Configuring a Leopard server as an LSA OSX Install Server

Do NOT add Kerberos_PAM-KFM.pkg (the LDAP config will do passthrough Kerberos).

Configure the firewall:
-----------------------
Run Server Admin and connect to the server you're setting up.
Click 'Firewall' in the left column.
Select the Settings pane.
Click the '+' to add a new IP Address group:

  IP Address Group Name: LSA Networks
  Addresses in group:    click '+' to add "141.211.0.0/16" and "207.75.150.0/24"
                         select 'any' and click the '-' to delete it

  IP Address Group Name: Administrative Nets
  Addresses in group:    141.211.67.0/24
                         141.211.211.0/24
                         141.211.177.67
                         select 'any' and click the '-' to delete it

  IP Address Group Name: Other Mac Servers
  Addresses in group:    141.211.211.0/24
                         141.211.67.0/24
                         141.211.177.0/24

Remove the '10-net' and '192.168-net' IP address groups.

Click on the Services tab.

Allow only traffic for "Any Network" on these ports:
  TCP (established)
  UDP outbound and responses
  TCP (outgoing)
  DNS - responses to outbound queries
  Serial number support
  ICMP - Replies to outbound pings

Allow only traffic for "LSA Networks" on these ports:
  ICMP - all messages
  SSH - Secure Shell [22]
  DHCP and NetBoot server [67]
  DHCP and NetBoot client [68] (if server's address is assigned by DHCP)
  TFTP - Trivial FTP [69]
  RPC - Remote Procedure Call (rpcbind) [111]
  Apple File Service [548]
  NFS file service [2049]
  Netboot Mystery Ports [989,1014] (you'll have to add these)
  Netboot Mystery Port [1023 UDP] (you'll have to add this)
  [Add a new rule for Software Update Local Service [TCP 8088] if this is
   going to be a software update server]

Allow only traffic for "Other Mac Servers" on these ports:
  LDAP secure [636]

Allow only traffic for "Administrative Nets" on these ports:
  Server Admin SSL, also Web-ASIP [311]
  Remote Directory Access [625]
  Server Admin via Server Admin App [687]
  ARD 2.0 [3283,5900]

Click 'Save'.
In the 'Advanced' tab, check the box to Enable Stealth Mode for TCP.
Click 'Save' again.
Click the 'Start Firewall' button.

Configure Open Directory
------------------------
If this machine is lsa-sni-eh:
  Server Admin > Open Directory
  Make this machine an Open Directory master
  Server Admin > Open Directory > LDAP
    Enable SSL
    Cert: Default
  Reinstall the Kerberos.pkg (since the OD master'ing will overwrite it)

If this machine is NOT lsa-sni-eh:
  Make this machine into an Open Directory replica of lsa-sni-eh

Once all the OD replication is set:

# Make members of the 'macserveradmins' OD group be real admins on the box:
sudo dseditgroup -o edit -t group -a macserveradmins admin

(hint: to add users to the macserveradmins group:
 dseditgroup -u macdiradmin -n /LDAPv3/127.0.0.1 -o edit -t user -a dpugh macserveradmins )

Logout and login as yourself.

Configure Service ACLs
----------------------
In 'Server Admin', click on the hostname of the server in the left pane.
Click the 'Settings' tab.
Click the 'Access' tab at the top.
Choose "For selected services below":
  AFP - LSA Installers
  Login Window - DSA
  SSH - DSA
Select 'Login Window', and 'Allow only users and groups' of group 'Admin'.
Select 'SSH', and 'Allow only users and groups' of group 'Admin'.

Limit ARD Access
----------------
System Preferences > Remote Management
Only these users: macroot

#Sync files over
#---------------
#sudo mkdir -p /Volumes/DataDisk/Library/NetBoot/NetBootSP0
#(see the rsync-commands.txt document for all the commands to run)
#
#For syncing over the Group directory, you may have to tar it up on a known server
#first using:
#cd /Volumes/DataDisk/Install/
#sudo tar -cpf Group.tar Group
#scp Group.tar newserver.lsa.umich.edu:/tmp
#rm Group.tar
# ...and on the new server:
#cd /Volumes/DataDisk/Install
#sudo tar -xpf /tmp/Group.tar
#rm /tmp/Group.tar

Set up Kerberos
---------------
#Install the Kerberos.pkg file from Packages Complete (or just copy over
#/Library/Preferences/edu.mit.Kerberos from a recently built machine)
#
#Create and install the keytab on each machine:
#(You must be a kerberos admin to do this)
#Run "kadmin -p admUSERNAME/admin" from a machine that can run kadmin
# (although OSX has kadmin, it is currently incompatible with our
# kerberos setup - use a solaris machine, such as 'mozi')
#kadmin: addprinc -randkey host/fully.qualified.host.name
#kadmin: addprinc -randkey afpserver/fully.qualified.host.name
#kadmin: ktadd -k /path/to/new/keytab/file host/fully.qualified.host.name
#kadmin: ktadd -k /path/to/new/keytab/file afpserver/fully.qualified.host.name
#kadmin: quit
#
#From the new machine:
#sudo scp `whoami`@mozi:/path/to/new/keytab/file /etc/krb5.keytab
#sudo chown root:wheel /etc/krb5.keytab
#sudo chmod 600 /etc/krb5.keytab
sudo mv /etc/krb5.keytab /etc/krb5.keytab.orig
sudo ln -s /Volumes/DataDisk/krb5.keytab /etc/krb5.keytab
#sudo vi /Library/Preferences/com.apple.AppleFileServer.plist
# (search for and change the "kerberosPrincipal" from "afpserver" to
# "afpserver/fully.qualified.host.name@KERBEROS.REALM")
SHORTCUT:
defaults write /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal afpserver/fully.qualified.host.name@UMICH.EDU

Create the AFP shares for SNI
-----------------------------
Create this script and run it (or copy it from lsa-swl2.lsa.umich.edu:/usr/local/bin/make-group-shares):

######### BEGIN SCRIPT
#!/bin/sh
# 'sharing' edits the server's share point configuration, so it must run as root.
if [ `whoami` != "root" ] ; then
    echo "You must use sudo to run this program"
    exit 1
fi

# Share the top-level LSA installer directory over AFP only:
#   -s 100  share over AFP; not FTP, not SMB
#   -g 000  no guest access on any protocol
#   -i 00   do not inherit privileges for AFP or SMB
sharing -a "/Volumes/DataDisk/Install/LSA" -s 100 -g 000 -i 00

# One share point per group directory, with the same flags.
cd /Volumes/DataDisk/Install/Group || exit 1
for installgroup in `/bin/ls -1` ; do
    if [ -d "$installgroup" ] ; then
        echo "Creating sharepoint for $installgroup"
        sharing -a "/Volumes/DataDisk/Install/Group/$installgroup" -s 100 -g 000 -i 00
    fi
done
######## END OF SCRIPT

Click the 'Sharing' icon to define the file shares.
Delete all existing shares (Groups, Public, Users)
  (select each SharePoint, then uncheck the "Share this directory" checkbox).

Configure AFP
-------------
Connect to the server you're setting up.
Select 'AFP' in the left column.
Click Settings:
  General:  UNCHECK Enable Bonjour registration
  Access:   Authentication = Kerberos
            UNCHECK Enable Guest access
            leave 'Enable admin to masquerade...' checked
  Logging:  CHECK 'Enable access Log'
            CHECK 'Error Log->Archive every 7 days'
Click the 'Start Service' button at the top to start AFP.

Configure NetBoot
-----------------
Run 'Server Admin'.
Select 'NetBoot' in the left column.
Select 'Settings' in the main window.
In the 'General' tab:
  In the top half, check the box to Enable Built-in Ethernet (Ethernet 1).
  In the bottom half, check the boxes corresponding to 'Images' & 'Client Data' on 'DataDisk'.
Click 'Save'.
In the 'Images' tab:
  Be sure you see the LSA Installers.
Click 'Start Service' (you'll see a warning about some services not being enabled; this is
because the Web service isn't running [and won't be] - just ignore it and continue).

IMPORTANT NOTE: Theoretically, once you've enabled NetBoot on the server, it should
automatically create a sharepoint for /Volumes/DataDisk/Library/Netboot/NetbootSP0 for NFS.
Go into the File Sharing configuration and also add AFP file sharing for the same directory.
Though this isn't necessary for the service, it makes it a lot easier to copy the netboot
images around.

After a few minutes, the NFS service should start on its own. If it doesn't, you may want to
just reboot the server and it should pick it up.

Verify Everything
-----------------
It's possible that enabling some of the services mentioned above may have re-enabled some
share points or preferences. It may be a good idea to double-check everything in the AFP &
Share preferences (particularly if Guest access has been re-enabled).
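The shell functions below are an added post-build check for the Kerberos and AFP steps in this runbook; they are not part of the original document or of any LSA script. They verify the keytab symlink to /Volumes/DataDisk/krb5.keytab, its 600 mode, the host/ and afpserver/ principals (read from `klist -k` output), and that the AFP kerberosPrincipal is the fully qualified form. The run_checks driver, its --run flag and the newserver.lsa.umich.edu FQDN are assumptions.

```sh
#!/bin/sh
# Added post-build checks for the Kerberos/AFP steps above (not part of the
# original runbook). The pure functions take their input as arguments or
# stdin so they can be exercised without a live server; run_checks (an
# assumed driver, invoked with --run) applies them to the real paths.

# 0 if the file (following a symlink) is mode 600, the mode the runbook sets.
keytab_mode_ok() {
    [ "$(ls -ldL "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# 0 if the path is a symlink pointing at the expected target.
keytab_symlink_ok() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Read 'klist -k' output on stdin; 0 if SERVICE/FQDN@REALM is listed.
keytab_lists_principal() {
    awk -v p="$1/$2@$3" '$2 == p { found = 1 } END { exit !found }'
}

# 0 only for the fully qualified form afpserver/<fqdn>@<REALM>; the bare
# "afpserver" default that the runbook replaces is rejected.
afp_principal_is_qualified() {
    case "$1" in
        afpserver/*.*@[A-Z]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Driver for a real Leopard server; the default fqdn and realm are assumed values.
run_checks() {
    fqdn=${1:-newserver.lsa.umich.edu}; realm=${2:-UMICH.EDU}; rc=0
    keytab_symlink_ok /etc/krb5.keytab /Volumes/DataDisk/krb5.keytab \
        || { echo "FAIL: /etc/krb5.keytab is not a link to DataDisk"; rc=1; }
    keytab_mode_ok /etc/krb5.keytab \
        || { echo "FAIL: keytab is not mode 600"; rc=1; }
    for svc in host afpserver; do
        klist -k /etc/krb5.keytab | keytab_lists_principal "$svc" "$fqdn" "$realm" \
            || { echo "FAIL: no $svc/$fqdn@$realm in keytab"; rc=1; }
    done
    p=$(defaults read /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal)
    afp_principal_is_qualified "$p" \
        || { echo "FAIL: AFP kerberosPrincipal is '$p', not afpserver/$fqdn@$realm"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--run" ]; then run_checks "$2" "$3"; fi
```

Run it as root with `--run [fqdn] [realm]` after the "Set up Kerberos" and AFP steps; any FAIL line means one of those steps was undone (for example by the OD master/replica setup) and should be redone.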