Major Permissions Issue

Alright, I'm a fairly seasoned admin, but I'm pretty stumped here. I've installed Lion (clean), then installed Lion Server. In the process I decided to set up a Radius Server. The config seemed super easy and thus it automatically did the setup for me. I then needed to make a few changes and I went into Terminal to "su root" only to find out that it's no longer allowing root login. I get "su: Sorry"


Simple? I must just need to go to Directory Utility to re-enable it or change the password? AHH. No way! Lion Server Open Directory completely breaks the local authentication server. I've tried to go into Server utility to go back to standalone (destroy the Open Directory), but this does not fix the problem. I have verified that the Directory Utility is running the auth on /Local/Default node.


Also, all users cannot change passwords. When I try to change user passwords I get a "passwd: authentication token failure". Thank GOD I can still issue sudo commands, but I've got to fix this. I tried reinstalling (not clean), but it didn't make any difference. I did notice that /etc/groups and /etc/passwd were blank before the reinstall, however the reinstall fixed this.


What to do? What to do?


HELP! I'm starting to miss Windows Server 2008!

MacBook Pro, Mac OS X (10.7)

Posted on Jul 22, 2011 1:55 PM


Jul 23, 2011 6:50 PM in response to GeniusChris

I found the solution to the above problem after 2 full days of research...


Go to Directory Utility

Disable Root User

Go to Viewing "Users" in node "/Local/Default"

Pull up System Administrator

Delete AuthenticationAuthority completely

Go back and re-enable root. It will ask for a new password.


Solved. You can now su root.


I'm glad the community has an answer to this terrible terrible glitch.
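A terminal counterpart to the Directory Utility steps in the reply above, added here as an example and not part of the original thread. The thread does not show what the root record's AuthenticationAuthority contained, so the check assumes a leftover directory authority such as ApplePasswordServer; the sample record, hostnames and backup path are constructed.

```shell
#!/bin/sh
# Added example: inspect root's AuthenticationAuthority before deleting it.

# Classify `dscl . -read /Users/root AuthenticationAuthority` output from stdin:
#   none      - attribute absent (dscl prints "No such key: ...")
#   local     - only ShadowHash or local-KDC (LKDC) Kerberos entries
#   directory - some other authority (e.g. ApplePasswordServer) is present
classify_root_auth() {
  awk '
    { sub(/^AuthenticationAuthority:/, "")
      for (i = 1; i <= NF; i++) {
        if ($i !~ /^;/) continue              # rest of a value that contains spaces
        n++
        if ($i ~ /^;ShadowHash;/) continue
        if ($i ~ /^;Kerberosv5;/ && $i ~ /LKDC:/) continue
        foreign++
      }
    }
    END {
      v = (n == 0) ? "none" : (foreign ? "directory" : "local")
      print v
    }'
}

# Constructed sample of a record still pointing at a password server (not real data).
SAMPLE_STALE='AuthenticationAuthority:
 ;ApplePasswordServer;0x00000000000000000000000000000001,1024 35 1234567 root@server.example.com:192.0.2.10
 ;Kerberosv5;;root@SERVER.EXAMPLE.COM;SERVER.EXAMPLE.COM;1024 35 1234567 root@server.example.com'

# On a Mac: back up the record, report its state, and repair only when
# the script is called with the argument "repair".
if command -v dscl >/dev/null 2>&1; then
  sudo dscl . -read /Users/root > "$HOME/root-record.backup.txt"
  state=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 | classify_root_auth)
  echo "root AuthenticationAuthority: $state"
  if [ "$state" = directory ] && [ "${1:-}" = repair ]; then
    dsenableroot -d                                           # disable root
    sudo dscl . -delete /Users/root AuthenticationAuthority   # remove the attribute
    dsenableroot                                              # re-enable; prompts for a new root password
  fi
fi
```

If root is only needed for individual commands, stopping after `dsenableroot -d` and the delete leaves root disabled, and `sudo` keeps working as it did in the original post.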

Aug 24, 2011 11:11 AM in response to GeniusChris

Far too many people default to and rely on "just do"-ing everything as root.

That is a misinformed and misguided practice for any production server, especially any public-facing one ⚠


Why do you need to work as root ?

Use sudo instead.

Root is disabled by default for good reasons, proper security (best) practices and your misunderstanding of this intentional configuration does not mean Apple did anything wrong.


Root was disabled by default in 10.6, 10.5, 10.4 even, so at least three whole major OS versions prior to 10.7, and as a would-be OS X sysadmin, you should have known about that already/by now ;-)


http://hints.macworld.com/article.php?story=20090909081659323


http://hints.macworld.com/article.php?story=20071025100950309



http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1549.html

Aug 30, 2011 6:59 AM in response to Adrian Nier

Ostensibly (emphasis on that), the root account has the same password as the initial admin password one chooses when installing OS X Server. I've had mixed results with that over various installs and iterations of OS X Server.


On 10.4 this appears to be the case by default.


On one in-house 10.5 server, I can indeed su root with the password in question (as mentioned above). Although for a great number of reasons I may have enabled it long ago (it's not public-facing, won't ever be). On another server elsewhere, extremely stock install & config, this does not work.


On my 10.6.8 server, I can't su root.


Haven't had any need nor tried to do anything as root on 10.7 server thus far (using sudo instead).


Having root disabled is still highly advisable.


Some further info,

http://images.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf


http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml

Aug 30, 2011 8:06 AM in response to davidh

All the links provided pertain to the client version of Mac OS X. Both security configuration guides specifically state:

This guide can assist you in securing a client computer. It does not provide information about securing servers.


Page 19 of the Mac OS X Server 10.3 Security Configuration guide:


Mac OS X Server includes a root account like other Unix-based systems. Initially, its password is set to that of the first administrator account.


Page 70/71 of the Mac OS X Server 10.4 Security Configuration guide:


By entering su root, you can log in as the root user. [...] To remove the ability of the root user to log in: [...]


Page 98 of the Mac OS X Server 10.5 Security Configuration (2nd Edition) guide:


By default, the root account on Leopard Server is enabled and uses the same password as the first created admin user.


Page 79 of the Mac OS X Server 10.6 Security Configuration guide:


By default, the root account on Snow Leopard Server is enabled and uses the same password as the first created admin user.


The information for Mac OS X Server 10.7 suggests that the root account is disabled by default:


You can enable the root account and change its password using Directory Utility.
