Messed up 10.3.9 to 10.4 upgrade on Open Directory Master.

I am experiencing the issue described in
http://docs.info.apple.com/article.html?artnum=301909
I have tried to follow the instructions in the Article but I still have issues.
I cannot modify the users list as anything but root, and the diradmin logon does not work at all. If I disable Open Directory and re-enable it, will that fix the issue, and how can I do this and still keep the users and groups straight? The passwords do not matter; I was going to reassign them anyway.
Help!!!

Hi
You could also try putting the Xserve into target disk mode, connecting it to another Mac that has a DVD drive, and trying from there. Make sure you have a fallback position before trying this; as Daddy has already suggested, if the disk is bad you might get it installed but subsequently have boot problems with your Xserve.
Tony

Similar Messages

  • Help: 5 yr old messed with the settings and now App World will not open....

    My lovely daughter decided to mess with the settings. Not being able to read, she just did a bunch of touching pictures... JOY... Now when I go to open App World it tells me "BlackBerry App World is not currently available in your country". We are in America, and the other PlayBook in the house still functions as normal.
    Any ideas what my 5 yr old pressed????

    If you backed the PlayBook up on your PC using the Desktop Manager software, you should be able to easily restore it.
    You can also do a wipe on it, and then re-initialize it back to its birthday.
    Wipe The PlayBook System:
    http://crackberry.com/how-wipe-os-blackberry-playbook
    Jerry G.

  • My Safari is messed up. Every time I do anything it randomly opens a new window for a website that looks like a virus. It also will not let me watch anything on Netflix. I don't know what to do, someone help!

    Every time I try to do anything in Safari it randomly opens new windows to what look like fraud websites. Also it will not let me watch anything on Netflix. Please help!

    You may have installed the "DownLite" trojan, perhaps under a different name. Remove it as follows.
    Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.
    Back up all data.
    Triple-click anywhere in the line below on this page to select it:
    /Library/LaunchAgents/com.vsearch.agent.plist
    Right-click or control-click the line and select
              Services ▹ Reveal in Finder (or just Reveal)
    from the contextual menu.* A folder should open with an item named "VSearch" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.
    Repeat with each of these lines:
    /Library/LaunchDaemons/com.vsearch.daemon.plist
    /Library/LaunchDaemons/com.vsearch.helper.plist
    /Library/LaunchDaemons/Jack.plist
    Restart the computer and empty the Trash. Then delete the following items in the same way:
    /Library/Application Support/VSearch
    /Library/PrivilegedHelperTools/Jack
    /System/Library/Frameworks/VSearch.framework
    ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
    Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.
    From the Safari menu bar, select
              Safari ▹ Preferences... ▹ Extensions
    Uninstall any extensions you don't know you need, including any that have the word "Spigot" or "Conduit" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.
    This trojan is distributed on illegal websites that traffic in pirated movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect much worse to happen in the future.
    You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the DownLite developer has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing, has not done so, even though it's aware of the problem. This failure of oversight is inexcusable and has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select
              Go ▹ Go to Folder...
    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
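    An added check to go with the removal steps in the reply above (my script, not part of that reply): a read-only shell script that reports which of the persistence items named above are present and shows what each matching launchd plist points at, so you can confirm the infection before dragging anything to the Trash. It takes a root prefix and a home directory as arguments so it can be exercised on a scratch tree; with no arguments it inspects / and $HOME. The paths are exactly the ones listed above; nothing else about the malware is assumed.

```shell
#!/bin/sh
# Read-only audit of the DownLite/VSearch persistence items listed in the
# reply above. Nothing is deleted; it only reports what is present so the
# items can then be removed by hand as described.
# $1 = root prefix (default "" meaning /), $2 = home directory (default $HOME)

vsearch_paths() {
  root=$1; home=$2
  cat <<EOF
$root/Library/LaunchAgents/com.vsearch.agent.plist
$root/Library/LaunchDaemons/com.vsearch.daemon.plist
$root/Library/LaunchDaemons/com.vsearch.helper.plist
$root/Library/LaunchDaemons/Jack.plist
$root/Library/Application Support/VSearch
$root/Library/PrivilegedHelperTools/Jack
$root/System/Library/Frameworks/VSearch.framework
$home/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
EOF
}

# For a launchd plist, print its Label and the program it launches, so the
# reader can see what the persistence item actually executes at login/boot.
describe_plist() {
  grep -A1 -E '<key>(Label|Program|ProgramArguments)</key>' "$1" 2>/dev/null \
    | grep -oE '<string>[^<]*</string>' | sed 's/<[^>]*>//g' | sed 's/^/    -> /'
}

# Prints every listed path that exists. Exit status: 0 = nothing found,
# 1 = at least one item present (so it can drive a "clean or not" decision).
check_vsearch_artifacts() {
  root=${1:-}
  home=${2:-$HOME}
  found=0
  old_ifs=$IFS
  IFS='
'
  set -f                       # paths contain spaces; split on newline only, no globbing
  for p in $(vsearch_paths "$root" "$home"); do
    if [ -e "$p" ]; then
      echo "FOUND: $p"
      case $p in *.plist) describe_plist "$p" ;; esac
      found=1
    fi
  done
  set +f
  IFS=$old_ifs
  return $found
}
```

    Run it before and after the manual removal: a clean machine exits 0 and prints nothing, an infected one lists each surviving item with the program its plist starts.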

  • After the update, Firefox is a mess on my computer: it won't print, and often seizes on opening a window or trying to print. None of this happened before the update. This is the most dysfunctional update yet, on my computer anyway.

    Nothing to add. I'm waiting for a new update to address the problems of this one--which has happened periodically in the past. The "educated guesses" below are incomprehensible.

    Well Bababooey, if you're comparing yourself to an Apple Genius Bar then you should already know my answer; your snarky remark gets a snarky reply. Why would I go to a salesperson to fix my computer problem when I can go directly to the source itself? I used to sell Apple computers over 8 years ago and was Apple certified before the Genius Bar existed. If I am to go about fixing an issue I can't fix on my own, I will go to the source itself, meaning Apple's programmers and developers; being a UI/UX developer myself, I know they should have QA'd all platforms and troubleshot any arising issues.
    This was also the first time in the 20 years I've been using a Mac that I even attempted to go on this forum, which I thought would put me in connection with a certified Apple representative. This turned out to be a complete waste of time, just being a public forum with no Apple employee involved. I was hoping to find a quick fix, but in turn I was only frustrated with stupid responses such as yours that were in no way an answer to my original question.
    BTW, I fixed the issue on my own and without your help or Apple's help. I'm glad if all forums point here regarding this issue because I now have the answer. The answer I was looking for from someone earlier was as simple as this: {Download Mavericks and reinstall the platform; it will take an hour to do, but afterward 10.9.2 was installed and my computer is now able to shut down and restart without having to do a hard boot.} No more software update bar at top and no problems with my drive, which I told both you and Grant; I know my computer better than you and I've probably been using them longer than you.
    So again, Babowa, you were so wrong...... and I am right.
    Again, anyone having the same problem, I suggest reinstalling Mavericks and you'll be surprised: 10.9.2 will work fine.

  • Looks like Adobe messed up. Unable to install the "required" upgrade, required because it won't let you view any videos until you upgrade. Doesn't recognize the new password that I changed because it didn't recognize my old one!

    I have been trying to install the new Adobe Flash upgrade 17 for most of the day; it didn't want to recognize my password, so I went to the web page and changed the password, and now it still doesn't like the new password. Anyone have solutions?

    I have decided to dedicate this thread to the wonderful errors of Lion OSX. Each time I find a huge problem with Lion I will make note of it here.
    Today I discovered a new treasure of doggie poop in Lion. No Save As......
    I repeat. No Save As. In the text editor I couldn't save the file with a new extension. I finally accomplished this oh-so-majorly difficult task (because we all know how difficult it should be to save a file with a new extension) by pressing Duplicate and then saving a copy of the file with a new extension. Yet then I had to delete the first copy and send it to the Trash. And of course then I have to Secure Empty Trash, because if I have to do this for the rest of my Mac's life I will be taking up a quarter of a percent of space with duplicate files. So this is the real reason they got rid of Save As: so that it would gobble up some extra GB on the ole hard disk.
    So about 20 minutes of my time were wasted while doing my homework and studying for an exam, because I had to look up "how to save a file with a new extension in Mac Lion" and then wasted time sitting here and ranting on this forum until someone over at Apple wakes up from their OS X coma.
    Are you freaking kidding me, Apple? I mean REALLY?!!!! Who the heck designed this?!!! I want to know. I want his or her name and I want to sit down with them and have a long chat. And then I'd probably splash cold water on their face to wake them up.
    I am starting to believe that Apple is Satan.

  • Import mail without the correct IDs (OD messed up)

    I messed up the Open Directory info and recreated 5 users from scratch, but how can I import the old mail into the new server?
    Both systems were 10.6.3, and I still have access to the old (screwed-up) machine. Screwed up because the authentication system behaves weirdly (logs are saying that the requests were granted, but in effect no one can access reliably).

    This is a fairly complicated problem that I ran into when I wanted to create a brand new server installation with a new Open Directory Master but wanted to copy the email across.
    The first thing I did was stop the mail service on the old server that was still accepting mail, so that no mail would be lost; anyone attempting to send mail would just be held in the sender's queue.
    The first thing to note is that each user has their mail stored in a folder with a long hex name, for example 'D123456A-D123-4CFF-8553-BEEAF4E887A2'. It is a lot easier to determine whose folder is whose if you still have the old server running, so you can simply look in Server Admin > Mail > Maintenance > Accounts to see a list of who each mail store belongs to. Alternatively, use the Terminal, change into the directory holding all the mail stores and issue the command 'ls -l' to list the stores; each one is owned by the short name of the owner.
    When you know who each folder belongs to you can copy the contents across to the new server. This gets tricky, as permissions are a problem and any user-created mailboxes (folders in their mail client) are stored as hidden files (starting with a period, e.g. .family); these will not copy with a standard Finder copy. What I did was mount a network share on the new server, create a new folder with the name of the owner on the new server, and then simply go into each folder as root and copy the contents using the command 'cp -R * /Volumes/New\ Server/User\ Name/' and then 'cp -R .[!.]* /Volumes/New\ Server/User\ Name/' to copy the hidden files (the '.[!.]*' pattern matches the dot-files without also matching '.' and '..').
    Now you have all the mail copied onto the new server, and the question that remains is what you do with it from there. In my case mail had not been directed to the new server, so I didn't have to worry about mail that was already on the new server. I then simply copied the contents of the mail folders to the new mail store folder; this overwrites any mail that is already in the store, so you wouldn't want to do this on a system where mail is already building up in the mail store. Once the mail is in the new folder you need to change the permissions: 'chown -R newuser:mail B123456A-B123-4CFF-8553-BEEAF4E887A2', where newuser is the short name of the user.
    Now, if you have already started receiving mail on the new server, I guess the best solution would be to create a second account for each user and copy the mail to the second account so as not to overwrite the new mail. They would then have two mail accounts, one that is an archive of their old mail and one that is current. Not ideal, but it at least means they still have access to their old mail.
    I have only given an outline of the process, assuming you have a fair understanding of the file structure and using the command line. Sorry if it is confusing; it is always difficult to judge the level of understanding someone has. Feel free to ask if there is something you don't follow.
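    As an added example following the reply above (my script, not the poster's): the copy-and-chown procedure as shell functions, written so the hidden ".folder" mailboxes come across in the same pass as everything else and so an existing, non-empty store on the new server is never silently overwritten. Store directory names, the "mail" group and the owner lookup via ls -l are taken from the reply; the directory layout used in the usage call is a constructed scratch tree.

```shell
#!/bin/sh
# Copy one mail store directory (old server) to its new location including
# hidden mailboxes, then fix ownership as in the reply above.
# "cp -R SRC/. DST/" copies dot-entries together with everything else and
# cannot pick up "." or ".." the way a bare ".*" glob can.

# Print "owner uuid" for every mail store directory under $1, using the
# owner column of ls -l (the reply's way of telling whose store is whose).
list_mailstore_owners() {
  for d in "$1"/*/; do
    [ -d "$d" ] || continue
    d=${d%/}
    printf '%s %s\n' "$(ls -ld "$d" | awk '{print $3}')" "${d##*/}"
  done
}

# Copy SRC (old store) into DST (new store), creating DST if needed.
# Exit 1 if SRC is missing; exit 2 (and copy nothing) if DST already holds
# messages, because new mail that has started arriving must not be lost.
copy_mailbox() {
  src=$1; dst=$2
  [ -d "$src" ] || { echo "no such store: $src" >&2; return 1; }
  if [ -d "$dst" ] && [ -n "$(find "$dst" -type f 2>/dev/null | head -n 1)" ]; then
    echo "refusing to overwrite non-empty store: $dst" >&2
    return 2
  fi
  mkdir -p "$dst" || return 1
  cp -R "$src/." "$dst/"
}

# chown the copied store to NEWUSER:mail as in the reply. Only root may chown
# to another user, so when not root this just prints the command to run.
fix_mailbox_ownership() {
  dst=$1; owner=$2
  if [ "$(id -u)" -eq 0 ]; then
    chown -R "$owner:mail" "$dst"
  else
    echo "run as root: chown -R $owner:mail $dst"
  fi
}

# Usage on a constructed scratch tree (not real mail):
# list_mailstore_owners /var/old-mailstore   -> "alice D123456A-D123-4CFF-8553-BEEAF4E887A2"
# copy_mailbox /var/old-mailstore/D123456A-... /var/spool/imap/dovecot/mail/D123456A-...
# fix_mailbox_ownership /var/spool/imap/dovecot/mail/D123456A-... alice
```

    Driving it from list_mailstore_owners keeps the owner-to-UUID mapping and the chown in one place, which is where the hand-copy approach usually goes wrong.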

  • How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

    I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
    Start with an erased, virgin, single GUID-partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use Disk Utility to erase the OS X partition, then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
    Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout Server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Someday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
    Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
    DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
    DVD>Install Lion
    Reboot, hopefully Lion install kicks in
    Update, update, update Lion (NOT Lion Server yet) until no more updates
    System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standby)
    Terminal>$ sudo scutil --set HostName server.domain.com
    App Store>Install Lion Server and run through the Setup
    Download and install Server Admin Tools, then update, update, update until no more updates
    Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
    System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
    A few DNS set-up steps and these most important steps:
    A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
    B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
    C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
    D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
    E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
    F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
    G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed as an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
    H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.]
    I. Test from web browser server.domain.com/mydevices: Lock Device to test
    J. ??? Profit
    12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
    You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
    Firewall
    Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is mostly a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from MacPorts after installing Xcode from the App Store) help show which ports are open.
    SSH
    Do this with strong security. Use Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    I'm not sure if toggling Allow remote logins will load this config file; alternatively, run "sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist ; sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist" to restart the server's ssh daemon (ssh.plist is the sshd job; org.openbsd.ssh-agent.plist in LaunchAgents is the per-user key agent, and reloading it does not restart sshd).
    Then use ssh-keygen on the remote client to generate a public/private key pair that can be used to remotely log in to the server.
    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ mkdir -p ~/.ssh && cat id_rsa.pub >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
    I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
    $ diff denyhosts.cfg-dist denyhosts.cfg
    12c12
    < SECURE_LOG = /var/log/secure
    > #SECURE_LOG = /var/log/secure
    22a23
    > SECURE_LOG = /var/log/secure.log
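    Review bot: SECURE_LOG = /var/log/secure.log only helps if sshd's authentication messages are actually written to that file; after one deliberately failed login, run grep sshd /var/log/secure.log and confirm the line appears before trusting the reports, because a log path with no sshd entries makes DenyHosts silently detect nothing.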
    34c35
    < HOSTS_DENY = /etc/hosts.deny
    > #HOSTS_DENY = /etc/hosts.deny
    40a42,44
    > #
    > # Mac OS X Lion Server
    > HOSTS_DENY = /private/etc/hosts.deny
    195c199
    < LOCK_FILE = /var/lock/subsys/denyhosts
    > #LOCK_FILE = /var/lock/subsys/denyhosts
    202a207,208
    > LOCK_FILE = /var/denyhosts/denyhosts.pid
    > #
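    Review bot: LOCK_FILE = /var/denyhosts/denyhosts.pid points at a directory that must already exist and be writable by the user DenyHosts runs as (mkdir -p /var/denyhosts as root before the first start); if it is missing the daemon exits at startup without ever banning anything, and nothing in this diff creates it.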
    219c225
    < ADMIN_EMAIL =
    > ADMIN_EMAIL = [email protected]
    286c292
    < #SYSLOG_REPORT=YES
    > SYSLOG_REPORT=YES
    Network Accounts
    Use Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as it should be. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
    2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
         User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
    Oh well.
    Email
    Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
    root:           myname
    admin:          myname
    sysadmin:       myname
    certadmin:      myname
    webmaster:      myname
    my_alternate:   myname
    Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
    cd /etc/postfix
    sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
    echo 'smtp_sasl_security_options = noanonymous' | sudo tee -a ./main.cf   # "sudo echo ... >> file" does not work: the redirection runs as you, not root
    sudo serveradmin stop mail
    sudo serveradmin start mail
    Finally, make sure that you're running a blacklisting service yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
    If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
    iCal Server
    Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
    Web
    The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
    $ diff httpd.conf.default httpd.conf
    95c95
    < #LoadModule ssl_module libexec/apache2/mod_ssl.so
    > LoadModule ssl_module libexec/apache2/mod_ssl.so
    111c111
    < #LoadModule php5_module libexec/apache2/libphp5.so
    > LoadModule php5_module libexec/apache2/libphp5.so
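    Review bot: LoadModule php5_module enables PHP for every path Apache serves, not only the one index.php under the EyeTV alias, so any .php file that lands in a served directory (including the user-writable Sites tree configured below, where AllowOverride All also lets an .htaccess change settings) runs as the web server user. If only that one script needs PHP, keep the module loaded but add php_admin_flag engine off in the <Directory> blocks that should serve static files only, such as the EyeTV Archive one.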
    139,140c139,140
    < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    < #LoadModule encoding_module libexec/apache2/mod_encoding.so
    > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    > LoadModule encoding_module libexec/apache2/mod_encoding.so
    146c146
    < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    177c177
    < ServerAdmin [email protected]
    > ServerAdmin [email protected]
    186c186
    < #ServerName www.example.com:80
    > ServerName domain.com:443
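    Review bot: ServerName domain.com:443 does not make Apache listen on 443; that needs a Listen 443 directive and a <VirtualHost *:443> with SSLEngine on and the certificate paths, and the port in ServerName only affects self-referential URLs. The name also does not match the auto-generated certificate, which, as noted further down, is issued for server.domain.com only, so browsers keep warning on https://domain.com until the cert covers that name; ServerName server.domain.com:443 matches what the cert actually says.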
    677a678,680
    > # Server-specific configuration
    > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
    > Include /etc/apache2/mydomain/*.conf
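    Review bot: Include /etc/apache2/mydomain/*.conf loads every file in that directory into the server configuration at the next restart, so the directory and its files must be owned by root and not writable by the web server user or any regular account; a stray .conf dropped there would be executed as Apache configuration with full server privileges. Worth a chmod 755 on the directory and 644 on the files right after the mkdir.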
    I did "sudo mkdir /etc/apache2/mydomain" and added specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache user accounts with tildes as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
    Alias /eyetv /Users/uname/Sites/EyeTV
    <Directory "/Users/uname/Sites/EyeTV">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
    <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    I think you can turn Web off/on in Server.app to relaunch Apache, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
    Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
    One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternative Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or how to generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the automatically generated SSL certs just breaks Lion Server.
    Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
    User-agent: *
    Disallow: /
    Misc
    VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

    Privacy Enhancing Filtering Proxy and SSH Tunnel
    Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
    If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
    $ ./ssht 8080:[email protected]:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/bash
    # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    # (bash rather than sh: the +(pattern) matching below needs "shopt -s extglob")
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost
    REMOTEPORT_DEFAULT=3128         # Default is Squid port
    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
      case $1
      in
        -p) shift;                  # -p option
            SSHPORT=$1;
            shift;;
         *) TUNNEL_DETAILS=$1;      # 1st argument option
            shift;;
      esac
    done
    # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
    shopt -s extglob                        # needed for +(pattern) syntax; man bash
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT
    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR%:}                            # delete :
    if [ "$CAR" != "" ]                     # leading port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # trailing port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote host specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading *@
    CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                            # delete @
    if [ "$CAR" != "" ]                     # user name specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" == "" ]                # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi
    ssh -p "$SSHPORT" -L "$LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT" -l "$USERNAME" "$HOSTNAME" -f -C -q -N \
        && printf 'SSH tunnel established via %s:%s:%s\n\tto %s@%s:%s.\n' "$LOCALHOSTPORT" "$REMOTEHOST" "$REMOTEPORT" "$USERNAME" "$HOSTNAME" "$SSHPORT" \
        || echo "SSH tunnel FAIL."

  • How do i create a single sign on environment from scratch?

    setting up a single mac mini 10.6.6 server in a small law firm and want to create a sso environment from scratch. i have currently got everything working fine as an open directory master, but every reference to sso that i can find, talks about joining an existing sso environment, or joining ad, creating a triangle, but never a stand alone od master to create the sso. am i missing something, or is it not possible or practical to do in such a small office with just a few users?
    thanks for any help understanding this.

    i appreciate your input Rikakiah, although i am glad i don't have to pronounce your alias out loud
    anyway, that's starting to sound like something i might want to try, because so much of what i want to do is not really working the way i'm doing it. it had crossed my mind, but wasn't sure i was going to avoid problems by using network home folders instead of mobile accounts. at this point, i have only one of the four workstations bound to the server, which was purchased as a mac mini snow leopard server with the dual internal drives, and was set up as a mirrored raid with the 2 internal 500 gig drives.
    i am seeing what seems to me like some odd behavior with network accounts working with the log in screen (all the users show up in the log in screen properly as network accounts, but only one account, the one that matches exactly the local account user name and password and allows log in) and auto mounting group shares are not seeming to work at all. what seems odd, is that management of the local account seems to be working great, and has merged management with the local account. the user still has all their existing documents and settings, but i can see that the things like the control panels i locked them out of are grayed out. so to be try to be clear here, i have 4 network accounts set up in wgm, and on the log in screen, i see 3 network accounts with the typical network user icon, and what looks like the original account with the original icon. i can only log in using that account, but when i get in there, it's managed ok. i expected to see the original local account and 4 network accounts, but evidently using the same user name on the server as the local account caused this. when i try to log in with one of the other network accounts, the login screen shakes its head no.
    for the record, from another post talking about network log in issues, on the local system, setting System Preferences>Accounts>Login Options>Allow network users to log in at login window>Options>Only these network users: can mess this up, but my settings there are fine, since i had never messed with that. it says "allow all network users" or something like that.
    here's what i am trying to get to: auto mounting group shares and single sign on for afp group folders and ichat, and as you said to allow the users to move around from workstation to workstation as needed. as you know, there's a myriad of settings to make this all happen. i don't see how anyone can help me fix the 2 things that aren't working, unless i give a long winded explanation of what my settings in workgroup manager and server admin are, so here goes…
    i have dns and open directory running fine, a static map of ip addresses so that i can do authenticated directory binding, which seems great so far. in wgm, i have under preferences / computer list the one computer i have bound - computername$ and under window checked always, heading - directory status, list of users, show local users, network users, computer administrators, and other. under options checked always, enable fast user switching, computer administrators may refresh or disable management, and start screen saver after 5 minutes. under access checked always, clicked the gear button once which caused network users - allow - * to appear in the access control list, local only users may log in, local only users use available workgroup settings, and combine available workgroup settings. scripts and items have never checked.
    then for workgroup folders to auto mount, i have set afp auto mounts for each of my 2 groups, partner admin and support staff in server admin / afp. under accounts / groups / support staff / group folder, the support staff auto mount is selected, and the user i am working with is obviously a member of that group under the members tab. finally, under preferences / groups / support staff / items, always and add group is checked and the support staff volume shows up in the list. authenticate selected share point with user's login name and password is grayed out and not checked, and merge with user's items is grayed out and checked. i'm not sure what i am missing to get auto mounting group folders here. btw, the user can for sure log into the group folder with the same user name password that she logs into the workstation with, if she does so manually under the go / connect to server menu.
    oh, and ichat seems to work as expected. she gets sso there! sweet!
    if i do end up trying to go for network home folders, (i would like to see auto mounting group folders working first, before i try) i found something that looks like a no-brainer to add to the mix…
    http://tools.mconserv.net/NHR.html
    thanks everyone for your interest in helping me deploy this server.

  • Complications migrating from Snow Leopard Server to Mountain Lion Server.

    I'm migrating from Snow Leopard Server to Mountain Lion Server. The article "OS X Server: Upgrade and migration" (http://support.apple.com/kb/HT5381) says
    "Make sure that any DNS or DHCP servers on which your server depends remain running during the upgrade"
    This advice is reinforced by the details of the article "OS X Server: Steps to take before upgrading or migrating the Open Directory database" (http://support.apple.com/kb/HT5300).
    As the server I'm migrating from provides these services it will need to be running during the migration process. This would seem to limit my options to doing the migration from a Time Machine backup (or, making a separate clone of the server's drive and connecting it externally to the new box).
    My main concern is the seemingly inevitable clash that is going to occur on the network as the new server takes on the roles of the old one - while it is still running.
    What are my options here?
    This is my second attempt as on my first try I did the migration from the TM backup with the network down - and none of my local network users or their home directories were migrated, although the settings for the mount points were, but there were no actual directories where they pointed to!
    Clear directions on how to proceed would be VERY MUCH appreciated.
    Thank you.

    Moving from Snow Leopard to Mountain Lion means first installing the client (non-Server) version of Mountain Lion and then installing Server.app. This means that for at least part of the process you will not be running DNS, DHCP or Open Directory.
    If you are going to end up using the same DNS name and IP address after the change then an approach you could follow would be as follows.
    Destroy any Open Directory replicas
    Archive your Open Directory Master (to make a backup)
    Note down your DNS records in case they get messed up
    Export via Workgroup Manager your users, and groups (you might not need this but better safe than sorry), make sure you do not include the diradmin account
    Keep a full backup of the server (you should always have backups)
    Note down your DHCP server settings in case they get messed up
    Note down any other service settings
    Install Mountain Lion
    Install Server.app
    Install Workgroup Manager (extra free download)
    Run Server.app
    Make sure settings for services are as much as possible the same as before
    If you're lucky that may be all you need to do, otherwise...
    Restore Open Directory archive, if you're lucky that will be all you need to do, otherwise...
    Make new Open Directory Master
    Run Workgroup Manager
    Import users and groups you previously exported
    You will then have to set passwords for each user as these are not preserved via Workgroup Manager export
    When I did this, I was also being forced to change all my IP addresses so I had no choice but to use Workgroup Manager to export and import accounts.

  • Seeking Simple OD/Kerberos Answers

    I have been messing with our test server for several days now and feel I have gotten nowhere fast. I have searched through Apple's support pages and have done everything I think they say to do, but to be honest I think most Apple technical writers assume people know more than they do and thus say less than they should.
    I am trying to set up a new server to replace our old G4 Xserver and want to set the new one up 'correctly'. When the G4 was first put into place some years ago it was under emergency conditions and needless to say mistakes were made, mostly from not having the time needed to learn the new software. As time went on the server churned away endlessly and was always rock-solid, but the directory structure was local and it really did not take advantage of any of the great features that set OS X server apart from the 6.3 server it replaced.
    My immediate goals are as follows:
    - Set up the user directory on a network domain
    - Use Single Sign-On
    - Use the automated preference settings
    - Optionally have auto-mounted share points
    So far I believe I have set up the Open Directory Master the way it should be, but the rest of it I am lost on.
    Please note that the server is set up with a Static IP Address and its name is registered in our company's DNS directory and is fully pingable by both its name and address.
    If there are some good white papers out there that someone can point me to or some good basic advice on any single part of my puzzle I would appreciate it.

    Here are some links that will keep you busy for a while
    http://www.afp548.com/article.php?story=20050908125443243&query=ad%252Fod
    http://homepage.mac.com/johnd (click on downloads, then latest tips)
    http://www.apple.com/server/documentation (get the Open Directory Admin pdf and User Management)

  • Network User Can't Delete Desktop Files

    I'm not sure if this is a server or desktop question because I'm not sure where the problem is, but I'll start here.
    I have a user that cannot delete files on his desktop, and now can't change his desktop background.  He is a networked user on a 10.6.2 iMac.  His account is on a Mac OS X 10.6.8 server.  When I try to delete the file, it prompts for administrator authentication.  I enter it in, but nothing happens.  No errors appear and the file doesn't delete.  When I look at the details, it says "com.apple.desktopservices".  I have done the following things:
    1.  Reapplied rights to his folder in the Get Info Box
    2.  Deleted him from Workgroup Manager and re-created his account
    3.  Checked that the file isn't locked
    4.  Checked that the desktop folder isn't locked
    5.  Verified his permissions are correct on all folders
    6.  Ran Disk Utility on his machine
    7.  Tried his account on another machine (same result as on his machine)
    Based on another forum, I moved the com.apple.desktop.plist file out of his library and logged him in again. The only thing that I noticed is the background picture changed back to default.  I moved the file back, but the desktop picture is still back to default and if I go into System Preferences, I can't change the background or screen saver.
    Something is messed up somewhere with his desktop settings, but I can't figure out where.  Does anyone have any ideas?

    Today I backed up my Open Directory master on the server, deleted it and recreated it from the backup. No change unfortunately and still the same message:
    "The document xxx.yyy could not be saved. You don't have permission."
    Any good suggestions available?

  • Wikis, OD Masters, and a "What if" Question

    I have several Xserves running 10.5.3, one has an established website and external IP, the others are accessible on the internal network. The public IP server is a OD replica; one of the internal servers is the OD Master. I have been attempting to ignore the Web Administration caveat that wiki and ical servers must be on the OD Master with limited success, at least with the wiki part.
    What if I made the external IP server, currently an OD replica, into a subordinate OD Master? Would this be doable? Would it enable properly running wiki and ical on the external IP server? I really do not want to remove the existing (internal) OD Master server....
    Page 69 of the Open Directory Admin manual says:
    You can use cross-domain authorization between an Active Directory server and a Mac OS X v10.5 Open Directory server or between two Mac OS X v10.5 Open Directory servers. Cross-domain authorization does not work on a Mac OS X v10.4 server. To use PAC information, the pseudomaster server must have a Kerberos realm for the subordinate server to join.
    To become a subordinate for a directory system you must use Directory Utility to join your server to an Active Directory or Open Directory server that has Kerberos configured and running. Then, using Server Admin, you must promote your Open Directory server to an Open Directory master. The subordinate server automatically determines that it is subordinate to an Active Directory or Open Directory server and configures itself accordingly.
    Has any one done this? Problems? Does it accomplish the goal of having functioning wikis and ical server on the external IP server together with the existing internal OD Master server? Will I end up with conflicting systems? Will the LDAP directory become a mess?
    Thoughts, suggestions, etc., would be sincerely appreciated.

    Since this is about "what if's"... what if you tried to run it on a Virtual PC, then made an image of that VPC, then put that image on a different volume?
    Just curious
    Currently Just passed the CompTIA A+ 601 with flying colours! =D
    Owner of an SL500 running Vista Business with 4GB of PC2 6400 RAM

  • SAN with 3 Xserves with No OpenDirectory - Permissions!?

    We have 3 xserves sharing the same folder from one SAN.
    None of the xserves are connected to any Open Directory or Active Directory.
    My question is this:
    When we add a user to the ACL of the SAN on server1, server2 and server3 show an unknown number in place of a User. so we just add the same name of the user onto both other servers. Example: macuser. So when clients need to connect to the SAN folder, they connect using the user name macuser.
    We do have an Active Directory server on Windows 2003 Server that has over 200 accounts for all users. We also have another Mac that can serve as an Open Directory master.
    What is the best practice for setting up the SAN shares so that all the Windows clients and Mac Clients can connect with little or no permissions errors?
    I can provide much information if need be.
    Thanks in advance.

    Well, OS X uses the User ID as the definition of user identity. It does not use the user short name. So if you use local accounts, your user IDs will be 501 (for the first user on a machine), 502 (for the second user) and so on.
    Thus, if you create users Joe, Fred, and Mark on machine #1 (in that order), and then you create Rob, Joe, and Fred, on the second machine, when you log in as Joe on machine #1, you will be logged in with Rob's permissions, for example. This is a mess.
    Use a directory service. That's pretty much the advice. Unless you have a script which creates the users as part of your imaging process, or unless you have EXACTLY ONE account you use on every machine (and you create it first on each machine), you're going to be spelunking in the pain cave where permissions are concerned.
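    The UID-versus-short-name point above, as an added example that is not code from this thread: a small checker that compares per-host local account listings and reports short names whose UID differs between hosts and UIDs that belong to different users, which is exactly the situation that makes ACL entries show up as an unknown number on the other servers. The hostnames, users and listings are constructed; their "name uid" format mimics the output of `dscl . -list /Users UniqueID`.

```python
"""Detect local-account UID/name collisions across hosts sharing one volume.

Added example, not from the original thread. POSIX permissions and ACLs on
a shared volume record the numeric UID, not the short name, so the same
name created in a different order on each host gets a different UID.
The listings below are constructed to look like
`dscl . -list /Users UniqueID` output; hosts and users are invented.
"""
from collections import defaultdict

# Constructed sample, mirroring the answer's Joe/Fred/Mark vs Rob/Joe/Fred case.
HOST_LISTINGS = {
    "server1": "joe 501\nfred 502\nmark 503\n",
    "server2": "rob 501\njoe 502\nfred 503\n",
    "server3": "macuser 501\n",
}


def parse_listing(text):
    """Parse 'name uid' lines into a {name: uid} dict; malformed lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        accounts[parts[0]] = int(parts[1])
    return accounts


def find_collisions(listings):
    """Return (name_conflicts, uid_conflicts).

    name_conflicts: {name: {host: uid}} for names whose UID differs by host.
    uid_conflicts:  {uid: {host: name}} for UIDs owned by different names.
    """
    by_name = defaultdict(dict)
    by_uid = defaultdict(dict)
    for host, text in listings.items():
        for name, uid in parse_listing(text).items():
            by_name[name][host] = uid
            by_uid[uid][host] = name
    name_conflicts = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    uid_conflicts = {u: h for u, h in by_uid.items() if len(set(h.values())) > 1}
    return name_conflicts, uid_conflicts


def resolve_acl_entry(uid, host, listings):
    """Name an ACL entry stored as `uid` resolves to on `host`, or None when
    that host has no such account (the 'unknown number' the question describes)."""
    for name, u in parse_listing(listings[host]).items():
        if u == uid:
            return name
    return None


def report(listings):
    """Human-readable findings, one line per collision."""
    names, uids = find_collisions(listings)
    lines = []
    for name, hosts in sorted(names.items()):
        lines.append(f"name {name!r} has different UIDs: {dict(sorted(hosts.items()))}")
    for uid, hosts in sorted(uids.items()):
        lines.append(f"uid {uid} belongs to different users: {dict(sorted(hosts.items()))}")
    if not lines:
        lines.append("no collisions: UIDs are consistent across hosts")
    return lines


if __name__ == "__main__":
    for line in report(HOST_LISTINGS):
        print(line)
```

    Run it against real `dscl` output from each server before putting a shared volume into service; a clean report is the precondition for local accounts working at all, and a directory service removes the problem entirely.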

  • Windows sharing on a second OS X server

    Hello,
    I have 2 Mac OS X Servers with Mac OS X Server 10.4.11. One server is an Open Directory Master and the other is an Open Directory Replica.
    The OD Master is also a Primary Domain Controller, only for Windows filesharing. I can connect with Windows clients to the PDC.
    The OD Replica must also be a Windows fileserver for filesharing.
    I have set it to Standalone Server and made the workgroup the same as the PDC. Windows services is starting up, but I can't connect.
    When I change the role to Domain Member or Backup Domain Controller, click save and type in the password, I'll get an error.
    The error is: "Error while writing settings (Cannot make the server a domain member)". I tried it with root, diradmin and the local admin accounts.
    Does anyone know how to make this work?
    Kind regards,
    Ferry

    Hi,
    I have quite the same problem with 2 Mac OS X Servers with Mac OS X Server 10.5.4. The OD and PDC on the first server works pretty well, but on the second it's a mess.
    My aim :
    * Server #1 : DNS, OD, PDC, AFP/SMB/FTP (Home Directories)
    * Server #2 : DHCP, NetBoot, Replica , BDC , PrintServices with IPP/SMB
    * Server #3 : Windows 2003 Server for the user's profiles (works fine) and Ghost
    0) For the OD, I have to turn on SMB as a "standalone" server and then change to "PDC" without stopping the SMB service. Don't try to set it directly as a PDC, otherwise the clients can't login.
    1) I set the second server as Replica and BDC, it's possible but then I had a lot of trouble with the clients, some couldn't write on their own Home Directory.
    2) So I come back and set the second server as a "Standalone" for the OD, but it remains as Replica in the first one, troubles again.
    3) I save the LDAP, then demote the OD/PDC then repromote it, and, restore the LDAP. Set the second as "standalone/standalone". It's possible to integrate the server in the OD domain, but impossible to join the SMB domain as "Domain member", it asks me to join but nothing happens, it goes back to "standalone" ! Result : the Windows clients can't print.
    Any solution for joining the second server as "domain member" ?
    I will try to fix the printing problem by setting server #1 as Print Server.
    Besides that, I'm disappointed by Leopard Server: no usable printing quota, no usable files quota, NFS unstable, quite a lot of bugs.
    Furthermore, how do I best handle synchronisation of the "offline files" in Windows XP? I turn it off, good idea? I have mostly desktop computers.

  • Show Network Users (as List) not working consistently (10.5 server/client)

    I am running an Xserve with 10.5.5 Server as an Open Directory Master. When I go to the Computer Group the clients are listed in and set the preference to show network users as list on the loginwindow, the clients are not constantly displaying the list. Network Accounts are available on the client and typing the username in Other is also logging in.
    What I think is strange is that my custom heading always displays, so I know I'm getting at least some of the mcx settings on the client. This was not a problem with the 10.5.4 client/server combo. If only local accounts are listed, you can restart and 50% of the time the network users show up in the list. You can also log in as a local user and log out, this will sometimes refresh the list to display network users. However, whether or not the users are displayed in the list, network accounts are always available and can log in via Other.
    Does anybody know what I can do to fix the problem? It is an elementary school environment, so it is not feasible to have kindergarten students to type out their names every single time.
    One possible solution I came up with is to replace the 10.5.5 loginwindow on the client with the 10.5.4 version, but 10.5.5 supposedly fixes a lot of problems with it. Are there any negative consequences that could occur from doing this besides the fact that I lose the security fixes to the 10.5.5 version? I know that my 10.4.11 clients do not experience this problem, so I'm guessing that the 10.5.4 loginwindow might just work, but wanted to see if anyone knew of any issues in doing this.
    I have also written a program that manages our clients for automated naming, image OS version assignment with NetRestore, and generates import files that create computer and computer list records for Workgroup Manager. This information is stored in a MySQL database and the program I wrote generates files that are imported into Workgroup Manager for list assignment. The computer lists are generated by room number, and computers are assigned names with their corresponding room number and placed in the appropriate computer list. In 10.5, I see that there is a push for Computer Groups rather than Computer Lists. However my program assigns computers to lists using the computer record name rather than the generated uid of the computer record like the computer group expects. From what I understand, the only benefit to Computer Groups is that you can include other Computer Groups within Computer Groups. Does this create any issues for mcx management? I have tried both groups and lists and have the same problem with loginwindow network user lists on 10.5.5.
    Another question I have is how do you change the Cache settings now in WGM? In 10.4.11, there was a "Cache" tab where you could force clients to refresh the MCX cache after x amount of time, but the tab has been removed in 10.5. Can I add that mcx flag to Open Directory and have my 10.5 clients respect the policy, or has this been outdated in 10.5?
    Thanks,
    Chris Bethel
    Hamilton County Dept. of Education
    Chattanooga, TN
    [email protected]

    Thanks for your reply, it gave me an idea that seems to be working so far:
    This is not feasible for anything other than an elementary school with network homes. It is extremely insecure but when you need a working product, you pretty much gotta do what you gotta do. Here's what I've done:
    1. I created a local administrator user with the name "@ Refresh List" with short name "refreshlist" with no password.
    2. Launch Script Editor (in /Applications/AppleScript/Script Editor) and paste this code:
    do shell script "rm -Rf '/Library/Managed Preferences'" password "" with administrator privileges
    do shell script "killall loginwindow" password "" with administrator privileges
    3. Save with file format set to Application, check "Run Only" and uncheck all other boxes, to somewhere in the user's home folder.
    4. In the Accounts pane of System Preferences, select the "@ Refresh List" user and go to the Login Items tab.
    5. Drag in the application you just saved.
    6. Quit System Preferences and log out.
    This is EXTREMELY bad for security, but since it's elementary school students and network home folders, there's not much for them to mess up. It provides a 1-click process to updating the much needed list.
    Also -- I've tried swapping out loginwindow with 10.5.4 and experienced the exact same result.
    My fix is quick and dirty, but gets the job done.
    Does anyone else have any suggestions?
    Message was edited by: WollarinTJ
