Statement about Lion Server experience

Similar Messages

• Question about Lion Server usage...

  Hi there!
  I'm new to Lion Server (at most, I had used the SL sharing preferences, but never the Server Admin or any of those tools...)
  I'm having some troubles understanding Lion Server. First of all... where are all the files stored?? I know the web server files are stored at /Library/Server/Web... but what about all mails, wikis, and those files?
  That is one question... the other one is... while fiddling with the wiki server I noticed that when I created a user, it's profile page is saved on the wiki and when I delete that user, the wiki document is still there! Wasn't it supposed to be deleted as I deleted the user itself?
  I can't seem to find a manual or something, only for SL Server not Lion.
  Can someone please help me out?
  Thanks!
  - Eduardo

  Eduardo
  At the moment there is very little for Lion Server. What little there is, is here:
  http://www.apple.com/uk/support/lionserver/
  and here:
  http://manuals.info.apple.com/en_US/lion_server_upgrading_migrating.pdf
  The administration manuals take some time to become available which is usually the case when Apple release a new version of the Server Version. However most of what's there does not change that much and generally the 10.6 Administration Manuals will contain most of what will eventually become the 10.7 Administration Manuals. Again this has always been the case going back to at least 10.3 Server. Technologies introduced in 10.5 Server such as CalDAV, Wiki and Blog etc did not change that much in 10.6. Apple also moved away from Cyrus as one of the Mail MDAs to Dovecot. But again the locations of where these were stored did not change. Going back to CalDAV and CardDAV these now appear to be amalgamated into one store.
  As ever with any version of the Server - regardless of platform or age - it's a good idea to have plenty of backups and to experiment first with a test/lab environment before rolling it out to a full production server.
  HTH?
  Tony

• Question about Lion Server documentation

  Historically Apple has posted the server documentation as a set of PDF documents which can be freely downloaded. I have found what appears to be the correct webpage for the Lion Server documentation which is  http://www.apple.com/macosx/server/resources/documentation.html but this page only has a Getting Started guide as a PDF and the rest as only HTML which can only be viewed online.
  Does anyone know if there are PDF versions available somewhere?
  http://www.apple.com/macosx/server/resources/documentation.htmlhttp://www.apple. com/macosx/server/resources/documentation.html

  William Bowden1 wrote:
  https://help.apple.com/advancedserveradmin/mac/10.7/print.html?lang=en#printBook
  Unfortunately that is the html version I mentioned. It comes down as a single massive document which takes forever to load.
  I know Apple have been having a spat with Adobe over Flash, but that is no reason to boycot offering PDF manuals.

• What to do when SLS - Lion Server Upgrade & Migration Fail

  Hi everyone,
  I've had a tough time over the past week trying to updating my SLS to LS. (It was a slow week at the office so despite the warnings in these discussions I wasn't disturbing anyone, so I thought I'd try...) Both an upgrade to the current running system and a clean install on a wipe of that hard drive stall at the "Configuring Services" "Upgrading services" screen of the set up process. The migration path eventually fails, and as far as I can tell, it seems that the upgrade path just stays there forever.
  Don't worry - I'm doing this all on a Super Duper! clone of my primary drive, so I can go back to SLS whenever I need to.
  BUT, I can tell that the server's status is at least partially okay, even in this stalled setup state - iChat seems to work on various clients, and I can use Server Admin to see stats and services, etc.
  So despite the discomfort of a failed install, part of me feels like I'll be fine with the LS if I can just figure out how to move my old data into the right places for the new system to use it. But I can't find any guidance for that. I'm looking to migrate OD (seems to have migrated fine), iCal, iChat, Address Book, Wikis, Time Machine, and File Sharing (which should be trivial to set up, I reckon).
  Can anyone point me in the right direction?
  Thanks very much,
  Willhaus

