AD users in local groups = authentication problem for both Macs+PCs
This topic has 0 replies, 1 voice, and was last updated 20 years, 6 months ago by macdojo.
October 13, 2004 at 3:34 pm #359514
macdojo (Participant)

Hi folks. Sounds like a few of us are banging our heads against the same wall. Here’s my scenario…
Goal: Set up Xserve browseable in AD domain, and auth with single sign-on. Set up a few sharepoints with group privileges derived from active directory domain. AD groups need not be used, but could be if that would contribute to a resolution. Avoid maintaining two separate directories, if possible.
Known: DNS is properly configured, fwd and ptr. Problem appears to be entirely related to authentication against domain, since we can verify services work using local users. On one occasion, with server as either Stand Alone or “Connected to Directory System,” we were able to get Macs (OS9 and X) and PCs to work, until the system was rebooted. We have been unable to replicate even that limited success since.
Suspected: In general, no reason why the server need be set up as an OD master, and based on prior setups, this would be likely to cause problems anyway. “Connected to Directory System” seemed the reasonable approach, but suspect it is introducing another layer of attempted binding at startup. Stand Alone now seems the best approach.
Scenario 1: Mac OS X Server initial setup as “Connected to Directory System,” use AD plugin to bind (no problems) and added search policy for Auth. Use Server Admin->Windows to make server a Domain Member server (credentials accepted OK same as binding). AD user/group list comes in beautifully. Set up local groups with AD users, assign to sharepoints.
Result: Config seemed to work on first attempt, until reboot, whereupon binding breaks and you get the dreaded -14007 error in WGM. Subsequent attempts we cannot get either Macs (AFP or SMB) or PCs, except as admin or other local user, wherein SMB and AFP do work. Once we removed the search policy for auth, the binding survived reboots. The attempt to rebind at startup appears to bollux the configuration. However, we CANNOT login from any nonlocal user via AFP/SMB/Windows.
Scenario 2: Mac OS X Server initial setup as “Connected to Directory System,” use AD plugin to bind, use Server Admin/Windows to make server a Stand Alone.
Result: Same as in Scenario 1, except you can no longer browse for server, except in WorkGroup. Cannot auth from Macs or PCs, except as admin or other local user.
Scenario 3: Mac OS X Server initial setup as “Stand Alone” use AD plugin to bind, use Server Admin/Windows to make server a Domain Member server.
Result: Same as in Scenario 1. Cannot auth from Macs or PCs, except as admin or other local user.
Summary: the main problem is whether the AD users can be dragged into local groups and WORK. This appears not to work. AD groups also do not work.