Lion Server Setup (Network Login/Mobile Account and more...)

Hardware:
     Mac mini Intel Core i7, 2 GHz, 8 GB memory (Server)     x 1
     iMac 21.5" 2.8GHz Intel Core i7, 12 GB memory (Workstation)     x 6
Operating System:
    Mac OS X Server Lion 10.7.4 (11E53)
     Mac OS X Lion 10.7.4 (11E53)
Relevant Software:
     Server.app Version 10.7.4 (1.4.3)
     Workgroup Manager Version 10.7 (400.3)
     Server Admin Version 10.7 (355)
So my head's swimming with "I dunno's" and I've been perusing probably all the wrong threads trying not to sound like a noob and find the literature that will finally lead me to a solution.  This is my first rodeo so make no assumptions about my experience (maybe).
Short Version
I can't login network users.  I get an error: "You are unable to log in to the user account "<%short_name%>" at this time."  Logging in using >console tells me this: "No home directory: <path to home directory>", i.e. /Network/Servers/department.domain.com/Department/Accounts/bbunny
If anyone can point me where to read, I will do so.
Perhaps a longer discussion on how to verify that the proper permissions exist on the share/home directory in question and what those would be.
More detail...
I want to set up a Mac Mini server to have network login accounts stored on the 2nd data volume in a directory we shall call Accounts*.  Here all the "network users/logins" have their home directories, so that when they login at the workstation the idea is the workstation will sync their account and allow them to login. If the server is not available, the hope is I can configure it to allow them to login if they've logged in before and the files will sync when they are able. That being the ideal, I get the impression that for best practices, Apple is discouraging the use of mobile accounts that use Home Sync perhaps because its reliability has been iffy, please advise.  A Windows user might think of this as "roaming profiles" but, if I understand it, it's a little more than that.
Note, I do not want to login to the server and actively work on that network share, I want the account to be local and sync'd as needed.  But I want the user to be able to sit at any of the 6 other workstations and see the same documents, emails etc.  Obviously if the server is down, it won't be possible to authenticate, but I think it should have cached credentials that should allow the user to login if the server is down and still go about their work.
This is the small picture...there is a larger picture that involves parallel virtual machines of Windows Server 2008 R2 on the server and Windows 7 on the client, iCal, iChat and perhaps wikis.
I apologize for the roughness of this question, in the interest of brevity, I have plenty of problems that led me here that I can expound upon if asked.
Also a silly question someone might know the answer to: Why do the login payload settings that I have pushed to a workstation device sometimes vanish inconsistently upon logout?

Ok, Some Good news and clearer understanding to disseminate in this post I hope it helps
"the Universe" so I am posting it here in my "ever-the-noob" blog on apple forums.
Problem
What do you do when you get an error when logging into a mobile account setup?
One symptom would be the error message below...
     "You are unable to log in to the user account "<%short_name%>" at this time."
Logging in using >console, you get the message…
     "No home directory: <path to home directory>"
     or
     "You are unable to log in to the user account "<%short_name%>" at this time. 
     Logging in using >console tells me this No home directory: <path to home directory>
Solution
Do the check list…
Short Version
Server Admin.app > Access (Key Component)
Check Permissions on directories for your file shares. 
(The reason stuff doesn't work especially when you're rebuilding/recovering a server)
File sharing setup (Turned ON, Home sharing Enabled)
Directory Utility > Directory Editor or dscl 
( Do not underestimate the importance of this part!!!!
Use white-gloves when you're handling it though!!! )
Workgroup Manager
(Your poopy "main" interface that really is a "window", not a "door", but maybe Apple likes to do things "Dukes of Hazzard" style?)
Long Version
1.)           Check Server Admin.app > Access
Make sure that your user has the "Proper" access.  For me I created a test user from Server.app and saw what access he had as a way to "check myself for a properly created user" and because I think one is kind of on his/her own using WGM and duplicated the same access. (I was a little neater, though, and did it with a group, not individual users; that would have been a mess!)
Server Admin.app > Access
Click the "+" sign, sort by UID and Add the imported users  to the following Services…
( You can use a group, but understand when Server.app creates users they get added
individually to each of these groups. )
Address Book
AFP
iCal
iChat
Mail
Profile Manager
SMB
VPN
2.)           Check Permissions on directories for your file shares.
          (That's an understatement) I could go in depth about all the crap I had to read about, I still
          know I am missing a chunk of tech brain when it comes to the particulars. Basically, I boil
          it down to this…
          Permissions require thinking about things first with regards to POSIX permissions... good
          ole ls, chmod, chgrp, chown to the rescue with ugo permissions or the old 755, 600 etc
          stuff.
          Apple's file-sharing access uses this as a starting point to see what the user is allowed to
          access.
          I also needed to use chflags once to unhide a file that I mucked around with using xattr. 
          I still haven't figured out why folders can lose their triangles, but I didn't find out if you cp or
          move them from terminal, the triangles come back in the moved or copied directory.  For a
          minute I thought it was because cp alone doesn't preserve flag attributes, but mv actually
          works by doing a cp that preserves the flags, unless it's a bug.  I dunno.
          This helped me get my file visible again...
          chflags hidden path_to_file
          chflags nohidden path_to_file
          Read up on those manuals, if you're not a terminal type go to Apple's website
          http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/
          or download...
          http://www.bruji.com/bwana/ I thought that was cool.
          or if you prefer to read the manual in pdf try…
  man -t sharing | pstopdf -i -o ./Desktop/Sharing\ Manual.pdf
          man -t chown | pstopdf -i -o ./Desktop/CHOWN\ Manual.pdf
          man -t chmod | pstopdf -i -o ./Desktop/CHMOD\ Manual.pdf
          man -t chgrp | pstopdf -i -o ./Desktop/CHGRP\ Manual.pdf
          My basic guideline was avoid using ACLs if at all possible, if you try to use them, things
          can get crazy complicated, take notes and plan, baby. If you read above, opening up
          permissions wide is wrong though.  You would restrict permissions tightly to begin with and
          then place ACE (Access Control Entries) to specifically target the rights you want to enable.
          Here's one that's obviously a novice attempt to do this, but since the novice is the only one
          speaking…. here it is, Universe… >:P
          sudo chmod -R +ai "admin allow read,write,delete,file_inherit,directory_inherit,search,list" Department/
          That allowed my admin to do all the things a normal user could do so far… It fixed things for
          my admin, which made me happy.  I really hate having to authenticate or sudo just to see
          the contents of a nested directory.  I could explain it, and even give a few notes on why it's
          probably overkill, but I will attempt to look less stupid till "poked".
          There's another command line utility I STILL haven't read, which may bear mentioning
          because…well I haven't read it.  umask (see wikipedia or unix.com)…I worked past my
          problems without going into it so far, but obviously it's there, and it serves a purpose.
          I also found this article helpful…and educational.  :O
          http://www.bresink.de/osx/300321023/Docs-en/pgs/ACL.html
          (          It's enlightening to hear the air whistling between a developer/coder's ears, still it's
                    apparent he has a clear idea what's going on.
                    Ever wonder why when you use get info to check or assign permissions it kind of
                    flakes out and doesn't take?  Read this article!          )
          Second, if you can't obtain the "specific" permissions you need with POSIX, chmod also
          can set the 2nd category of permissions, which Windows users may be familiar with
          Access Control Lists (ACLs) and here you get some really fine granularity...messy stuff. 
          All in all, if I felt I could guide you through these murky waters, I would, but I think I'll let
          the professionals weigh in on that one and cut my wall-of-text to ribbons.
          To heuristically check I would connect from a client as one or two of my users and see what
          folders I could mount as a share, armored with an understanding of what ls -le@O * showed
          me in Terminal.
3.)           File sharing setup (Turned ON, Home sharing Enabled)
          Here is an example of using command line sharing utility where each share is properly
          labeled (that took a bit for me to figure out) still this share only enables the AFP share as
          you can see from my flags.
  sudo sharing -a /Volumes/Hard\ Drive/Department/Database -A Database-afp -F Database-ftp -S Database-smb -n Database -s 100 -g 000 -i 10
          Then you do a sudo sharing -l and get back what you just did…
                                          List of Share Points
          name:                    Database
          path:                    /Volumes/Hard Drive/Department/Database
                    afp:          {
                    name:          Database-afp
                    shared:          1
                    guest access:          0
                    inherit perms:          1
                    ftp:          {
                    name:          Database-ftp
                    shared:          0
                    guest access:          0
                    smb:          {
                    name:          Database-smb
                    shared:          0
                    guest access:          0
          If you mess up the sharing command, you may not be paying attention (I wasn't) but there
          are a lot of defaults that Apple will just assume you meant to do anyway and it won't read
          any of your flags, you have to get it right or the flags will be defaulted. 
          (          Basically I could tell I was bombing it for one, I explicitly only wanted afp working, but
                    the default was afp and smb.  So each time I ran sudo sharing -l after I shot my sharing
                    command…back would come smb shared: 1 and I knew that wasn't right.  Also my
                    custom names were defaulting to the name of the directory not the name I had
                    specified.           )
          I like to know what protocol my share is over so when it doesn't work, I know which protocols
          are connecting. It's not foolproof, but it's a bookmark.  I wish the network browser would
          identify the protocol that its available listed shares are using, because small visual cues
          like that help when you're trying to see what works.  Maybe that's something I should
          investigate via the command line?
          As a note about reading forums, I discovered using command line that "\" is kind of like a
          way of going to next line neatly with long commands…."\ " is a way to insert a space. As you
          can see above where I have a volume with a space in it. 
          Removing shares was a little trickier though, sharing -r Share\ With-space didn't work….I
          had to enclose it in quotes and do "Share With-space" instead. So nooby beware!
          (          *nix users are now rolling their eyes at this tip.          )
          I wasn't sure how you enabled a share for home directories from the command line, maybe it's
          in the manual, but I was up to my eyeballs in manuals already so I haven't gone back to
          revisit this question since my work around was to go to Server.app and verify that what I set
          up in the sharing in terminal was being reflected in the gui…sort of my own MVC
          (model-view-controller) check.
4.)           Directory Utility > Directory Editor or dscl 
  Make sure what you see in WGM and Server.app are reflected here….to that question let's
          take a journey where I did some exploring about that.
  Ever really wonder "WHY CAN'T I REMOVE AN OLD HOME DIRECTORY SHARE?!!!"
          Ah, then you will  - LOVE -  this tip…
          (          Provided my testing or yours, later, doesn't prove that in my ignorance I've broken
                    Open Directory. Remember, WHITEGLOVES!!!! but here we get a little dirty.  I think of
                    OD as Apple's Registry, but that's not what it is at all. However, you as the user do have
                    to "****" around in it from time to time.          )
          I scoured the forums and everyone was saying things like "You have to change your server
          role" etc. which seemed a little bit dumb to me (dumb because you're pushing views around
          not "controlling"), and well, yea, that share that I couldn't modify or delete was REALLY
          bugging me.
          Now hmm… Before you do ANYTHING, how do you try to not hurt yourself…in Windows you
          can make a Registry Backup….(yea bad analogy)  In Server Admin.app you can go to your Open
          Directory Service > Archive and Choose a place to Archive your information. (Figure this out by
          yourself, this is getting long…sheesh! It's easy. Restoring is just as easy and painless.)
  Before we can remove the entry we "SEE" in WGM we should make sure no
          one has it selected so as not to "corrupt" the OD db, so in WGM first before going to Directory
          Utility set the Home directory to "None".  (We need to remember to set this to a correct share
          later….Mental Note!!!)
          Now Open Directory Utility
          Method 1
          System Preferences > Users & Groups > Login Options
          Click the Lock to make changes…
          Authenticate -> click "OK"          (do I REALLY have to step-by-step this?)
          Network Account Server: • Local Server - click "Edit" button here.
          Open Directory Utility > Directory Editor
          (          Wow, did Apple hire someone from Microsoft?  You'd think with all their research into
                    Human Interface Design that's WAY too many clicks to get to something you need.          )
          or
          Method 2 (It's good to know about this directory, neat-o speed-o apps hidden here.)
          Use "Go to Folder" Under Finder > Go > Go to Folder...
  ⇧⌘G /System/Library/CoreServices/ 
          Click "OK"
          and Double click Directory Utility.app
          or
          Method 3
          Terminal
          open /System/Library/CoreServices/Directory\ Utility.app/
          Now From the Directory Editor Pane you will see a Pop-up menu Labeled "Viewing"
          You should glance through this and get to know it.  You should use it to see what
          information is really being stored about your Users, Groups, Mounts…
          We are interested in Mounts, which is where we want to go…and there is the pesky
          mount that you will see reflected in WGM.
          Authenticate, and delete the bugger.
          Quit WGM and restart it.  Voila, bad share is GONE!!!!!
          a.)          First select all my users
          b.)           Then I clicked on the "+" and added the correct share
                    (          Remember, I only showed you the first one we created, this is another and
                              for THIS one you HAVE to go into Server.app and verify that it is set to be
                              available for Home Directories in this case for AFP.          )
                    For the home directory entry you do this...
                    afp://computer.domain.com/Accounts-afp
                    %short_name%
                    /Network/Servers/computer.domain.com/Volumes/Hard\ Drive/Department/Accounts/%short_name%
  %short_name% is a wild card for the short name. There are other wild cards; check out Apple's
                    Documentation on them.  I lost the link, sorry <shrug>
          Interesting dscl commands…(check it out in command line form and compare side by side with
          what you see in the GUI Directory Utility)
          dscl . list /users
          dscl . list /groups
          If you want to output information about each user, though, use readall:
          dscl . readall /users
          dscl . readall /groups
          And if you need to programmatically parse said information, use -plist to make your life easier:
          dscl -plist . readall /users
          dscl -plist . readall /groups
          This made a little more direct sense to me, language wise…but fyi "." is kind of a wild card I think so the first
          commands I think look in ALL directories local, Search, LDAP whatever you have.  The command here
          corresponds to the Entry from the Pop-up menu "…in node > Blah…" see GUI of Directory Utility to confirm.
          dscl /LDAPv3/127.0.0.1 -list /Users
          dscl /Local/Default -list /Users
5.)          Workgroup Manager
          Remember this is a utility that is not long for this world.  Apple's Mountain Lion is rumored to fully
          replace it, why? Yea, Apple's making a go at MDM (Mobile Device Management) and somehow
          desktop computers are being pulled/dragged along for the ride.  I have plenty of issues with
          Profile Manager, but I'll likely revisit it in a couple of months and see where we stand.
          Anyway, treat this baby like the bottom rung, because, well it is built like you start your
          foundation here, but it's just a viewer with controlling "tweaks".  Use the other areas to get a solid
          grasp of what is actually going on.  Server.app is where you should create accounts you can
          feel are safe.  When you create accounts in WGM, you are responsible for making sure they
          have the appropriate EVERYTHING.
This list is by no means complete, but these are the areas this noob is or was prepared to talk about.
Good night for now.  Enjoy climbing my wall of text, and yea sorry about that.  :O Run for your lives!!!!
  - Signed Shadowwraith
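
The check the post does by eye after each `sharing -a` (run `sudo sharing -l` and see whether SMB came back enabled) can be scripted. This is an added example, not part of the original post: the `Accounts` record in the sample, the function names and the `Share=proto` argument format are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `sharing -l` output with the protocols you intended.

# Constructed sample in the layout shown in the post. "Database" matches the
# post (AFP only); "Accounts" is a made-up record for a share that came back
# with SMB enabled and guest access switched on.
sample_listing() {
cat <<'EOF'
List of Share Points
name:       Database
path:       /Volumes/Hard Drive/Department/Database
    afp:    {
        name:   Database-afp
        shared: 1
        guest access:   0
        inherit perms:  1
    }
    ftp:    {
        name:   Database-ftp
        shared: 0
        guest access:   0
    }
    smb:    {
        name:   Database-smb
        shared: 0
        guest access:   0
    }
name:       Accounts
path:       /Volumes/Hard Drive/Department/Accounts
    afp:    {
        name:   Accounts
        shared: 1
        guest access:   1
        inherit perms:  1
    }
    ftp:    {
        name:   Accounts
        shared: 0
        guest access:   0
    }
    smb:    {
        name:   Accounts
        shared: 1
        guest access:   0
    }
EOF
}

# Usage: audit_shares "Share=proto[,proto];Share2=proto" < listing
# Prints one finding per line and nothing when the listing matches intent.
audit_shares() {
    awk -v want="$1" '
    BEGIN {
        n = split(want, pairs, ";")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            expect[kv[1]] = "," kv[2] ","
        }
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "}") { proto = ""; next }      # end of a protocol block
        pos = index(line, ":")
        if (pos == 0) next                          # banner or blank line
        key = substr(line, 1, pos - 1)
        val = substr(line, pos + 1)
        sub(/^[ \t]+/, "", val)
    }
    val == "{" { proto = key; named = 0; on = 0; next }
    key == "name" {
        # First name inside a block is the per-protocol name; any other
        # name line starts a new share (works even if "}" lines are missing).
        if (proto != "" && !named) { named = 1; next }
        share = val; proto = ""; next
    }
    key == "shared" && proto != "" {
        on = (val == "1")
        wanted = (share in expect) && index(expect[share], "," proto ",") > 0
        if (on && !wanted) print share ": " proto " is shared but was not intended"
        if (!on && wanted) print share ": " proto " was intended but is not shared"
        next
    }
    key == "guest access" && proto != "" && on && val == "1" {
        print share ": " proto " allows guest access"
    }
    '
}

# On the server: sudo sharing -l | audit_shares "Database=afp;Accounts=afp"
sample_listing | audit_shares "Database=afp;Accounts=afp"
```
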

Similar Messages

  • How do you setup a user mobile account, with the home directory stored locally and not synced to the server?

    I want to be able to set up a user mobile account, with the home directory stored locally and not synced to the server.  What is the best way to do this? I am running Server 10.6 with 10.6 clients.  Open Directory will be used to authenticate and manage preferences.   Also, this one account will be used simultaneously in a computer lab setting, so files will be stored locally in the client, hence the need to NOT sync to the server.  Any Ideas?

    currofelix wrote:
    So what does WGM Look like in the Home Tab? afp://servername.domainname/Users? or afp://Users?
    The attached screen shots should help you:
    You will only have to do this step once. Obviously you want to use the user's shortname here.
    Then, you will see this as an option in WGM:

  • Mixing mobile account and network account.

    Is it possible to have mobile account on some computers and network account on others and having the same user logging in (only one login at a time) without sync issues ?
    I have tested it with account preferences set on computers and it is working nice until I have been logged in on a computer with networked account, then I experience sync issues. Every time I log in mobile account I got a dialog window asking me to select "Sync Later" , "Mobile" or "Networked". It does not matter what I select, the dialog comes back every time I log off and on with the mobile account. I have only managed to get rid of it by deleting mobile account and sync it again.
    Message was edited by: kenguru

    Again, thanks for taking your time explaining this for me.
    After reading the User Management documentation from Apple about Managing Portable Computers (Chapter 8), I got the opposite impression about running Mobile Account on multiple computers. From this text, as I read it, it is a common thing to do, as long as we are aware of sync issues that might occur and know how we shall deal with it.
    So I'm a little confused about this topic, as it seems to make sense what you are saying, but the documentation says something different.
    I have tried setting sync preferences on the user instead, so that every login is made with a mobile account on every computer. That seems to work ok. Of course sync issues may arise, but here the file sync can be fixed through the dialog windows that pop up. Unlike under the mix of network logins and mobile account logins where it doesn't matter which location I set to be the place containing the most recent files. This only occurs after a network account login. If I have been logged on another computer set up with mobile account everything syncs nicely. I think
    So for now, I think I will stick with setting up users with mobile account preferences and skip the networked account.
    Does this make any sense or am I still mistaking here?
    Ok, thanks for all you help.
    Bernt

  • What is 'mobile account' and how does it work?

    This is a hidden feature in Mac OS Leopard, which I believe requires a Leopard Server on the network.
    I have not found it in the regular user interface, but it can be revealed by following the below process:
    1. Go to System Preferences > Accounts
    2. Unlock
    3. Search for mobile account, and press Enter
    4. Wait for the Mobile account options to show up
    What is this feature? How does it work?
    I have found no references to it in the normal documentation.

    Google is your friend:
    "A mobile account is a Mac OS X Server user account that has been copied to a local computer and remains synchronized with the server account so that both locations contain a matching set of data."(Mac OS X Server User Management, p. 46).
    And it has been around since 10.3, so it is not something new to Leopard.
    see: http://www.afp548.com/articles/Panther/mcx2.html

  • I downloaded OS X Lion Server using my apple developer account? Will it stay after my enrolment is over?

    The title says it all. I downloaded OS X Lion Server using my apple developer account? Will it stay after my 1 year enrolment is over? I basically signed in and redeemed a code to download OS X Lion Server. It is now in my purchased list in the Mac App Store. But I got it by redeeming a code that I got through being an Apple Mac Developer. I wanted to know if I decided not to pay $99 next year to renew my enrolment, will I still be able to keep OS X Lion Server in my purchased list in the Mac App Store. When I click on More Apps by Apple in the Mac App Store, it takes me to the page with all their apps. OS X Lion Server says it is installed. But I want to know if it will still be in the purchased menu after the enrolment is finished and not renewed.

    I am a new Mac Developer. I checked the page you gave me and I think it's more to do with topics about programming and using the developer tools and pre-release software. I don't think my question relates to any of the topics there. OS X Lion Server has already been released and is available for the public. I was planning on buying it. But before I did that I wanted to become a developer. So I enrolled in the Mac Developer program and I went to download OS X Mountain Lion Developer Preview 2 when I realized that I could also download the already released OS X Lion Server which was available for $50. So instead of buying it from the Mac App Store, I just got the redemption code from the Mac Developer Center and downloaded it free of charge (I did pay the $99 to be a Mac Developer though). Now it has been added to the purchased list in the Mac App Store and when I click the More Apps by Apple button in the Mac App Store, it takes me to the page with all Apple apps. And now on that page it says that OS X Lion Server has been installed. I am just wondering if once my enrollment is over next year April, and I decide not to renew my enrolment, will I still be able to have the OS X Lion Server in my list of purchased apps and still be able to re-download it? Sorry if this is too long, but I am trying to be as clear as possible. Sometimes when I ask questions, I wait a whole day and go back there, only to find out that they didn't understand what I meant. Thank you .

  • 10.4.x and Active Directory Logins - mobile accounts

    Managing 10.4.x workstations and trying to get AD logins to work using OS X AD plugin set to "create mobile home" and "Force local home directory".
    AD user accounts get stuck at the login window. The user name and password field are greyed out and the computer sits like that for a long time. Computer responds when pressing the power button to restart, shutdown, sleep, or cancel.
    Console reads: automount 174: can't mount server name .... invalid argument (22) over and over
    tried setting automount in /etc/hostconfig to NO and that just keeps returning the "unable to login as user .... afp/smb error"
    If the AD plug in is configured without the "create mobile home" and "force local home directory" checked, the AD user can log in with a true network home directory.
    Seems like the login doesn't work when it's set to create a mobile home and mount the user's network folder in the dock.
    Clients are Mac 10.4.9 + / Windows/Active Directory 2003 / OS 10.4 server for management purposes.
    any ideas?

    my apologies.... posted this question in the wrong forum. will repost.

  • Mountain Lion Server with Network User

    I have a Mountain Lion Server with a network user. The whole system has been redone from Lion Server and on top of that I moved location, ISP, hardware and a few other things. The way I used the setup on Lion was to bind my MBP to the server and login from the MBP login window with the network account. If for whatever reason I wanted to look at the network account on the server, I could fast user switch and everything that was open ie Safari, Mail, etc would be the same as it was on the MBP.
    Now if I'm logged into the network user on the MBP and then go to the server, it logs in as if I've just booted. They share the home folder and any new files/folders created on one shows on the other. But if Mail is open on the MBP it won't be open on the server.
    Does anyone have any ideas or suggestions?

    Thanks for your reply.
    I believe I got it to work, but,... How do you get the network account users to show up on the login window of the client computer? The login window shows the name of the client computer and the local accounts on the client computer. When I select Other in the login list I can login using a network account user id and it logs in. The network account user names do not show up on the login window

  • Mountain Lion Server: add network user to remote management

    Hi,
    So recently I have upgraded from Lion Server to ML Server. A little disappointing, but whatever, I've moved on and got everything almost back to where I had it with Lion.
    My last few issues I believe are related but can't quite figure it out. In Lion I have an admin profile and then a network user profile that I used on my MBP bound with AD. I'm at the stage where my new network user can log in on the server machine but I can't log in as the network user via screen sharing. I can't add a network user to Remote Management, and with Remote Management enabled Screen Sharing is greyed out. I'd really like this to work.
    My second problem is that I can't bind my MBP to the server but even when bound the network user account can't log in.
    Anybody have any ideas?
    Thanks!

    I had this problem on a clean install.
    The solution was incredibly simple for me, but only  after I saw Ross.M's note about opening the Users & Groups settings panel (in the OS System Prefs, not in server) and rebinding to OD server under Login Options.
    That was not the solution for me, but under Login Options I discovered a previously unnoticed pref for "Allow network users to login at login window."  I had this option set (apparently by default) to "Only these network users:"  but with an empty list.  Adding my users to the list made it work perfectly.
    Talk about KISS

  • Lion Server setup & Time Capsule

    Greetings,
    I am new to Lion Server so please bear with me. Some of my questions may seem dumb to some of you. But to me the only dumb question is one not asked. So please bear with me.
    Server and time capsule will both do NAT, DHCP. Which should I use for the network Server or Time Capsule. I am connecting with a Brighthouse cable modem with a Dynamic IP. I have the Time Capsule in Bridge Mode with a static IP 192.168.0.6. The server is Static with 192.168.0.5. Brighthouse wireless is disabled as I like the time capsule wireless. Time capsule is providing WI-FI. Brighthouse router/Modem provides the Router at 192.168.0.1.
    I have a domain name abc.net. Should I set up lion server first and then set up Time Capsule after it is working? Do I set this up as a .local, .private or .net account during server setup? I want to be able to get to my computer from my domain name and handle my mail.
    I set this up once and it worked for about 2 hours. After that it would never see my computer. So I am setting up server again but wanted to see if I could get a little first time guidance this time. I also signed up with DYNDNS for DNS updating and that just seemed to throw a whole new batch of problems in.
    So any help would be great... Not dumb with computers, but new to apple servers. And I don't do geek well!!
    I think all the IP numbers, what I need to change on Netfirms to get to my computer get me confused in the setup.
    Thanks

    "Server and time capsule will both do NAT, DHCP"
    Sure.
    "Which should I use for the network Server or Time Capsule"
    Why do you think you need to use either of them?
    Ideally, you should have ONE device on your network running NAT, and ONE device running DHCP.
    From your description it sounds like your Brighthouse router is running NAT therefore there is no need to run NAT anywhere else.
    The chances are that the Brighthouse router is also running a DHCP server for your LAN, therefore there is also no need to run DHCP off the Time Capsule or the Server. You've already got those bases covered.
    So, at least without more information, I'd be inclined to say: neither.
    "Should I set up lion server first and then set up Time Capsule after it is working?"
    Probably. It depends on what your plans are for the Time Capsule. If you're using the TC as a wireless base station then it doesn't need to be running until you're ready to connect wireless clients.
    If you're using the TC for backup, you don't need it until your server and/or clients are set up and ready to back up.
    Since the TC is not (as per the above) running either NAT or DHCP, there's not much else to do with it.
    So focus on the server.
    "Do I set this up as a .local, .private or .net account during server setup?"
    That's entirely up to you, although there are a couple of options. First off, though, realize that there is no, zip, nada connection between the hostname you use on your internal LAN and any public domain. It's 100% valid for your server to be called foo.bar while serving web content for abc.net and getting email for xzy.com, all at the same time.
    Personally, I tend to set them the same (e.g. abc.net in this case), but others will recommend a different approach. It's largely personal preference.
    "I want to be able to get to my computer from my domain name and handle my mail."
    If you're talking about getting to your computer/mail from an external locale, that's 100% down to DNS and completely independent of what the server thinks its own name is.

  • Active Directory logins - mobile accounts

    Managing 10.4.x workstations and trying to get AD logins to work using OS X AD plugin set to "create mobile home" and "Force local home directory".
    AD user accounts get stuck at the login window. The user name and password field are greyed out and the computer sits like that for a long time. Computer responds when pressing the power button to restart, shutdown, sleep, or cancel.
    Console reads: automount 174: can't mount server name .... invalid argument (22) over and over
    Tried setting automount in /etc/hostconfig to NO and that just keeps returning the "unable to login as user .... afp/smb error"
    If the AD plug-in is configured without the "create mobile home" and "force local home directory" checked, the AD user can log in with a true network home directory.
    Seems like the login doesn't work when it's set to create a mobile home and mount the users network folder in the dock.
    Clients are Mac 10.4.9 + / Windows/Active Directory 2003 / OS 10.4 server for management purposes.
    Any ideas?

    my apologies.... posted this question in the wrong forum. will repost.

  • Lion Server: All network users have disappeared

    Hi,
    A search through the forums and kbase didn't give me anything that mapped well to my problem. Here's the situation:
    Specs:
    Mac Pro (2008) 6GB RAM, SSD boot with space available, OS X Lion (latest) with Server.app
    Services:
    File Sharing
    Users: less than 15—accounts only used for file server access.
    This is the only server on the local network, all network routing is taken care of by a Meraki router.
    I went to add a new user to our fileserver, and was unable to connect to the server over Apple Remote Desktop. At the time, file sharing from the server (I *believe*) was still working. I logged in with the file server's local admin account via SSH and tried to use Kickstart to get ARD running again—something I'm well versed in. The script ran as usual, but ARD could still not connect. So, as everyone was in a meeting, I tried to use `shutdown` to reboot the fileserver from the CLI, something I've also done in the past (but not frequently). Usually that takes about a minute to work, and then my shell disconnects—but after 5 minutes, the Mac had not rebooted.
    At that point, I decided to walk to the server and manually force it down by holding the power button in. That powered off the Mac, and 30 seconds later, I booted it up.
    Back on my Mac via ARD, I was able to remotely control it and got to the Fileserver's log in screen, which featured a red dot in the user field I'd never seen before. Its tool tip read "network users are currently unavailable" (paraphrased, perhaps). I logged in with the Fileserver's local admin user (as usual) and launched the Server.app, only to find that in the `Users` section, there were no users listed, and the plus and minus buttons were greyed out.
    I tried rebooting but got the same results. I then repaired permissions and verified the boot drive. Lots of permissions repairs (as usual) but nothing improved. Another reboot after the permission repair and disk repair, just for safety's sakes… and as you can guess by me posting here… no improvement.
    I'm not heavily versed in Server. I'm not even sure if those users are stored in a database, and where that DB would live. Does server make dumps or backups of the users on its own? Should I have been? Is this LDAP? Anyone have some next steps I can try? What info would be useful?
    My first goal would be to recover a damaged DB. I only have just under 15 users, so re-creation isn't difficult. But, under the department of "I don't know a ton about Lion Server" I don't know if network users act like OS X users… where you could create a new user with the same username, but if their UID is different, then they won't have access to their owned files on the fileserver… is Server that exacting? Does it care who owns the file?
    Thanks in advance for any ideas, or resources you can point me to!

    It gets far weirder……
    Now no one, myself included can log in.
    Checking the logs, which I'll try to attach a small sample of here (Dropbox link below since you can only attach images here), I see repeated instances of both `opendirectoryd` crashing and respawning, and of server manager unable to authenticate:
    1/19/15 4:57:06.658 PM com.apple.opendirectoryd: Assertion failed: (0 == (connection->flags & eODConnectionFlagSocketValid)), function __odconnection_connect_block_invoke_2, file /SourceCache/opendirectoryd/opendirectoryd-172.17/src/odconnection.c, line 988.
    1/19/15 4:57:07.641 PM com.apple.launchd: (com.apple.opendirectoryd[13760]) Job appears to have crashed: Abort trap: 6
    1/19/15 4:57:07.641 PM com.apple.launchd: (com.apple.opendirectoryd) Throttling respawn: Will start in 9 seconds
    1/19/15 4:57:07.761 PM ReportCrash: Saved crash report for opendirectoryd[13760] version ??? (???) to /Library/Logs/DiagnosticReports/opendirectoryd_2015-01-19-165707_localhost.crash
    1/19/15 4:57:17.276 PM PasswordService: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: user with slot 4873a20f-0cc0-f7c3-0000-000a0000000a not found.  Result: 80 Other (e.g., implementation specific) error
    1/19/15 4:57:17.277 PM AppleFileServer: _Assert: /SourceCache/afpserver/afpserver-585.7/afpserver/AgentSession.cpp, 856 (4294952813)
    1/19/15 4:57:32.703 PM servermgrd: servermgr_accounts: got error 2100 trying to auth to local LDAP node
    https://dl.dropboxusercontent.com/u/1344045/server-sample.log.txt

  • Mobile accounts and parallels

    Not sure if this is correct forum for this, apologies if it isn't.
    I have some of my users set up as mobile accounts.
    These same users are using parallels for WinXP sessions.
    The issue I have is that when I download an attachment or file under MacOSX, I save it to my "Home" directory, because I am using a mobile account that is saved on the local hard drive.
    In my parallels Window my networked "Home" directory is exactly that, on the server.
    Therefore I do not get to see the saved file from earlier until a sync has occurred or a manual sync has been performed.
    Is there a way (and I have asked parallels, they haven't replied) of making the Parallels windows reference the home directory on the local hard drive, so that I do not have to wait for the sync to occur?

    "Not sure if this is correct forum for this, apologies if it isn't."
    Try the Parallels forums:
    http://forums.parallels.com

  • Again: Mobile accounts and folder date

    Hi,
    for a while syncing between MacBooks and Lion server worked.
    But now I have issues again without changing a running system.
    1. On my MacBooks everyday, i.e. after restarting, Spotlight indexes my files
    2. Actually my MacBook Pro syncs my whole folder structure and modifies the date of the folder to the actual date! What a mess!
    Anyone with the same behaviour?
    Any solutions or simply a bug in Lion server?
    I use 10.7.3 with Filesyncagent activated.
    Ishan

    See also http://support.apple.com/kb/TS3346
    Symptoms
    Active Directory users may receive the message "You are unable to log in to the user account (username) at this time" when trying to log in. This can happen with successive Active Directory users who have home directories on different sharepoints of the same server. They can log in if the Mac OS X client is restarted.
    Resolution
    Edit the /etc/auto_master file of the affected Mac OS X client. Comment out the /Network/Servers entry as shown in the example below:
    # Automounter master map
    +auto_master # Use directory service
    /net -hosts -nobrowse,hidefromfinder,nosuid
    /home auto_home -nobrowse,hidefromfinder
    #/Network/Servers -fstab
    /- -static
    Save the file, then restart.
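
    The edit described in the quoted article, as an added shell example (not from the Apple article or any poster). The function name and the ".bak" backup suffix are assumptions; the function comments out only an active /Network/Servers line, keeps a backup, and is safe to run twice.

```shell
#!/bin/sh
# Added example: comment out the active "/Network/Servers" entry in an
# automounter master map, as the TS3346 text quoted above describes.
# Assumed usage on a client (as root): disable_network_servers_map /etc/auto_master
# A restart is still needed afterwards, as the article says.

disable_network_servers_map() {
    map_file=$1
    [ -f "$map_file" ] || { echo "no such file: $map_file" >&2; return 2; }

    # Nothing to do if the entry is absent or already commented out.
    if ! grep -Eq '^[[:space:]]*/Network/Servers([[:space:]]|$)' "$map_file"; then
        return 0
    fi

    # Keep a copy of the original map (hypothetical ".bak" suffix).
    cp -p "$map_file" "$map_file.bak" || return 1

    tmp=$(mktemp "${TMPDIR:-/tmp}/auto_master.XXXXXX") || return 1

    # Prefix only the active /Network/Servers line with '#'; every other
    # line (+auto_master, /net, /home, /-) is passed through unchanged.
    sed -E 's|^([[:space:]]*)(/Network/Servers([[:space:]].*)?)$|\1#\2|' \
        "$map_file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$map_file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}
```

    Writing back with cat instead of mv keeps the owner and permissions of the existing file, which matters for a root-owned map such as /etc/auto_master.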

  • Lion server - profilermanager mydevices login

    Trying to get profile stuff working.
    I have mac mini running lion server
    I created a couple of network accounts.
    When one of those users goes to the mydevices page (http://<servername>/mydevices) to enroll a device, I get a login prompt. This always fails with invalid username or password. Currently, only my admin account can log in.
    mac mini server is running open directory server of course since that is required for profile manager.
    thanks!

    It is buried at the bottom of the list on the front page, I found it by looking for 'server' in the search box, or I wouldn't even know it existed
    Regards,
    Colin R.
    PS I assume that is where all the experts are hanging out.

  • AD mobile account and Netinfo stuff up

    Hi everyone, Not sure if this is the right place for this but I have made a stuffup and I'm not sure how to fix it.
    I have my iBook in an AD domain, and everything was working flawlessly that is until I noticed strange errors in console indicating my UID was too large and stating this is not causing your problem. Funny thing is I never knew I had a problem. What's the old adage about not fixing it if it's not broke?? Anyway being fearful of stuffing things up I have let it lie for a couple of months this way. After looking around on our Win Servers I couldn't find where or what the UID was mapping to, so decided to take the plunge and edit my account in Netinfo. So I made two duplicates of my account and changed my UID from a six digit figure to a 3 digit figure. Now when I login, I get the default desktop and Dock settings, even though my Home folder is mapped correctly. Help?

    Yes, I know how to click buttons in the gui, that does not fix the issue. The issue is that the Active Directory schema at my company includes extended attributes from the RFC 2307 schema. Apple's AD plugin does not know how to handle this extended schema especially when using mobile accounts.
    Apple's AD plugin reads these unix attributes from AD and thinks it knows what to do but ends up causing more problems than if there were no unix attributes at all.
    Since this post, I have opened a ticket with Apple. They were able to recreate the problem in their lab with their AD server. The only work around is to create a custom ActiveDirectory.plist file that forces the Mac to ignore what AD is telling it.
    This solution works unless the ActiveDirectory.plist file is deleted or corrupted. This problem will only become worse once Microsoft includes all of the RFC 2307 schema in their next service pack of Win 2003 server.
