Mac thread: AD-OD binding issues (forum: Technical)
#1
    AD-OD binding issues

    My questions in order of confusion:

    1) At the time of joining OD into AD, do I need to hit the Join Kerberos button before turning the server into an OD Master?
    2) On the OD Master, does the LDAP entry have to be before the AD in order (in search policy - authentication) ?
    On the Mac client, does it have to be the other way around? Search Policy order - AD first & OD second?
    3) The "Enable authentication to directory binding" option in Open Directory - Server Admin - does this have to be enabled or does it matter?
    4) I was looking at WGM, after a test client was bound to AD first and OD second - my confusion is, once the client is bound to an OD, wouldn't that computer record show up in the list of "Computers" in WGM (not the AD records)?

    Really would love to hear some answers to these! Thanks.

#2 saundersmatt
    1) I promote the server to an OD master then join it to AD.
    2) AD before OD in search order.
    3) No idea.
    4) It should show in both AD and the "All Computers" WGM list, then add it to a custom group to apply preferences.

    Matt

#3
    Quote Originally Posted by saundersmatt View Post
    1)

    2) AD before OD in search order.

    4) It should show in both AD and the "All Computers" WGM list, then add it to a custom group to apply preferences.

    Matt

    Thanks for the reply matt

    2) This search order would be on the OD server or clients or both?

    3) Yes, it does show the test client (bound first to AD & then OD) in WGM, but this is under the list of AD objects; it would not show up under the list of OD Computers, i.e., if you change the WGM directory browsing to /LDAPv3/myodserver.com (I can see the OD master listed in there though).

#4 AntonioRocco
    Hi

    It all depends on what you want. If you want a 'classic' AD-OD Integration and you're not interested in Augmented Records then:

    (a) make sure the relevant DNS Entries have been made for OSX Server

    (b) Bind OSX Server to the DC using the relevant plug-in Module in Directory Utility
    What you should see after doing this is AD Users and Groups 'flow' into the /Active Directory/All Domains node in Workgroup Manager. At this point OSX Server is simply behaving as a Domain Member. The Open Directory Service will report it as being 'Connected to a Directory System'. /Active Directory/All Domains will be listed first in the Search Policy in Directory Utility.

    (c) Promote OSX Server to OD Master. This should not take too long. If it does review the DNS Service as well as looking at the slapconfig.log in Console. Everything gets logged in OSX Server.

    (d) If Promotion has been successful you should see in the Open Directory Service's Overview Pane that everything except Kerberos is Running. Kerberos should be stopped. Since 10.5.4 you don't get the 'Join Kerberos' button anymore. Any Services that can be 'kerberized' will already have service principal records created for them. You can test this by starting a service and issuing:

    sudo kadmin.local -q list_principals

    from the command line. If you launch Directory Utility and inspect the Search Policy you should now see the Server has promoted itself above the /Active Directory/All Domains listing. Inspect the LDAPv3 Plug-in and you should see the server has added an entry for itself using the loopback address 127.0.0.1.

    This is all normal. The only time this would change would be if you're interested in providing Augmented Records for OSX Server Services for Active Directory Users and Groups. For example: iCal, iChat, Wiki & Blog etc. In that environment you would make the Server an OD Master first and then bind to AD.

    Client side and if you're not using Augmented Records you always bind to AD first followed by a join to LDAPv3.

    Given the above, and to answer your questions specifically:

    (Q) At the time of joining OD into AD, do I need to hit the Join Kerberos button before turning the server into an OD Master?

    (A) See above

    (Q) On the OD Master, does the LDAP entry have to be before the AD in order (in search policy - authentication). On the Mac client, does it have to be the other way around? Search Policy order - AD first & OD second?

    (A) See above

    (Q) The "Enable authentication to directory binding" option in Open Directory - Server Admin - does this have to be enabled or does it matter?

    (A) Not required. Don't forget User authentication is coming from Active Directory. AD would not know or even necessarily care about Open Directory. Besides Kerberos is with the AD and not OD. NB: This can be altered if you wish but only if you're prepared to alter the AD Schema fairly extensively.

    (Q) I was looking at WGM, after a test client was bound to AD first and OD second - my confusion is, once the client is bound to an OD, wouldn't that computer record show up in the list of "Computers" in WGM (not the AD records)?

    (A) A mac client computer will only show in WGM once it has been bound to OD (regardless of whether it is bound to AD or not) if you add it to a computer list using the diaeresis button (3 dots) in the relevant area in Workgroup Manager.

    Depending on how you have your OUs, DHCP and DNS Services configured you may well see an 'entry' for it appear in Active Directory. However I doubt there would be much you could do with it once there unless you had something like Centrify installed on your DC. Centrify allows AD-style GPOs and management preferences to be 'passed on' to mac clients without the need for OSX Server.

    Does this help?

    Antonio Rocco (ACSA)

Thanks to AntonioRocco from: jasonthat (3rd July 2009)
#5
    Thanks Antonio for the excellent reply!! Please read my replies inline in blue.

    It all depends on what you want. If you want a 'classic' AD-OD Integration and you're not interested in Augmented Records then:

    Yes, a classic AD-OD integration is all I am looking for at the moment; I don't want to try out anything crazy with macs, mostly because I am still new to macs, and although I have read a few things about Augmented Records, the topic is still not fully understood by me. However, from a user point of view, what kind of OS X related services are available to AD users? I.e., for an AD user logged into a mac, what things DO/DO NOT work if augmented records WERE/WERE NOT set up respectively, say if they were using iChat?

    (a) make sure relevant DNS Entries have been made OSX Server

    Perfectly working, with all DNS forward & reverse records set up, entry in DHCP, etc.

    (b) Bind OSX Server to the DC using the relevant plug-in Module in Directory Utility
    What you should see after doing this is AD Users and Groups 'flow' into the /Active Directory/All Domains node in Workgroup Manager. At this point OSX Server is simply behaving as a Domain Member. The Open Directory Service will report it as being 'Connected to a Directory System'. /Active Directory/All Domains will be listed first in the Search Policy in Directory Utility.


    Happy to say that this is exactly the method I followed and saw the AD listed first.

    (c) Promote OSX Server to OD Master. This should not take too long. If it does review the DNS Service as well as looking at the slapconfig.log in Console. Everything gets logged in OSX Server.

    Good tip. Might help in future also.

    (d) If Promotion has been successful you should see in the Open Directory Service's Overview Pane that everything except Kerberos is Running. Kerberos should be stopped. Since 10.5.4 you don't get the 'Join Kerberos' button anymore. Any Services that can be 'kerberized' will already have service principals records created for them. You can test this by starting a service and issuing:

    Now I have to ask (one of my doubts): are you absolutely sure that since 10.5.4 the "Join Kerberos" button does not show anymore? Because I could swear on my life that this shows up for me - the server is running 10.5.7 Leopard. I would have shown you a screenshot of this but I am away from the network right now. While testing over & over again (demoting, removing from domain, etc.; must have tried 5 or 6 times) I kept seeing that button but never clicked on it. I just went ahead and promoted the server to Master after joining to AD, after which, in the Overview of OD settings, I see everything except Kerberos started, with the proper LDAP search base below (no Kerberos realm here; guess it does not show in Leopard).

    sudo kadmin.local -q list_principals
    from the command line. If you launch Directory Utility and inspect the Search Policy you should now see the Server has promoted itself above the /Active Directory/All Domains listing. Inspect the LDAPv3 Plug-in and you should see the server has added an entry for itself using the loopback address 127.0.0.1.
    This is all normal. The only time this would change would be if you're interested in providing Augmented Records for OSX Server Services for Active Directory Users and Groups. For example: iCal, iChat, Wiki & Blog etc. In that environment you would make the Server an OD Master first and then bind to AD.


    This definitely makes sense... the fact is that I have been getting confused a lot from reading people's posts on many forums about promotion to OD Master first or binding first.

    Client side and if you're not using Augmented Records you always bind to AD first followed by a join to LDAPv3.

    Clear!

    Give the above and to answer your questions specifically:
    (Q) I was looking at WGM, after a test client was bound to AD first and OD second - my confusion is, once the client is bind to an OD, wouldnt that computer record show up in the list of "Computers" in WGM (not the AD records)
    (A) A mac client computer will only show in WGM once it has been bound to OD (regardless of whether it is bound to AD or not) if you add it to a computer list using the diaresis button (3 dots) in the relevant area in Workgroup Manager.


    Sorry, but your bracketed line broke up the sentence. Do you mean that even after binding a client to OD, I would still not see it in WGM, and further I have to "manually" add the computer to a computer list by going into the "New Computer" option? Would there be no way of making the mac client show up automatically?

    Depending on how you have your OUs, DHCP and DNS Services configured you may well see an 'entry' for it appear in Active Directory. However I doubt there would be much you could with it once there unless you had something like Centrify installed on your DC. Centrify allows AD-style GPOs and management preferences to be 'passed on' to mac clients without the need for OSX Server.

    Yes, I have come across this topic (I see the bound clients in the default Computers OU), which is why I have been looking into those options - Centrify & Likewise.
    But thanks again for the wonderful lesson, Antonio. Definitely helps a lot.

#6
    Quote Originally Posted by AntonioRocco View Post

    This is all normal. The only time this would change would be if you're interested in providing Augmented Records for OSX Server Services for Active Directory Users and Groups. For example: iCal, iChat, Wiki & Blog etc. In that environment you would make the Server an OD Master first and then bind to AD.

    Client side and if you're not using Augmented Records you always bind to AD first followed by a join to LDAPv3.

    Hi Antonio

    I tried the integration according to the methods above but now on the mac clients, after binding to AD & OD, the OD node in the "Directory Servers" tab gives status as "This server is responding normally. This server is not your authentication search policy." The AD is responding normally.

    FYI, all the macs are imaged clients using netstore. Not sure if imaging is a factor to be considered in any sort of binding issues. AD login is working fine.

#7 AntonioRocco
    Hi Jason

    One thing you must do when joining mac clients to the LDAPv3 node (after binding to AD first) is to uncheck the 'Use for Authentication' option. Clearly you have to do this because the OD Master is not the KDC, and besides you will have already had this option pre-selected as part of the AD binding process. 'Use for Contacts' can be left checked or unchecked, although if you're not using the OD Master for anything other than to provide MCX then you may as well leave this unchecked as well.

    One thing you will notice (which is something I've always seen when doing AD-OD Integration) is the LDAPv3 node does not automatically add itself to the Search Policies. You have to manually add this yourself by selecting the '+' icon.

    The appearance or non-appearance of the 'Join Kerberos' button is a tricky one to answer. I sometimes think it's due to the slightly 'schizophrenic' nature of Server Admin as an application. Something you will learn soon enough once you've been using it for a while. The tip with both applications (although Workgroup Manager is not as bad) is to quit the applications whenever you're not using them. Using them remotely is actually better.

    Prior to 10.5.4 I'm fairly certain I used to see the option - but not always? Perhaps the option 'appears' if you started out with a version of the server prior to the 10.5.4 release? Subsequent updates may not have necessarily affected the button being there (or not) as an option? All I'm saying is when I've started out with 10.5.4 and after I've run the updates, I don't always see the button. I can't remember every single detail of every AD-OD Integration I've ever done, but I think I don't see the button if I've configured required services first and then promoted to OD Master? Although this is not definitive in any way.

    Besides even if it is there it does not mean it's a reliable method for 'kerberizing' OSX Server based services in an AD environment. Due probably to Server Admin behaving the way it does as already mentioned. As ever it may be better to do this sort of thing from the command line instead? Launching Terminal and issuing:

    sudo sso_util configure -r REALM -a admin_name -p password all

    Should do it? The 'all' switch 'kerberizes' all active services capable of supporting Kerberos. You could consult the manual pages for the above command line utility from here:

    Mac OS X Manual Page For sso_util(8)

    Or you could simply issue:

    man sso_util

    in Terminal itself.

    To answer your question about making mac clients show up automatically; I don't offhand know of a way? Not if you've configured your Server using the Advanced Mode at any rate. I have never used the other two Server Configuration Modes: Standard and/or Workgroup. I doubt if Standard would be applicable in your environment as it assumes OSX Server is the only server on the network. Standard Configuration Mode would provide everything exclusively for mac clients alone. Workgroup is a Mode designed by Apple for environments such as yours. Perhaps this could provide a way of auto-discovering and displaying mac clients as you would like them to be? However you must realize OSX Server in an environment where Windows Servers are the primary servers is only there for augmenting what is already being provided by those servers. Whatever expectations you may have based on how Windows Client OS behaves in such an environment would not necessarily be the same for the Apple Client OS.

    In a purely Open Directory environment then you could achieve a level of discovery you may be looking for? This could mean completely ditching everything to do with your Windows environment. Is this something you see happening anytime soon?

    Mike Bombich outlines in detail how to use Augmented Records in an environment such as yours:

    http://www.bombich.com/mactips/activedir.html

    In my view it's still the best one around? Apart from other things Mark (HodgeHi) has used it with some success in his environment. Perhaps you should try and get some feedback from him?

    NB: You can move from Standard to Workgroup and back again as many times as you like. You can also move from Standard to Advanced and/or Workgroup to Advanced. Once you're at Advanced you can't go back to Standard and/or Workgroup. You basically have to start from scratch (format and reinstall) again.

    Antonio Rocco (ACSA)
    Last edited by AntonioRocco; 5th July 2009 at 11:38 PM.
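The audit script below is an added example and is not code from the thread, from Apple or from any of the posters. It encodes the end state that post #4 describes for the server (after promotion, the LDAPv3 loopback node sits above /Active Directory/All Domains in the search policy, and `sudo kadmin.local -q list_principals` already shows service principals for the kerberizable services) and that post #7 prescribes for the client (AD first in the authentication search policy, the OD node added by hand with the '+' button but not used for authentication, which means the policy has to be Custom). The functions take command output as a string so the checks run offline; the realm MYODSERVER.COM, the node name /LDAPv3/myodserver.com, the hostnames and every sample output embedded below are constructed placeholders, to be replaced on a live box with the real output of the `dscl` and `kadmin.local` commands named in the comments.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the AD-OD end state described in
# posts #4 and #7. REALM, OD_NODE and all sample outputs below are constructed
# placeholders; on a real box substitute the live command output.

REALM=MYODSERVER.COM                 # assumed: the OD Master's Kerberos realm
OD_NODE=/LDAPv3/myodserver.com       # assumed: the LDAPv3 node as bound on a client

# Node names from text shaped like `dscl /Search -read / CSPSearchPath`
# (or `dscl /Contact -read / CSPSearchPath` for the contacts path).
nodes() { printf '%s\n' "$1" | sed -n 's/^ *\(\/.*\)$/\1/p'; }

# First node that is neither the local node nor the BSD flat-file node.
first_remote() { nodes "$1" | grep -v -e '^/Local/' -e '^/BSD/' | head -n 1; }

# Post #4, step (d): after promotion the server lists itself via 127.0.0.1
# above /Active Directory/All Domains. rc 1: loopback not first; rc 2: no AD.
server_search_ok() {
    [ "$(first_remote "$1")" = "/LDAPv3/127.0.0.1" ] || return 1
    nodes "$1" | grep -q '^/Active Directory/' || return 2
    return 0
}

# Post #4: services that already have a service principal, taken from
# `sudo kadmin.local -q list_principals` output, minus the KDC's own entries.
kerberized_services() {
    printf '%s\n' "$1" | grep "/.*@$2\$" \
        | grep -v -e '^K/M@' -e '^kadmin/' -e '^krbtgt/' \
        | cut -d/ -f1 | sort -u
}

# Post #7: a manually added node only sticks in a Custom search policy.
# Input shaped like `dscl /Search -read / SearchPolicy`.
policy_is_custom() {
    printf '%s\n' "$1" | grep -q 'SearchPolicy: dsAttrTypeStandard:CSPSearchPath$'
}

# Post #7: AD first in the authentication path; the OD node not used for
# authentication (it is not the KDC) but added to a policy by hand.
# $1 = authentication path, $2 = contacts path, $3 = OD node name.
client_search_ok() {
    [ "$(first_remote "$1")" = "/Active Directory/All Domains" ] || return 1
    nodes "$1" | grep -qxF "$3" && return 2
    { nodes "$1"; nodes "$2"; } | grep -qxF "$3" || return 3
    return 0
}

# --- constructed sample outputs (shape of Leopard's dscl/kadmin output) ---
SERVER_BEFORE='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains'
SERVER_AFTER='CSPSearchPath:
 /Local/Default
 /BSD/local
 /LDAPv3/127.0.0.1
 /Active Directory/All Domains'
PRINCIPALS='Authenticating as principal root/admin@MYODSERVER.COM with password.
K/M@MYODSERVER.COM
afpserver/myodserver.com@MYODSERVER.COM
cifs/myodserver.com@MYODSERVER.COM
host/myodserver.com@MYODSERVER.COM
kadmin/admin@MYODSERVER.COM
krbtgt/MYODSERVER.COM@MYODSERVER.COM'
CLIENT_AUTH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains'
CLIENT_CONTACT="$CLIENT_AUTH
 $OD_NODE"

report() {
    if server_search_ok "$SERVER_AFTER"; then
        echo "server: search policy OK"
    else
        echo "server: LDAPv3 loopback node is not above AD"
    fi
    echo "server: kerberized services: $(kerberized_services "$PRINCIPALS" "$REALM" | tr '\n' ' ')"
    client_search_ok "$CLIENT_AUTH" "$CLIENT_CONTACT" "$OD_NODE"
    case $? in
        0) echo "client: search policy OK" ;;
        1) echo "client: AD is not the first remote node in the authentication path" ;;
        2) echo "client: $OD_NODE is used for authentication; uncheck Use for Authentication" ;;
        3) echo "client: $OD_NODE was not added to any search policy; add it with +" ;;
    esac
}
report
```

On a live machine, replace the sample variables with `$(dscl /Search -read / CSPSearchPath)`, `$(dscl /Contact -read / CSPSearchPath)`, `$(dscl /Search -read / SearchPolicy)` and `$(sudo kadmin.local -q list_principals)`. The return code of client_search_ok tells you which of the three conditions from post #7 is the one that is missing, which is more useful than the "not in your authentication search policy" status line Directory Utility shows.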
