AD and Mac

zalmax
Sep 11, 2012, 07:53 PM
I am at a loss. Maybe someone in these forums has some experience with what I am going to describe, and/or shed some light on what could possibly be wrong.

I work in an environment that has been dual platform (Mac/Windows) for many years. The Windows machines always talked to the Windows servers, and the Mac gear talked to Mac servers.

This year we had a mega influx of new Mac equipment. Laptops, iMacs, iPads etc. We decided to finally have the Mac bind to AD, since it made sense for things like Internet filtering by groups, a single set of credentials for login/mail/googledocs etc. AD makes sense for a number of reasons in this environment, so I don't want to really dispute that in this post.

Here is what happened. I hired a Mac engineer to come out, look at our system (just added Casper Suite as well). Told them how we want to manage, and that we also want to bind to AD, but also provide some services on some older server OSes. The plan became to have AD binding, set up some OD servers to interact with AD, and use Casper Suite to push/pull things we needed. Seemed simple enough except we needed to add 20 or so more servers to the mix for OD purposes (which we haven't done yet so the environment hasn't changed at all).

All clients are running 10.8.1. The DC servers are 2008R2. The OD server is 10.8. We bound the machines via script from casper (actually I think it is now built into the image we are using), created home shares on the windows network for users to save data, made sure OD was bound to AD. Tried logging in on the Mac with AD credentials, and everything worked great. Left for the weekend, and came back to an inability to log into the Macs. No error number, it just says that an error occurred in a window with a picture of a small house in the upper left corner.

We made sure the binding was to the full domain name. There are only 2 DC machines that handle login, and they were both running smoothly; this worked one day with every user account we tried. We made up some new users just to verify that it worked, and it did. 3 days later, absolutely nothing works. No account can log in.

We tried rebooting the OD server. Nothing. Fresh image. Nothing. Fresh install/rebind. Nothing. All of a sudden one account worked. We noticed that some accounts had a home folder created in the new area that we would be using to house home folders (I think the person making sure the home folders were created just had not finished yet). We thought...wait, maybe the error is because the home folders don't yet exist for everyone. We made a few more, and a few more people could log in. Then just to rule it out, we made a new user with no home folder. That new user could log in with no issues. Suddenly, only a few of us could log in, yet nothing had been changed.

I am basically at my wits' end with this issue. I want to bind, just for the sake of using AD to perform some functions that make life easier. I am wondering if it is just a huge waste of time and energy. Can anyone think of what could cause this random issue? Even the AD expert and Mac engineer were at a loss. They combed through the AD and the network looking for some sign of trouble, but came up with nothing. Any ideas/suggestions/comments welcome.



Mattie Num Nums
Sep 12, 2012, 10:43 AM
Any specific reason why you are using OD/AD and Casper?

AD + Casper is enough and is a lot less moving parts for a growing environment without a dedicated engineer.

zalmax
Sep 12, 2012, 06:39 PM
We were advised to use it because some of the older software we are running requires it. Until such time as we can upgrade/change software I guess we'll be stuck with it. We also have some older machines that aren't capable of running the newer OSes, so those will continue to work the way they always have with OD. I wasn't a fan of using all three pieces, but I'm not an Apple engineer.

matspekkie
Sep 13, 2012, 06:24 AM
I have had similar issues when IPv6 was on. Somehow it would not resolve right. Of course there is no way of telling if this has anything to do with your problem, but I guess it is worth a try to disable IPv6 on the Macs.
The above is probably not the problem, but I mentioned it anyway just in case.
A more likely problem is if you have a .local trailing domain. Check out this site, as it mentions the problem. http://www.vuzzlevuzz.org/2011/10/active-directory-login-problems-with.html

Hope it points you in the right direction.
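As an added example (not part of this thread, and not code from Apple, Casper or any poster), the following read-only POSIX shell checklist turns the two leads in the reply above into something an admin can run on an affected Mac: it flags a domain that ends in .local, which macOS treats as a Bonjour/mDNS zone and resolves by multicast rather than through the unicast DNS the domain controllers serve, counts how many of the DC-locator SRV records actually resolve, and, where `networksetup` exists, reports the IPv6 setting of a network service. It assumes `dig` is on the path (it ships with macOS); the service name "Wi-Fi" and the domain `corp.local` are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic example, not from the thread or from any Apple/Casper tool.
# Assumes `dig` is available and, optionally, macOS `networksetup`.
# "corp.local" and the "Wi-Fi" service name are constructed placeholders.

# Exit 0 if the domain ends in .local, which macOS treats as a Bonjour/mDNS
# zone and resolves by multicast instead of the unicast DNS served by the DCs.
ad_domain_uses_local_tld() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.local) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print, one per line, the SRV names a client resolves to locate domain
# controllers and Kerberos KDCs for the given domain.
ad_srv_names() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
    printf '_kerberos._tcp.%s\n' "$1"
    printf '_ldap._tcp.%s\n' "$1"
}

# Count how many of those SRV names return at least one record via dig.
# Prints the count; 0 means the Mac cannot find any DC through DNS at all.
ad_count_resolving_srv() {
    count=0
    for name in $(ad_srv_names "$1"); do
        if dig +short +time=2 +tries=1 SRV "$name" 2>/dev/null | grep -q .; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Human-readable report for one domain.
ad_check() {
    domain="$1"
    if ad_domain_uses_local_tld "$domain"; then
        echo "WARN: '$domain' ends in .local; add it to the DNS search domains or expect slow or failed DC lookups"
    else
        echo "OK: '$domain' is not a .local name"
    fi
    if command -v dig >/dev/null 2>&1; then
        echo "SRV records resolving: $(ad_count_resolving_srv "$domain") of 3"
    else
        echo "SKIP: dig not available, SRV lookups not attempted"
    fi
    # Assumed macOS-only command; "Wi-Fi" stands in for the active service name.
    if command -v networksetup >/dev/null 2>&1; then
        networksetup -getinfo "Wi-Fi" 2>/dev/null | grep -i '^IPv6' || true
    fi
}

# Run only when a domain is given on the command line, e.g. ./adcheck.sh corp.local
if [ -n "${1:-}" ]; then
    ad_check "$1"
fi
```

Run it on a client that fails to log in and compare with one that works: a .local warning plus zero resolving SRV records points at name resolution rather than at home folders or the OD server, which matches the symptom in the thread of logins working one day and failing the next with no AD-side change.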