creader - Mar 31, 2005 - 3:10 am
Hi
I have an OS X 10.3.8 server connected to a directory access server (Windows 2003). I can see all the users in Workgroup Manager, and can authenticate OK. But when I try to make any changes, i.e. try to create a new user or group, I get
'Got unexpected error Error of type -14140 on line 1127 of PMMUGMainView.mm'
Is this down to permissions? The admin account apparently has the highest privileges on the PC server.
Or is it to do with the schema?
Or am I way off and missing something?
Many thanks
Chris
macjock - Apr 1, 2005 - 12:09 am
Hi,
That sounds like it's an issue with the schema for sure. How have you configured your Directory Access? Are you using the AD plug-in or have you configured LDAP? Either way I suspect that you haven't a) modified the AD schema to support the required OD attributes or b) mapped the attributes correctly.
--------
Cheers
dave
creader - Apr 1, 2005 - 3:16 am
Hi
I am using the AD plug-in, but am also trying to get the Macs connected to the OS X server via LDAP.
I have read there are 3 ways to modify the schema to work with OD:
1. Change the attributes on the Win2003 server
2. Repurpose existing
3. Employ local mappings
I am new to this LDAP stuff; NetInfo was great! My idea is for students to authenticate to the AD Windows server, then be controlled by an OS X Server 10.3.8 (Dock preferences etc.), and I have been told this can work. I know hardly anything about Windoze but have a great senior network engineer here.
Which of the 3 above would you recommend I learn more about and (try!) to implement? And where is a good place to get some good info on this?
Many thanks for your time and help
Chris
macjock - Apr 3, 2005 - 10:05 pm
Hi Chris,
Modifying the schema is a great way of using your existing AD Directory Services; if this was easy then this would be the best way to go, but it's not easy and your Windows Admin guys might not be happy to go with it (most aren't). The trouble is that modifying the schema can take out your entire AD setup if you get it wrong - you'd really want to test the whole procedure out a couple of times before going for a live modification.
Repurposing existing attributes has less impact, but I don't think you'll have enough spare to implement all the changes required for full Workgroup Manager functionality.
Employing local mappings is going to be complicated (and I don't think 100% successful).
But there is another way (and here's a summary of it):
a) Bind your Macs to the AD domain using the built-in Mac OS X AD plugin. Test that you can log in as AD users and access their home folders.
b) Create a Mac OS X Server 10.3.8 Directory Services master machine.
c) Bind the 10.3.8 Server to the AD domain.
d) Using Workgroup Manager, add the users from the AD Directory to groups defined on your OS X Server machine (define a load of workgroups of your own on the OS X Server).
e) Set the Workgroup Manager Preferences on the OD-defined groups.
f) On the clients, create an LDAP configuration pointing to your OS X Server OD Master.
g) Make sure the listing for the nodes in Directory Access (on the clients) has Active Directory before the LDAP config.
Now when you log on as AD-defined users they will also pick up the Preferences defined against the Workgroups the user belongs to.
Open Directory makes this possible by allowing the Mac to search all the defined Directory Nodes one after the other until it gets a resolution for the query.
So this procedure is pretty quick, but if you've not done it before it can take a few goes.
If you aren't sure of any steps let me know and we'll tackle them one at a time.
By the way - it's covered in the Apple Directory Services Course, I think.
I'll see if I can find any on-line resources for this....
Cheers
dave
--------
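The search-policy behaviour Dave describes in steps d) to g) (accounts answered by the Active Directory node, workgroups and managed preferences answered by the Open Directory node, nodes consulted in order until one resolves the query) is easy to misread, so here is a small Python model of it. This is an added illustration, not Apple's code and not anything from the thread; the node names, user and group records and the dock settings are all constructed for the example, and the preference merge is a simplification of what MCX really does. It also shows why step g) matters: if a node earlier in the search order carries a stale copy of an account, that copy answers the login instead of AD.

```python
"""Toy model of the hybrid AD + Open Directory search policy described above.

Added illustration, not Apple's code: two directory nodes are searched in
order, the way Directory Access walks its search policy. Account records come
from the Active Directory node; group membership and managed preferences come
from the Open Directory (LDAPv3) node on the OS X Server. All records below
are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    users: dict                                   # short name -> record
    groups: dict = field(default_factory=dict)    # group name -> record


# Constructed sample data: AD holds the people, OD holds the workgroups.
AD_NODE = Node(
    name="/Active Directory/SCHOOL",              # domain name is an assumption
    users={
        "chris": {"uid": 1001, "home": "/Network/Servers/ad-home/chris"},
        "student1": {"uid": 2001, "home": "/Network/Servers/ad-home/student1"},
    },
)

OD_NODE = Node(
    name="/LDAPv3/odmaster.school.example",       # hostname is an assumption
    users={},   # deliberately empty: no duplicate accounts on the OD master
    groups={
        "students": {"members": ["student1"],
                     "mcx": {"dock": {"autohide": True, "locked": True}}},
        "staff": {"members": ["chris"],
                  "mcx": {"dock": {"autohide": False}}},
    },
)

# Step g) above: Active Directory before the LDAP config in the search policy.
SEARCH_POLICY = [AD_NODE, OD_NODE]


def lookup_user(short_name, search_policy=SEARCH_POLICY):
    """Return (node_name, record) from the first node that answers, else None."""
    for node in search_policy:
        rec = node.users.get(short_name)
        if rec is not None:
            return node.name, rec
    return None


def groups_for(short_name, search_policy=SEARCH_POLICY):
    """Every (node, group) pair, in search order, that lists this user."""
    return [(node.name, gname)
            for node in search_policy
            for gname, grec in node.groups.items()
            if short_name in grec["members"]]


def effective_preferences(short_name, search_policy=SEARCH_POLICY):
    """Merge the MCX settings of the user's groups in search order.

    Later groups override earlier ones key by key; real MCX merging is more
    elaborate, so treat this as a simplification.
    """
    prefs = {}
    for node in search_policy:
        for grec in node.groups.values():
            if short_name in grec["members"]:
                for domain, settings in grec["mcx"].items():
                    prefs.setdefault(domain, {}).update(settings)
    return prefs


def login(short_name, search_policy=SEARCH_POLICY):
    """Simulate a login: resolve the account, then attach groups and prefs."""
    hit = lookup_user(short_name, search_policy)
    if hit is None:
        return None
    node_name, record = hit
    return {
        "authenticated_by": node_name,
        "home": record["home"],
        "groups": [g for _, g in groups_for(short_name, search_policy)],
        "prefs": effective_preferences(short_name, search_policy),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(login("student1"), indent=2))
    # Shadowing: a stale local copy of "student1" on a node listed first wins.
    stale = Node("/LDAPv3/stale", users={"student1": {"uid": 9, "home": "/Users/student1"}})
    print(login("student1", [stale, AD_NODE, OD_NODE])["authenticated_by"])
```

Run it as a script to see student1 authenticated by the AD node but picking up the "students" dock settings from OD, followed by the shadowing case where a stale node placed ahead of AD answers the login instead.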
creader - Apr 4, 2005 - 5:20 am
Hi Dave
Thanks for your assistance on this. I think I understand what you're getting me to do; however, we cannot get the clients to bind to the AD... it works OK on the server, but on a client I keep getting unknown user/password when I go to bind. I have checked with the senior PC guy and he agrees it all looks OK; we have tried and tried to no avail (even after a fresh install). Is this a PC problem? Have you seen this before?
(Not too impressive... I failed on the first point! Apologies!)
Chris
macjock - Apr 4, 2005 - 9:29 pm
Hi Chris,
Can you confirm what you mean by "it works ok on the server" - is this when you bind the OS X server to the domain?
Top tips for AD binding on OS X:
• Use 10.3.8
• Ensure all the clients and servers are within 5 minutes' time of each other. The easiest thing to do is point all machines to a known NTP server (i.e. your AD domain or domain controllers).
• Check forward and reverse DNS lookups for all domain servers. You need to be able to resolve the name (fully qualified) and the IP address. This is less of an issue with 10.3.8 but it is still an indication of potential problems.
Let me know how you get on.
Cheers
dave
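The two checks in Dave's tips (clock skew within 5 minutes, and forward plus reverse DNS agreeing for every domain controller) are worth scripting before each bind attempt, because the AD plug-in authenticates over Kerberos and a Kerberos KDC refuses requests from a client whose clock is outside the domain's tolerance, 5 minutes by default. The Python below is an added example and not from the thread or from Apple; the evaluation logic is kept in pure functions fed with constructed data, while the live_* helpers query a real NTP server and DNS. The hostname dc1.school.example is a placeholder.

```python
"""Pre-bind sanity checks: Kerberos clock skew and forward/reverse DNS.

Added example, not part of the thread. The evaluation functions are pure so
they can be exercised on constructed inputs; live_ntp_time and live_dns_check
talk to the network.
"""
import socket
import struct
import time

MAX_SKEW_SECONDS = 300          # default Kerberos clock skew tolerance
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01


def skew_ok(local_time, server_time, max_skew=MAX_SKEW_SECONDS):
    """True when the two clocks differ by at most max_skew seconds."""
    return abs(local_time - server_time) <= max_skew


def _norm(name):
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def dns_consistent(fqdn, forward_ips, reverse_names):
    """Evaluate a host's forward and reverse records.

    forward_ips:   addresses the fully qualified name resolves to
    reverse_names: address -> PTR name (None when there is no PTR)
    Returns (passed, reason). A pass needs at least one address and a PTR for
    every address that points back to the same fully qualified name.
    """
    if not forward_ips:
        return False, "no A record"
    problems = []
    for ip in forward_ips:
        name = reverse_names.get(ip)
        if name is None:
            problems.append(f"no PTR for {ip}")
        elif _norm(name) != _norm(fqdn):
            problems.append(f"PTR for {ip} is {name}, not {fqdn}")
    if problems:
        return False, "; ".join(problems)
    return True, "ok"


def live_ntp_time(server, timeout=2.0):
    """Ask an NTP server (SNTP client mode, RFC 4330) for its transmit time."""
    packet = b"\x1b" + 47 * b"\0"        # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 123))
        data, _ = s.recvfrom(48)
    transmit_secs = struct.unpack("!I", data[40:44])[0]   # transmit timestamp
    return transmit_secs - NTP_EPOCH_OFFSET


def live_dns_check(fqdn):
    """Resolve forward and reverse records for fqdn, then evaluate them."""
    try:
        forward_ips = sorted({ai[4][0] for ai in
                              socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except socket.gaierror:
        forward_ips = []
    reverse = {}
    for ip in forward_ips:
        try:
            reverse[ip] = socket.gethostbyaddr(ip)[0]
        except socket.herror:
            reverse[ip] = None
    return dns_consistent(fqdn, forward_ips, reverse)


if __name__ == "__main__":
    import sys
    # Placeholder domain controller name; pass the real one as an argument.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.school.example"
    print("DNS:", live_dns_check(dc))
    try:
        print("clock skew ok:", skew_ok(time.time(), live_ntp_time(dc)))
    except OSError as exc:
        print("NTP query failed:", exc)
```

Pointing the script at each domain controller from a client that fails to bind separates the "client is misconfigured" case from the "DNS or time is wrong for everyone" case, which is the distinction the thread is trying to make.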
creader - Apr 6, 2005 - 5:47 am
Hi Dave
"Can you confirm what you mean by "it works ok on the server" - is this when you bind the OS X server to the domain?" - Yes, I mean if I bind the server to the AD it authenticates OK, but using the same credentials on the client I get an "unknown user" error. I have been told to try a third-party app to test settings. I have tried ldapper and can view the directory OK.
All Macs are 10.3.8.
Have set up to use an NTP server, which is working.
Have checked DNS forward and back... again OK.
Not sure what else to try.
Is there anything in Terminal I can try?
Chris
macjock - Apr 6, 2005 - 8:29 pm
On a test machine try trashing all the DirectoryServices settings:
rm -r /Library/Preferences/DirectoryService
We need to establish if there is something on your client machine or not. This should help establish that.
Are the client machines on the same network/VLAN/subnet as the server machines?
It sounds like you have the correct settings if you are able to get it to work on the OS X Servers, so we need to work out where the differences are.
You may also need to try using the "Use a Preferred domain server" advanced option. Make sure you pick a known AD domain controller and that you can get to it via the fully qualified domain name.
Cheers
dave
--------
macjock - Jun 19, 2005 - 8:29 pm
Hi Chris,
How did you get on with this? Is this resolved?
Regards,
dave
creader - Jun 20, 2005 - 7:57 am
Hi Dave
Sorry for not responding; it has been difficult to concentrate on this as it's the end of term and students have been manic. They are leaving v shortly so I can now concentrate on this further.
I have managed to bind the server, and log in as a Windows user. It was down to the user path mapping. It is a bit slow logging in, using 10.4.1 now.
I will be attempting to configure LDAP to enable users to be authenticated by Active Directory and to have their home areas on the Mac server. I am getting an Xserve and RAID shortly so will be trying then. No doubt I will be posting more issues shortly.
Thanks for your help on this matter.
Regards
Chris