[Fed-Talk] Certificate selection and secure web sites.
- Subject: [Fed-Talk] Certificate selection and secure web sites.
- From: Walter Adams <email@hidden>
- Date: Wed, 10 Sep 2008 10:41:02 -0400
- Thread-topic: Certificate selection and secure web sites.
As I understand it, the current Apple model is for users to go to the
Keychain Access utility, select a certificate (for those of us with CACs,
one of those) and then add a "new identity preference".
You won't hear this often from me, but Microsoft got this right: they have
the user navigate (with the browser) to a secure web site and then they
present the user with a list of certificates from which to select the
certificate.
Note: I don't know if this is a Windows OS characteristic or an application
(IE) characteristic.
What they did not do is make that selection persistent, like Apple has.
In my humble opinion the solution is to make the certificate selection
context sensitive (a la Microsoft) and persistent (a la Apple). That would
make this process a lot more straightforward. The only thing that is
missing from both approaches is the ability to edit persistent associations,
so that if you make a mistake, or if something changes (a new CAC, etc.),
you can move on.
Walter
email@hidden
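The post proposes combining two behaviours: filter the certificate list by what the site can actually accept (context sensitive), remember the choice per site (persistent), and let the user edit or drop a stale association. The following is an added illustration of that combined selection logic, not code from this thread, from Apple or from Microsoft. Certificates are modelled as small records with constructed sample data (the DNs, serials, labels and the host `owa.example.mil` are invented), and the server's acceptable-issuer list stands in for what a real implementation would take from the TLS CertificateRequest message and a keychain or smart card.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Identity:
    """A client certificate plus key as a browser's chooser would present it."""
    label: str         # name shown to the user
    subject: str       # certificate subject DN
    issuer: str        # DN of the issuing CA
    not_after: date    # validity end
    client_auth: bool  # carries the clientAuth extended key usage
    serial: str        # what we persist; must be unique per certificate


def eligible(identities: List[Identity], acceptable_issuers: List[str],
             today: date) -> List[Identity]:
    """Context-sensitive filter (the Microsoft half): keep only identities the
    server could accept, i.e. signed by a CA it listed in its CertificateRequest,
    still valid, and marked for client authentication."""
    acceptable = set(acceptable_issuers)
    return [i for i in identities
            if i.client_auth and i.not_after >= today and i.issuer in acceptable]


def site_prefix(url: str) -> str:
    """Preference key: scheme and host, so one choice covers the whole site."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/"


class IdentityPreferences:
    """Persistent site-to-identity map (the Apple half), matched by URL prefix,
    with the edit and remove operations the post says are missing."""

    def __init__(self) -> None:
        self._prefs: Dict[str, str] = {}  # url prefix -> certificate serial

    def set(self, prefix: str, identity: Identity) -> None:
        self._prefs[prefix] = identity.serial  # also how an entry is edited

    def remove(self, prefix: str) -> None:
        self._prefs.pop(prefix, None)

    def entries(self) -> Dict[str, str]:
        return dict(self._prefs)  # what an "edit associations" UI would list

    def match(self, url: str) -> Optional[str]:
        """Stored prefix that best matches url; the longest one wins."""
        matches = [p for p in self._prefs if url.startswith(p)]
        return max(matches, key=len) if matches else None

    def serial_for(self, prefix: str) -> Optional[str]:
        return self._prefs.get(prefix)


def choose(url: str, identities: List[Identity], acceptable_issuers: List[str],
           prefs: IdentityPreferences, today: date,
           ask_user: Callable[[List[Identity]], Identity]
           ) -> Tuple[Optional[Identity], str]:
    """Honour a stored preference while it is still eligible; otherwise drop the
    stale entry, prompt with the eligible list, and remember the answer.
    Returns (identity, how) with how in {"preference", "prompt", "none"}."""
    candidates = eligible(identities, acceptable_issuers, today)
    by_serial = {c.serial: c for c in candidates}
    prefix = prefs.match(url)
    if prefix is not None:
        serial = prefs.serial_for(prefix)
        if serial in by_serial:
            return by_serial[serial], "preference"
        prefs.remove(prefix)  # replaced CAC, expired cert or a wrong earlier pick
    if not candidates:
        return None, "none"
    pick = candidates[0] if len(candidates) == 1 else ask_user(candidates)
    prefs.set(site_prefix(url), pick)
    return pick, "prompt"


# Constructed sample data: the DNs, serials and host are invented for this demo.
TODAY = date(2008, 9, 10)
DOD_CA = "CN=Example DoD Issuing CA,OU=PKI,O=Example Government"
CORP_CA = "CN=Example Corp Issuing CA,O=Example Corp"
CAC_IDENTITIES = [
    Identity("CAC Identity", "CN=DOE.JANE.0000000000", DOD_CA, date(2011, 1, 1), True, "1001"),
    Identity("CAC Email Signature", "CN=DOE.JANE.0000000000", DOD_CA, date(2011, 1, 1), True, "1002"),
    Identity("CAC Email Encryption", "CN=DOE.JANE.0000000000", DOD_CA, date(2011, 1, 1), False, "1003"),
    Identity("Old corporate cert", "CN=Jane Doe", CORP_CA, date(2007, 1, 1), True, "2001"),
]


def demo() -> List[Tuple[str, object]]:
    """First visit, a return visit, then a replaced CAC; returns the event log."""
    log: List[Tuple[str, object]] = []
    prefs = IdentityPreferences()
    url = "https://owa.example.mil/exchange/"
    server_cas = [DOD_CA]  # what the server's CertificateRequest would list

    def pick_first(cands: List[Identity]) -> Identity:
        log.append(("prompted", [c.label for c in cands]))
        return cands[0]

    ident, how = choose(url, CAC_IDENTITIES, server_cas, prefs, TODAY, pick_first)
    log.append((how, ident.label))  # prompted once, choice stored for the site
    ident, how = choose(url + "inbox", CAC_IDENTITIES, server_cas, prefs, TODAY, pick_first)
    log.append((how, ident.label))  # served from the preference, no prompt
    new_cac = [Identity(i.label, i.subject, i.issuer, date(2011, 9, 1), i.client_auth, "3" + i.serial)
               for i in CAC_IDENTITIES[:3]]  # same labels, new certificates
    ident, how = choose(url, new_cac, server_cas, prefs, TODAY, pick_first)
    log.append((how, ident.label))  # stale entry dropped, user prompted again
    return log


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The email-encryption certificate never appears in the chooser because it lacks clientAuth, and the expired corporate certificate is excluded both by date and because the server did not list its issuer; that is the context-sensitive half. The replaced-CAC step shows why a persisted association must be checked against what is currently eligible and dropped when it no longer matches, rather than failing silently with a 403-style error at the server.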
On 9/9/08 10:14 PM, "email@hidden"
<email@hidden> wrote:
> Send Fed-talk mailing list submissions to
> email@hidden
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.apple.com/mailman/listinfo/fed-talk
> or, via email, send a message with subject or body 'help' to
> email@hidden
>
> You can reach the person managing the list at
> email@hidden
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Fed-talk digest..."
>
>
> Today's Topics:
>
> 1. Re: NMCI OWA CAC Tiger change and fix (Carlos)
> 2. OT: Officially Addicted to the Iphone
> (Villano, Paul Mr CIV USA TRADOC)
> 3. RE: Re: Fed-talk Digest, Vol 5, Issue 243
> (Losasso, Jonathan E ITSR CCG, N63)
> 4. Bitmap issues (Angry Smurf)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 07 Sep 2008 13:16:45 -0400
> From: Carlos <email@hidden>
> Subject: [Fed-Talk] Re: NMCI OWA CAC Tiger change and fix
> To: <email@hidden>
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="US-ASCII"
>
> I only had to change the server I was using to login. No other problems
> here. However, I had removed all patches before the change in order to get
> NERP working.
>
> Carlos
>
> On 9/6/08 10:20 AM, "email@hidden"
> <email@hidden> wrote:
>
>> ------------------------------
>>
>> Date: Fri, 5 Sep 2008 14:40:20 -0700
>> From: "Dann, Geoff (NFESC)" <email@hidden>
>> Subject: [Fed-Talk] NMCI OWA CAC Tiger change and fix
>>
>> Last weekend, NMCI changed the way they check for CAC on OWA.
>> Up till then, NMCI OWA on Tiger with CAC just worked.
>> After some fumbling, I got it working again.
>>
>> Before the change, Keychain Access showed 3 certs for the CAC.
>>
>> - downloaded the "AFC Certificate Control" from Thursby. The URL was:
>> http://www.thursby.com/files/AFC/AFCCertificateControl.dmg
>>
>> - installed the patch, which installs an item in System Preferences,
>> - unchecked the box it provides, "Make Identity certificates available
>> to applications",
>> - reinserted CAC.
>> **No joy**.
>> - Checked Keychain Access. Only one cert showed.
>> - Brought up System Preferences again,
>> - checked the box.
>> - Reinserted CAC.
>> - Checked Keychain Access. Two certs showed now.
>> - Tried OWA, and it worked!
>>
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 08 Sep 2008 11:39:29 -0400
> From: "Villano, Paul Mr CIV USA TRADOC" <email@hidden>
> Subject: [Fed-Talk] OT: Officially Addicted to the Iphone
> To: email@hidden
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset=us-ascii
>
> Forgive me for this off-topic post, but I thought those of you using Iphones
> should be warned of their addictive quality. I have two phones. My Iphone
> and a Rzr which I use as a second alarm by my bed. (No land lines.) I set
> them both to get me up earlier than usual this morning and found myself
> repeatedly pressing the screen on the Rzr to shut the alarm and wondering why
> the lousy thing wasn't shutting off, worrying it was broken...ahem...Rzrs
> don't have touch screens. Iphones do. When I was fully awake I pushed the
> button on the Rzr and was okay, though embarrassed. :)
>
> ----- Original Message -----
> From: Matthew Smith <email@hidden>
> Date: Saturday, September 6, 2008 10:19
> Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 243
> To: email@hidden
>
>> Walter,
>>
>> Shawn posted a fix for this until 10.5.5 comes out, which is supposed to
>> address all the problems as I understand. Of course, I also believe that
>> this version only works on Intel macs. I cut and pasted below. I know at
>> least one person in my squadron used this with success.
>>
>> Matthew
>>
>> -----
>> UPDATE
>> The "Smart Card Services Update" installer noted in the original message
>> has been updated to v1.1.
>>
>> Background on a Fix:
>> The "Smart Card Services Update v1.0" installer contained all of the
>> appropriate components, however, for some customers, the installer failed
>> to effectively replace the two tokend modules (CAC.tokend and PIV.tokend).
>> The failure to replace those two modules resulted in several folks unable
>> to access / still access their US Federal Smart Cards.
>>
>> Delivery Vehicle:
>> After extensive testing with several Federal Mac OS X 10.5.4 Users
>> affected, I am happy to announce that there is an updated installer on my
>> iDisk:
>>
>> http://idisk.mac.com/geddis//Public/SmartCards/Installers/Smart_Card_Services_Update_v1.1.zip
>>
>> These component updates are also integrated into the Mac OS X 10.5.5
>> Software Update (beta build right now) for those authorized with access
>> and able to test.
>> -----
>>
>> On Sep 6, 2008, at 12:26 AM, Walter Adams wrote:
>>
>>> Shawn,
>>>
>>> Is there any chance that we can get a list / matrix of the CAC cards and
>>> readers that have been tested with 10.5.4 and proven to work?
>>>
>>> We have been reduced to running Active Card 2.2 on Xp within Parallels to
>>> access CAC card PKI enabled systems.
>>>
>>> We need to get off of this dead point and implement CAC cards on our Macs.
>>>
>>> Thanks,
>>>
>>> Walter
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>> talk/email@hidden
>> This email sent to email@hidden
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 8 Sep 2008 10:34:48 -0700
> From: "Losasso, Jonathan E ITSR CCG, N63" <email@hidden>
> Subject: RE: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 243
> To: <email@hidden>
> Message-ID:
> <email@hidden>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Has anyone actually been able to log into any Navy website that uses
> CAC to login with Safari or Firefox using this fix? I have applied the
> v1.1 smartcard services update to a fresh Leopard install with recent
> updates applied. Under keychains I am seeing my three certificates using
> a SCM Micro SCR3310 card reader. All seems good up until I try to access
> OWA through either browser, I am getting a client certificate error,
> just the standard 403.7 forbidden. It doesn't seem like they are seeing
> the certificates in keychains. Am I missing a step here with loading the
> certificates into safari?
>
> Any help is appreciated, thank you
>
> -----Original Message-----
> From: fed-talk-bounces+jonathan.losasso=email@hidden
> [mailto:fed-talk-bounces+jonathan.losasso=email@hidden] On
> Behalf Of Matthew Smith
> Sent: Saturday, September 06, 2008 7:19
> To: email@hidden
> Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 243
>
> Walter,
>
> Shawn posted a fix for this until 10.5.5 comes out, which is supposed to
> address all the problems as I understand. Of course, I also believe
> that this version only works on Intel macs. I cut and pasted below. I
> know at least one person in my squadron used this with success.
>
> Matthew
>
> -----
> UPDATE
> The "Smart Card Services Update" installer noted in the original message
> has been updated to v1.1.
>
> Background on a Fix:
> The "Smart Card Services Update v1.0" installer contained all of the
> appropriate components, however, for some customers, the installer
> failed to effectively replace the two tokend modules (CAC.tokend and
> PIV.tokend). The failure to replace those two modules resulted in
> several folks unable to access / still access their US Federal Smart
> Cards.
>
>
> Delivery Vehicle:
> After extensive testing with several Federal Mac OS X 10.5.4 Users
> affected, I am happy to announce that there is an updated installer on
> my iDisk:
>
> http://idisk.mac.com/geddis//Public/SmartCards/Installers/Smart_Card_Services_Update_v1.1.zip
>
> These component updates are also integrated into the Mac OS X 10.5.5
> Software Update (beta build right now) for those authorized with access
> and able to test.
> -----
>
> On Sep 6, 2008, at 12:26 AM, Walter Adams wrote:
>
>
> Shawn,
>
> Is there any chance that we can get a list / matrix of the CAC
> cards and
> readers that have been tested with 10.5.4 and proven to work?
>
> We have been reduced to running Active Card 2.2 on Xp within
> Parallels to
> access CAC card PKI enabled systems.
>
> We need to get off of this dead point and implement CAC cards on
> our Macs.
>
> Thanks,
>
> Walter
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 9 Sep 2008 21:13:27 -0500
> From: "Angry Smurf" <email@hidden>
> Subject: [Fed-Talk] Bitmap issues
> To: email@hidden
> Message-ID:
> <email@hidden>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Gents and Ladies,
> I'm having some speed issues on my Mac, so I recently picked up a copy
> of Drive Genius 2 and it is NOT helping. No matter what action I take I get
> this message: "Volume bitmap shows block 8495919 to be free but the catalog
> shows it to be used. (1637652, 8495919, 4963)." I don't know how to fix
> this, but I do not have the time to make an appointment and lose my computer
> for several days. I cannot successfully verify, repair, or copy my
> harddrive, and it is killing my operational tempo with work. Any
> takers?....Thanks in advance for help...Keith
>
> On Fri, Sep 5, 2008 at 10:07 AM, <email@hidden> wrote:
>
>> Send Fed-talk mailing list submissions to
>> email@hidden
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> http://lists.apple.com/mailman/listinfo/fed-talk
>> or, via email, send a message with subject or body 'help' to
>> email@hidden
>>
>> You can reach the person managing the list at
>> email@hidden
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Fed-talk digest..."
>>
>>
>> Today's Topics:
>>
>> 1. Re: Defense Acquisition University now on iTunes (Dave Schroeder)
>> 2. Re: "Bad" Active Directory records as far as Mac OS X is
>> concerned..? (Simon, Gary)
>> 3. Re: Fed-talk Digest, Vol 5, Issue 242 (Daniel Hoit)
>> 4. Re: Re: Fed-talk Digest, Vol 5, Issue 242 (Simon, Gary)
>> 5. Re: Re: Fed-talk Digest, Vol 5, Issue 242 (Daniel Hoit)
>> 6. Re: Re: Fed-talk Digest, Vol 5, Issue 242 (Simon, Gary)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 04 Sep 2008 14:10:15 -0500
>> From: Dave Schroeder <email@hidden>
>> Subject: Re: [Fed-Talk] Defense Acquisition University now on iTunes
>> To: Stephen Bates <email@hidden>
>> Cc: Functional Area 53 Mailing List <email@hidden>,
>> "email@hidden Talk" <email@hidden>
>> Message-ID: <email@hidden>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> On Sep 4, 2008, at 12:50 PM, Stephen Bates wrote:
>>
>>> Should launch iTunes and take you to the new iTunes U site for
>>> Defense Acquisition University
>>>
>>> http://deimos.apple.com/WebObjects/Core.woa/Browse/dau.mil
>>>
>>> Could it be that DoD is finally getting how to harness Web 2.0
>>> technologies?
>>
>> I don't know, but the Intelligence Community has been harnessing Web
>> 2.0 technologies for a while now, and making them available to many
>> components across the US government.
>>
>> See Intelink:
>>
>> NIPRNet/DNI-U: http://www.intelink.gov
>> SIPRNet: http://www.intelink.sgov.gov
>> JWICS: http://www.intelink.ic.gov
>>
>> Wiki, blogs, RSS, tagging, instant messaging, video/picture/document
>> sharing, iPhone-compatible email, and more, available on three
>> security domains, and available for use by anyone in defense,
>> intelligence, law enforcement, homeland security, or diplomatic areas.
>>
>> You can even access the unclassified network and tools from home or
>> other remote sites using Intelink Remote Access: http://ra.intelink.gov
>>
>> All of these tools are fully Mac/Safari-compatible, available now, and
>> centrally supported by the DNI's Intelligence Community Enterprise
>> Services (ICES).
>>
>> This is a really good briefing on the Web 2.0 and social software
>> movement within the Intelligence Community:
>>
>> http://www.fcw.com/specials/intellipedia/
>>
>> For those in the DC area and interested in moving these tools forward,
>> a reminder that the 2008 WIRe and ICES Conference is scheduled for
>> 8-10 September at the Johns Hopkins University Applied Physics
>> Laboratory (APL) in Laurel, MD, hosted by CIA's World Intelligence
>> Review (WIRe) and the DNI's Intelligence Community Enterprise Services
>> (ICES). The theme of this conference is:
>>
>> How does a member of the IC successfully perform his or her job in an
>> enterprise information environment that is ever-growing in volume and
>> complexity?
>>
>> An expanding community of users, newly-exposed Web services, user-
>> generated content, multimedia sharing, the broader reach of cross-
>> domain solutions, and attribute-based access controlled systems are
>> making the task of discovering, connecting, and vetting information
>> evermore challenging yet crucial to our success.
>>
>> Conference registration is free, and some space is still available.
>> This event will have many interesting speakers, panels, and topics,
>> and direct interaction with peers involved in emerging information
>> technologies from across the IC. The entire conference will be held at
>> the UNCLASSIFIED level. Those already attending the DNI Open Source
>> Conference on 11-12 September may be interested in including this
>> event as well.
>>
>> For more information, and a conference agenda, see:
>>
>> http://www.intelink.gov/wiki/WIRe_and_ICES_Conference
>>
>> To register, visit:
>>
>> http://www.intelink.gov/wiki/WIRe_and_ICES_Conference_Registration
>>
>> Anyone interested in attending, feel free to contact me for info.
>> There will be a lot of users of Apple technologies here as well...
>>
>> - Dave
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 4 Sep 2008 16:15:14 -0600
>> From: "Simon, Gary" <email@hidden>
>> Subject: Re: [Fed-Talk] "Bad" Active Directory records as far as Mac
>> OS X is concerned..?
>> To: "Simon, Gary" <email@hidden>, fed-talk
>> <email@hidden>
>> Message-ID: <C4E5BA12.39B6%email@hidden>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Here is what I have tried so far:
>>
>>
>> * I have upgraded a computer to the latest 10.5.5 apple seed. I still
>> get the dscl error when trying to read the "broken" accounts. I am waiting
>> to get one of the "broken" users to try to actually login with the new seed.
>> * I unbound from Active Directory. Unchecked the box to map the User
>> UID. Rebound to AD. - Still got the dscl error on those particular
>> accounts.
>>
>> Gary
>>
>>
>> On 9/4/08 12:58 PM, "Gary Simon" <email@hidden> wrote:
>>
>> I have submitted this as a bug to Apple, but I am curious to see if anyone
>> else has seen this problem:
>>
>>
>> -----------------------------------------------------------------------------
>> --------------------------------------------------------
>> We are seeing an increasing amount of our Active Directory users that are
>> being locked out from logging into Mac OS X after their initial login. They
>> are able to log in once, but after that they are no longer able to log in with
>> their Active Directory credentials. If you look at their account after a
>> failed login attempt in the Accounts preference panel (advanced options) you
>> see that the User UID is now set to -2 (nobody user).
>>
>> We are using mobile accounts on all of our Mac OS X computers.
>>
>> These same users are able to log into a Windows XP computer in the same
>> Active Directory domain with their same credentials, but cannot log into any
>> Mac OS X system in the domain.
>>
>> If you try to read the record using the dscl read command you get the
>> following error message:
>>
>> <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
>>
>> You can see that the record exists by doing a dscl ls command on the users
>> directory, but cannot read the actual record.
>>
>> The user cannot log in even if the computer has been disconnected from the
>> network as the cached record seems to be broken.
>>
>> Comparing a "broken" user record to a "working" user record did not seem to
>> shed any light on the problem.
>>
>>
>> -----------------------------------------------------------------------------
>> --------------------------------------------------------
>>
>> Gary
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Thu, 4 Sep 2008 16:10:08 -0700
>> From: Daniel Hoit <email@hidden>
>> Subject: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 242
>> To: email@hidden
>> Message-ID: <email@hidden>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Are you mapping the UID to a static attribute in Directory Access/
>> Directory Utility?
>>
>> --DH
>>
>> On Sep 4, 2008, at 11:59 AM, email@hidden wrote:
>>
>>> I have submitted this as a bug to Apple, but I am curious to see if
>>> anyone else has seen this problem:
>>>
>>> ----------------------------------------------------------------------
>>> ---------------------------------------------------------------
>>> We are seeing an increasing amount of our Active Directory users
>>> that are being locked out from logging into Mac OS X after their
>>> initial login. They are able to log in once, but after that they are
>>> no longer able to login with their Active Directory credentials.
>>> If you look at their account after a failed login attempt in the
>>> Accounts preference panel (advanced options) you see that the User
>>> UID is now set to -2 (nobody user).
>>>
>>> We are using mobile accounts on all of our Mac OS X computers.
>>>
>>> These same users are able to log into a Windows XP computer in the
>>> same Active Directory domain with their same credentials, but
>>> cannot log into any Mac OS X system in the domain.
>>>
>>> If you try to read the record using the dscl read command you get
>>> the following error message:
>>>
>>> <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
>>>
>>> You can see that the record exists by doing a dscl ls command on
>>> the users directory, but cannot read the actual record.
>>>
>>> The user cannot log in even if the computer has been disconnected
>>> from the network as the cached record seems to be broken.
>>>
>>> Comparing a "broken" user record to a "working" user record did not
>>> seem to shed any light on the problem.
>>>
>>> ----------------------------------------------------------------------
>>> ---------------------------------------------------------------
>>>
>>> Gary
>>
>> Daniel Hoit
>> System Management Solutions Group
>> Lawrence Livermore National Laboratory
>> Email: email@hidden
>> Phone: 925.424.5256
>> Pager: 877.402.6321
>>
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Thu, 4 Sep 2008 17:19:04 -0600
>> From: "Simon, Gary" <email@hidden>
>> Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 242
>> To: "Daniel Hoit" <email@hidden>, fed-talk
>> <email@hidden>
>> Message-ID: <C4E5C908.39BE%email@hidden>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> I'm mapping the UID to a field that was added to our Active Directory
>> schema, which is our unix user id field. I guess you could call that
>> static?
>>
>>
>> On 9/4/08 5:10 PM, "Daniel Hoit" <email@hidden> wrote:
>>
>> Are you mapping the UID to a static attribute in Directory Access/Directory
>> Utility?
>>
>> --DH
>>
>> On Sep 4, 2008, at 11:59 AM, email@hidden wrote:
>>
>> I have submitted this as a bug to Apple, but I am curious to see if anyone
>> else has seen this problem:
>>
>>
>> -----------------------------------------------------------------------------
>> --------------------------------------------------------
>> We are seeing an increasing amount of our Active Directory users that are
>> being locked out from logging into Mac OS X after their initial login. They
>> are able to log in once, but after that they are no longer able to log in with
>> their Active Directory credentials. If you look at their account after a
>> failed login attempt in the Accounts preference panel (advanced options) you
>> see that the User UID is now set to -2 (nobody user).
>>
>> We are using mobile accounts on all of our Mac OS X computers.
>>
>> These same users are able to log into a Windows XP computer in the same
>> Active Directory domain with their same credentials, but cannot log into any
>> Mac OS X system in the domain.
>>
>> If you try to read the record using the dscl read command you get the
>> following error message:
>>
>> <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
>>
>> You can see that the record exists by doing a dscl ls command on the users
>> directory, but cannot read the actual record.
>>
>> The user cannot log in even if the computer has been disconnected from the
>> network as the cached record seems to be broken.
>>
>> Comparing a "broken" user record to a "working" user record did not seem to
>> shed any light on the problem.
>>
>>
>> -----------------------------------------------------------------------------
>> --------------------------------------------------------
>>
>> Gary
>>
>>
>> Daniel Hoit
>> System Management Solutions Group
>> Lawrence Livermore National Laboratory
>> Email: email@hidden <mailto:email@hidden>
>> Phone: 925.424.5256
>> Pager: 877.402.6321
>>
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Thu, 4 Sep 2008 16:26:33 -0700
>> From: Daniel Hoit <email@hidden>
>> Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 242
>> To: "Simon, Gary" <email@hidden>
>> Cc: fed-talk <email@hidden>
>> Message-ID: <email@hidden>
>> Content-Type: text/plain; charset="windows-1252"
>>
>> Yes, that's a static map. Normally, the AD plugin auto-generates the
>> UID based on some of the AD attributes.
>> For your users who are finding a -2 value, is there any chance they
>> are getting bad data from the directory?
>> Is the value correctly mapped? If you look at their user record using
>> ADSI Edit or even workgroup manager, can you tell if that field is
>> being correctly populated?
>> My guess is something is wrong with the attribute, or the mapping and
>> you could uncheck the box to map the UID, and your users could login
>> fine (assuming their cached credentials are cleared).
>>
>> --DH
>>
>> On Sep 4, 2008, at 4:19 PM, Simon, Gary wrote:
>>
>>> I'm mapping the UID to a field that was added to our Active
>>> Directory schema, which is our unix user id field. I guess you
>>> could call that static?
>>>
>>>
>>> On 9/4/08 5:10 PM, "Daniel Hoit" <email@hidden> wrote:
>>>
>>> Are you mapping the UID to a static attribute in Directory Access/
>>> Directory Utility?
>>>
>>> --DH
>>>
>>> On Sep 4, 2008, at 11:59 AM, email@hidden wrote:
>>>
>>> I have submitted this as a bug to Apple, but I am curious to see if
>>> anyone else has seen this problem:
>>>
>>> ----------------------------------------------------------------------
>>> ---------------------------------------------------------------
>>> We are seeing an increasing amount of our Active Directory users
>>> that are being locked out from logging into Mac OS X after their
>>> initial login. They are able to log in once, but after that they are
>>> no longer able to login with their Active Directory credentials.
>>> If you look at their account after a failed login attempt in the
>>> Accounts preference panel (advanced options) you see that the User
>>> UID is now set to -2 (nobody user).
>>>
>>> We are using mobile accounts on all of our Mac OS X computers.
>>>
>>> These same users are able to log into a Windows XP computer in the
>>> same Active Directory domain with their same credentials, but
>>> cannot log into any Mac OS X system in the domain.
>>>
>>> If you try to read the record using the dscl read command you get
>>> the following error message:
>>>
>>> <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
>>>
>>> You can see that the record exists by doing a dscl ls command on
>>> the users directory, but cannot read the actual record.
>>>
>>> The user cannot log in even if the computer has been disconnected
>>> from the network as the cached record seems to be broken.
>>>
>>> Comparing a "broken" user record to a "working" user record did not
>>> seem to shed any light on the problem.
>>>
>>> ----------------------------------------------------------------------
>>> ---------------------------------------------------------------
>>>
>>> Gary
>>>
>>>
>>> Daniel Hoit
>>> System Management Solutions Group
>>> Lawrence Livermore National Laboratory
>>> Email: email@hidden <mailto:email@hidden>
>>> Phone: 925.424.5256
>>> Pager: 877.402.6321
>>>
>>>
>>>
>>>
>>
>> Daniel Hoit
>> System Management Solutions Group
>> Lawrence Livermore National Laboratory
>> Email: email@hidden
>> Phone: 925.424.5256
>> Pager: 877.402.6321
>>
>>
>>
>> ------------------------------
>>
>> Message: 6
>> Date: Fri, 5 Sep 2008 09:06:16 -0600
>> From: "Simon, Gary" <email@hidden>
>> Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 242
>> To: "Daniel Hoit" <email@hidden>
>> Cc: fed-talk <email@hidden>
>> Message-ID:
>> <C4E6A708.39D8%email@hidden>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> The interesting thing is, that in Workgroup Manager, the user's UID shows
>> up fine in the Basic tab, but nothing at all shows up in the Inspector tab.
>> I'm working on getting ADSI Edit installed on my VMware XP machine so I can
>> directly view the AD account from a PC's perspective....
>>
>> Gary
>>
>>
>> On 9/4/08 5:26 PM, "Daniel Hoit" <email@hidden> wrote:
>>
>> Yes, that's a static map. Normally, the AD plugin auto-generates the UID
>> based on some of the AD attributes.
>> For your users who are finding a -2 value, is there any chance they are
>> getting bad data from the directory?
>> Is the value correctly mapped? If you look at their user record using ADSI
>> Edit or even workgroup manager, can you tell if that field is being
>> correctly populated?
>> My guess is something is wrong with the attribute, or the mapping and you
>> could uncheck the box to map the UID, and your users could login fine
>> (assuming their cached credentials are cleared).
>>
>> --DH
>>
>> On Sep 4, 2008, at 4:19 PM, Simon, Gary wrote:
>>
>> I'm mapping the UID to a field that was added to our Active Directory
>> schema, which is our unix user id field. I guess you could call that
>> static?
>>
>>
>> On 9/4/08 5:10 PM, "Daniel Hoit" <email@hidden> wrote:
>>
>>
>> Are you mapping the UID to a static attribute in Directory Access/Directory
>> Utility?
>>
>> --DH
>>
>> On Sep 4, 2008, at 11:59 AM, email@hidden wrote:
>>
>>
>> I have submitted this as a bug to Apple, but I am curious to see if anyone
>> else has seen this problem:
>>
>>
>>
>> -----------------------------------------------------------------------------
>> --------------------------------------------------------
>> We are seeing an increasing number of our Active Directory users that are
>> being locked out from logging into Mac OS X after their initial login. They
>> are able to log in once, but after that they are no longer able to log in with
>> their Active Directory credentials. If you look at their account after a
>> failed login attempt in the Accounts preference panel (advanced options) you
>> see that the User UID is now set to -2 (nobody user).
>>
>> We are using mobile accounts on all of our Mac OS X computers.
>>
>> These same users are able to log into a Windows XP computer in the same
>> Active Directory domain with their same credentials, but cannot log into any
>> Mac OS X system in the domain.
>>
>> If you try to read the record using the dscl read command you get the
>> following error message:
>>
>> <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
>>
>> You can see that the record exists by doing a dscl ls command on the users
>> directory, but cannot read the actual record.
>>
>> The user cannot log in even if the computer has been disconnected from the
>> network as the cached record seems to be broken.
>>
>> Comparing a "broken" user record to a "working" user record did not seem
>> to shed any light on the problem.
>>
>>
>>
>> -----------------------------------------------------------------------------
>> --------------------------------------------------------
>>
>> Gary
>>
>>
>>
>> Daniel Hoit
>> System Management Solutions Group
>> Lawrence Livermore National Laboratory
>> Email: email@hidden <mailto:email@hidden>
>> Phone: 925.424.5256
>> Pager: 877.402.6321
>>
>>
>>
>>
>>
>>
>> ------------------------------
>>
>> _______________________________________________
>> Fed-talk mailing list
>> email@hidden
>> http://lists.apple.com/mailman/listinfo/fed-talk
>>
>> End of Fed-talk Digest, Vol 5, Issue 243
>> ****************************************
>>
>
> ------------------------------
>
> _______________________________________________
> Fed-talk mailing list
> email@hidden
> http://lists.apple.com/mailman/listinfo/fed-talk
>
> End of Fed-talk Digest, Vol 5, Issue 245
> ****************************************
--
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
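The symptom discussed in the quoted thread (a mobile Active Directory account whose cached record now carries a UniqueID of -2, or that lists under dscl ls but fails dscl read with eDSRecordNotFound) can be audited across a Mac's local account records with the script below. This is an added example, not code from the thread or from Apple; it assumes the local node is queried with `dscl .` and that a failed read is recognised by dscl's non-zero exit status.

```shell
#!/bin/sh
# Added example: audit local (cached/mobile) user records for the failure
# pattern described in the thread. Not from the original thread.

# classify_record NAME UID_VALUE READ_STATUS
# UID_VALUE  : UniqueID string from dscl ("" if absent)
# READ_STATUS: exit status of "dscl . -read /Users/NAME UniqueID"
# Prints OK, NOBODY_UID, UNREADABLE or NO_UID; exit status mirrors the verdict.
classify_record() {
  uid=$2; status=${3:-0}
  if [ "$status" -ne 0 ]; then
    echo "UNREADABLE"; return 2     # record lists but cannot be read
  fi
  case "$uid" in
    -2) echo "NOBODY_UID"; return 1 ;;   # the -2 "nobody" symptom
    '') echo "NO_UID"; return 3 ;;
    *)  echo "OK"; return 0 ;;
  esac
}

# read_uid NAME: print NAME's UniqueID from the local node.
# "dscl . -read /Users/NAME UniqueID" prints a line such as "UniqueID: 501".
read_uid() {
  out=$(dscl . -read "/Users/$1" UniqueID 2>&1); st=$?
  printf '%s\n' "$out" | sed -n 's/^UniqueID: *//p'
  return $st
}

# audit_users: one tab-separated line per non-service account: name, uid, verdict.
audit_users() {
  dscl . -list /Users | grep -v '^_' | while read -r u; do
    uid=$(read_uid "$u"); st=$?
    printf '%s\t%s\t%s\n' "$u" "${uid:--}" "$(classify_record "$u" "$uid" "$st")"
  done
}

# Only run the live audit where dscl exists (macOS); the classifier itself
# can be exercised anywhere with constructed values.
if command -v dscl >/dev/null 2>&1; then
  audit_users
fi
```

Any NOBODY_UID or UNREADABLE line is a candidate for the cached-record problem described above and is worth comparing against the directory-side record before the user is locked out again.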