Tuesday, November 06, 2007

Leopard eats Active Directory

I've commented a couple of times about vendors and how they need to beef up their Active Directory integration (if they even integrate to start with). Now the opposite happens: Apple's Active Directory integration has blown up in their latest OS X incarnation - Leopard.

I heard about this yesterday when I was at the Vintela offices in Lindon, Utah (yes, downstairs from the evil Canopy Group and across the street from the eviler than yesterday SCO Group).

Here are some details...

Leopard Problems: Active Directory integration - First, Active Directory integration is broken. It centers mostly around authentication issues. If the Mac was joined to the domain before it was upgraded, it can’t log on after. Directory Utility returns a “Server can not be contacted” error. If the machine was not joined to the domain, it fails while trying to join, with an “unknown error” in step 3 of the bind process.

The other issue is in Safari through a Microsoft ISA 2006 proxy server. When going to an SSL website, Safari crashes after it tries to authenticate. Firefox still works.

Avoid an Active Directory 10.5 upgrade issue - If your Mac is bound to Active Directory (AD), make sure you unbind it before upgrading. Also make sure you have a local admin account (that was not created via AD) beforehand. I had a tough time with a Mac here -- the only account on the machine was created through authenticating via AD. In case this happens to someone else, and they find this, here's a fix:

Start up in single user mode (power on while holding Command-S) and enable the root account by giving it a password (by typing passwd and entering a password). Then reboot and log in as root. Once you've logged in (it was very slow for me), go into Directory Utility (/Applications » Utilities) and you will see the AD entry listed there.

For me it showed as connected, but was not getting the proper info. Unbind it, and as soon as it's done, you should see an immediate improvement. I was not able to log into my old account; I had to create a new (local) one, and then transfer the old home folder to my new one. I think I added that hint before, but here it is again, in case I didn't:

Create new user newuseraccount. In Terminal, do:
$ sudo -s (enter password)
$ cd /Users
$ rm -rf newuseraccount
$ mv olduseraccount newuseraccount
$ chown -R newuseraccount:staff newuseraccount
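The same home-folder move as a script with the checks the bare rm -rf / mv / chown sequence lacks. This is an added example, not from the original post: it takes the base directory, owner and group as parameters (so it is not tied to /Users or the staff group), keeps the template home the OS created instead of deleting it, and uses chown -h so a symlink inside the old home cannot redirect the re-owning onto a file outside it.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   migrate_home BASE OLD NEW OWNER GROUP
# e.g. migrate_home /Users olduseraccount newuseraccount newuseraccount staff
# Returns 0 on success; on a failed precondition it changes nothing and returns 1.
migrate_home() {
    base=$1 old=$2 new=$3 owner=$4 group=$5

    # Only plain account names: no path separators, no "." or "..", not empty.
    case "$old" in */*|.|..|'') echo "bad old name: '$old'" >&2; return 1;; esac
    case "$new" in */*|.|..|'') echo "bad new name: '$new'" >&2; return 1;; esac
    old_home="$base/$old"
    new_home="$base/$new"

    [ -d "$old_home" ] || { echo "no old home: $old_home" >&2; return 1; }
    # The new account must already exist (its template home is the evidence).
    [ -d "$new_home" ] || { echo "new account not created yet: $new_home" >&2; return 1; }

    # Keep the template home instead of rm -rf'ing it, so the step can be undone
    # if the migrated data turns out to be incomplete.
    stash="$base/.$new.template.$$"
    mv "$new_home" "$stash" || return 1
    if ! mv "$old_home" "$new_home"; then
        mv "$stash" "$new_home"   # roll back to the untouched template
        return 1
    fi

    # Re-own only the migrated tree. -h changes symlinks themselves rather than
    # whatever they point at, so a link to a system file is not re-owned.
    chown -Rh "$owner:$group" "$new_home" || return 1
    echo "moved $old_home -> $new_home (template kept at $stash)"
}
```

Run it as root (sudo -s as in the original steps), and delete the stashed template once the new account logs in correctly.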

I guess Apple's QA team didn't include any cases for testing their Active Directory integration?


1 comment:

ConnectionFailure said...

They definitely broke it. I bound a brand new machine with 10.5.2 to AD... that worked fine... but I couldn't log in as a domain user.
The settings were:
Create Mobile Account at Login
Force Local Home Directory on Startup Disk.
Derive Network Home Location (SMB).
This is miserable. I had to turn off one of the three to allow login. What gives?