Active Directory & Open Directory integration
Hello,
Here is the scenario I would like to accomplish. let me know if its possible or not.
Currently I have a cluster of domain controllers on a fairly large Active Directory domain. We have a lot of mac clients that are running totally independant and want to get them on the domain.
On the mac side, we want to run some mac services such as ichat server and get some of the other open directory features.
So is it possible to do this:
(Ad Domain) - one way replication -> (OD server) -> Mac Clients
Basically I would like to have an OpenDirectory server for the mac workstations, is there anyway to replicate all the users from the AD server? Then be able to specify the mac related options such as ichat on the OD server? Maybe I am going at this the wrong way, let me know!
Thanks
Nick
xServe Mac OS X (10.4.6)
Hi dani190,
are you using the fully qualified domain name of the network server? ie if your server is bob. and your domain is domain.company.com. then the FQDNS would typically be bob.domain.company.com or bob.company.com.
If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
For the contact search path, did you put the AD at the top the list? (in directory utility)
Did you set the WINS work group on your client computer to your domain?
ie:Apple Menu, System Preferences, Network, Active Network Port (ethernet and or airport) , Advanced Button, WINS Tab, set workgroup to the name of your domain. ie domain.company.com and or company.com
Similar Messages
-
Using iChat Server with Windows clients in an integrated Active Directory/Open Directory environment
A co-worker (Super Brent) and I were working on using iChat as an internal IM server after having used Openfire for a couple days. The reason for switching was basically that we had a Mac Mini Server that was available so we decided to take this on.
First problem: Knowing whether or not Kerberos was needed for AD/OD integration. We spent a ton of time on this, not knowing a huge amount about AD and with our server administrator on courses, we just kept poking at it and removed Kerberos.
For the AD/OD integration, we first bound the Mac Mini to our Active Directory server. We shut off LDAPv3 support as we only wanted to use the AD functionality. Additionally, we ensured that the search policy in Directory Utility only used Active Directory. Then we created an Open Directory master in the Open Directory service. We enabled a self-signed certificate and trusted it locally. After creating the iChat service, ensure that you use the self-signed SSL Certificate and set authentication to Standard. (no kerberos).
Second problem: Once this was complete, we started to test clients out. We were unable to successfully login using our AD credentials using Spark IM and Pandium IM. After trying nearly 100 different variations of server configs, we decided to try a new client. I installed Miranda IM on my Windows XP machine and tried a few different setups. It turned out that the magic potion was to make sure that the "resource" field was set to "Home" and use SSL for encryption. This resource setting was the deal breaker for the other IM clients as many of them such as Spark and Pandium do not have this as a login option.
We ended up using Pidgin IM as the Windows client of choice as it did have the resource variable and it's interface was the best suited for our environment and users.
I hope this helps someone out there as we spent days looking all over the internet trying to figure this out.
Cheers,
Frenchy and Super BrentHi,
iChat Server is not something that I know a great deal about.
I tend to point people to the OS X Server Communities and to look out for posts by Tim Harris.
Thanks for taking the time to post this.
9:58 PM Friday; February 10, 2012
Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
iMac 2.5Ghz 5i 2011 (Lion 10.7.3)
G4/1GhzDual MDD (Leopard 10.5.8)
MacBookPro 2Gb (Snow Leopard 10.6.8)
Mac OS X (10.6.8),
"Limit the Logs to the Bits above Binary Images." No, Seriously -
Directory Binding Script (Active and Open Directory) 10.7
Hi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN" # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME" #Name of the Domain as specified in the search paths
udn="YOURADADMIN" # username of a privileged network user
password="YOURADPW" # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN" # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred $domain" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow" # allow | disable | require
packetencrypt="allow" # allow | disable | require
passinterval="14" # number of days
namespace="domain" # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook="" # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
# These variables probably don't need to be changed
# Determing if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
check4OD=${check4ODtmp//[[:space:]]/}
echo "Found LDAP: "$check4ODtmp
check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
check4ODacct=${check4ODaccttmp//[[:space:]]/}
echo "Found LDAP-Computer-Account: "$check4ODacct
else
check4OD=""
check4ODacct=""
echo "No bound LDAP Server found"
fi
if [ $oldComputerGroup != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
check4ODgroupMembership=$check4ODgroupMembershiptmp
echo "LDAP Group Membership in Group: "$oldComputerGroup
else
check4ODgroupMembership=""
echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
check4AD=${check4ADtmp//[[:space:]]/}
echo "Found AD: "$check4AD
check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
check4ADacct=${check4ADaccttmp//[[:space:]]/}
echo "Found AD-Account: "$check4ADacct
else
check4AD=""
check4ADacct=""
echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
StartService ()
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
touch /var/run/NetworkTime.StartupItem
echo "Starting network time synchronization"
