10.4.x and Active Directory Logins - mobile accounts
Managing 10.4.x workstations and trying to get AD logins to work using OS X AD plugin set to "create mobile home" and "Force local home directory".
AD user accounts get stuck at the login window. The user name and password field are greyed out and the computer sits like that for a long time. Computer responds when pressing the power button to restart, shutdown, sleep, or cancel.
Console reads: automount 174: can't mount server name .... invalid argument (22) over and over
tried setting automount in /etc/hostconfig to NO and that just keeps returning the "unable to login as user .... afp/smb error"
If the AD plug in is cofigured with out the "create mobile home" and "force local home directory" checked, the AD user can log in with a true network home directory.
Seems like the login doesn't work when it's set to create a mobile home and mount the users network folder in the dock.
Clients are Mac 10.4.9 + / WIndows/Active Directory 2003 / OS 10.4 server for management purposes.
any ideas?
my apologies.... posted this question in the wrong forum. will repost.
Similar Messages
-
Active Directory logins - mobile accounts
Managing 10.4.x workstations and trying to get AD logins to work using OS X AD plugin set to "create mobile home" and "Force local home directory".
AD user accounts get stuck at the login window. The user name and password field are greyed out and the computer sits like that for a long time. Computer responds when pressing the power button to restart, shutdown, sleep, or cancel.
Console reads: automount 174: can't mount server name .... invalid argument (22) over and over
tried setting automount in /etc/hostconfig to NO and that just keeps returning the "unable to login as user .... afp/smb error"
If the AD plug in is cofigured with out the "create mobile home" and "force local home directory" checked, the AD user can log in with a true network home directory.
Seems like the login doesn't work when it's set to create a mobile home and mount the users network folder in the dock.
Clients are Mac 10.4.9 + / WIndows/Active Directory 2003 / OS 10.4 server for management purposes.
any ideas?my apologies.... posted this question in the wrong forum. will repost.
-
Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory
Hello,
Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory? I'm not having success in setting this up and would like to see what a successful authentication debug looks. Below is my current situation:
Oct 6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:23: TPLUS: processing authentication start request id 444
Oct 6 13:52:23: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:23: TPLUS: Using server 110.34.5.143
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
Oct 6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:23: T+: user:
Oct 6 13:52:23: T+: port: tty515
Oct 6 13:52:23: T+: rem_addr: 10.10.10.10
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Oct 6 13:52:23: T+: msg: Username:
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:23: TPLUS: Received authen response status GET_USER (7)
Oct 6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:30: TPLUS: processing authentication continue request id 444
Oct 6 13:52:30: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
Oct 6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
Oct 6 13:52:30: T+: User msg: <elided>
Oct 6 13:52:30: T+: User data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Oct 6 13:52:30: T+: msg: Password:
Oct 6 13:52:30: T+: data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
Oct 6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:37: TPLUS: processing authentication continue request id 444
Oct 6 13:52:37: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
Oct 6 13:52:37: T+: User msg: <elided>
Oct 6 13:52:37: T+: User data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
Oct 6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
Oct 6 13:52:37: T+: msg: Error during authentication
Oct 6 13:52:37: T+: data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:37: TPLUS: Received Authen status error
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
Oct 6 13:52:37: TPLUS: Choosing next server 101.34.5.143
Oct 6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
Oct 6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:49: TPLUS: processing authentication start request id 444
Oct 6 13:52:49: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:49: TPLUS: Using server 172.24.5.143
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
Oct 6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:49: T+: user:
Oct 6 13:52:49: T+: port: tty515
Oct 6 13:52:49: T+: rem_addr: 10.10.10.10
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
Oct 6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Oct 6 13:52:49: T+: msg: 0x0A User Access Verification 0x0A 0x0A Username:
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Received authen response status GET_USER (7)
The 1113 acs failed reports shows:
External DB is not operational
thanks,
jamesHi James,
We get External DB is not operational. Could you confirm if under External Databases > Unknown User Policy, and verify you have the AD/ Windows database at the top?
this error means the external server might not correctly configured on ACS external database section.
