Posts RSS Comments RSS 48 Posts and 155 Comments till now

Enabling clear text passwords in Snow Leopard with AppleScript

Update: It appears that clear text passwords for AFP connections only work when booted into 32 bit mode. I’ve updated the script to check for which kernel the user is booted into. If they are running 64 bit it asks them if they want to switch to 32 bit. If they say “Yes” then it makes the switch and reboots the machine for them.

A nice article explaining how to see if you are running in 32 or 64 bit mode is here at MacObserver.

There is an Apple Knowledge base article dealing with servers but with good information on switching kernels here.

The procedure for enabling clear text passwords for AFP connections is the same in Snow Leopard as it is in Leopard with one very critical difference. The details about how and why are already in my post on Leopard. If you want the background information you should check out that page. This post will only deal with the Snow Leopard-specific changes.

The big change for enabling clear text passwords for Snow Leopard is that the .plist file is now a binary. This is something Apple has been moving towards since 10.4 and there is a built-in utility that allows you to change the format back and forth to allow for easy editing called “plutil”. The full path to it is “/usr/bin/plutil”

The flag we need to be aware of in “plutil” is the “-convert” flag. There are two formats that we’ll use for this flag, “xml1” and “binary1”.

To convert the plist file to XML to allow editing we have to run the following command:
/usr/bin/plutil -convert xml1 /Users/joe/Library/Preferences/com.Apple.AppleShareClient.plist

This will convert the file to XML for editing. Now we will do the actual editing. This line is the same as in Leopard.
defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool YES

Now that we have edited the file we have to convert it back to binary form. So we use the “plutil” tool again with a different format:
/usr/bin/plutil -convert binary1 /Users/joe/Library/Preferences/com.Apple.AppleShareClient.plist

Now the preference file is converted back to binary and can be used by the AFP client.

Here is an updated version of the Leopard AppleScript for changing this setting.

If you would prefer to download a pre-complied script file click below:
Snow Leopard Clear Text Script

[codesyntax lang=”applescript” lines=”no”]
set afp_pref_path to ((POSIX path of (path to preferences from user domain)) & “com.Apple.AppleShareClient.plist”)
set OS_version to (do shell script “sw_vers -productVersion”)
set kernel_answer to “”

--check if the user is running 32 or 64 bit kernel.
if OS_version contains “10.6” then
set kernel_version to (do shell script “/usr/sbin/systemsetup -getkernelbootarchitecturesetting”)
if kernel_version contains “x86_64” then
set kernel_answer to button returned of (display dialog “You are currently running in 64 bit mode. Clear text passwords only work in 32 bit mode. Would you like to change to 32 bit mode? This will require a restart.” buttons {“Yes, change it and restart”, “No, just enable clear text”} default button 1)
end if
end if

try
set clearStatus to (do shell script “defaults read com.Apple.AppleShareClient afp_cleartext_allow”) as number
on error
--the first command will throw an error if the afp_cleartext_allow setting does not exist
--if there is an error we’ll assume that the setting isn’t there and set our variable to the disabled setting
set clearStatus to 0
end try
--a status of “1” means it’s enabled. So ask if they want to disable it
if clearStatus is 1 then
display dialog “Do you want to disable clear text passwords?” buttons {“Cancel”, “Disable”} default button 2
if the button returned of the result is “Disable” then
do shell script “/usr/bin/plutil -convert xml1 ” & afp_pref_path
do shell script “defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool NO”
do shell script “/usr/bin/plutil -convert binary1 ” & afp_pref_path
set clearStatus to (do shell script “defaults read com.Apple.AppleShareClient afp_cleartext_allow”) as number
--check to make sure the change really took effect
if clearStatus is 0 then
display dialog “Clear text passwords have been disabled” buttons {“OK”}
else
display dialog “There was an error disabling clear text passwords!” buttons {“OK”}
end if
end if
else
display dialog “Do you want to enable clear text passwords?” buttons {“Cancel”, “Enable”} default button 2
if the button returned of the result is “Enable” then
do shell script “/usr/bin/plutil -convert xml1 ” & afp_pref_path
do shell script “defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool YES”
do shell script “/usr/bin/plutil -convert binary1 ” & afp_pref_path
set clearStatus to (do shell script “defaults read com.Apple.AppleShareClient afp_cleartext_allow”) as number
--check to make sure the change really took effect
if clearStatus is 1 then
display dialog “Clear text passwords have been enabled” buttons {“OK”}
else
display dialog “There was an error enabling clear text passwords!” buttons {“OK”}
end if
end if
end if

if kernel_answer contains “Yes” then
do shell script “/usr/sbin/systemsetup -setkernelbootarchitecture i386” with administrator privileges
do shell script “/sbin/shutdown -r now” with administrator privileges
end if

[/codesyntax]

19 Responses to “Enabling clear text passwords in Snow Leopard with AppleScript”

  1. on 02 Sep 2009 at 6:56 pmnwadmin

    I have tried this script on Snow Leopard 10.6

    But it still comes up with please check the servers name or ip address

    the macs with 10.5 still work with your other script that we put in earlier in the year but not with the latest 10.6

  2. on 03 Sep 2009 at 5:21 amAnnoyed

    This fails for me as well. Works when booting into 32bit mode tho.

  3. on 03 Sep 2009 at 9:41 amwebmaster

    As I understand it most if not all Macs should boot into 32 bit mode by default. I think only a few of the new servers are booting directly into 64 bit mode.

    However, it does look like clear text passwords don’t work for AFP when in 64 bit mode. That seems logical. Why make a 64 bit version of a very old protocol?

    I’ve updated the script to check the kernel version before changing things. If it’s running in 64 bit mode it will ask if they want to change it to 32 bit. If they say yes it will reset the mode and then restart the machine.

