OD Binding question and problems

  • #378452
    aessing
    Participant

    Hello,

    at the moment I’m trying to figure out a secure OD configuration. I have played a little bit around and found out that:

    When the option “Digitally sign all packets” is activated, binding a client is not possible.
    When the options “Digitally sign all packets”, “Encrypt all packets” and “Block man-in-the-middle attacks” are activated, a client bound to the directory cannot authenticate against a replica if the master is down.
    When the client is not bound to the directory and the options “Disable clear text passwords”, “Digitally sign all packets”, “Encrypt all packets” and “Block man-in-the-middle attacks” are activated authentication against the replica works like a charm.

    So, can someone please tell me the benefits of binding the clients to the directory… What are your configuration settings? Is it better to have all four options active, or to bind the client to the directory?

    Thanks in advance
    and greetings from Germany

    Andre

    #378523
    cmra
    Participant

    I am also having problems trying to set up the secure binding settings. In my case I am trying to set up a trust relationship between client and server to run a login script on a client in a golden triangle setup. According to the documentation, if you are using an AD directory you need “Digitally Sign All Packets” to be ticked. If I tick this and reboot the server, I can no longer authenticate as the diradmin in Workgroup Manager or bind clients to the OD. I have tried running a repair permissions on the Master as someone had recommended in another post, but this didn't fix the issue. I can only authenticate as diradmin when this feature is unticked and the server rebooted. I wonder if this is in any way related to the Kerberos being sourced from Active Directory with the OD Kerberos not running (the feature requires Kerberos).
