Thread-topic: 10.4.3 nest AD groups in OD groups - FIX
>>> IIRC, the addition to Mac OS X was to allow mcx to propagate to nested
>>> groups.
>>>
>>> So you would need to add your AD group to an OD one and apply the mcx to the
>>> OD group. The big gain here is that we don't need to do all those group sync
>>> scripts anymore.
>>>
>>> (I've not had a chance to test this yet.)
>>>
>>
>> I have been working very hard on this for several weeks now. It definitely
>> did not work under 10.4.2 and I couldn't get it going with the 10.4.3 betas
>> either. Been trying since the final release and still no luck. MCX on nested
>> OD groups now works ok, but it doesn't seem to work out group membership on
>> AD users - i.e. AD user logs in and mcx only sees OD groups the user is
>> directly in.
>>
>> I don't think the group membership on my AD users is being resolved
>> correctly. With panther, browsing an AD user with WGM you could see all the
>> AD groups that user belonged to. On a tiger system, WGM only shows "domain
>> users". So something changed there. Using "id" and "groups" from the cli
>> yields the same results (or lack of).
>>
>> I have opened an Alliance ticket on this, if I manage to solve it I will
>> feed it back to the list...
>
> Interesting. I just did the following on my Tiger test server.
>
> 1. Made an OD group named "ADProxy".
> 2. Added an AD group I am a member of to it. The AD group "citrix_admins" is
> the only member of the OD group.
> 3. Set the dock prefs on the "ADProxy" OD group.
> 4. Logged in and my dock reflected the correct MCX settings.
>
> So... it's working for me in some really simple testing.
>
> Let us know what Alliance tells you. I really do think that's a smart purchase
> to make if you have Mac OS X Server.
OK, I have resolved this now. Basically, in our domain "authenticated users"
do not have rights to read group membership of other accounts. This is
apparently for security reasons. So I need to put an ACL on the mac computer
accounts container that enables those accounts to read that attribute.
The reason it works at most places is either the accounts aren't as tightly
locked down, or it was an NT domain upgraded - in which case the permissions
are VERY relaxed, everyone can read all attributes. Apparently a few sites
had this issue.
The reason I could read group membership in panther was because of the way
it pulled down the group info directly and stored them in the
ADGroupCache.plist - which ironically bypassed the security the AD admins
had set up! Also interesting is that by default any user can read group
membership of a domain admin - should have seen their faces when I showed
them that :)
I really should have worked all this out a lot sooner......
JK.
--
Justin Krisko
Editorial Systems Analyst
Time Inc Europe (IPC Media Ltd)
London, UK
Desk: +44 207 261 6829
Mob: +44 7985 207 334
AIM: email@hidden
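An added example of the kind of narrow ACL change Justin describes, not from the thread or from any Apple or Microsoft documentation it cites. It uses the Windows dsacls tool on the AD side. Every name is a placeholder: the domain is corp.example, the user objects live under CN=Users,DC=corp,DC=example, and the Mac computer accounts are assumed to be collected in a group CORP\MacComputers. It also assumes the Mac AD plug-in needs read access to the user's memberOf attribute, which the thread implies but does not state, and it grants that right on the users container rather than on the computer accounts container; either placement is a site decision.

```powershell
# Added example, not from the mailing-list thread. All names below are placeholders.
# Run on a domain controller or RSAT host as an account allowed to edit the ACL.
$usersContainer = "CN=Users,DC=corp,DC=example"
$macComputers   = "CORP\MacComputers"     # assumed group holding the Mac computer accounts

# 1. Audit first: dump the container ACL and look for who already holds
#    Read Property on memberOf (Authenticated Users in a relaxed domain,
#    nobody in a tightly locked-down one).
dsacls $usersContainer | Select-String -Pattern "Authenticated Users", "MacComputers"

# 2. Grant only what the plug-in needs: RP (read property) on memberOf,
#    applied to user objects below the container (/I:S = sub-objects only),
#    to the Mac computer accounts rather than to Authenticated Users.
dsacls $usersContainer /I:S /G "${macComputers}:RP;memberOf;user"

# 3. Verify the ACE landed before testing a login on a Mac.
dsacls $usersContainer | Select-String -Pattern "MacComputers"
```

The point of scoping the grant this way is that it restores the group lookup the Mac needs without reopening the attribute to every authenticated user, which is the exposure the AD admins had deliberately closed.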
Client-management mailing list (email@hidden)