Posted on 11-03-2017 10:19 AM
Hello, here is our scenario and I'm wondering if anyone else has run across this/might have an answer.
Our machines are managed by JAMF and are bound to AD.
Our AD Environment Looks something like this:
Forest 1 > the AD bind for the machines lives in "Domain A" in this Forest.
We also have another Forest (Forest 2, for the sake of argument), which includes several other domains that we will call Domain D, Domain E, etc.
Here is my question: if a user has an account in one of the domains in Forest 2 (Domain D or Domain E), is there any way possible for that user to authenticate to a DC in that domain (Domain D or Domain E) to change a password?
Thanks for any insight!
Posted on 11-03-2017 10:50 AM
I had to open an Apple Enterprise Support ticket due to issues we were having in our environment with forested domains and certificate servers not being able to talk to each other through configuration profiles. Basically, trying to get systems on one domain in the same forest to get certificates from a certificate server on another domain.
This was my response from Apple:
"At this moment in time the AD client module in macOS does not support Discontiguous Namespaces as is the case with oneofourdomains.com and andanotherdomain.global"
If anyone is aware of something I am missing to get this working, let me know.
Posted on 11-03-2017 01:10 PM
Thanks for the response @sbirdsley. As another interesting, maybe unrelated, tidbit: I am seeing issues with accounts with the same username in multiple domains (same forest).
Example: machine is bound to Domain A.
An account that exists in both Domain A and Domain B logs into the machine.
Immediately presented with a "Keychain cannot be found to store xxxxxxx Auth token."
If I log in with the password for the same user ID in Domain B, it logs in and authenticates with no keychain errors.
Any ideas? Related to what you were seeing in your environment @sbirdsley ?
Posted on 11-03-2017 02:01 PM
Many of our users have accounts in multiple domains in the forest. We have run into issues with namespace collisions. I rejigger the directory search to isolate the Mac to only search the domain it is bound to (not the whole forest).
If you look at the man page for dsconfigad you'll see an option for -namespace <forest | domain>. Setting this to forest will prefix all accounts with DOMAIN\user. Unfortunately we had some issues with some applications not appreciating the \ in a file path, so we use domain and configure it so the desired domain is the only one in the search path.
#!/bin/sh
# Drop the forest-wide node so accounts from other domains are not searched.
dscl /Search -delete / CSPSearchPath "/Active Directory/domainb/All Domains"
# Search only the domain node this Mac is bound to.
dscl /Search -append / CSPSearchPath "/Active Directory/domainb/domainb.domaina.edu"
# Restart opendirectoryd so the new search policy takes effect.
killall opendirectoryd
exit 0
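To verify that the change above actually landed on a Mac (for example from a Jamf extension attribute), here is an added audit script that is not part of the post above. It takes the text of `dscl /Search -read / CSPSearchPath` and `dsconfigad -show` as arguments so it can be exercised offline against constructed samples; the domain node name is the placeholder from the post.

```sh
#!/bin/sh
# Report whether the directory search policy is scoped to the bound AD domain
# node rather than the forest-wide "All Domains" node that causes same-username
# collisions. Returns 0 when scoped, 1 otherwise.
#   $1 = output of: dscl /Search -read / CSPSearchPath
#   $2 = output of: dsconfigad -show
#   $3 = the bound domain node that should be the only AD entry
audit_search_policy() {
    search_path="$1"
    adconf="$2"
    bound_node="$3"

    # Pull the namespace mode ("forest" or "domain") out of dsconfigad -show.
    ns=$(printf '%s\n' "$adconf" | sed -n 's/^[[:space:]]*Namespace mode[[:space:]]*=[[:space:]]*//p')
    [ -n "$ns" ] || ns="unknown"

    # dscl prints each CSPSearchPath value on its own line, indented by one space.
    if printf '%s\n' "$search_path" | grep -q '/All Domains$'; then
        echo "NOT SCOPED: forest-wide All Domains node still searched (namespace mode: $ns)"
        return 1
    fi
    if ! printf '%s\n' "$search_path" | grep -qF -- "$bound_node"; then
        echo "NOT SCOPED: bound node $bound_node missing from search path (namespace mode: $ns)"
        return 1
    fi
    echo "SCOPED: only $bound_node is searched (namespace mode: $ns)"
    return 0
}

# Constructed samples (not captured from a real Mac) of the two commands'
# output before and after the fix in the post.
BOUND_NODE="/Active Directory/domainb/domainb.domaina.edu"
SEARCH_BEFORE='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/domainb/All Domains'
SEARCH_AFTER='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/domainb/domainb.domaina.edu'
ADCONF_DOMAIN='Advanced Options - Administrative
  Authentication from any domain = Enabled
  Namespace mode                 = domain'

# On a bound Mac, run against the live policy instead:
#   audit_search_policy "$(dscl /Search -read / CSPSearchPath)" "$(dsconfigad -show)" "$BOUND_NODE"
```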