Active Directory user passwords on mobile account with File Vault

Similar Messages

• HELPDeleted user account with file vault on to free disk space, to no avail

  My saga is a long one. Quick telling: I am the administrator on my eMac, and was locked out of my desktop last spring when the disk became overly full. File vault was turned on, and I was told by my computer repair folks that since the desktop was encrypted, it could not be accessed. A sad situation, since I had not backed up the disk, and had years of family photos that were lost, not to mention iTunes, Quicken, and more.
  Since then I bought a back-up disk, and saved a copy of that desktop, just in case.
  My computer is overly full again, and today I decided to delete my old user account in order to free space. Of the 160G in this computer, 80% was associated with that user (that is, me). I deleted account via the System Preferences window and its Accounts window.
  I emptied the trash, and 'got info' on my hard drive, only to see that nothing had disappeared, memory-wise! I am still nearly full--only having 2G available, rather than the 130 or more that I had hoped to free up.m I restarted too.
  I went to Apple Support to find that one should turn off File Vault before deleting a user account. Unfortunately, this is impossible for me, since I can not/could not access the user account to turn it off.
  SO here is my question: is there a way to delete the files of a user account that had file vault turned on, but that is inaccessible? There is no deleted user file in my User folder, by the way.
  I am not suer what to do. Any help is appreciated.

  Thanks for your insights.
  The Tech Tool report happened after AppleJack, and never showed up before that. Restarting again just now, it showed up again.
  I had not emptied the trash, but did now, and the 'get info' on my hard drive still shows that I have used nearly all of my 160 GB.
  Re Disk Warrior: I do have it and just ran it. I emptied trash again and checked to see available disk space: I have 2.47 GB, so the problem still exists.
  Here is the disk warrior report for the first part of its tests:
  DiskWarrior has successfully built a new optimized directory for the disk named "Hildegarde." The new directory is
  ready to replace the original directory.
  There is not enough contiguous free space for a fail-safe replacement of the directory. It is highly recommended that
  you create 204 MB of contiguous free space before replacing the original directory.
  All file and folder data was easily located.
  Comparison of the original and replacement directories indicates that there will be changes to the number, the
  contents and/or the attributes of the files and folders. It is recommended that you preview the replacement
  directory and examine the items listed below. All files and folders were compared and a total of 14,627,488
  comparison tests were performed.
  • Errors, if any, in the directory structure such as tree depth, header node, map nodes, node size, node counts, node
  links, indexes and more have been repaired.
  • 1 folder had a directory entry with an incorrect custom icon flag that was repaired.
  Disk Information:
  Files: 552,652
  Folders: 131,014
  Free Space: 2.47 GB
  Format: Mac OS Extended
  Block Size: 4 K
  Disk Sectors: 321,410,736
  Media: HDT722516DLAT80
  Time: 11/28/08 6:54:19 PM
  DiskWarrior Version: 4.1

• How do you setup a user mobile account, with the home directory stored locally and not synced to the server?

  I want to be able to setup a user mobile account, with the home directory stored locally and not synced to the server.  What is the best way to do this? I am running Server 10.6 with 10.6 clients.  Open Directory will be used to authenticate and manage preferences.   Also, this one account will be used simultaneosly in a computer lab setting, so files will be stored locally in the client, hence the need to NOT sync to the server.  Any Ideas? 

  currofelix wrote:
  So what does WGM Look like in the Home Tab? afp://servername.domainname/Users? or afp://Users?
  The attached screen shots should help you:
  You will only have to do this step once. Obviously you want to use the user's shortname here.
  Then, you will see this as an option in WGM:

