Using OD to authenticate users to an AD domain

  • #367298
    cbloch
    Participant

    I have a question that I’m hoping someone has had experience with. We have a rather large XSAN system that I have been tasked to administer. We have integrated this system into our rather large Active Directory domain. Because of the extensive topology of the AD domain, we have had intermittent problems with OS X clients losing their binding to AD and therefore locking users out of the machines. I spoke with one of the XSAN techs who helped install the system and he indicated there was a way to use an OD master bound to AD to authenticate AD users without the clients themselves being bound to the OD domain. I have set up such a test Xserve but I have not been successful as of yet. All of the information I have been able to find only describes binding the clients to BOTH AD and OD and simply using OD for management. Is it possible to authenticate to AD through an OD master without binding the client to AD at all? If so, how is this accomplished?

    #367301
    cbloch
    Participant

    Yes, the goal was to use the OD master as a proxy to authenticate AD users. One of Apple’s XSAN engineers who helped set up and configure our system indicated to me that this was possible, but perhaps he wasn’t totally clear on exactly how it works. Our problem exists primarily in the clients that are connected to the main AD DC. At seemingly random intervals, they will drop from the domain and have to be rebound. We stuck Wireshark on the switch to capture the port data flow and found "pre-auth request denied" Kerberos v5 errors, and also found that the machine would go looking for other DCs in the AD tree that are not located in our building for authentication after giving such errors. We see this even on successful binds. The network services team has made numerous changes to the managed Cisco switches and still we have similar problems. Specifying a preferred DC doesn’t seem to help either. Any suggestions?

    #367307
    Anonymous
    Guest

    If you are simply trying to authenticate your users when binding to an OS X server for AFP services, you can bind the server to AD, and if you want to use Kerberos authentication, copy the edu.mit.kerberos file on the server to the /Library/Preferences folder on the clients. If the clients are bound to OD, they could get their MCX settings from there. This won’t work if you want people to log in to the client machines using AD credentials, but for accessing servers this should be OK.

    #367336
    Ross
    Participant

    Have you tried checking “Prefer the domain server” under the Active Directory advanced options in Directory Access? I have found that with large AD domains and connectivity issues, doing this helps… Also, unchecking “Allow auth from any domain forest” and defining the right domain under the Authentication tab in Directory Access helps as well.
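The two Directory Access options Ross describes are the same settings that the `dsconfigad` command line tool exposes as `-preferred <server>` and `-alldomains enable|disable`, and `dsconfigad -show` reports their current values. The script below is an added example, not code from the thread or from Apple: it parses `dsconfigad -show` output for those two settings and prints the `dsconfigad` commands that would apply the recommended configuration. The sample output, the domain name `corp.example.com` and the controller `dc01.corp.example.com` are constructed, and the exact label text ("Preferred Domain controller", "Authentication from any domain") is an assumption about the `-show` output format, so the matching is case-insensitive and tolerant of spacing.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two Active Directory plug-in
# settings discussed above and emit the dsconfigad commands that would fix them.
# SAMPLE_SHOW is constructed to look like `dsconfigad -show` output; the label
# strings are an assumption about that format.

SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = xserve-od$

Advanced Options - Administrative
  Preferred Domain controller      = not set
  Allowed admin groups             = not set
  Authentication from any domain   = Enabled
  Packet signing                   = allow
  Packet encryption                = allow'

# Print the value of a "Label = value" line from dsconfigad -show output.
# $1 = output text, $2 = label (matched case-insensitively at line start).
ad_setting() {
    printf '%s\n' "$1" \
        | grep -i "^[[:space:]]*$2[[:space:]]*=" \
        | sed 's/^[^=]*=[[:space:]]*//' \
        | head -n 1
}

# Succeeds when a preferred domain controller is configured
# (the "Prefer the domain server" checkbox in Directory Access).
has_preferred_dc() {
    v=$(ad_setting "$1" "Preferred Domain controller")
    if [ -n "$v" ] && [ "$v" != "not set" ]; then
        return 0
    fi
    return 1
}

# Succeeds when authentication is restricted to the bound domain
# ("Allow auth from any domain forest" unchecked).
auth_restricted_to_domain() {
    v=$(ad_setting "$1" "Authentication from any domain")
    if [ "$v" = "Disabled" ]; then
        return 0
    fi
    return 1
}

# Print the dsconfigad commands still needed to reach the recommended state.
# $1 = dsconfigad -show output, $2 = hostname of the DC to prefer.
# Prints nothing when both settings are already in place.
remediation_commands() {
    has_preferred_dc "$1" || echo "sudo dsconfigad -preferred $2"
    auth_restricted_to_domain "$1" || echo "sudo dsconfigad -alldomains disable"
}

# Stand-alone run: use the live plug-in state on a bound Mac, else the sample.
if command -v dsconfigad >/dev/null 2>&1; then
    SHOW=$(dsconfigad -show)
else
    SHOW=$SAMPLE_SHOW
fi
remediation_commands "$SHOW" dc01.corp.example.com
```

Run on the constructed sample, the script prints both `dsconfigad` commands, since neither setting is in place; on a Mac that already has a preferred DC and `-alldomains disable`, it prints nothing. The commands are echoed rather than executed so the output can be reviewed before changing the binding.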
