DNS, Open Directory, and wow my head hurts

Similar Messages

• Open Directory and passwords

  Hi, I have come across something really odd someone pointed out to me with Tiger Server, and this is something I've not been able to duplicated on Panther Server, or at least I don't think I have been able to.
  The situation is this: There are three people in my workgroup who have "administrative" privileges for our small server cluster. When logging into one of the servers, it is possible for a person with administrative privileges to log into the server with any user existing user name, and use their own password, or the global administrative password to log into any account. This does seem weird to me. Is there an article somewhere that explains this? I've done a bit of searching, but am not sure on what I am looking for here.
  I am starting to work with Open Directory and LDAP sharing of login information across a series of three servers and am wonder if it might be linked to this, and why/how, etc. Anyone with any good or bad thoughts on this.
  Thanks so much.

  Hi trotter,
  In fact this is a feature called 'masquerading' by Apple which can be very helpful, particularly when when troubleshooting permissions issues on mouted volumes. It allows admins to mount volumes via afp 'as users'.
  It was first implemented for Apple servers back in ASIP 6, and the feature exists in both Panther and Tiger.
  If you don't want this feature you can uncheck Serrver Admin > AFP > Access > Enable Administrator to masquerade... I believe the box is unchecked by default so one of the admins must have checked it.
  IMHO it would also be very useful for admins to be able to have the options to masquerade to user OD/NetInfo accounts also.
  HTH,
  b.

• Open Directory and Mobile Home Folders

  Hi All,
  I am a bit confused about Open Directory and Mobile Accounts! here is our scenario. We have an Open Directory setup and all Accounts are set to mobile, accounts are almost 250+, my main problem is the Synchronization Conflicts, the accounts are automated to sync every 30 mins, the problem is every now and then schronization conflict windows popups, our users are complaining almost everytime, another problem is all of the users home folder has a qouta of 5GB, problem is there are users who excedd on the qouta some goes up to 60GB and 100GB, how do i solve this two problems. i am about to loose my mind. We setup like this in order for us to have a backup of all files of the users in case problem arises in the workstation. i have notice that synching file error comes up if you have temporary files used by any applications. the home folder of each user will exclude library, trash, music and entourage databse. Please Do help me.!!! Anyone who knows..?
  Environment
  OD Server - MacOS X Server Tiger 10.4.4
  Workstations - mix MacOS X Tiger 10.4.4 - 10.4.7
  AFP Home Folder - MacOS X Server Tiger 10.4.6 mounted Xsan Volume for home folders
  johnaris
  PLEASE HELP!

  Thanks for the info, by now i will look into that little utility that is very helpful (console!)
  Yes, I was thinking of synching our users at login and logout, the problem here is that, users here has bigger home folders.. mostly about 3GB, and it will took time to login a user, about 6-10 mins, depends on the network, we have networks users that that has slow networks and fast network on video editing users. What I did is that i excluded the Library in the synch options on each unit here, since we are not using Apple's Mail and iCal, it did minimize the synching error but the temp files and date discripancies are mostly that will generate an error, I am having really problems with this.
  thanks for the info i really appreciate it.

• OXS server 3 with mavericks, it will not load up the assistant with open directory and will not allow me to use old open directory it was not a clean install just upgrade. any help or advise appreciated as i really need the server.

  OXS server 3 with mavericks, it will not load up the assistant with open directory and will not allow me to use old opeopen directory and will not allow me to use old open directory it was not a clean install just upgrade. any help or advise appreciated as i really need the server.

  I wonder if the disk being referred to is actually your iPod which is not plugged in. Maybe something has stuck thinking the iPod should be there.
  Try completely removing all the iTunes related programs according to this method.
  http://support.apple.com/kb/HT1923
  Restart you PC and see if startup improves.
  If it doesn't improve you need to consider the possibility that there is something else going on.
  If The problem goes away, hopefully a fresh install will be OK.

