Misconfiguration detected in hash 'SID' / 'GID'

Similar Messages

• Misconfiguration detected in hash 'GID'

  So it seems somehow I have a conflict between a default user and a sharepoint with their ID
  Any help to resolve this would be great.
  There are no access restrictions on this machine
  2010-04-27 13:09:35 EDT - T[0x0000000102B81000] - Misconfiguration detected in hash 'GID':
  2010-04-27 13:09:35 EDT - T[0x0000000102B81000] - Group 'com.apple.sharepoint.group.6' (/Local/Default) - ID 106 - UUID F2BBAF71-A605-4F25-8FE5-8927BE578F81 - SID S-1-5-21-2431082434-2368188631-2040194005-1213
  2010-04-27 13:09:35 EDT - T[0x0000000102B81000] - Group 'com.apple.limited_admin' (/LDAPv3/127.0.0.1) - ID 106 - UUID 8622BF36-A93E-41C3-A390-6E584C1EEC5A - SID S-1-5-21-2431082434-2368188631-2040194005-1213
  2010-04-27 13:09:35 EDT - T[0x0000000102B81000] - Misconfiguration detected in hash 'SID':
  2010-04-27 13:09:35 EDT - T[0x0000000102B81000] - Group 'com.apple.sharepoint.group.6' (/Local/Default) - ID 106 - UUID F2BBAF71-A605-4F25-8FE5-8927BE578F81 - SID S-1-5-21-2431082434-2368188631-2040194005-1213
  2010-04-27 13:09:35 EDT - T[0x0000000102B81000] - Group 'com.apple.limited_admin' (/LDAPv3/127.0.0.1) - ID 106 - UUID 8622BF36-A93E-41C3-A390-6E584C1EEC5A - SID S-1-5-21-2431082434-2368188631-2040194005-1213

  Hi, the problem is in the Server Admin - Acess tab. Remove the Access restriction of the service.
  I have the same problem with the "com.apple.access_radius", removing all the restriction the error stop.

• Misconfiguration detected in hash -- but for a "group"?  How to fix?

  So I read the other threads about people with this problem -- but they get this for user accounts.
  In my system.log file, I get these:
  Nov 12 11:05:12 tts10 DirectoryService[29]: Misconfiguration detected in hash 'SID' - see /Library/Logs/DirectoryService/DirectoryService.error.log for details
  But when I look in the error.log, it's referring to groups -- not users:
  2009-11-12 11:05:12 EST - T[0x0000000103381000] - Misconfiguration detected in hash 'SID':
  2009-11-12 11:05:12 EST - T[0x0000000103381000] - Group 'com.apple.sharepoint.group.1' (/Local/Default) - ID 101 - UUID FEC93DE0-2160-4841-83F9-8C3D4D92BF9D - SID S-1-5-21-447369889-2185500279-2677664303-1203
  2009-11-12 11:05:12 EST - T[0x0000000103381000] - Group 'com.apple.access_screensharing' (/Local/Default) - ID 101 - UUID 193DC638-BF8C-44EF-8442-CF93E7B1B84C - SID S-1-5-21-447369889-2185500279-2677664303-1203
  Which apparently seem to have the same ID.
  However, I'm not seeing these groups in WGM. What should I be looking for to find the groups and their IDs?
  (I'm suspicious of the group that says "group.1" being a duplicate group...)
  This is a server that started at 10.5.6, was updated accordingly through 10.5.8 and was updated to 10.6.0/1 a month or so ago and had the 10.6.2 combo update installed a couple of days ago.
  Thanks!

  A bit more on this...
  I looked at the groups with dscl.
  Sure enough, they show the same "PrimaryGroupID":
  /Local/Default/Groups > read com.apple.access_screensharing
  AppleMetaNodeLocation: /Local/Default
  GeneratedUID: 193DC638-BF8C-44EF-8442-CF93E7B1B84C
  NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
  PrimaryGroupID: 101
  RealName:
  Screen Sharing Group
  RecordName: com.apple.access_screensharing
  RecordType: dsRecTypeStandard:Groups
  /Local/Default/Groups > read com.apple.sharepoint.group.1
  AppleMetaNodeLocation: /Local/Default
  GeneratedUID: FEC93DE0-2160-4841-83F9-8C3D4D92BF9D
  GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
  GroupMembership: root
  NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050 ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C
  PrimaryGroupID: 101
  RealName: Public
  RecordName: com.apple.sharepoint.group.1
  RecordType: dsRecTypeStandard:Groups
  /Local/Default/Groups >
  I'm just not sure what I'm supposed to do now? On another box, "screensharing" is group "401" (and has a different "RealName"):
  /Local/Default/Groups > read com.apple.access_screensharing
  AppleMetaNodeLocation: /Local/Default
  GeneratedUID: 739023F9-4456-4C1F-BEDB-0EB013B0415B
  NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
  PrimaryGroupID: 401
  RealName:
  Screen Sharing ACL
  RecordName: com.apple.access_screensharing
  RecordType: dsRecTypeStandard:Groups
  /Local/Default/Groups >
  Thoughts? Suggestions?

