Active Directory Group Membership Resolution

    #380216 kennyj (Participant)

    I have a problem where Active Directory Group Membership is not properly resolved. I first noticed this by checking membership via the id command. An administrative user comes back fine with group membership, however a normal user only returns the “Domain Users” group. Performing a lookup using DSCL, I do see the correct group membership listed. I just found the dsmemberutil command and discovered that this also says that a user who is a part of a group is not. Please see my example below.

    I have opened a ticket with Apple on this as it is affecting the roll-out of some new servers. Has anyone come across this? I am using 10.6.5 Server and bound to Active Directory using the native tools. My shares are set up by adding an AD group to an ACL… obviously this isn’t working, but it does if I add users individually or add users to a local group on the server.

    One other thing I should state… I ran some tcpdumps and did notice a lot of bad-checksum packets… I don’t know if this is normal, but it seemed to be more than I would think is usual… almost every other packet.

    Example:

    Using DSCL to look up group membership of the ‘dltmacprd’ group:

    app14350ml:~ kedgar$ dscl
    Entering interactive mode… (type “help” for commands)
    > read Active\ Directory/ad.schoolspecialty.com/Groups/SCHOOLSPECIALTY\\dltmacprd GroupMembership
    GroupMembership:
    SCHOOLSPECIALTY\edgar-test, ken
    SCHOOLSPECIALTY\dickson, franklin
    SCHOOLSPECIALTY\connell, aileen
    SCHOOLSPECIALTY\silva, scott
    SCHOOLSPECIALTY\ackley, diane
    SCHOOLSPECIALTY\edgar, ken
    >

    Using dsmemberutil to verify that a user is a part of the group (kedgar is an administrative user):

    app14350ml:~ kedgar$ dsmemberutil checkmembership -U ssilva -G dltmacprd
    user is not a member of the group
    app14350ml:~ kedgar$ dsmemberutil checkmembership -U kedgar -G dltmacprd
    user is a member of the group

    Please drop me a line if you have seen similar issues and if you have or have not resolved it. I will keep this thread updated with my progress.

    -kennyj
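
The dscl-versus-dsmemberutil comparison above, scripted as an added example (not code from the thread or from Apple): it parses the GroupMembership block dscl prints, strips the DOMAIN\ prefix, and reports every listed member that the membership API failed to resolve. The transcript and resolved list are constructed so it runs offline; the live helper assumes the dscl record names are short names usable with `dsmemberutil -U`.

```shell
#!/bin/sh
# Added example (not code from the thread): parse the GroupMembership block
# that "dscl ... read /Groups/<group> GroupMembership" prints, strip the
# DOMAIN\ prefix, and list members the membership API did not resolve.
# SAMPLE_DSCL and SAMPLE_RESOLVED are constructed inputs so this runs offline.

# Constructed dscl interactive-mode transcript, prompt lines included.
SAMPLE_DSCL='> read Active\ Directory/example.test/Groups/EXAMPLE\\macadmins GroupMembership
GroupMembership:
EXAMPLE\alice
EXAMPLE\bob
EXAMPLE\carol
> '

# Constructed: only alice got "user is a member of the group" from dsmemberutil.
SAMPLE_RESOLVED='alice'

# parse_dscl_members: stdin = dscl output, stdout = one member name per line.
parse_dscl_members() {
    awk '
        /^GroupMembership:/ { inlist = 1; next }   # list starts after this header
        inlist && /^>/      { exit }               # next prompt ends the list
        inlist && NF        { sub(/^[^\\]*\\/, ""); print }  # drop DOMAIN\ prefix
    '
}

# unresolved_members MEMBERS RESOLVED: newline-separated lists; prints the
# entries of MEMBERS absent from RESOLVED (exact whole-line match, so names
# containing spaces or commas are compared safely).
unresolved_members() {
    { printf '%s\n' "$2"; printf '%s\n' '--END-RESOLVED--'; printf '%s\n' "$1"; } |
    awk 'state == 0 { if ($0 == "--END-RESOLVED--") state = 1; else if (NF) seen[$0] = 1; next }
         NF && !($0 in seen)'
}

# resolve_with_dsmemberutil GROUP: stdin = member names; stdout = the names
# that "dsmemberutil checkmembership" (the command used in the thread) accepts.
# Only meaningful on the bound OS X host; not exercised by the offline demo.
resolve_with_dsmemberutil() {
    while IFS= read -r user; do
        case "$(dsmemberutil checkmembership -U "$user" -G "$1" 2>/dev/null)" in
            'user is a member of the group') printf '%s\n' "$user" ;;
        esac
    done
}

# Offline demo: prints "bob" and "carol", the members dscl lists but the
# membership API failed to resolve, which is the symptom the thread describes.
members=$(printf '%s\n' "$SAMPLE_DSCL" | parse_dscl_members)
unresolved_members "$members" "$SAMPLE_RESOLVED"
```

On the bound server, replace the constructed inputs with `dscl` output piped through `parse_dscl_members` and the result of `resolve_with_dsmemberutil <group>`; a non-empty list is the mismatch to raise with the directory team.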

    #380698 kennyj (Participant)

    I resolved this by finding a white paper from Apple on AD Best Practices. I forwarded this to our Windows Engineer and he saw a part saying something about how you may need to modify the ACE for LDAP lookup. We have an LDAP lookup group for certain users that we placed the computer accounts for the servers in. Once this was done… voilà! Everything was working like magic!
