#201
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
Are your forest and domain on the same server? Also, you state they are linked by the domain contoso.com. On the Mac you actually should use the Win2k3 server AD domain name. Is it different from the one you use with the XP machines for linking?
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users

#202
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
Could you possibly set up something that flushes the cache when the user logs out? (Just suggesting a path of resolution, not sure it can be done that way though.) I find it very odd though that you need to manually update on the server, since even a cached mount should work the second time around as it worked the first time.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users

#203
Registered User
Join Date: May 2006
Posts: 1
hostname change?
I'm running 10.4.6 Server connected to a Win2k3 Server Active Directory environment. I can bind to our domain fine, but occasionally it will magically unbind itself for what seems like no apparent reason. Even stranger, yesterday my system (and another 10.4.6 client system) had its hostname changed to something entirely different. Before, my system was named helpg5.corp.local, but yesterday it changed to randomusernamexp.corp.local. I changed my hostname entry in hostconfig from -AUTOMATIC- to helpg5.corp.local and now it shows up correctly in Server Admin and Terminal, but it is still showing as randomusernamexp.corp.local under Workgroup Manager. Under the account summary of my system admin in Workgroup Manager I have randomusernamexp.corp.local/NetInfo/DefaultLocalNode as my location as well. Is this happening to anybody else? Why, and how can I change it system-wide?
Thanks

#204
Registered User
Join Date: Jun 2006
Posts: 1
Random Active Directory User Lockouts
This is a great forum, wish I had found it a year ago!
I have about 20 Macs on our network, all running Tiger. All Macs have only local accounts, but are bound to AD for Mail, LDAP, network server access, etc. Each user has an AD account in addition to the local one. Once past the initial "adventure" of binding Macs to AD, it has worked well. Until the 10.4.6 update. On 2 of the Macs, the users are getting locked out of their AD accounts at very random intervals. They can go for a day without a lockout, or they can be locked out 5 times in an hour. I've deleted preferences, turned off all of the startup items, even unbound the Macs and disabled LDAP. (Mail still works, just can't look up addresses.) The problem shows up via an error message from Mail, or from Entourage. I can probably fix this by creating a new (local) user account, but really want to avoid that. We're running Exchange 2003, and AD is on Windows Server 2003. The randomness really has me baffled, as I don't feel that I've found anything yet that causes this. Some server logs do seem to indicate a problem with MSUAM, but neither Mac seems to be running this. Any ideas? Thanks!

#205
Registered User
Join Date: Jun 2006
Posts: 1
Perhaps that (delete off the networked share) is exactly what I've done, but my lack of knowledge in the area of user accounts has got me in trouble. I'm posting this in case anyone has any ideas (other than restoring from backup, which I rather lamely forgot to do): I have a G4 running 10.4.6. I set up the Mac to use Active Directory but found out that the main local user account conflicted with the AD account (both had the same name). So I saved copies of all the key files from the main account (most of those were on the desktop) and home folder, then deleted that account and logged in with the AD account. I put all of the key files that had been on the old main account's desktop onto the desktop of the home folder account. Then I deleted the old account. I didn't much like the results (mainly trying to access iTunes and iPhoto files from the old account, which I could not seem to incorporate with the AD account's home folder), so I decided to switch back. I created a new user account with the same name as the old one, and transferred everything back from the deleted account into the new account's home folder (logged in as the root user). Again, the "new" user account had the same name as the AD account, which perhaps was a grave mistake. When I logged back in, I realized that the new local account didn't have the old local account's desktop items (mostly because I'd failed to put them there). Believing that those desktop items would appear if I logged back in with the AD account, I once again got rid of the latest new account and logged back in with the AD account. Logged back in as the AD user: no desktop files were there, and again, those files (several folders of various projects) were important (yes, important enough to back up to our tape drive, but at this point I've violated everything I've ever preached for years about the importance of backups, so I'm feeling pretty silly).
I believe at a certain point I deleted the local backup copy of the key files, so I'm wondering if a disk recovery utility of some sort can find them. Then again, with all of the account switching I've done, perhaps that won't even work. If anyone has any advice (other than don't jump without knowing you've got a parachute), please let me know. Kevin

#206
Triple-A Player
Join Date: Sep 2005
Posts: 68
While Windows will check against the local SAM, joining an NT4-style or Active Directory domain automatically adds "Domain Users" to the local Users group and "Domain Admins" to the local Administrators group. However, in Windows you can easily give a single domain user access to a share -- the Windows box will automatically verify the credentials against Active Directory and not the local SAM. Unfortunately, it looks like OS X breaks that ability, even with SharePoints AFAICT.

#207
Registered User
Join Date: Jun 2006
Posts: 1
I am implementing an AD integration in the Mac world in the company (aargh). I tried different things but I can't seem to become a local administrator although I specified the groups and I am definitely in the groups (I browsed with dscl and I am in the group I specified).
Does anybody have any idea if I need certain permissions, or have any experience with this and tips on what I can look for? I am not a Domain or Enterprise administrator due to policies. The clients are 10.3.9 with a W2k3 AD implementation, but I have the same problem on a 10.4.6. I can log in correctly, and mounting a directory seems to work with a workaround on the AD side (not Mac OS's fault; they are using a non-standard way of mounting SMB directories). Evi

#208
Moderator
Join Date: Jan 2002
Posts: 10,677
In Tiger at least..
What I did was create a group in AD for Mac admins, and then in the AD plug-in in Directory Access under the Administrative tab, I add that group to the "Allow administration by" list (and of course, check that checkbox).

#209
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
Very simply... OS X doesn't understand AD GPOs and user policies, as ACLs and ACEs on AD do not follow ACL standards (who would have guessed this from MS, huh!), so the Mac, even though it can understand ACLs from OD servers, cannot understand the AD ones. You'd have to get third-party software such as the new DirectControl software, which allows Macs to properly read AD ACLs and GPOs.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users

#210
Prospect
Join Date: Jun 2006
Posts: 3
AD mobile account log in problem
I have several Apple laptops (PowerBooks and MacBooks) running 10.4.6 bound to my company's Active Directory running on a Windows 2000 domain controller. The "Create mobile account at login" option in the AD plugin of Directory Access is checked, network users have logged in and their credentials have been cached. Our domain controller is behind a firewall and runs a subdomain which is only accessible in the building or via a VPN connection.
When I log into any of the laptops with a valid network account while connected to the company's network, the log in works. If I turn off AirPort and unplug the Ethernet cable, the log in works. So at this point logging in works either when connected to the company's network or when all network interfaces have no connectivity. The fact that logging in works with all network interfaces down tells me that the caching of the network account is okay. Now here's the problem. If I'm connected to an external network (i.e. cable modem, DSL, etc.), either wirelessly or wired, it takes anywhere from 2 to 10 minutes to log in. If the connection is wireless I have to turn off the wireless router for the log in to work. If the connection is wired I have to unplug the Ethernet cable for the log in to work (this is of course assuming that AirPort is disabled, because if it hasn't been I have to turn off the wireless router as mentioned previously). I've played around with the different settings in Directory Access with no success. Has anyone seen this problem before, and if so, have suggestions as to how to fix it?

#211
Moderator
Join Date: Jan 2002
Posts: 10,677
This is a normal and unfortunate limitation in this version's AD plug-in. It's timing out while waiting to try and contact and mount the user's specified home directory in the AD profile. So far I've just had to tell my users that they have to 'deal' with it. As an emergency measure, I'm creating a local user with rights to the local cached user's home directory for login and access to needed data.

#212
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
This happens even without using the mobile account. The moment you're bound to AD and trying to log in with an AD user, it will try to contact the AD server and time out. Unfortunately it's also not possible to change the timeout period for this. What I do personally is, unless I need to connect via AirPort, I turn it off and simply boot the computer before plugging the computer into a wired jack... Though it would be possible, if you have a router at home that supports VPN, to have the router do the auto-connection to the ISP and to the VPN... Then, since you'd be on the network, having the cable plugged in doesn't make the machine time out... But I think that's probably beyond what the average user can or will do.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users

#213
Prospect
Join Date: Jun 2006
Posts: 3
Thanks for the replies yellow and Raven.
I had a feeling it was a timeout issue when trying to contact the AD server. Seems like with this problem, binding *Books (or any Macs that will not have direct access to the AD server) to an AD is pretty useless. Has anyone filed a bug with Apple regarding this issue? I mean, doing what you two have suggested to work around the issue is not what I think should be necessary to get logged in.

#214
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
People have been sending reports to Apple about their AD plug-in since Panther got it, and not even all the issues that were in Panther have been fixed yet, or at least not to most people's liking. Most of us are crossing our fingers for Leopard... and at least hope it has a more recent Samba client too, because the old one on Tiger now is outdated and missing many good features the new versions have.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users

#215
Prospect
Join Date: Jun 2006
Posts: 3
I guess we'll wait and see. Here's to hoping.
One other question while I have your attention. I'm going to switch to local accounts as a temporary solution. I want to delete the home folder in /Users that was created after the network user logged in. Since the network user doesn't show up in the Accounts preference pane, what's the best way to delete the user? I see in NetInfo Manager an entry for the user. Is it safe to delete this entry and then delete their home directory? Thanks again for your help with this.

#216
Triple-A Player
Join Date: Sep 2005
Posts: 68
That has very little to do with the problem of Windows machines not being able to attach to Mac shares, as you can easily add Domain Admins, etc. to the share list. ACLs also have nothing to do with it (again, same reasoning). The Mac would be the one verifying that the SID requesting the resource was valid if a Windows machine was attempting to connect to a share on the Mac. We know that Macs can verify the SIDs of users logging in locally and give proper file permissions based on that logon (e.g. I can keep a specific AD group or user out of /Applications based on file permissions, if I wanted to). Since this isn't a problem on Linux or FreeBSD with Samba, for some reason Apple has chosen to prevent domain-joined Macs from having accessible SMB file shares on them.
The POSIX drafts for ACLs (.1e and .2c) were withdrawn and there is no set "standard" for ACLs from POSIX, even though some refer to a certain set of ACLs as "POSIX ACLs".
By the way, the addition of Domain Users to Users and Domain Admins to Admins isn't enforced by Group Policy.
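The post above describes the decision a domain-joined file server has to make for every incoming request: is the SID a principal of my own domain, a BUILTIN alias, or something from a foreign domain, and which local group does the domain join map it to? The following is an added example (written for this thread, not code from Apple, Microsoft or Samba) of that check. The domain SID is a constructed value; the RIDs 512 (Domain Admins), 513 (Domain Users), 544 (BUILTIN\Administrators) and 545 (BUILTIN\Users) are fixed Windows constants.

```python
"""Validate a Windows SID against the machine's joined domain.

Added example, not from the thread. DOMAIN_SID is constructed; the RID
tables hold the well-known values Windows assigns.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed domain SID, standing in for the one a joined machine stores.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Well-known RIDs that every AD domain assigns under its own domain SID.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
}

# Local aliases live under the BUILTIN authority S-1-5-32.
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests"}

# The mapping the domain join applies: Domain Users -> Users, Domain Admins -> Administrators.
DEFAULT_JOIN_MAPPING = {513: 545, 512: 544}

# S-1-<authority>-<sub>-<sub>...; at least one sub-authority is required.
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    authority: int
    subauthorities: Tuple[int, ...]

    @property
    def rid(self) -> int:
        # The last sub-authority is the relative identifier.
        return self.subauthorities[-1]

    @property
    def full(self) -> Tuple[int, ...]:
        return (self.authority,) + self.subauthorities

    @property
    def domain_prefix(self) -> Tuple[int, ...]:
        # Everything except the RID identifies the issuing domain.
        return (self.authority,) + self.subauthorities[:-1]


def parse_sid(text: str) -> Sid:
    """Parse the textual SID form; reject anything that is not S-1-auth-sub[-sub...]."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    authority = int(m.group(1))
    subs = tuple(int(p) for p in m.group(2).split("-") if p)
    return Sid(authority, subs)


def classify(sid_text: str, domain_sid_text: str = DOMAIN_SID) -> str:
    """Name the principal if it is BUILTIN or from our domain; flag foreign SIDs."""
    sid = parse_sid(sid_text)
    domain = parse_sid(domain_sid_text)
    if sid.authority == 5 and len(sid.subauthorities) == 2 and sid.subauthorities[0] == 32:
        return "BUILTIN\\" + BUILTIN_ALIASES.get(sid.rid, f"alias {sid.rid}")
    if sid.domain_prefix == domain.full:
        return WELL_KNOWN_DOMAIN_RIDS.get(sid.rid, f"domain principal RID {sid.rid}")
    # Same shape as a domain SID but a different issuer: never trust it for local mapping.
    return "foreign domain principal"


def local_group_for(sid_text: str, domain_sid_text: str = DOMAIN_SID) -> Optional[str]:
    """Return the local group the join grants this domain principal, if any."""
    sid = parse_sid(sid_text)
    domain = parse_sid(domain_sid_text)
    if sid.domain_prefix != domain.full:
        return None
    alias_rid = DEFAULT_JOIN_MAPPING.get(sid.rid)
    return BUILTIN_ALIASES[alias_rid] if alias_rid is not None else None


if __name__ == "__main__":
    for s in (DOMAIN_SID + "-513", DOMAIN_SID + "-512", "S-1-5-32-544", "S-1-5-21-9-9-9-513"):
        print(s, "->", classify(s), "| local group:", local_group_for(s))
```

The point of the `domain_prefix` comparison is the one the post makes: a server must check that the SID was issued by the domain it is joined to, not merely that it ends in 513, otherwise any domain's "Domain Users" would land in the local Users group.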

#217
Moderator
Join Date: Jan 2002
Posts: 10,677
I would like to state for the record that AD, BootCamp, and Parallels all work EXCELLENTLY together, should anyone wonder.

#218
Registered User
Join Date: Aug 2006
Posts: 1
Hello, I am happy to have found a thread like this, because I've been searching for the whole week for this to work.
Here is my setup scenario: We've got a new lab (our first one) with Mac OS X 10.4.7 installed on them. We would like to get these Macs authenticated with the AD and automount their user "home directory" specified in their account. So far I've been able to successfully bind the Macs and authenticate with my users. Now my problems are: Can't mount the homedir. The property is specified, there is no DFS. The property is set with "\\servername\share$\username". So far I've tried Even worse, when I log in with a simple user, the user can log on. But if I try with my super domain admin account, it says that it can't log in because the homedir is located on an SMB or AFP server... So here is what I did so far.
On the Windows server side:
- Created a brand new OU for my Macs
- Generated a computer account for all my Macs when binding them to AD
- Populated the homedir property for my users (works in Windows)
On the client side:
- In Directory Access in the Utilities folder, the AD plugin is activated
- In the Authentication tab, removed the "All Domains" entry (we are a child domain) and then added my domain
- In the Contacts tab, did the same thing as above
- In the AD plugin configuration, in the advanced config, selected the 3rd option, which is "use UNC path from Active Directory", and selected SMB
- In the Mappings tab, nothing has been configured
- In the Administrative tab, unchecked the use of all domains
- In the SMB/CIFS plugin configuration, modified the workgroup name to my short domain name
Now what's wrong? Thanks!

#219
Prospect
Join Date: Aug 2006
Posts: 2
Hello - I'm a PC tech who suddenly finds himself responsible for supporting Mac users - I need a little help. We have our Macs (version 10.4.x) bound to our AD domain. A user's password expired, forcing her to change it. Since then, she is getting locked out on a continual basis. I have reset her AD password back to the original, but she still continues to get locked out. Some reading I have done points to removing all keychain passwords, or there was a post early in this forum that seemed to be the Mac equivalent of creating a new user profile. Can someone confirm if one of these methods will solve the problem, and maybe post a link to step-by-step instructions? Any help would be most appreciated.

#220
Prospect
Join Date: Aug 2006
Posts: 2
OK Let me set the stage...
We are part of a 2003 AD forest. The root is 2T.local; our FQDN for our local domain is GJ.2T.local. When we attempt to bind an OS X system to the domain it flows fine through 4 of the 5 steps:
1. Searching for Forest/Domain information
2. Finding nearest Domain controllers
3. Verifying credentials
4. Searching for existing computer
When it gets to step 5 of the process we get the following error:
5. Binding computer to Domain
Error: The container you specified for the computer does not exist. Please verify the container information and try again.
I am using the default container of CN=Computers,DC=gj,DC=2t,DC=local and I am able to create new systems in that container in the Windows environment with no problems. The only thing I can think of as being any kind of problem is when I open Directory Access, my Active Directory Forest: field states Automatic and I cannot change it. Is there anyone who can help with this? I am not able to find any kind of logs to go with this error to give me any more detail as to what is happening.
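Two of the AD-side values the Tiger plug-in consumes show up in this thread: the homeDirectory UNC path from #218 ("\\servername\share$\username", mounted over SMB when "use UNC path from Active Directory" is selected) and the computer container DN from #220 (CN=Computers,DC=gj,DC=2t,DC=local for the child domain GJ.2T.local under the forest root 2T.local). The code below is an added example, written for this thread and not part of any Apple tool, that parses both values and checks them the way an admin would before blaming the plug-in: the UNC path must name a server and a share, and the DC components of the container must spell the domain being bound to rather than the forest root. The server and user names in the test values are constructed.

```python
"""Sanity-check the AD attributes a Mac AD plug-in consumes.

Added example, not from the thread. Server/user names are constructed;
the domain names GJ.2T.local and 2T.local are the ones quoted in the post.
"""
import re
from typing import Dict, List, Tuple


def parse_unc(path: str) -> Dict[str, object]:
    r"""Split \\server\share[\sub\path] into its parts; reject anything else."""
    if not path.startswith("\\\\"):
        raise ValueError("UNC path must start with \\\\")
    parts = path[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("UNC path needs at least \\\\server\\share")
    return {
        "server": parts[0],
        "share": parts[1],
        # A trailing $ marks an administrative/hidden share, as in the post's share$.
        "hidden_share": parts[1].endswith("$"),
        "subpath": [p for p in parts[2:] if p],
    }


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDNs, honouring escaped commas."""
    rdns = re.split(r"(?<!\\),", dn)
    out = []
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not sep or not attr.strip() or not val.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().upper(), val.strip()))
    return out


def default_computers_container(domain_fqdn: str) -> str:
    """Build the default CN=Computers container DN for a domain name."""
    return "CN=Computers," + ",".join(f"DC={label}" for label in domain_fqdn.split("."))


def dn_domain(container_dn: str) -> str:
    """Recover the domain FQDN spelled by a DN's DC components (case-folded)."""
    return ".".join(v.lower() for a, v in parse_dn(container_dn) if a == "DC")


def container_matches_domain(container_dn: str, domain_fqdn: str) -> bool:
    """True when the DC components name exactly the domain being bound to."""
    return dn_domain(container_dn) == domain_fqdn.lower()


if __name__ == "__main__":
    # Values from the thread: child domain GJ.2T.local, forest root 2T.local.
    print(default_computers_container("GJ.2T.local"))
    print(container_matches_domain("CN=Computers,DC=gj,DC=2t,DC=local", "GJ.2T.local"))
    print(container_matches_domain("CN=Computers,DC=2t,DC=local", "GJ.2T.local"))
    # Constructed homeDirectory value in the shape the post describes.
    print(parse_unc("\\\\fileserver\\home$\\jdoe"))
```

For the #220 case the check passes, which is consistent with the poster's observation that the DN is fine on the Windows side; what remains is the forest field the plug-in fills in itself, and that is not something this script can see. The DN check still pays for itself whenever a container copied from the forest root is pasted into a child-domain bind.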