OS X Server 10.6 bound to Active Directory, serve that as Open Directory

I have an OS X Server 10.6 bound to an Active Directory. I can log in to the AFP file server with an AD account.
Now, I would like the clients to be connected to Open Directory on the OS X Server and authenticate to AD.
Is this possible?
I would like to be able to use network home folders etc. that reside on the OS X Server.

Yes.
You are working in the right order. Now that you are bound to AD, simply promote the Mac server to OD Master. This will enable the LDAP server. You will likely note that the Kerberos KDC will not be running. This is proper, because the AD server is the KDC.
Once this is done, you now can create OD groups and add AD users or groups so that you can manage those groups.
Now, the trick is, you will need to go back to all the workstations and bind them to OD as well as AD. This will allow the Mac clients to use AD for user authentication and authorization but then use OD for group management policy.
Hope this helps
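The dual binding the answer describes, as an added example that is not part of the original thread: a client-side shell script that binds a 10.6 workstation to the AD domain with dsconfigad, binds it to the OD master with dsconfigldap, and then checks that both directory nodes ended up in the client's authentication search path. The domain name corp.example.com, the OD master server.corp.example.com, and the AD_BIND_USER/AD_BIND_PASS environment variables are assumptions; nothing is changed unless DO_BIND=1 is set, so the search-path check can be exercised on its own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Binds a Mac OS X 10.6
# client to AD (authentication) and to the OD master (managed preferences),
# then verifies the directory search path. Host names and bind credentials
# are assumptions; set DO_BIND=1 and run as root to actually bind.

AD_DOMAIN="corp.example.com"          # assumed AD domain
OD_SERVER="server.corp.example.com"   # assumed OD master FQDN

# Bind to Active Directory. Mobile accounts without a confirmation dialog,
# with local home folders, so AD users can log in at the login window.
bind_ad() {
    dsconfigad -add "$AD_DOMAIN" \
        -username "$AD_BIND_USER" -password "$AD_BIND_PASS" \
        -computer "$(hostname -s)" \
        -mobile enable -mobileconfirm disable -localhome enable
}

# Bind to the OD master over SSL (-s). If the master enforces authenticated
# binding, add "-u diradmin -p <password>" so the bind presents a directory
# administrator credential.
bind_od() {
    dsconfigldap -v -s -a "$OD_SERVER" -n "OD Master"
}

# Validate a CSPSearchPath listing, i.e. the output of
#   dscl /Search -read / CSPSearchPath
# dscl prints one node per line (leading space) once any node name contains
# a space, which is always the case with an "/Active Directory/..." node.
# The path must start with /Local/Default and contain both an Active
# Directory node and an LDAPv3 node; otherwise AD users will not resolve or
# OD group policy will not apply. Returns 0 when the path is complete.
check_search_path() {
    listing="$1"
    first=$(printf '%s\n' "$listing" | grep '^ */' | head -n 1 | sed 's/^ *//')
    [ "$first" = "/Local/Default" ] || return 1
    printf '%s\n' "$listing" | grep -q '^ */Active Directory/' || return 1
    printf '%s\n' "$listing" | grep -q '^ */LDAPv3/' || return 1
    return 0
}

# Resolve one AD user through the search path to prove that AD account data
# is reachable from this client. Returns 0 if the user record is found.
check_ad_user() {
    dscl /Search -read "/Users/$1" UniqueID >/dev/null 2>&1
}

if [ "${DO_BIND:-0}" = "1" ]; then
    bind_ad
    bind_od
    listing=$(dscl /Search -read / CSPSearchPath)
    if check_search_path "$listing"; then
        echo "search path OK:"
        printf '%s\n' "$listing"
    else
        echo "search path is incomplete; check Directory Utility" >&2
        exit 1
    fi
fi
```

After a successful run, `check_ad_user someaduser` should return 0 on the client, and an AD user logging in should receive managed preferences from any OD group that contains that AD user or one of their AD groups.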

Similar Messages

  • How to integrate active directory users(credentials) to Open Directory LDAPv3?

    -I don't want to have a separate directory anymore.

    Hi RM,
    It would require that you set up your Portal in such a way that it is able to handle Windows Integrated Authentication via Kerberos. This is already very well explained in the following blogs:
    /people/wai-hon.lam/blog/2006/04/20/windows-integrated-authentication-via-kerberos-on-an-ldap-data-source
    http://wiki.sdn.sap.com/wiki/display/EP/SingleSignOntotheJ2EEEnginefromWindows
    After setting up your datasource, in your case the ADS, you will need to run SPNego Wizard in NWA to have it integrated with SSO.
    Best regards,
    Andre

  • Using iChat Server with Windows clients in an integrated Active Directory/Open Directory environment

    A co-worker (Super Brent) and I were working on using iChat as an internal IM server after having used Openfire for a couple days. The reason for switching was basically that we had a Mac Mini Server that was available so we decided to take this on.
    First problem: Knowing whether or not Kerberos was needed for AD/OD integration. We spent a ton of time on this, not knowing a huge amount about AD and with our server administrator on courses, we just kept poking at it and removed Kerberos.
    For the AD/OD integration, we first bound the Mac Mini to our Active Directory server. We shut off LDAPv3 support as we only wanted to use the AD functionality. Additionally, we ensured that the search policy in Directory Utility only used Active Directory. Then we created an Open Directory master in the Open Directory service. We enabled a self-signed certificate and trusted it locally. After creating the iChat service, ensure that you use the self-signed SSL Certificate and set authentication to Standard. (no kerberos).
    Second problem: Once this was complete, we started to test clients out. We were unable to successfully log in using our AD credentials using Spark IM and Pandion IM. After trying nearly 100 different variations of server configs, we decided to try a new client. I installed Miranda IM on my Windows XP machine and tried a few different setups. It turned out that the magic potion was to make sure that the "resource" field was set to "Home" and use SSL for encryption. This resource setting was the deal breaker for the other IM clients as many of them, such as Spark and Pandion, do not have this as a login option.
    We ended up using Pidgin IM as the Windows client of choice as it did have the resource variable and its interface was the best suited for our environment and users.
    I hope this helps someone out there as we spent days looking all over the internet trying to figure this out.
    Cheers,
    Frenchy and Super Brent

    Hi,
    iChat Server is not something that I know a great deal about.
    I tend to point people to the OS X Server Communities and to look out for posts by Tim Harris.
    Thanks for taking the time to post this.
    9:58 PM      Friday; February 10, 2012

  • Reconfigure Open Directory in Yosemite Server

    Is it possible to delete and reconfigure Open Directory in Yosemite server?
    The host name and configuration were modified after Open Directory was activated and I get the message "Unable to load replica list" in the Settings Tab of Open Directory on the Server App (Server 4.0.3 (Build 14S350)). I think the best way would be to start over the automatic configuration.

    Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
    1. The OD master must have a static IP address on the local network, not a dynamic address. It must not be connected to the same network with more than one interface; e.g., Ethernet and Wi-Fi.
    2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
    3. The primary DNS server used by the server must be itself, unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
    4. Only if you're still running Mavericks server, follow these instructions to rebuild the Kerberos configuration on the server.
    5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.
    6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
    7. Reboot the master and the clients.
    8. Don't log in to the server with a network user's account.
    9. Disable any internal firewalls in use, including third-party "security" software.
    10. If you've created any replica servers, delete them.
    11. If OD has only recently stopped working when it was working before, you may be able to restore it from the automatic backup in /var/db/backups, or from a Time Machine snapshot of that backup.
    12. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.
    If you get this far without solving the problem, then you'll need to examine the logs in the Open Directory section of the log list in the Server app, and also the system log on the clients.
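Two of the checks above (the host-name rules in step 2 and the UID range in step 12) can be scripted. The following is an added example, not part of the answer: a shell script with a pure host-name validator, a UID-range check over the output of `dscl /LDAPv3/127.0.0.1 -list /Users UniqueID`, and a forward/reverse DNS round trip that only runs on the server itself when DO_DNS_CHECK=1 is set. The host name server.example.com in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original answer. Sanity checks for an OD
# master's host name, DNS and user UID range. The pure functions take their
# input as arguments so they can run anywhere; the DNS lookups and dscl
# query only run on the server when DO_DNS_CHECK=1 is set.

# Step 2: at least three labels (server.example.com), no empty label, and
# not in the .local domain, which Bonjour/mDNS reserves.
validate_od_hostname() {
    name="$1"
    case "$name" in
        *.local)      return 1 ;;   # reserved for Bonjour
        *..*|.*|*.)   return 1 ;;   # empty label
    esac
    labels=$(printf '%s' "$name" | awk -F. '{print NF}')
    [ "$labels" -ge 3 ]
}

# Step 12: OD user UIDs should be 1001 or higher so they never collide with
# local accounts. Input is the output of
#   dscl /LDAPv3/127.0.0.1 -list /Users UniqueID
# ("name  uid" per line). Prints offending "name uid" pairs; returns 0 when
# none are found.
find_low_uids() {
    listing="$1"
    bad=$(printf '%s\n' "$listing" | awk 'NF == 2 && $2 + 0 < 1001 {print $1, $2}')
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad"
    return 1
}

# Forward and reverse DNS must agree: the name resolves to an address and
# that address resolves back to the same name. Apple's own check is
# `sudo changeip -checkhostname`; this does the same round trip with dig.
check_dns_roundtrip() {
    name="$1"
    ip=$(dig +short "$name" A | head -n 1)
    [ -n "$ip" ] || { echo "no A record for $name" >&2; return 1; }
    back=$(dig +short -x "$ip" | sed 's/\.$//' | head -n 1)
    [ "$back" = "$name" ] || { echo "reverse of $ip is '$back', not $name" >&2; return 1; }
    echo "$name <-> $ip OK"
}

if [ "${DO_DNS_CHECK:-0}" = "1" ]; then
    host=$(scutil --get HostName)
    validate_od_hostname "$host" || { echo "bad host name: $host" >&2; exit 1; }
    check_dns_roundtrip "$host" || exit 1
    find_low_uids "$(dscl /LDAPv3/127.0.0.1 -list /Users UniqueID)" \
        || echo "the accounts above have UIDs below 1001" >&2
fi
```

The directory administrator created with the OD master normally has UID 1000, so expect it to be listed by find_low_uids; the check is aimed at imported user accounts.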

  • Open directory server crashing every 30 days / clients unable to connect to calendar, contacts server

    Hello everyone,
    I am running an up-to-date Mavericks Server which serves exclusively as a calendar and contacts server for about two dozen devices. The server is reachable via DynDNS; however, the public IP hardly ever changes (only once or twice a year maybe). Tried setting the OS X DNS Server to serve "all clients" and "some clients".
    For about 6 months (i.e. also under Mountain Lion), I am having a very strange problem. Roughly every 20-30 days, clients will not be able to connect to the server, instead getting a "wrong password" dialog. Restarting the open directory server will help for the next 30 days.
    I have tried repairing the database as detailed here, however, the issue persists.
    Any help would be highly appreciated!
    I would have tried setting up a clean server installation, migrating calendars/contacts manually and re-adding all users by hand, however, I am not aware of an easy way to do so. The terminal command for calendar backup is broken under mavericks (might work with this workaround) and re-adding users manually would apparently involve correcting user UUIDs afterwards in order to match the migrated calendar data. Do you know of a better approach?
    Thanks a lot!
    DPSG-Scout

    Hi Linc,
    This looks the most relevant to me:
    opendirectory.log
    2014-03-11 11:13:09.460675 CET - 333.2628758.2628759 - Client: Python, UID: 93, EUID: 93, GID: 93, EGID: 93
    2014-03-11 11:13:09.460675 CET - 333.2628758.2628759, Node: /Local/Default, Module: PlistFile - predicates with 'AND' are not supported
    2014-03-11 12:09:00.296514 CET - State information (some requests have been active for extended period):
              Sessions: {
                  28 -- opendirectoryd:
                              Session ID: 7BFBA6FE-A968-4399-A129-E3A5945E2A81
                              Refs: singleton
                              Type: Default
                              Target: localhost
              Nodes: {
                  43 -- authd:
                              Node ID: 6D0E236D-6DBD-4E8C-BC01-B3F50C2C2D8E
                              Nodename: /LDAPv3/127.0.0.1
                              Session ID: <Default>
                              Refs: 1
                              Internal Use: X
    and many more similar ones…
    Thanks for your effort!

  • Open directory and Active directory

    Hello everyone.
    I am from a school in london. We currently have 8 servers (7 running Server 2003 and a recently installed Mac server running os x server 10.5)
    We have recently installed new macs into our media room and need them to be set up to work with the current domain setup.
    What we wish to do is to run the media center computers through the Mac server but get the existing domain information from the Active Directory server running Windows. As I have not set up a Mac server before I am having certain difficulties doing this. The first time we set up the Active Directory on the Mac server we could log into the Mac computers but could not change any of the policies for different groups to allow or deny certain applications from running. Every time I go to save a policy for a certain group we get the error message
    "Error while saving record "Finchley\Level 1@ Error -14140
    I'm guessing this is because we are trying to save that to the Active Directory and not onto the Mac server, so how can we map the Active Directory to the Mac's Open Directory so that we can customize the Mac group policies?
    Sorry if that didn't make a lot of sense, I'm typing a bit fast.
    Thanks

    Have you been here?
    http://docs.info.apple.com/article.html?path=DirectoryAccess/1.8/en/c7od45.html
    It should be straight forward, depending on how your AD accounts are setup.
    Unfortunately, I currently see a bug in the system which is often causing the home directory share to fail to mount when I use the AD plug-in in its default configuration. I'm pleading with Apple to fix this soon.
    If you use the plug-in in "true network home" fashion, by unchecking the 'force local home' option, then you should avoid this annoying bug. This method however requires plenty of network bandwidth and space for your entire Mac home folder.

  • How to migrate Open Directory from 10.6 to another server with 10.8?

    Hello all,
    I have a Mac Pro running Mac OS X Server 10.6.8 with Open Directory active. Now I bought a new Mac Pro running OS X 10.8 and I also bought the OS X Server app.
    What I want to know is how can I migrate the users and their home folders from old server with Snow Leopard to the new one? The Open Directory Archive does this job?
    Regards,
    Carlos.

    Ok. I did a test and I saw that it exports only the account information. So I suppose that I have to copy the home folders using scp or something similar. Is that correct?
    I also have to keep the same hostname from the old server in the new server or this can be done in a different way?
    Thanks.

  • How do I bind to directory server with SSL and authentication?

    I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
    Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a separate matter.)
    Here are the problems:
    1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
    2) I was never prompted to authenticate for the directory binding.
    So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
    What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
    Thank you.

    You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
    Cheers,
    Vikas

  • Unable to replicate Open Directory server

    I have a Master OD server that is currently being replicated to an offsite OD.
    But I'm looking to run a dedicated Mini for the offsite, but I cannot get the new Mini to replicate.
    The slapconfig log says the credentials are invalid and exits with error code=69.
    I have reset the directory admin password. made sure the network settings were all correct and the hostname and DNS name are correct.
    the OS and server versions are identical between the 2 servers.
    Anyone have any thoughts???

    Can't Create Replica in Open Directory
    Failed to set up Open Directory Replica.
    Still not possible to create OD Replica under Lion Server

  • Convert Open Directory mobile accounts to Active Directory mobile accounts

    We have 200 or so Macs using OD mobile accounts.
    Implementing Active Directory, getting rid of Open Directory.
    How do I change the mobile accounts from OD accounts to AD accounts so that they authenticate against the AD Domain Controller and thus change the computer login password when it's changed in AD?
    I can convert accounts this way:
    a.    Delete users’ user account in User preferences pane of System Preferences, but choose to not change the home directory.
    b.    Log into users’ account by choosing the other option, thus creating a mobile account.
    c.    Log out, log into the admin account, delete the newly created home directory, rename the home directory from the deleted user's account to match the name of the deleted home directory and do a chown -R on the directory for that user.
    Obviously doing above 200x times is tedious and I'd like to avoid this if possible!
    Any other ideas?  Preferably a script I can deploy to all computers?

    I am also testing Leopard in my Active Directory domain and here is what I have found so far. The wireless networks in Leopard seem to be a combination of Panther and Tiger. Each 'Location' that you set has its own list of preferred networks. I have one location for when I am locally on the domain network and others for my bench network and all others under 'Automatic'. The one problem with what you are talking about is that if people change locations and forget to change it back before they log in, it will not find the network, however, adding the other networks all in one location is fine as long as the AD network is on top. You also have to wait about 20 - 30 seconds after you reach the login prompt before proceeding or it will log in without being connected and the AD resources will not be available. I am also finding that Panther knew when it was not on the AD network and did not give any errors, however Leopard squawks when I log in on a different network.
    Cheers,
    Rob
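The three manual steps in the question, scripted as an added example that is not part of the thread: the script classifies each local account from its AuthenticationAuthority attribute, converts only OD mobile accounts, and keeps the user's existing home folder. Creating the AD mobile account with createmobileaccount from ManagedClient.app (instead of logging in at the login window as the question does), the path of that tool, and identical user names in OD and AD are assumptions; nothing is changed unless DO_CONVERT=1 is set and the script runs as root on a Mac that is already bound to AD.

```shell
#!/bin/sh
# Added example, not code from the thread. Converts OD mobile accounts to AD
# mobile accounts while keeping each user's home folder in place. Assumes the
# Mac is already bound to AD and that user names match between OD and AD.
# Run as root with DO_CONVERT=1 to actually change accounts.

# Assumed location of Apple's createmobileaccount tool.
CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Classify an account from its AuthenticationAuthority value, as returned by
#   dscl . -read /Users/<name> AuthenticationAuthority
# A cached network account carries a ";LocalCachedUser;<node>:..." element
# whose node names the directory the account came from.
account_kind() {
    case "$1" in
        *";LocalCachedUser;/Active Directory/"*) echo "ad-mobile" ;;
        *";LocalCachedUser;/LDAPv3/"*)           echo "od-mobile" ;;
        *)                                       echo "local" ;;
    esac
}

# Steps a-c from the question: remove the OD mobile record but keep the home
# folder, create the AD mobile account, then put the old home back under the
# new account's ownership.
convert_user() {
    u="$1"
    home=$(dscl . -read "/Users/$u" NFSHomeDirectory | sed 's/^NFSHomeDirectory: //')
    [ -n "$home" ] || { echo "$u: no home directory" >&2; return 1; }
    mv "$home" "$home.od"                 # keep the old home aside
    dscl . -delete "/Users/$u"            # drop the OD mobile record
    "$CMA" -n "$u" -v >/dev/null          # create the AD mobile account
    rm -rf "$home"                        # discard the freshly created home
    mv "$home.od" "$home"                 # restore the original home
    chown -R "$u" "$home"                 # re-own it under the AD UID
}

# Walk the local user records and convert only the OD mobile accounts.
convert_all() {
    for u in $(dscl . -list /Users); do
        aa=$(dscl . -read "/Users/$u" AuthenticationAuthority 2>/dev/null)
        if [ "$(account_kind "$aa")" = "od-mobile" ]; then
            echo "converting $u"
            convert_user "$u"
        fi
    done
}

if [ "${DO_CONVERT:-0}" = "1" ]; then
    convert_all
fi
```

Because the local record is deleted before the AD record exists, run this while the user is logged out and keep a backup of the home folder; a failed createmobileaccount call leaves the home at "$home.od" rather than losing it.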

  • How can I share a Tiger server's User database to a Panther server?

    I need some help to set this up. Keep in mind I do not have a DNS server.
    I have a Tiger server on an Xserve and an older Panther server, both on the same local network. I have a whole bunch of users set up on the Tiger server. The Panther server does not have any users set up on it. I do not want to have to type in all the users all over again on the Panther server. What I'd like to be able to do is somehow share and synchronize the user database on the Tiger server with the Panther server.
    I looked into the Open Directory settings but I do not understand what to do. How do I configure the Tiger and Panther servers respectively so the Panther server can sync with the Tiger server's users database. Is this possible? It seems like it with Open Directory, one being the Open Directory Master and the other being the Open Directory Replica? But I just don't understand how to set this up. Also the Panther OD settings seem quite different than Tiger's in Open Directory.
    Any help would be appreciated.

    Hi
    It may be best to set up your 10.4 Server as an Open Directory Master first and then use Directory Access on your 10.3 Server to connect to the Tiger Server so that it can use the same User Database. This should be possible. OD Master/Replica relationships are not possible if the OS versions are different, even if the Master was 10.4.11 and the Replica was 10.4.10. You have no chance when it's 10.4 and 10.3.
    http://images.apple.com/server/macosx/docs/OpenDirectory_Adminv10.5.pdf
    The link is for 10.5 but the basics are the same. This is a recent post that describes how to set up an OD Master:
    http://discussions.apple.com/thread.jspa?threadID=1377046&tstart=0
    I'm guessing that your 10.4 Server is Standalone and is serving simple file services only (AFP and possibly SMB/Windows). If this is the case (and I can't see how it can't be) then your users will be in the local NetInfo node. This will be the default node that is presented to you in WorkGroup Manager. You always get a warning that you are working in an invisible node (if you have not disabled this) when working in the Server's local node. Don't worry, there is nothing wrong with the warning. WorkGroup Manager on Panther (10.3) Server works the same way.
    You could, if you wanted, simply export the Users and Groups from WGM in 10.4 and import them into WGM on 10.3. This should save you having to key them all in again. If the prospect of configuring internal DNS Services and all that goes with it seems too much for you then this is probably the simplest option. How do you do this? Launch WGM (it's the same for both versions), select the Server menu and select Export after first selecting the desired users. Do the same for Groups. Use the same procedure in reverse. The Users and Groups files are not very big and can easily be transferred using a memory stick etc.
    There are differences between the two versions which are mostly to do with Server Admin. In 10.4 Server there are more services. One of the Services will be Open Directory. In 10.4 Open Directory will only show a green light by the side of the service if it is in any role other than Standalone. Server Admin on 10.3 Server will always show the green light by the side of the Open Directory Service. This does not mean that it is an OD Master, you have to click on Settings and inspect the Role to see what it actually is.
    You should be able to connect to a 10.3 Server with 10.4's Admin tools but don't be tempted to use Server Admin to configure/change anything on the 10.3 Server. You should not be able to go the other way 10.3 > 10.4 using the same tools.
    Internal DNS Services are a requirement for LDAP Services (and pretty much everything else) on Servers generally, although for simple file services not absolutely necessary. Internal DNS Services do not have to be configured on the Server itself just as long as they are configured on another server, for example, on the same network. If these are the only two servers on the network then you will have to configure DNS Services on either one or both of them depending on what you want.
    Not available on your 10.3 Server but is on your 10.4 Server are Access Control Lists (ACLs). This is a permissions model that is in addition to the standard POSIX permissions. Think carefully about how you provide permissions to your network clients if there is a mix of client OS, 10.3, 10.4 etc.
    Hope this helps, Tony

  • How to promote my OSX10.6.8 replica server to Open Directory server

    My Open Directory Server crashed and I would like to promote my replica Server to Open Directory master. Can you tell me how to do this?

    Hello Dave,
    Check out the steps quoted below to promote your replica to the Open Directory master.
    Provide Open Directory service
    https://help.apple.com/advancedserveradmin/mac/3.1/#apdD1F7D8CA-CF07-40CE-B2D4-8E3ACF4BCA40
    Promote a replica to Open Directory master
    If an Open Directory master fails and you can’t recover it from a backup, you can promote a replica to be a master. The new master (promoted replica) uses the directory and authentication databases of the replica.
    Select Open Directory in the sidebar.
    Click Servers.
    Select a replica to promote, then choose Promote Replica to Master from the Action pop-up menu (looks like a gear).
    Enter the directory administrator name and password.
    If you archived Open Directory data with certificate authority keys, you can restore them by entering the Open Directory archive location or clicking Choose to locate the archive.
    Click Next.
    Enter the user name and password for the replica that’s being promoted, then click Connect.
    Regards,
    -Norm G.

  • OSX Server 4 missing open directory

    Hi,
    Recently updated my Mac Mini to Yosemite then subsequently updated the Server app to 4.0.
    After a quick reboot I realized that Open Directory was disabled.
    When I tried to enable OD, it wanted me to create a new OD. No error message was shown.
    Any ideas what happened to the existing OD? I have about 50+ users.
    Let me know what kinda info is needed. Thanks!
    Alwyn


  • 10.6 iCal server using 10.5 Open Directory

    Has anyone had any experience with getting a 10.6 server's various collaboration services working with a 10.5 Open Directory? I have the web services working fine, but I'm having trouble getting iCal running correctly. First, 10.5 clients trying to connect to the 10.6 iCal server won't work via Kerberos. The other problem, is when I connect via digest mode (or whatever the unsecure mode is), the iCal clients don't seem to get anything back from the server. I can create events and I see them via the web interface, but events created or edited via the web interface don't get pushed back to the client.
    Thanks for any help...

    I don't think 10.6 does the enabling stuff the same as 10.5 if I remember correctly. A lot of it is done via the web interface. I know creating a wiki in 10.5 meant creating a group in WG manager and setting it up through that. In 10.6 you go to the wikis part through a browser and hit "Create new wiki". Permissions are setup via the settings page on the wiki.
    I'm not sure if the same goes for calendaring because we haven't ever used the iCal server to the full extent but I think it might be a similar change. When you sign into your "my page" on a 10.6 web server, it creates a calendar for you that you can edit via the web interface or iCal. Wikis also have calendars created, but I'm not sure how to get them in iCal.
    Hopefully that helps some...

  • Three new groups in Open Directory Server

    I noticed that my Open Directory server has three new groups in WGM: OD Users, OD Administrators and com.apple.limited_admin. Should I treat these as I treated the other groups by assigning them members and group folders? I also noticed that now I have a System Administrator and a Directory Administrator, does that sound right? Should I keep both? Thanks

    Ok, thanks, I had forgotten the "show system records" trick.
    For the guest user, I don't see it in dscl.
    So I suppose it's not a user, just an "anonymous" authentication option in the sharing preferences.
    It's a bit like "others" in the POSIX permissions: user, group, other. User and group are existing and named; other is not named, it's just anybody that is not the named user and not a member of the named group.
    To keep things understandable, you should use another name if you wish to configure a "guest user".
    You can manage the "enable guest account" option from WGM if you select a computer group, in the Preferences pane / Login / Options.
    Hope it helps
    Nicolas
