Windows 7 beta can't authenticate to Tiger Server PDC

Similar Messages

• How can I share a Tiger server's User database to a Panther server?

  I need some help to set this up. Keep in mind I do not have a DNS server.
  I have a Tiger server with Xserve and an older Panther server, both on the same local network. I have a whole bunch of users setup on the Tiger server. The Panther server does not have any users setup on it. I do not want to have to type in all the users all over again in the Panther server. What I'd like to be able to do is somehow share and syncronize the user database on the Tiger server with the Panther server.
  I looked into the Open Directory settings but I do not understand what to do. How do I configure the Tiger and Panther servers respectively so the Panther server can sync with the Tiger server's users database. Is this possible? It seems like it with Open Directory, one being the Open Directory Master and the other being the Open Directory Replica? But I just don't understand how to set this up. Also the Panther OD settings seem quite different than Tiger's in Open Directory.
  Any help would be appreciated.
  Message was edited by: robocub1

  Hi
  It may be best to set up your 10.4 Server as an Open Directory Master first and then use Directory Access on your 10.3 Server to connect to the Tiger Server so as it can use the same User Database. This should be possible. OD Master/Replica relationships are not possible if the OS versions are different, even if the Master was 10.4.11 and the Replica was 10.4.10. You have no chance when its 10.4 and 10.3.
  http://images.apple.com/server/macosx/docs/OpenDirectory_Adminv10.5.pdf
  The link is for 10.5 but the basics are the same. This is a recent post that describes how to set up an OD Master:
  http://discussions.apple.com/thread.jspa?threadID=1377046&tstart=0
  I'm guessing that your 10.4 Server is Standalone and is serving simple file services only (AFP and possibly SMB/Windows). If this is the case (and I can't see how it can't be) then your users will be in the local NetInfo node. This will be the default node that is presented to you in WorkGroup Manager. You always get a warning that your are working in an invisible node (if you have not disabled this) when working in the Server's local node. Don't worry there is nothing wrong with the warning. WorkGroup Manager on Panther (10.3) Server works the same way.
  You could if you wanted to simply export the Users and Groups from WGM in 10.4 and import them into WGM on 10.3. This should save you having to key them all in again. If the prospect of configuring internal DNS Services and all that goes with it seems to much for you then this is probably the simplest option. How do you do this? Launch WGM (its the same for both versions), select the Server Menu and select Export after first selecting desired users. Do the same for Groups. Use the same procedure in reverse. The Users and Groups files are not very big and can easily be transferred using a memory stick etc.
  There are differences between the two versions which are mostly to do with Server Admin. In 10.4 Server there are more services. One of the Services will be Open Directory. In 10.4 Open Directory will only show a green light by the side of the service if it is in any role other than Standalone. Server Admin on 10.3 Server will always show the green light by the side of the Open Directory Service. This does not mean that it is an OD Master, you have to click on Settings and inspect the Role to see what it actually is.
  You should be able to connect to a 10.3 Server with 10.4's Admin tools but don't be tempted to use Server Admin to configure/change anything on the 10.3 Server. You should not be able to go the other way 10.3 > 10.4 using the same tools.
  Internal DNS Services are a requirement for LDAP Services (and pretty much everything else) on Servers generally, although for simple file services not absolutely necessary. Internal DNS Services do not have to be configured on the Server itself just as long as they are configured on another server, for example, on the same network. If these are the only two servers on the network then you will have to configure DNS Services on either one or both of them depending on what you want.
  Not available on your 10.3 Server but is on your 10.4 Server are Access Control Lists (ACLs). This is a permissions model that is in addition to the standard POSIX permissions. Think carefully about how you provide permissions to your network clients if there is a mix of client OS, 10.3, 10.4 etc.
  Hope this helps, Tony

• IChat & iCal can't authenticate to Lion Server 10.7.2

  I've enabled iChat and iCal Server through our local 10.7.2 Server which has DNS set up correctly. I can add the server account via a client's System Preferences (under other - Mac OS X server) and it authenticates with my shortname correctly.
  However, when I load iCal or iChat, I get this error message:
  iChat can't login to servername.ourdomain.co.nz because your login ID or password is incorrect.
  Where the account is [email protected]
  The password and username is correct.
  Console throws this error:
  >22/11/11 3:03:31.135 PM imagent: [Warning] XMPPConnection: Error: Error Domain=XMPPErrorDomain Code=105 "The operation couldn�t be completed. (XMPPErrorDomain error 105.)" UserInfo=0x7f81bbe2a3e0 {XMPPErrorText=service requested for unknown domain}
  DNS is set up correctly and we are using a FQDN to connect (it's working for Profile Management, Software Update Server and Web Services) but I can't get iChat or iCal to work correctly.
  How can I get clients to authenticate?
  I have also asked this question on Serverfault, here: http://serverfault.com/questions/333468/ichat-and-ical-cant-authenticate-to-lion -server-10-7-2