# Synchronize our clock to the network’s time,
# then fire off ntpd to keep the clock in sync.
ntpdate -bvs
ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "This computer is bound to the following Open Directory Services:"
dscl localhost -list /LDAPv3
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
sleep 5
if [ "${check4ODacct}" == "${computerid}" ]
then
echo "This machine already has a computer account on $oddomain."
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
echo "Found GUID: "$GUID
if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
then
echo "Removing entry from group $oldComputerGroup"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
fi
echo "Removing Computer entry $computerid in OD"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
fi
#List existing Directories
echo "Removing OD-Binding to "$check4OD
dsconfigldap -r "$check4OD"
echo "Removing Search Path entries"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
sleep 5
else
echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "Found:"
dscl localhost -list /LDAPv3
echo "Removing OD-Binding to "$check4ODtmp
dsconfigldap -r "$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
sleep 5
else
echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
echo "This computer is bound to the following Active Directory Services:"
dscl localhost -list "/Active Directory"
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
sleep 5
echo "Removing any existing AD-Binding to "$check4AD
dsconfigad -f -remove -username "$udn" -password "$password"
echo "Removing Search Path entries"
if [ "$preferred" != "-nopreferred" ]
then
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search/Contacts -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
fi
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
fi
sleep 5
else
echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
rm -R /Library/Preferences/edu.mit.Kerberos
fi
if [ -d "/etc/krb5.keytab" ]
then
rm -R /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Damin "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ $computerGroup != "" ]
then
echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
LEN=$(echo ${#adcomputerid})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
computeridtmp=$adcomputerid
else
echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
echo "Removing any -"
computeridtmp=${adcomputerid//-/}
LEN=$(echo ${#computeridtmp})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
else
echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
computeridtmp=${computeridtmp:(-15)}
fi
echo "Cropped Computername to "$computeridtmp
fi
else
computeridtmp=${check4ADacct//$/}
echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad "$preferred"
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
csp="/Active Directory/$domainname/All Domains"
else
csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
cspadall="/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook $newLoginHook
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0 ## Success
exit 1 ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
SeeHi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN" # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME" #Name of the Domain as specified in the search paths
udn="YOURADADMIN" # username of a privileged network user
password="YOURADPW" # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN" # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred $domain" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow" # allow | disable | require
packetencrypt="allow" # allow | disable | require
passinterval="14" # number of days
namespace="domain" # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook="" # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
# These variables probably don't need to be changed
# Determing if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
check4OD=${check4ODtmp//[[:space:]]/}
echo "Found LDAP: "$check4ODtmp
check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
check4ODacct=${check4ODaccttmp//[[:space:]]/}
echo "Found LDAP-Computer-Account: "$check4ODacct
else
check4OD=""
check4ODacct=""
echo "No bound LDAP Server found"
fi
if [ $oldComputerGroup != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
check4ODgroupMembership=$check4ODgroupMembershiptmp
echo "LDAP Group Membership in Group: "$oldComputerGroup
else
check4ODgroupMembership=""
echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
check4AD=${check4ADtmp//[[:space:]]/}
echo "Found AD: "$check4AD
check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
check4ADacct=${check4ADaccttmp//[[:space:]]/}
echo "Found AD-Account: "$check4ADacct
else
check4AD=""
check4ADacct=""
echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
StartService ()
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
touch /var/run/NetworkTime.StartupItem
echo "Starting network time synchronization"
# Synchronize our clock to the network’s time,
# then fire off ntpd to keep the clock in sync.
ntpdate -bvs
ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "This computer is bound to the following Open Directory Services:"
dscl localhost -list /LDAPv3
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
sleep 5
if [ "${check4ODacct}" == "${computerid}" ]
then
echo "This machine already has a computer account on $oddomain."
