Server Admin - Trouble creating groups

Similar Messages

• Server Admin user and group limit

  Just noticed today with 10.6.7 that there is a limit of 100 users being displayed in Server Admin. I guess the sames goes for Groups as well.
  As soon as i deleted some old accounts the users i had created recently appeared in Server Admin.
  Is there a fix for this?
  Thanks

  As you mentioned, it is a display limit in WM, the accounts are still there. A quick workaround is to type part of the object name in the search box at the top of the list.
  That 100 object display limit was probably the result of countless meetings between middle-managers. I'm guessing it went something like this:
  "Why don't we just show them all?"
  "Some deployments could have tens of thousands... that won't work... it'll take forever to load and even longer for somebody to skim through the list."
  "Okay, how about we do 1000?"
  "No, that won't work either. Still too many to skim through and, even worse, they'll spend years with 999 objects in there then add a few more and think it's broken..."
  "Fine... then 100. Short enough to load reasonably quickly and long enough that the average person could eyeball it."
  "But there will still be some admins who think it's broken and want to change it."
  Steve Jobs walks in, "Give 'em a search box."
  Middle-managers in unison, "Brilliant!"
  Sorry. It's early, and I'm a bit punchy.

• Server Admin not displaying groups correctly

  Server 10.5.8, Mac Pro 4 core 2.66, 56 GB RAM.
  Had a crash yesterday, all back to normal now except:
  Server Admin's "show users and groups" is not displaying groups correctly" "users" is missng, and any new groups I created in WM are missing. Even if I sort by GID, they don't show up. And yet, if I type "staff" in the search bar, it shows up with GID 20. Also shared folders are showing up as groups

  Surely someone can at least point me in the right direction? I tried rebuilding the LDAP database, but that didn't fix it.

• Updating Sun LDAP Server through custom create group forms

  Hi,
  we have requirement whererin we must create a create group form (custom form) and then update the new group details to the Sun LDAP server. After defining the LDAP Resource, how do I proceed in creating the resource object and configuring the same with the 'create group form ' for updating the necessary attributes in LDAP server.

  There is no way to perfrom LDAP authentication using our product without a mapped group. I haven't used it in a while but the Sun LDAP mamagement tools were very straight forward, creating users/groups issn't much trouble
  First creat the users and groups wherever in the direcotry, then in the group properties you must make the users members of the groups. Map the groups into BO and your done.
  If you wanted someone to setup both your LDAP directory and Business Objects typically a 3rd party professional service may be used. For configuring BO you can open a case with the authentication team in support if stuck. You could get some tips as most of our engineers have set up sun a few times for internal testing.
  Regards,
  Tim

• Server Admin "Access" Section and groups

  Hi all,
  I read some posts about using the ACL in the server manager to control who can do what and I found exactly what I need...letting blog people have an account but not be allowed to log into my AFP share to do damage.
  My problem is that when I go to put in my "admin" and "HTTP users groups" into the ACL allowed list, they won't show up. I know in Server Admin and Workgroup Manager you have to turn on hidden system users/groups to see them, and I have them on, but I can't see them in this particular view. Does anyone have a work around so I can set up these lists?
  Thanks!

  Spoke with our Apple rep and found a solution here:
  http://www.bombich.com/mactips/scripts.html
  The last script on the page allows for setting ACLs to groups.
  What it actually seems to do is to create a new group called "* access" where ** is the service in question (afp, ftp, loginwindow, etc). It gets an ID from 500 forward, which makes it a user level group, which the server can see. It also gains a name like com.apple.access_*.
  From there, it places the users/groups you define in the script into the group membership, and then applies it to the ACL.
  All in all, it works very well, and I highly suggest it.
  X Serve   Mac OS X (10.4.7)  

• Adding Groups to server admin

  I'm trying to set up a wiki on our website, but I can't add any groups. Ever time I try to add a group in Server Admin under Web Services, it just disappears. And the Workgroup Manager has no options under the "Enable the following services for this group on:" tab. Blogs are working just fine, but I can't get the wiki to recognize a group for the life of me. I took a screenshot of my problem and uploaded it below. Thanks!
  http://i160.photobucket.com/albums/t175/blathersby/help.png

  A couple of things to note.
  1) In order to host group wikis, you must either be an Open Directory master or be connected to another Leopard Server's OD. It is simplest to have the wiki server act as an OD master.By selecting Advanced Configuration, you are committed to setting everything up by hand... just means there are a few more steps.
  2) The groups you want to have wikis must be in the Open Directory Master (/LDAPv3/127.0.0.1), and not in the local directory (/Local/default). The screenshot you've given shows the group you are expecting to have a wiki is in /Local/default
  3) That list in Server Admin does not denote which groups can have wikis, it denotes which users are allowed to create groups that have wikis. I've gone through it in detail in another post, but the upshot is that leaving that list empty means any authenticated user can create groups with wikis (using Directory.app). If the list is not empty, then only those users in that list (or in a group that is in that list) can have groups they've created host wikis on that machine.