• Terminal Commands to clean Open Directory and Profile Manager

  Hi,
  So I've made the fun decision to move to ML Server as we are just getting services up and we should be on the most recent software to start. I have had interment luck with Open Directory and Profile Manager and was looking for a way to wipe the data bases and start clean.
  I have tried getting to the  ( usr/share/devicemgr/backend and running wipDB.sh. however the database doesnot exist.
  It would be nice to clean the databases and setting instead of doing a full reinstall of MT Lion.
  Thanks!
  ~FSU IT

  So just found the fix for Profile Manger.
  http://support.apple.com/kb/HT5349
  Thanks to this post for finding it - https://discussions.apple.com/thread/4142185?tstart=0

• Setting up Open Directory and iCal server.

  Hello:
  I'm new to open directory - please help or point me in the right direction. I'm trying to set up a OSx server 10.5 running on a PowerMac G4.
  I need iCal/DNS/FS/VPN/WEB/Open Directory as services enabled.
  For testing purposes I've set up a small network with three machines all running 10.5.6.
  I've tired over and over to do this via an advanced server but have not be able to get everything to work so I did a basic server allowing the server set up to input all my settings. Everything built and started up without issue but I could not get iCal to work. I let the set up sit over night and when I returned the next morning the MacMini screen had a window saying that a directory server has been found that offers these following services ...WEB - iCal etc. Do you want to configure your workstation. I did and everything worked as aspected. I thought that I finally got it!
  I wanted to see the all of the settings so I converted the server to an advanced server and everything still worked. ( From the one workstation ).
  I imported a users exported file from the server I'm trying to fix then the groups file. Everything still worked from the Mac Mini but I could not connect from the other workstation.
  I never received the Open Directory message about services being offered etc.
  Both machines have identical network settings ( Fixed I.P. pointing the DNS to the server.) AFP sees the server from both workstations but I can not login from the third workstation using any known good user name and password not even the admin or the Macmini account and password that works from the Mac mini. I don't really know anything about open directory, do you need to register the computer name with the server or something to that effect.
  Why would it take hours for that original service offering to go out to the first workstation?
  Thanks for any help you can offer. All of my OSX server experience has been setting up file servers never any of the other offerings.
  Thanks,
  Rick

  Sorry,
  I posted this to the wrong forum. I re-posted in Open Directory.
  Thanks,
  Rick

• Open Directory and AFP

  Hello, I have been having some problems setting up Tiger Server to have the clients home directory hosted on the server. When the client tries to login, it gives them an error saying they are unable to log on at this time because of afp. If anyone could help or point me to a guide it would be appreciated.
  -Bobby

