Windows users and open directory
Since Server for 10.7 I've found I've had to create Windows users as local users rather than local network users to give them access to shares via SMB. Is this correct, or am I missing something? I was aware that you can't bind a Windows PC to Open Directory, but can it not authenticate at all through OD?
thanks
If I understand your question, then you are looking for a tool like Centrify. This will put all management on one platform.
Similar Messages
-
10.6 home directory mounting with active directory and open directory integration
Hi guys i am having some issues in my new mac environment. I have a windows network with an server 2008 active directory. I have just recentlly created a "magic triangle" setup with active directory and open directory. When my users login via windows their home folders mount perfect. When any user logs in to any iMac in the building it does not work. They login perfectly fine, but their home folders do not mount. When i try mounting them manually with smb, i get a prompt for credentials. I am thinking this is my issue, my Single sign on with kerbos is working but for some reason is not logging in correctly. If i type in my credentials with my domain first then my name it works.
For example DOMAIN\jsmith works, but the way i think the mac and active directory is doing it now is just jsmith without the DOMAIN.
I feel like this is the problem with the home folders not mounting.
Can anyone provide some help with this?
Thanks,
DaniHi dani190,
are you using the fully qualified domain name of the network server? ie if your server is bob. and your domain is domain.company.com. then the FQDNS would typically be bob.domain.company.com or bob.company.com.
If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
For the contact search path, did you put the AD at the top the list? (in directory utility)
Did you set the WINS work group on your client computer to your domain?
ie:Apple Menu, System Preferences, Network, Active Network Port (ethernet and or airport) , Advanced Button, WINS Tab, set workgroup to the name of your domain. ie domain.company.com and or company.com -
SSH user, via Open Directory, can't SUDO...
On three of my Xserves I have SSH access restricted to a handful of users and these users are Open Directory-based users. Aside from the fact that these users don't have a home directory on the servers they connect to (as they're not local users to those machines), I'm having an issue where, when they try and run a command via SUDO, they get an error stating they are not in the sudoers file and thus can't complete the command.
I'm wondering if anyone has a solution for this? Should I not be using OD-based users for SSH?
Thanks,
Kristin.Sure, you can use OD-based users and sudo.
Maybe add your users to the domain's Administrators group, which, by default, would grant sudo on the member machines. Careful, though, as that's the _domain_ administration group. If you need to restrict access so they can't make domain admin level changes but so they can do just about anything on your member servers and workstations, you could just create a new sudo group, maybe called "sudo-admins" then append an appropriate line to the sudoers files on all of your machines... maybe a line that reads:
%sudo-admins ALL=(ALL) ALL
(standard warning about using caution while editing sudoers goes here -- be careful) -
Windows users cannot open my Pages documents
Even though I check Windows Friendly Attachment, Windows users cannot open my Pages documents. Is there anyway to fix this problem?
KOENIG Yvan wrote:
I decided that I will not replicate what is printed in the available documents.
If the only questions we're going to answer are the ones that aren't already answered in the manual, then these discussions will consist of little more than directing people to page numbers. Yes, it would be nice if people read the manual before posting here. But everyone's brain works a little differently, and I don't mind if nice people ask questions that can be solved by reading the manual or doing a search in this discussion group. Even figuring out how to find things in the manual isn't intuitive to a lot of people.
In terms of helping people, it's actually a lot less work to provide a solution for them than to look it up in the manual, then come back and report the page number.
We have a saying in America that goes like this: Different strokes for different folks. You can thank Sly and the Family Stone for that one.
-Dennis -
How to create windows users and groups from Java
Hi,
Can any one please tell me, which Package/API will helps to create windows users and groups from Java.
Thanks,
M.Prem.You can't do it with pure Java, and it's not in the core API. You'd have to write a native function to do it, using whatever API Windows provides, and then call it with JNI. Or look for a third party native-based Java library that already does that.
