Open Directory users can't access shares

Similar Messages

• Open Directory Users can't add printers

  Hi all,
  I've set up my teachers on OD on OS X Server 10.5 but now when they log in, they cannot add any printers. I've tried many different things to get the lock on the Print & Fax System Pref to be unlocked by default but nothing I've tried works.
  When I log into the computer as an admin, the Print & Fax is unlocked. Logging in as a user via OD locks it. I've checked to make sure that the users are not being managed via OD prefs. Even if they are the lock still appears. Does anyone know what I can do to fix this?
  thanks!

  Ah! Thanks! No wonder I cannot do this...
  Unfortunately, the printers are all USB shared printers connected to computers on the network. Is there anyway to preset these printers? They don't show up in the Print manage settings at all.

• Make Open Directory Users/Groups Administrators on Mac clients

  I have setup a OS X 10.8 server with Open Directory and have 2 mac os x mountain lion clients.  I would like for the user accounts I have created in the Open Directory to have admin access to the 2 mac client machines.  How can I do this?  I am new to OS X server.  Is there a Group Policy type equivalent like in Windows? 

  Ah! Thanks! No wonder I cannot do this...
  Unfortunately, the printers are all USB shared printers connected to computers on the network. Is there anyway to preset these printers? They don't show up in the Print manage settings at all.

• Mountain Lion Open Directory Users PhotoShop Elements 6.0

  Under Mac 10.8.5 , Licensing works fine for local users, but it fail for Open Directory Users.
  specifically I'm trying to launch Adobe Photoshop Elements 6.
  none of my workstations are connected
  it worked just fine under Leopard and Snow Leopard.
  running disk utilities repair permissions did not help.
  running the License Repair tool from adobe did not help.
  deleting the FLEXnet Publisher
  and Preferences/FLEXnet Publisher
  and the
  Preferences/FLEXnet Publisher/FLEXnet did not help
  all of my open directory users are group 1028
  i have
  chgrp -R 1028 /Library/Application Support/Adobe/
  chgrp -R 1028 /Applications/Adobe*
  chmod 775 /Library/Application Support/Adobe/Elements Organizer/11.0/
  chmod 775 /Library/Application Support/Adobe/Adobe PCD/cache
  chmod 775 /Library/Application Support/Adobe/Adobe PCD
  chmod 775 /Library/Application Support/Adobe/SLStore/
  chmod 777 /Library/Application Support/Adobe/Premiere Elements/11.0/AMTInfo.txt
  many of the files in these directories have permissions 664.
  several of the files that are frequently accesses were already 664 before i looked at them.
  i have over 80 user workstations.
  Mountain Lion OSX 10.8.5
  MacPro workstations 2 3.06 GHz 6-core intel Xeon
  12 Gigs of Ram
  Note i also have Adobe Premiere 11.0 installed on the workstations.
  Adobe Premiere 11.0 works fine after all the ownership and permission issues are solved.

  Hi OpenDirectoryDude,
  Photoshop Elements 6 has not been tested and has compatibility issues with Mac 10.8.5

• Authentication Delays / Slow Authentication for Open Directory Users

  I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
  The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
  * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
  * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
  * On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
  * Connecting with AFP takes several seconds when using an Open Directory login
  * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
  * Connecting with SSH does NOT exhibit the behavior
  In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
  The history of the problem:
  Used Tiger Server for over a year = no problems
  Clean install of Leopard Server 10.5.0 back in October = no problems
  Update to Leopard Server 10.5.1 = no problems
  Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
  So in desperation I backed up and did a clean install today. Here's the process I used:
  0. Erase the disk
  1. Install Leopard Server 10.5.0 from the install DVD
  2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
  3. Reboot
  4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
  5. Reboot
  6. Configure DNS (see below for detailed configuration)
  7. Reboot
  8. Change role to Open Directory Master
  9. Reboot
  ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
  I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
  == Basic Configuration ==
  OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
  Services Enabled:
  DNS
  Open Directory
  (All other services are not yet enabled)
  == DNS Setup ==
  Primary Zone: mydomain.private.
  Allows zone transfer: no
  Nameservers: ns.mydomain.private.
  myserver (Machine) 10.0.22.201
  ns (Alias) myserver.mydomain.private.
  Reverse Zone: 22.0.10.in-addr.arpa.
  10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
  Accept recursive queries from the following networks:
  localnets
  Forwarder IP Addresses:
  208.67.222.222
  208.67.220.220
  == Open Directory Setup ==
  Role: Open Directory Master
  LDAP Search Base: dc=myserver,dc=mydomain,dc=private
  Kerberos Realm: myserver.mydomain.private
  == Network Configuration ==
  Configure: Manually
  IP Address: 10.0.22.201
  Subnet Mask: 255.255.255.0
  Router: 10.0.22.1
  DNS Server: 127.0.0.1
  Search Domains: mydomain.private
  == Other Stuff ==
  Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
  I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
  I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
  Hopefully one of the gurus out there will be able to help me out.
  Thanks,
  jeff

  I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principles in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
  == kdc.log ==
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  == slapd.log ==
  Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
  Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
  == sudo klist -k ==
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]

• Saving so that windows user can have access?

