AD / WGM mcx_cache Problem 10.4 Server

  • #363603
    dave621
    Participant

    Currently we are trying to use Active Directory authentication and Workgroup Manager to manage all of our clients. We have recently had to upgrade our Open Directory Server to 10.4 Server to resolve many problems that we were seeing with 10.3.9 server crashing. After upgrading to 10.4 Server we have run into a problem where the client computers (10.3.9) will only write one piece from the Directory Access Directory Node search order. If LDAPv3 is over Active Directory in the search order, the LDAPv3 settings will be written to the mcx_cache. If Active Directory is over LDAPv3, the AD information is written.

    Here’s what happens: if LDAPv3 is over AD, the settings from Workgroup Manager are written to the mcx_cache, so if the computer is offline it keeps the managed settings, but if you log in before WGM updates the cache, your auto-mounted server space isn’t mounted.

    If AD is over LDAPv3 in the directory node order then your server space will mount all the time, but the Workgroup Manager settings won’t be there when the computer doesn’t have a network connection.

    Also, since our Apple SE had us put the LDAPv3 (Workgroup Manager) over AD, we are getting a ton of “You cannot login at this time, Please contact your system administrator” error messages. I have checked the /etc/hostconfig file and the FQDN is correct and DNS is working correctly.

    Also, when our Apple SE was in to look at this problem, they also had to disable Kerberos on the Open Directory Workgroup Manager server as well as have us move LDAPv3 over AD. ***They said it was a Bug*** If anyone has seen any of these problems or has any idea what would cause this problem or could cause this problem, that would be great.

    Also, this problem happens with a 10.4.2 client computer and a 10.3.9 client computer. I’m not sure before that, but I would guess it would. We never saw anything like this before we upgraded to Tiger server either, but 10.3 Server was so unstable we had to move to 10.4. Also, we are managing 49 different computer lists and around 1200 computers with WGM. Does anyone think that this could be a load problem? It doesn’t appear to be taxing the server in any way.

    Thank You for any information you provide
    David

    #363634
    dave621
    Participant

    Hi, thanks for the reply. We are using Managed Mobile AD accounts on our laptops and we are using just AD authenticated being managed by WGM in our stationary labs. We get the “You cannot login” message in both environments about 10% of the time and it is completely random. When we get the message it lets you log in, but often the user's folder is owned by system and everyone has no access permission, leaving the account useless.

    The mcx_cache thing is really weird. If I have LDAPv3 over Active Directory, the computer will keep its managed settings while offline, but if a user logs in before the WGM server updates the cache, the user's auto-mounted AD specified server space won’t mount. If I have AD over LDAPv3, the way it is supposed to be, the auto-mount works all the time, but if the computer is off the network the computer isn’t managed, leaving the user as a Standard No Limits user. Major problem in a high school lab: kids figured out that if they log in with the local student account while unplugged they have no limitations, then only had to plug the network cord in to get a network connection. So this is why Apple had us put LDAPv3 over AD.

    This problem only started after we upgraded to 10.4 server to resolve problems that we were having with 10.3 server trying to manage 49 different computer lists. 10.4 is more stable, but it comes with some headaches of its own. Any ideas??? I’m fresh out of ideas and we're getting ready to escalate with Apple.

    Thanks,
    Dave
