What is a Mac client joined to an Open Directory server supposed to show?

... at login?
I mean, does it usually show a list of every Open Directory user, so that the user in front of the machine chooses their corresponding profile, enters the password and goes straight in, just like with local users?
Or does it show a couple of blank fields with user name and password?
Either way, can you configure that to best suit your needs and taste?
Thank you.

I generally deliberately have very few local users on the client, and they're generally also marked as being hidden from the login displays. Most users are domain users. And I tend to use the user-n-password box setting on the clients, possibly with a banner message.
Preferences, LOGIN it says "These setting cannot be managed for users", the same with workgroup.
You need to manage this via the client computer or computer group entries, and not via per-user or user group entries. It's the computer and not the user that establishes these preferences. (It makes sense, once you grok the logic here. But that existing diagnostic message could more helpfully be phrased as how you can do this, rather than how you can't. As "Hey, admin-dude, go tweak this knob over in computers or computer groups, kthnxbye" or some such, and not as this "I'm sorry Dave, but I can't do that" message.)

Similar Messages

  • When I integrate a Mac client into the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?

    When I integrate a Mac client into the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?
    I don't want everyone to be able to integrate a Mac client into the Open Directory without authentication.
    I want it to ask me for the diradmin account to integrate a Mac OS X client into the Open Directory domain of Lion Server.
    I have made a magic triangle
    Thanks

    Malik-O wrote:
    When I integrate a Mac client into the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?
    I don't want everyone to be able to integrate a Mac client into the Open Directory without authentication.
    1) I want it to ask me for the diradmin account to integrate a Mac OS X client into the Open Directory domain of Lion Server.
    Authentication (with open directory admin username & password) is off by default. In Mountain Lion there is no longer a GUI to manage that and some of the other binding options. In Lion, I think you could use Server Admin (or was it Workgroup Manager) -- I can't remember, but there were little checkboxes.
    To make authentication mandatory in Mountain Lion, you can use this on the Server:
    sudo slapconfig -setmacosxodpolicy -binding required
    Use the following to check the binding policies:
    slapconfig -getmacosxodpolicy
    You might want to check the slapconfig man page, you'll find some of the other options that were in Server Admin in Lion, e.g. disable cleartext, block man-in-middle, etc.
    Edit, I just saw you're still using Lion Server, not Mountain Lion. I'm pretty sure the above commands will work on Lion Server as well.

  • 10.3.9 clients not working with 10.4.9 open directory server

    I have a 10.4.9 server running open directory and managing about 20 10.4.9 clients. I am trying to have it manage our remaining 10.3.9 clients, but for whatever reason, I cannot seem to get the 10.3 clients to "attach" to the server.
    I have the 10.3 clients set up in a computer list on the server, and in directory access I have it set to "get ldap mappings from server". At one point, it was suggested to me that I have the clients "get ldap mappings from open directory server". I tried this, and manually set the search base suffix. My search base suffix was "dc=example,dc=local". I even tried doing "cn=config,dc=example,dc=local" (where in both cases example.local was replaced with my real DNS name). Any suggestions on what else I could try to get this to work?

    That's the odd thing though. I've done this with 10.4 no problem. Settings always worked. For some reason though, even though the clients are able to login using a network user, none of the preference settings sync.
    For example - I always put a loginwindow message on as a sort of "test" to see if preferences are being set. If that works, then I rarely have a problem. No matter what I do, though, I cannot get the loginwindow message to display on the 10.3 clients. It works really well on 10.4, but not at all on 10.3. I've tried this on multiple 10.3 machines, as well, (and they're both based on different system images) but it still doesn't work. When I get back to work on Friday, I'll have to see if preferences will work for network users; that's the one thing I haven't tried.
    Other than dumping the directoryaccess preferences, is there another preference setting that could be dumped on the client that may make it grab prefs from the server?

  • Open directory server crashing every 30 days / clients unable to connect to calendar, contacts server

    Hello everyone,
    I am running an up-to-date Mavericks Server which serves exclusively as a calendar and contacts server for about two dozen devices. The server is reachable via DynDNS; however, the public IP hardly ever changes (only once or twice a year maybe). Tried setting the OS X DNS Server to serve "all clients" and "some clients".
    For about 6 months (i.e. also under Mountain Lion), I am having a very strange problem. Roughly every 20-30 days, clients will not be able to connect to the server, instead getting a "wrong password" dialog. Restarting the open directory server will help for the next 30 days.
    I have tried repairing the database as detailed here, however, the issue persists.
    Any help would be highly appreciated!
    I would have tried setting up a clean server installation, migrating calendars/contacts manually and re-adding all users by hand; however, I am not aware of an easy way to do so. The terminal command for calendar backup is broken under Mavericks (might work with this workaround) and re-adding users manually would apparently involve correcting user UUIDs afterwards in order to match the migrated calendar data. Do you know of a better approach?
    Thanks a lot!
    DPSG-Scout

    Hi Linc,
    This looks the most relevant to me:
    opendirectory.log
    2014-03-11 11:13:09.460675 CET - 333.2628758.2628759 - Client: Python, UID: 93, EUID: 93, GID: 93, EGID: 93
    2014-03-11 11:13:09.460675 CET - 333.2628758.2628759, Node: /Local/Default, Module: PlistFile - predicates with 'AND' are not supported
    2014-03-11 12:09:00.296514 CET - State information (some requests have been active for extended period):
              Sessions: {
                  28 -- opendirectoryd:
                              Session ID: 7BFBA6FE-A968-4399-A129-E3A5945E2A81
                              Refs: singleton
                              Type: Default
                              Target: localhost
              Nodes: {
                  43 -- authd:
                              Node ID: 6D0E236D-6DBD-4E8C-BC01-B3F50C2C2D8E
                              Nodename: /LDAPv3/127.0.0.1
                              Session ID: <Default>
                              Refs: 1
                              Internal Use: X
    and many more similar ones…
    Thanks for your effort!

  • 10.7.5 client shows open directory server not responding

    Hello,
    I am just starting to learn to use OS X Server. I have created an Open Directory Master and want to connect my various Macs around the home to it. My iMac is currently running 10.7.5 client and I have tried to add the server as a Network Account Server - re: below, but it shows it is not responding.
    As I am a real novice, have I missed something and how do I get this to work?
    Thanks,
    Nick

    You are likely having issues because you are not using DNS correctly. The name "CowShed.local" is a Bonjour name. In order to properly use Open Directory you need DNS set up internally. The reason is that the Kerberos component of Open Directory is very dependent on DNS.
    Generally, I would discourage the use of bogus top level domain.  However, since you say this is for home use, you can likely get away with the use of one (mac.leedern.int, mac.leederm.private, etc).  However, if you do, then you will not be able to use hosted services (mail, calendar, contacts, etc) transparently between the home and external networks (names will not route).
    If you own a domain name, you can use it internally and set up your DNS on the server. Then distribute the server's LAN IP address to all clients as the first DNS server. This way, all your client devices can resolve the server's host name while on the LAN.
    Your journey starts at DNS.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • I cannot open Adobe Reader on an iMac joined to an Open Directory server

    Dear All,
    I set up a Mac OS X 10.6.2 server with Open Directory.
    I created several network accounts on the server.
    I have some iMacs on 10.6.2, and users log into the server and work with their remote files.
    The user preferences /Library/Preferences are stored on the server.
    No homes are on the iMacs (local).
    This configuration causes me some problems, particularly with the latest version of Adobe Reader.
    When I open Adobe Reader for the first time and accept the license, it crashes and asks me to send a report to Adobe. But if I log in with a local account (admin), I can open it. It freezes only with a network account.
    I think it is because it cannot read or create the Adobe Reader preference file on the server. But the user has permission to write into the remote home folder (on the server).
    Do you have an idea why I cannot open Adobe Reader with a network account?
    Many thanks for your advice

    This is a known problem with no known solution. I believe it predates SL and existed with Leopard and perhaps earlier network-based accounts.

  • 10.4.8 open directory server 10.3.9 clients desktop

    OK, the 10.3.9 clients to my 10.4.2 open dir server could not find their home directory on login. I changed the contacts tab in the 10.3.9 directory access utility program, which seemed to fix things - but things are not completely perfect:
    upon login, the user's custom desktop pattern is not loading.

    Further to this problem.
    I have downgraded a machine to 10.4.3 and the same problem occurs. If I restart the machine, the local user account is the only one that appears. If I log in through that and log out again, the full list of network users reappears. I can then log in as a network user; all files and folders are there, all permissions seem to be respected and the user can work fine.
    If you then log out, log in as the local user and log out again, network users are able to log in again for perhaps 2 subsequent logins and then the machine hangs.
    I had a look at my AFP error log, which is normally empty, and there was some MMAP error entry; sorry, I'm at home and doing this from memory.
    I suppose the ultimate answer is to upgrade my server to 10.4.x, but this being Botswana that could take a while. I could downgrade the Minis to 10.3.9 but they don't seem to like that much either.
    This is all a bit weird, as I tested this with a sample machine at 10.4.5 and .6 before upgrading the room.
    Phoning Apple is not really an option here in Botswana so please feel free to wade in.
    Also found the same problem at this URL http://lists.apple.com/archives/client-management/2006/Apr/msg00122.html

  • Adding a windows client to a sun one Directory server running on Win 2000

    Hi,
    I am a newbie to Sun ONE Directory Server but I am familiar with Windows Active Directory.
    I have followed the instructions and installed Sun ONE Directory Server on Windows 2000 Server using a typical setup, created a domain and also created some users in that domain.
    The next thing I wanted to do was to add a Windows 2000 Professional desktop to this domain and log in with one of the user accounts. I tried adding the computer to the domain via the "My Computer->Network Identification->Properties->Domain" option and gave the domain name as the one I created on the Sun ONE Directory Server, but I get an error saying that the domain was not found.
    Am I missing something here? Do I need to install some client piece on the Windows 2000 desktop to add the box to the Sun ONE domain and log in as one of the users?
    Any help will be deeply appreciated.
    Thanks,
    Raj...

    yes, you can use samba for a windows client to login to ldap
    http://www.samba.org/samba/docs/man/Samba-Guide/happy.html#id2536158
    , but for windows XP clients you need to tweak the registry
    http://www-jerry.oit.duke.edu/linux/docs/samba/winxp_client_registry_edit

  • Microsoft office issues with clients bound to my Open Directory Master

    So I converted all of my clients from having a local account on their machine to being bound to my Open Directory Master with a home folder on the server. I deleted their local account on their client machine and then bound it and logged in with their server account. I launch Microsoft Entourage, Excel and Word and I get weird errors when the applications launch. So I reinstalled on the local admin account of the client machine and all applications now work except for Microsoft Entourage.
    I can set up an account... see my Exchange email server but no email. Nothing. If I log the client machine out of the OD master account and log into a local account on the machine, everything works fine. Am I missing something? I even set up the user account in the allowed applications to run the Microsoft Office suite, with no change.
    thanks,
    Jess

    Note Microsoft Office does not support server-based home directories. You can use portable home directories which syncs stuff down to the client (like a roaming profile but "better" )
    As far as errors with application launch, etc., check the permissions on the applications themselves. Office has an annoying habit of installing itself as the user who installs it (well, except Office 2008 which installs itself as user 502, always, lol). Ensure the permissions on the applications make sense -- this will take some command line use of chmod and chown.
    Also ensure that your home directory permissions are mapped to the user you're logged in as. If you move from local accounts to server-based accounts the UID on the home directory will not automatically change properly, and Microsoft stores its stuff in ~/Documents/Microsoft Office Documents which will have the owner/permissions of who initially created that directory.
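
The ownership check suggested in the reply above, as an added example that is not part of the original post: a read-only summary of which numeric UIDs own entries under a folder (a migrated home directory or the Office application folder). The function names, the folder and the expected UID are assumptions supplied by the admin.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: reports ownership, changes nothing.
# Hypothetical helper names; DIR and EXPECTED_UID are chosen by the admin.

# foreign_owner_summary DIR EXPECTED_UID
#   Prints one "<numeric-uid> <entry-count>" line for every owner other than
#   EXPECTED_UID found under DIR (DIR itself included). Prints nothing when
#   every entry already belongs to EXPECTED_UID.
foreign_owner_summary() {
    dir=$1
    expected=$2
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    case $expected in
        ''|*[!0-9]*)
            echo "expected UID must be numeric: $expected" >&2
            return 2 ;;
    esac
    # ls -n prints the numeric owner in column 3. Numeric IDs matter here: the
    # old local UID usually has no name in the directory the client is bound to.
    # The mode-string filter skips stray lines caused by file names that
    # contain newlines.
    find "$dir" ! -user "$expected" -exec ls -ldn {} + 2>/dev/null |
        awk '$1 ~ /^[-dlbcps][-rwxsStT]/ && $3 ~ /^[0-9]+$/ { n[$3]++ }
             END { for (u in n) print u, n[u] }' |
        sort -n
}

# foreign_owner_total DIR EXPECTED_UID
#   Prints the total number of entries not owned by EXPECTED_UID.
foreign_owner_total() {
    summary=$(foreign_owner_summary "$1" "$2") || return 2
    printf '%s\n' "$summary" | awk 'NF == 2 { t += $2 } END { print t + 0 }'
}
```

A non-zero total for the network account's UID shows how much of the tree still belongs to the old local account (or to the installing user) before any chown is planned.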

  • Mac Client that can connect to Terminal Server Gateway

    Anyone know of a Mac app that can connect to a remote computer via a Terminal Server Gateway?  The Windows version of MS Remote Desktop will do this but of course that is Windoz only.

    You could try CoRD.  I don't know if it has the TS gateway option either, but it is an RDC client.
      CoRD (Microsoft RDC Screen Sharing)
    <http://www.macupdate.com/info.php/id/22770/cord>

  • Open Directory: After enabling of SSL encryption the Open Directory server is not reachable anymore! What's wrong?

    After enabling SSL encryption on LDAP I can't connect to the LDAP anymore. I think Lion Server now supports SSL encryption for Open Directory.

    .....

  • Is there any way to log in to active directory from a mac without joining the AD domain?

    I am looking for a way to log in to Active Directory without having the Mac join the AD domain. Basically I have not been able to understand all the ramifications of joining the AD domain. From what I have read in various documentation on the Apple site and some of the AD plug-in sites, it seems that if the Mac joins the domain, all kinds of group policies get 'transferred' to the Mac experience. How exactly does that affect the privileges of the local Mac user on their machine? Do they need to change their Mac password? What happens to their existing home directories? What happens when they have their laptops at home?
    TIA
    Costas Manousakis

    Costas Manousakis wrote:
    The reason I am hesitant about binding the Macs is that I'm not sure what all the effects of that are. Will they have to change their Mac passwords / usernames? More than likely the auto login will have to go. If there are multiple accounts on the Mac (e.g. one admin account and other regular and admin accounts), how does binding affect them? How will it work when the Mac is not in the office? If they have admin rights on the Mac but not on the Windows AD, how will that affect them? Do you know of a source I could go to to find answers for questions like these?
    Unfortunately, the source for answers should be your IT department. I can tell you how my machine works. I have a personal machine with no restrictions and a work machine bound to an Active Directory domain. Even my work machine has few restrictions compared to normal. I have a privileged account I can use if necessary. Also, I'm pretty much a goody-two-shoes so I don't try to circumvent restrictions.
    Basically, the Mac uses a system called Open Directory to manage user accounts. Every Mac comes with its own miniature Open Directory server. If you have a network with MacOS X Server, you can use the server's Open Directory. You can also use Microsoft's Active Directory to perform all the same tasks. The user's logins and passwords would be whatever is on Active Directory. They can change their password on the Mac and it will change the Active Directory password. Active Directory can enforce password expirations too.
    I am not an Active Directory administrator, so I can't give you specifics. Pretty much everything you have mentioned can be controlled via Active Directory. That is what it is for. It does require active participation of your IT staff. If you don't have that, then I don't see it working out well. It sounds like a paradox. IT wants to control users, but doesn't want to deal with it. You can't have it both ways. Maybe let it be known among the Mac users that visiting those restricted sites could cause IT to get rid of Mac altogether. That does sound like a probable outcome.

  • Best way to connect mac clients through Lion Server to AD?

    Ok, so here's what we are trying to set up for our school network. We currently have a 2003 server system hosting our PCs.
    Authentication - through 2003 server AD
    When client logs in:
    Mac Client -------sends info to --------> Lion Server ----passed data through to-----> 2003 Server
    2003 Server -----responds with authentication----> Lion Server ---applies profile management to client------> Mac Client
    My thought is that Lion Server needs to connect to the 2003 server via the active directory setup in Users and Groups, but the clients should be connecting to the Lion server via LDAP3.
    We can authenticate to the AD server directly from the clients or from the server, no issues there. Yet putting the Lion Server in "attached to another server" mode in Server Admin Tools doesn't Kerberize, even after giving proper permissions to the server via AD. I'm assuming that Kerberization needs to happen in order for Lion Server to pass the login data from the Mac client to the 2003 server and vice versa, right?
    Also, we would like to have the users' 2003 network user folders on the desktop automatically, or preferably what they access when they go to Home. I noticed some options in Profile Manager as well as Workgroup Manager to make this happen. I assume that once the data between the 3 is working properly, this will be close to a no-brainer.
    So, advice is much appreciated here, first time setting up this type of hybrid system. Thanks!

    I appreciate all your help. I really do.
    This is basically what I needed to know - You said,
    "The audio out on a TV will source whatever input is associated with the current screen."
    With my current macmini to TV setup - I have to have a separate audio line (apart from the dvi cable for video ) to the TV. I was not sure if that macmini audio line to the TV would transfer to the receiver. If it did not then I assumed (since the macmini only has one audio out line that I would have to split that audio line - one to the TV and one to the receiver ). That was my thinking anyway, but if whatever is on the screen will transport to the receiver then I should have no problem.
    Thank you again for helping me think through this.
    Pete

  • Mac 10.5.8 Client automatically unbinding from Active Directory on reboot

    I have one 10.5.8 iMac client that is bound to Open Directory and will also bind to Active Directory simultaneously. It works and is able to authenticate accounts in both directories. After a restart or shut down, the Active Directory binding and listing in the Directory Utility is gone. After reboot, the login screen also states (yellow light) Some Network Accounts available. After I log in locally and look at the Directory Utility, it shows only the Open Directory server listed. Why is it losing its binding to Active Directory? If it is not bound to Active Directory at all after a restart, why does it state only "Some Network Accounts Available"?
    I have repaired disk, repaired permissions, trashed Directory Preferences, rebound and re-imaged. It is the only station out of 16 that is behaving this way.

    Two things to look at...
    http://support.apple.com/kb/HT3394
    http://support.apple.com/kb/TS2691
    Hope this helps.
    Thanks,
    Don

  • 10.6 Client and 10.7 Server Open Directory

    I've got a Mac Mini running Lion Server. It's configured as an Open Directory Server.
    And I've got some 10.6 Clients running on the same local network.
    All Clients have the Mini Server as DNS Server.
    And now I want to use Network Accounts from the 10.7 Server on the 10.6 Clients.
    I've connected the 10.6 Clients to the Server (without SSL) and all Clients say "Network Accounts available".
    But if I try to log in on the Client it just shakes the login window. I've tried it on all my Clients with different Accounts but nothing worked.
    It just won't work! But why? Can you please help me?
    What am I doing wrong? Or is the combination of 10.6 Clients and 10.7 Server not supported by Open Directory on 10.7 Server?
    Thank you !

    Check your authentication against the server from one of the clients using the following command:
    dscl /LDAPv3/<server name or IP> authonly <shortname of an account that cannot login>
         The server name should be the same name or IP you used when binding your 10.6 client to a 10.7 server.
    If you get the response "Failed to authenticate user <shortname> (tDirStatus: -14103)" you are having the same issue I was having. I found an answer to this, but you are not going to like it.
    Apparently Workgroup Manager and Server.app deal with accounts differently. If you are using Workgroup Manager to import a long list of accounts, don't. Server.app needs to write an additional setting that is not part of Workgroup Manager or in Passenger I doesn't work correctly with accounts that have home folders that are not local. Here are the steps I used to resolve the issue:
    Export all your accounts and groups
    Using Server Admin, demote your OD to a standalone directory
    Once the demotion is complete, use Server.app to promote your server to an OD Master
    Update: I've not found it to make a difference if you use server.app or Server Admin to configure your Open Directory Master.
    Once the server is again an Open Directory Master, import the users that you exported using Server.app instead of Workgroup Manager.
    If you are importing groups, set the Home Directory by editing the account in Server.app before importing groups to avoid overwriting your group settings. Thankfully, you can select multiple accounts at a time.
    Import your groups using Server.app
    Verify group membership and test the logins
    If you test the login using the dscl command from above, you should get no error after entering the password, but as long as you have a bound client, you should be able to login at this point.
    Hope this reaches you in time to help.
