VPN and admin permissions
Hi
I've a VPN server with Mac OSX Server 10.6. We can connect to the VPN (PPTP). But we can connect if we are admins. If we are not, we can't connect.
How can I enable the VPN for non-admin users?
Thanks in advance
I've found the solution. In Server Admin - Access you can define who can access any service like VPN.
Thanks
Similar Messages
-
Configuring Admin Util to allow me to use VPN AND surf the rest of the net
I am having a problem when I connect to my work network via VPN. When I do, I can no longer connect to the rest of the Internet. I was able to do this until I started using an Express (so it has been allowed by my work network).
Here's my setup: Express is connected via Ethernet to my Verizon Fios modem. When I connect my computer directly to the Verizon modem all works fine. I have been advised that what's happening is that my Airport Express is creating a behind-the-device network that has the same exact IP address space as your office's network (when I'm connected to it via VPN).
To fix this I've been told to "Go into the Airport administration app, click on the "Internet" icon at the top of the configuration pane for your AE, then click on the "DHCP" tab, and look at what the "DHCP Range" pull-down menu is currently set to. After writing this down (in case you need to go back to it), change to one of the other options -- e.g., if it's currently set to "10.0.", change to "192.168." or "172.16". That should be enough to move you completely out of the space that your VPN is using. Save the changes, let your AE reboot, and try using the VPN and the internet at the same time again."
The problem is that the advisor is using Airport Admin Util version 5.x and I am using version 4.2. The screen he suggests is not where his is in his version. Could someone advise me of how I can do this via 4.2?
Reset your iPad and see if that fixes this.
Reset the iPad by holding down on the sleep and home buttons at the same time for about 10-15 seconds until the Apple Logo appears - ignore the red slider if it appears on the screen - let go of the buttons. Let the iPad start up. -
IPsec VPN and NAT don't work together on HP MSR 20 20
Hi People,
I'm getting several issues, let me explain:
I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and I can reach the network thru the VPN IPsec. The issue is that the network 192.168.100.0 /24 needs to reach the internet with the same public address, so I have set a basic NAT configuration. When I put the NAT configuration on Eth 0/0 all of network 192.168.100.0 can go to the internet, but the VPN goes down; when I remove the NAT from Eth 0/0 the VPN goes up, but the network 192.168.100.0 can't go to the internet.
I'm missing something but I don't know what it is!!!! See below the configuration.
Can anyone help me with that? I need to send the traffic with target 10.10.10.0 thru the VPN, and all other traffic to the internet. Basically I need NAT and VPN to work fine at the same time.
Note: I just have only One public Ip address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1
ewaller wrote:
What is under the switches tab?
Oh -- By the way, that picture is over the size limit defined in the forum rules in terms of pixels, but the file size is okay. I'll let it slide. Watch the bumping as well.
If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original) back here, and you are golden.
I had a bear of a time getting the microphone working on my HP DV4, but it does work. I'll look at the set up when I get home tonight [USA-PDT].
Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
So here is what it is under the switches tab -
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses.
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same, in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.
Hi,
Ok so we're going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
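An added model (not code from either thread or from HP/Cisco) of why the HP MSR tunnel drops as soon as "nat outbound 2001" is applied, and why Jouni's ASA answer has the encryption-domain ACL name the translated 10.23.1.0/24 network: on both platforms an outbound packet is offered to the NAT rules first, and the crypto ACL is then matched against the translated packet. The rule sets, the helper names (hp_case, asa1_case, static_subnet), the ASA1 outside address 203.0.113.1 and the Internet host 198.51.100.7 are constructed for the example; the LAN, peer and global addresses are the threads' own.

```python
"""Outbound NAT-then-IPsec ordering, modelled for the HP MSR and ASA threads.

Assumption modelled here (true for Comware MSR and ASA): NAT is applied before
the IPsec policy / crypto map is matched, so an over-broad NAT rule rewrites the
source address before the tunnel can claim the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Net = Tuple[str, str]  # (network, mask) exactly as written in the ACL


def _i(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def matches(ip: str, net: Net, wildcard: bool) -> bool:
    """Comware/IOS ACLs write wildcard (inverse) masks, ASA ACLs write subnet
    masks; both reduce to a single masked compare."""
    m = _i(net[1])
    if wildcard:
        m ^= 0xFFFFFFFF
    return (_i(ip) & m) == (_i(net[0]) & m)


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: Net
    dst: Net


ANY_WC: Net = ("0.0.0.0", "255.255.255.255")  # wildcard-mask "any"
ANY_SM: Net = ("0.0.0.0", "0.0.0.0")          # subnet-mask "any"


def first_match(rules: List[Rule], src: str, dst: str, wildcard: bool) -> Optional[str]:
    """Action of the first matching rule; None when nothing matched, which for a
    NAT or crypto ACL simply means "this packet is not selected"."""
    for r in rules:
        if matches(src, r.src, wildcard) and matches(dst, r.dst, wildcard):
            return r.action
    return None


def to_address(global_ip: str) -> Callable[[str], str]:
    """NAT to one global address (HP 'nat address-group', ASA 'global ... interface')."""
    return lambda _src: global_ip


def static_subnet(real: Net, mapped_net: str) -> Callable[[str], str]:
    """ASA 'static (inside,outside) <mapped> access-list ...' for a whole subnet:
    swap the network part, keep the host bits, so 192.168.1.5 becomes 10.23.1.5."""
    m = _i(real[1])

    def xlate(src: str) -> str:
        return str(ipaddress.IPv4Address((_i(mapped_net) & m) | (_i(src) & (~m & 0xFFFFFFFF))))
    return xlate


NatEntry = Tuple[List[Rule], Callable[[str], str]]  # (selector ACL, translation)


def outbound(src: str, dst: str, nat: List[NatEntry], crypto: List[Rule], wildcard: bool):
    """Return (source on the wire, translated?, encrypted?) for one outbound packet."""
    translated = False
    for acl, xlate in nat:
        if first_match(acl, src, dst, wildcard) == "permit":
            src, translated = xlate(src), True
            break  # the first NAT entry that claims the packet wins
    encrypted = first_match(crypto, src, dst, wildcard) == "permit"
    return src, translated, encrypted


# --- HP MSR thread: acl 2001 drives NAT, acl 3000 selects the tunnel traffic ---
LAN: Net = ("192.168.100.0", "0.0.0.255")
PEER: Net = ("10.10.10.0", "0.0.0.255")
CRYPTO_HP = [Rule("permit", LAN, PEER)]                                   # acl 3000
NAT_AS_POSTED = [Rule("permit", LAN, ANY_WC), Rule("deny", ANY_WC, ANY_WC)]  # acl 2001
# Fix: exclude tunnel-bound traffic from NAT before the permit. Matching on a
# destination needs an advanced ACL (3000-3999) on Comware, not basic acl 2001.
NAT_FIXED = [Rule("deny", LAN, PEER)] + NAT_AS_POSTED


def hp_case(dst: str, nat_acl: List[Rule]):
    return outbound("192.168.100.10", dst, [(nat_acl, to_address("186.177.159.93"))], CRYPTO_HP, True)


# --- ASA thread: policy NAT 192.168.1.0/24 -> 10.23.1.0/24 only towards 10.1.0.0/16 ---
REAL: Net = ("192.168.1.0", "255.255.255.0")
HQ: Net = ("10.1.0.0", "255.255.0.0")
POLICYNAT = [Rule("permit", REAL, HQ)]                       # access-list L2LVPN-POLICYNAT
PAT = [Rule("permit", ANY_SM, ANY_SM)]                       # nat (inside) 1 0.0.0.0 0.0.0.0
CRYPTO_ASA1 = [Rule("permit", ("10.23.1.0", "255.255.255.0"), HQ)]  # domain names the NAT'd net


def asa1_case(dst: str):
    # 203.0.113.1 stands in for ASA1's outside interface (constructed placeholder).
    nat = [(POLICYNAT, static_subnet(REAL, "10.23.1.0")), (PAT, to_address("203.0.113.1"))]
    return outbound("192.168.1.5", dst, nat, CRYPTO_ASA1, False)


if __name__ == "__main__":
    print("HP as posted :", hp_case("10.10.10.5", NAT_AS_POSTED))  # NAT'd, so never encrypted
    print("HP fixed     :", hp_case("10.10.10.5", NAT_FIXED))      # untouched and encrypted
    print("HP internet  :", hp_case("198.51.100.7", NAT_FIXED))    # NAT'd, not encrypted
    print("ASA1 to HQ   :", asa1_case("10.1.0.1"))                 # 10.23.1.5, encrypted
    print("ASA1 internet:", asa1_case("198.51.100.7"))             # PAT'd, not encrypted
```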
Clientless SSL VPN and ActiveX question
Hey All,
First post for me here, so be gentle. I'll try to be as detailed as possible.
With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports. However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center. I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup. Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective. My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server). I am unable to browse (via bookmark) to the internal address of the remote web server. Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal. I am testing this external connectivity using a cell card to be able to simulate outside access. Is accessing the external IP address by design, or do I have something hosed?
Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions. I am not able to use controls that require my company's ActiveX controls (video, primarily). I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through. The stream only runs at about 5 fps, so it's not an intense stream.
I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail. I do see a decent number of "no translates" from a show nat:
match ip inside any outside any
NAT exempt
translate_hits = 8915, untranslate_hits = 6574
access-list nonat extended permit ip any any log notifications
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list outside_in extended permit icmp any any log notifications
access-list outside_in extended permit tcp any any log notifications
pager lines 24
logging enable
logging asdm informational
logging ftp-server 192.168.16.34 / syslog *****
mtu inside 1500
mtu outside 1500
ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.16.32 255.255.255.224
nat (inside) 1 192.168.17.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
192.168.2.0 is my corp network range
192.168.2.171 is my internal IP for corp ASA5510
97.x.x.x is the external interface for my corp ASA5510
192.168.16.34 is the internal interface for the remote ASA5505
64.x.x.x is the external interface for the remote ASA5505
192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out. Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% properly to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505. I'm sure that the issue is probably going to be a mix of ACLs between the 5510 and the 5505.
I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN. Am I going about this the right way? Anyone have any suggestions, or do I have my config royally hosed?
Thanks much for any and all ideas!
Hey All, I appreciate all of the views on this post. I would appreciate any input - even if you think it might be far-fetched. I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself. Thanks, in advance!!
-
"screen shot can't be saved" and other permissions issues
After having my iMac at the Apple Store for four days solving a problem with "quit unexpectedly" issues with all Apple built-in Apps on OS X Yosemite, I got the machine back with those problems solved. It involved re-installing OS X and restore files from backup. I thought all was well; the Genius Bar dude showed me that it's fixed. He said it took so long because of bizarre permissions issues he'd never seen before.
Now that I've lugged this 40lb machine back home (after verifying the fixes in the store) I now find that several (other) functions don't work. When I try to do a screenshot, I get this message:"Your screen shot can't be saved. You don't have permission to save this file in the location where screen shots are stored." Message could have been more helpful; the "location" is the desktop. Pretty descriptive, though. Seems I can't save anything to the desktop.
I tried creating a folder on the desktop. Got this message: "Finder wants to make changes. Type your password to allow this". Type password and new folder appears. Drag the new folder to the trash, get same message.
I tried copying a file from a network drive to the desktop. I get this dialog: "Modifying Desktop requires an administrator name and password." I clicked "authenticate" and after a 3 minute delay (with "Preparing..") I get this dialog: "Finder wants to make changes. Type your password to allow this". I type the password and the file appeared on the desktop. Before the work at the Apple Store, this never happened. BTW I have only one user account and it's marked "Allow user to administer this computer". Thinking something might be goofy with the pw, I changed it (took 3 minutes to do, oddly) and rebooted. No joy. Same thing happens when I try to drag something from the desktop to the trash. Long time "moving" message followed by having to provide an admin pw.
I tried to save a Safari attachment to the Downloads folder and got this message: "Safari could not download the file xxxxx because there is not enough free disk space". Since I have more than 600GB of available space, I think the message is wrong and that it's really a permission issue with the Downloads folder.
Tried to reset the password again. Click to unlock the Users & Groups panel, get "System Preferences is trying to unlock Users & Groups preferences. Type your password to allow this".
All this tells me that somehow Yosemite is in "nag" mode (reminiscent of Windows Vista).
Any ideas?
Chaz
Back up all data before proceeding.
This procedure will unlock all your user files (not system files) and reset their ownership, permissions, and access controls to the default. If you've intentionally set special values for those attributes on any of your files, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it, but you do need to follow the instructions below.
Step 1
If you have more than one user, and the one in question is not an administrator, then go to Step 2.
Triple-click anywhere in the following line on this page to select it:
sudo find ~ $TMPDIR.. -exec chflags -h nouchg,nouappnd,noschg,nosappnd {} + -exec chown -h $UID {} + -exec chmod +rw {} + -exec chmod -h -N {} + -type d -exec chmod -h +x {} + 2>&-
Copy the selected text to the Clipboard by pressing the key combination command-C.
Launch the built-in Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting.
You'll be prompted for your login password, which won't be displayed when you type it. Type carefully and then press return. You may get a one-time warning to be careful. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
The command may take several minutes to run, depending on how many files you have. Wait for a new line ending in a dollar sign ($) to appear, then quit Terminal.
Step 2 (optional)
Take this step only if you have trouble with Step 1, if you prefer not to take it, or if it doesn't solve the problem.
Start up in Recovery mode. When the OS X Utilities screen appears, select
Utilities ▹ Terminal
from the menu bar. A Terminal window will open. In that window, type this:
res
Press the tab key. The partial command you typed will automatically be completed to this:
resetpassword
Press return. A Reset Password window will open. You’re not going to reset a password.
Select your startup volume ("Macintosh HD," unless you gave it a different name) if not already selected.
Select your username from the menu labeled Select the user account if not already selected.
Under Reset Home Directory Permissions and ACLs, click the Reset button.
Select
▹ Restart
from the menu bar. -
I set up a VPN on my OS X Lion server; however, it seems there is a problem with the file permissions. I set the permission to Read and Write, however when connected through the VPN I open a document, edit and save, it saves as a "read only" document and locks the file. In Filemaker Pro if I create a document when connected through the VPN and save it on my server, no one connected to the network can open it. Any ideas?
Thanks
any help please?
I read that it may be firmware 7.5.2 and downgrading to 7.4.2 resolves it. Well, that would work if I had 7.4.2, but it's not available under the firmware update. -
Lion server VPN + Server Admin Tools 10.7
Hi,
I followed this guide http://macminicolo.net/lionservervpn to try to set up VPN on my lion mac mini server.
I also used Server Admin Tools 10.7 as instructed in the guide.
After completing the steps in the guide, I cannot get VPN to work, plus I have extra problems as below:
my mini cannot connect to the Internet or local network shares. I found under "Network" settings there was an extra VLAN created by the system automatically showing as "System Test--Connection error". After I delete this extra connection and revert my Ethernet to its original settings I can connect to the Internet again.
Server Admin Tools 10.7 seems to retain all its settings from the guide on NAT, Firewall etc., no matter if I had removed the current server and created a new server in the left pane. Is there any way I can restore the Server Admin Tools to its programme defaults? I suspect these settings are affecting my networks and I cannot get rid of them completely.
Would VPN still work if I just set it up in the Server app? I haven't been able to get it to work this way. I also want to find out: is your guide for using the VPN to connect to the Internet off the server as a way to bypass restrictions? Do I have to set it up this way as in the guide if I just want to set up a VPN for simple filesharing?
What did this command in the guide do to my mini? I was hoping if I cannot get VPN to work, then I should at least reverse the effects of this command. How do I undo this command please? "sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.2.1"
Thanks BrianFL. This helps hugely. Yes, I just want to set up a simple filesharing VPN, not the kind of VPN that bypasses Internet censorship. I use an ethernet connection directly from my router, yes.
1. I just need to use the server app to set up a VPN and port forwarding. That is it?
2. The settings I have made according to the guide with Server Admin Tools seem to never go away, even after I deleted the server that has all the settings inside Server Admin Tools. Upon creating a new server inside Server Admin Tools, the new server inherits all the settings from the one I just deleted. Any idea how I can restore Server Admin Tools's default settings?
3. Even VNC (I use RealVNC) on the mini stopped working after I made changes according to the guide and deleted all the changes I can find. What is the address format for Lion's built-in VNC (192.168.0.100:5800?) like? I forgot how it is.
Thanks so much! -
System Admin and Admin Problem...
Can anyone tell me the difference between system admin and admin?
It seems like system admin is messing up my file permissions, and it seems like system admin has more control than the admin (me)...
I had this experience today: every time I create a folder, the permissions go under "system"; I was not able to have any folder action nor create a new folder under it.
I searched the forum for solutions and I think I've fixed it and it works fine now, but the permission is still not under my account name; it goes under "root" (system Admin).
Does anyone have a solution for this?
And how can I delete the system admin account?
Thanks,
Arnold
I input dscacheutil -q user in terminal, and I got this:
Would it help to solve my problem? :P I'm wondering if anyone has the same problem too?
-
Make mobile account with admin permissions without administrator INFO...
How do you bypass the admin permissions with mobile account? How do you make mobile account unlock things? You do you do the secret and rare system administrator login screen, where it says up on the top System Administrator, where nothing would be there? How to force your computer to go to single user mode, not command s or apple s, because that doesn't work for me? How do enable isight -camera without no admin password, no terminal? Is there extension for mac so that it will run and unlock things or open programs without administrator permissions? I need something that will UNLOCK MY macbook, please help. Where can I download password reset.APP for free that comes in the mac os x leopard disc? Thanks for the help...
Why don't you just use your OS X install disc? It has a password reset utility on it.
-
User and role permissions getting reset on managed server
Hi..
I am not sure whether this is really a clustering problem. I have a clustered server
with one admin server and one managed server. I have deployed some of my own
applications along with the Weblogic Integration application on the managed server.
I have some users and roles defined in the BPM studio to access and execute the
workflows.
But every time I restart the managed server, the user and role permissions are
reset and the workflows are not executed. I get the following error.
####<May 13, 2003 10:01:22 AM BST> <Error> <BPM> <hwdusa08> <managed1_eai2d2A>
<ExecuteThread: '44' for queue: 'default'> <kernel identity> <11
1:21ad542a0d3cc527> <000000> <<wlpirequest>
<started>2003-05-13 10:01:22.230</started>
<requestor>wlisystem</requestor>
<templateid>1</templateid>
<template-name> WLI Logging Framework V2.0 Installation test</template-name>
<templatedefinitionid>1</templatedefinitionid>
<instanceid>2001</instanceid>
<actions>
<error time="2003-05-13 10:01:22.427">WorkflowException: The server was unable
to complete your request.
The WebLogic Integration role "logging" is not mapped to a WebLogic
Server security group.</error>
</actions>
<completed>2003-05-13 10:01:22.428</completed>
</wlpirequest>
>
And the only remedy I need to do here is to delete the role and recreate it with
specific permissions every time the managed server is bounced. The same thing
also happens for the created user, where the user loses all the permissions.
Can anyone please help me on this issue?
Thanks in advance
Mandar
are you using filerealm?
This seems like a security related question - can you please post this
question to the security newsgroup; you may get a faster answer there.
sree
"Mandar Gandhe" <[email protected]> wrote in message
news:[email protected]...
>
> Hi..
>
> I am not sure whether this is really a clustering problem. I have a clustered
> server with one admin server and one managed server. I have deployed some of
> my own applications along with the Weblogic Integration application on the
> managed server. I have some users and roles defined in the BPM studio to
> access and execute the workflows.
>
> But every time I restart the managed server, the user and role permissions
> are reset and the workflows are not executed. I get the following error.
>
> ------
> ####<May 13, 2003 10:01:22 AM BST> <Error> <BPM> <hwdusa08>
<managed1_eai2d2A>
> <ExecuteThread: '44' for queue: 'default'> <kernel identity> <11
> 1:21ad542a0d3cc527> <000000> <<wlpirequest>
> <started>2003-05-13 10:01:22.230</started>
> <requestor>wlisystem</requestor>
> <templateid>1</templateid>
> <template-name> WLI Logging Framework V2.0 Installation
test</template-name>
> <templatedefinitionid>1</templatedefinitionid>
> <instanceid>2001</instanceid>
> <actions>
> <error time="2003-05-13 10:01:22.427">WorkflowException: The server
was unable
> to complete your request.
> The WebLogic Integration role "logging" is not mapped to a
WebLogic
> Server security group.</error>
> </actions>
> <completed>2003-05-13 10:01:22.428</completed>
> </wlpirequest>
> >
>
> ------
>
> And the only remedy I need to do here is to delete the role and recreate it
> with specific permissions every time the managed server is bounced. The same
> thing also happens for the created user, where the user loses all the
> permissions.
>
> Can anyone please help me on this issue?
>
> Thanks in advance
> Mandar
>
-
Mac OS X 10.5 destroyed my Admin permissions
Ok. I had originally installed Mac OS X 10.5 on my Macbook, but the hard drive got screwed due to an impact on the floor while running Windows XP. I decided to install 10.5 on my Mac Mini, and for some reason, my Admin permissions were destroyed. No Admin account is available, and it says my account (which is the only account on there) is a standard account. I tried to reset the password, but that failed. Can anyone help?
I wouldn't THINK it is private: it is in the User Tips forum, and it would seem rather counter-productive for that to be private. I hope no one, like Michael (whom I think the world of) gets mad at me, but here it is:
Re: I lost my admin user
Posted: Nov 1, 2007 12:31 PM
Revised to incorporate Niel's corrections:
I lost my admin user (OS X 10.5)
If you are unfortunate enough to delete your only admin user, or remove his admin capability, then as long as you have another user with login capability, you can give that user admin rights as shown below. You can then re-create the original user or reinstate the admin capability using the Accounts Pane in System Preferences.
Print this post out in a mono-spaced font, and type carefully, paying attention to spaces and punctuation, since you cannot copy/paste in Single User mode.
Caution: in single user mode you have root privileges. Be careful! Substitute the name of 'youruser' below.
Boot into single user mode (Command-S) at startup, which will eventually get you a shell prompt (ending in #). Then type the following:
fsck -fy
Repeat the above until it says your disk is OK. Then continue with
mount -uw /
dscl . -merge /groups/admin users youruser
If you get a message saying "invalid path", then type these two commands first:
dscl . -create /groups/admin gid 80
dscl . -create /groups/admin passwd '*'
and then repeat the "dscl ... -merge" command. Then:
reboot
You will now be able to log in as 'youruser' and have administrative privileges.
Membership of the 'admin' group is the only thing that distinguishes administrative users from ordinary users.
Michael Conniff -
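The user tip above ends on the point that matters for review: membership of the admin group is what makes an administrator, and the earlier dscl listing on this page (the `name:` / `uid:` / `shell:` records) is the other thing worth reading when an admin account has gone missing or an unexpected one has appeared. The script below is an added audit helper, not part of the user tip or of Apple's tooling. The sample records and the `svc_helper` account in them are constructed, modelled on the listing's format; the functions take the captured dscl text as an argument, so the same checks run on output saved from a real machine.

```shell
#!/bin/sh
# Added audit helper (not from the thread): parses user records in the
# "key: value" / "-" separated format shown on this page and reports the
# things an admin review cares about: extra uid 0 accounts, accounts with a
# login shell, and who is in the admin group.

# Constructed sample in the format of the thread's user listing (assumption:
# records separated by a line containing only "-").
SAMPLE_USERS='name: _www
password: *
uid: 70
gid: 70
dir: /Library/WebServer
shell: /usr/bin/false
gecos: World Wide Web Server
-
name: chowmein
password: ******
uid: 501
gid: 501
dir: /Users/chowmein
shell: /bin/bash
gecos: Arnold Chow
-
name: root
password: ******
uid: 0
gid: 0
dir: /var/root
shell: /bin/sh
gecos: System Administrator
-
name: svc_helper
password: ******
uid: 0
gid: 0
dir: /Users/svc_helper
shell: /bin/bash
gecos: constructed second uid 0 account for the example'

# Constructed sample of the admin group record (assumption: the format of
# `dscl . -read /Groups/admin GroupMembership`).
SAMPLE_ADMIN='GroupMembership: root chowmein'

# Reduce the record text in $1 to one "name uid shell" line per account.
user_records() {
    printf '%s\n' "$1" | awk '
        /^-$/      { if (name != "") print name, uid, shell; name=""; uid=""; shell=""; next }
        /^name: /  { name  = substr($0, 7) }
        /^uid: /   { uid   = substr($0, 6) }
        /^shell: / { shell = substr($0, 8) }
        END        { if (name != "") print name, uid, shell }'
}

# Accounts with uid 0 other than root: every hit needs an explanation.
extra_uid0() {
    user_records "$1" | awk '$2 == "0" && $1 != "root" { print $1 }'
}

# Accounts whose login shell is a real shell (ends in "sh"), as opposed to
# /usr/bin/false and similar service-account shells.
interactive_users() {
    user_records "$1" | awk '$3 ~ /sh$/ { print $1 }'
}

# Space-separated member list from a GroupMembership line.
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p'
}

# Exit status 0 if user $2 appears in the GroupMembership line $1.
is_admin() {
    for m in $(admin_members "$1"); do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# Human-readable summary; $1 = user records, $2 = admin group line.
audit_report() {
    echo "extra uid 0 accounts: $(extra_uid0 "$1" | tr '\n' ' ')"
    echo "accounts with a login shell: $(interactive_users "$1" | tr '\n' ' ')"
    echo "admin group members: $(admin_members "$2")"
    for u in $(interactive_users "$1"); do
        if is_admin "$2" "$u"; then echo "  $u: admin"; else echo "  $u: standard"; fi
    done
}

audit_report "$SAMPLE_USERS" "$SAMPLE_ADMIN"
```

On a live machine, save the output of the dscl commands to a file and pass its contents to `audit_report`; the attribute names dscl prints differ between OS X releases (the listing on this page uses the legacy `name`/`uid`/`shell` keys, later releases print `RecordName`/`UniqueID`/`UserShell`), so the awk patterns must be adjusted to match what your release emits.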
QTSS file and folder permissions
I am having a lot of problems getting QTSS and QTSS Publisher working correctly. I think this may be due to file and folder permissions. Does anyone know what the correct ownership and access settings should be for the folders containing my quicktime files?
Thanks.
Try setting the ownership and permissions of those files to the ones mentioned at the end of this page, which are: owner: qtss, group: admin, permissions for owner and group: Read & Write, and Read only for others.
(13414) -
Solved - How to take ownership and change permissions for blocked files and folders in Powershell
Hello,
I was trying to take ownership & fix permissions on Home Folder/My Documents structures, and I ran into the common problem in PowerShell where Set-Acl & Get-Acl return access denied errors. The error occurs because the Administrators have been removed from file permissions and do not have ownership of the files, folders/directories. (Assuming all other permissions like SeTakeOwnershipPrivilege have been enabled.)
I was not able to find any information about someone successfully using native PS to resolve the issue. As I was able to solve the issues surrounding Get-Acl & Set-Acl, I wanted to share the result for those still looking for an answer.
Question: How do you use only PowerShell to take ownership and reset permissions for files or folders you do not have permissions for or ownership of?
Problem:
The default function calls on the object fail for a folder on which the administrative account does not have permissions or file ownership. You get the following error for Get-Acl:
PS C:\> Get-Acl -path F:\testpath\locked
Get-Acl : Attempted to perform an unauthorized operation.
+ get-acl <<<< -path F:\testpath\locked
+ CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
If you create a new ACL and attempt to apply it using Set-Acl, you get:
PS C:\> Set-Acl -path F:\testpath\locked -AclObject $DirAcl
Set-Acl : Attempted to perform an unauthorized operation.
At line:1 char:8
+ Set-Acl <<<< -path "F:\testpath\locked" -AclObject $DirAcl
+ CategoryInfo : PermissionDenied: (F:\testpath\locked:String) [Set-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
Use of other functions like .GetAccessControl will result in a similar error: "Attempted to perform an unauthorized operation."
How do you replace the owner on all subcontainers and objects in PowerShell without resorting to external applications like takeown, icacls, the Windows Explorer GUI, etc.?
Tony
Hello,
Last, here is the script I used to reset permissions on the "My Documents" tree structure that admins did not have access to:
Example: Powershell script to parse a directory of User-owned "My Document" redirection folders and reset permissions.
#Script to Reset MyDocuments Folder permissions
$domainName = ([ADSI]'').name
Import-Module "PSCX" -ErrorAction Stop
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
#Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeSecurityPrivilege", $true) #Optional if you want to manage auditing (SACL) on the objects
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
$Directorypath = "F:\Userpath" #locked user folders exist under here
$LockedDirs = Get-ChildItem $Directorypath -force #get all of the locked directories.
Foreach ($Locked in $LockedDirs) {
    Write-Host "Resetting Permissions for $($Locked.FullName)"
    #######Take Ownership of the root directory
    $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
    $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    $Locked.SetAccessControl($blankdirAcl)
    ###################### Setup & apply correct folder permissions to the root user folder
    #Using recommendation from Ned Pyle's Ask Directory Services blog:
    #Automatic creation of user folders for home, roaming profile and redirected folders.
    $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [system.security.accesscontrol.PropagationFlags]"None"
    $fullrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
    $allowrights = [System.Security.AccessControl.AccessControlType]"Allow"
    $DirACL = New-Object System.Security.AccessControl.DirectorySecurity
    #Administrators: Full Control
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",$fullrights, $inherit, $propagation, "Allow")))
    #System: Full Control
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",$fullrights, $inherit, $propagation, "Allow")))
    #Creator Owner: Full Control
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER",$fullrights, $inherit, $propagation, "Allow")))
    #Useraccount: Full Control (ideally I would error check the existence of the user account in AD)
    #The folder name is the user name. $($Locked.Name) is required: "$Locked.name" would expand only $Locked and leave ".name" as literal text.
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$($Locked.Name)",$fullrights, $inherit, $propagation, "Allow")))
    #Remove Inheritance from the root user folder
    $DirACL.SetAccessRuleProtection($True, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
    #Set permissions on User Directory
    Set-Acl -aclObject $DirACL -path $Locked.FullName
    Write-Host "commencer" -NoNewLine
    ##############Restore admin access & then restore file/folder inheritance on all subitems
    #create a template ACL with inheritance re-enabled; this will be stamped on each subitem to re-establish the file structure with inherited ACLs only.
    $NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$($Locked.Name)") #ideally I would error check this.
    $subFileACL = New-Object System.Security.AccessControl.FileSecurity
    $subDirACL = New-Object System.Security.AccessControl.DirectorySecurity
    $subFileACL.SetOwner($NewOwner)
    $subDirACL.SetOwner($NewOwner)
    ######## Enable inheritance ($False) and not copy of parent ACLs ($False)
    $subFileACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
    $subDirACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
    #####loop through subitems
    $subdirs = Get-ChildItem -path $Locked.FullName -force -recurse #force is necessary to get hidden files/folders
    foreach ($subitem in $subdirs) {
        #take ownership to ensure ability to change permissions
        #Then set desired ACL
        if ($subitem.Attributes -match "Directory") {
            # New, blank Directory ACL with only Owner set
            $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
            $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
            #Use SetAccessControl to reset Owner; Set-Acl will not work.
            $subitem.SetAccessControl($blankdirAcl)
            #At this point, Administrators have the ability to change the directory permissions
            Set-Acl -aclObject $subDirACL -path $subitem.FullName -ErrorAction Stop
        } Else {
            # New, blank File ACL with only Owner set
            $blankfileAcl = New-Object System.Security.AccessControl.FileSecurity
            $blankfileAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
            #Use SetAccessControl to reset Owner; Set-Acl will not work.
            $subitem.SetAccessControl($blankfileAcl)
            #At this point, Administrators have the ability to change the file permissions
            Set-Acl -aclObject $subFileACL -path $subitem.FullName -ErrorAction Stop
        }
        Write-Host "." -NoNewline
    }
    Write-Host "fin."
}
Write-Host "Script Complete."
I hope you find this useful.
Thank you,
Tony
Final Thought: There are great non-PS tools like Set-Acl and takeown which are external to PS & can also do the job wonderfully. It may be much simpler to call those tools than recreate the wheel in pure code. Feel free to use whatever best suits your time, scope & cost.
-
Admin permissions won't let me save photoshop files
I moved my MacBook Pro to my son and made him administrator. That worked fine, but now something must have happened because he now can't save Photoshop files anymore as photoshop says he doesn't have permissions. He's running Snow Leopard as he has to use Canvas X, which won't run in Lion. Anyone have an idea what may be screwing up permissions? He did run Repair Permissions in Disk Utility. He is listed as the administrator in Accounts. He also made sure the file Get Info permissions allowed the Admin. He even changed the Get Info permissions to enable everyone.
He's just trying to save a tiff file from PhotoShop back over the original tiff on the Mac's internal hard drive.
He changed the permissions to allow everyone access on the original tiff that he had Opened in PhotoShop.
A little more history: He had an unrecoverable hard drive crash about 2 months ago. So we installed the backup drive that had a SuperDuper copy of the crashed drive that was about 3 weeks old (from the crashed drive's data).
This drive worked fine until this week when the clock reset to 2000. That's the same time the permissions problems started.
I had earlier made him the administrator, but now he had to login with my password and I was shown as the startup admin. Since I was the original owner and admin, I had placed all my applications in the top level Applications folder of the hard drive, not in my Home Applications folder; and now it appeared that he only had access to Applications in the Home folder as a User instead of Admin, thus explaining why he didn't have access to the applications he needed.
So he reset the PRAM to address the clock and other screwy things.
Now he is shown as the administrator in System Preferences>Accounts, but without the permissions of an administrator.