1 3 4 5 6 7 Previous Next 98 Replies Latest reply: Sep 2, 2012 10:34 AM by Dave.Maltby Go to original post Branched to a new discussion.
  • 90. Re: Active Directory broken in Lion?
    Gerrit DeWitt Level 4 Level 4 (3,900 points)

    In regard to the "cannot store password" error, I should note that Lion employs a new method for storing the password of the machine account that it uses to connect to Active Directory.  In Snow Leopard and earlier (probably all the way back to Panther), the machine account password was scrambled and stored as a value for an attribute in the ActiveDirectory.plist file.  File permissions on this were such that nobody had access to it except for the root account.

     

    In Lion, the AD password is stored in the system keychain instead.  You can view the corresponding entries by viewing the /Library/Keychains/system.keychain file in the Keychain Utility.  Sometimes those entries must be cleared for a successful bind following several failed ones.  Or you can clear and reset the whole system keychain with this command...

     

    sudo systemkeychain -fcCv

  • 91. Re: Active Directory broken in Lion?
    Gerrit DeWitt Level 4 Level 4 (3,900 points)

    You can inside the Library folder for your account by removing the hidden ago on it... chflags nohidden ~/Library

     

    For all existing user accounts on a computer... sudo chflags nohidden /Users/*/Library

     

    For any new account that will be created on the computer... sudo chflags nohidden /System/Library/User\ Template/*/Library

  • 92. Re: Active Directory broken in Lion?
    dingdini Level 1 Level 1 (0 points)

    I installed Lion for the first time last week and had been having a lot of problems with Active Directory.  The first problem I encountered was an issue getting the extended groups for a domain user.  Using "id adusername" would return to me the username uid and the gid for the domain user, but would also return me "id: failed to retrieve group list: Undefined error: 0".  I don't have a clue how to fix this. 

    So I decided to do a fresh install to see if this fixed anything.  After the fresh install I counldn't bind to the Domain to save my life.  This was either crashing the opendirectoryd process with a 10002 error from dsconfigad or a 5002 error from dsconfigad.  I continued digging to find out that my computer was having problems getting to the KDC of the domain.   When researching this, I came accross this support page https://discussions.apple.com/thread/3189202?start=0&tstart=0.  Using the information from that page, I checked for both a /etc/krb5.conf file and a /Library/Preferences/edu.mit.Kerberos file, both of which did not exist.  So I created a /etc/krb5.conf file with the following

     

    [realms]

         DOMAIN = {

              admin_server = tcp/KDCSERVERNAME.DOMAIN:749

              kdc = tcp/KDCSERVERNAME.DOMAIN:88

              default_domain = DOMAIN

         }

     

    The AD setup here uses the AD server as the KDC so the KDCSERVERNAME.DOMAIN was the DNS name of the AD server.  I'm not sure if that information was truly needed as none of that information actually made it into the opendirectoryd log file. 

     

    Once this was configured I was able to use dsconfigad from the command line to configure opendirectoryd without a problem. 

     

    As a secondary benefit, I am now able to do "id adusername" and get the UID, GID, and extended group info for the user. 

     

    I hope this helps. 

     

    Message was edited by: dingdini

  • 93. Re: Active Directory broken in Lion?
    dingdini Level 1 Level 1 (0 points)

    looks like I was wrong about the extended groups.  It was working after I bound to the AD and was querying the adusername as the localadmin.  However, once I logged into the computer as the user, the groups went away. 

  • 94. Re: Active Directory broken in Lion?
    ProgRocker Level 1 Level 1 (0 points)

    Running 10.7.3 at work and it connects to the domain fine, network accounts authenticate fine. It however does NOT create mobile accounts nor can I choose AD groups to administer the computer. In fact in the "Allow Administration by" box, you can type anything and it accepts it. Shouldn't there be some sort of verification that the group exists either locally or in AD? It works fine (most of the time) in 10.6.

  • 95. Re: Active Directory broken in Lion?
    LCTech Level 1 Level 1 (0 points)

    An update to my post from awhile back. AD is working well enough (with one odd issue so far). I wrote it up here for the whole world to see:

     

    http://noeasysearch.blogspot.com/2012/02/binding-to-active-directory-domain-with .html

  • 96. Re: Active Directory broken in Lion?
    fsck! Level 1 Level 1 (30 points)

    Reviving this thread for input/comments on 10.7.4 update?  My AD issues had pretty much been resolved with 10.7.3.  After applying 10.7.4, I now have a longer delay on the logon screen before AD becomes accessible.  Status is red.   Anyone else experiencing this issue since 10.7.4?

  • 97. Re: Active Directory broken in Lion?
    cticompserv Level 1 Level 1 (5 points)

    After the 10.7.4 update I found that I had to change the Directory Utility authentication path to the default.  The previous paths that I had used no longer worked consistantly.

     

    Kent

  • 98. Re: Active Directory broken in Lion?
    Dave.Maltby Level 1 Level 1 (0 points)

    I thought I'd throw in my 2p's worth here.

     

    I've just tried to do an AD intergration on a large domain with multiple sites and approximatly 70 domain controllers.

     

    The issue we were getting when binding was "Authentication Server Unreachable (5200)".

    After some digging and finding out that you can enable debug loging for the AD Plugin by running odutil set log debug in terminal followed by tail -f /var/log/opendirectoryd.log to view the log we found the following being repeated in the log file:

     

    2012-09-02 13:40:08.127 BST - 351.10639, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: udp [SERVER-IP]:kerberos ([FQDN OF SERVER])

    2012-09-02 13:40:08.133 BST - 351.10639, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host disconnected: udp [SERVER-IP]:kerberos ([FQDN OF SERVER])

     

     

    It turns out that since OS X uses the SRV records in DNS to find out domain information, specifically where to look for the domain controllers etc it was just trying EVERY server that had an SRV record.

     

    The plugin would eventually time out before reacing the SRV record for the local domain controller which it did have access to with the error:

    2012-09-02 13:40:40.428 BST - 351.10639, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential server unreachable' (5200)

     

    So all this points to a DNS issue which I currently have no fix for.

     

    So for those of you having issues it would be worth you running the following in temrinal

     

    dig -t SRV _ldap._tcp.example.com 

    Where example.com is the name of the domian you are trying to bind to.

     

    If you don't see the name or IP of the server you are trying to bind to in that list I'd guess you are probably experiancing the same issue as myself.

     

    Over all this still leaves me wondering why Windows boxes are happy picking up the local domain controller from SRV records but the Mac won't leading me to believe it's as much the fault of the plugin as it is of the huge DNS structure we have.

    It might also be worth you looking at the following documentation as thats where I got most of the above info from:

    http://training.apple.com/pdf/wp_integrating_active_directory.pdf

     

     

    Hope this helps someone and you can find a fix made on the info I've given you.


    Dave

1 3 4 5 6 7 Previous Next