• Misconfiguration detected in hash 'Global SID'

  Greetings
  I have the above message in my Directory Services Error log, repeated over & over. I read other posts about this which seem to relate to overlapping user or group IDs. I don't have that issue, and in fact this seems to relate to computer records rather than users or groups. As a test, I deleted & recreated the Guest Computer record, but still get the same issue.
  eddie.waveneyrivercentre.co.uk is the name of the server, and if I am understanding the log correctly it's computer record is somehow conflicting with the guest computer record?
  Mac Mini OS X Server 10.6.2
  Here's the log:
  2009-12-29 21:45:41 GMT - T[0x0000000101D05000] - Misconfiguration detected in hash 'Global SID':
  2009-12-29 21:45:41 GMT - T[0x0000000101D05000] - Computer 'guest' (/LDAPv3/127.0.0.1) - ID -1 - UUID CE6FD001-9FAD-40EF-89D0-6993842825D5 - SID S-1-5-21-621501553-3013919606-753330415-998
  2009-12-29 21:45:41 GMT - T[0x0000000101D05000] - Computer 'eddie.waveneyrivercentre.co.uk$' (/Local/Default) - ID -1 - UUID 4D69A263-5232-4AB4-A7F7-63C57E7F2F70 - SID S-1-5-21-621501553-3013919606-753330415-998
  2009-12-29 21:45:41 GMT - T[0x0000000100786000] - Misconfiguration detected in hash 'Global SID':
  2009-12-29 21:45:41 GMT - T[0x0000000100786000] - Computer 'guest' (/LDAPv3/127.0.0.1) - ID -1 - UUID CE6FD001-9FAD-40EF-89D0-6993842825D5 - SID S-1-5-21-621501553-3013919606-753330415-998
  2009-12-29 21:45:41 GMT - T[0x0000000100786000] - Computer 'eddie.waveneyrivercentre.co.uk$' (/Local/Default) - ID -1 - UUID 4D69A263-5232-4AB4-A7F7-63C57E7F2F70 - SID S-1-5-21-621501553-3013919606-753330415-998
  does anyone have any ideas?
  TIA
  JAmes

  Greetings
  I have the above message in my Directory Services Error log, repeated over & over. I read other posts about this which seem to relate to overlapping user or group IDs. I don't have that issue, and in fact this seems to relate to computer records rather than users or groups. As a test, I deleted & recreated the Guest Computer record, but still get the same issue.
  eddie.waveneyrivercentre.co.uk is the name of the server, and if I am understanding the log correctly it's computer record is somehow conflicting with the guest computer record?
  Mac Mini OS X Server 10.6.2
  Here's the log:
  2009-12-29 21:45:41 GMT - T[0x0000000101D05000] - Misconfiguration detected in hash 'Global SID':
  2009-12-29 21:45:41 GMT - T[0x0000000101D05000] - Computer 'guest' (/LDAPv3/127.0.0.1) - ID -1 - UUID CE6FD001-9FAD-40EF-89D0-6993842825D5 - SID S-1-5-21-621501553-3013919606-753330415-998
  2009-12-29 21:45:41 GMT - T[0x0000000101D05000] - Computer 'eddie.waveneyrivercentre.co.uk$' (/Local/Default) - ID -1 - UUID 4D69A263-5232-4AB4-A7F7-63C57E7F2F70 - SID S-1-5-21-621501553-3013919606-753330415-998
  2009-12-29 21:45:41 GMT - T[0x0000000100786000] - Misconfiguration detected in hash 'Global SID':
  2009-12-29 21:45:41 GMT - T[0x0000000100786000] - Computer 'guest' (/LDAPv3/127.0.0.1) - ID -1 - UUID CE6FD001-9FAD-40EF-89D0-6993842825D5 - SID S-1-5-21-621501553-3013919606-753330415-998
  2009-12-29 21:45:41 GMT - T[0x0000000100786000] - Computer 'eddie.waveneyrivercentre.co.uk$' (/Local/Default) - ID -1 - UUID 4D69A263-5232-4AB4-A7F7-63C57E7F2F70 - SID S-1-5-21-621501553-3013919606-753330415-998
  does anyone have any ideas?
  TIA
  JAmes

• Misconfiguration detected in hash global uid/sid

  running on a mac os x sever network 10.6.8 with over 2,000 users and over 50 groups. for about 1 full year now in sever admin we get this error NON stop witch seems to happen when ever someone logs in. It will say
  "misconfiguration detected in hash global UID" OR
  "misconfiguration detected in hash global SID"
  this is nonstop. From what i have read this is due to the same user or group having the same ID. Where can i go to psychically see if they have the same ID (in WGM it does not show any doubled ID's)
  with over 2,000 users and people logging in all the time this error comes out about every 1 minute. Is there any fix for this?

  running on a mac os x sever network 10.6.8 with over 2,000 users and over 50 groups. for about 1 full year now in sever admin we get this error NON stop witch seems to happen when ever someone logs in. It will say
  "misconfiguration detected in hash global UID" OR
  "misconfiguration detected in hash global SID"
  this is nonstop. From what i have read this is due to the same user or group having the same ID. Where can i go to psychically see if they have the same ID (in WGM it does not show any doubled ID's)
  with over 2,000 users and people logging in all the time this error comes out about every 1 minute. Is there any fix for this?

