Open Directory, Active Directory, Both????

Similar Messages

• Open Directory Active Directory users want to know Is there a method?

  Help
  Open Directory Active Directory users want to know Is there a method?
  Or can I make the Active Directory users to share on the Open Directory.
  My goal is to use our school Mac computers with SSO

  If I understand your question correctly, using Active Directory with OSX, there are a few ways this can be accomplished.
  One way is by joining each Mac directly to Active Directory. This doesn't take advantage of the additional managed preference available to OSX, but does allow AD users to authenticate on OSX. On each machine, one would open System Preferences > Accounts > Login Options > Click Join next to Network Account Server. Follow the prompts and provide the domain name of your Active Directory deployment to join the system.
  Another method is to follow the steps above, but only after extending the Active Directory Schema to support the OSX-specific managed preferences. It's a mostly harmless operation and means that you'll have a single administration interface for both OSX and Windows systems. The AD Schema information is available from Apple Support, but may also be readily available on the Internet.
  Because our Windows team preferred to not change our AD schema any more than we already had, we used a different method. We created an Open Directory Master on one of our OSX servers, then we joined it as a member server to Active Directory. Next, we join all of our OSX workstations and laptops as members to the Open Directory domain instead of to Active Directory.  This way, SSO still works.  New user accounts are added to Active Directory and all managed preferences for OSX can be managed through the native OSX Workgroup Manager tool.
  I think there are some instructions in the User Management PDF (Mac OS X Server, User Management, Version 10.6 Snow Leopard) or in the Advanced Server Admin PDF (Mac OS X Server, Advanced Server Administration, Version 10.6 Snow Leopard) but not completely certain. This page might have the docs.

• Open Directory / Active Directory SSH access

  I have recently bound all of our web and database servers on our active directory and open directory realms. I am able to augment the AD records for my account and the accounts of the other admins, give them NFS home directories and all is great. We can login to any machine with our AD password and get our homes. Problem is 9 times out of 10 we all prefer using SSH and the CLI for most of what we do. I can login to any of these machines with an OD user and get their home directory, but when I try with an AD user I cannot authenticate.
  So to recap:
  * Login works for both OD / AD users at the login window
  * SSH login works for OD users
  * SSH login does not work for AD users.
  I don't even know where to begin with debugging this one. Any help would be greatly appreciated.
  Message was edited by: Coleman Nitroy

  Okay adding even more information to this (maybe this topic needs to be moved to a different sub forum)
  Instead of assuming SSH would automatically work via AD/OD binds like the Login window does (apparently magically) I went thru and setup the SSHd on a test box to work via kerberos logins.
  On the client side I enabled GSSAPIAuthentication as well and here is the error I get for (ssh -v [email protected]):
  debug1: Unspecified GSS failure. Minor code may provide more information
  Server not found in Kerberos database.
  Then it kicks over to the next authentication method. To enable AD login via the login window I didn't have to do anything special. Kerberos tickets are generated and all is well. I am not certain as to why or how SSH works via OD automagically but still no luck getting it to work with AD. Not getting this working would be a large loss for our lab.
  Anyone....?
  Message was edited by: Coleman Nitroy

• Open Directory & Active Directory

  Dear Mac community,
  We got a couple of Mac servers running in our company and we have around 140 Mac clients running in our company. We use Open directory for the policies on our macs and we use active directory for all of our computer accounts. Cause we mainly use RDP for Mac to connect to a terminal server except our graphical department.
  This works perfect but now we have adjusted our password policy in Active directory and users must change password when they first login they do that on the mac witch authenticates with Active Directory. After typing there username and password like normal they get a new windows witch notify the user to change there password and conform it and a hint to fill in, after they fill this in they can't get pass that window, it just shakes so it does not work.
  Any answer would be appriciated.

  Hi, can you help me how to put a windows machine on active directory on my MacOS X Server 10.6 ?
  Thank You!
  Reynolds

• New Branch Office Opening. Active Directory Options

  Hello.
  Our company has a new branch site in Canada that's been in operation for some time now. the "admin" of that branch office is wanting to setup 2 new domain controllers, i was going to suggest that we could add a Canada site via Active directory
  sites and services and configure it that way.
  he suggested that he would like the to have a separate domain name, for instance if we're contoso.co.uk, they want to be contoso.ca
  is the best option in this situation to have them setup there own domain and then just federate between them?
  i have good experience with AD but as were a small company (geographically) so i have little knowledge of multi site / federation topology.
  any suggestions would be most welcome. 
  Many Thanks

  Hello
  If you decide to deploy new Domain this will lead to new administrative tasks to able to support users(creating trust to support access to resources in other domain, other suit of GPOs etc.). Instead if second site is added this will be more simple solution.
  semi -solution is to have child domain which back again will lead to other admin tasks. Also Recommendation by the vendor to have simple solution.