  I have my project all ready and those with quick time...loads up perfectly. However those who have windows have a long wait or pile will not come up. Do you know how i can save my final cut express project so that window users can have access to it?

  thank you. one last question....the quick time movie file can not be seen when opening on a windows. do you know if i need a quick time pro so that i can convert it? or is there a way that i don't know about?

• How do I unbind a local user from an Open Directory user?

  I have a couple MacBook Pros running Leopard that successfully bound a local account to a corresponding Open Directory account using Directory Utility.
  I had to re-install Leopard Server (using Standard configuration) and re-create Open Directory accounts. Now these laptops are unable to bind to the new Open Directory accounts. They receive an error that the Open Directory user ID and password provided is incorrect. In addition the local user can no longer reset or change their password. I'm thinking this is because their local accounts are still bound to the old Open Directory accounts that no longer exist. Is there are way to unbind a local account in Leopard that has been bound to an Open Directory account via the Directory Utility.

  What account are you using to bind the machine? When binding you must authenticate using the OD admin login which is usually setup as diradmin or as the current client you are logged into the machine with, but this client needs to exist on the OD server.

• Other user can't access to OBIEE 11G installed on a server

  Hello,
  We have installed OBIEE 11G on a server ( windows sever 2008 r2) with admin account, and it works fine, But others users can't access to obiee 11g ( administration icons are white in their sessions) even they have admin rights.
  Can anyone tell me what should we do??
  Thank you.

  Hi,
  This is the exact format how my tnsnames.ora file looks. sorry, I can ping it in command prompt now. In my connection pool i tried first DSN =  ab.bc.xy.zx, did not work. Then I saw oracle's default repository and changed my DSN to your suggested format starting from "DESCRPTION" to rest. Still no luck Do you think, i should put the same TNS in my local machine??
  ab.bc.xy.zx =
  (DESCRIPTION =
      #(ADDRESS = (PROTOCOL = TCP)(HOST = 10.20.30.110)(PORT = 1521))
      #(ADDRESS = (PROTOCOL = TCP)(HOST = 10.20.30.120)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.20.30.130)(PORT = 1521))
      (LOAD_BALANCE = yes)
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SID = cap2)
  thanks,
  BK.

• Cannot find bookmarks - open directory user

  We have LDAP v3 at our school. A teacher logged on to a different computer and her bookmarks were missing. Since she is an open directory user, I believe her books should follow her. We were trying to figure out where on a Mac the bookmarks are stored...and we could not figure it out.
  We see the profile where an internet search told us the bookmarks were -- but we could not see them. What specific folder are they in and what is the name of the file/folder that contains the bookmarks?

  The name of the file is '''places.sqlite'''.

• CS5.5 refusing to open, launch so can't access urgent old site that requires work upon it

  Dreamweaver CS5.5 refusing to open, launch so can't access urgent web site created within it a while back that requires work upon it. CS4 not open/launch itself either? Therefore can't even export a site file to open up in a newer version but that won't run, support vital menu editing within it.

  Try clearing the program cache and/or restoring preferences...
  Deleting a corrupted cache file
  Restore preferences | Dreamweaver CS4, CS5, CS5.5, CS6
  If those don't work, you may need to reinstall using the Cleaner Tool. That won't affect your actual site files, but you would need to set-up the site definitions again within DW: Use the CC Cleaner Tool to solve installation problems | CC, CS3-CS6

• Lion: All Open Directory users obliterated

  After a rough migration from SLS, I've been running Lion Server successfully for a couple of weeks now.  However, this morning I saw that the file sharing services were down.  When I brought the server up on the monitor, the Finder was frozen solid.  I had to do a hard restart, and once it came up, all the Open Directory users are gone.  Only local users remain.  When I attempt to open the LDAP directory in Workgroup Manager it throws up a -14006 error.
  I'm going to attempt to rebuild the machine from a backup last night, but I'm wondering if anyone has any (quicker) advice.
  I'm tempted to just try and copy /var/db/openldap from the backup image over to the server, but I'm afraid it'll simply explode.  Is there a better alternative?  I don't have a current backup archive of *just* the open directory stuff...

  Restoring from a backup image "fixed" it of course, but I'm still curious how to restore the open directory database from a mirrored partition (i.e. without the use of an explicite restore from an open directory backup)

• The Plug-in window (I/O thing) won't open, so I can't access my plugins...What do I do?

  The Plug-in window (I/O thing) won't open, so I can't access my plugins...What do I do?
  When i double click on the window i am unable to change it from EVP88 Electric Piano in the left hand sidebar.
  When I watch tutorials on how to use parts of logic, people use the I/O as a menu, whereas it does not do that for me.

  In the online Help type    Basic Operations
  From the List choose..  Basic Operations    then in the left hand menu choose..    Using The Mouse.
  Look at the list of mouse operations, I think it's the third one down. 
  Read how many different mouse operations Logic responds to.
  If you really want to learn Logic, reading the manual is a good thing, not only to find what you're looking for but of of the extra/related information you will find as you solve your original question.

