Configuring a TIGER server as an LSA OSX Install Server

Configure server to connect to UMOD LDAP
----------------------------------------
Do NOT add Kerberos_PAM-KFM.pkg (the LDAP config will do passthrough kerberos)

#Set up and do account replication
#---------------------------------
# - you'll also need to be logged in as 'macroot' on server in order
#   to copy the files over since your account doesn't exist yet on the
#   new server and the script assumes the same user on both hosts
#ssh macroot@NEWSERVER.lsa.umich.edu
#mkdir /private/var/tmp/acct-rep
#chmod 777 /private/var/tmp/acct-rep
#####
sudo mkdir /Volumes/DataDisk/local-bin
#sudo mkdir /usr/local
#sudo ln -s /Volumes/DataDisk/local-bin /usr/local/bin
#####
sudo scp `whoami`@lsa-swl2.lsa.umich.edu:/usr/local/bin/acct-rep-in /usr/local/bin/

#Perform an account replication (must do it as macroot):
#ssh macroot@serval.lsa.umich.edu
#sudo vi /usr/local/bin/acct-rep-out
#sudo /usr/local/bin/acct-rep-out
#exit                     # from serval
# back on the new server:
#sudo /usr/local/bin/acct-rep-in
# - Make a home directory for yourself
#sudo mkdir /Users/yourUsername
#sudo chown yourUsername /Users/yourUsername

Logout and login as yourself

Configure the firewall:
-----------------------
Run Server Admin and connect to the server you're setting up.
Click 'Firewall' in the left column
Select the settings pane
Click the '+' to add a new IP Address group
    IP Address Group Name: LSA Networks
    Addresses in group:    click '+' to add "141.211.0.0/16"
                           select 'any' and click the '-' to delete it
    IP Address Group Name: Administrative Nets
    Addresses in group:    141.211.67.0/24
                           141.211.211.40 (for ARD task server)
Back in the main firewall settings window:
Click on the Services tab.
Allow only traffic for "Any Network" on these ports:
    TCP (established)
    UDP outbound and responses
    TCP (outgoing)
Allow only traffic for "LSA Networks" on these ports:
    ICMP - all messages
    SSH - Secure Shell [22]
    DHCP and NetBoot server [67]
    TFTP - Trivial FTP [69]
    RPC - Remote Procedure Call (rpcbind) [111]
    Apple File Service [548]
    NFS file service [2049]
    Netboot Mystery Ports [989,1014] (you'll have to add these)
    [Add a new rule for Software Update Local Service [TCP 8088] if this is
     going to be a software update server]
Allow only traffic for "Administrative Nets" on these ports:
    Server Admin SSL, also Web-ASIP [311]
    Remote Directory Access [625]
    Server Admin via Server Admin App [687]
    ARD 2.0 [3283,5900]
Click 'Save'
Select 'any' in the "Edit Services for:" menu and UNselect all of the 'Allow' checkboxes EXCEPT:
    # (don't select any of the below - left there just in case)
    #TCP outgoing
    #TCP established
    #UDP fragments
    #UDP outbound and responses
Verify that nothing is allowed for any other IP groups (10-net, 192.168-net).
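The rule set above can be re-checked from a shell on the server once it is saved, since the Server Admin firewall on Tiger is a front end for ipfw. The script below is an added example and not part of this runbook: it parses an `ipfw list` dump and reports any Administrative-Nets port ([311], [625], [687], [3283], [5900]) that is reachable from anywhere other than 141.211.67.0/24 or 141.211.211.40, and any LSA-Networks port that has been opened to 'any'. The embedded rule text is a constructed sample in the "NNNNN allow proto from SRC to DST dst-port P" form; the parser assumes that keyword form, and the `AUDIT_LIVE` switch and function names are mine.

```shell
#!/bin/sh
# Added audit for the firewall policy above (not part of the original runbook).
# Policy values (ports, nets) are the ones the runbook lists; the rule dump is a
# constructed sample in the "NNNNN allow proto from SRC to DST dst-port P" form
# that `ipfw list` prints for rules with a destination port.

ADMIN_NETS="141.211.67.0/24 141.211.211.40"
ADMIN_PORTS="311 625 687 3283 5900"
LSA_PORTS="22 67 69 111 548 2049 989 1014"

# Constructed sample; rule 03040 deliberately violates the policy.
SAMPLE_RULES='01000 allow tcp from any to any established
01010 allow tcp from any to any out
01020 allow udp from any to any out keep-state
02000 allow icmp from 141.211.0.0/16 to any
02010 allow tcp from 141.211.0.0/16 to any dst-port 22
02020 allow tcp from 141.211.0.0/16 to any dst-port 548
03000 allow tcp from 141.211.67.0/24 to any dst-port 311
03010 allow tcp from 141.211.211.40 to any dst-port 311
03020 allow tcp from 141.211.67.0/24 to any dst-port 625
03030 allow tcp from 141.211.67.0/24 to any dst-port 687
03040 allow tcp from any to any dst-port 3283
03050 allow tcp from 141.211.67.0/24 to any dst-port 5900
65535 deny ip from any to any'

# Print the source of every allow rule whose dst-port is $2 ($1 = rule text).
allow_sources_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 == "allow" {
            for (i = 1; i <= NF; i++)
                if ($i == "dst-port" && $(i + 1) == port) print $5
        }'
}

# Return 0 if every admin port is reachable only from ADMIN_NETS, else 1
# (with one line per offending rule).
audit_admin_ports() {
    rc=0
    for port in $ADMIN_PORTS; do
        for src in $(allow_sources_for_port "$1" "$port"); do
            ok=0
            for net in $ADMIN_NETS; do
                [ "$src" = "$net" ] && ok=1
            done
            if [ "$ok" -eq 0 ]; then
                echo "port $port allowed from $src (policy: only $ADMIN_NETS)"
                rc=1
            fi
        done
    done
    return $rc
}

# Return 0 if no LSA-only port is open to "any", else 1.
audit_lsa_ports() {
    rc=0
    for port in $LSA_PORTS; do
        for src in $(allow_sources_for_port "$1" "$port"); do
            if [ "$src" = "any" ]; then
                echo "port $port allowed from any (policy: LSA Networks only)"
                rc=1
            fi
        done
    done
    return $rc
}

# Default run uses the sample; AUDIT_LIVE=1 audits the server's live rule set.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    RULES=$(ipfw list)
else
    RULES=$SAMPLE_RULES
fi
if audit_admin_ports "$RULES" && audit_lsa_ports "$RULES"; then
    echo "firewall rules match the runbook policy"
else
    echo "policy violations found"
fi
```

Run it as `sudo AUDIT_LIVE=1 sh fw-audit.sh` on the new server after clicking 'Start Service'; without the variable it runs against the sample and flags rule 03040, which opens ARD to every network.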
In the 'Advanced' tab, check the box to Enable Stealth Mode for TCP
Click 'Save' again
Click the 'Start Service' button at the top to start the firewall

Configure Service ACLs
----------------------
In 'Server Admin', click on the hostname of the server in the left pane
Click the 'Settings' tab at the bottom
Click the 'Access' tab at the top
Uncheck 'Use same access for all services'
Select 'Login Window', and 'Allow only users and groups' of group 'Admin'
Select 'SSH', and 'Allow only users and groups' of group 'Admin'

Sync files over
---------------
sudo mkdir -p /Volumes/DataDisk/Library/NetBoot/NetBootSP0
(see the rsync-commands.txt document for all the commands to run)

For syncing over the Group directory, you may have to tar it up on a known server first using:
    cd /Volumes/DataDisk/Install/
    sudo tar -cpf Group.tar Group
    scp Group.tar newserver.lsa.umich.edu:/tmp
    rm Group.tar
...and on the new server:
    cd /Volumes/DataDisk/Install
    sudo tar -xpf /tmp/Group.tar
    rm /tmp/Group.tar

Set up Kerberos
---------------
Install the Kerberos.pkg file from Packages Complete
(or just copy over /Library/Preferences/edu.mit.Kerberos from a recently built machine)

Create and install the keytab on each machine:
(You must be a kerberos admin to do this)
Run "kadmin -p admUSERNAME/admin" from a machine that can run kadmin
(although OSX has kadmin, it is currently incompatible with our kerberos setup - use a solaris machine, such as 'mozi')
    kadmin: addprinc -randkey host/fully.qualified.host.name
    kadmin: addprinc -randkey afpserver/fully.qualified.host.name
    kadmin: ktadd -k /path/to/new/keytab/file host/fully.qualified.host.name
    kadmin: ktadd -k /path/to/new/keytab/file afpserver/fully.qualified.host.name
    kadmin: quit
From the new machine:
    sudo scp `whoami`@mozi:/path/to/new/keytab/file /etc/krb5.keytab
    sudo chown root:wheel /etc/krb5.keytab
    sudo chmod 600 /etc/krb5.keytab
    sudo vi /Library/Preferences/com.apple.AppleFileServer.plist
    (search for and change the "kerberosPrincipal" from "afpserver"
     to "afpserver/fully.qualified.host.name@KERBEROS.REALM")
SHORTCUT:
    defaults write /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal afpserver/fully.qualified.host.name@UMICH.EDU

Create the AFP shares for SNI
-----------------------------
Create this script and run it
(or copy it from lsa-swl2.lsa.umich.edu:/usr/local/bin/make-group-shares)

######### BEGIN SCRIPT
#!/bin/sh
# Must run as root: `sharing` changes the server's share-point configuration
if [ `whoami` != "root" ] ; then
    echo "You must use sudo to run this program"
    exit 1
fi

# Share the college-wide LSA install directory: AFP only (-s 100),
# no guest access (-g 000), no inherited permissions (-i 00)
sharing -a "/Volumes/DataDisk/Install/LSA" -s 100 -g 000 -i 00

# One share point per group directory; the glob (rather than `ls`)
# keeps directory names containing spaces intact
cd /Volumes/DataDisk/Install/Group || exit 1
for installgroup in * ; do
    if [ -d "$installgroup" ] ; then
        echo "Creating sharepoint for $installgroup"
        sharing -a "/Volumes/DataDisk/Install/Group/$installgroup" -s 100 -g 000 -i 00
    fi
done
######## END OF SCRIPT

Run Workgroup Manager:
    Click the 'Sharing' icon to define the file shares
    Delete all existing shares (Groups, Public, Users)
    (select each SharePoint, then uncheck the "Share this directory" checkbox)

Run Server Admin:
    Connect to the server you're setting up.
    Select 'AFP' in the left column
    Click Settings
    General:
        UNCHECK Enable Rendezvous registration
        UNCHECK Enable browsing with AppleTalk
    Access:
        Authentication = Kerberos
        UNCHECK Enable Guest access
        leave 'Enable secure connections' and 'Enable admin to masquerade...' checked
    Logging:
        CHECK 'Enable access Log'
        CHECK 'Error Log->Archive every 7 days'
    Click the 'Start Service' button at the top to start AFP

Configure NetBoot
-----------------
Run 'Server Admin'
Select 'NetBoot' in the left column
Select 'Settings' in the main window
In the 'General' tab:
    In the top half, check the box to Enable Built-in Ethernet
    In the bottom half, check the boxes corresponding to 'Images' & 'Client Data' on 'DataDisk'
    Click 'Save'
In the 'Images' tab:
    Be sure you see 'LSA OSX Install v#' and it's set to:
        Default (if a college-wide server)
        Enable
        Protocol=NFS
Click 'Start Service'
(you'll see a warning about some services not being enabled; this is because the
 Web service isn't running [and won't be] - just ignore it and continue)

IMPORTANT NOTE: Theoretically, once you've enabled NetBoot on the server, it should
automatically create a sharepoint for /Volumes/DataDisk/Library/Netboot/NetbootSP0
in AFP and also for NFS. After a few minutes, the NFS service should start on its
own. If it doesn't, you may want to just reboot the server and it should pick it up.

Verify Everything
-----------------
It's possible that enabling some of the services mentioned above may re-enable some
share points or preferences. It may be a good idea to double-check everything in the
AFP & Share preferences (particularly if Guest access has been re-enabled).
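The double-check can be scripted so it is repeatable after every service restart. The script below is an added example, not part of this runbook or of Apple's tools: it reads the AFP preferences with `defaults read`, lists share points with `sharing -l`, and checks the keytab mode, then reports guest access left on anywhere, a kerberosPrincipal that does not name this host, and a keytab that is not mode 600. The preference key names `guestAccess` and `kerberosPrincipal`, the `sharing -l` layout sketched in the sample, and the realm UMICH.EDU (taken from the shortcut in the Kerberos section) are assumptions; the embedded preference and share text is constructed.

```shell
#!/bin/sh
# Added post-build check for the "Verify Everything" step (not from the runbook).
# Assumptions: AFP preference keys `guestAccess` and `kerberosPrincipal` as
# shown by `defaults read`, the `sharing -l` layout sketched in SAMPLE_SHARES,
# and the realm UMICH.EDU used by the kerberosPrincipal shortcut above.

# Constructed sample of `defaults read /Library/Preferences/com.apple.AppleFileServer`
SAMPLE_AFP_PREFS='{
    activityLog = 1;
    guestAccess = 0;
    kerberosPrincipal = "afpserver/newserver.lsa.umich.edu@UMICH.EDU";
}'

# Constructed sample of `sharing -l`; "Public" is a leftover default share
# with guest access still on, which the runbook says to delete.
SAMPLE_SHARES='List of Share Points
name:   LSA
path:   /Volumes/DataDisk/Install/LSA
    afp: {
        name:   LSA
        shared: 1
        guest access:   0
    }
name:   Public
path:   /Users/Shared/Public
    afp: {
        name:   Public
        shared: 1
        guest access:   1
    }'

# Print the value of key $2 from `defaults read` output in $1 (empty if absent).
pref_value() {
    printf '%s\n' "$1" | awk -v key="$2" -F' = ' '
        $1 ~ ("^[ \t]*" key "$") { v = $2; sub(/;$/, "", v); gsub(/"/, "", v); print v }'
}

afp_guest_disabled() {          # $1 = prefs text
    [ "$(pref_value "$1" guestAccess)" = "0" ]
}

afp_principal_ok() {            # $1 = prefs text, $2 = this host's FQDN
    [ "$(pref_value "$1" kerberosPrincipal)" = "afpserver/$2@UMICH.EDU" ]
}

# Print the name of each share point whose AFP block has guest access on.
guest_shares() {                # $1 = `sharing -l` text
    printf '%s\n' "$1" | awk '
        $1 == "name:" && !inblock { cur = $2 }
        $1 == "afp:"              { inblock = 1 }
        $1 == "}"                 { inblock = 0 }
        inblock && $1 == "guest" && $2 == "access:" && $3 == "1" { print cur }'
}

# The keytab must be mode 600 (runbook: chown root:wheel; chmod 600).
keytab_mode_ok() {              # $1 = keytab path
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Default run uses the samples; AUDIT_LIVE=1 reads the live server state.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    PREFS=$(defaults read /Library/Preferences/com.apple.AppleFileServer)
    SHARES=$(sharing -l)
    FQDN=$(hostname)
    KEYTAB=/etc/krb5.keytab
else
    PREFS=$SAMPLE_AFP_PREFS
    SHARES=$SAMPLE_SHARES
    FQDN=newserver.lsa.umich.edu
    KEYTAB=""
fi

problems=0
afp_guest_disabled "$PREFS" || { echo "AFP guest access is enabled"; problems=1; }
afp_principal_ok "$PREFS" "$FQDN" || { echo "kerberosPrincipal is not afpserver/$FQDN@UMICH.EDU"; problems=1; }
for s in $(guest_shares "$SHARES"); do
    echo "share point '$s' still allows guest access"; problems=1
done
if [ -n "$KEYTAB" ] && ! keytab_mode_ok "$KEYTAB"; then
    echo "$KEYTAB is not mode 600"; problems=1
fi
if [ "$problems" -eq 0 ]; then
    echo "AFP settings match the runbook"
else
    echo "re-check the items listed above"
fi
```

Run as `sudo AUDIT_LIVE=1 sh afp-check.sh` after starting AFP and NetBoot; on the constructed sample it reports the leftover 'Public' share, which is exactly the kind of re-enabled share point the note above warns about.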