  Where are you adding these users? You should be adding them on the Lion SERVER, in the server app, under Accounts -> Users. I presume you are running open directory?
  I am adding them on the Lion Server, under Accounts -> Users. 
  The usernames have no domain in them. So, example name might be steve. When you are adding a new user on the lion server through serverapp, the user name shown in the box that says "Account Name" is what goes in the user name fields in iCal and address book. Those are added by adding a new account within iCal or Address Book app on the client.
  I'm only using the short name to add the accounts on the Lion client. However, both iCal and iChat require a FQDN as part of the login - they amend @servername.domain.co.nz as part of the account. This is normal behavior for both iChat and iCal on Lion Server.
  "I can add the server account via a client's System Preferences (under other - Mac OS X server)". Where!? I don't see any other - Mac OS X server on any client. I assume Mac clients? Are you doing Lion server network accounts? Local accounts?
  Anyway, the name that is the user name is the short name. There is no domain part. So, not sure why you have a domain part to the name. The domain gores in the server address in address book or iCal.
  You're correct - you only add the shortname in the client's system preferences, but iChat and iCal add the FQDN part to the login.
  Here is what the dialogue box that I am talking about on the client:

• Can I install OSX Tiger server version on my G4 Powerbook?

  Hi everyone...
  I cannot find the disk(s) for my Powerbook G4 (1.67GHz PPC)... so I've resorted to purchasing them. I found (on ebay) a set of disks being described as such: "Apple Mac OS X Server 10.4 Tiger M9769Z/A (PPC)"
  My obvious question is... will this work on my PB G4?
  I'm attempting to clear out the laptop and give it away but would like to re-install the OS for the new owner (a neighbor's teen getting started in music with Garageband)...
  Any quick advice?  Thx...

  You may be able to call AppleCare directly to ask an OS X specialist about the availability of Replacement DVD system discs for Tiger 10.4, and Leopard 10.5, with white labels, for supported PowerPC macs; these were available and cost about $20. each DVD. These may not be available still, and knowledge of their exact availability may also be limited; if not plain unavailable (again.) They'd need the PB's serial number & method of payment, if they have the discs available I'd get both 10.4 & 10.5. And look online for iLife '05 or other.
  If an OS X Tiger Server 10.4.x is older than a retail version which may have shipped with a computer when new, it may not work in that computer. You could try the installer, to see if it would, but it could be rejected, or fail part way into the process. So, in those instances, a retail OS X install DVD of later version is the path to installation, if you can't get the grey original install-restore disc set the computer shipped with. They have part numbers.
  The server edition is a bit different than retail Tiger 10.4; you can see some versions of Server 10.4 Tiger as listed in the downloadable freely available MacTracker.ca database that works offline...
  {from  http://mactracker.ca downloaded database OS X Server 10.4 Tiger}
  Note the above list ALSO shows PowerPC and Universal for Intel-based Mac.
  +System discs that shipped with a Mac, be it PPC or Intel, do not interchange.
  The company welovemacs seems to have a similar Server version Tiger 10.4 with like product number and it does not say it can't work on specific PowerPC Macs (there is an Intel version, won't work in PPC) so for comparison here is there link: http://www.welovemacs.com/m9769za.html
  Server versions of OS X can run in machines the standard one can, with a few exceptions in hardware; or in situations where the OS X version is older than the computer, so compatibility with hardware is lacking. In some cases, the installer may work OK, but would need additional Software Update to fully work, so the Combo update 10.4.11 may help.
  There are some applications that may be missing from a retail or server edition of Tiger (or Leopard, etc) that would have been included in the computer's original as-shipped system and backup restore/install DVDs. The iLife applications would be on a separate retail disc set, a later iLife version than shipped with Tiger in a computer may be used in Tiger; to a limit. There (or was) a Support article on vintage iLife versions and OS X system they were supported in. Some bookmarks fail and links have changed, content moved or removed.
  Several PowerBook 1.67GHz models exist, some shipped with Tiger 10.4.2 variants on their own DVDs so the Tiger Server would likely need to be later than 10.4.3 to work. But it would be worth a try, if you have it. Could be it may install (or not) but if it does, it may run in SafeBoot, and accept update to 10.4.11 Combo. Or you may be looking for a different installation DVD.
  There may be a way around this, if you have a second Mac that can use the Tiger Server, and use it to install into the PowerBook, in Target Disk Mode, and see if it can accept the Combo update, then boot up. Not sure if this idea would even work. Been awhile and my target disk and firewire experiences are rusty!
  Not sure if this helps...
  Good luck

