13 Replies Latest reply: Jul 8, 2012 8:57 PM by Zero Six
wildlyons Level 1 (0 points)

Hi,

I'm fairly new to Lion Server but am pretty good when it comes to Active Directory setups in Windows. Unfortunately, as far as I can tell, Open Directory and Active Directory don't bear a great deal of resemblance to each other.

My problem is this:

I have created a home network/server setup on my brand spanking new iMac. I've set up a network user account so that I can store all the user data of my MBP on the iMac so it's part of the iMac's Time Machine backup, as well as the security of knowing my data is safe if my laptop ever gets lifted etc. So far the setup is working perfectly while I remain in the local network (bound to server.local), but as soon as I go remote with the laptop I can't bind to the Open Directory (using System Preferences > Users & Groups > Login Options > Network Server Account).

The iMac is running 10.7.2 Server and the MBP 10.7.2 Client.

As far as I can tell, the iMac computer name is solid (no spaces) and the external server.domain.com is pointing back to my static IP address, and I have forwarded ports 4500, 1701 and 500 at the router. Not sure if this is related (I'm assuming it is) but I also can't connect to the VPN remotely. I've tested the ports using yougetsignal.com and they are open.

The network account has full administrator privileges, the user is added to the Remote Management and Remote Login access lists on the server and, like I said, everything works fine internally.

DHCP and DNS are set up on the server and I believe working correctly, and the firewall is off.

I'm sure it's something basic that I've missed but can't for the life of me figure it out. Any thoughts/help?


iMac, Mac OS X (10.7.2)
  • Douggo Level 4 (2,740 points)

    I'll preface this with the fact that I am in no way an expert on Portable Home Directories...

    So far the setup is working perfectly while I remain in the local network (binded to server.local), but as soon as I go remote with the laptop I can't bind to the Open Directory (using System Preferences > Users & Groups > Login Options > Network Server Account)

    I'm pretty sure that you're going to need to use the FQDN of the server for OD to bind remotely. server.local just doesn't resolve to anything when you are in the wilds of the WAN instead of the comfortable confines of your LAN.

    Your VPN issue may be related to which ports are open in your router and firewall of the Server software (if you are running it). Getting my VPN working was a struggle to get configured because of that.

    -Doug

  • wildlyons Level 1 (0 points)

    Hi Doug,

    Sorry, I should have explained better. When I try and bind using server.domain.com either internally or externally it doesn't work, so for the moment I am just using server.local internally and have no external access.

    How did you end up resolving your VPN issues?

  • Douggo Level 4 (2,740 points)

    Your ports for VPN service look correct (500, 1701, 4500) but I believe you also need GRE (Generic Routing Encapsulation protocol) open as well. Beyond that, I found that trying to run DHCP in combination with VPN caused problems even with reserved addresses for each service. It's been so long I don't recall the exact solution to fixing VPN other than lots of testing opening firewall ports, restarts and testing connections.

    Firewall issues may also be behind your not being able to bind to OD remotely: LDAP Service uses port 389 and LDAP Secure uses port 636. Not sure what other dependencies there may be for accessing LDAP/OD remotely.

    -Doug
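Doug's port list turned into a check an administrator can run from either side of the VPN, as an added example (not code from the thread or from Apple): it resolves the server's FQDN, probes the LDAP ports with a plain TCP handshake, and reports LDAP ports that answer from the WAN without the VPN as exposed (a 389/636 forward at the router puts the directory itself on the internet) and LDAP ports that do not answer over the VPN as missing for binding. The server name and address (server.example.com, 203.0.113.10) are placeholders; the UDP VPN ports cannot be probed this way and are left to the VPN client itself.

```python
import socket

# Ports from the thread: the L2TP/IPsec VPN uses UDP 500 (IKE), 1701 (L2TP) and
# 4500 (NAT-T), which a TCP handshake cannot probe, so only the Open Directory
# binding ports are probed here: LDAP on TCP 389 and LDAPS on TCP 636.
LDAP_TCP_PORTS = {389, 636}

def resolve_ipv4(fqdn):
    """Return the sorted IPv4 addresses the name resolves to ([] if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def assess(resolved_ips, expected_ip, reachable_ldap_ports, via_vpn):
    """Verdict logic kept separate from the network probes so it can be unit-tested.
    Without the VPN no LDAP port should answer from the WAN; over the VPN both
    LDAP ports are expected so the client can bind to the directory."""
    ldap = set(reachable_ldap_ports) & LDAP_TCP_PORTS
    return {
        "dns_ok": expected_ip in resolved_ips,
        "exposed": set() if via_vpn else ldap,
        "missing": (LDAP_TCP_PORTS - ldap) if via_vpn else set(),
    }

def check_od_reachability(fqdn, expected_ip, via_vpn, timeout=3.0):
    """Resolve the server name, probe the LDAP ports from here and return the verdict."""
    ips = resolve_ipv4(fqdn)
    target = ips[0] if ips else fqdn
    reachable = {p for p in LDAP_TCP_PORTS if ips and tcp_reachable(target, p, timeout)}
    return assess(ips, expected_ip, reachable, via_vpn)

if __name__ == "__main__":
    # Placeholder values: substitute the server FQDN and the router's static address.
    verdict = check_od_reachability("server.example.com", "203.0.113.10", via_vpn=False)
    print(verdict)
```

Run it once from outside the LAN with the VPN down (expect `exposed` empty) and once with the VPN up (expect `missing` empty).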

  • wildlyons Level 1 (0 points)

    Well played sir... I'm not sure what exactly did the trick, but it was one of the ports 389/636. I added both to the router table and bang, VPN is working. I haven't tested the remote binding yet, but if it doesn't work I now at least have the VPN as a backup.

    Many many thanks!

  • Douggo Level 4 (2,740 points)

    You're welcome! Glad to have helped. Please update on your being able to bind to OD remotely.

    -Doug

  • wildlyons Level 1 (0 points)

    Just as an update, I have been able to bind remotely, though at this point I can only bind remotely after connecting the VPN, even when trying to bind to server.domain.com.

    Still, it's progress and does what I need it to do.

  • Douggo Level 4 (2,740 points)

    If VPN is reliable and working consistently, that is a much-preferred way to get your connection to OD for binding.

    -Doug

  • rshibley Level 1 (0 points)

    I am trying to figure out a way to bind to Open Directory remotely and actually log in with an account that is not cached on the laptop. My VPN is working and I can probably bind that way, but since the VPN signs off when I log out, I don't think that is going to enable me to sign on as a different, network user. Is there a way to do this? It would make configuring my company's MacBooks way easier than always having to have them at our headquarters to bind them to the OD server on the LAN.

  • wildlyons Level 1 (0 points)

    In my setup, when I go to the Advanced options of my VPN connection there are some session options. The first on the list is "Disconnect when switching user accounts" and the second is "Disconnect when user logs out".

    I have both of these unchecked, so I log in to the local client, set up the VPN, bind to the OD, and then can use fast user switching to take me back to the login screen, where I can now log in as a network user. I'm not sure if this is the most efficient way to do things, but it is working for me.

  • rshibley Level 1 (0 points)

    Hey, that is a great idea. I will give that a try and let folks know if it works. I am going to reformat my MacBook Air, sign onto the VPN, uncheck those things, bind the Air to the network over the VPN, and then try to sign in as a network user.

  • rshibley Level 1 (0 points)

    Just an update - that worked perfectly. While I would prefer to have the Mac sign onto the VPN at startup and before login, this works too. Thanks for the help, all!

  • Zero Six Level 1 (0 points)

    Using VPN is not a good solution for us, although I can confirm that this is the current behavior.

    Surely there is a way to get network user accounts working outside of LAN. Any further insight on this?

  • Zero Six Level 1 (0 points)

    ...or if I can just sync to the network home folder on login/logout once on VPN, that'd be okay too, I suppose.