• Creating active directory users with dscl

  Our mac workstations (OSX 10.8) are bound to a 2008 Active Directory server.  We are attempting to use some existing dscl scripts on the mac client computer to create Active directory users.  We can successfully read and change AD attributes of an existing user with dscl, but creating new users or new attributes for an existing user gives us an error.  Here are some examples.
  SUCCESSFUL READ OF AD USER ATTRIBUTE:
  root# dscl -u administrator  "/Active Directory/CXAD/All Domains" -read /Users/jholmes SMBHomeDrive
  Password:
  SMBHomeDrive: H:
  root#
  SUCCESSFUL DELETE OF ABOVE USER ATTRIBUTE
  root# dscl -u administrator  "/Active Directory/CXAD/All Domains" -delete /Users/jholmes SMBHomeDrive
  Password:
  root#
  FAILED ATTEMPT AT RE-CREATING THE DELETED ATTRIBUTE
  root# dscl -u administrator "/Active Directory/CXAD/All Domains" -create /Users/jholmes SMBHomeDrive
  Password:
  <main> attribute status: eDSInvalidRecordType
  <dscl_cmd> DS Error: -14130 (eDSInvalidRecordType)
  root#
  The same error occurs when attempting to create a new user.  Any ideas?  Thanks in advance for any suggestions.

  In the end I could not find them; account info is ONLY stored locally in Open Directory when they have mobile accounts.
  However, I found I could migrate their user directories in Terminal via ditto ( I connected the old macs via Firewire Target mode) , and when they log in all their stuff and settings are there.
  the command is: ditto /Volumes/<old mac hard drive>/Users/<username> /Users/<username>

• Unable to login @ login window with Active Directory User

  I successfully bound my test machine to Active Directory and can search using dscl and id. I can also su to my active directory user account an authenticate perfectly. All search bases are correct and everything else looks fine.
  When I attempt to login from the login window as an AD user, the window shakes. Clicking under Mac OS X shows that "Network Accounts Available". Looks like the CLI tool "dirt" is now gone as well, although insecure it would possibly show something here.
  Anyone else having issues after binding to AD? I bound using the Directory Utility gui... I have not tried using my leopard bind script yet.
  Thanks,
  Ken

  I have pretty well the same problem. The machine was already bound to AD prior to upgrade. After could not login on with my account (jball). Can log on with other accounts from the same domain (we only have one AD domain). Can also su to jball in a terminal session. Can't access network resources with jball when I try to connect to a windows server through the finder, instantly comes up with bad username or password, doesn't even think about it.
  I have removed any copies of the home folder under either /Users or /Domain as I have had problems with that before. Have repaired permissions and unbind and bind the machine to AD. Have been at this all day now and no closer. Get these error messages in console:
  31/08/09 4:49:27 PM SecurityAgent[666] Could not get the user record for 'jball@domainname' from Directory Services
  31/08/09 4:49:27 PM SecurityAgent[666] User info context values set for jball@domainname
  31/08/09 4:49:27 PM SecurityAgent[666] unknown-user (jball@domainname) login attempt PASSED for auditing

• Issue with Active Directory User Target Recon

  Hi ,
  I am facing an issue with Active Directory User Target Recon
  My environment is OIM 11g R2 with BP03 patch applied
  AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied
  In my Target there are around 28000 users out of which 14000 have AD account (includes Provisioned,Revoked,Disabled accounts)
  When i am running Active Directory User Target Recon i am not putting any filter cleared the batch start and batch size parameters and ran the recon job .Job ran successfully but it stopped after processing around 3000 users only.
  Retried the job two three times but every time it is stopping after processing some users but not processing all the users.
  Checked the log file oimdiagnostic logs and Connector server logs cannot see any errors in it.
  Checked the user profile of users processed can see AD account provisioned for users
  My query is why this job is not processing allthe users.Please point if i am missing some thing .
  thanks in advance

  Check the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
  -Bikash

• Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

  Dear all,
  I am looking to setup the use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature. We SSO to the backened ABAP AS via an SAP NW Portal to which SPNEgo kerberos authentication is setup. Today we specify R3 user id/password to digitally approvae a lot release. The idea is to have users maintain one AD password and don't have to remember the R/3 password anymore and also our Security team to avoid password maintenance.
  I know there are 3 options for digital signature and
  System signature with authorization by user ID and password (We use this currently)
  Digital User signature with verification - (We would like to use this with AD userid/password, so the system still ask the users their AD userid/password for the authentication when they try to "sign" a document.)
  User signature without verification
  Do you think there is a way to configure the system in order to ask and check the active directory userid/password instead of SAP R/3 password? Where can I found documentation about it ?
  I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
  My active directory is based on Windows 2008.
  Thanks in advance!!
  Dhee

  Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.