Another point is to make sure we have remote agent installed on supported windows server.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
Also provide the Auth logs from the server running remote agent, e.g.:-
AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
Attempting Windows authentication for user v-michal
AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
authentication FAILED (error 1783L)
thanks,
Vinay -
hello all...is there a way to activate(on startup) /deactivate(on logoff) CS6 Suite using a script, Active Directory Login Script or central Management Tool?
The long answer is: No. this is Adobe's secret sauce and you cannot manage it using other tools.
Mylenium -
Step by step process to create domain name and active directory in windows 7 64 bit
Step by step process to create domain and active directory in windows 7 64 bit
I work in an organization
I want to create a domain name SBBYDP and make it server for other computers
I want that, all users’ have a personal account while they use any computer from this organization, even they use any computer from this network they use their own account to login to network.
And this may be in Active directory option.
I installed windows 7 professional edition 64 bit
Can any person help me? Step by step process, I always thanks full all of youHi,
You must use the Windows Server platform system for the AD service, you can refer the following KB first:
Active Directory
http://technet.microsoft.com/en-us/library/bb742424.aspx
AD DS Deployment Guide
http://technet.microsoft.com/zh-cn/library/cc753963(v=ws.10).aspx
Hope this helps.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Sun java directory server and Active Directory
We are using two different directory servers Sun java directory server and active directory.
My question is how we can have password synchronization between these two directory servers.
I have checked Sun Java[TM] System Identity Synchronization for Windows 1 2004Q3
http://www.sun.com/download/products.xml?id=41537425
It seems that it's supported platforms is only for solaris and windows , but I have installed my Sun java directory server on linux and obviously it doesn't work for me.
I would be grateful if anyone can suggest a solution to work around this situation.
I have checked identity manager , I would like to know that if I can do this using this product.
http://www.sun.com/software/products/identity_mgr/specs.jsp
--regards.
SaraYes RHEL 4 is a supported OS with DSEE 6.0.
Identity Synchronization for Windows is a part of DSEE that allows synchronization of users, passwords and groups between Sun Directory Server and Active Directory bi-directionally without altering the users environments, ie it does not require that users change their current habits.
Identity Manager is a complete identity management solution that is targetting enterprise work flow when it comes to user provisioning and de-provisioning, but also allows to build authentication and password change forms that will provision the passwords to many different systems including Sun Directory Server and Active Directory but also IBM mainframes, legacy applications, databases...
If you are implementing a complete identity management solution, then go with Identity Manager. If you need a lightweight and fast solution for just synchronizing users and passwords between Sun DS and MS AD, Identity Synchronization for Windows should be your choice.
Regards,
Ludovic. -
### How to make integration between UCCX and Active Directory##
Hello,
I want to know what is the right procedure to perform a right integration between the UCCX and the Active Directory?
Waiting Yours Reply,,,,
Thanks a lot......What version?
Assuming a current version (5.0 and higher): there is NO direct integration between CCX and Active Directory. The CCX server must not be joined to a domain.
CCX uses UC Manager End Users for synchronized usernames and passwords. If UC Manager is synchronized with an LDAP source, such as Active Directory, then this will carry forward to CCX. CCX would pass authentication requests to CCX through AXL. UCM would perform the LDAP authentication and inform CCX of the success/failure. -
Cucm 9.1.2 and Active Directory(Windows Server 2003 Standart Edition SP2)
Hello!
Can CUCM 9.1.2 support an integration with Active Directory(Windows Server 2003 Standart Edition SP2)? How do I have to write down LDAP Manager Distinguished Name? I can find supporting only Active Directory 2003 in documentations without reference to Operation System.Yes, it is possible.
Check this how-to if you have any doubts about the process.
http://blog.ipexpert.com/2010/04/28/cucm-and-active-directory-integration/
http://www.markholloway.com/blog/?p=1189 -
Difference between Windows NT domain registry and Active Directory registry
What are the difference(s) ?