  Hi
  For 10.4 Server you should really post in the 10.4 OD Forum here:
  http://discussions.apple.com/forum.jspa?forumID=713
  However it does not really matter. You may find what follows useful:
  A Simplified Method for Deploying Open Directory Services
  A centralized authentication and authorization service providing automounting home folders for network users and control for service administrators using managed preferences. Ideal for Schools, Colleges, Libraries, Universities and in some cases, Private Companies
  These instructions are for the GUI only with no manual configuration and hardly any recourse for the command line. These instructions also assume that this will be the only server on the network.
  Substitute appropriately the examples given for your situation. The example used is for a pretend school called ‘High School’
  Assuming you have installed the Server Software and on restart the Server Setup Assistant has launched. We’ll use Administrator as the long name and admin as the short name with admin as the password for the default Server Administrator account (UID 501). We’ll assign a fixed IP address of 172.16.16.254, a subnet mask of 255.255.255.0 and the router/gateway IP address offering access to the internet as 172.16.16.1. Key in any ISP supplied DNS Server IP addresses in the DNS Servers field in the Network Preferences Control Panel. The server name will be server. You will see the server name in the Sharing Preferences Pane (server.local) as well as Server Admin > Computers & Services. The Server can be reached either using this name, its IP address, its loopback address and later on, after the DNS Service has been configured, its Fully Qualified Domain Name (FQDN). Don’t start any services apart from Remote Desktop, save the configuration as a text file and restart the Server. After the restart log in using the newly created System Administrator account details. Now would be a good time to test internet connectivity as well as running Software Update and installing all the updates relevant for the server.
  Start simple file services first: AFP and if necessary Windows. If there is more than one PC already on the network switch off Workgroup Master Browser and Domain Master Browser found in Server Admin > Windows > Advanced > Services. Create a test user in the local server directory (NetInfo) and test using a client computer to access the default share points: Users, Groups, Public. Don’t be tempted to delete these folders as the server will complain. If you don’t want to use these you can simply unshare the share points and create new ones. You could for example create share points on a connected XServe RAID and share these instead. Save any changes made.
  The instructions that follow are for simple DNS Settings which will do to successfully deploy an Open Directory Master
  Click on DNS Service Settings > Zones > click the + icon > General. The Server IP address will already be there, key in the Fully Qualified Domain Name (FQDN). This can either be a real world domain name or a pretend domain name. As long as it resembles fully qualified domain names it will do, avoid using .local.
  In this example we will use server.highschool.sch.org.
  Save the changes
  Now click Start Service. You will have to click Start Service twice as Server Admin does not start the service the first time as that is when the config files are written. These are kept in two locations: /etc/host.config and /var/named. The second time you click Start Service you will get the green light. Now set the Logging level to Debug and save the changes again. Launch System Preferences > Network > Configure > TCP/IP > key in the Server’s own IP address 172.16.16.254 in the DNS Servers field and remove any other IP address. Apply and save changes. Launch a web browser and see if you can get on the internet. Inspect the DNS logs in Server Admin and you will see entries starting with createfetch as well as received control command channel status: ready. By this time you should be on the internet using the server’s own IP address instead of ones supplied by your ISP or Router. Test and qualify the DNS Service by launching terminal and issuing the host command:
  host server.highschool.sch.org
  server.highschool.sch.org has address 172.16.16.254
  host 172.16.16.254
  254.16.16.172.in-addr.arpa domain name pointer host172-16-16-254.in-addr.server.highschool.sch.org
  This qualifies the forward and reverse pointers for the DNS Service
  Remember that a properly configured and qualified DNS service is crucial to the more advanced technologies available on OSX Server. Apple themselves recommend using DNS even if the Server is providing simple file services such as AFP
  If you want the Server to issue IP addresses then consider using the DHCP Service. If your router is already doing this then there is no need to bother just yet. Once you get comfortable and familiar with the Server you could look at this later on.
  Back to Server Admin
  Click on Open Directory > Settings > Select Standalone and now select Open Directory Master. As soon as you do this you will be prompted to create the Directory Administrator account, by default diradmin. You can’t use the standard administrator account. You dont have to use diradmin as the name you can use another name, but don’t be tempted to use admin. For this example we will leave it as it is as well as defining the password as diradmin. If DNS Services are correctly configured you will see the Kerberos Realm field already filled in for you and it will look like this: SERVER.HIGHSCHOOL.SCH.ORG. As you can see it will be the FQDN but in capitalized form. The search base will be automatically filled in also and it will look like this: dc=server,dc=highschool,dc=sch,dc=org.
