
Screen Sharing Broken for Network Account Admins Mac OS X Server

Re: OS X 10.8.4, Server.app 2.2.1


After replacing a failed Airport Extreme -- and the resulting changes in server IP address -- Screen sharing is now broken for "Network" account administrators. "Local" administrators can screen share successfully.


When logging in as a Local Admin, the System Log contains a single entry:

Authentication: SUCCEEDED :: User Name: localadmin :: Viewer Address: 10.0.1.6 :: Type: DH


When logging as a Network Admin, a similar line appears:

Authentication: SUCCEEDED :: User Name: testnetwork :: Viewer Address: 10.0.1.6 :: Type: DH


followed by screen-fulls of other log messages, eventually ending -- a minute or two later -- with:

screensharingd[77693]: uid 1034 not found

screensharingd[77693]: unable to get width and height of display.

at which point the client sees an "Error: Network connection lost." alert. 1034 is the UID of "testnetwork", as seen in

dscl /LDAPv3/127.0.0.1 -list /Users UniqueID


So apparently, Network users are authenticated, but screensharingd cannot find the user.


changeip -checkhostname returns "success". Just to be sure, I "Updated the Host Name" as suggested by the "Network Configuration Has Changed" alert in Server.app -- problem remains.


How does one debug this? Are there more comprehensive debug logging options available for screensharingd or login window? Anyone else seen this problem?

OS X Server

Posted on Jul 15, 2013 3:06 PM

6 replies

Jul 16, 2013 7:01 PM in response to Linc Davis

Linc: thanks for your inquiry.


Here are more steps I've taken to solve this problem:


1) From a Time Machine backup to a test partition, I restored the server from before the failure of the base station and found that the login problems were present then.


2) On yet another test partition, I created from scratch a new OS X Server. Added a local administrator and a network administrator, and discovered the same problem: network administrators cannot screen share, although in this case, they are simply unauthorized.


Using dscl, things look OK: there is a /Local/Default/Groups/com.apple.access_screensharing that lists only the admin group, and the admin group contains networkAdmin.


Furthermore, I can log in as the networkadmin from the login window, as "Other".


Furthermore, I can ssh into the server using the networkadmin credential.


I used odutil to boost the logging OpenDirectory log level. The logs are very verbose, but to my eyes, it looks like OD recognizes the networkUser, but screensharingd fails to authorize. See logs below.


Can someone confirm that screen sharing from network admin accounts works at all? Is there a way to elevate screensharingd logging to find out more about why it rejects network admins?


TIA


/var/log/opendirectoryd.log

.

.

.

4643.65273.65277, Module: search - ODQueryCreateWithNode request, NodeID: 3D4241C6-FAFF-4816-8F7C-B3E0ED6F56A6, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): networkadmin, Requested Attributes: dsAttributesStandardAll, Max Results: 1

4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: search - queuing request to connection - '/LDAPv3/127.0.0.1:ldap:406935A6-9ADB-413A-A82B-7F30F4E9E5A1'

4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - adding 'dsAttrTypeStandard:RecordName' for ambiguous name query

4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - adding 'dsAttrTypeStandard:RealName' for ambiguous name query

4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - query with filter - '(&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))(|(uid=networkadmin)(cn=networkadmin)))', baseDN - 'cn=users, dc=testserver,dc=local'

4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - found result - 'uid=networkadmin,cn=users,dc=testserver,dc=local'

4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - ODQueryCreateWithNode completed, delivered 1 result

4643.65273, Node: /Search, Module: search - ODQueryCreateWithNode completed, delivered 1 result

4643.65278 - Client: screensharingd, UID: 0, EUID: 0, GID: 0, EGID: 0

4643.65278 - ODNodeRelease request, NodeID: 184CFA31-1EB8-4384-B9CA-D04A93736CB1

4643.65278, Node: /Search - ODNodeRelease completed

clearing all node authentication connections


/var/log/system.log:


screensharingd[4665]: Authentication: FAILED :: User Name: networkadmin :: Viewer Address: 10.0.1.6 :: Type: DH

Jul 17, 2013 9:21 AM in response to Linc Davis

Linc:


The test server only has three accounts: the original admin account that I used to set up the server, a local admin and a network admin, all with different names. I used Server.app to create the users.


The networkadmin is a member of admin group. It can log in at the login window (it doesn't appear in the local user list, but can log in as "Other") and via SSH. Only screen sharing seems to have a problem.


The local admin account can screen share, so I believe my log-in procedures are OK.


What other kind of attributes could interfere?

Jun 14, 2016 12:17 AM in response to Larry Goldman

Hi Larry et al., with regard to

Problem:

OSX 10.11.x OSX Server.app V5.1 and apparent failure of Local Network Users to utilise (connect) screen sharing to another OSX host via ARD, despite ALL the below being TRUE:

  • initially authenticated over LDAP (master or replica)
  • access to screen sharing host (e.g. macmini-03-server) via ssh etc
  • Open Directory/ LDAP specifically enabled in the list of good blokes OSX Server.app UI / server name/ Access / custom / Screen Sharing
  • Open Directory local network account (sharescreen) Access to Services "Screen Sharing" enabled.
  • screen sharing host (e.g. macmini-03-server) System Preferences/ Users Groups/ Login Options/ host permission to "Allow network users to log in at login window" (general or explicit) checked..
  • screen sharing host (e.g. macmini-03-server ) System Preferences/Sharing/Remote Management/Options all options enabled - (full access)

The message we see is typical in /var/log/system/log for test local network account "sharescreen" as:


Jun 14 14:28:43 macmini-03-server screensharingd[2828]: Authentication: SUCCEEDED :: User Name: sharescreen :: Viewer Address: 10.0.2.9 :: Type: DH

And:

There is NO WAY to add a Local Network Account (managed via OD) to the System Preferences / Sharing / Remote Management / Options / Users .. Such advice in other threads is folly.

Our Resolution:

From some research and the SETTINGS we used on this host (macmini-03-server) to access ALL the options for Remote Management, it seems that ADMIN access is required for the Local Network account.


I.M.O: This doesn't seem logical if the workflow requires BROWSING only of the ARD.... however in our case administrators are the only ones to utilise ARD.


So.. simply enable these Local Network accounts that require screen to Admin - Such advice won't be of use for everyone.


Will update this issue should this change.


Please post your results for others to see.


Warwick

Hong Kong
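
Added example (not part of the original posts and not Apple's code): a small triage script that groups the screensharingd lines quoted in this thread by PID, so that a connection rejected at authentication can be told apart from one that authenticated and then failed the uid lookup. The sample log is constructed from the line formats shown above; the timestamps, the host name "server", PID 77001 and the verdict strings are assumptions made for the example.

```python
import re

# Constructed sample in the format of the system.log lines quoted in this thread;
# timestamps, the host name "server" and PID 77001 are made up for the example.
SAMPLE_LOG = """\
Jul 15 14:01:02 server screensharingd[77001]: Authentication: SUCCEEDED :: User Name: localadmin :: Viewer Address: 10.0.1.6 :: Type: DH
Jul 15 14:05:10 server screensharingd[77693]: Authentication: SUCCEEDED :: User Name: testnetwork :: Viewer Address: 10.0.1.6 :: Type: DH
Jul 15 14:06:41 server screensharingd[77693]: uid 1034 not found
Jul 15 14:06:41 server screensharingd[77693]: unable to get width and height of display.
Jul 16 18:40:00 server screensharingd[4665]: Authentication: FAILED :: User Name: networkadmin :: Viewer Address: 10.0.1.6 :: Type: DH
"""

PROC = re.compile(r"screensharingd\[(\d+)\]: (.*)$")
AUTH = re.compile(r"Authentication: (SUCCEEDED|FAILED) :: User Name: (\S+) :: Viewer Address: (\S+) :: Type: (\S+)")
UID_MISSING = re.compile(r"uid (\d+) not found")

def summarize(log_text):
    """Group screensharingd lines by PID and classify each connection attempt."""
    # Assumes one connection per PID in the excerpt; PIDs get reused over a long log.
    sessions = {}
    for line in log_text.splitlines():
        proc = PROC.search(line)
        if not proc:
            continue  # not a screensharingd line
        pid, msg = int(proc.group(1)), proc.group(2)
        s = sessions.setdefault(pid, {"user": None, "viewer": None, "auth": None,
                                      "missing_uid": None, "other": []})
        auth, missing = AUTH.search(msg), UID_MISSING.search(msg)
        if auth:
            s["auth"], s["user"], s["viewer"] = auth.group(1), auth.group(2), auth.group(3)
        elif missing:
            s["missing_uid"] = int(missing.group(1))
        else:
            s["other"].append(msg)
    for s in sessions.values():
        if s["auth"] == "FAILED":
            s["verdict"] = "rejected at authentication"
        elif s["auth"] == "SUCCEEDED" and s["missing_uid"] is not None:
            s["verdict"] = "authenticated, then uid lookup failed"
        elif s["auth"] == "SUCCEEDED":
            s["verdict"] = "authenticated, no lookup error logged"
        else:
            s["verdict"] = "no authentication line seen"
    return sessions

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        print(pid, s["user"], s["viewer"], s["verdict"], s["missing_uid"])
```

The `missing_uid` value reported for a session can be compared against the UniqueID list from the `dscl /LDAPv3/127.0.0.1 -list /Users UniqueID` command shown in the first post.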
