Active Directory broken in Lion?

You can inside the Library folder for your account by removing the hidden ago on it... chflags nohidden ~/Library

For all existing user accounts on a computer... sudo chflags nohidden /Users/*/Library

For any new account that will be created on the computer... sudo chflags nohidden /System/Library/User\ Template/*/Library

I installed Lion for the first time last week and had been having a lot of problems with Active Directory. The first problem I encountered was an issue getting the extended groups for a domain user. Using "id adusername" would return to me the username uid and the gid for the domain user, but would also return me "id: failed to retrieve group list: Undefined error: 0". I don't have a clue how to fix this.

So I decided to do a fresh install to see if this fixed anything. After the fresh install I counldn't bind to the Domain to save my life. This was either crashing the opendirectoryd process with a 10002 error from dsconfigad or a 5002 error from dsconfigad. I continued digging to find out that my computer was having problems getting to the KDC of the domain. When researching this, I came accross this support page https://discussions.apple.com/thread/3189202?start=0&tstart=0. Using the information from that page, I checked for both a /etc/krb5.conf file and a /Library/Preferences/edu.mit.Kerberos file, both of which did not exist. So I created a /etc/krb5.conf file with the following

[realms]

DOMAIN = {

admin_server = tcp/KDCSERVERNAME.DOMAIN:749

kdc = tcp/KDCSERVERNAME.DOMAIN:88

default_domain = DOMAIN

}

The AD setup here uses the AD server as the KDC so the KDCSERVERNAME.DOMAIN was the DNS name of the AD server. I'm not sure if that information was truly needed as none of that information actually made it into the opendirectoryd log file.

Once this was configured I was able to use dsconfigad from the command line to configure opendirectoryd without a problem.

As a secondary benefit, I am now able to do "id adusername" and get the UID, GID, and extended group info for the user.

I hope this helps.

Message was edited by: dingdini

looks like I was wrong about the extended groups. It was working after I bound to the AD and was querying the adusername as the localadmin. However, once I logged into the computer as the user, the groups went away.

Running 10.7.3 at work and it connects to the domain fine, network accounts authenticate fine. It however does NOT create mobile accounts nor can I choose AD groups to administer the computer. In fact in the "Allow Administration by" box, you can type anything and it accepts it. Shouldn't there be some sort of verification that the group exists either locally or in AD? It works fine (most of the time) in 10.6.

An update to my post from awhile back. AD is working well enough (with one odd issue so far). I wrote it up here for the whole world to see:

http://noeasysearch.blogspot.com/2012/02/binding-to-active-directory-domain-with .html

Reviving this thread for input/comments on 10.7.4 update? My AD issues had pretty much been resolved with 10.7.3. After applying 10.7.4, I now have a longer delay on the logon screen before AD becomes accessible. Status is red. Anyone else experiencing this issue since 10.7.4?

After the 10.7.4 update I found that I had to change the Directory Utility authentication path to the default. The previous paths that I had used no longer worked consistantly.

Kent

I thought I'd throw in my 2p's worth here.

I've just tried to do an AD intergration on a large domain with multiple sites and approximatly 70 domain controllers.

The issue we were getting when binding was "Authentication Server Unreachable (5200)".

After some digging and finding out that you can enable debug loging for the AD Plugin by running odutil set log debug in terminal followed by tail -f /var/log/opendirectoryd.log to view the log we found the following being repeated in the log file:

2012-09-02 13:40:08.127 BST - 351.10639, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: udp [SERVER-IP]:kerberos ([FQDN OF SERVER])

2012-09-02 13:40:08.133 BST - 351.10639, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host disconnected: udp [SERVER-IP]:kerberos ([FQDN OF SERVER])

It turns out that since OS X uses the SRV records in DNS to find out domain information, specifically where to look for the domain controllers etc it was just trying EVERY server that had an SRV record.

The plugin would eventually time out before reacing the SRV record for the local domain controller which it did have access to with the error:

2012-09-02 13:40:40.428 BST - 351.10639, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential server unreachable' (5200)