AFP548

Active Directory Group Membership Resolution

I have a problem where Active Directory group membership is not properly resolved. I first noticed this by checking membership via the id command. An administrative user comes back fine with group membership; however, a normal user only returns the "Domain Users" group. Performing a lookup using DSCL, I do see the correct group membership listed. I just found the dsmemberutil command and discovered that this also says that a user who is a part of a group is not. Please see my example below.

I have opened a ticket with Apple on this as it is affecting the rollout of some new servers. Has anyone come across this? I am using 10.6.5 server and bound to Active Directory using the native tools. My shares are set up by adding an AD group to an ACL... obviously this isn't working, but it does if I add users individually or add users to a local group on the server.

One other thing I should state... I ran some tcp dumps and did notice a lot of bad checksum packets... I don't know if this is normal, but it seemed to be more than I would think is usual... almost every other packet.

Example:

[b][i]Using DSCL to lookup group membership of 'dltmacprd' group[/i][/b]

[quote]
app14350ml:~ kedgar$ dscl
Entering interactive mode... (type "help" for commands)
 > read Active\ Directory/ad.schoolspecialty.com/Groups/SCHOOLSPECIALTY\\dltmacprd GroupMembership
GroupMembership:
 SCHOOLSPECIALTY\edgar-test, ken
 SCHOOLSPECIALTY\dickson, franklin
 SCHOOLSPECIALTY\connell, aileen
 SCHOOLSPECIALTY\silva, scott
 SCHOOLSPECIALTY\ackley, diane
 SCHOOLSPECIALTY\edgar, ken
 >
[/quote]

[b][i]Using dsmemberutil to verify that a user is a part of the group, kedgar is an administrative user[/i][/b]

[quote]
app14350ml:~ kedgar$ dsmemberutil checkmembership -U ssilva -G dltmacprd
user is not a member of the group
app14350ml:~ kedgar$ dsmemberutil checkmembership -U kedgar -G dltmacprd
user is a member of the group
[/quote]

Please drop me a line if you have seen similar issues and if you have or have not resolved it.

I will keep this thread updated with my progress.

-kennyj