Local login capability for network accounts?

Hi all,
I'm setting up a local network at an office servicing about 20 different client machines (mostly just MacBooks). The goal of this is to accomplish some basic administrative tasks, such as checking the status of/enforcing disk encryption, password strength policies, caching software updates, etc.
Currently everyone is logging onto their machines locally and ideally we could have them merged into network accounts through a box that we have running OS X Server. I've got that set up and working with test accounts, but given that our users sometimes are working off-site or from home, I need a solution that could allow people access to their accounts when the server is unavailable (any time they are not on our local network). Is this possible? Are there any other workarounds that aren't too awkward?
Thanks!

There are three main types of user account.
Local only - defined on the local machines with files being stored on the local machine
Network only - defined on a server with files being stored on a server
Mobile account, aka Portable Home Directories - defined on a server, but when the user first logs in to a Mac configured for this type of account, the account is copied to the Mac along with their home directory, and thereafter password changes are synchronised between the server and the Mac
Most often Mobile accounts are used with laptops but this is not compulsory.
You will need to use ProfileManager to manage the Macs and be able to configure a group of Macs to use Mobile Accounts. This is under Mac only - Mobility, and you want to then configure "Create Mobile Account when user logs in to Network Account".
Note: With older OS versions you could set this up with Workgroup Manager and Managed Preferences but Mavericks needs you to do this via ProfileManager. ProfileManager is however backwards compatible with Lion and Mountain Lion versions.
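A quick way to tell which of the three account types a given user on a client Mac actually is, as an added example that is not part of the original thread: it parses the output of `dscl . -read /Users/<name>` (mobile accounts carry a `;LocalCachedUser;` entry in AuthenticationAuthority and an OriginalNodeName attribute; a network-only user has no record in the local node at all). The sample outputs embedded below are constructed; the live check only runs when a username is passed on the command line.

```python
"""Classify a macOS user as local, mobile or network-only from dscl output.

Added example, not from the original thread. Assumes the local Directory
Services attribute names AuthenticationAuthority and OriginalNodeName and the
";LocalCachedUser;" marker that mobile (cached) accounts carry; the sample
records below are constructed.
"""
import subprocess
import sys

# dscl reports this when the record does not exist in the local node (".")
LOCAL_NODE_NOT_FOUND = "eDSRecordNotFound"


def parse_dscl_record(text):
    """Turn dscl's 'Attr: value' output into {attr: [values]}.

    Multi-valued attributes are printed as 'Attr:' followed by one
    space-indented continuation line per value.
    """
    record = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and ":" in line:
            key, _, rest = line.partition(":")
            current = key.strip()
            record.setdefault(current, [])
            if rest.strip():
                record[current].append(rest.strip())
        elif current is not None:
            record[current].append(line.strip())
    return record


def classify_account(dscl_output):
    """Return 'network' (no local record), 'mobile' (cached copy) or 'local'."""
    if LOCAL_NODE_NOT_FOUND in dscl_output:
        return "network"  # network-only, or the user does not exist at all
    record = parse_dscl_record(dscl_output)
    authority = " ".join(record.get("AuthenticationAuthority", []))
    if ";LocalCachedUser;" in authority or "OriginalNodeName" in record:
        return "mobile"
    return "local"


def origin_node(dscl_output):
    """For a mobile account, the directory node it was cached from, else None."""
    nodes = parse_dscl_record(dscl_output).get("OriginalNodeName")
    return nodes[0] if nodes else None


def classify_user(username):
    """Live check on a Mac: read the two attributes and classify them."""
    proc = subprocess.run(
        ["dscl", ".", "-read", "/Users/" + username,
         "AuthenticationAuthority", "OriginalNodeName"],
        capture_output=True, text=True)
    return classify_account(proc.stdout + proc.stderr)


# Constructed sample records (server name and hash placeholders are made up).
SAMPLE_MOBILE = """\
AuthenticationAuthority:
 ;LocalCachedUser;/LDAPv3/od.example.com:jdoe;...
 ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
OriginalNodeName: /LDAPv3/od.example.com
"""
SAMPLE_LOCAL = "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n"
SAMPLE_NETWORK = "<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(classify_user(sys.argv[1]))
    else:
        for label, sample in (("mobile", SAMPLE_MOBILE), ("local", SAMPLE_LOCAL),
                              ("network", SAMPLE_NETWORK)):
            print(label, "->", classify_account(sample))
```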

Similar Messages

  • Screen Sharing Broken for Network Account Admins Mac OS X Server

    Re: OS X 10.8.4, Server.app 2.2.1
After replacing a failed Airport Extreme -- and the resulting changes in server IP address -- Screen sharing is now broken for "Network" account administrators. "Local" administrators can screen share successfully.
    When logging in as a Local Admin, the System Log contains a single entry:
    Authentication: SUCCEEDED :: User Name: localadmin :: Viewer Address: 10.0.1.6 :: Type: DH
    When logging as a Network Admin, a similar line appears:
    Authentication: SUCCEEDED :: User Name: testnetwork :: Viewer Address: 10.0.1.6 :: Type: DH
    followed by screen-fulls of other log messages, eventually ending -- a minute or two later -- with:
    screensharingd[77693]: uid 1034 not found
    screensharingd[77693]: unable to get width and height of display.
at which point the client sees an "Error: Network connection lost." alert. 1034 is the UID of "testnetwork", as seen in
    dscl /LDAPv3/127.0.0.1 -list /Users UniqueID
    So apparently, Network users are authenticated, but screensharingd cannot find the user.
changeip -checkhostname returns "success". Just to be sure, I "Updated the Host Name" as suggested by the "Network Configuration Has Changed" alert in Server.app -- problem remains.
    How does one debug this? Are there more comprehensive debug logging options available for screensharingd or login window? Anyone else seen this problem?

    Linc: thanks for your inquiry.
    Here are more steps I've taken to solve this problem:
    1) From a Time Machine backup to a test partition, I restored the server from before the failure of the base station and found that the login problems were present then.
2) On yet another test partition, I created from scratch a new OS X Server. Added a local administrator, and a network administrator and discovered the same problem: network administrators cannot screen share, although in this case, they are simply unauthorized.
    Using dscl, things look OK: there is a /Local/Default/Groups/com.apple.access_screensharing that lists only the admin group, and the admin group contains networkAdmin.
    Furthermore, I can log in as the networkadmin from the login window, as "Other".
    Furthermore, I can ssh into the server using the networkadmin credential.
    I used odutil to boost the logging OpenDirectory log level. The logs are very verbose, but to my eyes, it looks like OD recognizes the networkUser, but screensharingd fails to authorize. See logs below.
    Can someone confirm that screen sharing from network admin accounts works at all? Is there a way to elevate screensharingd logging to find out more about why it rejects network admins?
    TIA
    /var/log/opendirectoryd.log
    4643.65273.65277, Module: search - ODQueryCreateWithNode request, NodeID: 3D4241C6-FAFF-4816-8F7C-B3E0ED6F56A6, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): networkadmin, Requested Attributes: dsAttributesStandardAll, Max Results: 1
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: search - queuing request to connection - '/LDAPv3/127.0.0.1:ldap:406935A6-9ADB-413A-A82B-7F30F4E9E5A1'
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - adding 'dsAttrTypeStandard:RecordName' for ambiguous name query
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - adding 'dsAttrTypeStandard:RealName' for ambiguous name query
4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - query with filter - '(&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))(|(uid=networkadmin)(cn=networkadmin)))', baseDN - 'cn=users, dc=testserver,dc=local'
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - found result - 'uid=networkadmin,cn=users,dc=testserver,dc=local'
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - ODQueryCreateWithNode completed, delivered 1 result
    4643.65273, Node: /Search, Module: search - ODQueryCreateWithNode completed, delivered 1 result
    4643.65278 - Client: screensharingd, UID: 0, EUID: 0, GID: 0, EGID: 0
    4643.65278 - ODNodeRelease request, NodeID: 184CFA31-1EB8-4384-B9CA-D04A93736CB1
    4643.65278, Node: /Search - ODNodeRelease completed
    clearing all node authentication connections
    /var/log/system.log:
    screensharingd[4665]: Authentication: FAILED :: User Name: networkadmin :: Viewer Address: 10.0.1.6 :: Type: DH

  • Can I enable simple finder for network accounts?

    Can I enable simple finder for network accounts?

This was possible (drop dead easy) through MCX. It was one checkbox. If you are supporting older machines, you might still be able to push out MCX settings. My experience with 10.8.x is that MCX is inconsistent at best.
In Profile Manager... Best suggestion is to look at creating a custom profile. For what it is worth, this is the default MCX setting if the Simple Finder option was set on a user. Note the InterfaceLevel = Simple.
<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>mcx_application_data</key>
      <dict>
        <key>.GlobalPreferences</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
                <key>AppleShowAllExtensions</key>
                <false/>
              </dict>
            </dict>
          </array>
        </dict>
        <key>com.apple.finder</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
                <key>AppleShowAllExtensions-immutable</key>
                <true/>
                <key>FinderSpawnWindow</key>
                <false/>
                <key>FinderSpawnWindow-immutable</key>
                <true/>
                <key>InterfaceLevel</key>
                <string>Simple</string>
                <key>NewWindowTargetIsHome</key>
                <false/>
                <key>NewWindowTargetIsHome-immutable</key>
                <true/>
                <key>OpenInColumnView</key>
                <false/>
                <key>OpenInColumnView-immutable</key>
                <true/>
                <key>ShowExternalHardDrivesOnDesktop</key>
                <true/>
                <key>ShowExternalHardDrivesOnDesktop-immutable</key>
                <true/>
                <key>ShowHardDrivesOnDesktop</key>
                <true/>
                <key>ShowHardDrivesOnDesktop-immutable</key>
                <true/>
                <key>ShowMountedServersOnDesktop</key>
                <true/>
                <key>ShowMountedServersOnDesktop-immutable</key>
                <true/>
                <key>ShowRemovableMediaOnDesktop</key>
                <true/>
                <key>ShowRemovableMediaOnDesktop-immutable</key>
                <true/>
                <key>WarnOnEmptyTrash</key>
                <true/>
                <key>WarnOnEmptyTrash-immutable</key>
                <true/>
              </dict>
            </dict>
          </array>
        </dict>
      </dict>
    </dict>
    </plist>
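The answer above points at a custom profile as the Profile Manager replacement for that MCX record. The following added example (not code from the original post) converts such an mcx_application_data plist into a Custom Settings configuration profile; it assumes the Custom Settings payload type com.apple.ManagedClient.preferences, whose PayloadContent keeps the same per-domain Forced/mcx_preference_settings layout MCX used, and the identifier and organization strings are placeholders. The embedded sample plist is a constructed, shortened version of the one posted.

```python
"""Convert an MCX mcx_application_data plist into a Custom Settings profile.

Added example, not from the original post. Assumes the Custom Settings payload
type com.apple.ManagedClient.preferences, which carries each preference domain
in the same Forced / mcx_preference_settings layout that MCX used. Identifier,
display name and organization defaults are placeholders.
"""
import plistlib
import uuid

CUSTOM_SETTINGS_TYPE = "com.apple.ManagedClient.preferences"


def mcx_to_profile(mcx_plist_bytes, identifier="com.example.finder.simple",
                   display_name="Simple Finder", organization="Example Org"):
    """Return the profile as a dict; plistlib.dumps() turns it into .mobileconfig."""
    mcx = plistlib.loads(mcx_plist_bytes)
    domains = mcx["mcx_application_data"]
    for domain, modes in domains.items():
        # Each management mode (e.g. Forced) must be a list of
        # {mcx_preference_settings: {...}} dicts, or the profile is useless.
        for mode, entries in modes.items():
            if not isinstance(entries, list) or any(
                    "mcx_preference_settings" not in e for e in entries):
                raise ValueError("bad MCX entry for %s/%s" % (domain, mode))
    payload = {
        "PayloadType": CUSTOM_SETTINGS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".custom",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Custom Settings",
        "PayloadContent": dict(domains),  # domain -> {mode: [entries]}
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "User",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": organization,
        "PayloadContent": [payload],
    }


def forced_setting(profile, domain, key):
    """Look up one Forced preference in a generated profile (None if absent)."""
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] != CUSTOM_SETTINGS_TYPE:
            continue
        for entry in payload["PayloadContent"].get(domain, {}).get("Forced", []):
            settings = entry.get("mcx_preference_settings", {})
            if key in settings:
                return settings[key]
    return None


# Constructed, shortened MCX record carrying the Simple Finder switch.
SAMPLE_MCX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
 <key>mcx_application_data</key><dict>
  <key>com.apple.finder</key><dict>
   <key>Forced</key><array><dict>
    <key>mcx_preference_settings</key><dict>
     <key>InterfaceLevel</key><string>Simple</string>
     <key>ShowHardDrivesOnDesktop</key><true/>
    </dict>
   </dict></array>
  </dict>
 </dict>
</dict></plist>
"""

if __name__ == "__main__":
    print(plistlib.dumps(mcx_to_profile(SAMPLE_MCX)).decode())
```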

  • Login with a network account in offline, possible?

    Hello,
I have a question, since I had before Snow Leopard Server. So the question now belongs to the Lion Server, the dedicated server. And this is not an issue, but a few questions to you, and I need to plan the setup of the dedicated server if there is a way or a few ways to do it!
Before I could log in with a network account from Snow Leopard Server from my MacBook Pro. I think it is still possible to do it. But now today I just wonder is it possible to log in with a network account offline too, with no internet required? And what is the name for that? True, I don't know a lot about VPN and never used it, can you explain a bit about it? But I know when I logged in, I used an Open Directory account and this was a "virtual screen", no need to open the screen sharing program or whatever. It just was from the Login Window, also when you turn on the computer. Do you know the name and how I could use a network account offline on my Mac?
    I just want to give you an example:
If I am sitting in a flight to Vancouver from London, then there I have no internet access during the flight, so I just log in to the network account and this had a "cache" before. Of course I need to log in on the internet first to get all information and files on the computer, so these are stored on my computer. Then I am working with a presentation during the trip. When I have arrived in Vancouver, then I am connecting to the internet, so the computer, also the network account, will update to the server with these new files etc. or whatever I did during the flight trip.
    Here is few question sticks from the text above:
    1. Can I use a network account in offline?
    2. Do you know any name for this method in Mac?
    3. I don't know VPN, so what do this mean and containing what?

    Hi
    "1. Can I use a network account in offline?"
    If I've understood you correctly, yes.
    "2. Do you know any name for this method in Mac?"
    There are several: Portable Home Directories, Mobility, Mobile Accounts etc:
    http://manuals.info.apple.com/en_US/UserMgmt_v10.6.pdf
    Page 215 onwards. Additionally Page 163 if Active Directory is involved.
    "3. I don't know VPN, so what do this mean and containing what?"
    You could have googled this yourself but here you go:
    http://www.howstuffworks.com/vpn.htm
    Essentially it's a means of providing a secure connection from remote networks such as your home or possibly a hotel to a specific location - such as your office or place of work - which allows you to access Servers and/or Services as if you were at that location itself.
    ". . . so the computer, also the network account will update to the server with these new files etc or of these what I did in during the flight trip."
Depending on where you are and the size of the files this may be a doubtful/painful experience and possibly not worth undertaking? However only you would really know? IMO it would make more sense to sync these files once you were back on the Server's network. It's possible you may benefit by signing up for MobileMe or iCloud?
    HTH?
    Tony

  • Mobile Account Preferences visible on Menubar for Network Accounts

On Mobile Accounts (set up with Profile Manager), acting as network accounts (home folder on the server), the mobile account preferences are shown on the menubar. In addition, it says "last home sync" incomplete. Both are wrong according to my understanding.
    However it makes sense - and it if the case - if the account is really working as mobile account with local home folder on a e.g. macbook.
Does anyone have the same issue?

    I have the same issue. No fix yet.
    One of my machines has joined the network and seems to be ok in almost every way...clearly with the exception of this way.
    I will post if / when I find a solution.
    W

  • Script for adding a login item for all accounts in the system

    Hi,
Thanks for reading this query. I am new to the Mac environment. I have developed a Java application and created an installer of this application for the Mac system. I want to run this application on starting the system. So I have written an AppleScript for adding this application to the login items, and this script will run immediately after completing the installation process. And the entire process is fine. But the problem is, the application is added to the login items of only the user who installed the application. But I want the application to be available in the login list of all accounts created in the system. How can I achieve this? Once more thanks in advance. I am attaching my script below:
tell application "System Events"
        make login item at end with properties {path:"/Applications/MyApplication.app", hidden:true}
    end tell

    Hi,
    Try to use tables RSOSFIELDMAP, RSDSSEGFD and RSTRAN
    Hope it helps
    bhaskar

  • Setting Scratch for Network Accounts

    Hello,
We have a lab of 18 iMacs and 5 Mac Pros. We are using OD on an Xserve and we would like to set the Scratch disk for FCP 6.0.3 to use an external FireWire drive. The problem is each network account wants to use the network Home folder. Any help would be much appreciated.

    Nope...gotta set it manually in the program.
    Hey, the students have to know this stuff...so they'd better know how to set the scratch disk.
    Shane

  • Can not login to a network account.

    I dont typically support macs, but I have a client with an odd issue that I can not solve.
    He has a Macbook Pro with OSX 10.6.
    He logs in using his network account, authenticating against an OSX 10.5 server.
When he tries to log in, it appears as if he has a bad password.
    His account is able to login just fine on other Macbooks in the company. (So I'm assuming his network account and password are fine)
Other users are able to log into HIS Macbook just fine, including new accounts that have never before logged into this Macbook. (So I assume his macbook is communicating just fine with the OSX server)
    When I go into the accounts list in the Macbook, his account is not there. It's missing.
    If I try to create an account with his name, I'm told the account already exists.
    We ran diskutility to repair the permissions on the drive, but this did not fix the issue.
    Any ideas?
On the Windows support side I would simply rebuild the user's profile.. I'm not sure what the equivalent is on the Mac side.

    I'm having a similar problem. Could you let me know how to eliminate the mobile account using the command line?
    Thanks!

  • Disable Photobooth for network accounts

    Hi there,
I have Macs attached to a Windows Active Directory network.
    I am looking to disable some mac software on the windows login account without a mac server. Is this possible???
    any help is gratefully appreciated
    tim

    thanks guys

  • Windows 8-10 local login or use MS account login?

MS has one of the most attacked systems on the planet. Which they themselves proclaim. They are not storing your password haphazardly. They've been running in the user accounts business since at least 2000.. including Xbox Live (another huge target).. I would say it's unlikely they aren't doing the very best to handle that securely.

The unified login makes it easier to access all of your devices, computer, email, Xbox, etc. It also allows your personal Windows settings to be synced with other computers/devices. If you opt to use OneDrive your documents are synced as well. I would advise against storing sensitive information in any cloud service, but for most things it's perfectly safe. So long as you use good practices and good passwords the odds of your information being accessed is minimal. To directly address your password concern, Microsoft being a software industry leader is most likely using uniquely salted passwords in their database. Short version, even if your password hash is stolen from MS the group/individual that has it still wouldn't have your password and could not access your computer. Not that it's impossible to figure out a password that matches the...

  • Firefox vs Safari. Which one is the best for network accounts?

    Hi,
    I heard some people complaining about Firefox taking too much server cpu? I don't want to make any mistakes since I have a lot of network user accounts.
Does anybody have issues with Firefox?
    Thanks

    Firefox is better since it doesn't allow students to bypass the proxy.
    Example : in Safari, the students can type https://facebook.com rather than http://facebook.com to access the website.
    But Firefox proxy configurations have to be locked since student can change them.

  • Controlling email under parental controls for network accounts

I use OS X Server (10.8) to manage the kids' accounts at home, so they can log on to the laptop or desktop and all their stuff is there.
This works perfectly, as does the profile server ensuring that they have their parental controls set.
I've just started to look at creating an email account for the older one and found that whilst there is a great 'People' tab in the System Preferences parental controls, this doesn't seem to exist in Profile Manager at all.
Does anyone know how to set up 'safe' lists of people for inbound and outbound email using Profile Manager or directory admin?
    Thanks in advance

    Quick Kick wrote:
    Thank you.
    But does anyone know the default Parental Controls Settings, specifically under the Other tab?
    you can find them out yourself. make a new account and enable parental controls on it. then expand "other" and see what's checked and what's not checked.

  • One iMac cannot login to network accounts

    We have a small network with Lion (10.7.5) Server running on a Mac Pro and a variety of 8 iMacs and Mac minis that use the server for file sharing and network accounts. The client Macs are running a mix of Mountain Lion (10.8) and Mavericks (10.9). They have all 'joined' the 'Network Account Server' using the 'Login Options' section of the Users & Groups preference pane. And, except for one iMac, all the clients can log into network (or mobile) accounts from the server -- both ones that have previously been logged into on that machine and ones that haven't. However, one of the iMacs will not log into a network account. There are a few local accounts and logging into them is no problem. But every time we try to log into a network account on this iMac, the login dialogue just does the 'invalid login' shake. It seems not to check the login credentials with the server.
As far as I can tell, this iMac is set up the same as all the others. It has certainly joined the Network Account Server and there is a green dot by the server name in the Users & Groups preference pane. I have removed and re-added the server from there a few times, and I've even reinstalled Mavericks on this iMac (it is running 10.9.2). I haven't been able to find anything that has helped to solve this problem. Does anyone know why one iMac would refuse to use the network logins from the server when the others work? Or what I can do to gain further information?
    Many thanks.

    On your client machine login screen, type in ">console" (without quotes) in the username field and hit enter. Try and login with your network account username and password. What error messages do you get in console?
    Taylor

  • Can't Login With Network Account After Upgrade To Yosemite Server 4

    I've been putting off this troubleshooting for a while now, and after trying everything I could find, decided to post.
    - After upgrading my server to Yosemite with Server 4, and my MacBook to Yosemite, I can no longer login with any network accounts.
    - I was on clean installs of Mavericks before the upgrade.
    - I'm using SSL for the OD, with a GoDaddy cert, the same one that was working on Mavericks.
    - I've tried removing the laptop's binding using the Users and Groups preferences dialog, which does not remove the laptop's entry from Open Directory, so I manually deleted the record on the server.
    - I then choose to Join again, and it looks as though everything goes through, but I still cannot login with a network account.  Also, when rejoining, it does not create a binding on the server.
    - If I use the Directory Utility->Services->LDAPv3, and add it that way, entering the FQDN and checking Encrypt..., Use for auth and Use for contacts, it asks me for the directory admin username and password, and does in fact create the binding on the server, but I still cannot login.  What's strange about that method, is that it forces the use of the IP address of the server, rather than the FQDN, like I entered it, which would of course have problems, because the certificate's common name is the server's FQDN.  It does not allow me to change from using the IP address, graying out that field.
    - I've also tried destroying the OD and restoring from archive to no avail.
    It looks like many users have hit dead ends with this, with some having success by completely formatting and setting up a new iteration of the server, but I will not be doing that.  However, I'll be happy to try any other suggestions.
    Thanks for your time,
       -- Mike

         Okay, I've finally resolved the issue, thanks to the Apple Enterprise tech support team.  I'm thinking they wouldn't mind if I share this information, but I can't guarantee that this will work on your system or, worse yet, degrade your system further.  However, that's fairly unlikely, just make sure you have plenty of backups before you begin any troubleshooting session.
So I was told to perform the following instructions, which I did, line for line. The part about closing Server.app seems a given, but I'm not sure why they want you to open Server.app at the end (maybe taken out of context from some other instructions?). I did it anyway, but you should be able to begin testing, on a client workstation, right after rekerberizing is complete. I did, however, need to reboot my client, login as local admin, and then binding would proceed, and network users are able to login again. The engineer also let me know to expect an error, something like the following: "2015-03-11 21:58:38 +0000 Error synchronizing removal of attribute draft-krbPrincipalACL from record 72519e4c-7ac7-15e4-bd42-10adb1944cbc: 77013 result: 16 No such attribute" - this is apparently normal, and did in fact happen in my experience.
    So here's the fix:
    - Quit Server.app (don’t just close the window)
    - On the Open Directory Server, execute these Terminal commands:
      - sudo mkdir /var/db/openldap/migration/
      - sudo touch /var/db/openldap/migration/.rekerberize
      - sudo slapconfig -firstboot
    - Open Server.app
    And that's it.  I did nothing else on my OD server, just logged out.  Immediately tried binding on my MacBook client, it failed, I rebooted, tried again, it worked quickly, and I'm able to login with network user accounts again.

  • Converting a local account to a network account

    What's the best way to move a local home directory to a network account? I'd like to convert the local account information to the network account. I have a OD server setup in Leopard 10.5.5 and the client is 10.5.5 also.
    The user is setup on the server and I just need to get all of the user's local data into the network account, I will delete the local account when all the files are transferred.
    Thanks.

    i usually do the following on the client side:
login as a local admin or other user with admin privileges
    rename (mv) the user's local home
    delete the user's local account via the accounts pane or dscl
    ensure the machine is bound to od
    login and create a phd for the user in question
    ensure that works fine and sync settings look ok
    logout as the user, login as the admin (this can be done remotely)
    mv the old home back to match the user's shortname on the server
    change perms to set ownership on the new/old home
    delete the remains of the original portable home (should be basically a default homedir) if you haven't yet
    login again as the od user, and it should work
    now, you'll have to be careful to maintain proper permissions and check sync settings afterward, but this approach generally works. alternately, you could rsync the local home to the network home with the user still logged in, and then skip a few steps above.
