29th September 2009, 06:08 PM #1
Logging into macs with domain account
I am helping run a Windows Server 2003 domain network. On this network we have a number of Macs running OS X 10.5.6 and 10.5.2. We have an Xserve running OS X Server 10.5.2 for setting policies on these Macs, and they are linked to Active Directory for authentication. The system is set up in a triangular fashion, i.e. Open Directory on the Xserve links to Active Directory on the Windows domain, and the Mac clients link to both Active Directory on the Windows domain and Open Directory on the Xserve.
This system has recently been set up; previously the Macs were all used with local accounts.
Other than the below problem, there haven't really been many issues with the setup; it pretty much works as expected.
Since they have been added to the domain, all of the Macs have had to be switched on for around 20-30 seconds before they will log in with a domain account successfully. Logging in before this time will simply not work - the login window shakes to say the credentials are wrong. My assumption is that it is still loading the network processes in the background, even though the login screen has already appeared.
All IPs are received from DHCP - setting a static IP does not seem to resolve the issue. Updating the client OS has also not resolved it.
Is this a known issue on Macs?
Thanks for any advice.
29th September 2009, 07:27 PM #2
At the login box on the Mac you can click on the details (name, serial etc.) and it will spin round. One of them is the network status (or something like that); it has a traffic light next to it, which will be red (no network accounts available), yellow (some network accounts available) and then green (network accounts available).
Once it's gone green you can log on; it's just the way the Macs work, checking the network before allowing logon.
Thanks to Boon72 from:
_Bat_ (30th September 2009)
30th September 2009, 12:50 AM #3
Thanks, must have missed that. Will look at it tomorrow.
Originally Posted by Boon72
It's not a major issue, but it is confusing some people who are used to the Windows machines and gives them the impression that the Macs are temperamental, when it seems that it's actually by design.
1st October 2009, 09:31 AM #4
You mention an Xserve so I'm assuming you're using WGM (why the 10.5.2 version?!). You can set a policy for your directory machines to use: under login > window tab > heading can be set to 'directory status' to show the traffic lights by default.
1st October 2009, 09:56 AM #5
It's more a design flaw. The Unix network services start independently from the directory services. Ours have the same delay when using Open Directory and AD, although AD is usually ready before the OD preferences are applied.
Originally Posted by _Bat_
Same happens with Windows pre-Vista though, so it's not like Apple are the only ones.
1st October 2009, 07:42 PM #6
Interesting you should say this - this has brought another problem into the spotlight. Until now, I've only set policies on a per AD user group basis; I've not set policies per machine. Upon trying it, I've realised it doesn't work. Is there a step I'm missing out? I don't know if the fact that the user policies are set by putting an entire AD group into a Workgroup Manager group and with the machine policies I've simply imported each machine individually into the Workgroup Manager group will make a difference.
Originally Posted by nicklec
Thanks for all the help so far.
1st October 2009, 08:14 PM #7
To apply OD preferences reliably to OS X with the AD/OD combination you need to do this:
Assuming it's 10.5 (10.4 is more painful, needing different AD/OD names when binding)
Install/Clone OS X
Change the computer name in sharing section of preferences
Generate a new LocalKDC: /usr/libexec/configureLocalKDC
Add the OD directory - Bind the machine to OD (if you set it as required on OD then you have no choice anyway)
Join the machine to AD (add administrators group if needed, untick force local homes).
Alter the search priority to AD above OD.
On WGM create a new computer group
Each machine bound to OD will have 3 entries:
LocalKDC (the long number)
For the OD machine group add the machine name account, not the others.
Group level: just add the AD groups to a new OD group (with a different name to the AD group!)
User level is impossible without augmented records which are nasty or extending AD.
Group level is possible utilising the existing AD groups by adding them to OD
Machine/Machine group level is possible by using only OD specific groups, it's easier when binding.
Do note that OS X can have OD issues when in a different subnet to the server if it is not bound.
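Added example (not part of the thread): a shell check for the "search priority AD above OD" step in the procedure above, so a misordered authentication search path is caught after binding. It assumes the multi-line output layout of `dscl /Search -read / CSPSearchPath`; the function names and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Verify that the Active Directory node comes before the Open Directory
# (LDAPv3) node in the authentication search path.
# Assumed input layout: a "CSPSearchPath:" key line, then one node per line.

# Print the 1-based position of the first node starting with prefix $1,
# or 0 if no node matches. Reads the search path text on stdin.
node_position() {
    awk -v prefix="$1" '
        /^CSPSearchPath:/ { sub(/^CSPSearchPath:[ \t]*/, "") }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" { next }
        { n++; if (!found && index($0, prefix) == 1) found = n }
        END { print found + 0 }
    '
}

# Return 0 if AD is listed before OD, 1 if the order is wrong,
# 2 if either node is missing from the search path.
check_search_order() {
    ad=$(printf '%s\n' "$1" | node_position "/Active Directory/")
    od=$(printf '%s\n' "$1" | node_position "/LDAPv3/")
    if [ "$ad" -eq 0 ] || [ "$od" -eq 0 ]; then
        return 2
    fi
    [ "$ad" -lt "$od" ]
}

# Constructed sample: AD above OD, as the procedure asks for.
GOOD_PATH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains
 /LDAPv3/xserve.example.com'

# Constructed sample: OD above AD (wrong order).
BAD_PATH='CSPSearchPath:
 /Local/Default
 /LDAPv3/xserve.example.com
 /Active Directory/All Domains'

# Constructed sample: machine bound to OD only.
MISSING_PATH='CSPSearchPath:
 /Local/Default
 /LDAPv3/xserve.example.com'

if check_search_order "$GOOD_PATH"; then echo "good sample: AD before OD"; fi
```

On a bound client the live value can be passed in as `check_search_order "$(dscl /Search -read / CSPSearchPath)"`.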