• OS X Open Directory / Active Directory

  I followed the direction provided by the "MacTroll White Paper" on AD/OD integration (http://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf) which is linked to from various places on Apple's website).
  I can now manage Macintosh client preferences while authenticating through AD, as expected... However I can no longer (from Windows clients) access SMB shares hosted on the OS X (10.4.9) Server (acting as AD member, OD master).
  I'm not sure if it's relevant, but the following error shows up in the smbd log, when starting the "Windows" service:
  /SourceCache/samba/samba-100.5/samba/source/libads/kerberos.c:adskinitpassword(146)
  kerberoskinitpassword host/[email protected] failed: Client not found in Kerberos database
  Can anybody offer any assistance?
  Thanks.

  http://lists.apple.com/archives/macos-x-server/2007/Jan/msg00386.html ?
  Thread starts here:
  http://lists.apple.com/archives/macos-x-server/2007/Jan/msg00335.html
  HTH
  -Ralph

• Connected to Domain but can't log in using Actived Directory Credentials

  Hey everyone.  I've been working on this issue for two weeks now, and I don't know what else to try.  I'm connected to my domain but cannot get my Macbooks to log in using Active Directory credenitals both through our wireless network, and hard wired with an ethernet cable.  The weird part about it is that it is not uniform all across our network.  This only happens to certain Macbooks and as of right now there doesn't seem to be a pattern.  I can say that it has happened to all new Macbook Pros that we have ordered lately though.
  We use Jamf to manage our Macs on our network, and ever since upgrading to a new version (9.01 and now 9.1) we have had this issue.  However I can't connect after manually adding the domain either, so for now it makes me think it is not a Jamf issue.  Has anyone dealt with this issue before, that might know of a fix?  Thanks!

  Hi Burnettb1,
  I have come across a similar issue as yours.  I have included the instructions that I use to bind the Mac at my institution.  In regards to wifi, I have not tried binding the Mac over wifi. Should you need to log in to a Mac with domain user credentials I would suggest to bind the Mac over ethernet.  Once you get to the:
  *Click on triangle to the left of Show Advanced Options to expand"
  portion of the instructions click on the Mappings tab and select the checkbox for creating a mobile account at login.  This will create a domain user profile on the machine that you can log into when not connected to the domain.
  Hope this helps.
  BIND iMac:
            Login into iMac using administrative credentials
            Open System Preferences
                      *Goto Users & Groups
                      *Click on lock in lower left-hand corner
                      *Use same password used to log into iMac
                      *Click on Login Options
    *Click on ‘Join...’ button right of "Network Account Server: "
                      *Click on ‘Open Directory Utility…’ button
                      *Click on lock in lower left-hand corner
                      *use same password used to log into iMac and click on Modify Configuration
                      *Double-click on Active Directory
    Active Directory Domain = domain
                                Computer ID = name of Mac
                      *Click on triangle to the left of Show Advanced Options to expand
                                *Click on Administrative tab
                                *Check  Prefer this domain server
  Type  domainserver_ipaddr -or- servername.domain in this field
                                *Click on ‘Bind…’ button
                                *When prompted for network administrator login
                                          username = [domain admin user]
                                          pwd = [domain user password]
                                *Click OK (Note: search path will be updating. Until completed the ‘OK’
  button will be greyed out
    *Click OK
    *Click lock to lock and close window
                      *Click lock to lock and close window
  BIND CHECK:
            *Search AD for added mac host - it should be there.
            Open Terminal app by either:
                      1)
                                *Press command+spacebar
                                *Type Terminal and select app
                      2)
                                *Click on desktop
                                *Press shift+command+A
                                *Goto Utilities folder located within Application folder (which you should
    be in) and open Terminal
            *Once Terminal is opened type in id [domain username] and press return key.  The output should be
  some some network account information
            *Close app by pressing command+Q and any other opened windows
            *Restart iMac
            *Log in

• Authenticating Workgroup Manager to Active Directory.

