Friday, September 30, 2011

How OS X uses login names to generate Kerberos tickets

AD users have two valid names that can be used for authentication: the login name and the "pre-Windows 2000", or "short" name. 

OSX recognizes both of these as valid, however in order to have a Kerberos ticket granted the user must login with the short (pre-Windows 2000) name.  Login attempts using the long name or domain\username will not be granted a Kerberos ticket.

Shaking Log-on in OS X: The Ongoing Saga

Yet more things to check if a bound Mac refuses to allow authentication by an AD user:

Open the user's AD profile in Active Directory Users and Computers (ADUC) and click on the "Accounts" tab.  Check that both the log-on name and pre-Windows 2000 name are the same, that both are unique on your network and that the user is entering the name exactly as it appears in the profile.

Sunday, September 18, 2011

Changing the Machine Password Interval on a Mac and Windows

Sometimes when a user can not log into their computer (shaking login) the problem is with the machine password and not the user account password.  By default Windows machines reset their machine password every 30 days but Macs do so every 14.  If a computer is on the network but can not connect to a DC at its password change interval it can subsequently prevent the user from logging in and/or changing their password from the computer. 

To change the machine password interval on a Mac you must first unbind the computer and then follow these steps:

http://support.apple.com/kb/HT3422

Setting the passinterval to "0" is the recommended fix.

Keep in mind that having a computer never reset its password poses a potential security risk because the security channel between the computer and the DC will never be reset.  This means that if someone discovers the machine password they could perform pass-through authentication directly to a DC.

Here is a good article describing the entire machine password change proces:

http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

And here is Microsoft's KB on the process for PCs:

http://support.microsoft.com/kb/154501



Tuesday, September 6, 2011

Snow Leopard: Allowing standard users to add printers

In Snow Leopard standard users are not allowed to modify the print queues.  Apple has a work-around in this KB article:  http://support.apple.com/kb/HT3511

Run this command:

dseditgroup -o edit -n /Local/Default -u admin -p -a student -t user lpadmin

Where "admin" is the short name for the local admin account and "student" is the name of the user

Monday, September 5, 2011

How to configure a hidden account that has ARD access and also must request control from the user

I was asked to create a hidden account that had remote control access through ARD but that also had to request permission from the user before being allowed access to the computer

Running the following in ARD/Unix using the root account will create a hidden standard account called "hidden", set the password to "Hidden123", turn on "request permissions to observe/control" and add the account to the Remote Management "allowed users" list:

dscl . -create /Users/hidden
dscl . -create /Users/hidden UserShell /bin/bash
dscl . -create /Users/hidden RealName "hidden"
dscl . -create /Users/hidden UniqueID 499
dscl . -create /Users/hidden PrimaryGroupID 1000
dscl . -create /Users/hidden NFSHomeDirectory /Local/Users/hidden
dscl . -passwd /Users/hidden Hidden123
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users hidden -privs -none -clientopts -setreqperm -reqperm yes

A "UniqueID" lower than 500 will create a hidden account.

To remove the account (run as root through ARD):

dscl . -delete /Users/hidden

This works for Leopard and Snow Leopard