AD for users, OD for client management: client-side config?
July 26, 2004 at 8:11 pm #358560
macdojo
Participant
I have successfully bound to my domain using the AD plug-in on 10.3.4 Server, but cannot seem to authenticate from the client side. I have set up the client to bind via LDAP, but I’m not sure how Server knows to link the AD node with the local LDAP node. I know there’s something I’m missing here. Do I need to do a lot of Kerberos tweaking under the hood even to verify client credentials at the 10.3.4 login screen? Does AFP have to be Kerberized by me first?
Any help is appreciated.

July 26, 2004 at 8:16 pm #358561
macdojo
Participant
I should describe what I am trying to achieve: single sign-on to the AD domain with client management (e.g., WGM, possibly NetBoot) via Xserve. Not sure how to configure Xserve beyond the AD plug-in, or how to configure Directory Access on the client side (LDAP, AD, etc.).
Thanks!
July 27, 2004 at 2:31 pm #358575
macdojo
Participant
Thanks, Joel. For now, here’s what I am trying…
Xserve was bound to AD; unbound it and made it an OD master.
Clients are bound to the domain AND bound to Xserve via LDAP. MCX is working (mgmt by computer, of course).
I can log in to AD network shares, so I know my creds are being accepted, but I cannot yet log in at the login pane.
My home dirs are on a Dell NAS, and the Win guys have installed ExtremeZ-IP, but it’s still in its default state. That’s where I’m at so far.
BTW, though I’ve got the AppleCare Premium contract, the Apple guys stated that all Active Directory integration stuff requires an Enterprise Support contract ($6K+/yr).
Thanks!
July 28, 2004 at 3:12 am #358584
craigh
Participant
I second macdojo’s call for help [in fact, he might even be me; we’ve got the same almost-useless Premium Support plan…]. We’ve successfully bound to the AD on the Xserve side, and can even log in to the Xserve itself using a known AD username and pwd. We think the problem lies in the process of passing the authentication through the Xserve from a client – our Xserve is acting as a KDC, and we can get tickets from it.
Running kinit, we get a very cryptic error message when trying to use an AD user account – “Kerberos Login Failed: KRB5 error code 68”
Thanks a ton for any information about solving this.
Cheers!
July 28, 2004 at 1:32 pm #358594
macdojo
Participant
Just an update, folks – oh, and craigh? I feel your pain –
OK, I now can log in from clients with AD creds AND get client mgt – the key was to put the AD server policy ahead of the LDAP policy in Directory Access. While mgt by comp is OK, I want more granularity. I am hoping that by doing LDAP in Dir Acc to the AD servers, I can get a user list which I can use to manage the Mac clients by user. Currently I can browse the tree with LDapper, but I haven’t been able to bind with Dir Acc. I get the typical delays when booting the Xserve. When trying to access the new LDAP node in WGM, it allows me to select it, but the OK button will not close and authenticate me to the node. I get: DSOpenNode(): dsOpenDirNode(“/LDAPv3/10.101.0.47”) == -14002… aka… something is up with my credentials. LDapper wants credentials in this form: DOMAIN\Administrator, whereas Dir Access wants the distinguished name. I cannot seem to get it right and I’ve tried every combination of OU, CN, DC that seems correct.
Working through it…
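The last post turns on two client-side details: the order of nodes in the Directory Access authentication search policy, and the credential form each tool expects (DOMAIN\Administrator in LDapper versus a distinguished name in Directory Access). The Python below is an added example, not code from this thread or from Apple's tools. It parses a constructed sample of `dscl /Search -read / CSPSearchPath` output to confirm that the Active Directory node is listed ahead of the LDAPv3 node, and builds an RFC 4514-escaped bind DN from a DNS domain name under the assumption that the account still sits in AD's default CN=Users container. The node names, the EXAMPLE domain and corp.example.com are constructed values.

```python
# Constructed sample of `dscl /Search -read / CSPSearchPath` output; the node
# names are made up for this example (a 10.3-era local node, a BSD node, an AD
# node and an LDAPv3 node keyed by the server address mentioned in the thread).
SAMPLE_SEARCH_PATH = """\
CSPSearchPath:
 /NetInfo/DefaultLocalNode
 /BSD/local
 /Active Directory/EXAMPLE
 /LDAPv3/10.101.0.47
"""


def parse_search_path(dscl_output):
    """Return the authentication search-path nodes in the order dscl lists them.

    dscl prints a multi-valued attribute as the attribute name followed by one
    value per line, each indented by a single space.  Parsing stops at the
    first non-indented line so trailing attributes are not mistaken for nodes.
    """
    nodes = []
    in_attr = False
    for line in dscl_output.splitlines():
        if line.startswith("CSPSearchPath:"):
            in_attr = True
            first = line[len("CSPSearchPath:"):].strip()  # single-value form
            if first:
                nodes.append(first)
            continue
        if in_attr:
            if line.startswith(" ") and line.strip():
                nodes.append(line.strip())
            else:
                break
    return nodes


def ad_before_ldap(nodes):
    """True when the first /Active Directory node precedes every /LDAPv3 node.

    Search-path order decides which directory answers for a user record, so a
    node listed earlier can shadow accounts held in a later one.
    """
    ad_positions = [i for i, n in enumerate(nodes) if n.startswith("/Active Directory/")]
    ldap_positions = [i for i, n in enumerate(nodes) if n.startswith("/LDAPv3/")]
    if not ad_positions:
        return False  # no AD node bound at all
    if not ldap_positions:
        return True  # nothing later in the path to shadow it
    return min(ad_positions) < min(ldap_positions)


# RFC 4514: these characters must be backslash-escaped inside an attribute value;
# a leading '#' or space and a trailing space are escaped as well.
_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value):
    """Escape one attribute value for use in a distinguished name."""
    out = []
    for i, ch in enumerate(value):
        leading_special = i == 0 and ch in "# "
        trailing_space = i == len(value) - 1 and ch == " "
        if ch in _DN_SPECIALS or leading_special or trailing_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def domain_to_base_dn(dns_domain):
    """Map a DNS domain name to the DC= components of the AD domain's base DN."""
    labels = [l for l in dns_domain.strip().strip(".").split(".") if l]
    return ",".join("DC=" + escape_dn_value(l) for l in labels)


def default_user_dn(account, dns_domain):
    """Build the bind DN for a DOMAIN\\user or bare user name.

    Assumption (not from the thread): the account still lives in AD's default
    CN=Users container and has not been moved into an OU.  The NetBIOS domain
    prefix is dropped because it cannot be derived from the DNS name.
    """
    user = account.rsplit("\\", 1)[-1]
    return "CN=%s,CN=Users,%s" % (escape_dn_value(user), domain_to_base_dn(dns_domain))


if __name__ == "__main__":
    nodes = parse_search_path(SAMPLE_SEARCH_PATH)
    print("search path:", nodes)
    print("AD ahead of LDAPv3:", ad_before_ldap(nodes))
    print("bind DN:", default_user_dn("EXAMPLE\\Administrator", "corp.example.com"))
```

On a real client, pipe the output of `dscl /Search -read / CSPSearchPath` into `parse_search_path`; if `ad_before_ldap` returns False the LDAPv3 node is being consulted first for user records, which is the ordering the poster had to reverse. The DN helper only covers the default container; an account that has been moved into an OU needs that OU's path in place of `CN=Users`.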