Re: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 242
- Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 242
- From: "Simon, Gary" <email@hidden>
- Date: Fri, 5 Sep 2008 09:06:16 -0600
The interesting thing is that in Workgroup Manager, the user’s UID shows up fine in the Basic tab, but nothing at all shows up in the Inspector tab. I’m working on getting ADSI Edit installed on my VMware XP machine so I can directly view the AD account from a PC’s perspective....
Gary
On 9/4/08 5:26 PM, "Daniel Hoit" <email@hidden> wrote:
Yes, that's a static map. Normally, the AD plugin auto-generates the UID based on some of the AD attributes.
For your users who are finding a -2 value, is there any chance they are getting bad data from the directory?
Is the value correctly mapped? If you look at their user record using ADSI Edit or even Workgroup Manager, can you tell if that field is being correctly populated?
My guess is something is wrong with the attribute or the mapping, and you could uncheck the box to map the UID, and your users could log in fine (assuming their cached credentials are cleared).
--DH
On Sep 4, 2008, at 4:19 PM, Simon, Gary wrote:
I’m mapping the UID to a field that was added to our Active Directory schema, which is our unix user id field. I guess you could call that static?
On 9/4/08 5:10 PM, "Daniel Hoit" <email@hidden> wrote:
Are you mapping the UID to a static attribute in Directory Access/Directory Utility?
--DH
On Sep 4, 2008, at 11:59 AM, email@hidden wrote:
I have submitted this as a bug to Apple, but I am curious to see if anyone else has seen this problem:
-------------------------------------------------------------------------------------------------------------------------------------
We are seeing an increasing amount of our Active Directory users that are being locked out from logging into Mac OS X after their initial login. They are able to log in once, but after that they are no longer able to log in with their Active Directory credentials. If you look at their account after a failed login attempt in the Accounts preference panel (advanced options) you see that the User UID is now set to -2 (nobody user).
We are using mobile accounts on all of our Mac OS X computers.
These same users are able to log into a Windows XP computer in the same Active Directory domain with their same credentials, but cannot log into any Mac OS X system in the domain.
If you try to read the record using the dscl read command you get the following error message:
<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
You can see that the record exists by doing a dscl ls command on the users directory, but cannot read the actual record.
The user cannot log in even if the computer has been disconnected from the network as the cached record seems to be broken.
Comparing a "broken" user record to a "working" user record did not seem to shed any light on the problem.
-------------------------------------------------------------------------------------------------------------------------------------
Gary
Daniel Hoit
System Management Solutions Group
Lawrence Livermore National Laboratory
Email: email@hidden <mailto:email@hidden>
Phone: 925.424.5256
Pager: 877.402.6321