Frank, thanks for your response :)
I want WebSphere Application Server to take advantage of a directory service. There are multiple options available for a directory service.
In my configuration the requirement is to make WebSphere Application server to use Microsoft's Active Directory.
While I was going through (WebSphere) documentation, I see following note.
" With Windows NT domain registry support for Windows 2000 and 2003 domain
controllers, WebSphere Application Server only supports Global groups that are the Security type. It is recommended that you use the Active Directory registry support rather than a Windows NT domain registry if you use Windows 2000 and 2003 domain controllers
because the Active Directory supports all group scopes and types. The Active Directory also supports a nested group that is not support by Windows NT domain registry. The Active Directory is a centralized control registry."
You can find the above note in this link (somewhere after 7th line)
http://www-01.ibm.com/support/knowledgecenter/SSAW57_7.0.0/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_localos.html?cp=SSAW57_7.0.0%2F3-11-5-1-0-0
Does it mean that they are recommending to use Active Directory over Windows NT (which is an older approach) with windows server 2000 or windows server 2003 because Active directory is
advanced ?
I was under the impression that, Active Directory was started with Microsoft Windows Server 2003 and Windows NT registry was used till Windows 2000 server.
After going through above links,
Windows NT registry in an old method. However, it is compatible with Windows Server 2000 and Windows server 2003 but it is recommended to use Active directory with Windows Serve 2003 as it is more advanced. And the same is recommended in WebSphere documentation
(I am aware that support for Windows Server 2000 is over and only extended support is available for Windows Server 2003 however this is to clear doubt). Is my understanding correct ? And does windows server 2000 also support both i.e we can use either Windows
NT registry or Active directory and similarly, Either of them (Windows NT or Active Directory) could be used with Windows Server 2003 ?
And if I got it correct, Is Windows NT and Active Directory, both directory service offering from Microsoft? While NT being an old method and Active Directory being a new/advanced approach ? -
Mobile Account and Active Directory home folder
We install a XServe server (Mac OS X 10.6.3). We join it to Active Directory for authentification and Open Directory for policy. I read the magic triangle on the web.
I mount a MacBook Pro with Mac OS X 10.6. I join it to AD and after to OD. When I configure an account to be mobile, the home folder configure in AD stop to mount automatically. If the account is not mobile the home folder mount correctly.
Somebody has an idea of waht happen?Hello, sifeduc, and welcome to the AppleBoards,
This really seems like a Directory Services question and is probably best suited to this board: http://discussions.apple.com/forum.jspa?forumID=1353
That being said are you talking about Portable Home Directories? If so PHDs should be created on the server first and on the client second. If you have a client account you want to sync to the OD you need to delete the client account - *but leave it in place* - create a server account and then use the local account which will then sync to the server. The steps for this are a little more complicated than that but not much.
Good Luck,
=Tod -
Lion Server Setup (Network Login/Mobile Account and more...)
Hardware:
Mac mini Intel Core i7, 2 GHz, 8 GB memory (Server) x 1
iMac 21.5" 2.8GHz Intel Core i7, 12 GB memory (Workstation) x 6
Operating System:
Mac OS X Server Lion 10.7.4 (11E53)
Mac OS X Lion 10.7.4 (11E53)
Relevant Software:
Server.app Version 10.7.4 (1.4.3)
Workgroup Manager Version 10.7 (400.3)
Server Admin Version 10.7 (355)
So my head's swimming with "I dunno's" and I've been perusing probably all the wrong threads trying not to sound like a noob and find the literature that will finally lead me to a solution. This is my first rodeo so make no assumptions about my experience (maybe).
Short Version
I can't login network users. I get an error "You are unable to log in to the user account "<%short_name%>" at this time. Logging in using >console tells me this No home directory: <path to home directory> i.e. /Network/Servers/department.domain.com/Department/Accounts/bbunny
If anyone can point me where to read, I will do so.
Perhaps a longer discussion on how to verify that the proper permissions exist on the share/home directory in question and what those would be.
More detail...