  Save changes.
  Launch Directory Access /Applications/Utilities and click on LDAPv3, authenticate if required to do so. Inspect the configuration setting there and you should see the Server’s loopback address 127.0.0.1 has been entered as a New Configuration. This is normal and gets added upon promotion. Now launch Workgroup Manager and select the appropriate Directory Node LDAPv3/127.0.0.1. Authenticate using the newly created Directory Administrator account: diradmin. If everything has gone well you will see the Directory Administrator user (UID 1000) already there. Create a new user called Andrew Barton, short name: andybarton, UID 1025, password andyb, click Save. Select Sharing and make sure that the default Users folder is set to share, now click on Network Mount and click the lock, authenticate using the diradmin account and set the Users home folder to automount Home Directories. Click Save. Click Accounts, select Andy Barton, click Home, verify that the Home Folder path says afp://server.highschool.sch.org/Users, select this and click Create Home Now followed by Save. Navigate to the Finder, double click the Server hard drive, double click the Users folder and verify that the folder andybarton has been created. Double clicking on this folder will show the usual set of home folders with no entry signs on all of them apart from public and sites. Carry on populating the LDAP Directory Node with desired users. Once you have finished click on the Groups tab and create a group and call it Music Class, populate this group with desired users. We will look at Managed Preferences (MCX) for this group later on.
  In this example Music Class has 30 iMacs. Use the first iMac as a model for all the others. Create an administrator account on the first iMac with a strong password. Avoid using Administrator and admin as these could conflict with the Server admin account. Don’t use a User Account already created on the Server. I will use MC Administrator as the long name and mcadmin as the short name, switch off auto log-in. Install all relevant site license software on this mac. Set the iMac’s name in the Sharing Preferences Pane to iMac01, the .local part will be automatically filled in for you, save all changes. Run all software updates available for the mac, restart the mac. You can now use this mac as the ‘Golden Mac’ – a template for all the other iMacs. You can target disk mode this first mac to the second mac and after cloning change the name of the second mac to iMac02. Or you could image iMac01 to an external firewire drive, connect the drive to the server and use Apple Remote Desktop (ARD) to push out the image to all the other macs. You could also use System Image Utility, PackageMaker and NetInstall. As you can see there are numerous ways of doing this.
  Back to iMac01
  Log in using the mcadmin account, launch Directory Access (Applications/Utilities), click on the lock and authenticate, select LDAPv3, click Configure, deselect ‘Add DCHP-supplied LDAP servers to automatic search policies’, click New and key in either the IP address 172.16.16.254 or better still its FQDN. If you are going to use the Server’s FQDN then make sure the Server’s IP address is in the clients DNS Servers field. Server discovery should be fairly quick, you will see iMac01.local’s computer in the first field and you will be prompted for a network user name and password, don’t bother with this just click OK and then continue, you will then see the Server Configuration in the Services window, click OK. Click on Authentication and verify that Custom Path is displayed, you should see /LDAPv3/172.16.16.254 or the server FQDN as the second Directory Domain displayed (the first one will be the local NetInfo node and will be grayed out). Do the same for the Contacts tab, click OK and quit Directory Access, select log out from the Apple menu and you should now see a log in window displaying the local mcadmin account as well as ‘Other’. Click Other, key in andybarton as the name and andyb as the password, you should now be logged into the Home Folder for that user on the server. Launch TextEdit, type a few words and save the Untitled document to the Documents folder, now log out. Go to Workgroup Manager, select Sharing, select Users, select andybarton, select Documents and you should see the Untitled document grayed out.
  Managed Preferences or MCX
  Select the Music Class Group, click on Preferences > Finder > Views > Always > Default View and select the smallest setting for the dock size, click Done, go back to the client and log in again as andybarton and see if the dock size has changed. The order in which managed preferences take precedence are:
  User
  Computer
  Group
  If a setting is defined in Group and also defined differently in Users, the Users setting will take precedence. Managed Preferences can be accumulative also. What can be managed for Users and Groups are the same. Computer Lists are the same with the addition of Energy Saver. Play with these settings as seems appropriate to you. If you decide to manage clients using Computer Liststhen create your own (by type and location), try not to use the default lists. The same advice applies to Network Views.
  As time goes by and you become more familiar and comfortable you can start integrating the Software Update Service, NetBoot/NetInstall, Mail Services, Print Services and any other Service that seems appropriate to you.
  Hope this helps, Tony