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
echo "Found GUID: "$GUID
if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
then
echo "Removing entry from group $oldComputerGroup"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
fi
echo "Removing Computer entry $computerid in OD"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
fi
#List existing Directories
echo "Removing OD-Binding to "$check4OD
dsconfigldap -r "$check4OD"
echo "Removing Search Path entries"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
sleep 5
else
echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "Found:"
dscl localhost -list /LDAPv3
echo "Removing OD-Binding to "$check4ODtmp
dsconfigldap -r "$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
sleep 5
else
echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
echo "This computer is bound to the following Active Directory Services:"
dscl localhost -list "/Active Directory"
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
sleep 5
echo "Removing any existing AD-Binding to "$check4AD
dsconfigad -f -remove -username "$udn" -password "$password"
echo "Removing Search Path entries"
if [ "$preferred" != "-nopreferred" ]
then
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search/Contacts -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
fi
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
fi
sleep 5
else
echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
rm -R /Library/Preferences/edu.mit.Kerberos
fi
if [ -d "/etc/krb5.keytab" ]
then
rm -R /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Damin "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ $computerGroup != "" ]
then
echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
LEN=$(echo ${#adcomputerid})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
computeridtmp=$adcomputerid
else
echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
echo "Removing any -"
computeridtmp=${adcomputerid//-/}
LEN=$(echo ${#computeridtmp})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
else
echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
computeridtmp=${computeridtmp:(-15)}
fi
echo "Cropped Computername to "$computeridtmp
fi
else
computeridtmp=${check4ADacct//$/}
echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad "$preferred"
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
csp="/Active Directory/$domainname/All Domains"
else
csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
cspadall="/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook $newLoginHook
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0 ## Success
exit 1 ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
See -
Date and Time Sync at boot for Active Directory/Open Directory Authenticati
All the macs in my school district are set to automatically sync their time with a network time server. They do not do this unless the system preference is opened. This poses a problem as all our users must authenticate against an Active Directory and an Open Directory server. If the time is out of sync they can not login, and therefore can not fix the time. I must then login in with a local admin account set the time and then the network account can login. I have tried using direct IP addresses for the NTP server. That doesn't work either. I have adjusted the tolerance of the AD server to accept a large discrepancy in time (did not work). Set the users to be mobile accounst (local home folders), did not work. The only fix will be to ensure that the time does sync at boot, before login. Is there a way to force the computer to sync at boot to a given NTP server, prior to the login window appearing?
I have come up with my own solution for this issue. It is a two part solution. We found that the computers are experiencing time drift and that after they get out of sync by 5 minutes they can no longer login. One would think that the setting in the Date and Time system preference to automatically synchronize the time would take care of this. That however is not the case that check mark does not affect the ntp service at all. It merely eliminates the need to click a button when entering the system preference. How did we discover this? well that is part of the solution. We used webmin (http://www.webmin.com) to look at the ntp configuration. No matter what changes we made with the Date & Time preferences nothing changed in the system ntp settings. So on to the solution: Install webmin, and configure the ntp protocol manually to sync at your desired interval (I did hourly). This stops time drift. Next create a startup item and associated plist to force time sync at boot (be sure to loop it as different machines initialize their network cards slower). I have made ours available for download (http://www.manheimcentral.org/~getzt/netTime.zip). I hope this helps others. We have found that this works fairly well.
-
Active Directory Open Directory Disable Users
Can you make an Active Directory Account disabled in the Open Directory, but still have it function in Active Directory?
We are trying to disable a generic lab account in Active Directory from being able to comment on our Blog Pages.Hi
Did you read what you typed before you posted? Because the question does not make sense and contradicts itself.
Users that exist in the AD node do not as such exist in the OD node. In the OD node you are simply looking at them as they are presented to you from AD. Neither can you disable AD accounts from the OD node. You have to do that on the AD itself.
If you have enabled augmented records for AD users then disable them using the reverse process you used to enable them. That way AD users are stopped from commenting Blog Pages but are still active in AD.
Tony -
Active Directory - Open Directory Magic Triangle
I have a 10.5.5 server that I am trying to bind to our AD so I can provide SSO to our Mac users.
I start from a Standalone installation and Bind to AD through the Directory Utility without issue. The servers computer record is created in AD. However I am unable to join a kerberos realm because the "Join Kerberos" button never appears in the Open Directory settings in Server Admin.
I thought this part should be straight forward, but I am unable to get the button to appear. Am I missing something here?
Any help would be greatly appreciated.Hi
If you can verify the edu.mit.Kerberos file has been created in /Library/Preferences then you have received your ticket and in that sense you are already 'joined'.
