
Interesting issue with root account

Hi All.


I have a clean install of Lion Server running, and I was able to enable the root account, set a password and then after I was finished, disable the account.

Now it seems to be in a state - that the next time I want to use the root account, I can enable it, but I cannot authenticate at all.


Directory Utility gives me what appears to be a complete password change process - but no notification that it's failed.


sudo passwd root returns the following error.


passwd: Could not verify credentials because directory server does not support the requested authentication method. Could not verify credentials because directory server does not support the requested authentication method.


Testing to see if the directory is having issues, I reset a password via Workgroup Manager without any issues. I also confirmed that Open Directory is configured to accept all authentication types.


Using the following also worked


Open Directory Account: sudo passwd abc

Local Standard Account: sudo passwd xyz


The main reason I enabled the root account is because I can then ssh in using root and via sftp open / view config files - in particular fstab - and edit via a GUI rather than via vi, vim or nano.


On my server - the accounts are set up as follows in Dir Util.

xyz has the following under AuthenticationAuthority

;ShadowHash;HASHLIST:<SALTED-SHA512,SMB-NT,CRAM-MD5,RECOVERABLE>

;Kerberosv5;;root@LKDC:SHA1.<SNIP>

Administrator has the following under AuthenticationAuthority

;ShadowHash;HASHLIST:<SALTED-SHA512,SMB-NT,CRAM-MD5,RECOVERABLE>

;Kerberosv5;;root@LKDC:SHA1.<SNIP>


root has the following under AuthenticationAuthority

;Kerberosv5;;root@LKDC:SHA1.<SNIP>


In all instances the Kerberos value is identical.


On my laptop root has the following under AuthenticationAuthority (SL Upgrade)

;ShadowHash;HASHLIST:<SALTED-SHA512>


I am taking a wild guess here, that the passwd / dirutil password change only works on Shadow Hashes and not Kerberos records.

Now knowing that OD does link in with Kerberos, I was going to try to pull up the local record in WGM, except it can't show hidden records any more - telling me to use Directory Utility.


Any ideas?

Mac mini, Mac OS X (10.7), Server

Posted on Jul 27, 2011 5:10 AM

12 replies

Jul 27, 2011 8:03 PM in response to Caledai

First, WOW for your more-than-well-documented question...


I do have the same problem as you after having successfully used my root account to rename a 'not-well-shortnamed' user.


I disabled root, re-enabled it using the 'Apple' method - and I get this message, now... So there is no way I can move my pre-configured user folders in the /Users folder... 😠


Please HELP!

Jul 27, 2011 8:41 PM in response to m4r10

For your account, you can always do the following.


  • Create a new admin user.
  • Go into terminal and use sudo to run the command, or sudo -s to get a root level command.


If what you want to do is move the location of your home directory you can do the following (even within that account)


  • Go to System Prefs > Accounts
  • Authenticate and then right click on your username and go to Advanced Options
  • Change the Home Path.
  • Reboot your computer.

Jul 28, 2011 3:57 AM in response to capaho

Hi Capaho.


The issue is:


Using sudo passwd username, I can change OD accounts.

Using sudo passwd localusername, I can change Local accounts.


What I can't do is use sudo passwd root to change the root account's password, nor can I use Directory Utility - which is the documented Apple way to change the root password, along with enabling/disabling the root account.


OD via WGM does not allow you to view all records / hidden records any more, you have to use Directory Utility, and using Directory Utility as I indicated above, the root account seems to be linked purely to Kerberos, not using a ShadowHash any more.

Jul 29, 2011 4:56 AM in response to Caledai

Just resolved this.

;ShadowHash;HASHLIST:<SALTED-SHA512,SMB-NT,CRAM-MD5,RECOVERABLE>

What I did, was add an additional AuthenticationAuthority within Directory Utility to the root record using the administrator account as a template.


I was then able to reset the password via the terminal, and subsequently authenticate via SSH into the server under the root account.

Jul 29, 2011 8:53 PM in response to m4r10

Directory Utility is at /System/Library/CoreServices - on both Client and Server.


  • Open it up, via Finder - and then click on Directory Editor
  • Make sure you are viewing Users on /Local/Default and that you are authenticated as root. (It does this auto)
  • Select the "Administration Account"
  • On the right under AuthenticationAuthority should be two keys - one ShadowHash and one Kerberos
  • Copy the value - on my client it's ;ShadowHash;HASHLIST:<SALTED-SHA512>
  • Select the "System Administrator"
  • Select the AuthenticationAuthority and click the add symbol to the right.
  • Paste the value you copied into the new key.


Once I did this I was able to use sudo passwd root to change the password, and tested it.


A word of warning here - what I did gets it working - but it may be the wrong key, or add in insecure auth-authorities, as there is a diff between Lion Upgraded and Lion clean from what I can see across my two computers, and as such your root account may not be as secure as Apple intended it to be.

Aug 2, 2011 10:37 AM in response to Caledai

I had the same problem, so first thanks for the hint here.


The easy way seems to be to simply delete the whole AuthenticationAuthority key/key-group. Then select the activate root item in the menu (Directory Utility) and it should recreate both AuthenticationAuthority keys (Kerberos and hash).


At least that's what worked for me just a few minutes ago...

Dec 16, 2011 9:49 AM in response to Caledai

What seems to be happening is that the ShadowHash key is being deleted when the Root User is disabled in Directory Utility. You can watch it get deleted if you select System Administrator and then Disable Root User.


This key is not restored when the Root User is Enabled. So you cannot login as Root after enabling Root user.


What I did is copy the ShadowHash key from my local admin user account and pasted that into the new key under the AuthenticationAuthority group. It works since the password is the same.
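The fix posted above and this last explanation both come down to the same check: does the root record still carry a ;ShadowHash; authority next to its ;Kerberosv5; one? The script below is an added example, not something from this thread or from Apple; it parses AuthenticationAuthority values in the format shown in the posts and reports which authority is missing before you start editing records by hand. The two sample records are constructed from the values quoted in the thread (hashes snipped). The helper assumes the values arrive either one per line or whitespace-separated on a single `AuthenticationAuthority:` line, which is how I have seen `dscl . -read /Users/root AuthenticationAuthority` print them; treat that output shape as an assumption and check it on your own box.

```shell
#!/bin/sh
# Added example: audit a local DS record's AuthenticationAuthority values.
# Not from the thread; the sample records are constructed from the thread's posts.

# Constructed sample: root after disable/enable (ShadowHash gone, as the thread describes).
ROOT_AA=';Kerberosv5;;root@LKDC:SHA1.<SNIP>'

# Constructed sample: an admin record on a clean Lion install (both authorities present).
ADMIN_AA=';ShadowHash;HASHLIST:<SALTED-SHA512,SMB-NT,CRAM-MD5,RECOVERABLE>
;Kerberosv5;;root@LKDC:SHA1.<SNIP>'

# aa_values TEXT -> one authority value per line.
# Strips an optional "AuthenticationAuthority:" prefix (assumed dscl output shape)
# and splits whitespace-separated values; keeps only lines that start with ";".
aa_values() {
    printf '%s\n' "$1" \
        | sed 's/^AuthenticationAuthority: *//' \
        | tr ' ' '\n' \
        | sed -n '/^;/p'
}

# has_authority TEXT NAME -> exit 0 if a value begins with ";NAME;"
has_authority() {
    aa_values "$1" | grep -q "^;$2;"
}

# shadowhash_types TEXT -> the HASHLIST contents (empty when no ShadowHash authority)
shadowhash_types() {
    aa_values "$1" | sed -n 's/^;ShadowHash;HASHLIST:<\(.*\)>$/\1/p'
}

# check_record TEXT -> prints a verdict; exit 0 only when both authorities are present.
# A record with only Kerberosv5 is the state in which "sudo passwd root" fails
# with "directory server does not support the requested authentication method".
check_record() {
    missing=""
    has_authority "$1" ShadowHash || missing="$missing ShadowHash"
    has_authority "$1" Kerberosv5 || missing="$missing Kerberosv5"
    if [ -z "$missing" ]; then
        echo "ok: ShadowHash (${missing:-$(shadowhash_types "$1")}) and Kerberosv5 present"
        return 0
    fi
    echo "missing:$missing - passwd/Directory Utility has no hash to update"
    return 1
}

# Stand-alone run over the constructed samples.
echo "root:";  check_record "$ROOT_AA"  || true
echo "admin:"; check_record "$ADMIN_AA" || true
```

On a real machine you would feed it the live record, for instance `check_record "$(dscl . -read /Users/root AuthenticationAuthority)"`, and run it again after re-enabling root to confirm the ShadowHash authority came back instead of assuming it did. The hash-type list is printed so that a record restored by copying another user's value (as the thread does) can be compared against a clean install's `HASHLIST` rather than taken on faith.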