-
hi guys,
i'm a windows user and i really like to switch to mac. i really want to buy macbook pro (non-retina) the latest version because of it's cool features. considering now is already december 2014 should i buy it ? or buy other mac or laptop ? i'm still in high school and only use laptop for doing task,watch movies,hear music, games and some other basic stuffs. can you guys help me choose ? thanks ! appreciate for the reply.Watch the Apple Online Store’s refurb section for non-Retina 2012 models. The 2.9 GHz model is a very nice machine and there were some available within the past week. Check daily, because they go fast. I bought one last summer and I love it, but I am not playing games on it. B&H Photo still has some 2012 models, also.
http://www.bhphotovideo.com/c/product/1014775-REG/apple_z0mt_md1014_13_3_macbook _pro_notebook.html
http://www.bhphotovideo.com/c/product/1011230-REG/apple_z0mt_md1013_macbook_pro_ ci7_2_9g_8gb_1tb_13_3.html
ThisIsAey wrote:
I don't like the 'non-retina' MacBooks, why downgrade when for £100-£200 more you can get a retina Mac which looks and feels 100x better.
It's hardly a downgrade to those of us who care about being able to upgrade our Macs ourselves if and when we need or want to do so. For me, having a FW800 port is also a consideration. -
Adobe Premiere CS5 and Open Directory users - Premiere fails to start
We have several class rooms with desktops that are configured for Open Directory.
When a student logs in he's actually working in his home folder on the server and his user is also managed by the server.
This works fine for all the applications that we're using except for Adobe Premiere CS5 and Adobe After Effects CS5. Whenever a student tries to start one of them the application will hang and only a force quit can stop it. It is impossible to start these applications.
However, it is possible to use Premiere and After Effects using a local standard on the desktops. But I don't want to go that route. I want the managed users to be able to use those applications.
Has anyone found a solution for this?
Are you able to use this applications in a same environment?
I've played a lot with the permissions on the library, system and Adobe folders, but the problem doesn't seem to be related to them.
Setup:
AFP Server: Xserve intel running Mac OS X Server 10.6.5
OD Servers: Mac Mini Servers running Mac OS X Server 10.6.5
Clients: iMacs intel running Mac OS X 10.6.6Safe Mode disables a lot of drivers and services, like networking. That would seem to indicate that something is running on your system that interferes somehow.
I'm just not sure how you'd go about tracking that down. -
Directory Binding Script (Active and Open Directory) 10.7
Hi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN" # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME" #Name of the Domain as specified in the search paths
udn="YOURADADMIN" # username of a privileged network user
password="YOURADPW" # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN" # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred $domain" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow" # allow | disable | require
packetencrypt="allow" # allow | disable | require
passinterval="14" # number of days
namespace="domain" # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook="" # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
# These variables probably don't need to be changed
# Determing if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
check4OD=${check4ODtmp//[[:space:]]/}
echo "Found LDAP: "$check4ODtmp
check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
check4ODacct=${check4ODaccttmp//[[:space:]]/}
echo "Found LDAP-Computer-Account: "$check4ODacct
else
check4OD=""
check4ODacct=""
echo "No bound LDAP Server found"
fi
if [ $oldComputerGroup != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
check4ODgroupMembership=$check4ODgroupMembershiptmp
echo "LDAP Group Membership in Group: "$oldComputerGroup
else
check4ODgroupMembership=""
echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
check4AD=${check4ADtmp//[[:space:]]/}
echo "Found AD: "$check4AD
check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
check4ADacct=${check4ADaccttmp//[[:space:]]/}
echo "Found AD-Account: "$check4ADacct
else
check4AD=""
check4ADacct=""
echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
StartService ()
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
touch /var/run/NetworkTime.StartupItem
echo "Starting network time synchronization"
# Synchronize our clock to the network’s time,
# then fire off ntpd to keep the clock in sync.
ntpdate -bvs
ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "This computer is bound to the following Open Directory Services:"
dscl localhost -list /LDAPv3
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
sleep 5
if [ "${check4ODacct}" == "${computerid}" ]
then
echo "This machine already has a computer account on $oddomain."