• After Updating to Server 4.1 Open directory and LPAD gone

  Hello,
  two days ago I discovered that Open directory was not working on our Server (Mac Mini 2012). I suspect it stopped working after updating to 10.10.3 and OS-X Server 4.1. When I try to start Open directory in the Server App the Server App prompts: Unable to load Replica List. When I try to recreate my Open directory Server I Get: OD Server already exists.
  I get the following log entries:
  LDAP Log
  Apr 11 22:03:02 server.seju.eu slapd[925]: @(#) $OpenLDAP: slapd 2.4.28 (Feb 24 2015 21:45:59) $
    [email protected]:/BinaryCache/OpenLDAP/OpenLDAP-499.32.4~1/Objects/servers/slapd
  Apr 11 22:03:02 server.seju.eu slapd[925]: daemon: SLAP_SOCK_INIT: dtblsize=8192
  Apr 11 22:03:02 server.seju.eu slapd[925]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:server.seju.eu"
  Apr 11 22:03:02 server.seju.eu slapd[925]: slap_add_listener: opened additional listener 'ldaps:///'
  Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): unable to allocate memory for mutex; resize mutex region
  Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_open: database "dc=server,dc=seju,dc=eu" cannot be opened, err 12. Restore from backup!
  Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): txn_checkpoint interface requires an environment configured for the transaction subsystem
  Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": txn_checkpoint failed: Invalid argument (22).
  Apr 11 22:03:02 server.seju.eu slapd[925]: backend_startup_one (type=bdb, suffix="dc=server,dc=seju,dc=eu"): bi_db_open failed! (12)
  Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": alock_close failed
  Apr 11 22:03:02 server.seju.eu slapd[925]: slapd stopped.
  Open Directory Log
  2015-04-11 21:57:10.624284 CEST - AID: 0x0000000000000000 - opendirectoryd (build 382.20.2) launched...
  2015-04-11 21:57:10.752590 CEST - AID: 0x0000000000000000 - Logging level limit changed to 'error'
  2015-04-11 21:57:10.916732 CEST - AID: 0x0000000000000000 - Initialize trigger support
  2015-04-11 21:57:10.951833 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'
  2015-04-11 21:57:10.958469 CEST - AID: 0x0000000000000000 - Module: SystemCache - failed to load persistent state - Input/output error
  2015-04-11 21:57:10.962533 CEST - AID: 0x0000000000000000 - Registered node with name '/Active Directory' as hidden
  2015-04-11 21:57:10.962833 CEST - AID: 0x0000000000000000 - Registered node with name '/Configure' as hidden
  2015-04-11 21:57:10.963182 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'
  2015-04-11 21:57:10.963194 CEST - AID: 0x0000000000000000 - Registered node with name '/Contacts'
  2015-04-11 21:57:10.963438 CEST - AID: 0x0000000000000000 - Registered node with name '/LDAPv3' as hidden
  2015-04-11 21:57:10.966901 CEST - AID: 0x0000000000000000 - Registered node with name '/Local' as hidden
  2015-04-11 21:57:10.968600 CEST - AID: 0x0000000000000000 - Registered node with name '/NIS' as hidden
  2015-04-11 21:57:11.031990 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'
  2015-04-11 21:57:11.032007 CEST - AID: 0x0000000000000000 - Registered node with name '/Search'
  2015-04-11 21:57:12.343838 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/LDAPv3/127.0.0.1' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/127.0.0.1.plist'
  2015-04-11 21:57:12.343888 CEST - AID: 0x0000000000000000 - Registered subnode with name '/LDAPv3/127.0.0.1'
  2015-04-11 21:57:13.549377 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'
  2015-04-11 21:57:13.551131 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'
  2015-04-11 21:57:13.554053 CEST - AID: 0x0000000000000000 - '/Search' has registered, loading additional services
  2015-04-11 21:57:13.554064 CEST - AID: 0x0000000000000000 - Initialize augmentation support
  2015-04-11 21:57:13.557920 CEST - AID: 0x0000000000000000 - Successfully registered for Kernel identity service requests
  2015-04-11 21:57:13.557940 CEST - AID: 0x0000000000000000 - Adjusting kernel ID cache (100 -> 250) and membership cache (100 -> 500)
  2015-04-11 21:57:13.575235 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'
  2015-04-11 21:57:13.578418 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'
  2015-04-11 21:57:13.583810 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleID.bundle'
  2015-04-11 21:57:13.615788 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'
  2015-04-11 21:57:13.619666 CEST - AID: 0x0000000000000000 - Registered subnode with name '/Local/Default'
  2015-04-11 21:57:13.632498 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
  2015-04-11 21:57:13.845588 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientLDAP.bundle'
  2015-04-11 21:57:13.849664 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientPWS.bundle'

