OD user can't vnc?

Question

Level 1

8 points

OD user can't vnc?

I have bought a server licence for a MacPro intel for using the iCal server and TimeMachine. After some struggle ( 3 installs in advanced mode) I appears I can have iCal server running only if the users are defined in OD (LDAP) At least this is the only way I have managed. Having done that I appears to me that only the first admin ( defined in local domain and NOT in OD) can initiate a VNC session. I can use ServerAdmin or WorkgroupManager logged in as a OD user with full admin rights, but if I try to use Screen Sharing from my laptop, the OD defined admin login/password is refused. Is this intentional or did I miss something? ON NON server 10.5 in sharing one can authorize all or only specific users to use screen sharing. Where is the equivalent on the server setting in advanced mode?
Thanks in advance for any advice

MacPro, MBP, Mac OS X (10.5.1)

Posted on Jan 27, 2008 11:49 AM

Reply

Answer 1

Jan 29, 2008 8:49 AM in response to echoer

Just to clarify...you have turned on Remote Management and selected ONE Administrator user that has access to Remote Management functions? If you want to use ARD or a VNC client, this is the place to set them up. This is found in the Sharing Pane of 10.5

Reply

Answer 2

echoer Author

Level 1

8 points

Jan 29, 2008 11:58 PM in response to idontlikescreennames

Thanks for the reply but this is exactly where the problem is.
- If I enable ALL users, that do not change anything.
- If I keep selected users and try to add more users, the ones defined in OD (LDAP) do not show up.
- if go to the computer settings and define "VNC users can control with this password" apple Screen Sharing application still fails at authentication.

😟

Reply

Answer 3

echoer Author

Level 1

8 points

Jan 30, 2008 2:29 AM in response to idontlikescreennames

Just to clarify: I have one user ( the first declared admin at install) in the local directory all the others defined in the LDAP (OD master). The first one can do screen sharing the ones in OD do not seem to have right to start a screen sharing to access the server.

Reply

Answer 4

echoer Author

Level 1

8 points

Jan 30, 2008 5:51 AM in response to echoer

Ok Let me continue my monolog:
In the sharing panel in the remote login I do see local user, network (LDAP) users and groups
In the sharing pane remote management only the single admin user shows up, No groups, no LDAP users.
stucked

Reply

Answer 5

echoer Author

Level 1

8 points

Jan 31, 2008 2:11 AM in response to echoer

Ok let me answer my question:
- go to System Preferences and disable remote management
- now screen sharing is enabled (previously it told you Remote Management controls screen sharing) NOW you can add any user or group either from the local directory OR from the LDAP directory
done

The bottom line is that (either a bug or feature) when Remote Management is on only local users can be enabled?

Reply

Answer 6

Feb 22, 2008 9:25 AM in response to echoer

I came across the same issue. I expected this to just work, and was really surprised to find I couldn't add the OD users and groups in the remote management control panel.

Call it a bug or a feature either way it's an issue or me

Reply

Answer 7

Feb 23, 2008 2:32 AM in response to David B Brown 2

So it seems after a little more digging you can actually fix this. However looks like you need to do so from Apple Remote Desktop, as that's the only place from where you can tell "remote management" to allow users from your Open Directory domain.

Easiest way seems to be first to add some new groups using Workgroup Manager, there are four specific names you must use for these groups, ard_admin, ard_interact, ard_manage, and arp_reports, each giving various levels of access. Create the groups and add the relevant people into the relevant groups. The ard_interact groups seems to be the one to use to manage screen sharing. The second step is then using apple remote desktop you need to select the clients you want to update and choose "change client settings" from the manage menu. There is then an option on the third screen called "enable directory based administration", selecting this will allow those groups access to remote management with the relevant privileges that come with each group.

Note even after you have done this, you will not see any difference when you look at the remote management system preference, but it certainly worked for me.

More details can be found in the Apple remote desktop manual round about page 69, 79 in the section titled "Apple Remote Desktop Administration using Directory Services"

Hope this is useful

Dave

Reply

Answer 8

Feb 28, 2008 10:14 PM in response to David B Brown 2

Yes. In order to make ARD function using an Open Directory user, you will probably need to create a Custom Installer package and then use AFP to transfer the installer to your administrator account on the server. This way you can either use screen sharing to install the package or do it physically at the machine. From what I can tell, there are still some glitches using ARD with Leopard Server....I haven't quite gotten Leopard Server to do what I need it to in ARD yet....but i'm hoping ARD will soon have a patch issued and will start working on my network....for some reason trying to use ARD on a network with 2000 mobile computers doesn't quite work as well as screen sharing.....

Reply