  Okay, so I've had some marginal success.
  After leaving the hung install for a ridiculous amount of time (24+ hours), I realized that I could click the help button, and from the help window click the "further info about Lion Server" link to launch Safari. That gave me access to Software Update from the Apple menu, which then let me install the latest Safari update which conveniently enough requires a restart.
  After restart, the Server Migration Assistant kicked in again, but failed quickly in the upgrading services stage. Another restart, and the sever finally booted more or less normally.
  The strange thing was that although chat services worked fine during the hung install, all OD-related services stopped working after restarting. Turns out there were no users or groups in OD. Importing them from an OD archive, though, restored them.
  So now iChat works great (even the old chat longs migrated successfully), and AFP is properly sharing our volumes across our studio's network. So our server is limping along.
  The other services we need that aren't up yet are Wiki and iCal. Some info about those:
  Wiki: administrators can log in and see all wikis just fine. That's awesome because it means the data migrated successfully. Any non-admin users can log in, but are then get a wiki-styled page that says simply "No wikis found". It's as if they don't have permissions to see the wikis, even though in Server.app they belong to the groups that the wikis are associated with. I've tried removing and re-adding users to groups, but that doesn't seem to do it. Any ideas how to fix this?
  Calendar: While I can't get this to work, it's not like it's completely lifeless. An account in a client Lion iCal configured with the proper Lion settings returns an error that reads:
  "The Server is Busy or Unavailable.
  "The server at myserver.com is currently unable to handle the connection for account “ Calendars” due to a temporary overloading or maintenance of the server. If this continues you should contact the server administrator.
  "You may try to connect to the server again or take the account offline."
  As a logged in administrator, in a wiki clicking on Calendar in the nab bar goes to the calendar style page with an unending dialogue box that reads "Getting events from server". And clicking on Calendar from Home page footer takes me to the URL https://myserver.com/webcal with an error that says:
  "Service Temporarily Unavailable
  The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
  Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8r DAV/2 Server at myserver.com Port 443"
  Again, at least I'm confident that the data migrated properly -  I can find all the calendar data in it's proper new location - but either the service won't start or something's not configured correctly. I've tried chaining the hostname and restarting the service about a billion times. I've got no idea what to try next. Any ideas?
  Thank you so much,
  Willhaus

• Lion Server: All network users have disappeared

  Hi,
  A search through the forums and kbase didn't give me anything that mapped well to my problem. Here's the situation:
  Specs:
  Mac Pro (2008) 6GB RAM, SSD boot with space available, OS X Lion (latest) with Server.app
  Services:
  File Sharing
  Users: less than 15—accounts only used for file server access.
  This is the only server on the local network, all network routing is taken care of by a Meraki router.
  I went to add a new user to our fileserver, and was unable to connect to the server over Apple Remote Desktop. At the time, file sharing from the server (I *believe*) was still working. I logged in with the file server's local admin account via SSH and tried to use Kickstart to get ARD running again—something I'm well versed in. The script ran as usual, but ARD could still not connect. So, as everyone was in a meeting, I tried to use `shutdown` to reboot the fileserver from the CLI, something I've also done in the past (but not frequently). Usually that takes about a minute to work, and then my shell disconnects—but after 5 minutes, the Mac had not rebooted.
  At that point, I decided to walk to the server and manually force it down by holding the power button in. That powered off the Mac, and 30 seconds later, I booted it up.
  Back on my Mac via ARD, I was able to remotely control it and got to the Fileserver's log in screen, which featured a red dot in the use field I'd never seen before. It's tool tip read "network users are currently unavailable" (paraphrased, perhaps). I logged in with the Fileserver's local admin user (as usual) and launched the Server.app, only to find that in the `Users` section, there were no users listed, and the plus and minus buttons were greyed out.
  I tried rebooting but got the same results. I then repaired permissions and verified the boot drive. Lots of permissions repairs (as usual) but nothing improved. Another reboot after the permission repair and disk repair, just for safety's sakes… and as you can guess by me posting here… no improvement.
  I'm not heavily versed in Server. I'm not even sure if those users are stored in a database, and where that DB would live. Does server make dumps or backups of the users on its own? Should I have been? Is this LDAP? Anyone have some next steps I can try? What info would be useful?
  My first goal would be to recover a damaged DB. I only have just under 15 users, so re-creation isn't difficult. But, under the department of "I don't know a ton about Lion Server" I don't know if network users act like OS X users… where you could create a new user with the same username, but if their UID is different, then they won't have access to their owned files on the fileserver… is Server that exacting? Does it care who owns the file?
  Thanks in advance for any ideas, or resources you can point me to!

