Apple Event: May 7th at 7 am PT

Learn more

Add to your calendar 

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Corbywan
Corbywan Author
User level: Level 1
64 points

SLS changing short/login name

I've seen this in other threads (at least on Apple's discussion board) and thought I had a temp fix, but it hit again today. When you add aliases to a user in Workgroup Manager, it can/has change the primary shortname for one of the aliases, thereby changing the short login name used for network logins, email login etc. It happened again today. I wasn't able to check my email because it wouldn't authenticate, I looked at WGM, and sure enough the primary (first in the list greyed out can't edit) shortname had been changed to one of the aliases I had added for email purposes, and my original shortname had been demoted to an alias.

Does anyone else know id Apple is aware of this? Does anyone had an actual fix?

Message was edited by: Corbywan

MBP (late 2008), iPhone 3G, Mac OS X (10.5.6)

Posted on Nov 3, 2009 12:38 PM

Reply
31 replies
User profile for user: John Lockwood
John Lockwood
User level: Level 6
13,685 points

Jan 26, 2010 3:15 AM in response to Corbywan

For what its worth…

When Mac OS X 10.6.0 server was released, the matching Apple Manuals - specifically the User Management manual as per http://images.apple.com/server/macosx/docs/UserManagementv10.6.pdf on page 67 included a change that said it was now allowed to have a first shortname that contains a fullstop/period.

As discussed here this is desirable in order to match many company email address formats like john.doe@example.com

For Mac OS X 10.4, and 10.5 you could only use a fullstop in additional (second, third, etc.) shortnames and not the first. This meant that a user would have needed at a minimum two shortnames, and therefore would have had as a result two email addresses (one for each shortname) and therefore would inevitably receive more spam.

Workgroup Manager in Mac OS X 10.6.1 Server briefly broke this, but Mac OS X 10.6.2 Server restored the ability to define a fullstop in the first (and only) shortname.

In preparation for replacing our current mail server with one that integrates with Open DIrectory for authentication, I am now changing users existing single shortnames, to ones like john.doe

I can confirm another Workgroup Manager bug that is related to this. While it is possible to change most of the shortname related information in Workgroup Manager using the Inspector tab, you need to do an extra step to force the updating of the users kerberos record. This is done by in Workgroup Manager changing the password type from "Open Directory" to "Crypt", and then back to "Open Directory". The change from "Crypt" to "Open Directory" should create a new kerberos record (Crypt password type accounts do not have a Kerberos record). However Workgroup Manager included with Mac OS X 10.6.2, 10.6.1, 10.6.0 and Mac OS X 10.5.x do not create the Kerberos record as they should. This does work in Workgroup Manager included with 10.4.11, so I use a 10.4.11 machine to do this final step.

I then end up with an existing account that has the sole shortname changed to john.doe format and still allows the user to use Kerberos and single sign-on.

Note: You can in Workgroup Manager 10.6.2 create brand new user accounts with a john.doe type shortname straight away and it does create a Kerberos record. It also seems that importing a text file containing user accounts in to Workgroup Manager 10.6.x or 10.5.x also suffers from this bug as the imported accounts are also missing a kerberos record even though they are of password type Open Directory.
Reply

SLS changing short/login name

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up