• Misconfiguration detected in hash 'Kerberos'

  I am having difficulty troubleshooting this error.  I have attached a section of the /var/log/opendirectoryd.log file while in debug mode.  This is a 10.7.3 Open Directory master with no replicas.  I put logging into debug mode to try to get to the root of this problem but I am not finding an answer to this issue.  I am getting this same error message with multiple users, but they can all log in and function just fine.  We are doing Radius auth to OD from our Cisco ASA for VPN connectivity and that works fine as well.
  Any help would be greatly appreciated.  Thanks!
  2012-03-12 11:30:09.119 PDT - Multiple names for non-user record 'wleler' - will be cache miss for others
  2012-03-12 11:30:09.119 PDT - Module: SystemCache - Attaching Kerberos id '[email protected].
  OFFICE' to record 'wleler'
  2012-03-12 11:30:09.119 PDT - Setting item 'wleler' with expiration 406137
  2012-03-12 11:30:09.119 PDT - Adding item 'wleler' with expiration 406137
  2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - GlobalGUID - adding entry wleler (0x43E09310) - node 0x45903830
  2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - GlobalUID - adding entry wleler (0x43E09310) - node 0x45903B30
  2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - UserName - adding entry wleler (0x43E09310) - node 0x45903C60
  2012-03-12 11:30:09.119 PDT - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
      User 'wleler' (/LDAPv3/127.0.0.1) - ID 1043 - UUID C66E0823-A91D-4C27-9A37-4BA25090F3AC - SID S-1-5-21-2682738804-2853610044-371931698-3086
       User 'cvaraghur' (/LDAPv3/127.0.0.1) - ID 1055 - UUID 062DA3EC-8197-460A-94DA-8F94008B4B0F - SID S-1-5-21-2682738804-2853610044-371931698-3110
  2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - GlobalSID - adding entry wleler (0x43E09310) - node 0x45903DE0
  2012-03-12 11:30:09.119 PDT - Module: SystemCache - Merged record 'wleler' (0x459033E0) into 0x43E09310 - new authority 'Name'
  2012-03-12 11:30:09.120 PDT - Finalizing request 6369 object 0x7fb445d3b860
  2012-03-12 11:30:09.120 PDT - Finalizing request 6366 object 0x7fb445902f30
  2012-03-12 11:30:09.130 PDT - 1458.6370 - Client: AppleFileServer, UID: 0, EUID: 0, GID: 0, EGID: 0
  2012-03-12 11:30:09.130 PDT - 1458.6370 - Adding to global request list - new count 1
  2012-03-12 11:30:09.130 PDT - 1458.6370 - ODQueryCreateWithNode request, NodeID: 425F4A0A-25C3-4E46-8A8E-EC4C2DD3465B, RecordType(s): dsRecTypeStandard:AFPUserAliases, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseExact, Value(s): wleler, Requested Attributes: dsAttributesAll, Max Results: 1

  Hi,
  your log tells me that the users wleler and cvaraghur have the same values in "AltSecurityIdentities" -> something like "kerberos:[email protected]".
  Go to: Systemsettings -> User & Groups -> Login options (the little House Symbol).
  Then Klick the edit button beside the networkaccount server entry. In the new opened window click the open directory service button. Choose the right tree (Users) - (/LDAPv3/127.0.0.1) and authenticate yourself with the diradmin user. Check every single users entry  "AltSecurityIdentities" and change untitled_1 to the users short name.
  Example, change: "kerberos:[email protected]". to "kerberos:[email protected]" for your user wleler and
  "kerberos:[email protected]" for user cvaraghur.
  thats it

• Lion Server: Misconfiguration detected in hash 'UserGroupGUID'

