Forum Replies Created

Viewing 11 posts - 1 through 11 (of 11 total)
  • in reply to: Odd behavior in Workgroup Manager #382876
    mgnicks
    Participant

    I am seeing the same issue on 10.8. WGM allows you to add AD users/groups into the OS X groups to allow MCX management, but as soon as you change tabs or refresh the view the groups come back with not found. We did manage to drag in a couple AD groups that “stuck” after a refresh, but as we cannot view the AD, we are not sure what differences there were between the groups/user accounts.

    I found a post on Experts Exchange with the same issue and he suggested a fix. This was to change the security group from global to domain local. However, after checking with the admin for the AD, the groups that we could add had the same settings as the groups that we couldn’t.

    Your mileage may vary though.

    in reply to: Backing up mail on OS X 10.6 Dovecot server #378433
    mgnicks
    Participant

    That sounds like a plan or the start of one at least.
    We don’t actually change the users in the OD that often. So backing up the users once a month would perhaps be often enough in our case.

    Thanks for your help.

    in reply to: Backing up mail on OS X 10.6 Dovecot server #378431
    mgnicks
    Participant

    At the moment there is no Backup being done at all whether it be LDAP, OD or anything. I didn’t know the best way to do this. You could say that it’s a bit foolish to not do any backups at all. 😳

    I just need to know the best ways to go about setting up a backup procedure. Is there a way to automate the OD Schema backups? I know that you can back up the OD Schema using Server Admin, but is there a way to automate this using a schedule? You’re going to say scripts now, aren’t ya? 😉

    I have looked at SuperDuper. There is an option to download a free version to do a complete backup. But it also does scheduled automatic backups for $30. I think that’s quite reasonable. I will look into this software further. Thanks for the heads up.

    I have scheduled the MySQL admin tool to backup the MySQL database. This was quite easy to do through the software 😀

    Thanks for your input.

    Mark

    in reply to: Backing up mail on OS X 10.6 Dovecot server #378429
    mgnicks
    Participant

    Thanks Jeff.

    Would you say this is the same when the server is set to be an OD Master? The server in question is an OD master, Mail server and Web server.

    I have read a few stories of concerns over backing up a fully functioning OD Master while the service is still switched on. Would you say this is a non-issue with Cloning?

    Thanks for the reply. Most appreciated.

    mgnicks
    Participant

    Does the “New Augmented Record” option in WGM do this, or do I need to do something else before this to get it working?

    I have turned on Clear text authentication and re-tried. I get this error:

    Login Failed
    Your password was rejected by the server myserver.domain.com for the login AD User.

    If I use Kerberos authentication it pops up asking me to validate my credentials (I am logged on as a local admin on this machine) and then it says:

    Account information not found
    Request encountered an unexpected error (domain CalDAV No Calendar Home Error / code 1).

    Both of these use the auto complete option for the account url.

    Now if I log onto a client machine with the AD user's account I get:

    The Server is Busy or Unavailable.
    The server is currently unable to handle the connection due to a temporary overloading or maintenance of the server. If this continues you should contact the server administrator.
    You may try to connect to the server again or cancel to go back to account setup.

    This is the same whether I use clear auth or Kerberos. It also doesn’t matter if I use auto or type in the account URL http://myserver.domain.com:8008. It auto completes the rest fine, adding /principals/users/ADUser on the end. But it still won’t connect me to the AD server.

    What can I do now to try and resolve this?

    Thanks for the reply though. Most appreciated.

    mgnicks
    Participant

    I have since managed to get the iCal service to respond. I demoted the server back to stand alone and then back up. I restored all my user, groups and computers and also have a functioning iCal server. How do I know? Well, I created a couple of OD users and configured them to connect to the iCal server and they connect fine. Without any changes I try the AD users and they fail. It says the principal for the AD user cannot be found.

