Forum Replies Created

Viewing 15 posts - 1 through 15 (of 16 total)
  • in reply to: Copy folder based on group membership #370144
    PhillyMJS
    Participant

    Assuming you’ve got Open Directory going, you’d do something like this to get a list of users in the group ‘mygroup’:
    [code]dscl /LDAPv3/127.0.0.1 -read /Groups/mygroup GroupMembership[/code]
    You’ll get output like this:
    [code]GroupMembership: user1 user2 user3 user4[/code]
    So you’d just need to parse that output to get the individual usernames and do an mv on each username to plunk their user folder into the correct new location.

    HTH,

    ~Philly
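The procedure above, carried through as an added example (this is not code from the original post): parse the `GroupMembership:` line, accept only plain account names, and move each member's folder only if it exists. The `dscl` line is constructed here so the script runs offline; the old/new root paths and the group name `mygroup` are assumptions.

```shell
#!/bin/sh
# Added example: relocate home folders for members of an Open Directory group.
# The GroupMembership line below is constructed; on a real server it comes from
#   dscl /LDAPv3/127.0.0.1 -read /Groups/mygroup GroupMembership

# Extract the usernames from a "GroupMembership: user1 user2 ..." line.
parse_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p'
}

# Accept only plain account names. A name carrying "/" or ".." would let a
# malformed directory entry steer mv outside the expected tree.
valid_username() {
    case "$1" in
        ""|*/*|..|.) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Move $src_root/<user> to $dst_root/<user> for each member, skipping names
# that fail validation or have no folder. Prints the number of folders moved.
move_member_homes() {
    members=$1; src_root=$2; dst_root=$3
    moved=0
    for u in $members; do
        if ! valid_username "$u"; then
            echo "skip: invalid name '$u'" >&2
            continue
        fi
        if [ ! -d "$src_root/$u" ]; then
            echo "skip: no folder for $u" >&2
            continue
        fi
        mv "$src_root/$u" "$dst_root/$u" && moved=$((moved + 1))
    done
    echo "$moved"
}

# Demo on a throwaway directory tree: two real members, one bogus entry,
# one member without a folder. Prints how many folders were moved.
demo_move_homes() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/old/user1" "$tmp/old/user2" "$tmp/old/user3" "$tmp/new"
    line='GroupMembership: user1 user2 ../etc user4'   # constructed dscl output
    members=$(parse_members "$line")
    move_member_homes "$members" "$tmp/old" "$tmp/new" 2>/dev/null
    rm -rf "$tmp"
}

demo_move_homes
```

Run it as root once the paths point at the real home folder roots; the validation step matters because `mv` will happily follow whatever name the directory hands back.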

    in reply to: PPTP issues after Tiger Upgrade #369168
    PhillyMJS
    Participant

    Did you set Workgroup Manager to show all the system users and groups, and verify that there was already a VPN key user present in your LDAP directory?

    You might want to do that, delete it if there is one, and then recreate it per the tech note– then reboot and take VPN for a spin again. It’s been a while since I had a similar issue, but I remember needing more than one try to get that key user account successfully created.

    ~Philly

    in reply to: How to harness UPS state change? #369159
    PhillyMJS
    Participant

    Well, I have a tentative solution– now I need a fresh set of eyes to check out my work and maybe provide a nudge or two in the right direction. I also need to test and make sure this doesn’t interfere with the operation of the UPS and automatic shutdowns.

    I found a key in scutil that reports information about the UPS, including whether it’s running on AC power or battery. I then added to Kicker.xml, so it triggers a script when the UPS state changes.

    The addition to /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/Kicker.xml:
    ———-
    <dict>
    <key>execCommand</key>
    <string>/Library/Management/reportpowersourcechange.sh</string>
    <key>execUID</key>
    <integer>0</integer>
    <key>keys</key>
    <array>
    <string>State:/IOKit/PowerSources/UPS0</string>
    </array>
    <key>name</key>
    <string>Power Source State</string>
    </dict>
    ———-

    The triggered script, reportpowersourcechange.sh:
    ———-
    #!/bin/bash
    # Returns "AC" or "Battery" (the first word of the "Power Source State" value)
    currentpowersource=$(echo "show State:/IOKit/PowerSources/UPS0" | scutil | grep "Power Source State" | awk '{ print $5 }')

    # Compare the current power source with the one returned at last check, only act if it has changed
    if [ -f /Library/Management/lastpowersource ]
    then
    lastpowersource=$(cat /Library/Management/lastpowersource)
    else
    lastpowersource="AC"
    fi

    # If the power source has changed, log it.
    # (Both variables are quoted so an empty value cannot break the test.)
    if [ "$currentpowersource" != "$lastpowersource" ]
    then
    message="Power source is now running on $currentpowersource power."
    logger -p local0.notice -i -t UPS "$message"
    #add code to send an email notification here
    echo "$currentpowersource" > /Library/Management/lastpowersource
    fi
    ———-

    The log entries:
    ———-
    May 28 22:10:13 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:10:14 server UPS[312]: Power source is now running on Battery power.
    May 28 22:10:18 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:10:24 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:10:28 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:10:58 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:11:03 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:11:08 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:11:13 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:11:14 server UPS[369]: Power source is now running on AC power.
    May 28 22:11:18 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:11:23 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:11:33 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:11:43 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:12:03 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:12:33 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    May 28 22:13:28 server configd[60]: executing /Library/Management/reportpowersourcechange.sh
    ———-

    Assuming this doesn’t mess up the ability of the UPS to shut the machine down when needed, the only thing I have left to figure out is how do I get the thing to stop filling my logs? The kicker apparently reports *every* change in UPS information, which is not what I want. All the entries you see above are most likely due to changes in the charge level of the UPS battery, as it drained slightly when I unplugged it, and as it charged back to 100% after I reconnected it to AC power. If it drains all the way, the logs will have a ton of entries, and I’d like to avoid that. I don’t see a way to use Kicker to monitor only one value in a dictionary instead of all of them.
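The state comparison the script relies on, as an added example (not the original post's code): the power source is read by key name rather than by field position, and a run of identical readings produces exactly one "changed" result, which is what keeps the repeated Kicker invocations out of the log. The `scutil` dumps below are constructed from the key named in the post; the real layout should be checked against `scutil` on the server.

```shell
#!/bin/sh
# Added example: parse a scutil dictionary dump and act only on a real change.

# Constructed scutil output for the two states (assumed layout).
SAMPLE_BATTERY='<dictionary> {
  Power Source State : Battery Power
  Current Capacity : 97
}'
SAMPLE_AC='<dictionary> {
  Power Source State : AC Power
  Current Capacity : 100
}'

# Extract the first word of the "Power Source State" value ("AC" or "Battery"),
# matching on the key name instead of counting awk fields.
power_source_from_dump() {
    printf '%s\n' "$1" | sed -n 's/^ *Power Source State *: *//p' | head -n 1 | awk '{ print $1 }'
}

# Compare $1 with the value saved in state file $2. Prints "changed" and
# updates the file only when the value differs; otherwise prints "same".
# No state file yet counts as "AC", as in the post's script.
record_power_source() {
    current=$1; statefile=$2
    [ -n "$current" ] || { echo "error"; return 1; }
    if [ -f "$statefile" ]; then
        last=$(cat "$statefile")
    else
        last="AC"
    fi
    if [ "$current" != "$last" ]; then
        printf '%s\n' "$current" > "$statefile"
        echo "changed"
    else
        echo "same"
    fi
}

# Feed a sequence of readings (as Kicker would, one per dictionary change)
# and count how many would have produced a log line.
simulate_readings() {
    statefile=$(mktemp)
    rm -f "$statefile"            # start with no saved state, as on first run
    changes=0
    for dump in "$SAMPLE_BATTERY" "$SAMPLE_BATTERY" "$SAMPLE_BATTERY" "$SAMPLE_AC" "$SAMPLE_AC"; do
        src=$(power_source_from_dump "$dump")
        if [ "$(record_power_source "$src" "$statefile")" = "changed" ]; then
            changes=$((changes + 1))
        fi
    done
    rm -f "$statefile"
    echo "$changes"
}

echo "state changes logged: $(simulate_readings)"
```

Five invocations, two log entries: the capacity changes that trigger Kicker never reach `logger` because only the power source value is compared.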

    PhillyMJS
    Participant

    I may have found a solution to this problem. I was horsing around in Terminal and looked through /usr/share/swupd/html.

    I noticed the index.sucatalog files, and loaded one into my browser. No matter what I do, the updates are always listed with “myserver.mydomain.org” in the URL– the external name.

    I did a quick find and replace on the file via perl: "perl -i -pe 's/mydomain.org/mydomain.lan/g' index.sucatalog"

    Voila! The client machines now pull their software updates across my internal network, they don’t “go out and come back in” via the WAN connection. I have only done a couple updates, but the speed is much faster and there have been no ill effects. Having said that, YMMV– duplicate my efforts at your own risk. 🙂

    Note: I originally stopped the Software Update service before doing the find-replace, then restarted it. That was no good, the file was refreshed back to using mydomain.org as soon as I started the service again.

    I guess the way to force the behavior I want would be to grep ‘mydomain.org’ from the index.sucatalog file every so often, and run the find-replace one-liner when needed.

    Hopefully this is something that will be able to be set in Server Admin in a future version of OS X Server.

    ~Philly
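The periodic check-and-rewrite described above, as an added example (not the original post's command): the catalog is rewritten only when the external name is still present, a backup is kept, and the dots in the hostname are escaped so nothing else matches. The catalog lines are constructed; the catalog path and both domain names are the post's examples.

```shell
#!/bin/sh
# Added example: idempotent hostname rewrite for an index.sucatalog file.

# Print "rewritten" if $1 still carried hostname $2 and was changed to $3,
# or "unchanged" if nothing needed doing. A .bak copy is kept either way the
# rewrite happens, so a bad run can be reverted.
fix_catalog_host() {
    catalog=$1; external=$2; internal=$3
    if ! grep -Fq "$external" "$catalog"; then
        echo "unchanged"
        return 0
    fi
    cp "$catalog" "$catalog.bak"
    # Escape the dots so only the literal hostname is replaced.
    pattern=$(printf '%s' "$external" | sed 's/\./\\./g')
    sed "s/$pattern/$internal/g" "$catalog.bak" > "$catalog"
    echo "rewritten"
}

# Demo on a constructed two-line catalog: first run rewrites, second run
# finds nothing to do, and no external name remains.
demo_catalog_fix() {
    tmp=$(mktemp -d)
    cat > "$tmp/index.sucatalog" <<'EOF'
<string>http://myserver.mydomain.org:8088/content/catalogs/index.sucatalog</string>
<string>http://myserver.mydomain.org:8088/content/downloads/update.pkg</string>
EOF
    first=$(fix_catalog_host "$tmp/index.sucatalog" mydomain.org mydomain.lan)
    second=$(fix_catalog_host "$tmp/index.sucatalog" mydomain.org mydomain.lan)
    remaining=$(grep -Fc 'mydomain.org' "$tmp/index.sucatalog" || true)
    rm -rf "$tmp"
    echo "$first $second $remaining"
}

demo_catalog_fix
```

Because the service writes the file back with the external name whenever it restarts, this is the piece that would go in a periodic job (cron or launchd); the `.bak` copy is what to diff against if clients suddenly stop finding updates.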

    PhillyMJS
    Participant

    [QUOTE][u]Quote by: arekdreyer[/u][p]If you are pointing to your internal IP addresses for network home directory, you can’t sync when your not at home, right?[/p][/QUOTE]
    Correct.

    in reply to: Anyone Using Kerio Mail Server? #365601
    PhillyMJS
    Participant

    Just this past week, I put in a G5 running Tiger Server and Kerio MailServer at a client, with about 50 users. We migrated them from Windows SBS 2003. Kerio makes a connector so you can use Outlook on Windows clients and it looks and behaves virtually the same as when connecting to Exchange. They also have an Exchange Migration Utility that did a pretty good job of pulling the Exchange mailboxes over. The utility is still a beta and I did run into a few issues with it, but by and large the migration was a smashing success. KMS also works very well with the Exchange connectivity in Entourage 2004SP2. Tip: If you run Tiger Server on the same machine as KMS, Kerio’s LDAP service won’t run on the default port (389)– change it to use 3268, which is the default port for Microsoft’s Global Catalog Service (and the default LDAP port set in Entourage Exchange accounts), and that’s one less thing you’ll have to configure in Entourage.

    We set the client up on Open Directory, and it works great. You tell KMS to add a user, it asks you if you want to add one that’s ‘internal’ to Kerio or an account that already exists in Open Directory. If you choose Open Directory, it gives you a list of the users you can add, and boom, that’s it. They have an e-mail account. When they change their OD password, so changes the mail password. You can also publish their name into Kerio’s equivalent of the Exchange Global Address list with a couple extra mouse clicks.

    The webmail is gorgeous, and works equally well on Macs and Windows– it puts Outlook Web Access to shame. It also has WAP functionality, and works to a degree with Blackberry handhelds (though admittedly nowhere near as well as Exchange with Blackberry Enterprise Server).

    One thing I do not like about it is the decidedly inconsistent administration. Some things have to be set up in the webmail, some things in the admin utility, etc. It’s kind of all over the place that way. You also cannot add external users to a distribution group, which is a pain in the butt. Some user settings that I would like to be able to apply globally can’t be applied that way, it’s per-user only. But all in all, it is a good product.

    If you’re considering rolling this out somewhere, I highly recommend setting it up on a test machine with (if possible) an external IP and possibly a ‘throwaway’ domain name, so you can actually use it as a mailserver and test out configuration scenarios. Put it through its paces as much as you can during your 30-day demo– you’ll be glad for the experience later when you set things up for real. We even built an SBS box in my office and populated it with dummy data to test the Exchange migration.

    ~Philly

    in reply to: RAID on the cheap? #364195
    PhillyMJS
    Participant

    Thanks for your replies. I did a little more poking around and found a reasonably-priced SATA PCI card that does RAID-5, the RocketRAID 1810A (yes, they specifically mention Mac support). NewEgg has it for $169. I read the manuals, and I like what I saw.

    The absolute cheapest I can come up with is 3 Maxtor MaxLine III 250GB SATA drives in RAID-5 configuration, mounted in the server. Including cables and estimated shipping, it’d be under $520, for ~500GB of usable space with fault tolerance.

    I really like the idea of the external enclosure, though, and that ups the price by about another ~$275 at the minimum. I may just suck it up to save some cash now and go with a RAID-5 made from 3 300GB drives in the server. I can always transplant them later into an external enclosure (and maybe even add a fourth drive) if my storage needs increase.

    And yes, when I move to the new server I’m also upgrading my network infrastructure to use GigE. 🙂 I only have to plunk in a switch that supports it, everything else is already in place, or will be once I move to the new server.

    ~Philly

    in reply to: "Perfect" System for Creating Netboot Images? #364188
    PhillyMJS
    Participant

    The rule of thumb I use is to always create your image on the newest hardware you have, that way everything you’ve got is covered. When I get in a newer machine after that, I clone my existing image to it via FireWire target mode and then boot the new machine from the OS install disc it came with and upgrade the OS on it. Sometimes it’s necessary to do a clean OS install and fix some applications, but in most cases you’ll be fine.

    I worked that way in the OS 8 and 9 days, and haven’t had any problems with it yet in the OS X era.

    ~Philly

    PhillyMJS
    Participant

    [QUOTE BY= fherbert] On your OS X server VPN setup, did you enter the dns server and search domain in the “Client Information Tab” in the “Settings” section on the VPN server in Server Admin??[/QUOTE]

    Yes, I did. I used the local DNS (192.168.x.x) server running on the OS X box for the LAN, not the two upstream ones belonging to my ISP. Sometimes I still had problems, though, until I put the DNS and search domain info into the client-end PPTP network port configuration myself.

    Also, I got PPTP VPN working in WinXP with that LCP Extensions checkbox I mentioned previously enabled. Dunno why it wouldn’t work before.

    ~Philly

    PhillyMJS
    Participant

    I’m having a good day here– I think the three-day weekend cleared my mind. 🙂

    The VPN log kept showing something about LCP requests, or something like that, when the XP box would time out trying to connect. Just stooging around in the settings on the XP side of things, I found the culprit. Something called “Link Control Protocol” is enabled by default on XP, but it doesn’t seem to be supported (or at least enabled by default) by OS X Server.

    Open the Properties on your PPTP connection, select the “Networking” pane, click the “Settings” button under the “Type of VPN” popup, and uncheck the “Enable LCP Extensions” option.

    Again, I had to put the DNS and WINS server settings for the VPN LAN into the proper places on the Windows box before everything started behaving, but at least it works.

    Looks like my clients are going to need some detailed, screenshot-laden instructions to set up VPN connections on their home boxes.

    ~Philly

    PhillyMJS
    Participant

    I followed the instructions in the tech note over the weekend but still couldn’t get anything working.

    Now this morning, I tried from my office and after putting the internal IP address of the DNS server and the default domain in the PPTP network settings on the client (and fixing a stupid typo in the server’s DNS server settings), everything works. Very weird.

    Trying it from my office PC running XP doesn’t work, it gets as far as “verifying password” and then gives up and times out, even though I’m trying to establish a PPTP connection and have everything configured properly on the PC (AFAIK). Have to get that figured out, since the client where I’ll be using this needs dual-platform VPN access.

    I’ll nuke and rebuild my test server from scratch one night this week and see if I can at least duplicate my results on the Mac client side of things.

    Oh, and I still can’t get L2TP incoming connections with either platform. I never get past “Contacting VPN Server.” I’m not sure, but I don’t think simply enabling the L2TP checkbox in the firewall setup opens all the inbound ports L2TP needs. Anyone?

    ~Philly

    in reply to: com.dock.plist question #358923
    PhillyMJS
    Participant

    [QUOTE BY= mac_ash_cia]When that new user logs in for the first time where is it getting the dock data from?[/QUOTE]

    /System/Library/User Template/English.lproj/Library/Preferences/

    ~Philly

    in reply to: 2 NICs, 2 internet connections, can only serve through 1? #358921
    PhillyMJS
    Participant

    Dumb question, but have you gone into the router and correctly mapped the incoming ports to the second NIC?

    Also, have you tried taking the router out of the mix and just setting up your DSL-using interface with the Mac’s built-in PPPoE, just to see if that works?

    Are you certain the incoming traffic isn’t being blocked by the ISP due to a “no servers” policy and/or anti-spam efforts?

    I’m going to be trying something like this soon myself, so I’m interested to see if you get it working.

    ~Philly

    in reply to: Network Home Directories? #358831
    PhillyMJS
    Participant

    [QUOTE BY= kleinmatic]But is it worth doing? I know that if the Xserve ever gets sick my users will all crash and not be able to work at all. Is the convenience and robustness of network home directories worth the trade-off? I fear that it’s putting all of our eggs in one basket.[/QUOTE]

    I’m hammering out the details of a project for a mid-sized client right now, and we are definitely going to use network home directories. I too worried about a server crash bringing the whole place to a screeching halt, but there’s an answer– mobile user accounts. If you’re not familiar with them, they’re designed to put a local copy of a NHD on a laptop user’s machine so they can use the computer normally while not on the LAN.

    I’ve done quite a bit of testing with them and they work quite well, with one caveat– Panther Server does not offer sync capabilities between the local and network home directories, AFAICT. Tiger Server will remedy this oversight, but for now we’ve had to find a 3rd-party sync utility (ChronoSync) to sync the two folders.

    For laptop users who leave the office, the syncing needs to be done (at a minimum) when first rejoining the LAN after being away, and when about to be removed from it again. You can also use mobile user accounts for non-mobile desktop Macs, purely as a hedge against server failure. On those machines, the syncing should be done around noon and again in the evening, to minimize data loss if the server hosting the NHDs goes bye-bye.

    I’m kinda hoping my client will delay the project a bit so we can set them up with Tiger Server and not have to mess with ChronoSync. It’s a nice utility, but automatic syncing as a server function would certainly be preferable.

    ~Philly

    PhillyMJS
    Participant

    I feel your pain– I’m having the exact same problem. I can connect just fine, but cannot connect to any shares. I can’t even ping the server’s internal IP address while connected.

    Apple’s server documentation is practically worthless. Would it kill them to maybe include an example configuration with explanations as to why the settings have to be a certain way? I even came up snake eyes searching Google and Apple’s support discussions for help.

    Someone needs to create a tutorial that steps through the setup of each OS X Server service… something I can read through and actually duplicate on a spare machine at home to really learn the ins and outs of how it works and understand why it needs to be set up a certain way, and then apply that knowledge to my own projects. <sigh> But I guess someone’s making too much money from selling $2000 classes to put out a decent tutorial for the advanced stuff.

    ~Philly
