The macosxhints Forums > Working with OS X > OS Xperiences
Old 05-07-2010, 09:48 AM   #21
wrcooke
Hi all,
We have one Snow Leopard machine on AD at present - thankfully! This machine seems to have the machine account on AD removed after the user logs in. If the user logs back out they cannot log back in again until the machine is re-bound. I see we are not the only ones having this problem! We sync the time on our Macs to the Apple time server, but even if the time was out this should not remove the computer from AD.
None of our 10.5 machines have this problem!
Anyone hear of a fix yet?
Bill
Old 06-09-2010, 05:23 PM   #22
speedmccoy
Quote:
Originally Posted by wrcooke
Hi all,
We have one Snow Leopard machine on AD at present - thankfully! This machine seems to have the machine account on AD removed after the user logs in. If the user logs back out they cannot log back in again until the machine is re-bound. I see we are not the only ones having this problem! We sync the time on our Macs to the Apple time server, but even if the time was out this should not remove the computer from AD.
None of our 10.5 machines have this problem!
Anyone hear of a fix yet?
Bill

Have you patched to 10.6.3?
Old 08-12-2010, 08:04 AM   #23
aldo blanco
Quote:
Originally Posted by wolli
Hi there,

Since I've upgraded to Snow Leopard, I have been wondering about the Directory Services app, with which I was able to quickly set up AD support in Mac OS in previous versions like 10.5, but in 10.6 I can't find the Directory Services app ... it's no more ...
Does anyone have a tip for me ... how can I add the AD support?
I know that there are some changes with Mail and Exchange ... but the problem is ... we're still running a 2003 Exchange, so it won't work; it only works on 2007 Exchange...

Thanks ...

Greetz Wolli

Hi, try this: open System Preferences > Accounts > Login Options > Network Account Server > click on the Join button, and there is Directory Utility.
Old 12-06-2010, 05:05 PM   #24
loftinp
Problem logging in with AD integration

Quote:
Originally Posted by father2a-f
For AD testing purposes, I did an erase and install of 10.6 on a test machine (MBP, 1st gen). Bound it to our AD domain without issue. But, when I tried logging in using my network account, no go (shook off). Green lights for Network Accounts Available and Network Account Server.

id'ing my username from the CLI finds my network identity, and running the following lookup returns the expected results:

Code:
dscl /Active\ Directory/All\ Domains -read /Users/myusername
But, when I try and test my login from that machine using dirt, it's not there. Anyone else seen this? And what replaced dirt I wonder in SL? Thanks in advance.

Hello all!

This is my problem exactly. I have a Snow Leopard MacBook Pro (brand new). I was able to bind it to AD and the computer name shows up in AD, but I can't log in with AD credentials. It just shakes it off. I have tried the following formats for the login name:

domainname\username
domainname.com\username
username@domainname.com
username@domainname
username

None of these will allow me to log in. If I log in with a local account and use Terminal to run the command `kinit username`, I am able to provide my proper password, and it recognizes if I don't provide a proper password. But I cannot log in using an AD user account.

Any suggestions would be GREATLY appreciated!
Old 12-13-2010, 06:30 PM   #25
vinhnguyen69
You should be able to just enter your domain credentials in the format below:

username: username
password: domain password

This format works for me.
Old 12-13-2010, 06:32 PM   #26
vinhnguyen69
Cached Windows domain credential

Does anyone know how to cache the Windows domain credentials, so that you can log in without being on the domain network?
Old 01-11-2011, 02:53 PM   #27
lasmithiii
You need to enable a mobile home account for this user.
Old 01-15-2011, 02:50 PM   #28
JBDynamics
Can't connect Mac Mini Snow Leopard Server to AD

Hello,

I am trying to import my AD into three custom-built Mac Mini Snow Leopard Servers (8GB DDR3-1333, 1x 1TB (7200 RPM), 1x 512GB Corsair RealSSD). Basically, this is a test project to see if I can convert my network to Open Directory and get rid of my loud Windows servers. If I am able to keep most of the functionality I had in Windows, I plan to buy 2x Mac Pro Servers and make them the Domain Masters. However, I am stuck at the Connect to a Directory Server screen in setup. None of my domain accounts will log in to any of the Domain Controllers. All of the accounts I've tried have the highest of permissions, including at least Enterprise Admin, DnsAdmin, and Domain Admin.

Here is what I have tried, however each time I get a "Cannot authenticate to server".

Server: SERVER, SERVER.DOMAIN.NET, server, server.domain.net (also I have tried all 9 DCs with these combinations)
Server Type: Active Directory (Shows up after one login attempt)
Client Computer ID: MACSERVER, macserver
Admin User Name: NETBIOS\Username, DOMAIN.NET\Username, DOMAIN\Username, Username, netbios\username, domain\username, domain.net\username.
Password: The correct password that works on any Windows workstation.

For workstations, I have 2x 17" MacBook Pros 2.66GHz i7's (both 8GB DDR3-1066, one has a 512GB SSD, the other has a 512GB SSD and a 1TB 7200 RPM drive). I have a 27" iMac 16GB DDR3-1333 i7 edition. I have a Windows Workstation with 2x i7-980X procs and 24GB DDR3-2000, and an Asus G72, and a Dell XT2. I will need all of these to authenticate against the Open Directory.


For the Windows server setup: I have a server farm (3 Servers running VMware Infrastructure 4.1) each server is running 3x Windows Server 2008 R2 Data Center. All my VMs are global catalog servers. I run Exchange 2010, Sharepoint 2010, and I have an IIS server farm between the 9 VMs. Each server has a minimum of 2x Quad-core Opteron processors with 64GB RAM, the best being 2x Six-core Opterons with 128GB RAM.

I don't know if this is relevant, but I have LDAP setup as SSL with each Server having a GeoTrust SSL cert. However, LDAPS is not required in order to connect with LDAP. But, simple authentication will not allow a user to bind to LDAP, it needs to be Digest, Windows Integrated, Kerberos, etc.

As for my network, I am running an Extended Star. I have a 5-block of Static IPs from Comcast Business Class and a 100MB/s broadband connection. Internally, I have a Cisco ASA-5520, a Symantec Gateway Security System (SGS-5660), a Cisco SA-520W, a Netgear SRXN3205, and 2x Cisco 24x Gigabit port Managed switch with 2x 10Gigabit add-on NICs. I use the SGS, Cisco ASA, Cisco SA-520W, and the Windows Server Farm as my DNS servers.

The weird thing is I can't find a corresponding error in the Event Viewer on any of my DCs, so I have no idea what's going on with the Windows side. I've checked about every applicable branch in Event Viewer and I don't see anything related.

Should I just decline to connect and import AD in the setup process, and continue setting up Open Directory, and then connect with the Directory.app later on?

Please Help,
Thanks!
Old 01-27-2011, 04:57 PM   #29
ifeatu
AD, Samba, LDAP

Quote:
Originally Posted by JBDynamics
Hello,

I am trying to import my AD into three custom-built Mac Mini Snow Leopard Servers (8GB DDR3-1333, 1x 1TB (7200 RPM), 1x 512GB Corsair RealSSD). Basically, this is a test project to see if I can convert my network to Open Directory and get rid of my loud Windows servers. If I am able to keep most of the functionality I had in Windows, I plan to buy 2x Mac Pro Servers and make them the Domain Masters. However, I am stuck at the Connect to a Directory Server screen in setup. None of my domain accounts will log in to any of the Domain Controllers. All of the accounts I've tried have the highest of permissions, including at least Enterprise Admin, DnsAdmin, and Domain Admin.

Here is what I have tried, however each time I get a "Cannot authenticate to server".

Server: SERVER, SERVER.DOMAIN.NET, server, server.domain.net (also I have tried all 9 DCs with these combinations)
Server Type: Active Directory (Shows up after one login attempt)
Client Computer ID: MACSERVER, macserver
Admin User Name: NETBIOS\Username, DOMAIN.NET\Username, DOMAIN\Username, Username, netbios\username, domain\username, domain.net\username.
Password: The correct password that works on any Windows workstation.

For workstations, I have 2x 17" MacBook Pros 2.66GHz i7's (both 8GB DDR3-1066, one has a 512GB SSD, the other has a 512GB SSD and a 1TB 7200 RPM drive). I have a 27" iMac 16GB DDR3-1333 i7 edition. I have a Windows Workstation with 2x i7-980X procs and 24GB DDR3-2000, and an Asus G72, and a Dell XT2. I will need all of these to authenticate against the Open Directory.


For the Windows server setup: I have a server farm (3 Servers running VMware Infrastructure 4.1) each server is running 3x Windows Server 2008 R2 Data Center. All my VMs are global catalog servers. I run Exchange 2010, Sharepoint 2010, and I have an IIS server farm between the 9 VMs. Each server has a minimum of 2x Quad-core Opteron processors with 64GB RAM, the best being 2x Six-core Opterons with 128GB RAM.

I don't know if this is relevant, but I have LDAP setup as SSL with each Server having a GeoTrust SSL cert. However, LDAPS is not required in order to connect with LDAP. But, simple authentication will not allow a user to bind to LDAP, it needs to be Digest, Windows Integrated, Kerberos, etc.

As for my network, I am running an Extended Star. I have a 5-block of Static IPs from Comcast Business Class and a 100MB/s broadband connection. Internally, I have a Cisco ASA-5520, a Symantec Gateway Security System (SGS-5660), a Cisco SA-520W, a Netgear SRXN3205, and 2x Cisco 24x Gigabit port Managed switch with 2x 10Gigabit add-on NICs. I use the SGS, Cisco ASA, Cisco SA-520W, and the Windows Server Farm as my DNS servers.

The weird thing is I can't find a corresponding error in the Event Viewer on any of my DCs, so I have no idea what's going on with the Windows side. I've checked about every applicable branch in Event Viewer and I don't see anything related.

Should I just decline to connect and import AD in the setup process, and continue setting up Open Directory, and then connect with the Directory.app later on?

Please Help,
Thanks!

Sounds like a DNS issue... be sure your DNS server knows who your AD server is and that you have the DNS server set on your client (LDAP server)... also, to be clear... you're trying to make a Samba/LDAP server into a Secondary Domain Controller and migrate your settings from the Primary (Windows AD), so that in time you can make the Samba/LDAP your primary... right?

Also, I'm getting the "Node Name wasn't found (2000)" error when connecting my Mac to an AD directory and cannot determine why... AD has the computer name, the DNS server is working... but this weird error keeps popping up.
Old 01-28-2011, 09:52 AM   #30
mnosxuser
I am a long-time Mac user, but new to connecting the Mac to AD. I am running OS X 10.6.6.

I have the Mac bound to AD, and it works fine. I can see printers on the network and also connect to NFS devices. My problem is with Windows shares.

I want the Mac to use the Kerberos ticket to automatically connect to a Windows share. When I connect to a share it asks me for authentication info (user/password). I've tried connecting two ways (where the domain is xxx.local):

smb://server/share
smb://server/share.xxx.local

Both ask me for authentication. I was expecting it to authenticate automatically. I'm also trying to figure out how to mount the share automatically at each login. Can't figure that out either (I do know how to do it with NFS).

Thanks in advance
Old 03-07-2011, 07:14 PM   #31
jrronimo
Hi All,

I'm trying to join a 10.6 machine to a Linux-run Samba domain controller, running Samba 3.3.8.

I believe our Samba domain is functioning more like an old-style "PDC" vs. a new-style Active Directory domain.

Is this even possible? At the very least, I might be able to do it via LDAP, but I can't seem to find any good instructions for that...

...sorry if this is the wrong place to be asking.
Old 04-06-2011, 01:16 PM   #32
hume
I might be the only person in the universe with an Active Directory with the ACLs configured in a "default deny" mode... you don't get access to an attribute unless you're explicitly allowed. That said, I think some people might have use for this information.

My Windows boxes had no issues joining the domain, but Snow Leopard was giving me the typical "shake" when logging in. With some SACLs, I was able to determine the attributes that Snow Leopard looks for when logging a user in:

- userPrincipalName
- samAccountName
- loginShell
- jpegPhoto (not essential)
- unixHomeDirectory
- homeDirectory (called "Home Folder" in the Windows Security GUI)
- commonName
- displayName
- mail (E-Mail Address in the GUI)
- objectGuid
- objectSID
- primaryGroupID (not essential)
- printerName (?)

Some others are obvious, the ones the directory would fall apart without: distinguishedName, objectClass, and so on.

Hopefully someone somewhere finds this useful.
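Added example (not code from this thread or from Apple): a small Python script that parses the output of the `dscl "/Active Directory/All Domains" -read /Users/<username>` lookup loftinp posted earlier and reports which of the attributes in hume's list the record lacks. It assumes the AD plugin exposes the LDAP attributes under its `dsAttrTypeNative:` prefix and shows commonName by its LDAP name `cn`; the sample record below is constructed, with two attributes deliberately withheld.

```python
import re

# Attributes hume's post says Snow Leopard reads at login (non-essential ones left out).
REQUIRED_ATTRS = ["userPrincipalName", "samAccountName", "loginShell", "unixHomeDirectory",
                  "homeDirectory", "commonName", "displayName", "mail", "objectGuid", "objectSID"]
ALIASES = {"commonName": "cn"}  # assumption: the AD plugin shows commonName by its LDAP name

# A dscl attribute line: optional dsAttrTypeNative:/dsAttrTypeStandard: prefix, the name,
# a colon, then either space-separated values on the same line or nothing at all.
_ATTR_LINE = re.compile(r"^((?:dsAttrType(?:Native|Standard):)?[\w.\-]+):(?: (.*))?$")


def parse_dscl_read(text):
    """Parse `dscl ... -read` output into {attribute: [values]}: values without spaces
    sit on the key's own line, values containing spaces go one per indented line."""
    attrs, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:   # indented value line
            attrs[current].append(line.strip())
            continue
        m = _ATTR_LINE.match(line)
        if m:
            current = m.group(1)
            attrs[current] = m.group(2).split() if m.group(2) else []
    return attrs


def missing_login_attributes(attrs):
    """Required attributes absent or empty in the record (case-insensitive, prefix ignored)."""
    present = {k.split(":")[-1].lower() for k, v in attrs.items() if v}
    return [a for a in REQUIRED_ATTRS if not {a.lower(), ALIASES.get(a, a).lower()} & present]


# Constructed sample output (not from a real directory); unixHomeDirectory and mail withheld.
SAMPLE = r"""RecordName: jdoe jdoe@example.com
dsAttrTypeNative:cn:
 Jane Doe
dsAttrTypeNative:displayName:
 Jane Doe
dsAttrTypeNative:homeDirectory: \\fileserver\home\jdoe
dsAttrTypeNative:loginShell: /bin/bash
dsAttrTypeNative:objectGUID: 8f0c0f5e-1111-2222-3333-444455556666
dsAttrTypeNative:objectSid: S-1-5-21-1-2-3-1105
dsAttrTypeNative:sAMAccountName: jdoe
dsAttrTypeNative:userPrincipalName: jdoe@example.com
"""

if __name__ == "__main__":
    print("missing:", missing_login_attributes(parse_dscl_read(SAMPLE)))
```

On a bound Mac, pipe the real `dscl` output into `parse_dscl_read` in place of `SAMPLE`; an attribute that comes back missing while the ACL denies it is a candidate cause for the login "shake".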
Old 06-01-2011, 01:37 PM   #33
bsarte
OS X 10.6 Active Directory Question

The person before me had set up the Macs here in Active Directory, and they seem to function well for the most part.

People complain though, because when you boot them up his name comes up to click on for login. Then if you wait a minute, the "Other" icon comes up. They can click on it and login.

I've never seen it done this way before... how can I get rid of his name coming up, so they can just log in with their AD credentials without waiting for the "Other" icon to come up?
Old 06-21-2011, 12:07 AM   #34
roodavis
I'm actually looking for help in the other direction. 10.6.x server with Windoze 7 clients. Need to provide login authentication and home directories on the 10.6.x server to the Win7 clients. We have had this working fine with 10.0.x through 10.5.x servers and WinXP clients. But new iMacs will only dual-boot with Win7. But Win7 doesn't play well with the version of SAMBA provided by Apple. Any suggestions? Is adding an AD/2008 server into the mix a necessary step?
Old 07-22-2011, 11:26 AM   #35
jase0113
Quote:
Originally Posted by roodavis
I'm actually looking for help in the other direction. 10.6.x server with Windoze 7 clients. Need to provide login authentication and home directories on the 10.6.x server to the Win7 clients. We have had this working fine with 10.0.x through 10.5.x servers and WinXP clients. But new iMacs will only dual-boot with Win7. But Win7 doesn't play well with the version of SAMBA provided by Apple. Any suggestions? Is adding an AD/2008 server into the mix a necessary step?

The default Win7 security settings are what's causing your problem here. I've got a similar setup -- Win7 clients connecting to a 10.6.x server. For each Win7 client, do the following:

Open Control Panel / Administrative Tools / Local Security Policy.
Under Security Options, change these settings:

Network security: LAN Manager authentication level
- Set to "Send LM & NTLM responses"

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
- Disable "Require 128-bit encryption"

After you do that, the Win7 clients should be happy.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings but consent to the possible use of their material in other areas of IDG Consumer & SMB.