OSX Server Add Computers To Domain




DoFoT9
May 3, 2010, 04:55 AM
Hey all,

I feel like some sort of idiot posting this question - but an intense Google search doesn't give me the answers I am after!

I have a VM of OSX Server, and I would like to trial adding some real computers (such as my MBP running 10.5.8, thus having a UUID) to this virtual machine.

Here is a basic rundown of the network.
10.0.1.1 (router address, Time Capsule)
10.1.1.3 (iMac address)
->10.0.1.21 (OSX VM) - this is running on the iMac.
10.1.1.4 (MBP address)

I would like to test adding my MBP into the domain of the virtual OSX server. Is this possible? I presumed that because the MBP and VM are on the same network that I could just create a new computer via Workgroup Manager (add machine name, UUID etc), reboot the MBP and then attempt to login from the MBP using a user account created from the VM. Is this not possible? Do I have to tell the MBP to connect to the OSX domain like on a Windows machine?

I do not have OSX server giving out DHCP - because I have a router to do that, does this matter?

Any help is greatly appreciated :)

DoFoT9



calderone
May 3, 2010, 10:00 AM
Yes, you have to bind the machine to the OS X Server. Even if the Server knows about a machine with those attributes, the client has no idea that it should be looking in another directory.

I am assuming you have DNS running on the Server? And you are pointing your clients to the server for lookups? DNS is crucial for directory services.

If that is already set up and you have tested the client's ability to look up your server, then you can bind the machines via Account Preferences (10.6) or Directory Utility.

What is required to bind will depend on what you set up in Server Admin. For example it may be set up to require authenticated binding.

When you add a server, it typically will automatically add the search policies. In your case it will be something like /LDAPv3/domain.example.com, where domain.example.com is your domain name.

Once the machine is bound, you will be able to login assuming the network user has a home folder defined. This can be local or network based, but it must be defined in WGM.

DoFoT9
May 4, 2010, 03:49 PM
Yes, you have to bind the machine to the OS X Server. Even if the Server knows about a machine with those attributes, the client has no idea that it should be looking in another directory.

I am assuming you have DNS running on the Server? And you are pointing your clients to the server for lookups? DNS is crucial for directory services.

If that is already set up and you have tested the client's ability to look up your server, then you can bind the machines via Account Preferences (10.6) or Directory Utility.

What is required to bind will depend on what you set up in Server Admin. For example it may be set up to require authenticated binding.

When you add a server, it typically will automatically add the search policies. In your case it will be something like /LDAPv3/domain.example.com, where domain.example.com is your domain name.

Once the machine is bound, you will be able to login assuming the network user has a home folder defined. This can be local or network based, but it must be defined in WGM.

I do have a DNS server but had decided not to use it thus far - I didn't think it was important.

I have set up the computer in WGM - if I then add the server's address into the DNS part of the client, should that work? If not, could you explain what Account Preferences are? Is that on the client side or server side (I couldn't find the application on either).

I have already assigned a test user with a home profile etc, it can be logged on from the server so I know that it's operational (and defined in WGM).

Any further help would be great! Thanks so much for your time :)

calderone
May 4, 2010, 04:51 PM
I do have a DNS server but had decided not to use it thus far - I didn't think it was important.

Yes, it is important for directory services. You need a DNS server, whether it be OS X Server or some other DNS Server.


I have set up the computer in WGM - if I then add the server's address into the DNS part of the client, should that work? If not, could you explain what Account Preferences are? Is that on the client side or server side (I couldn't find the application on either).

No, that is not sufficient. The client still has no idea that it should be using your server for directory access. Adding the address to your DNS server on the client only instructs the client to perform lookups off your server.

The client must be bound to the server.

Account Preferences refers to the Accounts Preference Pane in System Preferences on the client. In 10.5, Directory Utility was used for this and it was located in /Applications/Utilities. In 10.6, Directory Utility was moved to /System/Library/CoreServices, but the ability to join a Network Account Server was added to the Login Options section of Account Preferences.


I have already assigned a test user with a home profile etc, it can be logged on from the server so I know that it's operational (and defined in WGM).

Any further help would be great! Thanks so much for your time :)

If everything else has been set up properly, you should be able to log in.

DoFoT9
May 4, 2010, 05:43 PM
Yes, it is important for directory services. You need a DNS server, whether it be OS X Server or some other DNS Server.



No, that is not sufficient. The client still has no idea that it should be using your server for directory access. Adding the address to your DNS server on the client only instructs the client to perform lookups off your server.

The client must be bound to the server.

Account Preferences refers to the Accounts Preference Pane in System Preferences on the client. In 10.5, Directory Utility was used for this and it was located in /Applications/Utilities. In 10.6, Directory Utility was moved to /System/Library/CoreServices, but the ability to join a Network Account Server was added to the Login Options section of Account Preferences.



If everything else has been set up properly, you should be able to log in.

Thank you very much for that clarification Cal! Everything that you just said makes so much sense :rolleyes:, now that I think about it anyway!

I shall have a look when I get home from work/uni today and report back! Thanks :D

calderone
May 4, 2010, 08:03 PM
In 10.6, you can still use Directory Utility, and you should if you want to set up more advanced options like custom search paths, etc.

DoFoT9
May 4, 2010, 10:52 PM
In 10.6, you can still use Directory Utility, and you should if you want to set up more advanced options like custom search paths, etc.

OK, that makes sense. Currently my laptop only has 10.5.8 - any real drawbacks to this? As long as it logs on I don't care.

Question time!: so I have various computers in my house, dad's iBook, dad's iMac etc - then my iMac, my MBP. If I add, say, dad's iMac - can he still log on using the local account that he has? And then can I log him out (via fast user switching for example) and log myself in using the server domain? I'm hoping so :)

Also: once "added" to the domain, on the login page is there an option like in Windows to choose the domain? I'm still roughly 7hrs from getting home :P Just finished work! :(

calderone
May 4, 2010, 11:40 PM
There should not be any drawbacks to using 10.5.8 in regards to network accounts.

Yes, he can still log himself in. However, be aware that if you are using network home directories, two network users cannot be logged in at the same time. Thus, fast user switching is a no-no in a network home directory environment.

All you are doing when you bind the machine is telling it: "Hey, look at me for user accounts too."

You are not required to choose a domain in OS X. It will query all the network account servers, for example the local, OD and AD until it finds the account.

If, for example, there was a local and OD account with the same name, the login window will alert you and let you choose which you want to use.

DoFoT9
May 5, 2010, 12:00 AM
There should not be any drawbacks to using 10.5.8 in regards to network accounts.
Wonderful! Can you have the same user logged onto multiple computers at the same time?

Yes, he can still log himself in. However, be aware that if you are using network home directories, two network users cannot be logged in at the same time. Thus, fast user switching is a no-no in a network home directory environment.
I see - I would only have 1x local + 1x network logged onto the 1 machine at any time. Is that acceptable?

All you are doing when you bind the machine is telling it: "Hey, look at me for user accounts too."

You are not required to choose a domain in OS X. It will query all the network account servers, for example the local, OD and AD until it finds the account.

If, for example, there was a local and OD account with the same name, the login window will alert you and let you choose which you want to use.
Aahh I see now! Great explanation :) Thank you

calderone
May 5, 2010, 09:37 AM
Wonderful! Can you have the same user logged onto multiple computers at the same time?

Yes.


I see - I would only have 1x local + 1x network logged onto the 1 machine at any time. Is that acceptable?

Yes, but remember, the issue is only when using network homes. If the network accounts are assigned local home directories, it wouldn't be an issue to have more than one network account logged in.



Aahh I see now! Great explanation :) Thank you

No problem.

DoFoT9
May 5, 2010, 07:24 PM
OK, so I set up OD and DNS. Have come across this error when trying to log on (http://blog.nerdstargamer.com/2008/you-are-unable-to-log-in-to-the-user-account-at-time/)

http://blog.nerdstargamer.com/wp-content/uploads/2008/08/unable-to-log-in.png



I can see that the user's account is there and being shared etc... Maybe a simple reboot of the client is needed? That doesn't seem logical though...

calderone
May 5, 2010, 07:31 PM
Was the AFP share setup as an automount share for home directories?

Also, at the login window click the computer name and keep clicking until it shows the status of network accounts. Does it say "Network accounts available?"

DoFoT9
May 5, 2010, 07:39 PM
Was the AFP share setup as an automount share for home directories?
Hhmmm. I set up an account share myself. See attached image, is that it?

Also, at the login window click the computer name and keep clicking until it shows the status of network accounts. Does it say "Network accounts available?"
Yup, it says "network accounts available" with a little green dot :D

calderone
May 5, 2010, 07:46 PM
No, in Server Admin, the share has to be setup as an automount point.

DoFoT9
May 5, 2010, 07:55 PM
oh I Aww.... I will report back in an hour

calderone
May 5, 2010, 08:02 PM
In Server Admin, highlight the sharepoint and click the sharepoint tab. Check that the "Automount" option is checked and is set up for AFP and user home folders.

DoFoT9
May 5, 2010, 08:56 PM
In Server Admin, highlight the sharepoint and click the sharepoint tab. Check that the "Automount" option is checked and is set up for AFP and user home folders.

OH OF COURSE!!! :eek:

I was looking through there before but was in the wrong tab!

I have enabled "enable automount" for the /volumes/Mac HD/Users share - however I have just realised that the user accounts that I create automatically go to /Network.Servers/gallery.com/Users/"username". Do you think that it will be shared? I'm at uni so can't test right now :(

DoFoT9
May 5, 2010, 11:31 PM
Hmm, OK, this is confusing me.

I have created a user - and the home folder has been saved to /Network.Servers/gallery.com/Users/"username".

I then tried the alternative, saving to /Network/Services/gallery.com/Users"username" but the same error comes up.

Totally confused here, I thought users would be saved into /Users/"username".

Hmm, I think I may know now.. trying...

That didn't work either. When I attempt to log on from a client computer - it creates the user folder in the users/"username" directory! But then continues to chuck up that error.. hmm

calderone
May 5, 2010, 11:59 PM
There are errors in the path names you have given, so it is tough for me to help.

I can tell you that it should be /Network/Servers/example.com/Users/username for the full path in WGM.

At this point you should check the client logs and the server AFP and OD logs.

DoFoT9
May 6, 2010, 12:00 AM
There are errors in the path names you have given, so it is tough for me to help.

I can tell you that it should be /Network/Servers/example.com/Users/username for the full path in WGM.

At this point you should check the client logs and the server AFP and OD logs.

They aren't errors. ;)

Checking logs now :)

Well, I don't know where I'm looking - but I cannot find one single thing..

DoFoT9
May 6, 2010, 03:20 AM
OK, so I tried pretty much everything I could think of.

Have even gone as far as setting AFP to allow all users to access it (via System Admin). I still keep getting the same error, very confusing. DNS is working, and this is happening on multiple computers....

I'll keep trying I guess. Might be worth resetting the server?

DoFoT9
May 7, 2010, 09:33 PM
SUCCESS!

I can now log in using one account only from my ethernet on my MBP. Using the same account on my wireless iMac it does not work!

Everything appears to be set up the same, but it refuses to work.. I am continuing to troubleshoot.

calderone
May 7, 2010, 09:36 PM
Congrats. Hope you are able to get the iMac working.

DoFoT9
May 7, 2010, 09:40 PM
Congrats. Hope you are able to get the iMac working.

Haha, you are an A class stalker :D jks

It's very odd. Wired clients seem to work, and wireless ones won't. Is there a setting for that somewhere?

When adding the computer into WGM - I put in the ethernet ID MAC, and the MBP can log in using ethernet. If I put in the AirPort MAC, then it refuses to work. Hmph.

calderone
May 7, 2010, 10:22 PM
No setting that I know of.

I have wireless clients working just fine here. Is the machine actually connected to Wi-Fi when you are trying to log in?

DoFoT9
May 7, 2010, 10:26 PM
No setting that I know of.

I have wireless clients working just fine here. Is the machine actually connected to Wi-Fi when you are trying to log in?

Yes, all machines are connected to my home wireless. All machines can be pinged and can ping the server, it's just a setting somewhere.

When you set up the machine in WGM - you have to specify a MAC address, does it matter which you use? Should the other one still work? This is all very confusing...

calderone
May 7, 2010, 10:51 PM
What I am asking is if they are connected when you are at the login window?

It should not matter, I have a MacBook working over wireless and WGM has the en0 MAC. I have also had an Air working, in this case it was using the AirPort MAC address.

Try this:

1. Unbind the iMac.
2. Remove the WGM computer record.
3. In Server Admin, enable and require authenticated binding (also known as trusted binding, I will leave it up to you to figure this out)
4. Bind the iMac again.

The record will be created automatically, let the trusted bind do the work.
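The steps above (unbind, drop the WGM record, require authenticated binding, rebind) only work if the client can actually resolve the server and ends up with the LDAPv3 node in its search path; the DNS point was made earlier in the thread and the cache flush comes later in it. The script below is an added example for a client administrator, not something posted in the thread. It assumes placeholder values od.example.com and 10.0.1.21 for the server, and that the OS X tools dig, dscl and dscacheutil are present on the client; the two check functions only compare strings, so they are exercised here against constructed lookup answers and a constructed dscl listing.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks an OS X client admin can run
# around the unbind / rebind steps. Values are placeholders: replace OD_FQDN and
# OD_IP with the real Open Directory server. dig, dscl and dscacheutil exist on
# OS X 10.5/10.6 clients; the check functions only compare strings, so they can
# be exercised with constructed output.

OD_FQDN="od.example.com"   # placeholder server name
OD_IP="10.0.1.21"          # placeholder address (the VM address used in the thread)

# dns_consistent FQDN EXPECTED_IP FORWARD_ANSWER REVERSE_ANSWER
# Passes only when the A record resolves to the expected address AND the PTR
# record for that address names the same host. Directory binding relies on this
# pairing; a mismatch usually means a stale cache or a wrong resolver on the client.
dns_consistent() {
  fqdn=$1; want_ip=$2; fwd=$3; rev=$4
  rev=${rev%.}       # dig +short prints PTR names with a trailing dot
  [ "$fwd" = "$want_ip" ] && [ "$rev" = "$fqdn" ]
}

# search_path_has_node DSCL_OUTPUT NODE
# Scans the output of `dscl /Search -read / CSPSearchPath` for the node the bind
# should have added (for example /LDAPv3/od.example.com). dscl indents each node
# with a space, so the leading whitespace is stripped before an exact-line match.
search_path_has_node() {
  out=$1; node=$2
  printf '%s\n' "$out" | sed 's/^[[:space:]]*//' | grep -q -x -F "$node"
}

# Constructed sample of what a bound 10.6 client prints; used for offline checks.
SAMPLE_SEARCH_PATH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /LDAPv3/od.example.com'

# Live wrapper for a real client: flush the resolver cache first (the fix that
# resolved the iMac in this thread), then run both checks against real lookups.
live_checks() {
  dscacheutil -flushcache
  fwd=$(dig +short "$OD_FQDN" A | head -n 1)
  rev=$(dig +short -x "$OD_IP" | head -n 1)
  if dns_consistent "$OD_FQDN" "$OD_IP" "$fwd" "$rev"; then
    echo "DNS forward/reverse agree for $OD_FQDN ($OD_IP)"
  else
    echo "DNS mismatch: A=$fwd PTR=$rev (fix DNS before binding)"; return 1
  fi
  if search_path_has_node "$(dscl /Search -read / CSPSearchPath)" "/LDAPv3/$OD_FQDN"; then
    echo "client search path includes /LDAPv3/$OD_FQDN"
  else
    echo "client is not bound to $OD_FQDN (no LDAPv3 node in search path)"; return 1
  fi
}

# Run the live checks only when invoked as `sh bindcheck.sh live`, so the
# functions can also be sourced and tested without touching the network.
if [ "${1:-}" = "live" ]; then
  live_checks
fi
```

Run the DNS check before binding and the search-path check after; if the forward and reverse answers disagree, fix the resolver or flush the cache rather than rebinding, since a bind against a name that does not resolve consistently tends to fail in exactly the intermittent way seen with the wireless clients here.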

DoFoT9
May 7, 2010, 11:10 PM
What I am asking is if they are connected when you are at the login window?
Well, at the same time I am using Apple Remote Desktop on the same machine (using the local account) which has a connection.. so I am presuming that it keeps the connection. The green light is in :P "network accounts available"

It should not matter, I have a MacBook working over wireless and WGM has the en0 MAC. I have also had an Air working, in this case it was using the AirPort MAC address.
Right, OK, thanks for clarifying that, I presumed that but wasn't sure :(

Try this:

1. Unbind the iMac.
2. Remove the WGM computer record.
3. In Server Admin, enable and require authenticated binding (also known as trusted binding, I will leave it up to you to figure this out)
4. Bind the iMac again.

The record will be created automatically, let the trusted bind do the work.

Will do this soon, just going shopping :( Sorry to bother you yet again, I'm sure I will figure it out. Thank you so so much!

DoFoT9
May 8, 2010, 01:56 AM
Gonna die soon. Correctly have everything working - have enabled "require auth binding" like was instructed, then re-added the machine - everything went OK. And it's still having a spastic lol.

I will figure it out. So determined now! haha

Got the MBP working on wireless now!

Now to get this blasted iMac :(

calderone
May 8, 2010, 01:49 PM
Check the logs, that is the best way to figure out what is happening.

When you said you "added" the machine do you mean you bound the machine to the server?

And have you checked that the iMac is able to find your server via DNS lookup?

DoFoT9
May 9, 2010, 01:32 AM
Check the logs, that is the best way to figure out what is happening.

When you said you "added" the machine do you mean you bound the machine to the server?

And have you checked that the iMac is able to find your server via DNS lookup?

Got it all sorted! The iMac wanted some time to "refresh" with the DNS I think.. seems to be working great now :D

Thank you so much calderone for your patience

calderone
May 9, 2010, 01:38 AM
In the future do this:

dscacheutil -flushcache

To flush the DNS cache on the machine.

DoFoT9
May 9, 2010, 01:39 AM
In the future do this:

dscacheutil -flushcache

To flush the DNS cache on the machine.

Guess I should have asked eh? :P

Cheers