Server 3 / SSL Certificate / Open Directory - Problem!

We've updated from Server 2 to Server 3 / OS X 10.9.
We have an SSL certificate for server from Comodo.
Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configure via Server app).
Under Server 3, all works just fine, but Open Directory will not accept the certificate - so Certificates / Settings in the Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory is set to be not secured while everything else is using SSL.
I've tried setting Open Directory to use the SSL certificate, but whenever I do it simply bounces back to being unsecured.
Does this matter? Presumably it should be possible (as the standard setting appears to try to set Open Directory to use the SSL certificate), but I'm not sure whether trying to fix it is simply a fool's errand.
Anyone got any clues as to whether to fix or not, and if to fix, how?
Thanks in advance.

Have you checked to see that the certificate is indeed "Trusted" by your server?
Above, you stated that they're in the etc/certificates folder, but that doesn't mean that the server likes them.  You can create a "Self Signed" Certificate and still have certificates in there.  That doesn't mean that anyone else on the planet has to trust them.
Open Keychain Access in your utilities folder.  Depending on how you have it configured, you may have to look around to find the certificate in question.  It may be under login, or System. 
When you select your Certificate, if it's there, does it show as trusted?
Another thing you can check... Often, certificate authorities use intermediate certificates. Since anyone can sell a certificate, in order to have it trusted, you need to have it signed by someone else. A good example is Godaddy. They sell both SSL and code signing certificates of all flavours. In order to get them to be trusted, the "Intermediate Certificate" needs to also be installed in the keychain. My Godaddy cert looks to be trusted by Verisign via an intermediate.
Have a look here... https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182
Not sure if it's directly relevant, but there it is.
The point is, I think you need to verify that your certificate is trusted by your server. OD won't use an untrusted certificate.
--an afterthought--  Anything in the logs?
Open up your server window where you try to select the certificate for OD.  Also, in another window open up the terminal.  In terminal, type:
tail -f /var/log/system.log
In the server window try to select the certificate and click done.  See what the output in terminal says.
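The trust check described in the answer above (a server certificate chained through an intermediate that is not yet installed), as an added shell example that is not from this thread. It uses openssl to build a constructed root -> intermediate -> server chain with made-up names (Example Root CA, server.example.test) in a temporary directory, and assumes openssl is installed.

```shell
#!/bin/sh
# Added example: show why a CA-signed certificate is "untrusted" when the intermediate is missing.
# All names and files below are constructed for the demo; nothing here comes from the thread.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# End-entity extensions for the server certificate (not a CA).
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:server.example.test\n' > "$WORK/server.ext"

# Root CA (self-signed: subject == issuer), an intermediate issued by the root,
# and a server certificate issued by the intermediate, as commercial CAs commonly do.
build_chain() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
        -subj '/CN=Example Root CA' -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj '/CN=Example Intermediate CA' -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 2 -extfile "$WORK/ca.cnf" -extensions ca_ext -out "$WORK/int.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj '/CN=server.example.test' -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -days 2 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1
}

# The server cert's Issuer must equal the intermediate's Subject; returns 0 when they match.
# This is the first thing to compare when a cert "is in the folder" but is still not trusted.
issuer_matches_intermediate() {
    iss=$(openssl x509 -noout -issuer -in "$WORK/server.pem" | sed 's/^issuer=//')
    sub=$(openssl x509 -noout -subject -in "$WORK/int.pem" | sed 's/^subject=//')
    printf 'server issuer:        %s\nintermediate subject: %s\n' "$iss" "$sub"
    [ "$iss" = "$sub" ]
}

# Returns 0 when verification is refused because only the root is trusted and the
# intermediate is absent: the root is fine, yet the server cert cannot be chained to it.
missing_intermediate_is_rejected() {
    if openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 when the chain validates once the intermediate is supplied alongside the root.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/server.pem" >/dev/null 2>&1
}

build_chain
issuer_matches_intermediate
if missing_intermediate_is_rejected; then echo 'without intermediate: rejected (untrusted chain)'; fi
if verify_with_intermediate; then echo 'with intermediate:    OK'; fi
```

On a real server the equivalent is to check that the issuing intermediate is present in the keychain next to the server certificate, not just the root.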

Similar Messages

  • Trouble binding 10.5 Server to 10.6 Open Directory

    After a recent power outage one of my 10.5 Servers lost its connection to the OD Master. I am unable to get this system to re-bind to an Open Directory Master (10.6 Server). I had to force un-bind the 10.5 machine (via Directory Utility) because it could not contact the OD Master. After force unbinding the 10.5 Server system I checked Open Directory settings in Server Admin and the role was "Standalone Server".
    Steps to reproduce problem:
    1) Change role of 10.5 Server to "Connects to a Directory System" and rebooted the system.
    2) Launch Directory Utility, click add server and enter the FQDN for my OD Master. SSL option is not checked.
    3) Directory Utility tries to communicate with the OD Master for a few moments...displaying "verifying server address", then comes back with the error "there was no response from SERVER. Please check that the address you entered is correct".
    (where SERVER = the FQDN for the OD Master)
    I checked that DNS was working and that the system (10.5 Server) could resolve the FQDN of the OD Master. When the above steps did not solve the problem I went to the OD Master and (from Workgroup Manager) deleted the previous entry for the 10.5 Server. This had no effect on the problem. Not sure what to try next?

    Hi,
    Welcome to the Discussions
    10.5 Server and specifically iChat Server has its own forum
    http://discussions.apple.com/forum.jspa?forumID=1235 (for Export)
    10.6 Server has Forum called Collaboration Services for iChat Server (And a few other bits)
    The Forums are within Categories.
    Technically each is within its own OS Category but Tiger, Leopard and Snow Leopard are all shown in this "Master Category" here
    The reason I am posting these links is that I don't know enough about the Server version of iChat.
    The chances are that someone in the 10.6 Server > Collaboration Services forum knows how to Export the list from 10.5 Server and input it in to 10.6 Server.
    Hope this helps.
    7:53 PM Monday; July 19, 2010
    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

  • The Server's SSL certificate has expired

    Hi,
    This morning I accessed my mails without any problems. After some time suddenly my Outlook was disconnected and getting the message "The Server's SSL certificate has expired". Can anyone help me out of this?
    Thanks,
    Prasad K

    Check if you have accidentally set your system date not to current.
    Edited by: user10788046 on Oct 22, 2010 8:16 PM

  • Mac os x server 3.0.2 open directory master disappear from list

    Hi, There is a very funny Mac OS X Server 3.0.2 issue.
    After I updated my Mac OS X Server from 3.0.0 to 3.0.2, as my host name conflicted with another Mac mini, I changed the X Server Mac mini's host name, computer name and local host name. When I restarted my X Server, my defined "Open Directory Master" disappeared from my server list.
    Actually, I need to change some settings from the UI; as it disappeared from the UI, I can't do anything about it. Is there any way to delete it from the command line? Or how can I make it appear again?

    As I can't find the defined Open Directory master, I have to delete it from the terminal command line as:
    sudo slapconfig -destroyldapserver
    and then add a new open directory master.

  • Message: Your Server's SSL certificate has expired. - Can no more login

    Hi,
    Since yesterday I can no longer log in to BeehiveOnline via OBEE. Every time I try it the extension goes offline and tells me in a window that "Your Server's SSL certificate has expired.". If I try to log in again it takes some seconds but the window and message come up again and again.
    It was working perfectly during the previous weeks, no issues at all. What do I have to do to get it solved?
    Thanks
    Volker

    Hello,
    I've set up OBEE for BeehiveOnLine usage today, without any issue (Monday 28 of June)
    May you retry please?
    Yesterday - Sunday - the system might be under maintenance.
    Thanks
    Fred

  • Open Directory Problem

    I can't seem to start open directory services. Using the Server Admin the light is clear indicating that open directory services is not running. The General Settings display the following:
    Open Directory is: Standalone Server
    Lookup Server is: Running
    Netinfo Server is: Local only
    LDAP Server is: Stopped
    Password Server is: Stopped
    Kerberos is: Stopped
    When I attempt to access most of the logs I get a system error message "A Service has encountered an error. Try to refresh the view (mydomain.com/Open Directory). Report the problem to the administrator (me) if it persists. (File not found, the service may not have logging enabled)"
    If I refresh I get the same error message again. I can't find any settings that enable or disable logging in the Open Directory tab of Server Admin.
    I am having troubles with my mail server too: I can log into IMAP with my Mail Client no problem, but attempting to log into SMTP fails.
    G4 Powerbook 15 1.5 GHz   Mac OS X (10.4)  

    Michael:
    From your post, it looks like your machine is configured as a Standalone server, which means that OD isn't supposed to be running. Did you promote to an OD Master? If not, and you plan on giving it a try, search around on the web and these forums first for guides, particularly related to the importance of correct DNS.
    MacBook Pro   Mac OS X (10.4.8)  

  • Does mac server 3.2.1 open directory support object class "sambaSamAccount"?

    Hi:
    I use Open Directory as the directory service on Mac Server 3.2.1, and the client side is a Linux OS.
    I want the user to be able to access data via Samba. So I add "objectclass: sambaSamAccount" to the user via Directory Utility,
    and I also copied the Linux samba.schema to replace the default samba.schema, but it always shows the error message:
    The attribute value could not be used because it does not meet the requirements of the attribute.
    What is the problem with it? Did I miss something?
    thanks

    Just to clarify - this is where i get to and after somehow right-clicking and opening this red-marked folder, the contents are seemingly empty
    However I tried drag-dropping the folder to the field where you browse for a backup and it found contents, as it requested a password for the archive. I input it but then get this:
    And if I want to create one, I get the "Invalid hostname" error and cannot continue
    What now?

  • Can't complete initial setup - Open Directory problems

    "Easy to set up, easy to run" my big ***. On initial bootup, the automatic setup failed. "There may be a problem with the Open Directory." A few days later, it was suddenly working. So I set up and enjoyed one, count em, one user account. Then it stopped working again. I can't set up a Group. I can't use Workgroup Manager successfully, either. The whole server has been one big mess of fail.
    Is this a common problem? Is there a fix? A workaround? Do I need to take this thing back??

    Check this site out for starters
    http://www.wazmac.com/serversnetwork/fileservers/osxserversetup/index.htm
    It's not just for schools, and it offers a lot of info on setting up OS X server.
    It is possible that there is some hardware problem, but it's more likely that you need to set up the server correctly. If you're not familiar with OS X Server, it's not necessarily easy.

  • 10.6 iCal server using 10.5 Open Directory

    Has anyone had any experience with getting a 10.6 server's various collaboration services working with a 10.5 Open Directory? I have the web services working fine, but I'm having trouble getting iCal running correctly. First, 10.5 clients trying to connect to the 10.6 iCal server won't work via Kerberos. The other problem is that when I connect via digest mode (or whatever the unsecure mode is), the iCal clients don't seem to get anything back from the server. I can create events and I see them via the web interface, but events created or edited via the web interface don't get pushed back to the client.
    Thanks for any help...

    I don't think 10.6 does the enabling stuff the same as 10.5 if I remember correctly. A lot of it is done via the web interface. I know creating a wiki in 10.5 meant creating a group in WG manager and setting it up through that. In 10.6 you go to the wikis part through a browser and hit "Create new wiki". Permissions are setup via the settings page on the wiki.
    I'm not sure if the same goes for calendaring because we haven't ever used the iCal server to the full extent but I think it might be a similar change. When you sign into your "my page" on a 10.6 web server, it creates a calendar for you that you can edit via the web interface or iCal. Wikis also have calendars created, but I'm not sure how to get them in iCal.
    Hopefully that helps some...

  • Server 2008R2 - SSL Certificate Weak Public Key Strength

    Hello -
    I'm using a Windows 2008R2 server and am working on locking the system down. We use the BeyondTrust Retina Network Security Scanner, the scanner returns two results that I'm having trouble solving.
    The first finding is:
    'SSL Certificate Weak Public Key Strength'
    "Retina has detected that the certificate on the target supports a cryptographically weak public key strength. An attacker may be able to leverage weaknesses in the public key strength to gain access to sensitive information."
    "Replace the current certificate with one using a high-grade public key strength of 2048 bits or higher"
    **Does anyone have any ideas how to find all the certificates loaded on the machine that aren't at 2048 bits or higher, the system is a standalone machine without internet access**
    The second finding is:
    'SSL Certificate Self-Signed'
    "Retina has detected that the certificate on target is self-signed. Self-signed certificates can provide underlying cryptographic functionality, but cannot guarantee the origin of the certificate is trusted."
    "Verify the certificate is trusted to ensure the confidentiality and integrity of prior encrypted communications. Replace the current self-signed certificate with one signed by a trusted root certificate authority."
    **Anyone have any ideas how to find 'self-signed' certificates? I've tried searching through the certificates store on the local computer, but I can't seem to find a self-issued certificate, but Retina sure found some.**
    Any help would be greatly appreciated!!
    Thanks,
    Ryan

    A self-signed certificate is a certificate whose Subject attribute equals its Issuer attribute. You can use the script below to find certificates that are self-signed and whose public key is shorter than 2048 bits.
    Be aware that if you search in all possible certificate stores (including the Trusted Root CA store) you will find a lot of self-signed certificates. Please see my notes in the PowerShell code.
    # Find self-signed certificates whose key size is less than 2048 bits.
    # Uncomment exactly one of the store paths below (the Personal stores are the ones to look in).
    $storePath = 'Cert:\LocalMachine\My'   # Local Machine store - Personal - this is the place to look in
    #$storePath = 'Cert:\CurrentUser\My'   # Current User store - Personal - this is the place to look in
    #$storePath = 'Cert:\CurrentUser\*'    # whole Current User store - this will bring a lot of certs
    #$storePath = 'Cert:\LocalMachine\*'   # whole Local Machine store - this will bring a lot of certs
    $myCerts = Get-Item $storePath
    # Read-only access is all that is needed to inspect the store.
    $myCerts.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $myCertsList = Get-ChildItem $myCerts.PSPath
    # Self-signed: Subject equals Issuer (exact match, not a wildcard -like comparison); weak: key shorter than 2048 bits
    $myCertsList | Where-Object { $_.Subject -eq $_.Issuer -and $_.PublicKey.Key.KeySize -lt 2048 } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter, @{Name='KeySize'; Expression={$_.PublicKey.Key.KeySize}}
    $myCerts.Close()
    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

  • Initial setup and Open Directory problem

    Hi,
    I'm new to the Mac OS X Server system and trying to get one up and running on a G5.
    Unfortunately I can’t get the configuration up and running, and I have the feeling it already goes wrong during the initial setup. I was hoping you guys could help me out.
    The purpose of the server is providing network user accounts (DNS + Open Dir.) and providing sharepoints.
    I go trough following steps while installing from scratch:
    - Install Mac OS X and run the Server install package from the OS X Server DVD (as you know, OS X Server isn't installing directly on a G5)
    - Choose keyboard layout, enter license and create an account "admin"
    - Define static IP "192.168.1.1", add this IP as the first in the list of DNS Servers, add "company.local" in the search domain
    - Install as a standalone server (so I can configure dns & other network services after basic setup)
    - Check "network time server" (so time will be synced for Kerberos)
    - Proceed, install and reboot
    OSX Server seems to be installed fine and I can login with "admin". Next step I take is configuring DNS.
    - create a zone "companyname.local.", use my IP as server address (192.168.1.1) and use "server" as the server name.
    - add a machine record for DNS-testing (called "gateway", with the IP of "192.168.1.254")
    Start the DNS service and reboot
    - perform an nslookup with a second MAC with 192.168.1.1 as the nameserver and verify that DNS is resolving correctly.
    DNS seems to be working fine, now I would like to get the Open Directory service to work:
    - change "Standalone" to "Open directory master" in the server configuration panel
    - provide a password for the directory admin
    - use "SERVER.COMPANYNAME.LOCAL" as kerberos realm, and "dc=server,dc=companyname,dc=local" as the search base
    - Save & start the service and perform a reboot to be sure all the new settings are in use
    Unfortunately after this install open directory doesn't seem to work fine and also Kerberos doesn't start.
    Concerning Kerberos: I get following output in the "Slapconfig log" Open Directory log file:
    Starting LDAP server (slapd)
    command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=maggie,dc=interesourcegroup,dc=local -w **
    Hostname server.companyname.local is from Rendezvous
    Skipping Kerberos configuration
    Sorry to bother you with the entire walkthrough of the installation, but I have the feeling that I'm missing something while performing the basic install or DNS setup .. ?
    Regards,
    Seppe
    G5 Mac OS X (10.4.6) /

    We currently have a static IP and a public DNS hosted by MediaTemple, so I think I can create a subdomain on MediaTemple and link it to our fixed IP address ("private.companyname.com" >> static IP) instead of using DynDNS.. ?
    Of course.
    I suppose I can then use "private.companyname.com" as the zone name on my G5 server and use "server.private.companyname.com" for my local DNS?
    Sounds reasonable.
    If using this DNS, what will be the Kerberos REALM and Search Base? And do I still need to specify private.companyname.com as the Search Base in the Network Settings of the clients and server?
    Well, REALM and LDAP Search Base can be set to whatever you like. On the other hand I've seen tools contacting Kerberos servers break when the REALM is not part of the Kerberos server FQDN.
    So I'd stick with the usual recommendations and set the Kerberos REALM to your domain name (if there is no other Kerberos server already running and using this).
    For the LDAP search domain I'd also follow the road of using the domain name space as search base.
    When DNS is finally set up properly, these settings will be autopopulated for you in the GUI. So test, test, test your DNS with
    host $ip and host $fqdn and then go on promoting "Standalone Server" to "Open Directory Master".
    HTH
    -Ralph

  • Jabber Guest server Local SSL certificate

    Hi, trying to download a local SSL certificate from the Jabber Guest server and issued a 'generate a new self signed certificate' request. The system shows 'a certificate signing request is being created, please wait'. Unfortunately it's been like that for 2 days now - even after rebooting the server it still reports the same. (version is 10.5.3.115)....any advice appreciated.....TIA, Jeff

    Jeff,
    I had a look at my Jabber Guest server this morning and oddly enough I found the same thing as you did. I'm not sure when the server got into this state however I can say it has been fully functional. Anyway, there are two options that you generally should have.
    1) "Generate a New Self-Signed Certificate"
    2) "Create a New Certificate Signing Request"
    To restore these options I had to run the certificate scripts through the root of the system.
    1) cd /opt/cisco/webcommon/scripts/
    2) ./createcsr.sh   (This is for the Cert Signing Request)
    3) ./selfsigned.sh  (This is for the Self Sign)
    After running each script you'll need to run through the general certificate questions.
    I hope this helps.
    -P

  • [IMAP SSL] Certificate-Based Login problems

    Hi,
    I am trying to set up a Certificate-Based Login authentication for an installation of Java Messaging Server 7 Update 3 over Solaris x86 64bit platform.
    The objective is to allow a client to establish an SSL session using a certificate that has been issued by a CA that the server has established as trusted and then grant access to the user without providing his password.
    In my installation, unfortunately a password is always required to log in any user. These are the steps I have made:
    1. Add the CA-signed server certificate.
    2. Add the trusted Certificate Authority.
    3. Turn on all cipher suites including the weak ones.
    4. Enable SSL
    ./configutil -o service.imap.enablesslport -v yes
    ./configutil -o service.imap.enable -v 1
    ./configutil -o service.imap.sslport -v 993
    ./configutil -o service.imap.sslusessl -v yes
    ./configutil -o encryption.rsa.nssslpersonalityssl -v "Product-Cert" (where Product-Cert is my CA signed server certificate)
    5. Check with the netstat command to verify that the service is running.
    bash-3.00# ./configutil -o service.imap.sslport
    993
    bash-3.00# netstat -an | grep 993
    *.993 *.* 0 0 49152 0 LISTEN
    Once I have taken these steps, when I use a client to establish an SSL session with a PKCS#12 certificate installed (signed by the same CA trusted by MS, and the email address in the user's certificate matches the email address in the user's directory entry), the connection is correctly established using port 993 but it is always necessary to log in with a password to grant access.
    The imap logs seem to show that the MS is not requesting the user's certificate from the client, because they always show "plaintext authentication" (this corresponds to an attempt to access the user's inbox without Login).
    [10/Mar/2010:10:31:38 -0100] goody imapd[2623]: Account Notice: badlogin: [192.168.169.12:1595] plaintext llcc authentication failure
    [10/Mar/2010:10:31:41 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:1595] [unauthenticated] 2010/3/10 10:31:37 0:00:04 41 907 0
    [10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Network Error: Socket error [192.168.169.12:2226] : I/O function error
    [10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:2226] [unauthenticated] 2010/3/10 10:31:56 0:00:25 11 511 0
    Also there are some error logs related to the Ciphers:
    [10/Mar/2010:10:30:39 -0100] goody imapd[2623]: General Error: SSL initialization error: Unable to enable SSL cipher suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064) (-8186)
    Please, Can you help me to discover if there is something wrong in my configuration?
    Thanks in advance.
    Kind Regards,
    Luis

    Thanks for your reply Shane.
    Yes, I have configured the client to use port 993. I think the problem is in the Multiplexor configuration; after finishing, I always get this log message in the ImapProxy logs:
    [15/Mar/2010:17:25:10 -0100] goody ImapProxy[1865]: General Error: (id 455) Connection limit reached for client IP 192.168.169.108
    [15/Mar/2010:17:25:22 -0100] goody ImapProxy[1865]: General Error: (id 477) Connection limit reached for client IP 192.168.169.108
    [15/Mar/2010:17:25:37 -0100] goody ImapProxy[1865]: General Error: (id 499) Connection limit reached for client IP 192.168.169.108
    Where 192.168.169.108 is the IP of the server where MS is installed. The strange thing is that there are no connections established because this is a development environment; when I try to check the IMAP port (not SSL) I find a strange behaviour:
    bash-3.00# telnet localhost 143
    Trying 192.168.169.108...
    Connected to goody.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY UNSELECT SORT CATENATE URLAUTH LANGUAGE ESEARCH ESORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ENABLE QRESYNC CONTEXT=SEARCH CONTEXT=SORT WITHIN SASL-IR XSENDER X-NETSCAPE XSERVERINFO AUTH=PLAIN STARTTLS] Messaging Multiplexor (Sun Java(tm) System Messaging Server 7.3-11.01 (built Sep 1 2009))
    . login llcc LLCC_PASSWORD
    Connection to goody closed by foreign host.
    The ConnLimits parameter is set to default in the ImapProxyAService.cfg (i.e. default:ConnLimits 0.0.0.0|0.0.0.0:20).
    Also I have set these values, not present in the link: http://wikis.sun.com/display/CommSuite/Configuring+Encryption+and+Certificate-Based+Authentication#ConfiguringEncryptionandCertificate-BasedAuthentication-ToSetUpCertificateBasedLogin
    configutil -o local.mmp.enable -v 1
    configutil -o local.store.enable -v 0
    configutil -o local.imta.enable -v 0
    configutil -o local.http.enable -v 0
    Any idea?
    One question more. I have read that Store Administrators have proxy authentication privileges to any service (POP, IMAP, HTTP, or SMTP), which means they can authenticate to any service using the privileges of any user. The question is: Is there any way for the Store Administrator to access to the mailbox of all the users using the IMAP protocol?
    Thanks a lot for your help,
    Best Regards,
    Luis

  • Can not join a Windows XP machine to OS X Server 10.5.3 Open Directory

    I have set up an OS X Server for testing before we deploy it to the network for production. I am trying to join the Windows XP machine to the Domain which I set up in Server Admin under SMB and I get an error "A domain controller for the domain "DomainName" could not be contacted". I have set up WINS, DHCP and DNS. I can ping the OS X Server using its fully qualified domain name and I can see the server under Network Neighbourhood, but I cannot log in to it.

    Hi Guys,
    Here is more info on my SMB configuration, I still can't join a Windows XP machine to OS X Server 10.5.3 PDC. Hope this configuration helps in anyway.
    smb:realm = "GRIDIRON01.OT.GRIDIRONINTERNAL.COM"
    smb:logon drive = "H:"
    smb:logon path = "\\%N\profiles\%u"
    smb:workgroup = "pctopia"
    smb:wins support = yes
    smb:map to guest = "Never"
    smb:enable print services = "yes"
    smb:wins server = emptyarray
    smb:security = "USER"
    smb:server string = "gridiron01"
    smb:ntlm auth = "yes"
    smb:netbios name = "gridiron01"
    smb:max smbd processes = 0
    smb:os level = 65
    smb:preferred master = yes
    smb:add user script = "/usr/bin/opendirectorypdbconfig -c createuseraccount -r %u -n /LDAPv3/127.0.0.1"
    smb:lanman auth = "yes"
    smb:domain logons = yes
    smb:domain master = yes
    smb:use spnego = yes
    smb:use kerberos keytab = yes
    smb:adminCommands:homes = yes
    smb:adminCommands:serverRole = "primarydomaincontroller"
    smb:adminCommands:ldapRole = "1.1 - hosting a master LDAP directory server\n"
    smb:auth methods = "odsam"
    smb:dos charset = "CP437"
    smb:enable disk services = "yes"
    smb:log level = 1
    smb:add machine script = "/usr/bin/opendirectorypdbconfig -c createcomputeraccount -r %u -n /LDAPv3/127.0.0.1"

  • Open Directory or LDAP Problem with 10.5 Client and 10.4 Server

    Yesterday, the client-server setup we've been using successfully FOR YEARS decided not to work on a v10.5.8 MacBook Pro client. Did not do anything to the v10.5 client recently (other than to boot it up). Not sure if any software was updated on the server recently (where do I check for this?). Curiously, a v10.4.11 client running on a Mac Pro (tower) continues to work fine/as though nothing's changed. It appears as though the only difference is v10.4 client (working) vs. v10.5 client (not working).
    Here is what IS working:
    1) Network Home Directories on dedicated drive partition of Mac running OS X Server v10.4.11. AFP, DNS, and Open Directory are all up and running (normally, I think) as shown in Server Admin application.
    2) Mac Pro (tower) client running v10.4.11 binds to and authenticates at v10.4.11 server. Any valid user can access their home directory on the server seamlessly when logging in at this v10.4.11 client Mac.
    3) That same v10.4.11 client Mac also contains a LOCAL admin user with its home directory on the local hard drive. That LOCAL admin account is used to update software on a per machine basis (and preclude users from adding unauthorized software, needing to use a specific machine, etc.).
    Here is what IS NOT working:
    4) On a MacBook Pro client running v10.5.8, the LOCAL admin account loses access to the partition containing its local home directory. The drive partition literally disappears. The only "solution" I've been able to find (and it's not truly a solution) is to turn off the Open Directory/LDAP binding (using the Directory Utility application). With binding turned off, the LOCAL admin user has no problem accessing their home directory on the local hard drive partition. Turn binding on again (using Directory Utility application), and the LOCAL admin user can no longer see its local home directory.
    Again, binding is necessary to allow regular users to use the v10.5 MacBook Pro with Network Home Directories (as in items 1-3 above). Binding should be turned on for this reason. However, with binding on, the LOCAL admin user cannot manage the computer because the local partition containing the admin home directory disappears/is inaccessible. Turn binding off, and the partition containing the admin home directory reappears.
    Perhaps there's something in the server logs that will help. I don't really know how to read these, so if your help involves the logs, please refer to them explicitly (e.g., "in Server Admin, go to Open Directory->Logs->LDAP log" or similar).
    Any help greatly appreciated.

    Nope. Never used sso_util.
    I try to use Apple's GUI server management tools unless absolutely necessary/at the end of my rope (i.e., last step before re-install etc.). I figure there's just too many things going on under the hood: using the command line may fix one setting, but not re-configure the two or three others that Apple NEEDS in order to have the whole thing working in harmony. Unless you really know what's going on with all the configuration files, it's best to let the GUI manage the settings.
    In my particular circumstance, I've now got ALL Leopard clients, one Leopard v10.5 server, and one Tiger v10.4 server. Everything is working fine now, but it was not a simple matter getting the Tiger v10.4 server re-integrated into the otherwise ALL Leopard environment. OD/Kerberos is on the Leopard v10.5 server. Home directories are still on the Tiger v10.4 server.
    Two keys to getting THIS/MY set-up working:
    1) Tiger v10.4 server needs to have Open Directory set to "Connected to a Directory System" and has to be joined to the Kerberos realm that was set-up on the Leopard v10.5 server (use Server Admin to do all of this).
    2) Sharepoint on Tiger v10.4 server has to have SOME, but NOT ALL checkboxes for guest access enabled/checked. See:
    http://discussions.apple.com/message.jspa?messageID=10903468#10903468
    Number 2 immediately above is contrary to what Apple manual for User Management reads, but this is what worked for me/my set up, after pulling my hair out following the manual's instructions to the letter and not getting the thing to work!