I want to setup a Mac Mini server to have network login accounts stored on the 2nd data volume in a directory we shall call Accounts*. Here all the "network users/logins" have their home directories, so that when they login at the workstation the idea is the workstation will sync their account and allow them to login, if the server is not available, the hope is I can configure it to allow them to login if they've logged in before and the files will sync when they are able. That being the ideal, I get the impression that for best practices, Apple is discouraging the use of mobile accounts that use Home Sync perhaps because it's reliability has been iffy, please advise. A windows user might think of this as "roaming profiles" but, if I understand it, its a little more than that.
Note, I do not want to login to the server and actively work on that network share, I want the account to be local and sync'd as needed. But I want the user to be able to sit at any of the 6 other workstations and see the same documents, emails etc. Obviously if the server is down, it won't be possible to authenticate, but I think it should have cached credentials that should allow the user to login if the server is down and still go about their work.
This is the small picture...there is a larger picture that involves, parallel virtual machines of Windows Server 2008 R2 on server and and Windows 7 on the client, ical, ichat and perhaps wiki's.
I apologize for the roughness of this question, in the interest of brevity, I have plenty of problems that led me here that I can expound upon if asked.
Also a silly question someone might know the answer too, Why does the login payload settings that I have pushed to a workstation device, sometimes vanish inconsistently upon logout?Ok, Some Good news and clearer understanding to disseminate in this post I hope it helps
"the Universe" so I am posting it here in my "ever-the-noob" blog on apple forums.
Problem
What do you do when you get an error when logging into a mobile account setup?
One symptom would be the error message below...
"You are unable to log in to the user account "<%short_name%>" at this time.
Logging in using >console You get the message…
"No home directory: <path to home directory>"
or
"You are unable to log in to the user account "<%short_name%>" at this time.
Logging in using >console tells me this No home directory: <path to home directory>
Solution
Do the check list…
Short Version
Sever Admin.app > Access (Key Component)
Check Permissions on directories for your file shares.
(The reason stuff doesn't work especially when you're rebuilding/recovering a server)
File sharing setup (Turned ON, Home sharing Enabled)
Directory Utility > Directory Editor or dscl
( Do not underestimate the importance of this part!!!!
Use white-gloves when you're handling it though!!! )
Workgroup Manager
(You're poopy "main" interface that really is a "window", not a "door", but maybe Apple likes to do things "Dukes of Hazard" style?)
Long Version
Check Sever Admin.app > Access
Make sure that your user has the "Proper" access. For me I created a test user from Server.app and saw what access he had as a way to "check myself for a properly created users" and because I think one is kind of on his/her own using WGM and duplicated the same access. (I was a little neater, though and did it with a group, not individual users, that would have been a mess!)
Server Admin.app > Access
Click the "+" sign, sort by UID and Add the imported users to the following Services…
( You can use a group, but understand when Server.app creates users they get added
individually to each of these groups. )
Address Book
AFP
iCal
iChat
Mail
Profile Manager
SMB
VPN
Check Permissions on directories for your file shares.
(That's an understatement) I could go in depth about all the crap I had to read about, I still
know I am missing a chunk of tech brain when it comes to the particulars. Basically, I boil
it down to this…
Permissions require thinking about things first with regards to POSIX permissions... good
ole ls, chmod, chgrp, chown to the rescue with ugo permissions or the old 755, 600 etc
stuff.
Apple's file-sharing access uses this as a starting point to see what the user is allowed to
access.
I also needed to use chflags once to unhide a file that I mucked around with using xattr.
I still haven't figured out why folders can lose their triangles, but I didn't find out if you cp or
move them from terminal, the triangles come back in the moved or copied directory. For a
minute I thought it was because cp alone doesn't preserve flag attributes, but mv actually
works by doing a cp that preserves the flags, unless it's a bug. I dunno.
