of your flags, you have to get it right or the flags will be defaulted. 
              (          Basically I could tell I was bombing it for one, I explicitly only wanted afp working, but
                        the default was afp and smb.  So each time I ran sudo sharing -l after I shot my sharing
                        command…back would come smb shared: 1 and I knew that wasn't right.  Also my
                        custom names were defaulting to the name of the directory not the name I had
                        specified.           )
              I like to know what protocol my share is over so when it doesn't work, I know which protocols
              are connecting. It's not foolproof, but it's a bookmark.  I wish the network browser would
              identify the protocol that its available listed shares are using, because small visual cues
              like that help when you're trying to see what works.  Maybe that's something I should
              investigate via the command line?
              As a note about reading forums, I discovered using command line that "\" is kind of like a
              way of going to next line neatly with long commands…."\ " is a way to insert a space. As you
              can see above where I have a volume with a space in it. 
              Removing shares was a little trickier though, sharing -r Share\ With-space didn't work….I
              had to enclose it in quotes and do "Share With-space" instead. So nooby beware!
              (          *nix users are now rolling their eyes at this tip.          )
              I wasn't sure how you enabled a share for home directories from the command line, maybe it's
              in the manual, but I was up to my eyeballs in manuals already so I haven't gone back to
              revisit this question since my work around was to go to Server.app and verify that what I set
              up in the sharing in terminal was being reflected in the gui…sort of my own MVC
              (model-view-controller) check.
    4.)           Directory Utility > Directory Editor or dscl 
              Make sure what you see in WGM and Server.app are reflected here….to that question let's
              take a journey where I did some exploring about that.
              Ever really wonder "WHY CAN'T I REMOVE AN OLD HOME DIRECTORY SHARE?!!!"
              Ah, then you will  - LOVE -  this tip…
              (          Provided my testing or yours, later, doesn't prove that in my ignorance I've broken
                        Open Directory. Remember, WHITEGLOVES!!!! but here we get a little dirty.  I think of
                        OD as Apple's Registry, but that's not what it is at all. However, you as the user do have
                        to "****" around in it from time to time.          )
              I scoured the forums and everyone was saying things like "You have to change your server
              role" etc. which seemed a little bit dumb to me (dumb because you're pushing views around
              not "controlling"), and well, yea, that share that I couldn't modify or delete was REALLY
              bugging me.
              Now hmm… Before you do ANYTHING, how do you try to not hurt yourself…in Windows you
              can make a Registry Backup….(yea bad analogy)  In Server Admin.app you can go to your Open
              Directory Service > Archive and Choose a place to Archive your information. (Figure this out by
              yourself, this is getting long…sheesh! It's easy. Restoring is just as easy and painless.)
              Before we can remove the entry we "SEE" in WGM we should make sure no
              one has it selected so as not to "corrupt" the OD db, so in WGM first before going to Directory
              Utility set the Home directory to "None".  (We need to remember to set this to a correct share
              later….Mental Note!!!)
              Now Open Directory Utility
              Method 1
              System Preferences > Users & Groups > Login Options
              Click the Lock to make changes…
              Authenticate -> click "OK"          (do I REALLY have to step-by-step this?)
              Network Account Server: • Local Server - click "Edit" button here.
              Open Directory Utility > Directory Editor
              (          Wow, did Apple hire someone from Microsoft?  You'd think with all their research into
                        Human Interface Design that's WAY too many clicks to get to something you need.          )
              or
              Method 2 (It's good to know about this directory, neat-o speed-o apps hidden here.)
              Use "Go to Folder" Under Finder > Go > Go to Folder...
              ⇧⌘G /System/Library/CoreServices/
              Click "OK"
              and Double click Directory Utility.app
              or
              Method 3
              Terminal
              open /System/Library/CoreServices/Directory\ Utility.app/
              Now From the Directory Editor Pane you will see a Pop-up menu Labeled "Viewing"
              You should glance through this and get to know it.  You should use it to see what
              information is really being stored about your Users, Groups, Mounts…
              We are interested in Mounts, which is where we want to go…and there is the pesky
              mount that you will see reflected in WGM.
              Authenticate, and delete the bugger.
              Quit WGM and restart it.  Voila, bad share is GONE!!!!!
              a.)          First select all my users
              b.)           Then I clicked on the "+" and added the correct share
                        (          Remember, I only showed you the first one we created, this is another and
                                  for THIS one you HAVE to go into Server.app and verify that it is set to be
                                  available for Home Directories in this case for AFP.          )
                        For the home directory entry you do this...
                        afp://computer.domain.com/Accounts-afp
                        %short_name%
                        /Network/Servers/computer.domain.com/Volumes/Hard\ Drive/Department/Accounts/%short_name%
                        %short_name% is a wild card for the short name, there are other wild cards, check out Apple's
                        Documentation on them.  I lost the link   sorry <shrug>
              Interesting dscl commands…(check it out in command line form and compare side by side with
              what you see in the GUI Directory Utility)
              dscl . list /users
              dscl . list /groups
              If you want to output information about each user, though, use readall:
              dscl . readall /users
              dscl . readall /groups
              And if you need to programmatically parse said information, use -plist to make your life easier:
              dscl -plist . readall /users
              dscl -plist . readall /groups
              This made a little more direct sense to me, language wise…but fyi "." is kind of a wild card I think so the first
              commands I think look in ALL directories local, Search, LDAP whatever you have.  The command here
              corresponds to the Entry from the Pop-up menu "…in node > Blah…" see GUI of Directory Utility to confirm.
              dscl /LDAPv3/127.0.0.1 -list /Users
              dscl /Local/Default -list /Users
    5.)          Workgroup Manager
              Remember this is a utility that is not long for this world.  Apple's Mountain Lion is rumored to fully
              replace it, why? Yea, Apple's making a go at MDM (Mobile Device Management) and somehow
              desktop computers are being pulled/dragged along for the ride.  I have plenty of issues with
              Profile Manager, but I'll likely revisit it in a couple of months and see where we stand.
              Anyway, treat this baby like the bottom rung, because, well it is built like you start your
              foundation here, but it's just a viewer with controlling "tweaks".  Use the other areas to get a solid
              grasp of what is actually going on.  Server.app is where you should create accounts you can
              feel are safe.  When you create accounts in WGM, you are responsible for making sure they
              have the appropriate EVERYTHING.
    This list is by no means complete, but these are the areas this noob is or was prepared to talk about.
    Good night for now.  Enjoy climbing my wall of text, and yea sorry about that.  :O Run for your lives!!!!
      - Signed Shadowwraith
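
Added example (not part of the post above, and not Apple's tooling): the post describes rerunning `sudo sharing -l` and spotting `smb shared: 1` on a share that was meant to be AFP-only. The shell function below automates that check over `sharing -l` text, flagging any protocol that is shared outside an allow list and any shared protocol that permits guest access. The sample listing is constructed, modeled on the post's output with indented, brace-closed protocol blocks assumed; `audit_shares` and `sample_sharing_output` are hypothetical names.

```shell
#!/bin/sh
# Added example: audit `sharing -l` output for unintended exposure.
# audit_shares and sample_sharing_output are hypothetical helper names.

# Constructed sample, modeled on the listing in the post. Assumes each
# protocol block is indented and closed with "}".
sample_sharing_output() {
    cat <<'EOF'
List of Share Points
name:           Database
path:           /Volumes/Hard Drive/Department/Database
        afp:    {
                name:   Database-afp
                shared: 1
                guest access:   0
                inherit perms:  1
        }
        ftp:    {
                name:   Database-ftp
                shared: 0
                guest access:   0
        }
        smb:    {
                name:   Database-smb
                shared: 1
                guest access:   0
        }
name:           Accounts
path:           /Volumes/Hard Drive/Department/Accounts
        afp:    {
                name:   Accounts-afp
                shared: 1
                guest access:   1
                inherit perms:  1
        }
        smb:    {
                name:   Accounts-smb
                shared: 0
                guest access:   1
        }
EOF
}

# Reads `sharing -l` text on stdin.
# $1: space-separated protocols that are allowed to be shared, e.g. "afp".
# Prints one finding per line; prints nothing when the listing is clean.
audit_shares() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, list, " ")
        for (i = 1; i <= n; i++) ok[list[i]] = 1
    }
    # A "name:" at column 0 starts a new share point.
    /^name:/ {
        share = $0
        sub(/^name:[ \t]*/, "", share)
        proto = ""
        next
    }
    # An indented "afp: {", "ftp: {" or "smb: {" opens a protocol block.
    /^[ \t]+(afp|ftp|smb):[ \t]*[{]/ {
        proto = $1
        sub(/:.*$/, "", proto)
        is_shared = 0
        next
    }
    /^[ \t]*[}]/ { proto = ""; next }
    proto != "" && /^[ \t]+shared:/ {
        is_shared = ($NF == 1)
        if (is_shared && !(proto in ok))
            print share ": " proto " is shared but not in the allow list"
        next
    }
    # Guest access only matters on a protocol that is actually shared.
    proto != "" && /^[ \t]+guest access:/ {
        if (is_shared && $NF == 1)
            print share ": " proto " allows guest access"
    }
    '
}

# Demo on the constructed sample. On a server: sudo sharing -l | audit_shares "afp"
sample_sharing_output | audit_shares "afp"
```

Empty output means every shared protocol is on the allow list and none of them permits guest access.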

  • I'm trying to use Mountain Lion Server so my family can have separate logins via Screen Share to their iTunes.

    Using Mountain Lion Server so my family can have separate logins and connect via Screen Share.
    Works great, each has their own home directory and permissions are perfect.
    Now setting up iTunes for each with their own Library (not shared), thus keeping multiple Libraries.
    I get this;
    This Computer is already associated with an Apple ID.
    If you download past purchases with your Apple ID, you
    cannot auto-download past purchases with a different
    Apple ID for 90 days.
    What!
    So what it is on the same computer, they are completely separate Libraries never to be mixed.
    If this works, I only need to keep one computer up and running, instead of three.
    Each can do their syncing/backup and connect to the various Airplay/AppleTVs I have around the house.
    How do I fix this.
    Thanks

    Bottom line is you can't - easily.
    You need to make sure that you log out of the server each time otherwise the ID is running. To explain, if you had a laptop with different people using it, your solution works fine. Each time someone logs in, the iTunes ID is different so it works as you can only have one person using the laptop at any one time.
    Now, turning your problem inside-out, you want people to be able to log into iTunes concurrently to use their own version of the program with their own library. This does not seem to work and you get the conflicted ID error message. Even though iTunes is running under their own login ident, I have never been able to get this working reliably and was told that iTunes is NOT a network-aware application as it is designed to be single user.
    The way I got around this was to login as XYZ and to make sure that the ID was changed in iTunes accordingly. However, it did not always work so I gave up with the whole thing.

  • Mountain Lion Server Workgroup Login Selections

    Hi All,
        I am installing a Mountain Lion Mac Mini server which is replacing our Snow Leopard Mac Mini server.
    The system is bound to 2008R2 ADS. When I log into the Snow Leopard Server from a client I am presented with which group I would like to log in to as in ADS I am a member of two groups. ie admins and staff. This is how we have set it up so all is good there.
    The issue that I am having is that the groups are not being presented on the client when logging into Mountain Lion Server although the configuration on the two servers is the same.
    Has anybody experienced this problem before? Maybe this is now default behaviour with Mountain Lion server? The problem is it's automatically logging us in with the most restrictive group so we have no admin rights on the clients.
    Thanks in advance for any info!!

    I had this problem on a clean install.
    The solution was incredibly simple for me, but only  after I saw Ross.M's note about opening the Users & Groups settings panel (in the OS System Prefs, not in server) and rebinding to OD server under Login Options.
    That was not the solution for me, but under Login Options I discovered a previously unnoticed pref for "Allow network users to login at login window."  I had this option set (apparently by default) to "Only these network users:"  but with an empty list.  Adding my users to the list made it work perfectly.
    Talk about KISS

  • Server admin is unable to login to server.app after upgrade to Mountain Lion Server?

    After upgrade to Mountain Lion Server I am unable to login to the server tools. When I input the admin user name and password the dialog box just shakes indicating the wrong password. But it is the correct password. How do I reset the password or if necessary how do I reset the server and start over on Mountain Lion? I found info on how to reset the server on previous versions of the server which involved executing a plist in the LaunchDaemon folder. However that file does not exist on the server following upgrade to Mountain Lion.
    Thanks, Howard

    I upgraded today and had the same issue. I took the following steps to fix my computer.
    Boot into Recovery Partition (Hold Option Button while booting)
    Open Terminal.
    Type resetpassword
    Select your hard drive
    Select the user account (Administrator)
    Enter a new password for the user
    Reenter password
    Save
    Restart
    Boot normally, Login as Administrator with the new password and add "Admin" permission to your account.
    Restart
    Everything should be working as expected

  • How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

    I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
    Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
    Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Someday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
    Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
    1. DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
    2. DVD>Install Lion
    3. Reboot, hopefully Lion install kicks in
    4. Update, update, update Lion (NOT Lion Server yet) until no more updates
    5. System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standby)
    6. Terminal>$ sudo scutil --set HostName server.domain.com
    7. App Store>Install Lion Server and run through the Setup
    8. Download install Server Admin Tools, then update, update, update until no more updates
    9. Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
    10. System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
    11. A few DNS set-up steps and these most important steps:
    A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
    B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
    C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
    D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
    E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
    F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
    G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed as an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
    H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.]
    I. Test from web browser server.domain.com/mydevices: Lock Device to test
    J. ??? Profit
    12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
    You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
    Firewall
    Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is mostly a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
    SSH
    Do this with strong security. Use Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    I'm not sure if toggling the Allow remote logins will load this config file, or run "sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist ; sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist" to restart the server's ssh daemon.
    Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ cat id_rsa.pub >> ~/.ssh/authorized_keys
    I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
    $ diff denyhosts.cfg-dist denyhosts.cfg
    12c12
    < SECURE_LOG = /var/log/secure
    > #SECURE_LOG = /var/log/secure
    22a23
    > SECURE_LOG = /var/log/secure.log
    34c35
    < HOSTS_DENY = /etc/hosts.deny
    > #HOSTS_DENY = /etc/hosts.deny
    40a42,44
    > #
    > # Mac OS X Lion Server
    > HOSTS_DENY = /private/etc/hosts.deny
    195c199
    < LOCK_FILE = /var/lock/subsys/denyhosts
    > #LOCK_FILE = /var/lock/subsys/denyhosts
    202a207,208
    > LOCK_FILE = /var/denyhosts/denyhosts.pid
    > #
    219c225
    < ADMIN_EMAIL =
    > ADMIN_EMAIL = [email protected]
    286c292
    < #SYSLOG_REPORT=YES
    > SYSLOG_REPORT=YES
    Network Accounts
    Use Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
    2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
         User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
    Oh well.
    Email
    Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
    root:           myname
    admin:          myname
    sysadmin:       myname
    certadmin:      myname
    webmaster:      myname
    my_alternate:   myname
    Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
    cd /etc/postfix
    sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
    echo 'smtp_sasl_security_options = noanonymous' | sudo tee -a ./main.cf > /dev/null
    sudo serveradmin stop mail
    sudo serveradmin start mail
    Finally, make sure that you're running a blacklisting service yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
    If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
    iCal Server
    Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
    Web
    The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
    $ diff httpd.conf.default httpd.conf
    95c95
    < #LoadModule ssl_module libexec/apache2/mod_ssl.so
    > LoadModule ssl_module libexec/apache2/mod_ssl.so
    111c111
    < #LoadModule php5_module libexec/apache2/libphp5.so
    > LoadModule php5_module libexec/apache2/libphp5.so
    139,140c139,140
    < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    < #LoadModule encoding_module libexec/apache2/mod_encoding.so
    > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    > LoadModule encoding_module libexec/apache2/mod_encoding.so
    146c146
    < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    177c177
    < ServerAdmin [email protected]
    > ServerAdmin [email protected]
    186c186
    < #ServerName www.example.com:80
    > ServerName domain.com:443
    677a678,680
    > # Server-specific configuration
    > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
    > Include /etc/apache2/mydomain/*.conf
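    Review bot: the Include /etc/apache2/mydomain/*.conf line in the 677a678,680 hunk loads every file matching the wildcard into the main server configuration, so the change should state who owns that directory and confirm it is writable only by root; a stray or half-edited .conf file there takes effect on the next restart. The comment above it records the restart command, and it would help to pair that with a syntax check (apachectl configtest) before restarting.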
    I did "sudo mkdir /etc/apache2/mydomain" and added specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
    Alias /eyetv /Users/uname/Sites/EyeTV
    <Directory "/Users/uname/Sites/EyeTV">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
    <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
    Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
    One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
    Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
    User-agent: *
    Disallow: /
    Misc
    VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

    Privacy Enhancing Filtering Proxy and SSH Tunnel
    Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
    If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
    $ ./ssht 8080:[email protected]:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/bash
    # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost
    REMOTEPORT_DEFAULT=3128         # Default is Squid port
    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
      case $1
      in
        -p) shift;                  # -p option
            SSHPORT=$1;
            shift;;
         *) TUNNEL_DETAILS=$1;      # 1st argument option
            shift;;
      esac
    done
    # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
    shopt -s extglob                        # needed for +(pattern) syntax; man sh
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT
    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR%:}                            # delete :
    if [ "$CAR" != "" ]                     # leading or trailing port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # leading or trailing port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote host specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading *@
    CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                            # delete @
    if [ "$CAR" != "" ]                     # user name specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" == "" ]                # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi
    ssh -p "$SSHPORT" -L "$LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT" -l "$USERNAME" "$HOSTNAME" -f -C -q -N \
        && printf 'SSH tunnel established via %s:%s:%s\n\tto %s@%s:%s.\n' "$LOCALHOSTPORT" "$REMOTEHOST" "$REMOTEPORT" "$USERNAME" "$HOSTNAME" "$SSHPORT" \
        || echo "SSH tunnel FAIL."
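
The SSH step in the post above sets three sshd_config directives to "no". The script below is an added example, not part of the original post: it checks a config file for those directives and catches two cases that quietly defeat the edit, a duplicate keyword (sshd keeps the first value it reads) and a Match block that turns a setting back on. The function names, output format and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: report whether an sshd_config
# sets the three directives the post recommends to "no".

# audit_sshd_config FILE
# Prints one finding per line and returns 0 only if every directive is "no".
audit_sshd_config() {
    awk '
    BEGIN {
        n = split("permitrootlogin passwordauthentication challengeresponseauthentication", want, " ")
        in_match = 0; bad = 0
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || substr(line, 1, 1) == "#") next   # blank or comment
        # Keyword and argument are separated by whitespace or "=".
        if (match(line, /[ \t=]+/) == 0) next
        key = tolower(substr(line, 1, RSTART - 1))          # keywords are case-insensitive
        val = substr(line, RSTART + RLENGTH)
        gsub(/"/, "", val)
        split(val, word, /[ \t]+/); val = word[1]
        if (key == "match") { in_match = 1; next }
        for (i = 1; i <= n; i++) {
            if (key != want[i]) continue
            if (in_match) {
                # Match blocks override the global value for some connections.
                if (val != "no") { printf "WEAK %s=%s (Match block, line %d)\n", key, val, NR; bad = 1 }
            } else if (key in seen) {
                # sshd keeps the first value it reads for a keyword.
                printf "IGNORED %s=%s (line %d, earlier value wins)\n", key, val, NR
            } else {
                seen[key] = val
            }
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = want[i]
            if (!(k in seen))         { printf "UNSET %s\n", k; bad = 1 }
            else if (seen[k] != "no") { printf "WEAK %s=%s\n", k, seen[k]; bad = 1 }
            else                        printf "OK %s=no\n", k
        }
        exit bad
    }' "$1"
}

# Constructed sample: the second PermitRootLogin line is dead, the Match block
# re-enables passwords for one documentation address range, and
# ChallengeResponseAuthentication is never set.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample, not a real server config
PermitRootLogin no
PasswordAuthentication no
permitrootlogin yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp) && sample_sshd_config > "$tmp"
audit_sshd_config "$tmp" || echo "=> sshd_config needs attention"
rm -f "$tmp"
```

A directive reported as UNSET falls back to the default compiled into that sshd build, so set it explicitly instead of relying on the version in use.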

  • Final proof that Lion Server seems unfinished

    These really speak for themselves.
    I followed the docs available here:
    https://help.apple.com/advancedserveradmin/mac/10.7/#
    to activate the option so the users may change their password from their wiki page at https://server
    For this I check the "Allow users to change their password" in the default website
    The result is here when people login to their wiki and click "change password" at the bottom of the page they get this:
    Also trying to input a new password twice and hitting the right button (what I guess would be the OK) fails saying the password server might be unavailable...
    Well, I don't know if I broke something or if this page is just unfinished in the retail version of Lion Server but I surely didn't do any setup on the web service.
    It's all factory setup regarding web service.
    Also, wiki seems to work perfectly, webserver for profile manager and mydevices works perfectly.
    Another failing web service is the webcal. The link to the webcal at the bottom of the wiki , next to change password link, fails saying too much redirects, but that may be something to do with my network.
    What do you think about all this ?
    Eric
    @teknologism

    My bad, it seems there was another error with permissions.
    I created /Library/Logs/passwordreset/ and a debug.log file inside
    and made the right permissions:
    sudo chown -R _teamsserver:_teamsserver /Library/Logs/passwordreset/
    sudo chmod -R 750 /Library/Logs/passwordreset/
    deactivated the feature, reactivated it and it worked.
    Now, why that folder/file wasn't automatically created..dunno... It really doesn't feel very polished...
    Eric
    @teknologism

  • How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?

    How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?  We have a super awesome contacts server that works great for our Mac users.  About 30% of our company are on PCs, and I would like to use the Mozilla Thunderbird mail client for them.  I see that in Thunderbird I can set up LDAP searching, and would like to have this feature point to our contacts server.  I've tried several different settings, and looked all over the web, but could not find the proper way to configure this.  Does anyone know if this can be done, or if not, would have a better suggestion?  Thank you for your time!!

    Try double clicking; Keychain Access should launch and ask if you want to install to login, System, or System Roots.
    A dialog box will launch asking where to install the cert. Since you're configuring a VPN, I would put the certificate in System.

  • A stable, fast reliable VNC connection to Lion or Lion server

    I hope this post helps people with VNC setup from non Mac machines to a Mac running Lion or Lion Server 10.7.4.
    Apple has changed quite a few things in Lion regarding VNC and screen sharing. As a consequence many VNC viewers are no longer compatible until the VNC software is upgraded to be Lion compatible. You will find many posts about this topic in this forum, e.g.
    https://discussions.apple.com/thread/3289794?start=0&tstart=0
    Often, the result is that  the user can't proceed beyond the gray login screen (screen locks up etc).
    This post describes how to configure RealVNC's VNC server on Lion Server 10.7.4 to work in conjunction! with ARD (thus allowing you to keep screen sharing enabled and still use ARD from a client if that is desired)
    Download the VNC server at (Version 5! necessary)
    http://www.realvnc.com/download/vnc/latest/
    and install the VNC server on the host (the computer you want to login to via VNC)
    Single User Host setup
    ==================
    - Install the VNC server and follow the instructions
    (If your Mac is configured for remote management, screen sharing, remote apple events, the installation may complete with an error stating to contact the manufacturer....ignore the error as it is most likely caused by a port conflict because VNC server and ARD (or Apple screen sharing) both use port 5900 per default; the software was still completely and correctly installed.)
    - start VNC Server by opening Finder -> Applications -> Real VNC -> VNC Server (User Mode)
    You will see a small VNC icon in the top task bar of the screen.
    (if you open the "information Center" the issues tab will show a port 5900 conflict)
    - open VNCserver Options and select the connections tab:
    +Change the default port from 5900 to 5901 and serve Java viewer on Port from 5800 to 5801
    + Change Authentication to "Mac password"
    + Select Encryption "always on"
    - Select the expert tab
    +scroll down to the bottom of the list and change "StopUserModeOnSwitchOut" to "no"
    (this settings prevents the VNC server to be stopped automatically if you have Fast Switching User Mode enabled on the host.)
    - select "Apply"
    (now if you open the "Information Center" again, the port conflict problem should be solved.)
    - select "open" from the VNC server menu:
    If the configuration was successful, the window will show a check mark in a green box stating everything is ok.
    - In addition you will find the address that the client user will need to connect to the VNC server on the host
    it will say something like "VNC viewer user can connect using the address 192.168.x.y:1"
    Note: If you start several VNC servers, each session will need a dedicated port (like 5902, 5903 etc)
    Router/Firewall Settings:
    ===================
    Depending on the router/firewall you use your ports may have been automatically configured for you (airPort extreme for example).
    You need to open port 5901 and 5801 and forward these ports to the IP address of the host. If ARD was already working in your setup, you can copy the port configuration for ports 5900, 3283 and 3306 that are used by ARD and implement the same rules for the new port used by VNC 5901.
    Review the settings of your firewall/router.
    VNC client
    ========
    - download the VNC client for your OS from
    http://www.realvnc.com/download/viewer/
    and follow the install instructions.
    - Start the VNC client on your client PC (Windows for example) and enter the address that the VNC server reported to you earlier (192.168.x.y:1)
    - Encryption : "Let VNC Server choose"
    - select "connect"
    - enter your Mac username and password that was setup on your host
    you are now connected via VNC to your host.
    You can also configure the VNC server to allow other users to login to the same! VNC session using their user credentials (friends/family or serverAdmins that want to share access to the host)
    To do this open the options dialog box on the VNC server host computer and select "configure" next to authentication.
    - add the users that are supposed to get access to your VNC session using their own credentials. (make sure this is what you really want, otherwise read on in the multi user section of this post)
    Multi User Host Setup
    =================
    If multiple users are supposed to access the host computer using their own credentials logging into their own! desktop, follow these instructions:
    - first enable Fast User Switching on your host computer by going to
    System preferences -> User/Groups -> Login Options and select the check box  "show fast user switching menu as..."
    - For each user on the host that should be reached via a VNC session start VNC server (user) as described before and assign a new port number to the new user like 5902 etc.
    - repeat the configuration outlined above for each user (eg. "StopUserModeOnSwitchOut" to "no")
    (note initially when you start the VNC server for the first time again, you will get notified that a port conflict exists again....this disappears as soon as the new port is configured)
    now another user can login via VNC into his own desktop using the server address : "192.168.x.y:2"
    Final notes:
    =========
    I spent hours trying to get a variety of VNC viewers to work with the new screen sharing/VNC implementation in Lion and finally gave up. I called Apple Enterprise support and they confirmed that "a majority of the existing VNC products are not compatible with the new VNC implementation in Lion yet and that Apple recommends ARD". The discussion on what other non Mac users (Windows, Linux) should do did not go anywhere....
    I have tested the above configuration with the free version VNC server 5 on the host and the free version VNC viewer 5 on a client. It worked flawlessly, fast, reproducible and very stable. You need to be aware that depending on the features you want (number of desktops, users etc) that you may have to purchase the personal or enterprise edition for the server.
    The features are described here:
    http://www.realvnc.com/products/vnc/
    I personally installed the enterprise edition after I verified that the free editions worked stable and reliably as I needed them to work.
    I hope you now have a stable VNC link into your Lion host from the platform of your choice !

    I'm using the free VNC edition from RealVNC on Mt. Lion (10.8.5) and the basic information in this article for Lion is confirmed for the VNC Server 5.0.6 (r113416) on Mt. Lion.
    The main Options... window shows the Connections tab and I just changed my port to something other than 5900 and the port conflict went away.
    The Free edition does not allow Mac password and encryption can't be enabled. (Ya gotta pay for that.)
    Connected to it from my iPod Touch using Mocha VNC with no problems.

  • How do I access files with an iPad on a Lion Server?

    One of the reasons I upgraded from Snow Leopard server to Lion server is to access files from an iPad and iPhone.  I see in the File Sharing sharepoint configuration box the iOS checkbox, but how do I get to the files from the iPad?

    Thank you for shaking my brain!  I kept looking for a file structure to show up, such as Finder.  Your answer got me thinking correctly. Instead of looking for a "Finder", I opened Pages on my iPad and touched "+" then "copy from webdav".  From there I got a login screen and typed https://servername.com/webdav plus my credentials and it got me right to the files on the server!  I can now access files on my server from my iPad and can save the changes back!  It works both on the local network and remotely!  Thanks again!
    Message was edited by: FTZMan

  • How to setup iCal on a Lion server and its client machines?

    I recently bought a new mini server (running Lion) in order to share our iCal calenders (like in the Apple presentations). I thought this would be an easy process but apparently it isn't. So what was I already able to achieve:
    1) Set up 5 different clients (on the Lion server), with corresponding e-mail addresses and passwords.
    2) Activated iCal on the server preference window (ical: on)
    3) Tried to add a user account on one of the five client machines => HERE it goes wrong.
    My main issue is that I'm not able to add a user account on a client machine and have it connected to the server.
    It would be really nice if someone could assist me with it.
    Warm Regards

    I posted additional information  online using the newly created Launchpad login Service account.
    I hope that explains my situation, if not I will add more detail here.
    There is no problem when either of the two OS are used to enable printing with the HP Deskjet 2050 J510 series printer.
    The problem begins when I try to print from the other OS , when connected to one of the Operating System.
    I have tried without success to print from Windows 7 Ultimate 64-bit OS from an HP Deskjet 2050 J510 series connected to a Ubuntu 12.04 LTS server with Amahi (HDA), installed.
    The same thing occurred when I tried to print from the Ubuntu server and the printer was connected to the Windows 7 Ultimate 64-bit running P.C.

  • Why can't I uninstall the Mountain Lion Server?

    Background
    My windows laptop failed and my iMAC's hard drive was recalled recently.  During this time I decided to buy a MacBook Pro and migrate everything from my Windows laptop.  I also bought Airport Extreme.  As I got recently unemployed, I wanted to create a private network accessible from my MacBook and MacBook Air (until I could afford to buy the Mac Mini Server).  So I downloaded the Lion Server from the App Store using my MacBook Pro (I didn't realize it would install automatically).  So, I redownloaded from my iMac and went through the configuration.
    Issues
    I was unable to log in using my existing user accounts from the MacBook/Air.  I turned on the screen sharing (as I had lots of applications and documents on the iMac).  But my firewall reported access to screen sharing service, web service etc from external IP addresses.  iMac frequently went into freeze modes (no response to mouse/keyboard) and sometimes blank screen (monitor off).  So I turned off screen sharing.
    I struggled with finding a way to make the local accounts into network accounts.  I even tried adding them to a Network Group.  I was unsuccessful in being authenticated by the iMac server.  The login window always showed "... unavailable ..".  I went through and tried all suggestions posted in this site. Nothing seemed to work.
    I decided to uninstall the Server and do a fresh install.  Even here there was no clear documentation/instructions with the server app.  According to suggestions here and as per this http://support.apple.com/kb/HT4827 article, I turned off all services, deleted the Server.app and also the /Library/Server folder.  Rebooted.  The iTunes store's purchased page still shows the Server as Installed.  I did the same on the MBP and it shows up as Install.
    I don't see any of the server applications in the Activity Monitor.  But my firewall reported incoming requests to Kerberos, Port 464, 5000, 625, 749, and Program Linking.
    Airport Extreme is letting in external requests.  I did not use public domain for my server nor any dynamic dns service.
    Questions
    How do I remove completely the Server app from my iMac?
    The first time I installed the server, I used it to control the Airport Extreme.  So how do I reset the Airport Extreme to factory settings (assuming Apple's marketing literature is correct) so that it acts as a barrier between the wild, wild internet and my home network?
    Is there better control of the Airport Extreme base station? Like MAC filtering?
    How do you elevate existing users on iMac to the level of network users?  I want any of my family members to be able to use the MBP or MBA using their own account and see their documents and settings.
    Recommendations Solicited
    I cannot add a Mac Pro/Mac Mini Server at this point (unless Apple comes out payment plans for the consumers).  That is why I purchased the MBP/MBA from BestBuy.  So need the best way to use my existing resources to create a small home network for school, development, testing etc.

    I have captured the install log.  Right now I don't have the Server.app and related files in the system.  But log shows the server is running or installed today.  I have seen MiniLauncher tag (don't know what it is).  And if the server is running, it is not appearing in the Activity log.

  • Mountain Lion Server: add network user to remote management

    Hi,
    So recently I have upgraded from Lion Server to ML Server. A little disappointing, but whatever, I've moved on and got everything almost back to where I had it with Lion.
    My last few issues I believe are related but can't quite figure it out. In Lion I have an admin profile and then a network user profile that I used on my MBP bound with AD. I'm at the stage where my new network user can log in on the server machine but I can't log in as the network user via screen sharing. I can't add a network user to Remote Management, and with Remote Management enabled Screen Sharing is greyed out. I'd really like this to work.
    My second problem is that I can't bind my MBP to the server but even when bound the network user account can't log in.
    Anybody have any ideas?
    Thanks!

    I had this problem on a clean install.
    The solution was incredibly simple for me, but only after I saw Ross.M's note about opening the Users & Groups settings panel (in the OS System Prefs, not in server) and rebinding to OD server under Login Options.
    That was not the solution for me, but under Login Options I discovered a previously unnoticed pref for "Allow network users to login at login window."  I had this option set (apparently by default) to "Only these network users:"  but with an empty list.  Adding my users to the list made it work perfectly.
    Talk about KISS

  • Address book Sync with Lion Server

    Hello,
    I have set up a Mac Mini with Lion Server and have OD users (no local user on the server). When I login "locally" (using the OD user account), I have my full environment, everything seems to work ok. Also the sync from my iPhone seems to work (only some calendar errors, sync doesn't come up with address book errors). But, as I now have noted, there is not really a sync of the address book. I have an old version of my address book on the server.
    How do I properly set up that:
    - my iPhone syncs with my OD user's address book only
    whereas
    -  central address book is kept on the OD server as well (without any sync)?
    Or did I get something wrong regarding the concept of running an address book on the Lion server ... maybe it's not possible to sync the iPhone to an OD user's address book?
    Best regards,
    Olaf.

    Have you tried rebuilding the accounts in SystemPrefs>Mail, Contacts and Calendars?
    Are the machines bound to the directory?
    Try setting it up in a fresh account on the broken Mac.
    Try setting it up on a different Mac.
    Hope this helps,
    Brian