    I’ll be interested to know if this fixes things for those of you having problems. Please leave a comment if things are working or not.

    Thanks!

  4. on 04 Sep 2009 at 2:26 amMichael

    Unfortunately this doesn’t seem to work. I have checked that I’m booted into 32 bit & tried all the Terminal voodoo, the Applescript, etc. Does the fact that the Finder is running in 64 bit change this?
    I manage to get right to when the shares I can connect to show up (i.e. past the point where I’ve entered my username & password), but when I select one of them I get the “check with your administrator” message because the server name or ip address is not valid.

  5. on 04 Sep 2009 at 6:14 amAnnoyed

    Still fails when my Mac Mini is booted into 32 or 64 bit mode. There is an error in your script /usr/sbin/systemsetup -getkernelbootarchitecturesetting dosnt seem to detect wether i am in 64 bit. running the command uname -m does however. When i am in 64 bit mode it picks it up as x86_64 when i am in 32 bit mode it says i386

  6. on 04 Sep 2009 at 8:33 amwebmaster

    So far I can confirm that this does work when connecting to a netatalk server on Linux. Other then that I don’t have other machines to try it on. At least one other person confirms that it does work in 32 bit mode. So the issue here is trying to figure out where and why it doesn’t work.

    Michael’s post is interesting in that if it was the clear text authentication that was failing he shouldn’t be seeing shares. In that case its authorization, not authentication, that seems to be failing.

    I’ve found a potential bug in systemsetup when you upgrade to Snow Leopard instead of doing a clean install. “systemsetup” in upgraded machines doesn’t always seem to get upgraded and so it doesn’t have the “-getkernelbootarchitecturesetting” or the ability to reset what kernel you’re in, as at least one person has found out. In those instances it looks like you can at least use “uname” to find the architecture but you’ll have to manually reboot into the preferred mode. I have found at least one other person with this issue and in both cases after multiple reboots the command appeared. Go figure.

    Everyone should feel free to post information and experiences on getting clear text to work in Snow Leopard here. Maybe with everyone putting heads together we can all figure out where the issues are.

    What type of servers is clear text working on? Failing on? Feel free to post log entries if they are relevant.

  7. on 04 Sep 2009 at 5:18 pmMichael

    I did a clean install.
    At my work (a school) we basically have a bunch of Windows machines but to login to the Network we have to go through a Novell client. Screensharing between my various Macs at work still works fine as does file sharing.

  8. on 04 Sep 2009 at 5:38 pmMichael

    Have found the following. Looks like we are in for a bit of a wait.
    http://groups.google.com/group/macenterprise/browse_thread/thread/4ed6d432dd6c2b45

  9. on 04 Sep 2009 at 6:00 pmStone

    This worked. Beautiful. Took a microsecond.

  10. on 04 Sep 2009 at 7:31 pmAnnoyed

    OK, This works to Netatalk but not for appleshare windows

  11. on 14 Sep 2009 at 5:33 pmAlan

    Running in 32-bit mode and trying to connect to Novell servers. Get to the list of shares but receive the dialog :

    “http://www.aut.ac.nz/cms/

    There was an error connecting to the server “SHARE”. Check the server name or IP address, and then try again.

    If you are unable to resolve the problem contact your system administrator.”

    Did an upgrade but will try a clean install to see if that makes any difference.

  12. on 14 Sep 2009 at 6:45 pmwebmaster

    Check out the link in Michael’s comment above. It sounds like this is a known issue with Novell and Snow Leopard.

  13. on 14 Sep 2009 at 8:03 pmAlan

    Read that and hoped I could bypass it. Did a clean install and same results so I have to wait to see if the university is going to upgrade/patch in November.

  14. on 27 Oct 2009 at 2:11 amnwadmin

    It does work

    But with one extra step

    yes under 10.5 there was no problems
    but under snow leopard 10.6 if you created a new user it does not put com.apple.AppleShareClient.plist file under the user library preference folder once we copied this file into the folder it all worked

    but it is not the sort of thing that I would like to do for a campus though the file doe exist on the mac but it doesw not populate to the user folder area now

  15. on 27 Oct 2009 at 9:00 amwebmaster

    So, copying a com.apple.AppleShareClient plist file that’s had the changes made to it works in your situation? Or do you have to copy a fresh copy of the plist file and then make the changes to allow cleartext authentication?

    If the second is the issue then try adding this to the beginning of the script to create the file and then the script can modify it. You can send the script out to everyone via ARD or have them download and run it.

    set theUserPath to (the quoted form of POSIX path of (path to preferences from user domain))
    do shell script “touch ” & theUserPath & “com.apple.AppleShareClient.plist”

  16. on 02 Nov 2009 at 8:16 pmnwadmin

    Thanls for that addin for the script file but

    when I add the lines that you suggested below I get a syntax error
    Expected end of line, etc, but found unknown token at ” touch ”

    Been new to mac I dont know how to correct it can you advise

    nwadmin

    set theUserPath to (the quoted form of POSIX path of (path to preferences from user domain))
    do shell script “touch ” & theUserPath & “com.apple.AppleShareClient.plist”

  17. on 03 Nov 2009 at 8:40 amwebmaster

    You’re hitting one of those issues with “copy and paste” from a web page. Script Editor doesn’t like the quote marks around the command in the second line. Delete those quotes marks and re-enter them and it should work correctly.

  18. on 03 Nov 2009 at 3:25 pmnwadmin

    Thanks for the tip

    I will remember that

    I will test the new script addition in the coming weeks when we get the new mac pro’s in

  19. on 08 Nov 2009 at 11:21 pmnwadmin

    I have added the lines and when it runs I get this error

    /Users/admin/Library/Preferences/com.Apple.AppleShareClient.plist: Cannot parse a NULL or zero-length data