General Lion Server Notes

Some general Lion server setup notes

Notes on setting up Lion Server and tidbits of information related to it. Edited chronologically, with the latest tests and observations at the top.

Update 8:

1) Time Machine
– New control utility: tmutil
– Local snapshots keep hourly backups on the startup disk while the Time Machine disk is unavailable; they are merged into the backup disk when it is reconnected.
– They live, root-owned, under /.MobileBackups. Bear in mind that deleted files persist there until the snapshot ages out, so disable local snapshots before imaging or handing over a machine.
– To disable local snapshots from the CLI:
$ sudo tmutil disablelocal

Update 7:

1) Profile Manager
– Default configuration settings may not show up for all configured services. Unchecking and re-checking “Include configuration for services” solves the problem.

2) Changes in IP address can now trigger a “Recovery option” that helps correct the network settings. The server identity can now be attached to a network interface. This appears to be the GUI counterpart of the changeip command. If the IP address or hostname changes, check Server.app first for messages and go through the recovery options before re-checking the network state from Terminal.app (e.g. with sudo changeip -checkhostname).

3) Nuking the Profile Manager backend
– Stop the Profile Manager service before doing this.
– On the server, run “sudo /usr/share/devicemgr/backend/wipeDB.sh”
– On the client, run “configurationprofiles -D” to remove the installed profiles

4) Setting up an OS X server to act as a gateway
– Suggested order for setting up a localized OD with internet access:
a. Set up the Internet-facing interface.
b. Turn on Internet Sharing. The internal interface will default to the 192.168.2.x range.
c. Use Server.app to define the hostname and primary interface for the server. This should be the interface facing the internal network.
d. Once setup completes, a local DNS zone is created for the hostname defined. Change this so that it addresses the correct zone.
e. NOTE: at this point DNS, DHCP, NAT and the firewall should all be configured to hand out and serve 192.168.2.x addresses on the internal network. Since this box is now the edge, make sure the firewall only exposes the services you actually intend to reach on the Internet-facing interface.
f. Re-order the network service order so that the Internet-facing interface is on top.

5) OD binding + Profile Manager
– The client detects that SSL certificates are required to trust the OD server and prompts the user to accept them. Client services are configured at this binding point.
– Profiles downloaded afterwards are trusted. MCX continues to be applied.
– All configured services can be downloaded via the profile page. If MDM enrolment is accepted, they are pushed automatically.
– The passcode lock from Profile Manager requires a 6-digit code.
– The system is forced to shut down after a remote lock. The lock is applied at the firmware stage (appears to be set as an EFI firmware password).

Update 6:

1) Installation problems
– Zap NVRAM
– NVRAM stores the UUID of the target install drive as well as the install type
– Inspect NVRAM with nvram -p, delete a stale variable with nvram -d <name>, and take the appropriate action

2) Creating a Lion Recovery partition image
– Check the root device using mount, then use hdiutil pmap to identify the partition
sudo hdiutil create -uid [uid] -gid 80 -mode 1775 -srcdevice [identified source] [save image location]
– Scan the image for restore: sudo asr imagescan --source [save image location]
To restore the recovery image to a Lion system with no recovery partition, identify the root partition using diskutil list
– Resize the partition, and create a 1 GB partition named Recovery.
– Re-image the partition with the Recovery image (asr restore --source [save image location] --target /dev/disk0s3 --erase)
– Set the type of the partition to “Apple_Boot” with sudo asr adjust --target /dev/disk0s3 --settype Apple_Boot

[edit]

To set the type back to normal HFS so that Disk Utility can see the Recovery HD volume, use

 sudo asr adjust --target /dev/disk0s3 --settype Apple_HFS

Switch it back to Apple_Boot when done; the hidden Apple_Boot type is what keeps the partition out of Disk Utility and marks it as the recovery partition.

Update 5:

1) Podcast Service
– Podcast Publisher uses Podcast Service
– Podcast Service != Podcast Producer
– Podcast Service is a simpler iteration of PCP (Podcast Producer)
– Can post into the Podcast Library or make use of a PCP workflow
– Library location in

2) Podcast Publisher
– Creates podcast feeds and episodes
– Interestingly, it doesn’t capture its own window when doing a screen capture
– Has an option to send an email announcing a new feed/cast
– Information can be edited via the [INFO] button in the top right corner
– Descriptions only show up once subscribed to in iTunes
– MP3 imports don’t seem to work? Stick to M4A, M4V or MP4 for now.

3) Profile Manager
– Able to wipe all devices/settings for Profile Manager. Either route drops every enrolment record, so devices have to re-enrol afterwards:
$ sudo /usr/share/devicemgr/backend/wipeDB.sh
OR
— stop the Profile Manager service
— bring up Terminal, then:
$ cd /usr/share/devicemgr/backend
$ sudo serveradmin start postgres
$ sudo rake db:drop RAILS_ENV="production"; sudo rake db:create RAILS_ENV="production"; sudo rake db:migrate RAILS_ENV="production"
— start the Profile Manager service

Update 4:

1) Profile Manager URLs: https://myserver/profilemanager and https://myserver/devices
– There seems to be a way to fill in variables in a profile.

Profile Manager Variable Keys

– If the user un-enrols or removes the device in Safari, the MDM profile also disappears, and the other provisioned profiles disappear along with it.
– Best to RESET the device before changing users
– Give it about 5 minutes before the configuration takes effect
– How to force-push a profile?

2) iChat
– The username is the full email address; the server field is the server hostname (NOT the domain)
– Logs are located at /Library/Server/iChat/Data/message_archives (these hold users’ chat transcripts, so keep the directory’s permissions tight)

3) Podcast Producer
– Everything still seems to work the old way. Nothing new seems to work.
– The Manage Library link doesn’t seem to provide anything useful
– For some reason it is VERY slow?

Update 3:

1) Profile Manager
– Turn it on and set up push credentials with an Apple ID (make sure OD is enabled first!)
– Export the server certificate for import into devices. If the certificate has no root chain, the certificate itself has to be installed first.
— Make sure you install
(a) the Root CA from Keychain Access -> System -> [the description of the item is “Root certificate authority”]
(b) the intermediate certificate from Keychain Access -> System -> [a non-human-readable UUID with the description “Intermediate certificate authority”]
Log in to https://myserver/devices as the OD user and install the certs. The result should be certificates shown as Verified.
– Enrol the device.
— Cannot seem to manage a group of users effectively? USERNAME always seems to be required regardless of whether a group is used to set a profile.??
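Why (a) and (b) above both have to land on the device can be checked before touching a single iPad. The script below is an added example, not a command sequence from the original notes: it builds a throwaway root -> intermediate -> server chain with openssl and shows that a verifier holding only the root CA cannot validate the server certificate until the intermediate is supplied as well. The names (“Example Root CA”, myserver.example.com) are made up. To check the real server, export the root and intermediate from the System keychain and run the same openssl verify call against the server certificate obtained with openssl s_client -connect myserver:443 -showcerts.

```shell
#!/bin/sh
# Added example: throwaway PKI showing that the intermediate CA must be
# installed alongside the root for the server certificate to verify.
# Everything here is constructed test data; nothing touches the real server.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extensions for a CA certificate (used for both root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
# Extensions for the end-entity (server) certificate.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:myserver.example.com\n' > "$WORK/server.ext"

# new_csr NAME SUBJECT: fresh RSA key and CSR in $WORK/NAME.key and $WORK/NAME.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_chain() {
    # Root CA: self-signed, CA:TRUE.
    new_csr root "/CN=Example Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA: issued by the root, still CA:TRUE.
    new_csr inter "/CN=Example Intermediate CA"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
    # Server certificate: issued by the intermediate, NOT by the root.
    new_csr server "/CN=myserver.example.com"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Mirrors a device that trusts the root AND has the intermediate installed.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Mirrors a device that trusts only the root: the server cert's issuer is unknown to it.
verify_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Confirms the server certificate really is issued by the intermediate.
issuer_is_intermediate() {
    openssl x509 -in "$WORK/server.pem" -noout -issuer | grep -q "Example Intermediate CA"
}

build_chain
if verify_with_intermediate; then
    echo "root + intermediate installed: server certificate verifies"
fi
if verify_root_only; then
    echo "unexpected: the root alone should not be enough"
else
    echo "root only: unable to get local issuer certificate, install the intermediate too"
fi
```

The second verify call fails with “unable to get local issuer certificate”, which is exactly the state a device is in after step (a) alone; step (b) is what makes the server certificate show as Verified.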

Update 2:

1) Some details of the webappctl configuration for creating advanced web configs

Using webappctl configurations

2) Mail setup is as normal, using Server Admin.
– Webmail is activated using the “Server” app
– Webmail cannot simply be turned on for a separate virtual domain. Only the default domain is used.
– SSL for webmail has to be enabled across the entire default domain (without any advanced configuration; it is probably possible otherwise if you are willing to dive into the conf files)
– Webmail uses the Roundcube webmail system (http://roundcube.net/)
– Server-side mail filtering is integrated into Roundcube under Settings. The webmail sidebar must be expanded to see the settings available there
– No more mail setting within Workgroup Manager. The default is ON.
– Local users have mail enabled by default.

3) Address Book server
– Can be SSL enabled. Use the selection under HARDWARE -> SSL Cert

4) iCal server
– Can be SSL enabled. Use the selection under HARDWARE -> SSL Cert
– When setting up accounts, the server address picks up the domain of the email instead of the actual server address; this has to be changed
– Take note of the SSL setting when completing the iCal setup
– Ensure the local user has email set up before using iCal

5) Wiki
– The web calendars location is http://myserver/webcal. Not obvious, but it can be added to “My Page”
— Delegation is possible via the web interface. Click on the name title to see delegates.
– New File in Documents only accepts common file formats? (PDF, JPG etc.)
— Notification and sharing with other users is possible
— Cannot edit from iOS
– Local users can also create wikis (depending on the setup in the Wiki panel of “Server”)
– Can watch for changes and see revision history

Update 1:

1) To set up a customized virtual web host, first set up a virtual host using the “Server” application.
– Configure the virtual host within “Server” (there isn’t much to set).
– Go to /etc/apache2/sites
– Look for the corresponding *.conf file
– Edit the file and turn on AllowOverride (e.g. AllowOverride All) in the site’s Directory block. Do not add other directives there, as they are overwritten when the web server is restarted.
– Return to the corresponding “Sites” directory for the virtual host and create a .htaccess file
– Add your advanced configuration here. Examples are Redirects, AddHandler etc.

2) To secure the /var/empty directory, which gets served when an HTTP request does not match any configured site:
– Create a .htaccess file in /var/empty
– Use the Options directive to turn off Indexes and ExecCGI
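Concrete .htaccess contents for items 1 and 2 above, as an added example rather than files taken from the original notes. The site path and the PHP handler line are assumptions (Lion Server keeps site directories under /Library/Server/Web/Data/Sites/; the handler only does anything if the PHP module is enabled in Server.app). Both files are only honoured if the Directory block covering them has an AllowOverride that permits the directives used (Options and Limit for the /var/empty file), so check the block covering /var/empty in the shipped httpd.conf as well; an ignored .htaccess fails silently.

```apache
# --- .htaccess for the custom virtual host (item 1) ---
# Assumed location: /Library/Server/Web/Data/Sites/<your site>/.htaccess
# The site's /etc/apache2/sites/*.conf must carry "AllowOverride All"
# (set via Server.app / the conf as described above) or this is ignored.

# Permanent (301) redirect of a retired path to its replacement.
Redirect permanent /oldpage.html /newpage.html

# Hand .php files to mod_php; Lion ships Apache 2.2 with php5_module,
# whose handler name is php5-script. Assumes the module is enabled.
AddHandler php5-script .php

# --- .htaccess for /var/empty (item 2) ---
# Location: /var/empty/.htaccess
# Fallback document root for requests that match no configured site:
# it should never list its contents or execute anything.
Options -Indexes -ExecCGI -FollowSymLinks

# Optional, stricter: refuse every request that lands here (Apache 2.2
# access-control syntax). Verify first that no Server.app service relies
# on the fallback root answering.
Order deny,allow
Deny from all
```

With the second file in place, a request for an unconfigured hostname returns 403 instead of an empty directory listing, and any stray script dropped into /var/empty cannot run.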

3) Check out webappctl and its man page if the requirement is to create a web app that sits under a virtual domain.
– This allows a customized httpd_*.conf file to be created and adhered to.
– Such an app can also be started independently with the webappctl command

4) Open Directory needs to be set up in order to use file sharing over WebDAV
– The URL is (http|https)://yoururl/webdav/username
– When mounting from a computer, mounting /webdav is fine
– When mounting from iOS, mount directly to the username path
– Read/write access is available on the user’s home directory

5) Guest accessibility
[From OS X]
– AFP works (URL = afp://myserver/)
— Guest login only shows guest share points
— User login shows a list for the user to choose from. Both local and OD.
— A local user sees the local public folders
– SMB works (URL = smb://myserver/)
— Guest login shows a list of all SMB folders with a “nobody” folder. No icon badge is shown, but permissions are respected across the different accessible folders
— User login shows a list of all SMB folders with the user’s folder. Same as guest login but with user privileges.
— Local admin user login shows a list of all available share points as well as drives. Worth remembering before handing out local admin accounts, since it exposes whole volumes over SMB.
— Local standard user shows a list of all SMB folders with the user’s folder. Same as guest login but with user privileges.
– WebDAV doesn’t work completely (URL = http://myserver/webdav).
— Guest cannot log in
— OD user login shows a list of all WebDAV folders upon mount. No icon badge, but permissions are respected across the different accessible folders
— Local user login shows a list of all WebDAV folders upon mount. No icon badge, but permissions are respected across the different accessible folders

[iOS]
– WebDAV doesn’t work completely (URL = http://myserver/webdav).
— Guest cannot log in. Credentials are prompted for
— OD and local users cannot log in (invalid response). If using URL = http://myserver/webdav/user, the OD user can log in.

6) NFS file shares
— Create /etc/exports. See man nfsd and man exports for the configuration
— Use nfsd -F /etc/exports checkexports to check the configuration
— Use serveradmin start/stop nfs to control the service
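A sample /etc/exports for the above, as an added example and not a file from the original notes. Paths and hosts are assumptions; the 192.168.2.0/24 network is the range Internet Sharing hands out in the gateway notes (Update 7). NFS trusts the client’s claimed UID, so the points worth getting right are restricting who may mount at all and making sure a remote root does not arrive as root.

```text
# /etc/exports (macOS/BSD syntax, see exports(5)). One export per line:
# path(s), then options, then the hosts or networks allowed to mount.

# Read-only software share for the internal LAN only. Without -maproot or
# -mapall a client's root is mapped to nobody, which is what we want here.
/Volumes/Data/Software -ro -network 192.168.2.0 -mask 255.255.255.0

# Read-write share limited to two specific hosts; -alldirs lets clients
# mount subdirectories rather than only the top of the export. Root is
# explicitly squashed to nobody.
/Volumes/Data/Projects -alldirs -maproot=nobody buildbox.example.com 192.168.2.20

# What NOT to do: no host list means every host that can reach the server
# may mount it, and -maproot=root lets any client root write as root.
# /Volumes/Data/Projects -alldirs -maproot=root
```

After editing, run sudo nfsd -F /etc/exports checkexports to catch syntax and path errors before serveradmin start nfs, and remember that the firewall on the Internet-facing interface should not pass NFS (port 2049 and the portmapper) at all.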

7) CardDAV works on both Mac and iOS. Flawless using OD as well as local users.