Active directory plugin

Hello, I am trying to connect my OS X server to a 2000 server Active Directory through the AD plug-in but it doesn't work; it always tells me unknown error!!!!
I also tried through LDAPv3: I made a new connection, I put in the IP address and continued; it knew that it is an Active Directory and it shows me the name of the Active Directory, but I can't continue!!
Does anybody have an idea to help me????

Hi
To bind to Active Directory you don’t use the LDAPv3 plug-in in Directory Access, you only use the AD plug-in. Would the Realm be based around .local DNS? If it is then that is more than likely the root of the problem.
You could try this: Make sure the OSX Server has a fixed IP address then create a DNS entry on the Forward lookup zone for the OSX Server using the DNS snap-in tool on the AD Server, make sure after you do this you create a reverse pointer. Thoroughly test DNS using nslookup and host/dig commands. Add the AD Server's IP address in the DNS Server's field in the Network Preferences Pane on the OSX Server. If DNS Services are based around .local then add .local in the Search Domains field. Delete the Directory/Service folder from /Library/Preferences and restart the OSX Server. Now try to bind again. When configuring the Active Directory plug-in the only thing you have to key in is the Active Directory Domain name (ideally this should resemble an FQDN), the Computer ID should be filled in with an administrator name that has authoritative control over the Active Directory.
Tony

Similar Messages

  • Active Directory plugin not correctly creating users home directories

    Is there a trick to getting the Active Directory plugin in 10.4.7 to correctly create home directories for AD users? It is creating them with the root owning everything in it, and this is unacceptable.
    Our setup: We have an Active Directory network (Windows Server 2003 SP1 as DCs), and are trying to integrate some of our Mac clients to use AD single-sign logins. We are not using OS X Server at all.
    We do not use any sort of network home directories, as our users always use the same computers.
    We just want a user to have a local home directory created when they log on for the first time. Unfortunately, the directories are being created with the wrong permissions.
    One thing that may be the problem: the UIDs that are assigned to the AD users on the Mac clients are very high (> 60000000000). There is an error in the log that a UID that high cannot be added to the lastlog db, so that may be another symptom of the problem.
    Is there a way to fix this without changing anything on the domain?


  • Active Directory plugin: Preferred credentials not recognized

    I have installed the Active Directory Plugin 2.0.2.1.0 in my Grid Control (10) and I am getting the following error:
    Version 2.0.2.1.0
    Description Microsoft Active Directory monitoring including reports
    Deployment Requirements: Requires network access and credentials of the host where Microsoft 'Active Directory' is installed and running
    I set the preferred credentials for the agent. They are a user/password for someone that has "installation" and "administration" privileges on the Active Directory server.
    Is there a specific format the userid and password should be entered? (i.e. cn=xxxx)

    If entering the username alone gives an error, enter the username as DOMAIN_NAME\username, where DOMAIN_NAME is the domain of the AD host.

  • Add OU(Organizational Unit)  to active directory plugin

    Hi Guys,
    I am using the AD plugin with BOE 3.1 to authenticate Active Directory users, and I am able to map AD Groups while configuring the AD plugin.
    My question is, is it possible to map OUs instead of the AD Groups? In my production Active Directory I have all OUs; how should I map them?

    Only security groups are supported in the plugin, no distribution groups, and no OUs. We follow the rules based on Microsoft Architecture. You cannot assign access permissions to an OU or DL in AD, therefore these have not been tested with our product.
    Regards,
    Tim

  • Active Directory Plugin for Crystal Reports Server XI

    Post Author: pkhot
    CA Forum: Deployment
    Hello,
    I installed Crystal Reports Server XI on a test W2K3 R2 machine. When I try to log on using the Business View Manager or the Administrator LaunchPad, selecting the Active Directory Authentication, I get an error saying secWinAd plugin is not available. How do I fix this?
    Is there a plugin available and if yes where can I download it from?
    Any help will be greatly appreciated.
    thanks

    Did you log on to the console and go to authentication -> windows ad and enter in your domain info?

  • Authenticating Workgroup Manager to Active Directory.

    Dear all,
    I've searched the forums and Internet and tried various things that could help my situation but I'm still having issues.
    I am running 10.4.11 server and 10.4.11 client machines. All machines and server are connected to Active Directory via the built in AD plugin.
    Logging on to a client machine with an AD login works fine, no issues.
    System image deployment over the network from the Xserve work fine.
    The issue I have is implementing managed preferences from Workgroup Manager. When I open it, it will show me all of the users and groups. It says:
    *Viewing directory: /Active Directory/All domains. Not authenticated*
    When I click the padlock to authenticate, and enter my domain admin username and password, it says:
    *The login information is not valid for this server.*
    My login works as it allows me  to add machines to the domain.
    More info available as needed. If anyone can assist, thanks in advance.
    Regards,
    M.

    Hi
    Viewing directory: /Active Directory/All domains. Not authenticated
    When you bound the server to the Active Directory Realm what user name and password did you use? It will be this name and password that you will need to authenticate to the Active Directory node. This name and password should be the one that already exists on the AD that has authority for that server. It's also the name and password that should be used when binding mac clients to the AD node using the Active Directory plugin in Directory Access.
    This name and password can be the same as the one created for promoting your server to OD Master (diradmin). It's a good idea to create this account on the AD first (make it authoritative for the AD) before promotion and client binding.
    If you want to augment the AD with OSX Server managed preferences (MCX) then create a group within the /LDAPv3/127.0.0.1 node (assuming you have promoted the server to OD Master and disabled sso). Have two windows open in WGM (better done from a client). One window will show you the AD node and the other the OD node. Drag users or groups from the AD node into the newly created group in the OD node.
    Apologies if you already know this, Tony

  • Binding to Active Directory - strongauthrequired

    I am trying to bind a 10.4.3 machine to a Windows 2000 Active Directory, but experiencing problems.
    The Active Directory plugin hits step 5 then displays "Unable to access domain controller: This computer is unable to access the domain controller for an unknown reason".
    A look at the contents of ./Library/Preferences/edu.mit.Kerberos shows that the machine has got the correct Domain Controllers for the domain (albeit rather odd choices, on sites that are some distance away).
    I've captured the traffic using TCPDump and analysed on a WinXP box using Ethereal, and it seems that the Bind request is being answered by:
    'Bind Result, StrongAuthRequired'
    with further info in the packet:
    'The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v893'
    I've analysed the traffic of an XP machine binding as well, and it seems that at exactly the same point it receives a 'bind success' packet. The only obvious difference I can see is that the OS X box shows the SASL mechanism as GSSAPI, and the XP machine shows it as GSS-SPNEGO.
    They are both using port 389 (which certainly doesn't imply the use of SSL).
    I've investigated the frequently mentioned 'Digitally sign client communication' Domain Security Policy settings, and have replicated them in my test network (which has been tested with default settings and the machine binds successfully), and that still results in a successful bind so I'm not convinced they are related.
    If anyone else has any other suggestions they'd be greatly appreciated!
    iBook   Mac OS X (10.4.3)  

    We've now got to the bottom of this problem, it's due to a particular policy which demands all clients sign their LDAP communications.
    This setting doesn't appear in the Windows Domain Policy unless you're using a 2003 MMC snap-in, which certainly added to the time it took me to diagnose the problem (Apple's phone support simply said "we don't support the AD module").
    In case anyone else has the same issue, the registry key in question is:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
    When the key exists and is set to '2' (I'm unsure what '1' would do at present) OS X clients will receive the following sequence of packets when binding:
    Mac: Bind Request
    Domain: SASLBindinprogress
    Mac: ACK
    Domain: SASLBindinprogress
    Mac: ACK
    Domain: Bind Result = Fail; StrongAuthRequired
    I'd be interested to hear the official line on this, as it appears that we are now in a situation where we need to reduce our domain security level if we want Macs to be able to bind.
    iBook   Mac OS X (10.4.3)  
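
The bind exchange described in this thread, decoded from the wire format (an added example, not part of the original posts). It parses LDAP BindResponse messages and flags a bind that ends in result code 8, which the capture tool in the thread displays as StrongAuthRequired; the message bytes, message IDs and function names are constructed for illustration.

```python
# Added example: minimal BER decoder for LDAP BindResponse messages (RFC 4511).
# All message bytes are built below for illustration; none is captured traffic.

RESULT_NAMES = {
    0: "success",
    8: "strongAuthRequired",   # renamed strongerAuthRequired in RFC 4511
    14: "saslBindInProgress",
}

def tlv(tag, value):
    """Encode one BER element (used only to build the sample messages)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, pos):
    """Decode the BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low bits count length octets
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want, what):
    """Read one element and insist on its tag."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected {what}, got tag 0x{tag:02x}")
    return value, nxt

def parse_bind_response(message):
    """Return id, result code, name and diagnostic text of one BindResponse."""
    body, _ = expect(message, 0, 0x30, "LDAPMessage SEQUENCE")
    msg_id, pos = expect(body, 0, 0x02, "messageID INTEGER")
    op, _ = expect(body, pos, 0x61, "BindResponse [APPLICATION 1]")
    code, pos = expect(op, 0, 0x0A, "resultCode ENUMERATED")
    _, pos = expect(op, pos, 0x04, "matchedDN")
    diag, _ = expect(op, pos, 0x04, "diagnosticMessage")
    code = int.from_bytes(code, "big")   # optional trailing fields are ignored
    return {"id": int.from_bytes(msg_id, "big"), "code": code,
            "name": RESULT_NAMES.get(code, "other"),
            "diagnostic": diag.decode("utf-8", "replace")}

def bind_outcome(trace):
    """Return (result names in order, True if the bind ended with code 8)."""
    parsed = [parse_bind_response(m) for m in trace]
    return [p["name"] for p in parsed], bool(parsed) and parsed[-1]["code"] == 8

def sample_response(message_id, code, diagnostic=b""):
    """Build a constructed BindResponse for the sample trace."""
    result = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diagnostic)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x61, result))

# Diagnostic text as quoted in the thread; the message IDs are assumptions.
DIAG = (b"The server requires binds to turn on integrity checking if SSL\\TLS "
        b"are not already active on the connection, data 0, v893")
SAMPLE_TRACE = [sample_response(1, 14), sample_response(2, 14),
                sample_response(3, 8, DIAG)]

if __name__ == "__main__":
    print(bind_outcome(SAMPLE_TRACE))
```
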

  • Active Directory client not dynamically updating DNS

    Hi,
    There has been some other issues mentioned on other threads regarding the Active Directory Plugin within Lion, it does appear to be flaky.
    I just wanted to make sure that the issue I'm having is not down to a mis-config by myself.
    We have several Macs running 10.7.1 and are bound into Active directory (Windows 2008 r2) however, it appears that the DNS records for these machines are not being dynamically created within AD. (All Zones are AD integrated) All 10.6.x clients seem to work fine and records are created and updated dynamically as IPs change etc.
    Is anybody else having this issue? If not, any ideas why this is happening?
    Thanks in advance.

    Hi!
    I'm having exactly the same problem and nobody seems to have an answer.
    Regarding the reply you got, this has nothing to do with Lion Server. We're talking about Lion clients bound to an AD (Windows Server 2008 R2, in my case) not dynamically registering their DNS entries.
    I also noticed that the DHCP entries for those clients are missing the "Name" property, which is already symptomatic of something going wrong.
    Anyone?

  • 10.4, active directory and smb mounts

    I am having a problem mounting windows shares using smb mounts. I am getting the dreaded data could not be read or written error -36 problem. I have tracked it down to the number of groups an account is a member of. If I login with an account that is a member of roughly 6 groups, I can connect to shares just fine. But if I connect to shares with an account that is a member of roughly 30+ groups, I get this error. I get the error about Socket is not connected when I try to connect through the terminal. I have tried the nsmb.conf file. This is a fresh install of 10.4.1 with the 10.4.4 patch applied. I am also using the Active Directory plugin (Windows 2003 domain, shares are located on 2003 also).

    all security groups. They have the network set up for every share there is a group setting permission. The accounts I am having trouble with are the student accounts. They have a default set of group membership that allows them access to all related student activity. This has led to some very large number of groups that they are members of.

  • Active Directory Binding Post 10.5.2 (Domain authentication that works!)

    Main points: Be sure your local time is being updated by a time server on your network, be sure that all devices are syncing with the same NTP server.
    Pre add your computer you want to bind in your domain.
    Key: in Directory Utility, choose to authenticate against a known server. So under the Administrative tab choose "prefer this domain server" and enter in the DNS name of a DC in your domain. Also uncheck authentication with any DC in the forest.
    Now bind and click Ok.
    Now in Directory Utility, click on Search Policy, and add servers in the Authentication tab by choosing Custom Path. Click the + and you should see your domain or multiple domains in your forest listed. Add them appropriately. In some configurations, you may want to do this for "Contacts".
    You can now go back into the Active Directory plugin, and choose to authenticate from any DC in the forest, and remove the selection that allows only authenticating against one server.
    Sorry for the lack of deep explanation, but if you are at the point where the AD and DNS is working fine, then this should be pretty straightforward and to the point.

    alex.est wrote:
    miscategorized and inaccurate this post is from 2004 and has no relevance to 10.5.2
    What? I wrote this the day that it says I did. And, yeah this solved issues with 10.5.2's AD binding issues.

  • Active Directory Offline Login work??

    Hey all,
    I'm having an issue with logging in to a Leopard client which is bound to Active Directory. Whenever I unhook this MacBook, off the network, it won't allow me to login to the machine via the domain credentials. In Tiger, I remember there was a check mark option under the AD plugin referring to Caching login credentials for AD, but this is not present in the Active Directory plugin in Leopard.
    I also read that caching is a bit dicey in Leopard, so users have just been check marking creating a Mobile User account, and this seems to offer the ability to sign in to your machine without being connected to the network.
    But what happens in my case, is that the user goes from being an admin account to a standard account, when offline from the network. Once I re-hook the machine back on to the network, I regain admin control of the machine. This is very odd, as I have not run into this issue before. I am not interested in syncing the home folder to the server at all, and I hope I have not accidentally triggered this, although I think you have to set this up also on the server in order for the syncing to occur, right?
    Anyway...all I want to be able to do, is setup offline login of AD credentials on a MacBook. Is this possible while retaining the admin rights of the computer?

    We've always used the "Create Mobile Account at Login" check in both 10.4 and 10.5, but I have experienced the admin coming and going like you mentioned (If I remember right 10.4 did it too). On my personal machine (and others in the tech department) I've just opened system prefs and checked the "Allow User to administer this computer" box which makes it permanent, though it's unfortunately not a good solution for large scale deployment.
    It does work for our situation because generally we're the only ones administering machines and ours are the only ones we need the rights off the network, so it may be a solution for you as it sounds like you're only working with one machine.

  • Active Directory Problems

    We have Windows Active Directory running here. I think I got the mac mini connected properly to active directory, I can login as AD users and that seems to work ok. My problem is the home folder. I need it to be set to a network location, not local. From everything I've found it appears to be setup correctly. I also set the home folder settings in AD, but it doesn't map a drive at all, let alone make it the home directory. Please help!

    Have you specified in the AD accounts for your users the path to the home folder? Does this work correctly for you on a Windows machine? If so, then the setup is correct for the Mac as well.
    Also in the Active Directory plugin on the Mac have you adjusted your settings to connect to a network home folder via SMB?
    bill
    1 GHz Powerbook G4   Mac OS X (10.4.9)  

  • Monitoring Microsoft Windows 2008 Active Directory by a remoted Agent

    Oracle documentation (E14542-01) said that for remote Agent monitoring with default settings, Grid Control can monitor only the Active Directory associated with the primary domain controller.
    But for Microsoft Windows 2008 Active Directory primary domain doesn't exist anymore, can we use a remote Agent to monitor Microsoft Windows 2008 Active Directory ?
    Thanks
    Dominik

    Dominik wrote:
    Oracle documentation (E14542-01) said that for remote Agent monitoring with default settings, Grid Control can monitor only the Active Directory associated with the primary domain controller.
    But for Microsoft Windows 2008 Active Directory primary domain doesn't exist anymore, can we use a remote Agent to monitor Microsoft Windows 2008 Active Directory ?
    I think you can monitor it. Please check:
    Oracle Enterprise Manager Grid Control Certification Checker [ID 412431.1]
    How to Install the Microsoft Active Directory Plugin for Grid Control R2 [ID 359621.1]
    Regards
    Rajesh

  • Imacs not seen by active directory

    We are running Leopard, Snow Leopard, and soon Lion. We have joined AD with Directory Utility, and cannot see them on the Windows 2008 AD Server.
    We log users on through AD.

    This worked.......
    http://hinkle.wordpress.com/2007/10/27/leopard-problems-active-directory-integration-now-fixed/
    main points
    Main points: Be sure your local time is being updated by a time server on your network, be sure that all devices are syncing with the same NTP server.
    Pre add your computer you want to bind in your domain.
    Key: in Directory Utility, choose to authenticate against a known server. So under the Administrative tab choose “prefer this domain server” and enter in the DNS name of a DC in your domain. Also uncheck authentication with any DC in the forest.
    Now bind and click Ok.
    Now in Directory Utility, click on Search Policy, and add servers in the Authentication tab by choosing Custom Path. Click the + and you should see your domain or multiple domains in your forest listed. Add them appropriately. In some configurations, you may want to do this for “Contacts”.
    You can now go back into the Active Directory plugin, and choose to authenticate from any DC in the forest, and remove the selection that allows only authenticating against one server.
    http://discussions.apple.com/thread.jspa?threadID=1393387&tstart=0

  • Active Directory not binding in AD Plugin

    I cannot bind to the Active Directory at work using the ActiveDirectory Plugin for the Directory Access utility.
    I keep getting the error message "Invalid Domain"
    If I try to ping server.domain.local it does not work. If I try to ping the IP of the server, it works.
    The DNS server is Windows Server 2003 based, and has the entire subnet under Reverse Lookup.
    I can connect to Samba Shares based on server names, so it knows how to find servers on the network when looking for shares, just not when looking to ping, bind to domain, or browse websites on local servers.
    I am able to bind to the LDAP server and browse all the users and computers using LDapper just fine.

    In case someone else tries this, this DOES NOT WORK IN LEOPARD!
    Leopard added an official Active Directory module that effectively drops any Active Directory support. I have not heard of anyone getting it to work consistently. I was able to check out a kerberos ticket then enable AD authentication, and it worked great, until I turned off the computer and came back the next day and it broke. As soon as the kerberos ticket expires, so does any hope of authenticating against the AD Domain Controller.
    Incredibly frustrating.
