10.3.9, 10.4.2 and Active Directory

Old 05 August 2005, 04:03 PM
  #1  
Markus

Good morning all,

Not sure how many of the mac chaps here have machines that authenticate via the AD Directory Service Plugin, but thought I'd ask, just in case.

After finally getting my AD server set up correctly (Windows 2003 SP1) I can finally bind my 10.3 and 10.4 clients to AD, yay.

The only problem I have is that the machines will not log in as any of the AD accounts and I cannot work out why. The system.log, console.log and directoryaccess.log give no meaningful information as to why it won't work; there aren't any errors that I can determine in them.

I'm somewhat confused, as if I log in to the 10.4.2 client, jump into Terminal and issue dsconfigad -show, it shows the machine as being bound correctly, but I know I'm bound OK as the bind did not fail.

So, I jump into dscl and issue an 'ls' and I can see "Active Directory" listed, so, long story short, I can cd /Active Directory/All Domains/Users/alpha (alpha being one of my users). I can then issue a -read command and it does show me the MCX settings plus other info (home directory path, SIDs etc).

Now, maybe I'm mistaken here, but would the above not indicate that the machine can indeed connect and read information from the AD domain, in which case, why won't the authentication on the login dialog work? Is there a piece of the puzzle I'm missing here?
Old 05 August 2005, 04:16 PM
  #2  
David_Wallis

What are you logging in as?

Are you using the UPN name? Is DNS configured correctly?

(Know nothing at all about macs!)

Can you query ad via LDAP?

David
Old 05 August 2005, 04:40 PM
  #3  
Markus

I'm logging in using the value specified in D as "login name", in this case a user account called "alpha".

UPN name? Wassat? Assume that is probably alpha@ads.hires-test.com (ads.hires-test.com being the domain and forest name - this is the domain controller btw).

As far as I'm aware DNS is configured; that was my initial problem in getting the Mac to bind to the domain: the DNS was not set up. After setting it up the Mac will bind, so it "sees" the server.

As for query via LDAP, OK, how would I do that? What Unix command could/would I use?
Old 05 August 2005, 05:45 PM
  #4  
Markus

Ok, think I've cracked the LDAP browsing thing.

I downloaded LDAP Browser and also had a bit of a read of this article.

Bottom line, on the mac I'm trying to authenticate from, I can use LDAP browser to connect to the server and I do get a list of various things (CN=Users, CN=Computers, etc) and I can view records.
Old 05 August 2005, 06:27 PM
  #5  
David_Wallis

So DNS is working correctly.

Run eventvwr on the domain controller and see if there is anything in the security log.

I would guess that you need to use the UPN name unless you can specify the domain name.

Your guess is correct for the UPN name.

You should be able to do nslookup ads.hires-test.com, which should resolve to the IP addresses for the DCs for that domain.

Do they mention anything about what version of Kerberos authentication it supports?

David
Old 05 August 2005, 08:11 PM
  #6  
Markus

Thanks David, I'll run through those things. Pretty sure I have done the nslookup thing and it does resolve to the IP addy of the server.

As for kerberos, I'll have a look at that.

Thanks again
Old 11 August 2005, 06:35 PM
  #7  
Markus

First up,
David, thanks for all your suggestions. I tried nslookup and it showed the correct DNS resolution. I also tried using LDAP Browser and could connect and view the information.

Next up,
I've resolved the issue. It was my own silly fault, or lack of troubleshooting (I should know better). There is a "mappings" section in the configuration that allows you to map AD attributes instead of dynamically generated info from OS X.

Since turning off the mappings, it works, lovely
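
A follow-up check for the situation in this thread, added here as an example and not part of any poster's message: the record read with dscl in post #1 can be inspected for the attributes a login needs, which separates "the directory is readable" from "the account is usable". It assumes that a UID/GID mapping pointing at an AD attribute with no value leaves the record without UniqueID or PrimaryGroupID (the thread does not say what exactly the mappings broke); the function names and both sample records are constructed.

```shell
#!/bin/sh
# Added example; the two sample records are constructed, not real dscl output.
# On the Mac itself:
#   dscl "/Active Directory/All Domains" -read /Users/alpha | check_record

REQUIRED="RecordName UniqueID PrimaryGroupID NFSHomeDirectory"

# Print the REQUIRED attributes that are absent or empty in the
# "Key: value" dump read from stdin (values may continue on indented lines).
missing_attrs() {
    awk -v req="$REQUIRED" '
        BEGIN { n = split(req, want, " ") }
        /^[^ \t]/ {                      # start of a new attribute
            key = ""
            if (match($0, /: |:$/)) {    # keys like dsAttrTypeNative:x contain ":"
                key = substr($0, 1, RSTART - 1)
                val[key] = substr($0, RSTART + 2)
            }
            next
        }
        /^[ \t]/ && key != "" { v = $0; sub(/^[ \t]+/, "", v); val[key] = val[key] v }
        END {
            for (i = 1; i <= n; i++)
                if (val[want[i]] == "") { out = out sep want[i]; sep = " " }
            print out
        }'
}

# Print "ok" or "missing: <attributes>" for the record on stdin.
check_record() {
    missing=$(missing_attrs)
    if [ -z "$missing" ]; then echo "ok"; else echo "missing: $missing"; fi
}

sample_dynamic() {   # constructed: UID/GID generated by the plugin
    printf '%s\n' 'dsAttrTypeNative:sAMAccountName: alpha' \
        'NFSHomeDirectory: /Users/alpha' 'PrimaryGroupID: 1000001' \
        'RealName:' ' Alpha User' 'RecordName: alpha' 'UniqueID: 1000002'
}

sample_mapped() {    # constructed: UID/GID mapped to AD attributes with no value
    printf '%s\n' 'dsAttrTypeNative:sAMAccountName: alpha' \
        'NFSHomeDirectory: /Users/alpha' 'RealName:' ' Alpha User' \
        'RecordName: alpha'
}

echo "dynamic: $(sample_dynamic | check_record)"
echo "mapped:  $(sample_mapped | check_record)"
```
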