AD/OD integration with Directory Binding
  • #364968
    bborofka
    Participant

    We are pulling our hair out trying to get this to work. We want to have Macs use AD for authentication and OD for computer list policies, while using Directory Binding for OD. We don’t want to have to manually enter the MAC address into the WG Manager Computer List every time.

    We are a University with a pretty large Active Directory that we use for authentication. We have an Xserve and we’re ready to start doing some policy enforcement on the computers with Open Directory, but it doesn’t work if we try to do both AD and OD and use Directory Binding. If we don’t use Directory Binding, things work fine, but that’s not what we want to do. I should note that we do not use any network home directories, and when we bind a Mac to either AD or OD, things work fine, but not when we bind a Mac to both.

    Here’s what happens. We’ll try binding a Mac to AD first then bind to OD, and put it in the right computer list. After the first reboot, everything is OK. I can login through AD and all my policies are enforced on the client through OD. However, after the next reboot, problems arise. I no longer get any OD policies, but AD still works. This is with the AD node above the OD node in the Authentication tab of Directory Access. If the nodes are reversed, so are the problems; AD logins will stop working but we still get policies from OD. When we do it the first way (AD on top of OD), we get the following errors in system.log once the policies stop working:

    Jan 25 13:55:21 S34030 DirectoryService[52]: DSLDAPv3PlugIn: Required Policies not Supported: No ClearText. LDAP Connection for Node odserver.csuchico.edu denied.
    Jan 25 13:55:21 S34030 DirectoryService[52]: DSLDAPv3PlugIn: Policy Violation. Disabled future attempts to bind to [odserverip] for 1 hour.

    I feel like I have read everything and tried everything. I’ve read the white paper at: https://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf but it doesn’t even mention the Directory Binding features of Tiger server. I have read through all other sorts of documentation, message boards, and mailing lists and I just get confused and more unsure about what I’m supposed to do. I have yet to find anyone that is successfully using AD for auth., OD for policies, and using Directory Binding on OD. I have been told that our issue has to do with Kerberos, so I have tried all sorts of things with that. I’ve torn down the KDC, rebuilt LDAP numerous times, run dsconfigad -enableSSO, specified different Kerberos realms, etc. Some things yield different problems, some things yield the same problems. Instead of just listing everything out, I’d rather just get a better understanding of what our real problem is and what we should be doing. We don’t have a fundamental understanding of how to set this up.

    In our situation, should we be binding only the server to Active Directory and just bind the clients to the server, or not bind the server to AD and bind the clients to both AD and OD? I’ve tried both scenarios. I thought binding clients to both, and not binding the server, would be the best setup. But the white paper says we can bind the server to AD now in Tiger.

    Also, what Kerberos realm should we be specifying on the server? I’ve used the server’s DNS name (ODSERVER.CSUCHICO.EDU) and our campus’ Kerberos (CSUCHICO.EDU). Someone said that because our server’s Kerberos is in Active Directory’s namespace, that it could be causing our problems. That is why I have been messing around with Kerberos so much.

    I don’t know, I am just lost and out of ideas. I don’t really know what to do next because I don’t really know what the problem is. If anyone has any ideas, things to try or advice, I’d love to hear it.

    #364985
    bborofka
    Participant

    The rationale is simply ease of setup. We deploy hundreds of Macs all over our University, and there’s always going to be more Macs coming in as upgrades/replacements. If we have to manually enter the MAC Address into Workgroup Manager every time we bind (which could be a few times a day), that is one more hoop for a tech to jump through, and possibly mess up or accidentally skip. Having Directory Binding work (like how it does for our Active Directory) would be so much easier and better.

    I realize that getting Directory Binding working in our OD/AD environment is not easy, but if it is technically possible, I’d like to do it. We have no rush or time constraints, we have access to any other administration resources on campus if we need. I just need an idea of how to get this setup. If you have any ideas, that would be great.

    Thanks.

    #365045
    sphen
    Participant

    Just to let you know that you aren’t the only one trying to figure this out. I have for the last week or so, off and on, been working with AD and OD interoperation, and have come across this exact problem you are describing.

    It is most definitely a Kerberos problem. As for how to fix it, I am not sure at this point. I may go into the edu.mit.Kerberos config file and make some manual modifications. But in general, setting up single sign-on for the server, I notice that each service, be it afp, smb, ssh etc., can respect service tokens for one Kerberos realm only. I would really like things like ssh to respect a token whether it came from the OD KDC or the AD KDC, but I’m not sure if that’s possible. The problem I think we are running into is that the AD Kerberos realm is the default in the server, and when the LDAP plug-in for DirectoryService starts up it tries to authenticate with the OD master using Kerberos but fails. As for whether this is more a loginwindow problem or what, I’m not sure.

    This ended up being more confusing than helping – but I have to assume that someone has run into this or has a more in-depth understanding of things to point us in the right direction.

    #365077
    sphen
    Participant

    Yes, that makes sense. I guess I’m not exactly clear on what I want – I had figured out that having services respect both OD and AD Kerberos tokens requires the trust between the two realms – something that is not really necessary and I don’t care about.

    But I am also very interested in the OD binding issue as stated above as well. Any input on that?

    #365264
    schilled
    Participant

    Hate to say it guys but I am also in the same boat. Exactly the same situation but I just started yesterday and have been able to get both to bind and can log in perfectly but none of my OD specifications for Groups or Computers are being grabbed by the client. If either of you can figure this out please post your findings.

    #365315
    pme
    Participant

    I was in the same boat in August. Same problem, same solution.
    Strange things happened with both our OD servers and our servers for home folders.
    Then I met Michael Bartosh (4am media) and he advised me not to bind my Macs to OD. He’d seen some strange things doing that. So I took a separate approach.

    Using Open Directory (ordinary AppleScript or bash/perl/etc. will also do) I:

    1. check for computer records with the MAC address you’re going to add:

    dscl localhost search /LDAPv3/<your LDAP search path>/Computers macAddress <MAC address>

    2. If not present, then:

    dscl -u <admin name> -P <admin password> /LDAPv3/<your LDAP search path> -create /Computers/<computer name> macAddress <MAC address>

    3. add it to a present computer list:

    dscl -u <admin name> -P <admin password> /LDAPv3/<your LDAP search path> -merge /ComputerLists/<Computer List> apple-computers <computer name>

    Renaming computer records was a little bit trickier (as I recall), so if I need to rename a record, I either do it using WGM or do a delete+add using dscl. As long as you remember that the computer lists don’t change when you delete or rename a computer record, all should be just fine…

    Since we’re using FileMaker for our assets/cases that became our hub for computer records as well (but anything that can make a list of computer names paired with MAC addresses will do).

    hth

    /P-M
    ps. If you still want to do the double-bind stuff, you certainly need to create your own edu.mit.Kerberos file, setting your AD as default_realm.
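
The three-step check/create/merge procedure above, wrapped in a POSIX shell function as an added example (not pme’s own script): it normalises the MAC address before handing it to dscl, so malformed input never reaches the directory, and it is safe to re-run. The LDAP node path, the admin account name and the OD_ADMIN_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example (not pme's script): register a Mac in OD without binding it,
# following the three dscl steps above. Node, admin name and list are assumed.
OD_NODE="/LDAPv3/odserver.example.edu"   # assumed LDAP search path
OD_ADMIN="diradmin"                       # assumed directory admin account

# Normalise a MAC to the lowercase colon form WGM stores in macAddress,
# rejecting anything that is not exactly 12 hex digits. Returns 1 on bad input.
normalize_mac() {
  hex=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/[:.-]//g')
  case "$hex" in
    ""|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#hex}" -eq 12 ] || return 1
  printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# od_register <computer name> <MAC> <computer list>
# Prints "exists: <mac>" or "created: <mac>". The password is read from the
# OD_ADMIN_PASS variable rather than typed on the command line; it is still
# visible to ps while dscl runs, so prefer -p (prompt) when working interactively.
od_register() {
  name=$1 list=$3
  mac=$(normalize_mac "$2") || { echo "rejected MAC: $2" >&2; return 2; }
  pass=${OD_ADMIN_PASS:?set OD_ADMIN_PASS to the directory admin password}
  # step 1: search prints one record line per match and nothing when absent
  if dscl localhost search "$OD_NODE/Computers" macAddress "$mac" | grep -q .; then
    echo "exists: $mac"
  else
    # step 2: create the record keyed by the normalised MAC
    dscl -u "$OD_ADMIN" -P "$pass" "$OD_NODE" -create "/Computers/$name" macAddress "$mac" || return 3
    echo "created: $mac"
  fi
  # step 3: -merge (not -append) so re-running never duplicates the list member
  dscl -u "$OD_ADMIN" -P "$pass" "$OD_NODE" -merge "/ComputerLists/$list" apple-computers "$name"
}

if [ "$#" -eq 3 ]; then od_register "$@"; fi
```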

    #365526
    slazar
    Participant

    Yeah, I can confirm that in the AD-OD setup you should not do directory binding with the OD directory. Add the OD server in the LDAPv3 settings, but don’t enter credentials. Just click continue. Been wrestling with this for a while, just broke through.

    #365694
    kainewynd2
    Participant

    “Yeah I can confirm that in the AD-OD setup you should not do directory binding with the OD directory. Add the OD server in the LDAPv3 settings, but don’t enter credentials. Just click continue.”

    Does this somehow avoid having to manually input the MAC address into WGM? My guess is no, unless something has changed recently.