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
echo "Found GUID: "$GUID
if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
then
echo "Removing entry from group $oldComputerGroup"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
fi
echo "Removing Computer entry $computerid in OD"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
fi
#List existing Directories
echo "Removing OD-Binding to "$check4OD
dsconfigldap -r "$check4OD"
echo "Removing Search Path entries"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
sleep 5
else
echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "Found:"
dscl localhost -list /LDAPv3
echo "Removing OD-Binding to "$check4ODtmp
dsconfigldap -r "$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
sleep 5
else
echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
echo "This computer is bound to the following Active Directory Services:"
dscl localhost -list "/Active Directory"
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
sleep 5
echo "Removing any existing AD-Binding to "$check4AD
dsconfigad -f -remove -username "$udn" -password "$password"
echo "Removing Search Path entries"
if [ "$preferred" != "-nopreferred" ]
then
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search/Contacts -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
fi
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
fi
sleep 5
else
echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
rm -R /Library/Preferences/edu.mit.Kerberos
fi
if [ -d "/etc/krb5.keytab" ]
then
rm -R /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Damin "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ $computerGroup != "" ]
then
echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
LEN=$(echo ${#adcomputerid})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
computeridtmp=$adcomputerid
else
echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
echo "Removing any -"
computeridtmp=${adcomputerid//-/}
LEN=$(echo ${#computeridtmp})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
else
echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
computeridtmp=${computeridtmp:(-15)}
fi
echo "Cropped Computername to "$computeridtmp
fi
else
computeridtmp=${check4ADacct//$/}
echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad "$preferred"
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
csp="/Active Directory/$domainname/All Domains"
else
csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
cspadall="/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook $newLoginHook
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0 ## Success
exit 1 ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
SeeHi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN" # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME" #Name of the Domain as specified in the search paths
udn="YOURADADMIN" # username of a privileged network user
password="YOURADPW" # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN" # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred $domain" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow" # allow | disable | require
packetencrypt="allow" # allow | disable | require
passinterval="14" # number of days
namespace="domain" # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook="" # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
# These variables probably don't need to be changed
# Determing if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
check4OD=${check4ODtmp//[[:space:]]/}
echo "Found LDAP: "$check4ODtmp
check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
check4ODacct=${check4ODaccttmp//[[:space:]]/}
echo "Found LDAP-Computer-Account: "$check4ODacct
else
check4OD=""
check4ODacct=""
echo "No bound LDAP Server found"
fi
if [ $oldComputerGroup != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
check4ODgroupMembership=$check4ODgroupMembershiptmp
echo "LDAP Group Membership in Group: "$oldComputerGroup
else
check4ODgroupMembership=""
echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
check4AD=${check4ADtmp//[[:space:]]/}
echo "Found AD: "$check4AD
check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
check4ADacct=${check4ADaccttmp//[[:space:]]/}
echo "Found AD-Account: "$check4ADacct
else
check4AD=""
check4ADacct=""
echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
StartService ()
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
touch /var/run/NetworkTime.StartupItem
echo "Starting network time synchronization"
# Synchronize our clock to the network’s time,
# then fire off ntpd to keep the clock in sync.
ntpdate -bvs
ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "This computer is bound to the following Open Directory Services:"
dscl localhost -list /LDAPv3
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
sleep 5
if [ "${check4ODacct}" == "${computerid}" ]
then
echo "This machine already has a computer account on $oddomain."
