AD users have two valid names that can be used for authentication: the log-on name and the "pre-Windows 2000", or "short", name.
OS X recognizes both of these as valid; however, in order to be granted a Kerberos ticket the user must log in with the short (pre-Windows 2000) name. Login attempts using the long name or DOMAIN\username will not be granted a Kerberos ticket.
Friday, September 30, 2011
Shaking Log-on in OS X: The Ongoing Saga
Yet more things to check if a bound Mac refuses to allow authentication by an AD user:
Open the user's AD profile in Active Directory Users and Computers (ADUC) and click on the "Accounts" tab. Check that both the log-on name and pre-Windows 2000 name are the same, that both are unique on your network and that the user is entering the name exactly as it appears in the profile.
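A quick way to confirm that a log-in actually produced a Kerberos ticket (the short-name versus long-name point above) is to parse the output of klist after the user has logged in. This is an added example, not from the original post; the two klist samples are constructed, and the check relies only on the krbtgt/ line, which both the MIT klist of 10.6 and the Heimdal klist of later releases print when a ticket-granting ticket was issued.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a log-in produced a
# Kerberos TGT. Input is text in the shape of "klist" output; both samples below
# are constructed. A krbtgt/ line is present whenever a TGT was granted.

# Constructed: user logged in with the short name and received a ticket.
KLIST_WITH_TGT='Kerberos 5 ticket cache: API:Initial default ccache
Default principal: jsmith@AD.EXAMPLE.COM

Valid Starting     Expires            Service Principal
09/30/11 08:15:02  09/30/11 18:15:02  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM'

# Constructed: no credential cache at all, which is what a log-in with the
# long name or DOMAIN\username leaves behind according to the post.
KLIST_EMPTY='klist: No credentials cache found'

# Prints the principal the cache belongs to (last field of the
# "Default principal:" or "Principal:" line), or nothing if there is none.
ticket_principal() {
    awk '/[Pp]rincipal:/ { print $NF; exit }'
}

# Returns 0 if the cache holds a ticket-granting ticket, 1 otherwise.
has_tgt() {
    grep -q 'krbtgt/'
}

# Usage on a live Mac, in the user's session:  klist 2>&1 | has_tgt
if printf '%s\n' "$KLIST_WITH_TGT" | has_tgt; then
    echo "TGT present for $(printf '%s\n' "$KLIST_WITH_TGT" | ticket_principal)"
else
    echo "no TGT: check that the user logged in with the short name"
fi
```

If has_tgt fails for a user who can log in, the account is being authenticated without Kerberos, which is exactly the long-name case the post describes.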
Sunday, September 18, 2011
Changing the Machine Password Interval on a Mac and Windows
Sometimes when a user cannot log into their computer (shaking login) the problem is with the machine password and not the user account password. By default Windows machines reset their machine password every 30 days, but Macs do so every 14. If a computer is on the network but cannot connect to a DC at its password change interval, it can subsequently prevent the user from logging in and/or changing their password from the computer.
To change the machine password interval on a Mac you must first unbind the computer and then follow these steps:
http://support.apple.com/kb/HT3422
Setting the passinterval to "0" is the recommended fix.
Keep in mind that having a computer never reset its password poses a potential security risk because the secure channel between the computer and the DC will never be reset. This means that if someone discovers the machine password they could perform pass-through authentication directly to a DC.
Here is a good article describing the entire machine password change process:
http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx
And here is Microsoft's KB on the process for PCs:
http://support.microsoft.com/kb/154501
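Because a passinterval of 0 trades the shaking-login problem for a machine password that never rotates, it is worth being able to find the Macs where the fix was applied. The following is an added example, not from the original post or from Apple: it reads text in the shape of the dsconfigad -show output and reports whether rotation is disabled. The sample output is constructed, and the "Password change interval" line is assumed to carry the interval in days.

```shell
#!/bin/sh
# Added example (not from the original post): flag a bound Mac whose machine
# password rotation has been disabled (passinterval 0). Input is text in the
# shape of "dsconfigad -show"; the sample below is constructed, not captured.

# Constructed sample: a Mac whose interval was set to 0 as the post suggests.
SAMPLE_DSCONFIGAD='Active Directory Forest          = ad.example.com
Active Directory Domain          = ad.example.com
Computer Account                 = lab-mac-01$

Advanced Options - Administrative
  Password change interval       = 0'

# Reads dsconfigad-style text on stdin and prints the interval in days.
# Prints nothing if the line is absent (machine probably not bound).
machine_password_interval() {
    awk -F'=' '/Password change interval/ { gsub(/ /, "", $2); print $2 }'
}

# Returns 0 when rotation is enabled, 1 when it is disabled (interval 0),
# 2 when the interval could not be read from the input.
check_rotation() {
    interval=$(machine_password_interval)
    case "$interval" in
        '')  echo "no password change interval found"; return 2 ;;
        0)   echo "machine password rotation DISABLED (passinterval 0)"; return 1 ;;
        *)   echo "machine password rotates every $interval days"; return 0 ;;
    esac
}

# Usage on a live Mac:  dsconfigad -show | check_rotation
if printf '%s\n' "$SAMPLE_DSCONFIGAD" | check_rotation; then
    echo "rotation OK"
else
    echo "review this Mac: the secure channel to the DC is never reset"
fi
```

Run over an inventory of Macs, the non-zero exit status gives a simple list of machines where the 14-day default was switched off and the machine password therefore deserves the same handling as any long-lived credential.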
Tuesday, September 6, 2011
Snow Leopard: Allowing standard users to add printers
In Snow Leopard standard users are not allowed to modify the print queues. Apple has a work-around in this KB article: http://support.apple.com/kb/HT3511
Run this command:
dseditgroup -o edit -n /Local/Default -u admin -p -a student -t user lpadmin
Where "admin" is the short name for the local admin account and "student" is the name of the user.
Monday, September 5, 2011
How to configure a hidden account that has ARD access and also must request control from the user
I was asked to create a hidden account that had remote control access through ARD but that also had to request permission from the user before being allowed access to the computer.
Running the following in ARD/Unix using the root account will create a hidden standard account called "hidden", set the password to "Hidden123", turn on "request permissions to observe/control" and add the account to the Remote Management "allowed users" list:
dscl . -create /Users/hidden
dscl . -create /Users/hidden UserShell /bin/bash
dscl . -create /Users/hidden RealName "hidden"
dscl . -create /Users/hidden UniqueID 499
dscl . -create /Users/hidden PrimaryGroupID 1000
dscl . -create /Users/hidden NFSHomeDirectory /Local/Users/hidden
dscl . -passwd /Users/hidden Hidden123
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users hidden -privs -none -clientopts -setreqperm -reqperm yes
A "UniqueID" lower than 500 will create a hidden account.
To remove the account (run as root through ARD):
dscl . -delete /Users/hidden
This works for Leopard and Snow Leopard.
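The same UniqueID rule that hides the account from the login window also makes it easy to overlook during an audit, so the inverse check is useful: list every local account with a UID below 500 that is not one of Apple's service accounts. This is an added example, not from the original post; it parses text in the shape of the dscl . -list /Users UniqueID output, and the sample listing (including the "hidden" account with UID 499 from the post) is constructed. The exclusion rule (underscore-prefixed names, daemon, nobody and root) is an assumption about Apple's built-in accounts.

```shell
#!/bin/sh
# Added example (not from the original post): audit local users for accounts
# that the login window hides, i.e. UniqueID in 1..499 that are not Apple
# system accounts. Input is text in the shape of "dscl . -list /Users UniqueID"
# (name, whitespace, uid per line); the sample below is constructed.

# Constructed sample listing, including the post's "hidden" account (UID 499).
SAMPLE_USERS='root                     0
daemon                   1
nobody                   -2
_spotlight               89
_windowserver            88
hidden                   499
admin                    501
jsmith                   502'

# Prints the names of accounts that would be hidden from the login window.
# Apple's service accounts start with an underscore; daemon, nobody and root
# are the remaining built-ins (assumed list) and are skipped by name or UID.
find_hidden_accounts() {
    awk '
        $2 ~ /^-?[0-9]+$/ && $2 >= 1 && $2 < 500 {
            if ($1 ~ /^_/ || $1 == "daemon") next
            print $1
        }'
}

# Usage on a live Mac:  dscl . -list /Users UniqueID | find_hidden_accounts
found=$(printf '%s\n' "$SAMPLE_USERS" | find_hidden_accounts)
if [ -n "$found" ]; then
    echo "hidden local accounts:"
    echo "$found"
else
    echo "no hidden local accounts"
fi
```

Any name this prints should be matched against the accounts you created on purpose; a hidden account you do not recognise is worth the same attention as an unexpected admin.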