AD Groups inside OD groups

[slazar]

Hi, I have the golden triangle setup working well with AD users inside OD groups. Workgroup Manager preferences work well on the OD groups and they apply to my AD users when they log in. In AD-OD-2.1.pdf it states that since 10.4.3, AD groups can be nested in OD groups. I am having trouble making this work correctly. They just don’t apply. If I hold down option when logging in it says there are no groups. As soon as I put the AD user directly in the OD group it works great. What am I missing here? My AD group is a Global Security Group. I am running 10.4.5 on both server and client.

[slazar]

Nevermind, I deleted the OD group and created a new one. It worked after that. I think that group got corrupted.

[slazar]

hmm okay, seems like the nested groups works best with just one AD group inside the OD group. If I do the dscl command and take a look at the LDAP group, my apple-group-nestedgroup only shows four separate group Generated IDs. I have seven AD groups in the OD group.

[slazar]

Hmm, I made one OD group per AD group and placed only one AD group in each OD group. But it seems to apply inconsistently. Anyone have this type of problem or has gotten it to work with nested groups? What does your setup look like?

[slazar]

It is inconsistent when the users log in. I have dock settings on seven different OD groups. Sometimes the dock settings show up, and sometimes the dock settings don’t show up. Each OD group has a corresponding AD group inside of it. There are alot of AD users and each user is in one of those AD groups.

example:

OD Group         AD Group      AD User
---------------------------------------------
odkinder         kinder        studentk
odfirstgrade     firstgrade    student1
odsecondgrade    secondgrade   student2
odthirdgrade     thirdgrade    student3
odfourthgrade    fourthgrade   student4
odfifthgrade     fifthgrade    student5
odsixthgrade     sixthgrade    student6

Some of the OD groups seem to work, and some don’t. No clue why.

[slazar]

AHA! When a group works, it always works, until you reboot…
My users are in only one group. If I hold down option the window shows no groups. I am managing the machines with computer lists.

This is what is going on:

I am mistakenly binding my clients to the OD directory. If I do this, then I get huge inconsistencies in whether the managed preferences apply or not. I was doing it with AD users inside the OD group. That was also inconsistent but at least the settings would be cached for that user and they would show up most of the time. With a AD group in the OD group, it appears to be worse and the user does not get cached managed prefs.

So the lesson here is: If you are doing a golden triangle setup, DON’T bind your machines to the OD domain! At the directory binding section don’t type in a username or password. Just click Continue.

[slazar]

Totally! I see immediate results. I deleted both the LDAPv3 connection and the account in the server. Then I re-added the LDAPv3 connection but without binding to the directory. Then I logged out and back in, and the settings stuck for every user. Then I changed it back to a bound connection and it barely worked or worked slowly.

little dance

[Author]

Posts