I worked that out over the last weeks. At least it works for me now. As my system is in German, I apologize if I get a tool's name wrong. So here is a basic summary:
1. Important: have NO .local domain set in the AD Windows server. It conflicts with Bonjour services! It makes logins unreliable and take ages.
2. Check permissions in Disk Utility!
3. Sometimes a reboot helps.
Binding to AD: best done via Server.app > Tools > Directory Utility, or with no Server.app installed via Users and Groups ...
1. Services > Active Directory > enter credentials for the AD server (what you have done already)
2. > More Options (?) > Authentication > untick authentication from every forest (?) in the domain > OK
I have local user folders on the startup disk set for now! No mobile users, no AD user folder.
3. In Directory Utility, in the search path, the "All Domains" path should be gone.
4. Add the domain path by using the + and selecting the AD directly; it should look like "/active directory/DOMAIN/domain.whatever"
(5. Some people say you have to have a certain order, but it works for me in any search order.)
Now on your AD Windows server:
1. Check for the OS X Server machine in the domain's Server Manager under Computers: is it added correctly?
For kerberizing login to services:
2. Double-click on the machine's name and, under Delegation, set it to trust the machine for all services, Kerberos only.
3. Set the DNS on the server and add a reverse lookup PTR; refresh/update the DNS server by right-click > Refresh.
Back to the Lion server:
1. Try to log in with AD credentials. For now, leave the local admin logged in, so one can change quickly.
2. In System Settings (?) > Users and Groups > select the AD admin user and set it to allow administration on the server.
3. Sometimes a reboot is necessary.
Login should work now.
I now did the steps you have already done:
Just as a remark, in Server Admin, without an OD set, there is a button to kerberize services. I have no clue if it works. I tried several times but did it the way described below.
In Server Admin:
1. Make an Open Directory master.
2. When done it should show LDAP, Password and Kerberos running (that's where you are now).
4. Let's be optimistic and say login works.
Server.app:
Add users in Server.app > Users > + > change to user from other directory (?) and add users.
Kerberization of services with an AD
5. In a Terminal, kerberize all services by doing:
http://help.apple.com/advancedserveradmin/mac/10.7/
Kerberize services with an Active Directory server:
sudo dsconfigad -enablesso
Back to the Windows server, check the SPNs set for the Lion server in Server Manager:
1. Go to "View" > Advanced Features
2. Go to the Lion server in AD > right-click > Settings > Attribute Editor > servicePrincipalName
Those are the kerberized SPNs of the Lion server.
(3. I somewhere read one has to reset the AD admin's password; I did and used my old password, then restarted the Kerberos service in Services. Only optional.)
Back to Lion:
Now for Open Directory's own Kerberos realm I followed:
http://help.apple.com/advancedserveradmin/mac/10.7/#apdFAB2EB97-1713-43EF-B0B5-CAE51C7B604F
Integrate with existing directory domains>
Disable Kerberos after setting up an Open Directory master>
sudo sso_util remove -k -a username -p password -r NAME.OF.KERBEROSREALM
(Here use the OD diradmin and password.)
4. Reboot.
5. Does login still work? It does for me.
When checking the keytab in /etc/krb5.keytab (I forgot the correct command), you should have the list of services in the AD's Kerberos realm.
Also try to get tickets from Key Utility > Ticket Viewer or in Terminal via kinit; do they resolve to the Kerberos realm of the AD?
Further steps to kerberize logins are somehow documented in Lion Server KBs. Thunderbird is a bit tricky.
Hope that helps.
Hartmut
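As an added example, not part of Hartmut's post, here is a POSIX shell check for the keytab step above: it parses a keytab listing (the principal is the last field of each entry line, as in `klist -k` output), lists which services are kerberized in the AD realm, and flags any principal left over from the Open Directory realm that should be gone after `sso_util remove`. The realm names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Realm names and the sample
# listing are constructed; on a real server feed it 'sudo klist -k' output.

AD_REALM="AD.EXAMPLE.COM"          # assumed AD Kerberos realm
OD_REALM="LIONSERVER.EXAMPLE.COM"  # assumed Open Directory realm

# Constructed stand-in for 'sudo klist -k /etc/krb5.keytab' output; the
# last entry is a leftover OD-realm principal the check should catch.
SAMPLE_LISTING="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 host/lion.ad.example.com@$AD_REALM
   2 afpserver/lion.ad.example.com@$AD_REALM
   2 cifs/lion.ad.example.com@$AD_REALM
   3 afpserver/lion.ad.example.com@$OD_REALM"

# Print every principal (one per line) found in a listing; header and
# separator lines carry no '@' in their last field and are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk '$NF ~ /@/ { print $NF }'
}

# Print the sorted, unique service names (part before '/') of the
# service principals that belong to the given realm.
keytab_services() {
    keytab_principals "$1" | awk -v realm="$2" -F'[/@]' \
        'NF == 3 && $NF == realm { print $1 }' | sort -u
}

# Return 0 when every principal is in the given realm; otherwise print
# the foreign principals and return 1.
check_keytab_realm() {
    keytab_principals "$1" | awk -v realm="$2" -F'@' '
        $NF != realm { print "outside " realm ": " $0; bad = 1 }
        END { exit bad }'
}

if check_keytab_realm "$SAMPLE_LISTING" "$AD_REALM"; then
    echo "all keytab principals are in $AD_REALM"
else
    echo "keytab still holds principals from another realm; revisit sso_util remove"
fi
echo "services kerberized in $AD_REALM: $(keytab_services "$SAMPLE_LISTING" "$AD_REALM" | tr '\n' ' ')"
```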