403 Forbidden Lion Server

[notverypc]

While I've had great success setting up a demo Munki Sever on Lion Mac, I'm not having the same success installing in on Lion Server.

Munki Tools are all installed I've create the Repo folder structure and managed to import google chrome into the repo but when I try to view the contents of the repo folder in safari I get the following error:

Forbidden

You don't have permission to access /munki_repo/ on this server.

I have noticed the URL defaults to https:// as well.

https://myservername/munki_repo/

Any help or pointers would be most welcome.

[Joe Wollard]

Fixing a 403 is generally simpler than most folks think. It generally means that your web server doesn't have the permissions it needs to read the requested resource. Open Terminal and do an "ls -l" in your web root to see how the permission differ between the apple-provided index.html and your munki_repo directory and its contents.

You want to make sure that the web server process has read access to everything and execute access on munki_repo and its subdirectories.




---
Joe Wollard

[notverypc]

Thanks for the reply Joe.

The permissions look OK to me:

drwxrwxr-x  4 root  admin     136 25 May 14:22 NetBoot

-rw-rw-r--  1 root  admin  102749 25 Jun  2011 ServerCenter.png

lrwxr-xr-x  1 root  wheel      44  1 Sep  2011 default.html.de -> /usr/share/web/locales/de.lproj/default.html

lrwxr-xr-x  1 root  wheel      44  1 Sep  2011 default.html.en -> /usr/share/web/locales/en.lproj/default.html

lrwxr-xr-x  1 root  wheel      44  1 Sep  2011 default.html.es -> /usr/share/web/locales/es.lproj/default.html

lrwxr-xr-x  1 root  wheel      44  1 Sep  2011 default.html.fr -> /usr/share/web/locales/fr.lproj/default.html

lrwxr-xr-x  1 root  wheel      44  1 Sep  2011 default.html.it -> /usr/share/web/locales/it.lproj/default.html

lrwxr-xr-x  1 root  wheel      44  1 Sep  2011 default.html.ja -> /usr/share/web/locales/ja.lproj/default.html

lrwxr-xr-x  1 root  wheel      44  1 Sep  2011 default.html.ko -> /usr/share/web/locales/ko.lproj/default.html

lrwxr-xr-x  1 root  wheel      44  1 Sep  2011 default.html.nl -> /usr/share/web/locales/nl.lproj/default.html

lrwxr-xr-x  1 root  wheel      47  1 Sep  2011 default.html.zh-CN -> /usr/share/web/locales/zh_CN.lproj/default.html

lrwxr-xr-x  1 root  wheel      47  1 Sep  2011 default.html.zh-TW -> /usr/share/web/locales/zh_TW.lproj/default.html

-rw-rw-r--  1 root  admin    7782  1 Sep  2011 favicon.ico

-rw-rw-r--  1 root  admin     269  1 Sep  2011 info.php

lrwxr-xr-x  1 root  admin      30 24 May 14:55 munki_repo -> /Volumes/Netinstall/munki_repo

On Friday, 25 May 2012 15:58:00 UTC+1, Joe Wollard wrote:

Fixing a 403 is generally simpler than most folks think. It generally means that your web server doesn't have the permissions it needs to read the requested resource. Open Terminal and do an "ls -l" in your web root to see how the permission differ between the apple-provided index.html and your munki_repo directory and its contents.

You want to make sure that the web server process has read access to everything and execute access on munki_repo and its subdirectories.




---
Joe Wollard

[Greg Neagle]

How about 

ls -al  /Volumes/Netinstall/munki_repo

?

-Greg

[notverypc]

drwxr-xr-x+  4 sadmin  admin   136 25 May 12:35 catalogs

drwxr-xr-x+  3 sadmin  admin   102 25 May 12:43 manifests

drwxr-xr-x+  3 sadmin  admin   102 25 May 12:33 pkgs

drwxr-xr-x+  3 sadmin  admin   102 25 May 12:33 pkgsinfo

[Daniel Hazelbaker]

I don't know how Lion's apache is setup, but I know standard Linux
apache by default does not allow symlinks outside the document root.
You might try copying your munki_repo from the /Volumes/NetInstall to
wherever your web root is and see if that fixes it first.

Daniel

[Greg Neagle]

No, don't do that.

I'm pretty sure that _is_ the document root "notverypc" has listed permissions for.

-Greg

[Daniel Hazelbaker]

Right, if I am reading the output correctly, "notverypc" listed the
document root, which shows that munki_repo is symlinked to
(apparently) an entirely different volume; which is likely outside the
web root; which means the symlink may be denied and/or there is no
<Directory> directive granting access to the folder he is symlinking
to. That isn't a definite, but a quick test to determine if that is
the problem would be to put "munki_repo" IN the web root instead of as
a symlink to somewhere else.

lrwxr-xr-x  1 root  admin      30 24 May 14:55 munki_repo ->
/Volumes/Netinstall/munki_repo

[notverypc]

The munki_repo is on a different volume and I have symlink it back.

Ideally I want to keep all installers on a separate drive

[Greg Neagle]

Split out your "configure a web server" problem from munki.

Work on serving an index.html page from /Volumes/foo/bar first.

-Greg

[notverypc]

I'm still determined to get Lion Server to play nicely with munki..

I've done a completely clean install of 10.7 then installed the server app. I've setup the folder structure for munki in 

Library/Server/Web/Data/Sites/Default

I've then run the chmod –R a+rX Library/Server/Web/Data/Sites/Default/munki_repo

With the web service running in Server app I still get the 403 forbidden error when I navigate to myservername/munki_repo

On the advice of someone else I added the "world wide web server" group to the munki_repo folder via server app with Read rights but the dreaded 403 error still continues to plague me.