• How do I create a virtual directory in Snow Leopard Server Admin program?

  Hi, how do you use the server admin program in snow leopard server to create an apache virtual directory? I can't see it in the applet anywhere. Thank you.

  Well this is what I thought too but I don't think I'm doing something right. I have a default website on port 80 and I created a second site on the same port. They are two different websites. One is the initial one that comes stock with the osx. The second one I created.
  When I browse to my server I get the second site. How can I get the default to be the one that points to the mail, wiki, calendar stuff, while my second domain is something totally different.
  http://myserver (should be the default stuff like mail.)
  http://myserver/mysecondsite (should be my other stuff.)
  The problem is that when I go to http://myserver it is going to http://myserver/mysecondsite
  What am I doing wrong? Thank you.

• Creating Open Directory Replica fails with Server Admin Error Value 1127

  Hallo,
  I have seen a lot of similar threads here and they were helpful up to a certain point, but in the end, they did not solve my problem.
  Currently, it comes down to this. The Server Admin Error message ist really meaningless and I could not find a single for the error value on the whole wide web. As such, I switched to the command line versions of the tools involved to geht more meaningful results. It worked. Specifically, creating a replica of an openldap master means using slapconfig.
  When executing
  slapconfig -createreplica master.ourdomain.com diradmin
  as root on the prospective replica machine, I get the following error message:
  ssh command failed with status 127
  That command is not allowed with the root account via public key authentication.
  That makes perfect sense to me, but how is it meant to work then?
  Executing slapconfig as admin tells me that this tool is to be executed as root. On the other hand, root login via ssh is not allowed in Mac OS X by default, which seems fine to me. I even changed /etc/sshd_config on the Open Directory Master machine to "PermitRootLogin yes". However, neither reloading ssh using launchctl nor restarting the whole server made this setting operational. Trying to login from command line as root still tells me:
  root login is not permitted to this machine via public key authentication.
  While this is the current state where I need help urgently, I changed some other things before. I tell about to exclude these issues as possible reason of failure. I got this message for quite a while:
  Replica Setup failed : This machine does not have a valid computer name
  I was sure, this machine meant the target machine, the open directory master, because the domain had changed there once before I had taken over responsibility as an admin in this environment. And in fact, changeip disguised an issue there. The command proposed by changeip to fix the situation did not seem appropriate because this machine is multihomed with a public and a private IP adress. Proper name resolution is available for both interfaces including reverse lookup. I dont like this setup, but it was the only way to get mail service running smoothly. Running changeip on the machine itself using these arguments
  changeip /LDAPv3/127.0.0.1 internalIP internalIP old.ours.com current.ours.com
  reported success in updating password server, open directory, both interfaces, hostconfig (which in fact did not change) and samba. It reported an issue with kadmin which is related to Kerberos (we dont use Kerberos yet).
  Changing the hostname of the server using changeip did not solve the issue. I then found the hint to check with scutil. This showed that the Hostname was not set on the prospective replica machine. (A question aside: in how many place is the hostname stored? The traditional /etc/hostname has gone, but seems to be replaces with several other configuration files and databases. I cant see this as an advantage). Setting the hostname using scutil worked fine. However, it did not solve the problem either. At least, slapconfig now started to complain about not being able to log in as root instead of failing from the start.
  I also checked all log files on bboth machines that might have to do with openldap, as there are /var/log/slapd.log, /var/log/system.log and /Library/Log/slapconfig.log. I also checked the log of th layer on top of openldap which is /Library/Log/DirectoryService.server.log. None of them revealed anything noticeable beside a lot of of entries that I have googled in the last few hours and which all dont seem to be associated with the problem in question.
  I will take a break now, but I have to fix this until tomorrow and I hope to get the ultimate hint from you, dear reader.
  Thanks and bye, Christian Völker

