Computers not managed when bound, only when unbound

Viewing 13 posts - 1 through 13 (of 13 total)
    #366974
    teqman
    Participant

    Hey all,

    This has been giving me headaches for months. I have three Intel iMacs in this network. They all need to be managed by my Xserve. When I set up their Directory Access, I chose to bind them to the Xserve’s directory. They would never be managed, and no amount of mcx_cache obliteration would fix it. I finally went and unbound them and lo and behold they are managed.

    Am I going crazy here, or should this not work at all?

    #366978
    Patrick Gallagher
    Participant

    I’m having this problem as well. Are you bound to AD as well? It appears if you bind to OD, it makes unwanted changes to /L/P/edu.mit.kerberos. Makes OD the default realm.

    The only drawback to not binding appears to be that you have to add the computer record to WGM afterwards (or before, it doesn’t matter). I now carry around a copy of WGM on my thumbdrive so I can add the computer to OD after putting it on the domain.

    #366989
    teqman
    Participant

    I am doing list management, but if binding isn’t necessary then I won’t do it.

    #366992
    teqman
    Participant

    AUGH! Thanks to Digidesign, it is now necessary that we use login/logout scripts to automatically copy Pro Tools project files from the Xserve to a local Firewire drive (instead of just using the networked home folder).

    Which means these machines need to be trusted-bound to the Xserve. Which would break things.

    *head hits desk*

    #367023
    jkonrad
    Participant

    This sounds very similar to a problem I’m having. I have 12 new Intel iMacs which I would like to be bound to AD for user accounts, and OD for mcx management.

    I just set up my lab (mix eMac ppc and iMac intel). The eMacs work perfectly, but the iMacs often hang during boot. Restarting multiple times will eventually get the student to a log in screen.

    I have been “binding” macs to AD and OD since 10.3, however, I’m not a master of behind the scenes commands or text files. So if you have any ideas

    If I am not bound to OD, how will the computers get their preferences? Will it only work with group managed preferences not machine level?

    I’m used to setting up computer lists and then modifying simple things like proxy server, logon items, printers. How would this function if these computers are not bound to OD?

    The client and server software is at 10.4.7. Thanks for any help

    Jonathan ([email protected])

    #367839
    morgant
    Participant

    I’m having a similar problem with a Tiger Server Open Directory Master that had its configuration imported from a Panther Server OD Master (not upgraded, but imported). There were, for some reason, no network views in the 10.3 OD Master, so there are still none in the 10.4 OD Master (don’t know how much of a difference this makes).

    Basically the Tiger OD Master has: lookupd, LDAP, password server, and Kerberos all running; SSL disabled; directory binding enabled (but not required); clear text passwords disabled; and forward and reverse DNS are working and correct. Now, there are a couple other Xserves manually configured (server DNS address & search base manually entered) to get authentication (and Address Book, although only used for testing ldap requests) from the Open Directory master… this has worked correctly since day one.

    I can use Directory Access on workstations to do an add new LDAP server and bind successfully with the directory administrator’s account (it creates the computer record in Open Directory). However, you can’t search for users in the domain using Address Book and the login window declares that “Network Accounts Unavailable”. When you try to unbind the workstation from the Open Directory domain using the same directory administrator’s account, it fails stating that it couldn’t communicate with the Open Directory server.

    The odd part is that I can take any workstation, and manually add the LDAP server (and search base) without binding, manually add it to the search path for authentication and the address book and it all works (mostly) correctly: searching for users in Address Book is immediately functional and the login window immediately states that “Network Accounts [are] Available”.

    I’ve been reading through the User Management Admin and Open Directory documentation, but don’t quite understand why this is functioning in this way. Is it something residual from the import from the 10.3 OD Master? Is it because I’m not using LDAP or Kerberos?

    Any assistance would be greatly appreciated as I’d like to get this corrected before I start rolling out any number of workstations using Open Directory authentication (primarily local home directories, but a few are planned to be network home directories).

    #367902
    VirtualWolf
    Participant

    I’m having the same problem as morgant, except only with one machine. My Power Mac G5 bound and worked without issue, the iMac G5 however refuses to work if it’s bound to the Open Directory. If I *don’t* bind, it works fine. 😕

    All machines are running 10.4.8 (clients and server), and it’s a totally fresh install of OS X Server.

    #367931
    arronkau
    Participant

    *bump*

    I’m having this same problem on a new setup.

    Sounds identical: when I bind clients to the OD master, they get added to the computer list and then all communication between them and the server seems to stop. id lookups from the terminal don’t work; you can’t even successfully unbind them.

    When I add the LDAP information but do NOT bind the computers, everything works well (though, as mentioned earlier) they don’t get added into WGM.

    Does anyone have a solution for this yet? I hate to patch together broken workarounds on a brand new server.

    Thanks in advance.

    #367969
    fherbert
    Participant

    Make sure your security policies match on the client and server. Since you are using trusted binding, I think you will find the client will not try to authenticate using clear text passwords, but the server may not be configured for this (or it might be the other way round).

    #367998
    bigmeek
    Participant

    I am having the exact same problem on a new install of OS X Server.

    I have just set up a new server along with 12 intel iMacs all running 10.4. When I bind the clients to the OD master they get added to the computer list, but then the client is unable to communicate with the OD master any longer. When I add the LDAP info but don’t bind the machine – lo and behold it will communicate with the OD master once again.

    I have double checked and the clients and server both have clear text passwords disabled. I have even tried it with both clients and server with clear text passwords enabled, still no go. I am at a total loss.

    #367999
    fherbert
    Participant

    Hi guys

    Are you getting any errors in /var/log/system.log regarding DirectoryService on the clients? If you are, post the relevant section so we can have a look.

    Cheers
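    As an added triage helper (not code from anyone in this thread), here is a small POSIX sh script that pulls the DirectoryService entries out of a saved copy of /var/log/system.log, separates the failures from the rest and reports the last “Network Accounts …” state the login window logged. The syslog line layout is the real one, but the message texts in SAMPLE_LOG and the host od.example.com are constructed placeholders, not actual DirectoryService output.

```shell
#!/bin/sh
# Triage a copy of /var/log/system.log from an Open Directory client.
# Sample below is constructed: real input comes from the client's own log,
# e.g.  grep DirectoryService /var/log/system.log > ds.log
SAMPLE_LOG='Nov  3 09:12:01 imac01 DirectoryService[45]: Attempting LDAPv3 bind to od.example.com
Nov  3 09:12:01 imac01 DirectoryService[45]: LDAPv3 bind to od.example.com failed: clear text passwords disabled
Nov  3 09:12:02 imac01 loginwindow[77]: Network Accounts Unavailable
Nov  3 09:12:05 imac01 DirectoryService[45]: Connection to od.example.com timed out
Nov  3 09:12:09 imac01 kernel: unrelated message'

# Print only DirectoryService lines whose message looks like a failure.
ds_failures() {
    grep 'DirectoryService\[' "$1" | grep -iE 'fail|error|timed out|unable|denied'
}

# Number of failure lines (0 means the client bound without complaint).
ds_failure_count() {
    n=$(ds_failures "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Last "Network Accounts Available/Unavailable" state seen from loginwindow.
network_accounts_state() {
    grep 'loginwindow\[' "$1" | grep -o 'Network Accounts [A-Za-z]*' | tail -n 1
}

# Demo run on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "DirectoryService failures: $(ds_failure_count "$tmp")"
ds_failures "$tmp"
echo "Login window state: $(network_accounts_state "$tmp")"
rm -f "$tmp"
```

Paste the lines printed by ds_failures into a reply; they are the section fherbert is asking for.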

    #368000
    morgant
    Participant

    Quote by fherbert: “Make sure your security policies match on the client and server. Since you are using trusted binding, I think you will find the client will not try to authenticate using clear text passwords, but the server may not be configured for this (or it might be the other way round).”

    Okay, I don’t quite understand where the security policies are on the client (no, I hadn’t been checking system.log on the client either), but this did get me pointed in the right direction. I had clear-text passwords disabled, but was not using SSL. When enabling SSL (using just the default self-assigned certificate), but not requiring all packets to be encrypted or to block man-in-the-middle attacks, I was able to successfully bind the clients to the domain.

    I’ll tighten up security as I go, but for now I’m happy to have it working correctly. Why would this function this way? Is SSL required when not sending clear-text passwords (and not noted anywhere)?

    #368002
    fherbert
    Participant

    The security policies on the client are accessed using the Directory Access utility in the Utilities folder. If you click on your LDAP config for the required server and then click the Security tab, you will see your client security policies: Disable clear text passwords, Digitally sign all packets, Encrypt all packets, Block man in the middle attacks. No, SSL is not required when disabling clear text passwords; to put it simply, SSL just enables encrypted communication between the client and server.
    In the end, as Josh noted above, trusted binding is not actually required for most networks, unless you have security issues with non-authorized machines joining your OD. I have many systems in place that run managed login/logout scripts that sync from the server at startup, login and logout, which means I can have this feature without having to use trusted binding – note it only came into effect with 10.4 – what was everyone doing before 10.4 came along if they wanted managed login/logout scripts?
    If you want some really good reference material, have a look at the Apple Training Series book “Mac OS X System Administration Reference Vol1” using the link on the left hand side of this page, it’s a really good book and also contains the required study material for ACSA.
