
10.7.3 AD authentication

2210 Views 10 Replies Latest reply: Feb 24, 2012 7:09 PM by Tenn_Surety
Troy Shafer
Feb 11, 2012 7:32 AM

Had to change the name of the server; it warned me this may break some stuff.

I changed it, rebound to AD. Now when trying to log in to webmail it fails. However, logging into the server using an AD account works just fine.

Am I missing something? I have set AD to trust the Mac server for delegation, first using Kerberos and then for all protocols.

Before the name change it was working, because I assume the Mac sets up the trust relationships it needs. Would I be better off to just start over and reinstall?

Mac mini, Mac OS X (10.7.2)
  • elifrombrooklyn
    Feb 22, 2012 7:26 AM (in response to Troy Shafer)

    I'm running a Mac mini Lion Server 10.7.3 connected to AD.

    I am running into the exact same issues. I went through the same articles and cannot get AD to let me log in to mail. Everything else seems to work fine; I'm just having a problem with mail.

    I get this error in the log when I try to log in to webmail:

    dovecot[17052]: auth: Error: od(username ipaddress): verify plain: user account: username not enabled for mail

    Username = whatever account I try with
    IP address = the server IP address

  • Tenn_Surety Level 1 (0 points)
    Feb 22, 2012 9:11 AM (in response to elifrombrooklyn)

    I get that dovecot error only when I try to authenticate an AD user on webmail from outside our firewall via NAT translation. If I try from inside the network to its private IP, AD auth on webmail works great. It also works if I set up an email client, but webmail is a big no.

    So you're saying that trying to log in to webmail with an AD account doesn't work at all for you? Inside or outside?

  • Tenn_Surety Level 1 (0 points)
    Feb 22, 2012 9:13 AM (in response to elifrombrooklyn)

    Did you kerberize services? Under Server Admin/OD there is an option to do so.

  • elifrombrooklyn Level 1 (0 points)
    Feb 22, 2012 9:22 AM (in response to Tenn_Surety)

    It does not work with any AD accounts, only local accounts.

    I'm at the point of just redoing the whole server.

    Yes, I kerberized the services and I also ran through those same guides that you had posted.

    Maybe I'll just take a step back before I chuck it out the window here.

  • Tenn_Surety Level 1 (0 points)
    Feb 22, 2012 9:22 AM (in response to elifrombrooklyn)

    On your AD bind advanced options, I pointed mine to the DC.

    Also, your AD may require Kerberos for authentication. I would try to kerberize the services.

    In your DNS, it should list the IP of your DC, or at least one running the directory DNS, along with 127.0.0.1.

  • Tenn_Surety Level 1 (0 points)
    Feb 22, 2012 9:28 AM (in response to elifrombrooklyn)

    Try this (unless you already have): support.apple.com/kb/HT4778

  • elifrombrooklyn Level 1 (0 points)
    Feb 22, 2012 11:17 AM (in response to Tenn_Surety)

    I pretty much have tried everything here.

    Maybe I'll set up a 2008 DNS and see if I can connect it to that with any more luck.

  • elifrombrooklyn Level 1 (0 points)
    Feb 22, 2012 12:14 PM (in response to elifrombrooklyn)

    OK, so far here is what I have tried:

    I did this:

    http://support.apple.com/kb/HT4778

    But I didn't even need to edit the file; it was already correct.

    And I did this:

    http://support.apple.com/kb/HT4776

    and nothing seems to have changed my situation.

    I get this error in the log when I try to log in to webmail (with an AD user):

    dovecot[17052]: auth: Error: od(username ipaddress): verify plain: user account: username not enabled for mail

    Username = whatever account I try with (AD users)
    IP address = the server IP address

    The error seems to only be with my Active Directory users. The local users on the machine itself can log in to the webmail just fine.

  • Tenn_Surety Level 1 (0 points)
    Feb 24, 2012 7:09 PM (in response to elifrombrooklyn)

    Check your dovecot.conf file. We have similar issues; mine was just that from outside our firewall it wouldn't work. I had to change login_trusted_networks to include our entire private IP range and the public IP of the NAT.
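The last reply fixes the outside-the-firewall webmail failure by widening dovecot's `login_trusted_networks`. Before copying that, it is worth knowing what the setting grants: dovecot treats connections from those networks as proxies, so they may report their own client IP for logging and authentication checks, and `disable_plaintext_auth` is not enforced for them. Adding the NAT gateway's public address therefore extends that trust to anything that arrives from it. The script below is an added example, not code from the thread or from Apple or Dovecot; it parses `login_trusted_networks` out of a config file and reports whether a given client address falls inside any listed range, so the "before" and "after" configs can be compared side by side. The two config fragments and every IP address in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a client address falls
# inside dovecot's login_trusted_networks, using constructed sample configs.

# ip_to_int A.B.C.D -> the dotted-quad address as a 32-bit integer
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) )
}

# ip_in_cidr IP NET[/BITS] -> exit 0 if IP is inside the range (a bare IP means /32)
ip_in_cidr() {
    ip=$(ip_to_int "$1")
    case $2 in
        */*) net=$(ip_to_int "${2%/*}"); bits=${2#*/} ;;
        *)   net=$(ip_to_int "$2");      bits=32 ;;
    esac
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# trusted_networks CONF -> the value of login_trusted_networks in CONF (empty if unset)
trusted_networks() {
    sed -n 's/^[[:space:]]*login_trusted_networks[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# ip_trusted CONF IP -> exit 0 if IP is inside any network listed in CONF
ip_trusted() {
    for net in $(trusted_networks "$1"); do
        if ip_in_cidr "$2" "$net"; then return 0; fi
    done
    return 1
}

# Constructed dovecot.conf fragments (assumed values, not from the original post).
# BEFORE trusts only loopback; AFTER adds the private LAN and the NAT's public address,
# which is the shape of change the last reply describes.
BEFORE_CONF=$(mktemp)
AFTER_CONF=$(mktemp)
trap 'rm -f "$BEFORE_CONF" "$AFTER_CONF"' EXIT
printf 'login_trusted_networks = 127.0.0.0/8\n' > "$BEFORE_CONF"
printf 'login_trusted_networks = 127.0.0.0/8 192.168.1.0/24 203.0.113.7\n' > "$AFTER_CONF"

# Loopback, a LAN client, the NAT gateway, and an unrelated Internet host
for ip in 127.0.0.1 192.168.1.50 203.0.113.7 198.51.100.9; do
    for conf in "$BEFORE_CONF" "$AFTER_CONF"; do
        if ip_trusted "$conf" "$ip"; then verdict=trusted; else verdict="not trusted"; fi
        printf '%-14s vs [%s]: %s\n' "$ip" "$(trusted_networks "$conf")" "$verdict"
    done
done
```

Run it as `sh check_trusted.sh`; point `trusted_networks` and `ip_trusted` at a real `dovecot.conf` (on Lion Server, under `/etc/dovecot/`) to see exactly which addresses the current value trusts. Because every host listed is exempt from `disable_plaintext_auth`, keep the list to the proxy or webmail host that actually needs to forward client IPs rather than a whole public range.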
