[SOLVED] iptables preventing ssh within local network

I have updated my machines and removed tcp_wrappers.  I have iptables set to reject as default on my input chain.   I can ssh from one machine to another no problem as long as I stop iptables on the client first.  I tried adding a rule to my iptables script as mentioned in
https://bbs.archlinux.org/viewtopic.php?id=122651
modifying only as needed for my own local network:
iptables -A INPUT -p tcp -s 192.168.1.0/100 --dport ssh -j ACCEPT
but still I can ssh to the client only if I stop iptables.
Is there something wrong with the above rule?  How do I set up iptables to allow ssh from 192.168.1.0/100?
Thanks.
Last edited by kekules_dream (2011-07-24 19:18:05)

Thanks for that info I understand now the points about CIDR masks.  However, my iptables configuration is still preventing ssh locally, with:
ssh: connect to host 192.168.1.148 port 22: Protocol not available
netstat -tnlp | grep ssh
shows that ssh is running and listening.  The problem must be in my iptables setup script since I still have no problems with ssh if I stop iptables.
Could there be something wrong with my script?  It is now completely up to date with the Simple Stateful Firewall wiki and contains the line for allowing all local ssh, yet still it is blocking.  I make sure to stop iptables when I clear the rules or reload new ones.  Iptables is current, too, 1.4.11.1-1.  I have tried 100/32 also and this too blocks.
#!/bin/sh
iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreach
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreach
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport ssh -j ACCEPT
/etc/rc.d/iptables save
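As an added illustration (not the poster's script and not anything iptables ships), the following Python model replays the script's -A/-I/-D commands with iptables' first-match semantics. It shows why the two -D/-A steps leave the catch-all REJECT --reject-with icmp-proto-unreach ahead of the appended ssh rule, so a LAN SYN to port 22 is rejected with ICMP protocol-unreachable (which the Linux client reports as "Protocol not available"), and that moving the ssh ACCEPT into the TCP chain, as the Simple Stateful Firewall wiki does, lets it through. The packet fields, the chain model and the 192.168.1.10 sample host are assumptions of this model.

```python
import ipaddress

# Tiny first-match model of iptables chain traversal (an added illustration,
# not the poster's script and not part of iptables). A rule is (match, target):
# match is a dict of packet fields; target is "ACCEPT", "DROP", "REJECT <type>"
# or a user chain name. The "recent" key models -m recent: "set" records the
# source address, "update" matches only sources recorded earlier.

def apply_commands(commands):
    """Build chains from (op, chain, rule) triples, mimicking -A, -I and -D."""
    chains = {"INPUT": [], "TCP": [], "UDP": []}
    for op, chain, rule in commands:
        if op == "A":
            chains[chain].append(rule)        # -A appends at the end
        elif op == "I":
            chains[chain].insert(0, rule)     # -I inserts at the top
        elif op == "D":
            chains[chain].remove(rule)        # -D deletes the first equal rule
    return chains

def matches(match, pkt, seen):
    for key, want in match.items():
        if key == "src":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif key == "state":
            if pkt["state"] not in want:
                return False
        elif key == "recent":
            if want == "update" and pkt["src"] not in seen:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(chains, pkt, chain="INPUT", seen=None, policy="DROP"):
    """Walk a chain top to bottom; a user chain yields None if nothing matches."""
    seen = set() if seen is None else seen
    for match, target in chains[chain]:
        if not matches(match, pkt, seen):
            continue
        if match.get("recent") == "set":
            seen.add(pkt["src"])
        if target in chains:                  # -j <user chain>
            result = verdict(chains, pkt, target, seen, policy=None)
            if result is not None:
                return result
            continue                          # fell off the user chain: go on
        return target
    return policy                             # end of a built-in chain

def cidr_ok(text):
    """True for a usable CIDR; 192.168.1.0/100 fails since /100 is no prefix."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False

LAN = "192.168.1.0/24"
TCP_RST, UDP_UNREACH = "REJECT tcp-rst", "REJECT icmp-port-unreach"

# The poster's script, command by command, in this model's notation.
OP_SCRIPT = [
    ("A", "INPUT", ({"state": {"RELATED", "ESTABLISHED"}}, "ACCEPT")),
    ("A", "INPUT", ({"iface": "lo"}, "ACCEPT")),
    ("A", "INPUT", ({"state": {"INVALID"}}, "DROP")),
    ("A", "INPUT", ({"proto": "icmp", "state": {"NEW"}}, "ACCEPT")),
    ("A", "INPUT", ({"proto": "udp", "state": {"NEW"}}, "UDP")),
    ("A", "INPUT", ({"proto": "tcp", "syn": True, "state": {"NEW"}}, "TCP")),
    ("A", "INPUT", ({"proto": "udp"}, UDP_UNREACH)),
    ("A", "INPUT", ({"proto": "tcp"}, TCP_RST)),
    ("A", "INPUT", ({}, "REJECT icmp-proto-unreach")),   # catch-all reject
    ("I", "TCP", ({"proto": "tcp", "recent": "update"}, TCP_RST)),
    ("D", "INPUT", ({"proto": "tcp"}, TCP_RST)),
    ("A", "INPUT", ({"proto": "tcp", "recent": "set"}, TCP_RST)),
    ("I", "UDP", ({"proto": "udp", "recent": "update"}, UDP_UNREACH)),
    ("D", "INPUT", ({"proto": "udp"}, UDP_UNREACH)),
    ("A", "INPUT", ({"proto": "udp", "recent": "set"}, UDP_UNREACH)),
    # the ssh rule, appended to INPUT *after* the catch-all reject
    ("A", "INPUT", ({"proto": "tcp", "src": LAN, "dport": 22}, "ACCEPT")),
]

# Same commands, but the ssh ACCEPT goes into the TCP chain (the wiki's way),
# which is where NEW SYNs are sent before the rejects are ever reached.
FIXED_SCRIPT = OP_SCRIPT[:-1] + [
    ("A", "TCP", ({"proto": "tcp", "src": LAN, "dport": 22}, "ACCEPT")),
]

# Constructed packet: a fresh SYN to port 22 from an assumed LAN host.
SSH_SYN = {"proto": "tcp", "src": "192.168.1.10", "dport": 22,
           "syn": True, "state": "NEW", "iface": "eth0"}

if __name__ == "__main__":
    print("poster's order:", verdict(apply_commands(OP_SCRIPT), SSH_SYN))
    print("ssh rule in TCP:", verdict(apply_commands(FIXED_SCRIPT), SSH_SYN))
    print("/100 usable:", cidr_ok("192.168.1.0/100"))
```

The same walk shows that with the corrected placement a SYN from outside 192.168.1.0/24 still falls through to a reject, so the LAN restriction the poster wanted is kept.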

Similar Messages

  • Help using torrent client + local network fileserver[SOLVED]

    As the title says, I need some help in order to make it possible for either Azureus or Deluge to be able to see my local network's fileserver, as unfortunately neither of them can "see" the network (Arch can see it ofc and I can browse the contents).
    The fileserver is specifically FreeNAS with CIFS/SAMBA.
    The hard disks are in UFS format (need them from time to time when I log into Windows XP - rarely).
    I was thinking of a way to mount the fileserver but I can't do it.
    Can someone give me an example of how to be able to mount it? The many tries I've made to tamper with fstab in general didn't return any results (using ntfs-3g in order to mount Windows partitions/Linux partitions).
    Thanks in advance
    Last edited by jedimastermaniac (2008-06-28 15:58:47)

    So something like this should work?
    //Server IP or hostname/share?? I can understand the rest, but that's what I would like to understand.
    Would, for example, this work:
    //200.150.0.0/fileserverpath to hard disks) /mountpoint blah blah work?
    This is the point where I need help basically, the first part.

  • My computer looks alone on the local network

    Hello,
    Since a few days, I can't see any computer in the "Shared" section of the Finder's side bar.
    Digging into that problem, I noticed I can no more connect to any of the local network computers using their name (i.e.: afp://mycomputer.local) but can well using the IP address (i.e.: afp://192.18.1.10).
    Access to outside world causes no problem.
    Any idea on how to solve this is welcome !
    Regards,
    Lionel

    1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
    2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
    There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
    3. Below are instructions to run a UNIX shell script, a type of program. All it does is to collect information about the state of the computer. That information goes nowhere unless you choose to share it. However, you should be cautious about running any kind of program (not just a shell script) at the behest of a stranger. If you have doubts, search this site for other discussions in which this procedure has been followed without any report of ill effects. If you can't satisfy yourself that the instructions are safe, don't follow them. Ask for other options.
    Here's a summary of what you need to do, if you choose to proceed:
    ☞ Copy a line of text in this window to the Clipboard.
    ☞ Paste into the window of another application.
    ☞ Wait for the test to run. It usually takes a few minutes.
    ☞ Paste the results, which will have been copied automatically, back into a reply on this page.
    The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.
    4. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode, under the conditions in which the problem is reproduced. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
    5. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
    6. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.
    Triple-click anywhere in the line of text below on this page to select it:
    Copy the selected text to the Clipboard by pressing the key combination command-C.
    7. Launch the built-in Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.
    8. If you see an error message in the Terminal window such as "syntax error," enter
    exec bash
    and press return. Then paste the script again.
    9. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know the password, or if you prefer not to enter it, press the key combination control-C or just press return three times at the password prompt. Again, the script will still run.
    If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
    10. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line
    [Process completed]
    to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report the results. No harm will be done.
    11. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
    At the top of the results, there will be a line that begins with "Model Identifier." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
    If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
    12. When you post the results, you might see the message, "You have included content in your post that is not permitted." It means that the forum software has misidentified something in the post as a violation of the rules. If that happens, please post the test results on Pastebin, then post a link here to the page you created.
    Note: This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.
    Copyright © 2014 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

  • Active Directory users not made member of Local Network group

    Hi all,
    I've just done a clean install from 10.6 Server to 10.8.4.
    The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
    The Setup:
    In Groups in Server.app under Local Network Group I have created a group call "AccessServer"
    Members in that group are:
         - AD-Domain User Group (so should be all users in the domain)
         - MacOS X "netaccounts" group (again, should capture all users that connect through the network I've used this in the past/10.6 very handy)
         - AD User 1
         - AD User 2
         - AD User 3
    The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
    The Behaviour:
    AD User 1 can access AFP and other services as expected.
    AD User 2 and 3 cannot.
    Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
    Yet other users within AD-Domain User Group or netaccounts cannot
    Furthermore: 
    If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group, I can still log in with that account!
    Diagnosis:
    I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.
    >dseditgroup -o checkmember -m ADUser1 accessserver
    yes ADUser1 is a member of accessserver
    >dseditgroup -o checkmember -m ADUser2 accessserver
    no ADUser2 is NOT member of accessserver
    >dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
    yes ADDomainUser/netacc is a member of accessserver
    >dseditgroup -o checkmember -m n accessserver
    no ADUser2 is NOT member of accessserver
    When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
    2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
    I get the same results even after removing the user from the Groups screen!
    Failed Solutions
    - As we are a large AD I've tried specifying specific Active Directory servers that might better be able to find the users in question and authenticate.
    - I've let the system just sit, in hopes delayed replication would solve the problem overnight.
    - I've deleted and recreated the groups.

    Upon further investigation we have discovered:
    a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
    b) This is NOT limited only to MacOS X Server 10.8. The same behaviour is occurring on a long-running 10.6 server as well.
    c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually.  If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
    d) Which users are allowed and which are not is unclear and appears generally random.  We have found 3 'classes' of users:    
              1 - those that are successfully becoming members every time.
              2 - those that are intermittent members.  Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
              3 - those that are never successfully admitted as a member.
    So the problem is both Apple's and Windows in that:
    Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
    Windows:  Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
    Really hoping people have some ideas on this.  This system of nested groups or individual user access is something we have of course being using for many years.  So this is a major setback.

  • [Solved] iptables rules for machine running as openvpn server

    I set up an older laptop as an OpenVPN server for my home network (and a dwarffortress server, but that's beside the point).  This is the first time I've set something like this up - I wanted a secure way of being able to ssh into my home network from outside. 
    In any case, I got it working (finally figured out I needed to port forward 1194 on my router), but I wanted to make sure that my iptables-rules look reasonable:
    # Generated by iptables-save v1.4.21 on Sun Dec 28 02:16:10 2014
    *nat
    :PREROUTING ACCEPT [3:517]
    :INPUT ACCEPT [3:517]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 192.168.88.0/24 -o wlp3s0 -j MASQUERADE
    COMMIT
    # Completed on Sun Dec 28 02:16:10 2014
    # Generated by iptables-save v1.4.21 on Sun Dec 28 02:16:10 2014
    *filter
    :INPUT ACCEPT [323:24107]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [152:13348]
    -A INPUT -i tun+ -j ACCEPT
    -A FORWARD -i tun+ -j ACCEPT
    -A FORWARD -s 192.168.88.0/24 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Sun Dec 28 02:16:10 2014
    Last edited by emacsomancer (2014-12-29 21:32:25)

    bleach wrote:
    look at your filters you accept everything
    :INPUT ACCEPT [323:24107]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [152:13348]
    a better way would be to block everything but outgoing and then open ports and such.
    :INPUT DROP
    :FORWARD DROP
    :OUTPUT ACCEPT
    then your current (192.168.88.0/24 -j ACCEPT) forwarding will go through but not other things.
    some good articles on iptables; iptables,simple stateful firewall
    Ok, this is my modified setup:
    # Generated by iptables-save v1.4.21 on Mon Dec 29 03:36:02 2014
    *filter
    :INPUT DROP
    :FORWARD DROP
    :OUTPUT ACCEPT
    -A INPUT -i tun+ -j ACCEPT
    -A INPUT -i wlp3s0 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -i wlp3s0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A FORWARD -i tun+ -j ACCEPT
    -A FORWARD -s 192.168.88.0/24 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o wlp3s0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Mon Dec 29 03:36:02 2014
    # Generated by iptables-save v1.4.21 on Mon Dec 29 03:36:02 2014
    *nat
    :PREROUTING ACCEPT [389:94808]
    :INPUT ACCEPT [1:60]
    :OUTPUT ACCEPT [1:72]
    :POSTROUTING ACCEPT [1:72]
    -A POSTROUTING -s 192.168.88.0/24 -o wlp3s0 -j MASQUERADE
    COMMIT
    # Completed on Mon Dec 29 03:36:02 2014
    I added in lines to allow for SSH within my internal network. But now I am unable to make an OpenVPN connection from outside... what could be wrong?

  • Getting file from local network computer

    Hi! I have a problem getting a file from the local network. I have tried the following ways to do it:
    new File ("file://10.150.11.214/pics/bilde.JPG");
    new File ("smb://10.150.11.214/pics/bilde.JPG");
    new File ("http://10.150.11.214/pics/bilde.JPG");
    There is always an error:
    java.io.FileNotFoundException: file://10.150.11.214/pics/bilde.JPG
    (The filename, directory name, or volume label syntax is incorrect)
    On the local computer the IP is 10.150.11.214 and the shared folder is "pics".
    Can you give me a solution?
    tnx! ;)

    Manivel wrote:
    @kajbj
    Why? The problem is already solved.
    Yes, correct, but see the OP's previous post.
    PeterisR wrote:
    I had tried as you said, Manivel! but there were problems .. tnx, anyway!
    Ok. I can understand that you want to know why / how it failed, but using URI/URL is in this case not the best way. Using the normal File class and UNC name is far more common.
    Kaj

  • Asa 5505 Remote VPN Can't access with my local network

    Hello guys, I have a problem with my ASA 5505 remote VPN connection with local network access. The VPN is working fine and connected, but the problem is I can't reach my inside network of 192.168.30.x. Here is my configuration, please can you help me?
    ASA Version 8.2(1)
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 155.155.155.10 255.255.255.0
    interface Vlan5
    no nameif
    no security-level
    no ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy mull internal
    group-policy mull attributes
    vpn-tunnel-protocol IPSec
    username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
    vpn-group-policy Mull
    tunnel-group mull type remote-access
    tunnel-group mull general-attributes
    address-pool vpn-Pool
    default-group-policy mull
    tunnel-group mull ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context

    Hey Jennifer, I did everything you mentioned, but still I can't reach my inside network (LOCAL network). I am using Shrew Soft VPN Access Manager for my VPN connection.
    Here is my "cry ipsec sa" output:
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
          current_peer:155.155.155.1, username: Thomas
          dynamic allocated peer ip: 192.168.100.1
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
          path mtu 1500, ipsec overhead 82, media mtu 1500
          current outbound spi: 73FFAB96
        inbound esp sas:
          spi: 0x1B5FFBF1 (459275249)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 2894
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x73FFAB96 (1946135446)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 2873
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
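    A check a practitioner would run on output like the above, added here as an example and not code from this thread: it parses the `show crypto ipsec sa` text into per-tunnel records and flags tunnels whose SAs are installed but whose packet counters never move. The sample output is constructed to mirror the posted one; the field subset parsed and the finding rules are my own choices.

```python
"""Health check for Cisco ASA 'show crypto ipsec sa' output (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the output posted in the thread; the addresses
# are the thread's own placeholder-style values, not a live host.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
      current_peer:155.155.155.1, username: Thomas
      dynamic allocated peer ip: 192.168.100.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
    inbound esp sas:
      spi: 0x1B5FFBF1 (459275249)
         transform: esp-aes esp-sha-hmac no compression
         sa timing: remaining key lifetime (sec): 2894
    outbound esp sas:
      spi: 0x73FFAB96 (1946135446)
         transform: esp-aes esp-sha-hmac no compression
         sa timing: remaining key lifetime (sec): 2873
"""


@dataclass
class IpsecSa:
    # One "Crypto map tag" block: identities, counters and installed SPIs.
    crypto_map: str = ""
    peer: str = ""
    username: str = ""
    assigned_ip: str = ""
    remote_ident: str = ""
    remote_endpoint: str = ""
    pkts_encaps: int = 0
    pkts_decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    inbound_spis: list = field(default_factory=list)
    outbound_spis: list = field(default_factory=list)


_HEADER = re.compile(r"Crypto map tag: (\S+), seq num: \d+, local addr: (\S+)")


def parse_crypto_sa(text):
    """Return one IpsecSa per crypto-map block found in the command output."""
    sas, cur, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            cur, direction = IpsecSa(crypto_map=m.group(1)), None
            sas.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r"remote ident .*?: \((\S+)\)", line):
            cur.remote_ident = m.group(1)
        elif m := re.match(r"current_peer:\s*([^,\s]+),\s*username:\s*(\S+)", line):
            cur.peer, cur.username = m.group(1), m.group(2)
        elif m := re.match(r"dynamic allocated peer ip:\s*(\S+)", line):
            cur.assigned_ip = m.group(1)
        elif m := re.match(r"#pkts encaps:\s*(\d+)", line):
            cur.pkts_encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps:\s*(\d+)", line):
            cur.pkts_decaps = int(m.group(1))
        elif m := re.match(r"#send errors:\s*(\d+), #recv errors:\s*(\d+)", line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"local crypto endpt\.: \S+, remote crypto endpt\.: (\S+)", line):
            cur.remote_endpoint = m.group(1)
        elif line == "inbound esp sas:":
            direction = "in"
        elif line == "outbound esp sas:":
            direction = "out"
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            (cur.inbound_spis if direction == "in" else cur.outbound_spis).append(m.group(1))
    return sas


def assess(sa):
    """Findings worth raising for a remote-access tunnel that reports as 'up'."""
    findings = []
    if not sa.inbound_spis or not sa.outbound_spis:
        findings.append("incomplete SA pair: phase 2 did not install both directions")
    elif sa.pkts_encaps == 0 and sa.pkts_decaps == 0:
        findings.append("idle tunnel: SAs installed but zero packets encapsulated or "
                        "decapsulated, so no traffic is being selected into the tunnel")
    elif sa.pkts_decaps > 0 and sa.pkts_encaps == 0:
        findings.append("one-way traffic: packets arrive from the client but nothing "
                        "is sent back into the tunnel")
    if sa.send_errors or sa.recv_errors:
        findings.append(f"SA errors: send={sa.send_errors} recv={sa.recv_errors}")
    host = sa.remote_ident.split("/")[0]
    if sa.assigned_ip and host != sa.assigned_ip:
        findings.append(f"remote ident {host} differs from assigned pool address {sa.assigned_ip}")
    return findings
```

    Run against the sample, `assess()` reports the idle-tunnel finding: both SAs are present, but no packet has entered or left the tunnel, which is what the zero counters in the posted output show.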

  • Is there any way to make a Mac identify as a Windows machine on a local network?

    I work for a municipal government organization. Occasionally, I am blocked by the network spam/firewall software (Barracuda) from accessing websites from my Mac, but NOT blocked from them if I go from a Windows machine -- even if it's a Windows VM running on the Mac! The reason given is usually that the sites are identified as "shopping".
    My suspicion is that, since AFAIK I am on the only Mac on the city's network that is NOT in one of the school department's computer labs, there is a setting on the server side that is set to assume that any Mac is a classroom machine and that the user is a minor. (***PLEASE NOTE*** Before anyone says anything, the sites in question tend to be free font or free graphics sites and ARE actually work-related, since I have no budget for fonts or stock photos... Keep it clean, you!)
    I know that there are ways to spoof a browser, say, on the web, but is there any way to do this directly on a local network? More to the point, if it IS possible, is there a way for ME to do it from my end rather than putting in a request to the MIS **** Desk to do something at THEIR end?

    Try this, UneasySilence.com has a guide on how to use SheepShaver to run Mac OS 9 on an Intel Mac.
    http://www.gibix.net/dokuwiki/en:projects:sheepshaver
    "Who said you can't use MacOS 9 because you have an Intel Mac? It is completely possible with a little bit of tinkering, and a really cool universal application called Sheep Shaver, which came to us via a tip from Kazaki. Sheep Shaver is a full speed 'Classic' emulator for Windows, Linux, and Intel based Macs, that runs older MacOS's at shockingly full speed!"
    http://www.uneasysilence.com/archive/2006/08/7352/
    If my answer helps or solves your problem, please mark it accordingly, it provides an incentive for posters here to try and help and gives others a quicker way of finding solutions faster, thank you.

  • Setting up a VoIP extension on a local network.

    With the help of the experts on this board I have successfully set up a VoIP phone extension on our private network. The questions & answers can be viewed at. http://forums.linksys.com/linksys/board/message?board.id=VoIP_Adapters&thread.id=3197 . For the benefit of anyone attempting a similar project, here is the completed setup.
    This installation is in a small motel in Te Anau, on New Zealand's South Island. The manager lives off site, and needs to be able to receive calls at night, and also transfer incoming calls to guests' extensions through the hotel's PBX. This necessitates a direct link to the PBX, rather than simply diverting the phone. One solution would have been to lease a circuit from the local Telco, but in NZ this is very expensive, so another solution was sought. Fortunately there was an established wireless data link between the hotel and the manager's residence, so VoIP seemed the obvious choice.
    The equipment used is a Linksys SPA3102 connected to an extension on the PBX, and a Linksys PAP2 at the remote end. The setup would work equally well if connected to a phone line, rather than the PBX.
    I’ll start the setup with the SPA3102.
    Connect the POTS line to the LINE port, and your switch/router to the INTERNET port. In my setup the Ethernet port is not used. Plug a standard phone into the Phone port. This is useful for testing and setting up. It’s not needed afterwards, unless you want a local phone.
    Open your web browser, and type the adaptor IP into the address bar. Go to Admin, and Advanced Settings.
    ROUTER SETUP
    WAN Setup Tab:
    Connection type: Static IP.
    Static IP Settings: The Network address on your local network (192.168.x.x)
    Subnet mask 255.255.255.0
    LAN Setup Tab:
    LAN IP address: This is automatically selected to be on a different subnet from the WAN. Unless it conflicts with another address on your system you shouldn't change it.
    Enable DHCP: No
    (Save these settings.)
    VOICE SETUP
    System Tab: No Changes
    SIP Tab: No Changes
    Provisioning Tab: No Changes
    Regional Tab: Mostly this sets the dial tones etc to match your local service. Unless you need them to be the same this shouldn’t need any changes
    The Hook Flash Timer Min & Max: should be set to the local values. The Defaults (.1 and .9) are OK for North America. Australia and New Zealand use .07 & .13. If you have trouble sending a hook flash, check these values against the local settings.
    DTMF playback level should be greater than zero. (I used 3)
    (Save these settings)
    Line 1 Tab:
    I don’t use Line 1 except for testing. During setup the line should be enabled. After the system is running OK, it can be disabled
    Line enabled yes
    SIP port 5060
    Proxies are not used in this setup.
    Register: No
    Make call without reg: yes
    Answer call without reg: yes
    User ID: 10? (you can use any number)
    Line 1 Tab: Supplementary services.
    Change Call waiting, 3 way Conf, and 3 way call, to no. (These interfere with sending a hook flash)
    Hook Flash Tx method: AVT
    (save these settings)
    PSTN Line Tab
    Line enable: yes
    SIP Port 5061 (default)
    Proxy: proxies are not used.
    Register: no
    Make call w/o reg yes
    Answer call w/o reg yes
    Display name: anything you like (VoIP gateway?)
    User ID: leave blank
    User password: leave blank
    Use auth ID: no
    Dial Plan 1: (<:*>S0). Switches to the outside line when * received.
    Dial Plan 2: (<:11@[PAP2 IP address]:5060>S0). 11 is the user ID on the PAP2. (The address was lost in the forum's link rewriting; substitute your PAP2's IP.)
    VoIP to PSTN enable: yes
    VoIP caller default DP: 1
    One stage Dialing: no
    VoIP users & Passwords.
    User 1 ID: 11. User1 DP: 1
    User 2 ID: 21 User 2 DP: 1
    User 3 ID 22 User 3 DP: 1
    (These are the line numbers of additional PAP2’s on our system)
    PSTN to VOIP Gateway enable: yes
    PSTN Caller ID none
    PSTN Caller Default DP: 2
    Detect PSTN long silence yes
    Detect VoIP long silence yes
    Detect Disconnect tone yes
    VoIP answer delay 0
    PSTN Answer delay 0
    PSTN to VoIP gain (Set these to adjust
    VoIP to PSTN gain the speech volume)
    Line in Use voltage: This should be set midway between the On Hook and Off Hook voltages, which you get from the Info screen. Most public phones are 47v on hook, and 7v off hook, so the setting should be 27v. My PBX is 27v on hook, and 7v off hook, so my setting is 17v. To read this, go to the Info screen and check the Line Voltage, then go Off hook (make a call), click the reload button on your browser, and check the line voltage again.
    (save these settings)
    This completes the setting up of the SPA3102.
    Now for the setup of the PAP2.
    Open your web browser, and type the PAP2 IP into the address bar. Go to Admin, and Advanced Settings.
    System tab:
    DHCP no
    Static IP 192.168.x.x (same sub-net as your network. Different adaptor number)
    Net Mask 255.255.255.0
    (save these settings)
    SIP Tab: no changes.
    Provisioning Tab: no Changes
    Regional Tab.
    Hook Flash Min & Max: change to your local settings if required.
    (save these settings)
    Line 1 & Line 2 Tabs.
    Whether you use Line 2 depends on whether you want to have 2 phones on the PAP2. All calls from the PSTN line of the SPA3102 will go to Line 1 of the PAP2 as per Dial Plan 2 on the SPA
    Line enable yes
    SIP port 5060 (line 1) & 5061 (line 2)
    Proxy Proxies are not used.
    Register no
    Make call w/o reg yes
    Answer call w/o reg yes
    Display name: anything you like
    User ID 11 (line 1) & 12 (line 2)
    (These are used to identify each line on the system)
    Call waiting: no
    3 way conf: no
    3 way call: no
    DTMF Tx method: AVT
    Dial Plan: This is the dial plan I use on line 1.
    (<:192.168.4.10:5061>S3|21S0<:@192.168.4.9:5060>|22S0<:@192.168.4.9:5061>)
    You will have to modify it for use on other lines, or other adaptors, and the IP addresses must match your system IP addresses. Here is an explanation.
    <:192.168.4.10:5061>S3: All my adaptors are on subnet 4. 10 is the number of the SPA3102, and 5061 is the SIP port mapped to the PSTN line. If the handset is lifted, and no numbers are dialed, the call will be transferred to the PSTN line after 3 seconds, and you will hear the outside dial tone. If within 3 seconds you dial either 21 or 22, the phone on either Line 1, SIP port 5060, or Line 2, SIP port 5061, on adaptor 9 will ring. (If you only have one PAP2 then you will only need the first section of this dial plan.)
    Enable IP Dialing: yes
    (save these settings).
    User 1 and User 2 tabs: no changes
    That just about does it. All incoming calls from outside are received by the PBX, and after hours are sent to the extension connected to the SPA3102, which rings the phone on the remote PAP2 in the manager's house. If the call is for a guest we can press the recall button (hook flash), dial the guest's extension number, and transfer the call when they answer. As an added bonus we have a second PAP2 elsewhere on the network, and we can call between the 3 adaptors. All 3 adaptors have access to an outside line, through the PBX. I'm fairly sure it would also work through a VPN, which would mean we could take a VoIP phone anywhere in the world, and still be virtually "on site". I don't know if that is a good thing or not.
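    To make the dial-plan explanation above concrete, here is a small interpreter for the subset of the Linksys dial-plan syntax these plans use (`<a:b>` substitution, literal digits and `Sn` timers). It is an added example, not code from the post or from Linksys; the rule semantics follow the post's own explanation, and matching rules by exact dialed string is my simplification.

```python
"""Interpreter for the Linksys SPA/PAP2 dial-plan subset used in the post (added example)."""
import re

# The PAP2 Line 1 plan from the post: an empty dial string goes to the SPA3102's
# PSTN port (SIP 5061) after 3 s; 21 / 22 ring Line 1 / Line 2 of adaptor .9.
PAP2_LINE1_PLAN = "(<:192.168.4.10:5061>S3|21S0<:@192.168.4.9:5060>|22S0<:@192.168.4.9:5061>)"

# Elements handled (the subset these plans use):
#   <a:b>   the dialed prefix "a" is replaced by "b" in the outgoing string
#   digits  literal digits the caller must dial (* and # allowed)
#   Sn      interdigit timer: wait n seconds for more digits before sending
_ELEMENT = re.compile(r"<([^:>]*):([^>]*)>|([0-9*#]+)|S(\d+)")


def parse_dial_plan(plan):
    """Split '(rule|rule|...)' into dicts of dialed pattern, output string and timer."""
    plan = plan.strip()
    if plan.startswith("(") and plan.endswith(")"):
        plan = plan[1:-1]
    rules = []
    for text in plan.split("|"):
        pattern, output, timer, pos = "", "", None, 0
        for m in _ELEMENT.finditer(text):
            if m.start() != pos:          # something between elements this subset does not parse
                raise ValueError(f"unsupported syntax in rule {text!r}")
            pos = m.end()
            if m.group(1) is not None:    # <a:b>
                pattern += m.group(1)
                output += m.group(2)
            elif m.group(3):              # literal digits
                pattern += m.group(3)
                output += m.group(3)
            else:                         # Sn
                timer = int(m.group(4))
        if pos != len(text):
            raise ValueError(f"unsupported syntax in rule {text!r}")
        rules.append({"text": text, "pattern": pattern, "output": output, "timer": timer})
    return rules


def route(rules, dialed):
    """What the adaptor does with the digits dialed so far.

    Returns (target, wait, pending): target is the outgoing dial string (None
    when no rule is complete yet), wait the seconds to hold for more digits
    before sending it, and pending the rules more digits could still complete.
    """
    pending = [r["text"] for r in rules
               if r["pattern"] != dialed and r["pattern"].startswith(dialed)]
    for r in rules:
        if r["pattern"] == dialed:
            # No explicit timer means send as soon as the pattern is complete.
            return r["output"], (r["timer"] or 0), pending
    return None, None, pending


if __name__ == "__main__":
    rules = parse_dial_plan(PAP2_LINE1_PLAN)
    for dialed in ("", "2", "21", "22", "9"):
        print(repr(dialed), "->", route(rules, dialed))
```

    With the handset lifted and nothing dialed, `route` returns the PSTN target with a 3-second hold while 21 and 22 are still possible; dialing 21 returns `21@192.168.4.9:5060` immediately, as the post describes.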

    Hi HW,
    The PBX is a Panasonic TA308. There is no special interface to the PBX,  the  line port on the SPA3102 is simply plugged into an extension, like another phone. Anyone calling that extension will have the call routed through the SPA & PAP2 to the remote phone.
    The whole setup is totally seamless, & transparent to the user. As we are on a local network there is virtually no latency. There is a slight tendency to echo, but the echo suppression mostly takes care of that.
    This has been a good exercise, and once I got my head around what I was trying to do, with your help, it was pretty easy. I think the hook flash timing would be the thing which gives most users a problem, as it seems to vary widely around the world. I was surprised at the difference between the US and NZ (.1 & .9 to .07 & .13). There didn't seem to be any other critical differences.
    Now I am the local expert on VoIP   "In the Kingdom of the blind, the one-eyed man is King."

  • Practical usage / difference - local vs server (local / network) accounts

    I have purchased a book on Mountain Lion Server, looked on the Apple support community and the Internet but I cannot find a clear answer, or explanation, to my query.
    Instead of looking at the features in Mountain Lion (ML) Server and Open Directory (OD) I'd like to approach this in terms of the functionality I would like to achieve. I am sure that many other people have had, will have, the same sort of questions.
    Some background: I have an all Apple home network — few Mac machines (iMac, MacBook), iPad, iPhone & Airport Extreme. I recently purchased a Mac mini running ML which I have setup as a server. The installation went OK and the DNS setup is fine.
    This is my question / requirement / clarification needed.
    As I understand it there are three types of user accounts in OS X + OS X Server with OD:
    Computer (standalone) Local — basically the account you would have on a Mac if you had only the one machine. Using (as I believe) a local 'Open Directory' (?) database.
    Server 'Local User' — an account on the server using a local OD database on that specific server.
    Server 'Local Network User' — an account on the server using a networked OD database on the server.
    Below is what I want to do — this is the functionality I want / don't want. I am aware that some of this functionality may, or may not, be available on OS X + Server + OD. Also I am looking at this from the perspective of a systems administrator of Windows + Active Directory sites — not saying that Windows & AD is better, but that is my experience & frame of reference.
    Access to shared common services — DHCP, DNS, Files, Mail, Calendar, Contacts, Messages, Time Machine backup, VPN. That is all the goodies I expected to get with a dedicated Mac mini OS X server machine.
    To have access to those services within the home LAN and, as relevant (Mail, Contacts, Calendar, Messages) via the Internet. If via the Internet then securely via use of certificates.
    Each user (currently) has their own machine with their (Unix style) home folder & files on that machine (the MacBook may have more than one account on it) and is logging locally onto their specific machines.
    I do NOT want to have the user's (Unix style) home folder (and all folders within) to be on the server.
    Users must be able to log onto their machines (i.e. MacBook) when outside the LAN and be able to access their local machine files.
    Now we come to the question of which type of OS X + OS X Server (OD) account do I use for people — keep the local machine account? Use a server account? If so then which — server 'Local User' or 'Local Network User'? Of course this can be framed as which OD a user authenticates against and what the ramifications of each method are.
    Also relevant is the point that I don't believe OS X Server + OD supports the same concept of Windows called 'cached credentials'. Which means that I couldn't have, for example, files on a computer (MacBook) which have an ACL referencing a server user account GUID because they could not be accessed if the user account was not able to authenticate (outside the LAN) with the OD server.
    Anyway to the questions — to achieve all, most of, the five functionality points in the list should I use (and why if someone could explain rationale):
    Combination of computer (standalone) Local + server 'Local User' accounts? Obviously as users will be accessing resources on the server it cannot be just Computer (standalone) Local accounts.
    Combination of computer Local + server 'Local Network User' accounts?
    Just server 'Local Network User' accounts
    I am suspecting that it will be option 1, combination of computer (standalone) Local + server 'Local User' accounts. If this option is used would there be a problem if the two accounts have the same username?
    Thanks for any help, advice, and/or instruction. Also if anyone has links to further information that would be much appreciated.

    Most services (calendar, contacts, vpn) require that your users authenticate via Open Directory.
    Your admin account can be local, but put your users in Local-Network (in 10.8 terms)

  • DNS not resolving on one Mac but the other works fine in same local network

    Snow Leopard is doing something strange to the DNS or the permission to ping.
    I have 2 Macs on the same local network, connect through the same ISP (verizon FIOS). One has no problem resolving any domain, but the other is constantly not resolving some domains.
    The problem progresses like this:
    * All of a sudden, DNS is not resolving from Ethernet (when it did perfectly well a minute ago).
    * Then I switched to wireless (using the same LAN), and it resolved fine.
    * Then it failed completely a few minutes later.
    * Then I reboot my Mac, and it seemed to clear that, and worked for a day.
    * Then it failed again in both Ethernet and Wireless; rebooting does not fix it.
    * I cleared all the caches using Onyx, did "dscacheutil -flushcache", zapped the PRAM, reinstalled the 10.6.2 combo update, repaired permissions; nothing works.
    * Since the unresolved domain is my own domain, I changed the nameserver, and waited for it to propagate to see if that may be the problem, since it appeared that it is not resolving the A Record, and I waited 72 hours, and it is not resolved or propagating to the local DNS, but it worked perfectly well on my other Mac within the same network.
    * Then I added other DNS, such as google DNS 8.8.8.8 or openDNS servers to it, but it didn't fix anything.
    * Then I "ping" either the unresolved domain or my own Mac .local, and it gave me the error "permission denied". (Whereas I have no problem pinging my own Mac or the unresolved domain in my other Mac that works!).
    * Then I "sudo ping" the unresolved domain or my own Mac, and it pinged perfectly well.
    * Then I tried "ping6" my own Mac or the unresolved domain on the broken Mac, and it worked fine!
    * Also, I used http://network-tools.com to ping it, and noticed that during the trace, somewhere along the route through te7-2.dsr02.dllstx3.theplanet.com and po2.car04.dllstx5.theplanet.com, it timed out along the route, so I don't know if the timeout could have been causing the reject, but I doubted, because "sudo ping" locally will get through but "ping" does not.
    So I think I traced the Snow Leopard DNS problem as follows:
    * Why does "ping6" work, but "ping" permission is denied unless the user is root?
    * I tried to "chmod 4755 ping" but it won't let me.
    * Is it because DNS is resolving using IPv6 but not IPv4?
    * Or has Snow Leopard somehow screwed up the permission to access ping or a similar DNS service?
    * Why does DNS have no problem on one Mac but cause problems on the other Mac, even though they are in the same local network?
    * The only difference between the Macs maybe because I have Parallels installed in the Mac that failed to resolve DNS (with the extra Parallels Shared Ethernet), which may be interfering with it, but I tried to turn Parallels Shared Ethernet off, and it did not fix the problem.
    Can anyone help or have any idea that I can fix this nagging bug with DNS? The DNS had worked before, but it simply quit working all of a sudden, and nothing can resurrect it.
    Thanks.

    Shut down Parallels and restart w/o letting any of Parallels TCP/IP stack resurrect itself. So many network issues with VM solutions. See if the problem persists. Create a new account and ping from there. Are your search domains manually entered on the 10.6 box?

  • File sharing and music sharing in iTunes not working on local network

    Hi Folks
    I am now going to make a topic of my own this time. Here is how it doesn't work:
    I have a MBP with Mac OS 10.5.4 connected via Airport to my local network. The switch is a zyXel 2602HW-D1A. On my network there is an iMac Flat Panel 800 MHz and an even older iMac bondiblue rev. A. Both of the old ones are running (smoothly) on Panther. The two old ones are connected via ethernet ports (wired) on the zyXel switch. I also have an Apple TV connected wirelessly to the switch. There are also two printers connected to the network.
    Until recently, don't know exactly when, everything has worked just fine. The two old Macs showing up perfectly in the sidebar of a Finder window. I could also connect to them via Command-K. Music sharing in iTunes also worked very well. But now it is impossible for my MBP to connect to the other Macs. They show up rarely in the sidepane of the Finder window, but when I try to make a connection it is impossible. It just turns the little wheel for a short while and then it says connecting failed. Also the Command-K command doesn't work. The other way round is no problem. The two old ones connect perfectly together and to the MBP. Music sharing is also lost FROM the MBP. There are absolutely no problems in the connection to the Apple TV from the MBP as well. All three Macs connect perfectly to the internet. I can also print from the MBP. AND it strangely connects perfectly to all PCs on my job network, which is a PC-only LAN.
    So far I have tried almost any combination of turning on and off the firewall, allow only specific sharing etc. For now the firewall is set to allow everything to connect (and it has always been that way). Network settings have also been toggled in any way they can. I have done all three cron jobs and repaired permissions a few times. The zyXel switch has also been reset and restarted.
    I also have a strange minor problem: I can't open the log via the show log button in the advanced pane of firewall settings. There is just nothing happening when I click the button. I also had another problem in turning on Airport the other day. I toggled on and off a few settings (Appletalk on and off did the trick) and then it suddenly worked.
    I have a strange feeling of something corrupt on my MBP. Or is it just that networking on Leopard is a bit unstable??
    I would appreciate some help here. I am sure that the problem lies within the MBP, or what do you think?
    Sincerely
    Mads

    Thanks - the weekend was very pleasant indeed!
    I agree that something seems to be awry in the Leopard MBP. The question is "what". The symptoms now are:
    1) iTunes music sharing from MBP is broken
    2) Connecting to Panther Mac via AFP is broken (although one Mac can be connected via IP address)
    3) Machine works well on a Windows network
    Based on all of this, I would guess that there is a problem in the "Bonjour" networking of the MBP. You could try:
    1. Using a different account to see if it is local to your user id.
    2. Failing that, removing your com.apple.AppleFileServer.plist and com.apple.AppleShareClient.plist files from /Library/Preferences
    Outside of that, I would have to do some more digging.

  • Submit button to local/network folder

    Goal: Place a Submit button on a PDF form that will save a copy of the entire form to a local/network folder.
    Software: Windows 7, Adobe Acrobat X Pro
    Per the Adobe Acrobat X Pro help files, it states that you can add a folder path in the URL field when adding a submit button.
    4. In the Submit Form Selections dialog box, do one of the following:
    To collect form data on a server, type the location in the Enter a URL for this link. For example, http://www.[domain]/[folder]/[subfolder]/ for an Internet address or \\[server]\[folder]\[subfolder]\ for a location on a local network.
    Issue: When using a folder path, for example "\\lfdemo\C\PDFsubmit\", the submission does not work: it first gives me a prompt asking whether I trust the site and, after accepting, it throws
    Server Not Found    
        http://\\lfdemo\c\pdfsubmission\/
    I understand the issue at hand, having the http:// and not being able to locate a network folder, but I don't understand the solution. Has anyone had any success with the previous setup? I read a few other threads regarding setting up a javascript within the button with trust functions and folder level scripts but that's a bit beyond my level of comprehension.
    I appreciate any feedback and help.

    nevermind, I figured it out using http://acrobatusers.com/tutorials/how-save-pdf-acrobat-javascript

  • Can't create Local Network Users in Yosemite

    I can't create Local Network Users (or change passwords)
    Logged on to /LDAPv3/127.0.0.1 as directory administrator
    When I try to create a new user (press the [+], fill in the form), it brings up the message:
    existing connection is not authenticated or secure: password change denied
    I suspect this is emblematic of other issues. I can authenticate for Mail and SMB, but not for AFP or Xcode

    So I had this problem last night as well when I upgraded my 10.9.5 OD master to 10.10.
    Two obvious problems after that upgrade:
    1)  Could not add a new Local Network User
    2)  Existing users could not connect via AFP (but could via SMB)
    Through a series of trial and error (and with two Apple Support people...), we found that the following actions seemed to help fix some (but not all) of the problems.:
    Problem #2 seemed to initially be fixed by archiving the OD Master, destroying the OD Master and then reimporting from the archive.  I archived from the upgraded 10.10, but should probably have tried restoring my 10.9.5 archive (which may end up being why I still have some problems...)
    Problem #1 seemed to be solved when I used WorkGroup Manager to reset the password on the Directory Administrator account I use (I also blew out all references to that account from the Keychain, so everything reprompted me to add that password).
    However, we think the root cause of this might have been that in /var/db/openldap/migration, the following "dot" files were still present after the upgrade
    fs:migration root# ls -la
    total 6308816
    drwx------  10 root  wheel         340 Oct 30 18:59 .
    drwxr-xr-x   6 root  wheel         204 Oct 30 18:57 ..
    -rw-------   1 root  wheel           0 Oct 30 18:59 .autossl
    -rw-------   1 root  wheel           0 Oct 30 18:59 .enableODProxyd
    -rw-------   1 root  wheel           0 Oct 30 18:59 .rekerberize
    -rw-------   1 root  wheel           0 Oct 30 18:59 .updateLocales
    -rw-r--r--   1 root  wheel      333436 Oct 30 18:57 authbackup.ldif
    -rw-r--r--@  1 root  wheel      617453 Oct 30 18:57 backup.ldif
    -rw-r--r--   1 root  wheel      617453 Oct 30 18:57 backup.ldif.backup
    -rw-r--r--   1 root  wheel  3228537344 Oct 30 18:59 oldsystem.tar
    Those 4 .dot files were *not* present in that directory on the two other test OD Master servers that I upgraded without issue.
    So we removed them and after having done all the above as well -- I can now add users to the server.   The OD engineer I talked to thought that the presence of those .dot files may have been triggering something to rerun every time PasswordService launched.
    When all was said and done, I was then able to "kinit <mydiradminaccount>" correctly and get a "klist" without issue.
    ALL THAT SAID:  As of this morning, *some* (most?  I don't know yet) of my existing OD user accounts are able to successfully log into the server.   A couple of them (so far) are reporting that their account is "disabled" (which is different from the "shaking"/can't-log-in behavior) -- but they can still log in via SMB -- so I think there was still a problem migrating OD accounts in the upgrade process.
    AND -- I noticed that -- in Server 4.0 -- "change password" is greyed out, so I have to use WorkGroup Manager to change server account passwords. 
    Whee...

  • ARD 2.2 Admin Crashes When Scanning Local Network

    Out of the blue, my ARD Admin application began to crash when scanning the Local Network.
    I deleted the application's preferences file (com.apple.RemoteDesktop.plist) and retried with the same results.
    Installed ARD admin application on a different machine with a fresh 10.4.2 OS install and it is still crashing whilst scanning.
    My network engineer swears that nothing has changed recently on the network.
    Wondering if anyone else has seen this.

    I was having the same problem until this morning, and one of my associates in a neighbor district discovered the problem. ARD 2.2 is VERY concerned about DNS entries.
    We are using OS X Server for our DNS, and what I did was create a bogus machine entry for each subnet. Thus, if I wanted to search our senior high lab subnet (10.136.43.x) I created an entry for 10.136.43.0. There is no physical machine at that address, but it forces OS X Server to create an IN-ADDR.ARPA record for that subnet. I found that to be a lot easier than manually editing the associated DNS files.
    It does work superbly. Three other folks in our district with ARD crashes tried doing searches and they were all successful. Adding the IN-ADDR.ARPA entries wasn't time consuming as we don't have a ton of subnets . We've defined standards for where machines should be as follows:
    (Device: Range)
    Switches: 10.x.1.100-150
    Printers: 10.x.2.1-50
    DHCP: 10.x.2.150-254
    Classrooms: 10.x.3.1-254
    Labs: 10.x.4.1-100
    Media Center: 10.x.4.101-150
    The junior high and high school are a bit different because they have more lab machines, but we try to stick to the basic scheme. This works great for us because 1) it allows us to know where devices should appear and 2) it greatly limits the range ARD must scan to pick up all machines of a particular kind (e.g. classroom or lab). We have a bit of reconfiguration to do because we should be able to have static classroom and DHCP units all within the 10.x.3 subnet, but that will be taken care of over the course of this year.
    I hope this helps some folks.
