Mac OS X Server v10.5 and later: Mobile users may not be able to log in when using a password policy
Products Affected
Mac OS X Server 10.5, Mac OS X Server 10.6
Symptoms
Mobile users may not be able to log in to a client computer after a set number of unsuccessful login attempts has been exceeded, if that password policy is in effect.
Re-enabling the user account in Workgroup Manager may not restore user account access on the client computer. The disabled user account may not appear in the login window's list of accounts, or in the Accounts pane of System Preferences on the client computer.
Resolution
- On the server, use Workgroup Manager to re-enable account access for the disabled user.
- Save the user record.
- On the affected client computer, log in as a local admin user.
- Open Terminal.app (located in /Applications/Utilities/Terminal).
- Execute this command: sudo -s
- Enter the admin password when prompted.
- Navigate to the local user database directory with this command:
cd /var/db/dslocal/nodes/Default/users/
- Make a backup copy of the disabled user's plist file with this command (replacing username with the affected account's user name):
cp username.plist username.plist.bak
- Using your preferred text editor, open the affected user's .plist file. The nano editor is used in this sample command:
nano username.plist
- Locate the "authentication_authority" key within the .plist file; it looks similar to this:
<key>authentication_authority</key>
<array>
<string>;ShadowHash;</string>
<string>;DisabledUser;;Kerberosv5;;abcd@LKDC:SHA1.9965008CC9FE7938B5CC06EE8DE79B6159989$
</array>
- Delete the text ";DisabledUser;" that appears in the key. Be careful to only delete ";DisabledUser;".
- Save the file with the text editor.
- Type exit, then press Return.
- Quit Terminal.
- Log out.
The disabled user should now be able to log back in to the client computer.
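The backup and edit steps above can also be scripted so that the backup is always taken first and only the exact ";DisabledUser;" text is removed. This is an added example, not part of the original article; the function name enable_dslocal_user and its optional directory argument are assumptions made for illustration, and it assumes the record is an XML text plist like the sample shown above.

```shell
#!/bin/sh
# Added example (not from the original article): scripted form of the manual edit.
# enable_dslocal_user is a hypothetical helper; the optional second argument
# (record directory) exists only so the function can be tried on a copy.
enable_dslocal_user() {
    user="$1"
    dir="${2:-/var/db/dslocal/nodes/Default/users}"
    plist="$dir/$user.plist"
    token=';DisabledUser;'

    # Refuse empty names and anything that could escape the users directory.
    case "$user" in ''|*/*|.*) echo "invalid user name" >&2; return 2 ;; esac
    [ -f "$plist" ] || { echo "no such record: $plist" >&2; return 1; }

    # Assumption: the record is an XML text plist, as in the article's sample.
    # A stream edit would corrupt any other encoding, so stop here instead.
    case "$(head -c 5 "$plist")" in
        '<?xml') ;;
        *) echo "$plist is not an XML plist" >&2; return 1 ;;
    esac

    # Nothing to change if the record is not marked disabled.
    grep -qF "$token" "$plist" || { echo "$user is not marked disabled" >&2; return 3; }

    # Back up first, as in the manual steps; never overwrite an earlier backup.
    if [ -e "$plist.bak" ]; then echo "backup already exists: $plist.bak" >&2; return 4; fi
    cp -p "$plist" "$plist.bak" || return 1

    # Delete only the literal token; the rest of the string is left untouched.
    tmp=$(mktemp "${TMPDIR:-/tmp}/dslocal.XXXXXX") || return 1
    sed 's/;DisabledUser;//' "$plist.bak" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$plist"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1

    # Confirm the token is gone before reporting success.
    if grep -qF "$token" "$plist"; then echo "token still present" >&2; return 5; fi
    return 0
}
```

Run it from the root shell opened with sudo -s, giving the affected account's user name as the argument, then exit and log out as in the remaining steps.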