Help! Cant get Managed AD logons to work!

Viewing 13 posts - 1 through 13 (of 13 total)
  • #362307
    topcat
    Participant

    Can somebody explain the correct way of running a system where Mac users can log in using AD accounts, but we can manage the AD groups' Mac prefs?
    We are running 10.4.2 server and clients.

    What I have done so far is this:
    Set up the server as an OD Master and created a user group called TestGroup. Server is NOT bound to AD.
    The clients are then bound to AD and OD.
    The plan then was to use one client and install the admin tools, log in using AD, use WM and connect to 127.0.0.1, dragging AD users into my test OD group.

    I have come up with 2 big problems though. First, the clients will only log into whatever is at the top of the authentication list in Directory Access. I have AD at the top at the moment, and can't log in using OD; as soon as I change them round, I can with OD, not AD.

    So I made AD the top, and I can log in fine using AD. The next problem is that when I try to browse the LDAP in WM to drag AD users into my OD group, it comes up with an error message.

    Anybody else got this to work? I am getting very worried now as we don't have much time to get this running.

    #362331
    dom9inic
    Participant

    When you log in using the AD account are the users bound by your MCX policy from WGM? If they are, then I’m not sure you have a problem.

    What do you want in the way of clients? All AD logons or a mix of OD and AD?

    Have you made sure your authentication tab in directory access has both OD and AD lookups?

    #362333
    camps
    Participant

    This is possible and I’ve got a working environment in 10.3.x server and client. I would assume that 10.4.x is the same setup.

    In regard to your first problem, authentication order: Directory Services uses the list of Authentication Paths to look for the username that you supply when logging in. By default it checks against the local NetInfo database and that can't be changed (hence the grayed-out listing). If it doesn't find a matching username there, it moves on to the next listing. Now if you have an account in AD that matches the supplied username in the loginwindow, then the client will pass on the password supplied to see if it matches that found in AD. If it does, you're in; if not, then the authentication stops, as it has found a matching username but the password doesn't match up. It doesn't even try to move on to the OD listing in Authentication because it found the matching username in AD. Basically you can't have the same username in AD as in OD. If you have a username in OD but not in AD it won't matter what order the Authentication paths are in, as it will search them all until it finds a match. I'm not sure why you would have the same user account in AD & OD anyway. What's the purpose of that, since the AD user accounts can't be migrated into OD user accounts, only added to OD groups?

    As for the problem with WGM & browsing LDAP, first check in Terminal on the machine you are using WGM with, using the 'dscl' tool. This allows you to see what Directory Services sees. Type 'dscl localhost' in the terminal so you get a prompt that looks like '>'. Use normal commands like cd and ls to move around the structure. 'ls' at the first prompt and you should see Active Directory and LDAPv3. If not, then you don't have Directory Services set up properly. 'cd' into LDAPv3 and 'ls'. You should see the LDAP server name or IP that you set up in Directory Services. If you can see that, then WGM should also. If all that pans out you can also try using an LDAP tool like Ldapper (check VersionTracker) to check that you have the right settings entered into Directory Services.

    Also a note on managing AD users with WGM. You will have to extend the AD schema to include the Mac specific containers for the WGM settings. You can’t just connect to an AD structure and start managing clients. Talk to your Apple SE for more info on that.
    You can start managing clients with OD out of the box, though. The OD group you have will work fine. Also keep note that the order of override in WGM is User overrides Computer overrides Group. Most settings applied at the Computer level will override Group settings of the same.

    Hope this helps.

    -Eric

    #362347
    topcat
    Participant

    Thanks for your help.
    At our college we have a mixture of Macs and PCs and students use both. We used to make them have a separate username for OD and AD and carry work between the two on USB pen drives.
    This was a pain for the students and a lot of work for us admins.

    What I am trying to do now is have all our macs running 10.4 and logging in using our AD. I want to manage the users in WM, but I will not be able to change the schema.