  Hi,
  I'm new to OS X Server - the price had me installing and doing things manually prior to Lion.  Previously I managed users and groups manually, but now I'm giving open directory a go.  I'm seeing these messages in opendirectoryd.log:
  2011-08-21 08:38:06.479 EDT - Module: SystemCache - Misconfiguration detected in hash 'UserGroupGUID':
          Group 'workgroup' (/LDAPv3/localhost) - ID 1025 - UUID 96520719-99D8-4168-8AF1-11AD55FB389F - SID S-1-5-21-987654321-987654321-987654321-3051
          Group 'workgroup' (/LDAPv3/127.0.0.1) - ID 1025 - UUID 96520719-99D8-4168-8AF1-11AD55FB389F - SID S-1-5-21-4096-2147483670-3416910327-3051
  2011-08-21 08:38:06.482 EDT - Module: SystemCache - Misconfiguration detected in hash 'UserGroupGID':
          Group 'workgroup' (/LDAPv3/localhost) - ID 1025 - UUID 96520719-99D8-4168-8AF1-11AD55FB389F - SID S-1-5-21-987654321-987654321-987654321-3051
          Group 'workgroup' (/LDAPv3/127.0.0.1) - ID 1025 - UUID 96520719-99D8-4168-8AF1-11AD55FB389F - SID S-1-5-21-4096-2147483670-3416910327-3051
  I also see this:
  2011-08-21 08:38:04.990 EDT - Discovered configuration for node name '/LDAPv3/127.0.0.1' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/127.0.0.1.plist'
  2011-08-21 08:38:04.990 EDT - Registered subnode with name '/LDAPv3/127.0.0.1'
  2011-08-21 08:38:04.991 EDT - Discovered configuration for node name '/LDAPv3/localhost' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/localhost.plist'
  2011-08-21 08:38:04.991 EDT - Registered subnode with name '/LDAPv3/localhost'
  "workgroup" is the default group that was there - I didn't create it (or any other groups), though I did add members.  I'm curios why it is referencing both "/LDAPv3/localhost" and "/LDAPv3/127.0.0.1", and I suspect that may be the issue.  If so, any ideas on how I caused this, and how to fix it?  My guess is that I could remove one of the .plist files, but if I have done something in the gui to cause this, I'd like to fix it there so that some config chagne doesn't end up re-creating the problem.  So far I haven't done any "manual" editing of configuration files.
  Thanks very much!

  Hah! Thanks for pointing that out!  I've moved it over there:
  https://discussions.apple.com/thread/3277778
  Sorry about that!

• Misconfiguration detected in hash 'Global UID'

  Very dears all,
  I upgraded to Snow Leopard Server but I am still missing to have everything working safely as it was on Leopard Server.
  In SL Server, Open Directory is Master and its overview page says that both LDAP Server, Password Server and Kerberos are running but in the Settings pane the Kerberize... button is always present (while it is absent in L Server) and if I push the button I am requested to enter user name and password, which is the same I enter in WGM (where it works OK), but it is not accepted and the same windows is re-opened.
  Checking the OP logs, in Directory Services Error log, I got the following raw:
  Misconfiguration detected in hash 'Global UID'
  As well as User root raws for /LDAPv3/127.0.0.1 and Local are present with complex string references for UUID and SID.
  Is there anyone may help me to understand what it means and what to do to fully recover the service?
  Many thanks and best wishes,
  Carmine