  It gets far weirder……
  Now no one, myself included can log in.
  Checking the logs, which I'll try to attach a small sample of here (Dropbox link below since you can only attach images here), I see repeated instance of both `opendirectoryd` crashing and respawning, and of server manager unable to authenticate:
  1/19/15 4:57:06.658 PM com.apple.opendirectoryd: Assertion failed: (0 == (connection->flags & eODConnectionFlagSocketValid)), function __odconnection_connect_block_invoke_2, file /SourceCache/opendirectoryd/opendirectoryd-172.17/src/odconnection.c, line 988.
  1/19/15 4:57:07.641 PM com.apple.launchd: (com.apple.opendirectoryd[13760]) Job appears to have crashed: Abort trap: 6
  1/19/15 4:57:07.641 PM com.apple.launchd: (com.apple.opendirectoryd) Throttling respawn: Will start in 9 seconds
  1/19/15 4:57:07.761 PM ReportCrash: Saved crash report for opendirectoryd[13760] version ??? (???) to /Library/Logs/DiagnosticReports/opendirectoryd_2015-01-19-165707_localhost.cras h
  1/19/15 4:57:17.276 PM PasswordService: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: user with slot 4873a20f-0cc0-f7c3-0000-000a0000000a not found.  Result: 80 Other (e.g., implementation specific) error
  1/19/15 4:57:17.277 PM AppleFileServer: _Assert: /SourceCache/afpserver/afpserver-585.7/afpserver/AgentSession.cpp, 856 (4294952813)
  1/19/15 4:57:32.703 PM servermgrd: servermgr_accounts: got error 2100 trying to auth to local LDAP node
  https://dl.dropboxusercontent.com/u/1344045/server-sample.log.txt

• I want to erase my hard drive and reinstall  lion server. Can someone help me out?

  i have a mac mini running lion server. I want to erase all the date and start fresh. When i try to reinstall Lion it does not show anything about lion server but jut Lion. I want to make sure I do it properly. It is also asking me in which hard drive to install Lion but im unsure.
  can someone help me out?

  Check in the app store under purchases both lion and server should show up there to download again.
  No need to erase both drives for a clean install just the drive you are using for the OSX. Though if you are truly starting a fresh then erase and reformat both.
  As for Upgrades. Yosemite is the only upgrade now available through the app store as is Server 4.0 for Yosemite. I have not tested the latest server yet and can not comment on it's reliability.
  Any server you set up should be thoroughly tested on a closed network before going live.
  Hope this helps.
  PJRS

• Worth upgrading to Lion Server?

  Not trying to be snarky, geniunly curious.
  Currently have a Snow Leopard server for a small business office. It's being used as an Open Directory master, network share, web server, and Time Machine backup. No mail/calendar/wiki (use Kerio for that). In reading about Lion server I'm not sure if any of the new features are worth the upgrade for me. We went from 10.5 to 10.6 server mostly for the speed boosts and Spotlight searching, but I can't seem to find any "must have" Lion features for my use case.
  Anyone care to share their decisions over why they are planning an upgrade, and why?

  I will add to what was said above. Do not under any circumstances upgrade.
  I recently setup a clean Lion server, pre-installed on an iMac, with the lion server add-on from the App Store. So, totally clean machine, starting from scratch, Lion pre-installed.
  It's been a nightmare. The Server tool is unusable. It is buggy as ****. User and Group assignments just up and dissapear. They are still present, but you can't see them from the Server Tool. The only way to manage them is to use the Users and Groups Preference Pane, which is a pain also, but at least it works.
  The UI for setting permissions (yes, the standard Command-I interface), is screwed up also. It cannot handle simple tasks whithout failing. You never know what it its going to do. You add a group. But it doesn't take. You add it again. It might work. Hevean forbid you want to add a group, assign it read-write, and then apply to all subfolders. LOOKS like it works, but it doesn't. I confirmed this using the command line tools.
  I finally gave up trying to use the UI for permissions, and now I am doing everything from the command line using "chmod" commands. These always work. As soon as I can figure out how to manage users and groups from the command line, that's what I'm going to do.
  Windows SMB/CIFS sharing is a nightmare. It mostly works. Except when it doesn't. And it doesn't a whole lot of time. You think it's fine. But for no apparent reason, the Mac starts dropping the connection if it idles for too long. You can have a document open on a Windows machine, and go back to save it or work further, and the connection has dropped. Repeatedly you will work on a file, and for no apparent reason, when you try to save it, you are told that the file is already open by another user. But it's not. You are the only user, and in fact you are only using one single application to edit the file.
  I could not get our Debian-Linux based RIPs (for our large format printers) to connect using SMB at all. I finally gave up after numerous attempts trying every possible combination, and switched to using NFS exports. Thankfully, NFS still works in Lion, and the NFS Manager app (google for it) has been updated to manage them if you are uncomfortable doing it from the command line / text editor.
  We are hobbling along. It ain't pretty. I wish we had another option at this point.
  FYI: We didn't have a choice but to make this move now. Our old fileserver, a linux box, could no longer keep up with our growing user base and our very large file systems (we are a medium-sized printing company). Linux is great as a Mac server for smaller networks, but it can't handle either Samba or AFP connections once the filesystem grows too large. It bogs down horribly due to the inherent limitations of Samba and Netatalk. So our only options were a Mac Server or Windows+Extreme-Z IP. We chose to roll the dice on an iMac + Promise Pegasus disk array on Thunderbolt + Lion Server.
  I wish I had the option to install Snow Leopard. But you can't install it on this iMac. The only machines that support Thunderbolt AND Snow Leopard are laptops. Unless we spent gobs of money on a Mac Pro + Fiber Channel (which would have been almost triple the price), our only choices were the new Mac Mini Server, or the new iMac, either of which supports Thunderbolt, but neither of which supports Snow Leopard.

