#1

    OD integrated with AD with full Kerberos Support

    Hello all,

    We have just taken delivery of some iMacs and a MacBook mobile trolley. We plan to use the laptops and iMacs for both Windows and OS X, and that in turn means we need to be able to maintain the security of the OS X side of things. We currently have a small Mac mini running the server side, as it should do for what we need at the moment (until the new financial year anyhow).

    The problem I am having is integrating the OS X Server into the AD domain with full Kerberos support.

    I have set up the DNS on the AD and have set up the pointer for the OD server, which is recursively resolving.

    I have joined the OD server to the AD using Directory Access and have then proceeded to join the Kerberos realm, which was successful (I think, as I didn't get any errors). I then made the OD a Directory Master and then moved Active Directory above LDAP in the Authentication tab of Directory Access.

    I can access the Active Directory through WGM and see the users and groups. I can also connect to the OD and create groups to add the AD users to in order to manage them.

    But the management does not take hold. This is true for both users and computers.

    Upon joining an OS X Tiger client to the AD and OD to manage both user and computer, the login window says only some accounts are available. I think this is the problem but do not know how to solve it, as I don't know where the problem lies. I think it is something to do with the AD/OD configuration in Directory Access, but I don't know where.

    But using the AFP whitepaper to set things up, I get a problem when logging into the Windows box and trying to access a home share on the OD server. It asks for a password, but should not since Kerberos is working. So I have a problem on both OSes at the moment. Any help resolving these two issues would be fantastic.

    For more information on my setup, please see this post with some more questions on AFP548:

    AFP548

    PS sorry for the long post.

    Cheers

#2

    Re: OD integrated with AD with full Kerberos Support

    I've just finished doing this at our place and didn't have any of those kinds of issues- but it seems to me that there is definitely a problem somewhere in DNS or OD (or both). Reading your post I am assuming that you have put a reverse lookup (PTR) record in your DNS for your OD server and that you also (by inference) have an A record (Host record) in your forward lookup zone too?

    If you do, at the Mac server open Terminal and type:

    host <IP address of Windows AD server>

    You should get a response that sends back the hostname of the server.

    Then type:

    dig <hostname of Windows server>

    And you should (obviously) get back a valid response.

    All that being equal, here are a few caveats to operating inside both an OD and AD domain using OS X Server:

    1. You really need to install OS X Server vanilla- don't install any services at the start. Just get it installed and patched first.
    2. After step 1, install OS X Server as an OD Master. Make sure in the LDAPv3 component of Directory Access Tool that you are in the list of servers and that this is the same for the authentication and contacts search lists.
    3. When OD is working properly, use the Directory Access Tool to bind your server to your AD. Generally you only need to put your domain name in the required field and your OS X Server name in the second field. Don't do much else with the extra options at this stage. Check those authentication and contact lists again- make sure Active Directory is first in the search path for both. If it isn't in the list, add it manually.
    4. Once completed your OS X Server is a member of AD and an OD Master- which essentially means you get directory information from AD and then can manage Apple systems through OD. It can do more- but at a basic level that's what it sounds like you need for now.

    If you have done all that, in Server Admin you should notice under Open Directory that Kerberos is running. If it doesn't say it is, check:

    HD > System > Core Services

    and look for a tool called (funnily enough) "Kerberos". Once opened, use the "Tickets > Get Tickets" command from the menu and see if you have been granted a TGT from the KDC.

    You only need to "kerberise services" if there are specific things you want to add to the normal kerberos TGT chain- things like SSH and FTP etc are examples of this.

    Open WorkGroup Manager and see if you can get it to list all of your AD users. If it doesn't then make sure you are actually looking at the Active Directory directory list rather than localhost- just change it if you are by clicking the disclosure triangle. Make sure ALL your users are coming through there. If they are, most of the battle is over.

    Change to localhost/local directory view in WorkGroup Manager and make a local OD group ("Test" or something) and load some users into that group from your AD list. Five or so would do for a test. Then click the Preferences icon and set a dock preference that puts the dock on the left hand side of your Mac screen and shrink it some. Just so you can test authentication and preferences.

    On a client make sure you bind to AD FIRST. Then log out and in as a student in your test group. If that works fine, log out and back in as a local admin and now use the same Directory Access Tool to bind to your OD for management by clicking the "Configure" button on the LDAPv3 section of the tool. Put in there the IP address of your OD Master and click continue until it tells you it has found the OD Master. Check your authentication and contacts lists again. AD must be first in the list.

    Log out and back in as a student. Are the preferences taking effect?

    Lots of things to go through right now and you have probably been through a lot of them. Sorry if that's the case. For now see if any of this helps and if not post back and I will walk you through some other things you can do to see if we can get this to work for you.
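The `host` and `dig` checks above are the manual version of the test that matters for Kerberos: the A record and the PTR record for the OD server must agree exactly, because Kerberos clients build the service principal (for example afpserver/odmaster.example.lan@REALM) from the canonical name they resolve for the host, so a stale PTR yields a principal the KDC has never heard of and a password prompt instead of a ticket. The script below is an added example written for this thread, not code from the original post; the host names, addresses and fake zone in it are made up so it runs offline, and the two `live_*` functions use the system resolver when you point it at a real server.

```python
"""Forward/reverse DNS consistency check before binding an OD master to AD.

Added example for the thread above, not code from the original post.
Host names, IPs and the fake zone below are constructed for the demo.
"""
import socket
from typing import Callable, Dict, List, Optional

ResolveA = Callable[[str], Optional[str]]     # name -> IPv4 string or None
ResolvePtr = Callable[[str], Optional[str]]   # IPv4 string -> name or None


def check_dns_consistency(fqdn: str, ip: str,
                          resolve_a: ResolveA, resolve_ptr: ResolvePtr) -> List[str]:
    """Return a list of problems; an empty list means forward and reverse agree."""
    problems: List[str] = []
    fqdn = fqdn.rstrip(".").lower()
    if "." not in fqdn:
        problems.append(f"{fqdn!r} is not fully qualified; Kerberos needs the FQDN")
    got_ip = resolve_a(fqdn)
    if got_ip is None:
        problems.append(f"no A record for {fqdn}")
    elif got_ip != ip:
        problems.append(f"A record for {fqdn} is {got_ip}, expected {ip}")
    got_name = resolve_ptr(ip)
    if got_name is None:
        problems.append(f"no PTR record for {ip}")
    elif got_name.rstrip(".").lower() != fqdn:
        problems.append(f"PTR for {ip} is {got_name}, expected {fqdn}")
    return problems


def live_resolve_a(name: str) -> Optional[str]:
    """Real forward lookup through the system resolver (what the Mac itself uses)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_resolve_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed zone standing in for the AD DNS server so the demo runs offline.
FAKE_A: Dict[str, str] = {
    "odmaster.example.lan": "10.0.0.20",
    "dc1.example.lan": "10.0.0.10",
}
FAKE_PTR: Dict[str, str] = {
    "10.0.0.10": "dc1.example.lan",
    "10.0.0.20": "odmaster.example.lan",
}
# Same zone with a stale PTR left over from the Mac mini's previous name.
FAKE_PTR_STALE = dict(FAKE_PTR, **{"10.0.0.20": "macmini.example.lan"})


def demo() -> Dict[str, List[str]]:
    """Run the check against a correct zone, a stale-PTR zone and a short hostname."""
    return {
        "good": check_dns_consistency("odmaster.example.lan", "10.0.0.20",
                                      FAKE_A.get, FAKE_PTR.get),
        "stale_ptr": check_dns_consistency("odmaster.example.lan", "10.0.0.20",
                                           FAKE_A.get, FAKE_PTR_STALE.get),
        "short_name": check_dns_consistency("odmaster", "10.0.0.20",
                                            FAKE_A.get, FAKE_PTR.get),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "OK" if not problems else problems)
    # Against a real network:
    # print(check_dns_consistency("odmaster.example.lan", "10.0.0.20",
    #                             live_resolve_a, live_resolve_ptr))
```

Run it against the real server names by swapping in `live_resolve_a` and `live_resolve_ptr`; do the same for the AD domain controller, since the client resolves both sides before it can get a ticket.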

#3 (Ric_)

    Re: OD integrated with AD with full Kerberos Support

    Did you perform ALL the checks on AD in the Apple whitepaper? IIRC I had to tweak some settings to get all the checks to pass... I was extra careful at this point because I had heard stories of things going wrong if DNS was slightly borked.

#4

    Re: OD integrated with AD with full Kerberos Support

    All of the preliminary tests of the DNS seem to come back positive. I checked the host command on both the FQDN and the IP, and it resolved correctly both times. I checked the hostname using scutil --get HostName and it came back fine. PTR and host records are in the AD DNS.

    I proceeded to promote the OS X server to OD Master and then bind the server to the AD, in that order, as per the leveraging doc, checking the authentication order as I went.

    During the bind process I use these settings: FQDN of the AD server, computer ID of the OD server, allow administration by AD admins, no preferred servers, allow authentication from any forest.

    This process completes OK. (I have noticed, however, that when unbinding and then re-binding I HAVE to restart the AD server, since the re-bind will ALWAYS crash Directory Access and will not bind until it has been restarted.)

    The bindings to both AD and OD are now working, since I can go to WGM and create managed groups on the OD side and then use AD groups inside these managed groups to manage preferences.

    When configuring the client the procedure is the same, except I bind to AD first. I did not check each bind beforehand, however.
    I proceeded to restart the client, and then upon seeing the login screen scanned through the information in the menu and found that only "some network accounts are available".

    Once logged in with an AD user I checked the Kerberos app and had indeed been granted a Kerberos ticket for the AD domain.

    But the managed preferences were not applied.

    Could it be the AD groups inside the OD groups? I don't imagine it could be, since it is supposed to support nested groups.

    Kerberos has been stopped on the OD as per the leveraging doc, using sso_util. This is now where I am stuck, as it were. I just need the preferences to apply, then I can move on to the next part of moving the home directories to the network share and checking the Kerberos services.

    Thanks for your help, by the way. Most appreciated.

    PS: Which Apple whitepaper? Is this the one from their server documentation on Open Directory services?

#5 (Ric_)

    Re: OD integrated with AD with full Kerberos Support

    When I said whitepaper I meant the leveraging doc.

    I assume that you added the machines/users into workgroup manager and everything too?

#6

    Re: OD integrated with AD with full Kerberos Support

    Hi.

    Yeah- nested groups are *supposed* to work, but I have heard bad things about them. I guess it's a "proof of concept"; I have never tried them, so can't be sure. What you can do to test the theory is just take out your nested group structure and instead use a dozen or so accounts from AD in an OD group. Change some preferences for said group and then log in and see if they apply.

    I would be a little worried about the binding process crashing your AD server and the need to reboot it when you unbind. It should be as seamless as joining and unjoining a domain from an XP machine.

    HTH

    Paul

#7

    Re: OD integrated with AD with full Kerberos Support

    Can I ask why you stopped kerberos on the OD server? I didn't do this at all and it works fine. When you bind to AD your services (HTTP etc) are kerberised, and so long as AD is first in the authentication list AD acts as the Kerberos authority through it all- so your server and clients will use only AD as the kerberos realm and not the OD Master.

    I haven't read the paper you both are talking about so I'm not sure on the reasoning behind turning kerberos off at the OD Master, but I do know that all of the Apple Server training guides I have state clearly that kerberos should be running when integrating on the OD server.

    Not saying it's wrong!

    Just interested...

#8

    Re: OD integrated with AD with full Kerberos Support

    It is said that although Tiger is supposed to be able to cope better with the different realms than Panther, it is still advisable to turn off the Kerberos realm for the OD so as not to have any confusion for the clients when being bound to both directories.

    So this is what I did.

    The doc is on the Mike Bombich site if you wish to read it:

    Leveraging Active Directory on Mac OS X
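The disagreement in the two posts above (leave the OD master's KDC running, or stop it with sso_util) comes down to one question a practitioner can check directly: after a network login, which realm issued the client's TGT? If the search path is right, it is the AD realm, whatever the OD master is doing. The script below is an added example written for this thread, not code from the original posts or from Apple; it parses the text that `klist` prints (the same information the Kerberos application's ticket list shows) and reports the issuing realm and whether the TGT is still valid. The realm names, principals and sample `klist` output in it are constructed; the column layout assumed is the MIT-style "Valid Starting / Expires / Service Principal" table.

```python
"""Report which realm issued the TGT in a Kerberos ticket cache.

Added example for the thread above, not code from the original posts.
The sample klist output, principal and realm names are constructed.
"""
import re
import subprocess
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Ticket lines look like:
#   03/20/07 08:11:02  03/20/07 18:11:02  krbtgt/AD.EXAMPLE.LAN@AD.EXAMPLE.LAN
TICKET_RE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<principal>\S+)$"
)
DATE_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text: str) -> Dict[str, object]:
    """Extract the default principal and (service principal, expiry) pairs."""
    default: Optional[str] = None
    tickets: List[Tuple[str, datetime]] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append((m.group("principal"),
                            datetime.strptime(m.group("expires"), DATE_FMT)))
    return {"default_principal": default, "tickets": tickets}


def tgt_realm(parsed: Dict[str, object], now: Optional[datetime] = None) -> Optional[str]:
    """Realm of the first unexpired krbtgt ticket, or None if there is no usable TGT."""
    now = now or datetime.now()
    for principal, expires in parsed["tickets"]:  # type: ignore[union-attr]
        if principal.startswith("krbtgt/") and expires > now:
            return principal.split("@", 1)[1]
    return None


def check_tgt(text: str, expected_realm: str, now: Optional[datetime] = None) -> List[str]:
    """Findings are empty when the cache holds a live TGT from the expected (AD) realm."""
    parsed = parse_klist(text)
    findings: List[str] = []
    realm = tgt_realm(parsed, now)
    if realm is None:
        findings.append("no valid TGT in the cache; the login did not complete Kerberos authentication")
    elif realm.upper() != expected_realm.upper():
        findings.append(f"TGT was issued by {realm}, not {expected_realm}; check the search path order")
    default = parsed["default_principal"]
    if isinstance(default, str) and not default.upper().endswith("@" + expected_realm.upper()):
        findings.append(f"default principal {default} is not in {expected_realm}")
    return findings


def live_klist() -> str:
    """Run the real klist on the logged-in client (macOS/MIT syntax)."""
    return subprocess.run(["klist"], capture_output=True, text=True, check=False).stdout


# Constructed sample: a client whose TGT came from the AD realm, as intended.
SAMPLE_AD = """\
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: jsmith@AD.EXAMPLE.LAN

Valid Starting     Expires            Service Principal
03/20/07 08:11:02  03/20/07 18:11:02  krbtgt/AD.EXAMPLE.LAN@AD.EXAMPLE.LAN
03/20/07 08:11:05  03/20/07 18:11:02  afpserver/odmaster.example.lan@AD.EXAMPLE.LAN
"""

# Constructed sample: the OD master's own KDC answered first instead.
SAMPLE_OD = """\
Default principal: jsmith@ODMASTER.EXAMPLE.LAN

Valid Starting     Expires            Service Principal
03/20/07 08:11:02  03/20/07 18:11:02  krbtgt/ODMASTER.EXAMPLE.LAN@ODMASTER.EXAMPLE.LAN
"""

DEMO_NOW = datetime(2007, 3, 20, 9, 0, 0)  # fixed clock so the samples stay "live"

if __name__ == "__main__":
    print("AD sample:", check_tgt(SAMPLE_AD, "AD.EXAMPLE.LAN", DEMO_NOW) or "OK")
    print("OD sample:", check_tgt(SAMPLE_OD, "AD.EXAMPLE.LAN", DEMO_NOW) or "OK")
    # On a bound client: print(check_tgt(live_klist(), "AD.EXAMPLE.LAN") or "OK")
```

On a real client, run it right after a network login with `check_tgt(live_klist(), "<your AD realm>")`; a TGT from the OD master's realm, or none at all, points at the search path order rather than at the managed preferences.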

#9

    Re: OD integrated with AD with full Kerberos Support

        I would be a little worried about the binding process crashing your AD server and the need to reboot it when you unbind. It should be as seamless as joining and unjoining a domain from an XP machine.

    Yeah, me too. I have had quite a few problems with my network in general, so it looks to be a complete rebuild of the domain to see if it resolves the issues. I just can't seem to pin down the problems the clients are having logging in. Sometimes they pull all the information from GP, other times they just get a blue screen. But that's another issue. Right now I would just settle for something to work.

        Apple Server training guides I have

    Where did you get these from? Are they freely available? There is an integration meeting coming up in Toronto. Just need to get the boss to OK it!!

        What you can do to test the theory is just take out your nested group structure and instead use a dozen or so accounts from AD in an OD group

    This was my next port of call, once I restart the DC (the main one as well) and then rebind the OS X client. I have left it overnight as well, so it can't be a replication issue.

    Thanks for your help by the way.

#10

    Re: OD integrated with AD with full Kerberos Support

    OK, I have gone through your list of things with a brand new install of both OS X Server and client. I have restarted the DC with the computer accounts deleted, ready for the new re-bind.

    I have slowly gone through the list one item at a time. I got to the point where it says to join Kerberos when joining the AD. I did nothing: I did not use sso_util to join, and left the OS X server running Kerberos on the OD.

    I then proceeded to Workgroup Manager and found that I could not access the Active Directory users. I re-checked Directory Access and it was fine. I restarted the server and this must have triggered something, as I could now access the Active Directory users.

    I then proceeded to create a group on the OD and dragged one user into the group (my username).

    I proceeded to configure the client at this point.

    I joined AD FIRST, like you said to, and then proceeded to join the OD. I logged out and found that I could not log in as my AD user. I logged back in and checked Directory Access, and everything was in the correct order. So I restarted the client.

    Upon restart I logged in as admin (the other ball does not come up at first, but I think it is down to the AirPort connection as opposed to Ethernet), then logged back out. I checked the info on the login screen and found a yellow ball saying some network accounts are available. Something is not right. I don't know what it is, but it is really frustrating as I think it is close. I can log in as the AD user, but it does not get the managed settings.

    One point is that when I tried to unbind from the OD it could not find it. I find this quite strange, since it had no problem when binding, and using host in the terminal along with dig brings a correct response.

#11

    Re: OD integrated with AD with full Kerberos Support

    OK.

    Let me try and help you with the login screen problem first. I actually think there are three main issues here:

    1. Wireless connection
    2. Services are loading too quickly at startup
    3. Your LDAPv3 list is populated with a reference "From Server" rather than the IP address and hostname of your LDAP (OD) server.

    The first isn't easy to fix, since that's really infrastructure dependent. Can't help you with that except to say look at your channel settings to see if you have overlap problems or buy an Apple Extreme station. There are some problems with Apple wireless connections to third party APs at this time. One issue I am aware of is that if your wireless password is not stored in your Keychain it can stop network services from catching up. Try the laptop with a wired connection and see if it works. If it does post back and we can look at adding your wired password to your keychain.

    The second is where I would really focus my attention right now. There is a value you can set called "StartupDelay" that holds the login window where it is until everything has loaded behind it properly, and by default this is set too low. It's a simple integer setting and you can edit it by opening WGM on your OS X Server, clicking on the Computers button, clicking on "Guest", and then "Preferences". Click on the "Details" window when there- and you should see a list of at least two or three plist references. Find com.apple.loginwindow and click "Edit".

    In the context window that appears there are (I think) three main areas- choose to look at "always" and add two new keys.

    (a) "StartupDelay" (without the quotes) type "integer" and value "30"
    (b) "AdminHostInfo" type is "string" and value "DSStatus"

    Reboot at least twice.

    If this doesn't work, delete the entry in the Directory Access Tool to your OD Master and re-add it, making sure to use its IP address and making sure it finds the hostname in the first field. Uncheck "Contact" if that is checked, reboot and try again.

    Number (3) has been covered in the above anyway so I won't go through that again.

    Now let's look at your wider network problems:

    (i) GPs not applying and causing blue screens
    (ii) Binding and unbinding Apple systems causing network reboots and instability
    (iii) OD-AD integration problems

    I am thinking you are right. A re-build of your AD domain would work wonders for your integration plans. I know it's easier said than done, but it really does sound like there are too many underlying problems on the network to be thinking about integration at this stage. LDAP is finicky at the best of times, let alone introducing it into a shaky underlying network.

    Server books:

    Do a search for Schoun Regan on Amazon UK and you should find a book called "Mac OS X Server Essentials". I think it is the best resource to look at and is official Apple curriculum for server training.

    HTH!

    Paul
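What the "Details" editor in Workgroup Manager writes for the two keys above is an MCX plist attached to the computer (or group) record. The script below is an added example for this thread, not code from the original post or from Apple: it builds that payload with the post's values (StartupDelay 30, AdminHostInfo "DSStatus", managed as Always, which MCX stores under the key "Forced") and audits an existing payload for the failure modes the thread hits, including the "no plists at all" case from the reply that follows. The MCX dictionary layout (mcx_application_data / domain / Forced / mcx_preference_settings) is the standard one stored in a record's MCXSettings attribute; the threshold of 30 seconds is the post's recommendation, not a documented minimum.

```python
"""Build and audit an MCX com.apple.loginwindow payload.

Added example for the thread above, not code from the original post.
Assumes the standard MCX plist layout Open Directory stores in MCXSettings;
the key names and values come from the post (StartupDelay=30, AdminHostInfo=DSStatus).
"""
import plistlib
from typing import Any, Dict, List
from xml.parsers.expat import ExpatError

LOGINWINDOW = "com.apple.loginwindow"


def build_loginwindow_mcx(startup_delay: int = 30,
                          admin_host_info: str = "DSStatus") -> bytes:
    """Return an XML plist managing both keys with the Always ('Forced') frequency."""
    mcx: Dict[str, Any] = {
        "mcx_application_data": {
            LOGINWINDOW: {
                "Forced": [
                    {"mcx_preference_settings": {
                        "StartupDelay": startup_delay,
                        "AdminHostInfo": admin_host_info,
                    }}
                ]
            }
        }
    }
    return plistlib.dumps(mcx)


def audit_loginwindow_mcx(blob: bytes, min_delay: int = 30) -> List[str]:
    """Return findings; an empty list means the payload matches the post's advice."""
    try:
        mcx = plistlib.loads(blob)
    except (plistlib.InvalidFileException, ExpatError):
        return ["MCXSettings is not a valid plist"]
    domain = mcx.get("mcx_application_data", {}).get(LOGINWINDOW)
    if not domain:
        # The "I have NO plists" case: nothing is managed for loginwindow at all.
        return [f"no {LOGINWINDOW} settings are managed on this record"]
    settings: Dict[str, Any] = {}
    for entry in domain.get("Forced", []):          # only Always-managed keys count
        settings.update(entry.get("mcx_preference_settings", {}))
    findings: List[str] = []
    delay = settings.get("StartupDelay")
    if delay is None:
        findings.append("StartupDelay is not set under Always")
    elif not isinstance(delay, int) or isinstance(delay, bool) or delay < min_delay:
        findings.append(f"StartupDelay={delay!r} is below the {min_delay}s recommended")
    if settings.get("AdminHostInfo") != "DSStatus":
        findings.append("AdminHostInfo is not DSStatus, so the login window will not show directory status")
    return findings


if __name__ == "__main__":
    good = build_loginwindow_mcx()
    print(good.decode())
    print("audit:", audit_loginwindow_mcx(good) or "OK")
    print("audit (delay 5):", audit_loginwindow_mcx(build_loginwindow_mcx(5)))
```

To audit a real record, export its MCXSettings attribute (Workgroup Manager's Inspector shows it as XML) and pass the bytes to `audit_loginwindow_mcx`; the generated payload is the same XML you would otherwise paste into the Details editor.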

#12

    Re: OD integrated with AD with full Kerberos Support

    Kingswood,

    Thanks for sticking with me through this time (unlike my hair has managed to). I have tried the first point you suggested, using a cable instead of wireless, and I see your point about the third-party WAPs, which is why I dumped the connection to the Netgear and switched over to the new Extreme AP. The Wi-Fi WPA key is also in the keychain, since it doesn't ask me on login to connect.

    I will look into the services-loading thing as soon as I re-build the server, since I had problems yet again with the binding thing and so demoted the server to standalone. Now it has picked up the wrong default realm, and I can't be bothered to figure out how to change this setting, especially as I can no longer log into WGM or kerberise the domain either.

    I used the IP address for the server bind to the OD and it did use the "From Server" option. I did change this to Open Directory, but if the second point you mentioned is the problem then all of this would have been for nowt.

    I do believe that I am banging my head against a brick wall at the moment with this and cannot rule out the network issues as being the main cause. I have scheduled the domain re-build for the Easter break, so will be able to get a better understanding of the issues with this resolved. Until then I may just duplicate the AD to the OD setup and manage the users and computers across both directories. Looking at future changes, I can't see any major changes affecting the users apart from moving OUs at the end of July.

    For the time being, anyway.

    The books WILL be ordered (through the school), and so hopefully I will have a better understanding of the process.

    I do feel that it needs more support from Apple with regard to this side of things, as it is what will be predominantly happening across the UK, that's if they want a bigger market share.

    PS: One more thing I meant to ask. You said in your first post that you have just rolled this sort of thing out. Does this also entail the Boot Camp area as well, since I am a little confused about this part, and here's why:

    If I join the AD domain under Windows XP it will create a computer account.

    Then when I try to bind using OS X the computer account will already exist. How would this cause issues, if any?

    Once again thanks for any help.

#13

    Re: OD integrated with AD with full Kerberos Support

        It's a simple integer setting and you can edit it by opening WGM on your OS X Server, clicking on the computers button, clicking on "Guest", and then "preferences". Click on the "Details" window when there- and you should see a list of at least two or three PLIST references

    I have just tried to set this setting and, lo and behold, I have NO plists, just to make my day a little better. Can it BE any worse?????

    I think I am the only one that is having such an issue, so there must be something that is slipping past without detection. It doesn't help that I have been pounding at this for two weeks solid (nearly straight through as well, considering the hours put in)!!

    I won't let it beat me though!! Grrrrr

    PS: I downloaded the 10.4.9 combo update, as it came out just as I updated my server and I did not see it in the list.

#14

    Re: OD integrated with AD with full Kerberos Support

    Update! And it's good news!!!!

    I have created a small-ish network at home to try and resolve the issue without the other crap involved. I set up my Mac mini as the OS X server, the MacBook Pro running Server 2003 in Parallels, turned off the G5 because it's too loud, and borrowed a laptop from work.

    I have configured each piece as described above in your first post, Kingswood, and reached the point where I needed to add the client to the OD. Do you think this would bind? Would it hell. I then went through the leveraging doc to find the piece that would put dsconfigad into debug mode and stumbled across the piece about just continuing without the binding.

    I tried this and then logged out. I then proceeded to check the info and I got "some network accounts are available". Bloody great!! So I restarted the lappy and then, voila, a green ball full of accounts, so I logged in, spelling the password wrong a few times in my haste to get in, and YES, a managed dock popped up on the left. Fantastic. I now need to reproduce these steps at work, but I am now more optimistic.

    Also, as it is not bound to the OD, it should not cause an issue with Boot Camp either.

    Thanks for the help. Will let you know how it goes at work tomorrow!!

#15

    Re: OD integrated with AD with full Kerberos Support

    Great news!

    You are getting further every day- there's a light somewhere

    I'm a little perplexed that without binding your client to OD you are picking up managed settings from somewhere. Binding to AD only provides authentication/authorisation and identification. AD cannot offer any management of OS X systems or groups. But hey- if it works before you rebuild your network that's brilliant!

    Yes- I recently took delivery of an Xserve and Xserve RAID and integrated them into our AD network with the help of a very capable Apple server engineer. I learnt so much that day that my notes are chapters long! I had already installed several Apple servers before, but always within an OD domain. I had never integrated except at home on my own systems. The process was very easy and smooth. After the engineer had configured things we took it off the network again and I did it myself so that I could get my head around what had just happened. It's cool stuff. I now have the OD Master pull AD information into it and use that to configure groups and preferences for the Apple systems on the school network. Preferences are running great, and I am about to investigate other things that will help our media and music teams leverage their systems better than they have been.

    As for Boot Camp: haven't tried that, but I will at home and let you know. It's interesting, but we have 10 new Macs (MacBooks and MacBook Pros) and they have gone out to staff, but none have yet been integrated into the domain. The plan was to do this over Easter, so I should have fun with them at that time.

    Anyway, let me know how it goes for you!

    Paul
