ASA WebVPN - Accessing Users Home Dir's

I have an ASA 5540 and an ACS 4.0. I am configuring an SSL based WebVPN for users in an active directory. I want to give the users access to their Windows Home Dir and have created a CIFS link in the URL list in the tunnel group policy for those users.
I want to give the users access to \\SERVER\Share\%username% as it is described in windows terms. How do I go about this in the ASA, as the above does not work at all? The ASA wants to use the / instead of \ in the CIFS shares. It works fine for normal shares and hidden share specified with $, but not using the %username% variable.
The documentation on SSL VPNS on both ASA and ACS 4.0 is terrible.
Best regards,
Neal Lewis

On ASA 8.x code:
CSCO_WEBVPN_USERNAME - WebVPN user login ID
CSCO_WEBVPN_PASSWORD - WebVPN user login password
CSCO_WEBVPN_INTERNAL_PASSWORD - WebVPN user Internal (or Domain) Password
CSCO_WEBVPN_CONNECTION_PROFILE - WebVPN user login group drop-down (tunnel-group alias)
CSCO_WEBVPN_MACRO1 - set via Radius-LDAP Vendor Specific Attribute (VSA)
CSCO_WEBVPN_MACRO2 - set via Radius-LDAP Vendor Specific Attribute (VSA)

Similar Messages

  • Accessing users home dir from W7 using net use

    Hi!
    Probably I'm doing something wrong. OES11SP1 on SLES11SP2. User home dir accessible using net use from Windows XP, but not from Windows 7. Already tried to change LmCompatibilityLevel in registry (to 1), but didn't help. I recall, some year ago I had same problem from W7 (64bit) and then I installed Novell Client, now I'm trying to w/o the client, should be possible?
    More thanks, Alar.

    On 10.10.2013 13:56, NovAlf wrote:
    >
    > Hi!
    > Probably I'm doing something wrong. OES11SP1 on SLES11SP2. User home dir
    > accessible using net use from Windows XP, but not from Windows 7.
    > Already tried to change LmCompatibilityLevel in registry (to 1), but
    > didn't help. I recall, some year ago I had same problem from W7 (64bit)
    > and then I installed Novell Client, now I'm trying to wo the client,
    > should be possible?
    > More thanks, Alar.
    If you can or can't access a share on OES11 without the Novell Client
    depends on if you have configured and enabled CIFS on the server.
    Note that "Net Use" is a universal command, and uses the Novell Client
    too *if* it is installed. Many people believe "Net Use" would somehow be
    Microsoft Network specific, but it isn't. It uses whatever network
    client is installed and able to access the resource.
    CU,
    Massimo Rosen
    Novell Knowledge Partner
    No emails please!
    http://www.cfc-it.de

  • Deleting pre-defined apple folders in a Users home dir

    Hello,
    I would like to know if it's possible to delete the following folders in my Users-home dir:
    * Downloads
    * Music
    * Movies
    * Pictures
    As far as I see 10.5 throws an error if you try to delete them via Finder. Haven't tried to delete them via Terminal as I would like to know if it would cause problems.
    Basically I guess those folders are "secured" as Apple applications like Safari, iTunes, iMovie etc. use them.
    Well I don't use those applications at all and it would be great to free my home folder a bit just to have a better overview.
    any help is appreciated
    fidel

    Hello fidel,
    You can remove those directories but I would do so cautiously. Some applications may expect to "see" them in your home folder. Each directory has an ACE (access control entry) which will prevent you from deleting the folder in the Finder. To delete them you must do so as the root user in the Terminal app by prefixing the rm command with sudo.

  • Apache2 & User Home dirs....

