
MagicTriangle-AD-Kerberos + ML Server

Hi there,


Joining an AD domain and authenticating against an AD controller works fine with 10.6 and 10.7 Server.


We've followed these instructions http://support.apple.com/kb/PH9388 without any problems.


10.8 Server seems to be different when joining an AD domain. We need to kerberize AFP and other services in order to log in to an ML server share using the AD credentials.


MagicTriangle is no longer working with 10.8 Server; there's no manual or help on how to join an AD controller, use SSO (Single Sign-On) and kerberize OS X services.


Has anyone got SSO, Kerberos and AD up and running with Mountain Lion Server?


Any information could be helpful.


Philipp

Posted on Jul 30, 2012 2:56 AM

7 replies

Aug 1, 2012 10:01 AM in response to Philipp Reinheimer

I think it is different now.

I had big difficulties with Lion Server. Lately, OD and AD Kerberos worked side by side, without turning off OD Kerberos! I think it is enough to join the server with Directory Utility, either from System Settings via the Users panel or via Server.app, where there is a menu to open it.


In my config, an update to ML from 10.7.4, all settings were kept. I think there is one big change now: AD users are just listed in Server.app under Users (dropdown menu to select the kind of users) and are no longer imported as augments into OD. (The update brought them as augments into ML, but I could not find any reason for that, so I removed the augments.)


Kerberos auth seems to work side by side. So I can login to my mac with my users credentials.

It is just important to have the search orders in Directory Utility set up correctly. And I reduced them to my domain and not the whole forest.


Perhaps an additional


sudo dsconfigad -enableSSO
helps.


So I would try:


1. setup ML

2. join AD via Directory Utility, check the search order and the AD server to search (AD as far up the list as possible) and make the settings (on a German system, check the admin group and add the German group if needed)

3. try to login with AD credentials

4. if that works, once logged in make the user an admin via System Settings > Users

5. install server.app

6. check the Users tab for the external directory via the dropdown menu

7. check if login still works

8. check some service like Calendar, Wiki or so and whether it is possible to log in

9. if it does not work, try sudo dsconfigad -enableSSO in Terminal.

10. turn on Open Directory, which creates a default group in Server.app Groups

11. check via Terminal with sudo serveradmin settings dirserv whether the AD is listed along with the main Kerberos server


I have no idea whether one has to make any settings like in Lion for some services to work with AD, as all of them work for me right now.


Only one thing is strange: I had Open Directory set up with my SSL certificate and tried to turn it off before upgrading, which left my OD not working. As I do not have too many users right now, I demoted my OD master and turned it back on without an SSL cert.

But it stops when I try to set up the certificate afterwards.


Hope that helps somehow.


Best


H

Aug 1, 2012 12:41 PM in response to hartmutfromberlin

Steps 1 - 8 worked for me. I can log in with my AD credentials and connect to AFP shares. But after setting up Open Directory I can't log in anymore with my AD account. I still see AD users and groups and I can add them to my AFP shares.


Apple removed sso_util -k remove ..... for removing Kerberos services, and dsconfigad -enableSSO has no effect after turning on Open Directory. So this is the point: if you turn on Open Directory, login with AD credentials does not work anymore, and I have no idea how to bring back the MagicTriangle on ML Server.


Philipp (from Berlin)

Aug 2, 2012 1:58 AM in response to Philipp Reinheimer

1. Both Kerberos instances run side by side without a problem here, as far as I can judge. So do not remove the OD Kerberos instance. This is even valid for Lion Server.


2. dsconfigad -enablesso (I am not at the Mac; it was changed in Lion, check man dsconfig) - not sure if it is necessary at all


3. check in Directory Utility whether the search is still set up correctly; otherwise you won't be able to log in


4. I think it is no longer the classic magic triangle like in the years before. In Server.app, AD users are in a separate listing now


5. see step 11: check via Terminal with sudo serveradmin settings dirserv whether the AD is listed along with the main Kerberos server


6. have you "set" permissions for the AD users in Server.app (select from the listing)? Are they allowed to access the file shares?


7. this can also be set globally for an OD group


8. AD users can be OD group members


Best


Hartmut

Aug 2, 2012 4:44 AM in response to hartmutfromberlin

Two more things to check:

in System Preferences > Users

check your options under "Allow network users to log in..." so that you are allowed to log in....


and this is how my settings in serveradmin appear:


dirserv:kerberizedRealmList:availableRealms:_array_index:0:dirNodePath = "/LDAPv3/127.0.0.1"

dirserv:kerberizedRealmList:availableRealms:_array_index:0:realmName = "ODFQDN"

dirserv:kerberizedRealmList:availableRealms:_array_index:1:dirNodePath = "/Active Directory/ADFOREST/adfqdn"

dirserv:kerberizedRealmList:availableRealms:_array_index:1:realmName = "ADFQDN"

dirserv:kerberizedRealmList:availableRealms:_array_index:1:nodeIsAD = yes


That's what it has looked like since Lion Server 10.7.4.


Give a note if it works.


Hartmut
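The check that Hartmut's step 11 and the serveradmin listing above describe (is an Active Directory realm present in the server's kerberizedRealmList next to the OD realm?) can be scripted. The following is an added example, not code from the thread or from Apple: it parses `serveradmin settings dirserv` output and reports which realms are configured and whether one of them is flagged `nodeIsAD = yes`. So that it runs offline, a constructed sample with placeholder realm names (OD.EXAMPLE.COM, AD.EXAMPLE.COM, forest EXAMPLE) stands in for the real command; on a Mountain Lion server you would feed it `sudo serveradmin settings dirserv` instead.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the Kerberos realm list that
# "sudo serveradmin settings dirserv" prints on OS X Server, looking for the
# Active Directory realm that the AD bind is supposed to register.

# CONSTRUCTED sample output with placeholder names; on a real server replace
# this function with:  sudo serveradmin settings dirserv
sample_dirserv_output() {
cat <<'EOF'
dirserv:kerberizedRealmList:availableRealms:_array_index:0:dirNodePath = "/LDAPv3/127.0.0.1"
dirserv:kerberizedRealmList:availableRealms:_array_index:0:realmName = "OD.EXAMPLE.COM"
dirserv:kerberizedRealmList:availableRealms:_array_index:1:dirNodePath = "/Active Directory/EXAMPLE/ad.example.com"
dirserv:kerberizedRealmList:availableRealms:_array_index:1:realmName = "AD.EXAMPLE.COM"
dirserv:kerberizedRealmList:availableRealms:_array_index:1:nodeIsAD = yes
EOF
}

PREFIX='dirserv:kerberizedRealmList:availableRealms:_array_index:'

# list_realms: read dirserv settings on stdin, print "<index> <realmName>" per realm
list_realms() {
  sed -n "s/^$PREFIX\([0-9]*\):realmName = \"\(.*\)\"\$/\1 \2/p"
}

# ad_realm: print the realmName of the first entry flagged nodeIsAD = yes;
# returns 1 when no AD realm is registered
ad_realm() {
  input=$(cat)
  idx=$(printf '%s\n' "$input" | sed -n "s/^$PREFIX\([0-9]*\):nodeIsAD = yes\$/\1/p" | head -n 1)
  [ -n "$idx" ] || return 1
  printf '%s\n' "$input" | sed -n "s/^$PREFIX$idx:realmName = \"\(.*\)\"\$/\1/p"
}

# check_realms: human-readable report; exit status 0 only if an AD realm is present
check_realms() {
  input=$(cat)
  echo "configured Kerberos realms:"
  printf '%s\n' "$input" | list_realms
  if realm=$(printf '%s\n' "$input" | ad_realm); then
    echo "AD realm present: $realm"
    return 0
  fi
  echo "no AD realm in kerberizedRealmList: re-check the AD bind (dsconfigad -show) and the search order in Directory Utility"
  return 1
}

# Stand-alone run against the constructed sample.
sample_dirserv_output | check_realms
```

On a live server, `dsconfigad -show` confirms the bind itself (domain, forest, computer account) and `klist` after a login shows whether the AD TGT was actually obtained; the realm-list check above only tells you that the server's Kerberos configuration knows about the AD realm, which is the precondition for AD credentials working against kerberized services such as AFP.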