• Adobe Form that Creates Active Directory User Account

  Hello all!  Hopefully someone can help me with this.  I am using Adobe LiveCycle Designer ES 8.2 to create a user account request form.  I have the form created and now am working on a submit button that will email the form to the approving officials.  Once its emailed to the approving officials I would like to have a button available in which the approval person can select resulting in the creation of an Active Directory user account.  I need the fields in the form to populate cooresponding fields inside of Active Directory.  Current AD structure is on Server 2003.  Are there any ideas for how to accomplish this?

  I don't know. However, you might get a better or faster answer in the LiveCycle forum that deals with Designer.

• Cannot log into DTR with Active Directory User

  Greetings,
  I have set up and installed JDI correctly.  I can log into /devinf, the cbs, cms and sld systems with no problem using both Administrator and my JDI.Administrator that I assigned to an Active Directory user.  I can log into the DTR using a user from the database (i.e. Administrator), however, when trying to access the DTR with an Active Directory user, I get the following message:
  500   Internal Server Error
    SAP J2EE Engine/6.40 
    Application error occurred during the request procession.
    Details:   Error [javax.servlet.ServletException: Group found, but unique name "businessUnit.all.guests" is not unique!], with root cause [com.tssap.dtr.server.deltav.InternalServerException: Group found, but unique name "businessUnit.all.guests" is not unique!].  The ID of this error is
  Exception id: [0012798F81680042000000090000165C0003FE9AA3C0B86B].
  This group exists in multiple domainshowever, this has not caused us any issues to date with our portal and other pieces of SAP WASit's only this DTR error. 
  Any help is greatly appreciated.
  Thanks,
  Marty

  Hi Marty,
  In the document available at the link enclosed below, there is a part that explains how to configure DTR so that it always uses "Unique-IDs".
  http://help.sap.com/saphelp_nw04/helpdata/en/20/f4a94076b63713e10000000a155106/frameset.htm
  It is mentioned that this is valid for LDAP, but the information is applicable for Active Directory as well.
  Regards,
  Manohar