  Dear all,
  I've searched the forums and Internet and tried various things that could help my situation but I'm still having issues.
  I am running 10.4.11 server 10.4.11 client machines. All machines and server are connected to Active Directory via the built in AD plugin.
  Logging on to a client machine with an AD login works fine, no issues.
  System image deployment over the network from the Xserve work fine.
  The I have is implementing managed preferences from Workgroup Manager. When I open it, it will show me all of the users and groups. It says:
  *Viewing directory: /Active Directory/All domains. Not authenticated*
  When I click the padlock to authenticate, and enter my domain admin username and password, it says:
  *The login information is not valid for this server.*
  My login works as it allows me  to add machines to the domain.
  More info available as needed. If anyone can assist, thanks in advance.
  Regards,
  M.

  Hi
  Viewing directory: /Active Directory/All domains. Not authenticated
  When you bound the server to the Active Directory Realm what user name and password did you use? It will be this name and password that you will need to authenticate to the Active Directory node. This name and password should be the one that already exists on the AD that has authority for that server. Its also the name and password that should be used when binding mac clients to the AD node using the Active Directory plugin in Directory Access.
  This name and password can be the same as the one created for promoting your server to OD Master (diradmin). Its a good idea to create this account on the AD first (make it authoratative for the AD) before promotion and client binding.
  If you want to augment the AD with OSX Server managed preferences (MCX) then create a group within the /LDAPv3/127.0.0.1 node (assuming you have promoted the server to OD Master and disabled sso). Have two windows open in WGM (better done from a client). One window will show you the AD node and the other the OD node. Drag users or groups from the AD node into the newly created group in the OD node.
  Apologies if you already know this, Tony

• Exchange 2013 cu3 setup fails with 'problem... validating the state of Active Directory... supplied credential... invalid'

  Windows Server 2013; Exchange Server 2013 with Cumulative Update 1
  Cannot install Cumulative Update 3 for Exchange Server 2013. It fails with
  [xxx] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid.  See the Exchange setup log for more information on this error.
  [xxx] [0] [ERROR] Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid.
  [xxx] [0] [ERROR] The supplied credential is invalid.
  (Crosses - XXX - replace original values.)
  I have found that a few others have experienced the same problem but found no solution, nor could come up with anything myself. If it is any hint, Event 40961 was logged in the Event Viewer around the same time on almost all installation attempts to be purely
  conincidental:
  The Security System could not establish a secured connection with the server
  ldap/xxx.xxx/[email protected] No authentication protocol was available.
  Both Windows Server and Exchange Server otherwise work OK, and do not recall any issues with Cumlative Update 1 installation.

  Hi vhr1,
  Based on my knowledge, the Event ID 40961 is a warning message.
  This behavior occurs when we restart the server that was promoted to a DC. The Windows Time service tries to authenticate before Directory Services has started.
  Found some resources for your reference even if the Exchange Version is mismatched:
  http://blogs.technet.com/b/jhoward/archive/2005/04/20/403946.aspx
  http://support.microsoft.com/kb/823712/en-us
  About the error message, "Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid."
  The error message InvalidCredentials means: the wrong password was supplied or the SASL credentials cannot be processed.
  Found a similar thread for your reference, hope it is helpful:
  http://social.technet.microsoft.com/Forums/en-US/98e26ad6-8e43-4ef5-8ff9-e9fee6e76bda/bind-operation-is-invalid?forum=exchangesvrdeploylegacy
  Feel free to contact me if there is any problem.
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• Active Directory Structure Questions

  I recently started working for a company that offers cloud services for our clients where we host our software as a service and we also migrate any other applications the client is using onto the servers that we host for them.
  My concern is that every client we have is in our domain. The structure of our servers is that our domain is the top of the organization and each client has their own dc and that dc is listed as an organizational unit in our AD. I have never seen anything
  like it. Most of the clients have their own domains and web sites but we do not migrate that portion of their IT into our cloud. We do however bring everything else over and we offer O365 to many of them.
  Imagine if you will opening ad users and computers and under the root all the OU's are named after clients and actually represent their servers all of which are dc's.
  I was wondering what if any precedent would support this type of configuration? I am just asking.
  Thanks
  Richard Tamboli

