Solved

Strange AD Binding Behavior - Users with Accounts in multiple child domains.



I'm seeing a very strange behavior with our 10.10 client images when using AD login bindings and I believe it's based on our domain structure.

We currently have a top level domain SchoolName.univ. There are four child domains (resource, labs, students, employees).

My employee clients are being bound to resource.SchoolName.univ. In my directory binding configuration the workstations are being placed into the correct OU. Under Administrative I have "Prefer this domain server" set to employees.SchoolName.univ and "Allow authentication from any domain in the forest" checked.

My issue is that we have many employees who also have accounts in the student domain. These accounts have exactly the same user ID and password (controlled by an external IDM system). When they log in to the workstation for the first time the experience is completely different than that of a normal employee:
  • There are several apps that have a question mark over them.
  • There are constant authentication windows asking to repair the library.
  • They do not see the first login prompt to sign in to iCloud.

Once they log out, and back in all of the above items clear up, but my Config Profile to map two smb shares at login will fail with a no permissions error.

Anyone have a similar issue or can point me in the right direction?

Thanks!

Best answer by Kaltsas

3 replies

  • Valued Contributor
  • 291 replies
  • Answer
  • May 28, 2015

All our users have usernames in multiple domains. I use the following script to jigger the directory search policy so client machines authenticate correctly. You

#!/bin/sh
# drop the forest-wide node, add the single child-domain node, restart the directory daemon
dscl /Search -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains"
dscl /Search -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.tld.edu"
killall opendirectoryd

I once tried setting dsconfigad -namespace forest but some applications choked on the user directory having a in it when trying to save/access documents.
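An added example, not Kaltsas's script and not anything shipped by Jamf or Apple: the same search-path change written so it is idempotent and reviewable. It parses what `dscl /Search -read / CSPSearchPath` currently reports, drops the forest-wide "All Domains" node, appends the explicit child-domain node, and prints the dscl commands it would run before running them. DOMAIN and DOMAIN.tld.edu are the thread's placeholders; the multi-valued dscl output layout (one node per line after a `CSPSearchPath:` header) is an assumption, and the sample output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Rewrites the OpenDirectory custom
# search policy so a client resolves logins against ONE explicit AD child-domain node
# instead of the forest-wide "All Domains" node. The decision logic is pure shell so
# it can be exercised off-box; only apply_search_path touches dscl.
#
# Assumptions (placeholders, not real names): the forest node is
# "/Active Directory/$AD_FOREST" and the preferred child domain is
# "/Active Directory/$AD_FOREST/$AD_DOMAIN_NODE".
AD_FOREST="${AD_FOREST:-DOMAIN}"
AD_DOMAIN_NODE="${AD_DOMAIN_NODE:-DOMAIN.tld.edu}"

# parse_search_path RAW: take the raw text of `dscl /Search -read / CSPSearchPath`,
# assumed (constructed sample) to look like
#   CSPSearchPath:
#    /Local/Default
#    /Active Directory/DOMAIN/All Domains
# and print one node path per line, header and leading blanks removed.
parse_search_path() {
  printf '%s\n' "$1" | sed -n 's/^[^/]*\(\/.*\)$/\1/p'
}

# desired_search_path CURRENT FOREST NODE: print the target list, i.e. the current
# nodes in order with "All Domains" removed and the child-domain node once, at the end.
desired_search_path() {
  current="$1"; forest="$2"; node="$3"
  all="/Active Directory/$forest/All Domains"
  want="/Active Directory/$forest/$node"
  printf '%s\n' "$current" | awk -v all="$all" -v want="$want" \
    '$0 != "" && $0 != all && $0 != want'
  printf '%s\n' "$want"
}

# plan_dscl_commands CURRENT FOREST NODE: print only the dscl invocations needed to
# get from CURRENT to the desired list (empty output means nothing to do).
plan_dscl_commands() {
  current="$1"; forest="$2"; node="$3"
  all="/Active Directory/$forest/All Domains"
  want="/Active Directory/$forest/$node"
  if printf '%s\n' "$current" | grep -q -x -F "$all"; then
    printf 'dscl /Search -delete / CSPSearchPath "%s"\n' "$all"
  fi
  if ! printf '%s\n' "$current" | grep -q -x -F "$want"; then
    printf 'dscl /Search -append / CSPSearchPath "%s"\n' "$want"
  fi
}

# apply_search_path: run as root on the Mac itself. Reads the live policy, shows and
# runs only the needed changes, then restarts opendirectoryd so they take effect.
apply_search_path() {
  raw=$(dscl /Search -read / CSPSearchPath) || return 1
  current=$(parse_search_path "$raw")
  plan=$(plan_dscl_commands "$current" "$AD_FOREST" "$AD_DOMAIN_NODE")
  if [ -z "$plan" ]; then
    echo "search path already lists only $AD_DOMAIN_NODE; nothing to do"
    return 0
  fi
  printf '%s\n' "$plan" | sh -x || return 1
  killall opendirectoryd
}

# Nothing is changed unless the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
  apply_search_path
fi
```

Run it with `--apply` (as root) on the client; without that flag nothing touches the directory, so the plan output can be reviewed first. The security point is the one the thread is circling: with duplicate usernames across child domains, the search order decides which account a login resolves to, and a single explicit node makes that choice deterministic instead of whichever domain answers first.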


  • Author
  • New Contributor
  • 1 reply
  • May 29, 2015

This worked perfectly!

Thank you!


  • Valued Contributor
  • 114 replies
  • October 29, 2017

I'm seeing something similar, in that I've forced AD binding to domain1; however, when logging into a machine in domain1 with user credentials that are found in both domain1 and domain2 (which is part of the same forest), it is logging into the account from domain2 and not domain1, even though I have "Prefer this domain server" set to a DC in domain1.

I'm wondering if the script referenced above will resolve this and if so when/where are you setting this script to run? (During deployment? After the directory binding? or?)

Thanks, sorry for digging up an old thread.