• Regarding mountain lion server: clients experience intermittent service connections. the server system log has the following error- Client handshake failed (6):113: Server not accepting client connections (any ideas???)

  regarding mountain lion server: clients experience intermittent service connections. the server system log has the following error- Client handshake failed (6):113: Server not accepting client connections. any suggestions would be greatly appreciated - thank you

  Hi Jason
  I was getting the same behavior after Apple support had me delete some plist files to get Airplay going. I was also getting the following error:
  the error occurred while processing a command of type 'writesettings' in the plug-in 'server vpn'
  I went into ~/Library/Preferences/ and /Library/Preferences/ and deleted every plist contating the word server. I had to re-set up my server (meaning walk through some intial steps) but all of my settings were still there after that and everything started working again.
  Just a thought, obviously try at your own risk but it worked for me.
  Kellen

• Advise about setting up a permissons on Lion server for a small office.

  What is the common wisdom and advise about setting up permissions optimally for a small office using OS X Lion Server as a file server?  I thought I had this solved by setting the ACL permissions so that all users and appropriate groups can read and write all files on the server.  This works great until a new file is created.  Then it appears that the POSIX umask kicks in and takes priority over the ACL permissions.  I need to allow group write permissions on all new files.  My options seem to be:
  Make everyone an admin - not great for obvious security reasons
  Change the umask for the whole machine - also security problems, though perhaps fewer than the everyone-an-admin route above
  Write a folder action applescript to add group write permission on all new files.  This works fine if you have a static number of folders  With new folders it has the problem: How do new folders created by non-admin users get this folder action automatically applied to them - some cronjob to hunt down the new folders; an applesscrpt folder action that adds a folder action to all new folders (sounds recursively complicated)?
  Have a cron job regularly do something like  `chmod -R 664` on all files.  This will break during those between the cracks times between when someone creates a new file and when the cronjob runs - not ideal.
  Seems like this should be easier which makes me think I'm missing something obvious.
  Any help great appreciated.  Thank you in advance!

  Good-heart's advice is certainly your first step, but if you've already done that and still have the problem you've described, you might have the 10.7.3 ACL bug, particularly if your users and groups are in an OD or AD rather than being local accounts on the server. The problem is that ACL's for directory accounts are incorrectly ignored, resulting in POSIX permissions coming into play.
  I've descibed my workaround for this here;
  https://discussions.apple.com/message/18037703
  I haven't yet tried the other trick I've read about, which is to ensure your Share's data directories are at least one level down on the volume - there is a post here on the Communities that mentions this;
  https://discussions.apple.com/message/18028746
  I seem to remember that this helped with an earlier version of AFP, if using external firewire or usb storage.
  Let us know if you find a fix, it seems a number of people have problems with this.
  Regards,
  Ian

• Deleting wikis with missing About pages in Lion server.

  I am new mac mini lion server owner.  Somehow I ended up with Wikis without  About Pages n Wiki server and am unable to delete those wikis even with my admin account.  When I go to those wikis I get a message "An unexpected error occurred.".  I see Action (gear) icon on the page but it only has "Settings" and "Help" links, but no option to delete the wiki even when logged in with an account that own the wiki.  Clicking on Settings does not take me there, but remains on the same page.   But I am able to go to settings pages of those wikis by manually changing the url to "/settings" after removing the html page of the wiki.
  Can someone please help me on how to delete those wikis?  I searched in google but found no answers to this.  I even looked at Lion documentation but it has no helpful information for this case.  I am new to Mac OS, have been a PC user for all these years.  So I am new to even simple things on a Mac OS.  Please help.
  Thank you.

