1443 Views 7 Replies Latest reply: Jan 15, 2009 11:23 AM by Ken_Edgar
Nov 3, 2008 10:32 AM (in response to Ken_Edgar)
A weird thing I just noticed is if I open up /Applications/Utilities/Directory I can search for users that don't show up in Workgroup Manager. So it looks as if it is working, just that the Server Tools don't seem to be showing all the information.
Mixed environment
Nov 3, 2008 12:48 PM (in response to Ken_Edgar)
Hi Ken
I have noticed that WGM can struggle to show more than 1000 entries. This was certainly true in my experience for 10.4 Server. I have seen similar behaviour in 10.5. Having said that I have managed to view up to 2,500 AD Users and Groups using WGM recently. In that sense it does seem to be inconsistent?
Not much of a surprise really all things considered! Server Admin behaves in a similar fashion as well.
What you can try is launch WGM and select Preferences from the WGM Menu. You'll see an option to "List a maximum of _ records." Enable this and define a number. See if that helps? What you can also try is using the filter to search for records you can't see. Odds are it will list them. Whilst you are in WGM's Preferences menu enable the "Show all records tab and inspector". This is extremely useful as it will allow you to browse information coming from the AD schema itself as seen by WGM.
I have seen a similar problem with AD Users and Groups not showing correctly in WGM - actually it was more they disappeared and reappeared at random - which was down to SMB Digital Signing not being properly disabled on the DC. If that happens you can issue this command from Terminal after binding with the AD plug-in:
sudo dsconfigad -packetsign disable -packetencrypt disable
Once issued it should report "Settings successfully changed". To verify both options are off issue:
sudo dsconfigad -show
It should show (at the bottom of the list) packet sign = disable, packet encrypt = disable. It's a good idea to issue this anyway when integrating Macs into AD regardless of what is disabled or enabled on the DC.
Nov 3, 2008 1:07 PM (in response to Antonio Rocco)
Thanks for your post Tony,
I have tried all the suggestions you had except for turning off smb packet signing on the Windows 2003 servers. I've been told by them that it is off already, but I'm bugging them again just to make certain.
Nov 3, 2008 1:46 PM (in response to Ken_Edgar)
Hi Ken
It's a good idea to get them to check again. It's not enough for them to be "Not Defined". They must be "Disabled". You may have to get them to check not only the Domain Security Policies but also the Domain Controller Security Policies. I've also known it to take some time for those settings to fully propagate outwards.
I know it's difficult for you to track down, but some Windows Admins apply GPOs at the top OU level, which can give permissions problems when accessing home folders for Mac clients. If it turns out that everything is as it should be then I guess it is simply WGM's inconsistent ability to show you any more than you currently see. Who knows, if you wait a few weeks they may all appear in their full and unadulterated glory. What a surprise that will be!
Nov 3, 2008 6:23 PM (in response to Ken_Edgar)
Did you set a limit to the number of records WGM will display? Check the prefs.
Also, can you search for records that don't show up automatically or use a * in the search field to show all?
macbook pro 2.16 ghz, powerbook G4 1ghz, G4 400 mhz, poweredge and some junkers, Mac OS X (10.5.5)
Nov 4, 2008 11:53 AM (in response to foilpan)
The Windows admins are skeptical of the SMB packet signing causing an issue with this. I don't know whether or not to agree with them. As suggested by foilpan, I have set the limit of user records to 3000, but I still don't get anything over 983 Users.
I can use the AD groups, and the missing users are able to gain access to my kerberized services such as AFP and SMB. I think I will open an Apple Service ticket once I have time to do so.
Thank you all for your help,
Jan 15, 2009 11:23 AM (in response to Ken_Edgar)
This is just a test box, and I also found that I have a disjoined DNS name. This could be the cause of the problem. I'm thinking I will add it to AD DNS and bind to AD... rather than using our Unix DNS.
Mixed environment