  I had a similar problem. A couple days after upgrading, I encountered OD's "Unable to load replica" problem and had my server's certificate deleted from my system keychain!
  Server.app + OD + LDAP are all extremely fragile and I just don't trust them during transitions, so I always keep an independent bootable backup with Carbon Copy Cloner and this preflight script. I'll post my notes for recovering OD below, but in my case, nothing worked this time, and I couldn't start OD robustly across reboots. Fortunately for me, my 12 hour old bootable backup was working, so I just used CCC to copy my bootable backup back. Not sure what I would have done had that not worked short of rebuilding everything from scratch.
  Pre-steps:
  0. Bootable backups, Time Machine backups, and dirserv backups of everything.
  1. Disk Utility: Fix disk permissions, Fix disk
  2. PRAM reset, Command-Option-P-R at boot
  3. DiskWarrior to rebuild the disk directory
  Possible steps to fix OD:
  # Fix Open Directory "Unable to load replica"
  # Try this first:
  # https://support.apple.com/en-us/HT200018
  # Quit Server.app
  sudo mkdir /var/db/openldap/migration/
  sudo touch /var/db/openldap/migration/.rekerberize
  sudo killall PasswordService
  # Open Server.app
  # Try this second:
  # http://apple.stackexchange.com/questions/79141/how-to-fix-failing-open-directory -database-cn-authdata-cannot-be-opened-err
  sudo serveradmin stop dirserv
  sudo launchctl unload -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
  sudo db_recover -h /var/db/openldap/authdata/
  sudo /usr/libexec/slapd -Tt
  sudo launchctl load -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
  sudo serveradmin start dirserv
  # Try this third:
  # https://discussions.apple.com/thread/6018956
  sudo serveradmin stop dirserv
  sudo slapconfig -restoredb /private/var/backups/ServerBackup_OpenDirectoryMaster.sparseimage
  sudo serveradmin start dirserv
  # Try this fourth (assuming ccc_preflight od backup):
  # https://discussions.apple.com/thread/6018956
  sudo serveradmin stop dirserv
  sudo slapconfig -restoredb /private/var/backups/odbackup/od_2015-04-11.sparseimage
  sudo serveradmin start dirserv
  # Try this last:
  sudo rsync -va /your-backup-drive-possibly-TM/private/var/db/openldap/authdata/ /private/var/db/openldap/authdata/
  If your server cert gets deleted from the System keychain, you'll need to boot into the bootable backup and export the certificate+key that looks like hostname.domainname.tld, signed by IntermediateCA_HOSTNAME.DOMAINNAME.TLD_1, copy this to the server drive, import back into the System keychain. The cert should then appear within Server.app again. See here for how to do this if all you have is the System keychain file.
  If anyone has reliable advice how to fix a corrupt OD that would be a huge help.

• Open Directory and LDAP questions/difficulties

  Hi, my company is about to try out OSX Server to replace our old Irix file server. In order to do this we need to run through a number of tests in order to validate the idea. Basically, the test setup is a PM G5 running OSX Server 10.4 and a connected Mac and/or PC on the G5's second ethernet port as test clients. The first ethernet port is connected to the local subnet (192.168.1.x) and, ideally, the OSX Server should have its own subnet on the second port and serve DHCP, AFP and SMB to that port only, along with an OD shared directory providing both authentication and home directories for users. (later on, if all is successful, it will serve those services on the company subnet). DNS is supplied by a separate server on the subnet (DNS caching server running tinydns)
  I've read my way through the OSX Server documentation, and gathered all the information the Worksheet requires. The problems started occuring because we installed OSX Server over an OSX Client and broke off the Server Assistent, because we were worried at the time that turning on a Windows PDC would collide with our current (and very flaky) Samba server running on the Irix machine, and that DHCP might also collide with our current dhcp server.
  As a consequence, we tried to set it up via the Server Admin Panel, Network Prefs, and the Workgroup Manager, after having connected the second ethernet port of the G5.
  Doing this, and setting the OD service to an OD Master, along with a Search base of dc=hostname, dc=domain, dc=tld has not exactly changed much. The problem is that the info panel says that LDAP is not running. This confuses me no end. I thought OD was based upon LDAP. The server name in the Server Admin panel is hostname.local. And now I get to my real questions (finally):
  1.Would it be better to just wipe the machine and start again using the Assistent, and set up the ODMaster that way?
  2.When is an ODMaster not a local directory and when is it a shared directory (the hostname.local worries me)
  3.What services exactly need to be running for the ODMaster to function properly
  3.How do I configure the local subnet on the second port (should I use the Gateway Assistent or do it by hand), and how do I only serve those services to that port (do I do it by setting the router/gateway for those services as the IP of the second port or as localhost).
  4.Do I need to simply enable LDAPv3 on the clients and set the search path to automatic to get the clients to Autheticate?
  5.Do user and groups added to the hostname.local become part of the OD Domain?
  I'm sorry if I come across as a total newbie. I'm used to doing most of this on the commandline in Linux (except for LDAP, which is new to me), and the GUI. I have managed to entangle myself quite nicely in all this and could really use some pointers.
  Thanks in advance
  Theo.
  PowerBook G4   Mac OS X (10.4.7)  

