Forum Replies Created

Viewing 15 posts - 76 through 90 (of 581 total)
  • in reply to: Keychain password and LDAP password sync’ing #358255
    Anonymous
    Participant

    No. These were added from scratch.

    I called Apple on this and reported it as a bug. I have not heard back yet, but Level 1 thought this was expected behavior. When pressed, Level 1 could not explain how it was a security issue to NOT change passwords when the rest of the world seems to think changing passwords is a good thing.

    in reply to: Network Home Folders without OSX Server? #358252
    Anonymous
    Participant

    MacTroll wrote:

        yes you can use the Windows home, from the windows server, as your OSX home.

        man dsconfigad

        for more info.

    Any chance you can explain? The man pages are a little over my head.

    Also, any chance this can be done via the GUI?

    in reply to: Keychain password and LDAP password sync’ing #358249
    Anonymous
    Participant

    Did you use anything to import the user into workgroup manager?

    in reply to: Client on 10.3.3 Server on 10.2.8 #358248
    Anonymous
    Participant

    If you aren't using any of the security features of Workgroup Manager it's not going to be a big deal, but if you are, they will not work with the security. Panther uses a different version of LDAP and NetInfo.

    in reply to: Routing problem? #358243
    Anonymous
    Participant

    Hi,

    I think I figured out where the problem is… It seems to be a ‘feature’ of VaporSec that I do not quite understand.

    Description:

    On my PB4 I have two VPNs defined – one to the WORK network and one to the HOME network. The HOME one is not enabled by default but VPN to WORK one is. At present I am connected to the HOME network (behind the HOME firewall) which already has a VPN to WORK (by way of OpenBSD to OpenBSD connection).

    In this state, I just need to start up VaporSec (enter the password for sudo access) and then immediately after that close it (without ever pressing the Vaporise button), and the SPD entries for the _enabled_ VPN get created?! I can see them using the “setkey -PD” command!!

    In this case I can no longer ping/connect the WORK network.

    I need to manually flush the SPD database (after VaporSec has been closed) by means of a “setkey -FP” command and then the normal routing is restored.

    Is this expected behaviour?
    Many thanks in advance.

    –Nino

    in reply to: Routing problem? #358242
    Anonymous
    Participant

    Thanks for your response.

    No, I did *not* setup a local IP for VaporSec – I have only entered the

    Remote IPsec device = a.b.c.d
    Remote Network = e.f.g.1/24
    Local Netmask (32), and
    Shared Secret

    entries in the VaporSec setup. However, I would like to see the routing before and after VaporSec runs… Is there a way to do that?

    The only reason I mentioned netstat is that I am used to using IPsec on OpenBSD and there I can see the encapsulated routes by using “netstat -rnf encap” command.

    –Nino

    Anonymous
    Participant

    Hi,

    I’ve set this up. When I received that error it was because kerberos was working but the server didn’t recognise the user associated with the ticket or I hadn’t shared anything for that user on the server. Try creating a test user on the server and sharing an empty folder with them as the owner.

    Paul Cowan.

    in reply to: NAT setup problems #358220
    Anonymous
    Participant

    NAT does, in fact, require the firewall to be running. When natd starts up, it creates a firewall rule that redirects traffic to itself so it can process it. That’s the only way natd can intercept all of your network traffic.

    You need to do two things, I think. First, simply turn the firewall on. If you don’t actually want firewall functionality, just create an “allow everything” rule and disable all other rules: allow any traffic from any source address on any port to the 192.168-net address group. That essentially makes the firewall invisible. Not the best security idea, but useful for getting things working.

    The second thing you need to do is turn on IP forwarding. This is off by default, and I believe it’s necessary for what you’re trying to do. There’s a way to do this without rebooting, but the rebooting way is easier: edit /etc/hostconfig and change the line “IPFORWARDING=-NO-” to “IPFORWARDING=-YES-”, then reboot. (It’s possible this is not necessary. I do it out of habit, frankly. If you like, you can try just doing the firewall thing and skipping this step and reporting whether it works or not.)

    I just set up NAT on a Mac OS X Server this weekend, so all of this stuff is fresh in my mind. I hope this was helpful.

    in reply to: proftpd, not working with inetd and mysql #358197
    Anonymous
    Participant

    It’s making me crazy. I’m having the same problem; proftpd appears to be running, I can access the machine, but I cannot login with my mysql users, using both plaintext and backend authentication (different users, obviously…) I’ve tried using it in inetd and standalone versions, and no luck.

    I’m using 10.2.8 Server, the mysql that shipped with it, and the latest Proftpd and SQL plugin. (1.2.9 and 4.08, I think).

    Anyone have any tips? What else do you need to know before you do?

    Also, I cannot for the life of me find any logging for either proftpd or the sql plugin. The manuals are not particularly useful in this respect.

