
Question regarding Directory Bound Mac authentication and AD Forests


  • Valued Contributor
  • 114 replies

Hello, here is our scenario and I'm wondering if anyone else has run across this/might have an answer.
Our machines are managed by JAMF and are bound to AD.
Our AD Environment Looks something like this:
Forest 1 > AD bind for the machines live in "Domain A" in this Forest
We also have another Forest, (Forest 2 for the sake of argument) which includes several other domains, that we will call Domain D and Domain E etc.

Here is my question: if a user has an account in one of the domains in Forest 2 (Domain D or Domain E), is there any way possible for that user to authenticate to a DC in that domain (Domain D or Domain E) to change a password?

Thanks for any insight!

3 replies

  • Contributor
  • 62 replies
  • November 3, 2017

I had to open an Apple Enterprise Support ticket due to issues we were having in our environment with forested domains and certificate servers not being able to talk to each other through configuration profiles. Basically, trying to get systems on one domain in the same forest to get certificates from a certificate server on another domain.

This was my response from Apple

"At this moment in time the AD client module in macOS does not support Discontiguous Namespaces as is the case with oneofourdomains.com and andanotherdomain.global"

If anyone is aware of something I am missing to get this working let me know


  • Author
  • Valued Contributor
  • 114 replies
  • November 3, 2017

Thanks for the response @sbirdsley. As another interesting, maybe unrelated, tidbit, I am seeing issues with accounts with the same username in multiple domains (same forest).
Example: machine is bound to Domain A.
Account that exists in both Domain A and Domain B logs into machine
Immediately presented with a "Keychain cannot be found to store xxxxxxx Auth token."
If I login with the password to the same user id in Domain B - it logs in and authenticates with no keychain errors.

Any ideas? Related to what you were seeing in your environment, @sbirdsley?


  • Valued Contributor
  • 291 replies
  • November 3, 2017

@brianmcbride99

Many of our users have accounts in multiple domains in the forest. We have run into issues with namespace collisions. I rejigger the directory search to isolate the mac to only search the domain it is bound to (not the whole forest).

If you look at the man page for dsconfigad you'll see an option for -namespace "forest | domain". Setting this to forest will prefix all accounts with DOMAIN\user. Unfortunately we had some issues with some applications not appreciating the backslash in a file path, so we use domain and configure so the desired domain is the only one in the search path.

#!/bin/sh
# Remove the forest-wide node so lookups no longer span every domain in the forest
dscl /Search -delete / CSPSearchPath "/Active Directory/domainb/All Domains"
# Add only the domain the Mac is bound to back into the search path
dscl /Search -append / CSPSearchPath "/Active Directory/domainb/domainb.domaina.edu"
# Restart opendirectoryd so the new search path takes effect
killall opendirectoryd

exit 0
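As an added example (not the poster's script), the same search-path change written as an audit-then-fix step so it can be run repeatedly from a policy: it reads the current CSPSearchPath, reports whether the forest-wide "All Domains" node is still present, and only emits the dscl edits that are actually needed. The domainb / domainb.domaina.edu node names are placeholders assumed from the post above.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a bound Mac's Open Directory
# search path before applying the domain-only fix, so the dscl edits run only
# when the forest-wide node is still present or the domain node is missing.
# AD_NODE / AD_DOMAIN are placeholders standing in for the poster's values.
AD_NODE="${AD_NODE:-domainb}"
AD_DOMAIN="${AD_DOMAIN:-domainb.domaina.edu}"
FOREST_NODE="/Active Directory/$AD_NODE/All Domains"
DOMAIN_NODE="/Active Directory/$AD_NODE/$AD_DOMAIN"

# Reads the output of `dscl /Search -read / CSPSearchPath` on stdin and
# prints one word:
#   forest  - the whole-forest "All Domains" node is in the search path
#   ok      - only the domain-specific node is present
#   missing - neither node is present (not bound, or path already cleared)
audit_search_path() {
    path=$(cat)
    case "$path" in
        *"$FOREST_NODE"*) echo forest ;;
        *"$DOMAIN_NODE"*) echo ok ;;
        *)                echo missing ;;
    esac
}

# Reads the same dscl output on stdin and prints the dscl commands needed to
# reach the "ok" state; prints nothing when the path is already correct, so
# the domain node is never appended twice.
plan_fix() {
    path=$(cat)
    case "$path" in *"$FOREST_NODE"*)
        echo "dscl /Search -delete / CSPSearchPath \"$FOREST_NODE\"" ;;
    esac
    case "$path" in *"$DOMAIN_NODE"*) ;; *)
        echo "dscl /Search -append / CSPSearchPath \"$DOMAIN_NODE\"" ;;
    esac
}

# Only acts on a Mac where dscl exists (e.g. when run from a Jamf policy).
if command -v dscl >/dev/null 2>&1; then
    current=$(dscl /Search -read / CSPSearchPath)
    echo "search path state: $(printf '%s\n' "$current" | audit_search_path)"
    printf '%s\n' "$current" | plan_fix | while read -r cmd; do
        echo "running: $cmd"
        eval "$cmd"
    done
    # Restart opendirectoryd only if something was changed
    [ -z "$(printf '%s\n' "$current" | plan_fix)" ] || killall opendirectoryd
fi
```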
