AD & OD: Trying to manage clients

  • #364760
    Tracy Gerke
    Participant

    Our network is running Windows 2003 servers with Active Directory. We have about 50 Macs that we have successfully connected using the Active Directory plugin in 10.4. Now we want to manage the Mac clients like we do our Windows clients, so I installed OD on our Xserve. I followed all of the instructions that I could find, but here is my problem.

    When I log on to a client with a local account, it is managed, but when I log on using an AD account it is not. Does anyone have any ideas? I have had an OJT crash course in Macs and Xserve over the last couple of months, so I am still new, but any help would be appreciated.

    #364761
    maccanada
    Participant

    Did you read our AD/OD White paper? It goes through it all in detail.

    ~Ian

    #364763
    Tracy Gerke
    Participant

    Yes, I did use this document. This helped me solve several issues that I had, but I still have this one problem that I can’t figure out.

    #364764
    chrisjasper
    Participant

    Silly question I know, but have you added the OD server as an LDAP entry in the Directory Access app?
    You should have the local database, then the AD settings, then the OD/LDAP entry on the Authentication and Contacts tabs.

    Also, are you trying to apply the settings to AD user groups added to the managed OD groups, or are you adding the AD users to managed OD groups?
    The first method doesn't work for us, but adding AD users to OD groups works most of the time; there are a few oddities if the AD users are in too many OD groups.

    #364790
    Tracy Gerke
    Participant

    I have added the entries in the order that you indicated. I have tried it adding both users and groups from AD to OD. Neither allowed it to work. Still can’t figure out what is going on.

    #364806
    Anonymous
    Guest

    If your Xserve is your Mac DHCP server, set it up to send the LDAP info to clients in Server Admin. On clients, instead of adding the LDAP settings manually, try (in Directory Access – LDAP – Configure) checking the automatic box at the top and restarting. This should pick up the LDAP settings automatically. The reason why I say to try this way is that it seemed to work for me, while adding manually and binding, which was successful, would not allow login. It might be worth a try. I am not sure how it will go with the AD plugin. I did it in 10.4.4. Are you able to resolve your FQDN on both the server and client? Sometimes it is better to use the FQDN rather than the IP address when adding the LDAP entry manually in Directory Access. Not sure if you have tried all these things.

    #364808
    Anonymous
    Guest

    Picked these threads up off another forum – hope they help.

    Hi
    OD groups are managed by MCX settings. You use the View Directories command from a workstation. It's recommended under Tiger not to bind the server to both AD and OD. It confuses Kerberos and the OD KDC dies. There are ways around this though. I have a separate OD server (not much load) and an AD-bound faster server that serves home dirs to both Mac and PC clients that's only bound to AD.
    To manage OS X clients you use the View Directories command in Workgroup Manager from a workstation that is bound to both AD and OD, as all your OS X clients must be.
    Ignore the Not node warning,

    Select the Open Directory Domain,
    Click the lock to authenticate ( Usually diradmin ),
    Create a group,
    Click the plus sign to add a member,
    Change the top of the list that appears to the AD domain (little world click thing; you may have to select Other and navigate the tree to find the AD domain),
    Drag the user to the OD group,
    Manage that group's preferences as normal,

    As I mentioned before, you can do it with one, but because of the recommendations I prefer to keep them separate.

    If you combine OD with AD in the client search path, make sure each computer record name in OD is not the same as a computer record name in AD (minus the trailing $). Be aware that AD adds computer records when the client binds.

    If the computer record names are the same, the record that is first in the search path partially hides the computer record farther up the search path, and you get flaky behavior.

    Steve
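The computer-record clash described in the post above is easy to check for before combining the search path. The script below is an added example (not from any poster or from Apple); it assumes you feed it the record lists that `dscl <node> -list /Computers` prints for the AD node and the OD node, and the sample records in it are constructed.

```python
# Added example: find computer records whose names would collide between an
# AD node and an OD node in a combined search path. AD computer records
# carry a trailing '$' and are case-insensitive, so names are compared with
# the '$' stripped and case folded. Sample data below is constructed.

def normalize(name: str) -> str:
    """Map a record name to its comparison key: strip surrounding space,
    drop one trailing '$' (AD style), and fold case."""
    name = name.strip()
    if name.endswith("$"):
        name = name[:-1]
    return name.lower()


def find_collisions(ad_records, od_records):
    """Return a sorted list of (od_name, ad_name) pairs that collide.
    Each OD record is reported at most once, against the first AD record
    that maps to the same key."""
    ad_by_key = {}
    for rec in ad_records:
        ad_by_key.setdefault(normalize(rec), rec)
    collisions = []
    for rec in od_records:
        key = normalize(rec)
        if key in ad_by_key:
            collisions.append((rec, ad_by_key[key]))
    return sorted(collisions)


def records_from_dscl_output(text: str):
    """Parse `dscl ... -list /Computers` output: one record name per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


# Constructed sample output for the two nodes (not real directory data).
AD_SAMPLE = "LAB-MAC-01$\nlab-mac-02$\nTEACHER-PC$\n"
OD_SAMPLE = "lab-mac-01\nLab-Mac-03\nteacher-pc\n"


def collisions_from_dscl_output(ad_text: str, od_text: str):
    return find_collisions(records_from_dscl_output(ad_text),
                           records_from_dscl_output(od_text))


if __name__ == "__main__":
    for od_name, ad_name in collisions_from_dscl_output(AD_SAMPLE, OD_SAMPLE):
        print(f"OD record {od_name!r} collides with AD record {ad_name!r}")
```

Any pair it reports should be renamed on the OD side (or the client re-bound under a different name) before both nodes share a search path.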

    #376424
    bezzoh
    Participant

    That just doesn't work for me unfortunately. I'm on Leopard (10.5.7 server & client now; however, the issue has persisted since 10.5.3).

    I have AD users in multiple AD groups (between 4-10 in some cases). I can add every single one of these, or just 1 to an OD group but the MCX settings do not apply.

    The *only* group I can get to work is DOMAIN\domain users

    It's doing my head in! Especially as on another one of our sites, in the same domain, we have managed to get some of the groups to work, but I can't work out the difference between the two…

    #376456
    bezzoh
    Participant

    What actually seems to be the issue is that if I view AD groups via Workgroup Manager, I can’t see the Long Name or User ID, only the shortname. I can however see all of the information for the ‘Domain Users’ group which is odd. I thought it was security permissions on the AD groups, however I gave authenticated users Full Control of a test group I created and the problem persisted.
