SSH user, via Open Directory, can't SUDO...

On three of my Xserves I have SSH access restricted to a handful of users and these users are Open Directory-based users. Aside from the fact that these users don't have a home directory on the servers they connect to (as they're not local users to those machines), I'm having an issue where, when they try and run a command via SUDO, they get an error stating they are not in the sudoers file and thus can't complete the command.
I'm wondering if anyone has a solution for this? Should I not be using OD-based users for SSH?
Thanks,
Kristin.

Sure, you can use OD-based users and sudo.
Maybe add your users to the domain's Administrators group, which, by default, would grant sudo on the member machines. Careful, though, as that's the _domain_ administration group. If you need to restrict access so they can't make domain admin level changes but so they can do just about anything on your member servers and workstations, you could just create a new sudo group, maybe called "sudo-admins" then append an appropriate line to the sudoers files on all of your machines... maybe a line that reads:
%sudo-admins  ALL=(ALL) ALL
(standard warning about using caution while editing sudoers goes here -- be careful)
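
The group route from the reply above, as an added shell example that is not part of the original thread: it prints the sudoers entry for a group, syntax-checks it with visudo -cf (falling back to a rough shape check where visudo is absent), and checks on the member server whether the user actually resolves into that group, which is what sudo matches a %group entry against. The group name sudo-admins is taken from the reply; the user name is whatever you pass in, and the one-line fragment it writes is constructed for the check. Two points the reply only hints at: if id -Gn <user> on the Xserve does not list sudo-admins, the "not in the sudoers file" message has nothing to do with the sudoers file, it is group resolution on the bound host; and ALL=(ALL) ALL is unrestricted root, so membership in that group deserves the same scrutiny as membership in the domain Administrators group.

```shell
#!/bin/sh
# Added example for the reply above; it is not code from the original
# thread. It builds the "%group ALL=(ALL) ALL" line, syntax-checks it,
# and confirms that the directory group actually resolves on the member
# server, which is the usual reason an Open Directory user is "not in
# the sudoers file". The group name "sudo-admins" comes from the reply;
# any user name passed on the command line is an assumption.

# The sudoers entry the reply suggests, for any group name. macOS's stock
# sudoers carries the same shape for the local admin group
# ("%admin ALL=(ALL) ALL"), which is why domain Administrators members
# already get sudo on bound machines.
sudoers_line() {
    printf '%%%s  ALL=(ALL) ALL\n' "$1"
}

# Is GROUP one of the whitespace-separated names in LIST? sudo matches a
# %group entry against the groups the OS resolves for the user, so a
# directory group only works if this host can resolve it.
group_in_list() {
    group="$1"; list="$2"
    for g in $list; do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# Does USER resolve into GROUP on this host? id -Gn goes through
# Directory Services, so an OD group the bound machine cannot see comes
# back as "no" here, exactly as sudo will see it. Exit 2 = unknown user.
user_matches_group() {
    user="$1"; group="$2"
    resolved=$(id -Gn "$user" 2>/dev/null) || return 2
    group_in_list "$group" "$resolved"
}

# Crude shape check, not a sudoers parser: every non-comment line must
# look like "name ALL=(runas) commands" with name optionally %group. Used
# only when visudo is unavailable; it catches typos like a missing ")".
fragment_shape_ok() {
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            ''|\#*) continue ;;
        esac
        printf '%s\n' "$trimmed" | grep -qE \
            '^%?[A-Za-z0-9._-]+[[:space:]]+ALL[[:space:]]*=[[:space:]]*\([^)]+\)[[:space:]]+.+$' \
            || return 1
    done < "$1"
    return 0
}

# Syntax-check a fragment before it goes near /etc/sudoers. visudo -cf
# parses a file without installing it; a bad line in the real file locks
# everyone, including you, out of sudo.
check_sudoers_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1" >/dev/null
    else
        fragment_shape_ok "$1"
    fi
}

# Usage: sh od_sudo_check.sh GROUP [USER]   (run on the member server)
if [ $# -ge 1 ]; then
    group="$1"
    tmp=$(mktemp) || exit 1
    sudoers_line "$group" > "$tmp"
    if check_sudoers_fragment "$tmp"; then
        echo "fragment parses; append it with visudo:"; cat "$tmp"
    else
        echo "fragment rejected, do not install it" >&2
    fi
    rm -f "$tmp"
    if [ $# -ge 2 ]; then
        user="$2"
        if user_matches_group "$user" "$group"; then
            echo "$user resolves into %$group on this host"
        else
            echo "$user does NOT resolve into %$group here; sudo will deny" >&2
            echo "check the binding and the group's membership in the directory" >&2
        fi
        # sudo's own verdict; needs root, and -n keeps it from prompting.
        sudo -n -l -U "$user" 2>/dev/null || echo "(as root: sudo -l -U $user)"
    fi
fi
```

Run it on each Xserve as sh od_sudo_check.sh sudo-admins <user>; the membership check has to happen on the member server, not on the OD master, because it is the member's Directory Services lookup that sudo consults.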

Similar Messages

  • How to create email users with open directory?

    I'm trying to use a Mac mini as a mail server for my domains. It works well as an SMTP server/gateway for multiple locally networked systems running Lion, Mountain Lion and Mavericks. The server is running Mavericks 10.9.2, Server 3.1.1.
    I need to add email users to it, so I tried Open Directory. I added a user with an email address with a domain listed in the mail server's domains. Then used the server app to give the user permission to use the mail service and selected to have the mail be saved on the server.
    However, even though I set the mail server to accept any authentication method, I couldn't log in to get mail (via IMAP) from any email client on my computer. I tried Mail and Sparrow.
    The IMAP log on the server says 'Disconnected (auth process communication failure)'. I tried everything that I could from the server app and the workgroup manager app. When using 'Mail.app', the IMAP log shows an empty user name. Trying with Sparrow shows the user name in the log, but still fails.
    I restricted authentication to Open Directory, but that didn't help either. Tried with Secure Connection and without.
    Am I missing something? Is there anything that I need to do to make the server accept IMAP connections? The mail service is running and handling SMTP.
    The domain has an MX record pointing the server's domain name.
    All the services are secured with a self signed certificate.
    Doing a CLI check with 'sudo serveradmin fullstatus mail' results in the following:
    [snip]
    mail:protocolsArray:_array_index:0:status = "ON"
    mail:protocolsArray:_array_index:0:kind = "INCOMING"
    mail:protocolsArray:_array_index:0:protocol = "IMAP"
    mail:protocolsArray:_array_index:0:state = "RUNNING"
    mail:protocolsArray:_array_index:0:service = "MailAccess"
    mail:protocolsArray:_array_index:0:error = ""
    [snip]

    Didn't find a way to edit my post above.
    UPDATE:
    Trying to log in with Thunderbird showed differently in the IMAP log. It's user disabled instead.
    imap-login: Info: Disconnected (user disabled): user=<username>, method=CRAM-MD5, rip=192.168.8.101, lip=192.168.8.99, TLS
    How do I 'enable' this user?

  • Windows users and open directory

    Since Server for 10.7 I've found I've had to create Windows users as local users rather than local network users to give them access to shares via SMB. Is this correct, or am I missing something? I was aware that you can't bind a Windows PC to Open Directory, but can it not authenticate at all through OD?
    thanks

    If I understand your question, then you are looking for a tool like Centrify.  This will put all management on one platform.

  • Migrating NIS users to Open Directory

    Was wondering if anyone has any experience with migrating NIS users over to Open Directory? I have setup an Open Directory server (10.6) and am looking to move about 150 users from my NIS server to it.
    I can move the users/GIDs easily enough but want to move passwords also so the move is transparent to the users.
    Any ideas?
    Thanks!

    The answer appears to be that as long as your local pre-existing account password matches your domain account, then once the machine is bound, shared servers managed by Active Directory are automatically authenticated. No migration necessary. Only issues I came across had to do with old keychain entries that needed to be removed.
    Hope someone out there can learn from my confusion.

  • Services won't allow users to authenticate via Open Directory

    Greetings! I have been pulling my hair out for a long time over this and wondering if anyone has seen something similar or has anything I can try.
    It's a bit confusing so I'll try to lay it out so it's not too crazy.
    *The setup:*
    Leopard server hosting services including Podcast Producer, AFP, SMB and iCal
    External OpenLDAP directory server
    *The problem:*
    I have setup our test Leopard server and got services all working. While this server is setup as an OD master I can authenticate and use the services without problem. However, we have an external LDAP server using OpenLDAP. If I try to authenticate with any of these users from the external ldap server they are not able to login on any service except afp!!!
    *What I've Done:*
    I've setup the server trying two methods: Magic triangle and augmented records. Both seem to yield the same thing. I can see the ldap users in workgroup manager and I can even nest them into groups on the local leopard ldap server. Some other possible info:
    A log entry in the Podcast producer log dealing with authentication:
    [error] [client xxx.xxx.11.122] moddigestapple: Unable to authenticate for URI "/podcastproducer/workflows" from user "testuser" for realm "PodcastProducer" at location "/LDAPv3/ldap.ourschool.edu" from the directory because user's password type is not compatible with digest authentication.
    If I edit /etc/smb.conf and delete the line : passdb backend = opendirectorysam guest windows users can successfully authenticate via smb.
    On our old Tiger server, we had a magic triangle setup. That machine only ran SMB and AFP and it experienced the same problem with SMB and needing to delete that line.
    I think these things may be related, but I'm not sure where to look next. Any help would be greatly appreciated! Thank you for any suggestions you can provide.
    Steve

    I've followed the apple kb articles for enabling WIKI access and Podcast Producer access. Users can now authenticate.

  • Populating Users With Open Directory Archive

    I have a new 10.8.2 Lion server that I would like to bring all the 10.7.5 users over to. What is the best way to do this? It seems that the 10.7.5 archive is not compatible with 10.8.2. Any ideas would be great. I can't upgrade the 10.7.5 system because it's an old system.


  • Open Directory users prompted to change password after 10.8 to 10.9 server upgrade

    I just upgraded our 10.8.5 server to 10.9.3. I also upgraded Server.app to the most recent version (3.1.2). I made a complete backup first as a precaution.
    Existing non-admin users are being prompted to change their password when logging in. I've narrowed the problem down to a checkbox in the "Global Password Policy" settings in Server.app, specifically this checkbox: "Passwords must: be reset on first user login". I had that box checked in 10.8 so that new users would be prompted to create a password the first time they logged into a bound computer. It worked great and I'd like to continue using this feature in 10.9.
    If I uncheck this box in Server.app in 10.9.3, existing users can log in just fine with their existing passwords. If I re-check the box, non-admin users are suddenly prompted to change their password when logging in, even though they've logged in countless times in the past.
    Here are some things I've tried:
    * stopping and restarting the Open Directory service in Server.app
    * restarting the server
    * disabling and re-enabling an existing user account
    * inspecting user records in Directory Utility for any peculiar attributes
    * I used the mkpassdb -dump command to verify that the correct "last login time" is present for a particular user, but I'm not enough of an Open Directory expert to know if this is the attribute that the Global Password Policy relies on.
    Does anyone have any other ideas or suggestions?

    UPDATE: It looks like this issue applies to new (post-upgrade) accounts, too, suggesting that this has nothing to do with the upgrade process. Can anyone confirm this behavior? It's easy to test:
    1) Make sure the "Passwords must: be reset on first user login" box is unchecked.
    2) Create a new user in Open Directory.
    3) Log in once. No problem.
    4) Now check the "Passwords must: be reset on first user login" box.
    5) Try to log in again. Were you prompted to change your password? Logically, you shouldn't have been prompted, but users on my server are being prompted.

  • Lightroom Catalog and Apple Open Directory Users

    We are attempting to run Lightroom in our photo journalism classes and we are unable to setup the application because it will not create the Catalog file. 
    All of the users in Open Directory have their OSX 10.8 home folder stored on our Apple Server. This enabled them to log into any one of the computers in the lab and have access to their data/documents.
    Lightroom refuses to create the Catalog file because it treats the home folder as a network folder.
    My predecessor found some way around this in the past but he didn't document it and I can't find any evidence of it either.
    Can anyone help me out here?  Surely there are other people out there trying to use Adobe Products who also utilize Apple's "Open Directory" (it's like Apple's version of Active Directory).
    The only help online I've found was to try and create symbolic links but even after making symbolic links from the local HD to the Network user Home folder lightroom still refused to create the catalog file.

    It's been almost a year and we still don't have any good answers to this issue.
    Lightroom is not usable for any domain/directory enabled accounts because their home directories are stored on the network. 
    Is there anything else we can do?  We do not want them to "share" their catalogs but we really need them to be able to store their catalog on their network home because they do not always use the same computer and policy disallows saving documents or files to the local hard drives for students.

  • New Open Directory System - Losing Licensing Information

    I have a handful of Macs that I'm converting from a group of stand-alone computers to a X Server-administered open directory cluster such that each user's information is stored on the server.
    One thing I'm noticing is that previously licensed software components like Microsoft Office are starting to lose this information when a user logs in via open directory (comes up with trial prompt), as opposed to any of the local accounts in which the license is retained. Is there a simple fix to this in my configuration?

    Hi
    http://manuals.info.apple.com/enUS/OpenDirAdminv10.6.pdf
    Chapter 4 onwards. Page 60 initially explains what can be done. TBH I doubt if you'll find anything detailed? Each environment will be specific to that site and its needs. Ultimately you will benefit if you get someone in (a suitably qualified consultant) to do this for you. Here's a list of UK based Professionals:
    https://i7lp.integral7.com/durango/do/pr/prSearchResult;jsessionid=7397436DE3969286E7E35DB6FC4A37F6
    HTH?
    Tony

  • Strange login problem with Open Directory

    Hi,
    I created a web tool that calls dscl to create users in Open Directory from a bound web server.
    Most of the accounts work fine. A couple do not. The particular account in question could login to machines in one computer group, but not on others, using the login window. But it could login on the command-line via su.
    Now here's the kicker. I deleted the user completely and re-created the user account with the same login name, and assigned it to the same groups as other new accounts that work fine. The problem persists.
    The only thing I've found that indicates a problem is the following from the ldap log:
    Sep 17 10:36:14 poseidon slapd[61]: Entry (uid=<username changed>,cn=users,dc=<redacted>,dc=<redacted>,dc=<redacted>): object class 'posixAccount' requires attribute 'homeDirectory'
    (note the redactions and username were put in by me...paranoia etc)
    I used 'Inspector' in Workgroup Manager and verified that the account does in fact have the required homeDirectory attribute, and the account is not unlike other accounts that work fine, save the username and unique ID.
    I hope this provides enough info for someone to give some guidance...this is certainly a strange problem.
    Thanks ahead of time!
    -Matt


  • Open Directory users can't access shares

    Greetings all.
    I apologize if this has been covered, but I couldn't find a search term that would locate the issue.
    I have a 10.5.8 Server running on a MDD dual 1Ghz G4. I have it set up as an OD Master and providing time services, DNS, file sharing, portable home directories and calendaring for a small workgroup of 7 computers. At least that's the idea when it's functional.
    It is behind a NAT and only serves the local network.
    Until I have the user's data all transferred from local directories to portable home directories, I need to make it so that the users can access the shares.
    In testing, when I try to access a share, I get an error message that the login failed because the username or password was invalid.
    However, when I go look at the Password Service log, the user was authenticated and in good standing.
    Any ideas?
    Thank you,
    John

    maybe some additional information or rephrasing might help.
    I have users and groups set up with ACLs on the shares that are set up with automount over NFS. The shares should also be available via appleshare, but not automount.
    The users are configured now with Portable Home Directories.
    The client computers are bound to the Open Directory Master on which the shares reside.
    The server runs network time services and the client computers use that for their time service.
    The server also runs DNS, and the client computers use that DNS.
    Users can log into their Portable Home Directories ok.
    Users can not log into shares via "connect to server" as it says that the username/password is invalid, even though the password service log says that the user was authenticated and in good standing.
    Users can see the NFS automount shares at /Network/Servers/Library (where it is supposed to be), but they cannot write, even though the ACL gives the user account permission to do so.
    For the permissions on the automount, I can't tell if the user is not being detected as the authenticated user, and is therefore being given "everyone" permissions, or if the ACL is not working on the mount and so the user is being given ""everyone" permissions.
    Anyone have any idea how I can find out?
    As to why a user can't log in via "connect to server" I'm clueless.
    Thank you,
    John

  • How can I enforce Parental Controls on a group of network users on an Open Directory client?

    I have a Mac mini running OS X Server (Mountain Lion) and have a client family iMac that is a client of the Open Directory server. I have created network users for my kids and put them into a group and created Parental Control restrictions that apply to members of the group. However, the kids can log into the iMac with the same network accounts and no Parental Control policies are enforced on the iMac.
    I'd like to restrict times and hours per day, as well as the obvious content/website restrictions. I'm not sure why the Parental Control policy isn't being enforced. While I'm not great at it, I do have a basic understanding/overview of knowledge on Windows Server administration, but OS X Server seems to be waaay different...
    I have fiddled with the certificate, and I have told the client iMac to trust the certificate coming from my Open Directory server, but it doesn't seem to make much of a difference with the enforcement of the kids group's Parental Control policies.
    Can anyone assist or offer any suggestions?

    Related logs from the OD client iMac below:
    2013-07-13 20:37:45 -0400 mdmclient[12003]: *** ERROR *** [Agent:501] Sending 'OTA-Phase2' request to server: https://server.local/devicemanagement/api/device/ota_service (<NSURLErrorDomain:-1001> The request timed out.
    UserInfo: {
        NSErrorFailingURLKey = "https://server.local/devicemanagement/api/device/ota_service";
        NSErrorFailingURLStringKey = "https://server.local/devicemanagement/api/device/ota_service";
        NSLocalizedDescription = "The request timed out.";
        NSUnderlyingError = "Error Domain=kCFErrorDomainCFNetwork Code=-1001 \"The request timed out.\" UserInfo=0x7fef6a82b2b0 {NSErrorFailingURLStringKey=https://server.local/devicemanagement/api/device/ota_service, NSLocalizedDescription=The request timed out., NSErrorFailingURLKey=https://server.local/devicemanagement/api/device/ota_service}";
    2013-07-13 20:37:45 -0400 mdmclient[12003]: *** ERROR *** [Agent:501] ProcessOTABootstrapProfileCore (<NSURLErrorDomain:-1001> The request timed out.
    UserInfo: {
        NSErrorFailingURLKey = "https://server.local/devicemanagement/api/device/ota_service";
        NSErrorFailingURLStringKey = "https://server.local/devicemanagement/api/device/ota_service";
        NSLocalizedDescription = "The request timed out.";
        NSUnderlyingError = "Error Domain=kCFErrorDomainCFNetwork Code=-1001 \"The request timed out.\" UserInfo=0x7fef6a82b2b0 {NSErrorFailingURLStringKey=https://server.local/devicemanagement/api/device/ota_service, NSLocalizedDescription=The request timed out., NSErrorFailingURLKey=https://server.local/devicemanagement/api/device/ota_service}";
    2013-07-13 20:37:45 -0400 System Preferences[11138]: *** ERROR *** [CPInstallerUI:501] Profile installation (Device Enrollment (com.apple.ota.server.local.bootstrap)) (<NSURLErrorDomain:-1001> The request timed out.
    UserInfo: {
        NSErrorFailingURLKey = "https://server.local/devicemanagement/api/device/ota_service";
        NSErrorFailingURLStringKey = "https://server.local/devicemanagement/api/device/ota_service";
        NSLocalizedDescription = "The request timed out.";

  • Can't create new open directory user

    hi.
    If I use the workgroupmanager to create a new user it automatically creates one with a "crypt" password.
    first it is shown as open directory, but then if I re-load, it says "crypt" password.
    If I try to change it to open directory the system tells me that I am not authorized to do so.
    it does not matter if I try the workgroupmanager locally or via my macbook remotely.
    if I create them via the server preferences it works fine.
    since I am a newbie here, maybe I am doing something wrong... ideas? please.
    thanks.
    martindavid


  • Open Directory Users can't add printers

    Hi all,
    I've set up my teachers on OD on OS X Server 10.5 but now when they log in, they cannot add any printers. I've tried many different things to get the lock on the Print & Fax System Pref to be unlocked by default but nothing I've tried works.
    When I log into the computer as an admin, the Print & Fax is unlocked. Logging in as a user via OD locks it. I've checked to make sure that the users are not being managed via OD prefs. Even if they are the lock still appears. Does anyone know what I can do to fix this?
    thanks!

    Ah! Thanks! No wonder I cannot do this...
    Unfortunately, the printers are all USB shared printers connected to computers on the network. Is there anyway to preset these printers? They don't show up in the Print manage settings at all.

  • Open Directory Error -14136 occurred - Can't Create New User

    I am trying to create a new user account for a contract employee and I am repeatedly getting this error.
    The Server Reported the Error "Open Directory Error -14136 occurred" while trying to create this user.
    I've done a search for this error code and no dice. Any ideas. Is something hosed in my Directory file?
    I am hoping not to have to redo the whole lot as we are on a deadline.
    Any help would be appreciated.

    Check out this thread, you are not alone but there doesn't seem to be a single solution...
    http://discussions.info.apple.com/thread.jspa?threadID=2262981
    I had this code and MY solution came from the fact that I had turned OFF DNS because I couldn't see that "I" was using it. turning it back on and ensuring that it was correctly configured solved it for me!