• Windows and Phanter can't connect to Tiger

  Hi all, i've got:
  Windows XP Service pack 2
  Mac mini G4 1,2ghz under Tiger 10.4.6
  Mac G4 AGP 400mhz under Phanter 10.3.9
  The thing is that when i try to connect from the windows or phanther machine it sais that the current file or direction isn't there anymore, or something like that. The thing is that i can't copy or paste any file to the tiger mac. What can i do to fix that??.
  Ohh, the other thing is that the mac mini has the printer connected to the USB port and i want to share the printer for the PC (with the g4 works fine), and the same problem happens. Please help
  Greeting to everyone
  G4 AGP 400mhz, Mac Mini   Mac OS X (10.4.6)   DVD-RAM USB2, 512 RAM

  You don't need to change around the PC's workgroup. If you are running Windows file sharing, you need to let the PC be the boss. It is running its native protocol, so you shouldn't have to mess with the PC. The Macs run Samba, which has always been flaky, those those are the ones you need to work on.
  You need to check all these machines and make sure they are using the same workgroup.
  Then, share a folder on the PC. Make sure both the Macs can connect to the PC and access its shared files. At this point, you have verified that all the machines can talk to each other.
  Now, turn off file sharing on the PC and turn on Windows file sharing on the Mac. Both the other Mac and the PC should be able to access it. If they can't, check your firewall settings. If you still can't get it to work, post another message here and, now that you have narrowed down the problem quite a bit, someone might know how to fix it.