  I look in my Directory Services Error log and see
  2009-11-11 13:28:27 EST - T[0x0000000100783000] - Misconfiguration detected in hash 'Global UID':
  2009-11-11 13:28:27 EST - T[0x0000000100783000] - User 'root' (/LDAPv3/127.0.0.1) - ID 0 - UUID 50518200-F0D2-4497-A282-6BBE836687C9 - SID S-1-5-21-68834345-3193862298-1725808020-1000
  2009-11-11 13:28:27 EST - T[0x0000000100783000] - User 'root' (/Local/Default) - ID 0 - UUID FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 - SID S-1-5-18
  I launch dscl and
  list LDAPv3/127.0.0.1/Users/
  diradmin
  root
  vpn_30717237d42a
  root user in open directory that is new in SL.
  list Local/Default/Users/
  _amavisd
  _appowner
  _appserver
  _ard
  _atsserver
  _calendar
  _carddav
  _clamav
  _coreaudiod
  _cvmsroot
  _cvs
  _cyrus
  _devdocs
  _dovecot
  _eppc
  _installer
  _jabber
  _lda
  _locationd
  _lp
  _mailman
  _mcxalr
  _mdnsresponder
  _mysql
  _pcastagent
  _pcastserver
  _postfix
  _qtss
  _sandbox
  _screensaver
  _securityagent
  _serialnumberd
  _softwareupdate
  _spotlight
  _sshd
  _svn
  _teamsserver
  _timezone
  _tokend
  _trustevaluationagent
  _unknown
  updatesharing
  _usbmuxd
  _uucp
  _windowserver
  _www
  _xgridagent
  _xgridcontroller
  com.apple.calendarserver
  com.apple.mailuserforservices
  com.apple.notificationuser
  daemon
  nobody
  notjunkmail
  root
  Which also has a root user. So yes I have 2 root users. I have never seen a root user in the ldap database is this new and expected?
  Is this wrong?
  should I line up the generated UIDS?
  read LDAPv3/127.0.0.1/Users/root/
  dsAttrTypeNative:altSecurityIdentities: Kerberos:[email protected]
  dsAttrTypeNative:apple-generateduid: 50518200-F0D2-4497-A282-6BBE836687C9
  dsAttrTypeNative:authAuthority:
  ;ApplePasswordServer; blah blah blah blah blah
  [email protected]:192.168.1.1
  dsAttrTypeNative:cn:
  System Administrator
  dsAttrTypeNative:gidNumber: 0
  dsAttrTypeNative:homeDirectory: /private/var/root
  dsAttrTypeNative:loginShell: /bin/tcsh
  dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount apple-user extensibleObject
  dsAttrTypeNative:shadowExpire: 0
  dsAttrTypeNative:shadowLastChange: 0
  dsAttrTypeNative:sn: Administrator
  dsAttrTypeNative:uid: root
  dsAttrTypeNative:uidNumber: 0
  dsAttrTypeNative:userPassword: ******
  AltSecurityIdentities: Kerberos:[email protected]
  AppleMetaNodeLocation: /LDAPv3/127.0.0.1
  AuthenticationAuthority:
  Change: 0
  Expire: 0
  GeneratedUID: 50518200-blah-blah-blah-blah
  LastName: Administrator
  NFSHomeDirectory: /private/var/root
  Password: ******
  PrimaryGroupID: 0
  RealName:
  System Administrator
  RecordName:
  root
  System Administrator
  RecordType: dsRecTypeStandard:Users
  UniqueID: 0
  UserShell: /bin/tcsh
  read Local/Default/Users/root
  AppleMetaNodeLocation: /Local/Default
  AuthenticationAuthority: ;ShadowHash; ;Kerberosv5;;root@LKDC:SHA1.3 blah;
  GeneratedUID: blah blah-blah-blah-blah-blah blah blah
  NFSHomeDirectory: /var/root
  Password: ******
  PrimaryGroupID: 0
  RealName:
  System Administrator
  RecordName: root
  RecordType: dsRecTypeStandard:Users
  SMBSID: S-1-5-18
  UniqueID: 0
  UserShell: /bin/sh
  What to do...

• How to detect it left side Alt or right side Alt key pressed?

  Hi,
  I want to know if there is a way to detect whether it is the alt key on the left of the keyboard pressed or it is the alt key on the right side of the keyboard pressed. I don't want to use JNI stuff. Is there a 100% Java solution to it?
  Thanks

  I've seen bug reports regarding this issue, and it is stated as fixed, but I don't know for which release of the jdk. So far, I think you can't distinguish between left and right alt/shift/ctrl..

• Device Detection in Server side using jdev 11.1.1.7

  How to detect the device from which the request is from (in server side) and respond to it accordingly using jdeveloper 11.1.1.7???  i tried using servlets bt i didnt get the expected output....

  Hi R,
  The device you mean if its windows, linux, apple or android?? The following code returns seeDetails if the request is being made from a device that is NO WINDOWS OR LINUX.
  public String processAccordingDevice(){
          RequestContext context = RequestContext.getCurrentInstance();
          Agent agent = context.getAgent();
          String platformName = agent.getPlatformName();
          return !("windows".equals(platformName) || "linux".equals(platformName)) ?
              "seeDetail" : "";

• Misconfiguration detected - Failed to insert key ' T CN=Apple Root CA,OU=Apple Certification Authority,O=Apple Inc.,C=US S CN=com.apple.idms.appleid.prd.

  Al of a sudden after trying to get profiles running with server app I can no longer log into the system with my user account. I can however log in with the root user.
  Ihave tried a ton of support articles from apple support site and web based searches to no avail?

  Al of a sudden after trying to get profiles running with server app I can no longer log into the system with my user account. I can however log in with the root user.
  Ihave tried a ton of support articles from apple support site and web based searches to no avail?

• Changing a GID

  I can't post a reply to this archived topic here (http://discussions.apple.com/thread.jspa?threadID=2263001&tstart=0), but I was wondering how does one go about changing a GID for a group that is not listed in the Workgroup Manager (eg. com.apple.access_backup, com.apple.access_mail)? I really want to fix these errors:
  2011-03-08 14:54:43 PST - T[0x0000000100604000] - Misconfiguration detected in hash 'Global GID':
  2011-03-08 14:54:43 PST - T[0x0000000100604000] - Group 'com.apple.access_mail' (/Local/Default) - ID 255 - UUID 876303C7-04E0-4670-9E45-217BA7EC8039 - SID S-1-5-21-4096-2147483670-3417106711-1511
  2011-03-08 14:54:43 PST - T[0x0000000100604000] - Group 'com.apple.access_backup' (/Local/Default) - ID 255 - UUID F029947A-E96F-45D1-B986-1A8A8626133F - SID S-1-5-21-4096-2147483670-3417106711-1511

  use dscl ?
  you could go interactive or do it on the command line. instead of using LDAPv3/127.0.01 use the local directory.