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
echo "Found GUID: "$GUID
if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
then
echo "Removing entry from group $oldComputerGroup"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
fi
echo "Removing Computer entry $computerid in OD"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
fi
#List existing Directories
echo "Removing OD-Binding to "$check4OD
dsconfigldap -r "$check4OD"
echo "Removing Search Path entries"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
sleep 5
else
echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "Found:"
dscl localhost -list /LDAPv3
echo "Removing OD-Binding to "$check4ODtmp
dsconfigldap -r "$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
sleep 5
else
echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
echo "This computer is bound to the following Active Directory Services:"
dscl localhost -list "/Active Directory"
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
sleep 5
echo "Removing any existing AD-Binding to "$check4AD
dsconfigad -f -remove -username "$udn" -password "$password"
echo "Removing Search Path entries"
if [ "$preferred" != "-nopreferred" ]
then
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search/Contacts -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
fi
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
fi
sleep 5
else
echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
rm -R /Library/Preferences/edu.mit.Kerberos
fi
if [ -d "/etc/krb5.keytab" ]
then
rm -R /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Damin "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ $computerGroup != "" ]
then
echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
LEN=$(echo ${#adcomputerid})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
computeridtmp=$adcomputerid
else
echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
echo "Removing any -"
computeridtmp=${adcomputerid//-/}
LEN=$(echo ${#computeridtmp})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
else
echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
computeridtmp=${computeridtmp:(-15)}
fi
echo "Cropped Computername to "$computeridtmp
fi
else
computeridtmp=${check4ADacct//$/}
echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad "$preferred"
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
csp="/Active Directory/$domainname/All Domains"
else
csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
cspadall="/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook $newLoginHook
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0 ## Success
exit 1 ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
See -
Screen Sharing and Open Directory (10.8)
I'm trying to allow Open Directory users to login over Screen Sharing to my Mountain Lion servers. I have tried the solution on the page linked below and it isn't working. Maybe I'm missing something:
https://discussions.apple.com/thread/2329389?start=0&tstart=0From the menu bar on the Screen Sharing server, select
▹ System Preferences... ▹ Users & Groups ▹ Login Options
and check the box marked
Allow network users to log in at the login window
If there's a closed padlock icon in the lower left corner of the preference pane, you may need to click it to unlock the settings. Enter your login password when prompted.
Note that this option is only available when the server is bound to a network directory server. -
Creating a windows user in Active Directory
I am trying to create a user in Active Directory that can log on as any other Windows user, but when I try to log into Windows, I get the following error message:
"The local policy of this system does not allow you to logon interactively".
Are there any attributes or objectclass settings that must be set for the user to allow interactive logons?
Thanks in advance!This has nothing to do with JNDI, the object class or attributes.
I assume that you are trying to logon locally to the domain controller with the new user that you have just created.
By default, the domain controller's policy only allows specific users or members of a group to logon locally at the domain domain controller's console.
Either edit the domain controller'sgroup policy and add your newly created user to the list of users permitted to logon locally, or add the user to a group which has already been granted permission to logon locally. -
Active Directory and Open Directory not working
I am experiencing an issue, or several issues that I can't figure out how to resolve.
I have an Active Directory domain set up (running 2003 server R2) and it is humming along quite nicely.
A few weeks ago I got a new XServe running 10.5.4. Booted it up, bound it to AD, and then set up and OD Master on it so that I could manage some new Macs that we have.
The Macs are bound to both directories.
The issue I have comes in when using Workgroup Manager, and trying to add AD user to OD groups. The groups drawer is open, but the little directory menu at the top of the drawer does not include the entry for Active Directory. I see Local, Search Policy, and /LDAPv3/127.0.0.1...
If I try to pull down the directory menu above the user list, I see the following: Loca, Search Policy, Other..., /Active Directory/All Domains, and /LDAPv3/127.0.0.1.
If I select /Active Directory/All Domains from that list I get the following error.
+Unable to open the requested node.+
+The node /Active Directory/All Domains couldn’t be opened because an unexpected error of type -14002 occurred.+
I think these issues are related, but I can find no help on the first item (AD not showing up in the groups menu)
and a search for the second item only reveals the following page form Apple, which means absolutely nothing to me.
http://developer.apple.com/documentation/Networking/Reference/OpenDirectoryRef/Reference/reference.html
The killer is that this all worked at one point. I had an Apple Tech out here and he helped me set up this 'Golden Triangle" method of authenticating against both directories. And it works... sort of... I can create groups in OD and add OD machine accounts to the group to enforce some settings. But I can't bring in AD users, cause I can't see the AD user list.
