
Major problem with ActiveDirectory

I've just updated some of my Macs to Leopard.

It seems that there's a major problem with the Active Directory integration: the login/logout and all the operations on the Windows 2003 server are VERY slow (the login takes around 40 seconds).

With the other Macs running Tiger all is running well, so it's not a network problem or Windows issue!

Can someone confirm the same issue? Do you have a solution?

IMAC 24", Mac OS X (10.5)

Posted on Oct 26, 2007 9:32 AM

74 replies

Oct 29, 2007 1:40 PM in response to Joe Swenson

Joe,

There's clearly something wrong with the product itself. Most of us are experienced users; I've been using AD since the early Windows 2000 days and binding Mac clients to it well before there even existed an OS X AD client. The product is flawed, period. If PCs can join with no problem and OS X 10.4 and 10.3 clients can bind without a hitch, that would indicate a problem with the OS and not the network infrastructure.

Oct 29, 2007 2:23 PM in response to fabryx

Hi again,

Can we get a sense of how many people are trying to bind to directories that end in .local? I just tried it using a .edu domain and it was fine. My test domain uses .local but has never been a problem before. Maybe it has a problem with the .local suffix, is what I'm thinking. Anyhow, it would still need to be addressed if that were the case.

Oct 29, 2007 2:23 PM in response to p_halcomb

Yes, but in betas there were some pretty clear entries in the logs that were describing why AD wasn't working in that particular build, and it sure as heck wasn't what the GUI was saying.

If we look at the logs we'll all have a better idea of what's going on.

BTW, my environment is perfectly fine. Everything worked without a hitch, although I did notice how long it took to log in... of course it was still faster than Windows so I can't kvetch too much.

Oct 29, 2007 3:44 PM in response to p_halcomb

I am binding to a ".local". I am able to bind, but it takes 10 to 15 minutes on a very small network. User login takes 3 to 5 minutes after that. Overall performance takes a hit after binding versus a system that is not bound.

To bind I am going into the Advanced Options/Administrative and checking "Prefer this domain server:" and unchecking "Allow authentication from any domain in the forest." This may not be an option for most, but I am able to bind and then recheck "Allow authentication from any domain in the forest."

Name resolution seems to be intermittent and I am specifying a WINS and DNS Server.

I am binding to SBS2003 SP2.

Oct 29, 2007 8:12 PM in response to fabryx

Ok boys and girls, I think I know what the problem is...

When I asked everyone who has been posting about their DNS suffixes, everyone replied with something like "local, internal" etc... etc...

My test domain is ".local" and my production domain is ".edu". When I tested on my test domain with ".local" and it didn't work, I just assumed the thing was totally broken. But then when I tested on my production domain ".edu" it was as quick as it was with Tiger.

So I downloaded the Active Directory domain rename tool (which I've used several times before, a wonderful thing it is...) and renamed the test domain from "domain.local" to "domain.com". Reconfigured my DNS, DHCP and the DC's DNS suffix to reflect the change. Tested it all out, checked the event logs, everything looks healthy.

Finally, released and renewed my IP address on my Leopard client so that it would pick up the new DNS suffix ".com" and attempted to bind to the AD domain. It worked perfectly without a hitch and all was well. Logging in is as fast as it was with Tiger and without the pesky SMB home share error message that we were blessed with starting with 10.4.8.

So in summary I believe the problem most likely is that the Leopard client can't handle DNS suffixes longer than 3 characters. It could be something else; it's hard to say.

One other possible problem to check out, although highly unlikely because Tiger was working fine: while configuring my DNS after the domain rename I noticed in the old ".local" zone that the _msdcs folder was grayed out and missing data. I didn't check that before the domain rename, unfortunately, so I can't verify that wasn't the problem. It probably wasn't like that, because Tiger was working great, but do check that, and if it's grayed out rebuild your zone so it's right and try to bind again. Good luck...

Message was edited by: p_halcomb
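The thread above narrows the slow/failing bind down to domains whose DNS suffix is ".local", and the SRV records under _msdcs are mentioned as another thing to check. The following is an added example, not code from this thread or from Apple: a small pre-flight script that flags a ".local" suffix (which Mac OS X hands to multicast DNS/Bonjour by default rather than to the configured DNS server) and queries the standard AD SRV records a domain member needs (_ldap and _kerberos under _msdcs, _ldap, _kerberos and _gc under the domain). The domain name and optional DNS server are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before binding a
# Mac to Active Directory. Domain and DNS server are supplied as arguments.

# Return 0 if the domain's last label is "local". Mac OS X resolves *.local
# through multicast DNS (Bonjour) by default, so an AD domain named this way
# may never be looked up against the Windows DNS server at all.
is_mdns_local_domain() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    d=${d%.}                      # drop a trailing dot, if any
    case "$d" in
        local|*.local) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the SRV record names a domain member looks up to find domain
# controllers, KDCs and a global catalog, one per line.
ad_srv_records() {
    d=${1%.}
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$d" \
        "_kerberos._tcp.dc._msdcs.$d" \
        "_ldap._tcp.$d" \
        "_kerberos._tcp.$d" \
        "_gc._tcp.$d"
}

# Query each SRV record (optionally against a specific DNS server) and
# report which ones resolve. Needs network access and dig(1).
# Exit status is the number of records that did not resolve (2 if no dig).
ad_preflight() {
    dom=$1
    server=${2:+@$2}
    missing=0
    if is_mdns_local_domain "$dom"; then
        echo "WARNING: $dom ends in .local; OS X treats that as a Bonjour (mDNS) domain"
    fi
    command -v dig >/dev/null 2>&1 || { echo "dig not found"; return 2; }
    for name in $(ad_srv_records "$dom"); do
        # shellcheck disable=SC2086  (server is intentionally unquoted: may be empty)
        answer=$(dig +short SRV "$name" $server 2>/dev/null)
        if [ -n "$answer" ]; then
            echo "ok      $name -> $(echo "$answer" | head -n1)"
        else
            echo "MISSING $name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: sh ad_preflight.sh domain.com [dns-server-ip]
if [ "$#" -ge 1 ]; then
    ad_preflight "$@"
fi
```

If every record reports MISSING while the Windows boxes are happy, check that the Mac's DNS server list in Network Preferences points at the DC (and not, say, a home router), then re-run with the DC's IP as the second argument to separate a resolver-configuration problem from a zone problem such as the grayed-out _msdcs folder described above.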

Oct 29, 2007 11:02 PM in response to Perry Cadman

Our domain is ending in .se and I can't bind at all. Worked like a charm with Tiger. If I bind using the advanced options I get a message about "illegal combination of username and password". (It's my network administrator who does this. If I use my own credentials the message is "unauthorized user...".)

Trying to bind using the simplified settings, i.e. hiding the advanced options, I get some kind of unexpected error.

What logs should I check for more details?

-Bo

Oct 30, 2007 1:07 AM in response to Bo Boivie

I have to say after renaming my domain now I'm in Joe Swenson's camp. Very satisfied with the performance of Leopard and AD. However they still need to address the .local situation.

Bo, I got your message just before retiring and quickly renamed the domain to have ".se"; it worked fine without any problems. Did you perform an upgrade or do a clean install? Your symptoms are reminiscent of my first installation attempt at Leopard, where my Tiger installation was bound to AD and then I upgraded to Leopard. The transition didn't go too well; I ended up backing up, formatting and installing from scratch, and that resolved my problem of being able to connect and authenticate, but not the slowness. The renaming of my domain solved the slowness. Joe Swenson might have some input on log files; I haven't been able to find any related to this myself. Good luck...

Message was edited by: p_halcomb

Oct 30, 2007 5:08 AM in response to Bo Boivie

Hi Bo,

Unfortunately I don't know the answer to that question. Archive and Install is the only feature of the installer I've never used. But reading the description, it says it has the ability to preserve your user and network settings. So assuming you chose that, I suppose it could have carried over some settings, but I couldn't swear to that. I just really don't know.

Some things to try:

Make sure you're connected to the right DNS server.

Make sure your DNS suffix is correct on the DNS tab in your network preferences on the network interface that you're using. Make sure it reads "yourdomain.se".

Try throwing away the "DirectoryService" folder in /Library/Preferences, reboot, then try it again.

If those settings are right, you've reset the DirectoryService prefs and you're still having problems, then there's probably something more significant wrong with your installation.

Oct 30, 2007 6:49 AM in response to p_halcomb

Ok, did some more testing. First I threw away the Directory Services prefs as suggested and rebooted. The DNS stuff looks correct.

To start with, our AD is set up so that you need to be network administrator to bind to it.

1. I logged on as myself and asked my network admin to do the binding for me. During that process I had to authorize as computer admin once. The binding failed with the "illegal combination of username and password". For comparison I tried binding with my own credentials and got a message about not being authorized. Fair enough. I then tried entering a non-existent user name and a random password. The message is then the "illegal combination...". Hmm, strange... So the network admin is seen as non-existent or equivalent.

2. I then created a new local user account with admin rights on my computer for the above mentioned network admin. He logged on and tried to bind again. Same problem: "Illegal combination...". From his account I tried to bind as myself and again get the message that I don't have the authority to do this. So what is going on here? Why isn't our network admin recognized whereas I at least get to know that I haven't got the proper authority?

I should add that we did all this testing whilst connected via Airport. Is that a problem in itself?

-Bo

Oct 30, 2007 7:25 AM in response to Bo Boivie

Using the AirPort should be no problem; I used mine throughout my troubleshooting.

One more thing to try before backing up and doing a complete reinstall.

Follow these steps:

- throw away the DirectoryService prefs again - leave in trash
- go to the folder /etc and delete krb5.keytab - leave in trash
- go to /Library/Preferences and delete any instances of edu.mit.Kerberos - leave in trash

Then to my knowledge you have removed everything that ever knew you were connected to a domain. Then reboot and try binding again. Probably won't work but worth a try. The only other thing I know to do is reinstall the OS from scratch and move your data and apps over from a backup. Take care.
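The three-step cleanup in the post above, as an added example that is not part of the thread: a script that moves the DirectoryService preferences folder, /etc/krb5.keytab and any /Library/Preferences/edu.mit.Kerberos* files into a backup folder (the script's equivalent of "leave in trash", so the bind state is recoverable) before you reboot and re-bind. The ROOT and BACKUP arguments are this example's own additions: ROOT is a prefix (normally /) so the same functions can be exercised against a scratch directory, and BACKUP is where the files go. It does not touch the directory server, only the client's local record of the old binding.

```shell
#!/bin/sh
# Added example (not from the thread): make a Leopard client "forget" an AD
# binding by moving the files that record it into a backup folder.
# Run with sudo on a real system:  sudo sh forget_ad_binding.sh --run
# ROOT (default /) is only a prefix so the functions can be tested safely.

# Return 0 if any local trace of a domain binding exists under ROOT:
# the DirectoryService prefs folder, the machine keytab, or edu.mit.Kerberos files.
ad_binding_present() {
    root=${1%/}
    for p in "$root/Library/Preferences/DirectoryService" \
             "$root/etc/krb5.keytab" \
             "$root"/Library/Preferences/edu.mit.Kerberos*; do
        [ -e "$p" ] && return 0
    done
    return 1
}

# Move each of those paths under BACKUP, keeping its path relative to ROOT,
# so the change can be undone by moving them back. Prints what it moved.
forget_ad_binding() {
    root=${1%/}
    backup=$2
    for p in "$root/Library/Preferences/DirectoryService" \
             "$root/etc/krb5.keytab" \
             "$root"/Library/Preferences/edu.mit.Kerberos*; do
        [ -e "$p" ] || continue          # unmatched glob or file not present
        rel=${p#"$root"/}                # path relative to ROOT
        dest="$backup/$rel"
        mkdir -p "$(dirname "$dest")"
        mv "$p" "$dest"
        echo "moved $p -> $dest"
    done
    return 0
}

if [ "${1:-}" = "--run" ]; then
    ROOT=${2:-/}
    BACKUP=${3:-/tmp/ad-binding-backup-$(date +%Y%m%d-%H%M%S)}
    if ad_binding_present "$ROOT"; then
        forget_ad_binding "$ROOT" "$BACKUP"
        echo "Done. Reboot, then try binding again. To undo, move the files back from $BACKUP"
    else
        echo "No local binding state found under $ROOT"
    fi
fi
```

After the reboot the machine has no keytab and no Kerberos or DirectoryService configuration, so the bind starts from the same state as a fresh install; if it still fails with the same "illegal combination" error, the problem is not leftover client state.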
