Am I doing my 10.5 server AD/OD integration right?

Viewing 14 posts - 1 through 14 (of 14 total)
  • #370681
    topcat
    Participant

    I have read the AD/OD white paper, but obviously this was done for 10.4, so not sure how much I should stick to it.

    What I'm trying to do is this:
    We have a Win 2003 domain, all users and groups in AD. Just set up a 10.5 server, want to manage AD groups and users in 10.5, and the Mac clients to log in using AD credentials but still get a managed environment, SSO to our Windows services such as network shares, but also SSO if possible to AFP shares, iChat server, and the built-in wiki.

    What I have done so far is to install 10.5 server, set up as a standalone. Then I used dir util to bind to our AD. Then I made the server an OD Master.
    Next, on a client, I bound it to both the new OD master and our AD. Then installed the server utils and used Workgroup Manager to create an OD group, and placed an AD user in that group.
    Now this seems to kind of work. I can log in on the client using my AD credentials, and I get managed prefs from OD. Trouble is some services seem very flaky. For example, web services is enabled, with wiki/blog enabled for the default site, and I managed to create a blog using my AD account on a client, and edit the blog fine. When somebody else tried it, it found their account in AD and opened the basic blog page, but when they went to edit and it asked for their credentials, it failed. (Yes, I've done all the tips on working these services with AD such as send password in clear text, but enable SSL.)

    Do you know where I'm going wrong? Could anybody give me a basic few lines run-through? Such as:
    1: bind server to AD
    2: make server od master
    3: bind a client to OD and AD
    4: install admin tools, create an od group, add an ad user/group
    5: do x to get sso working

    The 10.5 server documentation is a bit confusing and contradictory. On one page it says to bind to AD and create it into an OD, and a few pages on, it says do not bind the same server to AD while it is an OD master! It makes no sense!

    Thanks

    #370682
    dds
    Participant

    I would suggest this order:

    0: install admin tools and set up server & admin station(s)
    1: make server od master, create an od group. Disable KDC if you are using Kerberos via AD
    2: bind server to AD
    3: bind a client to OD (LDAP) and AD
    4: ad users/groups as needed
    5: get sso working “dsconfigad -enableSSO”

    #370684
    topcat
    Participant

    cool, thanks.

    So, I'm basically doing things kind of right.

    The 10.5 server od doc seems to say that the server should be bound to ad before creating the od master though?

    Also, by disable the KDC, I imagine you mean to rename the attribute under config in Workgroup Manager? Once this is done, then if I have a wiki/blog under web servers on the 10.5 server, will AD users need to authenticate when editing their blog?

    #370685
    topcat
    Participant

    Oh, one more thing. I may sound like an idiot asking this, but dsconfigad -enableSSO is done on the client, right? So I guess I would need to do this on every client that needs AD SSO?

    #370694
    dds
    Participant

    Quote by MacTroll:
        No, -enableSSO is only needed on the server.

        And in 10.5 if you join AD and then create an OD Master you shouldn't have to worry about disabling Kerberos as this should be done automatically.

    Joel – are you saying that now in 10.5 we should bind the server to AD *BEFORE* we create the OD master on the server? This is the reverse order from 10.4 and earlier, correct? Has Apple documented this anywhere?

    #370700
    Mr. B.
    Participant

    FWIW I followed the 10.4 guide to bind a 10.5 server to AD and this works. So basically I just followed the ‘old’ guide step by step.

    #370701
    Mr. B.
    Participant

    Erhm, the Bombich guide that is… 😳 🙂

    #370703
    dds
    Participant

    I used the Bombich 10.4 guide for my 10.5 server too, but it appears that some of my Windows PCs are having what looks like KDC/SSO conflicts on my LAN. User accounts are being locked in AD. So far my troubles lead back to the new OD 10.5 server. I think it still has a lingering KDC service running. When the OD server is taken offline the errors stop. Haven't tracked it down yet. Any advice would be helpful.

    Here is a sample of the auth errors I am seeing on my AD DCs when my OD server is online (the 10.0.50.171 IP is my OD server). Obviously, it appears that perhaps the KDC service is still running on my OD server, even though I think I successfully disabled it:

    675,AUDIT FAILURE,Security,Wed Nov 28 07:30:57 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171
    675,AUDIT FAILURE,Security,Wed Nov 28 07:30:56 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171
    675,AUDIT FAILURE,Security,Wed Nov 28 07:30:56 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171
    675,AUDIT FAILURE,Security,Wed Nov 28 07:30:56 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x0 Failure Code: 0x12 Client Address: 10.0.50.171
    675,AUDIT FAILURE,Security,Wed Nov 28 07:30:39 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: SAS User ID: %{S-1-5-21-1557471342-1885686607-751859383-5452} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171

    (This is a small sample – I saw hundreds and maybe thousands of these lockouts until I killed my OD server. Good thing my AD server unlocks accounts after 30 min of being locked or I would have a lot of angry users.)
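The event 675 rows quoted above carry enough structure to triage the lockout storm mechanically: every row names the account, the Kerberos failure code and the client address that tripped it. The script below is an added example (not from the thread or from Apple) that parses rows in that exact export layout, groups them by client address and flags any address that keeps hitting failure code 0x12 (KDC_ERR_CLIENT_REVOKED, i.e. the account is already locked out or disabled) for several different accounts. One user mistyping a password produces 0x18 from one address for one account; a host that keeps replaying stale or wrongly issued credentials produces the 0x12 pattern for many accounts, which is what the poster is seeing. The sample log, names, SIDs and addresses are constructed; 192.0.2.50 stands in for the OD server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same layout as the event 675 rows quoted in the
# thread (event id, result, log, timestamp, account, message). Names, SIDs and
# addresses are made up; 192.0.2.50 plays the role of the OD server.
SAMPLE_LOG = """\
675,AUDIT FAILURE,Security,Wed Nov 28 07:30:57 2007,NT AUTHORITY\\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1-2-3-2250} Service Name: krbtgt/EXAMPLE.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 192.0.2.50
675,AUDIT FAILURE,Security,Wed Nov 28 07:30:56 2007,NT AUTHORITY\\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1-2-3-2250} Service Name: krbtgt/EXAMPLE.ORG Pre-Authentication Type: 0x0 Failure Code: 0x12 Client Address: 192.0.2.50
675,AUDIT FAILURE,Security,Wed Nov 28 07:30:39 2007,NT AUTHORITY\\SYSTEM,Pre-authentication failed: User Name: SAS User ID: %{S-1-5-21-1-2-3-5452} Service Name: krbtgt/EXAMPLE.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 192.0.2.50
675,AUDIT FAILURE,Security,Wed Nov 28 07:30:12 2007,NT AUTHORITY\\SYSTEM,Pre-authentication failed: User Name: JDOE User ID: %{S-1-5-21-1-2-3-6001} Service Name: krbtgt/EXAMPLE.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 192.0.2.50
675,AUDIT FAILURE,Security,Wed Nov 28 07:29:58 2007,NT AUTHORITY\\SYSTEM,Pre-authentication failed: User Name: JDOE User ID: %{S-1-5-21-1-2-3-6001} Service Name: krbtgt/EXAMPLE.ORG Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 192.0.2.77
"""

# Kerberos error codes as they appear in the Failure Code field (RFC 4120 numbering).
FAILURE_CODES = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account locked out or disabled)",
    "0x17": "KDC_ERR_KEY_EXPIRED (password expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)",
    "0x25": "KRB_AP_ERR_SKEW (clock skew too great)",
}

MESSAGE_RE = re.compile(
    r"User Name:\s+(?P<user>\S+)\s+"
    r"User ID:\s+%\{(?P<sid>[^}]+)\}\s+"
    r"Service Name:\s+(?P<service>\S+)\s+"
    r"Pre-Authentication Type:\s+(?P<preauth>0x[0-9a-fA-F]+)\s+"
    r"Failure Code:\s+(?P<code>0x[0-9a-fA-F]+)\s+"
    r"Client Address:\s+(?P<client>\S+)"
)


def parse_event(line):
    """Split one exported event row; return a dict, or None for rows that are not 675."""
    parts = line.strip().split(",", 5)
    if len(parts) != 6 or parts[0] != "675":
        return None
    _event_id, _result, _log, timestamp, _account, message = parts
    m = MESSAGE_RE.search(message)
    if not m:
        return None
    event = m.groupdict()
    event["timestamp"] = timestamp
    event["code_name"] = FAILURE_CODES.get(event["code"].lower(), "unknown")
    return event


def summarize_by_client(text):
    """Group failures by client address: event count, distinct users, failure-code histogram."""
    summary = defaultdict(lambda: {"events": 0, "users": set(), "codes": Counter()})
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        bucket = summary[ev["client"]]
        bucket["events"] += 1
        bucket["users"].add(ev["user"])
        bucket["codes"][ev["code"].lower()] += 1
    return dict(summary)


def flag_noisy_clients(summary, min_users=2, min_events=3):
    """Return addresses that keep tripping 0x12 (already locked out) for several accounts.

    That combination points at a host replaying bad credentials for many users,
    not at individual users mistyping passwords (which shows up as 0x18, one account).
    """
    flagged = []
    for client, bucket in summary.items():
        if bucket["codes"].get("0x12", 0) >= min_events and len(bucket["users"]) >= min_users:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    report = summarize_by_client(SAMPLE_LOG)
    for client, bucket in sorted(report.items()):
        codes = ", ".join(f"{c} x{n}" for c, n in sorted(bucket["codes"].items()))
        print(f"{client}: {bucket['events']} failures, {len(bucket['users'])} accounts [{codes}]")
    print("likely misbehaving host(s):", flag_noisy_clients(report))
```

Run it against a CSV export of the DC's Security log and the flagged address is the machine to take offline or fix first; in the poster's case that would be the OD server's address.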

    #370710
    dds
    Participant

    According to Mike Bombich and Apple, when I do a “klist -ke” on my OD server, I *should* see 3 (three) entries per Kerberos realm of each service on the server. However, when I am bound to AD and running an OD master on the same server and I type “klist -ke”, I see 6 or more entries per server, all in the same realm (!). I assume this is a KDC problem. I don't know how to get rid of these extra entries. My OD master is a dedicated OD master server for the purpose of MCX policies, and it probably won't ever be used for CIFS or AFP.
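The "three entries per service per realm" the post refers to are the three encryption types of one key version; six entries for one service in one realm usually means two key versions (KVNOs) are sitting side by side, one of them from an earlier Kerberos setup of the same host. The script below is an added example, not the poster's output or an Apple tool: it parses `klist -ke` output in the MIT layout (KVNO, principal@REALM, enctype in parentheses; that layout is assumed, not confirmed by the thread), groups entries by principal and realm, and reports any principal with more than the expected three entries or with more than one KVNO. The keytab listing, hostnames and realms are constructed.

```python
import re
from collections import defaultdict

# Constructed keytab listing in MIT klist -ke layout (assumed; this is not the
# poster's real output). The afpserver key appears under two key versions, so
# that principal shows 6 entries in one realm instead of the expected 3.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afpserver/od.example.org@EXAMPLE.ORG (DES cbc mode with CRC-32)
   3 afpserver/od.example.org@EXAMPLE.ORG (Triple DES cbc mode with HMAC/sha1)
   3 afpserver/od.example.org@EXAMPLE.ORG (ArcFour with HMAC/md5)
   4 afpserver/od.example.org@EXAMPLE.ORG (DES cbc mode with CRC-32)
   4 afpserver/od.example.org@EXAMPLE.ORG (Triple DES cbc mode with HMAC/sha1)
   4 afpserver/od.example.org@EXAMPLE.ORG (ArcFour with HMAC/md5)
   3 host/od.example.org@EXAMPLE.ORG (DES cbc mode with CRC-32)
   3 host/od.example.org@EXAMPLE.ORG (Triple DES cbc mode with HMAC/sha1)
   3 host/od.example.org@EXAMPLE.ORG (ArcFour with HMAC/md5)
   2 host/od.example.org@AD.EXAMPLE.ORG (ArcFour with HMAC/md5)
"""

# One keytab line: key version, principal@REALM, enctype in parentheses.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+?)@(?P<realm>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)


def parse_klist(text):
    """Return one dict per keytab entry; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["kvno"] = int(entry["kvno"])
            entries.append(entry)
    return entries


def realms(entries):
    """Distinct realms present in the keytab (an OD master bound to AD should show two)."""
    return sorted({e["realm"] for e in entries})


def audit_keytab(entries, expected_per_principal=3):
    """Per principal@realm: entry count, key versions, and anything that looks stale."""
    by_principal = defaultdict(list)
    for e in entries:
        by_principal[(e["principal"], e["realm"])].append(e)

    report = {}
    for (principal, realm), items in by_principal.items():
        kvnos = sorted({e["kvno"] for e in items})
        issues = []
        if len(kvnos) > 1:
            issues.append(f"multiple key versions {kvnos}: likely stale keys from an earlier Kerberos setup")
        if len(items) > expected_per_principal:
            issues.append(f"{len(items)} entries, expected at most {expected_per_principal}")
        report[f"{principal}@{realm}"] = {"entries": len(items), "kvnos": kvnos, "issues": issues}
    return report


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    print("realms:", realms(parsed))
    for name, info in sorted(audit_keytab(parsed).items()):
        status = "; ".join(info["issues"]) or "ok"
        print(f"{name}: {info['entries']} entries, kvno {info['kvnos']} -> {status}")
```

Feed it the real listing with `klist -ke > keytab.txt` and `python3 audit.py < keytab.txt` (after changing the script to read stdin), and look at which principals carry more than one KVNO: those are the ones whose older key version the service will never use again.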

    #370714
    topcat
    Participant

    Well, it all seems to be working for me. Like MacTroll said, when bound to AD, then making an OD Master, it seems to sort Kerberos out.

    So now I have my client bound to AD and OD, and have my AD account with an OD group with managed prefs. I can now log in on the client using my AD credentials, then have SSO for SMB shares, and can sign in to the wiki/blog off the 10.5 server via AD credentials.

    All very good so far. 10.5 server seems to be much earlier versions so far!

    Thanks for your help

    #370716
    dds
    Participant

    topcat

    Just to confirm that I’m not crazy, did you bind your 10.5 server to AD *first* and THEN you made the server an OD master? This seems totally backwards to me. Enlighten me as to how you discovered to do the DS stuff in this specific order.

    #370718
    Mr. B.
    Participant

    Quote by MacTroll:
        No, -enableSSO is only needed on the server.

        And in 10.5 if you join AD and then create an OD Master you shouldn't have to worry about disabling Kerberos as this should be done automatically.
    Hmmm MacTroll and Topcat are saying the same thing here. Now I want to know what’s correct. I’m just in a lab/test environment so I might have the same problems dds has when I go online in bigger environments. Please clarify guys!

    #370748
    dds
    Participant

    Where did everyone go?

    #370757
    jscott
    Participant

    Once I’ve bound my server to AD should I log in using the local admin account or an AD authenticated account? With 10.4 I just use the local admin account and everything works fine but I’ve always wondered if this is the best way and since I’m updating to 10.5 might as well get it worked out.