I hear that this is supposed to work... I can't figure it out.
Any help would be appreciated.
Thanks for your time.
BillHi
Can you access Active Directory from the command line using dscl?
In what order are the LDAP directories listed in Directory Utility on the Server?
Is Kerberos running on the OD Master?
If you issue klist from the command line on the server itself - what is the result?
Or don't bother with any of the above and start again. You've nothing to lose anyway apart from some managed preferences which you can redo in little time. Scrub the configuration in the AD plug-in and demote to Standalone. Restart and go for an AD rebind. Make sure the edu.mit.Kerberos file is created in /Library/Preferences. Launch WGM and you should see AD Users and Groups this time, If you do go for promotion again. What you want to see in the OD Overview pane is everything running apart from Kerberos and the search base reflecting the FQDN of the OD Master. Make sure there is the loopback entry (127.0.0.1) in the LDAPv3 plug in. Finally make sure the OD Master lists itself first in the Directory Search Order.
I'm assuming the Server is configured as Advanced and is updated to 10.5.4.
Tony -
How to create email users with open directory?
I'm trying to used a mac mini as a mail server for my domains. It works well for SMTP server/gateway for multiple locally networked systems running Lion, Mountain Lion and Maverick. The server is running Mavericks 10.9.2 server 3.1.1.
I need to add email users to it, so I tried Open Directory. I added a user with an email address with a domain listed in the mail server's domains. Then used the server app to give the user permission to use the mail service and selected to have the mail be saved on the server.
However, even though I set the mail server to accept any authentication method, I couldn't log in to get mail (via IMAP) from any email client on my computer. I tried Mail and Sparrow.
The IMAP log on the server says 'Disconnected (auth process communication failure)'. I tried everything that I could from the server app and the workgroup manager app. When using 'Mail.app', the IMAP log shows an empty user name. Trying with Sparrow shows the user name in the log, but still fails.
I restricted authentication to Open Directory, but that didn't help either. Tried with Secure Connection and without.
Am I missing something? Is there anything that I need to do to make the server accept IMAP connections? The mail service is running and handling SMTP.
The domain has an MX record pointing the server's domain name.
All the services are secured with a self signed certificate.
Doing a CLI check with 'sudo serveradmin fullstatus mail' results in the following:
[snip]
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "RUNNING"
mail:protocolsArray:_array_index:0:service = "MailAccess"
mail:protocolsArray:_array_index:0:error = ""
[snip]Didn't find a way to edit my post above.
UPDATE:
Trying to log in with Thunderbird showed differently in the IMAP log. It's user disabled instead.
imap-login: Info: Disconnected (user disabled): user=<username>, method=CRAM-MD5, rip=192.168.8.101, lip=192.168.8.99, TLS
How do I 'enable' this user? -
I have created a document on my iPad using the Numbers app. How can I send this via email to a Windows user so that it opens correctly? I know you can export a Numbers document to Excel from a Mac, but is there a way to do that on an iPad?
same thing really. under the wrench is "Share and Print", you choose email and then choose the format (XL).
Jason -
Initial setup and Open Directory problem
Hi,
I'm new to the MAC OS X server system and trying to get one up and running on a G5.
Unfortunately I can’t get the configuration up and running, and I have the feeling it already goes wrong during the initial setup. I was hoping you guys could help me out.
The purpose of the server is providing network user accounts (DNS + Open Dir.) and providing sharepoints.
I go trough following steps while installing from scratch:
- Install MAC OS X and run the Server install package from the OS X Server DVD (as you know, OSX Server is'n installing directly on G5)
- Choose keyboard layout, enter license and create an account "admin"
- Define static IP "192.168.1.1", add this IP as the first in the list of DNS Servers, add "company.local" in the search domain
- Install as a standalone server (so I can configure dns & other network services after basic setup)
- Check "network time server" (so time will be synced for Kerberos)
- Proceed, install and reboot
OSX Server seems to be installed fine and I can login with "admin". Next step I take is configuring DNS.
