Oct 14, 2011 5:09 AM (in response to T_Rex)
I have been trying to make this work for a while, and with 10.7.2 I have a working login and control system. When I connect to the Active Directory domain and look at the possibilities in Directory Utility for Authentication and Contacts, I get three possibilities when I click the "+" button. I can create a custom tree including:
I added them all and then went to System Preferences > Users and Groups > Login Options > Allow network users to login at login window > Options.
I chose "Only these network users" and clicked the plus sign. I got a list of AD users. I then went to the Directory Utility and deleted AD choices from the three above until I found that only the Active_Directory/My_Domain_Forest/My_Domain choice gave me a list of users in the System Preferences window. I kept that one in my Authentication and Contacts search in AD. Note: I had unchecked the box in AD > Advanced > Administrative for allowing connection to all domains in the AD forest.
Once I had AD set up I connected to an OS X LDAPv3 server and then bound to the OS X 10.6.8 server. It all worked. I notice that connecting to the OS X server and binding to the server are two separate steps in Lion. I also found earlier in beta testing that I needed to disable SSL before connecting to the OS X server would work. I have not yet checked to see if I can re-enable SSL on the server.
I have not until now updated the OS X server to Lion. I will do that now and test more.
My Authentication search tree in Directory Utility now looks like:
At this point I am almost back to the configuration that worked in Snow Leopard.
Oct 14, 2011 5:17 AM (in response to lmadden)
At the moment whatever I do I never get the "Allow network users to login at login window" checkbox back.
Much as I love Apple products, I think I'm just going to have to tell our corporate customers that it's not ready for deployment in the enterprise as yet.
Come on Apple, I'm not willing to format machines just to get the sodding things to log on...
Oh, and any more than an additional two second delay on bootup isn't acceptable. Two minutes? Jog on...
Oct 14, 2011 6:14 AM (in response to lmadden)
10.7.2 (11C73) only fixes the auth problem, but does not fix the speed problem.
Still very-very-very slow login as an AD user and slooooooooooow connection to shares on other computers.
Incidentally, the same thing happens in 10.6.8, but everything was working fast in 10.6.7.
Oct 14, 2011 9:27 AM (in response to T_Rex)
I am an Apple systems engineer in SoCal (used to work at Apple as a QA engineer).
We have 200 macs, rest PCs in a 5000 user environment. Active Directory 2003 (upgrading to AD 2008 soon).
It's been long known that Apple's own AD plugin over the years has been shaky. All one has to do is use Centrify's own plug-in and AD bind / auth works just great. This has been true probably since 10.5 Leopard.
I have rolled out 10.4, 10.5, 10.6, and now 10.7 and AD binding / authentication functionality always comes up.
In beta testing of the GM versions of these OSes, in every case, AD would not work on the shipping GM version. We have had to wait for the x.2 or x.3 release, etc.
And typically when a brand new OS X was coming, say 10.4 to 10.5, 10.5 to 10.6, etc. Previously functioning AD binding / authentication was now broken. This is once again the case going from 10.6 to 10.7
So needless to say we are not rolling out Lion until Apple fixes AD in 10.7.2, 10.7.3 etc. Of course there is nothing stopping anyone from using the now free Centrify Express, which works great.
I can say in our environment 10.7.2 Does Fix AD Binding (but the actual Binding part worked in 10.7 / 10.7.1), but now one can actually login (authenticate), and have OS X create a local user account (folder), using AD / Kerb authentication, and cache those credentials locally, meaning if you are off / away from your AD network, you can still login.
(Apple has yet to fix the red / green ball indicators totally; they kind of work, but I see no green ball.)
I can log in in 2-5 seconds, and copying to SMB volumes is pretty fast.
One has to take into account one's network topology and architecture. We have a brand new Foundry Gig E wired and Aruba wireless 802.11n network, brand new NetApp NAS's, Infoblox DNS, AD 2003 (going to 2008).
And as I say AD login and SMB is working and working fast in 10.7.2
I am not saying that the AD plugin in 10.7.2 is perfect or totally fixed, I am still testing. I am sure Apple has more work to do.
Apple can not know everyones unique network topology, impossible.
As someone did above, take a fresh 10.7 / 10.7.1 install and then update with 10.7.2, if after this AD bind / auth is still not working, there is something going on relative to your network topology and / or the 10.7.2 AD plugin.
As I say, this 10.7.2 AD plugin is working fine in our rather extensive and sophisticated network, so Apple has done something correctly with regards to fixing the code in the 10.7.2 AD plugin (maybe not totally or fully).
A suggestion for AD would be to, once logged in (if taking a long time to log in), run tcpdump. There may even be an AD debug tool / log that can be run from the CL (dsconfigad or some other tool). Apple has a such a tool in Lion, for Open Directory, odutil (man odutil).
Since this happens at login, one might be able to grab a stackshot, when the issue occurs. (How to below).
Stackshot will be especially helpful and telling in the case of SMB slowness, spinning BB's, etc.
Point is, yes of course it is frustrating, but in my experience Apple needs actual data from various users' network environments in order to have any idea what the potential or actual issue may be.
This is exactly what I did when Lion 10.7 shipped (bug was already filed in beta and GM versions).
Took a lot of back and forth, but I am pretty sure the data I captured was helpful in getting this fix (at least that I am seeing) in 10.7.2.
1. Enable stackshot by typing the following command at the prompt in the Terminal application (Terminal.app can be found in /Applications/Utilities):
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.stackshot.plist
2. When the problem occurs, press the following keyboard keys simultaneously:
Control + Option + Command + Shift + . (Period)
3. Wait for a minute or two for the stackshot files to be written to disk.
4. Check /Library/Logs/stackshot.log and /Library/Logs/stackshot-syms.log files.
Apple Bug Reporting
Oct 14, 2011 9:39 AM (in response to johnfromlosangeles)
I concur with several items posted by john above. For lack of a technical explanation, suffice to say that AD binding was tricky but functional in 10.4, totally broken in 10.5 (up until 10.5.3 I think?), worked fine in 10.6, and broke again in 10.7.
For my domain, 10.7.2 AD binding works the same way as 10.6. The binding process is almost the same as 10.6, with some slight modifications. I have a step-by-step "new user" checklist that I've created and my "How to Bind in 10.7.2" section is only slightly different than the same section in my 10.6 documents.
My Lion checklist is as follows, and again, this is specific to my domain, where I have both an AD domain and an Open Directory domain running on an OS X Leopard Server. Therefore, I need to join both, but I want authentication to happen by AD.
- Sharing Pref, change computer name to AD computer name
- Create the computer account in AD FIRST. Do not assume that the AD binding process will create the computer account for you, like it does in the Windows world.
- Open Directory Utility (in Users Preferences / Log In Options)
- Open the actual directory utility for AD binding tasks. Don't use the initial prompt that appears when you click the Join.. button
- Use Edit button to Add Active Directory Server
- Active Directory Domain: MYDOMAIN.NET <yes, in caps, with the .NET>
- Computer ID: (should already be filled in)
- AD Administrator and Password: <use an account with admin privs on the domain>
- Go to Services Tab, edit Active Directory Service
- Enable Mobile Accounts, enable the Confirmation checkbox below it
- Administrative Tab: Enable the checkbox next to "Allow administration by..."
- Exit directory utility, go back to the Join.. button (now says Edit)
- In the pop up box, put open-directory-server.mydomain.net, accept the fact that there's no SSL cert.
- Open Directory Utility again
- Enter the LDAP configuration, and change LDAP Mappings from "From Server.." to "Open Directory"
- Accept whatever the next prompt is - usually empty fields.
- Go to Search Policy Tab
- Verify that Active Directory is above LDAP (it should be)
- Restart system
- While waiting at the login prompt, push the little "back arrow", and wait until Other.. shows up, which verifies that it can see the directory servers. Sometimes this takes 30 seconds or so.
Again, the above steps may not work for your situation, it's what works for mine, and the above 10 steps have been more or less the same since 10.4. The above steps did NOT work with 10.7.0 or 10.7.1, and if I remember correctly, they didn't work in 10.5.0 - 10.5.3.
Oct 14, 2011 10:11 AM (in response to plochner)
- Sharing Pref, change computer name to AD computer name
Yes, very good point.
I assumed users would already know some of the protocol for adding Objects to AD, and proper computer name, and time and date, etc. (AD loves to have the proper time and date and could cause issues if not correct).
- In Sys Prefs > Sharing, take that computer name, copy it
- In Terminal run: scutil --set HostName <paste name you just copied>
This will ensure the OS X client has the proper computer name, even after reboots, etc. In other words this name will stick, always.
- In ADUC (Active Directory Users and Comps), create the "Object" of the Mac you are going to be binding, the same exact name as in the step above, and in the proper OU that the AD admin has setup. We have a specific OU in AD called: "MAC". All Mac Objects (computers) go there.
- When one uses Directory Utility, when it is asking for info, I always delete the CN=Computers, and insert, OU=Mac, dc=x, dc=x, dc=x, etc. This ensures that OS X will see the "Existing Object" you just created, and you get the "Join Existing" message.
- We use Infoblox for our DNS, DHCP, and date and time server, so I just have a 10.6 / 10.7 image with that IP address of the server.
Also, we do not use an Open Directory server, nor rely on one, or use the "OD / AD Triangle setup" which is a long and deep discussion.
I have a few Xserver, but we do not use Open Directory at all, after much work on this. There is no need. I don't even have these servers in AD, although they are in the DNS.
So we are using the AD plugin in 10.7.2 entirely, there is no entry for LDAPv3/OD at all.
(On the topic of OD /AD, I'll chime in, after much work and research on OD in AD, to me there was little to no upside, all that one gets is "Managed Prefs", and to me Managed Prefs abilities are extremely limited and usually applied globally. Nothing like MS's Group Policy with a lot of granularity.
The other thing is you have to have dual binding one to AD and one to the OD server (in AD), if something goes whacky with either one of those bindings, no login).
I think someday we may use Centrify, if we want that power.
Oct 16, 2011 2:55 AM (in response to lmadden)
With regards to time in a corporate environment, wouldn't it make sense to be able to configure an NTP time source in the Date & Time GUI?
If you can easily configure a local known time source, it removes a potential Kerberos problem when it comes to authenticating.
Oct 16, 2011 9:37 AM (in response to lmadden)
This is getting silly now. I've flattened my MBP and reinstalled 10.7.2 on a formatted drive. I can bind to my heart's content, but at no point do I now get the option to allow network users to log on.
What could possibly cause this? I've enabled mobile services but whatever I do I don't get the checkbox to allow them to logon.
I'll be going back to Vista (spit) at this rate...
Oct 24, 2011 4:02 AM (in response to RBrookbanks)
I've got the same problem. I've managed to bind to the Active Directory server (Network Account Server: green) but can't log in to AD on startup; I only had the red dot until I clicked Allow Network Users to Log In, which made the red dot turn amber. I've gone back to System Preferences > Users & Groups, but this option has now disappeared and I can't work out how to get it back. Any ideas, anyone?
Nov 9, 2011 4:45 AM (in response to Austin_Helps)
I was able to add OS X Lion 10.7.2 to AD through the CLI and it works perfectly fine.
dsconfigad -f -a COMPUTERNAME -domain <domainname> -u <username> -p '<password>'
dsconfigad -preferred <server.domain> -multidomain disable
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
dscl /Search -append / CSPSearchPath "/Active Directory/<domain name>"
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/<domain name>"
The above two commands may not work. You may identify the Active Directory path using the commands below and put the same in the <domain name> field of the above two commands.
root# dscl (used dscl to check the Active Directory path)
> cd Active\ Directory/
/Active Directory > ls
/Active Directory > cd [ADS domain]
[there's a few seconds of wait time here...]
/Active Directory/[ADS domain] > ls
/Active Directory/[ADS domain] > exit
Then activate the "create mobile account at login" option from the Login Options configuration.
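The following script pulls the CLI bind posted above (the dsconfigad and dscl commands), johnfromlosangeles's hostname and OU notes, and the Kerberos clock caveat from the NTP exchange into one procedure with the pre-flight checks a deployment script should have. It is an added example written for this page, not Apple's code and not any poster's. It assumes the stock 10.7 tools (dsconfigad with its -ou/-mobile/-mobileconfirm flags, dscl, scutil, ldapsearch); corp.example.com, dc1.corp.example.com, the OU "Mac" and the account "ad-joiner" are placeholders; the forest/domain node layout under /Active Directory follows what the first post reports; reading the domain controller's clock from the rootDSE currentTime attribute and turning off the mobile-account confirmation prompt are my choices, not steps from the thread.

```shell
#!/bin/sh
# ad_bind.sh: scripted AD join for a 10.7.2 client, with the pre-flight checks this
# thread keeps tripping over (computer ID, domain spelling, clock skew, search policy).
# Written as an example for this page; not Apple's code and not any poster's.
# Assumes the stock 10.7 tools (dsconfigad, dscl, scutil, ldapsearch). All names are
# placeholders; the OU and the forest/domain node layout follow what the posts describe.

KRB_MAX_SKEW=300   # Kerberos default tolerance (5 min); past it, ticket requests fail

# The Computer ID becomes the computer object's sAMAccountName: 1-15 characters,
# letters, digits and hyphens only, no leading or trailing hyphen.
valid_computer_id() {
  case "$1" in ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;; esac
  [ "${#1}" -le 15 ]
}

# The domain must be the DNS name (corp.example.com), not the NetBIOS short name.
valid_domain() {
  case "$1" in ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;; *.*) return 0 ;; esac
  return 1
}

# AD generalized time "20111014120000.0Z" (UTC) -> seconds since the Unix epoch.
# Pure arithmetic (days-from-civil), so it needs no OS-specific date(1) flags.
gt_to_epoch() {
  s=$(printf '%s' "$1" | cut -c1-14)
  y=$(printf '%s' "$s" | cut -c1-4);    m=$(printf '%s' "$s" | cut -c5-6)
  d=$(printf '%s' "$s" | cut -c7-8);    hh=$(printf '%s' "$s" | cut -c9-10)
  mm=$(printf '%s' "$s" | cut -c11-12); ss=$(printf '%s' "$s" | cut -c13-14)
  m=${m#0}; d=${d#0}; hh=${hh#0}; mm=${mm#0}; ss=${ss#0}   # "08" would parse as octal
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $(( (era * 146097 + doe - 719468) * 86400 + hh * 3600 + mm * 60 + ss ))
}

# clock_skew_ok <local-epoch> <dc-epoch>: true when |difference| <= KRB_MAX_SKEW
clock_skew_ok() {
  skew=$(( $1 - $2 )); [ "$skew" -lt 0 ] && skew=$(( -skew ))
  [ "$skew" -le "$KRB_MAX_SKEW" ]
}

# ou_dn Mac corp.example.com -> OU=Mac,DC=corp,DC=example,DC=com (the container the
# computer object was pre-created in; dsconfigad defaults to CN=Computers otherwise)
ou_dn() {
  dn="OU=$1"; rest="$2"
  while [ -n "$rest" ]; do
    part=${rest%%.*}; dn="$dn,DC=$part"
    [ "$part" = "$rest" ] && break
    rest=${rest#*.}
  done
  echo "$dn"
}

# Given `dscl -list "/Active Directory/<forest>"` on stdin, pick the named domain node
# (the search path the first post found to work) and skip "All Domains".
pick_domain_node() {
  grep -v 'All Domains' | head -n 1 | sed "s|^|/Active Directory/$1/|"
}

# ad_bind <computer-id> <domain> <ou-name> <dc-fqdn> <domain-admin>
ad_bind() {
  cid=$1; domain=$2; ou=$3; dc=$4; admin=$5
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  valid_computer_id "$cid" || { echo "Computer ID must be 1-15 chars of [A-Za-z0-9-]: $cid" >&2; return 1; }
  valid_domain "$domain"   || { echo "domain must be the DNS name, e.g. corp.example.com: $domain" >&2; return 1; }
  # rootDSE currentTime is readable anonymously: check the DC's clock before Kerberos does
  dctime=$(ldapsearch -x -LLL -H "ldap://$dc" -s base -b '' currentTime | awk '/^currentTime:/ {print $2}')
  clock_skew_ok "$(date -u +%s)" "$(gt_to_epoch "$dctime")" \
    || { echo "clock differs from $dc by more than ${KRB_MAX_SKEW}s; fix NTP first" >&2; return 1; }
  # The name must match the pre-created computer object and survive reboots
  scutil --set ComputerName "$cid"; scutil --set LocalHostName "$cid"; scutil --set HostName "$cid"
  # Read the password from the terminal: on argv it shows in ps(1) and is kept in shell history
  printf 'Password for %s: ' "$admin"; stty -echo; read -r pw; stty echo; echo
  dsconfigad -f -a "$cid" -domain "$domain" -ou "$(ou_dn "$ou" "$domain")" -u "$admin" -p "$pw" || return 1
  unset pw
  dsconfigad -preferred "$dc" -multidomain disable -mobile enable -mobileconfirm disable
  forest=$(dscl localhost -list "/Active Directory" | head -n 1)
  node=$(dscl localhost -list "/Active Directory/$forest" | pick_domain_node "$forest")
  for sp in /Search /Search/Contacts; do     # same two search policies as the post above
    dscl "$sp" -create / SearchPolicy CSPSearchPath
    dscl "$sp" -append / CSPSearchPath "$node"
  done
  echo "bound; search path now includes $node"
}

# Usage on the client: sudo ./ad_bind.sh mac-lab-01 corp.example.com Mac dc1.corp.example.com ad-joiner
if [ $# -eq 5 ]; then ad_bind "$@"; fi
```

The skew check runs before anything is changed, because a clock more than five minutes off the DC produces exactly the "bind succeeds, login fails" symptom several posts describe. The password is read from the terminal rather than passed as `-p '<password>'` on the command line, since argv is visible to every local user via ps and ends up in shell history. After a successful run, `dscl "/Active Directory/<forest>/<domain>" -list /Users` should return domain users; if it does not, the node path that `dscl localhost -list "/Active Directory"` shows is what belongs on the search policy.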
Nov 9, 2011 12:18 PM (in response to lmadden)
Are there procedures/instructions anywhere on the web that will help an old Windows guy like me learn how to bind a new iMac sitting on our LAN w/Windows Server 2011 to Active Directory? I think this is the Mac terminology for what is referred to in the Windows world as "joining to a domain". This is unexplored territory for me and so it is a little disconcerting that I may be learning on the job with a flawed OS. But I have to start somewhere!
Nov 9, 2011 12:24 PM (in response to MjFranek)
Email me, I can guide you through it.
Although, as has been stated previously, binding a 10.7.x Mac has been a bit troublesome, and I am not sure about a 2011 AD server; we are on 2008.
Nov 9, 2011 1:39 PM (in response to MjFranek)
One important thing is MAKE SURE YOU ARE UPDATED TO 10.7.2. If you are not at 10.7.2 your best efforts will not work. AD only became useable once 10.7.2 was installed.
Nov 10, 2011 12:41 AM (in response to lmadden)
A definitive guide that works consistently would be very useful:
For Windows, any AD requirements and DNS server settings.
For the Mac, not just from a clean boot but how to change the domain membership etc.
I'd like to know what Apple produced in the lab and signed off so I can reproduce it in the field.
Nov 10, 2011 2:46 PM (in response to lmadden)
Centrify have managed to come up with a workaround. You don't need to use their plug-in, it also works with Lion's own AD plug-in. Also no need to mess around with search paths etc. I did this workaround on a suite of brand new Lion machines and it works a treat:
Apple have finally acknowledged the problem as a bug.