For lack of any definitive documentation I think the 10.5.4 Combo Update has made AD binding much simpler and easier. Because of this the button is no longer there because its no longer required? I've not had time to do any extensive testing but I think this is the case? If your Server Install Disk is 10.5 or 10.5.2 and you leave it as it is rather than updating I think you do see the button?
Tony -
How to turn off Open Directory in OS X Server 10.8.2
I am configuring a MacPro with ML Server 10.8.2 for internal-only use. I have DNS working on it (with the annoyance that it goes out of its way to break wildcard host names, and it doesn't know how to properly create the zone files to allow a secondary DNS server to do reverse-name-lookups properly). I have only 2 users (admin and Time Machine), Time Machine is working for client Macs using the Time Machine user account, and File Sharing is working (using either account), sharing a RAID of internal drives an a pair of USB-attached external drives.
I briefly turned on Open Directory, just to see if I wanted or needed to go that route. I entered an Open Directory admin (diradmin) with a password. Looked around the options and decided I did NOT need to use Open Directory just to get the Time Machine stuff working, and I was right.
However, now the Server App shows Open Directory is "On." When I go to that tab, I get a message stating that there was an error reading the settings file for Open Directory services. I click it "Off" but it refuses to turn off. When I come back to the tab, I get a pop-up window with a message about an error reading the settings and the Off/On switch moves back to "On" and the green light never goes off next to Open Directory in the list of services.
I've rebooted the machine and after the reboot, sometimes, it appears as if I can add/delete/modify Users and Groups. Other times, after the reboot, the +/- buttons are greyed out and I cannot add/edit/modify Users and Groups. I have not yet tried to add/delete/modify users yet because I'm leery of trusting the server with this error message.
Can anyone help me to remove anything and everything related to Open Directory so that it is "off" as if I never ever turned it on? Or any suggestions on how to fix this short of a reinstall?
Can I download and install the Server app on a differnt machine and then just copy the Server app over to this machine? Will that zero out the Open Directory stuf that I'm trying to get rid of?
Thanks in advance.I think I solved my problem by running the following command:
sudo slapconfig -destroyldapserver diradmin
diradmin is the name of the Open Directory admin account I created.
The Open Directory Service now appears "off" and no longer had the green dot next to it in the list of services.
Obviously, NOT a good solution to someone who was actively using Open Directory as this appears to have deleted all the data associated with Open Directory.
Users and Groups now allow me to add/delete/modify.
Sad to see an Apple product have such issues. -
10.6 home directory mounting with active directory and open directory integration
Hi guys i am having some issues in my new mac environment. I have a windows network with an server 2008 active directory. I have just recentlly created a "magic triangle" setup with active directory and open directory. When my users login via windows their home folders mount perfect. When any user logs in to any iMac in the building it does not work. They login perfectly fine, but their home folders do not mount. When i try mounting them manually with smb, i get a prompt for credentials. I am thinking this is my issue, my Single sign on with kerbos is working but for some reason is not logging in correctly. If i type in my credentials with my domain first then my name it works.
For example DOMAIN\jsmith works, but the way i think the mac and active directory is doing it now is just jsmith without the DOMAIN.
I feel like this is the problem with the home folders not mounting.
Can anyone provide some help with this?
Thanks,
DaniHi dani190,
are you using the fully qualified domain name of the network server? ie if your server is bob. and your domain is domain.company.com. then the FQDNS would typically be bob.domain.company.com or bob.company.com.
If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
For the contact search path, did you put the AD at the top the list? (in directory utility)
Did you set the WINS work group on your client computer to your domain?
ie:Apple Menu, System Preferences, Network, Active Network Port (ethernet and or airport) , Advanced Button, WINS Tab, set workgroup to the name of your domain. ie domain.company.com and or company.com -
Convert Open Directory mobile accounts to Active Directory mobile accounts
We have 200 or so Macs using OD mobile accounts.
Implementing Active Directory, getting rid of Open Directory.
How do I change the mobile accounts from OD accounts to AD accounts so that it authenticates against the AD Domain Controller and thus change compter login password when it's changed in AD?
I can convert accounts this way:
a. Delete users’ user account in User preferences pane of System Preferences, but choose to not change the home directory.
b. Log into users’ account by choosing the other option, thus creating a mobile account.
c. Log out, log into admin account, delete the newly created home directory, rename the home directory from the deleted users account to match the name of the deleted home directory and do a chown –R on the directory for that user.