• Exporting Active directory users to excel with conditions

  I'm trying to export AD users with selected fields out to a spreadsheet, with the condition that the employeeid field is greater than 99999.    I found a VBScript elsewhere on this site that does everything i need, even filtering on the employeeid
  field except that when it export to the spreadsheet the employeeid field comes back as if it's blank.  But i know it's not as it will do the filtering correctly.  Below is the script i've been using.   As i said it will correctly list all users
  with employeeid greated than 5 digits but it just won't export the actual employeeid field
  Dim ObjWb 
  Dim ObjExcel 
  Dim x, zz 
  Set objRoot = GetObject("LDAP://RootDSE") 
  strDNC = objRoot.Get("DefaultNamingContext") 
  Set objDomain = GetObject("LDAP://" & strDNC) ' Bind to the top of the Domain using LDAP using ROotDSE 
  Call ExcelSetup("Sheet1") ' Sub to make Excel Document 
  x = 1 
  Call enummembers(objDomain) 
  Sub enumMembers(objDomain) 
  On Error Resume Next 
  Dim Secondary(20) ' Variable to store the Array of 2ndary email alias's 
  For Each objMember In objDomain ' go through the collection 
  if ObjMember.EmployeeID > 199999 Then  'if employee id greater than 199999 then add to spreadsheet (meaning physician)
  x = x +1 ' counter used to increment the cells in Excel 
  ' I set AD properties to variables so if needed you could do Null checks or add if/then's to this code 
  ' this was done so the script could be modified easier. 
  SamAccountName = ObjMember.samAccountName 
  FirstName = objMember.GivenName 
  LastName = objMember.sn 
  EmployeeID = ojbMember.employeeID
  EmailAddr = objMember.mail 
  Addr1 = objMember.streetAddress 
  Title = ObjMember.Title 
  Department = objMember.Department
  ' Write the values to Excel, using the X counter to increment the rows. 
  objwb.Cells(x, 1).Value = EmployeeID
  objwb.Cells(x, 2).Value = SamAccountName 
  objwb.Cells(x, 3).Value = FirstName 
  objwb.Cells(x, 4).Value = LastName 
  objwb.Cells(x, 5).Value = EmailAddr
  objwb.Cells(x, 6).Value = Addr1 
  objwb.Cells(x, 7).Value = Title 
  objwb.Cells(x, 8).Value = Department 
  ' Write out the Array for the 2ndary email addresses. 
  For ll = 1 To 20 
  objwb.Cells(x,26+ll).Value = Secondary(ll) 
  Next 
  ' Blank out Variables in case the next object doesn't have a value for the property 
  EmployeeID = "-"
  SamAccountName = "-" 
  FirstName = "-" 
  LastName = "-" 
  EmailAddr = "-" 
  Addr1 = "-" 
  Title = "-" 
  Department = "-" 
  For ll = 1 To 20 
  Secondary(ll) = "" 
  Next 
  End If 
