10.6.7 mobile accounts automagically become admins

Hi everyone,
Not sure if this should go in the Mac OS X technologies community or not...
We have a pretty large deployment of Macs at my company. 10.5.8, 10.6.4, 10.6.5, and 10.6.7. All are bound to our 2003 AD via the built-in plugin. They are bound during imaging with Casper v8.1. I've found that with the 10.6.7 image that we are rolling out now, standard mobile accounts are logging in as admin accounts when bound directly to a custom OU in AD (i.e.: OU=Macintosh,OU=Computers,OU=Cleveland, etc). However when bound to the generic Computers CN, these accounts do not log in as admins, and the computer record can then be moved to the custom OU without consequence. However yesterday we did have one computer (10.6.7) bound to the generic Computers OU, logged in as a standard mobile account, restarted, logged in again as the same mobile account, but this time it was an administrative account. Unbind and rebind seemed to fix it, but this worries me.
The issue is also coming in when the pre-10.6.7 macs are upgraded to OS 10.6.7 (i.e.: 10.6.4 -> 10.6.7 via software update). Sometimes the existing mobile account is promoted to an admin. Unbinding and rebinding (to the generic Computers OU) puts the accounts back to standard.
My question is has anyone experienced this before with 10.6.7 and how did you resolve it? We have 600 macs here that I can't have our techs running around and binding/unbinding computers, especially since we don't know if that's a permanent fix. It's worth noting that this was not a concern last year when we deployed new macs with OS 10.6.4, only deploying 10.6.7 and upgrading pre-10.6.4 computers to 10.6.4. (I'm assuming the upgrade to 10.6.7 will have this problem as well, though I'm not that far in testing).
TIA! Please let me know if you need to see log files. I'm at a loss as to where to even begin to look.
Andrew

There are 3 groups in AD that are allowed to administer the macs: domain admins, enterprise admins, and ma support. None of these users are in those groups, and yes, all AD users, unless otherwise specified, are standard users. The "otherwise specified" part would mean they are a part of one of the aforementioned AD groups, myself for example. I am a member of the Mac Support group so I am an admin on any mac bound to the AD.
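One check a Mac admin could push to the fleet for the situation Andrew describes, as an added example that is not part of the original thread: read the local admin group with dscl and flag any member outside an allowlist, noting whether the offender is a cached AD mobile account. The allowlist, the user name "jsmith" and the sample dscl output are constructed; the assumption that only mobile accounts carry the OriginalNodeName attribute is noted in the code.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the local "admin" group on a
# Mac bound to Active Directory so an unexpectedly promoted mobile account is
# caught by inventory rather than noticed by a user.

# Accounts that are allowed to be admins on every Mac (constructed allowlist;
# adjust to the local admin account(s) your image creates).
ALLOWED_ADMINS="root localadmin"

# Print each name in a dscl GroupMembership line that is not in the allowlist.
#   $1 = raw output of: dscl . -read /Groups/admin GroupMembership
#   $2 = space-separated allowlist
unexpected_admins() {
  members=$(printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p')
  for m in $members; do
    allowed=0
    for a in $2; do
      if [ "$m" = "$a" ]; then allowed=1; break; fi
    done
    [ "$allowed" -eq 0 ] && printf '%s\n' "$m"
  done
  return 0
}

# Classify a user record as a cached AD mobile account or a plain local account.
#   $1 = raw output of: dscl . -read /Users/<name> OriginalNodeName
# Assumption: only mobile (cached directory) accounts carry OriginalNodeName,
# which names the directory node they were cached from.
account_kind() {
  case "$1" in
    *OriginalNodeName:*) echo "mobile" ;;
    *) echo "local" ;;
  esac
}

# Run the audit against live dscl output when dscl exists (macOS); otherwise
# against the constructed sample passed in, so the logic can be exercised anywhere.
audit_admins() {
  if command -v dscl >/dev/null 2>&1; then
    group_line=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
  else
    group_line="$1"
  fi
  unexpected_admins "$group_line" "$ALLOWED_ADMINS" | while read -r name; do
    if command -v dscl >/dev/null 2>&1; then
      kind=$(account_kind "$(dscl . -read "/Users/$name" OriginalNodeName 2>/dev/null)")
    else
      kind="unknown"
    fi
    printf 'UNEXPECTED ADMIN: %s (%s account)\n' "$name" "$kind"
  done
}

# Constructed sample standing in for dscl output on a Mac where the mobile
# account "jsmith" (hypothetical) has been promoted to admin:
SAMPLE_GROUP_LINE="GroupMembership: root localadmin jsmith"

audit_admins "$SAMPLE_GROUP_LINE"
```

Nested AD groups granted admin rights through "Allow administration by" appear under the admin group's NestedGroups attribute rather than GroupMembership, so a full audit would read and compare that attribute the same way.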

Similar Messages

  • Make mobile account with admin permissions without administrator INFO...

    How do you bypass the admin permissions with a mobile account? How do you make a mobile account unlock things? How do you get to the secret and rare System Administrator login screen, where it says System Administrator up on the top, where nothing would be there? How do you force your computer to go to single user mode, not Command-S or Apple-S, because that doesn't work for me? How do you enable the iSight camera without an admin password and no Terminal? Is there an extension for Mac so that it will run and unlock things or open programs without administrator permissions? I need something that will UNLOCK MY MacBook, please help. Where can I download Password Reset.app for free that comes on the Mac OS X Leopard disc? Thanks for the help...

    Why don't you just use your OS X install disc? It has a password reset utility on it.

  • How do I change a mobile account to a local account without server admin?

    Our company split into two separate companies. We moved and the server stayed. All of our machines were on the server and had portable home directories. We no longer connect to a server. And the server we were connected to is no more. So we can't access it at all. Reinstall is not an option.
    I want to know if it's possible to change a mobile account back to a local account. Login takes FOREVER!! Is there any way to fix this?
    Whenever I log into my administrator account on the machine, login is very quick.
    Are there some preferences I can delete or change? I went into Directory Access on my machine and unchecked the LDAPv3 and all of the other check boxes just to make sure, but it didn't have any effect.
    I also tried deleting the "Mirrors" folder, but when I log back in, it's there again.

    No one knows anything? I just thought it would be some preference file that I need to find and either change or delete.
    If anyone knows anything, please reply. The login issue is so frustrating.

  • Mobile account with FileVault

    We have a Leopard Xserve 10.5.8 and a client running Snow Leopard 10.6.2. I have just instituted via WGM the policy to create a mobile account on login and to protect the home folder with FileVault. The error I am getting is "Unable to Create mobile account" "Your FileVault home can't be created because a folder with the same name already exists". What am I doing wrong? Is this not possible? Do I need to do it in phases?

    Is the user name already in use locally? If so use a different user name on the server and then login and move documents from old local account to an external drive and then re-login to new account on server and copy documents over to new server account. You might have to run the chown command on the contents of the copied over documents: sudo chown -R user /networkuser/copiedfolder and then enter the local admin password. -R is for recursive so it will do it to all files within that folder.
    Now a situation that I just ran into was I already had the network account which was a mobile account, but I wanted to promote it to have the File Vault added to it. Well I enabled it within WGM, but it did not apply the settings on the computer that I was logging into. So I logged into the admin account on the computer and deleted the network user in the system preferences users pane. Then logged out and re-logged back in as the new OD File Vault encrypted account it asked me to create local account and I did and it resynced all my files from the server back to the local computer. I am running 10.6.3 OD Server and 10.5.8 clients. Hope this helps.

  • Mobile Account Error Setting Up Leopard Client, createmobileaccount error.

    Hi all. I posted this discussion under Portable Home Directories, but that is unfortunately a subcategory of Mac OS X Server v10.4 Tiger and this is strictly a Leopard issue, so I'm reposting here.
    Just following up on an earlier thread regarding mobile home accounts. Thought I'd post a new entry as the other one has been "answered".
    I've just recently upgraded a slew of clients and a server to Leopard and have been trying to enable mobile accounts on existing network home accounts. When I set this as a Preference using Workgroup Manager, nothing happens on the clients. When I try to create a mobile account directly on the client while logged in as the network user, I get a standard error (The mobile account could not be created.) every time after it asks to log out and enter the user password in order to create the mobile account.
    So, I followed the steps in this thread: http://discussions.apple.com/thread.jspa?threadID=1234051&tstart=0
    For the account "leedale" logged in using a network home directory, entered the Terminal command as follows:
    /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -vsn leedale -h /Users/leedale
    createmobileaccount built Oct 2 2007 22:44:49
    verbose output on.
    user name = "leedale"
    home path = "/Users/leedale"
    user password = "(null)"
    prompt for password = FALSE
    encrypt new home = FALSE
    create as external account = TRUE
    home sync new account = TRUE
    sync URL = "(null)"
    MCXCCacheMCXRecordAndGraph(): existingMCXRecord record setValues:forAttribute:dsAttrTypeNative:cachedauthpolicy == -14120 (Unable to set value(s) for dsAttrTypeNative:cachedauthpolicy in record leedale.)
    MCXCCreateMobileAccount failed to create account. Error = -14120 (MCXCCacheMCXRecordAndGraph failed). Cleaning up mobile account record.
    2007-11-18 17:15:19.831 createmobileaccount551:10b ### Error:-14120 File:/SourceCache/Admin/Admin-423/DSRecord.m Line:484
    mobile account could not be created: -14120 (Unable to set value(s) for dsAttrTypeNative:cachedauthpolicy in record leedale.)
    Any suggestions?

    Hi,
    The namespace you are using for creating the client proxy might not be available for consumption (i.e. it might not be published), or there is no connectivity to the source system so the namespace is not available.
    Try checking connection.
    Hoping it helps..
    Regards,
    Komal
    Edited by: Komal Lakhwani on Feb 8, 2010 4:31 PM

  • Mobile account issues...

    Server and clients set up 2 years ago
    Clients are all Mobile accounts
    set up to forcibly create a local home directory in Users folder on each mac whenever one logs in for first time, syncing with network Homes folder on server. mobility is configured at computer group level
    As originally configured, I believe that login window displayed all personnel names as specified in Workgroup manager.
    1) Now it seems that on SOME macs, this behaviour continues , but on others, only those already having local accounts are displayed at login plus Other...Can't think why this has occurred.
    2) In addition to this, today I had to swap out a failing machine with one that was now spare but had been in use before.
    This mac mini had the limited usernames in login menu. Those in this list can log in and sync with network home. Variations then ensued...
    Randomly, two members of staff who used Other and entered usernames and passwords manually were recognised and logged in, but a LOCAL account was not created for them...they were running from the Homes folder on the server.
    3) In addition both myself and another colleague were completely locked out; we could enter credentials manually and our passwords were recognised ("password will expire in x days...") but then a message popped up "xxxx xxxxxxxx could not be logged in at this time. An error has occurred".
    4) Intermittently  I get messages from staff who have "hot desked" at a site they infrequently visit. they login and are presented with a desktop displaying files that they deleted some time ago. On logging out (syncing at this point), they return to base to find that this Old desktop has now become their current desktop and  followed them back home. It's the intermittent nature that frustrates, it affects some staff on some satellite sites
    Can anyone explain these behaviours, please? And advise on remedy?
    (can see that in a large organisation, one would not want to scroll through entire staff listing to find Username like Warren Zevon, so can one force clients to display EITHER entire list of 40 staff members [OR only those who have logged in at this desktop and thus created a local account to sync with Network Homes folder])

    Today I created a local account for myself, this allowed me to log in.
    Not savvy enough to understand how to bind to OD...got lost in the 'forest' window...
    On deleting this local account, I found that I could now login, but this was as a Network Managed account rather than Mobile managed... The Home Folder was the one residing on the server...
    How can I get mobile, managed account to be created on initial log in to the machine?
    I believe I have added this replacement to the Computer group that manages the << create mobile account when user logs into network account>> mobility setting but it just doesn't 'take'

  • Mobile Account Creation and old topic

    http://discussions.apple.com/thread.jspa?threadID=1786733&tstart=1 -- This was never successfully answered and has been archived and marked as so?
    The problem, it turns out, is that Leopard doesn't seemingly like the AD user's home folder location. I've verified this is still an issue today, on 10.5.7. I tried to create a mobile account for a user on a new laptop I got -- it would prompt me for the password three times, saying it's incorrect each time before the account creation is canceled.
    If in Server 03 AD tools you first switch that user's "Home Directory" to local (or a mac server), this issue will not persist. On the AD Binding/Directory utility un-check "Require Confirmation" before creating a mobile account.
    Then you should be able to log out and login as the user (may have to first delete the user's local directory if one has been created under "Users"), so long as the Home folder is set in AD to a location that is seemingly 'agreeable' with the mac os.
    Message was edited by: Oh4Sh0

    The usual approach with Open Directory is to either use Workgroup Manager to define a managed login preference for a computer group to define that those member computers should cause the use of mobile accounts on those computers, or to do the same thing via Profile Manager.
    Note: If you are using Mavericks you must use Profile Manager as it does not support this via Workgroup Manager managed preferences.
    This will not require users to need admin authorisation.

  • Mobile account creation has different result...

    Created managed preference group:
    - Finder: Show connected servers on Desktop
    - Mobility: Set to create Mobile account, synching off, HomeFolder on startup volume.
    - Login: Maps three SMB paths to Windows Server folders
    - Active Directory: UNC path set in user's Active Directory profile to Home Folder on Windows Server
    There are two different conditions that give different results:
    (1) User logs on to a particular Mac once (using AD network account), prior to applying managed preferences. User is not member of preference group. Mac creates full set of User Account folders in user's home. Then user's name is applied to preference group, and user logs on.
    (2) User's name applied to preference group, prior to logging on to a particular Mac. User logs in using AD network account.
    Results: With condition (1), User gets a full set of typical folders in local home folder, UNC network home folder is mapped to dock - the two Home folders (local and network) are kept separated, all works as anticipated.
    With condition (2), user does not consistently get full set of folders in local home folder, UNC network home folder is mapped to dock - and local "Library/Preferences" and "Downloads" is copied into network home. Occasionally, user's AD account gets locked out due to too many failures while attempting to access folders.
    I would greatly appreciate anyone who can lead me to understand this.
    Thank you...David

  • Mobile account setup stops syncing and acts like a network user

    Mobile account setup stops syncing and acts like a network user system under ODM
    Setup: Mobile laptop users authenticating against an ODM. Every user has a networked home directory on an Xserve. The whole setup is 10.4 (client and server). All systems run a standard image. Most affected systems have been re-imaged since the onset of the issue.
    Issue: Some of the users are not syncing properly every time. It is as if the system forgets it is a mobile system and reverts to using the user's network home (instead of saving to /Users and syncing). If the user is affected, the system will not even accept cached credentials if they are off network. This forgetfulness does not seem to follow any pattern and does not affect all of our mobile users.
    In mucking about trying to find a cause to this issue I ran across an oddity in all affected systems' NetInfo database. The users are each listed twice. Each entry has the same username, short name and UID. Also, in each case one record looks wrong... this varies somewhat from user to user, but in each case there is a marked difference in the record's contents. Deleting the incomplete record in NetInfo Manager seems to solve the issue (seems, as we are very early in testing this).
    Anyone have a clue as to where this double came from? The only lead so far is that it looks like the users having issues pre-date the use of mobile accounts. At some time they all had local accounts that authenticated against the ODM but never synced or had networked home directories. The pool of users who just got laptops (and thus never had a local account) seem unaffected so far.
    Also, what is the best way to browse the ODM master to find these duplicates?

    I have a similar issue with computers bound to Active Directory. Users occasionally have a problem logging into their computers even though their account is fine. Logging in as Admin and running netinfo manager always shows duplicate user accounts. Deleting the one that says disabled always clears up the issue. I'd like to find a startup script that would delete the disabled account, thus preventing the issue.

  • AD mobile account with local home directory

    I basically have the same question as this post:
    http://discussions.apple.com/message.jspa?messageID=696367
    I have set up Tiger workstations to authenticate to AD, and I am forcing a local home dir. Everything works great. I want to do the same thing for Tiger laptop users with mobile accounts. The problem is that OS X creates a second home directory outside of /Users based on attributes from my AD schema. Just like with the non-mobile users, I want to ignore all home dir attributes from AD and just use the user's home dir that is in /Users. So the question is, how can you use a mobile account and force a local home dir with Apple's AD plugin?

    Yes, I know how to click buttons in the gui, that does not fix the issue. The issue is that the Active Directory schema at my company includes extended attributes from the RFC 2307 schema. Apple's AD plugin does not know how to handle this extended schema especially when using mobile accounts.
    Apple's AD plugin reads these Unix attributes from AD and thinks it knows what to do, but ends up causing more problems than if there were no Unix attributes at all.
    Since this post, I have opened a ticket with Apple. They were able to recreate the problem in their lab with their AD server. The only work around is to create a custom ActiveDirectory.plist file that forces the Mac to ignore what AD is telling it.
    This solution works unless the ActiveDirectory.plist file is deleted or corrupted. This problem will only become worse once Microsoft includes all of the RFC 2307 schema in their next service pack of Win 2003 server.

  • Mobile account on laptop will no longer connect for one user

    I have a set of laptops with user accounts set up on them as mobile accounts.  This morning one user stuck in his username and password, and the login panel went away and the "purple stars" came up, but it hung there and didn't continue and log him in.  After about 5 minutes he got tired of waiting and hit the power button on the laptop.  When it rebooted, the usual login panel offering his name, the local administrator account and "other"  was missing his name -- just the admin account and "Other".  Then he came to find me...
    If I go to "Other..." and LDAP is a green light, and put in his username and password, it shakes its head like he doesn't exist. I've tried all of the usual tricks back on the Open Directory server -- turn his account off and back on, change the password, save, change it back, etc. I have compared the setup with several other users who work just fine, and I can't see anything different. I have even logged in with my account (which is not set up for mobility) and it takes the username and password and refuses after a certain point in the login. When I log in with other mobile accounts, it logs in and gets as far as offering to create a local directory (which I cancel out of). So it's just this one user's account.
    When I log in to the local admin account and run system prefs and go to accounts, his account is there and shown as type "mobile".  His directory is there, and an 'ls -l' on it shows that he owns it.  I've run the directory utility, and everything looks great -- and I can log on via ldap with the other accounts.  If I break ldap connectivity by turning off the airport and unplugging the ethernet cable, the light goes red and then the only option on the login panel is the local admin account, not the lodmin plus his account in local mode.
    Anybody know what's broken?  Evidently the mobile accounts don't like to be powered off in the middle of a login!  Anybody know if there is some lock file somewhere that I needs to be deleted?

    Hi @TSimo,
    Welcome to the HP Forums!
    I wasn't able to find much on a Photosmart 7420, did you perhaps mean Photosmart 7520?
    If that is correct, this may just be a case of needing to reconnect the printer to the wireless network again due to the upgraded router and extender
    To do this, please restore the network defaults on the printer (press the wrench on the printer's touch screen, select Wireless, then select Restore Network Defaults, should be the last option) and once that completes go back to the same Wireless menu on the printer and run the Wireless Setup Wizard on the printer. This will update the connection on the printer itself.
    After this completes you will need to remove the driver and re-add it on the computer. How this is done depends on the operating system, so if you're not sure how to remove the driver and re-add it, please let me know which operating system you use and I will get you some instructions
    Hope to hear from you soon!
    **MissTeriLynn**
    I work on behalf of HP

  • Erase mobile account home folders script

    does anyone know of a script that will erase all of the mobile account home folders on local machines while keeping the admin and other local account folders in place??

    Here is a script I've used to flush all Portable Home Directories (Run as "root" user) --> http://homepage.mac.com/applesd/downloads/flush-phds-script.zip

  • Active Directory user passwords on mobile account with File Vault

    Hi all,
    I enabled file vault when I moved to my MacBook Pro. I joined the computer to the domain (after enabling file vault), and logged in with my domain account, creating a managed, mobile account so that I could use the computer when not connected to the domain.
    Active Directory has forced a change in my password for the domain account but I cannot get the password on the Mac to change the password and sync with the domain.
    My account (the one with the changed network password) on the Mac is a standard user account. When I open system preferences, go to Security & Preferences, General, click on the lock to unlock and allow change and then click Change Password  ..., I receive the following error message after going through the steps to change the password:
    The password for the account "user" was not changed. There was a problem with your password. It's possible your system administrator doesn't allow you to change your password. Contact your system administrator for help.
    For Old Password, I used the old network password, the one that I use to log into the Mac. For New Password, I used my new, current password.
    The same result happens when I attempt to change the password from the Users & Groups section of the System Preferences.
    I have logged out and logged in with the user account that is identified as the admin and get a similar (same ?) error when attempting to change the password.
    Any suggestions? How do I get the passwords to be one so that I can forget the old password?

    Thanks for your insights.
    The Tech Tool report happened after AppleJack, and never showed up before that. Restarting again just now, it showed up again.
    I had not emptied the trash, but did now, and the 'get info' on my hard drive still shows that I have used nearly all of my 160 GB.
    Re Disk Warrior: I do have it and just ran it. I emptied trash again and checked to see available disk space: I have 2.47 GB, so the problem still exists.
    Here is the disk warrior report for the first part of its tests:
    DiskWarrior has successfully built a new optimized directory for the disk named "Hildegarde." The new directory is
    ready to replace the original directory.
    There is not enough contiguous free space for a fail-safe replacement of the directory. It is highly recommended that
    you create 204 MB of contiguous free space before replacing the original directory.
    All file and folder data was easily located.
    Comparison of the original and replacement directories indicates that there will be changes to the number, the
    contents and/or the attributes of the files and folders. It is recommended that you preview the replacement
    directory and examine the items listed below. All files and folders were compared and a total of 14,627,488
    comparison tests were performed.
    • Errors, if any, in the directory structure such as tree depth, header node, map nodes, node size, node counts, node
    links, indexes and more have been repaired.
    • 1 folder had a directory entry with an incorrect custom icon flag that was repaired.
    Disk Information:
    Files: 552,652
    Folders: 131,014
    Free Space: 2.47 GB
    Format: Mac OS Extended
    Block Size: 4 K
    Disk Sectors: 321,410,736
    Media: HDT722516DLAT80
    Time: 11/28/08 6:54:19 PM
    DiskWarrior Version: 4.1

  • Convert Open Directory mobile accounts to Active Directory mobile accounts

    We have 200 or so Macs using OD mobile accounts.
    Implementing Active Directory, getting rid of Open Directory.
    How do I change the mobile accounts from OD accounts to AD accounts so that they authenticate against the AD Domain Controller and thus change the computer login password when it's changed in AD?
    I can convert accounts this way:
    a. Delete the user's account in the Users preferences pane of System Preferences, but choose not to change the home directory.
    b. Log into the user's account by choosing the Other option, thus creating a mobile account.
    c. Log out, log into the admin account, delete the newly created home directory, rename the home directory from the deleted user's account to match the name of the deleted home directory and do a chown -R on the directory for that user.
    Obviously doing above 200x times is tedious and I'd like to avoid this if possible!
    Any other ideas?  Preferably a script I can deploy to all computers?

    I am also testing Leopard in my Active Directory domain and here is what I have found so far. The wireless networks in Leopard seem to be a combination of Panther and Tiger. Each 'Location' that you set has its own list of preferred networks. I have one location for when I am locally on the domain network and others for my bench network and all others under 'Automatic'. The one problem with what you are talking about is that if people change locations and forget to change it back before they log in, it will not find the network, however, adding the other networks all in one location is fine as long as the AD network is on top. You also have to wait about 20 - 30 seconds after you reach the login prompt before proceeding or it will log in without being connected and the AD resources will not be available. I am also finding that Panther knew when it was not on the AD network and did not give any errors, however Leopard squawks when I log in on a different network.
    Cheers,
    Rob

  • Lion Server Setup (Network Login/Mobile Account and more...)

    Hardware:
        Mac mini Intel Core i7, 2 GHz, 8 GB memory (Server) x 1
        iMac 21.5" 2.8GHz Intel Core i7, 12 GB memory (Workstation) x 6
    Operating System:
        Mac OS X Server Lion 10.7.4 (11E53)
        Mac OS X Lion 10.7.4 (11E53)
    Relevant Software:
        Server.app Version 10.7.4 (1.4.3)
        Workgroup Manager Version 10.7 (400.3)
        Server Admin Version 10.7 (355)
    So my head's swimming with "I dunno's" and I've been perusing probably all the wrong threads trying not to sound like a noob and find the literature that will finally lead me to a solution.  This is my first rodeo so make no assumptions about my experience (maybe).
    Short Version
    I can't login network users.  I get an error "You are unable to log in to the user account "<%short_name%>" at this time.  Logging in using >console tells me this No home directory: <path to home directory>    i.e. /Network/Servers/department.domain.com/Department/Accounts/bbunny
    If anyone can point me where to read, I will do so.
    Perhaps a longer discussion on how to verify that the proper permissions exist on the share/home directory in question and what those would be.
    More detail...
    I want to set up a Mac mini server to have network login accounts stored on the 2nd data volume in a directory we shall call Accounts*. Here all the "network users/logins" have their home directories, so that when they log in at the workstation the idea is the workstation will sync their account and allow them to log in; if the server is not available, the hope is I can configure it to allow them to log in if they've logged in before and the files will sync when they are able. That being the ideal, I get the impression that for best practices, Apple is discouraging the use of mobile accounts that use Home Sync perhaps because its reliability has been iffy, please advise. A Windows user might think of this as "roaming profiles" but, if I understand it, it's a little more than that.
    Note, I do not want to login to the server and actively work on that network share, I want the account to be local and sync'd as needed.  But I want the user to be able to sit at any of the 6 other workstations and see the same documents, emails etc.  Obviously if the server is down, it won't be possible to authenticate, but I think it should have cached credentials that should allow the user to login if the server is down and still go about their work.
    This is the small picture...there is a larger picture that involves Parallels virtual machines of Windows Server 2008 R2 on the server and Windows 7 on the client, iCal, iChat and perhaps wikis.
    I apologize for the roughness of this question, in the interest of brevity, I have plenty of problems that led me here that I can expound upon if asked.
    Also a silly question someone might know the answer to: why do the login payload settings that I have pushed to a workstation device sometimes vanish inconsistently upon logout?

    Ok, Some Good news and clearer understanding to disseminate in this post I hope it helps
    "the Universe" so I am posting it here in my "ever-the-noob" blog on apple forums.
    Problem
    What do you do when you get an error when logging into a mobile account setup?
    One symptom would be the error message below...
         "You are unable to log in to the user account "<%short_name%>" at this time.
    Logging in using >console  You get the message…
         "No home directory: <path to home directory>"
         or
         "You are unable to log in to the user account "<%short_name%>" at this time. 
         Logging in using >console tells me this No home directory: <path to home directory>
    Solution
    Do the check list…
    Short Version
    Server Admin.app > Access (Key Component)
    Check Permissions on directories for your file shares.
    (The reason stuff doesn't work especially when you're rebuilding/recovering a server)
    File sharing setup (Turned ON, Home sharing Enabled)
    Directory Utility > Directory Editor or dscl 
    ( Do not underestimate the importance of this part!!!!
    Use white-gloves when you're handling it though!!! )
    Workgroup Manager
    (You're poopy "main" interface that really is a "window", not a "door", but maybe Apple likes to do things "Dukes of Hazard" style?)
    Long Version
    1.) Check Server Admin.app > Access
    Make sure that your user has the "Proper" access. For me I created a test user from Server.app and saw what access he had as a way to "check myself for a properly created user", and because I think one is kind of on his/her own using WGM, I duplicated the same access. (I was a little neater, though, and did it with a group, not individual users; that would have been a mess!)
    Server Admin.app > Access
    Click the "+" sign, sort by UID and add the imported users to the following Services…
    ( You can use a group, but understand when Server.app creates users they get added
    individually to each of these groups. )
    Address Book
    AFP
    iCal
    iChat
    Mail
    Profile Manager
    SMB
    VPN
    2.) Check Permissions on directories for your file shares.
              (That's an understatement.) I could go in depth about all the crap I had to read about; I still
              know I am missing a chunk of tech brain when it comes to the particulars. Basically, I boil
              it down to this…
              Permissions require thinking about things first with regards to POSIX permissions... good
              ole ls, chmod, chgrp, chown to the rescue with ugo permissions or the old 755, 600 etc.
              stuff.
              Apple's file-sharing access uses this as a starting point to see what the user is allowed to
              access.
              I also needed to use chflags once to unhide a file that I mucked around with using xattr.
              I still haven't figured out why folders can lose their triangles, but I did find out that if you cp or
              move them from Terminal, the triangles come back in the moved or copied directory. For a
              minute I thought it was because cp alone doesn't preserve flag attributes, but mv actually
              works by doing a cp that preserves the flags, unless it's a bug. I dunno.
              This helped me get my file visible again...
              chflags hidden path_to_file
              chflags nohidden path_to_file
              Read up on those manuals; if you're not a terminal type, go to Apple's website
              http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/
              or download...
              http://www.bruji.com/bwana/ I thought that was cool.
              or if you prefer to read the manual in PDF, try…
              man -t sharing | pstopdf -i -o ./Desktop/Sharing\ Manual.pdf
              man -t chown | pstopdf -i -o ./Desktop/CHOWN\ Manual.pdf
              man -t chmod | pstopdf -i -o ./Desktop/CHMOD\ Manual.pdf
              man -t chgrp | pstopdf -i -o ./Desktop/CHGRP\ Manual.pdf
              My basic guideline was to avoid using ACLs if at all possible; if you try to use them, things
              can get crazy complicated, so take notes and plan, baby. If you read above, opening up
              permissions wide is wrong though. You would restrict permissions tightly to begin with and
              then place ACEs (Access Control Entries) to specifically target the rights you want to enable.
              Here's one that's obviously a novice attempt to do this, but since the novice is the only one
              speaking…. here it is, Universe… >:P
              sudo chmod -R +ai "admin allow read,write,delete,file_inherit,directory_inherit,search,list" Department/
              That allowed my admin to do all the things a normal user could do so far… It fixed things for
              my admin, which made me happy. I really hate having to authenticate or sudo just to see
              the contents of a nested directory. I could explain it, and even give a few notes on why it's
              probably overkill, but I will attempt to look less stupid till "poked".
              There's another command line utility I STILL haven't read, which may bear mentioning
              because… well, I haven't read it: umask (see Wikipedia or unix.com)… I worked past my
              problems without going into it so far, but obviously it's there, and it serves a purpose.
              I also found this article helpful… and educational. :O
              http://www.bresink.de/osx/300321023/Docs-en/pgs/ACL.html
              (          It's enlightening to hear the air whistling between a developer/coder's ears; still, it's
                        apparent he has a clear idea what's going on.
                        Ever wonder why when you use Get Info to check or assign permissions it kind of
                        flakes out and doesn't take? Read this article!          )
              Second, if you can't obtain the "specific" permissions you need with POSIX, chmod also
              can set the 2nd category of permissions, which Windows users may be familiar with:
              Access Control Lists (ACLs), and here you get some really fine granularity... messy stuff.
              All in all, if I felt I could guide you through these murky waters, I would, but I think I'll let
              the professionals weigh in on that one and cut my wall-of-text to ribbons.
              To heuristically check, I would connect from a client as one or two of my users and see what
              folders I could mount as a share, armored with an understanding of what ls -le@O * showed
              me in Terminal.
    3.) File sharing setup (Turned ON, Home sharing Enabled)
              Here is an example of using the command line sharing utility where each share is properly
              labeled (that took a bit for me to figure out); still, this share only enables the AFP share, as
              you can see from my flags.
              sudo sharing -a /Volumes/Hard\ Drive/Department/Database -A Database-afp -F Database-ftp -S Database-smb -n Database -s 100 -g 000 -i 10
              Then you do a sudo sharing -l and get back what you just did…
              List of Share Points
              name:            Database
              path:            /Volumes/Hard Drive/Department/Database
                  afp:         {
                      name:            Database-afp
                      shared:          1
                      guest access:    0
                      inherit perms:   1
                  }
                  ftp:         {
                      name:            Database-ftp
                      shared:          0
                      guest access:    0
                  }
                  smb:         {
                      name:            Database-smb
                      shared:          0
                      guest access:    0
                  }
              If you mess up the sharing command, you may not be paying attention (I wasn't), but there
              are a lot of defaults that Apple will just assume you meant to do anyway, and it won't read
              any of your flags; you have to get it right or the flags will be defaulted.
              (          Basically I could tell I was bombing it: for one, I explicitly only wanted afp working, but
                        the default was afp and smb. So each time I ran sudo sharing -l after I shot my sharing
                        command… back would come smb shared: 1 and I knew that wasn't right. Also my
                        custom names were defaulting to the name of the directory, not the name I had
                        specified.           )
              I like to know what protocol my share is over, so when it doesn't work I know which protocols
              are connecting. It's not foolproof, but it's a bookmark. I wish the network browser would
              identify the protocol that its available listed shares are using, because small visual cues
              like that help when you're trying to see what works. Maybe that's something I should
              investigate via the command line?
              As a note about reading forums, I discovered using the command line that "\" is kind of like a
              way of going to the next line neatly with long commands…. "\ " is a way to insert a space, as you
              can see above where I have a volume with a space in it.
              Removing shares was a little trickier though: sharing -r Share\ With-space didn't work…. I
              had to enclose it in quotes and do "Share With-space" instead. So nooby beware!
              (          *nix users are now rolling their eyes at this tip.          )
              I wasn't sure how you enabled a share for home directories from the command line; maybe it's
              in the manual, but I was up to my eyeballs in manuals already, so I haven't gone back to
              revisit this question since my workaround was to go to Server.app and verify that what I set
              up in the sharing in Terminal was being reflected in the GUI… sort of my own MVC
              (model-view-controller) check.
    4.) Directory Utility > Directory Editor or dscl
              Make sure what you see in WGM and Server.app is reflected here…. To that question, let's
              take a journey where I did some exploring about that.
              Ever really wonder "WHY CAN'T I REMOVE AN OLD HOME DIRECTORY SHARE?!!!"
              Ah, then you will  - LOVE -  this tip…
              (          Provided my testing or yours, later, doesn't prove that in my ignorance I've broken
                        Open Directory. Remember, WHITE GLOVES!!!! but here we get a little dirty. I think of
                        OD as Apple's Registry, but that's not what it is at all. However, you as the user do have
                        to "****" around in it from time to time.          )
              I scoured the forums and everyone was saying things like "You have to change your server
              role" etc., which seemed a little bit dumb to me (dumb because you're pushing views around,
              not "controlling"), and well, yea, that share that I couldn't modify or delete was REALLY
              bugging me.
              Now hmm… Before you do ANYTHING, how do you try to not hurt yourself… in Windows you
              can make a Registry backup…. (yea, bad analogy). In Server Admin.app you can go to your Open
              Directory Service > Archive and choose a place to archive your information. (Figure this out by
              yourself, this is getting long… sheesh! It's easy. Restoring is just as easy and painless.)
              Before we can remove the entry we "SEE" in WGM we should make sure no
              one has it selected, so as not to "corrupt" the OD db; so in WGM, first, before going to Directory
              Utility, set the Home directory to "None". (We need to remember to set this to a correct share
              later…. Mental Note!!!)
              Now Open Directory Utility
              Method 1
              System Preferences > Users & Groups > Login Options
              Click the Lock to make changes…
              Authenticate -> click "OK"          (do I REALLY have to step-by-step this?)
              Network Account Server: • Local Server - click "Edit" button here.
              Open Directory Utility > Directory Editor
              (          Wow, did Apple hire someone from Microsoft? You'd think with all their research into
                        Human Interface Design that's WAY too many clicks to get to something you need.          )
              or
              Method 2 (It's good to know about this directory; neat-o speed-o apps hidden here.)
              Use "Go to Folder" Under Finder > Go > Go to Folder...
      ⇧⌘G /System/Library/CoreServices/ 
              Click "OK"
              and Double click Directory Utility.app
              or
              Method 3
              Terminal
              open /System/Library/CoreServices/Directory\ Utility.app/
              Now from the Directory Editor pane you will see a pop-up menu labeled "Viewing".
              You should glance through this and get to know it. You should use it to see what
              information is really being stored about your Users, Groups, Mounts…
              We are interested in Mounts, which is where we want to go…and there is the pesky
              mount that you will see reflected in WGM.
              Authenticate, and delete the bugger.
              Quit WGM and restart it.  Voila, bad share is GONE!!!!!
              a.)          First select all my users
              b.)           Then I clicked on the "+" and added the correct share
                        (          Remember, I only showed you the first one we created; this is another, and
                                  for THIS one you HAVE to go into Server.app and verify that it is set to be
                                  available for Home Directories, in this case for AFP.          )
                        For the home directory entry you do this...
                        afp://computer.domain.com/Accounts-afp
                        %short_name%
                        /Network/Servers/computer.domain.com/Volumes/Hard\ Drive/Department/Accounts/%short_name%
                        %short_name% is a wildcard for the short name; there are other wildcards, check out Apple's
                        documentation on them. I lost the link, sorry <shrug>
              Interesting dscl commands…(check it out in command line form and compare side by side with
              what you see in the GUI Directory Utility)
              dscl . list /users
              dscl . list /groups
              If you want to output information about each user, though, use readall:
              dscl . readall /users
              dscl . readall /groups
              And if you need to programmatically parse said information, use -plist to make your life easier:
              dscl -plist . readall /users
              dscl -plist . readall /groups
              This made a little more direct sense to me, language-wise… but FYI "." is kind of a wildcard, I think, so the first
              commands I think look in ALL directories: local, Search, LDAP, whatever you have. The command here
              corresponds to the entry from the pop-up menu "…in node > Blah…"; see the GUI of Directory Utility to confirm.
              dscl /LDAPv3/127.0.0.1 -list /Users
              dscl /Local/Default -list /Users
    5.) Workgroup Manager
              Remember this is a utility that is not long for this world.  Apple's Mountain Lion is rumored to fully
              replace it, why? Yea, Apple's making a go at MDM (Mobile Device Management) and somehow
              desktop computers are being pulled/dragged along for the ride.  I have plenty of issues with
              Profile Manager, but I'll likely revisit it in a couple of months and see where we stand.
              Anyway, treat this baby like the bottom rung, because, well it is built like you start your
              foundation here, but it's just a viewer with controlling "tweaks".  Use the other areas to get a solid
              grasp of what is actually going on.  Server.app is where you should create accounts you can
              feel are safe.  When you create accounts in WGM, you are responsible for making sure they
              have the appropriate EVERYTHING.
    This list is by no means complete, but these are the areas this noob is or was prepared to talk about.
    Good night for now. Enjoy climbing my wall of text, and yea, sorry about that. :O Run for your lives!!!!
      - Signed Shadowwraith
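A check for the `sharing -l` fall-back problem described in the post above, as an added example that is not part of the original post: it parses the listing (a constructed sample mirroring the Database share, with the smb fall-back present) and reports protocols that ended up shared when they should not be, guest access, and protocol names that defaulted to the directory name. The parser and function names are my own.

```python
"""Sanity-check `sharing -l` output against the shares you meant to create.
Added example, not the post's code: a mistyped `sharing -a` silently falls back
to defaults (smb shared, names defaulting to the directory name), so this parses
the listing and reports those fall-backs plus any guest access."""
import os

PROTOCOLS = ("afp", "ftp", "smb")
# Constructed sample of `sudo sharing -l` output (tab-separated as the tool
# prints it), mirroring the post's Database share with the smb fall-back present.
SAMPLE_LISTING = """List of Share Points
name:\t\tDatabase
path:\t\t/Volumes/Hard Drive/Department/Database
\tafp:\t\t{
\t\tname:\t\tDatabase-afp
\t\tshared:\t\t1
\t\tguest access:\t\t0
\t\tinherit perms:\t\t1
\t}
\tsmb:\t\t{
\t\tname:\t\tDatabase
\t\tshared:\t\t1
\t\tguest access:\t\t0
\t}
"""


def parse_sharing_list(text):
    """Parse the listing into [{'name', 'path', 'afp': {...}, 'smb': {...}, ...}]."""
    shares, proto = [], None
    for raw in text.splitlines():
        key, sep, value = (s.strip() for s in raw.partition(":"))
        if not sep:                 # header line, blank line or closing brace
            proto = None
            continue
        if value == "{":            # a protocol block (afp/ftp/smb) opens
            proto, shares[-1][key] = key, {}
        elif proto:                 # key/value inside a protocol block
            shares[-1][proto][key] = value
        elif key == "name":         # a new share point starts
            shares.append({"name": value})
        else:                       # share-level key such as path
            shares[-1][key] = value
    return shares


def check_share(share, intended):
    """Return findings for one share; `intended` is the set of protocols meant to be on."""
    out, dirname = [], os.path.basename(share.get("path", ""))
    for proto in PROTOCOLS:
        block = share.get(proto, {})
        on = block.get("shared") == "1"
        if on != (proto in intended):
            out.append(f"{proto} shared={int(on)} but intended={int(proto in intended)}")
        if on and block.get("guest access") == "1":
            out.append(f"{proto} allows guest access")
        if on and block.get("name") == dirname:
            out.append(f"{proto} share name fell back to the directory name")
    return [f"{share['name']}: {msg}" for msg in out]
```

Run it against the real listing by feeding `subprocess.check_output(["sharing", "-l"], text=True)` to `parse_sharing_list` and calling `check_share` with the protocols you passed in `-s`.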
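For the `-plist` parsing idea in the dscl section above, an added example that is not from the original post: it reads the output of `dscl -plist . read /Groups/admin GroupMembership NestedGroups` (a constructed sample, with a placeholder nested-group GUID) and reports members that are not on an allow-list, which is one way to spot the kind of unexpected admin promotion the thread opened with. Admin rights that the AD plugin grants through its allowed admin groups are resolved by the plugin rather than written into this local group record, so review `dsconfigad -show` as well.

```python
"""Report unexpected members of the local admin group from dscl -plist output.
Added example, not the post's code. Assumes the output of
`dscl -plist . read /Groups/admin GroupMembership NestedGroups`; the sample
below is constructed and its nested-group GUID is a placeholder."""
import plistlib

# Constructed sample (placeholder GUID), shaped like real dscl -plist output.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>dsAttrTypeStandard:GroupMembership</key>
  <array>
    <string>root</string>
    <string>localadmin</string>
    <string>jsmith</string>
  </array>
  <key>dsAttrTypeStandard:NestedGroups</key>
  <array>
    <string>00000000-0000-0000-0000-PLACEHOLDER1</string>
  </array>
</dict>
</plist>
"""


def admin_members(plist_bytes):
    """Return (member short names, nested group GUIDs) from the admin group record."""
    record = plistlib.loads(plist_bytes)
    members = record.get("dsAttrTypeStandard:GroupMembership", [])
    nested = record.get("dsAttrTypeStandard:NestedGroups", [])
    return list(members), list(nested)


def unexpected_admins(plist_bytes, allowed_users, allowed_nested=()):
    """Members and nested groups that confer admin rights but are not allow-listed.

    Nested groups matter: a GUID listed here makes every member of that group an
    admin, so an unexpected GUID is as serious as an unexpected user name.
    """
    members, nested = admin_members(plist_bytes)
    return (sorted(set(members) - set(allowed_users)),
            sorted(set(nested) - set(allowed_nested)))
```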