• Windows XP SP3 can't authenticate in 802.1x

  Hi all,
  I'm trying to get working a fresh install with 802.1x in it. I have a serious issue with Windows XP SP3 not authenticating at all... I can see (with a Wireshark) EAPoL Start messages going out from the host, but nothing happens after. The switch is pretending that it has a timeout on dot1x exchanges. We don't have any issue with Windows 7 at all !!!!
  I'm giving you details about the setup :
  Switches : Cisco switching architecture (IOS IP Services K9 12.2(55)SE)
  Authentication Server : Cisco Secure ACS 4.2
  Directories : Microsoft Active Directory and OpenLDAP for the directories
  PKI : External (opensource)
  Clients : Windows XP SP3 and a very few Windows 7
  EAP Method for the moment : PEAP MSCHAPv2
  Concerning switches, typical config is the following (only necessary things appear) :
  swi-test-802.1x#sh run
  Building configuration...
  Current configuration : 6481 bytes
  aaa new-model
  aaa group server radius ACS
  server X.X.X.X auth-port 1645 acct-port 1646
  deadtime 60
  aaa authentication login ACS_RADIUS group ACS local
  aaa authentication dot1x default group ACS local
  aaa authorization exec ACS_RADIUS group ACS local
  aaa authorization network default group ACS
  aaa accounting dot1x default start-stop group ACS
  aaa accounting exec ACS_RADIUS start-stop group ACS
  aaa accounting network ACS_RADIUS start-stop group ACS
  aaa session-id common
  ip device tracking
  dot1x system-auth-control
  interface FastEthernet0/X
  description Typical FlexAuth port 802.1x
  switchport mode access
  switchport voice vlan 160
  ip access-group Acl_Default_Acl in
  authentication event fail action next-method
  authentication event server dead action authorize vlan 99
  authentication event no-response action authorize vlan 99
  authentication host-mode multi-domain
  authentication order mab dot1x
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication timer inactivity server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  ip access-list extended Acl_Default_Acl
  permit ip any any
  radius-server host X.X.X.X auth-port 1645 acct-port 1646 key XXX
  radius-server vsa send accounting
  radius-server vsa send authentication
  end
  If I'm using Windows 7, no problem...
  I've tried to modify different registry keys concerning authMode, SupplicantMode (twice applicable but only right until XP SP2), BlockTime for reauth, following everytime Microsoft recommandations and the different published kb...
  I've tried with GPO for a global change or modifying XML template of the interface, but nothing changes...
  I'm giving you the debugs (radius authentication and dot1x events) :
  swi-test-802.1x#
  swi-test-802.1x#
  *Mar  1 01:19:25.727: dot1x-ev(Fa0/1): Interface state changed to UP
  *Mar  1 01:19:25.735: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
  *Mar  1 01:19:26.230: dot1x-ev(Fa0/1): Interface state changed to DOWN
  *Mar  1 01:19:26.230: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on FastEthernet0/1
  *Mar  1 01:19:28.327: dot1x-ev(Fa0/1): Interface state changed to UP
  *Mar  1 01:19:28.336: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
  *Mar  1 01:19:28.697: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
  *Mar  1 01:19:29.510: %AUTHMGR-5-START: Starting 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
  *Mar  1 01:19:29.510: RADIUS/ENCODE(0000000B):Orig. component type = DOT1X
  *Mar  1 01:19:29.510: RADIUS(0000000B): Config NAS IP: 0.0.0.0
  *Mar  1 01:19:29.510: RADIUS/ENCODE(0000000B): acct_session_id: 11
  *Mar  1 01:19:29.510: RADIUS(0000000B): sending
  *Mar  1 01:19:29.510: RADIUS/ENCODE: Best Local IP-Address 10.248.2.21 for Radius-Server 10.248.64.20
  *Mar  1 01:19:29.510: RADIUS(0000000B): Send Access-Request to 10.248.64.20:1645 id 1645/19, len 206
  *Mar  1 01:19:29.510: RADIUS:  authenticator 3C AE B6 01 13 26 4E 77 - 94 33 B1 40 B7 A6 06 F8
  *Mar  1 01:19:29.510: RADIUS:  User-Name           [1]   14  "60eb699a0e0f"
  *Mar  1 01:19:29.510: RADIUS:  User-Password       [2]   18  *
  *Mar  1 01:19:29.510: RADIUS:  Service-Type        [6]   6   Call Check                [10]
  *Mar  1 01:19:29.510: RADIUS:  Framed-MTU          [12]  6   1500                     
  *Mar  1 01:19:29.510: RADIUS:  Called-Station-Id   [30]  19  "00-1A-6D-FE-AA-83"
  *Mar  1 01:19:29.510: RADIUS:  Calling-Station-Id  [31]  19  "60-EB-69-9A-0E-0F"
  *Mar  1 01:19:29.510: RADIUS:  Message-Authenticato[80]  18 
  *Mar  1 01:19:29.510: RADIUS:   2F C3 4E 65 14 AF D3 8E B9 E5 29 C3 28 13 C6 B8             [ /Ne)(]
  *Mar  1 01:19:29.510: RADIUS:  EAP-Key-Name        [102] 2   *
  *Mar  1 01:19:29.510: RADIUS:  Vendor, Cisco       [26]  49 
  *Mar  1 01:19:29.510: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AF80215000000030048C250"
  *Mar  1 01:19:29.510: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
  *Mar  1 01:19:29.510: RADIUS:  NAS-Port            [5]   6   50001                    
  *Mar  1 01:19:29.510: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/1"
  *Mar  1 01:19:29.510: RADIUS:  NAS-IP-Address      [4]   6   10.248.2.21              
  *Mar  1 01:19:29.519: RADIUS(0000000B): Started 5 sec timeout
  *Mar  1 01:19:29.527: RADIUS: Received from id 1645/19 10.248.64.20:1645, Access-Reject, len 50
  *Mar  1 01:19:29.527: RADIUS:  authenticator B0 3B E5 8F 22 D1 C1 66 - F6 8F 1A 7E 88 49 AA BB
  *Mar  1 01:19:29.527: RADIUS:  Reply-Message       [18]  12 
  *Mar  1 01:19:29.527: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [ Rejected]
  *Mar  1 01:19:29.527: RADIUS:  Message-Authenticato[80]  18 
  *Mar  1 01:19:29.527: RADIUS:   91 5F 64 12 73 8E 76 0C 31 DD 2B B7 2E EC 6E BA          [ _dsv1+.n]
  *Mar  1 01:19:29.527: RADIUS(0000000B): Received from id 1645/19
  *Mar  1 01:19:29.527: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
  *Mar  1 01:19:29.527: %MAB-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
  *Mar  1 01:19:29.527: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
  *Mar  1 01:19:29.527: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
  *Mar  1 01:19:29.527: dot1x-ev(Fa0/1): Couldn't find the supplicant in the list
  *Mar  1 01:19:29.527: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x9E000002 (60eb.699a.0e0f)
  *Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Created a client entry (0x9E000002)
  *Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Dot1x authentication started for 0x9E000002 (60eb.699a.0e0f)
  *Mar  1 01:19:29.535: %AUTHMGR-5-START: Starting 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
  *Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
  *Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Role determination not required
  *Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Sending out EAPOL packet
  *Mar  1 01:19:30.290: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
  *Mar  1 01:19:39.828: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
  *Mar  1 01:19:39.828: dot1x-ev(Fa0/1): Role determination not required
  *Mar  1 01:19:39.828: dot1x-ev(Fa0/1): Sending out EAPOL packet
  *Mar  1 01:19:50.113: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
  *Mar  1 01:19:50.113: dot1x-ev(Fa0/1): Role determination not required
  *Mar  1 01:19:50.113: dot1x-ev(Fa0/1): Sending out EAPOL packet
  *Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Received an EAP Timeout
  *Mar  1 01:20:00.414: %DOT1X-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID
  *Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for 60eb.699a.0e0f
  *Mar  1 01:20:00.414: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
  *Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Received Authz fail for the client  0x9E000002 (60eb.699a.0e0f)
  *Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Deleting client 0x9E000002 (60eb.699a.0e0f)
  *Mar  1 01:20:00.414: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
  *Mar  1 01:20:00.414: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
  *Mar  1 01:20:00.414: %AUTHMGR-5-VLANASSIGN: VLAN 99 assigned to Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
  *Mar  1 01:20:00.422: dot1x-ev:Delete auth client (0x9E000002) message
  *Mar  1 01:20:00.422: dot1x-ev:Auth client ctx destroyed
  *Mar  1 01:20:00.422: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
  *Mar  1 01:20:00.733: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
  *Mar  1 01:20:00.733: RADIUS/ENCODE(0000000B):Orig. component type = DOT1X
  *Mar  1 01:20:00.733: RADIUS(0000000B): Config NAS IP: 0.0.0.0
  *Mar  1 01:20:00.733: RADIUS/ENCODE: Best Local IP-Address 10.248.2.21 for Radius-Server 10.248.64.20
  *Mar  1 01:20:00.733: RADIUS(0000000B): Started 5 sec timeout
  *Mar  1 01:20:00.741: RADIUS: Received from id 1646/9 10.248.64.20:1646, Accounting-response, len 20
  swi-test-802.1x#
  swi-test-802.1x#
  If anyone has an idea. Another thiong to mention, hosts have a Trend OfficeScan solution for Host protection, but the same on Windows 7 and everything is OK.
  Thanks for your precious help.
  Pierre-Louis