  ' If the AD enumeration runs into an OU object, call the Sub again to itinerate 
  If objMember.Class = "organizationalUnit" or OBjMember.Class = "container" Then 
  enumMembers (objMember) 
  End If 
  Next 
  End Sub 
  Sub ExcelSetup(shtName) ' This sub creates an Excel worksheet and adds Column heads to the 1st row 
  Set objExcel = CreateObject("Excel.Application") 
  Set objwb = objExcel.Workbooks.Add 
  Set objwb = objExcel.ActiveWorkbook.Worksheets(shtName) 
  Objwb.Name = "Active Directory Users" ' name the sheet 
  objwb.Activate 
  objExcel.Visible = True 
  objwb.Cells(1, 1).Value = "EmployeeID"
  objwb.Cells(1, 2).Value = "SAMAccountName"
  objwb.Cells(1, 3).Value = "FirstName" 
  objwb.Cells(1, 4).Value = "LastName"  
  objwb.Cells(1, 5).Value = "Email" 
  objwb.Cells(1, 6).Value = "Addr1" 
  objwb.Cells(1, 7).Value = "Title" 
  objwb.Cells(1, 8).Value = "Department" 
  End Sub 
  MsgBox "User dump has completed.", 64, "AD Dump" ' show that script is complete

  Here is a test version
  Set xl = CreateObject("Excel.Application")
  xl.Visible = True
  Set wb = xl.Workbooks.Add()
  Set sheet = wb.Worksheets("sheet1")
  sheet.Name = "Active Directory Users"
  i = 1
  With sheet
  .Cells(i, 1).Value = "EmployeeID"
  .Cells(i, 2).Value = "SAMAccountName"
  .Cells(i, 3).Value = "FirstName"
  .Cells(i, 4).Value = "LastName"
  .Cells(i, 5).Value = "Email"
  .Cells(i, 6).Value = "Addr1"
  .Cells(i, 7).Value = "Title"
  .Cells(i, 8).Value = "Department"
  End With
  Set users = GetADUsers()
  While Not users.EOF
  i = i + 1
  With sheet
  .Cells(i, 1).Value = users("employeeID")
  .Cells(i, 2).Value = users("samAccountName")
  .Cells(i, 3).Value = users("GivenName")
  .Cells(i, 4).Value = users("sn")
  .Cells(i, 5).Value = users("mail")
  .Cells(i, 6).Value = users("streetAddress")
  .Cells(i, 7).Value = users("Title")
  .Cells(i, 8).Value = users("Department")
  End With
  users.MoveNext
  Wend
  Function GetADUsers()
  Set rootDSE = GetObject("LDAP://RootDSE")
  base = "<LDAP://" & rootDSE.Get("defaultNamingContext") & ">"
  filt = "(&(objectClass=user)(objectCategory=Person))"
  attr = "employeeid,SAMAccountName,mail,GivenName,sn,streetAddress,Title,Department"
  scope = "subtree"
  Set conn = CreateObject("ADODB.Connection")
  conn.Provider = "ADsDSOObject"
  conn.Open "Active Directory Provider"
  Set cmd = CreateObject("ADODB.Command")
  Set cmd.ActiveConnection = conn
  cmd.CommandText = base & ";" & filt & ";" & attr & ";" & scope
  Set GetADUsers = cmd.Execute()
  End Function
  ¯\_(ツ)_/¯

• What do I need to do to enable Active Directory users to authenticate to AFP shares in 10.8 server?