- create a zone "companyname.local.", use my IP as server address (192.168.1.1) and use "server" as the server name.
- add a machine record for DNS-testing (called "gateway", with the IP of "192.168.1.254")
Start the DNS service and reboot
- perform an nslookup with a second MAC with 192.168.1.1 as the nameserver and verify that DNS is resolving correctly.
DNS seems to be working fine, now I would like to get the Open Directory service to work:
- change "Standalone" to "Open directory master" in the server configuration panel
- provide a password for the directory admin
- use "SERVER.COMPANYNAME.LOCAL" as kerberos realm, and "dc=server,dc=companyname,dc=local" as the search base
- Save & start the service and perform a reboot to be sure all the new settings are in use
Unfortunately after this install open directory doesn't seem to work fine and also Kerberos doesn't start.
Concerning Kerberos: I get following output in the "Slapconfig log" Open Directory log file:
Starting LDAP server (slapd)
command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=maggie,dc=interesourcegroup,dc=local -w **
Hostname server.companyname.local is from Rendezvous
Skipping Kerberos configuration
Sorry to bother you with the entire walkthrough of the installation, but I have the feeling that I'm missing something while performing the basic install or DNS setup .. ?
Regards,
Seppe
G5 Mac OS X (10.4.6) /We currently have a static IP and a public dns hosted
by MediaTemple, so I think I can create a subdomain
on MediaTemple and link it to our fixed IP address
("private.companyname.com" >> static ip) instead of
using dydns.. ?
Of course.
I suppose I can then use "private.companyname.com" as
the zone name on my G5 server and use
"server.private.companyname.com" for my local DNS?
Sounds reasonable.
If using this DNS, what will be the Kerberos REALM
and Search Base? And do I still need to specify
private.companyname.com as the Search Base in the
Network Settings of the clients and server?
Well, REALM and LDAP Search Base can set to whatever you like. On the other hand I've seen tools contacting kerberos servers break when the REALM is not part of the kerberos server fqdn.
So I'd stick with the usual recomandations and set kerberos REALM to your domain name (if there is no other kerberos server alread running and using this).
For the LDAP search domain I'd also follow the road of using domain name space as search base.
When dns will finally be setup properly, these setting will be autopopulated for you in the GUI. So test, test, test you dns with
host $ip and host $fqdn and then go on promoting "Standalone Server" to "Open Directory Master".
HTH
-Ralph -
Migrating NIS users to Open Directory
Was wondering if anyone has any experience with migrating NIS users over to Open Directory? I have setup an Open Directory server (10.6) and am looking to move about 150 users from my NIS server to it.
I can move the users/GIDs easy enough but want to move passwords also so the move it transparent to the users.
Any ideas?
Thanks!The answer appears to be that as long as your local pre-existing account password matches your domain account, then once the machine is bound, shared servers managed by Active Directory are automatically authenticated. No migration necessary. Only issues I came across had to do with old keychain entries that needed to be removed.
Hope someone out there can learn from my confusion.
Maybe you are looking for
-
Is there any way to have two garagebands open at the same time?
I'm remixing a NIN song, and I need to have two garagebands open at the same time, is this possible? If so, please help!!
-
Text Entry Interaction -- Password Processing
Hi everyone, I have this text entry interaction set up to show asterisks when user types the password. I was wondering if it can be done in a way where I have 3 fields: field 1 asking the user to enter current password. field 2 asking the user to ent
-
Why won't photoshop let me save my actions
I'm wanting to know how to fix this issue? Each time I create actions it has the "Save Actions" selection grayed out. So every time photoshop decides to have a fit and kill on itself all my actions are wiped out then I have to recreate them, rinse an
-
There was an error while copying to Clipboard. An internal error occurred.
Hello I'm running a Citrix Presentation Server 4.5 environment, based on Windows Server2003 and providing Adobe Reader as a published application (this issue appears with Adobe Reader 7 and Adobe Reader 8 equally). Sometimes when trying to copy test
-
Can I still download a trial version of Photoshop Elements 11?