  Hi Pierre-Louis,
  A couple of questions here:
  -We have a voice vlan defined for the port and multi-domain config.During your tests, do you have the PC connected behind an IP Phone?
  -Which authentication method do you want to go for PC/IP phone?
  -Whats the IP Phone model/vendor ?
  In the logs , we have an Access-Reject for the client MAB auth attempt and then failover to dot1x auth.However, I dont see a Phone MAC in the logs.
  On the switch debug, we see several EAPOL packets to client 60eb.699a.0e0f, which seems a Quanta computer based on the MAC vendor.
  However no EAPOL packets seen from client side.You did indicate seeing an EAPOL Start from the host PC on a sniffer trace.
  -Are you sniffing on the client adapter itself or the switchport to which client is connected?
  -If we have an IP phone inbetween, do you also see the EAPOL start packet from the client when sniffing on the switchport ?
  Windows XP ,SP3 has some changes as compared to earlier SP versions:
  http://support.microsoft.com/kb/949984
  The following output would help to further isolate on problem.You will need to ensure that we have timesync between sniffer traces and debug logs for correlation.
  On switch, save logging output of:
  debug radius
  debug dot1x all
  debug authentication all
  debug authentication feature mab_pm all
  debug authentication feature mda all
  debug authentication feature voice all
  Simultaneously you can capture sniffer trace by spanning switch port interface to  which Phone/PC is connected.Please don't use any filters during the sniffer capture.
  After above steps please do a shut/no shut for tested port interface and replicate the problem with Win XP SP3.
  Following the test, you can also obtain the output of "show auth sessions int
  HTH,
  Alex

• Windows 7 beta: can't make hdd icon disappear while in OSX

  When using OSX now, on the desktop there is now the hdd icon that includes all the windows 7 files. When I go to finder prefs and uncheck Show hard disks the hdd icon containing the windows 7 files still remains. In order to remove the icon I have to uncheck the finder Pref Show CDs,DVDs and iPods. Don't really want to do that since those things won't appear on the desktop when connected. Any ideas why the hdd icon is being recognized by OSX as a CD, DVD or ipod in the finder prefes?
  lenn

  Hi lenn,
  easiest way to not show the Windows Icon while in OSX is to boot into Windows and use the Explorer to rename your Windows partition (the c:) to something starting with a . (point).
  That usually prevents the Windows Icon to be shown on your OSX.
  Regards
  Stefan

• Can I partition my hard drive to hold Windows 8 (Beta), instead of Windows 7, and can I do this with an external CD drive?

