Major problem with ActiveDirectory

I've just updated some of my Macs to Leopard.

It seems that there's a major problem with the ActiveDirectory integration... the login / logout and all the operations on the Windows 2003 server are VERY slow (the login takes around 40 seconds).

With the other Macs running Tiger all is running well, so it's not a network problem or Windows issue!

Can someone confirm the same issue? Do you have a solution?

IMAC 24", Mac OS X (10.5)

Posted on Oct 26, 2007 9:32 AM

74 replies

Oct 31, 2007 1:32 AM in response to William Lloyd

Hi William, in 10.4 the .local namespace issue was addressed, but with 10.5 it seems to have reared its ugly head again. We are now back to a situation similar to what we had with 10.3, and the fix for that was to edit the /etc/resolver file. We run 600+ Mac clients, 95% of which are 10.4, and with local entered in the search domains they work flawlessly. The other 5% are 10.3 and rely on the /etc/resolver fix. Along comes 10.5, and binding to the Domain on a clean install would take 10 mins+ from clicking bind to finishing, and trying to log into a Domain account took ages; I gave up after 15 mins. This is using the settings I would use with a 10.4 client, local in search domains etc... So on a hunch I tried iservebox and got the results I posted.
I have not encountered, or noticed, any issues working without Bonjour, for now at least.

Cheers

Oct 31, 2007 2:15 AM in response to p_halcomb

Right then, I eagerly raced to work this morning to try out the solution - which after only getting 6 hours of sleep because of my laptop's own personal Leopard nightmare wasn't fun. So I tried adding companyname.internal to the search domains box in Network Preferences. No dice. I've tried unbinding, rebinding, rebooting, all to no avail - login still takes minutes.

I have noticed though that in sharing preferences 1) the share name still appears as machineName.local and 2) the line that reads "You can access this computer by typing..." has some completely random machine name, but I'm willing to accept that's our DHCP's fault.

I don't know if I want to be disabling Bonjour to fix this - however if people are getting definite results from that, and it's reversible I'll give it a go.

Cheers

Oct 31, 2007 4:07 AM in response to mcornes

OK, I disabled Bonjour using "iServeBox 1.3 (Universal Binary)" and boom, login time is now down to normal again. I've obviously lost the ability to troubleshoot using the new iChat with Bonjour, but login times were more important.

Is Apple likely to fix this anytime soon, do we think? Did this issue come and go during developer builds?

I then had to contend with SAMBA shares not being writable off the bat, but some tinkering on the Windows server fixed that. Basically Apple have caused two significant issues with Leopard that are quite serious deal breakers when trying to convince Network Admins and IT managers that Macs and Windows just work together: you can expect to disable a high-profile service on the Macs like Bonjour and then go running attrib commands across your entire server to get basic functionality to work. BAD APPLE. Especially when it worked previously.

The chatter is that Apple have brought the code base up to spec. and made it compliant to this and that. However, this simply isn't cricket to just say "Well, our bit's spiffy now... don't care that it doesn't work in the real world"... anyway, sorry </rant>

Nov 1, 2007 10:42 AM in response to William Lloyd

They resolved it in 10.4, but the conflict is back in 10.5. In 10.5 you cannot enter the ".local" without the prefix as in 10.4 and you must enter the "domain.local" in 10.5. I have added the domain.local manually and it is duplicated because it is there via DHCP.

No help. The only solution I have is disabling Bonjour and that creates many other problems.

Nov 1, 2007 3:16 PM in response to Matthew Yohe

Matthew, I see you said you put your root domain in your search domain field. Is your root domain your Active Directory domain? Because if not, you can try to add your Active Directory domain in there too and make it the first entry. The way I've always set up search domains is, for example:

activedirectory.entomology.someuniv.edu, entomology.someuniv.edu, someuniv.edu

That way your network client always searches for NetBIOS-named hosts in "activedirectory.entomology.someuniv.edu"; if it doesn't find it there it will look next in "entomology.someuniv.edu" and so on.

You probably already know this, but just wanted to throw that out there for troubleshooting's sake. Although when binding to the domain you should be using the FQDN of the domain anyway, so things should work. Take care and good luck.
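The search-list ordering described in the post above, together with the .local collision discussed in this thread, as an added example that is not part of any original post. It is a simplified model of a stub resolver: the host name `dc01`, the domain `corp.local` and the `ndots=1` default are assumptions, and per-domain overrides such as /etc/resolver files are not modelled.

```python
# Added illustration (not from the thread): a simplified model of how a stub
# resolver expands a short host name through an ordered search-domain list.
# The host name "dc01", the domain "corp.local" and the ndots=1 default are
# assumptions made for this example.

MDNS_LABEL = "local"  # names ending in .local belong to Bonjour's multicast DNS


def normalize(name):
    """Lower-case a DNS name and drop surrounding spaces and the trailing dot."""
    return name.strip().rstrip(".").lower()


def candidates(host, search_domains, ndots=1):
    """Return the fully qualified names tried for `host`, in order."""
    bare = normalize(host)
    if host.strip().endswith("."):
        return [bare]  # absolute name: the search list is not consulted
    expanded = [f"{bare}.{normalize(d)}" for d in search_domains if normalize(d)]
    # A name with at least `ndots` dots is tried as-is before the search list.
    ordered = [bare] + expanded if bare.count(".") >= ndots else expanded + [bare]
    seen, result = set(), []
    for name in ordered:  # a domain entered by hand and again via DHCP collapses
        if name not in seen:
            seen.add(name)
            result.append(name)
    return result


def audit(host, search_domains):
    """Pair each candidate with the resolution path its last label selects."""
    return [
        (name, "mDNS" if name.split(".")[-1] == MDNS_LABEL else "unicast DNS")
        for name in candidates(host, search_domains)
    ]


if __name__ == "__main__":
    # Search list quoted in the post above, most specific domain first.
    post_list = ["activedirectory.entomology.someuniv.edu",
                 "entomology.someuniv.edu", "someuniv.edu"]
    for row in audit("dc01", post_list):
        print(row)
    # Constructed case: corp.local listed twice (manual entry plus DHCP).
    for row in audit("dc01", ["corp.local", "corp.local"]):
        print(row)
```
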

Nov 2, 2007 2:27 PM in response to p_halcomb

Here all is OK.
I've "updated" from Tiger, so the machine was already bound to the domain and I had to change some minor config in the DirectoryServices panel. In particular I added the LDAP servers (2 in my topology) that Leopard presents to me as "LDAPv3/[server]", and I've unchecked the option to prefer a server to authenticate (so the machine asks the DNS for the first domain controller available).
All the other settings are the same as I used with Tiger.

I obtain the Kerberos ticket as usual and I can browse and attach network shares even to a 2003 server (Tiger had some incompatibility with the signing of CIFS communications). I was unable to check whether I can now attach to a printer on the 2003 print server (I think yes, because now I can attach a share on the same server).
Unfortunately no support for DFS... :(

My domain is a 2003 native mode, with a .it TLD (.local is a WEIRD choice, like root as password for root), with 3 domain controllers.

Nov 2, 2007 5:37 PM in response to p_halcomb

IMHO, never use a pre-formatted solution (such as .local as TLD or root pw for root user), because in the future you could encounter problems. As Bonjour/Rendezvous used .local for their private addressing, creating problems with Panther ( http://docs.info.apple.com/article.html?artnum=107800, and Tiger too?) when joining a domain with a .local DNS namespace. As referenced by IANA ( http://rfc.net/rfc2606.html), the "world" of TLDs is pretty unstable and no one will guarantee that your private TLD will be used for public namespace (especially if it's "famous" as .local). So I prefer to use a real registered namespace also in a private environment (if possible and if I am the owner of that namespace) or subdomains of that. In other words, if you need a DNS namespace, register it.
Btw, in this matter there isn't a clear truth.

Sorry for the OT, have a nice day.

Nov 2, 2007 7:10 PM in response to Andrea_RM

Hi Andrea,

Point well taken, however I respectfully agree to disagree. Of course no Net Admin in their right mind would use "root" for their root password. It's been done for a long time, is it the way I would do it in a production environment? Probably not. For a test environment? Why not. The fact that people use it is enough reason for it to be fixed.

Nov 5, 2007 12:47 PM in response to p_halcomb

Just to clarify my last post, I was reading the newest one that came in and noticed what I wrote.

When I said "It's been done for a long time, is it the way I would do it in a production environment? Probably not. For a test environment? Why not. The fact that people use it is enough reason for it to be fixed."

I was referring to the fact that .local has been used for a long time and yadiyadiya, not using root for your root password which is something I would never advocate. Just wanted to clarify that.