This helped me get my file visible again...
chflags hidden path_to_file
chflags nohidden path_to_file
Read up on those manuals, if you're not a terminal type go to apples website
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/
or download...
http://www.bruji.com/bwana/ I thought that was cool.
or if you prefer to read the manual in pdf try…
man -t sharing | pstopdf -i -o ./Desktop/Sharing\ Manual.pdf
man -t chown | pstopdf -i -o ./Desktop/CHOWN\ Manual.pdf
man -t chmod | pstopdf -i -o ./Desktop/CHMOD\ Manual.pdf
man -t chgrp | pstopdf -i -o ./Desktop/CHGRP\ Manual.pdf
My basic guideline was avoid using ACLs if at all possible, if you try to use them, things
can get crazy complicated, take notes and plan, baby. If you read above, opening up
permissions wide is wrong though. You would restrict permissions tightly to begin with and
then place ACE (Access Control Entries) to specifically target the rights you want to enable.
Here's one that's obviously a novice attempt to do this, but since the novice is the only one
speaking…. here it is, Universe… >:P
sudo chmod -R +ai "admin allow read,write,delete,file_inherit,directory_inherit,search,list" Department/
That allowed my admin to do all the things a normal user could do so far… It fixed things for
my admin, which made me happy. I really hate having to authenticate or sudo just to see
the contents of a nested directory. I could explain it, and even give a few notes on why its
probably overkill, but I will attempt to look less stupid till "poked".
There's another command line utility I STILL haven't read, which may bear mentioning
because…well I haven't read it. umask (see wikipedia or unix.com)…I worked past my
problems without going into it so far, but obviously it's there, and it serves a purpose.
I also found this article helpful…and educational. :O
http://www.bresink.de/osx/300321023/Docs-en/pgs/ACL.html
( Its enlightening to hear the air whistling between a developer/coder's ears, still it's
apparent he has a clear idea what's going on.
Ever wonder why when you use get info to check or assign permissions it kind of
flakes out and doesn't take? Read this article! )
Second, if you can't obtain the "specific" permissions you need with POSIX, chmod also
can set the 2nd category of permissions, which windows users may be familiar with
Access Control Lists (ACLs) and here you get some really fine granularity...messy stuff.
All in all, if I felt I could guide you through these murky waters, I would, but I think I'll let
the professionals weigh in on that one and cut my wall-of-text to ribbons.
To heuristically check I would connect from a client as one or two of my users and see what
folders I could mount as a share, armored with an understanding of what ls -le@O * showed
me in Terminal.
3.) File sharing setup (Turned ON, Home sharing Enabled)
Here is an example of using command line sharing utility where each share is properly
labeled (that took a bit for me to figure out) still this share only enables the AFP share as
you can see from my flags.
sudo sharing -a /Volumes/Hard\ Drive/Department/Database -A Database-afp -F Database-ftp -S Database-smb -n Database -s 100 -g 000 -i 10
Then you do a sudo sharing -l and get back what you just did…
List of Share Points
name: Database
path: /Volumes/Hard Drive/Department/Database
afp: {
name: Database-afp
shared: 1
guest access: 0
inherit perms: 1
ftp: {
name: Database-ftp
shared: 0
guest access: 0
smb: {
name: Database-smb
shared: 0
guest access: 0
If you mess up the sharing command, you may not be paying attention (I wasn't) but there
are a lot of defaults that Apple will just assume you meant to do anyway and it won't read
any of your flags, you have to get it right or the flags will be defaulted.
( Basically I could tell I was bombing it for one, I explicitly only wanted afp working, but
the default was afp and smb. So each time I ran sudo sharing -l after I shot my sharing
command…back would come smb shared: 1 and I knew that wasn't right. Also my
custom names were defaulting to the name of the directory not the name I had
specified. )
I like to know what protocol my share is over so when it doesn't work, I know which protocol's
are connecting. It's not full-proof, but it's a bookmark. I wish the network browser would
identify the protocol that its available listed shares are using, because small visual queues
like that help when you're trying to see what works. Maybe that's something I should
investigate via the command line?
As a note about reading forums, I discovered using command line that "\" is kind of like a
way of going to next line neatly with long commands…."\ " is a way to insert a space. As you
can see above where I have a volume with a space in it.