  Hi RajPad,
  i have not yet found a commandline tool to remove pages. If you're familiar with SQL you can use a tool to connect to the postgresql database where the pages are stored.
  I won't try to write a "howto connect to pgsql on lion" here because i know this has been answered already.
  If youre connected to the database collabd and you have a page url like:
  http://my.lion.server/wiki/pages/P9c196z/somepage.html
  Then your SQL to find the entity is:
  SELECT * FROM entity where tiny_id='P9c196z';
  Note the uid from that result and find and remove all related entries in other tables there after removing this entity.
  I have not excercised that myself because i don't have a system to screw
  Make a Database dump prior to your actions and hope nobody is editing pages while you're at work.
  If you have a plain SQL dump you could pick individual datasets from there to rebuild if something goes wrong. You'll only have to note what you changed to be able to revert.
  Just an idea ....
  Make a copy of your page and compare both pages in database. If one is working and the other aint you should be able to find the difference.
  Good Luck
  Andreas

• Thinking about getting Lion server when it comes out?

  I am truly thinking of getting Lion server when it comes out.  After reading the information on the web site, it looks as if I need to have Snow Leopard Server first.  I know it's early but just wanted to know so I know how I wish to do it.  Any feedback would be helpful, thanks.  Also what are your thoughts on Snow Leopard Server?

  10.6 server runs great and has many customizable options.
  10.7 server will have a more simple layout to make it easier for the small office manger to use.
  To get 10.7 server from what i understand is you need to have at least 10.6.6 client. Then you can upgrade to Lion for $30. Once the lion client is installed you can then install the server tools which is $50.

• How do I get Mac Pro with Lion Server to restart at a set time when users are connected?

  I have recently configured a Mac Pro with Lion Server, and have set it to restart automatically every morning at 3am. When I arrive in the morning, I notice that it has not rebooted, usually because it states there are users connected. Is there a way to automatically disconnect users so that the machine will reboot.  No one is ACTIVELY connected at this time of the morning, but may still be logged in somewhere. I did see where I can log out users after a set period of time when using Workgroup Manager to manage a computer or computer group, but I don't use the server to manage all of the computers that have users log in.
  Thanks!

  Well, it doesn't necessarily have to be each and every night, but it was for the sole purpose of preventing sluggishness. We had it set up before, as Snow Leopard Server and it would restart every night. It would occasionally be slow and need rebooting, however a manual reboot was not possible by most people in the store as they did not have credentials to screen share and restart it - which would result in holding down the power button to shut it down.
  The server is used for the sole purpose of logging in about 50 users just so they can customize their experience, as well as saving items to their own home folders.  The store is closed during the night, and there is no reason anyone would be accessing it during the night.

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• What I wish I'd Known Before My Lion Server Install

