#1
Prospect
Join Date: Apr 2007
Posts: 12
passwd general failure for non-admins
I'm running 10.7.3 server. When a non-admin user issues the "passwd" command, the response is "general failure". Is this expected behavior? I can't find it in the man page.
Part 2 of my question: If that's not going to work, I need to find another way to change passwords. I have several non-admin user accounts created only for wiki access. They do not have ssh or AFP or GUI login access. I wanted to use this php script (http://msyk.net/macos/changepassword), which works using the passwd command. But if that's not going to work, what am I supposed to do?
#2
Hall of Famer
Join Date: Feb 2003
Location: Brighton, UK
Posts: 3,811
Standard users will not be able to use the passwd command, even with their own account, as I think it is a restricted binary for admin users/sudoers.
However, users can use the Server "web portal" to change their password once it is all turned on in Server.app and the default web services site is being served out on the network. You edit the Default site > "Allow User to change their password" checkbox. However, you have to have Profile Manager enabled for this to work, which opens another can of worms ;-)
#3
Prospect
Join Date: Apr 2007
Posts: 12
Oh great. That is a can of worms indeed. Here are the problems I have:
1. When I try to enable Profile Manager in Server.app, it looks like it's on, but then if I leave that pane or quit the app and come back to it, Profile Manager is turned off.
2. If I try to configure Profile Manager in Server.app, it says "This certificate isn't signed by a trusted certificate authority..." I'm using a self-signed certificate, but it won't let me simply dismiss the error.
3. In the Web server pane, if I try to edit the default site, all the options are greyed out, including the one to allow users to change their password.
#4
Hall of Famer
Join Date: Feb 2003
Location: Brighton, UK
Posts: 3,811
Welcome to Lion Server :-) It is still very quirky.
Too late here to go into it. But it involves resetting Profile Manager, maybe web services, and getting a push notifications cert; a self cert is OK for small installs. But you could also look at using /etc/authorisation; it may allow you to achieve allowing password changes in Sys Prefs.
#5
Prospect
Join Date: Apr 2007
Posts: 12
Thanks for the tips. I got Profile Manager to work by simply resetting some of Apache's config as described here. So now the password change web portal is working, but only for admin users. If a non-admin tries, it gives the error: "Your request could not be completed. The password server may be unavailable." Any ideas here?
#6
Hall of Famer
Join Date: Feb 2003
Location: Brighton, UK
Posts: 3,811
I have seen this issue when the users were first created as local users and then OD is enabled.
Is this the case? If so, you will have to recreate/reimport the users into OD. Or, to test, create a new OD standard user and see if password reset works. You can also check WGM > Username > Advanced Tab > Options to see if "Allow User to change password" is checked.
#7
Prospect
Join Date: Apr 2007
Posts: 12
I'm sort of fuzzy on the OD. I've never thought we had a need for it, but maybe we do now. I did create the users using WGM. But I'm not really sure if we're even running OD. How do I tell if a user is local or OD?
#8
Hall of Famer
Join Date: Feb 2003
Location: Brighton, UK
Posts: 3,811
Welcome to the wonderful but PITA world of directory services. It is a big topic, but many of the services on Lion Server are reliant on having OD user accounts, not local user accounts.
What is your setup? And what are you trying to achieve? Network accounts and local accounts are different. In the Server app, if there is a little blue globe next to the user, and more than likely the user ID is >1000, this is a network account. Once a machine is bound to the directory you can log in with these network acc details and have either a local home directory, a portable home directory or a network home directory. Big topic :-) I think some reading is in order....
#9
Prospect
Join Date: Apr 2007
Posts: 12
OK, I figured out a lot of things this weekend. All my user accounts had UIDs above 1000 because they were created in Leopard's Open Directory. For some reason, Open Directory had been turned off between then and now, so the Lion user accounts were all local. I deleted them all, enabled Open Directory, then recreated network users, and all is well. Users can change their own passwords via the web portal. Thanks for all your help!
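
An added example, not part of the original thread: one way to answer the question in #7 (local or OD?) by reading the directory node that holds the account record instead of inferring it from the UID, which #9 shows can mislead. It assumes macOS `dscl`; the function names and the sample records in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an account by the directory node holding its record.

# Pull the node path out of `dscl ... -read ... AppleMetaNodeLocation` output.
# dscl prints a value on the key's line, or indented on the following line
# when the value contains spaces; handle both layouts.
node_from_dscl_output() {
    awk '
        /^AppleMetaNodeLocation:/ {
            sub(/^AppleMetaNodeLocation:[ \t]*/, "")
            if ($0 != "") { print; exit }
            want = 1; next
        }
        want { sub(/^[ \t]+/, ""); print; exit }
    '
}

# Map a node path to an account type.
classify_node() {
    case "$1" in
        /Local/*)  echo "local" ;;
        /LDAPv3/*) echo "network (Open Directory/LDAP)" ;;
        "")        echo "not found" ;;
        *)         echo "other: $1" ;;
    esac
}

# $1 = short user name. Searches every node in the search path (needs dscl).
account_origin() {
    out=$(dscl /Search -read "/Users/$1" AppleMetaNodeLocation 2>/dev/null) || out=""
    classify_node "$(printf '%s\n' "$out" | node_from_dscl_output)"
}

# Constructed sample records: a UID above 1000 does not imply a network account.
demo() {
    printf 'uid 1025 -> %s\n' \
        "$(printf 'AppleMetaNodeLocation: /Local/Default\n' | node_from_dscl_output | { read -r n; classify_node "$n"; })"
    printf 'uid 1026 -> %s\n' \
        "$(printf 'AppleMetaNodeLocation: /LDAPv3/127.0.0.1\n' | node_from_dscl_output | { read -r n; classify_node "$n"; })"
}

# Query a real account only when a name is given and dscl is present.
if [ -n "${1:-}" ] && command -v dscl >/dev/null 2>&1; then
    account_origin "$1"
fi
```
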
#10
Hall of Famer
Join Date: Feb 2003
Location: Brighton, UK
Posts: 3,811
Glad to be of help and well done for getting it all sorted.