Removing shares was a little trickier though, sharing -r Share\ With-space didn't work….I
had to enclose it in quotes and do "Share With-space" instead. So nooby beware!
( *nix users are now rolling their eyes at this tip. )
I wasn't sure how you enabled a share for home directories from the command line, maybe its
in the manual, but I was up to my eyeballs in manuals already so I haven't gone back to
revisit this question since my work around was to go to Server.app and verify that what I set
up in the sharing in terminal was being reflected in the gui…sort of my own MVC
(model-view-controller) check.
4.) Directory Utility > Directory Editor or dscl
Make sure what you see in WGM and Server.app are reflected here….to that question let's
take a journey where I did some exploring about that.
Ever really wonder "WHY CAN"T I REMOVE AN OLD HOME DIRECTORY SHARE?!!!"
Ah, then you will - LOVE - this tip…
( Provided my testing or yours, later, doesn't prove that in my ignorance I've broken
Open Directory. Remember, WHITEGLOVES!!!! but here we get a little dirty. I think of
OD as Apple's Registry, but that's not what it is at all. However, you as the user do have
to "****" around in it from time to time. )
I scoured the forums and everyone was saying things like "You have to change your server
role" etc. which seemed a little bit dumb to me (dumb because you're pushing views around
not "controlling"), and well, yea, that share that I couldn't modify or delete was REALLY
bugging me.
Now hmm… Before you do ANYTHING, how do you try to not hurt yourself…in Windows you
can make a Registry Backup….(yea bad analogy) In Server Admin.app you can go to your Open
Directory Service > Archive and Choose a place to Archive your information. (Figure this out by
yourself, this is getting long…sheesh! It's easy. Restoring is just as easy and painless.)
Before we can remove the entry we "SEE" in WGM we should make sure no
one has it selected so as not to "corrupt" the OD db, so in WGM first before going to Directory
Utility set the Home directory to "None". (We need to remember to set this to a correct share
later….Mental Note!!!)
Now Open Directory Utility
Method 1
System Preferences > Users & Groups > Login Options
Click the Lock to make changes…
Authenticate -> click "OK" (do I REALLY have to step-by-step this?)
Network Account Sever: • Local Server - click "Edit" button here.
Open Directory Utility > Directory Editor
( Wow, did Apple hire someone from Microsoft? You'ld think with all their research in to
Human Interface Design that's WAY too many clicks to get to something you need. )
or
Method 2 (It's good to know about this directory, neat-o speed-o app's hidden here.)
Use "Go to Folder" Under Finder > Go > Go to Folder...
⇧⌘G /System/Library/CoreServices/
Click "OK"
and Double click Directory Utility.app
or
Method 3
Terminal
open /System/Library/CoreServices/Directory\ Utility.app/
Now From the Directory Editor Pane you will see a Pop-up menu Labeled "Viewing"
You should glance through this and get to know it. You should use it to see what
information is really being stored about your Users, Groups, Mounts…
We are interested in Mounts, which is where we want to go…and there is the pesky
mount that you will see reflected in WGM.
Authenticate, and delete the bugger.
Quit WGM and restart it. Voila, bad share is GONE!!!!!
a.) First select all my users
b.) Then I clicked on the "+" and added the correct share
( Remember, I only showed you the first one we created, this is another and
for THIS one you HAVE to go into Server.app and verify that it is set to be
available for Home Directories in this case for AFP. )
For the home directory entry you do this...
afp://computer.domain.com/Accounts-afp
%short_name%
/Network/Servers/computer.domain.com/Volumes/Hard\ Drive/Department/Accounts/%short_name%
%short_name% is a wild card for the short name there are other wild cards check out Apple's
Documentation on them. I lost the link sorry \<shrug\>
Interesting dscl commands…(check it out in command line form and compare side by side with
what you see in the GUI Directory Utility)
dscl . list /users
dscl . list /groups
If you want to output information about each user, though, use readall:
dscl . readall /users
dscl . readall /groups
And if you need to programatically parse said information, use -plist to make your life easier:
dscl -plist . readall /users
dscl -plist . readall /groups
This made a little more direct sense to me, language wise…but fyi "." is kind of a wild card I think so the first
commands I think look in ALL directories local, Search, LDAP whatever you have. The command here
corresponds to the Entry from the Pop-up menu "…in node > Blah…" see GUI of Directory Utility to confirm.