  No Special hardware is required for Active Directory
  Active Directory is builtin feature for most of the Windows Servers such as Windows Server 2003, 2008,2008R2,2012.
  It is a feature and part of Windows Server.
  Hope this may answer your questions.
  http://en.wikipedia.org/wiki/Active_Directory

• Os x server loses active directory binding

  I am running an open directory/active directory network.  Authentication is from the Windows server 2003 active directory.  It has worked fine until the last month. Now clients stop authenticating & when I  check the AD plugin it says network accounts are not available.  I can force the server to unbind, then renew the binding & everything works great.
  Is there any work around or fix for this other than upgrading the windows server to 2008?
  Thanks

  Yes.  You are likely experiencing one of two common issues.  1:  You time skew is too large (although an unbind/bind will not solve this) or 2: you are failing to properly set the random machine password.
  Try this command on the server:
  sudo dsconfigad -passinterval 0
  Then:
  sudo dsconfigad -show
  to confirm the setting.  This will prevent the machine from refeshing its machine password with the domain every 14 days (default setting).  The issue is that Apple's plugin does not properly catch an exception.  What happens is the plugin detects that it should re-randomize the machine password so it creates a new one, records it to the config file, and THEN tries to write it to the domain.  When the write to the domain fails, the system then sends the new password already recorded in the config file and now they mismatch.  This is a common AD integration issue and is likely associated with your binding rights in AD.
  As for time, make sure you are pointing all your Macs to the DC for time info or to a mutually agreed upon external server.
  Hope this helps.  Easy to fix.

• Adding Active Directory: sErverError

  Hello,
  I've been using active directory with leopard for a couple months without issue. Recently I found that the Directory Utility was telling me that the AD server was 'not responding'.
  So I removed it and tried to add it again. When I try to add it I receive the following error:
  'Unable to add the domain. An unexpected error of type - 14910 (eServerError) occurred.'
  Has anyone seen this before? Since it is in fact contacting the sever (there is a different error if it can't see the server at all) then it leads me to believe that something is wrong on the AD server side. However, I'm still not convinced of that for the following reasons:
  1. Things that have changed on the AD server and network: None.
  2. OS X networking seems to be a little on the fragile side. I almost always have to fiddle around to get things working again after doing something crazy like switching back and forth between wireless and wired connections a few times.
  3. There was something else that was pertinent but I've been interrupted here in my office at least 4 times since I started writing this and now I can't remember.
  Anyway, I'm just wondering if anyone else has dealt with this. .
  Thanks,
  -Travis

  I ran into the same error in my initial setup of some new machines at work and was able to resolve taking the following steps.
  1) Check current time on all Active Directory servers to ensure they're consistent with one another.
  2) Fix any discrepancies between the Active Directory server times and your Apple machines.
  3) Go into the Directory Utility application and select Services at the top.
  4) Open the Active Directory Configuration, enter the appropriate Active Directory information, and attempt to rebind the machine.
  I believe the issue of that error, -14910, is based on the kerberos' strict timestamp checking.

• Active Directory and Open Directory not working

  I am experiencing an issue, or several issues that I can't figure out how to resolve.
  I have an Active Directory domain set up (running 2003 server R2) and it is humming along quite nicely.
  A few weeks ago I got a new XServe running 10.5.4. Booted it up, bound it to AD, and then set up and OD Master on it so that I could manage some new Macs that we have.
  The Macs are bound to both directories.
  The issue I have comes in when using Workgroup Manager, and trying to add AD user to OD groups. The groups drawer is open, but the little directory menu at the top of the drawer does not include the entry for Active Directory. I see Local, Search Policy, and /LDAPv3/127.0.0.1...
  If I try to pull down the directory menu above the user list, I see the following: Loca, Search Policy, Other..., /Active Directory/All Domains, and /LDAPv3/127.0.0.1.
  If I select /Active Directory/All Domains from that list I get the following error.
  +Unable to open the requested node.+
  +The node /Active Directory/All Domains couldn’t be opened because an unexpected error of type -14002 occurred.+
  I think these issues are related, but I can find no help on the first item (AD not showing up in the groups menu)
  and a search for the second item only reveals the following page form Apple, which means absolutely nothing to me.
  http://developer.apple.com/documentation/Networking/Reference/OpenDirectoryRef/Reference/reference.html
  The killer is that this all worked at one point. I had an Apple Tech out here and he helped me set up this 'Golden Triangle" method of authenticating against both directories. And it works... sort of... I can create groups in OD and add OD machine accounts to the group to enforce some settings. But I can't bring in AD users, cause I can't see the AD user list.
  I hear that this is supposed to work... I can't figure it out.
  Any help would be appreciated.
  Thanks for your time.
  Bill

