Configuring a PANTHER server as an LSA OSX Install Server

Set up and do account replication
---------------------------------
- You'll also need to be logged in as 'macroot' on the server in order to copy the
  files over, since your account doesn't exist yet on the new server and the script
  assumes the same user on both hosts:

    ssh macroot@NEWSERVER.lsa.umich.edu
    mkdir /private/var/tmp/acct-rep
    sudo mkdir /usr/local/bin
    sudo scp `whoami`@lsa-swl2.lsa.umich.edu:/usr/local/bin/acct-rep-in /usr/local/bin/

  Perform an account replication (must do it as macroot):

    ssh macroot@serval.lsa.umich.edu
    sudo vi /usr/local/bin/acct-rep-out
    sudo /usr/local/bin/acct-rep-out
    exit    # from serval

  Back on the new server:

    sudo /usr/local/bin/acct-rep-in

- Make a home directory for yourself:

    sudo mkdir /Users/yourUsername
    sudo chown yourUsername /Users/yourUsername

  Logout and login as yourself.

Install rsyncx
--------------
(The following shows a command-line method - you could also do this through a GUI
with the rsyncx pkg from the console, pretending to be at the console using ARD, or
using ARD's pkg install feature.)

    cd /tmp
    scp lsa-swl2.lsa.umich.edu:/Volumes/macswd/OSX-NetInstall-Packages/Complete/PRODUCTION/r/RsyncX_v2.1.tgz .
    tar -xf RsyncX_v2.1.tgz
    sudo installer -pkg RsyncX_v2.1.pkg -target /

Sync files over
---------------
    sudo mkdir /Library/NetBoot
    sudo mkdir /Library/NetBoot/NetBootSP0

(See the rsync-commands.txt document for all the commands to run.)

Configure the server
--------------------
Run Workgroup Manager:
  Click the 'Sharing' icon to define the file shares.
  Delete all existing shares (Groups, Public, Users)
    (select each SharePoint, then uncheck the "Share this directory" checkbox).
  Create two share points for the following:
    DataDisk->Install->Group->Generic
    DataDisk->Install->LSA
  With the following properties:
    General:
      Share this item and its contents
      Owner:    root            Read & Write
      Group:    lsa-installers  Read Only
      Everyone:                 None
      Click the "Save" button at the bottom.
      If a warning about the execute bit comes up, just ignore it (Don't fix)...
    Protocols:
      Apple File Settings:
        Share this item using AFP
        UNCHECK "Allow AFP guest access"
      Windows File Settings, and FTP, and NFS:
        UNCHECK "Share this item using ..."
        UNCHECK "Allow ... guest access"
      Click the "Save" button at the bottom.
      If a warning about the execute bit comes up, just ignore it (Don't fix)...
    Network Mount:
      Ensure that "Automount this item to clients in domain" is unchecked.

Run Server Admin:
  Connect to the server you're setting up.
  Select 'AFP' in the left column.
  Click Settings.
    General:
      UNCHECK Enable Rendezvous registration
      UNCHECK Enable browsing with AppleTalk
    Access:
      UNCHECK Enable Guest access
      Leave 'Enable secure connections' and 'Enable admin to masquerade...' checked.
    Logging:
      CHECK 'Enable access Log'
      CHECK 'Error Log->Archive every 7 days'
  Click the 'Start Service' button at the top to start AFP.

From a terminal on the server, run:

    sudo serveradmin settings afp:noNetworkUsers = yes

This solves the problem with permissions mapping on fileshares when both the client
and server computer use the same UIDs but don't share a common directory for users
and groups.
Configure the firewall:
-----------------------
Run Server Admin and connect to the server you're setting up.
  Click 'Firewall' in the left column.
  Select the settings pane.
  Click the '+' to add a new IP Address group:
    IP Address Group Name: LSA Networks
    Addresses in group:    click '+' to add "141.211.0.0/16"
                           select 'any' and click the '-' to delete it
  Back in the main firewall settings window:
    Select 'LSA Networks' in the left column and click the following 'Allow' checkboxes:
      ICMP Echo Reply
      Secure Shell (SSH) [22]
      Server Admin SSL, also Web-ASIP [311]
      Apple File Service [548]
      Remote Directory Access [625]
      Server Admin via Server Admin App [687]
      NFS file service [2049]
      Apple Remote Desktop [3283]
    Click 'Save'.
    Select 'any' in the left column and UNselect all of the 'Allow' checkboxes.
    Verify that for any other IP groups (10-net, 192.168-net) nothing is allowed.
    In the 'Advanced' tab, be sure that the first 'deny - any - any in' is enabled.
    In the 'Advanced' tab, be sure that the LAST 'deny - any - any in' is UNCHECKED.
    In the 'Advanced' tab, be sure that 'allow - any - any via lo0' is enabled.
    Click 'Save' again.
  Click the 'Start Service' button at the top to start the firewall.

Configure NetBoot
-----------------
Run 'Server Admin'.
  Select 'NetBoot' in the left column.
  Select 'Settings' in the main window.
  In the 'General' tab:
    In the top half, check the box to Enable Built-in Ethernet.
    In the bottom half, check the boxes corresponding to 'Images' & 'Client Data' on 'OSDisk'.
    Click 'Save'.
  In the 'Images' tab:
    Be sure you see 'LSA OSX Install v#' and it's set to:
      Default (if a college-wide server)
      Enable
      Protocol=NFS
  Click 'Start Service'.
    (You'll see a warning about some services not being enabled; this is because the
    Web service isn't running [and won't be] - just ignore it and continue.)

IMPORTANT NOTE: Theoretically, once you've enabled NetBoot on the server, it should
automatically create a sharepoint for /Library/Netboot/NetbootSP0 in AFP and also for NFS.
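The firewall section above is a list of checkboxes, which makes it hard to answer "what can a host on net X actually reach?" before the rules are clicked in. The script below is an added example (not part of this runbook, and not Apple's Server Admin or ipfw code): it models the intended rule set with first-match evaluation, the way ipfw applies rules, using only the 'LSA Networks' range, the listed service ports and the loopback/deny rules given above. The Rule fields, the function names and the sample source addresses are this example's own.

```python
"""Model of the install-server firewall policy from the runbook, so the intended
rule set can be queried before (or after) it is clicked into Server Admin.

Added example: not the runbook's code and not Apple's Server Admin or ipfw.  Rules
are evaluated first-match, as ipfw does on Panther; only the groups, ports and
networks the runbook lists are reproduced.  The Rule fields are this example's own."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LSA_NETWORK = ipaddress.ip_network("141.211.0.0/16")   # the 'LSA Networks' group

# TCP services the runbook allows from LSA Networks, by destination port.
LSA_ALLOWED_TCP = {
    22: "Secure Shell (SSH)",
    311: "Server Admin SSL / Web-ASIP",
    548: "Apple File Service",
    625: "Remote Directory Access",
    687: "Server Admin via Server Admin App",
    2049: "NFS file service",
    3283: "Apple Remote Desktop",
}
ICMP_ECHO_REPLY = 0   # ICMP type number; echo request (type 8) stays blocked


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "deny"
    proto: str = "any"                            # "tcp", "icmp" or "any"
    src: Optional[ipaddress.IPv4Network] = None   # None = any source
    port: Optional[int] = None                    # TCP dst port, or ICMP type; None = any
    via: Optional[str] = None                     # interface; None = any interface


def rule_matches(rule: Rule, src_ip, proto: str, port, iface: str) -> bool:
    """True when every constrained field of the rule matches the packet."""
    if rule.via is not None and rule.via != iface:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.src is not None and src_ip not in rule.src:
        return False
    if rule.port is not None and rule.port != port:
        return False
    return True


def build_policy() -> List[Rule]:
    """The rule order the runbook asks for: loopback open, LSA Networks limited to
    the listed services, nothing allowed for the 'any' group, then deny everything."""
    rules = [Rule("allow", via="lo0")]            # 'allow - any - any via lo0'
    rules.append(Rule("allow", proto="icmp", src=LSA_NETWORK, port=ICMP_ECHO_REPLY))
    for tcp_port in sorted(LSA_ALLOWED_TCP):
        rules.append(Rule("allow", proto="tcp", src=LSA_NETWORK, port=tcp_port))
    rules.append(Rule("deny"))                    # 'deny - any - any in'
    return rules


def decide(rules: List[Rule], src_ip: str, proto: str = "tcp",
           port: Optional[int] = None, iface: str = "en0") -> str:
    """First matching rule wins; with no match at all the default is deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule_matches(rule, ip, proto, port, iface):
            return rule.action
    return "deny"


def exposed_tcp_ports(rules: List[Rule], src_ip: str, candidates) -> List[int]:
    """Which of the candidate TCP ports a host at src_ip can reach on en0."""
    return [p for p in candidates if decide(rules, src_ip, "tcp", p) == "allow"]


if __name__ == "__main__":
    policy = build_policy()
    # Constructed sample sources: one inside LSA Networks, two on private nets.
    for src in ("141.211.5.7", "10.0.0.5", "192.168.1.9"):
        print(src, exposed_tcp_ports(policy, src, range(1, 4000)))
```

Running it should list exactly the seven service ports for the 141.211 address and nothing for the 10-net and 192.168-net addresses; if a real-world `nmap`-style sweep of the finished server disagrees with this model, one of the 'Allow' checkboxes or the 'Advanced' rules is not set as the runbook describes.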
After a few minutes, the NFS service should start on its own. If it doesn't, you may
want to just reboot the server and it should pick it up.

Verify Everything
-----------------
It's possible that enabling some of the services mentioned above may re-enable some
share points or preferences. It may be a good idea to double-check everything in the
AFP & Share preferences (particularly whether Guest access has been re-enabled).

Set up Kerberos
---------------
Install the Kerberos.pkg file from Packages Complete (or just copy over
/Library/Preferences/edu.mit.Kerberos from a recently built machine).

Create and install the keytab on each machine:
(You must be a kerberos admin to do this.)

Run "kadmin -p admUSERNAME/admin" from a machine that can run kadmin (although OSX
has kadmin, it is currently incompatible with our kerberos setup - use a solaris
machine, such as 'mozi'):

    kadmin: addprinc -randkey host/fully.qualified.host.name
    kadmin: addprinc -randkey afpserver/fully.qualified.host.name
    kadmin: ktadd -k /path/to/new/keytab/file host/fully.qualified.host.name
    kadmin: ktadd -k /path/to/new/keytab/file afpserver/fully.qualified.host.name
    kadmin: quit

From the new machine:

    sudo scp `whoami`@mozi:/path/to/new/keytab/file /etc/krb5.keytab
    sudo chown root:wheel /etc/krb5.keytab
    sudo chmod 600 /etc/krb5.keytab
    sudo vi /Library/Preferences/com.apple.AppleFileServer.plist
      (search for and change the "kerberosPrincipal" from "afpserver" to
      "afpserver/fully.qualified.host.name@KERBEROS.REALM")

In the Server Admin utility, under AFP->Settings->Access, set Authentication to
"Any Method" and [Stop and] Start the service.

For testing it, from your desktop machine, get an LSA.UMICH.EDU kerberos ticket, then
try "ssh newhostname" and it should connect without asking for your password. You can
also try doing a "Connect To Server" from the Finder to initiate an AFP connection,
and that should go through without asking for your password.
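The "Verify Everything" and Kerberos sections above describe two things that are easy to get subtly wrong and that a working ssh login will not reveal: the keytab permissions (a keytab readable by anyone hands out the host's long-term keys) and the AFP principal string, which must be the fully-qualified "afpserver/host@REALM" form rather than the bare "afpserver". The script below is an added example, not part of this runbook or of Apple's AFP server: it checks /etc/krb5.keytab for root:wheel mode 0600 and parses com.apple.AppleFileServer.plist for the kerberosPrincipal key. The sample plist embedded in it is constructed, the hostname newserver.lsa.umich.edu in it is made up, the guestAccess key it also inspects is assumed to be the plist form of the "Enable Guest access" checkbox, and the scratch-file helper exists only so the permission check can be exercised without root.

```python
"""Post-install check for the Kerberos/AFP steps: keytab must be root:wheel 0600 and
com.apple.AppleFileServer.plist must name the fully-qualified afpserver principal.

Added example, not the runbook's own code.  Paths default to the ones the runbook
uses; the sample plist below is constructed and its hostname is made up; the
guestAccess key is assumed to mirror the 'Enable Guest access' checkbox."""

import os
import plistlib
import re
import stat
import tempfile
from typing import List, Optional, Tuple

KEYTAB = "/etc/krb5.keytab"
AFP_PLIST = "/Library/Preferences/com.apple.AppleFileServer.plist"

# afpserver/<fqdn>@<REALM>: host must contain at least one dot, realm upper-case.
PRINCIPAL_RE = re.compile(r"^afpserver/([a-z0-9-]+\.)+[a-z0-9-]+@[A-Z0-9.-]+$")


def keytab_problems(path: str = KEYTAB, expect_uid: int = 0, expect_gid: int = 0) -> List[str]:
    """Return a list of findings for the keytab; empty means it looks right."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append(f"{path}: mode {mode:04o}, expected 0600")
    if st.st_uid != expect_uid or st.st_gid != expect_gid:
        problems.append(f"{path}: owner {st.st_uid}:{st.st_gid}, "
                        f"expected {expect_uid}:{expect_gid}")
    if st.st_size == 0:
        problems.append(f"{path}: empty keytab")
    return problems


def afp_plist_problems(plist_bytes: bytes, expected_host: Optional[str] = None) -> List[str]:
    """Check kerberosPrincipal (and guestAccess) in raw AppleFileServer plist bytes."""
    try:
        conf = plistlib.loads(plist_bytes)
    except Exception as exc:                       # malformed XML, wrong type, etc.
        return [f"plist unreadable: {exc}"]
    problems = []
    principal = conf.get("kerberosPrincipal")
    if principal is None:
        problems.append("kerberosPrincipal key missing")
    elif principal == "afpserver":
        problems.append("kerberosPrincipal is the bare 'afpserver'; needs host and realm")
    elif not PRINCIPAL_RE.match(principal):
        problems.append(f"kerberosPrincipal {principal!r} is not afpserver/<fqdn>@<REALM>")
    elif expected_host is not None:
        host = principal.split("/", 1)[1].split("@", 1)[0]
        if host != expected_host:
            problems.append(f"kerberosPrincipal names {host}, expected {expected_host}")
    # Assumed key: the 'Enable Guest access' checkbox as stored in the plist.
    if conf.get("guestAccess") is True:
        problems.append("guestAccess is enabled; runbook says guest access must be off")
    return problems


def check_afp_plist(path: str = AFP_PLIST, expected_host: Optional[str] = None) -> List[str]:
    with open(path, "rb") as fh:
        return afp_plist_problems(fh.read(), expected_host)


# Constructed sample, as the runbook's vi edit would leave the plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>kerberosPrincipal</key>
  <string>afpserver/newserver.lsa.umich.edu@LSA.UMICH.EDU</string>
  <key>guestAccess</key>
  <false/>
</dict>
</plist>
"""


def scratch_keytab_results() -> Tuple[List[str], List[str]]:
    """Exercise keytab_problems() on a scratch file owned by the current user:
    first with the correct mode, then with a world-readable one."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "krb5.keytab")
        with open(path, "wb") as fh:
            fh.write(b"\x05\x02")                  # version-2 keytab header bytes
        os.chmod(path, 0o600)
        good = keytab_problems(path, os.getuid(), os.getgid())
        os.chmod(path, 0o644)
        bad = keytab_problems(path, os.getuid(), os.getgid())
    return good, bad


if __name__ == "__main__":
    print("sample plist:", afp_plist_problems(SAMPLE_PLIST) or "ok")
    print("scratch keytab:", scratch_keytab_results())
    for finding in keytab_problems() + (check_afp_plist() if os.path.exists(AFP_PLIST) else []):
        print("FINDING:", finding)
```

Run it as root on the finished server; an empty finding list for both checks is what the runbook's chown/chmod and plist edit should produce. If ssh works with a ticket but "Connect To Server" still prompts for a password, the principal finding is the first place to look.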