• Why the apple store is so expensive and why the apple users can't access for free after spending huge amount in apple phone ?

  Why the apple store is so expensive and why the apple users can't access for free after spending huge amount in apple phone ?

  The Apple store is correct. The warranty is not international, and Apple will not accept or return iPhones shipped from a different country.  You need to ship the phone to somebody in Hong Kong who can take it in to Apple for repair, or pay a third party repair shop in the Philippines to fix it.

• I changed itunes options the other day to only synch one playlist and now when I open itunes I can't access my library.

  I changed itunes options the other day to only synch one playlist and now when I open itunes I can't access my library or any playlists. 

  I think I fixed this problem a few years ago by literally copying and pasting all my audio content into the iTunes library folder. I can't remember what is called of the top of my head and I don't know if this will still work.

• Windows XP users can't access SMB/CIFS shares on MAC OSX10.4.4 Xserve bug?

  The Xserves are new for us. This problem involves two of the 10.4 xerserves.
  1 serves as an Open Directory System Master(10.4.3). 2 Serves as a file share & backup (10.4.4).
  Both are production machines and cannot easily be restarted.
  There is no Windows network, Active Directory or Windows domain in our network.
  We created a SMB and AFP share on the file server which is a member of the Open Directory. (It is bound and kerberized to server 1).
  The users all have accounts in the OD system and all passwords are Open Directory. Our users can ssh into the various xserves (including the file share server 2) and authenticate against OD.
  We made the shares available via smb under Protocols --> Windows File Settings. We turned the Windows Service on in Server Admin. I'ts a standalone server and all the authentication types are checked under access.
  The MAC (powerbook) users can access the share fine. The Windows users can't. The Windows laptops can see the file share server (through search - not visable is Network Neighborhood) but when they try and connect they are presented by an authentication box that just keeps cycling over and over regardless of what the user types as user name & passwd.
  I tried to access the smb share with my powerbook(10.4.4) and have the same issue. I'm presented with an authentication box but authentication fails.
  The Windows File Service Log shows:
  auth.c:checkntlmpassword(312)
  checkntlmpassword: Authentication for user [csmith] -> [csmith] FAILED with error NTSTATUS_WRONGPASSWORD
  [2006/02/24 21:52:03, 1] authods.c:opendirectory_authuser(212)
  User "csmith" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  [2006/02/24 21:52:03, 1] authods.c:opendirectory_smb_pwd_checkntlmv1(427)
  opendirectorysmb_pwd_checkntlmv1: [-14090]opendirectoryauthuser
  [2006/02/24 21:52:03, 2] /SourceCache/samba/samba-92.15/samba/source/auth/auth.c:checkntlmpassword(312)
  checkntlmpassword: Authentication for user [csmith] -> [csmith] FAILED with error NTSTATUS_WRONGPASSWORD
  [2006/02/24 21:52:03, 1] authods.c:opendirectory_authuser(212)
  User "csmith" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  [2006/02/24 21:52:03, 1] authods.c:opendirectory_smb_pwd_checkntlmv1(427)
  opendirectorysmb_pwd_checkntlmv1: [-14090]opendirectoryauthuser
  [2006/02/24 21:52:03, 2] /SourceCache/samba/samba-92.15/samba/source/auth/auth.c:checkntlmpassword(312)
  checkntlmpassword: Authentication for user [csmith] -> [csmith] FAILED with error NTSTATUS_WRONGPASSWORD
  [2006/02/24 21:52:03, 2] /SourceCache/samba/samba-92.15/samba/source/smbd/server.c:exit_server(595)
  Closing connections
  I've googled this error and it seems that there a lot of engineers out there with the same problem but no answers. Could this be a bug with Apple's SMB process? Is there something I've missed? (I've looked at the smb.conf and have even turned off deny clear text passwords - I've even tried granting guest access) Anyone have any ideas?

  On the server itself, run the following in the Terminal:
  (from a few different sources):
  run ps -auxw | grep Password
  to see if Password service is running
  Also check the logs in /Library/Logs/PasswordService
  Try: id username
  and see if you get some info returned.
  Ex: id jimguy
  You should get some info about uid, gid, groups.
  sudo killall -USR1 DirectoryService
  Then try to login from a client machine.
  Be sure to re-issue
  sudo killall -USR1 DirectoryService
  in order to stop the (far more) verbose logging.
  Then check the logs in /Library/Logs/DirectoryService
  In Open Directory, you might want to revert to standalone (this will destory the existing OD setup) and then re-promote to OD Master. You'll lose all OD users however when doing so. If you don't have many, this may be best.
  You'll want to verify the hostname, and forward & reverse DNS lookups before re-promoting, and watch for any errors when promoting to OD master
  See, when you say "The real clue is that I'm unable to access the shares from my Powerbook G4 with my Open Directory account. I can log in to the file share as the local admin though and that's why I'm thinking there is a bug in the samba/OD relationship. " - that's the real clue indeed.
  The local admin account, the first admin account you setup on the server, is indeed local, and resides in NetInfo, not Open Directory.
  So something is afoul in your OD.