Apple Xserve and Active Directory

compaqman

Member
UPDATE:

I have finally fixed the issue.

SOLUTION:

I formatted and installed OSX 10.6.8, and everything worked the first time.


In my own opinion and experience, OSX 10.5.x is really just an awful excuse for an operating system.
Okay, so first off, this has worked in the past. I'm having trouble getting it to work again, as my boss wants to utilize it.


--We have:

Apple Xserve running OSX 10.5.8

Dell R520 running Server 2008 R2
with Active Directory and its dependencies


--What we want to do: (and have done before)

We want to connect the Xserve to our Active Directory server and let the Xserve inherit Users and Groups from Active Directory.

We want to make the Xserve a file server, and apply permissions for those users and groups inherited from Active Directory.


--What's Really Happening:

When we browse to the Xserve using the hostname in windows explorer, it asks the user for credentials.
None of the user credentials are working.

Although I can apply user permissions on the Xserve, and see all of the users and groups in Active Directory when I'm modifying the ACL.

--What We Expect:

We want Single Sign On to work through Kerberos. It doesn't seem like it's doing it.
And like I have said multiple times, this worked during the period 2008 - 2012,
and then we replaced it with the Dell. Now we want to expand our storage to the Xserve and allow SSO to work.

Thanks in Advance!
- Jon
 
For one, I highly recommend you upgrade to 10.6.8; it's much more robust than 10.5.

We had the same setup working without a problem here using 10.6.8 Xserves and a WS 2008 R2 domain. Are your clients bound to the domain, or are they using a local account? What do your POSIX permissions look like on the share points? Have you propagated the ACLs and POSIX permissions? Have you enabled Kerberos via the command line? (sudo dsconfigad -enableSSO)

You are doing things correctly on the server as far as I can tell, all you need to do is set the AD user/group as an ACL, but if you could answer the above questions that would help troubleshoot further.
 
Yes, the clients are bound and authenticated to the Domain.

ACL
[ME] - Allow - Full Control - This Folder, Child Files, Child Folders, All Descendants
Everyone - Allow - Read Only - This Folder, Child Files, Child Folders, All Descendants

POSIX
Administrator - Allow - Read & Write - This folder
Admin - Allow - Read & Write - This folder
Others - Allow - Read & Write - This folder

I have propagated the permissions.

I have used the command in the terminal, and I now see the option to use Kerberos, but it doesn't seem to work. I have rebooted and still nothing.

When we visit the hostname of the Xserve in windows, it reports back
"[\\HOSTNAME] is currently unavailable"

I think that I'll plan a reformat. I'd like to add another 1TB drive to it.

Is there a way to reconfigure the RAID array without booting into OSX?
 
So you can't even connect to the Xserve now from a Windows computer, correct? I know this is a stupid question, but you do have SMB enabled right?

When you go to Server Admin > SMB > Settings, you see your server listed as a domain member and the domain is correct, right? The realm should also be your domain. Also under settings, check to make sure you have NTLM and NTLMv2 & Kerberos checked under authentication, and that the maximum number of clients is more than a few.
 
Okay, so right after I replied to you, I went to lunch.

I came back and the Windows Clients CAN see the Xserve now.

If I use the local [root] account and password to logon to the Xserve from a Windows client I can see the shared folders.

But it still doesn't work with AD accounts. I've even tried a UPN user, and nothing. (I wasn't surprised, because we don't use UPN names.)

I have everything configured in SMB as you have described, even the connection to unlimited.

All of the computer clocks are within seconds of each other, so Kerberos-time difference is not an issue.


When it worked a few years back, I was able to use the "Workgroup Manager" and see all of the objects on the domain controller. Now it asks me to connect, and it can never find the domain controller through the "Workgroup Manager".
 
That's strange; since you can see AD users and groups when adding ACLs, I don't know why they aren't showing up in WGM. The only thing I can think of is that you are browsing the wrong directory: the first directory is local, so you need to manually specify it to look at AD.

On your Xserve, open Terminal and type in dscl. Browse through AD and make sure you are connected by using the cd command.

Do you have any Mac clients you can test this with, or only Windows clients?
 
I am having some trouble with the dscl command.

Do you have an example command I can use? or maybe a screenshot?

We only have Windows Clients. The guy who installed the Xserve thought it would be great to have some "diversity" in the network...

I am checking the SMB logs, and I'm getting a lot of [eDSAuthFailed],
as well as this one: "NT_STATUS_NO_SUCH_USER".

I really do appreciate the time you have spent helping me so far.
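An added example, not from this thread: the Terminal checks asked for above (dsconfigad/dscl to confirm the bind and resolve a user, klist for the Kerberos side), plus a small triage of the two SMB log errors quoted in the same post. The live checks only run where those tools exist; jdoe is a placeholder account and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not the thread's own commands). Part one runs the Xserve-side
# checks for AD binding, user lookup and Kerberos state; part two counts the two
# SMB log errors from the post and turns them into a first diagnosis.
# "jdoe" is a placeholder AD account; the sample log lines are constructed.

USER_TO_CHECK="${1:-jdoe}"      # placeholder AD account to resolve

live_checks() {
  dsconfigad -show                                       # bound domain, computer account, SSO/UID options
  dscl localhost -list "/Active Directory"               # AD node(s) Directory Services exposes
  dscl /Search -read "/Users/$USER_TO_CHECK" RecordName UniqueID  # resolves only if the AD node is reachable
  sudo klist -k                                          # host keytab entries the SMB service needs for Kerberos
  dscl /Search -authonly "$USER_TO_CHECK"                # prompts for the password; tests auth without SMB
}

# Count the two failure strings from the Xserve SMB log; prints "<authfail> <nosuchuser>".
triage_smb_log() {
  authfail=0; nosuchuser=0
  while IFS= read -r line; do
    case "$line" in
      *eDSAuthFailed*)          authfail=$((authfail + 1)) ;;
      *NT_STATUS_NO_SUCH_USER*) nosuchuser=$((nosuchuser + 1)) ;;
    esac
  done
  printf '%d %d\n' "$authfail" "$nosuchuser"
}

# Heuristic: NO_SUCH_USER suggests the name never resolved through Directory
# Services (bind/node problem); eDSAuthFailed alone suggests the user resolved
# but the credential check failed (Kerberos/NTLM path).
diagnose() {
  if [ "$2" -gt 0 ]; then echo lookup
  elif [ "$1" -gt 0 ]; then echo credential
  else echo ok; fi
}

# Constructed sample log lines (not real Xserve output) to drive the triage.
SAMPLE_LOG='smbd: user jdoe auth failed [eDSAuthFailed]
smbd: user jdoe auth failed [eDSAuthFailed]
smbd: lookup of EXAMPLE\bsmith returned NT_STATUS_NO_SUCH_USER'

set -- $(printf '%s\n' "$SAMPLE_LOG" | triage_smb_log)
echo "eDSAuthFailed=$1 NT_STATUS_NO_SUCH_USER=$2 -> $(diagnose "$1" "$2")"
if command -v dsconfigad >/dev/null 2>&1; then live_checks; fi
```

Run it on the Xserve as `sh check_ad.sh jdoe`; if the `dscl /Search -read` line comes back empty or errors, the bind itself is the problem rather than the share permissions.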
 
So I've unbound the Xserve, and now when I am trying to bind it back, I receive the following error in the Directory Utility:

Unable to add the domain
An unexpected error of type -14120
(eDSPermissionError) occurred
 
UPDATE:

I have finally fixed the issue.

SOLUTION:

I formatted and installed OSX 10.6.8, and everything worked the first time.


In my own opinion and experience, OSX 10.5.x is really just an awful excuse for an operating system.
 
I completely agree, that was my first suggestion as well ;)

 
Yes, thank you for the recommendation! 10.6.8 has so much more to offer, and things seem to be organized better as well!
Just don't go to 10.7. Once you get to Lion or newer, Apple starts stripping out more and more features from their server solution.
 