I am trying to bind a Lion 10.7 mac to Active Directory

Apparently out IT guys just picked up the 10.7.3 seed and so far the AD binding is working correctly with it... anyone else have any experiences with that?

I can get a 10.7.2 machine to bind to active directory no problem, but the user's network home folder refuses to mount on the dock. I just get a question mark. Any ideas?

This I have seen. This appears to be an issue with 7.2 that Apple broke. I have submitted a bug and they are looking at it as I've been contacted a few times for logs, etc. It worked in 10.7.0 but stopped working in 10.7.2 (I have not tried the most recent release of 10.7.3 but an earlier release did not repair the issue.)

Has 10.7.3 been released officially or is it still in 'Beta'? If it is available for public consumption, can it be downloaded an installed for free, like a Windows Service Pack?

It is still in beta so only developers have access to it. When it does go to general release it will be avaialble just like an MS service pack.

Thanks Jason.

Does anyone have any idea when Mac OS 10.7.3 might be officially released?

Hello,

am I the only one, with these problems?

- Up to 10.7.3, overwritting a file (simple save) corrupt the file.

- From 10.7.3 (11D50), the permissions for active directory accounts are ignored.

For me it looks like Apple tests absolutely nothing...

With best regards Matthias Loenartz

"the permissions for active directory accounts are ignored."

What do you mean? Allow domain admins to administer the Mac? This still doesn't work but you can make the user an admin on the local machine. Not a perfect solution but it is a solution.

Kent

we are having the same issue at a small local college I work at. We have around 200 Mac's on campus mostly running 10.6.8 they are all currently bound to the AD and the OD servers it use to be that after binding I could go in and make a AD group administrators on the machines so once a member of the group would log in they would automatically become an admin this use to work but for some strange reason this policy stopped working on the Mac's it will works on the 4000 windows machines...any idea's?

Craig

Sorry, that was all related to lions smb sharing, in 10.7.3 I don't get access from a windows system whose user has permissions to it. Curiously the error happens most only over fqdn-access and works over ip-access.

But all in all you can not name it stable, it's more like alpfa software...

With best regards Matthias Loenartz

May or may not be related, but I'll add my observations:

fqdn (DNS) is mostly not going to work with client Macs in an AD environment.

Have you ever used ARD to see your Macs in an AD enviroement, and notice the name of the Mac under the DNS info column, is almost always screwed up, some weird name or incorrect name appears. (could be DNS, or more likely a major bug in Apple Remote Desktop, that Apple has yet to fix for the last several years).

If you are using a Mac OS X client machine in this environment, the DNS just does not know what the name of the Mac is, there will be no DNS name resolution.

If you have a Mac OS X Server in this environment, you give the IP address to your DNS admin, with its name and you have him enter a record into the DNS.

In the terminal on OS X Server, you then use the changeip -checkhostname <osxserverhostname>

You should get, the names match there is nothing to change, message.

Finding that Mac OS X Server by name, will now always work: filesharing, ssh, web URL's, you name it.

But using FQDN names of client Mac OS X machines, is just not going to work, unless there is a dns record entered into the DNS, and for DHCP, concerning mac or windows clients, that just does not happen.

If you want to get to a Mac OS X client via sharing, you just have to know the IP address.

The mac is also the mailserver and such as the ping comand (and smb (windows file sharing) with the version previus to 10.7.3) it all works. (At least with W2k8 as adc the dns is automatically set correctly by joining.)

With best regards Matthias Loenartz

Is there a reason you need to use OD. In my experience is it just simply a "bag of hurt".

You have to bind the client Macs to both AD and the OD server (that is bound to AD), assuming this OD Server is also correct and stable.

If the OS X client loses only one of the AD or OD bindings, the Mac cannot log in. That is ridiculous.

Why would a Mac admin or anyone want to introduce these dependencies.

I have seen it a ton of times.

And then there could be issues with Kerberos.

If it was me, and I had to bind to AD. Just use Apple's built in AD plugin in (Directory Utility), by itself.

There is very little reason to use OD in AD, unless one wants Managed Prefs. Are you kidding. Apple's Managed Prefs are more suited for a school lab of 50 Macs or so, they are global and pretty weak. I see no use for it. If you want true policies (MSs Group Policy) Centrify is pretty good.

AD binding does work in 10.6.8 in this manner pretty well.

But as I have mentioned here, in 10.7 AD binding was broken on shipping of 10.7, it seems to be working once again as of 10.7.2.

I am trying to to figure out for the life of me how AD binding of a Mac is even relevant anymore. It makes no sense to do it. We no longer do it, why.

If users need to get to areas on the network, shares, etc, they simply enter their AD credentials.

If one really needs AD binding for some reason (I still cannot fathom), consider using Centrify Express, which works pretty well, at least they are on top of it and are proactive about it always working.

It seems obvious to me AD binding is simply not a priority at Apple, it never has been, and is it even relevant today.

OX Lion 10.7.2 doesn't like talking to SBS 2003/08. Some say it is an AD bind issue. I can tell you it isn't - well from what I have seen it is Java related. You will need to install/update Java SE http://support.apple.com/kb/DL1421 and reboot your machine. Bootnote - Java wasn't included with the LIon install - it's an add on.

I did read that 10.7.3 fixed known AD binding issues with SBS - but cannot confirm right now.

Thanks. I hope you're right about 10.7.3. It would simplify managing a single Mac OS machine in an otherwise all PC shop. Don't know if I will get permission to try installing the Java update as I have to assure management that the update will not break something else that is mission-critical.