#21
Prospect
Join Date: Jul 2005
Posts: 9
This is a great thread.
What does the Create Mobile Account option do in the AD connector? Here is the situation I am working on. I want to use the built-in tools to lock down the OS X box. Have users log in with their Windows username/password to the Macs and get a standard-looking desktop with restrictions. Basically I need a default profile like in XP. Another question: under Accounts, Login Items, how can I make all users connect to the same resources? Thanks, Lance
#22
Triple-A Player
Join Date: Jun 2005
Location: Westchester, NY
Posts: 105
I'm just curious as to what locked my account, as it was fine when I logged into the domain. I seem to have solved the printing problem, for now. I've just tried it logged in locally to the G4, not logged into the domain. Users have to be authenticated to use the printers. I took a look at the logs and noticed that when my Mac tried to print it would get denied. A closer look showed it was passing the username wrong: say my username is homers and the domain was nuclear, it was passing it as nuclearNTLMchomers. Weird. So I tried something else: when selecting the print server and then the printer from "more printers", I authenticated with just my username and password instead of the domain\username & password as I normally did. Bingo, no more error messages and I print fine. I'm guessing the Mac passes the domain name independently of the username, unlike a Windows PC? Still, choosing a printer off the initial list doesn't work, and it never asks me for authentication. Also it says "Open Directory"; is that really a list from AD or LDAP? Off to try this logged into the domain...
#23
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
When it states that it's Open Directory, it means that it looks at all services in Directory Access. So Rendezvous/Bonjour, LDAP, AD, etc. printers will show up if they are detected on the local network or on the AD or LDAP list. At least that's what I understand from this. As for the printers and authentication, our users are only allowed to use the printers while bound to the network, or via IP printing (no logon for some printers, but then they are limited to print requests from the local subnet), so we never ran into the authentication issue. But it's nice to know though.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#24
Registered User
Join Date: Jul 2005
Posts: 1
Hi all,
Some very interesting reading in this thread. Generally all my 10.3.9 machines have bound and work perfectly in the AD domain, BUT I've just installed 3 10.4.2 Macs into the domain. They bind fine and Entourage syncs with the Exchange server, but when we bring up an AFP sharepoint from our Xserve/Xraid the 3 users in question can copy files/folders from the server without issue, but when they try to copy back we get the "insufficient privileges" dialogue box. Now the strange thing is they can copy single files, i.e. one by one, across, but as soon as they try to copy either multiple files or folders the dialogue box pops up. Any ideas? Don't particularly wanna roll them back to 10.3.9. BTW it's machine specific: any user who logs into it has the same problem, yet when we log in from the 10.3.9 machine it doesn't exhibit that behaviour, nor does the 10.4.1 install that I have. Thanks in advance.
#25
Prospect
Join Date: Oct 2004
Location: NM, USA
Posts: 3
Thanks for all the great information in the thread thus far, I'm impressed with the quality of the posts here.
I am pleased with the ease of adding my Mac 10.4.2 machine to our AD domain and authentication seems to work great. However, I have an issue if I specify my home directory for my user account in AD. With a valid home directory specified in AD (\\server\share), attempts to login to my Mac fail with the error:
In Directory Access.app, in the configuration under User Experience, I have selected "Use UNC path from Active Directory to derive network home location" with SMB: as the network protocol to be used. Perhaps I misunderstand this, but what I'd like to do is have my Windows home directory mount and map as my home directory on the Mac when I authenticate via AD. Am I missing something obvious here? Any suggestions are greatly appreciated.
#26
Registered User
Join Date: Aug 2005
Posts: 1
Binding to AD Problem
I am using Mac OS X 10.4.2 and have a bit of a problem binding to my Active Directory domain.
When I specify my domain, click on the Bind button and specify my username and password for the domain, it tells me that I have specified an incorrect domain and to use the fully qualified domain name of the domain, which I have: "littlemore.home". I am running a Windows 2K server (SP2) and have read that you all have had no problems. I am using the AirPort card in my iBook to link to the domain; there is no communication error, as I can view my local intranet pages on the server. Can any of you provide me with any assistance on this problem please? Thank you in advance, Paul Littlemore
#27
Prospect
Join Date: Oct 2004
Location: NM, USA
Posts: 3
Paul, a couple of questions for you and a couple ideas:
#28
Prospect
Join Date: Oct 2004
Location: NM, USA
Posts: 3
I found out what was going on. The path being used in AD for my home directory is a DFS path and Mac OS X doesn't understand DFS paths. I found the path to the actual server my home directory share resides on and used that instead. (must use FQDN!) Bingo! Apparently ADmitMac by Thursby adds DFS support to Mac OS X but it's costly ($119) and not compatible with Tiger *yet*. There is a beta out for current customers. But now I have another problem. I can only successfully authenticate and login using AD credentials if I have the "Force local home directory on startup disk" option selected in the Active Directory advanced configuration settings in Directory Access.app. If I deselect that option, I get the spinning beach ball of death at the login screen and have to force reboot the mac. The system.log file later shows tons of automount[955] and automount[150] errors with "(13) Permission denied" This is strange though because I can mount the home directory manually when logged in otherwise. I'm done for the week though!
#29
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
This is due to the fact that AD still tries to authenticate you even when "roaming", i.e. not connected to the network. Personally, what I've done is split the HD into two partitions and on each did an exactly identical Tiger install. However, I only did the AD bind on Tiger 1, not on Tiger 2, which I configured for home use instead. I also set up the exact same accounts on Tiger 1 and 2... Then I went to NetInfo on Tiger 2 (the secondary partition, not for work) and changed the path for the accounts so they map to their Tiger 1 "alter ego".
With this setup, I still load the same profile and same info. I only skip the annoying AD timeout issues, as even opening the Terminal can take a while at that point, which is really annoying. As for the DFS situation, we ran into it as well here when they decided to activate it. The only 100% sure solution for now is to use the real path and not the DFS one, even if this can create problems if they move the objects to a different location. The other solution would be to be able to install the latest version of Samba on your Tiger installation, as it has DFS support. I haven't successfully done this though, but I was told it is possible and has been done.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
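As an added example, not code from this thread or any of its posters: a small POSIX sh helper that classifies the UNC home path AD hands the Mac, so an admin can flag the two failure modes posts #28 and #29 describe before a user hits the login hang (a domain-based DFS namespace root, which the Tiger client cannot follow, and a short hostname where the FQDN is required). The domain corp.example and all paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify the UNC home path that AD hands
# the Mac, to flag the two failure modes described in posts #28 and #29:
#   - a domain-based DFS namespace root (\\domain\dfsroot\...), which the
#     Mac OS X 10.4 client cannot follow, and
#   - a short hostname instead of the FQDN the poster found was required.
# The domain corp.example and every path below are constructed samples.

# classify_unc '\\host\share\path' domain
# Prints one of: not-unc, dfs-domain-root, short-hostname, direct-fqdn
classify_unc() {
    path=$1
    domain=$2
    case "$path" in
        \\\\*) ;;                         # must start with \\
        *) echo not-unc; return ;;
    esac
    rest=${path#\\\\}                     # drop the leading \\
    host=${rest%%\\*}                     # first component is the host
    share=${rest#*\\}                     # remainder after the host
    if [ -z "$host" ] || [ "$share" = "$rest" ]; then
        echo not-unc; return              # empty host or no share component
    fi
    lhost=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    ldomain=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
    # A domain-based DFS namespace is addressed by the domain name itself,
    # so a host equal to the domain means the client would need DFS referrals.
    if [ "$lhost" = "$ldomain" ]; then
        echo dfs-domain-root; return
    fi
    case "$host" in
        *.*) echo direct-fqdn ;;          # real file server, fully qualified
        *)   echo short-hostname ;;       # post #28: "must use FQDN!"
    esac
}

# Constructed sample paths run through the classifier.
for p in '\\corp.example\dfsroot\users\alice' \
         '\\fs01.corp.example\users\alice' \
         '\\fs01\users\alice' \
         '/Users/alice'; do
    printf '%-42s %s\n' "$p" "$(classify_unc "$p" corp.example)"
done
```

Feed it the UNC path from the user's AD home directory attribute; a dfs-domain-root result means the real server's FQDN has to be substituted, as post #28 did.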
#30
Prospect
Join Date: Aug 2005
Posts: 2
AD weirdness
I guess this is sort of on topic. I have managed to get my PowerBook to bind to AD; however, I can't figure out how to get my home directory to automap. Is there a tick box I am missing?
Thanks
#31
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
Are you sure that your home folder is properly mapped for your user name in the AD tree? Make sure of that first... Also, are you using 10.3 or 10.4?
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#32
Prospect
Join Date: Aug 2005
Posts: 2
Hi, thanks for the reply.
I am using 10.4.2, and I know it works as I can log in to a Wintel machine and it maps with no problem. When I first logged in to my PB with a domain account after setting up AD access there was some keychain weirdness (à la many messages about being unable to open), but I saw my home directory. I granted the AD account admin rights and logged out and back in. The keychain messages are gone, but I lost my home directory. So something went strange, I just have no idea what. Thanks, Sean
#33
Prospect
Join Date: Oct 2004
Location: manchester, U.K.
Posts: 10
Active Directory setup for beginners
Hello,
This is the thread I have been waiting for. I have about sixty users using OS X 3.9, all with local home folders. I am now trying to link this with AD. I have set up my Mac in this way: set up a test user account on AD; set up Directory Access with the AD plugin with the computer name as test user, domain name and forest name as my domain.com; switched off multiple domain authentication; typed in the correct OU and DC group and authenticated this with the AD network admin name and password; then added the AD domain into the Authentication and Contacts tabs in Directory Access. This binds okay, and when logged out and back in again as test user everything is fine. I can get to servers using AFP and, having switched AppleTalk on in Directory Access, can get to other Macs. The only problem at the moment is that I am having to use clear text passwords to log onto servers, which network admin don't like, but hey, it works. I assumed that once I logged onto the Mac using the test user account I wouldn't have to keep logging in to the servers, as I have checked the Kerberos config and have been granted a ticket, so I can't understand this. Any help would be gratefully accepted.
#34
Prospect
Join Date: Aug 2005
Posts: 2
AD/DFS/Network User Restrictions
I'm the sysadmin/network/whipping boy for a school district. We've got a number of 10.4 machines and they connected to AD perfectly. I have the same problem with DFS shares. I'm fairly new to Mac, but have been using Unix/Linux for years. Is there anything special I need to know to install the latest Samba? I'd love to get the DFS support. Also, does anyone know if I can restrict networked users from using certain applications? If not, maybe I can just remove them? Thanks! Sean
#35
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
As I stated in that earlier post, it's supposed to be possible to install the latest version from samba.org, which normally works with Darwin amongst other things, but I always ran into issues such as it couldn't find some libs even though I had them, or after that asking for libs I couldn't find for OS X... Even with the help of people at bsdforums.org I got stuck... However, since I don't have a strong UNIX background, maybe the issues I ran into were just because I don't know Unix well enough... Maybe if you do a search at bsdforums and see where I got stuck (search for Samba and OS X) you'll figure out something... If you do, I hope you'll be nice enough to share it with us here.
As for limiting access to specific applications, that is a bit more complicated, as by default only the most basic accounts can be limited to apps, and users who log in from the network have standard accounts, so no application restrictions. I think it would be possible to limit their access if you had an OS X Server machine as a bridge between AD and the Macs, so they are managed by the OS X machine as well as by AD. Otherwise, you can simply put all the apps other users should not have access to in an Applications folder within your own user account (if you're the only one that is supposed to use those). The apps would work in most cases and other users would not have access to them.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#36
Prospect
Join Date: Aug 2005
Posts: 2
Thanks!
Thanks for the reply, and yes, if I do get the latest Samba working I will let you know.
Now then... can you point me in the direction of some man files or documents on how to get OS X to work through an OS X server and AD? Thanks again!
#37
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
Here are a few refs:
http://www.afp548.com/filemgmt_data/files/AD-OD.pdf
http://www.macwindows.com/AD.html
Even Apple has some info on this in their Pro section: http://www.apple.com/itpro/articles/adintegration/
Hope this helps... In my case I'm waiting for the result of discussions between my workplace and Apple to see if I'll get an OS X Server machine to try integration with.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#38
Prospect
Join Date: Aug 2005
Posts: 7
I love this thread too...
So enlighten me... what the heck is DFS? And what does DFS mean... :P Gilberto
#40
Prospect
Join Date: Oct 2004
Location: manchester, U.K.
Posts: 10
Authentication
Does anybody have any answers to the Kerberos question at the end of this thread?