  Hi
  Can you access Active Directory from the command line using dscl?
  In what order are the LDAP directories listed in Directory Utility on the Server?
  Is Kerberos running on the OD Master?
  If you issue klist from the command line on the server itself - what is the result?
  Or don't bother with any of the above and start again. You've nothing to lose anyway apart from some managed preferences which you can redo in little time. Scrub the configuration in the AD plug-in and demote to Standalone. Restart and go for an AD rebind. Make sure the edu.mit.Kerberos file is created in /Library/Preferences. Launch WGM and you should see AD Users and Groups this time, If you do go for promotion again. What you want to see in the OD Overview pane is everything running apart from Kerberos and the search base reflecting the FQDN of the OD Master. Make sure there is the loopback entry (127.0.0.1) in the LDAPv3 plug in. Finally make sure the OD Master lists itself first in the Directory Search Order.
  I'm assuming the Server is configured as Advanced and is updated to 10.5.4.
  Tony

• After rebooting ML server, unable to open active directory.  Error msg is Unable to open requested node error -14006.

  This active directory is a replica of master on 2nd Mac Mini server which still thinks replica is there (perhaps it is) and will not let us delete in order to recreate.  Both servers are running 10.8.4.  Nothing changed on either server, simply did a reboot.  When we logged in, Active Directory was turned off and when trying to turn on or access received message "Unable to open the requested node.  The node LDAPV3/127.0.0.1 could not be opened because of an unexpected error -14006".
  Does any one have experience with this and how can we recover?  Thanks in advance for your help.

  Hi again,
  I've been able to run Reports by changing the "Reports_Tmp" key in the Registry under:
  Hkey_local_machine\software\oracle\home0\
  to the D:\ drive

• Using iChat Server with Windows clients in an integrated Active Directory/Open Directory environment

  A co-worker (Super Brent) and I were working on using iChat as an internal IM server after having used Openfire for a couple days. The reason for switching was basically that we had a Mac Mini Server that was available so we decided to take this on.
  First problem: Knowing whether or not Kerberos was needed for AD/OD integration. We spent a ton of time on this, not knowing a huge amount about AD and with our server administrator on courses, we just kept poking at it and removed Kerberos.
  For the AD/OD integration, we first bound the Mac Mini to our Active Directory server. We shut off LDAPv3 support as we only wanted to use the AD functionality. Additionally, we ensured that the search policy in Directory Utility only used Active Directory. Then we created an Open Directory master in the Open Directory service. We enabled a self-signed certificate and trusted it locally. After creating the iChat service, ensure that you use the self-signed SSL Certificate and set authentication to Standard. (no kerberos).
  Second problem: Once this was complete, we started to test clients out. We were unable to successfully login using our AD credentials using Spark IM and Pandium IM. After trying nearly 100 different variations of server configs, we decided to try a new client. I installed Miranda IM on my Windows XP machine and tried a few different setups. It turned out that the magic potion was to make sure that the "resource" field was set to "Home" and use SSL for encryption. This resource setting was the deal breaker for the other IM clients as many of them such as Spark and Pandium do not have this as a login option.
  We ended up using Pidgin IM as the Windows client of choice as it did have the resource variable and it's interface was the best suited for our environment and users.
  I hope this helps someone out there as we spent days looking all over the internet trying to figure this out.
  Cheers,
  Frenchy and Super Brent

  Hi,
  iChat Server is not something that I know a great deal about.
  I tend to point people to the OS  X Server Communities and to look out for posts by Tim Harris.
  Thanks for taking the time to post this.
  9:58 PM      Friday; February 10, 2012
  Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
    iMac 2.5Ghz 5i 2011 (Lion 10.7.3)
   G4/1GhzDual MDD (Leopard 10.5.8)
   MacBookPro 2Gb (Snow Leopard 10.6.8)
   Mac OS X (10.6.8),
  "Limit the Logs to the Bits above Binary Images."  No, Seriously