
Active Directory users not made member of Local Network group

792 Views 6 Replies Latest reply: Aug 22, 2013 1:47 PM by chrisale2 RSS
chrisale2 Level 1 Level 1 (0 points)
Jun 26, 2013 9:19 AM

Hi all,

 

I've just done a clean install from 10.6 Server to 10.8.4.

 

The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.

 

The Setup:

 

In Groups in Server.app, under Local Network Group, I have created a group called "AccessServer".

Members in that group are:
     - AD-Domain User Group (so should be all users in the domain)

     - Mac OS X "netaccounts" group (again, should capture all users that connect through the network; I've used this in the past on 10.6, very handy)

     - AD User 1

     - AD User 2

     - AD User 3

 

The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.

 

The Behaviour:

 

AD User 1 can access AFP and other services as expected.

AD User 2 and 3 cannot.

Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected

Yet other users within AD-Domain User Group or netaccounts cannot

 

Furthermore: 


If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group, I can still log in with that account!

 

Diagnosis:

 

I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.

 

>dseditgroup -o checkmember -m ADUser1 accessserver
yes ADUser1 is a member of accessserver

>dseditgroup -o checkmember -m ADUser2 accessserver
no ADUser2 is NOT member of accessserver

>dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
yes ADDomainUser/netacc is a member of accessserver

>dseditgroup -o checkmember -m n accessserver
no ADUser2 is NOT member of accessserver

 

When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):


2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.

 

I get the same results even after removing the user from the Groups screen!

 

Failed Solutions


- As we are a large AD, I've tried specifying specific Active Directory servers that might better be able to find the users in question and authenticate.

- I've let the system just sit, in hopes delayed replication would solve the problem overnight.

- I've deleted and recreated the groups.

XServe (Late 2009), OS X Server, 10.8.4
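The post above checks one user at a time with dseditgroup. The script below is an added example, not code from the poster or from Apple: it audits a whole list of users against a local network group in one pass, first confirming that each account even resolves through the search path (sshd reports an account as an "illegal user" when it cannot look the account up at all, which is a different failure from the group denying access), then asking both dseditgroup and id independently, since the two should agree. dscl, dseditgroup and id are the real OS X tools with their real options; the group name and user list are whatever the caller passes on the command line, and the expected record layout shown in comments is an assumption about the local node, not output from the thread.

```shell
#!/bin/sh
# audit_group.sh - added example for OS X Server 10.8 bound to Active Directory.
# Compares what the local directory node stores on a group record with what
# the OS actually resolves for each user (dseditgroup and id), after checking
# that each user can be found through the search path at all.

# Print the raw membership attributes stored on the local group record.
# Typical keys (assumption about the node, not thread output):
#   GroupMembership: short names, NestedGroups: GUIDs, GroupMembers: GUIDs
show_group_record() {
    group=$1
    dscl /Local/Default -read "/Groups/$group" GroupMembership NestedGroups GroupMembers 2>&1
}

# Return 0 if the user resolves through the search path (the lookup sshd and
# AFP perform via getpwnam), 1 otherwise.  An "illegal user" in sshd's log
# means this step failed, not that the group denied the login.
user_resolves() {
    dscl /Search -read "/Users/$1" RecordName >/dev/null 2>&1
}

# Ask dseditgroup and id independently; both should give the same answer.
# Prints: user<TAB>resolves<TAB>dseditgroup<TAB>id and returns 0 only when
# all three columns are "yes".
check_user() {
    group=$1
    user=$2
    if user_resolves "$user"; then resolved=yes; else resolved=no; fi
    # dseditgroup's first word is "yes" or "no"; parse that rather than relying
    # on its exit status, which differs between OS X releases.
    ds=$(dseditgroup -o checkmember -m "$user" "$group" 2>/dev/null | awk 'NR==1{print $1}')
    [ -n "$ds" ] || ds=error
    if id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then idm=yes; else idm=no; fi
    printf '%s\t%s\t%s\t%s\n' "$user" "$resolved" "$ds" "$idm"
    if [ "$resolved" = yes ] && [ "$ds" = yes ] && [ "$idm" = yes ]; then
        return 0
    else
        return 1
    fi
}

# Audit a list of users against a group.  Returns 1 if any user either does
# not resolve or is reported as a non-member by either check.
audit_group() {
    group=$1
    shift
    status=0
    echo "== stored record for $group =="
    show_group_record "$group"
    echo "== effective membership =="
    printf 'user\tresolves\tdseditgroup\tid\n'
    for u in "$@"; do
        line=$(check_user "$group" "$u") || status=1
        echo "$line"
    done
    return $status
}

# Usage: sh audit_group.sh accessserver ADUser1 ADUser2 ADUser3
if [ $# -gt 0 ]; then
    audit_group "$@"
fi
```

A user who shows "no" in the resolves column is not a group problem: the search path (node order, domain binding) needs fixing before any group check is meaningful. A user who resolves but gets "no" from dseditgroup or id while Server.app lists them points at the group record itself, which the first section of the output shows as stored.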
