Mac client logging into Tiger Server with AD user
This topic has 11 replies, 5 voices, and was last updated 19 years, 6 months ago by afp548contributor.
July 20, 2005 at 2:56 pm #362397
Anonymous (Guest)
I’ve seen a few questions on this but no answers that make sense to me. I have a 10.4.2 Server and a 10.3.9 client. I’d like to do the following:
1. Have the Mac client log in to the 10.4 server at boot time using a valid AD username and password. Home directories don’t matter to me much at this point; I just don’t want to have to manage local login accounts on each Mac or for people to have a different password to log into their Mac than they do for the AD domain.
2. Set permissions/ACLs on the AFP sharepoints on the 10.4 server using the AD users and AD groups.
3. When the Mac client logs in at boot time, if they try to connect to the 10.4 Server AFP sharepoint, they don’t need to enter a username or password again because the AD user that they logged in with at boot time is the same user which is allowing them onto the 10.4 AFP service.
This would get me single sign on, as well as a single set of users to manage.
I have tried setting up my 10.4 Server both as Connected to Directory System, and Open Directory Master. I’ve been able to get users to connect to the AFP sharepoint via their AD username and password, but never been able to get them to log in at boot time with their AD username and password. Any suggestions?
By the way, I am only using a 10.3 client because it was handy. If this is made easier by getting 10.4 clients, please let me know. I thought that the key was in the 10.4 Server, because of all the hoopla that was made about the AD integration working better in Tiger.
Craig
July 20, 2005 at 7:34 pm #362407
Anonymous (Guest)
Hey Josh, thanks for the reply. I was able to bind the Tiger Server to AD, and Join Kerberos worked (at least I didn’t get any errors and now the Join Kerberos button is gone).
Thanks for the reminder on the 10.3 client restrictions with AD groups. However I don’t think I’ve gotten that far yet.
It’s your last sentence I’m trying to dissect. How should my clients be configured? Should they be trying to connect to the Tiger server at boot time, and the Tiger server is the one passing off the authentication to AD? Or are the clients connecting to AD directly at boot time? If so, doesn’t that preclude me from “logging in” to the Tiger Server at boot time?
I’m getting confused about what features/services are controlled from where.
Also, should my Tiger Server be set as an OD Master which is also joined to the AD domain, or just as Connected to Directory System?
Craig
July 21, 2005 at 6:37 pm #362426
dom9inic (Participant)
Hi,
does that mean Apple advocate setting up Tiger server as an OD master and also bound to AD?
I must admit I’m having real difficulty getting the magic triangle working. I have a 10.2.8 server as an OD master, no home dirs. My admin machine is bound to AD and I drag and drop my AD users into my OD groups on the server.
Clients’ Directory Access is set to AD first then OD master. MCX is set on the OD master at the group level.
Yet when my AD user logs into a client, the MCX seems messed up. The dock in particular seems to not play friendly and what applications a user can open, all of which is restricted to some extent at the group level on the OD master.
Perhaps I’m just befuddled.
July 21, 2005 at 8:24 pm #362432
Anonymous (Guest)
Josh:
I just bound the 10.3 client to AD and logged in to the Mac at boot time via my AD user. Great stuff. However, when I go to Go:Connect to Server and choose my Tiger Server, I get the application “Kerberos Login Server” giving me a login dialog which says “Finder Requires that you type your Kerberos password”. When I put in my AD username and password and AD Realm it doesn’t accept it. If I hit cancel then I get another regular login box and I can log in to the AFP server.
What happened to SSO? I wanted to be able to get access to all my services just from logging in at boot time with the right user. At this point I’m not trying to do any MCX management yet. I don’t think.
Craig
October 4, 2005 at 10:43 pm #363477
jscott (Participant)
I was having the same problem and the Terminal command sudo dsconfigad -enablesso worked for me. I now have SSO from my Mac clients. This has to be run on the server, just in case it wasn’t clear.
October 14, 2005 at 3:02 pm #363623
pixelgrunt (Participant)
Pardon my anonymity, I’m on a different computer at work and forgot my afp548 login…
Is anyone aware of what the following error means when attempting the dsconfigad -enablesso command?
Unable to configure service http error = 2
I’m having a heckuva time keeping a Tiger server Kerberized in our AD environment. We managed to get this working a few days ago, but Kerberos broke after a server restart and I can’t get it running again. We had to do some magic dance involving trashing kerberos and directory preferences, setting up an open directory standalone server, and then joining the kerberos domain, with a few restarts in between all of that. Could anyone point me toward any information regarding any of this?
XServe OS X Server 10.4.2 bound to native 2003 AD
I’d be happy to provide more details if requested.
October 14, 2005 at 4:56 pm #363630
pixelgrunt (Participant)
[QUOTE]Youch. You’re working too hard there.[/QUOTE]
I couldn’t agree with you more.
I know the server is functioning as a stable service otherwise, but tying this into our AD is a nightmare. Most of this due to the fact that the server group doesn’t feel compelled to let us know when changes are to be made in AD. There’s no need for that rant here…
I’m not sure that I can provide too many more details about the AD side. If you have some specific questions, I can try to contact our server group to get the answers. I understand that some change was made within the last three weeks to our AD environment that seems to have precipitated this.
To clarify the symptoms: afp and smb connections from an OS X Mac (10.3.9 client) are successful. An attempt to map the drive from XP erroneously returns an incorrect password error. The Windows File Service Log on the server says the following:
[2005/10/14 10:53:51, 2] /SourceCache/samba/samba-92.9/samba/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [USER1] -> [USER1] FAILED with error NT_STATUS_WRONG_PASSWORD
I can repeat this on a development 10.4.2 server.
The server is a file server only, sharing via afp and smb. I have the administrative power to bind and unbind to AD, but that’s about the extent of my AD powers here.
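The log excerpt pixelgrunt quotes is the kind of thing worth watching on a Tiger server bound to AD: a burst of NT_STATUS_WRONG_PASSWORD failures across many users right after an AD-side change usually means the server's domain trust or Kerberos configuration has broken, while a pile of failures for one user looks like a forgotten password or password guessing, and the two need different responses. The following POSIX shell script is an added example and not code from the thread or from afp548: it tallies check_ntlm_password failures per user from Windows File Service (smbd) log text and flags users over a threshold. The sample log lines are constructed in the format quoted above (the USER2/USER3 entries and the success line are made up to exercise the parser), and the helper names wrong_password_counts, failures_for_user and flag_users are this example's own.

```shell
#!/bin/sh
# Constructed sample of Windows File Service log text in the format quoted in
# the thread. Only the first USER1 entry mirrors the posted line; the rest are
# made up so the parser has something to count and something to ignore.
SAMPLE_LOG='[2005/10/14 10:53:51, 2] /SourceCache/samba/samba-92.9/samba/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [USER1] -> [USER1] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/10/14 10:54:03, 2] /SourceCache/samba/samba-92.9/samba/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [USER1] -> [USER1] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/10/14 10:54:40, 2] /SourceCache/samba/samba-92.9/samba/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [USER2] -> [USER2] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/10/14 10:55:17, 2] /SourceCache/samba/samba-92.9/samba/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [USER3] -> [USER3] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/10/14 10:56:02, 2] /SourceCache/samba/samba-92.9/samba/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [USER1] -> [USER1] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/10/14 10:57:30, 2] /SourceCache/samba/samba-92.9/samba/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: authentication for user [USER2] -> [USER2] -> [USER2] succeeded'

# Read log text on stdin; print "USER COUNT" for every user whose NTLM
# authentication failed with NT_STATUS_WRONG_PASSWORD, sorted by user name.
# Other failure codes (e.g. NT_STATUS_NO_SUCH_USER) and successes are skipped,
# and the "[date, level]" header lines never match because they lack the
# ": Authentication for user [" text.
wrong_password_counts() {
    awk '
        /check_ntlm_password: Authentication for user \[/ && /FAILED with error NT_STATUS_WRONG_PASSWORD/ {
            # The first bracketed field on the line is the client-supplied name.
            s = index($0, "["); e = index($0, "]")
            user = substr($0, s + 1, e - s - 1)
            count[user]++
        }
        END { for (u in count) print u, count[u] }
    ' | sort
}

# $1 = log text, $2 = user name; prints that user's wrong-password count (0 if none).
failures_for_user() {
    n=$(printf '%s\n' "$1" | wrong_password_counts | awk -v u="$2" '$1 == u { print $2 }')
    printf '%s\n' "${n:-0}"
}

# $1 = log text, $2 = threshold; prints the names of users with at least that
# many wrong-password failures, one per line.
flag_users() {
    printf '%s\n' "$1" | wrong_password_counts | awk -v t="$2" '$2 + 0 >= t { print $1 }'
}

# Stand-alone run over the constructed sample.
echo "Wrong-password failures per user:"
printf '%s\n' "$SAMPLE_LOG" | wrong_password_counts
echo "Users at or above 2 failures:"
flag_users "$SAMPLE_LOG" 2
```

On a live server the same functions can be fed the real log with `wrong_password_counts < /path/to/windows/file/service/log` (path is whatever your Server Admin log settings point at). If nearly every domain user suddenly shows failures, as in pixelgrunt's case, check the server's AD binding and Kerberos state before resetting anyone's password; if one account dominates, follow up with that user and the source addresses in the surrounding log lines.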
October 14, 2005 at 4:59 pm #363631
pixelgrunt (Participant)
…and thanks for the quick reply.
This site rocks.