We are pulling our hair out trying to get this to work. We want to have Macs use AD for authentication and OD for computer list policies, while using Directory Binding for OD. We don't want to have to manually enter the MAC address into the WG Manager Computer List every time.
We are a University with a pretty large Active Directory that we use for authentication. We have an Xserve and we're ready to start doing some policy enforcement on the computers with Open Directory, but it doesn't work if we try to do both AD and OD and use Directory Binding. If we don't use Directory Binding, things work fine, but that's not what we want to do. I should note that we do not use any network home directories, and when we bind a Mac to either AD or OD, things work fine, but not when we bind a Mac to both.
Here's what happens. We'll try binding a Mac to AD first then bind to OD, and put it in the right computer list. After the first reboot, everything is OK. I can login through AD and all my policies are enforced on the client through OD. However, after the next reboot, problems arise. I no longer get any OD policies, but AD still works. This is with the AD node above the OD node in the Authentication tab of Directory Access. If the nodes are reversed, so are the problems; AD logins will stop working but we still get policies from OD. When we do it the first way (AD on top of OD), we get the following errors in system.log once the policies stop working:
Jan 25 13:55:21 S34030 DirectoryService[52]: DSLDAPv3PlugIn: Required Policies not Supported: No ClearText. LDAP Connection for Node odserver.csuchico.edu denied.
Jan 25 13:55:21 S34030 DirectoryService[52]: DSLDAPv3PlugIn: Policy Violation. Disabled future attempts to bind to [odserverip] for 1 hour.
I feel like I have read everything and tried everything. I've read the white paper at: https://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf but it doesn't even mention the Directory Binding features of Tiger server. I have read through all other sorts of documentation, message boards, and mailing lists and I just get confused and more unsure about what I'm supposed to do. I have yet to find anyone that is successfully using AD for auth., OD for policies, and using Directory Binding on OD. I have been told that our issue has to do with Kerberos, so I have tried all sorts of things with that. I've torn down the KDC, rebuilt LDAP numerous times, ran dsconfigad -enableSSO, specified different Kerberos realms, etc. Some things yield different problems, some things yield the same problems. Instead of just listing everything out, I'd rather just get a better understanding of what our real problem is and what we should be doing. We don't have a fundamental understanding of how to set this up.
In our situation, should we be binding only the server to Active Directory and just bind the clients to the server, or don't bind the server to AD and bind the clients to both AD and OD? I've tried both scenarios. I thought binding clients to both, and not binding the server, would be the best setup. But the white paper says we can bind the server to AD now in Tiger.
Also, what Kerberos realm should we be specifying on the server? I've used the server's DNS name (ODSERVER.CSUCHICO.EDU) and our campus' Kerberos (CSUCHICO.EDU). Someone said that because our server's Kerberos is in Active Directory's namespace, that it could be causing our problems. That is why I have been messing around with Kerberos so much.
I don't know, I am just lost and out of ideas. I don't really know what to do next because I don't really know what the problem is. If anyone has any ideas, things to try or advice, I'd love to hear it.
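For anyone chasing the same symptoms, here is a small added example (not part of the original post, and not an Apple tool) that pulls the two DSLDAPv3PlugIn events quoted above out of a system.log excerpt, so you can see per client which OD node was refused for which unsupported policy and how long the client has stopped trying to bind to it. The embedded log lines are constructed from the ones quoted in the post (one unrelated line is mixed in to show they are skipped); the regexes assume the standard BSD syslog prefix that Tiger's system.log uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the two system.log lines quoted in the post,
# with two unrelated lines added so the parser has something to ignore.
SAMPLE_LOG = """\
Jan 25 13:55:20 S34030 DirectoryService[52]: DSLDAPv3PlugIn: some unrelated message
Jan 25 13:55:21 S34030 DirectoryService[52]: DSLDAPv3PlugIn: Required Policies not Supported: No ClearText. LDAP Connection for Node odserver.csuchico.edu denied.
Jan 25 13:55:21 S34030 DirectoryService[52]: DSLDAPv3PlugIn: Policy Violation. Disabled future attempts to bind to [odserverip] for 1 hour.
Jan 25 14:02:10 S34030 kernel[0]: unrelated kernel line
"""

# BSD syslog prefix: "Mon DD HH:MM:SS host DirectoryService[pid]: "
SYSLOG_PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) DirectoryService\[\d+\]: "

# "Required Policies not Supported: <policy>. LDAP Connection for Node <node> denied."
DENIED_RE = re.compile(
    SYSLOG_PREFIX
    + r"DSLDAPv3PlugIn: Required Policies not Supported: (?P<policy>[^.]+)\. "
    + r"LDAP Connection for Node (?P<node>\S+) denied\.$"
)

# "Policy Violation. Disabled future attempts to bind to <target> for <duration>."
DISABLED_RE = re.compile(
    SYSLOG_PREFIX
    + r"DSLDAPv3PlugIn: Policy Violation\. Disabled future attempts to bind to "
    + r"(?P<target>\S+) for (?P<duration>\d+ \w+)\.$"
)


@dataclass
class LdapPolicyEvent:
    timestamp: str
    host: str      # the client that logged the line
    kind: str      # "denied" or "disabled"
    target: str    # node name, or the bracketed address from the lockout line
    detail: str    # the unsupported policy, or the lockout duration


def parse_ldap_policy_events(log_text: str) -> List[LdapPolicyEvent]:
    """Return every DSLDAPv3PlugIn denial/lockout event found in the log text."""
    events: List[LdapPolicyEvent] = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            events.append(LdapPolicyEvent(m["ts"], m["host"], "denied", m["node"], m["policy"]))
            continue
        m = DISABLED_RE.match(line)
        if m:
            events.append(LdapPolicyEvent(m["ts"], m["host"], "disabled", m["target"], m["duration"]))
    return events


def summarize(log_text: str) -> Dict[str, Dict[str, list]]:
    """Group events per client host: which nodes were refused for which policy,
    and which bind targets are temporarily disabled and for how long."""
    summary: Dict[str, Dict[str, list]] = {}
    for ev in parse_ldap_policy_events(log_text):
        per_host = summary.setdefault(ev.host, {"denied": [], "disabled": []})
        per_host[ev.kind].append((ev.target, ev.detail))
    return summary


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        for node, policy in info["denied"]:
            print(f"{host}: connection to {node} denied, unsupported policy: {policy}")
        for target, duration in info["disabled"]:
            print(f"{host}: binding to {target} disabled for {duration}")
```

Pointing the parser at a real /var/log/system.log (read the file and pass its contents to summarize) turns the "policies silently stopped working" symptom into a concrete timestamp: the "denied" event tells you which node the client refused and why ("No ClearText" here), and the matching "disabled" event tells you how long the client will not retry, which explains why a reboot inside that window still shows no OD policies.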