Forum Replies Created
June 13, 2008 at 9:59 pm in reply to: AD authentication to Leopard Wiki via nested AD groups #373117
mlinde
Participant
This is a known issue in OS X Server prior to 10.5.3. I’m not sure it’s fixed in 10.5.3, as I don’t have a deployed 10.5 server at this point (I’m still running my OD setup in 10.4.x). It was, however, supposed to be fixed in Server 10.5.3 (although from what I’m hearing, Server 10.5.3 isn’t running so well…)
mlinde
Participant
Create groups in OD. Assign AD accounts as members. Effect changes to the OD groups.
mlinde
Participant
Quote by: mlinde
> I have a similar (but not exactly the same) issue. I have a bound client that can access two different shares, but not a third (when logged into a domain account). If I log in with the local admin account on the box I can access the share, and if I use the terminal to connect directly via smb I can connect (but I’m sending passwords in the clear there). In addition, from a different box I can access any shares. Only obvious difference is the AD binding on the box that is failing, so I think it has to do with authentication. Any suggestions on tracing this further?
> Log only shows this:
> mount_smbfs: session setup failed (extended security lookup2): syserr = Input/output error
> mount_smbfs: could not login to server SMBEVHILLSFILE0: syserr = Input/output error
> And no, there is no hardware failure on the SMB server – I can access it fine as long as I don’t try to go through the GUI.

This has been resolved – the server was linked to a bad NTP server, and time had drifted beyond 5 minutes. Goes to show sometimes the correct answer isn’t an easy one, but if the infrastructure is set up correctly some errors won’t occur.
mlinde
Participant
I have a similar (but not exactly the same) issue. I have a bound client that can access two different shares, but not a third (when logged into a domain account). If I log in with the local admin account on the box I can access the share, and if I use the terminal to connect directly via smb I can connect (but I’m sending passwords in the clear there). In addition, from a different box I can access any shares. Only obvious difference is the AD binding on the box that is failing, so I think it has to do with authentication. Any suggestions on tracing this further?
Log only shows this:
mount_smbfs: session setup failed (extended security lookup2): syserr = Input/output error
mount_smbfs: could not login to server SMBEVHILLSFILE0: syserr = Input/output error
And no, there is no hardware failure on the SMB server – I can access it fine as long as I don’t try to go through the GUI.
mlinde
Participant
Not to hijack, but I’m running against this again, and I don’t know what I did to fix it the first time that I can’t repeat. My logs (when I tail DirectoryService.debug.log) show an error/collision when trying to get a cross-domain authentication, and I don’t know how to resolve that. My AD config enables cross domain authentication, but won’t get more than UID,GID – and not even the GID name:
Last login: Wed May 28 11:08:04 on ttys001
SEG-Loaner-MacBook-Pro:~ cssadm$ id encore\\mlinde
uid=127773712(mlinde) gid=951704675
SEG-Loaner-MacBook-Pro:~ cssadm$
The tail shows this when that’s happening:
2008-05-28 11:08:50 MDT – T[0xB0103000] – Internal Dispatch, API: dsGetRecordList(), Search Used : DAR : Node Ref = 16777223 : Number of Found Records = 1 : Continue Data = 0 : Result code = 0
2008-05-28 11:08:50 MDT – T[0xB0103000] – CCachePlugin::AddEntryToCacheWithKeys – Entry NOT added for record 0x0022D690 with key pw_uuid:079DAC10-3FEF-43DC-B85C-023DF913B4EF – collision
2008-05-28 11:08:50 MDT – T[0xB0103000] – CCachePlugin::AddEntryToCacheWithKeys – Entry NOT added for record 0x0022D690 with key pw_gecos:Michael Linde – collision
2008-05-28 11:08:50 MDT – T[0xB0103000] – CCachePlugin::AddEntryToCacheWithKeys – Entry NOT added for record 0x0022D690 with key pw_uid:127773712 – collision
2008-05-28 11:08:50 MDT – T[0xB0103000] – CCachePlugin::AddEntryToCacheWithKeys – Entry NOT added for record 0x0022D690 with key pw_name:mlinde – collision
2008-05-28 11:08:50 MDT – T[0xB0103000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAR : Procedure = getpwnam (1) : Result code = 0
2008-05-28 11:08:50 MDT – T[0xB0218000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAC : Procedure = getpwnam (1)
2008-05-28 11:08:50 MDT – T[0xB0218000] – CCachePlugin::getpwnam – Cache hit for mlinde
2008-05-28 11:08:50 MDT – T[0xB0218000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAR : Procedure = getpwnam (1) : Result code = 0
2008-05-28 11:08:50 MDT – T[0xB0103000] – Client: id, PID: 262, API: GetAllGroups, Server Used : mbrmig DAC : uid = 127773712
2008-05-28 11:08:50 MDT – T[0xB0103000] – Client: id, PID: 262, API: GetAllGroups, Server Used : mbrmig DAR : Total groups = 0
2008-05-28 11:08:50 MDT – T[0xB0185000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAC : Procedure Request = getgrgid
2008-05-28 11:08:50 MDT – T[0xB0185000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAR : Procedure = getgrgid (7) : Result code = 0
2008-05-28 11:08:50 MDT – T[0xB0103000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAC : Procedure = getgrgid (7)
2008-05-28 11:08:50 MDT – T[0xB0103000] – CCachePlugin::getgrgid – Cache hit for 951704675
2008-05-28 11:08:50 MDT – T[0xB0103000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAR : Procedure = getgrgid (7) : Result code = 0
So what is causing the collision, or the inability to get ANY group memberships? The big thing here is that I am authenticating across domains (the unit is bound to one AD domain, the account is in another) – this works in 10.4.x
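An added triage helper for the DirectoryService.debug.log format quoted in the post above (this is example code, not from the post, Apple, or any project): it pulls out CCachePlugin cache-key collisions and pairs each GetAllGroups request with its reply on the same thread id, so a "0 groups for a cross-domain user" symptom can be flagged across many machines without reading the whole tail. The sample lines are constructed to match the quoted format.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the quoted DirectoryService.debug.log.
# Field separators are written as "-" here; extracted logs may show "–".
SAMPLE_LOG = """\
2008-05-28 11:08:50 MDT - T[0xB0103000] - CCachePlugin::AddEntryToCacheWithKeys - Entry NOT added for record 0x0022D690 with key pw_uid:127773712 - collision
2008-05-28 11:08:50 MDT - T[0xB0103000] - CCachePlugin::AddEntryToCacheWithKeys - Entry NOT added for record 0x0022D690 with key pw_name:mlinde - collision
2008-05-28 11:08:50 MDT - T[0xB0103000] - Client: id, PID: 262, API: GetAllGroups, Server Used : mbrmig DAC : uid = 127773712
2008-05-28 11:08:50 MDT - T[0xB0103000] - Client: id, PID: 262, API: GetAllGroups, Server Used : mbrmig DAR : Total groups = 0
2008-05-28 11:09:02 MDT - T[0xB0185000] - Client: id, PID: 270, API: GetAllGroups, Server Used : mbrmig DAC : uid = 501
2008-05-28 11:09:02 MDT - T[0xB0185000] - Client: id, PID: 270, API: GetAllGroups, Server Used : mbrmig DAR : Total groups = 4
"""

DASH = r"\s[-\u2013]\s"  # accept "-" or "–" between log fields
COLLISION_RE = re.compile(
    r"CCachePlugin::AddEntryToCacheWithKeys" + DASH
    + r"Entry NOT added for record (0x[0-9A-Fa-f]+) with key (\w+):(.*?)" + DASH + r"collision\s*$")
GROUPS_REQ_RE = re.compile(r"T\[(0x[0-9A-Fa-f]+)\].*API: GetAllGroups, Server Used : mbrmig DAC : uid = (\d+)")
GROUPS_RES_RE = re.compile(r"T\[(0x[0-9A-Fa-f]+)\].*API: GetAllGroups, Server Used : mbrmig DAR : Total groups = (\d+)")


def triage(log_text):
    """Return (collisions, group_counts, findings).

    collisions:   record id -> {cache key name: value} for each collided insert
    group_counts: uid -> group total, pairing each DAC request with the DAR
                  reply that carries the same thread id
    findings:     human-readable items worth a second look
    """
    collisions = defaultdict(dict)
    pending = {}        # thread id -> uid whose DAR reply has not arrived yet
    group_counts = {}
    for line in log_text.splitlines():
        if m := COLLISION_RE.search(line):
            record, key, value = m.groups()
            collisions[record][key] = value
        elif m := GROUPS_REQ_RE.search(line):
            pending[m.group(1)] = m.group(2)
        elif (m := GROUPS_RES_RE.search(line)) and m.group(1) in pending:
            group_counts[pending.pop(m.group(1))] = int(m.group(2))
    findings = [f"record {r}: cache collision on {', '.join(sorted(k))}" for r, k in collisions.items()]
    findings += [f"uid {u}: GetAllGroups returned 0 groups (primary GID only)"
                 for u, t in group_counts.items() if t == 0]
    return dict(collisions), group_counts, findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG)[2]:
        print(item)
```

Run it against a real tail with `triage(open("/Library/Logs/DirectoryService/DirectoryService.debug.log").read())` (path assumed); a uid that shows up with 0 groups while its name and uid collided in the cache is the pattern described in the post.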
mlinde
Participant
Quote by: MacTroll
> FCS does /not/ work with AD at this time.
> AD only allows specific authentication types. FCS wants to use an MD5 hash which AD won’t actually use without quite a fight.
You are kidding me. !@#$#%
I hope that’s changed before this fall. I’m supposed to evaluate that as a core workflow tool in our environment, and no AD integration makes FCS dead in the water for us. MacTroll, where do you get these details???
mlinde
Participant
Is your FCS server set up in “workgroup” mode? I’m still trying to wrangle this, but I keep hearing that the appropriate method to get AD working in 10.5 server is to configure workgroup mode.
I can’t validate at this moment, as I don’t have my 10.5 server test box here – but I will try this week.
mlinde
Participant
I’ve been looking for this post!
I am experiencing the same problem, but only with portable systems. None of my desktops. I can verify AD connectivity (dsconfigad -show) but user/account information is not synchronizing (id domain/user). If I use id, I get the local cached information but nothing from the domain. If I unbind and rebind, it works.
However, that’s not a viable solution, since our password policy has a 120 day expiration, and portable users aren’t always in the office when their password expires.
What gives, and how do I fix it?
mlinde
Participant
Hi there. I have the same problem in 10.4.11 Server. I have a support contract, so contacted Apple. Don’t shoot the messenger here…
> The group nesting issue is something that we have seen before and engineering has deemed fixed in Leopard. This is not something that is/will be addressed in Tiger, and is expected to work in Leopard by at least 10.5.3.
> Thanks,
> AppleCare Enterprise Customer Support Engineering
mlinde
Participant
I’ve seen this as well, and even if you set up a “preferred” DC, it still queries the entire forest. I’m with you on 10.5.3 – it almost seems like AD integration took a step or two back with 10.5, I’m hoping to get back to 10.4.9 functionality soon…
mlinde
Participant
That’s an odd one. My problem may be a multi-domain forest (I’m troubleshooting a new angle here) where the OD server is in one domain, and a user account is in another. I can work fine in just AD, but when I also bind to OD it starts to fail with both domains. Of course, it works if AD and OD are from the same domain…
mlinde
Participant
Probably not the answer you want, but if the user has two AD accounts in the same domain, you want to combine them into one, and give them membership rights that allow the access they need for both.
I doubt somehow the PC resolves correctly two identical names in AD, unless somehow you’ve got the computer and the user nested in specific OUs, and it can resolve that.
I have two accounts in our AD environment (one in each domain) to enable me to bind/manage macs across both domains (that’s an issue with Mac AD implementation), and I know our AD administrator was unhappy with me having two accounts if I could be managed in one…
March 18, 2008 at 2:39 pm in reply to: AD Appears to bind, but computer objects not created? #371924
mlinde
Participant
Well, I found my own resolution/answer, so I thought I’d share.
AD has a replication cycle, up to (in our environment) 30 minutes. If a new machine is bound in a different location (like an office in a different state), it could take up to 30 minutes for that replication cycle to get into the primary DC and back to the local DC, which would potentially also prevent the computer object from showing up right away.
That’s for anyone else who runs into this.
January 22, 2008 at 6:59 pm in reply to: Software Update Server: 10.4.11 means no 10.4.10 for me??? #371208
mlinde
Participant
Quote by: macshome
> Yeah it removes the older updates when a newer one is there. You can always set it to not auto-release the updates in order to get around it
How do you do this? I was looking for that option in the settings – didn’t see anything that appeared to do that. Or, is it a CLI-only setting?
January 21, 2008 at 11:25 pm in reply to: Software Update Server: 10.4.11 means no 10.4.10 for me??? #371189
mlinde
Participant
– bump –
I have a related question to this original, unanswered one. I notice that SUS doesn’t keep older updates as an option (only the new ones), so I can’t have Quicktime 7.2 (or even 7.3) – only 7.4. Also, I don’t see any 10.5 updates listed (I am running Server 10.4.11 but may have 10.5 clients before I upgrade my servers).
Is there a clean/legit way to get and continue to offer (if chosen) older updates in SUS?