NFS automount group security

Hi I am not the sysadmin, so please bear with me...
I have had E3500 Solaris 2.6 file systems automounted from a couple of dozen Solaris 2.6/8 servers in order to perform Oracle backups to a centralized disk farm for later tape backup. The file systems are owned by oracle:dba and the NFS works great for this purpose!
That said, is there a way I can control access to the centralized file system so that only the servers I want can automount the directories? In other words, if someone owns an Ultra-10 on the network, and creates an oracle:dba account they cannot see the directories?
thanks
Dave

1. On the servers that own the file systems to be backed up, specify the NFS share options utilizing the -o ro=client:client: syntax.
example:
Update /etc/dfs/dfstab
share -F nfs -o ro=backupsys1:backupsys2,rw=sysadmin1 /the/filesystem
If you specify ro= or rw= or use them together, then only the hosts you specify can mount the NFS shared files.
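
One way to check every share line in a dfstab against the rule in the answer above, as an added example that is not part of the original thread. The function names `audit_dfstab` and `write_sample_dfstab` and the sample paths are hypothetical; the script assumes the share_nfs behaviour that a bare `ro` or `rw`, or no `ro`/`rw` option at all, applies to every client.

```shell
#!/bin/sh
# Added example (not from the original thread): report which NFS shares in a
# Solaris-style dfstab are limited to named clients via ro=/rw= access lists.

# audit_dfstab FILE
# Prints one line per NFS share: "RESTRICTED <path> <clients>" or
# "OPEN <path> <reason>". Returns 1 if any share is OPEN, else 0.
audit_dfstab() {
    awk '
    /^[ \t]*#/    { next }                   # comment line
    $1 != "share" { next }                   # blank or unrelated line
    {
        gsub(/-d[ \t]+"[^"]*"/, "")          # drop a quoted -d description
        fstype = "nfs"; opts = ""; path = ""
        for (i = 2; i <= NF; i++) {
            if      ($i == "-F") fstype = $(++i)
            else if ($i == "-o") opts   = $(++i)
            else if ($i == "-d") i++         # unquoted one-word description
            else                 path   = $i
        }
        if (fstype != "nfs" || path == "") next

        open = ""; clients = ""
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
            if (o[j] == "ro" || o[j] == "rw") {
                open = "bare-" o[j]          # assumed: applies to every client
            } else if (o[j] ~ /^(ro|rw)=./) {
                list = o[j]; sub(/^[^=]*=/, "", list)
                clients = clients (clients == "" ? "" : ":") list
            }
        }
        # Assumed default: with no ro/rw option the share is rw for everyone.
        if (open == "" && clients == "") open = "no-access-list"
        if (open != "") { print "OPEN", path, open; bad = 1 }
        else            { print "RESTRICTED", path, clients }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: the first line is the share command from the
# answer above; the other paths and options are made up for illustration.
write_sample_dfstab() {
    cat > "$1" <<'EOF'
# constructed sample dfstab
share -F nfs -o ro=backupsys1:backupsys2,rw=sysadmin1 /the/filesystem
share -F nfs -o rw -d "oracle dumps" /export/dumps
share -F nfs /export/scratch
share -F nfs -o ro=backupsys1,nosuid /export/archive
EOF
}

tmp=$(mktemp)
write_sample_dfstab "$tmp"
audit_dfstab "$tmp" || echo "at least one share is not limited to named clients"
rm -f "$tmp"
```

On Solaris, run the awk part with nawk or /usr/xpg4/bin/awk, since the legacy /usr/bin/awk lacks gsub().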

Similar Messages

  • After Security Update, NFS automount hangs login over LDAP

    We currently have a laptop lab in the process of being set up. We have 45 MacBook Pro systems with Snow Leopard 10.6.4 installed. We had set up LDAP authentication for users to log in to our directory server and it worked great over both wired and wireless (WPA2). After installing security update 2010-005, systems hang upon logging in over wireless. We believe the problem is with an NFS automount we set up, because removing the automount allows users to log in successfully over wireless. The NFS is crucial so that users can save data to the server, however, so this is not a solution. Are there any configuration tweaks to undo what's been blocked by the security update?

    After installing update 2010-005, I am having issues with my system hanging during startup (stays indefinitely on the grey 'apple' screen, with a spinning icon, and no status or message stating what it is trying to do).
    I am able to restart, hold SHIFT, and boot into safe mode, with limited functionality, but have not been able to resolve the issue.
    How did you determine that it was hanging on wireless login? (I have not found a log file that states what the system is doing during startup, or why it's hanging)
    I have searched for issues like this, and most posts recommend removing entries from /Library/Caches and other similar items, but I'm concerned that I might be starting out with a small problem, and then cause a much bigger problem by removing system entries without really knowing what's broken in the first place.
    Is there a debug screen during startup, that would tell me what steps it's taking? (or a log file?)
    I've looked through all of the entries available to the console log review app (apps/utilities/console.app), and was hoping that 'system.log' would tell me what's going on, but so far I'm not seeing anything useful. (there are errors in there, and it looked like there was a crash around the same time as the update was happening, but I'm not seeing any entry during startup that shows what it's trying to do, and reveals that it's just stuck on that task)
    I've run some of the tasks in the 'Snow Leopard cache cleaner' and onyx utilities, but that hasn't fixed my login problem.
    Any info you have on further diagnosis, rolling back the update, or anything I should try next, would be greatly appreciated!

  • Can't Shake NFS Automount, please HELP!

    Mac connects directly to cable modem.
    Problem? Something keeps grabbing me when I go online... my Mac cannot change its IP address.
    Folder called automount gets created upon reboot.
    Network icon - get info - shows the following: Kind of file is Alias. It is located at /Network. Server is nfs://automount%20-nsl%20%5B197.
    I've been getting this forever - If I get rid of it, it reappears.
    I have no network here, I'm a home user.
    My Windoze doesn't have this automount and gets a new IP each time... but my Mac is locked.
    Can anyone please help me?
    PS - I've tried DHCP renew, it doesn't work at all, nothing happens. My ISP is clueless about this. I believe it is locking onto a static IP but I'm not the one making it do it!

    You report that you're connecting the Mac directly to a Motorola Surfboard without a router. What model Surfboard? (There should be a sticker on the bottom) How is the Windows PC connected to the internet? I have a Motorola Surfboard at home driving a Mac and Pc, but through an Airport Basestation / router. I suspect that putting a basic four-port US$30 router between the modem and the Mac would help. Note that the Motorola Surfboard FAQ notes that multiple computer support requires a separate router. If you just switch the Ethernet cable from the modem between the PC and the Mac, or connect the Mac via Ethernet and the PC via USB, the modem doesn't accept the Mac's MAC (hardware-specific Media Access Code) after grabbing the PC's MAC code on power up. Putting a router between modem and computers and resetting the modem along with restarting the computers will force the modem to grab the router's MAC, and the router will then serve private-network IPs to the attached computers. Any router currently on the market will also give you a NAT firewall as well; this hardware firewall can safely be used along with the OS X and Windows software firewalls and can greatly increase the security of your computers (especially the Windows one).
    Also from the Motorola FAQ: My computer keeps pulling a 169.254.x.x IP address, the modem has been reset and power cycled and the computer is still getting the same IP address, how do I correct this?
    Disconnect the Coax cable from the modem and restart it. Once the "Receive" light begins flashing reboot your computer. If the modem and the computer are communicating, the computer will get a 192.168.100.11 IP address (192.168.0.x with the SBG900) from the cable modem. Shut down your computer. Connect the Coax cable to the cable modem, restart it, and wait for the modem to sync up with the cable company. Once the modem is in sync (Power, Receive, Send, On-line are all illuminated) restart the computer. Once the computer has restarted check the IP address. The computer should have a valid IP address from the cable company. Computers attached to the SBG900 will always get a private (192.168.0.x) address regardless of whether or not the SBG900 is registered on the cable system.

  • Implicit Fact and Group Security Filters

    Hi All,
    Can somebody confirm for me if the Group Security filter as specified under 'Hr Org-Based security' is supposed to be applied in answers when the only reference to the fact table is via its selection as the implicit fact within the presentation catalog.
    E.g. User selects Dim1, Dim 2 and Fact Measure, the query is filtered correctly by users organisation, when the fact measure is removed, OBIEE keeps the same fact table within the generated SQL as it is the implicit fact used to join the two dimension tables together. The results this time are not filtered by organization and it's possible to return dimension records for fact rows that are from a different Org - In this case the user can return absence start and end dates for employees outside of his org (Customer wants this prevented)
    Is this expected behaviour ?
    Thanks.

    Hi John
    Thanks for your suggestion
    I tried this and he still doesn't have write access
    He doesn't need to be able to lock and send values via essbase ... However when we are in planning, he can't submit data to the dimension members mentioned above.. i.e the cells are all green
    I have checked and double-checked the security on the dimension members (and form security) in the form that he can't edit
    Do you have any other suggestions?
    Thank you
    PD

  • Page & Page Group Security

    Looking for a fast way to check all the Page & Page Group Security? to see what they are all set to w/o having to go through everything manually.
    Thanks

    Did you ever find a solution to this?

  • User and Group Security Provisioning

    Hi,
    I have a question regarding Group security in Planning. I am using EPM system 11. My basic question is, if I create a new Planning user (interactive user with no default access to dimensions), and assign that user to a Planning group, does the user automatically inherit all the dimension access assigned to that Group? From my experience, it seems that I must explicitly assign each User access to the dimensions they should be able to Read or Write, and that simply adding them to a group that has been given Write access to the Expense Account (for example) does not give a newly added user to that Group Write access.
    A quick note - when creating new Users, I first create and provision them in Shared Services. However, in order to be able to log in with them, I must recreate the user in EAS's User Directory. This seems redundant to make a user twice, but is the only way I am able to successfully log in with new users, otherwise the Planning login page says "failed to sync with user provisioning". I have not done this same procedure for the Groups I have created (i.e. I have made and provisioned the Groups in Shared Services, but not recreated them in EAS). Is it possible that this is why Users aren't inheriting the access rights of the Group? I can provide more information if needed, any help or comments are appreciated. Thanks in advance.

    user3x3 wrote:
    1) EAS method is to open EAS, then open the Essbase Server Node, right-click on security, and click Externalize Users. When I do this there is no right-click option to externalize the users, and since it can only be done once and then not reversed I assume the previous administrator already did this. Since this is not available, I must use the second method.
    If you log in with an administrator account you should see the "Externalize Users" option even if you have already externalized.
    I take it you did not configure your system, I take it it was documented so you could have a look how it was configured.
    If essbase is on a different server than shared services then maybe the essbase server was not registered with the shared services registry when it was configured, that might be the reason why you are getting the shared services error when you try to convert to shared services security, basically it doesn't know where shared services is. If that is the case then it will need to be configured again.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • User and group security

    Not sure if this fits here, but here goes...
    I have a subportal folder, with a community inside. Inside the community, I have groups. If I give one group the admin level authority, is it just for that community and all of its content, or is it the whole portal. The admin docs are very granular on user and group security throughout the various ways of applying it. What I am trying to do is give a group admin control over a single community as well as full admin control of all groups in the communities admin folder. BUT just those things.
    thanks

    If I recall correctly, there is no inheritance of user and group rights in PT, at least not in 5.x. If you give some rights on a specific object/folder to a specific group, then it will be for that object only and none of its children.
    You do have a choice of propagating of user rights down the ownership tree however. I.e., if you select a community and set some rights for yourself, it will prompt you if you want to propagate the same permissions down the chain, to all of its children. If you say yes, it will replace permissions on all its children by creating copies. If you say no, you'll have to go and apply different permissions on each child individually.
    Ruslan.

  • Group Security Issue with Business Rules

    Hopefully you experts out there can follow this. We have about 200 users in our Planning application split into 3 categories (Admins, Interactive Users and Planners) via groups setup in Shared services. We also have an email group list setup in Outlook that has all 200 users in it that we use to send out emails to all users regarding the application. So in Shared Services we have the email group list as an assigned group in the Planners group. So as new people are added to the group list in email they are automatically included as a user in the Planning application. People that are Admins or Interactive Users are manually added to those groups in Shared Services. Everything seemed to be working fine until we tried blocking the Planners groups from running certain business rules in the application. We have clusters setup in Essbase to control access to the business rules. I went into the cluster and set the Planners group to cannot validate or launch on certain rules but found that I now could not run the business rules either even though I am an Admin and the Admin group has validate and launch privileges in the cluster. I believe the issue has to do with the fact that I am by default in the Planners group because I am in the email group list which is assigned to the Planners group in Shared Services. Other than setting up and managing 3 separate email group lists and assigning them individually in Shared Services, does anyone know how I can manage business rules security using the 3 groups I have setup? I hope this makes sense. If not I can provide more detail. Thanks.

    Have you tried using Business Rules projects? Create a project for the admin Shared Services group and assign all rules to that group. Create a Planning project for planners and assign only rules that you want them to run. Any rule that planners should not have access to would be removed from the Planner business rules project, but still in the admin project for you to run.

  • How do I make nfs automounted volumes visible in Finder?

    or, in other words, have opposite option to default nobrowse?
    from mount manpage
                 nobrowse
                         This option indicates that the mount point should not be visible via the GUI
                         (i.e., appear on the Desktop as a separate volume).
    this is edited mount command output from Mac Pro
    mac-pro:~ ivarss$ mount
    /dev/disk0s2 on / (hfs, local, journaled)
    devfs on /dev (devfs, local, nobrowse)
    map -hosts on /net (autofs, nosuid, automounted, nobrowse)
    map auto_home on /home (autofs, automounted, nobrowse)
    map autofs_nfs on /Volumes/lto5 (autofs, automounted, nobrowse)
    /dev/disk1s2 on /Volumes/VFS HDD 0122 (hfs, local, nodev, nosuid, journaled, noowners)
    varaklani:/nfs on /Volumes/nfs/faili (nfs, nodev, nosuid, automounted, nobrowse)
    thanks!
    shpokas

    Well, when you add a component, its size is 0,0 and it is located at the top left corner (0,0 point of its parent container). When you call pack(), the components are resized, and their placement is set.
    So what you did wrong is that you're trying to repaint the panel1 - therefore panel2 never appears, since its dimension is 0,0.
    There's a solution though. Call the validate method of the container you add the component to - that is, jPanel1.validate() instead of its repaint method. Then panel1 will resize the components it contains. Then it's not necessary to call the repaint, it'll be done automatically, because the container's graphics area is not valid any more after the validation.
    private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
         // Add your handling code here:
         JPanel2 p = new JPanel2();
         jPanel1.add(p);
         // jPanel1.repaint();
         jPanel1.validate();
    }

  • LDAP and Notes Group Security Authentication Troubles

    First, my apologies if this is in the wrong forum, but after looking at the forum names a few times this seemed the most appropriate.
    I have a PDF file that I would like to have access restricted to a certain group on my organization's directory server. I'm kind of the new guy here, so I'm not 100% certain on this, but I'm pretty sure that our setup is:
    A Lotus Domino LDAP server storing the directory information in a Lotus Notes database. Each user has a Notes certificate stored on the server for authentication to various databases we have on our intranet.
    I've entered the LDAP server information in the Security Settings... window in Acrobat, and I'm sure it's correct as I can use the same information to browse the LDAP server with Softerra LDAP browser. There is no authentication required, but the server might restrict access based on domain; I'm not sure (shouldn't matter). Anyway, when I go to Manage Trusted Identities... then Add Contacts, then Search, I can never get any results to return.
    I wish to only allow users in a certain group, CN=ALLOWED - GROUP, to have access to the PDF. I feel that there should be a way to accomplish this with the Notes certificates. Anyone know what I'm doing wrong or need to do?
    If something I've said is wrong or unclear, I'd be happy to try again; this sort of thing isn't my forte.
    Thanks in advance,
    Mark

    > I guess the CA is the machine that's hosting the Lotus notes database
    No, the CA is merely an "entity". It's your Certificate Authority, the master certificate used to sign and authenticate all subsidiary certificates. You are talking about setting this up as a PKI for signature validation and managed security, right? Or am I way off base with your workflow and leading you away from where you should be (if so, feel free to ignore me - lots of people do)?
    Leonard is right though, for securing individual PDFs to a specific group you would need LiveCycle Rights Management ES. The security needs to be in the PDF itself otherwise it's useless. Say you configure your security at an application level, as you are trying to do, and then someone copies the PDF to a USB key and takes it home. No longer on your network, so they can now freely open the document.

  • NFS / automount hangs on Solaris 10 SunOS oats 5.10 Generic_125100-07 sun4u

    We are running Solaris 10 125100-07 on a SunFire V440.
    We host computer services for another department on this host.
    The server acts as both an NFS server and an NFS client. We do a lot of cross-mounting in our environment due to the lack of large centralized storage.
    This particular machine automounts shares from our Solaris 8, 9 and 10 servers and possibly a few Suse servers, and a NetApp owned by another department.
    Every day and a half or so, something happens to either NFS or the automounter, and the machine 'hangs' in that we have NFS requests that never get filled.
    Restarting either autofs or the nfs client, or both does not seem to help. The only fix we have found so far is a reboot.
    We have throttled NFS_CLIENT_VERSMAX to 3 and set AUTOMOUNT_VERBOSE and AUTOMOUNTD_VERBOSE both to TRUE.
    The general failures we see look like this:
    May 17 04:44:15 oats nfs: [ID 333984 kern.notice] NFS server grieg not responding still trying
    May 17 04:44:15 oats last message repeated 1 time
    May 17 04:46:15 oats automountd[392]: [ID 196269 daemon.error] dupreq_nonidemp: duplicate request in progress
    May 17 04:49:57 oats last message repeated 4 times
    May 17 04:52:15 oats automountd[392]: [ID 196269 daemon.error] dupreq_nonidemp: duplicate request in progress
    The dupreq_nonidemp messages repeat until we reboot.
    The nfs server that does not respond varies from day to day. No other computer on our network complains about it.
    This started after we installed 125100-05, and has continued through 125100-07.
    As far as I can tell we are up to date on patches:
    root@oats # smpatch analyze
    No patches required.
    Any thoughts?
    I was thinking I might back out 125100-XX.
    dale

    Interesting,
    we have the same problem on SunOS Generic_118833-36 on V440, V445, V240, V245, but not on an old E420, and not on a T2000.
    We upgraded them with patch cluster to Generic_138888-07, but it has not changed anything:
    E420 and T2000 are stable, the Fire-Vxxx have problem, each has its own "problem interval": one system 1.5 days, two systems 10 days, one every 3 months.
    The problem is: NFS/TCP is suddenly dead. Then all NFS mounts, e.g. a manual mount, is hung with "NFS server not responding". A reboot helps.
    We have added proto=udp to the mount options. No more problems since.
    Permanent mounts, without Automounter, would certainly work, too.
    But IMHO there is nothing wrong with Automounter itself, but the hanging occurs e.g. after 4000 NFS mounts, and Automounter is the enabler for that.

  • How to create NAS nfs automounts in Mavericks

    So I had 3 automount nfs shares working in Mavericks last week, but for some odd reason all stopped working along with access to TimeMachine on my NAS and the ability to open disk images.
    After some digging I removed my automount modifications to auto_master in /etc and all started to work again... my problem now is how do I now get my 3 automounts to work again so Aperture and iTunes can see their content on my NAS...
    I had added this line to auto_master /Volumes/  -auto_share
    I had created a file in /etc called auto_share and this contained the following
    Vault -fstype=nfs,soft,intr,rsize=32768,wsize=32768,noatime,timeo=900,retrans=3,proto=tcp 192.168.128.20:/Vault
    Multimedia -fstype=nfs,soft,intr,rsize=32768,wsize=32768,noatime,timeo=900,retrans=3,proto=tcp 192.168.128.20:/Multimedia
    Aperture -fstype=nfs,soft,intr,rsize=32768,wsize=32768,noatime,timeo=900,retrans=3,proto=tcp 192.168.128.20:/Aperture
    This worked and then it stopped...
    Any help appreciated
    Andrew

    Hi Andrew, as promised, here is my login script. Substitute anything in and including <> for your info. Copy/Paste into AppleScript Editor, save as an .app and add to login items for a user. Logout script to follow.
    tell application "Terminal"
         try -- See if the NAS is awake, if not, wake it and give it time to appear
              do shell script "ping -c 1 <ip address>"
         on error
              tell application "Terminal"
                   try
                        do shell script "/Applications/wol -q -p=7 <mac address>" -- if the NAS supports WOL
                        delay 120 -- give more or less after timing NAS startup time
                   end try
              end tell
         end try
         try -- Make the mount points, repeat for how many are needed
              do shell script "mkdir /Volumes/<Dir1>"
              do shell script "mkdir /Volumes/<Dir2>"
         end try
         set success to 0
         repeat 5 times -- try the mounts 5 times, then bomb out
              delay 5
              try -- perform the mounts, change protocol formats as required (e.g. for SMB mounts "smbfs://...")
                   do shell script "mount -t afp afp://<user>:<password>@<ip address>/<Share1> /Volumes/<Dir1>"
                   do shell script "mount -t afp afp://<user>:<password>@<ip address>/<Share2> /Volumes/<Dir2>"
                   close every window -- close Finder windows that automatically open on mount
                   beep
                   activate
                   with timeout of 43200 seconds -- Display success dialog and wait up to 12 hours (doesn't need that long) for user to click "OK", reason: see last line, leave out if not needed
                        display alert "<Share1> and <Share2> are now available."
                   end timeout
                   set success to 1
                   exit repeat
              on error number errNum
                   tell application "Terminal"
                        quit
                   end tell
              end try
         end repeat
         if success is not 1 then -- the bomb out section
              beep
              activate
              display alert "Please check that NAS is on then Log Out and Log In again. ( " & errNum & " )"
         end if
         quit
    end tell
    tell application "<application name>" to quit -- auto-close any apps that you don't want running for this session, without OK message delay above, script will time out and this line won't execute

  • CC&B User group Security

    Hi,
    When a user is attached to multiple User groups (User group 1, User group 2), if User group 1 has access to change premise and User group 2 does not have access to change premise then the User has no access to change Premise. This is the current behavior of CC&B. Any way to change this? User group 1 has Change access to Premise application service and User group 2 does not have change access to Premise application service. User is linked to both User group 1 and User group 2
    it appears to be only when there is custom security
    Requirement is to set up like even if one User group has access then allow the user to make changes in premise. How to accomplish this? Suggestions please
    Edited by: user8861524 on Jun 3, 2013 4:31 PM

    Hi
    First have you maintained the usergroup authorisations for that Z table? first do that.
    Then in the at selection-screen event you have to write the code:
    If R1 = 'X'.   " when one of the radiobutton is selected
      if R_main = 'X'.    " when pressed the Maintain button
         <write a select or other check for User group authorisation for Z table>
    endif.
    endif.
    Reward points if useful
    Regards
    Anji

  • Migrating HSS MSAD group security

    Hello All,
    I have been tasked to migrate Shared Services Security from one environment 11.1.2 to another 11.1.2. This is normally not a hard thing to do. This situation is different as the provisioning is done through MSAD groups (i.e. no Shared Services Native Groups). When I perform an LCM extract, there is no reference to any of the MSAD groups or any of the provisioning against that group. Does anyone know if this can be done? Please advise, thank you in advance for any help that you can provide.

    You will probably need to issue a create first for example
    create or replace user 'essuser' type external;
    alter user 'essuser' add to group essgroup;
    or
    create or replace user 'essuser@LDAPNAME' type external;
    alter user 'essuser@LDAPNAME' add to group essgroup;
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Group Security in Planning

    Hi All,
    I have a question related to Planning dimensions security using groups. Say there is User-A, User-B, and User-C and I created 2 groups using these 3 users in Hyperion Shared Services in the following manner
    Group-1 : User-A and User-B
    Group-2 : User-B and User-C
    (User-B is present in Group-1 and Group-2.)
    The question is - in Planning, if I give following access rights to the above two groups for a member of a dimension, what kind of access would User-B get to that member?
    Group-1 - Read/Write
    Group-2 - None (NoAccess)
    Is it None or Read/Write?
    Any help would be greatly appreciated.
    Thanks,
    Prashanth
    Edited by: HypUser on Mar 29, 2011 8:46 AM

    None takes precedence over Read/Write.