dscl /LDAPv3/127.0.0.1 -list /Users
dscl /Local/Default -list /Users
5.) Workgroup Manager
Remember this is a utility that is not long for this world. Apple's Mountain Lion is rumored to fully
replace it, why? Yea, Apple's making a go at MDM (Mobile Device Management) and somehow
desktop computers are being pulled/dragged along for the ride. I have plenty of issues with
Profile Manager, but I'll likely revisit it in a couple of months and see where we stand.
Anyway, treat this baby like the bottom rung, because, well it is built like you start your
foundation here, but it's just a viewer with controlling "tweaks". Use the other areas to get a solid
grasp of what is actually going on. Server.app is where you should create accounts you can
feel are safe. When you create accounts in WGM, you are responsible for making sure they
have the appropriate EVERYTHING.
This list is by no means complete, but these are the areas this noob is or was prepared to talk about.
Good night for now. Enjoy climbing my wall of text, and yea sorry about that. :O Run for you lives!!!!
- Signed Shadowwraith -
10.4.6 and Active Directory Problem - Volume cannot be found??
I have bound six 10.4.6 to active directory. All went sweet with no problems. I have "force local home folder" off in Directory Access for AD. I can login to the Mac no problem using any user account from AD. If I login with a user the first time all goes well. The desktop icons show and the home directory is that of the users network home folder and can browse it. All good until I log out and login again. I get the desktop icons but the users home directory give the error "The Volume for %username% Cannot be found" when trying to access. I can browse the network to the user home folder without having to authenticate. The server (2003) shows no login errors, all looks fine. I have upgraded one Mac to 10.4.7 but made no differnce.
I have installed "services for Mac and Appletalk" on the server but from what I have been told this shouldn't need to be installed but I did as I was getting no where anyway.
Any ideas?
PowerPC Mac OS X (10.4.6)Hi Chris!
Before I comment, I want to define a couple of things. A "Mac home folder" stores a user's files (Documents, Library, etc.). This home folder can be stored locally on the workstation or it can be stored on a server. A "Windows home folder" is defined in a user's Active Directory account and can be used as the Mac home folder or simply as a network user folder for storage.
While the idea of a network-based Mac home folder is nice, it can be clunky simply because the entire user experience is dependent on network speed and/or good file synchronization between your server and workstation. As someone who works in a group supporting about 300 Macs, I suggest enabling local home folders and not using a network-based Mac home folder.
Next, File Services for Macintosh (AFP protocol) built into Windows Server will not support network-based Mac home folders. This is a dead end. You can install a third party product from Group Logic called ExtremeZ-IP, which does support network-based home folders over AFP.
Therefore, what's happening in your network is that the network-based Mac home folders are being mounted via the SMB protocol, which uses Windows style file sharing. SMB in Mac OS X is good for limited use but I wouldn't recommend it for extensive use, which would include network-based Mac home folders.
Here's what I suggest for your AD settings: 1.) Enable local home folders. 2.) Connect via SMB. This will keep your users' Mac home folders local to the machine but if their Windows network home folder is properly defined in their AD account settings then these should automatically mount on the Desktop via SMB at login.
If you can get your Windows home folders to mount automtically on the users' Desktops then you can experiment with synchronization. After logging in, each user can visit Apple menu --> System Preferences... --> Accounts and the synchronization options will be available. A user can synchronize all or part of his local Mac home folder to his mounted Windows home folder.
Hope this helps! bill
1 GHz Powerbook G4 Mac OS X (10.4.7) -
Active Directory login soooo slow with 10.4.11 client upgrades
Hi All,
I have a problem and hopefully someone will be able to help me.