Obviously doing above 200x times is tedious and I'd like to avoid this if possible!
Any other ideas? Preferably a script I can deploy to all computers?I am also testing Leopard in my Active Directory domain and here is what I have found so far. The wireless networks in Leopard seem to be a combination of Panther and Tiger. Each 'Location' that you set has its own list of preferred networks. I have one location for when I am locally on the domain network and others for my bench network and all others under 'Automatic'. The one problem with what you are talking about is that if people change locations and forget to change it back before they log in, it will not find the network, however, adding the other networks all in one location is fine as long as the AD network is on top. You also have to wait about 20 - 30 seconds after you reach the login prompt before proceeding or it will log in without being connected and the AD resources will not be available. I am also finding that Panther knew when it was not on the AD network and did not give any errors, however Leopard squawks when I log in on a different network.
Cheers,
Rob -
Problems with Active Directory Users showing as not found in Open Directory work group manager
I’m running a golden triangle setup with Open directory assigning group policy and authentication provide by active directory. In workgroup manager I can search through the AD and add users or computers to groups in OD workgroup manager. However when I save and refresh the users or computer appear as ‘not found’. Is there a reason for this?
Hi Zero
It's very reassuring to know im not the only one having issues with this..
Im on my second re install of the server.. I like you have no wish to do another clean install as everything else is connected and it seems like the answer is probably very simple.
So today im going to re- run the terminal commands as layed out in the online guides.
However i was kinda hoping someone would be able to supply us with an answer.
thanks
J -
Open Directory / Active Directory SSH access
I have recently bound all of our web and database servers on our active directory and open directory realms. I am able to augment the AD records for my account and the accounts of the other admins, give them NFS home directories and all is great. We can login to any machine with our AD password and get our homes. Problem is 9 times out of 10 we all prefer using SSH and the CLI for most of what we do. I can login to any of these machines with an OD user and get their home directory, but when I try with an AD user I cannot authenticate.
So to recap:
* Login works for both OD / AD users at the login window
* SSH login works for OD users
* SSH login does not work for AD users.
I don't even know where to begin with debugging this one. Any help would be greatly appreciated.
Message was edited by: Coleman NitroyOkay adding even more information to this (maybe this topic needs to be moved to a different sub forum)
Instead of assuming SSH would automatically work via AD/OD binds like the Login window does (apparently magically) I went thru and setup the SSHd on a test box to work via kerberos logins.
On the client side I enabled GSSAPIAuthentication as well and here is the error I get for (ssh -v [email protected]):
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database.
Then it kicks over to the next authentication method. To enable AD login via the login window I didn't have to do anything special. Kerberos tickets are generated and all is well. I am not certain as to why or how SSH works via OD automagically but still no luck getting it to work with AD. Not getting this working would be a large loss for our lab.
Anyone....?
Message was edited by: Coleman Nitroy -
Open directory and Active directory
Hello everyone.
I am from a school in london. We currently have 8 servers (7 running Server 2003 and a recently installed Mac server running os x server 10.5)
We have recently installed new macs into our media room and need them to be set up to work with the current domain setup.
what we wish to do is to run the media centers computers through the Mac server but get the existing domain information from the Active directory server running windows. As i have not set up a mac server before I am having certain difficulties doing this. The first time we set up the active directory on the mac server we could log into the mac computers but could not change any of the policies to different groups to allow or deny certain applications from running. Everytime i go to save a policy for a certain group we get the error message
"Error while saving record "Finchley\Level 1@ Error -14140
Im guessing this is because we are trying to save that to the active directory and not onto the mac server so how can we Map the active directory to the Macs open directory so that we can customize the mac group policies?
Sorry if that didnt make alot of sense im typing abit fast
ThanksHave you been here?
http://docs.info.apple.com/article.html?path=DirectoryAccess/1.8/en/c7od45.html
It should be straight forward, depending on how your AD accounts are setup.
Unfortunately, I currently see a bug in the system which is often causing the home directory share to fail to mount when I use the AD plug-in in its default configuration. I'm pleading with Apple to fix this soon.
If you use the plug-in in "true network home" fashion, by unchecking the 'force local home' option, then you should avoid this annoying bug. This method however requires plenty of network bandwidth and space for your entire Mac home folder. -
Open Directory & Active Directory
Dear Mac community,
We got a couple of Mac servers running in our company and we have around 140 Mac clients running in our company. We use Open directory for the policies on our macs and we use active directory for all of our computer accounts. Cause we mainly use RDP for Mac to connect to a terminal server except our graphical department.