    OK, the setup. Multiple servers in one tree, broken down by containers.
    ABCD is the tree. Picture three containers below this: 123, 456, 789.
    Following info in TID 10090225, I've been able to set up the webserver
    (WWW) in 123 properly. WWW is serviced from its own server, while the LDAP
    search context is set to ABCD. Now, here's the odd part: using the syntax
    http://www.abc.com, I get web pages. Using http://www.abc.com/~mkovacs, I get
    what is in my public_html directory as expected. My home dir is in a 6.5
    server located in 456. Now, follow exactly the same steps for users in 789
    and we get a 404. The log shows:
    [DATE] [error][client 10.1.1.1] could not create path context. error: 115
    (obfuscated for safety)
    Now, I try this on any account whose home dir is in the server in CX=456,
    all is fine. I am very confused at this point; it's like it doesn't want to
    access anything outside the one server's home directory structure... Did I
    miss a step somewhere??
    MJK

    Michael Kovacs wrote:
    > OK, think I have part of it worked out. It looks like you need a
    > uniqueID in the Other tab of a users account. Accounts created before
    > 6.5 don't have this; I've tried to get mod_edir to use CN without
    > success... The key seems to be manually entering this attribute...
    > One doc mentioned setting up LDIF to import this attribute, but there
    > were no instructions on setting it up or making sure it worked for all
    > users.. Any tips?
    >
    > MJK
    >
    >
    I run it OK using the cn attribute.
    It seems to me to be two issues:
    If Apache is set up to use a particular user for browsing the
    LDAP (eDir) directory it must have the rights to the home directory and
    some other attributes in the LDAP directory
    The server hosting Apache needs read rights to the home
    directories of the remote servers.
    It has been a long time since I set these up, once I did it by editing
    httpd.conf, and later using the graphical web manager from https - port
    2200 - open source - manage single apache.
    You could look at the doco for mod_edir on forge.novell.com
    Warren

  • User home dir restriction...

    Dear Sir /Madam,
    I want to restrict a user on Unix within his home dir. He can go down to his home dir and work but should have access up to his home dir... or any other file system dir...
    Regds,
    Sharad

    Hi
    Change the permissions on the directory above the user's home directory (from the user's directory this would be referred to as ".") so that the "others" field is not readable. It would look something like this:
    /export/home/a_user rwxrwx---
    You may need to check which group the user has been assigned to and change the group permissions as well.

  • Setting up new user home dir -- what is *supposed* to happen?

    Folks:
    Could someone tell me what Workgroup Mgr is supposed to do when you tell it to set up new home dir?
    Right now it creates the dir, but sets the perms to drwxr-xr-x, owner root, and it's empty.
    This means the new user can't do anything with the dir, and I'm fairly certain Wkg Mgr is supposed to have put some files in there?
    Any clues appreciated,
    Graham

    I've been having some trouble with creating home directories on my server, and others are no doubt more expert in this field than I am, but what should be created are the Documents, Movies, Music, Pictures, Public, and Sites directories that you expect to see. If you create those (or whatever subset you want) and set the ownership of the directory to the correct user, Library and Desktop will be automatically created when they log in.
    In my case, for a while now "Create Home Now" hasn't been working and the home directory is not automatically created when the user logs in. If I set it up manually everything works out, but I'd like to know why this is happening. I can't figure out what's wrong with the share point if that's the problem.

  • As Admin I can't access users home folder - (usershare)

    How can I access user's home folders
    Setting up a new server and copied users home from SBS 2003 but having setup all the users I cannot access the users home folders as Admin at the Server console.
    Obviously I can login to a users PC and upload the files from the but...
    This is something I need to do frequently for users.
    *** Edit ***
    If I enable the disabled "Administrator" account - I am then able to access the folders!
    (I would like to keep Administrator account disabled)
    I added Admin to the Administrators group but that didn't work either!
    I suppose I can work around it by enabling the Administrator account but would much rather allow Admin to have the same rights.
    ChrisS

