#61

Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
How is the path to the user's home folder specified in AD? Is it added as a home folder path in the User Object?
Also, in the Directory Access AD plugin, is "Force local Home.." checked?
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users

#62

Prospect
Join Date: Oct 2005
Posts: 2
I'm attaching an iMac G5 to the office Windows 2003 domain for a test. The iMac has OS X 10.4.2, nothing else significant.
I can authenticate and log in (network profile or forced local), but regardless, about 2-3 minutes after login, no new programs will launch. I can continue using any applications that are currently running (as long as they don't call a helper app), but launching a process (incl. a new tab in iTerm) or clicking on the Apple menu will lock the whole thing up. The logs show different errors depending on what services I have on, but I presently have Active Directory, Bonjour, SLP, and SMB/CIFS on and configured in Directory Access, and the firewall is off. This is driving me nuts, and I don't really want to pay Apple Enterprise Support $250 to fix something that should work -- that way lies MadnesS. (It's a pun. Get it?)
Thanks, Kevin

#63

Moderator
Join Date: Jan 2002
Posts: 10,677
This is highly unusual... and if you take it out of the AD domain, you don't have the problem?

#64

Prospect
Join Date: Jul 2005
Posts: 9
I have been working on getting a lab of 30 eMacs to use the current Windows 200 domain controller, usernames and home directories.
I can authenticate against the AD server now, but some users get an error on login: "Error, can not connect. Home folder for the user account is located on an AFP or SMB server". No kidding! That is what I want. Another issue I am having is that some accounts, when they log in, have no network home folder, just a local folder, so they save their work then lose it when they log off. Any ideas on how to troubleshoot these strange problems? I do not see anything obvious in the Windows event logs. Can I turn up the logging somewhere to see why these accounts are failing on the OS X machines?

#65

Prospect
Join Date: Oct 2005
Posts: 29
same boat
Lancepr,
I don't have an answer for you but am in a similar situation. I'm getting ready (hopefully in the next few days) to add 25 eMacs in a W2Kserver world running AD. I'm still working on the Windows side, but just this morning, for fun, I tried to bind the eMac to the AD and it failed. I have done nothing yet but read through most of what I've found here. I'm a self-taught sys admin; I know precious little, but there is no one else, so I'm the guy, just a teacher volunteering to do what otherwise wouldn't get done.

#66

Triple-A Player
Join Date: Nov 2004
Posts: 113
My problem is odd...
I can only bind one Mac at a time to the domain with my user account, but I can join as many PCs as I feel like. I don't get it.

#67

Prospect
Join Date: Sep 2005
Posts: 4
Hi Raven,
Thanks for your reply. I tried as you suggested: "it's best to create the Computer Object in AD first, then match your local Computer name to that. Also, when you try to bind, you need to use AD credentials that have access to the Computer object that was created for your machine." (I had done that before and it didn't make any difference.) But I still cannot get the Mac machine to bind to the AD. Any other suggestions? Anyone?

#68

Prospect
Join Date: Jul 2005
Posts: 9
twm1010,
When you add the Mac to your AD, make sure to give each Mac a unique name in the AD plugin in Directory Services.

#69

Prospect
Join Date: Jul 2005
Posts: 9
jvandyke,
I do not have any problems binding to AD, I just have problems with the home folders. When you are logged into your Mac, can you connect to your DC? Go | Connect to Server | smb://servername

#70

Registered User
Join Date: Oct 2005
Location: Vermont
Posts: 1
I looked but was unable to identify what you were referring to, but it sounds like my issue. I'm at a predominantly PC university and am sole support for about 50 Macs. I first touched a Mac about 3 months ago. I have successfully moved Panther and Tiger machines to AD and I believe with what I have read in this forum I will be able to work out the issues that need tweaking, so thanks for that, but I am now working on figuring out why a mobile AD account will suddenly not allow the user to log in. This has happened twice in the last week on two different G4 PowerBooks. Both have OS 10.4.2. The first laptop for some reason started working again (after a nightmarish time for the user 2500 miles away from support) once it was back on campus, although I was still able to experience the problem for myself before it righted itself somehow. The second time was with my Mac prototype. The only way I was able to get the user account working again was to unbind the laptop from AD, then bind it again. I actually deleted the account via root and attempted to re-log in to the network using the same account information and was still refused. Unbinding and binding again was what got me back. It should be noted I was the user and I have domain privs, which is what I successfully used to unbind and rebind, even though I was not able to log in to the machine with the same user information. I know I may not be giving enough info, but if this sounds familiar, I would appreciate even a verification that my waffled forehead is not in vain.
Last edited by thom; 10-06-2005 at 11:41 AM. Reason: Clarification after re-reading original submission

#71

Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
One question on dv64villa's post: when you bound the machine to AD, did you specify the complete Organizational Unit (OU) path and Computer Name (CN) when prompted for the login? Not specifying this will bind the Mac to a default on the main tree and not to the proper Computer Object for some reason...
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users

#72

Prospect
Join Date: Oct 2005
Posts: 5
My 10.4.2 server keeps freezing. I have it connected to an AD server and it is also an OD master. For some reason it keeps freezing up and none of my share points work. I have to reboot the server to get things to work again. Is anyone else having the problem?
Thanks

#73

Prospect
Join Date: Oct 2005
Posts: 2
Home Sync Error - Using Mobile Accounts
Hello
In the past 3 months we have deployed 20 new iBooks preloaded with Tiger on them. We configured them to log on to our Win 2003 AD domain and we set them up to use mobile accounts. The goal is to keep everything on the server but still have it available offsite when people want to work at home and are not connected to our network. I have had no issues with this at all for a long time; now I have an issue on 3 of the 20 laptops. I get home sync errors. It usually starts out with a large number of errors and then the number goes down as you try to sync again. Then the number goes back up. I have looked into permissions; they all seem to be fine. I have even set them to full access for all. Does anyone have a clue as to what is going on? It is becoming a large issue for us. Here is a screenshot of the error (hopefully it comes through):
Thank you in advance

#74

Moderator
Join Date: Jan 2002
Posts: 10,677
Yes. Whenever I see this, there are files with illegal characters in their filename; in your case, contained within that folder. The other errors might point you at those particular files. If a file has \ | / ? " : * < or > in the file name, you will get a sync error. Those sync error messages will point you at the errant file (more often than not) and a simple change to the file name will fix the issue. There's no magical way to keep this from happening. Your best bet is constant user education until they all "get it".

#75

Registered User
Join Date: Oct 2005
Posts: 1
A few notes
I have been binding many different Macs to AD 2003 and have found the following issues....

AD authentication suddenly quits: Check the clock. If it's an old Mac and the time is off, AD login will quit working until you log in local and reset the time. Common on laptops.

If the home folder doesn't mount, edit the security policy on the AD server... here are my notes: Go under Administrative Tools and click Domain Controller Policy..... Under Security Options, change the two listed in the right hand pane:
LDAP Server signing policies = None
Digitally encrypt or sign…. = Disabled
Also have had to do this on all AD servers: Change this Reg Key on the 2003 Server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
The value of RequireSecuritySignature needs to be changed from '1' to '0'.

Sync Errors: If you use Entourage, delete the contents of this folder:
Macintosh HD/Users/username/Documents/Microsoft User Data/Entourage Script Menu Items/
The files in these folders have slashes in the name; if they make it to the home folder, Windows freaks out when you try to delete them locally on the server.

Hope this helps.
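The two posts above (#74's list of characters Windows refuses in a file name, and #75's Entourage script folder whose names contain slashes) describe the same failure: a mobile-account home sync dies on names the SMB server will not accept. The script below is an added example written for this thread, not code from any poster or from Apple or Microsoft. It walks a home folder and reports every file or folder name that would fail on a Windows share, so an admin can find the offenders before the sync does. Two things it relies on that the thread only implies: on HFS+ a "/" typed in the Finder is stored as ":" in the POSIX name, which is why Entourage's script names trip the rule, and Windows also rejects device names (CON, PRN, COM1, ...) and names ending in a space or dot, which is a small extension beyond the thread's character list. The sample folder and file names in demo() are constructed, not real Entourage files.

```python
import os
import shutil
import tempfile

# Characters an NTFS/SMB server refuses in a file name; this is the set post #74 lists.
# '/' can never appear in a POSIX file name, but a Finder '/' is stored on HFS+ as ':',
# which Windows also rejects, so the Entourage script names from post #75 hit this rule.
WINDOWS_ILLEGAL_CHARS = set('\\|/?":*<>')
# Beyond the thread's list (general Windows naming rules): device names, with or
# without an extension, and names ending in a space or dot are rejected too.
WINDOWS_RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                          | {"COM%d" % i for i in range(1, 10)}
                          | {"LPT%d" % i for i in range(1, 10)})


def problems(name):
    """Reasons a single file or folder name would fail to sync to a Windows share ([] if fine)."""
    reasons = []
    bad = sorted(set(name) & WINDOWS_ILLEGAL_CHARS)
    if bad:
        shown = ["':' (a Finder '/')" if c == ":" else repr(c) for c in bad]
        reasons.append("illegal character(s): " + ", ".join(shown))
    if any(ord(c) < 32 for c in name):
        reasons.append("control character")
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    stem = name.split(".")[0].upper()
    if stem in WINDOWS_RESERVED_NAMES:
        reasons.append("reserved device name " + stem)
    return reasons


def scan_tree(root):
    """Walk a home folder and list every name Windows would reject, as (relative path, reasons)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = problems(name)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel, reasons))
    return sorted(hits)


def demo():
    """Constructed sample home folder in a temp dir: one clean file and four bad names."""
    root = tempfile.mkdtemp(prefix="homesync_check_")
    try:
        scripts = os.path.join(root, "Documents", "Microsoft User Data",
                               "Entourage Script Menu Items")
        os.makedirs(scripts)
        # Hypothetical names, not real Entourage files; the first is how a script whose
        # Finder name contains a '/' appears at the POSIX level.
        for name in ("Open Message:1.scpt", "report.txt", "budget?.xls",
                     "notes. ", "CON.txt"):
            open(os.path.join(scripts, name), "w").close()
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Point scan_tree() at a real home folder (e.g. /Users/username) to audit it;
    # demo() runs the check over the constructed sample instead.
    for path, reasons in demo():
        print("%-70s %s" % (path, "; ".join(reasons)))
```

Run it against /Users/username on the Mac before enabling the mobile account, or from a cron job on the server side of the share; every reported path is one the home sync will choke on, and renaming it is the fix the thread recommends.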

#76

Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
Very nice tips. Most of them have been covered elsewhere in different hints and threads, but it's nice to have all of them in one place.
The computer time issue will also happen on Windows and Linux machines if the time is off by more than 5 minutes. It's a known thing, and part of the standard AD config steps include making sure that the time is set properly on the machine before trying to bind it.
The encryption/security issue is one that gave quite a few headaches before people started to figure it out. It causes issues as well even when simply trying to connect via Samba to a share on Win2k3 servers.
The Entourage one is new to me though. Had not thought of this as a possible issue since we don't have users saving their Entourage files to the server, as they are all on Exchange and thus already have server backup.
Another one you may not have encountered: if you have DFS active on your Win2k3 server, Mac users cannot use those paths, as DFS is not supported by the Samba version on OS X (including Tiger). You need to use the full path to the folder or file to be able to connect to it. Here it's causing us a headache as the home folder location is specified with the DFS path (since most users are on Windows), so it does mount the home folder, but it's not possible to view or browse its content.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
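Posts #75 and #76 both come back to the clock: a Mac whose time has drifted more than five minutes from the domain controller stops being able to log in. The five-minute figure is the default Kerberos clock-skew tolerance, and a domain controller normally answers NTP on UDP port 123 through the Windows Time service, so the skew can be measured directly against the DC. The following is an added example for this thread, not code from any poster: a minimal SNTP client that sends the request, reads the server's receive and transmit timestamps, computes the offset the RFC 4330 way, and says whether the machine is inside the tolerance. The DC host name is whatever you pass to query_server(); make_sample_reply() builds a constructed server reply so the arithmetic can be checked offline without a network.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300.0     # Kerberos default clock-skew tolerance: five minutes


def unix_to_ntp(t):
    """Split a Unix timestamp into the 32.32 fixed-point NTP (seconds, fraction) pair."""
    secs = int(t)
    frac = int((t - secs) * 2 ** 32)
    return secs + NTP_UNIX_DELTA, frac


def ntp_to_unix(secs, frac):
    """Inverse of unix_to_ntp()."""
    return (secs - NTP_UNIX_DELTA) + frac / 2 ** 32


def build_request(t1):
    """Mode 3 (client) SNTP request; T1 goes in the transmit-timestamp field (bytes 40-47)."""
    pkt = bytearray(48)
    pkt[0] = 0x1B                      # LI=0, VN=3, Mode=3
    pkt[40:48] = struct.pack("!II", *unix_to_ntp(t1))
    return bytes(pkt)


def parse_response(pkt):
    """Return (T1, T2, T3) from a mode 4 (server) reply, as Unix timestamps."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(pkt))
    mode = pkt[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    words = struct.unpack("!12I", pkt[:48])
    t1 = ntp_to_unix(words[6], words[7])    # originate: our T1 echoed back
    t2 = ntp_to_unix(words[8], words[9])    # receive: server clock when the request arrived
    t3 = ntp_to_unix(words[10], words[11])  # transmit: server clock when the reply left
    return t1, t2, t3


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset estimate: how far the server clock is ahead of ours, in seconds."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def skew_report(pkt, t4, max_skew=KERBEROS_MAX_SKEW):
    """Offset for one reply received at local time t4, and whether Kerberos would accept it."""
    t1, t2, t3 = parse_response(pkt)
    offset = clock_offset(t1, t2, t3, t4)
    return {"offset_seconds": offset, "within_tolerance": abs(offset) <= max_skew}


def query_server(host, port=123, timeout=3.0):
    """Live check against a DC or any other NTP server (needs the network; not run offline)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    finally:
        sock.close()
    return skew_report(data, t4)


def make_sample_reply(t1, server_ahead_by):
    """Constructed mode 4 reply from a server whose clock runs `server_ahead_by` seconds ahead."""
    t2 = t1 + server_ahead_by + 0.010   # request arrived 10 ms after we sent it (server clock)
    t3 = t2 + 0.001                     # server spent 1 ms building the reply
    pkt = bytearray(48)
    pkt[0] = 0x24                       # LI=0, VN=4, Mode=4
    pkt[1] = 2                          # stratum 2
    pkt[24:32] = struct.pack("!II", *unix_to_ntp(t1))
    pkt[32:40] = struct.pack("!II", *unix_to_ntp(t2))
    pkt[40:48] = struct.pack("!II", *unix_to_ntp(t3))
    return bytes(pkt)


if __name__ == "__main__":
    t1 = 1130000000.0                   # constructed client send time (October 2005)
    for ahead in (10.0, 400.0):         # 10 s is fine; 400 s breaks AD login
        print(ahead, skew_report(make_sample_reply(t1, ahead), t1 + 0.020))
```

On the Mac itself `ntpdate -q <dc-hostname>` gives the same offset without any code; the script is useful when the check has to run unattended (a login hook or a cron job that warns before the drift reaches five minutes) or when the thing being diagnosed is the laptop that has been off campus for weeks, as in post #70.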

#77

Prospect
Join Date: Oct 2005
Posts: 2
I have run in to that problem as well but, it is not the case with this sync error issue.
I have made a little progress with this issue:
1. Although it gives you all those errors, it actually does copy the files to the server. It says no but means yes.
2. Also I discovered that if I make the person a domain admin it works without error. I'm not sure what that is all about though, because the particular user has full access to his own home folder. I assume there is some other resource that it talks to that is causing the error messages.

#78

Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
If I remember correctly, when you start up and it has this kind of error it will write to the system log for that user. So could you go and check in the Console (in the Utilities folder) and see if anything shows up for the time at which the person logs in, or for when you try to transfer the files and get an error? Post your findings back here as it may help uncover what's the underlying issue.
Also, are you using Tiger or Panther ?
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users

#79

Triple-A Player
Join Date: Sep 2005
Posts: 68
Here are the most restrictive settings I've been able to get away with:

Domain Member
  Domain member: Digitally encrypt secure channel data (when possible) = Enabled
  Domain member: Digitally sign secure channel data (when possible) = Enabled

Interactive Logon
  Interactive logon: Number of previous logons to cache (in case domain controller is not available) = 50 logons

Microsoft Network Client
  Microsoft network client: Digitally sign communications (always) = Disabled
  Microsoft network client: Digitally sign communications (if server agrees) = Disabled
  Microsoft network client: Send unencrypted password to third-party SMB servers = Disabled

Microsoft Network Server
  Microsoft network server: Digitally sign communications (always) = Disabled
  Microsoft network server: Digitally sign communications (if client agrees) = Enabled

Network Access
  Network access: Allow anonymous SID/Name translation = Disabled
  Network access: Do not allow anonymous enumeration of SAM accounts = Enabled
  Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled
  Network access: Let Everyone permissions apply to anonymous users = Disabled
  Network access: Sharing and security model for local accounts = Classic - local users authenticate as themselves

Network Security
  Network security: Do not store LAN Manager hash value on next password change = Enabled
  Network security: LAN Manager authentication level = Send NTLMv2 response only\refuse LM & NTLM
  Network security: LDAP client signing requirements = Require signing

#80

Registered User
Join Date: Oct 2005
Posts: 1
You mentioned earlier that you had changed your computer's name. This may not help with the problems you're having, but is worth a try. Turn file sharing off and then turn it on again, which is necessary after changing the computer's name.