User masquerading in Lion Server
One useful feature for administrators is user masquerading, which allows an administrator to authenticate as a specific user over AFP. While this does not work for Kerberos or at the LoginWindow, it provides a useful way to test file permissions on home directories and to verify group membership when SACLs (Service Access Control Lists) are used.
In versions prior to Lion, there was an option in the AFP settings to enable this capability. With “Allow administrator to masquerade as any registered user” checked, you can log in with any username and supply the password of the administrator (root) account in place of that user's password. In Lion, however, there is no option to set this. To enable it in Lion, you will need to do the following:
- Navigate to /Library/Preferences
- Copy to a safe location com.apple.AppleFileServer.plist (to have a backup)
- Open com.apple.AppleFileServer.plist and change the key attemptAdminAuth from No to Yes
- Save the file
- Restart AFP
Once that is done, you will be able to use the password for your admin account on any user account authorized to access an AFP share on that server.
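The backup-edit-save steps above, as an added example that is not part of the original post: it uses Python's standard-library plistlib (which reads both XML and binary plists, so the Yes/No vs. true/false rendering of the editor does not matter) and works on a constructed copy of the file in a temporary directory rather than the real /Library/Preferences path. The read function doubles as an audit check, since a server with attemptAdminAuth enabled accepts the admin password for any AFP user. Restarting AFP is still a separate step.

```python
import plistlib
import shutil
import tempfile
from pathlib import Path

# Real location on a Lion Server; the demo below never touches it.
AFP_PLIST = Path("/Library/Preferences/com.apple.AppleFileServer.plist")
KEY = "attemptAdminAuth"


def read_attempt_admin_auth(path):
    """Audit check: return the current attemptAdminAuth value (False if absent)."""
    with open(path, "rb") as f:
        prefs = plistlib.load(f)
    return bool(prefs.get(KEY, False))


def set_attempt_admin_auth(path, enabled):
    """Back up the plist beside itself, set the key, write it back.
    Returns the backup path so the change can be reverted."""
    path = Path(path)
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    with open(path, "rb") as f:
        prefs = plistlib.load(f)
    prefs[KEY] = bool(enabled)          # Property List Editor shows this as Yes/No
    with open(path, "wb") as f:
        plistlib.dump(prefs, f, fmt=plistlib.FMT_XML)
    return backup


def make_sample_plist(directory):
    """Constructed sample file: masquerading disabled, as shipped."""
    path = Path(directory) / "com.apple.AppleFileServer.plist"
    with open(path, "wb") as f:
        plistlib.dump({KEY: False}, f)
    return path


def demo():
    """Run the procedure on a scratch copy: (before, after, value in backup)."""
    with tempfile.TemporaryDirectory() as d:
        p = make_sample_plist(d)
        before = read_attempt_admin_auth(p)
        backup = set_attempt_admin_auth(p, True)
        return before, read_attempt_admin_auth(p), read_attempt_admin_auth(backup)


if __name__ == "__main__":
    print(demo())
```

On the server itself you would pass AFP_PLIST to set_attempt_admin_auth and then restart AFP; read_attempt_admin_auth alone is enough to verify whether the setting is already on.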
November 17, 2011 
Hey Randy,
I haven’t gotten this to work yet in my limited testing, but in the third step/bullet, are you sure you don’t mean change false to true? Also, can’t you achieve this via serveradmin, a la sudo serveradmin settings afp:attemptAdminAuth = yes?
Allister,
The Yes / No or True / False can depend on what app you are using to edit the plist. I’m using Property List Editor, which shows yes / no in the GUI and then gets changed to true / false for the CLI.
You can also use the command you provided which is a great way to manage systems so you don’t need to do the physical GUI touching.
Thanks for the feedback!
What about with clients? I have always had the following setup:
Client connected to OS X Server and Active Directory. AD user logs in they get a temporary home made from the local User Template. If a user locks the screen with a screen saver and I as an Admin have to login I could. Can’t do that anymore with Lion.
Dan,
I’m not sure on that one since I’m not using Lion with AD, but I would assume it should be the same as it has been before. I’ve always had fast user switching turned on, so when I’ve gotten the “User1” screen saver password I’ll switch back to the admin account to do work.