Active Directory Authentication How To (Mac thread, Technical forum), page 2 of 2: posts 16 to 25
#16 (Sheffield, joined Jun 2010)

    Thanks for the reply, hum, I've not found any useful info on the web about this as yet either.

    I've searched for some stuff I found in the console logs, but I think it's unrelated, it's quite hard to pin it down to when it's happening.

    I'm running 10.6 Server and Clients, and I'm not using Deploy Studio, in fact this is my first test client that I'm having the problem with.

    Thanks, Ed

#17 (Sheffield, joined Jun 2010)

    I've now tried a number of other things:
    I stopped the clients from sleeping and it didn't drop the connection to AD for over 24hr, but then I tried a reboot and it didn't reconnect.
    I've restarted a number of times today and sometimes it comes back up with both AD and OD connected, sometimes without OD.
It always looks bound in Directory Utility and it's always in the search path though.

    I've rebound to OD using the command line and this has changed nothing.

    I'm getting to the point where I might try to run a script to "killall DirectoryService" as a startup item in order to kick it back into life, but I'm not too sure how to get this working and it would certainly be bodging it.

    I have noticed this in my DirectoryService.error.log

    2010-06-21 00:08:56 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
    2010-06-21 00:10:24 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
    2010-06-21 00:11:41 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
    2010-06-21 00:21:12 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563

    I'm also seeing
    21/06/2010 00:23:34 ServerScanner[148] Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath
Sometimes this refers to OD and sometimes AD?

    Any ideas please?

#18 (Sheffield, joined Jun 2010)

    Here's a System log where the client fails to reconnect to AD:
    Jun 21 01:04:46 macosx1 com.apple.launchd.peruser.501[129] (com.apple.AirPortBaseStationAgent[154]): Exited: Killed
    Jun 21 01:04:46 macosx1 SecurityAgent[273]: NSDocumentController's invocation of -[NSFileManager URLForDirectory:inDomain:appropriateForURL:create: error:] returned nil for NSAutosavedInformationDirectory. Here's the error:\nError Domain=NSCocoaErrorDomain Code=513 UserInfo=0x100140a40 "You don’t have permission to save the file “Library” in the folder “empty”." Underlying Error=(Error Domain=NSPOSIXErrorDomain Code=13 "The operation couldn’t be completed. Permission denied")
    Jun 21 01:04:47 macosx1 loginwindow[42]: DEAD_PROCESS: 42 console
    Jun 21 01:04:47 macosx1 com.apple.loginwindow[42]: LogoutHook: Executing /etc/hooks/LOcleanupclean.hook...
    Jun 21 01:04:47 macosx1 macadmin[311]: LogoutHook: Starting for macadmin
    Jun 21 01:04:47 macosx1 shutdown[316]: reboot by macadmin:
    Jun 21 01:04:47 macosx1 shutdown[316]: SHUTDOWN_TIME: 1277078687 279376
    Jun 21 01:04:47 macosx1 mDNSResponder[18]: mDNSResponder mDNSResponder-214.3 (Feb 11 2010 04:49:16) stopping
    Jun 21 01:04:47 macosx1 mDNSResponder[18]: mDNS_Deregister_internal: 51 _kerberos.macosx1.local. TXT LKDC:SHA1.4DC7A1D1C03651E88DAFDF1E20B08E8FAE91136B already marked kDNSRecordTypeDeregistering
    Jun 21 01:04:47 macosx1 WindowServer[65]: hidd died. Reestablishing connection.
    Jun 21 01:04:47 macosx1 DirectoryService[244]: dnssd_clientstub read_all(18) failed 0/28 0
    Jun 21 01:04:47 macosx1 WindowServer[65]: bootstrap_look_ip failed: Unknown service name
    Jun 21 01:04:47 macosx1 DirectoryService[244]: BUG in libdispatch: 10D578 - 1960 - 0x10004004
    Jun 21 01:05:26 localhost com.apple.launchd[1]: *** launchd[1] has started up. ***
    Jun 21 01:05:26 localhost com.apple.launchd[1]: *** Verbose boot, will log to /dev/console. ***
    Jun 21 01:05:31 localhost blued[16]: Apple Bluetooth daemon started
    Jun 21 01:05:31 localhost mDNSResponder[18]: mDNSResponder mDNSResponder-214.3 (Feb 11 2010 04:49:16) starting
    Jun 21 01:05:32 macosx1 configd[14]: setting hostname to "macosx1.oakwood.local"
    Jun 21 01:05:32 macosx1 configd[14]: network configuration changed.
    Jun 21 01:05:34 macosx1 bootlog[53]: BOOT_TIME: 1277078726 0
    Jun 21 01:05:35 macosx1 com.apple.usbmuxd[34]: usbmuxd-190 built for iTunesNineOne on Mar 8 2010 at 20:25:36, running 32 bit
    Jun 21 01:05:35 macosx1 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[42]: Login Window Application Started
    Jun 21 01:05:36 macosx1 configd[14]: network configuration changed.
    Jun 21 01:05:38 macosx1 loginwindow[42]: Login Window Started Security Agent
    Jun 21 01:05:38 macosx1 WindowServer[64]: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
    Jun 21 01:05:38 macosx1 com.apple.WindowServer[64]: Mon Jun 21 01:05:38 macosx1.oakwood.local WindowServer[64] <Error>: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
    Jun 21 01:06:08 macosx1 com.apple.DirectoryServices[11]: Enter machine password:
    Jun 21 01:06:09 macosx1 com.apple.DirectoryServices[11]: DNS update failed!
    Jun 21 01:06:56 macosx1 /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[78]: CGSKeyTranslateInitialize: KLGetCurrentKeyboardLayout or KLGetKeyboardLayoutProperty is not available, fall back to USA keymap
    Jun 21 01:07:02 macosx1 SecurityAgent[86]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...
    Jun 21 01:07:03 macosx1 loginwindow[42]: Login Window - Returned from Security Agent
    Jun 21 01:07:03 macosx1 com.apple.loginwindow[42]: LoginHook: Executing /etc/hooks/LIclean.hook...
    Jun 21 01:07:04 macosx1 _mdnsresponder[127]: LoginHook: Starting for macadmin
    Jun 21 01:07:04 macosx1 loginwindow[42]: USER_PROCESS: 42 console
    Jun 21 01:07:04 macosx1 com.apple.launchd.peruser.501[135] (com.apple.ReportCrash): Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self
    Jun 21 01:07:07 macosx1 ServerScanner[154]: Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath
    Jun 21 01:07:08 macosx1 com.apple.launchd.peruser.501[135] (com.apple.Kerberos.renew.plist[158]): Exited with exit code: 1
    Jun 21 01:07:10 macosx1 com.apple.launchd.peruser.501[135] (com.apple.CSConfigDotMacCert-ehartley7@me.com-SharedServices[161]): Exited with exit code: 1

And here's the console messages from the same reboot:
    21/06/2010 01:05:26 com.apple.launchd[1] *** launchd[1] has started up. ***
    21/06/2010 01:05:26 com.apple.launchd[1] *** Verbose boot, will log to /dev/console. ***
    21/06/2010 01:05:38 com.apple.WindowServer[64] Mon Jun 21 01:05:38 macosx1.oakwood.local WindowServer[64] <Error>: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
    21/06/2010 01:06:08 com.apple.DirectoryServices[11] Enter machine password:
    21/06/2010 01:06:09 com.apple.DirectoryServices[11] DNS update failed!
    21/06/2010 01:07:03 com.apple.loginwindow[42] LoginHook: Executing /etc/hooks/LIclean.hook...
    21/06/2010 01:07:04 com.apple.launchd.peruser.501[135] (com.apple.ReportCrash) Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self
    21/06/2010 01:07:07 ServerScanner[154] Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath
    21/06/2010 01:07:08 com.apple.launchd.peruser.501[135] (com.apple.Kerberos.renew.plist[158]) Exited with exit code: 1
    21/06/2010 01:07:10 com.apple.launchd.peruser.501[135] (com.apple.CSConfigDotMacCert-ehartley7@me.com-SharedServices[161]) Exited with exit code: 1
    21/06/2010 01:09:23 com.apple.WebKit.PluginAgent[185] Debugger() was called!
    21/06/2010 01:09:39 com.apple.WebKit.PluginAgent[185] Debugger() was called!
    21/06/2010 01:09:45 com.apple.WebKit.PluginAgent[185] Debugger() was called!
    21/06/2010 01:09:46 com.apple.WebKit.PluginAgent[185] Debugger() was called!

    Don't know if I'm looking in the right place here, but clutching at straws now!
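Before falling back to a blind `killall DirectoryService` at startup, it helps to know which of the lines quoted above are worth alerting on. The following is an added example, not from the thread: a small POSIX shell triage over constructed log lines modelled on the excerpts above, which counts the DNS-layer indicators (the mDNS -65563 result, the dnssd_clientstub read failure and the `DNS update failed!` line) separately from the Kerberos renew failure, so a periodic job can flag the condition rather than restart the service.

```shell
#!/bin/sh
# Added example, not from the thread: count the directory-service log indicators
# quoted above so a periodic job can alert instead of restarting DirectoryService blindly.

# Constructed sample lines, modelled on the excerpts posted in this thread.
SAMPLE_LOG='2010-06-21 00:08:56 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
2010-06-21 00:10:24 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
Jun 21 01:04:47 macosx1 DirectoryService[244]: dnssd_clientstub read_all(18) failed 0/28 0
Jun 21 01:06:09 macosx1 com.apple.DirectoryServices[11]: DNS update failed!
Jun 21 01:07:07 macosx1 ServerScanner[154]: Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath
Jun 21 01:07:08 macosx1 com.apple.launchd.peruser.501[135] (com.apple.Kerberos.renew.plist[158]): Exited with exit code: 1'

# Number of lines on stdin matching a basic regular expression (prints 0 when none).
count_indicator() {
    grep -c -- "$1" || true
}

# Read log text from stdin, print one summary line, and return 0 only when none of
# the DNS-layer indicators were seen. The ServerScanner line is informational (it
# only records that the node is already in the search path), so it is not counted.
triage_dns() {
    log=$(cat)
    mdns=$(printf '%s\n' "$log" | count_indicator 'DNSServiceProcessResult returned -65563')
    stub=$(printf '%s\n' "$log" | count_indicator 'dnssd_clientstub read_all.*failed')
    upd=$(printf '%s\n' "$log" | count_indicator 'DNS update failed')
    krb=$(printf '%s\n' "$log" | count_indicator 'Kerberos.renew.plist.*Exited with exit code: 1')
    echo "mdns_errors=$mdns dnssd_stub_failures=$stub dns_update_failures=$upd kerberos_renew_failures=$krb"
    [ $((mdns + stub + upd)) -eq 0 ]
}

# Run over the constructed sample; on a live client feed triage_dns the real
# DirectoryService.error.log and system.log instead.
dns_summary() {
    printf '%s\n' "$SAMPLE_LOG" | triage_dns || true
}
```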

#19 AntonioRocco (South Yorkshire, joined Oct 2008)

    Hi

    Your problem is DNS. I'm surprised you could not find anything as this forum (as well as others) is full of threads such as yours. The platform will struggle and more than likely display the behaviour you're seeing if you're basing your domain around .local. Why? Because it reserves .local for Bonjour/Rendezvous Services. All macs will broadcast and discover themselves using it. It's not a good idea to switch it off either. How you name your macs could also display similar behaviour. Don't use hyphens or any other non letter/number character. Using .local can be made to work but don't be surprised if you see problems. Having said that other AD environments that don't use .local can also display similar or even different problems which could be due to something else.

    The most successful integrations of my experience are invariably with environments that have (a) been built to accommodate macs in the first place (b) the AD structure/organisation is fairly flat/simple (c) don't base the internal domain around .local (d) are not using RM.

    Antonio Rocco (ACSA)


#20 (Sheffield, joined Jun 2010)

    Hi,

Thanks for your feedback, I have been wondering if it could be the .local domain name that I'm using for Windows that's causing me problems.

My Macs are being added to an OU in the root of the domain so I guess I have a fairly flat structure from that point of view and I'm not using any of that RM rubbish as we scrapped that years ago.

Could you tell me what you mean when you say "an environment that has been built to accommodate Macs in the first place"?

If in the future, when I replace the DC and have the time to create a new domain in order to get rid of the .local issue, what else must I do to ensure that it is as easy for the Macs to integrate as possible?

    Many thanks,

    Ed

#21 AntonioRocco (South Yorkshire, joined Oct 2008)

    Hi

    I mean building an environment that takes account of the platform rather than adding them to a mature/legacy environment that was only ever built to accommodate the Windows platform.

    In no particular order I would say it would mean:

    Correctly resolving DNS on both pointers
    Making sure there are no malformed SRV Records
    Not using .local for your TLD
Making sure the PDC resolves to itself on both pointers
    Not having a folder structure that nests folders within folders within folders etc
    Making sure time synchronization is the same for all principals in the Realm
    Removing 'ghost/dead' users and/or groups from Network Home Parent Container as these permissions will be honoured by the platform
    Star Topology rather than a Cascading One
    Gigabit to Desktop
    WAPs that are N rated

The list is not exhaustive by any means. Basically all the things your PCs don't really care about. If you build the environment 'properly' and along Microsoft's Best Practices you should not see too many problems.

    If all of the above seems like too much hard work you could consider using a 3rd-Party Solution such as Likewise or Centrify. Or modify the Schema yourself. Any of these methods would not necessarily involve OSX Server.

Perhaps you should re-post in the main forum? That way others who've been in a similar position to you will get a chance to offer some of the things they've tried that may or may not have worked.

    Antonio Rocco (ACSA)

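As an added example (not from the thread or from Antonio), a pre-flight script a Mac client can run before rebinding, covering the first four items in the list above: the .local TLD, host-name characters, forward and reverse DNS agreement for the DC, and the AD SRV records the AD plug-in and Kerberos depend on. It assumes `dig` is installed and that the DC's FQDN and the AD DNS domain are passed as arguments; the offline helper functions are the part that can be unit-tested.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight DNS checks a Mac client can run
# before (re)binding to AD. Assumes dig is installed; DC and DOMAIN come from argv.
# Usage: sh adcheck.sh dc1.example.edu example.edu   (then call check_dc "$1" "$2")

# 0 if the AD DNS domain does not end in .local (reserved by Bonjour on the Mac).
domain_tld_ok() {
    case "$1" in
        *.local|local) return 1 ;;
        *)             return 0 ;;
    esac
}

# 0 if a host name uses only letters, digits and dots (no hyphens or other characters).
hostname_chars_ok() {
    case "$1" in
        *[!A-Za-z0-9.]*) return 1 ;;
        *)               return 0 ;;
    esac
}

# 0 when the PTR name DNS returned for the DC's address matches the DC's FQDN
# (case and trailing dot ignored): "correctly resolving on both pointers".
ptr_matches() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    ptr=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$fqdn" ] && [ "$fqdn" = "$ptr" ]
}

# Live checks against the resolver the client actually uses. Prints findings;
# returns non-zero if any hard failure was seen.
check_dc() {
    dc="$1"; domain="$2"; rc=0
    domain_tld_ok "$domain" || echo "WARN: $domain ends in .local (Bonjour reserves it)"
    hostname_chars_ok "$dc" || echo "WARN: $dc contains characters other than letters/digits"
    ip=$(dig +short A "$dc" | head -n 1)
    if [ -z "$ip" ]; then echo "FAIL: no A record for $dc"; return 1; fi
    ptr=$(dig +short -x "$ip" | head -n 1)
    ptr_matches "$dc" "$ptr" || { echo "FAIL: PTR for $ip is '$ptr', expected $dc"; rc=1; }
    # SRV records used to locate the DC (LDAP) and the KDC/password service (Kerberos).
    for srv in _ldap._tcp.dc._msdcs _kerberos._tcp _kpasswd._tcp; do
        [ -n "$(dig +short SRV "$srv.$domain")" ] || { echo "FAIL: no SRV record $srv.$domain"; rc=1; }
    done
    return "$rc"
}
```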

#22 (Sheffield, joined Jun 2010)

Thanks for all those suggestions, if I ever get the time I might set up a fresh domain.

What does seem a little odd is that my 10.6 server doesn't seem to drop the connection to AD in the same way as the clients? Can't really see how this is any different?

    Thanks,

    Ed

#23 AntonioRocco (South Yorkshire, joined Oct 2008)

    Hi

I don't know why you would assume this because the Server should not be configured the same as the clients. Perhaps you've forgotten? What I do is bind the Server to AD first, verify I can access and 'read' User and Group information from Active Directory and then promote to Open Directory Master with Kerberos stopped. This is 'classic' AD-OD Integration or, if you like, Magic Triangle Deployment. Once the Server has been promoted to OD Master it places itself automatically and by default above the Active Directory/All Domains entry in the Directory Utility's Search Policy field.

    On the Server in a classic AD-OD Integration this is how it should be.

    Clearly on the client this does not happen. Clients are generally bound to AD first and then joined to OD with no requirement for any authentication or contact information when configuring the LDAP plug-in.

    Perhaps this is contributing to the problems you're seeing?

    Antonio Rocco (ACSA)


#24 Nick_Parker (Dainfern, South Africa, joined Jan 2008)

    Hi guys, I'm not sure if I should be replying in here or creating a new thread, it's regarding some issues we're having connecting 12 iMacs to our Active Directory domain.
    I've successfully bound them to the Domain, however, only 8 of the 12 are able to log on at any one time.
    The 8 that are able to connect are also random, so it's never the same 8.
    Any suggestions would be greatly appreciated!

    Thanks!

#25 Rozzer (South West, joined Aug 2005)

Those of you who may be interested: I have made a new article on AD integration for 10.7.

Active Directory integration 10.7 (linked thread)

