Unable to access server files shares with Active Directory Users

Quick breakdown of my issue.
I have set up a Yosemite file server running the latest version of Yosemite and Server.
File sharing in Server.app is enabled and shares have been created.
The server is bound to my company's Active Directory and you can log in directly to the computer via AD credentials.
The big issue is this: unless the user has directly walked up to my server and logged into it at least once, they cannot authenticate to the file shares via their AD credentials.
For example: as Administrator (me) I can log in and access all file shares without issue.
Jane Smith (SMITH), who has actually walked up to my server and logged in via her AD credentials, can also access all file shares (that she has access to).
John Doe (JDOE), who has not logged into the server in any way, cannot authenticate to the server file shares at all (even though I have granted him permission). He just gets an "Access Denied" message.
I have gone into Directory Utility and changed the search order to give AD priority, and this still doesn't resolve the problem.
We have unbound the server from AD and added it back again, and still were not able to resolve it.
If you open Server.app and go to add someone from AD to a file share, it finds the AD user quickly and everything looks right, but they are still unable to authenticate to the server if they haven't directly logged into it before.
All of the documentation and Google articles I have found say my server is set up correctly; any help would be greatly appreciated!
Thanks in advance!

I figured this out. In Mountain Lion Server, it doesn't matter if you give the user rights to a shared file or folder; if the user doesn't have access to the File Sharing service, they can't get it. I had to find the specific users in the Server app under the AD in the Users tab, and give them rights to the File Sharing service. I think you can do this for a whole AD group as well, but I haven't tried.
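As an added example (not from the original thread), the same fix applied from the command line: the File Sharing access that the Server.app Users tab grants is a service access control list (SACL), and on OS X Server the AFP and SMB SACLs are the local groups com.apple.access_afp and com.apple.access_smb, which dseditgroup can edit. The short names jdoe and "Domain Users" below are constructed, and the script assumes the server is bound to AD so those names resolve through the AD node; the same advice is repeated in the first Similar Message below.

```shell
#!/bin/sh
# Grant Active Directory users or groups access to the OS X Server File
# Sharing service by adding them to the SACL groups that back AFP and SMB.
# Run on the server with sudo. DRY_RUN=1 prints the dseditgroup commands
# instead of executing them (and skips the membership check).

# Map a file-sharing protocol name to the local SACL group that gates it.
sacl_group() {
    case "$1" in
        afp) echo "com.apple.access_afp" ;;
        smb) echo "com.apple.access_smb" ;;
        *)   echo "unknown protocol: $1" >&2; return 1 ;;
    esac
}

# Build the dseditgroup command that adds one principal to a SACL group.
# $1 = afp|smb, $2 = user|group, $3 = short name of the AD principal.
grant_cmd() {
    group=$(sacl_group "$1") || return 1
    echo "dseditgroup -o edit -n /Local/Default -a $3 -t $2 $group"
}

# True when the principal is already listed in the protocol's SACL group.
is_member() {
    group=$(sacl_group "$1") || return 1
    dseditgroup -o checkmember -m "$2" "$group" 2>/dev/null | grep -q '^yes'
}

# Grant File Sharing access for both AFP and SMB, skipping existing members.
# $1 = user|group, $2 = short name (e.g. jdoe, or "Domain Users" for a group).
grant_file_sharing_access() {
    kind=$1; name=$2
    for proto in afp smb; do
        if [ "${DRY_RUN:-0}" != 1 ] && is_member "$proto" "$name"; then
            echo "$name already has $proto access"
            continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "DRY_RUN: $(grant_cmd "$proto" "$kind" "$name")"
        else
            group=$(sacl_group "$proto") || return 1
            dseditgroup -o edit -n /Local/Default -a "$name" -t "$kind" "$group"
        fi
    done
}

# Usage on the server (constructed sample names):
#   DRY_RUN=1 grant_file_sharing_access user jdoe
#   sudo sh -c '. ./grant_sacl.sh; grant_file_sharing_access group "Domain Users"'
```

Adding an AD group this way is how you avoid the per-user step the answer describes; membership still has to resolve through the AD node, so check `dseditgroup -o checkmember` for one user after binding.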

Similar Messages

  • Mac OS X Server File Shares and Active Directory Users

    About ready to pull my hair out on this one...
    We have a department that only uses Macs. At the moment, it's a hodgepodge of different setups. We were able to convince the department to standardize, and purchase a Mac Mini Server. To keep things a bit simpler, we are setting up their department shares on the server as well.
    To make my life simpler (or so I thought...) I decided to bind the OS X Server to our AD, and use the AD users/groups to allow access to the shares. The OS X Server app lists all of our AD user and groups, and I can apply them to the shares, however, when we try to access the share, it fails.
    I don't think the server is talking to our AD correctly.
    I can log in to the Mac Server with my network account, my network account works for accessing Server.app, but nothing I've tried will allow our Mac or Windows clients to access the shares with the AD credentials. The log file comes up with:
    mccsrvrmac.mcc.local smbd[441]: check_account - [7]: [permission denied] pam_acct_mgmt
    Also seeing this:
    mccsrvrmac.mcc.local kdc[57]: Asked for LKDC, but there is none
    A bit of background: We added this Mac to the domain once before, realized that the HDDs weren't set up in a RAID config, so wiped it and reinstalled. I did remove the computer account before rebinding.
    Any help is appreciated!

    I figured this out. In Mountain Lion Server, it doesn't matter if you give the user rights to a shared file or folder; if the user doesn't have access to the File Sharing service, they can't get it. I had to find the specific users in the Server app under the AD in the Users tab, and give them rights to the File Sharing service. I think you can do this for a whole AD group as well, but I haven't tried.

  • Issue with Active Directory User Target Recon

    Hi,
    I am facing an issue with Active Directory User Target Recon.
    My environment is OIM 11g R2 with BP03 patch applied.
    AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied.
    In my target there are around 28000 users, out of which 14000 have an AD account (includes Provisioned, Revoked and Disabled accounts).
    When I run Active Directory User Target Recon I do not set any filter; I cleared the batch start and batch size parameters and ran the recon job. The job ran successfully but it stopped after processing around 3000 users only.
    Retried the job two or three times, but every time it stops after processing some users and does not process all the users.
    Checked the OIM diagnostic logs and the Connector Server logs and cannot see any errors in them.
    Checked the user profile of the users processed and can see the AD account provisioned for those users.
    My query is why this job is not processing all the users. Please point out if I am missing something.
    Thanks in advance

    Check the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
    -Bikash

  • Unable to login @ login window with Active Directory User

    I successfully bound my test machine to Active Directory and can search using dscl and id. I can also su to my Active Directory user account and authenticate perfectly. All search bases are correct and everything else looks fine.
    When I attempt to login from the login window as an AD user, the window shakes. Clicking under Mac OS X shows that "Network Accounts Available". Looks like the CLI tool "dirt" is now gone as well, although insecure it would possibly show something here.
    Anyone else having issues after binding to AD? I bound using the Directory Utility gui... I have not tried using my leopard bind script yet.
    Thanks,
    Ken

    I have pretty well the same problem. The machine was already bound to AD prior to upgrade. Afterwards I could not log on with my account (jball). I can log on with other accounts from the same domain (we only have one AD domain). I can also su to jball in a terminal session. I can't access network resources with jball: when I try to connect to a Windows server through the Finder, it instantly comes up with bad username or password, and doesn't even think about it.
    I have removed any copies of the home folder under either /Users or /Domain, as I have had problems with that before. I have repaired permissions and unbound and rebound the machine to AD. I have been at this all day now and am no closer. I get these error messages in Console:
    31/08/09 4:49:27 PM SecurityAgent[666] Could not get the user record for 'jball@domainname' from Directory Services
    31/08/09 4:49:27 PM SecurityAgent[666] User info context values set for jball@domainname
    31/08/09 4:49:27 PM SecurityAgent[666] unknown-user (jball@domainname) login attempt PASSED for auditing

  • Cannot log into DTR with Active Directory User

    Greetings,
    I have set up and installed JDI correctly.  I can log into /devinf, the cbs, cms and sld systems with no problem using both Administrator and my JDI.Administrator that I assigned to an Active Directory user.  I can log into the DTR using a user from the database (i.e. Administrator), however, when trying to access the DTR with an Active Directory user, I get the following message:
    500   Internal Server Error
      SAP J2EE Engine/6.40 
      Application error occurred during the request procession.
      Details:   Error [javax.servlet.ServletException: Group found, but unique name "businessUnit.all.guests" is not unique!], with root cause [com.tssap.dtr.server.deltav.InternalServerException: Group found, but unique name "businessUnit.all.guests" is not unique!].  The ID of this error is
    Exception id: [0012798F81680042000000090000165C0003FE9AA3C0B86B].
    This group exists in multiple domains; however, this has not caused us any issues to date with our portal and other pieces of SAP WAS. It's only this DTR error.
    Any help is greatly appreciated.
    Thanks,
    Marty

    Hi Marty,
    In the document available at the link enclosed below, there is a part that explains how to configure DTR so that it always uses "Unique-IDs".
    http://help.sap.com/saphelp_nw04/helpdata/en/20/f4a94076b63713e10000000a155106/frameset.htm
    It is mentioned that this is valid for LDAP, but the information is applicable for Active Directory as well.
    Regards,
    Manohar

  • Tighter Integration with Active Directory User Groups

    I just wrapped up a Jabber deployment with IM&P 9.1(1) and J4W clients 9.1(3).
    The customer asked me if it is on Cisco's roadmap to allow groups in Active Directory to be pulled into the Jabber client.  The primary business case is to allow those in IT to send out IM blasts to the corporation or certain departments.
    Obviously, this would require a significant amount of development and a much tighter integration with Active Directory, but I need to ask anyway.
    Has something like this been identified and placed on any roadmap?
    Thanks,
    Matthew Berry

    Unfortunately this kind of question cannot be addressed here; roadmap questions need to go through official channels for an answer.
    You need to reach your SE/AM for this question.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Integrating Final Cut Server 1.5 with Active Directory

    Following the directions in the Final Cut Server Setup Guide and I am running into errors. Fun with Final Cut Server. Fun with Kerberos.
    Final Cut Server v.1.5 is running on an Intel Xserve running 10.5.6 Server, joined to AD. Active Directory is running on a Windows Server 2008 setup.
    I dropped the ini files on the domain controllers, as directed by Apple KB (http://support.apple.com/kb/HT3688) and I ran the commands directed in the setup guide.
    The adprincadd command should be run literally, of course, but there's a mistake straight away: where it should read "./adprincadd.pl", the ".pl" is missing. Also it says "fcsvr/fqdn of fcsvr", so naturally I replaced the fqdn, but the "fcsvr" prefix threw me off. It gave me errors until I opened Kerberos.app and noticed that the Kerberos ticket was in ldap/; then the command worked for me. At least no errors, until I checked the ticket and it said I had no permissions and that the keytab entry was invalid. Wheeee.
    1. First I tried:
    (some info redacted)
    node09:sbin root# ./adprincadd.pl -dc dc01.example.com. fcs.example.com.
    Getting kerberos principal for computer account
    Kerberos principal is ---
    Getting computer id...---
    Getting AD Domain...---
    Base DN is dc=example,dc=com
    getting kerb ticket using [email protected] got ticket
    SASL-bind to dc01.example.com. successful
    Computer record is at CN=---,CN=Computers,DC=example,DC=com
    Checking to see if ---.--.---. exists...000020B5: AtrErr: DSID-031529F7, #1:
    0: 000020B5: DSID-031529F7, problem 1005 (CONSTRAINTATTTYPE), data 0, Att 90303 (servicePrincipalName)
    at ./adprincadd.pl line 165
    2. Then I noticed the /ldap in Kerberos.app and changed the adprincadd command:
    Everything ran well, with no errors...
    Finding kvno...2
    Reading /etc/krb5.keytab...done.
    Creating new keytab file...done.
    Writing out temporary keytab...done.
    Making backup of old keytab and moving new keytab into place...done.
    Operation Completed. You can verify with "kinit <ad user>; kvno -k /etc/krb5.keytab ldap/---.example.com"
    3. Verifying with kinit gave me the keytab errors:
    kinit matx; kvno -k /etc/krb5.keytab ldap/fcs.example.com
    Please enter the password for [email protected]:
    ldap/[email protected]: kvno = 2, keytab entry invalid
    kvno: Permission denied while decrypting ticket for 'ldap/[email protected]'
    Thoughts?

    Hello, I'm having issues with the client login after AD integration. I followed the steps from http://support.apple.com/kb/HT3818 and the Terminal output reported a success.
    I'm able to add AD groups in Final Cut Server Group Permissions. However, when I try logging in on the FCServer client using credentials associated with AD group I've added, I'm getting an error message from the client stating:
    "Please re-enter the username and password or contact the server administrator. Please note that the username and password are case-sensitive."
    The FQDN is correct in the Server field of the client.
    I'm able to log into the client using locally created user accounts that I've created on the server so I know the client is communicating correctly.
    The only thing I can find in the Console for the client machine is this:
    11/25/09 10:50:12 AM /Users/*/Desktop/Final Cut Server.app/Contents/MacOS/Final Cut Server[1773] Warning: accessing obsolete X509Anchors.
    In the server Console, this is a suspect message: /Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/MacOS/fcsvr_stored[77891] pps proxy error: dsDoDirNodeAuth = -14091
    Not finding much info out there regarding this. Any guidance is appreciated.

  • Problems with Active Directory Users showing as not found in Open Directory work group manager

    I’m running a golden triangle setup with Open Directory assigning group policy and authentication provided by Active Directory. In Workgroup Manager I can search through the AD and add users or computers to groups in OD Workgroup Manager. However, when I save and refresh, the users or computers appear as ‘not found’. Is there a reason for this?

    Hi Zero
    It's very reassuring to know I'm not the only one having issues with this.
    I'm on my second reinstall of the server. Like you, I have no wish to do another clean install as everything else is connected, and it seems like the answer is probably very simple.
    So today I'm going to re-run the terminal commands as laid out in the online guides.
    However, I was kinda hoping someone would be able to supply us with an answer.
    Thanks
    J

  • Wireless Deployment with Active Directory User Group Integration

    I am trying to find out the best practice in deploying a WLAN for users in a corporate environment, where their company Active Directory integrated laptops join the WLAN.
    I know this can be done using certificates easily, but I want to find a way to deploy this without certificates and based only on the AD user group. Maybe a RADIUS server + LDAP server integration solution would be great.
    Please advise. Thanks.
    Cheers
    Lal Antony
    www.lalantony.com

    The easiest way to deploy this is with a Microsoft toolkit; it has everything you need included, manuals, scripts to install and configure server-side components, and it's very easy to use. You can get it from here:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en
    It's based on Win2003 server but I've been advised by MS that it should be OK on Win2008 as well.

  • Can not open Active Directory Users and Computers

    Problem Reported:
    Out of the blue this has started happening:
    When I go to "Active Directory Users and Computers" I get this message.
    "MMC cannot open the file C:\WINDOWS\system32\dsa.msc.
    This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.
    Additional information:
    This is a server that has been in use for 2+ years with Active Directory users that can and do log in every day.
    As far as I know the system has no backup.
    dsa.msc IS located in the system32 folder
    I am using the administrator account.
    OS:
    Microsoft Windows Server 2003 R2
    Standard x64 Edition
    Service Pack 2
    Please help with detail. Thank you.

    Have you tried to uninstall ADUC administrative tool and re-install it again? If no, please give a try. 
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Active Directory Users and Computer not displaying column data?

    I am running Windows 8.1 Enterprise with RSAT installed. My domain controllers are Server 2008 R2.
    I am having an issue with Active Directory Users and Computers. Typically I will turn on Advanced Features and then add columns for Email Address and Display Name. This, for example, allows me to easily export lists of users and their email addresses, among other things.
    The issue is that on my Windows 8.1 client, the columns for Email and Display Name are empty. It simply will not display this information. It only displays Name, Type and Description.
    If I use a Windows 7 client, the information displays correctly.
    Has anyone run into this issue or heard of this problem when using ADUC on Windows 8.1?

    ADUC is an AD tool that is no longer being improved, with Microsoft now focusing on ADAC (Administrative Center). In 8.1, it has improved quite a bit since 7. You can also just try using the
    ActiveDirectory PowerShell Module, which is easy to use and fairly powerful. It can be simple to export lists, and the module for AD is included with RSAT tools.
    Example:
    Import-Module ActiveDirectory
    Get-ADUser -Filter {Manager -eq "John.Smith"} -Properties DisplayName,Mail | Export-Csv dump.csv -NoTypeInformation
    So, recommendation: either use ADAC, or PowerShell -- ADUC is part of the wave of deprecation.

  • Exchange Server CCR 2007 unable to see the File Share Witness resulting in mailbox failover ?

    Hi people,
    Here's my Exchange Server 2007 SP3 in the ideal and normal situation:
    Mailbox Server (CCR – Stretched Cluster) Nodes
    PRODEXMBX01-VM (Active Mailbox, Quorum) – 10.1.1.53
    DREXMBX01-VM (Passive mailbox) – 192.168.1.88
    Hub Transport and Client Access Server Nodes
    PRODEXHTCAS02-VM – 10.1.1.54
    PRODEXHTCAS03-VM (FSW holder) – 10.1.1.55
    DREXHTCAS02-VM – 192.168.1.89
    Saturday early morning, for some unknown reason, the Active Mailbox Server (PRODEXMBX01-VM) could not access or see the FSW on the HT server PRODEXHTCAS03-VM, so the mailbox failed over to the DR Mailbox server (DREXMBX01-VM).
    Here are the events logged:
    Log Name:      System
    Source:        Microsoft-Windows-FailoverClustering
    Event ID:      1564
    Task Category: File Share Witness Resource
    Level:         Critical
    User:          SYSTEM
    Computer:      PRODEXMBX01-VM.domain.com
    Description:
    File share witness resource 'File Share Witness (\\PRODEXHTCAS03-VM \FSM_DIR_ExMbxCluster01)' failed to arbitrate for the file share '\\ PRODEXHTCAS03-VM \FSM_DIR_ExMbxCluster01'. Please ensure that file share '\\ PRODEXHTCAS03-VM \FSM_DIR_ExMbxCluster01' exists and is accessible by the cluster.
    Log Name:      System
    Source:        Microsoft-Windows-FailoverClustering
    Event ID:      1177
    Task Category: None
    Level:         Critical
    User:          SYSTEM
    Computer:      PRODEXMBX01-VM.domain.com
    Description:
    The Cluster service is shutting down because quorum was lost. This could be due to the loss of network connectivity between some or all nodes in the cluster, or a failover of the witness disk.
    Run the Validate a Configuration wizard to check your network configuration. If the condition persists, check for hardware or software errors related to the network adapter. Also check for failures in any other network components to which the node is connected such as hubs, switches, or bridges.
    So I had to perform a manual failover back from DR to production so that both the Active Mailbox and the Quorum are held by the Production Mailbox server (PRODEXMBX01-VM).
    On Sunday morning, the Critical Event ID 1564 occurred again, this time causing only the quorum to fail over to the DR mailbox server (DREXMBX01-VM), while the Active Mailbox role is still held by the Production Exchange server (PRODEXMBX01-VM).
    So now the situation is like the following:
    Mailbox Server (CCR – Stretched Cluster) Nodes
    PRODEXMBX01-VM (Active Mailbox) – 10.1.1.53
    DREXMBX01-VM (Passive mailbox, Quorum) – 192.168.1.88
    Hub Transport and Client Access Server Nodes
    PRODEXHTCAS02-VM – 10.1.1.54
    PRODEXHTCAS03-VM (FSW holder) – 10.1.1.55
    DREXHTCAS02-VM – 192.168.1.89
    So what is causing the mailbox servers to be unable to contact the File Share Witness?
    /* Server Support Specialist */

    Did you check the blog above? 
    The account used in the clustered machine should have access to
    \\PRODEXHTCAS03-VM\FSM_DIR_ExMbxCluster01. Please check the permissions. Try giving full permission to admins as well (just to try)
    MAS
    I've followed these instructions (http://technet.microsoft.com/en-us/library/bb124922(v=exchg.80).aspx) and there is no mention of any account other than the Cluster Service Account.
    /* Server Support Specialist */

  • Quicktime would fail to write/export to server windows share with "Error -43: file not found" errors

    Summary:
    With the combination of Windows 7 and Quicktime 7.x, Quicktime would fail to write/export to server windows share with "Couldn't create output movie storage" and "Error -43: file not found" errors
    Steps to Reproduce:
    Trying to render to Quicktime files using network shared folders as a destination:
    Unable to open file. (-1610153459)
    The funny thing: it only happens when there are at least two shared folders mapped on the workstation, and the destination folder used for the rendered movie is not the first one.
    If we have only two mapped drives, F: and G: for example, and we try to render something to F:, everything works fine and no error is shown. But when the destination is the G: drive, rendering never works, the error is shown, but a zero-byte file is created in F: (!!). ODD! If we remap the F: drive with a different letter, but a letter BEFORE G:, the problem always happens. If we remap drive F: to any letter AFTER G:, making G: the first available network drive, rendering works. Also, simply unmapping F: and leaving G: as the only connected network folder makes rendering work.
    We do not have a D: drive in our Windows 7 workstations, they are all C: only.
    It is a 100% reproducible problem. We tried with three different Active Directory networks and workstations. It has all of the features of a software bug.
    Any help would be appreciated.
    Cheers!
    Expected Results:
    Error -43: file not found
    Actual Results:
    The workaround seems to be to use the full path to the servers instead of the mapped mount point (i.e. //server/z/... instead of Z:/...).
    Regression:
    All versions of quicktime 7 in combination with windows 7 client and more than one smb share point mapped in a letter.
    Notes:
    All software that uses quicktime movie exports showed this error.

    Not sure what file you are referencing? Thanks for your suggestion, however, it's not relevant.
    It renders fine if you render to either the UNC path or the first mapped drive.
    i.e. If you have two mapped drives G: and H:
    they both point to \\fileserver\share1\folder
    If you render to H: it will fail, if you render to G: it works!  Same path, same user, same permissions.
    The only difference is H comes after G, so it fails... BUG.  If it was to do with anything else, underscores, permissions etc, it would fail on both.

  • What do I need to do to enable Active Directory users to authenticate to AFP shares in 10.8 server?

    We recently upgraded from 10.6 server to 10.8 server and are having trouble with AFP shares and Active Directory.  We have shares on each of our OS X servers that should be mountable by any Active Directory user at the site the server resides.  In 10.6, this worked beautifully.  Simply adding the appropriate AD groups with appropriate permissions to the ACL of the folder(s) being shared worked without a hitch.  In 10.8 server, this is not working.  Permissions are defined correctly (as far as I can tell), the server is bound to AD, but yet no AD user who should have access can mount the share.  When attempting to mount the share on a 10.6 client, the user gets the short and simple "You entered an invalid username or password.  Please try again."  On a 10.7 client, the window shakes. 
    What confuses me even more is that no local users can mount the share either. When I try as our admin account, I receive the following error message on our 10.6 clients:
    Actually, as I was formulating this post, logging in as the server administrator account is now working...???!!!
    This was the error message we were receiving on 10.7 clients before it magically started working:
    In any case, authenticating as an AD user is still no go.  Any ideas?

    I had something similar to this. In the name field put in DOMAIN\username rather than just the name.

  • Unable to access ebooks any longer with adobe digital edition

    Unable to access ebooks any longer with Adobe Digital Editions. Instead I keep getting the error message ''unable to access ebooks any longer with adobe digital edition''.

    Not seen that message before, but two standard suggestions that may help.
    1) ~~~~~
    Sometimes ADE gets its registration/activation confused and in a semi-authorized state.
    Uninstalling and reinstalling does not help.
    Unfortunately, it often then gives misleading error messages about what is wrong.
    A common incorrect message informs you that the ID is already in use on another computer and cannot be reused.
    This can often be resolved by completely removing any authorization using ctrl-shift-D to the Library screen on ADE (cmd-shift-D if on Mac).
    Restart ADE, and then reauthorize with your (old) Adobe ID.
    In extreme cases on the mac, the following extra step has helped some people.  Navigate to /Users//Library/Application Support/Adobe/Digital Editions and drag the activation.dat file to the trash. If you are using 10.7, see Access hidden user library files | Mac OS 10.7 Lion. http://forums.adobe.com/thread/1265248?tstart=0
    2) ~~~~~~~~~
    There are lots of bugs in ADE2.0 (and 2.0.1).  Try replacing ADE2.0 with the older but more reliable v1.7.2.
    (You can have them both installed at once if you like.)
    Version 1.7.2 is a little difficult to find; it is available on the Adobe site for Windows and for Mac.
    http://helpx.adobe.com/digital-editions/kb/cant-install-digital-editions.html
    The forum software is sometimes corrupting the link above.  There shouldn't be a blank in 'editio ns.html'.  The following redirects to the same page: http://tinyurl.com/diged172
    Some people have found ADE trying to upgrade automatically. 
    It appears (not 100% sure) that if you install ADE2.0 as a new install (not as an upgrade) that your 1.7.2 will continue to run.
    Probably best to say no if 2.0.x installation asks if you want to migrate your library.