• Kernel_task at 90% on my Macbook

  Hi - the kernel_task on my Macbook is consistently at 80-90%.
  Curiosly, if I boot in "safe-mode" (pressing shift while booting) the kernel_task stays at a reasonable 3%.
  I've run the hardware check (pressing D while booting) and nothing was found.
  All this points to a software problem -- any ideas how to identify the offending component/process?
  - Francisco
  PS: I've the impression this has been happening for a while and maybe related to the battery (which is working but shows zero cycles).
  OSX 10.6.8
  Hardware Overview:
    Model Name:          MacBook
    Model Identifier:          MacBook6,1
    Processor Name:          Intel Core 2 Duo
    Processor Speed:          2.26 GHz
    Number Of Processors:          1
    Total Number Of Cores:          2
    L2 Cache:          3 MB
    Memory:          2 GB
    Bus Speed:          1.07 GHz
    Boot ROM Version:          MB61.00C8.B00
    SMC Version (system):          1.51f53
    Serial Number (system):          W894764P8PW
    Hardware UUID:          C76E1A18-0418-5CB9-8F53-7ED5296F6F5D
  Battery Information:
    Charge Information:
    Charge remaining (mAh):          0
    Fully charged:          No
    Charging:          No
    Full charge capacity (mAh):          0
    Health Information:
    Cycle count:          0
    Condition:          Normal
    Battery Installed:          Yes
    Amperage (mA):          0
    Voltage (mV):          0