This works perfect but now we have adjusted our password policy in Active directory and users must change password when they first login they do that on the mac witch authenticates with Active Directory. After typing there username and password like normal they get a new windows witch notify the user to change there password and conform it and a hint to fill in, after they fill this in they can't get pass that window, it just shakes so it does not work.
Any answer would be appriciated.Hi, can you help me how to put a windows machine on active directory on my MacOS X Server 10.6 ?
Thank You!
Reynolds -
Open Directory, Active Directory, Both????
Good morning from Paris,
My company will migrate its Macintosh to Mac OSX 10.5 and I'm wondering what's best for Authentification and SSO.
I did investigate a bit and finally choosed to add an Open Directory among our existing Active Directory. In order to have pretty managed Macs, I also intend to use MCX, ARD and of course Netboot among Mac OSX Server OD to manage Workstations and deployments. We don't for now intend to use solutions like Centrify's direct control or Likewise solutions...
So here's my question. If we do use two discussing directories, is it required or simply usefull to extend the Active Directory schema? I have read several discussions about the extension and the Active Directory Domain we use is quite ready for it.Hi There,
Have just read your post and wondered how you have decided to manage your Mac's.
I am looking at extending our active directory schema and manage our Mac's via mcx via the AD.
Im really looking for if anyone else has done this and how you got the schema extensions, i have read all about it, in getting an OD up and running looking at what extensions there is and editing the file e.t.c. but surely apple can provide this information?
Thanks for any advice? -
Open Directory Active Directory users want to know Is there a method?
Help
Open Directory Active Directory users want to know Is there a method?
Or can I make the Active Directory users to share on the Open Directory.
My goal is to use our school Mac computers with SSOIf I understand your question correctly, using Active Directory with OSX, there are a few ways this can be accomplished.
One way is by joining each Mac directly to Active Directory. This doesn't take advantage of the additional managed preference available to OSX, but does allow AD users to authenticate on OSX. On each machine, one would open System Preferences > Accounts > Login Options > Click Join next to Network Account Server. Follow the prompts and provide the domain name of your Active Directory deployment to join the system.
Another method is to follow the steps above, but only after extending the Active Directory Schema to support the OSX-specific managed preferences. It's a mostly harmless operation and means that you'll have a single administration interface for both OSX and Windows systems. The AD Schema information is available from Apple Support, but may also be readily available on the Internet.
Because our Windows team preferred to not change our AD schema any more than we already had, we used a different method. We created an Open Directory Master on one of our OSX servers, then we joined it as a member server to Active Directory. Next, we join all of our OSX workstations and laptops as members to the Open Directory domain instead of to Active Directory. This way, SSO still works. New user accounts are added to Active Directory and all managed preferences for OSX can be managed through the native OSX Workgroup Manager tool.
I think there are some instructions in the User Management PDF (Mac OS X Server, User Management, Version 10.6 Snow Leopard) or in the Advanced Server Admin PDF (Mac OS X Server, Advanced Server Administration, Version 10.6 Snow Leopard) but not completely certain. This page might have the docs.
Maybe you are looking for
-
Hi Gurus, Is it possible to give free goods for a period of one month to all customers?? then how? thanks for replying.. harish
-
WRT150N needs to be reset every week
WRT150N V1.1 Firmware 1.01.9 On average once per week all of the devices in the house can no longer connect to the WRT150N. Unplugging the WRT150N for 30 seconds and replugging it in invariably solves the problem. My WRT54 did this too, but I figured
-
HOW CAN I PLACE 2 PUSHBUTTONS SIDE BY SIDE ON THE SELECTION-SCREEN?
i want to place 2 buttons but using my code, the other goes below the first. Can anyone help me?
-
500 Internal Server Error In output of OA frame work
[http://techxis:8988/OA_HTML/runregion.jsp] Hi All I am new starter for OA Frame work.i have design normal hello world page on Jdeveloper but when i run that page followin error is coming.
-
Linux Clients Unable to Connect to VPN
Hello all, There are a few linux clients that need to be able to access our OS X VPN server but I have been unsuccessful at setting up a connection. I have enabled PPTP and windows clients can connect just fine, but using the linux network manager, I