  I have a late 2008 Macbook Pro with Mac OS X 10.8 Mountain Lion installed, but my CD drive inside my computer is damaged*, and it's far cheaper to buy an external CD drive than to repair it entirely. Before I do either, I would like some grasp of whether or not it's worth my time and money, as I've yet to order the external drive or make a genius bar appointment.
  Also, the reason I'm choosing Windows 8 (Beta) is because it's free.
  *I dropped my computer once two years ago. I haven't even used my CD drive until recently when trying to install Windows 8. I assume the drop was the issue. I've used compressed air to remove dirt/dust as well as resetting the PRAM multiple times and nothing seems to work, but I'm not worried about it.
  Thank you.

  Can I partition my hard drive to hold Windows 8 (Beta), instead of Windows 7, and can I do this with an external CD drive?
  No and No.
  1: Apple only supports Windows 7 at this time in BootCamp (direct install into a bootable partition) because Win 8 is in Beta and no Mac hardware drivers are available yet from Apple for Windows 8.
  2: You can't install Windows from a external cd drive into BootCamp, it has to be a internal one far as I know, perhaps a USB will work I don't know.
  Yes:
  1: You can download and install Windows 8 Beta into a the free virtual machine software called VirtualBox, which Windows 8 will run in a window in OS X. This is better as it's still in Beta and Windows Beta releases will expire. Plus Windows 8 is a pain in the behind and you will want to be able to have VirtualBox or OS X be able to regain control over the computer.
  http://osxdaily.com/2012/03/03/try-windows-8-consumer-preview-virtualbox/
  Windows in BootCamp or Virtual Machine?

• Mac os x wiki server can't authenticate user password from active directory recently after we upgraded to windows 2008 server.

  after upgraded to windows 2008 server, our  mac os x wiki server can't authenticate user password anymore. How can I re-bind the wiki server to the AD again? thanks in advance.

  Solved it by deleting the user and creating a new one with the same userID.
  Maybe it occured because I marked the "user has to change password after first login" box when resetting the password but didn't yet allow him to do so in the webpages menu?!?

• User can't authenticate...auth-failed/windows workstation not allowed

  Keep on running into an odd problem. I have some users logging in via soft vpn connection. Yesterday, they were able to log in without a problem. Today they are getting 01/31/2007 08:09:21
  Authen failed
  Windows workstation not allowed .. ..
  Why can they authenticate 1 day and then be denied. This happened last week as well. The server adminstrator seemed to think it was a user setup issue and gave them another user account. Now as you can see above, the same thing has happened. I don't get it. Any help would be appreciated.

  For ACS to perform Windows authentications we need to specifiy a workstation name.
  In AD , the user should have access to all computers.
  OR
  A computer account named CISCO should exist.
  All users that Windows will authenticate have permission to log in to the computer named CISCO.
  ACS shows this error message only when the user tries to login from a work station he has no permission to log on.
  If you are using ACS 4.1 this link will be useul.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_installation_guide_chapter09186a008070a63c.html#wp1041202

• Can't Authenticate - but I'm the admin!

  I have a problem. I can't authenticate anything that needs an admin password. Take software update for instance. It says 'Type an administrator's name and password to make changes to Software Update.' So I enter my name and my password and it denies it! Here is the context 1) I am the only OSX user (obviously there are other users, mysql, wheel, etc) 2) I am marked as Admin in the 'Accounts' panel.
  Here's the clincher: this happened to me yesterday as well. I didn't try to find a suitable answer and I enabled the root user with NetInfo. Then I entered the user 'root' and the root password into my 'Authenticate' window and life was good. I disable the root user and went back to normal life.
  But today, I cant do that. Why? Because I have to Authenticate even to enable the root user! My admin longname and shortname both do not work. (Yes, I am sure it is the right password. No, my capslock is not on...)
  Any suggestions? I can program perl, so I am not afraid of the command-line if that is what I need to do. (I can still sudo stuff!)
  -Nate
  Powerbook G3   Mac OS X (10.4.3)  

  My answer was found in Oreilly's 'Mac OSX Tiger for UNIX Geeks'.
  Somehow I had removed myself from the admin group.
  Here's what I had to do:
  sudo dscl . merge /groups/admin users myusername
  I tried flushing the lookupd cache, but that didnt work, I had to restart for it to take effect.