  1. Starting with a freshly installed OS X Server is recommended, but start no services at first, you need working DNS with reverse zone for the server IP to run OD Master (and other services). If the server domain is to be different from the existing network domain name setup DNS in OS X for the test domain.
  2. I'm not sure I understand the question. LDAP/OD can be used on the server to "house" the user accounts but you don't have to bind computers to it.
  If you don't use the more advanced possibilities with LDAP/OD I don't think the clients even need to have LDAP configured to be able to authenticate.
  hostname.local = hostname and the standard Bonjour domainname .local ?
  3a. DNS, so that reverse lookup works for the hostname before setting up OD Master. OD needs a "true" domainname Bonjour isn't sufficient. Setup/use something like mydomain.private.
  3b. You don't need to do NAT, you can also route between two subnets (you would need a static route in your Internet router too).
  If you want NAT you can use the GW assistant. The interface on the top of the list in Network config (where you can add more/alias interfaces) is the "main" interface used as the "WAN"/"Internet" interface.
  4. If the clients are "standalone" (not bound to the OD domain or not using server based homefolders and such) I think you only need LDAP if you want the clients to be able to search for info in OD/LDAP. Not needed for authentication.
  You can send out LDAP info with DHCP.
  5. If you mean you add/enter users and groups to OD/LDAP directory it just means you can have different servers/clients using a central repository(?) for authentication purposes.
  If you add (bind) machines to the domain you can to control what clients can do locally (priviledges), which applications they can run and so forth.
  In /etc/smb.conf you can say which interface to use för samba (don't remember what to enter though). And if using the firewall (you must if you want NAT) you can stop Bonjour (mDNS - multicasts) from entering the "old" network if you like/need.

• Open directory and Active directory

  Hello everyone.
  I am from a school in london. We currently have 8 servers (7 running Server 2003 and a recently installed Mac server running os x server 10.5)
  We have recently installed new macs into our media room and need them to be set up to work with the current domain setup.
  what we wish to do is to run the media centers computers through the Mac server but get the existing domain information from the Active directory server running windows. As i have not set up a mac server before I am having certain difficulties doing this. The first time we set up the active directory on the mac server we could log into the mac computers but could not change any of the policies to different groups to allow or deny certain applications from running. Everytime i go to save a policy for a certain group we get the error message
  "Error while saving record "Finchley\Level 1@ Error -14140
  Im guessing this is because we are trying to save that to the active directory and not onto the mac server so how can we Map the active directory to the Macs open directory so that we can customize the mac group policies?
  Sorry if that didnt make alot of sense im typing abit fast
  Thanks

  Have you been here?
  http://docs.info.apple.com/article.html?path=DirectoryAccess/1.8/en/c7od45.html
  It should be straight forward, depending on how your AD accounts are setup.
  Unfortunately, I currently see a bug in the system which is often causing the home directory share to fail to mount when I use the AD plug-in in its default configuration. I'm pleading with Apple to fix this soon.
  If you use the plug-in in "true network home" fashion, by unchecking the 'force local home' option, then you should avoid this annoying bug. This method however requires plenty of network bandwidth and space for your entire Mac home folder.

