VMWare View 4.5 users are no longer able to access virtual desktops

  • 7007231
  • 18-Nov-2010
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 SP1 (OES2SP1)
Novell Open Enterprise Server 2 SP2 (OES2SP2)
Domain Services for Windows
DSFW

Situation

New installs of VMWare View 4.5, and upgrades from earlier versions of VMWare View to View 4.5, are affected.

A View Client user sees the assigned desktop pools, but receives error "Your user account is disabled" when starting a session.

View Client requests the user's logonHours attribute when the virtual desktop is accessed. In DSfW that attribute is not present unless it has been explicitly set, so the request fails and the session is refused.

Resolution

Apply the November 2010 Scheduled Maintenance Patch or OES2SP3 to resolve this issue.

Until the patch is applied, the workaround is to populate the logonHours attribute for each user.

Below is a script that populates logonHours with the default setting (all hours allowed) for all users in a domain.

On the DSfW server, create a file called logonHours.pl (touch logonHours.pl).
Change the permissions to executable (chmod +x logonHours.pl).
After copying the script into the file, run it (./logonHours.pl). You will be prompted for the domain administrator DN and password, and the script does the rest.
#!/usr/bin/perl
##############################################################################
# logonHours.pl
# Populate the logonHours attribute of every domain user with the default
# "all hours allowed" value (21 bytes of 0xff).
##############################################################################

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control;

# set the environment variables used by ldapsearch and the SASL EXTERNAL bind
$ENV{'LDAPCONF'} = "/etc/opt/novell/xad/openldap/ldap.conf";
my $arch = `arch`;
chomp($arch);    # `arch` prints a trailing newline; without chomp the test below never matches
if (lc($arch) eq "x86_64") {
    $ENV{'SASL_PATH'} = "/opt/novell/xad/lib64/sasl2";
} else {
    $ENV{'SASL_PATH'} = "/opt/novell/xad/lib/sasl2";
}

# Get the Domain Naming Context from the root DSE
my $val = `/usr/bin/ldapsearch -Q -LLL -Y EXTERNAL -b "" -s base | grep -i defaultNamingContext`;

my @mems = split(/:/, $val, 2);
die "Could not read defaultNamingContext from the root DSE\n" unless defined $mems[1];
my $domainNamingContext = $mems[1];
chomp($domainNamingContext);
$domainNamingContext =~ s/^\s+//;

print "Domain Naming Context : $domainNamingContext\n";

# Get the Domain Name from the root DSE
$val = `/usr/bin/ldapsearch -Q -LLL -Y EXTERNAL -b "" -s base | grep -i dnsDomain`;

@mems = split(/:/, $val, 2);
die "Could not read dnsDomain from the root DSE\n" unless defined $mems[1];
my $dnsDomain = $mems[1];
chomp($dnsDomain);
$dnsDomain =~ s/^\s+//;

print "Domain Name : $dnsDomain\n";

# Get the partition the domain is mapped to
my $mappedNC = "";
open FH, "</etc/opt/novell/xad/xad.ini" or die "/etc/opt/novell/xad/xad.ini file not found";
while (<FH>) {
    if (/^Mapped Domain NC = /i) {
        $mappedNC = $_;
        $mappedNC =~ s/^Mapped Domain NC = //i;
        chomp($mappedNC);
        last;
    }
}
close FH;

die "Mapped partition information for this domain is not available. Check the /etc/opt/novell/xad/xad.ini file\n" if ($mappedNC eq "");

print "Domain mapped to partition : $mappedNC\n";

# Get the Domain Administrator Name
my $domainAdmin = "cn=Administrator,cn=users,$domainNamingContext";

print "Enter the Domain Administrator [$domainAdmin]: ";
my $domainAdmin_input = <STDIN>;
chomp($domainAdmin_input);

if ($domainAdmin_input ne "") {
    $domainAdmin = $domainAdmin_input;
}

# Get the Domain Administrator Password without echoing it to the terminal
print "Enter the Domain Administrator Password: ";
system("stty -echo");
my $password = <STDIN>;
chomp($password);    # chomp only strips the newline; chop would eat the last character of a password without one
system("stty echo");
print "\n";

# Create the Novell-specific LDAP control that the modify is sent with
my $ctrl = Net::LDAP::Control->new(
        type     => "2.16.840.1.113719.1.513.4.5",
        value    => "1",
        critical => 1 );

my $ld = Net::LDAP->new($dnsDomain, scheme => "ldaps", port => 636) or die "$@";

my $mesg = $ld->bind($domainAdmin, password => $password);
die "LDAP bind failure: " . $mesg->error . "\n" if ($mesg->code != 0);

# Search the Domain users (samAccountType 805306368 = normal user accounts)
my $filter = "(&(objectClass=user)(samAccountType=805306368))";
$mesg = $ld->search(
            base   => $domainNamingContext,
            scope  => "sub",
            filter => $filter);
die "LDAP search failure: " . $mesg->error . "\n" if ($mesg->code != 0);

# 21 bytes of 0xff: every hour of the week is allowed
my $attrvalue = "ffffffffffffffffffffffffffffffffffffffffff";
my $hex = pack("H*", $attrvalue);

# Iterate through the domain users and set the logonHours attribute
for (my $idx = 0 ; $idx < $mesg->count ; $idx++) {
    my $entry = $mesg->entry($idx);
    my $dn = $entry->dn;
    chomp($dn);

    # Rewrite the DN onto the mapped partition; \Q..\E keeps DN characters literal in the regex
    $dn =~ s/\Q$domainNamingContext\E/$mappedNC/g;
    print "Modifying entry $dn \n";

    my $res = $ld->modify($dn, replace => [ 'logonHours' => $hex ],
                          control => $ctrl);
    if ($res->code != 0) {
        die "Modify failed $dn : " . $res->error . "\n";
    }
}

$ld->unbind();
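The script writes 21 bytes of 0xff, which in the logonHours bitmap means every hour of the week is allowed. The following added example (Python, not part of this TID or its script) encodes and decodes that bitmap and audits constructed sample entries for a missing or all-zero logonHours value; the bit layout used (Sunday 00:00 UTC first, low bit of each byte first) is an assumption of this example.

```python
# Added example, not from the TID or its script: encode/decode the 21-byte
# logonHours bitmap and audit constructed entries.  Bit layout assumed: bit n of
# the 168-bit map is hour n of the week from Sunday 00:00 UTC, low bit first.
from typing import Dict, List, Optional, Tuple

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
ALL_HOURS_HEX = "ff" * 21   # the value the TID's script writes for every user

def encode_logon_hours(allowed: List[Tuple[str, int, int]]) -> bytes:
    """Build a logonHours value from (day, start_hour, end_hour) ranges, end exclusive."""
    bits = 0
    for day, start, end in allowed:
        if not 0 <= start < end <= 24:
            raise ValueError(f"bad hour range {start}-{end} for {day}")
        base = DAYS.index(day) * 24
        for hour in range(start, end):
            bits |= 1 << (base + hour)
    return bits.to_bytes(21, "little")

def decode_logon_hours(value: bytes) -> Dict[str, List[int]]:
    """Return the allowed hours per weekday; an empty list means no logon that day."""
    if len(value) != 21:
        raise ValueError(f"logonHours must be 21 bytes, got {len(value)}")
    bits = int.from_bytes(value, "little")
    return {day: [h for h in range(24) if (bits >> (i * 24 + h)) & 1]
            for i, day in enumerate(DAYS)}

def audit_entries(entries: Dict[str, Optional[bytes]]) -> Dict[str, str]:
    """Flag users whose logonHours is absent (the case behind the View error)
    or present but all zero (no hour of the week allowed)."""
    findings = {}
    for dn, value in entries.items():
        if value is None:
            findings[dn] = "missing"
        elif not any(value):
            findings[dn] = "all-zero"
    return findings

# Constructed sample entries, not real directory data
SAMPLE = {
    "cn=alice,cn=users,dc=example,dc=com": bytes.fromhex(ALL_HOURS_HEX),
    "cn=bob,cn=users,dc=example,dc=com": None,
    "cn=svc,cn=users,dc=example,dc=com": bytes(21),
    "cn=carol,cn=users,dc=example,dc=com": encode_logon_hours([("Mon", 8, 18), ("Fri", 8, 12)]),
}

if __name__ == "__main__":
    for dn, problem in audit_entries(SAMPLE).items():
        print(f"{problem:8s} {dn}")
```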

Additional Information

The patch does not populate logonHours the way the script does. The logonHours attribute is still not present unless it is explicitly set; instead, the loginAllowedTimeMap attribute is mapped to logonHours, so a logonHours value is returned over LDAP.

Over NDAP (the ConsoleOne Others tab), the attribute is not present unless it is explicitly set.

The patch works for the following conditions:

- logonHours attribute is not present (default unless explicitly set).
- loginAllowedTimeMap is present and is mapped to logonHours.