Our OSX server 4 Yosemite 10.10 is bound to AD, where an unrelated user "operator" exists. Reportedly the OSX server tries to use the account "operator" without the proper password, and this action locks the valid AD account "operator".
What service in OSX server needs to authenticate as user "operator"?
1 Answers
`operator` is a system group with `gid=5` at least on OS X 10.10.5, you can find this by running:

```
dscacheutil -q group |grep -A2 "name: operator"
```

Which should produce this output on a non-AD linked system:

```
name: operator
password: *
gid: 5
--
name: operator
password: *
gid: 5
```
I know that shows the group name not the user, but it is a start in the right direction I think. I am working on figuring out what that group is used for and will update the answer when I have figured it out.
I know that using LDAP it is possible to override certain local user and group settings, one example would be with the `%wheel` group which is typically `gid=10`. It should be possible to do something similar with the `operator` user and/or group with AD but I am not certain what specific configurations on the server and host would be required.
I was able to find a bit more information and historical context for the `operator` user at this answer. I am still trying to work out if the user is actively used or has been deprecated but is still included.
- Thank you for the information on the group "Operator". Additional information from the security log is "Message=Kerberos pre-authentication failed." I stopped non-critical services and synchronised the mac clock to the same server as the AD clock. – Paul Sep 10 '15 at 13:41
- I am still looking into what the operator user does modernly but updated the answer with a link that has more info about the historical context of the `operator` user. – Matt Sep 10 '15 at 15:31
- Thanks Matt, the historical context is interesting. In server logs I did not find any error authenticating or even mentioning user "operator". Your link indicates to me that I should look into the OS logs rather than server logs. Paul – Paul Sep 11 '15 at 20:11
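
Building on the `dscacheutil` check in the answer, here is an added example (not written by anyone in this thread) that reports how many records a name resolves to and whether they carry different ids, which is the first thing to establish when a local name such as `operator` also exists in AD. `ds_summary`, the sample functions and the large gid are hypothetical and constructed; that an AD record appears in the same listing on a bound Mac is an assumption.

```shell
#!/bin/sh
# Added example: summarise dscacheutil records for one name.
# Feed it `dscacheutil -q group` (key gid) or `dscacheutil -q user` (key uid).
# ds_summary is a hypothetical helper, not a macOS command.
ds_summary() {
    # Name and key go through the environment so a backslash in an
    # AD-style name is compared literally.
    WANT="$1" KEY="${2:-gid}" awk '
        # Each record starts with "name: "; raw output separates records with
        # blank lines, grep -A2 output with "--". Both are handled.
        /^name: / { hit = (substr($0, 7) == ENVIRON["WANT"]); if (hit) records++; next }
        hit && $1 == (ENVIRON["KEY"] ":") && !($2 in seen) {
            seen[$2] = 1; distinct++
            ids = (ids == "" ? $2 : ids "," $2)
        }
        END {
            printf "%s records=%d ids=%s%s\n", ENVIRON["WANT"], records,
                   (ids == "" ? "-" : ids), (distinct > 1 ? " CONFLICT" : "")
        }'
}

# The grep output quoted in the answer (non-AD system).
sample_local() { cat <<'EOF'
name: operator
password: *
gid: 5
--
name: operator
password: *
gid: 5
EOF
}

# Constructed: an unfiltered listing in which a directory group reuses the name.
sample_bound() { cat <<'EOF'
name: operator
password: *
gid: 5

name: staff
password: *
gid: 20

name: operator
password: *
gid: 1847203945
EOF
}

sample_local | ds_summary operator
sample_bound | ds_summary operator
```

On a real host, pipe `dscacheutil -q group` (or `dscacheutil -q user` with `uid` as the second argument) into `ds_summary operator`; a `CONFLICT` result means the name maps to more than one id in that listing.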