  Thanks Williams - I will look into those.
  It's the Snow Leopard that came in the MacBook.
  This is how the log looks when boot in safe mode - and cpu usage back to normal
  28/09/2011 06:52:18          kernel          PAE enabled
  28/09/2011 06:52:18          kernel          64 bit mode enabled
  28/09/2011 06:52:18          kernel          Darwin Kernel Version 10.8.0: Tue Jun  7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386
  28/09/2011 06:52:18          kernel          vm_page_bootstrap: 441553 free pages and 17199 wired pages
  28/09/2011 06:52:18          kernel          standard timeslicing quantum is 10000 us
  28/09/2011 06:52:18          kernel          mig_table_max_displ = 73
  28/09/2011 06:52:18          kernel          AppleACPICPU: ProcessorId=0 LocalApicId=0 Enabled
  28/09/2011 06:52:18          kernel          AppleACPICPU: ProcessorId=1 LocalApicId=1 Enabled
  28/09/2011 06:52:18          kernel          calling mpo_policy_init for TMSafetyNet
  28/09/2011 06:52:18          kernel          Security policy loaded: Safety net for Time Machine (TMSafetyNet)
  28/09/2011 06:52:18          kernel          calling mpo_policy_init for Quarantine
  28/09/2011 06:52:18          kernel          Security policy loaded: Quarantine policy (Quarantine)
  28/09/2011 06:52:18          kernel          calling mpo_policy_init for Sandbox
  28/09/2011 06:52:18          kernel          Security policy loaded: Seatbelt sandbox policy (Sandbox)
  28/09/2011 06:52:18          kernel          Copyright (c) 1982, 1986, 1989, 1991, 1993
  28/09/2011 06:52:18          kernel          The Regents of the University of California. All rights reserved.
  28/09/2011 06:52:18          kernel          MAC Framework successfully initialized
  28/09/2011 06:52:18          kernel          using 9175 buffer headers and 4096 cluster IO buffer headers
  28/09/2011 06:52:18          kernel          IOAPIC: Version 0x11 Vectors 64:87
  28/09/2011 06:52:18          kernel          ACPI: System State [S0 S3 S4 S5] (S3)
  28/09/2011 06:52:18          kernel          PFM64 0xf10000000, 0xf0000000
  28/09/2011 06:52:18          kernel          [ PCI configuration begin ]
  28/09/2011 06:52:18          kernel          console relocated to 0xf10010000
  28/09/2011 06:52:18          kernel          PCI configuration changed (bridge=2 device=1 cardbus=0)
  28/09/2011 06:52:18          kernel          [ PCI configuration end, bridges 4 devices 17 ]
  28/09/2011 06:52:18          kernel          AppleIntelCPUPowerManagement: (built 16:44:45 Jun  7 2011) initialization complete
  28/09/2011 06:52:18          kernel          Sleep failure code 0x00000000 0x15000000
  28/09/2011 06:52:18          kernel          mbinit: done (64 MB memory set for mbuf pool)
  28/09/2011 06:52:18          kernel          rooting via boot-uuid from /chosen: 74AE97F5-8AD7-326D-B92B-ADCDBE6687C5
  28/09/2011 06:52:18          kernel          Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOResources</string><key>IOResourceMatch</key><string ID="2">boot-uuid-media</string></dict>
  28/09/2011 06:52:18          kernel          com.apple.AppleFSCompressionTypeZlib kmod start
  28/09/2011 06:52:18          kernel          com.apple.AppleFSCompressionTypeZlib load succeeded
  28/09/2011 06:52:18          kernel          AppleIntelCPUPowerManagementClient: ready
  28/09/2011 06:52:18          kernel          Got boot device = IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/SATA@B/AppleMCP79AHCI/PR T0@0/IOAHCIDevice@0/AppleAHCIDiskDriver/IOAHCIBlockStorageDevice/IOBlockStorageD river/Hitachi HTS545025B9SA02 Media/IOGUIDPartitionScheme/Customer@2
  28/09/2011 06:52:18          kernel          BSD root: disk0s2, major 14, minor 2
  28/09/2011 06:52:18          kernel          jnl: unknown-dev: replay_journal: from: 2543616 to: 10100736 (joffset 0x11502000)
  28/09/2011 06:52:18          kernel          BTCOEXIST off
  28/09/2011 06:52:18          kernel          wl0: Broadcom BCM4353 802.11 Wireless Controller
  28/09/2011 06:52:18          kernel          5.10.131.42
  28/09/2011 06:52:18          kernel          jnl: unknown-dev: journal replay done.
  28/09/2011 06:52:18          kernel          hfs: Removed 5 orphaned / unlinked files and 0 directories
  28/09/2011 06:52:09          com.apple.launchd[1]          *** launchd[1] has started up. ***
  28/09/2011 06:52:18          DirectoryService[11]          Improper shutdown detected
  28/09/2011 06:52:19          kernel          NVEthernet: Ethernet address d4:9a:20:09:52:00
  28/09/2011 06:52:19          kernel          AirPort_Brcm43224: Ethernet address d4:9a:20:6f:70:7b
  28/09/2011 06:52:19          kernel          IO80211Controller::dataLinkLayerAttachComplete():  adding AppleEFINVRAM notification
  28/09/2011 06:52:19          kernel          IO80211Interface::efiNVRAMPublished(): 
  28/09/2011 06:52:19          kernel          systemShutdown false
  28/09/2011 06:52:19          blued[16]          Apple Bluetooth daemon started
  28/09/2011 06:52:36          mDNSResponder[18]          mDNSResponder mDNSResponder-258.21 (May 26 2011 14:40:13) starting
  28/09/2011 06:52:36          DirectoryService[11]          Misconfiguration detected in hash 'Global GID' - see /Library/Logs/DirectoryService/DirectoryService.error.log for details
  <same line repeated 30 or 40 times>
  28/09/2011 06:52:36          DirectoryService[11]          Misconfiguration detected in hash 'GID' - see /Library/Logs/DirectoryService/DirectoryService.error.log for details
  28/09/2011 06:52:37          kernel          AirPort: Link Down on en1. Reason 8 (Disassociated because station leaving).
  28/09/2011 06:52:37          com.apple.SecurityServer[22]          Session 0x5fbff962 created
  28/09/2011 06:52:37          com.apple.SecurityServer[22]          Entering service
  28/09/2011 06:52:38          kernel          NVDANV50HAL loaded and registered.
  28/09/2011 06:52:38          kernel          Previous Shutdown Cause: -60
  28/09/2011 06:52:38          kernel          DSMOS has arrived