    I have been following this guide:
    https://www.afp548.com/article.php?story=20040915152755925&query=active%2Bdirectory

    and it's very good, but I still can't seem to get things working. As far as I can tell from reading up, my login problem is due to a Kerberos conflict. I do not have the same usernames in OD and AD, but it still is temperamental which logs in. I'm going to look into this conflict this morning.
    So following the AD/OD whitepaper on AFP548 I need to have the clients bound to both AD and OD, and when I have got that working, I can set up the prefs for my OD groups, and fill the groups with AD users.

    I then will need to create SMB shares on our Xraid and change the Mac users' AD account for their personal drive to come off the Xraid. The Mac users should then be able to log into a PC and their personal P drive mounts off the Xraid, or if they log in on a Mac, their home folder comes from the same share on the Xraid.

    I'm sure I'm doing this right, it just doesn't work!

    Anybody know what I may be doing wrong here?

    #362356
    maczilla
    Participant

    I am having the same problem… Posted the following to the forum a few weeks ago…

    https://www.afp548.com/forum/viewtopic.php?forum=24&showtopic=7798

    #362440
    dom9inic
    Participant

    Might be obvious, but always worth asking. Is your DNS good, as in, can you do forward and reverse lookups?

    #362517
    topcat
    Participant

    I think I'm almost there now. I can now log in using an AD username and it mounts the Windows home folder as the OS X home folder!

    To do this I had to get the clients pointing to AD and OD, then I edited the Kerberos hostname in WM so that it doesn't conflict with the Windows side. I then have to log in locally on a client Mac with admin tools installed. Connect to 127.0.0.1 with the local account. Then browse the OD, create an OD group, assign prefs, and then drag users into it from the AD drawer.

    This is very long-winded, but it works sometimes. WM seems to crash a lot, sometimes not show the AD users, or say it can't browse the OD or AD. After a restart it seems to be OK again.

    I really don't think this will be OK in a live environment though!

    The other problem is that I have no idea how to quota AD users' homes when their homes are SMB shares on the Mac.

    #362551
    dom9inic
    Participant

    You would need to set quotas at the AD machine if I understand it correctly. You cannot manage individual AD users from your OD master, only add them to OD groups and manage those groups.

    #362554
    topcat
    Participant

    Thanks, I have moved the Xraid to a Windows server now as it makes things simpler.
    I'm still having trouble working out how to set up group policy though.

    #363055
    jkonrad
    Participant

    I did not want to start another thread, since this is close to the same problem I'm having. I too am following the AD/OD Integration article from AFP548 and it's wonderful. Thanks so much Joel and Aaron. Anyway, all works exactly as stated till I bind my clients (10.3.9) to both AD and OD. If they are bound to only AD, the AD users log in, access their home folders from a 10.3.9 Server and away they work. Those same users can log in on Win XP clients and use their home folders.

    However, I would like to manage preferences, so I bound an admin Mac to OD and AD and WGM works just like described. Then I bind a client to both OD and AD, and when a user tries to log in it just stops at the spinning progress bar.

    Help!

    #363058
    jkonrad
    Participant

    Sorry to double post, but I want to add some info. When a client Mac is bound to both OD and AD, if a user I define only in OD logs on it works. It’s only when an AD user tries to logon that it hangs.

    I have disabled Kerberos on the OD master following Apple's instructions in article http://docs.info.apple.com/article.html?artnum=300765

    It still might be with Kerberos. If I kinit an AD user it works if I use my domain in all caps, but not if it’s small. If I open edu.mit.Kerberos the realm is listed in small letters so why do I need the all caps?

    #363069
    jkonrad
    Participant

    Again, sorry for another self post, but the problem is evolving and I’d like help getting it fixed.

    I set up a brand new client and it all works! However, I can't format and install all 120 of my Macs, so I think what must be happening is my old server LDAP settings are somehow stuck in the machine. I suspect this because when I ran the Kerberos GUI tools my old Kerberos server appeared as a real favorite even though it is nowhere in my edu.mit.Kerberos file.
    How can I clean out all traces of Kerberos on a client and start fresh?

    #363138
    AMSR
    Participant

    Try deleting the /Library/Preferences/DirectoryService/DSLDAPv3.plist file. You can also go into netinfo manager and delete any MCX_caches as well as deleting any MCX plists in /Library/Preferences. Removing the DSLDAPv3.plist will clear out the LDAP stuff.
