
mapping UID to uidNumber breaks lookup of secondary groups

Hello,


we have our Macs bound to an Active Directory Server 2008 R2 with Unix Extensions. In Snow Leopard, we used to map UID to uidNumber in Directory Utility. Doing so in Lion on hitherto unknown accounts breaks lookup of secondary groups. In the example below, janeroe is a valid AD account that was never logged into the computer; johndoe (see further down) logged in before.


nb:~ admin$ id janeroe

id: failed to retrieve group list: Undefined error: 0

uid=33333(janeroe) gid=100(_lpoperator)


This throws the following error in /var/log/system.log:


Jul 26 15:35:13 nb opendirectoryd[13]: GetGroups couldn't find uid 33333


Or, using groups:


nb:~ admin$ groups janeroe



groups(516) malloc: *** error for object 0x7fff67eb1bd0: pointer being freed was not allocated

*** set a breakpoint in malloc_error_break to debug

Abort trap: 6


output in system.log is similar:


Jul 26 15:35:07 nbcale opendirectoryd[13]: GetGroups couldn't find uid 33333

Jul 26 15:35:07 nbcale ReportCrash[511]: Saved crash report for groups[510] version ??? (???) to /Users/admin/Library/Logs/DiagnosticReports/groups_2011-07-26-153507_......crash


Users are nevertheless able to log into their mobile account and after logging in once their secondary groups are listed fine:


nb:~ admin$ id johndoe

uid=30377(johndoe) gid=100(_lpoperator) groups=100(_lpoperator),403(com.apple.sharepoint.group.2),405(com.apple.sharepoint.group.4),12(everyone),62(netaccounts),402(com.apple.sharepoint.group.1)

nb:~ admin$ groups johndoe

_lpoperator com.apple.sharepoint.group.2 com.apple.sharepoint.group.4 everyone netaccounts com.apple.sharepoint.group.1



AD integration with the standard plug-in seems worse than in Snow Leopard...


Anyone having the same problem? Or better, does anyone have any idea of how to solve this issue?


Thanks,

Peter

Mac OS X (10.7)

Posted on Jul 26, 2011 6:53 AM

8 replies

Mar 1, 2012 3:14 PM in response to pwcaligari

I had the same thing in the console talking about GetGroups not being able to find the uid. I also could not log in; after I typed in my credentials, it would just sit at the color wheel. Not frozen, just wouldn't go anywhere.


What I did to solve both problems was open Directory Utility and edit the LDAPv3 option. I then changed the Location to Automatic. After that my exact domain name was available under search policy (/Active Directory/BP-*******/bp-*******.test wasn't available before I changed the LDAP setting), so I removed all the directory domains except the one I needed under Authentication and Contacts.


After that the errors stated above were no longer in the Console log. I was also able to login just fine.


Hope this helps someone. BTW Client OS was 10.7.3 and Server OS was Windows Server 2008 R2.

Mar 15, 2012 2:27 PM in response to Ih8macs

You could try unchecking "Allow authentication from any domain in the forest" and also entering the IP address of a domain controller in the "Prefer authentication from this server" option.


Also try putting the Location of LDAPv3 on whatever one is there, then hit Apply and close everything, then go back and add the Automatic option. Then try to add it again.


There are a few other problems I've run into that I'm trying to remember, but I'm currently writing a guide on binding Mac OS X operating systems to Windows Server 2008 R2 (client side guide) for my work anyway. This guide will also have solutions to the problems I have run into.


I will also be cutting the names out and posting it online; I will post a link when it is complete which should be by next week. (At least the Leopard and Lion sections. Snow Leopard is an OS I still need to take screenshots for).


Also, make sure the attributes are correct. They are case sensitive and I've made a silly mistake before by capitalizing the first letter. When using NIS for Windows Server 2008 (x86 or x64) the correct attributes are:


User uploaded file


And for a reference I changed the one that was checked to the one that says Automatic:

User uploaded file


Message was edited by: bloke101

Mar 23, 2012 6:42 AM in response to bloke101

I was able to correct my problem by editing the plist files located in /Library/Preferences/OpenDirectory. All I needed to do was add the FQDN of my Active Directory domain to the Search.plist file and create an LDAPv3 directory. The steps are outlined below:


1. Bind your Mac to Active Directory, either using the command line dsconfigad or the Directory Utility. Ensure that your uid/gid/ggid mappings are set up like bloke101 has mentioned.


2. Open a Terminal from Applications > Utilities.


3. Type cd /Library/Preferences/OpenDirectory/Configurations

4. Convert the Search.plist to XML by typing plutil -convert xml1 Search.plist

5. Edit the Search.plist file to include the FQDN of your Domain:



<key>dsAttrTypeStandard:CSPSearchPath</key>
<array>
    <string>/Local/Default</string>
    <string>/Active Directory/NetBiosName</string>
    <string>/Active Directory/NetBiosName/Some.Domain.com</string>
</array>

6. Save the Search.plist and convert it back to binary: plutil -convert binary1 Search.plist

7. Navigate to /Library/Preferences/OpenDirectory/DynamicData

8. Create an LDAPv3 directory: sudo mkdir LDAPv3

9. Navigate to /Library/Preferences/OpenDirectory/DynamicData/LDAPv3/

10. Create a plist file named after the FQDN of your domain: touch some.domain.com.plist

11. Edit the new plist file with your information:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>lastused server</key>
    <dict>
        <key>host</key>
        <string>some.domain.com</string>
        <key>other</key>
        <string>ldap</string>
        <key>port</key>
        <integer>389</integer>
    </dict>
</dict>
</plist>

12. Convert the newly created plist file to binary: plutil -convert binary1 some.domain.com.plist

13. Reboot the machine and hopefully everything will be working
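The plist edits in steps 4 to 6 and 10 to 12 above, scripted as an added example (not from the poster or from Apple) using Python's standard plistlib instead of plutil, so the result can be checked before it is written to /Library/Preferences/OpenDirectory. The NetBIOS name "NetBiosName", the domain "Some.Domain.com" and the starting Search.plist contents are constructed sample values taken from the post; use your own.

```python
import plistlib

SEARCH_PATH_KEY = "dsAttrTypeStandard:CSPSearchPath"

# Constructed sample of Search.plist *before* step 5: the FQDN node is missing.
CONSTRUCTED_SEARCH_PLIST = plistlib.dumps(
    {SEARCH_PATH_KEY: ["/Local/Default", "/Active Directory/NetBiosName"]},
    fmt=plistlib.FMT_XML,
)


def search_path(plist_bytes: bytes) -> list:
    """Return the CSPSearchPath array; plistlib.loads reads XML or binary plists."""
    return list(plistlib.loads(plist_bytes).get(SEARCH_PATH_KEY, []))


def add_domain_to_search_path(plist_bytes: bytes, netbios: str, fqdn: str) -> bytes:
    """Step 5 + 6: append '/Active Directory/<NetBIOS>/<FQDN>' to the search
    path if it is not already there, and return the plist in binary form
    (what 'plutil -convert binary1' produces). Idempotent, so re-running is safe."""
    cfg = plistlib.loads(plist_bytes)
    paths = cfg.setdefault(SEARCH_PATH_KEY, [])
    node = f"/Active Directory/{netbios}/{fqdn}"
    if node not in paths:
        paths.append(node)
    return plistlib.dumps(cfg, fmt=plistlib.FMT_BINARY)


def ldapv3_dynamic_plist(fqdn: str, port: int = 389) -> bytes:
    """Step 11 + 12: the DynamicData/LDAPv3/<fqdn>.plist from the post, as binary."""
    doc = {"lastused server": {"host": fqdn, "other": "ldap", "port": port}}
    return plistlib.dumps(doc, fmt=plistlib.FMT_BINARY)


def ldap_server_settings(plist_bytes: bytes) -> dict:
    """Read back the 'lastused server' dict so the file can be verified."""
    return dict(plistlib.loads(plist_bytes)["lastused server"])


if __name__ == "__main__":
    # Dry run: show the XML that would land on disk instead of writing it.
    new_search = add_domain_to_search_path(
        CONSTRUCTED_SEARCH_PLIST, "NetBiosName", "Some.Domain.com")
    print(plistlib.dumps(plistlib.loads(new_search)).decode())
    print(plistlib.dumps(plistlib.loads(
        ldapv3_dynamic_plist("some.domain.com"))).decode())
```

On a real Mac the two byte strings would be written (with sudo) to Configurations/Search.plist and DynamicData/LDAPv3/some.domain.com.plist, followed by the reboot in step 13.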
