Forum Replies Created

Viewing 7 posts - 1 through 7 (of 7 total)
  • in reply to: dscl search in AD broken in 10.5.6? #375492
    pme
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]If you regress with a previous version of the plugin and it works… that smells like a bug and you should file that.

    I was asking the size of the AD as you could have been running into issues with paged LDAP responses. Typically AD will only give out 1000 records in response to a list. So you’d only be getting the records that match within the first 1000 records.[/p][/QUOTE]

    Bug filed. (ID# 6607362)

    The mismatch between the “list” and “search” is definitely due to the paged response.

    We’ve backed the servers depending on this search to version 1.6.2 of the .dsplug.

    /P-M

    in reply to: dscl search in AD broken in 10.5.6? #375445
    pme
    Participant

    [QUOTE][u]Quote by: pme[/u][p]If I replace the “Active Directory.dsplug” with version 1.6.2 (from 10.5.5)[/p][/QUOTE]

    Correcting myself here: it’s plugin version 1.6.2 from 10.5.4. Both 1.6.3 (from 10.5.5) and 1.6.4 (from 10.5.6) don’t work…

    /P-M

    in reply to: dscl search in AD broken in 10.5.6? #375428
    pme
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]I’m assuming you have a large number of users in your domain?[/p][/QUOTE]

    No, not really. 1219 as of today.

    If I replace the “Active Directory.dsplug” with version 1.6.2 (from 10.5.5) everything works as before. Is it a bug in the dsplug or is it a config thing in our AD?

    thanks

    /P-M

    in reply to: Active Directory Binding (PMMUC Error -14006) #365529
    pme
    Participant

    We’ve done some more testing and come up with this: the thing that breaks our computer account is the Samba server.

    On the troubling server we’ve had problems getting the Samba server to authenticate using Kerberos. Therefore we’ve set it to use:
    security : ntdomain

    This setting seems to break the computer account since the AD forces the computer accounts to change password every 7 days (which Samba apparently can’t handle).

    /P-M

    in reply to: Active Directory Binding (PMMUC Error -14006) #365319
    pme
    Participant

    [QUOTE BY= macshome] Check the contents of /L/P/edu.mit.kerberos when you are having these auth errors.

    Check to see if any ACLs were placed on the AD schema.

    When you kinit as a user does it work?[/QUOTE]

    I forgot to answer this…

    There’s no problem using /S/L/C/Kerberos to get a tgt for an AD user. The only problem (in our case) is that the computer account stops working.
    Also, if I only restart DirectoryService it states that it can’t find the closest domain controller for the AD.

    /P-M

    in reply to: Active Directory Binding (PMMUC Error -14006) #365317
    pme
    Participant

    This seems like the same problem as we have. Two of our seven Xserves (10.4.3 and 10.4.4) occasionally get kicked out of the AD. The only way to get them back in is to unbind+bind.

    When we look in the error log of our AD servers we see the following:
    [QUOTE]The session setup from computer ‘ServerName’ failed because the security database does not contain a trust account ‘ServerName$’ referenced by the specified computer. [/QUOTE]

    On the OSXS side the DirectoryService logs don’t show any abnormalities during the failure. (One of my old DS debug logs does, however, show the same error.)

    The AppleFileService log shows:

    IP xx.xx.xx.xx - - [12/Feb/2006:04:56:13 0100] "Logout user" -5023 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:04:56:21 0100] "Logout user" -5023 0 0
    **** - - [12/Feb/2006:04:56:21 0100] "<D> user" 8719 13404 0
    **** - - [12/Feb/2006:04:56:21 0100] "<D> user" 11831 13404 0
    **** - - [12/Feb/2006:04:56:21 0100] "<D> user" 12039 13404 0
    **** - - [12/Feb/2006:04:56:21 0100] "<D> user" 12701 13404 0
    **** - - [12/Feb/2006:04:56:21 0100] "<D> user" 12807 13404 0
    **** - - [12/Feb/2006:04:56:21 0100] "<D> user" 12841 13404 0
    [snip]
    IP xx.xx.xx.xx - - [12/Feb/2006:04:56:21 0100] "Reconnected User: <Guest>" 13985 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:04:56:21 0100] "Logout <Guest>" 0 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:04:58:34 0100] "Login <Guest>" 0 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:04:58:36 0100] "Logout <Guest>" 0 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:04:58:36 0100] "Logout user" -5023 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:04:59:00 0100] "Logout user" -5023 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:00:00 0100] "Logout user" -5023 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:03:47 0100] "Login <Guest>" 0 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:03:49 0100] "Logout <Guest>" 0 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:03:50 0100] "Logout user" -5023 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:06:54 0100] "Login <Guest>" 0 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:06:56 0100] "Logout <Guest>" 0 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:06:56 0100] "Session Network Error Disconnect: " 0 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:06:56 0100] "Logout user" -5023 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:07:52 0100] "Logout user" 0 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:14:53 0100] "Logout user" -5023 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:20:02 0100] "Logout user" -5023 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:05:40:03 0100] "Logout user" -5023 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:06:00:04 0100] "Logout user" -5023 0 0
    IP xx.xx.xx.xx - - [12/Feb/2006:06:20:05 0100] "Logout user" -5023 0 0
    

    As I said at the start, this only affects two out of seven identically installed and configured machines. Our OD is on separate machines (with Kerberos disabled).
    The only differences between the failing servers and the working ones are that the failing servers are a little bit more used than the others (100 users logged in on average, compared to 35), and that the AD DCs for the failing ones are in a separate “site” from the other AD DCs. (We’ve contacted M$ to see if there’s a misconfiguration in the AD behind it.)

    /P-M

    in reply to: AD/OD integration with Directory Binding #365315
    pme
    Participant

    I was in the same boat in August. Same problem, same solution.
    Strange things happened with both our OD servers and our servers for home folders.
    Then I met Michael Bartosh (4am media) and he advised me not to bind my Macs to OD. He’d seen some strange things doing that. So I took a separate approach.

    Using OpenDirectory (ordinary AppleScript or bash/Perl/etc. will also do) I:

    1. check for computer records with the MAC address you’re going to add:

    dscl localhost search /LDAPv3/<your LDAP search path>/Computers macAddress <MAC address>
    

    2. If not present, then:

    dscl -u <admin name> -P <admin password> /LDAPv3/<your LDAP search path> -create /Computers/<computer name> macAddress <MAC address>
    

    3. add it to a present computer list:

    dscl -u <admin name> -P <admin password> /LDAPv3/<your LDAP search path> -merge /ComputerLists/<Computer List> apple-computers <computer name>
    

    Renaming computer records was a little bit trickier (as I recall), so if I need to rename a record, I either do it using WGM or do a delete+add using dscl. As long as you remember that the computer lists don’t change when you delete or rename a computer record, all should be just fine…

    Since we’re using FileMaker for our assets/cases that became our hub for computer records as well (but anything that can make a list of computer names paired with MAC addresses will do).

    hth

    /P-M
    PS. If you still want to do the double-bind stuff, you certainly need to create your own edu.mit.Kerberos file, setting your AD as default_realm.
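The three dscl steps above as one idempotent script, added here as an example; it is not the poster's own code. It assumes an OD master reachable as the LDAPv3 node /LDAPv3/127.0.0.1, a directory admin with short name diradmin and an existing computer list called Lab Macs (all placeholders, overridable through the environment), and that each hit printed by dscl -search starts with the record name followed by whitespace. Unlike the one-liners above it uses -p (prompt) rather than -P <password>, so the admin password does not land in ps output or shell history, and it refuses to create a second record when the MAC address is already registered under another name.

```shell
#!/bin/sh
# Added example (not from the forum post): register a Mac in an Open Directory
# node with dscl, skipping the create when the MAC address is already known,
# then add it to an existing computer list. All three names below are
# assumptions; override them in the environment.
NODE="${NODE:-/LDAPv3/127.0.0.1}"   # assumed OD master LDAPv3 node
ADMIN="${ADMIN:-diradmin}"          # assumed directory admin short name
LIST="${LIST:-Lab Macs}"            # assumed existing computer list

# Normalize a MAC address to the lower-case, colon-separated form stored in
# macAddress. Accepts AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aa:bb:cc:dd:ee:ff;
# returns 1 (prints nothing) if the input is not 12 hex digits.
norm_mac() {
  hex=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-')
  case "$hex" in
    *[!0-9a-f]*|'') return 1 ;;
  esac
  [ "${#hex}" -eq 12 ] || return 1
  printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# Print the name of the computer record holding this macAddress, or nothing.
# Assumption about the output format: dscl -search prints one hit as
# "<record name><TAB><TAB>macAddress = (" followed by the value lines.
record_for_mac() {
  dscl localhost -search "$NODE/Computers" macAddress "$1" |
    sed -n '1s/[[:space:]].*//p'
}

# register_computer <computer name> <MAC address>
# Step 1: look the MAC up. Step 2: create the record only if it is absent
# (and bail out if the MAC belongs to a differently named record).
# Step 3: merge the name into the computer list; -merge keeps existing members.
register_computer() {
  name=$1
  mac=$(norm_mac "$2") || {
    printf 'malformed MAC address: %s\n' "$2" >&2
    return 1
  }
  existing=$(record_for_mac "$mac")
  if [ -z "$existing" ]; then
    dscl -u "$ADMIN" -p "$NODE" -create "/Computers/$name" macAddress "$mac"
  elif [ "$existing" != "$name" ]; then
    printf '%s is already registered as %s; not creating %s\n' \
      "$mac" "$existing" "$name" >&2
    return 1
  else
    printf '%s already has macAddress %s; skipping create\n' "$name" "$mac" >&2
  fi
  dscl -u "$ADMIN" -p "$NODE" -merge "/ComputerLists/$LIST" apple-computers "$name"
}

# Stand-alone use: sh register.sh <computer name> <MAC address>
if [ $# -eq 2 ]; then
  register_computer "$1" "$2"
elif [ $# -ne 0 ]; then
  echo "usage: $0 <computer name> <MAC address>" >&2
  exit 2
fi
```

Because -p prompts once per dscl invocation, a run asks for the admin password up to twice; that is the price of keeping it off the command line. If you feed this from an asset database (as the poster does with FileMaker), normalizing the MAC first matters: a record stored as AA-BB-CC-DD-EE-FF will never be found by a search for aa:bb:cc:dd:ee:ff, and you end up with duplicate computer records.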
