Posted on 05-28-2015 07:23 AM
I'm seeing a very strange behavior with our 10.10 client images when using AD login bindings and I believe it's based on our domain structure.
We currently have a top level domain SchooName.univ. There are four child domains (resource, labs, students, employees).
My employee clients are being bound to resource.SchoolName.univ. In my directory binding configuration the workstations are being placed into he correct OU. Under Administrative i have "Prefer this domain server" set to employees.SchoolName.univ and "Allow authentication from any domain in the forest" checked.
My issue is that we have many employees who also have accounts in the student domain. These accounts are both exactly the same user ID and password (controlled by an external IDM System). When they login to the workstation for the first time the experience is completely different than that of a normal employee. - There are several apps that have a question mark over them. - There are constant authentication windows asking to repair the library. - They do not see the first login prompt to sign in to iCloud.
Once they log out, and back in all of the above items clear up, but my Config Profile to map two smb shares at login will fail with a no permissions error.
Anyone have a similar issue or can point me in the right direction?
Thanks!
Solved! Go to Solution.
Posted on 05-28-2015 08:33 AM
All our users have usernames in multiple domains. I use the following script to jigger the directory search policy so client machines authenticate correctly. You
#!/bin/sh dscl /Search -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains" dscl /Search -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.tld.edu" killall opendirectoryd
I once tried setting dsconfigad -namespace forest but some applications choked on the user directory having a in it when trying to save/access documents.
Posted on 05-28-2015 08:33 AM
All our users have usernames in multiple domains. I use the following script to jigger the directory search policy so client machines authenticate correctly. You
#!/bin/sh dscl /Search -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains" dscl /Search -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.tld.edu" killall opendirectoryd
I once tried setting dsconfigad -namespace forest but some applications choked on the user directory having a in it when trying to save/access documents.
Posted on 05-29-2015 04:46 AM
This worked perfectly!
Thank you!
Posted on 10-28-2017 07:32 PM
I'm seeing something similar, in that I've forced AD binding to domain1, however when logging into a machine in domain1 with user credentials that are found in both domain1 and domain2(which is part of the same forest) it is logging into the account from domain2 and not domain1, even though I have "Prefer this domain server" set to a DC in domain1.
I'm wondering if the script referenced above will resolve this and if so when/where are you setting this script to run? (During deployment? After the directory binding? or?)
Thanks sorry for digging up an old thread.