  28/09/2011 06:52:40          kernel          00000000  00000020  NVEthernet::setLinkStatus - not Active
  28/09/2011 06:52:40          fseventsd[42]          event logs in /.fseventsd out of sync with volume.  destroying old logs. (558 37 206826)
  28/09/2011 06:52:40          fseventsd[42]          log dir: /.fseventsd getting new uuid: 02EF05DC-5E8C-4DE1-838C-7E235078C7D8
  28/09/2011 06:52:40          bootlog[49]          BOOT_TIME: 1317189123 0
  28/09/2011 06:52:41          configd[14]          bootp_session_transmit: bpf_write(en1) failed: Network is down (50)
  28/09/2011 06:52:41          configd[14]          DHCP en1: INIT transmit failed
  28/09/2011 06:52:41          /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[38 ]          Login Window Application Started
  28/09/2011 06:52:42          com.apple.usbmuxd[31]          usbmuxd-211 built on May 16 2011 at 00:14:56 on May 16 2011 at 00:14:55, running 64 bit
  28/09/2011 06:52:42          configd[14]          network configuration changed.
  28/09/2011 06:52:42          configd[14]          setting hostname to "laptop.local"
  28/09/2011 06:52:45          kernel          Auth result for: 00:25:69:9b:09:bd No Ack
  28/09/2011 06:52:47          com.apple.SecurityServer[22]          Session 0x1207182 created
  28/09/2011 06:52:47          com.apple.SecurityServer[22]          Session 0x1207182 attributes 0x30
  28/09/2011 06:52:48          loginwindow[38]          Login Window Started Security Agent
  28/09/2011 06:52:49          airportd[21]          Apple80211Associate() failed -3905 (Timeout)
  28/09/2011 06:52:50          kernel          Auth result for: 00:25:69:9b:09:bd No Ack
  28/09/2011 06:52:50          WindowServer[70]          kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
  28/09/2011 06:52:50          com.apple.WindowServer[70]          Wed Sep 28 06:52:50 laptop.local WindowServer[70] <Error>: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
  28/09/2011 06:52:51          kernel          Auth result for: 00:25:69:9b:09:bd MAC AUTH succeeded
  28/09/2011 06:52:51          kernel          AirPort: Link Up on en1
  28/09/2011 06:52:51          kernel          AirPort: RSN handshake complete on en1
  28/09/2011 06:52:51          SecurityAgent[89]          Showing Login Window
  28/09/2011 06:52:53          configd[14]          network configuration changed.
  28/09/2011 06:52:46          warmd[30]          [fetcher_open_file:936] open("/var/db/dyld/dyld_shared_cache_x86_64") => -1 (errno: 2)
  28/09/2011 06:52:47          SecurityAgent[89]          User info context values set for fgarau
  28/09/2011 06:52:48          authorizationhost[87]          Failed to authenticate user <fgarau> (tDirStatus: -14090).
  28/09/2011 06:52:53          SecurityAgent[89]          User info context values set for fgarau
  28/09/2011 06:52:53          SecurityAgent[89]          Login Window Showing Progress
  28/09/2011 06:52:54          SecurityAgent[89]          Login Window done
  28/09/2011 06:52:54          loginwindow[38]          Login Window - Returned from Security Agent
  28/09/2011 06:52:54          loginwindow[38]          USER_PROCESS: 38 console
  28/09/2011 06:52:55          com.apple.launchd.peruser.501[97]          (com.apple.ReportCrash) Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self
  28/09/2011 06:52:55          com.apple.launchd.peruser.501[97]          (com.apple.SystemUIServer.agent) Conflict with job: 0x100300b30.anonymous.SecurityAgent over Mach service: com.apple.tsm.uiserver
  28/09/2011 06:53:03          mds[37]          (Warning) Server: No stores registered for metascope "kMDQueryScopeComputerIndexed"
  28/09/2011 06:53:05          storeagent[108]          port created
  28/09/2011 06:53:06          com.apple.launchd.peruser.501[97]          (com.apple.Kerberos.renew.plist[116]) Exited with exit code: 1
  28/09/2011 06:53:17          com.apple.launchd.peruser.501[97]          ([email protected][120]) Exited with exit code: 1
  28/09/2011 06:53:33          mds[37]          (Warning) Server: No stores registered for metascope "kMDQueryScopeComputerIndexed"
  28/09/2011 06:59:18          mds[37]          (Warning) Server: No stores registered for metascope "kMDQueryScopeComputer"
  28/09/2011 06:59:19          mds[37]          (Warning) Server: No stores registered for metascope "kMDQueryScopeComputer"
  28/09/2011 06:59:19          mds[37]          (Warning) Server: No stores registered for metascope "kMDQueryScopeComputer"
  28/09/2011 06:59:20          mds[37]          (Warning) Server: No stores registered for metascope "kMDQueryScopeComputer"
  28/09/2011 06:59:21          mds[37]          (Warning) Server: No stores registered for metascope "kMDQueryScopeComputer"
  28/09/2011 06:59:21          mds[37]          (Warning) Server: No stores registered for metascope "kMDQueryScopeComputer"

• Misconfiguration error

  I keep getting these errors - can anyone interpret what is wrong?  I am also having issues authenticating inot a company LEAP account over Wifi -- just wondering if this could be at all related.
  2011-09-08 13:10:49.520 EDT - Module: SystemCache - Misconfiguration detected in hash 'X509DN':
            User 'User1' (/Local/Default) - ID 501 - UUID B5E40240-0DEB-4D2D-B4CE-FEB063D4F176 - SID S-1-5-21-1644581886-2670095315-2735356224-2002
            User 'User2' (/Local/Default) - ID 502 - UUID C7E3BC3F-0749-4A6B-8E5E-CFDA0AFB919E - SID S-1-5-21-1644581886-2670095315-2735356224-2004

  hi Srini,
  I have checked the forum and found amy be this is the best place any ways !!!!! next time will keep in mind...
  I haven't change anything its my IE 7 installation that may have done something wrong which by the way i have downgraded to IE6 again to get the EBS going
  It works fine but only some of the times.... most of the time it gives me the miscofiguration error.... then I have to start all the services again..... I really dont know by which service I got right and after trying 2-3 times EBS starts....
  Kindly help me in resolving this
  Thanks again
  - Shivdeep Singh

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."