In Lion, Apple disabled older, less secure AFP authentication methods such as DHCAST128. This has caused problems with older NAS devices running AFP and some Novell servers.
Most manufacturers have released updates to resolve this problem, but there is also a way to re-enable the method from the command line.
Here are the instructions from Apple's KB:
Lion maintains a list of authentication methods that are not allowed. These are the older, less secure authentication methods. You may need to enable one or more of these methods to support legacy devices or protocols.
Open Terminal.
Execute the following commands:
sudo chmod o+w /Library/Preferences
sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_host_prefs_version -int 1
Make an AFP connection to another system so that the AFP Client preference file will be filled in with the default set of values. Note: You must connect as a registered user, not as a guest.
Execute the following command to see a list of the disabled User Authentication Methods (UAMs):
defaults read /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams
By default the disabled UAMs are "Cleartxt Passwrd", "MS2.0", "2-Way Randnum exchange", and "DHCAST128". Note: if you don't see a list, restart your computer and repeat step 3.
To enable one of these UAMs, remove it from the list of disabled UAMs. For example, this command enables DHCAST128 by removing it from the list of disabled authentication methods:
sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array "Cleartxt Passwrd" "MS2.0" "2-Way Randnum exchange"
After the desired changes have been made, restore the permissions on the Preferences folder with this command:
sudo chmod o-w /Library/Preferences
Additional Information
If you want to undo the changes described above, you can either delete the /Library/Preferences/com.apple.AppleShareClient file or use the following command to re-disable the default set of older UAMs:
sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array "Cleartxt Passwrd" "MS2.0" "2-Way Randnum exchange" "DHCAST128"
The full article can be found here: http://support.apple.com/kb/HT4700
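The Apple procedure above retypes the whole array by hand and leaves /Library/Preferences world-writable between two steps. The script below, added here as an example and not code from the post or from Apple's KB, wraps the same defaults commands: it parses the current afp_disabled_uams list, removes one named UAM (what the post does for DHCAST128), restores Apple's default set once the legacy device is gone, and opens the folder permission only around the write. It assumes the preference path, key and the four default UAM names quoted in the post, and that `defaults read` prints the array in the parenthesised form shown in the comments.

```shell
#!/bin/sh
# Added example (not from the original post or Apple's KB): manage Lion's
# afp_disabled_uams list from a script instead of retyping the array, and keep
# /Library/Preferences writable only for the moment of the write.
# Assumptions: path, key and default UAM names are as quoted in the post, and
# `defaults read` prints an array in the "( ... )" form shown below.
set -eu

PREFS=/Library/Preferences/com.apple.AppleShareClient
KEY=afp_disabled_uams
# Apple's default set of disabled (legacy) UAMs, one per line.
DEFAULT_DISABLED='Cleartxt Passwrd
MS2.0
2-Way Randnum exchange
DHCAST128'

# `defaults read` prints an array as:
#   (
#       "Cleartxt Passwrd",
#       "MS2.0",
#       DHCAST128
#   )
# Reduce that to one UAM name per line (whitespace, quotes, commas and the
# surrounding parentheses stripped). Empty input gives empty output.
parse_uam_array() {
    printf '%s\n' "$1" \
      | sed -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' \
      | grep -v -e '^($' -e '^)$' -e '^$' || true
}

# Print the newline-separated list $1 without the UAM named in $2.
without_uam() {
    printf '%s\n' "$1" | grep -v -x -F -e "$2" || true
}

# Print 1 if UAM $2 is in the newline-separated list $1, else 0.
uam_is_disabled() {
    printf '%s\n' "$1" | grep -q -x -F -e "$2" && echo 1 || echo 0
}

# Write the newline-separated list $1 back as the -array value. The folder is
# made writable only around the write; the trap restores it if we die early.
write_uam_list() {
    list=$1
    sudo chmod o+w /Library/Preferences
    trap 'sudo chmod o-w /Library/Preferences' EXIT
    set --
    while IFS= read -r uam; do
        if [ -n "$uam" ]; then set -- "$@" "$uam"; fi
    done <<EOF
$list
EOF
    sudo defaults write "$PREFS" "$KEY" -array "$@"
    sudo chmod o-w /Library/Preferences
    trap - EXIT
}

main() {
    case "$1" in
        audit)    # show which legacy UAMs the client currently refuses
            raw=$(defaults read "$PREFS" "$KEY" 2>/dev/null || true)
            if [ -z "$raw" ]; then
                echo "no $KEY yet: connect to an AFP server as a registered user first" >&2
                exit 1
            fi
            echo "Disabled UAMs:"; parse_uam_array "$raw"
            ;;
        enable)   # weaken: allow one legacy UAM (the post does this for DHCAST128)
            raw=$(defaults read "$PREFS" "$KEY")
            write_uam_list "$(without_uam "$(parse_uam_array "$raw")" "${2:?UAM name required}")"
            ;;
        restore)  # re-disable Apple's default set once the legacy device is gone
            write_uam_list "$DEFAULT_DISABLED"
            ;;
        *) echo "usage: $0 audit | enable <UAM> | restore" >&2; exit 2 ;;
    esac
}

# Only act when a subcommand is given, so loading the file changes nothing.
if [ $# -gt 0 ]; then main "$@"; fi
```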
Tuesday, December 27, 2011
Friday, December 23, 2011
Lion clients unable to connect to Snow Leopard server
If you are attempting to connect from a bound Lion client to a bound Snow Leopard server you must use the FQDN for the server.
For example: myserver.test.network.com
If you do not, you may receive an error that says "The version of the server you are trying to connect to is not supported. Please contact your system administrator to resolve the problem."
Also check what authentication method you are using.
- Open Server Manager
- Highlight "AFP"
- Click on the "Access" tab
- Change "Authentication" to "Any Method"
Note: changing the authentication to Any Method can possibly break single-sign-on for Snow Leopard client. If this happens change the authentication to "Kerberos". Lion clients should still be able to access the server.
Labels:
"Snow Leopard",
10.6.8 Server,
10.7.2,
authentication,
Kerberos,
Lion
Sunday, December 18, 2011
Shaking login with console error: Could not get a user record for [username] from Directory Services
Symptom
After binding a Mac, AD account log-ins fail (shaking login). Console logs report the following:
SecurityAgent[735] Could not get user record for 'username' from Directory Services
SecurityAgent[735] User infor context values set for username
SecurityAgent[735] unknown-user (username) login attempt PASSED for auditing
SecurityAgent[735] Could not get the user record for 'username' from Directory Services
kinit [username] will generate a Kerberos ticket
id [username] will produce a list of LDAP info for the AD account
login [username] fails
Solution
If you see the Console log errors as described above it generally means that the computer is not able to create a mobile account at log-in. Try creating a mobile account from Terminal first:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
sudo createhomedir -c -u username
Log out and back in with the user's AD credentials.
Labels:
"OS X",
creating a mobile account,
Mac,
Mac Binding,
shaky login
Sunday, November 27, 2011
Shaking login: duplicate accounts
We had a user who couldn't log into any bound Mac but was able to log into Windows machines. After much swearing and consternation we found that there was already a user with the same login and pre-Windows 2000 name as our user in a different domain of our forest.
Macs search forest-wide for authentication information and the PCs only look in the current domain. Thus all user accounts must be unique everywhere within a forest or the duplicate user will be unable to log in. By changing the login and pre-Windows 2000 names of the user in our domain he was able to log in.
Mac-savvy readers might point out that there is a tick box in Directory Services that says "Allow authentication from any domain in the forest". One might think that un-ticking that would force the Macs to only look to the domain it is a member of for authentication information, but this is incorrect. In practice we have found that this tick-box does nothing at all and Apple admits that it is of little use.
Keep in mind that when you bind a Mac and then look in the Search Policy it displays "Active Directory/All Domains". Therefore it will look in all available AD domains in the forest for authentication information.
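Because a bound Mac looks in every domain of the forest, the uniqueness check has to be forest-wide too, and the global catalog (port 3268) is the one directory that holds every domain's user objects. The script below is an added example, not from the post: it queries the GC for a sAMAccountName, counts the entries that come back and reports which domains collide. It assumes OpenLDAP's ldapsearch is installed, that GC_HOST, LDAPBIND_DN and LDAPBIND_PWFILE (names chosen here, not on the page) describe a read-only bind, and that the GC accepts an empty base DN for a forest-wide search.

```shell
#!/bin/sh
# Added example (not from the original post): confirm an account name is
# unique across the whole forest, the condition a bound Mac effectively needs.
# Assumptions (none of these names are on the page): OpenLDAP's ldapsearch is
# installed, GC_HOST names a global catalog, LDAPBIND_DN/LDAPBIND_PWFILE give
# a read-only bind, and the GC accepts an empty base DN for a forest-wide search.
set -eu

# Escape the RFC 4515 filter metacharacters in $1 so an account name taken
# from user input cannot change the meaning of the search filter.
ldap_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Count the entries (lines starting with "dn:") in the LDIF text $1.
count_ldif_entries() {
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# For each dn in LDIF text $1 print only its DC= components, i.e. the domain
# holding the entry, so a duplicate shows which domains collide.
ldif_entry_domains() {
    printf '%s\n' "$1" | sed -n 's/^dn:[[:space:]]*//p' | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^DC=/) out = (out == "" ? $i : out "," $i)
        print out
    }'
}

# Verdict for sAMAccountName $1 given the LDIF $2 returned by the GC.
uniqueness_verdict() {
    n=$(count_ldif_entries "$2")
    if [ "$n" -le 1 ]; then
        echo "OK: '$1' occurs $n time(s) in the forest"
    else
        echo "DUPLICATE: '$1' occurs $n times, in:"
        ldif_entry_domains "$2"
    fi
}

# Live lookup: ask the global catalog for every user with this sAMAccountName.
# The bind password comes from a file (-y) so it never appears in `ps`.
gc_lookup() {
    ldapsearch -LLL -x -H "ldap://${GC_HOST:?}:3268" \
        -D "${LDAPBIND_DN:?}" -y "${LDAPBIND_PWFILE:?}" \
        -b "" -s sub "(&(objectClass=user)(sAMAccountName=$(ldap_escape "$1")))" dn
}

if [ $# -gt 0 ]; then
    uniqueness_verdict "$1" "$(gc_lookup "$1")"
fi
```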
Friday, October 21, 2011
iOS5: The iPhone ... Could not be synced because the sync session failed to start
iOS5 continues to be a problem. One of the main complaints is an error encountered when attempting to sync an iPhone or iPod to iTunes:
"The iPhone [device name] Could not be synced because the sync session failed to start"
Several work-arounds have been suggested, including simply restarting the iOS device. One procedure that seems to work well is to remove the device backups from iTunes. Before you do this, make sure you back up your backups folder: ~/Library/Application Support/MobileSync/Backup/
- Connect your device and open iTunes
- Go to Preferences/Devices
- Delete all backups
- Click "OK"
- Restart iTunes and attempt another sync
Apple's iOS troubleshooting page has some good tips: http://support.apple.com/kb/ts2529
Thursday, October 20, 2011
"You are unable to log in to the user account [account name] at this time.
Problem: an AD bound Mac shakes off login attempts and returns a message that says:
"You are unable to log in to the user account [account name] at this time. Logging in to the account failed because an error occurred."
There are two things to try:
First, update the Automounter master map as outlined in this Apple KB article:
http://support.apple.com/kb/TS3346
Secondly, if the user has a home folder path specified in their AD profile (Profile tab), remove it.
Friday, September 30, 2011
How OS X uses login names to generate Kerberos tickets
AD users have two valid names that can be used for authentication: the login name and the "pre-Windows 2000", or "short" name.
OSX recognizes both of these as valid; however, in order to have a Kerberos ticket granted the user must log in with the short (pre-Windows 2000) name. Login attempts using the long name or domain\username will not be granted a Kerberos ticket.
Shaking Log-on in OS X: The Ongoing Saga
Yet more things to check if a bound Mac refuses to allow authentication by an AD user:
Open the user's AD profile in Active Directory Users and Computers (ADUC) and click on the "Accounts" tab. Check that both the log-on name and pre-Windows 2000 name are the same, that both are unique on your network and that the user is entering the name exactly as it appears in the profile.
Sunday, September 18, 2011
Changing the Machine Password Interval on a Mac and Windows
Sometimes when a user cannot log in to their computer (shaking login) the problem is with the machine password and not the user account password. By default Windows machines reset their machine password every 30 days but Macs do so every 14. If a computer is on the network but cannot connect to a DC at its password change interval, it can subsequently prevent the user from logging in and/or changing their password from the computer.
To change the machine password interval on a Mac you must first unbind the computer and then follow these steps:
http://support.apple.com/kb/HT3422
Setting the passinterval to "0" is the recommended fix.
Keep in mind that having a computer never reset its password poses a potential security risk because the security channel between the computer and the DC will never be reset. This means that if someone discovers the machine password they could perform pass-through authentication directly to a DC.
Here is a good article describing the entire machine password change process:
http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx
And here is Microsoft's KB on the process for PCs:
http://support.microsoft.com/kb/154501
Labels:
Apple,
computer passwords,
login,
login problems,
Machine Passwords,
OSX,
Windows
Tuesday, September 6, 2011
Snow Leopard: Allowing standard users to add printers
In Snow Leopard standard users are not allowed to modify the print queues. Apple has a work-around in this KB article: http://support.apple.com/kb/HT3511
Run this command:
dseditgroup -o edit -n /Local/Default -u admin -p -a student -t user lpadmin
Where "admin" is the short name for the local admin account and "student" is the name of the user.
Monday, September 5, 2011
How to configure a hidden account that has ARD access and also must request control from the user
I was asked to create a hidden account that had remote control access through ARD but that also had to request permission from the user before being allowed access to the computer.
Running the following in ARD/Unix using the root account will create a hidden standard account called "hidden", set the password to "Hidden123", turn on "request permissions to observe/control" and add the account to the Remote Management "allowed users" list:
dscl . -create /Users/hidden
dscl . -create /Users/hidden UserShell /bin/bash
dscl . -create /Users/hidden RealName "hidden"
dscl . -create /Users/hidden UniqueID 499
dscl . -create /Users/hidden PrimaryGroupID 1000
dscl . -create /Users/hidden NFSHomeDirectory /Local/Users/hidden
dscl . -passwd /Users/hidden Hidden123
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users hidden -privs -none -clientopts -setreqperm -reqperm yes
A "UniqueID" lower than 500 will create a hidden account.
To remove the account (run as root through ARD):
dscl . -delete /Users/hidden
This works for Leopard and Snow Leopard.
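The same UniqueID rule cuts both ways: any local account below 500 is invisible in the login window and in Accounts, whether an admin created it deliberately as above or not. The script below is an added example, not from the post; it lists every hidden account that is not a stock system account and, on a live Mac, shows its shell, home folder and Remote Management privileges. It assumes root, daemon, nobody and the "_"-prefixed service accounts are the stock ones, and that kickstart records ARD privileges in the user's naprivs attribute.

```shell
#!/bin/sh
# Added example (not from the original post): the audit counterpart of the
# hidden-account recipe. Every UniqueID below 500 hides an account from the
# login window, so list those accounts and confirm each is either a stock
# system account or one that was created on purpose and is documented.
# Assumptions: root, daemon, nobody and "_" service accounts are stock; the
# naprivs attribute is where kickstart records Remote Management privileges.
set -eu

# Input: the "name uid" lines printed by `dscl . -list /Users UniqueID`.
# Output: one "name uid" line per hidden account that is not a stock one.
hidden_local_accounts() {
    printf '%s\n' "$1" | awk '
        NF == 2 && $2 ~ /^-?[0-9]+$/ && $2 < 500 && $1 !~ /^_/ &&
        $1 != "root" && $1 != "daemon" && $1 != "nobody" { print $1, $2 }'
}

# Live audit: for each suspect show real name, shell, home and ARD privileges
# (a missing naprivs simply means the account is not in the ARD allowed list).
audit_hidden_accounts() {
    hidden_local_accounts "$(dscl . -list /Users UniqueID)" | while read -r name uid; do
        echo "== $name (UniqueID $uid)"
        dscl . -read "/Users/$name" RealName UserShell NFSHomeDirectory naprivs 2>&1
    done
}

# Only touch the live directory when explicitly asked.
if [ "${1:-}" = "--run" ]; then audit_hidden_accounts; fi
```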
Labels:
account configuration,
Apple Remote Desktop,
ARD,
DSCL,
OS X,
Snow Leopard,
Terminal
Thursday, August 18, 2011
Cannot exit Snow Leopard Screen Saver with AD credentials
On bound Macs there is a problem where a computer that has been left on, with the screen saver active, for more than 10 hours has its Kerberos ticket expire. If this happens a user is unable to unlock the screen saver using their AD credentials.
Here is the KB article from Apple on how to fix this problem:
http://support.apple.com/kb/TS3287
Thursday, July 28, 2011
How to display the DHCP server in OS X
It has always frustrated me that I could never find a way to display the DHCP server on a Mac, something like ipconfig /all on a PC. I finally discovered a way:
ipconfig getpacket en0 (en1 if you are on wi-fi)
Look for the line that says "server identifier"; that is the IP of your DHCP server.
Saturday, July 23, 2011
scutil to change host names
Apparently "changeip" isn't the recommended way to change DNS names in Snow Leopard so we must use "scutil" instead.
Take a look at the man page, but mostly we will probably use it to change computer and host names:
sudo scutil --set ComputerName [new name]
sudo scutil --set HostName [new name]
--set pref [newval]
    Updates the specified preference with the new value. If the new value is not specified on the command line then it will be read from standard input.
    Supported preferences include:
        ComputerName
        LocalHostName
        HostName
    The --set option requires super-user access.
--dns
    Reports the current DNS configuration.
Friday, July 15, 2011
Mac Disk Showing 0Kb. Disk totally full for no reason.
Several users were reporting a problem where their disks were showing 0 space free. It turned out that Photoshop 5 was creating (and not deleting) massive log files. Deleting the log files reclaimed the missing space.
The log files are in:
/var/log/asl
Thursday, July 7, 2011
Windows 2008 server and ExtremeZIP: AFP Shares appearing as read-only to Mac users
After moving data from a Windows 2003 server to a Windows 2008 server via robocopy, Mac users were unable to write to some folders. The files and folders appeared to copy correctly, along with the permissions, and Windows users could access the folders without a problem.
The Windows 2008 server is running ExtremeZIP and the problem only occurs if the clients connect via AFP; SMB connections were fine. The problem affected both AD bound and unbound Macs.
FIX: it turned out that file permissions didn't fully copy (or perhaps robocopy doesn't have the flags that Windows 2008 Server requires). Folders that the Mac users could only see as read-only were missing a tick in "Delete subfolders and files and folders" in the Advanced folder settings.
Go to the security properties of the folder and click on the "Advanced" tab
Highlight the user/group that you want to check permissions on and click "Change Permissions"
Highlight the user/group again and click "Edit"
Make sure there is a tick in "Delete subfolders and files"
Make sure you propagate the permissions to all child objects.
Incorrect date/time in Outlook forward and reply messages
If your mail server is in a different time zone from your mail client, e-mail Replies and Forwards in Outlook display the time zone of the mail server, not the client.
To fix this open Outlook go to Preferences/Composing and under "Attribution of original message" set the "Custom attribution format" as it appears below:
Friday, June 17, 2011
Apple Server Admin Not Starting
Problem: OS X Server Admin will either not launch or after it has launched it will not allow connections.
Fix from Apple:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.servermgrd.plist
cd /var/servermgrd
Note: verify that you are in the right path, because the next command will delete everything in the current folder.
rm -rf *
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.servermgrd.plist
Server Manager should now launch and allow logins.
Labels:
OS X server,
Server Admin,
Server Manager,
servermgrd
Tomcat problems on a JSS
It is important that Apple's Tomcat does not conflict with Jamf's on your JSS. If both instances of Tomcat are trying to run at the same time you can experience an inability to access the JSS along with overall poor server performance.
To disable Apple's Tomcat follow these steps:
On your JSS, launch Server Admin
Click on "Web"
Click on the "Settings" icon
Click on the "General" tab
Remove the tick from "Enable Tomcat"
Thursday, June 16, 2011
Bound Mac Clients Can't Exit Screensaver Using AD Credentials
Bound Macs that have the screen saver set to lock after a certain amount of time and require AD credentials to unlock sometimes are unable to unlock the screen saver.
Fix
Open Terminal
Type: cd /etc
Type: pico authorization
Find "system.login.screensaver" and look for this text in a string:
and change it to:
"(Use SecurityAgent.) The owner or any administrator can unlock the screensaver."
For full details refer to Apple KB: http://support.apple.com/kb/TS3287
Monday, June 6, 2011
How to disable auto mounting network shares in OS X
To disable auto-mounting of network shares in OS 10.5 and 10.6 do the following:
- Go to /Users/username/Library/Favorites
- Remove the server names or IP addresses
Tuesday, May 10, 2011
OS X Server: users can not connect to SMB or AFP shares
We have been troubleshooting several reports from offices with bound OS X servers where Mac and PC clients are unable to connect to shares using AFP or SMB. Additionally these offices have reported that Macs will randomly drop their AFP connections to the OS X server.
When the connection problem occurs, oftentimes the server shares will display generic ACL GUIDs (a series of numbers and letters) instead of the group name. In cases such as these, restarting Directory Services generally resolves the problem, at least temporarily:
sudo /usr/bin/killall DirectoryService
Other times the GUIDs display normally but the connection problems still persist. In these cases two things are suggested:
- Nest AD users into local groups and then use the local groups to populate the ACLs
- Flush the group membership cache by running this command:
sudo dsmemberutil flushcache
Generally these problems occur most often on Leopard servers; Snow Leopard servers have improved group membership caching.
Labels:
"OS X server",
"Snow Leopard",
AFP,
Directory Services,
dsmemberutil,
flushcache,
Leopard,
OSX,
SMB
Friday, May 6, 2011
Mac administrator account changing to a standard account
We have had several reports of Macs that have their admin account changed to a standard account.
The fix is to log in to the machine as root, go to "Accounts", select the admin account and put a tick in "Allow user to administer this computer".
If the root account is disabled or you do not know the password you will have to boot the machine from the OS DVD and enable the account/reset the root password.
Full instructions can be found here:
http://support.apple.com/kb/TS1278
Monday, April 11, 2011
Shaking Login: corrupt Kerberos file
Apple has informed us that sometimes anti-virus software can corrupt the kerberos files found in:
/var/db/dslocal/nodes/Default/config/
They suggest that a troubleshooting step for a shaking login should be to remove all the Kerberos files in the above directory:
cd /var/db/dslocal/nodes/Default/config/
sudo rm Kerberos*
then restart.
Tuesday, April 5, 2011
Outlook 2011 Profiles Disappearing
There have been some reports that when a user launches Outlook their profile is no longer there. It seems to have something to do with the database daemon thinking the user's database has vanished.
Here is one reported work-around:
- Keep Outlook open
- Go to Terminal
- Type, ps aux | grep Microsoft
- Look for the MS Office 2011 processes
- Note the number after the user name; this is the Process ID (PID)
- In Terminal type, sudo kill -9 [PID number]
- Do this for each of the Microsoft processes
- Re-launch Outlook
Thursday, March 31, 2011
How To Refresh MCX Preferences on a Mac
From Terminal type: sudo mcxrefresh -n [user short name]
eg: sudo mcxrefresh -n tsmith
For further info see the man page, "man mcxrefresh".
You can also delete the /Library/Managed Preferences folder
Here is a list of MCX refresh commands for each OS:
http://krypted.com/mass-deployment/refreshing-managed-client-cache/
Tuesday, March 29, 2011
Mac clients can not do LDAP (GAL) lookups
An office reported that Mac clients were unable to do LDAP (GAL) lookups from Entourage or Outlook 2011.
All the clients were using the local DC for LDAP; if this was changed to another DC the clients could do lookups just fine.
It was found that the local DC was not a global catalog server. When this was fixed, lookups worked.
Here is the TechNet article on determining whether or not a DC is a GC:
http://technet.microsoft.com/en-us/library/cc786686%28WS.10%29.aspx
Labels:
"OS X",
DC,
GAL,
Global Catalog Server,
LDAP,
Windows Server
com.apple.launchd[1] (org.samba.winbindd3733) Exited with exit code: 1
A 10.5.8 server dropped all SMB connections and the Console log was filled with these errors:
Mar 29 12:36:37 ... com.apple.launchd[1] (org.samba.winbindd[98460]): Exited with exit code: 1
Mar 29 12:36:37 ... com.apple.launchd[1] (org.samba.winbindd): Throttling respawn: Will start in 10 seconds
Mar 29 12:36:47 ... com.apple.launchd[1] (org.samba.winbindd[98461]): Exited with exit code: 1
Mar 29 12:36:47 ... com.apple.launchd[1] (org.samba.winbindd): Throttling respawn: Will start in 10 seconds
Work-around (but not a full fix as it doesn't address the root cause)
Open Terminal, become root with sudo -s and type:
launchctl unload /System/Library/LaunchDaemons/org.samba.winbindd.plist
Then edit /System/Library/LaunchDaemons/org.samba.winbindd.plist
and the following:
This keeps the winbindd daemon from launching at startup, which it isn't doing anyway. To re-enable it, change "true" to "false".
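The "Exited with exit code" / "Throttling respawn" pair above is launchd's signature for a job stuck in a crash loop, and the same shape appears for any job, not only winbindd. The script below is an added example, not from the post: it reduces launchd lines to per-label events and flags every label whose non-zero exits reach a threshold, so the loop is noticed before clients start dropping. It assumes the log lines have the shapes quoted in the post; the sample log is constructed from them plus a few extra lines.

```shell
#!/bin/sh
# Added example (not from the original post): flag any launchd job stuck in an
# exit/respawn loop, using the line shapes quoted in the post:
#   com.apple.launchd[1] (label[pid]): Exited with exit code: N
#   com.apple.launchd[1] (label): Throttling respawn: Will start in 10 seconds
set -eu

# Reduce launchd lines to "label exit <code>" or "label throttle" records;
# everything else is dropped.
launchd_job_events() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*com\.apple\.launchd\[[0-9]*\] (\([^][)]*\)\(\[[0-9]*\]\)\{0,1\}): Exited with exit code: \([0-9]*\).*/\1 exit \3/p' \
        -e 's/.*com\.apple\.launchd\[[0-9]*\] (\([^][)]*\)): Throttling respawn.*/\1 throttle/p'
}

# Print "label exits throttles" for every label whose non-zero exits reach
# the threshold $2 (default 3) in log text $1, sorted by label.
crash_looping_labels() {
    launchd_job_events "$1" | awk -v t="${2:-3}" '
        $2 == "exit" && $3 != 0 { exits[$1]++ }
        $2 == "throttle"        { throttles[$1]++ }
        END { for (l in exits) if (exits[l] >= t) print l, exits[l], throttles[l] + 0 }' | sort
}

# Constructed sample: the two winbindd failures quoted in the post, a third of
# the same kind, and two unrelated jobs that must not be flagged.
SAMPLE_LOG='Mar 29 12:36:37 host com.apple.launchd[1] (org.samba.winbindd[98460]): Exited with exit code: 1
Mar 29 12:36:37 host com.apple.launchd[1] (org.samba.winbindd): Throttling respawn: Will start in 10 seconds
Mar 29 12:36:47 host com.apple.launchd[1] (org.samba.winbindd[98461]): Exited with exit code: 1
Mar 29 12:36:47 host com.apple.launchd[1] (org.samba.winbindd): Throttling respawn: Will start in 10 seconds
Mar 29 12:36:57 host com.apple.launchd[1] (org.samba.winbindd[98462]): Exited with exit code: 1
Mar 29 12:37:00 host com.apple.launchd[1] (com.example.backup[120]): Exited with exit code: 0
Mar 29 12:37:05 host com.apple.launchd[1] (com.example.agent[121]): Exited with exit code: 2'

# Run against the live system log when asked, otherwise against the sample.
if [ "${1:-}" = "--live" ]; then
    crash_looping_labels "$(cat /var/log/system.log)"
else
    crash_looping_labels "$SAMPLE_LOG"
fi
```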
How to check a user's password from the command line using DSCL
Here is the command for checking a user's password via DSCL:
dscl /Active\ Directory/domainname authonly username
(where "domainname" is the name of the AD domain and "username" is the short name of an Active Directory user)
No output indicates that the user's password was verified.
DHCP Error while importing scope "Option 6"
While importing a DHCP scope from a Windows 2003 to 2008 server I encountered an error:
"Error while importing option "6"."
This is a reference to the scope options in DHCP. Option 6 is the DNS server, option 15 is DNS Domain Name, etc.
To remedy this particular error, delete the offending options from the DHCP server's "Server Options" and then attempt the import again.
Export (2003/2008): netsh dhcp server export c:\[filename.txt] all
Import: netsh dhcp server import c:\[filename.txt] all
More details on the error can be found here:
http://mykbit.blogspot.com/2010/03/error-while-importing-option-6-while.html
Thursday, March 17, 2011
How to force a 10.6 client to generate a Kerberos ticket at login
Refer to this Apple KB article:
You need to add the string:
builtin:krb5store,privileged
Under the key:
system.login.console
In the /etc/authorization file
Generating a kerberos ticket from the command line in OS X
kinit [user name]
You will be prompted for the user's password
Saturday, February 26, 2011
Missing admin accounts on Mac: FIX
Shut down the computer if it is on.
Press the power button to start the computer.
Immediately press and hold the Command (Apple) key and the "s" key for single-user mode.
Type "mount -uw /" and press return.
Type "passwd" and press return.
Enter new password (this will be for the root user account) and press return.
Type "reboot" and press return.
Open the Accounts settings and, when prompted for an administrator account and password, use the user name root and the password you just set up.
Tick the "Allow user to administer this computer" box for your standard account.
If all goes well you are admin again.
Then log in as Root:
dscl . -create /Groups/admin
dscl . -create /Groups/admin RealName Administrators
dscl . -create /Groups/admin PrimaryGroupID 80
dscl . -create /Groups/admin Password [password]
dscl . -create /Groups/admin GroupMembership root
Original post: http://macosx.com/forums/howto-faqs/299801-howto-fix-user-lost-administrator-privileges.html
Wednesday, February 23, 2011
Convert plist to xml
plutil -convert xml1 your_file.plist
To convert an XML .plist file to binary for use: plutil -convert binary1 your_file.plist
Wednesday, February 9, 2011
Remove an ODM from the command line
To remove an Open Directory Master first delete the LDAP entries in Directory Services and then open the Terminal and type:
sudo slapconfig -destroyldapserver
It will take a while to complete. After it has finished you should be able to remove the Opendirectory and DNS services from Server Manager (restart will be required).