  We recently upgraded from 10.6 server to 10.8 server and are having trouble with AFP shares and Active Directory.  We have shares on each of our OS X servers that should be mountable by any Active Directory user at the site the server resides.  In 10.6, this worked beautifully.  Simply adding the appropriate AD groups with appropriate permissions to the ACL of the folder(s) being shared worked without a hitch.  In 10.8 server, this is not working.  Permissions are defined correctly (as far as I can tell), the server is bound to AD, but yet no AD user who should have access can mount the share.  When attempting to mount the share on a 10.6 client, the user gets the short and simple "You entered an invalid username or password.  Please try again."  On a 10.7 client, the window shakes. 
  What confuses me even more is that no local users can mount the share as well.  I try as our admin account, I receive the following error message on our 10.6 clients:
  Actually, as I was forumulating this post, logging in as the server administrator account is now working...???!!!
  This was the error message we were receiving on 10.7 clients before it magically started working:
  In any case, authenticating as an AD user is still no go.  Any ideas?

  I had something similar to this. In the name field put in DOMAIN\username rather than just the name.

• How to import your MS Active Directory users in an Oracle table

  Hello,
  I first tried to get a Heterogenous Connection to my MS Active Directory to get information on my Active Directory users.
  This doesn't work so I used an alternative solution:
  How to import your MS Active Directory users in an Oracle table
  - a Visual Basic script for export from Active Directory
  - a table in my database
  - a SQL*Loader Control-file
  - a command-file to start the SQL*Loader
  Now I can schedule the vsb-script and the command-file to get my information in an Oracle table. This works fine for me.
  Just to share my scripts:
  I made a Visual Basic script to make an export from my Active Directory to a CSV-file.
  'Export_ActiveDir_users.vbs                              26-10-2006
  'Script to export info from MS Active Directory to a CSV-file
  '     Accountname, employeeid, Name, Function, Department etc.
  '       Richard de Boer - Wetterskip Fryslan, the Nethterlands
  '     samaccountname          Logon Name / Account     
  '     employeeid          Employee ID
  '     name               name     
  '     displayname          Display Name / Full Name     
  '     sn               Last Name     
  '     description          Description / Function
  '     department          Department / Organisation     
  '     physicaldeliveryofficename Office Location     Wetterskip Fryslan
  '     streetaddress          Street Address          Harlingerstraatweg 113
  '     l               City / Location          Leeuwarden
  '     mail               E-mail adress     
  '     wwwhomepage          Web Page Address
  '     distinguishedName     Full unique name with cn, ou's, dc's
  'Global variables
      Dim oContainer
      Dim OutPutFile
      Dim FileSystem
  'Initialize global variables
      Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
      Set OutPutFile = FileSystem.CreateTextFile("ActiveDir_users.csv", True)
      Set oContainer=GetObject("LDAP://OU=WFgebruikers,DC=Wetterskip,DC=Fryslan,DC=Local")
  'Enumerate Container
      EnumerateUsers oContainer
  'Clean up
      OutPutFile.Close
      Set FileSystem = Nothing
      Set oContainer = Nothing
      WScript.Echo "Finished"
      WScript.Quit(0)
  Sub EnumerateUsers(oCont)
      Dim oUser
      For Each oUser In oCont
          Select Case LCase(oUser.Class)
                 Case "user"
                      If Not IsEmpty(oUser.distinguishedName) Then
                          OutPutFile.WriteLine _
                 oUser.samaccountname      & ";" & _
                 oUser.employeeid     & ";" & _
                 oUser.Get ("name")      & ";" & _
                 oUser.displayname      & ";" & _
                 oUser.sn           & ";" & _
                 oUser.description      & ";" & _
                 oUser.department      & ";" & _
                 oUser.physicaldeliveryofficename & ";" & _
                 oUser.streetaddress      & ";" & _
                 oUser.l           & ";" & _
                 oUser.mail           & ";" & _
                 oUser.wwwhomepage      & ";" & _
                 oUser.distinguishedName     & ";"
                      End If
                 Case "organizationalunit", "container"
                      EnumerateUsers oUser
          End Select
      Next
  End SubThis give's output like this:
  rdeboer;2988;Richard de Boer;Richard de Boer;de Boer;Database Administrator;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Richard de Boer,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;
  tbronkhorst;201;Tjitske Bronkhorst;Tjitske Bronkhorst;Bronkhorst;Configuratiebeheerder;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Tjitske Bronkhorst,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;I made a table in my Oracle database:
  CREATE TABLE     PG4WF.ACTD_USERS     
       samaccountname          VARCHAR2(64)
  ,     employeeid          VARCHAR2(16)
  ,     name               VARCHAR2(64)
  ,     displayname          VARCHAR2(64)
  ,     sn               VARCHAR2(64)
  ,     description          VARCHAR2(100)
  ,     department          VARCHAR2(64)
  ,     physicaldeliveryofficename     VARCHAR2(64)
  ,     streetaddress          VARCHAR2(128)
  ,     l               VARCHAR2(64)
  ,     mail               VARCHAR2(100)
  ,     wwwhomepage          VARCHAR2(128)
  ,     distinguishedName     VARCHAR2(256)
  )I made SQL*Loader Control-file:
  LOAD DATA
  INFILE           'ActiveDir_users.csv'
  BADFILE      'ActiveDir_users.bad'
  DISCARDFILE      'ActiveDir_users.dsc'
  TRUNCATE
  INTO TABLE PG4WF.ACTD_USERS
  FIELDS TERMINATED BY ';'
  (     samaccountname
  ,     employeeid
  ,     name
  ,     displayname
  ,     sn
  ,     description
  ,     department
  ,     physicaldeliveryofficename
  ,     streetaddress
  ,     l
  ,     mail
  ,     wwwhomepage
  ,     distinguishedName
  )I made a cmd-file to start SQL*Loader
  : Import the Active Directory users in Oracle by SQL*Loader
  D:\Oracle\ora92\bin\sqlldr userid=pg4wf/<password>@<database> control=sqlldr_ActiveDir_users.ctl log=sqlldr_ActiveDir_users.logI used this for a good list of active directory fields:
  http://www.kouti.com/tables/userattributes.htm
  Greetings,
  Richard de Boer