    Hi
    There is a GPO that controls the Redirected Folders.... the default in SBS is to restrict users' redirected folders exclusively. That means 'Administrators' can not access the files, only the specified users who own them.
    Ironically I also find this restricts viewing the files in these folders in the proper backup.
    To fix this you need to do a number of steps.
    1. First of all remove the tick from the GPO for Exclusive access to redirected folders. When this is done, for any new users you add, the Administrators (security group) will be able to access the folders and files.
    However this will not fix the ones made when the GPO exclusivity was enabled. To fix this there are methods on this forum about PowerShell access, and guides, all very complicated... but needed if you can't access your users' accounts. Like you I created 3 users before noticing this GPO issue.
    I found a way around it.
    User 1 is restricted.
    1. So go to a client computer and log on as User 1
    2. Navigate to \\server\redirected folders\User 1
    3. Select the Documents folder and right click, Properties, Security
    4. Add the Administrators (note the s, Administrators, not Administrator) and give Full Control
    5. Do the same to the Desktop folder
    You need to do this for each User that is restricted. Each User owns their Desktop and Documents folder and can therefore apply whatever security they like to it.
    The difference the GPO exclusive makes is whether or not Administrators are added to the security for those folders; you are just manually setting this up.
    You do not need to take ownership, do not need to run PowerShell. Admittedly if your users are remote users, and you are never at the clients with the server, then I agree maybe the Ownership and PowerShell route is the way to go, but odds are you will visit the client and be able to do this on site as the user is logged in. This is the quickest and easiest way.
    Tris

  • Network home dirs & Indesign cs3

    I am getting the following error when trying to use InDesign as a network user (home dirs on a Mac OS X Server)
    Adobe InDesign is missing required files. Please reinstall.
    /Library/Application Support/Adobe/TypeSupport/.../ROMAN.TXT
    Have reinstalled and made sure everything is up to date.
    I found a post on here which suggested that permissions were incorrect within the network home directory itself. Could the poster please post more details of what they had to do to get things working?
    It works fine as a local user.
    Thank you.

    Hi Stephen
    I had some progress with my problem. Make sure the user has a valid Caches folder in their Library folder in their home dir. Make sure that they have read/write access to the folder and if everything looks ok, trash it, log out, log in and try again.
    stu

  • NFS home dirs as individual qtree or folder?

    I'm setting up individual user home dirs to be automounted under Linux, so NFS (we're using cmode if it matters). I don't know whether to set up the home dirs as individual qtrees per person (ex: /home_vol/qtree_username), or a single home-dir qtree where everyone has a folder (ex: /vol1/home_qtree/username). I've seen this done both ways, and I don't really know if one's better than the other. I feel like the per-user qtree is more flexible, but a bigger pain to manage. Any thoughts/advice?

    I've always stayed away from creating a qtree per-user. It always seemed like a lot more overhead for each user vs just creating them as a subdirectory of a qtree. I don't know how many users you are talking about but the max qtrees per-volume may be an issue. --rdp

  • Accessing Home Dir's via ASA SSL VPN

    I have an ASA 5540 and an ACS 4.0. I am configuring an SSL based VPN for users in an Active Directory. I want to give the users access to their Windows Home Dir and have created a CIFS link in the URL list in the tunnel group policy for those users.
    I want to give the users access to \\SERVER\Share\%username% as it is described in Windows terms. How do I go about this in the ASA, as the above does not work at all? The ASA wants to use the / instead of \ in the CIFS shares. It works fine for normal shares and hidden shares specified with $, but not using the %username% variable.
    The documentation on SSL VPNS on both ASA and ACS 4.0 is terrible.
    Best regards,
    Neal Lewis

