Question re magic triangle/kerberos

Hi
Bit of a newbie question - we have a Windows 2003 domain in school to which we are planning to add a Mac SL server, using OD / AD "magic triangle"
I've followed the instructions here -
http://www.copiouscom.com/2010/08/magic-triangle-setup-with-windows-file-server-backed-portable-home-directories/
- to set this up and all seems to be OK bar Kerberos authentication.
If I log on to the server as admin, and in terminal enter id <AD username> I get the correct info returned, but if I then enter su <AD username> I get "authentication error" (tried different usernames, and passwords are known to be correct)
Can anyone help?
Thanks

Hi
+"Our AD does not provide Kerberos services"+
Are you sure? AFAIK it's practically impossible to disable SSO on the Domain Controller while it's in a DC Role. Kerberos starts by default and is always running when issuing DCPROMO. If it's a Standalone Server then it won't be running anyway. In which case it won't be an Active Directory environment. Not in the sense I understand it to be?
+"Do I need to have kerberos enabled somewhere for the Magic Triangle?"+
Assuming you mean 'Classic AD-OD Integration' and assuming you want users to participate in a Single Sign On environment - Yes.
+"If so, can I provide it on the ODM instead of the AD?"+
Yes but only for users that exist on OD. But then you would not have a Magic Triangle in the sense I understand it to be. If all your users are in AD they can be authenticated using other authentication mechanisms available on OSX Server for Services those users are authorised to use. You don't strictly need OD for that to happen. You can create an OD Master providing SSO for AD users if you export those users from AD into OD assuming parallel environments?
There are so many variables here it's difficult to know what to advise? If your DC does not provide SSO (hard to see how) what is it doing exactly?
HTH?
Tony

Similar Messages

  • Can't figure out how to make my OSX Server / AD (magic triangle) work- Please help

    Hi there,
    I have set up a machine with Mac OS X 10.9.1 and Server.app 3.0.2. I think installation and configuration was made ok (I do have experience with Macs and I am part-time admin for the Active Directory in my organisation). I set up a magic triangle by binding my Mac server to an Active Directory domain. Now, I am not a specialist for this so I bought and used "OS X Mountain Lion Server For Dummies" by John Rizzo, which helped me. I did set up everything, even including AD users to OD groups on the Mac server.
    Now, I'm binding a Mac client to my OD server, and trying to log in. Can't do that. Any username I type that is not a local client name does not work. I have tried to use 'username' as a login and also 'DOMAINNAME\username', none of which work. I also tried to create a local network user on my OD server, and even with that username I can't log in on the client.
    I did check System preferences / Users and groups :
    - There is a green light next to my OD server name
    - I checked the "allow network users to log in" and checked that "All users" are ok for login.
    Two things that don't seem normal but I can't understand :
    - Kerberos seems off on the server (klist in terminal returns nothing and Ticket Viewer.app shows no ticket)
    - If I try to specify network users that CAN log in (i.e. not "everyone") I see users in the editor window but can't add them to the list
    I'm kinda lost here. Anyone wishing to help?

    No reason to be angry as it's in his book on page 112. You possibly did not understand its significance until you'd done it yourself?
    In an AD-OD integrated environment (I prefer this to 'Magic Triangle' as there is no triangle as such) there are no users in OD. They're all in AD. You nest AD Users or Groups (best to use groups) into an OD Group and apply managed preferences that way. You could bypass group nesting if you wish and simply create OD Computer Groups instead. Manage the workstations directly. All users, admin or not, local or otherwise, would have those preferences applied.
    "Are preferences correctly inherited between AD and OD groups and users?"
    In my experience they are.
    "What if I want users in some AD Groups to be controlled users on the client and users in other AD groups to be admins on the client?"
    You can do the first part of the question using the provided Server Tools, PM or WGM. To make users local admins you use a terminal command. You don't want to be doing this for student accounts. To make AD groups administrators access Directory Utility's Advanced Options section in the AD plug-in. Clicking on the Administrative tab should give you the option you may be looking for? Alternatively you could use the command line (man dsconfigad) as there are more settings available using it than there are in the GUI.

  • Authentication errors in Magic Triangle set up

    Hi All,
    I have recently integrated a SL server into AD to provide MCXs to Mac workstations as well as network homes, time machine server etc.
    Everything is working fine and there aren't any major problems - clients can log into AFP homes and the majority of MCXs are working well.  One thing I have noticed though is that exactly every 2 hours I get an error in Windows event viewer complaining of a Kerberos authentication error (Event ID 4768).  The account name specified in the event log is the computer record for the OD master.
    I did a bit of digging through the logs and can see the successful logging in of the Mac server computer account to the Password server.  In the password server service log, I get this:
    RSAVALIDATE: success.
    Apr  8 2012 14:10:12    USER: {0x4f7e1ea56b8b4567000000040000000, server.domain.com$} is the current user.
    Apr  8 2012 14:10:12    AUTH2: {0x4f7e1ea56b8b4567000000040000000, server.domain.com$} CRAM-MD5 authentication succeeded.
    The computer account 'server.domain.com$' is listed when you go into WGM and go to 'show system records' and is the computer account for the mac server that is the OD master.
    I believe that the server is trying to authenticate to the Windows DC, receiving an error (and generating the 4768 error code) and then successfully authenticating to OD. 
    I have changed the search policy on the server to authenticate against OD first and then AD, but I am still getting this error.  I don't know whether Directory Utility is buggy and incorrectly shows LDAP before AD as I cannot find the dscl command to list search policies anywhere, only to add, delete and amend search policies.
    Questions:
    1) Why is the server authenticating to itself every 2 hours?
    2) Does anyone know how to list the search policy order in dscl, so I can verify that the server is actually authing against OD first?
    3) If the search policy is OK, and I suspect it is, why is the server trying to auth against AD?
    4) Has anyone else seen this error and, if so, how did you resolve?
    Coincidentally, I also get this error when I log into WGM using the directory admin username/password.
    TIA

    Hi James,
    Received wisdom for Magic Triangle is to bind the Mac server to AD and ensure that Kerberos is disabled on the Mac server. It sounds like you may not have done it that way?
    This reference may help:
    http://www.afp548.com/netboot/mactips/activedir.html
    Just a guess - but perhaps the re-authentication every 2 hours is due to Kerberos ticket expiration?
    Best
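Two of James's questions can be answered from data that is collectable locally rather than by guessing: the search order is readable with `dscl /Search -read / CSPSearchPath` (the multi-valued attribute `dscl` prints one value per indented line), and the two-hour cadence can be confirmed by grouping the 4768 events by account before deciding whether it is ticket renewal. The Python below is an added example, not from either poster or from Apple; the `dscl` output and the event rows are constructed samples in the shape of the real output and of the Security log extract described in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of `dscl /Search -read / CSPSearchPath` output.
SAMPLE_SEARCH_PATH = """\
CSPSearchPath:
 /Local/Default
 /LDAPv3/127.0.0.1
 /Active Directory/EXAMPLE/All Domains
"""

# Constructed Security-log extract: (timestamp, event ID, account name).
# Mirrors the symptom in the post: one account recurring exactly every 2 hours.
SAMPLE_EVENTS = [
    ("2012-04-08 10:10:12", 4768, "server.domain.com$"),
    ("2012-04-08 10:31:44", 4768, "alice"),
    ("2012-04-08 12:10:12", 4768, "server.domain.com$"),
    ("2012-04-08 14:10:12", 4768, "server.domain.com$"),
    ("2012-04-08 15:02:09", 4768, "alice"),
    ("2012-04-08 16:10:12", 4768, "server.domain.com$"),
]


def parse_search_path(text):
    """Return the directory nodes in the order the search policy consults them."""
    nodes = []
    in_attr = False
    for line in text.splitlines():
        if line.startswith("CSPSearchPath:"):
            in_attr = True
            rest = line[len("CSPSearchPath:"):].strip()
            if rest:  # single-line form: values separated by spaces
                nodes.extend(rest.split())
            continue
        if in_attr and line.startswith(" "):
            nodes.append(line.strip())
        else:
            in_attr = False
    return nodes


def od_before_ad(nodes):
    """True when the local OD (LDAPv3) node precedes the Active Directory node."""
    def position(prefix):
        for i, node in enumerate(nodes):
            if node.startswith(prefix):
                return i
        return None
    od, ad = position("/LDAPv3/"), position("/Active Directory/")
    return od is not None and ad is not None and od < ad


def periodic_accounts(events, event_id=4768, tolerance=timedelta(seconds=60), min_count=3):
    """Map account -> interval for accounts whose event_id entries recur at a fixed spacing."""
    stamps_by_account = defaultdict(list)
    for ts, eid, account in events:
        if eid == event_id:
            stamps_by_account[account].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    periodic = {}
    for account, stamps in stamps_by_account.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:  # all gaps (nearly) equal
            periodic[account] = gaps[0]
    return periodic


if __name__ == "__main__":
    order = parse_search_path(SAMPLE_SEARCH_PATH)
    print("search order:", order, "| OD before AD:", od_before_ad(order))
    for account, gap in periodic_accounts(SAMPLE_EVENTS).items():
        print(f"{account}: 4768 every {gap}")
```

Run it against real data by piping `dscl /Search -read / CSPSearchPath` into `parse_search_path` and an exported Security log into `periodic_accounts`; an account whose interval matches the realm's ticket lifetime, and only that account, is what the renewal guess in the reply predicts.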

  • Mobile Home problem with Magic Triangle

    So I have been setting up a magic triangle for the past few days with an OSX Lion server.  I believe it is working properly.  The server is running OD and is bound to my AD.  I have made an OD group which contains my AD users, and I have set that OD group to have limited application preferences (one of them is to block the App store).  All my users have MacBook Airs which they will take off-site, so I enabled mobile home folders in the AD bind and in the OD group mobility settings (with confirmation required).
    When I tested it today, with Airs running 10.7.4, here is what happened.
    When the system was on the network, it would log a user in, ask to create the mobile account, and successfully create it.  Once logged in they were limited to the application preferences that I set on the server.  I considered this a complete success.
    When I disconnected them from the network, I had expected that they would still be able to log in and the system would function the same way with the exception that they would not sync their changes until they were back on-site.
    Instead...
    When the same user tries to log in it says the AD server is unavailable and then logs them in anyway.  However, once they are at the desktop, none of the permissions are in place.  They can go to the app store, or do anything else they feel like.  Once they are back on the network, all the server based preferences reappear and lock the system down.
    So my questions are:
    1. Should a mobile account based system complain that it can't find the AD domain when offsite?
    2.  Why is it not checking some cached version of the permissions and locking down the notebook when offsite?  I can tell that it is caching the user name and password (as logging in as a user the Air has never seen before will simply give a login error), as it will let them in, but it is not holding any preferences. 
    3.  How can I prevent users from simply disconnecting from the network to bypass all my server based policies?
    Hope someone can help

    Hi,
    I'm having a similar problem with exactly the same setup; our clients are 10.7.4, wired not wireless, the OD server is 10.7.4 and the clients are authenticating via an AD 2008 R2 domain.
    We've had this scenario in the past running 10.5 and 10.6 without any problems but with 10.7.4 the clients' MCX settings are lost when they're not connected to our network. It seems to only lose the settings applied to user groups but not computer groups.
    At this moment in time I don't have an answer, I'm still looking; have you found a solution?
    I know configuration profiles are the way forward and in the future I'll move over to them but they don't seem to work that well with PHD's at the moment.
    If anyone has any thought on this it would be much appreciated.
    Thanks,
    Jay.
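The reply in the "Can't figure out how to make my OSX Server / AD" thread above points at `dsconfigad` for granting AD groups local admin rights, and this thread turns on mobile accounts in the AD bind. Both are settings a reviewer wants to see in one place before a fleet of laptops leaves the building. The Python below is an added example, not from any poster or from Apple: it parses a listing in the layout of `dsconfigad -show` (the labels follow the real tool; the values are invented) and flags the bind settings that weaken the setup. It does not address the 10.7.4 user-level MCX caching problem itself, which the posts leave unresolved.

```python
# Constructed sample in the layout of `dsconfigad -show`; values are invented.
SAMPLE_DSCONFIGAD = """\
Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = macserver$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled

Advanced Options - Administrative
  Allowed admin groups           = EXAMPLE\\Domain Users,EXAMPLE\\mac admins
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 0
"""

# Group names that should never confer local admin on every Mac (assumption: this
# list is the reviewer's own; extend it with site-specific catch-all groups).
BROAD_GROUPS = {"domain users", "authenticated users", "everyone", "users"}


def parse_dsconfigad(text):
    """Turn the `label = value` lines of `dsconfigad -show` into a dict."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # section headers and blank lines
        label, _, value = line.partition("=")
        settings[label.strip()] = value.strip()
    return settings


def audit_bind(settings):
    """Return human-readable findings for weak or surprising bind settings."""
    findings = []
    groups = settings.get("Allowed admin groups", "not set")
    if groups != "not set":
        for group in groups.split(","):
            short = group.strip().split("\\")[-1].lower()  # drop DOMAIN\ prefix
            if short in BROAD_GROUPS:
                findings.append(f"admin group too broad: {group.strip()}")
    for key in ("Packet signing", "Packet encryption"):
        if settings.get(key, "").lower() != "require":
            findings.append(f"{key} is '{settings.get(key)}', not 'require'")
    if (settings.get("Create mobile account at login") == "Enabled"
            and settings.get("Require confirmation") == "Disabled"):
        findings.append("mobile accounts (cached credentials) are created at login without confirmation")
    try:
        if int(settings.get("Password change interval", "14")) == 0:
            findings.append("computer account password rotation is disabled")
    except ValueError:
        pass  # 'not set' or other non-numeric text
    return findings


if __name__ == "__main__":
    for finding in audit_bind(parse_dsconfigad(SAMPLE_DSCONFIGAD)):
        print("-", finding)
```

On a bound Mac, feed it `dsconfigad -show` and clear each finding with the matching flag: `dsconfigad -groups "EXAMPLE\mac admins"`, `-packetsign require -packetencrypt require`, `-mobile enable -mobileconfirm enable`, and a non-zero `-passinterval`.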

  • OD / AD / Magic Triangle configuration in Snow Leopard Server

    Hi:
    I'm working on training / setting up a magic triangle. I've been able to perform the necessary binding of my 10.6.4 Server to the AD, Set up OD as an OD Master connected to AD and finally, binding a client 10.6.4 Mac to both AD and OD. FYI - I'm using the Apple Training Series: Macs OS X Directory Services v10.6 as my guide.
    I'm running into issues which are based upon how I connect / authenticate. I tried the 4 scenarios listed below with different results. The first scenario is the way to view/administer the directories according to the training guide. I tried the other 3 scenarios just to see what might happen:
    1 - local mac - run WGM and View Directories: Result: Can authenticate to AD directories, but can't authenticate to the OD directory on the OS X server.
    2 - local mac - run WGM and Authenticate to OS X Server: Result: Can authenticate to OD directory on the Server, but cannot authenticate to AD directories as AD Administrator
    3 - from the OS X Server - run WGM and Authenticate to OS X Server: Result: Automatically authenticate to OD directory on the Server, but cannot authenticate to AD directories as AD Administrator
    4 - from the OS X Server - run WGM and View Directories Result: Automatically authenticate to OD directory on the Server, but cannot authenticate to AD directories as AD Administrator
    Earlier today, while using #2 scenario, I was able to see the contents of the Active Directory and could even add computers/users to the groups I had created on the server's ldap directory and successfully tested attributes on the users/computers I assigned to the respective groups. This evening though, I can no longer see users/computers in the AD and the users I added to the OD groups have lost their connections - when I look at Members, each listing name initially shows loading then changes to not found. (The ID for each still appears though).
    Any ideas? I've completely reset the server configuration for OD and its binding to the Active Directory a couple of times now, but still can't get it working. I have the sense I've missed some detail here.
    Thanks!

    It sounds like you lose the AD connection intermittently from at least the server.
    You are using the "AD" DNS?
    Reverse lookup of the OS X server name works (OS X server name added to forward zone and IP added to reverse zone for your LAN in "AD" DNS)?
    In SA, OD, Kerberos is not running (should use AD kerberos realm)?
    Anything in logs about this (DirectoryService)?

  • Creating a Magic Triangle

    We want to create a test Magic Triangle where we can test major changes before deploying them in production.
    We have a Mac Xserver 10.6 (matches production), Active Directory at Windows 2008 R2 functional level (Production is at 2003), and NetApp filer running OnTap 7.3.4 (Production is at 8.1). 
    We have augments defined to set the user home directory in Open Directory.  This overrides the AD setting in production.  Our test environment does not request the home directory attribute from Open Directory.
    I have turned on Directory Service debugging using:
    sudo killall -USR1 DirectoryService
    sudo killall -USR2 DirectoryService
    From the debug logs I see the production Mac OS X client querying AD for user attributes and then OD for the augmented records:
    Here are some relevant records from the client debug log in production:
    2013-08-20 09:53:14 EDT - T[0x0000000100604000] - Internal Dispatch, API: dsGetRecordList(), Active Directory Used : DAC : 1 : Node Ref = 33610587 : Requested Rec Names = ebuller : Rec Name Pattern Match:8449 = eDSiExact : Requested Rec Types = dsRecTypeStandard:Users
    2013-08-20 09:53:14 EDT - T[0x0000000100604000] - Internal Dispatch, API: dsGetRecordList(), Active Directory Used : DAC : 2 : Node Ref = 33610587 : Requested Attrs = dsAttrTypeStandard:AppleMetaNodeLocation;dsAttrTypeStandard:AuthenticationAuthority;dsAttrTypeStandard:HomeDirectory;dsAttrTypeStandard:NFSHomeDirectory;dsAttrTypeStandard:Password;dsAttrTypeStandard:Picture;dsAttrTypeStandard:JPEGPhoto;dsAttrTypeStandard:PrimaryGroupID;dsAttrTypeStandard:RealName;dsAttrTypeStandard:RecordName;dsAttrTypeStandard:UniqueID;dsAttrTypeStandard:UserShell;dsAttrTypeStandard:GeneratedUID;dsAttrTypeStandard:CopyTimestamp;dsAttrTypeStandard:OriginalNodeName;dsAttrTypeStandard:PrimaryGroupID;dsAttrTypeStandard:MCXSettings;dsAttrTypeNative:_guest;dsAttrTypeNative:external : Attr Type Only Flag = 0 : Record Count Limit = 0 : Continue Data = 0
    ...Some lines left out...
    2013-08-20 09:53:14 EDT - T[0x0000000100604000] - Internal Dispatch, API: dsGetRecordList(), Active Directory Used : DAR : Node Ref = 33610587 : Number of Found Records = 1 : Continue Data = 3489  : Result code = 0
    2013-08-20 09:53:14 EDT - T[0x0000000100604000] - Internal Dispatch, API: dsGetRecordList(), LDAPv3 Used : DAC : 1 : Node Ref = 33557052 : Requested Rec Names = Users:ebuller : Rec Name Pattern Match:8193 = eDSExact : Requested Rec Types = dsRecTypeStandard:Augments
    2013-08-20 09:53:14 EDT - T[0x0000000100604000] - Internal Dispatch, API: dsGetRecordList(), LDAPv3 Used : DAC : 2 : Node Ref = 33557052 : Requested Attrs = dsAttrTypeStandard:GeneratedUID;dsAttrTypeStandard:HomeDirectory;dsAttrTypeStandard:NFSHomeDirectory : Attr Type Only Flag = 0 : Record Count Limit = 1 : Continue Data = 0
    2013-08-20 09:53:14 EDT - T[0x0000000100604000] - Internal Dispatch, API: dsGetRecordList(), LDAPv3 Used : DAR : Node Ref = 33557052 : Number of Found Records = 1 : Continue Data = 0  : Result code = 0
    And here are the similar lines from a test client:
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Internal Dispatch, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16777216 : Node Name = /Active Directory/All Domains
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Active Directory:          Using existing connection for domain.name.here
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Active Directory:    Opening Forest-Level Node
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Internal Dispatch, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16777216 : Node Ref = 33557146 : Result code = 0
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Internal Dispatch, API: dsGetRecordList(), Active Directory Used : DAC : 1 : Node Ref = 33557146 : Requested Rec Names = ebuller : Rec Name Pattern Match:8449 = eDSiExact : Requested Rec Types = dsRecTypeStandard:Users
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Internal Dispatch, API: dsGetRecordList(), Active Directory Used : DAC : 2 : Node Ref = 33557146 : Requested Attrs = dsAttrTypeStandard:AppleMetaNodeLocation;dsAttrTypeStandard:AuthenticationAuthority;dsAttrTypeStandard:HomeDirectory;dsAttrTypeStandard:NFSHomeDirectory;dsAttrTypeStandard:Password;dsAttrTypeStandard:Picture;dsAttrTypeStandard:JPEGPhoto;dsAttrTypeStandard:PrimaryGroupID;dsAttrTypeStandard:RealName;dsAttrTypeStandard:RecordName;dsAttrTypeStandard:UniqueID;dsAttrTypeStandard:UserShell;dsAttrTypeStandard:GeneratedUID;dsAttrTypeStandard:CopyTimestamp;dsAttrTypeStandard:OriginalNodeName;dsAttrTypeStandard:PrimaryGroupID;dsAttrTypeStandard:MCXSettings;dsAttrTypeNative:_guest;dsAttrTypeNative:external : Attr Type Only Flag = 0 : Record Count Limit = 0 : Continue Data = 0
    ... Some lines left out ...
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Active Directory:          DomainConnection Retrieval started
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Active Directory:          DomainConnection Retrieval ended returning 1 results
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Internal Dispatch, API: dsGetRecordList(), Active Directory Used : DAR : Node Ref = 33557146 : Number of Found Records = 1 : Continue Data = 627  : Result code = 0
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Internal Dispatch, API: dsGetRecordList(), LDAPv3 Used : DAC : 1 : Node Ref = 33554887 : Requested Rec Names = Users:ebuller : Rec Name Pattern Match:8193 = eDSExact : Requested Rec Types = dsRecTypeStandard:Augments
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Internal Dispatch, API: dsGetRecordList(), LDAPv3 Used : DAC : 2 : Node Ref = 33554887 : Requested Attrs = dsAttrTypeStandard:GeneratedUID : Attr Type Only Flag = 0 : Record Count Limit = 1 : Continue Data = 0
    2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Internal Dispatch, API: dsGetRecordList(), LDAPv3 Used : DAR : Node Ref = 33554887 : Number of Found Records = 1 : Continue Data = 0  : Result code = 0
    The big difference is the search for LDAPv3 records.  In production, the client requests these attributes:
    Requested Attrs = dsAttrTypeStandard:GeneratedUID;dsAttrTypeStandard:HomeDirectory;dsAttrTypeStandard:NFSHomeDirectory 
    but in the test environment the list is shorter:
    Requested Attrs = dsAttrTypeStandard:GeneratedUID
    We see the augments in both ODs so I don't know why our test client is not requesting the necessary attributes to mount the user's home folder.
    The client connections to AD and OD do not show any obvious issues.  Using dscl to read records from AD and OD works fine.
    Can anyone explain why a Mac OS X 10.6.8 client would not request the augmented attributes from OD when also connected to AD?
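Comparing two DirectoryService debug logs by eye, as the post above does, is error-prone once the attribute lists run to twenty entries. The Python below is an added example, not from the poster or from Apple: it pulls the `Requested Attrs` list out of each `dsGetRecordList() ... DAC : 2` line, keyed by the plug-in that served it, and reports which attributes the test client never asks a node for. The embedded sample lines are trimmed copies of the production and test lines quoted in the post.

```python
import re

# One request line per plug-in, trimmed from the post's debug logs (constructed sample).
PROD_LOG = """\
2013-08-20 09:53:14 EDT - T[0x0000000100604000] - Internal Dispatch, API: dsGetRecordList(), Active Directory Used : DAC : 1 : Node Ref = 33610587 : Requested Rec Names = ebuller : Rec Name Pattern Match:8449 = eDSiExact : Requested Rec Types = dsRecTypeStandard:Users
2013-08-20 09:53:14 EDT - T[0x0000000100604000] - Internal Dispatch, API: dsGetRecordList(), Active Directory Used : DAC : 2 : Node Ref = 33610587 : Requested Attrs = dsAttrTypeStandard:HomeDirectory;dsAttrTypeStandard:NFSHomeDirectory;dsAttrTypeStandard:MCXSettings : Attr Type Only Flag = 0 : Record Count Limit = 0 : Continue Data = 0
2013-08-20 09:53:14 EDT - T[0x0000000100604000] - Internal Dispatch, API: dsGetRecordList(), LDAPv3 Used : DAC : 2 : Node Ref = 33557052 : Requested Attrs = dsAttrTypeStandard:GeneratedUID;dsAttrTypeStandard:HomeDirectory;dsAttrTypeStandard:NFSHomeDirectory : Attr Type Only Flag = 0 : Record Count Limit = 1 : Continue Data = 0
"""

TEST_LOG = """\
2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Internal Dispatch, API: dsGetRecordList(), Active Directory Used : DAC : 2 : Node Ref = 33557146 : Requested Attrs = dsAttrTypeStandard:HomeDirectory;dsAttrTypeStandard:NFSHomeDirectory;dsAttrTypeStandard:MCXSettings : Attr Type Only Flag = 0 : Record Count Limit = 0 : Continue Data = 0
2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Active Directory:          DomainConnection Retrieval started
2013-08-19 09:25:37 EDT - T[0x0000000101C0A000] - Internal Dispatch, API: dsGetRecordList(), LDAPv3 Used : DAC : 2 : Node Ref = 33554887 : Requested Attrs = dsAttrTypeStandard:GeneratedUID : Attr Type Only Flag = 0 : Record Count Limit = 1 : Continue Data = 0
"""

# The "DAC : 2" call carries the attribute list; the plug-in name sits between
# "dsGetRecordList(), " and " Used".
REQUEST_RE = re.compile(
    r"dsGetRecordList\(\), (?P<plugin>[^:]+?) Used : DAC : 2 : .*?"
    r"Requested Attrs = (?P<attrs>.+?) : Attr Type Only Flag"
)


def requested_attrs(log_text):
    """Map each directory plug-in to the set of attributes requested from it."""
    requests = {}
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        attrs = {a.strip() for a in match.group("attrs").split(";") if a.strip()}
        requests.setdefault(match.group("plugin"), set()).update(attrs)
    return requests


def missing_attrs(reference, observed, plugin):
    """Attributes the reference client asks `plugin` for that the observed client does not."""
    return sorted(reference.get(plugin, set()) - observed.get(plugin, set()))


if __name__ == "__main__":
    prod, test = requested_attrs(PROD_LOG), requested_attrs(TEST_LOG)
    for plugin in sorted(set(prod) | set(test)):
        print(plugin, "missing in test:", missing_attrs(prod, test, plugin))
```

Pointed at two full debug logs, the LDAPv3 line of the output is the list of augment attributes the test client is not requesting, which narrows the question to why the client's augment mapping differs, rather than to the records in OD (which the post already confirms are present).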

    Thanks for your reply ..
    I now see what's going on.
    so if I simply disabled kerberos of the existing OD as described here:
    http://docs.info.apple.com/article.html?path=ServerAdmin/10.6/en/odfd7bf26f.html
    it should be fine ?
    Mac OS is serving a few macs ; but most machines are Windows PCs now.
    What it does do however, is providing the mail; calendar and wiki server.
    My understanding is that if I do not run OD, it will be much more work to allow mail for AD users to work. And transferring the current mail files is going to be a pain provided it uses stuff like BC86E956-9107-4761-8EE1-C58D4019F559.
    So my plan was to bind the OD to AD, create the same username on AD so OD would keep all the Apple-related entries (mail entry, GeneratedUID etc.).
    Re-creating all users from scratch looks like it's going to be a long task otherwise.
    The other thing I'm worried about is that I would lose aliases. The way OD lets you create aliases is great, and I believe this isn't possible with AD.
    Last thing: when I last tried to make the OS X server bind to AD, it then wouldn't let the admin authenticate in Workgroup Manager; it kept telling me the password was incorrect.
    Which was very weird as the password would be accepted everywhere else (ssh, email, wiki etc.).
    Only Workgroup Manager would complain that my login details weren't correct. And in the meantime, I couldn't edit any of the remaining users.
    Thanks

  • What is the risk for my Active Directory when you make a magic triangle ?

    Hi, hello
    I want to know that because I need to install a Lion server in my company, on the production server.
    Now I have made a magic triangle in my lab, and I haven't noticed a problem with my AD.
    1) What's the risk for my AD when I make a magic triangle?
    2) Does the Directory Administrator (diradmin) of Open Directory need rights in the Active Directory to manage Mac OS X clients? If yes, what rights?
    3) Can you confirm for me that ==>>> when I want to manage Mac users, I need to create a local group in Open Directory, "MacUsers", and in this group I add users from the AD, is that it? I want to be sure of what I do...
    4) For the Mac computer account registered in my AD, what can I do?
    5) For the MCX, do I apply the preferences to the Users or the Computer?
    Thank you for your help

    Hi
    Q3 - You create a shared directory (the LDAP node) when you promote the Server to an Open Directory Master Role. Judging by what you're saying you've already done this. The Users and/or Groups you're creating after promotion will be in the shared directory (the LDAP node). You can tell which node Users and/or Groups are in by simply looking at them in the Server App. If they have a small blue globe icon on their right shoulder they will be in the LDAP node. If they don't they will be local users and not in the shared directory (the LDAP node).
    To view them in WorkGroup Manager, launch the application and authenticate using the Directory Administrator account. Above the main interface window you should see a small blue globe. The shared directory will be listed by the side of this icon as: Viewing Directory:  /LDAPv3/127.0.0.1 etc.
    Q5 - MCX (Managed Client X) is Apple's equivalent to GPOs (Global Policy Objects). If you're familiar with Active Directory you'll know what this means.
    Deprecation means "not using anymore". In other words you should not be using WorkGroup Manager to apply mac-style GPOs. You should be using Profile Manager instead. Profile Manager is the 'new' way to apply mac-style GPOs.
    Profile Manager is part of Lion Server. It's also known as the MDM Server (Mobile Device Management Server).
    It's up to you to decide what is good for your environment and needs. In some situations I'll use both and possibly augment them with Apple Configurator and Apple Remote Desktop. Then again in other situations I'll use other numerous 3rd-Party tools available.
    HTH?
    Tony

  • How to manageimported users, groups, and computers in the "Magic Triangle"

    How do I manage imported users, groups, and computers? Server Preferences versus Workgroup Manager? I can import users and groups with the former but it offers limited configurable options. I can view all users, groups, and computers (from Active Directory) in the latter, but it does not designate which accounts have been imported.
    I've got a magic triangle setup, with my users, groups and computers in Windows Active Directory, and my Mac OS X Snow Leopard server set up as a directory master, and bound to AD as well. I wish to apply group policy like settings to my Mac OS X Leopard and Snow Leopard clients.
    Here's a summary of my goals:
    1. Time Machine Storage for mac users when they logon to Mac OS X computers.
    2. Automount group shares located on the Mac OS X Server.
    3. Redirect user desktop and document folders to user shares either on the Mac OS X server or my Windows file server.
    4. Automount a custom folder (for each user) located either on the Mac OS X server or my Windows file server.
    5. Setup Mac OS X server as a printer server with quotas for all mac and windows computer users.
    Goal #1 appears to be working. Need help with the rest. Thanks

    I'm not sure you want to import users to use the magic triangle properly. I think importing creates 'Augmented Records' - the user icons have blue dots.
    The principle is this…
    Bind the server to Active Directory (AD) & create an Open Directory master (OD). This can be done from Server Admin, in the OD section, via the change button.
    Then you use Workgroup Manager, set the viewing directory (tiny little globe in top left) to use LDAP records on the server - LDAPv3/127.0.0.1. Authenticate (lock on right of toolbar) add a group, then switch to to its Members tab, click + Then change the user list to show the AD records & add the AD users to the OD group. It sounds weird & wrong, but it is how it works.
    You are never modifying the AD records, just assigning a group to the users in OD. It's why the clients need to bind to AD & OD.
    From there you can set the Managed prefs (MCX) for the members of the OD group. It also helps to add a guest computer account to OD to assign computer prefs based on the Macs that bind to the server - it's in the File menu when you select the computers list in OD.
    I hope that's clear, not sure I can help with the other tasks, but they tend to fall into place once you have the complex start in place.

  • Need to Setup Magic Triangle for 10.5

    I already have a xserve running 10.5 that is a OD master and it is joined to the domain, but the passthrough authentication is not working.
    How can I reset or fix the problem? I cannot rebuild the Xserve at the moment, but I can unbind and remove the OD, but will this allow me to restart the process?
    -brian

    This is really the 10.6 Directory Services discussion.
    By "...joined to the domain..." you mean an AD domain?
    If bound to AD and running as OD master, Kerberos shouldn't be running (look in Server Admin, OD) as the machine should be using the AD Kerberos realm for kerberized services.
    For SSO / running Kerberos auth to. use services, clients must be bound to the AD.
    (Kerberos needs "clocks to be synchronized", something like no more than 5 min. difference and using same timezone between all machines using it).
    "...passthrough authentication is not working." - passthrough?
    Using AD credentials to access some OS X server hosted services (for example AFP) might work even without the client being bound to the AD, but not if OS X server demands Kerberos auth. for the service in question.
    With "passthrough" you might mean: client wants to ask OS X server for "access" using AD credentials?
    As I understand it (in a service "simplest configuration" - at least not demanding Kerberos auth.) user/client can "authenticate" to OS X server which really asks the AD to auth. the user and (possibly) the OS X server authorize the user to access the service running on the OS X server.
    But if you want to login on a computer using the AD credentials it needs to be bound to the AD AND a corresponding OS X homefolder must be "reachable".

  • Question mark in triangle in place of punctuation marks in email

    Here's situation:
    I'm on a MacBook Air with Mavericks. My friend is on a MacBook with the previous OS (10.8). I write her from Mac Mail, she replies from a free web mail program (Juno). When she replies back to answer my email and I scroll down to see something I wrote to her, in my email now appear black triangles with a question mark in the middle of the triangle in each area where I had originally placed either commas or apostrophes. It seems the periods are fine. I think a dash mark is replaced also. So what is the reason and how to prevent it? Is it a Mavericks thing? Is it her email program? If it's hers then why did it change on iPhone - see next:
    Here's a secondary situation: I'm now writing from iPhone (vs 6.1.4) and the same email came into this phone showing square empty boxes (outline of a box) instead of triangle & question mark, in the same location! What gives?

    There is always some idiot in the audience who will yell stupid things about the issue being a PC problem or a Macintosh problem ...
    Without seeing the actual PowerPoint presentation file as well as the fonts involved, a definitive diagnosis cannot be provided. Having said that, instinct would suggest that the problem is associated with cross-platform differences in characters sets used by PowerPoint and/or differences in the fonts between the platforms. This is
    exactly why using PowerPoint files as opposed to a PDF file (with all fonts embedded) created from the PowerPoint file for an actual presentation is not a particularly good idea.
    One of the problems is that PowerPoint on Windows and PowerPoint on Macintosh handle fonts and character sets differently. PowerPoint on Windows has used Unicode encoding for a number of years; I believe that PowerPoint 2008 on the Macintosh is the first Mac version to support Unicode, at least for new documents.
    - Dov

  • New to the Magic Triangle - can't get ichat/messages to work

    Hey all, thanks for your support right away, I have a feeling I will become a regular.  So let's get to it!
    I'm using the latest OSX server on Yosemite. I've also attached this server to our Active Directory Server.  I've been able to configure and use the following services:
    * file sharing
    * time machine
    * Netinstall
    * open directory
    I'm working on getting Messages to work, which I feel should have been pretty simple.  The error that is persisting is "Messages can't communicate..." "The host domain.com does not support Kerberos authentication." 
    In the log on the server i'm getting : connect then right after disconnect jid=unbound packets 0
    So some of the things i've done: (which probably made it worse)
    - In active directory I set the computer to trust this computer for delegation to any service (Kerberos only)
    - I've set on the client to "Use Kerberos v5 for authentication"
    - I've made sure the DNS is legit with the PTR record.
    - I've tried setting the host array
    - sudo serveradmin fullstatus shows the following:
    jabber:state = "RUNNING"
    jabber:roomsState = "RUNNING"
    jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
    jabber:logPaths:MUC_STD_LOG = "/var/log/system.log"
    jabber:logPaths:JABBER_LOG = "/var/log/system.log"
    jabber:proxyState = "RUNNING"
    jabber:currentConnections = "0"
    jabber:currentConnectionsPort1 = "0"
    jabber:currentConnectionsPort2 = "0"
    jabber:pluginVersion = "10.8.215"
    jabber:servicePortsAreRestricted = "NO"
    jabber:servicePortsRestrictionInfo = _empty_array
    jabber:hostsCommaDelimitedString = "domain.com,ODSERVER-01.domain.int"
    jabber:hosts:_array_index:0 = "domain.com"
    jabber:hosts:_array_index:1 = "ODSERVER-01.domain.int"
    jabber:setStateVersion = 1
    jabber:startedTime = "2015-04-09 19:44:53 +0000"
    jabber:readWriteSettingsVersion = 1
    The strange bit is that on the Messages page it shows Available on your local network at ODSERVER-2.local, while the hostname on the main overview page shows the correct hostname.
    So I'm a bit at a loss where to go from here.  But while I'm poking around the interNETz, I figured I'd chime in here to see if you guys could give me some sweet sweet assistance.
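    As an added diagnostic (not part of the post above), the following script parses the `serveradmin fullstatus` key = value output quoted in the post and checks each jabber host against a list of service principals. It assumes Messages Server's Kerberos service principals take the form xmpp/<host>@<REALM> (an assumption) and that the principal list was obtained separately; the realm, principal list and status excerpt below are constructed.

```python
"""Check the jabber hosts from `sudo serveradmin fullstatus jabber` against
Kerberos service principals. Added example; not the forum poster's code.
Assumption: Messages Server uses xmpp/<host>@<REALM> service principals."""
import re

# Constructed excerpt mirroring the serveradmin output quoted in the post.
FULLSTATUS = """\
jabber:state = "RUNNING"
jabber:servicePortsRestrictionInfo = _empty_array
jabber:hostsCommaDelimitedString = "domain.com,ODSERVER-01.domain.int"
jabber:hosts:_array_index:0 = "domain.com"
jabber:hosts:_array_index:1 = "ODSERVER-01.domain.int"
jabber:currentConnections = "0"
"""

# Constructed principal list for a hypothetical realm DOMAIN.INT.
PRINCIPALS = [
    "xmpp/ODSERVER-01.domain.int@DOMAIN.INT",
    "afpserver/ODSERVER-01.domain.int@DOMAIN.INT",
]

# serveradmin prints either key = "quoted string" or key = bare_token
LINE_RE = re.compile(r'^(?P<key>[\w:.]+) = (?:"(?P<str>[^"]*)"|(?P<raw>\S+))$')


def parse_fullstatus(text):
    """Return a dict mapping each serveradmin key to its (unquoted) value."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m["key"]] = m["str"] if m["str"] is not None else m["raw"]
    return result


def jabber_hosts(status):
    """Collect jabber:hosts:_array_index:N entries ordered by numeric index."""
    prefix = "jabber:hosts:_array_index:"
    entries = [(int(k[len(prefix):]), v) for k, v in status.items() if k.startswith(prefix)]
    return [v for _, v in sorted(entries)]


def check_hosts(hosts, principals):
    """Classify each host: 'ok' if an xmpp/<host> principal exists,
    'local' for Bonjour .local names (a KDC never has principals for those),
    otherwise 'no-principal', which is what a GSSAPI client would trip over."""
    have = {p.split("@", 1)[0].lower() for p in principals}
    report = {}
    for host in hosts:
        if host.lower().endswith(".local"):
            report[host] = "local"
        elif f"xmpp/{host.lower()}" in have:
            report[host] = "ok"
        else:
            report[host] = "no-principal"
    return report
```

    Run against the post's own host array, domain.com comes back as no-principal while ODSERVER-01.domain.int is ok, and the ODSERVER-2.local name shown on the Messages page is flagged as local.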

  • Question about Java GSS-Kerberos authentication

    Hi,
    I am new to GSS API. I have a client requirement to use Java GSS Kerberos Authentication instead of using IIS for Integrated Windows Authentication. In IWA, the IE browser automatically picks up the logged-in windows user credentials and passes it to IIS, which authenticates you against Active Directory and returns SUCCESS.
    We are planning to write a Servlet/JSP code on Apache Tomcat on Solaris 10, which uses Java GSS API to do Kerberos Authentication and return SUCCESS to the user. When I look at the examples:
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html#RunAc
    it says:
    "You will be prompted for your Kerberos user name and password, and the underlying Kerberos authentication mechanism specified in the login configuration file will log you into Kerberos. If your login is successful, you will see the following message: Authentication succeeded!"
    Does this mean that in Kerberos Authentication using Java GSS API, the user will have to enter his windows credentials for authentication? Is there a way for the credentials to be passed from Windows automatically to the API, without user intervention?
    Any links detailing the procedure would be of great help.
    Thanks,
    shetty2k

    We are having a similar requirement from our end. To make the situation worse, I do not even have an idea about an approach.
    What are the ways that we can use windows credentials to authenticate against IIS with tomcat?
    any help is greatly appreciated.
    R.

  • Active Directory - Open Directory Magic Triangle

    I have a 10.5.5 server that I am trying to bind to our AD so I can provide SSO to our Mac users.
    I start from a Standalone installation and bind to AD through the Directory Utility without issue. The server's computer record is created in AD. However, I am unable to join a Kerberos realm because the "Join Kerberos" button never appears in the Open Directory settings in Server Admin.
    I thought this part should be straight forward, but I am unable to get the button to appear. Am I missing something here?
    Any help would be greatly appreciated.

    Hi
    If you can verify the edu.mit.Kerberos file has been created in /Library/Preferences then you have received your ticket and in that sense you are already 'joined'.
    For lack of any definitive documentation I think the 10.5.4 Combo Update has made AD binding much simpler and easier. Because of this the button is no longer there because it's no longer required? I've not had time to do any extensive testing but I think this is the case? If your Server Install Disk is 10.5 or 10.5.2 and you leave it as it is rather than updating I think you do see the button?
    Tony

  • Purchase question, Network Magic

    I have a personal home network with 2 PC on it. If I buy the full version of Network magic will I need to buy 2 copies (about $80) or does one copy cover all the computers on my network (Is there a Mac version?)?

    Wrong forum but here's the answer anyway.
    * Network Pro 5.5: 8 computers
    * Network Essentials 5.5: 3 computers
    * Network Basic 5.5: 8 computers
    The Mac version is sold as an add-on. Here is where I got the info from: http://www.purenetworks.com/product/compare.php
    I don't work for Cisco. I'm just here to help.

  • Ubiquitous question mark in triangle shape

    I have seen this pop up several times in the last week, on the net, on PowerPoint presentations. Someone in the audience at the PowerPoint presentation yelled "It's a PC problem."
    Anyway, here it is:
    Can anyone here identify the cause of this anomaly?

    There is always some idiot in the audience who will yell stupid things about the issue being a PC problem or a Macintosh problem ...
    Without seeing the actual PowerPoint presentation file as well as the fonts involved, a definitive diagnosis cannot be provided. Having said that, instinct would suggest that the problem is associated with cross-platform differences in character sets used by PowerPoint and/or differences in the fonts between the platforms. This is exactly why using PowerPoint files, as opposed to a PDF file (with all fonts embedded) created from the PowerPoint file, for an actual presentation is not a particularly good idea.
    One of the problems is that PowerPoint on Windows and PowerPoint on Macintosh handle fonts and character sets differently. PowerPoint on Windows has used Unicode encoding for a number of years; I believe that PowerPoint 2008 on the Macintosh is the first Mac version to support Unicode, at least for new documents.
    - Dov
