Saturday, 28 July 2012

Recovering a locked down system with broken mobile user

Yesterday I set up a brand new 13'' MacBook Air (MBA). Nice, but I prefer the MacBook Pro with Retina Display for the same money.
As usual I created a local admin account so I can get into the system if anything goes wrong. The user's account was a mobile user, for obvious reasons. Both users were enabled for FileVault 2, i.e. both could unlock the disk.

I gave the system to the user for data migration, task done.

Today I got it back with the trademark words "It Just Broke, I Did Nothing". First thing I noticed when I switched it on: no local admin account, and guest access was activated. Huh?

Logging in with the user's password unlocked the disk and started the system, but dumped me at the normal login screen, where only the guest user was visible plus the "more..." button for other (normally network) accounts.

Trying to sign in via the "more..." button yielded nothing, so off to the Recovery partition.

First bump: FileVault 2 encrypts the whole disk, so how do I start Recovery?
Quick Google: holding cmd-R at startup works, even though the Recovery partition is not listed in the alt (Option) boot menu.
I could still unlock the FileVault 2 volume with the user's old password.

I tried to reset the user's password with resetpassword (see the blog post from February), but it did not work. Well duh, it's a mobile user, of course that does not work. The local admin stayed gone.

Well then, off to single user mode! (cmd-S at startup)
First, I ran a file system check and repair:

> /sbin/fsck -fy

A look into the /Users directory confirmed that the local admin account had been deleted. Well, someone did something...

OK, the user account was somehow borked, the local admin was gone... what to do?

Easy:

(in single user mode) 

> mount -uw /
> rm /var/db/.AppleSetupDone
> reboot

After the reboot, the fresh Setup Assistant greets you, wants to register your device, shows you how natural scrolling works and creates a user with admin rights!

I took a gamble and gave it the same name and credentials as the deleted local admin account, and it worked like a charm.
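As an added example (not from the original post), here is the same recovery as a small POSIX shell script, together with two pre-flight checks I would run before handing a FileVault machine over: that the local admin's home directory still exists under /Users, and how many of the intended accounts are actually FileVault-enabled. The assumptions are mine: every function takes an optional root prefix (empty means the real root) so it can be dry-run against a scratch directory or a mounted copy of the volume; the marker file is renamed rather than deleted so the step is reversible from the same single-user shell; and the FileVault user list is read from a file in the one-`user,UUID`-per-line shape that `fdesetup list` prints (a constructed sample stands in for the real command, which only runs on a FileVault-enabled Mac).

```sh
#!/bin/sh
# Added example, not code from the original post.
# All functions take an optional root prefix ("" = the live system) so the
# logic can be exercised against a scratch directory. Paths used are the
# ones the post names: /Users and /var/db/.AppleSetupDone.

# Return 0 if $1 has a home directory under $ROOT/Users (Shared and Guest
# are skipped because they are not real admin candidates), else 1.
check_local_admin() {
    admin="$1"; root="${2:-}"
    found=1
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        name=$(basename "$home")
        case "$name" in Shared|Guest) continue ;; esac
        [ "$name" = "$admin" ] && found=0
    done
    return "$found"
}

# Print one username per line from an "fdesetup list" style file
# (assumed format: user,UUID per line).
fv_enabled_users() {
    cut -d, -f1 "$1"
}

# Print how many of the given usernames appear in the FileVault user list.
# Before handing over a machine this should equal the number of accounts
# you expect to be able to unlock the disk (two in the post's setup).
fv_count_enabled() {
    listfile="$1"; shift
    n=0
    for u in "$@"; do
        if fv_enabled_users "$listfile" | grep -qxF "$u"; then n=$((n+1)); fi
    done
    echo "$n"
}

# Re-arm the Setup Assistant as the post does, but reversibly: the marker
# file is renamed instead of removed. On the live system this must run as
# root after "mount -uw /"; the writability test stands in for that step.
# Returns 0 on success, 1 if the marker is already absent, 2 if read-only.
reset_setup_assistant() {
    root="${1:-}"
    marker="$root/var/db/.AppleSetupDone"
    if [ ! -w "$root/var/db" ]; then
        echo "$root/var/db is not writable: run 'mount -uw /' first" >&2
        return 2
    fi
    if [ ! -e "$marker" ]; then
        echo "no $marker: Setup Assistant will already run on next boot" >&2
        return 1
    fi
    mv "$marker" "$marker.bak" && \
        echo "moved $marker aside; reboot to get the Setup Assistant"
}

# Live usage from single user mode (cmd-S), as root:
#   mount -uw /
#   check_local_admin admin || echo "local admin home is missing"
#   reset_setup_assistant && reboot
# To undo before rebooting: mv /var/db/.AppleSetupDone.bak /var/db/.AppleSetupDone
```

The rename instead of `rm` costs nothing and means a mistaken run can be backed out from the same shell. The FileVault count is the check that would have told me, before handover, whether the recovery path through the pre-boot login was still open.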

OK, once the system was accessible, the thing that caused all this was obvious:

The "Allow network users to log in at login window" login option had been deactivated. Well durr, good luck signing in, Mr Mobile User. Together with the deleted local admin account this was, well, stupid.


At least I can now be sure that the local admin stays on the system, that my colleagues got a good laugh, and that I got a blog post out of it. =)




Tuesday, 24 July 2012

Kerberos Auth works again!

After trying again to analyse the problem, I found that only the MCX prefs I had applied to the users' main group would not get pulled down to the clients.


Looking for this specific problem, I've found this:
http://lists.apple.com/archives/client-management/2012/Jun/msg00005.html

Durr, now everything is clear.
Just as the post stated, I created a new group with the AuthWhiteList preference set and... voilà!