#1
    Logging into macs with domain account

    Hi All,

    I am helping run a Windows Server 2003 domain network. On this network we have a number of Macs running OS X 10.5.6 and 10.5.2. We have an Xserve running OS X Server 10.5.2 for setting policies on these Macs, and they are linked to Active Directory for authentication. The system is set up in a triangular fashion, i.e. Open Directory on the Xserve links to Active Directory on the Windows domain, and the Mac clients link to both Active Directory on the Windows domain and Open Directory on the Xserve.

    This system has recently been set up; previously the Macs were all used with local accounts.

    Other than the problem below, there haven't really been many issues with the setup; it pretty much works as expected.

    Since they have been added to the domain, all of the Macs have had to be switched on for around 20-30 seconds before they will log in with a domain account successfully. Logging in before this time will simply not work: the login window shakes to say the credentials are wrong. My assumption is that it is still loading the network processes in the background, even though the login screen has already appeared.

    All IPs are received from DHCP; setting a static IP does not seem to resolve the issue. Updating the client OS has also not resolved it.

    Is this a known issue on Macs?

    Thanks for any advice.

    James

#2
    At the login box on the Mac you can click on the details (name, serial etc.) and it will spin round; one of them is the network status (or something like that). It has a traffic light next to it, and it will be red (no network accounts available), yellow (some network accounts available) and then green (network accounts available).

    Once it's gone green you can log on; it's just the way Macs work, checking the network before allowing logon.

Thanks to Boon72 from: _Bat_ (29th September 2009)

#3
    Quote Originally Posted by Boon72:
    At the login box on the Mac you can click on the details (name, serial etc.) and it will spin round; one of them is the network status (or something like that). It has a traffic light next to it, and it will be red (no network accounts available), yellow (some network accounts available) and then green (network accounts available).

    Once it's gone green you can log on; it's just the way Macs work, checking the network before allowing logon.
    Thanks, must have missed that. Will look at it tomorrow.

    It's not a major issue, but it is confusing some people who are used to the Windows machines and gives them the impression that the Macs are temperamental, when it seems that it's actually by design.

#4
    You mention an Xserve, so I'm assuming you're using WGM (why the 10.5.2 version?!). You can set a policy for your directory machines to use: under Login > Window tab, Heading can be set to 'Directory Status' to show the traffic lights by default.

Thanks to nicklec from: _Bat_ (1st October 2009)

#5 DMcCoy
    Quote Originally Posted by _Bat_:
    Thanks, must have missed that. Will look at it tomorrow.

    It's not a major issue, but it is confusing some people who are used to the Windows machines and gives them the impression that the Macs are temperamental, when it seems that it's actually by design.
    It's more a design flaw. The Unix network services start independently from the directory services. Ours have the same delay when using Open Directory and AD, although AD is usually ready before the OD preferences are applied.

    The same happens with Windows pre-Vista though, so it's not like Apple are the only ones.

Thanks to DMcCoy from: _Bat_ (1st October 2009)

#6
    Quote Originally Posted by nicklec:
    You mention an Xserve, so I'm assuming you're using WGM (why the 10.5.2 version?!). You can set a policy for your directory machines to use: under Login > Window tab, Heading can be set to 'Directory Status' to show the traffic lights by default.
    Interesting you should say this; it has brought another problem into the spotlight. Until now I've only set policies on a per-AD-user-group basis, not per machine. Upon trying it, I've realised it doesn't work. Is there a step I'm missing? I don't know if it makes a difference that the user policies are set by putting an entire AD group into a Workgroup Manager group, whereas for the machine policies I've simply imported each machine individually into the Workgroup Manager group.

    Thanks for all the help so far.

#7 DMcCoy
    To apply OD preferences reliably to OS X with the AD/OD combination you need to do this:

    Assuming it's 10.5 (10.4 is more painful, needing different AD/OD names when binding):

    Install/clone OS X.
    Change the computer name in the Sharing section of Preferences.
    Generate a new LocalKDC: /usr/libexec/configureLocalKDC
    Reboot.
    Add the OD directory and bind the machine to OD (if you set it as required on OD then you have no choice anyway).
    Join the machine to AD (add the administrators group if needed, untick force local homes).
    Alter the search priority so AD is above OD.

    On WGM create a new computer group
    Each machine bound to OD will have 3 entries:

    Machine Name
    fqdn
    LocalKDC (the long number)

    For the OD machine group add the machine name account, not the others.

    Group level: just add the AD groups to a new OD group (with a different name to the AD group!).

    User level is impossible without augmented records, which are nasty, or extending AD.
    Group level is possible utilising the existing AD groups by adding them to OD.
    Machine/machine group level is possible by using only OD-specific groups; it's easier when binding.

    Do note that OS X can have OD issues when in a different subnet to the server if it is not bound.

Thanks to DMcCoy from: _Bat_ (5th October 2009)
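As an added example (not code from the thread), a small shell check for the "AD above OD" search-order step in DMcCoy's procedure: it parses the node list that `dscl /Search -read / CSPSearchPath` prints on a 10.5 client and reports whether the Active Directory node is searched before the LDAPv3 (Open Directory) node. The two sample outputs are constructed, and the domain and server names in them are placeholders.

```shell
#!/bin/sh
# Added example: verify the directory search order an AD/OD-bound Mac
# uses, so a wrong order is caught before users blame the Macs.
# The sample node lists below are constructed; names are placeholders.

# search_order_ok NODELIST
# Exit 0 if the first Active Directory node precedes the first LDAPv3
# (Open Directory) node, 1 if OD comes first, 2 if either is missing.
search_order_ok() {
    printf '%s\n' "$1" | awk '
        /^ *\/Active Directory\// && !ad { ad = NR }
        /^ *\/LDAPv3\// && !od { od = NR }
        END {
            if (!ad || !od) exit 2
            if (ad < od) exit 0
            exit 1
        }'
}

# Read the live list on a client (assumed to work on 10.5; not run here).
read_search_path() {
    dscl /Search -read / CSPSearchPath 2>/dev/null
}

# Human-readable verdict; tolerates "set -e" by capturing the status.
check() {
    rc=0
    search_order_ok "$1" || rc=$?
    case $rc in
        0) echo "OK: AD is searched before OD" ;;
        1) echo "WARN: OD is searched before AD; move AD above OD" ;;
        *) echo "WARN: AD or OD node is missing from the search path" ;;
    esac
}

# Constructed sample: the order the thread recommends.
GOOD='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/EXAMPLE/All Domains
 /LDAPv3/odserver.example.local'

# Constructed sample: OD listed ahead of AD.
BAD='CSPSearchPath:
 /Local/Default
 /BSD/local
 /LDAPv3/odserver.example.local
 /Active Directory/EXAMPLE/All Domains'

check "$GOOD"
check "$BAD"
```

On a real client replace the constructed samples with `check "$(read_search_path)"`.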
