Can’t see /Active Directory/All Domains, but can see individual domains

[chwebster]

I am binding a 10.4 client to our AD with an empty root forest and a sub-tree under it. I’m able to successfully bind to the sub-tree domain, however when I do “id user” I get no such user.

If I dscl /Active\ Directory/All\ Domains -read Users/test I get “data source is not valid”.

If I dscl /Active\ Directory/mycorp.domain.com -read Users/test I get all the info about the user.

I am not able to log in at startup with this test user either.

So with dscl I am able to read the directory, but only if I specifiy the sub-tree domain. And with id I am not able to read the directory at all. What is my next step?

Craig

[chwebster]

When I go into Directory Access I see All Domains on both the authentication and contacts tab under Search: Custom path.

When I put DS into debug mode it says no matching processes were found – maybe i’m not doing it correctly.

The system.log shows mcxd:dsOpenNode:dsOpenDirNode(Active Directory/All Domains) == -14002.

Craig

[chwebster]

Found a blog which had us tweak some Kerberos related policies on the W2K3 server, and also am now making sure we uncheck the Allow Authentication from any Domain in the Forest box. Now it’s giving me the Active Directory/mydomain.com as an option in the search path and I’m able to log in as the user.

Not sure which (or both) of those items did the trick for me.

Now I’m trying to script joining the computer with dsconfigad and it binds correctly but does not set any of the other options properly for me (for instance I’m running -alldomains disable but it still comes up checked when I launch the GUI).

Craig

[chwebster]

Nevermind on the dsconfigad – syntax (user) error…

Craig

[Author]

Posts