Forum Replies Created
March 10, 2006 at 6:13 pm in reply to: Can’t see /Active Directory/All Domains, but can see individual domains #365638
chwebster (Participant)
Nevermind on the dsconfigad – syntax (user) error…
Craig
March 9, 2006 at 10:04 pm in reply to: Can’t see /Active Directory/All Domains, but can see individual domains #365626
chwebster (Participant)
Found a blog which had us tweak some Kerberos related policies on the W2K3 server, and I’m also now making sure we uncheck the Allow Authentication from any Domain in the Forest box. Now it’s giving me the Active Directory/mydomain.com as an option in the search path and I’m able to log in as the user.
Not sure which (or both) of those items did the trick for me.
Now I’m trying to script joining the computer with dsconfigad and it binds correctly but does not set any of the other options properly for me (for instance I’m running -alldomains disable but it still comes up checked when I launch the GUI).
Craig
March 9, 2006 at 3:05 pm in reply to: Can’t see /Active Directory/All Domains, but can see individual domains #365621
chwebster (Participant)
When I go into Directory Access I see All Domains on both the authentication and contacts tab under Search: Custom path.
When I put DS into debug mode it says no matching processes were found – maybe I’m not doing it correctly.
The system.log shows mcxd:dsOpenNode:dsOpenDirNode(Active Directory/All Domains) == -14002.
Craig
chwebster (Participant)
Ok, took me a while to get around to looking at the man pages for dscl and dsconfigad. Unfortunately, I’m still lost as to how to proceed. Here is the dscl info – now what?:
test-Mac-G4-client:~ test five$ dscl /"Active Directory"/"All Domains"/ -read /Users/"test five"
accountExpires: 9223372036854775807
ADDomain: dataviz.com
badPasswordTime: 0
badPwdCount: 0
cn: test five
codePage: 0
countryCode: 0
displayName: test five
distinguishedName: CN=test five,CN=Users,DC=dataviz,DC=com
dn: CN=test five,CN=Users,DC=dataviz,DC=com
givenName: test
instanceType: 4
kerberosPrincipal: [email protected]
lastLogoff: 0
lastLogon: 127710288674378426
logonCount: 3
name: test five
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dataviz,DC=com
objectClass: top person organizationalPerson user
objectSid: 01050000 00000005 15000000 68536340 bd692767 585dc85b 810a0000
primaryGroupID: 513
pwdLastSet: 127710278240967854
sAMAccountName: test five
sAMAccountType: 805306368
sn: five
userAccountControl: 512
userPrincipalName: [email protected]
uSNChanged: 4281623
uSNCreated: 4281619
whenChanged: 20050912194344.0Z
whenCreated: 20050912194344.0Z
AppleMetaNodeLocation: /Active Directory/dataviz.com
AuthenticationAuthority: 1.0;Kerberosv5;A29D1569-8A9F-4F99-AE71-FB3EEAA9601A;[email protected];DATAVIZ.COM;
FirstName: test
GeneratedUID: A29D1569-8A9F-4F99-AE71-FB3EEAA9601A
LastName: five
MCXFlags:
has_mcx_settings
MCXSettings:
mcx_application_data
com.apple.MCX
Forced
mcx_preference_settings
com.apple.cachedaccounts.CreateAtLogin
com.apple.cachedaccounts.WarnOnCreate
com.apple.dock
Forced
mcx_preference_settings
AppItems-Raw
DocItems-Raw
MCXDockSpecialFolders-Raw
AddDockMCXOriginalNetworkHomeFolder
contents-immutable
static-only
mcx_union_policy_keys
mcx_input_key_names
AppItems-Raw
mcx_output_key_name
static-apps
mcx_remove_duplicates
mcx_input_key_names
DocItems-Raw
mcx_output_key_name
static-others
mcx_remove_duplicates
mcx_input_key_names
MCXDockSpecialFolders-Raw
mcx_output_key_name
MCXDockSpecialFolders
mcx_remove_duplicates
loginwindow
Forced
mcx_preference_settings
AutoLaunchedApplicationDictionary-raw
AuthenticateAsLoginUserShortName
MCX-NetworkHomeDirectoryItem
DisableLoginItemsSuppression
LoginUserMayAddItems
mcx_union_policy_keys
mcx_input_key_names
AutoLaunchedApplicationDictionary-raw
mcx_output_key_name
AutoLaunchedApplicationDictionary-managed
mcx_remove_duplicates
NFSHomeDirectory: /Users/testfive
PasswordPlus: ********
PrimaryGroupID: 807021230
RealName: test five
RecordName: test five testfive [email protected] DATAVIZ\testfive DATAVIZ\test five test five
RecordType: dsRecTypeStandard:Users
SMBAccountFlags: 805306368
SMBGroupRID: 513
SMBLogoffTime: 0
SMBLogonTime: 127710288674378426
SMBPasswordLastSet: 127710278240967854
SMBPrimaryGroupSID: S-1-5-21-1080251240-1730636221-1539857752-513
SMBSID: S-1-5-21-1080251240-1730636221-1539857752-2689
UniqueID: 580719977
UserShell: /bin/bash
test-Mac-G4-client:~ test five$

chwebster (Participant)
Ok, you have given me some hope. I was wondering what tool would help me find out what usernames the OS was using other than “id Craig Webster”.
I will have to read up on the man page for dscl to see how to use it however.
In addition (maybe I’m getting ahead of myself), once I see what OS X is using for the shortname, what is the next step? I feel like I am missing just a few pieces of the puzzle but not always sure which pieces, so I apologize if my questions are out there!
Craig
chwebster (Participant)
Their Exchange alias would work as a shortname. How would I static map that?
Just to clarify, though, I created a test user who did have one AD attribute with a field with a name with no spaces – and then logging into the AFP server broke.
Craig
chwebster (Participant)
I made the changes in the AD. The end goal is to be able to have users in one place only – and for us that one place is the AD. Those users already exist and people are already used to logging into Windows with their full names that have spaces in them. If we could make it work so they log in to Windows with a full name, and the Mac with a short name, that might be acceptable, as long as it’s still one AD user we’re working with.
When I create an AD user with no spaces in the username, I have everything working. That’s what makes me think I’m so close!
I’m not doing any managed preferences at this point, and I’m just using local home folders on the Mac.
Craig
chwebster (Participant)
I double checked my Directory Access authentication tab and for some reason the AD custom path wasn’t listed. I added that in and restarted the server and it is now keeping the users properly in WGM as their username.
I was able to log in to the AFP server from a Mac client using the AD user. However I have one AD user whose names are different in AD (Pre-Windows 2000 name vs just plain User logon name) and that user cannot log into the AFP server. I need to find some documentation on what fields to map the schema to – on both the AD and the OS X side.
Craig
September 8, 2005 at 8:49 pm in reply to: user has incorrect permissions, 10.4.2 client bound to AD #363180
chwebster (Participant)
I found one problem – my AD user had a short name with a space in it. Seems the AD plug-in pulls the attribute from AD labeled Pre-Windows 2000 logon name, and that entry for this user had a space in it. When I changed that attribute in AD and removed the space, after trashing the ‘profile’ on the Mac client and logging in again with that user, I was able to open all of the home directories.
Craig
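An added check, not from the original thread, that parses `dscl "/Active Directory/All Domains" -read /Users/<user>` output like the listing quoted earlier and flags the two AD naming conditions these posts ran into: a sAMAccountName (AD's Pre-Windows 2000 logon name) containing a space, and a user logon name (UPN) whose local part differs from it. The sample output is constructed, abridged to the relevant attributes, and uses a placeholder domain.

```python
import re

# Constructed sample of `dscl "/Active Directory/All Domains" -read /Users/<user>`
# output, abridged to the attributes that matter here; the domain is a placeholder.
SAMPLE_DSCL_OUTPUT = """\
cn: test five
displayName: test five
distinguishedName: CN=test five,CN=Users,DC=example,DC=com
sAMAccountName: test five
userPrincipalName: testfive@example.com
NFSHomeDirectory: /Users/testfive
RecordName: test five testfive testfive@example.com EXAMPLE\\testfive
UserShell: /bin/bash
"""

_KV = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_dscl(text):
    """Return the single-line `key: value` attributes as a dict.
    Nested MCXSettings lines carry no colon and are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def audit_shortname(attrs):
    """Return a list of findings; an empty list means neither condition applies."""
    findings = []
    sam = attrs.get("sAMAccountName", "")
    upn = attrs.get("userPrincipalName", "")
    # The AD plug-in derives the Mac shortname from sAMAccountName (AD's
    # "Pre-Windows 2000 logon name"); a space there carries into the shortname.
    if " " in sam:
        findings.append("sAMAccountName %r contains a space (shortname will too)" % sam)
    # A UPN whose local part differs from sAMAccountName gives the user two
    # different logon names; the thread saw AFP logins fail for such an account.
    upn_local = upn.split("@", 1)[0]
    if sam and upn_local and upn_local != sam:
        findings.append("userPrincipalName local part %r != sAMAccountName %r"
                        % (upn_local, sam))
    return findings


if __name__ == "__main__":
    for finding in audit_shortname(parse_dscl(SAMPLE_DSCL_OUTPUT)):
        print("FINDING:", finding)
```

To audit a real account, pipe the dscl output into parse_dscl instead of the constructed sample; an empty result from audit_shortname means the account name is free of both conditions.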
September 8, 2005 at 6:36 pm in reply to: user has incorrect permissions, 10.4.2 client bound to AD #363178
chwebster (Participant)
I just formatted a G4, put on a fresh install of 10.4.2, and then bound to the AD. I am seeing the exact same thing. When the Mac boots I am able to log in with my AD user, but if I try to open any of the folders like Desktop, Music, Documents, etc. it tells me I don’t have permissions.
If I log in as the local admin, however, and look at the permissions, it shows the AD user as the owner.
Has anyone else solved this problem?
Craig