Server Admin "Access" Section and groups
Hi all,
I read some posts about using the ACL in the server manager to control who can do what and I found exactly what I need...letting blog people have an account but not be allowed to log into my AFP share to do damage.
My problem is that when I go to put my "admin" and "HTTP users groups" into the ACL allowed list, they won't show up. I know in Server Admin and Workgroup Manager you have to turn on hidden system users/groups to see them, and I have them on, but I can't see them in this particular view. Does anyone have a workaround so I can set up these lists?
Thanks!
Spoke with our Apple rep and found a solution here:
http://www.bombich.com/mactips/scripts.html
The last script on the page allows for setting ACLs to groups.
What it actually seems to do is to create a new group called "* access" where ** is the service in question (afp, ftp, loginwindow, etc). It gets an ID from 500 forward, which makes it a user level group, which the server can see. It also gains a name like com.apple.access_*.
From there, it places the users/groups you define in the script into the group membership, and then applies it to the ACL.
All in all, it works very well, and I highly suggest it.
X Serve Mac OS X (10.4.7)
Similar Messages
-
Impossible to unlock network-admin, services, users and groups
Hi all,
it is impossible to unlock network-admin, services, users and groups in gnome.
Suggestions or ideas?
Thanks in advance
Greets
alessandro_ufms wrote:
xaiviax wrote: Just FYI, rebuilding system-tools-backends with ABS does not fix the issue for me.
Did you put your login user in group stb-admin, put stbd in DAEMONS in rc.conf and restart the computer?
Yes, although I didn't have stbd in DAEMONS before (worked fine), it still didn't fix the issue. Been watching this thread, just downgraded the package again, works great. I'd rather not downgrade on principle, but that's the only thing that works for me currently, so... -
I have a user who had full remote admin access to her Mac Server from her Mac desktop. We recently changed out her desktop for a new iMac. She no longer has full admin remote access to the server. Did I miss something on the setup of the new machine? She can walk to the server and log in with full admin access, but the remote session does not allow for full admin rights. Any help would be appreciated.
Remote access via what? Server.app? Server Admin.app? Remote Desktop?
What OS(es) were running previously, what OS(es) are running now?
What admin rights are unavailable (i.e. what can't she do?) -
I need access to the hotmail server admin account for my company's domain. We hired someone to set up our domain email accounts [email protected] and now that the person is no longer with the company we don't have any way of logging into the admin to manage/delete/add new email addresses to the company's domain. PLEASE HELP!!!
Hi Lee,
I guess you mean Office365 and not hotmail?
If it's Office365 you should post your questions here:
https://community.office365.com/nb-no/f/default.aspx
If it's Hotmail then you should check here:
http://windows.microsoft.com/en-us/hotmail/hotmail-help
For Office365 administration login is: https://portal.office.com/
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work -
Accessing username and group name from an external app
How can I access the user name and group name from an external app..? Where is that stored..?
Thanks
Fernando
Post Author: pvierheilig
CA Forum: Crystal Reports
Each BOE document has a unique ID. Knowing that will allow you to access it via a URL while passing required login credentials as well, if I recall correctly. However, your very best bet is to review the SDK. -
Access Connections and Group Policy generated network profiles
Hello,
We are in the middle of rolling out 3500 T400 machines and are having fits with Access Connections 5.02. We have a default in-house Preferred Wireless Network Profile that is created on each machine via Group Policy. This works fine with AC and everything does what is supposed to do when our users are in our buildings. When our users go offsite, we have nothing but fits with AC and trying to set up any other WAN connections.
If users set up a new network connection, we are asking them to set it up through AC. We have had them try using both the "Use Windows to Configure Wireless Network" as well as "IEEE 802.1X Authentication". Once the network connection is set up, for some, the wireless will work for a short period (a week or so) and then will no longer detect network connections. Neither the user nor the client site has made any changes to the wireless configuration.
Others will have a stable connection wirelessly until they connect over VPN – VPN will drop in a few minutes after connection. They can then sometimes reconnect after a reboot; but the instability is a constant problem.
It seems to me that the problem could all be traced back to GP enforcement, which occurs every 8 hours when connected to our network. If a user is offline for several days, then connects up to check email or transfer time or whatever, then they are kicked off. If a user connects via VPN, they are kicked off within minutes - again potentially traceable to GP enforcement.
Has anyone else dealt with this scenario of Preferred Wireless Network policies and Access Connections?
Thanks!
Try going back to AC 4.52, which solved the problems I was having with AC5.02 (freezes, BSOD, loss of wireless connections when coming out of standby, GUI problems) on Vista Home Premium. Scroll down for previous versions of AC5.02 here:
http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-67283
I do not use a VPN system so AC4.52 may not help your 3500 Thinkpads.
Lenovo (Mark_Lenovo) has known there are problems with AC5.02 for the last three (or more) months and has stated that AC 5.1 will solve the problems, but it has not been released as far as I know. There are many threads on AC5.02 on this forum and also on thinkpads.com.
The Lenovo Blog site also has an update on AC5.02 under "Design Matters" on how they selected the graphics for wireless connections - the responses there offer some suggestions to fix the problems.
T60: 6371-CTO, VISTA Home Premium+SP1, 2GB....R51: 1836-Q4U,XP,1GB...600...755CD -
Adobe Media Server Admin Consol Question and buffering
2 part question
Under applications and streams for VOD, what exactly are cache hits and misses? Also, is there an option so that if you pause VOD video it will still continue to download to the client's computer, for people who have slow internet connections? Thanks
The description of those fields can be found here: http://help.adobe.com/en_US/adobemediaserver/adminapi/WSa4cb07693d12388431df580a12a34991eb c-8000.2.3.html#WS5b3ccc516d4fbf351e63e3d11a0d3ed999-7fe5AdminAPI.2.3
hits
Number; total number of segment “hits” since the server started.
misses
Number; total number of segment misses since the server started.
And:
"If requested data is contained in the cache (cache hit), this request can be served by simply reading the cache, which is comparatively faster. Otherwise (cache miss), the data has to be recomputed or fetched from its original storage location, which is comparatively slower. Hence, the greater the number of requests that can be served from the cache, the faster the overall system performance becomes." -- The all knowing Wikipedia -
Who is he? Strange user in server admin access AFP
Who is that strange user?
Tnx Gijs (NL)
It's probably a deleted user.
Although you know users by their short name, or even their real name, the OS/directory tracks them via a UUID and that's what you're seeing here.
If the UUID doesn't map back to a current user in the directory then you're going to see the UUID since there's no longer an associated user record. The most likely scenario is that the account has been deleted. -
Server Admin is not showing all users in "Show Users
I've discovered that a previous upgrade from Tiger to Leopard in 2009 has led to newer users not being displayed in Server Admin 'Show Users and Groups'. New groups display fine.
We upgraded again to Snow Leopard a couple of months back and so are running the latest admin tools.
I really can't pick why these accounts aren't showing so any points would be appreciated.
Thanks.
After numerous reinstalls failed to solve this problem, I discovered that on my system, it has to do with using an external monitor (via DVI port). When I drag the Firefox window from my laptop screen to an external monitor, "Show All Bookmarks" is suddenly empty. Dragging the browser window back to the original display (laptop) does NOT fix it. Firefox must be RESTARTED on the original display. When Firefox re-opens, "Show All Bookmarks" functions normally again.
WORK AROUND: the only way I can view "Show All Bookmarks" on my external monitor is to first open both the browser and "Show All Bookmarks" windows on the original display, drag BOTH windows to the other monitor and be sure to leave the "Show All Bookmarks" library window open in the background. If I forget and close it by accident, the problem happens all over again. -
When I go to web server administration, the users and groups tab always shows me "Unable to initialize LDAP (No LDAP server is configured)". Does this affect use of the web server, given that I use iWS with ias?
If it does have some effect, please let me know how to configure the LDAP server.
Run this command from the Exchange Server
Net time \\ADServerName /Set
and confirm the action,
and then you need to restart the service
Microsoft Exchange Active Directory Topology Service
and confirm you are not getting the Error 4001 in the event Viewer.
Thank you, it resolved my issue after sweating while looking for a solution.
How can I prevent this from happening? I cannot restart services on each server reboot nor lose 5 years of my life!!!
Sokratis Laskaridis MCP, MCTS, MCITP, Small Business Specialist Netapp ASAP, Symantec STS -
ISE Admin Access Authentication to RADIUS Token Server
Hi all!
I want to use an External RADIUS Token Server for ISE Admin Access Authentication and Authorization.
Authentication works, but how do I map the users to Admin Groups? Is there a way to map a returned RADIUS Attribute (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?
Thanks in advance,
Michael Langerreiter
ISE 1.3 does have a bug: Authentication failed due to zero RBAC Groups.
Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token
Last Modified: Nov 25, 2014
Product: Cisco Identity Services Engine (ISE) 3300 Series Appliances
Known Affected Releases: 1.3(0.876)
Description (partial)
Symptom:
ISE 1.3 RBAC fails with shadow user & Radius token
Operations > Reports > Deployment Status > Administrator Logins report shows
Authentication failed due to zero RBAC Groups
Conditions:
RBAC with shadow user & Radius token
-
Server Admin 10.5.6 v 1.1 - Server Admin and WGM
Server Admin is clunky, with delays of 3 minutes plus to save a new user or delete an old one.
I have updated on all 4 of my servers, but on each of them About Server Admin reports it as v 10.5.3 and About WGM reports it as v 10.5.5.
Is there something else to be done?
Cheers,
Syd Chesson
Server Admin and WGM tend to be very slow when DNS forward/reverse resolution is not in place or incorrect. Have you checked that?
-
Shared folders (Windows file shares) show access denied and do not prompt for credentials
Scenario:
Like other admins, I log on and work as a 'standard user' (usera) with no admin rights anywhere in the domain. To perform admin tasks I have another account (userb) which I authenticate with as and when required. userb has been allocated/delegated permissions as required.
Problem:
When trying to connect to shared folders on servers (2008 R2) using a UNC path via Windows Explorer (Win 7 Ent.), I see an access denied error and do not get an option to supply alternative credentials.
If I try to connect to the admin shares on the same server (\\server\C$ or \\server\e$) I get an access denied message AND get prompted for credentials. I supply my admin account and gain access as expected.
If I check share and storage management when attempting to connect, I see that Windows is trying to connect me to each share as usera (which has no access). I understand why I get access denied at this point, but not why it can't just prompt me to supply an account that does have access. When trying the admin shares I also see the usera account, but I get a prompt to supply a user who does have access.
Share permissions on the folders are for example 'Everyone' Full Control. NTFS permissions are 'userb' has modify (read, execute, list, traverse etc) via a 'Server Admins' AD Universal security group.
Note: If I do a NET USE from CMD and use the /USER switch, I can access the shares fine. But this is not great for accessing shared folders on the fly from various computers.
How can I get the other shares on the server to prompt me, rather than just say access denied?
Many thanks.
Try to disable guest user from the server
If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing! -
Manually start RADIUS, Authentication and groups for Cisco ASAs
I am testing moving a 10.7 server to 10.8.
We have used RADIUS to authenticate VPN traffic on our Cisco ASAs in the past. In the past Server Admin allowed for our ASAs to be added manually to the list of devices using the service. With Server Admin being removed and the limited functionality of automated addition of Airports to the system I have no GUI method to get our ASAs into the service. The ability to tell RADIUS which groups are using the service is no longer available in the GUI as well.
I have found the clients file in /etc/raddb and added our ASAs to the clients list. I believe I have done this correctly in accordance with the instructions on the freeRADIUS website.
I need help with:
1- I was hoping someone knows how to manually tell RADIUS which groups are permitted to use the service.
2- Can anyone tell me how to turn on RADIUS? radiusconfig -start appears to only tell the system to keep it on after a restart if I understand the manual page.
Thanks
With David's suggestion I was able to get RADIUS running. The following assumes that you are comfortable with Terminal and would be able to back up any files you edit. Here is what I did to our fresh installation of 10.8 Server:
1. In Terminal enter "sudo radiusd -Xx" which tries to turn RADIUS on and runs it with full logging of activity in the window. The last line after this entry should be something similar to "Ready to process records." In our new installation there were errors relating to "instantiating" sql and the ready message never came.
2. In Terminal enter "sudo pico /etc/raddb/radiusd.conf" and authenticate as needed. Scroll down in the file to the section where there are "instantiate" items. I commented out the SQL setup, by putting a # before the line that says "sql". Save the file by pressing Control-O, press return to save in the default location, and press Control-X to get out of the editor. I redid step number 1 twice and eventually RADIUS was running. Removing SQL from RADIUS will assure that problems will arise if you plan to use Server.app to add AirPorts to the network in the future. OS X Server adds its clients in an SQL database according to the programming notes in the .conf files. I will only be using our Cisco ASAs so SQL is not relevant to our setup.
3. Testing the running RADIUS server was easy as well. In Terminal enter "sudo pico /etc/raddb/users" and authenticate as needed. This file contains details for users if you wanted to add them manually to the RADIUS server. For testing purposes I removed the # before a line referring to a user "steve." I had to get RADIUS restarted to take up the new information about Steve. I killed the process using Activity Monitor and reran step number 1.
4. In Terminal I opened a new tab and entered "sudo radtest steve testing localhost 0 testing123 -t". You should get back a positive authentication message. Switching back to the original tab will show the output of the RADIUS server.
5. Reverse the entry in step 3 by adding back the # to comment out the line about steve in the users file.
RADIUS is now running and authenticating against its own users file.
Now we need to add our ASAs to the RADIUS server so it knows that it can authenticate for them. In Terminal enter "sudo pico /etc/raddb/clients.conf". We added lines for our ASAs, following the samples in the code. The information in the lines we added included a generic name for each ASA or device needing RADIUS type authentication, its IP address, and the shared secret for device authentication.
Following David's advice from above I created the RADIUS sacl by entering in Terminal "sudo dseditgroup -q -o create -u <admin user> -P <admin password> -n . com.apple.access_radius". This created the sacl for the service. Editing of the associated users and groups permitted to use the service was able to be done in Server. Be sure to select from the View menu "Show system accounts". Selecting "Groups" from the left margin of the Server window will show all of the SACLs along with any groups you have created. The RADIUS sacl can then have groups and users added to it.
To ensure that RADIUS is running and stays running enter the following in Terminal. First, "sudo radiusd.conf" will start RADIUS without logging in the Terminal window. Then, "sudo radiusconfig -start" to tell the system to keep it running and also run after a reboot.
I made no changes to our ASA settings and found that I was able to authenticate the "Steve" user from the RADIUS test in the ASA. I was also able to authenticate a user which had been added to the "Users" in Server. It appears that the ASA will be permitted to authenticate Open Directory users without additional setup.
I now need to set up our user groups to match those we use in our 10.7 server and add them to the RADIUS SACL and we should be set.
Once I have everything running properly, I will add a post here to close this discussion.
If anyone can shorten this procedure please let us know what you suggest.
-Erich -
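A defender-side check on the two files edited in the procedure above, added here as an example and not part of Erich's post: it parses FreeRADIUS-style `clients.conf` and `users` text and flags clients that still use the `testing123` secret, clients whose shared secret is short, and test entries such as `steve` left active with a cleartext password. The sample file contents, the 16-character minimum and the function names are assumptions made for the example.

```python
import re

DEFAULT_SECRETS = {"testing123"}   # the secret radtest is run with in the post
MIN_SECRET_LEN = 16                # assumed local policy, not a FreeRADIUS rule

# Constructed sample files (not taken from any real server).
SAMPLE_CLIENTS = '''
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123   # shipped default
}
client asa-hq {
    ipaddr = 192.0.2.10
    secret = "k3#Vq9w!Lr2zPe7TmX4c"
}
client asa-branch {
    ipaddr = 192.0.2.20
    secret = cisco
}
'''
SAMPLE_USERS = '''
#bob    Cleartext-Password := "hello"
steve   Cleartext-Password := "testing"
        Service-Type = Framed-User
'''

def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line

def parse_clients(text):
    """Return {client_name: {key: value}} for each 'client NAME { ... }' block."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        m = re.match(r"client\s+(\S+)\s*\{$", line)
        if m:
            current = clients.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')
    return clients

def audit_clients(text):
    """List (client, issue) pairs for default or too-short shared secrets."""
    findings = []
    for name, cfg in parse_clients(text).items():
        secret = cfg.get("secret", "")
        if secret in DEFAULT_SECRETS:
            findings.append((name, "default shared secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "shared secret shorter than policy minimum"))
    return findings

def active_cleartext_users(text):
    """Names of uncommented users-file entries that carry a Cleartext-Password."""
    pattern = re.compile(r"^([^#\s]\S*)[ \t]+Cleartext-Password\s*:=", re.MULTILINE)
    return pattern.findall(text)

if __name__ == "__main__":
    print(audit_clients(SAMPLE_CLIENTS))
    print(active_cleartext_users(SAMPLE_USERS))
```

To check a live server, pass the contents of `/etc/raddb/clients.conf` and `/etc/raddb/users` to the two functions instead of the constructed samples.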
I just installed an evaluation version of weblogic commerce and personalization server. I understand we can create users and groups and assign users to different groups. But I am wondering who has the privilege to do this, developer or end-user? In particular, is it possible for a super user (should be end-user) in one group to manage all other users in the same group? This feature would be especially useful for a B2B portal because usually we would allow a company administrator to manage all users within that company. Thanks in advance.
Zhe
Hi Steve,
What's the plan to provide ASP support in WLPS in the future? Are there any examples of WLPS that use a 3rd party user management server (such as LDAP)?
Thanks,
Leo
6th Dimension-
Steve Willcox wrote:
>
We only support a single administrator for a 'realm' of users. We don't have an admin permission mechanism on a group of users basis. The feature you are looking for more fits the ASP model and not an enterprise application model.
However, since WLPS/WLCS uses the WebLogic security realm to access users and groups, you can use a 3rd party user management tool that supports the permissions you are looking for in order to create users and groups. This would require the 3rd party user management tool to have an implementation of the WebLogic Security Realm class that works with this 3rd party user management server.
Zhe Liu wrote:
I just installed an evaluation version of weblogic commerce and personalization server. I understand we can create users and groups and assign users to different groups. But I am wondering who has the privilege to do this, developer or end-user? In particular, is it possible for a super user (should be end-user) in one group to manage all other users in the same group? This feature would be especially useful for a B2B portal because usually we would allow a company administrator to manage all users within that company. Thanks in advance.
Zhe
--
Steve Willcox
BEA Systems, Inc.
ECommerce Application Components R&D
Architect
mailto:[email protected]
http://www.bea.com