• Open Directory and connection to shared folders fail

  Hi,
  For testing i've setup an Open Directory Master (Leopard server 10.5.2) with shared folders and portable home directories.
  Login and synhronizing works as it should. But once logged in, when i click on the server in finder i just get connection failed. When i choose "connect as" and log in as the same user and password as authenticated at the login to the computer (authenticated to OD) it works.
  I thought it should work like a single sign on?
  Any clues?

  Hi
  If you browse the discussion forum you should find this:
  http://discussions.apple.com/thread.jspa?threadID=1251475&tstart=0
  Basically browsing using the Finder or Side Panel does not work well or breaks easily (as far as I can tell it has been like this since 10.2). In an OD environment trying to connect and getting a ticket using that method will probably fail. The workaround - or the 'fix' - is to use 'Connect to Server' from the Go Menu using the Server's IP address. In my experience it does not seem to matter whether AFP is set to Kerberos, Any or Standard for the authentication method. It also does not seem to matter whether the Server is configured in Standard or Advanced.
  I've not come across anything yet regarding Workgroup. Probably in that configuration it may not be an issue as this mode - as far as I can see - is ideal for AD-OD integration. In that environment OSX Server would not be the KDC and mac clients will be using the AD for SSO.
  Since this has been happening since 10.2 I don't see Apple addressing this anytime soon, however you never know?
  Tony

• Autherntication using Open Directory and NO home folder

  We are looking to set up an Open Directory on a Snow Leopard server in our medium sized company - we would like to use it for Single Sign On authentication but do not want to create home folders on the server. All we want OD to do is authenticate
  We have been able to authenticate using OD bound and unbound but both need home folders. Is there a way to have no home holder and still authenticate?
  thanks

  What I did was in WGM select a user account. Then select the Home tab. Click the + button to add a home folder. In the sheet that drops down, in the bottom box put /Users/username. Leave the other boxes blank. This will create a home folder locally on whatever machine the user logs into.

• Mac Open Directory and Sun Java DS

  We have Mac Open Directory Servers running on OSX 10.4.x domain. I am thinking about moving this domain by implementing Sun Identity Management solution. However, I am not able to find the Mac Open Directory in the IDM Supported standards. My Sun Directory Server synchronizes with the Windows AD using IDSYNC but I am not sure how a similar environment can be implemented for Open Directory. Is there a product from Sun for synchronizing accounts with Open Directory from the Sun Java DS?

  Mac Open Directory supports the LDAPv3 protocol so you could use Sun IdM's LDAP adapter to manage entries in Mac OD. I would probably set up Sun IdM to perform the synchronization. You configuration would depend on what source was authoritative.
  The tough thing is that Active Sync would probably not work for Mac OD so automatically doing a synchronization based on updates in the Mac OD would not be feasible unless you created and Active Sync adapter. If done it before. It's not too difficult.

• Open Directory and Web service groups disabled

  Hi,
  I am trying to configure Podcast Producer on Leopard Server (got a 10.5.1). the DNS seems to be working fine; same as open direction (ODM) with Kerberos. However, when I created a group in WorkGroup Manager and Directory it is still disabled in the web page (using the domain name). I don't understand why. Could it be a permission problem? Could it be the apache configuration?
  Thanks in advance for any help

  Hi,
  I am trying to configure Podcast Producer on Leopard Server (got a 10.5.1). the DNS seems to be working fine; same as open direction (ODM) with Kerberos. However, when I created a group in WorkGroup Manager and Directory it is still disabled in the web page (using the domain name). I don't understand why. Could it be a permission problem? Could it be the apache configuration?
  Thanks in advance for any help

• Open directory and Directory Utility

  I'm in a public school system that has everything running within a private IP setting. We have a Leopard server that has been set up so that access by means of a public IP and DNS entry is possible. Ports have been opened to allow iChat, iCal, web, and ARD to function. What we have not been able to do is to use Directory Utility to connect to OD. ARD is working well from outside the district. I can use Directory Utility inside the firewall, but not on the public side of it. Can do a lookup on the DNS entry, but not ping the machine by IP nor by name. I've looked to see if I've missed a port, but I'm not sure what might be missing. I've not located anything that would provide a port that Directory Utility might need to be able to make it through the firewall. Any help or possible direction would be appreciated.

  You should post to the server products forums.