    2008-09-26 12:00:46+0100 [-] caldav-8009 AMP,client Could not find the principal resource for user id: ADUser
    2008-09-26 12:00:52+0100 [-] caldav-8009 http://HTTPChannel,35,127.0.0.1 GetClientAddress(host='127.0.0.1', port=50985)
    2008-09-26 12:00:52+0100 [-] caldav-8009 AMP,client result = AmpBox({'_answer': '2d', 'host': '192.168.16.93', 'port': '60565'})
    2008-09-26 12:00:52+0100 [-] caldav-8009 AMP,client Unauthenticated users not enabled with the 'calendar' SACL
    2008-09-26 12:00:52+0100 [-] caldav-8009 http://HTTPChannel,36,127.0.0.1 GetClientAddress(host='127.0.0.1', port=50986)
    2008-09-26 12:00:52+0100 [-] caldav-8009 AMP,client result = AmpBox({'_answer': '2e', 'host': '192.168.16.93', 'port': '60566'})
    2008-09-26 12:00:52+0100 [-] caldav-8009 OpenDirectoryService Faulting record ADUser into users record cache
    2008-09-26 12:00:52+0100 [-] caldav-8009 OpenDirectoryService Record (users) AD User is not enabled for calendaring but may be used in ACLs
    2008-09-26 12:00:52+0100 [-] caldav-8009 OpenDirectoryService Added record /Active Directory/domain.com) 674FD9B8-4878-4059-BF28-AC7BBD47E1FD(AD User) 'AD User'> to OD record cache
    2008-09-26 12:00:52+0100 [-] caldav-8009 AMP,client Could not find the principal resource for user id: ADUser

    Any ideas for this bit?

    It seems to be the last step now.

    Thanks

    in reply to: Using dsconfigldap to bind to OD #370323
    mgnicks
    Participant

    Hello,

    I am trying to configure dsconfigldap through ARD but am stuck on the -c switch. You say above that it is required although the man page states otherwise. Is there a workaround I can use to get it to work from ARD?

    I thought about some sort of variable set with the computerid on the client but do not know where to start to implement this.

    Is it just a case of declaring a variable then setting it with whatever is used to get the computerid directly in the “send unix command”, or do you have to create a script first then run it?

    I don’t know much about scripting so please forgive my innocence.

    Thanks for any help you may be able to give.

    in reply to: Keeping Mail server accounts in sync with AD Users #368625
    mgnicks
    Participant

    Hello JDyck,

    I am also looking into adding the mail attribute to the AD schema, but am unsure as to how to go about it.

    How should the attribute be entered into the schema? I cannot find any information on how the entries should look, and I don’t really know where to start since it will be the first time I will have done this. Any help would be fantastic.

    I have registered the DLL for the AD schema snap-in already and looked around but that is all. I will also be testing this on a test AD first!!

    I was looking at just enabling mail through the SACL but I also require the quota function.

    Thanks for any help that you can give.

    😀

    in reply to: OS X Server best practices #368534
    mgnicks
    Participant

    Sorry, forgot the main point.

    The login worked-ish. I was able to log in except that the Managed preference (the dock was managed to the right as per the leveraging doc) did not apply. This suggests to me that the accounts that are not available are the OD managed group accounts, but as I am relatively new to this and all seems to be correct with the configuration it is proving difficult to find the problem. Where would be the best place to track down issues, i.e., which log would be the best one to browse for answers? I have looked through each log on the OD but nothing seems obvious. I checked the Kerberos app when logged in as an AD User and can see that it has picked up the Kerberos ticket for the right domain.

    If you need any more information or can point me in the right direction to help with this problem it would be most appreciated.

    Many thanks for your time.

    in reply to: OS X Server best practices #368531
    mgnicks
    Participant

    I found most of my answers to the first post by reading the leveraging OD to use the AD document properly. It states that the realms can be set to whatever you like really but for the main realm use the org name.

    This is what the realm is set to on the AD and I set the realm on the Mac side to macrealm.orgname.

    I promoted the 10.4.8 to OD Master and then proceeded to bind it to the AD. I followed the instructions to remove the OD realm macrealm.org so as not to confuse the clients.

    I continued to WGM and set up some groups on the OD and moved the AD groups into these OD groups to manage them.

    I moved on to the clients to configure them to connect to the AD via the plugin and the OD. I moved the AD above the OD in the authentication list.

    I proceeded to restart the machine to test the login of a user.

    Once at the login window I cycled through the information and found a yellow ball stating some accounts available. I have tried all I can think of but cannot resolve this issue.

    What have I missed?

    in reply to: OS X Server best practices #368512
    mgnicks
    Participant

    If anyone could point me in the right direction with the FQDN questions that would be a great help, as it would allow me to proceed on the right foot throughout the rest of the procedure.

    One thing I have thought about is this…

    If I have joined the Boot Camped XP side to the AD and then need to bind the computer to the AD through OS X to have that working, what about the computer accounts in the AD? If I, for example, name the XP computer1 and then bind using computer1, the account will already exist. What effect will this have on the computer account in the AD for the XP side if I choose to replace it?

    I will check this out as soon as I finish the install of OS X Server.
