AD authentication to Leopard Wiki via nested AD groups

    #372950
    nakima731
    Participant

    In short – it does not work.

    I have a 10.5.3 Server, OD Master, bound into AD.

    I can take an AD user, add it to an OD wiki enabled group, and access the group’s wiki. No problem. (After configuring the Wiki service as per http://support.apple.com/kb/TS1619.)

    If I place that same user inside an AD group, add that group to the OD-wiki group (and remove the user from the OD-wiki group), then the user is unable to log in to the wiki.

    I am certain that AD authentication works, as I have duplicated the steps with the AFP service, but not replicated the results. The AD user can authenticate to an AFP share via rights assigned via AD group membership.

    My intended workaround at this point is to resurrect the AD/OD Group Synchronization script (https://www.afp548.com/article.php?story=20040825001211784).

    Can this script be run from the same (AD bound) OD master? Or must it run from a 3rd workstation?

    I’ll be testing it over the weekend, but any thoughts / input would be appreciated.

    #373010
    nakima731
    Participant

    An update – I have posted this as a bug – and am working with our Sales Engineer. (primarily b/c if this isn’t fixed they will be missing out on a few sales….)

    The Wiki server will resolve an OD user in a nested OD group (an OD group w/in an OD group), but not an AD user in an AD group w/in an OD group. But does resolve an AD user inside a wiki enabled OD group.

    I’ll post if / when this gets acknowledged / resolved.

    #373117
    mlinde
    Participant

    This is a known issue in OS X Server prior to 10.5.3. I’m not sure it’s fixed in 10.5.3, as I don’t have a deployed 10.5 server at this point (I’m still running my OD setup in 10.4.x). It was, however, supposed to be fixed in Server 10.5.3 (although from what I’m hearing Server 10.5.3 isn’t running so well…)

    #373585
    oranki
    Participant

    This may be inherited from Samba, which had a long-standing bug in nested group expansion. I submitted a patch to fix this and it’s included in Samba 3.2.0. Since the fix itself is very simple, some binary hacker may be able to patch this directly into the winbind binary.
