[Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 243
- Subject: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 243
- From: Walter Adams <email@hidden>
- Date: Sat, 06 Sep 2008 00:26:06 -0400
- Thread-topic: Fed-talk Digest, Vol 5, Issue 243
Shawn,
Is there any chance that we can get a list / matrix of the CAC cards and
readers that have been tested with 10.5.4 and proven to work?
We have been reduced to running Active Card 2.2 on XP within Parallels to
access CAC card PKI enabled systems.
We need to get off of this dead point and implement CAC cards on our Macs.
Thanks,
Walter
On 9/5/08 11:07 AM, "email@hidden"
<email@hidden> wrote:
> Today's Topics:
>
> 1. Re: Defense Acquisition University now on iTunes (Dave Schroeder)
> 2. Re: "Bad" Active Directory records as far as Mac OS X is
> concerned..? (Simon, Gary)
> 3. Re: Fed-talk Digest, Vol 5, Issue 242 (Daniel Hoit)
> 4. Re: Re: Fed-talk Digest, Vol 5, Issue 242 (Simon, Gary)
> 5. Re: Re: Fed-talk Digest, Vol 5, Issue 242 (Daniel Hoit)
> 6. Re: Re: Fed-talk Digest, Vol 5, Issue 242 (Simon, Gary)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 04 Sep 2008 14:10:15 -0500
> From: Dave Schroeder <email@hidden>
> Subject: Re: [Fed-Talk] Defense Acquisition University now on iTunes
> To: Stephen Bates <email@hidden>
> Cc: Functional Area 53 Mailing List <email@hidden>,
> "email@hidden Talk" <email@hidden>
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="us-ascii"
>
> On Sep 4, 2008, at 12:50 PM, Stephen Bates wrote:
>
>> Should launch iTunes and take you to the new iTunes U site for
>> Defense Acquisition University
>>
>> http://deimos.apple.com/WebObjects/Core.woa/Browse/dau.mil
>>
>> Could it be that DoD is finally getting how to harness Web 2.0
>> technologies?
>
> I don't know, but the Intelligence Community has been harnessing Web
> 2.0 technologies for a while now, and making them available to many
> components across the US government.
>
> See Intelink:
>
> NIPRNet/DNI-U: http://www.intelink.gov
> SIPRNet: http://www.intelink.sgov.gov
> JWICS: http://www.intelink.ic.gov
>
> Wiki, blogs, RSS, tagging, instant messaging, video/picture/document
> sharing, iPhone-compatible email, and more, available on three
> security domains, and available for use by anyone in defense,
> intelligence, law enforcement, homeland security, or diplomatic areas.
>
> You can even access the unclassified network and tools from home or
> other remote sites using Intelink Remote Access: http://ra.intelink.gov
>
> All of these tools are fully Mac/Safari-compatible, available now, and
> centrally supported by the DNI's Intelligence Community Enterprise
> Services (ICES).
>
> This is a really good briefing on the Web 2.0 and social software
> movement within the Intelligence Community:
>
> http://www.fcw.com/specials/intellipedia/
>
> For those in the DC area and interested in moving these tools forward,
> a reminder that the 2008 WIRe and ICES Conference is scheduled for
> 8-10 September at the Johns Hopkins University Applied Physics
> Laboratory (APL) in Laurel, MD, hosted by CIA's World Intelligence
> Review (WIRe) and the DNI's Intelligence Community Enterprise Services
> (ICES). The theme of this conference is:
>
> How does a member of the IC successfully perform his or her job in an
> enterprise information environment that is ever-growing in volume and
> complexity?
>
> An expanding community of users, newly-exposed Web services, user-
> generated content, multimedia sharing, the broader reach of cross-
> domain solutions, and attribute-based access controlled systems are
> making the task of discovering, connecting, and vetting information
> evermore challenging yet crucial to our success.
>
> Conference registration is free, and some space is still available.
> This event will have many interesting speakers, panels, and topics,
> and direct interaction with peers involved in emerging information
> technologies from across the IC. The entire conference will be held at
> the UNCLASSIFIED level. Those already attending the DNI Open Source
> Conference on 11-12 September may be interested in including this
> event as well.
>
> For more information, and a conference agenda, see:
>
> http://www.intelink.gov/wiki/WIRe_and_ICES_Conference
>
> To register, visit:
>
> http://www.intelink.gov/wiki/WIRe_and_ICES_Conference_Registration
>
> Anyone interested in attending, feel free to contact me for info.
> There will be a lot of users of Apple technologies here as well...
>
> - Dave
>
> ------------------------------
>
> Message: 2
> Date: Thu, 4 Sep 2008 16:15:14 -0600
> From: "Simon, Gary" <email@hidden>
> Subject: Re: [Fed-Talk] "Bad" Active Directory records as far as Mac
> OS X is concerned..?
> To: "Simon, Gary" <email@hidden>, fed-talk
> <email@hidden>
> Message-ID: <C4E5BA12.39B6%email@hidden>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Here is what I have tried so far:
>
>
> * I have upgraded a computer to the latest 10.5.5 apple seed. I still get
> the dscl error when trying to read the "broken" accounts. I am waiting to get
> one of the "broken" users to try to actually login with the new seed.
> * I unbound from Active Directory. Unchecked the box to map the User UID.
> Rebound to AD. - Still got the dscl error on those particular accounts.
>
> Gary
>
>
> On 9/4/08 12:58 PM, "Gary Simon" <email@hidden> wrote:
>
> I have submitted this as a bug to Apple, but I am curious to see if anyone
> else has seen this problem:
>
> ------------------------------------------------------------------------------
> -------------------------------------------------------
> We are seeing an increasing amount of our Active Directory users that are
> being locked out from logging into Mac OS X after their initial login. They
> are able to login once, but after that they are no longer able to login with
> their Active Directory credentials. If you look at their account after a
> failed login attempt in the Accounts preference panel (advanced options) you
> see that the User UID is now set to -2 (nobody user).
>
> We are using mobile accounts on all of our Mac OS X computers.
>
> These same users are able to log into a Windows XP computer in the same Active
> Directory domain with their same credentials, but cannot log into any Mac OS X
> system in the domain.
>
> If you try to read the record using the dscl read command you get the
> following error message:
>
> <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
>
> You can see that the record exists by doing a dscl ls command on the users
> directory, but cannot read the actual record.
>
> The user cannot log in even if the computer has been disconnected from the
> network as the cached record seems to be broken.
>
> Comparing a "broken" user record to a "working" user record did not seem to
> shed any light on the problem.
>
> ------------------------------------------------------------------------------
> -------------------------------------------------------
>
> Gary
>
> ------------------------------
>
> Message: 3
> Date: Thu, 4 Sep 2008 16:10:08 -0700
> From: Daniel Hoit <email@hidden>
> Subject: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 242
> To: email@hidden
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="us-ascii"
>
> Are you mapping the UID to a static attribute in Directory Access/
> Directory Utility?
>
> --DH
>
> On Sep 4, 2008, at 11:59 AM, email@hidden wrote:
>
>> I have submitted this as a bug to Apple, but I am curious to see if
>> anyone else has seen this problem:
>>
>> ----------------------------------------------------------------------
>> ---------------------------------------------------------------
>> We are seeing an increasing amount of our Active Directory users
>> that are being locked out from logging into Mac OS X after their
>> initial login. They are able to login once, but after that they are
>> no longer able to login with their Active Directory credentials.
>> If you look at their account after a failed login attempt in the
>> Accounts preference panel (advanced options) you see that the User
>> UID is now set to -2 (nobody user).
>>
>> We are using mobile accounts on all of our Mac OS X computers.
>>
>> These same users are able to log into a Windows XP computer in the
>> same Active Directory domain with their same credentials, but
>> cannot log into any Mac OS X system in the domain.
>>
>> If you try to read the record using the dscl read command you get
>> the following error message:
>>
>> <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
>>
>> You can see that the record exists by doing a dscl ls command on
>> the users directory, but cannot read the actual record.
>>
>> The user cannot log in even if the computer has been disconnected
>> from the network as the cached record seems to be broken.
>>
>> Comparing a "broken" user record to a "working" user record did not
>> seem to shed any light on the problem.
>>
>> ----------------------------------------------------------------------
>> ---------------------------------------------------------------
>>
>> Gary
>
> Daniel Hoit
> System Management Solutions Group
> Lawrence Livermore National Laboratory
> Email: email@hidden
> Phone: 925.424.5256
> Pager: 877.402.6321
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 4 Sep 2008 17:19:04 -0600
> From: "Simon, Gary" <email@hidden>
> Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 242
> To: "Daniel Hoit" <email@hidden>, fed-talk
> <email@hidden>
> Message-ID: <C4E5C908.39BE%email@hidden>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I'm mapping the UID to a field that was added to our Active Directory schema,
> which is our unix user id field. I guess you could call that static?
>
>
> On 9/4/08 5:10 PM, "Daniel Hoit" <email@hidden> wrote:
>
> Are you mapping the UID to a static attribute in Directory Access/Directory
> Utility?
>
> --DH
>
> On Sep 4, 2008, at 11:59 AM, email@hidden wrote:
>
> I have submitted this as a bug to Apple, but I am curious to see if anyone
> else has seen this problem:
>
> ------------------------------------------------------------------------------
> -------------------------------------------------------
> We are seeing an increasing amount of our Active Directory users that are
> being locked out from logging into Mac OS X after their initial login. They
> are able to login once, but after that they are no longer able to login with
> their Active Directory credentials. If you look at their account after a
> failed login attempt in the Accounts preference panel (advanced options) you
> see that the User UID is now set to -2 (nobody user).
>
> We are using mobile accounts on all of our Mac OS X computers.
>
> These same users are able to log into a Windows XP computer in the same Active
> Directory domain with their same credentials, but cannot log into any Mac OS X
> system in the domain.
>
> If you try to read the record using the dscl read command you get the
> following error message:
>
> <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
>
> You can see that the record exists by doing a dscl ls command on the users
> directory, but cannot read the actual record.
>
> The user cannot log in even if the computer has been disconnected from the
> network as the cached record seems to be broken.
>
> Comparing a "broken" user record to a "working" user record did not seem to
> shed any light on the problem.
>
> ------------------------------------------------------------------------------
> -------------------------------------------------------
>
> Gary
>
>
> Daniel Hoit
> System Management Solutions Group
> Lawrence Livermore National Laboratory
> Email: email@hidden <mailto:email@hidden>
> Phone: 925.424.5256
> Pager: 877.402.6321
>
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 4 Sep 2008 16:26:33 -0700
> From: Daniel Hoit <email@hidden>
> Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 242
> To: "Simon, Gary" <email@hidden>
> Cc: fed-talk <email@hidden>
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="windows-1252"
>
> Yes, that's a static map. Normally, the AD plugin auto-generates the
> UID based on some of the AD attributes.
> For your users who are finding a -2 value, is there any chance they
> are getting bad data from the directory?
> Is the value correctly mapped? If you look at their user record using
> ADSI Edit or even workgroup manager, can you tell if that field is
> being correctly populated?
> My guess is something is wrong with the attribute, or the mapping and
> you could uncheck the box to map the UID, and your users could login
> fine (assuming their cached credentials are cleared).
>
> --DH
>
> On Sep 4, 2008, at 4:19 PM, Simon, Gary wrote:
>
>> I'm mapping the UID to a field that was added to our Active
>> Directory schema, which is our unix user id field. I guess you
>> could call that static?
>>
>>
>> On 9/4/08 5:10 PM, "Daniel Hoit" <email@hidden> wrote:
>>
>> Are you mapping the UID to a static attribute in Directory Access/
>> Directory Utility?
>>
>> --DH
>>
>> On Sep 4, 2008, at 11:59 AM, email@hidden wrote:
>>
>> I have submitted this as a bug to Apple, but I am curious to see if
>> anyone else has seen this problem:
>>
>> ----------------------------------------------------------------------
>> ---------------------------------------------------------------
>> We are seeing an increasing amount of our Active Directory users
>> that are being locked out from logging into Mac OS X after their
>> initial login. They are able to login once, but after that they are
>> no longer able to login with their Active Directory credentials.
>> If you look at their account after a failed login attempt in the
>> Accounts preference panel (advanced options) you see that the User
>> UID is now set to -2 (nobody user).
>>
>> We are using mobile accounts on all of our Mac OS X computers.
>>
>> These same users are able to log into a Windows XP computer in the
>> same Active Directory domain with their same credentials, but
>> cannot log into any Mac OS X system in the domain.
>>
>> If you try to read the record using the dscl read command you get
>> the following error message:
>>
>> <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
>>
>> You can see that the record exists by doing a dscl ls command on
>> the users directory, but cannot read the actual record.
>>
>> The user cannot log in even if the computer has been disconnected
>> from the network as the cached record seems to be broken.
>>
>> Comparing a "broken" user record to a "working" user record did not
>> seem to shed any light on the problem.
>>
>> ----------------------------------------------------------------------
>> ---------------------------------------------------------------
>>
>> Gary
>>
>>
>> Daniel Hoit
>> System Management Solutions Group
>> Lawrence Livermore National Laboratory
>> Email: email@hidden <mailto:email@hidden>
>> Phone: 925.424.5256
>> Pager: 877.402.6321
>>
>>
>>
>>
>
> Daniel Hoit
> System Management Solutions Group
> Lawrence Livermore National Laboratory
> Email: email@hidden
> Phone: 925.424.5256
> Pager: 877.402.6321
>
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 5 Sep 2008 09:06:16 -0600
> From: "Simon, Gary" <email@hidden>
> Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 242
> To: "Daniel Hoit" <email@hidden>
> Cc: fed-talk <email@hidden>
> Message-ID: <C4E6A708.39D8%email@hidden>
> Content-Type: text/plain; charset="iso-8859-1"
>
> The interesting thing is, that in Workgroup Manager, the user's UID shows up
> fine in the Basic tab, but nothing at all shows up in the Inspector tab. I'm
> working on getting ADSI Edit installed on my VMWare XP machine so I can
> directly view the AD account from a PC's perspective....
>
> Gary
>
>
> On 9/4/08 5:26 PM, "Daniel Hoit" <email@hidden> wrote:
>
> Yes, that's a static map. Normally, the AD plugin auto-generates the UID based
> on some of the AD attributes.
> For your users who are finding a -2 value, is there any chance they are
> getting bad data from the directory?
> Is the value correctly mapped? If you look at their user record using ADSI
> Edit or even workgroup manager, can you tell if that field is being correctly
> populated?
> My guess is something is wrong with the attribute, or the mapping and you
> could uncheck the box to map the UID, and your users could login fine
> (assuming their cached credentials are cleared).
>
> --DH
>
> On Sep 4, 2008, at 4:19 PM, Simon, Gary wrote:
>
> I'm mapping the UID to a field that was added to our Active Directory schema,
> which is our unix user id field. I guess you could call that static?
>
>
> On 9/4/08 5:10 PM, "Daniel Hoit" <email@hidden> wrote:
>
>
> Are you mapping the UID to a static attribute in Directory Access/Directory
> Utility?
>
> --DH
>
> On Sep 4, 2008, at 11:59 AM, email@hidden wrote:
>
>
> I have submitted this as a bug to Apple, but I am curious to see if anyone
> else has seen this problem:
>
>
> ------------------------------------------------------------------------------
> -------------------------------------------------------
> We are seeing an increasing amount of our Active Directory users that are
> being locked out from logging into Mac OS X after their initial login. They
> are able to login once, but after that they are no longer able to login with
> their Active Directory credentials. If you look at their account after a
> failed login attempt in the Accounts preference panel (advanced options) you
> see that the User UID is now set to -2 (nobody user).
>
> We are using mobile accounts on all of our Mac OS X computers.
>
> These same users are able to log into a Windows XP computer in the same
> Active Directory domain with their same credentials, but cannot log into any
> Mac OS X system in the domain.
>
> If you try to read the record using the dscl read command you get the
> following error message:
>
> <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
>
> You can see that the record exists by doing a dscl ls command on the users
> directory, but cannot read the actual record.
>
> The user cannot log in even if the computer has been disconnected from the
> network as the cached record seems to be broken.
>
> Comparing a "broken" user record to a "working" user record did not seem to
> shed any light on the problem.
>
>
> ------------------------------------------------------------------------------
> -------------------------------------------------------
>
> Gary
>
>
>
> Daniel Hoit
> System Management Solutions Group
> Lawrence Livermore National Laboratory
> Email: email@hidden <mailto:email@hidden>
> Phone: 925.424.5256
> Pager: 877.402.6321
>
>
>
>
>
>
>
>
> Daniel Hoit
> System Management Solutions Group
> Lawrence Livermore National Laboratory
> Email: email@hidden <mailto:email@hidden>
> Phone: 925.424.5256
> Pager: 877.402.6321
>
>
>
>
>
> ------------------------------
>
> End of Fed-talk Digest, Vol 5, Issue 243
> ****************************************
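The triage described in the quoted Active Directory thread (records that a `dscl` listing enumerates but `dscl read` rejects with eDSRecordNotFound, and accounts whose UID comes back as -2), as an added shell example that is not part of any message in this thread. The node path `/Active Directory/All Domains`, the function names and the `dscl_sample` stand-in data are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. DSCL, AD_NODE, the function names and
# dscl_sample are illustrative assumptions; adjust AD_NODE to your search node.
DSCL="${DSCL:-dscl}"
AD_NODE="${AD_NODE:-/Active Directory/All Domains}"

# Constructed stand-in for dscl so the script can be exercised off a Mac:
#   DSCL=dscl_sample; audit_users
dscl_sample() {
    case $2 in
        -list) printf 'alice\nbob\ncarol\n' ;;
        -read)
            case $3 in
                /Users/alice) echo "UniqueID: 5012" ;;
                /Users/bob)
                    echo "<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)"
                    return 1 ;;
                /Users/carol) echo "UniqueID: -2" ;;
            esac ;;
    esac
}

# classify_user NAME prints one of:
#   ok <uid> | unreadable | uid_nobody | uid_missing | uid_invalid <value> | error
classify_user() {
    # Classify on the message text rather than the exit status.
    out=$("$DSCL" "$AD_NODE" -read "/Users/$1" UniqueID 2>&1) || true
    case $out in
        *eDSRecordNotFound*) echo "unreadable"; return 0 ;;
        *"DS Error"*) echo "error"; return 0 ;;
    esac
    uid=$(printf '%s\n' "$out" | awk '$1 == "UniqueID:" { print $2; exit }')
    case $uid in
        "") echo "uid_missing" ;;
        -2) echo "uid_nobody" ;;            # the "nobody" UID from the thread
        *[!0-9]*) echo "uid_invalid $uid" ;;
        *) echo "ok $uid" ;;
    esac
}

# audit_users prints "name<TAB>status" for every listed user that is not ok.
audit_users() {
    "$DSCL" "$AD_NODE" -list /Users | while IFS= read -r user; do
        [ -n "$user" ] || continue
        status=$(classify_user "$user")
        case $status in
            ok\ *) ;;
            *) printf '%s\t%s\n' "$user" "$status" ;;
        esac
    done
}
```

Enumerating every user in a large domain is slow; calling `classify_user` on the handful of affected account names is usually enough.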