• Client Upgraded from Tiger to Leopard Can No Longer Connect to Tiger Server

  I just finished upgrading a G5 2GHz DP Powermac from Tiger to Leopard. This was an Archive and Install upgrade with importing the old settings. After verifying the account migration, including .Mac connectivity, and fixing all 3rd party software compatibilities/upgrades, I tried to connect to our Tiger 4.11 server by clicking on the server's Icon in the Shared section of the Finder Sidebar. The finder then switches to browse the the server for shares: "Connecting..." is displayed under the tool bar, with a "Share Screen..." and "Connect As..." buttons to the right.
  At this point the "Connecting..." remains displayed with the spinning circle in the bottom right of the Finder window.... spinning. This situation continues for several minutes until is seems the system gives up.
  If I click on the Path button on the Tool Bar, and go up to the Shared level, ALL the Shares on the Network are displayed, including all the Tiger Client machine shares. I can click on the triangle beside the Tiger Client's icon, and all the drives and home directories on the Mac are listed. All the client shares can be accessed without any issues. NOTE: There are no other Leopard clients on the LAN.
  Prior to the Leopard upgrade, this client could connect to the Tiger server as well. All the other clients on the LAN can access the Tiger server also.
  On the Leopard client I have tried clicking and the "Connect As..." button and using the menu "Connect to Server" and specifying the server's IP, and I get the same "Connecting..." message with a "non-connecting" result.
  I can only assume that somehow the Account Name and password are not being passed correctly. But, using "Connect As..." should resolve that. However, "Connect As..." does not give me a user/password window!
  If I check the AFP Access log on the Server, the only messages displayed are "Mounted Volume..." No messages in the error log, and no messages in the "Connections" section.
  Can anyone help me figure out why the Leopard client can not connect to the Tiger Server?
  My apologies if the description of my problem is a bit disjointed. I have been thrown into server admin and am learning "Trial by Fire".
  Any help or suggestions on how to resolve this issue will be greatly appreciated.
  Thanks
  Gary
  Message was edited by: Gary Sumlak

  OK. A quick update.
  After waiting for about 10 minutes for the rotating circle in the bottom right corner to stop, I was able to click on the "Connect As..." button. It took another 10 minutes, but the Connect As window eventual popped up. I entered the Userid and Password (saving to Keychain) and was able to see all the sharepoints on the the server. I browsed all the connected drives and folders without issue.
  I then disconnected from the server. Reviewing the AFP logs on the server shows messages for the connection Login and Logout.
  I then tried to reconnect to the server, and again another 10 minutes wait, although this time the Leopard client eventually connected automatically with the proper User, as per the AFP logs confirms.
  Although, the client can now connect to the server, for it to take 10 minutes will be unacceptable to management, not to mention the end user. Tiger clients can connect in a couple seconds!
  Is there a way to reduce the Leopard login time to, say, a couple seconds, like it does with the Tiger clients?
  Again, any help or suggestions would be greatly appreciated.
  Thanks
  Gary

• Windows VPN clients can't use network servers after 10.5.1 upgrade

  We have two Xserves, both formerly running 10.4.11. One is the OD master, the other a replica. The replica is also the VPN server, and is a DHCP server for the small number of IP addresses reserved for VPN clients.
  The OD master upgrade went fine. I completely reinstalled the OD replica, set the replica up again, and set up the VPN server. It supports L2TP/IPsec connections only.
  After the upgrade, Mac users running Tiger or Leopard can connect to the VPN server and connect to network services without any problems. Windows users can connect, but cannot actually USE anything on my office network. For example, if you try to connect to a web server either by fully qualified domain name or by hostname, the connection from the browser simply times out.
  In the Windows command line I can verify that I have an active connection by pinging and using the tracert command (equivalent of traceroute on UNIX). Hostname resolution works, too. But nothing happens when you try to open a web browser, which is mostly what my users need to do.
  It doesn't matter whether you're logging in with an OD user account or a local account defined solely on the VPN server. Same behavior in Windows.
  I had to take an older XServe running 10.4.11 out of our data center, move it to the office, and set it up on the same external network connection. 10.4.11 server works, 10.5.1 doesn't, from the same Windows client, set up exactly the same way.
  I've been through the hoops with Apple Enterprise support, who now tell me that Engineering kicked it back to them and told them they'd charge me $695 to get it fixed, because it's ostensibly custom configuration work. If that's true, why is Windows XP listed under L2TP/IPSec support on page 127 of the Leopard Network Services Admin guide? I don't want a custom fix, I just want it to work the way it's supposed to work. Or I want Apple to retract the claim that OS X Server is the best workgroup server solution for Macs and Windows.
  Anyone else encounter this problem or know of a fix?

