Mac mini server 2010, Windows clients, file sharing and VPN

joecool99
Aug 3, 2010, 10:03 PM
Basic network:
INTERNET -> cable modem -> WIFI / Ethernet router

Mini server connected via Giga-ethernet.

4 PC laptops and 3 desktops (all windows vista or windows 7) via N-wifi network.

all i really need is a file sharing service to be able to access specified folders/files according to each PC station and have them auto-mounted.

the 7 users, i want all of them to be able to see other user's folders as READ ONLY. only their own folder with full rights.

how do i set this up on the apple mini server and the respective PC clients ?
any issues i need to be aware of with MAC server + windows clients combo ?

what would be the best tool for remote admin of the server from a windows laptop ?



talmy
Aug 4, 2010, 12:29 PM
Frankly, if that's all you want you would have been better served by a Linux or Windows server box. As it is, you will need to go through the normal Snow Leopard Server configuration, assigning a static IP and ensuring DNS is working properly. Then when you configure shares you need to enable SMB. As far as the automounting is concerned, you will need to consult the documentation unless someone else chimes in. To access remotely you will need to use a VNC client as the remote admin tools require OS X.

Your title also mentions VPN. It's easy to set up but I don't know what Windows client works with it. I do tunneling over SSH to access remotely from a PC.

joecool99
Aug 5, 2010, 12:12 AM
i like the mini for its compactness. i know Linux would have worked too.

about the VPN, it's mainly to access it from home for occasional diagnostics.
the server will be on the LAN, it won't be sitting on the internet line. it's behind the router:

comcast cable -> modem -> wifi / ethernet router | -> WIFI client PC's
| -> ethernet mini server

how do i tunnel from home - also inside LAN to that at work ?

dampfdruck
Aug 5, 2010, 03:07 AM
The easiest is to use something like "teamviewer" or "logmein".

If you want to use a "real" VPN, then you need to configure port forwarding on your router. I assume/guess that what you call "cable modem" is in fact a router and your "WIFI / Ethernet router" is actually a switch. Switches don't need to be configured for your VPN.

talmy
Aug 5, 2010, 09:52 AM
To do the tunneling, I suggest Googling "VNC over SSH". The topic is a bit too big for a post.

joecool99
Aug 14, 2010, 02:09 AM
can anyone advise how to properly set up SMB file sharing for a small network with 8 Windows 7 computers ?

i'm watching LYNDA essential training. lots of it makes sense, BUT the very first step - setting up DNS - doesn't fit my understanding of a file server on a local network.

the mac mini 2010 server will be behind router - it won't be directly on internet line. also, i don't want to host WEB or MAIL services. just simple file server with simple folder sharing and permissions by different groups of people accessing files.

why would i need to setup DNS then ?

screen shot from LYNDA training:

http://lightimagination.net/1ebay/dns.png

see the example: server.private ?

is that what i need to use if i need just LAN file server functionality ?

Is only SMB sharing service compatible with Windows 7 ? Or can i use NFS or other ? Benefits or differences ?
Please advise.

joecool99
Aug 14, 2010, 02:15 AM
strange, when i reboot the server, disconnect monitor, keyboard and mouse i cannot access it remotely ?

is that normal ? so after every reboot/update i need to run up to it and sign in locally ? :confused:

* already found the answer - that happens over WIFI. when connected via Ethernet, i can connect fine

talmy
Aug 14, 2010, 10:58 AM
The server version of OS X is different in that to operate properly (including remote access) forward and reverse DNS must be provided. I had terrible problems until I got this all resolved. Check this out: http://labs.hoffmanlabs.com/node/1436

I'll tell you right now that the primary domain name you show is wrong if you just want LAN access. Study the link above.

joecool99
Aug 14, 2010, 06:45 PM
i'm getting lost here with DNS configuration. please advise.

config of the LOCAL DNS i tried to setup
http://lightimagination.net/1ebay/dns2.png

i tested it according to the LYNDA essential training for 10.6
the test seems all good, see below:

http://lightimagination.net/1ebay/name.png

http://lightimagination.net/1ebay/ip.png

http://lightimagination.net/1ebay/term.png

BUT if i try to setup open directory master i get this message: :(

http://lightimagination.net/1ebay/ds.png


now what ??? please help

talmy
Aug 14, 2010, 08:03 PM
I don't see anything wrong. You wouldn't have the message if everything was initially set up correctly. Just click on "Continue". Kerberos worked for me without doing anything extra after configuring.

Just in case, though, make sure your server is the only DNS server (disable DNS in your router). I didn't see DHCP configured -- you will need that so that other computers will be able to find your DNS server.

joecool99
Aug 14, 2010, 08:24 PM
> I don't see anything wrong. You wouldn't have the message if everything was initially set up correctly. Just click on "Continue". Kerberos worked for me without doing anything extra after configuring.
>
> Just in case, though, make sure your server is the only DNS server (disable DNS in your router). I didn't see DHCP configured -- you will need that so that other computers will be able to find your DNS server.

Are you saying i should ignore the message ? Honestly i don't fully understand it, but essentially it's an error message ? Something doesn't seem to be configured right.

What is single sign-on (Kerberos 5) ? Do i need it with windows networking ?

Currently the other windows computers are hooked up by WIFI-n (IPv6 disabled everywhere) to a router, so i assume i need to keep the DNS on the router ON.
Do i really need to disable it and configure all stations manually ?

Only the server is on MANUAL so i know where it is all the time.

talmy
Aug 14, 2010, 08:49 PM
You will want DHCP enabled and set so that other computers will use your server for DNS. In the DNS Settings tab you add the Forwarder IP Addresses to the external DNS server you want to use. Your server, in System Preferences -- Network, should specify its own address for its DNS server. Your router should have DHCP and DNS services turned off. You don't have to manually configure any computer other than your server.

The way I read the message is that Kerberos is currently configured, and that the configuration will be lost when you switch to Open Directory Master. This doesn't surprise me since changing that setting tends to wipe out any open directory data. You can always reenable Kerberos later if you need it. I don't know if it does anything for Windows.

joecool99
Aug 14, 2010, 09:27 PM
actually getting somewhere - finally. now i see the server on windows machine and can login with the user names / groups i've created.
still working on setting up the permissions etc.

one of the user groups is wrong i want to change the short name, but it's greyed out! why ? i cannot delete it and start over :-(

i unchecked all the users from this group so it should be available for delete ?

http://lightimagination.net/1ebay/group.png

I've left the server as is with manual IP configuration:

http://lightimagination.net/1ebay/ipserver.png

the rest of the network is still using the router's DNS and DHCP. seems to be working fine. so far...

i just went ahead and installed directory master even with the warning of Single sign-on not available. then enabled SMB sharing

talmy
Aug 15, 2010, 09:13 PM
You can't change shortnames. Best bet is to create a new group with the shortname you want and put everyone in that group. Looking at my setup, the group named workgroup is my only group that has a grayed out delete button. It also is the only group that was created by default. I did notice that the delete button is available in the Workgroup Manager program when logged in as the Directory Administrator. That may be the problem trying to delete it in the fairly anaemic Server Preferences program.

joecool99
Aug 16, 2010, 07:54 PM
really grateful for the help here. server OSX issues are not topics discussed as much among the MAC crowd.

update of current situation (after 2nd install - updated to 10.6.4 via SSH before setting up the server in background):

• DNS (auto configuration - did not touch)
• OD master running (installed fine with kerberos, no error as before) :rolleyes:
• SMB running on the server (AFP and SMB windows
• server DNS address in network conf. pointed to itself as: 127.0.0.1

comcast cable modem -> Dlink WIFI router -> rest of the network
- the WIFI router runs DNS and DHCP

• most computers are via WIFI, except one XP SP3 PC (eth) - have yet to reinstall to W7


STRANGE behavior (or my messed up setup)

• few times i had all windows computers see the server in the network windows explorer listed with the rest of the computers, today the PC's didn't see the server by itself. i can ping by IP and name "server" fine. i can open run command \\server and then it appears in the windows explorer. odd ?

also the shared folders i've defined and then manually linked in W7 (with checking remember credentials and automount at login). however after W7 restart it fails to reconnect and i need to re-enter it again.

i lost the link that was editing local policy in "group policy manager" in LAN responses. someone else suggested to disable kerberos login in SMB. however i didn't have luck with that.

SMB error logs:

[2010/08/16 15:52:25, 0, pid=21939] /SourceCache/samba/samba-235.4/samba/source/nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(351)
find_domain_master_name_query_fail:
Unable to find the Domain Master Browser name WORKGROUP<1b> for the workgroup WORKGROUP.
Unable to sync browse lists in this workgroup.
[2010/08/16 16:07:16, 0, pid=21939] /SourceCache/samba/samba-235.4/samba/source/nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(351)
find_domain_master_name_query_fail:
Unable to find the Domain Master Browser name WORKGROUP<1b> for the workgroup WORKGROUP.
Unable to sync browse lists in this workgroup.
[2010/08/16 16:22:34, 0, pid=21939] /SourceCache/samba/samba-235.4/samba/source/nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(351)
find_domain_master_name_query_fail:
Unable to find the Domain Master Browser name WORKGROUP<1b> for the workgroup WORKGROUP.

and other, i just forgot to copy it and bring home. although it's running, seems there are quite a few bugs...

http://lightimagination.net/1ebay/dns3.png

http://lightimagination.net/1ebay/smb.png
http://lightimagination.net/1ebay/smb2.png

talmy
Aug 16, 2010, 08:59 PM
Well SMB is out of my area of expertise, that's for sure! But looking at the error messages, it wants a Domain Master Browser and can't find one. You didn't check the box for the server to be the Domain Master Browser. Perhaps you should check that box? Beyond that guess, I couldn't tell you what the difference between a Domain and a Workgroup Master Browser is. But I do know that SMB needs a Master Browser to tabulate the connected systems so that they can be located -- that's why they don't show up in the Network Neighborhood.
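A small parser for nmbd log entries of the kind posted above, so the browser-sync failures can be counted per workgroup instead of read one by one. This is an added example, not code from the thread or from Samba; the sample log below is constructed from the posted lines, and the `<1b>` suffix is the NetBIOS name type of the Domain Master Browser record.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the nmbd entries posted in the thread.
SAMPLE_LOG = """\
[2010/08/16 15:52:25, 0, pid=21939] /SourceCache/samba/samba-235.4/samba/source/nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(351)
find_domain_master_name_query_fail:
Unable to find the Domain Master Browser name WORKGROUP<1b> for the workgroup WORKGROUP.
Unable to sync browse lists in this workgroup.
[2010/08/16 16:07:16, 0, pid=21939] /SourceCache/samba/samba-235.4/samba/source/nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(351)
find_domain_master_name_query_fail:
Unable to find the Domain Master Browser name WORKGROUP<1b> for the workgroup WORKGROUP.
Unable to sync browse lists in this workgroup.
"""

# Header line: "[date time, level, pid=N] path/file.c:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+), pid=(?P<pid>\d+)\] "
    r"(?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)$"
)
# Message line we care about: which NetBIOS name (with <type> suffix) could
# not be found for which workgroup. <1b> is the Domain Master Browser type.
MASTER_RE = re.compile(
    r"Unable to find the Domain Master Browser name (?P<name>\S+) "
    r"for the workgroup (?P<wg>\S+)\."
)


@dataclass
class Entry:
    ts: str
    level: int
    pid: int
    file: str
    func: str
    line: int
    message: list = field(default_factory=list)  # free-text lines that follow


def parse_nmbd_log(text):
    """Split Samba's multi-line log format into Entry objects.

    Every header line starts a new entry; the non-empty lines after it
    (until the next header) are that entry's message body.
    """
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), int(m["pid"]),
                                 m["file"], m["func"], int(m["line"])))
        elif entries and raw.strip():
            entries[-1].message.append(raw.strip())
    return entries


def browser_failures(entries):
    """Count Domain Master Browser lookup failures per (workgroup, name)."""
    counts = {}
    for e in entries:
        for line in e.message:
            m = MASTER_RE.match(line)
            if m:
                key = (m["wg"], m["name"])
                counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (wg, name), n in browser_failures(parse_nmbd_log(SAMPLE_LOG)).items():
        print(f"workgroup {wg}: {n} failed lookups of {name}")
```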

joecool99
Aug 16, 2010, 10:37 PM
makes sense... i'll try it tomorrow again. now, so i can troubleshoot and monitor from home, i would like to set up VPN.

i've watched the video Lynda.com.Mac.OS.X.Server.10.6.Snow.Leopard.DNS.and.Network.Services

very cool, one of the steps is properly configuring the router forwarding:

http://lightimagination.net/1ebay/vpnlynda.png

i'm still a bit unclear. with this setup:

comcast modem -> ethernet router with public IP -> local 192.168.xxx.xxx

if i don't have a DNS setup for the public IP given by comcast (i'm not hosting web). do i just setup the public IP of the router in the VPN ?

then those specified ports will be forwarded to the specified machine 192.168.xxx.x ?

talmy
Aug 16, 2010, 11:27 PM
I am concerned here because you are forwarding to 192.168.12.2 yet in an earlier post you show your server at 192.168.0.2. You want to forward to your server's LAN IP address. Otherwise it looks like the port forwarding is correct, at least the ports used.

Do you have a static IP on the Internet, or is it Dynamic? This is the IP address of the router looking outward as opposed to inward facing, which is probably 192.168.x.1. If it is static, then that is the IP address you use to VPN access your LAN. If it is dynamic then you need a Dynamic DNS service like DynDNS.com. I've got a domain name on the outside which I have pointing to my name at DynDNS.com that then points to my home network. Works just fine.

The instructions for setting up VPN worked for me just fine from the start. It turned out to be the easiest service to configure. You will want to use the Shared Secret IPSec Authorization. The data on the Client Information page is used in the DHCP configuration of clients connected over VPN, so set the DNS Server and search domains fields the same as you have for local systems. In the Network Routing Definition you are specifying the address range that goes over the VPN connection. You have the option (in the client) to send all traffic over VPN, which is slower but very secure because no system in the LAN the client is on can analyze any of the traffic beyond the fact that it is going to your VPN. You should use 192.168.x.0 255.255.255.0 private, where "x" is as appropriate (is it 0 or 12??).

joecool99
Aug 17, 2010, 12:10 AM
> I am concerned here because you are forwarding to 192.168.12.2 yet in an earlier post you show your server at 192.168.0.2. You want to forward to your server's LAN IP address. Otherwise it looks like the port forwarding is correct, at least the ports used.
>
> Do you have a static IP on the Internet, or is it Dynamic? This is the IP address of the router looking outward as opposed to inward facing, which is probably 192.168.x.1. If it is static, then that is the IP address you use to VPN access your LAN. If it is dynamic then you need a Dynamic DNS service like DynDNS.com. I've got a domain name on the outside which I have pointing to my name at DynDNS.com that then points to my home network. Works just fine.
>
> The instructions for setting up VPN worked for me just fine from the start. It turned out to be the easiest service to configure. You will want to use the Shared Secret IPSec Authorization. The data on the Client Information page is used in the DHCP configuration of clients connected over VPN, so set the DNS Server and search domains fields the same as you have for local systems. In the Network Routing Definition you are specifying the address range that goes over the VPN connection. You have the option (in the client) to send all traffic over VPN, which is slower but very secure because no system in the LAN the client is on can analyze any of the traffic beyond the fact that it is going to your VPN. You should use 192.168.x.0 255.255.255.0 private, where "x" is as appropriate (is it 0 or 12??).

the router VPN port screen shot forwarding is from lynda ;-) mine will be as shown before x.x.0.2

the public IP is probably dynamic. i'll look into dyn DNS also.
will report back. thank you.

joecool99
Aug 21, 2010, 10:12 PM
i setup the advanced routing as in the image before (with correct local IP)

then i looked at the outside IP on the router, wrote it down, created the VPN (L2TP) with the shared secret, but cannot connect.

http://lightimagination.net/1ebay/vpnn.png

i'm attempting VPN for the first time ever, what obvious thing did i miss ? the outside IP doesn't respond to ping, could that be just a setting on the comcast modem ?

talmy
Aug 21, 2010, 10:19 PM
Routers typically don't respond to ping requests for security reasons.

If you are testing VPN within your LAN, try connecting directly to your server's IP address. I don't think you can connect to your router's outside IP address unless you are connecting from the outside. I've never tested that. You might also want to have your router port forward SSH to your server, enable ssh on your server, and see if you can access your server that way as well.

Eric-PTEK
Aug 21, 2010, 10:25 PM
> STRANGE behavior (or my messed up setup)
>
> • few times i had all windows computers see the server in the network windows explorer listed with the rest of the computers, today the PC's didn't see the server by itself. i can ping by IP and name "server" fine. i can open run command \\server and then it appears in the windows explorer. odd ?
>
> also the shared folders i've defined and then manually linked in W7 (with checking remember credentials and automount at login). however after W7 restart it fails to reconnect and i need to re-enter it again.
>
> i lost the link that was editing local policy in "group policy manager" in LAN responses. someone else suggested to disable kerberos login in SMB. however i didn't have luck with that.
>
> SMB error logs:
>
> [2010/08/16 15:52:25, 0, pid=21939] /SourceCache/samba/samba-235.4/samba/source/nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(351)
> find_domain_master_name_query_fail:
> Unable to find the Domain Master Browser name WORKGROUP<1b> for the workgroup WORKGROUP.
> Unable to sync browse lists in this workgroup.
> [2010/08/16 16:07:16, 0, pid=21939] /SourceCache/samba/samba-235.4/samba/source/nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(351)
> find_domain_master_name_query_fail:
> Unable to find the Domain Master Browser name WORKGROUP<1b> for the workgroup WORKGROUP.
> Unable to sync browse lists in this workgroup.
> [2010/08/16 16:22:34, 0, pid=21939] /SourceCache/samba/samba-235.4/samba/source/nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(351)
> find_domain_master_name_query_fail:
> Unable to find the Domain Master Browser name WORKGROUP<1b> for the workgroup WORKGROUP.
>
> and other, i just forgot to copy it and bring home. although it's running, seems there are quite a few bugs...
>
> http://lightimagination.net/1ebay/dns3.png
>
> http://lightimagination.net/1ebay/smb.png
> http://lightimagination.net/1ebay/smb2.png

As someone else said, this is not a job for an OS X server, it's just not.

Windows boxes do a very poor job of peer to peer amongst themselves, in fact I'd tell a customer peer to peer on a Windows box is useless unless you have a hosts file on each machine, pointing to all the other machines, but then you need to manage and update it.

What you need to do is turn off DNS/DHCP on the router and let the server handle it...and if you go through that much trouble on a Windows box might as well go Active Directory and get rid of peer to peer all together. IMO peer to peer is not a true business solution, not with how cheap you can put together a W2K8 server.

If you do that then the server's DHCP will also cause DNS to register the machines, allowing the windows boxes to find one another.

Since you're letting the router do the work, it assigns the addresses but has no DNS pool of its own.

Your internal domain is company.com

Your DHCP unit on the router hands out 10 IP's for computers1 through computer10.

So when you try to browse for computer1.company.com that is an unregistered name because your ISP's DNS obviously doesn't register it, plus it exists inside your LAN.

I'll assume OS X works this way since it's the logical way. Now OS X is your DHCP/DNS instead.

DHCP hands out 10 IP's to 10 computers, it also registers them in its own internal DNS.

So you browse to www.macrumors.com, it checks its own internal DNS, does not find it, then asks the ISP DNS to resolve it.

You browse to computer1.company.com and it does find it registered in your company DNS and returns an address.

The server needs to be the manager of the network, which means it must be aware of all the devices, which requires it to be the DNS/DHCP.

Regardless, although you like the mini form factor you would be much much better served with a Windows server.

Still my explanation should hold true.

talmy
Aug 22, 2010, 08:51 AM
I certainly concur with Eric-PTEK. I reread the thread and noted I did say the server needs to be the DNS and DHCP server, but then I did notice the OP stated in a later message that the router was still the DNS/DHCP server for the other systems.

OS X Server is not an "It Just Works" Apple product, and in an environment with only Windows clients it loses whatever advantages it has in a Mac environment.

joecool99
Aug 23, 2010, 10:26 PM
> Routers typically don't respond to ping requests for security reasons.
>
> If you are testing VPN within your LAN, try connecting directly to your server's IP address. I don't think you can connect to your router's outside IP address unless you are connecting from the outside. I've never tested that. You might also want to have your router port forward SSH to your server, enable ssh on your server, and see if you can access your server that way as well.

i've tested it from MBP at home. also behind WIFI router with comcast modem.
do i need to configure the modem at home too to carry through the VPN ?

will have to try SSH.

talmy
Aug 24, 2010, 09:19 AM
The access from home shouldn't be a problem, but it is possible (not likely) the outgoing ports are being blocked at home. Then again, the incoming ports might be blocked at work. SSH is less likely to be blocked anywhere.

joecool99
Aug 24, 2010, 11:36 PM
> The access from home shouldn't be a problem, but it is possible (not likely) the outgoing ports are being blocked at home. Then again, the incoming ports might be blocked at work. SSH is less likely to be blocked anywhere.

so how should i configure the SSH ? at work add routing of port 22 to the local IP server address ?

then try to connect with terminal to the public IP of the router as:

ssh 10.x.x.10 ?

talmy
Aug 25, 2010, 09:09 AM
Yes forward port 22 to your server. BUT if your router has an external address starting 10. then you are behind another firewall as 10. addresses are not public. That could be the cause of your problems.
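The two forwarding mistakes raised in this thread (a rule pointing at 192.168.12.2 while the server sits at 192.168.0.2, and a router whose WAN side carries a 10.x address) can be caught before touching the router. This is an added example, not the thread's or any router's code: the function, its argument names and the sample values are constructed here, and it also flags RFC 6598 carrier-grade NAT space, which the thread does not mention.

```python
import ipaddress

# Address ranges that can never be reached directly from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def check_forwarding(lan_cidr, server_ip, wan_ip, rules):
    """Return a list of findings for a router port-forwarding setup.

    lan_cidr  -- the LAN subnet the router serves, e.g. "192.168.0.0/24"
    server_ip -- the address the server is configured with (manual IP)
    wan_ip    -- the address shown on the router's WAN/Internet side
    rules     -- iterable of (proto, port, target) as typed into the router
    An empty list means nothing obviously wrong was found.
    """
    findings = []
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    server = ipaddress.ip_address(server_ip)
    wan = ipaddress.ip_address(wan_ip)

    if server not in lan:
        findings.append(f"server {server} is not inside LAN {lan}")

    for proto, port, target in rules:
        tgt = ipaddress.ip_address(target)
        if not 1 <= port <= 65535:
            findings.append(f"{proto}/{port}: invalid port number")
        if tgt not in lan:
            # The 192.168.12.2 vs 192.168.0.2 case: the rule is in a
            # different subnet and can never reach the server.
            findings.append(f"{proto}/{port} -> {tgt}: target is outside LAN {lan}")
        elif tgt != server:
            findings.append(f"{proto}/{port} -> {tgt}: target is not the server "
                            f"({server}); traffic goes to the wrong host")

    # A router whose WAN side carries a private or shared address is itself
    # behind another NAT device, so inbound VPN/SSH cannot reach it until
    # the upstream device forwards the same ports to it.
    if wan in CGNAT:
        findings.append(f"WAN {wan} is carrier-grade NAT space (100.64.0.0/10): "
                        f"the ISP does NAT upstream; inbound forwarding cannot work")
    elif any(wan in n for n in RFC1918):
        findings.append(f"WAN {wan} is RFC 1918 private: double NAT; the upstream "
                        f"modem/router must forward the same ports to {wan}")
    return findings


if __name__ == "__main__":
    # Constructed values from the thread: server at 192.168.0.2, the
    # screenshot's rule to 192.168.12.2, and a 10.x address on the WAN side.
    for f in check_forwarding("192.168.0.0/24", "192.168.0.2", "10.1.2.3",
                              [("tcp", 22, "192.168.12.2")]):
        print("finding:", f)
```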

joecool99
Aug 25, 2010, 12:18 PM
> Yes forward port 22 to your server. BUT if your router has an external address starting 10. then you are behind another firewall as 10. addresses are not public. That could be the cause of your problems.


the 10. address is what i see on the WIFI router that's connected to Comcast modem. is there a firewall in comcast modem ? can that be configured ?

talmy
Aug 25, 2010, 03:32 PM
Sounds like the "Comcast Modem" is a router, or else Comcast has you behind a router of its own to minimize the number of IP addresses it needs. At any rate you've got a problem. You need to get at the configuration to port forward. Assuming you have business class and not residential service, you should be able to get a static IP address which would solve the problem, but at any rate it seems like you need to be asking Comcast what's going on.

ae3265
Aug 25, 2010, 07:28 PM
> The access from home shouldn't be a problem, but it is possible (not likely) the outgoing ports are being blocked at home. Then again, the incoming ports might be blocked at work. SSH is less likely to be blocked anywhere.

Actually, getting OpenVPN working on OS X isn't that bad and it can take care of most of the routing issues. You do need a router capable of setting internal LAN routes (avoid D-LINK! as they tend to not have this). It works great with the Windows OpenVPN client as well as Tunnelblick for Mac. You can also use the OpenVPN source to compile for Solaris and Linux, etc.

E.g., in my setup, I have VPN endpoints from my main server to my work lab and my father's computers on separate subnets; from my central location I can go into either as needed without having to muck around with SSH. Using port 443 avoids most firewall issues as well.

Just another option there...

joecool99
Aug 30, 2010, 01:06 AM
however i need to resolve the comcast modem first, since it's a router on its own, giving the WIFI router a 10.x IP address.

i never tried to configure the comcast modem for port routing. or should i replace it with one that doesn't work as a router ?

joecool99
Aug 30, 2010, 12:00 PM
the server has 2 drives in raid 1 mirror mode as well as an external drive for time machine backup. i would also like a daily copy to a windows machine.

what would be a good way to do it ? i don't need the hourly backup as with time-machine, but once at night to copy the files. a smart way so it copies only the files that have changed ?