
tj2001

macrumors regular
Original poster
Dec 7, 2003
185
0
Florida - USA
Ok... I was attempting to fix someone else's mess up, but ended up fixing one problem and creating a worse one.

The only user account (Admin) had a wrong short-name assigned to it... I had assumed that by going into Netinfo Manager and using root I could change this... I had gone to users and for that user I changed all values that had the wrong "short-name" to the one I wanted and it seemed to work... thing is it stripped "Admin" access from the new short-name user...

So now there is no user with admin access. When I log in I don't have it set to use root user... it is disabled... I know there has to be a way to grant this user admin status from the terminal or something? Any ideas or please let me know how to fix this... I would be sincerely thankful.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
39,794
7,531
Los Angeles
Can we assume that you can't get back into Netinfo Manager and change anything because you can't get superuser (root, admin) status?

Can we assume that there is no recent backup of this system?

Can you open the Terminal application, type "su", type the root password, and get to the prompt that uses a hashmark instead of a percent sign?
 

zimv20

macrumors 601
Jul 18, 2002
4,402
11
toronto
Originally posted by Doctor Q
Can we assume that you can't get back into Netinfo Manager and change anything because you can't get superuser (root, admin) status?

he should be able to do this


Can you open the Terminal application, type "su", type the root password, and get to the prompt that uses a hashmark instead of a percent sign?

this won't work unless superuser is enabled
 

zimv20

macrumors 601
Jul 18, 2002
4,402
11
toronto
i'm not sure if this will help you, but...

if you can't get UI NetInfo to work, log into the console (type ">console" at the username prompt, it'll give you a password prompt) and see if you can log in that way.

if you can, you might be able to use the niutil command line command to fix things.

i've never tried this, but it may come in handy.
 

Les Kern

macrumors 68040
Apr 26, 2002
3,063
76
Alabama
I look at it differently... IF it's an OS9 bootable machine. Just boot to 9, take the apps and docs you want and do a complete install. Why waste time going through all that if it is 9 bootable, nicht wahr? (In my job time is a luxury so I look for the simplest fix!)
If it's NOT 9 bootable, well, there are a LOT smarter folks than me here.
Good luck.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
39,794
7,531
Los Angeles
I've used niutil to do NetInfo changes from the command prompt, if you get that far. You'll have to be superuser to make changes.
 

Les Kern

macrumors 68040
Apr 26, 2002
3,063
76
Alabama
I look at it differently... IF it's an OS9 bootable machine. Just boot to 9, take the apps and docs you want and do a complete install, then drag them back. Why waste time going through all that if it is 9 bootable, nicht wahr? (In my job time is a luxury so I look for the simplest fix!)
If it's NOT 9 bootable, well, there are a LOT smarter folks than me here.
Good luck.
 

tj2001

macrumors regular
Original poster
Dec 7, 2003
185
0
Florida - USA
Originally posted by Doctor Q
Can we assume that you can't get back into Netinfo Manager and change anything because you can't get superuser (root, admin) status?

Correct... any changes I try to do it asks for admin pass & there is no admin. Also if I try to enable root user, once again it asks for admin pass. So nothing there.

Can we assume that there is no recent backup of this system?

It's a brand new, maybe 3 day old, iMac... so wiping the drive is my next case scenario. Though I'm trying to avoid that.

Can you open the Terminal application, type "su", type the root password, and get to the prompt that uses a hashmark instead of a percent sign?

I went into the terminal and typed "su -" and it asked for the password; when I entered the pass it gave a message stating that "usernamehere" is not in the list of sudoers and that it has been logged.

So now I'm lost... any more ideas. Can someone elaborate on the "niutil" command and how to properly use it?
 

zimv20

macrumors 601
Jul 18, 2002
4,402
11
toronto
try the >console trick first and see if you can get that far. perhaps before that, you want to boot from the install CD and (re)set the root password. use that for the >console login.
 

tj2001

macrumors regular
Original poster
Dec 7, 2003
185
0
Florida - USA
Originally posted by zimv20
try the >console trick first and see if you can get that far. perhaps before that, you want to boot from the install CD and (re)set the root password. use that for the >console login.

Not quite sure on exactly what you mean...? So put in the install CD reset the root's or the user's password? Then what "console trick" are you saying the niutil?
 

mmcneil

macrumors regular
Sep 4, 2001
222
62
Indianapolis, IN
Originally posted by tj2001
Not quite sure on exactly what you mean...? So put in the install CD reset the root's or the user's password? Then what "console trick" are you saying the niutil?

You need to boot from the install CD [Disk 1]. One of the options is to reset passwords. However, since you do not have root enabled, not sure how this will work.

You might try reinstalling with the preserve and archive option.

If you have another drive or partition, try installing OS X on one of them, set up your user correctly and then copy the contents of the old user directory over.
 

bankshot

macrumors 65816
Jan 23, 2003
1,367
416
Southern California
What probably happened was that you didn't change the username in the admin group's list of users. Thus you were no longer in the admin group and not able to make any more changes.

Just reboot into single-user mode. When the computer starts up, hold down Command-S and you'll get a prompt with superuser access. From there, you'll use niutil to re-add the new username to the "admin" group.

niutil -appendprop . /groups/wheel users newuser

Replace the "newuser" part with the new username you made. Once you're back up and running, you can get into NetInfo Manager and remove the old username from the admin group since it's not necessary to be in there anymore.
 

tj2001

macrumors regular
Original poster
Dec 7, 2003
185
0
Florida - USA
bankshot... your reply sounds clear and concise! I will try it tomorrow and will post an update on the outcome. I appreciate everyone's effort on trying to rectify this issue. Thank you all very much.
 

Westside guy

macrumors 603
Oct 15, 2003
6,341
4,159
The soggy side of the Pacific NW
Originally posted by bankshot
...
niutil -appendprop . /groups/wheel users newuser
...

Shouldn't that be "/groups/admin" instead of "/groups/wheel"? When I just checked netinfo, I'm in the "admin" group but not the "wheel" group. Only root is in "wheel".

Perhaps this was not true in older versions of OS X? I'm running 10.3.2.
 

bankshot

macrumors 65816
Jan 23, 2003
1,367
416
Southern California
Originally posted by Westside guy
Shouldn't that be "/groups/admin" instead of "/groups/wheel"? When I just checked netinfo, I'm in the "admin" group but not the "wheel" group. Only root is in "wheel".

Ehh, you're right. Good catch! I copied that from an old note I had when I was first learning about niutil, forgot to change it to the admin group.
 

tj2001

macrumors regular
Original poster
Dec 7, 2003
185
0
Florida - USA
Originally posted by bankshot
Ehh, you're right. Good catch! I copied that from an old note I had when I was first learning about niutil, forgot to change it to the admin group.

Ok I'm at the machine now and I attempted what was said; booting up into Single-User mode and issuing the command... thing is it seems to hang. I put the command in and it doesn't return a prompt. Does it take a long time to add the value??

Any more feedback will be appreciated.
 

dchung

macrumors newbie
Jan 2, 2004
1
0
I did something similar to what you did on my own mac.

To fix it, I restarted in single-user mode.

Then I ran visudo. It's an editor that lets you edit the sudoers file in /etc/

I added my new short name to the sudoers file then restarted.

I don't remember what I did after this (it was a few months ago). But now that I had su access I was able to clean stuff up in netinfoutil.

I found out about this on some security website that talked about this vulnerability.

Hope this helps.
 

bankshot

macrumors 65816
Jan 23, 2003
1,367
416
Southern California
Originally posted by tj2001
Ok I'm at the machine now and I attempted what was said; booting up into Single-User mode and issuing the command... thing is it seems to hang. I put the command in and it doesn't return a prompt. Does it take a long time to add the value??

Any more feedback will be appreciated.

Oops, it looks like OS X's single user mode is very bare bones, so the NetInfo daemon is not started yet. So scratch that idea! :(

Instead, you can do something like what dchung suggested. Boot into single user mode, add yourself to the sudoers file using visudo, then exit the shell and the machine will start up normally. Login as yourself, open Terminal, and do the above niutil command, but with sudo:

sudo niutil -appendprop . /groups/admin users newuser

Now, all of this hinges on your knowing enough about vi to edit the sudoers file and save it. If not, I can walk you through the steps. ;)

Oh, and note that before you run visudo, you need to remount the hard drive as read-write:

mount -uw /
visudo
 

Westside guy

macrumors 603
Oct 15, 2003
6,341
4,159
The soggy side of the Pacific NW
It shouldn't take that long for the "niutil" command to finish. I wonder if you've got a corrupted netinfo database?

One possibility (don't do this until there's some feedback from others here) would be to restore the netinfo database from a time before the problem started. This probably won't work if you're working with a laptop, because by default the netinfo backups occur at 3:15am - so unless the computer is on at that time, the backup won't happen.

Apple has instructions on restoring your netinfo database from backup at

http://docs.info.apple.com/article.html?artnum=107210

IF YOU CHOOSE TO DO THIS, DON'T SKIP A STEP. The first instruction basically gives you a backup of the current, possibly corrupted, netinfo database. This means if you run into too many problems you can at least get back to the point you're at now. Backing up is important!!!
 

tj2001

macrumors regular
Original poster
Dec 7, 2003
185
0
Florida - USA
Originally posted by bankshot

Instead, you can do something like what dchung suggested. Boot into single user mode, add yourself to the sudoers file using visudo, then exit the shell and the machine will start up normally. Login as yourself, open Terminal, and do the above niutil command, but with sudo:

sudo niutil -appendprop . /groups/admin users newuser

Now, all of this hinges on your knowing enough about vi to edit the sudoers file and save it. If not, I can walk you through the steps. ;)

Oh, and note that before you run visudo, you need to remount the hard drive as read-write:

mount -uw /
visudo

That's what I'm going to have to do. I'm not at the computer right now... it's going to have to wait until tomorrow again... The gentleman had to go out to dinner; I told him I'd research it more and get a solution.

Once again I really appreciate your input. I'm really trying NOT to wipe the drive and starting over.
 

tj2001

macrumors regular
Original poster
Dec 7, 2003
185
0
Florida - USA
Wait... you said to boot into single user add me to the sudoers using visudo and then reboot up regularly and then run that niutil command?

I'm assuming that adding me to the "sudoers" list will let me use sudo??
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
39,794
7,531
Los Angeles
Originally posted by tj2001
I'm assuming that adding me to the "sudoers" list will let me use sudo??

Right. File /etc/sudoers has lines like this:

root ALL=(ALL) ALL

to specify a user name and its privileges. The syntax can be much more complicated, but that's the simplest form of an entry. It's a text file with one entry per line.
 

Westside guy

macrumors 603
Oct 15, 2003
6,341
4,159
The soggy side of the Pacific NW
Sudo - in case it's not obvious

Note that when you run sudo and are asked for a password, it wants YOUR password - not root's. :)

That one threw me for a bit, since my first thought was "I'm running a command as root, I must need root's password". Heh.
 

tj2001

macrumors regular
Original poster
Dec 7, 2003
185
0
Florida - USA
Originally posted by bankshot
Now, all of this hinges on your knowing enough about vi to edit the sudoers file and save it. If not, I can walk you through the steps. ;)

Oh, and note that before you run visudo, you need to remount the hard drive as read-write:

mount -uw /
visudo

Ok can you please post a detailed walk through after I have booted into single user mode to accomplish this and what to do? I'll print it out and take it with me when I go to his house. Thanks Again :)
 

bankshot

macrumors 65816
Jan 23, 2003
1,367
416
Southern California
Originally posted by tj2001
Ok can you please post a detailed walk through after I have booted into single user mode to accomplish this and what to do? I'll print it out and take it with me when I go to his house. Thanks Again :)

Sure! I'll assume then that you aren't familiar with vi. It's a powerful editor but not user friendly if you're not used to it. ;)

Just to recap:
  1. Restart
  2. Hold Command-S, wait for the prompt
  3. Type mount -uw /
  4. Type visudo

    Once you type visudo, you're in the vi editor and you should see the sudoers file. The bottom section probably looks like this:

    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL
  5. Use the down arrow key to move the cursor all the way to the bottom of the file.
  6. Hit the o key. The cursor should go to a new line and you can begin typing.
  7. Type a new line just like the one with root, but with your username instead:
    newuser ALL=(ALL) ALL
    (replace newuser, obviously) The first whitespace after the username is a tab character (don't know if this is critical, but best to keep it the same as the other entries).
  8. Hit the ESC key. This gets you out of edit mode.
  9. Type ZZ (that's capital ZZ). It's a shortcut for save and quit. When I tested this, I got an error message about "Can't write .viminfo" or something, but it seems harmless. The sudoers file gets saved and that's the important part. Hit enter to get past this if it shows up.
  10. Now you're back at the prompt, so you can just type exit and the machine will resume normal bootup.
  11. Login as the newuser and start up Terminal.
  12. Type sudo niutil -appendprop . /groups/admin users newuser
    As Westside guy noted, it's asking for your password.

    Now you should have full admin access again! You can go into NetInfo Manager if you want and remove the old username from the admin group. Or not, it's probably harmless, and up to you if you want to tempt fate. :p

    I hope this helps!
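
Added example, not part of bankshot's post or the thread: after the recovery steps above, /etc/sudoers holds a per-user line next to the root and %admin rules. This sketch lists such direct grants in a sudoers-format file so they can be reviewed once group membership is restored; the sample file contents, the function names and the #501 uid entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sudoers entries granted directly to a user
# (by name or #uid) rather than to root or a %group.

direct_sudo_grants() {
    # $1: path to a sudoers-format file. Included files are not followed.
    awk '
        # Join continuation lines (trailing backslash).
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # Strip comments, but keep a leading "#<digits>", which names a uid.
        line !~ /^[ \t]*#[0-9]+[ \t]/ { sub(/#.*/, "", line) }
        { sub(/^[ \t]+/, "", line) }
        line == "" { next }
        # Skip settings, alias definitions and include directives.
        line ~ /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias|@include)/ { next }
        {
            split(line, f, /[ \t]+/)
            if (f[1] == "root" || f[1] ~ /^%/) next
            print f[1]
        }
    ' "$1"
}

write_sample() {
    # Constructed sample in the shape shown in the thread, plus a uid entry
    # split over two lines to exercise continuation handling.
    cat > "$1" <<'EOF'
# sudoers file (constructed sample)
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
newuser ALL=(ALL) ALL
#501 ALL = \
    /usr/bin/true
EOF
}

sample=$(mktemp)
write_sample "$sample"
direct_sudo_grants "$sample"
rm -f "$sample"
```
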
 