  Had the same problems, started after i tried out the firewall in Leopard server.
  Seems that not all settings are reset even after turning the firewall off.
  To reset the firewall to its default setting:
  1 Disconnect the server from the Internet.
  2 Restart the server in single-user mode by holding down the Command-s keys during
  startup.
  3 Remove or rename the address groups file found at /etc/ipfilter/
  ipaddressgroups.plist.
  4 Remove or rename the ipfw configuration file found at /etc/ipfilter/ipfw.conf.
  5 Force-flush the firewall rules by entering the following in Terminal:
  $ ipfw -f flush
  6 Edit the /etc/hostconfig file and set IPFILTER=-YES-.
  7 Complete the startup sequence in the login window by entering exit:
  The computer starts up with the default firewall rules and firewall enabled. Use Server
  Admin to refine the firewall configuration.
  8 Log in to your server’s local administrator account to confirm that the firewall is
  restored to its default configuration.
  9 Reconnect your host to the Internet.
  This solved the problem for me...

• Can't Authenticate in LDAP directory after upgrade from 10.4.11 to 10.5.1

  Hi, all
  Yesterday I have tried to upgrade my Xserve Intel from 10.4.11 Tiger to 10.5.1 Leopard Server
  In my server there is this service:
  -AFP
  -DNS
  -SMB
  -Open Directory Master
  - XSAN Primary MDC
  All works fine but when I try to acces with worgroup manager to LDAP directory I can't authenticate with "diradmin" this thing appen in local machine and with remote worgroup manager connected to the server.
  I have tried with "root" user and I have been able to authenticate for some time, (5-15 min.) after It's impossible to access with all user.
  The client still authenticate with user and password in all computer with 10.5.1 and 10.4.11 workstation, but now i wan't to add some new users and I can't do That!!!!!
  So for now I have restore my old 10.4.11 Server Tiger, but I wish to know if someone have tried new 10.5.2 server upgrade and maybe there is some kind of fix to this problem.
  Thank's In Advance

  After posting on numerous message boards, and no one having an exact answer, but several making plenty of great suggestions, I think I've finally figured out the cause of this issue or at least part of the cause.
  Within 'Server Admin', select "Open Directory",
  under: Settings > Policy > Binding
  there are six check boxes under "Security"... for testing kerberos, I have been checking the first four boxes, which are:
  1. disable clear text passwords
  2. digitally sign all packets (requires Kerberos)
  3. encrypt all packets (requires ssl or kerberos)
  4. block man-in-the-middle attackes (requires kerberos)
  through troubleshooting this myself, and doing each change, followed by a server reboot, then immediately attempting to authenticate to /LDAPv3/127.0.0.1/, it seems that enabling some, or some combination of these Security settings triggers WordGroup Manager to not accept the diradmin password.
  referring to the numbers above (1 through 4)...
  2 or 4 by themselves fails
  1 and 3 together fails
  I haven't gone beyond that for testing and don't know what other combinations works or fails.
  I don't know if there is something beyond this that is specific to my configuration or environment that plays a part in this failing. All I know is that turning off all Security checkboxes in this section fixes the problem.
  I wonder if anyone who has never seen this problem can try this on their 10.5.2 Server and see if they are still able to authenticate as their diradmin to WGM. Regardless, seems that this is a WGM bug to me, right?
  if you are having this problem, uncheck all of these boxes and then reboot before trying to authenticate.

• I received a psd file created in CS6 for MAC, I am unable to find the layers when I open it in photoshop in Windows. What can i do to edit the files?

  I received a psd file created in CS6 for MAC, I am unable to find the layers when I open it in photoshop in Windows. What can i do to edit the files? What can be done so that I can either open and see the layers or how can the sender save it in a way that it doesn't "merge" the layers in some way to just one?

  Could try saving as tiff provided layers and transparency are chosen at the time of saving. But it's hard to give a definitive answer as it depends on the final usage. For example PSD's tend to work better in applications like In Design in comparison with tiff.