AD Binding issues

KPS
New Contributor

Hello all,
Just had Casper installed at our school for our 1-to-1 project. We have Airs running 10.7.2 (installed the Air fix yesterday X< ).

The binding to AD after some massaging seems to be going ok on a couple of computers but I've had a few issues:

Sometimes the AD will just not bind, it will say completed but it won't have bound.

Admin creds aren't being given to anyone that logs on (from AD), even if told to allow the groups, e.g. Students, Domain Admins etc.

Also home folders won't work, as in the SMB path on the OS X side won't complete the path, e.g. the full path for a home folder is \\server\students\year6\child1, but the SMB only goes to \\server\students\year6. Is there any way to fix this?

Sorry about all the stupid questions; I'm just trying to wrap my head around all this fast (as school goes back next week, and, well, everything got dumped in my lap yesterday). Also I'm sorry if I use any 'Windows-isms' as I'm more used to Windows.

A massive thanks in advance.

Cheers,
Nick

3 REPLIES

jarednichols
Honored Contributor

Without knowing anything about your AD environment, a couple questions/points:

  1. Does the account you're joining machines to the domain with have create-on-join privs or do you need to pre-populate the computer objects in the domain?

  2. /var/log/opendirectoryd.log may clue you in to some of the issues you're having

  3. Try preferring a particular domain server (AD plugin -> Administrative tab)

  4. Try unchecking "Allow authentication from any domain in the forest" and ensuring that your search paths in the Search Policy area for authentication are "/Active Directory/your.domain" as opposed to "/Active Directory/All Domains". Lion can be stupid/tricky about that. Also ensure you have your domain listed only once. I've seen times where you try and re-bind and it doesn't remove prior attempts, and you may have it listed like 15 times. Stupid.

  5. For troubleshooting, try unchecking "Use UNC path from Active Directory to derive network home locations". If you can get things working up until you do the home folders, you're in good shape. That's a whole ball of wax that can drive you up a wall. May as well not worry about it just yet until you get binding and authentication reliable.

j
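An added check for points 2 and 4 above (example code written for this thread, not Jamf's or Apple's): it confirms the bind actually took and audits the search policy for a missing domain entry, duplicates left by re-binds, and the "All Domains" entry. It assumes the output formats of dsconfigad -show and dscl /Search -read / CSPSearchPath on 10.7, and "your.domain" is a placeholder.

```shell
# Added example (not from this thread or Jamf): audit an OS X 10.7 AD bind.
# Assumes Lion's `dsconfigad -show` and `dscl /Search -read / CSPSearchPath`
# output formats; "your.domain" is a placeholder for your own domain.

# audit_search_path EXPECTED_DOMAIN DSCL_OUTPUT
# Flags: no AD node at all (bind did not take), the domain missing, the domain
# listed more than once (stale re-bind entries), or an "All Domains" entry.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_search_path() {
    local expected="$1" text="$2" rc=0 nodes hits
    # Keep only the "/Active Directory/..." entries, stripping dscl's indent.
    nodes=$(printf '%s\n' "$text" | sed -n 's|^[[:space:]]*\(/Active Directory/.*\)$|\1|p')
    if [ -z "$nodes" ]; then
        echo "FAIL: no /Active Directory node in the search path; the bind did not take"
        return 1
    fi
    if printf '%s\n' "$nodes" | grep -q '/All Domains$'; then
        echo "WARN: '/All Domains' is in the search path; use /Active Directory/$expected"
        rc=1
    fi
    hits=$(printf '%s\n' "$nodes" | grep -Fxc "/Active Directory/$expected") || true
    if [ "$hits" -eq 0 ]; then
        echo "FAIL: /Active Directory/$expected is not in the search path"; rc=1
    elif [ "$hits" -gt 1 ]; then
        echo "FAIL: /Active Directory/$expected listed $hits times (stale bind entries)"; rc=1
    fi
    return $rc
}

# check_bind EXPECTED_DOMAIN: live check on a Mac (needs dsconfigad and dscl).
check_bind() {
    if ! dsconfigad -show | grep -q 'Active Directory Domain'; then
        echo "FAIL: dsconfigad reports this Mac is not bound"; return 1
    fi
    audit_search_path "$1" "$(dscl /Search -read / CSPSearchPath)"
}

# Constructed sample: a search path left behind by repeated re-binds.
SAMPLE_BAD='CSPSearchPath:
 /Local/Default
 /Active Directory/your.domain
 /Active Directory/your.domain
 /Active Directory/All Domains'
SAMPLE_GOOD='CSPSearchPath:
 /Local/Default
 /Active Directory/your.domain'

# Usage: sh adcheck.sh your.domain (live); with no argument, audit the sample.
if [ "$#" -gt 0 ]; then check_bind "$1"; else audit_search_path your.domain "$SAMPLE_BAD" || true; fi
```

Run it once after a bind completes and again after any re-bind; a non-zero exit means the search path needs cleaning before you chase home-folder problems.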

catfeetstop
Contributor II

I had similar issues. I had to create an AD binding policy in Casper, then use "jamf policy -trigger AD_Policy" in my first-boot script that runs after imaging.

Lion has issues mounting home folders like yours. I had to create an AppleScript app that mounts the drives at login instead of using the AD plugin. The mount_smbfs command works for network shares like yours.

See the following articles:

http://support.apple.com/kb/HT4829

http://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

rmanly
Contributor III

I have found that to get certain groups to be admins on all machines via AD group (domain admins, enterprise admins, IT staff, etc.), several things are required.

  1. Extend the AD schema to include some limited *NIXy stuff. This is done simply by adding the “Identity Management for UNIX” role service:

http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/

  2. In the Bind Settings, check the "allow administration by" checkbox and input the appropriate groups.

  3. Populate the gidNumber attribute in AD for the groups. Do it for all groups or just the admin groups, but note that there are ACL issues with AD groups on Mac OS file servers if you don't.

  4. Enable mapping the gidNumber attribute in the Bind Settings.