New to supporting mac... best AD alternative?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Spyrule, Apr 12, 2017.

  1. Spyrule macrumors newbie

    Spyrule

    Joined:
    Apr 12, 2017
    Location:
    Ottawa, Canada
    #1
    Hello guys,

    Long time AD admin, that is now in charge of a small business with 8 Macs, most running El Capitan.

    We don't have a huge infrastructure: NAS (Synology), LB4M Gig Switch, Firewall, ESXi 5.5. <~~ currently the ONLY VM running on here is our current Windows 2008 AD Server. I have some plans to move AD to a physical box, if it's worth keeping AD.

    I'm totally comfortable with the Windows AD environment however, I seem to be having issues with maintaining support within OSX.

    We don't explicitly NEED Windows AD, but I thought this would be the best method to maintain access permissions between each OSX user and our NAS's folder structure. Turns out, it's not quite working the way I envisioned.

    So, I'm picking brains here on what might be a less risky, or a best practices way of maintaining access for OSX machines.

    Some of the problems that I've repeatedly had:
    - Users suddenly losing read/write access to their own desktop, documents, applications randomly.
    - Some macs completely lose internet access until a reboot is performed.
    - Sudden loss of permissions to print to a networked printer (Xerox)

    If there is a better way, or if there is an easy way to get away from AD, or a best practices for AD > OSX connectivity, I'm all ears. I like suggestions.

    Thanks in advance,

    Spyrule
     
  2. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #2
    When we had a server 2008s2 in our office we had to put in a Time Server in the Server and then point the Time Settings to the server IP in the OS X machines! That fixed our problem right away with Mac OS X 9.5.x machines staying on while sleeping then waking up staying connected to the Domain, so YMMV!
     
  3. Spyrule thread starter macrumors newbie

    Spyrule

    Joined:
    Apr 12, 2017
    Location:
    Ottawa, Canada
  4. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #4
    If this was a network time issue, logins would fail; you wouldn't see permissions issues.
    If your users are using the same computer all the time, trying to make network homes or portable home directories work is probably not worth the trouble. If you're using the latter, that functionality is dead in Sierra so you'll need to make the change away from those sooner than later.
    AD is perfectly appropriate for managing accounts on the server and permissions for files there as well.
    This is a bit dated but may still be helpful for you: http://training.apple.com/pdf/Best_Practices_for_Integrating_OS_X_with_Active_Directory.pdf

    The inability to access the internet or a network printer sounds like you have network issues that have nothing to do with AD. DNS issues, perhaps? If your domain is a .local domain, you have a mess on your hands.
     
  5. Spyrule thread starter macrumors newbie

    Spyrule

    Joined:
    Apr 12, 2017
    Location:
    Ottawa, Canada
    #5
    Luckily, no, my domain is a .net domain, so I've avoided that whole mess. I don't suspect it was a time sync issue, as yes, as you mention, I'd be having a lot of other problems. I'm trying to troubleshoot the machine that keeps dropping its internet as a localized problem; however, the desktop permissions issues have occurred now on 3 separate machines over several months, so I'm a bit stumped. I'm not even sure where to start looking for the cause of that. I'm tempted to write a cron job that runs every hour that checks and resets the permissions... but that's sort of a fishing with a battleship approach.

    I'll read through that article and see if I can glean any useful tidbits.

    Thanks in advance
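    An added example, not code from the thread or from any of its participants, of the less blunt version of the hourly cron idea above: an audit that reports which home folders (and which top-level items inside them, such as Desktop or Documents) are no longer owned by the expected account, rather than resetting permissions blindly. It assumes macOS-style local homes under /Users and that the folder name matches the account name; both are assumptions, and HOME_ROOT can be overridden. It is POSIX sh and uses numeric UIDs via ls -n, so it behaves the same on macOS and Linux.

```shell
#!/bin/sh
# Added example (not from the thread): audit local home folders for ownership
# drift instead of resetting permissions from cron.
# Assumptions: homes live under HOME_ROOT (default /Users, as on macOS) and the
# expected owner of HOME_ROOT/<name> is the local or directory account <name>.

HOME_ROOT="${HOME_ROOT:-/Users}"

# owner_uid PATH -> prints the numeric owner UID of PATH (ls -n is portable
# between macOS and Linux, and avoids name-lookup failures for stale accounts).
owner_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{print $3}'
}

# check_home DIR EXPECTED_UID -> 0 if DIR and its top-level entries are all
# owned by EXPECTED_UID, 1 otherwise. Mismatches are printed on stderr so the
# admin sees exactly which folder changed, which is the clue for root-causing.
check_home() {
    dir=$1
    expected=$2
    status=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        actual=$(owner_uid "$p")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $p owner_uid=$actual expected_uid=$expected" >&2
            status=1
        fi
    done
    return $status
}

# audit_homes -> walks HOME_ROOT, resolves each folder name to a UID with id(1)
# (AD/mobile accounts resolve through the directory service just like local
# ones) and prints the number of homes with at least one problem. A folder
# whose name does not resolve to any account is counted too, since an orphaned
# home is itself worth a look. Always exits 0; the count is the result.
audit_homes() {
    bad=0
    for h in "$HOME_ROOT"/*; do
        [ -d "$h" ] || continue
        name=$(basename "$h")
        case "$name" in Shared|Guest) continue ;; esac
        if uid=$(id -u "$name" 2>/dev/null); then
            check_home "$h" "$uid" || bad=$((bad + 1))
        else
            echo "NO-ACCOUNT $h (no account named '$name')" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
    return 0
}

# Run as: sudo sh audit_homes.sh ; a non-zero count means something to inspect.
if [ "${1:-}" = "--run" ]; then
    echo "homes with ownership problems: $(audit_homes)"
fi
```

Scheduling this hourly and logging the stderr lines gives a timeline of when ownership of a given folder flipped, which is far more useful for finding the cause (an update, a migration tool, a backup agent running as a different user) than silently putting it back each hour.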
     
  6. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #6
    How do you have the home folders set up? Are the users using network homes, where their home folder lives purely on the server?
     
  7. Spyrule thread starter macrumors newbie

    Spyrule

    Joined:
    Apr 12, 2017
    Location:
    Ottawa, Canada
    #7
    No. Since we are pretty small, for now, each user's folder resides on their local workstation. I literally use AD to authenticate logins and validate folder permission access on our NAS, that's pretty much it.
     
  8. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #8
    Ok, that's a pretty standard setup and you shouldn't be having the home folder permissions issues. I use exactly this configuration with a set of about 800 users. Apple's terminology for this is a "mobile account", which may help your research. Apple rolls AD fixes into OS updates pretty regularly and it seems like 10.12.4 is pretty solid on the network. You might want to try an upgrade in a test environment. I don't have time at the moment to offer more in-depth troubleshooting but will check back on the thread later.
     
  9. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #9
    Yes, that is Network Time Protocol! It has to do with time drift and Microsoft Kerberos between older Microsoft to Unix NTP protocol setups! Setting up an active Time server in Server2008s2 would fix the Domain problems Mac OS X had with older Microsoft Servers!
     
  10. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #10
    Again, if time were a problem then logins would be failing. This isn't the fix here.
     
  11. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #11
    It helps when the Mac is sleeping for the evening, then a worker comes back in to log back into his Mac so the domain account will be verified from the 2008s2 server. Like I said before, the NTP server is not activated in Server 2008s2 by default and has to be started! Since the OS X machine is using an open standard looking for a NTP server and then dirt in Kerberos in the 2008s2 server. This way the Mac will stay in Kerberos if the Server 2008s2 server has the NTP server running (hint: it is not on by default and many IT so-called experts miss that fact)!
     
  12. belvdr macrumors 601

    Joined:
    Aug 15, 2005
    #12
    Great but how does this affect file permissions or Internet access?

    Also, why do you call it 2008s2?
     
  13. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #13
    Microsoft Server 2008R2 (my bad calling it s2)!
     
  14. Geeky Chimp macrumors member

    Joined:
    Jun 3, 2015
    #14
    So just to throw a different option in, Apple's macOS Server (was OS X Server) includes Open Directory. Would your NAS authenticate with that as an LDAP server rather than AD? It would also mean you don't need that Windows Server hanging around. Or, does your NAS have an LDAP server package so it could be your authentication server?

    Also, with regard to NTP, I'd point the Windows server to Apple's time server rather than all your clients to your Windows server.
     
  15. Flint Ironstag macrumors 6502

    Flint Ironstag

    Joined:
    Dec 1, 2013
    Location:
    Houston, TX USA