    This question might be a bit outdated, yet I stumbled across it since even in times of OS 8.4(3), I've had exactly the same problem. Meanwhile I've found the solution to it:
    You can work with the usual WebVPN variables which ASA offers for single sign-on (SSO) purposes. The following example works for my customer for a profile in which he applies two-factor authentication and allows his users to access their Windows home share using SSO (using the secondary WebVPN login information, which is their AD login name, accessed via LDAP):
    Bookmark URL:
    cifs:///CSCO_WEBVPN_SECONDARY_USERNAME%24 (where %24 is a code substitution for the '$' sign)
    SSO config:
    group-policy attributes
      webvpn
        auto-signon allow ip auth-type ntlm username CSCO_WEBVPN_SECONDARY_USERNAME password CSCO_WEBVPN_SECONDARY_PASSWORD
    There are two important things to consider, though:
    The share name *must* match the user's login name
    The folder effectively has to be configured to be a share (not just an ordinary folder). My tests have shown that it doesn't work even if that desired, ordinary destination folder is a subfolder of an accessible share.
    Hope that helps other people.
    Toni

  • ASA WebVPN - restrict access to users in an AD group via ACS

    Hi folks.
    I'm doing a WebVPN pilot on one of our ASAs (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (let's call the group "VPNTEST").
    Right now the ASA does RADIUS auth against our ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows Active Directory domain.
    Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
    I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

    Try using the following to tie users to certain group policies:
    Using a RADIUS Server
    Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
    Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.
    Step 2 Set the Class attribute to the group policy name in the format OU=group_name
    For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.)

  • AD Users auth Ok but cannot log into AFP Home dirs

    Hello,
    I have a problem that has been driving me nuts for around 6 weeks so wondering if someone can help me out.
    I have an Xserve that has been bound to the AD Server. This server holds the users only. The Xserve is connected to an Xserve RAID. I recently rebuilt the RAID to be a 0+1 (2 stripes, 1 mirroring the 2nd). I then configured the Home Dirs on the Xserve to reside on the RAID. I created a folder called UserHomes and then shared this using AFP and SMB. I removed guest access for both protocols. I added the AD user groups to the ACLs to allow them access. I added the AD admin with full control rights to all folders, and the AD Staff group with read only access to that folder only.
    I then used a script that would use dscl to extract the AD users into a list, created a folder for their Home dir, copied the Default template into their home dirs and then chowned the homedir to the AD user and chmodded the homedir 700.
    Now, when I try to log in as an AD user, they get authenticated correctly as would be expected but then the login window disappears and the user is left with the desktop picture and a spinning coloured ball. This stays like this until the machine is hard-reset or the loginwindow is quit remotely.
    I have tried using mobile accounts for the same user and this results in the user logging in, syncing and even having full access to their home dir from the Dock as well as all shares available to them, showing that Kerberos seems to be working. But this started to do the same as full network accounts as well, i.e. the spinning ball after login.
    I have rebuilt the OD server, the clients and even swapped out the switches and cabling. Same result. I have run tcpdump which seems to suggest things are as they should be (although I don't really know what I am looking for), but AFP logs show the client opening and closing forks but never logging in.
    DNS is resolving successfully also.
    Any ideas on what could be the problem?

    I synchronize the clocks of both the OS X Server and OS X Client with the AD Server. The user gets authenticated fine and the login window disappears, but that's as far as it gets. The user then starts to load (open and close forks according to the AFP log) their profile but it never turns up. No Dock, no Finder. I can see that it is trying to load though because if I manage the wallpaper setting using WGM, the background of the logging-in user changes. Just doesn't do anything else.

  • Accessing files in another Admin users home directory?

    In another topic thread http://discussions.apple.com/thread.jspa?threadID=798797&tstart=0
    I've posted how I somehow hosed my first Admin account, which was, foolishly, my primary working account.
    I've tried several things documented in the other thread to try to get back into the system under that login name, but with no luck. I created another Admin user, and tried using the Terminal window to create a disk image of the original admin user home directories, but it failed with an input/output error at reading a DMG file on the desktop.
    I've tried to access those folders via the new admin, but can't get in, says I don't have sufficient privileges.
    Is there a way to change the privileges for those folders, from single user, or current Admin terminal window? I have the password, so it's not like I'm trying to break in to someone else's files without permission.
    I've got some not-yet-backed photos and other files in the original account I need.
    Am I just screwed?

