PDA

View Full Version : "User is not permitted to access the system at this time"




umiwangu
Apr 26, 2011, 01:17 PM
I have a Mac Mini server running Server 10.6.7, and I'm running it on a mixed network. I've used Workgroup Manager to add users to the LDAP directory, but I'm running into problems authenticating users from Windows machines.

The main problem I'm getting is when I try to access the server from a Windows machine. If I type the server's IP address in the address bar, it prompts me for a username and password. With one username, I don't get any problem. With another username, it acts as if it doesn't recognize the account. I noticed that connecting via AFP on my works just fine with all user accounts, so I checked the SMB logs. Here's what it says. Let me just say that looking at the two accounts in Workgroup Manager, I can't see any differences between the accounts that do work with SMB and those that don't. I even created a new test account, and it doesn't work with SMB. I did recently upgrade to 6.7, not sure if that had anything to do with it.

Anyway, the error from the logs.
[2011/04/26 19:51:10, 0, pid=3099] /SourceCache/samba/samba-235.6/samba/source/lib/opendirectory.c:get_opendirectory_authenticator(247)
failed to read DomainAdmin credentials, err=67 fd=19 errno=34
[2011/04/26 19:51:10, 0, pid=3099] /SourceCache/samba/samba-235.6/samba/source/auth/pampass.c:smb_pam_account(567)
smb_pam_account: PAM: User mgawi is NOT permitted to access system at this time
[2011/04/26 19:51:10, 0, pid=3099] /SourceCache/samba/samba-235.6/samba/source/auth/pampass.c:smb_pam_accountcheck(784)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User mgawi!

Any ideas?



umiwangu
Apr 26, 2011, 01:25 PM
Wow. This is embarrassing. :o Even though I've only started working with Mac OS X server a couple months ago, I should have caught the problem much sooner. It seems like when you create a new user in Workgroup Manager, it doesn't automatically add them to services (such as SMB). But when you create them via Server Preferences > Users, it loads them up with SMB, iCal, Mail, etc. So... as soon as I went to Server Preferences > Users and edited the services for the user (mgawi), it worked fine.

I'm going to leave this thread here, in case it helps someone else.

Doctor Q
Apr 26, 2011, 02:37 PM
Thanks. I've been using Mac OS X Server for years and I didn't know this.

Consultant
Apr 26, 2011, 03:06 PM
Wow. This is embarrassing. :o Even though I've only started working with Mac OS X server a couple months ago, I should have caught the problem much sooner. It seems like when you create a new user in Workgroup Manager, it doesn't automatically add them to services (such as SMB). But when you create them via Server Preferences > Users, it loads them up with SMB, iCal, Mail, etc. So... as soon as I went to Server Preferences > Users and edited the services for the user (mgawi), it worked fine.

I'm going to leave this thread here, in case it helps someone else.

Might want to write to Apple.com/feedback

VideoFreek
Apr 26, 2011, 05:02 PM
It seems like when you create a new user in Workgroup Manager, it doesn't automatically add them to services (such as SMB). But when you create them via Server Preferences > Users, it loads them up with SMB, iCal, Mail, etc. So... as soon as I went to Server Preferences > Users and edited the services for the user (mgawi), it worked fine.

I'm going to leave this thread here, in case it helps someone else.But, you get a warning to this effect when you create a new user in WGM:

http://farm6.static.flickr.com/5188/5615598992_67381e2991.jpg

I avoid Server Preferences (it doesn't even work for me anymore), but this problem can also be fixed in Server Admin-->Access

umiwangu
Apr 27, 2011, 08:53 AM
But, you get a warning to this effect when you create a new user in WGM:

Image (http://farm6.static.flickr.com/5188/5615598992_67381e2991.jpg)

I avoid Server Preferences (it doesn't even work for me anymore), but this problem can also be fixed in Server Admin-->Access

Thanks VideoFreek. When I went to make a new user, I didn't see the warning. I wonder if the person who created the accounts before turned it off.

Why do the various Server utilities overlap? It seems confusing sometimes which one I should use...

VideoFreek
Apr 27, 2011, 02:42 PM
^^^
Yes, most likely the warning was turned off.

As for the utilities, your two workhorses are Workgroup Manager, which handles user, group and machine accounts, user and machine preferences, etc., and Server Admin, which handles configuration of the various services (DNS, DHCP, file sharing, etc.).

Server Preferences was apparently intended to be a simplified, integrated administration tool for newbie admins, but it's full of fail (and bugs) and best avoided.

umiwangu
Apr 27, 2011, 04:00 PM
^^^
Yes, most likely the warning was turned off.

As for the utilities, your two workhorses are Workgroup Manager, which handles user, group and machine accounts, user and machine preferences, etc., and Server Admin, which handles configuration of the various services (DNS, DHCP, file sharing, etc.).

Server Preferences was apparently intended to be a simplified, integrated administration tool for newbie admins, but it's full of fail (and bugs) and best avoided.

Thanks for the tip!