
Re: OD clients binding problem




On 08.03.2007, at 18:48, Knight, William H. ((NIH/NIAID)) [C] wrote:

> When you authenticate during the binding process like that I believe you are performing a trusted bind.  If you are doing a golden triangle setup, with your OD master bound to the AD domain so it can just push out computer lists and group policies/prefs, then you shouldn’t use trusted/authenticated binding.  Look in your edu.mit.Kerberos file and make sure your realms and such are accurate.  Apple doesn’t recommend using trusted binding when you are using the AD/OD setup.  You can enable trusted binding on the Open Directory Master, but you shouldn’t require it.  When you bind the client to OD, just leave the username and password blank when you’re prompted to enter the computer name and a directory administrator’s name and password…

 

That's the way I do things now. But does this then still allow me to create computer lists in Workgroup Manager and e.g. assign printers to them (from the preferences panel of the computer list)? I tried that but the printer didn't show on the clients.  Setting preferences for my Mac clients is the only feature I'm missing right now. If someone could point me to how to do this in an AD/OD scenario I would be very grateful.



> Try adding the DNS servers in the client’s network preferences if you’re not already… even if they are getting them from DHCP….  Are you sure you have correct forward/reverse lookup DNS entries for your ODMaster?  Also check your domain search paths in network prefs… for our environment it’s vital for the root forest to be the first domain search path: domain.local, child.domain.com

 

DNS settings are correct...



> Also if your ODM is bound to AD and Kerberos is still showing up as running in Server Admin, the ODM’s KDC may be clashing with the Active Directory Kerberos client and causing a number of issues… though, I am not sure if that would impact trusted binding or not…

 

I configured the ODM to participate in the AD Kerberos. In Server Admin it says OD Master but Kerberos itself is stopped. Nevertheless single sign-on to the ODM via ssh or file services with an AD account works.

> The unbind thing means that it can't find the server… so I'm betting that once you authenticate the LDAPv3 plugin to bind to Open Directory, it’s rewriting the edu.mit.Kerberos file in /Library/Preferences/ so that it’s breaking your settings for AD as well.

 

After bind (and unbind) the Kerberos settings still point to the AD Kerberos. Should a trusted bind automatically try to establish a new Kerberos connection? I was thinking that Kerberos is an optional way of authentication, so that I can have a "full" OD domain without Kerberos.


> When you clear the config of a client to start over, remove the edu.mit.Kerberos file and also remove /etc/krb5.keytab… optionally you may want to also remove the directory /Library/Preferences/DirectoryService/

 

 

 

William H. Knight
******************************************
Network Engineer
Contractor - NIAID/OTIS
perotsystems® 
Government Services

(301) 402.4942
National Institutes of Health
10401 Fernwood Rd.
Room 2A05D
Bethesda, M.D. 20892


From: Josh Budde [mailto:email@hidden]
Sent: Thursday, March 08, 2007 11:26 AM
To: Christian Hutter; email@hidden
Subject: Re: OD clients binding problem

 

I never ‘bind’ my machines to the directory.  Whenever I do, I see the same errors that you are.  They can authenticate fine without binding so I just skip it.


On 3/8/07 10:30 AM, "Christian Hutter" <email@hidden> wrote:

Hello,

I'm trying to bind my Mac OS X 10.4.8 client computers to an Intel Xserve OD (also running 10.4.8). Using Directory Access I configured LDAPv3 and added a new LDAP server by submitting the name in the first window. On the next window I give the credentials of an OD admin and bind the client to the OD domain. This seems to be successful, no error message occurs and the client is listed in the Workgroup Manager.

But I don't get any information from the OD domain. Using "dscl localhost" in a terminal window I can see the fully qualified name of the OD server under /LDAPv3, but if I try to cd into it I get "cd: invalid path".

If I try to do an unbind in Directory Access I get "Could not contact server. Could not contact the LDAP server to unbind. Would you like to forcibly remove this configuration". When I say OK to that I can browse all info with dscl and OD users/groups are visible to the client machine.

I could live with that situation as I mainly need the authentication to work, but I would also like to be able to administer the computers from Workgroup Manager.

I think I must be missing something, as I just don't believe that this is normal behavior, so do you have any idea what I'm doing wrong or in which direction I need to investigate to get this running?

One last note:  All machines also use the AD plugin to connect to a Windows 2003 AD domain, but I did some tests without AD integration and it was exactly the same behavior.
 

Thanks,

 Christian



-------------------------------------------------------------

Christian Hutter (email@hidden)

Phone: (+352) 46 66 44 5449

Service Informatique Université

University of Luxembourg

6, rue Richard Coudenhove-Kalergi

L-1359 Luxembourg

 


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden


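Knight's advice to check that the realms in edu.mit.Kerberos are accurate can be scripted. The following checker is an added illustration, not code from anyone in this thread: it parses the krb5.conf-style syntax that file uses and flags the realm-wiring mistakes that would matter in an AD/OD setup (a default realm with no [realms] entry, a realm with no kdc, a domain_realm mapping to an undefined realm). The realm and host names in the sample are constructed.

```python
import re
from collections import defaultdict

SAMPLE = """[libdefaults]
    default_realm = AD.EXAMPLE.COM
[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com:88
    }
    ODM.EXAMPLE.COM = {
        admin_server = odmaster.example.com
    }
[domain_realm]
    .ad.example.com = AD.EXAMPLE.COM
    .other.example = MISSING.REALM
"""  # constructed sample in edu.mit.Kerberos / krb5.conf syntax, not from the thread

def parse_krb5(text):
    """Return {section: {key: [values]}}; a 'name = { ... }' block becomes a nested dict."""
    conf = defaultdict(lambda: defaultdict(list))
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = m.group(1), None
        elif block is not None and line == "}":
            block = None
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            block = defaultdict(list)
            conf[section][m.group(1)].append(block)
        elif m := re.fullmatch(r"(\S+)\s*=\s*(.+)", line):
            target = block if block is not None else conf[section]
            target[m.group(1)].append(m.group(2).strip())
    return conf

def check_realms(text):
    """Return findings about realm wiring; an empty list means it is consistent."""
    conf, findings = parse_krb5(text), []
    defaults, realms = conf["libdefaults"].get("default_realm", []), conf["realms"]
    if not defaults:
        findings.append("no default_realm in [libdefaults]")
    elif defaults[0] not in realms:
        findings.append(f"default_realm {defaults[0]} not defined in [realms]")
    for name, blocks in realms.items():
        if not any(b.get("kdc") for b in blocks):
            findings.append(f"realm {name} lists no kdc")
    for dom, targets in conf["domain_realm"].items():
        for realm in targets:
            if realm not in realms:
                findings.append(f"{dom} maps to undefined realm {realm}")
    return findings
```

Run `check_realms(open("/Library/Preferences/edu.mit.Kerberos").read())` on a client before and after a bind to see whether the bind rewrote the realm wiring the way the thread suspects.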