    Did you enable the root account on the system using
    NetInfo Manager ?
    Not sure what that is. I'll check it out.
    Have you considered using the OSX boot disc to reset
    the admin account password ?
    I do need to try booting from the cd, however, it doesn't appear to be a password issue - the password is accepted at the login prompt, a bad password typed in intentionally vibrates the box, the good password doesn't. Running admin utilities from the guest account with the ailing admin account name and password works. Still, it's worth a shot.

  • Cisco ASA disable command line interface (CLI) for VPN Remote Access users

    Hi,
    I have a local database for a couple of VPN Remote Access users on our Cisco ASA 5510 firewall. When adding users I assigned them privilege level 0. Is it possible to completely disable the CLI for these users as they will only be using VPN Remote Access and do not need to access the appliance CLI?
    Thanks in advance.
    Kind Regards,
    Marco

    Hi,
    We will need to use the vpn-filter or the ssh command to block ssh from the vpn pool.
    Regards,
    Vivek

  • Command line creating of users fails to correctly set afp:// based home dir

    I'm using a script to make users. They come and go quite a lot, don't want to be using a mouse all day long.
    I thought it would be simple: dscl /LDAPv3/127.0.0.1 -create /Users/user1 NFSHomeDirectory /network/servers/some.server.here/path
    with some other part of the script creating the home directory and setting it up for use.
    This only gets me an NFS based home directory, which doesn't seem to work. When I make them in WGM, I get an AFP based one. (afp://some.server.here/group1/user1)
    What's the trick? How can I create an OD entry with dscl which results in the same outcome as using WGM?

    Using this script now. Seems to work:
    #!/bin/bash
    # Expects these variables to be set by the calling script:
    #   dirpass (diradmin password), sinaUSER, sinaFIRST, sinaSECOND, userID,
    #   mainG (primary GID), secG (secondary group or "none"), sinaPASS,
    #   Uquota (home quota or "none"), homeF (home share folder on the AFP server)
    dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -create /Users/"$sinaUSER"
    dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -create /Users/"$sinaUSER" UserShell /bin/bash
    dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -create /Users/"$sinaUSER" RealName "$sinaFIRST $sinaSECOND"
    dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -create /Users/"$sinaUSER" UniqueID "$userID"
    dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -create /Users/"$sinaUSER" PrimaryGroupID "$mainG"
    dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -create /Users/"$sinaUSER" NFSHomeDirectory /Network/Servers/my.server.com/Volumes/promise/"$homeF"/"$sinaUSER"
    # HomeDirectory and apple-user-homeurl carry the afp:// URL, which is what gives the AFP based home that WGM creates
    dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -create /Users/"$sinaUSER" HomeDirectory "<home_dir><url>afp://my.server.com/$homeF</url><path>$sinaUSER</path></home_dir>"
    dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -create /Users/"$sinaUSER" homeDirectory /Network/Servers/my.server.com/Volumes/promise/"$homeF"/"$sinaUSER"
    dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -create /Users/"$sinaUSER" apple-user-homeurl "<home_dir><url>afp://my.server.com/$homeF/</url><path>$sinaUSER</path></home_dir>"
    echo -n "GID2, "
    [ "$secG" != "none" ] && dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -append /Groups/"$secG" GroupMembership "$sinaUSER"
    echo -n "pass, "
    dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -passwd /Users/"$sinaUSER" "$sinaPASS"
    echo -n "quota, "
    [ "$Uquota" != "none" ] && dscl -u diradmin -P "$dirpass" /LDAPv3/127.0.0.1 -create /Users/"$sinaUSER" HomeDirectoryQuota "$Uquota"
    # create home directory on the server from the record just written
    echo -n "Creating: home Dir: "
    /usr/sbin/createhomedir -n /LDAPv3/127.0.0.1 -u "$sinaUSER"