  I have a table with about 50,000 records in my Oracle database and there is a date column which shows the date that each record get inserted to the table, for example 04-Aug-13.
  Is there any way that I can find out what time each record has been inserted?
  For example: 04-Aug-13 4:20:00 PM. (For my existing records not future ones)
  First you need to clarify what you mean by 'the date that each record get inserted'.  A row is not permanent and visible to other sessions until it has been COMMITTED and that commit may happen seconds, minutes, hours or even days AFTER a user actually creates the row and puts a date in your 'date column'.
  Second - your date column, and ALL date columns, includes a time component. So just query your date column for the time.
  The only way that time value will be incorrect is if you did something silly like TRUNC(myDate) when you inserted the value. That would use a time component of 00:00:00 and destroy the actual time.

• SMB access for Active Directory users

  Hi there,
  My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
  When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  I've read something vague about having to Kerberize the SMB service seperately so I'm not sure if that's the problem.
  My smb.conf file is as follows:
  ; Configuration file for the Samba software suite.
  ; ============================================================================
  ; For the format of this file and comprehensive descriptions of all the
  ; configuration option, please refer to the man page for smb.conf(5).
  ; The following configuration should suit most systems for basic usage and
  ; initial testing. It gives all clients access to their home directories and
  ; allows access to all printers specified in /etc/printcap.
  ; BEGIN required configuration
  ; Parameters inside the required configuration block should not be altered.
  ; They may be changed at any time by upgrades or other automated processes.
  ; Site-specific customizations will only be preserved if they are done
  ; outside this block. If you choose to make customizations, it is your
  ; own responsibility to verify that they work correctly with the supported
  ; configuration tools.
  [global]
  debug pid = yes
  log level = 1
  server string = Mac OS X
  printcap name = cups
  printing = cups
  encrypt passwords = yes
  use spnego = yes
  passdb backend = odsam
  idmap domains = default
  idmap config default: default = yes
  idmap config default: backend = odsam
  idmap alloc backend = odsam
  idmap negative cache time = 5
  map to guest = Bad User
  guest account = nobody
  unix charset = UTF-8-MAC
  display charset = UTF-8-MAC
  dos charset = 437
  vfs objects = darwinacl,darwin_streams
  ; Don't become a master browser unless absolutely necessary.
  os level = 2
  domain master = no
  ; For performance reasons, set the transmit buffer size
  ; to the maximum and enable sendfile support.
  max xmit = 131072
  use sendfile = yes
  ; The darwin_streams module gives us named streams support.
  stream support = yes
  ea support = yes
  ; Enable locking coherency with AFP.
  darwin_streams:brlm = yes
  ; Core files are invariably disabled system-wide, but attempting to
  ; dump core will trigger a crash report, so we still want to try.
  enable core files = yes
  ; Configure usershares for use by the synchronize-shares tool.
  usershare max shares = 1000
  usershare path = /var/samba/shares
  usershare owner only = no
  usershare allow guests = yes
  usershare allow full config = yes
  ; Filter inaccessible shares from the browse list.
  com.apple:filter shares by access = yes
  ; Check in with PAM to enforce SACL access policy.
  obey pam restrictions = yes
  ; Don't be trying to enforce ACLs in userspace.
  acl check permissions = no
  ; Make sure that we resolve unqualified names as NetBIOS before DNS.
  name resolve order = lmhosts wins bcast host
  ; Pull in system-wide preference settings. These are managed by
  ; synchronize-preferences tool.
  include = /var/db/smb.conf
  [printers]
  comment = All Printers
  path = /tmp
  printable = yes
  guest ok = no
  create mode = 0700
  writeable = no
  browseable = no
  ; Site-specific parameters can be added below this comment.
  ; END required configuration.
  Any help would be much appreciated!!
  Thanks.

  I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
  [2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
  setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
  When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
  Not feeling the Mac OS X love tonight.
  Bill
  System is bound to active directory - green light in Directory Utility

• Best practice converting local laptop accounts to Mobile Accounts with PHD

  Hi,
  what is the best practice to convert local laptop users (with different UIDs than their network account) to mobile accounts? Especially when the local dir should not be synced in whole (just Documents, Library). Client and server are 10.5, network accounts are on NFS.
  I tried creating the mobile account with a minimal network directory (Library etc. ) and then move the original folders into place, but this didn't work out (the sync info was overwritte somewhere ..)
  Christian

  I think your best bet is to copy the home folder off the laptop to the user share on the server. Then with WGM create the same user and the apply all permissions of the network user to the copied folder.
  Once you have that create your settings for the PHD and then go to the laptop. There you will setup the laptop and bind it to the directory, have that user login (might want to do this on a lan, not airport) and then it will move all the data across to that laptop, and since the network user (same as the local) owns that folder everything should work. If the password is the same then OS X should fix the login and keychain password, so saved forms or email password would show up.
  I did this same thing for 20 OS 10.4 client laptops. Took me a while to get all of this in place but will spare you the running around...
  hope that helps

• Window Active Directory users cannot see home drive when logon to Macs

  This problem just occurred, so that tells me either 10.4.9 has done it or a security update to Windows 2003 Server.
  Looking for any tech saavy network guru to help.
  Windows 2003 Server houses active directory. Users in the past were able to log on to a Macintosh computer and their home drive would appear on the desktop.
  Now 'all of a sudden' any user that logs onto a Macintosh computer with an AD account does not see their home drive on the desktop.
  Has anyone else had this problem? Any suggestions on how to resolve it? I haven't unbound the Mac from AD yet will try that tomorrow.
  JTS

  Fixed this...a corrupted keychain item that contained the users prior used network password was the culprit.
  Once I delted the corrupted keychain, active directory users can log on a Mac and see their home directory on the desktop.
  JTS