    Thanks!
    Ken

    in reply to: LDAP and KDC disaster recovery #358195
    Anonymous
    Participant

    After much gnashing of teeth and cleanup, I was finally able to recreate the KDC using the ‘First Look’ article. Now, how do I force a refresh of the KDC from the ldap server? TIA.

    in reply to: Command line Administration limits?? #358191
    Anonymous
    Participant

    Quoting: “No real administrator of systems capable of handling thousands of users will ever care about the GUI tools.”

    I’d avoid the generalizations if I were you. 16,000+ users here. We do hourly imports of 14,000 of them. I use both the GUI tools and the command-line tools–just for different purposes. I wouldn’t want to lose either of them.

    All of the attributes you mentioned can be modified either using OpenLDAP tools (ldapadd/ldapdelete/ldapmodify) or dscl. The disk quota, for example, is HomeDirectoryQuota; just create an LDIF file with the appropriate action for the user’s dn.

    E.g.: if the file deletequotas.ldif has this entry:

        dn: uid=joeuser,dc=mydomain,dc=com
        changetype: modify
        delete: HomeDirectoryQuota
    

    Then you just run the command

        ldapmodify -f deletequotas.ldif
    

    and the quota attribute will be deleted. Set the delete line to “replace: HomeDirectoryQuota” to reset it. To add a user record, use ldapadd; to delete one, use ldapdelete. All pretty straightforward; consult the man pages for more information and examples. As for deleting a user’s home directory, you can just parse the attributes for the user as returned by ldapsearch, and use “rm -R” on the directory.

    The one thing the OpenLDAP commands can’t do is to set an Open Directory (i.e., non-crypt) password, since they aren’t stored in the directory itself. For that, you’d need to use dscl, which is not too hard, either:

        dscl -u root -p /LDAPv3/127.0.0.1 -passwd /Users/joeuser <newpassword>
    

    David Walton
    Lane Community College

    in reply to: SonicWall TZ-170 (2.2.0.0) <–> Mac OS X (10.3.4) #358187
    Anonymous
    Participant

    Joel —

    More info on the network opposite the SonicWall TZ-170:
    Router/Firewall is a NetLINE Wireless Broadband Gateway model 8581, originally sold by Farallon, now owned by Proxim (www.proxim.com)

    The latest firmware upgrade for this device adds IPSec support. (It seems your guess about not allowing IPSec pass through was perfectly correct.)

    I’ll have the remote worker do the firmware upgrade and we’ll try again. By the way, will we need to open/allow him to receive IKE traffic? Someone at SonicWall said that their devices use TCP port 50 and UDP port 500 for this. Can you confirm what you understand is necessary?

    in reply to: SonicWall TZ-170 (2.2.0.0) <–> Mac OS X (10.3.4) #358183
    Anonymous
    Participant

    Joel —

    Still looking into the remote network/router setup….

    By the way, there are two public links for VaporSec right now:
    https://www.afp548.com/etc/VaporSec.zip
    which gives only the application

    and

    https://www.afp548.com/Software/VaporSec/index.html
    application as .dmg with help file

    Either way, the item downloaded shows a version number of 1.0 (v100) and has access to my older settings.
    Are they the same?
    Is this the latest version?
    Is seeing the old settings expected?

    in reply to: Using Kerberos with OSXS services #358182
    Anonymous
    Participant

    OK, I’m getting closer – I’ve got SSH to work now. I still don’t have the keytab set up and the official “Apple” services are still dead, but at least this is progress. To get SSH working with a corporate KDC, you need to use PAM:

    – edit edu.mit.Kerberos to point at the correct KDC
    – compile and install a PAM Kerberos module…the one I used is at http://www.math.gatech.edu/~villegas/pam_krb5/
    – configure SSH PAM authentication in /etc/pam.d/ssh by adding the line:
    auth sufficient pam_krb5.so
    – configure SSH in /etc/sshd_config by removing the comments from the 3 Kerberos entries and changing “no” to “yes”

    This will allow SSH connections, although for some reason my home directories are not being picked up in the shell’s environment, so you get an error at login when it tries to cd to the home directory. There is a note in the docs about SSH home dirs with LDAP not working – anyone have ideas on how to work around this?

    I am still trying to solve the service principal/keytab issues for AFP and other Apple services, but next up is getting Samba to work. This should be fairly simple as Samba can be compiled to support Kerb and PAM, although I may have to go back to v2 as there are many problems with v3. Again, if anyone has experience with this, I’d love to hear about it.

    in reply to: Two users getting procmail output error #358176
    Anonymous
    Participant

    I found a method for reconstructing the db on the Apple Discussions forum. This seems to have cured the problem with the user getting the (75) error but not the one getting the (65) error. One down and one to go.
