When Admin is not Admin



unclemac
07-06-2004, 03:35 PM
OK Gurus, here is a riddle:

If I clone or install 10.3.x, and create a second (third, fourth, fifth) user, and check the Admin box in Accounts for the newly created user, why is the new admin user not a full admin user? And what is he?

Let me 'splain.

If, in this situation, I delete the first user - the one created with the Setup Assistant during a fresh install - I cannot do certain things, such as install software with the only existing user (the second account to be setup). The proof is going to NetInfo to try and authenticate. Cannot do it. Cannot turn on root, without an "admin" password...keeping in mind that the only user on the box *is* an admin user according to Accounts, just not the original admin user....

Seen this several times consistently, which has me begging the questions:

-Can any user ever be a *real* admin, except the first created via the Setup Assist?
-Any way to change a *fake* admin to a *real* admin via the GUI???
-Anybody else ever see this?

Hope this is a simple one, cause I would love to be dumb and wrong about this... So far, all I have been able to do is rename the original admin user via Accounts (and Netinfo for short user name) as opposed to deleting it.

ricks
07-06-2004, 03:52 PM
BatSignal to Jazzbo:

http://www.macgurus.com/images/batlogo.gif

Jazzbo
07-06-2004, 07:48 PM
I'm thinking that it comes down to a user's group affiliation.

There are two groups involved in administering the system as an "Admin" user: 'admin' and 'wheel'. In particular, the 'wheel' group is the one that sudo is configured to allow to become the root user during installation and such.

In NetInfo Manager, select the 'groups' table and then each of those two groups. Verify that the userid in question is a member of each. You should be able to (1.) toggle the "users" definition into a list and (2.) Duplicate (Edit->Duplicate or Command-D) an existing entry, then change the clone to the (short) username of the account needing administrative privileges.

Save the table when you're done, then select Management->Restart Local NetInfo Domains to be sure the new data are live.

The next time that account logs in, s/he should have administrative access.

Jazzbo

unclemac
07-07-2004, 12:30 AM
Hi Jazz,

Sweet!

Whatdaya think, is this me gettin stuff twisted, or is it a case of "it just does that"? Seems like I have noticed this before, but not ever pursued it...don't recall this with 10.2, but it was so different (in my limited view anyway) whenever mucking around with this sorta stuff: deleting users, tweaking NetInfo/user shortname, etc.

If I can carve out some time, I will try to document whatever I can duplicate. Hopefully it is all me, or as simple as your tip to tweak.

Thanks a million!

Jazzbo
07-07-2004, 10:15 AM
Hiya, Unk

We'll be able to guess better what happened once the results of your inspection of the group table are known. If you have "Admin" users that aren't in both of those groups, perhaps we've uncovered a bug in the Accounts preference pane. I haven't seen this one before, and all I'm really going on is a surmise about what underlying issue could yield the symptoms.

Jazzbo

eric
07-07-2004, 10:17 PM
Hey guys,

One thing to bear in mind is that Apple has changed group membership for admins over the years.

In the early versions of OS X, admins were by default members of both admin and wheel. But somewhere (either 10.2.x or 10.3.x), they changed things: admins are no longer by default members of wheel (only admin). I can't remember at which point this switch occurred, but I'm pretty sure it was 10.2.x -- although point is moot since unclemac's using 10.3.x. (I remember this switch since it caused me some probs with syncing with Palm Desktop, until Palm updated the software.)

It wouldn't surprise me if only root is a member of wheel. That's all I'm seeing now -- I wiped my HD and installed 10.3.x clean.

I also recall some posts at Apple about problems activating root with NetInfo Manager. I didn't really follow the threads however. Could be a problem with NetInfo Manager itself or how it sits on top of the unix tools. (There is somewhere buried the sudoers list -- I forgot where.)

Have you tried activating root from the command line while logged in with these other admin accounts? Use: sudo passwd root

oldfogey
07-08-2004, 07:14 AM
Hi Eric

"It wouldn't surprise me if only root is a member of wheel"

Yes, as of 10.3.

"There is somewhere buried the sudoers list -- I forgot where."

/etc/sudoers. But this only lists groups, not individual users.

BTW if you "Allow this user to administer this computer", he becomes a member of "appserverusr", group 79, and "appserveradm", group 81, as well as "admin", group 80, at least on my machine.

Also "activating root from the command line" doesn't play nicely with NetInfo Manager's "Enable Root User" any more. Wait for Tiger to sort this out, I guess!
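
Added example, not part of any post in this thread: one way to check from the command line which group actually gives an account sudo rights, by matching the account's groups against the `%group` rules in a sudoers file. The sudoers text and the group list below are constructed samples (the group names are the ones mentioned in the thread, plus an assumed `staff`), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample input. On a real system, read /etc/sudoers as root
# instead; its contents may differ from this sample.
SAMPLE_SUDOERS='# sudoers file (constructed sample)
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
'

# Read sudoers text on stdin and print each group that has a %group rule.
# Lines whose first field starts with # are treated as comments and skipped.
sudoers_groups() {
    awk '$1 ~ /^#/ {next} $1 ~ /^%/ {print substr($1, 2)}' | sort -u
}

# sudo_groups_for "<space-separated groups of the account>" "<sudoers text>"
# Prints the groups through which the account is granted sudo.
# Returns 1 (and prints nothing) when no group rule applies.
sudo_groups_for() {
    user_groups=$1
    sudoers_text=$2
    found=""
    for g in $(printf '%s\n' "$sudoers_text" | sudoers_groups); do
        for ug in $user_groups; do
            if [ "$ug" = "$g" ]; then
                found="$found $g"
            fi
        done
    done
    found=${found# }
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Constructed group list for an account with the Admin box checked.
sudo_groups_for "staff admin appserverusr appserveradm" "$SAMPLE_SUDOERS"
```

On a live system the first argument would come from `id -Gn shortname`, which lists the groups the account really belongs to, whatever the Accounts pane shows.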

eric
07-08-2004, 08:53 AM
Hey oldfogey,

I'm glad you stopped by to give some comments on this one. I was thinking I'd have to send you a bat signal on this. But lo and behold it's already here.

Thanks for the heads up about the command line and NI Manager. I always do it from the command line, so I suppose I should keep doing it for awhile.

Thanks.

unclemac
07-08-2004, 09:48 AM
Thanks for all the input on this everyone.

As you can tell I have not done much digging on this, so this is all new to me. Not to mention over my head. No, have not tried anything as serious as command line yet, was hoping this was something simple that I had missed and was saving the heavy lifting (CLI) for last....not a pressing problem, more of a mystery to be solved at this point.

A reader's digest recap:

I think anyone can test to see if this is in fact a 10.3 bug/oversight by simply creating a new account with admin permissions, and then testing if one can do everything admin (enable root, install apps, tweak permissions, etc.) while using this new account.

If one cannot, then admin is not admin. Not to be hardheaded, but, well, that ain't right!

I know with the help of Unix wizards (thanks wizards!!) almost anything is possible, but it should not be that hard. Let's face it: most people buy and use Macs so that they don't have to fight these sort of battles.

oldfogey
07-08-2004, 04:19 PM
"Not to be hardheaded, but, well, that ain't right!"

No, it isn't, and I have no explanation for it. Apple changed the method of storing passwords between 10.2 and 10.3. Did they tell anyone? What do you think?

When I saw your post I thought I would check my 'test' admin account and was somewhat surprised to see it no longer had admin privileges! Now, it could have been me messing around, I don't remember. It *could* have happened when I did an Archive and Install of 10.3.

Anyway, I altered that in the "Accounts" pane of System Preferences and then checked the groups assigned for that account; all seemed well, as I posted. I have since checked using NetInfo Manager and all is OK there too.

My 'test' admin has all the same privileges as my original admin account. There really is *no* distinction. Either an account is a member of the 'admin' group or it isn't. That's the only qualifying factor.

That's not to say there aren't bugs. As I posted above, NetInfo Manager doesn't always play nicely with other "account-related" activities, although in my case it seems to have done the right thing for System Preferences. I think all the signs are that NetInfo Manager will eventually get dropped.