  The truth is that I am on my FIFTH Lion Server install on the same box this week. While I was working on #4, I went ahead and submitted a ticket with Apple and arranged a timeslot for this morning to work with them to help me past my struggles with Lion Server. This post is the result of that experience. Big props to Apple support techs Chuck and Don - you know who you are!
  What I Wish I'd Known Before My Lion Server Install
  1. Do NOT migrate user accounts, apps, and files, until AFTER you have the Server set up and working correctly.
  - This one tip, which is brilliantly simple, would have saved me four very long days of head bashing.
  2. Server Admin Tools are mandatory.
  - The first time around I used the Server App to configure the system (after an upgrade install, and subsequently after a clean install + migration).
  - Server Admin allows you to set up the foundation of your server - which it NEEDS!
  - DNS - configure a local, pseudo domain for your server if you're doing this at home. Something like "mynet.private" - if you don't, your SSL certificates can get all jacked up, your clients will not trust your certs. This breaks a lot of stuff.
  3. Do NOT accept the mDNS .local domain suffix for your Server
  - At each step, if something auto-fills your server name as name.local reject it, and use the fully qualified domain name that you set up above (server.mynet.private).
  - If you do not do this, anything that requires certificates could/will have big problems.
  4. Enable services one at a time. Reboot after EACH major phase past the core Lion install.
  - Base install ... Server install. REBOOT
  - DNS configuration. REBOOT
    - validate your host name - I needed to force a 'changeip' command because there was a problem with the HOSTNAME retaining the mdns .local domain name.
  - OD Master config. REBOOT
  - Set up Podcast Producer (which will also setup your Xgrid). REBOOT
  5. Take images of your hard drive as you go.
  - Once I got the core server installed, the basic services above, I rebooted and held the option key, then restarted on the Recovery HD image.
  - Use Disk Utility to take a snapshot image of your hard disk so you can get back to this wonderful place of everything working! It's cheap insurance, and adds a bit of extra time, but is well worth it. If you leave the default settings alone (the 'compressed' one in particular) it will use as little space as possible. My server at this stage of configuration created a 4GB disk image.
  6. Use the Migration Assistant After the above
  - Now you can migrate your apps
  - Migrate your users
  - etc.
  If you use the Migration option while you're installing the server, or if you upgrade on top of your Snow Leopard (or whatever), I can almost guarantee you that you are in for a world of hurt.
  I struggled through all kinds of issues with files having embedded information, scattered throughout all the various subsystems, that gummed up my installation and would case all manner of the flakey Lion Server behavior that you read about ("Error Reading Configuration").
  If you want to use Podcast Producer, or any of the Profile Manager features, the above methodology was the only way that I could get them to work. Often times I'd have everything working, then reboot and it would break. After I did the above, the system is as solid as a rock.
  Today, I love Lion Server. Yesterday I was cursing it.
  Best of luck!!

  There are 2 distinct apps in Lion Server.... Podcast (in Server app) and Podcast Producer (Server admin which is deemed legacy from SNS).  Podcast uses Podcast Publisher instead of Podcast Capture to produce, edit and submit to Podcast app.  Podcast doesn't requre Xgrid where PCP did. The two don't mix.
  It's as clear as mud in all the documentation about this.
  We're finding that Podcast Publisher has much more flexibility that Podcast Capture (edit, episodes & more), can use existing workflow from PCP, doesn't require xgrid, and podcasts can easily be managed by non-IT people via the Podcast wiki as opposed to the CLI pcast commands to edit & modify PCP feeds.
  Hope this helps.

• Setup Lion Server for use in Small Office of Windows & Mac Clients

  I've purchased a Mac Mini Server with Lion Server installed to be used in my small office of less than 10 people.
  The primary goal of this server is to used for File Sharing, bother locally, and remotely.
  In the process of setting up Lion Server I have come across a couple things that I am confused about.
  The first is Open Directory.
  It is my understanding that this is not a necessary setup for the number of users in my office, however I set it up anyway as it appeared to be something that would be useful in the future.
  I have come across information that states Lion Server will not be accessible for Windows users connected via Open Directory. Thus my inclination is to disable the service, and set up my users as local users.
  My question is, for local and remote File Sharing, is there any benefit to using Open Directory?
  The second has to do with Remote Access.
  I am familiar with the notion of a VPN, but I need some clarification as to my remote access options.
  When I go to setup my Server's hostname, I am presented with three options. 1) Host name for local network, 2) Host name for private network, and 3) Host name for Internet.
  I have a domain name for my company's website, so I set up a subdomain (server.mycompany.com), asked my ISP for a Static WAN IP, and pointed thesubdomain to said IP using my DNS. Thus this appears to be option number 3; to allow users to connect to my server from the local network, as well as the Internet.
  My question is, how does this differ from a VPN both in setup, as well as method with which users will access the server? Is there a benefit to one over the other? I would Google this to find an answer, but I can't seem to find a name for what this setup is called.
  I very much appreciate any help you can provide.
  Thanks.

  Well, I spoke too soon.  Lion Server is unstable, awkward and is far too limited to qualify as an Apple product. Even though there's quite a few enhancements, the omissions of technologies in the server 10.6 edition makes this "server" a no go for us.
  Even after installing mysql, I still cannot run a Joomla website on Lion server as it should be done. The wiki's a nice thing to have, but isn't a "professional grade" solution.  There's too much iOS as well.
  With that said, I think it's a shame that apple would put customers through so much frustration and disappointment by releasing such a lame product. In order for us to use Lion server, we would have to be able to run a second (totally separate) instance of Apache. It also appears that server settings are changing to the extent that services become inaccessible as the system is running.