I've add a index.html to the munki_repo folder and that appears correctly in safari.

With this very limited success, I went ahead and configured munki. 

Unfortunately this limited success was short lived. When I run the sudo /usr/local/munki/managedsoftwareupdate on a test client I get the following error:

Managed Software Update Tool

Copyright 2010-2012 The Munki Project

http://code.google.com/p/munki

Starting...

Checking for available updates...

    Retreiving list of software for this machine...

ERROR: Could not retrieve manifest client_manifest from the server.

ERROR: Error 22: The requested URL returned error: 404

ERROR: Could not retrieve managed install primary manifest.

    No changes to managed software are available.

Finishing...

Done.

 

I could install munki on lion client but then I'd loose features from the server that I'm currently using in Lion server 

I know this isn't a munki issue but I would highly value any pointer or help. I've never had to use the web service in lion server before and it's a little beyond.

[Arjen van Bochoven]

Ok, I did the same in 10.7 Server, clean install:

Open Server.app, turn on webserver.

Check in Browser:
http://localhost/

I get nice Welcome screen.

Then I create the repository:
sudo mkdir /Library/Server/Web/Data/Sites/Default/munki_repo

Check in Browser:
http://localhost/munki_repo/

I get a Forbidden message, which is ok, because by default directory browsing is disabled.

I change ownership of the repo so I don't need sudo to populate the repo
sudo chown admin_user /Library/Server/Web/Data/Sites/Default/munki_repo

Now let's create the directory structure:
mkdir /Library/Server/Web/Data/Sites/Default/munki_repo/{manifests,pkgs,pkgsinfo,catalogs}

Now I have to add a manifest, the easiest way to do that is to use manifestutil. First configure manifestutil for the repo:

$ /usr/local/munki/manifestutil --configure
Path to munki repo (example: /Volumes/repo) [/Volumes/munki/]: /Library/Server/Web/Data/Sites/Default/munki_repo/
Repo fileshare URL (example: afp://munki.example.com/repo) []:

Then run manifestutil:

$ manifestutil
Entering interactive mode... (type "help" for commands)

Create a manifest called test:

> new-manifest test

Check in browser:
http://localhost/munki_repo/manifests/test

I see an xml file with some empty keys and arrays.

From here on use the munki documentation to add pkgs and manifests.

-Arjen

[Arjen van Bochoven]

On May 30, 2012, at 10:26 AM, notverypc <notv...@gmail.com> wrote:

> With the web service running in Server app I still get the 403 forbidden error when I navigate to myservername/munki_repo

Which is fine, munki client will never request http://myservername/munki_repo

> On the advice of someone else I added the "world wide web server" group to the munki_repo folder via server app with Read rights but the dreaded 403 error still continues to plague me.

It is not a server error, but a user error. You should not navigate to the directory.

> I've add a index.html to the munki_repo folder and that appears correctly in safari.

So the webserver is functioning correctly.

> With this very limited success, I went ahead and configured munki.

Not sure what you mean by 'configured munki', did you set up the server, the client, what were the parameters?

-Arjen

[notverypc]

Hi Arjen

Thanks for the pointers they really helped!!

Munki is now working... happy days...

I think I got thrown by the 403 forbidden errors when I didn't need to :)

Thanks again

On Wednesday, 30 May 2012 10:13:12 UTC+1, Arjen van Bochoven wrote:

On May 30, 2012, at 10:26 AM, notverypc

[WiseByte]

I don't know if you got your answer yet, but I'm also using Lion server to serve as a Munki Repo. in addition, I'm also using the built-in WiKi for documentation that's available for HelpDesk plus other stuff that also rely on Apache. There are three things I configured to get this to work:

1. Create the Repo directory and give everyone or www read permission.

2. Let's say your Munki Repo directory is located at /Users/Shared/Repository then add the entry "Alias /munki_repo /Users/Shared/Repository" to Apache's config file httpd.conf. If you don't know where it is located type httpd -V to find out. Find the "-D SERVER_CONFIG_FILE=" entry.

3. Lastly, populate your Munki Repo then start either the WiKi or Web service via the Server application.

That worked for me. Hope that helps.

[notverypc]

Thanks for the additional pointers.

I've got munki working now with Lion Server. I'm so impressed with the software. 

I'm just exploring what I can do with the software and the plan is to use it for our summer refresh and updates.

Thanks again to all that helped me. It really is gratefully received.

[Greg Neagle]

It would be extraordinarily helpful to see a log snippet or `/usr/local/munki/managedsoftwareupdate -vvv` run that demonstrates the issue.

HTTP response code 404 is "File not Found". But we don't have any way of guessing _what_ file the munki client happens to be looking for.

-Greg

On Jul 19, 2012, at 1:34 PM, Stuart Garlock wrote:

Hello,

I work for the Eastman School of Music's computer lab as an assistant, and we are using munki to roll out updates on web apps. I had it set up and running for a while, but recently I started getting error 22 followed by 404 which I think is the same error notverypc had. I am using the wiki on my server the same way that you are so perhaps you could help? The wiki still works so I am not entirely sure what the problem is. I have been looking through my httpd.conf file to do your drop in from your step 2 because I am hosting from a different drive and currently have the repo linked in /Library/Server/Web/Data/Sites/Default/ Perhaps that is the problem?

Any help would be appreciated, I will probably get it up and running again eventually but if I can save a couple of days of ignorantly stumbling through the schools server that would be good.

Thanks,

Stuart-

[Stuart Garlock]

Thank you for your fast reply, I acquired the log saw the problem and fixed it. I am back online, sorry to waste your time. 

Stuart-