  ssh command failed with status 127
  That command is not allowed with the root account via public key authentication.
  Initial OD replication takes place via 'ssh'. If you have 'sshd' configured on the OD Master to authenticate with public keys then the OD replica will not be able to communicate with the OD Master via 'ssh'. You must configure the OD Master to use 'ssh' with password authentication and root login enabled.
  Demote the replica back to standalone. Stop any services that you may have running on the primary network interface. Then stop any services that you may have running on the secondary network interface. In the 'Network' System Prefpane remove the IP number from the secondary interface then deactivate the secondary network interface.
  Assign the private IP address and hostname that you wish to use for the replica to the primary network interface. Assign the 'public' IP number to the secondary interface. Check the DNS to see that the IP address and hostname for the primary network interface resolve both forward and reverse for the hostname of the replica that you have chosen. If it does not, fix your DNS before proceeding.
  In the 'Sharing' System Prefpane, change the name of the machine to the hostname (server.domain.tld) of the replica that you have chosen. Then use 'changeip -checkhostname' to see if the IP/hostname matches. Fix it if it doesn't.
  Then configure the /etc/sshd_config file on the OD master like this:
  \# Authentication:
  PermitRootLogin yes
  PasswordAuthentication yes
  PubkeyAuthentication no
  and the /etc/ssh_config file on the OD replica like this:
  PasswordAuthentication yes
  PubkeyAuthentication no
  Then from the OD replica as the 'root' user issue:
  slapconfig -createreplica <ODMasterIPorFQDN> <diradmin user>
  Make sure that the 'diradmin' user's password contains only alpha-numeric characters -no 'option-characters' or symbols, change it first if it does. Once the process completes, reactivate the secondary interface for the 'public' IP and check the configuration of services that will be using that IP, then start your other services. Secure the 'ssh' service on both machines to disable password authentication and 'root' logins.

• Config.sh-Admin server directory is created..but manged soa server is not

  Hi,
  I have installed weblogic and then soa 11g,nowe creating domain using config.sh on shared storage.
  @ nodes and binaries are shared for both the nodes(all installation binaries are shared on a common location which is in turn mounted on both nodes).
  After running config.sh ,
  it says installation sucessful howevr Admin server directory is created..but manged soa server is not getting created.
  Plz any body suggest some resolution..vvvv urgent..
  Cheers,
  Arshi

  Hi Arshi,
  Start the Admin server and then managed servers and directory should get created.
  Regards,
  Anuj

• Trying to create a linked server to a remote 3rd party server using an AD group

  I am the DBA at our organization so I have full authority to all of our local SQL Server databases but we have data in a remote 3rd party SQL Server database that is only read-only.  The 3rd party has granted the read only privileges to one of our AD
  groups - let's call it mydomain\adgroup1.  I would like to create a linked server from one of our local SQL Servers to the remote database.  I'm not sure how to do this. 
  I have set the AD group up as a login and a user in my local database.  When I try to create the link, I used the mydomain\adgroup1 as the local login and, since the same credentials exist in the remote server, I checked the impersonate box and click
  OK but I get "mydomain\adgroup1 is not a valid login or you do not have permission".  Is it possible to create a linked server using an AD group?  As of now, we only have the AD group permissions in the remote database.  We could probably
  request a single SQL Server account to be created on the remote side and we could create the same on our side, but we are trying to keep things as simple and transparent as possible (and we would really like to move more toward AD security and away
  from individual users in the db).
  Can anyone give me advice on how to get these two SQL Servers linked?

    From your description, you likely want to implement Windows authentication for linked server, which requires to implement Kerberos constrained delegation.
   I would recommend the following link to get started: 
  How to Implement Kerberos Constrained Delegation with SQL Server 2008 (https://msdn.microsoft.com/en-us/library/ee191523%28SQL.100%29.aspx?f=255&MSPPError=-2147217396
    -Raul Garcia
     SQL Server Security
  This posting is provided "AS IS" with no warranties, and confers no rights.

• Trouble Starting Server Admin

  So I am new to setting up a server, and I have come across some troubles already. I am running the Server Admin on the server itself, and we are using Mac OS X Server 10.5.3. I have gone through all of the Installation and configuration steps. When I open the Server Admin folder, it gives me the following message: There is no server at the address you entered. It tells me to contact the network administrator for troubleshooting (too bad that is me). It gives me the following options to click: Keep in List; Disconnect; and Remove.
  Have I missed a step in the installation and configuration? Any advice would be wonderful.

  Hi.
  How are you trying to connect to the server? What I mean is, are you entering a full domain name for the server, or it's IP? If trying to connect via the name, its possible (likely) there is a DNS configuration problem.
  What you'll find as you work more with OS X Server, is that a proper DNS setup is absolutely critical to making almost anything but the most basic services work correctly.
  Click on Remove, then try re-connecting via the IP address of the server to see if it connects. If it does, you'll need to troubleshoot your DNS setup. Use the little + button on the bottom left to "Add new server…" then enter the appropriate info.
  Also, make sure you're connecting using the admin name and password you set up during the server set up stage. I know, that sounds obvious, but just double-check anyway.

