Active Directory Groups Not Appearing (again)

  • #360439
    Anonymous
    Guest

    Hi there,

    I posted quite some time ago about problems relating to a large AD integration I was doing with a couple of Xserves. Basically, with anything other than 10.3.3, Mac OS X Server did not see any AD groups. It would see the users, but no groups. Under 10.3.3 it would list the groups after a few seconds. The binding process was exactly the same.

    In the end we just left the Xserves on 10.3.3 because it was working, but now they’re wanting to use Xsan so we can set up a proper failover system.

    Some other things about the system:

    – Kerberos has never really worked despite trying pretty much everything.

    – The company’s forest is set out as: company.local with the domain we want to connect to as eu.company.local. If we try using those as the forest/domain combo in Directory Access we get “An unknown error occurred” at Step 2 of 5 (Finding nearest domain controllers). If I set debug mode on the logs have error messages of -14008 (I think, something near that, not near the server atm). If we use eu.company.local for both the domain and the forest it binds successfully, but again on anything higher than 10.3.3 we don’t see the groups in WGM.

    – We need to set the “Prefer this domain server” to a local server otherwise the AD plugin runs off to Milan and Rotherham to pick one up (and this is a London based company with the main servers 2 feet from the Xserve).

    – Forward and reverse DNS is all set up.

    – The AD DCs are currently on a separate subnet to the Xserves, but they used to be on the same and there was no noticeable difference.

    – The company already had Apple engineers out and they didn’t get anywhere.

    If anyone can solve this I will (seriously) buy them an iPod Shuffle or iWork or something. This is driving me crazy and I don’t mind resorting to bribery if it gets me somewhere!

    Thanks for any help.

    JP.

    #360442
    sketch
    Participant

    1: it’s always been my understanding that importing AD groups into WGM “breaks” the OS X server KDC

    2: go into your /Library/Preferences/Directory Service/ActiveDirectory.plist file and find the key “Group Search Interval Hours” and change the value to something other than zero (the value is a number of hours, so if you set it to 1 it’ll update every hour).
    I noticed that in some update along the line, Apple set it to 0 (without asking anyone), which has been causing a lot of people headaches.
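
The check and fix sketch describes above, as an added example that is not part of the thread: it parses the AD plugin plist, reports the “Group Search Interval Hours” value, and rewrites it to a positive number of hours when it is 0 or missing. The key name is the one the post gives; the plist content below is constructed to mimic the post-update state (interval at 0), and the default path is an assumption (on 10.4 the file normally lives under /Library/Preferences/DirectoryService, without the space the post has in it).

```python
"""Audit and fix the AD plugin group-search interval in ActiveDirectory.plist.

Added example, not code from the thread. Assumptions:
  - key name "Group Search Interval Hours" (as given in the post above)
  - default path /Library/Preferences/DirectoryService/ActiveDirectory.plist
The functions take and return plist bytes, so they run on any platform.
"""
import plistlib
import sys
from typing import Optional

GROUP_INTERVAL_KEY = "Group Search Interval Hours"
DEFAULT_PATH = "/Library/Preferences/DirectoryService/ActiveDirectory.plist"  # assumed

# Constructed sample: the state described in the post, where an update left
# the interval at 0 so cached group membership is never refreshed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AD Domain</key>
    <string>eu.company.local</string>
    <key>Group Search Interval Hours</key>
    <integer>0</integer>
</dict>
</plist>
"""


def read_interval(data: bytes) -> Optional[int]:
    """Return the configured interval in hours, or None if the key is absent."""
    cfg = plistlib.loads(data)
    value = cfg.get(GROUP_INTERVAL_KEY)
    return int(value) if value is not None else None


def needs_fix(data: bytes) -> bool:
    """True when group refresh is effectively disabled (interval 0 or missing)."""
    interval = read_interval(data)
    return interval is None or interval <= 0


def fix_interval(data: bytes, hours: int = 1) -> bytes:
    """Return a copy of the plist with a positive interval; other keys are untouched."""
    if hours <= 0:
        raise ValueError("interval must be a positive number of hours")
    cfg = plistlib.loads(data)
    cfg[GROUP_INTERVAL_KEY] = hours
    return plistlib.dumps(cfg, fmt=plistlib.FMT_XML)


def other_keys(data: bytes) -> dict:
    """Everything except the interval key, so a caller can confirm nothing else changed."""
    cfg = plistlib.loads(data)
    return {k: v for k, v in cfg.items() if k != GROUP_INTERVAL_KEY}


if __name__ == "__main__":
    # With no argument, run against the constructed sample; with a path, edit
    # that file in place (needs root on a real server; back the file up first).
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PLIST
    print("current interval:", read_interval(data))
    if needs_fix(data):
        fixed = fix_interval(data)
        if path:
            with open(path, "wb") as fh:
                fh.write(fixed)
        print("interval set to:", read_interval(fixed))
    else:
        print("interval already positive, nothing to do")
```

Run it without arguments to see the behaviour on the sample, or pass the real plist path to edit a server. The plugin reads this file when it starts, so after changing it you will normally need to restart DirectoryService (or reboot) before the new interval takes effect; that is my note, not something the post states.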

    #360443
    Anonymous
    Guest

    Hi there,

    Yeah, I realised after I posted that the Kerberos bit may not have been too clear, sorry about that. I mean that users’ Kerberos tickets don’t seem to be honoured properly, so something like SMB doesn’t work when Kerberized. AFP users don’t log in using Kerberos either (even when it’s been set up). Not sure if it’s related or not, but probably worth mentioning. The server is just set up as “Connected to a Directory System”, so the KDC isn’t running.

    I’ll check the group search interval, thanks for that. I’m pretty sure I’ve tried that in the past, but not 100% sure!

    Thanks,

    JP.

    #360445
    sketch
    Participant

    Ah, gotcha. Have you looked at these articles yet?

    http://www.4am-media.com/sso

    and

    http://www.4am-media.com/xrealm/

    #360446
    Anonymous
    Guest

    Yep, had a look at both those and I’ve successfully done both the SSO and x-realm in the past. The main problem with this one is just the groups not showing up; we can get by without the SSO, but not having groups except with 10.3.3 is a serious problem and incredibly irritating!

    Thanks for the help though, I appreciate it.

    #360449
    Anonymous
    Guest

    I used Apple’s .local script to get it seeing the .local domain. That seems to have worked fine and it does forward and reverse lookups without a problem (just using nslookup).
