SSH to Lion Server: The authenticity of host ... can't be established.

In Server.app, when trying to SSH into a 10.7.4 Lion Server, I get the following response:
The authenticity of host '<server.domain.com> (10.0.1.xxx)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
How do I set up sshd to use the server's signed SSL certificate for authenticity establishment?
TIA,
Larry Goldman

To answer my own question:
In general, SSH on the client in coordination with the SSHD daemon on the server uses an authentication system that is separate from Lion Server's signed-SSL certificate methods. The SSH-specific keys that are exchanged between client and server are created by the ssh-keygen command. For details see the man pages.
The first time a client SSHes into a server, normal behavior is to be presented with the message: "The authenticity of the host 'server.domain.com' can't be established." along with the server's RSA key fingerprint. This fingerprint must match the one displayed by running the following command -- locally -- on the 10.7.4 Lion Server:
ssh-keygen -l -f /etc/ssh_host_rsa_key
The user has to visually compare the key strings to determine if they match. If so and the connection continues, that server's RSA key fingerprint is added to the file ~/.ssh/known_hosts (in a hidden folder in the user's Home folder).
Alternately, there is a way to add the server's RSA key fingerprint to a zone file for the domain, using an SSHFP DNS record type, but I have not tried this myself.
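The fingerprint comparison and the SSHFP alternative the answer describes, as an added example that is not part of the original post: it rebuilds what `ssh-keygen -l -f /etc/ssh_host_rsa_key` computes (the MD5 colon-hex form Lion printed, plus the SHA256 form newer OpenSSH prints), checks it against the fingerprint in the "authenticity can't be established" prompt, and renders the matching SSHFP zone records. The key material is a constructed placeholder, not a real host key.

```python
import base64
import hashlib
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative SSH mpint (RFC 4251): minimal big-endian bytes, sign bit clear."""
    if value == 0:
        return ssh_string(b"")
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_host_key_blob(e: int, n: int) -> bytes:
    """Build the blob sshd sends for an ssh-rsa host key (RFC 4253 s6.6); fingerprints hash this."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_public_key_line(line: str) -> bytes:
    """Return the key blob from a line of /etc/ssh_host_rsa_key.pub or of ~/.ssh/known_hosts."""
    fields = line.split()
    if fields and fields[0] != "ssh-rsa":   # known_hosts lines carry a hostname field first
        fields = fields[1:]
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    return base64.b64decode(fields[1])


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 hex: the format `ssh-keygen -l` printed on Lion (OpenSSH before 6.8)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as newer OpenSSH prints it: base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_from_prompt(prompt: str) -> str:
    """Pull the fingerprint out of the 'authenticity of host ... can't be established' prompt."""
    match = re.search(r"key fingerprint is (\S+)", prompt)
    if not match:
        raise ValueError("no fingerprint in prompt")
    return match.group(1).rstrip(".")


def fingerprint_matches(shown: str, blob: bytes) -> bool:
    """Compare the prompt's fingerprint with the one computed from the server's own host key."""
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return shown == sha256_fingerprint(blob)
    return shown.lower() == md5_fingerprint(blob).lower()


def sshfp_records(hostname: str, blob: bytes) -> list:
    """Zone-file SSHFP records (RFC 4255, RFC 6594) for the same key: algorithm 1 = RSA,
    fingerprint type 1 = SHA-1 and 2 = SHA-256, each the hex digest of the key blob."""
    return [
        "%s. IN SSHFP 1 1 %s" % (hostname, hashlib.sha1(blob).hexdigest()),
        "%s. IN SSHFP 1 2 %s" % (hostname, hashlib.sha256(blob).hexdigest()),
    ]


# Constructed sample key: a placeholder modulus, not a real RSA key, used only to exercise the code.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest() * 8, "big")
SAMPLE_BLOB = rsa_host_key_blob(SAMPLE_E, SAMPLE_N)
# What /etc/ssh_host_rsa_key.pub on the server would look like for that key (constructed).
HOST_KEY_PUB_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@server.domain.com"


def verify_prompt_against_host_key(prompt: str, pub_line: str) -> bool:
    """The manual check from the post, automated: fingerprint in the prompt vs. the server's .pub file."""
    return fingerprint_matches(fingerprint_from_prompt(prompt), parse_public_key_line(pub_line))


if __name__ == "__main__":
    blob = parse_public_key_line(HOST_KEY_PUB_LINE)
    print("ssh-keygen -l style fingerprint:", md5_fingerprint(blob))
    print("modern fingerprint:             ", sha256_fingerprint(blob))
    for rr in sshfp_records("server.domain.com", blob):
        print(rr)
```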

Similar Messages

  • I have a lion server set up to host storage for time machine backups. Is there a limit to how many different computers can back up to the single server? I am only backing up the users' folders. The backup drive is an external Drobo with 6 TB.

    I have a lion server set up to host storage for time machine backups. Is there a limit to how many different computers can back up to the single server? I am only backing up the users' folders. The backup drive is an external Drobo with 6 TB. Right now it seems to back up my users all day long. I set their time machine interval to every 5 hours but it still runs all day long and is very slow. Server is on a new Mac Server mini.

    AFAIK, there is no user limit.. it is simply a question of the network load. AFP is a fairly clean protocol.. but TM is not.. it does a lot of testing of the backup.. in fact your setting of a 5-hour gap could well make it worse.
    I would sort out the clients that are doing 100GB backups to a different backup location.. no matter how fast your network.. 100GB takes time to backup.. and over wireless forever.. it will never end.
    I guess some of these clients are on wireless?? I would separate the TM of wireless from those that are wired. No more than 4 or 5 wireless clients to a target device. Otherwise you are saturating your network with backup data. And use 5 GHz.. so close by.. it is much faster than 2.4 GHz and you will get much better transfer rates.

  • After-Delete Resource Action Fails with "the authenticity of host  ..." Err

    I created two Resource Actions (see below for format used). Both actions are being referenced in a Shell Script resource adapter (RA) that's used to create/delete a home directory on a Sun Solaris box. The RA also performs other setup/cleanup activities. The After-Create resource action call to ssh works. The After-Delete resource action call to ssh fails with the following error:
    com.waveset.util.WavesetException: Script failed waiting for "_,)#+
    (:" in response "The authenticity of host 'localhost (127.0.0.1)' can't be
    established. RSA key fingerprint is db:98:c4:cf:84:0a:f9:52:12:14:7...A key
    fingerprint is db:98:c4:cf:84:0a:f9:52:12:14:7e:74:23:f7:8f:df. Are you sure
    you want to continue connecting (yes/no)? " com.waveset.util.WavesetException:
    Script processor timed out with nothing to read and the following unprocessed
    text: "The authenticity of host 'localhost (127.0.0.1)' can't be established.
    RSA key fingerprint is db:98:c4:cf:84:0a:f9:52:12:14:7e:74:23:f7:8f:df. Are you sure you want to continue connecting (yes/no)? The authenticity of host 'localhost (127.0.0.1)' can't be established. RSA key fingerprint is db:98:c4:cf:84:0a:f9:52:12:14:7e:74:23:f7:8f:df. Are you sure you want to continue connecting (yes/no)? ".
    By the way, we are currently using Sun Identity Manager 7.0.
    Thanks in advance for your assistance.
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE ResourceAction PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <ResourceAction name='ResAction:myProj:Resource-After-Create'>
    <ResTypeAction restype='Shell Script' timeout='20000'>
    <act>
    #!/bin/csh
    echo "Account ID" >> /myProjFolder/.$WSUSER_accountId.txt
    echo $WSUSER_accountId >> /myProjFolder/.$WSUSER_accountId.txt
    ssh -l someuser localhost /myProjFolder/exe/someExecutable $WSUSER_accountId &
    exit 0
    </act>
    </ResTypeAction>
    <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
    </MemberObjectGroups>
    </ResourceAction>
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE ResourceAction PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <ResourceAction name='ResAction:myProj:Resource-After-Delete'>
    <ResTypeAction restype='Shell Script' timeout='20000'>
    <act>
    #!/bin/csh
    echo "Account ID" >> /myProjFolder/.$WSUSER_accountId.txt
    echo $WSUSER_accountId >> /myProjFolder/.$WSUSER_accountId.txt
    ssh -l someuser localhost /myProjFolder/exe/someExecutable $WSUSER_accountId &
    exit 0
    </act>
    </ResTypeAction>
    <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
    </MemberObjectGroups>
    </ResourceAction>

    You've probably already fixed it...
    Just log on in the console yourself, instead of IdM. After answering yes, key fingerprint will be added to the ~/.ssh/known_hosts, and IdM will be happy.
    Milan

  • Move just wikis to new Lion server (redirect one virtual host)

    I have a bunch of services on my Mac Pro with Snow Leopard Server, including file sharing, VPN, subversion, wikis, several websites, a few webapps, etc.  I don't want to upgrade that server right now, but I'd like to try upgrading the wikis to Lion Server and Wiki Server 3.
    How could I move the wikis to Lion Server on another machine?  They are all accessed through a separate virtual host.
    We only have one public IP right now (I maybe could get a second public IP but don't want to just for this.)  Everything hits my router (dd-wrt device, so quite configurable) which sends port 80 (and most other ports) to my snow leopard server.
    One idea would be to have the router redirect another port (8080 or something) to the new lion server, and then put a redirect page on the original wiki address (port 80) to redirect over to 8080, which would then go to the other server.  But that's not really ideal because then the users of my wiki would see it on a new port and a lot of times ports other than 80 are blocked by firewalls (not my firewall, but firewalls closer to my users.)
    So does anyone have any other ideas on how to redirect the traffic of one virtual host to another internal machine behind NAT?
    Separate question: any experience migrating a wiki from Wiki Server 2 to Wiki Server 3?  Did it work well?
    John

    The best way to do this is to take the contents of /Library/Collaboration and put it in a location accessible from your newly set up Lion install.  In Server.app, enable Wiki, and run:
         sudo wikiadmin migrate -r /Path/To/Library/Collaboration
    After that, start the wiki and you should be good to go.  You should bind your Lion server to the same Directory as the Snow Leopard server, to ensure permissions and users carry across successfully.
        A.

  • I have just purchased OS X Mountain Lion on the App Store. How can I see if it is downloading

    I have just purchased OS X Mountain Lion from the App Store. How can I see if it is downloading correctly and how long should it take?

    If you click on Purchases icon in the toolbar you should find it listed with your purchases. There should be a progress bar showing.
    The file is over 4 GB. How long it takes depends on your internet service speed.

  • I have an iMac with Lion and the cursor freezes, what can be done.

    I have an iMac with Lion and the cursor freezes. It froze in Word, Safari, iPhoto, and Photoshop. What can be done?

    4GB of RAM is not very much RAM these days particularly if you tend to have many windows open at one time. For example if you are working in Safari and have several tabs open and then work on a Photoshop project that will eat a lot of RAM. One simple way to check is open Activity Monitor (Applications - Utilities - Activity Monitor) and click the System Memory tab. Run this under typical use and check the amount of FREE RAM. It will look something like:
    I can see from my example I am dangerously low on RAM by the amount of free RAM I have. I suspect if you upgrade to 8, 12 or even 16GB of RAM your machine would work much better. BTW ...my MacBook Air is limited to 4GB so it's up to me to manage my RAM better.

  • Can't install Lion get the message "recovery system can't be created"  -see picture of my screen

    So I have been trying to install Lion for 2 days.  The screen below is what I keep getting.  Here's what I have done so far...
    1.) Delete files (I now have about 50GB free)
    2.) Complete all updates (running 10.6.8)
    3.) Disk Utility repair with Snow Leopard CD
    4.) Remove Lion and re-download
    5.) Went to the www.apple.com/support/norecovery page, but the solutions didn't seem to help or really apply to my problem
    No matter what I do, the following occurs:
    1.) Starts installing (says it has 33 minutes to go)
    2.) Gets to about 29 minutes and I get the screen below!
    I even went to the Apple store today and tried some of this with a One to One assistant, he couldn't resolve it either and hadn't seen this message before with anyone else.  When he asked a "Genius" he told me to delete more files.  But that didn't help either!!
    HELP!!!!

    Hi!
    I have a MacBook Pro 13" Core 2 Duo 2.53 GHz and am getting the exact same reaction!
    It's been a few hours since I've been trying to install Lion. Download took about 2 hrs and everything was fine until, each time I've tried, it announces exactly "33 minutes" and pops up that screen a few minutes after a stuck "29 minutes".
    Does anyone have ideas?
    I've seen a lot of threads and thought it might be because of that Parallels Windows 7 I never use. But I even tried deleting it all and the problem persists. I'll be at the Apple store tomorrow and try to figure something out.
    This is just not fair...
    My screen:
    Yet... I'm still really excited about Lion! I'm pretty sure this nightmare will be worth it after all! Thanks for helping out!

  • When I type .ssh root@10.0.02 it says host not recognized I'm unable to get in to known host file can not fix the problem.

    When I open Terminal and do ssh [email protected] it says warning rsa key not recognized, to go to known-hosts file, which I cannot get into. I have downloaded pico but am not sure how to launch it or what I have to do.

    sibeen, please stop starting new posts when you are really just continuing the first post.  "Reply" to one of your existing posts when you are really just continuing the same question.  If I have not lost count, you have posted 3 times about this same ssh rsa host key issue, and Linc Davis and I have been trying to keep track of all the details, but with it spread out across multiple new posts, it is difficult.
    I'm guessing as you again forgot to post the actual error (I'm starting to wonder if you are testing how well Linc and I can guess at your problem ).  Anyway, I'm guessing that you managed to delete the $HOME/.ssh/known_hosts file, and now when you try to ssh to 10.0.0.2 it wants to add the remote system's host rsa key into a newly created known_hosts file.
    The authenticity of host '[10.0.0.2]:22([10.0.0.2]:22)' can't be established.
    RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
    Are you sure you want to continue connecting (yes/no)?
    Generally the command asks if you want to do this, yes or no.  You type "yes" and your Mac memorizes the remote system's host rsa key.
    If this is not the warning message you are seeing, then as Linc has requested, please post the exact error (feel free to mask out the actual key or usernames or IP addresses, but keep the words).
    If you are still getting the original error from 3 posts ago, then I would not try editing $HOME/.ssh/known_hosts, and instead just delete the file, and when you get a message like I have posted above, answer it with "yes".
    With respect to pico, Mac OS X already has pico installed, so there was no need to download it from anywhere.  However, most people just use 'nano' which has essentially replaced 'pico' as an easy to use Terminal based text editor.  But like I said, I think you will be happier if you just delete the known_hosts file and get on with your ssh operations.
    Finally, I think in your 2nd post you indicated you tried deleting a file that had a dash in the name (known-hosts) instead of an underscore (known_hosts).  If that was just a typo when you entered your post, and you were really getting "you cannot delete a directory", then something is seriously wrong, or you accidentally allowed a space to be inserted between .ssh and known_hosts.  Personally, I'm going with you actually entered a space and the 'rm' command thought you wanted to delete the .ssh directory instead of $HOME/.ssh/known_hosts.  I could be wrong, but using copy and paste to post actual Terminal screen output as well as the command you entered would be very helpful to anyone trying to provide useful information.  In other words, help us help you.

  • How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

    I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
    Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
    Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Someday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
    Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
    DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
    DVD>Install Lion
    Reboot, hopefully Lion install kicks in
    Update, update, update Lion (NOT Lion Server yet) until no more updates
    System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standby)
    Terminal>$ sudo scutil --set HostName server.domain.com
    App Store>Install Lion Server and run through the Setup
    Download install Server Admin Tools, then update, update, update until no more updates
    Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
    System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
    A few DNS set-up steps and these most important steps:
    A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
    B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
    C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
    D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
    E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
    F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
    G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed as an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
    H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.]
    I. Test from web browser server.domain.com/mydevices: Lock Device to test
    J. ??? Profit
    12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
    You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
    Firewall
    Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is mostly a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
    SSH
    Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    I'm not sure if toggling Allow remote logins will reload this config file; if not, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
    Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ cat id_rsa.pub >> ~/.ssh/authorized_keys   # append to authorized_keys: known_hosts holds server host keys, not client login keys
    I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file in /usr/share/denyhosts:
    $ diff denyhosts.cfg-dist denyhosts.cfg
    12c12
    < SECURE_LOG = /var/log/secure
    > #SECURE_LOG = /var/log/secure
    22a23
    > SECURE_LOG = /var/log/secure.log
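    Review bot: the `22a23` hunk points SECURE_LOG at /var/log/secure.log, and that is the only file DenyHosts will scan, so verify that sshd's failed-login messages really land there on this box before trusting the alerts; with the wrong path DenyHosts reads a file with no sshd entries and never blocks or emails anything.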
    34c35
    < HOSTS_DENY = /etc/hosts.deny
    > #HOSTS_DENY = /etc/hosts.deny
    40a42,44
    > #
    > # Mac OS X Lion Server
    > HOSTS_DENY = /private/etc/hosts.deny
    195c199
    < LOCK_FILE = /var/lock/subsys/denyhosts
    > #LOCK_FILE = /var/lock/subsys/denyhosts
    202a207,208
    > LOCK_FILE = /var/denyhosts/denyhosts.pid
    > #
    219c225
    < ADMIN_EMAIL =
    > ADMIN_EMAIL = [email protected]
    286c292
    < #SYSLOG_REPORT=YES
    > SYSLOG_REPORT=YES
    Network Accounts
    Use Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
    2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
         User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
    Oh well.
    Email
    Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this:
    root:           myname
    admin:          myname
    sysadmin:       myname
    certadmin:      myname
    webmaster:      myname
    my_alternate:   myname
    Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
    cd /etc/postfix
    sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
    echo 'smtp_sasl_security_options = noanonymous' | sudo tee -a ./main.cf   # sudo must apply to the write itself; "sudo echo ... >>" redirects as the unprivileged user and fails
    sudo serveradmin stop mail
    sudo serveradmin start mail
    Finally, make sure that you're running a blacklisting service yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Also, set up mail to use strong Kerberos/MD5 settings under Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
    If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
    iCal Server
    Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
    Web
    The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
    $ diff httpd.conf.default httpd.conf
    95c95
    < #LoadModule ssl_module libexec/apache2/mod_ssl.so
    > LoadModule ssl_module libexec/apache2/mod_ssl.so
    111c111
    < #LoadModule php5_module libexec/apache2/libphp5.so
    > LoadModule php5_module libexec/apache2/libphp5.so
    139,140c139,140
    < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    < #LoadModule encoding_module libexec/apache2/mod_encoding.so
    > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    > LoadModule encoding_module libexec/apache2/mod_encoding.so
    146c146
    < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    177c177
    < ServerAdmin [email protected]
    > ServerAdmin [email protected]
    186c186
    < #ServerName www.example.com:80
    > ServerName domain.com:443
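    Review bot: in the `186c186` hunk, `ServerName domain.com:443` names a host the automatically generated certificate does not cover (the post later notes the cert only knows about server.domain.com), so any self-referential redirect Apache builds from ServerName sends browsers to https://domain.com and produces certificate warnings; use `ServerName server.domain.com:443` unless a certificate for domain.com is in place.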
    677a678,680
    > # Server-specific configuration
    > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
    > Include /etc/apache2/mydomain/*.conf
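    Review bot: the `677a678,680` hunk's `Include /etc/apache2/mydomain/*.conf` makes the whole configuration fail its syntax check if that directory is missing, so the `sudo mkdir /etc/apache2/mydomain` step described afterwards must happen before the restart command kept in the comment line is run.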
    I did "sudo mkdir /etc/apache2/mydomain" and added specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
    Alias /eyetv /Users/uname/Sites/EyeTV
    <Directory "/Users/uname/Sites/EyeTV">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
    <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    I think you can turn Web off/on in Server.app to relaunch Apache, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
    Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
    One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
    Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
    User-agent: *
    Disallow: /
    Misc
    VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

    Privacy Enhancing Filtering Proxy and SSH Tunnel
    Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
    If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
    $ ./ssht 8080:[email protected]:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/bash
    # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    # Needs bash (not plain sh): the +(pattern) extended globs used below are a bash extension
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost
    REMOTEPORT_DEFAULT=3128         # Default is Squid port
    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
      case $1
      in
        -p) shift;                  # -p option
            SSHPORT=$1;
            shift;;
         *) TUNNEL_DETAILS=$1;      # 1st argument option
            shift;;
      esac
    done
    # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
    shopt -s extglob                        # needed for +(pattern) syntax; man bash
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT
    # The "$CDR" expansions below are quoted so the remainder is matched literally, not as a glob
    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR%:}                            # delete :
    if [ "$CAR" != "" ]                     # local port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote host specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading *@
    CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                            # delete @
    if [ "$CAR" != "" ]                     # user name specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" = "" ]                 # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi
    # -f: go to background after authentication; -N: no remote command; -C: compress; -q: quiet
    ssh -p "$SSHPORT" -L "$LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT" -l "$USERNAME" "$HOSTNAME" -f -C -q -N \
        && printf 'SSH tunnel established via %s:%s:%s\n\tto %s@%s:%s.\n' "$LOCALHOSTPORT" "$REMOTEHOST" "$REMOTEPORT" "$USERNAME" "$HOSTNAME" "$SSHPORT" \
        || echo "SSH tunnel FAIL."

  • Best way to connect mac clients through Lion Server to AD?

    Ok, so here's what we are trying to set up for our school network. We currently have a 2003 server system hosting our PCs.
    Authentication - through 2003 server AD
    When client logs in:
    Mac Client -------sends info to --------> Lion Server ----passed data through to-----> 2003 Server
    2003 Server -----responds with authentication----> Lion Server ---applies profile management to client------> Mac Client
    My thought is that Lion Server needs to connect to the 2003 server via the active directory setup in Users and Groups, but the clients should be connecting to the Lion server via LDAP3.
    We can authenticate to the AD server directly from the clients or from the server, no issues there. Yet putting the Lion Server in "attached to another server" mode in Server Admin Tools doesn't Kerberize, even after giving proper permissions to the server via AD. I'm assuming that Kerberization needs to happen in order for Lion server to pass the login data from the mac client to the 2003 server and vice versa, right?
    Also, we would like to have the users' 2003 network user folders on the desktop automatically, or preferably what they access when they go to Home. I noticed some options in Profile Manager as well as Workgroup Manager to make this happen. I assume that once the data between the 3 is working properly, this will be close to a no-brainer.
    So, advice is much appreciated here, first time setting up this type of hybrid system. Thanks!

    I appreciate all your help. I really do.
    This is basically what I needed to know - You said,
    "The audio out on a TV will source whatever input is associated with the current screen."
    With my current macmini to TV setup - I have to have a separate audio line (apart from the dvi cable for video ) to the TV. I was not sure if that macmini audio line to the TV would transfer to the receiver. If it did not then I assumed (since the macmini only has one audio out line that I would have to split that audio line - one to the TV and one to the receiver ). That was my thinking anyway, but if whatever is on the screen will transport to the receiver then I should have no problem.
    Thank you again for helping me think through this.
    Pete

  • Bridging a WPA2 Enterprise Radius Server (Lion Server) to Apple TV

    Hello,
    I was wondering if anyone can help me out with this setup that I have with Lion Server. Recently I set up my Airport Extreme to use Radius and bind it to my Lion Server for Authentication. Radius works with most of my devices, except for my ATV2 (which is in a different room from the Airport Extreme.) As most of you may know, ATV2 doesn't support WPA2 Enterprise networks.
    Ideally what I would like to do is have the Apple TV connect to my wireless network for all of my videos that are shared on a HD connected to my Lion Server. I was thinking about looking for a WPA2 enterprise wireless bridge with an Ethernet port so that I can connect the ATV to the bridge and have the bridge connect to my Airport Extreme. However, here is what I can not figure out. How can I get that bridge to authenticate to the Radius Server on Lion Server? From my understanding the Radius service on the Lion Server uses its own proprietary radius server to where I couldn't get the bridge to connect.
    Please let me know your thoughts. If it helps, I have a 1st generation TC that I can place in the other room. However, I couldn't see any functionality in Airport Utility that would allow me to bridge that box to the WPA 2 Enterprise network.


  • How can I configure Lion server or mail.app to show IMAP subfolders with mailboxes?

    I'm sure we've all seen the weird IMAP glitch where mail subfolders appear down lower on the mail.app pane instead of nested neatly under the mailbox itself.  Usually you can get around this by changing the Inbox IMAP prefix to "" or "INBOX" or "/" or some such path that the server recognizes as the root path to your IMAP folder.  Unfortunately, this sometimes means you are unable to work with those folders, or it introduces other problems.
    Since I am running Lion (Client) and Lion Server as my mail host, I would think that there is an appropriate answer to this either on the mail.app client settings, or perhaps with a Lion Server configuration through DOVECOT.  I don't mind if the solution is a command-line one, but I need to be able to easily set up my mailboxes so that mail subfolders appear properly under each mailbox, instead of being hidden away lower on the page where it is very inconvenient to find, especially when you are using multiple email accounts.
    Client Machine Lion 10.7.3
    Server Machine Lion Server 10.7.3
    Please Help!!!!

    I've tried editing /etc/dovecot/conf.d/10-mail.conf on Lion Server to add the following:
    namespace private {
      type = private
      separator = /
      prefix = INBOX/
      inbox = yes
    }
    This puts me in a catch-22:
    If I leave the "IMAP Path Prefix" setting in the account Advanced tab empty, I can see the subfolders and move messages in and out of them, but can't add or edit the folders or hierarchy.
    If I set the "IMAP Path Prefix" to "INBOX" I can add and edit subfolders, but they don't appear nested under my inbox.
    Please help!

  • How do I make Lion Server support more than one Time Machine disk?

    Under Snow Leopard Server, I had two disks set up for Time Machine backups. This came about as I'm running a Mac Mini with the 500 GB internal drives which turned out to be insufficient for one of the connected Macs which uses a terabyte drive. I then added an external 6 TB drive and made it a Time Machine destination too. Worked beautifully. When I upgraded to Lion Server the external large drive was no longer available for backups and the interface for configuration within Server only allows for one drive to be in use at a time. Any suggestions (short on reverting to Snow Leopard) as to how to re-enable having both drives available for networked Time Machine access?
    Thanks!

    Hi Adam,
    Before I even realised that the Server app had a setting for TM, I just configured TM backups on my (SL) clients as I had done in SL.
    I shared the drive(s) on the server I wanted to use.
    For each client, I mounted the appropriate shared drive containing its sparseimage file, then set TM on the client to use that drive.
    Then I unmounted the shared drive and started TM.
    It mounted the remote drive (without displaying it in Finder) and opened the sparseimage, showing the "Time Machine Backups" volume on the desktop.
    So you could use any drive attached to the server to backup any client.
    It worked fine for me.
    In the end, I changed my clients to use the (single) shared "Backups" volume which Server.app creates because I can fit all my stuff on one drive.
    HTH

  • Lion Server install fail

    I'm trying to install Lion Server on a Lion system.
    When trying to install Lion Server the server app installer wants to download additional things.
    When it tries, the Server app says ":Can't install Server Essentials because you are not connected to the Internet."
    My internet is up and running - that's how I bought the Server app and made this post to the Apple Support Community.
    Does anyone have any ideas on how to get the Server app to see this?
    Thank you.

    Hi Wozzar. Check out the following thread from iblueracoon. I had exactly the same issue as you and this solved my problem. All the best:
    Correct Answer by iblueracoon  on Jul 21, 2011 1:16 AM
    Hi! I've been having this same issue and I had been busting my head about it for a couple of hours. Whenever I went to create a partition to install windows and download the support software, it would pop up that message. The same for whenever I tried running a java application. An easy fix to this would be to go into system preferences > Network, next, create a new location and delete the old one (transfer your connections of course). Then, connect to your current network. Now, just go into "advanced">"Proxies" and disable auto proxy discovery! It seemed to do the trick for me

  • Lion server, basic questions

    Hi,
    I have three questions:
    1.  If I install Lion Server on my desktop iMac, can I exchange files or documents from my MacBook Pro from my school?  Before I was able to do it in FTP; now how does it work?
    2.  Is my Time Capsule sufficient as a router? I mean, do I have to put my Time Capsule in bridge mode and get a Linksys router, for example, to control the passage to my iMac?
    3.  In my network, I have a G4 on OS X 10.4. Will it still be possible to access my iMac in server mode from it, and will it be possible to access the G4 from my iMac on Lion Server?
    Thanks,
    Claude

    Thanks for quick response.   Indeed, in hindsight, it appears that they had only installed the Server App, but not the Server Admin tools.
    Unfortunately, I am not a system admin, but I played one on TV <grin>
    All kidding aside ... I'm willing to learn, but would need most of the basics controlled through the GUI ... and then feel comfortable reading up and editing configuration files and running commands from the Terminal.
    On this line, is there good documentation of this, or is this something that you know because you are familiar with Unix?    i.e. something like the alternate port issue ... is this something in the GUI, or something I would have to edit via Terminal?
    Just trying to make an informed decision before jumping platforms.
    Thanks
    David