We have around 30 Macs in and a golden triangle set up with Mac OS X Server 10.3 on Xserves and a Windows Server 2003 as the PDC and primary DNS server.
Basically, after upgrading the clients to 10.4.11 the log in process takes an extra 90 seconds to connect. The login window will appear but you are not able to log in until after 90 seconds. During the 90 seconds there are "Some Network Accounts Available" but this is just the Open Directory accounts in the background.
I have tested with 10.4.4 up to 10.4.10 and this problem does not appear but once I upgrade to 10.4.11 then the problem comes back so I don't believe it is a server orientated problem.
I also attempted using the old Active Directory plug-in within Directory Access from 10.4.8 and 10.4.10 in place of the one installed with 10.4.11 and this did not help with the matter.
Does anyone know what has changed with 10.4.11 and what I could possibly do to resolve this problem?
I probably haven't covered all the bases so let me know if you need more information.
DehsinotsaAnswered at http://discussions.apple.com/message.jspa?messageID=13129261
-
Applre Remote Desktop and Active Directory
Hi
How does one remote desktop into a Mac that in bound to Microsofts Active Directory ?
It will not accept any username/password if bound, but if unbound it connects first go.
Suggestions ?Have you looked into extending the Active Directory schema to support Mac OS X? Given the problems I'm having with AD Mobile Accounts, I don't even want to think about modifying the AD schema yet; and I doubt I'd get approval in the best of circumstances. But it may be useful for what you're trying to do.
See "Best Practices: Integrating Mac OS X with Active Directory" (April 2007) at
http://images.apple.com/itpro/pdf/ADBest_Practices2.0.pdf
{quote}Extend the AD schema to handle management.
By adding 38 attributes and 10 classes to the AD schema, your AD system can support all Mac OS X management policies. Just use the normal Mac OS X management tools and target the AD domain.{quote}
Message was edited by: Robert Racansky
Message was edited by: Robert Racansky -
NAC, OOB wireless and Active directory
Hello.
Here we need to set up Network Access with OOB wireless and authentication via Active Directory. I have followed this guide but still can't get it work.
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
In my scenario:
CAM NAC: 192.168.7.100
CAS NAC: 192.168.9.9
WLC 5508: 192.169.9.2
AD and DHCP servers: 192.168.7.2 and 192.168.8.2
APs and clients range: 192.168.9.0/23
when i Check "Radius Server Overwrite interface" and select NAT state: SNMP NAC on the following images....
I try to navegate and I get the Login default page that I already configured asking me for credentials, I type them but it get stucks there. I have already configured everything showed on the guide posted above. Do I need to do something else that is not explicitly explained in the guide?
Thanks in advance.Sarayanan
I just tried without "Radius Server Overwrite interface" checked and got the same results. WLAN is mapped with interface managment
AP group is the default one.
Here are the CAM logs
On the NPS windows server 2008 cant see any log about this connection. Please give me some advices.
Thanks in advance.
Maybe you are looking for
-
I am about to buy my first Apple Mac, an iMac 24 inch, a possible future problem I can for see is that here we get daily power cuts lasting between 5 minuest to 5 hours , I am planning on Buying a an UPS (uninterruptible power supply ) which I hope s
-
Slideshow music from itunes into iDVD. PLEASE HELP!!!
I am new to itunes and idvd, however I have had my mac since November. I am making a slideshow for a bachelorette party and wedding, and really want to be able to customize the music that plays through the slideshow. I have spent about 4 hours trying
-
Hiya folks. Just a quick request to have some way of noting code on a page. Arial Narrow default font for long lines, and background CSS colouring would be neat in a [code] tag. I tried but she didn't show up. Cheers n' Beers
-
this happened when i signed on today. what does it mean and is it safe to do so? thank you!!
-
Quality of iPad 2 glass?
I fell asleep whilst reading kindle on my iPad 2, and woke to find my iPad had fallen off the bed and had cracked from one corner of the screen spreading through the screen. I have had it for less than 2 months and I am extremely disappointed in the