Symptom
After binding a Mac to Active Directory, log-ins with AD accounts fail (the login window shakes). Console shows messages like these:
SecurityAgent[735] Could not get user record for 'username' from Directory Services
SecurityAgent[735] User info context values set for username
SecurityAgent[735] unknown-user (username) login attempt PASSED for auditing
SecurityAgent[735] Could not get the user record for 'username' from Directory Services
Meanwhile, from Terminal:
kinit [username] will generate a Kerberos ticket
id [username] will resolve the account (uid, gid and groups) from AD via LDAP
login [username] fails
Solution
Console errors like these generally mean that the computer was not able to create a mobile account at log-in. Create the mobile account from Terminal first:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
sudo createhomedir -c -u username
Then log out and back in with the user's AD credentials.
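Added example (not code from the original post): a script that runs the checks above for one user on a bound Mac. It looks for the "Could not get user record" messages in the log, confirms the AD record actually resolves (the `id` test), and only then pre-creates the mobile account and home directory. The log excerpt inside it is constructed for offline testing with made-up user names; the script assumes `syslog(1)` on 10.5/10.6 can filter by Sender and that the ManagedClient path is the 10.6 one. Run it as `sh fix-mobile-account.sh username`.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the post's checks for
# one user on a bound Mac: is the symptom in the log, does the AD record
# resolve, and if so pre-create the mobile account and home directory.
# Assumptions: log lines look like the ones quoted in the post; syslog(1) on
# 10.5/10.6 filters by Sender; the ManagedClient path is the 10.6 one.

CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Constructed log excerpt for testing the detector offline (user names made up).
sample_log() {
  cat <<'EOF'
SecurityAgent[735] Could not get user record for 'jsmith' from Directory Services
SecurityAgent[735] User info context values set for jsmith
SecurityAgent[735] unknown-user (jsmith) login attempt PASSED for auditing
SecurityAgent[735] Could not get the user record for 'jsmith' from Directory Services
SecurityAgent[735] User info context values set for bbrown
EOF
}

# Exit 0 when the text on stdin contains the "Could not get (the) user record"
# message for USER, 1 otherwise.
has_missing_record() {
  n=$(grep -c "Could not get \(the \)\{0,1\}user record for '$1' from Directory Services" || true)
  [ "$n" -gt 0 ]
}

# The post's manual check: id works when the AD record resolves. A failure
# here is a binding/DNS problem, not a mobile-account problem.
ad_record_resolves() {
  id "$1" >/dev/null 2>&1
}

# Create the mobile account and its home directory, as in the post.
create_mobile_account() {
  sudo "$CMA" -n "$1" && sudo createhomedir -c -u "$1"
}

main() {
  user="${1:?usage: $0 username}"
  if ! ad_record_resolves "$user"; then
    echo "$user does not resolve through Directory Services; check the binding and DNS first" >&2
    return 2
  fi
  if syslog -k Sender SecurityAgent | has_missing_record "$user"; then
    echo "log shows the missing-user-record symptom for $user; creating mobile account"
    create_mobile_account "$user"
  else
    echo "no missing-user-record messages for $user in the log"
  fi
}

# Run the live checks only when a user name is given on the command line.
[ $# -eq 0 ] || main "$@"
```

If `id` fails the mobile-account step will fail too, so the script stops there; fix the bind or DNS first.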
Sunday, December 18, 2011
Friday, September 30, 2011
How OS X uses login names to generate Kerberos tickets
AD users have two valid names that can be used for authentication: the login name and the "pre-Windows 2000", or "short" name.
OS X accepts both as valid, but a Kerberos ticket is only granted when the user logs in with the short (pre-Windows 2000) name. Log-ins using the long name (the user logon name with its @ suffix) or domain\username authenticate but are not granted a Kerberos ticket.
Shaking Log-on in OS X: The Ongoing Saga
Yet more things to check if a bound Mac refuses to allow authentication by an AD user:
Open the user's AD object in Active Directory Users and Computers (ADUC) and go to the "Account" tab. Check that the user logon name and the pre-Windows 2000 logon name are the same, that both are unique on your network, and that the user is typing the name exactly as it appears there.
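Added example covering both this post and the Kerberos-ticket post above (not code from either): it reduces whatever the user typed to the short name, checks an AD record for the ADUC test (sAMAccountName equal to the prefix of userPrincipalName), and reads the principal out of `klist` to confirm the ticket was issued to the short name. The LDIF record and the klist text inside it are constructed; the user, DC host name and base DN are made up, and the live query assumes `ldapsearch` can authenticate with GSSAPI using the ticket already held.

```shell
#!/bin/sh
# Added example; not code from the original posts. Checks the login-name rules
# described above. LDIF and klist text are constructed; names are made up.

# "CORP\jsmith" and "jsmith@corp.example.com" both become "jsmith".
short_name() {
  printf '%s\n' "$1" | sed -e 's/^.*\\//' -e 's/@.*$//'
}

# LDIF on stdin -> prints "ok", or "mismatch SAM UPNPREFIX", or "missing".
# Exit status is 0 only for "ok".
check_names() {
  awk -F': ' '
    $1 == "sAMAccountName"    { sam = $2 }
    $1 == "userPrincipalName" { upn = $2; sub(/@.*/, "", upn) }
    END {
      if (sam == "" || upn == "") { print "missing"; exit 1 }
      if (sam == upn) print "ok"
      else { print "mismatch " sam " " upn; exit 1 }
    }'
}

# klist output on stdin -> the user part of the principal. 10.6 prints
# "Default principal:", later Heimdal releases print "Principal:".
ticket_user() {
  sed -n 's/^[[:space:]]*\(Default \)\{0,1\}[Pp]rincipal: \([^@]*\)@.*$/\2/p' | head -n 1
}

# Constructed record in the shape ldapsearch -LLL returns.
sample_record() {
  cat <<'EOF'
dn: CN=Jane Smith,OU=Staff,DC=corp,DC=example,DC=com
sAMAccountName: jsmith
userPrincipalName: jsmith@corp.example.com
EOF
}

# Constructed klist output.
sample_klist() {
  printf "Kerberos 5 ticket cache: 'API:Initial default ccache'\nDefault principal: jsmith@CORP.EXAMPLE.COM\n"
}

# Live version: query the DC with the ticket already held (GSSAPI), then
# compare with klist. The DC host and base DN are assumptions.
main() {
  typed="${1:?usage: $0 login-name}"
  user=$(short_name "$typed")
  [ "$user" = "$typed" ] || echo "note: '$typed' was typed; log in as '$user' to get a ticket" >&2
  ldapsearch -LLL -Y GSSAPI -H ldap://dc1.corp.example.com \
    -b DC=corp,DC=example,DC=com "(sAMAccountName=$user)" \
    sAMAccountName userPrincipalName | check_names || return 1
  have=$(klist 2>/dev/null | ticket_user)
  if [ "$have" = "$user" ]; then
    echo "ticket held for $user"
  else
    echo "no ticket for $user (klist shows '${have:-none}')" >&2
    return 1
  fi
}

[ $# -eq 0 ] || main "$@"
```

A "mismatch" result means the two names in ADUC differ, which is the case the post above says to fix; "missing" means the record did not come back with both attributes, usually a wrong base DN or a name that does not exist.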
Thursday, August 18, 2011
Cannot exit Snow Leopard Screen Saver with AD credentials
On bound Macs there is a problem where a computer left on with the screen saver active for more than 10 hours (the default Kerberos ticket lifetime) has its ticket expire. When that happens the user cannot unlock the screen saver with their AD credentials.
Here is the KB article from Apple on how to fix this problem:
http://support.apple.com/kb/TS3287
Thursday, July 28, 2011
How to display the DHCP server in OS X
It has always frustrated me that I could never find a way to display the DHCP server on a Mac, something like ipconfig /all on a PC. I finally discovered a way:
ipconfig getpacket en0 (en1 if you are on Wi-Fi)
Look for the line that starts with "server_identifier"; the address on it is your DHCP server. (Do not read the siaddr field for this: that is the boot "next server", not the DHCP server that issued the lease.)
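Added example (not from the original post): pull the DHCP server, router, DNS servers and lease length out of `ipconfig getpacket` output instead of reading it by eye. The packet text inside is constructed to match the 10.6 output format with made-up addresses; real option order can differ. `ipconfig getoption en0 server_identifier` returns the same value directly if you only need the server.

```shell
#!/bin/sh
# Added example, not from the original post: parse `ipconfig getpacket`.
# The packet below is constructed (made-up addresses) in the 10.6 format.

# Constructed getpacket output for offline testing.
sample_packet() {
  cat <<'EOF'
op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 0x3a4f9c21
secs = 0
ciaddr = 0.0.0.0
yiaddr = 192.168.1.57
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = 0:1b:63:ab:cd:ef
options:
Options count is 7
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 192.168.1.1
lease_time (uint32): 0x15180
subnet_mask (ip): 255.255.255.0
router (ip_mult): {192.168.1.1}
domain_name_server (ip_mult): {192.168.1.1, 192.168.1.2}
domain_name (string): corp.example.com
end (none):
EOF
}

# Value of one option from getpacket text on stdin,
# e.g. packet_option server_identifier -> 192.168.1.1
packet_option() {
  sed -n "s/^$1 ([a-z0-9_]*): //p" | head -n 1
}

# Lease length in seconds (getpacket prints it in hex).
lease_seconds() {
  v=$(packet_option lease_time)
  [ -n "$v" ] && echo $((v))
}

# Live: DHCP server for an interface. en0 is wired and en1 Wi-Fi on most
# Macs of this vintage; networksetup -listallhardwareports shows which is which.
dhcp_server() {
  ipconfig getpacket "$1" | packet_option server_identifier
}

# Live summary of the lease on an interface.
lease_summary() {
  pkt=$(ipconfig getpacket "$1")
  for o in server_identifier router domain_name_server domain_name; do
    printf '%-20s %s\n' "$o" "$(printf '%s\n' "$pkt" | packet_option "$o")"
  done
  printf '%-20s %s\n' lease_seconds "$(printf '%s\n' "$pkt" | lease_seconds)"
}

[ $# -eq 0 ] || lease_summary "$1"
```

An empty result for server_identifier means the interface has no DHCP lease (static address, or no ACK received), which is the first thing to check when a Mac cannot find its domain controllers.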
Saturday, July 23, 2011
scutil to change host names
Apparently "changeip" isn't the recommended way to change DNS names in Snow Leopard, so we must use "scutil" instead.
Take a look at the man page, but mostly we will probably use it to change the computer and host names:
sudo scutil --set ComputerName [new name]
sudo scutil --set HostName [new name]
From the man page:
--set pref [newval]
    Updates the specified preference with the new value. If the new value is not specified on the command line then it will be read from standard input. Supported preferences include: ComputerName, LocalHostName, HostName. The --set option requires super-user access.
--dns
    Reports the current DNS configuration.
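Added example (not from the original post): set all three names scutil manages from one chosen name. ComputerName can be anything human-readable, but LocalHostName is the Bonjour (.local) name and HostName is what the machine calls itself on the network, so both are derived as a DNS-safe label (letters, digits and hyphens, at most 63 characters) and read back with `scutil --get`. The DNS suffix is an assumption; the `--set` calls need sudo.

```shell
#!/bin/sh
# Added example, not from the original post: set ComputerName, LocalHostName
# and HostName consistently. The DNS suffix corp.example.com is an assumption.

# 0 if NAME is a usable LocalHostName / DNS label.
valid_local_hostname() {
  case "$1" in
    '' | -* | *-) return 1 ;;     # empty, or leading/trailing hyphen
  esac
  [ "${#1}" -le 63 ] || return 1
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+$'
}

# "Jane's MacBook Pro" -> jane-s-macbook-pro
to_local_hostname() {
  printf '%s\n' "$1" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[^a-z0-9-]\{1,\}/-/g' -e 's/^-//' -e 's/-$//'
}

# Read the current values back; scutil --get prints the setting.
show_names() {
  for k in ComputerName LocalHostName HostName; do
    printf '%-14s %s\n' "$k" "$(scutil --get "$k")"
  done
}

# ComputerName keeps the human-readable form; LocalHostName gets the label;
# HostName gets the label plus the DNS suffix.
set_names() {
  name="$1"; suffix="${2:-corp.example.com}"
  label=$(to_local_hostname "$name")
  valid_local_hostname "$label" || { echo "cannot derive a LocalHostName from '$name'" >&2; return 1; }
  sudo scutil --set ComputerName "$name"
  sudo scutil --set LocalHostName "$label"
  sudo scutil --set HostName "$label.$suffix"
  show_names
}

[ $# -eq 0 ] || set_names "$@"
```

Run as `sh set-names.sh "Jane's MacBook Pro" corp.example.com`; the read-back at the end is the check that all three names were actually applied.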
Friday, July 15, 2011
Mac Disk Showing 0Kb. Disk totally full for no reason.
Several users reported a problem where their disks showed 0 bytes free. It turned out that Photoshop 5 was creating (and never deleting) massive log files. Deleting the log files reclaimed the missing space.
The log files are in:
/var/log/asl
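Added example (not from the original post): find the files that are actually eating the disk before deleting anything, so the fix targets the right log and not the whole ASL directory. It defaults to the directory named above and a 100 MB threshold. If space does not come back after deleting a file, a process still holds it open; `lsof +L1` lists such unlinked-but-open files, and quitting that process (here, Photoshop) releases the space.

```shell
#!/bin/sh
# Added example, not from the original post: list files above a size
# threshold under a directory, largest first, as "kilobytes<TAB>path".

# big_files DIR MIN_MB (defaults: /var/log/asl, 100)
big_files() {
  dir="${1:-/var/log/asl}"; min_mb="${2:-100}"
  find "$dir" -type f -size +$((min_mb * 1024))k -exec du -k {} + 2>/dev/null | sort -rn
}

# Total size of a directory in MB, which is what df is counting.
dir_total_mb() {
  du -sk "$1" 2>/dev/null | awk '{ printf "%d\n", $1 / 1024 }'
}

[ $# -eq 0 ] || big_files "$@"
```

Run as `sudo sh big-files.sh /var/log/asl 100`; sudo is needed to read everything under /var/log.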
Thursday, July 7, 2011
Windows 2008 server and ExtremeZIP: AFP Shares appearing as read-only to Mac users
After moving data from a Windows 2003 server to a Windows 2008 server with robocopy, Mac users were unable to write to some folders. The files and folders appeared to copy correctly, along with their permissions, and Windows users could access the folders without a problem.
The Windows 2008 server runs ExtremeZIP and the problem only occurred for clients connected via AFP; SMB connections were fine. Both AD-bound and unbound Macs were affected.
FIX: it turned out that the file permissions did not fully copy (robocopy only carries ACLs when run with /SEC or /COPYALL). Folders that Mac users could only see as read-only were missing the "Delete subfolders and files" permission in the folder's advanced security settings.
Go to the security properties of the folder and click on the "Advanced" tab.
Highlight the user/group whose permissions you want to check and click "Change Permissions".
Highlight the user/group again and click "Edit".
Make sure there is a tick in "Delete subfolders and files".
Make sure you propagate the permissions to all child objects.
Monday, June 6, 2011
How to disable auto mounting network shares in OS X
To disable auto-mounting of network shares in OS X 10.5 and 10.6 do the following:
- Go to /Users/username/Library/Favorites
- Remove the server names or IP addresses
Monday, April 11, 2011
Shaking Login: corrupt Kerberos file
Apple has informed us that anti-virus software can sometimes corrupt the Kerberos configuration files found in:
/var/db/dslocal/nodes/Default/config/
They suggest that one troubleshooting step for a shaking login is to remove all the Kerberos files in that directory. Copy them somewhere safe first so the step can be undone, then:
cd /var/db/dslocal/nodes/Default/config/
sudo rm Kerberos*
then restart.
Thursday, March 31, 2011
How To Refresh MCX Preferences on a Mac
From Terminal type: sudo mcxrefresh -n [user short name]
eg: sudo mcxrefresh -n tsmith
For further info see the man page: "man mcxrefresh"
You can also delete the /Library/Managed Preferences folder.
Here is a list of MCX refresh commands for each OS:
http://krypted.com/mass-deployment/refreshing-managed-client-cache/
Tuesday, March 29, 2011
Mac clients can not do LDAP (GAL) lookups
An office reported that Mac clients were unable to do LDAP (GAL) lookups from Entourage or Outlook 2011.
All the clients were using the local DC for LDAP; when this was changed to another DC the clients could do lookups just fine.
It was found that the local DC was not a global catalog server. When this was fixed, lookups worked.
Here is the TechNet article on determining whether or not a DC is a GC:
http://technet.microsoft.com/en-us/library/cc786686%28WS.10%29.aspx
Labels: "OS X", DC, GAL, Global Catalog Server, LDAP, Windows Server
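Added example for the global catalog post above (not code from the original): a way to check from a Mac, without the TechNet procedure, which DCs are global catalogs. A GC registers an SRV record under `_gc._tcp.<forest root>` and serves LDAP on port 3268, so the DNS answer tells you which hosts the Outlook and Entourage clients should be pointed at. The SRV answer inside the script is constructed; the host and domain names are made up.

```shell
#!/bin/sh
# Added example, not from the original post: find global catalogs via the
# _gc._tcp SRV records. The SRV answer below is constructed; names are made up.

# Constructed `dig +short _gc._tcp.corp.example.com SRV` answer.
sample_srv() {
  cat <<'EOF'
0 100 3268 dc1.corp.example.com.
0 100 3268 dc2.corp.example.com.
EOF
}

# SRV answer on stdin ("priority weight port target.") -> GC host names.
gc_hosts() {
  awk '$3 == 3268 { sub(/\.$/, "", $4); print $4 }'
}

# 0 if HOST appears among the GC targets on stdin (case-insensitive).
is_gc() {
  gc_hosts | grep -qix "$1"
}

# Live: list the forest's GCs, then confirm the DC the Macs use answers on
# 3268. nc -z only proves the port is open; an ldapsearch against port 3268
# would prove the GC partition is really being served.
main() {
  forest="${1:?usage: $0 forest-root dc-fqdn}"; dc="${2:?usage: $0 forest-root dc-fqdn}"
  if dig +short "_gc._tcp.$forest" SRV | is_gc "$dc"; then
    echo "$dc is registered as a global catalog"
    nc -z -w 3 "$dc" 3268 && echo "$dc answers on 3268"
  else
    echo "$dc is NOT registered as a GC; point the clients at one that is, or promote it" >&2
    return 1
  fi
}

[ $# -eq 0 ] || main "$@"
```

Run as `sh gc-check.sh corp.example.com localdc.corp.example.com`. An empty SRV answer usually means the Mac is not using the AD DNS servers, which breaks binding as well as GAL lookups.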
How to check a user's password from the command line using DSCL
Here is the command for checking a user's password via DSCL:
dscl /Active\ Directory/domainname authonly username
(where "domainname" is the name of the AD domain and "username" is the short name of an Active Directory user)
dscl prompts for the password; do not pass it as an extra argument on the command line, where it would be visible in the process list and the shell history. No output and an exit status of 0 mean the password was verified; a wrong password produces a DS Error (eDSAuthFailed).
Saturday, February 26, 2011
Missing admin accounts on Mac: FIX
Shut down the computer if it is on.
Press the power button to start the computer.
Immediately press and hold the Command (Apple) key and the "s" key to boot into single-user mode.
Type "mount -uw /" and press return.
Type "passwd" and press return.
Enter a new password (this sets the password for the root account) and press return.
Type "reboot" and press return.
Open System Preferences > Accounts; when prompted for an administrator name and password, use the user name root and the password you just set.
Tick "Allow user to administer this computer" for your standard account.
If all goes well you are an admin again.
If the admin group itself is gone, log in as root and recreate it:
dscl . -create /Groups/admin
dscl . -create /Groups/admin RealName Administrators
dscl . -create /Groups/admin PrimaryGroupID 80
dscl . -create /Groups/admin Password [password]
dscl . -create /Groups/admin GroupMembership root
Note that "dscl -create" replaces an attribute outright: run on an existing admin group, the last line leaves root as the only member, so only use these commands when the group is actually missing and re-add your users afterwards.
This procedure works because single-user mode hands an unauthenticated root shell to anyone with physical access; a firmware password blocks it (and therefore blocks this fix), so set one on machines you do not want recoverable this way, and disable the root account again in Directory Utility once you are done.
Original post: http://macosx.com/forums/howto-faqs/299801-howto-fix-user-lost-administrator-privileges.html
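Added example (not from the original post or the forum post it links): after the reset, verify the admin group is intact (gid 80) and that the account is a member, and add it back with `dseditgroup` rather than recreating the group with `dscl -create`. The dscl output inside is constructed; the user name is made up. Run the live part as root or via sudo.

```shell
#!/bin/sh
# Added example, not from the original post: check and repair admin group
# membership. dscl output below is constructed; the user name is made up.

# Constructed `dscl . -read /Groups/admin GroupMembership PrimaryGroupID` output.
sample_admin() {
  printf 'GroupMembership: root jsmith\nPrimaryGroupID: 80\n'
}

# Members listed in dscl output on stdin, one per line.
admin_members() {
  sed -n 's/^GroupMembership: //p' | tr ' ' '\n'
}

# gid from dscl output on stdin (must be 80 for the admin group).
admin_gid() {
  sed -n 's/^PrimaryGroupID: //p'
}

# 0 if USER is a member according to the dscl output on stdin.
is_member() {
  admin_members | grep -qx "$1"
}

# Live: verify the group and put USER back in it. dseditgroup is the
# supported way to edit group membership on 10.5 and later.
ensure_admin() {
  user="${1:?usage: $0 username}"
  out=$(dscl . -read /Groups/admin GroupMembership PrimaryGroupID) \
    || { echo "admin group is missing" >&2; return 1; }
  [ "$(printf '%s\n' "$out" | admin_gid)" = 80 ] \
    || { echo "admin group does not have gid 80" >&2; return 1; }
  if printf '%s\n' "$out" | is_member "$user"; then
    echo "$user is already an admin"
  else
    dseditgroup -o edit -a "$user" -t user admin && echo "added $user to admin"
  fi
  # dsmemberutil asks the membership resolver, which also covers nested groups.
  dsmemberutil checkmembership -U "$user" -G admin
}

[ $# -eq 0 ] || ensure_admin "$1"
```

If `dscl -read` reports the group missing, that is the one case where the dscl -create lines above are appropriate.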
Thursday, October 28, 2010
Snow Leopard Error -50 when copying to an SMB share
Symptom
A Snow Leopard client copying files to an SMB share gets a -50 "unknown error" and the copy halts. This only happens with Snow Leopard and only over SMB; copying the same files over AFP works fine. It also affects only certain files, and taking one of those files to another Snow Leopard machine reproduces the error every time.
Cause
We found that it comes down to files with a resource fork. Leopard and Snow Leopard no longer embed resource forks in files the old way, so these are presumably files that were touched or created by an older Mac OS, which explains why only a handful out of thousands of files are affected. The trigger is that the Snow Leopard SMB client now defaults to storing the resource fork in an NTFS alternate data stream rather than in an AppleDouble ("._") file.
Solution
Turn off NTFS streams support in the Snow Leopard client by running:
echo "[default]" | sudo tee -a /etc/nsmb.conf
echo "streams=no" | sudo tee -a /etc/nsmb.conf
(Check /etc/nsmb.conf first: these lines append, so running them twice leaves two "[default]" sections.)
Touching every client is a pain, so an easier way is to mark the share itself by creating a file named ".com.apple.smb.streams.off" at its root. As this is a hidden file, it is best done from the command line:
cd /Volumes/sharename/
touch .com.apple.smb.streams.off
No reboot is needed; clients just need to unmount and mount the share again. This marker is honoured by every Mac that mounts the share and can be created or removed by anyone with write access to the share root, so restrict that permission as you would any other server-side setting. With streams off, resource forks go back into "._" AppleDouble files on the share.
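Added example (not from the original post): an idempotent version of the nsmb.conf change. The two `tee -a` lines above append another "[default]" header every time they run; this function writes the key once, inside the existing [default] section when there is one, and leaves per-server sections alone. Pass a scratch path to try it without root; the real file needs sudo.

```shell
#!/bin/sh
# Added example, not from the original post: set a key under [default] in
# nsmb.conf exactly once. Usage: sudo sh nsmb-default.sh /etc/nsmb.conf streams no

# Ensure "KEY=VALUE" appears exactly once under [default] in FILE.
set_nsmb_default() {
  file="$1"; key="$2"; value="$3"
  [ -f "$file" ] || : > "$file"
  awk -v key="$key" -v value="$value" '
    /^\[/ {                               # section header
      if (insec && !done) { print key "=" value; done = 1 }
      insec = ($0 == "[default]")
    }
    insec && $0 ~ ("^" key "=") {         # existing setting in [default]
      if (done) next                      # drop duplicates
      $0 = key "=" value; done = 1
    }
    { print }
    END {
      if (!done) { if (!insec) print "[default]"; print key "=" value }
    }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Current value of KEY under [default] in FILE, if any.
get_nsmb_default() {
  awk -v key="$1" -F= '/^\[/ { insec = ($0 == "[default]") }
                        insec && $1 == key { print $2; exit }' "$2"
}

if [ $# -eq 3 ]; then set_nsmb_default "$@"; fi
```

After running it, `get_nsmb_default streams /etc/nsmb.conf` should print `no`; the client picks the setting up on the next mount, so unmount and remount the share as the post says.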
Thursday, October 7, 2010
Mac Binding Fails- Advice from Apple
Apple's KB regarding binding problems and possible work-arounds involving clearing out Kerberos config files and DNS config check:
http://support.apple.com/kb/TS2691
Wednesday, October 6, 2010
Snow Leopard (10.6) can not connect to server using SMB: RESOLVED
Problem: AD-bound 10.6.x Macs had trouble connecting to SMB shares on Windows servers. Either users could not connect to the shares at all, or opening and browsing folders took several minutes.
Cause: The issue occurs when a file or folder on the share carries an ACL entry with an "Unknown SID" (a SID, typically of a deleted account, that no longer resolves). When listing the share, the OS X Directory Service plugin tries to resolve every SID to an AD object; for an unknown SID it spends 60 seconds before giving up and moving on to list the contents. Each additional unknown SID adds another 60-second timeout, which explains the different delays users saw.
Resolution:
Testing showed that once the unknown SIDs are removed from the affected files and folders, SMB speed returns to normal: mounting and listing the share takes seconds instead of minutes.
Apple will take the finding back to product engineering to determine whether the timeout can be mitigated in OS X.
The difficulty for server administrators is that it is not practical to find and remove these unknown SIDs by hand. Microsoft has a tool that does it:
SUBINACL - display or modify Access Control Entries (ACEs) for file and folder permissions, ownership and domain.
Download the MSI and install it on the file server, then run it with the following syntax. It removes all ACEs belonging to deleted SIDs of the named domain from the files and folders you specify (IPGNA is the domain in this example; substitute your own):
subinacl /subdirectories X:\* /cleandeletedsidsfrom=IPGNA