10.6 Workgroup Manager sees AD computers, won’t create OD computer account.

  • #377797
    xenedar
    Participant

    Hi –

    Having a problem with our upgraded OD setup. Our equipment was replaced, and we ended up with 10.6 Server. We operate with a Magic Triangle, which has worked for years and years.

    What I’m struggling with is that in Workgroup Manager, I need to create accounts for each of the machines, or rename existing ones (for various reasons). But I’m running into a message:

    “The name you have chosen conflicts with a name assigned to another computer.”
    “You can’t assign the name “TEST-02” to two different computers. Remember that names are not case-sensitive when checking for conflicts.”

    The computer does not exist in the OD domain. I’ve trolled through the whole thing, exported the entire database and looked through it, and that computer does not exist in the OD domain.

    However, it [i]does[/i] exist in the AD domain, since it has been added to AD for authentication. Workgroup Manager is seeing the AD account and figuring the one I’m trying to set up/rename in OD (/LDAPv3/127.0.0.1) is a duplicate. This is different than my experience on our (10.4) OD domain, where I could create OD computer accounts even if the server is in AD and an AD account for a computer already exists.

    I’ve confirmed this by disabling Active Directory in the server’s Search Policy. Once that’s done, I can create an account with the name I need. Once I re-enable Active Directory (to get back the AD users and groups), and add a computer to a Computer Group, Workgroup Manager sees two computer accounts when using the “Search Policy” (as opposed to /Active Directory/All Domains or /LDAPv3/127.0.0.1/).

    I can’t add the AD computer account to an OD computer group, because a) the AD accounts don’t have MAC addresses (or at least, the attribute is not mapped) and b) I don’t have write access to the AD domain to add the MAC anyway.

    I understand why it’s doing what it’s doing – DirectoryServices is seeing all the resources in all available directory services. I just seem to be missing something as to how to drive this thing correctly (and apparently, differently to 10.4). I have checked the 10.6 Open Directory guide, but didn’t see much there to help. Augmented records seemed kind of interesting, but as I understand it, they are for user records, not computers.

    The Triangle requires accounts in both OD and AD in order to work properly – so how do you do that and still be able to use the AD users and groups? And am I missing something stupidly obvious?

    #379739
    PuLSe
    Participant

    Just ran into this and found a workaround — use the dsimport tool. Create a text file with the following contents:
    [code]
    0x0A 0x5C 0x3B 0x2C dsRecTypeStandard:Computers 3 dsAttrTypeStandard:RecordName dsAttrTypeStandard:RealName dsAttrTypeStandard:ENetAddress
    TEST-02;TEST-02;aa:bb:cc:dd:ee:ff
    [/code]
    Edit the computer name and MAC address as needed. Copy the text file onto the OD master into /tmp/TEST-02-import.txt using scp or your favorite file transfer method, then run the following command:
    [code]
    /usr/bin/dsimport /tmp/TEST-02-import.txt /LDAPv3/127.0.0.1 I -username diradmin
    [/code]
    Enter diradmin’s password when requested. Adjust the filename and location to taste. Experienced dsimport users can adjust where the import happens from to taste. If you have multiple machines that are problems you can do each one on a separate line in the import file.

    Once this is complete you can edit the computer record using Workgroup Manager as usual. Given that this works through dsimport, I suspect it’s actually a Workgroup Manager bug.
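
For the multi-machine case mentioned in the post above, the following added example (not from the thread or from Apple) builds the import file from a list of name/MAC pairs and refuses to emit anything if a record is malformed. The function name, the "NAME MAC" input format and the allowed name characters are assumptions; the header line is copied from the post.

```shell
#!/bin/sh
# Added example: generate a dsimport file for several computers.
# Input (stdin): one "NAME MAC" pair per line -- an assumed, constructed format.
# Output (stdout): the header from the post plus one record per computer.
make_computer_import() {
    # 0x0A = end of record, 0x5C = escape, 0x3B (;) = field sep, 0x2C (,) = value sep
    header='0x0A 0x5C 0x3B 0x2C dsRecTypeStandard:Computers 3 dsAttrTypeStandard:RecordName dsAttrTypeStandard:RealName dsAttrTypeStandard:ENetAddress'
    records=''
    seen=' '
    while read -r name mac rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        # Allow-list of name characters (assumption). This also keeps the
        # delimiter and escape characters ; , \ out of the record fields.
        case $name in *[!A-Za-z0-9._-]*)
            echo "rejected name: $name" >&2; return 1 ;;
        esac
        # Normalise the MAC to lower case with colons, then check its shape.
        mac=$(printf '%s' "$mac" | tr 'ABCDEF-' 'abcdef:')
        printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || {
            echo "rejected MAC for $name: $mac" >&2; return 1; }
        # Names are compared without regard to case, as the WGM error notes.
        key=$(printf '%s' "$name" | tr 'a-z' 'A-Z')
        case $seen in *" $key "*)
            echo "duplicate name (case-insensitive): $name" >&2; return 1 ;;
        esac
        seen="$seen$key "
        records="$records$name;$name;$mac
"
    done
    # Nothing is printed unless every record passed validation.
    printf '%s\n%s' "$header" "$records"
}

# Constructed sample input; names and MAC addresses are placeholders.
make_computer_import <<'EOF'
# name     mac
TEST-02    AA-BB-CC-DD-EE-FF
TEST-03    00:11:22:33:44:55
EOF
```

Redirect the output to a file and pass that file to the dsimport command shown in the post.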

    #380207
    walt
    Participant

    Another way to work around this is to enable Inspector in WGM. Then create a “non-duplicate” computer via WGM (name it anything that won’t throw the error). Then on the newly created computer record’s inspector tab edit the RealName and RecordName attributes to be the actual name you want the computer to have. Then you won’t get the duplicate error. I filed a Bug Report with Apple about this, hopefully they’ll fix it.

    #381207
    WestNab
    Participant

    I have this problem using 10.5.8 WGM as well. Thanks for the posts, hopefully they’ll help …