• Can't Create Group Wiki On ML Server

  Have a Mac Mini Server (late 2012) running OS X 10.8.3 and Server.app. Have some groups and users sprinkled among them.
  Would like to create group wiki, but when I push that button a web page opens with the error message:
  "The requested URL /wiki/projects was not found on this server."
  What is going on here? How can I create a group wiki?

  What if you can't do a clean installation?! How would I be able to make it work anyway?!

• Can't create DNS zones in Server Admin

  Hi All,
  So, I've run into this strange problem where when configuring the zone files for the DNS server in Server Admin that clicking on the + button doesn't do anything. I've re-installed Tiger Server including reformating the disk and still nothing.
  Can anyone tell me where the zone file is kept. It might be better just to make my own unless anyone can tell me why the + button isn't working.
  Thanks much!

  Definitely better to make your own, if you know how (lots of good google-able docs on this). Using Server Admin for DNS zone files is dicey at best.
  BIND config file is located at '/etc/named.conf'
  Zone files live in '/var/named/.' Primary zone files are named 'myDomain.com.zone' and secondary files are named 'myDomain.com.bak'
  Feel free to email me if you need some default files.
  Can anyone tell me where the zone file is kept. It
  might be better just to make my own unless anyone can
  tell me why the + button isn't working.
  iBook G4   Mac OS X (10.4.3)  

• Where can i find the created group in portalcontent of content admin?

  Hi all,
  I have created a group with name Group1.  I assigned some users to the group one by one.  Is there any method to add 5 users at a time?
  How can i store the created groups in the folder & where can i find the Group1in the portalcontent?
  thanks & regards,
  vila

  You can assign multiple users to a group by using the User Data Import option. Navigate to User Adminstration --> Import.
  Create a file with the following entries and upload it for group assignments
  [Group]
  gid=YourGroupName
  gdesc=...
  user=User1;User2;User3...
  To know the users assigned to a group,
  1. Navigate to User Administration --> Identity Management.
  2. Put your group name and search.
  Regards,
  Prasanna Krishnamurthy

• Can connect with Server Admin and Server Prefs, not Screen Sharing or ARD

  Just set up 10.5 server on my G5, and trying to connect from 10.5 on my iMac. I have tried both with the server System Preferences set to allow Screen Sharing via VNC, and with Remote Management enabled for ARD. In both cases, I get authentication errors when trying to connect from home. I have tried with both the full username, and with the short name of the only account on the server. My assumption is that, since this is the administrator account, I don't need to setup explicit privs for it on the server.
  I can authenticate without any trouble with both Server Admin and Server Preferences.
  The Firewall is not enabled on either machine, although I am behind a NAT router at home -- is it necessary to open any special ports to enable screen sharing? Is it possible that having these ports closed would produce an authentication error?
  Thanks for any help.

  Hi
  I'm going to assume you configured your Server in Standard Configuration and not Workgroup or Advanced?
  When using Standard in setting up the server DNS is automatically configured for as well as the Server taking an Open Directory Master Role. The admin account created at the beginning is for administering the Open Directory. Unknown to you and not documented at all - as far as I can see - is the 'Local Administrator' (localadmin) account.
  You only become aware of this account if for some reason you have a problem with the Server which involves demoting to Standalone (ie not an Open Directory Master) once this happens you find you can't log on to the Server anymore or communicate with any of the Server applications because it won't accept any username or password other than root and localadmin for the name and the password defined for the original admin account you created right at the beginning.
  Sometimes it does not even take demotion to find yourself locked out of the Server. Some have experienced this problem when running the Security Update or when some other problem has occured.
  Part of the process of creating an Open Directory Master involves the creation of a 'special' directory administrator account. This account is used for administering the LDAP node. If demotion takes place this account gets blown away along with all users and group accounts that exist in the LDAP node, in fact everything to do with Open Directory is destroyed apart from Users' home folders.
  Why demote if this happens? Sometimes the LDAP database gets damaged/corrupted beyond a point where normal troubleshooting methods fail. This can happen for a whole variety of reasons but more often than not is due to a poorly configured DNS Service. You basically only have two options once you reach that stage. A server reinstall involving a format and rebuild or a demotion to Standalone. Which option would you choose? Prior to demotion you can (if you have the chance) export users and groups or even archive the LDAP database itself for restoration later on. This is a useful option as everything to do with the LDAP Server is retained - passwords, users, groups etc. The other method of saving users etc does not retain passwords.
  As time goes on and you become more familiar with your server you will find more and more of this information out for yourself. Hopefully the simple advice I've given helps you understand Open Directory a little better.
  Hope this helps, Tony