Question about Changing User Passwords with Root on Tiger Server

Discussion in 'Apple' started by sammysheep, Nov 14, 2005.

  1. sammysheep

    sammysheep Guest

    Suppose you are running Mac OS X Server 10.4 and would like to change a
    user's password for whatever reason by logging in as the root user.

    You might use "passwd userName" and see the following dialogue under
    the normal Tiger OS:

    root# passwd userName
    Changing password for userName.
    New password:
    Retype new password:

    However, in the Tiger Server case I get an additional prompt asking for
    the root password, which, though the *correct* root log-in password is
    supplied, always fails. Consider the following dialogue:

    root# passwd userName
    Changing password for userName.
    New password:
    Retype new password:
    password for root:

    MY QUESTION: Under Mac OS X Server is there a policy file that may
    restrict root from overriding user passwords? Or perhaps, does the
    authentication process in OS X Server create root passwords in two
    different places?

    Thanks for any advice in this matter.
    sammysheep, Nov 14, 2005
  2. Simon Slavin

    Simon Slavin Guest

    Under OS X Client, the root account is disabled by default.
    Under OS X Server, the root account is enabled by default. But you don't
    know what the password is.

    Use 'sudo' to run passwd. Don't use root.

    Simon Slavin, Nov 16, 2005
  3. sammysheep

    sammysheep Guest

    In my case, root exists on both machines. Here is the kicker for the
    problem though:

    Whether using root or merely using sudo, the only passwords I can
    change are ones whose authentication authority is "ShadowHash", meaning
    the local shadow database in "/var/db/shadow/" is used for

    The ones I can't change have "ApplePasswordServer" as their
    authentication authority. As far as I can figure, the root user on the
    system (who also uses ShadowHash) is different from the root/admin user
    for LDAP (the service that Open Directory presumably talks to when it
    sees "ApplePasswordServer" as my authentication authority).

    Moreover, when I do a "mkpassdb -dump" there is no user labeled root or
    admin in one of the slots, so perhaps the LDAP superuser must be given
    explicit control in a configuration file somewhere. I'd like for the
    system root user to be able to act as the root of LDAP without being
    bothered by extra passwords, but I just don't know how to accomplish

    Any help or advice in this matter is GREATLY appreciated. Thanks.
    sammysheep, Nov 17, 2005
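
The distinction drawn in the post above, as an added example that is not part of the original thread: a shell helper that classifies an account by its authentication authority, so you can tell before running passwd whether the change goes to the local shadow database or to Password Server (where, per this thread, a separate directory credential is asked for). The function names, the assumed layout of the value after ";ApplePasswordServer;" and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example. Values are constructed; on a real system they would come from
# the account's AuthenticationAuthority attribute (e.g. read with dscl).

# auth_backend VALUE
# Prints "passwordserver <id>", "shadowhash" or "other".
auth_backend() {
    case "$1" in
        # Checked first: a multi-valued attribute may carry several tags.
        *";ApplePasswordServer;"*)
            # Assumed layout: ;ApplePasswordServer;<id>,<key>:<address>
            ps_id=${1#*";ApplePasswordServer;"}
            ps_id=${ps_id%%,*}
            printf 'passwordserver %s\n' "$ps_id"
            ;;
        *";ShadowHash;"*)
            printf 'shadowhash\n'
            ;;
        *)
            printf 'other\n'
            ;;
    esac
}

# needs_directory_admin
# Reads "user<TAB>authority" lines on stdin and prints the users whose
# password is held by Password Server rather than /var/db/shadow/.
needs_directory_admin() {
    while IFS="$(printf '\t')" read -r user authority; do
        case "$(auth_backend "$authority")" in
            passwordserver*) printf '%s\n' "$user" ;;
        esac
    done
}

# Constructed sample accounts (names, ID, key and address are made up).
sample_accounts() {
    printf 'alice\t;ShadowHash;\n'
    printf 'bob\t;ApplePasswordServer;0x0000000000000003,1024 35 12345 root@server.example.com:192.0.2.10\n'
    printf 'carol\t;ExampleOther;\n'
}

sample_accounts | needs_directory_admin
```
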
  4. tycho

    tycho Guest

    > In my case, root exists on both machines.

    root is present in Mac OS X, but not activated for login.
    Normally there is a root user created in the LDAP domain when you
    promote the server to OD master. Strange you couldn't find that user
    in the password database with "mkpassdb -dump", normally he occupies
    slot #2.
    Password for this root user is the same as the directory admin you
    gave when promoting to OD master.
    Was this a clean 10.4 install or upgrade from an earlier version?

    tycho, Dec 1, 2005
