
Active Directory and Open Directory with Kerberos "magic triangle"

Hi,

Has anyone had any luck binding a 10.5 client to both Active Directory and Open Directory with Kerberos working seamlessly?

I have 10.5 clients and 10.5 server. The server is bound to the university's Active Directory and feeding off the AD's Kerberos. I have groups in the 10.5 server that contain AD members. The client 10.5 machine is bound to BOTH the Active Directory and the 10.5 Open Directory. Thus when I log on to the client using my Active Directory account I get in and the open directory group settings are correctly applied.

The problem is that when I go one step further and open iCal (or any other kerberised program) on the client after logging in I don't see the group calendar I set up on the OD server. Also when I try to access the Group Wiki on the OD server it denies me access.

I am assuming this is some kind of Kerberos problem. I'd be keen to find out if anyone else out there has been able to set up this "magic triangle" authentication.

xServer, Mac OS X (10.5.4), AD/OD integration

Posted on Sep 13, 2008 4:03 PM

6 replies

Sep 13, 2008 11:43 PM in response to Matt286

Hi,

In WGM have you enabled calendaring for your user(s)? You can find this in the user's Advanced settings for each account and use the "Enable Calendaring" check box, specifying the server that is running the service in the drop-down box. Also look at your password type for your users: are they authenticating using "Crypt" or "Open Directory"?

Similarly, for Wikis to work you must specify a group or users in the "Web Services" section of the web service in Server Admin, and check the boxes for which services you need users and/or groups to use (check wiki and blog and also web calendar here). In WGM you then have to enable the use of these services for your chosen group(s) by selecting your group and clicking the "Basic" tab, then in the right pane selecting the correct site from the drop-down menu "Enable the following service for this group on...", and ticking "Wiki and blog..." and "web calendar". You will also notice that there are permissions associated with these settings: you can allow, for example, "group members only" to read and write to them, and also set view permissions.

You may have already looked at all of this, and if that is the case accept my apologies for waffling and carry on searching for a solution!

Failing that I will leave it to others more capable than I 🙂

Hope that helps a little,

Paul

Sep 14, 2008 6:34 PM in response to Paul Munro

Thanks Paul,

Feel free to waffle - every bit helps. You're right though, I have already worked my way through the settings in the WGM.

WGM Group settings:
- wiki and blog enabled (both calendar and mailing list ticked)

In Server Admin:
- AFP, iCal, iChat, OD, web are all running
- in the "access" tab - "For all services" "Allow all users and groups"

I log in to a client bound to both the AD and this OD server. This works fine and the group settings are applied (simply move the dock from the bottom to the left side). So from this I can see that my client is authenticating correctly to the Active Directory and applying the group settings from the Open Directory.
The problem comes when I try to access the group calendar or wiki. Using iCal, it simply doesn't see any group calendar. When I go to the OD server's default web page and try to access the group wiki, it asks for a password, then shakes its head when I enter the client's AD credentials (the same credentials I used to log into the account successfully).

So if anyone out there has any idea what's going wrong - or if you're happily running this "magic triangle" authentication please don't hesitate to reply!

Cheers,
Matt

Sep 16, 2008 5:05 PM in response to Matt286

Here is my standard response to AD related questions.

I have been successful in doing the following for imported Active Directory (AD) users in both Advanced and Workgroup mode in 10.5.3:

- creating calendars in iCal
- subscribing to group calendars in iCal
- accessing group Wikis

But there are a few workarounds that must be applied and some simple steps that must be followed in order to be able to get this functionality to work.

Whenever people have a problem doing any of the above, I find that it's usually due to one of the following:

1. The binding was not done correctly.

The OD Master should have a binding to the AD server, and the client machine must be bound to both the OD Master and AD server. If the OD Master or client machine cannot bind to the AD server, it could be that these machines are not entered into the DNS, and/or are not entered in forward/reverse check. (I'm not an expert on DNS so I won't speak to that.)

2. An older version of Leopard server is being used.

It's been my experience that the OD/AD config works much better in 10.5.3. In fact, the version of Workgroup Manager (WGM) that was released in 10.5.3 provides a means for enabling calendaring for imported AD users in Advanced mode. (Discussed below.) Before 10.5.3, I don't know of any way to enable calendaring for AD users in Advanced mode (although it worked in Workgroup mode).

3. Workarounds to enable clear text for both iCal and Wiki have not been applied.

Clear text authentication must first be enabled for both Wiki and iCal in order for certain functionality to work. So there are a couple of workarounds that must be applied.

For Wiki, there is a KBase article that provides instructions and background info on this subject:

http://docs.info.apple.com/article?artnum=306750

For iCal, you must edit the /etc/caldavd/caldavd.plist file for the following:

<key>Authentication</key>
<dict>
    <key>Basic</key>
    <dict>
        <key>Enabled</key>
        <false/> <!-- change to true -->
    </dict>
    <key>Digest</key>
    <dict>
        <key>Algorithm</key>
        <string>md5</string>
        <key>Enabled</key>
        <true/> <!-- change to false -->
        <key>Qop</key>
        <string></string>
    </dict>
    <key>Kerberos</key>
    <dict>
        <key>Enabled</key>
        <true/>
        <key>ServicePrincipal</key>
        <string></string>
    </dict>
</dict>

4. AD users have not been imported.

This primarily relates to calendaring. Binding to an AD server will allow you to see the AD users in WGM, but binding alone will not enable the users for calendaring.

In Advanced mode, what you need to do is select the 'New Augmented User Records' item from the 'Server' window in WGM. In the resulting window, select the 'Calendar Server' from the drop down list at the bottom. Then select the AD user(s) you want to import.

In Workgroup mode you would import the AD users using Server Preferences.
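
As an added example (not from the post, and not Apple's or Calendar Server's own tooling), the caldavd.plist change in step 3 done with Python's standard plistlib, plus an audit of the result. The input is a constructed fragment that mirrors the Authentication block above and also carries caldavd's SSLEnable key, because Basic auth sends the password in clear text and the audit flags it whenever SSL is off.

```python
import plistlib

# Constructed sample mirroring the Authentication block quoted in the post; the
# rest of a real caldavd.plist is omitted, and SSLEnable is included so the audit
# can tell whether Basic auth would travel over TLS.
SAMPLE_CALDAVD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>SSLEnable</key>
  <false/>
  <key>Authentication</key>
  <dict>
    <key>Basic</key>
    <dict><key>Enabled</key><false/></dict>
    <key>Digest</key>
    <dict>
      <key>Algorithm</key><string>md5</string>
      <key>Enabled</key><true/>
      <key>Qop</key><string></string>
    </dict>
    <key>Kerberos</key>
    <dict>
      <key>Enabled</key><true/>
      <key>ServicePrincipal</key><string></string>
    </dict>
  </dict>
</dict>
</plist>
"""

def apply_workaround(plist_bytes: bytes) -> bytes:
    """Enable Basic and disable Digest, as the post describes; Kerberos stays on."""
    cfg = plistlib.loads(plist_bytes)
    auth = cfg["Authentication"]
    auth["Basic"]["Enabled"] = True
    auth["Digest"]["Enabled"] = False
    auth["Kerberos"]["Enabled"] = True
    return plistlib.dumps(cfg)

def audit_auth(plist_bytes: bytes) -> dict:
    """Report which mechanisms are on and flag clear-text Basic auth without SSL."""
    cfg = plistlib.loads(plist_bytes)
    enabled = {name: bool(sub.get("Enabled")) for name, sub in cfg["Authentication"].items()}
    findings = []
    if enabled.get("Basic") and not cfg.get("SSLEnable", False):
        findings.append("Basic enabled with SSLEnable false: passwords cross the wire in clear text")
    if not any(enabled.values()):
        findings.append("no authentication mechanism enabled")
    return {"enabled": enabled, "findings": findings}
```

Run apply_workaround over the bytes of the real /etc/caldavd/caldavd.plist and write the result back after taking a backup; audit_auth on the output shows the Basic/Digest flip and whether SSL still needs turning on.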

Sep 16, 2008 5:22 PM in response to ericc56

Wow. Thanks for all that - it's a lifeline.

I came back from a recent Apple conference all excited about how easily I could integrate our Macs into the wider university. "No problems!" they (Apple people) said. "Simple!" they said. It now looks far from simple - grrr.

Thanks for your post. I'll digest it over the coming days and report back on my progress.

Cheers,
Matt
